An implementation of chrome.socket.secure().

chrome/browser/extensions/api/socket/tls_socket.cc

Index: chrome/browser/extensions/api/socket/tls_socket.cc
diff --git a/chrome/browser/extensions/api/socket/tls_socket.cc b/chrome/browser/extensions/api/socket/tls_socket.cc
new file mode 100644
index 0000000000000000000000000000000000000000..1e431f7095da5fc2f9902491989b722b26264f39
--- /dev/null
+++ b/chrome/browser/extensions/api/socket/tls_socket.cc
@@ -0,0 +1,281 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/extensions/api/socket/tls_socket.h"
+
+#include "base/logging.h"
+#include "chrome/browser/extensions/api/api_resource.h"
+#include "net/base/address_list.h"
+#include "net/base/ip_endpoint.h"
+#include "net/base/net_errors.h"
+#include "net/base/rand_callback.h"
+#include "net/socket/client_socket_factory.h"
+#include "net/socket/client_socket_handle.h"
+#include "net/socket/tcp_client_socket.h"
+#include "net/url_request/url_request_context.h"
+#include "net/url_request/url_request_context_getter.h"
+
+namespace {
+// Returns the SSL protocol version (as a uint16) represented by a string.
+// Returns 0 if the string is invalid.  Pulled from
+// chrome/browser/net/ssl_config_service_manager_pref.cc.
+uint16 SSLProtocolVersionFromString(const std::string& version_str) {
+  uint16 version = 0;  // Invalid.
+  if (version_str == "ssl3") {
+    version = net::SSL_PROTOCOL_VERSION_SSL3;
+  } else if (version_str == "tls1") {
+    version = net::SSL_PROTOCOL_VERSION_TLS1;
+  } else if (version_str == "tls1.1") {
+    version = net::SSL_PROTOCOL_VERSION_TLS1_1;
+  } else if (version_str == "tls1.2") {
+    version = net::SSL_PROTOCOL_VERSION_TLS1_2;
+  }
+  return version;
+}
+}  // namespace
+
+namespace extensions {
+
+const char kSecureSocketTypeError[] =
+    "Only TCP sockets are supported for TLS.";
+const char kSocketNotConnectedError[] = "Socket not connected";
+const char kSocketNotFoundError[] = "Socket not found";
+const char kTLSSocketTypeInvalidError[] =
+    "Cannot listen on a socket that's already connected.";
+
+TLSSocket::TLSSocket(net::StreamSocket* tls_socket,
+                      const std::string& owner_extension_id)
+    : ResumableTCPSocket(owner_extension_id),
+      tls_socket_(tls_socket) {
+}
+
+TLSSocket::~TLSSocket() {
+  Disconnect();
+}
+
+void TLSSocket::Connect(const std::string& address,
+                        int port,
+                        const CompletionCallback& callback) {
+  callback.Run(net::ERR_CONNECTION_FAILED);
+}
+
+void TLSSocket::Disconnect() {
+  if (tls_socket_) {
+    tls_socket_->Disconnect();
+    tls_socket_.reset();
+  }
+}
+
+void TLSSocket::Read(int count,
+                     const ReadCompletionCallback& callback) {
+  DCHECK(!callback.is_null());
+
+  if (!read_callback_.is_null()) {
+    callback.Run(net::ERR_IO_PENDING, NULL);
+    return;
+  }
+
+  if (count <= 0) {
+    callback.Run(net::ERR_INVALID_ARGUMENT, NULL);
+    return;
+  }
+
+  if (!tls_socket_.get() || !IsConnected()) {
+    callback.Run(net::ERR_SOCKET_NOT_CONNECTED, NULL);
+    return;
+  }
+
+  read_callback_ = callback;
+  scoped_refptr<net::IOBuffer> io_buffer = new net::IOBuffer(count);
+  int result = tls_socket_->Read(
+      io_buffer.get(), count, base::Bind(&TLSSocket::OnReadComplete,
+                                         base::Unretained(this),
+                                         io_buffer));
+
+  if (result != net::ERR_IO_PENDING)
+    OnReadComplete(io_buffer, result);
+}
+
+void TLSSocket::OnReadComplete(scoped_refptr<net::IOBuffer> io_buffer,
+                               int result) {
+  DCHECK(!read_callback_.is_null());
+  ReadCompletionCallback read_callback = read_callback_;
+  read_callback_.Reset();
+  // Don't touch 'this' after the read callback.
+  read_callback.Run(result, io_buffer);
+}
+
+int TLSSocket::WriteImpl(net::IOBuffer* io_buffer,
+                         int io_buffer_size,
+                         const net::CompletionCallback& callback) {
+  if (!IsConnected())
+    return net::ERR_SOCKET_NOT_CONNECTED;
+  else
+   return tls_socket_->Write(io_buffer, io_buffer_size, callback);
+}
+
+bool TLSSocket::SetKeepAlive(bool enable, int delay) {
+  return false;
+}
+
+bool TLSSocket::SetNoDelay(bool no_delay) {
+  return false;
+}
+
+int TLSSocket::Listen(const std::string& address, int port, int backlog,
+                      std::string* error_msg) {
+  *error_msg = kTLSSocketTypeInvalidError;
+  return net::ERR_NOT_IMPLEMENTED;
+}
+
+void TLSSocket::Accept(const AcceptCompletionCallback &callback) {
+  callback.Run(net::ERR_FAILED, NULL);
+}
+
+bool TLSSocket::IsConnected() {
+  return tls_socket_.get() && tls_socket_->IsConnected();
+}
+
+bool TLSSocket::GetPeerAddress(net::IPEndPoint* address) {
+  return IsConnected() && tls_socket_->GetPeerAddress(address);
+}
+
+bool TLSSocket::GetLocalAddress(net::IPEndPoint* address) {
+  return IsConnected() && tls_socket_->GetLocalAddress(address);
+}
+
+Socket::SocketType TLSSocket::GetSocketType() const {
+  return Socket::TYPE_TLS;
+}
+
+namespace impl {

