Restore SSL_SESSION/X509Certificate X509* sharing

net/socket/ssl_client_socket_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_impl.h"
 
 #include <errno.h>
 #include <string.h>
 
 #include <algorithm>
@@ skipping 463 matching lines @@
   openssl_chain_.reset(X509_chain_up_ref(other.openssl_chain_.get()));
   return *this;
 }
 
 void SSLClientSocketImpl::PeerCertificateChain::Reset(STACK_OF(X509) * chain) {
   openssl_chain_.reset(chain ? X509_chain_up_ref(chain) : NULL);
 }
 
 scoped_refptr<X509Certificate>
 SSLClientSocketImpl::PeerCertificateChain::AsOSChain() const {
-  // DER-encode the chain and convert to a platform certificate handle.
-  std::vector<std::string> chain;
-  chain.reserve(sk_X509_num(openssl_chain_.get()));
+#if defined(USE_OPENSSL_CERTS)
+  // When OSCertHandle is typedef'ed to X509, this implementation does a short
+  // cut to avoid converting back and forth between DER and the X509 struct.
+  X509Certificate::OSCertHandles intermediates;
+  for (size_t i = 1; i < sk_X509_num(openssl_chain_.get()); ++i) {
+    X509* cert = sk_X509_value(openssl_chain_.get(), i);
+    DCHECK(cert->buf);
+    intermediates.push_back(cert);
+  }
+
+  X509* leaf = sk_X509_value(openssl_chain_.get(), 0);
+  DCHECK(leaf->buf);
+  return X509Certificate::CreateFromHandle(leaf, intermediates);
+#else
+  // Convert the certificate chains to a platform certificate handle.
+  std::vector<base::StringPiece> der_chain;
+  der_chain.reserve(sk_X509_num(openssl_chain_.get()));
   for (size_t i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
-    X509* x = sk_X509_value(openssl_chain_.get(), i);
-    // Note: This intentionally avoids using x509_util::GetDER(), which may
-    // cache the encoded DER on |x|, as |x| is shared with the underlying
-    // socket (SSL*) this chain belongs to. As the DER will only be used
-    // once in //net, within this code, this avoids needlessly caching
-    // additional data. See https://crbug.com/642082
-    int len = i2d_X509(x, nullptr);
-    if (len < 0)
+    X509* cert = sk_X509_value(openssl_chain_.get(), i);
+    DCHECK(cert->buf);
+    base::StringPiece der;
+    if (!x509_util::GetDER(cert, &der))
       return nullptr;
-    std::string cert;
-    uint8_t* ptr = reinterpret_cast<uint8_t*>(base::WriteInto(&cert, len + 1));
-    len = i2d_X509(x, &ptr);
-    if (len < 0) {
-      NOTREACHED();
-      return nullptr;
-    }
-    chain.push_back(std::move(cert));
+    der_chain.push_back(der);
   }
-  std::vector<base::StringPiece> stringpiece_chain;
-  for (const auto& cert : chain)
-    stringpiece_chain.push_back(cert);
-
-  return X509Certificate::CreateFromDERCertChain(stringpiece_chain);
+  return X509Certificate::CreateFromDERCertChain(der_chain);
+#endif
 }
 
 // static
 void SSLClientSocket::ClearSessionCache() {
   SSLClientSocketImpl::SSLContext* context =
       SSLClientSocketImpl::SSLContext::GetInstance();
   context->session_cache()->Flush();
 }
 
 SSLClientSocketImpl::SSLClientSocketImpl(
@@ skipping 1530 matching lines @@
     if (ERR_GET_REASON(info->error_code) == SSL_R_TLSV1_ALERT_ACCESS_DENIED &&
         !certificate_requested_) {
       net_error = ERR_SSL_PROTOCOL_ERROR;
     }
   }
 
   return net_error;
 }
 
 }  // namespace net