| Index: net/socket/ssl_client_socket_nss.h
|
| diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
|
| index 3dd3538e5096819694dccfbd7caf376ce6bd61a1..250feaaf362a1ddc7cf73d2945ecc861a4b252f7 100644
|
| --- a/net/socket/ssl_client_socket_nss.h
|
| +++ b/net/socket/ssl_client_socket_nss.h
|
| @@ -30,6 +30,10 @@
|
| #include "net/base/x509_certificate.h"
|
| #include "net/socket/ssl_client_socket.h"
|
|
|
| +namespace base {
|
| +class SingleThreadTaskRunner;
|
| +}
|
| +
|
| namespace net {
|
|
|
| class BoundNetLog;
|
| @@ -50,7 +54,14 @@ class SSLClientSocketNSS : public SSLClientSocket {
|
| // authentication is requested, the host_and_port field of SSLCertRequestInfo
|
| // will be populated with |host_and_port|. |ssl_config| specifies
|
| // the SSL settings.
|
| - SSLClientSocketNSS(ClientSocketHandle* transport_socket,
|
| + //
|
| + // Because calls to NSS may block, such as due to needing to access slow
|
| + // hardware or needing to synchronously unlock protected tokens, calls to
|
| + // NSS may optionally be run on a dedicated thread. If synchronous/blocking
|
| + // behaviour is desired, for performance or compatibility, the current task
|
| + // runner should be supplied instead.
|
| + SSLClientSocketNSS(base::SingleThreadTaskRunner* nss_task_runner,
|
| + ClientSocketHandle* transport_socket,
|
| const HostPortPair& host_and_port,
|
| const SSLConfig& ssl_config,
|
| SSLHostInfo* ssl_host_info,
|
| @@ -96,17 +107,22 @@ class SSLClientSocketNSS : public SSLClientSocket {
|
| virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE;
|
|
|
| private:
|
| + // Helper class to handle marshalling any NSS interaction to and from the
|
| + // NSS and network task runners. Not every call needs to happen on the Core
|
| + class Core;
|
| +
|
| enum State {
|
| STATE_NONE,
|
| STATE_LOAD_SSL_HOST_INFO,
|
| STATE_HANDSHAKE,
|
| - STATE_GET_DOMAIN_BOUND_CERT_COMPLETE,
|
| + STATE_HANDSHAKE_COMPLETE,
|
| STATE_VERIFY_DNSSEC,
|
| STATE_VERIFY_CERT,
|
| STATE_VERIFY_CERT_COMPLETE,
|
| };
|
|
|
| int Init();
|
| + void InitCore();
|
|
|
| // Initializes NSS SSL options. Returns a net error code.
|
| int InitializeSSLOptions();
|
| @@ -114,177 +130,65 @@ class SSLClientSocketNSS : public SSLClientSocket {
|
| // Initializes the socket peer name in SSL. Returns a net error code.
|
| int InitializeSSLPeerName();
|
|
|
| - void UpdateServerCert();
|
| - void UpdateConnectionStatus();
|
| - void DoReadCallback(int result);
|
| - void DoWriteCallback(int result);
|
| void DoConnectCallback(int result);
|
| void OnHandshakeIOComplete(int result);
|
| - void OnSendComplete(int result);
|
| - void OnRecvComplete(int result);
|
|
|
| - int DoHandshakeLoop(int last_io_result);
|
| - int DoReadLoop(int result);
|
| - int DoWriteLoop(int result);
|
| -
|
| - bool LoadSSLHostInfo();
|
| + void LoadSSLHostInfo();
|
| int DoLoadSSLHostInfo();
|
|
|
| + int DoHandshakeLoop(int last_io_result);
|
| int DoHandshake();
|
| -
|
| - // ImportDBCertAndKey is a helper function for turning a DER-encoded cert and
|
| - // key into a CERTCertificate and SECKEYPrivateKey. Returns OK upon success
|
| - // and an error code otherwise.
|
| - // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been
|
| - // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller
|
| - // takes ownership of the |*cert| and |*key|.
