1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
|
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
#define NET_SOCKET_SSL_CLIENT_SOCKET_H_
#pragma once
#include <string>
#include "net/base/completion_callback.h"
#include "net/base/load_flags.h"
#include "net/base/net_errors.h"
#include "net/socket/ssl_socket.h"
#include "net/socket/stream_socket.h"
namespace net {
class CertVerifier;
class OriginBoundCertService;
class SSLCertRequestInfo;
class SSLHostInfo;
class SSLHostInfoFactory;
class SSLInfo;
class TransportSecurityState;
// This struct groups together several fields which are used by various
// classes related to SSLClientSocket.
struct SSLClientSocketContext {
SSLClientSocketContext()
: cert_verifier(NULL),
origin_bound_cert_service(NULL),
transport_security_state(NULL),
ssl_host_info_factory(NULL) {}
SSLClientSocketContext(CertVerifier* cert_verifier_arg,
OriginBoundCertService* origin_bound_cert_service_arg,
TransportSecurityState* transport_security_state_arg,
SSLHostInfoFactory* ssl_host_info_factory_arg,
const std::string& ssl_session_cache_shard_arg)
: cert_verifier(cert_verifier_arg),
origin_bound_cert_service(origin_bound_cert_service_arg),
transport_security_state(transport_security_state_arg),
ssl_host_info_factory(ssl_host_info_factory_arg),
ssl_session_cache_shard(ssl_session_cache_shard_arg) {}
CertVerifier* cert_verifier;
OriginBoundCertService* origin_bound_cert_service;
TransportSecurityState* transport_security_state;
SSLHostInfoFactory* ssl_host_info_factory;
// ssl_session_cache_shard is an opaque string that identifies a shard of the
// SSL session cache. SSL sockets with the same ssl_session_cache_shard may
// resume each other's SSL sessions but we'll never sessions between shards.
const std::string ssl_session_cache_shard;
};
// A client socket that uses SSL as the transport layer.
//
// NOTE: The SSL handshake occurs within the Connect method after a TCP
// connection is established. If a SSL error occurs during the handshake,
// Connect will fail.
//
class NET_EXPORT SSLClientSocket : public SSLSocket {
public:
SSLClientSocket();
// Next Protocol Negotiation (NPN) allows a TLS client and server to come to
// an agreement about the application level protocol to speak over a
// connection.
enum NextProtoStatus {
// WARNING: These values are serialised to disk. Don't change them.
kNextProtoUnsupported = 0, // The server doesn't support NPN.
kNextProtoNegotiated = 1, // We agreed on a protocol.
kNextProtoNoOverlap = 2, // No protocols in common. We requested
// the first protocol in our list.
};
// Next Protocol Negotiation (NPN), if successful, results in agreement on an
// application-level string that specifies the application level protocol to
// use over the TLS connection. NextProto enumerates the application level
// protocols that we recognise.
enum NextProto {
kProtoUnknown = 0,
kProtoHTTP11 = 1,
kProtoSPDY1 = 2,
kProtoSPDY2 = 3,
kProtoSPDY21 = 4,
};
// Gets the SSL connection information of the socket.
//
// TODO(sergeyu): Move this method to the SSLSocket interface and
// implemented in SSLServerSocket too.
virtual void GetSSLInfo(SSLInfo* ssl_info) = 0;
// Gets the SSL CertificateRequest info of the socket after Connect failed
// with ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
virtual void GetSSLCertRequestInfo(
SSLCertRequestInfo* cert_request_info) = 0;
// Get the application level protocol that we negotiated with the server.
// *proto is set to the resulting protocol (n.b. that the string may have
// embedded NULs).
// kNextProtoUnsupported: *proto is cleared.
// kNextProtoNegotiated: *proto is set to the negotiated protocol.
// kNextProtoNoOverlap: *proto is set to the first protocol in the
// supported list.
// *server_protos is set to the server advertised protocols.
virtual NextProtoStatus GetNextProto(std::string* proto,
std::string* server_protos) = 0;
static NextProto NextProtoFromString(const std::string& proto_string);
static const char* NextProtoToString(SSLClientSocket::NextProto next_proto);
static const char* NextProtoStatusToString(
const SSLClientSocket::NextProtoStatus status);
// Can be used with the second argument(|server_protos|) of |GetNextProto| to
// construct a comma separated string of server advertised protocols.
static std::string ServerProtosToString(const std::string& server_protos);
static bool IgnoreCertError(int error, int load_flags);
// ClearSessionCache clears the SSL session cache, used to resume SSL
// sessions.
static void ClearSessionCache();
virtual bool was_npn_negotiated() const;
virtual bool set_was_npn_negotiated(bool negotiated);
virtual bool was_spdy_negotiated() const;
virtual bool set_was_spdy_negotiated(bool negotiated);
virtual SSLClientSocket::NextProto protocol_negotiated() const;
virtual void set_protocol_negotiated(
SSLClientSocket::NextProto protocol_negotiated);
// Returns true if an origin bound certificate was sent on this connection.
// This may be useful for protocols, like SPDY, which allow the same
// connection to be shared between multiple origins, each of which need
// an origin bound certificate.
virtual bool was_origin_bound_cert_sent() const;
virtual bool set_was_origin_bound_cert_sent(bool sent);
private:
// True if NPN was responded to, independent of selecting SPDY or HTTP.
bool was_npn_negotiated_;
// True if NPN successfully negotiated SPDY.
bool was_spdy_negotiated_;
// Protocol that we negotiated with the server.
SSLClientSocket::NextProto protocol_negotiated_;
// True if an origin bound certificate was sent.
bool was_origin_bound_cert_sent_;
};
} // namespace net
#endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_
|