initial version

1 files changed, 35 insertions, 0 deletions

diff --git a/mozbug1323209.patch b/mozbug1323209.patch
new file mode 100644
index 000000000000..92c1376aeb87
--- /dev/null
+++ b/mozbug1323209.patch
@@ -0,0 +1,35 @@
+
+# HG changeset patch
+# User Franziskus Kiefer <franziskuskiefer@gmail.com>
+# Date 1469717280 -7200
+# Node ID 361ac226da2a83516db8d4e4c5b41a69b3ba754f
+# Parent  5d5d3ef04f3f77bb95616f56c129256a89f57831
+Bug 1290037 - Update keybits in H2, r=mt
+
+MozReview-Commit-ID: 35oWoDMqe1Y
+
+diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp
+--- a/netwerk/protocol/http/Http2Session.cpp
++++ b/netwerk/protocol/http/Http2Session.cpp
+@@ -3544,18 +3544,18 @@ Http2Session::ConfirmTLSProfile()
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+   }
+ 
+   uint32_t keybits = ssl->GetKEAKeyBits();
+   if (kea == ssl_kea_dh && keybits < 2048) {
+     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+-  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
+-    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
++  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
++    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+   }
+ 
+   int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
+   LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
+         this, macAlgorithm));
+   if (macAlgorithm != nsISSLSocketControl::SSL_MAC_AEAD) {
+