diff options
author | davidben <davidben@chromium.org> | 2016-01-25 14:07:59 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-01-25 22:11:59 +0000 |
commit | 3c0aa77c46d827484a01662cc0eb383e7de6d93f (patch) | |
tree | c54fb87515a7f73e6b1fe3f207dcb998473070f5 | |
parent | efa847a54ec8dbb71ab7d630a05fb289c2991a78 (diff) | |
download | chromium_src-3c0aa77c46d827484a01662cc0eb383e7de6d93f.zip chromium_src-3c0aa77c46d827484a01662cc0eb383e7de6d93f.tar.gz chromium_src-3c0aa77c46d827484a01662cc0eb383e7de6d93f.tar.bz2 |
Remove Windows XP SHA-256 and ECDSA logic.
We can assume the system verifier handles both SHA-256 and ECDSA now.
No need to inject SHA-256 support or disable ECDSA ciphers.
BUG=554410
Review URL: https://codereview.chromium.org/1610833004
Cr-Commit-Position: refs/heads/master@{#371329}
-rw-r--r-- | base/win/win_util.cc | 19 | ||||
-rw-r--r-- | base/win/win_util.h | 7 | ||||
-rw-r--r-- | chrome/browser/extensions/updater/chrome_update_client_config.cc | 1 | ||||
-rw-r--r-- | components/component_updater/component_updater_url_constants.cc | 3 | ||||
-rw-r--r-- | components/component_updater/component_updater_url_constants.h | 1 | ||||
-rw-r--r-- | components/component_updater/configurator_impl.cc | 25 | ||||
-rw-r--r-- | components/component_updater/configurator_impl.h | 6 | ||||
-rw-r--r-- | content/browser/browser_main_runner.cc | 85 | ||||
-rw-r--r-- | net/cert/sha256_legacy_support_win.cc | 217 | ||||
-rw-r--r-- | net/cert/sha256_legacy_support_win.h | 49 | ||||
-rw-r--r-- | net/cert/sha256_legacy_support_win_unittest.cc | 52 | ||||
-rw-r--r-- | net/data/ssl/certificates/README | 2 | ||||
-rw-r--r-- | net/data/ssl/certificates/sha256.pem | 70 | ||||
-rwxr-xr-x | net/data/ssl/scripts/generate-test-certs.sh | 6 | ||||
-rw-r--r-- | net/net.gypi | 3 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 12 |
16 files changed, 1 insertions, 557 deletions
diff --git a/base/win/win_util.cc b/base/win/win_util.cc index 57bee8a..05250f1 100644 --- a/base/win/win_util.cc +++ b/base/win/win_util.cc @@ -556,25 +556,6 @@ void SetDomainStateForTesting(bool state) { g_domain_state = state ? ENROLLED : NOT_ENROLLED; } -bool MaybeHasSHA256Support() { - const OSInfo* os_info = OSInfo::GetInstance(); - - if (os_info->version() == VERSION_PRE_XP) - return false; // Too old to have it and this OS is not supported anyway. - - if (os_info->version() == VERSION_XP) - return os_info->service_pack().major >= 3; // Windows XP SP3 has it. - - // Assume it is missing in this case, although it may not be. This category - // includes Windows XP x64, and Windows Server, where a hotfix could be - // deployed. - if (os_info->version() == VERSION_SERVER_2003) - return false; - - DCHECK(os_info->version() >= VERSION_VISTA); - return true; // New enough to have SHA-256 support. -} - bool IsUser32AndGdi32Available() { static base::LazyInstance<LazyIsUser32AndGdi32Available>::Leaky available = LAZY_INSTANCE_INITIALIZER; diff --git a/base/win/win_util.h b/base/win/win_util.h index 6162b51..1d22ad9 100644 --- a/base/win/win_util.h +++ b/base/win/win_util.h @@ -159,13 +159,6 @@ BASE_EXPORT bool IsEnrolledToDomain(); // simulate being in a domain and false otherwise. BASE_EXPORT void SetDomainStateForTesting(bool state); -// Returns true if the current operating system has support for SHA-256 -// certificates. As its name indicates, this function provides a best-effort -// answer, which is solely based on comparing version numbers. The function -// may be re-implemented in the future to return a reliable value, based on -// run-time detection of this capability. -BASE_EXPORT bool MaybeHasSHA256Support(); - // Returns true if the current process can make USER32 or GDI32 calls such as // CreateWindow and CreateDC. Windows 8 and