1 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ 6 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ 7 8 #include <certt.h> 9 #include <keyt.h> 10 #include <nspr.h> 11 #include <nss.h> 12 13 #include <string> 14 #include <vector> 15 16 #include "base/scoped_ptr.h" 17 #include "net/base/cert_verify_result.h" 18 #include "net/base/completion_callback.h" 19 #include "net/base/nss_memio.h" 20 #include "net/base/ssl_config_service.h" 21 #include "net/socket/ssl_client_socket.h" 22 23 namespace net { 24 25 class CertVerifier; 26 class LoadLog; 27 class X509Certificate; 28 29 // An SSL client socket implemented with Mozilla NSS. 30 class SSLClientSocketNSS : public SSLClientSocket { 31 public: 32 // Takes ownership of the transport_socket, which may already be connected. 33 // The given hostname will be compared with the name(s) in the server's 34 // certificate during the SSL handshake. ssl_config specifies the SSL 35 // settings. 36 SSLClientSocketNSS(ClientSocket* transport_socket, 37 const std::string& hostname, 38 const SSLConfig& ssl_config); 39 ~SSLClientSocketNSS(); 40 41 // SSLClientSocket methods: 42 virtual void GetSSLInfo(SSLInfo* ssl_info); 43 virtual void GetSSLCertRequestInfo(SSLCertRequestInfo* cert_request_info); 44 virtual NextProtoStatus GetNextProto(std::string* proto); 45 46 // ClientSocket methods: 47 virtual int Connect(CompletionCallback* callback, LoadLog* load_log); 48 virtual void Disconnect(); 49 virtual bool IsConnected() const; 50 virtual bool IsConnectedAndIdle() const; 51 virtual int GetPeerName(struct sockaddr* name, socklen_t* namelen); 52 53 // Socket methods: 54 virtual int Read(IOBuffer* buf, int buf_len, CompletionCallback* callback); 55 virtual int Write(IOBuffer* buf, int buf_len, CompletionCallback* callback); 56 virtual bool SetReceiveBufferSize(int32 size); 57 virtual bool SetSendBufferSize(int32 size); 58 59 private: 60 // Initializes NSS SSL options. Returns a net error code. 61 int InitializeSSLOptions(); 62 63 void InvalidateSessionIfBadCertificate(); 64 X509Certificate* UpdateServerCert(); 65 void DoReadCallback(int result); 66 void DoWriteCallback(int result); 67 void DoConnectCallback(int result); 68 void OnHandshakeIOComplete(int result); 69 void OnSendComplete(int result); 70 void OnRecvComplete(int result); 71 72 int DoHandshakeLoop(int last_io_result); 73 int DoReadLoop(int result); 74 int DoWriteLoop(int result); 75 76 int DoHandshake(); 77 int DoVerifyCert(int result); 78 int DoVerifyCertComplete(int result); 79 int DoPayloadRead(); 80 int DoPayloadWrite(); 81 int Init(); 82 83 bool DoTransportIO(); 84 int BufferSend(void); 85 int BufferRecv(void); 86 void BufferSendComplete(int result); 87 void BufferRecvComplete(int result); 88 89 // NSS calls this when checking certificates. We pass 'this' as the first 90 // argument. 91 static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket, 92 PRBool checksig, PRBool is_server); 93 // NSS calls this when client authentication is requested. 94 static SECStatus ClientAuthHandler(void* arg, 95 PRFileDesc* socket, 96 CERTDistNames* ca_names, 97 CERTCertificate** result_certificate, 98 SECKEYPrivateKey** result_private_key); 99 // NSS calls this when handshake is completed. We pass 'this' as the second 100 // argument. 101 static void HandshakeCallback(PRFileDesc* socket, void* arg); 102 103 CompletionCallbackImpl<SSLClientSocketNSS> buffer_send_callback_; 104 CompletionCallbackImpl<SSLClientSocketNSS> buffer_recv_callback_; 105 bool transport_send_busy_; 106 bool transport_recv_busy_; 107 scoped_refptr<IOBuffer> recv_buffer_; 108 109 CompletionCallbackImpl<SSLClientSocketNSS> handshake_io_callback_; 110 scoped_ptr<ClientSocket> transport_; 111 std::string hostname_; 112 SSLConfig ssl_config_; 113 114 CompletionCallback* user_connect_callback_; 115 CompletionCallback* user_read_callback_; 116 CompletionCallback* user_write_callback_; 117 118 // Used by Read function. 119 scoped_refptr<IOBuffer> user_read_buf_; 120 int user_read_buf_len_; 121 122 // Used by Write function. 123 scoped_refptr<IOBuffer> user_write_buf_; 124 int user_write_buf_len_; 125 126 // Set when handshake finishes. The server certificate is first received 127 // from NSS as an NSS certificate handle (server_cert_nss_), and then 128 // converted into an X509Certificate object (server_cert_). 129 scoped_refptr<X509Certificate> server_cert_; 130 CERTCertificate* server_cert_nss_; 131 CertVerifyResult server_cert_verify_result_; 132 133 // Stores client authentication information between ClientAuthHandler and 134 // GetSSLCertRequestInfo calls. 135 std::vector<scoped_refptr<X509Certificate> > client_certs_; 136 bool client_auth_cert_needed_; 137 138 scoped_ptr<CertVerifier> verifier_; 139 140 bool completed_handshake_; 141 142 enum State { 143 STATE_NONE, 144 STATE_HANDSHAKE, 145 STATE_VERIFY_CERT, 146 STATE_VERIFY_CERT_COMPLETE, 147 }; 148 State next_handshake_state_; 149 150 // The NSS SSL state machine 151 PRFileDesc* nss_fd_; 152 153 // Buffers for the network end of the SSL state machine 154 memio_Private* nss_bufs_; 155 156 scoped_refptr<LoadLog> load_log_; 157 158 #if defined(OS_WIN) 159 // A CryptoAPI in-memory certificate store that we import server 160 // certificates into so that we can verify and display the certificates 161 // using CryptoAPI. 162 static HCERTSTORE cert_store_; 163 #endif 164 }; 165 166 } // namespace net 167 168 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ 169