| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/ssl/ssl_cipher_suite_names.h" | 5 #include "net/ssl/ssl_cipher_suite_names.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 | 8 |
| 9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
| 10 | 10 |
| (...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 122 {0xbc, 0x653}, // TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 | 122 {0xbc, 0x653}, // TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 |
| 123 {0xbd, 0x853}, // TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 | 123 {0xbd, 0x853}, // TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 |
| 124 {0xbe, 0xa53}, // TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | 124 {0xbe, 0xa53}, // TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 |
| 125 {0xbf, 0xc53}, // TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 | 125 {0xbf, 0xc53}, // TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 |
| 126 {0xc0, 0x15b}, // TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 | 126 {0xc0, 0x15b}, // TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 |
| 127 {0xc1, 0x45b}, // TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 | 127 {0xc1, 0x45b}, // TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 |
| 128 {0xc2, 0x65b}, // TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 | 128 {0xc2, 0x65b}, // TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 |
| 129 {0xc3, 0x85b}, // TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 | 129 {0xc3, 0x85b}, // TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 |
| 130 {0xc4, 0xa5b}, // TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 | 130 {0xc4, 0xa5b}, // TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 |
| 131 {0xc5, 0xc5b}, // TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 | 131 {0xc5, 0xc5b}, // TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 |
| 132 {0x1301, 0x1f6f}, // TLS_AES_128_GCM_SHA256 | |
| 133 {0x1302, 0x1f77}, // TLS_AES_256_GCM_SHA384 | |
| 134 {0x1303, 0x1f8f}, // TLS_CHACHA20_POLY1305_SHA256 | |
| 135 {0x16b7, 0x128f}, // TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 (exper) | 132 {0x16b7, 0x128f}, // TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 (exper) |
| 136 {0x16b8, 0x138f}, // TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (exper) | 133 {0x16b8, 0x138f}, // TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (exper) |
| 137 {0x16b9, 0x1277}, // TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 (exper) | 134 {0x16b9, 0x1277}, // TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 (exper) |
| 138 {0x16ba, 0x1377}, // TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 (exper) | 135 {0x16ba, 0x1377}, // TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 (exper) |
| 139 {0xc001, 0xd02}, // TLS_ECDH_ECDSA_WITH_NULL_SHA | 136 {0xc001, 0xd02}, // TLS_ECDH_ECDSA_WITH_NULL_SHA |
| 140 {0xc002, 0xd12}, // TLS_ECDH_ECDSA_WITH_RC4_128_SHA | 137 {0xc002, 0xd12}, // TLS_ECDH_ECDSA_WITH_RC4_128_SHA |
| 141 {0xc003, 0xd3a}, // TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | 138 {0xc003, 0xd3a}, // TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA |
| 142 {0xc004, 0xd42}, // TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 139 {0xc004, 0xd42}, // TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
