net/ssl/ssl_config_service.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/ssl/ssl_config_service.h"
   6
   7 #include "base/lazy_instance.h"
   8 #include "base/memory/ref_counted.h"
   9 #include "base/synchronization/lock.h"
  10 #include "net/cert/crl_set.h"
  11 #include "net/ssl/ssl_config_service_defaults.h"
  12
  13 #if defined(USE_OPENSSL)
  14 #include <openssl/ssl.h>
  15 #endif
  16
  17 namespace net {
  18
  19 static uint16 g_default_version_min = SSL_PROTOCOL_VERSION_SSL3;
  20
  21 static uint16 g_default_version_max =
  22 #if defined(USE_OPENSSL)
  23 #if defined(SSL_OP_NO_TLSv1_2)
  24     SSL_PROTOCOL_VERSION_TLS1_2;
  25 #elif defined(SSL_OP_NO_TLSv1_1)
  26     SSL_PROTOCOL_VERSION_TLS1_1;
  27 #else
  28     SSL_PROTOCOL_VERSION_TLS1;
  29 #endif
  30 #else
  31     SSL_PROTOCOL_VERSION_TLS1_2;
  32 #endif
  33
  34 SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
  35
  36 SSLConfig::CertAndStatus::~CertAndStatus() {}
  37
  38 SSLConfig::SSLConfig()
  39     : rev_checking_enabled(false),
  40       rev_checking_required_local_anchors(false),
  41       version_min(g_default_version_min),
  42       version_max(g_default_version_max),
  43       channel_id_enabled(true),
  44       false_start_enabled(true),
  45       signed_cert_timestamps_enabled(true),
  46       require_forward_secrecy(false),
  47       unrestricted_ssl3_fallback_enabled(false),
  48       send_client_cert(false),
  49       verify_ev_cert(false),
  50       version_fallback(false),
  51       cert_io_enabled(true) {
  52 }
  53
  54 SSLConfig::~SSLConfig() {
  55 }
  56
  57 bool SSLConfig::IsAllowedBadCert(X509Certificate* cert,
  58                                  CertStatus* cert_status) const {
  59   std::string der_cert;
  60   if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_cert))
  61     return false;
  62   return IsAllowedBadCert(der_cert, cert_status);
  63 }
  64
  65 bool SSLConfig::IsAllowedBadCert(const base::StringPiece& der_cert,
  66                                  CertStatus* cert_status) const {
  67   for (size_t i = 0; i < allowed_bad_certs.size(); ++i) {
  68     if (der_cert == allowed_bad_certs[i].der_cert) {
  69       if (cert_status)
  70         *cert_status = allowed_bad_certs[i].cert_status;
  71       return true;
  72     }
  73   }
  74   return false;
  75 }
  76
  77 SSLConfigService::SSLConfigService()
  78     : observer_list_(ObserverList<Observer>::NOTIFY_EXISTING_ONLY) {
  79 }
  80
  81 // GlobalCRLSet holds a reference to the global CRLSet. It simply wraps a lock
  82 // around a scoped_refptr so that getting a reference doesn't race with
  83 // updating the CRLSet.
  84 class GlobalCRLSet {
  85  public:
  86   void Set(const scoped_refptr<CRLSet>& new_crl_set) {
  87     base::AutoLock locked(lock_);
  88     crl_set_ = new_crl_set;
  89   }
  90
  91   scoped_refptr<CRLSet> Get() const {
  92     base::AutoLock locked(lock_);
  93     return crl_set_;
  94   }
  95
  96  private:
  97   scoped_refptr<CRLSet> crl_set_;
  98   mutable base::Lock lock_;
  99 };
 100
 101 base::LazyInstance<GlobalCRLSet>::Leaky g_crl_set = LAZY_INSTANCE_INITIALIZER;
 102
 103 // static
 104 void SSLConfigService::SetCRLSet(scoped_refptr<CRLSet> crl_set) {
 105   // Note: this can be called concurently with GetCRLSet().
 106   g_crl_set.Get().Set(crl_set);
 107 }
 108
 109 // static
 110 scoped_refptr<CRLSet> SSLConfigService::GetCRLSet() {
 111   return g_crl_set.Get().Get();
 112 }
 113
 114 // static
 115 uint16 SSLConfigService::default_version_min() {
 116   return g_default_version_min;
 117 }
 118
 119 // static
 120 uint16 SSLConfigService::default_version_max() {
 121   return g_default_version_max;
 122 }
 123
 124 void SSLConfigService::AddObserver(Observer* observer) {
 125   observer_list_.AddObserver(observer);
 126 }
 127
 128 void SSLConfigService::RemoveObserver(Observer* observer) {
 129   observer_list_.RemoveObserver(observer);
 130 }
 131
 132 void SSLConfigService::NotifySSLConfigChange() {
 133   FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged());
 134 }
 135
 136 SSLConfigService::~SSLConfigService() {
 137 }
 138
 139 void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
 140                                            const SSLConfig& new_config) {
 141   bool config_changed =
 142       (orig_config.rev_checking_enabled != new_config.rev_checking_enabled) ||
 143       (orig_config.rev_checking_required_local_anchors !=
 144        new_config.rev_checking_required_local_anchors) ||
 145       (orig_config.version_min != new_config.version_min) ||
 146       (orig_config.version_max != new_config.version_max) ||
 147       (orig_config.disabled_cipher_suites !=
 148        new_config.disabled_cipher_suites) ||
 149       (orig_config.channel_id_enabled != new_config.channel_id_enabled) ||
 150       (orig_config.false_start_enabled != new_config.false_start_enabled) ||
 151       (orig_config.require_forward_secrecy !=
 152        new_config.require_forward_secrecy) ||
 153       (orig_config.unrestricted_ssl3_fallback_enabled !=
 154        new_config.unrestricted_ssl3_fallback_enabled);
 155
 156   if (config_changed)
 157     NotifySSLConfigChange();
 158 }
 159
 160 // static
 161 bool SSLConfigService::IsSNIAvailable(SSLConfigService* service) {
 162   if (!service)
 163     return false;
 164
 165   SSLConfig ssl_config;
 166   service->GetSSLConfig(&ssl_config);
 167   return ssl_config.version_max >= SSL_PROTOCOL_VERSION_TLS1;
 168 }
 169
 170 }  // namespace net