| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | |
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | |
7 | |
8 #include <certt.h> | |
9 #include <keyt.h> | |
10 #include <nspr.h> | |
11 #include <nss.h> | |
12 #include <stdint.h> | |
13 | |
14 #include <memory> | |
15 #include <string> | |
16 #include <vector> | |
17 | |
18 #include "base/synchronization/lock.h" | |
19 #include "base/threading/platform_thread.h" | |
20 #include "base/time/time.h" | |
21 #include "net/base/completion_callback.h" | |
22 #include "net/base/host_port_pair.h" | |
23 #include "net/base/net_export.h" | |
24 #include "net/base/nss_memio.h" | |
25 #include "net/cert/cert_verifier.h" | |
26 #include "net/cert/cert_verify_result.h" | |
27 #include "net/cert/ct_verify_result.h" | |
28 #include "net/cert/x509_certificate.h" | |
29 #include "net/log/net_log.h" | |
30 #include "net/socket/ssl_client_socket.h" | |
31 #include "net/ssl/channel_id_service.h" | |
32 #include "net/ssl/ssl_config_service.h" | |
33 | |
34 namespace net { | |
35 | |
36 class BoundNetLog; | |
37 class CTPolicyEnforcer; | |
38 class CertVerifier; | |
39 class ChannelIDService; | |
40 class CTVerifier; | |
41 class ClientSocketHandle; | |
42 class TransportSecurityState; | |
43 class X509Certificate; | |
44 | |
45 // An SSL client socket implemented with Mozilla NSS. | |
46 class SSLClientSocketNSS : public SSLClientSocket { | |
47 public: | |
48 // Takes ownership of the |transport_socket|, which must already be connected. | |
49 // The hostname specified in |host_and_port| will be compared with the name(s) | |
50 // in the server's certificate during the SSL handshake. If SSL client | |
51 // authentication is requested, the host_and_port field of SSLCertRequestInfo | |
52 // will be populated with |host_and_port|. |ssl_config| specifies | |
53 // the SSL settings. | |
54 SSLClientSocketNSS(std::unique_ptr<ClientSocketHandle> transport_socket, | |
55 const HostPortPair& host_and_port, | |
56 const SSLConfig& ssl_config, | |
57 const SSLClientSocketContext& context); | |
58 ~SSLClientSocketNSS() override; | |
59 | |
60 // SSLClientSocket implementation. | |
61 void GetSSLCertRequestInfo(SSLCertRequestInfo* cert_request_info) override; | |
62 NextProtoStatus GetNextProto(std::string* proto) const override; | |
63 | |
64 // SSLSocket implementation. | |
65 int ExportKeyingMaterial(const base::StringPiece& label, | |
66 bool has_context, | |
67 const base::StringPiece& context, | |
68 unsigned char* out, | |
69 unsigned int outlen) override; | |
70 | |
71 // StreamSocket implementation. | |
72 int Connect(const CompletionCallback& callback) override; | |
73 void Disconnect() override; | |
74 bool IsConnected() const override; | |
75 bool IsConnectedAndIdle() const override; | |
76 int GetPeerAddress(IPEndPoint* address) const override; | |
77 int GetLocalAddress(IPEndPoint* address) const override; | |
78 const BoundNetLog& NetLog() const override; | |
79 void SetSubresourceSpeculation() override; | |
80 void SetOmniboxSpeculation() override; | |
81 bool WasEverUsed() const override; | |
82 bool GetSSLInfo(SSLInfo* ssl_info) override; | |
83 void GetConnectionAttempts(ConnectionAttempts* out) const override; | |
84 void ClearConnectionAttempts() override {} | |
85 void AddConnectionAttempts(const ConnectionAttempts& attempts) override {} | |
86 int64_t GetTotalReceivedBytes() const override; | |
87 | |
88 // Socket implementation. | |
89 int Read(IOBuffer* buf, | |
90 int buf_len, | |
91 const CompletionCallback& callback) override; | |
92 int Write(IOBuffer* buf, | |
93 int buf_len, | |
94 const CompletionCallback& callback) override; | |
95 int SetReceiveBufferSize(int32_t size) override; | |
96 int SetSendBufferSize(int32_t size) override; | |
97 | |
98 // SSLClientSocket implementation. | |
99 ChannelIDService* GetChannelIDService() const override; | |
100 Error GetSignedEKMForTokenBinding(crypto::ECPrivateKey* key, | |
101 std::vector<uint8_t>* out) override; | |
102 crypto::ECPrivateKey* GetChannelIDKey() const override; | |
103 SSLFailureState GetSSLFailureState() const override; | |
104 | |
105 private: | |
106 // Helper class to handle marshalling any NSS interaction to and from the | |
107 // NSS and network task runners. Not every call needs to happen on the Core | |
108 class Core; | |
