Resolves: rhbz#2104703

- more complete fix for the client auth crash
2022-07-07 09:34:21 -07:00 · 2022-07-07 09:34:21 -07:00 · 09dd8eef9a
commit 09dd8eef9a
parent 590eee18a6
2 changed files with 19 additions and 16 deletions
--- a/nss-3.79-fix-client-cert-crash.patch
+++ b/nss-3.79-fix-client-cert-crash.patch
@ -1,23 +1,23 @@
 diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
 --- a/lib/ssl/authcert.c
 +++ b/lib/ssl/authcert.c
-@@ -212,17 +212,17 @@ NSS_GetClientAuthData(void *arg,
+@@ -201,16 +201,19 @@ NSS_GetClientAuthData(void *arg,
+ 
+     /* otherwise look through the cache based on usage
+      * if chosenNickname is set, we ignore the expiration date */
+     if (certList == NULL) {
+         certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
+                                              certUsageSSLClient,
+                                              PR_FALSE, chosenNickName == NULL,
+                                              pw_arg);
+        if (certList == NULL) {
+            return SECFailure;
+        }
+         /* filter only the certs that meet the nickname requirements */
+         if (chosenNickName) {
+             rv = CERT_FilterCertListByNickname(certList, chosenNickName,
                                                pw_arg);
         } else {
             int nnames = 0;
             char **names = ssl_DistNamesToStrings(caNames, &nnames);
             rv = CERT_FilterCertListByCANames(certList, nnames, names,
-                                               certUsageSSLClient);
-             ssl_FreeDistNamesStrings(names, nnames);
-         }
-        if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
-+        if ((rv != SECSuccess) || (certList && CERT_LIST_EMPTY(certList))) {
-             CERT_DestroyCertList(certList);
-             certList = NULL;
-         }
-     }
-     if (certList == NULL) {
-         /* no user certs meeting the nickname/usage requirements found */
-         return SECFailure;
-     }
-
--- a/nss.spec
+++ b/nss.spec
@ -1,6 +1,6 @@
 %global nss_version 3.79.0
 %global nspr_version 4.34.0
-%global baserelease 6
+%global baserelease 7
 %global nss_release %baserelease
 # NOTE: To avoid NVR clashes of nspr* packages:
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
@ -1149,6 +1149,9 @@ update-crypto-policies &> /dev/null || :


 %changelog
+* Thu Jul 7 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-7
+- more complete fix for cert auth regression crash
+
 * Wed Jun 22 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-6
 - Remove debugging printf from a patch
 - increase the pbe cache size to handle reusing the same token key.