diff options
| author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-09 05:55:33 +0000 |
|---|---|---|
| committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-09 05:55:33 +0000 |
| commit | 56e37a44c338d140e3ec9d9f0667511a10b690f8 (patch) | |
| tree | d8d10d98eedf997c8050a7728430bab845925166 | |
| parent | 91b5dd04014cf71cfd3a5afa9b2f36bf2f5945c6 (diff) | |
| download | chromium_src-56e37a44c338d140e3ec9d9f0667511a10b690f8.zip chromium_src-56e37a44c338d140e3ec9d9f0667511a10b690f8.tar.gz chromium_src-56e37a44c338d140e3ec9d9f0667511a10b690f8.tar.bz2 | |
Disable SSL renegotiation on OS X when using system SSL and on 10.5.x. By default, system SSL is disabled unless --use-system-ssl is passed via the command-line.
BUG=66931
TEST=none
Review URL: http://codereview.chromium.org/6051013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@70858 0039d316-1c4b-4281-b951-d872f2087c98
| -rw-r--r-- | net/socket/ssl_client_socket_mac.cc | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc index 352b3b1..fa283ab 100644 --- a/net/socket/ssl_client_socket_mac.cc +++ b/net/socket/ssl_client_socket_mac.cc @@ -14,6 +14,7 @@ #include "base/lazy_instance.h" #include "base/mac/scoped_cftyperef.h" #include "base/string_util.h" +#include "base/sys_info.h" #include "net/base/address_list.h" #include "net/base/cert_verifier.h" #include "net/base/io_buffer.h" @@ -140,6 +141,27 @@ enum { }; #endif +// On OS X 10.5.x, SSLHandshake() is broken with respect to renegotiation +// handshakes, and the only way to advance the handshake state machine is +// to use SSLRead(), which transparently re-handshakes and then reads +// application data. Using SSLRead() to pump the handshake, rather than +// SSLHandshake(), is not presently implemented, so on 10.5.x, SSL +// renegotiation is disabled entirely. On 10.6.x, SSLHandshake() behaves as +// expected/documented, so renegotiation is supported. +struct RenegotiationBroken { + RenegotiationBroken() : broken(false) { + int32 major, minor, bugfix; + base::SysInfo::OperatingSystemVersionNumbers(&major, &minor, &bugfix); + if (major < 10 || (major == 10 && minor < 6)) + broken = true; + } + + bool broken; +}; + +base::LazyInstance<RenegotiationBroken> g_renegotiation_broken( + base::LINKER_INITIALIZED); + // For an explanation of the Mac OS X error codes, please refer to: // http://developer.apple.com/mac/library/documentation/Security/Reference/secureTransportRef/Reference/reference.html int NetErrorFromOSStatus(OSStatus status) { @@ -1119,6 +1141,9 @@ int SSLClientSocketMac::DoPayloadRead() { OSStatus status = SSLRead(ssl_context_, user_read_buf_->data(), user_read_buf_len_, &processed); if (status == errSSLWouldBlock && renegotiating_) { + if (g_renegotiation_broken.Get().broken) + return ERR_SSL_RENEGOTIATION_REQUESTED; + CHECK_EQ(static_cast<size_t>(0), processed); next_handshake_state_ = STATE_HANDSHAKE; return DoHandshakeLoop(OK); |