author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-30 20:25:19 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-30 20:25:19 +0000 |
commit | 4e4793913217b92577f0a0b80efd6377182bb8c3 (patch) | |
tree | ea2e4c71a8ef703d352b8ddc6a0c5b847f334e3e /net/third_party | |
parent | 7b8132a31af3037cb634f5aed088c2050e69197b (diff) | |
net: don't set NSS options in a callback.
Doing so causes debugger traps in debug mode due to the locks held at the time that the callback is made.
BUG=125299
TEST=none
Review URL: http://codereview.chromium.org/10221018
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@134584 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party')
-rw-r--r-- | net/third_party/nss/README.chromium | 6 | ||||
-rwxr-xr-x | net/third_party/nss/patches/applypatches.sh | 2 | ||||
-rw-r--r-- | net/third_party/nss/patches/falsestartnpn2.patch | 15 | ||||
-rw-r--r-- | net/third_party/nss/ssl/ssl3con.c | 4 |
4 files changed, 26 insertions, 1 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium index b5105a0..22e7a15 100644 --- a/net/third_party/nss/README.chromium +++ b/net/third_party/nss/README.chromium @@ -65,9 +65,13 @@ Patches: https://bugzilla.mozilla.org/show_bug.cgi?id=681065 patches/dtls.patch - * Enable False Start only when the server supports NPN. + * Enable False Start only when the server supports forward secrecy. patches/falsestartnpn.patch + * Enable False Start only when the server supports NPN. (Not for + upstreaming.) + patches/falsestartnpn2.patch + * Reject DH generators and public values equal to zero or one. patches/dhvalues.patch diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh index 55167bf..e3c00eb 100755 --- a/net/third_party/nss/patches/applypatches.sh +++ b/net/third_party/nss/patches/applypatches.sh @@ -38,4 +38,6 @@ patch -p4 < $patches_dir/dtls.patch patch -p5 < $patches_dir/falsestartnpn.patch +patch -p5 < $patches_dir/falsestartnpn2.patch + patch -p5 < $patches_dir/dhvalues.patch diff --git a/net/third_party/nss/patches/falsestartnpn2.patch b/net/third_party/nss/patches/falsestartnpn2.patch new file mode 100644 index 0000000..00b2934 --- /dev/null +++ b/net/third_party/nss/patches/falsestartnpn2.patch 
@@ -0,0 +1,15 @@ +diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c +index 5476fa5..1465558 100644 +--- a/net/third_party/nss/ssl/ssl3con.c ++++ b/net/third_party/nss/ssl/ssl3con.c +@@ -6108,6 +6108,10 @@ ssl3_CanFalseStart(sslSocket *ss) { + rv = ss->opt.enableFalseStart && + !ss->sec.isServer && + !ss->ssl3.hs.isResuming && ++ /* This check for NPN is performed here because we can't call ++ * SSL_HandshakeNegotiatedExtension in the auth callback because of ++ * lock ordering issues. See crbug.com/125299 */ ++ ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn) && + ss->ssl3.cwSpec && + + /* An attacker can control the selected ciphersuite so we only wish to diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c index 5476fa5..1465558 100644 --- a/net/third_party/nss/ssl/ssl3con.c +++ b/net/third_party/nss/ssl/ssl3con.c @@ -6108,6 +6108,10 @@ ssl3_CanFalseStart(sslSocket *ss) { rv = ss->opt.enableFalseStart && !ss->sec.isServer && !ss->ssl3.hs.isResuming && + /* This check for NPN is performed here because we can't call + * SSL_HandshakeNegotiatedExtension in the auth callback because of + * lock ordering issues. See crbug.com/125299 */ + ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn) && ss->ssl3.cwSpec && /* An attacker can control the selected ciphersuite so we only wish to |
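Review bot: The comment added above `ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)` in `ssl3_CanFalseStart` says why the test sits here but not what kind of test it is. At False Start time the server's Finished has not been verified, so the negotiated-extension list is as attacker-influenced as the cipher suite that the following context comment worries about; the NPN term appears to be a compatibility heuristic, with the cipher checks further down (outside this hunk) remaining the security gate. I would say so in the comment, e.g. `/* NPN is only a hint that the server tolerates False Start; it is unauthenticated here and must not replace the cipher checks below. */`. The term also makes NPN a hard precondition for every caller that sets `enableFalseStart`, which is worth stating next to the README's "(Not for upstreaming.)" entry. The same lines are carried in patches/falsestartnpn2.patch, so any wording change has to be made in both places.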