| 143 {0xc005, 0xd4a}, // TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 140 {0xc005, 0xd4a}, // TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
| 144 {0xc006, 0xe02}, // TLS_ECDHE_ECDSA_WITH_NULL_SHA | 141 {0xc006, 0xe02}, // TLS_ECDHE_ECDSA_WITH_NULL_SHA |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 202 {0xc088, 0xd7f}, // TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | 199 {0xc088, 0xd7f}, // TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 |
| 203 {0xc089, 0xd87}, // TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | 200 {0xc089, 0xd87}, // TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 |
| 204 {0xc08a, 0x107f}, // TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 | 201 {0xc08a, 0x107f}, // TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 |
| 205 {0xc08b, 0x1087}, // TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 | 202 {0xc08b, 0x1087}, // TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 |
| 206 {0xc08c, 0xf7f}, // TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | 203 {0xc08c, 0xf7f}, // TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 |
| 207 {0xc08d, 0xf87}, // TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 | 204 {0xc08d, 0xf87}, // TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 |
| 208 {0xcc13, 0x108f}, // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 (non-standard) | 205 {0xcc13, 0x108f}, // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 (non-standard) |
| 209 {0xcc14, 0x0e8f}, // TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) | 206 {0xcc14, 0x0e8f}, // TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) |
| 210 {0xcca8, 0x108f}, // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 207 {0xcca8, 0x108f}, // TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| 211 {0xcca9, 0x0e8f}, // TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 208 {0xcca9, 0x0e8f}, // TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
| 209 {0xccab, 0x148f}, // TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 |
| 210 {0xd001, 0x146f}, // TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 |
| 211 {0xd002, 0x1477}, // TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 |
| 212 }; | 212 }; |
| 213 | 213 |
| 214 const struct { | 214 const struct { |
| 215 char name[15]; | 215 char name[15]; |
| 216 } kKeyExchangeNames[20] = { | 216 } kKeyExchangeNames[21] = { |
| 217 {"NULL"}, // 0 | 217 {"NULL"}, // 0 |
| 218 {"RSA"}, // 1 | 218 {"RSA"}, // 1 |
| 219 {"RSA_EXPORT"}, // 2 | 219 {"RSA_EXPORT"}, // 2 |
| 220 {"DH_DSS_EXPORT"}, // 3 | 220 {"DH_DSS_EXPORT"}, // 3 |
| 221 {"DH_DSS"}, // 4 | 221 {"DH_DSS"}, // 4 |
| 222 {"DH_RSA_EXPORT"}, // 5 | 222 {"DH_RSA_EXPORT"}, // 5 |
| 223 {"DH_RSA"}, // 6 | 223 {"DH_RSA"}, // 6 |
| 224 {"DHE_DSS_EXPORT"}, // 7 | 224 {"DHE_DSS_EXPORT"}, // 7 |
| 225 {"DHE_DSS"}, // 8 | 225 {"DHE_DSS"}, // 8 |
| 226 {"DHE_RSA_EXPORT"}, // 9 | 226 {"DHE_RSA_EXPORT"}, // 9 |
| 227 {"DHE_RSA"}, // 10 | 227 {"DHE_RSA"}, // 10 |
| 228 {"DH_anon_EXPORT"}, // 11 | 228 {"DH_anon_EXPORT"}, // 11 |
| 229 {"DH_anon"}, // 12 | 229 {"DH_anon"}, // 12 |
| 230 {"ECDH_ECDSA"}, // 13 | 230 {"ECDH_ECDSA"}, // 13 |
| 231 {"ECDHE_ECDSA"}, // 14 | 231 {"ECDHE_ECDSA"}, // 14 |
| 232 {"ECDH_RSA"}, // 15 | 232 {"ECDH_RSA"}, // 15 |
| 233 {"ECDHE_RSA"}, // 16 | 233 {"ECDHE_RSA"}, // 16 |
| 234 {"ECDH_anon"}, // 17 | 234 {"ECDH_anon"}, // 17 |
| 235 {"CECPQ1_RSA"}, // 18 | 235 {"CECPQ1_RSA"}, // 18 |
