OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "chrome/browser/extensions/api/socket/tls_socket.h" | |
6 | |
7 #include "base/callback_helpers.h" | |
8 #include "base/logging.h" | |
9 #include "chrome/browser/extensions/api/api_resource.h" | |
10 #include "net/base/address_list.h" | |
11 #include "net/base/ip_endpoint.h" | |
12 #include "net/base/net_errors.h" | |
13 #include "net/base/rand_callback.h" | |
14 #include "net/socket/client_socket_factory.h" | |
15 #include "net/socket/client_socket_handle.h" | |
16 #include "net/socket/tcp_client_socket.h" | |
17 #include "net/url_request/url_request_context.h" | |
18 #include "net/url_request/url_request_context_getter.h" | |
19 | |
20 namespace { | |
21 | |
22 // Returns the SSL protocol version (as a uint16) represented by a string. | |
23 // Returns 0 if the string is invalid. Pulled from | |
24 // chrome/browser/net/ssl_config_service_manager_pref.cc. | |
Ryan Sleevi
2014/02/04 22:28:14
Delete this last line. The fact that it overlaps w
lally
2014/02/11 22:05:35
Done.
| |
25 uint16 SSLProtocolVersionFromString(const std::string& version_str) { | |
26 uint16 version = 0; // Invalid. | |
27 if (version_str == "ssl3") { | |
28 version = net::SSL_PROTOCOL_VERSION_SSL3; | |
29 } else if (version_str == "tls1") { | |
30 version = net::SSL_PROTOCOL_VERSION_TLS1; | |
31 } else if (version_str == "tls1.1") { | |
32 version = net::SSL_PROTOCOL_VERSION_TLS1_1; | |
33 } else if (version_str == "tls1.2") { | |
34 version = net::SSL_PROTOCOL_VERSION_TLS1_2; | |
35 } | |
36 return version; | |
37 } | |
38 | |
39 } // namespace | |
40 | |
41 namespace extensions { | |
42 | |
43 const char kTLSSocketTypeInvalidError[] = | |
44 "Cannot listen on a socket that's already connected."; | |
45 | |
46 TLSSocket::TLSSocket(net::StreamSocket* tls_socket, | |
47 const std::string& owner_extension_id) | |
48 : ResumableTCPSocket(owner_extension_id), | |
49 tls_socket_(tls_socket) { | |
50 } | |
51 | |
52 TLSSocket::~TLSSocket() { | |
53 Disconnect(); | |
54 } | |
55 | |
56 void TLSSocket::Connect(const std::string& address, | |
57 int port, | |
58 const CompletionCallback& callback) { | |
59 callback.Run(net::ERR_CONNECTION_FAILED); | |
60 } | |
61 | |
62 void TLSSocket::Disconnect() { | |
63 if (tls_socket_) { | |
64 tls_socket_->Disconnect(); | |
65 tls_socket_.reset(); | |
66 } | |
67 } | |
68 | |
69 void TLSSocket::Read(int count, | |
70 const ReadCompletionCallback& callback) { | |
71 DCHECK(!callback.is_null()); | |
72 | |
73 if (!read_callback_.is_null()) { | |
74 callback.Run(net::ERR_IO_PENDING, NULL); | |
75 return; | |
76 } | |
77 | |
78 if (count <= 0) { | |
79 callback.Run(net::ERR_INVALID_ARGUMENT, NULL); | |
80 return; | |
81 } | |
82 | |
83 if (!tls_socket_.get() || !IsConnected()) { | |
84 callback.Run(net::ERR_SOCKET_NOT_CONNECTED, NULL); | |
85 return; | |
86 } | |
87 | |
88 read_callback_ = callback; | |
89 scoped_refptr<net::IOBuffer> io_buffer = new net::IOBuffer(count); | |
Ryan Sleevi
2014/02/04 22:28:14
nit: io_buffer(new net::IOBuffer(count));
lally
2014/02/11 22:05:35
Done.
