OLD | NEW |
1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c | 1 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c |
2 --- a/nss/lib/ssl/ssl3con.c» 2014-01-17 17:49:26.062517203 -0800 | 2 index 529eb42..ebaee61 100644 |
3 +++ b/nss/lib/ssl/ssl3con.c» 2014-01-17 17:51:23.974478249 -0800 | 3 --- a/ssl/ssl3con.c |
| 4 +++ b/ssl/ssl3con.c |
4 @@ -43,6 +43,7 @@ | 5 @@ -43,6 +43,7 @@ |
5 | 6 |
6 static SECStatus ssl3_AuthCertificate(sslSocket *ss); | 7 static SECStatus ssl3_AuthCertificate(sslSocket *ss); |
7 static void ssl3_CleanupPeerCerts(sslSocket *ss); | 8 static void ssl3_CleanupPeerCerts(sslSocket *ss); |
8 +static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); | 9 +static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); |
9 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, | 10 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, |
10 PK11SlotInfo * serverKeySlot); | 11 PK11SlotInfo * serverKeySlot); |
11 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); | 12 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); |
12 @@ -6474,6 +6475,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS | 13 @@ -6534,6 +6535,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
13 /* copy the peer cert from the SID */ | 14 /* copy the peer cert from the SID */ |
14 if (sid->peerCert != NULL) { | 15 if (sid->peerCert != NULL) { |
15 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); | 16 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
16 + ssl3_CopyPeerCertsFromSID(ss, sid); | 17 + ssl3_CopyPeerCertsFromSID(ss, sid); |
17 } | 18 } |
18 | 19 |
19 /* NULL value for PMS signifies re-use of the old MS */ | 20 /* NULL value for PMS signifies re-use of the old MS */ |
20 @@ -8048,6 +8050,7 @@ compression_found: | 21 @@ -8127,6 +8129,7 @@ compression_found: |
21 ss->sec.ci.sid = sid; | 22 ss->sec.ci.sid = sid; |
22 if (sid->peerCert != NULL) { | 23 if (sid->peerCert != NULL) { |
23 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); | 24 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
24 + ssl3_CopyPeerCertsFromSID(ss, sid); | 25 + ssl3_CopyPeerCertsFromSID(ss, sid); |
25 } | 26 } |
26 | 27 |
27 /* | 28 /* |
28 @@ -9662,6 +9665,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss) | 29 @@ -9750,6 +9753,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss) |
29 ss->ssl3.peerCertChain = NULL; | 30 ss->ssl3.peerCertChain = NULL; |
30 } | 31 } |
31 | 32 |
32 +static void | 33 +static void |
33 +ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid) | 34 +ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid) |
34 +{ | 35 +{ |
35 + PLArenaPool *arena; | 36 + PLArenaPool *arena; |
36 + ssl3CertNode *lastCert = NULL; | 37 + ssl3CertNode *lastCert = NULL; |
37 + ssl3CertNode *certs = NULL; | 38 + ssl3CertNode *certs = NULL; |
38 + int i; | 39 + int i; |
(...skipping 24 matching lines...) Expand all Loading... |
63 + ssl3CertNode *c = certs; | 64 + ssl3CertNode *c = certs; |
64 + for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) { | 65 + for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) { |
65 + PORT_Assert(!sid->peerCertChain[i]); | 66 + PORT_Assert(!sid->peerCertChain[i]); |
66 + sid->peerCertChain[i] = CERT_DupCertificate(c->cert); | 67 + sid->peerCertChain[i] = CERT_DupCertificate(c->cert); |
67 + } | 68 + } |
68 +} | 69 +} |
69 + | 70 + |
70 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 71 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
71 * ssl3 CertificateStatus message. | 72 * ssl3 CertificateStatus message. |
72 * Caller must hold Handshake and RecvBuf locks. | 73 * Caller must hold Handshake and RecvBuf locks. |
73 @@ -9940,6 +9981,7 @@ ssl3_AuthCertificate(sslSocket *ss) | 74 @@ -10028,6 +10069,7 @@ ssl3_AuthCertificate(sslSocket *ss) |
