Implement Token Binding negotiation TLS extension

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
 #include <openssl/bio.h>
+#include <openssl/bytestring.h>
 #include <openssl/err.h>
+#include <openssl/evp.h>
 #include <openssl/mem.h>
 #include <openssl/ssl.h>
 #include <string.h>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/lazy_instance.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/profiler/scoped_tracker.h"
@@ skipping 52 matching lines @@
 // overlap with any value of the net::Error range, including net::OK).
 const int kNoPendingResult = 1;
 
 // If a client doesn't have a list of protocols that it supports, but
 // the server supports NPN, choosing "http/1.1" is the best answer.
 const char kDefaultSupportedNPNProtocol[] = "http/1.1";
 
 // Default size of the internal BoringSSL buffers.
 const int KDefaultOpenSSLBufferSize = 17 * 1024;
 
+// TLS extension number use for Token Binding.
+const unsigned int kTbExtNum = 30033;
+
+// Token Binding ProtocolVersions supported.
+const uint8_t kTbProtocolVersionMajor = 0;
+const uint8_t kTbProtocolVersionMinor = 3;
+const uint8_t kTbMinProtocolVersionMajor = 0;
+const uint8_t kTbMinProtocolVersionMinor = 2;
+
 void FreeX509Stack(STACK_OF(X509)* ptr) {
   sk_X509_pop_free(ptr, X509_free);
 }
 
 using ScopedX509Stack = crypto::ScopedOpenSSL<STACK_OF(X509), FreeX509Stack>;
 
 // Used for encoding the |connection_status| field of an SSLInfo object.
 int EncodeSSLConnectionStatus(uint16 cipher_suite,
                               int compression,
                               int version) {
@@ skipping 141 matching lines @@
     // Note that SSL_OP_DISABLE_NPN is used to disable NPN if
     // ssl_config_.next_proto is empty.
     SSL_CTX_set_next_proto_select_cb(ssl_ctx_.get(), SelectNextProtoCallback,
                                      NULL);
 
     // Disable the internal session cache. Session caching is handled
     // externally (i.e. by SSLClientSessionCacheOpenSSL).
     SSL_CTX_set_session_cache_mode(
         ssl_ctx_.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL);
     SSL_CTX_sess_set_new_cb(ssl_ctx_.get(), NewSessionCallback);
+
+    if (!RegisterTokenBindingExtensionCallbacks(ssl_ctx_.get()))
+      NOTREACHED();
   }
 
   static int ClientCertRequestCallback(SSL* ssl, void* arg) {
     SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
     DCHECK(socket);
     return socket->ClientCertRequestCallback(ssl);
   }
 
   static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) {
     SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(
@@ skipping 168 matching lines @@
       pending_read_error_(kNoPendingResult),
       pending_read_ssl_error_(SSL_ERROR_NONE),
       transport_read_error_(OK),
       transport_write_error_(OK),
       server_cert_chain_(new PeerCertificateChain(NULL)),
       completed_connect_(false),
       was_ever_used_(false),
       cert_verifier_(context.cert_verifier),
       cert_transparency_verifier_(context.cert_transparency_verifier),
       channel_id_service_(context.channel_id_service),
+      tb_was_negotiated_(false),
+      tb_negotiated_param_(TB_PARAM_ECDSAP256),
       ssl_(NULL),
       transport_bio_(NULL),
       transport_(transport_socket.Pass()),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       ssl_session_cache_shard_(context.ssl_session_cache_shard),
       next_handshake_state_(STATE_NONE),
       disconnected_(false),
       npn_status_(kNextProtoUnsupported),
       channel_id_sent_(false),
@@ skipping 156 matching lines @@
 
   cert_authorities_.clear();
   cert_key_types_.clear();
 
   start_cert_verification_time_ = base::TimeTicks();
 
   npn_status_ = kNextProtoUnsupported;
   npn_proto_.clear();
 
   channel_id_sent_ = false;
+  tb_was_negotiated_ = false;
   session_pending_ = false;
   certificate_verified_ = false;
   channel_id_request_.Cancel();
   ssl_failure_state_ = SSL_FAILURE_NONE;
 
   private_key_.reset();
   signature_result_ = kNoPendingResult;
   signature_.clear();
 }
 
@@ skipping 77 matching lines @@
   ssl_info->cert = server_cert_verify_result_.verified_cert;
   ssl_info->unverified_cert = server_cert_;
   ssl_info->cert_status = server_cert_verify_result_.cert_status;
   ssl_info->is_issued_by_known_root =
       server_cert_verify_result_.is_issued_by_known_root;
   ssl_info->public_key_hashes =
     server_cert_verify_result_.public_key_hashes;
   ssl_info->client_cert_sent =
       ssl_config_.send_client_cert && ssl_config_.client_cert.get();
   ssl_info->channel_id_sent = channel_id_sent_;
+  ssl_info->token_binding_negotiated = tb_was_negotiated_;
+  ssl_info->token_binding_key_param = tb_negotiated_param_;
   ssl_info->pinning_failure_log = pinning_failure_log_;
 
