Update net/third_party/nss to NSS 3.13.3.

net/third_party/nss/patches/cachecerts.patch

 From 4c2b4b3992f81f062248f03296f7eb59b5fc0868 Mon Sep 17 00:00:00 2001
 From: Adam Langley <agl@chromium.org>
 Date: Mon, 3 Oct 2011 12:20:29 -0400
 Subject: [PATCH] cachecerts.patch
 
 ---
  mozilla/security/nss/lib/ssl/ssl3con.c  |   54 +++++++++++++++++++++++++++++-
  mozilla/security/nss/lib/ssl/sslimpl.h  |    3 ++
  mozilla/security/nss/lib/ssl/sslnonce.c |    4 ++
  3 files changed, 59 insertions(+), 2 deletions(-)
@@ skipping 64 matching lines @@
 +    ssl3CertNode *c = certs;
 +    for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) {
 +       PORT_Assert(!sid->peerCertChain[i]);
 +       sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
 +    }
 +}
 +
  /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   * ssl3 Certificate message.
   * Caller must hold Handshake and RecvBuf locks.
-@@ -7769,6 +7810,7 @@ static SECStatus
- ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
- {
-     ssl3CertNode *   c;
-+    ssl3CertNode *   lastCert  = NULL;
-     ssl3CertNode *   certs     = NULL;
-     PRArenaPool *    arena     = NULL;
-     CERTCertificate *cert;
-@@ -7896,8 +7938,13 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-        if (c->cert->trust)
-            trusted = PR_TRUE;
- 
--       c->next = certs;
--       certs = c;
-+       c->next = NULL;
-+       if (lastCert) {
-+           lastCert->next = c;
-+       } else {
-+           certs = c;
-+       }
-+       lastCert = c;
-     }
- 
-     if (remaining != 0)
 @@ -7947,6 +7994,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
      }
  
      ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
-+    ssl3_CopyPeerCertsToSID(certs, ss->sec.ci.sid);
++    ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid);
  
      if (!ss->sec.isServer) {
         /* set the server authentication and key exchange types and sizes
-@@ -8118,6 +8166,8 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
-     if (ss->handshake != NULL) {
-        ss->handshake = ssl_GatherRecord1stHandshake;
-        ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
-+       ssl3_CopyPeerCertsToSID((ssl3CertNode *)ss->ssl3.peerCertChain,
-+                               ss->sec.ci.sid);
- 
-        ssl_GetRecvBufLock(ss);
-        if (ss->ssl3.hs.msgState.buf != NULL) {
 diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
 index d1c1181..48d6d83 100644
 --- a/mozilla/security/nss/lib/ssl/sslimpl.h
 +++ b/mozilla/security/nss/lib/ssl/sslimpl.h
 @@ -569,10 +569,13 @@ typedef enum {    never_cached,
                 invalid_cache           /* no longer in any cache. */
  } Cached;
  
 +#define MAX_PEER_CERT_CHAIN_SIZE 8
 +
@@ skipping 20 matching lines @@
 @@ -216,6 +217,9 @@ ssl_DestroySID(sslSessionID *sid)
      if ( sid->peerCert ) {
         CERT_DestroyCertificate(sid->peerCert);
      }
 +    for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
 +       CERT_DestroyCertificate(sid->peerCertChain[i]);
 +    }
      if ( sid->localCert ) {
         CERT_DestroyCertificate(sid->localCert);
      }