1// Copyright (c) 2011 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/base/ssl_config_service.h" 6 7#include "net/base/ssl_config_service_defaults.h" 8#include "net/base/ssl_false_start_blacklist.h" 9 10namespace net { 11 12SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {} 13 14SSLConfig::CertAndStatus::~CertAndStatus() {} 15 16SSLConfig::SSLConfig() 17 : rev_checking_enabled(true), ssl3_enabled(true), 18 tls1_enabled(true), dnssec_enabled(false), 19 dns_cert_provenance_checking_enabled(false), 20 false_start_enabled(true), 21 send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) { 22} 23 24SSLConfig::~SSLConfig() { 25} 26 27bool SSLConfig::IsAllowedBadCert(X509Certificate* cert) const { 28 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) { 29 if (cert->Equals(allowed_bad_certs[i].cert)) 30 return true; 31 } 32 return false; 33} 34 35SSLConfigService::SSLConfigService() 36 : observer_list_(ObserverList<Observer>::NOTIFY_EXISTING_ONLY) { 37} 38 39// static 40SSLConfigService* SSLConfigService::CreateSystemSSLConfigService() { 41 // TODO(rtenneti): We don't use the system SSL configuration any more. 42 // Simplify this code after talking with mattm. 43 return new SSLConfigServiceDefaults; 44} 45 46// static 47bool SSLConfigService::IsKnownFalseStartIncompatibleServer( 48 const std::string& hostname) { 49#ifdef ANDROID 50 return true; 51#else 52 return SSLFalseStartBlacklist::IsMember(hostname.c_str()); 53#endif 54} 55 56static bool g_dnssec_enabled = false; 57static bool g_false_start_enabled = true; 58static bool g_dns_cert_provenance_checking = false; 59 60// static 61void SSLConfigService::EnableDNSSEC() { 62 g_dnssec_enabled = true; 63} 64 65// static 66bool SSLConfigService::dnssec_enabled() { 67 return g_dnssec_enabled; 68} 69 70// static 71void SSLConfigService::DisableFalseStart() { 72 g_false_start_enabled = false; 73} 74 75// static 76bool SSLConfigService::false_start_enabled() { 77 return g_false_start_enabled; 78} 79 80// static 81void SSLConfigService::EnableDNSCertProvenanceChecking() { 82 g_dns_cert_provenance_checking = true; 83} 84 85// static 86bool SSLConfigService::dns_cert_provenance_checking_enabled() { 87 return g_dns_cert_provenance_checking; 88} 89 90void SSLConfigService::AddObserver(Observer* observer) { 91 observer_list_.AddObserver(observer); 92} 93 94void SSLConfigService::RemoveObserver(Observer* observer) { 95 observer_list_.RemoveObserver(observer); 96} 97 98SSLConfigService::~SSLConfigService() { 99} 100 101// static 102void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) { 103 ssl_config->dnssec_enabled = g_dnssec_enabled; 104 ssl_config->false_start_enabled = g_false_start_enabled; 105 ssl_config->dns_cert_provenance_checking_enabled = 106 g_dns_cert_provenance_checking; 107} 108 109void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config, 110 const SSLConfig& new_config) { 111 if (orig_config.rev_checking_enabled != new_config.rev_checking_enabled || 112 orig_config.ssl3_enabled != new_config.ssl3_enabled || 113 orig_config.tls1_enabled != new_config.tls1_enabled) { 114 FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged()); 115 } 116} 117 118} // namespace net 119