corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bug 528288 - disallow spdy from http created in nsNSSCallbacks to avoid OSCP/CRL loops with alternate-protocol sr=biesi r=honzab

Browse Source 
patch 15
This commit is contained in:
Patrick McManus
2011-12-02 10:28:57 -05:00
parent be86af83d6
commit 98c20171cb
9 changed files with 55 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
netwerk/protocol/http/HttpBaseChannel.cpp
View File

@@ -80,6 +80,7 @@ HttpBaseChannel::HttpBaseChannel()
, mChannelIsForDownload(false) , mChannelIsForDownload(false)
, mTracingEnabled(true) , mTracingEnabled(true)
, mTimingEnabled(false) , mTimingEnabled(false)
, mAllowSpdy(true)
, mSuspendCount(0) , mSuspendCount(0)
, mRedirectedCachekeys(nsnull) , mRedirectedCachekeys(nsnull)
{ {
@@ -1310,6 +1311,22 @@ HttpBaseChannel::HTTPUpgrade(const nsACString &aProtocolName,
return NS_OK; return NS_OK;
} }
NS_IMETHODIMP
HttpBaseChannel::GetAllowSpdy(bool *aAllowSpdy)
{
NS_ENSURE_ARG_POINTER(aAllowSpdy);
*aAllowSpdy = mAllowSpdy;
return NS_OK;
}
NS_IMETHODIMP
HttpBaseChannel::SetAllowSpdy(bool aAllowSpdy)
{
mAllowSpdy = aAllowSpdy;
return NS_OK;
}
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
// HttpBaseChannel::nsISupportsPriority // HttpBaseChannel::nsISupportsPriority
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
@@ -1619,6 +1636,8 @@ HttpBaseChannel::SetupReplacementChannel(nsIURI *newURI,
if (httpInternal) { if (httpInternal) {
// convey the mForceAllowThirdPartyCookie flag // convey the mForceAllowThirdPartyCookie flag
httpInternal->SetForceAllowThirdPartyCookie(mForceAllowThirdPartyCookie); httpInternal->SetForceAllowThirdPartyCookie(mForceAllowThirdPartyCookie);
// convey the spdy flag
httpInternal->SetAllowSpdy(mAllowSpdy);
// update the DocumentURI indicator since we are being redirected. // update the DocumentURI indicator since we are being redirected.
// if this was a top-level document channel, then the new channel // if this was a top-level document channel, then the new channel

4
netwerk/protocol/http/HttpBaseChannel.h
View File

@@ -167,6 +167,9 @@ public:
NS_IMETHOD GetLocalPort(PRInt32* port); NS_IMETHOD GetLocalPort(PRInt32* port);
NS_IMETHOD GetRemoteAddress(nsACString& addr); NS_IMETHOD GetRemoteAddress(nsACString& addr);
NS_IMETHOD GetRemotePort(PRInt32* port); NS_IMETHOD GetRemotePort(PRInt32* port);
NS_IMETHOD GetAllowSpdy(bool *aAllowSpdy);
NS_IMETHOD SetAllowSpdy(bool aAllowSpdy);
inline void CleanRedirectCacheChainIfNecessary() inline void CleanRedirectCacheChainIfNecessary()
{ {
if (mRedirectedCachekeys) { if (mRedirectedCachekeys) {
@@ -295,6 +298,7 @@ protected:
PRUint32 mTracingEnabled : 1; PRUint32 mTracingEnabled : 1;
// True if timing collection is enabled // True if timing collection is enabled
PRUint32 mTimingEnabled : 1; PRUint32 mTimingEnabled : 1;
PRUint32 mAllowSpdy : 1;
// Current suspension depth for this channel object // Current suspension depth for this channel object
PRUint32 mSuspendCount; PRUint32 mSuspendCount;

2
netwerk/protocol/http/HttpChannelChild.cpp
View File

@@ -1079,7 +1079,7 @@ HttpChannelChild::AsyncOpen(nsIStreamListener *listener, nsISupports *aContext)
mPriority, mRedirectionLimit, mAllowPipelining, mPriority, mRedirectionLimit, mAllowPipelining,
mForceAllowThirdPartyCookie, mSendResumeAt, mForceAllowThirdPartyCookie, mSendResumeAt,
mStartPos, mEntityID, mChooseApplicationCache, mStartPos, mEntityID, mChooseApplicationCache,
appCacheClientId); appCacheClientId, mAllowSpdy);
return NS_OK; return NS_OK;
} }

4
netwerk/protocol/http/HttpChannelParent.cpp
View File

@@ -143,7 +143,8 @@ HttpChannelParent::RecvAsyncOpen(const IPC::URI& aURI,
const PRUint64& startPos, const PRUint64& startPos,
const nsCString& entityID, const nsCString& entityID,
const bool& chooseApplicationCache, const bool& chooseApplicationCache,
const nsCString& appCacheClientID) const nsCString& appCacheClientID,
const bool& allowSpdy)
{ {
nsCOMPtr<nsIURI> uri(aURI); nsCOMPtr<nsIURI> uri(aURI);
nsCOMPtr<nsIURI> originalUri(aOriginalURI); nsCOMPtr<nsIURI> originalUri(aOriginalURI);
@@ -203,6 +204,7 @@ HttpChannelParent::RecvAsyncOpen(const IPC::URI& aURI,
httpChan->SetRedirectionLimit(redirectionLimit); httpChan->SetRedirectionLimit(redirectionLimit);
httpChan->SetAllowPipelining(allowPipelining); httpChan->SetAllowPipelining(allowPipelining);
httpChan->SetForceAllowThirdPartyCookie(forceAllowThirdPartyCookie); httpChan->SetForceAllowThirdPartyCookie(forceAllowThirdPartyCookie);
httpChan->SetAllowSpdy(allowSpdy);
nsCOMPtr<nsIApplicationCacheChannel> appCacheChan = nsCOMPtr<nsIApplicationCacheChannel> appCacheChan =
do_QueryInterface(mChannel); do_QueryInterface(mChannel);

