1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 5 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |
6 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 6 #define NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |
7 #pragma once | 7 #pragma once |
8 | 8 |
9 #include <certt.h> | 9 #include <certt.h> |
10 #include <keyt.h> | 10 #include <keyt.h> |
28 #include "net/base/origin_bound_cert_service.h" | 28 #include "net/base/origin_bound_cert_service.h" |
29 #include "net/base/ssl_config_service.h" | 29 #include "net/base/ssl_config_service.h" |
30 #include "net/base/x509_certificate.h" | 30 #include "net/base/x509_certificate.h" |
31 #include "net/socket/ssl_client_socket.h" | 31 #include "net/socket/ssl_client_socket.h" |
32 | 32 |
33 namespace net { | 33 namespace net { |
34 | 34 |
35 class BoundNetLog; | 35 class BoundNetLog; |
36 class CertVerifier; | 36 class CertVerifier; |
37 class ClientSocketHandle; | 37 class ClientSocketHandle; |
38 class OriginBoundCertService; | 38 class ServerBoundCertService; |
39 class SingleRequestCertVerifier; | 39 class SingleRequestCertVerifier; |
40 class SSLHostInfo; | 40 class SSLHostInfo; |
41 class TransportSecurityState; | 41 class TransportSecurityState; |
42 class X509Certificate; | 42 class X509Certificate; |
43 | 43 |
44 // An SSL client socket implemented with Mozilla NSS. | 44 // An SSL client socket implemented with Mozilla NSS. |
45 class SSLClientSocketNSS : public SSLClientSocket { | 45 class SSLClientSocketNSS : public SSLClientSocket { |
46 public: | 46 public: |
47 // Takes ownership of the |transport_socket|, which must already be connected. | 47 // Takes ownership of the |transport_socket|, which must already be connected. |
48 // The hostname specified in |host_and_port| will be compared with the name(s) | 48 // The hostname specified in |host_and_port| will be compared with the name(s) |
86 | 86 |
87 // Socket implementation. | 87 // Socket implementation. |
88 virtual int Read(IOBuffer* buf, | 88 virtual int Read(IOBuffer* buf, |
89 int buf_len, | 89 int buf_len, |
90 const CompletionCallback& callback) OVERRIDE; | 90 const CompletionCallback& callback) OVERRIDE; |
91 virtual int Write(IOBuffer* buf, | 91 virtual int Write(IOBuffer* buf, |
92 int buf_len, | 92 int buf_len, |
93 const CompletionCallback& callback) OVERRIDE; | 93 const CompletionCallback& callback) OVERRIDE; |
94 virtual bool SetReceiveBufferSize(int32 size) OVERRIDE; | 94 virtual bool SetReceiveBufferSize(int32 size) OVERRIDE; |
95 virtual bool SetSendBufferSize(int32 size) OVERRIDE; | 95 virtual bool SetSendBufferSize(int32 size) OVERRIDE; |
96 virtual OriginBoundCertService* GetOriginBoundCertService() const OVERRIDE; | 96 virtual ServerBoundCertService* GetServerBoundCertService() const OVERRIDE; |
97 | 97 |
98 private: | 98 private: |
99 enum State { | 99 enum State { |
100 STATE_NONE, | 100 STATE_NONE, |
101 STATE_LOAD_SSL_HOST_INFO, | 101 STATE_LOAD_SSL_HOST_INFO, |
102 STATE_HANDSHAKE, | 102 STATE_HANDSHAKE, |
103 STATE_GET_OB_CERT_COMPLETE, | 103 STATE_GET_DOMAIN_BOUND_CERT_COMPLETE, |
104 STATE_VERIFY_DNSSEC, | 104 STATE_VERIFY_DNSSEC, |
105 STATE_VERIFY_CERT, | 105 STATE_VERIFY_CERT, |
106 STATE_VERIFY_CERT_COMPLETE, | 106 STATE_VERIFY_CERT_COMPLETE, |
107 }; | 107 }; |
108 | 108 |
109 int Init(); | 109 int Init(); |
110 | 110 |
111 // Initializes NSS SSL options. Returns a net error code. | 111 // Initializes NSS SSL options. Returns a net error code. |
112 int InitializeSSLOptions(); | 112 int InitializeSSLOptions(); |
113 | 113 |
125 | 125 |
126 int DoHandshakeLoop(int last_io_result); | 126 int DoHandshakeLoop(int last_io_result); |
127 int DoReadLoop(int result); | 127 int DoReadLoop(int result); |
128 int DoWriteLoop(int result); | 128 int DoWriteLoop(int result); |
