
Side by Side Diff: net/ssl/ssl_cipher_suite_names.cc

Issue 1727133002: Expose TLS settings in the Security panel overview, and call out individual obsolete settings. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Add some tests. Created 4 years, 6 months ago
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/ssl/ssl_cipher_suite_names.h" 5 #include "net/ssl/ssl_cipher_suite_names.h"
6 6
7 #include <stdlib.h> 7 #include <stdlib.h>
8 8
9 #include <openssl/ssl.h> 9 #include <openssl/ssl.h>
10 10
294 if (!r) 294 if (!r)
295 return false; 295 return false;
296 296
297 const CipherSuite* cs = static_cast<const CipherSuite*>(r); 297 const CipherSuite* cs = static_cast<const CipherSuite*>(r);
298 *out_key_exchange = cs->encoded >> 8; 298 *out_key_exchange = cs->encoded >> 8;
299 *out_cipher = (cs->encoded >> 3) & 0x1f; 299 *out_cipher = (cs->encoded >> 3) & 0x1f;
300 *out_mac = cs->encoded & 0x7; 300 *out_mac = cs->encoded & 0x7;
301 return true; 301 return true;
302 } 302 }
303 303
304 int ObsoleteSSLStatusForProtocol(int ssl_version) {
305 int obsolete_ssl = net::OBSOLETE_SSL_NONE;
306 if (ssl_version < net::SSL_CONNECTION_VERSION_TLS1_2)
307 obsolete_ssl |= net::OBSOLETE_SSL_MASK_PROTOCOL;
308 return obsolete_ssl;
309 }
310
311 int ObsoleteSSLStatusForCipherSuite(uint16_t cipher_suite) {
312 int obsolete_ssl = net::OBSOLETE_SSL_NONE;
313
314 int key_exchange, cipher, mac;
315 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) {
316 // Cannot determine/unknown cipher suite. Err on the side of caution.
317 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
318 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
319 return obsolete_ssl;
320 }
321
322 // Only allow ECDHE key exchanges.
323 switch (key_exchange) {
324 case 14: // ECDHE_ECDSA
325 case 16: // ECDHE_RSA
326 case 18: // CECPQ1_RSA
327 case 19: // CECPQ1_ECDSA
328 break;
329 default:
330 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
331 }
332
333 switch (cipher) {
334 case 13: // AES_128_GCM
335 case 14: // AES_256_GCM
336 case 17: // CHACHA20_POLY1305
337 break;
338 default:
339 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
340 }
341
342 // Only AEADs allowed.
343 if (mac != kAEADMACValue)
344 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
345
346 return obsolete_ssl;
347 }
348
304 } // namespace 349 } // namespace
305 350
306 namespace net { 351 namespace net {
307 352
308 void SSLCipherSuiteToStrings(const char** key_exchange_str, 353 void SSLCipherSuiteToStrings(const char** key_exchange_str,
309 const char** cipher_str, 354 const char** cipher_str,
310 const char** mac_str, 355 const char** mac_str,
311 bool* is_aead, 356 bool* is_aead,
312 uint16_t cipher_suite) { 357 uint16_t cipher_suite) {
313 *key_exchange_str = *cipher_str = *mac_str = "???"; 358 *key_exchange_str = *cipher_str = *mac_str = "???";
360 if (cipher_string.size() == 6 && 405 if (cipher_string.size() == 6 &&
361 base::StartsWith(cipher_string, "0x", 406 base::StartsWith(cipher_string, "0x",
362 base::CompareCase::INSENSITIVE_ASCII) && 407 base::CompareCase::INSENSITIVE_ASCII) &&
363 base::HexStringToInt(cipher_string, &value)) { 408 base::HexStringToInt(cipher_string, &value)) {
364 *cipher_suite = static_cast<uint16_t>(value); 409 *cipher_suite = static_cast<uint16_t>(value);
365 return true; 410 return true;
366 } 411 }
367 return false; 412 return false;
368 } 413 }
369 414
370 bool IsSecureTLSCipherSuite(uint16_t cipher_suite) { 415 int ObsoleteSSLStatus(int connection_status) {
371 int key_exchange, cipher, mac; 416 int obsolete_ssl = OBSOLETE_SSL_NONE;
372 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
373 return false;
374 417
375 // Only allow ECDHE key exchanges. 418 int ssl_version = SSLConnectionStatusToVersion(connection_status);
376 switch (key_exchange) { 419 obsolete_ssl |= ObsoleteSSLStatusForProtocol(ssl_version);
377 case 14: // ECDHE_ECDSA
378 case 16: // ECDHE_RSA
379 case 18: // CECPQ1_RSA
380 case 19: // CECPQ1_ECDSA
381 break;
382 default:
383 return false;
384 }
385 420
386 switch (cipher) { 421 uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status);
387 case 13: // AES_128_GCM 422 obsolete_ssl |= ObsoleteSSLStatusForCipherSuite(cipher_suite);
388 case 14: // AES_256_GCM
389 case 17: // CHACHA20_POLY1305
390 break;
391 default:
392 return false;
393 }
394 423
395 // Only AEADs allowed. 424 return obsolete_ssl;
396 if (mac != kAEADMACValue)
397 return false;
398
399 return true;
400 } 425 }
401 426
402 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) { 427 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) {
403 int key_exchange, cipher, mac; 428 int key_exchange, cipher, mac;
404 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) 429 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
405 return false; 430 return false;
406 431
407 // Only allow forward secure key exchanges. 432 // Only allow forward secure key exchanges.
408 switch (key_exchange) { 433 switch (key_exchange) {
409 case 10: // DHE_RSA 434 case 10: // DHE_RSA
440 case 14: // ECDHE_ECDSA 465 case 14: // ECDHE_ECDSA
441 case 16: // ECDHE_RSA 466 case 16: // ECDHE_RSA
442 break; 467 break;
443 default: 468 default:
444 return nullptr; 469 return nullptr;
445 } 470 }
446 return SSL_get_curve_name(key_exchange_info); 471 return SSL_get_curve_name(key_exchange_info);
447 } 472 }
448 473
449 } // namespace net 474 } // namespace net
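Review bot: ObsoleteSSLStatusForProtocol (new lines 304-309) silently treats every value below SSL_CONNECTION_VERSION_TLS1_2 as an obsolete protocol, which includes SSL_CONNECTION_VERSION_UNKNOWN when SSLConnectionStatusToVersion cannot decode the status; that is the right fail-closed choice, but unlike the cipher-suite path at line 316 it is undocumented, so a reader may later "fix" it by special-casing unknown. Add above the comparison: `// SSL_CONNECTION_VERSION_UNKNOWN also compares below TLS 1.2 and is reported as an obsolete protocol; like the unknown-cipher-suite case, err on the side of caution.` In ObsoleteSSLStatusForCipherSuite, the non-AEAD MAC check at line 344 reuses OBSOLETE_SSL_MASK_CIPHER rather than a MAC-specific bit, so callers cannot tell a weak bulk cipher from a non-AEAD MAC; if that collapsing is intentional, say so in the header comment for the mask enum, since the old boolean IsSecureTLSCipherSuite did not need to distinguish them but the new bitmask API suggests it can. All three new functions start and end within this section.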