Index: net/ssl/ssl_cipher_suite_names.cc |
diff --git a/net/ssl/ssl_cipher_suite_names.cc b/net/ssl/ssl_cipher_suite_names.cc |
index f018857d25005fb21363f5b5e3a77f84832d768b..dccec6072a9a46e2a8a289b1f75ad44626dad3bd 100644 |
--- a/net/ssl/ssl_cipher_suite_names.cc |
+++ b/net/ssl/ssl_cipher_suite_names.cc |
@@ -345,4 +345,49 @@ bool ParseSSLCipherString(const std::string& cipher_string, |
return false; |
} |
+bool IsModernTLSCipherSuite(uint16 cipher_suite) { |
+ struct CipherSuite desired = {0}; |
wtc
2014/05/21 21:51:10
Nit: I know you copied this from existing code, bu
willchan no longer on Chromium
2014/05/21 22:55:22
Done.
|
+ desired.cipher_suite = cipher_suite; |
+ |
+ void* r = bsearch(&desired, |
+ kCipherSuites, |
+ arraysize(kCipherSuites), |
+ sizeof(kCipherSuites[0]), |
+ CipherSuiteCmp); |
wtc
2014/05/21 21:51:10
Nit: just wondering why this is formatted in a dif
willchan no longer on Chromium
2014/05/21 22:55:22
Yes.
|
+ |
+ if (!r) |
+ return false; |
+ |
+ const CipherSuite* cs = static_cast<const CipherSuite*>(r); |
+ |
+ const int key_exchange = cs->encoded >> 8; |
+ const int cipher = (cs->encoded >> 3) & 0x1f; |
+ const int mac = cs->encoded & 0x7; |
+ |
+ // Only allow forward secure key exchanges. |
+ switch (key_exchange) { |
+ case 10: // DHE_RSA |
wtc
2014/05/21 21:51:10
Why do you not allow 8 (DHE_DSS)?
willchan no longer on Chromium
2014/05/21 22:55:22
agl@ tells me no one uses DSS.
|
+ case 14: // ECDHE_ECDSA |
+ case 16: // ECDHE_RSA |
+ break; |
+ default: |
+ return false; |
+ } |
+ |
+ switch (cipher) { |
+ case 13: // AES_128_GCM |
+ case 14: // AES_256_GCM |
+ case 17: // CHACHA20_POLY1305 |
+ break; |
+ default: |
+ return false; |
+ } |
+ |
+ // Only AEADs allowed. |
+ if (mac != kAEADMACValue) |
+ return false; |
+ |
+ return true; |
+} |
+ |
} // namespace net |