OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 #include "chrome/browser/net/ssl_config_service_manager.h" | 4 #include "chrome/browser/net/ssl_config_service_manager.h" |
5 | 5 |
6 #include <algorithm> | 6 #include <algorithm> |
7 #include <string> | 7 #include <string> |
8 #include <vector> | 8 #include <vector> |
9 | 9 |
10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
11 #include "base/bind.h" | 11 #include "base/bind.h" |
12 #include "chrome/browser/prefs/pref_change_registrar.h" | 12 #include "chrome/browser/prefs/pref_change_registrar.h" |
13 #include "chrome/browser/prefs/pref_member.h" | 13 #include "chrome/browser/prefs/pref_member.h" |
14 #include "chrome/browser/prefs/pref_service.h" | 14 #include "chrome/browser/prefs/pref_service.h" |
15 #include "chrome/common/chrome_notification_types.h" | 15 #include "chrome/common/chrome_notification_types.h" |
16 #include "chrome/common/pref_names.h" | 16 #include "chrome/common/pref_names.h" |
17 #include "content/public/browser/browser_thread.h" | 17 #include "content/public/browser/browser_thread.h" |
18 #include "content/public/browser/notification_details.h" | 18 #include "content/public/browser/notification_details.h" |
19 #include "content/public/browser/notification_source.h" | 19 #include "content/public/browser/notification_source.h" |
20 #include "net/base/ssl_cipher_suite_names.h" | 20 #include "net/base/ssl_cipher_suite_names.h" |
21 #include "net/base/ssl_config_service.h" | 21 #include "net/base/ssl_config_service.h" |
22 | 22 |
23 #if !defined(USE_OPENSSL) | |
24 #include <pkcs11t.h> | |
25 #endif | |
26 | |
27 #if !defined(USE_OPENSSL) | |
Ryan Sleevi
2012/07/04 01:36:33
nit: Combine these two blocks into one #if, with a
| |
28 #include "crypto/ec_private_key.h" | |
29 #include "crypto/nss_util.h" | |
30 #include "crypto/scoped_nss_types.h" | |
31 #endif | |
32 | |
23 using content::BrowserThread; | 33 using content::BrowserThread; |
24 | 34 |
25 namespace { | 35 namespace { |
26 | 36 |
27 // Converts a ListValue of StringValues into a vector of strings. Any Values | 37 // Converts a ListValue of StringValues into a vector of strings. Any Values |
28 // which cannot be converted will be skipped. | 38 // which cannot be converted will be skipped. |
29 std::vector<std::string> ListValueToStringVector(const ListValue* value) { | 39 std::vector<std::string> ListValueToStringVector(const ListValue* value) { |
30 std::vector<std::string> results; | 40 std::vector<std::string> results; |
31 results.reserve(value->GetSize()); | 41 results.reserve(value->GetSize()); |
32 std::string s; | 42 std::string s; |
(...skipping 140 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
173 // The prefs (should only be accessed from UI thread) | 183 // The prefs (should only be accessed from UI thread) |
174 BooleanPrefMember rev_checking_enabled_; | 184 BooleanPrefMember rev_checking_enabled_; |
175 StringPrefMember ssl_version_min_; | 185 StringPrefMember ssl_version_min_; |
176 StringPrefMember ssl_version_max_; | 186 StringPrefMember ssl_version_max_; |
177 BooleanPrefMember channel_id_enabled_; | 187 BooleanPrefMember channel_id_enabled_; |
178 BooleanPrefMember ssl_record_splitting_disabled_; | 188 BooleanPrefMember ssl_record_splitting_disabled_; |
179 | 189 |
180 // The cached list of disabled SSL cipher suites. | 190 // The cached list of disabled SSL cipher suites. |
181 std::vector<uint16> disabled_cipher_suites_; | 191 std::vector<uint16> disabled_cipher_suites_; |
182 | 192 |
193 // Whether channel ID is supported by the system. | |
194 bool channel_id_supported_; | |
195 | |
183 scoped_refptr<SSLConfigServicePref> ssl_config_service_; | 196 scoped_refptr<SSLConfigServicePref> ssl_config_service_; |
184 | 197 |
185 DISALLOW_COPY_AND_ASSIGN(SSLConfigServiceManagerPref); | 198 DISALLOW_COPY_AND_ASSIGN(SSLConfigServiceManagerPref); |
186 }; | 199 }; |
187 | 200 |
188 SSLConfigServiceManagerPref::SSLConfigServiceManagerPref( | 201 SSLConfigServiceManagerPref::SSLConfigServiceManagerPref( |
189 PrefService* local_state) | 202 PrefService* local_state) |
190 : ssl_config_service_(new SSLConfigServicePref()) { | 203 : channel_id_supported_(false), |
204 ssl_config_service_(new SSLConfigServicePref()) { | |
191 DCHECK(local_state); | 205 DCHECK(local_state); |
192 | 206 |
207 #if !defined(USE_OPENSSL) | |
208 // TODO(mattm): we can do this check here only because we use the NSS internal | |
209 // slot. If we support other slots in the future, checking whether they | |
210 // support ECDSA may block NSS, and thus this check would have to be moved to | |
211 // the NSS task runner. If we support arbitrary slots, the value may also | |
Ryan Sleevi
2012/07/04 01:36:33
