net/socket/ssl_client_socket_impl.cc - Issue 2510633003: Add an escape hatch for the ECDSA CBC cipher removal.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/socket/ssl_client_socket_impl.cc

Issue 2510633003: Add an escape hatch for the ECDSA CBC cipher removal. (Closed)

Patch Set: add bug link Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/socket/ssl_client_socket_impl.cc

diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc

index a5d2afd7d8483a4996e04f9b68e3756f55af5d1a..9c5de623961687bc39a9f17cf5caeb45e69649a4 100644

--- a/net/socket/ssl_client_socket_impl.cc

+++ b/net/socket/ssl_client_socket_impl.cc

@@ -11,6 +11,7 @@

#include "base/bind.h"

#include "base/callback_helpers.h"

+#include "base/feature_list.h"

#include "base/lazy_instance.h"

#include "base/macros.h"

#include "base/memory/singleton.h"

@@ -216,6 +217,21 @@ int GetBufferSize(const char* field_trial) {

return buffer_size;

}

+#if defined(OS_NACL)

+bool AreLegacyECDSACiphersEnabled() {

+ return false;

+#else

+// TODO(davidben): Remove this after the ECDSA CBC removal sticks.

+// https:/crbug.com/666191.

+const base::Feature kLegacyECDSACiphersFeature{

+ "SSLLegacyECDSACiphers", base::FEATURE_DISABLED_BY_DEFAULT};

+bool AreLegacyECDSACiphersEnabled() {

+ return base::FeatureList::IsEnabled(kLegacyECDSACiphersFeature);

+#endif

} // namespace

class SSLClientSocketImpl::SSLContext {

@@ -943,16 +959,14 @@ int SSLClientSocketImpl::Init() {

}

// Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers

- // (note that SHA256 and SHA384 only select legacy CBC ciphers). Additionally

- // disable HMAC-SHA1 ciphers in ECDSA. Also disable

+ // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable

// DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not

- // supported. As DHE is being deprecated, don't add a cipher only to remove it

- // immediately.

+ // supported. As DHE is being deprecated, don't add a cipher only to remove

+ // it immediately.

// TODO(davidben): Remove the DHE_RSA_WITH_AES_256_GCM_SHA384 exclusion when

// the DHEEnabled administrative policy expires.

- command.append(

- "ALL:!SHA256:!SHA384:!ECDSA+SHA1:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4");

+ command.append("ALL:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK:!RC4");

if (ssl_config_.require_ecdhe)

command.append(":!kRSA:!kDHE");

@@ -962,6 +976,11 @@ int SSLClientSocketImpl::Init() {

command.append(":!kDHE");

}

+ // Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining

+ // CBC-mode ECDSA ciphers.

+ if (!AreLegacyECDSACiphersEnabled())

+ command.append("!ECDSA+SHA1");

// Remove any disabled ciphers.

for (uint16_t id : ssl_config_.disabled_cipher_suites) {

const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);

« no previous file with comments | « no previous file | no next file » | no next file with comments »