xref: /aosp_15_r20/external/cronet/net/socket/ssl_client_socket.cc (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b)
1*6777b538SAndroid Build Coastguard Worker // Copyright 2012 The Chromium Authors
2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be
3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file.
4*6777b538SAndroid Build Coastguard Worker 
5*6777b538SAndroid Build Coastguard Worker #include "net/socket/ssl_client_socket.h"
6*6777b538SAndroid Build Coastguard Worker 
7*6777b538SAndroid Build Coastguard Worker #include <string>
8*6777b538SAndroid Build Coastguard Worker 
9*6777b538SAndroid Build Coastguard Worker #include "base/containers/flat_tree.h"
10*6777b538SAndroid Build Coastguard Worker #include "base/logging.h"
11*6777b538SAndroid Build Coastguard Worker #include "base/observer_list.h"
12*6777b538SAndroid Build Coastguard Worker #include "base/values.h"
13*6777b538SAndroid Build Coastguard Worker #include "net/cert/x509_certificate_net_log_param.h"
14*6777b538SAndroid Build Coastguard Worker #include "net/log/net_log.h"
15*6777b538SAndroid Build Coastguard Worker #include "net/log/net_log_event_type.h"
16*6777b538SAndroid Build Coastguard Worker #include "net/socket/ssl_client_socket_impl.h"
17*6777b538SAndroid Build Coastguard Worker #include "net/socket/stream_socket.h"
18*6777b538SAndroid Build Coastguard Worker #include "net/ssl/ssl_client_session_cache.h"
19*6777b538SAndroid Build Coastguard Worker #include "net/ssl/ssl_key_logger.h"
20*6777b538SAndroid Build Coastguard Worker 
21*6777b538SAndroid Build Coastguard Worker namespace net {
22*6777b538SAndroid Build Coastguard Worker 
23*6777b538SAndroid Build Coastguard Worker namespace {
24*6777b538SAndroid Build Coastguard Worker 
// Compares two possibly-null certificate references.
//
// Returns true when both |first_cert| and |second_cert| are null, or when both
// are non-null and compare equal. With |include_chain| true (the default) the
// comparison is EqualsIncludingChain(); with it false the comparison is
// EqualsExcludingChain(). A null certificate never equals a non-null one.
bool AreCertificatesEqual(const scoped_refptr<X509Certificate>& first_cert,
                          const scoped_refptr<X509Certificate>& second_cert,
                          bool include_chain = true) {
  if (!first_cert || !second_cert) {
    // At least one side is absent: equal only if both are.
    return !first_cert && !second_cert;
  }
  if (include_chain) {
    return first_cert->EqualsIncludingChain(second_cert.get());
  }
  return first_cert->EqualsExcludingChain(second_cert.get());
}
36*6777b538SAndroid Build Coastguard Worker 
// Builds the NetLog parameter dictionary for CLEAR_CACHED_CLIENT_CERT events.
//
// Keys written: "host" (|host| as a string), "certificates" (the NetLog
// certificate list for |cert|, or an empty list when |cert| is null) and
// "is_cleared".
// NOTE(review): the certificate list and host end up in NetLog output;
// presumably anyone handling an exported log can see which client certificate
// was associated with which host - confirm against the NetLog capture policy.
base::Value::Dict NetLogClearCachedClientCertParams(
    const net::HostPortPair& host,
    const scoped_refptr<net::X509Certificate>& cert,
    bool is_cleared) {
  base::Value certificates = cert
                                 ? net::NetLogX509CertificateList(cert.get())
                                 : base::Value(base::Value::List());

