Resolves: #1104597 - prevent NSS from incorrectly re-using a session

0003-curl-7.43.0-958d2ffb.patch

@@ -0,0 +1,71 @@
+From 98dee5ab5a862a506beb8a7bf60c0aaec3b08a0f Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 18 Sep 2015 17:07:22 +0200
+Subject: [PATCH 1/2] nss: check return values of NSS functions
+
+Upstream-commit: a9fd53887ba07cd8313a8b9706f2dc71d6b8ed1b
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/nss.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 91727c7..1fa1c64 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1792,9 +1792,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
+ 
+ 
+   /* Force handshake on next I/O */
+-  SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE);
++  if(SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE)
++      != SECSuccess)
++    goto error;
+ 
+-  SSL_SetURL(connssl->handle, conn->host.name);
++  /* propagate hostname to the TLS layer */
++  if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess)
++    goto error;
+ 
+   return CURLE_OK;
+ 
+-- 
+2.5.2
+
+
+From d082ad368ecec7894d8e9e9a35336b2350c30ade Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 18 Sep 2015 17:10:05 +0200
+Subject: [PATCH 2/2] nss: prevent NSS from incorrectly re-using a session
+
+Without this workaround, NSS re-uses a session cache entry despite the
+server name does not match.  This causes SNI host name to differ from
+the actual host name.  Consequently, certain servers (e.g. github.com)
+respond by 400 to such requests.
+
+Bug: https://bugzilla.mozilla.org/1202264
+
+Upstream-commit: 958d2ffb198166a062a0ff20d009c64972a2b374
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/nss.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 1fa1c64..3d73ffe 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1800,6 +1800,10 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
+   if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess)
+     goto error;
+ 
++  /* prevent NSS from re-using the session for a different hostname */
++  if(SSL_SetSockPeerID(connssl->handle, conn->host.name) != SECSuccess)
++    goto error;
++
+   return CURLE_OK;
+ 
+ error:
+-- 
+2.5.2
+

curl.spec

@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.43.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -13,6 +13,9 @@ Patch1: 0001-curl-7.43.0-f7dcc7c1.patch
 # prevent test46 from failing due to expired cookie
 Patch2: 0002-curl-7.43.0-002d58f1.patch
 
+# prevent NSS from incorrectly re-using a session (#1104597)
+Patch3: 0003-curl-7.43.0-958d2ffb.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -125,6 +128,7 @@ documentation of the library, too.
 # upstream patches
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -244,6 +248,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Fri Sep 18 2015 Kamil Dudka <kdudka@redhat.com> 7.43.0-4
+- prevent NSS from incorrectly re-using a session (#1104597)
+
 * Thu Aug 27 2015 Kamil Dudka <kdudka@redhat.com> 7.43.0-3
 - prevent test46 from failing due to expired cookie