| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 #include "components/ssl_config/ssl_config_service_manager.h" | 4 #include "components/ssl_config/ssl_config_service_manager.h" |
| 5 | 5 |
| 6 #include <stdint.h> | 6 #include <stdint.h> |
| 7 | 7 |
| 8 #include <algorithm> | 8 #include <algorithm> |
| 9 #include <string> | 9 #include <string> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 154 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 165 // cached list of parsed SSL/TLS cipher suites that are disabled. | 165 // cached list of parsed SSL/TLS cipher suites that are disabled. |
| 166 void OnDisabledCipherSuitesChange(PrefService* local_state); | 166 void OnDisabledCipherSuitesChange(PrefService* local_state); |
| 167 | 167 |
| 168 PrefChangeRegistrar local_state_change_registrar_; | 168 PrefChangeRegistrar local_state_change_registrar_; |
| 169 | 169 |
| 170 // The local_state prefs (should only be accessed from UI thread) | 170 // The local_state prefs (should only be accessed from UI thread) |
| 171 BooleanPrefMember rev_checking_enabled_; | 171 BooleanPrefMember rev_checking_enabled_; |
| 172 BooleanPrefMember rev_checking_required_local_anchors_; | 172 BooleanPrefMember rev_checking_required_local_anchors_; |
| 173 StringPrefMember ssl_version_min_; | 173 StringPrefMember ssl_version_min_; |
| 174 StringPrefMember ssl_version_max_; | 174 StringPrefMember ssl_version_max_; |
| 175 StringPrefMember ssl_version_fallback_min_; | |
| 176 BooleanPrefMember dhe_enabled_; | 175 BooleanPrefMember dhe_enabled_; |
| 177 | 176 |
| 178 // The cached list of disabled SSL cipher suites. | 177 // The cached list of disabled SSL cipher suites. |
| 179 std::vector<uint16_t> disabled_cipher_suites_; | 178 std::vector<uint16_t> disabled_cipher_suites_; |
| 180 | 179 |
| 181 scoped_refptr<SSLConfigServicePref> ssl_config_service_; | 180 scoped_refptr<SSLConfigServicePref> ssl_config_service_; |
| 182 | 181 |
| 183 scoped_refptr<base::SingleThreadTaskRunner> io_task_runner_; | 182 scoped_refptr<base::SingleThreadTaskRunner> io_task_runner_; |
| 184 | 183 |
| 185 DISALLOW_COPY_AND_ASSIGN(SSLConfigServiceManagerPref); | 184 DISALLOW_COPY_AND_ASSIGN(SSLConfigServiceManagerPref); |
| (...skipping 20 matching lines...) Expand all Loading... |
| 206 | 205 |
| 207 rev_checking_enabled_.Init(ssl_config::prefs::kCertRevocationCheckingEnabled, | 206 rev_checking_enabled_.Init(ssl_config::prefs::kCertRevocationCheckingEnabled, |
| 208 local_state, local_state_callback); | 207 local_state, local_state_callback); |
| 209 rev_checking_required_local_anchors_.Init( | 208 rev_checking_required_local_anchors_.Init( |
| 210 ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors, | 209 ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors, |
| 211 local_state, local_state_callback); | 210 local_state, local_state_callback); |
| 212 ssl_version_min_.Init(ssl_config::prefs::kSSLVersionMin, local_state, | 211 ssl_version_min_.Init(ssl_config::prefs::kSSLVersionMin, local_state, |
| 213 local_state_callback); | 212 local_state_callback); |
| 214 ssl_version_max_.Init(ssl_config::prefs::kSSLVersionMax, local_state, | 213 ssl_version_max_.Init(ssl_config::prefs::kSSLVersionMax, local_state, |
| 215 local_state_callback); | 214 local_state_callback); |
| 216 ssl_version_fallback_min_.Init(ssl_config::prefs::kSSLVersionFallbackMin, | |
| 217 local_state, local_state_callback); | |
| 218 dhe_enabled_.Init(ssl_config::prefs::kDHEEnabled, local_state, | 215 dhe_enabled_.Init(ssl_config::prefs::kDHEEnabled, local_state, |
| 219 local_state_callback); | 216 local_state_callback); |
| 220 | 217 |
| 221 local_state_change_registrar_.Init(local_state); | 218 local_state_change_registrar_.Init(local_state); |
| 222 local_state_change_registrar_.Add(ssl_config::prefs::kCipherSuiteBlacklist, | 219 local_state_change_registrar_.Add(ssl_config::prefs::kCipherSuiteBlacklist, |
