diff options
Diffstat (limited to 'net/third_party')
-rw-r--r-- | net/third_party/nss/README.chromium | 4 | ||||
-rw-r--r-- | net/third_party/nss/patches/cachecerts.patch | 124 | ||||
-rw-r--r-- | net/third_party/nss/ssl/ssl3con.c | 2 |
3 files changed, 129 insertions, 1 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium index 918d225..b1141fe 100644 --- a/net/third_party/nss/README.chromium +++ b/net/third_party/nss/README.chromium @@ -24,5 +24,9 @@ Patches: patches/renegoscsv.patch https://bugzilla.mozilla.org/show_bug.cgi?id=549042 + * Cache the peer's intermediate CA certificates in session ID, so that + they're available when we resume a session. + patches/cachecerts.patch + The ssl/bodge directory contains files taken from the NSS repo that we required for building libssl outside of its usual build environment. diff --git a/net/third_party/nss/patches/cachecerts.patch b/net/third_party/nss/patches/cachecerts.patch new file mode 100644 index 0000000..c91ad60 --- /dev/null +++ b/net/third_party/nss/patches/cachecerts.patch @@ -0,0 +1,124 @@ +diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c +index 45bf853..e3f9a9a 100644 +--- a/mozilla/security/nss/lib/ssl/ssl3con.c ++++ b/mozilla/security/nss/lib/ssl/ssl3con.c +@@ -72,6 +72,7 @@ + #endif + + static void ssl3_CleanupPeerCerts(sslSocket *ss); ++static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid); + static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, + PK11SlotInfo * serverKeySlot); + static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms); +@@ -5136,6 +5137,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) + /* copy the peer cert from the SID */ + if (sid->peerCert != NULL) { + ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); ++ ssl3_CopyPeerCertsFromSID(ss, sid); + } + + +@@ -6378,6 +6380,7 @@ compression_found: + ss->sec.ci.sid = sid; + if (sid->peerCert != NULL) { + ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); ++ ssl3_CopyPeerCertsFromSID(ss, sid); + } + + /* +@@ -7746,6 +7749,38 @@ ssl3_CleanupPeerCerts(sslSocket *ss) + ss->ssl3.peerCertChain = NULL; + } + ++static void ++ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid) ++{ ++ PRArenaPool *arena; ++ ssl3CertNode *certs = NULL; ++ int i; ++ ++ if (!sid->peerCertChain[0]) ++ return; ++ PORT_Assert(!ss->ssl3.peerCertArena); ++ PORT_Assert(!ss->ssl3.peerCertChain); ++ ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); ++ for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) { ++ ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode); ++ c->cert = CERT_DupCertificate(sid->peerCertChain[i]); ++ c->next = certs; ++ certs = c; ++ } ++ ss->ssl3.peerCertChain = certs; ++} ++ ++static void ++ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid) ++{ ++ int i = 0; ++ ssl3CertNode *c = certs; ++ for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) { ++ PORT_Assert(!sid->peerCertChain[i]); ++ sid->peerCertChain[i] = CERT_DupCertificate(c->cert); ++ } ++} ++ + /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete + * ssl3 Certificate message. + * Caller must hold Handshake and RecvBuf locks. +@@ -7932,6 +7967,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) + } + + ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); ++ ssl3_CopyPeerCertsToSID(certs, ss->sec.ci.sid); + + if (!ss->sec.isServer) { + /* set the server authentication and key exchange types and sizes +@@ -8103,6 +8139,8 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss) + if (ss->handshake != NULL) { + ss->handshake = ssl_GatherRecord1stHandshake; + ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); ++ ssl3_CopyPeerCertsToSID((ssl3CertNode *)ss->ssl3.peerCertChain, ++ ss->sec.ci.sid); + + ssl_GetRecvBufLock(ss); + if (ss->ssl3.hs.msgState.buf != NULL) { +diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h +index a800d56..fe7ac7a 100644 +--- a/mozilla/security/nss/lib/ssl/sslimpl.h ++++ b/mozilla/security/nss/lib/ssl/sslimpl.h +@@ -569,10 +569,13 @@ typedef enum { never_cached, + invalid_cache /* no longer in any cache. */ + } Cached; + ++#define MAX_PEER_CERT_CHAIN_SIZE 8 ++ + struct sslSessionIDStr { + sslSessionID * next; /* chain used for client sockets, only */ + + CERTCertificate * peerCert; ++ CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE]; + const char * peerID; /* client only */ + const char * urlSvrName; /* client only */ + CERTCertificate * localCert; +diff --git a/mozilla/security/nss/lib/ssl/sslnonce.c b/mozilla/security/nss/lib/ssl/sslnonce.c +index 63dc5a2..64adc1f 100644 +--- a/mozilla/security/nss/lib/ssl/sslnonce.c ++++ b/mozilla/security/nss/lib/ssl/sslnonce.c +@@ -197,6 +197,7 @@ lock_cache(void) + static void + ssl_DestroySID(sslSessionID *sid) + { ++ int i; + SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached)); + PORT_Assert((sid->references == 0)); + +@@ -216,6 +217,9 @@ ssl_DestroySID(sslSessionID *sid) + if ( sid->peerCert ) { + CERT_DestroyCertificate(sid->peerCert); + } ++ for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) { ++ CERT_DestroyCertificate(sid->peerCertChain[i]); ++ } + if ( sid->localCert ) { + CERT_DestroyCertificate(sid->localCert); + } diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c index e3f9a9a..9b671e7 100644 --- a/net/third_party/nss/ssl/ssl3con.c +++ b/net/third_party/nss/ssl/ssl3con.c @@ -8489,7 +8489,7 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, if (!isServer) { rv = ssl3_SendNextProto(ss); if (rv != SECSuccess) { - goto xmit_loser; /* err code was set. */ + goto xmit_loser; /* err code was set. */ } } |