
Unified Diff: net/socket/ssl_client_socket_openssl.h

Issue 1360633002: Implement Token Binding negotiation TLS extension (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@test-server-flags
Patch Set: rebase Created 5 years, 3 months ago
Index: net/socket/ssl_client_socket_openssl.h
diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h
index 228214b42d6e2f5b925050f976a5a8274c0171c2..6bee84cb799987efcb94ff6c730a9a6743b3b04a 100644
--- a/net/socket/ssl_client_socket_openssl.h
+++ b/net/socket/ssl_client_socket_openssl.h
@@ -6,6 +6,7 @@
#define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_
#include <openssl/base.h>
+#include <openssl/bytestring.h>
#include <openssl/ssl.h>
#include <string>
@@ -95,10 +96,72 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
int SetSendBufferSize(int32 size) override;
private:
+ // Stores the state and result of the token binding negotiation TLS extension.
+ // (draft-ietf-tokbind-negotiation-00).
+ class TokenBindingExtension {
+ public:
+ static const unsigned int kExtNum = 30033;
davidben 2015/10/01 16:15:17 I believe this is actually an ODR violation for we
nharper 2015/10/01 19:12:23 To be clear, you're suggesting removing the TokenB
+
+ // Token Binding ProtocolVersion that this extension supports.
+ static const uint8_t kProtocolVersionMajor = 0;
+ static const uint8_t kProtocolVersionMinor = 2;
+ static const uint8_t kMinProtocolVersionMajor = 0;
+ static const uint8_t kMinProtocolVersionMinor = 2;
+
+ TokenBindingExtension();
+ ~TokenBindingExtension();
+
+ // Sets the supported key params to use in negotiation. If empty, token
+ // binding will not be negotiated.
+ void SetParams(const std::vector<TokenBindingParam>& params);
+
+ // Returns which TokenBindingParam was negotiated. This value is only valid
+ // if WasNegotiated returns true.
+ TokenBindingParam NegotiationResult() const;
+
+ // Returns whether token binding was negotiated.
+ bool WasNegotiated() const;
+
+ // Sets the custom extension api callbacks to ClientAddCallback,
+ // ClientFreeCallback, and ClientParseCallback. The callbacks are static
+ // methods (since the OpenSSL api takes function pointers) and are wrappers
+ // to call ClientAdd or ClientParse on the TokenBindingExtension object that
+ // is a member of the SSLClientSocketOpenSSL for the corresponding SSL
+ // struct passed in to the callback.
+ static bool RegisterCallbacks(SSL_CTX* ssl_ctx);
+
+ private:
+ static int ClientAddCallback(SSL* ssl,
+ unsigned int extension_value,
+ const uint8_t** out,
+ size_t* out_len,
+ int* out_alert_value,
+ void* add_arg);
+ static void ClientFreeCallback(SSL* ssl,
+ unsigned int extension_value,
+ const uint8_t* out,
+ void* add_arg);
+ static int ClientParseCallback(SSL* ssl,
+ unsigned int extension_value,
+ const uint8_t* contents,
+ size_t contents_len,
+ int* out_alert_value,
+ void* parse_arg);
davidben 2015/10/01 16:15:17 The random static methods thus far have ended up o
nharper 2015/10/02 03:31:27 These static methods are calling the private metho
+
+ int ClientAdd(const uint8_t** out, size_t* out_len, int* out_alert_value);
+ int ClientParse(const uint8_t* contents,
+ size_t contents_len,
+ int* out_alert_value);
+
+ bool negotiated_;
+ TokenBindingParam negotiated_param_;
+ std::vector<TokenBindingParam> supported_params_;
+ };
class PeerCertificateChain;
class SSLContext;
friend class SSLClientSocket;
friend class SSLContext;
+ friend class TokenBindingExtension;
int Init();
void DoReadCallback(int result);
@@ -109,6 +172,8 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
int DoHandshakeComplete(int result);
int DoChannelIDLookup();
int DoChannelIDLookupComplete(int result);
+ int DoTokenBindingLookup();
+ int DoTokenBindingLookupComplete(int result);
int DoVerifyCert(int result);
int DoVerifyCertComplete(int result);
void DoConnectCallback(int result);
@@ -276,6 +341,7 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
// The service for retrieving Channel ID keys. May be NULL.
ChannelIDService* channel_id_service_;
+ TokenBindingExtension token_binding_extension_;
// OpenSSL stuff
SSL* ssl_;
@@ -295,6 +361,8 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
STATE_HANDSHAKE_COMPLETE,
STATE_CHANNEL_ID_LOOKUP,
STATE_CHANNEL_ID_LOOKUP_COMPLETE,
+ STATE_TOKEN_BINDING_LOOKUP,
+ STATE_TOKEN_BINDING_LOOKUP_COMPLETE,
STATE_VERIFY_CERT,
STATE_VERIFY_CERT_COMPLETE,
};
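Review bot: `ClientAdd` and `ClientParse` near the end of the class hunk are the only members of `TokenBindingExtension` left without a comment, yet their `int` return and `out_alert_value` contract is exactly what the static callback wrappers above them hand back to OpenSSL, and `ClientParse` is the one place where server-supplied extension bytes (`contents`, `contents_len`) are consumed. A reader of the header cannot tell what the return values mean or when `*out_alert_value` must be set; presumably they follow the BoringSSL custom-extension convention, so I would add above `ClientParse`: `// Parses the server's token binding extension body. Returns 1 on success; on malformed or unsupported contents returns 0 and sets *out_alert_value so the handshake fails rather than silently proceeding without token binding.` and a parallel one-line comment above `ClientAdd` stating when it declines to add the extension (empty `supported_params_`). Separately, the class now uses `std::vector` but the include hunk only shows `<string>` being next to the new `<openssl/bytestring.h>`; if `<vector>` is not already included elsewhere in this header, it should be added, and `<openssl/bytestring.h>` looks unused by the visible declarations (the parse signatures take raw `const uint8_t*`), so it may belong in the .cc instead.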
