Chromium Code Reviews| Index: net/socket/ssl_client_socket_impl.cc |
| diff --git a/net/socket/ssl_client_socket_impl.cc b/net/socket/ssl_client_socket_impl.cc |
| index 94f7f1c418bbc3cb5a22c71873d159d07815e818..282ea2b1102c650f28e43439a7a135269c3377bb 100644 |
| --- a/net/socket/ssl_client_socket_impl.cc |
| +++ b/net/socket/ssl_client_socket_impl.cc |
| @@ -82,9 +82,9 @@ const unsigned int kTbExtNum = 24; |
| // Token Binding ProtocolVersions supported. |
| const uint8_t kTbProtocolVersionMajor = 0; |
| -const uint8_t kTbProtocolVersionMinor = 8; |
| +const uint8_t kTbProtocolVersionMinor = 10; |
| const uint8_t kTbMinProtocolVersionMajor = 0; |
| -const uint8_t kTbMinProtocolVersionMinor = 6; |
| +const uint8_t kTbMinProtocolVersionMinor = 10; |
| bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) { |
| switch (EVP_MD_type(md)) { |
| @@ -501,7 +501,7 @@ SSLClientSocketImpl::SSLClientSocketImpl( |
| channel_id_service_(context.channel_id_service), |
| tb_was_negotiated_(false), |
| tb_negotiated_param_(TB_PARAM_ECDSAP256), |
| - tb_signed_ekm_map_(10), |
| + tb_signature_map_(10), |
| ssl_(NULL), |
| transport_bio_(NULL), |
| transport_(std::move(transport_socket)), |
| @@ -550,16 +550,17 @@ ChannelIDService* SSLClientSocketImpl::GetChannelIDService() const { |
| return channel_id_service_; |
| } |
| -Error SSLClientSocketImpl::GetSignedEKMForTokenBinding( |
| - crypto::ECPrivateKey* key, |
| - std::vector<uint8_t>* out) { |
| +Error SSLClientSocketImpl::GetTokenBindingSignature(crypto::ECPrivateKey* key, |
| + TokenBindingType tb_type, |
| + std::vector<uint8_t>* out) { |
| // The same key will be used across multiple requests to sign the same value, |
| // so the signature is cached. |
| std::string raw_public_key; |
| if (!key->ExportRawPublicKey(&raw_public_key)) |
| return ERR_FAILED; |
| - SignedEkmMap::iterator it = tb_signed_ekm_map_.Get(raw_public_key); |
| - if (it != tb_signed_ekm_map_.end()) { |
| + TokenBindingSignatureMap::iterator it = |
|
davidben
2016/09/19 21:24:14
Optional: auto?
nharper
2016/09/19 22:32:23
Done.
|
| + tb_signature_map_.Get(std::make_pair(tb_type, raw_public_key)); |
| + if (it != tb_signature_map_.end()) { |
| *out = it->second; |
| return OK; |
| } |
| @@ -573,13 +574,13 @@ Error SSLClientSocketImpl::GetSignedEKMForTokenBinding( |
| return ERR_FAILED; |
| } |
| - if (!SignTokenBindingEkm( |
| + if (!CreateTokenBindingSignature( |
| base::StringPiece(reinterpret_cast<char*>(tb_ekm_buf), |
| sizeof(tb_ekm_buf)), |
| - key, out)) |
| + tb_type, key, out)) |
| return ERR_FAILED; |
| - tb_signed_ekm_map_.Put(raw_public_key, *out); |
| + tb_signature_map_.Put(std::make_pair(tb_type, raw_public_key), *out); |
| return OK; |
| } |
| @@ -1197,9 +1198,12 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) { |
| } |
| // Check that if token binding was negotiated, then extended master secret |
| - // must also be negotiated. |
| - if (tb_was_negotiated_ && !SSL_get_extms_support(ssl_)) |
| + // and renegotiation indication must also be negotiated. |
| + if (tb_was_negotiated_ && |
| + !(SSL_get_extms_support(ssl_) && |
| + SSL_get_secure_renegotiation_support(ssl_))) { |
| return ERR_SSL_PROTOCOL_ERROR; |
| + } |
| // SSL handshake is completed. If NPN wasn't negotiated, see if ALPN was. |
| if (npn_status_ == kNextProtoUnsupported) { |
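Review bot: The rewritten comment above the `if (tb_was_negotiated_ &&` check says extended master secret and renegotiation indication "must also be negotiated" but not why, which leaves a later reader free to relax the check; I would extend it with the rationale, e.g. `// The Token Binding draft requires both Extended Master Secret and Renegotiation Indication so that the exported keying material being signed is bound to this connection and cannot be replayed across a renegotiation (see the draft's security considerations).` The negated conjunction `!(SSL_get_extms_support(ssl_) && SSL_get_secure_renegotiation_support(ssl_))` reads more directly as `!SSL_get_extms_support(ssl_) || !SSL_get_secure_renegotiation_support(ssl_)`, one clause per missing extension. The failure surfaces only as a bare `ERR_SSL_PROTOCOL_ERROR`, so if the file's existing NetLog plumbing allows it, an event naming which extension was missing would make these handshake failures far easier to triage; I cannot see that plumbing from this hunk. DoHandshakeComplete begins and ends outside the hunk.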