OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "extensions/browser/api/socket/tls_socket.h" | |
6 | |
7 #include "base/callback_helpers.h" | |
8 #include "base/logging.h" | |
9 #include "extensions/browser/api/api_resource.h" | |
10 #include "net/base/address_list.h" | |
11 #include "net/base/ip_endpoint.h" | |
12 #include "net/base/net_errors.h" | |
13 #include "net/base/rand_callback.h" | |
14 #include "net/socket/client_socket_factory.h" | |
15 #include "net/socket/client_socket_handle.h" | |
16 #include "net/socket/ssl_client_socket.h" | |
17 #include "net/socket/tcp_client_socket.h" | |
18 #include "url/url_canon.h" | |
19 | |
20 namespace { | |
21 | |
22 // Returns the SSL protocol version (as a uint16) represented by a string. | |
23 // Returns 0 if the string is invalid. | |
24 uint16 SSLProtocolVersionFromString(const std::string& version_str) { | |
25 uint16 version = 0; // Invalid. | |
26 if (version_str == "ssl3") { | |
27 version = net::SSL_PROTOCOL_VERSION_SSL3; | |
28 } else if (version_str == "tls1") { | |
29 version = net::SSL_PROTOCOL_VERSION_TLS1; | |
30 } else if (version_str == "tls1.1") { | |
31 version = net::SSL_PROTOCOL_VERSION_TLS1_1; | |
32 } else if (version_str == "tls1.2") { | |
33 version = net::SSL_PROTOCOL_VERSION_TLS1_2; | |
34 } | |
35 return version; | |
36 } | |
37 | |
38 void TlsConnectDone(scoped_ptr<net::SSLClientSocket> ssl_socket, | |
39 const std::string& extension_id, | |
40 const extensions::TLSSocket::SecureCallback& callback, | |
41 int result) { | |
42 DVLOG(1) << "Got back result " << result << " " << net::ErrorToString(result); | |
43 | |
44 // No matter how the TLS connection attempt went, the underlying socket's | |
45 // no longer bound to the original TCPSocket. It belongs to |ssl_socket|, | |
46 // which is promoted here to a new API-accessible socket (via a TLSSocket | |
47 // wrapper), or deleted. | |
48 if (result != net::OK) { | |
49 callback.Run(scoped_ptr<extensions::TLSSocket>(), result); | |
50 return; | |
51 }; | |
52 | |
53 // Wrap the StreamSocket in a TLSSocket, which matches the extension socket | |
54 // API. Set the handle of the socket to the new value, so that it can be | |
55 // used for read/write/close/etc. | |
56 scoped_ptr<extensions::TLSSocket> wrapper(new extensions::TLSSocket( | |
57 ssl_socket.PassAs<net::StreamSocket>(), extension_id)); | |
58 | |
59 // Caller will end up deleting the prior TCPSocket, once it calls | |
60 // SetSocket(..,wrapper). | |
61 callback.Run(wrapper.Pass(), result); | |
62 } | |
63 | |
64 } // namespace | |
65 | |
66 namespace extensions { | |
67 | |
68 const char kTLSSocketTypeInvalidError[] = | |
69 "Cannot listen on a socket that is already connected."; | |
70 | |
71 TLSSocket::TLSSocket(scoped_ptr<net::StreamSocket> tls_socket, | |
72 const std::string& owner_extension_id) | |
73 : ResumableTCPSocket(owner_extension_id), tls_socket_(tls_socket.Pass()) { | |
74 } | |
75 | |
76 TLSSocket::~TLSSocket() { | |
77 Disconnect(); | |
78 } | |
79 | |
80 void TLSSocket::Connect(const std::string& address, | |
81 int port, | |
82 const CompletionCallback& callback) { | |
83 callback.Run(net::ERR_CONNECTION_FAILED); | |
84 } | |
85 | |
86 void TLSSocket::Disconnect() { | |
87 if (tls_socket_) { | |
88 tls_socket_->Disconnect(); | |
89 tls_socket_.reset(); | |
90 } | |
91 } | |
92 | |
93 void TLSSocket::Read(int count, const ReadCompletionCallback& callback) { | |
94 DCHECK(!callback.is_null()); | |
95 | |
96 if (!read_callback_.is_null()) { | |
97 callback.Run(net::ERR_IO_PENDING, NULL); | |
98 return; | |
99 } | |
100 | |
101 if (count <= 0) { | |
102 callback.Run(net::ERR_INVALID_ARGUMENT, NULL); | |
103 return; | |
104 } | |
105 | |
106 if (!tls_socket_.get() || !IsConnected()) { | |
107 callback.Run(net::ERR_SOCKET_NOT_CONNECTED, NULL); | |
108 return; | |
109 } | |
110 | |
111 read_callback_ = callback; | |
112 scoped_refptr<net::IOBuffer> io_buffer(new net::IOBuffer(count)); | |
113 int result = tls_socket_->Read( | |
114 io_buffer.get(), | |
115 count, | |
116 base::Bind( | |
117 &TLSSocket::OnReadComplete, base::Unretained(this), io_buffer)); | |
Marijn Kruisselbrink
2014/07/24 22:44:08
I'm probably missing something, since the normal T
rpaquay
2014/07/24 23:06:13
My understanding is
1) At lower level, the actual
Marijn Kruisselbrink
2014/07/24 23:17:42
Ah yes, digging deeper through several more layers
Ryan Sleevi
2014/07/25 00:31:00
It is documented - https://code.google.com/p/chrom
lally
2014/07/26 15:25:17
Done.
