OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" | 5 #include "remoting/protocol/ssl_hmac_channel_authenticator.h" |
6 | 6 |
7 #include <stdint.h> | 7 #include <stdint.h> |
8 | 8 |
9 #include <utility> | 9 #include <utility> |
10 | 10 |
11 #include "base/bind.h" | 11 #include "base/bind.h" |
12 #include "base/bind_helpers.h" | 12 #include "base/bind_helpers.h" |
13 #include "base/callback_helpers.h" | 13 #include "base/callback_helpers.h" |
14 #include "base/logging.h" | 14 #include "base/logging.h" |
| 15 #include "base/memory/ptr_util.h" |
15 #include "build/build_config.h" | 16 #include "build/build_config.h" |
16 #include "crypto/secure_util.h" | 17 #include "crypto/secure_util.h" |
17 #include "net/base/host_port_pair.h" | 18 #include "net/base/host_port_pair.h" |
18 #include "net/base/io_buffer.h" | 19 #include "net/base/io_buffer.h" |
19 #include "net/base/net_errors.h" | 20 #include "net/base/net_errors.h" |
20 #include "net/cert/cert_status_flags.h" | 21 #include "net/cert/cert_status_flags.h" |
21 #include "net/cert/cert_verifier.h" | 22 #include "net/cert/cert_verifier.h" |
22 #include "net/cert/cert_verify_result.h" | 23 #include "net/cert/cert_verify_result.h" |
23 #include "net/cert/x509_certificate.h" | 24 #include "net/cert/x509_certificate.h" |
24 #include "net/http/transport_security_state.h" | 25 #include "net/http/transport_security_state.h" |
(...skipping 23 matching lines...) Expand all Loading... |
48 FailingCertVerifier() {} | 49 FailingCertVerifier() {} |
49 ~FailingCertVerifier() override {} | 50 ~FailingCertVerifier() override {} |
50 | 51 |
51 int Verify(net::X509Certificate* cert, | 52 int Verify(net::X509Certificate* cert, |
52 const std::string& hostname, | 53 const std::string& hostname, |
53 const std::string& ocsp_response, | 54 const std::string& ocsp_response, |
54 int flags, | 55 int flags, |
55 net::CRLSet* crl_set, | 56 net::CRLSet* crl_set, |
56 net::CertVerifyResult* verify_result, | 57 net::CertVerifyResult* verify_result, |
57 const net::CompletionCallback& callback, | 58 const net::CompletionCallback& callback, |
58 scoped_ptr<Request>* out_req, | 59 std::unique_ptr<Request>* out_req, |
59 const net::BoundNetLog& net_log) override { | 60 const net::BoundNetLog& net_log) override { |
60 verify_result->verified_cert = cert; | 61 verify_result->verified_cert = cert; |
61 verify_result->cert_status = net::CERT_STATUS_INVALID; | 62 verify_result->cert_status = net::CERT_STATUS_INVALID; |
62 return net::ERR_CERT_INVALID; | 63 return net::ERR_CERT_INVALID; |
63 } | 64 } |
64 }; | 65 }; |
65 | 66 |
66 // Implements net::StreamSocket interface on top of P2PStreamSocket to be passed | 67 // Implements net::StreamSocket interface on top of P2PStreamSocket to be passed |
67 // to net::SSLClientSocket and net::SSLServerSocket. | 68 // to net::SSLClientSocket and net::SSLServerSocket. |
68 class NetStreamSocketAdapter : public net::StreamSocket { | 69 class NetStreamSocketAdapter : public net::StreamSocket { |
69 public: | 70 public: |
70 NetStreamSocketAdapter(scoped_ptr<P2PStreamSocket> socket) | 71 NetStreamSocketAdapter(std::unique_ptr<P2PStreamSocket> socket) |
71 : socket_(std::move(socket)) {} | 72 : socket_(std::move(socket)) {} |
72 ~NetStreamSocketAdapter() override {} | 73 ~NetStreamSocketAdapter() override {} |
73 | 74 |