|
| - int ImportDBCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key);
|
| - int DoGetDBCertComplete(int result);
|
| + int DoHandshakeComplete(int result);
|
| int DoVerifyDNSSEC(int result);
|
| int DoVerifyCert(int result);
|
| int DoVerifyCertComplete(int result);
|
| - int DoPayloadRead();
|
| - int DoPayloadWrite();
|
| - void LogConnectionTypeMetrics() const;
|
| void SaveSSLHostInfo();
|
|
|
| - bool DoTransportIO();
|
| - int BufferSend();
|
| - void BufferSendComplete(int result);
|
| - int BufferRecv();
|
| - void BufferRecvComplete(int result);
|
| -
|
| - // Handles an NSS error generated while handshaking or performing IO.
|
| - // Returns a network error code mapped from the original NSS error.
|
| - int HandleNSSError(PRErrorCode error, bool handshake_error);
|
| -
|
| - // NSS calls this when checking certificates. We pass 'this' as the first
|
| - // argument.
|
| - static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket,
|
| - PRBool checksig, PRBool is_server);
|
| - // Returns true if connection negotiated the domain bound cert extension.
|
| - static bool DomainBoundCertNegotiated(PRFileDesc* socket);
|
| - // Domain bound cert client auth handler.
|
| - // Returns the value the ClientAuthHandler function should return.
|
| - SECStatus DomainBoundClientAuthHandler(
|
| - const SECItem* cert_types,
|
| - CERTCertificate** result_certificate,
|
| - SECKEYPrivateKey** result_private_key);
|
| -#if defined(NSS_PLATFORM_CLIENT_AUTH)
|
| - // On platforms where we use the native certificate store, NSS calls this
|
| - // instead when client authentication is requested. At most one of
|
| - // (result_certs, result_private_key) or
|
| - // (result_nss_certificate, result_nss_private_key) should be set.
|
| - static SECStatus PlatformClientAuthHandler(
|
| - void* arg,
|
| - PRFileDesc* socket,
|
| - CERTDistNames* ca_names,
|
| - CERTCertList** result_certs,
|
| - void** result_private_key,
|
| - CERTCertificate** result_nss_certificate,
|
| - SECKEYPrivateKey** result_nss_private_key);
|
| -#else
|
| - // NSS calls this when client authentication is requested.
|
| - static SECStatus ClientAuthHandler(void* arg,
|
| - PRFileDesc* socket,
|
| - CERTDistNames* ca_names,
|
| - CERTCertificate** result_certificate,
|
| - SECKEYPrivateKey** result_private_key);
|
| -#endif
|
| - // Record histograms for DBC support. The histogram will only be updated if
|
| - // this socket did a full handshake.
|
| - void RecordDomainBoundCertSupport() const;
|
| -
|
| - // NSS calls this when handshake is completed. We pass 'this' as the second
|
| - // argument.
|
| - static void HandshakeCallback(PRFileDesc* socket, void* arg);
|
| -
|
| - static SECStatus NextProtoCallback(void* arg,
|
| - PRFileDesc* fd,
|
| - const unsigned char* protos,
|
| - unsigned int protos_len,
|
| - unsigned char* proto_out,
|
| - unsigned int* proto_out_len,
|
| - unsigned int proto_max_len);
|
| + void LogConnectionTypeMetrics() const;
|
|
|
| // The following methods are for debugging bug 65948. Will remove this code
|
| // after fixing bug 65948.
|
| void EnsureThreadIdAssigned() const;
|
| bool CalledOnValidThread() const;
|
|
|
| - bool transport_send_busy_;
|
| - bool transport_recv_busy_;
|
| - bool transport_recv_eof_;
|
| - scoped_refptr<IOBuffer> recv_buffer_;
|
| -
|
| + // The task runner used to perform NSS operations.
|
| + scoped_refptr<base::SingleThreadTaskRunner> nss_task_runner_;
|
| scoped_ptr<ClientSocketHandle> transport_;
|
| HostPortPair host_and_port_;
|
| SSLConfig ssl_config_;
|
|
|
| + scoped_refptr<Core> core_;
|
| +
|
| CompletionCallback user_connect_callback_;
|
| - CompletionCallback user_read_callback_;
|
| - CompletionCallback user_write_callback_;
|
| -
|
| - // Used by Read function.
