Add support for OpenSSL Next Protocol Negotiation

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
 #include "base/lock.h"
 #include "base/metrics/histogram.h"
 #include "base/openssl_util.h"
 #include "base/singleton.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/net_errors.h"
 #include "net/base/ssl_cert_request_info.h"
 #include "net/base/ssl_connection_status_flags.h"
 #include "net/base/ssl_info.h"
+// TODO(willchan): Fix this dependency.  It's ugly for net/socket to depend on
+// net/http.

[joth, 2010/12/02 17:46:55]

overlength line

[Kristian_, 2010/12/03 14:58:56]

Done.

+#include "net/http/http_stream_factory.h"

[joth, 2010/12/02 17:46:55]

Istead of doing this please see if we can use SSLConfig::next_protos instead.

[willchan no longer on Chromium, 2010/12/03 01:35:06]

Agreed, this is preferable, primarily in terms of layering, since socket
shouldn't be depending on http.

[Kristian_, 2010/12/03 14:58:56]

Done

 
 namespace net {
 
 namespace {
 
 // Enable this to see logging for state machine state transitions.
 #if 0
 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \
                            " jump to state " << s; \
                            next_handshake_state_ = s; } while (0)
@@ skipping 136 matching lines @@
     ssl_socket_data_index_ = SSL_get_ex_new_index(0, 0, 0, 0, 0);
     DCHECK_NE(ssl_socket_data_index_, -1);
     ssl_ctx_.reset(SSL_CTX_new(SSLv23_client_method()));
     SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), NoOpVerifyCallback, NULL);
     SSL_CTX_set_session_cache_mode(ssl_ctx_.get(), SSL_SESS_CACHE_CLIENT);
     SSL_CTX_sess_set_new_cb(ssl_ctx_.get(), NewSessionCallbackStatic);
     SSL_CTX_sess_set_remove_cb(ssl_ctx_.get(), RemoveSessionCallbackStatic);
     SSL_CTX_set_timeout(ssl_ctx_.get(), kSessionCacheTimeoutSeconds);
     SSL_CTX_sess_set_cache_size(ssl_ctx_.get(), kSessionCacheMaxEntires);
     SSL_CTX_set_client_cert_cb(ssl_ctx_.get(), ClientCertCallback);
+#ifdef OPENSSL_NPN_NEGOTIATED

[willchan no longer on Chromium, 2010/12/03 01:35:06]

In Chromium code, we usually do #if defined(OPENSSL_NPN_NEGOTIATED).

[Kristian_, 2010/12/03 14:58:56]

Done.

+    SSL_CTX_set_next_proto_select_cb(ssl_ctx_.get(), &SelectNextProtoCallback,

[joth, 2010/12/02 17:46:55]

nit: other calls don't use & to get function address

[joth, 2010/12/02 17:46:55]

Problem: a side effect of calling SSL_CTX_set_next_proto_select_cb is to put
openssl into NPN mode (hence make the request and handle the response).
We only want to do this per SSL instance (i.e. per connection), once we have
determined that SSLConfig::next_protos is not empty.

But AFAICT we have to set this for the whole CTX.

We can't easily create 2 CTXs (one with and one with NPN) without also making 2
cache instances. (Sessions may not be shared across CTX)

What am I missing?

[willchan no longer on Chromium, 2010/12/03 01:35:06]

NPN next protos are decided on Chrome startup and never change.

In current Chrome, we always have NPN set.  So not conditioning on
SSLConfig::next_protos right now is OK, but a better way to do it would be to
read from the first SSLConfig::next_protos instance.  I'm fine with having that
be a TODO since it's basically never empty.

[Kristian_, 2010/12/03 14:58:56]

I'm not sure if setting on first run gives us much. We can still get into an
inconsistent state. As long as it is an on/off switch (that can't be turned
off), I think we should just enabled it at start. If this creates problems we
have to turn the feature off anyway.

+        NULL);

[joth, 2010/12/02 17:46:55]

align NULL with first param

[Kristian_, 2010/12/03 14:58:56]

Done.

+#endif
   }
 
   static int NewSessionCallbackStatic(SSL* ssl, SSL_SESSION* session) {
     return Get()->NewSessionCallback(ssl, session);
   }
 
   int NewSessionCallback(SSL* ssl, SSL_SESSION* session) {
     SSLClientSocketOpenSSL* socket = GetClientSocketFromSSL(ssl);
     session_cache_.OnSessionAdded(socket->host_and_port(), session);
     return 1;  // 1 => We took ownership of |session|.
   }
 
   static void RemoveSessionCallbackStatic(SSL_CTX* ctx, SSL_SESSION* session) {
     return Get()->RemoveSessionCallback(ctx, session);
   }
 
   void RemoveSessionCallback(SSL_CTX* ctx, SSL_SESSION* session) {
     DCHECK(ctx == ssl_ctx());
     session_cache_.OnSessionRemoved(session);
   }
 
   static int ClientCertCallback(SSL* ssl, X509** x509, EVP_PKEY** pkey) {
     SSLClientSocketOpenSSL* socket = Get()->GetClientSocketFromSSL(ssl);
     CHECK(socket);
     return socket->ClientCertRequestCallback(ssl, x509, pkey);
   }
 