74 int Read(net::IOBuffer* buf, int buf_len, | 75 int Read(net::IOBuffer* buf, int buf_len, |
75 const net::CompletionCallback& callback) override { | 76 const net::CompletionCallback& callback) override { |
76 return socket_->Read(buf, buf_len, callback); | 77 return socket_->Read(buf, buf_len, callback); |
77 } | 78 } |
78 int Write(net::IOBuffer* buf, int buf_len, | 79 int Write(net::IOBuffer* buf, int buf_len, |
79 const net::CompletionCallback& callback) override { | 80 const net::CompletionCallback& callback) override { |
80 return socket_->Write(buf, buf_len, callback); | 81 return socket_->Write(buf, buf_len, callback); |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
133 void ClearConnectionAttempts() override { NOTREACHED(); } | 134 void ClearConnectionAttempts() override { NOTREACHED(); } |
134 void AddConnectionAttempts(const net::ConnectionAttempts& attempts) override { | 135 void AddConnectionAttempts(const net::ConnectionAttempts& attempts) override { |
135 NOTREACHED(); | 136 NOTREACHED(); |
136 } | 137 } |
137 int64_t GetTotalReceivedBytes() const override { | 138 int64_t GetTotalReceivedBytes() const override { |
138 NOTIMPLEMENTED(); | 139 NOTIMPLEMENTED(); |
139 return 0; | 140 return 0; |
140 } | 141 } |
141 | 142 |
142 private: | 143 private: |
143 scoped_ptr<P2PStreamSocket> socket_; | 144 std::unique_ptr<P2PStreamSocket> socket_; |
144 net::BoundNetLog net_log_; | 145 net::BoundNetLog net_log_; |
145 }; | 146 }; |
146 | 147 |
147 // Implements P2PStreamSocket interface on top of net::StreamSocket. | 148 // Implements P2PStreamSocket interface on top of net::StreamSocket. |
148 class P2PStreamSocketAdapter : public P2PStreamSocket { | 149 class P2PStreamSocketAdapter : public P2PStreamSocket { |
149 public: | 150 public: |
150 P2PStreamSocketAdapter(scoped_ptr<net::StreamSocket> socket, | 151 P2PStreamSocketAdapter(std::unique_ptr<net::StreamSocket> socket, |
151 scoped_ptr<net::SSLServerContext> server_context) | 152 std::unique_ptr<net::SSLServerContext> server_context) |
152 : server_context_(std::move(server_context)), | 153 : server_context_(std::move(server_context)), |
153 socket_(std::move(socket)) {} | 154 socket_(std::move(socket)) {} |
154 ~P2PStreamSocketAdapter() override {} | 155 ~P2PStreamSocketAdapter() override {} |
155 | 156 |
156 int Read(const scoped_refptr<net::IOBuffer>& buf, int buf_len, | 157 int Read(const scoped_refptr<net::IOBuffer>& buf, int buf_len, |
157 const net::CompletionCallback& callback) override { | 158 const net::CompletionCallback& callback) override { |
158 return socket_->Read(buf.get(), buf_len, callback); | 159 return socket_->Read(buf.get(), buf_len, callback); |
159 } | 160 } |
160 int Write(const scoped_refptr<net::IOBuffer>& buf, int buf_len, | 161 int Write(const scoped_refptr<net::IOBuffer>& buf, int buf_len, |
161 const net::CompletionCallback& callback) override { | 162 const net::CompletionCallback& callback) override { |
162 return socket_->Write(buf.get(), buf_len, callback); | 163 return socket_->Write(buf.get(), buf_len, callback); |
163 } | 164 } |
164 | 165 |
165 private: | 166 private: |
166 // The server_context_ will be a nullptr for client sockets. | 167 // The server_context_ will be a nullptr for client sockets. |
167 // The server_context_ must outlive any sockets it spawns. | 168 // The server_context_ must outlive any sockets it spawns. |
