author | willchan@chromium.org <willchan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-05-23 10:31:51 +0000 |
---|---|---|
committer | willchan@chromium.org <willchan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-05-23 10:31:51 +0000 |
commit | 514aeafb81f823103d35c83132b508e3e5814808 (patch) | |
tree | 07444179c4b84ae8a574e17bcc0007134626de76 /net/ssl/ssl_cipher_suite_names.cc | |
parent | 2993b0bddff7fef278e78eed3d31bae4ff1e1d11 (diff) | |
Fail the SPDY transaction if it does not meet TLS base requirements.
* Generally follows guidelines in https://http2.github.io/http2-spec/#TLSUsage.
* Apply only to SPDY4+ versions
* Fail the stream job if the TLS version for SPDY is too old (<1.2)
* Fail the stream job if the TLS cipher suite is weak, i.e. not a forward-secret AEAD suite. Note that we're stricter here than the HTTP/2 spec.
Also added while implementing this CL:
* Add SSLConnectionStatus setters.
* Add ability for SSLSocketDataProvider to set SSLConnectionStatus.
* Add modern cipher suite check into net/ssl.
BUG=374957
Review URL: https://codereview.chromium.org/291093002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@272467 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/ssl/ssl_cipher_suite_names.cc')
-rw-r--r-- | net/ssl/ssl_cipher_suite_names.cc | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/net/ssl/ssl_cipher_suite_names.cc b/net/ssl/ssl_cipher_suite_names.cc
index f018857..55b0276 100644
--- a/net/ssl/ssl_cipher_suite_names.cc
+++ b/net/ssl/ssl_cipher_suite_names.cc
@@ -345,4 +345,49 @@ bool ParseSSLCipherString(const std::string& cipher_string,
   return false;
 }
 
+bool IsSecureTLSCipherSuite(uint16 cipher_suite) {
+  CipherSuite desired = {0};
+  desired.cipher_suite = cipher_suite;
+
+  void* r = bsearch(&desired,
+                    kCipherSuites,
+                    arraysize(kCipherSuites),
+                    sizeof(kCipherSuites[0]),
+                    CipherSuiteCmp);
+
+  if (!r)
+    return false;
+
+  const CipherSuite* cs = static_cast<const CipherSuite*>(r);
+
+  const int key_exchange = cs->encoded >> 8;
+  const int cipher = (cs->encoded >> 3) & 0x1f;
+  const int mac = cs->encoded & 0x7;
+
+  // Only allow forward secure key exchanges.
+  switch (key_exchange) {
+    case 10:  // DHE_RSA
+    case 14:  // ECDHE_ECDSA
+    case 16:  // ECDHE_RSA
+      break;
+    default:
+      return false;
+  }
+
+  switch (cipher) {
+    case 13:  // AES_128_GCM
+    case 14:  // AES_256_GCM
+    case 17:  // CHACHA20_POLY1305
+      break;
+    default:
+      return false;
+  }
+
+  // Only AEADs allowed.
+  if (mac != kAEADMACValue)
+    return false;
+
+  return true;
+}
+
 }  // namespace net
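Review bot: Accepting `case 10:  // DHE_RSA` in the key-exchange switch passes a DHE handshake regardless of the DH group size, which this function cannot see from the cipher suite value alone, so a server negotiating a 1024-bit group with an AEAD suite is still reported as secure even though the HTTP/2 TLS guidance the commit message cites constrains the ephemeral key size as well. If the DH parameter size is not validated elsewhere on the SPDY stream-job path, either drop DHE_RSA from the allowlist and keep only the ECDHE suites, or make the limitation explicit with a comment above the switch such as `// DHE_RSA is accepted on cipher-suite grounds only; the DH group size is not validated here.` The bare numeric `case` labels (10, 14, 16 and 13, 14, 17) appear to be positions in the name tables that the decoder elsewhere in this file indexes (not visible in this hunk), so reordering or inserting into those tables would silently change this policy; naming them (e.g. `kKeyExchangeDHE_RSA`) next to the tables, or adding a compile-time assertion tying each index to its expected table entry, would pin them. The trailing `mac != kAEADMACValue` check is redundant with the cipher allowlist, which only admits AEAD ciphers, but is reasonable as defense in depth against a mis-encoded table entry and could say so in its comment.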