1// Copyright (c) 2011 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_SSL_SSL_CIPHER_SUITE_NAMES_H_
6#define NET_SSL_SSL_CIPHER_SUITE_NAMES_H_
7
8#include <string>
9
10#include "base/basictypes.h"
11#include "net/base/net_export.h"
12
13namespace net {
14
15// SSLCipherSuiteToStrings returns three strings for a given cipher suite
16// number, the name of the key exchange algorithm, the name of the cipher and
17// the name of the MAC. The cipher suite number is the number as sent on the
18// wire and recorded at
19// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
20// If the cipher suite is unknown, the strings are set to "???".
21// In the case of an AEAD cipher suite, *mac_str is NULL and *is_aead is true.
22NET_EXPORT void SSLCipherSuiteToStrings(const char** key_exchange_str,
23                                        const char** cipher_str,
24                                        const char** mac_str,
25                                        bool* is_aead,
26                                        uint16 cipher_suite);
27
28// SSLVersionToString returns the name of the SSL protocol version
29// specified by |ssl_version|, which is defined in
30// net/ssl/ssl_connection_status_flags.h.
31// If the version is unknown, |name| is set to "???".
32NET_EXPORT void SSLVersionToString(const char** name, int ssl_version);
33
34// Parses a string literal that represents a SSL/TLS cipher suite.
35//
36// Supported literal forms:
37//   0xAABB, where AA is cipher_suite[0] and BB is cipher_suite[1], as
38//     defined in RFC 2246, Section 7.4.1.2. Unrecognized but parsable cipher
39//     suites in this form will not return an error.
40//
41// Returns true if the cipher suite was successfully parsed, storing the
42// result in |cipher_suite|.
43//
44// TODO(rsleevi): Support the full strings defined in the IANA TLS parameters
45// list.
46NET_EXPORT bool ParseSSLCipherString(const std::string& cipher_string,
47                                     uint16* cipher_suite);
48
49// |cipher_suite| is the IANA id for the cipher suite. What a "secure"
50// cipher suite is arbitrarily determined here. The intent is to indicate what
51// cipher suites meet modern security standards when backwards compatibility can
52// be ignored. Notably, HTTP/2 requires/encourages this sort of validation of
53// cipher suites: https://http2.github.io/http2-spec/#TLSUsage.
54//
55// Currently, this function follows these criteria:
56// 1) Only uses forward secure key exchanges
57// 2) Only uses AEADs
58NET_EXPORT_PRIVATE bool IsSecureTLSCipherSuite(uint16 cipher_suite);
59
60}  // namespace net
61
62#endif  // NET_SSL_SSL_CIPHER_SUITE_NAMES_H_
63