diff options
author | Andras Becsi <andras.becsi@digia.com> | 2013-12-11 21:33:03 +0100 |
---|---|---|
committer | Andras Becsi <andras.becsi@digia.com> | 2013-12-13 12:34:07 +0100 |
commit | f2a33ff9cbc6d19943f1c7fbddd1f23d23975577 (patch) | |
tree | 0586a32aa390ade8557dfd6b4897f43a07449578 /chromium/net/socket/ssl_client_socket_nss.cc | |
parent | 5362912cdb5eea702b68ebe23702468d17c3017a (diff) | |
download | qtwebengine-chromium-f2a33ff9cbc6d19943f1c7fbddd1f23d23975577.tar.gz |
Update Chromium to branch 1650 (31.0.1650.63)
Change-Id: I57d8c832eaec1eb2364e0a8e7352a6dd354db99f
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Diffstat (limited to 'chromium/net/socket/ssl_client_socket_nss.cc')
-rw-r--r-- | chromium/net/socket/ssl_client_socket_nss.cc | 42 |
1 files changed, 26 insertions, 16 deletions
diff --git a/chromium/net/socket/ssl_client_socket_nss.cc b/chromium/net/socket/ssl_client_socket_nss.cc index f374dedcf80..0de7cfb9060 100644 --- a/chromium/net/socket/ssl_client_socket_nss.cc +++ b/chromium/net/socket/ssl_client_socket_nss.cc @@ -380,20 +380,16 @@ void PeerCertificateChain::Reset(PRFileDesc* nss_fd) { if (nss_fd == NULL) return; - unsigned int num_certs = 0; - SECStatus rv = SSL_PeerCertificateChain(nss_fd, NULL, &num_certs, 0); - DCHECK_EQ(SECSuccess, rv); - + CERTCertList* list = SSL_PeerCertificateChain(nss_fd); // The handshake on |nss_fd| may not have completed. - if (num_certs == 0) + if (list == NULL) return; - certs_.resize(num_certs); - const unsigned int expected_num_certs = num_certs; - rv = SSL_PeerCertificateChain(nss_fd, vector_as_array(&certs_), - &num_certs, expected_num_certs); - DCHECK_EQ(SECSuccess, rv); - DCHECK_EQ(expected_num_certs, num_certs); + for (CERTCertListNode* node = CERT_LIST_HEAD(list); + !CERT_LIST_END(node, list); node = CERT_LIST_NEXT(node)) { + certs_.push_back(CERT_DupCertificate(node->cert)); + } + CERT_DestroyCertList(list); } std::vector<base::StringPiece> @@ -1291,6 +1287,19 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler( // Start with it. SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE); } + } else { + // Disallow the server certificate to change in a renegotiation. + CERTCertificate* old_cert = core->nss_handshake_state_.server_cert_chain[0]; + ScopedCERTCertificate new_cert(SSL_PeerCertificate(socket)); + if (new_cert->derCert.len != old_cert->derCert.len || + memcmp(new_cert->derCert.data, old_cert->derCert.data, + new_cert->derCert.len) != 0) { + // NSS doesn't have an error code that indicates the server certificate + // changed. Borrow SSL_ERROR_WRONG_CERTIFICATE (which NSS isn't using) + // for this purpose. + PORT_SetError(SSL_ERROR_WRONG_CERTIFICATE); + return SECFailure; + } } // Tell NSS to not verify the certificate. @@ -2598,7 +2607,7 @@ int SSLClientSocketNSS::Core::DoGetDomainBoundCert(const std::string& host) { weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT); - int rv = server_bound_cert_service_->GetDomainBoundCert( + int rv = server_bound_cert_service_->GetOrCreateDomainBoundCert( host, &domain_bound_private_key_, &domain_bound_cert_, @@ -2751,12 +2760,12 @@ void SSLClientSocketNSS::Core::SetChannelIDProvided() { SSLClientSocketNSS::SSLClientSocketNSS( base::SequencedTaskRunner* nss_task_runner, - ClientSocketHandle* transport_socket, + scoped_ptr<ClientSocketHandle> transport_socket, const HostPortPair& host_and_port, const SSLConfig& ssl_config, const SSLClientSocketContext& context) : nss_task_runner_(nss_task_runner), - transport_(transport_socket), + transport_(transport_socket.Pass()), host_and_port_(host_and_port), ssl_config_(ssl_config), cert_verifier_(context.cert_verifier), @@ -2765,7 +2774,7 @@ SSLClientSocketNSS::SSLClientSocketNSS( completed_handshake_(false), next_handshake_state_(STATE_NONE), nss_fd_(NULL), - net_log_(transport_socket->socket()->NetLog()), + net_log_(transport_->socket()->NetLog()), transport_security_state_(context.transport_security_state), valid_thread_id_(base::kInvalidThreadId) { EnterFunction(""); @@ -3141,7 +3150,8 @@ int SSLClientSocketNSS::InitializeSSLOptions() { net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS"); } - rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, PR_FALSE); + rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, + ssl_config_.false_start_enabled); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START"); |