summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/nsNSSCallbacks.cpp
diff options
context:
space:
mode:
authorMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
committerMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
commit5f8de423f190bbb79a62f804151bc24824fa32d8 (patch)
tree10027f336435511475e392454359edea8e25895d /security/manager/ssl/nsNSSCallbacks.cpp
parent49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff)
downloadUXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip
Add m-esr52 at 52.6.0
Diffstat (limited to 'security/manager/ssl/nsNSSCallbacks.cpp')
-rw-r--r--security/manager/ssl/nsNSSCallbacks.cpp1379
1 files changed, 1379 insertions, 0 deletions
diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
new file mode 100644
index 000000000..e28760d5f
--- /dev/null
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -0,0 +1,1379 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSCallbacks.h"
+
+#include "PSMRunnable.h"
+#include "ScopedNSSTypes.h"
+#include "SharedCertVerifier.h"
+#include "SharedSSLState.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Casting.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/Telemetry.h"
+#include "mozilla/TimeStamp.h"
+#include "mozilla/Unused.h"
+#include "nsContentUtils.h"
+#include "nsICertOverrideService.h"
+#include "nsIHttpChannelInternal.h"
+#include "nsIPrompt.h"
+#include "nsISupportsPriority.h"
+#include "nsITokenDialogs.h"
+#include "nsIUploadChannel.h"
+#include "nsIWebProgressListener.h"
+#include "nsNSSCertificate.h"
+#include "nsNSSComponent.h"
+#include "nsNSSIOLayer.h"
+#include "nsNetUtil.h"
+#include "nsProtectedAuthThread.h"
+#include "nsProxyRelease.h"
+#include "pkix/pkixtypes.h"
+#include "ssl.h"
+#include "sslproto.h"
+
+using namespace mozilla;
+using namespace mozilla::psm;
+
+extern LazyLogModule gPIPNSSLog;
+
+static void AccumulateCipherSuite(Telemetry::ID probe,
+ const SSLChannelInfo& channelInfo);
+
+namespace {
+
+// Bits in bit mask for SSL_REASONS_FOR_NOT_FALSE_STARTING telemetry probe
+// These bits are numbered so that the least subtle issues have higher values.
+// This should make it easier for us to interpret the results.
+const uint32_t NPN_NOT_NEGOTIATED = 64;
+const uint32_t POSSIBLE_VERSION_DOWNGRADE = 4;
+const uint32_t POSSIBLE_CIPHER_SUITE_DOWNGRADE = 2;
+const uint32_t KEA_NOT_SUPPORTED = 1;
+
+} // namespace
+
+class nsHTTPDownloadEvent : public Runnable {
+public:
+ nsHTTPDownloadEvent();
+ ~nsHTTPDownloadEvent();
+
+ NS_IMETHOD Run();
+
+ nsNSSHttpRequestSession *mRequestSession;
+
+ RefPtr<nsHTTPListener> mListener;
+ bool mResponsibleForDoneSignal;
+ TimeStamp mStartTime;
+};
+
+nsHTTPDownloadEvent::nsHTTPDownloadEvent()
+:mResponsibleForDoneSignal(true)
+{
+}
+
+nsHTTPDownloadEvent::~nsHTTPDownloadEvent()
+{
+ if (mResponsibleForDoneSignal && mListener)
+ mListener->send_done_signal();
+
+ mRequestSession->Release();
+}
+
+NS_IMETHODIMP
+nsHTTPDownloadEvent::Run()
+{
+ if (!mListener)
+ return NS_OK;
+
+ nsresult rv;
+
+ nsCOMPtr<nsIIOService> ios = do_GetIOService();
+ NS_ENSURE_STATE(ios);
+
+ nsCOMPtr<nsIChannel> chan;
+ ios->NewChannel2(mRequestSession->mURL,
+ nullptr,
+ nullptr,
+ nullptr, // aLoadingNode
+ nsContentUtils::GetSystemPrincipal(),
+ nullptr, // aTriggeringPrincipal
+ nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL,
+ nsIContentPolicy::TYPE_OTHER,
+ getter_AddRefs(chan));
+ NS_ENSURE_STATE(chan);
+
+ // Security operations scheduled through normal HTTP channels are given
+ // high priority to accommodate real time OCSP transactions.
+ nsCOMPtr<nsISupportsPriority> priorityChannel = do_QueryInterface(chan);
+ if (priorityChannel)
+ priorityChannel->AdjustPriority(nsISupportsPriority::PRIORITY_HIGHEST);
+
+ chan->SetLoadFlags(nsIRequest::LOAD_ANONYMOUS |
+ nsIChannel::LOAD_BYPASS_SERVICE_WORKER);
+
+ // For OCSP requests, only the first party domain aspect of origin attributes
+ // is used. This means that OCSP requests are shared across different
+ // containers.
+ if (mRequestSession->mOriginAttributes != NeckoOriginAttributes()) {
+ NeckoOriginAttributes attrs;
+ attrs.mFirstPartyDomain =
+ mRequestSession->mOriginAttributes.mFirstPartyDomain;
+
+ nsCOMPtr<nsILoadInfo> loadInfo = chan->GetLoadInfo();
+ if (loadInfo) {
+ rv = loadInfo->SetOriginAttributes(attrs);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+ }
+
+ // Create a loadgroup for this new channel. This way if the channel
+ // is redirected, we'll have a way to cancel the resulting channel.
+ nsCOMPtr<nsILoadGroup> lg = do_CreateInstance(NS_LOADGROUP_CONTRACTID);
+ chan->SetLoadGroup(lg);
+
+ if (mRequestSession->mHasPostData)
+ {
+ nsCOMPtr<nsIInputStream> uploadStream;
+ rv = NS_NewPostDataStream(getter_AddRefs(uploadStream),
+ false,
+ mRequestSession->mPostData);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ nsCOMPtr<nsIUploadChannel> uploadChannel(do_QueryInterface(chan));
+ NS_ENSURE_STATE(uploadChannel);
+
+ rv = uploadChannel->SetUploadStream(uploadStream,
+ mRequestSession->mPostContentType,
+ -1);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ // Do not use SPDY for internal security operations. It could result
+ // in the silent upgrade to ssl, which in turn could require an SSL
+ // operation to fulfill something like an OCSP fetch, which is an
+ // endless loop.
+ nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(chan);
+ if (internalChannel) {
+ rv = internalChannel->SetAllowSpdy(false);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(chan);
+ NS_ENSURE_STATE(hchan);
+
+ rv = hchan->SetAllowSTS(false);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ rv = hchan->SetRequestMethod(mRequestSession->mRequestMethod);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ mResponsibleForDoneSignal = false;
+ mListener->mResponsibleForDoneSignal = true;
+
+ mListener->mLoadGroup = lg.get();
+ NS_ADDREF(mListener->mLoadGroup);
+ mListener->mLoadGroupOwnerThread = PR_GetCurrentThread();
+
+ rv = NS_NewStreamLoader(getter_AddRefs(mListener->mLoader),
+ mListener);
+
+ if (NS_SUCCEEDED(rv)) {
+ mStartTime = TimeStamp::Now();
+ rv = hchan->AsyncOpen2(mListener->mLoader);
+ }
+
+ if (NS_FAILED(rv)) {
+ mListener->mResponsibleForDoneSignal = false;
+ mResponsibleForDoneSignal = true;
+
+ NS_RELEASE(mListener->mLoadGroup);
+ mListener->mLoadGroup = nullptr;
+ mListener->mLoadGroupOwnerThread = nullptr;
+ }
+
+ return NS_OK;
+}
+
+struct nsCancelHTTPDownloadEvent : Runnable {
+ RefPtr<nsHTTPListener> mListener;
+
+ NS_IMETHOD Run() override {
+ mListener->FreeLoadGroup(true);
+ mListener = nullptr;
+ return NS_OK;
+ }
+};
+
+mozilla::pkix::Result
+nsNSSHttpServerSession::createSessionFcn(const char* host,
+ uint16_t portnum,
+ /*out*/ nsNSSHttpServerSession** pSession)
+{
+ if (!host || !pSession) {
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+
+ nsNSSHttpServerSession* hss = new nsNSSHttpServerSession;
+ if (!hss) {
+ return Result::FATAL_ERROR_NO_MEMORY;
+ }
+
+ hss->mHost = host;
+ hss->mPort = portnum;
+
+ *pSession = hss;
+ return Success;
+}
+
+mozilla::pkix::Result
+nsNSSHttpRequestSession::createFcn(const nsNSSHttpServerSession* session,
+ const char* http_protocol_variant,
+ const char* path_and_query_string,
+ const char* http_request_method,
+ const NeckoOriginAttributes& origin_attributes,
+ const PRIntervalTime timeout,
+ /*out*/ nsNSSHttpRequestSession** pRequest)
+{
+ if (!session || !http_protocol_variant || !path_and_query_string ||
+ !http_request_method || !pRequest) {
+ return Result::FATAL_ERROR_INVALID_ARGS;
+ }
+
+ nsNSSHttpRequestSession* rs = new nsNSSHttpRequestSession;
+ if (!rs) {
+ return Result::FATAL_ERROR_NO_MEMORY;
+ }
+
+ rs->mTimeoutInterval = timeout;
+
+ // Use a maximum timeout value of 10 seconds because of bug 404059.
+ // FIXME: Use a better approach once 406120 is ready.
+ uint32_t maxBug404059Timeout = PR_TicksPerSecond() * 10;
+ if (timeout > maxBug404059Timeout) {
+ rs->mTimeoutInterval = maxBug404059Timeout;
+ }
+
+ rs->mURL.Assign(http_protocol_variant);
+ rs->mURL.AppendLiteral("://");
+ rs->mURL.Append(session->mHost);
+ rs->mURL.Append(':');
+ rs->mURL.AppendInt(session->mPort);
+ rs->mURL.Append(path_and_query_string);
+
+ rs->mOriginAttributes = origin_attributes;
+
+ rs->mRequestMethod = http_request_method;
+
+ *pRequest = rs;
+ return Success;
+}
+
+mozilla::pkix::Result
+nsNSSHttpRequestSession::setPostDataFcn(const char* http_data,
+ const uint32_t http_data_len,
+ const char* http_content_type)
+{
+ mHasPostData = true;
+ mPostData.Assign(http_data, http_data_len);
+ mPostContentType.Assign(http_content_type);
+
+ return Success;
+}
+
+mozilla::pkix::Result
+nsNSSHttpRequestSession::trySendAndReceiveFcn(PRPollDesc** pPollDesc,
+ uint16_t* http_response_code,
+ const char** http_response_content_type,
+ const char** http_response_headers,
+ const char** http_response_data,
+ uint32_t* http_response_data_len)
+{
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSHttpRequestSession::trySendAndReceiveFcn to %s\n", mURL.get()));
+
+ bool onSTSThread;
+ nsresult nrv;
+ nsCOMPtr<nsIEventTarget> sts
+ = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv);
+ if (NS_FAILED(nrv)) {
+ NS_ERROR("Could not get STS service");
+ return Result::FATAL_ERROR_INVALID_STATE;
+ }
+
+ nrv = sts->IsOnCurrentThread(&onSTSThread);
+ if (NS_FAILED(nrv)) {
+ NS_ERROR("IsOnCurrentThread failed");
+ return Result::FATAL_ERROR_INVALID_STATE;
+ }
+
+ if (onSTSThread) {
+ NS_ERROR("nsNSSHttpRequestSession::trySendAndReceiveFcn called on socket "
+ "thread; this will not work.");
+ return Result::FATAL_ERROR_INVALID_STATE;
+ }
+
+ const int max_retries = 2;
+ int retry_count = 0;
+ bool retryable_error = false;
+ Result rv = Result::ERROR_UNKNOWN_ERROR;
+
+ do
+ {
+ if (retry_count > 0)
+ {
+ if (retryable_error)
+ {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSHttpRequestSession::trySendAndReceiveFcn - sleeping and retrying: %d of %d\n",
+ retry_count, max_retries));
+ }
+
+ PR_Sleep( PR_MillisecondsToInterval(300) * retry_count );
+ }
+
+ ++retry_count;
+ retryable_error = false;
+
+ rv =
+ internal_send_receive_attempt(retryable_error, pPollDesc, http_response_code,
+ http_response_content_type, http_response_headers,
+ http_response_data, http_response_data_len);
+ }
+ while (retryable_error &&
+ retry_count < max_retries);
+
+ if (retry_count > 1)
+ {
+ if (retryable_error)
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSHttpRequestSession::trySendAndReceiveFcn - still failing, giving up...\n"));
