
Unified Diff: net/socket/ssl_client_socket_nss.cc

Issue 10830326: net: disable ECDSA ciphersuites on platforms where we can't support it. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 4 months ago
Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 21089d521b3b5d59c87261688933dfa0778fe34b..f6ffc0a17d125dabb50f5b42e98762de1ddba453 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -108,11 +108,13 @@
#if defined(OS_WIN)
#include <windows.h>
#include <wincrypt.h>
+#include "base/win/windows_version.h"
#elif defined(OS_MACOSX)
#include <Security/SecBase.h>
#include <Security/SecCertificate.h>
#include <Security/SecIdentity.h>
#include "base/mac/mac_logging.h"
+#include "base/mac/mac_util.h"
#elif defined(USE_NSS)
#include <dlfcn.h>
#endif
@@ -3114,6 +3116,17 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE);
}
+ // On some platforms we cannot verify ECDSA certificates.
+#if defined(OS_WIN)
+ if (base::win::GetVersion() < base::win::VISTA) {
+ DisableECDSA();
+ }
+#elif defined(OS_MACOSX)
+ if (!base::mac::IsOSSnowLeopardOrLater()) {
+ DisableECDSA();
+ }
+#endif
Ryan Sleevi 2012/08/15 00:40:27 Seems like you can move this into NSSSSLInitSingle
agl 2012/08/15 01:06:20 Good point, there's a SetDefault function too. Don
+
#ifdef SSL_ENABLE_SESSION_TICKETS
// Support RFC 5077
rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
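Review bot: The comment heading the new `#if` block says only that "some platforms" cannot verify ECDSA certificates, so a reader cannot tell which component is the limitation or when the `< base::win::VISTA` and `!IsOSSnowLeopardOrLater()` gates become dead code. I would state the versions and the intent explicitly: `// Windows before Vista and Mac OS X before 10.6 cannot verify ECDSA certificates, so never offer ECDSA cipher suites there (a handshake that negotiated one would only fail later, at verification); drop this once those versions are unsupported.` If the limitation is in the OS certificate verifier specifically (that is my reading, not something the hunk shows), naming it in the comment makes the removal condition concrete. The enclosing InitializeSSLOptions() starts and ends outside this hunk.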
@@ -3510,6 +3523,25 @@ bool SSLClientSocketNSS::CalledOnValidThread() const {
return valid_thread_id_ == base::PlatformThread::CurrentId();
}
+void SSLClientSocketNSS::DisableECDSA() {
+ const PRUint16* ciphersuites = SSL_GetImplementedCiphers();
+ const unsigned num_ciphersuites = SSL_GetNumImplementedCiphers();
+ SECStatus rv;
+ SSLCipherSuiteInfo info;
+
+ for (unsigned i = 0; i < num_ciphersuites; i++) {
+ rv = SSL_GetCipherSuiteInfo(ciphersuites[i], &info, sizeof(info));
+ if (rv != SECSuccess) {
+ LogFailedNSSFunction(net_log_, "SSL_GetCipherSuiteInfo", "");
+ LOG(ERROR) << "SSL_GetCipherSuiteInfo failed";
+ break;
+ }
+ if (info.authAlgorithm == ssl_auth_ecdsa) {
+ SSL_CipherPrefSet(nss_fd_, ciphersuites[i], PR_FALSE);
+ }
+ }
+}
+
ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
return server_bound_cert_service_;
}
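Review bot: DisableECDSA() fails open: when SSL_GetCipherSuiteInfo() fails, the error branch `break`s out of the loop, so every ECDSA suite later in the implemented-ciphers list stays enabled on exactly the platforms where ECDSA certificates cannot be verified. Skipping only the suite that could not be inspected keeps the rest of the disabling effective, so that branch should end with `continue;` instead of `break;`. The result of `SSL_CipherPrefSet(nss_fd_, ciphersuites[i], PR_FALSE)` is also discarded; that matches the existing loop earlier in InitializeSSLOptions(), but since a silently failed pref leaves a suite negotiable, logging it through LogFailedNSSFunction like the SSL_GetCipherSuiteInfo failure would be consistent with the rest of this function. The `LOG(ERROR)` immediately after LogFailedNSSFunction records the same failure twice and can be dropped.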
