| Index: net/third_party/nss/patches/cachecerts.patch
|
| diff --git a/net/third_party/nss/patches/cachecerts.patch b/net/third_party/nss/patches/cachecerts.patch
|
| index 1e0e3135c8c22b2c2992b4a25a36359953f91814..196bb278194ee41bdbc5e6ee6b11fb8f73bc3161 100644
|
| --- a/net/third_party/nss/patches/cachecerts.patch
|
| +++ b/net/third_party/nss/patches/cachecerts.patch
|
| @@ -1,33 +1,25 @@
|
| diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
| -index 8f1c547..9aaf601 100644
|
| +index c3698f3..b8d4784 100644
|
| --- a/lib/ssl/ssl3con.c
|
| +++ b/lib/ssl/ssl3con.c
|
| -@@ -45,6 +45,7 @@
|
| +@@ -47,6 +47,7 @@
|
|
|
| static SECStatus ssl3_AuthCertificate(sslSocket *ss);
|
| - static void ssl3_CleanupPeerCerts(sslSocket *ss);
|
| -+static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
|
| + static void ssl3_CleanupPeerCerts(sslSocket *ss);
|
| ++static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
|
| static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
|
| - PK11SlotInfo * serverKeySlot);
|
| + PK11SlotInfo *serverKeySlot);
|
| static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
|
| -@@ -6751,6 +6752,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| - /* copy the peer cert from the SID */
|
| - if (sid->peerCert != NULL) {
|
| - ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
|
| -+ ssl3_CopyPeerCertsFromSID(ss, sid);
|
| - }
|
| +@@ -7102,6 +7103,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| + /* copy the peer cert from the SID */
|
| + if (sid->peerCert != NULL) {
|
| + ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
|
| ++ ssl3_CopyPeerCertsFromSID(ss, sid);
|
| + }
|
|
|
| - /* NULL value for PMS because we are reusing the old MS */
|
| -@@ -8405,6 +8407,7 @@ compression_found:
|
| - ss->sec.ci.sid = sid;
|
| - if (sid->peerCert != NULL) {
|
| - ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
|
| -+ ssl3_CopyPeerCertsFromSID(ss, sid);
|
| - }
|
| -
|
| - /*
|
| -@@ -10389,6 +10392,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss)
|
| - ss->ssl3.peerCertChain = NULL;
|
| + /* NULL value for PMS because we are reusing the old MS */
|
| +@@ -8266,6 +8268,44 @@ ssl3_KEAAllowsSessionTicket(SSL3KeyExchangeAlgorithm kea)
|
| + };
|
| }
|
|
|
| +static void
|
| @@ -39,20 +31,20 @@ index 8f1c547..9aaf601 100644
|
| + int i;
|
| +
|
| + if (!sid->peerCertChain[0])
|
| -+ return;
|
| ++ return;
|
| + PORT_Assert(!ss->ssl3.peerCertArena);
|
| + PORT_Assert(!ss->ssl3.peerCertChain);
|
| + ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
| + for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
|
| -+ ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
|
| -+ c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
|
| -+ c->next = NULL;
|
| -+ if (lastCert) {
|
| -+ lastCert->next = c;
|
| -+ } else {
|
| -+ certs = c;
|
| -+ }
|
| -+ lastCert = c;
|
| ++ ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
|
| ++ c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
|
| ++ c->next = NULL;
|
| ++ if (lastCert) {
|
| ++ lastCert->next = c;
|
| ++ } else {
|
| ++ certs = c;
|
| ++ }
|
| ++ lastCert = c;
|
| + }
|
| + ss->ssl3.peerCertChain = certs;
|
| +}
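Review bot: The allocation results in `ssl3_CopyPeerCertsFromSID` are dereferenced without a check: `PORT_NewArena(DER_DEFAULT_CHUNKSIZE)` can return NULL and is passed straight to `PORT_ArenaNew`, and each `ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode)` is written through (`c->cert = ...`) without testing `c`, so an allocation failure during resumption is a NULL dereference rather than a degraded resume. Adding `if (!arena) return;` after the arena assignment and `if (!c) break;` after the node allocation keeps the function in the same state the existing `if (!sid->peerCertChain[0]) return;` guard already produces (no restored chain), which callers appear to tolerate. The arena pointer is stored in `ss->ssl3.peerCertArena` before the check, so the usual peer-cert cleanup presumably still frees it — worth confirming. The function's signature and the declarations of `arena`, `certs` and `lastCert` are above this hunk.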
|
| @@ -63,15 +55,23 @@ index 8f1c547..9aaf601 100644
|
| + int i = 0;
|
| + ssl3CertNode *c = certs;
|
| + for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) {
|
| -+ PORT_Assert(!sid->peerCertChain[i]);
|
| -+ sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
|
| ++ PORT_Assert(!sid->peerCertChain[i]);
|
| ++ sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
|
| + }
|
| +}
|
| +
|
| /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
|
| - * ssl3 CertificateStatus message.
|
| + * ssl3 Client Hello message.
|
| * Caller must hold Handshake and RecvBuf locks.
|
| -@@ -10669,6 +10710,7 @@ ssl3_AuthCertificate(sslSocket *ss)
|
| +@@ -8886,6 +8926,7 @@ compression_found:
|
| + ss->sec.ci.sid = sid;
|
| + if (sid->peerCert != NULL) {
|
| + ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
|
| ++ ssl3_CopyPeerCertsFromSID(ss, sid);
|
| + }
|
| +
|
| + /*
|
| +@@ -11240,6 +11281,7 @@ ssl3_AuthCertificate(sslSocket *ss)
|
| }
|
|
|
| ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
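Review bot: The copy loop `for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next)` silently stops after MAX_PEER_CERT_CHAIN_SIZE (8) certificates, so a longer chain is cached truncated and a resumed session restores fewer certificates than the full handshake produced, with no indication to the caller; this deserves a comment above the loop such as `/* Only the first MAX_PEER_CERT_CHAIN_SIZE certs are cached; longer chains are truncated on resumption. */`. Note also that `PORT_Assert(!sid->peerCertChain[i])` is compiled out of non-debug builds, so if a slot were already populated the new `CERT_DupCertificate` reference would overwrite it and the old reference would leak — an explicit release or skip would be safer than relying on the assert. The start of this function lies above the hunk.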
|
| @@ -80,11 +80,11 @@ index 8f1c547..9aaf601 100644
|
| if (!ss->sec.isServer) {
|
| CERTCertificate *cert = ss->sec.peerCert;
|
| diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
|
| -index ad31aae..9dcc29e 100644
|
| +index bce9437..10361a0 100644
|
| --- a/lib/ssl/sslimpl.h
|
| +++ b/lib/ssl/sslimpl.h
|
| -@@ -608,6 +608,8 @@ typedef enum { never_cached,
|
| - invalid_cache /* no longer in any cache. */
|
| +@@ -614,6 +614,8 @@ typedef enum { never_cached,
|
| + invalid_cache /* no longer in any cache. */
|
| } Cached;
|
|
|
| +#define MAX_PEER_CERT_CHAIN_SIZE 8
|
| @@ -92,19 +92,19 @@ index ad31aae..9dcc29e 100644
|
| struct sslSessionIDStr {
|
| /* The global cache lock must be held when accessing these members when the
|
| * sid is in any cache.
|
| -@@ -622,6 +624,7 @@ struct sslSessionIDStr {
|
| +@@ -628,6 +630,7 @@ struct sslSessionIDStr {
|
| */
|
|
|
| - CERTCertificate * peerCert;
|
| -+ CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
|
| - SECItemArray peerCertStatus; /* client only */
|
| - const char * peerID; /* client only */
|
| - const char * urlSvrName; /* client only */
|
| + CERTCertificate *peerCert;
|
| ++ CERTCertificate *peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
|
| + SECItemArray peerCertStatus; /* client only */
|
| + const char *peerID; /* client only */
|
| + const char *urlSvrName; /* client only */
|
| diff --git a/lib/ssl/sslnonce.c b/lib/ssl/sslnonce.c
|
| -index 2e861f1..be11008 100644
|
| +index 85031c4..3216892 100644
|
| --- a/lib/ssl/sslnonce.c
|
| +++ b/lib/ssl/sslnonce.c
|
| -@@ -164,6 +164,7 @@ lock_cache(void)
|
| +@@ -167,6 +167,7 @@ lock_cache(void)
|
| static void
|
| ssl_DestroySID(sslSessionID *sid)
|
| {
|
| @@ -112,9 +112,9 @@ index 2e861f1..be11008 100644
|
| SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
|
| PORT_Assert(sid->references == 0);
|
| PORT_Assert(sid->cached != in_client_cache);
|
| -@@ -194,6 +195,9 @@ ssl_DestroySID(sslSessionID *sid)
|
| - if ( sid->peerCert ) {
|
| - CERT_DestroyCertificate(sid->peerCert);
|
| +@@ -200,6 +201,9 @@ ssl_DestroySID(sslSessionID *sid)
|
| + if (sid->peerCert) {
|
| + CERT_DestroyCertificate(sid->peerCert);
|
| }
|
| + for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
|
| + CERT_DestroyCertificate(sid->peerCertChain[i]);
|
|
|