| 223 local_state_callback); | 220 local_state_callback); |
| 224 | 221 |
| 225 OnDisabledCipherSuitesChange(local_state); | 222 OnDisabledCipherSuitesChange(local_state); |
| 226 | 223 |
| 227 // Initialize from UI thread. This is okay as there shouldn't be anything on | 224 // Initialize from UI thread. This is okay as there shouldn't be anything on |
| 228 // the IO thread trying to access it yet. | 225 // the IO thread trying to access it yet. |
| 229 GetSSLConfigFromPrefs(&ssl_config_service_->cached_config_); | 226 GetSSLConfigFromPrefs(&ssl_config_service_->cached_config_); |
| 230 } | 227 } |
| 231 | 228 |
| 232 // static | 229 // static |
| 233 void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) { | 230 void SSLConfigServiceManagerPref::RegisterPrefs(PrefRegistrySimple* registry) { |
| 234 net::SSLConfig default_config; | 231 net::SSLConfig default_config; |
| 235 registry->RegisterBooleanPref( | 232 registry->RegisterBooleanPref( |
| 236 ssl_config::prefs::kCertRevocationCheckingEnabled, | 233 ssl_config::prefs::kCertRevocationCheckingEnabled, |
| 237 default_config.rev_checking_enabled); | 234 default_config.rev_checking_enabled); |
| 238 registry->RegisterBooleanPref( | 235 registry->RegisterBooleanPref( |
| 239 ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors, | 236 ssl_config::prefs::kCertRevocationCheckingRequiredLocalAnchors, |
| 240 default_config.rev_checking_required_local_anchors); | 237 default_config.rev_checking_required_local_anchors); |
| 241 registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMin, | 238 registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMin, |
| 242 std::string()); | 239 std::string()); |
| 243 registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMax, | 240 registry->RegisterStringPref(ssl_config::prefs::kSSLVersionMax, |
| 244 std::string()); | 241 std::string()); |
| 245 registry->RegisterStringPref(ssl_config::prefs::kSSLVersionFallbackMin, | |
| 246 std::string()); | |
| 247 registry->RegisterListPref(ssl_config::prefs::kCipherSuiteBlacklist); | 242 registry->RegisterListPref(ssl_config::prefs::kCipherSuiteBlacklist); |
| 248 registry->RegisterBooleanPref(ssl_config::prefs::kDHEEnabled, | 243 registry->RegisterBooleanPref(ssl_config::prefs::kDHEEnabled, |
| 249 default_config.dhe_enabled); | 244 default_config.dhe_enabled); |
| 250 } | 245 } |
| 251 | 246 |
| 252 net::SSLConfigService* SSLConfigServiceManagerPref::Get() { | 247 net::SSLConfigService* SSLConfigServiceManagerPref::Get() { |
| 253 return ssl_config_service_.get(); | 248 return ssl_config_service_.get(); |
| 254 } | 249 } |
| 255 | 250 |
| 256 void SSLConfigServiceManagerPref::OnPreferenceChanged( | 251 void SSLConfigServiceManagerPref::OnPreferenceChanged( |
| (...skipping 18 matching lines...) Expand all Loading... |
| 275 // rev_checking_enabled was formerly a user-settable preference, but now | 270 // rev_checking_enabled was formerly a user-settable preference, but now |
| 276 // it is managed-only. | 271 // it is managed-only. |
| 277 if (rev_checking_enabled_.IsManaged()) | 272 if (rev_checking_enabled_.IsManaged()) |
| 278 config->rev_checking_enabled = rev_checking_enabled_.GetValue(); | 273 config->rev_checking_enabled = rev_checking_enabled_.GetValue(); |
| 279 else | 274 else |
| 280 config->rev_checking_enabled = false; | 275 config->rev_checking_enabled = false; |
| 281 config->rev_checking_required_local_anchors = | 276 config->rev_checking_required_local_anchors = |
| 282 rev_checking_required_local_anchors_.GetValue(); | 277 rev_checking_required_local_anchors_.GetValue(); |
| 283 std::string version_min_str = ssl_version_min_.GetValue(); | 278 std::string version_min_str = ssl_version_min_.GetValue(); |
| 284 std::string version_max_str = ssl_version_max_.GetValue(); | 279 std::string version_max_str = ssl_version_max_.GetValue(); |