| |
118 | |
119 if (result != net::ERR_IO_PENDING) { | |
120 OnReadComplete(io_buffer, result); | |
121 } | |
122 } | |
123 | |
124 void TLSSocket::OnReadComplete(const scoped_refptr<net::IOBuffer>& io_buffer, | |
125 int result) { | |
126 DCHECK(!read_callback_.is_null()); | |
127 base::ResetAndReturn(&read_callback_).Run(result, io_buffer); | |
128 } | |
129 | |
130 int TLSSocket::WriteImpl(net::IOBuffer* io_buffer, | |
131 int io_buffer_size, | |
132 const net::CompletionCallback& callback) { | |
133 if (!IsConnected()) { | |
134 return net::ERR_SOCKET_NOT_CONNECTED; | |
135 } | |
136 return tls_socket_->Write(io_buffer, io_buffer_size, callback); | |
137 } | |
138 | |
139 bool TLSSocket::SetKeepAlive(bool enable, int delay) { | |
140 return false; | |
141 } | |
142 | |
143 bool TLSSocket::SetNoDelay(bool no_delay) { | |
144 return false; | |
145 } | |
146 | |
147 int TLSSocket::Listen(const std::string& address, | |
148 int port, | |
149 int backlog, | |
150 std::string* error_msg) { | |
151 *error_msg = kTLSSocketTypeInvalidError; | |
152 return net::ERR_NOT_IMPLEMENTED; | |
153 } | |
154 | |
155 void TLSSocket::Accept(const AcceptCompletionCallback& callback) { | |
156 callback.Run(net::ERR_FAILED, NULL); | |
157 } | |
158 | |
159 bool TLSSocket::IsConnected() { | |
160 return tls_socket_.get() && tls_socket_->IsConnected(); | |
161 } | |
162 | |
163 bool TLSSocket::GetPeerAddress(net::IPEndPoint* address) { | |
164 return IsConnected() && tls_socket_->GetPeerAddress(address); | |
165 } | |
166 | |
167 bool TLSSocket::GetLocalAddress(net::IPEndPoint* address) { | |
168 return IsConnected() && tls_socket_->GetLocalAddress(address); | |
169 } | |
170 | |
171 Socket::SocketType TLSSocket::GetSocketType() const { | |
172 return Socket::TYPE_TLS; | |
173 } | |
174 | |
175 // static | |
176 void TLSSocket::UpgradeSocketToTLS( | |
177 Socket* socket, | |
178 scoped_refptr<net::SSLConfigService> ssl_config_service, | |
179 net::CertVerifier* cert_verifier, | |
180 net::TransportSecurityState* transport_security_state, | |
181 const std::string& extension_id, | |
182 core_api::socket::SecureOptions* options, | |
183 const TLSSocket::SecureCallback& callback) { | |
184 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO)); | |
185 TCPSocket* tcp_socket = static_cast<TCPSocket*>(socket); | |
186 scoped_ptr<net::SSLClientSocket> null_sock; | |
187 | |
188 if (!tcp_socket || tcp_socket->GetSocketType() != Socket::TYPE_TCP || | |
189 !tcp_socket->ClientStream() || !tcp_socket->IsConnected() || | |
190 tcp_socket->HasPendingRead()) { | |
191 DVLOG(1) << "Failing before trying. socket is " << tcp_socket; | |
192 if (tcp_socket) { | |
193 DVLOG(1) << "type: " << tcp_socket->GetSocketType() | |
194 << ", ClientStream is " << tcp_socket->ClientStream() | |
195 << ", IsConnected: " << tcp_socket->IsConnected() | |
196 << ", HasPendingRead: " << tcp_socket->HasPendingRead(); | |
197 } | |
198 TlsConnectDone( | |
199 null_sock.Pass(), extension_id, callback, net::ERR_INVALID_ARGUMENT); | |
200 return; | |
201 } | |
202 | |
203 net::IPEndPoint dest_host_port_pair; | |
204 if (!tcp_socket->GetPeerAddress(&dest_host_port_pair)) { | |
205 DVLOG(1) << "Could not get peer address."; | |
206 TlsConnectDone( | |
207 null_sock.Pass(), extension_id, callback, net::ERR_INVALID_ARGUMENT); | |
208 return; | |
209 } | |
210 | |
211 // Convert any U-LABELs to A-LABELs. | |
212 url::CanonHostInfo host_info; | |
213 std::string canon_host = | |
214 net::CanonicalizeHost(tcp_socket->hostname(), &host_info); | |
215 | |
216 // Canonicalization shouldn't fail: the socket is already connected with a | |
217 // host, using this hostname. | |
218 if (host_info.family == url::CanonHostInfo::BROKEN) { | |
