/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ /* * vtables (and methods that call through them) for the 4 types of * SSLSockets supported. Only one type is still supported. * Various other functions. * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "seccomon.h" #include "cert.h" #include "keyhi.h" #include "ssl.h" #include "sslexp.h" #include "sslimpl.h" #include "sslproto.h" #include "nspr.h" #include "private/pprio.h" #include "nss.h" #include "pk11pqg.h" #include "pk11pub.h" #include "tls13esni.h" static const sslSocketOps ssl_default_ops = { /* No SSL. */ ssl_DefConnect, NULL, ssl_DefBind, ssl_DefListen, ssl_DefShutdown, ssl_DefClose, ssl_DefRecv, ssl_DefSend, ssl_DefRead, ssl_DefWrite, ssl_DefGetpeername, ssl_DefGetsockname }; static const sslSocketOps ssl_secure_ops = { /* SSL. */ ssl_SecureConnect, NULL, ssl_DefBind, ssl_DefListen, ssl_SecureShutdown, ssl_SecureClose, ssl_SecureRecv, ssl_SecureSend, ssl_SecureRead, ssl_SecureWrite, ssl_DefGetpeername, ssl_DefGetsockname }; /* ** default settings for socket enables */ static sslOptions ssl_defaults = { .nextProtoNego = { siBuffer, NULL, 0 }, .maxEarlyDataSize = 1 << 16, .recordSizeLimit = MAX_FRAGMENT_LENGTH + 1, .useSecurity = PR_TRUE, .useSocks = PR_FALSE, .requestCertificate = PR_FALSE, .requireCertificate = SSL_REQUIRE_FIRST_HANDSHAKE, .handshakeAsClient = PR_FALSE, .handshakeAsServer = PR_FALSE, .noCache = PR_FALSE, .fdx = PR_FALSE, .detectRollBack = PR_TRUE, .noLocks = PR_FALSE, .enableSessionTickets = PR_FALSE, .enableDeflate = PR_FALSE, .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN, .requireSafeNegotiation = PR_FALSE, .enableFalseStart = PR_FALSE, .cbcRandomIV = PR_TRUE, .enableOCSPStapling = PR_FALSE, .enableALPN = PR_TRUE, .reuseServerECDHEKey = PR_TRUE, .enableFallbackSCSV = PR_FALSE, .enableServerDhe = PR_TRUE, .enableExtendedMS = PR_FALSE, .enableSignedCertTimestamps = PR_FALSE, .requireDHENamedGroups = PR_FALSE, .enable0RttData = PR_FALSE, .enableTls13CompatMode = PR_FALSE, .enableDtlsShortHeader = PR_FALSE, .enableHelloDowngradeCheck = PR_FALSE, .enableV2CompatibleHello = PR_FALSE }; /* * default range of enabled SSL/TLS protocols */ static SSLVersionRange versions_defaults_stream = { SSL_LIBRARY_VERSION_TLS_1_0, SSL_LIBRARY_VERSION_TLS_1_2 }; static SSLVersionRange versions_defaults_datagram = { SSL_LIBRARY_VERSION_TLS_1_1, SSL_LIBRARY_VERSION_TLS_1_2 }; #define VERSIONS_DEFAULTS(variant) \ (variant == ssl_variant_stream ? &versions_defaults_stream : &versions_defaults_datagram) #define VERSIONS_POLICY_MIN(variant) \ (variant == ssl_variant_stream ? NSS_TLS_VERSION_MIN_POLICY : NSS_DTLS_VERSION_MIN_POLICY) #define VERSIONS_POLICY_MAX(variant) \ (variant == ssl_variant_stream ? NSS_TLS_VERSION_MAX_POLICY : NSS_DTLS_VERSION_MAX_POLICY) sslSessionIDLookupFunc ssl_sid_lookup; static PRDescIdentity ssl_layer_id; PRBool locksEverDisabled; /* implicitly PR_FALSE */ PRBool ssl_force_locks; /* implicitly PR_FALSE */ int ssl_lock_readers = 1; /* default true. */ char ssl_debug; char ssl_trace; FILE *ssl_trace_iob; #ifdef NSS_ALLOW_SSLKEYLOGFILE FILE *ssl_keylog_iob; PZLock *ssl_keylog_lock; #endif char lockStatus[] = "Locks are ENABLED. "; #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ /* SRTP_NULL_HMAC_SHA1_80 and SRTP_NULL_HMAC_SHA1_32 are not implemented. */ static const PRUint16 srtpCiphers[] = { SRTP_AES128_CM_HMAC_SHA1_80, SRTP_AES128_CM_HMAC_SHA1_32, 0 }; /* This list is in preference order. Note that while some smaller groups appear * early in the list, smaller groups are generally ignored when iterating * through this list. ffdhe_custom must not appear in this list. */ #define ECGROUP(name, size, oid, assumeSupported) \ { \ ssl_grp_ec_##name, size, ssl_kea_ecdh, \ SEC_OID_SECG_EC_##oid, assumeSupported \ } #define FFGROUP(size) \ { \ ssl_grp_ffdhe_##size, size, ssl_kea_dh, \ SEC_OID_TLS_FFDHE_##size, PR_TRUE \ } const sslNamedGroupDef ssl_named_groups[] = { /* Note that 256 for 25519 is a lie, but we only use it for checking bit * security and expect 256 bits there (not 255). */ { ssl_grp_ec_curve25519, 256, ssl_kea_ecdh, SEC_OID_CURVE25519, PR_TRUE }, ECGROUP(secp256r1, 256, SECP256R1, PR_TRUE), ECGROUP(secp384r1, 384, SECP384R1, PR_TRUE), ECGROUP(secp521r1, 521, SECP521R1, PR_TRUE), FFGROUP(2048), FFGROUP(3072), FFGROUP(4096), FFGROUP(6144), FFGROUP(8192), ECGROUP(secp192r1, 192, SECP192R1, PR_FALSE), ECGROUP(secp160r2, 160, SECP160R2, PR_FALSE), ECGROUP(secp160k1, 160, SECP160K1, PR_FALSE), ECGROUP(secp160r1, 160, SECP160R1, PR_FALSE), ECGROUP(sect163k1, 163, SECT163K1, PR_FALSE), ECGROUP(sect163r1, 163, SECT163R1, PR_FALSE), ECGROUP(sect163r2, 163, SECT163R2, PR_FALSE), ECGROUP(secp192k1, 192, SECP192K1, PR_FALSE), ECGROUP(sect193r1, 193, SECT193R1, PR_FALSE), ECGROUP(sect193r2, 193, SECT193R2, PR_FALSE), ECGROUP(secp224r1, 224, SECP224R1, PR_FALSE), ECGROUP(secp224k1, 224, SECP224K1, PR_FALSE), ECGROUP(sect233k1, 233, SECT233K1, PR_FALSE), ECGROUP(sect233r1, 233, SECT233R1, PR_FALSE), ECGROUP(sect239k1, 239, SECT239K1, PR_FALSE), ECGROUP(secp256k1, 256, SECP256K1, PR_FALSE), ECGROUP(sect283k1, 283, SECT283K1, PR_FALSE), ECGROUP(sect283r1, 283, SECT283R1, PR_FALSE), ECGROUP(sect409k1, 409, SECT409K1, PR_FALSE), ECGROUP(sect409r1, 409, SECT409R1, PR_FALSE), ECGROUP(sect571k1, 571, SECT571K1, PR_FALSE), ECGROUP(sect571r1, 571, SECT571R1, PR_FALSE), }; PR_STATIC_ASSERT(SSL_NAMED_GROUP_COUNT == PR_ARRAY_SIZE(ssl_named_groups)); #undef ECGROUP #undef FFGROUP /* forward declarations. */ static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant); static SECStatus ssl_MakeLocks(sslSocket *ss); static void ssl_SetDefaultsFromEnvironment(void); static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id); /************************************************************************/ /* ** Lookup a socket structure from a file descriptor. ** Only functions called through the PRIOMethods table should use this. ** Other app-callable functions should use ssl_FindSocket. */ static sslSocket * ssl_GetPrivate(PRFileDesc *fd) { sslSocket *ss; PORT_Assert(fd != NULL); PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED); PORT_Assert(fd->identity == ssl_layer_id); if (fd->methods->file_type != PR_DESC_LAYERED || fd->identity != ssl_layer_id) { PORT_SetError(PR_BAD_DESCRIPTOR_ERROR); return NULL; } ss = (sslSocket *)fd->secret; /* Set ss->fd lazily. We can't rely on the value of ss->fd set by * ssl_PushIOLayer because another PR_PushIOLayer call will switch the * contents of the PRFileDesc pointed by ss->fd and the new layer. * See bug 807250. */ ss->fd = fd; return ss; } /* This function tries to find the SSL layer in the stack. * It searches for the first SSL layer at or below the argument fd, * and failing that, it searches for the nearest SSL layer above the * argument fd. It returns the private sslSocket from the found layer. */ sslSocket * ssl_FindSocket(PRFileDesc *fd) { PRFileDesc *layer; sslSocket *ss; PORT_Assert(fd != NULL); PORT_Assert(ssl_layer_id != 0); layer = PR_GetIdentitiesLayer(fd, ssl_layer_id); if (layer == NULL) { PORT_SetError(PR_BAD_DESCRIPTOR_ERROR); return NULL; } ss = (sslSocket *)layer->secret; /* Set ss->fd lazily. We can't rely on the value of ss->fd set by * ssl_PushIOLayer because another PR_PushIOLayer call will switch the * contents of the PRFileDesc pointed by ss->fd and the new layer. * See bug 807250. */ ss->fd = layer; return ss; } static sslSocket * ssl_DupSocket(sslSocket *os) { sslSocket *ss; SECStatus rv; ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant); if (!ss) { return NULL; } ss->opt = os->opt; ss->opt.useSocks = PR_FALSE; rv = SECITEM_CopyItem(NULL, &ss->opt.nextProtoNego, &os->opt.nextProtoNego); if (rv != SECSuccess) { goto loser; } ss->vrange = os->vrange; ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); ss->url = !os->url ? NULL : PORT_Strdup(os->url); ss->ops = os->ops; ss->rTimeout = os->rTimeout; ss->wTimeout = os->wTimeout; ss->cTimeout = os->cTimeout; ss->dbHandle = os->dbHandle; /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites); PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount); ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount; PORT_Memcpy(ss->ssl3.signatureSchemes, os->ssl3.signatureSchemes, sizeof(ss->ssl3.signatureSchemes[0]) * os->ssl3.signatureSchemeCount); ss->ssl3.signatureSchemeCount = os->ssl3.signatureSchemeCount; ss->ssl3.downgradeCheckVersion = os->ssl3.downgradeCheckVersion; ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled; if (ss->opt.useSecurity) { PRCList *cursor; for (cursor = PR_NEXT_LINK(&os->serverCerts); cursor != &os->serverCerts; cursor = PR_NEXT_LINK(cursor)) { sslServerCert *sc = ssl_CopyServerCert((sslServerCert *)cursor); if (!sc) goto loser; PR_APPEND_LINK(&sc->link, &ss->serverCerts); } for (cursor = PR_NEXT_LINK(&os->ephemeralKeyPairs); cursor != &os->ephemeralKeyPairs; cursor = PR_NEXT_LINK(cursor)) { sslEphemeralKeyPair *okp = (sslEphemeralKeyPair *)cursor; sslEphemeralKeyPair *skp = ssl_CopyEphemeralKeyPair(okp); if (!skp) goto loser; PR_APPEND_LINK(&skp->link, &ss->ephemeralKeyPairs); } for (cursor = PR_NEXT_LINK(&os->extensionHooks); cursor != &os->extensionHooks; cursor = PR_NEXT_LINK(cursor)) { sslCustomExtensionHooks *oh = (sslCustomExtensionHooks *)cursor; sslCustomExtensionHooks *sh = PORT_ZNew(sslCustomExtensionHooks); if (!sh) { goto loser; } *sh = *oh; PR_APPEND_LINK(&sh->link, &ss->extensionHooks); } /* * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. * XXX We should detect this, and not just march on with NULL pointers. */ ss->authCertificate = os->authCertificate; ss->authCertificateArg = os->authCertificateArg; ss->getClientAuthData = os->getClientAuthData; ss->getClientAuthDataArg = os->getClientAuthDataArg; ss->sniSocketConfig = os->sniSocketConfig; ss->sniSocketConfigArg = os->sniSocketConfigArg; ss->alertReceivedCallback = os->alertReceivedCallback; ss->alertReceivedCallbackArg = os->alertReceivedCallbackArg; ss->alertSentCallback = os->alertSentCallback; ss->alertSentCallbackArg = os->alertSentCallbackArg; ss->handleBadCert = os->handleBadCert; ss->badCertArg = os->badCertArg; ss->handshakeCallback = os->handshakeCallback; ss->handshakeCallbackData = os->handshakeCallbackData; ss->canFalseStartCallback = os->canFalseStartCallback; ss->canFalseStartCallbackData = os->canFalseStartCallbackData; ss->pkcs11PinArg = os->pkcs11PinArg; ss->nextProtoCallback = os->nextProtoCallback; ss->nextProtoArg = os->nextProtoArg; PORT_Memcpy((void *)ss->namedGroupPreferences, os->namedGroupPreferences, sizeof(ss->namedGroupPreferences)); ss->additionalShares = os->additionalShares; ss->resumptionTokenCallback = os->resumptionTokenCallback; ss->resumptionTokenContext = os->resumptionTokenContext; if (os->esniKeys) { ss->esniKeys = tls13_CopyESNIKeys(os->esniKeys); if (!ss->esniKeys) { goto loser; } } /* Create security data */ rv = ssl_CopySecurityInfo(ss, os); if (rv != SECSuccess) { goto loser; } } return ss; loser: ssl_FreeSocket(ss); return NULL; } static void ssl_DestroyLocks(sslSocket *ss) { /* Destroy locks. */ if (ss->firstHandshakeLock) { PZ_DestroyMonitor(ss->firstHandshakeLock); ss->firstHandshakeLock = NULL; } if (ss->ssl3HandshakeLock) { PZ_DestroyMonitor(ss->ssl3HandshakeLock); ss->ssl3HandshakeLock = NULL; } if (ss->specLock) { NSSRWLock_Destroy(ss->specLock); ss->specLock = NULL; } if (ss->recvLock) { PZ_DestroyLock(ss->recvLock); ss->recvLock = NULL; } if (ss->sendLock) { PZ_DestroyLock(ss->sendLock); ss->sendLock = NULL; } if (ss->xmitBufLock) { PZ_DestroyMonitor(ss->xmitBufLock); ss->xmitBufLock = NULL; } if (ss->recvBufLock) { PZ_DestroyMonitor(ss->recvBufLock); ss->recvBufLock = NULL; } } /* Caller holds any relevant locks */ static void ssl_DestroySocketContents(sslSocket *ss) { PRCList *cursor; /* Free up socket */ ssl_DestroySecurityInfo(&ss->sec); ssl3_DestroySSL3Info(ss); PORT_Free(ss->saveBuf.buf); PORT_Free(ss->pendingBuf.buf); ssl3_DestroyGather(&ss->gs); if (ss->peerID != NULL) PORT_Free(ss->peerID); if (ss->url != NULL) PORT_Free((void *)ss->url); /* CONST */ /* Clean up server certificates and sundries. */ while (!PR_CLIST_IS_EMPTY(&ss->serverCerts)) { cursor = PR_LIST_TAIL(&ss->serverCerts); PR_REMOVE_LINK(cursor); ssl_FreeServerCert((sslServerCert *)cursor); } /* Remove extension handlers. */ ssl_ClearPRCList(&ss->extensionHooks, NULL); ssl_FreeEphemeralKeyPairs(ss); SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); ssl3_FreeSniNameArray(&ss->xtnData); ssl_ClearPRCList(&ss->ssl3.hs.dtlsSentHandshake, NULL); ssl_ClearPRCList(&ss->ssl3.hs.dtlsRcvdHandshake, NULL); tls13_DestroyESNIKeys(ss->esniKeys); } /* * free an sslSocket struct, and all the stuff that hangs off of it */ void ssl_FreeSocket(sslSocket *ss) { /* Get every lock you can imagine! ** Caller already holds these: ** SSL_LOCK_READER(ss); ** SSL_LOCK_WRITER(ss); */ ssl_Get1stHandshakeLock(ss); ssl_GetRecvBufLock(ss); ssl_GetSSL3HandshakeLock(ss); ssl_GetXmitBufLock(ss); ssl_GetSpecWriteLock(ss); ssl_DestroySocketContents(ss); /* Release all the locks acquired above. */ SSL_UNLOCK_READER(ss); SSL_UNLOCK_WRITER(ss); ssl_Release1stHandshakeLock(ss); ssl_ReleaseRecvBufLock(ss); ssl_ReleaseSSL3HandshakeLock(ss); ssl_ReleaseXmitBufLock(ss); ssl_ReleaseSpecWriteLock(ss); ssl_DestroyLocks(ss); #ifdef DEBUG PORT_Memset(ss, 0x1f, sizeof *ss); #endif PORT_Free(ss); return; } /************************************************************************/ SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled) { PRFileDesc *osfd = ss->fd->lower; SECStatus rv = SECFailure; PRSocketOptionData opt; opt.option = PR_SockOpt_NoDelay; opt.value.no_delay = (PRBool)!enabled; if (osfd->methods->setsocketoption) { rv = (SECStatus)osfd->methods->setsocketoption(osfd, &opt); } else { PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); } return rv; } static void ssl_ChooseOps(sslSocket *ss) { ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops; } /* Called from SSL_Enable (immediately below) */ static SECStatus PrepareSocket(sslSocket *ss) { SECStatus rv = SECSuccess; ssl_ChooseOps(ss); return rv; } SECStatus SSL_Enable(PRFileDesc *fd, int which, PRIntn on) { return SSL_OptionSet(fd, which, on); } static PRBool ssl_VersionIsSupportedByPolicy( SSLProtocolVariant protocolVariant, SSL3ProtocolVersion version); /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in * ssl.h in the section "SSL version range setting API". */ static void ssl_EnableTLS(SSLVersionRange *vrange, PRIntn enable) { if (enable) { /* don't turn it on if tls1.0 disallowed by by policy */ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_0)) { return; } } if (SSL_ALL_VERSIONS_DISABLED(vrange)) { if (enable) { vrange->min = SSL_LIBRARY_VERSION_TLS_1_0; vrange->max = SSL_LIBRARY_VERSION_TLS_1_0; } /* else don't change anything */ return; } if (enable) { /* Expand the range of enabled version to include TLS 1.0 */ vrange->min = PR_MIN(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); vrange->max = PR_MAX(vrange->max, SSL_LIBRARY_VERSION_TLS_1_0); } else { /* Disable all TLS versions, leaving only SSL 3.0 if it was enabled */ if (vrange->min == SSL_LIBRARY_VERSION_3_0) { vrange->max = SSL_LIBRARY_VERSION_3_0; } else { /* Only TLS was enabled, so now no versions are. */ vrange->min = SSL_LIBRARY_VERSION_NONE; vrange->max = SSL_LIBRARY_VERSION_NONE; } } } /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_SSL3, on) described in * ssl.h in the section "SSL version range setting API". */ static void ssl_EnableSSL3(SSLVersionRange *vrange, PRIntn enable) { if (enable) { /* don't turn it on if ssl3 disallowed by by policy */ if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, SSL_LIBRARY_VERSION_3_0)) { return; } } if (SSL_ALL_VERSIONS_DISABLED(vrange)) { if (enable) { vrange->min = SSL_LIBRARY_VERSION_3_0; vrange->max = SSL_LIBRARY_VERSION_3_0; } /* else don't change anything */ return; } if (enable) { /* Expand the range of enabled versions to include SSL 3.0. We know * SSL 3.0 or some version of TLS is already enabled at this point, so * we don't