OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_ | |
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_ | |
7 | |
8 #include <string> | |
9 | |
10 #include "base/gtest_prod_util.h" | |
11 #include "net/base/completion_callback.h" | |
12 #include "net/base/load_flags.h" | |
13 #include "net/base/net_errors.h" | |
14 #include "net/socket/ssl_socket.h" | |
15 #include "net/socket/stream_socket.h" | |
16 | |
17 namespace net { | |
18 | |
19 class CertPolicyEnforcer; | |
20 class CertVerifier; | |
21 class ChannelIDService; | |
22 class CTVerifier; | |
23 class HostPortPair; | |
24 class ServerBoundCertService; | |
25 class SSLCertRequestInfo; | |
26 struct SSLConfig; | |
27 class SSLInfo; | |
28 class TransportSecurityState; | |
29 class X509Certificate; | |
30 | |
31 // This struct groups together several fields which are used by various | |
32 // classes related to SSLClientSocket. | |
33 struct SSLClientSocketContext { | |
34 SSLClientSocketContext() | |
35 : cert_verifier(NULL), | |
36 channel_id_service(NULL), | |
37 transport_security_state(NULL), | |
38 cert_transparency_verifier(NULL), | |
39 cert_policy_enforcer(NULL) {} | |
40 | |
41 SSLClientSocketContext(CertVerifier* cert_verifier_arg, | |
42 ChannelIDService* channel_id_service_arg, | |
43 TransportSecurityState* transport_security_state_arg, | |
44 CTVerifier* cert_transparency_verifier_arg, | |
45 CertPolicyEnforcer* cert_policy_enforcer_arg, | |
46 const std::string& ssl_session_cache_shard_arg) | |
47 : cert_verifier(cert_verifier_arg), | |
48 channel_id_service(channel_id_service_arg), | |
49 transport_security_state(transport_security_state_arg), | |
50 cert_transparency_verifier(cert_transparency_verifier_arg), | |
51 cert_policy_enforcer(cert_policy_enforcer_arg), | |
52 ssl_session_cache_shard(ssl_session_cache_shard_arg) {} | |
53 | |
54 CertVerifier* cert_verifier; | |
55 ChannelIDService* channel_id_service; | |
56 TransportSecurityState* transport_security_state; | |
57 CTVerifier* cert_transparency_verifier; | |
58 CertPolicyEnforcer* cert_policy_enforcer; | |
59 // ssl_session_cache_shard is an opaque string that identifies a shard of the | |
60 // SSL session cache. SSL sockets with the same ssl_session_cache_shard may | |
61 // resume each other's SSL sessions but we'll never sessions between shards. | |
62 const std::string ssl_session_cache_shard; | |
63 }; | |
64 | |
65 // A client socket that uses SSL as the transport layer. | |
66 // | |
67 // NOTE: The SSL handshake occurs within the Connect method after a TCP | |
68 // connection is established. If a SSL error occurs during the handshake, | |
69 // Connect will fail. | |
70 // | |
71 class NET_EXPORT SSLClientSocket : public SSLSocket { | |
72 public: | |
73 SSLClientSocket(); | |
74 | |
75 // Next Protocol Negotiation (NPN) allows a TLS client and server to come to | |
76 // an agreement about the application level protocol to speak over a | |
77 // connection. | |
78 enum NextProtoStatus { | |
79 // WARNING: These values are serialized to disk. Don't change them. | |
80 | |
81 kNextProtoUnsupported = 0, // The server doesn't support NPN. | |
82 kNextProtoNegotiated = 1, // We agreed on a protocol. | |
83 kNextProtoNoOverlap = 2, // No protocols in common. We requested | |
84 // the first protocol in our list. | |
85 }; | |
86 | |
87 // TLS extension used to negotiate protocol. | |
88 enum SSLNegotiationExtension { | |
89 kExtensionUnknown, | |
90 kExtensionALPN, | |
91 kExtensionNPN, | |
92 }; | |
93 | |
94 // StreamSocket: | |
95 bool WasNpnNegotiated() const override; | |
96 NextProto GetNegotiatedProtocol() const override; | |
97 | |
98 // Computes a unique key string for the SSL session cache. | |
99 virtual std::string GetSessionCacheKey() const = 0; | |
100 | |
101 // Returns true if there is a cache entry in the SSL session cache | |