   AddSCTInfoToSSLInfo(ssl_info);
 
   const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
   CHECK(cipher);
   ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
   ssl_info->key_exchange_info =
       SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_));
 
@@ skipping 379 matching lines @@
 
 int SSLClientSocketOpenSSL::DoHandshakeComplete(int result) {
   if (result < 0)
     return result;
 
   if (ssl_config_.version_fallback &&
       ssl_config_.version_max < ssl_config_.version_fallback_min) {
     return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION;
   }
 
+  // Check that if token binding was negotiated, then extended master secret
+  // must also be negotiated.
+  if (tb_was_negotiated_ && !SSL_get_extms_support(ssl_))
+    return ERR_SSL_PROTOCOL_ERROR;
+
   // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was.
   if (npn_status_ == kNextProtoUnsupported) {
     const uint8_t* alpn_proto = NULL;
     unsigned alpn_len = 0;
     SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len);
     if (alpn_len > 0) {
       npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len);
       npn_status_ = kNextProtoNegotiated;
       set_negotiation_extension(kExtensionALPN);
     }
@@ skipping 942 matching lines @@
     result.append("deprecated");
 
   result.append("/");
   if (ssl_config_.channel_id_enabled)
     result.append("channelid");
 
   return result;
 }
 
 bool SSLClientSocketOpenSSL::IsRenegotiationAllowed() const {
+  if (tb_was_negotiated_)
+    return false;
+
   if (npn_status_ == kNextProtoUnsupported)
     return ssl_config_.renego_allowed_default;
 
   NextProto next_proto = NextProtoFromString(npn_proto_);
   for (NextProto allowed : ssl_config_.renego_allowed_for_protos) {
     if (next_proto == allowed)
       return true;
   }
   return false;
 }
@@ skipping 80 matching lines @@
   if (next_handshake_state_ == STATE_HANDSHAKE) {
     OnHandshakeIOComplete(signature_result_);
     return;
   }
 
   // During a renegotiation, either Read or Write calls may be blocked on an
   // asynchronous private key operation.
   PumpReadWriteEvents();
 }
 
+// static
+bool SSLClientSocketOpenSSL::RegisterTokenBindingExtensionCallbacks(
+    SSL_CTX* ssl_ctx) {
+  return SSL_CTX_add_client_custom_ext(
+             ssl_ctx, kTbExtNum, &TokenBindingAddCallback,
+             &TokenBindingFreeCallback, nullptr, &TokenBindingParseCallback,
+             nullptr) != 0;
+}
+
+namespace {
+CBB* CBB_new(size_t initial_capacity) {
+  CBB* ret;
+  ret = reinterpret_cast<CBB*>(OPENSSL_malloc(sizeof(CBB)));
+  if (ret == NULL)
+    return NULL;
+  if (!CBB_init(ret, initial_capacity))
+    OPENSSL_free(ret);
+  return ret;
+}
+
+void CBB_free(CBB* cbb) {
+  if (cbb == NULL)
+    return;
+  CBB_cleanup(cbb);
+  OPENSSL_free(cbb);
+}
+}

[davidben, 2015/11/04 00:40:36]

What's wrong with

class ScopedCBB {
 public:
  ScopedCBB() { CBB_zero(&cbb_); }
  ~ScopedCBB() { CBB_cleanup(&cbb_); }

  CBB* get() { return cbb_; }
 private:
  CBB cbb_;
  DISALLOW_COPY_AND_ASSIGN(ScopedCBB);
};

Shorter, more efficient, and that's how the API is meant to be used. I
specifically added CBB_zero so that it would be scopable without complications.
(CBB_cleanup is defined to be valid in the zero state.)

At the least, it's probably best to not define these OpenSSL-style, so you don't
collide with OpenSSL names later. Also no reason you can't use new/delete or
something or assume malloc doesn't fail.

[nharper, 2015/11/04 02:28:04]

Nothing's wrong with it. I thought you were suggesting using
crypto::ScopedOpenSSL; writing this short ScopedCBB class seems like it's
shorter and simpler.

