1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
--- a/nss/lib/ssl/ssl3con.c 2013-04-27 09:19:50.358559102 -0700
+++ b/nss/lib/ssl/ssl3con.c 2013-04-27 09:19:58.798678612 -0700
@@ -42,6 +42,7 @@
#endif
static void ssl3_CleanupPeerCerts(sslSocket *ss);
+static void ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
PK11SlotInfo * serverKeySlot);
static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
@@ -5697,6 +5698,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
/* copy the peer cert from the SID */
if (sid->peerCert != NULL) {
ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
+ ssl3_CopyPeerCertsFromSID(ss, sid);
}
/* NULL value for PMS signifies re-use of the old MS */
@@ -7048,6 +7050,7 @@ compression_found:
ss->sec.ci.sid = sid;
if (sid->peerCert != NULL) {
ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
+ ssl3_CopyPeerCertsFromSID(ss, sid);
}
/*
@@ -8501,6 +8504,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss)
ss->ssl3.peerCertChain = NULL;
}
+static void
+ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid)
+{
+ PRArenaPool *arena;
+ ssl3CertNode *lastCert = NULL;
+ ssl3CertNode *certs = NULL;
+ int i;
+
+ if (!sid->peerCertChain[0])
+ return;
+ PORT_Assert(!ss->ssl3.peerCertArena);
+ PORT_Assert(!ss->ssl3.peerCertChain);
+ ss->ssl3.peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
+ ssl3CertNode *c = PORT_ArenaNew(arena, ssl3CertNode);
+ c->cert = CERT_DupCertificate(sid->peerCertChain[i]);
+ c->next = NULL;
+ if (lastCert) {
+ lastCert->next = c;
+ } else {
+ certs = c;
+ }
+ lastCert = c;
+ }
+ ss->ssl3.peerCertChain = certs;
+}
+
+static void
+ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid)
+{
+ int i = 0;
+ ssl3CertNode *c = certs;
+ for (; i < MAX_PEER_CERT_CHAIN_SIZE && c; i++, c = c->next) {
+ PORT_Assert(!sid->peerCertChain[i]);
+ sid->peerCertChain[i] = CERT_DupCertificate(c->cert);
+ }
+}
+
/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
* ssl3 CertificateStatus message.
* Caller must hold Handshake and RecvBuf locks.
@@ -8780,6 +8821,7 @@ ssl3_AuthCertificate(sslSocket *ss)
}
ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
+ ssl3_CopyPeerCertsToSID(ss->ssl3.peerCertChain, ss->sec.ci.sid);
if (!ss->sec.isServer) {
CERTCertificate *cert = ss->sec.peerCert;
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
--- a/nss/lib/ssl/sslimpl.h 2013-04-27 09:17:17.216390477 -0700
+++ b/nss/lib/ssl/sslimpl.h 2013-04-27 09:19:58.798678612 -0700
@@ -570,10 +570,13 @@ typedef enum { never_cached,
invalid_cache /* no longer in any cache. */
} Cached;
+#define MAX_PEER_CERT_CHAIN_SIZE 8
+
struct sslSessionIDStr {
sslSessionID * next; /* chain used for client sockets, only */
CERTCertificate * peerCert;
+ CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
SECItemArray peerCertStatus; /* client only */
const char * peerID; /* client only */
const char * urlSvrName; /* client only */
diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
--- a/nss/lib/ssl/sslnonce.c 2013-04-27 09:17:17.216390477 -0700
+++ b/nss/lib/ssl/sslnonce.c 2013-04-27 09:19:58.798678612 -0700
@@ -165,6 +165,7 @@ lock_cache(void)
static void
ssl_DestroySID(sslSessionID *sid)
{
+ int i;
SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
PORT_Assert((sid->references == 0));
@@ -184,6 +185,9 @@ ssl_DestroySID(sslSessionID *sid)
if ( sid->peerCert ) {
CERT_DestroyCertificate(sid->peerCert);
}
+ for (i = 0; i < MAX_PEER_CERT_CHAIN_SIZE && sid->peerCertChain[i]; i++) {
+ CERT_DestroyCertificate(sid->peerCertChain[i]);
+ }
if (sid->peerCertStatus.len) {
SECITEM_FreeArray(&sid->peerCertStatus, PR_FALSE);
sid->peerCertStatus.items = NULL;
|