OpenSSL: Disable ECDSA cipher suites on Windows XP.

This matches the logic in nss_ssl_util.cc. Note: this CL has a test which only affects Windows XP. We have no try coverage on XP, so if the XP bots break, please revert. BUG=405630 Review URL: https://codereview.chromium.org/495663002 Cr-Commit-Position: refs/heads/master@{#293214}
author: davidben <davidben@chromium.org> 2014-09-03 16:19:09 -0700
committer: Commit bot <commit-bot@chromium.org> 2014-09-03 23:23:16 +0000
commit: 8ecc3071e84838f8a20a76a7caf9ae51380896ad (patch)
tree: d22fe14ed79d0a57dbe41522d7b3bf55501f3968
parent: d734d197bb5462a65c37b17594a8c8d07dd79bc1 (diff)
download: chromium_src-8ecc3071e84838f8a20a76a7caf9ae51380896ad.zip
chromium_src-8ecc3071e84838f8a20a76a7caf9ae51380896ad.tar.gz
chromium_src-8ecc3071e84838f8a20a76a7caf9ae51380896ad.tar.bz2
6 files changed, 102 insertions, 0 deletions
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index f7b9d28..94dfdae 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -30,6 +30,10 @@
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 
+#if defined(OS_WIN)
+#include "base/win/windows_version.h"
+#endif
+
 #if defined(USE_OPENSSL_CERTS)
 #include "net/ssl/openssl_client_key_store.h"
 #else
@@ -786,6 +790,15 @@ int SSLClientSocketOpenSSL::Init() {
        command.append(name);
      }
   }
+
+  // Disable ECDSA cipher suites on platforms that do not support ECDSA
+  // signed certificates, as servers may use the presence of such
+  // ciphersuites as a hint to send an ECDSA certificate.
+#if defined(OS_WIN)
+  if (base::win::GetVersion() < base::win::VERSION_VISTA)
+    command.append(":!ECDSA");
+#endif
+
   int rv = SSL_set_cipher_list(ssl_, command.c_str());
   // If this fails (rv = 0) it means there are no ciphers enabled on this SSL.
   // This will almost certainly result in the socket failing to complete the
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index 9babbb2..d020ca3 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -335,6 +335,7 @@ class TestPageHandler(testserver_base.BasePageHandler):
       self.GetSSLSessionCacheHandler,
       self.SSLManySmallRecords,
       self.GetChannelID,
+      self.ClientCipherListHandler,
       self.CloseSocketHandler,
       self.RangeResetHandler,
       self.DefaultResponseHandler]
@@ -1492,6 +1493,23 @@ class TestPageHandler(testserver_base.BasePageHandler):
     self.wfile.write(hashlib.sha256(channel_id).digest().encode('base64'))
     return True
 
+  def ClientCipherListHandler(self):
+    """Send a reply containing the cipher suite list that the client
+    provided. Each cipher suite value is serialized in decimal, followed by a
+    newline."""
+
+    if not self._ShouldHandleRequest('/client-cipher-list'):
+      return False
+
+    self.send_response(200)
+    self.send_header('Content-Type', 'text/plain')
+    self.end_headers()
+
+    for cipher_suite in self.server.tlsConnection.clientHello.cipher_suites:
+      self.wfile.write(str(cipher_suite))
+      self.wfile.write('\n')
+    return True
+
   def CloseSocketHandler(self):
     """Closes the socket without sending anything."""
 
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 7e22546..818a3188 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -61,6 +61,7 @@
 #include "net/ocsp/nss_ocsp.h"
 #include "net/proxy/proxy_service.h"
 #include "net/socket/ssl_client_socket.h"
+#include "net/ssl/ssl_cipher_suite_names.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/spawned_test_server/spawned_test_server.h"
@@ -6931,6 +6932,57 @@ TEST_F(HTTPSRequestTest, SSLSessionCacheShardTest) {
   }
 }
 
