Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1790)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/socket/ssl_client_socket.cc

Issue 757033004: Do not use HTTP/2 without adequate security. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Rebase on https://crrev.com/794563003. Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/socket/ssl_client_socket.h ('k') | net/socket/ssl_client_socket_nss.cc » ('j') | net/socket/ssl_client_socket_nss.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/socket/ssl_client_socket.cc
diff --git a/net/socket/ssl_client_socket.cc b/net/socket/ssl_client_socket.cc
index f6b9b895fa853410be2c8ed7d6fb9a3ff39ab726..51772360772087d9d675a0d78e9d1398d2aa9907 100644
--- a/net/socket/ssl_client_socket.cc
+++ b/net/socket/ssl_client_socket.cc
@@ -11,6 +11,7 @@
#include "net/base/connection_type_histograms.h"
#include "net/base/host_port_pair.h"
#include "net/ssl/channel_id_service.h"
+#include "net/ssl/ssl_cipher_suite_names.h"
#include "net/ssl/ssl_config_service.h"
#include "net/ssl/ssl_connection_status_flags.h"
@@ -234,12 +235,31 @@ bool SSLClientSocket::IsChannelIDEnabled(
}
// static
+bool SSLClientSocket::IsSecurityAdequateForHTTP2(
+ const SSLConfig& ssl_config,
+ const std::vector<uint16>& cipher_suites) {
+ if (ssl_config.version_max < SSL_PROTOCOL_VERSION_TLS1_2)
+ return false;
+ for (uint16 cipher : cipher_suites) {
+ if (IsSecureTLSCipherSuite(cipher))
+ return true;
+ }
+ return false;
+}
+
+// static
std::vector<uint8_t> SSLClientSocket::SerializeNextProtos(
- const NextProtoVector& next_protos) {
- // Do a first pass to determine the total length.
+ const NextProtoVector& next_protos,
+ bool can_advertise_http2) {
size_t wire_length = 0;
std::vector<std::string> next_proto_strings;
for (const NextProto next_proto : next_protos) {
+ if (!can_advertise_http2) {
+ if (kProtoSPDY4MinimumVersion <= next_proto &&
+ next_proto <= kProtoSPDY4MaximumVersion) {
Bence 2014/12/11 16:50:49 Ryan: do I need to use curly braces if the stateme
Ryan Hamilton 2014/12/11 20:06:09 Yes, that's the convention. I'm not sure this is o
Bence 2014/12/12 15:49:24 Acknowledged.
+ continue;
+ }
+ }
const std::string proto = NextProtoToString(next_proto);
if (proto.size() > 255) {
LOG(WARNING) << "Ignoring overlong NPN/ALPN protocol: " << proto;
@@ -254,7 +274,6 @@ std::vector<uint8_t> SSLClientSocket::SerializeNextProtos(
wire_length++;
}
- // Allocate memory for the result and fill it in.
std::vector<uint8_t> wire_protos;
wire_protos.reserve(wire_length);
for (const std::string& proto : next_proto_strings) {
« no previous file with comments | « net/socket/ssl_client_socket.h ('k') | net/socket/ssl_client_socket_nss.cc » ('j') | net/socket/ssl_client_socket_nss.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698