+ else
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsNSSHttpRequestSession::trySendAndReceiveFcn - success at attempt %d\n",
+ retry_count));
+ }
+
+ return rv;
+}
+
+void
+nsNSSHttpRequestSession::AddRef()
+{
+ ++mRefCount;
+}
+
+void
+nsNSSHttpRequestSession::Release()
+{
+ int32_t newRefCount = --mRefCount;
+ if (!newRefCount) {
+ delete this;
+ }
+}
+
+mozilla::pkix::Result
+nsNSSHttpRequestSession::internal_send_receive_attempt(bool &retryable_error,
+ PRPollDesc **pPollDesc,
+ uint16_t *http_response_code,
+ const char **http_response_content_type,
+ const char **http_response_headers,
+ const char **http_response_data,
+ uint32_t *http_response_data_len)
+{
+ if (pPollDesc) *pPollDesc = nullptr;
+ if (http_response_code) *http_response_code = 0;
+ if (http_response_content_type) *http_response_content_type = 0;
+ if (http_response_headers) *http_response_headers = 0;
+ if (http_response_data) *http_response_data = 0;
+
+ uint32_t acceptableResultSize = 0;
+
+ if (http_response_data_len)
+ {
+ acceptableResultSize = *http_response_data_len;
+ *http_response_data_len = 0;
+ }
+
+ if (!mListener) {
+ return Result::FATAL_ERROR_INVALID_STATE;
+ }
+
+ Mutex& waitLock = mListener->mLock;
+ CondVar& waitCondition = mListener->mCondition;
+ volatile bool &waitFlag = mListener->mWaitFlag;
+ waitFlag = true;
+
+ RefPtr<nsHTTPDownloadEvent> event(new nsHTTPDownloadEvent);
+ if (!event) {
+ return Result::FATAL_ERROR_NO_MEMORY;
+ }
+
+ event->mListener = mListener;
+ this->AddRef();
+ event->mRequestSession = this;
+
+ nsresult rv = NS_DispatchToMainThread(event);
+ if (NS_FAILED(rv)) {
+ event->mResponsibleForDoneSignal = false;
+ return Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+
+ bool request_canceled = false;
+
+ {
+ MutexAutoLock locker(waitLock);
+
+ const PRIntervalTime start_time = PR_IntervalNow();
+ PRIntervalTime wait_interval;
+
+ bool running_on_main_thread = NS_IsMainThread();
+ if (running_on_main_thread)
+ {
+ // The result of running this on the main thread
+ // is a series of small timeouts mixed with spinning the
+ // event loop - this is always dangerous as there is so much main
+ // thread code that does not expect to be called re-entrantly. Your
+ // app really shouldn't do that.
+ NS_WARNING("Security network blocking I/O on Main Thread");
+
+ // let's process events quickly
+ wait_interval = PR_MicrosecondsToInterval(50);
+ }
+ else
+ {
+ // On a secondary thread, it's fine to wait some more for
+ // for the condition variable.
+ wait_interval = PR_MillisecondsToInterval(250);
+ }
+
+ while (waitFlag)
+ {
+ if (running_on_main_thread)
+ {
+ // Networking runs on the main thread, which we happen to block here.
+ // Processing events will allow the OCSP networking to run while we
+ // are waiting. Thanks a lot to Darin Fisher for rewriting the
+ // thread manager. Thanks a lot to Christian Biesinger who
+ // made me aware of this possibility. (kaie)
+
+ MutexAutoUnlock unlock(waitLock);
+ NS_ProcessNextEvent(nullptr);
+ }
+
+ waitCondition.Wait(wait_interval);
+
+ if (!waitFlag)
+ break;
+
+ if (!request_canceled)
+ {
+ bool timeout =
+ (PRIntervalTime)(PR_IntervalNow() - start_time) > mTimeoutInterval;
+
+ if (timeout)
+ {
+ request_canceled = true;
+
+ RefPtr<nsCancelHTTPDownloadEvent> cancelevent(
+ new nsCancelHTTPDownloadEvent);
+ cancelevent->mListener = mListener;
+ rv = NS_DispatchToMainThread(cancelevent);
+ if (NS_FAILED(rv)) {
+ NS_WARNING("cannot post cancel event");
+ }
+ break;
+ }
+ }
+ }
+ }
+
+ if (!event->mStartTime.IsNull()) {
+ if (request_canceled) {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 0);
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::CERT_VALIDATION_HTTP_REQUEST_CANCELED_TIME,
+ event->mStartTime, TimeStamp::Now());
+ }
+ else if (NS_SUCCEEDED(mListener->mResultCode) &&
+ mListener->mHttpResponseCode == 200) {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 1);
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::CERT_VALIDATION_HTTP_REQUEST_SUCCEEDED_TIME,
+ event->mStartTime, TimeStamp::Now());
+ }
+ else {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 2);
+ Telemetry::AccumulateTimeDelta(
+ Telemetry::CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME,
+ event->mStartTime, TimeStamp::Now());
+ }
+ }
+ else {
+ Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 3);
+ }
+
+ if (request_canceled) {
+ return Result::ERROR_OCSP_SERVER_ERROR;
+ }
+
+ if (NS_FAILED(mListener->mResultCode)) {
+ if (mListener->mResultCode == NS_ERROR_CONNECTION_REFUSED ||
+ mListener->mResultCode == NS_ERROR_NET_RESET) {
+ retryable_error = true;
+ }
+ return Result::ERROR_OCSP_SERVER_ERROR;
+ }
+
+ if (http_response_code)
+ *http_response_code = mListener->mHttpResponseCode;
+
+ if (mListener->mHttpRequestSucceeded && http_response_data &&
+ http_response_data_len) {
+ *http_response_data_len = mListener->mResultLen;
+
+ // acceptableResultSize == 0 means: any size is acceptable
+ if (acceptableResultSize != 0 &&
+ acceptableResultSize < mListener->mResultLen) {
+ return Result::ERROR_OCSP_SERVER_ERROR;
+ }
+
+ // Return data by reference, result data will be valid until "this" gets
+ // destroyed.