need to change vrange->max. */ vrange->min = SSL_LIBRARY_VERSION_3_0; } else { /* Disable SSL 3.0, leaving TLS unaffected. */ if (vrange->max > SSL_LIBRARY_VERSION_3_0) { vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); } else { /* Only SSL 3.0 was enabled, so now no versions are. */ vrange->min = SSL_LIBRARY_VERSION_NONE; vrange->max = SSL_LIBRARY_VERSION_NONE; } } } SECStatus SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val) { sslSocket *ss = ssl_FindSocket(fd); SECStatus rv = SECSuccess; PRBool holdingLocks; if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); return SECFailure; } holdingLocks = (!ss->opt.noLocks); ssl_Get1stHandshakeLock(ss); ssl_GetSSL3HandshakeLock(ss); switch (which) { case SSL_SOCKS: ss->opt.useSocks = PR_FALSE; rv = PrepareSocket(ss); if (val) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } break; case SSL_SECURITY: ss->opt.useSecurity = val; rv = PrepareSocket(ss); break; case SSL_REQUEST_CERTIFICATE: ss->opt.requestCertificate = val; break; case SSL_REQUIRE_CERTIFICATE: ss->opt.requireCertificate = val; break; case SSL_HANDSHAKE_AS_CLIENT: if (ss->opt.handshakeAsServer && val) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; break; } ss->opt.handshakeAsClient = val; break; case SSL_HANDSHAKE_AS_SERVER: if (ss->opt.handshakeAsClient && val) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; break; } ss->opt.handshakeAsServer = val; break; case SSL_ENABLE_TLS: if (IS_DTLS(ss)) { if (val) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; /* not allowed */ } break; } ssl_EnableTLS(&ss->vrange, val); break; case SSL_ENABLE_SSL3: if (IS_DTLS(ss)) { if (val) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; /* not allowed */ } break; } ssl_EnableSSL3(&ss->vrange, val); break; case SSL_ENABLE_SSL2: case SSL_V2_COMPATIBLE_HELLO: /* We no longer support SSL v2. * However, if an old application requests to disable SSL v2, * we shouldn't fail. */ if (val) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } break; case SSL_NO_CACHE: ss->opt.noCache = val; break; case SSL_ENABLE_FDX: if (val && ss->opt.noLocks) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } ss->opt.fdx = val; break; case SSL_ROLLBACK_DETECTION: ss->opt.detectRollBack = val; break; case SSL_NO_STEP_DOWN: break; case SSL_BYPASS_PKCS11: break; case SSL_NO_LOCKS: if (val && ss->opt.fdx) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } if (val && ssl_force_locks) val = PR_FALSE; /* silent override */ ss->opt.noLocks = val; if (val) { locksEverDisabled = PR_TRUE; strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); } else if (!holdingLocks) { rv = ssl_MakeLocks(ss); if (rv != SECSuccess) { ss->opt.noLocks = PR_TRUE; } } break; case SSL_ENABLE_SESSION_TICKETS: ss->opt.enableSessionTickets = val; break; case SSL_ENABLE_DEFLATE: ss->opt.enableDeflate = val; break; case SSL_ENABLE_RENEGOTIATION: if (IS_DTLS(ss) && val != SSL_RENEGOTIATE_NEVER) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; break; } ss->opt.enableRenegotiation = val; break; case SSL_REQUIRE_SAFE_NEGOTIATION: ss->opt.requireSafeNegotiation = val; break; case SSL_ENABLE_FALSE_START: ss->opt.enableFalseStart = val; break; case SSL_CBC_RANDOM_IV: ss->opt.cbcRandomIV = val; break; case SSL_ENABLE_OCSP_STAPLING: ss->opt.enableOCSPStapling = val; break; case SSL_ENABLE_NPN: break; case SSL_ENABLE_ALPN: ss->opt.enableALPN = val; break; case SSL_REUSE_SERVER_ECDHE_KEY: ss->opt.reuseServerECDHEKey = val; break; case SSL_ENABLE_FALLBACK_SCSV: ss->opt.enableFallbackSCSV = val; break; case SSL_ENABLE_SERVER_DHE: ss->opt.enableServerDhe = val; break; case SSL_ENABLE_EXTENDED_MASTER_SECRET: ss->opt.enableExtendedMS = val; break; case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: ss->opt.enableSignedCertTimestamps = val; break; case SSL_REQUIRE_DH_NAMED_GROUPS: ss->opt.requireDHENamedGroups = val; break; case SSL_ENABLE_0RTT_DATA: ss->opt.enable0RttData = val; break; case SSL_RECORD_SIZE_LIMIT: if (val < 64 || val > (MAX_FRAGMENT_LENGTH + 1)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } else { ss->opt.recordSizeLimit = val; } break; case SSL_ENABLE_TLS13_COMPAT_MODE: ss->opt.enableTls13CompatMode = val; break; case SSL_ENABLE_DTLS_SHORT_HEADER: ss->opt.enableDtlsShortHeader = val; break; case SSL_ENABLE_HELLO_DOWNGRADE_CHECK: ss->opt.enableHelloDowngradeCheck = val; break; case SSL_ENABLE_V2_COMPATIBLE_HELLO: ss->opt.enableV2CompatibleHello = val; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } /* We can't use the macros for releasing the locks here, * because ss->opt.noLocks might have changed just above. * We must release these locks (monitors) here, if we aquired them above, * regardless of the current value of ss->opt.noLocks. */ if (holdingLocks) { PZ_ExitMonitor((ss)->ssl3HandshakeLock); PZ_ExitMonitor((ss)->firstHandshakeLock); } return rv; } SECStatus SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal) { sslSocket *ss = ssl_FindSocket(fd); SECStatus rv = SECSuccess; PRIntn val = PR_FALSE; if (!pVal) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); *pVal = PR_FALSE; return SECFailure; } ssl_Get1stHandshakeLock(ss); ssl_GetSSL3HandshakeLock(ss); switch (which) { case SSL_SOCKS: val = PR_FALSE; break; case SSL_SECURITY: val = ss->opt.useSecurity; break; case SSL_REQUEST_CERTIFICATE: val = ss->opt.requestCertificate; break; case SSL_REQUIRE_CERTIFICATE: val = ss->opt.requireCertificate; break; case SSL_HANDSHAKE_AS_CLIENT: val = ss->opt.handshakeAsClient; break; case SSL_HANDSHAKE_AS_SERVER: val = ss->opt.handshakeAsServer; break; case SSL_ENABLE_TLS: val = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; break; case SSL_ENABLE_SSL3: val = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; break; case SSL_ENABLE_SSL2: case SSL_V2_COMPATIBLE_HELLO: val = PR_FALSE; break; case SSL_NO_CACHE: val = ss->opt.noCache; break; case SSL_ENABLE_FDX: val = ss->opt.fdx; break; case SSL_ROLLBACK_DETECTION: val = ss->opt.detectRollBack; break; case SSL_NO_STEP_DOWN: val = PR_FALSE; break; case SSL_BYPASS_PKCS11: val = PR_FALSE; break; case SSL_NO_LOCKS: val = ss->opt.noLocks; break; case SSL_ENABLE_SESSION_TICKETS: val = ss->opt.enableSessionTickets; break; case SSL_ENABLE_DEFLATE: val = ss->opt.enableDeflate; break; case SSL_ENABLE_RENEGOTIATION: val = ss->opt.enableRenegotiation; break; case SSL_REQUIRE_SAFE_NEGOTIATION: val = ss->opt.requireSafeNegotiation; break; case SSL_ENABLE_FALSE_START: val = ss->opt.enableFalseStart; break; case SSL_CBC_RANDOM_IV: val = ss->opt.cbcRandomIV; break; case SSL_ENABLE_OCSP_STAPLING: val = ss->opt.enableOCSPStapling; break; case SSL_ENABLE_NPN: val = PR_FALSE; break; case SSL_ENABLE_ALPN: val = ss->opt.enableALPN; break; case SSL_REUSE_SERVER_ECDHE_KEY: val = ss->opt.reuseServerECDHEKey; break; case SSL_ENABLE_FALLBACK_SCSV: val = ss->opt.enableFallbackSCSV; break; case SSL_ENABLE_SERVER_DHE: val = ss->opt.enableServerDhe; break; case SSL_ENABLE_EXTENDED_MASTER_SECRET: val = ss->opt.enableExtendedMS; break; case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: val = ss->opt.enableSignedCertTimestamps; break; case SSL_REQUIRE_DH_NAMED_GROUPS: val = ss->opt.requireDHENamedGroups; break; case SSL_ENABLE_0RTT_DATA: val = ss->opt.enable0RttData; break; case SSL_RECORD_SIZE_LIMIT: val = ss->opt.recordSizeLimit; break; case SSL_ENABLE_TLS13_COMPAT_MODE: val = ss->opt.enableTls13CompatMode; break; case SSL_ENABLE_DTLS_SHORT_HEADER: val = ss->opt.enableDtlsShortHeader; break; case SSL_ENABLE_HELLO_DOWNGRADE_CHECK: val = ss->opt.enableHelloDowngradeCheck; break; case SSL_ENABLE_V2_COMPATIBLE_HELLO: val = ss->opt.enableV2CompatibleHello; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); *pVal = val; return rv; } SECStatus SSL_OptionGetDefault(PRInt32 which, PRIntn *pVal) { SECStatus rv = SECSuccess; PRIntn val = PR_FALSE; if (!pVal) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ssl_SetDefaultsFromEnvironment(); switch (which) { case SSL_SOCKS: val = PR_FALSE; break; case SSL_SECURITY: val = ssl_defaults.useSecurity; break; case SSL_REQUEST_CERTIFICATE: val = ssl_defaults.requestCertificate; break; case SSL_REQUIRE_CERTIFICATE: val = ssl_defaults.requireCertificate; break; case SSL_HANDSHAKE_AS_CLIENT: val = ssl_defaults.handshakeAsClient; break; case SSL_HANDSHAKE_AS_SERVER: val = ssl_defaults.handshakeAsServer; break; case SSL_ENABLE_TLS: val = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; break; case SSL_ENABLE_SSL3: val = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; break; case SSL_ENABLE_SSL2: case SSL_V2_COMPATIBLE_HELLO: val = PR_FALSE; break; case SSL_NO_CACHE: val = ssl_defaults.noCache; break; case SSL_ENABLE_FDX: val = ssl_defaults.fdx; break; case SSL_ROLLBACK_DETECTION: val = ssl_defaults.detectRollBack; break; case SSL_NO_STEP_DOWN: val = PR_FALSE; break; case SSL_BYPASS_PKCS11: val = PR_FALSE; break; case SSL_NO_LOCKS: val = ssl_defaults.noLocks; break; case SSL_ENABLE_SESSION_TICKETS: val = ssl_defaults.enableSessionTickets; break; case SSL_ENABLE_DEFLATE: val = ssl_defaults.enableDeflate; break; case SSL_ENABLE_RENEGOTIATION: val = ssl_defaults.enableRenegotiation; break; case SSL_REQUIRE_SAFE_NEGOTIATION: val = ssl_defaults.requireSafeNegotiation; break; case SSL_ENABLE_FALSE_START: val = ssl_defaults.enableFalseStart; break; case SSL_CBC_RANDOM_IV: val = ssl_defaults.cbcRandomIV; break; case SSL_ENABLE_OCSP_STAPLING: val = ssl_defaults.enableOCSPStapling; break; case SSL_ENABLE_NPN: val = PR_FALSE; break; case SSL_ENABLE_ALPN: val = ssl_defaults.enableALPN; break; case SSL_REUSE_SERVER_ECDHE_KEY: val = ssl_defaults.reuseServerECDHEKey; break; case SSL_ENABLE_FALLBACK_SCSV: val = ssl_defaults.enableFallbackSCSV; break; case SSL_ENABLE_SERVER_DHE: val = ssl_defaults.enableServerDhe; break; case SSL_ENABLE_EXTENDED_MASTER_SECRET: val = ssl_defaults.enableExtendedMS; break; case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: val = ssl_defaults.enableSignedCertTimestamps; break; case SSL_ENABLE_0RTT_DATA: val = ssl_defaults.enable0RttData; break; case SSL_RECORD_SIZE_LIMIT: val = ssl_defaults.recordSizeLimit; break; case SSL_ENABLE_TLS13_COMPAT_MODE: val = ssl_defaults.enableTls13CompatMode; break; case SSL_ENABLE_DTLS_SHORT_HEADER: val = ssl_defaults.enableDtlsShortHeader; break; case SSL_ENABLE_HELLO_DOWNGRADE_CHECK: val = ssl_defaults.enableHelloDowngradeCheck; break; case SSL_ENABLE_V2_COMPATIBLE_HELLO: val = ssl_defaults.enableV2CompatibleHello; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; } *pVal = val; return rv; } /* XXX Use Global Lock to protect this stuff. */ SECStatus SSL_EnableDefault(int which, PRIntn val) { return SSL_OptionSetDefault(which, val); } SECStatus SSL_OptionSetDefault(PRInt32 which, PRIntn val) { SECStatus status = ssl_Init(); if (status != SECSuccess) { return status; } ssl_SetDefaultsFromEnvironment(); switch (which) { case SSL_SOCKS: ssl_defaults.useSocks = PR_FALSE; if (val) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } break; case SSL_SECURITY: ssl_defaults.useSecurity = val; break; case SSL_REQUEST_CERTIFICATE: ssl_defaults.requestCertificate = val; break; case SSL_REQUIRE_CERTIFICATE: ssl_defaults.requireCertificate = val; break; case SSL_HANDSHAKE_AS_CLIENT: if (ssl_defaults.handshakeAsServer && val) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ssl_defaults.handshakeAsClient = val; break; case SSL_HANDSHAKE_AS_SERVER: if (ssl_defaults.handshakeAsClient && val) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ssl_defaults.handshakeAsServer = val; break; case SSL_ENABLE_TLS: ssl_EnableTLS(&versions_defaults_stream, val); break; case SSL_ENABLE_SSL3: ssl_EnableSSL3(&versions_defaults_stream, val); break; case SSL_ENABLE_SSL2: case SSL_V2_COMPATIBLE_HELLO: /* We no longer support SSL v2. * However, if an old application requests to disable SSL v2, * we shouldn't fail. */ if (val) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } break; case SSL_NO_CACHE: ssl_defaults.noCache = val; break; case SSL_ENABLE_FDX: if (val && ssl_defaults.noLocks) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ssl_defaults.fdx = val; break; case SSL_ROLLBACK_DETECTION: ssl_defaults.detectRollBack = val; break; case SSL_NO_STEP_DOWN: break; case SSL_BYPASS_PKCS11: break; case SSL_NO_LOCKS: if (val && ssl_defaults.fdx) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (val && ssl_force_locks) val = PR_FALSE; /* silent override */ ssl_defaults.noLocks = val; if (val) { locksEverDisabled = PR_TRUE; strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); } break; case SSL_ENABLE_SESSION_TICKETS: ssl_defaults.enableSessionTickets = val; break; case SSL_ENABLE_DEFLATE: ssl_defaults.enableDeflate = val; break; case SSL_ENABLE_RENEGOTIATION: ssl_defaults.enableRenegotiation = val; break; case SSL_REQUIRE_SAFE_NEGOTIATION: ssl_defaults.requireSafeNegotiation = val; break; case SSL_ENABLE_FALSE_START: ssl_defaults.enableFalseStart = val; break; case SSL_CBC_RANDOM_IV: ssl_defaults.cbcRandomIV = val; break; case SSL_ENABLE_OCSP_STAPLING: ssl_defaults.enableOCSPStapling = val; break; case SSL_ENABLE_NPN: break; case SSL_ENABLE_ALPN: ssl_defaults.enableALPN = val; break; case SSL_REUSE_SERVER_ECDHE_KEY: ssl_defaults.reuseServerECDHEKey = val; break; case SSL_ENABLE_FALLBACK_SCSV: ssl_defaults.enableFallbackSCSV = val; break; case SSL_ENABLE_SERVER_DHE: ssl_defaults.enableServerDhe = val; break; case SSL_ENABLE_EXTENDED_MASTER_SECRET: ssl_defaults.enableExtendedMS = val; break; case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: ssl_defaults.enableSignedCertTimestamps = val; break; case SSL_ENABLE_0RTT_DATA: ssl_defaults.enable0RttData = val; break; case SSL_RECORD_SIZE_LIMIT: if (val < 64 || val > (MAX_FRAGMENT_LENGTH + 1)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ssl_defaults.recordSizeLimit = val; break; case SSL_ENABLE_TLS13_COMPAT_MODE: ssl_defaults.enableTls13CompatMode = val; break; case SSL_ENABLE_DTLS_SHORT_HEADER: ssl_defaults.enableDtlsShortHeader = val; break; case SSL_ENABLE_HELLO_DOWNGRADE_CHECK: ssl_defaults.enableHelloDowngradeCheck = val; break; case SSL_ENABLE_V2_COMPATIBLE_HELLO: ssl_defaults.enableV2CompatibleHello = val; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } return SECSuccess; } SECStatus SSLExp_SetMaxEarlyDataSize(PRFileDesc *fd, PRUint32 size) { sslSocket *ss = ssl_FindSocket(fd); if (!ss) { return SECFailure; /* Error code already set. */ } ss->opt.maxEarlyDataSize = size; return SECSuccess; } /* function tells us if the cipher suite is one that we no longer support. */ static PRBool ssl_IsRemovedCipherSuite(PRInt32 suite) { switch (suite) { case SSL_FORTEZZA_DMS_WITH_NULL_SHA: case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: return PR_TRUE; default: return PR_FALSE; } } /* Part of the public NSS API. * Since this is a global (not per-socket) setting, we cannot use the * HandshakeLock to protect this. Probably want a global lock. */ SECStatus SSL_SetPolicy(long which, int policy) { if (ssl_IsRemovedCipherSuite(which)) return SECSuccess; return SSL_CipherPolicySet(which, policy); } SECStatus ssl_CipherPolicySet(PRInt32 which, PRInt32 policy) { SECStatus rv = SECSuccess; if (ssl_IsRemovedCipherSuite(which)) { rv = SECSuccess; } else { rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); } return rv; } SECStatus SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) { SECStatus rv = ssl_Init(); if (rv != SECSuccess) { return rv; } return ssl_CipherPolicySet(which, policy); } SECStatus SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) { SECStatus rv; if (!oPolicy) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (ssl_IsRemovedCipherSuite(which)) { *oPolicy = SSL_NOT_ALLOWED; rv = SECSuccess; } else { rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy); } return rv; } /* Part of the public NSS API. * Since this is a global (not per-socket) setting, we cannot use the * HandshakeLock to protect this. Probably want a global lock. * These changes have no effect on any sslSockets already created. */ SECStatus SSL_EnableCipher(long