1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ | 5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ |
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ | 6 #define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ |
7 | 7 |
8 #include <openssl/base.h> | 8 #include <openssl/base.h> |
9 #include <openssl/bytestring.h> | |
9 #include <openssl/ssl.h> | 10 #include <openssl/ssl.h> |
10 | 11 |
11 #include <string> | 12 #include <string> |
12 #include <vector> | 13 #include <vector> |
13 | 14 |
14 #include "base/compiler_specific.h" | 15 #include "base/compiler_specific.h" |
15 #include "base/memory/scoped_ptr.h" | 16 #include "base/memory/scoped_ptr.h" |
16 #include "base/memory/weak_ptr.h" | 17 #include "base/memory/weak_ptr.h" |
17 #include "net/base/completion_callback.h" | 18 #include "net/base/completion_callback.h" |
18 #include "net/base/io_buffer.h" | 19 #include "net/base/io_buffer.h" |
19 #include "net/cert/cert_verifier.h" | 20 #include "net/cert/cert_verifier.h" |
20 #include "net/cert/cert_verify_result.h" | 21 #include "net/cert/cert_verify_result.h" |
21 #include "net/cert/ct_verify_result.h" | 22 #include "net/cert/ct_verify_result.h" |
22 #include "net/socket/client_socket_handle.h" | 23 #include "net/socket/client_socket_handle.h" |
23 #include "net/socket/ssl_client_socket.h" | 24 #include "net/socket/ssl_client_socket.h" |
24 #include "net/ssl/channel_id_service.h" | 25 #include "net/ssl/channel_id_service.h" |
25 #include "net/ssl/openssl_ssl_util.h" | 26 #include "net/ssl/openssl_ssl_util.h" |
26 #include "net/ssl/ssl_client_cert_type.h" | 27 #include "net/ssl/ssl_client_cert_type.h" |
27 #include "net/ssl/ssl_config_service.h" | 28 #include "net/ssl/ssl_config_service.h" |
28 #include "net/ssl/ssl_failure_state.h" | 29 #include "net/ssl/ssl_failure_state.h" |
29 | 30 |
30 namespace net { | 31 namespace net { |
31 | 32 |
32 class CertVerifier; | 33 class CertVerifier; |
33 class CTVerifier; | 34 class CTVerifier; |
34 class SSLCertRequestInfo; | 35 class SSLCertRequestInfo; |
35 class SSLInfo; | 36 class SSLInfo; |
36 class SSLPrivateKey; | 37 class SSLPrivateKey; |
37 | 38 |
39 // Stores the state and result of the token binding negotiation TLS extension. | |
40 // (draft-ietf-tokbind-negotiation-00). | |
41 class TokenBindingExtension { | |
mattm
2015/09/24 22:13:13
Maybe this should be a subclass of SSLClientSocket
nharper
2015/09/28 21:43:39
Done.
| |
42 public: | |
43 static const unsigned int kExtNum = 30033; | |
44 | |
45 // Token Binding ProtocolVersion that this extension supports. | |
46 static const uint8_t kProtocolVersionMajor = 0; | |
47 static const uint8_t kProtocolVersionMinor = 2; | |
48 | |
49 TokenBindingExtension(); | |
50 ~TokenBindingExtension(); | |
51 | |
52 // Sets the supported key params to use in negotiation. If empty, token | |
53 // binding will not be negotiated. Does not take ownership of |params|. | |
54 void SetParams(std::vector<TokenBindingParam>* params); | |
55 | |
56 // Returns which TokenBindingParam was negotiated. This value is only valid if | |
57 // WasNegotiated returns true. | |
58 TokenBindingParam NegotiationResult() const; | |
59 | |
60 // Returns whether token binding was negotiated. | |
61 bool WasNegotiated() const; | |
62 | |
63 // Sets the custom extension api callbacks to ClientAddCallback, | |
64 // ClientFreeCallback, and ClientParseCallback. The callbacks are static | |
65 // methods (since the OpenSSL api takes function pointers) and are wrappers to | |
66 // call ClientAdd or ClientParse on the TokenBindingExtension object that is a | |
67 // member of the SSLClientSocketOpenSSL for the corresponding SSL struct | |
68 // passed in to the callback. | |
69 static int RegisterCallbacks(SSL_CTX* ssl_ctx); | |
70 | |
71 private: | |
72 static int ClientAddCallback(SSL* s, | |
73 unsigned int ext_type, | |
74 const unsigned char** out, | |
75 size_t* outlen, | |
76 int* al, | |
77 void* add_arg); | |
78 static void ClientFreeCallback(SSL* s, | |
79 unsigned int ext_type, | |
80 const unsigned char* out, | |
81 void* add_arg); | |
82 static int ClientParseCallback(SSL* s, | |
83 unsigned int ext_type, | |
84 const unsigned char* in, | |
85 size_t inlen, | |
86 int* al, | |
87 void* parse_arg); | |
88 | |
89 int ClientAdd(SSL* s, | |
90 unsigned int ext_type, | |
91 const unsigned char** out, | |
92 size_t* outlen, | |
93 int* al); | |
94 int ClientParse(SSL* s, | |
95 unsigned int ext_type, | |
96 const unsigned char* in, | |
97 size_t inlen, | |
98 int* al); | |
99 | |
100 bool negotiated_; | |
101 TokenBindingParam negotiated_param_; | |
102 std::vector<TokenBindingParam> supported_params_; | |
103 }; | |
104 | |
38 // An SSL client socket implemented with OpenSSL. | 105 // An SSL client socket implemented with OpenSSL. |
39 class SSLClientSocketOpenSSL : public SSLClientSocket { | 106 class SSLClientSocketOpenSSL : public SSLClientSocket { |
40 public: | 107 public: |
41 // Takes ownership of the transport_socket, which may already be connected. | 108 // Takes ownership of the transport_socket, which may already be connected. |
42 // The given hostname will be compared with the name(s) in the server's | 109 // The given hostname will be compared with the name(s) in the server's |
43 // certificate during the SSL handshake. ssl_config specifies the SSL | 110 // certificate during the SSL handshake. ssl_config specifies the SSL |
44 // settings. | 111 // settings. |
45 SSLClientSocketOpenSSL(scoped_ptr<ClientSocketHandle> transport_socket, | 112 SSLClientSocketOpenSSL(scoped_ptr<ClientSocketHandle> transport_socket, |
46 const HostPortPair& host_and_port, | 113 const HostPortPair& host_and_port, |
47 const SSLConfig& ssl_config, | 114 const SSLConfig& ssl_config, |
92 int buf_len, | 159 int buf_len, |
93 const CompletionCallback& callback) override; | 160 const CompletionCallback& callback) override; |
94 int SetReceiveBufferSize(int32 size) override; | 161 int SetReceiveBufferSize(int32 size) override; |
95 int SetSendBufferSize(int32 size) override; | 162 int SetSendBufferSize(int32 size) override; |
96 | 163 |
97 private: | 164 private: |
98 class PeerCertificateChain; | 165 class PeerCertificateChain; |
99 class SSLContext; | 166 class SSLContext; |
100 friend class SSLClientSocket; | 167 friend class SSLClientSocket; |
101 friend class SSLContext; | 168 friend class SSLContext; |
169 friend class TokenBindingExtension; | |
102 | 170 |
103 int Init(); | 171 int Init(); |
104 void DoReadCallback(int result); | 172 void DoReadCallback(int result); |
105 void DoWriteCallback(int result); | 173 void DoWriteCallback(int result); |
106 | 174 |
107 bool DoTransportIO(); | 175 bool DoTransportIO(); |
108 int DoHandshake(); | 176 int DoHandshake(); |
109 int DoHandshakeComplete(int result); | 177 int DoHandshakeComplete(int result); |
110 int DoChannelIDLookup(); | 178 int DoChannelIDLookup(); |
111 int DoChannelIDLookupComplete(int result); | 179 int DoChannelIDLookupComplete(int result); |
180 int DoTokenBindingLookup(); | |
181 int DoTokenBindingLookupComplete(int result); | |
112 int DoVerifyCert(int result); | 182 int DoVerifyCert(int result); |
113 int DoVerifyCertComplete(int result); | 183 int DoVerifyCertComplete(int result); |
114 void DoConnectCallback(int result); | 184 void DoConnectCallback(int result); |
115 void UpdateServerCert(); | 185 void UpdateServerCert(); |
116 void VerifyCT(); | 186 void VerifyCT(); |
117 | 187 |
118 void OnHandshakeIOComplete(int result); | 188 void OnHandshakeIOComplete(int result); |
119 void OnSendComplete(int result); | 189 void OnSendComplete(int result); |
120 void OnRecvComplete(int result); | 190 void OnRecvComplete(int result); |
121 | 191 |
270 CertVerifier* const cert_verifier_; | 340 CertVerifier* const cert_verifier_; |
271 scoped_ptr<CertVerifier::Request> cert_verifier_request_; | 341 scoped_ptr<CertVerifier::Request> cert_verifier_request_; |
272 base::TimeTicks start_cert_verification_time_; | 342 base::TimeTicks start_cert_verification_time_; |
273 | 343 |
274 // Certificate Transparency: Verifier and result holder. | 344 // Certificate Transparency: Verifier and result holder. |
275 ct::CTVerifyResult ct_verify_result_; | 345 ct::CTVerifyResult ct_verify_result_; |
276 CTVerifier* cert_transparency_verifier_; | 346 CTVerifier* cert_transparency_verifier_; |
277 | 347 |
278 // The service for retrieving Channel ID keys. May be NULL. | 348 // The service for retrieving Channel ID keys. May be NULL. |
279 ChannelIDService* channel_id_service_; | 349 ChannelIDService* channel_id_service_; |
350 TokenBindingExtension token_binding_extension_; | |
280 | 351 |
281 // OpenSSL stuff | 352 // OpenSSL stuff |
282 SSL* ssl_; | 353 SSL* ssl_; |
283 BIO* transport_bio_; | 354 BIO* transport_bio_; |
284 | 355 |
285 scoped_ptr<ClientSocketHandle> transport_; | 356 scoped_ptr<ClientSocketHandle> transport_; |
286 const HostPortPair host_and_port_; | 357 const HostPortPair host_and_port_; |
287 SSLConfig ssl_config_; | 358 SSLConfig ssl_config_; |
288 // ssl_session_cache_shard_ is an opaque string that partitions the SSL | 359 // ssl_session_cache_shard_ is an opaque string that partitions the SSL |
289 // session cache. i.e. sessions created with one value will not attempt to | 360 // session cache. i.e. sessions created with one value will not attempt to |
290 // resume on the socket with a different value. | 361 // resume on the socket with a different value. |
291 const std::string ssl_session_cache_shard_; | 362 const std::string ssl_session_cache_shard_; |
292 | 363 |
293 enum State { | 364 enum State { |
294 STATE_NONE, | 365 STATE_NONE, |
295 STATE_HANDSHAKE, | 366 STATE_HANDSHAKE, |
296 STATE_HANDSHAKE_COMPLETE, | 367 STATE_HANDSHAKE_COMPLETE, |
297 STATE_CHANNEL_ID_LOOKUP, | 368 STATE_CHANNEL_ID_LOOKUP, |
298 STATE_CHANNEL_ID_LOOKUP_COMPLETE, | 369 STATE_CHANNEL_ID_LOOKUP_COMPLETE, |
370 STATE_TOKEN_BINDING_LOOKUP, | |
371 STATE_TOKEN_BINDING_LOOKUP_COMPLETE, | |
299 STATE_VERIFY_CERT, | 372 STATE_VERIFY_CERT, |
300 STATE_VERIFY_CERT_COMPLETE, | 373 STATE_VERIFY_CERT_COMPLETE, |
301 }; | 374 }; |
302 State next_handshake_state_; | 375 State next_handshake_state_; |
303 | 376 |
304 // True if the socket has been disconnected. | 377 // True if the socket has been disconnected. |
305 bool disconnected_; | 378 bool disconnected_; |
306 | 379 |
307 NextProtoStatus npn_status_; | 380 NextProtoStatus npn_status_; |
308 std::string npn_proto_; | 381 std::string npn_proto_; |
333 // pinning failure. It is a (somewhat) human-readable string. | 406 // pinning failure. It is a (somewhat) human-readable string. |
334 std::string pinning_failure_log_; | 407 std::string pinning_failure_log_; |
335 | 408 |
336 BoundNetLog net_log_; | 409 BoundNetLog net_log_; |
337 base::WeakPtrFactory<SSLClientSocketOpenSSL> weak_factory_; | 410 base::WeakPtrFactory<SSLClientSocketOpenSSL> weak_factory_; |
338 }; | 411 }; |
339 | 412 |
340 } // namespace net | 413 } // namespace net |
341 | 414 |
342 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ | 415 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ |
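Review bot: ClientParse (new lines 94–98) consumes server-supplied extension bytes, but nothing in the header states what it must reject, and that validation is the security-relevant part of this extension. I would document the contract on the declaration, e.g. `// Validates the server's token_binding extension: the encoded length must match inlen exactly, the selected param must be one of supported_params_, and the server's version must not exceed kProtocolVersionMajor.kProtocolVersionMinor; on any failure sets *al and returns 0 so the handshake is aborted.` — whether the .cc already enforces all of this I cannot see from here. Relatedly, negotiated_ and negotiated_param_ (new lines 100–101) are written by a handshake callback and no reset is declared, so a second handshake on the same SSL object would presumably observe stale state unless ClientAdd clears them first; a short note on those fields would settle that. The value 30033 for kExtNum also looks like a draft-stage code point rather than an IANA-registered one, and a one-line comment saying so would help whoever has to change it when the assignment lands.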