1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
6#define NET_SOCKET_SSL_CLIENT_SOCKET_H_
7
8#include <string>
9
10#include "base/gtest_prod_util.h"
11#include "net/base/completion_callback.h"
12#include "net/base/load_flags.h"
13#include "net/base/net_errors.h"
14#include "net/socket/ssl_socket.h"
15#include "net/socket/stream_socket.h"
16
17namespace net {
18
19class CertVerifier;
20class CTVerifier;
21class ServerBoundCertService;
22class SSLCertRequestInfo;
23struct SSLConfig;
24class SSLInfo;
25class TransportSecurityState;
26
27// This struct groups together several fields which are used by various
28// classes related to SSLClientSocket.
29struct SSLClientSocketContext {
30  SSLClientSocketContext()
31      : cert_verifier(NULL),
32        server_bound_cert_service(NULL),
33        transport_security_state(NULL),
34        cert_transparency_verifier(NULL) {}
35
36  SSLClientSocketContext(CertVerifier* cert_verifier_arg,
37                         ServerBoundCertService* server_bound_cert_service_arg,
38                         TransportSecurityState* transport_security_state_arg,
39                         CTVerifier* cert_transparency_verifier_arg,
40                         const std::string& ssl_session_cache_shard_arg)
41      : cert_verifier(cert_verifier_arg),
42        server_bound_cert_service(server_bound_cert_service_arg),
43        transport_security_state(transport_security_state_arg),
44        cert_transparency_verifier(cert_transparency_verifier_arg),
45        ssl_session_cache_shard(ssl_session_cache_shard_arg) {}
46
47  CertVerifier* cert_verifier;
48  ServerBoundCertService* server_bound_cert_service;
49  TransportSecurityState* transport_security_state;
50  CTVerifier* cert_transparency_verifier;
51  // ssl_session_cache_shard is an opaque string that identifies a shard of the
52  // SSL session cache. SSL sockets with the same ssl_session_cache_shard may
53  // resume each other's SSL sessions but we'll never sessions between shards.
54  const std::string ssl_session_cache_shard;
55};
56
57// A client socket that uses SSL as the transport layer.
58//
59// NOTE: The SSL handshake occurs within the Connect method after a TCP
60// connection is established.  If a SSL error occurs during the handshake,
61// Connect will fail.
62//
63class NET_EXPORT SSLClientSocket : public SSLSocket {
64 public:
65  SSLClientSocket();
66
67  // Next Protocol Negotiation (NPN) allows a TLS client and server to come to
68  // an agreement about the application level protocol to speak over a
69  // connection.
70  enum NextProtoStatus {
71    // WARNING: These values are serialized to disk. Don't change them.
72
73    kNextProtoUnsupported = 0,  // The server doesn't support NPN.
74    kNextProtoNegotiated = 1,   // We agreed on a protocol.
75    kNextProtoNoOverlap = 2,    // No protocols in common. We requested
76                                // the first protocol in our list.
77  };
78
79  // StreamSocket:
80  virtual bool WasNpnNegotiated() const OVERRIDE;
81  virtual NextProto GetNegotiatedProtocol() const OVERRIDE;
82
83  // Gets the SSL CertificateRequest info of the socket after Connect failed
84  // with ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
85  virtual void GetSSLCertRequestInfo(
86      SSLCertRequestInfo* cert_request_info) = 0;
87
88  // Get the application level protocol that we negotiated with the server.
89  // *proto is set to the resulting protocol (n.b. that the string may have
90  // embedded NULs).
91  //   kNextProtoUnsupported: *proto is cleared.
92  //   kNextProtoNegotiated:  *proto is set to the negotiated protocol.
93  //   kNextProtoNoOverlap:   *proto is set to the first protocol in the
94  //                          supported list.
95  // *server_protos is set to the server advertised protocols.
96  virtual NextProtoStatus GetNextProto(std::string* proto,
97                                       std::string* server_protos) = 0;
98
99  static NextProto NextProtoFromString(const std::string& proto_string);
100
101  static const char* NextProtoToString(NextProto next_proto);
102
103  static const char* NextProtoStatusToString(const NextProtoStatus status);
104
105  // Can be used with the second argument(|server_protos|) of |GetNextProto| to
106  // construct a comma separated string of server advertised protocols.
107  static std::string ServerProtosToString(const std::string& server_protos);
108
109  static bool IgnoreCertError(int error, int load_flags);
110
111  // ClearSessionCache clears the SSL session cache, used to resume SSL
112  // sessions.
113  static void ClearSessionCache();
114
115  virtual bool set_was_npn_negotiated(bool negotiated);
116
117  virtual bool was_spdy_negotiated() const;
118
119  virtual bool set_was_spdy_negotiated(bool negotiated);
120
121  virtual void set_protocol_negotiated(NextProto protocol_negotiated);
122
123  // Returns the ServerBoundCertService used by this socket, or NULL if
124  // server bound certificates are not supported.
125  virtual ServerBoundCertService* GetServerBoundCertService() const = 0;
126
127  // Returns true if a channel ID was sent on this connection.
128  // This may be useful for protocols, like SPDY, which allow the same
129  // connection to be shared between multiple domains, each of which need
130  // a channel ID.
131  //
132  // Public for ssl_client_socket_openssl_unittest.cc.
133  virtual bool WasChannelIDSent() const;
134
135 protected:
136  virtual void set_channel_id_sent(bool channel_id_sent);
137
138  virtual void set_signed_cert_timestamps_received(
139      bool signed_cert_timestamps_received);
140
141  virtual void set_stapled_ocsp_response_received(
142      bool stapled_ocsp_response_received);
143
144  // Records histograms for channel id support during full handshakes - resumed
145  // handshakes are ignored.
146  static void RecordChannelIDSupport(
147      ServerBoundCertService* server_bound_cert_service,
148      bool negotiated_channel_id,
149      bool channel_id_enabled,
150      bool supports_ecc);
151
152  // Returns whether TLS channel ID is enabled.
153  static bool IsChannelIDEnabled(
154      const SSLConfig& ssl_config,
155      ServerBoundCertService* server_bound_cert_service);
156
157 private:
158  // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.
159  FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
160                           ConnectSignedCertTimestampsEnabledTLSExtension);
161  FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
162                           ConnectSignedCertTimestampsEnabledOCSP);
163  FRIEND_TEST_ALL_PREFIXES(SSLClientSocketTest,
164                           ConnectSignedCertTimestampsDisabled);
165
166  // True if NPN was responded to, independent of selecting SPDY or HTTP.
167  bool was_npn_negotiated_;
168  // True if NPN successfully negotiated SPDY.
169  bool was_spdy_negotiated_;
170  // Protocol that we negotiated with the server.
171  NextProto protocol_negotiated_;
172  // True if a channel ID was sent.
173  bool channel_id_sent_;
174  // True if SCTs were received via a TLS extension.
175  bool signed_cert_timestamps_received_;
176  // True if a stapled OCSP response was received.
177  bool stapled_ocsp_response_received_;
178};
179
180}  // namespace net
181
182#endif  // NET_SOCKET_SSL_CLIENT_SOCKET_H_
183