Index: net/third_party/nss/patches/cachecerts.patch |
diff --git a/net/third_party/nss/patches/cachecerts.patch b/net/third_party/nss/patches/cachecerts.patch |
index 1e0e3135c8c22b2c2992b4a25a36359953f91814..196bb278194ee41bdbc5e6ee6b11fb8f73bc3161 100644 |
--- a/net/third_party/nss/patches/cachecerts.patch |
+++ b/net/third_party/nss/patches/cachecerts.patch |
@@ -1,33 +1,25 @@ |
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c |
-index 8f1c547..9aaf601 100644 |
+index c3698f3..b8d4784 100644 |
--- a/lib/ssl/ssl3con.c |
+++ b/lib/ssl/ssl3con.c |
-@@ -45,6 +45,7 @@ |
+@@ -47,6 +47,7 @@ |
static SECStatus ssl3_AuthCertificate(sslSocket *ss); |
- static void ssl3_CleanupPeerCerts(sslSocket *ss); |
-+static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); |
+ static void ssl3_CleanupPeerCerts(sslSocket *ss); |
++static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); |
static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, |
- PK11SlotInfo * serverKeySlot); |
+ PK11SlotInfo *serverKeySlot); |
static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); |
-@@ -6751,6 +6752,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
- /* copy the peer cert from the SID */ |
- if (sid->peerCert != NULL) { |
- ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
-+ ssl3_CopyPeerCertsFromSID(ss, sid); |
- } |
+@@ -7102,6 +7103,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
+ /* copy the peer cert from the SID */ |
+ if (sid->peerCert != NULL) { |
+ ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
++ ssl3_CopyPeerCertsFromSID(ss, sid); |
+ } |
- /* NULL value for PMS because we are reusing the old MS */ |
-@@ -8405,6 +8407,7 @@ compression_found: |
- ss->sec.ci.sid = sid; |
- if (sid->peerCert != NULL) { |
- ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
-+ ssl3_CopyPeerCertsFromSID(ss, sid); |
- } |
- |
- /* |
-@@ -10389,6 +10392,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss) |
- ss->ssl3.peerCertChain = NULL; |
+ /* NULL value for PMS because we are reusing the old MS */ |
+@@ -8266,6 +8268,44 @@ ssl3_KEAAllowsSessionTicket(SSL3KeyExchangeAlgorithm kea) |
+ }; |
} |
+static void |
@@ -39,20 +31,20 @@ index 8f1c547..9aaf601 100644 |
+ int i; |
+ |
+ if (!sid->peerCertChain[0]) |
-+ return; |
++ return; |
+ PORT_Assert(!ss->ssl3.peerCertArena); |
+ PORT_Assert(!ss->ssl3.peerCertChain); |
+ ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
+ for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) { |
-+ ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode); |
-+ c->cert = CERT_DupCertificate(sid->peerCertChain[i]); |
-+ c->next = NULL; |
-+ if (lastCert) { |
-+ lastCert->next = c; |
-+ } else { |
-+ certs = c; |
-+ } |
-+ lastCert = c; |
++ ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode); |
++ c->cert = CERT_DupCertificate(sid->peerCertChain[i]); |
++ c->next = NULL; |
++ if (lastCert) { |
++ lastCert->next = c; |
++ } else { |
++ certs = c; |
++ } |
++ lastCert = c; |
+ } |
+ ss->ssl3.peerCertChain = certs; |
+} |
@@ -63,15 +55,23 @@ index 8f1c547..9aaf601 100644 |
+ int i = 0; |
+ ssl3CertNode *c = certs; |
+ for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) { |
-+ PORT_Assert(!sid->peerCertChain[i]); |
-+ sid->peerCertChain[i] = CERT_DupCertificate(c->cert); |
++ PORT_Assert(!sid->peerCertChain[i]); |
++ sid->peerCertChain[i] = CERT_DupCertificate(c->cert); |
+ } |
+} |
+ |
/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
- * ssl3 CertificateStatus message. |
+ * ssl3 Client Hello message. |
* Caller must hold Handshake and RecvBuf locks. |
-@@ -10669,6 +10710,7 @@ ssl3_AuthCertificate(sslSocket *ss) |
+@@ -8886,6 +8926,7 @@ compression_found: |
+ ss->sec.ci.sid = sid; |
+ if (sid->peerCert != NULL) { |
+ ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); |
++ ssl3_CopyPeerCertsFromSID(ss, sid); |
+ } |
+ |
+ /* |
+@@ -11240,6 +11281,7 @@ ssl3_AuthCertificate(sslSocket *ss) |
} |
ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); |
@@ -80,11 +80,11 @@ index 8f1c547..9aaf601 100644 |
if (!ss->sec.isServer) { |
CERTCertificate *cert = ss->sec.peerCert; |
diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h |
-index ad31aae..9dcc29e 100644 |
+index bce9437..10361a0 100644 |
--- a/lib/ssl/sslimpl.h |
+++ b/lib/ssl/sslimpl.h |
-@@ -608,6 +608,8 @@ typedef enum { never_cached, |
- invalid_cache /* no longer in any cache. */ |
+@@ -614,6 +614,8 @@ typedef enum { never_cached, |
+ invalid_cache /* no longer in any cache. */ |
} Cached; |
+#define MAX_PEER_CERT_CHAIN_SIZE 8 |
@@ -92,19 +92,19 @@ index ad31aae..9dcc29e 100644 |
struct sslSessionIDStr { |
/* The global cache lock must be held when accessing these members when the |
* sid is in any cache. |
-@@ -622,6 +624,7 @@ struct sslSessionIDStr { |
+@@ -628,6 +630,7 @@ struct sslSessionIDStr { |
*/ |
- CERTCertificate * peerCert; |
-+ CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE]; |
- SECItemArray peerCertStatus; /* client only */ |
- const char * peerID; /* client only */ |
- const char * urlSvrName; /* client only */ |
+ CERTCertificate *peerCert; |
++ CERTCertificate *peerCertChain[MAX_PEER_CERT_CHAIN_SIZE]; |
+ SECItemArray peerCertStatus; /* client only */ |
+ const char *peerID; /* client only */ |
+ const char *urlSvrName; /* client only */ |
diff --git a/lib/ssl/sslnonce.c b/lib/ssl/sslnonce.c |
-index 2e861f1..be11008 100644 |
+index 85031c4..3216892 100644 |
--- a/lib/ssl/sslnonce.c |
+++ b/lib/ssl/sslnonce.c |
-@@ -164,6 +164,7 @@ lock_cache(void) |
+@@ -167,6 +167,7 @@ lock_cache(void) |
static void |
ssl_DestroySID(sslSessionID *sid) |
{ |
@@ -112,9 +112,9 @@ index 2e861f1..be11008 100644 |
SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached)); |
PORT_Assert(sid->references == 0); |
PORT_Assert(sid->cached != in_client_cache); |
-@@ -194,6 +195,9 @@ ssl_DestroySID(sslSessionID *sid) |
- if ( sid->peerCert ) { |
- CERT_DestroyCertificate(sid->peerCert); |
+@@ -200,6 +201,9 @@ ssl_DestroySID(sslSessionID *sid) |
+ if (sid->peerCert) { |
+ CERT_DestroyCertificate(sid->peerCert); |
} |
+ for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) { |
+ CERT_DestroyCertificate(sid->peerCertChain[i]); |