1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
10 #include "base/compiler_specific.h"
11 #include "base/memory/scoped_ptr.h"
12 #include "base/memory/weak_ptr.h"
13 #include "net/base/completion_callback.h"
14 #include "net/base/io_buffer.h"
15 #include "net/cert/cert_verify_result.h"
16 #include "net/cert/ct_verify_result.h"
17 #include "net/socket/client_socket_handle.h"
18 #include "net/socket/ssl_client_socket.h"
19 #include "net/ssl/channel_id_service.h"
20 #include "net/ssl/ssl_client_cert_type.h"
21 #include "net/ssl/ssl_config_service.h"
23 // Avoid including misc OpenSSL headers, i.e.:
25 typedef struct bio_st BIO
;
27 typedef struct evp_pkey_st EVP_PKEY
;
29 typedef struct ssl_st SSL
;
31 typedef struct x509_st X509
;
32 // <openssl/ossl_type.h>
33 typedef struct x509_store_ctx_st X509_STORE_CTX
;
39 class SingleRequestCertVerifier
;
40 class SSLCertRequestInfo
;
43 // An SSL client socket implemented with OpenSSL.
44 class SSLClientSocketOpenSSL
: public SSLClientSocket
{
46 // Takes ownership of the transport_socket, which may already be connected.
47 // The given hostname will be compared with the name(s) in the server's
48 // certificate during the SSL handshake. ssl_config specifies the SSL
50 SSLClientSocketOpenSSL(scoped_ptr
<ClientSocketHandle
> transport_socket
,
51 const HostPortPair
& host_and_port
,
52 const SSLConfig
& ssl_config
,
53 const SSLClientSocketContext
& context
);
54 virtual ~SSLClientSocketOpenSSL();
56 const HostPortPair
& host_and_port() const { return host_and_port_
; }
57 const std::string
& ssl_session_cache_shard() const {
58 return ssl_session_cache_shard_
;
61 // SSLClientSocket implementation.
62 virtual std::string
GetSessionCacheKey() const OVERRIDE
;
63 virtual bool InSessionCache() const OVERRIDE
;
64 virtual void SetHandshakeCompletionCallback(
65 const base::Closure
& callback
) OVERRIDE
;
66 virtual void GetSSLCertRequestInfo(
67 SSLCertRequestInfo
* cert_request_info
) OVERRIDE
;
68 virtual NextProtoStatus
GetNextProto(std::string
* proto
) OVERRIDE
;
69 virtual ChannelIDService
* GetChannelIDService() const OVERRIDE
;
71 // SSLSocket implementation.
72 virtual int ExportKeyingMaterial(const base::StringPiece
& label
,
74 const base::StringPiece
& context
,
76 unsigned int outlen
) OVERRIDE
;
77 virtual int GetTLSUniqueChannelBinding(std::string
* out
) OVERRIDE
;
79 // StreamSocket implementation.
80 virtual int Connect(const CompletionCallback
& callback
) OVERRIDE
;
81 virtual void Disconnect() OVERRIDE
;
82 virtual bool IsConnected() const OVERRIDE
;
83 virtual bool IsConnectedAndIdle() const OVERRIDE
;
84 virtual int GetPeerAddress(IPEndPoint
* address
) const OVERRIDE
;
85 virtual int GetLocalAddress(IPEndPoint
* address
) const OVERRIDE
;
86 virtual const BoundNetLog
& NetLog() const OVERRIDE
;
87 virtual void SetSubresourceSpeculation() OVERRIDE
;
88 virtual void SetOmniboxSpeculation() OVERRIDE
;
89 virtual bool WasEverUsed() const OVERRIDE
;
90 virtual bool UsingTCPFastOpen() const OVERRIDE
;
91 virtual bool GetSSLInfo(SSLInfo
* ssl_info
) OVERRIDE
;
93 // Socket implementation.
