authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-07-01 22:06:48 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-07-01 22:06:48 +0000
commit47cdc0bbf783f2d35db391050e95867a75af3701 (patch)
treedab70ff8a51c7cc71109653486c65f6eac111efb /net/socket/ssl_client_socket_nss.cc
parent24c66d99fd134119cce6d88b59bf444a20faa911 (diff)
Reland http://crrev.com/209278
Update dependency to NSS >= 3.14.3 and NSPR >= 4.9.2 Technically NSS 3.14.3 depends on NSPR 4.9.5, but Debian stable still ships 4.9.2, so this is the lower bound. 3.14.3 contains a number of important security fixes, and support for older systems is no longer desirable. BUG=245370 TBR=thestig@chromium.org, wtc@chromium.org Review URL: https://chromiumcodereview.appspot.com/18332012 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@209515 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
-rw-r--r--net/socket/ssl_client_socket_nss.cc25
1 files changed, 5 insertions, 20 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index bffadfa..ca71836 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1274,7 +1274,6 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
PRFileDesc* socket,
PRBool checksig,
PRBool is_server) {
-#ifdef SSL_ENABLE_FALSE_START
Core* core = reinterpret_cast<Core*>(arg);
if (!core->handshake_callback_called_) {
// Only need to turn off False Start in the initial handshake. Also, it is
@@ -1291,7 +1290,6 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);
}
}
-#endif
// Tell NSS to not verify the certificate.
return SECSuccess;
@@ -2419,8 +2417,8 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
SSL_CONNECTION_COMPRESSION_MASK) <<
SSL_CONNECTION_COMPRESSION_SHIFT;
- // NSS 3.12.x doesn't have version macros for TLS 1.1 and 1.2 (because NSS
- // doesn't support them yet), so we use 0x0302 and 0x0303 directly.
+ // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't
+ // support it yet), so use 0x0303 directly.
int version = SSL_CONNECTION_VERSION_UNKNOWN;
if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
// All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
@@ -2430,7 +2428,7 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
version = SSL_CONNECTION_VERSION_SSL3;
} else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) {
version = SSL_CONNECTION_VERSION_TLS1;
- } else if (channel_info.protocolVersion == 0x0302) {
+ } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) {
version = SSL_CONNECTION_VERSION_TLS1_1;
} else if (channel_info.protocolVersion == 0x0303) {
version = SSL_CONNECTION_VERSION_TLS1_2;
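Review bot: The TLS 1.1 comparison now uses SSL_LIBRARY_VERSION_TLS_1_1, but the TLS 1.2 branch two lines later still compares against the bare literal 0x0303, so the version ladder mixes named and magic values. Giving the literal a name next to the comment that already justifies it keeps the intent visible at the point of use and makes the eventual switch to an NSS macro a one-line change: `const PRUint16 kTLS12ProtocolVersion = 0x0303;  // no NSS macro yet, see comment above` and `} else if (channel_info.protocolVersion == kTLS12ProtocolVersion) {`. UpdateConnectionStatus begins and ends outside this hunk.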
@@ -2440,10 +2438,6 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
SSL_CONNECTION_VERSION_SHIFT;
}
- // SSL_HandshakeNegotiatedExtension was added in NSS 3.12.6.
- // Since SSL_MAX_EXTENSIONS was added at the same time, we can test
- // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension.
-#if defined(SSL_MAX_EXTENSIONS)
PRBool peer_supports_renego_ext;
ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn,
&peer_supports_renego_ext);
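Review bot: `peer_supports_renego_ext` is declared without an initializer on the line before the SSL_HandshakeNegotiatedExtension call, and with the SSL_MAX_EXTENSIONS guard gone this code is now compiled unconditionally. If the call fails and `ok` is not checked before the later `peer_supports_renego_ext == PR_TRUE` comparison (the lines in between are outside this hunk), that comparison reads an indeterminate value; even if `ok` is checked, a defined default costs nothing and makes the failure path deterministic: `PRBool peer_supports_renego_ext = PR_FALSE;`. A false default is also the conservative answer for a renegotiation-info check, since it reports the peer as not supporting the extension. UpdateConnectionStatus starts and ends outside this hunk.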
@@ -2477,7 +2471,6 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
peer_supports_renego_ext == PR_TRUE);
}
}
-#endif
if (ssl_config_.version_fallback) {
nss_handshake_state_.ssl_connection_status |=
@@ -3153,25 +3146,18 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE);
}
-#ifdef SSL_ENABLE_SESSION_TICKETS
// Support RFC 5077
rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
if (rv != SECSuccess) {
LogFailedNSSFunction(
net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
}
-#else
- #error "You need to install NSS-3.12 or later to build chromium"
-#endif
-#ifdef SSL_ENABLE_FALSE_START
rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START,
ssl_config_.false_start_enabled);
if (rv != SECSuccess)
LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
-#endif
-#ifdef SSL_ENABLE_RENEGOTIATION
// We allow servers to request renegotiation. Since we're a client,
// prohibiting this is rather a waste of time. Only servers are in a
// position to prevent renegotiation attacks.
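Review bot: Dropping the `#error "You need to install NSS-3.12 or later to build chromium"` guard removes the only compile-time statement of the NSS minimum in this file, while the SSL_OptionSet calls for SSL_ENABLE_SESSION_TICKETS, SSL_ENABLE_FALSE_START and SSL_ENABLE_RENEGOTIATION are now unconditional and would fail against an older header with an unhelpful undeclared-identifier error instead. Unless the build system enforces the new NSS >= 3.14.3 floor elsewhere, a replacement check using the version macros from nss.h keeps the diagnostic explicit, e.g. near the top of the file: `#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && (NSS_VMINOR < 14 || (NSS_VMINOR == 14 && NSS_VPATCH < 3)))` / `#error "Chromium requires NSS 3.14.3 or later"` / `#endif`. The same point applies to the SSL_CBC_RANDOM_IV guard removed in the following hunk. InitializeSSLOptions continues outside this hunk on both sides.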
@@ -3183,14 +3169,12 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
LogFailedNSSFunction(
net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
}
-#endif // SSL_ENABLE_RENEGOTIATION
-#ifdef SSL_CBC_RANDOM_IV
rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
if (rv != SECSuccess)
LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
-#endif
+// Added in NSS 3.15
#ifdef SSL_ENABLE_OCSP_STAPLING
if (IsOCSPStaplingSupported()) {
rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
@@ -3201,6 +3185,7 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
}
#endif
+// Chromium patch to libssl
#ifdef SSL_ENABLE_CACHED_INFO
rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO,
ssl_config_.cached_info_enabled);