File nss-fix-bmo1774654.patch of Package mozilla-nss

# HG changeset patch
# User Robert Relyea <rrelyea@redhat.com>
# Date 1670534238 28800
# Node ID a7f363511333b8062945557607691002fd6e40b9
# Parent  89a562b7cf3d3c501ee49143e0b12c7d0f330a69
Bug 1774654 tstclnt crashes when accessing gnutls server without a user cert in the database.

The filter functions do not handle NULL CERTCertLists, but CERT_FindUserCertsByUsage can return a NULL cert list. If it returns a NULL list, we should just
fail at that point (there are no certs available).

Differential Revision: https://phabricator.services.mozilla.com/D164273

diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
--- a/lib/ssl/authcert.c
+++ b/lib/ssl/authcert.c
@@ -201,36 +201,36 @@ NSS_GetClientAuthData(void *arg,
 
     /* otherwise look through the cache based on usage
      * if chosenNickname is set, we ignore the expiration date */
     if (certList == NULL) {
         certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
                                              certUsageSSLClient,
                                              PR_FALSE, chosenNickName == NULL,
                                              pw_arg);
+        if (certList == NULL) {
+            return SECFailure;
+        }
         /* filter only the certs that meet the nickname requirements */
         if (chosenNickName) {
             rv = CERT_FilterCertListByNickname(certList, chosenNickName,
                                                pw_arg);
         } else {
             int nnames = 0;
             char **names = ssl_DistNamesToStrings(caNames, &nnames);
             rv = CERT_FilterCertListByCANames(certList, nnames, names,
                                               certUsageSSLClient);
             ssl_FreeDistNamesStrings(names, nnames);
         }
         if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
             CERT_DestroyCertList(certList);
-            certList = NULL;
+            return SECFailure;
         }
     }
-    if (certList == NULL) {
-        /* no user certs meeting the nickname/usage requirements found */
-        return SECFailure;
-    }
+
     /* now remove any certs that can't meet the connection requirements */
     rv = ssl_FilterClientCertListBySSLSocket(ss, certList);
     if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
         // no certs left.
         CERT_DestroyCertList(certList);
         return SECFailure;
     }
 
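Review bot: The added `if (certList == NULL) { return SECFailure; }` right after the CERT_FindUserCertsByUsage call has no comment, and the commit deletes the only one that explained this failure path ("no user certs meeting the nickname/usage requirements found"). I would put `/* no user certs available; the filter functions below do not accept a NULL list */` above the new check, so the guard is not later mistaken for redundant and removed. The same applies to the `return SECFailure;` that replaces `certList = NULL;` after the nickname/CA-name filtering, where a short `/* no user certs meeting the nickname/usage requirements found */` would keep the original explanation. The hunk does not show whether an error code is set when the lookup returns NULL, so if callers report the failure reason, that is worth confirming. The body of NSS_GetClientAuthData starts and ends outside this hunk.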
