Reland of TLS CECPQ1 (experimental post-quantum) ciphers.

net/socket/ssl_client_socket_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_impl.h"
 
 #include <errno.h>
 #include <openssl/bio.h>
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/mem.h>
 #include <openssl/ssl.h>
 #include <string.h>
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
+#include "base/feature_list.h"
 #include "base/lazy_instance.h"
 #include "base/macros.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/profiler/scoped_tracker.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
 #include "base/synchronization/lock.h"
 #include "base/threading/thread_local.h"
@@ skipping 47 matching lines @@
 
 // TLS extension number use for Token Binding.
 const unsigned int kTbExtNum = 24;
 
 // Token Binding ProtocolVersions supported.
 const uint8_t kTbProtocolVersionMajor = 0;
 const uint8_t kTbProtocolVersionMinor = 6;
 const uint8_t kTbMinProtocolVersionMajor = 0;
 const uint8_t kTbMinProtocolVersionMinor = 6;
 
+#if !defined(OS_NACL)
+const base::Feature kPostQuantumExperiment{"SSLPostQuantumExperiment",
+                                           base::FEATURE_DISABLED_BY_DEFAULT};
+#endif
+
 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
   switch (EVP_MD_type(md)) {
     case NID_md5_sha1:
       *hash = SSLPrivateKey::Hash::MD5_SHA1;
       return true;
     case NID_sha1:
       *hash = SSLPrivateKey::Hash::SHA1;
       return true;
     case NID_sha256:
       *hash = SSLPrivateKey::Hash::SHA256;
@@ skipping 862 matching lines @@
   mode.ConfigureFlag(SSL_MODE_SEND_FALLBACK_SCSV, ssl_config_.version_fallback);
 
   SSL_set_mode(ssl_, mode.set_mask);
   SSL_clear_mode(ssl_, mode.clear_mask);
 
   // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
   // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable
   // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not
   // supported. As DHE is being deprecated, don't add a cipher only to remove it
   // immediately.
-  std::string command(
-      "DEFAULT:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4");
+  std::string command;
+#if !defined(OS_NACL)
+  if (base::FeatureList::IsEnabled(kPostQuantumExperiment)) {
+    // These are experimental, non-standard ciphersuites.  They are part of an
+    // experiment in post-quantum cryptography.  They're not intended to
+    // represent a de-facto standard, and will be removed from BoringSSL in
+    // ~2018.
+    if (EVP_has_aes_hardware()) {
+      command.append(
+          "CECPQ1-RSA-AES256-GCM-SHA384:"
+          "CECPQ1-ECDSA-AES256-GCM-SHA384:");
+    }
+    command.append(
+        "CECPQ1-RSA-CHACHA20-POLY1305-SHA256:"
+        "CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256:");
+    if (!EVP_has_aes_hardware()) {
+      command.append(
+          "CECPQ1-RSA-AES256-GCM-SHA384:"
+          "CECPQ1-ECDSA-AES256-GCM-SHA384:");
+    }
+  }
+#endif
+  command.append("ALL:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4");
 
   if (ssl_config_.require_ecdhe)
     command.append(":!kRSA:!kDHE");
 
   if (!ssl_config_.deprecated_cipher_suites_enabled) {
     // Only offer DHE on the second handshake. https://crbug.com/538690
     command.append(":!kDHE");
   }
 
   // Remove any disabled ciphers.
@@ skipping 1309 matching lines @@
   if (rv != OK) {
     net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
     return;
   }
 
   net_log_.EndEvent(NetLog::TYPE_SSL_CONNECT,
                     base::Bind(&NetLogSSLInfoCallback, base::Unretained(this)));
 }
 
 }  // namespace net