1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
#define NET_SOCKET_SSL_CLIENT_SOCKET_H_
#pragma once
#include <string>
#include "net/base/completion_callback.h"
#include "net/base/load_flags.h"
#include "net/base/net_errors.h"
#include "net/base/ssl_client_cert_type.h"
#include "net/socket/ssl_socket.h"
#include "net/socket/stream_socket.h"
namespace net {
class CertVerifier;
class ServerBoundCertService;
class SSLCertRequestInfo;
class SSLHostInfo;
class SSLHostInfoFactory;
class SSLInfo;
class TransportSecurityState;
// This struct groups together several fields which are used by various
// classes related to SSLClientSocket.
struct SSLClientSocketContext {
SSLClientSocketContext()
: cert_verifier(NULL),
server_bound_cert_service(NULL),
transport_security_state(NULL),
ssl_host_info_factory(NULL) {}
SSLClientSocketContext(CertVerifier* cert_verifier_arg,
ServerBoundCertService* server_bound_cert_service_arg,
TransportSecurityState* transport_security_state_arg,
SSLHostInfoFactory* ssl_host_info_factory_arg,
const std::string& ssl_session_cache_shard_arg)
: cert_verifier(cert_verifier_arg),
server_bound_cert_service(server_bound_cert_service_arg),
transport_security_state(transport_security_state_arg),
ssl_host_info_factory(ssl_host_info_factory_arg),
ssl_session_cache_shard(ssl_session_cache_shard_arg) {}
CertVerifier* cert_verifier;
ServerBoundCertService* server_bound_cert_service;
TransportSecurityState* transport_security_state;
SSLHostInfoFactory* ssl_host_info_factory;
// ssl_session_cache_shard is an opaque string that identifies a shard of the
// SSL session cache. SSL sockets with the same ssl_session_cache_shard may
// resume each other's SSL sessions but we'll never sessions between shards.
const std::string ssl_session_cache_shard;
};
// A client socket that uses SSL as the transport layer.
//
// NOTE: The SSL handshake occurs within the Connect method after a TCP
// connection is established. If a SSL error occurs during the handshake,
// Connect will fail.
//
class NET_EXPORT SSLClientSocket : public SSLSocket {
public:
SSLClientSocket();
// Next Protocol Negotiation (NPN) allows a TLS client and server to come to
// an agreement about the application level protocol to speak over a
// connection.
enum NextProtoStatus {
// WARNING: These values are serialized to disk. Don't change them.
kNextProtoUnsupported = 0, // The server doesn't support NPN.
kNextProtoNegotiated = 1, // We agreed on a protocol.
kNextProtoNoOverlap = 2, // No protocols in common. We requested
// the first protocol in our list.
};
// Gets the SSL connection information of the socket.
//
// TODO(sergeyu): Move this method to the SSLSocket interface and
// implemented in SSLServerSocket too.
virtual void GetSSLInfo(SSLInfo* ssl_info) = 0;
// Gets the SSL CertificateRequest info of the socket after Connect failed
// with ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
virtual void GetSSLCertRequestInfo(
SSLCertRequestInfo* cert_request_info) = 0;
// StreamSocket:
virtual NextProto GetNegotiatedProtocol() const OVERRIDE;
// Get the application level protocol that we negotiated with the server.
// *proto is set to the resulting protocol (n.b. that the string may have
// embedded NULs).
// kNextProtoUnsupported: *proto is cleared.
// kNextProtoNegotiated: *proto is set to the negotiated protocol.
// kNextProtoNoOverlap: *proto is set to the first protocol in the
// supported list.
// *server_protos is set to the server advertised protocols.
virtual NextProtoStatus GetNextProto(std::string* proto,
std::string* server_protos) = 0;
static NextProto NextProtoFromString(const std::string& proto_string);
static const char* NextProtoToString(NextProto next_proto);
static const char* NextProtoStatusToString(const NextProtoStatus status);
// Can be used with the second argument(|server_protos|) of |GetNextProto| to
// construct a comma separated string of server advertised protocols.
static std::string ServerProtosToString(const std::string& server_protos);
static bool IgnoreCertError(int error, int load_flags);
// ClearSessionCache clears the SSL session cache, used to resume SSL
// sessions.
static void ClearSessionCache();
virtual bool was_npn_negotiated() const;
virtual bool set_was_npn_negotiated(bool negotiated);
virtual bool was_spdy_negotiated() const;
virtual bool set_was_spdy_negotiated(bool negotiated);
virtual void set_protocol_negotiated(NextProto protocol_negotiated);
// Returns the ServerBoundCertService used by this socket, or NULL if
// server bound certificates are not supported.
virtual ServerBoundCertService* GetServerBoundCertService() const = 0;
// Returns true if a domain bound certificate was sent on this connection.
// This may be useful for protocols, like SPDY, which allow the same
// connection to be shared between multiple domains, each of which need
// a domain bound certificate.
virtual bool WasDomainBoundCertSent() const;
// Returns the type of the domain bound cert that was sent, or
// CLIENT_CERT_INVALID_TYPE if none was sent.
virtual SSLClientCertType domain_bound_cert_type() const;
virtual SSLClientCertType set_domain_bound_cert_type(SSLClientCertType type);
private:
// True if NPN was responded to, independent of selecting SPDY or HTTP.
bool was_npn_negotiated_;
// True if NPN successfully negotiated SPDY.
bool was_spdy_negotiated_;
// Protocol that we negotiated with the server.
NextProto protocol_negotiated_;
// Type of the domain bound cert that was sent, or CLIENT_CERT_INVALID_TYPE
// if none was sent.
SSLClientCertType domain_bound_cert_type_;
};
} // namespace net
#endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_
|