168 scoped_ptr<net::SSLServerContext> server_context_; | 169 std::unique_ptr<net::SSLServerContext> server_context_; |
169 scoped_ptr<net::StreamSocket> socket_; | 170 std::unique_ptr<net::StreamSocket> socket_; |
170 }; | 171 }; |
171 | 172 |
172 } // namespace | 173 } // namespace |
173 | 174 |
174 // static | 175 // static |
175 scoped_ptr<SslHmacChannelAuthenticator> | 176 std::unique_ptr<SslHmacChannelAuthenticator> |
176 SslHmacChannelAuthenticator::CreateForClient( | 177 SslHmacChannelAuthenticator::CreateForClient(const std::string& remote_cert, |
177 const std::string& remote_cert, | 178 const std::string& auth_key) { |
178 const std::string& auth_key) { | 179 std::unique_ptr<SslHmacChannelAuthenticator> result( |
179 scoped_ptr<SslHmacChannelAuthenticator> result( | |
180 new SslHmacChannelAuthenticator(auth_key)); | 180 new SslHmacChannelAuthenticator(auth_key)); |
181 result->remote_cert_ = remote_cert; | 181 result->remote_cert_ = remote_cert; |
182 return result; | 182 return result; |
183 } | 183 } |
184 | 184 |
185 scoped_ptr<SslHmacChannelAuthenticator> | 185 std::unique_ptr<SslHmacChannelAuthenticator> |
186 SslHmacChannelAuthenticator::CreateForHost( | 186 SslHmacChannelAuthenticator::CreateForHost(const std::string& local_cert, |
187 const std::string& local_cert, | 187 scoped_refptr<RsaKeyPair> key_pair, |
188 scoped_refptr<RsaKeyPair> key_pair, | 188 const std::string& auth_key) { |
189 const std::string& auth_key) { | 189 std::unique_ptr<SslHmacChannelAuthenticator> result( |
190 scoped_ptr<SslHmacChannelAuthenticator> result( | |
191 new SslHmacChannelAuthenticator(auth_key)); | 190 new SslHmacChannelAuthenticator(auth_key)); |
192 result->local_cert_ = local_cert; | 191 result->local_cert_ = local_cert; |
193 result->local_key_pair_ = key_pair; | 192 result->local_key_pair_ = key_pair; |
194 return result; | 193 return result; |
195 } | 194 } |
196 | 195 |
197 SslHmacChannelAuthenticator::SslHmacChannelAuthenticator( | 196 SslHmacChannelAuthenticator::SslHmacChannelAuthenticator( |
198 const std::string& auth_key) | 197 const std::string& auth_key) |
199 : auth_key_(auth_key) { | 198 : auth_key_(auth_key) { |
200 } | 199 } |
201 | 200 |
202 SslHmacChannelAuthenticator::~SslHmacChannelAuthenticator() { | 201 SslHmacChannelAuthenticator::~SslHmacChannelAuthenticator() { |
203 } | 202 } |
204 | 203 |
205 void SslHmacChannelAuthenticator::SecureAndAuthenticate( | 204 void SslHmacChannelAuthenticator::SecureAndAuthenticate( |
206 scoped_ptr<P2PStreamSocket> socket, | 205 std::unique_ptr<P2PStreamSocket> socket, |
207 const DoneCallback& done_callback) { | 206 const DoneCallback& done_callback) { |
208 DCHECK(CalledOnValidThread()); | 207 DCHECK(CalledOnValidThread()); |
209 | 208 |
210 done_callback_ = done_callback; | 209 done_callback_ = done_callback; |
211 | 210 |
212 int result; | 211 int result; |
213 if (is_ssl_server()) { | 212 if (is_ssl_server()) { |
214 #if defined(OS_NACL) | 213 #if defined(OS_NACL) |
215 // Client plugin doesn't use server SSL sockets, and so SSLServerSocket | 214 // Client plugin doesn't use server SSL sockets, and so SSLServerSocket |
216 // implementation is not compiled for NaCl as part of net_nacl. | 215 // implementation is not compiled for NaCl as part of net_nacl. |
