Chromium Code Reviews Chromium Code Reviews
Issue 1138813003:
Use cert config options in SSLServerSocketOpenSSL. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_server_socket_openssl.h" | 5 #include "net/socket/ssl_server_socket_openssl.h" |
| 6 | 6 |
| 7 #include <openssl/err.h> | 7 #include <openssl/err.h> |
| 8 #include <openssl/ssl.h> | 8 #include <openssl/ssl.h> |
| 9 | 9 |
| 10 #include "base/callback_helpers.h" | 10 #include "base/callback_helpers.h" |
| 11 #include "base/logging.h" | 11 #include "base/logging.h" |
| 12 #include "base/strings/string_util.h" | |
| 12 #include "crypto/openssl_util.h" | 13 #include "crypto/openssl_util.h" |
| 13 #include "crypto/rsa_private_key.h" | 14 #include "crypto/rsa_private_key.h" |
| 14 #include "crypto/scoped_openssl_types.h" | 15 #include "crypto/scoped_openssl_types.h" |
| 15 #include "net/base/net_errors.h" | 16 #include "net/base/net_errors.h" |
| 16 #include "net/ssl/openssl_ssl_util.h" | 17 #include "net/ssl/openssl_ssl_util.h" |
| 17 #include "net/ssl/scoped_openssl_types.h" | 18 #include "net/ssl/scoped_openssl_types.h" |
| 18 | 19 |
| 19 #define GotoState(s) next_handshake_state_ = s | 20 #define GotoState(s) next_handshake_state_ = s |
| 20 | 21 |
| 21 namespace net { | 22 namespace net { |
| (...skipping 656 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 678 SSL_clear_options(ssl_, options.clear_mask); | 679 SSL_clear_options(ssl_, options.clear_mask); |
| 679 | 680 |
| 680 // Same as above, this time for the SSL mode. | 681 // Same as above, this time for the SSL mode. |
| 681 SslSetClearMask mode; | 682 SslSetClearMask mode; |
| 682 | 683 |
| 683 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true); | 684 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true); |
| 684 | 685 |
| 685 SSL_set_mode(ssl_, mode.set_mask); | 686 SSL_set_mode(ssl_, mode.set_mask); |
| 686 SSL_clear_mode(ssl_, mode.clear_mask); | 687 SSL_clear_mode(ssl_, mode.clear_mask); |
| 687 | 688 |
| 689 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the | |
| 690 // textual name with SSL_set_cipher_list because there is no public API to | |
| 691 // directly remove a cipher by ID. | |
| 692 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_); | |
| 693 DCHECK(ciphers); | |
| 694 // See SSLConfig::disabled_cipher_suites for description of the suites | |
| 695 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256 | |
| 696 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384 | |
| 697 // as the handshake hash. | |
| 698 std::string command( | |
| 699 "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK"); | |
| 700 // Walk through all the installed ciphers, seeing if any need to be | |
| 701 // appended to the cipher removal |command|. | |
| 702 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) { | |
| 703 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i); | |
| 704 const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher)); | |
|
davidben
2015/05/12 00:00:50
uint16_t, not uint16.
Sergey Ulanov
2015/05/12 18:55:46
Done.
| |
| 705 const char* name = SSL_CIPHER_get_name(cipher); | |
| 706 // Remove any ciphers with a strength of less than 80 bits. Note the NSS | |
| 707 // implementation uses "effective" bits here but OpenSSL does not provide | |
| 708 // this detail. This only impacts Triple DES: reports 112 vs. 168 bits, | |
| 709 // both of which are greater than 80 anyway. | |
| 710 bool disable = SSL_CIPHER_get_bits(cipher, NULL) < 80; | |
|
davidben
2015/05/12 00:00:50
This is unnecessary. BoringSSL doesn't expose any
Sergey Ulanov
2015/05/12 18:55:46
I copied most of this code from ssl_client_socket_
davidben
2015/05/12 19:05:16
Yeah, I should go prune quite a lot of that code..
| |
| 711 if (!disable && ssl_config_.require_forward_secrecy) { | |
|
davidben
2015/05/12 00:00:50
Let's just do the rename to require_ecdhe. There's
Sergey Ulanov
2015/05/12 18:55:46
Done.
| |
| 712 disable = !StartsWithASCII(name, "ECDHE", true); | |
|
davidben
2015/05/12 00:00:50
Yuck. OpenSSL doesn't give very good APIs for this
Sergey Ulanov
2015/05/12 18:55:46
Done.
| |
| 713 } | |
| 714 if (!disable) { | |
| 715 disable = std::find(ssl_config_.disabled_cipher_suites.begin(), | |
| 716 ssl_config_.disabled_cipher_suites.end(), | |
| 717 id) != ssl_config_.disabled_cipher_suites.end(); | |
| 718 } | |
| 719 if (disable) { | |
| 720 DVLOG(3) << "Found cipher to remove: '" << name << "', ID: " << id | |
| 721 << " strength: " << SSL_CIPHER_get_bits(cipher, NULL); | |
| 722 command.append(":!"); | |
| 723 command.append(name); | |
| 724 } | |
| 725 } | |
| 726 | |
| 727 if (!ssl_config_.enable_deprecated_cipher_suites) | |
| 728 command.append(":!RC4"); | |
|
davidben
2015/05/12 00:00:50
This isn't implemented in SSLServerSocketNSS. If w
Sergey Ulanov
2015/05/12 18:55:46
left it client-only - added !RC4 to the default co
| |
| 729 | |
| 730 int rv = SSL_set_cipher_list(ssl_, command.c_str()); | |
| 731 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL. | |
| 732 // This will almost certainly result in the socket failing to complete the | |
| 733 // handshake at which point the appropriate error is bubbled up to the client. | |
| 734 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command | |
| 735 << "') returned " << rv; | |
| 736 | |
| 688 return OK; | 737 return OK; |
| 689 } | 738 } |
| 690 | 739 |
| 691 } // namespace net | 740 } // namespace net |
| OLD | NEW |
