Bug 466080 - Make more things honor the LOAD_ANONYMOUS flag r=sicking,MisterSSL, sr=sicking

netwerk/base/public/nsISocketTransport.idl

@@ -150,6 +150,14 @@ interface nsISocketTransport : nsITransport
      */
     const unsigned long BYPASS_CACHE = (1 << 0);
 
+    /**
+     * When setting this flag, the socket will not apply any
+     * credentials when establishing a connection. For example,
+     * an SSL connection would not send any client-certificates
+     * if this flag is set.
+     */
+    const unsigned long ANONYMOUS_CONNECT = (1 << 1);
+
 };
 
 %{C++

netwerk/base/src/nsSocketTransport2.cpp

@@ -1002,6 +1002,9 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, PRBool &proxyTransparent, PRBool
 
             if (mProxyTransparentResolvesHost)
                 proxyFlags |= nsISocketProvider::PROXY_RESOLVES_HOST;
+            
+            if (mConnectionFlags & nsISocketTransport::ANONYMOUS_CONNECT)
+                proxyFlags |= nsISocketProvider::ANONYMOUS_CONNECT;
 
             nsCOMPtr<nsISupports> secinfo;
             if (i == 0) {
@@ -1026,7 +1029,7 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, PRBool &proxyTransparent, PRBool
                                            proxyFlags, fd,
                                            getter_AddRefs(secinfo));
             }
-            proxyFlags = 0;
+            // proxyFlags = 0; not used below this point...
             if (NS_FAILED(rv))
                 break;
 

netwerk/protocol/http/src/nsHttp.h

@@ -108,6 +108,10 @@ typedef PRUint8 nsHttpVersion;
 // bypass the local DNS cache
 #define NS_HTTP_REFRESH_DNS          (1<<3)
 
+// a transaction with this caps flag will not pass SSL client-certificates
+// to the server (see bug #466080), but is may also be used for other things
+#define NS_HTTP_LOAD_ANONYMOUS       (1<<4)
+
 //-----------------------------------------------------------------------------
 // some default values
 //-----------------------------------------------------------------------------

netwerk/protocol/http/src/nsHttpChannel.cpp

@@ -673,6 +673,11 @@ nsHttpChannel::SetupTransaction()
         return NS_ERROR_OUT_OF_MEMORY;
     NS_ADDREF(mTransaction);
 
+    // See bug #466080. Transfer LOAD_ANONYMOUS flag to socket-layer.
+    if (mLoadFlags & LOAD_ANONYMOUS) {
+        mCaps |= NS_HTTP_LOAD_ANONYMOUS;
+    }
+
     nsCOMPtr<nsIAsyncInputStream> responseStream;
     rv = mTransaction->Init(mCaps, mConnectionInfo, &mRequestHead,
                             mUploadStream, mUploadStreamHasHeaders,

netwerk/protocol/http/src/nsHttpConnection.cpp

@@ -452,8 +452,14 @@ nsHttpConnection::CreateTransport(PRUint8 caps)
                               getter_AddRefs(strans));
     if (NS_FAILED(rv)) return rv;
 
+    PRUint32 tmpFlags = 0;
     if (caps & NS_HTTP_REFRESH_DNS)
-        strans->SetConnectionFlags(nsISocketTransport::BYPASS_CACHE); 
+        tmpFlags = nsISocketTransport::BYPASS_CACHE;
+    
+    if (caps & NS_HTTP_LOAD_ANONYMOUS)
+        tmpFlags |= nsISocketTransport::ANONYMOUS_CONNECT;
+    
+    strans->SetConnectionFlags(tmpFlags); 
 
