Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2124)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/ssl/ssl_cipher_suite_names.cc

Issue 1727133002: Expose TLS settings in the Security panel overview, and call out individual obsolete settings. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Reintroduce IsSecureTLSCipherSuite() as its negative and update tests. Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/ssl/ssl_cipher_suite_names.h ('K') | « net/ssl/ssl_cipher_suite_names.h ('k') | net/ssl/ssl_cipher_suite_names_unittest.cc » ('j') | net/ssl/ssl_cipher_suite_names_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/ssl/ssl_cipher_suite_names.h" 5 #include "net/ssl/ssl_cipher_suite_names.h"
6 6
7 #if defined(USE_OPENSSL) 7 #if defined(USE_OPENSSL)
8 #include <openssl/ssl.h> 8 #include <openssl/ssl.h>
9 #endif 9 #endif
10 #include <stdlib.h> 10 #include <stdlib.h>
(...skipping 278 matching lines...) Expand 10 before | Expand all | Expand 10 after
289 if (!r) 289 if (!r)
290 return false; 290 return false;
291 291
292 const CipherSuite* cs = static_cast<const CipherSuite*>(r); 292 const CipherSuite* cs = static_cast<const CipherSuite*>(r);
293 *out_key_exchange = cs->encoded >> 8; 293 *out_key_exchange = cs->encoded >> 8;
294 *out_cipher = (cs->encoded >> 3) & 0x1f; 294 *out_cipher = (cs->encoded >> 3) & 0x1f;
295 *out_mac = cs->encoded & 0x7; 295 *out_mac = cs->encoded & 0x7;
296 return true; 296 return true;
297 } 297 }
298 298
299 int ObsoleteSSLStatusForProtocol(int ssl_version) {
300 int obsolete_ssl = net::OBSOLETE_SSL_NONE;
301 if (ssl_version < net::SSL_CONNECTION_VERSION_TLS1_2) {
estark 2016/04/18 11:46:44 nit: no curly braces
lgarron 2016/04/25 23:56:54 Done.
302 obsolete_ssl |= net::OBSOLETE_SSL_MASK_PROTOCOL;
303 }
304 return obsolete_ssl;
305 }
306
307 int ObsoleteSSLStatusForCipherSuite(uint16_t cipher_suite) {
308 int obsolete_ssl = net::OBSOLETE_SSL_NONE;
309
310 int key_exchange, cipher, mac;
311 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) {
312 // Cannot determine/unknown cipher suite. Err on the side of caution.
313 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
314 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
315 return obsolete_ssl;
316 }
317
318 // Only allow ECDHE key exchanges.
319 switch (key_exchange) {
320 case 14: // ECDHE_ECDSA
321 case 16: // ECDHE_RSA
322 break;
323 default:
324 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE;
325 }
326
327 switch (cipher) {
328 case 13: // AES_128_GCM
329 case 14: // AES_256_GCM
330 case 17: // CHACHA20_POLY1305
331 break;
332 default:
333 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
334 }
335
336 // Only AEADs allowed.
337 if (mac != kAEADMACValue)
338 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER;
339
340 return obsolete_ssl;
341 }
342
299 } // namespace 343 } // namespace
300 344
301 namespace net { 345 namespace net {
302 346
303 void SSLCipherSuiteToStrings(const char** key_exchange_str, 347 void SSLCipherSuiteToStrings(const char** key_exchange_str,
304 const char** cipher_str, 348 const char** cipher_str,
305 const char** mac_str, 349 const char** mac_str,
306 bool* is_aead, 350 bool* is_aead,
307 uint16_t cipher_suite) { 351 uint16_t cipher_suite) {
308 *key_exchange_str = *cipher_str = *mac_str = "???"; 352 *key_exchange_str = *cipher_str = *mac_str = "???";
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after
355 if (cipher_string.size() == 6 && 399 if (cipher_string.size() == 6 &&
356 base::StartsWith(cipher_string, "0x", 400 base::StartsWith(cipher_string, "0x",
357 base::CompareCase::INSENSITIVE_ASCII) && 401 base::CompareCase::INSENSITIVE_ASCII) &&
358 base::HexStringToInt(cipher_string, &value)) { 402 base::HexStringToInt(cipher_string, &value)) {
359 *cipher_suite = static_cast<uint16_t>(value); 403 *cipher_suite = static_cast<uint16_t>(value);
360 return true; 404 return true;
361 } 405 }
362 return false; 406 return false;
363 } 407 }
364 408
365 bool IsSecureTLSCipherSuite(uint16_t cipher_suite) { 409 int ObsoleteSSLStatus(int connection_status) {
366 int key_exchange, cipher, mac; 410 int obsolete_ssl = OBSOLETE_SSL_NONE;
367 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
368 return false;
369 411
370 // Only allow ECDHE key exchanges. 412 int ssl_version = SSLConnectionStatusToVersion(connection_status);
371 switch (key_exchange) { 413 obsolete_ssl |= ObsoleteSSLStatusForProtocol(ssl_version);
372 case 14: // ECDHE_ECDSA
373 case 16: // ECDHE_RSA
374 break;
375 default:
376 return false;
377 }
378 414
379 switch (cipher) { 415 uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status);
380 case 13: // AES_128_GCM 416 obsolete_ssl |= ObsoleteSSLStatusForCipherSuite(cipher_suite);
381 case 14: // AES_256_GCM
382 case 17: // CHACHA20_POLY1305
383 break;
384 default:
385 return false;
386 }
387 417
388 // Only AEADs allowed. 418 return obsolete_ssl;
389 if (mac != kAEADMACValue) 419 }
390 return false;
391 420
392 return true; 421 bool IsObsoleteTLSCipherSuite(int cipher_suite) {
422 return ObsoleteSSLStatusForCipherSuite(cipher_suite) != OBSOLETE_SSL_NONE;
393 } 423 }
394 424
395 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) { 425 bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) {
396 int key_exchange, cipher, mac; 426 int key_exchange, cipher, mac;
397 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) 427 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac))
398 return false; 428 return false;
399 429
400 // Only allow forward secure key exchanges. 430 // Only allow forward secure key exchanges.
401 switch (key_exchange) { 431 switch (key_exchange) {
402 case 10: // DHE_RSA 432 case 10: // DHE_RSA
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after
435 default: 465 default:
436 return nullptr; 466 return nullptr;
437 } 467 }
438 return SSL_get_curve_name(key_exchange_info); 468 return SSL_get_curve_name(key_exchange_info);
439 #else 469 #else
440 return nullptr; 470 return nullptr;
441 #endif 471 #endif
442 } 472 }
443 473
444 } // namespace net 474 } // namespace net
OLDNEW
« net/ssl/ssl_cipher_suite_names.h ('K') | « net/ssl/ssl_cipher_suite_names.h ('k') | net/ssl/ssl_cipher_suite_names_unittest.cc » ('j') | net/ssl/ssl_cipher_suite_names_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698