summaryrefslogtreecommitdiffstats
path: root/net/third_party
diff options
context:
space:
mode:
Diffstat (limited to 'net/third_party')
-rw-r--r--net/third_party/nss/README.chromium5
-rwxr-xr-xnet/third_party/nss/patches/applypatches.sh2
-rw-r--r--net/third_party/nss/patches/sessioncache.patch100
-rw-r--r--net/third_party/nss/ssl/exports_win.def2
-rw-r--r--net/third_party/nss/ssl/ssl.h12
-rw-r--r--net/third_party/nss/ssl/ssl3con.c2
-rw-r--r--net/third_party/nss/ssl/sslsecur.c43
7 files changed, 165 insertions, 1 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index 06d3e12..d4f9386 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -163,6 +163,11 @@ Patches:
https://bugzilla.mozilla.org/show_bug.cgi?id=930857
patches/disableticketrenewal.patch
+ * Add explicit functions for managing the SSL/TLS session cache.
+ This is a temporary workaround until Chromium migrates to NSS's
+ asynchronous certificate verification.
+ patches/sessioncache.patch
+
Apply the patches to NSS by running the patches/applypatches.sh script. Read
the comments at the top of patches/applypatches.sh for instructions.
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
index 33850e2..c07f6e5 100755
--- a/net/third_party/nss/patches/applypatches.sh
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -81,3 +81,5 @@ patch -p5 < $patches_dir/tls12backuphash2.patch
patch -p4 < $patches_dir/fallbackscsv.patch
patch -p4 < $patches_dir/disableticketrenewal.patch
+
+patch -p4 < $patches_dir/sessioncache.patch
diff --git a/net/third_party/nss/patches/sessioncache.patch b/net/third_party/nss/patches/sessioncache.patch
new file mode 100644
index 0000000..11fd9fc
--- /dev/null
+++ b/net/third_party/nss/patches/sessioncache.patch
@@ -0,0 +1,100 @@
+diff --git a/net/third_party/nss/ssl/exports_win.def b/net/third_party/nss/ssl/exports_win.def
+index e0624f1..a1045bb 100644
+--- a/net/third_party/nss/ssl/exports_win.def
++++ b/net/third_party/nss/ssl/exports_win.def
+@@ -62,3 +62,5 @@ SSL_RestartHandshakeAfterChannelIDReq
+ SSL_GetChannelBinding
+ SSL_PeerSignedCertTimestamps
+ SSL_CipherOrderSet
++SSL_CacheSession
++SSL_CacheSessionUnlocked
+diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
+index bef33fc..6f7c988 100644
+--- a/net/third_party/nss/ssl/ssl.h
++++ b/net/third_party/nss/ssl/ssl.h
+@@ -872,6 +872,18 @@ SSL_IMPORT int SSL_DataPending(PRFileDesc *fd);
+ SSL_IMPORT SECStatus SSL_InvalidateSession(PRFileDesc *fd);
+
+ /*
++** Cache the SSL session associated with fd, if it has not already been cached.
++*/
++SSL_IMPORT SECStatus SSL_CacheSession(PRFileDesc *fd);
++
++/*
++** Cache the SSL session associated with fd, if it has not already been cached.
++** This function may only be called when processing within a callback assigned
++** via SSL_HandshakeCallback
++*/
++SSL_IMPORT SECStatus SSL_CacheSessionUnlocked(PRFileDesc *fd);
++
++/*
+ ** Return a SECItem containing the SSL session ID associated with the fd.
+ */
+ SSL_IMPORT SECItem *SSL_GetSessionID(PRFileDesc *fd);
+diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
+index 307a0fe..e2be5e6 100644
+--- a/net/third_party/nss/ssl/ssl3con.c
++++ b/net/third_party/nss/ssl/ssl3con.c
+@@ -11240,7 +11240,7 @@ ssl3_FinishHandshake(sslSocket * ss)
+ /* The first handshake is now completed. */
+ ss->handshake = NULL;
+
+- if (ss->ssl3.hs.cacheSID) {
++ if (ss->ssl3.hs.cacheSID && ss->sec.isServer) {
+ (*ss->sec.cache)(ss->sec.ci.sid);
+ ss->ssl3.hs.cacheSID = PR_FALSE;
+ }
+diff --git a/net/third_party/nss/ssl/sslsecur.c b/net/third_party/nss/ssl/sslsecur.c
+index 31c343f..99538e5 100644
+--- a/net/third_party/nss/ssl/sslsecur.c
++++ b/net/third_party/nss/ssl/sslsecur.c