+#ifdef OPENSSL_NPN_NEGOTIATED
+  static int SelectNextProtoCallback(SSL* ssl,
+                                     unsigned char** out, unsigned char* outlen,
+                                     const unsigned char* in,
+                                     unsigned int inlen, void* arg) {
+    if (!HttpStreamFactory::next_protos() ||
+        HttpStreamFactory::next_protos()->empty())
+      return SSL_TLSEXT_ERR_OK;

[joth, 2010/12/02 17:46:55]

The docs for SSL_CTX_set_next_proto_select_cb state "The client must select a
protocol."
At the very least we should probably set *outlen = 0 here (and maybe *out =
NULL), as it looks like the openssl library goes ahead and calls malloc(*outlen)
if we return OK.

Although: as per my comments above, shouldn't we using SSLConfig::next_protos
instead? And arrange to only get this callback once we know
SSLConfig::next_protos is not empty.

[willchan no longer on Chromium, 2010/12/03 01:35:06]

You're right.  That'd be better, but if it's too much work, I'm fine with a
TODO.  I defer to agl here.

[Kristian_, 2010/12/03 14:58:56]

The problem is that the contents of SSLConfig::next_proto can be changing, but
the callback can only be set once. What if we set the string on creation to
contain the fallback case? As far as I can see that should never be a problem.

+
+    const std::string& next_protos = *HttpStreamFactory::next_protos();

[joth, 2010/12/02 17:46:55]

maybe add a comment:
CARE: |*out| maybe set to point to a substring within the |next_protos| content
by SSL_select_next_proto, and then accessed after this function returns, hence
it must not be scoped within this function.

+    SSLClientSocketOpenSSL* socket = Get()->GetClientSocketFromSSL(ssl);
+
+    int status = SSL_select_next_proto(
+        out, outlen, in, inlen,
+        reinterpret_cast<const unsigned char*>(next_protos.data()),
+        next_protos.size());
+
+    socket->set_npn_proto(reinterpret_cast<const char*>(*out), *outlen);
+    switch (status) {
+      case OPENSSL_NPN_UNSUPPORTED:
+        socket->set_npn_status(SSLClientSocket::kNextProtoUnsupported);
+        break;
+      case OPENSSL_NPN_NEGOTIATED:
+        socket->set_npn_status(SSLClientSocket::kNextProtoNegotiated);
+        break;
+      case OPENSSL_NPN_NO_OVERLAP:
+        socket->set_npn_status(SSLClientSocket::kNextProtoNoOverlap);
+        break;
+      default:
+        NOTREACHED();

[joth, 2010/12/02 17:46:55]

nit: NOTREACHED() << status;

[Kristian_, 2010/12/03 14:58:56]

Done.

+        break;
+    }
+    return SSL_TLSEXT_ERR_OK;
+  }
+#endif
+
   // This is the index used with SSL_get_ex_data to retrieve the owner
   // SSLClientSocketOpenSSL object from an SSL instance.
   int ssl_socket_data_index_;
 
   base::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ssl_ctx_;
   SSLSessionCache session_cache_;
 };
 
 // Utility to construct the appropriate set & clear masks for use the OpenSSL
 // options and mode configuration functions. (SSL_set_options etc)
@@ skipping 26 matching lines @@
       completed_handshake_(false),
       client_auth_cert_needed_(false),
       ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_(
           this, &SSLClientSocketOpenSSL::OnHandshakeIOComplete)),
       ssl_(NULL),
       transport_bio_(NULL),
       transport_(transport_socket),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       trying_cached_session_(false),
+      npn_status_(kNextProtoUnsupported),
       net_log_(transport_socket->socket()->NetLog()) {
 }
 
 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() {
   Disconnect();
 }
 
 bool SSLClientSocketOpenSSL::Init() {
   DCHECK(!ssl_);
   DCHECK(!transport_bio_);
@@ skipping 102 matching lines @@
 }
 
 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   cert_request_info->host_and_port = host_and_port_.ToString();
   cert_request_info->client_certs = client_certs_;
 }
 
 SSLClientSocket::NextProtoStatus SSLClientSocketOpenSSL::GetNextProto(
     std::string* proto) {
-  proto->clear();
-  return kNextProtoUnsupported;
+  proto->assign(npn_proto_);

[joth, 2010/12/02 17:46:55]

nit: *proto = npn_proto_;
(probably just slightly more canonical for string copy)

[Kristian_, 2010/12/03 14:58:56]

Done.

+  return npn_status_;
 }
 
 void SSLClientSocketOpenSSL::DoReadCallback(int rv) {
   // Since Run may result in Read being called, clear |user_read_callback_|
   // up front.
   CompletionCallback* c = user_read_callback_;
   user_read_callback_ = NULL;
   user_read_buf_ = NULL;
   user_read_buf_len_ = 0;
   c->Run(rv);
@@ skipping 559 matching lines @@
   int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_);
 
   if (rv >= 0)
     return rv;
 
   int err = SSL_get_error(ssl_, rv);
   return MapOpenSSLError(err);
 }
 
 } // namespace net