net/third_party/nss: sync patches/ directory.

* Add a patch for r50960 (Cache the peer's intermediate CA certificates...) No code changes. TEST=none BUG=none git-svn-id: svn://svn.chromium.org/chrome/trunk/src@51859 0039d316-1c4b-4281-b951-d872f2087c98
author: agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-07-08 17:34:14 +0000
committer: agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-07-08 17:34:14 +0000
commit: 021ede949fb1f5dfe425b965328433124911352e (patch)
tree: d31d03f38769935320cef88f1b2c2de617e50e6d /net/third_party
parent: a899ee85117ab6cc9b959c68e397042fd565dbdd (diff)
download: chromium_src-021ede949fb1f5dfe425b965328433124911352e.zip
chromium_src-021ede949fb1f5dfe425b965328433124911352e.tar.gz
chromium_src-021ede949fb1f5dfe425b965328433124911352e.tar.bz2
3 files changed, 129 insertions, 1 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index 918d225..b1141fe 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -24,5 +24,9 @@ Patches:
     patches/renegoscsv.patch
     https://bugzilla.mozilla.org/show_bug.cgi?id=549042
 
+  * Cache the peer's intermediate CA certificates in session ID, so that
+    they're available when we resume a session.
+    patches/cachecerts.patch
+
 The ssl/bodge directory contains files taken from the NSS repo that we required
 for building libssl outside of its usual build environment.
diff --git a/net/third_party/nss/patches/cachecerts.patch b/net/third_party/nss/patches/cachecerts.patch
new file mode 100644
index 0000000..c91ad60
--- /dev/null
+++ b/net/third_party/nss/patches/cachecerts.patch
@@ -0,0 +1,124 @@
+diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
+index 45bf853..e3f9a9a 100644
+--- a/mozilla/security/nss/lib/ssl/ssl3con.c
++++ b/mozilla/security/nss/lib/ssl/ssl3con.c
+@@ -72,6 +72,7 @@
+ #endif
+ 
+ static void      ssl3_CleanupPeerCerts(sslSocket *ss);
++static void      ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
+ static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
+                                        PK11SlotInfo * serverKeySlot);
+ static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
+@@ -5136,6 +5137,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+ 	/* copy the peer cert from the SID */
+ 	if (sid->peerCert != NULL) {
+ 	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
++	    ssl3_CopyPeerCertsFromSID(ss, sid);
+ 	}
+ 
+ 
+@@ -6378,6 +6380,7 @@ compression_found:
+ 	ss->sec.ci.sid = sid;
+ 	if (sid->peerCert != NULL) {
+ 	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
++	    ssl3_CopyPeerCertsFromSID(ss, sid);
+ 	}
+ 
+ 	/*
+@@ -7746,6 +7749,38 @@ ssl3_CleanupPeerCerts(sslSocket *ss)
+     ss->ssl3.peerCertChain = NULL;
+ }
+ 
++static void
++ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid)
++{
++    PRArenaPool *arena;
++    ssl3CertNode *certs = NULL;
++    int i;
++
++    if (!sid->peerCertChain[0])
++	return;
++    PORT_Assert(!ss->ssl3.peerCertArena);
++    PORT_Assert(!ss->ssl3.peerCertChain);
++    ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
++    for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
++	ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
++	c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
++	c->next = certs;
++	certs = c;
++    }
++    ss->ssl3.peerCertChain = certs;
++}
++
++static void
++ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid)
++{
++    int i = 0;
++    ssl3CertNode *c = certs;
++    for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) {
++	PORT_Assert(!sid->peerCertChain[i]);
++	sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
++    }
++}
++
+ /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+  * ssl3 Certificate message.
+  * Caller must hold Handshake and RecvBuf locks.
+@@ -7932,6 +7967,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+     }
+ 
+     ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
++    ssl3_CopyPeerCertsToSID(certs, ss->sec.ci.sid);
+ 
+     if (!ss->sec.isServer) {
+ 	/* set the server authentication and key exchange types and sizes
+@@ -8103,6 +8139,8 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
+     if (ss->handshake != NULL) {
+ 	ss->handshake = ssl_GatherRecord1stHandshake;
+ 	ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
++	ssl3_CopyPeerCertsToSID((ssl3CertNode *)ss->ssl3.peerCertChain,
++				ss->sec.ci.sid);
+ 
+ 	ssl_GetRecvBufLock(ss);
+ 	if (ss->ssl3.hs.msgState.buf != NULL) {
+diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
+index a800d56..fe7ac7a 100644
+--- a/mozilla/security/nss/lib/ssl/sslimpl.h
++++ b/mozilla/security/nss/lib/ssl/sslimpl.h
+@@ -569,10 +569,13 @@ typedef enum {	never_cached,
+ 		invalid_cache		/* no longer in any cache. */
+ } Cached;
+ 
++#define MAX_PEER_CERT_CHAIN_SIZE 8
++
+ struct sslSessionIDStr {
+     sslSessionID *        next;   /* chain used for client sockets, only */
+ 
+     CERTCertificate *     peerCert;
++    CERTCertificate *     peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
+     const char *          peerID;     /* client only */
+     const char *          urlSvrName; /* client only */
+     CERTCertificate *     localCert;
+diff --git a/mozilla/security/nss/lib/ssl/sslnonce.c b/mozilla/security/nss/lib/ssl/sslnonce.c
+index 63dc5a2..64adc1f 100644
+--- a/mozilla/security/nss/lib/ssl/sslnonce.c
++++ b/mozilla/security/nss/lib/ssl/sslnonce.c
+@@ -197,6 +197,7 @@ lock_cache(void)
+ static void
+ ssl_DestroySID(sslSessionID *sid)
+ {
++    int i;
+     SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
+     PORT_Assert((sid->references == 0));
+ 
+@@ -216,6 +217,9 @@ ssl_DestroySID(sslSessionID *sid)
+     if ( sid->peerCert ) {
+ 	CERT_DestroyCertificate(sid->peerCert);
+     }
++    for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
++	CERT_DestroyCertificate(sid->peerCertChain[i]);
++    }
+     if ( sid->localCert ) {
+ 	CERT_DestroyCertificate(sid->localCert);
+     }
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index e3f9a9a..9b671e7 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -8489,7 +8489,7 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
 	if (!isServer) {
 	    rv = ssl3_SendNextProto(ss);
 	    if (rv != SECSuccess) {
-		goto xmit_loser;        /* err code was set. */
+		goto xmit_loser;	/* err code was set. */
 	    }
 	}
author	agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-07-08 17:34:14 +0000
committer	agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-07-08 17:34:14 +0000
commit	021ede949fb1f5dfe425b965328433124911352e (patch)
tree	d31d03f38769935320cef88f1b2c2de617e50e6d /net/third_party
parent	a899ee85117ab6cc9b959c68e397042fd565dbdd (diff)
download	chromium_src-021ede949fb1f5dfe425b965328433124911352e.zip chromium_src-021ede949fb1f5dfe425b965328433124911352e.tar.gz chromium_src-021ede949fb1f5dfe425b965328433124911352e.tar.bz2