+@@ -1474,6 +1474,49 @@ SSL_InvalidateSession(PRFileDesc *fd)
+ return rv;
+ }
+
++static void
++ssl3_CacheSessionUnlocked(sslSocket *ss)
++{
++ PORT_Assert(!ss->sec.isServer);
++
++ if (ss->ssl3.hs.cacheSID) {
++ ss->sec.cache(ss->sec.ci.sid);
++ ss->ssl3.hs.cacheSID = PR_FALSE;
++ }
++}
++
++SECStatus
++SSL_CacheSession(PRFileDesc *fd)
++{
++ sslSocket * ss = ssl_FindSocket(fd);
++ SECStatus rv = SECFailure;
++
++ if (ss) {
++ ssl_Get1stHandshakeLock(ss);
++ ssl_GetSSL3HandshakeLock(ss);
++
++ ssl3_CacheSessionUnlocked(ss);
++ rv = SECSuccess;
++
++ ssl_ReleaseSSL3HandshakeLock(ss);
++ ssl_Release1stHandshakeLock(ss);
++ }
++ return rv;
++}
++
++SECStatus
++SSL_CacheSessionUnlocked(PRFileDesc *fd)
++{
++ sslSocket * ss = ssl_FindSocket(fd);
++ SECStatus rv = SECFailure;
++
++ if (ss) {
++ ssl3_CacheSessionUnlocked(ss);
++ rv = SECSuccess;
++ }
++ return rv;
++}
++
+ SECItem *
+ SSL_GetSessionID(PRFileDesc *fd)
+ {
diff --git a/net/third_party/nss/ssl/exports_win.def b/net/third_party/nss/ssl/exports_win.def
index e0624f1..a1045bb 100644
--- a/net/third_party/nss/ssl/exports_win.def
+++ b/net/third_party/nss/ssl/exports_win.def
@@ -62,3 +62,5 @@ SSL_RestartHandshakeAfterChannelIDReq
SSL_GetChannelBinding
SSL_PeerSignedCertTimestamps
SSL_CipherOrderSet
+SSL_CacheSession
+SSL_CacheSessionUnlocked
diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
index bef33fc..6f7c988 100644
--- a/net/third_party/nss/ssl/ssl.h
+++ b/net/third_party/nss/ssl/ssl.h
@@ -872,6 +872,18 @@ SSL_IMPORT int SSL_DataPending(PRFileDesc *fd);
SSL_IMPORT SECStatus SSL_InvalidateSession(PRFileDesc *fd);
/*
+** Cache the SSL session associated with fd, if it has not already been cached.
+*/
+SSL_IMPORT SECStatus SSL_CacheSession(PRFileDesc *fd);
+
+/*
+** Cache the SSL session associated with fd, if it has not already been cached.
+** This function may only be called when processing within a callback assigned
+** via SSL_HandshakeCallback
+*/
+SSL_IMPORT SECStatus SSL_CacheSessionUnlocked(PRFileDesc *fd);
+
+/*
** Return a SECItem containing the SSL session ID associated with the fd.
*/
SSL_IMPORT SECItem *SSL_GetSessionID(PRFileDesc *fd);
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 307a0fe..e2be5e6 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -11240,7 +11240,7 @@ ssl3_FinishHandshake(sslSocket * ss)
/* The first handshake is now completed. */
ss->handshake = NULL;
- if (ss->ssl3.hs.cacheSID) {
+ if (ss->ssl3.hs.cacheSID && ss->sec.isServer) {
(*ss->sec.cache)(ss->sec.ci.sid);
ss->ssl3.hs.cacheSID = PR_FALSE;
}
diff --git a/net/third_party/nss/ssl/sslsecur.c b/net/third_party/nss/ssl/sslsecur.c
index 31c343f..99538e5 100644
--- a/net/third_party/nss/ssl/sslsecur.c
+++ b/net/third_party/nss/ssl/sslsecur.c
@@ -1474,6 +1474,49 @@ SSL_InvalidateSession(PRFileDesc *fd)
return rv;
}
+static void
+ssl3_CacheSessionUnlocked(sslSocket *ss)
+{
+ PORT_Assert(!ss->sec.isServer);
+
+ if (ss->ssl3.hs.cacheSID) {
+ ss->sec.cache(ss->sec.ci.sid);
+ ss->ssl3.hs.cacheSID = PR_FALSE;
+ }
+}
+
+SECStatus
+SSL_CacheSession(PRFileDesc *fd)
+{
+ sslSocket * ss = ssl_FindSocket(fd);
+ SECStatus rv = SECFailure;
+
+ if (ss) {
+ ssl_Get1stHandshakeLock(ss);
+ ssl_GetSSL3HandshakeLock(ss);
+
+ ssl3_CacheSessionUnlocked(ss);
+ rv = SECSuccess;
+
+ ssl_ReleaseSSL3HandshakeLock(ss);
+ ssl_Release1stHandshakeLock(ss);
+ }
+ return rv;
+}
+
+SECStatus
+SSL_CacheSessionUnlocked(PRFileDesc *fd)
+{
+ sslSocket * ss = ssl_FindSocket(fd);
+ SECStatus rv = SECFailure;
+
+ if (ss) {
+ ssl3_CacheSessionUnlocked(ss);
+ rv = SECSuccess;
+ }
+ return rv;
+}
+
SECItem *
SSL_GetSessionID(PRFileDesc *fd)
{
generated by cgit v1.1 at 2025-01-18 10:03:47 +0000