1// Copyright (c) 2011 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_BASE_SSL_CONFIG_SERVICE_H_
6#define NET_BASE_SSL_CONFIG_SERVICE_H_
7#pragma once
8
9#include <vector>
10
11#include "base/basictypes.h"
12#include "base/memory/ref_counted.h"
13#include "base/observer_list.h"
14#include "net/base/net_export.h"
15#include "net/base/x509_certificate.h"
16
17namespace net {
18
19// A collection of SSL-related configuration settings.
20struct NET_EXPORT SSLConfig {
21  // Default to revocation checking.
22  // Default to SSL 3.0 on and TLS 1.0 on.
23  SSLConfig();
24  ~SSLConfig();
25
26  // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
27  bool IsAllowedBadCert(X509Certificate* cert) const;
28
29  bool rev_checking_enabled;  // True if server certificate revocation
30                              // checking is enabled.
31  // SSL 2.0 is not supported.
32  bool ssl3_enabled;  // True if SSL 3.0 is enabled.
33  bool tls1_enabled;  // True if TLS 1.0 is enabled.
34  bool dnssec_enabled;  // True if we'll accept DNSSEC chains in certificates.
35  // True if we'll do async checks for certificate provenance using DNS.
36  bool dns_cert_provenance_checking_enabled;
37
38  // Cipher suites which should be explicitly prevented from being used in
39  // addition to those disabled by the net built-in policy -- by default, all
40  // cipher suites supported by the underlying SSL implementation will be
41  // enabled except for:
42  // - Null encryption cipher suites.
43  // - Weak cipher suites: < 80 bits of security strength.
44  // - FORTEZZA cipher suites (obsolete).
45  // - IDEA cipher suites (RFC 5469 explains why).
46  // - Anonymous cipher suites.
47  // The ciphers listed in |disabled_cipher_suites| will be removed in addition
48  // to the above statically defined disable list.
49  //
50  // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
51  // big-endian form, they should be declared in host byte order, with the
52  // first uint8 occupying the most significant byte.
53  // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
54  // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
55  //
56  // TODO(rsleevi): Not implemented when using Schannel.
57  std::vector<uint16> disabled_cipher_suites;
58
59  bool false_start_enabled;  // True if we'll use TLS False Start.
60
61  // TODO(wtc): move the following members to a new SSLParams structure.  They
62  // are not SSL configuration settings.
63
64  struct CertAndStatus {
65    CertAndStatus();
66    ~CertAndStatus();
67
68    scoped_refptr<X509Certificate> cert;
69    int cert_status;
70  };
71
72  // Add any known-bad SSL certificate (with its cert status) to
73  // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when
74  // calling SSLClientSocket::Connect.  This would normally be done in
75  // response to the user explicitly accepting the bad certificate.
76  std::vector<CertAndStatus> allowed_bad_certs;
77
78  // True if we should send client_cert to the server.
79  bool send_client_cert;
80
81  bool verify_ev_cert;  // True if we should verify the certificate for EV.
82
83  bool ssl3_fallback;  // True if we are falling back to SSL 3.0 (one still
84                       // needs to clear tls1_enabled).
85
86  // The list of application level protocols supported. If set, this will
87  // enable Next Protocol Negotiation (if supported). This is a list of 8-bit
88  // length prefixed strings. The order of the protocols doesn't matter expect
89  // for one case: if the server supports Next Protocol Negotiation, but there
90  // is no overlap between the server's and client's protocol sets, then the
91  // first protocol in this list will be requested by the client.
92  std::string next_protos;
93
94  scoped_refptr<X509Certificate> client_cert;
95};
96
97// The interface for retrieving the SSL configuration.  This interface
98// does not cover setting the SSL configuration, as on some systems, the
99// SSLConfigService objects may not have direct access to the configuration, or
100// live longer than the configuration preferences.
101class NET_EXPORT SSLConfigService : public base::RefCountedThreadSafe<SSLConfigService> {
102 public:
103  // Observer is notified when SSL config settings have changed.
104  class NET_EXPORT Observer {
105   public:
106    // Notify observers if SSL settings have changed.  We don't check all of the
107    // data in SSLConfig, just those that qualify as a user config change.
108    // The following settings are considered user changes:
109    //     rev_checking_enabled
110    //     ssl3_enabled
111    //     tls1_enabled
112    virtual void OnSSLConfigChanged() = 0;
113
114   protected:
115    virtual ~Observer() {}
116  };
117
118  SSLConfigService();
119
120  // Create an instance of SSLConfigService which retrieves the configuration
121  // from the system SSL configuration, or an instance of
122  // SSLConfigServiceDefaults if the current system does not have a system SSL
123  // configuration.  Note: this does not handle SSLConfigService implementations
124  // that are not native to their platform, such as preference-backed ones.
125  static SSLConfigService* CreateSystemSSLConfigService();
126
127  // May not be thread-safe, should only be called on the IO thread.
128  virtual void GetSSLConfig(SSLConfig* config) = 0;
129
130  // Returns true if the given hostname is known to be incompatible with TLS
131  // False Start.
132  static bool IsKnownFalseStartIncompatibleServer(const std::string& hostname);
133
134  // Enables the acceptance of self-signed certificates which contain an
135  // embedded DNSSEC chain proving their validity.
136  static void EnableDNSSEC();
137  static bool dnssec_enabled();
138
139  // Disables False Start in SSL connections.
140  static void DisableFalseStart();
141  // True if we use False Start for SSL and TLS.
142  static bool false_start_enabled();
143
144  // Enables DNS side checks for certificates.
145  static void EnableDNSCertProvenanceChecking();
146  static bool dns_cert_provenance_checking_enabled();
147
148  // Add an observer of this service.
149  void AddObserver(Observer* observer);
150
151  // Remove an observer of this service.
152  void RemoveObserver(Observer* observer);
153
154 protected:
155  friend class base::RefCountedThreadSafe<SSLConfigService>;
156
157  virtual ~SSLConfigService();
158
159  // SetFlags sets the values of several flags based on global configuration.
160  static void SetSSLConfigFlags(SSLConfig* ssl_config);
161
162  // Process before/after config update.
163  void ProcessConfigUpdate(const SSLConfig& orig_config,
164                           const SSLConfig& new_config);
165
166 private:
167  ObserverList<Observer> observer_list_;
168};
169
170}  // namespace net
171
172#endif  // NET_BASE_SSL_CONFIG_SERVICE_H_
173