OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ | 5 #ifndef NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ |
6 #define NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ | 6 #define NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ |
7 | 7 |
8 #include <stdint.h> | 8 #include <stdint.h> |
9 | 9 |
10 #include <string> | 10 #include <string> |
(...skipping 29 matching lines...) Expand all Loading... | |
40 // suites in this form will not return an error. | 40 // suites in this form will not return an error. |
41 // | 41 // |
42 // Returns true if the cipher suite was successfully parsed, storing the | 42 // Returns true if the cipher suite was successfully parsed, storing the |
43 // result in |cipher_suite|. | 43 // result in |cipher_suite|. |
44 // | 44 // |
45 // TODO(rsleevi): Support the full strings defined in the IANA TLS parameters | 45 // TODO(rsleevi): Support the full strings defined in the IANA TLS parameters |
46 // list. | 46 // list. |
47 NET_EXPORT bool ParseSSLCipherString(const std::string& cipher_string, | 47 NET_EXPORT bool ParseSSLCipherString(const std::string& cipher_string, |
48 uint16_t* cipher_suite); | 48 uint16_t* cipher_suite); |
49 | 49 |
50 // |cipher_suite| is the IANA id for the cipher suite. What a "secure" | 50 // Mask definitions for an integer that holds obsolete SSL setting details. |
51 // cipher suite is arbitrarily determined here. The intent is to indicate what | 51 // We use "obsolete" instead of "modern" (the complement) for each bit, |
52 // cipher suites meet modern security standards when backwards compatibility can | 52 // to make it very clear that any obsolete bit makes the whole mask obsolete. |
davidben
2016/04/19 17:47:01
I wouldn't bother with the second sentence.
lgarron
2016/04/25 23:56:54
Done.
| |
53 // be ignored. | 53 enum NET_EXPORT ObsoleteSSLMask { |
54 // Modern SSL | |
55 OBSOLETE_SSL_NONE = 0, | |
56 OBSOLETE_SSL_MASK_PROTOCOL = 1 << 0, | |
57 OBSOLETE_SSL_MASK_KEY_EXCHANGE = 1 << 1, | |
58 // |OBSOLETE_SSL_CIPHER_SUITE| indicates to obsolete cipher. | |
estark
2016/04/18 11:46:45
"to" -> "an", maybe? not sure what it's supposed t
lgarron
2016/04/25 23:56:54
This comment was more relevant before I added OBSO
| |
59 // Note that it does NOT indicate anything about the key exchange. | |
60 OBSOLETE_SSL_MASK_CIPHER = 1 << 2, | |
61 }; | |
62 | |
63 // Takes the given |connection_status| and returns a bitmask indicating which of | |
64 // the protocol, key exchange, and cipher suite do not meet modern best-practice | |
65 // security standards (when backwards compatibility can be ignored) - that is, | |
66 // which ones are "obsolete". | |
davidben
2016/04/19 17:47:01
Nit: no quotes (you already used it without quotes
lgarron
2016/04/25 23:56:54
Ack, but I've removed line 50, so I'll keep the qu
| |
54 // | 67 // |
55 // Currently, this function follows these criteria: | 68 // Currently, this function follows these criteria to determine what is |
56 // 1) Only uses ECDHE-based key exchanges authenticated by a certificate | 69 // obsolete: |
57 // 2) Only uses AEADs | 70 // |
58 NET_EXPORT bool IsSecureTLSCipherSuite(uint16_t cipher_suite); | 71 // - Protocol: less than TLS 1.2 |
72 // - Key exchange: Does not use ECDHE-based key exchanges authenticated by a | |
73 // certificate | |
74 // - Cipher: not an AEAD cipher | |
75 NET_EXPORT int ObsoleteSSLStatus(int connection_status); | |
76 | |
77 // A convenience function that performs the ObsoleteSSLStatus() checks on just | |
78 // the |cipher_suite| and returns true if either the key exchange of the cipher | |
estark
2016/04/18 11:46:44
"of the cipher" -> "or the cipher"
lgarron
2016/04/25 23:56:54
Good catch; function is now removed, though.
| |
79 // is obsolete. | |
80 NET_EXPORT bool IsObsoleteTLSCipherSuite(int cipher_suite); | |
davidben
2016/04/19 17:47:01
I realize I was the one who said you needed to add
lgarron
2016/04/25 23:56:54
I was struggling with what to call this. Since the
| |
59 | 81 |
60 // Returns true if |cipher_suite| is suitable for use with HTTP/2. See | 82 // Returns true if |cipher_suite| is suitable for use with HTTP/2. See |
61 // https://http2.github.io/http2-spec/#rfc.section.9.2.2. | 83 // https://http2.github.io/http2-spec/#rfc.section.9.2.2. |
62 NET_EXPORT bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite); | 84 NET_EXPORT bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite); |
63 | 85 |
64 // Returns the static curve name of |key_exchange_info| if the |cipher_suite| | 86 // Returns the static curve name of |key_exchange_info| if the |cipher_suite| |
65 // is an elliptic curve, and a name is known. Returns nullptr otherwise. | 87 // is an elliptic curve, and a name is known. Returns nullptr otherwise. |
66 // Only defined for OpenSSL, returns nullptr otherwise. | 88 // Only defined for OpenSSL, returns nullptr otherwise. |
67 NET_EXPORT const char* ECCurveName(uint16_t cipher_suite, | 89 NET_EXPORT const char* ECCurveName(uint16_t cipher_suite, |
68 int key_exchange_info); | 90 int key_exchange_info); |
69 | 91 |
70 } // namespace net | 92 } // namespace net |
71 | 93 |
72 #endif // NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ | 94 #endif // NET_SSL_SSL_CIPHER_SUITE_NAMES_H_ |
OLD | NEW |