OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
7 | 7 |
8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
(...skipping 508 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
519 transport_read_error_(OK), | 519 transport_read_error_(OK), |
520 transport_write_error_(OK), | 520 transport_write_error_(OK), |
521 server_cert_chain_(new PeerCertificateChain(NULL)), | 521 server_cert_chain_(new PeerCertificateChain(NULL)), |
522 completed_connect_(false), | 522 completed_connect_(false), |
523 was_ever_used_(false), | 523 was_ever_used_(false), |
524 cert_verifier_(context.cert_verifier), | 524 cert_verifier_(context.cert_verifier), |
525 cert_transparency_verifier_(context.cert_transparency_verifier), | 525 cert_transparency_verifier_(context.cert_transparency_verifier), |
526 channel_id_service_(context.channel_id_service), | 526 channel_id_service_(context.channel_id_service), |
527 tb_was_negotiated_(false), | 527 tb_was_negotiated_(false), |
528 tb_negotiated_param_(TB_PARAM_ECDSAP256), | 528 tb_negotiated_param_(TB_PARAM_ECDSAP256), |
| 529 tb_signed_ekm_map_(10), |
529 ssl_(NULL), | 530 ssl_(NULL), |
530 transport_bio_(NULL), | 531 transport_bio_(NULL), |
531 transport_(std::move(transport_socket)), | 532 transport_(std::move(transport_socket)), |
532 host_and_port_(host_and_port), | 533 host_and_port_(host_and_port), |
533 ssl_config_(ssl_config), | 534 ssl_config_(ssl_config), |
534 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 535 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
535 next_handshake_state_(STATE_NONE), | 536 next_handshake_state_(STATE_NONE), |
536 disconnected_(false), | 537 disconnected_(false), |
537 npn_status_(kNextProtoUnsupported), | 538 npn_status_(kNextProtoUnsupported), |
538 channel_id_sent_(false), | 539 channel_id_sent_(false), |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
570 std::string* proto) const { | 571 std::string* proto) const { |
571 *proto = npn_proto_; | 572 *proto = npn_proto_; |
572 return npn_status_; | 573 return npn_status_; |
573 } | 574 } |
574 | 575 |
575 ChannelIDService* | 576 ChannelIDService* |
576 SSLClientSocketOpenSSL::GetChannelIDService() const { | 577 SSLClientSocketOpenSSL::GetChannelIDService() const { |
577 return channel_id_service_; | 578 return channel_id_service_; |
578 } | 579 } |
579 | 580 |
| 581 Error SSLClientSocketOpenSSL::GetSignedEKMForTokenBinding( |
| 582 crypto::ECPrivateKey* key, |
| 583 std::vector<uint8_t>* out) { |
| 584 // The same key will be used across multiple requests to sign the same value, |
| 585 // so the signature is cached. |
| 586 std::string raw_public_key; |
| 587 if (!key->ExportRawPublicKey(&raw_public_key)) |
| 588 return ERR_FAILED; |
| 589 SignedEkmMap::iterator it = tb_signed_ekm_map_.Get(raw_public_key); |
| 590 if (it != tb_signed_ekm_map_.end()) { |
| 591 *out = it->second; |
| 592 return OK; |
| 593 } |
| 594 |
| 595 uint8_t tb_ekm_buf[32]; |
| 596 static const char kTokenBindingExporterLabel[] = "EXPORTER-Token-Binding"; |
| 597 if (!SSL_export_keying_material(ssl_, tb_ekm_buf, sizeof(tb_ekm_buf), |
| 598 kTokenBindingExporterLabel, |
| 599 strlen(kTokenBindingExporterLabel), nullptr, |
| 600 0, false /* no context */)) { |
| 601 return ERR_FAILED; |
| 602 } |
| 603 |
| 604 size_t sig_len; |
| 605 crypto::ScopedEVP_PKEY_CTX pctx(EVP_PKEY_CTX_new(key->key(), nullptr)); |
| 606 if (!EVP_PKEY_sign_init(pctx.get()) || |
| 607 !EVP_PKEY_sign(pctx.get(), nullptr, &sig_len, tb_ekm_buf, |
| 608 sizeof(tb_ekm_buf))) { |
| 609 return ERR_FAILED; |
| 610 } |
| 611 out->resize(sig_len); |
| 612 if (!EVP_PKEY_sign(pctx.get(), out->data(), &sig_len, tb_ekm_buf, |
| 613 sizeof(tb_ekm_buf))) { |
| 614 return ERR_FAILED; |
| 615 } |
| 616 out->resize(sig_len); |
| 617 |
| 618 tb_signed_ekm_map_.Put(raw_public_key, *out); |
| 619 return OK; |
| 620 } |
| 621 |
580 SSLFailureState SSLClientSocketOpenSSL::GetSSLFailureState() const { | 622 SSLFailureState SSLClientSocketOpenSSL::GetSSLFailureState() const { |
581 return ssl_failure_state_; | 623 return ssl_failure_state_; |
582 } | 624 } |
583 | 625 |
584 int SSLClientSocketOpenSSL::ExportKeyingMaterial( | 626 int SSLClientSocketOpenSSL::ExportKeyingMaterial( |
585 const base::StringPiece& label, | 627 const base::StringPiece& label, |
586 bool has_context, const base::StringPiece& context, | 628 bool has_context, const base::StringPiece& context, |
587 unsigned char* out, unsigned int outlen) { | 629 unsigned char* out, unsigned int outlen) { |
588 if (!IsConnected()) | 630 if (!IsConnected()) |
589 return ERR_SOCKET_NOT_CONNECTED; | 631 return ERR_SOCKET_NOT_CONNECTED; |
(...skipping 1714 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2304 tb_was_negotiated_ = true; | 2346 tb_was_negotiated_ = true; |
2305 return 1; | 2347 return 1; |
2306 } | 2348 } |
2307 } | 2349 } |
2308 | 2350 |
2309 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; | 2351 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER; |
2310 return 0; | 2352 return 0; |
2311 } | 2353 } |
2312 | 2354 |
2313 } // namespace net | 2355 } // namespace net |
OLD | NEW |