search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
QUIC - enable persisting of QUICServerInfo (server config) to disk
[chromium-blink-merge.git] / net / socket / ssl_client_socket_openssl.h
blobd20d5ee5284ccf9383909ac194038781c1e3b966
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
7
8 #include <string>
9
10 #include "base/compiler_specific.h"
11 #include "base/memory/scoped_ptr.h"
12 #include "base/memory/weak_ptr.h"
13 #include "net/base/completion_callback.h"
14 #include "net/base/io_buffer.h"
15 #include "net/cert/cert_verify_result.h"
16 #include "net/socket/client_socket_handle.h"
17 #include "net/socket/ssl_client_socket.h"
18 #include "net/ssl/channel_id_service.h"
19 #include "net/ssl/ssl_client_cert_type.h"
20 #include "net/ssl/ssl_config_service.h"
21
22 // Avoid including misc OpenSSL headers, i.e.:
23 // <openssl/bio.h>
24 typedef struct bio_st BIO;
25 // <openssl/evp.h>
26 typedef struct evp_pkey_st EVP_PKEY;
27 // <openssl/ssl.h>
28 typedef struct ssl_st SSL;
29 // <openssl/x509.h>
30 typedef struct x509_st X509;
31 // <openssl/ossl_type.h>
32 typedef struct x509_store_ctx_st X509_STORE_CTX;
33
34 namespace net {
35
36 class CertVerifier;
37 class SingleRequestCertVerifier;
38 class SSLCertRequestInfo;
39 class SSLInfo;
40
41 // An SSL client socket implemented with OpenSSL.
42 class SSLClientSocketOpenSSL : public SSLClientSocket {
43 public:
44 // Takes ownership of the transport_socket, which may already be connected.
45 // The given hostname will be compared with the name(s) in the server's
46 // certificate during the SSL handshake. ssl_config specifies the SSL
47 // settings.
48 SSLClientSocketOpenSSL(scoped_ptr<ClientSocketHandle> transport_socket,
49 const HostPortPair& host_and_port,
50 const SSLConfig& ssl_config,
51 const SSLClientSocketContext& context);
52 virtual ~SSLClientSocketOpenSSL();
53
54 const HostPortPair& host_and_port() const { return host_and_port_; }
55 const std::string& ssl_session_cache_shard() const {
56 return ssl_session_cache_shard_;
57 }
58
59 // SSLClientSocket implementation.
60 virtual void GetSSLCertRequestInfo(
61 SSLCertRequestInfo* cert_request_info) OVERRIDE;
62 virtual NextProtoStatus GetNextProto(std::string* proto) OVERRIDE;
63 virtual ChannelIDService* GetChannelIDService() const OVERRIDE;
64
65 // SSLSocket implementation.
66 virtual int ExportKeyingMaterial(const base::StringPiece& label,
67 bool has_context,
68 const base::StringPiece& context,
69 unsigned char* out,
70 unsigned int outlen) OVERRIDE;
71 virtual int GetTLSUniqueChannelBinding(std::string* out) OVERRIDE;
72
73 // StreamSocket implementation.
74 virtual int Connect(const CompletionCallback& callback) OVERRIDE;
75 virtual void Disconnect() OVERRIDE;
76 virtual bool IsConnected() const OVERRIDE;
77 virtual bool IsConnectedAndIdle() const OVERRIDE;
78 virtual int GetPeerAddress(IPEndPoint* address) const OVERRIDE;
79 virtual int GetLocalAddress(IPEndPoint* address) const OVERRIDE;
80 virtual const BoundNetLog& NetLog() const OVERRIDE;
81 virtual void SetSubresourceSpeculation() OVERRIDE;
82 virtual void SetOmniboxSpeculation() OVERRIDE;
83 virtual bool WasEverUsed() const OVERRIDE;
84 virtual bool UsingTCPFastOpen() const OVERRIDE;
85 virtual bool GetSSLInfo(SSLInfo* ssl_info) OVERRIDE;
86
87 // Socket implementation.
88 virtual int Read(IOBuffer* buf, int buf_len,
89 const CompletionCallback& callback) OVERRIDE;
90 virtual int Write(IOBuffer* buf, int buf_len,
91 const CompletionCallback& callback) OVERRIDE;
92 virtual int SetReceiveBufferSize(int32 size) OVERRIDE;
93 virtual int SetSendBufferSize(int32 size) OVERRIDE;
94
95 protected:
96 // SSLClientSocket implementation.
97 virtual scoped_refptr<X509Certificate> GetUnverifiedServerCertificateChain()
98 const OVERRIDE;
99
100 private:
101 class PeerCertificateChain;
102 class SSLContext;
103 friend class SSLClientSocket;
104 friend class SSLContext;
105
106 int Init();
107 void DoReadCallback(int result);
108 void DoWriteCallback(int result);
109
110 bool DoTransportIO();
111 int DoHandshake();
112 int DoChannelIDLookup();
113 int DoChannelIDLookupComplete(int result);
114 int DoVerifyCert(int result);
115 int DoVerifyCertComplete(int result);
116 void DoConnectCallback(int result);
117 X509Certificate* UpdateServerCert();
118
119 void OnHandshakeIOComplete(int result);
120 void OnSendComplete(int result);
121 void OnRecvComplete(int result);
122
123 int DoHandshakeLoop(int last_io_result);
124 int DoReadLoop(int result);
125 int DoWriteLoop(int result);
126 int DoPayloadRead();
127 int DoPayloadWrite();
128
129 int BufferSend();
130 int BufferRecv();
131 void BufferSendComplete(int result);
132 void BufferRecvComplete(int result);
133 void TransportWriteComplete(int result);
134 int TransportReadComplete(int result);
135
136 // Callback from the SSL layer that indicates the remote server is requesting
137 // a certificate for this client.
