1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/ssl/ssl_cipher_suite_names.h" | 5 #include "net/ssl/ssl_cipher_suite_names.h" |
6 | 6 |
7 #if defined(USE_OPENSSL) | 7 #if defined(USE_OPENSSL) |
8 #include <openssl/ssl.h> | 8 #include <openssl/ssl.h> |
9 #endif | 9 #endif |
10 #include <stdlib.h> | 10 #include <stdlib.h> |
(...skipping 278 matching lines...)
289 if (!r) | 289 if (!r) |
290 return false; | 290 return false; |
291 | 291 |
292 const CipherSuite* cs = static_cast<const CipherSuite*>(r); | 292 const CipherSuite* cs = static_cast<const CipherSuite*>(r); |
293 *out_key_exchange = cs->encoded >> 8; | 293 *out_key_exchange = cs->encoded >> 8; |
294 *out_cipher = (cs->encoded >> 3) & 0x1f; | 294 *out_cipher = (cs->encoded >> 3) & 0x1f; |
295 *out_mac = cs->encoded & 0x7; | 295 *out_mac = cs->encoded & 0x7; |
296 return true; | 296 return true; |
297 } | 297 } |
298 | 298 |
299 int ObsoleteSSLStatusForProtocol(int ssl_version) { | |
300 int obsolete_ssl = net::OBSOLETE_SSL_NONE; | |
301 if (ssl_version < net::SSL_CONNECTION_VERSION_TLS1_2) { | |
estark
2016/04/18 11:46:44
nit: no curly braces
lgarron
2016/04/25 23:56:54
Done.
| |
302 obsolete_ssl |= net::OBSOLETE_SSL_MASK_PROTOCOL; | |
303 } | |
304 return obsolete_ssl; | |
305 } | |
306 | |
307 int ObsoleteSSLStatusForCipherSuite(uint16_t cipher_suite) { | |
308 int obsolete_ssl = net::OBSOLETE_SSL_NONE; | |
309 | |
310 int key_exchange, cipher, mac; | |
311 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) { | |
312 // Cannot determine/unknown cipher suite. Err on the side of caution. | |
313 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; | |
314 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; | |
315 return obsolete_ssl; | |
316 } | |
317 | |
318 // Only allow ECDHE key exchanges. | |
319 switch (key_exchange) { | |
320 case 14: // ECDHE_ECDSA | |
321 case 16: // ECDHE_RSA | |
322 break; | |
323 default: | |
324 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; | |
325 } | |
326 | |
327 switch (cipher) { | |
328 case 13: // AES_128_GCM | |
329 case 14: // AES_256_GCM | |
330 case 17: // CHACHA20_POLY1305 | |
331 break; | |
332 default: | |
333 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; | |
334 } | |
335 | |
336 // Only AEADs allowed. | |
337 if (mac != kAEADMACValue) | |
338 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; | |
339 | |
340 return obsolete_ssl; | |
341 } | |
342 | |
299 } // namespace | 343 } // namespace |
300 | 344 |
301 namespace net { | 345 namespace net { |
302 | 346 |
303 void SSLCipherSuiteToStrings(const char** key_exchange_str, | 347 void SSLCipherSuiteToStrings(const char** key_exchange_str, |
304 const char** cipher_str, | 348 const char** cipher_str, |
305 const char** mac_str, | 349 const char** mac_str, |
306 bool* is_aead, | 350 bool* is_aead, |
307 uint16_t cipher_suite) { | 351 uint16_t cipher_suite) { |
308 *key_exchange_str = *cipher_str = *mac_str = "???"; | 352 *key_exchange_str = *cipher_str = *mac_str = "???"; |
(...skipping 46 matching lines...)
355 if (cipher_string.size() == 6 && | 399 if (cipher_string.size() == 6 && |
356 base::StartsWith(cipher_string, "0x", | 400 base::StartsWith(cipher_string, "0x", |
357 base::CompareCase::INSENSITIVE_ASCII) && | 401 base::CompareCase::INSENSITIVE_ASCII) && |
358 base::HexStringToInt(cipher_string, &value)) { | 402 base::HexStringToInt(cipher_string, &value)) { |
359 *cipher_suite = static_cast<uint16_t>(value); | 403 *cipher_suite = static_cast<uint16_t>(value); |
360 return true; | 404 return true; |
361 } | 405 } |
362 return false; | 406 return false; |
363 } | 407 } |
364 | 408 |
365 bool IsSecureTLSCipherSuite(uint16_t cipher_suite) { | 409 int ObsoleteSSLStatus(int connection_status) { |
366 int key_exchange, cipher, mac; | 410 int obsolete_ssl = OBSOLETE_SSL_NONE; |
367 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) | |
368 return false; | |
369 | 411 |
370 // Only allow ECDHE key exchanges. | 412 int ssl_version = SSLConnectionStatusToVersion(connection_status); |
371 switch (key_exchange) { | 413 obsolete_ssl |= ObsoleteSSLStatusForProtocol(ssl_version); |
372 case 14: // ECDHE_ECDSA | |
373 case 16: // ECDHE_RSA | |
374 break; | |
375 default: | |
376 return false; | |
377 } | |
378 | 414 |
379 switch (cipher) { | 415 uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status); |
380 case 13: // AES_128_GCM | 416 obsolete_ssl |= ObsoleteSSLStatusForCipherSuite(cipher_suite); |
381 case 14: // AES_256_GCM | |
382 case 17: // CHACHA20_POLY1305 | |
383 break; | |
384 default: | |
385 return false; | |
386 } | |
387 | 417 |
388 // Only AEADs allowed. | 418 return obsolete_ssl; |
389 if (mac != kAEADMACValue) | 419 } |
390 return false; | |
391 | 420 |
392 return true; | 421 bool IsObsoleteTLSCipherSuite(int cipher_suite) { |
422 return ObsoleteSSLStatusForCipherSuite(cipher_suite) != OBSOLETE_SSL_NONE; | |
393 } | 423 } |
394 | 424 |
395 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) { | 425 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) { |
396 int key_exchange, cipher, mac; | 426 int key_exchange, cipher, mac; |
397 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) | 427 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) |
398 return false; | 428 return false; |
399 | 429 |
400 // Only allow forward secure key exchanges. | 430 // Only allow forward secure key exchanges. |
401 switch (key_exchange) { | 431 switch (key_exchange) { |
402 case 10: // DHE_RSA | 432 case 10: // DHE_RSA |
(...skipping 32 matching lines...)
435 default: | 465 default: |
436 return nullptr; | 466 return nullptr; |
437 } | 467 } |
438 return SSL_get_curve_name(key_exchange_info); | 468 return SSL_get_curve_name(key_exchange_info); |
439 #else | 469 #else |
440 return nullptr; | 470 return nullptr; |
441 #endif | 471 #endif |
442 } | 472 } |
443 | 473 |
444 } // namespace net | 474 } // namespace net |
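Review bot: `IsObsoleteTLSCipherSuite` takes its cipher suite as `int` (new line 421) but forwards it to `ObsoleteSSLStatusForCipherSuite(uint16_t)` (new line 307), so a value outside 0–0xFFFF, or a negative one, is silently narrowed and classified as whatever suite its low 16 bits happen to name — a suite that should be flagged as obsolete could then read back as clean. The function it replaces, `IsSecureTLSCipherSuite`, and the neighbouring `IsTLSCipherSuiteAllowedByHTTP2` both take `uint16_t`, and `SSLConnectionStatusToCipherSuite` already yields a `uint16_t` at new line 415, so `bool IsObsoleteTLSCipherSuite(uint16_t cipher_suite) {` keeps the new entry point consistent with them; the matching declaration lives in the header, which is outside this section and would need the same change. If the wider type is deliberate for a caller that only has an `int`, a comment on the declaration stating that the value must fit in 16 bits would make the contract explicit, since nothing in this file checks it.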