# HG changeset patch # User Robert Relyea # Date 1670534238 28800 # Node ID a7f363511333b8062945557607691002fd6e40b9 # Parent 89a562b7cf3d3c501ee49143e0b12c7d0f330a69 Bug 1774654 tstclnt crashes when accessing gnutls server without a user cert in the database. The filter functions do not handle NULL CERTCertLists, but CERT_FindUserCertsByUsage can return a NULL cert list. If it returns a NULL list, we should just fail at the point (there are no certs available). Differential Revision: https://phabricator.services.mozilla.com/D164273 Origin: https://hg.mozilla.org/projects/nss/rev/a7f363511333b8062945557607691002fd6e40b9 diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c --- a/security/nss/lib/ssl/authcert.c +++ b/security/nss/lib/ssl/authcert.c @@ -201,36 +201,36 @@ NSS_GetClientAuthData(void *arg, /* otherwise look through the cache based on usage * if chosenNickname is set, we ignore the expiration date */ if (certList == NULL) { certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), certUsageSSLClient, PR_FALSE, chosenNickName == NULL, pw_arg); + if (certList == NULL) { + return SECFailure; + } /* filter only the certs that meet the nickname requirements */ if (chosenNickName) { rv = CERT_FilterCertListByNickname(certList, chosenNickName, pw_arg); } else { int nnames = 0; char **names = ssl_DistNamesToStrings(caNames, &nnames); rv = CERT_FilterCertListByCANames(certList, nnames, names, certUsageSSLClient); ssl_FreeDistNamesStrings(names, nnames); } if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) { CERT_DestroyCertList(certList); - certList = NULL; + return SECFailure; } } - if (certList == NULL) { - /* no user certs meeting the nickname/usage requirements found */ - return SECFailure; - } + /* now remove any certs that can't meet the connection requirements */ rv = ssl_FilterClientCertListBySSLSocket(ss, certList); if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) { // no certs left. CERT_DestroyCertList(certList); return SECFailure; }