1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
#define NET_SOCKET_SSL_CLIENT_SOCKET_H_
#pragma once
#include <string>
#include "net/base/completion_callback.h"
#include "net/base/load_flags.h"
#include "net/base/net_errors.h"
#include "net/socket/stream_socket.h"
namespace base {
class StringPiece;
} // namespace base
namespace net {
class CertVerifier;
class DnsCertProvenanceChecker;
class DnsRRResolver;
class OriginBoundCertService;
class SSLCertRequestInfo;
class SSLHostInfo;
class SSLHostInfoFactory;
class SSLInfo;
struct RRResponse;
// DNSSECProvider is an interface to an object that can return DNSSEC data.
class DNSSECProvider {
public:
// GetDNSSECRecords will either:
// 1) set |*out| to NULL and return OK.
// 2) set |*out| to a pointer, which is owned by this object, and return OK.
// 3) return IO_PENDING and call |callback| on the current MessageLoop at
// some point in the future. Once the callback has been made, this
// function will return OK if called again.
virtual int GetDNSSECRecords(RRResponse** out,
OldCompletionCallback* callback) = 0;
private:
~DNSSECProvider() {}
};
// This struct groups together several fields which are used by various
// classes related to SSLClientSocket.
struct SSLClientSocketContext {
SSLClientSocketContext()
: cert_verifier(NULL),
origin_bound_cert_service(NULL),
dnsrr_resolver(NULL),
dns_cert_checker(NULL),
ssl_host_info_factory(NULL) {}
SSLClientSocketContext(CertVerifier* cert_verifier_arg,
OriginBoundCertService* origin_bound_cert_service_arg,
DnsRRResolver* dnsrr_resolver_arg,
DnsCertProvenanceChecker* dns_cert_checker_arg,
SSLHostInfoFactory* ssl_host_info_factory_arg)
: cert_verifier(cert_verifier_arg),
origin_bound_cert_service(origin_bound_cert_service_arg),
dnsrr_resolver(dnsrr_resolver_arg),
dns_cert_checker(dns_cert_checker_arg),
ssl_host_info_factory(ssl_host_info_factory_arg) {}
CertVerifier* cert_verifier;
OriginBoundCertService* origin_bound_cert_service;
DnsRRResolver* dnsrr_resolver;
DnsCertProvenanceChecker* dns_cert_checker;
SSLHostInfoFactory* ssl_host_info_factory;
};
// A client socket that uses SSL as the transport layer.
//
// NOTE: The SSL handshake occurs within the Connect method after a TCP
// connection is established. If a SSL error occurs during the handshake,
// Connect will fail.
//
class NET_EXPORT SSLClientSocket : public StreamSocket {
public:
SSLClientSocket();
// Next Protocol Negotiation (NPN) allows a TLS client and server to come to
// an agreement about the application level protocol to speak over a
// connection.
enum NextProtoStatus {
// WARNING: These values are serialised to disk. Don't change them.
kNextProtoUnsupported = 0, // The server doesn't support NPN.
kNextProtoNegotiated = 1, // We agreed on a protocol.
kNextProtoNoOverlap = 2, // No protocols in common. We requested
// the first protocol in our list.
};
// Next Protocol Negotiation (NPN), if successful, results in agreement on an
// application-level string that specifies the application level protocol to
// use over the TLS connection. NextProto enumerates the application level
// protocols that we recognise.
enum NextProto {
kProtoUnknown = 0,
kProtoHTTP11 = 1,
kProtoSPDY1 = 2,
kProtoSPDY2 = 3,
};
// Gets the SSL connection information of the socket.
virtual void GetSSLInfo(SSLInfo* ssl_info) = 0;
// Gets the SSL CertificateRequest info of the socket after Connect failed
// with ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
virtual void GetSSLCertRequestInfo(
SSLCertRequestInfo* cert_request_info) = 0;
// Exports data derived from the SSL master-secret (see RFC 5705).
// The call will fail with an error if the socket is not connected, or the
// SSL implementation does not support the operation.
virtual int ExportKeyingMaterial(const base::StringPiece& label,
const base::StringPiece& context,
unsigned char *out,
unsigned int outlen) = 0;
// Get the application level protocol that we negotiated with the server.
// *proto is set to the resulting protocol (n.b. that the string may have
// embedded NULs).
// kNextProtoUnsupported: *proto is cleared.
// kNextProtoNegotiated: *proto is set to the negotiated protocol.
// kNextProtoNoOverlap: *proto is set to the first protocol in the
// supported list.
virtual NextProtoStatus GetNextProto(std::string* proto) = 0;
static NextProto NextProtoFromString(const std::string& proto_string);
static bool IgnoreCertError(int error, int load_flags);
virtual bool was_npn_negotiated() const;
virtual bool set_was_npn_negotiated(bool negotiated);
virtual void UseDNSSEC(DNSSECProvider*) { }
virtual bool was_spdy_negotiated() const;
virtual bool set_was_spdy_negotiated(bool negotiated);
private:
// True if NPN was responded to, independent of selecting SPDY or HTTP.
bool was_npn_negotiated_;
// True if NPN successfully negotiated SPDY.
bool was_spdy_negotiated_;
};
} // namespace net
#endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_
|
