Implement Token Binding negotiation TLS extension

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
 #include <openssl/bio.h>
+#include <openssl/bytestring.h>
 #include <openssl/err.h>
+#include <openssl/evp.h>
 #include <openssl/mem.h>
 #include <openssl/ssl.h>
 #include <string.h>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/environment.h"
 #include "base/lazy_instance.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram_macros.h"
@@ skipping 225 matching lines @@
         !ssl_keylog_file.empty()) {
       crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
       BIO* bio = BIO_new_file(ssl_keylog_file.c_str(), "a");
       if (!bio) {
         LOG(ERROR) << "Failed to open " << ssl_keylog_file;
         ERR_print_errors_cb(&LogErrorCallback, NULL);
       } else {
         SSL_CTX_set_keylog_bio(ssl_ctx_.get(), bio);
       }
     }
+
+    if (!TokenBindingExtension::RegisterCallbacks(ssl_ctx_.get())) {
+      NOTREACHED();
+    }
   }
 
   static int ClientCertRequestCallback(SSL* ssl, void* arg) {
     SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
     DCHECK(socket);
     return socket->ClientCertRequestCallback(ssl);
   }
 
   static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) {
     SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(
@@ skipping 266 matching lines @@
 
   net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT);
 
   // Set up new ssl object.
   int rv = Init();
   if (rv != OK) {
     net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
     return rv;
   }
 
+  // Set params for TokenBindingExtension object.
+  if (IsTokenBindingEnabled(ssl_config_, channel_id_service_)) {
+    token_binding_extension_.SetParams(ssl_config_.token_binding_params);
+  }
+
   // Set SSL to client mode. Handshake happens in the loop below.
   SSL_set_connect_state(ssl_);
 
   GotoState(STATE_HANDSHAKE);
   rv = DoHandshakeLoop(OK);
   if (rv == ERR_IO_PENDING) {
     user_connect_callback_ = callback;
   } else {
     net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
   }
@@ skipping 143 matching lines @@
   ssl_info->cert = server_cert_verify_result_.verified_cert;
   ssl_info->unverified_cert = server_cert_;
   ssl_info->cert_status = server_cert_verify_result_.cert_status;
   ssl_info->is_issued_by_known_root =
       server_cert_verify_result_.is_issued_by_known_root;
   ssl_info->public_key_hashes =
     server_cert_verify_result_.public_key_hashes;
   ssl_info->client_cert_sent =
       ssl_config_.send_client_cert && ssl_config_.client_cert.get();
   ssl_info->channel_id_sent = channel_id_sent_;
+  ssl_info->token_binding_negotiated = token_binding_extension_.WasNegotiated();
   ssl_info->pinning_failure_log = pinning_failure_log_;
 
   AddSCTInfoToSSLInfo(ssl_info);
 
   const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
   CHECK(cipher);
   ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
   ssl_info->key_exchange_info =
       SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_));
 
@@ skipping 378 matching lines @@
 
 int SSLClientSocketOpenSSL::DoHandshakeComplete(int result) {
   if (result < 0)
     return result;
 
   if (ssl_config_.version_fallback &&
       ssl_config_.version_max < ssl_config_.version_fallback_min) {
     return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION;
   }
 
+  // Check that if token binding was negotiated, then extended master secret
+  // must also be negotiated.
+  if (token_binding_extension_.WasNegotiated() &&
+      !ssl_->session->extended_master_secret) {
+    return ERR_SSL_PROTOCOL_ERROR;
+  }
+
+  if (token_binding_extension_.WasNegotiated() && !channel_id_key_) {
+    GotoState(STATE_TOKEN_BINDING_LOOKUP);
+    return OK;
+  }
+
   // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was.
   if (npn_status_ == kNextProtoUnsupported) {
     const uint8_t* alpn_proto = NULL;
     unsigned alpn_len = 0;
     SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len);
     if (alpn_len > 0) {
       npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len);
       npn_status_ = kNextProtoNegotiated;
       set_negotiation_extension(kExtensionALPN);
     }
   }
 
   RecordNegotiationExtension();
   RecordChannelIDSupport(channel_id_service_, channel_id_sent_,
                          ssl_config_.channel_id_enabled,
                          crypto::ECPrivateKey::IsSupported());
+  RecordTokenBindingSupport(ssl_config_, channel_id_service_,
+                            token_binding_extension_.WasNegotiated());
 
   // Only record OCSP histograms if OCSP was requested.
   if (ssl_config_.signed_cert_timestamps_enabled ||
       cert_verifier_->SupportsOCSPStapling()) {
     const uint8_t* ocsp_response;
     size_t ocsp_response_len;
     SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len);
 
     set_stapled_ocsp_response_received(ocsp_response_len != 0);
     UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0);
@@ skipping 42 matching lines @@
     return MapOpenSSLError(err, err_tracer);
   }
 