+ *http_response_data = (const char*)mListener->mResultData;
+ }
+
+ if (mListener->mHttpRequestSucceeded && http_response_content_type) {
+ if (mListener->mHttpResponseContentType.Length()) {
+ *http_response_content_type = mListener->mHttpResponseContentType.get();
+ }
+ }
+
+ return Success;
+}
+
+nsNSSHttpRequestSession::nsNSSHttpRequestSession()
+: mRefCount(1),
+ mHasPostData(false),
+ mTimeoutInterval(0),
+ mListener(new nsHTTPListener)
+{
+}
+
+nsNSSHttpRequestSession::~nsNSSHttpRequestSession()
+{
+}
+
+nsHTTPListener::nsHTTPListener()
+: mResultData(nullptr),
+ mResultLen(0),
+ mLock("nsHTTPListener.mLock"),
+ mCondition(mLock, "nsHTTPListener.mCondition"),
+ mWaitFlag(true),
+ mResponsibleForDoneSignal(false),
+ mLoadGroup(nullptr),
+ mLoadGroupOwnerThread(nullptr)
+{
+}
+
+nsHTTPListener::~nsHTTPListener()
+{
+ if (mResponsibleForDoneSignal)
+ send_done_signal();
+
+ if (mResultData) {
+ free(const_cast<uint8_t *>(mResultData));
+ }
+
+ if (mLoader) {
+ NS_ReleaseOnMainThread(mLoader.forget());
+ }
+}
+
+NS_IMPL_ISUPPORTS(nsHTTPListener, nsIStreamLoaderObserver)
+
+void
+nsHTTPListener::FreeLoadGroup(bool aCancelLoad)
+{
+ nsILoadGroup *lg = nullptr;
+
+ MutexAutoLock locker(mLock);
+
+ if (mLoadGroup) {
+ if (mLoadGroupOwnerThread != PR_GetCurrentThread()) {
+ NS_ASSERTION(false,
+ "attempt to access nsHTTPDownloadEvent::mLoadGroup on multiple threads, leaking it!");
+ }
+ else {
+ lg = mLoadGroup;
+ mLoadGroup = nullptr;
+ }
+ }
+
+ if (lg) {
+ if (aCancelLoad) {
+ lg->Cancel(NS_ERROR_ABORT);
+ }
+ NS_RELEASE(lg);
+ }
+}
+
+NS_IMETHODIMP
+nsHTTPListener::OnStreamComplete(nsIStreamLoader* aLoader,
+ nsISupports* aContext,
+ nsresult aStatus,
+ uint32_t stringLen,
+ const uint8_t* string)
+{
+ mResultCode = aStatus;
+
+ FreeLoadGroup(false);
+
+ nsCOMPtr<nsIRequest> req;
+ nsCOMPtr<nsIHttpChannel> hchan;
+
+ nsresult rv = aLoader->GetRequest(getter_AddRefs(req));
+
+ if (NS_FAILED(aStatus))
+ {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("nsHTTPListener::OnStreamComplete status failed %d", aStatus));
+ }
+
+ if (NS_SUCCEEDED(rv))
+ hchan = do_QueryInterface(req, &rv);
+
+ if (NS_SUCCEEDED(rv))
+ {
+ rv = hchan->GetRequestSucceeded(&mHttpRequestSucceeded);
+ if (NS_FAILED(rv))
+ mHttpRequestSucceeded = false;
+
+ mResultLen = stringLen;
+ mResultData = string; // take ownership of allocation
+ aStatus = NS_SUCCESS_ADOPTED_DATA;
+
+ unsigned int rcode;
+ rv = hchan->GetResponseStatus(&rcode);
+ if (NS_FAILED(rv))
+ mHttpResponseCode = 500;
+ else
+ mHttpResponseCode = rcode;
+
+ hchan->GetResponseHeader(NS_LITERAL_CSTRING("Content-Type"),
+ mHttpResponseContentType);
+ }
+
+ if (mResponsibleForDoneSignal)
+ send_done_signal();
+
+ return aStatus;
+}
+
+void nsHTTPListener::send_done_signal()
+{
+ mResponsibleForDoneSignal = false;
+
+ {
+ MutexAutoLock locker(mLock);
+ mWaitFlag = false;
+ mCondition.NotifyAll();
+ }
+}
+
+static char*
+ShowProtectedAuthPrompt(PK11SlotInfo* slot, nsIInterfaceRequestor *ir)
+{
+ if (!NS_IsMainThread()) {
+ NS_ERROR("ShowProtectedAuthPrompt called off the main thread");
+ return nullptr;
+ }
+
+ char* protAuthRetVal = nullptr;
+
+ // Get protected auth dialogs
+ nsCOMPtr<nsITokenDialogs> dialogs;
+ nsresult nsrv = getNSSDialogs(getter_AddRefs(dialogs),
+ NS_GET_IID(nsITokenDialogs),
+ NS_TOKENDIALOGS_CONTRACTID);
+ if (NS_SUCCEEDED(nsrv))
+ {
+ nsProtectedAuthThread* protectedAuthRunnable = new nsProtectedAuthThread();
+ if (protectedAuthRunnable)
+ {
+ NS_ADDREF(protectedAuthRunnable);
+
+ protectedAuthRunnable->SetParams(slot);
+
+ nsCOMPtr<nsIProtectedAuthThread> runnable = do_QueryInterface(protectedAuthRunnable);
+ if (runnable)
+ {
+ nsrv = dialogs->DisplayProtectedAuth(ir, runnable);
+
+ // We call join on the thread,
+ // so we can be sure that no simultaneous access will happen.
+ protectedAuthRunnable->Join();
+
+ if (NS_SUCCEEDED(nsrv))
+ {
+ SECStatus rv = protectedAuthRunnable->GetResult();
+ switch (rv)
+ {
+ case SECSuccess:
+ protAuthRetVal = ToNewCString(nsDependentCString(PK11_PW_AUTHENTICATED));
+ break;
+ case SECWouldBlock:
+ protAuthRetVal = ToNewCString(nsDependentCString(PK11_PW_RETRY));
+ break;
+ default:
+ protAuthRetVal = nullptr;
+ break;
+ }
+ }
+ }
+
+ NS_RELEASE(protectedAuthRunnable);
+ }
+ }
+
+ return protAuthRetVal;
+}
+
+class PK11PasswordPromptRunnable : public SyncRunnableBase
+ , public nsNSSShutDownObject
+{
+public:
+ PK11PasswordPromptRunnable(PK11SlotInfo* slot,
+ nsIInterfaceRequestor* ir)
+ : mResult(nullptr),
+ mSlot(slot),
+ mIR(ir)
+ {
+ }
+ virtual ~PK11PasswordPromptRunnable();
+
+ // This doesn't own the PK11SlotInfo or any other NSS objects, so there's
+ // nothing to release.
