bug#2097663

Fix crash when getting client cert and there is none in the database.
2022-06-16 14:22:48 -07:00 · 2022-06-16 14:22:48 -07:00 · a9f44e8e59
parent e5848562c6
commit a9f44e8e59
2 changed files with 29 additions and 2 deletions
--- a/nss-3.79-fix-client-cert-crash.patch
+++ b/nss-3.79-fix-client-cert-crash.patch
@ -0,0 +1,23 @@
+diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
+--- a/lib/ssl/authcert.c
+++ b/lib/ssl/authcert.c
+@@ -212,17 +212,17 @@ NSS_GetClientAuthData(void *arg,
+                                                pw_arg);
+         } else {
+             int nnames = 0;
+             char **names = ssl_DistNamesToStrings(caNames, &nnames);
+             rv = CERT_FilterCertListByCANames(certList, nnames, names,
+                                               certUsageSSLClient);
+             ssl_FreeDistNamesStrings(names, nnames);
+         }
+-        if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
+        if ((rv != SECSuccess) || (certList && CERT_LIST_EMPTY(certList))) {
+             CERT_DestroyCertList(certList);
+             certList = NULL;
+         }
+     }
+     if (certList == NULL) {
+         /* no user certs meeting the nickname/usage requirements found */
+         return SECFailure;
+     }
+
--- a/nss.spec
+++ b/nss.spec
@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 1
+%global baserelease 2
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
@ -131,6 +131,9 @@ Patch12:          nss-signtool-format.patch
 # fedora disabled dbm by default
 Patch40:          nss-no-dbm-man-page.patch

+# upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1774654
+Patch50:	nss-3.79-fix-client-cert-crash.patch
+
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch

@ -1087,6 +1090,7 @@ update-crypto-policies &> /dev/null || :


 %changelog
+* Thu Jun 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
 * Tue May 31 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
 - Update to NSS 3.79
 - Update to NSPR 4.34
@ -1178,7 +1182,7 @@ update-crypto-policies &> /dev/null || :
 - Consolidate NSPR package with this package

 * Mon Oct 26 2020 Bob Relyea <rrelyea@redhat.com> - 3.58.0-4
- fix pkix ocsp to tolerate OCSP checking on intermediates 
+- fix pkix ocsp to tolerate OCSP checking on intermediates
  when the root is signed by sha1 and sha1 is disabled by
  policy