author | Robert Relyea <rrelyea@redhat.com> | 2022-12-08 13:17:18 -0800 |
---|---|---|
committer | Robert Relyea <rrelyea@redhat.com> | 2022-12-08 13:17:18 -0800 |
commit | 82c3331a469e8b8fd69e799b2c28a79de0612a67 (patch) | |
tree | 4c425b4e4f4a68ce5e78520c7cf45868ff45b4fe | |
parent | 311df61c6a4771757ff959a96b27caacd2324eed (diff) | |
download | nss-hg-82c3331a469e8b8fd69e799b2c28a79de0612a67.tar.gz |
Bug 1774654 tstclnt crashes when accessing gnutls server without a user cert in the database.
The filter functions do not handle NULL CERTCertLists, but CERT_FindUserCertsByUsage can return a NULL cert list. If it returns a NULL list, we should just
fail at the point (there are no certs available).
Differential Revision: https://phabricator.services.mozilla.com/D164273
-rw-r--r-- | lib/ssl/authcert.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c index 073103d5a..3d64173b4 100644 --- a/lib/ssl/authcert.c +++ b/lib/ssl/authcert.c @@ -206,6 +206,9 @@ NSS_GetClientAuthData(void *arg, certUsageSSLClient, PR_FALSE, chosenNickName == NULL, pw_arg); + if (certList == NULL) { + return SECFailure; + } /* filter only the certs that meet the nickname requirements */ if (chosenNickName) { rv = CERT_FilterCertListByNickname(certList, chosenNickName, @@ -219,13 +222,10 @@ NSS_GetClientAuthData(void *arg, } if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) { CERT_DestroyCertList(certList); - certList = NULL; + return SECFailure; } } - if (certList == NULL) { - /* no user certs meeting the nickname/usage requirements found */ - return SECFailure; - } + /* now remove any certs that can't meet the connection requirements */ rv = ssl_FilterClientCertListBySSLSocket(ss, certList); if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) { |
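Review bot: In the first hunk, the new `if (certList == NULL)` check after the CERT_FindUserCertsByUsage call carries no comment, so its rationale (the filter functions that follow do not handle a NULL list, and the lookup can return one) is recorded only in the commit message. A one-line comment above the check would keep that reasoning with the code. The diffstat shows only lib/ssl/authcert.c changing, so a regression test for the no-user-cert case named in the bug title would be worth adding with this fix.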
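Review bot: In the second hunk, the `return SECFailure;` that replaces `certList = NULL;` drops the removed comment `/* no user certs meeting the nickname/usage requirements found */`, and the branch returns the same bare failure whether the filter call failed (`rv != SECSuccess`) or the list simply ended up empty. Moving that comment next to the new return would keep the intent readable at the point where the function exits. On cleanup the early return looks fine as far as the visible lines show, since `CERT_DestroyCertList(certList)` runs immediately before it.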