// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef NET_SOCKET_SSL_CLIENT_SOCKET_H_
#define NET_SOCKET_SSL_CLIENT_SOCKET_H_

#include <stdint.h>

#include <memory>
#include <vector>

#include "base/containers/flat_set.h"
#include "base/gtest_prod_util.h"
#include "base/memory/raw_ptr.h"
#include "base/observer_list.h"
#include "net/base/net_export.h"
#include "net/cert/cert_database.h"
#include "net/cert/cert_verifier.h"
#include "net/socket/ssl_socket.h"
#include "net/ssl/ssl_client_auth_cache.h"
#include "net/ssl/ssl_config_service.h"

namespace net {

class HostPortPair;
class SCTAuditingDelegate;
class SSLClientSessionCache;
struct SSLConfig;
class SSLKeyLogger;
class StreamSocket;
class TransportSecurityState;

// A client socket that uses SSL as the transport layer.
//
// NOTE: The SSL handshake occurs within the Connect method after a TCP
// connection is established. If a SSL error occurs during the handshake,
// Connect will fail.
//
// This is the abstract interface; the concrete implementation lives
// elsewhere. Instances are obtained from SSLClientContext, which supplies
// the certificate verifier, transport security state and session cache the
// socket uses.
class NET_EXPORT SSLClientSocket : public SSLSocket {
 public:
  SSLClientSocket();

  // Called in response to |ERR_ECH_NOT_NEGOTIATED| in Connect(), to determine
  // how to retry the connection, up to some limit. If this method returns a
  // non-empty vector, it is the serialized updated ECHConfigList (the "retry
  // configs") provided by the server. The connection can be retried with the
  // new value. If it returns an empty vector, the server has indicated ECH
  // has been disabled. The connection can be retried with ECH disabled.
  //
  // The retry limit is left to the caller: the returned configs come from the
  // peer, so the caller must bound the number of retries rather than retry
  // until the server stops returning new configs.
  virtual std::vector<uint8_t> GetECHRetryConfigs() = 0;

  // Log SSL key material to |logger|. Must be called before any
  // SSLClientSockets are created.
  //
  // SECURITY: this is a static, process-wide hook. The logger receives the
  // key material of every TLS session this process establishes, and anyone
  // who can read its output can decrypt captured traffic for those sessions.
  // It exists for debugging (e.g. SSLKEYLOGFILE-style capture) and must not
  // be enabled in production or written somewhere other users or processes
  // can read.
  //
  // TODO(davidben): Switch this to a parameter on the SSLClientSocketContext
  // once https://crbug.com/458365 is resolved.
  static void SetSSLKeyLogger(std::unique_ptr<SSLKeyLogger> logger);

 protected:
  // Records whether SCTs were delivered via the TLS extension. Protected so
  // that only the concrete implementation can set it.
  void set_signed_cert_timestamps_received(
      bool signed_cert_timestamps_received) {
    signed_cert_timestamps_received_ = signed_cert_timestamps_received;
  }

  // Records whether the server stapled an OCSP response. Protected so that
  // only the concrete implementation can set it.
  void set_stapled_ocsp_response_received(bool stapled_ocsp_response_received) {
    stapled_ocsp_response_received_ = stapled_ocsp_response_received;
  }

  // Serialize |next_protos| in the wire format for ALPN: protocols are listed
  // in order, each prefixed by a one-byte length. The one-byte prefix means a
  // protocol name longer than 255 bytes cannot be represented; how such names
  // are handled is decided by the implementation, which is not in this header.
  static std::vector<uint8_t> SerializeNextProtos(
      const NextProtoVector& next_protos);

 private:
  FRIEND_TEST_ALL_PREFIXES(SSLClientSocket, SerializeNextProtos);
  // For signed_cert_timestamps_received_ and stapled_ocsp_response_received_.
  FRIEND_TEST_ALL_PREFIXES(SSLClientSocketVersionTest,
                           ConnectSignedCertTimestampsTLSExtension);
  FRIEND_TEST_ALL_PREFIXES(SSLClientSocketVersionTest,
                           ConnectSignedCertTimestampsEnablesOCSP);

  // True if SCTs were received via a TLS extension.
  bool signed_cert_timestamps_received_ = false;
  // True if a stapled OCSP response was received.
  bool stapled_ocsp_response_received_ = false;
};

// Shared state and configuration across multiple SSLClientSockets.
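// The context observes the SSLConfigService, the CertVerifier and the
// CertDatabase it is built with, and fans their change notifications out to
// its own observers. It holds only non-owning pointers to those
// collaborators (see the constructor comment on lifetime).
class NET_EXPORT SSLClientContext : public SSLConfigService::Observer,
                                    public CertVerifier::Observer,
                                    public CertDatabase::Observer {
 public:
  // Which underlying source triggered an all-hosts configuration change.
  enum class SSLConfigChangeType {
    kSSLConfigChanged,
    kCertDatabaseChanged,
    kCertVerifierChanged,
  };

  class NET_EXPORT Observer : public base::CheckedObserver {
   public:
    // Called when SSL configuration for all hosts changed. Newly-created
    // SSLClientSockets will pick up the new configuration. Note that changes
    // which only apply to one server will result in a call to
    // OnSSLConfigForServersChanged() instead.
    virtual void OnSSLConfigChanged(SSLConfigChangeType change_type) = 0;
    // Called when SSL configuration for |servers| changed. Newly-created
    // SSLClientSockets to any server in |servers| will pick up the new
    // configuration.
    virtual void OnSSLConfigForServersChanged(
        const base::flat_set<HostPortPair>& servers) = 0;
  };

  // Creates a new SSLClientContext with the specified parameters. The
  // SSLClientContext may not outlive the input parameters: they are stored as
  // raw (non-owning) pointers, so the caller owns them and must keep them
  // alive for the whole lifetime of this object.
  //
  // |ssl_config_service| may be null to always use the default
  // SSLContextConfig. |ssl_client_session_cache| may be null to disable session
  // caching. |sct_auditing_delegate| may be null to disable SCT auditing.
  SSLClientContext(SSLConfigService* ssl_config_service,
                   CertVerifier* cert_verifier,
                   TransportSecurityState* transport_security_state,
                   SSLClientSessionCache* ssl_client_session_cache,
                   SCTAuditingDelegate* sct_auditing_delegate);

  SSLClientContext(const SSLClientContext&) = delete;
  SSLClientContext& operator=(const SSLClientContext&) = delete;

  ~SSLClientContext() override;

  // Accessors. All are const-qualified: they hand out references or
  // non-owning pointers to state the context does not mutate on read, so a
  // const SSLClientContext can be queried as well.
  //
  // The reference returned by config() is to a member of this object and is
  // valid only while the context lives; its contents are presumably replaced
  // when OnSSLContextConfigChanged() fires (the update happens in the
  // implementation, not visible here), so do not cache it across
  // configuration changes.
  const SSLContextConfig& config() const { return config_; }
  SSLConfigService* ssl_config_service() const { return ssl_config_service_; }
  CertVerifier* cert_verifier() const { return cert_verifier_; }
  TransportSecurityState* transport_security_state() const {
    return transport_security_state_;
  }
  SSLClientSessionCache* ssl_client_session_cache() const {
    return ssl_client_session_cache_;
  }
  SCTAuditingDelegate* sct_auditing_delegate() const {
    return sct_auditing_delegate_;
  }

  // Creates a new SSLClientSocket which can then be used to establish an SSL
  // connection to |host_and_port| over the already-connected |stream_socket|.
  // Ownership of |stream_socket| passes to the returned socket.
  std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
      std::unique_ptr<StreamSocket> stream_socket,
      const HostPortPair& host_and_port,
      const SSLConfig& ssl_config);

  // Looks up the client certificate preference for |server|. If one is found,
  // returns true and sets |client_cert| and |private_key| to the certificate
  // and key. Note these may be null if the preference is to continue with no
  // client certificate. Returns false if no preferences are configured,
  // which means client certificate requests should be reported as
  // ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
  //
  // Callers must therefore distinguish "true with null outputs" (the user
  // chose to send no certificate; proceed without one) from "false" (no
  // decision recorded yet; surface the request).
  bool GetClientCertificate(const HostPortPair& server,
                            scoped_refptr<X509Certificate>* client_cert,
                            scoped_refptr<SSLPrivateKey>* private_key);

  // Configures all subsequent connections to |server| to authenticate with
  // |client_cert| and |private_key| when requested. If there is already a
  // client certificate for |server|, it will be overwritten. |client_cert| and
  // |private_key| may be null to indicate that no client certificate should be
  // sent to |server|.
  //
  // The preference is keyed by host and port, so it does not leak to other
  // ports on the same host or to other hosts.
  //
  // Note this method will synchronously call OnSSLConfigForServersChanged() on
  // observers.
  void SetClientCertificate(const HostPortPair& server,
                            scoped_refptr<X509Certificate> client_cert,
                            scoped_refptr<SSLPrivateKey> private_key);

  // Clears a client certificate preference for |server| set by
  // SetClientCertificate(). Returns true if one was removed and false
  // otherwise.
  //
  // Note this method will synchronously call OnSSLConfigForServersChanged() on
  // observers.
  bool ClearClientCertificate(const HostPortPair& server);

  // Clears a client certificate preference for |host| set by
  // SetClientCertificate() if |certificate| doesn't match the cached
  // certificate.
  //
  // Note this method will synchronously call OnSSLConfigForServersChanged() on
  // observers.
  void ClearClientCertificateIfNeeded(
      const HostPortPair& host,
      const scoped_refptr<X509Certificate>& certificate);

  // Clears a client certificate preference, set by SetClientCertificate(),
  // for all hosts whose cached certificate matches |certificate|.
  //
  // Note this method will synchronously call OnSSLConfigForServersChanged() on
  // observers.
  void ClearMatchingClientCertificate(
      const scoped_refptr<X509Certificate>& certificate);

  // Test-only view of which servers currently have a client certificate
  // preference recorded.
  base::flat_set<HostPortPair> GetClientCertificateCachedServersForTesting()
      const {
    return ssl_client_auth_cache_.GetCachedServers();
  }

  // Add an observer to be notified when configuration has changed.
  // RemoveObserver() must be called before |observer| is destroyed.
  void AddObserver(Observer* observer);

  // Remove an observer added with AddObserver().
  void RemoveObserver(Observer* observer);

  // SSLConfigService::Observer:
  void OnSSLContextConfigChanged() override;

  // CertVerifier::Observer:
  void OnCertVerifierChanged() override;

  // CertDatabase::Observer:
  void OnTrustStoreChanged() override;
  void OnClientCertStoreChanged() override;

 private:
  // Fan-out helpers for the two Observer callbacks above.
  void NotifySSLConfigChanged(SSLConfigChangeType change_type);
  void NotifySSLConfigForServersChanged(
      const base::flat_set<HostPortPair>& servers);

  SSLContextConfig config_;

  // Non-owning; see the constructor comment on lifetime.
  raw_ptr<SSLConfigService> ssl_config_service_;
  raw_ptr<CertVerifier> cert_verifier_;
  raw_ptr<TransportSecurityState> transport_security_state_;
  raw_ptr<SSLClientSessionCache> ssl_client_session_cache_;
  raw_ptr<SCTAuditingDelegate> sct_auditing_delegate_;

  // Per-server client certificate preferences (see SetClientCertificate()).
  SSLClientAuthCache ssl_client_auth_cache_;

  // check_empty: presumably base::ObserverList flags observers still
  // registered when this context is destroyed, enforcing the AddObserver()
  // contract above.
  base::ObserverList<Observer, true /* check_empty */> observers_;
};

}  // namespace net

#endif  // NET_SOCKET_SSL_CLIENT_SOCKET_H_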