which, PRBool enabled) { if (ssl_IsRemovedCipherSuite(which)) return SECSuccess; return SSL_CipherPrefSetDefault(which, enabled); } SECStatus ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled) { if (ssl_IsRemovedCipherSuite(which)) return SECSuccess; return ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled); } SECStatus SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) { SECStatus rv = ssl_Init(); if (rv != SECSuccess) { return rv; } return ssl_CipherPrefSetDefault(which, enabled); } SECStatus SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled) { SECStatus rv; if (!enabled) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (ssl_IsRemovedCipherSuite(which)) { *enabled = PR_FALSE; rv = SECSuccess; } else { rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled); } return rv; } SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled) { sslSocket *ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd)); return SECFailure; } if (ssl_IsRemovedCipherSuite(which)) return SECSuccess; return ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled); } SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) { SECStatus rv; sslSocket *ss = ssl_FindSocket(fd); if (!enabled) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd)); *enabled = PR_FALSE; return SECFailure; } if (ssl_IsRemovedCipherSuite(which)) { *enabled = PR_FALSE; rv = SECSuccess; } else { rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled); } return rv; } SECStatus NSS_SetDomesticPolicy(void) { SECStatus status = SECSuccess; const PRUint16 *cipher; SECStatus rv; PRUint32 policy; /* If we've already defined some policy oids, skip changing them */ rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy); if ((rv == SECSuccess) && (policy & NSS_USE_POLICY_IN_SSL)) { return ssl_Init(); /* make sure the policies have bee loaded */ } for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { status = SSL_SetPolicy(*cipher, SSL_ALLOWED); if (status != SECSuccess) break; } return status; } SECStatus NSS_SetExportPolicy(void) { return NSS_SetDomesticPolicy(); } SECStatus NSS_SetFrancePolicy(void) { return NSS_SetDomesticPolicy(); } SECStatus SSL_NamedGroupConfig(PRFileDesc *fd, const SSLNamedGroup *groups, unsigned int numGroups) { unsigned int i; unsigned int j = 0; sslSocket *ss = ssl_FindSocket(fd); if (!ss) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return SECFailure; } if (!groups) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (numGroups > SSL_NAMED_GROUP_COUNT) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } memset((void *)ss->namedGroupPreferences, 0, sizeof(ss->namedGroupPreferences)); for (i = 0; i < numGroups; ++i) { const sslNamedGroupDef *groupDef = ssl_LookupNamedGroup(groups[i]); if (!ssl_NamedGroupEnabled(ss, groupDef)) { ss->namedGroupPreferences[j++] = groupDef; } } return SECSuccess; } SECStatus SSL_DHEGroupPrefSet(PRFileDesc *fd, const SSLDHEGroupType *groups, PRUint16 num_groups) { sslSocket *ss; const SSLDHEGroupType *list; unsigned int count; int i, k, j; const sslNamedGroupDef *enabled[SSL_NAMED_GROUP_COUNT] = { 0 }; static const SSLDHEGroupType default_dhe_groups[] = { ssl_ff_dhe_2048_group }; if ((num_groups && !groups) || (!num_groups && groups) || num_groups > SSL_NAMED_GROUP_COUNT) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd)); return SECFailure; } if (groups) { list = groups; count = num_groups; } else { list = default_dhe_groups; count = PR_ARRAY_SIZE(default_dhe_groups); } /* save enabled ec groups and clear ss->namedGroupPreferences */ k = 0; for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { if (ss->namedGroupPreferences[i] && ss->namedGroupPreferences[i]->keaType != ssl_kea_dh) { enabled[k++] = ss->namedGroupPreferences[i]; } ss->namedGroupPreferences[i] = NULL; } ss->ssl3.dhePreferredGroup = NULL; for (i = 0; i < count; ++i) { PRBool duplicate = PR_FALSE; SSLNamedGroup name; const sslNamedGroupDef *groupDef; switch (list[i]) { case ssl_ff_dhe_2048_group: name = ssl_grp_ffdhe_2048; break; case ssl_ff_dhe_3072_group: name = ssl_grp_ffdhe_3072; break; case ssl_ff_dhe_4096_group: name = ssl_grp_ffdhe_4096; break; case ssl_ff_dhe_6144_group: name = ssl_grp_ffdhe_6144; break; case ssl_ff_dhe_8192_group: name = ssl_grp_ffdhe_8192; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } groupDef = ssl_LookupNamedGroup(name); PORT_Assert(groupDef); if (!ss->ssl3.dhePreferredGroup) { ss->ssl3.dhePreferredGroup = groupDef; } PORT_Assert(k < SSL_NAMED_GROUP_COUNT); for (j = 0; j < k; ++j) { /* skip duplicates */ if (enabled[j] == groupDef) { duplicate = PR_TRUE; break; } } if (!duplicate) { enabled[k++] = groupDef; } } for (i = 0; i < k; ++i) { ss->namedGroupPreferences[i] = enabled[i]; } return SECSuccess; } PRCallOnceType gWeakDHParamsRegisterOnce; int gWeakDHParamsRegisterError; PRCallOnceType gWeakDHParamsOnce; int gWeakDHParamsError; /* As our code allocates type PQGParams, we'll keep it around, * even though we only make use of it's parameters through gWeakDHParam. */ static PQGParams *gWeakParamsPQG; static ssl3DHParams *gWeakDHParams; #define WEAK_DHE_SIZE 1024 static PRStatus ssl3_CreateWeakDHParams(void) { PQGVerify *vfy; SECStatus rv, passed; PORT_Assert(!gWeakDHParams && !gWeakParamsPQG); rv = PK11_PQG_ParamGenV2(WEAK_DHE_SIZE, 160, 64 /*maximum seed that will work*/, &gWeakParamsPQG, &vfy); if (rv != SECSuccess) { gWeakDHParamsError = PORT_GetError(); return PR_FAILURE; } rv = PK11_PQG_VerifyParams(gWeakParamsPQG, vfy, &passed); if (rv != SECSuccess || passed != SECSuccess) { SSL_DBG(("%d: PK11_PQG_VerifyParams failed in ssl3_CreateWeakDHParams", SSL_GETPID())); gWeakDHParamsError = PORT_GetError(); return PR_FAILURE; } gWeakDHParams = PORT_ArenaNew(gWeakParamsPQG->arena, ssl3DHParams); if (!gWeakDHParams) { gWeakDHParamsError = PORT_GetError(); return PR_FAILURE; } gWeakDHParams->name = ssl_grp_ffdhe_custom; gWeakDHParams->prime.data = gWeakParamsPQG->prime.data; gWeakDHParams->prime.len = gWeakParamsPQG->prime.len; gWeakDHParams->base.data = gWeakParamsPQG->base.data; gWeakDHParams->base.len = gWeakParamsPQG->base.len; PK11_PQG_DestroyVerify(vfy); return PR_SUCCESS; } static SECStatus ssl3_WeakDHParamsShutdown(void *appData, void *nssData) { if (gWeakParamsPQG) { PK11_PQG_DestroyParams(gWeakParamsPQG); gWeakParamsPQG = NULL; gWeakDHParams = NULL; } return SECSuccess; } static PRStatus ssl3_WeakDHParamsRegisterShutdown(void) { SECStatus rv; rv = NSS_RegisterShutdown(ssl3_WeakDHParamsShutdown, NULL); if (rv != SECSuccess) { gWeakDHParamsRegisterError = PORT_GetError(); } return (PRStatus)rv; } /* global init strategy inspired by ssl3_CreateECDHEphemeralKeys */ SECStatus SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled) { sslSocket *ss; PRStatus status; if (enabled) { status = PR_CallOnce(&gWeakDHParamsRegisterOnce, ssl3_WeakDHParamsRegisterShutdown); if (status != PR_SUCCESS) { PORT_SetError(gWeakDHParamsRegisterError); return SECFailure; } status = PR_CallOnce(&gWeakDHParamsOnce, ssl3_CreateWeakDHParams); if (status != PR_SUCCESS) { PORT_SetError(gWeakDHParamsError); return SECFailure; } } if (!fd) return SECSuccess; ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd)); return SECFailure; } ss->ssl3.dheWeakGroupEnabled = enabled; return SECSuccess; } #include "dhe-param.c" const ssl3DHParams * ssl_GetDHEParams(const sslNamedGroupDef *groupDef) { switch (groupDef->name) { case ssl_grp_ffdhe_2048: return &ff_dhe_2048_params; case ssl_grp_ffdhe_3072: return &ff_dhe_3072_params; case ssl_grp_ffdhe_4096: return &ff_dhe_4096_params; case ssl_grp_ffdhe_6144: return &ff_dhe_6144_params; case ssl_grp_ffdhe_8192: return &ff_dhe_8192_params; case ssl_grp_ffdhe_custom: PORT_Assert(gWeakDHParams); return gWeakDHParams; default: PORT_Assert(0); } return NULL; } /* This validates dh_Ys against the group prime. */ PRBool ssl_IsValidDHEShare(const SECItem *dh_p, const SECItem *dh_Ys) { unsigned int size_p = SECKEY_BigIntegerBitLength(dh_p); unsigned int size_y = SECKEY_BigIntegerBitLength(dh_Ys); unsigned int commonPart; int