Adds command-line switch for TLS origin bound certificate extension.

This extension is disabled by default. To enable, pass in the command line switch "--enable-ssl-origin-bound-certs". BUG=88782 TEST=None Review URL: http://codereview.chromium.org/7460002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@93289 0039d316-1c4b-4281-b951-d872f2087c98
marcosholgado · Jul 20, 2011 · 2619d33 · 2619d33
1 parent 351631b
commit 2619d33
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 1 deletion.
diff --git a/chrome/browser/browser_main.cc b/chrome/browser/browser_main.cc
@@ -250,6 +250,8 @@ void BrowserMainParts::EarlyInitialization() {
     net::SSLConfigService::DisableFalseStart();
   if (parsed_command_line().HasSwitch(switches::kEnableSSLCachedInfo))
     net::SSLConfigService::EnableCachedInfo();
+  if (parsed_command_line().HasSwitch(switches::kEnableOriginBoundCerts))
+    net::SSLConfigService::EnableOriginBoundCerts();
   if (parsed_command_line().HasSwitch(
           switches::kEnableDNSCertProvenanceChecking)) {
     net::SSLConfigService::EnableDNSCertProvenanceChecking();

diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
@@ -502,6 +502,9 @@ const char kEnableSmoothScrolling[]         = "enable-smooth-scrolling";
 // Enables TLS cached info extension.
 const char kEnableSSLCachedInfo[]  = "enable-ssl-cached-info";
 
+// Enables TLS origin bound certificate extension.
+const char kEnableOriginBoundCerts[]  = "enable-origin-bound-certs";
+
 // Enable syncing browser data to a Google Account.
 const char kEnableSync[]                    = "enable-sync";
 

diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
@@ -145,6 +145,7 @@ extern const char kEnableSearchProviderApiV2[];
 extern const char kEnableShortcutsProvider[];
 extern const char kEnableSmoothScrolling[];
 extern const char kEnableSSLCachedInfo[];
+extern const char kEnableOriginBoundCerts[];
 extern const char kEnableSync[];
 extern const char kEnableSyncAutofill[];
 extern const char kEnableSyncOAuth[];

diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
@@ -17,6 +17,7 @@ SSLConfig::SSLConfig()
     : rev_checking_enabled(true), ssl3_enabled(true),
       tls1_enabled(true),
       dns_cert_provenance_checking_enabled(false), cached_info_enabled(false),
+      origin_bound_certs_enabled(false),
       false_start_enabled(true),
       send_client_cert(false), verify_ev_cert(false), ssl3_fallback(false) {
 }
@@ -55,6 +56,7 @@ bool SSLConfigService::IsKnownFalseStartIncompatibleServer(
 }
 
 static bool g_cached_info_enabled = false;
+static bool g_origin_bound_certs_enabled = false;
 static bool g_false_start_enabled = true;
 static bool g_dns_cert_provenance_checking = false;
 
@@ -88,6 +90,16 @@ bool SSLConfigService::cached_info_enabled() {
   return g_cached_info_enabled;
 }
 
+// static
+void SSLConfigService::EnableOriginBoundCerts() {
+  g_origin_bound_certs_enabled = true;
+}
+
+// static
+bool SSLConfigService::origin_bound_certs_enabled() {
+  return g_origin_bound_certs_enabled;
+}
+
 void SSLConfigService::AddObserver(Observer* observer) {
   observer_list_.AddObserver(observer);
 }
@@ -105,6 +117,7 @@ void SSLConfigService::SetSSLConfigFlags(SSLConfig* ssl_config) {
   ssl_config->dns_cert_provenance_checking_enabled =
       g_dns_cert_provenance_checking;
   ssl_config->cached_info_enabled = g_cached_info_enabled;
+  ssl_config->origin_bound_certs_enabled = g_origin_bound_certs_enabled;
 }
 
 void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,

diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
@@ -65,6 +65,8 @@ struct NET_API SSLConfig {
   std::vector<uint16> disabled_cipher_suites;
 
   bool cached_info_enabled;  // True if TLS cached info extension is enabled.
+  bool origin_bound_certs_enabled;  // True if TLS origin bound cert extension
+                                    // is enabled.
   bool false_start_enabled;  // True if we'll use TLS False Start.
 
   // TODO(wtc): move the following members to a new SSLParams structure.  They
@@ -156,6 +158,11 @@ class NET_API SSLConfigService
   static void EnableCachedInfo();
   static bool cached_info_enabled();
 
+  // Enables the TLS origin bound cert extension, which allows the replacement
+  // of login cookies by self-signed certificates.
+  static void EnableOriginBoundCerts();
+  static bool origin_bound_certs_enabled();
+
   // Is SNI available in this configuration?
   static bool IsSNIAvailable(SSLConfigService* service);
 

diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
@@ -957,7 +957,8 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
 #endif
 
 #ifdef SSL_ENABLE_OB_CERTS
-  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS, PR_FALSE);
+  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS,
+                     ssl_config_.origin_bound_certs_enabled);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS");
 #endif

diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc
@@ -256,6 +256,7 @@ class SSLServerSocketTest : public PlatformTest {
     net::SSLConfig ssl_config;
     ssl_config.cached_info_enabled = false;
     ssl_config.false_start_enabled = false;
+    ssl_config.origin_bound_certs_enabled = false;
     ssl_config.ssl3_enabled = true;
     ssl_config.tls1_enabled = true;