Chromium Code Reviews Chromium Code Reviews
Issue 757033004:
Do not use HTTP/2 without adequate security. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: net/socket/ssl_client_socket_nss.cc |
| diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc |
| index 3651e8d62466696169433993af5f4cd92d62b67b..a209dd3e6fb66e3f566a4ddc9bb179b2a31df7a9 100644 |
| --- a/net/socket/ssl_client_socket_nss.cc |
| +++ b/net/socket/ssl_client_socket_nss.cc |
| @@ -973,8 +973,26 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket, |
| SECStatus rv = SECSuccess; |
| if (!ssl_config_.next_protos.empty()) { |
| - std::vector<uint8_t> wire_protos = |
| - SerializeNextProtos(ssl_config_.next_protos); |
| + DCHECK(NSS_IsInitialized()); |
| + const std::vector<uint16> cipher_suites = |
| + GetNSSDefaultEnabledCipherSuites(); |
| + std::vector<uint16> implemented_enabled_cipher_suites; |
| + // TODO(bnc): SSL_CipherPrefGet uses linear search. Consider rewriting it |
| + // using binary search, or merging the for cycle that applies |
| + // disabled_cipher_suites in SSLClientSocketNSS::InitializeSSLOptions() with |
| + // the cycle below to avoid using it. |
| + for (uint16 cipher : cipher_suites) { |
| + PRBool enabled = PR_FALSE; |
| + if (PK11_TokenExists(cipher) && |
|
davidben
2014/12/12 19:45:36
We talked about this out-of-band, but to publish t
Bence
2014/12/12 20:21:33
Done.
|
| + SSL_CipherPrefGet(nss_fd_, cipher, &enabled) == SECSuccess && |
| + enabled) { |
| + implemented_enabled_cipher_suites.push_back(cipher); |
| + } |
| + } |
| + std::vector<uint8_t> wire_protos = SerializeNextProtos( |
| + ssl_config_.next_protos, |
| + IsSecurityAdequateForHTTP2(ssl_config_, |
| + implemented_enabled_cipher_suites)); |
| rv = SSL_SetNextProtoNego( |
| nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0], |
| wire_protos.size()); |
