Index: chrome/browser/net/ssl_config_service_manager_pref.cc |
diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc |
index c8ac92714de095934a72f809b7b4a7dc7b59955c..2a3bed3818d9aa3d4e5a6105e75c1f9727b9d6f5 100644 |
--- a/chrome/browser/net/ssl_config_service_manager_pref.cc |
+++ b/chrome/browser/net/ssl_config_service_manager_pref.cc |
@@ -20,6 +20,16 @@ |
#include "net/base/ssl_cipher_suite_names.h" |
#include "net/base/ssl_config_service.h" |
+#if !defined(USE_OPENSSL) |
+#include <pkcs11t.h> |
+#endif |
+ |
+#if !defined(USE_OPENSSL) |
Ryan Sleevi
2012/07/04 01:36:33
nit: Combine these two blocks into one #if, with a
|
+#include "crypto/ec_private_key.h" |
+#include "crypto/nss_util.h" |
+#include "crypto/scoped_nss_types.h" |
+#endif |
+ |
using content::BrowserThread; |
namespace { |
@@ -180,6 +190,9 @@ class SSLConfigServiceManagerPref |
// The cached list of disabled SSL cipher suites. |
std::vector<uint16> disabled_cipher_suites_; |
+ // Whether channel ID is supported by the system. |
+ bool channel_id_supported_; |
+ |
scoped_refptr<SSLConfigServicePref> ssl_config_service_; |
DISALLOW_COPY_AND_ASSIGN(SSLConfigServiceManagerPref); |
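Review bot: The comment on `channel_id_supported_` should say when the value is established and what it means in builds where the probe is compiled out, since readers of GetSSLConfigFromPrefs will otherwise assume it tracks the running system everywhere. Suggest `// Whether the NSS key slot supports EC key generation and ECDSA. Computed once in the constructor; stays false (and so keeps channel ID off) in builds where that check is not compiled.` The class definition this member belongs to starts before this hunk.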
@@ -187,9 +200,25 @@ class SSLConfigServiceManagerPref |
SSLConfigServiceManagerPref::SSLConfigServiceManagerPref( |
PrefService* local_state) |
- : ssl_config_service_(new SSLConfigServicePref()) { |
+ : channel_id_supported_(false), |
+ ssl_config_service_(new SSLConfigServicePref()) { |
DCHECK(local_state); |
+#if !defined(USE_OPENSSL) |
+ // TODO(mattm): we can do this check here only because we use the NSS internal |
+ // slot. If we support other slots in the future, checking whether they |
+ // support ECDSA may block NSS, and thus this check would have to be moved to |
+ // the NSS task runner. If we support arbitrary slots, the value may also |
Ryan Sleevi
2012/07/04 01:36:33
The comment about "the NSS task runner" is probabl
|
+ // change as devices are inserted/removed, so we would need to re-check on |
+ // every connection. |
+ crypto::EnsureNSSInit(); |
+ crypto::ScopedPK11Slot slot(crypto::ECPrivateKey::GetKeySlot()); |
+ channel_id_supported_ = PK11_DoesMechanism(slot.get(), CKM_EC_KEY_PAIR_GEN) && |
+ PK11_DoesMechanism(slot.get(), CKM_ECDSA); |
+ if (!channel_id_supported_) |
+ DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID."; |
+#endif |
+ |
rev_checking_enabled_.Init(prefs::kCertRevocationCheckingEnabled, |
local_state, this); |
ssl_version_min_.Init(prefs::kSSLVersionMin, local_state, this); |
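Review bot: The capability probe is wrapped in `#if !defined(USE_OPENSSL)`, so on OpenSSL builds `channel_id_supported_` keeps its initializer value of false and the `channel_id_supported_ &&` gate added to GetSSLConfigFromPrefs in the last hunk turns channel ID off there regardless of the pref; if that is not intended, add an `#else` branch setting `channel_id_supported_ = true;`, or a comment stating that OpenSSL builds deliberately do not get channel ID. Separately, `slot.get()` is handed straight to PK11_DoesMechanism twice; if crypto::ECPrivateKey::GetKeySlot can return NULL, the probe should guard it, e.g. `channel_id_supported_ = slot.get() && PK11_DoesMechanism(slot.get(), CKM_EC_KEY_PAIR_GEN) && PK11_DoesMechanism(slot.get(), CKM_ECDSA);`. The constructor body continues past the end of this hunk.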
@@ -279,7 +308,8 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs( |
config->version_max = std::min(supported_version_max, version_max); |
} |
config->disabled_cipher_suites = disabled_cipher_suites_; |
- config->channel_id_enabled = channel_id_enabled_.GetValue(); |
+ config->channel_id_enabled = channel_id_supported_ && |
+ channel_id_enabled_.GetValue(); |
// disabling False Start also happens to disable record splitting. |
config->false_start_enabled = !ssl_record_splitting_disabled_.GetValue(); |
SSLConfigServicePref::SetSSLConfigFlags(config); |