219 DVLOG(1) << "Could not canonicalize hostname"; | |
220 TlsConnectDone( | |
221 null_sock.Pass(), extension_id, callback, net::ERR_INVALID_ARGUMENT); | |
222 return; | |
223 } | |
224 | |
225 net::HostPortPair host_and_port(canon_host, dest_host_port_pair.port()); | |
226 | |
227 scoped_ptr<net::ClientSocketHandle> socket_handle( | |
228 new net::ClientSocketHandle()); | |
229 | |
230 // Set the socket handle to the socket's client stream (that should be the | |
231 // only one active here). Then have the old socket release ownership on | |
232 // that client stream. | |
233 socket_handle->SetSocket( | |
234 scoped_ptr<net::StreamSocket>(tcp_socket->ClientStream())); | |
235 tcp_socket->Release(); | |
236 | |
237 DCHECK(transport_security_state); | |
238 net::SSLClientSocketContext context; | |
239 context.cert_verifier = cert_verifier; | |
240 context.transport_security_state = transport_security_state; | |
241 | |
242 // Fill in the SSL socket params. | |
243 net::SSLConfig ssl_config; | |
244 ssl_config_service->GetSSLConfig(&ssl_config); | |
245 if (options && options->tls_version.get()) { | |
246 uint16 version_min = 0, version_max = 0; | |
247 core_api::socket::TLSVersionConstraints* versions = | |
248 options->tls_version.get(); | |
249 if (versions->min.get()) { | |
250 version_min = SSLProtocolVersionFromString(*versions->min.get()); | |
251 } | |
252 if (versions->max.get()) { | |
253 version_max = SSLProtocolVersionFromString(*versions->max.get()); | |
254 } | |
255 if (version_min) { | |
256 ssl_config.version_min = version_min; | |
257 } | |
258 if (version_max) { | |
259 ssl_config.version_max = version_max; | |
260 } | |
261 } | |
262 net::ClientSocketFactory* socket_factory = | |
263 net::ClientSocketFactory::GetDefaultFactory(); | |
264 | |
265 // Create the socket. | |
266 scoped_ptr<net::SSLClientSocket> ssl_socket( | |
267 socket_factory->CreateSSLClientSocket( | |
268 socket_handle.Pass(), host_and_port, ssl_config, context)); | |
269 | |
270 DVLOG(1) << "Attempting to secure a connection to " << tcp_socket->hostname() | |
271 << ":" << dest_host_port_pair.port(); | |
272 | |
273 // We need the contents of |ssl_socket| in order to invoke its Connect() | |
274 // method. It belongs to |ssl_socket|, and we own that until our internal | |
275 // callback (|connect_cb|, below) is invoked. | |
276 net::SSLClientSocket* saved_ssl_socket = ssl_socket.get(); | |
277 | |
278 // Try establish a TLS connection. Pass ownership of |ssl_socket| to | |
279 // TlsConnectDone, which will pass it on to |callback|. |connect_cb| below | |
280 // is only for UpgradeSocketToTLS use, and not be confused with the | |
281 // argument |callback|, which gets invoked by TlsConnectDone() after | |
282 // Connect() below returns. | |
283 base::Callback<void(int)> connect_cb(base::Bind( | |
284 &TlsConnectDone, base::Passed(&ssl_socket), extension_id, callback)); | |
285 int status = saved_ssl_socket->Connect(connect_cb); | |
286 saved_ssl_socket = NULL; | |
287 | |
288 // Connect completed synchronously, or failed. | |
289 if (status != net::ERR_IO_PENDING) { | |
290 // Note: this can't recurse -- if |socket| is already a connected | |
291 // TLSSocket, it will return TYPE_TLS instead of TYPE_TCP, causing | |
292 // UpgradeSocketToTLS() to fail with an error above. If | |
293 // UpgradeSocketToTLS() is called on |socket| twice, the call to | |
294 // Release() on |socket| above causes the additional call to | |
295 // fail with an error above. | |
296 if (status != net::OK) { | |
297 DVLOG(1) << "Status is not OK or IO-pending: " | |
298 << net::ErrorToString(status); | |
299 } | |
300 connect_cb.Run(status); | |
301 } | |
302 } | |
303 | |
304 } // namespace extensions | |
OLD | NEW |