net/socket/nss_ssl_util.cc - Issue 10830326: net: disable ECDSA ciphersuites on platforms where we can't support it.

Side by Side Diff: net/socket/nss_ssl_util.cc

Issue 10830326: net: disable ECDSA ciphersuites on platforms where we can't support it. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: ... Created 8 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/socket/nss_ssl_util.h"	5 #include "net/socket/nss_ssl_util.h"

6	6

7 #include <nss.h>	7 #include <nss.h>

8 #include <secerr.h>	8 #include <secerr.h>

9 #include <ssl.h>	9 #include <ssl.h>

10 #include <sslerr.h>	10 #include <sslerr.h>

11	11

12 #include <string>	12 #include <string>

13	13

14 #include "base/bind.h"	14 #include "base/bind.h"

15 #include "base/lazy_instance.h"	15 #include "base/lazy_instance.h"

16 #include "base/logging.h"	16 #include "base/logging.h"

17 #include "base/memory/singleton.h"	17 #include "base/memory/singleton.h"

18 #include "base/threading/thread_restrictions.h"	18 #include "base/threading/thread_restrictions.h"

19 #include "base/values.h"	19 #include "base/values.h"

	20 #include "build/build_config.h"

20 #include "crypto/nss_util.h"	21 #include "crypto/nss_util.h"

21 #include "net/base/net_errors.h"	22 #include "net/base/net_errors.h"

22 #include "net/base/net_log.h"	23 #include "net/base/net_log.h"

23	24

	25 #if defined(OS_WIN)

	26 #include "base/win/windows_version.h"

	27 #elif defined(OS_MACOSX)

	28 #include "base/mac/mac_util.h"

	29 #endif

	30

24 namespace net {	31 namespace net {

25	32

26 class NSSSSLInitSingleton {	33 class NSSSSLInitSingleton {

27 public:	34 public:

28 NSSSSLInitSingleton() {	35 NSSSSLInitSingleton() {

29 crypto::EnsureNSSInit();	36 crypto::EnsureNSSInit();

30	37

31 NSS_SetDomesticPolicy();	38 NSS_SetDomesticPolicy();

32	39

33 #if defined(USE_SYSTEM_SSL)	40 #if defined(USE_SYSTEM_SSL)

(...skipping 19 matching lines...) Expand all Loading...
53 if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info,	60 if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info,

54 sizeof(info)) == SECSuccess) {	61 sizeof(info)) == SECSuccess) {

55 SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i],	62 SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i],

56 (info.effectiveKeyBits >= 80));	63 (info.effectiveKeyBits >= 80));

57 }	64 }

58 }	65 }

59	66

60 // Enable SSL.	67 // Enable SSL.

61 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);	68 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);

62	69

	70 // On some platforms we cannot verify ECDSA certificates.
	Ryan Sleevi 2012/08/15 01:12:07 nit: Suggested re-word to drop the "we" (a pet nit nit: Suggested re-word to drop the "we" (a pet nit of Mark's that I've inherited), but also provide context why this is, since normally the two statements would be unrelated. // On platforms that do not support ECDSA signed certificates, // disable ECDSA cipher suites, as servers may use the presence // of such ciphersuites as a hint to send an ECDSA certificate. agl 2012/08/15 01:36:29 Done. (And have reworked the ssl_config_service.h Show quoted text On 2012/08/15 01:12:07, Ryan Sleevi wrote: > nit: Suggested re-word to drop the "we" (a pet nit of Mark's that I've > inherited), but also provide context why this is, since normally the two > statements would be unrelated. > > // On platforms that do not support ECDSA signed certificates, > // disable ECDSA cipher suites, as servers may use the presence > // of such ciphersuites as a hint to send an ECDSA certificate. Done. (And have reworked the ssl_config_service.h comment similarly.)
	71 #if defined(OS_WIN)

	72 if (base::win::GetVersion() < base::win::VERSION_VISTA) {

	73 DisableECDSA();

	74 }

	75 #elif defined(OS_MACOSX)

	76 if (!base::mac::IsOSSnowLeopardOrLater()) {

	77 DisableECDSA();

	78 }

	79 #endif

	80

63 // All other SSL options are set per-session by SSLClientSocket and	81 // All other SSL options are set per-session by SSLClientSocket and

64 // SSLServerSocket.	82 // SSLServerSocket.

