Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(73)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/socket/ssl_client_socket_openssl.cc

Issue 1921563003: Renaming _openssl files to _impl (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/android/keystore_impl.h ('K') | « net/socket/ssl_client_socket_openssl.h ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | net/socket/ssl_client_socket_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // OpenSSL binding for SSLClientSocket. The class layout and general principle
6 // of operation is derived from SSLClientSocketNSS.
7
8 #include "net/socket/ssl_client_socket_openssl.h"
9
10 #include <errno.h>
11 #include <openssl/bio.h>
12 #include <openssl/bytestring.h>
13 #include <openssl/err.h>
14 #include <openssl/evp.h>
15 #include <openssl/mem.h>
16 #include <openssl/ssl.h>
17 #include <string.h>
18
19 #include <utility>
20
21 #include "base/bind.h"
22 #include "base/callback_helpers.h"
23 #include "base/lazy_instance.h"
24 #include "base/macros.h"
25 #include "base/memory/singleton.h"
26 #include "base/metrics/histogram_macros.h"
27 #include "base/metrics/sparse_histogram.h"
28 #include "base/profiler/scoped_tracker.h"
29 #include "base/strings/string_number_conversions.h"
30 #include "base/strings/string_piece.h"
31 #include "base/synchronization/lock.h"
32 #include "base/threading/thread_local.h"
33 #include "base/trace_event/trace_event.h"
34 #include "base/values.h"
35 #include "crypto/auto_cbb.h"
36 #include "crypto/ec_private_key.h"
37 #include "crypto/openssl_util.h"
38 #include "crypto/scoped_openssl_types.h"
39 #include "net/base/ip_address.h"
40 #include "net/base/net_errors.h"
41 #include "net/cert/cert_verifier.h"
42 #include "net/cert/ct_ev_whitelist.h"
43 #include "net/cert/ct_policy_enforcer.h"
44 #include "net/cert/ct_policy_status.h"
45 #include "net/cert/ct_verifier.h"
46 #include "net/cert/x509_certificate_net_log_param.h"
47 #include "net/cert/x509_util_openssl.h"
48 #include "net/http/transport_security_state.h"
49 #include "net/ssl/scoped_openssl_types.h"
50 #include "net/ssl/ssl_cert_request_info.h"
51 #include "net/ssl/ssl_client_session_cache_openssl.h"
52 #include "net/ssl/ssl_connection_status_flags.h"
53 #include "net/ssl/ssl_failure_state.h"
54 #include "net/ssl/ssl_info.h"
55 #include "net/ssl/ssl_private_key.h"
56 #include "net/ssl/token_binding.h"
57
58 #if !defined(OS_NACL)
59 #include "net/ssl/ssl_key_logger.h"
60 #endif
61
62 #if defined(USE_NSS_CERTS)
63 #include "net/cert_net/nss_ocsp.h"
64 #endif
65
66 namespace net {
67
68 namespace {
69
70 // Enable this to see logging for state machine state transitions.
71 #if 0
72 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \
73 " jump to state " << s; \
74 next_handshake_state_ = s; } while (0)
75 #else
76 #define GotoState(s) next_handshake_state_ = s
77 #endif
78
79 // This constant can be any non-negative/non-zero value (eg: it does not
80 // overlap with any value of the net::Error range, including net::OK).
81 const int kNoPendingResult = 1;
82
83 // If a client doesn't have a list of protocols that it supports, but
84 // the server supports NPN, choosing "http/1.1" is the best answer.
85 const char kDefaultSupportedNPNProtocol[] = "http/1.1";
86
87 // Default size of the internal BoringSSL buffers.
88 const int KDefaultOpenSSLBufferSize = 17 * 1024;
89
90 // TLS extension number use for Token Binding.
91 const unsigned int kTbExtNum = 24;
92
93 // Token Binding ProtocolVersions supported.
94 const uint8_t kTbProtocolVersionMajor = 0;
95 const uint8_t kTbProtocolVersionMinor = 5;
96 const uint8_t kTbMinProtocolVersionMajor = 0;
97 const uint8_t kTbMinProtocolVersionMinor = 3;
98
99 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
100 switch (EVP_MD_type(md)) {
101 case NID_md5_sha1:
102 *hash = SSLPrivateKey::Hash::MD5_SHA1;
103 return true;
104 case NID_sha1:
105 *hash = SSLPrivateKey::Hash::SHA1;
106 return true;
107 case NID_sha256:
108 *hash = SSLPrivateKey::Hash::SHA256;
109 return true;
110 case NID_sha384:
111 *hash = SSLPrivateKey::Hash::SHA384;
112 return true;
113 case NID_sha512:
114 *hash = SSLPrivateKey::Hash::SHA512;
115 return true;
116 default:
117 return false;
118 }
119 }
120
121 std::unique_ptr<base::Value> NetLogPrivateKeyOperationCallback(
122 SSLPrivateKey::Type type,
123 SSLPrivateKey::Hash hash,
124 NetLogCaptureMode mode) {
125 std::string type_str;
126 switch (type) {
127 case SSLPrivateKey::Type::RSA:
128 type_str = "RSA";
129 break;
130 case SSLPrivateKey::Type::ECDSA:
131 type_str = "ECDSA";
132 break;
133 }
134
135 std::string hash_str;
136 switch (hash) {
137 case SSLPrivateKey::Hash::MD5_SHA1:
138 hash_str = "MD5_SHA1";
139 break;
140 case SSLPrivateKey::Hash::SHA1:
141 hash_str = "SHA1";
142 break;
143 case SSLPrivateKey::Hash::SHA256:
144 hash_str = "SHA256";
145 break;
146 case SSLPrivateKey::Hash::SHA384:
147 hash_str = "SHA384";
148 break;
149 case SSLPrivateKey::Hash::SHA512:
150 hash_str = "SHA512";
151 break;
152 }
153
154 std::unique_ptr<base::DictionaryValue> value(new base::DictionaryValue);
155 value->SetString("type", type_str);
156 value->SetString("hash", hash_str);
157 return std::move(value);
158 }
159
160 std::unique_ptr<base::Value> NetLogChannelIDLookupCallback(
161 ChannelIDService* channel_id_service,
162 NetLogCaptureMode capture_mode) {
163 ChannelIDStore* store = channel_id_service->GetChannelIDStore();
164 std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
165 dict->SetBoolean("ephemeral", store->IsEphemeral());
166 dict->SetString("service", base::HexEncode(&channel_id_service,
167 sizeof(channel_id_service)));
168 dict->SetString("store", base::HexEncode(&store, sizeof(store)));
169 return std::move(dict);
170 }
171
172 std::unique_ptr<base::Value> NetLogChannelIDLookupCompleteCallback(
173 crypto::ECPrivateKey* key,
174 int result,
175 NetLogCaptureMode capture_mode) {
176 std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
177 dict->SetInteger("net_error", result);
178 std::string raw_key;
179 if (result == OK && key && key->ExportRawPublicKey(&raw_key)) {
180 std::string key_to_log = "redacted";
181 if (capture_mode.include_cookies_and_credentials()) {
182 key_to_log = base::HexEncode(raw_key.data(), raw_key.length());
183 }
184 dict->SetString("key", key_to_log);
185 }
186 return std::move(dict);
187 }
188
189 } // namespace
190
191 class SSLClientSocketOpenSSL::SSLContext {
192 public:
193 static SSLContext* GetInstance() {
194 return base::Singleton<SSLContext>::get();
195 }
196 SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); }
197 SSLClientSessionCacheOpenSSL* session_cache() { return &session_cache_; }
198
199 SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) {
200 DCHECK(ssl);
201 SSLClientSocketOpenSSL* socket = static_cast<SSLClientSocketOpenSSL*>(
202 SSL_get_ex_data(ssl, ssl_socket_data_index_));
203 DCHECK(socket);
204 return socket;
205 }
206
207 bool SetClientSocketForSSL(SSL* ssl, SSLClientSocketOpenSSL* socket) {
208 return SSL_set_ex_data(ssl, ssl_socket_data_index_, socket) != 0;
209 }
210
211 #if !defined(OS_NACL)
212 void SetSSLKeyLogFile(
213 const base::FilePath& path,
214 const scoped_refptr<base::SequencedTaskRunner>& task_runner) {
215 DCHECK(!ssl_key_logger_);
216 ssl_key_logger_.reset(new SSLKeyLogger(path, task_runner));
217 SSL_CTX_set_keylog_callback(ssl_ctx_.get(), KeyLogCallback);
218 }
219 #endif
220
221 static const SSL_PRIVATE_KEY_METHOD kPrivateKeyMethod;
222
223 private:
224 friend struct base::DefaultSingletonTraits<SSLContext>;
225
226 SSLContext() : session_cache_(SSLClientSessionCacheOpenSSL::Config()) {
227 crypto::EnsureOpenSSLInit();
228 ssl_socket_data_index_ = SSL_get_ex_new_index(0, 0, 0, 0, 0);
229 DCHECK_NE(ssl_socket_data_index_, -1);
230 ssl_ctx_.reset(SSL_CTX_new(SSLv23_client_method()));
231 SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), CertVerifyCallback, NULL);
232 SSL_CTX_set_cert_cb(ssl_ctx_.get(), ClientCertRequestCallback, NULL);
233 SSL_CTX_set_verify(ssl_ctx_.get(), SSL_VERIFY_PEER, NULL);
234 // This stops |SSL_shutdown| from generating the close_notify message, which
235 // is currently not sent on the network.
236 // TODO(haavardm): Remove setting quiet shutdown once 118366 is fixed.
237 SSL_CTX_set_quiet_shutdown(ssl_ctx_.get(), 1);
238 // Note that SSL_OP_DISABLE_NPN is used to disable NPN if
239 // ssl_config_.next_proto is empty.
240 SSL_CTX_set_next_proto_select_cb(ssl_ctx_.get(), SelectNextProtoCallback,
241 NULL);
242
243 // Disable the internal session cache. Session caching is handled
244 // externally (i.e. by SSLClientSessionCacheOpenSSL).