3
netwerk/protocol/http/HttpChannelParent.h
View File

@@ -97,7 +97,8 @@ protected:
const PRUint64& startPos, const PRUint64& startPos,
const nsCString& entityID, const nsCString& entityID,
const bool& chooseApplicationCache, const bool& chooseApplicationCache,
const nsCString& appCacheClientID); const nsCString& appCacheClientID,
const bool& allowSpdy);
virtual bool RecvConnectChannel(const PRUint32& channelId); virtual bool RecvConnectChannel(const PRUint32& channelId);
virtual bool RecvSetPriority(const PRUint16& priority); virtual bool RecvSetPriority(const PRUint16& priority);

3
netwerk/protocol/http/PHttpChannel.ipdl
View File

@@ -81,7 +81,8 @@ parent:
PRUint64 startPos, PRUint64 startPos,
nsCString entityID, nsCString entityID,
bool chooseApplicationCache, bool chooseApplicationCache,
nsCString appCacheClientID); nsCString appCacheClientID,
bool allowSpdy);
// Used to connect redirected-to channel on the parent with redirected-to // Used to connect redirected-to channel on the parent with redirected-to
// channel on the child. // channel on the child.

7
netwerk/protocol/http/nsHttpChannel.cpp
View File

@@ -211,7 +211,7 @@ nsHttpChannel::Connect(bool firstTime)
} }
// Check for a previous SPDY Alternate-Protocol directive // Check for a previous SPDY Alternate-Protocol directive
if (gHttpHandler->IsSpdyEnabled()) { if (gHttpHandler->IsSpdyEnabled() && mAllowSpdy) {
nsCAutoString hostPort; nsCAutoString hostPort;
if (NS_SUCCEEDED(mURI->GetHostPort(hostPort)) && if (NS_SUCCEEDED(mURI->GetHostPort(hostPort)) &&
@@ -519,6 +519,9 @@ nsHttpChannel::SetupTransaction()
} }
} }
if (!mAllowSpdy)
mCaps |= NS_HTTP_DISALLOW_SPDY;
// use the URI path if not proxying (transparent proxying such as SSL proxy // use the URI path if not proxying (transparent proxying such as SSL proxy
// does not count here). also, figure out what version we should be speaking. // does not count here). also, figure out what version we should be speaking.
nsCAutoString buf, path; nsCAutoString buf, path;
@@ -4104,7 +4107,7 @@ nsHttpChannel::OnStartRequest(nsIRequest *request, nsISupports *ctxt)
} }
if (gHttpHandler->IsSpdyEnabled() && !mCachePump && NS_FAILED(mStatus) && if (gHttpHandler->IsSpdyEnabled() && !mCachePump && NS_FAILED(mStatus) &&
(mLoadFlags & LOAD_REPLACE) && mOriginalURI) { (mLoadFlags & LOAD_REPLACE) && mOriginalURI && mAllowSpdy) {
// For sanity's sake we may want to cancel an alternate protocol // For sanity's sake we may want to cancel an alternate protocol
// redirection involving the original host name // redirection involving the original host name

9
netwerk/protocol/http/nsIHttpChannelInternal.idl
View File

@@ -53,7 +53,7 @@ interface nsIProxyInfo;
* The callback interface for nsIHttpChannelInternal::HTTPUpgrade() * The callback interface for nsIHttpChannelInternal::HTTPUpgrade()
*/ */
[scriptable, uuid(5644af88-09e1-4fbd-83da-f012b3b30180)] [scriptable, uuid(4b967b6d-cd1c-49ae-a457-23ff76f5a2e8)]
interface nsIHttpUpgradeListener : nsISupports interface nsIHttpUpgradeListener : nsISupports
{ {
void onTransportAvailable(in nsISocketTransport aTransport, void onTransportAvailable(in nsISocketTransport aTransport,
@@ -181,4 +181,11 @@ interface nsIHttpChannelInternal : nsISupports
void HTTPUpgrade(in ACString aProtocolName, void HTTPUpgrade(in ACString aProtocolName,
in nsIHttpUpgradeListener aListener); in nsIHttpUpgradeListener aListener);
/**
* Enable/Disable Spdy negotiation on per channel basis.
* The network.http.spdy.enabled preference is still a pre-requisite
* for starting spdy.
*/
attribute boolean allowSpdy;
}; };

11
security/manager/ssl/src/nsNSSCallbacks.cpp
View File

@@ -53,6 +53,7 @@
#include "nsProxyRelease.h" #include "nsProxyRelease.h"
#include "PSMRunnable.h" #include "PSMRunnable.h"
#include "nsIConsoleService.h" #include "nsIConsoleService.h"
#include "nsIHttpChannelInternal.h"
#include "ssl.h" #include "ssl.h"
#include "ocsp.h" #include "ocsp.h"
@@ -133,6 +134,16 @@ nsHTTPDownloadEvent::Run()
NS_ENSURE_SUCCESS(rv, rv); NS_ENSURE_SUCCESS(rv, rv);
} }
// Do not use SPDY for internal security operations. It could result
// in the silent upgrade to ssl, which in turn could require an SSL
// operation to fufill something like a CRL fetch, which is an
// endless loop.
nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(chan);
if (internalChannel) {
rv = internalChannel->SetAllowSpdy(false);
NS_ENSURE_SUCCESS(rv, rv);
}
nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(chan); nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(chan);
NS_ENSURE_STATE(hchan); NS_ENSURE_STATE(hchan);