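// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_SSL_SSL_CONFIG_SERVICE_H_
#define NET_SSL_SSL_CONFIG_SERVICE_H_

#include <stdint.h>

#include <string>
#include <vector>

#include "base/observer_list.h"
#include "net/base/net_export.h"
#include "net/ssl/ssl_config.h"
#include "third_party/abseil-cpp/absl/types/optional.h"

namespace net {

// A snapshot of the global TLS configuration: the enabled protocol version
// range, cipher suites to disable on top of the built-in policy, and optional
// overrides for ECH, post-quantum key agreement, insecure handshake hashes and
// keyUsage enforcement. Obtained from SSLConfigService::GetSSLContextConfig().
struct NET_EXPORT SSLContextConfig {
  SSLContextConfig();
  SSLContextConfig(const SSLContextConfig&);
  SSLContextConfig(SSLContextConfig&&);
  ~SSLContextConfig();
  SSLContextConfig& operator=(const SSLContextConfig&);
  SSLContextConfig& operator=(SSLContextConfig&&);

  // Equality comparison (defined out of line).
  bool operator==(const SSLContextConfig&) const;

  // EncryptedClientHelloEnabled returns whether ECH is enabled, taking both
  // `ech_enabled` and the relevant feature flags into account. Query this
  // rather than reading `ech_enabled` directly.
  bool EncryptedClientHelloEnabled() const;

  // Returns whether insecure hashes are allowed in TLS handshakes (see
  // `insecure_hash_override`).
  bool InsecureHashesInTLSHandshakesEnabled() const;

  // Returns whether post-quantum key agreement is enabled in TLS handshakes
  // (see `post_quantum_override`).
  bool PostQuantumKeyAgreementEnabled() const;

  // The minimum and maximum protocol versions that are enabled.
  // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined in ssl_config.h.)
  // SSL 2.0/3.0 and TLS 1.0/1.1 are not supported. If version_max <
  // version_min, it means no protocol versions are enabled.
  //
  // Security note: version_min is the TLS floor for connections using this
  // config. Lowering it below the default must be a deliberate decision,
  // never a side effect of a defaulting or parsing path.
  uint16_t version_min = kDefaultSSLVersionMin;
  uint16_t version_max = kDefaultSSLVersionMax;

  // A list of cipher suites which should be explicitly prevented from being
  // used in addition to those disabled by the net built-in policy. This list
  // can only remove suites; it cannot re-enable one the built-in policy has
  // already disabled.
  //
  // Though cipher suites are sent in TLS as "uint8_t CipherSuite[2]", in
  // big-endian form, they should be declared in host byte order, with the
  // first uint8_t occupying the most significant byte.
  // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
  // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
  std::vector<uint16_t> disabled_cipher_suites;

  // If specified, controls whether post-quantum key agreement in TLS
  // connections is allowed. If `absl::nullopt`, this is determined by feature
  // flags.
  absl::optional<bool> post_quantum_override;

  // If false, disables TLS Encrypted ClientHello (ECH). If true, the feature
  // may be enabled or disabled, depending on feature flags. If querying whether
  // ECH is enabled, use `EncryptedClientHelloEnabled` instead.
  bool ech_enabled = true;

  // If specified, controls whether insecure hashes are allowed in TLS
  // handshakes. If `absl::nullopt`, this is determined by feature flags.
  //
  // NOTE(review): `true` re-enables hashes the stack otherwise treats as
  // insecure. It should only ever be set explicitly (e.g. by policy), never
  // as a fallback default.
  absl::optional<bool> insecure_hash_override;

  // If specified, controls whether the X.509 keyUsage extension is checked in
  // TLS 1.2 for RSA certificates that chain to a local trust anchor. If
  // `absl::nullopt`, this is determined by feature flags.
  //
  // Independent of the setting of this value, keyUsage is always checked at TLS
  // 1.3, for ECDSA certificates, and for all certificates that chain to a known
  // root.
  //
  // TODO(crbug.com/795089): Enable this unconditionally.
  absl::optional<bool> rsa_key_usage_for_local_anchors_override;
};

// The interface for retrieving global SSL configuration. This interface
// does not cover setting the SSL configuration, as on some systems, the
// SSLConfigService objects may not have direct access to the configuration, or
// live longer than the configuration preferences.
class NET_EXPORT SSLConfigService {
 public:
  // Observer is notified when SSL config settings have changed.
  //
  // Observers are stored in an `Unchecked` ObserverList (see
  // `observer_list_`), which does not appear to track observer lifetimes —
  // TODO confirm against base/observer_list.h. An observer must therefore call
  // RemoveObserver() before it is destroyed to avoid a dangling pointer being
  // invoked on the next notification.
  class NET_EXPORT Observer {
   public:
    // Notify observers if SSL settings have changed.
    virtual void OnSSLContextConfigChanged() = 0;

   protected:
    virtual ~Observer() = default;
  };

  SSLConfigService();
  virtual ~SSLConfigService();

  // Returns a copy of the current configuration. Callers that need to react
  // to later changes must register as an Observer rather than caching this
  // value.
  //
  // May not be thread-safe, should only be called on the IO thread.
  virtual SSLContextConfig GetSSLContextConfig() = 0;

  // Returns true if connections to |hostname| can reuse, or are permitted to
  // reuse, connections on which a client cert has been negotiated. Note that
  // this must return true for both hostnames being pooled - that is to say this
  // function must return true for both the hostname of the existing connection
  // and the potential hostname to pool before allowing the connection to be
  // reused.
  //
  // NOTE: Pooling connections with ambient authority can create security issues
  // with that ambient authority and privacy issues in that embedders (and
  // users) may not have been consulted to send a client cert to |hostname|.
  // Implementations of this method should only return true if they have
  // received affirmative consent (e.g. through preferences or Enterprise
  // policy).
  //
  // NOTE(review): |hostname| is presumably derived from the request being
  // made, i.e. attacker-influenced. Any allowlist an implementation consults
  // should match it exactly (after normalization), not by substring or
  // suffix, so that "example.com.evil.test" cannot inherit example.com's
  // consent.
  //
  // NOTE: For Web Platform clients, this violates the Fetch Standard's policies
  // around connection pools: https://fetch.spec.whatwg.org/#connections.
  // Implementations that return true should take steps to limit the Web
  // Platform visibility of this, such as only allowing it to be used for
  // Enterprise or internal configurations.
  //
  // DEPRECATED: For the reasons above, this method is temporary and will be
  // removed in a future release. Please leave a comment on
  // https://crbug.com/855690 if you believe this is needed.
  virtual bool CanShareConnectionWithClientCerts(
      const std::string& hostname) const = 0;

  // Add an observer of this service. The observer must outlive its
  // registration; see the lifetime note on Observer.
  void AddObserver(Observer* observer);

  // Remove an observer of this service. Must be called before |observer| is
  // destroyed.
  void RemoveObserver(Observer* observer);

  // Calls the OnSSLContextConfigChanged method of registered observers. Should
  // only be called on the IO thread.
  void NotifySSLContextConfigChange();

 protected:
  // Process before/after config update. If |force_notification| is true,
  // NotifySSLContextConfigChange will be called regardless of whether
  // |orig_config| and |new_config| are equal; otherwise observers are only
  // notified when the two configs differ (presumably via operator==).
  void ProcessConfigUpdate(const SSLContextConfig& orig_config,
                           const SSLContextConfig& new_config,
                           bool force_notification);

 private:
  // Unchecked: no dangling-observer detection, so registration and removal
  // must be paired by the observer (see Observer).
  base::ObserverList<Observer>::Unchecked observer_list_;
};

}  // namespace net

#endif  // NET_SSL_SSL_CONFIG_SERVICE_H_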