102 // for the cache key of the SSL socket. | |
103 // | |
104 // The cache key consists of a host and port concatenated with a session | |
105 // cache shard. These two strings are passed to the constructor of most | |
106 // subclasses of SSLClientSocket. | |
107 virtual bool InSessionCache() const = 0; | |
108 | |
109 // Sets |callback| to be run when the handshake has fully completed. | |
110 // For example, in the case of False Start, Connect() will return | |
111 // early, before the peer's TLS Finished message has been verified, | |
112 // in order to allow the caller to call Write() and send application | |
113 // data with the client's Finished message. | |
114 // In such situations, |callback| will be invoked sometime after | |
115 // Connect() - either during a Write() or Read() call, and before | |
116 // invoking the Read() or Write() callback. | |
117 // Otherwise, during a traditional TLS connection (i.e. no False | |
118 // Start), this will be called right before the Connect() callback | |
119 // is called. | |
120 // | |
121 // Note that it's not valid to mutate this socket during such | |
122 // callbacks, including deleting the socket. | |
123 // | |
124 // TODO(mshelley): Provide additional details about whether or not | |
125 // the handshake actually succeeded or not. This can be inferred | |
126 // from the result to Connect()/Read()/Write(), but may be useful | |
127 // to inform here as well. | |
128 virtual void SetHandshakeCompletionCallback( | |
129 const base::Closure& callback) = 0; | |
130 | |
131 // Gets the SSL CertificateRequest info of the socket after Connect failed | |
132 // with ERR_SSL_CLIENT_AUTH_CERT_NEEDED. | |
133 virtual void GetSSLCertRequestInfo( | |
134 SSLCertRequestInfo* cert_request_info) = 0; | |
135 | |
136 // Get the application level protocol that we negotiated with the server. | |
137 // *proto is set to the resulting protocol (n.b. that the string may have | |
138 // embedded NULs). | |
139 // kNextProtoUnsupported: *proto is cleared. | |
140 // kNextProtoNegotiated: *proto is set to the negotiated protocol. | |
141 // kNextProtoNoOverlap: *proto is set to the first protocol in the | |
142 // supported list. | |
143 virtual NextProtoStatus GetNextProto(std::string* proto) = 0; | |
144 | |
145 static NextProto NextProtoFromString(const std::string& proto_string); | |
146 | |
147 static const char* NextProtoToString(NextProto next_proto); | |
148 | |
149 static const char* NextProtoStatusToString(const NextProtoStatus status); | |
150 | |
151 static bool IgnoreCertError(int error, int load_flags); | |
152 | |
153 // ClearSessionCache clears the SSL session cache, used to resume SSL | |
154 // sessions. | |
155 static void ClearSessionCache(); | |
156 | |
157 // Get the maximum SSL version supported by the underlying library and | |
158 // cryptographic implementation. | |
159 static uint16 GetMaxSupportedSSLVersion(); | |
160 | |
161 virtual bool set_was_npn_negotiated(bool negotiated); | |
162 | |
163 virtual bool was_spdy_negotiated() const; | |
164 | |
165 virtual bool set_was_spdy_negotiated(bool negotiated); | |
166 | |
167 virtual void set_protocol_negotiated(NextProto protocol_negotiated); | |
168 | |
169 void set_negotiation_extension(SSLNegotiationExtension negotiation_extension); | |
170 | |
171 // Returns the ChannelIDService used by this socket, or NULL if | |
172 // channel ids are not supported. | |
173 virtual ChannelIDService* GetChannelIDService() const = 0; | |
174 | |
175 // Returns true if a channel ID was sent on this connection. | |
176 // This may be useful for protocols, like SPDY, which allow the same | |
177 // connection to be shared between multiple domains, each of which need | |
178 // a channel ID. | |
179 // | |
180 // Public for ssl_client_socket_openssl_unittest.cc. | |
181 virtual bool WasChannelIDSent() const; | |
182 | |
