Unified Diff: net/socket/ssl_client_socket_impl.cc

Issue 2769153003: Unwind ECDSA CBC escape hatch. (Closed)
Patch Set: Created 3 years, 9 months ago
Index: net/socket/ssl_client_socket_impl.cc
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index bdbce02cc97fcb7eefd8971e9ee52a1a281cceb3..b8db10f14f38dff4b5bdc11c3df902495baeaa2e 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -12,7 +12,6 @@
#include "base/bind.h"
#include "base/callback_helpers.h"
-#include "base/feature_list.h"
#include "base/lazy_instance.h"
#include "base/macros.h"
#include "base/memory/singleton.h"
@@ -219,21 +218,6 @@ int GetBufferSize(const char* field_trial) {
return buffer_size;
}
-#if defined(OS_NACL)
-bool AreLegacyECDSACiphersEnabled() {
- return false;
-}
-#else
-// TODO(davidben): Remove this after the ECDSA CBC removal sticks.
-// https:/crbug.com/666191.
-const base::Feature kLegacyECDSACiphersFeature{
- "SSLLegacyECDSACiphers", base::FEATURE_DISABLED_BY_DEFAULT};
-
-bool AreLegacyECDSACiphersEnabled() {
- return base::FeatureList::IsEnabled(kLegacyECDSACiphersFeature);
-}
-#endif
-
scoped_refptr<X509Certificate> OSChainFromBuffers(STACK_OF(CRYPTO_BUFFER) *
openssl_chain) {
if (sk_CRYPTO_BUFFER_num(openssl_chain) == 0) {
@@ -929,16 +913,13 @@ int SSLClientSocketImpl::Init() {
// Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
// (note that SHA256 and SHA384 only select legacy CBC ciphers).
- std::string command("ALL:!SHA256:!SHA384:!kDHE:!aPSK:!RC4");
+ // Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
+ // CBC-mode ECDSA ciphers.
+ std::string command("ALL:!SHA256:!SHA384:!kDHE:!aPSK:!RC4:!ECDSA+SHA1");
if (ssl_config_.require_ecdhe)
command.append(":!kRSA:!kDHE");
- // Additionally disable HMAC-SHA1 ciphers in ECDSA. These are the remaining
- // CBC-mode ECDSA ciphers.
- if (!AreLegacyECDSACiphersEnabled())
- command.append("!ECDSA+SHA1");
-
// Remove any disabled ciphers.
for (uint16_t id : ssl_config_.disabled_cipher_suites) {
const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);
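Review bot: The `require_ecdhe` branch on the line after the new cipher string still appends `:!kRSA:!kDHE`, but `!kDHE` is already part of the base string on the new side, so the appended `!kDHE` is now redundant. The cipher-string parser appears to tolerate a repeated exclusion, so this is a readability point rather than a defect, but it suggests `kDHE` is only disabled under `require_ecdhe` when in fact it is disabled unconditionally; `command.append(":!kRSA");` states the intent precisely. Since the removed escape hatch was the only reason the ECDSA+SHA1 exclusion was separate, the new comment could also record that the exclusion is unconditional, e.g. `// Additionally disable HMAC-SHA1 ciphers in ECDSA unconditionally (the` / `// former SSLLegacyECDSACiphers escape hatch has been removed).` The body of SSLClientSocketImpl::Init() continues past the end of the hunk.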
