Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(445)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_impl.cc

Issue 2101283004: TLS CECPQ1 (experimental post-quantum) ciphers. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: davidben review 1 Created 4 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | net/socket/ssl_client_socket_pool.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/socket/ssl_client_socket_impl.h" 5 #include "net/socket/ssl_client_socket_impl.h"
6 6
7 #include <errno.h> 7 #include <errno.h>
8 #include <openssl/bio.h> 8 #include <openssl/bio.h>
9 #include <openssl/bytestring.h> 9 #include <openssl/bytestring.h>
10 #include <openssl/err.h> 10 #include <openssl/err.h>
(...skipping 948 matching lines...) Expand 10 before | Expand all | Expand 10 after
959 mode.ConfigureFlag(SSL_MODE_SEND_FALLBACK_SCSV, ssl_config_.version_fallback); 959 mode.ConfigureFlag(SSL_MODE_SEND_FALLBACK_SCSV, ssl_config_.version_fallback);
960 960
961 SSL_set_mode(ssl_, mode.set_mask); 961 SSL_set_mode(ssl_, mode.set_mask);
962 SSL_clear_mode(ssl_, mode.clear_mask); 962 SSL_clear_mode(ssl_, mode.clear_mask);
963 963
964 // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers 964 // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
965 // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable 965 // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable
966 // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not 966 // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not
967 // supported. As DHE is being deprecated, don't add a cipher only to remove it 967 // supported. As DHE is being deprecated, don't add a cipher only to remove it
968 // immediately. 968 // immediately.
969 std::string command( 969 std::string command;
970 "DEFAULT:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4"); 970 // These are experimental, non-standard ciphersuites. They are part of an
agl 2016/06/28 22:14:39 begin line with two spaces.
mab 2016/06/28 22:40:58 (moot)
971 // experiment in post-quantum cryptography. They're not intended to
972 // represent a de-facto standard, and will be removed from BoringSSL in
973 // ~2018.
974 #if !defined(OS_ANDROID) && !defined(OS_IOS)
975 if (EVP_has_aes_hardware()) {
976 command.append(
977 "CECPQ1-RSA-AES256-GCM-SHA384:"
978 "CECPQ1-ECDSA-AES256-GCM-SHA384:");
979 }
980 command.append(
981 "CECPQ1-RSA-CHACHA20-POLY1305-SHA256:"
982 "CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256:");
983 if (!EVP_has_aes_hardware()) {
984 command.append(
985 "CECPQ1-RSA-AES256-GCM-SHA384:"
986 "CECPQ1-ECDSA-AES256-GCM-SHA384:");
987 }
988 #endif
989 command.append("ALL:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4");
971 990
972 if (ssl_config_.require_ecdhe) 991 if (ssl_config_.require_ecdhe)
973 command.append(":!kRSA:!kDHE"); 992 command.append(":!kRSA:!kDHE");
974 993
975 if (!ssl_config_.deprecated_cipher_suites_enabled) { 994 if (!ssl_config_.deprecated_cipher_suites_enabled) {
976 // Only offer DHE on the second handshake. https://crbug.com/538690 995 // Only offer DHE on the second handshake. https://crbug.com/538690
977 command.append(":!kDHE"); 996 command.append(":!kDHE");
978 } 997 }
979 998
980 // Remove any disabled ciphers. 999 // Remove any disabled ciphers.
(...skipping 1309 matching lines...) Expand 10 before | Expand all | Expand 10 after
2290 if (rv != OK) { 2309 if (rv != OK) {
2291 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); 2310 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
2292 return; 2311 return;
2293 } 2312 }
2294 2313
2295 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT, 2314 net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT,
2296 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this))); 2315 base::Bind(&NetLogSSLInfoCallback, base::Unretained(this)));
2297 } 2316 }
2298 2317
2299 } // namespace net 2318 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | net/socket/ssl_client_socket_pool.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698