1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 #include "components/ssl_config/ssl_config_service_manager.h" | 4 #include "components/ssl_config/ssl_config_service_manager.h" |
5 | 5 |
6 #include <stdint.h> | 6 #include <stdint.h> |
7 | 7 |
8 #include <algorithm> | 8 #include <algorithm> |
9 #include <string> | 9 #include <string> |
10 #include <vector> | 10 #include <vector> |
11 | 11 |
12 #include "base/bind.h" | 12 #include "base/bind.h" |
13 #include "base/feature_list.h" | |
13 #include "base/macros.h" | 14 #include "base/macros.h" |
14 #include "base/metrics/field_trial.h" | 15 #include "base/metrics/field_trial.h" |
15 #include "base/single_thread_task_runner.h" | 16 #include "base/single_thread_task_runner.h" |
16 #include "base/strings/string_util.h" | 17 #include "base/strings/string_util.h" |
17 #include "base/values.h" | 18 #include "base/values.h" |
18 #include "components/content_settings/core/browser/content_settings_utils.h" | 19 #include "components/content_settings/core/browser/content_settings_utils.h" |
19 #include "components/content_settings/core/common/content_settings.h" | 20 #include "components/content_settings/core/common/content_settings.h" |
20 #include "components/prefs/pref_change_registrar.h" | 21 #include "components/prefs/pref_change_registrar.h" |
21 #include "components/prefs/pref_member.h" | 22 #include "components/prefs/pref_member.h" |
22 #include "components/prefs/pref_registry_simple.h" | 23 #include "components/prefs/pref_registry_simple.h" |
81 } | 82 } |
82 return version; | 83 return version; |
83 } | 84 } |
84 | 85 |
85 bool IsRC4EnabledByDefault() { | 86 bool IsRC4EnabledByDefault() { |
86 const std::string group_name = | 87 const std::string group_name = |
87 base::FieldTrialList::FindFullName("RC4Ciphers"); | 88 base::FieldTrialList::FindFullName("RC4Ciphers"); |
88 return base::StartsWith(group_name, "Enabled", base::CompareCase::SENSITIVE); | 89 return base::StartsWith(group_name, "Enabled", base::CompareCase::SENSITIVE); |
89 } | 90 } |
90 | 91 |
92 const base::Feature kSSLVersionFallbackTLSv11 = { | |
Alexei Svitkine (slow)
2016/02/16 16:25:04
Nit: No =
davidben
2016/02/16 17:01:08
Done.
93 "SSLVersionFallbackTLSv1.1", base::FEATURE_DISABLED_BY_DEFAULT, | |
94 }; | |
95 | |
91 } // namespace | 96 } // namespace |
92 | 97 |
93 //////////////////////////////////////////////////////////////////////////////// | 98 //////////////////////////////////////////////////////////////////////////////// |
94 // SSLConfigServicePref | 99 // SSLConfigServicePref |
95 | 100 |
96 // An SSLConfigService which stores a cached version of the current SSLConfig | 101 // An SSLConfigService which stores a cached version of the current SSLConfig |
97 // prefs, which are updated by SSLConfigServiceManagerPref when the prefs | 102 // prefs, which are updated by SSLConfigServiceManagerPref when the prefs |
98 // change. | 103 // change. |
99 class SSLConfigServicePref : public net::SSLConfigService { | 104 class SSLConfigServicePref : public net::SSLConfigService { |
100 public: | 105 public: |
190 PrefService* local_state, | 195 PrefService* local_state, |
191 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) | 196 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) |
192 : ssl_config_service_(new SSLConfigServicePref(io_task_runner)), | 197 : ssl_config_service_(new SSLConfigServicePref(io_task_runner)), |
193 io_task_runner_(io_task_runner) { | 198 io_task_runner_(io_task_runner) { |
194 DCHECK(local_state); | 199 DCHECK(local_state); |
195 | 200 |
196 local_state->SetDefaultPrefValue( | 201 local_state->SetDefaultPrefValue( |
197 ssl_config::prefs::kRC4Enabled, | 202 ssl_config::prefs::kRC4Enabled, |
198 new base::FundamentalValue(IsRC4EnabledByDefault())); | 203 new base::FundamentalValue(IsRC4EnabledByDefault())); |
199 | 204 |
205 // Restore the TLS 1.1 fallback leg if enabled via features. | |
206 // TODO(davidben): Remove this when the fallback removal has succeeded. | |
207 // https://crbug.com/536200. | |
208 if (base::FeatureList::IsEnabled(kSSLVersionFallbackTLSv11)) { | |
209 local_state->SetDefaultPrefValue( | |
210 ssl_config::prefs::kSSLVersionFallbackMin, | |
211 new base::StringValue(switches::kSSLVersionTLSv11)); | |
212 } | |
213 | |
200 PrefChangeRegistrar::NamedChangeCallback local_state_callback = | 214 PrefChangeRegistrar::NamedChangeCallback local_state_callback = |
201 base::Bind(&SSLConfigServiceManagerPref::OnPreferenceChanged, | 215 base::Bind(&SSLConfigServiceManagerPref::OnPreferenceChanged, |
202 base::Unretained(this), local_state); | 216 base::Unretained(this), local_state); |
203 | 217 |
204 rev_checking_enabled_.Init(ssl_config::prefs::kCertRevocationCheckingEnabled, | 218 rev_checking_enabled_.Init(ssl_config::prefs::kCertRevocationCheckingEnabled, |
205 local_state, local_state_callback); | 219 local_state, local_state_callback); |
206 rev_checking_required_local_anchors_.Init( | 220 rev_checking_required_local_anchors_.Init( |
207 ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors, | 221 ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors, |
208 local_state, local_state_callback); | 222 local_state, local_state_callback); |
209 ssl_version_min_.Init(ssl_config::prefs::kSSLVersionMin, local_state, | 223 ssl_version_min_.Init(ssl_config::prefs::kSSLVersionMin, local_state, |
287 uint16_t version_max = SSLProtocolVersionFromString(version_max_str); | 301 uint16_t version_max = SSLProtocolVersionFromString(version_max_str); |
288 uint16_t version_fallback_min = | 302 uint16_t version_fallback_min = |
289 SSLProtocolVersionFromString(version_fallback_min_str); | 303 SSLProtocolVersionFromString(version_fallback_min_str); |
290 if (version_min) { | 304 if (version_min) { |
291 config->version_min = version_min; | 305 config->version_min = version_min; |
292 } | 306 } |
293 if (version_max) { | 307 if (version_max) { |
294 uint16_t supported_version_max = config->version_max; | 308 uint16_t supported_version_max = config->version_max; |
295 config->version_max = std::min(supported_version_max, version_max); | 309 config->version_max = std::min(supported_version_max, version_max); |
296 } | 310 } |
297 if (version_fallback_min) { | 311 // Values below TLS 1.1 are invalid. |
312 if (version_fallback_min && | |
313 version_fallback_min >= net::SSL_PROTOCOL_VERSION_TLS1_1) { | |
298 config->version_fallback_min = version_fallback_min; | 314 config->version_fallback_min = version_fallback_min; |
299 } | 315 } |
300 config->disabled_cipher_suites = disabled_cipher_suites_; | 316 config->disabled_cipher_suites = disabled_cipher_suites_; |
301 config->rc4_enabled = rc4_enabled_.GetValue(); | 317 config->rc4_enabled = rc4_enabled_.GetValue(); |
302 } | 318 } |
303 | 319 |
304 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange( | 320 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange( |
305 PrefService* local_state) { | 321 PrefService* local_state) { |
306 const base::ListValue* value = | 322 const base::ListValue* value = |
307 local_state->GetList(ssl_config::prefs::kCipherSuiteBlacklist); | 323 local_state->GetList(ssl_config::prefs::kCipherSuiteBlacklist); |
308 disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value)); | 324 disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value)); |
309 } | 325 } |
310 | 326 |
311 //////////////////////////////////////////////////////////////////////////////// | 327 //////////////////////////////////////////////////////////////////////////////// |
312 // SSLConfigServiceManager | 328 // SSLConfigServiceManager |
313 | 329 |
314 namespace ssl_config { | 330 namespace ssl_config { |
315 // static | 331 // static |
316 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager( | 332 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager( |
317 PrefService* local_state, | 333 PrefService* local_state, |
318 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) { | 334 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) { |
319 return new SSLConfigServiceManagerPref(local_state, io_task_runner); | 335 return new SSLConfigServiceManagerPref(local_state, io_task_runner); |
320 } | 336 } |
321 | 337 |
322 // static | 338 // static |
323 void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) { | 339 void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) { |
324 SSLConfigServiceManagerPref::RegisterPrefs(registry); | 340 SSLConfigServiceManagerPref::RegisterPrefs(registry); |
325 } | 341 } |
326 } // namespace ssl_config | 342 } // namespace ssl_config |
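Review bot: The `version_fallback_min &&` test at new line 312 is redundant once line 313 requires `version_fallback_min >= net::SSL_PROTOCOL_VERSION_TLS1_1` (a nonzero constant), so the guard can be written as `if (version_fallback_min >= net::SSL_PROTOCOL_VERSION_TLS1_1) {` with the comment reading `// Values below TLS 1.1 are invalid and are ignored.`; the enclosing function starts before the visible part of this section. The silent drop is worth stating in that comment, because a pref or policy value below TLS 1.1 now leaves `config->version_fallback_min` untouched with no log line, which is hard to diagnose for whoever set the pref. Unlike `version_max`, which lines 307-310 clamp against the supported maximum, the fallback minimum is not reconciled with `version_min`/`version_max` here; if net::SSLConfig does not do that itself, a fallback minimum above `version_max` would be stored as-is. The constructor's default at new lines 208-211 expresses TLS 1.1 as the string `switches::kSSLVersionTLSv11` while the validation uses the numeric constant, so a one-line comment next to line 211 noting that the two must stay in agreement would help the removal promised by the TODO at line 206.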