guix/gnu/packages/patches/curl-7.77-tls-priority-string.patch

cURL 7.77.0 would use a bogus TLS priority string favoring older TLS
protocol versions, which in turn would prevent access to bitbucket.org:

  https://issues.guix.gnu.org/49035
  https://github.com/curl/curl/pull/7278

This patch fixes it.
From <https://github.com/curl/curl/pull/7278/commits/b98f79f6ecdb708c67f9a0cec56ce48952a54556>.

From b98f79f6ecdb708c67f9a0cec56ce48952a54556 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 18 Jun 2021 14:54:07 +0200
Subject: [PATCH] gnutls: set the prefer ciphers in correct order

Reported-by: civodul on github
Assisted-by: Nikos Mavrogiannopoulos
Fixes #7277
---
 lib/vtls/gtls.c | 30 +++++++++++++-----------------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index d9bc5611e8f9..da2af64955c3 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -330,6 +330,9 @@ set_ssl_version_min_max(struct Curl_easy *data,
       ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
     }
   }
+  else if(ssl_version_max == CURL_SSLVERSION_MAX_DEFAULT) {
+    ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3;
+  }
 
   switch(ssl_version | ssl_version_max) {
   case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
@@ -338,11 +341,11 @@ set_ssl_version_min_max(struct Curl_easy *data,
     return CURLE_OK;
   case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_1:
     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
-      "+VERS-TLS1.0:+VERS-TLS1.1";
+      "+VERS-TLS1.1:+VERS-TLS1.0";
     return CURLE_OK;
   case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2:
     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
-      "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2";
+      "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0";
     return CURLE_OK;
   case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_1:
     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
@@ -350,7 +353,7 @@ set_ssl_version_min_max(struct Curl_easy *data,
     return CURLE_OK;
   case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_2:
     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
-      "+VERS-TLS1.1:+VERS-TLS1.2";
+      "+VERS-TLS1.2:+VERS-TLS1.1";
     return CURLE_OK;
   case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2:
     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
@@ -360,25 +363,17 @@ set_ssl_version_min_max(struct Curl_easy *data,
     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
       "+VERS-TLS1.3";
     return CURLE_OK;
-  case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT:
-    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
-      "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2"
-      ":+VERS-TLS1.3";
+  case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_3:
+    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0";
     return CURLE_OK;
-  case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_DEFAULT:
+  case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_3:
     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
-      "+VERS-TLS1.1:+VERS-TLS1.2"
-      ":+VERS-TLS1.3";
+      "+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1";
     return CURLE_OK;
-  case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT:
+  case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3:
     *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
-      "+VERS-TLS1.2"
-      ":+VERS-TLS1.3";
+      "+VERS-TLS1.3:+VERS-TLS1.2";
     return CURLE_OK;
-  case CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_DEFAULT:
-    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
-      "+VERS-TLS1.2"
-      ":+VERS-TLS1.3";
     return CURLE_OK;
   }
 
@@ -608,6 +603,7 @@ gtls_connect_step1(struct Curl_easy *data,
   }
   else {
 #endif
+    infof(data, "GnuTLS ciphers: %s\n", prioritylist);
     rc = gnutls_priority_set_direct(session, prioritylist, &err);
 #ifdef HAVE_GNUTLS_SRP
   }
gnu: curl@7.77.0: Provide a correct TLS priority string. Fixes <https://bugs.gnu.org/49035>. * gnu/packages/patches/curl-7.77-tls-priority-string.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/curl.scm (curl-7.77.0)[source]: Use it. 2021-06-18 09:43:12 -04:00			`cURL 7.77.0 would use a bogus TLS priority string favoring older TLS`
			`protocol versions, which in turn would prevent access to bitbucket.org:`

			`https://issues.guix.gnu.org/49035`
			`https://github.com/curl/curl/pull/7278`

			`This patch fixes it.`
			`From <https://github.com/curl/curl/pull/7278/commits/b98f79f6ecdb708c67f9a0cec56ce48952a54556>.`

			`From b98f79f6ecdb708c67f9a0cec56ce48952a54556 Mon Sep 17 00:00:00 2001`
			`From: Daniel Stenberg <daniel@haxx.se>`
			`Date: Fri, 18 Jun 2021 14:54:07 +0200`
			`Subject: [PATCH] gnutls: set the prefer ciphers in correct order`

			`Reported-by: civodul on github`
			`Assisted-by: Nikos Mavrogiannopoulos`
			`Fixes #7277`
			`---`
			`lib/vtls/gtls.c \| 30 +++++++++++++-----------------`
			`1 file changed, 13 insertions(+), 17 deletions(-)`