| |
90 int result = tls_socket_->Read( | |
91 io_buffer.get(), count, base::Bind(&TLSSocket::OnReadComplete, | |
92 base::Unretained(this), | |
93 io_buffer)); | |
94 | |
95 if (result != net::ERR_IO_PENDING) | |
96 OnReadComplete(io_buffer, result); | |
97 } | |
98 | |
99 void TLSSocket::OnReadComplete(const scoped_refptr<net::IOBuffer>& io_buffer, | |
100 int result) { | |
101 DCHECK(!read_callback_.is_null()); | |
102 base::ResetAndReturn(&read_callback_).Run(result, io_buffer); | |
103 } | |
104 | |
105 int TLSSocket::WriteImpl(net::IOBuffer* io_buffer, | |
106 int io_buffer_size, | |
107 const net::CompletionCallback& callback) { | |
108 if (!IsConnected()) | |
109 return net::ERR_SOCKET_NOT_CONNECTED; | |
110 return tls_socket_->Write(io_buffer, io_buffer_size, callback); | |
111 } | |
112 | |
113 bool TLSSocket::SetKeepAlive(bool enable, int delay) { | |
114 return false; | |
115 } | |
116 | |
117 bool TLSSocket::SetNoDelay(bool no_delay) { | |
118 return false; | |
119 } | |
120 | |
121 int TLSSocket::Listen(const std::string& address, | |
122 int port, | |
123 int backlog, | |
124 std::string* error_msg) { | |
125 *error_msg = kTLSSocketTypeInvalidError; | |
126 return net::ERR_NOT_IMPLEMENTED; | |
127 } | |
128 | |
129 void TLSSocket::Accept(const AcceptCompletionCallback &callback) { | |
130 callback.Run(net::ERR_FAILED, NULL); | |
131 } | |
132 | |
133 bool TLSSocket::IsConnected() { | |
134 return tls_socket_.get() && tls_socket_->IsConnected(); | |
135 } | |
136 | |
137 bool TLSSocket::GetPeerAddress(net::IPEndPoint* address) { | |
138 return IsConnected() && tls_socket_->GetPeerAddress(address); | |
139 } | |
140 | |
141 bool TLSSocket::GetLocalAddress(net::IPEndPoint* address) { | |
142 return IsConnected() && tls_socket_->GetLocalAddress(address); | |
143 } | |
144 | |
145 Socket::SocketType TLSSocket::GetSocketType() const { | |
146 return Socket::TYPE_TLS; | |
147 } | |
148 | |
149 // static | |
150 void TLSSocket::UpgradeSocketToTLS( | |
151 Socket* socket, | |
152 Profile* profile, | |
153 net::URLRequestContextGetter* url_request_getter, | |
154 const std::string& extension_id, | |
155 api::socket::SecureOptions* options, | |
156 const SecureCallback& callback) { | |
157 DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO)); | |
158 DCHECK(profile); | |
159 | |
160 TCPSocket* tcp_socket = static_cast<TCPSocket*>(socket); | |
161 | |
162 if (!tcp_socket || tcp_socket->GetSocketType() != Socket::TYPE_TCP || | |
163 !tcp_socket->ClientStream() || !tcp_socket->IsConnected()) { | |
164 DVLOG(1) << "UpgradeSocketToTLS(): failing before trying. socket is " | |
165 << tcp_socket << ", type is " << tcp_socket->GetSocketType() | |
166 << ", client_stream is " << tcp_socket->ClientStream() | |
167 << ", and socket IsConnected: " << tcp_socket->IsConnected(); | |
168 TlsConnectDone(NULL, extension_id, callback, net::ERR_INVALID_ARGUMENT); | |
169 return; | |
170 } | |
171 | |
172 net::IPEndPoint dest_host_port_pair; | |
173 if (!tcp_socket->GetPeerAddress(&dest_host_port_pair)) { | |
174 DVLOG(1) << "UpgradeSocketToTLS(): could not get peer address."; | |
175 TlsConnectDone(NULL, extension_id, callback, net::ERR_INVALID_ARGUMENT); | |
176 return; | |
177 } | |
178 | |
179 net::HostPortPair host_and_port(tcp_socket->hostname(), | |
180 dest_host_port_pair.port()); | |
181 | |
182 // Modeled after P2PSocketHostTcpBase::StartTls() | |
Ryan Sleevi
2014/02/04 22:28:14
Delete comment.
lally
2014/02/11 22:05:35
Done.
