| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket_impl.h" | 5 #include "net/socket/ssl_client_socket_impl.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <openssl/bio.h> | 8 #include <openssl/bio.h> |
| 9 #include <openssl/bytestring.h> | 9 #include <openssl/bytestring.h> |
| 10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
| 11 #include <openssl/evp.h> | 11 #include <openssl/evp.h> |
| 12 #include <openssl/mem.h> | 12 #include <openssl/mem.h> |
| 13 #include <openssl/ssl.h> | 13 #include <openssl/ssl.h> |
| 14 #include <string.h> | 14 #include <string.h> |
| 15 | 15 |
| 16 #include <utility> | 16 #include <utility> |
| 17 | 17 |
| 18 #include "base/bind.h" | 18 #include "base/bind.h" |
| 19 #include "base/callback_helpers.h" | 19 #include "base/callback_helpers.h" |
| 20 #include "base/feature_list.h" | |
| 21 #include "base/lazy_instance.h" | 20 #include "base/lazy_instance.h" |
| 22 #include "base/macros.h" | 21 #include "base/macros.h" |
| 23 #include "base/memory/singleton.h" | 22 #include "base/memory/singleton.h" |
| 24 #include "base/metrics/field_trial.h" | 23 #include "base/metrics/field_trial.h" |
| 25 #include "base/metrics/histogram_macros.h" | 24 #include "base/metrics/histogram_macros.h" |
| 26 #include "base/metrics/sparse_histogram.h" | 25 #include "base/metrics/sparse_histogram.h" |
| 27 #include "base/profiler/scoped_tracker.h" | 26 #include "base/profiler/scoped_tracker.h" |
| 28 #include "base/strings/string_number_conversions.h" | 27 #include "base/strings/string_number_conversions.h" |
| 29 #include "base/strings/string_piece.h" | 28 #include "base/strings/string_piece.h" |
| 30 #include "base/synchronization/lock.h" | 29 #include "base/synchronization/lock.h" |
| (...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 79 | 78 |
| 80 // TLS extension number use for Token Binding. | 79 // TLS extension number use for Token Binding. |
| 81 const unsigned int kTbExtNum = 24; | 80 const unsigned int kTbExtNum = 24; |
| 82 | 81 |
| 83 // Token Binding ProtocolVersions supported. | 82 // Token Binding ProtocolVersions supported. |
| 84 const uint8_t kTbProtocolVersionMajor = 0; | 83 const uint8_t kTbProtocolVersionMajor = 0; |
| 85 const uint8_t kTbProtocolVersionMinor = 8; | 84 const uint8_t kTbProtocolVersionMinor = 8; |
| 86 const uint8_t kTbMinProtocolVersionMajor = 0; | 85 const uint8_t kTbMinProtocolVersionMajor = 0; |
| 87 const uint8_t kTbMinProtocolVersionMinor = 6; | 86 const uint8_t kTbMinProtocolVersionMinor = 6; |
| 88 | 87 |
| 89 #if !defined(OS_NACL) | |
| 90 const base::Feature kPostQuantumExperiment{"SSLPostQuantumExperiment", | |
| 91 base::FEATURE_DISABLED_BY_DEFAULT}; | |
| 92 #endif | |
| 93 | |
| 94 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { | 88 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { |
| 95 switch (EVP_MD_type(md)) { | 89 switch (EVP_MD_type(md)) { |
| 96 case NID_md5_sha1: | 90 case NID_md5_sha1: |
| 97 *hash = SSLPrivateKey::Hash::MD5_SHA1; | 91 *hash = SSLPrivateKey::Hash::MD5_SHA1; |
| 98 return true; | 92 return true; |
| 99 case NID_sha1: | 93 case NID_sha1: |
| 100 *hash = SSLPrivateKey::Hash::SHA1; | 94 *hash = SSLPrivateKey::Hash::SHA1; |
| 101 return true; | 95 return true; |
| 102 case NID_sha256: | 96 case NID_sha256: |
| 103 *hash = SSLPrivateKey::Hash::SHA256; | 97 *hash = SSLPrivateKey::Hash::SHA256; |
| (...skipping 897 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1001 | 995 |
| 1002 SSL_set_mode(ssl_, mode.set_mask); | 996 SSL_set_mode(ssl_, mode.set_mask); |
| 1003 SSL_clear_mode(ssl_, mode.clear_mask); | 997 SSL_clear_mode(ssl_, mode.clear_mask); |
| 1004 | 998 |
| 1005 // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers | 999 // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers |
