
Side by Side Diff: net/ssl/ssl_cipher_suite_names.cc

Issue 1727133002: Expose TLS settings in the Security panel overview, and call out individual obsolete settings. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Respond to comments; simplify a lot of the strings; take out IsObsoleteTLSCipherSuite(). Created 4 years, 8 months ago
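--- a/net/ssl/ssl_cipher_suite_names.cc
+++ b/net/ssl/ssl_cipher_suite_names.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ssl/ssl_cipher_suite_names.h"
 
 #include <stdlib.h>
 
 #include <openssl/ssl.h>
 
@@ -288,20 +288,63 @@
 if (!r)
 return false;
 
 const CipherSuite* cs = static_cast<const CipherSuite*>(r);
 *out_key_exchange = cs->encoded >> 8;
 *out_cipher = (cs->encoded >> 3) & 0x1f;
 *out_mac = cs->encoded & 0x7;
 return true;
 }
 
+int ObsoleteSSLStatusForProtocol(int ssl_version) {
+int obsolete_ssl = net::OBSOLETE_SSL_NONE;
+if (ssl_version < net::SSL_CONNECTION_VERSION_TLS1_2)
+obsolete_ssl |= net::OBSOLETE_SSL_MASK_PROTOCOL;
+return obsolete_ssl;
+}
+
+int ObsoleteSSLStatusForCipherSuite(uint16_t cipher_suite) {
+int obsolete_ssl = net::OBSOLETE_SSL_NONE;
+
+int key_exchange, cipher, mac;
+if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) {
+// Cannot determine/unknown cipher suite. Err on the side of caution.
+obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
+obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
+return obsolete_ssl;
+}
+
+// Only allow ECDHE key exchanges.
+switch (key_exchange) {
+case 14: // ECDHE_ECDSA
+case 16: // ECDHE_RSA
+break;
+default:
+obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
+}
+
+switch (cipher) {
+case 13: // AES_128_GCM
+case 14: // AES_256_GCM
+case 17: // CHACHA20_POLY1305
+break;
+default:
+obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
+}
+
+// Only AEADs allowed.
+if (mac != kAEADMACValue)
+obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
+
+return obsolete_ssl;
+}
+
 } // namespace
 
 namespace net {
 
 void SSLCipherSuiteToStrings(const char** key_exchange_str,
 const char** cipher_str,
 const char** mac_str,
 bool* is_aead,
 uint16_t cipher_suite) {
 *key_exchange_str = *cipher_str = *mac_str = "???";
@@ -354,48 +397,30 @@
 if (cipher_string.size() == 6 &&
 base::StartsWith(cipher_string, "0x",
 base::CompareCase::INSENSITIVE_ASCII) &&
 base::HexStringToInt(cipher_string, &value)) {
 *cipher_suite = static_cast<uint16_t>(value);
 return true;
 }
 return false;
 }
 
-bool IsSecureTLSCipherSuite(uint16_t cipher_suite) {
-int key_exchange, cipher, mac;
-if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
-return false;
+int ObsoleteSSLStatus(int connection_status) {
+int obsolete_ssl = OBSOLETE_SSL_NONE;
 
-// Only allow ECDHE key exchanges.
-switch (key_exchange) {
-case 14: // ECDHE_ECDSA
-case 16: // ECDHE_RSA
-break;
-default:
-return false;
-}
+int ssl_version = SSLConnectionStatusToVersion(connection_status);
+obsolete_ssl |= ObsoleteSSLStatusForProtocol(ssl_version);
 
-switch (cipher) {
-case 13: // AES_128_GCM
-case 14: // AES_256_GCM
-case 17: // CHACHA20_POLY1305
-break;
-default:
-return false;
-}
+uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status);
+obsolete_ssl |= ObsoleteSSLStatusForCipherSuite(cipher_suite);
 
-// Only AEADs allowed.
-if (mac != kAEADMACValue)
-return false;
-
-return true;
+return obsolete_ssl;
 }
 
 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) {
 int key_exchange, cipher, mac;
 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
 return false;
 
 // Only allow forward secure key exchanges.
 switch (key_exchange) {
 case 10: // DHE_RSA
@@ -430,10 +455,10 @@
 case 14: // ECDHE_ECDSA
 case 16: // ECDHE_RSA
 break;
 default:
 return nullptr;
 }
 return SSL_get_curve_name(key_exchange_info);
 }
 
 } // namespace net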
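Review bot: The new `ObsoleteSSLStatus` (new side line 407) carries no comment in this file about how it classifies inputs it cannot identify, although that behaviour is deliberately conservative: an unrecognized cipher suite sets both the key-exchange and cipher masks (new lines 309-314), and every version value below `SSL_CONNECTION_VERSION_TLS1_2` sets the protocol mask (new line 300), which — if the unknown/unset version value sorts below that constant — also covers connections whose version could not be determined. I would add above the definition: `// Unrecognized cipher suites, and any version below TLS 1.2, are reported as obsolete; OBSOLETE_SSL_NONE means nothing was found obsolete, not that the settings were positively validated.` If the header already states this, a one-line pointer to it is enough. The same comment should mention that a non-whitelisted cipher and a non-AEAD MAC both map onto `OBSOLETE_SSL_MASK_CIPHER` (new lines 330-336), so a caller cannot tell the two apart from the mask; that is fine if the UI only needs a single cipher verdict, but it should be an explicit contract rather than an accident of the bit layout.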