make the --tls13-ciphers option work

2018-09-04 15:20:55 +02:00 · 2018-09-04 15:20:55 +02:00 · e7b6b91818
commit e7b6b91818
parent 8bff7e0d6b
2 changed files with 109 additions and 1 deletions
--- a/0003-curl-7.61.0-tls13-ciphers.patch
+++ b/0003-curl-7.61.0-tls13-ciphers.patch
@ -0,0 +1,101 @@
+From 426b00d0587797d79806f9682b058d5c90a0ab79 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Fri, 31 Aug 2018 19:46:29 -0400
+Subject: [PATCH 1/2] openssl: Fix setting TLS 1.3 cipher suites
+
+The flag indicating TLS 1.3 cipher support in the OpenSSL backend was
+missing.
+
+Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187
+Reported-by: Kamil Dudka
+
+Closes #2926
+
+Upstream-commit: 978574b502294ae06eb97d4f590b54ed5d24cd7f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/openssl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index bc46eca..fad4287 100644
+--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
+@@ -3804,6 +3804,9 @@ const struct Curl_ssl Curl_ssl_openssl = {
+   SSLSUPP_CERTINFO |
+   SSLSUPP_PINNEDPUBKEY |
+   SSLSUPP_SSL_CTX |
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+  SSLSUPP_TLS13_CIPHERSUITES |
+#endif
+   SSLSUPP_HTTPS_PROXY,
+ 
+   sizeof(struct ssl_backend_data),
+-- 
+2.17.1
+
+
+From 081afa4e2eb5e853833bd87ca43f48ab550fe657 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 3 Sep 2018 13:04:00 +0200
+Subject: [PATCH 2/2] url, vtls: make CURLOPT{,_PROXY}_TLS13_CIPHERS work
+
+This is a follow-up to PR #2607 and PR #2926.
+
+Closes #2936
+
+Upstream-commit: 52c13d6328ff56b2d2e8313e88cfdfc78acda365
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c       | 4 ++++
+ lib/vtls/vtls.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 27b2c1e..46898c4 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -4356,6 +4356,10 @@ static CURLcode create_conn(struct Curl_easy *data,
+     data->set.str[STRING_SSL_CIPHER_LIST_ORIG];
+   data->set.proxy_ssl.primary.cipher_list =
+     data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
+  data->set.ssl.primary.cipher_list13 =
+    data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];
+  data->set.proxy_ssl.primary.cipher_list13 =
+    data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
+ 
+   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index bf96518..b61c640 100644
+--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
+@@ -96,7 +96,8 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
+      Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+      Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+      Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
+-     Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list))
+     Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+     Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))
+     return TRUE;
+ 
+   return FALSE;
+@@ -119,6 +120,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+   CLONE_STRING(random_file);
+   CLONE_STRING(egdsocket);
+   CLONE_STRING(cipher_list);
+  CLONE_STRING(cipher_list13);
+ 
+   return TRUE;
+ }
+@@ -131,6 +133,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
+   Curl_safefree(sslc->random_file);
+   Curl_safefree(sslc->egdsocket);
+   Curl_safefree(sslc->cipher_list);
+  Curl_safefree(sslc->cipher_list13);
+ }
+ 
+ #ifdef USE_SSL
+-- 
+2.17.1
+
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.61.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz

@ -11,6 +11,9 @@ Patch1:   0001-curl-7.61.0-pkcs11.patch
 # scp/sftp: fix infinite connect loop on invalid private key (#1595135)
 Patch2:   0002-curl-7.61.0-libssh.patch

+# make the --tls13-ciphers option work
+Patch3:   0003-curl-7.61.0-tls13-ciphers.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -166,6 +169,7 @@ be installed.
 # upstream patches
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1

 # Fedora patches
 %patch101 -p1
@ -333,6 +337,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Tue Sep 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-8
+- make the --tls13-ciphers option work
+
 * Mon Aug 27 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-7
 - tests: make ssh-keygen always produce PEM format (#1622594)