Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(200)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/nss_ssl_util.cc

Issue 1020073005: Disable DSS ciphers in the NSS port. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/socket/nss_ssl_util.h" 5 #include "net/socket/nss_ssl_util.h"
6 6
7 #include <nss.h> 7 #include <nss.h>
8 #include <secerr.h> 8 #include <secerr.h>
9 #include <ssl.h> 9 #include <ssl.h>
10 #include <sslerr.h> 10 #include <sslerr.h>
(...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after
101 101
102 // Disable ECDSA cipher suites on platforms that do not support ECDSA 102 // Disable ECDSA cipher suites on platforms that do not support ECDSA
103 // signed certificates, as servers may use the presence of such 103 // signed certificates, as servers may use the presence of such
104 // ciphersuites as a hint to send an ECDSA certificate. 104 // ciphersuites as a hint to send an ECDSA certificate.
105 bool disableECDSA = false; 105 bool disableECDSA = false;
106 #if defined(OS_WIN) 106 #if defined(OS_WIN)
107 if (base::win::GetVersion() < base::win::VERSION_VISTA) 107 if (base::win::GetVersion() < base::win::VERSION_VISTA)
108 disableECDSA = true; 108 disableECDSA = true;
109 #endif 109 #endif
110 110
111 // Explicitly enable exactly those ciphers with keys of at least 80 bits 111 // Explicitly enable exactly those ciphers with keys of at least 80 bits.
112 for (int i = 0; i < num_ciphers; i++) { 112 for (int i = 0; i < num_ciphers; i++) {
113 SSLCipherSuiteInfo info; 113 SSLCipherSuiteInfo info;
114 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, 114 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info,
115 sizeof(info)) == SECSuccess) { 115 sizeof(info)) == SECSuccess) {
116 bool enabled = info.effectiveKeyBits >= 80; 116 bool enabled = info.effectiveKeyBits >= 80;
117 if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA) 117 if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA)
118 enabled = false; 118 enabled = false;
119 119
120 // Trim the list of cipher suites in order to keep the size of the 120 // Trim the list of cipher suites in order to keep the size of the
121 // ClientHello down. DSS, ECDH, CAMELLIA, SEED, ECC+3DES, and 121 // ClientHello down. DSS, ECDH, CAMELLIA, SEED, ECC+3DES, and
122 // HMAC-SHA256 cipher suites are disabled. 122 // HMAC-SHA256 cipher suites are disabled.
123 if (info.symCipher == ssl_calg_camellia || 123 if (info.symCipher == ssl_calg_camellia ||
124 info.symCipher == ssl_calg_seed || 124 info.symCipher == ssl_calg_seed ||
125 (info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) || 125 (info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) ||
126 info.authAlgorithm == ssl_auth_dsa || 126 info.authAlgorithm == ssl_auth_dsa ||
127 info.macAlgorithm == ssl_hmac_sha256 || 127 info.macAlgorithm == ssl_hmac_sha256 ||
128 info.nonStandard || 128 info.nonStandard ||
129 strcmp(info.keaTypeName, "ECDH") == 0) { 129 strcmp(info.keaTypeName, "ECDH") == 0) {
130 enabled = false; 130 enabled = false;
131 } 131 }
132 132
133 if (ssl_ciphers[i] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) {
134 // Enabled to allow servers with only a DSA certificate to function.
135 enabled = true;
136 }
137 SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled); 133 SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled);
138 } 134 }
139 } 135 }
140 136
141 // Enable SSL. 137 // Enable SSL.
142 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); 138 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
143 139
144 // Calculate the order of ciphers that we'll use for NSS sockets. (Note 140 // Calculate the order of ciphers that we'll use for NSS sockets. (Note
145 // that, even if a cipher is specified in the ordering, it must still be 141 // that, even if a cipher is specified in the ordering, it must still be
146 // enabled in order to be included in a ClientHello.) 142 // enabled in order to be included in a ClientHello.)
(...skipping 261 matching lines...) Expand 10 before | Expand all | Expand 10 after
408 base::Bind(&NetLogSSLFailedNSSFunctionCallback, 404 base::Bind(&NetLogSSLFailedNSSFunctionCallback,
409 function, param, PR_GetError())); 405 function, param, PR_GetError()));
410 } 406 }
411 407
412 NetLog::ParametersCallback CreateNetLogSSLErrorCallback(int net_error, 408 NetLog::ParametersCallback CreateNetLogSSLErrorCallback(int net_error,
413 int ssl_lib_error) { 409 int ssl_lib_error) {
414 return base::Bind(&NetLogSSLErrorCallback, net_error, ssl_lib_error); 410 return base::Bind(&NetLogSSLErrorCallback, net_error, ssl_lib_error);
415 } 411 }
416 412
417 } // namespace net 413 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698