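// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_SSL_SSL_CONFIG_SERVICE_H_
#define NET_SSL_SSL_CONFIG_SERVICE_H_

#include <cstdint>  // uint16_t
#include <string>   // std::string in CanShareConnectionWithClientCerts
#include <vector>

#include "base/observer_list.h"
#include "net/base/net_export.h"
#include "net/ssl/ssl_config.h"
#include "third_party/abseil-cpp/absl/types/optional.h"

namespace net {

// The global TLS context settings handed out by SSLConfigService. These are
// plain public fields with no validation in this struct; changing one away
// from its default generally relaxes or alters connection security, so such
// changes should originate from an explicit preference or policy rather than
// from untrusted input.
struct NET_EXPORT SSLContextConfig {
  SSLContextConfig();
  SSLContextConfig(const SSLContextConfig&);
  SSLContextConfig(SSLContextConfig&&);
  ~SSLContextConfig();
  SSLContextConfig& operator=(const SSLContextConfig&);
  SSLContextConfig& operator=(SSLContextConfig&&);

  // EncryptedClientHelloEnabled returns whether ECH is enabled. This is the
  // effective value: it combines `ech_enabled` with the feature flags, so
  // query this rather than reading `ech_enabled` directly.
  bool EncryptedClientHelloEnabled() const;

  // Returns whether insecure hashes are allowed in TLS handshakes. This is the
  // effective value: it combines `insecure_hash_override` with the feature
  // flags, so query this rather than reading the override directly.
  bool InsecureHashesInTLSHandshakesEnabled() const;

  // The minimum and maximum protocol versions that are enabled.
  // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined in ssl_config.h.)
  // SSL 2.0/3.0 and TLS 1.0/1.1 are not supported. If version_max <
  // version_min, it means no protocol versions are enabled.
  //
  // Nothing here range-checks these values; code that populates them from
  // configuration should keep them within the supported enumerators.
  uint16_t version_min = kDefaultSSLVersionMin;
  uint16_t version_max = kDefaultSSLVersionMax;

  // A list of cipher suites which should be explicitly prevented from being
  // used in addition to those disabled by the net built-in policy. This list
  // can only remove suites; it cannot re-enable a suite the built-in policy
  // already disables.
  //
  // Though cipher suites are sent in TLS as "uint8_t CipherSuite[2]", in
  // big-endian form, they should be declared in host byte order, with the
  // first uint8_t occupying the most significant byte.
  // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
  // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
  std::vector<uint16_t> disabled_cipher_suites;

  // If false, disables post-quantum key agreement in TLS connections.
  bool post_quantum_enabled = true;

  // If false, disables TLS Encrypted ClientHello (ECH). If true, the feature
  // may be enabled or disabled, depending on feature flags. If querying whether
  // ECH is enabled, use `EncryptedClientHelloEnabled` instead.
  bool ech_enabled = true;

  // If specified, controls whether insecure hashes are allowed in TLS
  // handshakes. If `absl::nullopt`, this is determined by feature flags.
  // Setting this to `true` is a compatibility concession that weakens the
  // handshake; prefer leaving it unset.
  absl::optional<bool> insecure_hash_override;

  // ADDING MORE HERE? Don't forget to update `SSLContextConfigsAreEqual`
  // (presumably the comparison behind `SSLContextConfigsAreEqualForTesting`
  // below; not visible in this header).
};

// The interface for retrieving global SSL configuration. This interface
// does not cover setting the SSL configuration, as on some systems, the
// SSLConfigService objects may not have direct access to the configuration, or
// live longer than the configuration preferences.
class NET_EXPORT SSLConfigService {
 public:
  // Observer is notified when SSL config settings have changed.
  //
  // The service keeps observers in an `Unchecked` list (see `observer_list_`),
  // which presumably does not verify that every observer was removed before
  // the list is destroyed, so an observer must call `RemoveObserver` before
  // it goes away.
  class NET_EXPORT Observer {
   public:
    // Notify observers if SSL settings have changed.
    virtual void OnSSLContextConfigChanged() = 0;

   protected:
    // Protected and virtual: observers are never deleted through this
    // interface by the service.
    virtual ~Observer() = default;
  };

  SSLConfigService();
  virtual ~SSLConfigService();

  // May not be thread-safe, should only be called on the IO thread.
  virtual SSLContextConfig GetSSLContextConfig() = 0;

  // Returns true if connections to |hostname| can reuse, or are permitted to
  // reuse, connections on which a client cert has been negotiated. Note that
  // this must return true for both hostnames being pooled - that is to say this
  // function must return true for both the hostname of the existing connection
  // and the potential hostname to pool before allowing the connection to be
  // reused.
  //
  // NOTE: Pooling connections with ambient authority can create security issues
  // with that ambient authority and privacy issues in that embedders (and
  // users) may not have been consulted to send a client cert to |hostname|.
  // Implementations of this method should only return true if they have
  // received affirmative consent (e.g. through preferences or Enterprise
  // policy).
  //
  // NOTE: For Web Platform clients, this violates the Fetch Standard's policies
  // around connection pools: https://fetch.spec.whatwg.org/#connections.
  // Implementations that return true should take steps to limit the Web
  // Platform visibility of this, such as only allowing it to be used for
  // Enterprise or internal configurations.
  //
  // DEPRECATED: For the reasons above, this method is temporary and will be
  // removed in a future release. Please leave a comment on
  // https://crbug.com/855690 if you believe this is needed.
  virtual bool CanShareConnectionWithClientCerts(
      const std::string& hostname) const = 0;

  // Add an observer of this service. The service does not take ownership;
  // |observer| must outlive its registration.
  void AddObserver(Observer* observer);

  // Remove an observer of this service.
  void RemoveObserver(Observer* observer);

  // Calls the OnSSLContextConfigChanged method of registered observers. Should
  // only be called on the IO thread.
  void NotifySSLContextConfigChange();

  // Checks if the config-service managed fields in two SSLContextConfigs are
  // the same.
  static bool SSLContextConfigsAreEqualForTesting(
      const SSLContextConfig& config1,
      const SSLContextConfig& config2);

 protected:
  // Process before/after config update. If |force_notification| is true,
  // NotifySSLContextConfigChange will be called regardless of whether
  // |orig_config| and |new_config| are equal.
  void ProcessConfigUpdate(const SSLContextConfig& orig_config,
                           const SSLContextConfig& new_config,
                           bool force_notification);

 private:
  // Non-owning registry of observers; see the lifetime note on `Observer`.
  base::ObserverList<Observer>::Unchecked observer_list_;
};

}  // namespace net

#endif  // NET_SSL_SSL_CONFIG_SERVICE_H_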