217 NOTREACHED(); | 216 NOTREACHED(); |
218 result = net::ERR_FAILED; | 217 result = net::ERR_FAILED; |
219 #else | 218 #else |
220 scoped_refptr<net::X509Certificate> cert = | 219 scoped_refptr<net::X509Certificate> cert = |
221 net::X509Certificate::CreateFromBytes(local_cert_.data(), | 220 net::X509Certificate::CreateFromBytes(local_cert_.data(), |
222 local_cert_.length()); | 221 local_cert_.length()); |
223 if (!cert.get()) { | 222 if (!cert.get()) { |
224 LOG(ERROR) << "Failed to parse X509Certificate"; | 223 LOG(ERROR) << "Failed to parse X509Certificate"; |
225 NotifyError(net::ERR_FAILED); | 224 NotifyError(net::ERR_FAILED); |
226 return; | 225 return; |
227 } | 226 } |
228 | 227 |
229 net::SSLServerConfig ssl_config; | 228 net::SSLServerConfig ssl_config; |
230 ssl_config.require_ecdhe = true; | 229 ssl_config.require_ecdhe = true; |
231 | 230 |
232 server_context_ = net::CreateSSLServerContext( | 231 server_context_ = net::CreateSSLServerContext( |
233 cert.get(), *local_key_pair_->private_key(), ssl_config); | 232 cert.get(), *local_key_pair_->private_key(), ssl_config); |
234 | 233 |
235 scoped_ptr<net::SSLServerSocket> server_socket = | 234 std::unique_ptr<net::SSLServerSocket> server_socket = |
236 server_context_->CreateSSLServerSocket( | 235 server_context_->CreateSSLServerSocket( |
237 make_scoped_ptr(new NetStreamSocketAdapter(std::move(socket)))); | 236 base::WrapUnique(new NetStreamSocketAdapter(std::move(socket)))); |
238 net::SSLServerSocket* raw_server_socket = server_socket.get(); | 237 net::SSLServerSocket* raw_server_socket = server_socket.get(); |
239 socket_ = std::move(server_socket); | 238 socket_ = std::move(server_socket); |
240 result = raw_server_socket->Handshake( | 239 result = raw_server_socket->Handshake( |
241 base::Bind(&SslHmacChannelAuthenticator::OnConnected, | 240 base::Bind(&SslHmacChannelAuthenticator::OnConnected, |
242 base::Unretained(this))); | 241 base::Unretained(this))); |
243 #endif | 242 #endif |
244 } else { | 243 } else { |
245 transport_security_state_.reset(new net::TransportSecurityState); | 244 transport_security_state_.reset(new net::TransportSecurityState); |
246 cert_verifier_.reset(new FailingCertVerifier); | 245 cert_verifier_.reset(new FailingCertVerifier); |
247 | 246 |
248 net::SSLConfig::CertAndStatus cert_and_status; | 247 net::SSLConfig::CertAndStatus cert_and_status; |
249 cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID; | 248 cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID; |
250 cert_and_status.der_cert = remote_cert_; | 249 cert_and_status.der_cert = remote_cert_; |
251 | 250 |
252 net::SSLConfig ssl_config; | 251 net::SSLConfig ssl_config; |
253 // Certificate verification and revocation checking are not needed | 252 // Certificate verification and revocation checking are not needed |
254 // because we use self-signed certs. Disable it so that the SSL | 253 // because we use self-signed certs. Disable it so that the SSL |
255 // layer doesn't try to initialize OCSP (OCSP works only on the IO | 254 // layer doesn't try to initialize OCSP (OCSP works only on the IO |
256 // thread). | 255 // thread). |
257 ssl_config.cert_io_enabled = false; | 256 ssl_config.cert_io_enabled = false; |
258 ssl_config.rev_checking_enabled = false; | 257 ssl_config.rev_checking_enabled = false; |
