| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/nss_ssl_util.h" | 5 #include "net/socket/nss_ssl_util.h" |
| 6 | 6 |
| 7 #include <nss.h> | 7 #include <nss.h> |
| 8 #include <secerr.h> | 8 #include <secerr.h> |
| 9 #include <ssl.h> | 9 #include <ssl.h> |
| 10 #include <sslerr.h> | 10 #include <sslerr.h> |
| (...skipping 28 matching lines...) Expand all Loading... |
| 39 const PRUint16* pSSL_ImplementedCiphers = static_cast<const PRUint16*>( | 39 const PRUint16* pSSL_ImplementedCiphers = static_cast<const PRUint16*>( |
| 40 dlsym(RTLD_DEFAULT, "SSL_ImplementedCiphers")); | 40 dlsym(RTLD_DEFAULT, "SSL_ImplementedCiphers")); |
| 41 if (pSSL_ImplementedCiphers == NULL) { | 41 if (pSSL_ImplementedCiphers == NULL) { |
| 42 NOTREACHED() << "Can't get list of supported ciphers"; | 42 NOTREACHED() << "Can't get list of supported ciphers"; |
| 43 return; | 43 return; |
| 44 } | 44 } |
| 45 #else | 45 #else |
| 46 #define pSSL_ImplementedCiphers SSL_ImplementedCiphers | 46 #define pSSL_ImplementedCiphers SSL_ImplementedCiphers |
| 47 #endif | 47 #endif |
| 48 | 48 |
| 49 // Explicitly enable exactly those ciphers with keys of at least 80 bits | 49 // Explicitly enable exactly those ciphers with keys of at least 80 bits, |
| 50 // except for SRP ciphers. |
| 50 for (int i = 0; i < SSL_NumImplementedCiphers; i++) { | 51 for (int i = 0; i < SSL_NumImplementedCiphers; i++) { |
| 51 SSLCipherSuiteInfo info; | 52 SSLCipherSuiteInfo info; |
| 52 if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info, | 53 if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info, |
| 53 sizeof(info)) == SECSuccess) { | 54 sizeof(info)) == SECSuccess) { |
| 54 SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i], | 55 SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i], |
| 55 (info.effectiveKeyBits >= 80)); | 56 (info.effectiveKeyBits >= 80 && |
| 57 !IsNSSCipherKEATypeSRP(info.keaType))); |
| 56 } | 58 } |
| 57 } | 59 } |
| 58 | 60 |
| 59 // Enable SSL. | 61 // Enable SSL. |
| 60 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); | 62 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); |
| 61 | 63 |
| 62 // All other SSL options are set per-session by SSLClientSocket and | 64 // All other SSL options are set per-session by SSLClientSocket and |
| 63 // SSLServerSocket. | 65 // SSLServerSocket. |
| 64 } | 66 } |
| 65 | 67 |
| (...skipping 112 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 178 case SSL_ERROR_ILLEGAL_PARAMETER_ALERT: | 180 case SSL_ERROR_ILLEGAL_PARAMETER_ALERT: |
| 179 return ERR_SSL_PROTOCOL_ERROR; | 181 return ERR_SSL_PROTOCOL_ERROR; |
| 180 case SSL_ERROR_DECOMPRESSION_FAILURE_ALERT: | 182 case SSL_ERROR_DECOMPRESSION_FAILURE_ALERT: |
| 181 return ERR_SSL_DECOMPRESSION_FAILURE_ALERT; | 183 return ERR_SSL_DECOMPRESSION_FAILURE_ALERT; |
| 182 case SSL_ERROR_BAD_MAC_ALERT: | 184 case SSL_ERROR_BAD_MAC_ALERT: |
| 183 return ERR_SSL_BAD_RECORD_MAC_ALERT; | 185 return ERR_SSL_BAD_RECORD_MAC_ALERT; |
| 184 case SSL_ERROR_UNSAFE_NEGOTIATION: | 186 case SSL_ERROR_UNSAFE_NEGOTIATION: |
| 185 return ERR_SSL_UNSAFE_NEGOTIATION; | 187 return ERR_SSL_UNSAFE_NEGOTIATION; |
| 186 case SSL_ERROR_WEAK_SERVER_KEY: | 188 case SSL_ERROR_WEAK_SERVER_KEY: |
| 187 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY; | 189 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY; |
| 190 case SSL_ERROR_UNKNOWN_PSK_IDENTITY_ALERT: |
| 191 return ERR_SSL_UNKNOWN_PSK_IDENTITY_ALERT; |
| 188 | 192 |
| 189 default: { | 193 default: { |
| 190 if (IS_SSL_ERROR(err)) { | 194 if (IS_SSL_ERROR(err)) { |
| 191 LOG(WARNING) << "Unknown SSL error " << err << | 195 LOG(WARNING) << "Unknown SSL error " << err << |
| 192 " mapped to net::ERR_SSL_PROTOCOL_ERROR"; | 196 " mapped to net::ERR_SSL_PROTOCOL_ERROR"; |
| 193 return ERR_SSL_PROTOCOL_ERROR; | 197 return ERR_SSL_PROTOCOL_ERROR; |
| 194 } | 198 } |
| 195 LOG(WARNING) << "Unknown error " << err << | 199 LOG(WARNING) << "Unknown error " << err << |
| 196 " mapped to net::ERR_FAILED"; | 200 " mapped to net::ERR_FAILED"; |
| 197 return ERR_FAILED; | 201 return ERR_FAILED; |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 238 }; | 242 }; |
| 239 | 243 |
| 240 void LogFailedNSSFunction(const BoundNetLog& net_log, | 244 void LogFailedNSSFunction(const BoundNetLog& net_log, |
| 241 const char* function, | 245 const char* function, |
| 242 const char* param) { | 246 const char* param) { |
| 243 net_log.AddEvent( | 247 net_log.AddEvent( |
| 244 NetLog::TYPE_SSL_NSS_ERROR, | 248 NetLog::TYPE_SSL_NSS_ERROR, |
| 245 make_scoped_refptr(new SSLFailedNSSFunctionParams(function, param))); | 249 make_scoped_refptr(new SSLFailedNSSFunctionParams(function, param))); |
| 246 } | 250 } |
| 247 | 251 |
| 252 // Returns true iff |kea_type|, an NSS cipher's key exchange algorithm (KEA), |
| 253 // uses SRP, including ciphers that also use certificates (e.g., SRP_SHA_RSA |
| 254 // and SRP_SHA_DSS). |
| 255 bool IsNSSCipherKEATypeSRP(SSLKEAType kea_type) { |
| 256 return kea_type == ssl_kea_srp || |
| 257 kea_type == ssl_kea_srp_rsa || |
| 258 kea_type == ssl_kea_srp_dss; |
| 259 } |
| 260 |
| 248 } // namespace net | 261 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6804032:
Add TLS-SRP (RFC 5054) support
Base URL: http://git.chromium.org/git/chromium.git@trunk