   // Return to the handshake.
   channel_id_sent_ = true;
   net_log_.AddEvent(NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED);
   GotoState(STATE_HANDSHAKE);
   return OK;
 }
 
+int SSLClientSocketOpenSSL::DoTokenBindingLookup() {
+  net_log_.BeginEvent(NetLog::TYPE_SSL_GET_TOKEN_BINDING_KEY);
+  GotoState(STATE_TOKEN_BINDING_LOOKUP_COMPLETE);
+  return channel_id_service_->GetOrCreateChannelID(
+      host_and_port_.host(), &channel_id_key_,
+      base::Bind(&SSLClientSocketOpenSSL::OnHandshakeIOComplete,
+                 base::Unretained(this)),
+      &channel_id_request_);

[davidben, 2015/10/01 16:15:17]

What does this do? Do we even use this key for anything at the SSL layer?

In Token Binding, this should be at the HTTP layer, no? I would think instead
SSLClientSocketOpenSSL just advertises the TB type in SSLInfo or whereever and
then the HTTP layer does whatever else beyond that.

[nharper, 2015/10/01 19:12:23]

We use this key once at the SSL layer to generate the provided token binding
once and cache it in a member variable. This is done so that the token binding
remains constant. (Otherwise, if we re-sign and regenerate the token binding for
each http request, the value differs, negating the advantage of HTTP/2 header
compression.)

+}
+
+int SSLClientSocketOpenSSL::DoTokenBindingLookupComplete(int result) {
+  if (!channel_id_key_) {
+    LOG(ERROR) << "Failed to import Channel ID.";
+    result = ERR_CHANNEL_ID_IMPORT_FAILED;
+  }
+
+  net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_TOKEN_BINDING_KEY,
+                                    result);
+  if (result < 0)
+    return result;
+
+  GotoState(STATE_HANDSHAKE_COMPLETE);
+  return OK;
+}
+
 int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
   DCHECK(!server_cert_chain_->empty());
   DCHECK(start_cert_verification_time_.is_null());
 
   GotoState(STATE_VERIFY_CERT_COMPLETE);
 
   // OpenSSL decoded the certificate, but the platform certificate
   // implementation could not. This is treated as a fatal SSL-level protocol
   // error rather than a certificate error. See https://crbug.com/91341.
   if (!server_cert_.get())
@@ skipping 210 matching lines @@
       case STATE_HANDSHAKE_COMPLETE:
         rv = DoHandshakeComplete(rv);
         break;
       case STATE_CHANNEL_ID_LOOKUP:
         DCHECK_EQ(OK, rv);
         rv = DoChannelIDLookup();
        break;
       case STATE_CHANNEL_ID_LOOKUP_COMPLETE:
         rv = DoChannelIDLookupComplete(rv);
         break;
+      case STATE_TOKEN_BINDING_LOOKUP:
+        DCHECK_EQ(OK, rv);
+        rv = DoTokenBindingLookup();
+        break;
+      case STATE_TOKEN_BINDING_LOOKUP_COMPLETE:
+        rv = DoTokenBindingLookupComplete(rv);
+        break;
       case STATE_VERIFY_CERT:
         DCHECK_EQ(OK, rv);
         rv = DoVerifyCert(rv);
        break;
       case STATE_VERIFY_CERT_COMPLETE:
         rv = DoVerifyCertComplete(rv);
         break;
       case STATE_NONE:
       default:
         rv = ERR_UNEXPECTED;
@@ skipping 731 matching lines @@
   if (next_handshake_state_ == STATE_HANDSHAKE) {
     OnHandshakeIOComplete(signature_result_);
     return;
   }
 
   // During a renegotiation, either Read or Write calls may be blocked on an
   // asynchronous private key operation.
   PumpReadWriteEvents();
 }
 
