Update Chromium to branch 1650 (31.0.1650.63)

Change-Id: I57d8c832eaec1eb2364e0a8e7352a6dd354db99f Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
author: Andras Becsi <andras.becsi@digia.com> 2013-12-11 21:33:03 +0100
committer: Andras Becsi <andras.becsi@digia.com> 2013-12-13 12:34:07 +0100
commit: f2a33ff9cbc6d19943f1c7fbddd1f23d23975577 (patch)
tree: 0586a32aa390ade8557dfd6b4897f43a07449578 /chromium/net/socket/ssl_client_socket_nss.cc
parent: 5362912cdb5eea702b68ebe23702468d17c3017a (diff)
download: qtwebengine-chromium-f2a33ff9cbc6d19943f1c7fbddd1f23d23975577.tar.gz
1 files changed, 26 insertions, 16 deletions
diff --git a/chromium/net/socket/ssl_client_socket_nss.cc b/chromium/net/socket/ssl_client_socket_nss.cc
index f374dedcf80..0de7cfb9060 100644
--- a/chromium/net/socket/ssl_client_socket_nss.cc
+++ b/chromium/net/socket/ssl_client_socket_nss.cc
@@ -380,20 +380,16 @@ void PeerCertificateChain::Reset(PRFileDesc* nss_fd) {
   if (nss_fd == NULL)
     return;
 
-  unsigned int num_certs = 0;
-  SECStatus rv = SSL_PeerCertificateChain(nss_fd, NULL, &num_certs, 0);
-  DCHECK_EQ(SECSuccess, rv);
-
+  CERTCertList* list = SSL_PeerCertificateChain(nss_fd);
   // The handshake on |nss_fd| may not have completed.
-  if (num_certs == 0)
+  if (list == NULL)
     return;
 
-  certs_.resize(num_certs);
-  const unsigned int expected_num_certs = num_certs;
-  rv = SSL_PeerCertificateChain(nss_fd, vector_as_array(&certs_),
-                                &num_certs, expected_num_certs);
-  DCHECK_EQ(SECSuccess, rv);
-  DCHECK_EQ(expected_num_certs, num_certs);
+  for (CERTCertListNode* node = CERT_LIST_HEAD(list);
+       !CERT_LIST_END(node, list); node = CERT_LIST_NEXT(node)) {
+    certs_.push_back(CERT_DupCertificate(node->cert));
+  }
+  CERT_DestroyCertList(list);
 }
 
 std::vector<base::StringPiece>
@@ -1291,6 +1287,19 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
       // Start with it.
       SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);
     }
+  } else {
+    // Disallow the server certificate to change in a renegotiation.
+    CERTCertificate* old_cert = core->nss_handshake_state_.server_cert_chain[0];
+    ScopedCERTCertificate new_cert(SSL_PeerCertificate(socket));
+    if (new_cert->derCert.len != old_cert->derCert.len ||
+        memcmp(new_cert->derCert.data, old_cert->derCert.data,
+               new_cert->derCert.len) != 0) {
+      // NSS doesn't have an error code that indicates the server certificate
+      // changed. Borrow SSL_ERROR_WRONG_CERTIFICATE (which NSS isn't using)
+      // for this purpose.
+      PORT_SetError(SSL_ERROR_WRONG_CERTIFICATE);
+      return SECFailure;
+    }
   }
 
   // Tell NSS to not verify the certificate.
@@ -2598,7 +2607,7 @@ int SSLClientSocketNSS::Core::DoGetDomainBoundCert(const std::string& host) {
 
   weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT);
 
-  int rv = server_bound_cert_service_->GetDomainBoundCert(
+  int rv = server_bound_cert_service_->GetOrCreateDomainBoundCert(
       host,
       &domain_bound_private_key_,
       &domain_bound_cert_,
@@ -2751,12 +2760,12 @@ void SSLClientSocketNSS::Core::SetChannelIDProvided() {
 
 SSLClientSocketNSS::SSLClientSocketNSS(
     base::SequencedTaskRunner* nss_task_runner,
-    ClientSocketHandle* transport_socket,
+    scoped_ptr<ClientSocketHandle> transport_socket,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
     const SSLClientSocketContext& context)
     : nss_task_runner_(nss_task_runner),
-      transport_(transport_socket),
+      transport_(transport_socket.Pass()),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       cert_verifier_(context.cert_verifier),
@@ -2765,7 +2774,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(
       completed_handshake_(false),
       next_handshake_state_(STATE_NONE),
       nss_fd_(NULL),
-      net_log_(transport_socket->socket()->NetLog()),
+      net_log_(transport_->socket()->NetLog()),
       transport_security_state_(context.transport_security_state),
       valid_thread_id_(base::kInvalidThreadId) {
   EnterFunction("");
@@ -3141,7 +3150,8 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
         net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
   }
 
-  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, PR_FALSE);
+  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START,
+                     ssl_config_.false_start_enabled);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
author	Andras Becsi <andras.becsi@digia.com>	2013-12-11 21:33:03 +0100
committer	Andras Becsi <andras.becsi@digia.com>	2013-12-13 12:34:07 +0100
commit	f2a33ff9cbc6d19943f1c7fbddd1f23d23975577 (patch)
tree	0586a32aa390ade8557dfd6b4897f43a07449578 /chromium/net/socket/ssl_client_socket_nss.cc
parent	5362912cdb5eea702b68ebe23702468d17c3017a (diff)
download	qtwebengine-chromium-f2a33ff9cbc6d19943f1c7fbddd1f23d23975577.tar.gz