search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Chromecast Android buildfix: rework CommandLine initialization logic.
[chromium-blink-merge.git] / net / socket / ssl_client_socket_openssl.h
blob1465f8454ae9bb61246706caff12b38d21efbc73
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
7
8 #include <string>
9
10 #include "base/compiler_specific.h"
11 #include "base/memory/scoped_ptr.h"
12 #include "base/memory/weak_ptr.h"
13 #include "net/base/completion_callback.h"
14 #include "net/base/io_buffer.h"
15 #include "net/cert/cert_verify_result.h"
16 #include "net/cert/ct_verify_result.h"
17 #include "net/socket/client_socket_handle.h"
18 #include "net/socket/ssl_client_socket.h"
19 #include "net/ssl/channel_id_service.h"
20 #include "net/ssl/ssl_client_cert_type.h"
21 #include "net/ssl/ssl_config_service.h"
22
23 // Avoid including misc OpenSSL headers, i.e.:
24 // <openssl/bio.h>
25 typedef struct bio_st BIO;
26 // <openssl/evp.h>
27 typedef struct evp_pkey_st EVP_PKEY;
28 // <openssl/ssl.h>
29 typedef struct ssl_st SSL;
30 // <openssl/x509.h>
31 typedef struct x509_st X509;
32 // <openssl/ossl_type.h>
33 typedef struct x509_store_ctx_st X509_STORE_CTX;
34
35 namespace net {
36
37 class CertVerifier;
38 class CTVerifier;
39 class SingleRequestCertVerifier;
40 class SSLCertRequestInfo;
41 class SSLInfo;
42
43 // An SSL client socket implemented with OpenSSL.
44 class SSLClientSocketOpenSSL : public SSLClientSocket {
45 public:
46 // Takes ownership of the transport_socket, which may already be connected.
47 // The given hostname will be compared with the name(s) in the server's
48 // certificate during the SSL handshake. ssl_config specifies the SSL
49 // settings.
50 SSLClientSocketOpenSSL(scoped_ptr<ClientSocketHandle> transport_socket,
51 const HostPortPair& host_and_port,
52 const SSLConfig& ssl_config,
53 const SSLClientSocketContext& context);
54 virtual ~SSLClientSocketOpenSSL();
55
56 const HostPortPair& host_and_port() const { return host_and_port_; }
57 const std::string& ssl_session_cache_shard() const {
58 return ssl_session_cache_shard_;
59 }
60
61 // SSLClientSocket implementation.
62 virtual std::string GetSessionCacheKey() const OVERRIDE;
63 virtual bool InSessionCache() const OVERRIDE;
64 virtual void SetHandshakeCompletionCallback(
65 const base::Closure& callback) OVERRIDE;
66 virtual void GetSSLCertRequestInfo(
67 SSLCertRequestInfo* cert_request_info) OVERRIDE;
68 virtual NextProtoStatus GetNextProto(std::string* proto) OVERRIDE;
69 virtual ChannelIDService* GetChannelIDService() const OVERRIDE;
70
71 // SSLSocket implementation.
72 virtual int ExportKeyingMaterial(const base::StringPiece& label,
73 bool has_context,
74 const base::StringPiece& context,
75 unsigned char* out,
76 unsigned int outlen) OVERRIDE;
77 virtual int GetTLSUniqueChannelBinding(std::string* out) OVERRIDE;
78
79 // StreamSocket implementation.
80 virtual int Connect(const CompletionCallback& callback) OVERRIDE;
81 virtual void Disconnect() OVERRIDE;
82 virtual bool IsConnected() const OVERRIDE;
83 virtual bool IsConnectedAndIdle() const OVERRIDE;
84 virtual int GetPeerAddress(IPEndPoint* address) const OVERRIDE;
85 virtual int GetLocalAddress(IPEndPoint* address) const OVERRIDE;
86 virtual const BoundNetLog& NetLog() const OVERRIDE;
87 virtual void SetSubresourceSpeculation() OVERRIDE;
88 virtual void SetOmniboxSpeculation() OVERRIDE;
89 virtual bool WasEverUsed() const OVERRIDE;
90 virtual bool UsingTCPFastOpen() const OVERRIDE;
91 virtual bool GetSSLInfo(SSLInfo* ssl_info) OVERRIDE;
92
93 // Socket implementation.