94 virtual int Read(IOBuffer
* buf
, int buf_len
,
95 const CompletionCallback
& callback
) OVERRIDE
;
96 virtual int Write(IOBuffer
* buf
, int buf_len
,
97 const CompletionCallback
& callback
) OVERRIDE
;
98 virtual int SetReceiveBufferSize(int32 size
) OVERRIDE
;
99 virtual int SetSendBufferSize(int32 size
) OVERRIDE
;
102 // SSLClientSocket implementation.
103 virtual scoped_refptr
<X509Certificate
> GetUnverifiedServerCertificateChain()
107 class PeerCertificateChain
;
109 friend class SSLClientSocket
;
110 friend class SSLContext
;
113 void DoReadCallback(int result
);
114 void DoWriteCallback(int result
);
116 void OnHandshakeCompletion();
118 bool DoTransportIO();
120 int DoChannelIDLookup();
121 int DoChannelIDLookupComplete(int result
);
122 int DoVerifyCert(int result
);
123 int DoVerifyCertComplete(int result
);
124 void DoConnectCallback(int result
);
125 void UpdateServerCert();
128 void OnHandshakeIOComplete(int result
);
129 void OnSendComplete(int result
);
130 void OnRecvComplete(int result
);
132 int DoHandshakeLoop(int last_io_result
);
133 int DoReadLoop(int result
);
134 int DoWriteLoop(int result
);
136 int DoPayloadWrite();
140 void BufferSendComplete(int result
);
141 void BufferRecvComplete(int result
);
142 void TransportWriteComplete(int result
);
143 int TransportReadComplete(int result
);
145 // Callback from the SSL layer that indicates the remote server is requesting
146 // a certificate for this client.
147 int ClientCertRequestCallback(SSL
* ssl
);
149 // CertVerifyCallback is called to verify the server's certificates. We do
150 // verification after the handshake so this function only enforces that the
151 // certificates don't change during renegotiation.
152 int CertVerifyCallback(X509_STORE_CTX
*store_ctx
);
154 // Callback from the SSL layer to check which NPN protocol we are supporting
155 int SelectNextProtoCallback(unsigned char** out
, unsigned char* outlen
,
156 const unsigned char* in
, unsigned int inlen
);
158 // Called during an operation on |transport_bio_|'s peer. Checks saved
159 // transport error state and, if appropriate, returns an error through
160 // OpenSSL's error system.
161 long MaybeReplayTransportError(BIO
*bio
,
163 const char *argp
, int argi
, long argl
,
166 // Callback from the SSL layer when an operation is performed on
167 // |transport_bio_|'s peer.
168 static long BIOCallback(BIO
*bio
,
170 const char *argp
, int argi
, long argl
,
173 // Callback that is used to obtain information about the state of the SSL
175 static void InfoCallback(const SSL
* ssl
, int type
, int val
);
177 void CheckIfHandshakeFinished();
179 // Adds the SignedCertificateTimestamps from ct_verify_result_ to |ssl_info|.
180 // SCTs are held in three separate vectors in ct_verify_result, each
181 // vetor representing a particular verification state, this method associates
182 // each of the SCTs with the corresponding SCTVerifyStatus as it adds it to
183 // the |ssl_info|.signed_certificate_timestamps list.
184 void AddSCTInfoToSSLInfo(SSLInfo
* ssl_info
) const;
186 bool transport_send_busy_
;
187 bool transport_recv_busy_
;
189 scoped_refptr
<DrainableIOBuffer
> send_buffer_
;
190 scoped_refptr
<IOBuffer
> recv_buffer_
;
192 CompletionCallback user_connect_callback_
;
193 CompletionCallback user_read_callback_
;
194 CompletionCallback user_write_callback_
;
196 // Used by Read function.
197 scoped_refptr
<IOBuffer
> user_read_buf_
;
198 int user_read_buf_len_
;
200 // Used by Write function.
201 scoped_refptr
<IOBuffer
> user_write_buf_
;
202 int user_write_buf_len_
;
204 // Used by DoPayloadRead() when attempting to fill the caller's buffer with
205 // as much data as possible without blocking.