245 SSL_CTX_set_session_cache_mode(
246 ssl_ctx_.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL);
247 SSL_CTX_sess_set_new_cb(ssl_ctx_.get(), NewSessionCallback);
248
249 if (!SSL_CTX_add_client_custom_ext(ssl_ctx_.get(), kTbExtNum,
250 &TokenBindingAddCallback,
251 &TokenBindingFreeCallback, nullptr,
252 &TokenBindingParseCallback, nullptr)) {
253 NOTREACHED();
254 }
255 }
256
257 static int TokenBindingAddCallback(SSL* ssl,
258 unsigned int extension_value,
259 const uint8_t** out,
260 size_t* out_len,
261 int* out_alert_value,
262 void* add_arg) {
263 DCHECK_EQ(extension_value, kTbExtNum);
264 SSLClientSocketOpenSSL* socket =
265 SSLClientSocketOpenSSL::SSLContext::GetInstance()
266 ->GetClientSocketFromSSL(ssl);
267 return socket->TokenBindingAdd(out, out_len, out_alert_value);
268 }
269
270 static void TokenBindingFreeCallback(SSL* ssl,
271 unsigned extension_value,
272 const uint8_t* out,
273 void* add_arg) {
274 DCHECK_EQ(extension_value, kTbExtNum);
275 OPENSSL_free(const_cast<unsigned char*>(out));
276 }
277
278 static int TokenBindingParseCallback(SSL* ssl,
279 unsigned int extension_value,
280 const uint8_t* contents,
281 size_t contents_len,
282 int* out_alert_value,
283 void* parse_arg) {
284 DCHECK_EQ(extension_value, kTbExtNum);
285 SSLClientSocketOpenSSL* socket =
286 SSLClientSocketOpenSSL::SSLContext::GetInstance()
287 ->GetClientSocketFromSSL(ssl);
288 return socket->TokenBindingParse(contents, contents_len, out_alert_value);
289 }
290
291 static int ClientCertRequestCallback(SSL* ssl, void* arg) {
292 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
293 DCHECK(socket);
294 return socket->ClientCertRequestCallback(ssl);
295 }
296
297 static int CertVerifyCallback(X509_STORE_CTX *store_ctx, void *arg) {
298 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(
299 store_ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
300 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
301 CHECK(socket);
302
303 return socket->CertVerifyCallback(store_ctx);
304 }
305
306 static int SelectNextProtoCallback(SSL* ssl,
307 unsigned char** out, unsigned char* outlen,
308 const unsigned char* in,
309 unsigned int inlen, void* arg) {
310 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
311 return socket->SelectNextProtoCallback(out, outlen, in, inlen);
312 }
313
314 static int NewSessionCallback(SSL* ssl, SSL_SESSION* session) {
315 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
316 return socket->NewSessionCallback(session);
317 }
318
319 static int PrivateKeyTypeCallback(SSL* ssl) {
320 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
321 return socket->PrivateKeyTypeCallback();
322 }
323
324 static size_t PrivateKeyMaxSignatureLenCallback(SSL* ssl) {
325 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
326 return socket->PrivateKeyMaxSignatureLenCallback();
327 }
328
329 static ssl_private_key_result_t PrivateKeySignCallback(SSL* ssl,
330 uint8_t* out,
331 size_t* out_len,
332 size_t max_out,
333 const EVP_MD* md,
334 const uint8_t* in,
335 size_t in_len) {
336 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
337 return socket->PrivateKeySignCallback(out, out_len, max_out, md, in,
338 in_len);
339 }
340
341 static ssl_private_key_result_t PrivateKeySignCompleteCallback(
342 SSL* ssl,
343 uint8_t* out,
344 size_t* out_len,
345 size_t max_out) {
346 SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
347 return socket->PrivateKeySignCompleteCallback(out, out_len, max_out);
348 }
349
350 #if !defined(OS_NACL)
351 static void KeyLogCallback(const SSL* ssl, const char* line) {
352 GetInstance()->ssl_key_logger_->WriteLine(line);
353 }
354 #endif
355
356 // This is the index used with SSL_get_ex_data to retrieve the owner
357 // SSLClientSocketOpenSSL object from an SSL instance.
358 int ssl_socket_data_index_;
359
360 ScopedSSL_CTX ssl_ctx_;
361
362 #if !defined(OS_NACL)
363 std::unique_ptr<SSLKeyLogger> ssl_key_logger_;
364 #endif
365
366 // TODO(davidben): Use a separate cache per URLRequestContext.
367 // https://crbug.com/458365
368 //
369 // TODO(davidben): Sessions should be invalidated on fatal
370 // alerts. https://crbug.com/466352
371 SSLClientSessionCacheOpenSSL session_cache_;
372 };
373
374 const SSL_PRIVATE_KEY_METHOD
375 SSLClientSocketOpenSSL::SSLContext::kPrivateKeyMethod = {
376 &SSLClientSocketOpenSSL::SSLContext::PrivateKeyTypeCallback,
377 &SSLClientSocketOpenSSL::SSLContext::PrivateKeyMaxSignatureLenCallback,
378 &SSLClientSocketOpenSSL::SSLContext::PrivateKeySignCallback,
379 &SSLClientSocketOpenSSL::SSLContext::PrivateKeySignCompleteCallback,
380 };
381
382 // PeerCertificateChain is a helper object which extracts the certificate
383 // chain, as given by the server, from an OpenSSL socket and performs the needed
384 // resource management. The first element of the chain is the leaf certificate
385 // and the other elements are in the order given by the server.
386 class SSLClientSocketOpenSSL::PeerCertificateChain {
387 public:
388 explicit PeerCertificateChain(STACK_OF(X509)* chain) { Reset(chain); }
389 PeerCertificateChain(const PeerCertificateChain& other) { *this = other; }
390 ~PeerCertificateChain() {}
391 PeerCertificateChain& operator=(const PeerCertificateChain& other);
392
393 // Resets the PeerCertificateChain to the set of certificates in|chain|,
394 // which may be NULL, indicating to empty the store certificates.
395 // Note: If an error occurs, such as being unable to parse the certificates,
396 // this will behave as if Reset(NULL) was called.
397 void Reset(STACK_OF(X509)* chain);
398
399 // Note that when USE_OPENSSL_CERTS is defined, OSCertHandle is X509*
400 scoped_refptr<X509Certificate> AsOSChain() const;
401
402 size_t size() const {
403 if (!openssl_chain_.get())
404 return 0;
405 return sk_X509_num(openssl_chain_.get());
406 }
407
408 bool empty() const {
409 return size() == 0;
410 }
411
412 X509* Get(size_t index) const {
413 DCHECK_LT(index, size());
414 return sk_X509_value(openssl_chain_.get(), index);
415 }
416
417 private:
418 ScopedX509Stack openssl_chain_;
419 };
420
421 SSLClientSocketOpenSSL::PeerCertificateChain&
422 SSLClientSocketOpenSSL::PeerCertificateChain::operator=(
423 const PeerCertificateChain& other) {
424 if (this == &other)
425 return *this;
426
427 openssl_chain_.reset(X509_chain_up_ref(other.openssl_chain_.get()));
428 return *this;
429 }
430
431 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
432 STACK_OF(X509)* chain) {
433 openssl_chain_.reset(chain ? X509_chain_up_ref(chain) : NULL);
434 }
435
436 scoped_refptr<X509Certificate>
437 SSLClientSocketOpenSSL::PeerCertificateChain::AsOSChain() const {
438 #if defined(USE_OPENSSL_CERTS)
439 // When OSCertHandle is typedef'ed to X509, this implementation does a short
440 // cut to avoid converting back and forth between DER and the X509 struct.
441 X509Certificate::OSCertHandles intermediates;
442 for (size_t i = 1; i < sk_X509_num(openssl_chain_.get()); ++i) {
443 intermediates.push_back(sk_X509_value(openssl_chain_.get(), i));
444 }
445
446 return X509Certificate::CreateFromHandle(
447 sk_X509_value(openssl_chain_.get(), 0), intermediates);
448 #else
449 // DER-encode the chain and convert to a platform certificate handle.
450 std::vector<base::StringPiece> der_chain;
451 for (size_t i = 0; i < sk_X509_num(openssl_chain_.get()); ++i) {
452 X509* x = sk_X509_value(openssl_chain_.get(), i);
453 base::StringPiece der;
454 if (!x509_util::GetDER(x, &der))
455 return NULL;
456 der_chain.push_back(der);
457 }
458
459 return X509Certificate::CreateFromDERCertChain(der_chain);
460 #endif
461 }
462
463 // static
464 void SSLClientSocket::ClearSessionCache() {
465 SSLClientSocketOpenSSL::SSLContext* context =
466 SSLClientSocketOpenSSL::SSLContext::GetInstance();
467 context->session_cache()->Flush();
468 }
469
470 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
471 std::unique_ptr<ClientSocketHandle> transport_socket,
472 const HostPortPair& host_and_port,
473 const SSLConfig& ssl_config,
474 const SSLClientSocketContext& context)
475 : transport_send_busy_(false),
476 transport_recv_busy_(false),
477 pending_read_error_(kNoPendingResult),
478 pending_read_ssl_error_(SSL_ERROR_NONE),
479 transport_read_error_(OK),
480 transport_write_error_(OK),
481 server_cert_chain_(new PeerCertificateChain(NULL)),
482 completed_connect_(false),
483 was_ever_used_(false),
484 cert_verifier_(context.cert_verifier),
485 cert_transparency_verifier_(context.cert_transparency_verifier),
486 channel_id_service_(context.channel_id_service),
487 tb_was_negotiated_(false),
488 tb_negotiated_param_(TB_PARAM_ECDSAP256),
489 tb_signed_ekm_map_(10),
490 ssl_(NULL),
491 transport_bio_(NULL),
492 transport_(std::move(transport_socket)),
493 host_and_port_(host_and_port),
494 ssl_config_(ssl_config),
495 ssl_session_cache_shard_(context.ssl_session_cache_shard),
496 next_handshake_state_(STATE_NONE),
497 disconnected_(false),
498 npn_status_(kNextProtoUnsupported),
499 channel_id_sent_(false),
500 session_pending_(false),
501 certificate_verified_(false),
502 ssl_failure_state_(SSL_FAILURE_NONE),
503 signature_result_(kNoPendingResult),
504 transport_security_state_(context.transport_security_state),
505 policy_enforcer_(context.ct_policy_enforcer),
506 net_log_(transport_->socket()->NetLog()),
507 weak_factory_(this) {
508 DCHECK(cert_verifier_);
509 }
510
511 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() {
512 Disconnect();
513 }
514
515 #if !defined(OS_NACL)
516 void SSLClientSocketOpenSSL::SetSSLKeyLogFile(
517 const base::FilePath& ssl_keylog_file,
518 const scoped_refptr<base::SequencedTaskRunner>& task_runner) {
519 SSLContext::GetInstance()->SetSSLKeyLogFile(ssl_keylog_file, task_runner);
520 }
521 #endif
522
523 void SSLClientSocketOpenSSL::GetSSLCertRequestInfo(
524 SSLCertRequestInfo* cert_request_info) {
525 cert_request_info->host_and_port = host_and_port_;
526 cert_request_info->cert_authorities = cert_authorities_;
527 cert_request_info->cert_key_types = cert_key_types_;
528 }
529
530 SSLClientSocket::NextProtoStatus SSLClientSocketOpenSSL::GetNextProto(
531 std::string* proto) const {
532 *proto = npn_proto_;
533 return npn_status_;
534 }
535
536 ChannelIDService*
537 SSLClientSocketOpenSSL::GetChannelIDService() const {
538 return channel_id_service_;
539 }
540
541 Error SSLClientSocketOpenSSL::GetSignedEKMForTokenBinding(
542 crypto::ECPrivateKey* key,
543 std::vector<uint8_t>* out) {
544 // The same key will be used across multiple requests to sign the same value,
545 // so the signature is cached.
546 std::string raw_public_key;
547 if (!key->ExportRawPublicKey(&raw_public_key))
548 return ERR_FAILED;
549 SignedEkmMap::iterator it = tb_signed_ekm_map_.Get(raw_public_key);
550 if (it != tb_signed_ekm_map_.end()) {
551 *out = it->second;
552 return OK;
553 }
554
555 uint8_t tb_ekm_buf[32];
556 static const char kTokenBindingExporterLabel[] = "EXPORTER-Token-Binding";
557 if (!SSL_export_keying_material(ssl_, tb_ekm_buf, sizeof(tb_ekm_buf),
558 kTokenBindingExporterLabel,
559 strlen(kTokenBindingExporterLabel), nullptr,
560 0, false /* no context */)) {
561 return ERR_FAILED;
562 }
563
564 if (!SignTokenBindingEkm(
565 base::StringPiece(reinterpret_cast<char*>(tb_ekm_buf),
566 sizeof(tb_ekm_buf)),
567 key, out))
568 return ERR_FAILED;
569
570 tb_signed_ekm_map_.Put(raw_public_key, *out);
571 return OK;
572 }
573
574 crypto::ECPrivateKey* SSLClientSocketOpenSSL::GetChannelIDKey() const {
575 return channel_id_key_.get();
576 }
577
578 SSLFailureState SSLClientSocketOpenSSL::GetSSLFailureState() const {
579 return ssl_failure_state_;
580 }
581
582 int SSLClientSocketOpenSSL::ExportKeyingMaterial(
583 const base::StringPiece& label,
584 bool has_context, const base::StringPiece& context,
585 unsigned char* out, unsigned int outlen) {
586 if (!IsConnected())
587 return ERR_SOCKET_NOT_CONNECTED;
588
589 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
590
591 int rv = SSL_export_keying_material(
592 ssl_, out, outlen, label.data(), label.size(),
593 reinterpret_cast<const unsigned char*>(context.data()), context.length(),
594 has_context ? 1 : 0);
595
596 if (rv != 1) {
597 int ssl_error = SSL_get_error(ssl_, rv);
598 LOG(ERROR) << "Failed to export keying material;"
599 << " returned " << rv
600 << ", SSL error code " << ssl_error;
601 return MapOpenSSLError(ssl_error, err_tracer);
602 }
603 return OK;
604 }
605
606 int SSLClientSocketOpenSSL::Connect(const CompletionCallback& callback) {
607 // It is an error to create an SSLClientSocket whose context has no
608 // TransportSecurityState.