+SSLClientSocketOpenSSL::TokenBindingExtension::TokenBindingExtension()
+    : negotiated_(false), negotiated_param_(TokenBindingParam(0)) {}
+
+SSLClientSocketOpenSSL::TokenBindingExtension::~TokenBindingExtension() {}
+
+bool SSLClientSocketOpenSSL::TokenBindingExtension::WasNegotiated() const {
+  return negotiated_;
+}
+
+TokenBindingParam
+SSLClientSocketOpenSSL::TokenBindingExtension::NegotiationResult() const {
+  return negotiated_param_;
+};
+
+void SSLClientSocketOpenSSL::TokenBindingExtension::SetParams(
+    const std::vector<TokenBindingParam>& params) {
+  supported_params_.clear();
+  for (TokenBindingParam param : params) {
+    supported_params_.push_back(param);
+  }
+};
+
+// static
+bool SSLClientSocketOpenSSL::TokenBindingExtension::RegisterCallbacks(
+    SSL_CTX* ssl_ctx) {
+  return SSL_CTX_add_client_custom_ext(
+      ssl_ctx, kExtNum, &TokenBindingExtension::ClientAddCallback,
+      &TokenBindingExtension::ClientFreeCallback, nullptr,
+      &TokenBindingExtension::ClientParseCallback, nullptr);
+}
+
+int SSLClientSocketOpenSSL::TokenBindingExtension::ClientAdd(
+    const uint8_t** out,
+    size_t* out_len,
+    int* out_alert_value) {
+  if (supported_params_.empty()) {
+    return 0;
+  }
+  CBB output, parameters_list;
+  int retval = -1;
+  if (!CBB_init(&output, 7))
+    goto end;
+  if (!CBB_add_u8(&output, kProtocolVersionMajor) ||
+      !CBB_add_u8(&output, kProtocolVersionMinor) ||
+      !CBB_add_u8_length_prefixed(&output, &parameters_list)) {
+    goto end;
+  }
+  for (size_t i = 0; i < supported_params_.size(); ++i) {
+    if (!CBB_add_u8(&parameters_list, supported_params_[i])) {
+      goto end;
+    }
+  }
+  if (!CBB_finish(&output, const_cast<uint8_t**>(out), out_len))
+    goto end;
+
+  retval = 1;
+
+end:
+  CBB_cleanup(&output);
+  if (retval == -1)
+    *out_alert_value = SSL_AD_INTERNAL_ERROR;
+  return retval;
+}
+
+int SSLClientSocketOpenSSL::TokenBindingExtension::ClientParse(
+    const uint8_t* contents,
+    size_t contents_len,
+    int* out_alert_value) {
+  CBS extension;
+  CBS_init(&extension, contents, contents_len);
+
+  CBS parameters_list;
+  uint8_t version_major, version_minor, param;
+  if (!CBS_get_u8(&extension, &version_major) ||
+      !CBS_get_u8(&extension, &version_minor) ||
+      version_major != kProtocolVersionMajor ||
+      version_minor != kProtocolVersionMinor ||
+      !CBS_get_u8_length_prefixed(&extension, &parameters_list) ||
+      !CBS_get_u8(&parameters_list, &param) || CBS_len(&extension) > 0) {
+    *out_alert_value = SSL_AD_DECODE_ERROR;
+    return 0;
+  }
+  bool valid_param = false;
+  for (size_t i = 0; i < supported_params_.size(); ++i) {
+    if (param == supported_params_[i]) {
+      negotiated_param_ = TokenBindingParam(param);
+      valid_param = true;
+      break;
+    }
+  }
+
+  // The server-negotiated version must be less than or equal to our version.
+  if (version_major > kProtocolVersionMajor ||
+      (version_minor > kProtocolVersionMinor &&
+       version_major == kProtocolVersionMajor)) {
+    *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
+    return 0;
+  }
+
+  // Although the server returns the negotiated key param in a list, it must
+  // only send one element in that list.
+  if (CBS_len(&parameters_list) > 0 || !valid_param) {
+    *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
+    return 0;
+  }
+
+  // If the version the server negotiated is older than we support, don't fail
+  // parsing the extension, but also don't set |negotiated_|.
+  if (version_major < kMinProtocolVersionMajor ||
+      (version_minor < kMinProtocolVersionMinor &&
+       version_major == kMinProtocolVersionMajor)) {
+    return 1;
+  }
+
+  negotiated_ = true;
+  return 1;
+}
+
+// static
+int SSLClientSocketOpenSSL::TokenBindingExtension::ClientAddCallback(
+    SSL* ssl,
+    unsigned int extension_value,
+    const uint8_t** out,
+    size_t* out_len,
+    int* out_alert_value,
+    void* add_arg) {
+  DCHECK(extension_value == kExtNum);
+  SSLClientSocketOpenSSL* socket =
+      SSLClientSocketOpenSSL::SSLContext::GetInstance()->GetClientSocketFromSSL(
+          ssl);
+  return socket->token_binding_extension_.ClientAdd(out, out_len,
+                                                    out_alert_value);
+}
+
+// static
+void SSLClientSocketOpenSSL::TokenBindingExtension::ClientFreeCallback(
+    SSL* ssl,
+    unsigned extension_value,
+    const uint8_t* out,
+    void* add_arg) {
+  DCHECK(extension_value == kExtNum);
+  OPENSSL_free(const_cast<unsigned char*>(out));
+}
+
+// static
+int SSLClientSocketOpenSSL::TokenBindingExtension::ClientParseCallback(
+    SSL* ssl,
+    unsigned int extension_value,
+    const uint8_t* contents,
+    size_t contents_len,
+    int* out_alert_value,
+    void* parse_arg) {
+  DCHECK(extension_value == kExtNum);
+  SSLClientSocketOpenSSL* socket =
+      SSLClientSocketOpenSSL::SSLContext::GetInstance()->GetClientSocketFromSSL(
+          ssl);
+  return socket->token_binding_extension_.ClientParse(contents, contents_len,
+                                                      out_alert_value);
+}
+
 }  // namespace net