Chromium Code Reviews Chromium Code Reviews
Issue 208713004:
Move SSLConfig class from ssl_config_service.h to ssl_config.h (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_SSL_SSL_CONFIG_SERVICE_H_ | 5 #ifndef NET_SSL_SSL_CONFIG_SERVICE_H_ |
| 6 #define NET_SSL_SSL_CONFIG_SERVICE_H_ | 6 #define NET_SSL_SSL_CONFIG_SERVICE_H_ |
| 7 | 7 |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
| 11 #include "base/memory/ref_counted.h" | 11 #include "base/memory/ref_counted.h" |
| 12 #include "base/observer_list.h" | 12 #include "base/observer_list.h" |
| 13 #include "base/strings/string_piece.h" | 13 #include "base/strings/string_piece.h" |
| 14 #include "net/base/net_export.h" | 14 #include "net/base/net_export.h" |
| 15 #include "net/cert/cert_status_flags.h" | 15 #include "net/cert/cert_status_flags.h" |
|
wtc
2014/03/22 01:29:41
We should be able to remove "base/basictypes.h",
Sergey Ulanov
2014/03/22 01:49:00
Done.
| |
| 16 #include "net/cert/crl_set.h" | 16 #include "net/cert/crl_set.h" |
| 17 #include "net/cert/x509_certificate.h" | 17 #include "net/ssl/ssl_config.h" |
| 18 | 18 |
| 19 namespace net { | 19 namespace net { |
| 20 | 20 |
| 21 // Various TLS/SSL ProtocolVersion values encoded as uint16 | |
| 22 // struct { | |
| 23 // uint8 major; | |
| 24 // uint8 minor; | |
| 25 // } ProtocolVersion; | |
| 26 // The most significant byte is |major|, and the least significant byte | |
| 27 // is |minor|. | |
| 28 enum { | |
| 29 SSL_PROTOCOL_VERSION_SSL3 = 0x0300, | |
| 30 SSL_PROTOCOL_VERSION_TLS1 = 0x0301, | |
| 31 SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302, | |
| 32 SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303, | |
| 33 }; | |
| 34 | |
| 35 // A collection of SSL-related configuration settings. | |
| 36 struct NET_EXPORT SSLConfig { | |
| 37 // Default to revocation checking. | |
| 38 // Default to SSL 3.0 ~ default_version_max() on. | |
| 39 SSLConfig(); | |
| 40 ~SSLConfig(); | |
| 41 | |
| 42 // Returns true if |cert| is one of the certs in |allowed_bad_certs|. | |
| 43 // The expected cert status is written to |cert_status|. |*cert_status| can | |
| 44 // be NULL if user doesn't care about the cert status. | |
| 45 bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const; | |
| 46 | |
| 47 // Same as above except works with DER encoded certificates instead | |
| 48 // of X509Certificate. | |
| 49 bool IsAllowedBadCert(const base::StringPiece& der_cert, | |
| 50 CertStatus* cert_status) const; | |
| 51 | |
| 52 // rev_checking_enabled is true if online certificate revocation checking is | |
| 53 // enabled (i.e. OCSP and CRL fetching). | |
| 54 // | |
| 55 // Regardless of this flag, CRLSet checking is always enabled and locally | |
| 56 // cached revocation information will be considered. | |
| 57 bool rev_checking_enabled; | |
| 58 | |
| 59 // rev_checking_required_local_anchors is true if revocation checking is | |
| 60 // required to succeed when certificates chain to local trust anchors (that | |
| 61 // is, non-public CAs). If revocation information cannot be obtained, such | |
| 62 // certificates will be treated as revoked ("hard-fail"). | |
| 63 // Note: This is distinct from rev_checking_enabled. If true, it is | |
| 64 // equivalent to also setting rev_checking_enabled, but only when the | |
| 65 // certificate chain chains to a local (non-public) trust anchor. | |
| 66 bool rev_checking_required_local_anchors; | |
| 67 | |
| 68 // The minimum and maximum protocol versions that are enabled. | |
| 69 // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on. | |
| 70 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.) | |
| 71 // SSL 2.0 is not supported. If version_max < version_min, it means no | |
| 72 // protocol versions are enabled. | |
| 73 uint16 version_min; | |
| 74 uint16 version_max; | |
| 75 | |
| 76 // Presorted list of cipher suites which should be explicitly prevented from | |
| 77 // being used in addition to those disabled by the net built-in policy. | |
| 78 // | |
