blob: f523e26f264072c378fd3de11811cde045a66620 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <stdint.h>
#include <string>
#include "base/gtest_prod_util.h"
#include "base/strings/string_piece.h"
#include "net/base/completion_callback.h"
#include "net/base/load_flags.h"
#include "net/base/net_errors.h"
#include "net/base/net_export.h"
#include "net/socket/ssl_socket.h"
#include "net/socket/stream_socket.h"
#include "net/ssl/token_binding.h"
namespace base {
class FilePath;
class SequencedTaskRunner;
namespace crypto {
class ECPrivateKey;
namespace net {
class CTPolicyEnforcer;
class CertVerifier;
class ChannelIDService;
class CTVerifier;
class SSLCertRequestInfo;
struct SSLConfig;
class SSLInfo;
class TransportSecurityState;
class X509Certificate;
// This struct groups together several fields which are used by various
// classes related to SSLClientSocket.
struct SSLClientSocketContext {
SSLClientSocketContext() = default;
SSLClientSocketContext(CertVerifier* cert_verifier_arg,
ChannelIDService* channel_id_service_arg,
TransportSecurityState* transport_security_state_arg,
CTVerifier* cert_transparency_verifier_arg,
CTPolicyEnforcer* ct_policy_enforcer_arg,
const std::string& ssl_session_cache_shard_arg)
: cert_verifier(cert_verifier_arg),
ssl_session_cache_shard(ssl_session_cache_shard_arg) {}
CertVerifier* cert_verifier = nullptr;
ChannelIDService* channel_id_service = nullptr;
TransportSecurityState* transport_security_state = nullptr;
CTVerifier* cert_transparency_verifier = nullptr;
CTPolicyEnforcer* ct_policy_enforcer = nullptr;
// ssl_session_cache_shard is an opaque string that identifies a shard of the
// SSL session cache. SSL sockets with the same ssl_session_cache_shard may
// resume each other's SSL sessions but we'll never sessions between shards.
const std::string ssl_session_cache_shard;
// A client socket that uses SSL as the transport layer.
// NOTE: The SSL handshake occurs within the Connect method after a TCP
// connection is established. If a SSL error occurs during the handshake,
// Connect will fail.
class NET_EXPORT SSLClientSocket : public SSLSocket {
// Gets the SSL CertificateRequest info of the socket after Connect failed
virtual void GetSSLCertRequestInfo(
SSLCertRequestInfo* cert_request_info) = 0;
// Log SSL key material to |path| on |task_runner|. Must be called before any
// SSLClientSockets are created.
// TODO(davidben): Switch this to a parameter on the SSLClientSocketContext
// once is resolved. This will require splitting
// SSLKeyLogger into an interface, built with OS_NACL and a non-NaCl
// SSLKeyLoggerImpl.
static void SetSSLKeyLogFile(
const base::FilePath& path,
const scoped_refptr<base::SequencedTaskRunner>& task_runner);
// Returns true if |error| is OK or |load_flags| ignores certificate errors
// and |error| is a certificate error.
static bool IgnoreCertError(int error, int load_flags);
// ClearSessionCache clears the SSL session cache, used to resume SSL
// sessions.
static void ClearSessionCache();
// Returns the ChannelIDService used by this socket, or NULL if
// channel ids are not supported.
virtual ChannelIDService* GetChannelIDService() const = 0;
// Generates the signature used in Token Binding using key |*key| and for a
// Token Binding of type |tb_type|, putting the signature in |*out|. Returns a
// net error code.
virtual Error GetTokenBindingSignature(crypto::ECPrivateKey* key,
TokenBindingType tb_type,
std::vector<uint8_t>* out) = 0;
// This method is only for debugging and will be removed when
// that bug is closed. This returns the channel ID key that was used when
// establishing the connection (or NULL if no channel ID was used).
virtual crypto::ECPrivateKey* GetChannelIDKey() const = 0;
// Returns true if the CECPQ1 (experimental post-quantum) experiment is
// enabled. This should be removed after the experiment is ended, around
// 2017-18.
static bool IsPostQuantumExperimentEnabled();
void set_signed_cert_timestamps_received(
bool signed_cert_timestamps_received) {
signed_cert_timestamps_received_ = signed_cert_timestamps_received;
void set_stapled_ocsp_response_received(bool stapled_ocsp_response_received) {
stapled_ocsp_response_received_ = stapled_ocsp_response_received;
// Serialize |next_protos| in the wire format for ALPN and NPN: protocols are
// listed in order, each prefixed by a one-byte length.
static std::vector<uint8_t> SerializeNextProtos(
const NextProtoVector& next_protos);
FRIEND_TEST_ALL_PREFIXES(SSLClientSocket, SerializeNextProtos);
// For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.
// True if SCTs were received via a TLS extension.
bool signed_cert_timestamps_received_;
// True if a stapled OCSP response was received.
bool stapled_ocsp_response_received_;
} // namespace net