xref: /aosp_15_r20/external/cronet/net/ssl/ssl_cipher_suite_names.h (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1 // Copyright 2011 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_SSL_SSL_CIPHER_SUITE_NAMES_H_
6 #define NET_SSL_SSL_CIPHER_SUITE_NAMES_H_
7 
8 #include <stdint.h>
9 
10 #include <string>
11 
12 #include "net/base/net_export.h"
13 
14 namespace net {
15 
16 // SSLCipherSuiteToStrings returns three strings for a given cipher suite
17 // number, the name of the key exchange algorithm, the name of the cipher and
18 // the name of the MAC. The cipher suite number is the number as sent on the
19 // wire and recorded at
20 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
21 // If the cipher suite is unknown, the strings are set to "???".
22 // In the case of an AEAD cipher suite, *mac_str is nullptr and *is_aead is
23 // true.
24 // In the case of a TLS 1.3 AEAD-only cipher suite, *key_exchange_str is nullptr
25 // and *is_tls13 is true.
26 NET_EXPORT void SSLCipherSuiteToStrings(const char** key_exchange_str,
27                                         const char** cipher_str,
28                                         const char** mac_str,
29                                         bool* is_aead,
30                                         bool* is_tls13,
31                                         uint16_t cipher_suite);
32 
33 // SSLVersionToString returns the name of the SSL protocol version
34 // specified by |ssl_version|, which is defined in
35 // net/ssl/ssl_connection_status_flags.h.
36 // If the version is unknown, |name| is set to "???".
37 NET_EXPORT void SSLVersionToString(const char** name, int ssl_version);
38 
39 // Parses a string literal that represents a SSL/TLS cipher suite.
40 //
41 // Supported literal forms:
42 //   0xAABB, where AA is cipher_suite[0] and BB is cipher_suite[1], as
43 //     defined in RFC 2246, Section 7.4.1.2. Unrecognized but parsable cipher
44 //     suites in this form will not return an error.
45 //
46 // Returns true if the cipher suite was successfully parsed, storing the
47 // result in |cipher_suite|.
48 //
49 // TODO(rsleevi): Support the full strings defined in the IANA TLS parameters
50 // list.
51 NET_EXPORT bool ParseSSLCipherString(const std::string& cipher_string,
52                                      uint16_t* cipher_suite);
53 
54 // Mask definitions for an integer that holds obsolete SSL setting details.
55 enum ObsoleteSSLMask {
56   OBSOLETE_SSL_NONE = 0,  // Modern SSL
57   OBSOLETE_SSL_MASK_PROTOCOL = 1 << 0,
58   OBSOLETE_SSL_MASK_KEY_EXCHANGE = 1 << 1,
59   OBSOLETE_SSL_MASK_CIPHER = 1 << 2,
60   OBSOLETE_SSL_MASK_SIGNATURE = 1 << 3,
61 };
62 
63 // Takes the given |connection_status| and |signature_algorithm| and returns a
64 // bitmask indicating which settings do not meet modern best-practice security
65 // standards - that is, which ones are "obsolete".
66 //
67 // Currently, this function uses the following criteria to determine what is
68 // obsolete:
69 //
70 // - Protocol: less than TLS 1.2
71 // - Key exchange: Does not use ECDHE-based key exchanges authenticated by a
72 //   certificate
73 // - Cipher: not an AEAD cipher
74 // - Signature algorithm: MD5 or SHA-1
75 NET_EXPORT int ObsoleteSSLStatus(int connection_status,
76                                  uint16_t signature_algorithm);
77 
78 // Returns true if |cipher_suite| is suitable for use with HTTP/2. See
79 // https://http2.github.io/http2-spec/#rfc.section.9.2.2.
80 NET_EXPORT bool IsTLSCipherSuiteAllowedByHTTP2(uint16_t cipher_suite);
81 
82 }  // namespace net
83 
84 #endif  // NET_SSL_SSL_CIPHER_SUITE_NAMES_H_
85