Chromium Code Reviews Chromium Code Reviews
Issue 138753005:
Add gnubby authentication to remoting host (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "remoting/host/gnubby_util.h" | |
| 6 | |
| 7 #include <endian.h> | |
|
Sergey Ulanov
2014/02/14 07:31:59
remove this include - won't compile on OSX.
psj
2014/02/15 00:01:34
Done.
| |
| 8 #include <algorithm> | |
| 9 #include <vector> | |
| 10 | |
| 11 #include "base/base64.h" | |
| 12 #include "base/json/json_reader.h" | |
| 13 #include "base/json/json_writer.h" | |
| 14 #include "base/logging.h" | |
| 15 #include "base/memory/scoped_ptr.h" | |
| 16 #include "base/values.h" | |
| 17 #include "remoting/base/logging.h" | |
| 18 | |
| 19 namespace remoting { | |
| 20 | |
| 21 namespace { | |
| 22 | |
| 23 // Failure code to use when the code from the webapp response isn't available. | |
| 24 const int kGnubbyResponseFail = 1; | |
| 25 | |
| 26 const int kSsh2AgentcGnubbySignRequest = 101; // 0x65 | |
| 27 const int kSsh2AgentcGnubbySignResponse = 102; // 0x66 | |
| 28 | |
| 29 void WebSafeBase64Encode(const std::string& data, std::string* encoded_data) { | |
| 30 base::Base64Encode(data, encoded_data); | |
| 31 | |
| 32 std::replace(encoded_data->begin(), encoded_data->end(), '+', '-'); | |
| 33 std::replace(encoded_data->begin(), encoded_data->end(), '/', '_'); | |
| 34 encoded_data->erase( | |
| 35 std::remove(encoded_data->begin(), encoded_data->end(), '='), | |
| 36 encoded_data->end()); | |
| 37 } | |
| 38 | |
| 39 void WebSafeBase64Decode(const std::string& encoded_data, std::string* data) { | |
| 40 std::string temp(encoded_data); | |
| 41 std::replace(temp.begin(), temp.end(), '-', '+'); | |
| 42 std::replace(temp.begin(), temp.end(), '_', '/'); | |
| 43 | |
| 44 int num_equals = temp.length() % 3; | |
| 45 temp.append(num_equals, '='); | |
| 46 | |
| 47 base::Base64Decode(temp, data); | |
| 48 } | |
| 49 | |
| 50 bool DecodeDataFromDictionary(const base::DictionaryValue& dictionary, | |
| 51 const std::string& path, | |
| 52 std::string* data) { | |
| 53 std::string encoded_data; | |
| 54 bool result = dictionary.GetString(path, &encoded_data); | |
| 55 if (result) { | |
| 56 WebSafeBase64Decode(encoded_data, data); | |
| 57 } else { | |
| 58 LOG(ERROR) << "Failed to get dictionary value " << path; | |
| 59 data->erase(); | |
| 60 } | |
| 61 return result; | |
| 62 } | |
| 63 | |
| 64 // Class to read gnubby blob data. | |
| 65 class BlobReader { | |
| 66 public: | |
| 67 // Create a blob with the given data. Does not take ownership of the memory. | |
| 68 BlobReader(const uint8_t* data, size_t data_len); | |
| 69 virtual ~BlobReader(); | |
| 70 | |
| 71 // Read a byte from the blob. Returns true on success. | |
| 72 bool ReadByte(uint8_t* value); | |
| 73 | |
| 74 // Read a four byte size from the blob. Returns true on success. | |
| 75 bool ReadSize(size_t* value); | |
| 76 | |
| 77 // Read a size-prefixed blob. Returns true on success. | |
| 78 bool ReadBlobReader(scoped_ptr<BlobReader>* value); | |
| 79 | |
| 80 // Read a size-prefixed string from the blob. Returns true on success. | |
| 81 bool ReadString(std::string* value); | |
| 82 | |
| 83 private: | |
| 84 // The blob data. | |
| 85 const uint8_t* data_; | |
| 86 | |
| 87 // The length of the blob data. | |
| 88 size_t data_len_; | |
| 89 | |
| 90 // The current read index. | |
| 91 size_t index_; | |
| 92 | |
| 93 DISALLOW_COPY_AND_ASSIGN(BlobReader); | |
| 94 }; | |
| 95 | |
| 96 // Class to write gnubby blob data. | |
| 97 class BlobWriter { | |
| 98 public: | |
| 99 BlobWriter(); | |
| 100 virtual ~BlobWriter(); | |
| 101 | |
| 102 // Write a byte to the blob. | |
| 103 void WriteByte(uint8_t value); | |
| 104 | |
| 105 // Write a four byte size to the blob. | |
| 106 void WriteSize(size_t value); | |
| 107 | |
| 108 // Write a size-prefixed blob to the blob. | |
| 109 void WriteBlobWriter(const BlobWriter& value); | |
| 110 | |
| 111 // Write a size-prefixed string to the blob. | |
| 112 void WriteString(const std::string& value); | |
| 113 | |
| 114 // Returns the blob data. | |
| 115 std::string GetData() const; | |
| 116 | |
