search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / net / third_party / nss / patches / cachecerts.patch
blob18fcc242962081d43841911ccef7edfb0ce9ac3f
1 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c
2 index 163572c..60af5b0 100644
3 --- a/ssl/ssl3con.c
4 +++ b/ssl/ssl3con.c
5 @@ -43,6 +43,7 @@
6
7 static SECStatus ssl3_AuthCertificate(sslSocket *ss);
8 static void ssl3_CleanupPeerCerts(sslSocket *ss);
9 +static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
10 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
11 PK11SlotInfo * serverKeySlot);
12 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
13 @@ -6549,6 +6550,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
14 /* copy the peer cert from the SID */
15 if (sid->peerCert != NULL) {
16 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
17 + ssl3_CopyPeerCertsFromSID(ss, sid);
18 }
19
20 /* NULL value for PMS signifies re-use of the old MS */
21 @@ -8140,6 +8142,7 @@ compression_found:
22 ss->sec.ci.sid = sid;
23 if (sid->peerCert != NULL) {
24 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
25 + ssl3_CopyPeerCertsFromSID(ss, sid);
26 }
27
28 /*
29 @@ -9763,6 +9766,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss)
30 ss->ssl3.peerCertChain = NULL;
31 }
32
33 +static void
34 +ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid)
35 +{
36 + PLArenaPool *arena;
37 + ssl3CertNode *lastCert = NULL;
38 + ssl3CertNode *certs = NULL;
39 + int i;
40 +
41 + if (!sid->peerCertChain[0])
42 + return;
43 + PORT_Assert(!ss->ssl3.peerCertArena);
44 + PORT_Assert(!ss->ssl3.peerCertChain);
45 + ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
46 + for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
47 + ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
48 + c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
49 + c->next = NULL;
50 + if (lastCert) {
51 + lastCert->next = c;
52 + } else {
53 + certs = c;
54 + }
55 + lastCert = c;
56 + }
57 + ss->ssl3.peerCertChain = certs;
58 +}
59 +
60 +static void
61 +ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid)
62 +{
63 + int i = 0;
64 + ssl3CertNode *c = certs;
65 + for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) {
66 + PORT_Assert(!sid->peerCertChain[i]);
67 + sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
68 + }
69 +}
70 +
71 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
72 * ssl3 CertificateStatus message.
73 * Caller must hold Handshake and RecvBuf locks.
74 @@ -10041,6 +10082,7 @@ ssl3_AuthCertificate(sslSocket *ss)
75 }
76
77 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
78 + ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid);
79
80 if (!ss->sec.isServer) {
81 CERTCertificate *cert = ss->sec.peerCert;
82 diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h
83 index 1b38a52..086f6d2 100644
84 --- a/ssl/sslimpl.h
85 +++ b/ssl/sslimpl.h
86 @@ -597,6 +597,8 @@ typedef enum { never_cached,
87 invalid_cache /* no longer in any cache. */
88 } Cached;
89
90 +#define MAX_PEER_CERT_CHAIN_SIZE 8
91 +
92 struct sslSessionIDStr {
93 /* The global cache lock must be held when accessing these members when the
94 * sid is in any cache.
95 @@ -611,6 +613,7 @@ struct sslSessionIDStr {
96 */
97
98 CERTCertificate * peerCert;
99 + CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
100 SECItemArray peerCertStatus; /* client only */
101 const char * peerID; /* client only */
102 const char * urlSvrName; /* client only */
103 diff --git a/ssl/sslnonce.c b/ssl/sslnonce.c
104 index 2e861f1..be11008 100644
105 --- a/ssl/sslnonce.c
106 +++ b/ssl/sslnonce.c
107 @@ -164,6 +164,7 @@ lock_cache(void)
108 static void
109 ssl_DestroySID(sslSessionID *sid)
110 {
111 + int i;
112 SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
113 PORT_Assert(sid->references == 0);
114 PORT_Assert(sid->cached != in_client_cache);
115 @@ -194,6 +195,9 @@ ssl_DestroySID(sslSessionID *sid)
116 if ( sid->peerCert ) {
117 CERT_DestroyCertificate(sid->peerCert);
118 }
119 + for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
120 + CERT_DestroyCertificate(sid->peerCertChain[i]);
121 + }
122 if (sid->peerCertStatus.items) {
123 SECITEM_FreeArray(&sid->peerCertStatus, PR_FALSE);
124 }