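--- a/components/ssl_config/ssl_config_service_manager.cc
+++ b/components/ssl_config/ssl_config_service_manager.cc
@@ -1,22 +1,23 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "components/ssl_config/ssl_config_service_manager.h"
 
 #include <stdint.h>
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
 #include "base/bind.h"
+#include "base/feature_list.h"
 #include "base/location.h"
 #include "base/macros.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/string_util.h"
 #include "base/values.h"
 #include "components/content_settings/core/browser/content_settings_utils.h"
 #include "components/content_settings/core/common/content_settings.h"
 #include "components/prefs/pref_change_registrar.h"
 #include "components/prefs/pref_member.h"
 #include "components/prefs/pref_registry_simple.h"
@@ -75,20 +76,24 @@
 if (version_str == switches::kSSLVersionTLSv1) {
 version = net::SSL_PROTOCOL_VERSION_TLS1;
 } else if (version_str == switches::kSSLVersionTLSv11) {
 version = net::SSL_PROTOCOL_VERSION_TLS1_1;
 } else if (version_str == switches::kSSLVersionTLSv12) {
 version = net::SSL_PROTOCOL_VERSION_TLS1_2;
 }
 return version;
 }
 
+const base::Feature kDHECiphersFeature{
+"DHECiphers", base::FEATURE_DISABLED_BY_DEFAULT,
+};
+
 } // namespace
 
 ////////////////////////////////////////////////////////////////////////////////
 // SSLConfigServicePref
 
 // An SSLConfigService which stores a cached version of the current SSLConfig
 // prefs, which are updated by SSLConfigServiceManagerPref when the prefs
 // change.
 class SSLConfigServicePref : public net::SSLConfigService {
 public:
@@ -161,81 +166,94 @@
 void OnDisabledCipherSuitesChange(PrefService* local_state);
 
 PrefChangeRegistrar local_state_change_registrar_;
 
 // The local_state prefs (should only be accessed from UI thread)
 BooleanPrefMember rev_checking_enabled_;
 BooleanPrefMember rev_checking_required_local_anchors_;
 StringPrefMember ssl_version_min_;
 StringPrefMember ssl_version_max_;
 StringPrefMember ssl_version_fallback_min_;
+BooleanPrefMember dhe_enabled_;
 
 // The cached list of disabled SSL cipher suites.
 std::vector<uint16_t> disabled_cipher_suites_;
 
 scoped_refptr<SSLConfigServicePref> ssl_config_service_;
 
 scoped_refptr<base::SingleThreadTaskRunner> io_task_runner_;
 
 DISALLOW_COPY_AND_ASSIGN(SSLConfigServiceManagerPref);
 };
 
 SSLConfigServiceManagerPref::SSLConfigServiceManagerPref(
 PrefService* local_state,
 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner)
 : ssl_config_service_(new SSLConfigServicePref(io_task_runner)),
 io_task_runner_(io_task_runner) {
 DCHECK(local_state);
 
+// Restore DHE-based ciphers if enabled via features.
+// TODO(davidben): Remove this when the removal has succeeded.
+// https://crbug.com/619194.
+if (base::FeatureList::IsEnabled(kDHECiphersFeature)) {
+local_state->SetDefaultPrefValue(ssl_config::prefs::kDHEEnabled,
+new base::FundamentalValue(true));
+}
+
 PrefChangeRegistrar::NamedChangeCallback local_state_callback =
 base::Bind(&SSLConfigServiceManagerPref::OnPreferenceChanged,
 base::Unretained(this), local_state);
 
 rev_checking_enabled_.Init(ssl_config::prefs::kCertRevocationCheckingEnabled,
 local_state, local_state_callback);
 rev_checking_required_local_anchors_.Init(
 ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors,
 local_state, local_state_callback);
 ssl_version_min_.Init(ssl_config::prefs::kSSLVersionMin, local_state,
 local_state_callback);
 ssl_version_max_.Init(ssl_config::prefs::kSSLVersionMax, local_state,
 local_state_callback);
 ssl_version_fallback_min_.Init(ssl_config::prefs::kSSLVersionFallbackMin,
 local_state, local_state_callback);
+dhe_enabled_.Init(ssl_config::prefs::kDHEEnabled, local_state,
+local_state_callback);
 
 local_state_change_registrar_.Init(local_state);
 local_state_change_registrar_.Add(ssl_config::prefs::kCipherSuiteBlacklist,
 local_state_callback);
 
 OnDisabledCipherSuitesChange(local_state);
 
 // Initialize from UI thread. This is okay as there shouldn't be anything on
 // the IO thread trying to access it yet.
 GetSSLConfigFromPrefs(&ssl_config_service_->cached_config_);
 }
 
 // static
 void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) {
 net::SSLConfig default_config;
 registry->RegisterBooleanPref(
 ssl_config::prefs::kCertRevocationCheckingEnabled,
 default_config.rev_checking_enabled);
 registry->RegisterBooleanPref(
 ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors,
 default_config.rev_checking_required_local_anchors);
 registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMin,
 std::string());
 registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMax,
 std::string());
 registry->RegisterStringPref(ssl_config::prefs::kSSLVersionFallbackMin,
 std::string());
 registry->RegisterListPref(ssl_config::prefs::kCipherSuiteBlacklist);
+registry->RegisterBooleanPref(ssl_config::prefs::kDHEEnabled,
+default_config.dhe_enabled);
 }
 
 net::SSLConfigService* SSLConfigServiceManagerPref::Get() {
 return ssl_config_service_.get();
 }
 
 void SSLConfigServiceManagerPref::OnPreferenceChanged(
 PrefService* prefs,
 const std::string& pref_name_in) {
 DCHECK(prefs);
@@ -278,35 +296,36 @@
 if (version_max) {
 uint16_t supported_version_max = config->version_max;
 config->version_max = std::min(supported_version_max, version_max);
 }
 // Values below TLS 1.1 are invalid.
 if (version_fallback_min &&
 version_fallback_min >= net::SSL_PROTOCOL_VERSION_TLS1_1) {
 config->version_fallback_min = version_fallback_min;
 }
 config->disabled_cipher_suites = disabled_cipher_suites_;
+config->dhe_enabled = dhe_enabled_.GetValue();
 }
 
 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange(
 PrefService* local_state) {
 const base::ListValue* value =
 local_state->GetList(ssl_config::prefs::kCipherSuiteBlacklist);
 disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value));
 }
 
 ////////////////////////////////////////////////////////////////////////////////
 // SSLConfigServiceManager
 
 namespace ssl_config {
 // static
 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager(
 PrefService* local_state,
 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) {
 return new SSLConfigServiceManagerPref(local_state, io_task_runner);
 }
 
 // static
 void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) {
 SSLConfigServiceManagerPref::RegisterPrefs(registry);
 }
 } // namespace ssl_config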