Bug 466080 - Make more things honor the LOAD_ANONYMOUS flag r=sicking,MisterSSL, sr=sicking
This commit is contained in:
parent
2d69d8c702
commit
e006a13751
@ -150,6 +150,14 @@ interface nsISocketTransport : nsITransport
|
||||
*/
|
||||
const unsigned long BYPASS_CACHE = (1 << 0);
|
||||
|
||||
/**
|
||||
* When setting this flag, the socket will not apply any
|
||||
* credentials when establishing a connection. For example,
|
||||
* an SSL connection would not send any client-certificates
|
||||
* if this flag is set.
|
||||
*/
|
||||
const unsigned long ANONYMOUS_CONNECT = (1 << 1);
|
||||
|
||||
};
|
||||
|
||||
%{C++
|
||||
|
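Review bot: The new ANONYMOUS_CONNECT comment promises that the socket "will not apply any credentials", which is broader than what the provider-side hunks of this commit implement: as far as the visible changes go, the flag disables the NSS client-certificate hook and gives the connection a separate SSL session-cache peer ID, while the PKCS#11 pin callback is still installed. Callers of a security flag will rely on the documented contract, so I would scope the wording to what is enforced, e.g. `* When set, the socket layer must not present stored credentials to the peer: for TLS no client certificate is offered and the SSL session cache is not shared with non-anonymous connections.` It is also worth stating that the flag has to be set before the connection is established, since BuildSocket reads mConnectionFlags only when it creates the socket.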
@ -1002,6 +1002,9 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, PRBool &proxyTransparent, PRBool
|
||||
|
||||
if (mProxyTransparentResolvesHost)
|
||||
proxyFlags |= nsISocketProvider::PROXY_RESOLVES_HOST;
|
||||
|
||||
if (mConnectionFlags & nsISocketTransport::ANONYMOUS_CONNECT)
|
||||
proxyFlags |= nsISocketProvider::ANONYMOUS_CONNECT;
|
||||
|
||||
nsCOMPtr<nsISupports> secinfo;
|
||||
if (i == 0) {
|
||||
@ -1026,7 +1029,7 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, PRBool &proxyTransparent, PRBool
|
||||
proxyFlags, fd,
|
||||
getter_AddRefs(secinfo));
|
||||
}
|
||||
proxyFlags = 0;
|
||||
// proxyFlags = 0; not used below this point...
|
||||
if (NS_FAILED(rv))
|
||||
break;
|
||||
|
||||
|
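Review bot: Replacing the `proxyFlags = 0;` reset with a commented-out copy of it leaves dead text in the function; either delete the line outright or keep the reset. The declaration of proxyFlags is outside this hunk, so I cannot tell whether it is per-iteration; if it is declared once for the whole provider loop, dropping the reset means the PROXY_RESOLVES_HOST and ANONYMOUS_CONNECT bits OR-ed in for provider i carry over to provider i+1 — harmless today because the same member state re-derives them, but fragile if a per-provider flag is ever added. If the reset really is redundant, a one-line `// proxyFlags is recomputed at the top of each iteration` says why without carrying the old statement around. BuildSocket continues outside the hunk on both sides.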
@ -108,6 +108,10 @@ typedef PRUint8 nsHttpVersion;
|
||||
// bypass the local DNS cache
|
||||
#define NS_HTTP_REFRESH_DNS (1<<3)
|
||||
|
||||
// a transaction with this caps flag will not pass SSL client-certificates
|
||||
// to the server (see bug #466080), but is may also be used for other things
|
||||
#define NS_HTTP_LOAD_ANONYMOUS (1<<4)
|
||||
|
||||
//-----------------------------------------------------------------------------
|
||||
// some default values
|
||||
//-----------------------------------------------------------------------------
|
||||
|
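Review bot: The NS_HTTP_LOAD_ANONYMOUS comment has a typo (`but is may also be used` should read `but it may also be used`) and the trailing "for other things" leaves a security-relevant cap underspecified. I would state the concrete effect this commit gives it: `// a transaction with this caps flag is sent over a socket opened with nsISocketTransport::ANONYMOUS_CONNECT: no SSL client certificate is presented and the SSL session cache is kept separate (bug #466080)`. If other credential types (cookies, HTTP auth) are meant to be handled by the LOAD_ANONYMOUS load flag at the channel layer rather than by this cap, saying so here stops readers from assuming the cap alone makes a request anonymous.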
@ -673,6 +673,11 @@ nsHttpChannel::SetupTransaction()
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
NS_ADDREF(mTransaction);
|
||||
|
||||
// See bug #466080. Transfer LOAD_ANONYMOUS flag to socket-layer.
|
||||
if (mLoadFlags & LOAD_ANONYMOUS) {
|
||||
mCaps |= NS_HTTP_LOAD_ANONYMOUS;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIAsyncInputStream> responseStream;
|
||||
rv = mTransaction->Init(mCaps, mConnectionInfo, &mRequestHead,
|
||||
mUploadStream, mUploadStreamHasHeaders,
|
||||
|
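Review bot: Copying LOAD_ANONYMOUS into mCaps controls how a new socket is built, but nothing in this hunk keys connection reuse on it; if the nsHttpConnectionInfo hash key used for pooling does not include the anonymous bit (not visible here), the connection manager may dispatch an anonymous transaction onto an existing keep-alive connection that already presented a client certificate, or a credentialed transaction onto an anonymous one, and the peer-ID separation added in the NSS layer does not help because no new handshake occurs. Please confirm the connection info used for pooling incorporates this flag, and record the dependency here, e.g. `// NOTE: connection reuse must also be keyed on this flag; an anonymous transaction must never be dispatched onto a connection that has presented a client cert.` SetupTransaction continues outside the hunk.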
@ -452,8 +452,14 @@ nsHttpConnection::CreateTransport(PRUint8 caps)
|
||||
getter_AddRefs(strans));
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
PRUint32 tmpFlags = 0;
|
||||
if (caps & NS_HTTP_REFRESH_DNS)
|
||||
strans->SetConnectionFlags(nsISocketTransport::BYPASS_CACHE);
|
||||
tmpFlags = nsISocketTransport::BYPASS_CACHE;
|
||||
|
||||
if (caps & NS_HTTP_LOAD_ANONYMOUS)
|
||||
tmpFlags |= nsISocketTransport::ANONYMOUS_CONNECT;
|
||||
|
||||
strans->SetConnectionFlags(tmpFlags);
|
||||
|
||||
// NOTE: these create cyclical references, which we break inside
|
||||
// nsHttpConnection::Close
|
||||
|
@ -106,6 +106,15 @@ interface nsISocketProvider : nsISupports
|
||||
* later connect et al. request.
|
||||
*/
|
||||
const long PROXY_RESOLVES_HOST = 1 << 0;
|
||||
|
||||
/**
|
||||
* When setting this flag, the socket will not apply any
|
||||
* credentials when establishing a connection. For example,
|
||||
* an SSL connection would not send any client-certificates
|
||||
* if this flag is set.
|
||||
*/
|
||||
const long ANONYMOUS_CONNECT = 1 << 1;
|
||||
|
||||
};
|
||||
|
||||
%{C++
|
||||
|
@ -2004,14 +2004,15 @@ nsSSLIOLayerNewSocket(PRInt32 family,
|
||||
PRInt32 proxyPort,
|
||||
PRFileDesc **fd,
|
||||
nsISupports** info,
|
||||
PRBool forSTARTTLS)
|
||||
PRBool forSTARTTLS,
|
||||
PRBool anonymousLoad)
|
||||
{
|
||||
|
||||
PRFileDesc* sock = PR_OpenTCPSocket(family);
|
||||
if (!sock) return NS_ERROR_OUT_OF_MEMORY;
|
||||
|
||||
nsresult rv = nsSSLIOLayerAddToSocket(family, host, port, proxyHost, proxyPort,
|
||||
sock, info, forSTARTTLS);
|
||||
sock, info, forSTARTTLS, anonymousLoad);
|
||||
if (NS_FAILED(rv)) {
|
||||
PR_Close(sock);
|
||||
return rv;
|
||||
@ -3118,7 +3119,8 @@ nsNSSBadCertHandler(void *arg, PRFileDesc *sslSocket)
|
||||
static PRFileDesc*
|
||||
nsSSLIOLayerImportFD(PRFileDesc *fd,
|
||||
nsNSSSocketInfo *infoObject,
|
||||
const char *host)
|
||||
const char *host,
|
||||
PRBool anonymousLoad)
|
||||
{
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
PRFileDesc* sslSock = SSL_ImportFD(nsnull, fd);
|
||||
@ -3128,9 +3130,15 @@ nsSSLIOLayerImportFD(PRFileDesc *fd,
|
||||
}
|
||||
SSL_SetPKCS11PinArg(sslSock, (nsIInterfaceRequestor*)infoObject);
|
||||
SSL_HandshakeCallback(sslSock, HandshakeCallback, infoObject);
|
||||
SSL_GetClientAuthDataHook(sslSock,
|
||||
|
||||
// Disable this hook if we connect anonymously. See bug 466080.
|
||||
if (anonymousLoad) {
|
||||
SSL_GetClientAuthDataHook(sslSock, NULL, infoObject);
|
||||
} else {
|
||||
SSL_GetClientAuthDataHook(sslSock,
|
||||
(SSLGetClientAuthData)nsNSS_SSLGetClientAuthData,
|
||||
infoObject);
|
||||
}
|
||||
SSL_AuthCertificateHook(sslSock, AuthCertificateCallback, 0);
|
||||
|
||||
PRInt32 ret = SSL_SetURL(sslSock, host);
|
||||
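Review bot: The anonymous branch at `SSL_GetClientAuthDataHook(sslSock, NULL, infoObject)` relies on NSS's behaviour when no client-auth callback is installed — presumably answering a CertificateRequest with an empty certificate list so that servers which require client auth fail the handshake instead of receiving a stored identity; that is the intended outcome, but it should be recorded, since a reader may assume NULL means "use the NSS default picker". The SECStatus returned by both SSL_GetClientAuthDataHook calls is still discarded (a pre-existing pattern), which for the anonymous case means a failure to clear the hook would silently leave client-certificate selection active. I would fail the import on SECFailure and expand the comment to `// Anonymous loads must never present a client certificate: install no client-auth callback so NSS answers CertificateRequest without an identity (bug 466080).` nsSSLIOLayerImportFD continues outside the hunk.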
@ -3149,7 +3157,7 @@ loser:
|
||||
static nsresult
|
||||
nsSSLIOLayerSetOptions(PRFileDesc *fd, PRBool forSTARTTLS,
|
||||
const char *proxyHost, const char *host, PRInt32 port,
|
||||
nsNSSSocketInfo *infoObject)
|
||||
PRBool anonymousLoad, nsNSSSocketInfo *infoObject)
|
||||
{
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
if (forSTARTTLS || proxyHost) {
|
||||
@ -3200,7 +3208,13 @@ nsSSLIOLayerSetOptions(PRFileDesc *fd, PRBool forSTARTTLS,
|
||||
}
|
||||
|
||||
// Set the Peer ID so that SSL proxy connections work properly.
|
||||
char *peerId = PR_smprintf("%s:%d", host, port);
|
||||
char *peerId;
|
||||
if (anonymousLoad) { // See bug #466080. Separate the caches.
|
||||
peerId = PR_smprintf("anon:%s:%d", host, port);
|
||||
} else {
|
||||
peerId = PR_smprintf("%s:%d", host, port);
|
||||
}
|
||||
|
||||
if (SECSuccess != SSL_SetSockPeerID(fd, peerId)) {
|
||||
PR_smprintf_free(peerId);
|
||||
return NS_ERROR_FAILURE;
|
||||
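Review bot: Neither PR_smprintf call in the new branch is checked for NULL before `SSL_SetSockPeerID(fd, peerId)`; if NSS treats a NULL peer ID as "clear the peer ID" (I believe it does, but confirm against the in-tree NSS), an allocation failure on an anonymous load would silently put the connection back into the shared session cache, defeating the separation this hunk adds. Add `if (!peerId) return NS_ERROR_OUT_OF_MEMORY;` before the SSL_SetSockPeerID call. The two branches can also collapse to a single format, `peerId = PR_smprintf("%s%s:%d", anonymousLoad ? "anon:" : "", host, port);`, which keeps both cache keys in one place and makes the prefix obvious. nsSSLIOLayerSetOptions continues outside the hunk.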
@ -3218,7 +3232,8 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
|
||||
PRInt32 proxyPort,
|
||||
PRFileDesc* fd,
|
||||
nsISupports** info,
|
||||
PRBool forSTARTTLS)
|
||||
PRBool forSTARTTLS,
|
||||
PRBool anonymousLoad)
|
||||
{
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
PRFileDesc* layer = nsnull;
|
||||
@ -3232,7 +3247,7 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
|
||||
infoObject->SetHostName(host);
|
||||
infoObject->SetPort(port);
|
||||
|
||||
PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host);
|
||||
PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host, anonymousLoad);
|
||||
if (!sslSock) {
|
||||
NS_ASSERTION(PR_FALSE, "NSS: Error importing socket");
|
||||
goto loser;
|
||||
@ -3240,7 +3255,8 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
|
||||
|
||||
infoObject->SetFileDescPtr(sslSock);
|
||||
|
||||
rv = nsSSLIOLayerSetOptions(sslSock, forSTARTTLS, proxyHost, host, port,
|
||||
rv = nsSSLIOLayerSetOptions(sslSock,
|
||||
forSTARTTLS, proxyHost, host, port, anonymousLoad,
|
||||
infoObject);
|
||||
|
||||
if (NS_FAILED(rv))
|
||||
|
@ -272,7 +272,8 @@ nsresult nsSSLIOLayerNewSocket(PRInt32 family,
|
||||
PRInt32 proxyPort,
|
||||
PRFileDesc **fd,
|
||||
nsISupports **securityInfo,
|
||||
PRBool forSTARTTLS);
|
||||
PRBool forSTARTTLS,
|
||||
PRBool anonymousLoad);
|
||||
|
||||
nsresult nsSSLIOLayerAddToSocket(PRInt32 family,
|
||||
const char *host,
|
||||
@ -281,7 +282,8 @@ nsresult nsSSLIOLayerAddToSocket(PRInt32 family,
|
||||
PRInt32 proxyPort,
|
||||
PRFileDesc *fd,
|
||||
nsISupports **securityInfo,
|
||||
PRBool forSTARTTLS);
|
||||
PRBool forSTARTTLS,
|
||||
PRBool anonymousLoad);
|
||||
|
||||
nsresult nsSSLIOLayerFreeTLSIntolerantSites();
|
||||
nsresult displayUnknownCertErrorAlert(nsNSSSocketInfo *infoObject, int error);
|
||||
|
@ -68,7 +68,8 @@ nsSSLSocketProvider::NewSocket(PRInt32 family,
|
||||
proxyPort,
|
||||
_result,
|
||||
securityInfo,
|
||||
PR_FALSE);
|
||||
PR_FALSE,
|
||||
flags & ANONYMOUS_CONNECT);
|
||||
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
|
||||
}
|
||||
|
||||
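Review bot: `flags & ANONYMOUS_CONNECT` is passed where a PRBool is expected, so the callee receives the raw bit value (2, given `1 << 1`) rather than PR_TRUE; the current `if (anonymousLoad)` tests tolerate that, but any future `== PR_TRUE` comparison or packing into a one-bit field would silently treat the anonymous case as false. Normalize at the boundary, `(flags & ANONYMOUS_CONNECT) != 0`, here and in the three sibling NewSocket/AddToSocket call sites changed by this commit. A short comment that this is nsISocketProvider's flag, deliberately translated from nsISocketTransport's in BuildSocket, would also stop readers from assuming the two flag spaces are interchangeable just because the values currently coincide.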
@ -90,7 +91,8 @@ nsSSLSocketProvider::AddToSocket(PRInt32 family,
|
||||
proxyPort,
|
||||
aSocket,
|
||||
securityInfo,
|
||||
PR_FALSE);
|
||||
PR_FALSE,
|
||||
flags & ANONYMOUS_CONNECT);
|
||||
|
||||
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
|
||||
}
|
||||
|
@ -68,7 +68,8 @@ nsTLSSocketProvider::NewSocket(PRInt32 family,
|
||||
proxyPort,
|
||||
_result,
|
||||
securityInfo,
|
||||
PR_TRUE);
|
||||
PR_TRUE,
|
||||
flags & ANONYMOUS_CONNECT);
|
||||
|
||||
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
|
||||
}
|
||||
@ -91,7 +92,8 @@ nsTLSSocketProvider::AddToSocket(PRInt32 family,
|
||||
proxyPort,
|
||||
aSocket,
|
||||
securityInfo,
|
||||
PR_TRUE);
|
||||
PR_TRUE,
|
||||
flags & ANONYMOUS_CONNECT);
|
||||
|
||||
return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
|
||||
}
|
||||
|