mirror of
https://github.com/klzgrad/naiveproxy.git
synced 2024-12-01 01:36:09 +03:00
181 lines
4.7 KiB
C++
181 lines
4.7 KiB
C++
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#include "net/ssl/ssl_cipher_suite_names.h"
|
|
|
|
#include "base/logging.h"
|
|
#include "base/strings/string_number_conversions.h"
|
|
#include "base/strings/string_util.h"
|
|
#include "net/ssl/ssl_connection_status_flags.h"
|
|
#include "third_party/boringssl/src/include/openssl/ssl.h"
|
|
|
|
namespace net {
|
|
|
|
namespace {
|
|
|
|
int ObsoleteSSLStatusForProtocol(int ssl_version) {
|
|
int obsolete_ssl = OBSOLETE_SSL_NONE;
|
|
if (ssl_version < SSL_CONNECTION_VERSION_TLS1_2)
|
|
obsolete_ssl |= OBSOLETE_SSL_MASK_PROTOCOL;
|
|
return obsolete_ssl;
|
|
}
|
|
|
|
int ObsoleteSSLStatusForCipherSuite(uint16_t cipher_suite) {
|
|
int obsolete_ssl = OBSOLETE_SSL_NONE;
|
|
|
|
const SSL_CIPHER* cipher = SSL_get_cipher_by_value(cipher_suite);
|
|
if (!cipher) {
|
|
// Cannot determine/unknown cipher suite. Err on the side of caution.
|
|
obsolete_ssl |= OBSOLETE_SSL_MASK_KEY_EXCHANGE;
|
|
obsolete_ssl |= OBSOLETE_SSL_MASK_CIPHER;
|
|
return obsolete_ssl;
|
|
}
|
|
|
|
if (SSL_CIPHER_get_kx_nid(cipher) == NID_kx_rsa) {
|
|
obsolete_ssl |= OBSOLETE_SSL_MASK_KEY_EXCHANGE;
|
|
}
|
|
|
|
if (!SSL_CIPHER_is_aead(cipher)) {
|
|
obsolete_ssl |= OBSOLETE_SSL_MASK_CIPHER;
|
|
}
|
|
|
|
return obsolete_ssl;
|
|
}
|
|
|
|
} // namespace
|
|
|
|
void SSLCipherSuiteToStrings(const char** key_exchange_str,
|
|
const char** cipher_str,
|
|
const char** mac_str,
|
|
bool* is_aead,
|
|
bool* is_tls13,
|
|
uint16_t cipher_suite) {
|
|
*key_exchange_str = *cipher_str = *mac_str = "???";
|
|
*is_aead = false;
|
|
*is_tls13 = false;
|
|
|
|
const SSL_CIPHER* cipher = SSL_get_cipher_by_value(cipher_suite);
|
|
if (!cipher)
|
|
return;
|
|
|
|
switch (SSL_CIPHER_get_kx_nid(cipher)) {
|
|
case NID_kx_any:
|
|
*key_exchange_str = nullptr;
|
|
*is_tls13 = true;
|
|
break;
|
|
case NID_kx_rsa:
|
|
*key_exchange_str = "RSA";
|
|
break;
|
|
case NID_kx_ecdhe:
|
|
switch (SSL_CIPHER_get_auth_nid(cipher)) {
|
|
case NID_auth_rsa:
|
|
*key_exchange_str = "ECDHE_RSA";
|
|
break;
|
|
case NID_auth_ecdsa:
|
|
*key_exchange_str = "ECDHE_ECDSA";
|
|
break;
|
|
}
|
|
break;
|
|
}
|
|
|
|
switch (SSL_CIPHER_get_cipher_nid(cipher)) {
|
|
case NID_aes_128_gcm:
|
|
*cipher_str = "AES_128_GCM";
|
|
break;
|
|
case NID_aes_256_gcm:
|
|
*cipher_str = "AES_256_GCM";
|
|
break;
|
|
case NID_chacha20_poly1305:
|
|
*cipher_str = "CHACHA20_POLY1305";
|
|
break;
|
|
case NID_aes_128_cbc:
|
|
*cipher_str = "AES_128_CBC";
|
|
break;
|
|
case NID_aes_256_cbc:
|
|
*cipher_str = "AES_256_CBC";
|
|
break;
|
|
case NID_des_ede3_cbc:
|
|
*cipher_str = "3DES_EDE_CBC";
|
|
break;
|
|
}
|
|
|
|
if (SSL_CIPHER_is_aead(cipher)) {
|
|
*is_aead = true;
|
|
*mac_str = nullptr;
|
|
} else {
|
|
switch (SSL_CIPHER_get_digest_nid(cipher)) {
|
|
case NID_sha1:
|
|
*mac_str = "HMAC-SHA1";
|
|
break;
|
|
case NID_sha256:
|
|
*mac_str = "HMAC-SHA256";
|
|
break;
|
|
case NID_sha384:
|
|
*mac_str = "HMAC-SHA384";
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
void SSLVersionToString(const char** name, int ssl_version) {
|
|
switch (ssl_version) {
|
|
case SSL_CONNECTION_VERSION_SSL2:
|
|
*name = "SSL 2.0";
|
|
break;
|
|
case SSL_CONNECTION_VERSION_SSL3:
|
|
*name = "SSL 3.0";
|
|
break;
|
|
case SSL_CONNECTION_VERSION_TLS1:
|
|
*name = "TLS 1.0";
|
|
break;
|
|
case SSL_CONNECTION_VERSION_TLS1_1:
|
|
*name = "TLS 1.1";
|
|
break;
|
|
case SSL_CONNECTION_VERSION_TLS1_2:
|
|
*name = "TLS 1.2";
|
|
break;
|
|
case SSL_CONNECTION_VERSION_TLS1_3:
|
|
*name = "TLS 1.3";
|
|
break;
|
|
case SSL_CONNECTION_VERSION_QUIC:
|
|
*name = "QUIC";
|
|
break;
|
|
default:
|
|
NOTREACHED() << ssl_version;
|
|
*name = "???";
|
|
break;
|
|
}
|
|
}
|
|
|
|
bool ParseSSLCipherString(const std::string& cipher_string,
|
|
uint16_t* cipher_suite) {
|
|
int value = 0;
|
|
if (cipher_string.size() == 6 &&
|
|
base::StartsWith(cipher_string, "0x",
|
|
base::CompareCase::INSENSITIVE_ASCII) &&
|
|
base::HexStringToInt(cipher_string, &value)) {
|
|
*cipher_suite = static_cast<uint16_t>(value);
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
int ObsoleteSSLStatus(int connection_status) {
|
|
int obsolete_ssl = OBSOLETE_SSL_NONE;
|
|
|
|
int ssl_version = SSLConnectionStatusToVersion(connection_status);
|
|
obsolete_ssl |= ObsoleteSSLStatusForProtocol(ssl_version);
|
|
|
|
uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(connection_status);
|
|
obsolete_ssl |= ObsoleteSSLStatusForCipherSuite(cipher_suite);
|
|
|
|
return obsolete_ssl;
|
|
}
|
|
|
|
bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite) {
|
|
return ObsoleteSSLStatusForCipherSuite(cipher_suite) == OBSOLETE_SSL_NONE;
|
|
}
|
|
|
|
} // namespace net
|