| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/nss_ssl_util.h" | 5 #include "net/socket/nss_ssl_util.h" |
| 6 | 6 |
| 7 #include <nss.h> | 7 #include <nss.h> |
| 8 #include <secerr.h> | 8 #include <secerr.h> |
| 9 #include <ssl.h> | 9 #include <ssl.h> |
| 10 #include <sslerr.h> | 10 #include <sslerr.h> |
| 51 // Explicitly enable exactly those ciphers with keys of at least 80 bits | 51 // Explicitly enable exactly those ciphers with keys of at least 80 bits |
| 52 for (int i = 0; i < num_ciphers; i++) { | 52 for (int i = 0; i < num_ciphers; i++) { |
| 53 SSLCipherSuiteInfo info; | 53 SSLCipherSuiteInfo info; |
| 54 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, | 54 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, |
| 55 sizeof(info)) == SECSuccess) { | 55 sizeof(info)) == SECSuccess) { |
| 56 bool enabled = info.effectiveKeyBits >= 80; | 56 bool enabled = info.effectiveKeyBits >= 80; |
| 57 if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA) | 57 if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA) |
| 58 enabled = false; | 58 enabled = false; |
| 59 | 59 |
| 60 // Trim the list of cipher suites in order to keep the size of the | 60 // Trim the list of cipher suites in order to keep the size of the |
| 61 // ClientHello down. DSS, ECDH, CAMELLIA, SEED and ECC+3DES cipher | 61 // ClientHello down. DSS, ECDH, CAMELLIA, SEED, ECC+3DES, and |
| 62 // suites are disabled. | 62 // HMAC-SHA256 cipher suites are disabled. |
| 63 if (info.symCipher == ssl_calg_camellia || | 63 if (info.symCipher == ssl_calg_camellia || |
| 64 info.symCipher == ssl_calg_seed || | 64 info.symCipher == ssl_calg_seed || |
| 65 (info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) || | 65 (info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) || |
| 66 info.authAlgorithm == ssl_auth_dsa || | 66 info.authAlgorithm == ssl_auth_dsa || |
| 67 info.macAlgorithm == ssl_hmac_sha256 || |
| 67 info.nonStandard || | 68 info.nonStandard || |
| 68 strcmp(info.keaTypeName, "ECDH") == 0) { | 69 strcmp(info.keaTypeName, "ECDH") == 0) { |
| 69 enabled = false; | 70 enabled = false; |
| 70 } | 71 } |
| 71 | 72 |
| 72 if (ssl_ciphers[i] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) { | 73 if (ssl_ciphers[i] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) { |
| 73 // Enabled to allow servers with only a DSA certificate to function. | 74 // Enabled to allow servers with only a DSA certificate to function. |
| 74 enabled = true; | 75 enabled = true; |
| 75 } | 76 } |
| 76 SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled); | 77 SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled); |
| 266 const char* param) { | 267 const char* param) { |
| 267 DCHECK(function); | 268 DCHECK(function); |
| 268 DCHECK(param); | 269 DCHECK(param); |
| 269 net_log.AddEvent( | 270 net_log.AddEvent( |
| 270 NetLog::TYPE_SSL_NSS_ERROR, | 271 NetLog::TYPE_SSL_NSS_ERROR, |
| 271 base::Bind(&NetLogSSLFailedNSSFunctionCallback, | 272 base::Bind(&NetLogSSLFailedNSSFunctionCallback, |
| 272 function, param, PR_GetError())); | 273 function, param, PR_GetError())); |
| 273 } | 274 } |
| 274 | 275 |
| 275 } // namespace net | 276 } // namespace net |
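Review bot: The `if (SSL_GetCipherSuiteInfo(...) == SECSuccess)` test on new lines 54-55 has no else branch, so a suite whose info lookup fails is left at NSS's built-in default preference instead of being explicitly disabled, which contradicts the "Explicitly enable exactly those ciphers" comment on line 51; adding `} else { SSL_CipherPrefSetDefault(ssl_ciphers[i], false); }` after the block would make the filter fail closed. The newly added `info.macAlgorithm == ssl_hmac_sha256 ||` on line 67 drops every suite whose MAC is HMAC-SHA256, which likely leaves no TLS 1.2-only suites in the ClientHello, so a server configured to accept only SHA-256 MAC suites would presumably fail to negotiate; that trade-off deserves a sentence in the comment on lines 60-62, e.g. `// (this also removes all TLS 1.2-only suites; servers must still offer a SHA-1 MAC suite)`. Note also that the DSS override on lines 73-76 runs after the new filter and re-enables `TLS_DHE_DSS_WITH_AES_128_CBC_SHA` regardless of every check above it, which appears intended but is easy to misread. The enclosing function begins before this hunk, so `ssl_ciphers`, `num_ciphers` and `disableECDSA` are not visible here.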