1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 6 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <certt.h> | 9 #include <certt.h> |
10 #include <keyt.h> | 10 #include <keyt.h> |
28 #include "net/base/origin_bound_cert_service.h" | 28 #include "net/base/origin_bound_cert_service.h" |
29 #include "net/base/ssl_config_service.h" | 29 #include "net/base/ssl_config_service.h" |
30 #include "net/base/x509_certificate.h" | 30 #include "net/base/x509_certificate.h" |
31 #include "net/socket/ssl_client_socket.h" | 31 #include "net/socket/ssl_client_socket.h" |
32 | 32 |
33 namespace net { | 33 namespace net { |
34 | 34 |
35 class BoundNetLog; | 35 class BoundNetLog; |
36 class CertVerifier; | 36 class CertVerifier; |
37 class ClientSocketHandle; | 37 class ClientSocketHandle; |
38 class OriginBoundCertService; | 38 class ServerBoundCertService; |
39 class SingleRequestCertVerifier; | 39 class SingleRequestCertVerifier; |
40 class SSLHostInfo; | 40 class SSLHostInfo; |
41 class TransportSecurityState; | 41 class TransportSecurityState; |
42 class X509Certificate; | 42 class X509Certificate; |
43 | 43 |
44 // An SSL client socket implemented with Mozilla NSS. | 44 // An SSL client socket implemented with Mozilla NSS. |
45 class SSLClientSocketNSS : public SSLClientSocket { | 45 class SSLClientSocketNSS : public SSLClientSocket { |
46 public: | 46 public: |
47 // Takes ownership of the |transport_socket|, which must already be connected. | 47 // Takes ownership of the |transport_socket|, which must already be connected. |
48 // The hostname specified in |host_and_port| will be compared with the name(s) | 48 // The hostname specified in |host_and_port| will be compared with the name(s) |
85 | 85 |
86 // Socket implementation. | 86 // Socket implementation. |
87 virtual int Read(IOBuffer* buf, | 87 virtual int Read(IOBuffer* buf, |
88 int buf_len, | 88 int buf_len, |
89 const CompletionCallback& callback) OVERRIDE; | 89 const CompletionCallback& callback) OVERRIDE; |
90 virtual int Write(IOBuffer* buf, | 90 virtual int Write(IOBuffer* buf, |
91 int buf_len, | 91 int buf_len, |
92 const CompletionCallback& callback) OVERRIDE; | 92 const CompletionCallback& callback) OVERRIDE; |
93 virtual bool SetReceiveBufferSize(int32 size) OVERRIDE; | 93 virtual bool SetReceiveBufferSize(int32 size) OVERRIDE; |
94 virtual bool SetSendBufferSize(int32 size) OVERRIDE; | 94 virtual bool SetSendBufferSize(int32 size) OVERRIDE; |
95 virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; | 95 virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; |
96 | 96 |
97 private: | 97 private: |
98 enum State { | 98 enum State { |
99 STATE_NONE, | 99 STATE_NONE, |
100 STATE_LOAD_SSL_HOST_INFO, | 100 STATE_LOAD_SSL_HOST_INFO, |
101 STATE_HANDSHAKE, | 101 STATE_HANDSHAKE, |
102 STATE_GET_OB_CERT_COMPLETE, | 102 STATE_GET_DB_CERT_COMPLETE, |
wtc
2012/03/15 23:46:38
Nit: let's spell out DOMAIN_BOUND because "DB" loo
mattm
2012/03/16 22:22:00
Done.
