Google Git
Sign in
chromium / chromium / src / 10dba963e93ddcde2058dcdc0dbf9ffa6f0ddf67 / . / extensions / browser / api / socket / tls_socket.cc
blob: 92d3a6b47c349120ed7007f64054f5dd7c91a777 [file] [log] [blame]
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "extensions/browser/api/socket/tls_socket.h"
#include <utility>
#include "base/callback_helpers.h"
#include "base/logging.h"
#include "extensions/browser/api/api_resource.h"
#include "net/base/address_list.h"
#include "net/base/ip_endpoint.h"
#include "net/base/net_errors.h"
#include "net/base/rand_callback.h"
#include "net/base/url_util.h"
#include "net/socket/client_socket_factory.h"
#include "net/socket/client_socket_handle.h"
#include "net/socket/ssl_client_socket.h"
#include "net/socket/tcp_client_socket.h"
#include "url/url_canon.h"
namespace {
// Returns the SSL protocol version (as a uint16_t) represented by a string.
// Returns 0 if the string is invalid.
uint16_t SSLProtocolVersionFromString(const std::string& version_str) {
uint16_t version = 0; // Invalid.
if (version_str == "tls1") {
version = net::SSL_PROTOCOL_VERSION_TLS1;
} else if (version_str == "tls1.1") {
version = net::SSL_PROTOCOL_VERSION_TLS1_1;
} else if (version_str == "tls1.2") {
version = net::SSL_PROTOCOL_VERSION_TLS1_2;
}
return version;
}
void TlsConnectDone(std::unique_ptr<net::SSLClientSocket> ssl_socket,
const std::string& extension_id,
const extensions::TLSSocket::SecureCallback& callback,
int result) {
DVLOG(1) << "Got back result " << result << " " << net::ErrorToString(result);
// No matter how the TLS connection attempt went, the underlying socket's
// no longer bound to the original TCPSocket. It belongs to |ssl_socket|,
// which is promoted here to a new API-accessible socket (via a TLSSocket
// wrapper), or deleted.
if (result != net::OK) {
callback.Run(std::unique_ptr<extensions::TLSSocket>(), result);
return;
};
// Wrap the StreamSocket in a TLSSocket, which matches the extension socket
// API. Set the handle of the socket to the new value, so that it can be
// used for read/write/close/etc.
std::unique_ptr<extensions::TLSSocket> wrapper(
new extensions::TLSSocket(std::move(ssl_socket), extension_id));
// Caller will end up deleting the prior TCPSocket, once it calls
// SetSocket(..,wrapper).
callback.Run(std::move(wrapper), result);
}
} // namespace
namespace extensions {
const char kTLSSocketTypeInvalidError[] =
"Cannot listen on a socket that is already connected.";
TLSSocket::TLSSocket(std::unique_ptr<net::StreamSocket> tls_socket,
const std::string& owner_extension_id)
: ResumableTCPSocket(owner_extension_id),
tls_socket_(std::move(tls_socket)) {}
TLSSocket::~TLSSocket() {
Disconnect(true /* socket_destroying */);
}
void TLSSocket::Connect(const net::AddressList& address,
const CompletionCallback& callback) {
callback.Run(net::ERR_CONNECTION_FAILED);
}
void TLSSocket::Disconnect(bool socket_destroying) {
if (tls_socket_) {
tls_socket_->Disconnect();
tls_socket_.reset();
}
}
void TLSSocket::Read(int count, const ReadCompletionCallback& callback) {
DCHECK(!callback.is_null());
const bool socket_destroying = false;
if (!read_callback_.is_null()) {
callback.Run(net::ERR_IO_PENDING, nullptr, socket_destroying);
return;
}
if (count <= 0) {
callback.Run(net::ERR_INVALID_ARGUMENT, nullptr, socket_destroying);
return;
}
if (!tls_socket_.get()) {
callback.Run(net::ERR_SOCKET_NOT_CONNECTED, nullptr, socket_destroying);
return;
}
read_callback_ = callback;
scoped_refptr<net::IOBuffer> io_buffer(new net::IOBuffer(count));
// |tls_socket_| is owned by this class and the callback won't be run once
// |tls_socket_| is gone (as in an a call to Disconnect()). Therefore, it is
// safe to use base::Unretained() here.