| 117 private: | |
| 118 // The blob data. | |
| 119 std::vector<uint8_t> data_; | |
| 120 | |
| 121 DISALLOW_COPY_AND_ASSIGN(BlobWriter); | |
| 122 }; | |
| 123 | |
| 124 BlobReader::BlobReader(const uint8_t* data, size_t data_len) | |
| 125 : data_(data), data_len_(data_len), index_(0) {} | |
| 126 | |
| 127 BlobReader::~BlobReader() {} | |
| 128 | |
| 129 bool BlobReader::ReadByte(uint8_t* value) { | |
| 130 if (data_len_ < index_) { | |
| 131 *value = 0; | |
| 132 return false; | |
| 133 } | |
| 134 *value = data_[index_++]; | |
| 135 return true; | |
| 136 } | |
| 137 | |
| 138 bool BlobReader::ReadSize(size_t* value) { | |
| 139 if (data_len_ < (index_ + 4)) { | |
| 140 *value = 0; | |
| 141 return false; | |
| 142 } | |
| 143 *value = ((data_[index_] & 255) << 24) + ((data_[index_ + 1] & 255) << 16) + | |
| 144 ((data_[index_ + 2] & 255) << 8) + (data_[index_ + 3] & 255); | |
| 145 index_ += 4; | |
| 146 return true; | |
| 147 } | |
| 148 | |
| 149 bool BlobReader::ReadBlobReader(scoped_ptr<BlobReader>* value) { | |
| 150 size_t blob_size; | |
| 151 if (!ReadSize(&blob_size) || data_len_ < (index_ + blob_size)) { | |
| 152 value->reset(); | |
| 153 return 0; | |
| 154 } | |
| 155 value->reset(new BlobReader(data_ + index_, blob_size)); | |
| 156 index_ += blob_size; | |
| 157 return true; | |
| 158 } | |
| 159 | |
| 160 bool BlobReader::ReadString(std::string* value) { | |
| 161 size_t length; | |
| 162 if (!ReadSize(&length) || data_len_ < (index_ + length)) { | |
| 163 value->erase(); | |
| 164 return 0; | |
| 165 } | |
| 166 value->assign(reinterpret_cast<const char*>(data_ + index_), length); | |
| 167 index_ += length; | |
| 168 return true; | |
| 169 } | |
| 170 | |
| 171 BlobWriter::BlobWriter() {} | |
| 172 | |
| 173 BlobWriter::~BlobWriter() {} | |
| 174 | |
| 175 void BlobWriter::WriteByte(uint8_t value) { data_.push_back(value); } | |
| 176 | |
| 177 void BlobWriter::WriteSize(size_t value) { | |
| 178 data_.push_back((value & 0xff000000) >> 24); | |
| 179 data_.push_back((value & 0xff0000) >> 16); | |
| 180 data_.push_back((value & 0xff00) >> 8); | |
| 181 data_.push_back(value & 0xff); | |
| 182 } | |
| 183 | |
| 184 void BlobWriter::WriteBlobWriter(const BlobWriter& value) { | |
| 185 WriteString(value.GetData()); | |
| 186 } | |
| 187 | |
| 188 void BlobWriter::WriteString(const std::string& value) { | |
| 189 WriteSize(value.length()); | |
| 190 data_.insert(data_.end(), value.begin(), value.end()); | |
| 191 } | |
| 192 | |
| 193 std::string BlobWriter::GetData() const { | |
| 194 return std::string(reinterpret_cast<const char*>(data_.data()), data_.size()); | |
| 195 } | |
| 196 | |
| 197 } // namespace | |
| 198 | |
| 199 bool GetJsonFromGnubbyRequest(const char* data, | |
| 200 int data_len, | |
| 201 std::string* json) { | |
| 202 json->empty(); | |
| 203 | |
| 204 BlobReader ssh_request(reinterpret_cast<const uint8_t*>(data), data_len); | |
| 205 scoped_ptr<BlobReader> blob; | |
| 206 if (!ssh_request.ReadBlobReader(&blob)) | |
| 207 return false; | |
| 208 | |
| 209 uint8_t cmd = 0; | |
| 210 uint8_t timeout = 0; | |
| 211 size_t request_count = 0; | |
| 212 bool result = blob->ReadByte(&cmd); | |
| 213 result = result && blob->ReadByte(&timeout); | |
| 214 result = result && blob->ReadSize(&request_count); | |
| 215 if (!result || cmd != kSsh2AgentcGnubbySignRequest) | |
| 216 return false; | |
| 217 | |
| 218 base::DictionaryValue request; | |
| 219 request.SetString("type", "sign_helper_request"); | |
| 220 request.SetInteger("timeout", timeout); | |
| 221 | |
| 222 base::ListValue* sign_requests = new base::ListValue(); | |
| 223 request.Set("signData", sign_requests); | |
| 224 | |
| 225 for (unsigned int i = 0; i < request_count; ++i) { | |
| 226 scoped_ptr<BlobReader> sign_request; | |
| 227 std::string version; | |
| 228 std::string challenge_hash; | |
| 229 std::string origin_hash; | |
| 230 std::string key_handle; | |
| 231 | |
| 232 result = result && blob->ReadBlobReader(&sign_request); | |
|
Sergey Ulanov
2014/02/14 07:31:59
nit: I think you can write this expression like th
psj
2014/02/15 00:01:34
Done.