cmp; if (dh_p->len == 0 || dh_Ys->len == 0) { return PR_FALSE; } /* Check that the prime is at least odd. */ if ((dh_p->data[dh_p->len - 1] & 0x01) == 0) { return PR_FALSE; } /* dh_Ys can't be 1, or bigger than dh_p. */ if (size_y <= 1 || size_y > size_p) { return PR_FALSE; } /* If dh_Ys is shorter, then it's definitely smaller than p-1. */ if (size_y < size_p) { return PR_TRUE; } /* Compare the common part of each, minus the final octet. */ commonPart = (size_p + 7) / 8; PORT_Assert(commonPart <= dh_Ys->len); PORT_Assert(commonPart <= dh_p->len); cmp = PORT_Memcmp(dh_Ys->data + dh_Ys->len - commonPart, dh_p->data + dh_p->len - commonPart, commonPart - 1); if (cmp < 0) { return PR_TRUE; } if (cmp > 0) { return PR_FALSE; } /* The last octet of the prime is the only thing that is different and that * has to be two greater than the share, otherwise we have Ys == p - 1, * and that means small subgroups. */ if (dh_Ys->data[dh_Ys->len - 1] >= (dh_p->data[dh_p->len - 1] - 1)) { return PR_FALSE; } return PR_TRUE; } /* Checks that the provided DH parameters match those in one of the named groups * that we have enabled. The groups are defined in dhe-param.c and are those * defined in Appendix A of draft-ietf-tls-negotiated-ff-dhe. * * |groupDef| and |dhParams| are optional outparams that identify the group and * its parameters respectively (if this is successful). */ SECStatus ssl_ValidateDHENamedGroup(sslSocket *ss, const SECItem *dh_p, const SECItem *dh_g, const sslNamedGroupDef **groupDef, const ssl3DHParams **dhParams) { unsigned int i; for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { const ssl3DHParams *params; if (!ss->namedGroupPreferences[i]) { continue; } if (ss->namedGroupPreferences[i]->keaType != ssl_kea_dh) { continue; } params = ssl_GetDHEParams(ss->namedGroupPreferences[i]); PORT_Assert(params); if (SECITEM_ItemsAreEqual(¶ms->prime, dh_p)) { if (!SECITEM_ItemsAreEqual(¶ms->base, dh_g)) { return SECFailure; } if (groupDef) *groupDef = ss->namedGroupPreferences[i]; if (dhParams) *dhParams = params; return SECSuccess; } } return SECFailure; } /* Ensure DH parameters have been selected. This just picks the first enabled * FFDHE group in ssl_named_groups, or the weak one if it was enabled. */ SECStatus ssl_SelectDHEGroup(sslSocket *ss, const sslNamedGroupDef **groupDef) { unsigned int i; static const sslNamedGroupDef weak_group_def = { ssl_grp_ffdhe_custom, WEAK_DHE_SIZE, ssl_kea_dh, SEC_OID_TLS_DHE_CUSTOM, PR_TRUE }; /* Only select weak groups in TLS 1.2 and earlier, but not if the client has * indicated that it supports an FFDHE named group. */ if (ss->ssl3.dheWeakGroupEnabled && ss->version < SSL_LIBRARY_VERSION_TLS_1_3 && !ss->xtnData.peerSupportsFfdheGroups) { *groupDef = &weak_group_def; return SECSuccess; } if (ss->ssl3.dhePreferredGroup && ssl_NamedGroupEnabled(ss, ss->ssl3.dhePreferredGroup)) { *groupDef = ss->ssl3.dhePreferredGroup; return SECSuccess; } for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { if (ss->namedGroupPreferences[i] && ss->namedGroupPreferences[i]->keaType == ssl_kea_dh) { *groupDef = ss->namedGroupPreferences[i]; return SECSuccess; } } *groupDef = NULL; PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); return SECFailure; } /* LOCKS ??? XXX */ static PRFileDesc * ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) { sslSocket *ns = NULL; PRStatus rv; PRNetAddr addr; SECStatus status = ssl_Init(); if (status != SECSuccess) { return NULL; } if (model == NULL) { /* Just create a default socket if we're given NULL for the model */ ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant); } else { sslSocket *ss = ssl_FindSocket(model); if (ss == NULL || ss->protocolVariant != variant) { SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", SSL_GETPID(), model)); return NULL; } ns = ssl_DupSocket(ss); } if (ns == NULL) return NULL; rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); if (rv != PR_SUCCESS) { ssl_FreeSocket(ns); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return NULL; } #if defined(DEBUG) || defined(FORCE_PR_ASSERT) { sslSocket *ss = ssl_FindSocket(fd); PORT_Assert(ss == ns); } #endif ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); return fd; } PRFileDesc * SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) { return ssl_ImportFD(model, fd, ssl_variant_stream); } PRFileDesc * DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd) { return ssl_ImportFD(model, fd, ssl_variant_datagram); } /* SSL_SetNextProtoCallback is used to select an application protocol * for ALPN. */ SECStatus SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback, void *arg) { sslSocket *ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETPID(), fd)); return SECFailure; } ssl_GetSSL3HandshakeLock(ss); ss->nextProtoCallback = callback; ss->nextProtoArg = arg; ssl_ReleaseSSL3HandshakeLock(ss); return SECSuccess; } /* ssl_NextProtoNegoCallback is set as an ALPN callback when * SSL_SetNextProtoNego is used. */ static SECStatus ssl_NextProtoNegoCallback(void *arg, PRFileDesc *fd, const unsigned char *protos, unsigned int protos_len, unsigned char *protoOut, unsigned int *protoOutLen, unsigned int protoMaxLen) { unsigned int i, j; sslSocket *ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in ssl_NextProtoNegoCallback", SSL_GETPID(), fd)); return SECFailure; } PORT_Assert(protoMaxLen <= 255); if (protoMaxLen > 255) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); return SECFailure; } /* For each protocol in client preference, see if we support it. */ for (j = 0; j < ss->opt.nextProtoNego.len;) { for (i = 0; i < protos_len;) { if (protos[i] == ss->opt.nextProtoNego.data[j] && PORT_Memcmp(&protos[i + 1], &ss->opt.nextProtoNego.data[j + 1], protos[i]) == 0) { /* We found a match. */ const unsigned char *result = &protos[i]; memcpy(protoOut, result + 1, result[0]); *protoOutLen = result[0]; return SECSuccess; } i += 1 + (unsigned int)protos[i]; } j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j]; } return SECSuccess; } SECStatus SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, unsigned int length) { sslSocket *ss; ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", SSL_GETPID(), fd)); return SECFailure; } if (ssl3_ValidateAppProtocol(data, length) != SECSuccess) { return SECFailure; } /* NPN required that the client's fallback protocol is first in the * list. However, ALPN sends protocols in preference order. So move the * first protocol to the end of the list. */ ssl_GetSSL3HandshakeLock(ss); SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); SECITEM_AllocItem(NULL, &ss->opt.nextProtoNego, length); size_t firstLen = data[0] + 1; /* firstLen <= length is ensured by ssl3_ValidateAppProtocol. */ PORT_Memcpy(ss->opt.nextProtoNego.data + (length - firstLen), data, firstLen); PORT_Memcpy(ss->opt.nextProtoNego.data, data + firstLen, length - firstLen); ssl_ReleaseSSL3HandshakeLock(ss); return SSL_SetNextProtoCallback(fd, ssl_NextProtoNegoCallback, NULL); } SECStatus SSL_GetNextProto(PRFileDesc *fd, SSLNextProtoState *state, unsigned char *buf, unsigned int *bufLen, unsigned int bufLenMax) { sslSocket *ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetNextProto", SSL_GETPID(), fd)); return SECFailure; } if (!state || !buf || !bufLen) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } *state = ss->xtnData.nextProtoState; if (ss->xtnData.