[rpaquay, 2013/12/09 23:02:03]

Convention: Remove the "impl" namespace and move this function to the anonymous
namespace at the top of the file.

[lally, 2013/12/12 02:31:39]

Done.

+void TlsConnectDone(net::SSLClientSocket* ssl_socket,
+                    const std::string& extension_id, SecureCallback callback,
+                    int result ) {

[rpaquay, 2013/12/09 23:02:03]

No space before ")"

[lally, 2013/12/12 02:31:39]

Done.

+  DVLOG(1) << "chrome.socket.secure: TlsConnectDone(): got back result "
+           << result;
+
+  // No matter how the TLS connection attempt went, the underlying socket's
+  // no longer bound to the original TCPSocket.  It belongs to ssl_socket_,
+  // which is promoted here to a new API-accessible socket (via a TLSSocket
+  // wrapper) or deleted.
+  if (result == net::OK) {
+    // Wrap the StreamSocket in a TLSSocket (which matches the extension
+    // socket API).  Set the handle of the socket to the new value, so that
+    // it can be used for read/write/close/etc.
+    TLSSocket* wrapper = new TLSSocket(ssl_socket, extension_id);
+
+    // Caller will end up deleting the prior TCPSocket, once it calls
+    // SetSocket(..,wrapper).
+    callback.Run(wrapper, result);
+  } else {
+    // Failed TLS connection.  This'll delete the underlying TCPClientSocket.
+    delete ssl_socket;
+    callback.Run(NULL, result);
+  }
+}
+
+}  // namespace impl
+
+// static
+const char* TLSSocket::SecureTCPSocket(
+    Socket* socket,
+    Profile* profile,
+    net::URLRequestContextGetter* url_request_getter,
+    const std::string& extension_id,
+    api::socket::SecureOptions* options,
+    SecureCallback callback,
+    base::Value** result_ret) {
+  int result = -1;

[rpaquay, 2013/12/09 23:02:03]

Use "net::ERROR_FAILED" instead of "-1".

