blob: d7eba4db70902a069facd61e7ab272f15a4daec5 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "remoting/protocol/auth_util.h"
#include "base/base64.h"
#include "base/logging.h"
#include "base/strings/string_util.h"
#include "crypto/hmac.h"
#include "crypto/sha2.h"
#include "net/base/net_errors.h"
#include "net/socket/ssl_socket.h"
namespace remoting {
namespace protocol {
const char kClientAuthSslExporterLabel[] =
const char kHostAuthSslExporterLabel[] =
const char kSslFakeHostName[] = "chromoting";
std::string GetSharedSecretHash(const std::string& tag,
const std::string& shared_secret) {
crypto::HMAC response(crypto::HMAC::SHA256);
if (!response.Init(tag)) {
LOG(FATAL) << "HMAC::Init failed";
unsigned char out_bytes[kSharedSecretHashLength];
if (!response.Sign(shared_secret, out_bytes, sizeof(out_bytes))) {
LOG(FATAL) << "HMAC::Sign failed";
return std::string(out_bytes, out_bytes + sizeof(out_bytes));
// static
std::string GetAuthBytes(net::SSLSocket* socket,
const base::StringPiece& label,
const base::StringPiece& shared_secret) {
// Get keying material from SSL.
unsigned char key_material[kAuthDigestLength];
int export_result = socket->ExportKeyingMaterial(
label, false, "", key_material, kAuthDigestLength);
if (export_result != net::OK) {
LOG(ERROR) << "Error fetching keying material: " << export_result;
return std::string();
// Generate auth digest based on the keying material and shared secret.
crypto::HMAC response(crypto::HMAC::SHA256);
if (!response.Init(key_material, kAuthDigestLength)) {
NOTREACHED() << "HMAC::Init failed";
return std::string();
unsigned char out_bytes[kAuthDigestLength];
if (!response.Sign(shared_secret, out_bytes, kAuthDigestLength)) {
NOTREACHED() << "HMAC::Sign failed";
return std::string();
return std::string(out_bytes, out_bytes + kAuthDigestLength);
} // namespace protocol
} // namespace remoting