94 virtual int Read(IOBuffer* buf, int buf_len,
95 const CompletionCallback& callback) OVERRIDE;
96 virtual int Write(IOBuffer* buf, int buf_len,
97 const CompletionCallback& callback) OVERRIDE;
98 virtual int SetReceiveBufferSize(int32 size) OVERRIDE;
99 virtual int SetSendBufferSize(int32 size) OVERRIDE;
100
101 protected:
102 // SSLClientSocket implementation.
103 virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain()
104 const OVERRIDE;
105
106 private:
107 class PeerCertificateChain;
108 class SSLContext;
109 friend class SSLClientSocket;
110 friend class SSLContext;
111
112 int Init();
113 void DoReadCallback(int result);
114 void DoWriteCallback(int result);
115
116 void OnHandshakeCompletion();
117
118 bool DoTransportIO();
119 int DoHandshake();
120 int DoChannelIDLookup();
121 int DoChannelIDLookupComplete(int result);
122 int DoVerifyCert(int result);
123 int DoVerifyCertComplete(int result);
124 void DoConnectCallback(int result);
125 void UpdateServerCert();
126 void VerifyCT();
127
128 void OnHandshakeIOComplete(int result);
129 void OnSendComplete(int result);
130 void OnRecvComplete(int result);
131
132 int DoHandshakeLoop(int last_io_result);
133 int DoReadLoop(int result);
134 int DoWriteLoop(int result);
135 int DoPayloadRead();
136 int DoPayloadWrite();
137
138 int BufferSend();
139 int BufferRecv();
140 void BufferSendComplete(int result);
141 void BufferRecvComplete(int result);
142 void TransportWriteComplete(int result);
143 int TransportReadComplete(int result);
144
145 // Callback from the SSL layer that indicates the remote server is requesting
146 // a certificate for this client.
147 int ClientCertRequestCallback(SSL* ssl);
148
149 // CertVerifyCallback is called to verify the server's certificates. We do
150 // verification after the handshake so this function only enforces that the
151 // certificates don't change during renegotiation.
152 int CertVerifyCallback(X509_STORE_CTX *store_ctx);
153
154 // Callback from the SSL layer to check which NPN protocol we are supporting
155 int SelectNextProtoCallback(unsigned char** out, unsigned char* outlen,
156 const unsigned char* in, unsigned int inlen);
157
158 // Called during an operation on |transport_bio_|'s peer. Checks saved
159 // transport error state and, if appropriate, returns an error through
160 // OpenSSL's error system.
161 long MaybeReplayTransportError(BIO *bio,
162 int cmd,
163 const char *argp, int argi, long argl,
164 long retvalue);
165
166 // Callback from the SSL layer when an operation is performed on
167 // |transport_bio_|'s peer.
168 static long BIOCallback(BIO *bio,
169 int cmd,
170 const char *argp, int argi, long argl,
171 long retvalue);
172
173 // Callback that is used to obtain information about the state of the SSL
174 // handshake.
175 static void InfoCallback(const SSL* ssl, int type, int val);
176
177 void CheckIfHandshakeFinished();
178
179 // Adds the SignedCertificateTimestamps from ct_verify_result_ to |ssl_info|.
180 // SCTs are held in three separate vectors in ct_verify_result, each
181 // vetor representing a particular verification state, this method associates
182 // each of the SCTs with the corresponding SCTVerifyStatus as it adds it to
183 // the |ssl_info|.signed_certificate_timestamps list.
184 void AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const;
185
186 bool transport_send_busy_;
187 bool transport_recv_busy_;
188
189 scoped_refptr<DrainableIOBuffer> send_buffer_;
190 scoped_refptr<IOBuffer> recv_buffer_;
191
192 CompletionCallback user_connect_callback_;
193 CompletionCallback user_read_callback_;
194 CompletionCallback user_write_callback_;
195
196 // Used by Read function.
197 scoped_refptr<IOBuffer> user_read_buf_;
198 int user_read_buf_len_;
199
200 // Used by Write function.
201 scoped_refptr<IOBuffer> user_write_buf_;
202 int user_write_buf_len_;
203
204 // Used by DoPayloadRead() when attempting to fill the caller's buffer with
205 // as much data as possible without blocking.
