Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(581)

Unified Diff: net/socket/ssl_client_socket_impl.cc

Issue 2337253004: Update Token Binding code to the latest drafts (Closed)
Patch Set: Fix compilation error in unit_tests Created 4 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: net/socket/ssl_client_socket_impl.cc
diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc
index 94f7f1c418bbc3cb5a22c71873d159d07815e818..282ea2b1102c650f28e43439a7a135269c3377bb 100644
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -82,9 +82,9 @@ const unsigned int kTbExtNum = 24;
// Token Binding ProtocolVersions supported.
const uint8_t kTbProtocolVersionMajor = 0;
-const uint8_t kTbProtocolVersionMinor = 8;
+const uint8_t kTbProtocolVersionMinor = 10;
const uint8_t kTbMinProtocolVersionMajor = 0;
-const uint8_t kTbMinProtocolVersionMinor = 6;
+const uint8_t kTbMinProtocolVersionMinor = 10;
bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
switch (EVP_MD_type(md)) {
@@ -501,7 +501,7 @@ SSLClientSocketImpl::SSLClientSocketImpl(
channel_id_service_(context.channel_id_service),
tb_was_negotiated_(false),
tb_negotiated_param_(TB_PARAM_ECDSAP256),
- tb_signed_ekm_map_(10),
+ tb_signature_map_(10),
ssl_(NULL),
transport_bio_(NULL),
transport_(std::move(transport_socket)),
@@ -550,16 +550,17 @@ ChannelIDService* SSLClientSocketImpl::GetChannelIDService() const {
return channel_id_service_;
}
-Error SSLClientSocketImpl::GetSignedEKMForTokenBinding(
- crypto::ECPrivateKey* key,
- std::vector<uint8_t>* out) {
+Error SSLClientSocketImpl::GetTokenBindingSignature(crypto::ECPrivateKey* key,
+ TokenBindingType tb_type,
+ std::vector<uint8_t>* out) {
// The same key will be used across multiple requests to sign the same value,
// so the signature is cached.
std::string raw_public_key;
if (!key->ExportRawPublicKey(&raw_public_key))
return ERR_FAILED;
- SignedEkmMap::iterator it = tb_signed_ekm_map_.Get(raw_public_key);
- if (it != tb_signed_ekm_map_.end()) {
+ TokenBindingSignatureMap::iterator it =
davidben 2016/09/19 21:24:14 Optional: auto?
nharper 2016/09/19 22:32:23 Done.
+ tb_signature_map_.Get(std::make_pair(tb_type, raw_public_key));
+ if (it != tb_signature_map_.end()) {
*out = it->second;
return OK;
}
@@ -573,13 +574,13 @@ Error SSLClientSocketImpl::GetSignedEKMForTokenBinding(
return ERR_FAILED;
}
- if (!SignTokenBindingEkm(
+ if (!CreateTokenBindingSignature(
base::StringPiece(reinterpret_cast<char*>(tb_ekm_buf),
sizeof(tb_ekm_buf)),
- key, out))
+ tb_type, key, out))
return ERR_FAILED;
- tb_signed_ekm_map_.Put(raw_public_key, *out);
+ tb_signature_map_.Put(std::make_pair(tb_type, raw_public_key), *out);
return OK;
}
@@ -1197,9 +1198,12 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) {
}
// Check that if token binding was negotiated, then extended master secret
- // must also be negotiated.
- if (tb_was_negotiated_ && !SSL_get_extms_support(ssl_))
+ // and renegotiation indication must also be negotiated.
+ if (tb_was_negotiated_ &&
+ !(SSL_get_extms_support(ssl_) &&
+ SSL_get_secure_renegotiation_support(ssl_))) {
return ERR_SSL_PROTOCOL_ERROR;
+ }
// SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was.
if (npn_status_ == kNextProtoUnsupported) {

Powered by Google App Engine
This is Rietveld 408576698