Initial SSL/Socket 0RTT changes.

This adds the API to SSLClientSocket but does not yet hook it up to the rest of the stack. Bug: 641225 Change-Id: I8694d4e4f92d7e57d32541fcc2b87ed5fb42d075 Reviewed-on: https://chromium-review.googlesource.com/1067639 Commit-Queue: Steven Valdez <svaldez@chromium.org> Reviewed-by: Steven Valdez <svaldez@chromium.org> Reviewed-by: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#575189}

Initial SSL/Socket 0RTT changes.
This adds the API to SSLClientSocket but does not yet hook it up to the rest of the stack. Bug: 641225 Change-Id: I8694d4e4f92d7e57d32541fcc2b87ed5fb42d075 Reviewed-on: https://chromium-review.googlesource.com/1067639 Commit-Queue: Steven Valdez <svaldez@chromium.org> Reviewed-by: Steven Valdez <svaldez@chromium.org> Reviewed-by: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#575189}
6af02df8 · Steven Valdez · Commit Bot · 51d7d8c9 · 6af02df8 · 6af02df8
Commit 6af02df8 authored Jul 15, 2018 by Steven Valdez Committed by Commit Bot Jul 15, 2018
17 changed files
--- a/net/base/net_error_list.h
+++ b/net/base/net_error_list.h
@@ -413,6 +413,21 @@ NET_ERROR(NO_BUFFER_SPACE, -176)
 // private key and the server's preferences.
 NET_ERROR(SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS, -177)
+// TLS 1.3 early data was rejected by the server. This will be received before
+// any data is returned from the socket. The request should be retried with
+// early data disabled.
+NET_ERROR(EARLY_DATA_REJECTED, -178)
+// TLS 1.3 early data was offered, but the server responded with TLS 1.2 or
+// earlier. This is an internal error code to account for a
+// backwards-compatibility issue with early data and TLS 1.2. It will be
+// received before any data is returned from the socket. The request should be
+// retried with early data disabled.
+//
+// See https://tools.ietf.org/html/draft-ietf-tls-tls13-28#appendix-D.3 for
+// details.
+NET_ERROR(WRONG_VERSION_ON_EARLY_DATA, -179)
 // Certificate error codes
 //
 // The values of certificate error codes must be consecutive.

--- a/net/log/net_log_event_type_list.h
+++ b/net/log/net_log_event_type_list.h
@@ -545,6 +545,9 @@ EVENT_TYPE(SSL_VERIFICATION_MERGED)
 EVENT_TYPE(SSL_ALERT_RECEIVED)
 EVENT_TYPE(SSL_ALERT_SENT)
+// The SSL connection is being confirmed.
+EVENT_TYPE(SSL_CONFIRM_HANDSHAKE)
 // An SSL connection sent or received a handshake message.
 // The following parameters are attached:
 //   {

