OLD | NEW |
1 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c | 1 diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c |
2 index 163572c..60af5b0 100644 | 2 index 8f1c547..9aaf601 100644 |
3 --- a/ssl/ssl3con.c | 3 --- a/lib/ssl/ssl3con.c |
4 +++ b/ssl/ssl3con.c | 4 +++ b/lib/ssl/ssl3con.c |
5 @@ -43,6 +43,7 @@ | 5 @@ -45,6 +45,7 @@ |
6 | 6 |
7 static SECStatus ssl3_AuthCertificate(sslSocket *ss); | 7 static SECStatus ssl3_AuthCertificate(sslSocket *ss); |
8 static void ssl3_CleanupPeerCerts(sslSocket *ss); | 8 static void ssl3_CleanupPeerCerts(sslSocket *ss); |
9 +static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); | 9 +static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); |
10 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, | 10 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, |
11 PK11SlotInfo * serverKeySlot); | 11 PK11SlotInfo * serverKeySlot); |
12 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); | 12 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); |
13 @@ -6549,6 +6550,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) | 13 @@ -6751,6 +6752,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
14 /* copy the peer cert from the SID */ | 14 /* copy the peer cert from the SID */ |
15 if (sid->peerCert != NULL) { | 15 if (sid->peerCert != NULL) { |
16 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); | 16 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
17 + ssl3_CopyPeerCertsFromSID(ss, sid); | 17 + ssl3_CopyPeerCertsFromSID(ss, sid); |
18 } | 18 } |
19 | 19 |
20 » /* NULL value for PMS signifies re-use of the old MS */ | 20 » /* NULL value for PMS because we are reusing the old MS */ |
21 @@ -8140,6 +8142,7 @@ compression_found: | 21 @@ -8405,6 +8407,7 @@ compression_found: |
22 ss->sec.ci.sid = sid; | 22 ss->sec.ci.sid = sid; |
23 if (sid->peerCert != NULL) { | 23 if (sid->peerCert != NULL) { |
24 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); | 24 ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
25 + ssl3_CopyPeerCertsFromSID(ss, sid); | 25 + ssl3_CopyPeerCertsFromSID(ss, sid); |
26 } | 26 } |
27 | 27 |
28 /* | 28 /* |
29 @@ -9763,6 +9766,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss) | 29 @@ -10389,6 +10392,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss) |
30 ss->ssl3.peerCertChain = NULL; | 30 ss->ssl3.peerCertChain = NULL; |
31 } | 31 } |
32 | 32 |
33 +static void | 33 +static void |
34 +ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid) | 34 +ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid) |
35 +{ | 35 +{ |
36 + PLArenaPool *arena; | 36 + PLArenaPool *arena; |
37 + ssl3CertNode *lastCert = NULL; | 37 + ssl3CertNode *lastCert = NULL; |
38 + ssl3CertNode *certs = NULL; | 38 + ssl3CertNode *certs = NULL; |
39 + int i; | 39 + int i; |
(...skipping 24 matching lines...) Expand all Loading... |
64 + ssl3CertNode *c = certs; | 64 + ssl3CertNode *c = certs; |
65 + for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) { | 65 + for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) { |
66 + PORT_Assert(!sid->peerCertChain[i]); | 66 + PORT_Assert(!sid->peerCertChain[i]); |
67 + sid->peerCertChain[i] = CERT_DupCertificate(c->cert); | 67 + sid->peerCertChain[i] = CERT_DupCertificate(c->cert); |
68 + } | 68 + } |
69 +} | 69 +} |
70 + | 70 + |
71 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 71 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
72 * ssl3 CertificateStatus message. | 72 * ssl3 CertificateStatus message. |
73 * Caller must hold Handshake and RecvBuf locks. | 73 * Caller must hold Handshake and RecvBuf locks. |
