net/socket/ssl_server_socket_openssl.cc - Issue 1138813003: Use cert config options in SSLServerSocketOpenSSL.

Side by Side Diff: net/socket/ssl_server_socket_openssl.cc

Issue 1138813003: Use cert config options in SSLServerSocketOpenSSL. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 5 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/socket/ssl_server_socket_openssl.h"	5 #include "net/socket/ssl_server_socket_openssl.h"

6	6

7 #include <openssl/err.h>	7 #include <openssl/err.h>

8 #include <openssl/ssl.h>	8 #include <openssl/ssl.h>

9	9

10 #include "base/callback_helpers.h"	10 #include "base/callback_helpers.h"

11 #include "base/logging.h"	11 #include "base/logging.h"

	12 #include "base/strings/string_util.h"

12 #include "crypto/openssl_util.h"	13 #include "crypto/openssl_util.h"

13 #include "crypto/rsa_private_key.h"	14 #include "crypto/rsa_private_key.h"

14 #include "crypto/scoped_openssl_types.h"	15 #include "crypto/scoped_openssl_types.h"

15 #include "net/base/net_errors.h"	16 #include "net/base/net_errors.h"

16 #include "net/ssl/openssl_ssl_util.h"	17 #include "net/ssl/openssl_ssl_util.h"

17 #include "net/ssl/scoped_openssl_types.h"	18 #include "net/ssl/scoped_openssl_types.h"

18	19

19 #define GotoState(s) next_handshake_state_ = s	20 #define GotoState(s) next_handshake_state_ = s

20	21

21 namespace net {	22 namespace net {

(...skipping 656 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
678 SSL_clear_options(ssl_, options.clear_mask);	679 SSL_clear_options(ssl_, options.clear_mask);

679	680

680 // Same as above, this time for the SSL mode.	681 // Same as above, this time for the SSL mode.

681 SslSetClearMask mode;	682 SslSetClearMask mode;

682	683

683 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);	684 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);

684	685

685 SSL_set_mode(ssl_, mode.set_mask);	686 SSL_set_mode(ssl_, mode.set_mask);

686 SSL_clear_mode(ssl_, mode.clear_mask);	687 SSL_clear_mode(ssl_, mode.clear_mask);

687	688

	689 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the

	690 // textual name with SSL_set_cipher_list because there is no public API to

	691 // directly remove a cipher by ID.

	692 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_);

	693 DCHECK(ciphers);

	694 // See SSLConfig::disabled_cipher_suites for description of the suites

	695 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256

	696 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384

	697 // as the handshake hash.

	698 std::string command(

	699 "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK:!RC4");
	Sergey Ulanov 2015/05/12 18:55:47 This is the same string that's used for client soc This is the same string that's used for client sockets with "!RC4" added at the end. But can this be changed to "DEFAULT" now with boringssl? davidben 2015/05/12 19:05:16 It can be pruned significantly, but we do still wa Show quoted text On 2015/05/12 18:55:47, Sergey Ulanov wrote: > This is the same string that's used for client sockets with "!RC4" added at the > end. > But can this be changed to "DEFAULT" now with boringssl? It can be pruned significantly, but we do still want to prune out !SHA256:!SHA384:!AESGCM+AES256. Probably also worth pruning out !aPSK even though BoringSSL will do that automatically by virtue of not configuring PSK options. davidben 2015/05/12 19:05:16 The !RC4 shouldn't be there. It's still enabled on The !RC4 shouldn't be there. It's still enabled on the NSS side. It might be worth pruning that from SSLServerSocket, but we should do that separately as it'd need to be mirrored on NSS as well. Sergey Ulanov 2015/05/12 19:42:21 Done. Show quoted text On 2015/05/12 19:05:16, David Benjamin wrote: > On 2015/05/12 18:55:47, Sergey Ulanov wrote: > > This is the same string that's used for client sockets with "!RC4" added at > the > > end. > > But can this be changed to "DEFAULT" now with boringssl? > > It can be pruned significantly, but we do still want to prune out > !SHA256:!SHA384:!AESGCM+AES256. Probably also worth pruning out !aPSK even > though BoringSSL will do that automatically by virtue of not configuring PSK > options. Done. Sergey Ulanov 2015/05/12 19:42:21 Done. Show quoted text On 2015/05/12 19:05:16, David Benjamin wrote: > The !RC4 shouldn't be there. It's still enabled on the NSS side. It might be > worth pruning that from SSLServerSocket, but we should do that separately as > it'd need to be mirrored on NSS as well. Done.
	700 // Walk through all the installed ciphers, seeing if any need to be

	701 // appended to the cipher removal \|command\|.

	702 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {

	703 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i);

	704 const uint16_t id = static_cast<uint16_t>(SSL_CIPHER_get_id(cipher));

	705 const char* name = SSL_CIPHER_get_name(cipher);
	davidben 2015/05/12 19:05:16 Nit: This line can be moved down to the block in l Nit: This line can be moved down to the block in line 717. Sergey Ulanov 2015/05/12 19:42:21 Done. Show quoted text On 2015/05/12 19:05:16, David Benjamin wrote: > Nit: This line can be moved down to the block in line 717. Done.
	706

	707 bool disable = false;

	708 if (ssl_config_.require_ecdhe) {

	709 StringPiece kx_name(SSL_CIPHER_get_kx_name(cipher));
	davidben 2015/05/12 19:05:16 Shouldn't this be base::StringPiece? Shouldn't this be base::StringPiece? Sergey Ulanov 2015/05/12 19:42:21 Done. Show quoted text On 2015/05/12 19:05:16, David Benjamin wrote: > Shouldn't this be base::StringPiece? Done.
	710 disable = kx_name != "ECDHE_RSA") && kx_name != "ECDHE_ECDSA";
	davidben 2015/05/12 19:05:16 Stray )? Stray )? Sergey Ulanov 2015/05/12 19:42:21 Apparently I was trying to compile this code with Show quoted text On 2015/05/12 19:05:16, David Benjamin wrote: > Stray )? Apparently I was trying to compile this code with use_openssl=0 :(
	711 }

	712 if (!disable) {

	713 disable = std::find(ssl_config_.disabled_cipher_suites.begin(),

	714 ssl_config_.disabled_cipher_suites.end(),

	715 id) != ssl_config_.disabled_cipher_suites.end();

	716 }

	717 if (disable) {

	718 DVLOG(3) << "Found cipher to remove: '" << name << "', ID: " << id

	719 << " strength: " << SSL_CIPHER_get_bits(cipher, NULL);

	720 command.append(":!");

	721 command.append(name);

	722 }

	723 }

	724

	725 int rv = SSL_set_cipher_list(ssl_, command.c_str());

	726 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL.

	727 // This will almost certainly result in the socket failing to complete the

	728 // handshake at which point the appropriate error is bubbled up to the client.

	729 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command

	730 << "') returned " << rv;

	731

688 return OK;	732 return OK;

689 }	733 }

690	734

691 } // namespace net	735 } // namespace net

OLD	NEW

« no previous file with comments | « net/socket/ssl_server_socket_nss.cc ('k') | net/socket/ssl_server_socket_unittest.cc » ('j') | net/socket/ssl_server_socket_unittest.cc » ('J')