net/socket/ssl_client_socket_nss.cc - Issue 1191623002: Require ECDHE cipher in remoting client.

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 1191623002: Require ECDHE cipher in remoting client. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 5 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived	5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived

6 // from AuthCertificateCallback() in	6 // from AuthCertificateCallback() in

7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.	7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.

8	8

9 /* *** BEGIN LICENSE BLOCK ***	9 /* *** BEGIN LICENSE BLOCK ***

10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1	10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1

(...skipping 2743 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2754	2754

2755 SSLVersionRange version_range;	2755 SSLVersionRange version_range;

2756 version_range.min = ssl_config_.version_min;	2756 version_range.min = ssl_config_.version_min;

2757 version_range.max = ssl_config_.version_max;	2757 version_range.max = ssl_config_.version_max;

2758 rv = SSL_VersionRangeSet(nss_fd_, &version_range);	2758 rv = SSL_VersionRangeSet(nss_fd_, &version_range);

2759 if (rv != SECSuccess) {	2759 if (rv != SECSuccess) {

2760 LogFailedNSSFunction(net_log_, "SSL_VersionRangeSet", "");	2760 LogFailedNSSFunction(net_log_, "SSL_VersionRangeSet", "");

2761 return ERR_NO_SSL_VERSIONS_ENABLED;	2761 return ERR_NO_SSL_VERSIONS_ENABLED;

2762 }	2762 }

2763	2763

	2764 if (ssl_config_.require_ecdhe) {

	2765 const PRUint16* const ssl_ciphers = SSL_GetImplementedCiphers();

	2766 const PRUint16 num_ciphers = SSL_GetNumImplementedCiphers();

	2767

	2768 // Require forward security by iterating over the cipher suites and
	davidben 2015/06/16 19:18:21 Nit: Maybe just: // Iterate over the cipher sui Nit: Maybe just: // Iterate over the cipher suites and disable all those that don't use ECDHE. Since DHE nominally also gets us forward secrecy, but (a) DHE is very sad because of the group size issue and (b) isn't sufficient for our purposes here anyway. Sergey Ulanov 2015/06/16 19:29:07 Done. Also updated the same comment in ssl_server_ Show quoted text On 2015/06/16 at 19:18:21, David Benjamin wrote: > Nit: Maybe just: > > // Iterate over the cipher suites and disable all those that don't use ECDHE. > > Since DHE nominally also gets us forward secrecy, but (a) DHE is very sad because of the group size issue and (b) isn't sufficient for our purposes here anyway. Done. Also updated the same comment in ssl_server_socket_nss.cc
	2769 // disabling all those that don't use ECDHE.

	2770 for (unsigned i = 0; i < num_ciphers; i++) {

	2771 SSLCipherSuiteInfo info;

	2772 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, sizeof(info)) ==

	2773 SECSuccess) {

	2774 if (strcmp(info.keaTypeName, "ECDHE") != 0) {

	2775 SSL_CipherPrefSet(nss_fd_, ssl_ciphers[i], PR_FALSE);

	2776 }

	2777 }

	2778 }

	2779 }

	2780

2764 if (ssl_config_.version_fallback) {	2781 if (ssl_config_.version_fallback) {

2765 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);	2782 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);

2766 if (rv != SECSuccess) {	2783 if (rv != SECSuccess) {

2767 LogFailedNSSFunction(	2784 LogFailedNSSFunction(

2768 net_log_, "SSL_OptionSet", "SSL_ENABLE_FALLBACK_SCSV");	2785 net_log_, "SSL_OptionSet", "SSL_ENABLE_FALLBACK_SCSV");

2769 }	2786 }

2770 }	2787 }

2771	2788

2772 for (std::vector<uint16>::const_iterator it =	2789 for (std::vector<uint16>::const_iterator it =

2773 ssl_config_.disabled_cipher_suites.begin();	2790 ssl_config_.disabled_cipher_suites.begin();

(...skipping 405 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
3179 return channel_id_service_;	3196 return channel_id_service_;

3180 }	3197 }

3181	3198

3182 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const {	3199 SSLFailureState SSLClientSocketNSS::GetSSLFailureState() const {

3183 if (completed_handshake_)	3200 if (completed_handshake_)

3184 return SSL_FAILURE_NONE;	3201 return SSL_FAILURE_NONE;

3185 return SSL_FAILURE_UNKNOWN;	3202 return SSL_FAILURE_UNKNOWN;

3186 }	3203 }

3187	3204

3188 } // namespace net	3205 } // namespace net

OLD	NEW

« no previous file with comments | « no previous file | net/socket/ssl_client_socket_openssl.cc » ('j') | net/socket/ssl_client_socket_openssl.cc » ('J')