Index: net/socket/ssl_client_socket_impl.cc |
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc |
index 94f7f1c418bbc3cb5a22c71873d159d07815e818..282ea2b1102c650f28e43439a7a135269c3377bb 100644 |
--- a/net/socket/ssl_client_socket_impl.cc |
+++ b/net/socket/ssl_client_socket_impl.cc |
@@ -82,9 +82,9 @@ const unsigned int kTbExtNum = 24; |
// Token Binding ProtocolVersions supported. |
const uint8_t kTbProtocolVersionMajor = 0; |
-const uint8_t kTbProtocolVersionMinor = 8; |
+const uint8_t kTbProtocolVersionMinor = 10; |
const uint8_t kTbMinProtocolVersionMajor = 0; |
-const uint8_t kTbMinProtocolVersionMinor = 6; |
+const uint8_t kTbMinProtocolVersionMinor = 10; |
bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { |
switch (EVP_MD_type(md)) { |
@@ -501,7 +501,7 @@ SSLClientSocketImpl::SSLClientSocketImpl( |
channel_id_service_(context.channel_id_service), |
tb_was_negotiated_(false), |
tb_negotiated_param_(TB_PARAM_ECDSAP256), |
- tb_signed_ekm_map_(10), |
+ tb_signature_map_(10), |
ssl_(NULL), |
transport_bio_(NULL), |
transport_(std::move(transport_socket)), |
@@ -550,16 +550,17 @@ ChannelIDService* SSLClientSocketImpl::GetChannelIDService() const { |
return channel_id_service_; |
} |
-Error SSLClientSocketImpl::GetSignedEKMForTokenBinding( |
- crypto::ECPrivateKey* key, |
- std::vector<uint8_t>* out) { |
+Error SSLClientSocketImpl::GetTokenBindingSignature(crypto::ECPrivateKey* key, |
+ TokenBindingType tb_type, |
+ std::vector<uint8_t>* out) { |
// The same key will be used across multiple requests to sign the same value, |
// so the signature is cached. |
std::string raw_public_key; |
if (!key->ExportRawPublicKey(&raw_public_key)) |
return ERR_FAILED; |
- SignedEkmMap::iterator it = tb_signed_ekm_map_.Get(raw_public_key); |
- if (it != tb_signed_ekm_map_.end()) { |
+ TokenBindingSignatureMap::iterator it = |
davidben
2016/09/19 21:24:14
Optional: auto?
nharper
2016/09/19 22:32:23
Done.
|
+ tb_signature_map_.Get(std::make_pair(tb_type, raw_public_key)); |
+ if (it != tb_signature_map_.end()) { |
*out = it->second; |
return OK; |
} |
@@ -573,13 +574,13 @@ Error SSLClientSocketImpl::GetSignedEKMForTokenBinding( |
return ERR_FAILED; |
} |
- if (!SignTokenBindingEkm( |
+ if (!CreateTokenBindingSignature( |
base::StringPiece(reinterpret_cast<char*>(tb_ekm_buf), |
sizeof(tb_ekm_buf)), |
- key, out)) |
+ tb_type, key, out)) |
return ERR_FAILED; |
- tb_signed_ekm_map_.Put(raw_public_key, *out); |
+ tb_signature_map_.Put(std::make_pair(tb_type, raw_public_key), *out); |
return OK; |
} |
@@ -1197,9 +1198,12 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) { |
} |
// Check that if token binding was negotiated, then extended master secret |
- // must also be negotiated. |
- if (tb_was_negotiated_ && !SSL_get_extms_support(ssl_)) |
+ // and renegotiation indication must also be negotiated. |
+ if (tb_was_negotiated_ && |
+ !(SSL_get_extms_support(ssl_) && |
+ SSL_get_secure_renegotiation_support(ssl_))) { |
return ERR_SSL_PROTOCOL_ERROR; |
+ } |
// SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. |
if (npn_status_ == kNextProtoUnsupported) { |