1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
10 #include "base/compiler_specific.h"
11 #include "base/memory/scoped_ptr.h"
12 #include "base/memory/weak_ptr.h"
13 #include "net/base/completion_callback.h"
14 #include "net/base/io_buffer.h"
15 #include "net/cert/cert_verify_result.h"
16 #include "net/socket/client_socket_handle.h"
17 #include "net/socket/ssl_client_socket.h"
18 #include "net/ssl/server_bound_cert_service.h"
19 #include "net/ssl/ssl_config_service.h"
21 // Avoid including misc OpenSSL headers, i.e.:
23 typedef struct bio_st BIO;
25 typedef struct evp_pkey_st EVP_PKEY;
27 typedef struct ssl_st SSL;
29 typedef struct x509_st X509;
34 class SingleRequestCertVerifier;
35 class SSLCertRequestInfo;
38 // An SSL client socket implemented with OpenSSL.
39 class SSLClientSocketOpenSSL : public SSLClientSocket {
41 // Takes ownership of the transport_socket, which may already be connected.
42 // The given hostname will be compared with the name(s) in the server's
43 // certificate during the SSL handshake. ssl_config specifies the SSL
45 SSLClientSocketOpenSSL(scoped_ptr<ClientSocketHandle> transport_socket,
46 const HostPortPair& host_and_port,
47 const SSLConfig& ssl_config,
48 const SSLClientSocketContext& context);
49 virtual ~SSLClientSocketOpenSSL();
51 const HostPortPair& host_and_port() const { return host_and_port_; }
52 const std::string& ssl_session_cache_shard() const {
53 return ssl_session_cache_shard_;
56 // Callback from the SSL layer that indicates the remote server is requesting
57 // a certificate for this client.
58 int ClientCertRequestCallback(SSL* ssl, X509** x509, EVP_PKEY** pkey);
60 // Callback from the SSL layer that indicates the remote server supports TLS
62 void ChannelIDRequestCallback(SSL* ssl, EVP_PKEY** pkey);
64 // Callback from the SSL layer to check which NPN protocol we are supporting
65 int SelectNextProtoCallback(unsigned char** out, unsigned char* outlen,
66 const unsigned char* in, unsigned int inlen);
68 // SSLClientSocket implementation.
69 virtual void GetSSLCertRequestInfo(
70 SSLCertRequestInfo* cert_request_info) OVERRIDE;
71 virtual NextProtoStatus GetNextProto(std::string* proto,
72 std::string* server_protos) OVERRIDE;
73 virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE;
75 // SSLSocket implementation.
76 virtual int ExportKeyingMaterial(const base::StringPiece& label,
78 const base::StringPiece& context,
80 unsigned int outlen) OVERRIDE;
81 virtual int GetTLSUniqueChannelBinding(std::string* out) OVERRIDE;
83 // StreamSocket implementation.
84 virtual int Connect(const CompletionCallback& callback) OVERRIDE;
85 virtual void Disconnect() OVERRIDE;
86 virtual bool IsConnected() const OVERRIDE;
87 virtual bool IsConnectedAndIdle() const OVERRIDE;
88 virtual int GetPeerAddress(IPEndPoint* address) const OVERRIDE;
89 virtual int GetLocalAddress(IPEndPoint* address) const OVERRIDE;
90 virtual const BoundNetLog& NetLog() const OVERRIDE;
91 virtual void SetSubresourceSpeculation() OVERRIDE;
92 virtual void SetOmniboxSpeculation() OVERRIDE;
93 virtual bool WasEverUsed() const OVERRIDE;
94 virtual bool UsingTCPFastOpen() const OVERRIDE;
95 virtual bool GetSSLInfo(SSLInfo* ssl_info) OVERRIDE;
97 // Socket implementation.
