diff --git a/0001-curl-7.28.1-68d2830e.patch b/0001-curl-7.28.1-68d2830e.patch
deleted file mode 100644
index be8c558..0000000
--- a/0001-curl-7.28.1-68d2830e.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From c011938e10bf3af5896d0f7f5ecffc22150303f3 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Mon, 3 Dec 2012 13:17:50 +0100
-Subject: [PATCH 1/3] nss: prevent NSS from crashing on client auth hook failure
-
-Although it is not explicitly stated in the documentation, NSS uses
-*pRetCert and *pRetKey even if the client authentication hook returns
-a failure. Namely, if we destroy *pRetCert without clearing *pRetCert
-afterwards, NSS destroys the certificate once again, which causes a
-double free.
-
-Reported by: Bob Relyea
-
-[upstream commit 68d2830ee9df50961e481e81c1baaa290c33f03e]
----
- lib/nss.c | 17 +++++++++++------
- 1 files changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/lib/nss.c b/lib/nss.c
-index 22b53bf..794eccb 100644
---- a/lib/nss.c
-+++ b/lib/nss.c
-@@ -757,6 +757,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
- static const char pem_slotname[] = "PEM Token #1";
- SECItem cert_der = { 0, NULL, 0 };
- void *proto_win = SSL_RevealPinArg(sock);
-+struct CERTCertificateStr *cert;
-+struct SECKEYPrivateKeyStr *key;
-
- PK11SlotInfo *slot = PK11_FindSlotByName(pem_slotname);
- if(NULL == slot) {
-@@ -771,24 +773,27 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
- return SECFailure;
- }
-
-- *pRetCert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win);
-+ cert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win);
- SECITEM_FreeItem(&cert_der, PR_FALSE);
-- if(NULL == *pRetCert) {
-+ if(NULL == cert) {
- failf(data, "NSS: client certificate from file not found");
- PK11_FreeSlot(slot);
- return SECFailure;
- }
-
-- *pRetKey = PK11_FindPrivateKeyFromCert(slot, *pRetCert, NULL);
-+ key = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
- PK11_FreeSlot(slot);
-- if(NULL == *pRetKey) {
-+ if(NULL == key) {
- failf(data, "NSS: private key from file not found");
-- CERT_DestroyCertificate(*pRetCert);
-+ CERT_DestroyCertificate(cert);
- return SECFailure;
- }
-
- infof(data, 
"NSS: client certificate from file\n");
-- display_cert_info(data, *pRetCert);
-+ display_cert_info(data, cert);
-+
-+ *pRetCert = cert;
-+ *pRetKey = key;
- return SECSuccess;
- }
-
---
-1.7.1
-
diff --git a/0002-curl-7.28.1-b36f1d26.patch b/0002-curl-7.28.1-b36f1d26.patch
deleted file mode 100644
index c712da0..0000000
--- a/0002-curl-7.28.1-b36f1d26.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From fefd7cdcde39c56651f6e2c32be9cd79354ffdc4 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Fri, 11 Jan 2013 10:24:21 +0100
-Subject: [PATCH 2/3] nss: clear session cache if a client cert from file is used
-
-This commit fixes a regression introduced in 052a08ff.
-
-NSS caches certs/keys returned by the SSL_GetClientAuthDataHook callback
-and if we connect second time to the same server, the cached cert/key
-pair is used. If we use multiple client certificates for different
-paths on the same server, we need to clear the session cache to force
-NSS to call the hook again. The commit 052a08ff prevented the session
-cache from being cleared if a client certificate from file was used.
-
-The condition is now fixed to cover both cases: consssl->client_nickname
-is not NULL if a client certificate from the NSS database is used and
-connssl->obj_clicert is not NULL if a client certificate from file is
-used.
-
-Review by: Kai Engert
-
-[upstream commit b36f1d26f830453ebaa17238f9bd1e396f618720]
----
- lib/nss.c | 12 ++++++++----
- 1 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/lib/nss.c b/lib/nss.c
-index 794eccb..f97090a 100644
---- a/lib/nss.c
-+++ b/lib/nss.c
-@@ -1058,13 +1058,17 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
- as closed to avoid double close */
- fake_sclose(conn->sock[sockindex]);
- conn->sock[sockindex] = CURL_SOCKET_BAD;
-+
-+ if((connssl->client_nickname != NULL) || (connssl->obj_clicert != NULL))
-+ /* A server might require different authentication based on the
-+ * particular path being requested by the client. To support this
-+ * scenario, we must ensure that a connection will never reuse the
-+ * authentication data from a previous connection. 
*/
-+ SSL_InvalidateSession(connssl->handle);
-+
- if(connssl->client_nickname != NULL) {
- free(connssl->client_nickname);
- connssl->client_nickname = NULL;
--
-- /* force NSS to ask again for a client cert when connecting
-- * next time to the same server */
-- SSL_InvalidateSession(connssl->handle);
- }
- /* destroy all NSS objects in order to avoid failure of NSS shutdown */
- Curl_llist_destroy(connssl->obj_list, NULL);
---
-1.7.1
-
diff --git a/0003-curl-7.28.1-26613d78.patch b/0003-curl-7.28.1-26613d78.patch
deleted file mode 100644
index 2ebe38e..0000000
--- a/0003-curl-7.28.1-26613d78.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From afd2d98b4a9c69fb47048122629fd4be1d40f906 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Tue, 15 Jan 2013 12:58:08 +0100
-Subject: [PATCH 3/3] nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
-
-Do not use the error messages from NSS for errors not occurring in NSS.
-
-[upstream commit 26613d781725e39b0f601301a65c64e146977d8f]
----
- lib/nss.c | 2 --
- 1 files changed, 0 insertions(+), 2 deletions(-)
-
-diff --git a/lib/nss.c b/lib/nss.c
-index f97090a..c5dcf52 100644
---- a/lib/nss.c
-+++ b/lib/nss.c
-@@ -1097,10 +1097,8 @@ static bool is_nss_error(CURLcode err)
- switch(err) {
- case CURLE_PEER_FAILED_VERIFICATION:
- case CURLE_SSL_CACERT:
-- case CURLE_SSL_CACERT_BADFILE:
- case CURLE_SSL_CERTPROBLEM:
- case CURLE_SSL_CONNECT_ERROR:
-- case CURLE_SSL_CRL_BADFILE:
- case CURLE_SSL_ISSUER_ERROR:
- return true;
-
---
-1.7.1
-