author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-08-16 04:21:17 +0000 |
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-08-16 04:21:17 +0000 |
commit | 9ed908340a1196532484c09cf5f4ecfded788e52 (patch) | |
tree | 5c30607b9a698a8866d40e09a35c78c245f89630 /net/socket | |
parent | a6194ed157fda49d8332c03112ce8cdee0eaba9e (diff) | |
net: cleanup code to disable ECDSA
r151845 was merge-friendly for M21. But since we don't support OS X
10.5 for M22 and onwards, we can clean it up a bit for trunk.
BUG=142782
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@151846 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/nss_ssl_util.cc | 45 |
1 files changed, 11 insertions, 34 deletions
diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index 68699cc..462aee9 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -2,14 +2,6 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

-// HACK for crbug.com/142782. I've put it all the way up here to avoid a merge
-// collision
-namespace base {
-namespace mac {
-bool IsOSSnowLeopardOrLater() { return true; }
-} // namespace mac
-} // namespace base
-
#include "net/socket/nss_ssl_util.h"

#include <nss.h>
@@ -32,8 +24,6 @@ bool IsOSSnowLeopardOrLater() { return true; }

#if defined(OS_WIN)
#include "base/win/windows_version.h"
-#elif defined(OS_MACOSX)
-#include "base/mac/mac_util.h"
#endif

namespace net {
@@ -62,6 +52,15 @@ class NSSSSLInitSingleton {
#define pSSL_ImplementedCiphers SSL_ImplementedCiphers
#endif

+ // Disable ECDSA cipher suites on platforms that do not support ECDSA
+ // signed certificates, as servers may use the presence of such
+ // ciphersuites as a hint to send an ECDSA certificate.
+ bool disableECDSA = false;
+#if defined(OS_WIN)
+ if (base::win::GetVersion() < base::win::VERSION_VISTA)
+ disableECDSA = true;
+#endif
+
// Explicitly enable exactly those ciphers with keys of at least 80 bits
for (int i = 0; i < SSL_NumImplementedCiphers; i++) {
SSLCipherSuiteInfo info;
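Review bot: The new local `disableECDSA` is camelCase, while the locals elsewhere in this file are snake_case (the removed `ciphersuites` and `num_ciphersuites` in the deleted DisableECDSA helper follow that convention); `bool disable_ecdsa = false;` would match, with the same rename at its use in the cipher loop. Computing the flag once before the loop, rather than re-running a second pass over the implemented ciphers, is the right shape for this. The enclosing function (presumably the NSSSSLInitSingleton constructor, given the hunk context) starts before this hunk and its closing brace is in the next one.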
@@ -69,23 +68,14 @@ class NSSSSLInitSingleton {
sizeof(info)) == SECSuccess) {
SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i],
(info.effectiveKeyBits >= 80));
+ if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA)
+ SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i], PR_FALSE);
}
}

// Enable SSL.
SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);

- // Disable ECDSA cipher suites on platforms that do not support ECDSA
- // signed certificates, as servers may use the presence of such
- // ciphersuites as a hint to send an ECDSA certificate.
-#if defined(OS_WIN)
- if (base::win::GetVersion() < base::win::VERSION_VISTA)
- DisableECDSA();
-#elif defined(OS_MACOSX)
- if (!base::mac::IsOSSnowLeopardOrLater())
- DisableECDSA();
-#endif
-
// All other SSL options are set per-session by SSLClientSocket and
// SSLServerSocket.
}
@@ -94,19 +84,6 @@ class NSSSSLInitSingleton {
// Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.
SSL_ClearSessionCache();
}
-
- void DisableECDSA() {
- const PRUint16* ciphersuites = SSL_GetImplementedCiphers();
- const unsigned num_ciphersuites = SSL_GetNumImplementedCiphers();
- SECStatus rv;
- SSLCipherSuiteInfo info;
-
- for (unsigned i = 0; i < num_ciphersuites; i++) {
- rv = SSL_GetCipherSuiteInfo(ciphersuites[i], &info, sizeof(info));
- if (rv == SECSuccess && info.authAlgorithm == ssl_auth_ecdsa)
- SSL_CipherPrefSetDefault(ciphersuites[i], PR_FALSE);
- }
- }
};

static base::LazyInstance<NSSSSLInitSingleton> g_nss_ssl_init_singleton = |
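Review bot: In the cipher loop, an ECDSA suite on a pre-Vista host now has `SSL_CipherPrefSetDefault` called twice for the same suite, first with the key-size verdict and then with PR_FALSE; that is harmless, but it reads as a correction rather than a single policy, and folding the two into one call states the intent directly: `SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i], info.effectiveKeyBits >= 80 && !(disableECDSA && info.authAlgorithm == ssl_auth_ecdsa));`. As with the removed DisableECDSA helper, the override only runs when SSL_GetCipherSuiteInfo returns SECSuccess, so a suite for which that call fails keeps NSS's built-in default preference; a one-line comment such as `// Suites whose info cannot be read keep NSS's default preference.` would help anyone auditing what ends up enabled on old Windows. The function containing this loop starts before the hunk; its closing brace is the last line of this hunk.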