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT && ss->xtnData.nextProto.data) { if (ss->xtnData.nextProto.len > bufLenMax) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); return SECFailure; } PORT_Memcpy(buf, ss->xtnData.nextProto.data, ss->xtnData.nextProto.len); *bufLen = ss->xtnData.nextProto.len; } else { *bufLen = 0; } return SECSuccess; } SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int numCiphers) { sslSocket *ss; unsigned int i; ss = ssl_FindSocket(fd); if (!ss || !IS_DTLS(ss)) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSRTPCiphers", SSL_GETPID(), fd)); PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (numCiphers > MAX_DTLS_SRTP_CIPHER_SUITES) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ss->ssl3.dtlsSRTPCipherCount = 0; for (i = 0; i < numCiphers; i++) { const PRUint16 *srtpCipher = srtpCiphers; while (*srtpCipher) { if (ciphers[i] == *srtpCipher) break; srtpCipher++; } if (*srtpCipher) { ss->ssl3.dtlsSRTPCiphers[ss->ssl3.dtlsSRTPCipherCount++] = ciphers[i]; } else { SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher " "suite specified: 0x%04hx", SSL_GETPID(), fd, ciphers[i])); } } if (ss->ssl3.dtlsSRTPCipherCount == 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } return SECSuccess; } SECStatus SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher) { sslSocket *ss; ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetSRTPCipher", SSL_GETPID(), fd)); PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (!ss->xtnData.dtlsSRTPCipherSuite) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } *cipher = ss->xtnData.dtlsSRTPCipherSuite; return SECSuccess; } PRFileDesc * SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) { sslSocket *sm = NULL, *ss = NULL; PRCList *cursor; if (model == NULL) { PR_SetError(SEC_ERROR_INVALID_ARGS, 0); return NULL; } sm = ssl_FindSocket(model); if (sm == NULL) { SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ReconfigFD", SSL_GETPID(), model)); return NULL; } ss = ssl_FindSocket(fd); PORT_Assert(ss); if (ss == NULL) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } ss->opt = sm->opt; ss->vrange = sm->vrange; PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites); PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers, sizeof(PRUint16) * sm->ssl3.dtlsSRTPCipherCount); ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount; PORT_Memcpy(ss->ssl3.signatureSchemes, sm->ssl3.signatureSchemes, sizeof(ss->ssl3.signatureSchemes[0]) * sm->ssl3.signatureSchemeCount); ss->ssl3.signatureSchemeCount = sm->ssl3.signatureSchemeCount; ss->ssl3.downgradeCheckVersion = sm->ssl3.downgradeCheckVersion; if (!ss->opt.useSecurity) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } while (!PR_CLIST_IS_EMPTY(&ss->serverCerts)) { cursor = PR_LIST_TAIL(&ss->serverCerts); PR_REMOVE_LINK(cursor); ssl_FreeServerCert((sslServerCert *)cursor); } for (cursor = PR_NEXT_LINK(&sm->serverCerts); cursor != &sm->serverCerts; cursor = PR_NEXT_LINK(cursor)) { sslServerCert *sc = ssl_CopyServerCert((sslServerCert *)cursor); if (!sc) return NULL; PR_APPEND_LINK(&sc->link, &ss->serverCerts); } ssl_FreeEphemeralKeyPairs(ss); for (cursor = PR_NEXT_LINK(&sm->ephemeralKeyPairs); cursor != &sm->ephemeralKeyPairs; cursor = PR_NEXT_LINK(cursor)) { sslEphemeralKeyPair *mkp = (sslEphemeralKeyPair *)cursor; sslEphemeralKeyPair *skp = ssl_CopyEphemeralKeyPair(mkp); if (!skp) return NULL; PR_APPEND_LINK(&skp->link, &ss->ephemeralKeyPairs); } while (!PR_CLIST_IS_EMPTY(&ss->extensionHooks)) { cursor = PR_LIST_TAIL(&ss->extensionHooks); PR_REMOVE_LINK(cursor); PORT_Free(cursor); } for (cursor = PR_NEXT_LINK(&sm->extensionHooks); cursor != &sm->extensionHooks; cursor = PR_NEXT_LINK(cursor)) { SECStatus rv; sslCustomExtensionHooks *hook = (sslCustomExtensionHooks *)cursor; rv = SSL_InstallExtensionHooks(ss->fd, hook->type, hook->writer, hook->writerArg, hook->handler, hook->handlerArg); if (rv != SECSuccess) { return NULL; } } PORT_Memcpy((void *)ss->namedGroupPreferences, sm->namedGroupPreferences, sizeof(ss->namedGroupPreferences)); ss->additionalShares = sm->additionalShares; /* copy trust anchor names */ if (sm->ssl3.ca_list) { if (ss->ssl3.ca_list) { CERT_FreeDistNames(ss->ssl3.ca_list); } ss->ssl3.ca_list = CERT_DupDistNames(sm->ssl3.ca_list); if (!ss->ssl3.ca_list) { return NULL; } } if (sm->authCertificate) ss->authCertificate = sm->authCertificate; if (sm->authCertificateArg) ss->authCertificateArg = sm->authCertificateArg; if (sm->getClientAuthData) ss->getClientAuthData = sm->getClientAuthData; if (sm->getClientAuthDataArg) ss->getClientAuthDataArg = sm->getClientAuthDataArg; if (sm->sniSocketConfig) ss->sniSocketConfig = sm->sniSocketConfig; if (sm->sniSocketConfigArg) ss->sniSocketConfigArg = sm->sniSocketConfigArg; if (sm->alertReceivedCallback) { ss->alertReceivedCallback = sm->alertReceivedCallback; ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg; } if (sm->alertSentCallback) { ss->alertSentCallback = sm->alertSentCallback; ss->alertSentCallbackArg = sm->alertSentCallbackArg; } if (sm->handleBadCert) ss->handleBadCert = sm->handleBadCert; if (sm->badCertArg) ss->badCertArg = sm->badCertArg; if (sm->handshakeCallback) ss->handshakeCallback = sm->handshakeCallback; if (sm->handshakeCallbackData) ss->handshakeCallbackData = sm->handshakeCallbackData; if (sm->pkcs11PinArg) ss->pkcs11PinArg = sm->pkcs11PinArg; return fd; } SECStatus ssl3_GetEffectiveVersionPolicy(SSLProtocolVariant variant, SSLVersionRange *effectivePolicy) { SECStatus rv; PRUint32 policyFlag; PRInt32 minPolicy, maxPolicy; if (variant == ssl_variant_stream) { effectivePolicy->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM; effectivePolicy->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; } else { effectivePolicy->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM; effectivePolicy->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; } rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policyFlag); if ((rv != SECSuccess) || !(policyFlag & NSS_USE_POLICY_IN_SSL)) { /* Policy is not active, report library extents. */ return SECSuccess; } rv = NSS_OptionGet(VERSIONS_POLICY_MIN(variant), &minPolicy); if (rv != SECSuccess) { return SECFailure; } rv = NSS_OptionGet(VERSIONS_POLICY_MAX(variant), &maxPolicy); if (rv != SECSuccess) { return SECFailure; } if (minPolicy > effectivePolicy->max || maxPolicy < effectivePolicy->min || minPolicy > maxPolicy) { return SECFailure; } effectivePolicy->min = PR_MAX(effectivePolicy->min, minPolicy); effectivePolicy->max = PR_MIN(effectivePolicy->max, maxPolicy); return SECSuccess; } /* * Assumes that rangeParam values are within the supported boundaries, * but should contain all potentially allowed versions, even if they contain * conflicting versions. * Will return the overlap, or a NONE range if system policy is invalid. */ static SECStatus ssl3_CreateOverlapWithPolicy(SSLProtocolVariant protocolVariant, SSLVersionRange *input, SSLVersionRange *overlap) { SECStatus rv; SSLVersionRange effectivePolicyBoundary; SSLVersionRange vrange; PORT_Assert(input != NULL); rv = ssl3_GetEffectiveVersionPolicy(protocolVariant, &effectivePolicyBoundary); if (rv == SECFailure) { /* SECFailure means internal failure or invalid configuration. */ overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE; return SECFailure; } vrange.min = PR_MAX(input->min, effectivePolicyBoundary.min); vrange.max = PR_MIN(input->max, effectivePolicyBoundary.max); if (vrange.max < vrange.min) { /* there was no overlap, turn off range altogether */ overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE; return SECFailure; } *overlap = vrange; return SECSuccess; } static PRBool ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant, SSL3ProtocolVersion version) { SECStatus rv; SSLVersionRange effectivePolicyBoundary; rv = ssl3_GetEffectiveVersionPolicy(protocolVariant, &effectivePolicyBoundary); if (rv == SECFailure) { /* SECFailure means internal failure or invalid configuration. */ return PR_FALSE; } return version >= effectivePolicyBoundary.min && version <= effectivePolicyBoundary.max; } /* * This is called at SSL init time to constrain the existing range based * on user supplied policy. */ SECStatus ssl3_ConstrainRangeByPolicy(void) { /* We ignore failures in ssl3_CreateOverlapWithPolicy. Although an empty * overlap disables all connectivity, it's an allowed state. */ ssl3_CreateOverlapWithPolicy(ssl_variant_stream, VERSIONS_DEFAULTS(ssl_variant_stream), VERSIONS_DEFAULTS(ssl_variant_stream)); ssl3_CreateOverlapWithPolicy(ssl_variant_datagram, VERSIONS_DEFAULTS(ssl_variant_datagram), VERSIONS_DEFAULTS(ssl_variant_datagram)); return