bug 528288 - disallow spdy from http created in nsNSSCallbacks to avoid OSCP/CRL loops with alternate-protocol sr=biesi r=honzab

patch 15

netwerk/protocol/http/HttpBaseChannel.cpp

@@ -80,6 +80,7 @@ HttpBaseChannel::HttpBaseChannel()
   , mChannelIsForDownload(false)
   , mTracingEnabled(true)
   , mTimingEnabled(false)
+  , mAllowSpdy(true)
   , mSuspendCount(0)
   , mRedirectedCachekeys(nsnull)
 {
@@ -1310,6 +1311,22 @@ HttpBaseChannel::HTTPUpgrade(const nsACString &aProtocolName,
     return NS_OK;
 }
 
+NS_IMETHODIMP
+HttpBaseChannel::GetAllowSpdy(bool *aAllowSpdy)
+{
+  NS_ENSURE_ARG_POINTER(aAllowSpdy);
+
+  *aAllowSpdy = mAllowSpdy;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+HttpBaseChannel::SetAllowSpdy(bool aAllowSpdy)
+{
+  mAllowSpdy = aAllowSpdy;
+  return NS_OK;
+}
+
 //-----------------------------------------------------------------------------
 // HttpBaseChannel::nsISupportsPriority
 //-----------------------------------------------------------------------------
@@ -1619,6 +1636,8 @@ HttpBaseChannel::SetupReplacementChannel(nsIURI       *newURI,
   if (httpInternal) {
     // convey the mForceAllowThirdPartyCookie flag
     httpInternal->SetForceAllowThirdPartyCookie(mForceAllowThirdPartyCookie);
+    // convey the spdy flag
+    httpInternal->SetAllowSpdy(mAllowSpdy);
 
     // update the DocumentURI indicator since we are being redirected.
     // if this was a top-level document channel, then the new channel

netwerk/protocol/http/HttpBaseChannel.h

@@ -167,6 +167,9 @@ public:
   NS_IMETHOD GetLocalPort(PRInt32* port);
   NS_IMETHOD GetRemoteAddress(nsACString& addr);
   NS_IMETHOD GetRemotePort(PRInt32* port);
+  NS_IMETHOD GetAllowSpdy(bool *aAllowSpdy);
+  NS_IMETHOD SetAllowSpdy(bool aAllowSpdy);
+  
   inline void CleanRedirectCacheChainIfNecessary()
   {
       if (mRedirectedCachekeys) {
@@ -295,6 +298,7 @@ protected:
   PRUint32                          mTracingEnabled             : 1;
   // True if timing collection is enabled
   PRUint32                          mTimingEnabled              : 1;
+  PRUint32                          mAllowSpdy                  : 1;
 
   // Current suspension depth for this channel object
   PRUint32                          mSuspendCount;

netwerk/protocol/http/HttpChannelChild.cpp

@@ -1079,7 +1079,7 @@ HttpChannelChild::AsyncOpen(nsIStreamListener *listener, nsISupports *aContext)
                 mPriority, mRedirectionLimit, mAllowPipelining,
                 mForceAllowThirdPartyCookie, mSendResumeAt,
                 mStartPos, mEntityID, mChooseApplicationCache, 
-                appCacheClientId);
+                appCacheClientId, mAllowSpdy);
 
   return NS_OK;
 }

netwerk/protocol/http/HttpChannelParent.cpp

@@ -143,7 +143,8 @@ HttpChannelParent::RecvAsyncOpen(const IPC::URI&            aURI,
                                  const PRUint64&            startPos,
                                  const nsCString&           entityID,
                                  const bool&                chooseApplicationCache,
-                                 const nsCString&           appCacheClientID)
+                                 const nsCString&           appCacheClientID,
+                                 const bool&                allowSpdy)
 {
   nsCOMPtr<nsIURI> uri(aURI);
   nsCOMPtr<nsIURI> originalUri(aOriginalURI);
@@ -203,6 +204,7 @@ HttpChannelParent::RecvAsyncOpen(const IPC::URI&            aURI,
   httpChan->SetRedirectionLimit(redirectionLimit);
   httpChan->SetAllowPipelining(allowPipelining);
   httpChan->SetForceAllowThirdPartyCookie(forceAllowThirdPartyCookie);
+  httpChan->SetAllowSpdy(allowSpdy);
 
