Diffstat (limited to 'net/third_party/nss/patches/cachecerts.patch')
-rw-r--r-- | net/third_party/nss/patches/cachecerts.patch | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/net/third_party/nss/patches/cachecerts.patch b/net/third_party/nss/patches/cachecerts.patch
new file mode 100644
index 0000000..c91ad60
--- /dev/null
+++ b/net/third_party/nss/patches/cachecerts.patch
@@ -0,0 +1,124 @@
+diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
+index 45bf853..e3f9a9a 100644
+--- a/mozilla/security/nss/lib/ssl/ssl3con.c
++++ b/mozilla/security/nss/lib/ssl/ssl3con.c
+@@ -72,6 +72,7 @@
+ #endif
+ 
+ static void ssl3_CleanupPeerCerts(sslSocket *ss);
++static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
+ static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
+ PK11SlotInfo * serverKeySlot);
+ static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
+@@ -5136,6 +5137,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+ /* copy the peer cert from the SID */
+ if (sid->peerCert != NULL) {
+ ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
++ ssl3_CopyPeerCertsFromSID(ss, sid);
+ }
+ 
+ 
+@@ -6378,6 +6380,7 @@ compression_found:
+ ss->sec.ci.sid = sid;
+ if (sid->peerCert != NULL) {
+ ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
++ ssl3_CopyPeerCertsFromSID(ss, sid);
+ }
+ 
+ /*
+@@ -7746,6 +7749,38 @@ ssl3_CleanupPeerCerts(sslSocket *ss)
+ ss->ssl3.peerCertChain = NULL;
+ }
+ 
++static void
++ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid)
++{
++ PRArenaPool *arena;
++ ssl3CertNode *certs = NULL;
++ int i;
++
++ if (!sid->peerCertChain[0])
++ return;
++ PORT_Assert(!ss->ssl3.peerCertArena);
++ PORT_Assert(!ss->ssl3.peerCertChain);
++ ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
++ for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
++ ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
++ c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
++ c->next = certs;
++ certs = c;
++ }
++ ss->ssl3.peerCertChain = certs;
++}
++
++static void
++ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid)
++{
++ int i = 0;
++ ssl3CertNode *c = certs;
++ for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) {
++ PORT_Assert(!sid->peerCertChain[i]);
++ sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
++ }
++}
++
+ /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Certificate message.
+ * Caller must hold Handshake and RecvBuf locks.
+@@ -7932,6 +7967,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+ }
+ 
+ ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
++ ssl3_CopyPeerCertsToSID(certs, ss->sec.ci.sid);
+ 
+ if (!ss->sec.isServer) {
+ /* set the server authentication and key exchange types and sizes
+@@ -8103,6 +8139,8 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
+ if (ss->handshake != NULL) {
+ ss->handshake = ssl_GatherRecord1stHandshake;
+ ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
++ ssl3_CopyPeerCertsToSID((ssl3CertNode *)ss->ssl3.peerCertChain,
++ ss->sec.ci.sid);
+ 
+ ssl_GetRecvBufLock(ss);
+ if (ss->ssl3.hs.msgState.buf != NULL) {
+diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
+index a800d56..fe7ac7a 100644
+--- a/mozilla/security/nss/lib/ssl/sslimpl.h
++++ b/mozilla/security/nss/lib/ssl/sslimpl.h
+@@ -569,10 +569,13 @@ typedef enum { never_cached,
+ invalid_cache /* no longer in any cache. */
+ } Cached;
+ 
++#define MAX_PEER_CERT_CHAIN_SIZE 8
++
+ struct sslSessionIDStr {
+ sslSessionID * next; /* chain used for client sockets, only */
+ 
+ CERTCertificate * peerCert;
++ CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
+ const char * peerID; /* client only */
+ const char * urlSvrName; /* client only */
+ CERTCertificate * localCert;
+diff --git a/mozilla/security/nss/lib/ssl/sslnonce.c b/mozilla/security/nss/lib/ssl/sslnonce.c
+index 63dc5a2..64adc1f 100644
+--- a/mozilla/security/nss/lib/ssl/sslnonce.c
++++ b/mozilla/security/nss/lib/ssl/sslnonce.c
+@@ -197,6 +197,7 @@ lock_cache(void)
+ static void
+ ssl_DestroySID(sslSessionID *sid)
+ {
++ int i;
+ SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
+ PORT_Assert((sid->references == 0));
+ 
+@@ -216,6 +217,9 @@ ssl_DestroySID(sslSessionID *sid)
+ if ( sid->peerCert ) {
+ CERT_DestroyCertificate(sid->peerCert);
+ }
++ for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
++ CERT_DestroyCertificate(sid->peerCertChain[i]);
++ }
+ if ( sid->localCert ) {
+ CERT_DestroyCertificate(sid->localCert);
+ } |
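Review bot: `ssl3_CopyPeerCertsFromSID` prepends every node it creates (`c->next = certs; certs = c;`), so the list it installs in `ss->ssl3.peerCertChain` on resumption is the reverse of the slot order that `ssl3_CopyPeerCertsToSID` wrote into `sid->peerCertChain[]`, which walks its input list front to back. If the list built by a full handshake is leaf-first (its construction in ssl3_HandleCertificate lies outside this hunk), code reading the chain through the socket after a resumed handshake sees it in the opposite order; appending through a tail pointer keeps both paths identical. The same function also dereferences the `PORT_NewArena` and `PORT_ArenaNew` results without a NULL check, and `ssl3_CopyPeerCertsToSID` silently drops certificates beyond `MAX_PEER_CERT_CHAIN_SIZE`, which deserves a comment on the `#define` in the sslimpl.h part of this hunk, e.g. `/* longer chains are truncated when cached in the SID; resumed sessions then see only the first MAX_PEER_CERT_CHAIN_SIZE certs */`.
```c
static void
ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid)
{
    PRArenaPool *arena;
    ssl3CertNode *certs = NULL;
    ssl3CertNode *lastCert = NULL;
    int i;

    /* … unchanged: empty-chain early return and the two PORT_Asserts … */
    ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (!arena)
        return;
    for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
        ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
        if (!c)
            break;
        c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
        c->next = NULL;
        /* append, so list order matches the slot order written by ssl3_CopyPeerCertsToSID */
        if (lastCert) {
            lastCert->next = c;
        } else {
            certs = c;
        }
        lastCert = c;
    }
    ss->ssl3.peerCertChain = certs;
}
```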