98 virtual int Read(IOBuffer* buf, int buf_len,
99 const CompletionCallback& callback) OVERRIDE;
100 virtual int Write(IOBuffer* buf, int buf_len,
101 const CompletionCallback& callback) OVERRIDE;
102 virtual bool SetReceiveBufferSize(int32 size) OVERRIDE;
103 virtual bool SetSendBufferSize(int32 size) OVERRIDE;
107 void DoReadCallback(int result);
108 void DoWriteCallback(int result);
110 bool DoTransportIO();
112 int DoVerifyCert(int result);
113 int DoVerifyCertComplete(int result);
114 void DoConnectCallback(int result);
115 X509Certificate* UpdateServerCert();
117 void OnHandshakeIOComplete(int result);
118 void OnSendComplete(int result);
119 void OnRecvComplete(int result);
121 int DoHandshakeLoop(int last_io_result);
122 int DoReadLoop(int result);
123 int DoWriteLoop(int result);
125 int DoPayloadWrite();
129 void BufferSendComplete(int result);
130 void BufferRecvComplete(int result);
131 void TransportWriteComplete(int result);
132 void TransportReadComplete(int result);
134 bool transport_send_busy_;
135 bool transport_recv_busy_;
136 bool transport_recv_eof_;
138 scoped_refptr<DrainableIOBuffer> send_buffer_;
139 scoped_refptr<IOBuffer> recv_buffer_;
141 CompletionCallback user_connect_callback_;
142 CompletionCallback user_read_callback_;
143 CompletionCallback user_write_callback_;
145 base::WeakPtrFactory<SSLClientSocketOpenSSL> weak_factory_;
147 // Used by Read function.
148 scoped_refptr<IOBuffer> user_read_buf_;
149 int user_read_buf_len_;
151 // Used by Write function.
152 scoped_refptr<IOBuffer> user_write_buf_;
153 int user_write_buf_len_;
155 // Used by DoPayloadRead() when attempting to fill the caller's buffer with
156 // as much data as possible without blocking.
157 // If DoPayloadRead() encounters an error after having read some data, stores
158 // the result to return on the *next* call to DoPayloadRead(). A value > 0
159 // indicates there is no pending result, otherwise 0 indicates EOF and < 0
160 // indicates an error.
161 int pending_read_error_;
163 // Set when handshake finishes.
164 scoped_refptr<X509Certificate> server_cert_;
165 CertVerifyResult server_cert_verify_result_;
166 bool completed_handshake_;
168 // Stores client authentication information between ClientAuthHandler and
169 // GetSSLCertRequestInfo calls.
170 bool client_auth_cert_needed_;
171 // List of DER-encoded X.509 DistinguishedName of certificate authorities
172 // allowed by the server.
173 std::vector<std::string> cert_authorities_;
175 CertVerifier* const cert_verifier_;
176 scoped_ptr<SingleRequestCertVerifier> verifier_;
178 // The service for retrieving Channel ID keys. May be NULL.
179 ServerBoundCertService* server_bound_cert_service_;
185 scoped_ptr<ClientSocketHandle> transport_;
186 const HostPortPair host_and_port_;
187 SSLConfig ssl_config_;
188 // ssl_session_cache_shard_ is an opaque string that partitions the SSL
189 // session cache. i.e. sessions created with one value will not attempt to
190 // resume on the socket with a different value.
191 const std::string ssl_session_cache_shard_;
193 // Used for session cache diagnostics.
194 bool trying_cached_session_;
200 STATE_VERIFY_CERT_COMPLETE,
202 State next_handshake_state_;
203 NextProtoStatus npn_status_;
204 std::string npn_proto_;
205 std::string server_protos_;
206 // Written by the |server_bound_cert_service_|.
207 std::string channel_id_private_key_;
208 std::string channel_id_cert_;
209 // The return value of the last call to |server_bound_cert_service_|.
210 int channel_id_request_return_value_;
211 // True if channel ID extension was negotiated.
212 bool channel_id_xtn_negotiated_;
213 // The request handle for |server_bound_cert_service_|.
214 ServerBoundCertService::RequestHandle channel_id_request_handle_;
215 BoundNetLog net_log_;
220 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_