Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(527)

Unified Diff: net/socket/ssl_client_socket_nss.cc

Issue 757033004: Do not use HTTP/2 without adequate security. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Update function call in test. Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 3651e8d62466696169433993af5f4cd92d62b67b..0c97442c1a754f056338d4276e1856d875f36dbe 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -972,9 +972,17 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
SECStatus rv = SECSuccess;
+#if !defined(CKM_AES_GCM)
+#define CKM_AES_GCM 0x00001087
+#endif
Ryan Sleevi 2014/12/12 21:33:28 Don't mix #defines in bodies like this. This block
Bence 2014/12/12 22:08:43 Done.
+
if (!ssl_config_.next_protos.empty()) {
- std::vector<uint8_t> wire_protos =
- SerializeNextProtos(ssl_config_.next_protos);
+ // On platforms using NSS, AES-GCM is the only mechanism that satisfies the
+ // security requirements of HTTP/2.
+ // TODO(bnc): Check if ssl_config_.disabled_cipher_suites contains all
+ // AES-GCM ciphersuites.
+ std::vector<uint8_t> wire_protos = SerializeNextProtos(
+ ssl_config_.next_protos, PK11_TokenExists(CKM_AES_GCM));
Ryan Sleevi 2014/12/12 21:33:28 I'm fine with the simplified form - the death of N
davidben 2014/12/12 21:56:22 Wait, seriously, we can't do ECDH on Fedora, Red H
Bence 2014/12/12 22:08:43 Done.
rv = SSL_SetNextProtoNego(
nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0],
wire_protos.size());

Powered by Google App Engine
This is Rietveld 408576698