above allow the kernel component // of these calls to be disabled which can cause undefined behaviour such as diff --git a/chrome/browser/extensions/updater/chrome_update_client_config.cc b/chrome/browser/extensions/updater/chrome_update_client_config.cc index 1c095f7..feaedd1 100644 --- a/chrome/browser/extensions/updater/chrome_update_client_config.cc +++ b/chrome/browser/extensions/updater/chrome_update_client_config.cc @@ -16,7 +16,6 @@ ChromeUpdateClientConfig::ChromeUpdateClientConfig( content::BrowserContext* context) : impl_(base::CommandLine::ForCurrentProcess(), context->GetRequestContext()) { - impl_.set_enable_alt_source_url(false); } int ChromeUpdateClientConfig::InitialDelay() const { diff --git a/components/component_updater/component_updater_url_constants.cc b/components/component_updater/component_updater_url_constants.cc index 7c78f64b..3cb8ef1 100644 --- a/components/component_updater/component_updater_url_constants.cc +++ b/components/component_updater/component_updater_url_constants.cc @@ -6,9 +6,6 @@ namespace component_updater { -// The alternative URL for the v3 protocol service endpoint. -const char kUpdaterAltUrl[] = "http://clients2.google.com/service/update2"; - // The default URL for the v3 protocol service endpoint. In some cases, the // component updater is allowed to fall back to and alternate URL source, if // the request to the default URL source fails. diff --git a/components/component_updater/component_updater_url_constants.h b/components/component_updater/component_updater_url_constants.h index 6f83a4d..3195dd8 100644 --- a/components/component_updater/component_updater_url_constants.h +++ b/components/component_updater/component_updater_url_constants.h @@ -7,7 +7,6 @@ namespace component_updater { -extern const char kUpdaterAltUrl[]; extern const char kUpdaterDefaultUrl[]; } // namespace component_updater diff --git a/components/component_updater/configurator_impl.cc b/components/component_updater/configurator_impl.cc index 407da85..be52913 100644 --- a/components/component_updater/configurator_impl.cc +++ b/components/component_updater/configurator_impl.cc @@ -59,19 +59,6 @@ bool HasSwitchValue(const std::vector<std::string>& vec, const char* test) { return (std::find(vec.begin(), vec.end(), test) != vec.end()); } -// Returns true if falling back on an alternate, unsafe, service URL is -// allowed. In the fallback case, the security of the component update relies -// only on the integrity of the CRX payloads, which is self-validating. -// This is allowed only for some of the pre-Windows Vista versions not including -// Windows XP SP3. As a side note, pings could be sent to the alternate URL too. -bool CanUseAltUrlSource() { -#if defined(OS_WIN) - return !base::win::MaybeHasSHA256Support(); -#else - return false; -#endif // OS_WIN -} - // If there is an element of |vec| of the form |test|=.*, returns the right- // hand side of that assignment. Otherwise, returns an empty string. // The right-hand side may contain additional '=' characters, allowing for @@ -101,8 +88,7 @@ ConfiguratorImpl::ConfiguratorImpl( fast_update_(false), pings_enabled_(false), deltas_enabled_(false), - background_downloads_enabled_(false), - fallback_to_alt_source_url_enabled_(false) { + background_downloads_enabled_(false) { // Parse comma-delimited debug flags. std::vector<std::string> switch_values = base::SplitString( cmdline->GetSwitchValueASCII(switches::kComponentUpdater), ",", @@ -127,8 +113,6 @@ ConfiguratorImpl::ConfiguratorImpl( if (HasSwitchValue(switch_values, kSwitchRequestParam)) extra_info_ += "testrequest=\"1\""; - - fallback_to_alt_source_url_enabled_ = CanUseAltUrlSource(); } ConfiguratorImpl::~ConfiguratorImpl() {} @@ -159,9 +143,6 @@ std::vector<GURL> ConfiguratorImpl::UpdateUrl() const { urls.push_back(GURL(url_source_override_)); } else { urls.push_back(GURL(kUpdaterDefaultUrl)); - if (fallback_to_alt_source_url_enabled_) { - urls.push_back(GURL(kUpdaterAltUrl)); - } } return urls; } @@ -194,8 +175,4 @@ bool ConfiguratorImpl::UseBackgroundDownloader() const { return background_downloads_enabled_; } -void ConfiguratorImpl::set_enable_alt_source_url(bool enable_alt_source_url) { - fallback_to_alt_source_url_enabled_ = enable_alt_source_url; -} - } // namespace component_updater diff --git a/components/component_updater/configurator_impl.h b/components/component_updater/configurator_impl.h index b2e75a9..959a9b1 100644 --- a/components/component_updater/configurator_impl.h +++ b/components/component_updater/configurator_impl.h @@ -77,11 +77,6 @@ class ConfiguratorImpl { // non on-demand components. bool UseBackgroundDownloader() const; - // Setting this to false means that we'll only use secure transport (eg https) - // for update/ping urls. This is already false by default everywhere but older - // versions of Windows XP. - void set_enable_alt_source_url(bool enable_alt_source_url); - private: net::URLRequestContextGetter* url_request_getter_; std::string extra_info_; @@ -90,7 +85,6 @@ class ConfiguratorImpl { bool pings_enabled_; bool deltas_enabled_; bool background_downloads_enabled_; - bool fallback_to_alt_source_url_enabled_; DISALLOW_COPY_AND_ASSIGN(ConfiguratorImpl); }; diff --git a/content/browser/browser_main_runner.cc b/content/browser/browser_main_runner.cc index 2585c8d..9ee9ee1 100644 --- a/content/browser/browser_main_runner.cc +++ b/content/browser/browser_main_runner.cc @@ -34,12 +34,8 @@ #endif #if defined(OS_WIN) -#include "base/win/win_util.h" #include "base/win/windows_version.h" -#include "net/cert/sha256_legacy_support_win.h" -#include "sandbox/win/src/sidestep/preamble_patcher.h" #include "ui/base/win/scoped_ole_initializer.h" -#include "ui/gfx/switches.h" #include "ui/gfx/win/direct_write.h" #endif @@ -49,86 +45,6 @@ namespace { bool g_exited_main_message_loop = false; -#if defined(OS_WIN) -#if !defined(_WIN64) -// Pointer to the original CryptVerifyCertificateSignatureEx function. -net::sha256_interception::CryptVerifyCertificateSignatureExFunc - g_real_crypt_verify_signature_stub = NULL; - -// Stub function that is called whenever the Crypt32 function -// CryptVerifyCertificateSignatureEx is called. It just defers to net to perform -// the actual verification. -BOOL WINAPI CryptVerifyCertificateSignatureExStub( - HCRYPTPROV_LEGACY provider, - DWORD encoding_type, - DWORD subject_type, - void* subject_data, - DWORD issuer_type, - void* issuer_data, - DWORD flags, - void* extra) { - return net::sha256_interception::CryptVerifyCertificateSignatureExHook( - g_real_crypt_verify_signature_stub, provider, encoding_type, subject_type, - subject_data, issuer_type, issuer_data, flags, extra); -} -#endif // !defined(_WIN64) - -// If necessary, install an interception -void InstallSha256LegacyHooks() { -#if defined(_WIN64) - // Interception on x64 is not supported. - return; -#else - if (base::win::MaybeHasSHA256Support()) - return; - - net::sha256_interception::CryptVerifyCertificateSignatureExFunc - cert_verify_signature_ptr = reinterpret_cast< - net::sha256_interception::CryptVerifyCertificateSignatureExFunc>( - ::GetProcAddress(::GetModuleHandle(L"crypt32.dll"), - "CryptVerifyCertificateSignatureEx")); - CHECK(cert_verify_signature_ptr); - - DWORD old_protect = 0; - if (!::VirtualProtect(cert_verify_signature_ptr, 5, PAGE_EXECUTE_READWRITE, - &old_protect)) { - return; - } - - g_real_crypt_verify_signature_stub = - reinterpret_cast< - net::sha256_interception::CryptVerifyCertificateSignatureExFunc>( - VirtualAllocEx(::GetCurrentProcess(), NULL, - sidestep::kMaxPreambleStubSize, MEM_COMMIT, - PAGE_EXECUTE_READWRITE)); - if (g_real_crypt_verify_signature_stub == NULL) { - CHECK(::VirtualProtect(cert_verify_signature_ptr, 5, old_protect, - &old_protect)); - return; - } - - sidestep::SideStepError patch_result = - sidestep::PreamblePatcher::Patch( - cert_verify_signature_ptr, CryptVerifyCertificateSignatureExStub, - g_real_crypt_verify_signature_stub, sidestep::kMaxPreambleStubSize); - if (patch_result != sidestep::SIDESTEP_SUCCESS) { - CHECK(::VirtualFreeEx(::GetCurrentProcess(), - g_real_crypt_verify_signature_stub, 0, - MEM_RELEASE)); - CHECK(::VirtualProtect(cert_verify_signature_ptr, 5, old_protect, - &old_protect)); - return; - } - - DWORD dummy = 0; - CHECK(::VirtualProtect(cert_verify_signature_ptr, 5, old_protect, &dummy)); - CHECK(::VirtualProtect(g_real_crypt_verify_signature_stub, - sidestep::kMaxPreambleStubSize, old_protect, - &old_protect)); -#endif // _WIN64 -} -#endif // OS_WIN - } // namespace class BrowserMainRunnerImpl : public BrowserMainRunner { @@ -180,7 +96,6 @@ class BrowserMainRunnerImpl : public BrowserMainRunner { // Win32 API here directly. ImmDisableTextFrameService(static_cast<DWORD>(-1)); } - InstallSha256LegacyHooks(); #endif // OS_WIN base::StatisticsRecorder::Initialize(); diff --git a/net/cert/sha256_legacy_support_win.cc b/net/cert/sha256_legacy_support_win.cc deleted file mode 100644 index a936637..0000000 --- a/net/cert/sha256_legacy_support_win.cc +++ /dev/null @@ -1,217 +0,0 @@ -// Copyright 2014 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "net/cert/sha256_legacy_support_win.h" - -#include <openssl/asn1.h> -#include <openssl/bytestring.h> -#include <openssl/evp.h> -#include <openssl/obj.h> -#include <openssl/x509.h> - -#include "base/logging.h" -#include "crypto/scoped_openssl_types.h" - -namespace net { - -namespace sha256_interception { - -namespace { - -using ScopedX509_ALGOR = crypto::ScopedOpenSSL<X509_ALGOR, X509_ALGOR_free>; - -bool IsSupportedSubjectType(DWORD subject_type) { - switch (subject_type) { - case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB: - case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT: - case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL: - return true; - } - return false; -} - -bool IsSupportedIssuerType(DWORD issuer_type) { - switch (issuer_type) { - case CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY: - case CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT: - case CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN: - return true; - } - return false; -} - -base::StringPiece GetSubjectSignature(DWORD subject_type, - void* subject_data) { - switch (subject_type) { - case CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB: { - CRYPT_DATA_BLOB* data_blob = - reinterpret_cast<CRYPT_DATA_BLOB*>(subject_data); - return base::StringPiece(reinterpret_cast<char*>(data_blob->pbData), - data_blob->cbData); - } - case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT: { - PCCERT_CONTEXT subject_cert = - reinterpret_cast<PCCERT_CONTEXT>(subject_data); - return base::StringPiece( - reinterpret_cast<char*>(subject_cert->pbCertEncoded), - subject_cert->cbCertEncoded); - } - case CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL: { - PCCRL_CONTEXT subject_crl = - reinterpret_cast<PCCRL_CONTEXT>(subject_data); - return base::StringPiece( - reinterpret_cast<char*>(subject_crl->pbCrlEncoded), - subject_crl->cbCrlEncoded); - } - } - return base::StringPiece(); -} - -PCERT_PUBLIC_KEY_INFO GetIssuerPublicKey(DWORD issuer_type, - void* issuer_data) { - switch (issuer_type) { - case CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY: - return reinterpret_cast<PCERT_PUBLIC_KEY_INFO>(issuer_data); - case CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT: { - PCCERT_CONTEXT cert = reinterpret_cast<PCCERT_CONTEXT>(issuer_data); - return &cert->pCertInfo->SubjectPublicKeyInfo; - } - case CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN: { - PCCERT_CHAIN_CONTEXT chain = - reinterpret_cast<PCCERT_CHAIN_CONTEXT>(issuer_data); - PCCERT_CONTEXT cert = chain->rgpChain[0]->rgpElement[0]->pCertContext; - return &cert->pCertInfo->SubjectPublicKeyInfo; - } - } - return NULL; -} - -// Parses |subject_signature| and writes the components into |*out_tbs_data|, -// |*out_algor|, and |*out_signature|. The BIT STRING in the signature must be -// a multiple of 8 bits. |*out_signature| will have the padding byte removed. -// It returns true on success and false on failure. -bool ParseSubjectSignature(const base::StringPiece& subject_signature, - CBS* out_tbs_data, - ScopedX509_ALGOR* out_algor, - CBS* out_signature) { - CBS cbs, sequence, tbs_data, algorithm, signature; - CBS_init(&cbs, reinterpret_cast<const uint8_t*>(subject_signature.data()), - subject_signature.size()); - if (!CBS_get_asn1(&cbs, &sequence, CBS_ASN1_SEQUENCE) || CBS_len(&cbs) != 0 || - !CBS_get_any_asn1_element(&sequence, &tbs_data, nullptr, nullptr) || - !CBS_get_asn1_element(&sequence, &algorithm, CBS_ASN1_SEQUENCE) || - !CBS_get_asn1(&sequence, &signature, CBS_ASN1_BITSTRING) || - CBS_len(&sequence) != 0) { - return false; - } - - // Decode the algorithm. - const uint8_t* ptr = CBS_data(&algorithm); - ScopedX509_ALGOR algor(d2i_X509_ALGOR(NULL, &ptr, CBS_len(&algorithm))); - if (!algor || ptr != CBS_data(&algorithm) + CBS_len(&algorithm)) - return false; - - // An ASN.1 BIT STRING is encoded with a leading byte denoting the number of - // padding bits. All supported signature algorithms output octets, so the - // leading byte must be zero. - uint8_t padding; - if (!CBS_get_u8(&signature, &padding) || padding != 0) - return false; - - *out_tbs_data = tbs_data; - *out_algor = algor.Pass(); - *out_signature = signature; - return true; -} - -} // namespace - -BOOL CryptVerifyCertificateSignatureExHook( - CryptVerifyCertificateSignatureExFunc original_func, - HCRYPTPROV_LEGACY provider, - DWORD encoding_type, - DWORD subject_type, - void* subject_data, - DWORD issuer_type, - void* issuer_data, - DWORD flags, - void* extra) { - CHECK(original_func); - - // Only intercept if the arguments are supported. - if (provider != NULL || (encoding_type != X509_ASN_ENCODING) || - !IsSupportedSubjectType(subject_type) || subject_data == NULL || - !IsSupportedIssuerType(issuer_type) || issuer_data == NULL) { - return original_func(provider, encoding_type, subject_type, subject_data, - issuer_type, issuer_data, flags, extra); - } - - base::StringPiece subject_signature = - GetSubjectSignature(subject_type, subject_data); - bool should_intercept = false; - - // Parse out the data, AlgorithmIdentifier, and signature. - CBS tbs_data, signature; - ScopedX509_ALGOR algor; - if (ParseSubjectSignature(subject_signature, &tbs_data, &algor, &signature)) { - // If the signature algorithm is RSA with one of the SHA-2 algorithms - // supported by BoringSSL (excluding SHA-224, which is pointless), then - // defer to the BoringSSL implementation. Otherwise, fall back and let the - // OS handle it (e.g. in case there are any algorithm policies in effect). - int nid = OBJ_obj2nid(algor->algorithm); - if (nid == NID_sha256WithRSAEncryption || - nid == NID_sha384WithRSAEncryption || - nid == NID_sha512WithRSAEncryption) { - should_intercept = true; - } - } - - if (!should_intercept) { - return original_func(provider, encoding_type, subject_type, subject_data, - issuer_type, issuer_data, flags, extra); - } - - // Rather than attempting to synthesize an EVP_PKEY by hand, just force the - // OS to do an ASN.1 encoding and then decode it back into BoringSSL. This - // is silly for performance, but safest for consistency. - PCERT_PUBLIC_KEY_INFO issuer_public_key = - GetIssuerPublicKey(issuer_type, issuer_data); - if (!issuer_public_key) { - SetLastError(static_cast<DWORD>(NTE_BAD_ALGID)); - return FALSE; - } - - uint8_t* issuer_spki_data = NULL; - DWORD issuer_spki_len = 0; - if (!CryptEncodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, - issuer_public_key, CRYPT_ENCODE_ALLOC_FLAG, NULL, - &issuer_spki_data, &issuer_spki_len)) { - return FALSE; - } - - const uint8_t* ptr = issuer_spki_data; - crypto::ScopedEVP_PKEY pubkey(d2i_PUBKEY(NULL, &ptr, issuer_spki_len)); - if (!pubkey.get() || ptr != issuer_spki_data + issuer_spki_len) { - ::LocalFree(issuer_spki_data); - SetLastError(static_cast<DWORD>(NTE_BAD_ALGID)); - return FALSE; - } - ::LocalFree(issuer_spki_data); - - crypto::ScopedEVP_MD_CTX md_ctx(EVP_MD_CTX_create()); - if (!EVP_DigestVerifyInitFromAlgorithm(md_ctx.get(), algor.get(), - pubkey.get()) || - !EVP_DigestVerifyUpdate(md_ctx.get(), CBS_data(&tbs_data), - CBS_len(&tbs_data)) || - !EVP_DigestVerifyFinal(md_ctx.get(), CBS_data(&signature), - CBS_len(&signature))) { - SetLastError(static_cast<DWORD>(NTE_BAD_SIGNATURE)); - return FALSE; - } - return TRUE; -} - -} // namespace sha256_interception - -} // namespace net diff --git a/net/cert/sha256_legacy_support_win.h b/net/cert/sha256_legacy_support_win.h deleted file mode 100644 index 472ff60..0000000 --- a/net/cert/sha256_legacy_support_win.h +++ /dev/null @@ -1,49 +0,0 @@ -// Copyright 2014 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef NET_CERT_SHA256_LEGACY_SUPPORT_WIN_H_ -#define NET_CERT_SHA256_LEGACY_SUPPORT_WIN_H_ - -#include <windows.h> - -#include "base/strings/string_piece.h" -#include "crypto/wincrypt_shim.h" -#include "net/base/net_export.h" - -namespace net { - -namespace sha256_interception { - -typedef BOOL (WINAPI* CryptVerifyCertificateSignatureExFunc)( - HCRYPTPROV_LEGACY provider, - DWORD encoding_type, - DWORD subject_type, - void* subject_data, - DWORD issuer_type, - void* issuer_data, - DWORD flags, - void* extra); - -// Interception function meant to be called whenever -// CryptVerifyCertificateSignatureEx is called. Note that the calling -// conventions do not match, as the caller is expected to ensure that their -// interposed function handles the calling conventions and provides a pointer -// to the original CryptVerifyCertificateSignatureEx (e.g. to handle parameters -// and keys that are not supported). -NET_EXPORT BOOL CryptVerifyCertificateSignatureExHook( - CryptVerifyCertificateSignatureExFunc original_func, - HCRYPTPROV_LEGACY provider, - DWORD encoding_type, - DWORD subject_type, - void* subject_data, - DWORD issuer_type, - void* issuer_data, - DWORD flags, - void* extra); - -} // namespace sha256_interception - -} // namespace net - -#endif // NET_CERT_SHA256_LEGACY_SUPPORT_WIN_H_ diff --git a/net/cert/sha256_legacy_support_win_unittest.cc b/net/cert/sha256_legacy_support_win_unittest.cc deleted file mode 100644 index 0496ca3..0000000 --- a/net/cert/sha256_legacy_support_win_unittest.cc +++ /dev/null @@ -1,52 +0,0 @@ -// Copyright 2014 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "net/cert/sha256_legacy_support_win.h" - -#include "base/memory/ref_counted.h" -#include "net/base/test_data_directory.h" -#include "net/cert/x509_certificate.h" -#include "net/test/cert_test_util.h" -#include "testing/gtest/include/gtest/gtest.h" - -namespace net { - -namespace sha256_interception { - -namespace { - -// Verifies that SHA-256 signatures can be validated through the interception. -// Although this is only needed on legacy platforms, the test is run on all -// Windows platforms