net: boost AES-GCM ciphers if the machine has AES-NI.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 50 matching lines @@
 #include <sslproto.h>
 
 #include <algorithm>
 #include <limits>
 #include <map>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback_helpers.h"
 #include "base/compiler_specific.h"
+#include "base/cpu.h"
 #include "base/logging.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram.h"
 #include "base/single_thread_task_runner.h"
 #include "base/stl_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/thread_task_runner_handle.h"
 #include "base/threading/thread_restrictions.h"
@@ skipping 402 matching lines @@
   switch (err) {
     // If the server closed on us, it is a protocol error.
     // Some TLS-intolerant servers do this when we request TLS.
     case PR_END_OF_FILE_ERROR:
       return ERR_SSL_PROTOCOL_ERROR;
     default:
       return MapNSSClientError(err);
   }
 }
 
+// CiphersRemove takes a zero-terminated array of cipher suite ids in
+// |to_remove| and sets every instance of them in |ciphers| to zero. It returns
+// true if it found and removed every element of |to_remove|. It assumes that
+// there are no duplicates in |ciphers| nor in |to_remove|.
+bool CiphersRemove(const uint16* to_remove, uint16* ciphers, size_t num) {
+  size_t num_remove, found = 0;
+
+  for (num_remove = 0; ; num_remove++) {
+    if (to_remove[num_remove] == 0)
+      break;
+  }
+
+  for (size_t i = 0; i < num; i++) {
+    for (size_t j = 0; j < num_remove; j++) {
+      if (to_remove[j] == ciphers[i]) {
+        ciphers[i] = 0;
+        found++;
+        break;
+      }
+    }
+  }
+
+  return found == num_remove;
+}
+
+// CiphersCompact takes an array of cipher suite ids in |ciphers|, where some
+// entries are zero, and moves the entries so that all the non-zero elements
+// are compacted at the end of the array.
+size_t CiphersCompact(uint16* ciphers, size_t num) {
+  size_t j = num - 1;
+
+  for (size_t i = num - 1; i < num; i--) {
+    printf("@%u %d %u\n", (unsigned) i, ciphers[i], (unsigned) j);
+    if (ciphers[i] == 0)
+      continue;
+    ciphers[j--] = ciphers[i];
+  }
+  return j+1;
+}
+
+// CiphersCopy copies the zero-terminated array |in| to |out|.
+size_t CiphersCopy(const uint16* in, uint16* out) {
+  for (size_t i = 0; ; i++) {
+    if (in[i] == 0)
+      return i;
+    out[i] = in[i];
+  }
+}
+
 }  // namespace
 
 // SSLClientSocketNSS::Core provides a thread-safe, ref-counted core that is
 // able to marshal data between NSS functions and an underlying transport
 // socket.
 //
 // All public functions are meant to be called from the network task runner,
 // and any callbacks supplied will be invoked there as well, provided that
 // Detach() has not been called yet.
 //
@@ skipping 2608 matching lines @@
   }
 
   for (std::vector<uint16>::const_iterator it =
            ssl_config_.disabled_cipher_suites.begin();
        it != ssl_config_.disabled_cipher_suites.end(); ++it) {
     // This will fail if the specified cipher is not implemented by NSS, but
     // the failure is harmless.
     SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE);
   }
 
+  /* Our top preference cipher suites are either forward-secure AES-GCM or
+   * forward secure ChaCha20-Poly1305. If the local machine has AES-NI then we
+   * prefer AES-GCM, otherwise ChaCha20. The remainder of the cipher suite
+   * preference is inheriented from NSS. */
+  static const uint16 chacha_ciphers[] = {
+    0xcc14  /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 */,
+    0xcc13  /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 */,
+    0,
+  };
+  static const uint16 aes_gcm_ciphers[] = {
+    0xc02b  /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */,
+    0xc02f  /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */,
+    0x9e    /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */,
+    0,
+  };
+  const PRUint16 *all_ciphers = SSL_GetImplementedCiphers();
+  const size_t num_ciphers = SSL_GetNumImplementedCiphers();
+  scoped_ptr<uint16[]> ciphers(new uint16[num_ciphers]);
+  memcpy(ciphers.get(), all_ciphers, sizeof(uint16)*num_ciphers);
+
+  if (CiphersRemove(chacha_ciphers, ciphers.get(), num_ciphers) &&
+      CiphersRemove(aes_gcm_ciphers, ciphers.get(), num_ciphers)) {
+    CiphersCompact(ciphers.get(), num_ciphers);
+
+    const uint16 *preference_ciphers = chacha_ciphers;
+    const uint16 *other_ciphers = aes_gcm_ciphers;
+    if (base::CPU().has_aesni()) {

[wtc, 2013/11/19 23:00:44]

Since this won't change over time, we should ideally do this only once. We have
a NSSSSLInitSingleton in net/socket/nss_ssl_util.cc that might be a good place
to do this.

[agl, 2013/11/20 18:21:07]

Done.

+      preference_ciphers = aes_gcm_ciphers;
+      other_ciphers = chacha_ciphers;
+    }
+    unsigned i = CiphersCopy(preference_ciphers, ciphers.get());
+    CiphersCopy(other_ciphers, &ciphers[i]);
+
+    rv = SSL_CipherOrderSet(nss_fd_, ciphers.get(), num_ciphers);
+    if (rv != SECSuccess) {
+      LogFailedNSSFunction(net_log_, "SSL_CipherOrderSet", "");
+    }
+  }
+
   // Support RFC 5077
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(
         net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
   }
 
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START,
                      ssl_config_.false_start_enabled);
   if (rv != SECSuccess)
@@ skipping 348 matching lines @@
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net