--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -460,6 +460,7 @@ SSLClientSocketImpl::SSLClientSocketImpl(
      ssl_config_(ssl_config),
      ssl_session_cache_shard_(context.ssl_session_cache_shard),
      next_handshake_state_(STATE_NONE),
+      in_confirm_handshake_(false),
      disconnected_(false),
      negotiated_protocol_(kProtoUnknown),
      channel_id_sent_(false),
@@ -561,6 +562,30 @@ void SSLClientSocketImpl::Disconnect() {
  transport_->socket()->Disconnect();
 }
+// ConfirmHandshake may only be called on a connected socket and, like other
+// socket methods, there may only be one ConfirmHandshake operation in progress
+// at once.
+int SSLClientSocketImpl::ConfirmHandshake(CompletionOnceCallback callback) {
+  CHECK(completed_connect_);
+  CHECK(!in_confirm_handshake_);
+  if (!SSL_in_early_data(ssl_.get())) {
+    return OK;
+  }
+  net_log_.BeginEvent(NetLogEventType::SSL_CONFIRM_HANDSHAKE);
+  next_handshake_state_ = STATE_HANDSHAKE;
+  in_confirm_handshake_ = true;
+  int rv = DoHandshakeLoop(OK);
+  if (rv == ERR_IO_PENDING) {
+    user_connect_callback_ = std::move(callback);
+  } else {
+    net_log_.EndEvent(NetLogEventType::SSL_CONFIRM_HANDSHAKE);
+    in_confirm_handshake_ = false;
+  }
+  return rv > OK ? OK : rv;
+}
 bool SSLClientSocketImpl::IsConnected() const {
  // If the handshake has not yet completed or the socket has been explicitly
  // disconnected.
@@ -877,6 +902,8 @@ int SSLClientSocketImpl::Init() {
    return ERR_UNEXPECTED;
  }
+  SSL_set_early_data_enabled(ssl_.get(), ssl_config_.early_data_enabled);
  switch (ssl_config_.tls13_variant) {
    case kTLS13VariantDraft23:
      SSL_set_tls13_variant(ssl_.get(), tls13_draft23);
@@ -1035,6 +1062,11 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) {
  if (result < 0)
    return result;
+  if (in_confirm_handshake_) {
+    next_handshake_state_ = STATE_NONE;
+    return OK;
+  }
  if (ssl_config_.version_interference_probe) {
    DCHECK_LT(ssl_config_.version_max, TLS1_3_VERSION);
    return ERR_SSL_VERSION_INTERFERENCE;
@@ -1258,7 +1290,12 @@ void SSLClientSocketImpl::DoConnectCallback(int rv) {
 void SSLClientSocketImpl::OnHandshakeIOComplete(int result) {
  int rv = DoHandshakeLoop(result);
  if (rv != ERR_IO_PENDING) {
-    LogConnectEndEvent(rv);
+    if (in_confirm_handshake_) {
+      in_confirm_handshake_ = false;
+      net_log_.EndEvent(NetLogEventType::SSL_CONFIRM_HANDSHAKE);
+    } else {
+      LogConnectEndEvent(rv);
+    }
    DoConnectCallback(rv);
  }
 }
@@ -1345,14 +1382,6 @@ int SSLClientSocketImpl::DoPayloadRead(IOBuffer* buf, int buf_len) {
  // processed immediately, while the information still available in OpenSSL's
  // error queue.
  if (ssl_ret <= 0) {
-    // A zero return from SSL_read may mean any of:
-    // - The underlying BIO_read returned 0.
-    // - The peer sent a close_notify.
-    // - Any arbitrary error. https://crbug.com/466303
-    //
-    // TransportReadComplete converts the first to an ERR_CONNECTION_CLOSED
-    // error, so it does not occur. The second and third are distinguished by
-    // SSL_ERROR_ZERO_RETURN.
    pending_read_ssl_error_ = SSL_get_error(ssl_.get(), ssl_ret);
    if (pending_read_ssl_error_ == SSL_ERROR_ZERO_RETURN) {
      pending_read_error_ = 0;
@@ -1437,12 +1466,18 @@ void SSLClientSocketImpl::RetryAllOperations() {
  // so retry all operations for simplicity. (Otherwise, SSL_get_error for each
  // operation may be remembered to retry only the blocked ones.)
+  // Performing these callbacks may cause |this| to be deleted. If this
+  // happens, the other callbacks should not be invoked. Guard against this by
+  // holding a WeakPtr to |this| and ensuring it's still valid.
+  base::WeakPtr<SSLClientSocketImpl> guard(weak_factory_.GetWeakPtr());
  if (next_handshake_state_ == STATE_HANDSHAKE) {
    // In handshake phase. The parameter to OnHandshakeIOComplete is unused.
    OnHandshakeIOComplete(OK);
-    return;
  }
+  if (!guard.get())
+    return;
  int rv_read = ERR_IO_PENDING;
  int rv_write = ERR_IO_PENDING;
  if (user_read_buf_) {
@@ -1456,10 +1491,6 @@ void SSLClientSocketImpl::RetryAllOperations() {
  if (user_write_buf_)
    rv_write = DoPayloadWrite();
-  // Performing the Read callback may cause |this| to be deleted. If this
-  // happens, the Write callback should not be invoked. Guard against this by
-  // holding a WeakPtr to |this| and ensuring it's still valid.
-  base::WeakPtr<SSLClientSocketImpl> guard(weak_factory_.GetWeakPtr());
  if (rv_read != ERR_IO_PENDING)
    DoReadCallback(rv_read);

--- a/net/socket/ssl_client_socket_impl.h
+++ b/net/socket/ssl_client_socket_impl.h
@@ -89,6 +89,7 @@ class SSLClientSocketImpl : public SSLClientSocket,
  // StreamSocket implementation.
  int Connect(CompletionOnceCallback callback) override;
  void Disconnect() override;
+  int ConfirmHandshake(CompletionOnceCallback callback) override;
  bool IsConnected() const override;
  bool IsConnectedAndIdle() const override;
  int GetPeerAddress(IPEndPoint* address) const override;
@@ -310,6 +311,9 @@ class SSLClientSocketImpl : public SSLClientSocket,
  };
  State next_handshake_state_;
+  // True if we are currently confirming the handshake.
+  bool in_confirm_handshake_;
  // True if the socket has been disconnected.
  bool disconnected_;

