Index: net/ssl/ssl_cipher_suite_names.h |
diff --git a/net/ssl/ssl_cipher_suite_names.h b/net/ssl/ssl_cipher_suite_names.h |
index 4651eb188a790bcc6d7e9c92175efc465fff6d55..cabe16b42ac1e04dded0e01ec5c1a123a44f42be 100644 |
--- a/net/ssl/ssl_cipher_suite_names.h |
+++ b/net/ssl/ssl_cipher_suite_names.h |
@@ -47,15 +47,37 @@ NET_EXPORT void SSLVersionToString(const char** name, int ssl_version); |
NET_EXPORT bool ParseSSLCipherString(const std::string& cipher_string, |
uint16_t* cipher_suite); |
-// |cipher_suite| is the IANA id for the cipher suite. What a "secure" |
-// cipher suite is arbitrarily determined here. The intent is to indicate what |
-// cipher suites meet modern security standards when backwards compatibility can |
-// be ignored. |
+// Mask definitions for an integer that holds obsolete SSL setting details. |
+// We use "obsolete" instead of "modern" (the complement) for each bit, |
+// to make it very clear that any obsolete bit makes the whole mask obsolete. |
davidben
2016/04/19 17:47:01
I wouldn't bother with the second sentence.
lgarron
2016/04/25 23:56:54
Done.
+enum NET_EXPORT ObsoleteSSLMask { |
+ // Modern SSL |
+ OBSOLETE_SSL_NONE = 0, |
+ OBSOLETE_SSL_MASK_PROTOCOL = 1 << 0, |
+ OBSOLETE_SSL_MASK_KEY_EXCHANGE = 1 << 1, |
+ // |OBSOLETE_SSL_CIPHER_SUITE| indicates to obsolete cipher. |
estark
2016/04/18 11:46:45
"to" -> "an", maybe? not sure what it's supposed t
lgarron
2016/04/25 23:56:54
This comment was more relevant before I added OBSO
+ // Note that it does NOT indicate anything about the key exchange. |
+ OBSOLETE_SSL_MASK_CIPHER = 1 << 2, |
+}; |
+ |
+// Takes the given |connection_status| and returns a bitmask indicating which of |
+// the protocol, key exchange, and cipher suite do not meet modern best-practice |
+// security standards (when backwards compatibility can be ignored) - that is, |
+// which ones are "obsolete". |
davidben
2016/04/19 17:47:01
Nit: no quotes (you already used it without quotes
lgarron
2016/04/25 23:56:54
Ack, but I've removed line 50, so I'll keep the qu
+// |
+// Currently, this function follows these criteria to determine what is |
+// obsolete: |
// |
-// Currently, this function follows these criteria: |
-// 1) Only uses ECDHE-based key exchanges authenticated by a certificate |
-// 2) Only uses AEADs |
-NET_EXPORT bool IsSecureTLSCipherSuite(uint16_t cipher_suite); |
+// - Protocol: less than TLS 1.2 |
+// - Key exchange: Does not use ECDHE-based key exchanges authenticated by a |
+// certificate |
+// - Cipher: not an AEAD cipher |
+NET_EXPORT int ObsoleteSSLStatus(int connection_status); |
+ |
+// A convenience function that performs the ObsoleteSSLStatus() checks on just |
+// the |cipher_suite| and returns true if either the key exchange of the cipher |
estark
2016/04/18 11:46:44
"of the cipher" -> "or the cipher"
lgarron
2016/04/25 23:56:54
Good catch; function is now removed, though.
+// is obsolete. |
+NET_EXPORT bool IsObsoleteTLSCipherSuite(int cipher_suite); |
davidben
2016/04/19 17:47:01
I realize I was the one who said you needed to add
lgarron
2016/04/25 23:56:54
I was struggling with what to call this. Since the
// Returns true if |cipher_suite| is suitable for use with HTTP/2. See |
// https://http2.github.io/http2-spec/#rfc.section.9.2.2. |