Chromium Code Reviews Chromium Code Reviews
Issue 16501002:
Give more request types a TransportSecurityState. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" | 5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "crypto/secure_util.h" | 9 #include "crypto/secure_util.h" |
| 10 #include "net/base/host_port_pair.h" | 10 #include "net/base/host_port_pair.h" |
| 11 #include "net/base/io_buffer.h" | 11 #include "net/base/io_buffer.h" |
| 12 #include "net/base/net_errors.h" | 12 #include "net/base/net_errors.h" |
| 13 #include "net/cert/cert_verifier.h" | 13 #include "net/cert/cert_verifier.h" |
| 14 #include "net/cert/x509_certificate.h" | 14 #include "net/cert/x509_certificate.h" |
| 15 #include "net/http/transport_security_state.h" | |
| 15 #include "net/socket/client_socket_factory.h" | 16 #include "net/socket/client_socket_factory.h" |
| 16 #include "net/socket/ssl_client_socket.h" | 17 #include "net/socket/ssl_client_socket.h" |
| 17 #include "net/socket/ssl_server_socket.h" | 18 #include "net/socket/ssl_server_socket.h" |
| 18 #include "net/ssl/ssl_config_service.h" | 19 #include "net/ssl/ssl_config_service.h" |
| 19 #include "remoting/base/rsa_key_pair.h" | 20 #include "remoting/base/rsa_key_pair.h" |
| 20 #include "remoting/protocol/auth_util.h" | 21 #include "remoting/protocol/auth_util.h" |
| 21 | 22 |
| 22 namespace remoting { | 23 namespace remoting { |
| 23 namespace protocol { | 24 namespace protocol { |
| 24 | 25 |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 76 net::CreateSSLServerSocket(socket.release(), | 77 net::CreateSSLServerSocket(socket.release(), |
| 77 cert.get(), | 78 cert.get(), |
| 78 local_key_pair_->private_key(), | 79 local_key_pair_->private_key(), |
| 79 ssl_config); | 80 ssl_config); |
| 80 socket_.reset(server_socket); | 81 socket_.reset(server_socket); |
| 81 | 82 |
| 82 result = server_socket->Handshake(base::Bind( | 83 result = server_socket->Handshake(base::Bind( |
| 83 &SslHmacChannelAuthenticator::OnConnected, base::Unretained(this))); | 84 &SslHmacChannelAuthenticator::OnConnected, base::Unretained(this))); |
| 84 } else { | 85 } else { |
| 85 cert_verifier_.reset(net::CertVerifier::CreateDefault()); | 86 cert_verifier_.reset(net::CertVerifier::CreateDefault()); |
| 87 transport_security_state_.reset(new net::TransportSecurityState); | |
| 86 | 88 |
| 87 net::SSLConfig::CertAndStatus cert_and_status; | 89 net::SSLConfig::CertAndStatus cert_and_status; |
| 88 cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID; | 90 cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID; |
| 89 cert_and_status.der_cert = remote_cert_; | 91 cert_and_status.der_cert = remote_cert_; |
| 90 | 92 |
| 91 net::SSLConfig ssl_config; | 93 net::SSLConfig ssl_config; |
| 92 // Certificate verification and revocation checking are not needed | 94 // Certificate verification and revocation checking are not needed |
| 93 // because we use self-signed certs. Disable it so that the SSL | 95 // because we use self-signed certs. Disable it so that the SSL |
| 94 // layer doesn't try to initialize OCSP (OCSP works only on the IO | 96 // layer doesn't try to initialize OCSP (OCSP works only on the IO |
| 95 // thread). | 97 // thread). |
| 96 ssl_config.cert_io_enabled = false; | 98 ssl_config.cert_io_enabled = false; |
| 97 ssl_config.rev_checking_enabled = false; | 99 ssl_config.rev_checking_enabled = false; |
| 98 ssl_config.allowed_bad_certs.push_back(cert_and_status); | 100 ssl_config.allowed_bad_certs.push_back(cert_and_status); |
| 99 | 101 |
| 100 net::HostPortPair host_and_port(kSslFakeHostName, 0); | 102 net::HostPortPair host_and_port(kSslFakeHostName, 0); |
| 101 net::SSLClientSocketContext context; | 103 net::SSLClientSocketContext context; |
| 102 context.cert_verifier = cert_verifier_.get(); | 104 context.cert_verifier = cert_verifier_.get(); |
| 105 context.transport_security_state = transport_security_state_.get(); | |
|
Sergey Ulanov
2013/06/11 19:32:29
Do we really need to set it here? Chromoting alway
| |
| 103 socket_.reset( | 106 socket_.reset( |
| 104 net::ClientSocketFactory::GetDefaultFactory()->CreateSSLClientSocket( | 107 net::ClientSocketFactory::GetDefaultFactory()->CreateSSLClientSocket( |
| 105 socket.release(), host_and_port, ssl_config, context)); | 108 socket.release(), host_and_port, ssl_config, context)); |
| 106 | 109 |
| 107 result = socket_->Connect( | 110 result = socket_->Connect( |
| 108 base::Bind(&SslHmacChannelAuthenticator::OnConnected, | 111 base::Bind(&SslHmacChannelAuthenticator::OnConnected, |
| 109 base::Unretained(this))); | 112 base::Unretained(this))); |
| 110 } | 113 } |
| 111 | 114 |
| 112 if (result == net::ERR_IO_PENDING) | 115 if (result == net::ERR_IO_PENDING) |
| (...skipping 148 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 261 } | 264 } |
| 262 } | 265 } |
| 263 | 266 |
| 264 void SslHmacChannelAuthenticator::NotifyError(int error) { | 267 void SslHmacChannelAuthenticator::NotifyError(int error) { |
| 265 done_callback_.Run(static_cast<net::Error>(error), | 268 done_callback_.Run(static_cast<net::Error>(error), |
| 266 scoped_ptr<net::StreamSocket>(NULL)); | 269 scoped_ptr<net::StreamSocket>(NULL)); |
| 267 } | 270 } |
| 268 | 271 |
| 269 } // namespace protocol | 272 } // namespace protocol |
| 270 } // namespace remoting | 273 } // namespace remoting |
| OLD | NEW |
