net/socket/ssl_client_socket_nss.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_
   6 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_
   7
   8 #include <certt.h>
   9 #include <keyt.h>
  10 #include <nspr.h>
  11 #include <nss.h>
  12
  13 #include <string>
  14 #include <vector>
  15
  16 #include "base/memory/scoped_ptr.h"
  17 #include "base/synchronization/lock.h"
  18 #include "base/threading/platform_thread.h"
  19 #include "base/time.h"
  20 #include "base/timer.h"
  21 #include "net/base/completion_callback.h"
  22 #include "net/base/host_port_pair.h"
  23 #include "net/base/net_export.h"
  24 #include "net/base/net_log.h"
  25 #include "net/base/nss_memio.h"
  26 #include "net/cert/cert_verify_result.h"
  27 #include "net/cert/x509_certificate.h"
  28 #include "net/socket/ssl_client_socket.h"
  29 #include "net/ssl/server_bound_cert_service.h"
  30 #include "net/ssl/ssl_config_service.h"
  31
  32 namespace base {
  33 class SequencedTaskRunner;
  34 }
  35
  36 namespace net {
  37
  38 class BoundNetLog;
  39 class CertVerifier;
  40 class ClientSocketHandle;
  41 class ServerBoundCertService;
  42 class SingleRequestCertVerifier;
  43 class TransportSecurityState;
  44 class X509Certificate;
  45
  46 // An SSL client socket implemented with Mozilla NSS.
  47 class SSLClientSocketNSS : public SSLClientSocket {
  48  public:
  49   // Takes ownership of the |transport_socket|, which must already be connected.
  50   // The hostname specified in |host_and_port| will be compared with the name(s)
  51   // in the server's certificate during the SSL handshake.  If SSL client
  52   // authentication is requested, the host_and_port field of SSLCertRequestInfo
  53   // will be populated with |host_and_port|.  |ssl_config| specifies
  54   // the SSL settings.
  55   //
  56   // Because calls to NSS may block, such as due to needing to access slow
  57   // hardware or needing to synchronously unlock protected tokens, calls to
  58   // NSS may optionally be run on a dedicated thread. If synchronous/blocking
  59   // behaviour is desired, for performance or compatibility, the current task
  60   // runner should be supplied instead.
  61   SSLClientSocketNSS(base::SequencedTaskRunner* nss_task_runner,
  62                      ClientSocketHandle* transport_socket,
  63                      const HostPortPair& host_and_port,
  64                      const SSLConfig& ssl_config,
  65                      const SSLClientSocketContext& context);
  66   virtual ~SSLClientSocketNSS();
  67
  68   // SSLClientSocket implementation.
  69   virtual void GetSSLCertRequestInfo(
  70       SSLCertRequestInfo* cert_request_info) OVERRIDE;
  71   virtual NextProtoStatus GetNextProto(std::string* proto,
  72                                        std::string* server_protos) OVERRIDE;
  73
  74   // SSLSocket implementation.
  75   virtual int ExportKeyingMaterial(const base::StringPiece& label,
  76                                    bool has_context,
  77                                    const base::StringPiece& context,
  78                                    unsigned char* out,
  79                                    unsigned int outlen) OVERRIDE;
  80   virtual int GetTLSUniqueChannelBinding(std::string* out) OVERRIDE;
  81
  82   // StreamSocket implementation.
  83   virtual int Connect(const CompletionCallback& callback) OVERRIDE;
  84   virtual void Disconnect() OVERRIDE;
  85   virtual bool IsConnected() const OVERRIDE;
  86   virtual bool IsConnectedAndIdle() const OVERRIDE;
  87   virtual int GetPeerAddress(IPEndPoint* address) const OVERRIDE;
  88   virtual int GetLocalAddress(IPEndPoint* address) const OVERRIDE;
  89   virtual const BoundNetLog& NetLog() const OVERRIDE;
  90   virtual void SetSubresourceSpeculation() OVERRIDE;
  91   virtual void SetOmniboxSpeculation() OVERRIDE;
  92   virtual bool WasEverUsed() const OVERRIDE;
  93   virtual bool UsingTCPFastOpen() const OVERRIDE;
  94   virtual bool GetSSLInfo(SSLInfo* ssl_info) OVERRIDE;
  95
  96   // Socket implementation.
