Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1564)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/ssl/token_binding_openssl.cc

Issue 1378613004: Set Token-Binding HTTP header (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@tb-tls-ext-new
Patch Set: fix build issues Created 4 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/spdy/spdy_session.cc ('K') | « net/ssl/token_binding_nss.cc ('k') | net/tools/testserver/testserver.py » ('j') | net/url_request/url_request_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/ssl/token_binding_openssl.cc
diff --git a/net/ssl/token_binding_openssl.cc b/net/ssl/token_binding_openssl.cc
new file mode 100644
index 0000000000000000000000000000000000000000..721901096a010061b6534f7dd063fdfebc952d16
--- /dev/null
+++ b/net/ssl/token_binding_openssl.cc
@@ -0,0 +1,146 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/ssl/token_binding.h"
+
+#include <openssl/bytestring.h>
+#include <openssl/ec.h>
+#include <openssl/evp.h>
+#include <openssl/mem.h>
+
+#include "base/stl_util.h"
+#include "crypto/scoped_openssl_types.h"
+#include "net/base/net_errors.h"
+#include "net/ssl/ssl_config.h"
+
+namespace net {
+
+namespace {
+
+enum TokenBindingType {
+ TB_TYPE_PROVIDED = 0,
+ TB_TYPE_REFERRED = 1,
+};
+
+bool BuildTokenBindingID(TokenBindingType type,
+ crypto::ECPrivateKey* key,
+ CBB* out) {
+ CBB ec_point;
+ if (!CBB_add_u8(out, type) || !CBB_add_u8(out, TB_PARAM_ECDSAP256) ||
+ !CBB_add_u8_length_prefixed(out, &ec_point)) {
+ return false;
+ }
+
+ EVP_PKEY* pkey = key->key();
+ static const int kExpectedKeyLength = 65;
+ uint8_t* buf;
+ if (pkey->type != EVP_PKEY_EC ||
+ i2o_ECPublicKey(pkey->pkey.ec, nullptr) != kExpectedKeyLength ||
+ !CBB_add_space(&ec_point, &buf, kExpectedKeyLength) ||
+ i2o_ECPublicKey(pkey->pkey.ec, &buf) != kExpectedKeyLength ||
+ !CBB_flush(out)) {
davidben 2016/01/22 00:19:22 [Later there'll be an EC_POINT_point2cbb but appar
nharper 2016/01/22 19:36:52 Added a TODO to use EC_POINT_point2cbb.
+ return false;
+ }
+ return true;
+}
+
+} // namespace
+
+Error BuildTokenBindingMessageFromTokenBindings(
+ const std::vector<base::StringPiece>& token_bindings,
+ std::string* out) {
+ CBB tb_message, child;
+ if (!CBB_init(&tb_message, 0) ||
+ !CBB_add_u16_length_prefixed(&tb_message, &child)) {
+ CBB_cleanup(&tb_message);
+ return ERR_FAILED;
+ }
+ for (const base::StringPiece& token_binding : token_bindings) {
+ if (!CBB_add_bytes(&child,
+ reinterpret_cast<const uint8_t*>(token_binding.data()),
+ token_binding.size())) {
+ CBB_cleanup(&tb_message);
+ return ERR_FAILED;
+ }
+ }
+
+ uint8_t* out_data;
+ size_t out_len;
+ if (!CBB_finish(&tb_message, &out_data, &out_len)) {
+ CBB_cleanup(&tb_message);
+ return ERR_FAILED;
+ }
+ out->assign(reinterpret_cast<char*>(out_data), out_len);
+ OPENSSL_free(out_data);
+ return OK;
+}
+
+Error BuildProvidedTokenBinding(crypto::ECPrivateKey* key,
+ const std::vector<uint8_t>& signed_ekm,
+ std::string* out) {
+ uint8_t* out_data;
+ size_t out_len;
+ CBB token_binding;
+ if (!CBB_init(&token_binding, 0) ||
+ !BuildTokenBindingID(TB_TYPE_PROVIDED, key, &token_binding) ||
+ !CBB_add_u16(&token_binding, signed_ekm.size()) ||
+ !CBB_add_bytes(&token_binding, signed_ekm.data(), signed_ekm.size()) ||
+ // 0-length extensions
+ !CBB_add_u16(&token_binding, 0) ||
+ !CBB_finish(&token_binding, &out_data, &out_len)) {
+ CBB_cleanup(&token_binding);
+ return ERR_FAILED;
+ }
+ out->assign(reinterpret_cast<char*>(out_data), out_len);
+ OPENSSL_free(out_data);
+ return OK;
+}
+
+bool ParseTokenBindingMessage(base::StringPiece token_binding_message,
+ base::StringPiece* ec_point_out,
+ base::StringPiece* signature_out) {
+ CBS tb_message, tb, ec_point, signature;
+ uint8_t tb_type, tb_param;
+ CBS_init(&tb_message,
+ reinterpret_cast<const uint8_t*>(token_binding_message.data()),
+ token_binding_message.size());
+ if (!CBS_get_u16_length_prefixed(&tb_message, &tb) ||
+ !CBS_get_u8(&tb, &tb_type) || !CBS_get_u8(&tb, &tb_param) ||
+ !CBS_get_u8_length_prefixed(&tb, &ec_point) ||
+ !CBS_get_u16_length_prefixed(&tb, &signature) ||
+ tb_type != TB_TYPE_PROVIDED || tb_param != TB_PARAM_ECDSAP256) {
+ return false;
+ }
+
+ *ec_point_out = base::StringPiece(
+ reinterpret_cast<const char*>(CBS_data(&ec_point)), CBS_len(&ec_point));
+ *signature_out = base::StringPiece(
+ reinterpret_cast<const char*>(CBS_data(&signature)), CBS_len(&signature));
+ return true;
+}
+
+bool VerifyEKMSignature(base::StringPiece ec_point,
+ base::StringPiece signature,
+ base::StringPiece ekm) {
+ crypto::ScopedEC_Key key(EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+ EC_KEY* keyp = key.get();
+ const uint8_t* ec_point_data =
+ reinterpret_cast<const uint8_t*>(ec_point.data());
+ if (o2i_ECPublicKey(&keyp, &ec_point_data, ec_point.size()) != key.get())
+ return false;
+ crypto::ScopedEVP_PKEY pkey(EVP_PKEY_new());
+ if (!EVP_PKEY_assign_EC_KEY(pkey.get(), key.release()))
+ return false;
+ crypto::ScopedEVP_PKEY_CTX pctx(EVP_PKEY_CTX_new(pkey.get(), nullptr));
+ if (!EVP_PKEY_verify_init(pctx.get()) ||
+ !EVP_PKEY_verify(
+ pctx.get(), reinterpret_cast<const uint8_t*>(signature.data()),
+ signature.size(), reinterpret_cast<const uint8_t*>(ekm.data()),
+ ekm.size())) {
+ return false;
+ }
+ return true;
+}
+
+} // namespace net
« net/spdy/spdy_session.cc ('K') | « net/ssl/token_binding_nss.cc ('k') | net/tools/testserver/testserver.py » ('j') | net/url_request/url_request_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698