1 // Copyright 2018 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "services/network/tls_socket_factory.h"
6
7 #include <string>
8 #include <utility>
9
10 #include "base/optional.h"
11 #include "mojo/public/cpp/bindings/type_converter.h"
12 #include "net/base/completion_once_callback.h"
13 #include "net/base/net_errors.h"
14 #include "net/cert/cert_verifier.h"
15 #include "net/cert/ct_policy_enforcer.h"
16 #include "net/cert/multi_log_ct_verifier.h"
17 #include "net/socket/client_socket_factory.h"
18 #include "net/socket/stream_socket.h"
19 #include "net/ssl/ssl_config.h"
20 #include "net/ssl/ssl_config_service.h"
21 #include "net/url_request/url_request_context.h"
22 #include "services/network/ssl_config_type_converter.h"
23 #include "services/network/tls_client_socket.h"
24
25 namespace network {
26 namespace {
27 // Cert verifier which blindly accepts all certificates, regardless of validity.
28 class FakeCertVerifier : public net::CertVerifier {
29 public:
FakeCertVerifier()30 FakeCertVerifier() {}
~FakeCertVerifier()31 ~FakeCertVerifier() override {}
32
Verify(const RequestParams & params,net::CertVerifyResult * verify_result,net::CompletionOnceCallback,std::unique_ptr<Request> *,const net::NetLogWithSource &)33 int Verify(const RequestParams& params,
34 net::CertVerifyResult* verify_result,
35 net::CompletionOnceCallback,
36 std::unique_ptr<Request>*,
37 const net::NetLogWithSource&) override {
38 verify_result->Reset();
39 verify_result->verified_cert = params.certificate();
40 return net::OK;
41 }
SetConfig(const Config & config)42 void SetConfig(const Config& config) override {}
43 };
44 } // namespace
45
TLSSocketFactory(net::URLRequestContext * url_request_context,const net::HttpNetworkSession::Context * http_context)46 TLSSocketFactory::TLSSocketFactory(
47 net::URLRequestContext* url_request_context,
48 const net::HttpNetworkSession::Context* http_context)
49 : ssl_client_context_(url_request_context->ssl_config_service(),
50 url_request_context->cert_verifier(),
51 url_request_context->transport_security_state(),
52 url_request_context->cert_transparency_verifier(),
53 url_request_context->ct_policy_enforcer(),
54 nullptr /* Disables SSL session caching */),
55 client_socket_factory_(nullptr),
56 ssl_config_service_(url_request_context->ssl_config_service()) {
57 if (http_context) {
58 client_socket_factory_ = http_context->client_socket_factory;
59 }
60
61 if (!client_socket_factory_ &&
62 url_request_context->GetNetworkSessionContext()) {
63 client_socket_factory_ =
64 url_request_context->GetNetworkSessionContext()->client_socket_factory;
65 }
66 if (!client_socket_factory_)
67 client_socket_factory_ = net::ClientSocketFactory::GetDefaultFactory();
68 }
69
~TLSSocketFactory()70 TLSSocketFactory::~TLSSocketFactory() {}
71
UpgradeToTLS(Delegate * socket_delegate,const net::HostPortPair & host_port_pair,mojom::TLSClientSocketOptionsPtr socket_options,const net::MutableNetworkTrafficAnnotationTag & traffic_annotation,mojo::PendingReceiver<mojom::TLSClientSocket> receiver,mojo::PendingRemote<mojom::SocketObserver> observer,UpgradeToTLSCallback callback)72 void TLSSocketFactory::UpgradeToTLS(
73 Delegate* socket_delegate,
74 const net::HostPortPair& host_port_pair,
75 mojom::TLSClientSocketOptionsPtr socket_options,
76 const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
