1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ | 5 #ifndef NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ |
6 #define NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ | 6 #define NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ |
7 | 7 |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include <string> | 10 #include <string> |
40 // suites in this form will not return an error. | 40 // suites in this form will not return an error. |
41 // | 41 // |
42 // Returns true if the cipher suite was successfully parsed, storing the | 42 // Returns true if the cipher suite was successfully parsed, storing the |
43 // result in |cipher_suite|. | 43 // result in |cipher_suite|. |
44 // | 44 // |
45 // TODO(rsleevi): Support the full strings defined in the IANA TLS parameters | 45 // TODO(rsleevi): Support the full strings defined in the IANA TLS parameters |
46 // list. | 46 // list. |
47 NET_EXPORT bool ParseSSLCipherString(const std::string& cipher_string, | 47 NET_EXPORT bool ParseSSLCipherString(const std::string& cipher_string, |
48 uint16_t* cipher_suite); | 48 uint16_t* cipher_suite); |
49 | 49 |
50 // |cipher_suite| is the IANA id for the cipher suite. What a "secure" | 50 // Mask definitions for an integer that holds obsolete SSL setting details. |
51 // cipher suite is arbitrarily determined here. The intent is to indicate what | 51 enum ObsoleteSSLMask { |
52 // cipher suites meet modern security standards when backwards compatibility can | 52 OBSOLETE_SSL_NONE = 0, // Modern SSL |
53 // be ignored. | 53 OBSOLETE_SSL_MASK_PROTOCOL = 1 << 0, |
| 54 OBSOLETE_SSL_MASK_KEY_EXCHANGE = 1 << 1, |
| 55 OBSOLETE_SSL_MASK_CIPHER = 1 << 2, |
| 56 }; |
| 57 |
| 58 // Takes the given |connection_status| and returns a bitmask indicating which of |
| 59 // the protocol, key exchange, and cipher suite do not meet modern best-practice |
| 60 // security standards (when backwards compatibility can be ignored) - that is, |
| 61 // which ones are "obsolete". |
54 // | 62 // |
55 // Currently, this function follows these criteria: | 63 // Currently, this function uses the following criteria to determine what is |
56 // 1) Only uses ECDHE-based key exchanges authenticated by a certificate | 64 // obsolete: |
57 // 2) Only uses AEADs | 65 // |
58 NET_EXPORT bool IsSecureTLSCipherSuite(uint16_t cipher_suite); | 66 // - Protocol: less than TLS 1.2 |
| 67 // - Key exchange: Does not use ECDHE-based key exchanges authenticated by a |
| 68 // certificate |
| 69 // - Cipher: not an AEAD cipher |
| 70 NET_EXPORT int ObsoleteSSLStatus(int connection_status); |
59 | 71 |
60 // Returns true if |cipher_suite| is suitable for use with HTTP/2. See | 72 // Returns true if |cipher_suite| is suitable for use with HTTP/2. See |
61 // https://http2.github.io/http2-spec/#rfc.section.9.2.2. | 73 // https://http2.github.io/http2-spec/#rfc.section.9.2.2. |
62 NET_EXPORT bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite); | 74 NET_EXPORT bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite); |
63 | 75 |
64 // Returns the static curve name of |key_exchange_info| if the |cipher_suite| | 76 // Returns the static curve name of |key_exchange_info| if the |cipher_suite| |
65 // is an elliptic curve, and a name is known. Returns nullptr otherwise. | 77 // is an elliptic curve, and a name is known. Returns nullptr otherwise. |
66 // Only defined for OpenSSL, returns nullptr otherwise. | 78 // Only defined for OpenSSL, returns nullptr otherwise. |
67 NET_EXPORT const char* ECCurveName(uint16_t cipher_suite, | 79 NET_EXPORT const char* ECCurveName(uint16_t cipher_suite, |
68 int key_exchange_info); | 80 int key_exchange_info); |
69 | 81 |
70 } // namespace net | 82 } // namespace net |
71 | 83 |
72 #endif // NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ | 84 #endif // NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ |
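Review bot: The comment on the new `ObsoleteSSLStatus` declaration (new lines 58-70) states the criteria but not what `connection_status` is or how the return value relates to `ObsoleteSSLMask`, so a reader of the header cannot tell whether to pass a cipher suite id, as the removed `IsSecureTLSCipherSuite` took, or a packed connection-status word. I would add above the declaration: `// |connection_status| is the packed SSL connection status (protocol version and cipher suite id); the result is a bitwise OR of ObsoleteSSLMask values, OBSOLETE_SSL_NONE when nothing is obsolete.` — the packed-status reading is inferred from the parameter name and should be confirmed against the definition in the .cc. The header is also silent on how a cipher suite id the implementation cannot decode is classified; since callers presumably use this to decide whether to surface a security warning, the fail-closed choice of reporting an unrecognized suite as obsolete is worth stating explicitly, e.g. `// Unrecognized cipher suites are reported as obsolete.`, if that is what the implementation does.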