129 | 129 |
130 bool LoadSSLHostInfo(); | 130 bool LoadSSLHostInfo(); |
131 int DoLoadSSLHostInfo(); | 131 int DoLoadSSLHostInfo(); |
132 | 132 |
133 int DoHandshake(); | 133 int DoHandshake(); |
134 | 134 |
135 // ImportOBCertAndKey is a helper function for turning a DER-encoded cert and | 135 // ImportDBCertAndKey is a helper function for turning a DER-encoded cert and |
136 // key into a CERTCertificate and SECKEYPrivateKey. Returns OK upon success | 136 // key into a CERTCertificate and SECKEYPrivateKey. Returns OK upon success |
137 // and an error code otherwise. | 137 // and an error code otherwise. |
138 // Requires |ob_private_key_| and |ob_cert_| to have been set by a call to | 138 // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been |
139 // OriginBoundCertService->GetOriginBoundCert. The caller takes ownership of | 139 // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller |
140 // the |*cert| and |*key|. | 140 // takes ownership of the |*cert| and |*key|. |
141 int ImportOBCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key); | 141 int ImportDBCertAndKey(CERTCertificate** cert, SECKEYPrivateKey** key); |
142 int DoGetOBCertComplete(int result); | 142 int DoGetDBCertComplete(int result); |
143 int DoVerifyDNSSEC(int result); | 143 int DoVerifyDNSSEC(int result); |
144 int DoVerifyCert(int result); | 144 int DoVerifyCert(int result); |
145 int DoVerifyCertComplete(int result); | 145 int DoVerifyCertComplete(int result); |
146 int DoPayloadRead(); | 146 int DoPayloadRead(); |
147 int DoPayloadWrite(); | 147 int DoPayloadWrite(); |
148 void LogConnectionTypeMetrics() const; | 148 void LogConnectionTypeMetrics() const; |
149 void SaveSSLHostInfo(); | 149 void SaveSSLHostInfo(); |
150 void UncorkAfterTimeout(); | 150 void UncorkAfterTimeout(); |
151 | 151 |
152 bool DoTransportIO(); | 152 bool DoTransportIO(); |
153 int BufferSend(void); | 153 int BufferSend(void); |
154 void BufferSendComplete(int result); | 154 void BufferSendComplete(int result); |
155 int BufferRecv(void); | 155 int BufferRecv(void); |
156 void BufferRecvComplete(int result); | 156 void BufferRecvComplete(int result); |
157 | 157 |
158 // Handles an NSS error generated while handshaking or performing IO. | 158 // Handles an NSS error generated while handshaking or performing IO. |
159 // Returns a network error code mapped from the original NSS error. | 159 // Returns a network error code mapped from the original NSS error. |
160 int HandleNSSError(PRErrorCode error, bool handshake_error); | 160 int HandleNSSError(PRErrorCode error, bool handshake_error); |
161 | 161 |
162 // NSS calls this when checking certificates. We pass 'this' as the first | 162 // NSS calls this when checking certificates. We pass 'this' as the first |
163 // argument. | 163 // argument. |
164 static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket, | 164 static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket, |
165 PRBool checksig, PRBool is_server); | 165 PRBool checksig, PRBool is_server); |
166 // Returns true if connection negotiated the origin bound cert extension. | 166 // Returns true if connection negotiated the domain bound cert extension. |
167 static bool OriginBoundCertNegotiated(PRFileDesc* socket); | 167 static bool DomainBoundCertNegotiated(PRFileDesc* socket); |
168 // Origin bound cert client auth handler. | 168 // Domain bound cert client auth handler. |
169 // Returns the value the ClientAuthHandler function should return. | 169 // Returns the value the ClientAuthHandler function should return. |
170 SECStatus OriginBoundClientAuthHandler( | 170 SECStatus DomainBoundClientAuthHandler( |
171 const SECItem* cert_types, | 171 const SECItem* cert_types, |
172 CERTCertificate** result_certificate, | 172 CERTCertificate** result_certificate, |
