Do not use HTTP/2 without adequate security.

net/socket/ssl_client_socket.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket.h"
 
 #include "base/metrics/histogram.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/strings/string_util.h"
 #include "crypto/ec_private_key.h"
 #include "net/base/connection_type_histograms.h"
 #include "net/base/host_port_pair.h"
 #include "net/ssl/channel_id_service.h"
+#include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_config_service.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 
 namespace net {
 
 SSLClientSocket::SSLClientSocket()
     : was_npn_negotiated_(false),
       was_spdy_negotiated_(false),
       protocol_negotiated_(kProtoUnknown),
       channel_id_sent_(false),
@@ skipping 203 matching lines @@
   }
   if (!channel_id_service->IsSystemTimeValid()) {
     DVLOG(1) << "System time is not within the supported range for certificate "
                 "generation, not enabling channel ID.";
     return false;
   }
   return true;
 }
 
 // static
+bool SSLClientSocket::IsSecurityAdequateForHTTP2(
+    const SSLConfig& ssl_config,
+    const std::vector<uint16>& cipher_suites) {
+  if (ssl_config.version_max < SSL_PROTOCOL_VERSION_TLS1_2)
+    return false;
+  for (uint16 cipher : cipher_suites) {
+    if (IsSecureTLSCipherSuite(cipher))
+      return true;
+  }
+  return false;
+}
+
+// static
 std::vector<uint8_t> SSLClientSocket::SerializeNextProtos(
-    const NextProtoVector& next_protos) {
-  // Do a first pass to determine the total length.
+    const NextProtoVector& next_protos,
+    bool can_advertise_http2) {
   size_t wire_length = 0;
   std::vector<std::string> next_proto_strings;
   for (const NextProto next_proto : next_protos) {
+    if (!can_advertise_http2) {
+      if (kProtoSPDY4MinimumVersion <= next_proto &&

[Ryan Hamilton, 2014/12/12 18:56:44]

nit: might as well make this a single if statement with 3 conditions.

[Bence, 2014/12/12 20:21:33]

Done.

+          next_proto <= kProtoSPDY4MaximumVersion) {
+        continue;
+      }
+    }
     const std::string proto = NextProtoToString(next_proto);
     if (proto.size() > 255) {
       LOG(WARNING) << "Ignoring overlong NPN/ALPN protocol: " << proto;
       continue;
     }
     if (proto.size() == 0) {
       LOG(WARNING) << "Ignoring empty NPN/ALPN protocol";
       continue;
     }
     next_proto_strings.push_back(proto);
     wire_length += proto.size();
     wire_length++;
   }
 
-  // Allocate memory for the result and fill it in.
   std::vector<uint8_t> wire_protos;
   wire_protos.reserve(wire_length);
   for (const std::string& proto : next_proto_strings) {
     wire_protos.push_back(proto.size());
     // TODO(bnc): Rewrite.
     wire_protos.resize(wire_protos.size() + proto.size());
     memcpy(&wire_protos[wire_protos.size() - proto.size()], proto.data(),
            proto.size());
   }
   DCHECK_EQ(wire_protos.size(), wire_length);
@@ skipping 21 matching lines @@
     } else {
       sample += 500;
     }
   } else {
     DCHECK_EQ(kExtensionALPN, negotiation_extension_);
   }
   UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLProtocolNegotiation", sample);
 }
 
 }  // namespace net