183 // Record which TLS extension was used to negotiate protocol and protocol | |
184 // chosen in a UMA histogram. | |
185 void RecordNegotiationExtension(); | |
186 | |
187 protected: | |
188 virtual void set_channel_id_sent(bool channel_id_sent); | |
189 | |
190 virtual void set_signed_cert_timestamps_received( | |
191 bool signed_cert_timestamps_received); | |
192 | |
193 virtual void set_stapled_ocsp_response_received( | |
194 bool stapled_ocsp_response_received); | |
195 | |
196 // Records histograms for channel id support during full handshakes - resumed | |
197 // handshakes are ignored. | |
198 static void RecordChannelIDSupport( | |
199 ChannelIDService* channel_id_service, | |
200 bool negotiated_channel_id, | |
201 bool channel_id_enabled, | |
202 bool supports_ecc); | |
203 | |
204 // Records ConnectionType histograms for a successful SSL connection. | |
205 static void RecordConnectionTypeMetrics(int ssl_version); | |
206 | |
207 // Returns whether TLS channel ID is enabled. | |
208 static bool IsChannelIDEnabled( | |
209 const SSLConfig& ssl_config, | |
210 ChannelIDService* channel_id_service); | |
211 | |
212 // Determine if there is at least one enabled cipher suite that satisfies | |
213 // Section 9.2 of the HTTP/2 specification. Note that the server might still | |
214 // pick an inadequate cipher suite. | |
215 static bool HasCipherAdequateForHTTP2( | |
216 const std::vector<uint16>& cipher_suites); | |
217 | |
218 // Determine if the TLS version required by Section 9.2 of the HTTP/2 | |
219 // specification is enabled. Note that the server might still pick an | |
220 // inadequate TLS version. | |
221 static bool IsTLSVersionAdequateForHTTP2(const SSLConfig& ssl_config); | |
222 | |
223 // Serializes |next_protos| in the wire format for ALPN: protocols are listed | |
224 // in order, each prefixed by a one-byte length. Any HTTP/2 protocols in | |
225 // |next_protos| are ignored if |can_advertise_http2| is false. | |
226 static std::vector<uint8_t> SerializeNextProtos( | |
227 const NextProtoVector& next_protos, | |
228 bool can_advertise_http2); | |
229 | |
230 // For unit testing only. | |
231 // Returns the unverified certificate chain as presented by server. | |
232 // Note that chain may be different than the verified chain returned by | |
233 // StreamSocket::GetSSLInfo(). | |
234 virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain() | |
235 const = 0; | |
236 | |
237 private: | |
238 FRIEND_TEST_ALL_PREFIXES(SSLClientSocket, SerializeNextProtos); | |
239 // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_. | |
240 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, | |
241 ConnectSignedCertTimestampsEnabledTLSExtension); | |
242 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, | |
243 ConnectSignedCertTimestampsEnabledOCSP); | |
244 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, | |
245 ConnectSignedCertTimestampsDisabled); | |
246 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, | |
247 VerifyServerChainProperlyOrdered); | |
248 | |
249 // True if NPN was responded to, independent of selecting SPDY or HTTP. | |
250 bool was_npn_negotiated_; | |
251 // True if NPN successfully negotiated SPDY. | |
252 bool was_spdy_negotiated_; | |
253 // Protocol that we negotiated with the server. | |
254 NextProto protocol_negotiated_; | |
255 // True if a channel ID was sent. | |
256 bool channel_id_sent_; | |
257 // True if SCTs were received via a TLS extension. | |
258 bool signed_cert_timestamps_received_; | |
259 // True if a stapled OCSP response was received. | |
260 bool stapled_ocsp_response_received_; | |
261 // Protocol negotiation extension used. | |
262 SSLNegotiationExtension negotiation_extension_; | |
263 }; | |
264 | |
265 } // namespace net | |
266 | |
267 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_ | |
OLD | NEW |