Adding TLS support to the TCP Client sockets.

content/browser/renderer_host/p2p/socket_host_tcp.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/p2p/socket_host_tcp.h"
 
 #include "base/sys_byteorder.h"
 #include "content/common/p2p_messages.h"
 #include "ipc/ipc_sender.h"
 #include "jingle/glue/fake_ssl_client_socket.h"
 #include "jingle/glue/proxy_resolving_client_socket.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
+#include "net/socket/client_socket_factory.h"
+#include "net/socket/client_socket_handle.h"
+#include "net/socket/ssl_client_socket.h"
 #include "net/socket/tcp_client_socket.h"
+#include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_getter.h"
 
 namespace {
 
 typedef uint16 PacketLength;
 const int kPacketHeaderSize = sizeof(PacketLength);
 const int kReadBufferSize = 4096;
 const int kPacketLengthOffset = 2;
 const int kTurnChannelDataHeaderSize = 4;
 
-bool IsSslClientSocket(content::P2PSocketType type) {
+bool IsTlsClientSocket(content::P2PSocketType type) {
+  return (type == content::P2P_SOCKET_STUN_TLS_CLIENT ||
+          type == content::P2P_SOCKET_TLS_CLIENT);
+}
+
+bool IsPseudoTlsClientSocket(content::P2PSocketType type) {
   return (type == content::P2P_SOCKET_SSLTCP_CLIENT ||
           type == content::P2P_SOCKET_STUN_SSLTCP_CLIENT);
 }
 
 }  // namespace
 
 namespace content {
 
 P2PSocketHostTcpBase::P2PSocketHostTcpBase(
     IPC::Sender* message_sender, int id,
@@ skipping 38 matching lines @@
   // find a way to inject this into ProxyResolvingClientSocket. This could be
   // a problem on multi-homed host.
 
   // The default SSLConfig is good enough for us for now.
   const net::SSLConfig ssl_config;
   socket_.reset(new jingle_glue::ProxyResolvingClientSocket(
                     NULL,     // Default socket pool provided by the net::Proxy.
                     url_context_,
                     ssl_config,
                     dest_host_port_pair));
-  if (IsSslClientSocket(type_)) {
-    socket_.reset(new jingle_glue::FakeSSLClientSocket(socket_.release()));
-  }
 
   int status = socket_->Connect(
       base::Bind(&P2PSocketHostTcpBase::OnConnected,
                  base::Unretained(this)));
   if (status != net::ERR_IO_PENDING) {
     // We defer execution of ProcessConnectDone instead of calling it
     // directly here as the caller may not expect an error/close to
     // happen here.  This is okay, as from the caller's point of view,
     // the connect always happens asynchronously.
     base::MessageLoop* message_loop = base::MessageLoop::current();
     CHECK(message_loop);
     message_loop->PostTask(
         FROM_HERE,
         base::Bind(&P2PSocketHostTcpBase::OnConnected,
                    base::Unretained(this), status));
   }
 
   return state_ != STATE_ERROR;
 }
 
 void P2PSocketHostTcpBase::OnError() {
   socket_.reset();
 
   if (state_ == STATE_UNINITIALIZED || state_ == STATE_CONNECTING ||
-      state_ == STATE_OPEN) {
+      state_ == STATE_TLS_CONNECTING || state_ == STATE_OPEN) {
     message_sender_->Send(new P2PMsg_OnError(id_));
   }
 
   state_ = STATE_ERROR;
 }
 
 void P2PSocketHostTcpBase::OnConnected(int result) {
   DCHECK_EQ(state_, STATE_CONNECTING);
   DCHECK_NE(result, net::ERR_IO_PENDING);
 