  base::Value::Dict params;
  params.Set("host", host.ToString());
  params.Set("certificates", std::move(certificates));
  params.Set("is_cleared", is_cleared);
  return params;
}
49*6777b538SAndroid Build Coastguard Worker 
// Builds the NetLog parameter dictionary for
// CLEAR_MATCHING_CACHED_CLIENT_CERT events.
//
// Keys written: "hosts" (every entry of |hosts| as a string, in iteration
// order) and "certificates" (the NetLog certificate list for |cert|, or an
// empty list when |cert| is null).
base::Value::Dict NetLogClearMatchingCachedClientCertParams(
    const base::flat_set<net::HostPortPair>& hosts,
    const scoped_refptr<net::X509Certificate>& cert) {
  base::Value::List host_list;
  for (const net::HostPortPair& entry : hosts) {
    host_list.Append(entry.ToString());
  }

  base::Value certificates = cert
                                 ? net::NetLogX509CertificateList(cert.get())
                                 : base::Value(base::Value::List());

  base::Value::Dict params;
  params.Set("hosts", base::Value(std::move(host_list)));
  params.Set("certificates", std::move(certificates));
  return params;
}
65*6777b538SAndroid Build Coastguard Worker 
66*6777b538SAndroid Build Coastguard Worker }  // namespace
67*6777b538SAndroid Build Coastguard Worker 
// Defaulted out of line: construction does nothing beyond default
// initialization of bases and members.
SSLClientSocket::SSLClientSocket() = default;
69*6777b538SAndroid Build Coastguard Worker 
// static
// Transfers ownership of |logger| to SSLClientSocketImpl::SetSSLKeyLogger().
// Nothing is validated here; a null |logger| is passed through unchanged.
// NOTE(review): SSLKeyLogger is declared in net/ssl/ssl_key_logger.h and is not
// visible in this file. A TLS key log exposes session secrets that allow
// captured traffic to be decrypted, so this is presumably meant for debugging
// only, with the log destination access-controlled - confirm against the
// header and the call sites.
void SSLClientSocket::SetSSLKeyLogger(std::unique_ptr<SSLKeyLogger> logger) {
  SSLClientSocketImpl::SetSSLKeyLogger(std::move(logger));
}
74*6777b538SAndroid Build Coastguard Worker 
// static
// Serializes |next_protos| as a run of length-prefixed protocol names: one
// length byte followed by that many name bytes per entry, in input order.
//
// The length prefix is a single byte, so a name longer than 255 bytes cannot
// be represented; such names, and empty ones, are skipped with a warning
// instead of being truncated or emitted with a zero length. The result is
// empty when every entry is skipped or |next_protos| is empty.
std::vector<uint8_t> SSLClientSocket::SerializeNextProtos(
    const NextProtoVector& next_protos) {
  std::vector<uint8_t> serialized;
  for (const NextProto next_proto : next_protos) {
    const std::string name = NextProtoToString(next_proto);
    const auto length = name.size();
    if (length > 255) {
      LOG(WARNING) << "Ignoring overlong ALPN protocol: " << name;
      continue;
    }
    if (name.empty()) {
      LOG(WARNING) << "Ignoring empty ALPN protocol";
      continue;
    }
    // |length| is in [1, 255] here, so the narrowing cast cannot lose bits.
    serialized.push_back(static_cast<uint8_t>(length));
    serialized.insert(serialized.end(), name.begin(), name.end());
  }

  return serialized;
}
97*6777b538SAndroid Build Coastguard Worker 
// Stores the supplied collaborators and registers this context as an observer
// of the config service (when present), the certificate verifier and the
// process-wide CertDatabase.
//
// |cert_verifier| and |transport_security_state| must be non-null; this is
// enforced with CHECK. |ssl_config_service| may be null, in which case
// |config_| is left as default-constructed and no config observer is added.
// |ssl_client_session_cache| and |sct_auditing_delegate| are stored without a
// null check here.
SSLClientContext::SSLClientContext(
    SSLConfigService* ssl_config_service,
    CertVerifier* cert_verifier,
    TransportSecurityState* transport_security_state,
    SSLClientSessionCache* ssl_client_session_cache,
    SCTAuditingDelegate* sct_auditing_delegate)
    : ssl_config_service_(ssl_config_service),
      cert_verifier_(cert_verifier),
      transport_security_state_(transport_security_state),
      ssl_client_session_cache_(ssl_client_session_cache),
      sct_auditing_delegate_(sct_auditing_delegate) {
  // Fail fast: a context without certificate verification or transport
  // security state must never be used to create sockets.
  CHECK(cert_verifier_);
  CHECK(transport_security_state_);