103 STATE_VERIFY_DNSSEC, | 103 STATE_VERIFY_DNSSEC, |
104 STATE_VERIFY_CERT, | 104 STATE_VERIFY_CERT, |
105 STATE_VERIFY_CERT_COMPLETE, | 105 STATE_VERIFY_CERT_COMPLETE, |
106 }; | 106 }; |
107 | 107 |
108 int Init(); | 108 int Init(); |
109 | 109 |
110 // Initializes NSS SSL options. Returns a net error code. | 110 // Initializes NSS SSL options. Returns a net error code. |
111 int InitializeSSLOptions(); | 111 int InitializeSSLOptions(); |
112 | 112 |
124 | 124 |
125 int DoHandshakeLoop(int last_io_result); | 125 int DoHandshakeLoop(int last_io_result); |
126 int DoReadLoop(int result); | 126 int DoReadLoop(int result); |
127 int DoWriteLoop(int result); | 127 int DoWriteLoop(int result); |
128 | 128 |
129 bool LoadSSLHostInfo(); | 129 bool LoadSSLHostInfo(); |
130 int DoLoadSSLHostInfo(); | 130 int DoLoadSSLHostInfo(); |
131 | 131 |
132 int DoHandshake(); | 132 int DoHandshake(); |
133 | 133 |
134 // ImportOBCertAndKey is a helper function for turning a DER-encoded cert and | 134 // ImportDBCertAndKey is a helper function for turning a DER-encoded cert and |
135 // key into a CERTCertificate and SECKEYPrivateKey. Returns OK upon success | 135 // key into a CERTCertificate and SECKEYPrivateKey. Returns OK upon success |
136 // and an error code otherwise. | 136 // and an error code otherwise. |
137 // Requires |ob_private_key_| and |ob_cert_| to have been set by a call to | 137 // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been |
138 // OriginBoundCertService->GetOriginBoundCert. The caller takes ownership of | 138 // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller |
139 // the |*cert| and |*key|. | 139 // takes ownership of the |*cert| and |*key|. |
140 int ImportOBCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key); | 140 int ImportDBCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key); |
141 int DoGetOBCertComplete(int result); | 141 int DoGetDBCertComplete(int result); |
142 int DoVerifyDNSSEC(int result); | 142 int DoVerifyDNSSEC(int result); |
143 int DoVerifyCert(int result); | 143 int DoVerifyCert(int result); |
144 int DoVerifyCertComplete(int result); | 144 int DoVerifyCertComplete(int result); |
145 int DoPayloadRead(); | 145 int DoPayloadRead(); |
146 int DoPayloadWrite(); | 146 int DoPayloadWrite(); |
147 void LogConnectionTypeMetrics() const; | 147 void LogConnectionTypeMetrics() const; |
148 void SaveSSLHostInfo(); | 148 void SaveSSLHostInfo(); |
149 void UncorkAfterTimeout(); | 149 void UncorkAfterTimeout(); |
150 | 150 |
151 bool DoTransportIO(); | 151 bool DoTransportIO(); |
152 int BufferSend(void); | 152 int BufferSend(void); |
153 void BufferSendComplete(int result); | 153 void BufferSendComplete(int result); |
154 int BufferRecv(void); | 154 int BufferRecv(void); |
155 void BufferRecvComplete(int result); | 155 void BufferRecvComplete(int result); |
156 | 156 |
157 // Handles an NSS error generated while handshaking or performing IO. | 157 // Handles an NSS error generated while handshaking or performing IO. |
158 // Returns a network error code mapped from the original NSS error. | 158 // Returns a network error code mapped from the original NSS error. |
159 int HandleNSSError(PRErrorCode error, bool handshake_error); | 159 int HandleNSSError(PRErrorCode error, bool handshake_error); |
160 | 160 |
161 // NSS calls this when checking certificates. We pass 'this' as the first | 161 // NSS calls this when checking certificates. We pass 'this' as the first |
162 // argument. | 162 // argument. |
163 static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket, | 163 static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket, |
164 PRBool checksig, PRBool is_server); | 164 PRBool checksig, PRBool is_server); |
165 // Returns true if connection negotiated the origin bound cert extension. | 165 // Returns true if connection negotiated the domain bound cert extension. |
166 static bool OriginBoundCertNegotiated(PRFileDesc* socket); | 166 static bool DomainBoundCertNegotiated(PRFileDesc* socket); |
167 // Origin bound cert client auth handler. | 167 // Domain bound cert client auth handler. |
