1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/nss_ssl_util.h" | 5 #include "net/socket/nss_ssl_util.h" |
6 | 6 |
7 #include <nss.h> | 7 #include <nss.h> |
8 #include <secerr.h> | 8 #include <secerr.h> |
9 #include <ssl.h> | 9 #include <ssl.h> |
10 #include <sslerr.h> | 10 #include <sslerr.h> |
51 // Explicitly enable exactly those ciphers with keys of at least 80 bits | 51 // Explicitly enable exactly those ciphers with keys of at least 80 bits |
52 for (int i = 0; i < num_ciphers; i++) { | 52 for (int i = 0; i < num_ciphers; i++) { |
53 SSLCipherSuiteInfo info; | 53 SSLCipherSuiteInfo info; |
54 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, | 54 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, |
55 sizeof(info)) == SECSuccess) { | 55 sizeof(info)) == SECSuccess) { |
56 bool enabled = info.effectiveKeyBits >= 80; | 56 bool enabled = info.effectiveKeyBits >= 80; |
57 if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA) | 57 if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA) |
58 enabled = false; | 58 enabled = false; |
59 | 59 |
60 // Trim the list of cipher suites in order to keep the size of the | 60 // Trim the list of cipher suites in order to keep the size of the |
61 // ClientHello down. DSS, ECDH, CAMELLIA, SEED and ECC+3DES cipher | 61 // ClientHello down. DSS, ECDH, CAMELLIA, SEED, ECC+3DES, and |
62 // suites are disabled. | 62 // HMAC-SHA256 cipher suites are disabled. |
63 if (info.symCipher == ssl_calg_camellia || | 63 if (info.symCipher == ssl_calg_camellia || |
64 info.symCipher == ssl_calg_seed || | 64 info.symCipher == ssl_calg_seed || |
65 (info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) || | 65 (info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) || |
66 info.authAlgorithm == ssl_auth_dsa || | 66 info.authAlgorithm == ssl_auth_dsa || |
| 67 info.macAlgorithm == ssl_hmac_sha256 || |
67 info.nonStandard || | 68 info.nonStandard || |
68 strcmp(info.keaTypeName, "ECDH") == 0) { | 69 strcmp(info.keaTypeName, "ECDH") == 0) { |
69 enabled = false; | 70 enabled = false; |
70 } | 71 } |
71 | 72 |
72 if (ssl_ciphers[i] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) { | 73 if (ssl_ciphers[i] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) { |
73 // Enabled to allow servers with only a DSA certificate to function. | 74 // Enabled to allow servers with only a DSA certificate to function. |
74 enabled = true; | 75 enabled = true; |
75 } | 76 } |
76 SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled); | 77 SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled); |
266 const char* param) { | 267 const char* param) { |
267 DCHECK(function); | 268 DCHECK(function); |
268 DCHECK(param); | 269 DCHECK(param); |
269 net_log.AddEvent( | 270 net_log.AddEvent( |
270 NetLog::TYPE_SSL_NSS_ERROR, | 271 NetLog::TYPE_SSL_NSS_ERROR, |
271 base::Bind(&NetLogSSLFailedNSSFunctionCallback, | 272 base::Bind(&NetLogSSLFailedNSSFunctionCallback, |
272 function, param, PR_GetError())); | 273 function, param, PR_GetError())); |
273 } | 274 } |
274 | 275 |
275 } // namespace net | 276 } // namespace net |
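Review bot: The new `info.macAlgorithm == ssl_hmac_sha256` test (new line 67 in the cipher-suite loop) disables every suite whose MAC is HMAC-SHA256, and the comment records only ClientHello size as the reason; the assumption that makes this safe should be stated too, namely that each dropped suite has an HMAC-SHA1 sibling that stays enabled and that HMAC-SHA1 is not affected by SHA-1 collision results. Against a server configured to offer only SHA-256 suites this client will fail the handshake rather than pick a weaker suite, which is presumably acceptable but worth saying next to the check. AEAD suites are expected to report a MAC algorithm other than `ssl_hmac_sha256`, so they would not be trimmed by this line; a note such as `// AEAD suites do not report ssl_hmac_sha256 and are unaffected; revisit this trim when they are added.` would keep the next maintainer from widening or misreading the check. The function containing this loop begins before the hunk.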