			`diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c`
			`index d9bc5611e8f9..da2af64955c3 100644`
			`--- a/lib/vtls/gtls.c`
			`+++ b/lib/vtls/gtls.c`
			`@@ -330,6 +330,9 @@ set_ssl_version_min_max(struct Curl_easy *data,`
			`ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;`
			`}`
			`}`
			`+ else if(ssl_version_max == CURL_SSLVERSION_MAX_DEFAULT) {`
			`+ ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3;`
			`+ }`

			`switch(ssl_version \| ssl_version_max) {`
			`case CURL_SSLVERSION_TLSv1_0 \| CURL_SSLVERSION_MAX_TLSv1_0:`
			`@@ -338,11 +341,11 @@ set_ssl_version_min_max(struct Curl_easy *data,`
			`return CURLE_OK;`
			`case CURL_SSLVERSION_TLSv1_0 \| CURL_SSLVERSION_MAX_TLSv1_1:`
			`*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"`
			`- "+VERS-TLS1.0:+VERS-TLS1.1";`
			`+ "+VERS-TLS1.1:+VERS-TLS1.0";`
			`return CURLE_OK;`
			`case CURL_SSLVERSION_TLSv1_0 \| CURL_SSLVERSION_MAX_TLSv1_2:`
			`*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"`
			`- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2";`
			`+ "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0";`
			`return CURLE_OK;`
			`case CURL_SSLVERSION_TLSv1_1 \| CURL_SSLVERSION_MAX_TLSv1_1:`
			`*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"`
			`@@ -350,7 +353,7 @@ set_ssl_version_min_max(struct Curl_easy *data,`
			`return CURLE_OK;`
			`case CURL_SSLVERSION_TLSv1_1 \| CURL_SSLVERSION_MAX_TLSv1_2:`
			`*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"`
			`- "+VERS-TLS1.1:+VERS-TLS1.2";`
			`+ "+VERS-TLS1.2:+VERS-TLS1.1";`
			`return CURLE_OK;`
			`case CURL_SSLVERSION_TLSv1_2 \| CURL_SSLVERSION_MAX_TLSv1_2:`
			`*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"`
			`@@ -360,25 +363,17 @@ set_ssl_version_min_max(struct Curl_easy *data,`
			`*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"`
			`"+VERS-TLS1.3";`
			`return CURLE_OK;`
			`- case CURL_SSLVERSION_TLSv1_0 \| CURL_SSLVERSION_MAX_DEFAULT:`
			`- *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"`
			`- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2"`
			`- ":+VERS-TLS1.3";`
			`+ case CURL_SSLVERSION_TLSv1_0 \| CURL_SSLVERSION_MAX_TLSv1_3:`
			`+ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0";`
			`return CURLE_OK;`
			`- case CURL_SSLVERSION_TLSv1_1 \| CURL_SSLVERSION_MAX_DEFAULT:`
			`+ case CURL_SSLVERSION_TLSv1_1 \| CURL_SSLVERSION_MAX_TLSv1_3:`
			`*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"`
			`- "+VERS-TLS1.1:+VERS-TLS1.2"`
			`- ":+VERS-TLS1.3";`
			`+ "+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1";`
			`return CURLE_OK;`
			`- case CURL_SSLVERSION_TLSv1_2 \| CURL_SSLVERSION_MAX_DEFAULT:`
			`+ case CURL_SSLVERSION_TLSv1_2 \| CURL_SSLVERSION_MAX_TLSv1_3:`
			`*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"`
			`- "+VERS-TLS1.2"`
			`- ":+VERS-TLS1.3";`
			`+ "+VERS-TLS1.3:+VERS-TLS1.2";`
			`return CURLE_OK;`
			`- case CURL_SSLVERSION_TLSv1_3 \| CURL_SSLVERSION_MAX_DEFAULT:`
			`- *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"`
			`- "+VERS-TLS1.2"`
			`- ":+VERS-TLS1.3";`
			`return CURLE_OK;`
			`}`

			`@@ -608,6 +603,7 @@ gtls_connect_step1(struct Curl_easy *data,`
			`}`
			`else {`
			`#endif`
			`+ infof(data, "GnuTLS ciphers: %s\n", prioritylist);`
			`rc = gnutls_priority_set_direct(session, prioritylist, &err);`
			`#ifdef HAVE_GNUTLS_SRP`
			`}`