| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" | 5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "base/logging.h" |
| 9 #include "crypto/secure_util.h" | 10 #include "crypto/secure_util.h" |
| 10 #include "net/base/host_port_pair.h" | 11 #include "net/base/host_port_pair.h" |
| 11 #include "net/base/io_buffer.h" | 12 #include "net/base/io_buffer.h" |
| 12 #include "net/base/net_errors.h" | 13 #include "net/base/net_errors.h" |
| 14 #include "net/cert/cert_status_flags.h" |
| 15 #include "net/cert/cert_verifier.h" |
| 13 #include "net/cert/x509_certificate.h" | 16 #include "net/cert/x509_certificate.h" |
| 14 #include "net/http/transport_security_state.h" | 17 #include "net/http/transport_security_state.h" |
| 15 #include "net/socket/client_socket_factory.h" | 18 #include "net/socket/client_socket_factory.h" |
| 16 #include "net/socket/client_socket_handle.h" | 19 #include "net/socket/client_socket_handle.h" |
| 17 #include "net/socket/ssl_client_socket.h" | 20 #include "net/socket/ssl_client_socket.h" |
| 18 #include "net/socket/ssl_client_socket_openssl.h" | 21 #include "net/socket/ssl_client_socket_openssl.h" |
| 19 #include "net/socket/ssl_server_socket.h" | 22 #include "net/socket/ssl_server_socket.h" |
| 20 #include "net/ssl/ssl_config_service.h" | 23 #include "net/ssl/ssl_config_service.h" |
| 21 #include "remoting/base/rsa_key_pair.h" | 24 #include "remoting/base/rsa_key_pair.h" |
| 22 #include "remoting/protocol/auth_util.h" | 25 #include "remoting/protocol/auth_util.h" |
| 23 | 26 |
| 24 namespace remoting { | 27 namespace remoting { |
| 25 namespace protocol { | 28 namespace protocol { |
| 26 | 29 |
| 30 namespace { |
| 31 |
| 32 // A CertVerifier which rejects every certificate. |
| 33 class FailingCertVerifier : public net::CertVerifier { |
| 34 public: |
| 35 FailingCertVerifier() {} |
| 36 ~FailingCertVerifier() override {} |
| 37 |
| 38 int Verify(net::X509Certificate* cert, |
| 39 const std::string& hostname, |
| 40 int flags, |
| 41 net::CRLSet* crl_set, |
| 42 net::CertVerifyResult* verify_result, |
| 43 const net::CompletionCallback& callback, |
| 44 RequestHandle* out_req, |
| 45 const net::BoundNetLog& net_log) override { |
| 46 verify_result->verified_cert = cert; |
| 47 verify_result->cert_status = net::CERT_STATUS_INVALID; |
| 48 return net::ERR_CERT_INVALID; |
| 49 } |
| 50 |
| 51 void CancelRequest(RequestHandle req) override { |
| 52 NOTIMPLEMENTED(); |
| 53 } |
| 54 }; |
| 55 |
| 56 } // namespace |
| 57 |
| 27 // static | 58 // static |
| 28 scoped_ptr<SslHmacChannelAuthenticator> | 59 scoped_ptr<SslHmacChannelAuthenticator> |
| 29 SslHmacChannelAuthenticator::CreateForClient( | 60 SslHmacChannelAuthenticator::CreateForClient( |
| 30 const std::string& remote_cert, | 61 const std::string& remote_cert, |
| 31 const std::string& auth_key) { | 62 const std::string& auth_key) { |
| 32 scoped_ptr<SslHmacChannelAuthenticator> result( | 63 scoped_ptr<SslHmacChannelAuthenticator> result( |
| 33 new SslHmacChannelAuthenticator(auth_key)); | 64 new SslHmacChannelAuthenticator(auth_key)); |
| 34 result->remote_cert_ = remote_cert; | 65 result->remote_cert_ = remote_cert; |
| 35 return result.Pass(); | 66 return result.Pass(); |
| 36 } | 67 } |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 88 local_key_pair_->private_key(), | 119 local_key_pair_->private_key(), |
| 89 ssl_config); | 120 ssl_config); |
| 90 net::SSLServerSocket* raw_server_socket = server_socket.get(); | 121 net::SSLServerSocket* raw_server_socket = server_socket.get(); |
| 91 socket_ = server_socket.Pass(); | 122 socket_ = server_socket.Pass(); |
| 92 result = raw_server_socket->Handshake( | 123 result = raw_server_socket->Handshake( |
