authordank@chromium.org <dank@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2008-11-26 22:21:17 +0000
committerdank@chromium.org <dank@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2008-11-26 22:21:17 +0000
commitab63eccc1f9afea4e4f8587178c40ce1d0799f56 (patch)
treeb2b7438a4d9e73fa7079f2489bd0d846bea5a08b /base/nss_init.cc
parente5f659d04a347c41cbd71c918ff0f24448bd0bcc (diff)
Point nss at root certs so test_shell can talk to mail.google.com without warnings.
(gmail.com's certificate is for mail.google.com, which doesn't match gmail.com, so on some distros, test_shell will now refuse to talk with gmail.com.) Support ciphers needed to talk to testserver.py. Load temporary testing cert needed to run unit tests (can't do it manually like on Windows, since we don't use a writable cert database in the filesystem.) Implement part of GetSSLInfo. Re-enable url_request_unittest.cc, which seems to have been removed from the list of files to compile by mistake. Addresses part of http://code.google.com/p/chromium/issues/detail?id=4510 Later changesets will implement x509 certificates for nss, finish GetSSLInfo support, and update chrome/browser/ssl_uitest.cc to use SSLTestUtil. Review URL: http://codereview.chromium.org/11249 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@6063 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base/nss_init.cc')
-rw-r--r--base/nss_init.cc61
1 files changed, 59 insertions, 2 deletions
diff --git a/base/nss_init.cc b/base/nss_init.cc
index c8ba44b..f43bf3f 100644
--- a/base/nss_init.cc
+++ b/base/nss_init.cc
@@ -9,31 +9,88 @@
// Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424
// until NSS 3.12.2 comes out and we update to it.
#define Lock FOO_NSS_Lock
+#include <secmod.h>
#include <ssl.h>
#undef Lock
+#include "base/file_util.h"
#include "base/logging.h"
#include "base/singleton.h"
namespace {
+// Load nss's built-in root certs.
+// TODO(port): figure out a less hacky way to do this
+const char *possible_locations[] = {
+ "libnssckbi.so",
+ "/usr/lib32/nss/libnssckbi.so",
+ "/usr/lib/nss/libnssckbi.so",
+ "/usr/lib32/libnssckbi.so",
+ "/usr/lib/libnssckbi.so",
+ NULL
+};
+SECMODModule *InitDefaultRootCerts() {
+ int i;
+ for (i=0; possible_locations[i]; i++) {
+ if (possible_locations[i][0] == '/' && access(possible_locations[i], R_OK))
+ continue;
+ char modparams[1024];
+ snprintf(modparams, sizeof(modparams),
+ "name=\"Root Certs\" library=\"%s\"\n", possible_locations[i]);
+ SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE);
+ if (root)
+ return root;
+ }
+ // Aw, snap. Can't find/load root cert shared library.
+ // This will make it hard to talk to anybody via https.
+ NOTREACHED();
+ return NULL;
+}
+
class NSSInitSingleton {
public:
NSSInitSingleton() {
+
+ // Initialize without using a persistant database (e.g. ~/.netscape)
CHECK(NSS_NoDB_Init(".") == SECSuccess);
- // Enable ciphers
+
+ root_ = InitDefaultRootCerts();
+
NSS_SetDomesticPolicy();
+
+ // Explicitly enable exactly those ciphers with keys of at least 80 bits
+ for (int i = 0; i < SSL_NumImplementedCiphers; i++) {
+ SSLCipherSuiteInfo info;
+ if (SSL_GetCipherSuiteInfo(SSL_ImplementedCiphers[i], &info,
+ sizeof(info)) == SECSuccess) {
+ SSL_CipherPrefSetDefault(SSL_ImplementedCiphers[i],
+ (info.effectiveKeyBits >= 80));
+ }
+ }
+
// Enable SSL
SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
+
+ // All other SSL options are set per-session by SSLClientSocket
}
~NSSInitSingleton() {
+ if (root_) {
+ SECMOD_UnloadUserModule(root_);
+ SECMOD_DestroyModule(root_);
+ root_ = NULL;
+ }
+
// Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY
SSL_ClearSessionCache();
SECStatus status = NSS_Shutdown();
- DCHECK(status == SECSuccess);
+ if (status != SECSuccess)
+ LOG(ERROR) << "NSS_Shutdown failed, leak? See "
+ "http://code.google.com/p/chromium/issues/detail?id=4609";
}
+ private:
+ SECMODModule *root_;
};
} // namespace
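Review bot: In `InitDefaultRootCerts`, failing to load any root-cert module is reported only through `NOTREACHED()`, which to my knowledge is a debug-only assertion, so a release build would carry on with `root_ == NULL`, no trust anchors, and nothing in the log. The destructor in this same hunk already swaps `DCHECK` for `LOG(ERROR)` on shutdown failure; the same treatment fits here, e.g. `LOG(ERROR) << "Could not load NSS root certs (libnssckbi.so); HTTPS certificate verification will fail";` ahead of the `NOTREACHED()`. Separately, the first entry in `possible_locations` is the bare name `libnssckbi.so`, which bypasses the `access()` check and is presumably resolved through the dynamic loader's search path. Because this module supplies the trusted roots, I would either try the absolute paths first or add a comment such as `// bare name: resolved via the loader search path, so the environment decides which root store is trusted`. The cipher loop also selects on `info.effectiveKeyBits` alone and drops the return value of `SSL_CipherPrefSetDefault`, so a short comment stating whether suites are meant to be filtered on anything besides key size would help the next reader.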