206 // If DoPayloadRead() encounters an error after having read some data, stores
207 // the result to return on the *next* call to DoPayloadRead(). A value > 0
208 // indicates there is no pending result, otherwise 0 indicates EOF and < 0
209 // indicates an error.
210 int pending_read_error_;
211
212 // Used by TransportReadComplete() to signify an error reading from the
213 // transport socket. A value of OK indicates the socket is still
214 // readable. EOFs are mapped to ERR_CONNECTION_CLOSED.
215 int transport_read_error_;
216
217 // Used by TransportWriteComplete() and TransportReadComplete() to signify an
218 // error writing to the transport socket. A value of OK indicates no error.
219 int transport_write_error_;
220
221 // Set when Connect finishes.
222 scoped_ptr<PeerCertificateChain> server_cert_chain_;
223 scoped_refptr<X509Certificate> server_cert_;
224 CertVerifyResult server_cert_verify_result_;
225 bool completed_connect_;
226
227 // Set when Read() or Write() successfully reads or writes data to or from the
228 // network.
229 bool was_ever_used_;
230
231 // Stores client authentication information between ClientAuthHandler and
232 // GetSSLCertRequestInfo calls.
233 bool client_auth_cert_needed_;
234 // List of DER-encoded X.509 DistinguishedName of certificate authorities
235 // allowed by the server.
236 std::vector<std::string> cert_authorities_;
237 // List of SSLClientCertType values for client certificates allowed by the
238 // server.
239 std::vector<SSLClientCertType> cert_key_types_;
240
241 CertVerifier* const cert_verifier_;
242 scoped_ptr<SingleRequestCertVerifier> verifier_;
243 base::TimeTicks start_cert_verification_time_;
244
245 // Certificate Transparency: Verifier and result holder.
246 ct::CTVerifyResult ct_verify_result_;
247 CTVerifier* cert_transparency_verifier_;
248
249 // The service for retrieving Channel ID keys. May be NULL.
250 ChannelIDService* channel_id_service_;
251
252 // Callback that is invoked when the connection finishes.
253 //
254 // Note: this callback will be run in Disconnect(). It will not alter
255 // any member variables of the SSLClientSocketOpenSSL.
256 base::Closure handshake_completion_callback_;
257
258 // OpenSSL stuff
259 SSL* ssl_;
260 BIO* transport_bio_;
261
262 scoped_ptr<ClientSocketHandle> transport_;
263 const HostPortPair host_and_port_;
264 SSLConfig ssl_config_;
265 // ssl_session_cache_shard_ is an opaque string that partitions the SSL
266 // session cache. i.e. sessions created with one value will not attempt to
267 // resume on the socket with a different value.
268 const std::string ssl_session_cache_shard_;
269
270 // Used for session cache diagnostics.
271 bool trying_cached_session_;
272
273 enum State {
274 STATE_NONE,
275 STATE_HANDSHAKE,
276 STATE_CHANNEL_ID_LOOKUP,
277 STATE_CHANNEL_ID_LOOKUP_COMPLETE,
278 STATE_VERIFY_CERT,
279 STATE_VERIFY_CERT_COMPLETE,
280 };
281 State next_handshake_state_;
282 NextProtoStatus npn_status_;
283 std::string npn_proto_;
284 // Written by the |channel_id_service_|.
285 std::string channel_id_private_key_;
286 std::string channel_id_cert_;
287 // True if channel ID extension was negotiated.
288 bool channel_id_xtn_negotiated_;
289 // True if InfoCallback has been run with result = SSL_CB_HANDSHAKE_DONE.
290 bool handshake_succeeded_;
291 // True if MarkSSLSessionAsGood has been called for this socket's
292 // SSL session.
293 bool marked_session_as_good_;
294 // The request handle for |channel_id_service_|.
295 ChannelIDService::RequestHandle channel_id_request_handle_;
296
297 TransportSecurityState* transport_security_state_;
298
299 // pinning_failure_log contains a message produced by
300 // TransportSecurityState::CheckPublicKeyPins in the event of a
301 // pinning failure. It is a (somewhat) human-readable string.
302 std::string pinning_failure_log_;
303
304 BoundNetLog net_log_;
305 base::WeakPtrFactory<SSLClientSocketOpenSSL> weak_factory_;
306 };
307
308 } // namespace net
309
310 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_