Resolves: #1396719 - map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3

This commit is contained in:
Kamil Dudka 2016-11-21 09:54:16 +01:00
parent 40b1d9916f
commit c38149da81
2 changed files with 293 additions and 1 deletions

View File

@ -0,0 +1,285 @@
From 53782619bae773a4034bc53b3b0bd858f90190dc Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 27 Oct 2016 14:27:25 +0200
Subject: [PATCH 1/4] nss: map CURL_SSLVERSION_DEFAULT to NSS default
... but make sure we use at least TLSv1.0 according to libcurl API
Reported-by: Cure53
Reviewed-by: Ray Satiro
Upstream-commit: 5d45ced7a45ea38e32f1cbf73d7c63a3e4f241e7
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/nss.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index dff1575..5abb574 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
struct Curl_easy *data)
{
switch(data->set.ssl.version) {
- default:
case CURL_SSLVERSION_DEFAULT:
+ /* map CURL_SSLVERSION_DEFAULT to NSS default */
+ if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
+ return CURLE_SSL_CONNECT_ERROR;
+ /* ... but make sure we use at least TLSv1.0 according to libcurl API */
+ if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+ return CURLE_OK;
+
case CURL_SSLVERSION_TLSv1:
sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+ /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
#ifdef SSL_LIBRARY_VERSION_TLS_1_2
sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
#elif defined SSL_LIBRARY_VERSION_TLS_1_1
@@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
return CURLE_OK;
#endif
break;
+
+ default:
+ /* unsupported SSL/TLS version */
+ break;
}
failf(data, "TLS minor version cannot be set");
--
2.7.4
From 6a42abb03de6e5afe859313b236f2b776ca51722 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 27 Oct 2016 14:57:11 +0200
Subject: [PATCH 2/4] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
Fully implemented with the NSS backend only for now.
Reviewed-by: Ray Satiro
Upstream-commit: 6ad3add60654182a747f5971afb40817488ef0e8
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 ++
docs/libcurl/symbols-in-versions | 1 +
include/curl/curl.h | 1 +
lib/vtls/nss.c | 8 ++++++++
4 files changed, 12 insertions(+)
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
index 2f40e46..1854af0 100644
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
@@ -48,6 +48,8 @@ TLSv1.0 (Added in 7.34.0)
TLSv1.1 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_2
TLSv1.2 (Added in 7.34.0)
+.IP CURL_SSLVERSION_TLSv1_3
+TLSv1.3 (Added in 7.51.1)
.RE
.SH DEFAULT
CURL_SSLVERSION_DEFAULT
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index f6365ae..a77fde4 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -773,6 +773,7 @@ CURL_SSLVERSION_TLSv1 7.9.2
CURL_SSLVERSION_TLSv1_0 7.34.0
CURL_SSLVERSION_TLSv1_1 7.34.0
CURL_SSLVERSION_TLSv1_2 7.34.0
+CURL_SSLVERSION_TLSv1_3 7.51.1
CURL_TIMECOND_IFMODSINCE 7.9.7
CURL_TIMECOND_IFUNMODSINCE 7.9.7
CURL_TIMECOND_LASTMOD 7.9.7
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 9c09cb9..03fcfeb 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -1805,6 +1805,7 @@ enum {
CURL_SSLVERSION_TLSv1_0,
CURL_SSLVERSION_TLSv1_1,
CURL_SSLVERSION_TLSv1_2,
+ CURL_SSLVERSION_TLSv1_3,
CURL_SSLVERSION_LAST /* never use, keep last */
};
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 5abb574..5e52727 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1541,6 +1541,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
#endif
break;
+ case CURL_SSLVERSION_TLSv1_3:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
+ return CURLE_OK;
+#endif
+ break;
+
default:
/* unsupported SSL/TLS version */
break;
--
2.7.4
From d930268ab522ac7ea7ccd83671d22f57148f3d21 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 27 Oct 2016 14:58:43 +0200
Subject: [PATCH 3/4] curl: introduce the --tlsv1.3 option to force TLS 1.3
Fully implemented with the NSS backend only for now.
Reviewed-by: Ray Satiro
Upstream-commit: a110a03b43057879643046538c79cc9dd20d399a
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/curl.1 | 10 +++++++---
src/tool_getparam.c | 5 +++++
src/tool_help.c | 1 +
src/tool_setopt.c | 1 +
4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/docs/curl.1 b/docs/curl.1
index f5375ed..e9c6150 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -176,9 +176,9 @@ HTTP 2 to negotiate HTTP 2 support with the server during https sessions.
.IP "-1, --tlsv1"
(SSL)
Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
-You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
-control the TLS version more precisely (if the SSL backend in use supports such
-a level of control).
+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and
+\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend
+in use supports such a level of control).
.IP "-2, --sslv2"
(SSL) Forces curl to use SSL version 2 when negotiating with a remote SSL
server. Sometimes curl is built without SSLv2 support. SSLv2 is widely
