OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" | 5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" |
6 | 6 |
7 #include "base/bind.h" | 7 #include "base/bind.h" |
8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
11 #include "crypto/secure_util.h" | 11 #include "crypto/secure_util.h" |
12 #include "net/base/host_port_pair.h" | 12 #include "net/base/host_port_pair.h" |
13 #include "net/base/io_buffer.h" | 13 #include "net/base/io_buffer.h" |
14 #include "net/base/net_errors.h" | 14 #include "net/base/net_errors.h" |
15 #include "net/cert/cert_status_flags.h" | 15 #include "net/cert/cert_status_flags.h" |
16 #include "net/cert/cert_verifier.h" | 16 #include "net/cert/cert_verifier.h" |
17 #include "net/cert/x509_certificate.h" | 17 #include "net/cert/x509_certificate.h" |
18 #include "net/http/transport_security_state.h" | 18 #include "net/http/transport_security_state.h" |
19 #include "net/socket/client_socket_factory.h" | 19 #include "net/socket/client_socket_factory.h" |
20 #include "net/socket/client_socket_handle.h" | 20 #include "net/socket/client_socket_handle.h" |
21 #include "net/socket/ssl_client_socket.h" | 21 #include "net/socket/ssl_client_socket.h" |
22 #include "net/socket/ssl_client_socket_openssl.h" | 22 #include "net/socket/ssl_client_socket_openssl.h" |
23 #include "net/socket/ssl_server_socket.h" | 23 #include "net/socket/ssl_server_socket.h" |
24 #include "net/ssl/ssl_config_service.h" | 24 #include "net/ssl/ssl_config_service.h" |
25 #include "remoting/base/rsa_key_pair.h" | 25 #include "remoting/base/rsa_key_pair.h" |
26 #include "remoting/protocol/auth_util.h" | 26 #include "remoting/protocol/auth_util.h" |
| 27 #include "remoting/protocol/p2p_socket.h" |
27 | 28 |
28 namespace remoting { | 29 namespace remoting { |
29 namespace protocol { | 30 namespace protocol { |
30 | 31 |
31 namespace { | 32 namespace { |
32 | 33 |
33 // A CertVerifier which rejects every certificate. | 34 // A CertVerifier which rejects every certificate. |
34 class FailingCertVerifier : public net::CertVerifier { | 35 class FailingCertVerifier : public net::CertVerifier { |
35 public: | 36 public: |
36 FailingCertVerifier() {} | 37 FailingCertVerifier() {} |
37 ~FailingCertVerifier() override {} | 38 ~FailingCertVerifier() override {} |
38 | 39 |
39 int Verify(net::X509Certificate* cert, | 40 int Verify(net::X509Certificate* cert, |
40 const std::string& hostname, | 41 const std::string& hostname, |
41 const std::string& ocsp_response, | 42 const std::string& ocsp_response, |
42 int flags, | 43 int flags, |
43 net::CRLSet* crl_set, | 44 net::CRLSet* crl_set, |
44 net::CertVerifyResult* verify_result, | 45 net::CertVerifyResult* verify_result, |
45 const net::CompletionCallback& callback, | 46 const net::CompletionCallback& callback, |
46 scoped_ptr<Request>* out_req, | 47 scoped_ptr<Request>* out_req, |
47 const net::BoundNetLog& net_log) override { | 48 const net::BoundNetLog& net_log) override { |
48 verify_result->verified_cert = cert; | 49 verify_result->verified_cert = cert; |
49 verify_result->cert_status = net::CERT_STATUS_INVALID; | 50 verify_result->cert_status = net::CERT_STATUS_INVALID; |
50 return net::ERR_CERT_INVALID; | 51 return net::ERR_CERT_INVALID; |
51 } | 52 } |
52 }; | 53 }; |
53 | 54 |
| 55 // Implements net::StreamSocket interface on top of P2PStreamSocket to be passed |
| 56 // to net::SSLClientSocket and net::SSLServerSocket. |
| 57 class NetStreamSocketAdapter : public net::StreamSocket { |
| 58 public: |
| 59 NetStreamSocketAdapter(scoped_ptr<P2PStreamSocket> socket) |
| 60 : socket_(socket.Pass()) {} |
| 61 ~NetStreamSocketAdapter() override {} |
| 62 |
| 63 int Read(net::IOBuffer* buf, int buf_len, |
