1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ 6 #define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ 7 8 #include <string> 9 10 #include "base/compiler_specific.h" 11 #include "base/memory/scoped_ptr.h" 12 #include "base/memory/weak_ptr.h" 13 #include "net/base/completion_callback.h" 14 #include "net/base/io_buffer.h" 15 #include "net/cert/cert_verify_result.h" 16 #include "net/socket/client_socket_handle.h" 17 #include "net/socket/ssl_client_socket.h" 18 #include "net/ssl/server_bound_cert_service.h" 19 #include "net/ssl/ssl_client_cert_type.h" 20 #include "net/ssl/ssl_config_service.h" 21 22 // Avoid including misc OpenSSL headers, i.e.: 23 // <openssl/bio.h> 24 typedef struct bio_st BIO; 25 // <openssl/evp.h> 26 typedef struct evp_pkey_st EVP_PKEY; 27 // <openssl/ssl.h> 28 typedef struct ssl_st SSL; 29 // <openssl/x509.h> 30 typedef struct x509_st X509; 31 // <openssl/ossl_type.h> 32 typedef struct x509_store_ctx_st X509_STORE_CTX; 33 34 namespace net { 35 36 class CertVerifier; 37 class SingleRequestCertVerifier; 38 class SSLCertRequestInfo; 39 class SSLInfo; 40 41 // An SSL client socket implemented with OpenSSL. 42 class SSLClientSocketOpenSSL : public SSLClientSocket { 43 public: 44 // Takes ownership of the transport_socket, which may already be connected. 45 // The given hostname will be compared with the name(s) in the server's 46 // certificate during the SSL handshake. ssl_config specifies the SSL 47 // settings. 48 SSLClientSocketOpenSSL(scoped_ptr<ClientSocketHandle> transport_socket, 49 const HostPortPair& host_and_port, 50 const SSLConfig& ssl_config, 51 const SSLClientSocketContext& context); 52 virtual ~SSLClientSocketOpenSSL(); 53 host_and_port()54 const HostPortPair& host_and_port() const { return host_and_port_; } ssl_session_cache_shard()55 const std::string& ssl_session_cache_shard() const { 56 return ssl_session_cache_shard_; 57 } 58 59 // SSLClientSocket implementation. 60 virtual void GetSSLCertRequestInfo( 61 SSLCertRequestInfo* cert_request_info) OVERRIDE; 62 virtual NextProtoStatus GetNextProto(std::string* proto, 63 std::string* server_protos) OVERRIDE; 64 virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; 65 66 // SSLSocket implementation. 67 virtual int ExportKeyingMaterial(const base::StringPiece& label, 68 bool has_context, 69 const base::StringPiece& context, 70 unsigned char* out, 71 unsigned int outlen) OVERRIDE; 72 virtual int GetTLSUniqueChannelBinding(std::string* out) OVERRIDE; 73 74 // StreamSocket implementation. 75 virtual int Connect(const CompletionCallback& callback) OVERRIDE; 76 virtual void Disconnect() OVERRIDE; 77 virtual bool IsConnected() const OVERRIDE; 78 virtual bool IsConnectedAndIdle() const OVERRIDE; 79 virtual int GetPeerAddress(IPEndPoint* address) const OVERRIDE; 80 virtual int GetLocalAddress(IPEndPoint* address) const OVERRIDE; 81 virtual const BoundNetLog& NetLog() const OVERRIDE; 82 virtual void SetSubresourceSpeculation() OVERRIDE; 83 virtual void SetOmniboxSpeculation() OVERRIDE; 84 virtual bool WasEverUsed() const OVERRIDE; 85 virtual bool UsingTCPFastOpen() const OVERRIDE; 86 virtual bool GetSSLInfo(SSLInfo* ssl_info) OVERRIDE; 87 88 // Socket implementation. 89 virtual int Read(IOBuffer* buf, int buf_len, 90 const CompletionCallback& callback) OVERRIDE; 91 virtual int Write(IOBuffer* buf, int buf_len, 92 const CompletionCallback& callback) OVERRIDE; 93 virtual int SetReceiveBufferSize(int32 size) OVERRIDE; 94 virtual int SetSendBufferSize(int32 size) OVERRIDE; 95 96 protected: 97 // SSLClientSocket implementation. 98 virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain() 99 const OVERRIDE; 100 101 private: 102 class PeerCertificateChain; 103 class SSLContext; 104 friend class SSLClientSocket; 105 friend class SSLContext; 106 107 int Init(); 108 void DoReadCallback(int result); 109 void DoWriteCallback(int result); 110 111 bool DoTransportIO(); 112 int DoHandshake(); 113 int DoVerifyCert(int result); 114 int DoVerifyCertComplete(int result); 115 void DoConnectCallback(int result); 116 X509Certificate* UpdateServerCert(); 117 118 void OnHandshakeIOComplete(int result); 119 void OnSendComplete(int result); 120 void OnRecvComplete(int result); 121 122 int DoHandshakeLoop(int last_io_result); 123 int DoReadLoop(int result); 124 int DoWriteLoop(int result); 125 int DoPayloadRead(); 126 int DoPayloadWrite(); 127 128 int BufferSend(); 129 int BufferRecv(); 130 void BufferSendComplete(int result); 131 void BufferRecvComplete(int result); 132 void TransportWriteComplete(int result); 133 int TransportReadComplete(int result); 134 135 // Callback from the SSL layer that indicates the remote server is requesting 136 // a certificate for this client. 