Chromium Code Reviews Chromium Code Reviews
Issue 1378613004:
Set Token-Binding HTTP header (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@tb-tls-ext-new| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 11 #include <openssl/bio.h> | 11 #include <openssl/bio.h> |
| 12 #include <openssl/bytestring.h> | 12 #include <openssl/bytestring.h> |
| 13 #include <openssl/err.h> | 13 #include <openssl/err.h> |
| 14 #include <openssl/evp.h> | 14 #include <openssl/evp.h> |
| 15 #include <openssl/mem.h> | 15 #include <openssl/mem.h> |
| 16 #include <openssl/ssl.h> | 16 #include <openssl/ssl.h> |
| 17 #include <string.h> | 17 #include <string.h> |
| 18 | 18 |
| 19 #include <utility> | 19 #include <utility> |
| 20 | 20 |
| 21 #include "base/bind.h" | 21 #include "base/bind.h" |
| 22 #include "base/callback_helpers.h" | 22 #include "base/callback_helpers.h" |
| 23 #include "base/lazy_instance.h" | 23 #include "base/lazy_instance.h" |
| 24 #include "base/macros.h" | 24 #include "base/macros.h" |
| 25 #include "base/memory/singleton.h" | 25 #include "base/memory/singleton.h" |
| 26 #include "base/metrics/histogram_macros.h" | 26 #include "base/metrics/histogram_macros.h" |
| 27 #include "base/metrics/sparse_histogram.h" | 27 #include "base/metrics/sparse_histogram.h" |
| 28 #include "base/profiler/scoped_tracker.h" | 28 #include "base/profiler/scoped_tracker.h" |
| 29 #include "base/stl_util.h" | |
|
davidben
2016/01/22 00:19:21
Unused?
nharper
2016/01/22 19:36:52
Removed.
| |
| 29 #include "base/strings/string_piece.h" | 30 #include "base/strings/string_piece.h" |
| 30 #include "base/synchronization/lock.h" | 31 #include "base/synchronization/lock.h" |
| 31 #include "base/threading/thread_local.h" | 32 #include "base/threading/thread_local.h" |
| 32 #include "base/values.h" | 33 #include "base/values.h" |
| 33 #include "crypto/ec_private_key.h" | 34 #include "crypto/ec_private_key.h" |
| 34 #include "crypto/openssl_util.h" | 35 #include "crypto/openssl_util.h" |
| 35 #include "crypto/scoped_openssl_types.h" | 36 #include "crypto/scoped_openssl_types.h" |
| 36 #include "net/base/ip_address_number.h" | 37 #include "net/base/ip_address_number.h" |
| 37 #include "net/base/net_errors.h" | 38 #include "net/base/net_errors.h" |
| 38 #include "net/cert/cert_verifier.h" | 39 #include "net/cert/cert_verifier.h" |
| (...skipping 480 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 519 transport_read_error_(OK), | 520 transport_read_error_(OK), |
| 520 transport_write_error_(OK), | 521 transport_write_error_(OK), |
| 521 server_cert_chain_(new PeerCertificateChain(NULL)), | 522 server_cert_chain_(new PeerCertificateChain(NULL)), |
| 522 completed_connect_(false), | 523 completed_connect_(false), |
| 523 was_ever_used_(false), | 524 was_ever_used_(false), |
| 524 cert_verifier_(context.cert_verifier), | 525 cert_verifier_(context.cert_verifier), |
| 525 cert_transparency_verifier_(context.cert_transparency_verifier), | 526 cert_transparency_verifier_(context.cert_transparency_verifier), |
| 526 channel_id_service_(context.channel_id_service), | 527 channel_id_service_(context.channel_id_service), |
| 527 tb_was_negotiated_(false), | 528 tb_was_negotiated_(false), |
| 528 tb_negotiated_param_(TB_PARAM_ECDSAP256), | 529 tb_negotiated_param_(TB_PARAM_ECDSAP256), |
| 530 tb_signed_ekm_map_(10), | |
| 529 ssl_(NULL), | 531 ssl_(NULL), |
| 530 transport_bio_(NULL), | 532 transport_bio_(NULL), |
| 531 transport_(std::move(transport_socket)), | 533 transport_(std::move(transport_socket)), |
| 532 host_and_port_(host_and_port), | 534 host_and_port_(host_and_port), |
| 533 ssl_config_(ssl_config), | 535 ssl_config_(ssl_config), |
| 534 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 536 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
| 535 next_handshake_state_(STATE_NONE), | 537 next_handshake_state_(STATE_NONE), |
| 536 disconnected_(false), | 538 disconnected_(false), |