to make sure that the CryptoAPI<->NSS integration does not -// regress. -TEST(Sha256Interception, HandlesSHA2) { - base::FilePath certs_dir = GetTestCertsDirectory(); - - scoped_refptr<X509Certificate> server_cert = - ImportCertFromFile(certs_dir, "sha256.pem"); - ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert.get()); - - CryptVerifyCertificateSignatureExFunc cert_verify_signature_ptr = - reinterpret_cast<CryptVerifyCertificateSignatureExFunc>( - ::GetProcAddress(::GetModuleHandle(L"crypt32.dll"), - "CryptVerifyCertificateSignatureEx")); - ASSERT_TRUE(cert_verify_signature_ptr); - - BOOL rv = CryptVerifyCertificateSignatureExHook( - cert_verify_signature_ptr, NULL, X509_ASN_ENCODING, - CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, - const_cast<void*>(reinterpret_cast<const void*>( - server_cert->os_cert_handle())), - CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, - const_cast<void*>(reinterpret_cast<const void*>( - server_cert->os_cert_handle())), - 0, NULL); - EXPECT_EQ(TRUE, rv); -} - -} // namespace - -} // namespace sha256_interception - -} // namespace net
\ No newline at end of file diff --git a/net/data/ssl/certificates/README b/net/data/ssl/certificates/README index 493283e..977535e 100644 --- a/net/data/ssl/certificates/README +++ b/net/data/ssl/certificates/README @@ -149,8 +149,6 @@ unit tests. A certificate and private key only valid on 0001-01-01. Windows refuses to parse this certificate. -- sha256.pem: Used to test the handling of SHA-256 certs on Windows. - - spdy_pooling.pem : Used to test the handling of spdy IP connection pooling - subjectAltName_sanity_check.pem : Used to test the handling of various types diff --git a/net/data/ssl/certificates/sha256.pem b/net/data/ssl/certificates/sha256.pem deleted file mode 100644 index 507ff04..0000000 --- a/net/data/ssl/certificates/sha256.pem +++ /dev/null @@ -1,70 +0,0 @@ -Certificate: - Data: - Version: 1 (0x0) - Serial Number: - 90:23:b2:54:1d:1a:a1:b4 - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1 - Validity - Not Before: Sep 11 19:19:22 2014 GMT - Not After : Sep 8 19:19:22 2024 GMT - Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:d2:41:24:4c:b5:a5:83:ad:b9:64:5b:90:e2:d1: - e5:17:14:fe:ee:d0:6a:d8:d0:74:3c:98:35:d1:6b: - 2a:81:32:9e:e4:a2:77:5b:f2:81:2c:ae:c1:cc:ca: - f0:45:dd:8e:21:d3:4c:a6:7a:69:1b:08:3e:83:31: - 0e:cc:5a:f8:a4:b6:05:10:68:ec:a0:a2:44:b6:95: - e9:c5:e3:7c:a2:fa:a0:72:de:b3:49:e7:ac:cc:dc: - ce:f3:7c:af:9f:05:46:e4:c2:31:54:a4:2b:cc:bf: - ab:c3:e2:a6:9d:30:24:f4:2b:4d:44:eb:63:5f:35: - 0f:c5:ec:e9:77:40:0d:3d:35:6c:88:e7:18:c3:01: - 95:4c:c1:d4:14:96:88:66:98:fd:8e:0f:0e:a1:50: - d3:f9:13:e1:b6:5d:5a:8a:1c:8d:55:e1:43:3d:ca: - c6:31:95:9c:0a:00:68:38:1a:b7:24:ce:cd:34:d6: - 8d:f5:11:79:64:7b:01:b3:0f:76:fd:cf:ca:73:33: - 96:03:e4:1a:2e:98:8b:54:4d:0b:b9:62:27:8f:0d: - 9a:2c:1f:5d:b5:6a:e4:3a:27:33:02:eb:7f:0d:30: - 6a:6f:ea:61:c9:78:fe:7a:9f:08:7b:61:cd:b8:b2: - 04:98:24:37:d5:f7:ce:ec:34:29:b3:bc:26:ca:6f: - 54:53 - Exponent: 65537 (0x10001) - Signature Algorithm: sha256WithRSAEncryption - 73:89:72:15:fa:cf:c9:6a:4d:a5:1a:66:0d:da:03:13:2e:31: - 6b:6f:df:f1:4f:dd:54:8d:bd:87:1e:e9:b1:b2:84:4a:da:8e: - fa:76:b8:66:f0:2d:d6:f4:72:2d:55:ef:99:d4:e1:99:7c:79: - 98:b7:b9:bc:9c:f8:69:47:6d:10:03:4b:41:59:ea:84:7c:04: - 97:67:37:d4:a8:75:53:4a:f3:f9:9a:cb:bb:09:fb:dd:d7:b0: - d5:35:48:04:f3:58:78:bc:fb:26:d7:dc:e2:bf:cb:64:22:3d: - f7:bb:a4:5e:a3:98:5f:aa:29:46:aa:c6:a9:7c:8c:04:ac:21: - 21:97:b1:94:da:eb:ee:49:03:9d:46:e0:a0:22:e4:dd:e4:2b: - 3d:0d:0e:af:1b:59:39:41:e8:47:43:b8:58:36:82:86:c6:0e: - d6:d3:c0:92:da:2b:a4:5a:5a:f8:4f:20:93:32:a7:74:21:13: - 9d:b7:7b:68:20:71:81:4a:1a:32:b7:5e:e7:45:de:f7:e4:04: - dd:c1:7b:89:3e:a2:cb:47:20:fa:36:a6:bc:17:5a:19:56:97: - 