The comment about "the NSS task runner" is probabl
| |
212 // change as devices are inserted/removed, so we would need to re-check on | |
213 // every connection. | |
214 crypto::EnsureNSSInit(); | |
215 crypto::ScopedPK11Slot slot(crypto::ECPrivateKey::GetKeySlot()); | |
216 channel_id_supported_ = PK11_DoesMechanism(slot.get(), CKM_EC_KEY_PAIR_GEN) && | |
217 PK11_DoesMechanism(slot.get(), CKM_ECDSA); | |
218 if (!channel_id_supported_) | |
219 DVLOG(1) << "Elliptic Curve not supported, not enabling channel ID."; | |
220 #endif | |
221 | |
193 rev_checking_enabled_.Init(prefs::kCertRevocationCheckingEnabled, | 222 rev_checking_enabled_.Init(prefs::kCertRevocationCheckingEnabled, |
194 local_state, this); | 223 local_state, this); |
195 ssl_version_min_.Init(prefs::kSSLVersionMin, local_state, this); | 224 ssl_version_min_.Init(prefs::kSSLVersionMin, local_state, this); |
196 ssl_version_max_.Init(prefs::kSSLVersionMax, local_state, this); | 225 ssl_version_max_.Init(prefs::kSSLVersionMax, local_state, this); |
197 channel_id_enabled_.Init(prefs::kEnableOriginBoundCerts, local_state, this); | 226 channel_id_enabled_.Init(prefs::kEnableOriginBoundCerts, local_state, this); |
198 ssl_record_splitting_disabled_.Init(prefs::kDisableSSLRecordSplitting, | 227 ssl_record_splitting_disabled_.Init(prefs::kDisableSSLRecordSplitting, |
199 local_state, this); | 228 local_state, this); |
200 pref_change_registrar_.Init(local_state); | 229 pref_change_registrar_.Init(local_state); |
201 pref_change_registrar_.Add(prefs::kCipherSuiteBlacklist, this); | 230 pref_change_registrar_.Add(prefs::kCipherSuiteBlacklist, this); |
202 | 231 |
(...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
272 uint16 supported_version_min = config->version_min; | 301 uint16 supported_version_min = config->version_min; |
273 config->version_min = std::max(supported_version_min, version_min); | 302 config->version_min = std::max(supported_version_min, version_min); |
274 } | 303 } |
275 if (version_max) { | 304 if (version_max) { |
276 // TODO(wtc): get the maximum SSL protocol version supported by the | 305 // TODO(wtc): get the maximum SSL protocol version supported by the |
277 // SSLClientSocket class. | 306 // SSLClientSocket class. |
278 uint16 supported_version_max = config->version_max; | 307 uint16 supported_version_max = config->version_max; |
279 config->version_max = std::min(supported_version_max, version_max); | 308 config->version_max = std::min(supported_version_max, version_max); |
280 } | 309 } |
281 config->disabled_cipher_suites = disabled_cipher_suites_; | 310 config->disabled_cipher_suites = disabled_cipher_suites_; |
282 config->channel_id_enabled = channel_id_enabled_.GetValue(); | 311 config->channel_id_enabled = channel_id_supported_ && |
312 channel_id_enabled_.GetValue(); | |
283 // disabling False Start also happens to disable record splitting. | 313 // disabling False Start also happens to disable record splitting. |
284 config->false_start_enabled = !ssl_record_splitting_disabled_.GetValue(); | 314 config->false_start_enabled = !ssl_record_splitting_disabled_.GetValue(); |
285 SSLConfigServicePref::SetSSLConfigFlags(config); | 315 SSLConfigServicePref::SetSSLConfigFlags(config); |
286 } | 316 } |
287 | 317 |
288 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange( | 318 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange( |
289 PrefService* prefs) { | 319 PrefService* prefs) { |
290 const ListValue* value = prefs->GetList(prefs::kCipherSuiteBlacklist); | 320 const ListValue* value = prefs->GetList(prefs::kCipherSuiteBlacklist); |
291 disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value)); | 321 disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value)); |
292 } | 322 } |
293 | 323 |
294 //////////////////////////////////////////////////////////////////////////////// | 324 //////////////////////////////////////////////////////////////////////////////// |
295 // SSLConfigServiceManager | 325 // SSLConfigServiceManager |
296 | 326 |
297 // static | 327 // static |
298 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager( | 328 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager( |
299 PrefService* local_state) { | 329 PrefService* local_state) { |
300 return new SSLConfigServiceManagerPref(local_state); | 330 return new SSLConfigServiceManagerPref(local_state); |
301 } | 331 } |
302 | 332 |
303 // static | 333 // static |
304 void SSLConfigServiceManager::RegisterPrefs(PrefService* prefs) { | 334 void SSLConfigServiceManager::RegisterPrefs(PrefService* prefs) { |
305 SSLConfigServiceManagerPref::RegisterPrefs(prefs); | 335 SSLConfigServiceManagerPref::RegisterPrefs(prefs); |
306 } | 336 } |
OLD | NEW |