Bug 510343 - Segmentation fault if nickname doesn't exist when doing client auth
Segmentation fault if nickname doesn't exist when doing client auth
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: python-nss (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: John Dennis
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-08 14:34 EDT by Rob Crittenden
Modified: 2009-08-17 17:54 EDT (History)
1 user (show)

See Also:
Fixed In Version: 0.6-2.fc11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-09 08:17:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Rob Crittenden 2009-07-08 14:34:32 EDT
Description of problem:

This python program, using nsslib from the IPA project, crashes if the nickname ipaCert is not in the database.

from ipapython import nsslib
import nss.nss as nss
import nss.ssl as ssl
from nss.error import NSPRError

ca_host="test.example.com"
ca_ssl_port=9443
sec_dir="/tmp"
url="/ca/agent/ca/displayBySerial"
post='xmlOutput=true&serialNumber=7'

headers = {"Content-type": "application/x-www-form-urlencoded",
           "Accept": "text/plain"}
conn = nsslib.NSSConnection(ca_host, ca_ssl_port, dbdir=sec_dir)
conn.sslsock.set_client_auth_data_callback(nsslib.client_auth_data_callback, "ipaCert", "", nss.get_default_certdb())
conn.set_debuglevel(99)
conn.request("POST", url, post, headers)
res = conn.getresponse()

The backtrace is:

#0  0x00f519a8 in get_client_auth_data (arg=0xb80583a0, fd=0x9cd4238, 
    caNames=0xbf8f9bd4, pRetCert=0x9cd45f0, pRetKey=0x9cd45f4)
    at src/nss/py_ssl.c:655
655         if (!PyCertificate_Check(py_cert)) {
Missing separate debuginfos, use: debuginfo-install e2fsprogs.i386 keyutils.i386 krb5.i386 libselinux.i386 openssl.i686 zlib.i386
(gdb) where
#0  0x00f519a8 in get_client_auth_data (arg=0xb80583a0, fd=0x9cd4238, 
    caNames=0xbf8f9bd4, pRetCert=0x9cd45f0, pRetKey=0x9cd45f4)
    at src/nss/py_ssl.c:655
#1  0x04c6e69d in ssl3_HandleHandshakeMessage (ss=<value optimized out>, 
    b=<value optimized out>, length=<value optimized out>) at ssl3con.c:5187
#2  0x04c6f2fc in ssl3_HandleRecord (ss=<value optimized out>, 
    cText=<value optimized out>, databuf=<value optimized out>)
    at ssl3con.c:8061
#3  0x04c6fc39 in ssl3_GatherCompleteHandshake (ss=<value optimized out>, 
    flags=<value optimized out>) at ssl3gthr.c:206
#4  0x04c72dab in ssl_GatherRecord1stHandshake (ss=<value optimized out>)
    at sslcon.c:1258
#5  0x04c78995 in ssl_Do1stHandshake (ss=<value optimized out>)
...

(gdb) print py_cert
$1 = (PyObject *) 0x0

Version-Release number of selected component (if applicable):

python-nss-0.1-2
Comment 1 John Dennis 2009-07-08 17:30:43 EDT
please give https://koji.fedoraproject.org/koji/taskinfo?taskID=1462440 a try and let me know if it fixes the problem.
Comment 2 John Dennis 2009-07-08 17:36:16 EDT
oh BTW, you might have to change ssl.nssinit() to nss.nss_init()
Comment 3 Rob Crittenden 2009-07-08 23:09:33 EDT
Works for me after making the API change.
Comment 4 John Dennis 2009-07-09 08:17:08 EDT
Thanks for testing, pushing the fix out now in python-nss-0.6-2

BTW, restored ssl.nssinit() but it issues a deprecation warning.
Comment 5 Fedora Update System 2009-07-09 09:12:40 EDT
python-nss-0.6-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/python-nss-0.6-2.fc11
Comment 6 Fedora Update System 2009-07-09 09:16:24 EDT
python-nss-0.6-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/python-nss-0.6-2.fc10
Comment 7 Fedora Update System 2009-07-16 03:03:50 EDT
python-nss-0.6-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2009-08-17 17:54:56 EDT
python-nss-0.6-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.