Revert "CVE-2016-5420.patch: amend the patch to fix a related (NSS on…

…ly) bug" This reverts commit ba22025.
curl · Sep 7, 2016 · af1885f · af1885f
1 parent 200c502
commit af1885f
Showing 1 changed file with 1 addition and 44 deletions.
diff --git a/CVE-2016-5420.patch b/CVE-2016-5420.patch
@@ -1,7 +1,7 @@
 From f6474ff3bfb38c28b70b5ba01048edc41f654376 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Sun, 31 Jul 2016 00:51:48 +0200
-Subject: [PATCH 1/2] TLS: only reuse connections with the same client cert
+Subject: [PATCH] TLS: only reuse connections with the same client cert
 
 CVE-2016-5420
 Bug: https://curl.haxx.se/docs/adv_20160803B.html
@@ -28,46 +28,3 @@ index 33e209d..3863777 100644
 -- 
 2.8.1
 
-
-From f6e4783b7fc6f3fe3c5f84ac196eb0a860a2ad64 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Mon, 22 Aug 2016 10:24:35 +0200
-Subject: [PATCH 2/2] nss: refuse previously loaded certificate from file
-
-... when we are not asked to use a certificate from file
----
- lib/vtls/nss.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index ad33f25..e467360 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -1004,10 +1004,10 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
-   struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg;
-   struct Curl_easy *data = connssl->data;
-   const char *nickname = connssl->client_nickname;
-+  static const char pem_slotname[] = "PEM Token #1";
-
-   if(connssl->obj_clicert) {
-     /* use the cert/key provided by PEM reader */
--    static const char pem_slotname[] = "PEM Token #1";
-     SECItem cert_der = { 0, NULL, 0 };
-     void *proto_win = SSL_RevealPinArg(sock);
-     struct CERTCertificateStr *cert;
-@@ -1069,6 +1069,12 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
-   if(NULL == nickname)
-     nickname = "[unknown]";
-
-+  if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) {
-+    failf(data, "NSS: refusing previously loaded certificate from file: %s",
-+          nickname);
-+    return SECFailure;
-+  }
-+
-   if(NULL == *pRetKey) {
-     failf(data, "NSS: private key not found for certificate: %s", nickname);
-     return SECFailure;
--- 
-2.8.1
-