   nsCOMPtr<nsIApplicationCacheChannel> appCacheChan =
     do_QueryInterface(mChannel);

netwerk/protocol/http/HttpChannelParent.h

@@ -97,7 +97,8 @@ protected:
                              const PRUint64&            startPos,
                              const nsCString&           entityID,
                              const bool&                chooseApplicationCache,
-                             const nsCString&           appCacheClientID);
+                             const nsCString&           appCacheClientID,
+                             const bool&                allowSpdy);
 
   virtual bool RecvConnectChannel(const PRUint32& channelId);
   virtual bool RecvSetPriority(const PRUint16& priority);

netwerk/protocol/http/PHttpChannel.ipdl

@@ -81,7 +81,8 @@ parent:
             PRUint64            startPos,
             nsCString           entityID,
             bool                chooseApplicationCache,
-            nsCString           appCacheClientID);
+            nsCString           appCacheClientID,
+            bool                allowSpdy);
 
   // Used to connect redirected-to channel on the parent with redirected-to
   // channel on the child.

netwerk/protocol/http/nsHttpChannel.cpp

@@ -211,7 +211,7 @@ nsHttpChannel::Connect(bool firstTime)
         }
 
         // Check for a previous SPDY Alternate-Protocol directive
-        if (gHttpHandler->IsSpdyEnabled()) {
+        if (gHttpHandler->IsSpdyEnabled() && mAllowSpdy) {
             nsCAutoString hostPort;
 
             if (NS_SUCCEEDED(mURI->GetHostPort(hostPort)) &&
@@ -519,6 +519,9 @@ nsHttpChannel::SetupTransaction()
         }
     }
 
+    if (!mAllowSpdy)
+        mCaps |= NS_HTTP_DISALLOW_SPDY;
+
     // use the URI path if not proxying (transparent proxying such as SSL proxy
     // does not count here). also, figure out what version we should be speaking.
     nsCAutoString buf, path;
@@ -4104,7 +4107,7 @@ nsHttpChannel::OnStartRequest(nsIRequest *request, nsISupports *ctxt)
     }
 
     if (gHttpHandler->IsSpdyEnabled() && !mCachePump && NS_FAILED(mStatus) &&
-        (mLoadFlags & LOAD_REPLACE) && mOriginalURI) {
+        (mLoadFlags & LOAD_REPLACE) && mOriginalURI && mAllowSpdy) {
         // For sanity's sake we may want to cancel an alternate protocol
         // redirection involving the original host name
 

netwerk/protocol/http/nsIHttpChannelInternal.idl

@@ -53,7 +53,7 @@ interface nsIProxyInfo;
  * The callback interface for nsIHttpChannelInternal::HTTPUpgrade()
  */
 
-[scriptable, uuid(5644af88-09e1-4fbd-83da-f012b3b30180)]
+[scriptable, uuid(4b967b6d-cd1c-49ae-a457-23ff76f5a2e8)]
 interface nsIHttpUpgradeListener : nsISupports
 {
     void onTransportAvailable(in nsISocketTransport   aTransport,
@@ -181,4 +181,11 @@ interface nsIHttpChannelInternal : nsISupports
     void HTTPUpgrade(in ACString aProtocolName,
                      in nsIHttpUpgradeListener aListener);
 
+    /**
+     * Enable/Disable Spdy negotiation on per channel basis.
+     * The network.http.spdy.enabled preference is still a pre-requisite
+     * for starting spdy.
+     */
+    attribute boolean allowSpdy;
+
 };

security/manager/ssl/src/nsNSSCallbacks.cpp

@@ -53,6 +53,7 @@
 #include "nsProxyRelease.h"
 #include "PSMRunnable.h"
 #include "nsIConsoleService.h"
+#include "nsIHttpChannelInternal.h"
 
 #include "ssl.h"
 #include "ocsp.h"
@@ -133,6 +134,16 @@ nsHTTPDownloadEvent::Run()
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
+  // Do not use SPDY for internal security operations. It could result
+  // in the silent upgrade to ssl, which in turn could require an SSL
+  // operation to fufill something like a CRL fetch, which is an
+  // endless loop.
+  nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(chan);
+  if (internalChannel) {
+    rv = internalChannel->SetAllowSpdy(false);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+
   nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(chan);
   NS_ENSURE_STATE(hchan);