+
+using ScopedCBB = crypto::ScopedOpenSSL<CBB, CBB_free>;
+
+int SSLClientSocketOpenSSL::TokenBindingAdd(const uint8_t** out,
+                                            size_t* out_len,
+                                            int* out_alert_value) {
+  if (!ssl_config_.token_binding_enabled ||
+      ssl_config_.token_binding_params.empty()) {
+    return 0;
+  }
+  ScopedCBB output(CBB_new(7));
+  CBB parameters_list;
+  int retval = -1;
+  if (!CBB_add_u8(output.get(), kTbProtocolVersionMajor) ||
+      !CBB_add_u8(output.get(), kTbProtocolVersionMinor) ||
+      !CBB_add_u8_length_prefixed(output.get(), &parameters_list)) {
+    return 0;
+  }
+  for (size_t i = 0; i < ssl_config_.token_binding_params.size(); ++i) {
+    if (!CBB_add_u8(&parameters_list, ssl_config_.token_binding_params[i]))
+      return 0;
+  }
+  // |*out| will be freed by TokenBindingFreeCallback.
+  if (!CBB_finish(output.get(), const_cast<uint8_t**>(out), out_len))
+    return 0;
+
+  retval = 1;
+
+  if (retval == -1)
+    *out_alert_value = SSL_AD_INTERNAL_ERROR;
+  return retval;
+}
+
+int SSLClientSocketOpenSSL::TokenBindingParse(const uint8_t* contents,
+                                              size_t contents_len,
+                                              int* out_alert_value) {
+  if (completed_connect_) {
+    // Token Binding may only be negotiated on the initial handshake.
+    *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
+    return 0;
+  }
+
+  CBS extension;
+  CBS_init(&extension, contents, contents_len);
+
+  CBS parameters_list;
+  uint8_t version_major, version_minor, param;
+  if (!CBS_get_u8(&extension, &version_major) ||
+      !CBS_get_u8(&extension, &version_minor) ||
+      !CBS_get_u8_length_prefixed(&extension, &parameters_list) ||
+      !CBS_get_u8(&parameters_list, &param) || CBS_len(&extension) > 0 ||
+      CBS_len(&parameters_list) > 0) {

[davidben, 2015/11/04 00:40:36]

Super nitpicky nit: I think it's mildly better to check CBS_len of
parameters_list before extension, that way you assert empty in stack order.

[nharper, 2015/11/04 02:28:04]

Done.

+    *out_alert_value = SSL_AD_DECODE_ERROR;
+    return 0;
+  }
+  // The server-negotiated version must be less than or equal to our version.
+  if (version_major > kTbProtocolVersionMajor ||
+      (version_minor > kTbProtocolVersionMinor &&
+       version_major == kTbProtocolVersionMajor)) {
+    *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
+    return 0;
+  }
+  // If the version the server negotiated is older than we support, don't fail
+  // parsing the extension, but also don't set |negotiated_|.
+  if (version_major < kTbMinProtocolVersionMajor ||
+      (version_minor < kTbMinProtocolVersionMinor &&
+       version_major == kTbMinProtocolVersionMajor)) {
+    return 1;
+  }
+
+  for (size_t i = 0; i < ssl_config_.token_binding_params.size(); ++i) {
+    if (param == ssl_config_.token_binding_params[i]) {
+      tb_negotiated_param_ = ssl_config_.token_binding_params[i];
+      tb_was_negotiated_ = true;
+      return 1;
+    }
+  }

[davidben, 2015/11/04 00:40:36]

Optional: std::find I think works here too. Might be cleaner? Your call.

[nharper, 2015/11/04 02:28:04]

std::find works, but the code is just as long (or short). I'd prefer to leave it
as is. (The rest of this method is much more C-like than C++-like.)

+
+  *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
+  return 0;
+}
+
+// static
+int SSLClientSocketOpenSSL::TokenBindingAddCallback(
+    SSL* ssl,
+    unsigned int extension_value,
+    const uint8_t** out,
+    size_t* out_len,
+    int* out_alert_value,
+    void* add_arg) {

[davidben, 2015/11/04 00:40:35]

Most of the other FooCallback wrappers were static methods on the SSLContext
which then (like you're doing here) forward to the SSLClientSocketOpenSSL. You
can move Register up into SSLContext too and probably just inline it.

[nharper, 2015/11/04 02:28:04]

I inlined Register in SSLContext. Are you also suggesting I move the static
callback methods to SSLContext?

[davidben, 2015/11/04 17:40:13]

Yeah. Doesn't really matter, but it's more consistent with the rest. SSLContext
can call private methods of SSLClientSocketOpenSSL just fine.

[nharper, 2015/11/04 19:43:18]

I moved them into SSLContext to go with the rest of the callbacks there.

+  DCHECK_EQ(extension_value, kTbExtNum);
+  SSLClientSocketOpenSSL* socket =
+      SSLClientSocketOpenSSL::SSLContext::GetInstance()->GetClientSocketFromSSL(
+          ssl);
+  return socket->TokenBindingAdd(out, out_len, out_alert_value);
+}
+
+// static
+void SSLClientSocketOpenSSL::TokenBindingFreeCallback(SSL* ssl,
+                                                      unsigned extension_value,
+                                                      const uint8_t* out,
+                                                      void* add_arg) {
+  DCHECK_EQ(extension_value, kTbExtNum);
+  OPENSSL_free(const_cast<unsigned char*>(out));
+}
+
+// static
+int SSLClientSocketOpenSSL::TokenBindingParseCallback(
+    SSL* ssl,
+    unsigned int extension_value,
+    const uint8_t* contents,
+    size_t contents_len,
+    int* out_alert_value,
+    void* parse_arg) {
+  DCHECK_EQ(extension_value, kTbExtNum);
+  SSLClientSocketOpenSSL* socket =
+      SSLClientSocketOpenSSL::SSLContext::GetInstance()->GetClientSocketFromSSL(
+          ssl);
+  return socket->TokenBindingParse(contents, contents_len, out_alert_value);
+}
+
 }  // namespace net