authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-11-11 04:12:53 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-11-11 04:12:53 +0000
commit47f7d746b1468ec3b2de9c293749e347234996ba (patch)
tree5a4093494d5e7991001bb3350ccd27fe74f227d8 /net/base
parent8b70d0ce73dd36bc0042ba7a6d8c4521c369b9fe (diff)
Add support for restricting the cipher suites that SSLClientSocket(Mac,NSS) use. Restricting SSLClientSocketWin is handled by the existing Windows system policy (which deals in algorithms, not cipher suites).
R=wtc BUG=58831 TEST=SSLClientSocketTest.CipherSuiteDisables Review URL: http://codereview.chromium.org/3845005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65773 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r--net/base/ssl_config_service.h19
-rw-r--r--net/base/ssl_config_service_mac.cc2
-rw-r--r--net/base/ssl_config_service_win.cc7
3 files changed, 28 insertions, 0 deletions
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index be50097..0639f48 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -8,6 +8,7 @@
#include <vector>
+#include "base/basictypes.h"
#include "base/observer_list.h"
#include "base/ref_counted.h"
#include "net/base/x509_certificate.h"
@@ -31,6 +32,24 @@ struct SSLConfig {
// True if we'll do async checks for certificate provenance using DNS.
bool dns_cert_provenance_checking_enabled;
+ // Cipher suites which should be explicitly prevented from being used. By
+ // default, all cipher suites supported by the underlying SSL implementation
+ // will be enabled, except for:
+ // - Null encryption cipher suites.
+ // - Weak cipher suites: < 80 bits of security strength.
+ // - FORTEZZA cipher suites (obsolete).
+ // - IDEA cipher suites (RFC 5469 explains why).
+ // - Anonymous cipher suites.
+ //
+ // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
+ // big-endian form, they should be declared in host byte order, with the
+ // first uint8 occupying the most significant byte.
+ // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
+ // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
+ //
+ // TODO(rsleevi): Not implemented when using OpenSSL or Schannel.
+ std::vector<uint16> disabled_cipher_suites;
+
// True if we allow this connection to be MITM attacked. This sounds a little
// worse than it is: large networks sometimes MITM attack all SSL connections
// on egress. We want to know this because we might not have the end-to-end
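Review bot: The TODO on the new `disabled_cipher_suites` member says the deny-list is not implemented for OpenSSL or Schannel, which means a caller that populates it for policy reasons gets no signal that a listed suite may still be negotiated on those backends; the comment should spell out that consequence rather than only "Not implemented", e.g. `// TODO(rsleevi): Not implemented when using OpenSSL or Schannel; on those backends the list is ignored and the listed suites remain enabled.` It would also help to say what happens to an entry that names a suite the underlying library does not support at all (presumably ignored — worth confirming against the socket implementations). If SSLConfig is compared or copied elsewhere to detect configuration changes, the new member presumably needs to be included there too; that code is outside this hunk. The SSLConfig struct itself begins before and continues past this hunk.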
diff --git a/net/base/ssl_config_service_mac.cc b/net/base/ssl_config_service_mac.cc
index 2ce1d5c..148bba4 100644
--- a/net/base/ssl_config_service_mac.cc
+++ b/net/base/ssl_config_service_mac.cc
@@ -97,6 +97,8 @@ bool SSLConfigServiceMac::GetSSLConfigNow(SSLConfig* config) {
kTLS1EnabledDefaultValue);
SSLConfigService::SetSSLConfigFlags(config);
+ // TODO(rsleevi): http://crbug.com/58831 - Implement preferences for
+ // disabling cipher suites.
return true;
}
diff --git a/net/base/ssl_config_service_win.cc b/net/base/ssl_config_service_win.cc
index debea7d..d4153c3 100644
--- a/net/base/ssl_config_service_win.cc
+++ b/net/base/ssl_config_service_win.cc
@@ -82,6 +82,13 @@ bool SSLConfigServiceWin::GetSSLConfigNow(SSLConfig* config) {
config->tls1_enabled = ((protocols & TLS1) != 0);
SSLConfigService::SetSSLConfigFlags(config);
+ // TODO(rsleevi): Possibly respect the registry keys defined in
+ // http://support.microsoft.com/kb/245030 (pre-Vista) or
+ // http://msdn.microsoft.com/en-us/library/bb870930(VS.85).aspx (post-Vista).
+ // Currently, these values are respected implicitly when using
+ // SSLClientSocketWin, but they do not propogate to SSLClientSocketNSS
+ // because we're not currently translating the keys.
+
return true;
}
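Review bot: The new comment block misspells `propogate` (should be `propagate`), and unlike the matching TODO added in ssl_config_service_mac.cc it carries no bug reference, so the two halves of the same unimplemented feature are tracked differently. Suggest `// TODO(rsleevi): http://crbug.com/58831 - Possibly respect the registry keys defined in` for the first line and `// SSLClientSocketWin, but they do not propagate to SSLClientSocketNSS` for the fifth.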