Create a new function, CERT_DupCertList(), and call it instead of calling

CERT_CertChainFromCert in ssl_DupSocket().  This is MUCH faster.  This is
the first approximation of the right fix.  The next step is to consider
doing ref counting instead of actual duplication.  Fixes bug 51425 .

3 files changed, 54 insertions, 7 deletions

diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index c12b77489..d77bcb5a4 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -905,6 +905,9 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
 extern CERTCertificateList *
 CERT_CertListFromCert(CERTCertificate *cert);
 
+extern CERTCertificateList *
+CERT_DupCertList(CERTCertificateList * oldList);
+
 extern void CERT_DestroyCertificateList(CERTCertificateList *list);
 
 /* is cert a newer than cert b? */
diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c
index c75f97a6e..e24ad7553 100644
--- a/security/nss/lib/certhigh/certhigh.c
+++ b/security/nss/lib/certhigh/certhigh.c
@@ -980,10 +980,10 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
 	node->cert = NULL;
 	if (rv < 0) goto loser;
     }
-    if ( includeRoot ) {
-	chain->len = len;
-    } else {
+    if ( !includeRoot && len > 1) {
 	chain->len = len - 1;
+    } else {
+	chain->len = len;
     }
     
     chain->arena = arena;
@@ -1013,6 +1013,9 @@ loser:
     return NULL;
 }
 
+/* Builds a CERTCertificateList holding just one DER-encoded cert, namely
+** the one for the cert passed as an argument.
+*/
 CERTCertificateList *
 CERT_CertListFromCert(CERTCertificate *cert)
 {
@@ -1045,6 +1048,48 @@ loser:
     return NULL;
 }
 
+CERTCertificateList *
+CERT_DupCertList(CERTCertificateList * oldList)
+{
+    CERTCertificateList *newList = NULL;
+    PRArenaPool         *arena   = NULL;
+    SECItem             *newItem;
+    SECItem             *oldItem;
+    int                 len      = oldList->len;
+    int                 rv;
+
+    /* arena for SecCertificateList */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) 
+	goto no_memory;
+
+    /* now build the CERTCertificateList */
+    newList = PORT_ArenaNew(arena, CERTCertificateList);
+    if (newList == NULL) 
+	goto no_memory;
+    newList->arena = arena;
+    newItem = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
+    if (newItem == NULL) 
+	goto no_memory;
+    newList->certs = newItem;
+    newList->len   = len;
+
+    for (oldItem = oldList->certs; len > 0; --len, ++newItem, ++oldItem) {
+	rv = SECITEM_CopyItem(arena, newItem, oldItem);
+	if (rv < 0) 
+	    goto loser;
+    }
+    return newList;
+
+no_memory:
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
 void
 CERT_DestroyCertificateList(CERTCertificateList *list)
 {
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index 2921e3b6c..b55e170b5 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -285,11 +285,10 @@ ssl_DupSocket(sslSocket *os)
 	    int i;
 
 	    for (i=kt_null; i < kt_kea_size; i++) {
-		if (os->serverCert[i]) {
+		if (os->serverCert[i] && os->serverCertChain[i]) {
 		    ss->serverCert[i] = CERT_DupCertificate(os->serverCert[i]);
-		    ss->serverCertChain[i] = CERT_CertChainFromCert
-				(ss->serverCert[i], certUsageSSLServer, 
-				 PR_TRUE);
+		    ss->serverCertChain[i] = CERT_DupCertList(
+		                                       os->serverCertChain[i]);
 		} else {
 		    ss->serverCert[i]      = NULL;
 		    ss->serverCertChain[i] = NULL;