Fail the SPDY transaction if it does not meet TLS base requirements.

net/ssl/ssl_cipher_suite_names.cc

Index: net/ssl/ssl_cipher_suite_names.cc
diff --git a/net/ssl/ssl_cipher_suite_names.cc b/net/ssl/ssl_cipher_suite_names.cc
index f018857d25005fb21363f5b5e3a77f84832d768b..55b0276ee5c2e2dc860b057edc16c687d5447e44 100644
--- a/net/ssl/ssl_cipher_suite_names.cc
+++ b/net/ssl/ssl_cipher_suite_names.cc
@@ -345,4 +345,49 @@ bool ParseSSLCipherString(const std::string& cipher_string,
   return false;
 }
 
+bool IsSecureTLSCipherSuite(uint16 cipher_suite) {
+  CipherSuite desired = {0};
+  desired.cipher_suite = cipher_suite;
+
+  void* r = bsearch(&desired,
+                    kCipherSuites,
+                    arraysize(kCipherSuites),
+                    sizeof(kCipherSuites[0]),
+                    CipherSuiteCmp);
+
+  if (!r)
+    return false;
+
+  const CipherSuite* cs = static_cast<const CipherSuite*>(r);
+
+  const int key_exchange = cs->encoded >> 8;
+  const int cipher = (cs->encoded >> 3) & 0x1f;
+  const int mac = cs->encoded & 0x7;
+
+  // Only allow forward secure key exchanges.
+  switch (key_exchange) {
+    case 10:  // DHE_RSA
+    case 14:  // ECDHE_ECDSA
+    case 16:  // ECDHE_RSA
+      break;
+    default:
+      return false;
+  }
+
+  switch (cipher) {
+    case 13:  // AES_128_GCM
+    case 14:  // AES_256_GCM
+    case 17:  // CHACHA20_POLY1305
+      break;
+    default:
+      return false;
+  }
+
+  // Only AEADs allowed.
+  if (mac != kAEADMACValue)
+    return false;
+
+  return true;
+}
+
 }  // namespace net