| 236 {"CECPQ1_ECDSA"}, // 19 | 236 {"CECPQ1_ECDSA"}, // 19 |
| 237 // 31 is reserved to indicate a TLS 1.3 AEAD-only suite. | 237 {"ECDHE_PSK"}, // 20 |
| 238 }; | 238 }; |
| 239 | 239 |
| 240 constexpr int kTLS13KeyExchangeValue = 31; | |
| 241 | |
| 242 const struct { | 240 const struct { |
| 243 char name[18]; | 241 char name[18]; |
| 244 } kCipherNames[18] = { | 242 } kCipherNames[18] = { |
| 245 {"NULL"}, // 0 | 243 {"NULL"}, // 0 |
| 246 {"RC4_40"}, // 1 | 244 {"RC4_40"}, // 1 |
| 247 {"RC4_128"}, // 2 | 245 {"RC4_128"}, // 2 |
| 248 {"RC2_CBC_40"}, // 3 | 246 {"RC2_CBC_40"}, // 3 |
| 249 {"IDEA_CBC"}, // 4 | 247 {"IDEA_CBC"}, // 4 |
| 250 {"DES40_CBC"}, // 5 | 248 {"DES40_CBC"}, // 5 |
| 251 {"DES_CBC"}, // 6 | 249 {"DES_CBC"}, // 6 |
| (...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 318 int obsolete_ssl = net::OBSOLETE_SSL_NONE; | 316 int obsolete_ssl = net::OBSOLETE_SSL_NONE; |
| 319 | 317 |
| 320 int key_exchange, cipher, mac; | 318 int key_exchange, cipher, mac; |
| 321 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) { | 319 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) { |
| 322 // Cannot determine/unknown cipher suite. Err on the side of caution. | 320 // Cannot determine/unknown cipher suite. Err on the side of caution. |
| 323 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; | 321 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; |
| 324 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; | 322 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
| 325 return obsolete_ssl; | 323 return obsolete_ssl; |
| 326 } | 324 } |
| 327 | 325 |
| 326 // Only allow ECDHE key exchanges. |
| 328 switch (key_exchange) { | 327 switch (key_exchange) { |
| 329 case 14: // ECDHE_ECDSA | 328 case 14: // ECDHE_ECDSA |
| 330 case 16: // ECDHE_RSA | 329 case 16: // ECDHE_RSA |
| 331 case 18: // CECPQ1_RSA | 330 case 18: // CECPQ1_RSA |
| 332 case 19: // CECPQ1_ECDSA | 331 case 19: // CECPQ1_ECDSA |
| 333 case kTLS13KeyExchangeValue: // TLS 1.3 | 332 case 20: // ECDHE_PSK |
| 334 break; | 333 break; |
| 335 default: | 334 default: |
| 336 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; | 335 obsolete_ssl |= net::OBSOLETE_SSL_MASK_KEY_EXCHANGE; |
| 337 } | 336 } |
| 338 | 337 |
| 339 switch (cipher) { | 338 switch (cipher) { |
| 340 case 13: // AES_128_GCM | 339 case 13: // AES_128_GCM |
| 341 case 14: // AES_256_GCM | 340 case 14: // AES_256_GCM |
| 342 case 17: // CHACHA20_POLY1305 | 341 case 17: // CHACHA20_POLY1305 |
| 343 break; | 342 break; |
| 344 default: | 343 default: |
| 345 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; | 344 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
| 346 } | 345 } |
| 347 | 346 |
| 348 // Only AEADs allowed. | 347 // Only AEADs allowed. |
| 349 if (mac != kAEADMACValue) | 348 if (mac != kAEADMACValue) |
| 350 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; | 349 obsolete_ssl |= net::OBSOLETE_SSL_MASK_CIPHER; |
| 351 | 350 |
| 352 return obsolete_ssl; | 351 return obsolete_ssl; |
| 353 } | 352 } |
| 354 | 353 |
| 355 } // namespace | 354 } // namespace |
| 356 | 355 |
| 357 namespace net { | 356 namespace net { |
| 358 | 357 |
| 359 void SSLCipherSuiteToStrings(const char** key_exchange_str, | 358 void SSLCipherSuiteToStrings(const char** key_exchange_str, |
| 360 const char** cipher_str, | 359 const char** cipher_str, |
| 361 const char** mac_str, | 360 const char** mac_str, |
