search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
QUIC - enable persisting of QUICServerInfo (server config) to disk
[chromium-blink-merge.git] / net / socket / ssl_client_socket.h
blob9993bb6b64c19bcf0855471e093349c81c3784ee
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_H_
7
8 #include <string>
9
10 #include "base/gtest_prod_util.h"
11 #include "net/base/completion_callback.h"
12 #include "net/base/load_flags.h"
13 #include "net/base/net_errors.h"
14 #include "net/socket/ssl_socket.h"
15 #include "net/socket/stream_socket.h"
16
17 namespace net {
18
19 class CertVerifier;
20 class CTVerifier;
21 class ChannelIDService;
22 class SSLCertRequestInfo;
23 struct SSLConfig;
24 class SSLInfo;
25 class TransportSecurityState;
26 class X509Certificate;
27
28 // This struct groups together several fields which are used by various
29 // classes related to SSLClientSocket.
30 struct SSLClientSocketContext {
31 SSLClientSocketContext()
32 : cert_verifier(NULL),
33 channel_id_service(NULL),
34 transport_security_state(NULL),
35 cert_transparency_verifier(NULL) {}
36
37 SSLClientSocketContext(CertVerifier* cert_verifier_arg,
38 ChannelIDService* channel_id_service_arg,
39 TransportSecurityState* transport_security_state_arg,
40 CTVerifier* cert_transparency_verifier_arg,
41 const std::string& ssl_session_cache_shard_arg)
42 : cert_verifier(cert_verifier_arg),
43 channel_id_service(channel_id_service_arg),
44 transport_security_state(transport_security_state_arg),
45 cert_transparency_verifier(cert_transparency_verifier_arg),
46 ssl_session_cache_shard(ssl_session_cache_shard_arg) {}
47
48 CertVerifier* cert_verifier;
49 ChannelIDService* channel_id_service;
50 TransportSecurityState* transport_security_state;
51 CTVerifier* cert_transparency_verifier;
52 // ssl_session_cache_shard is an opaque string that identifies a shard of the
53 // SSL session cache. SSL sockets with the same ssl_session_cache_shard may
54 // resume each other's SSL sessions but we'll never sessions between shards.
55 const std::string ssl_session_cache_shard;
56 };
57
58 // A client socket that uses SSL as the transport layer.
59 //
60 // NOTE: The SSL handshake occurs within the Connect method after a TCP
61 // connection is established. If a SSL error occurs during the handshake,
62 // Connect will fail.
63 //
64 class NET_EXPORT SSLClientSocket : public SSLSocket {
65 public:
66 SSLClientSocket();
67
68 // Next Protocol Negotiation (NPN) allows a TLS client and server to come to
69 // an agreement about the application level protocol to speak over a
70 // connection.
71 enum NextProtoStatus {
72 // WARNING: These values are serialized to disk. Don't change them.
73
74 kNextProtoUnsupported = 0, // The server doesn't support NPN.
75 kNextProtoNegotiated = 1, // We agreed on a protocol.
76 kNextProtoNoOverlap = 2, // No protocols in common. We requested
77 // the first protocol in our list.
78 };
79
80 // StreamSocket:
81 virtual bool WasNpnNegotiated() const OVERRIDE;
82 virtual NextProto GetNegotiatedProtocol() const OVERRIDE;
83
84 // Gets the SSL CertificateRequest info of the socket after Connect failed
85 // with ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
86 virtual void GetSSLCertRequestInfo(
87 SSLCertRequestInfo* cert_request_info) = 0;
88
89 // Get the application level protocol that we negotiated with the server.
90 // *proto is set to the resulting protocol (n.b. that the string may have
91 // embedded NULs).
92 // kNextProtoUnsupported: *proto is cleared.
93 // kNextProtoNegotiated: *proto is set to the negotiated protocol.
94 // kNextProtoNoOverlap: *proto is set to the first protocol in the
95 // supported list.
96 virtual NextProtoStatus GetNextProto(std::string* proto) = 0;
97
98 static NextProto NextProtoFromString(const std::string& proto_string);
99
100 static const char* NextProtoToString(NextProto next_proto);
101
102 static const char* NextProtoStatusToString(const NextProtoStatus status);
103
104 static bool IgnoreCertError(int error, int load_flags);
105
106 // ClearSessionCache clears the SSL session cache, used to resume SSL
107 // sessions.
108 static void ClearSessionCache();
109
110 virtual bool set_was_npn_negotiated(bool negotiated);
111
112 virtual bool was_spdy_negotiated() const;
113
114 virtual bool set_was_spdy_negotiated(bool negotiated);
115
116 virtual void set_protocol_negotiated(NextProto protocol_negotiated);
117
118 // Returns the ChannelIDService used by this socket, or NULL if
119 // channel ids are not supported.
120 virtual ChannelIDService* GetChannelIDService() const = 0;
121
122 // Returns true if a channel ID was sent on this connection.
123 // This may be useful for protocols, like SPDY, which allow the same
124 // connection to be shared between multiple domains, each of which need
125 // a channel ID.
126 //
127 // Public for ssl_client_socket_openssl_unittest.cc.
128 virtual bool WasChannelIDSent() const;
129
130 protected:
131 virtual void set_channel_id_sent(bool channel_id_sent);
132
133 virtual void set_signed_cert_timestamps_received(
134 bool signed_cert_timestamps_received);
135
136 virtual void set_stapled_ocsp_response_received(
137 bool stapled_ocsp_response_received);
138
139 // Records histograms for channel id support during full handshakes - resumed
140 // handshakes are ignored.
141 static void RecordChannelIDSupport(
142 ChannelIDService* channel_id_service,
143 bool negotiated_channel_id,
144 bool channel_id_enabled,
145 bool supports_ecc);
146
147 // Returns whether TLS channel ID is enabled.
148 static bool IsChannelIDEnabled(
149 const SSLConfig& ssl_config,
150 ChannelIDService* channel_id_service);
151
152 // Serializes |next_protos| in the wire format for ALPN: protocols are listed
153 // in order, each prefixed by a one-byte length.
154 static std::vector<uint8_t> SerializeNextProtos(
155 const std::vector<std::string>& next_protos);
156
157 // For unit testing only.
158 // Returns the unverified certificate chain as presented by server.
159 // Note that chain may be different than the verified chain returned by
160 // StreamSocket::GetSSLInfo().
161 virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain()
162 const = 0;
163
164 private:
165 // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.
166 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
167 ConnectSignedCertTimestampsEnabledTLSExtension);
168 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
169 ConnectSignedCertTimestampsEnabledOCSP);
170 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
171 ConnectSignedCertTimestampsDisabled);
172 FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
173 VerifyServerChainProperlyOrdered);
174
175 // True if NPN was responded to, independent of selecting SPDY or HTTP.
176 bool was_npn_negotiated_;
177 // True if NPN successfully negotiated SPDY.
178 bool was_spdy_negotiated_;
179 // Protocol that we negotiated with the server.
180 NextProto protocol_negotiated_;
181 // True if a channel ID was sent.
182 bool channel_id_sent_;
183 // True if SCTs were received via a TLS extension.
184 bool signed_cert_timestamps_received_;
185 // True if a stapled OCSP response was received.
186 bool stapled_ocsp_response_received_;
187 };
188
189 } // namespace net
190
191 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_