author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-03-03 15:02:22 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-03-03 15:02:22 +0000 |
commit | 1b5bcd397cf7e5bfb947be72f06138a2ee4be699 (patch) | |
tree | 6008c21d4c741cccb8a6bc2cd0c3a26414ddfc64 /net/socket | |
parent | 8cf99c80877e6030417a3c2e0fa7cb46cfcef3d3 (diff) | |
download | chromium_src-1b5bcd397cf7e5bfb947be72f06138a2ee4be699.zip chromium_src-1b5bcd397cf7e5bfb947be72f06138a2ee4be699.tar.gz chromium_src-1b5bcd397cf7e5bfb947be72f06138a2ee4be699.tar.bz2 |
Update net/third_party/nss to NSS 3.13.3.
The following patches have been upstreamed:
- net/third_party/nss/patches/handshakeshortwrite.patch
- net/third_party/nss/patches/cbcrandomiv.patch
- net/third_party/nss/patches/nextproto.patch
- portions of patches/cachecerts.patch that add certificates to
ss->ssl3.peerCertChain in the right order.
- portions of net/third_party/nss/patches/clientauth.patch that
fix NSS bug 616757.
I omitted the net/third_party/nss/patches/cachedinfo.patch because
Chrome isn't using the TLS cached info extension and I wanted to
maintain fewer patches. We can add it back later.
R=rsleevi@chromium.org,agl@chromium.org
BUG=116617
TEST=Unit tests should pass. Manual tests of SSL client auth and
origin-bound certs.
Review URL: http://codereview.chromium.org/9558017
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@124862 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 36 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.h | 3 |
2 files changed, 27 insertions, 12 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index aaa8a17..7f9bb4c 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -261,12 +261,13 @@ class PeerCertificateChain {
 explicit PeerCertificateChain(PRFileDesc* nss_fd)
 : num_certs_(0), certs_(NULL) {
- SECStatus rv = SSL_PeerCertificateChain(nss_fd, NULL, &num_certs_);
+ SECStatus rv = SSL_PeerCertificateChain(nss_fd, NULL, &num_certs_, 0);
 DCHECK_EQ(rv, SECSuccess);
 certs_ = new CERTCertificate*[num_certs_];
 const unsigned expected_num_certs = num_certs_;
- rv = SSL_PeerCertificateChain(nss_fd, certs_, &num_certs_);
+ rv = SSL_PeerCertificateChain(nss_fd, certs_, &num_certs_,
+ expected_num_certs);
 DCHECK_EQ(rv, SECSuccess);
 DCHECK_EQ(num_certs_, expected_num_certs);
 }
@@ -913,12 +914,12 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_DEFLATE");
 #endif
-#ifdef SSL_ENABLE_FALSE_START
- rv = SSL_OptionSet(
- nss_fd_, SSL_ENABLE_FALSE_START,
+ PRBool false_start_enabled =
 ssl_config_.false_start_enabled &&
 !SSLConfigService::IsKnownFalseStartIncompatibleServer(
- host_and_port_.host()));
+ host_and_port_.host());
+#ifdef SSL_ENABLE_FALSE_START
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, false_start_enabled);
 if (rv != SECSuccess)
 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
 #endif
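Review bot: The second SSL_PeerCertificateChain call in the PeerCertificateChain constructor is checked only by DCHECK_EQ, so in a release build a SECFailure (for instance the chain no longer fitting into the `expected_num_certs` slots the new fourth argument bounds it to) leaves `certs_` and `num_certs_` in whatever state the call left them, and the rest of the class, whose body lies outside the hunk, will expose them. Resetting on failure keeps the object from ever reporting more entries than were filled: `if (rv != SECSuccess) num_certs_ = 0;` after the second call. Whether NSS rewrites `*num_certs_` when it fails is not visible here, so the reset is safe either way.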
@@ -937,13 +938,17 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
 }
 #endif // SSL_ENABLE_RENEGOTIATION
-#ifdef SSL_NEXT_PROTO_NEGOTIATED
 if (!ssl_config_.next_protos.empty()) {
 rv = SSL_SetNextProtoCallback(
 nss_fd_, SSLClientSocketNSS::NextProtoCallback, this);
 if (rv != SECSuccess)
 LogFailedNSSFunction(net_log_, "SSL_SetNextProtoCallback", "");
 }
+
+#ifdef SSL_CBC_RANDOM_IV
+ rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, false_start_enabled);
+ if (rv != SECSuccess)
+ LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
 #endif
 #ifdef SSL_ENABLE_OCSP_STAPLING
@@ -1370,7 +1375,6 @@ bool SSLClientSocketNSS::LoadSSLHostInfo() {
 if (state.certs.empty())
 return true;
- SECStatus rv;
 const std::vector<std::string>& certs_in = state.certs;
 scoped_array<CERTCertificate*> certs(new CERTCertificate*[certs_in.size()]);
@@ -1389,11 +1393,16 @@ bool SSLClientSocketNSS::LoadSSLHostInfo() {
 }
 }
+ SECStatus rv;
+#ifdef SSL_ENABLE_CACHED_INFO
 rv = SSL_SetPredictedPeerCertificates(nss_fd_, certs.get(), certs_in.size());
- DestroyCertificates(&certs[0], certs_in.size());
 DCHECK_EQ(SECSuccess, rv);
+#else
+ rv = SECFailure; // Not implemented.
+#endif
+ DestroyCertificates(&certs[0], certs_in.size());
- return true;
+ return rv == SECSuccess;
 }
 int SSLClientSocketNSS::DoLoadSSLHostInfo() {
@@ -2637,7 +2646,8 @@ SSLClientSocketNSS::NextProtoCallback(void* arg,
 const unsigned char* protos,
 unsigned int protos_len,
 unsigned char* proto_out,
- unsigned int* proto_out_len) {
+ unsigned int* proto_out_len,
+ unsigned int proto_max_len) {
 SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
 // For each protocol in server preference, see if we support it.
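Review bot: The new SSL_CBC_RANDOM_IV block passes `false_start_enabled` as the option value, so the CBC random-IV countermeasure is switched off for every host on the False Start incompatibility list and whenever False Start is disabled in the config, and nothing in the hunk says why a record-layer mitigation should follow the False Start decision. If that coupling is deliberate (presumably the same servers are known to break on both), it needs a comment above the SSL_OptionSet call, e.g. `// Gate the CBC random-IV mitigation on the False Start decision: servers on the False Start incompatibility list are assumed to break on it as well.`; otherwise a separate SSLConfig flag would make the intent clear. Note also that `false_start_enabled` is declared outside both #ifdef blocks, so a build with neither SSL_ENABLE_FALSE_START nor SSL_CBC_RANDOM_IV defined gets an unused variable. InitializeSSLOptions starts and ends outside the hunk.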
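Review bot: LoadSSLHostInfo now returns `rv == SECSuccess`, which is false on the `#else` path where the cached-info extension is compiled out, while the earlier `if (state.certs.empty()) return true;` in the same function still reports success for the nothing-to-do case, so "no predicted certificates" and "could not install them" are reported differently and the hunk does not say what a false result means to callers. The `DCHECK_EQ(SECSuccess, rv)` is debug-only, so in release a failing SSL_SetPredictedPeerCertificates also quietly becomes a false return. A comment at the new `SECStatus rv;` would settle it, along the lines of `// Returns false when the predicted certificates could not be handed to NSS (including when SSL_ENABLE_CACHED_INFO is not available); callers fall back to a normal handshake.` — the fallback part is my reading, since DoLoadSSLHostInfo and the other callers are outside the hunk. The function's start is outside the hunk.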
@@ -2676,6 +2686,10 @@ SSLClientSocketNSS::NextProtoCallback(void* arg,
 that->next_proto_ = that->ssl_config_.next_protos[0];
 }
+ if (that->next_proto_.size() > proto_max_len) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
 memcpy(proto_out, that->next_proto_.data(), that->next_proto_.size());
 *proto_out_len = that->next_proto_.size();
 return SECSuccess;
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index 3ce5b78..2dc72c5 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -200,7 +200,8 @@ class SSLClientSocketNSS : public SSLClientSocket {
 const unsigned char* protos,
 unsigned int protos_len,
 unsigned char* proto_out,
- unsigned int* proto_out_len);
+ unsigned int* proto_out_len,
+ unsigned int proto_max_len);
 // The following methods are for debugging bug 65948. Will remove this code
 // after fixing bug 65948. |
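Review bot: The header adds `proto_max_len` to the NextProtoCallback declaration without saying what it bounds; the .cc side fails with SEC_ERROR_OUTPUT_LEN when the selected protocol is longer than it, so the declaration should carry that contract, e.g. `// proto_max_len is the capacity of proto_out in bytes; the callback fails` / `// with SEC_ERROR_OUTPUT_LEN rather than write a protocol that does not fit.` placed above the method. The enclosing class declaration continues outside the hunk.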