+ virtual void virtualDestroyNSSReference() override {}
+ char * mResult; // out
+ virtual void RunOnTargetThread() override;
+private:
+ PK11SlotInfo* const mSlot; // in
+ nsIInterfaceRequestor* const mIR; // in
+};
+
+PK11PasswordPromptRunnable::~PK11PasswordPromptRunnable()
+{
+ nsNSSShutDownPreventionLock locker;
+ if (isAlreadyShutDown()) {
+ return;
+ }
+
+ shutdown(ShutdownCalledFrom::Object);
+}
+
+void
+PK11PasswordPromptRunnable::RunOnTargetThread()
+{
+ static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
+
+ nsNSSShutDownPreventionLock locker;
+ if (isAlreadyShutDown()) {
+ return;
+ }
+
+ nsresult rv;
+ nsCOMPtr<nsIPrompt> prompt;
+ if (!mIR) {
+ rv = nsNSSComponent::GetNewPrompter(getter_AddRefs(prompt));
+ if (NS_FAILED(rv)) {
+ return;
+ }
+ } else {
+ prompt = do_GetInterface(mIR);
+ MOZ_ASSERT(prompt, "Interface requestor should implement nsIPrompt");
+ }
+
+ if (!prompt) {
+ return;
+ }
+
+ if (PK11_ProtectedAuthenticationPath(mSlot)) {
+ mResult = ShowProtectedAuthPrompt(mSlot, mIR);
+ return;
+ }
+
+ nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID));
+ if (!nssComponent) {
+ return;
+ }
+
+ NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(mSlot));
+ const char16_t* formatStrings[] = {
+ tokenName.get(),
+ };
+ nsAutoString promptString;
+ rv = nssComponent->PIPBundleFormatStringFromName("CertPassPrompt",
+ formatStrings,
+ ArrayLength(formatStrings),
+ promptString);
+ if (NS_FAILED(rv)) {
+ return;
+ }
+
+ nsXPIDLString password;
+ // |checkState| is unused because |checkMsg| (the argument just before it) is
+ // null, but XPConnect requires it to point to a valid bool nonetheless.
+ bool checkState = false;
+ bool userClickedOK = false;
+ rv = prompt->PromptPassword(nullptr, promptString.get(),
+ getter_Copies(password), nullptr, &checkState,
+ &userClickedOK);
+ if (NS_FAILED(rv) || !userClickedOK) {
+ return;
+ }
+
+ mResult = ToNewUTF8String(password);
+}
+
+char*
+PK11PasswordPrompt(PK11SlotInfo* slot, PRBool /*retry*/, void* arg)
+{
+ RefPtr<PK11PasswordPromptRunnable> runnable(
+ new PK11PasswordPromptRunnable(slot,
+ static_cast<nsIInterfaceRequestor*>(arg)));
+ runnable->DispatchToMainThreadAndWait();
+ return runnable->mResult;
+}
+
+// call with shutdown prevention lock held
+static void
+PreliminaryHandshakeDone(PRFileDesc* fd)
+{
+ nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
+ if (!infoObject)
+ return;
+
+ SSLChannelInfo channelInfo;
+ if (SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)) == SECSuccess) {
+ infoObject->SetSSLVersionUsed(channelInfo.protocolVersion);
+ infoObject->SetEarlyDataAccepted(channelInfo.earlyDataAccepted);
+
+ SSLCipherSuiteInfo cipherInfo;
+ if (SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
+ sizeof cipherInfo) == SECSuccess) {
+ /* Set the SSL Status information */
+ RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
+ if (!status) {
+ status = new nsSSLStatus();
+ infoObject->SetSSLStatus(status);
+ }
+
+ status->mHaveCipherSuiteAndProtocol = true;
+ status->mCipherSuite = channelInfo.cipherSuite;
+ status->mProtocolVersion = channelInfo.protocolVersion & 0xFF;
+ infoObject->SetKEAUsed(channelInfo.keaType);
+ infoObject->SetKEAKeyBits(channelInfo.keaKeyBits);
+ infoObject->SetMACAlgorithmUsed(cipherInfo.macAlgorithm);
+ }
+ }
+
+ // Don't update NPN details on renegotiation.
+ if (infoObject->IsPreliminaryHandshakeDone()) {
+ return;
+ }
+
+ // Get the NPN value.
+ SSLNextProtoState state;
+ unsigned char npnbuf[256];
+ unsigned int npnlen;
+
+ if (SSL_GetNextProto(fd, &state, npnbuf, &npnlen,
+ AssertedCast<unsigned int>(ArrayLength(npnbuf)))
+ == SECSuccess) {
+ if (state == SSL_NEXT_PROTO_NEGOTIATED ||
+ state == SSL_NEXT_PROTO_SELECTED) {
+ infoObject->SetNegotiatedNPN(BitwiseCast<char*, unsigned char*>(npnbuf),
+ npnlen);
+ } else {
+ infoObject->SetNegotiatedNPN(nullptr, 0);
+ }
+ mozilla::Telemetry::Accumulate(Telemetry::SSL_NPN_TYPE, state);
+ } else {
+ infoObject->SetNegotiatedNPN(nullptr, 0);
+ }
+
+ infoObject->SetPreliminaryHandshakeDone();
+}
+
+SECStatus
+CanFalseStartCallback(PRFileDesc* fd, void* client_data, PRBool *canFalseStart)
+{
+ *canFalseStart = false;
+
+ nsNSSShutDownPreventionLock locker;
+
+ nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
+ if (!infoObject) {
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ return SECFailure;
+ }
+
+ infoObject->SetFalseStartCallbackCalled();
+
+ if (infoObject->isAlreadyShutDown()) {
+ MOZ_CRASH("SSL socket used after NSS shut down");
+ PR_SetError(PR_INVALID_STATE_ERROR, 0);
+ return SECFailure;
+ }
+
+ PreliminaryHandshakeDone(fd);
+
+ uint32_t reasonsForNotFalseStarting = 0;
+
+ SSLChannelInfo channelInfo;
+ if (SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)) != SECSuccess) {
+ return SECSuccess;
+ }
+
+ SSLCipherSuiteInfo cipherInfo;
+ if (SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
+ sizeof (cipherInfo)) != SECSuccess) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("CanFalseStartCallback [%p] failed - "
+ " KEA %d\n", fd,
+ static_cast<int32_t>(channelInfo.keaType)));
+ return SECSuccess;
+ }
+
+ nsSSLIOLayerHelpers& helpers = infoObject->SharedState().IOLayerHelpers();
+
+ // Prevent version downgrade attacks from TLS 1.2, and avoid False Start for
+ // TLS 1.3 and later. See Bug 861310 for all the details as to why.
+ if (channelInfo.protocolVersion != SSL_LIBRARY_VERSION_TLS_1_2) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("CanFalseStartCallback [%p] failed - "
+ "SSL Version must be TLS 1.2, was %x\n", fd,
+ static_cast<int32_t>(channelInfo.protocolVersion)));
+ reasonsForNotFalseStarting |= POSSIBLE_VERSION_DOWNGRADE;
+ }
+
+ // See bug 952863 for why ECDHE is allowed, but DHE (and RSA) are not.
+ if (channelInfo.keaType != ssl_kea_ecdh) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("CanFalseStartCallback [%p] failed - "
+ "unsupported KEA %d\n", fd,
+ static_cast<int32_t>(channelInfo.keaType)));
+ reasonsForNotFalseStarting |= KEA_NOT_SUPPORTED;
+ }
+
+ // Prevent downgrade attacks on the symmetric cipher. We do not allow CBC
+ // mode due to BEAST, POODLE, and other attacks on the MAC-then-Encrypt
+ // design. See bug 1109766 for more details.
+ if (cipherInfo.macAlgorithm != ssl_mac_aead) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("CanFalseStartCallback [%p] failed - non-AEAD cipher used, %d, "
+ "is not supported with False Start.\n", fd,
+ static_cast<int32_t>(cipherInfo.symCipher)));
+ reasonsForNotFalseStarting |= POSSIBLE_CIPHER_SUITE_DOWNGRADE;
+ }
+
+ // XXX: An attacker can choose which protocols are advertised in the
+ // NPN extension. TODO(Bug 861311): We should restrict the ability
+ // of an attacker leverage this capability by restricting false start
+ // to the same protocol we previously saw for the server, after the
+ // first successful connection to the server.
+
+ // Enforce NPN to do false start if policy requires it. Do this as an
+ // indicator if server compatibility.
+ if (helpers.mFalseStartRequireNPN) {
+ nsAutoCString negotiatedNPN;
+ if (NS_FAILED(infoObject->GetNegotiatedNPN(negotiatedNPN)) ||
+ !negotiatedNPN.Length()) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("CanFalseStartCallback [%p] failed - "
+ "NPN cannot be verified\n", fd));
+ reasonsForNotFalseStarting |= NPN_NOT_NEGOTIATED;
+ }
+ }
+
+ Telemetry::Accumulate(Telemetry::SSL_REASONS_FOR_NOT_FALSE_STARTING,
+ reasonsForNotFalseStarting);
+
+ if (reasonsForNotFalseStarting == 0) {
+ *canFalseStart = PR_TRUE;
+ infoObject->SetFalseStarted();
+ infoObject->NoteTimeUntilReady();
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("CanFalseStartCallback [%p] ok\n", fd));
+ }
+
+ return SECSuccess;
+}
+
+static void
+AccumulateNonECCKeySize(Telemetry::ID probe, uint32_t bits)
+{
+ unsigned int value = bits < 512 ? 1 : bits == 512 ? 2
+ : bits < 768 ? 3 : bits == 768 ? 4
+ : bits < 1024 ? 5 : bits == 1024 ? 6
+ : bits < 1280 ? 7 : bits == 1280 ? 8
+ : bits < 1536 ? 9 : bits == 1536 ? 10
+ : bits < 2048 ? 11 : bits == 2048 ? 12
+ : bits < 3072 ? 13 : bits == 3072 ? 14
+ : bits < 4096 ? 15 : bits == 4096 ? 16
+ : bits < 8192 ? 17 : bits == 8192 ? 18
+ : bits < 16384 ? 19 : bits == 16384 ? 20
+ : 0;
+ Telemetry::Accumulate(probe, value);
+}
+
+// XXX: This attempts to map a bit count to an ECC named curve identifier. In
+// the vast majority of situations, we only have the Suite B curves available.
+// In that case, this mapping works fine. If we were to have more curves
+// available, the mapping would be ambiguous since there could be multiple
+// named curves for a given size (e.g. secp256k1 vs. secp256r1). We punt on
+// that for now. See also NSS bug 323674.
+static void
+AccumulateECCCurve(Telemetry::ID probe, uint32_t bits)
+{
+ unsigned int value = bits == 256 ? 23 // P-256
+ : bits == 384 ? 24 // P-384
+ : bits == 521 ? 25 // P-521
+ : 0; // Unknown
+ Telemetry::Accumulate(probe, value);
+}
+
+static void
+AccumulateCipherSuite(Telemetry::ID probe, const SSLChannelInfo& channelInfo)
+{
+ uint32_t value;
+ switch (channelInfo.cipherSuite) {
+ // ECDHE key exchange
+ case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: value = 1; break;
+ case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: value = 2; break;
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: value = 3; break;
+ case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: value = 4; break;
+ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: value = 5; break;
+ case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: value = 6; break;
+ case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: value = 7; break;
+ case TLS_ECDHE_RSA_WITH_RC4_128_SHA: value = 8; break;
+ case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: value = 9; break;
+ case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: value = 10; break;
+ case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: value = 11; break;
+ case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: value = 12; break;
+ case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: value = 13; break;
+ case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: value = 14; break;
+ // DHE key exchange
+ case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: value = 21; break;
+ case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: value = 22; break;
+ case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: value = 23; break;
+ case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: value = 24; break;
+ case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: value = 25; break;
+ case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: value = 26; break;
+ case TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: value = 27; break;
+ case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: value = 28; break;
+ case TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: value = 29; break;
+ case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: value = 30; break;
+ // ECDH key exchange
+ case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: value = 41; break;
+ case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: value = 42; break;
+ case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: value = 43; break;
+ case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: value = 44; break;
+ case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: value = 45; break;
+ case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: value = 46; break;
+ case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: value = 47; break;
+ case TLS_ECDH_RSA_WITH_RC4_128_SHA: value = 48; break;
+ // RSA key exchange
+ case TLS_RSA_WITH_AES_128_CBC_SHA: value = 61; break;
+ case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: value = 62; break;
+ case TLS_RSA_WITH_AES_256_CBC_SHA: value = 63; break;
+ case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: value = 64; break;
+ case SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: value = 65; break;
+ case TLS_RSA_WITH_3DES_EDE_CBC_SHA: value = 66; break;
+ case TLS_RSA_WITH_SEED_CBC_SHA: value = 67; break;
+ case TLS_RSA_WITH_RC4_128_SHA: value = 68; break;
+ case TLS_RSA_WITH_RC4_128_MD5: value = 69; break;
+ // TLS 1.3 PSK resumption
+ case TLS_AES_128_GCM_SHA256: value = 70; break;
+ case TLS_CHACHA20_POLY1305_SHA256: value = 71; break;
+ case TLS_AES_256_GCM_SHA384: value = 72; break;
+ // unknown
+ default:
+ value = 0;
+ break;
+ }
+ MOZ_ASSERT(value != 0);
+ Telemetry::Accumulate(probe, value);
+}
+
+// In the case of session resumption, the AuthCertificate hook has been bypassed
+// (because we've previously successfully connected to our peer). That being the
+// case, we unfortunately don't know if the peer's server certificate verified
+// as extended validation or not. To address this, we attempt to build a
+// verified EV certificate chain here using as much of the original context as
+// possible (e.g. stapled OCSP responses, SCTs, the hostname, the first party
+// domain, etc.). Note that because we are on the socket thread, this must not
+// cause any network requests, hence the use of FLAG_LOCAL_ONLY.
