OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" | 5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" |
6 | 6 |
7 #include "base/bind.h" | 7 #include "base/bind.h" |
8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
9 #include "base/callback_helpers.h" | 9 #include "base/callback_helpers.h" |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
11 #include "crypto/secure_util.h" | 11 #include "crypto/secure_util.h" |
12 #include "net/base/host_port_pair.h" | 12 #include "net/base/host_port_pair.h" |
13 #include "net/base/io_buffer.h" | 13 #include "net/base/io_buffer.h" |
14 #include "net/base/net_errors.h" | 14 #include "net/base/net_errors.h" |
15 #include "net/cert/cert_status_flags.h" | 15 #include "net/cert/cert_status_flags.h" |
16 #include "net/cert/cert_verifier.h" | 16 #include "net/cert/cert_verifier.h" |
17 #include "net/cert/cert_verify_result.h" | 17 #include "net/cert/cert_verify_result.h" |
18 #include "net/cert/x509_certificate.h" | 18 #include "net/cert/x509_certificate.h" |
19 #include "net/http/transport_security_state.h" | 19 #include "net/http/transport_security_state.h" |
20 #include "net/socket/client_socket_handle.h" | 20 #include "net/socket/client_socket_handle.h" |
21 #include "net/socket/ssl_client_socket.h" | 21 #include "net/socket/ssl_client_socket.h" |
22 #include "net/socket/ssl_server_socket.h" | 22 #include "net/socket/ssl_server_socket.h" |
23 #include "net/ssl/ssl_config_service.h" | 23 #include "net/ssl/ssl_config_service.h" |
24 #include "remoting/base/rsa_key_pair.h" | 24 #include "remoting/base/rsa_key_pair.h" |
25 #include "remoting/protocol/auth_util.h" | 25 #include "remoting/protocol/auth_util.h" |
| 26 #include "remoting/protocol/p2p_stream_socket.h" |
26 | 27 |
27 #if defined(OS_NACL) | 28 #if defined(OS_NACL) |
28 #include "net/socket/ssl_client_socket_openssl.h" | 29 #include "net/socket/ssl_client_socket_openssl.h" |
29 #else | 30 #else |
30 #include "net/socket/client_socket_factory.h" | 31 #include "net/socket/client_socket_factory.h" |
31 #endif | 32 #endif |
32 | 33 |
33 namespace remoting { | 34 namespace remoting { |
34 namespace protocol { | 35 namespace protocol { |
35 | 36 |
(...skipping 13 matching lines...) Expand all Loading... |
49 net::CertVerifyResult* verify_result, | 50 net::CertVerifyResult* verify_result, |
50 const net::CompletionCallback& callback, | 51 const net::CompletionCallback& callback, |
51 scoped_ptr<Request>* out_req, | 52 scoped_ptr<Request>* out_req, |
52 const net::BoundNetLog& net_log) override { | 53 const net::BoundNetLog& net_log) override { |
53 verify_result->verified_cert = cert; | 54 verify_result->verified_cert = cert; |
54 verify_result->cert_status = net::CERT_STATUS_INVALID; | 55 verify_result->cert_status = net::CERT_STATUS_INVALID; |
55 return net::ERR_CERT_INVALID; | 56 return net::ERR_CERT_INVALID; |
56 } | 57 } |
57 }; | 58 }; |
58 | 59 |
| 60 // Implements net::StreamSocket interface on top of P2PStreamSocket to be passed |
| 61 // to net::SSLClientSocket and net::SSLServerSocket. |
| 62 class NetStreamSocketAdapter : public net::StreamSocket { |
| 63 public: |
| 64 NetStreamSocketAdapter(scoped_ptr<P2PStreamSocket> socket) |
| 65 : socket_(socket.Pass()) {} |
| 66 ~NetStreamSocketAdapter() override {} |
| 67 |
| 68 int Read(net::IOBuffer* buf, int buf_len, |
| 69 const net::CompletionCallback& callback) override { |
| 70 return socket_->Read(buf, buf_len, callback); |
| 71 } |
| 72 int Write(net::IOBuffer* buf, int buf_len, |
| 73 const net::CompletionCallback& callback) override { |
