| // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_ |
| #define NET_SOCKET_SSL_CLIENT_SOCKET_H_ |
| |
| #include <string> |
| |
| #include "base/gtest_prod_util.h" |
| #include "net/base/completion_callback.h" |
| #include "net/base/load_flags.h" |
| #include "net/base/net_errors.h" |
| #include "net/socket/ssl_socket.h" |
| #include "net/socket/stream_socket.h" |
| |
| namespace net { |
| |
| class CertVerifier; |
| class ChannelIDService; |
| class CTVerifier; |
| class HostPortPair; |
| class ServerBoundCertService; |
| class SSLCertRequestInfo; |
| struct SSLConfig; |
| class SSLInfo; |
| class TransportSecurityState; |
| class X509Certificate; |
| |
| // This struct groups together several fields which are used by various |
| // classes related to SSLClientSocket. |
| struct SSLClientSocketContext { |
| SSLClientSocketContext() |
| : cert_verifier(NULL), |
| channel_id_service(NULL), |
| transport_security_state(NULL), |
| cert_transparency_verifier(NULL) {} |
| |
| SSLClientSocketContext(CertVerifier* cert_verifier_arg, |
| ChannelIDService* channel_id_service_arg, |
| TransportSecurityState* transport_security_state_arg, |
| CTVerifier* cert_transparency_verifier_arg, |
| const std::string& ssl_session_cache_shard_arg) |
| : cert_verifier(cert_verifier_arg), |
| channel_id_service(channel_id_service_arg), |
| transport_security_state(transport_security_state_arg), |
| cert_transparency_verifier(cert_transparency_verifier_arg), |
| ssl_session_cache_shard(ssl_session_cache_shard_arg) {} |
| |
| CertVerifier* cert_verifier; |
| ChannelIDService* channel_id_service; |
| TransportSecurityState* transport_security_state; |
| CTVerifier* cert_transparency_verifier; |
| // ssl_session_cache_shard is an opaque string that identifies a shard of the |
| // SSL session cache. SSL sockets with the same ssl_session_cache_shard may |
| // resume each other's SSL sessions but we'll never sessions between shards. |
| const std::string ssl_session_cache_shard; |
| }; |
| |
| // A client socket that uses SSL as the transport layer. |
| // |
| // NOTE: The SSL handshake occurs within the Connect method after a TCP |
| // connection is established. If a SSL error occurs during the handshake, |
| // Connect will fail. |
| // |
| class NET_EXPORT SSLClientSocket : public SSLSocket { |
| public: |
| SSLClientSocket(); |
| |
| // Next Protocol Negotiation (NPN) allows a TLS client and server to come to |
| // an agreement about the application level protocol to speak over a |
| // connection. |
| enum NextProtoStatus { |
| // WARNING: These values are serialized to disk. Don't change them. |
| |
| kNextProtoUnsupported = 0, // The server doesn't support NPN. |
| kNextProtoNegotiated = 1, // We agreed on a protocol. |
| kNextProtoNoOverlap = 2, // No protocols in common. We requested |
| // the first protocol in our list. |
| }; |
| |
| // StreamSocket: |
| virtual bool WasNpnNegotiated() const OVERRIDE; |
| virtual NextProto GetNegotiatedProtocol() const OVERRIDE; |
| |
| // Formats a unique key for the SSL session cache. This method |
| // is necessary so that all classes create cache keys in a consistent |
| // manner. |
| // TODO(mshelley) This method will be deleted in an upcoming CL when |
| // it will no longer be necessary to generate a cache key outside of |
| // an SSLClientSocket. |
| static std::string CreateSessionCacheKey( |
| const HostPortPair& host_and_port, |
| const std::string& ssl_session_cache_shard); |
| |
| // Returns true if there is a cache entry in the SSL session cache |
| // for the cache key of the SSL socket. |
| // |
| // The cache key consists of a host and port concatenated with a session |
| // cache shard. These two strings are passed to the constructor of most |
| // subclasses of SSLClientSocket. |
| virtual bool InSessionCache() const = 0; |
| |
| // Sets |callback| to be run when the handshake has fully completed. |
| // For example, in the case of False Start, Connect() will return |
| // early, before the peer's TLS Finished message has been verified, |
| // in order to allow the caller to call Write() and send application |
| // data with the client's Finished message. |
| // In such situations, |callback| will be invoked sometime after |
| // Connect() - either during a Write() or Read() call, and before |
| // invoking the Read() or Write() callback. |
| // Otherwise, during a traditional TLS connection (i.e. no False |
| // Start), this will be called right before the Connect() callback |
| // is called. |
| // |
| // Note that it's not valid to mutate this socket during such |
| // callbacks, including deleting the socket. |
