net/socket/ssl_client_socket_nss.cc - Issue 27266002: Do not allow the server certificate to change in a renegotiation. - Code Review

Chromium Code Reviews

chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

(145)

My Issues | Starred Open | Closed | All

Unified Diff: net/socket/ssl_client_socket_nss.cc

Issue 27266002: Do not allow the server certificate to change in a renegotiation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: Created 7 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « net/socket/nss_ssl_util.cc ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: net/socket/ssl_client_socket_nss.cc

===================================================================

--- net/socket/ssl_client_socket_nss.cc (revision 228029)

+++ net/socket/ssl_client_socket_nss.cc (working copy)

@@ -1287,6 +1287,16 @@

// Start with it.

SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);

}

+ } else {

+ // Disallow the server certificate to change in a renegotiation.

wtc 2013/10/14 23:11:11 This can also be enforced by NSS.

+ CERTCertificate* old_cert = core->nss_handshake_state_.server_cert_chain[0];

+ CERTCertificate* new_cert = SSL_PeerCertificate(socket);

+ if (new_cert->derCert.len != old_cert->derCert.len ||

+ memcmp(new_cert->derCert.data, old_cert->derCert.data,

+ new_cert->derCert.len) != 0) {

+ PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);

+ return SECFailure;

+ }

}

// Tell NSS to not verify the certificate.

« no previous file with comments | « net/socket/nss_ssl_util.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine

This is Rietveld 408576698