| |
| 233 result = result && sign_request->ReadString(&version); | |
| 234 result = result && sign_request->ReadString(&challenge_hash); | |
| 235 result = result && sign_request->ReadString(&origin_hash); | |
| 236 result = result && sign_request->ReadString(&key_handle); | |
| 237 if (!result) | |
| 238 return false; | |
| 239 | |
| 240 std::string encoded_origin_hash; | |
| 241 std::string encoded_challenge_hash; | |
| 242 std::string encoded_key_handle; | |
| 243 | |
| 244 WebSafeBase64Encode(origin_hash, &encoded_origin_hash); | |
| 245 WebSafeBase64Encode(challenge_hash, &encoded_challenge_hash); | |
| 246 WebSafeBase64Encode(key_handle, &encoded_key_handle); | |
| 247 | |
| 248 base::DictionaryValue* request = new base::DictionaryValue(); | |
| 249 request->SetString("appIdHash", encoded_origin_hash); | |
| 250 request->SetString("challengeHash", encoded_challenge_hash); | |
| 251 request->SetString("keyHandle", encoded_key_handle); | |
| 252 request->SetString("version", version); | |
| 253 sign_requests->Append(request); | |
| 254 } | |
| 255 | |
| 256 base::JSONWriter::Write(&request, json); | |
| 257 return true; | |
| 258 } | |
| 259 | |
| 260 void GetGnubbyResponseFromJson(const std::string& json, std::string* data) { | |
| 261 data->erase(); | |
| 262 | |
| 263 scoped_ptr<base::Value> json_value(base::JSONReader::Read(json)); | |
| 264 base::DictionaryValue* reply; | |
| 265 if (json_value && json_value->GetAsDictionary(&reply)) { | |
| 266 BlobWriter response; | |
| 267 response.WriteByte(kSsh2AgentcGnubbySignResponse); | |
| 268 | |
| 269 int code; | |
| 270 if (reply->GetInteger("code", &code) && code == 0) { | |
| 271 response.WriteSize(code); | |
| 272 | |
| 273 std::string type; | |
| 274 if (!(reply->GetString("type", &type) && type == "sign_helper_reply")) { | |
| 275 LOG(ERROR) << "Invalid type"; | |
| 276 return; | |
| 277 } | |
| 278 | |
| 279 base::DictionaryValue* reply_data; | |
| 280 if (!reply->GetDictionary("responseData", &reply_data)) { | |
| 281 LOG(ERROR) << "Invalid response data"; | |
| 282 return; | |
| 283 } | |
| 284 | |
| 285 BlobWriter tmp; | |
| 286 std::string version; | |
| 287 if (reply_data->GetString("version", &version)) { | |
| 288 tmp.WriteString(version); | |
| 289 } else { | |
| 290 tmp.WriteSize(0); | |
| 291 } | |
| 292 | |
| 293 std::string challenge_hash; | |
| 294 if (!DecodeDataFromDictionary( | |
| 295 *reply_data, "challengeHash", &challenge_hash)) { | |
| 296 LOG(ERROR) << "Invalid challenge hash"; | |
| 297 return; | |
| 298 } | |
| 299 tmp.WriteString(challenge_hash); | |
| 300 | |
| 301 std::string app_id_hash; | |
| 302 if (!DecodeDataFromDictionary(*reply_data, "appIdHash", &app_id_hash)) { | |
| 303 LOG(ERROR) << "Invalid app id hash"; | |
| 304 return; | |
| 305 } | |
| 306 tmp.WriteString(app_id_hash); | |
| 307 | |
| 308 std::string key_handle; | |
| 309 if (!DecodeDataFromDictionary(*reply_data, "keyHandle", &key_handle)) { | |
| 310 LOG(ERROR) << "Invalid key handle"; | |
| 311 return; | |
| 312 } | |
| 313 tmp.WriteString(key_handle); | |
| 314 | |
| 315 std::string signature_data; | |
| 316 if (!DecodeDataFromDictionary( | |
| 317 *reply_data, "signatureData", &signature_data)) { | |
| 318 LOG(ERROR) << "Invalid signature data"; | |
| 319 return; | |
| 320 } | |
| 321 tmp.WriteString(signature_data); | |
| 322 | |
| 323 response.WriteBlobWriter(tmp); | |
| 324 } else { | |
| 325 response.WriteSize(kGnubbyResponseFail); | |
| 326 } | |
| 327 | |
| 328 BlobWriter ssh_response; | |
| 329 ssh_response.WriteBlobWriter(response); | |
| 330 data->assign(ssh_response.GetData()); | |
| 331 } else { | |
| 332 LOG(ERROR) << "Could not parse json: " << json; | |
| 333 } | |
| 334 } | |
| 335 | |
| 336 } // namespace remoting | |
| OLD | NEW |
