
Side by Side Diff: net/ssl/ssl_cipher_suite_names.cc

Issue 1727133002: Expose TLS settings in the Security panel overview, and call out individual obsolete settings. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Rebase and update tests. Created 4 years, 4 months ago
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/ssl/ssl_cipher_suite_names.h" 5 #include "net/ssl/ssl_cipher_suite_names.h"
6 6
7 #include <stdlib.h> 7 #include <stdlib.h>
8 8
9 #include <openssl/ssl.h> 9 #include <openssl/ssl.h>
10 10
(...skipping 283 matching lines...) Expand 10 before | Expand all | Expand 10 after
294 if (!r) 294 if (!r)
295 return false; 295 return false;
296 296
297 const CipherSuite* cs = static_cast<const CipherSuite*>(r); 297 const CipherSuite* cs = static_cast<const CipherSuite*>(r);
298 *out_key_exchange = cs->encoded >> 8; 298 *out_key_exchange = cs->encoded >> 8;
299 *out_cipher = (cs->encoded >> 3) & 0x1f; 299 *out_cipher = (cs->encoded >> 3) & 0x1f;
300 *out_mac = cs->encoded & 0x7; 300 *out_mac = cs->encoded & 0x7;
301 return true; 301 return true;
302 } 302 }
303 303
304 int ObsoleteSSLStatusForProtocol(int ssl_version) {
305 int obsolete_ssl = net::OBSOLETE_SSL_NONE;
306 if (ssl_version < net::SSL_CONNECTION_VERSION_TLS1_2)
307 obsolete_ssl |= net::OBSOLETE_SSL_MASK_PROTOCOL;
308 return obsolete_ssl;
309 }
310
311 int ObsoleteSSLStatusForCipherSuite(uint16_t cipher_suite) {
312 int obsolete_ssl = net::OBSOLETE_SSL_NONE;
313
314 int key_exchange, cipher, mac;
315 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) {
316 // Cannot determine/unknown cipher suite. Err on the side of caution.
317 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
318 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
319 return obsolete_ssl;
320 }
321
322 // Only allow ECDHE key exchanges.
323 switch (key_exchange) {
324 case 14: // ECDHE_ECDSA
325 case 16: // ECDHE_RSA
326 case 18: // CECPQ1_RSA
327 case 19: // CECPQ1_ECDSA
328 break;
329 default:
330 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
331 }
332
333 switch (cipher) {
334 case 13: // AES_128_GCM
335 case 14: // AES_256_GCM
336 case 17: // CHACHA20_POLY1305
337 break;
338 default:
339 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
340 }
341
342 // Only AEADs allowed.
343 if (mac != kAEADMACValue)
344 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
345
346 return obsolete_ssl;
347 }
348
304 } // namespace 349 } // namespace
305 350
306 namespace net { 351 namespace net {
307 352
308 void SSLCipherSuiteToStrings(const char** key_exchange_str, 353 void SSLCipherSuiteToStrings(const char** key_exchange_str,
309 const char** cipher_str, 354 const char** cipher_str,
310 const char** mac_str, 355 const char** mac_str,
311 bool* is_aead, 356 bool* is_aead,
312 uint16_t cipher_suite) { 357 uint16_t cipher_suite) {
313 *key_exchange_str = *cipher_str = *mac_str = "???"; 358 *key_exchange_str = *cipher_str = *mac_str = "???";
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after
363 if (cipher_string.size() == 6 && 408 if (cipher_string.size() == 6 &&
364 base::StartsWith(cipher_string, "0x", 409 base::StartsWith(cipher_string, "0x",
365 base::CompareCase::INSENSITIVE_ASCII) && 410 base::CompareCase::INSENSITIVE_ASCII) &&
366 base::HexStringToInt(cipher_string, &value)) { 411 base::HexStringToInt(cipher_string, &value)) {
367 *cipher_suite = static_cast<uint16_t>(value); 412 *cipher_suite = static_cast<uint16_t>(value);
368 return true; 413 return true;
369 } 414 }
370 return false; 415 return false;
371 } 416 }
372 417
373 bool IsSecureTLSCipherSuite(uint16_t cipher_suite) { 418 int ObsoleteSSLStatus(int connection_status) {
374 int key_exchange, cipher, mac; 419 int obsolete_ssl = OBSOLETE_SSL_NONE;
375 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
376 return false;
377 420
378 // Only allow ECDHE key exchanges. 421 int ssl_version = SSLConnectionStatusToVersion(connection_status);
379 switch (key_exchange) { 422 obsolete_ssl |= ObsoleteSSLStatusForProtocol(ssl_version);
380 case 14: // ECDHE_ECDSA
381 case 16: // ECDHE_RSA
382 case 18: // CECPQ1_RSA
383 case 19: // CECPQ1_ECDSA
384 break;
385 default:
386 return false;
387 }
388 423
389 switch (cipher) { 424 uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status);
390 case 13: // AES_128_GCM 425 obsolete_ssl |= ObsoleteSSLStatusForCipherSuite(cipher_suite);
391 case 14: // AES_256_GCM
392 case 17: // CHACHA20_POLY1305
393 break;
394 default:
395 return false;
396 }
397 426
398 // Only AEADs allowed. 427 return obsolete_ssl;
399 if (mac != kAEADMACValue)
400 return false;
401
402 return true;
403 } 428 }
404 429
405 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) { 430 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) {
406 int key_exchange, cipher, mac; 431 int key_exchange, cipher, mac;
407 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) 432 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
408 return false; 433 return false;
409 434
410 // Only allow forward secure key exchanges. 435 // Only allow forward secure key exchanges.
411 switch (key_exchange) { 436 switch (key_exchange) {
412 case 10: // DHE_RSA 437 case 10: // DHE_RSA
(...skipping 30 matching lines...) Expand all
443 case 14: // ECDHE_ECDSA 468 case 14: // ECDHE_ECDSA
444 case 16: // ECDHE_RSA 469 case 16: // ECDHE_RSA
445 break; 470 break;
446 default: 471 default:
447 return nullptr; 472 return nullptr;
448 } 473 }
449 return SSL_get_curve_name(key_exchange_info); 474 return SSL_get_curve_name(key_exchange_info);
450 } 475 }
451 476
452 } // namespace net 477 } // namespace net
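Review bot: ObsoleteSSLStatusForProtocol (new lines 304-309) decides "obsolete" purely by the numeric order of the SSL_CONNECTION_VERSION_* constants and, unlike ObsoleteSSLStatusForCipherSuite, says nothing about the unknown case; if SSL_CONNECTION_VERSION_UNKNOWN sorts below TLS1_2 an unknown version is silently reported as an obsolete protocol, which is presumably the intended conservative result but deserves the same explicit note the unknown-cipher-suite branch carries. Suggest a comment above the comparison: `// Anything below TLS 1.2 (including an unknown version) is reported as obsolete; err on the side of caution, as the cipher-suite check does.` It would also help to state on ObsoleteSSLStatus (new lines 418-428) that the return value is a bitwise union of the protocol and cipher-suite masks, so a caller testing for OBSOLETE_SSL_NONE knows that both checks must pass; the .cc carries no header comment for it, and this view does not show whether the header does.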