// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ #define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ #include <string> #include "base/compiler_specific.h" #include "base/memory/scoped_ptr.h" #include "base/memory/weak_ptr.h" #include "net/base/completion_callback.h" #include "net/base/io_buffer.h" #include "net/cert/cert_verify_result.h" #include "net/socket/client_socket_handle.h" #include "net/socket/ssl_client_socket.h" #include "net/ssl/server_bound_cert_service.h" #include "net/ssl/ssl_config_service.h" // Avoid including misc OpenSSL headers, i.e.: // <openssl/bio.h> typedef struct bio_st BIO; // <openssl/evp.h> typedef struct evp_pkey_st EVP_PKEY; // <openssl/ssl.h> typedef struct ssl_st SSL; // <openssl/x509.h> typedef struct x509_st X509; namespace net { class CertVerifier; class SingleRequestCertVerifier; class SSLCertRequestInfo; class SSLInfo; // An SSL client socket implemented with OpenSSL. class SSLClientSocketOpenSSL : public SSLClientSocket { public: // Takes ownership of the transport_socket, which may already be connected. // The given hostname will be compared with the name(s) in the server's // certificate during the SSL handshake. ssl_config specifies the SSL // settings. SSLClientSocketOpenSSL(scoped_ptr<ClientSocketHandle> transport_socket, const HostPortPair& host_and_port, const SSLConfig& ssl_config, const SSLClientSocketContext& context); virtual ~SSLClientSocketOpenSSL(); const HostPortPair& host_and_port() const { return host_and_port_; } const std::string& ssl_session_cache_shard() const { return ssl_session_cache_shard_; } // SSLClientSocket implementation. virtual void GetSSLCertRequestInfo( SSLCertRequestInfo* cert_request_info) OVERRIDE; virtual NextProtoStatus GetNextProto(std::string* proto, std::string* server_protos) OVERRIDE; virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; // SSLSocket implementation. virtual int ExportKeyingMaterial(const base::StringPiece& label, bool has_context, const base::StringPiece& context, unsigned char* out, unsigned int outlen) OVERRIDE; virtual int GetTLSUniqueChannelBinding(std::string* out) OVERRIDE; // StreamSocket implementation. virtual int Connect(const CompletionCallback& callback) OVERRIDE; virtual void Disconnect() OVERRIDE; virtual bool IsConnected() const OVERRIDE; virtual bool IsConnectedAndIdle() const OVERRIDE; virtual int GetPeerAddress(IPEndPoint* address) const OVERRIDE; virtual int GetLocalAddress(IPEndPoint* address) const OVERRIDE; virtual const BoundNetLog& NetLog() const OVERRIDE; virtual void SetSubresourceSpeculation() OVERRIDE; virtual void SetOmniboxSpeculation() OVERRIDE; virtual bool WasEverUsed() const OVERRIDE; virtual bool UsingTCPFastOpen() const OVERRIDE; virtual bool GetSSLInfo(SSLInfo* ssl_info) OVERRIDE; // Socket implementation. virtual int Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback) OVERRIDE; virtual int Write(IOBuffer* buf, int buf_len, const CompletionCallback& callback) OVERRIDE; virtual bool SetReceiveBufferSize(int32 size) OVERRIDE; virtual bool SetSendBufferSize(int32 size) OVERRIDE; private: class SSLContext; friend class SSLClientSocket; friend class SSLContext; bool Init(); void DoReadCallback(int result); void DoWriteCallback(int result); bool DoTransportIO(); int DoHandshake(); int DoVerifyCert(int result); int DoVerifyCertComplete(int result); void DoConnectCallback(int result); X509Certificate* UpdateServerCert(); void OnHandshakeIOComplete(int result); void OnSendComplete(int result); void OnRecvComplete(int result); int DoHandshakeLoop(int last_io_result); int DoReadLoop(int result); int DoWriteLoop(int result); int DoPayloadRead(); int DoPayloadWrite(); int BufferSend(); int BufferRecv(); void BufferSendComplete(int result); void BufferRecvComplete(int result); void TransportWriteComplete(int result); int TransportReadComplete(int result); // Callback from the SSL layer that indicates the remote server is requesting // a certificate for this client. int ClientCertRequestCallback(SSL* ssl, X509** x509, EVP_PKEY** pkey); // Callback from the SSL layer that indicates the remote server supports TLS // Channel IDs. void ChannelIDRequestCallback(SSL* ssl, EVP_PKEY** pkey); // Callback from the SSL layer to check which NPN protocol we are supporting int SelectNextProtoCallback(unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen); bool transport_send_busy_; bool transport_recv_busy_; bool transport_recv_eof_; scoped_refptr<DrainableIOBuffer> send_buffer_; scoped_refptr<IOBuffer> recv_buffer_; CompletionCallback user_connect_callback_; CompletionCallback user_read_callback_; CompletionCallback user_write_callback_; base::WeakPtrFactory<SSLClientSocketOpenSSL> weak_factory_; // Used by Read function. scoped_refptr<IOBuffer> user_read_buf_; int user_read_buf_len_; // Used by Write function. scoped_refptr<IOBuffer> user_write_buf_; int user_write_buf_len_; // Used by DoPayloadRead() when attempting to fill the caller's buffer with // as much data as possible without blocking. // If DoPayloadRead() encounters an error after having read some data, stores // the result to return on the *next* call to DoPayloadRead(). A value > 0 // indicates there is no pending result, otherwise 0 indicates EOF and < 0 // indicates an error. int pending_read_error_; // Used by TransportWriteComplete() and TransportReadComplete() to signify an // error writing to the transport socket. A value of OK indicates no error. int transport_write_error_; // Set when handshake finishes. scoped_refptr<X509Certificate> server_cert_; CertVerifyResult server_cert_verify_result_; bool completed_handshake_; // Stores client authentication information between ClientAuthHandler and // GetSSLCertRequestInfo calls. bool client_auth_cert_needed_; // List of DER-encoded X.509 DistinguishedName of certificate authorities // allowed by the server. std::vector<std::string> cert_authorities_; CertVerifier* const cert_verifier_; scoped_ptr<SingleRequestCertVerifier> verifier_; // The service for retrieving Channel ID keys. May be NULL. ServerBoundCertService* server_bound_cert_service_; // OpenSSL stuff SSL* ssl_; BIO* transport_bio_; scoped_ptr<ClientSocketHandle> transport_; const HostPortPair host_and_port_; SSLConfig ssl_config_; // ssl_session_cache_shard_ is an opaque string that partitions the SSL // session cache. i.e. sessions created with one value will not attempt to // resume on the socket with a different value. const std::string ssl_session_cache_shard_; // Used for session cache diagnostics. bool trying_cached_session_; enum State { STATE_NONE, STATE_HANDSHAKE, STATE_VERIFY_CERT, STATE_VERIFY_CERT_COMPLETE, }; State next_handshake_state_; NextProtoStatus npn_status_; std::string npn_proto_; std::string server_protos_; // Written by the |server_bound_cert_service_|. std::string channel_id_private_key_; std::string channel_id_cert_; // The return value of the last call to |server_bound_cert_service_|. int channel_id_request_return_value_; // True if channel ID extension was negotiated. bool channel_id_xtn_negotiated_; // The request handle for |server_bound_cert_service_|. ServerBoundCertService::RequestHandle channel_id_request_handle_; BoundNetLog net_log_; }; } // namespace net #endif // NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_