author | joaodasilva@chromium.org <joaodasilva@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-06-29 13:00:01 +0000 |
committer | joaodasilva@chromium.org <joaodasilva@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-06-29 13:00:01 +0000 |
commit | 8fc73c77bef5950266756a691b90b5d1a6b4ee67 (patch) | |
tree | 4f83f8fac6584572a90dd9fb270e92fb131ee076 /net/socket/ssl_client_socket_nss.cc | |
parent | 06c3261f668bf413e8f85e4a26593f970cac700a (diff) | |
Revert 209278 "Update dependency to NSS >= 3.14.3 and NSPR >= 4.9.2"
> Update dependency to NSS >= 3.14.3 and NSPR >= 4.9.2
>
> Technically NSS 3.14.3 depends on NSPR 4.9.5, but Debian stable still
> ships 4.9.2, so this is the lower bound.
>
> 3.14.3 contains a number of important security fixes, and support for
> older systems is no longer desirable.
>
> BUG=245370
> R=thestig@chromium.org, wtc@chromium.org
>
> Review URL: https://chromiumcodereview.appspot.com/18063013
TBR=rsleevi@chromium.org
Review URL: https://codereview.chromium.org/18181019
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@209282 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index d722c3f..371155c 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1262,6 +1262,7 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
 PRFileDesc* socket,
 PRBool checksig,
 PRBool is_server) {
+#ifdef SSL_ENABLE_FALSE_START
 Core* core = reinterpret_cast<Core*>(arg);
 if (!core->handshake_callback_called_) {
 // Only need to turn off False Start in the initial handshake. Also, it is
@@ -1278,6 +1279,7 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
 SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);
 }
 }
+#endif
 // Tell NSS to not verify the certificate.
 return SECSuccess;
@@ -2471,8 +2473,8 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
 SSL_CONNECTION_COMPRESSION_MASK) << SSL_CONNECTION_COMPRESSION_SHIFT;
- // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't
- // support it yet), so use 0x0303 directly.
+ // NSS 3.12.x doesn't have version macros for TLS 1.1 and 1.2 (because NSS
+ // doesn't support them yet), so we use 0x0302 and 0x0303 directly.
 int version = SSL_CONNECTION_VERSION_UNKNOWN;
 if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
 // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
@@ -2482,7 +2484,7 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
 version = SSL_CONNECTION_VERSION_SSL3;
 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) {
 version = SSL_CONNECTION_VERSION_TLS1;
- } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) {
+ } else if (channel_info.protocolVersion == 0x0302) {
 version = SSL_CONNECTION_VERSION_TLS1_1;
 } else if (channel_info.protocolVersion == 0x0303) {
 version = SSL_CONNECTION_VERSION_TLS1_2;
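Review bot: The new `else if` in the 2484 hunk compares `channel_info.protocolVersion` against the bare literal `0x0302`, so a reader now has to trust the comment above it to map that value back to TLS 1.1, and the pre-existing `0x0303` branch has the same weakness. A fallback definition next to the NSS includes would keep the symbolic name in the comparison on both old and new NSS: `#ifndef SSL_LIBRARY_VERSION_TLS_1_1` / `#define SSL_LIBRARY_VERSION_TLS_1_1 0x0302` / `#endif`, with the branch left as `== SSL_LIBRARY_VERSION_TLS_1_1`. UpdateConnectionStatus starts and ends outside this hunk.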
@@ -2492,6 +2494,10 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
 SSL_CONNECTION_VERSION_SHIFT;
 }
+ // SSL_HandshakeNegotiatedExtension was added in NSS 3.12.6.
+ // Since SSL_MAX_EXTENSIONS was added at the same time, we can test
+ // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension.
+#if defined(SSL_MAX_EXTENSIONS)
 PRBool peer_supports_renego_ext;
 ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn, &peer_supports_renego_ext);
@@ -2525,6 +2531,7 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
 peer_supports_renego_ext == PR_TRUE);
 }
 }
+#endif
 if (ssl_config_.version_fallback) {
 nss_handshake_state_.ssl_connection_status |=
@@ -3173,18 +3180,25 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
 SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE);
 }
+#ifdef SSL_ENABLE_SESSION_TICKETS
 // Support RFC 5077
 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
 if (rv != SECSuccess) {
 LogFailedNSSFunction(
 net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
 }
+#else
+ #error "You need to install NSS-3.12 or later to build chromium"
+#endif
+#ifdef SSL_ENABLE_FALSE_START
 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, ssl_config_.false_start_enabled);
 if (rv != SECSuccess)
 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
+#endif
+#ifdef SSL_ENABLE_RENEGOTIATION
 // We allow servers to request renegotiation. Since we're a client,
 // prohibiting this is rather a waste of time. Only servers are in a
 // position to prevent renegotiation attacks.
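Review bot: With `SSL_MAX_EXTENSIONS` undefined the whole renegotiation-info query in the 2494 hunk is compiled out, so on such an NSS the handshake state is never told whether the peer negotiated RFC 5746, and nothing in the hunk logs or flags that the signal is missing; the caller presumably sees the same status bits as for a peer that was never asked. The code between this hunk's last line and the `#endif` added in the 2531 hunk is outside my view, so I cannot confirm what the untouched bits default to. I would say so on the guard itself: `// NSS < 3.12.6 cannot report RFC 5746 support; the renegotiation status bits are left at their default here.` UpdateConnectionStatus begins and ends outside the hunk.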
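Review bot: The `#error` in the new `#else` branch sets the floor at "NSS-3.12 or later", but `SSL_ENABLE_FALSE_START` and `SSL_ENABLE_RENEGOTIATION` in this hunk (and `SSL_CBC_RANDOM_IV` in the next) each get their own `#ifdef`, so an NSS that passes the floor yet predates those options builds cleanly with False Start, the renegotiation setting and the CBC-IV option silently dropped. The reverted commit message above states that 3.14.3 carries security fixes, so accepting 3.12 should at least be visible to whoever builds against it. I would make the consequence explicit, e.g. `#error "NSS 3.12 or later is required; NSS versions lacking SSL_ENABLE_FALSE_START, SSL_ENABLE_RENEGOTIATION or SSL_CBC_RANDOM_IV build without those settings"`, or replace the per-option `#ifdef`s with a single version check so the degraded configuration cannot happen by accident. InitializeSSLOptions starts and ends outside the hunk.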
@@ -3196,12 +3210,14 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
 LogFailedNSSFunction(
 net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
 }
+#endif // SSL_ENABLE_RENEGOTIATION
+#ifdef SSL_CBC_RANDOM_IV
 rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
 if (rv != SECSuccess)
 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
+#endif
-// Added in NSS 3.15
 #ifdef SSL_ENABLE_OCSP_STAPLING
 if (IsOCSPStaplingSupported()) {
 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
@@ -3212,7 +3228,6 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
 }
 #endif
-// Chromium patch to libssl
 #ifdef SSL_ENABLE_CACHED_INFO
 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, ssl_config_.cached_info_enabled); |
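Review bot: Wrapping the `SSL_CBC_RANDOM_IV` call in `#ifdef` lets a build against an NSS without that option drop it with neither a log line nor a compile-time notice, even though a runtime failure of the very same `SSL_OptionSet` call is still reported through `LogFailedNSSFunction`. If the option is the CBC record-splitting countermeasure its name suggests (the hunk itself does not say), losing it silently is a security regression rather than a missing feature. An `#else` branch that is at least noisy, `#else` / `#warning "NSS lacks SSL_CBC_RANDOM_IV; CBC record splitting is not enabled"` / `#endif`, or folding the option into the version floor, would avoid that. On style, only `#endif // SSL_ENABLE_RENEGOTIATION` carries a trailing label while the other `#endif`s this commit adds do not; pick one convention. InitializeSSLOptions starts and ends outside the hunk.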