609 DCHECK(transport_security_state_);
610
611 // Although StreamSocket does allow calling Connect() after Disconnect(),
612 // this has never worked for layered sockets. CHECK to detect any consumers
613 // reconnecting an SSL socket.
614 //
615 // TODO(davidben,mmenke): Remove this API feature. See
616 // https://crbug.com/499289.
617 CHECK(!disconnected_);
618
619 net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT);
620
621 // Set up new ssl object.
622 int rv = Init();
623 if (rv != OK) {
624 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
625 return rv;
626 }
627
628 // Set SSL to client mode. Handshake happens in the loop below.
629 SSL_set_connect_state(ssl_);
630
631 GotoState(STATE_HANDSHAKE);
632 rv = DoHandshakeLoop(OK);
633 if (rv == ERR_IO_PENDING) {
634 user_connect_callback_ = callback;
635 } else {
636 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
637 }
638
639 return rv > OK ? OK : rv;
640 }
641
642 void SSLClientSocketOpenSSL::Disconnect() {
643 crypto::OpenSSLErrStackTracer tracer(FROM_HERE);
644
645 if (ssl_) {
646 // Calling SSL_shutdown prevents the session from being marked as
647 // unresumable.
648 SSL_shutdown(ssl_);
649 SSL_free(ssl_);
650 ssl_ = NULL;
651 }
652 if (transport_bio_) {
653 BIO_free_all(transport_bio_);
654 transport_bio_ = NULL;
655 }
656
657 disconnected_ = true;
658
659 // Shut down anything that may call us back.
660 cert_verifier_request_.reset();
661 transport_->socket()->Disconnect();
662
663 // Null all callbacks, delete all buffers.
664 transport_send_busy_ = false;
665 send_buffer_ = NULL;
666 transport_recv_busy_ = false;
667 recv_buffer_ = NULL;
668
669 user_connect_callback_.Reset();
670 user_read_callback_.Reset();
671 user_write_callback_.Reset();
672 user_read_buf_ = NULL;
673 user_read_buf_len_ = 0;
674 user_write_buf_ = NULL;
675 user_write_buf_len_ = 0;
676
677 pending_read_error_ = kNoPendingResult;
678 pending_read_ssl_error_ = SSL_ERROR_NONE;
679 pending_read_error_info_ = OpenSSLErrorInfo();
680
681 transport_read_error_ = OK;
682 transport_write_error_ = OK;
683
684 server_cert_verify_result_.Reset();
685 completed_connect_ = false;
686
687 cert_authorities_.clear();
688 cert_key_types_.clear();
689
690 start_cert_verification_time_ = base::TimeTicks();
691
692 npn_status_ = kNextProtoUnsupported;
693 npn_proto_.clear();
694
695 channel_id_sent_ = false;
696 tb_was_negotiated_ = false;
697 session_pending_ = false;
698 certificate_verified_ = false;
699 channel_id_request_.Cancel();
700 ssl_failure_state_ = SSL_FAILURE_NONE;
701
702 signature_result_ = kNoPendingResult;
703 signature_.clear();
704 }
705
706 bool SSLClientSocketOpenSSL::IsConnected() const {
707 // If the handshake has not yet completed.
708 if (!completed_connect_)
709 return false;
710 // If an asynchronous operation is still pending.
711 if (user_read_buf_.get() || user_write_buf_.get())
712 return true;
713
714 return transport_->socket()->IsConnected();
715 }
716
717 bool SSLClientSocketOpenSSL::IsConnectedAndIdle() const {
718 // If the handshake has not yet completed.
719 if (!completed_connect_)
720 return false;
721 // If an asynchronous operation is still pending.
722 if (user_read_buf_.get() || user_write_buf_.get())
723 return false;
724
725 // If there is data read from the network that has not yet been consumed, do
726 // not treat the connection as idle.
727 //
728 // Note that this does not check |BIO_pending|, whether there is ciphertext
729 // that has not yet been flushed to the network. |Write| returns early, so
730 // this can cause race conditions which cause a socket to not be treated
731 // reusable when it should be. See https://crbug.com/466147.
732 if (BIO_wpending(transport_bio_) > 0)
733 return false;
734
735 return transport_->socket()->IsConnectedAndIdle();
736 }
737
738 int SSLClientSocketOpenSSL::GetPeerAddress(IPEndPoint* addressList) const {
739 return transport_->socket()->GetPeerAddress(addressList);
740 }
741
742 int SSLClientSocketOpenSSL::GetLocalAddress(IPEndPoint* addressList) const {
743 return transport_->socket()->GetLocalAddress(addressList);
744 }
745
746 const BoundNetLog& SSLClientSocketOpenSSL::NetLog() const {
747 return net_log_;
748 }
749
750 void SSLClientSocketOpenSSL::SetSubresourceSpeculation() {
751 if (transport_.get() && transport_->socket()) {
752 transport_->socket()->SetSubresourceSpeculation();
753 } else {
754 NOTREACHED();
755 }
756 }
757
758 void SSLClientSocketOpenSSL::SetOmniboxSpeculation() {
759 if (transport_.get() && transport_->socket()) {
760 transport_->socket()->SetOmniboxSpeculation();
761 } else {
762 NOTREACHED();
763 }
764 }
765
766 bool SSLClientSocketOpenSSL::WasEverUsed() const {
767 return was_ever_used_;
768 }
769
770 bool SSLClientSocketOpenSSL::GetSSLInfo(SSLInfo* ssl_info) {
771 ssl_info->Reset();
772 if (server_cert_chain_->empty())
773 return false;
774
775 ssl_info->cert = server_cert_verify_result_.verified_cert;
776 ssl_info->unverified_cert = server_cert_;
777 ssl_info->cert_status = server_cert_verify_result_.cert_status;
778 ssl_info->is_issued_by_known_root =
779 server_cert_verify_result_.is_issued_by_known_root;
780 ssl_info->public_key_hashes =
781 server_cert_verify_result_.public_key_hashes;
782 ssl_info->client_cert_sent =
783 ssl_config_.send_client_cert && ssl_config_.client_cert.get();
784 ssl_info->channel_id_sent = channel_id_sent_;
785 ssl_info->token_binding_negotiated = tb_was_negotiated_;
786 ssl_info->token_binding_key_param = tb_negotiated_param_;
787 ssl_info->pinning_failure_log = pinning_failure_log_;
788
789 AddCTInfoToSSLInfo(ssl_info);
790
791 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
792 CHECK(cipher);
793 ssl_info->security_bits = SSL_CIPHER_get_bits(cipher, NULL);
794 ssl_info->key_exchange_info =
795 SSL_SESSION_get_key_exchange_info(SSL_get_session(ssl_));
796
797 SSLConnectionStatusSetCipherSuite(
798 static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)),
799 &ssl_info->connection_status);
800 SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_),
801 &ssl_info->connection_status);
802
803 if (!SSL_get_secure_renegotiation_support(ssl_))
804 ssl_info->connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
805
806 if (ssl_config_.version_fallback)
807 ssl_info->connection_status |= SSL_CONNECTION_VERSION_FALLBACK;
808
809 ssl_info->handshake_type = SSL_session_reused(ssl_) ?
810 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL;
811
812 DVLOG(3) << "Encoded connection status: cipher suite = "
813 << SSLConnectionStatusToCipherSuite(ssl_info->connection_status)
814 << " version = "
815 << SSLConnectionStatusToVersion(ssl_info->connection_status);
816 return true;
817 }
818
819 void SSLClientSocketOpenSSL::GetConnectionAttempts(
820 ConnectionAttempts* out) const {
821 out->clear();
822 }
823
824 int64_t SSLClientSocketOpenSSL::GetTotalReceivedBytes() const {
825 return transport_->socket()->GetTotalReceivedBytes();
826 }
827
828 int SSLClientSocketOpenSSL::Read(IOBuffer* buf,
829 int buf_len,
830 const CompletionCallback& callback) {
831 user_read_buf_ = buf;
832 user_read_buf_len_ = buf_len;
833
834 int rv = DoReadLoop();
835
836 if (rv == ERR_IO_PENDING) {
837 user_read_callback_ = callback;
838 } else {
839 if (rv > 0)
840 was_ever_used_ = true;
841 user_read_buf_ = NULL;
842 user_read_buf_len_ = 0;
843 }
844
845 return rv;
846 }
847
848 int SSLClientSocketOpenSSL::Write(IOBuffer* buf,
849 int buf_len,
850 const CompletionCallback& callback) {
851 user_write_buf_ = buf;
852 user_write_buf_len_ = buf_len;
853
854 int rv = DoWriteLoop();
855
856 if (rv == ERR_IO_PENDING) {
857 user_write_callback_ = callback;
858 } else {
859 if (rv > 0)
860 was_ever_used_ = true;
861 user_write_buf_ = NULL;
862 user_write_buf_len_ = 0;
863 }
864
865 return rv;
866 }
867
868 int SSLClientSocketOpenSSL::SetReceiveBufferSize(int32_t size) {
869 return transport_->socket()->SetReceiveBufferSize(size);
870 }
871
872 int SSLClientSocketOpenSSL::SetSendBufferSize(int32_t size) {
873 return transport_->socket()->SetSendBufferSize(size);
874 }
875
876 int SSLClientSocketOpenSSL::Init() {
877 DCHECK(!ssl_);
878 DCHECK(!transport_bio_);
879
880 #if defined(USE_NSS_CERTS)
881 if (ssl_config_.cert_io_enabled) {
882 // TODO(davidben): Move this out of SSLClientSocket. See
883 // https://crbug.com/539520.
884 EnsureNSSHttpIOInit();
885 }
886 #endif
887
888 SSLContext* context = SSLContext::GetInstance();
889 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
890
891 ssl_ = SSL_new(context->ssl_ctx());
892 if (!ssl_ || !context->SetClientSocketForSSL(ssl_, this))
893 return ERR_UNEXPECTED;
894
895 // SNI should only contain valid DNS hostnames, not IP addresses (see RFC
896 // 6066, Section 3).
897 //
898 // TODO(rsleevi): Should this code allow hostnames that violate the LDH rule?
899 // See https://crbug.com/496472 and https://crbug.com/496468 for discussion.
900 IPAddress unused;
901 if (!unused.AssignFromIPLiteral(host_and_port_.host()) &&
902 !SSL_set_tlsext_host_name(ssl_, host_and_port_.host().c_str())) {
903 return ERR_UNEXPECTED;
904 }
905
906 ScopedSSL_SESSION session =
907 context->session_cache()->Lookup(GetSessionCacheKey());
908 if (session)
909 SSL_set_session(ssl_, session.get());
910
911 send_buffer_ = new GrowableIOBuffer();
912 send_buffer_->SetCapacity(KDefaultOpenSSLBufferSize);
913 recv_buffer_ = new GrowableIOBuffer();
914 recv_buffer_->SetCapacity(KDefaultOpenSSLBufferSize);
915
916 BIO* ssl_bio = NULL;
917
918 // SSLClientSocketOpenSSL retains ownership of the BIO buffers.
