Chromium Code Reviews Chromium Code Reviews
Issue 9558017:
Update net/third_party/nss to NSS 3.13.3. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| Index: net/socket/ssl_client_socket_nss.cc |
| =================================================================== |
| --- net/socket/ssl_client_socket_nss.cc (revision 123842) |
| +++ net/socket/ssl_client_socket_nss.cc (working copy) |
| @@ -261,12 +261,13 @@ |
| explicit PeerCertificateChain(PRFileDesc* nss_fd) |
| : num_certs_(0), |
| certs_(NULL) { |
| - SECStatus rv = SSL_PeerCertificateChain(nss_fd, NULL, &num_certs_); |
| + SECStatus rv = SSL_PeerCertificateChain(nss_fd, NULL, &num_certs_, 0); |
| DCHECK_EQ(rv, SECSuccess); |
| certs_ = new CERTCertificate*[num_certs_]; |
| const unsigned expected_num_certs = num_certs_; |
| - rv = SSL_PeerCertificateChain(nss_fd, certs_, &num_certs_); |
| + rv = SSL_PeerCertificateChain(nss_fd, certs_, &num_certs_, |
| + expected_num_certs); |
| DCHECK_EQ(rv, SECSuccess); |
| DCHECK_EQ(num_certs_, expected_num_certs); |
| } |
| @@ -913,12 +914,12 @@ |
| LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_DEFLATE"); |
| #endif |
| -#ifdef SSL_ENABLE_FALSE_START |
| - rv = SSL_OptionSet( |
| - nss_fd_, SSL_ENABLE_FALSE_START, |
| + PRBool false_start_enabled = |
| ssl_config_.false_start_enabled && |
| !SSLConfigService::IsKnownFalseStartIncompatibleServer( |
| - host_and_port_.host())); |
| + host_and_port_.host()); |
| +#ifdef SSL_ENABLE_FALSE_START |
| + rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, false_start_enabled); |
| if (rv != SECSuccess) |
| LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START"); |
| #endif |
| @@ -937,13 +938,17 @@ |
| } |
| #endif // SSL_ENABLE_RENEGOTIATION |
| -#ifdef SSL_NEXT_PROTO_NEGOTIATED |
|
wtc
2012/03/02 23:06:17
In the NSS upstream, SSL_NEXT_PROTO_NEGOTIATED is
|
| if (!ssl_config_.next_protos.empty()) { |
| rv = SSL_SetNextProtoCallback( |
| nss_fd_, SSLClientSocketNSS::NextProtoCallback, this); |
| if (rv != SECSuccess) |
| LogFailedNSSFunction(net_log_, "SSL_SetNextProtoCallback", ""); |
| } |
| + |
| +#ifdef SSL_CBC_RANDOM_IV |
| + rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, false_start_enabled); |
|
wtc
2012/03/02 23:06:17
The SSL_CBC_RANDOM_IV option (SSL 1/n-1 record spl
|
| + if (rv != SECSuccess) |
| + LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV"); |
| #endif |
| #ifdef SSL_ENABLE_OCSP_STAPLING |
| @@ -1370,7 +1375,6 @@ |
| if (state.certs.empty()) |
| return true; |
| - SECStatus rv; |
| const std::vector<std::string>& certs_in = state.certs; |
| scoped_array<CERTCertificate*> certs(new CERTCertificate*[certs_in.size()]); |
| @@ -1389,11 +1393,16 @@ |
| } |
| } |
| + SECStatus rv; |
| +#ifdef SSL_ENABLE_CACHED_INFO |
|
wtc
2012/03/02 23:06:17
This ifdef is necessary because SSL_SetPredictedPe
|
| rv = SSL_SetPredictedPeerCertificates(nss_fd_, certs.get(), certs_in.size()); |
| + DCHECK_EQ(SECSuccess, rv); |
| +#else |
| + rv = SECFailure; // Not implemented. |
| +#endif |
| DestroyCertificates(&certs[0], certs_in.size()); |
| - DCHECK_EQ(SECSuccess, rv); |
| - return true; |
| + return rv == SECSuccess; |
| } |
| int SSLClientSocketNSS::DoLoadSSLHostInfo() { |
| @@ -2656,7 +2665,8 @@ |
| const unsigned char* protos, |
| unsigned int protos_len, |
| unsigned char* proto_out, |
| - unsigned int* proto_out_len) { |
| + unsigned int* proto_out_len, |
| + unsigned int proto_max_len) { |
| SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg); |
| // For each protocol in server preference, see if we support it. |
| @@ -2695,6 +2705,10 @@ |
| that->next_proto_ = that->ssl_config_.next_protos[0]; |
| } |
| + if (that->next_proto_.size() > proto_max_len) { |
| + PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
| + return SECFailure; |
| + } |
| memcpy(proto_out, that->next_proto_.data(), that->next_proto_.size()); |
| *proto_out_len = that->next_proto_.size(); |
| return SECSuccess; |