138 int ClientCertRequestCallback(SSL* ssl, X509** x509, EVP_PKEY** pkey);
139
140 // CertVerifyCallback is called to verify the server's certificates. We do
141 // verification after the handshake so this function only enforces that the
142 // certificates don't change during renegotiation.
143 int CertVerifyCallback(X509_STORE_CTX *store_ctx);
144
145 // Callback from the SSL layer to check which NPN protocol we are supporting
146 int SelectNextProtoCallback(unsigned char** out, unsigned char* outlen,
147 const unsigned char* in, unsigned int inlen);
148
149 // Called during an operation on |transport_bio_|'s peer. Checks saved
150 // transport error state and, if appropriate, returns an error through
151 // OpenSSL's error system.
152 long MaybeReplayTransportError(BIO *bio,
153 int cmd,
154 const char *argp, int argi, long argl,
155 long retvalue);
156
157 // Callback from the SSL layer when an operation is performed on
158 // |transport_bio_|'s peer.
159 static long BIOCallback(BIO *bio,
160 int cmd,
161 const char *argp, int argi, long argl,
162 long retvalue);
163
164 bool transport_send_busy_;
165 bool transport_recv_busy_;
166
167 scoped_refptr<DrainableIOBuffer> send_buffer_;
168 scoped_refptr<IOBuffer> recv_buffer_;
169
170 CompletionCallback user_connect_callback_;
171 CompletionCallback user_read_callback_;
172 CompletionCallback user_write_callback_;
173
174 base::WeakPtrFactory<SSLClientSocketOpenSSL> weak_factory_;
175
176 // Used by Read function.
177 scoped_refptr<IOBuffer> user_read_buf_;
178 int user_read_buf_len_;
179
180 // Used by Write function.
181 scoped_refptr<IOBuffer> user_write_buf_;
182 int user_write_buf_len_;
183
184 // Used by DoPayloadRead() when attempting to fill the caller's buffer with
185 // as much data as possible without blocking.
186 // If DoPayloadRead() encounters an error after having read some data, stores
187 // the result to return on the *next* call to DoPayloadRead(). A value > 0
188 // indicates there is no pending result, otherwise 0 indicates EOF and < 0
189 // indicates an error.
190 int pending_read_error_;
191
192 // Used by TransportReadComplete() to signify an error reading from the
193 // transport socket. A value of OK indicates the socket is still
194 // readable. EOFs are mapped to ERR_CONNECTION_CLOSED.
195 int transport_read_error_;
196
197 // Used by TransportWriteComplete() and TransportReadComplete() to signify an
198 // error writing to the transport socket. A value of OK indicates no error.
199 int transport_write_error_;
200
201 // Set when handshake finishes.
202 scoped_ptr<PeerCertificateChain> server_cert_chain_;
203 scoped_refptr<X509Certificate> server_cert_;
204 CertVerifyResult server_cert_verify_result_;
205 bool completed_handshake_;
206
207 // Set when Read() or Write() successfully reads or writes data to or from the
208 // network.
209 bool was_ever_used_;
210
211 // Stores client authentication information between ClientAuthHandler and
212 // GetSSLCertRequestInfo calls.
213 bool client_auth_cert_needed_;
214 // List of DER-encoded X.509 DistinguishedName of certificate authorities
215 // allowed by the server.
216 std::vector<std::string> cert_authorities_;
217 // List of SSLClientCertType values for client certificates allowed by the
218 // server.
219 std::vector<SSLClientCertType> cert_key_types_;
220
221 CertVerifier* const cert_verifier_;
222 scoped_ptr<SingleRequestCertVerifier> verifier_;
223
224 // The service for retrieving Channel ID keys. May be NULL.
225 ChannelIDService* channel_id_service_;
226
227 // OpenSSL stuff
228 SSL* ssl_;
229 BIO* transport_bio_;
230
231 scoped_ptr<ClientSocketHandle> transport_;
232 const HostPortPair host_and_port_;
233 SSLConfig ssl_config_;
234 // ssl_session_cache_shard_ is an opaque string that partitions the SSL
235 // session cache. i.e. sessions created with one value will not attempt to
236 // resume on the socket with a different value.
237 const std::string ssl_session_cache_shard_;
238
239 // Used for session cache diagnostics.
240 bool trying_cached_session_;
241
242 enum State {
243 STATE_NONE,
244 STATE_HANDSHAKE,
245 STATE_CHANNEL_ID_LOOKUP,
246 STATE_CHANNEL_ID_LOOKUP_COMPLETE,
247 STATE_VERIFY_CERT,
248 STATE_VERIFY_CERT_COMPLETE,
249 };
250 State next_handshake_state_;
251 NextProtoStatus npn_status_;
252 std::string npn_proto_;
253 // Written by the |channel_id_service_|.
254 std::string channel_id_private_key_;
255 std::string channel_id_cert_;
256 // True if channel ID extension was negotiated.
257 bool channel_id_xtn_negotiated_;
258 // The request handle for |channel_id_service_|.
259 ChannelIDService::RequestHandle channel_id_request_handle_;
260 BoundNetLog net_log_;
261 };
262
263 } // namespace net
264
265 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_