Index: net/socket/ssl_client_socket_openssl.cc |
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc |
index 59d170778bf2cbfec29ff2134455ae71d87dadde..db837babc5a140bbefb9d5a914c40cd389170970 100644 |
--- a/net/socket/ssl_client_socket_openssl.cc |
+++ b/net/socket/ssl_client_socket_openssl.cc |
@@ -497,6 +497,7 @@ SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( |
channel_id_service_(context.channel_id_service), |
tb_was_negotiated_(false), |
tb_negotiated_param_(TB_PARAM_ECDSAP256), |
+ tb_signed_ekm_map_(SignedEkmMap::NO_AUTO_EVICT), |
davidben
2015/11/18 20:49:00
With NO_AUTO_EVICT and no explicit evictions, this
nharper
2015/12/04 01:42:20
Correct. I've changed it to 10.
|
ssl_(NULL), |
transport_bio_(NULL), |
transport_(transport_socket.Pass()), |
@@ -552,6 +553,45 @@ SSLClientSocketOpenSSL::GetChannelIDService() const { |
return channel_id_service_; |
} |
+int SSLClientSocketOpenSSL::GetSignedEKMForTokenBinding( |
+ crypto::ECPrivateKey* key, |
+ std::vector<uint8_t>* out) { |
davidben
2015/11/18 20:49:00
I think this deserves a comment like:
// The sa
nharper
2015/12/04 01:42:20
Done.
|
+ std::string raw_public_key; |
+ if (!key->ExportRawPublicKey(&raw_public_key)) |
+ return ERR_FAILED; |
+ SignedEkmMap::iterator it = tb_signed_ekm_map_.Get(raw_public_key); |
+ if (it != tb_signed_ekm_map_.end()) { |
+ *out = it->second; |
+ return OK; |
+ } |
davidben
2015/11/18 20:49:00
Nit: Newline here, probably.
nharper
2015/12/04 01:42:20
Done.
|
+ size_t tb_ekm_size = 32; |
+ uint8_t tb_ekm_buf[32]; |
+ const char tb_ekm_label[] = "EXPORTER-Token-Binding"; |
davidben
2015/11/18 20:49:00
Nit: static const char kTbEkmLabel[]. Or maybe kTo
nharper
2015/12/04 01:42:20
Done.
|
+ // The EKM label as specified does not include a null terminating byte. |
+ // Calling arraysize on a char array includes the null terminator in the |
+ // length, so subtract 1 to account for that. |
+ size_t ekm_label_length = arraysize(tb_ekm_label) - 1; |
davidben
2015/11/18 20:49:00
Rather than that long comment, how about just usin
nharper
2015/12/04 01:42:20
I forgot about strlen. Done.
|
+ if (!SSL_export_keying_material(ssl_, tb_ekm_buf, tb_ekm_size, tb_ekm_label, |
+ ekm_label_length, nullptr, 0, false)) { |
+ return ERR_FAILED; |
+ } |
+ |
+ size_t sig_len; |
+ crypto::ScopedEVP_PKEY_CTX pctx(EVP_PKEY_CTX_new(key->key(), nullptr)); |
+ if (!EVP_PKEY_sign_init(pctx.get()) || |
+ !EVP_PKEY_sign(pctx.get(), nullptr, &sig_len, tb_ekm_buf, tb_ekm_size)) { |
+ return ERR_FAILED; |
+ } |
+ out->resize(sig_len); |
+ if (!EVP_PKEY_sign(pctx.get(), &out->front(), &sig_len, tb_ekm_buf, |
davidben
2015/11/18 20:49:00
vector_as_array(out) from base/stl_util.h, very so
nharper
2015/12/04 01:42:20
Done.
|
+ tb_ekm_size)) { |
+ return ERR_FAILED; |
+ } |
+ out->resize(sig_len); |
+ tb_signed_ekm_map_.Put(raw_public_key, *out); |
+ return OK; |
+} |
+ |
SSLFailureState SSLClientSocketOpenSSL::GetSSLFailureState() const { |
return ssl_failure_state_; |
} |
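Review bot: `SSL_export_keying_material(ssl_, ...)` in the second hunk runs without any check that `ssl_` is usable or that Token Binding was negotiated on this connection; the constructor context in the first hunk initializes `ssl_` to NULL and `tb_was_negotiated_` to false, so a call before the handshake completes would pass a null SSL* to OpenSSL, and a call on a connection that never negotiated Token Binding would still sign and cache exporter output that has no meaning for that connection. A guard at the top of the function, before `ExportRawPublicKey`, `if (!ssl_ || !tb_was_negotiated_) return ERR_FAILED;`, keeps `tb_signed_ekm_map_` from being populated in either state; whether callers can reach this method before Connect() completes is not visible here, so confirm against the call sites. A smaller point: `out->resize(sig_len)` happens before the final `EVP_PKEY_sign`, so if that call fails the caller's vector is handed back resized but unsigned; signing into a local `std::vector<uint8_t>` and swapping it into `*out` only on success avoids returning a partially written buffer.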