diff options
| author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-27 16:57:13 +0000 |
|---|---|---|
| committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-27 16:57:13 +0000 |
| commit | 08ba16f7dade0fc671cf014d1754cfef07a1f530 (patch) | |
| tree | 69590d36ec27f532fc522ff91c0e2a1f35f212ec /net/third_party | |
| parent | 1224ad1d7aacd8cd49d57571458700e8020d0fa4 (diff) | |
| download | chromium_src-08ba16f7dade0fc671cf014d1754cfef07a1f530.zip chromium_src-08ba16f7dade0fc671cf014d1754cfef07a1f530.tar.gz chromium_src-08ba16f7dade0fc671cf014d1754cfef07a1f530.tar.bz2 | |
Allow SSL_SecurityStatus, SSL_GetChannelInfo, and
SSL_HandshakeNegotiatedExtension to be called as soon as a false
start handshake is done.
R=agl
BUG=53366
TEST=Visit any HTTPS sites, especially sites with certificate
errors. The SSL InfoBubble should not say "your connection to
www.example.com is not encrypted."
Review URL: http://codereview.chromium.org/3233001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57691 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party')
| -rw-r--r-- | net/third_party/nss/README.chromium | 2 | ||||
| -rw-r--r-- | net/third_party/nss/patches/falsestart2.patch | 146 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslauth.c | 9 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslinfo.c | 10 | ||||
| -rw-r--r-- | net/third_party/nss/ssl/sslreveal.c | 14 |
5 files changed, 178 insertions, 3 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium index 4c4fb36..ce137bd 100644 --- a/net/third_party/nss/README.chromium +++ b/net/third_party/nss/README.chromium @@ -14,6 +14,8 @@ Patches: * False start support patches/falsestart.patch + patches/falsestart2.patch + https://bugzilla.mozilla.org/show_bug.cgi?id=525092 * Commenting out a couple of functions because they need NSS symbols which may not exist in the system NSS library. diff --git a/net/third_party/nss/patches/falsestart2.patch b/net/third_party/nss/patches/falsestart2.patch new file mode 100644 index 0000000..0449b68 --- /dev/null +++ b/net/third_party/nss/patches/falsestart2.patch @@ -0,0 +1,146 @@ +Index: mozilla/security/nss/lib/ssl/sslauth.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslauth.c,v +retrieving revision 1.16 +diff -p -u -8 -r1.16 sslauth.c +--- mozilla/security/nss/lib/ssl/sslauth.c 20 Apr 2006 00:20:45 -0000 1.16 ++++ mozilla/security/nss/lib/ssl/sslauth.c 27 Aug 2010 02:01:44 -0000 +@@ -87,16 +87,17 @@ SSL_LocalCertificate(PRFileDesc *fd) + /* NEED LOCKS IN HERE. */ + SECStatus + SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, + char **ip, char **sp) + { + sslSocket *ss; + const char *cipherName; + PRBool isDes = PR_FALSE; ++ PRBool enoughFirstHsDone = PR_FALSE; + + ss = ssl_FindSocket(fd); + if (!ss) { + SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus", + SSL_GETPID(), fd)); + return SECFailure; + } + +@@ -104,18 +105,24 @@ SSL_SecurityStatus(PRFileDesc *fd, int * + if (kp0) *kp0 = 0; + if (kp1) *kp1 = 0; + if (ip) *ip = 0; + if (sp) *sp = 0; + if (op) { + *op = SSL_SECURITY_STATUS_OFF; + } + +- if (ss->opt.useSecurity && ss->firstHsDone) { ++ if (ss->firstHsDone) { ++ enoughFirstHsDone = PR_TRUE; ++ } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 && ++ ssl3_CanFalseStart(ss)) { ++ enoughFirstHsDone = PR_TRUE; ++ } + ++ if (ss->opt.useSecurity && enoughFirstHsDone) { + if (ss->version < SSL_LIBRARY_VERSION_3_0) { + cipherName = ssl_cipherName[ss->sec.cipherType]; + } else { + cipherName = ssl3_cipherName[ss->sec.cipherType]; + } + PORT_Assert(cipherName); + if (cipherName) { + if (PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; +Index: mozilla/security/nss/lib/ssl/sslinfo.