| |
183 scoped_ptr<net::ClientSocketHandle> socket_handle( | |
184 new net::ClientSocketHandle()); | |
185 | |
186 // Set the socket handle to the socket's client stream (that should be the | |
187 // only one active here). Then have the old socket release ownership on of | |
188 // that client stream. | |
189 socket_handle->SetSocket(scoped_ptr<net::StreamSocket>( | |
190 tcp_socket->ClientStream())); | |
191 tcp_socket->Release(); | |
192 | |
193 net::URLRequestContext* url_context = | |
194 url_request_getter->GetURLRequestContext(); | |
195 DCHECK(url_context); | |
196 | |
197 net::SSLClientSocketContext context; | |
198 context.cert_verifier = url_context->cert_verifier(); | |
199 context.transport_security_state = url_context->transport_security_state(); | |
200 DCHECK(context.transport_security_state); | |
201 | |
202 // Fill in the SSL socket params. | |
203 net::SSLConfig ssl_config; | |
204 profile->GetSSLConfigService()->GetSSLConfig(&ssl_config); | |
Ryan Sleevi
2014/02/04 22:28:14
SECURITY: I don't think it's safe to access |profi
lally
2014/02/11 22:05:35
I've removed the access to that, and instead made
| |
205 if (options && options->tls_version.get()) { | |
206 uint16 version_min = 0, version_max = 0; | |
207 api::socket::TLSVersionConstraints* versions = options->tls_version.get(); | |
208 if (versions->min.get()) { | |
209 version_min = SSLProtocolVersionFromString(*versions->min.get()); | |
210 } | |
211 if (versions->max.get()) { | |
212 version_max = SSLProtocolVersionFromString(*versions->max.get()); | |
213 } | |
214 if (version_min) { | |
215 ssl_config.version_min = version_min; | |
216 } | |
217 if (version_max) { | |
218 ssl_config.version_max = version_max; | |
219 } | |
220 } | |
221 net::ClientSocketFactory* socket_factory = | |
222 net::ClientSocketFactory::GetDefaultFactory(); | |
223 | |
224 // Create the socket. | |
225 net::SSLClientSocket* ssl_socket = socket_factory->CreateSSLClientSocket( | |
226 socket_handle.Pass(), host_and_port, ssl_config, context).release(); | |
227 | |
228 DVLOG(1) << "UpgradeSocketToTLS: Attempting to connect to " | |
229 << tcp_socket->hostname() << ":" | |
230 << dest_host_port_pair.port(); | |
231 // Try establish a TLS connection. Pass ownership of ssl_socket to | |
232 // TlsConnectDone, which will pass it on to the callback. | |
233 int status = ssl_socket->Connect( | |
234 base::Bind(&TLSSocket::TlsConnectDone, ssl_socket, extension_id, | |
235 callback)); | |
236 | |
237 // Connect failed, and won't call the callback. Call it now. | |
238 if (status != net::ERR_IO_PENDING) { | |
Ryan Sleevi
2014/02/04 22:28:14
what about status == OK?
lally
2014/02/11 22:05:35
Sure, a new implementation of that interface could
| |
239 // Note: this can't recurse -- if 'socket' is already a connected | |
240 // TLSSocket, it will return TYPE_TLS instead of TYPE_TCP, failing before | |
241 // we get here. If the connection failed, the socket is closed below | |
242 // before the callback. If the caller tries to recurse into another | |
243 // secure() call, they must have either created a prior socket to try, or | |
244 // will have to go through an asynchronous Connect() call first. | |
245 DVLOG(1) << "UpgradeSocketToTLS: Status is not IO-pending: " | |
246 << net::ErrorToString(status); | |
247 TlsConnectDone(ssl_socket, extension_id, callback, status); | |
248 } | |
Ryan Sleevi
2014/02/04 22:28:14
You can still use the scoped_ptr<> to accomplish w
lally
2014/02/11 22:05:35
Great!, thanks.
| |
249 } | |
250 | |
251 // static | |
252 void TLSSocket::TlsConnectDone(net::SSLClientSocket* ssl_socket, | |
253 const std::string& extension_id, | |
254 const SecureCallback& callback, | |
255 int result) { | |
256 DVLOG(1) << "TLSSocket::TlsConnectDone(): got back result " | |
257 << result << " (" << net::ErrorToString(result) << ")"; | |
258 | |
259 // No matter how the TLS connection attempt went, the underlying socket's | |
260 // no longer bound to the original TCPSocket. It belongs to ssl_socket_, | |
Ryan Sleevi
2014/02/04 22:28:14
|ssl_socket| ?
lally
2014/02/11 22:05:35
Yikes, missed this one on the last cl upload. Cha
| |
261 // which is promoted here to a new API-accessible socket (via a TLSSocket | |
262 // wrapper) or deleted. | |
263 if (result != net::OK) { | |
264 // Failed TLS connection. This will delete the underlying TCPClientSocket. | |
265 delete ssl_socket; | |
266 callback.Run(scoped_ptr<TLSSocket>(), result); | |
267 return; | |
268 }; | |
269 | |
270 // Wrap the StreamSocket in a TLSSocket (which matches the extension socket | |
271 // API). Set the handle of the socket to the new value, so that it can be | |
272 // used for read/write/close/etc. | |
273 scoped_ptr<TLSSocket> wrapper(new TLSSocket(ssl_socket, extension_id)); | |
274 | |
275 // Caller will end up deleting the prior TCPSocket, once it calls | |
276 // SetSocket(..,wrapper). | |
277 callback.Run(wrapper.Pass(), result); | |
278 } | |
279 | |
280 } // namespace extensions | |
OLD | NEW |