1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/ssl/ssl_config_service.h"
6
7 #include "base/lazy_instance.h"
8 #include "base/memory/ref_counted.h"
9 #include "base/synchronization/lock.h"
10 #include "net/cert/crl_set.h"
11 #include "net/ssl/ssl_config_service_defaults.h"
12
13 #if defined(USE_OPENSSL)
14 #include <openssl/ssl.h>
15 #endif
16
17 namespace net {
18
19 static uint16 g_default_version_min = SSL_PROTOCOL_VERSION_SSL3;
20
21 static uint16 g_default_version_max =
22 #if defined(USE_OPENSSL)
23 #if defined(SSL_OP_NO_TLSv1_2)
24 SSL_PROTOCOL_VERSION_TLS1_2;
25 #elif defined(SSL_OP_NO_TLSv1_1)
26 SSL_PROTOCOL_VERSION_TLS1_1;
27 #else
28 SSL_PROTOCOL_VERSION_TLS1;
29 #endif
30 #else
31 SSL_PROTOCOL_VERSION_TLS1_2;
32 #endif
33
CertAndStatus()34 SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
35
~CertAndStatus()36 SSLConfig::CertAndStatus::~CertAndStatus() {}
37
SSLConfig()38 SSLConfig::SSLConfig()
39 : rev_checking_enabled(false),
40 rev_checking_required_local_anchors(false),
41 version_min(g_default_version_min),
42 version_max(g_default_version_max),
43 cached_info_enabled(false),
44 channel_id_enabled(true),
45 false_start_enabled(true),
46 signed_cert_timestamps_enabled(true),
47 require_forward_secrecy(false),
48 unrestricted_ssl3_fallback_enabled(false),
49 send_client_cert(false),
50 verify_ev_cert(false),
51 version_fallback(false),
52 cert_io_enabled(true) {
53 }
54
~SSLConfig()55 SSLConfig::~SSLConfig() {
56 }
57
IsAllowedBadCert(X509Certificate * cert,CertStatus * cert_status) const58 bool SSLConfig::IsAllowedBadCert(X509Certificate* cert,
59 CertStatus* cert_status) const {
60 std::string der_cert;
61 if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_cert))
62 return false;
63 return IsAllowedBadCert(der_cert, cert_status);
64 }
65
IsAllowedBadCert(const base::StringPiece & der_cert,CertStatus * cert_status) const66 bool SSLConfig::IsAllowedBadCert(const base::StringPiece& der_cert,
67 CertStatus* cert_status) const {
68 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) {
69 if (der_cert == allowed_bad_certs[i].der_cert) {
70 if (cert_status)
71 *cert_status = allowed_bad_certs[i].cert_status;
72 return true;
73 }
74 }
75 return false;
76 }
77
SSLConfigService()78 SSLConfigService::SSLConfigService()
79 : observer_list_(ObserverList<Observer>::NOTIFY_EXISTING_ONLY) {
80 }
81
82 static bool g_cached_info_enabled = false;
83
84 // GlobalCRLSet holds a reference to the global CRLSet. It simply wraps a lock
85 // around a scoped_refptr so that getting a reference doesn't race with
86 // updating the CRLSet.
87 class GlobalCRLSet {
88 public:
Set(const scoped_refptr<CRLSet> & new_crl_set)89 void Set(const scoped_refptr<CRLSet>& new_crl_set) {
90 base::AutoLock locked(lock_);
91 crl_set_ = new_crl_set;
92 }
93
Get() const94 scoped_refptr<CRLSet> Get() const {
95 base::AutoLock locked(lock_);
96 return crl_set_;
97 }
98
99 private:
100 scoped_refptr<CRLSet> crl_set_;
101 mutable base::Lock lock_;
102 };
103
104 base::LazyInstance<GlobalCRLSet>::Leaky g_crl_set = LAZY_INSTANCE_INITIALIZER;
105
106 // static
SetCRLSet(scoped_refptr<CRLSet> crl_set)107 void SSLConfigService::SetCRLSet(scoped_refptr<CRLSet> crl_set) {
108 // Note: this can be called concurently with GetCRLSet().
109 g_crl_set.Get().Set(crl_set);
110 }
111
112 // static
GetCRLSet()113 scoped_refptr<CRLSet> SSLConfigService::GetCRLSet() {
114 return g_crl_set.Get().Get();
115 }
116
EnableCachedInfo()117 void SSLConfigService::EnableCachedInfo() {
118 g_cached_info_enabled = true;
119 }
120
121 // static
cached_info_enabled()122 bool SSLConfigService::cached_info_enabled() {
123 return g_cached_info_enabled;
124 }
125
126 // static
default_version_min()127 uint16 SSLConfigService::default_version_min() {
128 return g_default_version_min;
129 }
130
131 // static
default_version_max()132 uint16 SSLConfigService::default_version_max() {
133 return g_default_version_max;
134 }
135
AddObserver(Observer * observer)136 void SSLConfigService::AddObserver(Observer* observer) {
137 observer_list_.AddObserver(observer);
138 }
139
RemoveObserver(Observer * observer)140 void SSLConfigService::RemoveObserver(Observer* observer) {
141 observer_list_.RemoveObserver(observer);
142 }
143
NotifySSLConfigChange()144 void SSLConfigService::NotifySSLConfigChange() {
145 FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());
146 }
147
~SSLConfigService()148 SSLConfigService::~SSLConfigService() {
149 }
150
151 // static
SetSSLConfigFlags(SSLConfig * ssl_config)152 void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
153 ssl_config->cached_info_enabled = g_cached_info_enabled;
154 }
155
ProcessConfigUpdate(const SSLConfig & orig_config,const SSLConfig & new_config)156 void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
157 const SSLConfig& new_config) {
158 bool config_changed =
159 (orig_config.rev_checking_enabled != new_config.rev_checking_enabled) ||
160 (orig_config.rev_checking_required_local_anchors !=
161 new_config.rev_checking_required_local_anchors) ||
162 (orig_config.version_min != new_config.version_min) ||
163 (orig_config.version_max != new_config.version_max) ||
164 (orig_config.disabled_cipher_suites !=
165 new_config.disabled_cipher_suites) ||
166 (orig_config.channel_id_enabled != new_config.channel_id_enabled) ||
167 (orig_config.false_start_enabled != new_config.false_start_enabled) ||
168 (orig_config.require_forward_secrecy !=
169 new_config.require_forward_secrecy) ||
170 (orig_config.unrestricted_ssl3_fallback_enabled !=
171 new_config.unrestricted_ssl3_fallback_enabled);
172
173 if (config_changed)
174 NotifySSLConfigChange();
175 }
176
177 // static
IsSNIAvailable(SSLConfigService * service)178 bool SSLConfigService::IsSNIAvailable(SSLConfigService* service) {
179 if (!service)
180 return false;
181
182 SSLConfig ssl_config;
183 service->GetSSLConfig(&ssl_config);
184 return ssl_config.version_max >= SSL_PROTOCOL_VERSION_TLS1;
185 }
186
187 } // namespace net
188