| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/ssl/ssl_cipher_suite_names.h" | 5 #include "net/ssl/ssl_cipher_suite_names.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 | 8 |
| 9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
| 10 | 10 |
| (...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 122 {0xbc, 0x653}, // TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 | 122 {0xbc, 0x653}, // TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 |
| 123 {0xbd, 0x853}, // TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 | 123 {0xbd, 0x853}, // TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 |
| 124 {0xbe, 0xa53}, // TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | 124 {0xbe, 0xa53}, // TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 |
| 125 {0xbf, 0xc53}, // TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 | 125 {0xbf, 0xc53}, // TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 |
| 126 {0xc0, 0x15b}, // TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 | 126 {0xc0, 0x15b}, // TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 |
| 127 {0xc1, 0x45b}, // TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 | 127 {0xc1, 0x45b}, // TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 |
| 128 {0xc2, 0x65b}, // TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 | 128 {0xc2, 0x65b}, // TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 |
| 129 {0xc3, 0x85b}, // TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 | 129 {0xc3, 0x85b}, // TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 |
| 130 {0xc4, 0xa5b}, // TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 | 130 {0xc4, 0xa5b}, // TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 |
| 131 {0xc5, 0xc5b}, // TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 | 131 {0xc5, 0xc5b}, // TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 |
| 132 {0x1301, 0x1f6f}, // TLS_AES_128_GCM_SHA256 |
| 133 {0x1302, 0x1f77}, // TLS_AES_256_GCM_SHA384 |
| 134 {0x1303, 0x1f8f}, // TLS_CHACHA20_POLY1305_SHA256 |
| 132 {0x16b7, 0x128f}, // TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 (exper) | 135 {0x16b7, 0x128f}, // TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 (exper) |
| 133 {0x16b8, 0x138f}, // TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (exper) | 136 {0x16b8, 0x138f}, // TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (exper) |
| 134 {0x16b9, 0x1277}, // TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 (exper) | 137 {0x16b9, 0x1277}, // TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 (exper) |
| 135 {0x16ba, 0x1377}, // TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 (exper) | 138 {0x16ba, 0x1377}, // TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 (exper) |
| 136 {0xc001, 0xd02}, // TLS_ECDH_ECDSA_WITH_NULL_SHA | 139 {0xc001, 0xd02}, // TLS_ECDH_ECDSA_WITH_NULL_SHA |
| 137 {0xc002, 0xd12}, // TLS_ECDH_ECDSA_WITH_RC4_128_SHA | 140 {0xc002, 0xd12}, // TLS_ECDH_ECDSA_WITH_RC4_128_SHA |
| 138 {0xc003, 0xd3a}, // TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | 141 {0xc003, 0xd3a}, // TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA |
| 139 {0xc004, 0xd42}, // TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 142 {0xc004, 0xd42}, // TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
| 140 {0xc005, 0xd4a}, // TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 143 {0xc005, 0xd4a}, // TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
| 141 {0xc006, 0xe02}, // TLS_ECDHE_ECDSA_WITH_NULL_SHA | 144 {0xc006, 0xe02}, // TLS_ECDHE_ECDSA_WITH_NULL_SHA |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 199 {0xc088, 0xd7f}, // TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | 202 {0xc088, 0xd7f}, // TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 |
| 200 {0xc089, 0xd87}, // TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | 203 {0xc089, 0xd87}, // TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 |
| 201 {0xc08a, 0x107f}, // TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | 204 {0xc08a, 0x107f}, // TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 |
| 202 {0xc08b, 0x1087}, // TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | 205 {0xc08b, 0x1087}, // TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 |
| 203 {0xc08c, 0xf7f}, // TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | 206 {0xc08c, 0xf7f}, // TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 |
