Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(11)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_openssl.cc

Issue 23038011: Disable the HMAC-SHA256 cipher suites for SSLClientSocketOpenSSL. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Also disable the AES_256_GCM cipher suites Created 7 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle
6 // of operation is derived from SSLClientSocketNSS. 6 // of operation is derived from SSLClientSocketNSS.
7 7
8 #include "net/socket/ssl_client_socket_openssl.h" 8 #include "net/socket/ssl_client_socket_openssl.h"
9 9
10 #include <openssl/err.h> 10 #include <openssl/err.h>
(...skipping 514 matching lines...) Expand 10 before | Expand all | Expand 10 after
525 525
526 SSL_set_mode(ssl_, mode.set_mask); 526 SSL_set_mode(ssl_, mode.set_mask);
527 SSL_clear_mode(ssl_, mode.clear_mask); 527 SSL_clear_mode(ssl_, mode.clear_mask);
528 528
529 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the 529 // Removing ciphers by ID from OpenSSL is a bit involved as we must use the
530 // textual name with SSL_set_cipher_list because there is no public API to 530 // textual name with SSL_set_cipher_list because there is no public API to
531 // directly remove a cipher by ID. 531 // directly remove a cipher by ID.
532 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_); 532 STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl_);
533 DCHECK(ciphers); 533 DCHECK(ciphers);
534 // See SSLConfig::disabled_cipher_suites for description of the suites 534 // See SSLConfig::disabled_cipher_suites for description of the suites
535 // disabled by default. Note that !SHA384 only removes HMAC-SHA384 cipher 535 // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256
536 // suites, not GCM cipher suites with SHA384 as the handshake hash. 536 // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
537 std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!SRP:!SHA384:!aECDH"); 537 // as the handshake hash.
538 std::string command("DEFAULT:!NULL:!aNULL:!IDEA:!FZA:!SRP:!SHA256:!SHA384:"
539 "!aECDH:!AESGCM+AES256");
538 // Walk through all the installed ciphers, seeing if any need to be 540 // Walk through all the installed ciphers, seeing if any need to be
539 // appended to the cipher removal |command|. 541 // appended to the cipher removal |command|.
540 for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) { 542 for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
541 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i); 543 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i);
542 const uint16 id = SSL_CIPHER_get_id(cipher); 544 const uint16 id = SSL_CIPHER_get_id(cipher);
543 // Remove any ciphers with a strength of less than 80 bits. Note the NSS 545 // Remove any ciphers with a strength of less than 80 bits. Note the NSS
544 // implementation uses "effective" bits here but OpenSSL does not provide 546 // implementation uses "effective" bits here but OpenSSL does not provide
545 // this detail. This only impacts Triple DES: reports 112 vs. 168 bits, 547 // this detail. This only impacts Triple DES: reports 112 vs. 168 bits,
546 // both of which are greater than 80 anyway. 548 // both of which are greater than 80 anyway.
547 bool disable = SSL_CIPHER_get_bits(cipher, NULL) < 80; 549 bool disable = SSL_CIPHER_get_bits(cipher, NULL) < 80;
(...skipping 878 matching lines...) Expand 10 before | Expand all | Expand 10 after
1426 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, 1428 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
1427 user_write_buf_->data()); 1429 user_write_buf_->data());
1428 return rv; 1430 return rv;
1429 } 1431 }
1430 1432
1431 int err = SSL_get_error(ssl_, rv); 1433 int err = SSL_get_error(ssl_, rv);
1432 return MapOpenSSLError(err, err_tracer); 1434 return MapOpenSSLError(err, err_tracer);
1433 } 1435 }
1434 1436
1435 } // namespace net 1437 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698