NSS Channel ID: don't check ECC support on every socket creation.

chrome/browser/net/ssl_config_service_manager_pref.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "chrome/browser/net/ssl_config_service_manager.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "chrome/browser/prefs/pref_change_registrar.h"
 #include "chrome/browser/prefs/pref_member.h"
 #include "chrome/browser/prefs/pref_service.h"
 #include "chrome/common/chrome_notification_types.h"
 #include "chrome/common/pref_names.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/notification_details.h"
 #include "content/public/browser/notification_source.h"
 #include "net/base/ssl_cipher_suite_names.h"
 #include "net/base/ssl_config_service.h"
 
+#if !defined(USE_OPENSSL)
+#include <pkcs11t.h>
+#endif
+
+#if !defined(USE_OPENSSL)

[Ryan Sleevi, 2012/07/04 01:36:33]

nit: Combine these two blocks into one #if, with a newline in between the
#includes

+#include "crypto/ec_private_key.h"
+#include "crypto/nss_util.h"
+#include "crypto/scoped_nss_types.h"
+#endif
+
 using content::BrowserThread;
 
 namespace {
 
 // Converts a ListValue of StringValues into a vector of strings. Any Values
 // which cannot be converted will be skipped.
 std::vector<std::string> ListValueToStringVector(const ListValue* value) {
   std::vector<std::string> results;
   results.reserve(value->GetSize());
   std::string s;
@@ skipping 140 matching lines @@
   // The prefs (should only be accessed from UI thread)
   BooleanPrefMember rev_checking_enabled_;
   StringPrefMember ssl_version_min_;
   StringPrefMember ssl_version_max_;
   BooleanPrefMember channel_id_enabled_;
   BooleanPrefMember ssl_record_splitting_disabled_;
 
   // The cached list of disabled SSL cipher suites.
   std::vector<uint16> disabled_cipher_suites_;
 
+  // Whether channel ID is supported by the system.
+  bool channel_id_supported_;
+
   scoped_refptr<SSLConfigServicePref> ssl_config_service_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLConfigServiceManagerPref);
 };
 
 SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
     PrefService* local_state)
-    : ssl_config_service_(new SSLConfigServicePref()) {
+    : channel_id_supported_(false),
+      ssl_config_service_(new SSLConfigServicePref()) {
   DCHECK(local_state);
 
+#if !defined(USE_OPENSSL)
+  // TODO(mattm): we can do this check here only because we use the NSS internal
+  // slot. If we support other slots in the future, checking whether they
+  // support ECDSA may block NSS, and thus this check would have to be moved to
+  // the NSS task runner. If we support arbitrary slots, the value may also

[Ryan Sleevi, 2012/07/04 01:36:33]

The comment about "the NSS task runner" is probably not applicable here.

+  // change as devices are inserted/removed, so we would need to re-check on
+  // every connection.
+  crypto::EnsureNSSInit();
+  crypto::ScopedPK11Slot slot(crypto::ECPrivateKey::GetKeySlot());
+  channel_id_supported_ = PK11_DoesMechanism(slot.get(), CKM_EC_KEY_PAIR_GEN) &&
+      PK11_DoesMechanism(slot.get(), CKM_ECDSA);
+  if (!channel_id_supported_)
+    DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID.";
+#endif
+
   rev_checking_enabled_.Init(prefs::kCertRevocationCheckingEnabled,
                              local_state, this);
   ssl_version_min_.Init(prefs::kSSLVersionMin, local_state, this);
   ssl_version_max_.Init(prefs::kSSLVersionMax, local_state, this);
   channel_id_enabled_.Init(prefs::kEnableOriginBoundCerts, local_state, this);
   ssl_record_splitting_disabled_.Init(prefs::kDisableSSLRecordSplitting,
                                       local_state, this);
   pref_change_registrar_.Init(local_state);
   pref_change_registrar_.Add(prefs::kCipherSuiteBlacklist, this);
 
@@ skipping 69 matching lines @@
     uint16 supported_version_min = config->version_min;
     config->version_min = std::max(supported_version_min, version_min);
   }
   if (version_max) {
     // TODO(wtc): get the maximum SSL protocol version supported by the
     // SSLClientSocket class.
     uint16 supported_version_max = config->version_max;
     config->version_max = std::min(supported_version_max, version_max);
   }
   config->disabled_cipher_suites = disabled_cipher_suites_;
-  config->channel_id_enabled = channel_id_enabled_.GetValue();
+  config->channel_id_enabled = channel_id_supported_ &&
+      channel_id_enabled_.GetValue();
   // disabling False Start also happens to disable record splitting.
   config->false_start_enabled = !ssl_record_splitting_disabled_.GetValue();
   SSLConfigServicePref::SetSSLConfigFlags(config);
 }
 
 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange(
     PrefService* prefs) {
   const ListValue* value = prefs->GetList(prefs::kCipherSuiteBlacklist);
   disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value));
 }
 
 ////////////////////////////////////////////////////////////////////////////////
 //  SSLConfigServiceManager
 
 // static
 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager(
     PrefService* local_state) {
   return new SSLConfigServiceManagerPref(local_state);
 }
 
 // static
 void SSLConfigServiceManager::RegisterPrefs(PrefService* prefs) {
   SSLConfigServiceManagerPref::RegisterPrefs(prefs);
 }