diff options
Diffstat (limited to 'chromium/third_party/blink/renderer/modules/peerconnection/adapters/p2p_quic_crypto_config_factory_impl.cc')
-rw-r--r-- | chromium/third_party/blink/renderer/modules/peerconnection/adapters/p2p_quic_crypto_config_factory_impl.cc | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/modules/peerconnection/adapters/p2p_quic_crypto_config_factory_impl.cc b/chromium/third_party/blink/renderer/modules/peerconnection/adapters/p2p_quic_crypto_config_factory_impl.cc new file mode 100644 index 00000000000..58b3b365681 --- /dev/null +++ b/chromium/third_party/blink/renderer/modules/peerconnection/adapters/p2p_quic_crypto_config_factory_impl.cc @@ -0,0 +1,135 @@ +// Copyright 2019 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/third_party/quic/core/crypto/proof_source.h" +#include "net/third_party/quic/core/crypto/proof_verifier.h" + +#include "net/third_party/quic/core/tls_client_handshaker.h" +#include "net/third_party/quic/core/tls_server_handshaker.h" +#include "third_party/blink/renderer/modules/peerconnection/adapters/p2p_quic_crypto_config_factory_impl.h" + +namespace blink { + +namespace { + +// Length of HKDF input keying material, equal to its number of bytes. +// https://tools.ietf.org/html/rfc5869#section-2.2. +const size_t kInputKeyingMaterialLength = 32; + +// TODO(https://crbug.com/874300): Implement a secure QUIC handshake, meaning +// that both side's certificates are verified. This can be done by creating a +// P2PProofSource and P2PProofVerifier, and removing these objects once the +// TLS 1.3 handshake is implemented for QUIC. +// - The self signed certificate fingerprint matches the remote +// fingerprint that was signaled. +// - The peer owns the certificate, by verifying the signature of the hash of +// the handshake context. +// +// Ignores the peer's credentials (taken from quic/quartc). +class InsecureProofVerifier : public quic::ProofVerifier { + public: + InsecureProofVerifier() {} + ~InsecureProofVerifier() override {} + + // ProofVerifier override. + quic::QuicAsyncStatus VerifyProof( + const quic::QuicString& hostname, + const uint16_t port, + const quic::QuicString& server_config, + quic::QuicTransportVersion transport_version, + quic::QuicStringPiece chlo_hash, + const std::vector<quic::QuicString>& certs, + const quic::QuicString& cert_sct, + const quic::QuicString& signature, + const quic::ProofVerifyContext* context, + quic::QuicString* error_details, + std::unique_ptr<quic::ProofVerifyDetails>* verify_details, + std::unique_ptr<quic::ProofVerifierCallback> callback) override { + return quic::QUIC_SUCCESS; + } + + quic::QuicAsyncStatus VerifyCertChain( + const quic::QuicString& hostname, + const std::vector<quic::QuicString>& certs, + const quic::ProofVerifyContext* context, + quic::QuicString* error_details, + std::unique_ptr<quic::ProofVerifyDetails>* details, + std::unique_ptr<quic::ProofVerifierCallback> callback) override { + return quic::QUIC_SUCCESS; + } + + std::unique_ptr<quic::ProofVerifyContext> CreateDefaultContext() override { + return nullptr; + } +}; + +} // namespace + +// Used by QuicCryptoServerConfig to provide dummy proof credentials +// (taken from quic/quartc). +class DummyProofSource : public quic::ProofSource { + public: + DummyProofSource() {} + ~DummyProofSource() override {} + + // ProofSource override. + void GetProof(const quic::QuicSocketAddress& server_addr, + const quic::QuicString& hostname, + const quic::QuicString& server_config, + quic::QuicTransportVersion transport_version, + quic::QuicStringPiece chlo_hash, + std::unique_ptr<Callback> callback) override { + quic::QuicCryptoProof proof; + proof.signature = "Dummy signature"; + proof.leaf_cert_scts = "Dummy timestamp"; + callback->Run(true, GetCertChain(server_addr, hostname), proof, + nullptr /* details */); + } + + quic::QuicReferenceCountedPointer<Chain> GetCertChain( + const quic::QuicSocketAddress& server_address, + const quic::QuicString& hostname) override { + std::vector<quic::QuicString> certs; + certs.push_back("Dummy cert"); + return quic::QuicReferenceCountedPointer<Chain>( + new quic::ProofSource::Chain(certs)); + } + void ComputeTlsSignature( + const quic::QuicSocketAddress& server_address, + const quic::QuicString& hostname, + uint16_t signature_algorithm, + quic::QuicStringPiece in, + std::unique_ptr<SignatureCallback> callback) override { + callback->Run(true, "Dummy signature"); + } +}; + +P2PQuicCryptoConfigFactoryImpl::P2PQuicCryptoConfigFactoryImpl( + quic::QuicRandom* const random_generator) + : random_generator_(random_generator) {} + +std::unique_ptr<quic::QuicCryptoClientConfig> +P2PQuicCryptoConfigFactoryImpl::CreateClientCryptoConfig() { + std::unique_ptr<quic::ProofVerifier> proof_verifier( + new InsecureProofVerifier); + return std::make_unique<quic::QuicCryptoClientConfig>( + std::move(proof_verifier), quic::TlsClientHandshaker::CreateSslCtx()); +} + +std::unique_ptr<quic::QuicCryptoServerConfig> +P2PQuicCryptoConfigFactoryImpl::CreateServerCryptoConfig() { + // Generate a random source address token secret every time since this is + // a transient client. + char source_address_token_secret[kInputKeyingMaterialLength]; + random_generator_->RandBytes(source_address_token_secret, + kInputKeyingMaterialLength); + std::unique_ptr<quic::ProofSource> proof_source(new DummyProofSource); + return std::make_unique<quic::QuicCryptoServerConfig>( + quic::QuicString(source_address_token_secret, kInputKeyingMaterialLength), + random_generator_, std::move(proof_source), + quic::KeyExchangeSource::Default(), + quic::TlsServerHandshaker::CreateSslCtx()); +} + +} // namespace blink |