summaryrefslogtreecommitdiffstats
path: root/net/socket/ssl_client_socket_nss.cc
diff options
context:
space:
mode:
authorjoaodasilva@chromium.org <joaodasilva@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-06-29 13:00:01 +0000
committerjoaodasilva@chromium.org <joaodasilva@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-06-29 13:00:01 +0000
commit8fc73c77bef5950266756a691b90b5d1a6b4ee67 (patch)
tree4f83f8fac6584572a90dd9fb270e92fb131ee076 /net/socket/ssl_client_socket_nss.cc
parent06c3261f668bf413e8f85e4a26593f970cac700a (diff)
downloadchromium_src-8fc73c77bef5950266756a691b90b5d1a6b4ee67.zip
chromium_src-8fc73c77bef5950266756a691b90b5d1a6b4ee67.tar.gz
chromium_src-8fc73c77bef5950266756a691b90b5d1a6b4ee67.tar.bz2
Revert 209278 "Update dependency to NSS >= 3.14.3 and NSPR >= 4.9.2"
> Update dependency to NSS >= 3.14.3 and NSPR >= 4.9.2 > > Technically NSS 3.14.3 depends on NSPR 4.9.5, but Debian stable still > ships 4.9.2 on stable, so this is the lower bound. > > 3.14.3 contains a number of important security fixes, and support for > older systems is no longer desirable. > > BUG=245370 > R=thestig@chromium.org, wtc@chromium.org > > Review URL: https://chromiumcodereview.appspot.com/18063013 TBR=rsleevi@chromium.org Review URL: https://codereview.chromium.org/18181019 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@209282 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
-rw-r--r--net/socket/ssl_client_socket_nss.cc25
1 files changed, 20 insertions, 5 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index d722c3f..371155c 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1262,6 +1262,7 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
PRFileDesc* socket,
PRBool checksig,
PRBool is_server) {
+#ifdef SSL_ENABLE_FALSE_START
Core* core = reinterpret_cast<Core*>(arg);
if (!core->handshake_callback_called_) {
// Only need to turn off False Start in the initial handshake. Also, it is
@@ -1278,6 +1279,7 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);
}
}
+#endif
// Tell NSS to not verify the certificate.
return SECSuccess;
@@ -2471,8 +2473,8 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
SSL_CONNECTION_COMPRESSION_MASK) <<
SSL_CONNECTION_COMPRESSION_SHIFT;
- // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't
- // support it yet), so use 0x0303 directly.
+ // NSS 3.12.x doesn't have version macros for TLS 1.1 and 1.2 (because NSS
+ // doesn't support them yet), so we use 0x0302 and 0x0303 directly.
int version = SSL_CONNECTION_VERSION_UNKNOWN;
if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
// All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
@@ -2482,7 +2484,7 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
version = SSL_CONNECTION_VERSION_SSL3;
} else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) {
version = SSL_CONNECTION_VERSION_TLS1;
- } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) {
+ } else if (channel_info.protocolVersion == 0x0302) {
version = SSL_CONNECTION_VERSION_TLS1_1;
} else if (channel_info.protocolVersion == 0x0303) {
version = SSL_CONNECTION_VERSION_TLS1_2;
@@ -2492,6 +2494,10 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
SSL_CONNECTION_VERSION_SHIFT;
}
+ // SSL_HandshakeNegotiatedExtension was added in NSS 3.12.6.
+ // Since SSL_MAX_EXTENSIONS was added at the same time, we can test
+ // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension.
+#if defined(SSL_MAX_EXTENSIONS)
PRBool peer_supports_renego_ext;
ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn,
&peer_supports_renego_ext);
@@ -2525,6 +2531,7 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
peer_supports_renego_ext == PR_TRUE);
}
}
+#endif
if (ssl_config_.version_fallback) {
nss_handshake_state_.ssl_connection_status |=
@@ -3173,18 +3180,25 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE);
}
+#ifdef SSL_ENABLE_SESSION_TICKETS
// Support RFC 5077
rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
if (rv != SECSuccess) {
LogFailedNSSFunction(
net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
}
+#else
+ #error "You need to install NSS-3.12 or later to build chromium"
+#endif
+#ifdef SSL_ENABLE_FALSE_START
rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START,
ssl_config_.false_start_enabled);
if (rv != SECSuccess)
LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
+#endif
+#ifdef SSL_ENABLE_RENEGOTIATION
// We allow servers to request renegotiation. Since we're a client,
// prohibiting this is rather a waste of time. Only servers are in a
// position to prevent renegotiation attacks.
@@ -3196,12 +3210,14 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
LogFailedNSSFunction(
net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
}
+#endif // SSL_ENABLE_RENEGOTIATION
+#ifdef SSL_CBC_RANDOM_IV
rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
if (rv != SECSuccess)
LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
+#endif
-// Added in NSS 3.15
#ifdef SSL_ENABLE_OCSP_STAPLING
if (IsOCSPStaplingSupported()) {
rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
@@ -3212,7 +3228,6 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
}
#endif
-// Chromium patch to libssl
#ifdef SSL_ENABLE_CACHED_INFO
rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO,
ssl_config_.cached_info_enabled);