| 1006 // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable | 1000 // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable |
| 1007 // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not | 1001 // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not |
| 1008 // supported. As DHE is being deprecated, don't add a cipher only to remove it | 1002 // supported. As DHE is being deprecated, don't add a cipher only to remove it |
| 1009 // immediately. | 1003 // immediately. |
| 1010 std::string command; | 1004 std::string command; |
| 1011 #if !defined(OS_NACL) | 1005 if (SSLClientSocket::IsPostQuantumExperimentEnabled()) { |
| 1012 if (base::FeatureList::IsEnabled(kPostQuantumExperiment)) { | |
| 1013 // These are experimental, non-standard ciphersuites. They are part of an | 1006 // These are experimental, non-standard ciphersuites. They are part of an |
| 1014 // experiment in post-quantum cryptography. They're not intended to | 1007 // experiment in post-quantum cryptography. They're not intended to |
| 1015 // represent a de-facto standard, and will be removed from BoringSSL in | 1008 // represent a de-facto standard, and will be removed from BoringSSL in |
| 1016 // ~2018. | 1009 // ~2018. |
| 1017 if (EVP_has_aes_hardware()) { | 1010 if (EVP_has_aes_hardware()) { |
| 1018 command.append( | 1011 command.append( |
| 1019 "CECPQ1-RSA-AES256-GCM-SHA384:" | 1012 "CECPQ1-RSA-AES256-GCM-SHA384:" |
| 1020 "CECPQ1-ECDSA-AES256-GCM-SHA384:"); | 1013 "CECPQ1-ECDSA-AES256-GCM-SHA384:"); |
| 1021 } | 1014 } |
| 1022 command.append( | 1015 command.append( |
| 1023 "CECPQ1-RSA-CHACHA20-POLY1305-SHA256:" | 1016 "CECPQ1-RSA-CHACHA20-POLY1305-SHA256:" |
| 1024 "CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256:"); | 1017 "CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256:"); |
| 1025 if (!EVP_has_aes_hardware()) { | 1018 if (!EVP_has_aes_hardware()) { |
| 1026 command.append( | 1019 command.append( |
| 1027 "CECPQ1-RSA-AES256-GCM-SHA384:" | 1020 "CECPQ1-RSA-AES256-GCM-SHA384:" |
| 1028 "CECPQ1-ECDSA-AES256-GCM-SHA384:"); | 1021 "CECPQ1-ECDSA-AES256-GCM-SHA384:"); |
| 1029 } | 1022 } |
| 1030 } | 1023 } |
| 1031 #endif | |
| 1032 command.append("ALL:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4"); | 1024 command.append("ALL:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4"); |
| 1033 | 1025 |
| 1034 if (ssl_config_.require_ecdhe) | 1026 if (ssl_config_.require_ecdhe) |
| 1035 command.append(":!kRSA:!kDHE"); | 1027 command.append(":!kRSA:!kDHE"); |
| 1036 | 1028 |
| 1037 if (!ssl_config_.deprecated_cipher_suites_enabled) { | 1029 if (!ssl_config_.deprecated_cipher_suites_enabled) { |
| 1038 // Only offer DHE on the second handshake. https://crbug.com/538690 | 1030 // Only offer DHE on the second handshake. https://crbug.com/538690 |
| 1039 command.append(":!kDHE"); | 1031 command.append(":!kDHE"); |
| 1040 } | 1032 } |
| 1041 | 1033 |
| (...skipping 1344 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2386 } | 2378 } |
| 2387 UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported, | 2379 UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported, |
| 2388 CHANNEL_ID_USAGE_MAX); | 2380 CHANNEL_ID_USAGE_MAX); |
| 2389 } | 2381 } |
| 2390 | 2382 |
| 2391 bool SSLClientSocketImpl::IsChannelIDEnabled() const { | 2383 bool SSLClientSocketImpl::IsChannelIDEnabled() const { |
| 2392 return ssl_config_.channel_id_enabled && channel_id_service_; | 2384 return ssl_config_.channel_id_enabled && channel_id_service_; |
| 2393 } | 2385 } |
| 2394 | 2386 |
| 2395 } // namespace net | 2387 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2192053002:
Metric & meta-metric for CECPQ1 handshake latency. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master