From: Rene Ladan
Date: Wed, 15 Oct 2014 15:10:05 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r370928 - in head/www/chromium: . files

Author: rene
Date: Wed Oct 15 15:10:04 2014
New Revision: 370928
URL: https://svnweb.freebsd.org/changeset/ports/370928
QAT: https://qat.redports.org/buildarchive/r370928/

Log:
  www/chromium: desupport SSLv3.0, taken from upstream GIT repository.
  While here really fix the desktop icon.
  Bump PORTREVISION

  Obtained from: https://chromium.googlesource.com/chromium/src/+/701bb044ac5ad4f1572e86b83a673cc49383efb4
  Obtained from: https://chromium.googlesource.com/chromium/src/+/32352ad08ee673a4d43e8593ce988b224f6482d3
  MFH: 2014Q4
  Security: CVE-2014-3566 ("Poodle")

Added:
  head/www/chromium/files/patch-chrome__app__generated_resources.grd (contents, props changed)
  head/www/chromium/files/patch-chrome__browser__net__ssl_config_service_manager_pref.cc (contents, props changed)
  head/www/chromium/files/patch-chrome__browser__prefs__command_line_pref_store.cc (contents, props changed)
  head/www/chromium/files/patch-chrome__common__localized_error.cc (contents, props changed)
  head/www/chromium/files/patch-net__base__net_error_list.h (contents, props changed)
  head/www/chromium/files/patch-net__socket__ssl_client_socket_nss.cc (contents, props changed)
  head/www/chromium/files/patch-net__socket__ssl_client_socket_openssl.cc (contents, props changed)
  head/www/chromium/files/patch-net__ssl__ssl_config.cc (contents, props changed)
  head/www/chromium/files/patch-net__ssl__ssl_config.h (contents, props
changed) head/www/chromium/files/patch-tools__metrics__histograms__histograms.xml (contents, props changed) Modified: head/www/chromium/Makefile head/www/chromium/files/chromium-browser.desktop.in head/www/chromium/files/patch-chrome__common__chrome_switches.cc head/www/chromium/files/patch-chrome__common__chrome_switches.h head/www/chromium/files/patch-chrome__common__pref_names.cc head/www/chromium/files/patch-chrome__common__pref_names.h Modified: head/www/chromium/Makefile ============================================================================== --- head/www/chromium/Makefile Wed Oct 15 14:53:51 2014 (r370927) +++ head/www/chromium/Makefile Wed Oct 15 15:10:04 2014 (r370928) @@ -3,7 +3,7 @@ PORTNAME= chromium PORTVERSION= 38.0.2125.101 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www MASTER_SITES= http://commondatastorage.googleapis.com/chromium-browser-official/ DISTFILES= ${DISTNAME}${EXTRACT_SUFX} Modified: head/www/chromium/files/chromium-browser.desktop.in ============================================================================== --- head/www/chromium/files/chromium-browser.desktop.in Wed Oct 15 14:53:51 2014 (r370927) +++ head/www/chromium/files/chromium-browser.desktop.in Wed Oct 15 15:10:04 2014 (r370928) @@ -4,7 +4,7 @@ Version=1.0 Encoding=UTF-8 Name=Chromium Comment=%%COMMENT%% -Icon=%%DATADIR%%/product_logo_48.png +Icon=chrome Exec=chrome %U Categories=Application;Network;WebBrowser; MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp; Added: head/www/chromium/files/patch-chrome__app__generated_resources.grd ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/chromium/files/patch-chrome__app__generated_resources.grd Wed Oct 15 15:10:04 2014 (r370928) 
@@ -0,0 +1,19 @@ +--- chrome/app/generated_resources.grd.orig 2014-10-02 17:39:45 UTC ++++ chrome/app/generated_resources.grd +@@ -9024,6 +9024,16 @@ + SSL protocol error. + + ++ ++ SSL server probably obsolete. ++ ++ ++ Unable to connect securely to the server. This website may have worked previously, but connecting to such sites has now been shown to cause security risks to all users and thus has been disabled for your safety. ++ ++ ++ An SSLv3 fallback was able to handshake with the server, but we no longer accept SSLv3 fallbacks due to new attacks against the protocol. The server needs to be updated to support a minimum of TLS 1.0 and preferably TLS 1.2. ++ ++ + + Incorrect certificate for host. + Added: head/www/chromium/files/patch-chrome__browser__net__ssl_config_service_manager_pref.cc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/chromium/files/patch-chrome__browser__net__ssl_config_service_manager_pref.cc Wed Oct 15 15:10:04 2014 (r370928) 
@@ -0,0 +1,57 @@ +--- chrome/browser/net/ssl_config_service_manager_pref.cc.orig 2014-10-02 17:39:46 UTC ++++ chrome/browser/net/ssl_config_service_manager_pref.cc +@@ -174,6 +174,7 @@ + BooleanPrefMember rev_checking_required_local_anchors_; + StringPrefMember ssl_version_min_; + StringPrefMember ssl_version_max_; ++ StringPrefMember ssl_version_fallback_min_; + BooleanPrefMember ssl_record_splitting_disabled_; + + // The cached list of disabled SSL cipher suites. +@@ -204,6 +205,8 @@ + prefs::kSSLVersionMin, local_state, local_state_callback); + ssl_version_max_.Init( + prefs::kSSLVersionMax, local_state, local_state_callback); ++ ssl_version_fallback_min_.Init( ++ prefs::kSSLVersionFallbackMin, local_state, local_state_callback); + ssl_record_splitting_disabled_.Init( + prefs::kDisableSSLRecordSplitting, local_state, local_state_callback); + +@@ -230,8 +233,12 @@ + SSLProtocolVersionToString(default_config.version_min); + std::string version_max_str = + SSLProtocolVersionToString(default_config.version_max); ++ std::string version_fallback_min_str = ++ SSLProtocolVersionToString(default_config.version_fallback_min); + registry->RegisterStringPref(prefs::kSSLVersionMin, version_min_str); + registry->RegisterStringPref(prefs::kSSLVersionMax, version_max_str); ++ registry->RegisterStringPref(prefs::kSSLVersionFallbackMin, ++ version_fallback_min_str); + registry->RegisterBooleanPref(prefs::kDisableSSLRecordSplitting, + !default_config.false_start_enabled); + registry->RegisterListPref(prefs::kCipherSuiteBlacklist); +@@ -275,10 +282,14 @@ + rev_checking_required_local_anchors_.GetValue(); + std::string version_min_str = ssl_version_min_.GetValue(); + std::string version_max_str = ssl_version_max_.GetValue(); ++ std::string version_fallback_min_str = ssl_version_fallback_min_.GetValue(); + config->version_min = net::kDefaultSSLVersionMin; + config->version_max = net::kDefaultSSLVersionMax; ++ config->version_fallback_min = net::kDefaultSSLVersionFallbackMin; + uint16 
version_min = SSLProtocolVersionFromString(version_min_str); + uint16 version_max = SSLProtocolVersionFromString(version_max_str); ++ uint16 version_fallback_min = ++ SSLProtocolVersionFromString(version_fallback_min_str); + if (version_min) { + // TODO(wtc): get the minimum SSL protocol version supported by the + // SSLClientSocket class. Right now it happens to be the same as the +@@ -293,6 +304,9 @@ + uint16 supported_version_max = config->version_max; + config->version_max = std::min(supported_version_max, version_max); + } ++ if (version_fallback_min) { ++ config->version_fallback_min = version_fallback_min; ++ } + config->disabled_cipher_suites = disabled_cipher_suites_; + // disabling False Start also happens to disable record splitting. + config->false_start_enabled = !ssl_record_splitting_disabled_.GetValue(); Added: head/www/chromium/files/patch-chrome__browser__prefs__command_line_pref_store.cc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/chromium/files/patch-chrome__browser__prefs__command_line_pref_store.cc Wed Oct 15 15:10:04 2014 (r370928) 
@@ -0,0 +1,10 @@ +--- chrome/browser/prefs/command_line_pref_store.cc.orig 2014-10-02 17:39:46 UTC ++++ chrome/browser/prefs/command_line_pref_store.cc +@@ -33,6 +33,7 @@ + { switches::kDiskCacheDir, prefs::kDiskCacheDir }, + { switches::kSSLVersionMin, prefs::kSSLVersionMin }, + { switches::kSSLVersionMax, prefs::kSSLVersionMax }, ++ { switches::kSSLVersionFallbackMin, prefs::kSSLVersionFallbackMin }, + }; + + const CommandLinePrefStore::BooleanSwitchToPreferenceMapEntry Modified: head/www/chromium/files/patch-chrome__common__chrome_switches.cc ============================================================================== --- head/www/chromium/files/patch-chrome__common__chrome_switches.cc Wed Oct 15 14:53:51 2014 (r370927) +++ head/www/chromium/files/patch-chrome__common__chrome_switches.cc Wed Oct 15 15:10:04 2014 (r370928) @@ -1,6 +1,17 @@ ---- chrome/common/chrome_switches.cc.orig 2014-10-02 17:39:46 UTC -+++ chrome/common/chrome_switches.cc -@@ -1277,13 +1277,13 @@ +--- chrome/common/chrome_switches.cc.orig 2014-10-02 19:39:46.000000000 +0200 ++++ chrome/common/chrome_switches.cc 2014-10-15 11:59:52.000000000 +0200 +@@ -1127,6 +1127,10 @@ + // "tls1.2"). + const char kSSLVersionMin[] = "ssl-version-min"; + ++// Specifies the minimum SSL/TLS version ("ssl3", "tls1", "tls1.1", or ++// "tls1.2") that TLS fallback will accept. ++const char kSSLVersionFallbackMin[] = "ssl-version-fallback-min"; ++ + // Starts the browser maximized, regardless of any previous settings. + const char kStartMaximized[] = "start-maximized"; + +@@ -1277,13 +1281,13 @@ const char kPasswordStore[] = "password-store"; #endif Modified: head/www/chromium/files/patch-chrome__common__chrome_switches.h ============================================================================== --- head/www/chromium/files/patch-chrome__common__chrome_switches.h Wed Oct 15 14:53:51 2014 (r370927) +++ head/www/chromium/files/patch-chrome__common__chrome_switches.h Wed Oct 15 15:10:04 2014 (r370928) 
@@ -1,6 +1,14 @@ ---- chrome/common/chrome_switches.h.orig 2014-10-02 17:39:46 UTC -+++ chrome/common/chrome_switches.h -@@ -362,7 +362,7 @@ +--- chrome/common/chrome_switches.h.orig 2014-10-02 19:39:46.000000000 +0200 ++++ chrome/common/chrome_switches.h 2014-10-15 11:59:52.000000000 +0200 +@@ -309,6 +309,7 @@ + extern const char kSpellingServiceFeedbackIntervalSeconds[]; + extern const char kSSLVersionMax[]; + extern const char kSSLVersionMin[]; ++extern const char kSSLVersionFallbackMin[]; + extern const char kStartMaximized[]; + extern const char kSupervisedUserId[]; + extern const char kSupervisedUserSyncToken[]; +@@ -362,7 +363,7 @@ extern const char kPasswordStore[]; #endif Added: head/www/chromium/files/patch-chrome__common__localized_error.cc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/chromium/files/patch-chrome__common__localized_error.cc Wed Oct 15 15:10:04 2014 (r370928) 
@@ -0,0 +1,35 @@ +--- chrome/common/localized_error.cc.orig 2014-10-02 17:39:46 UTC ++++ chrome/common/localized_error.cc +@@ -40,6 +40,8 @@ + static const char kWeakDHKeyLearnMoreUrl[] = + "http://sites.google.com/a/chromium.org/dev/" + "err_ssl_weak_server_ephemeral_dh_key"; ++static const char kSSLv3FallbackUrl[] = ++ "https://code.google.com/p/chromium/issues/detail?id=418848"; + #if defined(OS_CHROMEOS) + static const char kAppWarningLearnMoreUrl[] = + "chrome-extension://honijodknafkokifofgiaalefdiedpko/main.html" +@@ -301,6 +303,13 @@ + IDS_ERRORPAGES_DETAILS_BLOCKED_ENROLLMENT_CHECK_PENDING, + SUGGEST_CHECK_CONNECTION, + }, ++ {net::ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ++ IDS_ERRORPAGES_TITLE_LOAD_FAILED, ++ IDS_ERRORPAGES_HEADING_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ++ IDS_ERRORPAGES_SUMMARY_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ++ IDS_ERRORPAGES_DETAILS_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ++ SUGGEST_LEARNMORE, ++ }, + }; + + // Special error page to be used in the case of navigating back to a page +@@ -796,6 +805,9 @@ + case net::ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY: + learn_more_url = GURL(kWeakDHKeyLearnMoreUrl); + break; ++ case net::ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION: ++ learn_more_url = GURL(kSSLv3FallbackUrl); ++ break; + default: + break; + } Modified: head/www/chromium/files/patch-chrome__common__pref_names.cc ============================================================================== --- head/www/chromium/files/patch-chrome__common__pref_names.cc Wed Oct 15 14:53:51 2014 (r370927) +++ head/www/chromium/files/patch-chrome__common__pref_names.cc Wed Oct 15 15:10:04 2014 (r370928) @@ -1,5 +1,5 @@ ---- chrome/common/pref_names.cc.orig 2014-10-02 17:39:46 UTC -+++ chrome/common/pref_names.cc +--- chrome/common/pref_names.cc.orig 2014-10-02 19:39:46.000000000 +0200 ++++ chrome/common/pref_names.cc 2014-10-15 11:59:52.000000000 +0200 
@@ -898,7 +898,7 @@ // Boolean controlling whether SafeSearch is mandatory for Google Web Searches. const char kForceSafeSearch[] = "settings.force_safesearch"; @@ -9,3 +9,11 @@ // Linux specific preference on whether we should match the system theme. const char kUsesSystemTheme[] = "extensions.theme.use_system"; #endif +@@ -1288,6 +1288,7 @@ + "ssl.rev_checking.required_for_local_anchors"; + const char kSSLVersionMin[] = "ssl.version_min"; + const char kSSLVersionMax[] = "ssl.version_max"; ++const char kSSLVersionFallbackMin[] = "ssl.version_fallback_min"; + const char kCipherSuiteBlacklist[] = "ssl.cipher_suites.blacklist"; + const char kDisableSSLRecordSplitting[] = "ssl.ssl_record_splitting.disabled"; + Modified: head/www/chromium/files/patch-chrome__common__pref_names.h ============================================================================== --- head/www/chromium/files/patch-chrome__common__pref_names.h Wed Oct 15 14:53:51 2014 (r370927) +++ head/www/chromium/files/patch-chrome__common__pref_names.h Wed Oct 15 15:10:04 2014 (r370928) @@ -1,5 +1,5 @@ ---- chrome/common/pref_names.h.orig 2014-10-02 17:39:46 UTC -+++ chrome/common/pref_names.h +--- chrome/common/pref_names.h.orig 2014-10-02 19:39:46.000000000 +0200 ++++ chrome/common/pref_names.h 2014-10-15 11:59:52.000000000 +0200 @@ -291,7 +291,7 @@ extern const char kForceSafeSearch[]; extern const char kDeleteTimePeriod[]; @@ -9,3 +9,11 @@ extern const char kUsesSystemTheme[]; #endif extern const char kCurrentThemePackFilename[]; +@@ -405,6 +405,7 @@ + extern const char kCertRevocationCheckingRequiredLocalAnchors[]; + extern const char kSSLVersionMin[]; + extern const char kSSLVersionMax[]; ++extern const char kSSLVersionFallbackMin[]; + extern const char kCipherSuiteBlacklist[]; + extern const char kDisableSSLRecordSplitting[]; + Added: head/www/chromium/files/patch-net__base__net_error_list.h ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/chromium/files/patch-net__base__net_error_list.h Wed Oct 15 15:10:04 2014 (r370928) @@ -0,0 +1,13 @@ +--- net/base/net_error_list.h.orig 2014-10-02 17:18:59 UTC ++++ net/base/net_error_list.h +@@ -336,6 +336,10 @@ + // library. + NET_ERROR(SSL_CLIENT_AUTH_CERT_BAD_FORMAT, -164) + ++// The SSL server requires falling back to a version older than the configured ++// minimum fallback version, and thus fallback failed. ++NET_ERROR(SSL_FALLBACK_BEYOND_MINIMUM_VERSION, -165) ++ + // Certificate error codes + // + // The values of certificate error codes must be consecutive. Added: head/www/chromium/files/patch-net__socket__ssl_client_socket_nss.cc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/chromium/files/patch-net__socket__ssl_client_socket_nss.cc Wed Oct 15 15:10:04 2014 (r370928) @@ -0,0 +1,14 @@ +--- net/socket/ssl_client_socket_nss.cc.orig 2014-10-02 17:39:47 UTC ++++ net/socket/ssl_client_socket_nss.cc +@@ -3330,6 +3330,11 @@ + EnterFunction(result); + + if (result == OK) { ++ if (ssl_config_.version_fallback && ++ ssl_config_.version_max < ssl_config_.version_fallback_min) { ++ return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; ++ } ++ + // SSL handshake is completed. Let's verify the certificate. + GotoState(STATE_VERIFY_CERT); + // Done! Added: head/www/chromium/files/patch-net__socket__ssl_client_socket_openssl.cc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/chromium/files/patch-net__socket__ssl_client_socket_openssl.cc Wed Oct 15 15:10:04 2014 (r370928) 
@@ -0,0 +1,14 @@ +--- net/socket/ssl_client_socket_openssl.cc.orig 2014-10-02 17:39:47 UTC ++++ net/socket/ssl_client_socket_openssl.cc +@@ -890,6 +890,11 @@ + << " is: " << (SSL_session_reused(ssl_) ? "Success" : "Fail"); + } + ++ if (ssl_config_.version_fallback && ++ ssl_config_.version_max < ssl_config_.version_fallback_min) { ++ return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION; ++ } ++ + // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. + if (npn_status_ == kNextProtoUnsupported) { + const uint8_t* alpn_proto = NULL; Added: head/www/chromium/files/patch-net__ssl__ssl_config.cc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/chromium/files/patch-net__ssl__ssl_config.cc Wed Oct 15 15:10:04 2014 (r370928) @@ -0,0 +1,19 @@ +--- net/ssl/ssl_config.cc.orig 2014-10-02 17:39:47 UTC ++++ net/ssl/ssl_config.cc +@@ -25,6 +25,8 @@ + SSL_PROTOCOL_VERSION_TLS1_2; + #endif + ++const uint16 kDefaultSSLVersionFallbackMin = SSL_PROTOCOL_VERSION_TLS1; ++ + SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {} + + SSLConfig::CertAndStatus::~CertAndStatus() {} +@@ -34,6 +36,7 @@ + rev_checking_required_local_anchors(false), + version_min(kDefaultSSLVersionMin), + version_max(kDefaultSSLVersionMax), ++ version_fallback_min(kDefaultSSLVersionFallbackMin), + channel_id_enabled(true), + false_start_enabled(true), + signed_cert_timestamps_enabled(true), Added: head/www/chromium/files/patch-net__ssl__ssl_config.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/chromium/files/patch-net__ssl__ssl_config.h Wed Oct 15 15:10:04 2014 (r370928) 
@@ -0,0 +1,25 @@ +--- net/ssl/ssl_config.h.orig 2014-10-02 17:19:00 UTC ++++ net/ssl/ssl_config.h +@@ -32,6 +32,9 @@ + // Default maximum protocol version. + NET_EXPORT extern const uint16 kDefaultSSLVersionMax; + ++// Default minimum protocol version that it's acceptable to fallback to. ++NET_EXPORT extern const uint16 kDefaultSSLVersionFallbackMin; ++ + // A collection of SSL-related configuration settings. + struct NET_EXPORT SSLConfig { + // Default to revocation checking. +@@ -73,6 +76,12 @@ + uint16 version_min; + uint16 version_max; + ++ // version_fallback_min contains the minimum version that is acceptable to ++ // fallback to. Versions before this may be tried to see whether they would ++ // have succeeded and thus to give a better message to the user, but the ++ // resulting connection won't be used in these cases. ++ uint16 version_fallback_min; ++ + // Presorted list of cipher suites which should be explicitly prevented from + // being used in addition to those disabled by the net built-in policy. + // Added: head/www/chromium/files/patch-tools__metrics__histograms__histograms.xml ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/chromium/files/patch-tools__metrics__histograms__histograms.xml Wed Oct 15 15:10:04 2014 (r370928) @@ -0,0 +1,10 @@ +--- tools/metrics/histograms/histograms.xml.orig 2014-10-02 17:39:48 UTC ++++ tools/metrics/histograms/histograms.xml +@@ -45253,6 +45253,7 @@ + + + ++ + + +
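Review bot: In patch-chrome__browser__net__ssl_config_service_manager_pref.cc, the last hunk (-293,6 +304,9) copies the pref-supplied version_fallback_min into the config with no bounds check, whereas version_max a few lines above is clamped with std::min. The switch comment added in chrome_switches.cc lists "ssl3" as an accepted value, so a local-state pref or --ssl-version-fallback-min=ssl3 on the command line puts the SSLv3 fallback back in play. Suggest bounding the value to the [version_min, version_max] range at minimum, and noting in the commit log or port message that this switch overrides the new default so that administrators know to audit for it.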
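Review bot: In patch-net__socket__ssl_client_socket_nss.cc (-3330,6 +3330,11), and the identical lines in patch-net__socket__ssl_client_socket_openssl.cc (-890,6 +890,11), the new check is missing a comment on two non-obvious points: it runs only after the handshake has already returned OK, and it compares the configured version_max rather than the version that was actually negotiated. The ssl_config.h comment says lower versions may still be tried to produce a better error message, which explains the first point, but nothing at the check itself says why version_max stands in for the negotiated version (presumably because a fallback retry carries the lowered cap there). A short comment at both sites would help, and since the same three lines are duplicated across the NSS and OpenSSL sockets, a small shared helper on SSLConfig would keep the two from drifting apart.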
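Review bot: The commit log says "desupport SSLv3.0", but patch-net__ssl__ssl_config.cc (-25,6 +25,8) only introduces kDefaultSSLVersionFallbackMin = SSL_PROTOCOL_VERSION_TLS1, and no hunk in this diff touches kDefaultSSLVersionMin or version_min. As far as the visible lines show, only the fallback floor is raised, while the directly negotiated minimum is unchanged. Suggest wording the log as "disable SSLv3 fallback" so that readers of the MFH and the security entry do not assume SSLv3 is fully off.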
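Review bot: Style point on the modified patch files (patch-chrome__common__chrome_switches.cc, chrome_switches.h, pref_names.cc, pref_names.h): their ---/+++ header lines change from the "2014-10-02 17:39:46 UTC" form to "2014-10-02 19:39:46.000000000 +0200" with a local build timestamp on the +++ line, while every newly added patch file in this same commit uses the UTC form with no timestamp on the +++ line. Regenerating the four modified files in the same format as the new ones would keep the headers consistent and avoid unrelated header churn in later diffs.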
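Review bot: In files/chromium-browser.desktop.in, Icon= changes from an absolute path under %%DATADIR%% to the bare name "chrome", which depends on an icon of that name being installed where the desktop's icon lookup will find it. The Makefile hunk in this commit changes only PORTREVISION, so nothing visible here installs or renames an icon. Worth confirming that the port already installs the icon under that name, and saying so in the log, given that the message describes this as "really" fixing the icon.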