
Side by Side Diff: net/socket/nss_ssl_util.cc

Issue 60353005: net: disable ChaCha20 based cipher suites. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Match against ssl_calg_chacha20 Created 7 years, 1 month ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/socket/nss_ssl_util.h" 5 #include "net/socket/nss_ssl_util.h"
6 6
7 #include <nss.h> 7 #include <nss.h>
8 #include <secerr.h> 8 #include <secerr.h>
9 #include <ssl.h> 9 #include <ssl.h>
10 #include <sslerr.h> 10 #include <sslerr.h>
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after
54 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, 54 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info,
55 sizeof(info)) == SECSuccess) { 55 sizeof(info)) == SECSuccess) {
56 bool enabled = info.effectiveKeyBits >= 80; 56 bool enabled = info.effectiveKeyBits >= 80;
57 if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA) 57 if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA)
58 enabled = false; 58 enabled = false;
59 59
60 // Trim the list of cipher suites in order to keep the size of the 60 // Trim the list of cipher suites in order to keep the size of the
61 // ClientHello down. DSS, ECDH, CAMELLIA, SEED, ECC+3DES, and 61 // ClientHello down. DSS, ECDH, CAMELLIA, SEED, ECC+3DES, and
62 // HMAC-SHA256 cipher suites are disabled. 62 // HMAC-SHA256 cipher suites are disabled.
63 if (info.symCipher == ssl_calg_camellia || 63 if (info.symCipher == ssl_calg_camellia ||
64 info.symCipher == ssl_calg_seed || 64 info.symCipher == ssl_calg_seed ||
wtc 2013/11/06 19:18:40 We can also move the info.symCipher == ssl_calg_ch
65 (info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) || 65 (info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) ||
66 info.authAlgorithm == ssl_auth_dsa || 66 info.authAlgorithm == ssl_auth_dsa ||
67 info.macAlgorithm == ssl_hmac_sha256 || 67 info.macAlgorithm == ssl_hmac_sha256 ||
68 info.nonStandard || 68 info.nonStandard ||
69 strcmp(info.keaTypeName, "ECDH") == 0) { 69 strcmp(info.keaTypeName, "ECDH") == 0) {
70 enabled = false; 70 enabled = false;
71 } 71 }
72 72
73 // We also disable ChaCha20 based cipher suites for now because we
74 // aren't quite ready to use them in M32.
75 if (info.symCipher == ssl_calg_chacha20)
76 enabled = false;
77
73 if (ssl_ciphers[i] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) { 78 if (ssl_ciphers[i] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) {
74 // Enabled to allow servers with only a DSA certificate to function. 79 // Enabled to allow servers with only a DSA certificate to function.
75 enabled = true; 80 enabled = true;
76 } 81 }
77 SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled); 82 SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled);
78 } 83 }
79 } 84 }
80 85
81 // Enable SSL. 86 // Enable SSL.
82 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); 87 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
(...skipping 188 matching lines...) Expand 10 before | Expand all | Expand 10 after
271 const char* param) { 276 const char* param) {
272 DCHECK(function); 277 DCHECK(function);
273 DCHECK(param); 278 DCHECK(param);
274 net_log.AddEvent( 279 net_log.AddEvent(
275 NetLog::TYPE_SSL_NSS_ERROR, 280 NetLog::TYPE_SSL_NSS_ERROR,
276 base::Bind(&NetLogSSLFailedNSSFunctionCallback, 281 base::Bind(&NetLogSSLFailedNSSFunctionCallback,
277 function, param, PR_GetError())); 282 function, param, PR_GetError()));
278 } 283 }
279 284
280 } // namespace net 285 } // namespace net
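Review bot: The comment added at new lines 73-74 says the ChaCha20 suites are disabled "for now" but records no tracking bug or re-enable condition, so a temporary removal of an AEAD suite from the default ClientHello can quietly become permanent. I would extend it with something like `// TODO(<owner>): re-enable after M32; see <tracking bug>.` The new check also sits before the `TLS_DHE_DSS_WITH_AES_128_CBC_SHA` override, which sets `enabled = true` unconditionally. That is harmless today, but any override added there later would win over this disable, so a short comment that the ordering matters would help. The enclosing function begins in the skipped lines above, so whether anything else adjusts these defaults is not visible here.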