77 mojo::PendingReceiver<mojom::TLSClientSocket> receiver,
78 mojo::PendingRemote<mojom::SocketObserver> observer,
79 UpgradeToTLSCallback callback) {
80 const net::StreamSocket* socket = socket_delegate->BorrowSocket();
81 if (!socket || !socket->IsConnected()) {
82 std::move(callback).Run(
83 net::ERR_SOCKET_NOT_CONNECTED, mojo::ScopedDataPipeConsumerHandle(),
84 mojo::ScopedDataPipeProducerHandle(), base::nullopt);
85 return;
86 }
87 CreateTLSClientSocket(
88 host_port_pair, std::move(socket_options), std::move(receiver),
89 socket_delegate->TakeSocket(), std::move(observer),
90 static_cast<net::NetworkTrafficAnnotationTag>(traffic_annotation),
91 std::move(callback));
92 }
93
CreateTLSClientSocket(const net::HostPortPair & host_port_pair,mojom::TLSClientSocketOptionsPtr socket_options,mojo::PendingReceiver<mojom::TLSClientSocket> receiver,std::unique_ptr<net::StreamSocket> underlying_socket,mojo::PendingRemote<mojom::SocketObserver> observer,const net::NetworkTrafficAnnotationTag & traffic_annotation,mojom::TCPConnectedSocket::UpgradeToTLSCallback callback)94 void TLSSocketFactory::CreateTLSClientSocket(
95 const net::HostPortPair& host_port_pair,
96 mojom::TLSClientSocketOptionsPtr socket_options,
97 mojo::PendingReceiver<mojom::TLSClientSocket> receiver,
98 std::unique_ptr<net::StreamSocket> underlying_socket,
99 mojo::PendingRemote<mojom::SocketObserver> observer,
100 const net::NetworkTrafficAnnotationTag& traffic_annotation,
101 mojom::TCPConnectedSocket::UpgradeToTLSCallback callback) {
102 auto socket = std::make_unique<TLSClientSocket>(
103 std::move(observer),
104 static_cast<net::NetworkTrafficAnnotationTag>(traffic_annotation));
105 TLSClientSocket* socket_raw = socket.get();
106 tls_socket_receivers_.Add(std::move(socket), std::move(receiver));
107
108 net::SSLClientContext* ssl_client_context = &ssl_client_context_;
109
110 bool send_ssl_info = false;
111 net::SSLConfig ssl_config;
112 if (socket_options) {
113 ssl_config.version_min_override =
114 mojo::MojoSSLVersionToNetSSLVersion(socket_options->version_min);
115 ssl_config.version_max_override =
116 mojo::MojoSSLVersionToNetSSLVersion(socket_options->version_max);
117
118 send_ssl_info = socket_options->send_ssl_info;
119
120 if (socket_options->unsafely_skip_cert_verification) {
121 if (!no_verification_ssl_client_context_) {
122 no_verification_cert_verifier_ = std::make_unique<FakeCertVerifier>();
123 no_verification_transport_security_state_ =
124 std::make_unique<net::TransportSecurityState>();
125 no_verification_cert_transparency_verifier_ =
126 std::make_unique<net::MultiLogCTVerifier>();
127 no_verification_ct_policy_enforcer_ =
128 std::make_unique<net::DefaultCTPolicyEnforcer>();
129 no_verification_ssl_client_context_ =
130 std::make_unique<net::SSLClientContext>(
131 ssl_config_service_, no_verification_cert_verifier_.get(),
132 no_verification_transport_security_state_.get(),
133 no_verification_cert_transparency_verifier_.get(),
134 no_verification_ct_policy_enforcer_.get(),
135 nullptr /* no session cache */);
136 }
137 ssl_client_context = no_verification_ssl_client_context_.get();
138 send_ssl_info = true;
139 }
140 }
141 socket_raw->Connect(host_port_pair, ssl_config, std::move(underlying_socket),
142 ssl_client_context, client_socket_factory_,
143 std::move(callback), send_ssl_info);
144 }
145
146 } // namespace network
147