Side by Side Diff: net/socket/nss_ssl_util.cc

Issue 10830326: net: disable ECDSA ciphersuites on platforms where we can't support it. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 4 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/socket/nss_ssl_util.h" 5 #include "net/socket/nss_ssl_util.h"
6 6
7 #include <nss.h> 7 #include <nss.h>
8 #include <secerr.h> 8 #include <secerr.h>
9 #include <ssl.h> 9 #include <ssl.h>
10 #include <sslerr.h> 10 #include <sslerr.h>
11 11
12 #include <string> 12 #include <string>
13 13
14 #include "base/bind.h" 14 #include "base/bind.h"
15 #include "base/lazy_instance.h" 15 #include "base/lazy_instance.h"
16 #include "base/logging.h" 16 #include "base/logging.h"
17 #include "base/memory/singleton.h" 17 #include "base/memory/singleton.h"
18 #include "base/threading/thread_restrictions.h" 18 #include "base/threading/thread_restrictions.h"
19 #include "base/values.h" 19 #include "base/values.h"
20 #include "build/build_config.h"
20 #include "crypto/nss_util.h" 21 #include "crypto/nss_util.h"
21 #include "net/base/net_errors.h" 22 #include "net/base/net_errors.h"
22 #include "net/base/net_log.h" 23 #include "net/base/net_log.h"
23 24
25 #if defined(OS_WIN)
26 #include "base/win/windows_version.h"
27 #elif defined(OS_MACOSX)
28 #include "base/mac/mac_util.h"
29 #endif
30
Mark Mentovai 2012/08/15 02:33:48 Alternative B, if you’re intent on landing this on
24 namespace net { 31 namespace net {
25 32
26 class NSSSSLInitSingleton { 33 class NSSSSLInitSingleton {
27 public: 34 public:
28 NSSSSLInitSingleton() { 35 NSSSSLInitSingleton() {
29 crypto::EnsureNSSInit(); 36 crypto::EnsureNSSInit();
30 37
31 NSS_SetDomesticPolicy(); 38 NSS_SetDomesticPolicy();
32 39
33 #if defined(USE_SYSTEM_SSL) 40 #if defined(USE_SYSTEM_SSL)
(...skipping 19 matching lines...) Expand all
53 if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info, 60 if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info,
54 sizeof(info)) == SECSuccess) { 61 sizeof(info)) == SECSuccess) {
55 SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i], 62 SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i],
56 (info.effectiveKeyBits >= 80)); 63 (info.effectiveKeyBits >= 80));
57 } 64 }
58 } 65 }
59 66
60 // Enable SSL. 67 // Enable SSL.
61 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); 68 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
62 69
70 // Disable ECDSA cipher suites on platforms that do not support ECDSA
71 // signed certificates, as servers may use the presence of such
72 // ciphersuites as a hint to send an ECDSA certificate.
73 #if defined(OS_WIN)
74 if (base::win::GetVersion() < base::win::VERSION_VISTA) {
Ryan Sleevi 2012/08/15 01:45:35 nit on the braces here ;)
75 DisableECDSA();
76 }
77 #elif defined(OS_MACOSX)
78 if (!base::mac::IsOSSnowLeopardOrLater()) {
Mark Mentovai 2012/08/15 02:19:22 We’ve removed all 10.5-specific code on the trunk.
79 DisableECDSA();
80 }
81 #endif
82
63 // All other SSL options are set per-session by SSLClientSocket and 83 // All other SSL options are set per-session by SSLClientSocket and
64 // SSLServerSocket. 84 // SSLServerSocket.
65 } 85 }
66 86
67 ~NSSSSLInitSingleton() { 87 ~NSSSSLInitSingleton() {
68 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY. 88 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.
69 SSL_ClearSessionCache(); 89 SSL_ClearSessionCache();
70 } 90 }
91
92 void DisableECDSA() {
93 const PRUint16* ciphersuites = SSL_GetImplementedCiphers();
94 const unsigned num_ciphersuites = SSL_GetNumImplementedCiphers();
95 SECStatus rv;
96 SSLCipherSuiteInfo info;
97
98 for (unsigned i = 0; i < num_ciphersuites; i++) {
wtc 2012/08/15 02:38:42 You should merge this for loop with the existing f
99 rv = SSL_GetCipherSuiteInfo(ciphersuites[i], &info, sizeof(info));
100 if (rv == SECSuccess && info.authAlgorithm == ssl_auth_ecdsa)
101 SSL_CipherPrefSetDefault(ciphersuites[i], PR_FALSE);
102 }
103 }
71 }; 104 };
72 105
73 static base::LazyInstance<NSSSSLInitSingleton> g_nss_ssl_init_singleton = 106 static base::LazyInstance<NSSSSLInitSingleton> g_nss_ssl_init_singleton =
74 LAZY_INSTANCE_INITIALIZER; 107 LAZY_INSTANCE_INITIALIZER;
75 108
76 // Initialize the NSS SSL library if it isn't already initialized. This must 109 // Initialize the NSS SSL library if it isn't already initialized. This must
77 // be called before any other NSS SSL functions. This function is 110 // be called before any other NSS SSL functions. This function is
78 // thread-safe, and the NSS SSL library will only ever be initialized once. 111 // thread-safe, and the NSS SSL library will only ever be initialized once.
79 // The NSS SSL library will be properly shut down on program exit. 112 // The NSS SSL library will be properly shut down on program exit.
80 void EnsureNSSSSLInit() { 113 void EnsureNSSSSLInit() {
(...skipping 161 matching lines...) Expand 10 before | Expand all | Expand 10 after
242 const char* param) { 275 const char* param) {
243 DCHECK(function); 276 DCHECK(function);
244 DCHECK(param); 277 DCHECK(param);
245 net_log.AddEvent( 278 net_log.AddEvent(
246 NetLog::TYPE_SSL_NSS_ERROR, 279 NetLog::TYPE_SSL_NSS_ERROR,
247 base::Bind(&NetLogSSLFailedNSSFunctionCallback, 280 base::Bind(&NetLogSSLFailedNSSFunctionCallback,
248 function, param, PR_GetError())); 281 function, param, PR_GetError()));
249 } 282 }
250 283
251 } // namespace net 284 } // namespace net
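Review bot: In `DisableECDSA` (new lines 92-103) the result of `SSL_CipherPrefSetDefault` is discarded, so a suite that NSS fails to disable silently stays advertised, which is exactly the situation the comment at new lines 70-72 is trying to avoid; I would check it, e.g. `if (SSL_CipherPrefSetDefault(ciphersuites[i], PR_FALSE) != SECSuccess) LOG(WARNING) << "Failed to disable ECDSA cipher suite " << ciphersuites[i];` (base/logging.h is already included). A failing `SSL_GetCipherSuiteInfo` is likewise skipped without a trace, leaving that suite at whatever the earlier effectiveKeyBits loop set for it. Note also that this only changes the process-wide default; if per-socket code later applies an SSLConfig cipher list with `SSL_CipherPrefSet`, that could re-enable ECDSA suites on these platforms, which is worth confirming against SSLClientSocketNSS since this review also touches net/base/ssl_config_service.h. `DisableECDSA` is declared under `public:` but is only called from the constructor, so making it private keeps the singleton's interface minimal. Nineteen lines of the constructor between new lines 40 and 60 are collapsed in this view, so anything there that also touches cipher preferences is not reviewed here.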