259 ssl_config.allowed_bad_certs.push_back(cert_and_status); | 258 ssl_config.allowed_bad_certs.push_back(cert_and_status); |
260 ssl_config.require_ecdhe = true; | 259 ssl_config.require_ecdhe = true; |
261 | 260 |
262 net::HostPortPair host_and_port(kSslFakeHostName, 0); | 261 net::HostPortPair host_and_port(kSslFakeHostName, 0); |
263 net::SSLClientSocketContext context; | 262 net::SSLClientSocketContext context; |
264 context.transport_security_state = transport_security_state_.get(); | 263 context.transport_security_state = transport_security_state_.get(); |
265 context.cert_verifier = cert_verifier_.get(); | 264 context.cert_verifier = cert_verifier_.get(); |
266 scoped_ptr<net::ClientSocketHandle> socket_handle( | 265 std::unique_ptr<net::ClientSocketHandle> socket_handle( |
267 new net::ClientSocketHandle); | 266 new net::ClientSocketHandle); |
268 socket_handle->SetSocket( | 267 socket_handle->SetSocket( |
269 make_scoped_ptr(new NetStreamSocketAdapter(std::move(socket)))); | 268 base::WrapUnique(new NetStreamSocketAdapter(std::move(socket)))); |
270 | 269 |
271 #if defined(OS_NACL) | 270 #if defined(OS_NACL) |
272 // net_nacl doesn't include ClientSocketFactory. | 271 // net_nacl doesn't include ClientSocketFactory. |
273 socket_.reset(new net::SSLClientSocketOpenSSL( | 272 socket_.reset(new net::SSLClientSocketOpenSSL( |
274 std::move(socket_handle), host_and_port, ssl_config, context)); | 273 std::move(socket_handle), host_and_port, ssl_config, context)); |
275 #else | 274 #else |
276 socket_ = | 275 socket_ = |
277 net::ClientSocketFactory::GetDefaultFactory()->CreateSSLClientSocket( | 276 net::ClientSocketFactory::GetDefaultFactory()->CreateSSLClientSocket( |
278 std::move(socket_handle), host_and_port, ssl_config, context); | 277 std::move(socket_handle), host_and_port, ssl_config, context); |
279 #endif | 278 #endif |
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
427 &(auth_bytes[0]), kAuthDigestLength); | 426 &(auth_bytes[0]), kAuthDigestLength); |
428 } | 427 } |
429 | 428 |
430 void SslHmacChannelAuthenticator::CheckDone(bool* callback_called) { | 429 void SslHmacChannelAuthenticator::CheckDone(bool* callback_called) { |
431 if (auth_write_buf_.get() == nullptr && auth_read_buf_.get() == nullptr) { | 430 if (auth_write_buf_.get() == nullptr && auth_read_buf_.get() == nullptr) { |
432 DCHECK(socket_.get() != nullptr); | 431 DCHECK(socket_.get() != nullptr); |
433 if (callback_called) | 432 if (callback_called) |
434 *callback_called = true; | 433 *callback_called = true; |
435 | 434 |
436 base::ResetAndReturn(&done_callback_) | 435 base::ResetAndReturn(&done_callback_) |
437 .Run(net::OK, make_scoped_ptr(new P2PStreamSocketAdapter( | 436 .Run(net::OK, base::WrapUnique(new P2PStreamSocketAdapter( |
438 std::move(socket_), std::move(server_context_)))); | 437 std::move(socket_), std::move(server_context_)))); |
439 } | 438 } |
440 } | 439 } |
441 | 440 |
442 void SslHmacChannelAuthenticator::NotifyError(int error) { | 441 void SslHmacChannelAuthenticator::NotifyError(int error) { |
443 base::ResetAndReturn(&done_callback_).Run(error, nullptr); | 442 base::ResetAndReturn(&done_callback_).Run(error, nullptr); |
444 } | 443 } |
445 | 444 |
446 } // namespace protocol | 445 } // namespace protocol |
447 } // namespace remoting | 446 } // namespace remoting |
OLD | NEW |