  if (ssl_config_service_) {
    // Snapshot the current config, then subscribe to later changes.
    config_ = ssl_config_service_->GetSSLContextConfig();
    ssl_config_service_->AddObserver(this);
  }
  cert_verifier_->AddObserver(this);
  CertDatabase::GetInstance()->AddObserver(this);
}
119*6777b538SAndroid Build Coastguard Worker 
// Unregisters every observer registration made by the constructor, so none of
// the observed objects is left holding a pointer to this destroyed context.
// The config-service registration is conditional, matching the constructor.
SSLClientContext::~SSLClientContext() {
  if (ssl_config_service_) {
    ssl_config_service_->RemoveObserver(this);
  }
  cert_verifier_->RemoveObserver(this);
  CertDatabase::GetInstance()->RemoveObserver(this);
}
127*6777b538SAndroid Build Coastguard Worker 
// Creates an SSLClientSocketImpl layered over |stream_socket|, whose ownership
// moves into the new socket, for the server |host_and_port| with |ssl_config|.
// NOTE(review): |this| is handed to the new socket; presumably the socket
// keeps the pointer, so this context must outlive every socket it creates -
// confirm against SSLClientSocketImpl.
std::unique_ptr<SSLClientSocket> SSLClientContext::CreateSSLClientSocket(
    std::unique_ptr<StreamSocket> stream_socket,
    const HostPortPair& host_and_port,
    const SSLConfig& ssl_config) {
  std::unique_ptr<SSLClientSocket> socket =
      std::make_unique<SSLClientSocketImpl>(this, std::move(stream_socket),
                                            host_and_port, ssl_config);
  return socket;
}
135*6777b538SAndroid Build Coastguard Worker 
// Looks up the cached client-certificate preference for |server| and returns
// the result of the client auth cache lookup. |client_cert| and |private_key|
// are out-parameters passed straight to the cache.
// NOTE(review): a successful lookup presumably may still yield a null
// certificate (a cached decision to send none) - confirm against
// SSLClientAuthCache::Lookup before dereferencing the outputs.
bool SSLClientContext::GetClientCertificate(
    const HostPortPair& server,
    scoped_refptr<X509Certificate>* client_cert,
    scoped_refptr<SSLPrivateKey>* private_key) {
  const bool has_preference =
      ssl_client_auth_cache_.Lookup(server, client_cert, private_key);
  return has_preference;
}
142*6777b538SAndroid Build Coastguard Worker 
// Records |client_cert| and |private_key| as the client-certificate preference
// for |server|, then invalidates state that was negotiated under the previous
// preference: cached sessions for |server| are flushed (when a session cache
// is configured) and observers are told the config for |server| changed.
void SSLClientContext::SetClientCertificate(
    const HostPortPair& server,
    scoped_refptr<X509Certificate> client_cert,
    scoped_refptr<SSLPrivateKey> private_key) {
  ssl_client_auth_cache_.Add(server, std::move(client_cert),
                             std::move(private_key));

  const base::flat_set<HostPortPair> affected_servers = {server};
  if (ssl_client_session_cache_) {
    // A resumed session skips client certificate negotiation, so a session
    // established under the old preference would keep using it. Drop every
    // session for this server so the next handshake honours the new one.
    ssl_client_session_cache_->FlushForServers(affected_servers);
  }
  NotifySSLConfigForServersChanged(affected_servers);
}
157*6777b538SAndroid Build Coastguard Worker 
// Removes the cached client-certificate preference for |server|.
//
// Returns false, with no further effect, when the auth cache reports that
// nothing was removed. Otherwise flushes cached sessions for |server| (when a
// session cache is configured), notifies observers and returns true.
bool SSLClientContext::ClearClientCertificate(const HostPortPair& server) {
  const bool removed = ssl_client_auth_cache_.Remove(server);
  if (!removed) {
    return false;
  }