919 if (!BIO_new_bio_pair_external_buf(
920 &ssl_bio, send_buffer_->capacity(),
921 reinterpret_cast<uint8_t*>(send_buffer_->data()), &transport_bio_,
922 recv_buffer_->capacity(),
923 reinterpret_cast<uint8_t*>(recv_buffer_->data())))
924 return ERR_UNEXPECTED;
925 DCHECK(ssl_bio);
926 DCHECK(transport_bio_);
927
928 // Install a callback on OpenSSL's end to plumb transport errors through.
929 BIO_set_callback(ssl_bio, &SSLClientSocketOpenSSL::BIOCallback);
930 BIO_set_callback_arg(ssl_bio, reinterpret_cast<char*>(this));
931
932 SSL_set_bio(ssl_, ssl_bio, ssl_bio);
933
934 DCHECK_LT(SSL3_VERSION, ssl_config_.version_min);
935 DCHECK_LT(SSL3_VERSION, ssl_config_.version_max);
936 SSL_set_min_version(ssl_, ssl_config_.version_min);
937 SSL_set_max_version(ssl_, ssl_config_.version_max);
938
939 // OpenSSL defaults some options to on, others to off. To avoid ambiguity,
940 // set everything we care about to an absolute value.
941 SslSetClearMask options;
942 options.ConfigureFlag(SSL_OP_NO_COMPRESSION, true);
943
944 // TODO(joth): Set this conditionally, see http://crbug.com/55410
945 options.ConfigureFlag(SSL_OP_LEGACY_SERVER_CONNECT, true);
946
947 SSL_set_options(ssl_, options.set_mask);
948 SSL_clear_options(ssl_, options.clear_mask);
949
950 // Same as above, this time for the SSL mode.
951 SslSetClearMask mode;
952
953 mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);
954 mode.ConfigureFlag(SSL_MODE_CBC_RECORD_SPLITTING, true);
955
956 mode.ConfigureFlag(SSL_MODE_ENABLE_FALSE_START,
957 ssl_config_.false_start_enabled);
958
959 mode.ConfigureFlag(SSL_MODE_SEND_FALLBACK_SCSV, ssl_config_.version_fallback);
960
961 SSL_set_mode(ssl_, mode.set_mask);
962 SSL_clear_mode(ssl_, mode.clear_mask);
963
964 // Use BoringSSL defaults, but disable HMAC-SHA256 and HMAC-SHA384 ciphers
965 // (note that SHA256 and SHA384 only select legacy CBC ciphers). Also disable
966 // DHE_RSA_WITH_AES_256_GCM_SHA384. Historically, AES_256_GCM was not
967 // supported. As DHE is being deprecated, don't add a cipher only to remove it
968 // immediately.
969 std::string command(
970 "DEFAULT:!SHA256:!SHA384:!DHE-RSA-AES256-GCM-SHA384:!aPSK");
971
972 if (ssl_config_.require_ecdhe)
973 command.append(":!kRSA:!kDHE");
974
975 if (!(ssl_config_.rc4_enabled &&
976 ssl_config_.deprecated_cipher_suites_enabled)) {
977 command.append(":!RC4");
978 }
979
980 if (!ssl_config_.deprecated_cipher_suites_enabled) {
981 // Only offer DHE on the second handshake. https://crbug.com/538690
982 command.append(":!kDHE");
983 }
984
985 // Remove any disabled ciphers.
986 for (uint16_t id : ssl_config_.disabled_cipher_suites) {
987 const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);
988 if (cipher) {
989 command.append(":!");
990 command.append(SSL_CIPHER_get_name(cipher));
991 }
992 }
993
994 int rv = SSL_set_cipher_list(ssl_, command.c_str());
995 // If this fails (rv = 0) it means there are no ciphers enabled on this SSL.
996 // This will almost certainly result in the socket failing to complete the
997 // handshake at which point the appropriate error is bubbled up to the client.
998 LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command << "') "
999 "returned " << rv;
1000
1001 // TLS channel ids.
1002 if (IsChannelIDEnabled(ssl_config_, channel_id_service_)) {
1003 SSL_enable_tls_channel_id(ssl_);
1004 }
1005
1006 if (!ssl_config_.alpn_protos.empty()) {
1007 // Get list of ciphers that are enabled.
1008 STACK_OF(SSL_CIPHER)* enabled_ciphers = SSL_get_ciphers(ssl_);
1009 DCHECK(enabled_ciphers);
1010 std::vector<uint16_t> enabled_ciphers_vector;
1011 for (size_t i = 0; i < sk_SSL_CIPHER_num(enabled_ciphers); ++i) {
1012 const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(enabled_ciphers, i);
1013 const uint16_t id = static_cast<uint16_t>(SSL_CIPHER_get_id(cipher));
1014 enabled_ciphers_vector.push_back(id);
1015 }
1016
1017 NextProtoVector alpn_protos = ssl_config_.alpn_protos;
1018 if (!HasCipherAdequateForHTTP2(enabled_ciphers_vector) ||
1019 !IsTLSVersionAdequateForHTTP2(ssl_config_)) {
1020 DisableHTTP2(&alpn_protos);
1021 }
1022 std::vector<uint8_t> wire_protos = SerializeNextProtos(alpn_protos);
1023 SSL_set_alpn_protos(ssl_, wire_protos.empty() ? NULL : &wire_protos[0],
1024 wire_protos.size());
1025 }
1026
1027 if (ssl_config_.npn_protos.empty())
1028 SSL_set_options(ssl_, SSL_OP_DISABLE_NPN);
1029
1030 if (ssl_config_.signed_cert_timestamps_enabled) {
1031 SSL_enable_signed_cert_timestamps(ssl_);
1032 SSL_enable_ocsp_stapling(ssl_);
1033 }
1034
1035 if (cert_verifier_->SupportsOCSPStapling())
1036 SSL_enable_ocsp_stapling(ssl_);
1037
1038 return OK;
1039 }
1040
1041 void SSLClientSocketOpenSSL::DoReadCallback(int rv) {
1042 // Since Run may result in Read being called, clear |user_read_callback_|
1043 // up front.
1044 if (rv > 0)
1045 was_ever_used_ = true;
1046 user_read_buf_ = NULL;
1047 user_read_buf_len_ = 0;
1048 base::ResetAndReturn(&user_read_callback_).Run(rv);
1049 }
1050
1051 void SSLClientSocketOpenSSL::DoWriteCallback(int rv) {
1052 // Since Run may result in Write being called, clear |user_write_callback_|
1053 // up front.
1054 if (rv > 0)
1055 was_ever_used_ = true;
1056 user_write_buf_ = NULL;
1057 user_write_buf_len_ = 0;
1058 base::ResetAndReturn(&user_write_callback_).Run(rv);
1059 }
1060
1061 bool SSLClientSocketOpenSSL::DoTransportIO() {
1062 bool network_moved = false;
1063 int rv;
1064 // Read and write as much data as possible. The loop is necessary because
1065 // Write() may return synchronously.
1066 do {
1067 rv = BufferSend();
1068 if (rv != ERR_IO_PENDING && rv != 0)
1069 network_moved = true;
1070 } while (rv > 0);
1071 if (transport_read_error_ == OK && BufferRecv() != ERR_IO_PENDING)
1072 network_moved = true;
1073 return network_moved;
1074 }
1075
1076 // TODO(cbentzel): Remove including "base/threading/thread_local.h" and
1077 // g_first_run_completed once crbug.com/424386 is fixed.
1078 base::LazyInstance<base::ThreadLocalBoolean>::Leaky g_first_run_completed =
1079 LAZY_INSTANCE_INITIALIZER;
1080
1081 int SSLClientSocketOpenSSL::DoHandshake() {
1082 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
1083
1084 int rv;
1085
1086 // TODO(cbentzel): Leave only 1 call to SSL_do_handshake once crbug.com/424386
1087 // is fixed.
1088 if (ssl_config_.send_client_cert && ssl_config_.client_cert.get()) {
1089 rv = SSL_do_handshake(ssl_);
1090 } else {
1091 if (g_first_run_completed.Get().Get()) {
1092 // TODO(cbentzel): Remove ScopedTracker below once crbug.com/424386 is
1093 // fixed.
1094 tracked_objects::ScopedTracker tracking_profile(
1095 FROM_HERE_WITH_EXPLICIT_FUNCTION("424386 SSL_do_handshake()"));
1096
1097 rv = SSL_do_handshake(ssl_);
1098 } else {
1099 g_first_run_completed.Get().Set(true);
1100 rv = SSL_do_handshake(ssl_);
1101 }
1102 }
1103
1104 int net_error = OK;
1105 if (rv <= 0) {
1106 int ssl_error = SSL_get_error(ssl_, rv);
1107 if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) {
1108 // The server supports channel ID. Stop to look one up before returning to
1109 // the handshake.
1110 GotoState(STATE_CHANNEL_ID_LOOKUP);
1111 return OK;
1112 }
1113 if (ssl_error == SSL_ERROR_WANT_X509_LOOKUP &&
1114 !ssl_config_.send_client_cert) {
1115 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
1116 }
1117 if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
1118 DCHECK(ssl_config_.client_private_key);
1119 DCHECK_NE(kNoPendingResult, signature_result_);
1120 GotoState(STATE_HANDSHAKE);
1121 return ERR_IO_PENDING;
1122 }
1123
1124 OpenSSLErrorInfo error_info;
1125 net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
1126 if (net_error == ERR_IO_PENDING) {
1127 // If not done, stay in this state
1128 GotoState(STATE_HANDSHAKE);
1129 return ERR_IO_PENDING;
1130 }
1131
1132 LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code "
1133 << ssl_error << ", net_error " << net_error;
1134 net_log_.AddEvent(
1135 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
1136 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
1137
1138 // Classify the handshake failure. This is used to determine causes of the
1139 // TLS version fallback.
1140
1141 // |cipher| is the current outgoing cipher suite, so it is non-null iff
1142 // ChangeCipherSpec was sent.
1143 const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_);
1144 if (SSL_get_state(ssl_) == SSL3_ST_CR_SRVR_HELLO_A) {
1145 ssl_failure_state_ = SSL_FAILURE_CLIENT_HELLO;
1146 } else if (cipher && (SSL_CIPHER_get_id(cipher) ==
1147 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256 ||
1148 SSL_CIPHER_get_id(cipher) ==
1149 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256)) {
1150 ssl_failure_state_ = SSL_FAILURE_BUGGY_GCM;
1151 } else if (cipher && ssl_config_.send_client_cert) {
1152 ssl_failure_state_ = SSL_FAILURE_CLIENT_AUTH;
1153 } else if (ERR_GET_LIB(error_info.error_code) == ERR_LIB_SSL &&
1154 ERR_GET_REASON(error_info.error_code) ==
1155 SSL_R_OLD_SESSION_VERSION_NOT_RETURNED) {
1156 ssl_failure_state_ = SSL_FAILURE_SESSION_MISMATCH;
1157 } else if (cipher && npn_status_ != kNextProtoUnsupported) {
1158 ssl_failure_state_ = SSL_FAILURE_NEXT_PROTO;
1159 } else {
1160 ssl_failure_state_ = SSL_FAILURE_UNKNOWN;
1161 }
1162 }
1163
1164 GotoState(STATE_HANDSHAKE_COMPLETE);
1165 return net_error;
1166 }
1167
1168 int SSLClientSocketOpenSSL::DoHandshakeComplete(int result) {
1169 if (result < 0)
1170 return result;
1171
1172 if (ssl_config_.version_fallback &&
1173 ssl_config_.version_max < ssl_config_.version_fallback_min) {
1174 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION;
1175 }
1176
1177 // Check that if token binding was negotiated, then extended master secret
1178 // must also be negotiated.
1179 if (tb_was_negotiated_ && !SSL_get_extms_support(ssl_))
1180 return ERR_SSL_PROTOCOL_ERROR;
1181
1182 // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was.
