Index: net/ssl/ssl_cipher_suite_names.cc |
diff --git a/net/ssl/ssl_cipher_suite_names.cc b/net/ssl/ssl_cipher_suite_names.cc |
index de3cff2987b70b3c4e51bf272bee29955353f860..56d75214e94a9dfbca8720896d7771a945f6c1f2 100644 |
--- a/net/ssl/ssl_cipher_suite_names.cc |
+++ b/net/ssl/ssl_cipher_suite_names.cc |
@@ -25,11 +25,13 @@ |
// The following tables were generated by ssl_cipher_suite_names_generate.go, |
// found in the same directory as this file. |
+namespace { |
+ |
struct CipherSuite { |
uint16 cipher_suite, encoded; |
}; |
-static const struct CipherSuite kCipherSuites[] = { |
+const struct CipherSuite kCipherSuites[] = { |
{0x0, 0x0}, // TLS_NULL_WITH_NULL_NULL |
{0x1, 0x101}, // TLS_RSA_WITH_NULL_MD5 |
{0x2, 0x102}, // TLS_RSA_WITH_NULL_SHA |
@@ -199,7 +201,7 @@ static const struct CipherSuite kCipherSuites[] = { |
{0xcc15, 0x0a8f}, // TLS_DHE_RSA_WITH_CHACHA20_POLY1305 |
}; |
-static const struct { |
+const struct { |
char name[15]; |
} kKeyExchangeNames[18] = { |
{"NULL"}, // 0 |
@@ -222,7 +224,7 @@ static const struct { |
{"ECDH_anon"}, // 17 |
}; |
-static const struct { |
+const struct { |
char name[18]; |
} kCipherNames[18] = { |
{"NULL"}, // 0 |
@@ -245,7 +247,7 @@ static const struct { |
{"CHACHA20_POLY1305"}, // 17 |
}; |
-static const struct { |
+const struct { |
char name[7]; |
} kMacNames[5] = { |
{"NULL"}, // 0 |
@@ -256,11 +258,9 @@ static const struct { |
// 7 is reserved to indicate an AEAD cipher suite. |
}; |
-static const int kAEADMACValue = 7; |
- |
-namespace net { |
+const int kAEADMACValue = 7; |
-static int CipherSuiteCmp(const void* ia, const void* ib) { |
+int CipherSuiteCmp(const void* ia, const void* ib) { |
const CipherSuite* a = static_cast<const CipherSuite*>(ia); |
const CipherSuite* b = static_cast<const CipherSuite*>(ib); |
@@ -273,6 +273,29 @@ static int CipherSuiteCmp(const void* ia, const void* ib) { |
} |
} |
+bool GetCipherProperties(uint16 cipher_suite, |
+ int* out_key_exchange, |
+ int* out_cipher, |
+ int* out_mac) { |
+ CipherSuite desired = {0}; |
+ desired.cipher_suite = cipher_suite; |
+ void* r = bsearch(&desired, kCipherSuites, arraysize(kCipherSuites), |
+ sizeof(kCipherSuites[0]), CipherSuiteCmp); |
+ |
+ if (!r) |
+ return false; |
+ |
+ const CipherSuite* cs = static_cast<const CipherSuite*>(r); |
+ *out_key_exchange = cs->encoded >> 8; |
+ *out_cipher = (cs->encoded >> 3) & 0x1f; |
+ *out_mac = cs->encoded & 0x7; |
+ return true; |
+} |
+ |
+} // namespace |
+ |
+namespace net { |
+ |
void SSLCipherSuiteToStrings(const char** key_exchange_str, |
const char** cipher_str, |
const char** mac_str, |
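Review bot: GetCipherProperties has no comment describing the packed layout it decodes, so a reader has to reverse-engineer the contract from the three shifts at the bottom of the hunk. A header comment along the lines of `// Looks up |cipher_suite| in kCipherSuites and unpacks its |encoded| field: key exchange in the high byte, cipher in bits 3-7, MAC in bits 0-2 (kAEADMACValue marks an AEAD suite). Returns false and leaves the out-params untouched if the suite is unknown.` would document what both callers rely on. Note that the decoded values are not range-checked here, so they are only safe as indices into kKeyExchangeNames/kCipherNames/kMacNames as long as the generator keeps the tables consistent; that is an existing assumption, but this helper is now the one place it could be made explicit.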
@@ -281,22 +304,10 @@ void SSLCipherSuiteToStrings(const char** key_exchange_str, |
*key_exchange_str = *cipher_str = *mac_str = "???"; |
*is_aead = false; |
- struct CipherSuite desired = {0}; |
- desired.cipher_suite = cipher_suite; |
- |
- void* r = bsearch(&desired, kCipherSuites, |
- arraysize(kCipherSuites), sizeof(kCipherSuites[0]), |
- CipherSuiteCmp); |
- |
- if (!r) |
+ int key_exchange, cipher, mac; |
+ if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) |
return; |
- const CipherSuite* cs = static_cast<CipherSuite*>(r); |
- |
- const int key_exchange = cs->encoded >> 8; |
- const int cipher = (cs->encoded >> 3) & 0x1f; |
- const int mac = cs->encoded & 0x7; |
- |
*key_exchange_str = kKeyExchangeNames[key_exchange].name; |
*cipher_str = kCipherNames[cipher].name; |
if (mac == kAEADMACValue) { |
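Review bot: `*key_exchange_str = kKeyExchangeNames[key_exchange].name;` and the following `kCipherNames[cipher]` line index 18-entry tables with values that the decoder can produce in the ranges 0-255 and 0-31, with no bounds check before the read. This is unchanged from the old inline code, but since the lookup is now funneled through GetCipherProperties it would be cheap to assert the invariant, e.g. `DCHECK_LT(key_exchange, static_cast<int>(arraysize(kKeyExchangeNames)));` and `DCHECK_LT(cipher, static_cast<int>(arraysize(kCipherNames)));` just before these lines, assuming base/logging.h is already available in this file. SSLCipherSuiteToStrings begins before this hunk and its body continues past it.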
@@ -347,27 +358,43 @@ bool ParseSSLCipherString(const std::string& cipher_string, |
} |
bool IsSecureTLSCipherSuite(uint16 cipher_suite) { |
- CipherSuite desired = {0}; |
- desired.cipher_suite = cipher_suite; |
+ int key_exchange, cipher, mac; |
+ if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) |
+ return false; |
+ |
+ // Only allow forward secure key exchanges. |
+ switch (key_exchange) { |
+ case 10: // DHE_RSA |
+ case 14: // ECDHE_ECDSA |
+ case 16: // ECDHE_RSA |
+ break; |
+ default: |
+ return false; |
+ } |
- void* r = bsearch(&desired, |
- kCipherSuites, |
- arraysize(kCipherSuites), |
- sizeof(kCipherSuites[0]), |
- CipherSuiteCmp); |
+ switch (cipher) { |
+ case 13: // AES_128_GCM |
+ case 14: // AES_256_GCM |
+ case 17: // CHACHA20_POLY1305 |
+ break; |
+ default: |
+ return false; |
+ } |
- if (!r) |
+ // Only AEADs allowed. |
+ if (mac != kAEADMACValue) |
return false; |
- const CipherSuite* cs = static_cast<const CipherSuite*>(r); |
+ return true; |
+} |
- const int key_exchange = cs->encoded >> 8; |
- const int cipher = (cs->encoded >> 3) & 0x1f; |
- const int mac = cs->encoded & 0x7; |
+bool IsFalseStartableTLSCipherSuite(uint16 cipher_suite) { |
+ int key_exchange, cipher, mac; |
+ if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) |
+ return false; |
- // Only allow forward secure key exchanges. |
+ // Only allow ECDHE key exchanges. |
switch (key_exchange) { |
- case 10: // DHE_RSA |
case 14: // ECDHE_ECDSA |
case 16: // ECDHE_RSA |
break; |