Require ECDHE for False Start.

net/ssl/ssl_cipher_suite_names.cc

Index: net/ssl/ssl_cipher_suite_names.cc
diff --git a/net/ssl/ssl_cipher_suite_names.cc b/net/ssl/ssl_cipher_suite_names.cc
index de3cff2987b70b3c4e51bf272bee29955353f860..842376302360dec1d126930cd3158601dbeac950 100644
--- a/net/ssl/ssl_cipher_suite_names.cc
+++ b/net/ssl/ssl_cipher_suite_names.cc
@@ -25,11 +25,13 @@
 // The following tables were generated by ssl_cipher_suite_names_generate.go,
 // found in the same directory as this file.
 
+namespace {
+
 struct CipherSuite {
   uint16 cipher_suite, encoded;
 };
 
-static const struct CipherSuite kCipherSuites[] = {
+const struct CipherSuite kCipherSuites[] = {
     {0x0, 0x0},        // TLS_NULL_WITH_NULL_NULL
     {0x1, 0x101},      // TLS_RSA_WITH_NULL_MD5
     {0x2, 0x102},      // TLS_RSA_WITH_NULL_SHA
@@ -199,7 +201,7 @@ static const struct CipherSuite kCipherSuites[] = {
     {0xcc15, 0x0a8f},  // TLS_DHE_RSA_WITH_CHACHA20_POLY1305
 };
 
-static const struct {
+const struct {
   char name[15];
 } kKeyExchangeNames[18] = {
   {"NULL"},  // 0
@@ -222,7 +224,7 @@ static const struct {
   {"ECDH_anon"},  // 17
 };
 
-static const struct {
+const struct {
   char name[18];
 } kCipherNames[18] = {
   {"NULL"},  // 0
@@ -245,7 +247,7 @@ static const struct {
   {"CHACHA20_POLY1305"},  // 17
 };
 
-static const struct {
+const struct {
   char name[7];
 } kMacNames[5] = {
   {"NULL"},  // 0
@@ -256,11 +258,9 @@ static const struct {
   // 7 is reserved to indicate an AEAD cipher suite.
 };
 
-static const int kAEADMACValue = 7;
-
-namespace net {
+const int kAEADMACValue = 7;
 
-static int CipherSuiteCmp(const void* ia, const void* ib) {
+int CipherSuiteCmp(const void* ia, const void* ib) {
   const CipherSuite* a = static_cast<const CipherSuite*>(ia);
   const CipherSuite* b = static_cast<const CipherSuite*>(ib);
 
@@ -273,6 +273,29 @@ static int CipherSuiteCmp(const void* ia, const void* ib) {
   }
 }
 
+bool GetCipherProperties(uint16 cipher_suite,
+                         int* out_key_exchange,
+                         int* out_cipher,
+                         int* out_mac) {
+  CipherSuite desired = {0};
+  desired.cipher_suite = cipher_suite;
+  void* r = bsearch(&desired, kCipherSuites, arraysize(kCipherSuites),
+                    sizeof(kCipherSuites[0]), CipherSuiteCmp);
+
+  if (!r)
+    return false;
+
+  const CipherSuite* cs = static_cast<const CipherSuite*>(r);
+  *out_key_exchange = cs->encoded >> 8;
+  *out_cipher = (cs->encoded >> 3) & 0x1f;
+  *out_mac = cs->encoded & 0x7;
+  return true;
+}
+
+}  // namespace
+
+namespace net {
+
 void SSLCipherSuiteToStrings(const char** key_exchange_str,
                              const char** cipher_str,
                              const char** mac_str,
@@ -281,22 +304,12 @@ void SSLCipherSuiteToStrings(const char** key_exchange_str,
   *key_exchange_str = *cipher_str = *mac_str = "???";
   *is_aead = false;
 
-  struct CipherSuite desired = {0};
-  desired.cipher_suite = cipher_suite;
-
-  void* r = bsearch(&desired, kCipherSuites,
-                    arraysize(kCipherSuites), sizeof(kCipherSuites[0]),
-                    CipherSuiteCmp);
-
-  if (!r)
+  int key_exchange;

[agl, 2015/04/02 00:36:43]

these could all be one line.

[davidben, 2015/04/02 16:48:31]

Done.

+  int cipher;
+  int mac;
+  if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
     return;
 
-  const CipherSuite* cs = static_cast<CipherSuite*>(r);
-
-  const int key_exchange = cs->encoded >> 8;
-  const int cipher = (cs->encoded >> 3) & 0x1f;
-  const int mac = cs->encoded & 0x7;
-
   *key_exchange_str = kKeyExchangeNames[key_exchange].name;
   *cipher_str = kCipherNames[cipher].name;
   if (mac == kAEADMACValue) {
@@ -347,27 +360,47 @@ bool ParseSSLCipherString(const std::string& cipher_string,
 }
 
 bool IsSecureTLSCipherSuite(uint16 cipher_suite) {
-  CipherSuite desired = {0};
-  desired.cipher_suite = cipher_suite;
+  int key_exchange;

[agl, 2015/04/02 00:36:43]

ditto.

[davidben, 2015/04/02 16:48:31]

Done.

+  int cipher;
+  int mac;
+  if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
+    return false;
+
+  // Only allow forward secure key exchanges.
+  switch (key_exchange) {
+    case 10:  // DHE_RSA
+    case 14:  // ECDHE_ECDSA
+    case 16:  // ECDHE_RSA
+      break;
+    default:
+      return false;
+  }
 
-  void* r = bsearch(&desired,
-                    kCipherSuites,
-                    arraysize(kCipherSuites),
-                    sizeof(kCipherSuites[0]),
-                    CipherSuiteCmp);
+  switch (cipher) {
+    case 13:  // AES_128_GCM
+    case 14:  // AES_256_GCM
+    case 17:  // CHACHA20_POLY1305
+      break;
+    default:
+      return false;
+  }
 
-  if (!r)
+  // Only AEADs allowed.
+  if (mac != kAEADMACValue)
     return false;
 
-  const CipherSuite* cs = static_cast<const CipherSuite*>(r);
+  return true;
+}
 
-  const int key_exchange = cs->encoded >> 8;
-  const int cipher = (cs->encoded >> 3) & 0x1f;
-  const int mac = cs->encoded & 0x7;
+bool IsFalseStartableTLSCipherSuite(uint16 cipher_suite) {
+  int key_exchange;

[agl, 2015/04/02 00:36:43]

ditto.

[davidben, 2015/04/02 16:48:31]

Done.

+  int cipher;
+  int mac;
+  if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
+    return false;
 
-  // Only allow forward secure key exchanges.
+  // Only allow ECDHE key exchanges.
   switch (key_exchange) {
-    case 10:  // DHE_RSA
     case 14:  // ECDHE_ECDSA
     case 16:  // ECDHE_RSA
       break;