| 74 return socket_->Write(buf, buf_len, callback); |
| 75 } |
| 76 |
| 77 int SetReceiveBufferSize(int32_t size) override { |
| 78 NOTREACHED(); |
| 79 return net::ERR_FAILED; |
| 80 } |
| 81 |
| 82 int SetSendBufferSize(int32_t size) override { |
| 83 NOTREACHED(); |
| 84 return net::ERR_FAILED; |
| 85 } |
| 86 |
| 87 int Connect(const net::CompletionCallback& callback) override { |
| 88 NOTREACHED(); |
| 89 return net::ERR_FAILED; |
| 90 } |
| 91 void Disconnect() override { socket_.reset(); } |
| 92 bool IsConnected() const override { return true; } |
| 93 bool IsConnectedAndIdle() const override { return true; } |
| 94 int GetPeerAddress(net::IPEndPoint* address) const override { |
| 95 // SSL sockets call this function so it must return some result. |
| 96 net::IPAddressNumber ip_address(net::kIPv4AddressSize); |
| 97 *address = net::IPEndPoint(ip_address, 0); |
| 98 return net::OK; |
| 99 } |
| 100 int GetLocalAddress(net::IPEndPoint* address) const override { |
| 101 NOTREACHED(); |
| 102 return net::ERR_FAILED; |
| 103 } |
| 104 const net::BoundNetLog& NetLog() const override { return net_log_; } |
| 105 void SetSubresourceSpeculation() override { NOTREACHED(); } |
| 106 void SetOmniboxSpeculation() override { NOTREACHED(); } |
| 107 bool WasEverUsed() const override { |
| 108 NOTREACHED(); |
| 109 return true; |
| 110 } |
| 111 bool UsingTCPFastOpen() const override { |
| 112 NOTREACHED(); |
| 113 return false; |
| 114 } |
| 115 void EnableTCPFastOpenIfSupported() override { NOTREACHED(); } |
| 116 bool WasNpnNegotiated() const override { |
| 117 NOTREACHED(); |
| 118 return false; |
| 119 } |
| 120 net::NextProto GetNegotiatedProtocol() const override { |
| 121 NOTREACHED(); |
| 122 return net::kProtoUnknown; |
| 123 } |
| 124 bool GetSSLInfo(net::SSLInfo* ssl_info) override { |
| 125 NOTREACHED(); |
| 126 return false; |
| 127 } |
| 128 void GetConnectionAttempts(net::ConnectionAttempts* out) const override { |
| 129 NOTREACHED(); |
| 130 } |
| 131 void ClearConnectionAttempts() override { NOTREACHED(); } |
| 132 void AddConnectionAttempts(const net::ConnectionAttempts& attempts) override { |
| 133 NOTREACHED(); |
| 134 } |
| 135 |
| 136 private: |
| 137 scoped_ptr<P2PStreamSocket> socket_; |
| 138 net::BoundNetLog net_log_; |
| 139 }; |
| 140 |
| 141 // Implements P2PStreamSocket interface on top of net::StreamSocket. |
| 142 class P2PStreamSocketAdapter : public P2PStreamSocket { |
| 143 public: |
| 144 P2PStreamSocketAdapter(scoped_ptr<net::StreamSocket> socket) |
| 145 : socket_(socket.Pass()) {} |
| 146 ~P2PStreamSocketAdapter() override {} |
| 147 |
| 148 int Read(const scoped_refptr<net::IOBuffer>& buf, int buf_len, |
| 149 const net::CompletionCallback& callback) override { |
| 150 return socket_->Read(buf.get(), buf_len, callback); |
| 151 } |
| 152 int Write(const scoped_refptr<net::IOBuffer>& buf, int buf_len, |
| 153 const net::CompletionCallback& callback) override { |
| 154 return socket_->Write(buf.get(), buf_len, callback); |
| 155 } |
| 156 |
| 157 private: |
| 158 scoped_ptr<net::StreamSocket> socket_; |
| 159 }; |
| 160 |
59 } // namespace | 161 } // namespace |
60 | 162 |
61 // static | 163 // static |
62 scoped_ptr<SslHmacChannelAuthenticator> | 164 scoped_ptr<SslHmacChannelAuthenticator> |
63 SslHmacChannelAuthenticator::CreateForClient( | 165 SslHmacChannelAuthenticator::CreateForClient( |
64 const std::string& remote_cert, | 166 const std::string& remote_cert, |
65 const std::string& auth_key) { | 167 const std::string& auth_key) { |
66 scoped_ptr<SslHmacChannelAuthenticator> result( | 168 scoped_ptr<SslHmacChannelAuthenticator> result( |
