net/socket/ssl_client_socket_nss.cc - Issue 757033004: Do not use HTTP/2 without adequate security.

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 757033004: Do not use HTTP/2 without adequate security. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Remove ssl_cipher_suite_names.* from net_non_nacl_sources. Created 6 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived	5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived

6 // from AuthCertificateCallback() in	6 // from AuthCertificateCallback() in

7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.	7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.

8	8

9 /* *** BEGIN LICENSE BLOCK ***	9 /* *** BEGIN LICENSE BLOCK ***

10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1	10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1

(...skipping 955 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
966 DCHECK(OnNetworkTaskRunner());	966 DCHECK(OnNetworkTaskRunner());

967 DCHECK(!nss_fd_);	967 DCHECK(!nss_fd_);

968 DCHECK(!nss_bufs_);	968 DCHECK(!nss_bufs_);

969	969

970 nss_fd_ = socket;	970 nss_fd_ = socket;

971 nss_bufs_ = buffers;	971 nss_bufs_ = buffers;

972	972

973 SECStatus rv = SECSuccess;	973 SECStatus rv = SECSuccess;

974	974

975 if (!ssl_config_.next_protos.empty()) {	975 if (!ssl_config_.next_protos.empty()) {

976 std::vector<uint8_t> wire_protos =	976 DCHECK(NSS_IsInitialized());

977 SerializeNextProtos(ssl_config_.next_protos);	977 const std::vector<uint16> cipher_suites =

	978 GetNSSDefaultEnabledCipherSuites();

	979 std::vector<uint16> implemented_enabled_cipher_suites;

	980 // TODO(bnc): SSL_CipherPrefGet uses linear search. Consider rewriting it

	981 // using binary search, or merging the for cycle that applies

	982 // disabled_cipher_suites in SSLClientSocketNSS::InitializeSSLOptions() with

	983 // the cycle below to avoid using it.

	984 for (uint16 cipher : cipher_suites) {

	985 PRBool enabled = PR_FALSE;

	986 if (PK11_TokenExists(cipher) &&
	davidben 2014/12/12 19:45:36 We talked about this out-of-band, but to publish t We talked about this out-of-band, but to publish this comment: PK11_TokenExists takes a CK_MECHANISM_TYPE, not a cipher suite. NSS has to do other work to translate between a cipher suite to the mechanisms it needs. Unfortunately, that seems to happen pretty late. Probably simplest to only check PK11_TokenExists for AES-GCM. That's the only case that varies that we care about. Bence 2014/12/12 20:21:33 Done. Show quoted text On 2014/12/12 19:45:36, David Benjamin wrote: > We talked about this out-of-band, but to publish this comment: PK11_TokenExists > takes a CK_MECHANISM_TYPE, not a cipher suite. NSS has to do other work to > translate between a cipher suite to the mechanisms it needs. Unfortunately, that > seems to happen pretty late. > > Probably simplest to only check PK11_TokenExists for AES-GCM. That's the only > case that varies that we care about. Done.
	987 SSL_CipherPrefGet(nss_fd_, cipher, &enabled) == SECSuccess &&

	988 enabled) {

	989 implemented_enabled_cipher_suites.push_back(cipher);

	990 }

	991 }

	992 std::vector<uint8_t> wire_protos = SerializeNextProtos(

	993 ssl_config_.next_protos,

	994 IsSecurityAdequateForHTTP2(ssl_config_,

	995 implemented_enabled_cipher_suites));

978 rv = SSL_SetNextProtoNego(	996 rv = SSL_SetNextProtoNego(

979 nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0],	997 nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0],

980 wire_protos.size());	998 wire_protos.size());

981 if (rv != SECSuccess)	999 if (rv != SECSuccess)

982 LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", "");	1000 LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", "");

983 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE);	1001 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE);

984 if (rv != SECSuccess)	1002 if (rv != SECSuccess)

985 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN");	1003 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN");

986 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE);	1004 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE);

987 if (rv != SECSuccess)	1005 if (rv != SECSuccess)

(...skipping 2630 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
3618 scoped_refptr<X509Certificate>	3636 scoped_refptr<X509Certificate>

3619 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {	3637 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {

3620 return core_->state().server_cert.get();	3638 return core_->state().server_cert.get();

3621 }	3639 }

3622	3640

3623 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {	3641 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {

3624 return channel_id_service_;	3642 return channel_id_service_;

3625 }	3643 }

3626	3644

3627 } // namespace net	3645 } // namespace net

OLD	NEW

« net/socket/ssl_client_socket.cc ('K') | « net/socket/ssl_client_socket.cc ('k') | net/socket/ssl_client_socket_openssl.cc » ('j') | no next file with comments »