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslinfo.c,v +retrieving revision 1.23 +diff -p -u -8 -r1.23 sslinfo.c +--- mozilla/security/nss/lib/ssl/sslinfo.c 15 Jan 2010 01:49:33 -0000 1.23 ++++ mozilla/security/nss/lib/ssl/sslinfo.c 27 Aug 2010 02:01:44 -0000 +@@ -55,33 +55,41 @@ ssl_GetCompressionMethodName(SSLCompress + } + + SECStatus + SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) + { + sslSocket * ss; + SSLChannelInfo inf; + sslSessionID * sid; ++ PRBool enoughFirstHsDone = PR_FALSE; + + if (!info || len < sizeof inf.length) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + ss = ssl_FindSocket(fd); + if (!ss) { + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelInfo", + SSL_GETPID(), fd)); + return SECFailure; + } + + memset(&inf, 0, sizeof inf); + inf.length = PR_MIN(sizeof inf, len); + +- if (ss->opt.useSecurity && ss->firstHsDone) { ++ if (ss->firstHsDone) { ++ enoughFirstHsDone = PR_TRUE; ++ } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 && ++ ssl3_CanFalseStart(ss)) { ++ enoughFirstHsDone = PR_TRUE; ++ } ++ ++ if (ss->opt.useSecurity && enoughFirstHsDone) { + sid = ss->sec.ci.sid; + inf.protocolVersion = ss->version; + inf.authKeyBits = ss->sec.authKeyBits; + inf.keaKeyBits = ss->sec.keaKeyBits; + if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */ + inf.cipherSuite = ss->sec.cipherType | 0xff00; + inf.compressionMethod = ssl_compression_null; + inf.compressionMethodName = "N/A"; +Index: mozilla/security/nss/lib/ssl/sslreveal.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslreveal.c,v +retrieving revision 1.7 +diff -p -u -8 -r1.7 sslreveal.c +--- mozilla/security/nss/lib/ssl/sslreveal.c 4 Feb 2010 03:21:11 -0000 1.7 ++++ mozilla/security/nss/lib/ssl/sslreveal.c 27 Aug 2010 02:01:44 -0000 +@@ -106,24 +106,36 @@ SSL_RevealURL(PRFileDesc * fd) + SECStatus + SSL_HandshakeNegotiatedExtension(PRFileDesc * socket, + SSLExtensionType extId, + PRBool *pYes) + { + /* some decisions derived from SSL_GetChannelInfo */ + sslSocket * sslsocket = NULL; + SECStatus rv = SECFailure; ++ PRBool enoughFirstHsDone = PR_FALSE; + + if (!pYes) + return rv; + + sslsocket = ssl_FindSocket(socket); ++ if (!sslsocket) { ++ SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeNegotiatedExtension", ++ SSL_GETPID(), socket)); ++ return rv; ++ } ++ ++ if (sslsocket->firstHsDone) { ++ enoughFirstHsDone = PR_TRUE; ++ } else if (sslsocket->ssl3.initialized && ssl3_CanFalseStart(sslsocket)) { ++ enoughFirstHsDone = PR_TRUE; ++ } + + /* according to public API SSL_GetChannelInfo, this doesn't need a lock */ +- if (sslsocket && sslsocket->opt.useSecurity && sslsocket->firstHsDone) { ++ if (sslsocket->opt.useSecurity && enoughFirstHsDone) { + if (sslsocket->ssl3.initialized) { /* SSL3 and TLS */ + /* now we know this socket went through ssl3_InitState() and + * ss->xtnData got initialized, which is the only