   if (result != net::OK) {
     OnError();
     return;
   }
 
+  if (IsTlsClientSocket(type_)) {
+    state_ = STATE_TLS_CONNECTING;
+    return StartTls();
+  } else if (IsPseudoTlsClientSocket(type_)) {
+    socket_.reset(new jingle_glue::FakeSSLClientSocket(socket_.release()));
+  }
+
+  // If we are not doing TLS, we are ready to send data now.
+  // In case of TLS, SignalConnect will be sent only after TLS handshake is
+  // successfull. So no buffering will be done at socket handlers if any
+  // packets sent before that by the application.
+  state_ = STATE_OPEN;
+
+  DoSendSocketCreateMsg();
+  DoRead();
+}
+
+void P2PSocketHostTcpBase::StartTls() {
+  if (state_ != STATE_TLS_CONNECTING) {
+    LOG(DFATAL) << "StartTls() called in wrong state";
+    return;
+  }
+
+  DCHECK(socket_.get());
+
+  scoped_ptr<net::ClientSocketHandle> socket_handle(
+      new net::ClientSocketHandle());
+  socket_handle->set_socket(socket_.release());
+
+  net::SSLClientSocketContext context;
+  context.cert_verifier = url_context_->GetURLRequestContext()->cert_verifier();
+  context.transport_security_state =
+      url_context_->GetURLRequestContext()->transport_security_state();
+  DCHECK(context.transport_security_state);
+
+  // Default ssl config.
+  const net::SSLConfig ssl_config;
+  net::HostPortPair dest_host_port_pair =
+      net::HostPortPair::FromIPEndPoint(remote_address_);
+  net::ClientSocketFactory* socket_factory =
+      net::ClientSocketFactory::GetDefaultFactory();
+  DCHECK(socket_factory);
+
+  socket_.reset(socket_factory->CreateSSLClientSocket(

[juberti2, 2013/08/08 22:16:06]

This looks like we throw away the open socket and create a new SSL socket, which
seems wrong. We should create the appropriate type of socket in the beginning.

[Mallinath (Gone from Chromium), 2013/08/08 22:25:59]

I don't think we are throwing away the open socket. It's passed into
socket_handle(line 161). CreateSSLClientSocket takes ClientSocketHandle as
input.
 
On 2013/08/08 22:16:06, juberti2 wrote:

+      socket_handle.release(), dest_host_port_pair, ssl_config, context));
+  int status = socket_->Connect(
+      base::Bind(&P2PSocketHostTcpBase::ProcessTlsConnectDone,
+                 base::Unretained(this)));
+  if (status != net::ERR_IO_PENDING) {
+    base::MessageLoop* message_loop = base::MessageLoop::current();
+    CHECK(message_loop);
+    message_loop->PostTask(
+        FROM_HERE,
+        base::Bind(&P2PSocketHostTcpBase::ProcessTlsConnectDone,
+                   base::Unretained(this), status));
+  }
+  return;
+}
+
+void P2PSocketHostTcpBase::ProcessTlsConnectDone(int status) {
+  DCHECK_NE(status, net::ERR_IO_PENDING);
+  DCHECK_EQ(state_, STATE_TLS_CONNECTING);
+  if (status != net::OK) {
+    OnError();
+    return;
+  }
+
+  state_ = STATE_OPEN;
+
+  DoSendSocketCreateMsg();
+  DoRead();
+}
+
+void P2PSocketHostTcpBase::DoSendSocketCreateMsg() {
+  DCHECK(socket_.get());
+
   net::IPEndPoint address;
-  result = socket_->GetLocalAddress(&address);
+  int result = socket_->GetLocalAddress(&address);
   if (result < 0) {
-    LOG(ERROR) << "P2PSocket::Init(): unable to get local address: "
-               << result;
+    LOG(ERROR) << "P2PSocketHostTcpBase::OnConnected: unable to get local"
+               << " address: " << result;
     OnError();
     return;
   }
 
   VLOG(1) << "Local address: " << address.ToString();
-  state_ = STATE_OPEN;
+
+  // If we are not doing TLS, we are ready to send data now.
+  // In case of TLS SignalConnect will be sent only after TLS handshake is
+  // successfull. So no buffering will be done at socket handlers if any
+  // packets sent before that by the application.
   message_sender_->Send(new P2PMsg_OnSocketCreated(id_, address));
-  DoRead();
 }
 
 void P2PSocketHostTcpBase::DoRead() {
   int result;
   do {
     if (!read_buffer_.get()) {
       read_buffer_ = new net::GrowableIOBuffer();
       read_buffer_->SetCapacity(kReadBufferSize);
     } else if (read_buffer_->RemainingCapacity() < kReadBufferSize) {
       // Make sure that we always have at least kReadBufferSize of
@@ skipping 274 matching lines @@
   } else {
     packet_size += kTurnChannelDataHeaderSize;
     // Calculate any padding if present.
     if (packet_size % 4)
       *pad_bytes = 4 - packet_size % 4;
   }
   return packet_size;
 }
 
 }  // namespace content