@@ -1820,6 +1820,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
(SSL)
Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
(Added in 7.34.0)
+.IP "--tlsv1.3"
+(SSL)
+Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
+(Added in 7.51.1)
.IP "--tr-encoding"
(HTTP) Request a compressed Transfer-Encoding response using one of the
algorithms curl supports, and uncompress the data while receiving it.
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 95dd455..2d16e06 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -190,6 +190,7 @@ static const struct LongShort aliases[]= {
{"10", "tlsv1.0", FALSE},
{"11", "tlsv1.1", FALSE},
{"12", "tlsv1.2", FALSE},
+ {"13", "tlsv1.3", FALSE},
{"2", "sslv2", FALSE},
{"3", "sslv3", FALSE},
{"4", "ipv4", FALSE},
@@ -1061,6 +1062,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */
/* TLS version 1.2 */
config->ssl_version = CURL_SSLVERSION_TLSv1_2;
break;
+ case '3':
+ /* TLS version 1.3 */
+ config->ssl_version = CURL_SSLVERSION_TLSv1_3;
+ break;
}
break;
case '2':
diff --git a/src/tool_help.c b/src/tool_help.c
index fb428c9..9890cc8 100644
--- a/src/tool_help.c
+++ b/src/tool_help.c
@@ -232,6 +232,7 @@ static const char *const helptext[] = {
" --tlsv1.0 Use TLSv1.0 (SSL)",
" --tlsv1.1 Use TLSv1.1 (SSL)",
" --tlsv1.2 Use TLSv1.2 (SSL)",
+ " --tlsv1.3 Use TLSv1.3 (SSL)",
" --trace FILE Write a debug trace to FILE",
" --trace-ascii FILE Like --trace, but without hex output",
" --trace-time Add time stamps to trace/verbose output",
diff --git a/src/tool_setopt.c b/src/tool_setopt.c
index c854225..f3de09d 100644
--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
@@ -83,6 +83,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
NV(CURL_SSLVERSION_TLSv1_0),
NV(CURL_SSLVERSION_TLSv1_1),
NV(CURL_SSLVERSION_TLSv1_2),
+ NV(CURL_SSLVERSION_TLSv1_3),
NVEND,
};
--
2.7.4
From 2fce531638a12f44ea1fbc52e86ca795a3a4e4e2 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 15 Nov 2016 12:21:00 +0100
Subject: [PATCH 4/4] docs: the next release will be 7.52.0
Upstream-commit: cfd69c133984a5df3de63b4f8c5f64885c6e33ae
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/curl.1 | 2 +-
docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 +-
docs/libcurl/symbols-in-versions | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/curl.1 b/docs/curl.1
index e9c6150..05d1a8d 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1823,7 +1823,7 @@ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
.IP "--tlsv1.3"
(SSL)
Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
-(Added in 7.51.1)
+(Added in 7.52.0)
.IP "--tr-encoding"
(HTTP) Request a compressed Transfer-Encoding response using one of the
algorithms curl supports, and uncompress the data while receiving it.
diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
index 1854af0..77dfcd4 100644
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
@@ -49,7 +49,7 @@ TLSv1.1 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_2
TLSv1.2 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_3
-TLSv1.3 (Added in 7.51.1)
+TLSv1.3 (Added in 7.52.0)
.RE
.SH DEFAULT
CURL_SSLVERSION_DEFAULT
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index a77fde4..ef730c8 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -773,7 +773,7 @@ CURL_SSLVERSION_TLSv1 7.9.2
CURL_SSLVERSION_TLSv1_0 7.34.0
CURL_SSLVERSION_TLSv1_1 7.34.0
CURL_SSLVERSION_TLSv1_2 7.34.0
-CURL_SSLVERSION_TLSv1_3 7.51.1
+CURL_SSLVERSION_TLSv1_3 7.52.0
CURL_TIMECOND_IFMODSINCE 7.9.7
CURL_TIMECOND_IFUNMODSINCE 7.9.7
CURL_TIMECOND_LASTMOD 7.9.7
--
2.7.4

View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.51.0 Version: 7.51.0
Release: 2%{?dist} Release: 3%{?dist}
License: MIT License: MIT
Group: Applications/Internet Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@ -12,6 +12,9 @@ Patch1: 0001-curl-7.51.0-ssh-md5.patch
# stricter host name checking for file:// URLs # stricter host name checking for file:// URLs
Patch2: 0002-curl-7.51.0-file-host.patch Patch2: 0002-curl-7.51.0-file-host.patch
# map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
Patch3: 0003-curl-7.51.0-tls-version.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
@ -130,6 +133,7 @@ documentation of the library, too.
# upstream patches # upstream patches
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
# Fedora patches # Fedora patches
%patch101 -p1 %patch101 -p1
@ -237,6 +241,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4 %{_datadir}/aclocal/libcurl.m4
%changelog %changelog
* Mon Nov 21 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-3
- map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
* Tue Nov 15 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-2 * Tue Nov 15 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-2
- stricter host name checking for file:// URLs - stricter host name checking for file:// URLs
- ssh: check md5 fingerprints case insensitively - ssh: check md5 fingerprints case insensitively