  97   virtual int Read(IOBuffer* buf,
  98                    int buf_len,
  99                    const CompletionCallback& callback) OVERRIDE;
 100   virtual int Write(IOBuffer* buf,
 101                     int buf_len,
 102                     const CompletionCallback& callback) OVERRIDE;
 103   virtual bool SetReceiveBufferSize(int32 size) OVERRIDE;
 104   virtual bool SetSendBufferSize(int32 size) OVERRIDE;
 105   virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE;
 106
 107  private:
 108   // Helper class to handle marshalling any NSS interaction to and from the
 109   // NSS and network task runners. Not every call needs to happen on the Core
 110   class Core;
 111
 112   enum State {
 113     STATE_NONE,
 114     STATE_HANDSHAKE,
 115     STATE_HANDSHAKE_COMPLETE,
 116     STATE_VERIFY_CERT,
 117     STATE_VERIFY_CERT_COMPLETE,
 118   };
 119
 120   int Init();
 121   void InitCore();
 122
 123   // Initializes NSS SSL options.  Returns a net error code.
 124   int InitializeSSLOptions();
 125
 126   // Initializes the socket peer name in SSL.  Returns a net error code.
 127   int InitializeSSLPeerName();
 128
 129   void DoConnectCallback(int result);
 130   void OnHandshakeIOComplete(int result);
 131
 132   int DoHandshakeLoop(int last_io_result);
 133   int DoHandshake();
 134   int DoHandshakeComplete(int result);
 135   int DoVerifyCert(int result);
 136   int DoVerifyCertComplete(int result);
 137
 138   void LogConnectionTypeMetrics() const;
 139
 140   // The following methods are for debugging bug 65948. Will remove this code
 141   // after fixing bug 65948.
 142   void EnsureThreadIdAssigned() const;
 143   bool CalledOnValidThread() const;
 144
 145   // The task runner used to perform NSS operations.
 146   scoped_refptr<base::SequencedTaskRunner> nss_task_runner_;
 147   scoped_ptr<ClientSocketHandle> transport_;
 148   HostPortPair host_and_port_;
 149   SSLConfig ssl_config_;
 150
 151   scoped_refptr<Core> core_;
 152
 153   CompletionCallback user_connect_callback_;
 154
 155   CertVerifyResult server_cert_verify_result_;
 156   HashValueVector side_pinned_public_keys_;
 157
 158   CertVerifier* const cert_verifier_;
 159   scoped_ptr<SingleRequestCertVerifier> verifier_;
 160
 161   // The service for retrieving Channel ID keys.  May be NULL.
 162   ServerBoundCertService* server_bound_cert_service_;
 163
 164   // ssl_session_cache_shard_ is an opaque string that partitions the SSL
 165   // session cache. i.e. sessions created with one value will not attempt to
 166   // resume on the socket with a different value.
 167   const std::string ssl_session_cache_shard_;
 168
 169   // True if the SSL handshake has been completed.
 170   bool completed_handshake_;
 171
 172   State next_handshake_state_;
 173
 174   // The NSS SSL state machine. This is owned by |core_|.
 175   // TODO(rsleevi): http://crbug.com/130616 - Remove this member once
 176   // ExportKeyingMaterial is updated to be asynchronous.
 177   PRFileDesc* nss_fd_;
 178
 179   BoundNetLog net_log_;
 180
 181   base::TimeTicks start_cert_verification_time_;
 182
 183   TransportSecurityState* transport_security_state_;
 184
 185   // The following two variables are added for debugging bug 65948. Will
 186   // remove this code after fixing bug 65948.
 187   // Added the following code Debugging in release mode.
 188   mutable base::Lock lock_;
 189   // This is mutable so that CalledOnValidThread can set it.
 190   // It's guarded by |lock_|.
 191   mutable base::PlatformThreadId valid_thread_id_;
 192 };
 193
 194 }  // namespace net
 195
 196 #endif  // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_