Bug 466080 - Make more things honor the LOAD_ANONYMOUS flag r=sicking,MisterSSL, sr=sicking

bjarne@runitsoft.com 2009-02-17 14:06:52 -08:00
parent 2d69d8c702
commit e006a13751
10 changed files with 74 additions and 17 deletions


@ -150,6 +150,14 @@ interface nsISocketTransport : nsITransport
*/
const unsigned long BYPASS_CACHE = (1 << 0);
/**
* When setting this flag, the socket will not apply any
* credentials when establishing a connection. For example,
* an SSL connection would not send any client-certificates
* if this flag is set.
*/
const unsigned long ANONYMOUS_CONNECT = (1 << 1);
};
%{C++
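Review bot: The doc comment on `ANONYMOUS_CONNECT` promises that the socket "will not apply any credentials", which is broader than what this commit visibly enforces: the only effects shown are that the SSL layer clears the client-certificate hook and uses a separate session peer ID. I would narrow the wording to what is guaranteed, for example `Do not send SSL client certificates, and keep SSL session state separate from non-anonymous connections.`, so callers do not assume that proxy or other authentication is suppressed as well. The identical comment on `nsISocketProvider::ANONYMOUS_CONNECT` needs the same change. Since `BuildSocket` translates one constant into the other by hand, each comment should also name its counterpart.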


@ -1002,6 +1002,9 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, PRBool &proxyTransparent, PRBool
if (mProxyTransparentResolvesHost)
proxyFlags |= nsISocketProvider::PROXY_RESOLVES_HOST;
if (mConnectionFlags & nsISocketTransport::ANONYMOUS_CONNECT)
proxyFlags |= nsISocketProvider::ANONYMOUS_CONNECT;
nsCOMPtr<nsISupports> secinfo;
if (i == 0) {
@ -1026,7 +1029,7 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, PRBool &proxyTransparent, PRBool
proxyFlags, fd,
getter_AddRefs(secinfo));
}
proxyFlags = 0;
// proxyFlags = 0; not used below this point...
if (NS_FAILED(rv))
break;
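Review bot: The second hunk leaves the old statement behind as commented-out code, `// proxyFlags = 0; not used below this point...`; delete the line rather than keeping a dead statement. The `if (i == 0)` test suggests this body runs once per socket type inside a loop that is not visible in the hunk, in which case dropping the reset means `proxyFlags` now carries over between iterations. That looks harmless because both bits are re-derived from member state on every pass, but a short comment at the declaration, such as `// same flags are passed to every layer`, would make the intent explicit.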


@ -108,6 +108,10 @@ typedef PRUint8 nsHttpVersion;
// bypass the local DNS cache
#define NS_HTTP_REFRESH_DNS (1<<3)
// a transaction with this caps flag will not pass SSL client-certificates
// to the server (see bug #466080), but is may also be used for other things
#define NS_HTTP_LOAD_ANONYMOUS (1<<4)
//-----------------------------------------------------------------------------
// some default values
//-----------------------------------------------------------------------------
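Review bot: The comment on `NS_HTTP_LOAD_ANONYMOUS` has a typo ("but is may"), and "may also be used for other things" tells a reader nothing about the contract. Suggested wording: `// a transaction with this caps flag must not send SSL client certificates and must not share SSL session state with credentialed loads (bug 466080)`. Note also that `nsHttpConnection::CreateTransport` receives the caps as `PRUint8`, so bit 4 fits but only three bits remain before a new flag would be silently truncated.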


@ -673,6 +673,11 @@ nsHttpChannel::SetupTransaction()
return NS_ERROR_OUT_OF_MEMORY;
NS_ADDREF(mTransaction);
// See bug #466080. Transfer LOAD_ANONYMOUS flag to socket-layer.
if (mLoadFlags & LOAD_ANONYMOUS) {
mCaps |= NS_HTTP_LOAD_ANONYMOUS;
}
nsCOMPtr<nsIAsyncInputStream> responseStream;
rv = mTransaction->Init(mCaps, mConnectionInfo, &mRequestHead,
mUploadStream, mUploadStreamHasHeaders,
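Review bot: `mCaps |= NS_HTTP_LOAD_ANONYMOUS` only ever sets the bit, so once a channel has set it, a later call to `SetupTransaction` with `LOAD_ANONYMOUS` cleared from `mLoadFlags` would still build an anonymous transaction. Whether the load flags can change between calls (retry or auth-restart paths) is not visible in this hunk, and the failure direction is the safe one, but mirroring the flag both ways with `else { mCaps &= ~NS_HTTP_LOAD_ANONYMOUS; }` keeps the two in step. The comment would be more accurate as `// Transfer LOAD_ANONYMOUS to the transaction caps`, since the socket layer is only reached later through `CreateTransport`.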


@ -452,8 +452,14 @@ nsHttpConnection::CreateTransport(PRUint8 caps)
getter_AddRefs(strans));
if (NS_FAILED(rv)) return rv;
PRUint32 tmpFlags = 0;
if (caps & NS_HTTP_REFRESH_DNS)
strans->SetConnectionFlags(nsISocketTransport::BYPASS_CACHE);
tmpFlags = nsISocketTransport::BYPASS_CACHE;
if (caps & NS_HTTP_LOAD_ANONYMOUS)
tmpFlags |= nsISocketTransport::ANONYMOUS_CONNECT;
strans->SetConnectionFlags(tmpFlags);
// NOTE: these create cyclical references, which we break inside
// nsHttpConnection::Close
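Review bot: `ANONYMOUS_CONNECT` is applied only here, when a new socket transport is created, so nothing in this hunk prevents an anonymous transaction from reusing an already-open persistent connection that was established with a client certificate, or the reverse. Connection reuse is decided outside the visible code, so please confirm that idle connections are keyed on the anonymous bit as well as on host and port. The `anon:` peer ID partitions the SSL session cache, but that does not cover keep-alive reuse. A test that sends a credentialed request followed by a `LOAD_ANONYMOUS` request to the same origin would pin this down.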


@ -106,6 +106,15 @@ interface nsISocketProvider : nsISupports
* later connect et al. request.
*/
const long PROXY_RESOLVES_HOST = 1 << 0;
/**
* When setting this flag, the socket will not apply any
* credentials when establishing a connection. For example,
* an SSL connection would not send any client-certificates
* if this flag is set.
*/
const long ANONYMOUS_CONNECT = 1 << 1;
};
%{C++


@ -2004,14 +2004,15 @@ nsSSLIOLayerNewSocket(PRInt32 family,
PRInt32 proxyPort,
PRFileDesc **fd,
nsISupports** info,
PRBool forSTARTTLS)
PRBool forSTARTTLS,
PRBool anonymousLoad)
{
PRFileDesc* sock = PR_OpenTCPSocket(family);
if (!sock) return NS_ERROR_OUT_OF_MEMORY;
nsresult rv = nsSSLIOLayerAddToSocket(family, host, port, proxyHost, proxyPort,
sock, info, forSTARTTLS);
sock, info, forSTARTTLS, anonymousLoad);
if (NS_FAILED(rv)) {
PR_Close(sock);
return rv;
@ -3118,7 +3119,8 @@ nsNSSBadCertHandler(void *arg, PRFileDesc *sslSocket)
static PRFileDesc*
nsSSLIOLayerImportFD(PRFileDesc *fd,
nsNSSSocketInfo *infoObject,
const char *host)
const char *host,
PRBool anonymousLoad)
{
nsNSSShutDownPreventionLock locker;
PRFileDesc* sslSock = SSL_ImportFD(nsnull, fd);
@ -3128,9 +3130,15 @@ nsSSLIOLayerImportFD(PRFileDesc *fd,
}
SSL_SetPKCS11PinArg(sslSock, (nsIInterfaceRequestor*)infoObject);
SSL_HandshakeCallback(sslSock, HandshakeCallback, infoObject);
SSL_GetClientAuthDataHook(sslSock,
// Disable this hook if we connect anonymously. See bug 466080.
if (anonymousLoad) {
SSL_GetClientAuthDataHook(sslSock, NULL, infoObject);
} else {
SSL_GetClientAuthDataHook(sslSock,
(SSLGetClientAuthData)nsNSS_SSLGetClientAuthData,
infoObject);
}
SSL_AuthCertificateHook(sslSock, AuthCertificateCallback, 0);
PRInt32 ret = SSL_SetURL(sslSock, host);
@ -3149,7 +3157,7 @@ loser:
static nsresult
nsSSLIOLayerSetOptions(PRFileDesc *fd, PRBool forSTARTTLS,
const char *proxyHost, const char *host, PRInt32 port,
nsNSSSocketInfo *infoObject)
PRBool anonymousLoad, nsNSSSocketInfo *infoObject)
{
nsNSSShutDownPreventionLock locker;
if (forSTARTTLS || proxyHost) {
@ -3200,7 +3208,13 @@ nsSSLIOLayerSetOptions(PRFileDesc *fd, PRBool forSTARTTLS,
}
// Set the Peer ID so that SSL proxy connections work properly.
char *peerId = PR_smprintf("%s:%d", host, port);
char *peerId;
if (anonymousLoad) { // See bug #466080. Separate the caches.
peerId = PR_smprintf("anon:%s:%d", host, port);
} else {
peerId = PR_smprintf("%s:%d", host, port);
}
if (SECSuccess != SSL_SetSockPeerID(fd, peerId)) {
PR_smprintf_free(peerId);
return NS_ERROR_FAILURE;
@ -3218,7 +3232,8 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
PRInt32 proxyPort,
PRFileDesc* fd,
nsISupports** info,
PRBool forSTARTTLS)
PRBool forSTARTTLS,
PRBool anonymousLoad)
{
nsNSSShutDownPreventionLock locker;
PRFileDesc* layer = nsnull;
@ -3232,7 +3247,7 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
infoObject->SetHostName(host);
infoObject->SetPort(port);
PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host);
PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host, anonymousLoad);
if (!sslSock) {
NS_ASSERTION(PR_FALSE, "NSS: Error importing socket");
goto loser;
@ -3240,7 +3255,8 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
infoObject->SetFileDescPtr(sslSock);
rv = nsSSLIOLayerSetOptions(sslSock, forSTARTTLS, proxyHost, host, port,
rv = nsSSLIOLayerSetOptions(sslSock,
forSTARTTLS, proxyHost, host, port, anonymousLoad,
infoObject);
if (NS_FAILED(rv))
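Review bot: In the `nsSSLIOLayerSetOptions` hunk, `peerId` is passed to `SSL_SetSockPeerID` without a null check, although `PR_smprintf` returns null when allocation fails. For an anonymous load this matters more than before, because the `anon:` peer ID is what keeps its SSL session cache entries apart from credentialed ones. Add `if (!peerId) return NS_ERROR_OUT_OF_MEMORY;` before the call so the connection fails instead of possibly proceeding without the partition. In the `nsSSLIOLayerImportFD` hunk the return value of `SSL_GetClientAuthDataHook` is ignored in both branches; checking it against `SECSuccess` in the anonymous branch would confirm the hook was actually cleared. Both functions continue outside the hunks shown.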


@ -272,7 +272,8 @@ nsresult nsSSLIOLayerNewSocket(PRInt32 family,
PRInt32 proxyPort,
PRFileDesc **fd,
nsISupports **securityInfo,
PRBool forSTARTTLS);
PRBool forSTARTTLS,
PRBool anonymousLoad);
nsresult nsSSLIOLayerAddToSocket(PRInt32 family,
const char *host,
@ -281,7 +282,8 @@ nsresult nsSSLIOLayerAddToSocket(PRInt32 family,
PRInt32 proxyPort,
PRFileDesc *fd,
nsISupports **securityInfo,
PRBool forSTARTTLS);
PRBool forSTARTTLS,
PRBool anonymousLoad);
nsresult nsSSLIOLayerFreeTLSIntolerantSites();
nsresult displayUnknownCertErrorAlert(nsNSSSocketInfo *infoObject, int error);


@ -68,7 +68,8 @@ nsSSLSocketProvider::NewSocket(PRInt32 family,
proxyPort,
_result,
securityInfo,
PR_FALSE);
PR_FALSE,
flags & ANONYMOUS_CONNECT);
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
}
@ -90,7 +91,8 @@ nsSSLSocketProvider::AddToSocket(PRInt32 family,
proxyPort,
aSocket,
securityInfo,
PR_FALSE);
PR_FALSE,
flags & ANONYMOUS_CONNECT);
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
}
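Review bot: `flags & ANONYMOUS_CONNECT` is passed as a `PRBool` argument, but the mask yields 0 or 2, never `PR_TRUE`. The callee shown in this commit only tests it with `if (anonymousLoad)`, so it works today, but a later `== PR_TRUE` comparison or a store into a one-bit field would misbehave. Write `(flags & ANONYMOUS_CONNECT) != 0` in both `NewSocket` and `AddToSocket`. The same expression appears in the two `nsTLSSocketProvider` hunks and should be changed there too.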


@ -68,7 +68,8 @@ nsTLSSocketProvider::NewSocket(PRInt32 family,
proxyPort,
_result,
securityInfo,
PR_TRUE);
PR_TRUE,
flags & ANONYMOUS_CONNECT);
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
}
@ -91,7 +92,8 @@ nsTLSSocketProvider::AddToSocket(PRInt32 family,
proxyPort,
aSocket,
securityInfo,
PR_TRUE);
PR_TRUE,
flags & ANONYMOUS_CONNECT);
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
}