Make the Pepper TCP open the firewall on Cros.

content/browser/renderer_host/pepper/pepper_socket_utils.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/pepper/pepper_socket_utils.h"
 
 #include <string>
 #include <vector>
 
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
 #include "base/strings/string_util.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/site_instance.h"
 #include "content/public/common/content_client.h"
+#include "net/base/ip_endpoint.h"
 #include "net/cert/x509_certificate.h"
 #include "ppapi/c/private/ppb_net_address_private.h"
 #include "ppapi/shared_impl/private/net_address_private_impl.h"
 #include "ppapi/shared_impl/private/ppb_x509_certificate_private_shared.h"
 
+#if defined(OS_CHROMEOS)
+#include "chromeos/network/firewall_hole.h"
+#endif  // defined(OS_CHROMEOS)
+
 namespace content {
 namespace pepper_socket_utils {
 
 SocketPermissionRequest CreateSocketPermissionRequest(
     SocketPermissionRequest::OperationType type,
     const PP_NetAddress_Private& net_addr) {
   std::string host =
       ppapi::NetAddressPrivateImpl::DescribeNetAddress(net_addr, false);
   uint16 port = 0;
   std::vector<unsigned char> address;
   ppapi::NetAddressPrivateImpl::NetAddressToIPEndPoint(
       net_addr, &address, &port);
   return SocketPermissionRequest(type, host, port);
 }
 
 bool CanUseSocketAPIs(bool external_plugin,
                       bool private_api,
                       const SocketPermissionRequest* params,
                       int render_process_id,
                       int render_frame_id) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   if (!external_plugin) {
     // Always allow socket APIs for out-process plugins (other than external
-    // plugins instantiated by the embeeder through
+    // plugins instantiated by the embedder through
     // BrowserPpapiHost::CreateExternalPluginProcess).
     return true;
   }
 
   RenderFrameHost* render_frame_host =
       RenderFrameHost::FromID(render_process_id, render_frame_id);
   if (!render_frame_host)
     return false;
   SiteInstance* site_instance = render_frame_host->GetSiteInstance();
   if (!site_instance)
@@ skipping 64 matching lines @@
 bool GetCertificateFields(const char* der,
                           uint32_t length,
                           ppapi::PPB_X509Certificate_Fields* fields) {
   scoped_refptr<net::X509Certificate> cert =
       net::X509Certificate::CreateFromBytes(der, length);
   if (!cert.get())
     return false;
   return GetCertificateFields(*cert.get(), fields);
 }
 
+#if defined(OS_CHROMEOS)
+namespace {
+
+const unsigned char kIPv4Empty[] = {0, 0, 0, 0};
+const unsigned char kIPv6Empty[] =
+    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+const unsigned char kIPv6Loopback[] =
+    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
+
+bool isLoopbackAddress(const net::IPAddressNumber& address) {
+  if (address.size() == net::kIPv4AddressSize) {
+    // All of 127.0.0.0/8 is loopback in ipv4. See RFC3330.

[bbudge, 2015/07/22 02:00:48]

Maybe the comment is confusing me then: Could you say "All of 127.*.*.*/8 is
loopback" instead?

[avallee, 2015/07/24 18:33:00]

I guess it want's clear that my notation is not a subnet, not a specific host
address.

+    return address[0] == 0x7f;
+  } else if (address.size() == net::kIPv6AddressSize) {
+    // ::1 is the only loopback address in ipv6.
+    return std::equal(&kIPv6Loopback[0], &kIPv6Loopback[net::kIPv6AddressSize],
+                      address.begin());
+  }
+  return false;
+}
+
+std::string addressToFirewallString(const net::IPAddressNumber& address) {
+  if (address.empty()) {
+    return std::string();
+  }
+  if (address.size() == net::kIPv4AddressSize &&
+      std::equal(&kIPv4Empty[0], &kIPv4Empty[net::kIPv4AddressSize],
+                 address.begin())) {
+    return std::string();
+  }
+  if (address.size() == net::kIPv6AddressSize &&
+      std::equal(&kIPv6Empty[0], &kIPv6Empty[net::kIPv6AddressSize],
+                 address.begin())) {
+    return std::string();
+  }
+
+  return net::IPAddressToString(address);
+}
+
+}  // namespace
+
+void OpenFirewallHole(const net::IPEndPoint& address,
+                      chromeos::FirewallHole::PortType type,
+                      FirewallHoleOpenCallback callback) {
+  if (isLoopbackAddress(address.address())) {
+    callback.Run(nullptr);
+    return;
+  }
+  std::string address_string = addressToFirewallString(address.address());
+
+  chromeos::FirewallHole::Open(type, address.port(), address_string, callback);
+}
+
+void OpenTCPFirewallHole(const net::IPEndPoint& address,
+                         FirewallHoleOpenCallback callback) {
+  OpenFirewallHole(address, chromeos::FirewallHole::PortType::TCP, callback);
+}
+
+void OpenUDPFirewallHole(const net::IPEndPoint& address,
+                         FirewallHoleOpenCallback callback) {
+  OpenFirewallHole(address, chromeos::FirewallHole::PortType::UDP, callback);
+}
+#endif  // defined(OS_CHROMEOS)
+
 }  // namespace pepper_socket_utils
 }  // namespace content