Index: net/socket/ssl_client_socket_openssl.h |
diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h |
index 228214b42d6e2f5b925050f976a5a8274c0171c2..6bee84cb799987efcb94ff6c730a9a6743b3b04a 100644 |
--- a/net/socket/ssl_client_socket_openssl.h |
+++ b/net/socket/ssl_client_socket_openssl.h |
@@ -6,6 +6,7 @@ |
#define NET_SOCKET_SSL_CLIENT_SOCKET_OPENSSL_H_ |
#include <openssl/base.h> |
+#include <openssl/bytestring.h> |
#include <openssl/ssl.h> |
#include <string> |
@@ -95,10 +96,72 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { |
int SetSendBufferSize(int32 size) override; |
private: |
+ // Stores the state and result of the token binding negotiation TLS extension. |
+ // (draft-ietf-tokbind-negotiation-00). |
+ class TokenBindingExtension { |
+ public: |
+ static const unsigned int kExtNum = 30033; |
davidben
2015/10/01 16:15:17
I believe this is actually an ODR violation for we
nharper
2015/10/01 19:12:23
To be clear, you're suggesting removing the TokenB
|
+ |
+ // Token Binding ProtocolVersion that this extension supports. |
+ static const uint8_t kProtocolVersionMajor = 0; |
+ static const uint8_t kProtocolVersionMinor = 2; |
+ static const uint8_t kMinProtocolVersionMajor = 0; |
+ static const uint8_t kMinProtocolVersionMinor = 2; |
+ |
+ TokenBindingExtension(); |
+ ~TokenBindingExtension(); |
+ |
+ // Sets the supported key params to use in negotiation. If empty, token |
+ // binding will not be negotiated. |
+ void SetParams(const std::vector<TokenBindingParam>& params); |
+ |
+ // Returns which TokenBindingParam was negotiated. This value is only valid |
+ // if WasNegotiated returns true. |
+ TokenBindingParam NegotiationResult() const; |
+ |
+ // Returns whether token binding was negotiated. |
+ bool WasNegotiated() const; |
+ |
+ // Sets the custom extension api callbacks to ClientAddCallback, |
+ // ClientFreeCallback, and ClientParseCallback. The callbacks are static |
+ // methods (since the OpenSSL api takes function pointers) and are wrappers |
+ // to call ClientAdd or ClientParse on the TokenBindingExtension object that |
+ // is a member of the SSLClientSocketOpenSSL for the corresponding SSL |
+ // struct passed in to the callback. |
+ static bool RegisterCallbacks(SSL_CTX* ssl_ctx); |
+ |
+ private: |
+ static int ClientAddCallback(SSL* ssl, |
+ unsigned int extension_value, |
+ const uint8_t** out, |
+ size_t* out_len, |
+ int* out_alert_value, |
+ void* add_arg); |
+ static void ClientFreeCallback(SSL* ssl, |
+ unsigned int extension_value, |
+ const uint8_t* out, |
+ void* add_arg); |
+ static int ClientParseCallback(SSL* ssl, |
+ unsigned int extension_value, |
+ const uint8_t* contents, |
+ size_t contents_len, |
+ int* out_alert_value, |
+ void* parse_arg); |
davidben
2015/10/01 16:15:17
The random static methods thus far have ended up o
nharper
2015/10/02 03:31:27
These static methods are calling the private metho
|
+ |
+ int ClientAdd(const uint8_t** out, size_t* out_len, int* out_alert_value); |
+ int ClientParse(const uint8_t* contents, |
+ size_t contents_len, |
+ int* out_alert_value); |
+ |
+ bool negotiated_; |
+ TokenBindingParam negotiated_param_; |
+ std::vector<TokenBindingParam> supported_params_; |
+ }; |
class PeerCertificateChain; |
class SSLContext; |
friend class SSLClientSocket; |
friend class SSLContext; |
+ friend class TokenBindingExtension; |
int Init(); |
void DoReadCallback(int result); |
@@ -109,6 +172,8 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { |
int DoHandshakeComplete(int result); |
int DoChannelIDLookup(); |
int DoChannelIDLookupComplete(int result); |
+ int DoTokenBindingLookup(); |
+ int DoTokenBindingLookupComplete(int result); |
int DoVerifyCert(int result); |
int DoVerifyCertComplete(int result); |
void DoConnectCallback(int result); |
@@ -276,6 +341,7 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { |
// The service for retrieving Channel ID keys. May be NULL. |
ChannelIDService* channel_id_service_; |
+ TokenBindingExtension token_binding_extension_; |
// OpenSSL stuff |
SSL* ssl_; |
@@ -295,6 +361,8 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { |
STATE_HANDSHAKE_COMPLETE, |
STATE_CHANNEL_ID_LOOKUP, |
STATE_CHANNEL_ID_LOOKUP_COMPLETE, |
+ STATE_TOKEN_BINDING_LOOKUP, |
+ STATE_TOKEN_BINDING_LOOKUP_COMPLETE, |
STATE_VERIFY_CERT, |
STATE_VERIFY_CERT_COMPLETE, |
}; |