| 64 const net::CompletionCallback& callback) override { |
| 65 return socket_->Read(buf, buf_len, callback); |
| 66 } |
| 67 int Write(net::IOBuffer* buf, int buf_len, |
| 68 const net::CompletionCallback& callback) override { |
| 69 return socket_->Write(buf, buf_len, callback); |
| 70 } |
| 71 int SetReceiveBufferSize(int32_t size) override { |
| 72 return socket_->SetReceiveBufferSize(size); |
| 73 } |
| 74 |
| 75 int SetSendBufferSize(int32_t size) override { |
| 76 return socket_->SetSendBufferSize(size); |
| 77 } |
| 78 |
| 79 int Connect(const net::CompletionCallback& callback) override { |
| 80 NOTREACHED(); |
| 81 return net::ERR_FAILED; |
| 82 } |
| 83 void Disconnect() override { socket_.reset(); } |
| 84 bool IsConnected() const override { return true; } |
| 85 bool IsConnectedAndIdle() const override { return true; } |
| 86 int GetPeerAddress(net::IPEndPoint* address) const override { |
| 87 // SSL sockets call this function so it must return some result. |
| 88 net::IPAddressNumber ip_address(net::kIPv4AddressSize); |
| 89 *address = net::IPEndPoint(ip_address, 0); |
| 90 return net::OK; |
| 91 } |
| 92 int GetLocalAddress(net::IPEndPoint* address) const override { |
| 93 NOTREACHED(); |
| 94 return net::ERR_FAILED; |
| 95 } |
| 96 const net::BoundNetLog& NetLog() const override { return net_log_; } |
| 97 void SetSubresourceSpeculation() override { NOTREACHED(); } |
| 98 void SetOmniboxSpeculation() override { NOTREACHED(); } |
| 99 bool WasEverUsed() const override { |
| 100 NOTREACHED(); |
| 101 return true; |
| 102 } |
| 103 bool UsingTCPFastOpen() const override { |
| 104 NOTREACHED(); |
| 105 return false; |
| 106 } |
| 107 void EnableTCPFastOpenIfSupported() override { NOTREACHED(); } |
| 108 bool WasNpnNegotiated() const override { |
| 109 NOTREACHED(); |
| 110 return false; |
| 111 } |
| 112 net::NextProto GetNegotiatedProtocol() const override { |
| 113 NOTREACHED(); |
| 114 return net::kProtoUnknown; |
| 115 } |
| 116 bool GetSSLInfo(net::SSLInfo* ssl_info) override { |
| 117 NOTREACHED(); |
| 118 return false; |
| 119 } |
| 120 void GetConnectionAttempts(net::ConnectionAttempts* out) const override { |
| 121 NOTREACHED(); |
| 122 } |
| 123 void ClearConnectionAttempts() override { NOTREACHED(); } |
| 124 void AddConnectionAttempts(const net::ConnectionAttempts& attempts) override { |
| 125 NOTREACHED(); |
| 126 } |
| 127 |
| 128 private: |
| 129 scoped_ptr<P2PStreamSocket> socket_; |
| 130 net::BoundNetLog net_log_; |
| 131 }; |
| 132 |
| 133 // Implements P2PStreamSocket interface on top of net::StreamSocket. |
| 134 class P2PStreamSocketAdapter : public P2PStreamSocket { |
| 135 public: |
| 136 P2PStreamSocketAdapter(scoped_ptr<net::StreamSocket> socket) |
| 137 : socket_(socket.Pass()) {} |
| 138 ~P2PStreamSocketAdapter() override {} |
| 139 |
| 140 int Read(net::IOBuffer* buf, int buf_len, |
| 141 const net::CompletionCallback& callback) override { |
| 142 return socket_->Read(buf, buf_len, callback); |
| 143 } |
| 144 int Write(net::IOBuffer* buf, int buf_len, |
| 145 const net::CompletionCallback& callback) override { |
| 146 return socket_->Write(buf, buf_len, callback); |
| 147 } |
| 148 int SetReceiveBufferSize(int32_t size) override { |
| 149 return socket_->SetReceiveBufferSize(size); |
| 150 } |
| 151 |
| 152 int SetSendBufferSize(int32_t size) override { |
| 153 return socket_->SetSendBufferSize(size); |
| 154 } |
| 155 |
| 156 private: |
| 157 scoped_ptr<net::StreamSocket> socket_; |
| 158 }; |
| 159 |
54 } // namespace | 160 } // namespace |
55 | 161 |
56 // static | 162 // static |
57 scoped_ptr<SslHmacChannelAuthenticator> | 163 scoped_ptr<SslHmacChannelAuthenticator> |
