net: disable ECDSA ciphersuites on platforms where we can't support it.

net/socket/nss_ssl_util.cc

Index: net/socket/nss_ssl_util.cc
diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index d262f939dc38bd9db7017663891c7e2dfd2bbafc..503a016e76aafe55c408b583bc5f19472495cedd 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -17,10 +17,17 @@
 #include "base/memory/singleton.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
+#include "build/build_config.h"
 #include "crypto/nss_util.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 
+#if defined(OS_WIN)
+#include "base/win/windows_version.h"
+#elif defined(OS_MACOSX)
+#include "base/mac/mac_util.h"
+#endif
+

[Mark Mentovai, 2012/08/15 02:33:48]

Alternative B, if you’re intent on landing this on the trunk as-is first and
then merging it straight over, is to use the strategy you proposed earlier by
landing IsOSSnowLeopardOrLater on the trunk temporarily in a separate
not-for-merge change independent of the “meat” of this one, except scoping it to
this file only, not landing it in base. Since its return value on the trunk is a
constant anyway, you could just write it right here:

namespace {
namespace base {
namespace mac {
// see, told ya it was a tautology
bool IsOSSnowLeopardOrLater() { return true; }
}  // namespace mac
}  // namespace base
}  // namespace

Obviously you’d need to keep the mac_util.h #include in the “meat” of your
for-merge change to make sure it works on the branch, which won’t have this
version of the function.

 namespace net {
 
 class NSSSSLInitSingleton {
@@ -60,6 +67,19 @@ class NSSSSLInitSingleton {
     // Enable SSL.
     SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
 
+    // Disable ECDSA cipher suites on platforms that do not support ECDSA
+    // signed certificates, as servers may use the presence of such
+    // ciphersuites as a hint to send an ECDSA certificate.
+#if defined(OS_WIN)
+    if (base::win::GetVersion() < base::win::VERSION_VISTA) {

[Ryan Sleevi, 2012/08/15 01:45:35]

nit on the braces here ;)

+      DisableECDSA();
+    }
+#elif defined(OS_MACOSX)
+    if (!base::mac::IsOSSnowLeopardOrLater()) {

[Mark Mentovai, 2012/08/15 02:19:22]

We’ve removed all 10.5-specific code on the trunk. You’ll need to leave the
Mac-specific parts out of this patch. For the merge to the 21.0.1180 branch, you
will need to add this code here back in. IsOSSnowLeopardOrLater still does exist
on that branch.

+      DisableECDSA();
+    }
+#endif
+
     // All other SSL options are set per-session by SSLClientSocket and
     // SSLServerSocket.
   }
@@ -68,6 +88,19 @@ class NSSSSLInitSingleton {
     // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.
     SSL_ClearSessionCache();
   }
+
+  void DisableECDSA() {
+    const PRUint16* ciphersuites = SSL_GetImplementedCiphers();
+    const unsigned num_ciphersuites = SSL_GetNumImplementedCiphers();
+    SECStatus rv;
+    SSLCipherSuiteInfo info;
+
+    for (unsigned i = 0; i < num_ciphersuites; i++) {

[wtc, 2012/08/15 02:38:42]

You should merge this for loop with the existing for loop
on lines 58-65.  Pwehaps I missed something?

+      rv = SSL_GetCipherSuiteInfo(ciphersuites[i], &info, sizeof(info));
+      if (rv == SECSuccess && info.authAlgorithm == ssl_auth_ecdsa)
+        SSL_CipherPrefSetDefault(ciphersuites[i], PR_FALSE);
+    }
+  }
 };
 
 static base::LazyInstance<NSSSSLInitSingleton> g_nss_ssl_init_singleton =