diff options
| author | Rene Ladan <rene@FreeBSD.org> | 2014-10-15 21:55:33 +0000 |
|---|---|---|
| committer | Rene Ladan <rene@FreeBSD.org> | 2014-10-15 21:55:33 +0000 |
| commit | fff5120b13758ebdbadcfa6c104c442c7f3afd4e (patch) | |
| tree | 2fbe800723e7d78d5d607489e488dde71908a769 | |
| parent | 70e2ba18d528836edcd3263b316438e0b79991a4 (diff) | |
| download | ports-fff5120b13758ebdbadcfa6c104c442c7f3afd4e.tar.gz ports-fff5120b13758ebdbadcfa6c104c442c7f3afd4e.zip | |
MFH: r370928
www/chromium: desupport SSLv3.0, taken from upstream GIT repository.
While here really fix the desktop icon.
Bump PORTREVISION
Obtained from: https://chromium.googlesource.com/chromium/src/+/701bb044ac5ad4f1572e86b83a673cc49383efb4
Obtained from: https://chromium.googlesource.com/chromium/src/+/32352ad08ee673a4d43e8593ce988b224f6482d3
Security: CVE-2014-3566 ("Poodle")
Approved by: portmgr (bdrewery)
Notes
Notes:
svn path=/branches/2014Q4/; revision=370959
16 files changed, 263 insertions, 12 deletions
diff --git a/www/chromium/Makefile b/www/chromium/Makefile index 4f817474f235..6891e6651290 100644 --- a/www/chromium/Makefile +++ b/www/chromium/Makefile @@ -3,7 +3,7 @@ PORTNAME= chromium PORTVERSION= 38.0.2125.101 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www MASTER_SITES= http://commondatastorage.googleapis.com/chromium-browser-official/ DISTFILES= ${DISTNAME}${EXTRACT_SUFX} diff --git a/www/chromium/files/chromium-browser.desktop.in b/www/chromium/files/chromium-browser.desktop.in index 784d0cf26be6..7654b75848d3 100644 --- a/www/chromium/files/chromium-browser.desktop.in +++ b/www/chromium/files/chromium-browser.desktop.in @@ -4,7 +4,7 @@ Version=1.0 Encoding=UTF-8 Name=Chromium Comment=%%COMMENT%% -Icon=%%DATADIR%%/product_logo_48.png +Icon=chrome Exec=chrome %U Categories=Application;Network;WebBrowser; MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp; diff --git a/www/chromium/files/patch-chrome__app__generated_resources.grd b/www/chromium/files/patch-chrome__app__generated_resources.grd new file mode 100644 index 000000000000..6e2893ae7a21 --- /dev/null +++ b/www/chromium/files/patch-chrome__app__generated_resources.grd @@ -0,0 +1,19 @@ +--- chrome/app/generated_resources.grd.orig 2014-10-02 17:39:45 UTC ++++ chrome/app/generated_resources.grd +@@ -9024,6 +9024,16 @@ + SSL protocol error. + </message> + ++ <message name="IDS_ERRORPAGES_HEADING_SSL_FALLBACK_BEYOND_MINIMUM_VERSION" desc="Heading in the error page for SSL fallback errors."> ++ SSL server probably obsolete. ++ </message> ++ <message name="IDS_ERRORPAGES_SUMMARY_SSL_FALLBACK_BEYOND_MINIMUM_VERSION" desc="Summary in the error page for SSL fallback errors."> ++ Unable to connect securely to the server. This website may have worked previously, but connecting to such sites has now been shown to cause security risks to all users and thus has been disabled for your safety. ++ </message> ++ <message name="IDS_ERRORPAGES_DETAILS_SSL_FALLBACK_BEYOND_MINIMUM_VERSION" desc="The error message displayed for SSL fallback errors."> ++ An SSLv3 fallback was able to handshake with the server, but we no longer accept SSLv3 fallbacks due to new attacks against the protocol. The server needs to be updated to support a minimum of TLS 1.0 and preferably TLS 1.2. ++ </message> ++ + <message name="IDS_ERRORPAGES_HEADING_PINNING_FAILURE" desc="Title of the error page for a certificate which doesn't match the built-in pins for that name"> + Incorrect certificate for host. + </message> diff --git a/www/chromium/files/patch-chrome__browser__net__ssl_config_service_manager_pref.cc b/www/chromium/files/patch-chrome__browser__net__ssl_config_service_manager_pref.cc new file mode 100644 index 000000000000..08f8d6d0a50b --- /dev/null +++ b/www/chromium/files/patch-chrome__browser__net__ssl_config_service_manager_pref.cc @@ -0,0 +1,57 @@ +--- chrome/browser/net/ssl_config_service_manager_pref.cc.orig 2014-10-02 17:39:46 UTC ++++ chrome/browser/net/ssl_config_service_manager_pref.cc +@@ -174,6 +174,7 @@ + BooleanPrefMember rev_checking_required_local_anchors_; + StringPrefMember ssl_version_min_; + StringPrefMember ssl_version_max_; ++ StringPrefMember ssl_version_fallback_min_; + BooleanPrefMember ssl_record_splitting_disabled_; + + // The cached list of disabled SSL cipher suites. +@@ -204,6 +205,8 @@ + prefs::kSSLVersionMin, local_state, local_state_callback); + ssl_version_max_.Init( + prefs::kSSLVersionMax, local_state, local_state_callback); ++ ssl_version_fallback_min_.Init( ++ prefs::kSSLVersionFallbackMin, local_state, local_state_callback); + ssl_record_splitting_disabled_.Init( + prefs::kDisableSSLRecordSplitting, local_state, local_state_callback); + +@@ -230,8 +233,12 @@ + SSLProtocolVersionToString(default_config.version_min); + std::string version_max_str = + SSLProtocolVersionToString(default_config.version_max); ++ std::string version_fallback_min_str = ++ SSLProtocolVersionToString(default_config.version_fallback_min); + registry->RegisterStringPref(prefs::kSSLVersionMin, version_min_str); + registry->RegisterStringPref(prefs::kSSLVersionMax, version_max_str); ++ registry->RegisterStringPref(prefs::kSSLVersionFallbackMin, ++ version_fallback_min_str); + registry->RegisterBooleanPref(prefs::kDisableSSLRecordSplitting, + !default_config.false_start_enabled); + registry->RegisterListPref(prefs::kCipherSuiteBlacklist); +@@ -275,10 +282,14 @@ + rev_checking_required_local_anchors_.GetValue(); + std::string version_min_str = ssl_version_min_.GetValue(); + std::string version_max_str = ssl_version_max_.GetValue(); ++ std::string version_fallback_min_str = ssl_version_fallback_min_.GetValue(); + config->version_min = net::kDefaultSSLVersionMin; + config->version_max = net::kDefaultSSLVersionMax; ++ config->version_fallback_min = net::kDefaultSSLVersionFallbackMin; + uint16 version_min = SSLProtocolVersionFromString(version_min_str); + uint16 version_max = SSLProtocolVersionFromString(version_max_str); ++ uint16 version_fallback_min = ++ SSLProtocolVersionFromString(version_fallback_min_str); + if (version_min) { + // TODO(wtc): get the minimum SSL protocol version supported by the + // SSLClientSocket class. Right now it happens to be the same as the +@@ -293,6 +304,9 @@ + uint16 supported_version_max = config->version_max; + config->version_max = std::min(supported_version_max, version_max); + } ++ if (version_fallback_min) { ++ config->version_fallback_min = version_fallback_min; ++ } + config->disabled_cipher_suites = disabled_cipher_suites_; + // disabling False Start also happens to disable record splitting. + config->false_start_enabled = !ssl_record_splitting_disabled_.GetValue(); diff --git a/www/chromium/files/patch-chrome__browser__prefs__command_line_pref_store.cc b/www/chromium/files/patch-chrome__browser__prefs__command_line_pref_store.cc new file mode 100644 index 000000000000..05aa5a59138f --- /dev/null +++ b/www/chromium/files/patch-chrome__browser__prefs__command_line_pref_store.cc @@ -0,0 +1,10 @@ +--- chrome/browser/prefs/command_line_pref_store.cc.orig 2014-10-02 17:39:46 UTC ++++ chrome/browser/prefs/command_line_pref_store.cc +@@ -33,6 +33,7 @@ + { switches::kDiskCacheDir, prefs::kDiskCacheDir }, + { switches::kSSLVersionMin, prefs::kSSLVersionMin }, + { switches::kSSLVersionMax, prefs::kSSLVersionMax }, ++ { switches::kSSLVersionFallbackMin, prefs::kSSLVersionFallbackMin }, + }; + + const CommandLinePrefStore::BooleanSwitchToPreferenceMapEntry diff --git a/www/chromium/files/patch-chrome__common__chrome_switches.cc b/www/chromium/files/patch-chrome__common__chrome_switches.cc index 9bda80df8130..78ba721ed90b 100644 --- a/www/chromium/files/patch-chrome__common__chrome_switches.cc +++ b/www/chromium/files/patch-chrome__common__chrome_switches.cc @@ -1,6 +1,17 @@ ---- chrome/common/chrome_switches.cc.orig 2014-10-02 17:39:46 UTC -+++ chrome/common/chrome_switches.cc -@@ -1277,13 +1277,13 @@ +--- chrome/common/chrome_switches.cc.orig 2014-10-02 19:39:46.000000000 +0200 ++++ chrome/common/chrome_switches.cc 2014-10-15 11:59:52.000000000 +0200 +@@ -1127,6 +1127,10 @@ + // "tls1.2"). + const char kSSLVersionMin[] = "ssl-version-min"; + ++// Specifies the minimum SSL/TLS version ("ssl3", "tls1", "tls1.1", or ++// "tls1.2") that TLS fallback will accept. ++const char kSSLVersionFallbackMin[] = "ssl-version-fallback-min"; ++ + // Starts the browser maximized, regardless of any previous settings. + const char kStartMaximized[] = "start-maximized"; + +@@ -1277,13 +1281,13 @@ const char kPasswordStore[] = "password-store"; #endif diff --git a/www/chromium/files/patch-chrome__common__chrome_switches.h b/www/chromium/files/patch-chrome__common__chrome_switches.h index e68096d1da1a..e92c2a4add89 100644 --- a/www/chromium/files/patch-chrome__common__chrome_switches.h +++ b/www/chromium/files/patch-chrome__common__chrome_switches.h @@ -1,6 +1,14 @@ ---- chrome/common/chrome_switches.h.orig 2014-10-02 17:39:46 UTC -+++ chrome/common/chrome_switches.h -@@ -362,7 +362,7 @@ +--- chrome/common/chrome_switches.h.orig 2014-10-02 19:39:46.000000000 +0200 ++++ chrome/common/chrome_switches.h 2014-10-15 11:59:52.000000000 +0200 +@@ -309,6 +309,7 @@ + extern const char kSpellingServiceFeedbackIntervalSeconds[]; + extern const char kSSLVersionMax[]; + extern const char kSSLVersionMin[]; ++extern const char kSSLVersionFallbackMin[]; + extern const char kStartMaximized[]; + extern const char kSupervisedUserId[]; + extern const char kSupervisedUserSyncToken[]; +@@ -362,7 +363,7 @@ extern const char kPasswordStore[]; #endif diff --git a/www/chromium/files/patch-chrome__common__localized_error.cc b/www/chromium/files/patch-chrome__common__localized_error.cc new file mode 100644 index 000000000000..23986cfbf534 --- /dev/null +++ b/www/chromium/files/patch-chrome__common__localized_error.cc @@ -0,0 +1,35 @@ +--- chrome/common/localized_error.cc.orig 2014-10-02 17:39:46 UTC ++++ chrome/common/localized_error.cc +@@ -40,6 +40,8 @@ + static const char kWeakDHKeyLearnMoreUrl[] = + "http://sites.google.com/a/chromium.org/dev/" + "err_ssl_weak_server_ephemeral_dh_key"; ++static const char kSSLv3FallbackUrl[] = ++ "https://code.google.com/p/chromium/issues/detail?id=418848"; + #if defined(OS_CHROMEOS) + static const char kAppWarningLearnMoreUrl[] = + "chrome-extension://honijodknafkokifofgiaalefdiedpko/main.html" +@@ -301,6 +303,13 @@ + IDS_ERRORPAGES_DETAILS_BLOCKED_ENROLLMENT_CHECK_PENDING, + SUGGEST_CHECK_CONNECTION, + }, ++ {net::ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ++ IDS_ERRORPAGES_TITLE_LOAD_FAILED, ++ IDS_ERRORPAGES_HEADING_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ++ IDS_ERRORPAGES_SUMMARY_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ++ IDS_ERRORPAGES_DETAILS_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ++ SUGGEST_LEARNMORE, ++ }, + }; + + // Special error page to be used in the case of navigating back to a page +@@ -796,6 +805,9 @@ + case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY: + learn_more_url = GURL(kWeakDHKeyLearnMoreUrl); + break; ++ case net::ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION: ++ learn_more_url = GURL(kSSLv3FallbackUrl); ++ break; + default: + break; + } diff --git a/www/chromium/files/patch-chrome__common__pref_names.cc b/www/chromium/files/patch-chrome__common__pref_names.cc