+static void
+DetermineEVStatusAndSetNewCert(RefPtr<nsSSLStatus> sslStatus, PRFileDesc* fd,
+ nsNSSSocketInfo* infoObject)
+{
+ MOZ_ASSERT(sslStatus);
+ MOZ_ASSERT(fd);
+ MOZ_ASSERT(infoObject);
+
+ if (!sslStatus || !fd || !infoObject) {
+ return;
+ }
+
+ UniqueCERTCertificate cert(SSL_PeerCertificate(fd));
+ MOZ_ASSERT(cert, "SSL_PeerCertificate failed in TLS handshake callback?");
+ if (!cert) {
+ return;
+ }
+
+ RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
+ MOZ_ASSERT(certVerifier,
+ "Certificate verifier uninitialized in TLS handshake callback?");
+ if (!certVerifier) {
+ return;
+ }
+
+ // We don't own these pointers.
+ const SECItemArray* stapledOCSPResponses = SSL_PeerStapledOCSPResponses(fd);
+ const SECItem* stapledOCSPResponse = nullptr;
+ // we currently only support single stapled responses
+ if (stapledOCSPResponses && stapledOCSPResponses->len == 1) {
+ stapledOCSPResponse = &stapledOCSPResponses->items[0];
+ }
+ const SECItem* sctsFromTLSExtension = SSL_PeerSignedCertTimestamps(fd);
+ if (sctsFromTLSExtension && sctsFromTLSExtension->len == 0) {
+ // SSL_PeerSignedCertTimestamps returns null on error and empty item
+ // when no extension was returned by the server. We always use null when
+ // no extension was received (for whatever reason), ignoring errors.
+ sctsFromTLSExtension = nullptr;
+ }
+
+ int flags = mozilla::psm::CertVerifier::FLAG_LOCAL_ONLY |
+ mozilla::psm::CertVerifier::FLAG_MUST_BE_EV;
+ if (!infoObject->SharedState().IsOCSPStaplingEnabled() ||
+ !infoObject->SharedState().IsOCSPMustStapleEnabled()) {
+ flags |= CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
+ }
+
+ SECOidTag evOidPolicy;
+ UniqueCERTCertList unusedBuiltChain;
+ const bool saveIntermediates = false;
+ mozilla::pkix::Result rv = certVerifier->VerifySSLServerCert(
+ cert,
+ stapledOCSPResponse,
+ sctsFromTLSExtension,
+ mozilla::pkix::Now(),
+ infoObject,
+ infoObject->GetHostNameRaw(),
+ unusedBuiltChain,
+ saveIntermediates,
+ flags,
+ infoObject->GetOriginAttributes(),
+ &evOidPolicy);
+
+ RefPtr<nsNSSCertificate> nssc(nsNSSCertificate::Create(cert.get()));
+ if (rv == Success && evOidPolicy != SEC_OID_UNKNOWN) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("HandshakeCallback using NEW cert %p (is EV)", nssc.get()));
+ sslStatus->SetServerCert(nssc, EVStatus::EV);
+ } else {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("HandshakeCallback using NEW cert %p (is not EV)", nssc.get()));
+ sslStatus->SetServerCert(nssc, EVStatus::NotEV);
+ }
+}
+
+void HandshakeCallback(PRFileDesc* fd, void* client_data) {
+ nsNSSShutDownPreventionLock locker;
+ SECStatus rv;
+
+ nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
+
+ // Do the bookkeeping that needs to be done after the
+ // server's ServerHello...ServerHelloDone have been processed, but that doesn't
+ // need the handshake to be completed.
