authorrkn@chromium.org <rkn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-20 23:50:34 +0000
committerrkn@chromium.org <rkn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-20 23:50:34 +0000
commit2619d3318502ad7bc1c03f77bf5b699f8350c4c0 (patch)
tree763990bf25e893669b4d3f0fab94bc62ae3b086f /net
parent351631b199be296f6e6193312b4393a40b0e3b4c (diff)
Adds command-line switch for TLS origin bound certificate extension.
This extension is disabled by default. To enable, pass in the command line switch "--enable-ssl-origin-bound-certs". BUG=88782 TEST=None Review URL: http://codereview.chromium.org/7460002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@93289 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/ssl_config_service.cc13
-rw-r--r--net/base/ssl_config_service.h7
-rw-r--r--net/socket/ssl_client_socket_nss.cc3
-rw-r--r--net/socket/ssl_server_socket_unittest.cc1
4 files changed, 23 insertions, 1 deletions
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 82c9add..c7153e3 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -17,6 +17,7 @@ SSLConfig::SSLConfig()
: rev_checking_enabled(true), ssl3_enabled(true),
tls1_enabled(true),
dns_cert_provenance_checking_enabled(false), cached_info_enabled(false),
+ origin_bound_certs_enabled(false),
false_start_enabled(true),
send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) {
}
@@ -55,6 +56,7 @@ bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
}
static bool g_cached_info_enabled = false;
+static bool g_origin_bound_certs_enabled = false;
static bool g_false_start_enabled = true;
static bool g_dns_cert_provenance_checking = false;
@@ -88,6 +90,16 @@ bool SSLConfigService::cached_info_enabled() {
return g_cached_info_enabled;
}
+// static
+void SSLConfigService::EnableOriginBoundCerts() {
+ g_origin_bound_certs_enabled = true;
+}
+
+// static
+bool SSLConfigService::origin_bound_certs_enabled() {
+ return g_origin_bound_certs_enabled;
+}
+
void SSLConfigService::AddObserver(Observer* observer) {
observer_list_.AddObserver(observer);
}
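Review bot: EnableOriginBoundCerts() at L45 is a one-way, process-global switch on a plain static bool with nothing to clear it, so whatever flips it (a test, a second caller) leaves every SSLConfig populated afterwards in this process with the extension on, and there is no synchronization between this write and the reads in origin_bound_certs_enabled() and SetSSLConfigFlags(). That mirrors the existing EnableCachedInfo()/g_cached_info_enabled pattern, so it is presumably meant to be called once during startup before any socket exists; if so, say it at the definition: `// Process-global, one-way and unsynchronized: call once at startup, before any SSLConfig is populated.` If tests need to exercise both paths, a setter such as `static void SetOriginBoundCertsEnabled(bool enabled);` would keep state from leaking between test cases.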
@@ -105,6 +117,7 @@ void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
ssl_config->dns_cert_provenance_checking_enabled =
g_dns_cert_provenance_checking;
ssl_config->cached_info_enabled = g_cached_info_enabled;
+ ssl_config->origin_bound_certs_enabled = g_origin_bound_certs_enabled;
}
void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index 98acc1e..bd87abf 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -65,6 +65,8 @@ struct NET_API SSLConfig {
std::vector<uint16> disabled_cipher_suites;
bool cached_info_enabled; // True if TLS cached info extension is enabled.
+ bool origin_bound_certs_enabled; // True if TLS origin bound cert extension
+ // is enabled.
bool false_start_enabled; // True if we'll use TLS False Start.
// TODO(wtc): move the following members to a new SSLParams structure. They
@@ -156,6 +158,11 @@ class NET_API SSLConfigService
static void EnableCachedInfo();
static bool cached_info_enabled();
+ // Enables the TLS origin bound cert extension, which allows the replacement
+ // of login cookies by self-signed certificates.
+ static void EnableOriginBoundCerts();
+ static bool origin_bound_certs_enabled();
+
// Is SNI available in this configuration?
static bool IsSNIAvailable(SSLConfigService* service);
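Review bot: The comment added at L78-L79 explains what the extension is for but not the contract of the switch: it is process-wide, can only be turned on, and only reaches an SSLConfig when SetSSLConfigFlags() copies g_origin_bound_certs_enabled into it, so a config built before the call keeps the default of false. Suggest extending it to something like `// Process-wide and one-way; call before SSLConfigs are built (SetSSLConfigFlags copies the value into each config). Not synchronized.` The "replacement of login cookies by self-signed certificates" wording describes the intended use rather than anything this change does — as far as the diff shows it only plumbs a boolean through to NSS — so readers should not expect certificate handling behind this method.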
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 18fd378..83e866c 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -957,7 +957,8 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
#endif
#ifdef SSL_ENABLE_OB_CERTS
- rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS, PR_FALSE);
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS,
+ ssl_config_.origin_bound_certs_enabled);
if (rv != SECSuccess)
LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS");
#endif
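Review bot: The new SSL_OptionSet call at L93-L94 passes a C++ `bool` where the surrounding code passes NSS's PRBool constants (the removed line used PR_FALSE), relying on the implicit bool-to-int conversion yielding PR_TRUE (1); it works, but it is inconsistent with the rest of this function, so prefer `ssl_config_.origin_bound_certs_enabled ? PR_TRUE : PR_FALSE`. Because the whole block sits under `#ifdef SSL_ENABLE_OB_CERTS`, a build whose NSS lacks that option silently ignores the flag; a `LOG(WARNING)` in an `#else` branch when the flag is set would make that visible to whoever is debugging why the extension never appears. InitializeSSLOptions() begins and ends outside this hunk.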
diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc
index 894bf98..1ab9f63 100644
--- a/net/socket/ssl_server_socket_unittest.cc
+++ b/net/socket/ssl_server_socket_unittest.cc
@@ -256,6 +256,7 @@ class SSLServerSocketTest : public PlatformTest {
net::SSLConfig ssl_config;
ssl_config.cached_info_enabled = false;
ssl_config.false_start_enabled = false;
+ ssl_config.origin_bound_certs_enabled = false;
ssl_config.ssl3_enabled = true;
ssl_config.tls1_enabled = true;