1 files changed, 38 insertions, 0 deletions

diff --git a/dev-libs/nss/files/nss-3.87-fix-client-cert-crash.patch b/dev-libs/nss/files/nss-3.87-fix-client-cert-crash.patch
new file mode 100644
index 000000000000..2f8c3b37219b
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.87-fix-client-cert-crash.patch
@@ -0,0 +1,38 @@
+diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
+--- a/lib/ssl/authcert.c
++++ b/lib/ssl/authcert.c
+@@ -204,10 +204,13 @@
+     if (certList == NULL) {
+         certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
+                                              certUsageSSLClient,
+                                              PR_FALSE, chosenNickName == NULL,
+                                              pw_arg);
++        if (certList == NULL) {
++            return SECFailure;
++        }
+         /* filter only the certs that meet the nickname requirements */
+         if (chosenNickName) {
+             rv = CERT_FilterCertListByNickname(certList, chosenNickName,
+                                                pw_arg);
+         } else {
+@@ -217,17 +220,14 @@
+                                               certUsageSSLClient);
+             ssl_FreeDistNamesStrings(names, nnames);
+         }
+         if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
+             CERT_DestroyCertList(certList);
+-            certList = NULL;
++            return SECFailure;
+         }
+     }
+-    if (certList == NULL) {
+-        /* no user certs meeting the nickname/usage requirements found */
+-        return SECFailure;
+-    }
++
+     /* now remove any certs that can't meet the connection requirements */
+     rv = ssl_FilterClientCertListBySSLSocket(ss, certList);
+     if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
+         // no certs left.
+         CERT_DestroyCertList(certList);
+