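--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -1,34 +1,37 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/protocol/ssl_hmac_channel_authenticator.h"
 
 #include <stdint.h>
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback_helpers.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "build/build_config.h"
 #include "crypto/secure_util.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
+#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/ct_policy_status.h"
+#include "net/cert/ct_verifier.h"
 #include "net/cert/x509_certificate.h"
 #include "net/http/transport_security_state.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/ssl_client_socket.h"
 #include "net/socket/ssl_server_socket.h"
 #include "net/ssl/ssl_config_service.h"
 #include "net/ssl/ssl_server_config.h"
 #include "remoting/base/rsa_key_pair.h"
 #include "remoting/protocol/auth_util.h"
 #include "remoting/protocol/p2p_stream_socket.h"
@@ -55,20 +58,59 @@
 net::CertVerifyResult* verify_result,
 const net::CompletionCallback& callback,
 std::unique_ptr<Request>* out_req,
 const net::BoundNetLog& net_log) override {
 verify_result->verified_cert = params.certificate();
 verify_result->cert_status = net::CERT_STATUS_INVALID;
 return net::ERR_CERT_INVALID;
 }
 };
 
+// A CTVerifier which ignores Certificate Transparency information.
+class IgnoresCTVerifier : public net::CTVerifier {
+public:
+IgnoresCTVerifier() = default;
+~IgnoresCTVerifier() override = default;
+
+int Verify(net::X509Certificate* cert,
+const std::string& stapled_ocsp_response,
+const std::string& sct_list_from_tls_extension,
+net::ct::CTVerifyResult* result,
+const net::BoundNetLog& net_log) override {
+return net::OK;
+}
+
+void SetObserver(Observer* observer) override {}
+};
+
+// A CTPolicyEnforcer that accepts all certificates.
+class IgnoresCTPolicyEnforcer : public net::CTPolicyEnforcer {
+public:
+IgnoresCTPolicyEnforcer() = default;
+~IgnoresCTPolicyEnforcer() override = default;
+
+net::ct::CertPolicyCompliance DoesConformToCertPolicy(
+net::X509Certificate* cert,
+const net::SCTList& verified_scts,
+const net::BoundNetLog& net_log) override {
+return net::ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS;
+}
+
+net::ct::EVPolicyCompliance DoesConformToCTEVPolicy(
+net::X509Certificate* cert,
+const net::ct::EVCertsWhitelist* ev_whitelist,
+const net::SCTList& verified_scts,
+const net::BoundNetLog& net_log) override {
+return net::ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
+}
+};
+
 // Implements net::StreamSocket interface on top of P2PStreamSocket to be passed
 // to net::SSLClientSocket and net::SSLServerSocket.
 class NetStreamSocketAdapter : public net::StreamSocket {
 public:
 NetStreamSocketAdapter(std::unique_ptr<P2PStreamSocket> socket)
 : socket_(std::move(socket)) {}
 ~NetStreamSocketAdapter() override {}
 
 int Read(net::IOBuffer* buf, int buf_len,
 const net::CompletionCallback& callback) override {
@@ -233,39 +275,43 @@
 base::WrapUnique(new NetStreamSocketAdapter(std::move(socket))));
 net::SSLServerSocket* raw_server_socket = server_socket.get();
 socket_ = std::move(server_socket);
 result = raw_server_socket->Handshake(
 base::Bind(&SslHmacChannelAuthenticator::OnConnected,
 base::Unretained(this)));
 #endif
 } else {
 transport_security_state_.reset(new net::TransportSecurityState);
 cert_verifier_.reset(new FailingCertVerifier);
+ct_verifier_.reset(new IgnoresCTVerifier);
+ct_policy_enforcer_.reset(new IgnoresCTPolicyEnforcer);
 
 net::SSLConfig::CertAndStatus cert_and_status;
 cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID;
 cert_and_status.der_cert = remote_cert_;
 
 net::SSLConfig ssl_config;
 // Certificate verification and revocation checking are not needed
 // because we use self-signed certs. Disable it so that the SSL
 // layer doesn't try to initialize OCSP (OCSP works only on the IO
 // thread).
 ssl_config.cert_io_enabled = false;
 ssl_config.rev_checking_enabled = false;
 ssl_config.allowed_bad_certs.push_back(cert_and_status);
 ssl_config.require_ecdhe = true;
 
 net::HostPortPair host_and_port(kSslFakeHostName, 0);
 net::SSLClientSocketContext context;
 context.transport_security_state = transport_security_state_.get();
 context.cert_verifier = cert_verifier_.get();
+context.cert_transparency_verifier = ct_verifier_.get();
+context.ct_policy_enforcer = ct_policy_enforcer_.get();
 std::unique_ptr<net::ClientSocketHandle> socket_handle(
 new net::ClientSocketHandle);
 socket_handle->SetSocket(
 base::WrapUnique(new NetStreamSocketAdapter(std::move(socket))));
 
 #if defined(OS_NACL)
 // net_nacl doesn't include ClientSocketFactory.
 socket_.reset(new net::SSLClientSocketImpl(
 std::move(socket_handle), host_and_port, ssl_config, context));
 #else
@@ -434,10 +480,10 @@
 std::move(socket_), std::move(server_context_))));
 }
 }
 
 void SslHmacChannelAuthenticator::NotifyError(int error) {
 base::ResetAndReturn(&done_callback_).Run(error, nullptr);
 }
 
 } // namespace protocol
 } // namespace remoting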
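Review bot: The new `context.cert_transparency_verifier = ct_verifier_.get();` and `context.ct_policy_enforcer = ct_policy_enforcer_.get();` lines give the SSL client socket raw pointers that it presumably retains for its lifetime, exactly as it does for `cert_verifier_`, so the two new members must outlive `socket_`; the header is not in this diff, so please confirm `ct_verifier_` and `ct_policy_enforcer_` are declared ahead of `socket_` (alongside `cert_verifier_` and `transport_security_state_`, which carry the same constraint) so member destruction order cannot leave the socket holding dangling pointers. The comments on `IgnoresCTVerifier` and `IgnoresCTPolicyEnforcer` say what the classes do but not why skipping Certificate Transparency is acceptable on this channel; I would extend the first with `// CT has no bearing on trust here: the peer must present remote_cert_, whitelisted via allowed_bad_certs, and FailingCertVerifier rejects every other certificate.` Likewise `return net::ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS;` reports compliance although no SCTs are checked, so a comment such as `// No SCTs are checked; compliance is claimed only so CT policy never affects this pinned channel.` would keep a future reader from taking the value at face value. The Connect-side function that builds `context` starts and ends outside the hunk.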