1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_
10 #include "base/gtest_prod_util.h"
11 #include "net/base/completion_callback.h"
12 #include "net/base/load_flags.h"
13 #include "net/base/net_errors.h"
14 #include "net/socket/ssl_socket.h"
15 #include "net/socket/stream_socket.h"
21 class ServerBoundCertService
;
22 class SSLCertRequestInfo
;
25 class TransportSecurityState
;
26 class X509Certificate
;
28 // This struct groups together several fields which are used by various
29 // classes related to SSLClientSocket.
30 struct SSLClientSocketContext
{
31 SSLClientSocketContext()
32 : cert_verifier(NULL
),
33 server_bound_cert_service(NULL
),
34 transport_security_state(NULL
),
35 cert_transparency_verifier(NULL
) {}
37 SSLClientSocketContext(CertVerifier
* cert_verifier_arg
,
38 ServerBoundCertService
* server_bound_cert_service_arg
,
39 TransportSecurityState
* transport_security_state_arg
,
40 CTVerifier
* cert_transparency_verifier_arg
,
41 const std::string
& ssl_session_cache_shard_arg
)
42 : cert_verifier(cert_verifier_arg
),
43 server_bound_cert_service(server_bound_cert_service_arg
),
44 transport_security_state(transport_security_state_arg
),
45 cert_transparency_verifier(cert_transparency_verifier_arg
),
46 ssl_session_cache_shard(ssl_session_cache_shard_arg
) {}
48 CertVerifier
* cert_verifier
;
49 ServerBoundCertService
* server_bound_cert_service
;
50 TransportSecurityState
* transport_security_state
;
51 CTVerifier
* cert_transparency_verifier
;
52 // ssl_session_cache_shard is an opaque string that identifies a shard of the
53 // SSL session cache. SSL sockets with the same ssl_session_cache_shard may
54 // resume each other's SSL sessions but we'll never sessions between shards.
55 const std::string ssl_session_cache_shard
;
58 // A client socket that uses SSL as the transport layer.
60 // NOTE: The SSL handshake occurs within the Connect method after a TCP
61 // connection is established. If a SSL error occurs during the handshake,
64 class NET_EXPORT SSLClientSocket
: public SSLSocket
{
68 // Next Protocol Negotiation (NPN) allows a TLS client and server to come to
69 // an agreement about the application level protocol to speak over a
71 enum NextProtoStatus
{
72 // WARNING: These values are serialized to disk. Don't change them.
74 kNextProtoUnsupported
= 0, // The server doesn't support NPN.
75 kNextProtoNegotiated
= 1, // We agreed on a protocol.
76 kNextProtoNoOverlap
= 2, // No protocols in common. We requested
77 // the first protocol in our list.
81 virtual bool WasNpnNegotiated() const OVERRIDE
;
82 virtual NextProto
GetNegotiatedProtocol() const OVERRIDE
;
84 // Gets the SSL CertificateRequest info of the socket after Connect failed
85 // with ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
86 virtual void GetSSLCertRequestInfo(
87 SSLCertRequestInfo
* cert_request_info
) = 0;
89 // Get the application level protocol that we negotiated with the server.
90 // *proto is set to the resulting protocol (n.b. that the string may have
92 // kNextProtoUnsupported: *proto is cleared.
93 // kNextProtoNegotiated: *proto is set to the negotiated protocol.
94 // kNextProtoNoOverlap: *proto is set to the first protocol in the
96 // *server_protos is set to the server advertised protocols.
97 virtual NextProtoStatus
GetNextProto(std::string
* proto
,
98 std::string
* server_protos
) = 0;
100 static NextProto
NextProtoFromString(const std::string
& proto_string
);
102 static const char* NextProtoToString(NextProto next_proto
);
104 static const char* NextProtoStatusToString(const NextProtoStatus status
);
106 // Can be used with the second argument(|server_protos|) of |GetNextProto| to
107 // construct a comma separated string of server advertised protocols.
108 static std::string
ServerProtosToString(const std::string
& server_protos
);
110 static bool IgnoreCertError(int error
, int load_flags
);
112 // ClearSessionCache clears the SSL session cache, used to resume SSL
114 static void ClearSessionCache();
116 virtual bool set_was_npn_negotiated(bool negotiated
);
118 virtual bool was_spdy_negotiated() const;
120 virtual bool set_was_spdy_negotiated(bool negotiated
);
122 virtual void set_protocol_negotiated(NextProto protocol_negotiated
);
124 // Returns the ServerBoundCertService used by this socket, or NULL if
125 // server bound certificates are not supported.
126 virtual ServerBoundCertService
* GetServerBoundCertService() const = 0;
128 // Returns true if a channel ID was sent on this connection.
129 // This may be useful for protocols, like SPDY, which allow the same
130 // connection to be shared between multiple domains, each of which need
133 // Public for ssl_client_socket_openssl_unittest.cc.
134 virtual bool WasChannelIDSent() const;
137 virtual void set_channel_id_sent(bool channel_id_sent
);
139 virtual void set_signed_cert_timestamps_received(
140 bool signed_cert_timestamps_received
);
142 virtual void set_stapled_ocsp_response_received(
143 bool stapled_ocsp_response_received
);
145 // Records histograms for channel id support during full handshakes - resumed
146 // handshakes are ignored.
147 static void RecordChannelIDSupport(
148 ServerBoundCertService
* server_bound_cert_service
,
149 bool negotiated_channel_id
,
150 bool channel_id_enabled
,
153 // Returns whether TLS channel ID is enabled.
154 static bool IsChannelIDEnabled(
155 const SSLConfig
& ssl_config
,
156 ServerBoundCertService
* server_bound_cert_service
);
158 // For unit testing only.
159 // Returns the unverified certificate chain as presented by server.
160 // Note that chain may be different than the verified chain returned by
161 // StreamSocket::GetSSLInfo().
162 virtual scoped_refptr
<X509Certificate
> GetUnverifiedServerCertificateChain()
166 // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.
167 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest
,
168 ConnectSignedCertTimestampsEnabledTLSExtension
);
169 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest
,
170 ConnectSignedCertTimestampsEnabledOCSP
);
171 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest
,
172 ConnectSignedCertTimestampsDisabled
);
173 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest
,
174 VerifyServerChainProperlyOrdered
);
176 // True if NPN was responded to, independent of selecting SPDY or HTTP.
177 bool was_npn_negotiated_
;
178 // True if NPN successfully negotiated SPDY.
179 bool was_spdy_negotiated_
;
180 // Protocol that we negotiated with the server.
181 NextProto protocol_negotiated_
;
182 // True if a channel ID was sent.
183 bool channel_id_sent_
;
184 // True if SCTs were received via a TLS extension.
185 bool signed_cert_timestamps_received_
;
186 // True if a stapled OCSP response was received.
187 bool stapled_ocsp_response_received_
;
192 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_