diff options
| author | dkegel@google.com <dkegel@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-12-02 19:49:48 +0000 |
|---|---|---|
| committer | dkegel@google.com <dkegel@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-12-02 19:49:48 +0000 |
| commit | 78e8c3d710650acb48fd241a826d86ad22941c66 (patch) | |
| tree | 49e63fb3431b9d225479c02c2e4335df0fbd43b7 /base | |
| parent | 9cf11c6589e6e24df310bf634155d90afd4def56 (diff) | |
| download | chromium_src-78e8c3d710650acb48fd241a826d86ad22941c66.zip chromium_src-78e8c3d710650acb48fd241a826d86ad22941c66.tar.gz chromium_src-78e8c3d710650acb48fd241a826d86ad22941c66.tar.bz2 | |
For http://code.google.com/p/chromium/issues/detail?id=4510
Extract some UI SSL test code into new class SSLTestUtil to avoid duplication.
Point nss at root certs so test_shell can talk to mail.google.com without warnings.
Support ciphers needed to talk to testserver.py.
Load temporary testing cert needed to run unit tests.
Implement part of GetSSLInfo.
Change URL in developer error message to point to chromium.org.
Re-enable url_request_unittest.cc, which seems to have been disabled by mistake.
Later changesets will implement x509 certificates for nss,
finish GetSSLInfo support, and update chrome/browser/ssl_uitest.cc to use SSLTestUtil.
Earlier version was committed as r6063, but was rolled back.
Review URL: http://codereview.chromium.org/11249
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@6233 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base')
| -rw-r--r-- | base/nss_init.cc | 49 |
1 files changed, 47 insertions, 2 deletions
diff --git a/base/nss_init.cc b/base/nss_init.cc index c8ba44b..df2beea 100644 --- a/base/nss_init.cc +++ b/base/nss_init.cc @@ -9,31 +9,76 @@ // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 // until NSS 3.12.2 comes out and we update to it. #define Lock FOO_NSS_Lock +#include <secmod.h> #include <ssl.h> #undef Lock +#include "base/file_util.h" #include "base/logging.h" #include "base/singleton.h" namespace { +// Load nss's built-in root certs. +SECMODModule *InitDefaultRootCerts() { + const char* kModulePath = "libnssckbi.so"; + char modparams[1024]; + snprintf(modparams, sizeof(modparams), + "name=\"Root Certs\" library=\"%s\"", kModulePath); + SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE); + if (root) + return root; + + // Aw, snap. Can't find/load root cert shared library. + // This will make it hard to talk to anybody via https. + NOTREACHED(); + return NULL; +} + class NSSInitSingleton { public: NSSInitSingleton() { + + // Initialize without using a persistant database (e.g. ~/.netscape) CHECK(NSS_NoDB_Init(".") == SECSuccess); - // Enable ciphers + + root_ = InitDefaultRootCerts(); + NSS_SetDomesticPolicy(); + + // Explicitly enable exactly those ciphers with keys of at least 80 bits + for (int i = 0; i < SSL_NumImplementedCiphers; i++) { + SSLCipherSuiteInfo info; + if (SSL_GetCipherSuiteInfo(SSL_ImplementedCiphers[i], &info, + sizeof(info)) == SECSuccess) { + SSL_CipherPrefSetDefault(SSL_ImplementedCiphers[i], + (info.effectiveKeyBits >= 80)); + } + } + // Enable SSL SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); + + // All other SSL options are set per-session by SSLClientSocket } ~NSSInitSingleton() { + if (root_) { + SECMOD_UnloadUserModule(root_); + SECMOD_DestroyModule(root_); + root_ = NULL; + } + // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY SSL_ClearSessionCache(); SECStatus status = NSS_Shutdown(); - DCHECK(status == SECSuccess); + if (status != SECSuccess) + LOG(ERROR) << "NSS_Shutdown failed, leak? See " + "http://code.google.com/p/chromium/issues/detail?id=4609"; } + private: + SECMODModule *root_; }; } // namespace |