1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 6 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <certt.h> | 9 #include <certt.h> |
10 #include <keyt.h> | 10 #include <keyt.h> |
90 STATE_VERIFY_DNSSEC_COMPLETE, | 90 STATE_VERIFY_DNSSEC_COMPLETE, |
91 STATE_VERIFY_CERT, | 91 STATE_VERIFY_CERT, |
92 STATE_VERIFY_CERT_COMPLETE, | 92 STATE_VERIFY_CERT_COMPLETE, |
93 }; | 93 }; |
94 | 94 |
95 int Init(); | 95 int Init(); |
96 | 96 |
97 // Initializes NSS SSL options. Returns a net error code. | 97 // Initializes NSS SSL options. Returns a net error code. |
98 int InitializeSSLOptions(); | 98 int InitializeSSLOptions(); |
99 | 99 |
| 100 // Enables SRP ciphers. If |disable_non_srp_ciphers| is true, then non-SRP |
| 101 // ciphers will be disabled. Returns a net error code. |
| 102 int SetCiphersForTLSAuth(bool set_srp_ciphers, bool disable_non_srp_ciphers); |
| 103 |
100 // Initializes the socket peer name in SSL. Returns a net error code. | 104 // Initializes the socket peer name in SSL. Returns a net error code. |
101 int InitializeSSLPeerName(); | 105 int InitializeSSLPeerName(); |
102 | 106 |
103 #if defined(OS_MACOSX) || defined(OS_WIN) | 107 #if defined(OS_MACOSX) || defined(OS_WIN) |
104 // Creates an OS certificate from a DER-encoded certificate. | 108 // Creates an OS certificate from a DER-encoded certificate. |
105 static X509Certificate::OSCertHandle CreateOSCert(const SECItem& der_cert); | 109 static X509Certificate::OSCertHandle CreateOSCert(const SECItem& der_cert); |
106 #endif | 110 #endif |
107 X509Certificate* UpdateServerCert(); | 111 X509Certificate* UpdateServerCert(); |
108 void UpdateConnectionStatus(); | 112 void UpdateConnectionStatus(); |
| 113 void UpdateAuth(); |
109 void DoReadCallback(int result); | 114 void DoReadCallback(int result); |
110 void DoWriteCallback(int result); | 115 void DoWriteCallback(int result); |
111 void DoConnectCallback(int result); | 116 void DoConnectCallback(int result); |
112 void OnHandshakeIOComplete(int result); | 117 void OnHandshakeIOComplete(int result); |
113 void OnSendComplete(int result); | 118 void OnSendComplete(int result); |
114 void OnRecvComplete(int result); | 119 void OnRecvComplete(int result); |
115 | 120 |
116 int DoHandshakeLoop(int last_io_result); | 121 int DoHandshakeLoop(int last_io_result); |
117 int DoReadLoop(int result); | 122 int DoReadLoop(int result); |
118 int DoWriteLoop(int result); | 123 int DoWriteLoop(int result); |
154 CERTDistNames* ca_names, | 159 CERTDistNames* ca_names, |
155 CERTCertList** result_certs, | 160 CERTCertList** result_certs, |
156 void** result_private_key); | 161 void** result_private_key); |
157 #else | 162 #else |
158 static SECStatus ClientAuthHandler(void* arg, | 163 static SECStatus ClientAuthHandler(void* arg, |
159 PRFileDesc* socket, | 164 PRFileDesc* socket, |
160 CERTDistNames* ca_names, | 165 CERTDistNames* ca_names, |
161 CERTCertificate** result_certificate, | 166 CERTCertificate** result_certificate, |
162 SECKEYPrivateKey** result_private_key); | 167 SECKEYPrivateKey** result_private_key); |
163 #endif | 168 #endif |
| 169 |
| 170 // NSS calls this when password authentication is requested (for TLS-SRP). |
| 171 static SECStatus TLSAuthCallback(PRFileDesc *socket, SECItem *pw, void *arg); |
| 172 |
164 // NSS calls this when handshake is completed. We pass 'this' as the second | 173 // NSS calls this when handshake is completed. We pass 'this' as the second |
165 // argument. | 174 // argument. |
166 static void HandshakeCallback(PRFileDesc* socket, void* arg); | 175 static void HandshakeCallback(PRFileDesc* socket, void* arg); |
167 | 176 |
168 CompletionCallbackImpl<SSLClientSocketNSS> buffer_send_callback_; | 177 CompletionCallbackImpl<SSLClientSocketNSS> buffer_send_callback_; |
169 CompletionCallbackImpl<SSLClientSocketNSS> buffer_recv_callback_; | 178 CompletionCallbackImpl<SSLClientSocketNSS> buffer_recv_callback_; |
170 bool transport_send_busy_; | 179 bool transport_send_busy_; |
171 bool transport_recv_busy_; | 180 bool transport_recv_busy_; |
172 // corked_ is true if we are currently suspending writes to the network. This | 181 // corked_ is true if we are currently suspending writes to the network. This |
173 // is named after the similar kernel flag, TCP_CORK. | 182 // is named after the similar kernel flag, TCP_CORK. |
207 int ssl_connection_status_; | 216 int ssl_connection_status_; |
208 | 217 |
209 // Stores client authentication information between ClientAuthHandler and | 218 // Stores client authentication information between ClientAuthHandler and |
210 // GetSSLCertRequestInfo calls. | 219 // GetSSLCertRequestInfo calls. |
211 std::vector<scoped_refptr<X509Certificate> > client_certs_; | 220 std::vector<scoped_refptr<X509Certificate> > client_certs_; |
212 bool client_auth_cert_needed_; | 221 bool client_auth_cert_needed_; |
213 | 222 |
214 CertVerifier* const cert_verifier_; | 223 CertVerifier* const cert_verifier_; |
215 scoped_ptr<SingleRequestCertVerifier> verifier_; | 224 scoped_ptr<SingleRequestCertVerifier> verifier_; |
216 | 225 |
| 226 // The mutually authenticated TLS username for the connection. This is only |
| 227 // set after the handshake has succeeded with this username. |
| 228 // If none, this is the empty string. |
| 229 std::string authenticated_tls_username_; |
| 230 |
217 // True if NSS has called HandshakeCallback. | 231 // True if NSS has called HandshakeCallback. |
218 bool handshake_callback_called_; | 232 bool handshake_callback_called_; |
219 | 233 |
220 // True if the SSL handshake has been completed. | 234 // True if the SSL handshake has been completed. |
221 bool completed_handshake_; | 235 bool completed_handshake_; |
222 | 236 |
223 // True if we are lying about being connected in order to merge the first | 237 // True if we are lying about being connected in order to merge the first |
224 // Write call into a Snap Start handshake. | 238 // Write call into a Snap Start handshake. |
225 bool pseudo_connected_; | 239 bool pseudo_connected_; |
226 | 240 |
227 // True iff we believe that the user has an ESET product intercepting our | 241 // True iff we believe that the user has an ESET product intercepting our |
228 // HTTPS connections. | 242 // HTTPS connections. |
229 bool eset_mitm_detected_; | 243 bool eset_mitm_detected_; |
230 | 244 |
| 245 // False iff we are using an SRP cipher suite that doesn't use server certs. |
| 246 // Default is true. |
| 247 bool server_cert_needed_; |
| 248 |
231 // True iff |ssl_host_info_| contained a predicted certificate chain and | 249 // True iff |ssl_host_info_| contained a predicted certificate chain and |
232 // that we found the prediction to be correct. | 250 // that we found the prediction to be correct. |
233 bool predicted_cert_chain_correct_; | 251 bool predicted_cert_chain_correct_; |
234 | 252 |
235 // True if the peer name has been initialized. | 253 // True if the peer name has been initialized. |
236 bool peername_initialized_; | 254 bool peername_initialized_; |
237 | 255 |
238 // This pointer is owned by the caller of UseDNSSEC. | 256 // This pointer is owned by the caller of UseDNSSEC. |
239 DNSSECProvider* dnssec_provider_; | 257 DNSSECProvider* dnssec_provider_; |
240 // The time when we started waiting for DNSSEC records. | 258 // The time when we started waiting for DNSSEC records. |
260 | 278 |
261 base::TimeTicks start_cert_verification_time_; | 279 base::TimeTicks start_cert_verification_time_; |
262 | 280 |
263 scoped_ptr<SSLHostInfo> ssl_host_info_; | 281 scoped_ptr<SSLHostInfo> ssl_host_info_; |
264 DnsCertProvenanceChecker* const dns_cert_checker_; | 282 DnsCertProvenanceChecker* const dns_cert_checker_; |
265 }; | 283 }; |
266 | 284 |
267 } // namespace net | 285 } // namespace net |
268 | 286 |
269 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 287 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |
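Review bot: The comment on `SetCiphersForTLSAuth` (new lines 100–102) documents only `disable_non_srp_ciphers`; `set_srp_ciphers` is left undocumented, and the opening "Enables SRP ciphers" reads as unconditional although that bool controls it. Suggested wording: `// Enables SRP ciphers when |set_srp_ciphers| is true. If |disable_non_srp_ciphers| is true, then non-SRP ciphers will be disabled. Returns a net error code.` The same gap applies to `UpdateAuth()` (line 113), which has no comment, and to `TLSAuthCallback` (line 171), whose comment should say what |arg| carries (the `HandshakeCallback` comment does) and who allocates and owns the buffer NSS expects in |pw|. `server_cert_needed_` (line 247) appears to be the switch that turns off server authentication by certificate for SRP suites; if it gates the STATE_VERIFY_CERT step, the comment should state that explicitly so a reader sees where certificate verification is bypassed. Minor style: `PRFileDesc *socket, SECItem *pw, void *arg` attaches the star to the name while the rest of the header attaches it to the type.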