| 362 bool* is_aead, | 361 bool* is_aead, |
| 363 bool* is_tls13, | |
| 364 uint16_t cipher_suite) { | 362 uint16_t cipher_suite) { |
| 365 *key_exchange_str = *cipher_str = *mac_str = "???"; | 363 *key_exchange_str = *cipher_str = *mac_str = "???"; |
| 366 *is_aead = false; | 364 *is_aead = false; |
| 367 *is_tls13 = false; | |
| 368 | 365 |
| 369 int key_exchange, cipher, mac; | 366 int key_exchange, cipher, mac; |
| 370 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) | 367 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) |
| 371 return; | 368 return; |
| 372 | 369 |
| 373 if (key_exchange == kTLS13KeyExchangeValue) { | 370 *key_exchange_str = kKeyExchangeNames[key_exchange].name; |
| 374 *key_exchange_str = nullptr; | |
| 375 *is_tls13 = true; | |
| 376 } else { | |
| 377 *key_exchange_str = kKeyExchangeNames[key_exchange].name; | |
| 378 } | |
| 379 *cipher_str = kCipherNames[cipher].name; | 371 *cipher_str = kCipherNames[cipher].name; |
| 380 if (mac == kAEADMACValue) { | 372 if (mac == kAEADMACValue) { |
| 381 *is_aead = true; | 373 *is_aead = true; |
| 382 *mac_str = nullptr; | 374 *mac_str = NULL; |
| 383 } else { | 375 } else { |
| 384 *mac_str = kMacNames[mac].name; | 376 *mac_str = kMacNames[mac].name; |
| 385 } | 377 } |
| 386 } | 378 } |
| 387 | 379 |
| 388 void SSLVersionToString(const char** name, int ssl_version) { | 380 void SSLVersionToString(const char** name, int ssl_version) { |
| 389 switch (ssl_version) { | 381 switch (ssl_version) { |
| 390 case SSL_CONNECTION_VERSION_SSL2: | 382 case SSL_CONNECTION_VERSION_SSL2: |
| 391 *name = "SSL 2.0"; | 383 *name = "SSL 2.0"; |
| 392 break; | 384 break; |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 445 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) | 437 if (!GetCipherProperties(cipher_suite, &key_exchange, &cipher, &mac)) |
| 446 return false; | 438 return false; |
| 447 | 439 |
| 448 // Only allow forward secure key exchanges. | 440 // Only allow forward secure key exchanges. |
| 449 switch (key_exchange) { | 441 switch (key_exchange) { |
| 450 case 10: // DHE_RSA | 442 case 10: // DHE_RSA |
| 451 case 14: // ECDHE_ECDSA | 443 case 14: // ECDHE_ECDSA |
| 452 case 16: // ECDHE_RSA | 444 case 16: // ECDHE_RSA |
| 453 case 18: // CECPQ1_RSA | 445 case 18: // CECPQ1_RSA |
| 454 case 19: // CECPQ1_ECDSA | 446 case 19: // CECPQ1_ECDSA |
| 455 case kTLS13KeyExchangeValue: // TLS 1.3 | 447 case 20: // ECDHE_PSK |
| 456 break; | 448 break; |
| 457 default: | 449 default: |
| 458 return false; | 450 return false; |
| 459 } | 451 } |
| 460 | 452 |
| 461 switch (cipher) { | 453 switch (cipher) { |
| 462 case 13: // AES_128_GCM | 454 case 13: // AES_128_GCM |
| 463 case 14: // AES_256_GCM | 455 case 14: // AES_256_GCM |
| 464 case 17: // CHACHA20_POLY1305 | 456 case 17: // CHACHA20_POLY1305 |
| 465 break; | 457 break; |
| 466 default: | 458 default: |
| 467 return false; | 459 return false; |
| 468 } | 460 } |
| 469 | 461 |
| 470 // Only AEADs allowed. | 462 // Only AEADs allowed. |
| 471 if (mac != kAEADMACValue) | 463 if (mac != kAEADMACValue) |
| 472 return false; | 464 return false; |
| 473 | 465 |
| 474 return true; | 466 return true; |
| 475 } | 467 } |
| 476 | 468 |
| 477 } // namespace net | 469 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2418113002:
Revert "Roll src/third_party/boringssl/src 0d81373f9..1991af690" (https://codereview.chromium.org/2… (Closed)