--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
--- a/net/socket/ssl_server_socket_impl.cc
+++ b/net/socket/ssl_server_socket_impl.cc
@@ -186,6 +186,9 @@ class SSLServerContextImpl::SocketImpl : public SSLServerSocket,
  // OpenSSL stuff
  bssl::UniquePtr<SSL> ssl_;
+  // Whether we received any data in early data.
+  bool early_data_received_;
  // StreamSocket for sending and receiving data.
  std::unique_ptr<StreamSocket> transport_socket_;
  std::unique_ptr<SocketBIOAdapter> transport_adapter_;
@@ -208,6 +211,7 @@ SSLServerContextImpl::SocketImpl::SocketImpl(
      signature_result_(kSSLServerSocketNoPendingResult),
      user_read_buf_len_(0),
      user_write_buf_len_(0),
+      early_data_received_(false),
      transport_socket_(std::move(transport_socket)),
      next_handshake_state_(STATE_NONE),
      completed_handshake_(false),
@@ -505,6 +509,7 @@ bool SSLServerContextImpl::SocketImpl::GetSSLInfo(SSLInfo* ssl_info) {
  SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_.get()),
                                &ssl_info->connection_status);
+  ssl_info->early_data_received = early_data_received_;
  ssl_info->handshake_type = SSL_session_reused(ssl_.get())
                                 ? SSLInfo::HANDSHAKE_RESUME
                                 : SSLInfo::HANDSHAKE_FULL;
@@ -577,8 +582,11 @@ int SSLServerContextImpl::SocketImpl::DoPayloadRead() {
  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
  int rv = SSL_read(ssl_.get(), user_read_buf_->data(), user_read_buf_len_);
-  if (rv >= 0)
+  if (rv >= 0) {
+    if (SSL_in_early_data(ssl_.get()))
+      early_data_received_ = true;
    return rv;
+  }
  int ssl_error = SSL_get_error(ssl_.get(), rv);
  OpenSSLErrorInfo error_info;
  int net_error =
@@ -849,6 +857,8 @@ void SSLServerContextImpl::Init() {
      break;
  }
+  SSL_CTX_set_early_data_enabled(ssl_ctx_.get(),
+                                 ssl_server_config_.early_data_enabled);
  DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_min);
  DCHECK_LT(SSL3_VERSION, ssl_server_config_.version_max);
  CHECK(SSL_CTX_set_min_proto_version(ssl_ctx_.get(),

--- a/net/socket/stream_socket.cc
+++ b/net/socket/stream_socket.cc
@@ -35,4 +35,8 @@ StreamSocket::SocketMemoryStats::SocketMemoryStats()
 StreamSocket::SocketMemoryStats::~SocketMemoryStats() = default;
+int StreamSocket::ConfirmHandshake(CompletionOnceCallback callback) {
+  return OK;
+}
 }  // namespace net
--- a/net/socket/stream_socket.h
+++ b/net/socket/stream_socket.h
@@ -67,6 +67,24 @@ class NET_EXPORT StreamSocket : public Socket {
  //
  virtual int Connect(CompletionOnceCallback callback) = 0;
+  // Called to confirm the TLS handshake, if any, indicating that replay
+  // protection is ready. Returns OK if the handshake could complete
+  // synchronously or had already been confirmed. Otherwise, ERR_IO_PENDING is
+  // returned and the given callback will run asynchronously when the connection
+  // is established or when an error occurs.  The result is some other error
+  // code if the connection could not be completed.
+  //
+  // This operation is only needed if TLS early data is enabled, in which case
+  // Connect returns early and Write initially sends early data, which does not
+  // have TLS's usual security properties. The caller must call this function
+  // and wait for handshake confirmation before sending data that is not
+  // replay-safe.
+  //
+  // ConfirmHandshake may run concurrently with Read or Write, but, as with Read
+  // and Write, at most one pending ConfirmHandshake operation may be in
+  // progress at a time.
+  virtual int ConfirmHandshake(CompletionOnceCallback callback);
  // Called to disconnect a socket.  Does nothing if the socket is already
  // disconnected.  After calling Disconnect it is possible to call Connect
  // again to establish a new connection.