1183 if (npn_status_ == kNextProtoUnsupported) {
1184 const uint8_t* alpn_proto = NULL;
1185 unsigned alpn_len = 0;
1186 SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len);
1187 if (alpn_len > 0) {
1188 npn_proto_.assign(reinterpret_cast<const char*>(alpn_proto), alpn_len);
1189 npn_status_ = kNextProtoNegotiated;
1190 set_negotiation_extension(kExtensionALPN);
1191 }
1192 }
1193
1194 RecordNegotiationExtension();
1195 RecordChannelIDSupport(channel_id_service_, channel_id_sent_,
1196 ssl_config_.channel_id_enabled);
1197
1198 // Only record OCSP histograms if OCSP was requested.
1199 if (ssl_config_.signed_cert_timestamps_enabled ||
1200 cert_verifier_->SupportsOCSPStapling()) {
1201 const uint8_t* ocsp_response;
1202 size_t ocsp_response_len;
1203 SSL_get0_ocsp_response(ssl_, &ocsp_response, &ocsp_response_len);
1204
1205 set_stapled_ocsp_response_received(ocsp_response_len != 0);
1206 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_response_len != 0);
1207 }
1208
1209 const uint8_t* sct_list;
1210 size_t sct_list_len;
1211 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list, &sct_list_len);
1212 set_signed_cert_timestamps_received(sct_list_len != 0);
1213
1214 if (IsRenegotiationAllowed())
1215 SSL_set_renegotiate_mode(ssl_, ssl_renegotiate_freely);
1216
1217 uint8_t server_key_exchange_hash = SSL_get_server_key_exchange_hash(ssl_);
1218 if (server_key_exchange_hash != TLSEXT_hash_none) {
1219 UMA_HISTOGRAM_SPARSE_SLOWLY("Net.SSLServerKeyExchangeHash",
1220 server_key_exchange_hash);
1221 }
1222
1223 // Verify the certificate.
1224 UpdateServerCert();
1225 GotoState(STATE_VERIFY_CERT);
1226 return OK;
1227 }
1228
1229 int SSLClientSocketOpenSSL::DoChannelIDLookup() {
1230 NetLog::ParametersCallback callback = base::Bind(
1231 &NetLogChannelIDLookupCallback, base::Unretained(channel_id_service_));
1232 net_log_.BeginEvent(NetLog::TYPE_SSL_GET_CHANNEL_ID, callback);
1233 GotoState(STATE_CHANNEL_ID_LOOKUP_COMPLETE);
1234 return channel_id_service_->GetOrCreateChannelID(
1235 host_and_port_.host(), &channel_id_key_,
1236 base::Bind(&SSLClientSocketOpenSSL::OnHandshakeIOComplete,
1237 base::Unretained(this)),
1238 &channel_id_request_);
1239 }
1240
1241 int SSLClientSocketOpenSSL::DoChannelIDLookupComplete(int result) {
1242 net_log_.EndEvent(NetLog::TYPE_SSL_GET_CHANNEL_ID,
1243 base::Bind(&NetLogChannelIDLookupCompleteCallback,
1244 channel_id_key_.get(), result));
1245 if (result < 0)
1246 return result;
1247
1248 // Hand the key to OpenSSL. Check for error in case OpenSSL rejects the key
1249 // type.
1250 DCHECK(channel_id_key_);
1251 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
1252 int rv = SSL_set1_tls_channel_id(ssl_, channel_id_key_->key());
1253 if (!rv) {
1254 LOG(ERROR) << "Failed to set Channel ID.";
1255 int err = SSL_get_error(ssl_, rv);
1256 return MapOpenSSLError(err, err_tracer);
1257 }
1258
1259 // Return to the handshake.
1260 channel_id_sent_ = true;
1261 GotoState(STATE_HANDSHAKE);
1262 return OK;
1263 }
1264
1265 int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
1266 DCHECK(!server_cert_chain_->empty());
1267 DCHECK(start_cert_verification_time_.is_null());
1268
1269 GotoState(STATE_VERIFY_CERT_COMPLETE);
1270
1271 // OpenSSL decoded the certificate, but the platform certificate
1272 // implementation could not. This is treated as a fatal SSL-level protocol
1273 // error rather than a certificate error. See https://crbug.com/91341.
1274 if (!server_cert_.get())
1275 return ERR_SSL_SERVER_CERT_BAD_FORMAT;
1276
1277 // If the certificate is bad and has been previously accepted, use
1278 // the previous status and bypass the error.
1279 base::StringPiece der_cert;
1280 if (!x509_util::GetDER(server_cert_chain_->Get(0), &der_cert)) {
1281 NOTREACHED();
1282 return ERR_CERT_INVALID;
1283 }
1284 CertStatus cert_status;
1285 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) {
1286 VLOG(1) << "Received an expected bad cert with status: " << cert_status;
1287 server_cert_verify_result_.Reset();
1288 server_cert_verify_result_.cert_status = cert_status;
1289 server_cert_verify_result_.verified_cert = server_cert_;
1290 return OK;
1291 }
1292
1293 std::string ocsp_response;
1294 if (cert_verifier_->SupportsOCSPStapling()) {
1295 const uint8_t* ocsp_response_raw;
1296 size_t ocsp_response_len;
1297 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
1298 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw),
1299 ocsp_response_len);
1300 }
1301
1302 start_cert_verification_time_ = base::TimeTicks::Now();
1303
1304 return cert_verifier_->Verify(
1305 server_cert_.get(), host_and_port_.host(), ocsp_response,
1306 ssl_config_.GetCertVerifyFlags(),
1307 // TODO(davidben): Route the CRLSet through SSLConfig so
1308 // SSLClientSocket doesn't depend on SSLConfigService.
1309 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_,
1310 base::Bind(&SSLClientSocketOpenSSL::OnHandshakeIOComplete,
1311 base::Unretained(this)),
1312 &cert_verifier_request_, net_log_);
1313 }
1314
1315 int SSLClientSocketOpenSSL::DoVerifyCertComplete(int result) {
1316 cert_verifier_request_.reset();
1317
1318 if (!start_cert_verification_time_.is_null()) {
1319 base::TimeDelta verify_time =
1320 base::TimeTicks::Now() - start_cert_verification_time_;
1321 if (result == OK) {
1322 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time);
1323 } else {
1324 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time);
1325 }
1326 }
1327
1328 const CertStatus cert_status = server_cert_verify_result_.cert_status;
1329 if (transport_security_state_ &&
1330 (result == OK ||
1331 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
1332 !transport_security_state_->CheckPublicKeyPins(
1333 host_and_port_, server_cert_verify_result_.is_issued_by_known_root,
1334 server_cert_verify_result_.public_key_hashes, server_cert_.get(),
1335 server_cert_verify_result_.verified_cert.get(),
1336 TransportSecurityState::ENABLE_PIN_REPORTS, &pinning_failure_log_)) {
1337 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
1338 }
1339
1340 if (result == OK) {
1341 // Only check Certificate Transparency if there were no other errors with
1342 // the connection.
1343 VerifyCT();
1344
1345 DCHECK(!certificate_verified_);
1346 certificate_verified_ = true;
1347 MaybeCacheSession();
1348 } else {
1349 DVLOG(1) << "DoVerifyCertComplete error " << ErrorToString(result)
1350 << " (" << result << ")";
1351 }
1352
1353 completed_connect_ = true;
1354 // Exit DoHandshakeLoop and return the result to the caller to Connect.
1355 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1356 return result;
1357 }
1358
1359 void SSLClientSocketOpenSSL::DoConnectCallback(int rv) {
1360 if (!user_connect_callback_.is_null()) {
1361 CompletionCallback c = user_connect_callback_;
1362 user_connect_callback_.Reset();
1363 c.Run(rv > OK ? OK : rv);
1364 }
1365 }
1366
1367 void SSLClientSocketOpenSSL::UpdateServerCert() {
1368 server_cert_chain_->Reset(SSL_get_peer_cert_chain(ssl_));
1369 server_cert_ = server_cert_chain_->AsOSChain();
1370 if (server_cert_.get()) {
1371 net_log_.AddEvent(
1372 NetLog::TYPE_SSL_CERTIFICATES_RECEIVED,
1373 base::Bind(&NetLogX509CertificateCallback,
1374 base::Unretained(server_cert_.get())));
1375 }
1376 }
1377
1378 void SSLClientSocketOpenSSL::VerifyCT() {
1379 if (!cert_transparency_verifier_)
1380 return;
1381
1382 const uint8_t* ocsp_response_raw;
1383 size_t ocsp_response_len;
1384 SSL_get0_ocsp_response(ssl_, &ocsp_response_raw, &ocsp_response_len);
1385 std::string ocsp_response;
1386 if (ocsp_response_len > 0) {
1387 ocsp_response.assign(reinterpret_cast<const char*>(ocsp_response_raw),
1388 ocsp_response_len);
1389 }
1390
1391 const uint8_t* sct_list_raw;
1392 size_t sct_list_len;
1393 SSL_get0_signed_cert_timestamp_list(ssl_, &sct_list_raw, &sct_list_len);
1394 std::string sct_list;
1395 if (sct_list_len > 0)
1396 sct_list.assign(reinterpret_cast<const char*>(sct_list_raw), sct_list_len);
1397
1398 // Note that this is a completely synchronous operation: The CT Log Verifier
1399 // gets all the data it needs for SCT verification and does not do any
1400 // external communication.
1401 cert_transparency_verifier_->Verify(
1402 server_cert_verify_result_.verified_cert.get(), ocsp_response, sct_list,
1403 &ct_verify_result_, net_log_);
1404
1405 ct_verify_result_.ct_policies_applied = (policy_enforcer_ != nullptr);
1406 ct_verify_result_.ev_policy_compliance =
1407 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY;
1408 if (policy_enforcer_) {
1409 if ((server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV)) {
1410 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
1411 SSLConfigService::GetEVCertsWhitelist();
1412 ct::EVPolicyCompliance ev_policy_compliance =
1413 policy_enforcer_->DoesConformToCTEVPolicy(
1414 server_cert_verify_result_.verified_cert.get(),
1415 ev_whitelist.get(), ct_verify_result_.verified_scts, net_log_);
1416 ct_verify_result_.ev_policy_compliance = ev_policy_compliance;
1417 if (ev_policy_compliance !=
1418 ct::EVPolicyCompliance::EV_POLICY_DOES_NOT_APPLY &&
1419 ev_policy_compliance !=
1420 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_WHITELIST &&
1421 ev_policy_compliance !=
1422 ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS) {
1423 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
1424 VLOG(1) << "EV certificate for "
1425 << server_cert_verify_result_.verified_cert->subject()
1426 .GetDisplayName()
1427 << " does not conform to CT policy, removing EV status.";
1428 server_cert_verify_result_.cert_status |=
1429 CERT_STATUS_CT_COMPLIANCE_FAILED;
1430 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
1431 }
1432 }
1433 ct_verify_result_.cert_policy_compliance =
1434 policy_enforcer_->DoesConformToCertPolicy(
1435 server_cert_verify_result_.verified_cert.get(),
1436 ct_verify_result_.verified_scts, net_log_);
1437 }
1438 }
1439
1440 void SSLClientSocketOpenSSL::OnHandshakeIOComplete(int result) {
1441 int rv = DoHandshakeLoop(result);
1442 if (rv != ERR_IO_PENDING) {
1443 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
1444 DoConnectCallback(rv);
1445 }
1446 }
1447
1448 void SSLClientSocketOpenSSL::OnSendComplete(int result) {
1449 if (next_handshake_state_ == STATE_HANDSHAKE) {
1450 // In handshake phase.
1451 OnHandshakeIOComplete(result);
1452 return;
1453 }
1454
1455 // During a renegotiation, a Read call may also be blocked on a transport
1456 // write, so retry both operations.
