1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
490 transport_read_error_(OK), | 490 transport_read_error_(OK), |
491 transport_write_error_(OK), | 491 transport_write_error_(OK), |
492 server_cert_chain_(new PeerCertificateChain(NULL)), | 492 server_cert_chain_(new PeerCertificateChain(NULL)), |
493 completed_connect_(false), | 493 completed_connect_(false), |
494 was_ever_used_(false), | 494 was_ever_used_(false), |
495 cert_verifier_(context.cert_verifier), | 495 cert_verifier_(context.cert_verifier), |
496 cert_transparency_verifier_(context.cert_transparency_verifier), | 496 cert_transparency_verifier_(context.cert_transparency_verifier), |
497 channel_id_service_(context.channel_id_service), | 497 channel_id_service_(context.channel_id_service), |
498 tb_was_negotiated_(false), | 498 tb_was_negotiated_(false), |
499 tb_negotiated_param_(TB_PARAM_ECDSAP256), | 499 tb_negotiated_param_(TB_PARAM_ECDSAP256), |
500 tb_signed_ekm_map_(SignedEkmMap::NO_AUTO_EVICT), | |
davidben
2015/11/18 20:49:00
With NO_AUTO_EVICT and no explicit evictions, this
nharper
2015/12/04 01:42:20
Correct. I've changed it to 10.
| |
500 ssl_(NULL), | 501 ssl_(NULL), |
501 transport_bio_(NULL), | 502 transport_bio_(NULL), |
502 transport_(transport_socket.Pass()), | 503 transport_(transport_socket.Pass()), |
503 host_and_port_(host_and_port), | 504 host_and_port_(host_and_port), |
504 ssl_config_(ssl_config), | 505 ssl_config_(ssl_config), |
505 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 506 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
506 next_handshake_state_(STATE_NONE), | 507 next_handshake_state_(STATE_NONE), |
507 disconnected_(false), | 508 disconnected_(false), |
508 npn_status_(kNextProtoUnsupported), | 509 npn_status_(kNextProtoUnsupported), |
509 channel_id_sent_(false), | 510 channel_id_sent_(false), |
545 std::string* proto) const { | 546 std::string* proto) const { |
546 *proto = npn_proto_; | 547 *proto = npn_proto_; |
547 return npn_status_; | 548 return npn_status_; |
548 } | 549 } |
549 | 550 |
550 ChannelIDService* | 551 ChannelIDService* |
551 SSLClientSocketOpenSSL::GetChannelIDService() const { | 552 SSLClientSocketOpenSSL::GetChannelIDService() const { |
552 return channel_id_service_; | 553 return channel_id_service_; |
553 } | 554 } |
554 | 555 |
556 int SSLClientSocketOpenSSL::GetSignedEKMForTokenBinding( | |
557 crypto::ECPrivateKey* key, | |
558 std::vector<uint8_t>* out) { | |
davidben
2015/11/18 20:49:00
I think this deserves a comment like:
// The sa
nharper
2015/12/04 01:42:20
Done.
| |
559 std::string raw_public_key; | |
560 if (!key->ExportRawPublicKey(&raw_public_key)) | |
561 return ERR_FAILED; | |
562 SignedEkmMap::iterator it = tb_signed_ekm_map_.Get(raw_public_key); | |
563 if (it != tb_signed_ekm_map_.end()) { | |
564 *out = it->second; | |
565 return OK; | |
566 } | |
davidben
2015/11/18 20:49:00
Nit: Newline here, probably.
nharper
2015/12/04 01:42:20
Done.
| |
567 size_t tb_ekm_size = 32; | |
568 uint8_t tb_ekm_buf[32]; | |
569 const char tb_ekm_label[] = "EXPORTER-Token-Binding"; | |
davidben
2015/11/18 20:49:00
Nit: static const char kTbEkmLabel[]. Or maybe kTo
nharper
2015/12/04 01:42:20
Done.
| |
570 // The EKM label as specified does not include a null terminating byte. | |
571 // Calling arraysize on a char array includes the null terminator in the | |
572 // length, so subtract 1 to account for that. | |
573 size_t ekm_label_length = arraysize(tb_ekm_label) - 1; | |
davidben
2015/11/18 20:49:00
Rather than that long comment, how about just usin
nharper
2015/12/04 01:42:20
I forgot about strlen. Done.
| |
574 if (!SSL_export_keying_material(ssl_, tb_ekm_buf, tb_ekm_size, tb_ekm_label, | |
575 ekm_label_length, nullptr, 0, false)) { | |
576 return ERR_FAILED; | |
577 } | |
578 | |
579 size_t sig_len; | |
580 crypto::ScopedEVP_PKEY_CTX pctx(EVP_PKEY_CTX_new(key->key(), nullptr)); | |
581 if (!EVP_PKEY_sign_init(pctx.get()) || | |
582 !EVP_PKEY_sign(pctx.get(), nullptr, &sig_len, tb_ekm_buf, tb_ekm_size)) { | |
583 return ERR_FAILED; | |
584 } | |
585 out->resize(sig_len); | |
586 if (!EVP_PKEY_sign(pctx.get(), &out->front(), &sig_len, tb_ekm_buf, | |
davidben
2015/11/18 20:49:00
vector_as_array(out) from base/stl_util.h, very so
nharper
2015/12/04 01:42:20
Done.
| |
587 tb_ekm_size)) { | |
588 return ERR_FAILED; | |
589 } | |
590 out->resize(sig_len); | |
591 tb_signed_ekm_map_.Put(raw_public_key, *out); | |
592 return OK; | |
593 } | |
594 | |
555 SSLFailureState SSLClientSocketOpenSSL::GetSSLFailureState() const { | 595 SSLFailureState SSLClientSocketOpenSSL::GetSSLFailureState() const { |
556 return ssl_failure_state_; | 596 return ssl_failure_state_; |
557 } | 597 } |
558 | 598 |
559 int SSLClientSocketOpenSSL::ExportKeyingMaterial( | 599 int SSLClientSocketOpenSSL::ExportKeyingMaterial( |
560 const base::StringPiece& label, | 600 const base::StringPiece& label, |
561 bool has_context, const base::StringPiece& context, | 601 bool has_context, const base::StringPiece& context, |
562 unsigned char* out, unsigned int outlen) { | 602 unsigned char* out, unsigned int outlen) { |
563 if (!IsConnected()) | 603 if (!IsConnected()) |
564 return ERR_SOCKET_NOT_CONNECTED; | 604 return ERR_SOCKET_NOT_CONNECTED; |
2311 tb_was_negotiated_ = true; | 2351 tb_was_negotiated_ = true; |
2312 return 1; | 2352 return 1; |
2313 } | 2353 } |
2314 } | 2354 } |
2315 | 2355 |
2316 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | 2356 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; |
2317 return 0; | 2357 return 0; |
2318 } | 2358 } |
2319 | 2359 |
2320 } // namespace net | 2360 } // namespace net |
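Review bot: GetSignedEKMForTokenBinding (new lines 556-593) hands ssl_ to SSL_export_keying_material without first checking that the socket is connected, whereas ExportKeyingMaterial directly below it guards with `if (!IsConnected()) return ERR_SOCKET_NOT_CONNECTED;`; ssl_ is initialized to NULL in the constructor, so a call before the handshake has completed would pass a null SSL into the export. Add the same guard as the first statement of the new function, ahead of the ExportRawPublicKey call, so the two keying-material entry points fail the same way. Placing it before the tb_signed_ekm_map_ lookup also means a cached signature is never handed back for a socket that is no longer connected; whether the map is cleared on Disconnect is not visible in this hunk. The bare ERR_FAILED returns additionally leave whatever SSL_export_keying_material or EVP_PKEY_sign pushed on the BoringSSL error queue in place, and it is not visible here whether callers drain it as the socket's other failure paths presumably do.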