// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_SSL_SSL_SERVER_CONFIG_H_
#define NET_SSL_SSL_SERVER_CONFIG_H_

#include <stdint.h>

#include <optional>
#include <string>
#include <utility>
#include <vector>

#include "base/containers/flat_map.h"
#include "base/functional/callback.h"
#include "base/memory/raw_ptr.h"
#include "net/base/net_export.h"
#include "net/socket/next_proto.h"
#include "net/ssl/ssl_config.h"
#include "third_party/boringssl/src/include/openssl/base.h"

namespace net {

class ClientCertVerifier;

// A collection of server-side SSL-related configuration settings.
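struct NET_EXPORT SSLServerConfig {
  // Client-certificate requirement levels; see |client_cert_type|.
  enum ClientCertType {
    NO_CLIENT_CERT,
    OPTIONAL_CLIENT_CERT,
    REQUIRE_CLIENT_CERT,
  };

  // Defaults. The copy constructor and destructor are user-declared (defined
  // elsewhere), so copy assignment is declared explicitly too instead of
  // relying on the deprecated implicitly-generated one; it is memberwise, the
  // same as the implicit operator it replaces.
  SSLServerConfig();
  SSLServerConfig(const SSLServerConfig& other);
  SSLServerConfig& operator=(const SSLServerConfig& other) = default;
  ~SSLServerConfig();

  // The minimum and maximum protocol versions that are enabled.
  // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined in ssl_config.h.)
  // Both default to kDefaultSSLVersionMin / kDefaultSSLVersionMax from
  // ssl_config.h. SSL 2.0 and SSL 3.0 are not supported. If
  // version_max < version_min, no protocol versions are enabled.
  uint16_t version_min = kDefaultSSLVersionMin;
  uint16_t version_max = kDefaultSSLVersionMax;

  // Whether early data (0-RTT) is enabled on this connection. Early data can
  // be replayed by an on-path attacker, so the caller is obligated to reject
  // any early-data request that is not safe to replay (i.e. accept only
  // idempotent requests over early data). Off by default.
  bool early_data_enabled = false;

  // A list of cipher suites which should be explicitly prevented from being
  // used, in addition to those disabled by the net built-in policy.
  //
  // Though cipher suites are sent in TLS as "uint8_t CipherSuite[2]", in
  // big-endian form, they should be declared in host byte order, with the
  // first uint8_t occupying the most significant byte.
  // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
  // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
  std::vector<uint16_t> disabled_cipher_suites;

  // If true, causes only ECDHE (ephemeral, forward-secret key exchange)
  // cipher suites to be enabled.
  bool require_ecdhe = false;

  // cipher_suite_for_testing, if set, causes the server to only support the
  // specified cipher suite in TLS 1.2 and below. This should only be used in
  // unit tests: it pins the server to a single suite regardless of the
  // built-in policy, which a test may legitimately choose to be a weak one.
  std::optional<uint16_t> cipher_suite_for_testing;

  // signature_algorithm_for_testing, if set, causes the server to only support
  // the specified signature algorithm in TLS 1.2 and below. This should only
  // be used in unit tests, for the same reason as cipher_suite_for_testing.
  std::optional<uint16_t> signature_algorithm_for_testing;

  // curves_for_testing, if not empty, specifies the list of NID values (e.g.
  // NID_X25519) to configure as supported curves for the TLS connection.
  // Test-only; leave empty in production so the default curve list applies.
  std::vector<int> curves_for_testing;

  // Sets the requirement for client certificates during the handshake.
  // Defaults to not requesting one at all.
  ClientCertType client_cert_type = NO_CLIENT_CERT;

  // List of DER-encoded X.509 DistinguishedName of certificate authorities
  // to be included in the CertificateRequest handshake message,
  // if client certificates are required.
  std::vector<std::string> cert_authorities;

  // Provides the ClientCertVerifier that is to be used to verify
  // client certificates during the handshake.
  // The |client_cert_verifier| continues to be owned by the caller,
  // and must outlive any sockets spawned from the SSLServerContext built
  // with this config.
  // This field is meaningful only if client certificates are requested.
  //
  // If a verifier is not provided then all certificates are accepted.
  // NOTE(review): that means OPTIONAL_CLIENT_CERT / REQUIRE_CLIENT_CERT with
  // a null verifier only demonstrates that the peer holds some key pair, not
  // who the peer is. Anything that treats a presented client certificate as
  // authentication must supply a verifier here.
  raw_ptr<ClientCertVerifier> client_cert_verifier = nullptr;

  // The list of application level protocols supported with ALPN (Application
  // Layer Protocol Negotiation), in decreasing order of preference. Protocols
  // will be advertised in this order during the TLS handshake.
  NextProtoVector alpn_protos;

  // For each NextProto key in |application_settings|, the ALPS TLS extension
  // is enabled and the corresponding data is sent to the client if the client
  // also enabled ALPS. The data for a protocol may be empty.
  base::flat_map<NextProto, std::vector<uint8_t>> application_settings;

  // If non-empty, the DER-encoded OCSP response to staple.
  // NOTE(review): nothing in this header indicates the response is checked
  // against the served certificate or for freshness before being sent, so
  // the caller presumably has to keep it current — confirm against the
  // server-socket implementation.
  std::vector<uint8_t> ocsp_response;

  // If non-empty, the serialized SignedCertificateTimestampList to send in the
  // handshake. As with |ocsp_response|, assume it is sent as provided.
  std::vector<uint8_t> signed_cert_timestamp_list;

  // If specified, called at the start of each connection with the ClientHello.
  // Returns true to continue the handshake and false to fail it. Test-only.
  base::RepeatingCallback<bool(const SSL_CLIENT_HELLO*)>
      client_hello_callback_for_testing;

  // If specified, causes the specified alert (a TLS alert description value)
  // to be sent immediately after the handshake. Test-only.
  std::optional<uint8_t> alert_after_handshake_for_testing;

  // Copyable holder for a bssl::UniquePtr<SSL_ECH_KEYS>. This is a workaround
  // for BoringSSL's scopers not being copyable; see
  // https://crbug.com/boringssl/431. The copy operations are defined out of
  // line, so how a copy relates to the original's keys is not visible here.
  class NET_EXPORT ECHKeysContainer {
   public:
    ECHKeysContainer();
    // Intentionally allow implicit conversion from bssl::UniquePtr so an
    // SSL_ECH_KEYS owner can be assigned straight into |ech_keys|.
    ECHKeysContainer(  // NOLINT(google-explicit-constructor)
        bssl::UniquePtr<SSL_ECH_KEYS> keys);
    ~ECHKeysContainer();

    ECHKeysContainer(const ECHKeysContainer& other);
    ECHKeysContainer& operator=(const ECHKeysContainer& other);

    // Forward APIs from bssl::UniquePtr.
    // Returns the held keys without transferring ownership; may be null.
    SSL_ECH_KEYS* get() const { return keys_.get(); }
    // True iff keys are held.
    explicit operator bool() const { return static_cast<bool>(keys_); }
    // Replaces the held keys (default: drops them). This is defined
    // out-of-line to avoid an ssl.h include.
    void reset(SSL_ECH_KEYS* keys = nullptr);

   private:
    bssl::UniquePtr<SSL_ECH_KEYS> keys_;
  };

  // If non-null (i.e. |ech_keys| converts to true), the ECH configuration to
  // use on the server. These are the server's ECH private keys and must be
  // handled as secret key material.
  ECHKeysContainer ech_keys;
};

}  // namespace net

#endif  // NET_SSL_SSL_SERVER_CONFIG_H_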