1457 PumpReadWriteEvents();
1458 }
1459
1460 void SSLClientSocketOpenSSL::OnRecvComplete(int result) {
1461 TRACE_EVENT0("net", "SSLClientSocketOpenSSL::OnRecvComplete");
1462 if (next_handshake_state_ == STATE_HANDSHAKE) {
1463 // In handshake phase.
1464 OnHandshakeIOComplete(result);
1465 return;
1466 }
1467
1468 // Network layer received some data, check if client requested to read
1469 // decrypted data.
1470 if (!user_read_buf_.get())
1471 return;
1472
1473 int rv = DoReadLoop();
1474 if (rv != ERR_IO_PENDING)
1475 DoReadCallback(rv);
1476 }
1477
1478 int SSLClientSocketOpenSSL::DoHandshakeLoop(int last_io_result) {
1479 TRACE_EVENT0("net", "SSLClientSocketOpenSSL::DoHandshakeLoop");
1480 int rv = last_io_result;
1481 do {
1482 // Default to STATE_NONE for next state.
1483 // (This is a quirk carried over from the windows
1484 // implementation. It makes reading the logs a bit harder.)
1485 // State handlers can and often do call GotoState just
1486 // to stay in the current state.
1487 State state = next_handshake_state_;
1488 GotoState(STATE_NONE);
1489 switch (state) {
1490 case STATE_HANDSHAKE:
1491 rv = DoHandshake();
1492 break;
1493 case STATE_HANDSHAKE_COMPLETE:
1494 rv = DoHandshakeComplete(rv);
1495 break;
1496 case STATE_CHANNEL_ID_LOOKUP:
1497 DCHECK_EQ(OK, rv);
1498 rv = DoChannelIDLookup();
1499 break;
1500 case STATE_CHANNEL_ID_LOOKUP_COMPLETE:
1501 rv = DoChannelIDLookupComplete(rv);
1502 break;
1503 case STATE_VERIFY_CERT:
1504 DCHECK_EQ(OK, rv);
1505 rv = DoVerifyCert(rv);
1506 break;
1507 case STATE_VERIFY_CERT_COMPLETE:
1508 rv = DoVerifyCertComplete(rv);
1509 break;
1510 case STATE_NONE:
1511 default:
1512 rv = ERR_UNEXPECTED;
1513 NOTREACHED() << "unexpected state" << state;
1514 break;
1515 }
1516
1517 bool network_moved = DoTransportIO();
1518 if (network_moved && next_handshake_state_ == STATE_HANDSHAKE) {
1519 // In general we exit the loop if rv is ERR_IO_PENDING. In this
1520 // special case we keep looping even if rv is ERR_IO_PENDING because
1521 // the transport IO may allow DoHandshake to make progress.
1522 rv = OK; // This causes us to stay in the loop.
1523 }
1524 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE);
1525 return rv;
1526 }
1527
1528 int SSLClientSocketOpenSSL::DoReadLoop() {
1529 bool network_moved;
1530 int rv;
1531 do {
1532 rv = DoPayloadRead();
1533 network_moved = DoTransportIO();
1534 } while (rv == ERR_IO_PENDING && network_moved);
1535
1536 return rv;
1537 }
1538
1539 int SSLClientSocketOpenSSL::DoWriteLoop() {
1540 bool network_moved;
1541 int rv;
1542 do {
1543 rv = DoPayloadWrite();
1544 network_moved = DoTransportIO();
1545 } while (rv == ERR_IO_PENDING && network_moved);
1546
1547 return rv;
1548 }
1549
1550 int SSLClientSocketOpenSSL::DoPayloadRead() {
1551 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
1552
1553 DCHECK_LT(0, user_read_buf_len_);
1554 DCHECK(user_read_buf_.get());
1555
1556 int rv;
1557 if (pending_read_error_ != kNoPendingResult) {
1558 rv = pending_read_error_;
1559 pending_read_error_ = kNoPendingResult;
1560 if (rv == 0) {
1561 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED,
1562 rv, user_read_buf_->data());
1563 } else {
1564 net_log_.AddEvent(
1565 NetLog::TYPE_SSL_READ_ERROR,
1566 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_,
1567 pending_read_error_info_));
1568 }
1569 pending_read_ssl_error_ = SSL_ERROR_NONE;
1570 pending_read_error_info_ = OpenSSLErrorInfo();
1571 return rv;
1572 }
1573
1574 int total_bytes_read = 0;
1575 int ssl_ret;
1576 do {
1577 ssl_ret = SSL_read(ssl_, user_read_buf_->data() + total_bytes_read,
1578 user_read_buf_len_ - total_bytes_read);
1579 if (ssl_ret > 0)
1580 total_bytes_read += ssl_ret;
1581 } while (total_bytes_read < user_read_buf_len_ && ssl_ret > 0);
1582
1583 // Although only the final SSL_read call may have failed, the failure needs to
1584 // processed immediately, while the information still available in OpenSSL's
1585 // error queue.
1586 if (ssl_ret <= 0) {
1587 // A zero return from SSL_read may mean any of:
1588 // - The underlying BIO_read returned 0.
1589 // - The peer sent a close_notify.
1590 // - Any arbitrary error. https://crbug.com/466303
1591 //
1592 // TransportReadComplete converts the first to an ERR_CONNECTION_CLOSED
1593 // error, so it does not occur. The second and third are distinguished by
1594 // SSL_ERROR_ZERO_RETURN.
1595 pending_read_ssl_error_ = SSL_get_error(ssl_, ssl_ret);
1596 if (pending_read_ssl_error_ == SSL_ERROR_ZERO_RETURN) {
1597 pending_read_error_ = 0;
1598 } else if (pending_read_ssl_error_ == SSL_ERROR_WANT_X509_LOOKUP &&
1599 !ssl_config_.send_client_cert) {
1600 pending_read_error_ = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
1601 } else if (pending_read_ssl_error_ ==
1602 SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
1603 DCHECK(ssl_config_.client_private_key);
1604 DCHECK_NE(kNoPendingResult, signature_result_);
1605 pending_read_error_ = ERR_IO_PENDING;
1606 } else {
1607 pending_read_error_ = MapOpenSSLErrorWithDetails(
1608 pending_read_ssl_error_, err_tracer, &pending_read_error_info_);
1609 }
1610
1611 // Many servers do not reliably send a close_notify alert when shutting down
1612 // a connection, and instead terminate the TCP connection. This is reported
1613 // as ERR_CONNECTION_CLOSED. Because of this, map the unclean shutdown to a
1614 // graceful EOF, instead of treating it as an error as it should be.
1615 if (pending_read_error_ == ERR_CONNECTION_CLOSED)
1616 pending_read_error_ = 0;
1617 }
1618
1619 if (total_bytes_read > 0) {
1620 // Return any bytes read to the caller. The error will be deferred to the
1621 // next call of DoPayloadRead.
1622 rv = total_bytes_read;
1623
1624 // Do not treat insufficient data as an error to return in the next call to
1625 // DoPayloadRead() - instead, let the call fall through to check SSL_read()
1626 // again. This is because DoTransportIO() may complete in between the next
1627 // call to DoPayloadRead(), and thus it is important to check SSL_read() on
1628 // subsequent invocations to see if a complete record may now be read.
1629 if (pending_read_error_ == ERR_IO_PENDING)
1630 pending_read_error_ = kNoPendingResult;
1631 } else {
1632 // No bytes were returned. Return the pending read error immediately.
1633 DCHECK_NE(kNoPendingResult, pending_read_error_);
1634 rv = pending_read_error_;
1635 pending_read_error_ = kNoPendingResult;
1636 }
1637
1638 if (rv >= 0) {
1639 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv,
1640 user_read_buf_->data());
1641 } else if (rv != ERR_IO_PENDING) {
1642 net_log_.AddEvent(
1643 NetLog::TYPE_SSL_READ_ERROR,
1644 CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_,
1645 pending_read_error_info_));
1646 pending_read_ssl_error_ = SSL_ERROR_NONE;
1647 pending_read_error_info_ = OpenSSLErrorInfo();
1648 }
1649 return rv;
1650 }
1651
1652 int SSLClientSocketOpenSSL::DoPayloadWrite() {
1653 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
1654 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_);
1655
1656 if (rv >= 0) {
1657 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
1658 user_write_buf_->data());
1659 return rv;
1660 }
1661
1662 int ssl_error = SSL_get_error(ssl_, rv);
1663 if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION)
1664 return ERR_IO_PENDING;
1665 OpenSSLErrorInfo error_info;
1666 int net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer,
1667 &error_info);
1668
1669 if (net_error != ERR_IO_PENDING) {
1670 net_log_.AddEvent(
1671 NetLog::TYPE_SSL_WRITE_ERROR,
1672 CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
1673 }
1674 return net_error;
1675 }
1676
1677 void SSLClientSocketOpenSSL::PumpReadWriteEvents() {
1678 int rv_read = ERR_IO_PENDING;
1679 int rv_write = ERR_IO_PENDING;
1680 bool network_moved;
1681 do {
1682 if (user_read_buf_.get())
1683 rv_read = DoPayloadRead();
1684 if (user_write_buf_.get())
1685 rv_write = DoPayloadWrite();
1686 network_moved = DoTransportIO();
1687 } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING &&
1688 (user_read_buf_.get() || user_write_buf_.get()) && network_moved);
1689
1690 // Performing the Read callback may cause |this| to be deleted. If this
1691 // happens, the Write callback should not be invoked. Guard against this by
1692 // holding a WeakPtr to |this| and ensuring it's still valid.
1693 base::WeakPtr<SSLClientSocketOpenSSL> guard(weak_factory_.GetWeakPtr());
1694 if (user_read_buf_.get() && rv_read != ERR_IO_PENDING)
1695 DoReadCallback(rv_read);
1696
1697 if (!guard.get())
1698 return;
1699
1700 if (user_write_buf_.get() && rv_write != ERR_IO_PENDING)
1701 DoWriteCallback(rv_write);
1702 }
1703
1704 int SSLClientSocketOpenSSL::BufferSend(void) {
1705 if (transport_send_busy_)
1706 return ERR_IO_PENDING;
1707
1708 size_t buffer_read_offset;
1709 uint8_t* read_buf;
1710 size_t max_read;
1711 int status = BIO_zero_copy_get_read_buf(transport_bio_, &read_buf,
1712 &buffer_read_offset, &max_read);
1713 DCHECK_EQ(status, 1); // Should never fail.
1714 if (!max_read)
1715 return 0; // Nothing pending in the OpenSSL write BIO.
1716 CHECK_EQ(read_buf, reinterpret_cast<uint8_t*>(send_buffer_->StartOfBuffer()));
1717 CHECK_LT(buffer_read_offset, static_cast<size_t>(send_buffer_->capacity()));
1718 send_buffer_->set_offset(buffer_read_offset);
1719
1720 int rv = transport_->socket()->Write(
1721 send_buffer_.get(), max_read,
1722 base::Bind(&SSLClientSocketOpenSSL::BufferSendComplete,
1723 base::Unretained(this)));
1724 if (rv == ERR_IO_PENDING) {
1725 transport_send_busy_ = true;
1726 } else {
1727 TransportWriteComplete(rv);
1728 }
1729 return rv;
1730 }
1731
1732 int SSLClientSocketOpenSSL::BufferRecv(void) {
1733 if (transport_recv_busy_)
1734 return ERR_IO_PENDING;
1735
1736 // Determine how much was requested from |transport_bio_| that was not
1737 // actually available.
1738 size_t requested = BIO_ctrl_get_read_request(transport_bio_);
1739 if (requested == 0) {
1740 // This is not a perfect match of error codes, as no operation is
1741 // actually pending. However, returning 0 would be interpreted as
1742 // a possible sign of EOF, which is also an inappropriate match.
