1 // Copyright 2012 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_ 6 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_ 7 8 #include <stdint.h> 9 10 #include <memory> 11 #include <vector> 12 13 #include "base/containers/flat_set.h" 14 #include "base/gtest_prod_util.h" 15 #include "base/memory/raw_ptr.h" 16 #include "base/observer_list.h" 17 #include "net/base/net_export.h" 18 #include "net/cert/cert_database.h" 19 #include "net/cert/cert_verifier.h" 20 #include "net/socket/ssl_socket.h" 21 #include "net/ssl/ssl_client_auth_cache.h" 22 #include "net/ssl/ssl_config_service.h" 23 24 namespace net { 25 26 class CTPolicyEnforcer; 27 class HostPortPair; 28 class SCTAuditingDelegate; 29 class SSLClientSessionCache; 30 struct SSLConfig; 31 class SSLKeyLogger; 32 class StreamSocket; 33 class TransportSecurityState; 34 35 // A client socket that uses SSL as the transport layer. 36 // 37 // NOTE: The SSL handshake occurs within the Connect method after a TCP 38 // connection is established. If a SSL error occurs during the handshake, 39 // Connect will fail. 40 // 41 class NET_EXPORT SSLClientSocket : public SSLSocket { 42 public: 43 SSLClientSocket(); 44 45 // Called in response to |ERR_ECH_NOT_NEGOTIATED| in Connect(), to determine 46 // how to retry the connection, up to some limit. If this method returns a 47 // non-empty string, it is the serialized updated ECHConfigList provided by 48 // the server. The connection can be retried with the new value. If it returns 49 // an empty string, the server has indicated ECH has been disabled. The 50 // connection can be retried with ECH disabled. 51 virtual std::vector<uint8_t> GetECHRetryConfigs() = 0; 52 53 // Log SSL key material to |logger|. Must be called before any 54 // SSLClientSockets are created. 55 // 56 // TODO(davidben): Switch this to a parameter on the SSLClientSocketContext 57 // once https://crbug.com/458365 is resolved. 58 static void SetSSLKeyLogger(std::unique_ptr<SSLKeyLogger> logger); 59 60 protected: set_signed_cert_timestamps_received(bool signed_cert_timestamps_received)61 void set_signed_cert_timestamps_received( 62 bool signed_cert_timestamps_received) { 63 signed_cert_timestamps_received_ = signed_cert_timestamps_received; 64 } 65 set_stapled_ocsp_response_received(bool stapled_ocsp_response_received)66 void set_stapled_ocsp_response_received(bool stapled_ocsp_response_received) { 67 stapled_ocsp_response_received_ = stapled_ocsp_response_received; 68 } 69 70 // Serialize |next_protos| in the wire format for ALPN: protocols are listed 71 // in order, each prefixed by a one-byte length. 72 static std::vector<uint8_t> SerializeNextProtos( 73 const NextProtoVector& next_protos); 74 75 private: 76 FRIEND_TEST_ALL_PREFIXES(SSLClientSocket, SerializeNextProtos); 77 // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_. 78 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketVersionTest, 79 ConnectSignedCertTimestampsTLSExtension); 80 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketVersionTest, 81 ConnectSignedCertTimestampsEnablesOCSP); 82 83 // True if SCTs were received via a TLS extension. 84 bool signed_cert_timestamps_received_ = false; 85 // True if a stapled OCSP response was received. 86 bool stapled_ocsp_response_received_ = false; 87 }; 88 89 // Shared state and configuration across multiple SSLClientSockets. 90 class NET_EXPORT SSLClientContext : public SSLConfigService::Observer, 91 public CertVerifier::Observer, 92 public CertDatabase::Observer { 93 public: 94 enum class SSLConfigChangeType { 95 kSSLConfigChanged, 96 kCertDatabaseChanged, 97 kCertVerifierChanged, 98 }; 99 100 class NET_EXPORT Observer : public base::CheckedObserver { 101 public: 102 // Called when SSL configuration for all hosts changed. Newly-created 103 // SSLClientSockets will pick up the new configuration. Note that changes 104 // which only apply to one server will result in a call to 105 // OnSSLConfigForServersChanged() instead. 106 virtual void OnSSLConfigChanged(SSLConfigChangeType change_type) = 0; 107 // Called when SSL configuration for |servers| changed. Newly-created 108 // SSLClientSockets to any server in |servers| will pick up the new 109 // configuration. 110 virtual void OnSSLConfigForServersChanged( 111 const base::flat_set<HostPortPair>& servers) = 0; 112 }; 113 114 // Creates a new SSLClientContext with the specified parameters. The 115 // SSLClientContext may not outlive the input parameters. 116 // 117 // |ssl_config_service| may be null to always use the default 118 // SSLContextConfig. |ssl_client_session_cache| may be null to disable session 119 // caching. |sct_auditing_delegate| may be null to disable SCT auditing. 