+ PreliminaryHandshakeDone(fd);
+
+ nsSSLIOLayerHelpers& ioLayerHelpers
+ = infoObject->SharedState().IOLayerHelpers();
+
+ SSLVersionRange versions(infoObject->GetTLSVersionRange());
+
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("[%p] HandshakeCallback: succeeded using TLS version range (0x%04x,0x%04x)\n",
+ fd, static_cast<unsigned int>(versions.min),
+ static_cast<unsigned int>(versions.max)));
+
+ // If the handshake completed, then we know the site is TLS tolerant
+ ioLayerHelpers.rememberTolerantAtVersion(infoObject->GetHostName(),
+ infoObject->GetPort(),
+ versions.max);
+
+ bool usesFallbackCipher = false;
+ SSLChannelInfo channelInfo;
+ rv = SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo));
+ MOZ_ASSERT(rv == SECSuccess);
+ if (rv == SECSuccess) {
+ // Get the protocol version for telemetry
+ // 1=tls1, 2=tls1.1, 3=tls1.2
+ unsigned int versionEnum = channelInfo.protocolVersion & 0xFF;
+ MOZ_ASSERT(versionEnum > 0);
+ Telemetry::Accumulate(Telemetry::SSL_HANDSHAKE_VERSION, versionEnum);
+ AccumulateCipherSuite(
+ infoObject->IsFullHandshake() ? Telemetry::SSL_CIPHER_SUITE_FULL
+ : Telemetry::SSL_CIPHER_SUITE_RESUMED,
+ channelInfo);
+
+ SSLCipherSuiteInfo cipherInfo;
+ rv = SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
+ sizeof cipherInfo);
+ MOZ_ASSERT(rv == SECSuccess);
+ if (rv == SECSuccess) {
+ usesFallbackCipher = channelInfo.keaType == ssl_kea_dh;
+
+ // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4
+ Telemetry::Accumulate(
+ infoObject->IsFullHandshake()
+ ? Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_FULL
+ : Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_RESUMED,
+ channelInfo.keaType);
+
+ MOZ_ASSERT(infoObject->GetKEAUsed() == channelInfo.keaType);
+
+ if (infoObject->IsFullHandshake()) {
+ switch (channelInfo.keaType) {
+ case ssl_kea_rsa:
+ AccumulateNonECCKeySize(Telemetry::SSL_KEA_RSA_KEY_SIZE_FULL,
+ channelInfo.keaKeyBits);
+ break;
+ case ssl_kea_dh:
+ AccumulateNonECCKeySize(Telemetry::SSL_KEA_DHE_KEY_SIZE_FULL,
+ channelInfo.keaKeyBits);
+ break;
+ case ssl_kea_ecdh:
+ AccumulateECCCurve(Telemetry::SSL_KEA_ECDHE_CURVE_FULL,
+ channelInfo.keaKeyBits);
+ break;
+ default:
+ MOZ_CRASH("impossible KEA");
+ break;
+ }
+
+ Telemetry::Accumulate(Telemetry::SSL_AUTH_ALGORITHM_FULL,
+ channelInfo.authType);
+
+ // RSA key exchange doesn't use a signature for auth.
+ if (channelInfo.keaType != ssl_kea_rsa) {
+ switch (channelInfo.authType) {
+ case ssl_auth_rsa:
+ case ssl_auth_rsa_sign:
+ AccumulateNonECCKeySize(Telemetry::SSL_AUTH_RSA_KEY_SIZE_FULL,
+ channelInfo.authKeyBits);
+ break;
+ case ssl_auth_ecdsa:
+ AccumulateECCCurve(Telemetry::SSL_AUTH_ECDSA_CURVE_FULL,
+ channelInfo.authKeyBits);
+ break;
+ default:
+ MOZ_CRASH("impossible auth algorithm");
+ break;
+ }
+ }
+ }
+
+ Telemetry::Accumulate(
+ infoObject->IsFullHandshake()
+ ? Telemetry::SSL_SYMMETRIC_CIPHER_FULL
+ : Telemetry::SSL_SYMMETRIC_CIPHER_RESUMED,
+ cipherInfo.symCipher);
+ }
+ }
+
+ PRBool siteSupportsSafeRenego;
+ if (channelInfo.protocolVersion != SSL_LIBRARY_VERSION_TLS_1_3) {
+ rv = SSL_HandshakeNegotiatedExtension(fd, ssl_renegotiation_info_xtn,
+ &siteSupportsSafeRenego);
+ MOZ_ASSERT(rv == SECSuccess);
+ if (rv != SECSuccess) {
+ siteSupportsSafeRenego = false;
+ }
+ } else {
+ // TLS 1.3 dropped support for renegotiation.
+ siteSupportsSafeRenego = true;
+ }
+ bool renegotiationUnsafe = !siteSupportsSafeRenego &&
+ ioLayerHelpers.treatUnsafeNegotiationAsBroken();
+
+
+ /* Set the SSL Status information */
+ RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
+ if (!status) {
+ status = new nsSSLStatus();
+ infoObject->SetSSLStatus(status);
+ }
+
+ RememberCertErrorsTable::GetInstance().LookupCertErrorBits(infoObject,
+ status);
+
+ uint32_t state;
+ if (renegotiationUnsafe) {
+ state = nsIWebProgressListener::STATE_IS_BROKEN;
+ } else {
+ state = nsIWebProgressListener::STATE_IS_SECURE |
+ nsIWebProgressListener::STATE_SECURE_HIGH;
+ if (!usesFallbackCipher) {
+ SSLVersionRange defVersion;
+ rv = SSL_VersionRangeGetDefault(ssl_variant_stream, &defVersion);
+ if (rv == SECSuccess && versions.max >= defVersion.max) {
+ // we know this site no longer requires a fallback cipher
+ ioLayerHelpers.removeInsecureFallbackSite(infoObject->GetHostName(),
+ infoObject->GetPort());
+ }
+ }
+ }
+
+ if (status->HasServerCert()) {
+ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+ ("HandshakeCallback KEEPING existing cert\n"));
+ } else {
+ DetermineEVStatusAndSetNewCert(status, fd, infoObject);
+ }
+
+ bool domainMismatch;
+ bool untrusted;
+ bool notValidAtThisTime;
+ // These all return NS_OK, so don't even bother checking the return values.
+ Unused << status->GetIsDomainMismatch(&domainMismatch);
+ Unused << status->GetIsUntrusted(&untrusted);
+ Unused << status->GetIsNotValidAtThisTime(&notValidAtThisTime);
+ // If we're here, the TLS handshake has succeeded. Thus if any of these
+ // booleans are true, the user has added an override for a certificate error.
+ if (domainMismatch || untrusted || notValidAtThisTime) {
+ state |= nsIWebProgressListener::STATE_CERT_USER_OVERRIDDEN;
+ }
+
+ infoObject->SetSecurityState(state);
+
+ // XXX Bug 883674: We shouldn't be formatting messages here in PSM; instead,
+ // we should set a flag on the channel that higher (UI) level code can check
+ // to log the warning. In particular, these warnings should go to the web
+ // console instead of to the error console. Also, the warning is not
+ // localized.
+ if (!siteSupportsSafeRenego) {
+ nsXPIDLCString hostName;
+ infoObject->GetHostName(getter_Copies(hostName));
+
+ nsAutoString msg;
+ msg.Append(NS_ConvertASCIItoUTF16(hostName));
+ msg.AppendLiteral(" : server does not support RFC 5746, see CVE-2009-3555");
+
+ nsContentUtils::LogSimpleConsoleError(msg, "SSL");
+ }
+
+ infoObject->NoteTimeUntilReady();
+ infoObject->SetHandshakeCompleted();
+}