| 204 {0xc08d, 0xf87}, // TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 | 207 {0xc08d, 0xf87}, // TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 |
| 205 {0xcc13, 0x108f}, // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 (non-standard) | 208 {0xcc13, 0x108f}, // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 (non-standard) |
| 206 {0xcc14, 0x0e8f}, // TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) | 209 {0xcc14, 0x0e8f}, // TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) |
| 207 {0xcca8, 0x108f}, // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 210 {0xcca8, 0x108f}, // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| 208 {0xcca9, 0x0e8f}, // TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 211 {0xcca9, 0x0e8f}, // TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
| 209 {0xccab, 0x148f}, // TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | |
| 210 {0xd001, 0x146f}, // TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | |
| 211 {0xd002, 0x1477}, // TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 | |
| 212 }; | 212 }; |
| 213 | 213 |
| 214 const struct { | 214 const struct { |
| 215 char name[15]; | 215 char name[15]; |
| 216 } kKeyExchangeNames[21] = { | 216 } kKeyExchangeNames[20] = { |
| 217 {"NULL"}, // 0 | 217 {"NULL"}, // 0 |
| 218 {"RSA"}, // 1 | 218 {"RSA"}, // 1 |
| 219 {"RSA_EXPORT"}, // 2 | 219 {"RSA_EXPORT"}, // 2 |
| 220 {"DH_DSS_EXPORT"}, // 3 | 220 {"DH_DSS_EXPORT"}, // 3 |
| 221 {"DH_DSS"}, // 4 | 221 {"DH_DSS"}, // 4 |
| 222 {"DH_RSA_EXPORT"}, // 5 | 222 {"DH_RSA_EXPORT"}, // 5 |
| 223 {"DH_RSA"}, // 6 | 223 {"DH_RSA"}, // 6 |
| 224 {"DHE_DSS_EXPORT"}, // 7 | 224 {"DHE_DSS_EXPORT"}, // 7 |
| 225 {"DHE_DSS"}, // 8 | 225 {"DHE_DSS"}, // 8 |
| 226 {"DHE_RSA_EXPORT"}, // 9 | 226 {"DHE_RSA_EXPORT"}, // 9 |
| 227 {"DHE_RSA"}, // 10 | 227 {"DHE_RSA"}, // 10 |
| 228 {"DH_anon_EXPORT"}, // 11 | 228 {"DH_anon_EXPORT"}, // 11 |
| 229 {"DH_anon"}, // 12 | 229 {"DH_anon"}, // 12 |
| 230 {"ECDH_ECDSA"}, // 13 | 230 {"ECDH_ECDSA"}, // 13 |
| 231 {"ECDHE_ECDSA"}, // 14 | 231 {"ECDHE_ECDSA"}, // 14 |
| 232 {"ECDH_RSA"}, // 15 | 232 {"ECDH_RSA"}, // 15 |
| 233 {"ECDHE_RSA"}, // 16 | 233 {"ECDHE_RSA"}, // 16 |
| 234 {"ECDH_anon"}, // 17 | 234 {"ECDH_anon"}, // 17 |
| 235 {"CECPQ1_RSA"}, // 18 | 235 {"CECPQ1_RSA"}, // 18 |
| 236 {"CECPQ1_ECDSA"}, // 19 | 236 {"CECPQ1_ECDSA"}, // 19 |
| 237 {"ECDHE_PSK"}, // 20 | 237 // 31 is reserved to indicate a TLS 1.3 AEAD-only suite. |
| 238 }; | 238 }; |
| 239 | 239 |
| 240 constexpr int kTLS13KeyExchangeValue = 31; |
| 241 |
| 240 const struct { | 242 const struct { |
| 241 char name[18]; | 243 char name[18]; |
| 242 } kCipherNames[18] = { | 244 } kCipherNames[18] = { |
| 243 {"NULL"}, // 0 | 245 {"NULL"}, // 0 |
| 244 {"RC4_40"}, // 1 | 246 {"RC4_40"}, // 1 |
| 245 {"RC4_128"}, // 2 | 247 {"RC4_128"}, // 2 |
| 246 {"RC2_CBC_40"}, // 3 | 248 {"RC2_CBC_40"}, // 3 |
| 247 {"IDEA_CBC"}, // 4 | 249 {"IDEA_CBC"}, // 4 |
| 248 {"DES40_CBC"}, // 5 | 250 {"DES40_CBC"}, // 5 |
| 249 {"DES_CBC"}, // 6 | 251 {"DES_CBC"}, // 6 |
| (...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 316 int obsolete_ssl = net::OBSOLETE_SSL_NONE; | 318 int obsolete_ssl = net::OBSOLETE_SSL_NONE; |
| 317 | 319 |
| 318 int key_exchange, cipher, mac; | 320 int key_exchange, cipher, mac; |
| 319 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) { | 321 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) { |
| 320 // Cannot determine/unknown cipher suite. Err on the side of caution. | 322 // Cannot determine/unknown cipher suite. Err on the side of caution. |
| 321 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; | 323 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; |
| 322 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; | 324 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
| 323 return obsolete_ssl; | 325 return obsolete_ssl; |
| 324 } | 326 } |
| 325 | 327 |
| 326 // Only allow ECDHE key exchanges. | |
| 327 switch (key_exchange) { | 328 switch (key_exchange) { |
| 328 case 14: // ECDHE_ECDSA | 329 case 14: // ECDHE_ECDSA |
| 329 case 16: // ECDHE_RSA | 330 case 16: // ECDHE_RSA |
| 330 case 18: // CECPQ1_RSA | 331 case 18: // CECPQ1_RSA |
| 331 case 19: // CECPQ1_ECDSA | 332 case 19: // CECPQ1_ECDSA |
| 332 case 20: // ECDHE_PSK | 333 case kTLS13KeyExchangeValue: // TLS 1.3 |
| 333 break; | 334 break; |
| 334 default: | 335 default: |
| 335 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; | 336 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; |
| 336 } | 337 } |
