net: disable ECDSA ciphersuites on platforms where we can't support it.

BUG=142782 https://chromiumcodereview.appspot.com/10830326/ git-svn-id: svn://svn.chromium.org/chrome/trunk/src@151845 0039d316-1c4b-4281-b951-d872f2087c98

net: disable ECDSA ciphersuites on platforms where we can't support it.
BUG=142782 https://chromiumcodereview.appspot.com/10830326/ git-svn-id: svn://svn.chromium.org/chrome/trunk/src@151845 0039d316-1c4b-4281-b951-d872f2087c98
a6194ed1 · agl@chromium.org · 32080ab8 · a6194ed1 · a6194ed1
Commit a6194ed1 authored Aug 16, 2012 by agl@chromium.org
Show whitespace changes
Inline Side-by-side

Showing with 34 additions and 0 deletions

net/base/ssl_config_service.h net/base/ssl_config_service.h +3 -0

net/socket/nss_ssl_util.cc net/socket/nss_ssl_util.cc +31 -0

No files found.
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -74,6 +74,9 @@ struct NET_EXPORT SSLConfig {
  // - FORTEZZA cipher suites (obsolete).
  // - IDEA cipher suites (RFC 5469 explains why).
  // - Anonymous cipher suites.
+  // - ECDSA cipher suites on platforms that do not support ECDSA signed
+  //   certificates, as servers may use the presence of such ciphersuites as a
+  //   hint to send an ECDSA certificate.
  // The ciphers listed in |disabled_cipher_suites| will be removed in addition
  // to the above list.
  //

--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -25,10 +25,17 @@ bool IsOSSnowLeopardOrLater() { return true; }
 #include "base/memory/singleton.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
+#include "build/build_config.h"
 #include "crypto/nss_util.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"

+#if defined(OS_WIN)
+#include "base/win/windows_version.h"
+#elif defined(OS_MACOSX)
+#include "base/mac/mac_util.h"
+#endif
+
 namespace net {

 class NSSSSLInitSingleton {
@@ -68,6 +75,17 @@ class NSSSSLInitSingleton {
    // Enable SSL.
    SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);

+    // Disable ECDSA cipher suites on platforms that do not support ECDSA
+    // signed certificates, as servers may use the presence of such
+    // ciphersuites as a hint to send an ECDSA certificate.
+#if defined(OS_WIN)
+    if (base::win::GetVersion() < base::win::VERSION_VISTA)
+      DisableECDSA();
+#elif defined(OS_MACOSX)
+    if (!base::mac::IsOSSnowLeopardOrLater())
+      DisableECDSA();
+#endif
+
    // All other SSL options are set per-session by SSLClientSocket and
    // SSLServerSocket.
  }
@@ -76,6 +94,19 @@ class NSSSSLInitSingleton {
    // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.
    SSL_ClearSessionCache();
  }
+
+  void DisableECDSA() {
+    const PRUint16* ciphersuites = SSL_GetImplementedCiphers();
+    const unsigned num_ciphersuites = SSL_GetNumImplementedCiphers();
+    SECStatus rv;
+    SSLCipherSuiteInfo info;
+
+    for (unsigned i = 0; i < num_ciphersuites; i++) {
+      rv = SSL_GetCipherSuiteInfo(ciphersuites[i], &info, sizeof(info));
+      if (rv == SECSuccess && info.authAlgorithm == ssl_auth_ecdsa)
+        SSL_CipherPrefSetDefault(ciphersuites[i], PR_FALSE);
+    }
+  }
 };

 static base::LazyInstance<NSSSSLInitSingleton> g_nss_ssl_init_singleton =