From e955dd2f2b7a2ff0bd52a37ddaabd37d466a33b6 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 18 Sep 2015 18:13:13 +0200 Subject: [PATCH] Resolves: #1104597 - prevent NSS from incorrectly re-using a session --- 0003-curl-7.43.0-958d2ffb.patch | 71 +++++++++++++++++++++++++++++++++ curl.spec | 9 ++++- 2 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 0003-curl-7.43.0-958d2ffb.patch diff --git a/0003-curl-7.43.0-958d2ffb.patch b/0003-curl-7.43.0-958d2ffb.patch new file mode 100644 index 0000000..4a6f919 --- /dev/null +++ b/0003-curl-7.43.0-958d2ffb.patch @@ -0,0 +1,71 @@ +From 98dee5ab5a862a506beb8a7bf60c0aaec3b08a0f Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 18 Sep 2015 17:07:22 +0200 +Subject: [PATCH 1/2] nss: check return values of NSS functions + +Upstream-commit: a9fd53887ba07cd8313a8b9706f2dc71d6b8ed1b +Signed-off-by: Kamil Dudka +--- + lib/vtls/nss.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 91727c7..1fa1c64 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -1792,9 +1792,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) + + + /* Force handshake on next I/O */ +- SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE); ++ if(SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE) ++ != SECSuccess) ++ goto error; + +- SSL_SetURL(connssl->handle, conn->host.name); ++ /* propagate hostname to the TLS layer */ ++ if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess) ++ goto error; + + return CURLE_OK; + +-- +2.5.2 + + +From d082ad368ecec7894d8e9e9a35336b2350c30ade Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 18 Sep 2015 17:10:05 +0200 +Subject: [PATCH 2/2] nss: prevent NSS from incorrectly re-using a session + +Without this workaround, NSS re-uses a session cache entry despite the +server name does not match. This causes SNI host name to differ from +the actual host name. Consequently, certain servers (e.g. github.com) +respond by 400 to such requests. + +Bug: https://bugzilla.mozilla.org/1202264 + +Upstream-commit: 958d2ffb198166a062a0ff20d009c64972a2b374 +Signed-off-by: Kamil Dudka +--- + lib/vtls/nss.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 1fa1c64..3d73ffe 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -1800,6 +1800,10 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) + if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess) + goto error; + ++ /* prevent NSS from re-using the session for a different hostname */ ++ if(SSL_SetSockPeerID(connssl->handle, conn->host.name) != SECSuccess) ++ goto error; ++ + return CURLE_OK; + + error: +-- +2.5.2 + diff --git a/curl.spec b/curl.spec index 892bccd..deb6693 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.43.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma @@ -13,6 +13,9 @@ Patch1: 0001-curl-7.43.0-f7dcc7c1.patch # prevent test46 from failing due to expired cookie Patch2: 0002-curl-7.43.0-002d58f1.patch +# prevent NSS from incorrectly re-using a session (#1104597) +Patch3: 0003-curl-7.43.0-958d2ffb.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -125,6 +128,7 @@ documentation of the library, too. # upstream patches %patch1 -p1 %patch2 -p1 +%patch3 -p1 # Fedora patches %patch101 -p1 @@ -244,6 +248,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Fri Sep 18 2015 Kamil Dudka 7.43.0-4 +- prevent NSS from incorrectly re-using a session (#1104597) + * Thu Aug 27 2015 Kamil Dudka 7.43.0-3 - prevent test46 from failing due to expired cookie