+#if defined(OS_WIN)
+
+namespace {
+
+bool IsECDSACipherSuite(uint16_t cipher_suite) {
+  const char* key_exchange;
+  const char* cipher;
+  const char* mac;
+  bool is_aead;
+  SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, cipher_suite);
+  return std::string(key_exchange).find("ECDSA") != std::string::npos;
+}
+
+}  // namespace
+
+// Test that ECDSA is disabled on Windows XP, where ECDSA certificates cannot be
+// verified.
+TEST_F(HTTPSRequestTest, DisableECDSAOnXP) {
+  if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
+    LOG(INFO) << "Skipping test on this version.";
+    return;
+  }
+
+  SpawnedTestServer test_server(
+      SpawnedTestServer::TYPE_HTTPS,
+      SpawnedTestServer::kLocalhost,
+      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+  ASSERT_TRUE(test_server.Start());
+
+  TestDelegate d;
+  scoped_ptr<URLRequest> r(default_context_.CreateRequest(
+      test_server.GetURL("client-cipher-list"), DEFAULT_PRIORITY, &d, NULL));
+  r->Start();
+  EXPECT_TRUE(r->is_pending());
+
+  base::RunLoop().Run();
+
+  EXPECT_EQ(1, d.response_started_count());
+  std::vector<std::string> lines;
+  base::SplitString(d.data_received(), '\n', &lines);
+
+  for (size_t i = 0; i < lines.size(); i++) {
+    int cipher_suite;
+    ASSERT_TRUE(base::StringToInt(lines[i], &cipher_suite));
+    EXPECT_FALSE(IsECDSACipherSuite(cipher_suite))
+        << "ClientHello advertised " << cipher_suite;
+  }
+}
+
+#endif  // OS_WIN
+
 class HTTPSFallbackTest : public testing::Test {
  public:
   HTTPSFallbackTest() : context_(true) {
diff --git a/third_party/tlslite/README.chromium b/third_party/tlslite/README.chromium
index ab0b941..2d5723c 100644
--- a/third_party/tlslite/README.chromium
+++ b/third_party/tlslite/README.chromium
@@ -37,3 +37,5 @@ Local Modifications:
   failures.
 - patches/intolerance_options.patch: Add an option to further control
   simulated TLS version intolerance.
+- patches/save_client_hello.patch: Save the parsed ClientHello on TLSConnection
+  so tests can query it.
diff --git a/third_party/tlslite/patches/save_client_hello.patch b/third_party/tlslite/patches/save_client_hello.patch
new file mode 100644
index 0000000..aaa5d24
--- /dev/null
+++ b/third_party/tlslite/patches/save_client_hello.patch
@@ -0,0 +1,14 @@
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
+index 996b7e9..06aa0c9 100644
+--- a/third_party/tlslite/tlslite/tlsconnection.py
++++ b/third_party/tlslite/tlslite/tlsconnection.py
+@@ -1261,6 +1261,9 @@ class TLSConnection(TLSRecordLayer):
+                 return # Handshake was resumed, we're done 
+             else: break
+         (clientHello, cipherSuite) = result
++
++        # Save the ClientHello for external code to query.
++        self.clientHello = clientHello
+         
+         #If not a resumption...
+ 
diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
index 996b7e9..06aa0c9 100644
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ b/third_party/tlslite/tlslite/tlsconnection.py
@@ -1261,6 +1261,9 @@ class TLSConnection(TLSRecordLayer):
                 return # Handshake was resumed, we're done 
             else: break
         (clientHello, cipherSuite) = result
+
+        # Save the ClientHello for external code to query.
+        self.clientHello = clientHello
         
         #If not a resumption...
author	davidben <davidben@chromium.org>	2014-09-03 16:19:09 -0700
committer	Commit bot <commit-bot@chromium.org>	2014-09-03 23:23:16 +0000
commit	8ecc3071e84838f8a20a76a7caf9ae51380896ad (patch)
tree	d22fe14ed79d0a57dbe41522d7b3bf55501f3968
parent	d734d197bb5462a65c37b17594a8c8d07dd79bc1 (diff)
download	chromium_src-8ecc3071e84838f8a20a76a7caf9ae51380896ad.zip chromium_src-8ecc3071e84838f8a20a76a7caf9ae51380896ad.tar.gz chromium_src-8ecc3071e84838f8a20a76a7caf9ae51380896ad.tar.bz2