summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2021-06-18 15:43:12 +0200
committerLudovic Courtès <ludo@gnu.org>2021-06-18 17:40:10 +0200
commitcaf4a7a2770ef4d05a6e18f40d602e51da749ddc (patch)
treeccb3dd9fb430cc8c71c620671d90f4569dce0827 /gnu
parent299c3c18603f4f92f187908ad48eeb6e5b3b6630 (diff)
downloadguix-caf4a7a2770ef4d05a6e18f40d602e51da749ddc.tar.gz
gnu: curl@7.77.0: Provide a correct TLS priority string.
Fixes <https://bugs.gnu.org/49035>.

* gnu/packages/patches/curl-7.77-tls-priority-string.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/curl.scm (curl-7.77.0)[source]: Use it.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/curl.scm5
-rw-r--r--gnu/packages/patches/curl-7.77-tls-priority-string.patch98
3 files changed, 102 insertions, 2 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 918c8515ac..fec88aa3a2 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -931,6 +931,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/cube-nocheck.patch			\
   %D%/packages/patches/curl-use-ssl-cert-env.patch		\
   %D%/packages/patches/curl-7.76-use-ssl-cert-env.patch	\
+  %D%/packages/patches/curl-7.77-tls-priority-string.patch	\
   %D%/packages/patches/cursynth-wave-rand.patch			\
   %D%/packages/patches/cvs-CVE-2017-12836.patch		\
   %D%/packages/patches/cyrus-sasl-ac-try-run-fix.patch		\
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 76b9b9840c..d368c4140e 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2013, 2014, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Tomáš Čech <sleep_walker@suse.cz>
-;;; Copyright © 2015, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016, 2017, 2019 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017, 2019, 2020 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
@@ -161,7 +161,8 @@ tunneling, and so on.")
        (inherit (package-source curl))
        (uri (string-append "https://curl.haxx.se/download/curl-"
                            version ".tar.xz"))
-       (patches (search-patches "curl-7.76-use-ssl-cert-env.patch"))
+       (patches (search-patches "curl-7.76-use-ssl-cert-env.patch"
+                                "curl-7.77-tls-priority-string.patch"))
        (sha256
         (base32
          "0jsrc97vbghvljic997r9nypc9qqddcil2lzvv032br8ahn5hr0g"))))))
diff --git a/gnu/packages/patches/curl-7.77-tls-priority-string.patch b/gnu/packages/patches/curl-7.77-tls-priority-string.patch
new file mode 100644
index 0000000000..bf1bfa8aaa
--- /dev/null
+++ b/gnu/packages/patches/curl-7.77-tls-priority-string.patch
@@ -0,0 +1,98 @@
+cURL 7.77.0 would use a bogus TLS priority string favoring older TLS
+protocol versions, which in turn would prevent access to bitbucket.org:
+
+  https://issues.guix.gnu.org/49035
+  https://github.com/curl/curl/pull/7278
+
+This patch fixes it.
+From <https://github.com/curl/curl/pull/7278/commits/b98f79f6ecdb708c67f9a0cec56ce48952a54556>.
+
+From b98f79f6ecdb708c67f9a0cec56ce48952a54556 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 18 Jun 2021 14:54:07 +0200
+Subject: [PATCH] gnutls: set the prefer ciphers in correct order
+
+Reported-by: civodul on github
+Assisted-by: Nikos Mavrogiannopoulos
+Fixes #7277
+---
+ lib/vtls/gtls.c | 30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index d9bc5611e8f9..da2af64955c3 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -330,6 +330,9 @@ set_ssl_version_min_max(struct Curl_easy *data,
+       ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
+     }
+   }
++  else if(ssl_version_max == CURL_SSLVERSION_MAX_DEFAULT) {
++    ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3;
++  }
+ 
+   switch(ssl_version | ssl_version_max) {
+   case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
+@@ -338,11 +341,11 @@ set_ssl_version_min_max(struct Curl_easy *data,
+     return CURLE_OK;
+   case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_1:
+     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+-      "+VERS-TLS1.0:+VERS-TLS1.1";
++      "+VERS-TLS1.1:+VERS-TLS1.0";
+     return CURLE_OK;
+   case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2:
+     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+-      "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2";
++      "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0";
+     return CURLE_OK;
+   case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_1:
+     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+@@ -350,7 +353,7 @@ set_ssl_version_min_max(struct Curl_easy *data,
+     return CURLE_OK;
+   case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_2:
+     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+-      "+VERS-TLS1.1:+VERS-TLS1.2";
++      "+VERS-TLS1.2:+VERS-TLS1.1";
+     return CURLE_OK;
+   case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2:
+     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+@@ -360,25 +363,17 @@ set_ssl_version_min_max(struct Curl_easy *data,
+     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+       "+VERS-TLS1.3";
+     return CURLE_OK;
+-  case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT:
+-    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+-      "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2"
+-      ":+VERS-TLS1.3";
++  case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_3:
++    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0";
+     return CURLE_OK;
+-  case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_DEFAULT:
++  case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_3:
+     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+-      "+VERS-TLS1.1:+VERS-TLS1.2"
+-      ":+VERS-TLS1.3";
++      "+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1";
+     return CURLE_OK;
+-  case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT:
++  case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3:
+     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+-      "+VERS-TLS1.2"
+-      ":+VERS-TLS1.3";
++      "+VERS-TLS1.3:+VERS-TLS1.2";
+     return CURLE_OK;
+-  case CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_DEFAULT:
+-    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
+-      "+VERS-TLS1.2"
+-      ":+VERS-TLS1.3";
+     return CURLE_OK;
+   }
+ 
+@@ -608,6 +603,7 @@ gtls_connect_step1(struct Curl_easy *data,
+   }
+   else {
+ #endif
++    infof(data, "GnuTLS ciphers: %s\n", prioritylist);
+     rc = gnutls_priority_set_direct(session, prioritylist, &err);
+ #ifdef HAVE_GNUTLS_SRP
+   }