diff options
author | nelsonb%netscape.com <devnull@localhost> | 2000-09-09 06:08:46 +0000 |
---|---|---|
committer | nelsonb%netscape.com <devnull@localhost> | 2000-09-09 06:08:46 +0000 |
commit | 0e3d78dd165faa348df07345ffafbdbb789f469a (patch) | |
tree | 5d28323f12cbae67651d19e03c141d421e980dd2 /security/nss | |
parent | 706090cc6485395e082bf76a3522f1466a344d9d (diff) | |
download | nss-hg-0e3d78dd165faa348df07345ffafbdbb789f469a.tar.gz |
Create a new function, CERT_DupCertList(), and call it instead of calling
CERT_CertChainFromCert in ssl_DupSocket(). This is MUCH faster. This is
the first approximation of the right fix. The next step is to consider
doing ref counting instead of actual duplication. Fixes bug 51425 .
Diffstat (limited to 'security/nss')
-rw-r--r-- | security/nss/lib/certdb/cert.h | 3 | ||||
-rw-r--r-- | security/nss/lib/certhigh/certhigh.c | 51 | ||||
-rw-r--r-- | security/nss/lib/ssl/sslsock.c | 7 |
3 files changed, 54 insertions, 7 deletions
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h index c12b77489..d77bcb5a4 100644 --- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h @@ -905,6 +905,9 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage, extern CERTCertificateList * CERT_CertListFromCert(CERTCertificate *cert); +extern CERTCertificateList * +CERT_DupCertList(CERTCertificateList * oldList); + extern void CERT_DestroyCertificateList(CERTCertificateList *list); /* is cert a newer than cert b? */ diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c index c75f97a6e..e24ad7553 100644 --- a/security/nss/lib/certhigh/certhigh.c +++ b/security/nss/lib/certhigh/certhigh.c @@ -980,10 +980,10 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage, node->cert = NULL; if (rv < 0) goto loser; } - if ( includeRoot ) { - chain->len = len; - } else { + if ( !includeRoot && len > 1) { chain->len = len - 1; + } else { + chain->len = len; } chain->arena = arena; @@ -1013,6 +1013,9 @@ loser: return NULL; } +/* Builds a CERTCertificateList holding just one DER-encoded cert, namely +** the one for the cert passed as an argument. +*/ CERTCertificateList * CERT_CertListFromCert(CERTCertificate *cert) { @@ -1045,6 +1048,48 @@ loser: return NULL; } +CERTCertificateList * +CERT_DupCertList(CERTCertificateList * oldList) +{ + CERTCertificateList *newList = NULL; + PRArenaPool *arena = NULL; + SECItem *newItem; + SECItem *oldItem; + int len = oldList->len; + int rv; + + /* arena for SecCertificateList */ + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) + goto no_memory; + + /* now build the CERTCertificateList */ + newList = PORT_ArenaNew(arena, CERTCertificateList); + if (newList == NULL) + goto no_memory; + newList->arena = arena; + newItem = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem)); + if (newItem == NULL) + goto no_memory; + newList->certs = newItem; + newList->len = len; + + for (oldItem = oldList->certs; len > 0; --len, ++newItem, ++oldItem) { + rv = SECITEM_CopyItem(arena, newItem, oldItem); + if (rv < 0) + goto loser; + } + return newList; + +no_memory: + PORT_SetError(SEC_ERROR_NO_MEMORY); +loser: + if (arena != NULL) { + PORT_FreeArena(arena, PR_FALSE); + } + return NULL; +} + void CERT_DestroyCertificateList(CERTCertificateList *list) { diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index 2921e3b6c..b55e170b5 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -285,11 +285,10 @@ ssl_DupSocket(sslSocket *os) int i; for (i=kt_null; i < kt_kea_size; i++) { - if (os->serverCert[i]) { + if (os->serverCert[i] && os->serverCertChain[i]) { ss->serverCert[i] = CERT_DupCertificate(os->serverCert[i]); - ss->serverCertChain[i] = CERT_CertChainFromCert - (ss->serverCert[i], certUsageSSLServer, - PR_TRUE); + ss->serverCertChain[i] = CERT_DupCertList( + os->serverCertChain[i]); } else { ss->serverCert[i] = NULL; ss->serverCertChain[i] = NULL; |