int result = tls_socket_->Read(
io_buffer.get(),
count,
base::Bind(
&TLSSocket::OnReadComplete, base::Unretained(this), io_buffer));
if (result != net::ERR_IO_PENDING) {
OnReadComplete(io_buffer, result);
}
}
void TLSSocket::OnReadComplete(const scoped_refptr<net::IOBuffer>& io_buffer,
int result) {
DCHECK(!read_callback_.is_null());
base::ResetAndReturn(&read_callback_)
.Run(result, io_buffer, false /* socket_destroying */);
}
int TLSSocket::WriteImpl(net::IOBuffer* io_buffer,
int io_buffer_size,
const net::CompletionCallback& callback) {
if (!IsConnected()) {
return net::ERR_SOCKET_NOT_CONNECTED;
}
return tls_socket_->Write(io_buffer, io_buffer_size, callback);
}
bool TLSSocket::SetKeepAlive(bool enable, int delay) {
return false;
}
bool TLSSocket::SetNoDelay(bool no_delay) {
return false;
}
int TLSSocket::Listen(const std::string& address,
uint16_t port,
int backlog,
std::string* error_msg) {
*error_msg = kTLSSocketTypeInvalidError;
return net::ERR_NOT_IMPLEMENTED;
}
void TLSSocket::Accept(const AcceptCompletionCallback& callback) {
callback.Run(net::ERR_FAILED, NULL);
}
bool TLSSocket::IsConnected() {
return tls_socket_.get() && tls_socket_->IsConnected();
}
bool TLSSocket::GetPeerAddress(net::IPEndPoint* address) {
return IsConnected() && tls_socket_->GetPeerAddress(address);
}
bool TLSSocket::GetLocalAddress(net::IPEndPoint* address) {
return IsConnected() && tls_socket_->GetLocalAddress(address);
}
Socket::SocketType TLSSocket::GetSocketType() const {
return Socket::TYPE_TLS;
}
// static
void TLSSocket::UpgradeSocketToTLS(
Socket* socket,
scoped_refptr<net::SSLConfigService> ssl_config_service,
net::CertVerifier* cert_verifier,
net::TransportSecurityState* transport_security_state,
net::CTVerifier* ct_verifier,
net::CTPolicyEnforcer* ct_policy_enforcer,
const std::string& extension_id,
api::socket::SecureOptions* options,
const TLSSocket::SecureCallback& callback) {
DCHECK_CURRENTLY_ON(content::BrowserThread::IO);
TCPSocket* tcp_socket = static_cast<TCPSocket*>(socket);
std::unique_ptr<net::SSLClientSocket> null_sock;
if (!tcp_socket || tcp_socket->GetSocketType() != Socket::TYPE_TCP ||
!tcp_socket->ClientStream() || !tcp_socket->IsConnected() ||
tcp_socket->HasPendingRead()) {
DVLOG(1) << "Failing before trying. socket is " << tcp_socket;
if (tcp_socket) {
DVLOG(1) << "type: " << tcp_socket->GetSocketType()
<< ", ClientStream is " << tcp_socket->ClientStream()
<< ", IsConnected: " << tcp_socket->IsConnected()
<< ", HasPendingRead: " << tcp_socket->HasPendingRead();
}
TlsConnectDone(std::move(null_sock), extension_id, callback,
net::ERR_INVALID_ARGUMENT);
return;
}
net::IPEndPoint dest_host_port_pair;
if (!tcp_socket->GetPeerAddress(&dest_host_port_pair)) {
DVLOG(1) << "Could not get peer address.";
TlsConnectDone(std::move(null_sock), extension_id, callback,
net::ERR_INVALID_ARGUMENT);
return;
}
// Convert any U-LABELs to A-LABELs.