67 new SslHmacChannelAuthenticator(auth_key)); | 169 new SslHmacChannelAuthenticator(auth_key)); |
68 result->remote_cert_ = remote_cert; | 170 result->remote_cert_ = remote_cert; |
(...skipping 14 matching lines...) Expand all Loading... |
83 | 185 |
84 SslHmacChannelAuthenticator::SslHmacChannelAuthenticator( | 186 SslHmacChannelAuthenticator::SslHmacChannelAuthenticator( |
85 const std::string& auth_key) | 187 const std::string& auth_key) |
86 : auth_key_(auth_key) { | 188 : auth_key_(auth_key) { |
87 } | 189 } |
88 | 190 |
89 SslHmacChannelAuthenticator::~SslHmacChannelAuthenticator() { | 191 SslHmacChannelAuthenticator::~SslHmacChannelAuthenticator() { |
90 } | 192 } |
91 | 193 |
92 void SslHmacChannelAuthenticator::SecureAndAuthenticate( | 194 void SslHmacChannelAuthenticator::SecureAndAuthenticate( |
93 scoped_ptr<net::StreamSocket> socket, const DoneCallback& done_callback) { | 195 scoped_ptr<P2PStreamSocket> socket, |
| 196 const DoneCallback& done_callback) { |
94 DCHECK(CalledOnValidThread()); | 197 DCHECK(CalledOnValidThread()); |
95 DCHECK(socket->IsConnected()); | |
96 | 198 |
97 done_callback_ = done_callback; | 199 done_callback_ = done_callback; |
98 | 200 |
99 int result; | 201 int result; |
100 if (is_ssl_server()) { | 202 if (is_ssl_server()) { |
101 #if defined(OS_NACL) | 203 #if defined(OS_NACL) |
102 // Client plugin doesn't use server SSL sockets, and so SSLServerSocket | 204 // Client plugin doesn't use server SSL sockets, and so SSLServerSocket |
103 // implementation is not compiled for NaCl as part of net_nacl. | 205 // implementation is not compiled for NaCl as part of net_nacl. |
104 NOTREACHED(); | 206 NOTREACHED(); |
105 result = net::ERR_FAILED; | 207 result = net::ERR_FAILED; |
106 #else | 208 #else |
107 scoped_refptr<net::X509Certificate> cert = | 209 scoped_refptr<net::X509Certificate> cert = |
108 net::X509Certificate::CreateFromBytes( | 210 net::X509Certificate::CreateFromBytes( |
109 local_cert_.data(), local_cert_.length()); | 211 local_cert_.data(), local_cert_.length()); |
110 if (!cert.get()) { | 212 if (!cert.get()) { |
111 LOG(ERROR) << "Failed to parse X509Certificate"; | 213 LOG(ERROR) << "Failed to parse X509Certificate"; |
112 NotifyError(net::ERR_FAILED); | 214 NotifyError(net::ERR_FAILED); |
113 return; | 215 return; |
114 } | 216 } |
115 | 217 |
116 net::SSLConfig ssl_config; | 218 net::SSLConfig ssl_config; |
117 ssl_config.require_ecdhe = true; | 219 ssl_config.require_ecdhe = true; |
118 | 220 |
119 scoped_ptr<net::SSLServerSocket> server_socket = | 221 scoped_ptr<net::SSLServerSocket> server_socket = net::CreateSSLServerSocket( |
120 net::CreateSSLServerSocket(socket.Pass(), | 222 make_scoped_ptr(new NetStreamSocketAdapter(socket.Pass())), cert.get(), |
121 cert.get(), | 223 local_key_pair_->private_key(), ssl_config); |
122 local_key_pair_->private_key(), | |
123 ssl_config); | |
124 net::SSLServerSocket* raw_server_socket = server_socket.get(); | 224 net::SSLServerSocket* raw_server_socket = server_socket.get(); |
125 socket_ = server_socket.Pass(); | 225 socket_ = server_socket.Pass(); |
126 result = raw_server_socket->Handshake( | 226 result = raw_server_socket->Handshake( |
127 base::Bind(&SslHmacChannelAuthenticator::OnConnected, | 227 base::Bind(&SslHmacChannelAuthenticator::OnConnected, |
128 base::Unretained(this))); | 228 base::Unretained(this))); |
129 #endif | 229 #endif |
130 } else { | 230 } else { |
131 transport_security_state_.reset(new net::TransportSecurityState); | 231 transport_security_state_.reset(new net::TransportSecurityState); |
