| blob | 645aaf41899059900a19bf58088b2a288623ec4f |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
8 #include <openssl/base.h>
9 #include <openssl/ssl.h>
11 #include <string>
12 #include <vector>
38 // An SSL client socket implemented with OpenSSL.
41 // Takes ownership of the transport_socket, which may already be connected.
42 // The given hostname will be compared with the name(s) in the server's
43 // certificate during the SSL handshake. ssl_config specifies the SSL
44 // settings.
54 }
56 // SSLClientSocket implementation.
62 // SSLSocket implementation.
70 // StreamSocket implementation.
87 // Socket implementation.
128 // Called when an asynchronous event completes which may have blocked the
129 // pending Read or Write calls, if any. Retries both state machines and, if
130 // complete, runs the respective callbacks.
140 // Callback from the SSL layer that indicates the remote server is requesting
141 // a certificate for this client.
144 // CertVerifyCallback is called to verify the server's certificates. We do
145 // verification after the handshake so this function only enforces that the
146 // certificates don't change during renegotiation.
149 // Callback from the SSL layer to check which NPN protocol we are supporting
153 // Called during an operation on |transport_bio_|'s peer. Checks saved
154 // transport error state and, if appropriate, returns an error through
155 // OpenSSL's error system.
161 // Callback from the SSL layer when an operation is performed on
162 // |transport_bio_|'s peer.
168 // Called after the initial handshake completes and after the server
169 // certificate has been verified. The order of handshake completion and
170 // certificate verification depends on whether the connection was false
171 // started. After both have happened (thus calling this twice), the session is
172 // safe to cache and will be cached.
175 // Called from the SSL layer whenever a new session is established.
178 // Adds the SignedCertificateTimestamps from ct_verify_result_ to |ssl_info|.
179 // SCTs are held in three separate vectors in ct_verify_result, each
180 // vetor representing a particular verification state, this method associates
181 // each of the SCTs with the corresponding SCTVerifyStatus as it adds it to
182 // the |ssl_info|.signed_certificate_timestamps list.
185 // Returns a unique key string for the SSL session cache for
186 // this socket.
189 // Returns true if renegotiations are allowed.
192 // Callbacks for operations with the private key.
212 // Buffers which are shared by BoringSSL and SSLClientSocketOpenSSL.
213 // GrowableIOBuffer is used to keep ownership and setting offset.
217 CompletionCallback user_connect_callback_;
218 CompletionCallback user_read_callback_;
219 CompletionCallback user_write_callback_;
221 // Used by Read function.
225 // Used by Write function.
229 // Used by DoPayloadRead() when attempting to fill the caller's buffer with
230 // as much data as possible without blocking.
231 // If DoPayloadRead() encounters an error after having read some data, stores
232 // the result to return on the *next* call to DoPayloadRead(). A value > 0
233 // indicates there is no pending result, otherwise 0 indicates EOF and < 0
234 // indicates an error.
237 // If there is a pending read result, the OpenSSL result code (output of
238 // SSL_get_error) associated with it.
241 // If there is a pending read result, the OpenSSLErrorInfo associated with it.
242 OpenSSLErrorInfo pending_read_error_info_;
244 // Used by TransportReadComplete() to signify an error reading from the
245 // transport socket. A value of OK indicates the socket is still
246 // readable. EOFs are mapped to ERR_CONNECTION_CLOSED.
249 // Used by TransportWriteComplete() and TransportReadComplete() to signify an
250 // error writing to the transport socket. A value of OK indicates no error.
253 // Set when Connect finishes.
256 CertVerifyResult server_cert_verify_result_;
259 // Set when Read() or Write() successfully reads or writes data to or from the
260 // network.
263 // List of DER-encoded X.509 DistinguishedName of certificate authorities
264 // allowed by the server.
266 // List of SSLClientCertType values for client certificates allowed by the
267 // server.
274 // Certificate Transparency: Verifier and result holder.
278 // The service for retrieving Channel ID keys. May be NULL.
281 // OpenSSL stuff
287 SSLConfig ssl_config_;
288 // ssl_session_cache_shard_ is an opaque string that partitions the SSL
289 // session cache. i.e. sessions created with one value will not attempt to
290 // resume on the socket with a different value.
294 STATE_NONE,
295 STATE_HANDSHAKE,
296 STATE_HANDSHAKE_COMPLETE,
297 STATE_CHANNEL_ID_LOOKUP,
298 STATE_CHANNEL_ID_LOOKUP_COMPLETE,
299 STATE_VERIFY_CERT,
300 STATE_VERIFY_CERT_COMPLETE,
301 };
302 State next_handshake_state_;
303 NextProtoStatus npn_status_;
305 // Written by the |channel_id_service_|.
307 // True if a channel ID was sent.
309 // True if the current session was newly-established, but the certificate had
310 // not yet been verified externally, so it cannot be inserted into the cache
311 // until later.
313 // True if the initial handshake's certificate has been verified.
315 // The request handle for |channel_id_service_|.
317 SSLFailureState ssl_failure_state_;
327 // pinning_failure_log contains a message produced by
328 // TransportSecurityState::CheckPublicKeyPins in the event of a
329 // pinning failure. It is a (somewhat) human-readable string.
332 BoundNetLog net_log_;
334 };