• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_
7 
8 #include <stdint.h>
9 
10 #include <memory>
11 #include <vector>
12 
13 #include "base/gtest_prod_util.h"
14 #include "base/memory/raw_ptr.h"
15 #include "base/observer_list.h"
16 #include "net/base/net_export.h"
17 #include "net/cert/cert_database.h"
18 #include "net/cert/cert_verifier.h"
19 #include "net/socket/ssl_socket.h"
20 #include "net/ssl/ssl_client_auth_cache.h"
21 #include "net/ssl/ssl_config_service.h"
22 
23 namespace net {
24 
25 class CTPolicyEnforcer;
26 class HostPortPair;
27 class SCTAuditingDelegate;
28 class SSLClientSessionCache;
29 struct SSLConfig;
30 class SSLKeyLogger;
31 class StreamSocket;
32 class TransportSecurityState;
33 
34 // A client socket that uses SSL as the transport layer.
35 //
36 // NOTE: The SSL handshake occurs within the Connect method after a TCP
37 // connection is established.  If a SSL error occurs during the handshake,
38 // Connect will fail.
39 //
40 class NET_EXPORT SSLClientSocket : public SSLSocket {
41  public:
42   SSLClientSocket();
43 
44   // Called in response to |ERR_ECH_NOT_NEGOTIATED| in Connect(), to determine
45   // how to retry the connection, up to some limit. If this method returns a
46   // non-empty string, it is the serialized updated ECHConfigList provided by
47   // the server. The connection can be retried with the new value. If it returns
48   // an empty string, the server has indicated ECH has been disabled. The
49   // connection can be retried with ECH disabled.
50   virtual std::vector<uint8_t> GetECHRetryConfigs() = 0;
51 
52   // Log SSL key material to |logger|. Must be called before any
53   // SSLClientSockets are created.
54   //
55   // TODO(davidben): Switch this to a parameter on the SSLClientSocketContext
56   // once https://crbug.com/458365 is resolved.
57   static void SetSSLKeyLogger(std::unique_ptr<SSLKeyLogger> logger);
58 
59  protected:
set_signed_cert_timestamps_received(bool signed_cert_timestamps_received)60   void set_signed_cert_timestamps_received(
61       bool signed_cert_timestamps_received) {
62     signed_cert_timestamps_received_ = signed_cert_timestamps_received;
63   }
64 
set_stapled_ocsp_response_received(bool stapled_ocsp_response_received)65   void set_stapled_ocsp_response_received(bool stapled_ocsp_response_received) {
66     stapled_ocsp_response_received_ = stapled_ocsp_response_received;
67   }
68 
69   // Serialize |next_protos| in the wire format for ALPN: protocols are listed
70   // in order, each prefixed by a one-byte length.
71   static std::vector<uint8_t> SerializeNextProtos(
72       const NextProtoVector& next_protos);
73 
74  private:
75   FRIEND_TEST_ALL_PREFIXES(SSLClientSocket, SerializeNextProtos);
76   // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.
77   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketVersionTest,
78                            ConnectSignedCertTimestampsTLSExtension);
79   FRIEND_TEST_ALL_PREFIXES(SSLClientSocketVersionTest,
80                            ConnectSignedCertTimestampsEnablesOCSP);
81 
82   // True if SCTs were received via a TLS extension.
83   bool signed_cert_timestamps_received_ = false;
84   // True if a stapled OCSP response was received.
85   bool stapled_ocsp_response_received_ = false;
86 };
87 
88 // Shared state and configuration across multiple SSLClientSockets.
89 class NET_EXPORT SSLClientContext : public SSLConfigService::Observer,
90                                     public CertVerifier::Observer,
91                                     public CertDatabase::Observer {
92  public:
93   enum class SSLConfigChangeType {
94     kSSLConfigChanged,
95     kCertDatabaseChanged,
96     kCertVerifierChanged,
97   };
98 
99   class NET_EXPORT Observer : public base::CheckedObserver {
100    public:
101     // Called when SSL configuration for all hosts changed. Newly-created
102     // SSLClientSockets will pick up the new configuration. Note that changes
103     // which only apply to one server will result in a call to
104     // OnSSLConfigForServerChanged() instead.
105     virtual void OnSSLConfigChanged(SSLConfigChangeType change_type) = 0;
106     // Called when SSL configuration for |server| changed. Newly-created
107     // SSLClientSockets to |server| will pick up the new configuration.
108     virtual void OnSSLConfigForServerChanged(const HostPortPair& server) = 0;
109   };
110 
111   // Creates a new SSLClientContext with the specified parameters. The
112   // SSLClientContext may not outlive the input parameters.