--- a/net/ssl/openssl_ssl_util.cc
+++ b/net/ssl/openssl_ssl_util.cc
@@ -105,6 +105,8 @@ int MapOpenSSLErrorSSL(uint32_t error_code) {
      return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY;
    case SSL_R_SERVER_CERT_CHANGED:
      return ERR_SSL_SERVER_CERT_CHANGED;
+    case SSL_R_WRONG_VERSION_ON_EARLY_DATA:
+      return ERR_WRONG_VERSION_ON_EARLY_DATA;
    // SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the server after
    // receiving ClientHello if there's no common supported cipher. Map that
    // specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH to match the NSS
@@ -169,6 +171,8 @@ int MapOpenSSLErrorWithDetails(int err,
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
      return ERR_IO_PENDING;
+    case SSL_ERROR_EARLY_DATA_REJECTED:
+      return ERR_EARLY_DATA_REJECTED;
    case SSL_ERROR_SYSCALL:
      LOG(ERROR) << "OpenSSL SYSCALL error, earliest error code in "
                    "error queue: " << ERR_peek_error() << ", errno: "

--- a/net/ssl/ssl_config.cc
+++ b/net/ssl/ssl_config.cc
@@ -29,6 +29,7 @@ SSLConfig::SSLConfig()
      version_min(kDefaultSSLVersionMin),
      version_max(kDefaultSSLVersionMax),
      tls13_variant(kDefaultTLS13Variant),
+      early_data_enabled(false),
      version_interference_probe(false),
      channel_id_enabled(false),
      false_start_enabled(true),

--- a/net/ssl/ssl_config.h
+++ b/net/ssl/ssl_config.h
@@ -102,6 +102,20 @@ struct NET_EXPORT SSLConfig {
  // also enabled via version_min and version_max.
  TLS13Variant tls13_variant;
+  // Whether early data is enabled on this connection. Note that early data has
+  // weaker security properties than normal data and changes the
+  // SSLClientSocket's behavior. The caller must only send replayable data prior
+  // to handshake confirmation. See StreamSocket::ConfirmHandshake for details.
+  //
+  // Additionally, early data may be rejected by the server, resulting in some
+  // socket operation failing with ERR_EARLY_DATA_REJECTED or
+  // ERR_WRONG_VERSION_ON_EARLY_DATA before any data is returned from the
+  // server. The caller must handle these cases, typically by retrying the
+  // high-level operation.
+  //
+  // If unsure, do not enable this option.
+  bool early_data_enabled;
  // Presorted list of cipher suites which should be explicitly prevented from
  // being used in addition to those disabled by the net built-in policy.
  //

--- a/net/ssl/ssl_info.h
+++ b/net/ssl/ssl_info.h
@@ -113,6 +113,10 @@ class NET_EXPORT SSLInfo {
  // TODO(agl): remove by 2018-05-31.
  bool dummy_pq_padding_received = false;
+  // True if data was received over early data on the server. This field is only
+  // set for server sockets.
+  bool early_data_received = false;
  HandshakeType handshake_type = HANDSHAKE_UNKNOWN;
  // The hashes, in several algorithms, of the SubjectPublicKeyInfos from

--- a/net/ssl/ssl_server_config.cc
+++ b/net/ssl/ssl_server_config.cc
@@ -12,6 +12,7 @@ namespace net {
 SSLServerConfig::SSLServerConfig()
    : version_min(kDefaultSSLVersionMin),
      version_max(kDefaultSSLVersionMax),
+      early_data_enabled(false),
      require_ecdhe(false),
      client_cert_type(NO_CLIENT_CERT),
      client_cert_verifier(nullptr) {}

--- a/net/ssl/ssl_server_config.h
+++ b/net/ssl/ssl_server_config.h
@@ -36,6 +36,10 @@ struct NET_EXPORT SSLServerConfig {
  uint16_t version_min;
  uint16_t version_max;
+  // Whether early data is enabled on this connection. The caller is obligated
+  // to reject early data that is non-safe to be replayed.
+  bool early_data_enabled;
  // Presorted list of cipher suites which should be explicitly prevented from
  // being used in addition to those disabled by the net built-in policy.
  //