| 79 // By default, all cipher suites supported by the underlying SSL | |
| 80 // implementation will be enabled except for: | |
| 81 // - Null encryption cipher suites. | |
| 82 // - Weak cipher suites: < 80 bits of security strength. | |
| 83 // - FORTEZZA cipher suites (obsolete). | |
| 84 // - IDEA cipher suites (RFC 5469 explains why). | |
| 85 // - Anonymous cipher suites. | |
| 86 // - ECDSA cipher suites on platforms that do not support ECDSA signed | |
| 87 // certificates, as servers may use the presence of such ciphersuites as a | |
| 88 // hint to send an ECDSA certificate. | |
| 89 // The ciphers listed in |disabled_cipher_suites| will be removed in addition | |
| 90 // to the above list. | |
| 91 // | |
| 92 // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in | |
| 93 // big-endian form, they should be declared in host byte order, with the | |
| 94 // first uint8 occupying the most significant byte. | |
| 95 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to | |
| 96 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. | |
| 97 std::vector<uint16> disabled_cipher_suites; | |
| 98 | |
| 99 bool channel_id_enabled; // True if TLS channel ID extension is enabled. | |
| 100 bool false_start_enabled; // True if we'll use TLS False Start. | |
| 101 // True if the Certificate Transparency signed_certificate_timestamp | |
| 102 // TLS extension is enabled. | |
| 103 bool signed_cert_timestamps_enabled; | |
| 104 | |
| 105 // require_forward_secrecy, if true, causes only (EC)DHE cipher suites to be | |
| 106 // enabled. NOTE: this only applies to server sockets currently, although | |
| 107 // that could be extended if needed. | |
| 108 bool require_forward_secrecy; | |
| 109 | |
| 110 // If |unrestricted_ssl3_fallback_enabled| is true, SSL 3.0 fallback will be | |
| 111 // enabled for all sites. | |
| 112 // If |unrestricted_ssl3_fallback_enabled| is false, SSL 3.0 fallback will be | |
| 113 // disabled for a site pinned to the Google pin list (indicating that it is a | |
| 114 // Google site). | |
| 115 bool unrestricted_ssl3_fallback_enabled; | |
| 116 | |
| 117 // TODO(wtc): move the following members to a new SSLParams structure. They | |
| 118 // are not SSL configuration settings. | |
| 119 | |
| 120 struct NET_EXPORT CertAndStatus { | |
| 121 CertAndStatus(); | |
| 122 ~CertAndStatus(); | |
| 123 | |
| 124 std::string der_cert; | |
| 125 CertStatus cert_status; | |
| 126 }; | |
| 127 | |
| 128 // Add any known-bad SSL certificate (with its cert status) to | |
| 129 // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when | |
| 130 // calling SSLClientSocket::Connect. This would normally be done in | |
| 131 // response to the user explicitly accepting the bad certificate. | |
| 132 std::vector<CertAndStatus> allowed_bad_certs; | |
| 133 | |
| 134 // True if we should send client_cert to the server. | |
| 135 bool send_client_cert; | |
| 136 | |
| 137 bool verify_ev_cert; // True if we should verify the certificate for EV. | |
| 138 | |
| 139 bool version_fallback; // True if we are falling back to an older protocol | |
| 140 // version (one still needs to decrement | |
| 141 // version_max). | |
| 142 | |
| 143 // If cert_io_enabled is false, then certificate verification will not | |
| 144 // result in additional HTTP requests. (For example: to fetch missing | |
| 145 // intermediates or to perform OCSP/CRL fetches.) It also implies that online | |
| 146 // revocation checking is disabled. | |
| 147 // NOTE: Only used by NSS. | |
| 148 bool cert_io_enabled; | |
| 149 | |
| 150 // The list of application level protocols supported. If set, this will | |
| 151 // enable Next Protocol Negotiation (if supported). The order of the | |
| 152 // protocols doesn't matter expect for one case: if the server supports Next | |
| 153 // Protocol Negotiation, but there is no overlap between the server's and | |
| 154 // client's protocol sets, then the first protocol in this list will be | |
| 155 // requested by the client. | |
