
Side by Side Diff: net/ssl/ssl_cipher_suite_names.cc

Issue 1727133002: Expose TLS settings in the Security panel overview, and call out individual obsolete settings. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Also check that connection_status is not zero, which is the case for 3 browser tests. Created 4 years, 3 months ago
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/ssl/ssl_cipher_suite_names.h" 5 #include "net/ssl/ssl_cipher_suite_names.h"
6 6
7 #include <stdlib.h> 7 #include <stdlib.h>
8 8
9 #include <openssl/ssl.h> 9 #include <openssl/ssl.h>
10 10
(...skipping 287 matching lines...) Expand 10 before | Expand all | Expand 10 after
298 if (!r) 298 if (!r)
299 return false; 299 return false;
300 300
301 const CipherSuite* cs = static_cast<const CipherSuite*>(r); 301 const CipherSuite* cs = static_cast<const CipherSuite*>(r);
302 *out_key_exchange = cs->encoded >> 8; 302 *out_key_exchange = cs->encoded >> 8;
303 *out_cipher = (cs->encoded >> 3) & 0x1f; 303 *out_cipher = (cs->encoded >> 3) & 0x1f;
304 *out_mac = cs->encoded & 0x7; 304 *out_mac = cs->encoded & 0x7;
305 return true; 305 return true;
306 } 306 }
307 307
308 int ObsoleteSSLStatusForProtocol(int ssl_version) {
309 int obsolete_ssl = net::OBSOLETE_SSL_NONE;
310 if (ssl_version < net::SSL_CONNECTION_VERSION_TLS1_2)
311 obsolete_ssl |= net::OBSOLETE_SSL_MASK_PROTOCOL;
312 return obsolete_ssl;
313 }
314
315 int ObsoleteSSLStatusForCipherSuite(uint16_t cipher_suite) {
316 int obsolete_ssl = net::OBSOLETE_SSL_NONE;
317
318 int key_exchange, cipher, mac;
319 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) {
320 // Cannot determine/unknown cipher suite. Err on the side of caution.
321 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
322 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
323 return obsolete_ssl;
324 }
325
326 // Only allow ECDHE key exchanges.
327 switch (key_exchange) {
328 case 14: // ECDHE_ECDSA
329 case 16: // ECDHE_RSA
330 case 18: // CECPQ1_RSA
331 case 19: // CECPQ1_ECDSA
332 case 20: // ECDHE_PSK
333 break;
334 default:
335 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
336 }
337
338 switch (cipher) {
339 case 13: // AES_128_GCM
340 case 14: // AES_256_GCM
341 case 17: // CHACHA20_POLY1305
342 break;
343 default:
344 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
345 }
346
347 // Only AEADs allowed.
348 if (mac != kAEADMACValue)
349 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
350
351 return obsolete_ssl;
352 }
353
308 } // namespace 354 } // namespace
309 355
310 namespace net { 356 namespace net {
311 357
312 void SSLCipherSuiteToStrings(const char** key_exchange_str, 358 void SSLCipherSuiteToStrings(const char** key_exchange_str,
313 const char** cipher_str, 359 const char** cipher_str,
314 const char** mac_str, 360 const char** mac_str,
315 bool* is_aead, 361 bool* is_aead,
316 uint16_t cipher_suite) { 362 uint16_t cipher_suite) {
317 *key_exchange_str = *cipher_str = *mac_str = "???"; 363 *key_exchange_str = *cipher_str = *mac_str = "???";
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after
367 if (cipher_string.size() == 6 && 413 if (cipher_string.size() == 6 &&
368 base::StartsWith(cipher_string, "0x", 414 base::StartsWith(cipher_string, "0x",
369 base::CompareCase::INSENSITIVE_ASCII) && 415 base::CompareCase::INSENSITIVE_ASCII) &&
370 base::HexStringToInt(cipher_string, &value)) { 416 base::HexStringToInt(cipher_string, &value)) {
371 *cipher_suite = static_cast<uint16_t>(value); 417 *cipher_suite = static_cast<uint16_t>(value);
372 return true; 418 return true;
373 } 419 }
374 return false; 420 return false;
375 } 421 }
376 422
377 bool IsSecureTLSCipherSuite(uint16_t cipher_suite) { 423 int ObsoleteSSLStatus(int connection_status) {
378 int key_exchange, cipher, mac; 424 int obsolete_ssl = OBSOLETE_SSL_NONE;
379 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
380 return false;
381 425
382 // Only allow ECDHE key exchanges. 426 int ssl_version = SSLConnectionStatusToVersion(connection_status);
383 switch (key_exchange) { 427 obsolete_ssl |= ObsoleteSSLStatusForProtocol(ssl_version);
384 case 14: // ECDHE_ECDSA
385 case 16: // ECDHE_RSA
386 case 18: // CECPQ1_RSA
387 case 19: // CECPQ1_ECDSA
388 case 20: // ECDHE_PSK
389 break;
390 default:
391 return false;
392 }
393 428
394 switch (cipher) { 429 uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status);
395 case 13: // AES_128_GCM 430 obsolete_ssl |= ObsoleteSSLStatusForCipherSuite(cipher_suite);
396 case 14: // AES_256_GCM
397 case 17: // CHACHA20_POLY1305
398 break;
399 default:
400 return false;
401 }
402 431
403 // Only AEADs allowed. 432 return obsolete_ssl;
404 if (mac != kAEADMACValue)
405 return false;
406
407 return true;
408 } 433 }
409 434
410 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) { 435 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) {
411 int key_exchange, cipher, mac; 436 int key_exchange, cipher, mac;
412 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) 437 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
413 return false; 438 return false;
414 439
415 // Only allow forward secure key exchanges. 440 // Only allow forward secure key exchanges.
416 switch (key_exchange) { 441 switch (key_exchange) {
417 case 10: // DHE_RSA 442 case 10: // DHE_RSA
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after
450 case 16: // ECDHE_RSA 475 case 16: // ECDHE_RSA
451 case 20: // ECDHE_PSK 476 case 20: // ECDHE_PSK
452 break; 477 break;
453 default: 478 default:
454 return nullptr; 479 return nullptr;
455 } 480 }
456 return SSL_get_curve_name(key_exchange_info); 481 return SSL_get_curve_name(key_exchange_info);
457 } 482 }
458 483
459 } // namespace net 484 } // namespace net
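Review bot: ObsoleteSSLStatusForProtocol (new-side lines 308-313) classifies a version as obsolete with a bare `ssl_version < net::SSL_CONNECTION_VERSION_TLS1_2`, which quietly relies on the SSL_CONNECTION_VERSION_* constants being numerically ordered by protocol age, with the unknown value below TLS 1.2 and anything added later (QUIC, future TLS versions) above it; that appears to be the intent, but it deserves a comment such as `// Assumes SSL_CONNECTION_VERSION_* is ordered by age; an unknown version is deliberately reported as obsolete.` so a later enum addition is not silently misclassified. Relatedly, ObsoleteSSLStatus (new-side lines 423-433) turns a connection_status of 0 into version 0 and cipher suite 0x0000, so — if 0x0000 is absent from the cipher table, as seems likely — it returns every mask set rather than OBSOLETE_SSL_NONE; the patch-set note says callers guard against a zero connection_status, and that contract should be stated on the function, e.g. `// connection_status must describe a completed handshake; a zero status is reported as fully obsolete.` Neither helper can be checked further here because GetCipherProperties and the cipher table sit in the collapsed region above the hunk.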