1e:3c:fa:a7:fc:1e:d9:ad:dc:62:6b:ef:52:88:c8:d3:09:6c: - 6f:ff:d4:28:4b:7d:1e:9d:bb:0c:08:12:f3:f8:fd:24:35:57: - a2:3a:26:e2 ------BEGIN CERTIFICATE----- -MIIDPDCCAiQCCQCQI7JUHRqhtDANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJV -UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQ -MA4GA1UECgwHVGVzdCBDQTESMBAGA1UEAwwJMTI3LjAuMC4xMB4XDTE0MDkxMTE5 -MTkyMloXDTI0MDkwODE5MTkyMlowYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh -bGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3Qg -Q0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBANJBJEy1pYOtuWRbkOLR5RcU/u7QatjQdDyYNdFrKoEynuSid1vygSyu -wczK8EXdjiHTTKZ6aRsIPoMxDsxa+KS2BRBo7KCiRLaV6cXjfKL6oHLes0nnrMzc -zvN8r58FRuTCMVSkK8y/q8Pipp0wJPQrTUTrY181D8Xs6XdADT01bIjnGMMBlUzB -1BSWiGaY/Y4PDqFQ0/kT4bZdWoocjVXhQz3KxjGVnAoAaDgatyTOzTTWjfUReWR7 -AbMPdv3PynMzlgPkGi6Yi1RNC7liJ48NmiwfXbVq5DonMwLrfw0wam/qYcl4/nqf -CHthzbiyBJgkN9X3zuw0KbO8JspvVFMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA -c4lyFfrPyWpNpRpmDdoDEy4xa2/f8U/dVI29hx7psbKEStqO+na4ZvAt1vRyLVXv -mdThmXx5mLe5vJz4aUdtEANLQVnqhHwEl2c31Kh1U0rz+ZrLuwn73dew1TVIBPNY -eLz7Jtfc4r/LZCI997ukXqOYX6opRqrGqXyMBKwhIZexlNrr7kkDnUbgoCLk3eQr -PQ0OrxtZOUHoR0O4WDaChsYO1tPAktorpFpa+E8gkzKndCETnbd7aCBxgUoaMrde -50Xe9+QE3cF7iT6iy0cg+jamvBdaGVaXHjz6p/we2a3cYmvvUojI0wlsb//UKEt9 -Hp27DAgS8/j9JDVXojom4g== ------END CERTIFICATE----- diff --git a/net/data/ssl/scripts/generate-test-certs.sh b/net/data/ssl/scripts/generate-test-certs.sh index 1358653..3f9e495 100755 --- a/net/data/ssl/scripts/generate-test-certs.sh +++ b/net/data/ssl/scripts/generate-test-certs.sh @@ -152,12 +152,6 @@ try /bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \ > ../certificates/bad_validity.pem" # Now generate the one-off certs -## SHA-256 general test cert -try openssl req -x509 -days 3650 \ - -config ../scripts/ee.cnf -newkey rsa:2048 -text \ - -sha256 \ - -out ../certificates/sha256.pem - ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing try openssl req -x509 -days 3650 -extensions req_spdy_pooling \ -config ../scripts/ee.cnf -newkey rsa:2048 -text \ diff --git a/net/net.gypi b/net/net.gypi index 2fa6a09..ef6a1b4 100644 --- a/net/net.gypi +++ b/net/net.gypi @@ -111,8 +111,6 @@ 'cert/internal/verify_signed_data.h', 'cert/pem_tokenizer.cc', 'cert/pem_tokenizer.h', - 'cert/sha256_legacy_support_win.cc', - 'cert/sha256_legacy_support_win.h', 'cert/signed_certificate_timestamp.cc', 'cert/signed_certificate_timestamp.h', 'cert/signed_tree_head.h', @@ -1368,7 +1366,6 @@ 'cert/nss_cert_database_unittest.cc', 'cert/nss_profile_filter_chromeos_unittest.cc', 'cert/pem_tokenizer_unittest.cc', - 'cert/sha256_legacy_support_win_unittest.cc', 'cert/signed_certificate_timestamp_unittest.cc', 'cert/test_root_certs_unittest.cc', 'cert/x509_cert_types_unittest.cc', diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc index 02a3efc..13121b4 100644 --- a/net/socket/ssl_client_socket_openssl.cc +++ b/net/socket/ssl_client_socket_openssl.cc @@ -50,10 +50,6 @@ #include "net/ssl/ssl_info.h" #include "net/ssl/ssl_private_key.h" -#if defined(OS_WIN) -#include "base/win/windows_version.h" -#endif - #if !defined(OS_NACL) #include "net/ssl/ssl_key_logger.h" #endif @@ -1000,14 +996,6 @@ int SSLClientSocketOpenSSL::Init() { } } - // Disable ECDSA cipher suites on platforms that do not support ECDSA - // signed certificates, as servers may use the presence of such - // ciphersuites as a hint to send an ECDSA certificate. -#if defined(OS_WIN) - if (base::win::GetVersion() < base::win::VERSION_VISTA) - command.append(":!ECDSA"); -#endif - int rv = SSL_set_cipher_list(ssl_, command.c_str()); // If this fails (rv = 0) it means there are no ciphers enabled on this SSL. // This will almost certainly result in the socket failing to complete the |