Chromium Code Reviews Chromium Code Reviews
Issue 76443006:
Certificate Transparency: Threading the CT verifier into the SSL client socket. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |
| 6 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 6 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |
| 7 | 7 |
| 8 #include <certt.h> | 8 #include <certt.h> |
| 9 #include <keyt.h> | 9 #include <keyt.h> |
| 10 #include <nspr.h> | 10 #include <nspr.h> |
| 11 #include <nss.h> | 11 #include <nss.h> |
| 12 | 12 |
| 13 #include <string> | 13 #include <string> |
| 14 #include <vector> | 14 #include <vector> |
| 15 | 15 |
| 16 #include "base/memory/scoped_ptr.h" | 16 #include "base/memory/scoped_ptr.h" |
| 17 #include "base/synchronization/lock.h" | 17 #include "base/synchronization/lock.h" |
| 18 #include "base/threading/platform_thread.h" | 18 #include "base/threading/platform_thread.h" |
| 19 #include "base/time/time.h" | 19 #include "base/time/time.h" |
| 20 #include "base/timer/timer.h" | 20 #include "base/timer/timer.h" |
| 21 #include "net/base/completion_callback.h" | 21 #include "net/base/completion_callback.h" |
| 22 #include "net/base/host_port_pair.h" | 22 #include "net/base/host_port_pair.h" |
| 23 #include "net/base/net_export.h" | 23 #include "net/base/net_export.h" |
| 24 #include "net/base/net_log.h" | 24 #include "net/base/net_log.h" |
| 25 #include "net/base/nss_memio.h" | 25 #include "net/base/nss_memio.h" |
| 26 #include "net/cert/cert_verify_result.h" | 26 #include "net/cert/cert_verify_result.h" |
| 27 #include "net/cert/ct_verify_result.h" | |
| 27 #include "net/cert/x509_certificate.h" | 28 #include "net/cert/x509_certificate.h" |
| 28 #include "net/socket/ssl_client_socket.h" | 29 #include "net/socket/ssl_client_socket.h" |
| 29 #include "net/ssl/server_bound_cert_service.h" | 30 #include "net/ssl/server_bound_cert_service.h" |
| 30 #include "net/ssl/ssl_config_service.h" | 31 #include "net/ssl/ssl_config_service.h" |
| 31 | 32 |
| 32 namespace base { | 33 namespace base { |
| 33 class SequencedTaskRunner; | 34 class SequencedTaskRunner; |
| 34 } | 35 } |
| 35 | 36 |
| 36 namespace net { | 37 namespace net { |
| 37 | 38 |
| 38 class BoundNetLog; | 39 class BoundNetLog; |
| 39 class CertVerifier; | 40 class CertVerifier; |
| 41 class CTVerifier; | |
| 40 class ClientSocketHandle; | 42 class ClientSocketHandle; |
| 41 class ServerBoundCertService; | 43 class ServerBoundCertService; |
| 42 class SingleRequestCertVerifier; | 44 class SingleRequestCertVerifier; |
| 43 class TransportSecurityState; | 45 class TransportSecurityState; |
| 44 class X509Certificate; | 46 class X509Certificate; |
| 45 | 47 |
| 46 // An SSL client socket implemented with Mozilla NSS. | 48 // An SSL client socket implemented with Mozilla NSS. |
| 47 class SSLClientSocketNSS : public SSLClientSocket { | 49 class SSLClientSocketNSS : public SSLClientSocket { |
| 48 public: | 50 public: |
| 49 // Takes ownership of the |transport_socket|, which must already be connected. | 51 // Takes ownership of the |transport_socket|, which must already be connected. |
| (...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 127 int InitializeSSLPeerName(); | 129 int InitializeSSLPeerName(); |
| 128 | 130 |
| 129 void DoConnectCallback(int result); | 131 void DoConnectCallback(int result); |
| 130 void OnHandshakeIOComplete(int result); | 132 void OnHandshakeIOComplete(int result); |
| 131 | 133 |
| 132 int DoHandshakeLoop(int last_io_result); | 134 int DoHandshakeLoop(int last_io_result); |
| 133 int DoHandshake(); | 135 int DoHandshake(); |
| 134 int DoHandshakeComplete(int result); | 136 int DoHandshakeComplete(int result); |
| 135 int DoVerifyCert(int result); | 137 int DoVerifyCert(int result); |
| 136 int DoVerifyCertComplete(int result); | 138 int DoVerifyCertComplete(int result); |
| 139 void VerifyCT(); | |
|
wtc
2013/11/27 20:00:49
Nit: add a blank line before to separate this meth
Eran M. (Google)
2013/11/27 23:01:42
Done.
