| field | value | date |
|---|---|---|
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-30 14:51:05 +0000 |
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-30 14:51:05 +0000 |
| commit | d102f54d4b8021334c10045b6a1fbb948f567c35 | |
| tree | 317647059dc360eb9b1c22b92088fc9822ce7207 /net/base | |
| parent | dc0670a2901a1cdd6515450a07d71b389888110d | |
Require renegotiation info from a whitelist of servers.
The renegotiation extension was introduced into TLS in [1], to address
the attack described in [2]. In order to fully protect ourselves,
clients need to require support from servers. However, these things
take a long time to roll out.
As an initial measure, we start to require the extension from a
whitelist of servers that we know to support the extension. We are
then protected from prefix attacks against these servers. Over time,
if the list grows we might want to share it with Mozilla, but we'll
start simple.
[1] http://tools.ietf.org/html/rfc5746
[2] http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
http://codereview.chromium.org/2045006/show
TEST=Set up a dummy TLS server without renegotiation extension support (Hardy will do) and force mail.google.com to it using /etc/hosts. Navigate to https://mail.google.com and check for ERR_SSL_UNSAFE_NEGOTIATION.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@51258 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | net/base/net_error_list.h | 3 |
| -rw-r--r-- | net/base/ssl_config_service.cc | 24 |
| -rw-r--r-- | net/base/ssl_config_service.h | 8 |

3 files changed, 35 insertions, 0 deletions
diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h index 1b21084..b471930 100644 --- a/net/base/net_error_list.h +++ b/net/base/net_error_list.h @@ -159,6 +159,9 @@ NET_ERROR(SSL_BAD_RECORD_MAC_ALERT, -126) // The HTTP auth handler requires a DNS lookup to find the canonical name. NET_ERROR(AUTH_NEEDS_CANONICAL_NAME, -127) +// A known TLS strict server didn't offer the renegotiation extension. +NET_ERROR(SSL_UNSAFE_NEGOTIATION, -128) + // Certificate error codes // // The values of certificate error codes must be consecutive. diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc index 67d1349..6c2992f 100644 --- a/net/base/ssl_config_service.cc +++ b/net/base/ssl_config_service.cc @@ -25,4 +25,28 @@ SSLConfigService* SSLConfigService::CreateSystemSSLConfigService() { #endif } +// static +bool SSLConfigService::IsKnownStrictTLSServer(const std::string& hostname) { + // If you wish to add an entry to this list, please contact agl AT chromium + // DOT org. + // + // If this list starts growing, it'll need to be something more efficient + // than a linear list. + static const char kStrictServers[][20] = { + "www.google.com", + "mail.google.com", + "www.gmail.com", + "gmail.com", + "docs.google.com", + "clients1.google.com", + }; + + for (size_t i = 0; i < arraysize(kStrictServers); i++) { + if (strcmp(hostname.c_str(), kStrictServers[i]) == 0) + return true; + } + + return false; +} + } // namespace net diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h index 0213f1f..d195039 100644 --- a/net/base/ssl_config_service.h +++ b/net/base/ssl_config_service.h 
@@ -84,6 +84,14 @@ class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> { // May not be thread-safe, should only be called on the IO thread. virtual void GetSSLConfig(SSLConfig* config) = 0; + // Returns true if the given hostname is known to be 'strict'. This means + // that we will require the renegotiation extension and will always use TLS + // (no SSLv3 fallback). + // + // If you wish to add an element to this list, file a bug at + // http://crbug.com and email the link to agl AT chromium DOT org. + static bool IsKnownStrictTLSServer(const std::string& hostname); + protected: friend class base::RefCountedThreadSafe<SSLConfigService>; |
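Review bot: in the net_error_list.h hunk, the name SSL_UNSAFE_NEGOTIATION does not match its own comment or the commit message, which both talk about the renegotiation extension (RFC 5746); consider SSL_UNSAFE_RENEGOTIATION so that anyone grepping for renegotiation finds the -128 code, and have the comment say what "strict server" means (it is defined in ssl_config_service.h, not here) or point at that definition.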
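Review bot: in the ssl_config_service.cc hunk, IsKnownStrictTLSServer compares the raw hostname with strcmp, so the match is case-sensitive and sensitive to a trailing dot; because this list exists to make connections to these hosts fail closed, a caller that passes "MAIL.GOOGLE.COM" or "mail.google.com." silently gets the non-strict path. Either document that the argument must already be lower-cased and canonical, or lower-case it here before comparing. Minor: `static const char kStrictServers[][20]` hard-codes a width that "clients1.google.com" fills exactly (19 characters plus the terminator), so the next longer entry forces a width bump; `static const char* const kStrictServers[] = { ... }` avoids that, and `hostname == kStrictServers[i]` drops the need for strcmp and its header.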
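Review bot: in the ssl_config_service.h hunk, the comment defines "strict" as two requirements (renegotiation extension and no SSLv3 fallback), but the only enforcement visible in this change is the error code for the missing extension, and nothing under net/base shows where the no-fallback rule is applied; name the caller that enforces it or drop the second clause so the documented contract matches what users of the function actually get. Also the two comments give different procedures for adding a host (the .cc says to contact agl directly, the .h says to file a crbug and email the link); keep one, preferably the .h text, and have the .cc comment refer to it.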