168 // Returns the value the ClientAuthHandler function should return. | 168 // Returns the value the ClientAuthHandler function should return. |
169 SECStatus OriginBoundClientAuthHandler( | 169 SECStatus DomainBoundClientAuthHandler( |
170 const SECItem* cert_types, | 170 const SECItem* cert_types, |
171 CERTCertificate** result_certificate, | 171 CERTCertificate** result_certificate, |
172 SECKEYPrivateKey** result_private_key); | 172 SECKEYPrivateKey** result_private_key); |
173 #if defined(NSS_PLATFORM_CLIENT_AUTH) | 173 #if defined(NSS_PLATFORM_CLIENT_AUTH) |
174 // On platforms where we use the native certificate store, NSS calls this | 174 // On platforms where we use the native certificate store, NSS calls this |
175 // instead when client authentication is requested. At most one of | 175 // instead when client authentication is requested. At most one of |
176 // (result_certs, result_private_key) or | 176 // (result_certs, result_private_key) or |
177 // (result_nss_certificate, result_nss_private_key) should be set. | 177 // (result_nss_certificate, result_nss_private_key) should be set. |
178 static SECStatus PlatformClientAuthHandler( | 178 static SECStatus PlatformClientAuthHandler( |
179 void* arg, | 179 void* arg, |
248 int ssl_connection_status_; | 248 int ssl_connection_status_; |
249 | 249 |
250 // Stores client authentication information between ClientAuthHandler and | 250 // Stores client authentication information between ClientAuthHandler and |
251 // GetSSLCertRequestInfo calls. | 251 // GetSSLCertRequestInfo calls. |
252 std::vector<scoped_refptr<X509Certificate> > client_certs_; | 252 std::vector<scoped_refptr<X509Certificate> > client_certs_; |
253 bool client_auth_cert_needed_; | 253 bool client_auth_cert_needed_; |
254 | 254 |
255 CertVerifier* const cert_verifier_; | 255 CertVerifier* const cert_verifier_; |
256 scoped_ptr<SingleRequestCertVerifier> verifier_; | 256 scoped_ptr<SingleRequestCertVerifier> verifier_; |
257 | 257 |
258 // For origin bound certificates in client auth. | 258 // For domain bound certificates in client auth. |
259 bool ob_cert_xtn_negotiated_; | 259 bool domain_bound_cert_xtn_negotiated_; |
260 OriginBoundCertService* origin_bound_cert_service_; | 260 ServerBoundCertService* server_bound_cert_service_; |
261 SSLClientCertType ob_cert_type_; | 261 SSLClientCertType domain_bound_cert_type_; |
262 std::string ob_private_key_; | 262 std::string domain_bound_private_key_; |
263 std::string ob_cert_; | 263 std::string domain_bound_cert_; |
264 OriginBoundCertService::RequestHandle ob_cert_request_handle_; | 264 ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_; |
265 | 265 |
266 // True if NSS has called HandshakeCallback. | 266 // True if NSS has called HandshakeCallback. |
267 bool handshake_callback_called_; | 267 bool handshake_callback_called_; |
268 | 268 |
269 // True if the SSL handshake has been completed. | 269 // True if the SSL handshake has been completed. |
270 bool completed_handshake_; | 270 bool completed_handshake_; |
271 | 271 |
272 // ssl_session_cache_shard_ is an opaque string that partitions the SSL | 272 // ssl_session_cache_shard_ is an opaque string that partitions the SSL |
273 // session cache. i.e. sessions created with one value will not attempt to | 273 // session cache. i.e. sessions created with one value will not attempt to |
274 // resume on the socket with a different value. | 274 // resume on the socket with a different value. |
309 // Added the following code Debugging in release mode. | 309 // Added the following code Debugging in release mode. |
310 mutable base::Lock lock_; | 310 mutable base::Lock lock_; |
311 // This is mutable so that CalledOnValidThread can set it. | 311 // This is mutable so that CalledOnValidThread can set it. |
312 // It's guarded by |lock_|. | 312 // It's guarded by |lock_|. |
313 mutable base::PlatformThreadId valid_thread_id_; | 313 mutable base::PlatformThreadId valid_thread_id_; |
314 }; | 314 }; |
315 | 315 |
316 } // namespace net | 316 } // namespace net |
317 | 317 |
318 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 318 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |