| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H_ | |
| 6 #define NET_BASE_SSL_CONFIG_SERVICE_H_ | |
| 7 | |
| 8 #include <vector> | |
| 9 | |
| 10 #include "base/basictypes.h" | |
| 11 #include "base/memory/ref_counted.h" | |
| 12 #include "base/observer_list.h" | |
| 13 #include "base/string_piece.h" | |
| 14 #include "net/base/cert_status_flags.h" | |
| 15 #include "net/base/crl_set.h" | |
| 16 #include "net/base/net_export.h" | |
| 17 #include "net/base/x509_certificate.h" | |
| 18 | |
| 19 namespace net { | |
| 20 | |
| 21 // Various TLS/SSL ProtocolVersion values encoded as uint16 | |
| 22 // struct { | |
| 23 // uint8 major; | |
| 24 // uint8 minor; | |
| 25 // } ProtocolVersion; | |
| 26 // The most significant byte is |major|, and the least significant byte | |
| 27 // is |minor|. | |
| 28 enum { | |
| 29 SSL_PROTOCOL_VERSION_SSL3 = 0x0300, | |
| 30 SSL_PROTOCOL_VERSION_TLS1 = 0x0301, | |
| 31 SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302, | |
| 32 SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303, | |
| 33 }; | |
| 34 | |
| 35 // A collection of SSL-related configuration settings. | |
| 36 struct NET_EXPORT SSLConfig { | |
| 37 // Default to revocation checking. | |
| 38 // Default to SSL 3.0 ~ default_version_max() on. | |
| 39 SSLConfig(); | |
| 40 ~SSLConfig(); | |
| 41 | |
| 42 // Returns true if |cert| is one of the certs in |allowed_bad_certs|. | |
| 43 // The expected cert status is written to |cert_status|. |*cert_status| can | |
| 44 // be NULL if user doesn't care about the cert status. | |
| 45 bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const; | |
| 46 | |
| 47 // Same as above except works with DER encoded certificates instead | |
| 48 // of X509Certificate. | |
| 49 bool IsAllowedBadCert(const base::StringPiece& der_cert, | |
| 50 CertStatus* cert_status) const; | |
| 51 | |
| 52 // rev_checking_enabled is true if online certificate revocation checking is | |
| 53 // enabled (i.e. OCSP and CRL fetching). | |
| 54 // | |
| 55 // Regardless of this flag, CRLSet checking is always enabled and locally | |
| 56 // cached revocation information will be considered. | |
| 57 bool rev_checking_enabled; | |
| 58 | |
| 59 // The minimum and maximum protocol versions that are enabled. | |
| 60 // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on. | |
| 61 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.) | |
| 62 // SSL 2.0 is not supported. If version_max < version_min, it means no | |
| 63 // protocol versions are enabled. | |
| 64 uint16 version_min; | |
| 65 uint16 version_max; | |
| 66 | |
| 67 // Presorted list of cipher suites which should be explicitly prevented from | |
| 68 // being used in addition to those disabled by the net built-in policy. | |
| 69 // | |
| 70 // By default, all cipher suites supported by the underlying SSL | |
| 71 // implementation will be enabled except for: | |
| 72 // - Null encryption cipher suites. | |
| 73 // - Weak cipher suites: < 80 bits of security strength. | |
| 74 // - FORTEZZA cipher suites (obsolete). | |
| 75 // - IDEA cipher suites (RFC 5469 explains why). | |
| 76 // - Anonymous cipher suites. | |
| 77 // - ECDSA cipher suites on platforms that do not support ECDSA signed | |
| 78 // certificates, as servers may use the presence of such ciphersuites as a | |
| 79 // hint to send an ECDSA certificate. | |
| 80 // The ciphers listed in |disabled_cipher_suites| will be removed in addition | |
| 81 // to the above list. | |
| 82 // | |
| 83 // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in | |
| 84 // big-endian form, they should be declared in host byte order, with the | |
| 85 // first uint8 occupying the most significant byte. | |
| 86 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to | |
| 87 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. | |
| 88 std::vector<uint16> disabled_cipher_suites; | |
| 89 | |
| 90 bool cached_info_enabled; // True if TLS cached info extension is enabled. | |
| 91 bool channel_id_enabled; // True if TLS channel ID extension is enabled. | |
| 92 bool false_start_enabled; // True if we'll use TLS False Start. | |
| 93 | |
| 94 // TODO(wtc): move the following members to a new SSLParams structure. They | |
| 95 // are not SSL configuration settings. | |
| 96 | |
| 97 struct NET_EXPORT CertAndStatus { | |
| 98 CertAndStatus(); | |
| 99 ~CertAndStatus(); | |
| 100 | |
| 101 std::string der_cert; | |
| 102 CertStatus cert_status; | |
| 103 }; | |
| 104 | |
| 105 // Add any known-bad SSL certificate (with its cert status) to | |
| 106 // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when | |
| 107 // calling SSLClientSocket::Connect. This would normally be done in | |
| 108 // response to the user explicitly accepting the bad certificate. | |
| 109 std::vector<CertAndStatus> allowed_bad_certs; | |
| 110 | |
| 111 // True if we should send client_cert to the server. | |
| 112 bool send_client_cert; | |
| 113 | |
| 114 bool verify_ev_cert; // True if we should verify the certificate for EV. | |
| 115 | |
| 116 bool version_fallback; // True if we are falling back to an older protocol | |
| 117 // version (one still needs to decrement | |
| 118 // version_max). | |
| 119 | |
| 120 // If cert_io_enabled is false, then certificate verification will not | |
| 121 // result in additional HTTP requests. (For example: to fetch missing | |
| 122 // intermediates or to perform OCSP/CRL fetches.) It also implies that online | |
| 123 // revocation checking is disabled. | |
| 124 // NOTE: currently only effective on Linux | |
| 125 bool cert_io_enabled; | |
| 126 | |
| 127 // The list of application level protocols supported. If set, this will | |
| 128 // enable Next Protocol Negotiation (if supported). The order of the | |
| 129 // protocols doesn't matter expect for one case: if the server supports Next | |
| 130 // Protocol Negotiation, but there is no overlap between the server's and | |
| 131 // client's protocol sets, then the first protocol in this list will be | |
| 132 // requested by the client. | |
| 133 std::vector<std::string> next_protos; | |
| 134 | |
| 135 scoped_refptr<X509Certificate> client_cert; | |
| 136 }; | |
| 137 | |
| 138 // The interface for retrieving the SSL configuration. This interface | |
| 139 // does not cover setting the SSL configuration, as on some systems, the | |
| 140 // SSLConfigService objects may not have direct access to the configuration, or | |
| 141 // live longer than the configuration preferences. | |
| 142 class NET_EXPORT SSLConfigService | |
| 143 : public base::RefCountedThreadSafe<SSLConfigService> { | |
| 144 public: | |
| 145 // Observer is notified when SSL config settings have changed. | |
| 146 class NET_EXPORT Observer { | |
| 147 public: | |
| 148 // Notify observers if SSL settings have changed. We don't check all of the | |
| 149 // data in SSLConfig, just those that qualify as a user config change. | |
| 150 // The following settings are considered user changes: | |
| 151 // rev_checking_enabled | |
| 152 // version_min | |
| 153 // version_max | |
| 154 // disabled_cipher_suites | |
| 155 // channel_id_enabled | |
| 156 // false_start_enabled | |
| 157 virtual void OnSSLConfigChanged() = 0; | |
| 158 | |
| 159 protected: | |
| 160 virtual ~Observer() {} | |
| 161 }; | |
| 162 | |
| 163 SSLConfigService(); | |
| 164 | |
| 165 // May not be thread-safe, should only be called on the IO thread. | |
| 166 virtual void GetSSLConfig(SSLConfig* config) = 0; | |
| 167 | |
| 168 // Sets and gets the current, global CRL set. | |
| 169 static void SetCRLSet(scoped_refptr<CRLSet> crl_set); | |
| 170 static scoped_refptr<CRLSet> GetCRLSet(); | |
| 171 | |
| 172 // Enables the TLS cached info extension, which allows the server to send | |
| 173 // just a digest of its certificate chain. | |
| 174 static void EnableCachedInfo(); | |
| 175 static bool cached_info_enabled(); | |
| 176 | |
| 177 // Gets the default minimum protocol version. | |
| 178 static uint16 default_version_min(); | |
| 179 | |
| 180 // Gets the default maximum protocol version. | |
| 181 static uint16 default_version_max(); | |
| 182 | |
| 183 // Is SNI available in this configuration? | |
| 184 static bool IsSNIAvailable(SSLConfigService* service); | |
| 185 | |
| 186 // Add an observer of this service. | |
| 187 void AddObserver(Observer* observer); | |
| 188 | |
| 189 // Remove an observer of this service. | |
| 190 void RemoveObserver(Observer* observer); | |
| 191 | |
| 192 // Calls the OnSSLConfigChanged method of registered observers. Should only be | |
| 193 // called on the IO thread. | |
| 194 void NotifySSLConfigChange(); | |
| 195 | |
| 196 protected: | |
| 197 friend class base::RefCountedThreadSafe<SSLConfigService>; | |
| 198 | |
| 199 virtual ~SSLConfigService(); | |
| 200 | |
| 201 // SetFlags sets the values of several flags based on global configuration. | |
| 202 static void SetSSLConfigFlags(SSLConfig* ssl_config); | |
| 203 | |
| 204 // Process before/after config update. | |
| 205 void ProcessConfigUpdate(const SSLConfig& orig_config, | |
| 206 const SSLConfig& new_config); | |
| 207 | |
| 208 private: | |
| 209 ObserverList<Observer> observer_list_; | |
| 210 }; | |
| 211 | |
| 212 } // namespace net | |
| 213 | |
| 214 #endif // NET_BASE_SSL_CONFIG_SERVICE_H_ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 12680003:
net: split net/ssl out of net/base (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src