Diffstat (limited to 'net/third_party')
-rw-r--r--net/third_party/nss/README.chromium4
-rw-r--r--net/third_party/nss/patches/cachecerts.patch124
-rw-r--r--net/third_party/nss/ssl/ssl3con.c2
3 files changed, 129 insertions, 1 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index 918d225..b1141fe 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -24,5 +24,9 @@ Patches:
patches/renegoscsv.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=549042
+ * Cache the peer's intermediate CA certificates in session ID, so that
+ they're available when we resume a session.
+ patches/cachecerts.patch
+
The ssl/bodge directory contains files taken from the NSS repo that we required
for building libssl outside of its usual build environment.
diff --git a/net/third_party/nss/patches/cachecerts.patch b/net/third_party/nss/patches/cachecerts.patch
new file mode 100644
index 0000000..c91ad60
--- /dev/null
+++ b/net/third_party/nss/patches/cachecerts.patch
@@ -0,0 +1,124 @@
+diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
+index 45bf853..e3f9a9a 100644
+--- a/mozilla/security/nss/lib/ssl/ssl3con.c
++++ b/mozilla/security/nss/lib/ssl/ssl3con.c
+@@ -72,6 +72,7 @@
+ #endif
+
+ static void ssl3_CleanupPeerCerts(sslSocket *ss);
++static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
+ static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
+ PK11SlotInfo * serverKeySlot);
+ static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
+@@ -5136,6 +5137,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+ /* copy the peer cert from the SID */
+ if (sid->peerCert != NULL) {
+ ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
++ ssl3_CopyPeerCertsFromSID(ss, sid);
+ }
+
+
+@@ -6378,6 +6380,7 @@ compression_found:
+ ss->sec.ci.sid = sid;
+ if (sid->peerCert != NULL) {
+ ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
++ ssl3_CopyPeerCertsFromSID(ss, sid);
+ }
+
+ /*
+@@ -7746,6 +7749,38 @@ ssl3_CleanupPeerCerts(sslSocket *ss)
+ ss->ssl3.peerCertChain = NULL;
+ }
+
++static void
++ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid)
++{
++ PRArenaPool *arena;
++ ssl3CertNode *certs = NULL;
++ int i;
++
++ if (!sid->peerCertChain[0])
++ return;
++ PORT_Assert(!ss->ssl3.peerCertArena);
++ PORT_Assert(!ss->ssl3.peerCertChain);
++ ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
++ for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
++ ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
++ c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
++ c->next = certs;
++ certs = c;
++ }
++ ss->ssl3.peerCertChain = certs;
++}
++
++static void
++ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid)
++{
++ int i = 0;
++ ssl3CertNode *c = certs;
++ for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) {
++ PORT_Assert(!sid->peerCertChain[i]);
++ sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
++ }
++}
++
+ /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Certificate message.
+ * Caller must hold Handshake and RecvBuf locks.
+@@ -7932,6 +7967,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+ }
+
+ ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
++ ssl3_CopyPeerCertsToSID(certs, ss->sec.ci.sid);
+
+ if (!ss->sec.isServer) {
+ /* set the server authentication and key exchange types and sizes
+@@ -8103,6 +8139,8 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
+ if (ss->handshake != NULL) {
+ ss->handshake = ssl_GatherRecord1stHandshake;
+ ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
++ ssl3_CopyPeerCertsToSID((ssl3CertNode *)ss->ssl3.peerCertChain,
++ ss->sec.ci.sid);
+
+ ssl_GetRecvBufLock(ss);
+ if (ss->ssl3.hs.msgState.buf != NULL) {
+diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
+index a800d56..fe7ac7a 100644
+--- a/mozilla/security/nss/lib/ssl/sslimpl.h
++++ b/mozilla/security/nss/lib/ssl/sslimpl.h
+@@ -569,10 +569,13 @@ typedef enum { never_cached,
+ invalid_cache /* no longer in any cache. */
+ } Cached;
+
++#define MAX_PEER_CERT_CHAIN_SIZE 8
++
+ struct sslSessionIDStr {
+ sslSessionID * next; /* chain used for client sockets, only */
+
+ CERTCertificate * peerCert;
++ CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
+ const char * peerID; /* client only */
+ const char * urlSvrName; /* client only */
+ CERTCertificate * localCert;
+diff --git a/mozilla/security/nss/lib/ssl/sslnonce.c b/mozilla/security/nss/lib/ssl/sslnonce.c
+index 63dc5a2..64adc1f 100644
+--- a/mozilla/security/nss/lib/ssl/sslnonce.c
++++ b/mozilla/security/nss/lib/ssl/sslnonce.c
+@@ -197,6 +197,7 @@ lock_cache(void)
+ static void
+ ssl_DestroySID(sslSessionID *sid)
+ {
++ int i;
+ SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
+ PORT_Assert((sid->references == 0));
+
+@@ -216,6 +217,9 @@ ssl_DestroySID(sslSessionID *sid)
+ if ( sid->peerCert ) {
+ CERT_DestroyCertificate(sid->peerCert);
+ }
++ for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
++ CERT_DestroyCertificate(sid->peerCertChain[i]);
++ }
+ if ( sid->localCert ) {
+ CERT_DestroyCertificate(sid->localCert);
+ }
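Review bot: ssl3_CopyPeerCertsFromSID dereferences the results of PORT_NewArena and PORT_ArenaNew without a NULL check, so an allocation failure during session resumption becomes a null dereference rather than a handled error. Guard both: `if (!arena) return;` after the PORT_NewArena assignment and `if (!c) break;` before `c->cert` is assigned, leaving ss->ssl3.peerCertChain as whatever was built so far. The loops also silently drop any certificate beyond MAX_PEER_CERT_CHAIN_SIZE, so a resumed session sees a shorter chain than the original handshake verified; that limit deserves a comment on the #define, e.g. `/* Chains longer than this are truncated when cached; a resumed session sees only the first MAX_PEER_CERT_CHAIN_SIZE certificates. */`. Note that FromSID builds the list by prepending, which reverses the array order; whether callers depend on the list matching the order of the Certificate message is not visible here and worth confirming. The early return also assumes sid->peerCertChain is zero-initialized when the sid is allocated, which this patch does not show.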
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index e3f9a9a..9b671e7 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -8489,7 +8489,7 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
if (!isServer) {
rv = ssl3_SendNextProto(ss);
if (rv != SECSuccess) {
- goto xmit_loser; /* err code was set. */
+ goto xmit_loser; /* err code was set. */
}
}