Update Token Binding code to the latest drafts

net/socket/ssl_client_socket_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_impl.h"
 
 #include <errno.h>
 #include <openssl/bio.h>
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
@@ skipping 60 matching lines @@
 const int kNoPendingResult = 1;
 
 // Default size of the internal BoringSSL buffers.
 const int kDefaultOpenSSLBufferSize = 17 * 1024;
 
 // TLS extension number use for Token Binding.
 const unsigned int kTbExtNum = 24;
 
 // Token Binding ProtocolVersions supported.
 const uint8_t kTbProtocolVersionMajor = 0;
-const uint8_t kTbProtocolVersionMinor = 8;
+const uint8_t kTbProtocolVersionMinor = 10;
 const uint8_t kTbMinProtocolVersionMajor = 0;
-const uint8_t kTbMinProtocolVersionMinor = 6;
+const uint8_t kTbMinProtocolVersionMinor = 10;
 
 bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
   switch (EVP_MD_type(md)) {
     case NID_md5_sha1:
       *hash = SSLPrivateKey::Hash::MD5_SHA1;
       return true;
     case NID_sha1:
       *hash = SSLPrivateKey::Hash::SHA1;
       return true;
     case NID_sha256:
@@ skipping 386 matching lines @@
       transport_read_error_(OK),
       transport_write_error_(OK),
       server_cert_chain_(new PeerCertificateChain(NULL)),
       completed_connect_(false),
       was_ever_used_(false),
       cert_verifier_(context.cert_verifier),
       cert_transparency_verifier_(context.cert_transparency_verifier),
       channel_id_service_(context.channel_id_service),
       tb_was_negotiated_(false),
       tb_negotiated_param_(TB_PARAM_ECDSAP256),
-      tb_signed_ekm_map_(10),
+      tb_signature_map_(10),
       ssl_(NULL),
       transport_bio_(NULL),
       transport_(std::move(transport_socket)),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       ssl_session_cache_shard_(context.ssl_session_cache_shard),
       next_handshake_state_(STATE_NONE),
       disconnected_(false),
       negotiated_protocol_(kProtoUnknown),
       channel_id_sent_(false),
@@ skipping 26 matching lines @@
     SSLCertRequestInfo* cert_request_info) {
   cert_request_info->host_and_port = host_and_port_;
   cert_request_info->cert_authorities = cert_authorities_;
   cert_request_info->cert_key_types = cert_key_types_;
 }
 
 ChannelIDService* SSLClientSocketImpl::GetChannelIDService() const {
   return channel_id_service_;
 }
 
-Error SSLClientSocketImpl::GetSignedEKMForTokenBinding(
-    crypto::ECPrivateKey* key,
-    std::vector<uint8_t>* out) {
+Error SSLClientSocketImpl::GetTokenBindingSignature(crypto::ECPrivateKey* key,
+                                                    TokenBindingType tb_type,
+                                                    std::vector<uint8_t>* out) {
   // The same key will be used across multiple requests to sign the same value,
   // so the signature is cached.
   std::string raw_public_key;
   if (!key->ExportRawPublicKey(&raw_public_key))
     return ERR_FAILED;
-  SignedEkmMap::iterator it = tb_signed_ekm_map_.Get(raw_public_key);
-  if (it != tb_signed_ekm_map_.end()) {
+  auto it = tb_signature_map_.Get(std::make_pair(tb_type, raw_public_key));
+  if (it != tb_signature_map_.end()) {
     *out = it->second;
     return OK;
   }
 
   uint8_t tb_ekm_buf[32];
   static const char kTokenBindingExporterLabel[] = "EXPORTER-Token-Binding";
   if (!SSL_export_keying_material(ssl_, tb_ekm_buf, sizeof(tb_ekm_buf),
                                   kTokenBindingExporterLabel,
                                   strlen(kTokenBindingExporterLabel), nullptr,
                                   0, false /* no context */)) {
     return ERR_FAILED;
   }
 
-  if (!SignTokenBindingEkm(
+  if (!CreateTokenBindingSignature(
           base::StringPiece(reinterpret_cast<char*>(tb_ekm_buf),
                             sizeof(tb_ekm_buf)),
-          key, out))
+          tb_type, key, out))
     return ERR_FAILED;
 
-  tb_signed_ekm_map_.Put(raw_public_key, *out);
+  tb_signature_map_.Put(std::make_pair(tb_type, raw_public_key), *out);
   return OK;
 }
 
 crypto::ECPrivateKey* SSLClientSocketImpl::GetChannelIDKey() const {
   return channel_id_key_.get();
 }
 
 int SSLClientSocketImpl::ExportKeyingMaterial(const base::StringPiece& label,
                                               bool has_context,
                                               const base::StringPiece& context,
@@ skipping 590 matching lines @@
   // afterwards. This is to aid in diagnosing connection failures because a
   // server requires DHE ciphers.
   //
   // TODO(davidben): A few releases after DHE's removal, remove this logic.
   if (!ssl_config_.dhe_enabled &&
       SSL_CIPHER_is_DHE(SSL_get_current_cipher(ssl_))) {
     return ERR_SSL_OBSOLETE_CIPHER;
   }
 
   // Check that if token binding was negotiated, then extended master secret
-  // must also be negotiated.
-  if (tb_was_negotiated_ && !SSL_get_extms_support(ssl_))
+  // and renegotiation indication must also be negotiated.
+  if (tb_was_negotiated_ &&
+      !(SSL_get_extms_support(ssl_) &&
+        SSL_get_secure_renegotiation_support(ssl_))) {
     return ERR_SSL_PROTOCOL_ERROR;
+  }
 
   const uint8_t* alpn_proto = NULL;
   unsigned alpn_len = 0;
   SSL_get0_alpn_selected(ssl_, &alpn_proto, &alpn_len);
   if (alpn_len > 0) {
     base::StringPiece proto(reinterpret_cast<const char*>(alpn_proto),
                             alpn_len);
     negotiated_protocol_ = NextProtoFromString(proto);
   }
 
@@ skipping 1090 matching lines @@
   }
   UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.Support", supported,
                             CHANNEL_ID_USAGE_MAX);
 }
 
 bool SSLClientSocketImpl::IsChannelIDEnabled() const {
   return ssl_config_.channel_id_enabled && channel_id_service_;
 }
 
 }  // namespace net