1743 return ERR_IO_PENDING;
1744 }
1745
1746 // Known Issue: While only reading |requested| data is the more correct
1747 // implementation, it has the downside of resulting in frequent reads:
1748 // One read for the SSL record header (~5 bytes) and one read for the SSL
1749 // record body. Rather than issuing these reads to the underlying socket
1750 // (and constantly allocating new IOBuffers), a single Read() request to
1751 // fill |transport_bio_| is issued. As long as an SSL client socket cannot
1752 // be gracefully shutdown (via SSL close alerts) and re-used for non-SSL
1753 // traffic, this over-subscribed Read()ing will not cause issues.
1754
1755 size_t buffer_write_offset;
1756 uint8_t* write_buf;
1757 size_t max_write;
1758 int status = BIO_zero_copy_get_write_buf(transport_bio_, &write_buf,
1759 &buffer_write_offset, &max_write);
1760 DCHECK_EQ(status, 1); // Should never fail.
1761 if (!max_write)
1762 return ERR_IO_PENDING;
1763
1764 CHECK_EQ(write_buf,
1765 reinterpret_cast<uint8_t*>(recv_buffer_->StartOfBuffer()));
1766 CHECK_LT(buffer_write_offset, static_cast<size_t>(recv_buffer_->capacity()));
1767
1768 recv_buffer_->set_offset(buffer_write_offset);
1769 int rv = transport_->socket()->Read(
1770 recv_buffer_.get(),
1771 max_write,
1772 base::Bind(&SSLClientSocketOpenSSL::BufferRecvComplete,
1773 base::Unretained(this)));
1774 if (rv == ERR_IO_PENDING) {
1775 transport_recv_busy_ = true;
1776 } else {
1777 rv = TransportReadComplete(rv);
1778 }
1779 return rv;
1780 }
1781
1782 void SSLClientSocketOpenSSL::BufferSendComplete(int result) {
1783 TransportWriteComplete(result);
1784 OnSendComplete(result);
1785 }
1786
1787 void SSLClientSocketOpenSSL::BufferRecvComplete(int result) {
1788 result = TransportReadComplete(result);
1789 OnRecvComplete(result);
1790 }
1791
1792 void SSLClientSocketOpenSSL::TransportWriteComplete(int result) {
1793 DCHECK(ERR_IO_PENDING != result);
1794 int bytes_written = 0;
1795 if (result < 0) {
1796 // Record the error. Save it to be reported in a future read or write on
1797 // transport_bio_'s peer.
1798 transport_write_error_ = result;
1799 } else {
1800 bytes_written = result;
1801 }
1802 DCHECK_GE(send_buffer_->RemainingCapacity(), bytes_written);
1803 int ret = BIO_zero_copy_get_read_buf_done(transport_bio_, bytes_written);
1804 DCHECK_EQ(1, ret);
1805 transport_send_busy_ = false;
1806 }
1807
1808 int SSLClientSocketOpenSSL::TransportReadComplete(int result) {
1809 DCHECK(ERR_IO_PENDING != result);
1810 // If an EOF, canonicalize to ERR_CONNECTION_CLOSED here so MapOpenSSLError
1811 // does not report success.
1812 if (result == 0)
1813 result = ERR_CONNECTION_CLOSED;
1814 int bytes_read = 0;
1815 if (result < 0) {
1816 DVLOG(1) << "TransportReadComplete result " << result;
1817 // Received an error. Save it to be reported in a future read on
1818 // transport_bio_'s peer.
1819 transport_read_error_ = result;
1820 } else {
1821 bytes_read = result;
1822 }
1823 DCHECK_GE(recv_buffer_->RemainingCapacity(), bytes_read);
1824 int ret = BIO_zero_copy_get_write_buf_done(transport_bio_, bytes_read);
1825 DCHECK_EQ(1, ret);
1826 transport_recv_busy_ = false;
1827 return result;
1828 }
1829
1830 int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl) {
1831 DVLOG(3) << "OpenSSL ClientCertRequestCallback called";
1832 DCHECK(ssl == ssl_);
1833
1834 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED);
1835
1836 // Clear any currently configured certificates.
1837 SSL_certs_clear(ssl_);
1838
1839 #if defined(OS_IOS)
1840 // TODO(droger): Support client auth on iOS. See http://crbug.com/145954).
1841 LOG(WARNING) << "Client auth is not supported";
1842 #else // !defined(OS_IOS)
1843 if (!ssl_config_.send_client_cert) {
1844 // First pass: we know that a client certificate is needed, but we do not
1845 // have one at hand.
1846 STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl);
1847 for (size_t i = 0; i < sk_X509_NAME_num(authorities); i++) {
1848 X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i);
1849 unsigned char* str = NULL;
1850 int length = i2d_X509_NAME(ca_name, &str);
1851 cert_authorities_.push_back(std::string(
1852 reinterpret_cast<const char*>(str),
1853 static_cast<size_t>(length)));
1854 OPENSSL_free(str);
1855 }
1856
1857 const unsigned char* client_cert_types;
1858 size_t num_client_cert_types =
1859 SSL_get0_certificate_types(ssl, &client_cert_types);
1860 for (size_t i = 0; i < num_client_cert_types; i++) {
1861 cert_key_types_.push_back(
1862 static_cast<SSLClientCertType>(client_cert_types[i]));
1863 }
1864
1865 // Suspends handshake. SSL_get_error will return SSL_ERROR_WANT_X509_LOOKUP.
1866 return -1;
1867 }
1868
1869 // Second pass: a client certificate should have been selected.
1870 if (ssl_config_.client_cert.get()) {
1871 ScopedX509 leaf_x509 =
1872 OSCertHandleToOpenSSL(ssl_config_.client_cert->os_cert_handle());
1873 if (!leaf_x509) {
1874 LOG(WARNING) << "Failed to import certificate";
1875 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT);
1876 return -1;
1877 }
1878
1879 ScopedX509Stack chain = OSCertHandlesToOpenSSL(
1880 ssl_config_.client_cert->GetIntermediateCertificates());
1881 if (!chain) {
1882 LOG(WARNING) << "Failed to import intermediate certificates";
1883 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT);
1884 return -1;
1885 }
1886
1887 if (!SSL_use_certificate(ssl_, leaf_x509.get()) ||
1888 !SSL_set1_chain(ssl_, chain.get())) {
1889 LOG(WARNING) << "Failed to set client certificate";
1890 return -1;
1891 }
1892
1893 if (!ssl_config_.client_private_key) {
1894 // The caller supplied a null private key. Fail the handshake and surface
1895 // an appropriate error to the caller.
1896 LOG(WARNING) << "Client cert found without private key";
1897 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
1898 return -1;
1899 }
1900
1901 SSL_set_private_key_method(ssl_, &SSLContext::kPrivateKeyMethod);
1902
1903 std::vector<SSLPrivateKey::Hash> digest_prefs =
1904 ssl_config_.client_private_key->GetDigestPreferences();
1905
1906 size_t digests_len = digest_prefs.size();
1907 std::vector<int> digests;
1908 for (size_t i = 0; i < digests_len; i++) {
1909 switch (digest_prefs[i]) {
1910 case SSLPrivateKey::Hash::SHA1:
1911 digests.push_back(NID_sha1);
1912 break;
1913 case SSLPrivateKey::Hash::SHA256:
1914 digests.push_back(NID_sha256);
1915 break;
1916 case SSLPrivateKey::Hash::SHA384:
1917 digests.push_back(NID_sha384);
1918 break;
1919 case SSLPrivateKey::Hash::SHA512:
1920 digests.push_back(NID_sha512);
1921 break;
1922 case SSLPrivateKey::Hash::MD5_SHA1:
1923 // MD5-SHA1 is not used in TLS 1.2.
1924 break;
1925 }
1926 }
1927
1928 SSL_set_private_key_digest_prefs(ssl_, digests.data(), digests.size());
1929
1930 int cert_count = 1 + sk_X509_num(chain.get());
1931 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1932 NetLog::IntCallback("cert_count", cert_count));
1933 return 1;
1934 }
1935 #endif // defined(OS_IOS)
1936
1937 // Send no client certificate.
1938 net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
1939 NetLog::IntCallback("cert_count", 0));
1940 return 1;
1941 }
1942
1943 int SSLClientSocketOpenSSL::CertVerifyCallback(X509_STORE_CTX* store_ctx) {
1944 if (!completed_connect_) {
1945 // If the first handshake hasn't completed then we accept any certificates
1946 // because we verify after the handshake.
1947 return 1;
1948 }
1949
1950 // Disallow the server certificate to change in a renegotiation.
1951 if (server_cert_chain_->empty()) {
1952 LOG(ERROR) << "Received invalid certificate chain between handshakes";
1953 return 0;
1954 }
1955 base::StringPiece old_der, new_der;
1956 if (store_ctx->cert == NULL ||
1957 !x509_util::GetDER(server_cert_chain_->Get(0), &old_der) ||
1958 !x509_util::GetDER(store_ctx->cert, &new_der)) {
1959 LOG(ERROR) << "Failed to encode certificates";
1960 return 0;
1961 }
1962 if (old_der != new_der) {
1963 LOG(ERROR) << "Server certificate changed between handshakes";
1964 return 0;
1965 }
1966
1967 return 1;
1968 }
1969
1970 // SelectNextProtoCallback is called by OpenSSL during the handshake. If the
1971 // server supports NPN, selects a protocol from the list that the server
1972 // provides. According to third_party/boringssl/src/ssl/ssl_lib.c, the
1973 // callback can assume that |in| is syntactically valid.
1974 int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out,
1975 unsigned char* outlen,
1976 const unsigned char* in,
1977 unsigned int inlen) {
1978 if (ssl_config_.npn_protos.empty()) {
1979 *out = reinterpret_cast<uint8_t*>(
1980 const_cast<char*>(kDefaultSupportedNPNProtocol));
1981 *outlen = arraysize(kDefaultSupportedNPNProtocol) - 1;
1982 npn_status_ = kNextProtoUnsupported;
1983 return SSL_TLSEXT_ERR_OK;
1984 }
1985
1986 // Assume there's no overlap between our protocols and the server's list.
1987 npn_status_ = kNextProtoNoOverlap;
1988
1989 // For each protocol in server preference order, see if we support it.
1990 for (unsigned int i = 0; i < inlen; i += in[i] + 1) {
1991 for (NextProto next_proto : ssl_config_.npn_protos) {
1992 const std::string proto = NextProtoToString(next_proto);
1993 if (in[i] == proto.size() &&
1994 memcmp(&in[i + 1], proto.data(), in[i]) == 0) {
1995 // We found a match.
1996 *out = const_cast<unsigned char*>(in) + i + 1;
1997 *outlen = in[i];
1998 npn_status_ = kNextProtoNegotiated;
1999 break;
2000 }
2001 }
2002 if (npn_status_ == kNextProtoNegotiated)
2003 break;
2004 }
2005
2006 // If we didn't find a protocol, we select the last one from our list.
2007 if (npn_status_ == kNextProtoNoOverlap) {
2008 // NextProtoToString returns a pointer to a static string.
2009 const char* proto = NextProtoToString(ssl_config_.npn_protos.back());
2010 *out = reinterpret_cast<unsigned char*>(const_cast<char*>(proto));
2011 *outlen = strlen(proto);
2012 }
2013
2014 npn_proto_.assign(reinterpret_cast<const char*>(*out), *outlen);
2015 DVLOG(2) << "next protocol: '" << npn_proto_ << "' status: " << npn_status_;
2016 set_negotiation_extension(kExtensionNPN);
2017 return SSL_TLSEXT_ERR_OK;
2018 }
2019
2020 long SSLClientSocketOpenSSL::MaybeReplayTransportError(
2021 BIO *bio,
2022 int cmd,
2023 const char *argp, int argi, long argl,
2024 long retvalue) {
2025 if (cmd == (BIO_CB_READ|BIO_CB_RETURN) && retvalue <= 0) {
2026 // If there is no more data in the buffer, report any pending errors that
2027 // were observed. Note that both the readbuf and the writebuf are checked
2028 // for errors, since the application may have encountered a socket error
2029 // while writing that would otherwise not be reported until the application
2030 // attempted to write again - which it may never do. See
2031 // https://crbug.com/249848.