  const base::flat_set<HostPortPair> affected_servers = {server};
  if (ssl_client_session_cache_) {
    // A resumed session skips client certificate negotiation, so sessions
    // created while the preference existed must not survive its removal.
    ssl_client_session_cache_->FlushForServers(affected_servers);
  }
  NotifySSLConfigForServersChanged(affected_servers);
  return true;
}
171*6777b538SAndroid Build Coastguard Worker 
// Registers |observer| in |observers_|, the list that
// NotifySSLConfigChanged() and NotifySSLConfigForServersChanged() iterate.
void SSLClientContext::AddObserver(Observer* observer) {
  observers_.AddObserver(observer);
}
175*6777b538SAndroid Build Coastguard Worker 
// Unregisters |observer| from |observers_|; it receives no further
// notifications from this context.
void SSLClientContext::RemoveObserver(Observer* observer) {
  observers_.RemoveObserver(observer);
}
179*6777b538SAndroid Build Coastguard Worker 
// Config-service callback: re-reads the context config, flushes the whole
// session cache (when one is configured) and notifies observers with
// kSSLConfigChanged.
//
// |ssl_config_service_| is dereferenced without a null check. The only
// registration visible in this file is in the constructor and is made only
// when the service is non-null.
void SSLClientContext::OnSSLContextConfigChanged() {
  config_ = ssl_config_service_->GetSSLContextConfig();
  if (ssl_client_session_cache_) {
    // Sessions negotiated under the previous config are discarded wholesale.
    ssl_client_session_cache_->Flush();
  }
  NotifySSLConfigChanged(SSLConfigChangeType::kSSLConfigChanged);
}
187*6777b538SAndroid Build Coastguard Worker 
// Certificate-verifier callback: forwards the change to observers as
// kCertVerifierChanged. No cache is flushed here.
void SSLClientContext::OnCertVerifierChanged() {
  NotifySSLConfigChanged(SSLConfigChangeType::kCertVerifierChanged);
}
191*6777b538SAndroid Build Coastguard Worker 
// Trust-store callback: forwards the change to observers as
// kCertDatabaseChanged. No cache is flushed here.
void SSLClientContext::OnTrustStoreChanged() {
  NotifySSLConfigChanged(SSLConfigChangeType::kCertDatabaseChanged);
}
195*6777b538SAndroid Build Coastguard Worker 
// Client-certificate-store callback: forgets every cached client-certificate
// preference, flushes cached sessions for the servers that had one (when a
// session cache is configured) and notifies observers about those servers.
void SSLClientContext::OnClientCertStoreChanged() {
  // Capture the server set before clearing; it is needed for the flush and
  // the notification below.
  const base::flat_set<HostPortPair> affected_servers =
      ssl_client_auth_cache_.GetCachedServers();
  ssl_client_auth_cache_.Clear();

  if (ssl_client_session_cache_) {
    ssl_client_session_cache_->FlushForServers(affected_servers);
  }
  NotifySSLConfigForServersChanged(affected_servers);
}
205*6777b538SAndroid Build Coastguard Worker 
// Drops the cached client-certificate preference for |host| only when one
// exists and its certificate differs from |certificate| (compared including
// the chain, the default of AreCertificatesEqual()).
//
// A CLEAR_CACHED_CLIENT_CERT global NetLog entry is emitted in both cases,
// with "is_cleared" recording the outcome. When the entry is dropped, cached
// sessions for |host| are flushed (when a session cache is configured) and
// observers are notified.
void SSLClientContext::ClearClientCertificateIfNeeded(
    const net::HostPortPair& host,
    const scoped_refptr<net::X509Certificate>& certificate) {
  scoped_refptr<X509Certificate> cached_certificate;
  scoped_refptr<SSLPrivateKey> cached_private_key;
  const bool has_preference = ssl_client_auth_cache_.Lookup(
      host, &cached_certificate, &cached_private_key);
  // Nothing to clear when there is no cached preference for this host, or
  // when the cached certificate already matches |certificate|.
  const bool should_clear =
      has_preference && !AreCertificatesEqual(cached_certificate, certificate);

