| Index: net/ssl/ssl_cipher_suite_names.cc
|
| diff --git a/net/ssl/ssl_cipher_suite_names.cc b/net/ssl/ssl_cipher_suite_names.cc
|
| index de3cff2987b70b3c4e51bf272bee29955353f860..56d75214e94a9dfbca8720896d7771a945f6c1f2 100644
|
| --- a/net/ssl/ssl_cipher_suite_names.cc
|
| +++ b/net/ssl/ssl_cipher_suite_names.cc
|
| @@ -25,11 +25,13 @@
|
| // The following tables were generated by ssl_cipher_suite_names_generate.go,
|
| // found in the same directory as this file.
|
|
|
| +namespace {
|
| +
|
| struct CipherSuite {
|
| uint16 cipher_suite, encoded;
|
| };
|
|
|
| -static const struct CipherSuite kCipherSuites[] = {
|
| +const struct CipherSuite kCipherSuites[] = {
|
| {0x0, 0x0}, // TLS_NULL_WITH_NULL_NULL
|
| {0x1, 0x101}, // TLS_RSA_WITH_NULL_MD5
|
| {0x2, 0x102}, // TLS_RSA_WITH_NULL_SHA
|
| @@ -199,7 +201,7 @@ static const struct CipherSuite kCipherSuites[] = {
|
| {0xcc15, 0x0a8f}, // TLS_DHE_RSA_WITH_CHACHA20_POLY1305
|
| };
|
|
|
| -static const struct {
|
| +const struct {
|
| char name[15];
|
| } kKeyExchangeNames[18] = {
|
| {"NULL"}, // 0
|
| @@ -222,7 +224,7 @@ static const struct {
|
| {"ECDH_anon"}, // 17
|
| };
|
|
|
| -static const struct {
|
| +const struct {
|
| char name[18];
|
| } kCipherNames[18] = {
|
| {"NULL"}, // 0
|
| @@ -245,7 +247,7 @@ static const struct {
|
| {"CHACHA20_POLY1305"}, // 17
|
| };
|
|
|
| -static const struct {
|
| +const struct {
|
| char name[7];
|
| } kMacNames[5] = {
|
| {"NULL"}, // 0
|
| @@ -256,11 +258,9 @@ static const struct {
|
| // 7 is reserved to indicate an AEAD cipher suite.
|
| };
|
|
|
| -static const int kAEADMACValue = 7;
|
| -
|
| -namespace net {
|
| +const int kAEADMACValue = 7;
|
|
|
| -static int CipherSuiteCmp(const void* ia, const void* ib) {
|
| +int CipherSuiteCmp(const void* ia, const void* ib) {
|
| const CipherSuite* a = static_cast<const CipherSuite*>(ia);
|
| const CipherSuite* b = static_cast<const CipherSuite*>(ib);
|
|
|
| @@ -273,6 +273,29 @@ static int CipherSuiteCmp(const void* ia, const void* ib) {
|
| }
|
| }
|
|
|
| +bool GetCipherProperties(uint16 cipher_suite,
|
| + int* out_key_exchange,
|
| + int* out_cipher,
|
| + int* out_mac) {
|
| + CipherSuite desired = {0};
|
| + desired.cipher_suite = cipher_suite;
|
| + void* r = bsearch(&desired, kCipherSuites, arraysize(kCipherSuites),
|
| + sizeof(kCipherSuites[0]), CipherSuiteCmp);
|
| +
|
| + if (!r)
|
| + return false;
|
| +
|
| + const CipherSuite* cs = static_cast<const CipherSuite*>(r);
|
| + *out_key_exchange = cs->encoded >> 8;
|
| + *out_cipher = (cs->encoded >> 3) & 0x1f;
|
| + *out_mac = cs->encoded & 0x7;
|
| + return true;
|
| +}
|
| +
|
| +} // namespace
|
| +
|
| +namespace net {
|
| +
|
| void SSLCipherSuiteToStrings(const char** key_exchange_str,
|
| const char** cipher_str,
|
| const char** mac_str,
|
| @@ -281,22 +304,10 @@ void SSLCipherSuiteToStrings(const char** key_exchange_str,
|
| *key_exchange_str = *cipher_str = *mac_str = "???";
|
| *is_aead = false;
|
|
|
| - struct CipherSuite desired = {0};
|
| - desired.cipher_suite = cipher_suite;
|
| -
|
| - void* r = bsearch(&desired, kCipherSuites,
|
| - arraysize(kCipherSuites), sizeof(kCipherSuites[0]),
|
| - CipherSuiteCmp);
|
| -
|
| - if (!r)
|
| + int key_exchange, cipher, mac;
|
| + if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
|
| return;
|
|
|
| - const CipherSuite* cs = static_cast<CipherSuite*>(r);
|
| -
|
| - const int key_exchange = cs->encoded >> 8;
|
| - const int cipher = (cs->encoded >> 3) & 0x1f;
|
| - const int mac = cs->encoded & 0x7;
|
| -
|
| *key_exchange_str = kKeyExchangeNames[key_exchange].name;
|
| *cipher_str = kCipherNames[cipher].name;
|
| if (mac == kAEADMACValue) {
|
| @@ -347,27 +358,43 @@ bool ParseSSLCipherString(const std::string& cipher_string,
|
| }
|
|
|
| bool IsSecureTLSCipherSuite(uint16 cipher_suite) {
|
| - CipherSuite desired = {0};
|
| - desired.cipher_suite = cipher_suite;
|
| + int key_exchange, cipher, mac;
|
| + if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
|
| + return false;
|
| +
|
| + // Only allow forward secure key exchanges.
|
| + switch (key_exchange) {
|
| + case 10: // DHE_RSA
|
| + case 14: // ECDHE_ECDSA
|
| + case 16: // ECDHE_RSA
|
| + break;
|
| + default:
|
| + return false;
|
| + }
|
|
|
| - void* r = bsearch(&desired,
|
| - kCipherSuites,
|
| - arraysize(kCipherSuites),
|
| - sizeof(kCipherSuites[0]),
|
| - CipherSuiteCmp);
|
| + switch (cipher) {
|
| + case 13: // AES_128_GCM
|
| + case 14: // AES_256_GCM
|
| + case 17: // CHACHA20_POLY1305
|
| + break;
|
| + default:
|
| + return false;
|
| + }
|
|
|
| - if (!r)
|
| + // Only AEADs allowed.
|
| + if (mac != kAEADMACValue)
|
| return false;
|
|
|
| - const CipherSuite* cs = static_cast<const CipherSuite*>(r);
|
| + return true;
|
| +}
|
|
|
| - const int key_exchange = cs->encoded >> 8;
|
| - const int cipher = (cs->encoded >> 3) & 0x1f;
|
| - const int mac = cs->encoded & 0x7;
|
| +bool IsFalseStartableTLSCipherSuite(uint16 cipher_suite) {
|
| + int key_exchange, cipher, mac;
|
| + if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
|
| + return false;
|
|
|
| - // Only allow forward secure key exchanges.
|
| + // Only allow ECDHE key exchanges.
|
| switch (key_exchange) {
|
| - case 10: // DHE_RSA
|
| case 14: // ECDHE_ECDSA
|
| case 16: // ECDHE_RSA
|
| break;
|
|
|
Chromium Code Reviews
Issue 1057733002:
Require ECDHE for False Start. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master