forked from chromium/chromium
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathssl_client_socket.h
197 lines (164 loc) · 7.53 KB
/
ssl_client_socket.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
#define NET_SOCKET_SSL_CLIENT_SOCKET_H_
#include <stdint.h>
#include <memory>
#include <vector>
#include "base/gtest_prod_util.h"
#include "base/macros.h"
#include "base/observer_list.h"
#include "net/base/net_export.h"
#include "net/cert/cert_database.h"
#include "net/socket/ssl_socket.h"
#include "net/ssl/ssl_client_auth_cache.h"
#include "net/ssl/ssl_config_service.h"
namespace net {
class CTPolicyEnforcer;
class CertVerifier;
class HostPortPair;
class SCTAuditingDelegate;
class SSLClientSessionCache;
struct SSLConfig;
class SSLKeyLogger;
class StreamSocket;
class TransportSecurityState;
// A client socket that uses SSL as the transport layer.
//
// NOTE: The SSL handshake occurs within the Connect method after a TCP
// connection is established. If a SSL error occurs during the handshake,
// Connect will fail.
//
class NET_EXPORT SSLClientSocket : public SSLSocket {
public:
SSLClientSocket();
// Log SSL key material to |logger|. Must be called before any
// SSLClientSockets are created.
//
// TODO(davidben): Switch this to a parameter on the SSLClientSocketContext
// once https://crbug.com/458365 is resolved.
static void SetSSLKeyLogger(std::unique_ptr<SSLKeyLogger> logger);
protected:
void set_signed_cert_timestamps_received(
bool signed_cert_timestamps_received) {
signed_cert_timestamps_received_ = signed_cert_timestamps_received;
}
void set_stapled_ocsp_response_received(bool stapled_ocsp_response_received) {
stapled_ocsp_response_received_ = stapled_ocsp_response_received;
}
// Serialize |next_protos| in the wire format for ALPN and NPN: protocols are
// listed in order, each prefixed by a one-byte length.
static std::vector<uint8_t> SerializeNextProtos(
const NextProtoVector& next_protos);
private:
FRIEND_TEST_ALL_PREFIXES(SSLClientSocket, SerializeNextProtos);
// For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.
FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
ConnectSignedCertTimestampsTLSExtension);
FRIEND_TEST_ALL_PREFIXES(SSLClientSocketVersionTest,
ConnectSignedCertTimestampsEnablesOCSP);
// True if SCTs were received via a TLS extension.
bool signed_cert_timestamps_received_;
// True if a stapled OCSP response was received.
bool stapled_ocsp_response_received_;
};
// Shared state and configuration across multiple SSLClientSockets.
class NET_EXPORT SSLClientContext : public SSLConfigService::Observer,
public CertDatabase::Observer {
public:
class NET_EXPORT Observer : public base::CheckedObserver {
public:
// Called when SSL configuration for all hosts changed. Newly-created
// SSLClientSockets will pick up the new configuration. Note that changes
// which only apply to one server will result in a call to
// OnSSLConfigForServerChanged() instead.
virtual void OnSSLConfigChanged(bool is_cert_database_change) = 0;
// Called when SSL configuration for |server| changed. Newly-created
// SSLClientSockets to |server| will pick up the new configuration.
virtual void OnSSLConfigForServerChanged(const HostPortPair& server) = 0;
};
// Creates a new SSLClientContext with the specified parameters. The
// SSLClientContext may not outlive the input parameters.
//
// |ssl_config_service| may be null to always use the default
// SSLContextConfig. |ssl_client_session_cache| may be null to disable session
// caching. |sct_auditing_delegate| may be null to disable SCT auditing.
SSLClientContext(SSLConfigService* ssl_config_service,
CertVerifier* cert_verifier,
TransportSecurityState* transport_security_state,
CTPolicyEnforcer* ct_policy_enforcer,
SSLClientSessionCache* ssl_client_session_cache,
SCTAuditingDelegate* sct_auditing_delegate);
~SSLClientContext() override;
const SSLContextConfig& config() { return config_; }
SSLConfigService* ssl_config_service() { return ssl_config_service_; }
CertVerifier* cert_verifier() { return cert_verifier_; }
TransportSecurityState* transport_security_state() {
return transport_security_state_;
}
CTPolicyEnforcer* ct_policy_enforcer() { return ct_policy_enforcer_; }
SSLClientSessionCache* ssl_client_session_cache() {
return ssl_client_session_cache_;
}
SCTAuditingDelegate* sct_auditing_delegate() {
return sct_auditing_delegate_;
}
// Creates a new SSLClientSocket which can then be used to establish an SSL
// connection to |host_and_port| over the already-connected |stream_socket|.
std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
std::unique_ptr<StreamSocket> stream_socket,
const HostPortPair& host_and_port,
const SSLConfig& ssl_config);
// Looks up the client certificate preference for |server|. If one is found,
// returns true and sets |client_cert| and |private_key| to the certificate
// and key. Note these may be null if the preference is to continue with no
// client certificate. Returns false if no preferences are configured,
// which means client certificate requests should be reported as
// ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
bool GetClientCertificate(const HostPortPair& server,
scoped_refptr<X509Certificate>* client_cert,
scoped_refptr<SSLPrivateKey>* private_key);
// Configures all subsequent connections to |server| to authenticate with
// |client_cert| and |private_key| when requested. If there is already a
// client certificate for |server|, it will be overwritten. |client_cert| and
// |private_key| may be null to indicate that no client certificate should be
// sent to |server|.
//
// Note this method will synchronously call OnSSLConfigForServerChanged() on
// observers.
void SetClientCertificate(const HostPortPair& server,
scoped_refptr<X509Certificate> client_cert,
scoped_refptr<SSLPrivateKey> private_key);
// Clears a client certificate preference for |server| set by
// SetClientCertificate(). Returns true if one was removed and false
// otherwise.
//
// Note this method will synchronously call OnSSLConfigForServerChanged() on
// observers.
bool ClearClientCertificate(const HostPortPair& server);
// Add an observer to be notified when configuration has changed.
// RemoveObserver() must be called before |observer| is destroyed.
void AddObserver(Observer* observer);
// Remove an observer added with AddObserver().
void RemoveObserver(Observer* observer);
// SSLConfigService::Observer:
void OnSSLContextConfigChanged() override;
// CertDatabase::Observer:
void OnCertDBChanged() override;
private:
void NotifySSLConfigChanged(bool is_cert_database_change);
void NotifySSLConfigForServerChanged(const HostPortPair& server);
SSLContextConfig config_;
SSLConfigService* ssl_config_service_;
CertVerifier* cert_verifier_;
TransportSecurityState* transport_security_state_;
CTPolicyEnforcer* ct_policy_enforcer_;
SSLClientSessionCache* ssl_client_session_cache_;
SCTAuditingDelegate* sct_auditing_delegate_;
SSLClientAuthCache ssl_client_auth_cache_;
base::ObserverList<Observer, true /* check_empty */> observers_;
DISALLOW_COPY_AND_ASSIGN(SSLClientContext);
};
} // namespace net
#endif // NET_SOCKET_SSL_CLIENT_SOCKET_H_