2032 if (transport_read_error_ != OK) {
2033 OpenSSLPutNetError(FROM_HERE, transport_read_error_);
2034 return -1;
2035 }
2036 if (transport_write_error_ != OK) {
2037 OpenSSLPutNetError(FROM_HERE, transport_write_error_);
2038 return -1;
2039 }
2040 } else if (cmd == BIO_CB_WRITE) {
2041 // Because of the write buffer, this reports a failure from the previous
2042 // write payload. If the current payload fails to write, the error will be
2043 // reported in a future write or read to |bio|.
2044 if (transport_write_error_ != OK) {
2045 OpenSSLPutNetError(FROM_HERE, transport_write_error_);
2046 return -1;
2047 }
2048 }
2049 return retvalue;
2050 }
2051
2052 // static
2053 long SSLClientSocketOpenSSL::BIOCallback(
2054 BIO *bio,
2055 int cmd,
2056 const char *argp, int argi, long argl,
2057 long retvalue) {
2058 SSLClientSocketOpenSSL* socket = reinterpret_cast<SSLClientSocketOpenSSL*>(
2059 BIO_get_callback_arg(bio));
2060 CHECK(socket);
2061 return socket->MaybeReplayTransportError(
2062 bio, cmd, argp, argi, argl, retvalue);
2063 }
2064
2065 void SSLClientSocketOpenSSL::MaybeCacheSession() {
2066 // Only cache the session once both a new session has been established and the
2067 // certificate has been verified. Due to False Start, these events may happen
2068 // in either order.
2069 if (!session_pending_ || !certificate_verified_)
2070 return;
2071
2072 SSLContext::GetInstance()->session_cache()->Insert(GetSessionCacheKey(),
2073 SSL_get_session(ssl_));
2074 session_pending_ = false;
2075 }
2076
2077 int SSLClientSocketOpenSSL::NewSessionCallback(SSL_SESSION* session) {
2078 DCHECK_EQ(session, SSL_get_session(ssl_));
2079
2080 // Only sessions from the initial handshake get cached. Note this callback may
2081 // be signaled on abbreviated handshakes if the ticket was renewed.
2082 session_pending_ = true;
2083 MaybeCacheSession();
2084
2085 // OpenSSL passes a reference to |session|, but the session cache does not
2086 // take this reference, so release it.
2087 SSL_SESSION_free(session);
2088 return 1;
2089 }
2090
2091 void SSLClientSocketOpenSSL::AddCTInfoToSSLInfo(SSLInfo* ssl_info) const {
2092 ssl_info->UpdateCertificateTransparencyInfo(ct_verify_result_);
2093 }
2094
2095 std::string SSLClientSocketOpenSSL::GetSessionCacheKey() const {
2096 std::string result = host_and_port_.ToString();
2097 result.append("/");
2098 result.append(ssl_session_cache_shard_);
2099
2100 // Shard the session cache based on maximum protocol version. This causes
2101 // fallback connections to use a separate session cache.
2102 result.append("/");
2103 switch (ssl_config_.version_max) {
2104 case SSL_PROTOCOL_VERSION_TLS1:
2105 result.append("tls1");
2106 break;
2107 case SSL_PROTOCOL_VERSION_TLS1_1:
2108 result.append("tls1.1");
2109 break;
2110 case SSL_PROTOCOL_VERSION_TLS1_2:
2111 result.append("tls1.2");
2112 break;
2113 default:
2114 NOTREACHED();
2115 }
2116
2117 result.append("/");
2118 if (ssl_config_.deprecated_cipher_suites_enabled)
2119 result.append("deprecated");
2120
2121 result.append("/");
2122 if (ssl_config_.channel_id_enabled)
2123 result.append("channelid");
2124
2125 return result;
2126 }
2127
2128 bool SSLClientSocketOpenSSL::IsRenegotiationAllowed() const {
2129 if (tb_was_negotiated_)
2130 return false;
2131
2132 if (npn_status_ == kNextProtoUnsupported)
2133 return ssl_config_.renego_allowed_default;
2134
2135 NextProto next_proto = NextProtoFromString(npn_proto_);
2136 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) {
2137 if (next_proto == allowed)
2138 return true;
2139 }
2140 return false;
2141 }
2142
2143 int SSLClientSocketOpenSSL::PrivateKeyTypeCallback() {
2144 switch (ssl_config_.client_private_key->GetType()) {
2145 case SSLPrivateKey::Type::RSA:
2146 return EVP_PKEY_RSA;
2147 case SSLPrivateKey::Type::ECDSA:
2148 return EVP_PKEY_EC;
2149 }
2150 NOTREACHED();
2151 return EVP_PKEY_NONE;
2152 }
2153
2154 size_t SSLClientSocketOpenSSL::PrivateKeyMaxSignatureLenCallback() {
2155 return ssl_config_.client_private_key->GetMaxSignatureLengthInBytes();
2156 }
2157
2158 ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCallback(
2159 uint8_t* out,
2160 size_t* out_len,
2161 size_t max_out,
2162 const EVP_MD* md,
2163 const uint8_t* in,
2164 size_t in_len) {
2165 DCHECK_EQ(kNoPendingResult, signature_result_);
2166 DCHECK(signature_.empty());
2167 DCHECK(ssl_config_.client_private_key);
2168
2169 SSLPrivateKey::Hash hash;
2170 if (!EVP_MDToPrivateKeyHash(md, &hash)) {
2171 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
2172 return ssl_private_key_failure;
2173 }
2174
2175 net_log_.BeginEvent(
2176 NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION,
2177 base::Bind(&NetLogPrivateKeyOperationCallback,
2178 ssl_config_.client_private_key->GetType(), hash));
2179
2180 signature_result_ = ERR_IO_PENDING;
2181 ssl_config_.client_private_key->SignDigest(
2182 hash, base::StringPiece(reinterpret_cast<const char*>(in), in_len),
2183 base::Bind(&SSLClientSocketOpenSSL::OnPrivateKeySignComplete,
2184 weak_factory_.GetWeakPtr()));
2185 return ssl_private_key_retry;
2186 }
2187
2188 ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCompleteCallback(
2189 uint8_t* out,
2190 size_t* out_len,
2191 size_t max_out) {
2192 DCHECK_NE(kNoPendingResult, signature_result_);
2193 DCHECK(ssl_config_.client_private_key);
2194
2195 if (signature_result_ == ERR_IO_PENDING)
2196 return ssl_private_key_retry;
2197 if (signature_result_ != OK) {
2198 OpenSSLPutNetError(FROM_HERE, signature_result_);
2199 return ssl_private_key_failure;
2200 }
2201 if (signature_.size() > max_out) {
2202 OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
2203 return ssl_private_key_failure;
2204 }
2205 memcpy(out, signature_.data(), signature_.size());
2206 *out_len = signature_.size();
2207 signature_.clear();
2208 return ssl_private_key_success;
2209 }
2210
2211 void SSLClientSocketOpenSSL::OnPrivateKeySignComplete(
2212 Error error,
2213 const std::vector<uint8_t>& signature) {
2214 DCHECK_EQ(ERR_IO_PENDING, signature_result_);
2215 DCHECK(signature_.empty());
2216 DCHECK(ssl_config_.client_private_key);
2217
2218 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION,
2219 error);
2220
2221 signature_result_ = error;
2222 if (signature_result_ == OK)
2223 signature_ = signature;
2224
2225 if (next_handshake_state_ == STATE_HANDSHAKE) {
2226 OnHandshakeIOComplete(signature_result_);
2227 return;
2228 }
2229
2230 // During a renegotiation, either Read or Write calls may be blocked on an
2231 // asynchronous private key operation.
2232 PumpReadWriteEvents();
2233 }
2234
2235 int SSLClientSocketOpenSSL::TokenBindingAdd(const uint8_t** out,
2236 size_t* out_len,
2237 int* out_alert_value) {
2238 if (ssl_config_.token_binding_params.empty()) {
2239 return 0;
2240 }
2241 crypto::AutoCBB output;
2242 CBB parameters_list;
2243 if (!CBB_init(output.get(), 7) ||
2244 !CBB_add_u8(output.get(), kTbProtocolVersionMajor) ||
2245 !CBB_add_u8(output.get(), kTbProtocolVersionMinor) ||
2246 !CBB_add_u8_length_prefixed(output.get(), &parameters_list)) {
2247 *out_alert_value = SSL_AD_INTERNAL_ERROR;
2248 return -1;
2249 }
2250 for (size_t i = 0; i < ssl_config_.token_binding_params.size(); ++i) {
2251 if (!CBB_add_u8(&parameters_list, ssl_config_.token_binding_params[i])) {
2252 *out_alert_value = SSL_AD_INTERNAL_ERROR;
2253 return -1;
2254 }
2255 }
2256 // |*out| will be freed by TokenBindingFreeCallback.
2257 if (!CBB_finish(output.get(), const_cast<uint8_t**>(out), out_len)) {
2258 *out_alert_value = SSL_AD_INTERNAL_ERROR;
2259 return -1;
2260 }
2261
2262 return 1;
2263 }
2264
2265 int SSLClientSocketOpenSSL::TokenBindingParse(const uint8_t* contents,
2266 size_t contents_len,
2267 int* out_alert_value) {
2268 if (completed_connect_) {
2269 // Token Binding may only be negotiated on the initial handshake.
2270 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
2271 return 0;
2272 }
2273
2274 CBS extension;
2275 CBS_init(&extension, contents, contents_len);
2276
2277 CBS parameters_list;
2278 uint8_t version_major, version_minor, param;
2279 if (!CBS_get_u8(&extension, &version_major) ||
2280 !CBS_get_u8(&extension, &version_minor) ||
2281 !CBS_get_u8_length_prefixed(&extension, &parameters_list) ||
2282 !CBS_get_u8(&parameters_list, &param) || CBS_len(&parameters_list) > 0 ||
2283 CBS_len(&extension) > 0) {
2284 *out_alert_value = SSL_AD_DECODE_ERROR;
2285 return 0;
2286 }
2287 // The server-negotiated version must be less than or equal to our version.
2288 if (version_major > kTbProtocolVersionMajor ||
2289 (version_minor > kTbProtocolVersionMinor &&
2290 version_major == kTbProtocolVersionMajor)) {
2291 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
2292 return 0;
2293 }
2294 // If the version the server negotiated is older than we support, don't fail
2295 // parsing the extension, but also don't set |negotiated_|.
2296 if (version_major < kTbMinProtocolVersionMajor ||
2297 (version_minor < kTbMinProtocolVersionMinor &&
2298 version_major == kTbMinProtocolVersionMajor)) {
2299 return 1;
2300 }
2301
2302 for (size_t i = 0; i < ssl_config_.token_binding_params.size(); ++i) {
2303 if (param == ssl_config_.token_binding_params[i]) {
2304 tb_negotiated_param_ = ssl_config_.token_binding_params[i];
2305 tb_was_negotiated_ = true;
2306 return 1;
2307 }
2308 }
2309
2310 *out_alert_value = SSL_AD_ILLEGAL_PARAMETER;
2311 return 0;
2312 }
2313
2314 } // namespace net
OLDNEW
« net/android/keystore_impl.h ('K') | « net/socket/ssl_client_socket_openssl.h ('k') | net/socket/ssl_client_socket_unittest.cc » ('j') | net/socket/ssl_client_socket_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698