137 int ClientCertRequestCallback(SSL* ssl, X509** x509, EVP_PKEY** pkey); 138 139 // Callback from the SSL layer that indicates the remote server supports TLS 140 // Channel IDs. 141 void ChannelIDRequestCallback(SSL* ssl, EVP_PKEY** pkey); 142 143 // CertVerifyCallback is called to verify the server's certificates. We do 144 // verification after the handshake so this function only enforces that the 145 // certificates don't change during renegotiation. 146 int CertVerifyCallback(X509_STORE_CTX *store_ctx); 147 148 // Callback from the SSL layer to check which NPN protocol we are supporting 149 int SelectNextProtoCallback(unsigned char** out, unsigned char* outlen, 150 const unsigned char* in, unsigned int inlen); 151 152 bool transport_send_busy_; 153 bool transport_recv_busy_; 154 bool transport_recv_eof_; 155 156 scoped_refptr<DrainableIOBuffer> send_buffer_; 157 scoped_refptr<IOBuffer> recv_buffer_; 158 159 CompletionCallback user_connect_callback_; 160 CompletionCallback user_read_callback_; 161 CompletionCallback user_write_callback_; 162 163 base::WeakPtrFactory<SSLClientSocketOpenSSL> weak_factory_; 164 165 // Used by Read function. 166 scoped_refptr<IOBuffer> user_read_buf_; 167 int user_read_buf_len_; 168 169 // Used by Write function. 170 scoped_refptr<IOBuffer> user_write_buf_; 171 int user_write_buf_len_; 172 173 // Used by DoPayloadRead() when attempting to fill the caller's buffer with 174 // as much data as possible without blocking. 175 // If DoPayloadRead() encounters an error after having read some data, stores 176 // the result to return on the *next* call to DoPayloadRead(). A value > 0 177 // indicates there is no pending result, otherwise 0 indicates EOF and < 0 178 // indicates an error. 179 int pending_read_error_; 180 181 // Used by TransportWriteComplete() and TransportReadComplete() to signify an 182 // error writing to the transport socket. A value of OK indicates no error. 183 int transport_write_error_; 184 185 // Set when handshake finishes. 186 scoped_ptr<PeerCertificateChain> server_cert_chain_; 187 scoped_refptr<X509Certificate> server_cert_; 188 CertVerifyResult server_cert_verify_result_; 189 bool completed_handshake_; 190 191 // Set when Read() or Write() successfully reads or writes data to or from the 192 // network. 193 bool was_ever_used_; 194 195 // Stores client authentication information between ClientAuthHandler and 196 // GetSSLCertRequestInfo calls. 197 bool client_auth_cert_needed_; 198 // List of DER-encoded X.509 DistinguishedName of certificate authorities 199 // allowed by the server. 200 std::vector<std::string> cert_authorities_; 201 // List of SSLClientCertType values for client certificates allowed by the 202 // server. 203 std::vector<SSLClientCertType> cert_key_types_; 204 205 CertVerifier* const cert_verifier_; 206 scoped_ptr<SingleRequestCertVerifier> verifier_; 207 208 // The service for retrieving Channel ID keys. May be NULL. 209 ServerBoundCertService* server_bound_cert_service_; 210 211 // OpenSSL stuff 212 SSL* ssl_; 213 BIO* transport_bio_; 214 215 scoped_ptr<ClientSocketHandle> transport_; 216 const HostPortPair host_and_port_; 217 SSLConfig ssl_config_; 218 // ssl_session_cache_shard_ is an opaque string that partitions the SSL 219 // session cache. i.e. sessions created with one value will not attempt to 220 // resume on the socket with a different value. 221 const std::string ssl_session_cache_shard_; 222 223 // Used for session cache diagnostics. 224 bool trying_cached_session_; 225 226 enum State { 227 STATE_NONE, 228 STATE_HANDSHAKE, 229 STATE_VERIFY_CERT, 230 STATE_VERIFY_CERT_COMPLETE, 231 }; 232 State next_handshake_state_; 233 NextProtoStatus npn_status_; 234 std::string npn_proto_; 235 std::string server_protos_; 236 // Written by the |server_bound_cert_service_|. 237 std::string channel_id_private_key_; 238 std::string channel_id_cert_; 239 // The return value of the last call to |server_bound_cert_service_|. 240 int channel_id_request_return_value_; 241 // True if channel ID extension was negotiated. 242 bool channel_id_xtn_negotiated_; 243 // The request handle for |server_bound_cert_service_|. 244 ServerBoundCertService::RequestHandle channel_id_request_handle_; 245 BoundNetLog net_log_; 246 }; 247 248 } // namespace net 249 250 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ 251