1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/base/ssl_config_service.h"
6
7 #include "net/base/ssl_config_service_defaults.h"
8 #include "net/base/ssl_false_start_blacklist.h"
9
10 namespace net {
11
CertAndStatus()12 SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
13
~CertAndStatus()14 SSLConfig::CertAndStatus::~CertAndStatus() {}
15
SSLConfig()16 SSLConfig::SSLConfig()
17 : rev_checking_enabled(true), ssl3_enabled(true),
18 tls1_enabled(true), dnssec_enabled(false),
19 dns_cert_provenance_checking_enabled(false),
20 false_start_enabled(true),
21 send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) {
22 }
23
~SSLConfig()24 SSLConfig::~SSLConfig() {
25 }
26
IsAllowedBadCert(X509Certificate * cert) const27 bool SSLConfig::IsAllowedBadCert(X509Certificate* cert) const {
28 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) {
29 if (cert->Equals(allowed_bad_certs[i].cert))
30 return true;
31 }
32 return false;
33 }
34
SSLConfigService()35 SSLConfigService::SSLConfigService()
36 : observer_list_(ObserverList<Observer>::NOTIFY_EXISTING_ONLY) {
37 }
38
39 // static
CreateSystemSSLConfigService()40 SSLConfigService* SSLConfigService::CreateSystemSSLConfigService() {
41 // TODO(rtenneti): We don't use the system SSL configuration any more.
42 // Simplify this code after talking with mattm.
43 return new SSLConfigServiceDefaults;
44 }
45
46 // static
IsKnownFalseStartIncompatibleServer(const std::string & hostname)47 bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
48 const std::string& hostname) {
49 #ifdef ANDROID
50 return true;
51 #else
52 return SSLFalseStartBlacklist::IsMember(hostname.c_str());
53 #endif
54 }
55
56 static bool g_dnssec_enabled = false;
57 static bool g_false_start_enabled = true;
58 static bool g_dns_cert_provenance_checking = false;
59
60 // static
EnableDNSSEC()61 void SSLConfigService::EnableDNSSEC() {
62 g_dnssec_enabled = true;
63 }
64
65 // static
dnssec_enabled()66 bool SSLConfigService::dnssec_enabled() {
67 return g_dnssec_enabled;
68 }
69
70 // static
DisableFalseStart()71 void SSLConfigService::DisableFalseStart() {
72 g_false_start_enabled = false;
73 }
74
75 // static
false_start_enabled()76 bool SSLConfigService::false_start_enabled() {
77 return g_false_start_enabled;
78 }
79
80 // static
EnableDNSCertProvenanceChecking()81 void SSLConfigService::EnableDNSCertProvenanceChecking() {
82 g_dns_cert_provenance_checking = true;
83 }
84
85 // static
dns_cert_provenance_checking_enabled()86 bool SSLConfigService::dns_cert_provenance_checking_enabled() {
87 return g_dns_cert_provenance_checking;
88 }
89
AddObserver(Observer * observer)90 void SSLConfigService::AddObserver(Observer* observer) {
91 observer_list_.AddObserver(observer);
92 }
93
RemoveObserver(Observer * observer)94 void SSLConfigService::RemoveObserver(Observer* observer) {
95 observer_list_.RemoveObserver(observer);
96 }
97
~SSLConfigService()98 SSLConfigService::~SSLConfigService() {
99 }
100
101 // static
SetSSLConfigFlags(SSLConfig * ssl_config)102 void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
103 ssl_config->dnssec_enabled = g_dnssec_enabled;
104 ssl_config->false_start_enabled = g_false_start_enabled;
105 ssl_config->dns_cert_provenance_checking_enabled =
106 g_dns_cert_provenance_checking;
107 }
108
ProcessConfigUpdate(const SSLConfig & orig_config,const SSLConfig & new_config)109 void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
110 const SSLConfig& new_config) {
111 if (orig_config.rev_checking_enabled != new_config.rev_checking_enabled ||
112 orig_config.ssl3_enabled != new_config.ssl3_enabled ||
113 orig_config.tls1_enabled != new_config.tls1_enabled) {
114 FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());
115 }
116 }
117
118 } // namespace net
119