member accessed by + * ssl3_ExtensionNegotiated(); + * Member xtnData appears to get accessed in functions that handle + * the handshake (hello messages and extension sending), + * therefore the handshake lock should be sufficient. + */ diff --git a/net/third_party/nss/ssl/sslauth.c b/net/third_party/nss/ssl/sslauth.c index 742765c..39c630d 100644 --- a/net/third_party/nss/ssl/sslauth.c +++ b/net/third_party/nss/ssl/sslauth.c @@ -92,6 +92,7 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, sslSocket *ss; const char *cipherName; PRBool isDes = PR_FALSE; + PRBool enoughFirstHsDone = PR_FALSE; ss = ssl_FindSocket(fd); if (!ss) { @@ -109,8 +110,14 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, *op = SSL_SECURITY_STATUS_OFF; } - if (ss->opt.useSecurity && ss->firstHsDone) { + if (ss->firstHsDone) { + enoughFirstHsDone = PR_TRUE; + } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 && + ssl3_CanFalseStart(ss)) { + enoughFirstHsDone = PR_TRUE; + } + if (ss->opt.useSecurity && enoughFirstHsDone) { if (ss->version < SSL_LIBRARY_VERSION_3_0) { cipherName = ssl_cipherName[ss->sec.cipherType]; } else { diff --git a/net/third_party/nss/ssl/sslinfo.c b/net/third_party/nss/ssl/sslinfo.c index e4ee35f..c1c3fd7 100644 --- a/net/third_party/nss/ssl/sslinfo.c +++ b/net/third_party/nss/ssl/sslinfo.c @@ -60,6 +60,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) sslSocket * ss; SSLChannelInfo inf; sslSessionID * sid; + PRBool enoughFirstHsDone = PR_FALSE; if (!info || len < sizeof inf.length) { PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -76,7 +77,14 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) memset(&inf, 0, sizeof inf); inf.length = PR_MIN(sizeof inf, len); - if (ss->opt.useSecurity && ss->firstHsDone) { + if (ss->firstHsDone) { + enoughFirstHsDone = PR_TRUE; + } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 && + ssl3_CanFalseStart(ss)) { + enoughFirstHsDone = PR_TRUE; + } + + if (ss->opt.useSecurity && enoughFirstHsDone) { sid = ss->sec.ci.sid; inf.protocolVersion = ss->version; inf.authKeyBits = ss->sec.authKeyBits; diff --git a/net/third_party/nss/ssl/sslreveal.c b/net/third_party/nss/ssl/sslreveal.c index 74f8814..8941ff2 100644 --- a/net/third_party/nss/ssl/sslreveal.c +++ b/net/third_party/nss/ssl/sslreveal.c @@ -111,14 +111,26 @@ SSL_HandshakeNegotiatedExtension(PRFileDesc * socket, /* some decisions derived from SSL_GetChannelInfo */ sslSocket * sslsocket = NULL; SECStatus rv = SECFailure; + PRBool enoughFirstHsDone = PR_FALSE; if (!pYes) return rv; sslsocket = ssl_FindSocket(socket); + if (!sslsocket) { + SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeNegotiatedExtension", + SSL_GETPID(), socket)); + return rv; + } + + if (sslsocket->firstHsDone) { + enoughFirstHsDone = PR_TRUE; + } else if (sslsocket->ssl3.initialized && ssl3_CanFalseStart(sslsocket)) { + enoughFirstHsDone = PR_TRUE; + } /* according to public API SSL_GetChannelInfo, this doesn't need a lock */ - if (sslsocket && sslsocket->opt.useSecurity && sslsocket->firstHsDone) { + if (sslsocket->opt.useSecurity && enoughFirstHsDone) { if (sslsocket->ssl3.initialized) { /* SSL3 and TLS */ /* now we know this socket went through ssl3_InitState() and * ss->xtnData got initialized, which is the only member accessed by |