1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_ 6 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_ 7 8 #include <string> 9 10 #include "base/gtest_prod_util.h" 11 #include "net/base/completion_callback.h" 12 #include "net/base/load_flags.h" 13 #include "net/base/net_errors.h" 14 #include "net/socket/ssl_socket.h" 15 #include "net/socket/stream_socket.h" 16 17 namespace net { 18 19 class CertVerifier; 20 class CTVerifier; 21 class ServerBoundCertService; 22 class SSLCertRequestInfo; 23 struct SSLConfig; 24 class SSLInfo; 25 class TransportSecurityState; 26 class X509Certificate; 27 28 // This struct groups together several fields which are used by various 29 // classes related to SSLClientSocket. 30 struct SSLClientSocketContext { SSLClientSocketContextSSLClientSocketContext31 SSLClientSocketContext() 32 : cert_verifier(NULL), 33 server_bound_cert_service(NULL), 34 transport_security_state(NULL), 35 cert_transparency_verifier(NULL) {} 36 SSLClientSocketContextSSLClientSocketContext37 SSLClientSocketContext(CertVerifier* cert_verifier_arg, 38 ServerBoundCertService* server_bound_cert_service_arg, 39 TransportSecurityState* transport_security_state_arg, 40 CTVerifier* cert_transparency_verifier_arg, 41 const std::string& ssl_session_cache_shard_arg) 42 : cert_verifier(cert_verifier_arg), 43 server_bound_cert_service(server_bound_cert_service_arg), 44 transport_security_state(transport_security_state_arg), 45 cert_transparency_verifier(cert_transparency_verifier_arg), 46 ssl_session_cache_shard(ssl_session_cache_shard_arg) {} 47 48 CertVerifier* cert_verifier; 49 ServerBoundCertService* server_bound_cert_service; 50 TransportSecurityState* transport_security_state; 51 CTVerifier* cert_transparency_verifier; 52 // ssl_session_cache_shard is an opaque string that identifies a shard of the 53 // SSL session cache. SSL sockets with the same ssl_session_cache_shard may 54 // resume each other's SSL sessions but we'll never sessions between shards. 55 const std::string ssl_session_cache_shard; 56 }; 57 58 // A client socket that uses SSL as the transport layer. 59 // 60 // NOTE: The SSL handshake occurs within the Connect method after a TCP 61 // connection is established. If a SSL error occurs during the handshake, 62 // Connect will fail. 63 // 64 class NET_EXPORT SSLClientSocket : public SSLSocket { 65 public: 66 SSLClientSocket(); 67 68 // Next Protocol Negotiation (NPN) allows a TLS client and server to come to 69 // an agreement about the application level protocol to speak over a 70 // connection. 71 enum NextProtoStatus { 72 // WARNING: These values are serialized to disk. Don't change them. 73 74 kNextProtoUnsupported = 0, // The server doesn't support NPN. 75 kNextProtoNegotiated = 1, // We agreed on a protocol. 76 kNextProtoNoOverlap = 2, // No protocols in common. We requested 77 // the first protocol in our list. 78 }; 79 80 // StreamSocket: 81 virtual bool WasNpnNegotiated() const OVERRIDE; 82 virtual NextProto GetNegotiatedProtocol() const OVERRIDE; 83 84 // Gets the SSL CertificateRequest info of the socket after Connect failed 85 // with ERR_SSL_CLIENT_AUTH_CERT_NEEDED. 86 virtual void GetSSLCertRequestInfo( 87 SSLCertRequestInfo* cert_request_info) = 0; 88 89 // Get the application level protocol that we negotiated with the server. 90 // *proto is set to the resulting protocol (n.b. that the string may have 91 // embedded NULs). 92 // kNextProtoUnsupported: *proto is cleared. 93 // kNextProtoNegotiated: *proto is set to the negotiated protocol. 94 // kNextProtoNoOverlap: *proto is set to the first protocol in the 95 // supported list. 96 // *server_protos is set to the server advertised protocols. 97 virtual NextProtoStatus GetNextProto(std::string* proto, 98 std::string* server_protos) = 0; 99 100 static NextProto NextProtoFromString(const std::string& proto_string); 101 102 static const char* NextProtoToString(NextProto next_proto); 103 104 static const char* NextProtoStatusToString(const NextProtoStatus status); 105 106 // Can be used with the second argument(|server_protos|) of |GetNextProto| to 107 // construct a comma separated string of server advertised protocols. 108 static std::string ServerProtosToString(const std::string& server_protos); 109 110 static bool IgnoreCertError(int error, int load_flags); 111 112 // ClearSessionCache clears the SSL session cache, used to resume SSL 113 // sessions. 114 static void ClearSessionCache(); 115 116 virtual bool set_was_npn_negotiated(bool negotiated); 117 118 virtual bool was_spdy_negotiated() const; 119 120 virtual bool set_was_spdy_negotiated(bool negotiated); 121 122 virtual void set_protocol_negotiated(NextProto protocol_negotiated); 123 124 // Returns the ServerBoundCertService used by this socket, or NULL if 125 // server bound certificates are not supported. 126 virtual ServerBoundCertService* GetServerBoundCertService() const = 0; 127 128 // Returns true if a channel ID was sent on this connection. 129 // This may be useful for protocols, like SPDY, which allow the same 130 // connection to be shared between multiple domains, each of which need 131 // a channel ID. 132 // 133 // Public for ssl_client_socket_openssl_unittest.cc. 134 virtual bool WasChannelIDSent() const; 135 136 protected: 137 virtual void set_channel_id_sent(bool channel_id_sent); 138 139 virtual void set_signed_cert_timestamps_received( 140 bool signed_cert_timestamps_received); 141 142 virtual void set_stapled_ocsp_response_received( 143 bool stapled_ocsp_response_received); 144 145 // Records histograms for channel id support during full handshakes - resumed 146 // handshakes are ignored. 147 static void RecordChannelIDSupport( 148 ServerBoundCertService* server_bound_cert_service, 149 bool negotiated_channel_id, 150 bool channel_id_enabled, 151 bool supports_ecc); 152 153 // Returns whether TLS channel ID is enabled. 154 static bool IsChannelIDEnabled( 155 const SSLConfig& ssl_config, 156 ServerBoundCertService* server_bound_cert_service); 157 158 // For unit testing only. 159 // Returns the unverified certificate chain as presented by server. 160 // Note that chain may be different than the verified chain returned by 161 // StreamSocket::GetSSLInfo(). 162 virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain() 163 const = 0; 164 165 private: 166 // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_. 167 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, 168 ConnectSignedCertTimestampsEnabledTLSExtension); 169 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, 170 ConnectSignedCertTimestampsEnabledOCSP); 171 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, 172 ConnectSignedCertTimestampsDisabled); 173 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest, 174 VerifyServerChainProperlyOrdered); 175 176 // True if NPN was responded to, independent of selecting SPDY or HTTP. 177 bool was_npn_negotiated_; 178 // True if NPN successfully negotiated SPDY. 179 bool was_spdy_negotiated_; 180 // Protocol that we negotiated with the server. 181 NextProto protocol_negotiated_; 182 // True if a channel ID was sent. 183 bool channel_id_sent_; 184 // True if SCTs were received via a TLS extension. 185 bool signed_cert_timestamps_received_; 186 // True if a stapled OCSP response was received. 187 bool stapled_ocsp_response_received_; 188 }; 189 190 } // namespace net 191 192 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_ 193