[lally, 2013/12/12 02:31:39]

Done.

+
+  DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
+  DCHECK(profile);
+
+  if (!socket) {
+    *result_ret = new base::FundamentalValue(result);
+    return kSocketNotFoundError;
+  }
+
+  TCPSocket* tcp_socket = static_cast<TCPSocket*>(socket);
+  if (socket->GetSocketType() != Socket::TYPE_TCP
+      || tcp_socket->ClientStream() == NULL) {
+    *result_ret = new base::FundamentalValue(result);
+    return kSecureSocketTypeError;
+  }
+
+  if (!socket->IsConnected()) {
+    *result_ret = new base::FundamentalValue(result);
+    return kSocketNotConnectedError;
+  }
+

[rpaquay, 2013/12/09 23:02:03]

As mentioned in another comment, the 3 checks above should move to the API
function implementation (AsyncWorkStart method).

[lally, 2013/12/12 02:31:39]

I moved them, but kept simpler versions here that just returned instead of
allowed bad inputs.

+  net::IPEndPoint dest_host_port_pair;
+  socket->GetPeerAddress(&dest_host_port_pair);
+  net::HostPortPair host_port(socket->Hostname(), dest_host_port_pair.port());
+
+  // Modeled after P2PSocketHostTcpBase::StartTls()
+  scoped_ptr<net::ClientSocketHandle> socket_handle(
+      new net::ClientSocketHandle());
+
+  // Set the socket handle.
+  socket_handle->SetSocket(scoped_ptr<net::StreamSocket>(
+      tcp_socket->ClientStream()));
+
+  // Have the old socket release its hold on the client stream.
+  tcp_socket->Release();
+
+  net::SSLClientSocketContext context;
+  net::URLRequestContext* url_context =
+      url_request_getter->GetURLRequestContext();
+
+  DCHECK(url_context);
+  context.cert_verifier = url_context->cert_verifier();
+  context.transport_security_state = url_context->transport_security_state();
+  DCHECK(context.transport_security_state);
+
+  // Fill in the SSL socket params.
+  net::SSLConfig ssl_config;
+  profile->GetSSLConfigService()->GetSSLConfig(&ssl_config);
+  if (options && options->tls_version.get()) {
+    uint16 version_min = 0, version_max = 0;
+    api::socket::TLSVersionConstraints* versions = options->tls_version.get();
+    if (versions->min.get()) {
+      version_min = SSLProtocolVersionFromString(*versions->min.get());
+    }
+    if (versions->max.get()) {
+      version_max = SSLProtocolVersionFromString(*versions->max.get());
+    }
+    if (version_min) {
+      ssl_config.version_min = version_min;
+    }
+    if (version_max) {
+      ssl_config.version_max = version_max;
+    }
+  }
+  net::ClientSocketFactory* socket_factory =
+      net::ClientSocketFactory::GetDefaultFactory();
+
+  // Create the socket.
+  net::SSLClientSocket* ssl_socket = socket_factory->CreateSSLClientSocket(
+      socket_handle.Pass(), host_port, ssl_config, context).release();
+
+  // And try to connect.
+  int status = ssl_socket->Connect(
+      base::Bind(&impl::TlsConnectDone, ssl_socket, extension_id, callback));
+
+  *result_ret = new base::FundamentalValue(status);
+  if (status != net::ERR_IO_PENDING) {
+    // Note: this can't recurse -- if 'socket' is already a connected
+    // TLSSocket, it will return TYPE_TLS instead of TYPE_TCP, failing before
+    // we get here.  If the connection failed, the socket is closed below
+    // before the callback.  If the caller tries to recurse into another
+    // secure() call, they must have either created a prior socket to try, or
+    // will have to go through an asynchronous Connect() call first.
+    impl::TlsConnectDone(ssl_socket, extension_id, callback, status);
+    return NULL;
+  }
+
+  return NULL;
+}
+
+}  // namespace extensions