74 } | 75 } |
75 | 76 |
76 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); | 77 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); |
77 + ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid); | 78 + ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid); |
78 | 79 |
79 if (!ss->sec.isServer) { | 80 if (!ss->sec.isServer) { |
80 CERTCertificate *cert = ss->sec.peerCert; | 81 CERTCertificate *cert = ss->sec.peerCert; |
81 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h | 82 diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h |
82 --- a/nss/lib/ssl/sslimpl.h» 2014-01-17 17:49:26.072517368 -0800 | 83 index 858ae0c..88a7039 100644 |
83 +++ b/nss/lib/ssl/sslimpl.h» 2014-01-17 17:51:23.984478418 -0800 | 84 --- a/ssl/sslimpl.h |
84 @@ -595,6 +595,8 @@ typedef enum {» never_cached, | 85 +++ b/ssl/sslimpl.h |
| 86 @@ -597,6 +597,8 @@ typedef enum {» never_cached, |
85 invalid_cache /* no longer in any cache. */ | 87 invalid_cache /* no longer in any cache. */ |
86 } Cached; | 88 } Cached; |
87 | 89 |
88 +#define MAX_PEER_CERT_CHAIN_SIZE 8 | 90 +#define MAX_PEER_CERT_CHAIN_SIZE 8 |
89 + | 91 + |
90 struct sslSessionIDStr { | 92 struct sslSessionIDStr { |
91 /* The global cache lock must be held when accessing these members when the | 93 /* The global cache lock must be held when accessing these members when the |
92 * sid is in any cache. | 94 * sid is in any cache. |
93 @@ -609,6 +611,7 @@ struct sslSessionIDStr { | 95 @@ -611,6 +613,7 @@ struct sslSessionIDStr { |
94 */ | 96 */ |
95 | 97 |
96 CERTCertificate * peerCert; | 98 CERTCertificate * peerCert; |
97 + CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE]; | 99 + CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE]; |
98 SECItemArray peerCertStatus; /* client only */ | 100 SECItemArray peerCertStatus; /* client only */ |
99 const char * peerID; /* client only */ | 101 const char * peerID; /* client only */ |
100 const char * urlSvrName; /* client only */ | 102 const char * urlSvrName; /* client only */ |
101 diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c | 103 diff --git a/ssl/sslnonce.c b/ssl/sslnonce.c |
102 --- a/nss/lib/ssl/sslnonce.c» 2014-01-17 17:49:26.072517368 -0800 | 104 index 2e861f1..be11008 100644 |
103 +++ b/nss/lib/ssl/sslnonce.c» 2014-01-17 17:51:23.984478418 -0800 | 105 --- a/ssl/sslnonce.c |
| 106 +++ b/ssl/sslnonce.c |
104 @@ -164,6 +164,7 @@ lock_cache(void) | 107 @@ -164,6 +164,7 @@ lock_cache(void) |
105 static void | 108 static void |
106 ssl_DestroySID(sslSessionID *sid) | 109 ssl_DestroySID(sslSessionID *sid) |
107 { | 110 { |
108 + int i; | 111 + int i; |
109 SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached)); | 112 SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached)); |
110 PORT_Assert(sid->references == 0); | 113 PORT_Assert(sid->references == 0); |
111 PORT_Assert(sid->cached != in_client_cache); | 114 PORT_Assert(sid->cached != in_client_cache); |
112 @@ -194,6 +195,9 @@ ssl_DestroySID(sslSessionID *sid) | 115 @@ -194,6 +195,9 @@ ssl_DestroySID(sslSessionID *sid) |
113 if ( sid->peerCert ) { | 116 if ( sid->peerCert ) { |
114 CERT_DestroyCertificate(sid->peerCert); | 117 CERT_DestroyCertificate(sid->peerCert); |
115 } | 118 } |
116 + for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) { | 119 + for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) { |
117 + CERT_DestroyCertificate(sid->peerCertChain[i]); | 120 + CERT_DestroyCertificate(sid->peerCertChain[i]); |
118 + } | 121 + } |
119 if (sid->peerCertStatus.items) { | 122 if (sid->peerCertStatus.items) { |
120 SECITEM_FreeArray(&sid->peerCertStatus, PR_FALSE); | 123 SECITEM_FreeArray(&sid->peerCertStatus, PR_FALSE); |
121 } | 124 } |
OLD | NEW |