     // NOTE: these create cyclical references, which we break inside
     //       nsHttpConnection::Close

netwerk/socket/base/nsISocketProvider.idl

@@ -106,6 +106,15 @@ interface nsISocketProvider : nsISupports
      * later connect et al. request.
      */
     const long PROXY_RESOLVES_HOST = 1 << 0;
+    
+    /**
+     * When setting this flag, the socket will not apply any
+     * credentials when establishing a connection. For example,
+     * an SSL connection would not send any client-certificates
+     * if this flag is set.
+     */
+    const long ANONYMOUS_CONNECT = 1 << 1;
+    
 };
 
 %{C++

security/manager/ssl/src/nsNSSIOLayer.cpp

@@ -2004,14 +2004,15 @@ nsSSLIOLayerNewSocket(PRInt32 family,
                       PRInt32 proxyPort,
                       PRFileDesc **fd,
                       nsISupports** info,
-                      PRBool forSTARTTLS)
+                      PRBool forSTARTTLS,
+                      PRBool anonymousLoad)
 {
 
   PRFileDesc* sock = PR_OpenTCPSocket(family);
   if (!sock) return NS_ERROR_OUT_OF_MEMORY;
 
   nsresult rv = nsSSLIOLayerAddToSocket(family, host, port, proxyHost, proxyPort,
-                                        sock, info, forSTARTTLS);
+                                        sock, info, forSTARTTLS, anonymousLoad);
   if (NS_FAILED(rv)) {
     PR_Close(sock);
     return rv;
@@ -3118,7 +3119,8 @@ nsNSSBadCertHandler(void *arg, PRFileDesc *sslSocket)
 static PRFileDesc*
 nsSSLIOLayerImportFD(PRFileDesc *fd,
                      nsNSSSocketInfo *infoObject,
-                     const char *host)
+                     const char *host,
+                     PRBool anonymousLoad)
 {
   nsNSSShutDownPreventionLock locker;
   PRFileDesc* sslSock = SSL_ImportFD(nsnull, fd);
@@ -3128,9 +3130,15 @@ nsSSLIOLayerImportFD(PRFileDesc *fd,
   }
   SSL_SetPKCS11PinArg(sslSock, (nsIInterfaceRequestor*)infoObject);
   SSL_HandshakeCallback(sslSock, HandshakeCallback, infoObject);
-  SSL_GetClientAuthDataHook(sslSock, 
+
+  // Disable this hook if we connect anonymously. See bug 466080.
+  if (anonymousLoad) {
+      SSL_GetClientAuthDataHook(sslSock, NULL, infoObject);
+  } else {
+      SSL_GetClientAuthDataHook(sslSock, 
                             (SSLGetClientAuthData)nsNSS_SSLGetClientAuthData,
                             infoObject);
+  }
   SSL_AuthCertificateHook(sslSock, AuthCertificateCallback, 0);
 
   PRInt32 ret = SSL_SetURL(sslSock, host);
@@ -3149,7 +3157,7 @@ loser:
 static nsresult
 nsSSLIOLayerSetOptions(PRFileDesc *fd, PRBool forSTARTTLS, 
                        const char *proxyHost, const char *host, PRInt32 port,
-                       nsNSSSocketInfo *infoObject)
+                       PRBool anonymousLoad, nsNSSSocketInfo *infoObject)
 {
   nsNSSShutDownPreventionLock locker;
   if (forSTARTTLS || proxyHost) {
@@ -3200,7 +3208,13 @@ nsSSLIOLayerSetOptions(PRFileDesc *fd, PRBool forSTARTTLS,
   }
 
   // Set the Peer ID so that SSL proxy connections work properly.
-  char *peerId = PR_smprintf("%s:%d", host, port);
+  char *peerId;
+  if (anonymousLoad) {  // See bug #466080. Separate the caches.
+      peerId = PR_smprintf("anon:%s:%d", host, port);
+  } else {
+      peerId = PR_smprintf("%s:%d", host, port);
+  }
+  
   if (SECSuccess != SSL_SetSockPeerID(fd, peerId)) {
     PR_smprintf_free(peerId);
     return NS_ERROR_FAILURE;
@@ -3218,7 +3232,8 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
                         PRInt32 proxyPort,
                         PRFileDesc* fd,
                         nsISupports** info,
-                        PRBool forSTARTTLS)
+                        PRBool forSTARTTLS,
+                        PRBool anonymousLoad)
 {
   nsNSSShutDownPreventionLock locker;
   PRFileDesc* layer = nsnull;
@@ -3232,7 +3247,7 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
   infoObject->SetHostName(host);
   infoObject->SetPort(port);
 