58 SslHmacChannelAuthenticator::CreateForClient( | 164 SslHmacChannelAuthenticator::CreateForClient( |
59 const std::string& remote_cert, | 165 const std::string& remote_cert, |
60 const std::string& auth_key) { | 166 const std::string& auth_key) { |
61 scoped_ptr<SslHmacChannelAuthenticator> result( | 167 scoped_ptr<SslHmacChannelAuthenticator> result( |
62 new SslHmacChannelAuthenticator(auth_key)); | 168 new SslHmacChannelAuthenticator(auth_key)); |
63 result->remote_cert_ = remote_cert; | 169 result->remote_cert_ = remote_cert; |
(...skipping 14 matching lines...) Expand all Loading... |
78 | 184 |
79 SslHmacChannelAuthenticator::SslHmacChannelAuthenticator( | 185 SslHmacChannelAuthenticator::SslHmacChannelAuthenticator( |
80 const std::string& auth_key) | 186 const std::string& auth_key) |
81 : auth_key_(auth_key) { | 187 : auth_key_(auth_key) { |
82 } | 188 } |
83 | 189 |
84 SslHmacChannelAuthenticator::~SslHmacChannelAuthenticator() { | 190 SslHmacChannelAuthenticator::~SslHmacChannelAuthenticator() { |
85 } | 191 } |
86 | 192 |
87 void SslHmacChannelAuthenticator::SecureAndAuthenticate( | 193 void SslHmacChannelAuthenticator::SecureAndAuthenticate( |
88 scoped_ptr<net::StreamSocket> socket, const DoneCallback& done_callback) { | 194 scoped_ptr<P2PStreamSocket> socket, |
| 195 const DoneCallback& done_callback) { |
89 DCHECK(CalledOnValidThread()); | 196 DCHECK(CalledOnValidThread()); |
90 DCHECK(socket->IsConnected()); | |
91 | 197 |
92 done_callback_ = done_callback; | 198 done_callback_ = done_callback; |
93 | 199 |
94 int result; | 200 int result; |
95 if (is_ssl_server()) { | 201 if (is_ssl_server()) { |
96 #if defined(OS_NACL) | 202 #if defined(OS_NACL) |
97 // Client plugin doesn't use server SSL sockets, and so SSLServerSocket | 203 // Client plugin doesn't use server SSL sockets, and so SSLServerSocket |
98 // implementation is not compiled for NaCl as part of net_nacl. | 204 // implementation is not compiled for NaCl as part of net_nacl. |
99 NOTREACHED(); | 205 NOTREACHED(); |
100 result = net::ERR_FAILED; | 206 result = net::ERR_FAILED; |
101 #else | 207 #else |
102 scoped_refptr<net::X509Certificate> cert = | 208 scoped_refptr<net::X509Certificate> cert = |
103 net::X509Certificate::CreateFromBytes( | 209 net::X509Certificate::CreateFromBytes( |
104 local_cert_.data(), local_cert_.length()); | 210 local_cert_.data(), local_cert_.length()); |
105 if (!cert.get()) { | 211 if (!cert.get()) { |
106 LOG(ERROR) << "Failed to parse X509Certificate"; | 212 LOG(ERROR) << "Failed to parse X509Certificate"; |
107 NotifyError(net::ERR_FAILED); | 213 NotifyError(net::ERR_FAILED); |
108 return; | 214 return; |
109 } | 215 } |
110 | 216 |
111 net::SSLConfig ssl_config; | 217 net::SSLConfig ssl_config; |
112 ssl_config.require_ecdhe = true; | 218 ssl_config.require_ecdhe = true; |
113 | 219 |
114 scoped_ptr<net::SSLServerSocket> server_socket = | 220 scoped_ptr<net::SSLServerSocket> server_socket = net::CreateSSLServerSocket( |
115 net::CreateSSLServerSocket(socket.Pass(), | 221 make_scoped_ptr(new NetStreamSocketAdapter(socket.Pass())), cert.get(), |
116 cert.get(), | 222 local_key_pair_->private_key(), ssl_config); |
117 local_key_pair_->private_key(), | |
118 ssl_config); | |
119 net::SSLServerSocket* raw_server_socket = server_socket.get(); | 223 net::SSLServerSocket* raw_server_socket = server_socket.get(); |
120 socket_ = server_socket.Pass(); | 224 socket_ = server_socket.Pass(); |
121 result = raw_server_socket->Handshake( | 225 result = raw_server_socket->Handshake( |
122 base::Bind(&SslHmacChannelAuthenticator::OnConnected, | 226 base::Bind(&SslHmacChannelAuthenticator::OnConnected, |
123 base::Unretained(this))); | 227 base::Unretained(this))); |
124 #endif | 228 #endif |
125 } else { | 229 } else { |
