OLD | NEW |
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/nss_ssl_util.h" | 5 #include "net/socket/nss_ssl_util.h" |
6 | 6 |
7 #include <nss.h> | 7 #include <nss.h> |
8 #include <secerr.h> | 8 #include <secerr.h> |
9 #include <ssl.h> | 9 #include <ssl.h> |
10 #include <sslerr.h> | 10 #include <sslerr.h> |
(...skipping 28 matching lines...) Expand all Loading... |
39 const PRUint16* pSSL_ImplementedCiphers = static_cast<const PRUint16*>( | 39 const PRUint16* pSSL_ImplementedCiphers = static_cast<const PRUint16*>( |
40 dlsym(RTLD_DEFAULT, "SSL_ImplementedCiphers")); | 40 dlsym(RTLD_DEFAULT, "SSL_ImplementedCiphers")); |
41 if (pSSL_ImplementedCiphers == NULL) { | 41 if (pSSL_ImplementedCiphers == NULL) { |
42 NOTREACHED() << "Can't get list of supported ciphers"; | 42 NOTREACHED() << "Can't get list of supported ciphers"; |
43 return; | 43 return; |
44 } | 44 } |
45 #else | 45 #else |
46 #define pSSL_ImplementedCiphers SSL_ImplementedCiphers | 46 #define pSSL_ImplementedCiphers SSL_ImplementedCiphers |
47 #endif | 47 #endif |
48 | 48 |
49 // Explicitly enable exactly those ciphers with keys of at least 80 bits | 49 // Explicitly enable exactly those ciphers with keys of at least 80 bits, |
| 50 // except for SRP ciphers. |
50 for (int i = 0; i < SSL_NumImplementedCiphers; i++) { | 51 for (int i = 0; i < SSL_NumImplementedCiphers; i++) { |
51 SSLCipherSuiteInfo info; | 52 SSLCipherSuiteInfo info; |
52 if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info, | 53 if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info, |
53 sizeof(info)) == SECSuccess) { | 54 sizeof(info)) == SECSuccess) { |
54 SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i], | 55 SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i], |
55 (info.effectiveKeyBits >= 80)); | 56 (info.effectiveKeyBits >= 80 && |
| 57 !IsNSSCipherKEATypeSRP(info.keaType))); |
56 } | 58 } |
57 } | 59 } |
58 | 60 |
59 // Enable SSL. | 61 // Enable SSL. |
60 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); | 62 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); |
61 | 63 |
62 // All other SSL options are set per-session by SSLClientSocket and | 64 // All other SSL options are set per-session by SSLClientSocket and |
63 // SSLServerSocket. | 65 // SSLServerSocket. |
64 } | 66 } |
65 | 67 |
(...skipping 112 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
178 case SSL_ERROR_ILLEGAL_PARAMETER_ALERT: | 180 case SSL_ERROR_ILLEGAL_PARAMETER_ALERT: |
179 return ERR_SSL_PROTOCOL_ERROR; | 181 return ERR_SSL_PROTOCOL_ERROR; |
180 case SSL_ERROR_DECOMPRESSION_FAILURE_ALERT: | 182 case SSL_ERROR_DECOMPRESSION_FAILURE_ALERT: |
181 return ERR_SSL_DECOMPRESSION_FAILURE_ALERT; | 183 return ERR_SSL_DECOMPRESSION_FAILURE_ALERT; |
182 case SSL_ERROR_BAD_MAC_ALERT: | 184 case SSL_ERROR_BAD_MAC_ALERT: |
183 return ERR_SSL_BAD_RECORD_MAC_ALERT; | 185 return ERR_SSL_BAD_RECORD_MAC_ALERT; |
184 case SSL_ERROR_UNSAFE_NEGOTIATION: | 186 case SSL_ERROR_UNSAFE_NEGOTIATION: |
185 return ERR_SSL_UNSAFE_NEGOTIATION; | 187 return ERR_SSL_UNSAFE_NEGOTIATION; |
186 case SSL_ERROR_WEAK_SERVER_KEY: | 188 case SSL_ERROR_WEAK_SERVER_KEY: |
187 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY; | 189 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY; |
| 190 case SSL_ERROR_UNKNOWN_PSK_IDENTITY_ALERT: |
| 191 return ERR_SSL_UNKNOWN_PSK_IDENTITY_ALERT; |
188 | 192 |
189 default: { | 193 default: { |
190 if (IS_SSL_ERROR(err)) { | 194 if (IS_SSL_ERROR(err)) { |
191 LOG(WARNING) << "Unknown SSL error " << err << | 195 LOG(WARNING) << "Unknown SSL error " << err << |
192 " mapped to net::ERR_SSL_PROTOCOL_ERROR"; | 196 " mapped to net::ERR_SSL_PROTOCOL_ERROR"; |
193 return ERR_SSL_PROTOCOL_ERROR; | 197 return ERR_SSL_PROTOCOL_ERROR; |
194 } | 198 } |
195 LOG(WARNING) << "Unknown error " << err << | 199 LOG(WARNING) << "Unknown error " << err << |
196 " mapped to net::ERR_FAILED"; | 200 " mapped to net::ERR_FAILED"; |
197 return ERR_FAILED; | 201 return ERR_FAILED; |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
238 }; | 242 }; |
239 | 243 |
240 void LogFailedNSSFunction(const BoundNetLog& net_log, | 244 void LogFailedNSSFunction(const BoundNetLog& net_log, |
241 const char* function, | 245 const char* function, |
242 const char* param) { | 246 const char* param) { |
243 net_log.AddEvent( | 247 net_log.AddEvent( |
244 NetLog::TYPE_SSL_NSS_ERROR, | 248 NetLog::TYPE_SSL_NSS_ERROR, |
245 make_scoped_refptr(new SSLFailedNSSFunctionParams(function, param))); | 249 make_scoped_refptr(new SSLFailedNSSFunctionParams(function, param))); |
246 } | 250 } |
247 | 251 |
| 252 // Returns true iff |kea_type|, an NSS cipher's key exchange algorithm (KEA), |
| 253 // uses SRP, including ciphers that also use certificates (e.g., SRP_SHA_RSA |
| 254 // and SRP_SHA_DSS). |
| 255 bool IsNSSCipherKEATypeSRP(SSLKEAType kea_type) { |
| 256 return kea_type == ssl_kea_srp || |
| 257 kea_type == ssl_kea_srp_rsa || |
| 258 kea_type == ssl_kea_srp_dss; |
| 259 } |
| 260 |
248 } // namespace net | 261 } // namespace net |
OLD | NEW |