| 537 npn_status_(kNextProtoUnsupported), | 539 npn_status_(kNextProtoUnsupported), |
| 538 channel_id_sent_(false), | 540 channel_id_sent_(false), |
| (...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 570 std::string* proto) const { | 572 std::string* proto) const { |
| 571 *proto = npn_proto_; | 573 *proto = npn_proto_; |
| 572 return npn_status_; | 574 return npn_status_; |
| 573 } | 575 } |
| 574 | 576 |
| 575 ChannelIDService* | 577 ChannelIDService* |
| 576 SSLClientSocketOpenSSL::GetChannelIDService() const { | 578 SSLClientSocketOpenSSL::GetChannelIDService() const { |
| 577 return channel_id_service_; | 579 return channel_id_service_; |
| 578 } | 580 } |
| 579 | 581 |
| 582 int SSLClientSocketOpenSSL::GetSignedEKMForTokenBinding( | |
| 583 crypto::ECPrivateKey* key, | |
| 584 std::vector<uint8_t>* out) { | |
| 585 // The same key will be used across multiple requests to sign the same value, | |
| 586 // so the signature is cached. | |
| 587 std::string raw_public_key; | |
| 588 if (!key->ExportRawPublicKey(&raw_public_key)) | |
| 589 return ERR_FAILED; | |
| 590 SignedEkmMap::iterator it = tb_signed_ekm_map_.Get(raw_public_key); | |
| 591 if (it != tb_signed_ekm_map_.end()) { | |
| 592 *out = it->second; | |
| 593 return OK; | |
| 594 } | |
| 595 | |
| 596 size_t tb_ekm_size = 32; | |
|
davidben
2016/01/22 00:19:21
Nit: Could just use sizeof(tb_ekm_buf) everywhere
nharper
2016/01/22 19:36:52
Done.
| |
| 597 uint8_t tb_ekm_buf[32]; | |
| 598 static const char kTokenBindingExporterLabel[] = "EXPORTER-Token-Binding"; | |
| 599 size_t ekm_label_length = strlen(kTokenBindingExporterLabel); | |
|
davidben
2016/01/22 00:19:21
Nit: Could just use strlen(kTokenBindingExporterLa
nharper
2016/01/22 19:36:52
Done.
| |
| 600 if (!SSL_export_keying_material(ssl_, tb_ekm_buf, tb_ekm_size, | |
| 601 kTokenBindingExporterLabel, ekm_label_length, | |
| 602 nullptr, 0, false)) { | |
|
davidben
2016/01/22 00:19:21
Nit: false /* no context */
nharper
2016/01/22 19:36:52
I've made this change, but I'm not sure it's any c
| |
| 603 return ERR_FAILED; | |
| 604 } | |
| 605 | |
| 606 size_t sig_len; | |
| 607 crypto::ScopedEVP_PKEY_CTX pctx(EVP_PKEY_CTX_new(key->key(), nullptr)); | |
| 608 if (!EVP_PKEY_sign_init(pctx.get()) || | |
| 609 !EVP_PKEY_sign(pctx.get(), nullptr, &sig_len, tb_ekm_buf, tb_ekm_size)) { | |
| 610 return ERR_FAILED; | |
| 611 } | |
| 612 out->resize(sig_len); | |
| 613 if (!EVP_PKEY_sign(pctx.get(), out->data(), &sig_len, tb_ekm_buf, | |
| 614 tb_ekm_size)) { | |
| 615 return ERR_FAILED; | |
| 616 } | |
| 617 out->resize(sig_len); | |
| 618 | |
| 619 tb_signed_ekm_map_.Put(raw_public_key, *out); | |
| 620 return OK; | |
| 621 } | |
| 622 | |
| 580 SSLFailureState SSLClientSocketOpenSSL::GetSSLFailureState() const { | 623 SSLFailureState SSLClientSocketOpenSSL::GetSSLFailureState() const { |
| 581 return ssl_failure_state_; | 624 return ssl_failure_state_; |
| 582 } | 625 } |
| 583 | 626 |
| 584 int SSLClientSocketOpenSSL::ExportKeyingMaterial( | 627 int SSLClientSocketOpenSSL::ExportKeyingMaterial( |
| 585 const base::StringPiece& label, | 628 const base::StringPiece& label, |
| 586 bool has_context, const base::StringPiece& context, | 629 bool has_context, const base::StringPiece& context, |
| 587 unsigned char* out, unsigned int outlen) { | 630 unsigned char* out, unsigned int outlen) { |
| 588 if (!IsConnected()) | 631 if (!IsConnected()) |
| 589 return ERR_SOCKET_NOT_CONNECTED; | 632 return ERR_SOCKET_NOT_CONNECTED; |
| (...skipping 1714 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2304 tb_was_negotiated_ = true; | 2347 tb_was_negotiated_ = true; |
| 2305 return 1; | 2348 return 1; |
| 2306 } | 2349 } |
| 2307 } | 2350 } |
| 2308 | 2351 |
| 2309 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | 2352 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; |
| 2310 return 0; | 2353 return 0; |
| 2311 } | 2354 } |
| 2312 | 2355 |
| 2313 } // namespace net | 2356 } // namespace net |
| OLD | NEW |