113   //
114   // |ssl_config_service| may be null to always use the default
115   // SSLContextConfig. |ssl_client_session_cache| may be null to disable session
116   // caching. |sct_auditing_delegate| may be null to disable SCT auditing.
117   SSLClientContext(SSLConfigService* ssl_config_service,
118                    CertVerifier* cert_verifier,
119                    TransportSecurityState* transport_security_state,
120                    CTPolicyEnforcer* ct_policy_enforcer,
121                    SSLClientSessionCache* ssl_client_session_cache,
122                    SCTAuditingDelegate* sct_auditing_delegate);
123 
124   SSLClientContext(const SSLClientContext&) = delete;
125   SSLClientContext& operator=(const SSLClientContext&) = delete;
126 
127   ~SSLClientContext() override;
128 
config()129   const SSLContextConfig& config() { return config_; }
130 
ssl_config_service()131   SSLConfigService* ssl_config_service() { return ssl_config_service_; }
cert_verifier()132   CertVerifier* cert_verifier() { return cert_verifier_; }
transport_security_state()133   TransportSecurityState* transport_security_state() {
134     return transport_security_state_;
135   }
ct_policy_enforcer()136   CTPolicyEnforcer* ct_policy_enforcer() { return ct_policy_enforcer_; }
ssl_client_session_cache()137   SSLClientSessionCache* ssl_client_session_cache() {
138     return ssl_client_session_cache_;
139   }
sct_auditing_delegate()140   SCTAuditingDelegate* sct_auditing_delegate() {
141     return sct_auditing_delegate_;
142   }
143 
144   // Creates a new SSLClientSocket which can then be used to establish an SSL
145   // connection to |host_and_port| over the already-connected |stream_socket|.
146   std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
147       std::unique_ptr<StreamSocket> stream_socket,
148       const HostPortPair& host_and_port,
149       const SSLConfig& ssl_config);
150 
151   // Looks up the client certificate preference for |server|. If one is found,
152   // returns true and sets |client_cert| and |private_key| to the certificate
153   // and key. Note these may be null if the preference is to continue with no
154   // client certificate. Returns false if no preferences are configured,
155   // which means client certificate requests should be reported as
156   // ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
157   bool GetClientCertificate(const HostPortPair& server,
158                             scoped_refptr<X509Certificate>* client_cert,
159                             scoped_refptr<SSLPrivateKey>* private_key);
160 
161   // Configures all subsequent connections to |server| to authenticate with
162   // |client_cert| and |private_key| when requested. If there is already a
163   // client certificate for |server|, it will be overwritten. |client_cert| and
164   // |private_key| may be null to indicate that no client certificate should be
165   // sent to |server|.
166   //
167   // Note this method will synchronously call OnSSLConfigForServerChanged() on
168   // observers.
169   void SetClientCertificate(const HostPortPair& server,
170                             scoped_refptr<X509Certificate> client_cert,
171                             scoped_refptr<SSLPrivateKey> private_key);
172 
173   // Clears a client certificate preference for |server| set by
174   // SetClientCertificate(). Returns true if one was removed and false
175   // otherwise.
176   //
177   // Note this method will synchronously call OnSSLConfigForServerChanged() on
178   // observers.
179   bool ClearClientCertificate(const HostPortPair& server);
180 
181   // Add an observer to be notified when configuration has changed.
182   // RemoveObserver() must be called before |observer| is destroyed.
183   void AddObserver(Observer* observer);
184 
185   // Remove an observer added with AddObserver().
186   void RemoveObserver(Observer* observer);
187 
188   // SSLConfigService::Observer:
189   void OnSSLContextConfigChanged() override;
190 
191   // CertVerifier::Observer:
192   void OnCertVerifierChanged() override;
193 
194   // CertDatabase::Observer:
195   void OnCertDBChanged() override;
196 
197  private:
198   void NotifySSLConfigChanged(SSLConfigChangeType change_type);
199   void NotifySSLConfigForServerChanged(const HostPortPair& server);
200 
201   SSLContextConfig config_;
202 
203   raw_ptr<SSLConfigService> ssl_config_service_;
204   raw_ptr<CertVerifier> cert_verifier_;
205   raw_ptr<TransportSecurityState> transport_security_state_;
206   raw_ptr<CTPolicyEnforcer> ct_policy_enforcer_;
207   raw_ptr<SSLClientSessionCache> ssl_client_session_cache_;
208   raw_ptr<SCTAuditingDelegate> sct_auditing_delegate_;
209 
210   SSLClientAuthCache ssl_client_auth_cache_;
211 
212   base::ObserverList<Observer, true /* check_empty */> observers_;
213 };
214 
215 }  // namespace net
216 
217 #endif  // NET_SOCKET_SSL_CLIENT_SOCKET_H_
218