Home | History | Annotate | Download | only in base 
      1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef NET_BASE_SSL_CONFIG_SERVICE_H_
      6 #define NET_BASE_SSL_CONFIG_SERVICE_H_
      7 #pragma once
      8 
      9 #include <vector>
     10 
     11 #include "base/basictypes.h"
     12 #include "base/memory/ref_counted.h"
     13 #include "base/observer_list.h"
     14 #include "net/base/net_export.h"
     15 #include "net/base/x509_certificate.h"
     16 
     17 namespace net {
     18 
     19 // A collection of SSL-related configuration settings.
     20 struct NET_EXPORT SSLConfig {
     21   // Default to revocation checking.
     22   // Default to SSL 3.0 on and TLS 1.0 on.
     23   SSLConfig();
     24   ~SSLConfig();
     25 
     26   // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
     27   bool IsAllowedBadCert(X509Certificate* cert) const;
     28 
     29   bool rev_checking_enabled;  // True if server certificate revocation
     30                               // checking is enabled.
     31   // SSL 2.0 is not supported.
     32   bool ssl3_enabled;  // True if SSL 3.0 is enabled.
     33   bool tls1_enabled;  // True if TLS 1.0 is enabled.
     34   bool dnssec_enabled;  // True if we'll accept DNSSEC chains in certificates.
     35   // True if we'll do async checks for certificate provenance using DNS.
     36   bool dns_cert_provenance_checking_enabled;
     37 
     38   // Cipher suites which should be explicitly prevented from being used in
     39   // addition to those disabled by the net built-in policy -- by default, all
     40   // cipher suites supported by the underlying SSL implementation will be
     41   // enabled except for:
     42   // - Null encryption cipher suites.
     43   // - Weak cipher suites: < 80 bits of security strength.
     44   // - FORTEZZA cipher suites (obsolete).
     45   // - IDEA cipher suites (RFC 5469 explains why).
     46   // - Anonymous cipher suites.
     47   // The ciphers listed in |disabled_cipher_suites| will be removed in addition
     48   // to the above statically defined disable list.
     49   //
     50   // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
     51   // big-endian form, they should be declared in host byte order, with the
     52   // first uint8 occupying the most significant byte.
     53   // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
     54   // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
     55   //
     56   // TODO(rsleevi): Not implemented when using Schannel.
     57   std::vector<uint16> disabled_cipher_suites;
     58 
     59   bool false_start_enabled;  // True if we'll use TLS False Start.
     60 
     61   // TODO(wtc): move the following members to a new SSLParams structure.  They
     62   // are not SSL configuration settings.
     63 
     64   struct CertAndStatus {
     65     CertAndStatus();
     66     ~CertAndStatus();
     67 
     68     scoped_refptr<X509Certificate> cert;
     69     int cert_status;
     70   };
     71 
     72   // Add any known-bad SSL certificate (with its cert status) to
     73   // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when
     74   // calling SSLClientSocket::Connect.  This would normally be done in
     75   // response to the user explicitly accepting the bad certificate.
     76   std::vector<CertAndStatus> allowed_bad_certs;
     77 
     78   // True if we should send client_cert to the server.
     79   bool send_client_cert;
     80 
     81   bool verify_ev_cert;  // True if we should verify the certificate for EV.
     82 
     83   bool ssl3_fallback;  // True if we are falling back to SSL 3.0 (one still
     84                        // needs to clear tls1_enabled).
     85 
     86   // The list of application level protocols supported. If set, this will
     87   // enable Next Protocol Negotiation (if supported). This is a list of 8-bit
     88   // length prefixed strings. The order of the protocols doesn't matter expect
     89   // for one case: if the server supports Next Protocol Negotiation, but there
     90   // is no overlap between the server's and client's protocol sets, then the
     91   // first protocol in this list will be requested by the client.
     92   std::string next_protos;
     93 
     94   scoped_refptr<X509Certificate> client_cert;
     95 };
     96 
     97 // The interface for retrieving the SSL configuration.  This interface
     98 // does not cover setting the SSL configuration, as on some systems, the
     99 // SSLConfigService objects may not have direct access to the configuration, or
    100 // live longer than the configuration preferences.
    101 class NET_EXPORT SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
    102  public:
    103   // Observer is notified when SSL config settings have changed.
    104   class NET_EXPORT Observer {
    105    public:
    106     // Notify observers if SSL settings have changed.  We don't check all of the
    107     // data in SSLConfig, just those that qualify as a user config change.
    108     // The following settings are considered user changes:
    109     //     rev_checking_enabled
    110     //     ssl3_enabled
    111     //     tls1_enabled
    112     virtual void OnSSLConfigChanged() = 0;
    113 
    114    protected:
    115     virtual ~Observer() {}
    116   };
    117 
    118   SSLConfigService();
    119 
    120   // Create an instance of SSLConfigService which retrieves the configuration
    121   // from the system SSL configuration, or an instance of
    122   // SSLConfigServiceDefaults if the current system does not have a system SSL
    123   // configuration.  Note: this does not handle SSLConfigService implementations
    124   // that are not native to their platform, such as preference-backed ones.
    125   static SSLConfigService* CreateSystemSSLConfigService();
    126 
    127   // May not be thread-safe, should only be called on the IO thread.
    128   virtual void GetSSLConfig(SSLConfig* config) = 0;
    129 
    130   // Returns true if the given hostname is known to be incompatible with TLS
    131   // False Start.
    132   static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname);
    133 
    134   // Enables the acceptance of self-signed certificates which contain an
    135   // embedded DNSSEC chain proving their validity.
    136   static void EnableDNSSEC();
    137   static bool dnssec_enabled();
    138 
    139   // Disables False Start in SSL connections.
    140   static void DisableFalseStart();
    141   // True if we use False Start for SSL and TLS.
    142   static bool false_start_enabled();
    143 
    144   // Enables DNS side checks for certificates.
    145   static void EnableDNSCertProvenanceChecking();
    146   static bool dns_cert_provenance_checking_enabled();
    147 
    148   // Add an observer of this service.
    149   void AddObserver(Observer* observer);
    150 
    151   // Remove an observer of this service.
    152   void RemoveObserver(Observer* observer);
    153 
    154  protected:
    155   friend class base::RefCountedThreadSafe<SSLConfigService>;
    156 
    157   virtual ~SSLConfigService();
    158 
    159   // SetFlags sets the values of several flags based on global configuration.
    160   static void SetSSLConfigFlags(SSLConfig* ssl_config);
    161 
    162   // Process before/after config update.
    163   void ProcessConfigUpdate(const SSLConfig& orig_config,
    164                            const SSLConfig& new_config);
    165 
    166  private:
    167   ObserverList<Observer> observer_list_;
    168 };
    169 
    170 }  // namespace net
    171 
    172 #endif  // NET_BASE_SSL_CONFIG_SERVICE_H_
    173