1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/ssl/ssl_config_service.h" 6 7 #include "base/lazy_instance.h" 8 #include "base/memory/ref_counted.h" 9 #include "base/synchronization/lock.h" 10 #include "net/cert/crl_set.h" 11 #include "net/ssl/ssl_config_service_defaults.h" 12 13 #if defined(USE_OPENSSL) 14 #include <openssl/ssl.h> 15 #endif 16 17 namespace net { 18 19 static uint16 g_default_version_min = SSL_PROTOCOL_VERSION_SSL3; 20 21 static uint16 g_default_version_max = 22 #if defined(USE_OPENSSL) 23 #if defined(SSL_OP_NO_TLSv1_2) 24 SSL_PROTOCOL_VERSION_TLS1_2; 25 #elif defined(SSL_OP_NO_TLSv1_1) 26 SSL_PROTOCOL_VERSION_TLS1_1; 27 #else 28 SSL_PROTOCOL_VERSION_TLS1; 29 #endif 30 #else 31 SSL_PROTOCOL_VERSION_TLS1_2; 32 #endif 33 34 SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {} 35 36 SSLConfig::CertAndStatus::~CertAndStatus() {} 37 38 SSLConfig::SSLConfig() 39 : rev_checking_enabled(false), 40 rev_checking_required_local_anchors(false), 41 version_min(g_default_version_min), 42 version_max(g_default_version_max), 43 cached_info_enabled(false), 44 channel_id_enabled(true), 45 false_start_enabled(true), 46 signed_cert_timestamps_enabled(true), 47 require_forward_secrecy(false), 48 unrestricted_ssl3_fallback_enabled(false), 49 send_client_cert(false), 50 verify_ev_cert(false), 51 version_fallback(false), 52 cert_io_enabled(true) { 53 } 54 55 SSLConfig::~SSLConfig() { 56 } 57 58 bool SSLConfig::IsAllowedBadCert(X509Certificate* cert, 59 CertStatus* cert_status) const { 60 std::string der_cert; 61 if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_cert)) 62 return false; 63 return IsAllowedBadCert(der_cert, cert_status); 64 } 65 66 bool SSLConfig::IsAllowedBadCert(const base::StringPiece& der_cert, 67 CertStatus* cert_status) const { 68 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) { 69 if (der_cert == allowed_bad_certs[i].der_cert) { 70 if (cert_status) 71 *cert_status = allowed_bad_certs[i].cert_status; 72 return true; 73 } 74 } 75 return false; 76 } 77 78 SSLConfigService::SSLConfigService() 79 : observer_list_(ObserverList<Observer>::NOTIFY_EXISTING_ONLY) { 80 } 81 82 static bool g_cached_info_enabled = false; 83 84 // GlobalCRLSet holds a reference to the global CRLSet. It simply wraps a lock 85 // around a scoped_refptr so that getting a reference doesn't race with 86 // updating the CRLSet. 87 class GlobalCRLSet { 88 public: 89 void Set(const scoped_refptr<CRLSet>& new_crl_set) { 90 base::AutoLock locked(lock_); 91 crl_set_ = new_crl_set; 92 } 93 94 scoped_refptr<CRLSet> Get() const { 95 base::AutoLock locked(lock_); 96 return crl_set_; 97 } 98 99 private: 100 scoped_refptr<CRLSet> crl_set_; 101 mutable base::Lock lock_; 102 }; 103 104 base::LazyInstance<GlobalCRLSet>::Leaky g_crl_set = LAZY_INSTANCE_INITIALIZER; 105 106 // static 107 void SSLConfigService::SetCRLSet(scoped_refptr<CRLSet> crl_set) { 108 // Note: this can be called concurently with GetCRLSet(). 109 g_crl_set.Get().Set(crl_set); 110 } 111 112 // static 113 scoped_refptr<CRLSet> SSLConfigService::GetCRLSet() { 114 return g_crl_set.Get().Get(); 115 } 116 117 void SSLConfigService::EnableCachedInfo() { 118 g_cached_info_enabled = true; 119 } 120 121 // static 122 bool SSLConfigService::cached_info_enabled() { 123 return g_cached_info_enabled; 124 } 125 126 // static 127 uint16 SSLConfigService::default_version_min() { 128 return g_default_version_min; 129 } 130 131 // static 132 uint16 SSLConfigService::default_version_max() { 133 return g_default_version_max; 134 } 135 136 void SSLConfigService::AddObserver(Observer* observer) { 137 observer_list_.AddObserver(observer); 138 } 139 140 void SSLConfigService::RemoveObserver(Observer* observer) { 141 observer_list_.RemoveObserver(observer); 142 } 143 144 void SSLConfigService::NotifySSLConfigChange() { 145 FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged()); 146 } 147 148 SSLConfigService::~SSLConfigService() { 149 } 150 151 // static 152 void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) { 153 ssl_config->cached_info_enabled = g_cached_info_enabled; 154 } 155 156 void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config, 157 const SSLConfig& new_config) { 158 bool config_changed = 159 (orig_config.rev_checking_enabled != new_config.rev_checking_enabled) || 160 (orig_config.rev_checking_required_local_anchors != 161 new_config.rev_checking_required_local_anchors) || 162 (orig_config.version_min != new_config.version_min) || 163 (orig_config.version_max != new_config.version_max) || 164 (orig_config.disabled_cipher_suites != 165 new_config.disabled_cipher_suites) || 166 (orig_config.channel_id_enabled != new_config.channel_id_enabled) || 167 (orig_config.false_start_enabled != new_config.false_start_enabled) || 168 (orig_config.require_forward_secrecy != 169 new_config.require_forward_secrecy) || 170 (orig_config.unrestricted_ssl3_fallback_enabled != 171 new_config.unrestricted_ssl3_fallback_enabled); 172 173 if (config_changed) 174 NotifySSLConfigChange(); 175 } 176 177 // static 178 bool SSLConfigService::IsSNIAvailable(SSLConfigService* service) { 179 if (!service) 180 return false; 181 182 SSLConfig ssl_config; 183 service->GetSSLConfig(&ssl_config); 184 return ssl_config.version_max >= SSL_PROTOCOL_VERSION_TLS1; 185 } 186 187 } // namespace net 188