74 @@ -10041,6 +10082,7 @@ ssl3_AuthCertificate(sslSocket *ss) | 74 @@ -10669,6 +10710,7 @@ ssl3_AuthCertificate(sslSocket *ss) |
75 } | 75 } |
76 | 76 |
77 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); | 77 ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); |
78 + ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid); | 78 + ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid); |
79 | 79 |
80 if (!ss->sec.isServer) { | 80 if (!ss->sec.isServer) { |
81 CERTCertificate *cert = ss->sec.peerCert; | 81 CERTCertificate *cert = ss->sec.peerCert; |
82 diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h | 82 diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h |
83 index 1b38a52..086f6d2 100644 | 83 index ad31aae..9dcc29e 100644 |
84 --- a/ssl/sslimpl.h | 84 --- a/lib/ssl/sslimpl.h |
85 +++ b/ssl/sslimpl.h | 85 +++ b/lib/ssl/sslimpl.h |
86 @@ -597,6 +597,8 @@ typedef enum {» never_cached, | 86 @@ -608,6 +608,8 @@ typedef enum {» never_cached, |
87 invalid_cache /* no longer in any cache. */ | 87 invalid_cache /* no longer in any cache. */ |
88 } Cached; | 88 } Cached; |
89 | 89 |
90 +#define MAX_PEER_CERT_CHAIN_SIZE 8 | 90 +#define MAX_PEER_CERT_CHAIN_SIZE 8 |
91 + | 91 + |
92 struct sslSessionIDStr { | 92 struct sslSessionIDStr { |
93 /* The global cache lock must be held when accessing these members when the | 93 /* The global cache lock must be held when accessing these members when the |
94 * sid is in any cache. | 94 * sid is in any cache. |
95 @@ -611,6 +613,7 @@ struct sslSessionIDStr { | 95 @@ -622,6 +624,7 @@ struct sslSessionIDStr { |
96 */ | 96 */ |
97 | 97 |
98 CERTCertificate * peerCert; | 98 CERTCertificate * peerCert; |
99 + CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE]; | 99 + CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE]; |
100 SECItemArray peerCertStatus; /* client only */ | 100 SECItemArray peerCertStatus; /* client only */ |
101 const char * peerID; /* client only */ | 101 const char * peerID; /* client only */ |
102 const char * urlSvrName; /* client only */ | 102 const char * urlSvrName; /* client only */ |
103 diff --git a/ssl/sslnonce.c b/ssl/sslnonce.c | 103 diff --git a/lib/ssl/sslnonce.c b/lib/ssl/sslnonce.c |
104 index 2e861f1..be11008 100644 | 104 index 2e861f1..be11008 100644 |
105 --- a/ssl/sslnonce.c | 105 --- a/lib/ssl/sslnonce.c |
106 +++ b/ssl/sslnonce.c | 106 +++ b/lib/ssl/sslnonce.c |
107 @@ -164,6 +164,7 @@ lock_cache(void) | 107 @@ -164,6 +164,7 @@ lock_cache(void) |
108 static void | 108 static void |
109 ssl_DestroySID(sslSessionID *sid) | 109 ssl_DestroySID(sslSessionID *sid) |
110 { | 110 { |
111 + int i; | 111 + int i; |
112 SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached)); | 112 SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached)); |
113 PORT_Assert(sid->references == 0); | 113 PORT_Assert(sid->references == 0); |
114 PORT_Assert(sid->cached != in_client_cache); | 114 PORT_Assert(sid->cached != in_client_cache); |
115 @@ -194,6 +195,9 @@ ssl_DestroySID(sslSessionID *sid) | 115 @@ -194,6 +195,9 @@ ssl_DestroySID(sslSessionID *sid) |
116 if ( sid->peerCert ) { | 116 if ( sid->peerCert ) { |
117 CERT_DestroyCertificate(sid->peerCert); | 117 CERT_DestroyCertificate(sid->peerCert); |
118 } | 118 } |
119 + for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) { | 119 + for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) { |
120 + CERT_DestroyCertificate(sid->peerCertChain[i]); | 120 + CERT_DestroyCertificate(sid->peerCertChain[i]); |
121 + } | 121 + } |
122 if (sid->peerCertStatus.items) { | 122 if (sid->peerCertStatus.items) { |
123 SECITEM_FreeArray(&sid->peerCertStatus, PR_FALSE); | 123 SECITEM_FreeArray(&sid->peerCertStatus, PR_FALSE); |
124 } | 124 } |
OLD | NEW |