OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/ssl/ssl_cipher_suite_names.h" | 5 #include "net/ssl/ssl_cipher_suite_names.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 | 8 |
9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
10 | 10 |
(...skipping 287 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
298 if (!r) | 298 if (!r) |
299 return false; | 299 return false; |
300 | 300 |
301 const CipherSuite* cs = static_cast<const CipherSuite*>(r); | 301 const CipherSuite* cs = static_cast<const CipherSuite*>(r); |
302 *out_key_exchange = cs->encoded >> 8; | 302 *out_key_exchange = cs->encoded >> 8; |
303 *out_cipher = (cs->encoded >> 3) & 0x1f; | 303 *out_cipher = (cs->encoded >> 3) & 0x1f; |
304 *out_mac = cs->encoded & 0x7; | 304 *out_mac = cs->encoded & 0x7; |
305 return true; | 305 return true; |
306 } | 306 } |
307 | 307 |
| 308 int ObsoleteSSLStatusForProtocol(int ssl_version) { |
| 309 int obsolete_ssl = net::OBSOLETE_SSL_NONE; |
| 310 if (ssl_version < net::SSL_CONNECTION_VERSION_TLS1_2) |
| 311 obsolete_ssl |= net::OBSOLETE_SSL_MASK_PROTOCOL; |
| 312 return obsolete_ssl; |
| 313 } |
| 314 |
| 315 int ObsoleteSSLStatusForCipherSuite(uint16_t cipher_suite) { |
| 316 int obsolete_ssl = net::OBSOLETE_SSL_NONE; |
| 317 |
| 318 int key_exchange, cipher, mac; |
| 319 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) { |
| 320 // Cannot determine/unknown cipher suite. Err on the side of caution. |
| 321 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; |
| 322 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
| 323 return obsolete_ssl; |
| 324 } |
| 325 |
| 326 // Only allow ECDHE key exchanges. |
| 327 switch (key_exchange) { |
| 328 case 14: // ECDHE_ECDSA |
| 329 case 16: // ECDHE_RSA |
| 330 case 18: // CECPQ1_RSA |
| 331 case 19: // CECPQ1_ECDSA |
| 332 case 20: // ECDHE_PSK |
| 333 break; |
| 334 default: |
| 335 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; |
| 336 } |
| 337 |
| 338 switch (cipher) { |
| 339 case 13: // AES_128_GCM |
| 340 case 14: // AES_256_GCM |
| 341 case 17: // CHACHA20_POLY1305 |
| 342 break; |
| 343 default: |
| 344 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
| 345 } |
| 346 |
| 347 // Only AEADs allowed. |
| 348 if (mac != kAEADMACValue) |
| 349 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
| 350 |
| 351 return obsolete_ssl; |
| 352 } |
| 353 |
308 } // namespace | 354 } // namespace |
309 | 355 |
310 namespace net { | 356 namespace net { |
311 | 357 |
312 void SSLCipherSuiteToStrings(const char** key_exchange_str, | 358 void SSLCipherSuiteToStrings(const char** key_exchange_str, |
313 const char** cipher_str, | 359 const char** cipher_str, |
314 const char** mac_str, | 360 const char** mac_str, |
315 bool* is_aead, | 361 bool* is_aead, |
316 uint16_t cipher_suite) { | 362 uint16_t cipher_suite) { |
317 *key_exchange_str = *cipher_str = *mac_str = "???"; | 363 *key_exchange_str = *cipher_str = *mac_str = "???"; |
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
367 if (cipher_string.size() == 6 && | 413 if (cipher_string.size() == 6 && |
368 base::StartsWith(cipher_string, "0x", | 414 base::StartsWith(cipher_string, "0x", |
369 base::CompareCase::INSENSITIVE_ASCII) && | 415 base::CompareCase::INSENSITIVE_ASCII) && |
370 base::HexStringToInt(cipher_string, &value)) { | 416 base::HexStringToInt(cipher_string, &value)) { |
371 *cipher_suite = static_cast<uint16_t>(value); | 417 *cipher_suite = static_cast<uint16_t>(value); |
372 return true; | 418 return true; |
373 } | 419 } |
374 return false; | 420 return false; |
375 } | 421 } |
376 | 422 |
377 bool IsSecureTLSCipherSuite(uint16_t cipher_suite) { | 423 int ObsoleteSSLStatus(int connection_status) { |
378 int key_exchange, cipher, mac; | 424 int obsolete_ssl = OBSOLETE_SSL_NONE; |
379 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) | |
380 return false; | |
381 | 425 |
382 // Only allow ECDHE key exchanges. | 426 int ssl_version = SSLConnectionStatusToVersion(connection_status); |
383 switch (key_exchange) { | 427 obsolete_ssl |= ObsoleteSSLStatusForProtocol(ssl_version); |
384 case 14: // ECDHE_ECDSA | |
385 case 16: // ECDHE_RSA | |
386 case 18: // CECPQ1_RSA | |
387 case 19: // CECPQ1_ECDSA | |
388 case 20: // ECDHE_PSK | |
389 break; | |
390 default: | |
391 return false; | |
392 } | |
393 | 428 |
394 switch (cipher) { | 429 uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status); |
395 case 13: // AES_128_GCM | 430 obsolete_ssl |= ObsoleteSSLStatusForCipherSuite(cipher_suite); |
396 case 14: // AES_256_GCM | |
397 case 17: // CHACHA20_POLY1305 | |
398 break; | |
399 default: | |
400 return false; | |
401 } | |
402 | 431 |
403 // Only AEADs allowed. | 432 return obsolete_ssl; |
404 if (mac != kAEADMACValue) | |
405 return false; | |
406 | |
407 return true; | |
408 } | 433 } |
409 | 434 |
410 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) { | 435 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) { |
411 int key_exchange, cipher, mac; | 436 int key_exchange, cipher, mac; |
412 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) | 437 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) |
413 return false; | 438 return false; |
414 | 439 |
415 // Only allow forward secure key exchanges. | 440 // Only allow forward secure key exchanges. |
416 switch (key_exchange) { | 441 switch (key_exchange) { |
417 case 10: // DHE_RSA | 442 case 10: // DHE_RSA |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
450 case 16: // ECDHE_RSA | 475 case 16: // ECDHE_RSA |
451 case 20: // ECDHE_PSK | 476 case 20: // ECDHE_PSK |
452 break; | 477 break; |
453 default: | 478 default: |
454 return nullptr; | 479 return nullptr; |
455 } | 480 } |
456 return SSL_get_curve_name(key_exchange_info); | 481 return SSL_get_curve_name(key_exchange_info); |
457 } | 482 } |
458 | 483 |
459 } // namespace net | 484 } // namespace net |
OLD | NEW |