1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_SSL_SSL_CONFIG_SERVICE_H_ 6 #define NET_SSL_SSL_CONFIG_SERVICE_H_ 7 8 #include <vector> 9 10 #include "base/basictypes.h" 11 #include "base/memory/ref_counted.h" 12 #include "base/observer_list.h" 13 #include "base/strings/string_piece.h" 14 #include "net/base/net_export.h" 15 #include "net/cert/cert_status_flags.h" 16 #include "net/cert/crl_set.h" 17 #include "net/cert/x509_certificate.h" 18 19 namespace net { 20 21 // Various TLS/SSL ProtocolVersion values encoded as uint16 22 // struct { 23 // uint8 major; 24 // uint8 minor; 25 // } ProtocolVersion; 26 // The most significant byte is |major|, and the least significant byte 27 // is |minor|. 28 enum { 29 SSL_PROTOCOL_VERSION_SSL3 = 0x0300, 30 SSL_PROTOCOL_VERSION_TLS1 = 0x0301, 31 SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302, 32 SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303, 33 }; 34 35 // A collection of SSL-related configuration settings. 36 struct NET_EXPORT SSLConfig { 37 // Default to revocation checking. 38 // Default to SSL 3.0 ~ default_version_max() on. 39 SSLConfig(); 40 ~SSLConfig(); 41 42 // Returns true if |cert| is one of the certs in |allowed_bad_certs|. 43 // The expected cert status is written to |cert_status|. |*cert_status| can 44 // be NULL if user doesn't care about the cert status. 45 bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const; 46 47 // Same as above except works with DER encoded certificates instead 48 // of X509Certificate. 49 bool IsAllowedBadCert(const base::StringPiece& der_cert, 50 CertStatus* cert_status) const; 51 52 // rev_checking_enabled is true if online certificate revocation checking is 53 // enabled (i.e. OCSP and CRL fetching). 54 // 55 // Regardless of this flag, CRLSet checking is always enabled and locally 56 // cached revocation information will be considered. 57 bool rev_checking_enabled; 58 59 // rev_checking_required_local_anchors is true if revocation checking is 60 // required to succeed when certificates chain to local trust anchors (that 61 // is, non-public CAs). If revocation information cannot be obtained, such 62 // certificates will be treated as revoked ("hard-fail"). 63 // Note: This is distinct from rev_checking_enabled. If true, it is 64 // equivalent to also setting rev_checking_enabled, but only when the 65 // certificate chain chains to a local (non-public) trust anchor. 66 bool rev_checking_required_local_anchors; 67 68 // The minimum and maximum protocol versions that are enabled. 69 // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on. 70 // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.) 71 // SSL 2.0 is not supported. If version_max < version_min, it means no 72 // protocol versions are enabled. 73 uint16 version_min; 74 uint16 version_max; 75 76 // Presorted list of cipher suites which should be explicitly prevented from 77 // being used in addition to those disabled by the net built-in policy. 78 // 79 // By default, all cipher suites supported by the underlying SSL 80 // implementation will be enabled except for: 81 // - Null encryption cipher suites. 82 // - Weak cipher suites: < 80 bits of security strength. 83 // - FORTEZZA cipher suites (obsolete). 84 // - IDEA cipher suites (RFC 5469 explains why). 85 // - Anonymous cipher suites. 86 // - ECDSA cipher suites on platforms that do not support ECDSA signed 87 // certificates, as servers may use the presence of such ciphersuites as a 88 // hint to send an ECDSA certificate. 89 // The ciphers listed in |disabled_cipher_suites| will be removed in addition 90 // to the above list. 91 // 92 // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in 93 // big-endian form, they should be declared in host byte order, with the 94 // first uint8 occupying the most significant byte. 95 // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to 96 // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002. 97 std::vector<uint16> disabled_cipher_suites; 98 99 bool cached_info_enabled; // True if TLS cached info extension is enabled. 100 bool channel_id_enabled; // True if TLS channel ID extension is enabled. 101 bool false_start_enabled; // True if we'll use TLS False Start. 102 // True if the Certificate Transparency signed_certificate_timestamp 103 // TLS extension is enabled. 104 bool signed_cert_timestamps_enabled; 105 106 // require_forward_secrecy, if true, causes only (EC)DHE cipher suites to be 107 // enabled. NOTE: this only applies to server sockets currently, although 108 // that could be extended if needed. 109 bool require_forward_secrecy; 110 111 // If |unrestricted_ssl3_fallback_enabled| is true, SSL 3.0 fallback will be 112 // enabled for all sites. 113 // If |unrestricted_ssl3_fallback_enabled| is false, SSL 3.0 fallback will be 114 // disabled for a site pinned to the Google pin list (indicating that it is a 115 // Google site). 116 bool unrestricted_ssl3_fallback_enabled; 117 118 // TODO(wtc): move the following members to a new SSLParams structure. They 119 // are not SSL configuration settings. 120 121 struct NET_EXPORT CertAndStatus { 122 CertAndStatus(); 123 ~CertAndStatus(); 124 125 std::string der_cert; 126 CertStatus cert_status; 127 }; 128 129 // Add any known-bad SSL certificate (with its cert status) to 130 // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when 131 // calling SSLClientSocket::Connect. This would normally be done in 132 // response to the user explicitly accepting the bad certificate. 133 std::vector<CertAndStatus> allowed_bad_certs; 134 135 // True if we should send client_cert to the server. 136 bool send_client_cert; 137 138 bool verify_ev_cert; // True if we should verify the certificate for EV. 139 140 bool version_fallback; // True if we are falling back to an older protocol 141 // version (one still needs to decrement 142 // version_max). 143 144 // If cert_io_enabled is false, then certificate verification will not 145 // result in additional HTTP requests. (For example: to fetch missing 146 // intermediates or to perform OCSP/CRL fetches.) It also implies that online 147 // revocation checking is disabled. 148 // NOTE: Only used by NSS. 149 bool cert_io_enabled; 150 151 // The list of application level protocols supported. If set, this will 152 // enable Next Protocol Negotiation (if supported). The order of the 153 // protocols doesn't matter expect for one case: if the server supports Next 154 // Protocol Negotiation, but there is no overlap between the server's and 155 // client's protocol sets, then the first protocol in this list will be 156 // requested by the client. 157 std::vector<std::string> next_protos; 158 159 scoped_refptr<X509Certificate> client_cert; 160 }; 161 162 // The interface for retrieving the SSL configuration. This interface 163 // does not cover setting the SSL configuration, as on some systems, the 164 // SSLConfigService objects may not have direct access to the configuration, or 165 // live longer than the configuration preferences. 166 class NET_EXPORT SSLConfigService 167 : public base::RefCountedThreadSafe<SSLConfigService> { 168 public: 169 // Observer is notified when SSL config settings have changed. 170 class NET_EXPORT Observer { 171 public: 172 // Notify observers if SSL settings have changed. We don't check all of the 173 // data in SSLConfig, just those that qualify as a user config change. 174 // The following settings are considered user changes: 175 // rev_checking_enabled 176 // version_min 177 // version_max 178 // disabled_cipher_suites 179 // channel_id_enabled 180 // false_start_enabled 181 // require_forward_secrecy 182 virtual void OnSSLConfigChanged() = 0; 183 184 protected: 185 virtual ~Observer() {} 186 }; 187 188 SSLConfigService(); 189 190 // May not be thread-safe, should only be called on the IO thread. 191 virtual void GetSSLConfig(SSLConfig* config) = 0; 192 193 // Sets and gets the current, global CRL set. 194 static void SetCRLSet(scoped_refptr<CRLSet> crl_set); 195 static scoped_refptr<CRLSet> GetCRLSet(); 196 197 // Enables the TLS cached info extension, which allows the server to send 198 // just a digest of its certificate chain. 199 static void EnableCachedInfo(); 200 static bool cached_info_enabled(); 201 202 // Gets the default minimum protocol version. 203 static uint16 default_version_min(); 204 205 // Gets the default maximum protocol version. 206 static uint16 default_version_max(); 207 208 // Is SNI available in this configuration? 209 static bool IsSNIAvailable(SSLConfigService* service); 210 211 // Add an observer of this service. 212 void AddObserver(Observer* observer); 213 214 // Remove an observer of this service. 215 void RemoveObserver(Observer* observer); 216 217 // Calls the OnSSLConfigChanged method of registered observers. Should only be 218 // called on the IO thread. 219 void NotifySSLConfigChange(); 220 221 protected: 222 friend class base::RefCountedThreadSafe<SSLConfigService>; 223 224 virtual ~SSLConfigService(); 225 226 // SetFlags sets the values of several flags based on global configuration. 227 static void SetSSLConfigFlags(SSLConfig* ssl_config); 228 229 // Process before/after config update. 230 void ProcessConfigUpdate(const SSLConfig& orig_config, 231 const SSLConfig& new_config); 232 233 private: 234 ObserverList<Observer> observer_list_; 235 }; 236 237 } // namespace net 238 239 #endif // NET_SSL_SSL_CONFIG_SERVICE_H_ 240
