Implement referred Token Bindings

net/http/http_network_transaction.cc

Index: net/http/http_network_transaction.cc
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 94361dac063db5f2152086d21095825635f0b6bf..a6ab6069315d13031c87b69a554f2bb1df99e7cc 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -976,11 +976,16 @@ int HttpNetworkTransaction::DoGetTokenBindingKey() {
   if (!IsTokenBindingEnabled())
     return OK;
 
+  scoped_ptr<crypto::ECPrivateKey>* key = &provided_token_binding_key_;
+  std::string host = request_->url.host();
+  if (provided_token_binding_key_) {
+    key = &referred_token_binding_key_;
+    host = request_->token_binding_referrer;
+  }
   net_log_.BeginEvent(NetLog::TYPE_HTTP_TRANSACTION_GET_TOKEN_BINDING_KEY);
   ChannelIDService* channel_id_service = session_->params().channel_id_service;
-  return channel_id_service->GetOrCreateChannelID(
-      request_->url.host(), &token_binding_key_, io_callback_,
-      &token_binding_request_);
+  return channel_id_service->GetOrCreateChannelID(host, key, io_callback_,
+                                                  &token_binding_request_);
 }
 
 int HttpNetworkTransaction::DoGetTokenBindingKeyComplete(int rv) {

[davidben, 2016/03/24 20:53:52]

This might want to be done separately, but I think there's a bug here. If rv !=
OK, you still go to STATE_INIT_REQUEST_BODY and then you hit DoLoop's DCHECK.
Perhaps something like this?

int DoGetTokenBindingKey(int rv) {
  if (IsTokenBindingEnabled())
    net_log_.EndEventWithNetErrorCode(...);
  if (rv < 0)
    return rv;
  
  if (!request....) {
    next_state_ = STATE_GET_TOKEN_BINDING_KEY;
  } else {
    next_state_ = STATE_INIT_REQUEST_BODY;
  }
  return rv;
}

The IsTokenBindingEnabled thing is kind of weird. I guess it depends on whether
you want to skip steps (mirrors synchronous code more, but more potential for
messing up state transitions) or no-op unnecessary states. The latter does seem
more consistent for this file, so it's probably better?

[nharper, 2016/03/25 01:34:29]

I've changed the call to IsTokenBindingEnabled to be more like what you
suggested. I also changed it so that next_state_ is only set if rv == OK (which
seems to be the pattern for Do*Complete methods here). I also set it up so the
referred TB states are no-ops when there's no need to look up a referred TB key.

@@ -989,6 +994,10 @@ int HttpNetworkTransaction::DoGetTokenBindingKeyComplete(int rv) {
   if (!IsTokenBindingEnabled())
     return OK;
 
+  if (!request_->token_binding_referrer.empty() &&
+      !referred_token_binding_key_ && rv == OK) {
+    next_state_ = STATE_GET_TOKEN_BINDING_KEY;
+  }
   net_log_.EndEventWithNetErrorCode(
       NetLog::TYPE_HTTP_TRANSACTION_GET_TOKEN_BINDING_KEY, rv);
   return rv;
@@ -1028,7 +1037,7 @@ int HttpNetworkTransaction::BuildRequestHeaders(
   }
 
   RecordTokenBindingSupport();
-  if (token_binding_key_) {
+  if (provided_token_binding_key_) {
     std::string token_binding_header;
     int rv = BuildTokenBindingHeader(&token_binding_header);
     if (rv != OK)
@@ -1066,17 +1075,32 @@ int HttpNetworkTransaction::BuildRequestHeaders(
 
 int HttpNetworkTransaction::BuildTokenBindingHeader(std::string* out) {
   std::vector<uint8_t> signed_ekm;
-  int rv = stream_->GetSignedEKMForTokenBinding(token_binding_key_.get(),
-                                                &signed_ekm);
+  int rv = stream_->GetSignedEKMForTokenBinding(
+      provided_token_binding_key_.get(), &signed_ekm);
   if (rv != OK)
     return rv;
   std::string provided_token_binding;
-  rv = BuildProvidedTokenBinding(token_binding_key_.get(), signed_ekm,
-                                 &provided_token_binding);
+  rv = BuildTokenBinding(TB_TYPE_PROVIDED, provided_token_binding_key_.get(),
+                         signed_ekm, &provided_token_binding);
   if (rv != OK)
     return rv;
+
   std::vector<base::StringPiece> token_bindings;
   token_bindings.push_back(provided_token_binding);
+
+  std::string referred_token_binding;
+  if (referred_token_binding_key_) {
+    std::vector<uint8_t> referred_signed_ekm;
+    int rv = stream_->GetSignedEKMForTokenBinding(
+        referred_token_binding_key_.get(), &referred_signed_ekm);
+    if (rv != OK)
+      return rv;
+    rv = BuildTokenBinding(TB_TYPE_REFERRED, referred_token_binding_key_.get(),
+                           referred_signed_ekm, &referred_token_binding);
+    if (rv != OK)
+      return rv;
+    token_bindings.push_back(referred_token_binding);
+  }
   std::string header;
   rv = BuildTokenBindingMessageFromTokenBindings(token_bindings, &header);
   if (rv != OK)
@@ -1563,7 +1587,8 @@ void HttpNetworkTransaction::ResetStateForAuthRestart() {
   remote_endpoint_ = IPEndPoint();
   net_error_details_.quic_broken = false;
   net_error_details_.quic_connection_error = QUIC_NO_ERROR;
-  token_binding_key_.reset();
+  provided_token_binding_key_.reset();
+  referred_token_binding_key_.reset();
 }
 
 void HttpNetworkTransaction::CacheNetErrorDetailsAndResetStream() {