Home | History | Annotate | Download | only in base 
      1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H_
      6 #define NET_BASE_SSL_CONFIG_SERVICE_H_
      7 #pragma once
      8 
      9 #include <vector>
     10 
     11 #include "base/basictypes.h"
     12 #include "base/memory/ref_counted.h"
     13 #include "base/observer_list.h"
     14 #include "net/base/x509_certificate.h"
     15 
     16 namespace net {
     17 
     18 // A collection of SSL-related configuration settings.
     19 struct SSLConfig {
     20   // Default to revocation checking.
     21   // Default to SSL 3.0 on and TLS 1.0 on.
     22   SSLConfig();
     23   ~SSLConfig();
     24 
     25   // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
     26   bool IsAllowedBadCert(X509Certificate* cert) const;
     27 
     28   bool rev_checking_enabled;  // True if server certificate revocation
     29                               // checking is enabled.
     30   // SSL 2.0 is not supported.
     31   bool ssl3_enabled;  // True if SSL 3.0 is enabled.
     32   bool tls1_enabled;  // True if TLS 1.0 is enabled.
     33   bool dnssec_enabled;  // True if we'll accept DNSSEC chains in certificates.
     34   // True if we'll do async checks for certificate provenance using DNS.
     35   bool dns_cert_provenance_checking_enabled;
     36 
     37   // Cipher suites which should be explicitly prevented from being used in
     38   // addition to those disabled by the net built-in policy -- by default, all
     39   // cipher suites supported by the underlying SSL implementation will be
     40   // enabled except for:
     41   // - Null encryption cipher suites.
     42   // - Weak cipher suites: < 80 bits of security strength.
     43   // - FORTEZZA cipher suites (obsolete).
     44   // - IDEA cipher suites (RFC 5469 explains why).
     45   // - Anonymous cipher suites.
     46   // The ciphers listed in |disabled_cipher_suites| will be removed in addition
     47   // to the above statically defined disable list.
     48   //
     49   // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
     50   // big-endian form, they should be declared in host byte order, with the
     51   // first uint8 occupying the most significant byte.
     52   // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
     53   // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
     54   //
     55   // TODO(rsleevi): Not implemented when using Schannel.
     56   std::vector<uint16> disabled_cipher_suites;
     57 
     58   bool false_start_enabled;  // True if we'll use TLS False Start.
     59 
     60   // TODO(wtc): move the following members to a new SSLParams structure.  They
     61   // are not SSL configuration settings.
     62 
     63   struct CertAndStatus {
     64     CertAndStatus();
     65     ~CertAndStatus();
     66 
     67     scoped_refptr<X509Certificate> cert;
     68     int cert_status;
     69   };
     70 
     71   // Add any known-bad SSL certificate (with its cert status) to
     72   // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when
     73   // calling SSLClientSocket::Connect.  This would normally be done in
     74   // response to the user explicitly accepting the bad certificate.
     75   std::vector<CertAndStatus> allowed_bad_certs;
     76 
     77   // True if we should send client_cert to the server.
     78   bool send_client_cert;
     79 
     80   bool verify_ev_cert;  // True if we should verify the certificate for EV.
     81 
     82   bool ssl3_fallback;  // True if we are falling back to SSL 3.0 (one still
     83                        // needs to clear tls1_enabled).
     84 
     85   // The list of application level protocols supported. If set, this will
     86   // enable Next Protocol Negotiation (if supported). This is a list of 8-bit
     87   // length prefixed strings. The order of the protocols doesn't matter expect
     88   // for one case: if the server supports Next Protocol Negotiation, but there
     89   // is no overlap between the server's and client's protocol sets, then the
     90   // first protocol in this list will be requested by the client.
     91   std::string next_protos;
     92 
     93   scoped_refptr<X509Certificate> client_cert;
     94 };
     95 
     96 // The interface for retrieving the SSL configuration.  This interface
     97 // does not cover setting the SSL configuration, as on some systems, the
     98 // SSLConfigService objects may not have direct access to the configuration, or
     99 // live longer than the configuration preferences.
    100 class SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
    101  public:
    102   // Observer is notified when SSL config settings have changed.
    103   class Observer {
    104    public:
    105     // Notify observers if SSL settings have changed.  We don't check all of the
    106     // data in SSLConfig, just those that qualify as a user config change.
    107     // The following settings are considered user changes:
    108     //     rev_checking_enabled
    109     //     ssl3_enabled
    110     //     tls1_enabled
    111     virtual void OnSSLConfigChanged() = 0;
    112 
    113    protected:
    114     virtual ~Observer() {}
    115   };
    116 
    117   SSLConfigService();
    118 
    119   // Create an instance of SSLConfigService which retrieves the configuration
    120   // from the system SSL configuration, or an instance of
    121   // SSLConfigServiceDefaults if the current system does not have a system SSL
    122   // configuration.  Note: this does not handle SSLConfigService implementations
    123   // that are not native to their platform, such as preference-backed ones.
    124   static SSLConfigService* CreateSystemSSLConfigService();
    125 
    126   // May not be thread-safe, should only be called on the IO thread.
    127   virtual void GetSSLConfig(SSLConfig* config) = 0;
    128 
    129   // Returns true if the given hostname is known to be incompatible with TLS
    130   // False Start.
    131   static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname);
    132 
    133   // Enables the acceptance of self-signed certificates which contain an
    134   // embedded DNSSEC chain proving their validity.
    135   static void EnableDNSSEC();
    136   static bool dnssec_enabled();
    137 
    138   // Disables False Start in SSL connections.
    139   static void DisableFalseStart();
    140   // True if we use False Start for SSL and TLS.
    141   static bool false_start_enabled();
    142 
    143   // Enables DNS side checks for certificates.
    144   static void EnableDNSCertProvenanceChecking();
    145   static bool dns_cert_provenance_checking_enabled();
    146 
    147   // Add an observer of this service.
    148   void AddObserver(Observer* observer);
    149 
    150   // Remove an observer of this service.
    151   void RemoveObserver(Observer* observer);
    152 
    153  protected:
    154   friend class base::RefCountedThreadSafe<SSLConfigService>;
    155 
    156   virtual ~SSLConfigService();
    157 
    158   // SetFlags sets the values of several flags based on global configuration.
    159   static void SetSSLConfigFlags(SSLConfig* ssl_config);
    160 
    161   // Process before/after config update.
    162   void ProcessConfigUpdate(const SSLConfig& orig_config,
    163                            const SSLConfig& new_config);
    164 
    165  private:
    166   ObserverList<Observer> observer_list_;
    167 };
    168 
    169 }  // namespace net
    170 
    171 #endif  // NET_BASE_SSL_CONFIG_SERVICE_H_
    172