Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(387)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_openssl.cc

Issue 1191623002: Require ECDHE cipher in remoting client. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/socket/ssl_client_socket_nss.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle
6 // of operation is derived from SSLClientSocketNSS. 6 // of operation is derived from SSLClientSocketNSS.
7 7
8 #include "net/socket/ssl_client_socket_openssl.h" 8 #include "net/socket/ssl_client_socket_openssl.h"
9 9
10 #include <errno.h> 10 #include <errno.h>
(...skipping 747 matching lines...) Expand 10 before | Expand all | Expand 10 after
758 758
759 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the 759 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the
760 // textual name with SSL_set_cipher_list because there is no public API to 760 // textual name with SSL_set_cipher_list because there is no public API to
761 // directly remove a cipher by ID. 761 // directly remove a cipher by ID.
762 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_); 762 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_);
763 DCHECK(ciphers); 763 DCHECK(ciphers);
764 // See SSLConfig::disabled_cipher_suites for description of the suites 764 // See SSLConfig::disabled_cipher_suites for description of the suites
765 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256 765 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256
766 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384 766 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
767 // as the handshake hash. 767 // as the handshake hash.
768 std::string command( 768 std::string command("DEFAULT:!SHA256:!SHA384:!AESGCM+AES256:!aPSK");
769 "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK");
770 // Walk through all the installed ciphers, seeing if any need to be 769 // Walk through all the installed ciphers, seeing if any need to be
771 // appended to the cipher removal |command|. 770 // appended to the cipher removal |command|.
772 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) { 771 for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
773 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i); 772 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i);
774 const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher)); 773 const uint16 id = static_cast<uint16>(SSL_CIPHER_get_id(cipher));
775 // Remove any ciphers with a strength of less than 80 bits. Note the NSS 774 bool disable = false;
776 // implementation uses "effective" bits here but OpenSSL does not provide 775 if (ssl_config_.require_ecdhe) {
777 // this detail. This only impacts Triple DES: reports 112 vs. 168 bits, 776 base::StringPiece kx_name(SSL_CIPHER_get_kx_name(cipher));
778 // both of which are greater than 80 anyway. 777 disable = kx_name != "ECDHE_RSA" && kx_name != "ECDHE_ECDSA";
779 bool disable = SSL_CIPHER_get_bits(cipher, NULL) < 80; 778 }
780 if (!disable) { 779 if (!disable) {
781 disable = std::find(ssl_config_.disabled_cipher_suites.begin(), 780 disable = std::find(ssl_config_.disabled_cipher_suites.begin(),
782 ssl_config_.disabled_cipher_suites.end(), id) != 781 ssl_config_.disabled_cipher_suites.end(), id) !=
783 ssl_config_.disabled_cipher_suites.end(); 782 ssl_config_.disabled_cipher_suites.end();
784 } 783 }
785 if (disable) { 784 if (disable) {
786 const char* name = SSL_CIPHER_get_name(cipher); 785 const char* name = SSL_CIPHER_get_name(cipher);
787 DVLOG(3) << "Found cipher to remove: '" << name << "', ID: " << id 786 DVLOG(3) << "Found cipher to remove: '" << name << "', ID: " << id
788 << " strength: " << SSL_CIPHER_get_bits(cipher, NULL); 787 << " strength: " << SSL_CIPHER_get_bits(cipher, NULL);
789 command.append(":!"); 788 command.append(":!");
(...skipping 1127 matching lines...) Expand 10 before | Expand all | Expand 10 after
1917 1916
1918 NextProto next_proto = NextProtoFromString(npn_proto_); 1917 NextProto next_proto = NextProtoFromString(npn_proto_);
1919 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) { 1918 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) {
1920 if (next_proto == allowed) 1919 if (next_proto == allowed)
1921 return true; 1920 return true;
1922 } 1921 }
1923 return false; 1922 return false;
1924 } 1923 }
1925 1924
1926 } // namespace net 1925 } // namespace net
OLDNEW
« no previous file with comments | « net/socket/ssl_client_socket_nss.cc ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698