Change SSL_PeerCertificateChain to return a CERTCertList.

net/third_party/nss/ssl/ssl.h

Index: net/third_party/nss/ssl/ssl.h
===================================================================
--- net/third_party/nss/ssl/ssl.h	(revision 225295)
+++ net/third_party/nss/ssl/ssl.h	(working copy)
@@ -434,6 +434,15 @@
 */
 SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
 
+/*
+** Return the certificates presented by the SSL peer. If the SSL peer
+** did not present certificates, return NULL with the
+** SSL_ERROR_NO_CERTIFICATE error. On failure, return NULL with an error
+** code other than SSL_ERROR_NO_CERTIFICATE.
+**	"fd" the socket "file" descriptor
+*/
+SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd);

[wtc, 2013/09/27 23:49:41]

This function can also be called on the server side. If client authentication is
not requested, there is no peer certificate. Returning NULL in this case seems
simpler for the caller than returning an empty CERTCertList.

+
 /* SSL_PeerStapledOCSPResponses returns the OCSP responses that were provided
  * by the TLS server. The return value is a pointer to an internal SECItemArray
  * that contains the returned OCSP responses; it is only valid until the
@@ -463,18 +472,6 @@
 			    SSLKEAType kea);
 
 /*
-** Return references to the certificates presented by the SSL peer.
-** |maxNumCerts| must contain the size of the |certs| array. On successful
-** return, |*numCerts| contains the number of certificates available and
-** |certs| will contain references to as many certificates as would fit.
-** Therefore if |*numCerts| contains a value less than or equal to
-** |maxNumCerts|, then all certificates were returned.
-*/
-SSL_IMPORT SECStatus SSL_PeerCertificateChain(
-	PRFileDesc *fd, CERTCertificate **certs,
-	unsigned int *numCerts, unsigned int maxNumCerts);
-
-/*
 ** Authenticate certificate hook. Called when a certificate comes in
 ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
 ** certificate.