authorRobert Relyea <rrelyea@redhat.com>2022-12-08 13:17:18 -0800
committerRobert Relyea <rrelyea@redhat.com>2022-12-08 13:17:18 -0800
commit82c3331a469e8b8fd69e799b2c28a79de0612a67 (patch)
tree4c425b4e4f4a68ce5e78520c7cf45868ff45b4fe
parent311df61c6a4771757ff959a96b27caacd2324eed (diff)
Bug 1774654 tstclnt crashes when accessing gnutls server without a user cert in the database.
The filter functions do not handle NULL CERTCertLists, but CERT_FindUserCertsByUsage can return a NULL cert list. If it returns a NULL list, we should just fail at that point (there are no certs available). Differential Revision: https://phabricator.services.mozilla.com/D164273
-rw-r--r--lib/ssl/authcert.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
index 073103d5a..3d64173b4 100644
--- a/lib/ssl/authcert.c
+++ b/lib/ssl/authcert.c
@@ -206,6 +206,9 @@ NSS_GetClientAuthData(void *arg,
certUsageSSLClient,
PR_FALSE, chosenNickName == NULL,
pw_arg);
+ if (certList == NULL) {
+ return SECFailure;
+ }
/* filter only the certs that meet the nickname requirements */
if (chosenNickName) {
rv = CERT_FilterCertListByNickname(certList, chosenNickName,
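Review bot: The new `if (certList == NULL)` return after CERT_FindUserCertsByUsage exits with SECFailure without setting an error code in the visible lines, and the same holds for the `return SECFailure;` added in the second hunk when a filter succeeds but leaves the list empty. Whether the lookup or the filters set an error themselves is not visible here, so a caller may read a stale code; a `PORT_SetError(SSL_ERROR_NO_CERTIFICATE);` before each return would make the failure unambiguous. A short comment on the check, such as `/* no user certs available; the filter functions below do not accept a NULL list */`, would record why the guard has to sit before the filtering. The function body starts and ends outside this hunk.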
@@ -219,13 +222,10 @@ NSS_GetClientAuthData(void *arg,
}
if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
CERT_DestroyCertList(certList);
- certList = NULL;
+ return SECFailure;
}
}
- if (certList == NULL) {
- /* no user certs meeting the nickname/usage requirements found */
- return SECFailure;
- }
+
/* now remove any certs that can't meet the connection requirements */
rv = ssl_FilterClientCertListBySSLSocket(ss, certList);
if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
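Review bot: The explanatory comment deleted with the old `certList == NULL` check is not carried over to the new `return SECFailure;` in the filter-failure branch, so the reason for the early exit is no longer stated anywhere. I would keep it directly above that return: `/* no user certs meeting the nickname/usage requirements found */`. The enclosing block opens before this hunk, and the `if` on the last line continues past it.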