132 cert_verifier_.reset(new FailingCertVerifier); | 232 cert_verifier_.reset(new FailingCertVerifier); |
133 | 233 |
(...skipping 10 matching lines...) Expand all Loading... |
144 ssl_config.rev_checking_enabled = false; | 244 ssl_config.rev_checking_enabled = false; |
145 ssl_config.allowed_bad_certs.push_back(cert_and_status); | 245 ssl_config.allowed_bad_certs.push_back(cert_and_status); |
146 ssl_config.require_ecdhe = false; | 246 ssl_config.require_ecdhe = false; |
147 | 247 |
148 net::HostPortPair host_and_port(kSslFakeHostName, 0); | 248 net::HostPortPair host_and_port(kSslFakeHostName, 0); |
149 net::SSLClientSocketContext context; | 249 net::SSLClientSocketContext context; |
150 context.transport_security_state = transport_security_state_.get(); | 250 context.transport_security_state = transport_security_state_.get(); |
151 context.cert_verifier = cert_verifier_.get(); | 251 context.cert_verifier = cert_verifier_.get(); |
152 scoped_ptr<net::ClientSocketHandle> socket_handle( | 252 scoped_ptr<net::ClientSocketHandle> socket_handle( |
153 new net::ClientSocketHandle); | 253 new net::ClientSocketHandle); |
154 socket_handle->SetSocket(socket.Pass()); | 254 socket_handle->SetSocket( |
| 255 make_scoped_ptr(new NetStreamSocketAdapter(socket.Pass()))); |
155 | 256 |
156 #if defined(OS_NACL) | 257 #if defined(OS_NACL) |
157 // net_nacl doesn't include ClientSocketFactory. | 258 // net_nacl doesn't include ClientSocketFactory. |
158 socket_.reset(new net::SSLClientSocketOpenSSL( | 259 socket_.reset(new net::SSLClientSocketOpenSSL( |
159 socket_handle.Pass(), host_and_port, ssl_config, context)); | 260 socket_handle.Pass(), host_and_port, ssl_config, context)); |
160 #else | 261 #else |
161 socket_ = | 262 socket_ = |
162 net::ClientSocketFactory::GetDefaultFactory()->CreateSSLClientSocket( | 263 net::ClientSocketFactory::GetDefaultFactory()->CreateSSLClientSocket( |
163 socket_handle.Pass(), host_and_port, ssl_config, context); | 264 socket_handle.Pass(), host_and_port, ssl_config, context); |
164 #endif | 265 #endif |
(...skipping 146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
311 return crypto::SecureMemEqual(received_auth_bytes.data(), | 412 return crypto::SecureMemEqual(received_auth_bytes.data(), |
312 &(auth_bytes[0]), kAuthDigestLength); | 413 &(auth_bytes[0]), kAuthDigestLength); |
313 } | 414 } |
314 | 415 |
315 void SslHmacChannelAuthenticator::CheckDone(bool* callback_called) { | 416 void SslHmacChannelAuthenticator::CheckDone(bool* callback_called) { |
316 if (auth_write_buf_.get() == nullptr && auth_read_buf_.get() == nullptr) { | 417 if (auth_write_buf_.get() == nullptr && auth_read_buf_.get() == nullptr) { |
317 DCHECK(socket_.get() != nullptr); | 418 DCHECK(socket_.get() != nullptr); |
318 if (callback_called) | 419 if (callback_called) |
319 *callback_called = true; | 420 *callback_called = true; |
320 | 421 |
321 base::ResetAndReturn(&done_callback_).Run(net::OK, socket_.Pass()); | 422 base::ResetAndReturn(&done_callback_) |
| 423 .Run(net::OK, |
| 424 make_scoped_ptr(new P2PStreamSocketAdapter(socket_.Pass()))); |
322 } | 425 } |
323 } | 426 } |
324 | 427 |
325 void SslHmacChannelAuthenticator::NotifyError(int error) { | 428 void SslHmacChannelAuthenticator::NotifyError(int error) { |
326 base::ResetAndReturn(&done_callback_).Run(error, nullptr); | 429 base::ResetAndReturn(&done_callback_).Run(error, nullptr); |
327 } | 430 } |
328 | 431 |
329 } // namespace protocol | 432 } // namespace protocol |
330 } // namespace remoting | 433 } // namespace remoting |
OLD | NEW |