ssl_config_service.cc revision c2e0dbddbe15c98d52c4786dac06cb8952a8ae6d
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/ssl/ssl_config_service.h" 6 7#include "base/lazy_instance.h" 8#include "base/memory/ref_counted.h" 9#include "base/synchronization/lock.h" 10#include "net/cert/crl_set.h" 11#include "net/ssl/ssl_config_service_defaults.h" 12 13#if defined(USE_OPENSSL) 14#include <openssl/ssl.h> 15#endif 16 17namespace net { 18 19static uint16 g_default_version_min = SSL_PROTOCOL_VERSION_SSL3; 20 21static uint16 g_default_version_max = 22#if defined(USE_OPENSSL) 23#if defined(SSL_OP_NO_TLSv1_1) 24 SSL_PROTOCOL_VERSION_TLS1_1; 25#else 26 SSL_PROTOCOL_VERSION_TLS1; 27#endif 28#else 29 SSL_PROTOCOL_VERSION_TLS1_1; 30#endif 31 32SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {} 33 34SSLConfig::CertAndStatus::~CertAndStatus() {} 35 36SSLConfig::SSLConfig() 37 : rev_checking_enabled(false), 38 version_min(g_default_version_min), 39 version_max(g_default_version_max), 40 cached_info_enabled(false), 41 channel_id_enabled(true), 42 false_start_enabled(true), 43 unrestricted_ssl3_fallback_enabled(false), 44 send_client_cert(false), 45 verify_ev_cert(false), 46 version_fallback(false), 47 cert_io_enabled(true) { 48} 49 50SSLConfig::~SSLConfig() { 51} 52 53bool SSLConfig::IsAllowedBadCert(X509Certificate* cert, 54 CertStatus* cert_status) const { 55 std::string der_cert; 56 if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_cert)) 57 return false; 58 return IsAllowedBadCert(der_cert, cert_status); 59} 60 61bool SSLConfig::IsAllowedBadCert(const base::StringPiece& der_cert, 62 CertStatus* cert_status) const { 63 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) { 64 if (der_cert == allowed_bad_certs[i].der_cert) { 65 if (cert_status) 66 *cert_status = allowed_bad_certs[i].cert_status; 67 return true; 68 } 69 } 70 return false; 71} 72 73SSLConfigService::SSLConfigService() 74 : observer_list_(ObserverList<Observer>::NOTIFY_EXISTING_ONLY) { 75} 76 77static bool g_cached_info_enabled = false; 78 79// GlobalCRLSet holds a reference to the global CRLSet. It simply wraps a lock 80// around a scoped_refptr so that getting a reference doesn't race with 81// updating the CRLSet. 82class GlobalCRLSet { 83 public: 84 void Set(const scoped_refptr<CRLSet>& new_crl_set) { 85 base::AutoLock locked(lock_); 86 crl_set_ = new_crl_set; 87 } 88 89 scoped_refptr<CRLSet> Get() const { 90 base::AutoLock locked(lock_); 91 return crl_set_; 92 } 93 94 private: 95 scoped_refptr<CRLSet> crl_set_; 96 mutable base::Lock lock_; 97}; 98 99base::LazyInstance<GlobalCRLSet>::Leaky g_crl_set = LAZY_INSTANCE_INITIALIZER; 100 101// static 102void SSLConfigService::SetCRLSet(scoped_refptr<CRLSet> crl_set) { 103 // Note: this can be called concurently with GetCRLSet(). 104 g_crl_set.Get().Set(crl_set); 105} 106 107// static 108scoped_refptr<CRLSet> SSLConfigService::GetCRLSet() { 109 return g_crl_set.Get().Get(); 110} 111 112void SSLConfigService::EnableCachedInfo() { 113 g_cached_info_enabled = true; 114} 115 116// static 117bool SSLConfigService::cached_info_enabled() { 118 return g_cached_info_enabled; 119} 120 121// static 122uint16 SSLConfigService::default_version_min() { 123 return g_default_version_min; 124} 125 126// static 127uint16 SSLConfigService::default_version_max() { 128 return g_default_version_max; 129} 130 131void SSLConfigService::AddObserver(Observer* observer) { 132 observer_list_.AddObserver(observer); 133} 134 135void SSLConfigService::RemoveObserver(Observer* observer) { 136 observer_list_.RemoveObserver(observer); 137} 138 139void SSLConfigService::NotifySSLConfigChange() { 140 FOR_EACH_OBSERVER(Observer, observer_list_, OnSSLConfigChanged()); 141} 142 143SSLConfigService::~SSLConfigService() { 144} 145 146// static 147void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) { 148 ssl_config->cached_info_enabled = g_cached_info_enabled; 149} 150 151void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config, 152 const SSLConfig& new_config) { 153 bool config_changed = 154 (orig_config.rev_checking_enabled != new_config.rev_checking_enabled) || 155 (orig_config.version_min != new_config.version_min) || 156 (orig_config.version_max != new_config.version_max) || 157 (orig_config.disabled_cipher_suites != 158 new_config.disabled_cipher_suites) || 159 (orig_config.channel_id_enabled != new_config.channel_id_enabled) || 160 (orig_config.false_start_enabled != new_config.false_start_enabled) || 161 (orig_config.unrestricted_ssl3_fallback_enabled != 162 new_config.unrestricted_ssl3_fallback_enabled); 163 164 if (config_changed) 165 NotifySSLConfigChange(); 166} 167 168// static 169bool SSLConfigService::IsSNIAvailable(SSLConfigService* service) { 170 if (!service) 171 return false; 172 173 SSLConfig ssl_config; 174 service->GetSSLConfig(&ssl_config); 175 return ssl_config.version_max >= SSL_PROTOCOL_VERSION_TLS1; 176} 177 178} // namespace net 179