|
| - scoped_refptr<IOBuffer> user_read_buf_;
|
| - int user_read_buf_len_;
|
| -
|
| - // Used by Write function.
|
| - scoped_refptr<IOBuffer> user_write_buf_;
|
| - int user_write_buf_len_;
|
| -
|
| - // Set when handshake finishes. The server certificate is first received
|
| - // from NSS as an NSS certificate handle (server_cert_nss_), and then
|
| - // converted into an X509Certificate object (server_cert_).
|
| - scoped_refptr<X509Certificate> server_cert_;
|
| - CERTCertificate* server_cert_nss_;
|
| +
|
| // |server_cert_verify_result_| points at the verification result, which may,
|
| // or may not be, |&local_server_cert_verify_result_|, depending on whether
|
| // we used an SSLHostInfo's verification.
|
| const CertVerifyResult* server_cert_verify_result_;
|
| CertVerifyResult local_server_cert_verify_result_;
|
| std::vector<SHA1Fingerprint> side_pinned_public_keys_;
|
| - int ssl_connection_status_;
|
| -
|
| - // Stores client authentication information between ClientAuthHandler and
|
| - // GetSSLCertRequestInfo calls.
|
| - std::vector<scoped_refptr<X509Certificate> > client_certs_;
|
| - bool client_auth_cert_needed_;
|
|
|
| CertVerifier* const cert_verifier_;
|
| scoped_ptr<SingleRequestCertVerifier> verifier_;
|
|
|
| // For domain bound certificates in client auth.
|
| - bool domain_bound_cert_xtn_negotiated_;
|
| ServerBoundCertService* server_bound_cert_service_;
|
| - SSLClientCertType domain_bound_cert_type_;
|
| - std::string domain_bound_private_key_;
|
| - std::string domain_bound_cert_;
|
| - ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_;
|
| -
|
| - // True if NSS has called HandshakeCallback.
|
| - bool handshake_callback_called_;
|
| -
|
| - // True if the SSL handshake has been completed.
|
| - bool completed_handshake_;
|
|
|
| // ssl_session_cache_shard_ is an opaque string that partitions the SSL
|
| // session cache. i.e. sessions created with one value will not attempt to
|
| // resume on the socket with a different value.
|
| const std::string ssl_session_cache_shard_;
|
|
|
| - // True iff |ssl_host_info_| contained a predicted certificate chain and
|
| - // that we found the prediction to be correct.
|
| - bool predicted_cert_chain_correct_;
|
| + // True if the SSL handshake has been completed.
|
| + bool completed_handshake_;
|
|
|
| State next_handshake_state_;
|
|
|
| - // The NSS SSL state machine
|
| + // The NSS SSL state machine. This is owned by |core_|.
|
| + // TODO(rsleevi): http://crbug.com/130616 - Remove this member once
|
| + // ExportKeyingMaterial is updated to be asynchronous.
|
| PRFileDesc* nss_fd_;
|
|
|
| - // Buffers for the network end of the SSL state machine
|
| - memio_Private* nss_bufs_;
|
| -
|
| BoundNetLog net_log_;
|
|
|
| base::TimeTicks start_cert_verification_time_;
|
| @@ -293,12 +197,6 @@ class SSLClientSocketNSS : public SSLClientSocket {
|
|
|
| TransportSecurityState* transport_security_state_;
|
|
|
| - // next_proto_ is the protocol that we selected by NPN.
|
| - std::string next_proto_;
|
| - NextProtoStatus next_proto_status_;
|
| - // Server's NPN advertised protocols.
|
| - std::string server_protos_;
|
| -
|
| // The following two variables are added for debugging bug 65948. Will
|
| // remove this code after fixing bug 65948.
|
| // Added the following code Debugging in release mode.
|
|
|
Chromium Code Reviews
Issue 10454066:
Move the core state machine of SSLClientSocketNSS into a thread-safe Core (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src