126 transport_security_state_.reset(new net::TransportSecurityState); | 230 transport_security_state_.reset(new net::TransportSecurityState); |
127 cert_verifier_.reset(new FailingCertVerifier); | 231 cert_verifier_.reset(new FailingCertVerifier); |
128 | 232 |
(...skipping 10 matching lines...) Expand all Loading... |
139 ssl_config.rev_checking_enabled = false; | 243 ssl_config.rev_checking_enabled = false; |
140 ssl_config.allowed_bad_certs.push_back(cert_and_status); | 244 ssl_config.allowed_bad_certs.push_back(cert_and_status); |
141 ssl_config.require_ecdhe = true; | 245 ssl_config.require_ecdhe = true; |
142 | 246 |
143 net::HostPortPair host_and_port(kSslFakeHostName, 0); | 247 net::HostPortPair host_and_port(kSslFakeHostName, 0); |
144 net::SSLClientSocketContext context; | 248 net::SSLClientSocketContext context; |
145 context.transport_security_state = transport_security_state_.get(); | 249 context.transport_security_state = transport_security_state_.get(); |
146 context.cert_verifier = cert_verifier_.get(); | 250 context.cert_verifier = cert_verifier_.get(); |
147 scoped_ptr<net::ClientSocketHandle> socket_handle( | 251 scoped_ptr<net::ClientSocketHandle> socket_handle( |
148 new net::ClientSocketHandle); | 252 new net::ClientSocketHandle); |
149 socket_handle->SetSocket(socket.Pass()); | 253 socket_handle->SetSocket( |
| 254 make_scoped_ptr(new NetStreamSocketAdapter(socket.Pass()))); |
150 | 255 |
151 #if defined(OS_NACL) | 256 #if defined(OS_NACL) |
152 // net_nacl doesn't include ClientSocketFactory. | 257 // net_nacl doesn't include ClientSocketFactory. |
153 socket_.reset(new net::SSLClientSocketOpenSSL( | 258 socket_.reset(new net::SSLClientSocketOpenSSL( |
154 socket_handle.Pass(), host_and_port, ssl_config, context)); | 259 socket_handle.Pass(), host_and_port, ssl_config, context)); |
155 #else | 260 #else |
156 socket_ = | 261 socket_ = |
157 net::ClientSocketFactory::GetDefaultFactory()->CreateSSLClientSocket( | 262 net::ClientSocketFactory::GetDefaultFactory()->CreateSSLClientSocket( |
158 socket_handle.Pass(), host_and_port, ssl_config, context); | 263 socket_handle.Pass(), host_and_port, ssl_config, context); |
159 #endif | 264 #endif |
(...skipping 145 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
305 return crypto::SecureMemEqual(received_auth_bytes.data(), | 410 return crypto::SecureMemEqual(received_auth_bytes.data(), |
306 &(auth_bytes[0]), kAuthDigestLength); | 411 &(auth_bytes[0]), kAuthDigestLength); |
307 } | 412 } |
308 | 413 |
309 void SslHmacChannelAuthenticator::CheckDone(bool* callback_called) { | 414 void SslHmacChannelAuthenticator::CheckDone(bool* callback_called) { |
310 if (auth_write_buf_.get() == nullptr && auth_read_buf_.get() == nullptr) { | 415 if (auth_write_buf_.get() == nullptr && auth_read_buf_.get() == nullptr) { |
311 DCHECK(socket_.get() != nullptr); | 416 DCHECK(socket_.get() != nullptr); |
312 if (callback_called) | 417 if (callback_called) |
313 *callback_called = true; | 418 *callback_called = true; |
314 | 419 |
315 base::ResetAndReturn(&done_callback_).Run(net::OK, socket_.Pass()); | 420 base::ResetAndReturn(&done_callback_) |
| 421 .Run(net::OK, |
| 422 make_scoped_ptr(new P2PStreamSocketAdapter(socket_.Pass()))); |
316 } | 423 } |
317 } | 424 } |
318 | 425 |
319 void SslHmacChannelAuthenticator::NotifyError(int error) { | 426 void SslHmacChannelAuthenticator::NotifyError(int error) { |
320 base::ResetAndReturn(&done_callback_).Run(error, nullptr); | 427 base::ResetAndReturn(&done_callback_).Run(error, nullptr); |
321 } | 428 } |
322 | 429 |
323 } // namespace protocol | 430 } // namespace protocol |
324 } // namespace remoting | 431 } // namespace remoting |
OLD | NEW |