| 337 | 338 |
| 338 switch (cipher) { | 339 switch (cipher) { |
| 339 case 13: // AES_128_GCM | 340 case 13: // AES_128_GCM |
| 340 case 14: // AES_256_GCM | 341 case 14: // AES_256_GCM |
| 341 case 17: // CHACHA20_POLY1305 | 342 case 17: // CHACHA20_POLY1305 |
| 342 break; | 343 break; |
| 343 default: | 344 default: |
| 344 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; | 345 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
| 345 } | 346 } |
| 346 | 347 |
| 347 // Only AEADs allowed. | 348 // Only AEADs allowed. |
| 348 if (mac != kAEADMACValue) | 349 if (mac != kAEADMACValue) |
| 349 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; | 350 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
| 350 | 351 |
| 351 return obsolete_ssl; | 352 return obsolete_ssl; |
| 352 } | 353 } |
| 353 | 354 |
| 354 } // namespace | 355 } // namespace |
| 355 | 356 |
| 356 namespace net { | 357 namespace net { |
| 357 | 358 |
| 358 void SSLCipherSuiteToStrings(const char** key_exchange_str, | 359 void SSLCipherSuiteToStrings(const char** key_exchange_str, |
| 359 const char** cipher_str, | 360 const char** cipher_str, |
| 360 const char** mac_str, | 361 const char** mac_str, |
| 361 bool* is_aead, | 362 bool* is_aead, |
| 363 bool* is_tls13, |
| 362 uint16_t cipher_suite) { | 364 uint16_t cipher_suite) { |
| 363 *key_exchange_str = *cipher_str = *mac_str = "???"; | 365 *key_exchange_str = *cipher_str = *mac_str = "???"; |
| 364 *is_aead = false; | 366 *is_aead = false; |
| 367 *is_tls13 = false; |
| 365 | 368 |
| 366 int key_exchange, cipher, mac; | 369 int key_exchange, cipher, mac; |
| 367 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) | 370 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) |
| 368 return; | 371 return; |
| 369 | 372 |
| 370 *key_exchange_str = kKeyExchangeNames[key_exchange].name; | 373 if (key_exchange == kTLS13KeyExchangeValue) { |
| 374 *key_exchange_str = nullptr; |
| 375 *is_tls13 = true; |
| 376 } else { |
| 377 *key_exchange_str = kKeyExchangeNames[key_exchange].name; |
| 378 } |
| 371 *cipher_str = kCipherNames[cipher].name; | 379 *cipher_str = kCipherNames[cipher].name; |
| 372 if (mac == kAEADMACValue) { | 380 if (mac == kAEADMACValue) { |
| 373 *is_aead = true; | 381 *is_aead = true; |
| 374 *mac_str = NULL; | 382 *mac_str = nullptr; |
| 375 } else { | 383 } else { |
| 376 *mac_str = kMacNames[mac].name; | 384 *mac_str = kMacNames[mac].name; |
| 377 } | 385 } |
| 378 } | 386 } |
| 379 | 387 |
| 380 void SSLVersionToString(const char** name, int ssl_version) { | 388 void SSLVersionToString(const char** name, int ssl_version) { |
| 381 switch (ssl_version) { | 389 switch (ssl_version) { |
| 382 case SSL_CONNECTION_VERSION_SSL2: | 390 case SSL_CONNECTION_VERSION_SSL2: |
| 383 *name = "SSL 2.0"; | 391 *name = "SSL 2.0"; |
| 384 break; | 392 break; |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 437 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) | 445 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) |
| 438 return false; | 446 return false; |
| 439 | 447 |
| 440 // Only allow forward secure key exchanges. | 448 // Only allow forward secure key exchanges. |
| 441 switch (key_exchange) { | 449 switch (key_exchange) { |
| 442 case 10: // DHE_RSA | 450 case 10: // DHE_RSA |
| 443 case 14: // ECDHE_ECDSA | 451 case 14: // ECDHE_ECDSA |
| 444 case 16: // ECDHE_RSA | 452 case 16: // ECDHE_RSA |
| 445 case 18: // CECPQ1_RSA | 453 case 18: // CECPQ1_RSA |
| 446 case 19: // CECPQ1_ECDSA | 454 case 19: // CECPQ1_ECDSA |
| 447 case 20: // ECDHE_PSK | 455 case kTLS13KeyExchangeValue: // TLS 1.3 |
| 448 break; | 456 break; |
| 449 default: | 457 default: |
| 450 return false; | 458 return false; |
| 451 } | 459 } |
| 452 | 460 |
| 453 switch (cipher) { | 461 switch (cipher) { |
| 454 case 13: // AES_128_GCM | 462 case 13: // AES_128_GCM |
| 455 case 14: // AES_256_GCM | 463 case 14: // AES_256_GCM |
| 456 case 17: // CHACHA20_POLY1305 | 464 case 17: // CHACHA20_POLY1305 |
| 457 break; | 465 break; |
| 458 default: | 466 default: |
| 459 return false; | 467 return false; |
| 460 } | 468 } |
| 461 | 469 |
| 462 // Only AEADs allowed. | 470 // Only AEADs allowed. |
| 463 if (mac != kAEADMACValue) | 471 if (mac != kAEADMACValue) |
| 464 return false; | 472 return false; |
| 465 | 473 |
| 466 return true; | 474 return true; |
| 467 } | 475 } |
| 468 | 476 |
| 469 } // namespace net | 477 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2395323002:
Roll src/third_party/boringssl/src 0d81373f9..1991af690 (Closed)