120 SSLClientContext(SSLConfigService* ssl_config_service, 121 CertVerifier* cert_verifier, 122 TransportSecurityState* transport_security_state, 123 CTPolicyEnforcer* ct_policy_enforcer, 124 SSLClientSessionCache* ssl_client_session_cache, 125 SCTAuditingDelegate* sct_auditing_delegate); 126 127 SSLClientContext(const SSLClientContext&) = delete; 128 SSLClientContext& operator=(const SSLClientContext&) = delete; 129 130 ~SSLClientContext() override; 131 config()132 const SSLContextConfig& config() { return config_; } 133 ssl_config_service()134 SSLConfigService* ssl_config_service() { return ssl_config_service_; } cert_verifier()135 CertVerifier* cert_verifier() { return cert_verifier_; } transport_security_state()136 TransportSecurityState* transport_security_state() { 137 return transport_security_state_; 138 } ct_policy_enforcer()139 CTPolicyEnforcer* ct_policy_enforcer() { return ct_policy_enforcer_; } ssl_client_session_cache()140 SSLClientSessionCache* ssl_client_session_cache() { 141 return ssl_client_session_cache_; 142 } sct_auditing_delegate()143 SCTAuditingDelegate* sct_auditing_delegate() { 144 return sct_auditing_delegate_; 145 } 146 147 // Creates a new SSLClientSocket which can then be used to establish an SSL 148 // connection to |host_and_port| over the already-connected |stream_socket|. 149 std::unique_ptr<SSLClientSocket> CreateSSLClientSocket( 150 std::unique_ptr<StreamSocket> stream_socket, 151 const HostPortPair& host_and_port, 152 const SSLConfig& ssl_config); 153 154 // Looks up the client certificate preference for |server|. If one is found, 155 // returns true and sets |client_cert| and |private_key| to the certificate 156 // and key. Note these may be null if the preference is to continue with no 157 // client certificate. Returns false if no preferences are configured, 158 // which means client certificate requests should be reported as 159 // ERR_SSL_CLIENT_AUTH_CERT_NEEDED. 160 bool GetClientCertificate(const HostPortPair& server, 161 scoped_refptr<X509Certificate>* client_cert, 162 scoped_refptr<SSLPrivateKey>* private_key); 163 164 // Configures all subsequent connections to |server| to authenticate with 165 // |client_cert| and |private_key| when requested. If there is already a 166 // client certificate for |server|, it will be overwritten. |client_cert| and 167 // |private_key| may be null to indicate that no client certificate should be 168 // sent to |server|. 169 // 170 // Note this method will synchronously call OnSSLConfigForServersChanged() on 171 // observers. 172 void SetClientCertificate(const HostPortPair& server, 173 scoped_refptr<X509Certificate> client_cert, 174 scoped_refptr<SSLPrivateKey> private_key); 175 176 // Clears a client certificate preference for |server| set by 177 // SetClientCertificate(). Returns true if one was removed and false 178 // otherwise. 179 // 180 // Note this method will synchronously call OnSSLConfigForServersChanged() on 181 // observers. 182 bool ClearClientCertificate(const HostPortPair& server); 183 184 // Clears a client certificate preference for |host| set by 185 // SetClientCertificate() if |certificate| doesn't match the cached 186 // certificate. 187 // 188 // Note this method will synchronously call OnSSLConfigForServersChanged() on 189 // observers. 190 void ClearClientCertificateIfNeeded( 191 const net::HostPortPair& host, 192 const scoped_refptr<net::X509Certificate>& certificate); 193 GetClientCertificateCachedServersForTesting()194 base::flat_set<HostPortPair> GetClientCertificateCachedServersForTesting() 195 const { 196 return ssl_client_auth_cache_.GetCachedServers(); 197 } 198 199 // Add an observer to be notified when configuration has changed. 200 // RemoveObserver() must be called before |observer| is destroyed. 201 void AddObserver(Observer* observer); 202 203 // Remove an observer added with AddObserver(). 204 void RemoveObserver(Observer* observer); 205 206 // SSLConfigService::Observer: 207 void OnSSLContextConfigChanged() override; 208 209 // CertVerifier::Observer: 210 void OnCertVerifierChanged() override; 211 212 // CertDatabase::Observer: 213 void OnTrustStoreChanged() override; 214 void OnClientCertStoreChanged() override; 215 216 private: 217 void NotifySSLConfigChanged(SSLConfigChangeType change_type); 218 void NotifySSLConfigForServersChanged( 219 const base::flat_set<HostPortPair>& servers); 220 221 SSLContextConfig config_; 222 223 raw_ptr<SSLConfigService> ssl_config_service_; 224 raw_ptr<CertVerifier> cert_verifier_; 225 raw_ptr<TransportSecurityState> transport_security_state_; 226 raw_ptr<CTPolicyEnforcer> ct_policy_enforcer_; 227 raw_ptr<SSLClientSessionCache> ssl_client_session_cache_; 228 raw_ptr<SCTAuditingDelegate> sct_auditing_delegate_; 229 230 SSLClientAuthCache ssl_client_auth_cache_; 231 232 base::ObserverList<Observer, true /* check_empty */> observers_; 233 }; 234 235 } // namespace net 236 237 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_ 238