Index: net/socket/ssl_client_socket_openssl.h |
diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h |
index c8478901d82254965c7c5b721b99dac623cd2610..42ec8ecf5c9e40b15e775e1650822bb0e7614105 100644 |
--- a/net/socket/ssl_client_socket_openssl.h |
+++ b/net/socket/ssl_client_socket_openssl.h |
@@ -6,6 +6,7 @@ |
#define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ |
#include <openssl/base.h> |
+#include <openssl/bytestring.h> |
#include <openssl/ssl.h> |
#include <string> |
@@ -35,6 +36,72 @@ class SSLCertRequestInfo; |
class SSLInfo; |
class SSLPrivateKey; |
+// Stores the state and result of the token binding negotiation TLS extension. |
+// (draft-ietf-tokbind-negotiation-00). |
+class TokenBindingExtension { |
mattm
2015/09/24 22:13:13
Maybe this should be a subclass of SSLClientSocket
nharper
2015/09/28 21:43:39
Done.
|
+ public: |
+ static const unsigned int kExtNum = 30033; |
+ |
+ // Token Binding ProtocolVersion that this extension supports. |
+ static const uint8_t kProtocolVersionMajor = 0; |
+ static const uint8_t kProtocolVersionMinor = 2; |
+ |
+ TokenBindingExtension(); |
+ ~TokenBindingExtension(); |
+ |
+ // Sets the supported key params to use in negotiation. If empty, token |
+ // binding will not be negotiated. Does not take ownership of |params|. |
+ void SetParams(std::vector<TokenBindingParam>* params); |
+ |
+ // Returns which TokenBindingParam was negotiated. This value is only valid if |
+ // WasNegotiated returns true. |
+ TokenBindingParam NegotiationResult() const; |
+ |
+ // Returns whether token binding was negotiated. |
+ bool WasNegotiated() const; |
+ |
+ // Sets the custom extension api callbacks to ClientAddCallback, |
+ // ClientFreeCallback, and ClientParseCallback. The callbacks are static |
+ // methods (since the OpenSSL api takes function pointers) and are wrappers to |
+ // call ClientAdd or ClientParse on the TokenBindingExtension object that is a |
+ // member of the SSLClientSocketOpenSSL for the corresponding SSL struct |
+ // passed in to the callback. |
+ static int RegisterCallbacks(SSL_CTX* ssl_ctx); |
+ |
+ private: |
+ static int ClientAddCallback(SSL* s, |
+ unsigned int ext_type, |
+ const unsigned char** out, |
+ size_t* outlen, |
+ int* al, |
+ void* add_arg); |
+ static void ClientFreeCallback(SSL* s, |
+ unsigned int ext_type, |
+ const unsigned char* out, |
+ void* add_arg); |
+ static int ClientParseCallback(SSL* s, |
+ unsigned int ext_type, |
+ const unsigned char* in, |
+ size_t inlen, |
+ int* al, |
+ void* parse_arg); |
+ |
+ int ClientAdd(SSL* s, |
+ unsigned int ext_type, |
+ const unsigned char** out, |
+ size_t* outlen, |
+ int* al); |
+ int ClientParse(SSL* s, |
+ unsigned int ext_type, |
+ const unsigned char* in, |
+ size_t inlen, |
+ int* al); |
+ |
+ bool negotiated_; |
+ TokenBindingParam negotiated_param_; |
+ std::vector<TokenBindingParam> supported_params_; |
+}; |
+ |
// An SSL client socket implemented with OpenSSL. |
class SSLClientSocketOpenSSL : public SSLClientSocket { |
public: |
@@ -99,6 +166,7 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { |
class SSLContext; |
friend class SSLClientSocket; |
friend class SSLContext; |
+ friend class TokenBindingExtension; |
int Init(); |
void DoReadCallback(int result); |
@@ -109,6 +177,8 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { |
int DoHandshakeComplete(int result); |
int DoChannelIDLookup(); |
int DoChannelIDLookupComplete(int result); |
+ int DoTokenBindingLookup(); |
+ int DoTokenBindingLookupComplete(int result); |
int DoVerifyCert(int result); |
int DoVerifyCertComplete(int result); |
void DoConnectCallback(int result); |
@@ -277,6 +347,7 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { |
// The service for retrieving Channel ID keys. May be NULL. |
ChannelIDService* channel_id_service_; |
+ TokenBindingExtension token_binding_extension_; |
// OpenSSL stuff |
SSL* ssl_; |
@@ -296,6 +367,8 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { |
STATE_HANDSHAKE_COMPLETE, |
STATE_CHANNEL_ID_LOOKUP, |
STATE_CHANNEL_ID_LOOKUP_COMPLETE, |
+ STATE_TOKEN_BINDING_LOOKUP, |
+ STATE_TOKEN_BINDING_LOOKUP_COMPLETE, |
STATE_VERIFY_CERT, |
STATE_VERIFY_CERT_COMPLETE, |
}; |
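Review bot: In the `@@ -35,6 +36,72 @@` hunk, `SetParams(std::vector<TokenBindingParam>* params)` takes a mutable pointer although the class stores `supported_params_` by value and the comment says it does not take ownership, so the signature should be `void SetParams(const std::vector<TokenBindingParam>& params);`, which removes the null case and makes the copy explicit. `ClientParse` consumes `in`/`inlen` straight from the peer, so its declaration should state the failure contract the .cc (not visible here) must honour, e.g. `// A malformed or unsupported extension sets *al and returns 0, failing the handshake instead of reporting "not negotiated".`. `negotiated_` and `negotiated_param_` carry no in-class initializer, so `WasNegotiated()` reads an indeterminate value if the constructor (not shown) omits them; `bool negotiated_ = false;` would close that gap if the file's style permits it. `kExtNum = 30033` also deserves a one-line comment on where the number comes from (provisional draft value vs. registered), since an extension-number collision would feed another extension's bytes into this parser; `<vector>` should be added alongside `<string>` if it is not already included below the shown hunk.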