| 93 base::Bind(&SslHmacChannelAuthenticator::OnConnected, | 124 base::Bind(&SslHmacChannelAuthenticator::OnConnected, |
| 94 base::Unretained(this))); | 125 base::Unretained(this))); |
| 95 #endif | 126 #endif |
| 96 } else { | 127 } else { |
| 97 transport_security_state_.reset(new net::TransportSecurityState); | 128 transport_security_state_.reset(new net::TransportSecurityState); |
| 129 cert_verifier_.reset(new FailingCertVerifier); |
| 98 | 130 |
| 99 net::SSLConfig::CertAndStatus cert_and_status; | 131 net::SSLConfig::CertAndStatus cert_and_status; |
| 100 cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID; | 132 cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID; |
| 101 cert_and_status.der_cert = remote_cert_; | 133 cert_and_status.der_cert = remote_cert_; |
| 102 | 134 |
| 103 net::SSLConfig ssl_config; | 135 net::SSLConfig ssl_config; |
| 104 // Certificate verification and revocation checking are not needed | 136 // Certificate verification and revocation checking are not needed |
| 105 // because we use self-signed certs. Disable it so that the SSL | 137 // because we use self-signed certs. Disable it so that the SSL |
| 106 // layer doesn't try to initialize OCSP (OCSP works only on the IO | 138 // layer doesn't try to initialize OCSP (OCSP works only on the IO |
| 107 // thread). | 139 // thread). |
| 108 ssl_config.cert_io_enabled = false; | 140 ssl_config.cert_io_enabled = false; |
| 109 ssl_config.rev_checking_enabled = false; | 141 ssl_config.rev_checking_enabled = false; |
| 110 ssl_config.allowed_bad_certs.push_back(cert_and_status); | 142 ssl_config.allowed_bad_certs.push_back(cert_and_status); |
| 111 | 143 |
| 112 net::HostPortPair host_and_port(kSslFakeHostName, 0); | 144 net::HostPortPair host_and_port(kSslFakeHostName, 0); |
| 113 net::SSLClientSocketContext context; | 145 net::SSLClientSocketContext context; |
| 114 context.transport_security_state = transport_security_state_.get(); | 146 context.transport_security_state = transport_security_state_.get(); |
| 147 context.cert_verifier = cert_verifier_.get(); |
| 115 scoped_ptr<net::ClientSocketHandle> socket_handle( | 148 scoped_ptr<net::ClientSocketHandle> socket_handle( |
| 116 new net::ClientSocketHandle); | 149 new net::ClientSocketHandle); |
| 117 socket_handle->SetSocket(socket.Pass()); | 150 socket_handle->SetSocket(socket.Pass()); |
| 118 | 151 |
| 119 #if defined(OS_NACL) | 152 #if defined(OS_NACL) |
| 120 // net_nacl doesn't include ClientSocketFactory. | 153 // net_nacl doesn't include ClientSocketFactory. |
| 121 socket_.reset(new net::SSLClientSocketOpenSSL( | 154 socket_.reset(new net::SSLClientSocketOpenSSL( |
| 122 socket_handle.Pass(), host_and_port, ssl_config, context)); | 155 socket_handle.Pass(), host_and_port, ssl_config, context)); |
| 123 #else | 156 #else |
| 124 socket_ = | 157 socket_ = |
| (...skipping 166 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 291 void SslHmacChannelAuthenticator::CallDoneCallback( | 324 void SslHmacChannelAuthenticator::CallDoneCallback( |
| 292 int error, | 325 int error, |
| 293 scoped_ptr<net::StreamSocket> socket) { | 326 scoped_ptr<net::StreamSocket> socket) { |
| 294 DoneCallback callback = done_callback_; | 327 DoneCallback callback = done_callback_; |
| 295 done_callback_.Reset(); | 328 done_callback_.Reset(); |
| 296 callback.Run(error, socket.Pass()); | 329 callback.Run(error, socket.Pass()); |
| 297 } | 330 } |
| 298 | 331 |
| 299 } // namespace protocol | 332 } // namespace protocol |
| 300 } // namespace remoting | 333 } // namespace remoting |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1080593003:
Pass in a non-null CertVerifier into SSLClientSocket. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@boringnss