Add explicit |forceOnlineSignin| to user pod status
[chromium-blink-merge.git] / net / ssl / ssl_config_service.cc
blobec9fcc3eb34ead0754145d2e528ec6c7bf2b518f
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/ssl/ssl_config_service.h"
7 #include "base/lazy_instance.h"
8 #include "base/memory/ref_counted.h"
9 #include "base/synchronization/lock.h"
10 #include "net/cert/crl_set.h"
11 #include "net/ssl/ssl_config_service_defaults.h"
13 #if defined(USE_OPENSSL)
14 #include <openssl/ssl.h>
15 #endif
17 namespace net {
19 static uint16 g_default_version_min = SSL_PROTOCOL_VERSION_SSL3;
21 static uint16 g_default_version_max =
22 #if defined(USE_OPENSSL)
23 #if defined(SSL_OP_NO_TLSv1_2)
24 SSL_PROTOCOL_VERSION_TLS1_2;
25 #elif defined(SSL_OP_NO_TLSv1_1)
26 SSL_PROTOCOL_VERSION_TLS1_1;
27 #else
28 SSL_PROTOCOL_VERSION_TLS1;
29 #endif
30 #else
31 SSL_PROTOCOL_VERSION_TLS1_2;
32 #endif
34 SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
36 SSLConfig::CertAndStatus::~CertAndStatus() {}
38 SSLConfig::SSLConfig()
39 : rev_checking_enabled(false),
40 rev_checking_required_local_anchors(false),
41 version_min(g_default_version_min),
42 version_max(g_default_version_max),
43 channel_id_enabled(true),
44 false_start_enabled(true),
45 signed_cert_timestamps_enabled(true),
46 require_forward_secrecy(false),
47 unrestricted_ssl3_fallback_enabled(false),
48 send_client_cert(false),
49 verify_ev_cert(false),
50 version_fallback(false),
51 cert_io_enabled(true) {
54 SSLConfig::~SSLConfig() {
57 bool SSLConfig::IsAllowedBadCert(X509Certificate* cert,
58 CertStatus* cert_status) const {
59 std::string der_cert;
60 if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_cert))
61 return false;
62 return IsAllowedBadCert(der_cert, cert_status);
65 bool SSLConfig::IsAllowedBadCert(const base::StringPiece& der_cert,
66 CertStatus* cert_status) const {
67 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) {
68 if (der_cert == allowed_bad_certs[i].der_cert) {
69 if (cert_status)
70 *cert_status = allowed_bad_certs[i].cert_status;
71 return true;
74 return false;
77 SSLConfigService::SSLConfigService()
78 : observer_list_(ObserverList<Observer>::NOTIFY_EXISTING_ONLY) {
81 // GlobalCRLSet holds a reference to the global CRLSet. It simply wraps a lock
82 // around a scoped_refptr so that getting a reference doesn't race with
83 // updating the CRLSet.
84 class GlobalCRLSet {
85 public:
86 void Set(const scoped_refptr<CRLSet>& new_crl_set) {
87 base::AutoLock locked(lock_);
88 crl_set_ = new_crl_set;
91 scoped_refptr<CRLSet> Get() const {
92 base::AutoLock locked(lock_);
93 return crl_set_;
96 private:
97 scoped_refptr<CRLSet> crl_set_;
98 mutable base::Lock lock_;
101 base::LazyInstance<GlobalCRLSet>::Leaky g_crl_set = LAZY_INSTANCE_INITIALIZER;
103 // static
104 void SSLConfigService::SetCRLSet(scoped_refptr<CRLSet> crl_set) {
105 // Note: this can be called concurently with GetCRLSet().
106 g_crl_set.Get().Set(crl_set);
109 // static
110 scoped_refptr<CRLSet> SSLConfigService::GetCRLSet() {
111 return g_crl_set.Get().Get();
114 // static
115 uint16 SSLConfigService::default_version_min() {
116 return g_default_version_min;
119 // static
120 uint16 SSLConfigService::default_version_max() {
121 return g_default_version_max;
124 void SSLConfigService::AddObserver(Observer* observer) {
125 observer_list_.AddObserver(observer);
128 void SSLConfigService::RemoveObserver(Observer* observer) {
129 observer_list_.RemoveObserver(observer);
132 void SSLConfigService::NotifySSLConfigChange() {
133 FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());
136 SSLConfigService::~SSLConfigService() {
139 void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
140 const SSLConfig& new_config) {
141 bool config_changed =
142 (orig_config.rev_checking_enabled != new_config.rev_checking_enabled) ||
143 (orig_config.rev_checking_required_local_anchors !=
144 new_config.rev_checking_required_local_anchors) ||
145 (orig_config.version_min != new_config.version_min) ||
146 (orig_config.version_max != new_config.version_max) ||
147 (orig_config.disabled_cipher_suites !=
148 new_config.disabled_cipher_suites) ||
149 (orig_config.channel_id_enabled != new_config.channel_id_enabled) ||
150 (orig_config.false_start_enabled != new_config.false_start_enabled) ||
151 (orig_config.require_forward_secrecy !=
152 new_config.require_forward_secrecy) ||
153 (orig_config.unrestricted_ssl3_fallback_enabled !=
154 new_config.unrestricted_ssl3_fallback_enabled);
156 if (config_changed)
157 NotifySSLConfigChange();
160 // static
161 bool SSLConfigService::IsSNIAvailable(SSLConfigService* service) {
162 if (!service)
163 return false;
165 SSLConfig ssl_config;
166 service->GetSSLConfig(&ssl_config);
167 return ssl_config.version_max >= SSL_PROTOCOL_VERSION_TLS1;
170 } // namespace net