65 }	83 }

66	84

67 ~NSSSSLInitSingleton() {	85 ~NSSSSLInitSingleton() {

68 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.	86 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.

69 SSL_ClearSessionCache();	87 SSL_ClearSessionCache();

70 }	88 }

	89

	90 void DisableECDSA() {

	91 const PRUint16* ciphersuites = SSL_GetImplementedCiphers();

	92 const unsigned num_ciphersuites = SSL_GetNumImplementedCiphers();

	93 SECStatus rv;

	94 SSLCipherSuiteInfo info;

	95

	96 for (unsigned i = 0; i < num_ciphersuites; i++) {

	97 rv = SSL_GetCipherSuiteInfo(ciphersuites[i], &info, sizeof(info));

	98 if (rv != SECSuccess) {

	99 LOG(ERROR) << "SSL_GetCipherSuiteInfo failed";

	100 break;
	Ryan Sleevi 2012/08/15 01:12:07 break or continue? If continue, you can probably break or continue? If continue, you can probably just rewrite if (rv == SECSuccess && info.authAlgorithm == ...) SSL_CipherPrefSetDefault(..., PR_FALSE); agl 2012/08/15 01:36:29 I did mean break, but less code is better. Show quoted text On 2012/08/15 01:12:07, Ryan Sleevi wrote: > break or continue? > > If continue, you can probably just rewrite > if (rv == SECSuccess && info.authAlgorithm == ...) > SSL_CipherPrefSetDefault(..., PR_FALSE); I did mean break, but less code is better.
	101 }

	102 if (info.authAlgorithm == ssl_auth_ecdsa) {

	103 SSL_CipherPrefSetDefault(ciphersuites[i], PR_FALSE);

	104 }
	Ryan Sleevi 2012/08/15 01:12:07 nit: lose the braces for the one-line if here nit: lose the braces for the one-line if here agl 2012/08/15 01:36:29 So many different micro-styles... :) Show quoted text On 2012/08/15 01:12:07, Ryan Sleevi wrote: > nit: lose the braces for the one-line if here So many different micro-styles... :)
	105 }

	106 }

71 };	107 };

72	108

73 static base::LazyInstance<NSSSSLInitSingleton> g_nss_ssl_init_singleton =	109 static base::LazyInstance<NSSSSLInitSingleton> g_nss_ssl_init_singleton =

74 LAZY_INSTANCE_INITIALIZER;	110 LAZY_INSTANCE_INITIALIZER;

75	111

76 // Initialize the NSS SSL library if it isn't already initialized. This must	112 // Initialize the NSS SSL library if it isn't already initialized. This must

77 // be called before any other NSS SSL functions. This function is	113 // be called before any other NSS SSL functions. This function is

78 // thread-safe, and the NSS SSL library will only ever be initialized once.	114 // thread-safe, and the NSS SSL library will only ever be initialized once.

79 // The NSS SSL library will be properly shut down on program exit.	115 // The NSS SSL library will be properly shut down on program exit.

80 void EnsureNSSSSLInit() {	116 void EnsureNSSSSLInit() {

(...skipping 161 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
242 const char* param) {	278 const char* param) {

243 DCHECK(function);	279 DCHECK(function);

244 DCHECK(param);	280 DCHECK(param);

245 net_log.AddEvent(	281 net_log.AddEvent(

246 NetLog::TYPE_SSL_NSS_ERROR,	282 NetLog::TYPE_SSL_NSS_ERROR,

247 base::Bind(&NetLogSSLFailedNSSFunctionCallback,	283 base::Bind(&NetLogSSLFailedNSSFunctionCallback,

248 function, param, PR_GetError()));	284 function, param, PR_GetError()));

249 }	285 }

250	286

251 } // namespace net	287 } // namespace net

OLD	NEW

« no previous file with comments | « net/base/ssl_config_service.h ('k') | no next file » | no next file with comments »