109 | |
110 enum State { | |
111 STATE_NONE, | |
112 STATE_HANDSHAKE, | |
113 STATE_HANDSHAKE_COMPLETE, | |
114 STATE_VERIFY_CERT, | |
115 STATE_VERIFY_CERT_COMPLETE, | |
116 }; | |
117 | |
118 int Init(); | |
119 void InitCore(); | |
120 | |
121 // Initializes NSS SSL options. Returns a net error code. | |
122 int InitializeSSLOptions(); | |
123 | |
124 // Initializes the socket peer name in SSL. Returns a net error code. | |
125 int InitializeSSLPeerName(); | |
126 | |
127 void DoConnectCallback(int result); | |
128 void OnHandshakeIOComplete(int result); | |
129 | |
130 int DoHandshakeLoop(int last_io_result); | |
131 int DoHandshake(); | |
132 int DoHandshakeComplete(int result); | |
133 int DoVerifyCert(int result); | |
134 int DoVerifyCertComplete(int result); | |
135 | |
136 void VerifyCT(); | |
137 | |
138 // The following methods are for debugging bug 65948. Will remove this code | |
139 // after fixing bug 65948. | |
140 void EnsureThreadIdAssigned() const; | |
141 bool CalledOnValidThread() const; | |
142 | |
143 // Adds the SignedCertificateTimestamps from ct_verify_result_ to |ssl_info|. | |
144 // SCTs are held in three separate vectors in ct_verify_result, each | |
145 // vetor representing a particular verification state, this method associates | |
146 // each of the SCTs with the corresponding SCTVerifyStatus as it adds it to | |
147 // the |ssl_info|.signed_certificate_timestamps list. | |
148 void AddCTInfoToSSLInfo(SSLInfo* ssl_info) const; | |
149 | |
150 // Move last protocol to first place: SSLConfig::next_protos has protocols in | |
151 // decreasing order of preference with NPN fallback protocol at the end, but | |
152 // NSS moves the first one to the last place before sending them in ALPN, and | |
153 // uses the first one as a fallback for NPN. | |
154 static void ReorderNextProtos(NextProtoVector* next_protos); | |
155 | |
156 std::unique_ptr<ClientSocketHandle> transport_; | |
157 HostPortPair host_and_port_; | |
158 SSLConfig ssl_config_; | |
159 | |
160 scoped_refptr<Core> core_; | |
161 | |
162 CompletionCallback user_connect_callback_; | |
163 | |
164 CertVerifyResult server_cert_verify_result_; | |
165 | |
166 CertVerifier* const cert_verifier_; | |
167 std::unique_ptr<CertVerifier::Request> cert_verifier_request_; | |
168 | |
169 // Certificate Transparency: Verifier and result holder. | |
170 ct::CTVerifyResult ct_verify_result_; | |
171 CTVerifier* cert_transparency_verifier_; | |
172 | |
173 // The service for retrieving Channel ID keys. May be NULL. | |
174 ChannelIDService* channel_id_service_; | |
175 | |
176 // ssl_session_cache_shard_ is an opaque string that partitions the SSL | |
177 // session cache. i.e. sessions created with one value will not attempt to | |
178 // resume on the socket with a different value. | |
179 const std::string ssl_session_cache_shard_; | |
180 | |
181 // True if the SSL handshake has been completed. | |
182 bool completed_handshake_; | |
183 | |
184 State next_handshake_state_; | |
185 | |
186 // True if the socket has been disconnected. | |
187 bool disconnected_; | |
188 | |
189 // The NSS SSL state machine. This is owned by |core_|. | |
190 // TODO(rsleevi): http://crbug.com/130616 - Remove this member once | |
191 // ExportKeyingMaterial is updated to be asynchronous. | |
192 PRFileDesc* nss_fd_; | |
193 | |
194 BoundNetLog net_log_; | |
195 | |
196 base::TimeTicks start_cert_verification_time_; | |
197 | |
198 TransportSecurityState* transport_security_state_; | |
199 | |
200 CTPolicyEnforcer* const policy_enforcer_; | |
201 | |
202 // pinning_failure_log contains a message produced by | |
203 // TransportSecurityState::CheckPublicKeyPins in the event of a | |
204 // pinning failure. It is a (somewhat) human-readable string. | |
205 std::string pinning_failure_log_; | |
206 | |
207 // The following two variables are added for debugging bug 65948. Will | |
208 // remove this code after fixing bug 65948. | |
209 // Added the following code Debugging in release mode. | |
210 mutable base::Lock lock_; | |
211 // This is mutable so that CalledOnValidThread can set it. | |
212 // It's guarded by |lock_|. | |
213 mutable base::PlatformThreadId valid_thread_id_; | |
214 }; | |
215 | |
216 } // namespace net | |
217 | |
218 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | |