diff options
| author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-06-29 10:53:05 +0000 |
|---|---|---|
| committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-06-29 10:53:05 +0000 |
| commit | d5700d7ba712cbc99c5aa3409a94d9816c3f5782 (patch) | |
| tree | 1698865658f62644877e9eb29a7aa68ed90c3185 /net/socket/ssl_client_socket_nss.cc | |
| parent | 319fff3e31773e5522fe2b468c2e9908764c858d (diff) | |
| download | chromium_src-d5700d7ba712cbc99c5aa3409a94d9816c3f5782.zip chromium_src-d5700d7ba712cbc99c5aa3409a94d9816c3f5782.tar.gz chromium_src-d5700d7ba712cbc99c5aa3409a94d9816c3f5782.tar.bz2 | |
Update dependency to NSS >= 3.14.3 and NSPR >= 4.9.2
Technically NSS 3.14.3 depends on NSPR 4.9.5, but Debian stable still
ships 4.9.2 on stable, so this is the lower bound.
3.14.3 contains a number of important security fixes, and support for
older systems is no longer desirable.
BUG=245370
R=thestig@chromium.org, wtc@chromium.org
Review URL: https://chromiumcodereview.appspot.com/18063013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@209278 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
| -rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 25 |
1 files changed, 5 insertions, 20 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 371155c..d722c3f 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -1262,7 +1262,6 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler( PRFileDesc* socket, PRBool checksig, PRBool is_server) { -#ifdef SSL_ENABLE_FALSE_START Core* core = reinterpret_cast<Core*>(arg); if (!core->handshake_callback_called_) { // Only need to turn off False Start in the initial handshake. Also, it is @@ -1279,7 +1278,6 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler( SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE); } } -#endif // Tell NSS to not verify the certificate. return SECSuccess; @@ -2473,8 +2471,8 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() { SSL_CONNECTION_COMPRESSION_MASK) << SSL_CONNECTION_COMPRESSION_SHIFT; - // NSS 3.12.x doesn't have version macros for TLS 1.1 and 1.2 (because NSS - // doesn't support them yet), so we use 0x0302 and 0x0303 directly. + // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't + // support it yet), so use 0x0303 directly. int version = SSL_CONNECTION_VERSION_UNKNOWN; if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) { // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL @@ -2484,7 +2482,7 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() { version = SSL_CONNECTION_VERSION_SSL3; } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) { version = SSL_CONNECTION_VERSION_TLS1; - } else if (channel_info.protocolVersion == 0x0302) { + } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) { version = SSL_CONNECTION_VERSION_TLS1_1; } else if (channel_info.protocolVersion == 0x0303) { version = SSL_CONNECTION_VERSION_TLS1_2; @@ -2494,10 +2492,6 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() { SSL_CONNECTION_VERSION_SHIFT; } - // SSL_HandshakeNegotiatedExtension was added in NSS 3.12.6. - // Since SSL_MAX_EXTENSIONS was added at the same time, we can test - // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension. -#if defined(SSL_MAX_EXTENSIONS) PRBool peer_supports_renego_ext; ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn, &peer_supports_renego_ext); @@ -2531,7 +2525,6 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() { peer_supports_renego_ext == PR_TRUE); } } -#endif if (ssl_config_.version_fallback) { nss_handshake_state_.ssl_connection_status |= @@ -3180,25 +3173,18 @@ int SSLClientSocketNSS::InitializeSSLOptions() { SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE); } -#ifdef SSL_ENABLE_SESSION_TICKETS // Support RFC 5077 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE); if (rv != SECSuccess) { LogFailedNSSFunction( net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS"); } -#else - #error "You need to install NSS-3.12 or later to build chromium" -#endif -#ifdef SSL_ENABLE_FALSE_START rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, ssl_config_.false_start_enabled); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START"); -#endif -#ifdef SSL_ENABLE_RENEGOTIATION // We allow servers to request renegotiation. Since we're a client, // prohibiting this is rather a waste of time. Only servers are in a // position to prevent renegotiation attacks. @@ -3210,14 +3196,12 @@ int SSLClientSocketNSS::InitializeSSLOptions() { LogFailedNSSFunction( net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION"); } -#endif // SSL_ENABLE_RENEGOTIATION -#ifdef SSL_CBC_RANDOM_IV rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV"); -#endif +// Added in NSS 3.15 #ifdef SSL_ENABLE_OCSP_STAPLING if (IsOCSPStaplingSupported()) { rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE); @@ -3228,6 +3212,7 @@ int SSLClientSocketNSS::InitializeSSLOptions() { } #endif +// Chromium patch to libssl #ifdef SSL_ENABLE_CACHED_INFO rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, ssl_config_.cached_info_enabled); |