diff options
Diffstat (limited to 'cast/sender/channel')
-rw-r--r-- | cast/sender/channel/cast_auth_util.cc | 63 | ||||
-rw-r--r-- | cast/sender/channel/cast_auth_util.h | 3 | ||||
-rw-r--r-- | cast/sender/channel/sender_socket_factory.cc | 4 |
3 files changed, 51 insertions, 19 deletions
diff --git a/cast/sender/channel/cast_auth_util.cc b/cast/sender/channel/cast_auth_util.cc index cb1ced69..f0e1c36f 100644 --- a/cast/sender/channel/cast_auth_util.cc +++ b/cast/sender/channel/cast_auth_util.cc @@ -9,6 +9,7 @@ #include <algorithm> #include <memory> +#include "absl/strings/str_cat.h" #include "cast/common/certificate/cast_cert_validator.h" #include "cast/common/certificate/cast_cert_validator_internal.h" #include "cast/common/certificate/cast_crl.h" @@ -104,43 +105,56 @@ class CastNonce { std::chrono::seconds nonce_generation_time_; }; -// Maps Error::Code from certificate verification to Error. -// If crl_required is set to false, all revocation related errors are ignored. -Error MapToOpenscreenError(Error::Code error, bool crl_required) { - switch (error) { +// Maps an error from certificate verification to an error reported to the +// library client. If crl_required is set to false, all revocation related +// errors are ignored. +// +// TODO(https://issuetracker.google.com/issues/193164666): It would be simpler +// to just pass the underlying verification error directly to the client. +Error MapToOpenscreenError(Error verify_error, bool crl_required) { + switch (verify_error.code()) { case Error::Code::kErrCertsMissing: return Error(Error::Code::kCastV2PeerCertEmpty, - "Failed to locate certificates."); + absl::StrCat("Failed to locate certificates: ", + verify_error.message())); case Error::Code::kErrCertsParse: return Error(Error::Code::kErrCertsParse, - "Failed to parse certificates."); + absl::StrCat("Failed to parse certificates: ", + verify_error.message())); case Error::Code::kErrCertsDateInvalid: - return Error(Error::Code::kCastV2CertNotSignedByTrustedCa, - "Failed date validity check."); + return Error( + Error::Code::kCastV2CertNotSignedByTrustedCa, + absl::StrCat("Failed date validity check: ", verify_error.message())); case Error::Code::kErrCertsVerifyGeneric: - return Error(Error::Code::kCastV2CertNotSignedByTrustedCa, - "Failed with a generic certificate verification error."); + return Error( + Error::Code::kCastV2CertNotSignedByTrustedCa, + absl::StrCat("Failed with a generic certificate verification error: ", + verify_error.message())); case Error::Code::kErrCertsRestrictions: return Error(Error::Code::kCastV2CertNotSignedByTrustedCa, - "Failed certificate restrictions."); + absl::StrCat("Failed certificate restrictions: ", + verify_error.message())); case Error::Code::kErrCertsVerifyUntrustedCert: return Error(Error::Code::kCastV2CertNotSignedByTrustedCa, - "Failed with untrusted certificate."); + absl::StrCat("Failed with untrusted certificate: ", + verify_error.message())); case Error::Code::kErrCrlInvalid: // This error is only encountered if |crl_required| is true. OSP_DCHECK(crl_required); return Error(Error::Code::kErrCrlInvalid, - "Failed to provide a valid CRL."); + absl::StrCat("Failed to provide a valid CRL: ", + verify_error.message())); case Error::Code::kErrCertsRevoked: return Error(Error::Code::kErrCertsRevoked, - "Failed certificate revocation check."); + absl::StrCat("Failed certificate revocation check: ", + verify_error.message())); case Error::Code::kNone: return Error::None(); default: return Error(Error::Code::kCastV2CertNotSignedByTrustedCa, - "Failed verifying cast device certificate."); + absl::StrCat("Failed verifying cast device certificate: ", + verify_error.message())); } - return Error::None(); } Error VerifyAndMapDigestAlgorithm(HashAlgorithm response_digest_algorithm, @@ -170,6 +184,21 @@ AuthContext AuthContext::Create() { return AuthContext(CastNonce::Get()); } +// static +AuthContext AuthContext::CreateForTest(const std::string& nonce_data) { + std::string nonce; + if (nonce_data.empty()) { + nonce = std::string(kNonceSizeInBytes, '0'); + } else { + while (nonce.size() < kNonceSizeInBytes) { + nonce += nonce_data; + } + nonce.erase(kNonceSizeInBytes); + } + OSP_DCHECK_EQ(nonce.size(), kNonceSizeInBytes); + return AuthContext(nonce); +} + AuthContext::AuthContext(const std::string& nonce) : nonce_(nonce) {} AuthContext::~AuthContext() {} @@ -356,7 +385,7 @@ ErrorOr<CastDeviceCertPolicy> VerifyCredentialsImpl( &device_policy, crl.get(), crl_policy, cast_trust_store); // Handle and report errors. - Error result = MapToOpenscreenError(verify_result.code(), + Error result = MapToOpenscreenError(verify_result, crl_policy == CRLPolicy::kCrlRequired); if (!result.ok()) { return result; diff --git a/cast/sender/channel/cast_auth_util.h b/cast/sender/channel/cast_auth_util.h index d23ebd7e..9c0646ec 100644 --- a/cast/sender/channel/cast_auth_util.h +++ b/cast/sender/channel/cast_auth_util.h @@ -36,6 +36,9 @@ class AuthContext { // The same context must be used in the challenge and reply. static AuthContext Create(); + // Create a context with some seed nonce data for testing. + static AuthContext CreateForTest(const std::string& nonce_data); + // Verifies the nonce received in the response is equivalent to the one sent. // Returns success if |nonce_response| matches nonce_ Error VerifySenderNonce(const std::string& nonce_response, diff --git a/cast/sender/channel/sender_socket_factory.cc b/cast/sender/channel/sender_socket_factory.cc index e971976b..c0924836 100644 --- a/cast/sender/channel/sender_socket_factory.cc +++ b/cast/sender/channel/sender_socket_factory.cc @@ -16,6 +16,8 @@ using ::cast::channel::CastMessage; namespace openscreen { namespace cast { +SenderSocketFactory::Client::~Client() = default; + bool operator<(const std::unique_ptr<SenderSocketFactory::PendingAuth>& a, int b) { return a && a->socket->socket_id() < b; @@ -106,8 +108,6 @@ void SenderSocketFactory::OnConnectionFailed(TlsConnectionFactory* factory, const IPEndpoint& remote_address) { auto it = FindPendingConnection(remote_address); if (it == pending_connections_.end()) { - OSP_DVLOG << "OnConnectionFailed reported for untracked address: " - << remote_address; return; } pending_connections_.erase(it); |