OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <openssl/err.h> | 10 #include <openssl/err.h> |
(...skipping 514 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
525 | 525 |
526 SSL_set_mode(ssl_, mode.set_mask); | 526 SSL_set_mode(ssl_, mode.set_mask); |
527 SSL_clear_mode(ssl_, mode.clear_mask); | 527 SSL_clear_mode(ssl_, mode.clear_mask); |
528 | 528 |
529 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the | 529 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the |
530 // textual name with SSL_set_cipher_list because there is no public API to | 530 // textual name with SSL_set_cipher_list because there is no public API to |
531 // directly remove a cipher by ID. | 531 // directly remove a cipher by ID. |
532 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_); | 532 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_); |
533 DCHECK(ciphers); | 533 DCHECK(ciphers); |
534 // See SSLConfig::disabled_cipher_suites for description of the suites | 534 // See SSLConfig::disabled_cipher_suites for description of the suites |
535 // disabled by default. Note that !SHA384 only removes HMAC-SHA384 cipher | 535 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256 |
536 // suites, not GCM cipher suites with SHA384 as the handshake hash. | 536 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384 |
537 std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!SRP:!SHA384:!aECDH"); | 537 // as the handshake hash. |
| 538 std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!SRP:!SHA256:!SHA384:" |
| 539 "!aECDH:!AESGCM+AES256"); |
538 // Walk through all the installed ciphers, seeing if any need to be | 540 // Walk through all the installed ciphers, seeing if any need to be |
539 // appended to the cipher removal |command|. | 541 // appended to the cipher removal |command|. |
540 for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) { | 542 for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) { |
541 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i); | 543 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i); |
542 const uint16 id = SSL_CIPHER_get_id(cipher); | 544 const uint16 id = SSL_CIPHER_get_id(cipher); |
543 // Remove any ciphers with a strength of less than 80 bits. Note the NSS | 545 // Remove any ciphers with a strength of less than 80 bits. Note the NSS |
544 // implementation uses "effective" bits here but OpenSSL does not provide | 546 // implementation uses "effective" bits here but OpenSSL does not provide |
545 // this detail. This only impacts Triple DES: reports 112 vs. 168 bits, | 547 // this detail. This only impacts Triple DES: reports 112 vs. 168 bits, |
546 // both of which are greater than 80 anyway. | 548 // both of which are greater than 80 anyway. |
547 bool disable = SSL_CIPHER_get_bits(cipher, NULL) < 80; | 549 bool disable = SSL_CIPHER_get_bits(cipher, NULL) < 80; |
(...skipping 878 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1426 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, | 1428 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, |
1427 user_write_buf_->data()); | 1429 user_write_buf_->data()); |
1428 return rv; | 1430 return rv; |
1429 } | 1431 } |
1430 | 1432 |
1431 int err = SSL_get_error(ssl_, rv); | 1433 int err = SSL_get_error(ssl_, rv); |
1432 return MapOpenSSLError(err, err_tracer); | 1434 return MapOpenSSLError(err, err_tracer); |
1433 } | 1435 } |
1434 | 1436 |
1435 } // namespace net | 1437 } // namespace net |
OLD | NEW |