| 156 std::vector<std::string> next_protos; | |
| 157 | |
| 158 scoped_refptr<X509Certificate> client_cert; | |
| 159 }; | |
| 160 | |
| 161 // The interface for retrieving the SSL configuration. This interface | 21 // The interface for retrieving the SSL configuration. This interface |
| 162 // does not cover setting the SSL configuration, as on some systems, the | 22 // does not cover setting the SSL configuration, as on some systems, the |
| 163 // SSLConfigService objects may not have direct access to the configuration, or | 23 // SSLConfigService objects may not have direct access to the configuration, or |
| 164 // live longer than the configuration preferences. | 24 // live longer than the configuration preferences. |
| 165 class NET_EXPORT SSLConfigService | 25 class NET_EXPORT SSLConfigService |
| 166 : public base::RefCountedThreadSafe<SSLConfigService> { | 26 : public base::RefCountedThreadSafe<SSLConfigService> { |
| 167 public: | 27 public: |
| 168 // Observer is notified when SSL config settings have changed. | 28 // Observer is notified when SSL config settings have changed. |
| 169 class NET_EXPORT Observer { | 29 class NET_EXPORT Observer { |
| 170 public: | 30 public: |
| (...skipping 15 matching lines...) Expand all Loading... | |
| 186 | 46 |
| 187 SSLConfigService(); | 47 SSLConfigService(); |
| 188 | 48 |
| 189 // May not be thread-safe, should only be called on the IO thread. | 49 // May not be thread-safe, should only be called on the IO thread. |
| 190 virtual void GetSSLConfig(SSLConfig* config) = 0; | 50 virtual void GetSSLConfig(SSLConfig* config) = 0; |
| 191 | 51 |
| 192 // Sets and gets the current, global CRL set. | 52 // Sets and gets the current, global CRL set. |
| 193 static void SetCRLSet(scoped_refptr<CRLSet> crl_set); | 53 static void SetCRLSet(scoped_refptr<CRLSet> crl_set); |
| 194 static scoped_refptr<CRLSet> GetCRLSet(); | 54 static scoped_refptr<CRLSet> GetCRLSet(); |
| 195 | 55 |
| 196 // Gets the default minimum protocol version. | |
| 197 static uint16 default_version_min(); | |
| 198 | |
| 199 // Gets the default maximum protocol version. | |
| 200 static uint16 default_version_max(); | |
| 201 | |
| 202 // Is SNI available in this configuration? | 56 // Is SNI available in this configuration? |
| 203 static bool IsSNIAvailable(SSLConfigService* service); | 57 static bool IsSNIAvailable(SSLConfigService* service); |
| 204 | 58 |
| 205 // Add an observer of this service. | 59 // Add an observer of this service. |
| 206 void AddObserver(Observer* observer); | 60 void AddObserver(Observer* observer); |
| 207 | 61 |
| 208 // Remove an observer of this service. | 62 // Remove an observer of this service. |
| 209 void RemoveObserver(Observer* observer); | 63 void RemoveObserver(Observer* observer); |
| 210 | 64 |
| 211 // Calls the OnSSLConfigChanged method of registered observers. Should only be | 65 // Calls the OnSSLConfigChanged method of registered observers. Should only be |
| 212 // called on the IO thread. | 66 // called on the IO thread. |
| 213 void NotifySSLConfigChange(); | 67 void NotifySSLConfigChange(); |
| 214 | 68 |
| 215 protected: | 69 protected: |
| 216 friend class base::RefCountedThreadSafe<SSLConfigService>; | 70 friend class base::RefCountedThreadSafe<SSLConfigService>; |
| 217 | 71 |
| 218 virtual ~SSLConfigService(); | 72 virtual ~SSLConfigService(); |
| 219 | 73 |
| 220 // Process before/after config update. | 74 // Process before/after config update. |
| 221 void ProcessConfigUpdate(const SSLConfig& orig_config, | 75 void ProcessConfigUpdate(const SSLConfig& orig_config, |
| 222 const SSLConfig& new_config); | 76 const SSLConfig& new_config); |
| 223 | 77 |
| 224 private: | 78 private: |
| 225 ObserverList<Observer> observer_list_; | 79 ObserverList<Observer> observer_list_; |
| 226 }; | 80 }; |
| 227 | 81 |
| 228 } // namespace net | 82 } // namespace net |
| 229 | 83 |
| 230 #endif // NET_SSL_SSL_CONFIG_SERVICE_H_ | 84 #endif // NET_SSL_SSL_CONFIG_SERVICE_H_ |
| OLD | NEW |
