Chromium Code Reviews| Index: chrome/browser/net/ssl_config_service_manager_pref.cc |
| diff --git a/chrome/browser/net/ssl_config_service_manager_pref.cc b/chrome/browser/net/ssl_config_service_manager_pref.cc |
| index c8ac92714de095934a72f809b7b4a7dc7b59955c..2a3bed3818d9aa3d4e5a6105e75c1f9727b9d6f5 100644 |
| --- a/chrome/browser/net/ssl_config_service_manager_pref.cc |
| +++ b/chrome/browser/net/ssl_config_service_manager_pref.cc |
| @@ -20,6 +20,16 @@ |
| #include "net/base/ssl_cipher_suite_names.h" |
| #include "net/base/ssl_config_service.h" |
| +#if !defined(USE_OPENSSL) |
| +#include <pkcs11t.h> |
| +#endif |
| + |
| +#if !defined(USE_OPENSSL) |
|
Ryan Sleevi
2012/07/04 01:36:33
nit: Combine these two blocks into one #if, with a
|
| +#include "crypto/ec_private_key.h" |
| +#include "crypto/nss_util.h" |
| +#include "crypto/scoped_nss_types.h" |
| +#endif |
| + |
| using content::BrowserThread; |
| namespace { |
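Review bot: `<pkcs11t.h>` is an angle-bracket system header inserted after the project `"net/base/..."` includes; Chromium's include order keeps system headers in their own group ahead of the project-include block, so the guarded include belongs above it (still wrapped in `#if !defined(USE_OPENSSL)`). Note also that `<pkcs11t.h>` only supplies the `CKM_*` mechanism constants; the `PK11_DoesMechanism` call added in the constructor hunk is declared in `<pk11pub.h>`, which this hunk does not include, so it presumably reaches this file transitively (e.g. through `crypto/scoped_nss_types.h`) — worth confirming rather than relying on it.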
| @@ -180,6 +190,9 @@ class SSLConfigServiceManagerPref |
| // The cached list of disabled SSL cipher suites. |
| std::vector<uint16> disabled_cipher_suites_; |
| + // Whether channel ID is supported by the system. |
| + bool channel_id_supported_; |
| + |
| scoped_refptr<SSLConfigServicePref> ssl_config_service_; |
| DISALLOW_COPY_AND_ASSIGN(SSLConfigServiceManagerPref); |
| @@ -187,9 +200,25 @@ class SSLConfigServiceManagerPref |
| SSLConfigServiceManagerPref::SSLConfigServiceManagerPref( |
| PrefService* local_state) |
| - : ssl_config_service_(new SSLConfigServicePref()) { |
| + : channel_id_supported_(false), |
| + ssl_config_service_(new SSLConfigServicePref()) { |
| DCHECK(local_state); |
| +#if !defined(USE_OPENSSL) |
| + // TODO(mattm): we can do this check here only because we use the NSS internal |
| + // slot. If we support other slots in the future, checking whether they |
| + // support ECDSA may block NSS, and thus this check would have to be moved to |
| + // the NSS task runner. If we support arbitrary slots, the value may also |
|
Ryan Sleevi
2012/07/04 01:36:33
The comment about "the NSS task runner" is probabl
|
| + // change as devices are inserted/removed, so we would need to re-check on |
| + // every connection. |
| + crypto::EnsureNSSInit(); |
| + crypto::ScopedPK11Slot slot(crypto::ECPrivateKey::GetKeySlot()); |
| + channel_id_supported_ = PK11_DoesMechanism(slot.get(), CKM_EC_KEY_PAIR_GEN) && |
| + PK11_DoesMechanism(slot.get(), CKM_ECDSA); |
| + if (!channel_id_supported_) |
| + DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID."; |
| +#endif |
| + |
| rev_checking_enabled_.Init(prefs::kCertRevocationCheckingEnabled, |
| local_state, this); |
| ssl_version_min_.Init(prefs::kSSLVersionMin, local_state, this); |
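Review bot: On builds with USE_OPENSSL defined, `channel_id_supported_` is set to false in the initializer list and nothing inside the `#if !defined(USE_OPENSSL)` block runs, so the new `config->channel_id_enabled = channel_id_supported_ && channel_id_enabled_.GetValue();` in the `@@ -279,7 +308,8 @@` hunk disables channel ID on those builds regardless of the pref. If that is intended, say so next to the member (`// Whether channel ID is supported by the system. Always false on USE_OPENSSL builds.`); if OpenSSL builds are meant to keep channel ID, the non-NSS path needs to initialize it to true instead. Separately, `crypto::ECPrivateKey::GetKeySlot()` is passed straight to `PK11_DoesMechanism(slot.get(), ...)` without a null check; if it can return NULL, guard with `channel_id_supported_ = slot.get() && PK11_DoesMechanism(slot.get(), CKM_EC_KEY_PAIR_GEN) && PK11_DoesMechanism(slot.get(), CKM_ECDSA);`. The constructor body continues past the end of this hunk.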
| @@ -279,7 +308,8 @@ void SSLConfigServiceManagerPref::GetSSLConfigFromPrefs( |
| config->version_max = std::min(supported_version_max, version_max); |
| } |
| config->disabled_cipher_suites = disabled_cipher_suites_; |
| - config->channel_id_enabled = channel_id_enabled_.GetValue(); |
| + config->channel_id_enabled = channel_id_supported_ && |
| + channel_id_enabled_.GetValue(); |
| // disabling False Start also happens to disable record splitting. |
| config->false_start_enabled = !ssl_record_splitting_disabled_.GetValue(); |
| SSLConfigServicePref::SetSSLConfigFlags(config); |