base/nss_init.cc - Issue 11249: Fix several cert problems on Linux (take 2)

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: base/nss_init.cc

Issue 11249: Fix several cert problems on Linux (take 2) (Closed) Base URL: svn://chrome-svn/chrome/trunk/src/

Patch Set: '' Created 12 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: base/nss_init.cc

===================================================================

--- base/nss_init.cc (revision 6192)

+++ base/nss_init.cc (working copy)

@@ -9,31 +9,76 @@

// Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424

// until NSS 3.12.2 comes out and we update to it.

#define Lock FOO_NSS_Lock

+#include <secmod.h>

#include <ssl.h>

#undef Lock

+#include "base/file_util.h"

#include "base/logging.h"

#include "base/singleton.h"

namespace {

+// Load nss's built-in root certs.

+SECMODModule *InitDefaultRootCerts() {

+ const char* kModulePath = "libnssckbi.so";

wtc 2008/12/02 02:10:39 Why can you get rid of the possible_locations arra

+ char modparams[1024];

+ snprintf(modparams, sizeof(modparams),

+ "name=\"Root Certs\" library=\"%s\"", kModulePath);

+ SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE);

+ if (root)

+ return root;

+ // Aw, snap. Can't find/load root cert shared library.

+ // This will make it hard to talk to anybody via https.

+ NOTREACHED();

+ return NULL;

class NSSInitSingleton {

public:

NSSInitSingleton() {

+ // Initialize without using a persistant database (e.g. ~/.netscape)

CHECK(NSS_NoDB_Init(".") == SECSuccess);

- // Enable ciphers

+ root_ = InitDefaultRootCerts();

NSS_SetDomesticPolicy();

+ // Explicitly enable exactly those ciphers with keys of at least 80 bits

+ for (int i = 0; i < SSL_NumImplementedCiphers; i++) {

+ SSLCipherSuiteInfo info;

+ if (SSL_GetCipherSuiteInfo(SSL_ImplementedCiphers[i], &info,

+ sizeof(info)) == SECSuccess) {

+ SSL_CipherPrefSetDefault(SSL_ImplementedCiphers[i],

+ (info.effectiveKeyBits >= 80));

+ }

// Enable SSL

SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);

+ // All other SSL options are set per-session by SSLClientSocket

}

~NSSInitSingleton() {

+ if (root_) {

+ SECMOD_UnloadUserModule(root_);

+ SECMOD_DestroyModule(root_);

+ root_ = NULL;

+ }

// Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY

SSL_ClearSessionCache();

SECStatus status = NSS_Shutdown();

- DCHECK(status == SECSuccess);

+ if (status != SECSuccess)

+ LOG(ERROR) << "NSS_Shutdown failed, leak? See "

+ "http://code.google.com/p/chromium/issues/detail?id=4609";

}

+ private:

+ SECMODModule *root_;

};

} // namespace

« no previous file with comments | « no previous file | net/base/ssl_client_socket_nss.h » ('j') | no next file with comments »