OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_server_socket_openssl.h" | 5 #include "net/socket/ssl_server_socket_openssl.h" |
6 | 6 |
7 #include <openssl/err.h> | 7 #include <openssl/err.h> |
8 #include <openssl/ssl.h> | 8 #include <openssl/ssl.h> |
9 | 9 |
10 #include "base/callback_helpers.h" | 10 #include "base/callback_helpers.h" |
11 #include "base/logging.h" | 11 #include "base/logging.h" |
| 12 #include "base/strings/string_util.h" |
12 #include "crypto/openssl_util.h" | 13 #include "crypto/openssl_util.h" |
13 #include "crypto/rsa_private_key.h" | 14 #include "crypto/rsa_private_key.h" |
14 #include "crypto/scoped_openssl_types.h" | 15 #include "crypto/scoped_openssl_types.h" |
15 #include "net/base/net_errors.h" | 16 #include "net/base/net_errors.h" |
16 #include "net/ssl/openssl_ssl_util.h" | 17 #include "net/ssl/openssl_ssl_util.h" |
17 #include "net/ssl/scoped_openssl_types.h" | 18 #include "net/ssl/scoped_openssl_types.h" |
18 | 19 |
19 #define GotoState(s) next_handshake_state_ = s | 20 #define GotoState(s) next_handshake_state_ = s |
20 | 21 |
21 namespace net { | 22 namespace net { |
(...skipping 656 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
678 SSL_clear_options(ssl_, options.clear_mask); | 679 SSL_clear_options(ssl_, options.clear_mask); |
679 | 680 |
680 // Same as above, this time for the SSL mode. | 681 // Same as above, this time for the SSL mode. |
681 SslSetClearMask mode; | 682 SslSetClearMask mode; |
682 | 683 |
683 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true); | 684 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true); |
684 | 685 |
685 SSL_set_mode(ssl_, mode.set_mask); | 686 SSL_set_mode(ssl_, mode.set_mask); |
686 SSL_clear_mode(ssl_, mode.clear_mask); | 687 SSL_clear_mode(ssl_, mode.clear_mask); |
687 | 688 |
| 689 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the |
| 690 // textual name with SSL_set_cipher_list because there is no public API to |
| 691 // directly remove a cipher by ID. |
| 692 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_); |
| 693 DCHECK(ciphers); |
| 694 // See SSLConfig::disabled_cipher_suites for description of the suites |
| 695 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256 |
| 696 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384 |
| 697 // as the handshake hash. |
| 698 std::string command("DEFAULT:!SHA256:!SHA384:!AESGCM+AES256:!aPSK"); |
| 699 // Walk through all the installed ciphers, seeing if any need to be |
| 700 // appended to the cipher removal |command|. |
| 701 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) { |
| 702 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i); |
| 703 const uint16_t id = static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)); |
| 704 |
| 705 bool disable = false; |
| 706 if (ssl_config_.require_ecdhe) { |
| 707 base::StringPiece kx_name(SSL_CIPHER_get_kx_name(cipher)); |
| 708 disable = kx_name != "ECDHE_RSA" && kx_name != "ECDHE_ECDSA"; |
| 709 } |
| 710 if (!disable) { |
| 711 disable = std::find(ssl_config_.disabled_cipher_suites.begin(), |
| 712 ssl_config_.disabled_cipher_suites.end(), |
| 713 id) != ssl_config_.disabled_cipher_suites.end(); |
| 714 } |
| 715 if (disable) { |
| 716 const char* name = SSL_CIPHER_get_name(cipher); |
| 717 DVLOG(3) << "Found cipher to remove: '" << name << "', ID: " << id |
| 718 << " strength: " << SSL_CIPHER_get_bits(cipher, NULL); |
| 719 command.append(":!"); |
| 720 command.append(name); |
| 721 } |
| 722 } |
| 723 |
| 724 int rv = SSL_set_cipher_list(ssl_, command.c_str()); |
| 725 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL. |
| 726 // This will almost certainly result in the socket failing to complete the |
| 727 // handshake at which point the appropriate error is bubbled up to the client. |
| 728 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command |
| 729 << "') returned " << rv; |
| 730 |
688 return OK; | 731 return OK; |
689 } | 732 } |
690 | 733 |
691 } // namespace net | 734 } // namespace net |
OLD | NEW |