  net::NetLog::Get()->AddGlobalEntry(
      NetLogEventType::CLEAR_CACHED_CLIENT_CERT, [&]() {
        return NetLogClearCachedClientCertParams(
            host, certificate, /*is_cleared=*/should_clear);
      });

  if (!should_clear) {
    return;
  }

  ssl_client_auth_cache_.Remove(host);

  const base::flat_set<HostPortPair> affected_servers = {host};
  if (ssl_client_session_cache_) {
    ssl_client_session_cache_->FlushForServers(affected_servers);
  }

  NotifySSLConfigForServersChanged(affected_servers);
}
237*6777b538SAndroid Build Coastguard Worker 
// Drops the cached client-certificate preference of every server whose cached
// certificate equals |certificate|. |certificate| must be non-null (CHECKed).
//
// The comparison excludes the chain, so an entry matches whenever
// EqualsExcludingChain() holds, whatever intermediates were cached with it.
// A CLEAR_MATCHING_CACHED_CLIENT_CERT global NetLog entry listing the matched
// servers is emitted even when the list is empty. For a non-empty list the
// entries are removed, sessions for those servers are flushed (when a session
// cache is configured) and observers are notified.
void SSLClientContext::ClearMatchingClientCertificate(
    const scoped_refptr<net::X509Certificate>& certificate) {
  CHECK(certificate);

  const base::flat_set<HostPortPair> cached_servers =
      ssl_client_auth_cache_.GetCachedServers();
  base::flat_set<HostPortPair> cleared_servers;
  for (const HostPortPair& server : cached_servers) {
    scoped_refptr<X509Certificate> cached_certificate;
    scoped_refptr<SSLPrivateKey> cached_private_key;
    const bool has_preference = ssl_client_auth_cache_.Lookup(
        server, &cached_certificate, &cached_private_key);
    if (!has_preference) {
      continue;
    }
    if (!AreCertificatesEqual(cached_certificate, certificate,
                              /*include_chain=*/false)) {
      continue;
    }
    // Insert with an end() hint, as each match is appended in iteration order.
    cleared_servers.insert(cleared_servers.end(), server);
  }

  net::NetLog::Get()->AddGlobalEntry(
      NetLogEventType::CLEAR_MATCHING_CACHED_CLIENT_CERT, [&]() {
        return NetLogClearMatchingCachedClientCertParams(cleared_servers,
                                                         certificate);
      });

  if (cleared_servers.empty()) {
    return;
  }

  // Removal happens only after the scan above has finished.
  for (const HostPortPair& matched_server : cleared_servers) {
    ssl_client_auth_cache_.Remove(matched_server);
  }

  if (ssl_client_session_cache_) {
    ssl_client_session_cache_->FlushForServers(cleared_servers);
  }

  NotifySSLConfigForServersChanged(cleared_servers);
}
274*6777b538SAndroid Build Coastguard Worker 
// Calls OnSSLConfigChanged(|change_type|) on every registered observer, in
// the iteration order of |observers_|.
void SSLClientContext::NotifySSLConfigChanged(SSLConfigChangeType change_type) {
  for (Observer& registered : observers_) {
    registered.OnSSLConfigChanged(change_type);
  }
}
280*6777b538SAndroid Build Coastguard Worker 
// Calls OnSSLConfigForServersChanged(|servers|) on every registered observer,
// in the iteration order of |observers_|. |servers| is passed through as
// given, including when it is empty.
void SSLClientContext::NotifySSLConfigForServersChanged(
    const base::flat_set<HostPortPair>& servers) {
  for (Observer& registered : observers_) {
    registered.OnSSLConfigForServersChanged(servers);
  }
}
287*6777b538SAndroid Build Coastguard Worker 
288*6777b538SAndroid Build Coastguard Worker }  // namespace net