url::CanonHostInfo host_info;
std::string canon_host =
net::CanonicalizeHost(tcp_socket->hostname(), &host_info);
// Canonicalization shouldn't fail: the socket is already connected with a
// host, using this hostname.
if (host_info.family == url::CanonHostInfo::BROKEN) {
DVLOG(1) << "Could not canonicalize hostname";
TlsConnectDone(std::move(null_sock), extension_id, callback,
net::ERR_INVALID_ARGUMENT);
return;
}
net::HostPortPair host_and_port(canon_host, dest_host_port_pair.port());
std::unique_ptr<net::ClientSocketHandle> socket_handle(
new net::ClientSocketHandle());
// Set the socket handle to the socket's client stream (that should be the
// only one active here). Then have the old socket release ownership on
// that client stream.
socket_handle->SetSocket(
std::unique_ptr<net::StreamSocket>(tcp_socket->ClientStream()));
tcp_socket->Release();
DCHECK(transport_security_state);
net::SSLClientSocketContext context;
context.cert_verifier = cert_verifier;
context.transport_security_state = transport_security_state;
context.cert_transparency_verifier = ct_verifier;
context.ct_policy_enforcer = ct_policy_enforcer;
// Fill in the SSL socket params.
net::SSLConfig ssl_config;
ssl_config_service->GetSSLConfig(&ssl_config);
if (options && options->tls_version.get()) {
uint16_t version_min = 0, version_max = 0;
api::socket::TLSVersionConstraints* versions = options->tls_version.get();
if (versions->min.get()) {
version_min = SSLProtocolVersionFromString(*versions->min);
}
if (versions->max.get()) {
version_max = SSLProtocolVersionFromString(*versions->max);
}
if (version_min) {
ssl_config.version_min = version_min;
}
if (version_max) {
ssl_config.version_max = version_max;
}
}
net::ClientSocketFactory* socket_factory =
net::ClientSocketFactory::GetDefaultFactory();
// Create the socket.
std::unique_ptr<net::SSLClientSocket> ssl_socket(
socket_factory->CreateSSLClientSocket(
std::move(socket_handle), host_and_port, ssl_config, context));
DVLOG(1) << "Attempting to secure a connection to " << tcp_socket->hostname()
<< ":" << dest_host_port_pair.port();
// We need the contents of |ssl_socket| in order to invoke its Connect()
// method. It belongs to |ssl_socket|, and we own that until our internal
// callback (|connect_cb|, below) is invoked.
net::SSLClientSocket* saved_ssl_socket = ssl_socket.get();
// Try establish a TLS connection. Pass ownership of |ssl_socket| to
// TlsConnectDone, which will pass it on to |callback|. |connect_cb| below
// is only for UpgradeSocketToTLS use, and not be confused with the
// argument |callback|, which gets invoked by TlsConnectDone() after
// Connect() below returns.
base::Callback<void(int)> connect_cb(base::Bind(
&TlsConnectDone, base::Passed(&ssl_socket), extension_id, callback));
int status = saved_ssl_socket->Connect(connect_cb);
saved_ssl_socket = NULL;
// Connect completed synchronously, or failed.
if (status != net::ERR_IO_PENDING) {
// Note: this can't recurse -- if |socket| is already a connected
// TLSSocket, it will return TYPE_TLS instead of TYPE_TCP, causing
// UpgradeSocketToTLS() to fail with an error above. If
// UpgradeSocketToTLS() is called on |socket| twice, the call to
// Release() on |socket| above causes the additional call to
// fail with an error above.
if (status != net::OK) {
DVLOG(1) << "Status is not OK or IO-pending: "
<< net::ErrorToString(status);
}
connect_cb.Run(status);
}
}
} // namespace extensions