net/socket/ssl_client_socket.h - Issue 757033004: Do not use HTTP/2 without adequate security.

Side by Side Diff: net/socket/ssl_client_socket.h

Issue 757033004: Do not use HTTP/2 without adequate security. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Add namespace qualifier to definition. Created 6 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_	5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_

6 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_	6 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_

7	7

8 #include <string>	8 #include <string>

9	9

10 #include "base/gtest_prod_util.h"	10 #include "base/gtest_prod_util.h"

(...skipping 191 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
202 bool supports_ecc);	202 bool supports_ecc);

203	203

204 // Records ConnectionType histograms for a successful SSL connection.	204 // Records ConnectionType histograms for a successful SSL connection.

205 static void RecordConnectionTypeMetrics(int ssl_version);	205 static void RecordConnectionTypeMetrics(int ssl_version);

206	206

207 // Returns whether TLS channel ID is enabled.	207 // Returns whether TLS channel ID is enabled.

208 static bool IsChannelIDEnabled(	208 static bool IsChannelIDEnabled(

209 const SSLConfig& ssl_config,	209 const SSLConfig& ssl_config,

210 ChannelIDService* channel_id_service);	210 ChannelIDService* channel_id_service);

211	211

	212 // Determine if there is at least one enabled cipher suite and TLS version

	213 // that is up to Section 9.2 of the HTTP/2 specification. Note that the
	Ryan Hamilton 2014/12/10 21:11:41 s/that is up to/that satisfies/ s/that is up to/that satisfies/ Bence 2014/12/11 16:50:49 Done. Show quoted text On 2014/12/10 21:11:41, Ryan Hamilton wrote: > s/that is up to/that satisfies/ Done.
	214 // server might still pick an inadequate cipher suite or TLS version.

	215 static bool IsSecurityAdequateForHTTP2(

	216 const SSLConfig& ssl_config,

	217 const std::vector<uint16>& cipher_suites);

	218

212 // Serializes \|next_protos\| in the wire format for ALPN: protocols are listed	219 // Serializes \|next_protos\| in the wire format for ALPN: protocols are listed

213 // in order, each prefixed by a one-byte length.	220 // in order, each prefixed by a one-byte length. Only advertises HTTP2 if

	221 // adequate cipher suites and TLS are also advertised.
	Ryan Hamilton 2014/12/10 21:11:41 Instead of talking about adequate cipher suites an Instead of talking about adequate cipher suites and TLS versions, I would just refer to \|advertise_http2\|. Or possibly consider reversing the polarity and making it \|exclude_http2\|. As currently written, if advertise_http2 = true, I might expect that that forces http2 (which it doesn't do obviously). Bence 2014/12/11 16:50:49 I decided against reversing polarity, because I do Show quoted text On 2014/12/10 21:11:41, Ryan Hamilton wrote: > Instead of talking about adequate cipher suites and TLS versions, I would just > refer to \|advertise_http2\|. Or possibly consider reversing the polarity and > making it \|exclude_http2\|. As currently written, if advertise_http2 = true, I > might expect that that forces http2 (which it doesn't do obviously). I decided against reversing polarity, because I do not want a negation like SerializeNextProtos(!IsSecurityAdequate), not do I like reversing the polarity of IsSecurityAdequate. Done.
214 static std::vector<uint8_t> SerializeNextProtos(	222 static std::vector<uint8_t> SerializeNextProtos(

215 const std::vector<std::string>& next_protos);	223 const std::vector<std::string>& next_protos,

	224 bool advertise_http2);

216	225

217 // For unit testing only.	226 // For unit testing only.

218 // Returns the unverified certificate chain as presented by server.	227 // Returns the unverified certificate chain as presented by server.

219 // Note that chain may be different than the verified chain returned by	228 // Note that chain may be different than the verified chain returned by

220 // StreamSocket::GetSSLInfo().	229 // StreamSocket::GetSSLInfo().

221 virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain()	230 virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain()

222 const = 0;	231 const = 0;

223	232

224 private:	233 private:

225 // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.	234 // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.

(...skipping 18 matching lines...) Expand all Loading...
244 bool signed_cert_timestamps_received_;	253 bool signed_cert_timestamps_received_;

245 // True if a stapled OCSP response was received.	254 // True if a stapled OCSP response was received.

246 bool stapled_ocsp_response_received_;	255 bool stapled_ocsp_response_received_;

247 // Protocol negotiation extension used.	256 // Protocol negotiation extension used.

248 SSLNegotiationExtension negotiation_extension_;	257 SSLNegotiationExtension negotiation_extension_;

249 };	258 };

250	259

251 } // namespace net	260 } // namespace net

252	261

253 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_	262 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_

OLD	NEW

« net/socket/nss_ssl_util.cc ('K') | « net/socket/nss_ssl_util.cc ('k') | net/socket/ssl_client_socket.cc » ('j') | net/socket/ssl_client_socket.cc » ('J')