| // |
| // TODO(mshelley): Provide additional details about whether or not |
| // the handshake actually succeeded or not. This can be inferred |
| // from the result to Connect()/Read()/Write(), but may be useful |
| // to inform here as well. |
| virtual void SetHandshakeCompletionCallback( |
| const base::Closure& callback) = 0; |
| |
| // Gets the SSL CertificateRequest info of the socket after Connect failed |
| // with ERR_SSL_CLIENT_AUTH_CERT_NEEDED. |
| virtual void GetSSLCertRequestInfo( |
| SSLCertRequestInfo* cert_request_info) = 0; |
| |
| // Get the application level protocol that we negotiated with the server. |
| // *proto is set to the resulting protocol (n.b. that the string may have |
| // embedded NULs). |
| // kNextProtoUnsupported: *proto is cleared. |
| // kNextProtoNegotiated: *proto is set to the negotiated protocol. |
| // kNextProtoNoOverlap: *proto is set to the first protocol in the |
| // supported list. |
| virtual NextProtoStatus GetNextProto(std::string* proto) = 0; |
| |
| static NextProto NextProtoFromString(const std::string& proto_string); |
| |
| static const char* NextProtoToString(NextProto next_proto); |
| |
| static const char* NextProtoStatusToString(const NextProtoStatus status); |
| |
| static bool IgnoreCertError(int error, int load_flags); |
| |
| // ClearSessionCache clears the SSL session cache, used to resume SSL |
| // sessions. |
| static void ClearSessionCache(); |
| |
| virtual bool set_was_npn_negotiated(bool negotiated); |
| |
| virtual bool was_spdy_negotiated() const; |
| |
| virtual bool set_was_spdy_negotiated(bool negotiated); |
| |
| virtual void set_protocol_negotiated(NextProto protocol_negotiated); |
| |
| // Returns the ChannelIDService used by this socket, or NULL if |
| // channel ids are not supported. |
| virtual ChannelIDService* GetChannelIDService() const = 0; |
| |
| // Returns true if a channel ID was sent on this connection. |
| // This may be useful for protocols, like SPDY, which allow the same |
| // connection to be shared between multiple domains, each of which need |
| // a channel ID. |
| // |
| // Public for ssl_client_socket_openssl_unittest.cc. |
| virtual bool WasChannelIDSent() const; |
| |
| protected: |
| virtual void set_channel_id_sent(bool channel_id_sent); |
| |
| virtual void set_signed_cert_timestamps_received( |
| bool signed_cert_timestamps_received); |
| |
| virtual void set_stapled_ocsp_response_received( |
| bool stapled_ocsp_response_received); |
| |
| // Records histograms for channel id support during full handshakes - resumed |
| // handshakes are ignored. |
| static void RecordChannelIDSupport( |
| ChannelIDService* channel_id_service, |
| bool negotiated_channel_id, |
| bool channel_id_enabled, |
| bool supports_ecc); |
| |
| // Returns whether TLS channel ID is enabled. |
| static bool IsChannelIDEnabled( |
| const SSLConfig& ssl_config, |
| ChannelIDService* channel_id_service); |
| |
| // Serializes |next_protos| in the wire format for ALPN: protocols are listed |
| // in order, each prefixed by a one-byte length. |
| static std::vector<uint8_t> SerializeNextProtos( |
| const std::vector<std::string>& next_protos); |
| |
| // For unit testing only. |
| // Returns the unverified certificate chain as presented by server. |
| // Note that chain may be different than the verified chain returned by |
| // StreamSocket::GetSSLInfo(). |
| virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain() |
| const = 0; |
| |
| private: |
| // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_. |
| FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, |
| ConnectSignedCertTimestampsEnabledTLSExtension); |
| FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, |
| ConnectSignedCertTimestampsEnabledOCSP); |
| FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, |
| ConnectSignedCertTimestampsDisabled); |
| FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, |
| VerifyServerChainProperlyOrdered); |
| |
| // True if NPN was responded to, independent of selecting SPDY or HTTP. |
| bool was_npn_negotiated_; |
| // True if NPN successfully negotiated SPDY. |
| bool was_spdy_negotiated_; |
| // Protocol that we negotiated with the server. |
| NextProto protocol_negotiated_; |
| // True if a channel ID was sent. |
| bool channel_id_sent_; |
| // True if SCTs were received via a TLS extension. |
| bool signed_cert_timestamps_received_; |
| // True if a stapled OCSP response was received. |
| bool stapled_ocsp_response_received_; |
| }; |
| |
| } // namespace net |
| |
| #endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_ |