| |
| 137 | 140 |
| 138 void LogConnectionTypeMetrics() const; | 141 void LogConnectionTypeMetrics() const; |
| 139 | 142 |
| 140 // The following methods are for debugging bug 65948. Will remove this code | 143 // The following methods are for debugging bug 65948. Will remove this code |
| 141 // after fixing bug 65948. | 144 // after fixing bug 65948. |
| 142 void EnsureThreadIdAssigned() const; | 145 void EnsureThreadIdAssigned() const; |
| 143 bool CalledOnValidThread() const; | 146 bool CalledOnValidThread() const; |
| 144 | 147 |
| 145 // The task runner used to perform NSS operations. | 148 // The task runner used to perform NSS operations. |
| 146 scoped_refptr<base::SequencedTaskRunner> nss_task_runner_; | 149 scoped_refptr<base::SequencedTaskRunner> nss_task_runner_; |
| 147 scoped_ptr<ClientSocketHandle> transport_; | 150 scoped_ptr<ClientSocketHandle> transport_; |
| 148 HostPortPair host_and_port_; | 151 HostPortPair host_and_port_; |
| 149 SSLConfig ssl_config_; | 152 SSLConfig ssl_config_; |
| 150 | 153 |
| 151 scoped_refptr<Core> core_; | 154 scoped_refptr<Core> core_; |
| 152 | 155 |
| 153 CompletionCallback user_connect_callback_; | 156 CompletionCallback user_connect_callback_; |
| 154 | 157 |
| 155 CertVerifyResult server_cert_verify_result_; | 158 CertVerifyResult server_cert_verify_result_; |
| 156 HashValueVector side_pinned_public_keys_; | 159 HashValueVector side_pinned_public_keys_; |
| 157 | 160 |
| 158 CertVerifier* const cert_verifier_; | 161 CertVerifier* const cert_verifier_; |
| 159 scoped_ptr<SingleRequestCertVerifier> verifier_; | 162 scoped_ptr<SingleRequestCertVerifier> verifier_; |
| 160 | 163 |
| 164 // Certificate Transparency: Verifier and result holder. | |
| 165 ct::CTVerifyResult ct_verify_result_; | |
| 166 CTVerifier* cert_transparency_verifier_; | |
| 167 | |
| 161 // The service for retrieving Channel ID keys. May be NULL. | 168 // The service for retrieving Channel ID keys. May be NULL. |
| 162 ServerBoundCertService* server_bound_cert_service_; | 169 ServerBoundCertService* server_bound_cert_service_; |
| 163 | 170 |
| 164 // ssl_session_cache_shard_ is an opaque string that partitions the SSL | 171 // ssl_session_cache_shard_ is an opaque string that partitions the SSL |
| 165 // session cache. i.e. sessions created with one value will not attempt to | 172 // session cache. i.e. sessions created with one value will not attempt to |
| 166 // resume on the socket with a different value. | 173 // resume on the socket with a different value. |
| 167 const std::string ssl_session_cache_shard_; | 174 const std::string ssl_session_cache_shard_; |
| 168 | 175 |
| 169 // True if the SSL handshake has been completed. | 176 // True if the SSL handshake has been completed. |
| 170 bool completed_handshake_; | 177 bool completed_handshake_; |
| (...skipping 16 matching lines...) Expand all Loading... | |
| 187 // Added the following code Debugging in release mode. | 194 // Added the following code Debugging in release mode. |
| 188 mutable base::Lock lock_; | 195 mutable base::Lock lock_; |
| 189 // This is mutable so that CalledOnValidThread can set it. | 196 // This is mutable so that CalledOnValidThread can set it. |
| 190 // It's guarded by |lock_|. | 197 // It's guarded by |lock_|. |
| 191 mutable base::PlatformThreadId valid_thread_id_; | 198 mutable base::PlatformThreadId valid_thread_id_; |
| 192 }; | 199 }; |
| 193 | 200 |
| 194 } // namespace net | 201 } // namespace net |
| 195 | 202 |
| 196 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 203 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |
| OLD | NEW |