index 6d6b8b9223f9..e08e896099e0 100644 --- a/www/chromium/files/patch-chrome__common__pref_names.cc +++ b/www/chromium/files/patch-chrome__common__pref_names.cc @@ -1,5 +1,5 @@ ---- chrome/common/pref_names.cc.orig 2014-10-02 17:39:46 UTC -+++ chrome/common/pref_names.cc +--- chrome/common/pref_names.cc.orig 2014-10-02 19:39:46.000000000 +0200 ++++ chrome/common/pref_names.cc 2014-10-15 11:59:52.000000000 +0200 @@ -898,7 +898,7 @@ // Boolean controlling whether SafeSearch is mandatory for Google Web Searches. const char kForceSafeSearch[] = "settings.force_safesearch"; @@ -9,3 +9,11 @@ // Linux specific preference on whether we should match the system theme. const char kUsesSystemTheme[] = "extensions.theme.use_system"; #endif +@@ -1288,6 +1288,7 @@ + "ssl.rev_checking.required_for_local_anchors"; + const char kSSLVersionMin[] = "ssl.version_min"; + const char kSSLVersionMax[] = "ssl.version_max"; ++const char kSSLVersionFallbackMin[] = "ssl.version_fallback_min"; + const char kCipherSuiteBlacklist[] = "ssl.cipher_suites.blacklist"; + const char kDisableSSLRecordSplitting[] = "ssl.ssl_record_splitting.disabled"; + diff --git a/www/chromium/files/patch-chrome__common__pref_names.h b/www/chromium/files/patch-chrome__common__pref_names.h index 51d6c485dc82..bea49931893e 100644 --- a/www/chromium/files/patch-chrome__common__pref_names.h +++ b/www/chromium/files/patch-chrome__common__pref_names.h @@ -1,5 +1,5 @@ ---- chrome/common/pref_names.h.orig 2014-10-02 17:39:46 UTC -+++ chrome/common/pref_names.h +--- chrome/common/pref_names.h.orig 2014-10-02 19:39:46.000000000 +0200 ++++ chrome/common/pref_names.h 2014-10-15 11:59:52.000000000 +0200 @@ -291,7 +291,7 @@ extern const char kForceSafeSearch[]; extern const char kDeleteTimePeriod[]; @@ -9,3 +9,11 @@ extern const char kUsesSystemTheme[]; #endif extern const char kCurrentThemePackFilename[]; +@@ -405,6 +405,7 @@ + extern const char kCertRevocationCheckingRequiredLocalAnchors[]; + extern const char kSSLVersionMin[]; + extern const char kSSLVersionMax[]; ++extern const char kSSLVersionFallbackMin[]; + extern const char kCipherSuiteBlacklist[]; + extern const char kDisableSSLRecordSplitting[]; + diff --git a/www/chromium/files/patch-net__base__net_error_list.h b/www/chromium/files/patch-net__base__net_error_list.h new file mode 100644 index 000000000000..417c040678bf --- /dev/null +++ b/www/chromium/files/patch-net__base__net_error_list.h @@ -0,0 +1,13 @@ +--- net/base/net_error_list.h.orig 2014-10-02 17:18:59 UTC ++++ net/base/net_error_list.h +@@ -336,6 +336,10 @@ + // library. + NET_ERROR(SSL_CLIENT_AUTH_CERT_BAD_FORMAT, -164) + ++// The SSL server requires falling back to a version older than the configured ++// minimum fallback version, and thus fallback failed. ++NET_ERROR(SSL_FALLBACK_BEYOND_MINIMUM_VERSION, -165) ++ + // Certificate error codes + // + // The values of certificate error codes must be consecutive. diff --git a/www/chromium/files/patch-net__socket__ssl_client_socket_nss.cc b/www/chromium/files/patch-net__socket__ssl_client_socket_nss.cc new file mode 100644 index 000000000000..b9b8223100bd --- /dev/null +++ b/www/chromium/files/patch-net__socket__ssl_client_socket_nss.cc @@ -0,0 +1,14 @@ +--- net/socket/ssl_client_socket_nss.cc.orig 2014-10-02 17:39:47 UTC ++++ net/socket/ssl_client_socket_nss.cc +@@ -3330,6 +3330,11 @@ + EnterFunction(result); + + if (result == OK) { ++ if (ssl_config_.version_fallback && ++ ssl_config_.version_max < ssl_config_.version_fallback_min) { ++ return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; ++ } ++ + // SSL handshake is completed. Let's verify the certificate. + GotoState(STATE_VERIFY_CERT); + // Done! diff --git a/www/chromium/files/patch-net__socket__ssl_client_socket_openssl.cc