Move SSL layer initialization into ChannelAuthenticator implementations.

remoting/protocol/pepper_stream_channel.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/protocol/pepper_stream_channel.h"
 
 #include "base/bind.h"
 #include "crypto/hmac.h"
 #include "jingle/glue/utils.h"
 #include "net/base/cert_status_flags.h"
@@ skipping 17 matching lines @@
 
 // Value is choosen to balance the extra latency against the reduced
 // load due to ACK traffic.
 const int kTcpAckDelayMilliseconds = 10;
 
 // Values for the TCP send and receive buffer size. This should be tuned to
 // accomodate high latency network but not backlog the decoding pipeline.
 const int kTcpReceiveBufferSize = 256 * 1024;
 const int kTcpSendBufferSize = kTcpReceiveBufferSize + 30 * 1024;
 
-// Helper method to create a SSL client socket.
-net::SSLClientSocket* CreateSSLClientSocket(
-    net::StreamSocket* socket, const std::string& der_cert,
-    net::CertVerifier* cert_verifier) {
-  net::SSLConfig ssl_config;
-
-  // Certificate provided by the host doesn't need authority.
-  net::SSLConfig::CertAndStatus cert_and_status;
-  cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID;
-  cert_and_status.der_cert = der_cert;
-  ssl_config.allowed_bad_certs.push_back(cert_and_status);
-
-  // Revocation checking is not needed because we use self-signed
-  // certs. Disable it so that SSL layer doesn't try to initialize
-  // OCSP (OCSP works only on IO thread).
-  ssl_config.rev_checking_enabled = false;
-
-  // SSLClientSocket takes ownership of the |socket|.
-  net::HostPortPair host_and_port("chromoting", 0);
-  net::SSLClientSocketContext context;
-  context.cert_verifier = cert_verifier;
-  net::SSLClientSocket* ssl_socket =
-      net::ClientSocketFactory::GetDefaultFactory()->CreateSSLClientSocket(
-          socket, host_and_port, ssl_config, NULL, context);
-  return ssl_socket;
-}
-
 }  // namespace
 
 PepperStreamChannel::PepperStreamChannel(
     PepperSession* session,
     const std::string& name,
     const Session::StreamChannelCallback& callback)
     : session_(session),
       name_(name),
       callback_(callback),
       channel_(NULL),
       connected_(false),
-      ssl_client_socket_(NULL),
       ALLOW_THIS_IN_INITIALIZER_LIST(p2p_connect_callback_(
-          this, &PepperStreamChannel::OnP2PConnect)),
-      ALLOW_THIS_IN_INITIALIZER_LIST(ssl_connect_callback_(
-          this, &PepperStreamChannel::OnSSLConnect)) {
+          this, &PepperStreamChannel::OnP2PConnect)) {
 }
 
 PepperStreamChannel::~PepperStreamChannel() {
   session_->OnDeleteChannel(this);
   // Verify that the |channel_| is ether destroyed or we own it.
   DCHECK_EQ(channel_, owned_channel_.get());
   // Channel should be already destroyed if we were connected.
   DCHECK(!connected_ || channel_ == NULL);
 }
 
 void PepperStreamChannel::Connect(pp::Instance* pp_instance,
                                   const TransportConfig& transport_config,
-                                  const std::string& remote_cert) {
+                                  ChannelAuthenticator* authenticator) {
   DCHECK(CalledOnValidThread());
 
-  remote_cert_ = remote_cert;
+  authenticator_.reset(authenticator);
 
   pp::Transport_Dev* transport =
       new pp::Transport_Dev(pp_instance, name_.c_str(),
                             PP_TRANSPORTTYPE_STREAM);
 
   if (transport->SetProperty(PP_TRANSPORTPROPERTY_TCP_RECEIVE_WINDOW,
                              pp::Var(kTcpReceiveBufferSize)) != PP_OK) {
     LOG(ERROR) << "Failed to set TCP receive window";
   }
   if (transport->SetProperty(PP_TRANSPORTPROPERTY_TCP_SEND_WINDOW,
@@ skipping 83 matching lines @@
   cricket::Candidate candidate_value;
   if (!jingle_glue::DeserializeP2PCandidate(candidate, &candidate_value)) {
     LOG(ERROR) << "Failed to parse candidate " << candidate;
   }
   session_->AddLocalCandidate(candidate_value);
 }
 
 void PepperStreamChannel::OnP2PConnect(int result) {
   DCHECK(CalledOnValidThread());
 
-  if (result != net::OK || !EstablishSSLConnection())
+  if (result != net::OK)
     NotifyConnectFailed();
+
+  authenticator_->SecureAndAuthenticate(owned_channel_.release(), base::Bind(
+      &PepperStreamChannel::OnAuthenticationDone, base::Unretained(this)));
 }
 
-bool PepperStreamChannel::EstablishSSLConnection() {
+
+void PepperStreamChannel::OnAuthenticationDone(
+    net::Error error, net::StreamSocket* socket) {
   DCHECK(CalledOnValidThread());
-
-  cert_verifier_.reset(new net::CertVerifier());
-
-  // Create client SSL socket.
-  ssl_client_socket_ = CreateSSLClientSocket(
-      owned_channel_.release(), remote_cert_, cert_verifier_.get());
-  socket_.reset(ssl_client_socket_);
-
-  int result = ssl_client_socket_->Connect(&ssl_connect_callback_);
-
-  if (result == net::ERR_IO_PENDING) {
-    return true;
-  } else if (result != net::OK) {
-    LOG(ERROR) << "Failed to establish SSL connection";
-    return false;
-  }
-
-  // Reach here if net::OK is received.
-  ssl_connect_callback_.Run(net::OK);
-  return true;
-}
-
-void PepperStreamChannel::OnSSLConnect(int result) {
-  DCHECK(CalledOnValidThread());
-
-  if (result != net::OK) {
-    LOG(ERROR) << "Error during SSL connection: " << result;
+  if (error != net::OK) {
     NotifyConnectFailed();
     return;
   }
 
-  DCHECK(socket_->IsConnected());
-  AuthenticateChannel();
-}
-
-void PepperStreamChannel::AuthenticateChannel() {
-  DCHECK(CalledOnValidThread());
-
-  authenticator_.reset(
-      new ClientChannelAuthenticator(session_->shared_secret()));
-  authenticator_->Authenticate(ssl_client_socket_, base::Bind(
-      &PepperStreamChannel::OnAuthenticationDone, base::Unretained(this)));
-}
-
-void PepperStreamChannel::OnAuthenticationDone(
-    ChannelAuthenticator::Result result) {
-  DCHECK(CalledOnValidThread());
-
-  switch (result) {
-    case ChannelAuthenticator::SUCCESS:
-      NotifyConnected(socket_.release());
-      break;
-
-    case ChannelAuthenticator::FAILURE:
-      NotifyConnectFailed();
-      break;
-  }
+  NotifyConnected(socket);
 }
 
 void PepperStreamChannel::NotifyConnected(net::StreamSocket* socket) {
   DCHECK(!connected_);
   callback_.Run(socket);
   connected_ = true;
 }
 
 void PepperStreamChannel::NotifyConnectFailed() {
   channel_ = NULL;
   owned_channel_.reset();
-  socket_.reset();
+  authenticator_.reset();
 
   NotifyConnected(NULL);
 }
 
 }  // namespace protocol
 }  // namespace remoting