--- a/net/test/embedded_test_server/embedded_test_server.cc
+++ b/net/test/embedded_test_server/embedded_test_server.cc
@@ -30,6 +30,7 @@
 #include "net/socket/ssl_server_socket.h"
 #include "net/socket/stream_socket.h"
 #include "net/socket/tcp_server_socket.h"
+#include "net/ssl/ssl_info.h"
 #include "net/ssl/ssl_server_config.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/embedded_test_server/default_handlers.h"
@@ -208,6 +209,12 @@ void EmbeddedTestServer::HandleRequest(HttpConnection* connection,
  DCHECK(io_thread_->task_runner()->BelongsToCurrentThread());
  request->base_url = base_url_;
+  SSLInfo ssl_info;
+  if (connection->socket_->GetSSLInfo(&ssl_info) &&
+      ssl_info.early_data_received) {
+    request->headers["Early-Data"] = "1";
+  }
  for (const auto& monitor : request_monitors_)
    monitor.Run(*request);
@@ -258,16 +265,32 @@ GURL EmbeddedTestServer::GetURL(
  return local_url.ReplaceComponents(replace_host);
 }
+void EmbeddedTestServer::SetSSLConfig(ServerCertificate cert,
+                                      const SSLServerConfig& ssl_config) {
+  DCHECK(!Started());
+  cert_ = cert;
+  ssl_config_ = ssl_config;
+}
 bool EmbeddedTestServer::GetAddressList(AddressList* address_list) const {
  *address_list = AddressList(local_endpoint_);
  return true;
 }
-void EmbeddedTestServer::SetSSLConfig(ServerCertificate cert,
+void EmbeddedTestServer::ResetSSLConfigOnIOThread(
-                                      const SSLServerConfig& ssl_config) {
+    ServerCertificate cert,
-  DCHECK(!Started());
+    const SSLServerConfig& ssl_config) {
  cert_ = cert;
  ssl_config_ = ssl_config;
+  connections_.clear();
+  InitializeSSLServerContext();
+}
+bool EmbeddedTestServer::ResetSSLConfig(ServerCertificate cert,
+                                        const SSLServerConfig& ssl_config) {
+  return PostTaskToIOThreadAndWait(
+      base::BindRepeating(&EmbeddedTestServer::ResetSSLConfigOnIOThread,
+                          base::Unretained(this), cert, ssl_config));
 }
 void EmbeddedTestServer::SetSSLConfig(ServerCertificate cert) {

--- a/net/test/embedded_test_server/embedded_test_server.h
+++ b/net/test/embedded_test_server/embedded_test_server.h
@@ -193,6 +193,9 @@ class EmbeddedTestServer {
  void SetSSLConfig(ServerCertificate cert, const SSLServerConfig& ssl_config);
  void SetSSLConfig(ServerCertificate cert);
+  bool ResetSSLConfig(ServerCertificate cert,
+                      const SSLServerConfig& ssl_config);
  // Returns the file name of the certificate the server is using. The test
  // certificates can be found in net/data/ssl/certificates/.
  std::string GetCertificateName() const;
@@ -242,6 +245,10 @@ class EmbeddedTestServer {
  // Shuts down the server.
  void ShutdownOnIOThread();
+  // Resets the SSLServerConfig on the IO thread.
+  void ResetSSLConfigOnIOThread(ServerCertificate cert,
+                                const SSLServerConfig& ssl_config);
  // Upgrade the TCP connection to one over SSL.
  std::unique_ptr<StreamSocket> DoSSLUpgrade(
      std::unique_ptr<StreamSocket> connection);

--- a/tools/metrics/histograms/enums.xml
+++ b/tools/metrics/histograms/enums.xml
@@ -6619,6 +6619,8 @@ Called by update_net_error_codes.py.-->
  <int value="-202" label="CERT_AUTHORITY_INVALID"/>
  <int value="-201" label="CERT_DATE_INVALID"/>
  <int value="-200" label="CERT_COMMON_NAME_INVALID"/>
+  <int value="-179" label="WRONG_VERSION_ON_EARLY_DATA"/>
+  <int value="-178" label="EARLY_DATA_REJECTED"/>
  <int value="-177" label="SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS"/>
  <int value="-176" label="NO_BUFFER_SPACE"/>
  <int value="-175" label="SSL_VERSION_INTERFERENCE"/>
@@ -32191,6 +32193,8 @@ Called by update_net_error_codes.py.-->
  <int value="175" label="SSL_VERSION_INTERFERENCE"/>
  <int value="176" label="NO_BUFFER_SPACE"/>
  <int value="177" label="SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS"/>
+  <int value="178" label="EARLY_DATA_REJECTED"/>
+  <int value="179" label="WRONG_VERSION_ON_EARLY_DATA"/>
  <int value="200" label="CERT_COMMON_NAME_INVALID"/>
  <int value="201" label="CERT_DATE_INVALID"/>
  <int value="202" label="CERT_AUTHORITY_INVALID"/>