173 SECKEYPrivateKey** result_private_key); | 173 SECKEYPrivateKey** result_private_key); |
174 #if defined(NSS_PLATFORM_CLIENT_AUTH) | 174 #if defined(NSS_PLATFORM_CLIENT_AUTH) |
175 // On platforms where we use the native certificate store, NSS calls this | 175 // On platforms where we use the native certificate store, NSS calls this |
176 // instead when client authentication is requested. At most one of | 176 // instead when client authentication is requested. At most one of |
177 // (result_certs, result_private_key) or | 177 // (result_certs, result_private_key) or |
178 // (result_nss_certificate, result_nss_private_key) should be set. | 178 // (result_nss_certificate, result_nss_private_key) should be set. |
179 static SECStatus PlatformClientAuthHandler( | 179 static SECStatus PlatformClientAuthHandler( |
180 void* arg, | 180 void* arg, |
249 int ssl_connection_status_; | 249 int ssl_connection_status_; |
250 | 250 |
251 // Stores client authentication information between ClientAuthHandler and | 251 // Stores client authentication information between ClientAuthHandler and |
252 // GetSSLCertRequestInfo calls. | 252 // GetSSLCertRequestInfo calls. |
253 std::vector<scoped_refptr<X509Certificate> > client_certs_; | 253 std::vector<scoped_refptr<X509Certificate> > client_certs_; |
254 bool client_auth_cert_needed_; | 254 bool client_auth_cert_needed_; |
255 | 255 |
256 CertVerifier* const cert_verifier_; | 256 CertVerifier* const cert_verifier_; |
257 scoped_ptr<SingleRequestCertVerifier> verifier_; | 257 scoped_ptr<SingleRequestCertVerifier> verifier_; |
258 | 258 |
259 // For origin bound certificates in client auth. | 259 // For domain bound certificates in client auth. |
260 bool ob_cert_xtn_negotiated_; | 260 bool domain_bound_cert_xtn_negotiated_; |
261 OriginBoundCertService* origin_bound_cert_service_; | 261 ServerBoundCertService* server_bound_cert_service_; |
262 SSLClientCertType ob_cert_type_; | 262 SSLClientCertType domain_bound_cert_type_; |
263 std::string ob_private_key_; | 263 std::string domain_bound_private_key_; |
264 std::string ob_cert_; | 264 std::string domain_bound_cert_; |
265 OriginBoundCertService::RequestHandle ob_cert_request_handle_; | 265 ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_; |
266 | 266 |
267 // True if NSS has called HandshakeCallback. | 267 // True if NSS has called HandshakeCallback. |
268 bool handshake_callback_called_; | 268 bool handshake_callback_called_; |
269 | 269 |
270 // True if the SSL handshake has been completed. | 270 // True if the SSL handshake has been completed. |
271 bool completed_handshake_; | 271 bool completed_handshake_; |
272 | 272 |
273 // ssl_session_cache_shard_ is an opaque string that partitions the SSL | 273 // ssl_session_cache_shard_ is an opaque string that partitions the SSL |
274 // session cache. i.e. sessions created with one value will not attempt to | 274 // session cache. i.e. sessions created with one value will not attempt to |
275 // resume on the socket with a different value. | 275 // resume on the socket with a different value. |
310 // Added the following code Debugging in release mode. | 310 // Added the following code Debugging in release mode. |
311 mutable base::Lock lock_; | 311 mutable base::Lock lock_; |
312 // This is mutable so that CalledOnValidThread can set it. | 312 // This is mutable so that CalledOnValidThread can set it. |
313 // It's guarded by |lock_|. | 313 // It's guarded by |lock_|. |
314 mutable base::PlatformThreadId valid_thread_id_; | 314 mutable base::PlatformThreadId valid_thread_id_; |
315 }; | 315 }; |
316 | 316 |
317 } // namespace net | 317 } // namespace net |
318 | 318 |
319 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ | 319 #endif // NET_SOCKET_SSL_CLIENT_SOCKET_NSS_H_ |