206 // If DoPayloadRead() encounters an error after having read some data, stores
207 // the result to return on the *next* call to DoPayloadRead(). A value > 0
208 // indicates there is no pending result, otherwise 0 indicates EOF and < 0
209 // indicates an error.
210 int pending_read_error_
;
212 // Used by TransportReadComplete() to signify an error reading from the
213 // transport socket. A value of OK indicates the socket is still
214 // readable. EOFs are mapped to ERR_CONNECTION_CLOSED.
215 int transport_read_error_
;
217 // Used by TransportWriteComplete() and TransportReadComplete() to signify an
218 // error writing to the transport socket. A value of OK indicates no error.
219 int transport_write_error_
;
221 // Set when Connect finishes.
222 scoped_ptr
<PeerCertificateChain
> server_cert_chain_
;
223 scoped_refptr
<X509Certificate
> server_cert_
;
224 CertVerifyResult server_cert_verify_result_
;
225 bool completed_connect_
;
227 // Set when Read() or Write() successfully reads or writes data to or from the
231 // Stores client authentication information between ClientAuthHandler and
232 // GetSSLCertRequestInfo calls.
233 bool client_auth_cert_needed_
;
234 // List of DER-encoded X.509 DistinguishedName of certificate authorities
235 // allowed by the server.
236 std::vector
<std::string
> cert_authorities_
;
237 // List of SSLClientCertType values for client certificates allowed by the
239 std::vector
<SSLClientCertType
> cert_key_types_
;
241 CertVerifier
* const cert_verifier_
;
242 scoped_ptr
<SingleRequestCertVerifier
> verifier_
;
243 base::TimeTicks start_cert_verification_time_
;
245 // Certificate Transparency: Verifier and result holder.
246 ct::CTVerifyResult ct_verify_result_
;
247 CTVerifier
* cert_transparency_verifier_
;
249 // The service for retrieving Channel ID keys. May be NULL.
250 ChannelIDService
* channel_id_service_
;
252 // Callback that is invoked when the connection finishes.
254 // Note: this callback will be run in Disconnect(). It will not alter
255 // any member variables of the SSLClientSocketOpenSSL.
256 base::Closure handshake_completion_callback_
;
262 scoped_ptr
<ClientSocketHandle
> transport_
;
263 const HostPortPair host_and_port_
;
264 SSLConfig ssl_config_
;
265 // ssl_session_cache_shard_ is an opaque string that partitions the SSL
266 // session cache. i.e. sessions created with one value will not attempt to
267 // resume on the socket with a different value.
268 const std::string ssl_session_cache_shard_
;
270 // Used for session cache diagnostics.
271 bool trying_cached_session_
;
276 STATE_CHANNEL_ID_LOOKUP
,
277 STATE_CHANNEL_ID_LOOKUP_COMPLETE
,
279 STATE_VERIFY_CERT_COMPLETE
,
281 State next_handshake_state_
;
282 NextProtoStatus npn_status_
;
283 std::string npn_proto_
;
284 // Written by the |channel_id_service_|.
285 std::string channel_id_private_key_
;
286 std::string channel_id_cert_
;
287 // True if channel ID extension was negotiated.
288 bool channel_id_xtn_negotiated_
;
289 // True if InfoCallback has been run with result = SSL_CB_HANDSHAKE_DONE.
290 bool handshake_succeeded_
;
291 // True if MarkSSLSessionAsGood has been called for this socket's
293 bool marked_session_as_good_
;
294 // The request handle for |channel_id_service_|.
295 ChannelIDService::RequestHandle channel_id_request_handle_
;
297 TransportSecurityState
* transport_security_state_
;
299 // pinning_failure_log contains a message produced by
300 // TransportSecurityState::CheckPublicKeyPins in the event of a
301 // pinning failure. It is a (somewhat) human-readable string.
302 std::string pinning_failure_log_
;
304 BoundNetLog net_log_
;
305 base::WeakPtrFactory
<SSLClientSocketOpenSSL
> weak_factory_
;
310 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_