-  PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host);
+  PRFileDesc *sslSock = nsSSLIOLayerImportFD(fd, infoObject, host, anonymousLoad);
   if (!sslSock) {
     NS_ASSERTION(PR_FALSE, "NSS: Error importing socket");
     goto loser;
@@ -3240,7 +3255,8 @@ nsSSLIOLayerAddToSocket(PRInt32 family,
 
   infoObject->SetFileDescPtr(sslSock);
 
-  rv = nsSSLIOLayerSetOptions(sslSock, forSTARTTLS, proxyHost, host, port,
+  rv = nsSSLIOLayerSetOptions(sslSock,
+                              forSTARTTLS, proxyHost, host, port, anonymousLoad,
                               infoObject);
 
   if (NS_FAILED(rv))

security/manager/ssl/src/nsNSSIOLayer.h

@@ -272,7 +272,8 @@ nsresult nsSSLIOLayerNewSocket(PRInt32 family,
                                PRInt32 proxyPort,
                                PRFileDesc **fd,
                                nsISupports **securityInfo,
-                               PRBool forSTARTTLS);
+                               PRBool forSTARTTLS,
+                               PRBool anonymousLoad);
 
 nsresult nsSSLIOLayerAddToSocket(PRInt32 family,
                                  const char *host,
@@ -281,7 +282,8 @@ nsresult nsSSLIOLayerAddToSocket(PRInt32 family,
                                  PRInt32 proxyPort,
                                  PRFileDesc *fd,
                                  nsISupports **securityInfo,
-                                 PRBool forSTARTTLS);
+                                 PRBool forSTARTTLS,
+                                 PRBool anonymousLoad);
 
 nsresult nsSSLIOLayerFreeTLSIntolerantSites();
 nsresult displayUnknownCertErrorAlert(nsNSSSocketInfo *infoObject, int error);

security/manager/ssl/src/nsSSLSocketProvider.cpp

@@ -68,7 +68,8 @@ nsSSLSocketProvider::NewSocket(PRInt32 family,
                                       proxyPort,
                                       _result,
                                       securityInfo,
-                                      PR_FALSE);
+                                      PR_FALSE,
+                                      flags & ANONYMOUS_CONNECT);
   return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
 }
 
@@ -90,7 +91,8 @@ nsSSLSocketProvider::AddToSocket(PRInt32 family,
                                         proxyPort,
                                         aSocket,
                                         securityInfo,
-                                        PR_FALSE);
+                                        PR_FALSE,
+                                        flags & ANONYMOUS_CONNECT);
   
   return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
 }

security/manager/ssl/src/nsTLSSocketProvider.cpp

@@ -68,7 +68,8 @@ nsTLSSocketProvider::NewSocket(PRInt32 family,
                                       proxyPort,
                                       _result,
                                       securityInfo,
-                                      PR_TRUE);
+                                      PR_TRUE,
+                                      flags & ANONYMOUS_CONNECT);
   
   return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
 }
@@ -91,7 +92,8 @@ nsTLSSocketProvider::AddToSocket(PRInt32 family,
                                         proxyPort,
                                         aSocket,
                                         securityInfo,
-                                        PR_TRUE);
+                                        PR_TRUE,
+                                        flags & ANONYMOUS_CONNECT);
   
   return (NS_FAILED(rv)) ? NS_ERROR_SOCKET_CREATE_FAILED : NS_OK;
 }