b/www/chromium/files/patch-net__socket__ssl_client_socket_openssl.cc new file mode 100644 index 000000000000..45a2d53a3e82 --- /dev/null +++ b/www/chromium/files/patch-net__socket__ssl_client_socket_openssl.cc @@ -0,0 +1,14 @@ +--- net/socket/ssl_client_socket_openssl.cc.orig 2014-10-02 17:39:47 UTC ++++ net/socket/ssl_client_socket_openssl.cc +@@ -890,6 +890,11 @@ + << " is: " << (SSL_session_reused(ssl_) ? "Success" : "Fail"); + } + ++ if (ssl_config_.version_fallback && ++ ssl_config_.version_max < ssl_config_.version_fallback_min) { ++ return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; ++ } ++ + // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. + if (npn_status_ == kNextProtoUnsupported) { + const uint8_t* alpn_proto = NULL; diff --git a/www/chromium/files/patch-net__ssl__ssl_config.cc b/www/chromium/files/patch-net__ssl__ssl_config.cc new file mode 100644 index 000000000000..daceda466cb4 --- /dev/null +++ b/www/chromium/files/patch-net__ssl__ssl_config.cc @@ -0,0 +1,19 @@ +--- net/ssl/ssl_config.cc.orig 2014-10-02 17:39:47 UTC ++++ net/ssl/ssl_config.cc +@@ -25,6 +25,8 @@ + SSL_PROTOCOL_VERSION_TLS1_2; + #endif + ++const uint16 kDefaultSSLVersionFallbackMin = SSL_PROTOCOL_VERSION_TLS1; ++ + SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {} + + SSLConfig::CertAndStatus::~CertAndStatus() {} +@@ -34,6 +36,7 @@ + rev_checking_required_local_anchors(false), + version_min(kDefaultSSLVersionMin), + version_max(kDefaultSSLVersionMax), ++ version_fallback_min(kDefaultSSLVersionFallbackMin), + channel_id_enabled(true), + false_start_enabled(true), + signed_cert_timestamps_enabled(true), diff --git a/www/chromium/files/patch-net__ssl__ssl_config.h b/www/chromium/files/patch-net__ssl__ssl_config.h new file mode 100644 index 000000000000..c9593650685a --- /dev/null +++ b/www/chromium/files/patch-net__ssl__ssl_config.h @@ -0,0 +1,25 @@ +--- net/ssl/ssl_config.h.orig 2014-10-02 17:19:00 UTC ++++ net/ssl/ssl_config.h +@@ -32,6 +32,9 @@ + // Default maximum protocol version. + NET_EXPORT extern const uint16 kDefaultSSLVersionMax; + ++// Default minimum protocol version that it's acceptable to fallback to. ++NET_EXPORT extern const uint16 kDefaultSSLVersionFallbackMin; ++ + // A collection of SSL-related configuration settings. + struct NET_EXPORT SSLConfig { + // Default to revocation checking. +@@ -73,6 +76,12 @@ + uint16 version_min; + uint16 version_max; + ++ // version_fallback_min contains the minimum version that is acceptable to ++ // fallback to. Versions before this may be tried to see whether they would ++ // have succeeded and thus to give a better message to the user, but the ++ // resulting connection won't be used in these cases. ++ uint16 version_fallback_min; ++ + // Presorted list of cipher suites which should be explicitly prevented from + // being used in addition to those disabled by the net built-in policy. + // diff --git a/www/chromium/files/patch-tools__metrics__histograms__histograms.xml b/www/chromium/files/patch-tools__metrics__histograms__histograms.xml new file mode 100644 index 000000000000..0eaff934a058 --- /dev/null +++ b/www/chromium/files/patch-tools__metrics__histograms__histograms.xml @@ -0,0 +1,10 @@ +--- tools/metrics/histograms/histograms.xml.orig 2014-10-02 17:39:48 UTC ++++ tools/metrics/histograms/histograms.xml +@@ -45253,6 +45253,7 @@ + <int value="162" label="SOCKET_RECEIVE_BUFFER_SIZE_UNCHANGEABLE"/> + <int value="163" label="SOCKET_SEND_BUFFER_SIZE_UNCHANGEABLE"/> + <int value="164" label="SSL_CLIENT_AUTH_CERT_BAD_FORMAT"/> ++ <int value="165" label="SSL_FALLBACK_BEYOND_MINIMUM_VERSION"/> + <int value="200" label="CERT_COMMON_NAME_INVALID"/> + <int value="201" label="CERT_DATE_INVALID"/> + <int value="202" label="CERT_AUTHORITY_INVALID"/> |