1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived | 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived |
6 // from AuthCertificateCallback() in | 6 // from AuthCertificateCallback() in |
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. | 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. |
8 | 8 |
9 /* ***** BEGIN LICENSE BLOCK ***** | 9 /* ***** BEGIN LICENSE BLOCK ***** |
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
142 #define LeaveFunction(x)\ | 142 #define LeaveFunction(x)\ |
143 VLOG(1) << (void *)this << " " << __FUNCTION__ << " leave " << x\ | 143 VLOG(1) << (void *)this << " " << __FUNCTION__ << " leave " << x\ |
144 << "; next_handshake_state " << next_handshake_state_ | 144 << "; next_handshake_state " << next_handshake_state_ |
145 #define GotoState(s)\ | 145 #define GotoState(s)\ |
146 do {\ | 146 do {\ |
147 VLOG(1) << (void *)this << " " << __FUNCTION__ << " jump to state " << s;\ | 147 VLOG(1) << (void *)this << " " << __FUNCTION__ << " jump to state " << s;\ |
148 next_handshake_state_ = s;\ | 148 next_handshake_state_ = s;\ |
149 } while (0) | 149 } while (0) |
150 #endif | 150 #endif |
151 | 151 |
| 152 #if !defined(CKM_AES_GCM) |
| 153 #define CKM_AES_GCM 0x00001087 |
| 154 #endif |
| 155 |
| 156 #if !defined(CKM_NSS_CHACHA20_POLY1305) |
| 157 #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26) |
| 158 #endif |
| 159 |
152 namespace { | 160 namespace { |
153 | 161 |
154 // SSL plaintext fragments are shorter than 16KB. Although the record layer | 162 // SSL plaintext fragments are shorter than 16KB. Although the record layer |
155 // overhead is allowed to be 2K + 5 bytes, in practice the overhead is much | 163 // overhead is allowed to be 2K + 5 bytes, in practice the overhead is much |
156 // smaller than 1KB. So a 17KB buffer should be large enough to hold an | 164 // smaller than 1KB. So a 17KB buffer should be large enough to hold an |
157 // entire SSL record. | 165 // entire SSL record. |
158 const int kRecvBufferSize = 17 * 1024; | 166 const int kRecvBufferSize = 17 * 1024; |
159 const int kSendBufferSize = 17 * 1024; | 167 const int kSendBufferSize = 17 * 1024; |
160 | 168 |
161 // Used by SSLClientSocketNSS::Core to indicate there is no read result | 169 // Used by SSLClientSocketNSS::Core to indicate there is no read result |
966 DCHECK(OnNetworkTaskRunner()); | 974 DCHECK(OnNetworkTaskRunner()); |
967 DCHECK(!nss_fd_); | 975 DCHECK(!nss_fd_); |
968 DCHECK(!nss_bufs_); | 976 DCHECK(!nss_bufs_); |
969 | 977 |
970 nss_fd_ = socket; | 978 nss_fd_ = socket; |
971 nss_bufs_ = buffers; | 979 nss_bufs_ = buffers; |
972 | 980 |
973 SECStatus rv = SECSuccess; | 981 SECStatus rv = SECSuccess; |
974 | 982 |
975 if (!ssl_config_.next_protos.empty()) { | 983 if (!ssl_config_.next_protos.empty()) { |
| 984 // TODO(bnc): Check ssl_config_.disabled_cipher_suites. |
| 985 const bool adequate_encryption = |
| 986 PK11_TokenExists(CKM_AES_GCM) || |
| 987 PK11_TokenExists(CKM_NSS_CHACHA20_POLY1305); |
| 988 const bool adequate_key_agreement = PK11_TokenExists(CKM_DH_PKCS_DERIVE) || |
| 989 PK11_TokenExists(CKM_ECDH1_DERIVE); |
976 std::vector<uint8_t> wire_protos = | 990 std::vector<uint8_t> wire_protos = |
977 SerializeNextProtos(ssl_config_.next_protos); | 991 SerializeNextProtos(ssl_config_.next_protos, |
| 992 adequate_encryption && adequate_key_agreement && |
| 993 IsTLSVersionAdequateForHTTP2(ssl_config_)); |
978 rv = SSL_SetNextProtoNego( | 994 rv = SSL_SetNextProtoNego( |
979 nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0], | 995 nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0], |
980 wire_protos.size()); | 996 wire_protos.size()); |
981 if (rv != SECSuccess) | 997 if (rv != SECSuccess) |
982 LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", ""); | 998 LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", ""); |
983 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE); | 999 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE); |
984 if (rv != SECSuccess) | 1000 if (rv != SECSuccess) |
985 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN"); | 1001 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN"); |
986 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE); | 1002 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE); |
987 if (rv != SECSuccess) | 1003 if (rv != SECSuccess) |
3618 scoped_refptr<X509Certificate> | 3634 scoped_refptr<X509Certificate> |
3619 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { | 3635 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { |
3620 return core_->state().server_cert.get(); | 3636 return core_->state().server_cert.get(); |
3621 } | 3637 } |
3622 | 3638 |
3623 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { | 3639 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { |
3624 return channel_id_service_; | 3640 return channel_id_service_; |
3625 } | 3641 } |
3626 | 3642 |
3627 } // namespace net | 3643 } // namespace net |
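Review bot: The `adequate_encryption` / `adequate_key_agreement` checks (new lines 985–989) test only whether some PK11 token implements the AEAD and key-agreement mechanisms, not whether a cipher suite using them is actually enabled for this socket, so h2 can still be advertised when `ssl_config_.disabled_cipher_suites` (the TODO on line 984) or NSS's own cipher preferences have removed every AEAD/ephemeral suite, and a peer may then reject the connection under RFC 7540 Section 9.2.2. Until that TODO is resolved, the intent should be stated at the declaration, e.g. `// RFC 7540 Section 9.2.2: only advertise h2 if an AEAD cipher and an ephemeral key exchange can be negotiated; token support is necessary but not sufficient.` The function containing these lines begins and ends outside the hunk.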