| 285 std::string version_fallback_min_str = ssl_version_fallback_min_.GetValue(); | |
| 286 config->version_min = net::kDefaultSSLVersionMin; | 280 config->version_min = net::kDefaultSSLVersionMin; |
| 287 config->version_max = net::kDefaultSSLVersionMax; | 281 config->version_max = net::kDefaultSSLVersionMax; |
| 288 config->version_fallback_min = net::kDefaultSSLVersionFallbackMin; | |
| 289 uint16_t version_min = SSLProtocolVersionFromString(version_min_str); | 282 uint16_t version_min = SSLProtocolVersionFromString(version_min_str); |
| 290 uint16_t version_max = SSLProtocolVersionFromString(version_max_str); | 283 uint16_t version_max = SSLProtocolVersionFromString(version_max_str); |
| 291 uint16_t version_fallback_min = | |
| 292 SSLProtocolVersionFromString(version_fallback_min_str); | |
| 293 if (version_min) { | 284 if (version_min) { |
| 294 config->version_min = version_min; | 285 config->version_min = version_min; |
| 295 } | 286 } |
| 296 if (version_max) { | 287 if (version_max) { |
| 297 uint16_t supported_version_max = config->version_max; | 288 uint16_t supported_version_max = config->version_max; |
| 298 config->version_max = std::min(supported_version_max, version_max); | 289 config->version_max = std::min(supported_version_max, version_max); |
| 299 } | 290 } |
| 300 // Values below TLS 1.1 are invalid. | |
| 301 if (version_fallback_min && | |
| 302 version_fallback_min >= net::SSL_PROTOCOL_VERSION_TLS1_1) { | |
| 303 config->version_fallback_min = version_fallback_min; | |
| 304 } | |
| 305 config->disabled_cipher_suites = disabled_cipher_suites_; | 291 config->disabled_cipher_suites = disabled_cipher_suites_; |
| 306 config->dhe_enabled = dhe_enabled_.GetValue(); | 292 config->dhe_enabled = dhe_enabled_.GetValue(); |
| 307 } | 293 } |
| 308 | 294 |
| 309 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange( | 295 void SSLConfigServiceManagerPref::OnDisabledCipherSuitesChange( |
| 310 PrefService* local_state) { | 296 PrefService* local_state) { |
| 311 const base::ListValue* value = | 297 const base::ListValue* value = |
| 312 local_state->GetList(ssl_config::prefs::kCipherSuiteBlacklist); | 298 local_state->GetList(ssl_config::prefs::kCipherSuiteBlacklist); |
| 313 disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value)); | 299 disabled_cipher_suites_ = ParseCipherSuites(ListValueToStringVector(value)); |
| 314 } | 300 } |
| 315 | 301 |
| 316 //////////////////////////////////////////////////////////////////////////////// | 302 //////////////////////////////////////////////////////////////////////////////// |
| 317 // SSLConfigServiceManager | 303 // SSLConfigServiceManager |
| 318 | 304 |
| 319 namespace ssl_config { | 305 namespace ssl_config { |
| 320 // static | 306 // static |
| 321 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager( | 307 SSLConfigServiceManager* SSLConfigServiceManager::CreateDefaultManager( |
| 322 PrefService* local_state, | 308 PrefService* local_state, |
| 323 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) { | 309 const scoped_refptr<base::SingleThreadTaskRunner>& io_task_runner) { |
| 324 return new SSLConfigServiceManagerPref(local_state, io_task_runner); | 310 return new SSLConfigServiceManagerPref(local_state, io_task_runner); |
| 325 } | 311 } |
| 326 | 312 |
| 327 // static | 313 // static |
| 328 void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) { | 314 void SSLConfigServiceManager::RegisterPrefs(PrefRegistrySimple* registry) { |
| 329 SSLConfigServiceManagerPref::RegisterPrefs(registry); | 315 SSLConfigServiceManagerPref::RegisterPrefs(registry); |
| 330 } | 316 } |
| 331 } // namespace ssl_config | 317 } // namespace ssl_config |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2098723002:
Unwind the fallback admin policy knobs. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master