Index: net/ssl/ssl_cipher_suite_names.cc |
diff --git a/net/ssl/ssl_cipher_suite_names.cc b/net/ssl/ssl_cipher_suite_names.cc |
index 2bfe72ac93f9e2e0746db4c04c69f5b6111ab5ac..db62e572dc952fbe2de6a9730c9a9fbd11578952 100644 |
--- a/net/ssl/ssl_cipher_suite_names.cc |
+++ b/net/ssl/ssl_cipher_suite_names.cc |
@@ -296,6 +296,50 @@ bool GetCipherProperties(uint16_t cipher_suite, |
return true; |
} |
+int ObsoleteSSLStatusForProtocol(int ssl_version) { |
+ int obsolete_ssl = net::OBSOLETE_SSL_NONE; |
+ if (ssl_version < net::SSL_CONNECTION_VERSION_TLS1_2) { |
estark
2016/04/18 11:46:44
nit: no curly braces
lgarron
2016/04/25 23:56:54
Done.
|
+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_PROTOCOL; |
+ } |
+ return obsolete_ssl; |
+} |
+ |
+int ObsoleteSSLStatusForCipherSuite(uint16_t cipher_suite) { |
+ int obsolete_ssl = net::OBSOLETE_SSL_NONE; |
+ |
+ int key_exchange, cipher, mac; |
+ if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) { |
+ // Cannot determine/unknown cipher suite. Err on the side of caution. |
+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; |
+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
+ return obsolete_ssl; |
+ } |
+ |
+ // Only allow ECDHE key exchanges. |
+ switch (key_exchange) { |
+ case 14: // ECDHE_ECDSA |
+ case 16: // ECDHE_RSA |
+ break; |
+ default: |
+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; |
+ } |
+ |
+ switch (cipher) { |
+ case 13: // AES_128_GCM |
+ case 14: // AES_256_GCM |
+ case 17: // CHACHA20_POLY1305 |
+ break; |
+ default: |
+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
+ } |
+ |
+ // Only AEADs allowed. |
+ if (mac != kAEADMACValue) |
+ obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
+ |
+ return obsolete_ssl; |
+} |
+ |
} // namespace |
namespace net { |
@@ -362,34 +406,20 @@ bool ParseSSLCipherString(const std::string& cipher_string, |
return false; |
} |
-bool IsSecureTLSCipherSuite(uint16_t cipher_suite) { |
- int key_exchange, cipher, mac; |
- if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) |
- return false; |
+int ObsoleteSSLStatus(int connection_status) { |
+ int obsolete_ssl = OBSOLETE_SSL_NONE; |
- // Only allow ECDHE key exchanges. |
- switch (key_exchange) { |
- case 14: // ECDHE_ECDSA |
- case 16: // ECDHE_RSA |
- break; |
- default: |
- return false; |
- } |
+ int ssl_version = SSLConnectionStatusToVersion(connection_status); |
+ obsolete_ssl |= ObsoleteSSLStatusForProtocol(ssl_version); |
- switch (cipher) { |
- case 13: // AES_128_GCM |
- case 14: // AES_256_GCM |
- case 17: // CHACHA20_POLY1305 |
- break; |
- default: |
- return false; |
- } |
+ uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status); |
+ obsolete_ssl |= ObsoleteSSLStatusForCipherSuite(cipher_suite); |
- // Only AEADs allowed. |
- if (mac != kAEADMACValue) |
- return false; |
+ return obsolete_ssl; |
+} |
- return true; |
+bool IsObsoleteTLSCipherSuite(int cipher_suite) { |
+ return ObsoleteSSLStatusForCipherSuite(cipher_suite) != OBSOLETE_SSL_NONE; |
} |
bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) { |