| Index: crypto/nss_util.h |
| diff --git a/crypto/nss_util.h b/crypto/nss_util.h |
| index 9e09d6db47eb390c2246ed2f3c81d13f3820bab8..25043f973b226445da2e8d46ba7eb9782956ba7b 100644 |
| --- a/crypto/nss_util.h |
| +++ b/crypto/nss_util.h |
| @@ -36,6 +36,16 @@ CRYPTO_EXPORT void EarlySetupForNSSInit(); |
| // thread-safe, and NSPR will only ever be initialized once. |
| CRYPTO_EXPORT void EnsureNSPRInit(); |
| +// Initialize NSS safely for strict sandboxing. This function makes sure that |
| +// NSS is initialized safely and will have proper entropy in a restricted, |
| +// sandboxed environment. |
|
wtc
2012/11/21 00:28:21
Why do you call this "WarmUp" as opposed to "Init"
|
| +// |
| +// As a defense in depth measure, this function should be called in a sandboxed |
| +// environment to make sure NSS will not load security modules that could |
| +// expose private data and keys. Make sure to get an LGTM from Security |
| +// if you use this. |
|
wtc
2012/11/21 00:28:21
"Make sure to get an LGTM from Security if you use
|
| +CRYPTO_EXPORT void WarmUpNSSSafely(); |
| + |
| // Initialize NSS if it isn't already initialized. This must be called before |
| // any other NSS functions. This function is thread-safe, and NSS will only |
| // ever be initialized once. |
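Review bot: The new comment on `WarmUpNSSSafely()` leaves out the ordering contract that its defense-in-depth claim depends on. "Should be called in a sandboxed environment" can mean either inside an already engaged sandbox or in a process that will be sandboxed later, and the entropy guarantee presumably depends on which. The comment also does not say what happens if `EnsureNSSInit()` has already run and loaded user security modules, or whether the call is thread-safe and once-only, as the neighbouring `EnsureNSPRInit()` and `EnsureNSSInit()` comments do. Once confirmed against the implementation, which is not visible in this header, I would add a line such as `// Must be called before the sandbox is engaged and before any EnsureNSSInit() call; it does not unload modules that are already loaded.`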
| @@ -58,7 +68,7 @@ CRYPTO_EXPORT void EnsureNSSInit(); |
| // WARNING: Use this with caution. |
| CRYPTO_EXPORT void ForceNSSNoDBInit(); |
| -// This methods is used to disable checks in NSS when used in a forked process. |
| +// This method is used to disable checks in NSS when used in a forked process. |
| // NSS checks whether it is running a forked process to avoid problems when |
| // using user security modules in a forked process. However if we are sure |
| // there are no modules loaded before the process is forked then there is no |