SECSuccess; } PRBool ssl3_VersionIsSupportedByCode(SSLProtocolVariant protocolVariant, SSL3ProtocolVersion version) { switch (protocolVariant) { case ssl_variant_stream: return (version >= SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM && version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); case ssl_variant_datagram: return (version >= SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM && version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); } /* Can't get here */ PORT_Assert(PR_FALSE); return PR_FALSE; } PRBool ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, SSL3ProtocolVersion version) { if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) { return PR_FALSE; } return ssl3_VersionIsSupportedByCode(protocolVariant, version); } const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd) { sslSocket *ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", SSL_GETPID(), fd)); return NULL; } if (!ss->sec.ci.sid) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return NULL; } return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; } SECStatus SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, SSLVersionRange *vrange) { SECStatus rv; if (!vrange) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } switch (protocolVariant) { case ssl_variant_stream: vrange->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM; vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; /* We don't allow SSLv3 and TLSv1.3 together. * However, don't check yet, apply the policy first. * Because if the effective supported range doesn't use TLS 1.3, * then we don't need to increase the minimum. */ break; case ssl_variant_datagram: vrange->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM; vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } rv = ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange); if (rv != SECSuccess) { /* Library default and policy don't overlap. */ return rv; } /* We don't allow SSLv3 and TLSv1.3 together */ if (vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3) { vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); } return SECSuccess; } SECStatus SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, SSLVersionRange *vrange) { if ((protocolVariant != ssl_variant_stream && protocolVariant != ssl_variant_datagram) || !vrange) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } *vrange = *VERSIONS_DEFAULTS(protocolVariant); return ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange); } static PRBool ssl3_HasConflictingSSLVersions(const SSLVersionRange *vrange) { return (vrange->min <= SSL_LIBRARY_VERSION_3_0 && vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3); } static SECStatus ssl3_CheckRangeValidAndConstrainByPolicy(SSLProtocolVariant protocolVariant, SSLVersionRange *vrange) { SECStatus rv; if (vrange->min > vrange->max || !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->min) || !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->max) || ssl3_HasConflictingSSLVersions(vrange)) { PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); return SECFailure; } /* Try to adjust the received range using our policy. * If there's overlap, we'll use the (possibly reduced) range. * If there isn't overlap, it's failure. */ rv = ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange); if (rv != SECSuccess) { return rv; } /* We don't allow SSLv3 and TLSv1.3 together */ if (vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3) { vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); } return SECSuccess; } SECStatus SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, const SSLVersionRange *vrange) { SSLVersionRange constrainedRange; SECStatus rv; if (!vrange) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } constrainedRange = *vrange; rv = ssl3_CheckRangeValidAndConstrainByPolicy(protocolVariant, &constrainedRange); if (rv != SECSuccess) return rv; *VERSIONS_DEFAULTS(protocolVariant) = constrainedRange; return SECSuccess; } SECStatus SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) { sslSocket *ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeGet", SSL_GETPID(), fd)); return SECFailure; } if (!vrange) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ssl_Get1stHandshakeLock(ss); ssl_GetSSL3HandshakeLock(ss); *vrange = ss->vrange; ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); return ssl3_CreateOverlapWithPolicy(ss->protocolVariant, vrange, vrange); } SECStatus SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) { SSLVersionRange constrainedRange; sslSocket *ss; SECStatus rv; if (!vrange) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeSet", SSL_GETPID(), fd)); return SECFailure; } constrainedRange = *vrange; rv = ssl3_CheckRangeValidAndConstrainByPolicy(ss->protocolVariant, &constrainedRange); if (rv != SECSuccess) return rv; ssl_Get1stHandshakeLock(ss); ssl_GetSSL3HandshakeLock(ss); if (ss->ssl3.downgradeCheckVersion && ss->vrange.max > ss->ssl3.downgradeCheckVersion) { PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); return SECFailure; } ss->vrange = constrainedRange; ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); return SECSuccess; } SECStatus SSL_SetDowngradeCheckVersion(PRFileDesc *fd, PRUint16 version) { sslSocket *ss = ssl_FindSocket(fd); SECStatus rv = SECFailure; if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetDowngradeCheckVersion", SSL_GETPID(), fd)); return SECFailure; } if (version && !ssl3_VersionIsSupported(ss->protocolVariant, version)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } ssl_Get1stHandshakeLock(ss); ssl_GetSSL3HandshakeLock(ss); if (version && version < ss->vrange.max) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto loser; } ss->ssl3.downgradeCheckVersion = version; rv = SECSuccess; loser: ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); return rv; } const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd) { sslSocket *ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses", SSL_GETPID(), fd)); return NULL; } if (!ss->sec.ci.sid) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return NULL; } return &ss->sec.ci.sid->peerCertStatus; } /************************************************************************/ /* The following functions are the TOP LEVEL SSL functions. ** They all get called through the NSPRIOMethods table below. */ static PRFileDesc *PR_CALLBACK ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) { sslSocket *ss; sslSocket *ns = NULL; PRFileDesc *newfd = NULL; PRFileDesc *osfd; PRStatus status; ss = ssl_GetPrivate(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd)); return NULL; } /* IF this is a listen socket, there shouldn't be any I/O going on */ SSL_LOCK_READER(ss); SSL_LOCK_WRITER(ss); ssl_Get1stHandshakeLock(ss); ssl_GetSSL3HandshakeLock(ss); ss->cTimeout = timeout; osfd = ss->fd->lower; /* First accept connection */ newfd = osfd->methods->accept(osfd, sockaddr, timeout); if (newfd == NULL) { SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d", SSL_GETPID(), ss->fd, PORT_GetError())); } else { /* Create ssl module */ ns = ssl_DupSocket(ss); } ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); SSL_UNLOCK_WRITER(ss); SSL_UNLOCK_READER(ss); /* ss isn't used below here. */ if (ns == NULL) goto loser; /* push ssl module onto the new socket */ status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER); if (status != PR_SUCCESS) goto loser; /* Now start server connection handshake with client. ** Don't need locks here because nobody else has a reference to ns yet. */ if (ns->opt.useSecurity) { if (ns->opt.handshakeAsClient) { ns->handshake = ssl_BeginClientHandshake; ss->handshaking = sslHandshakingAsClient; } else { ns->handshake = ssl_BeginServerHandshake; ss->handshaking = sslHandshakingAsServer; } } ns->TCPconnected = 1; return newfd; loser: if (ns != NULL) ssl_FreeSocket(ns); if (newfd != NULL) PR_Close(newfd); return NULL; } static PRStatus PR_CALLBACK ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout) { sslSocket *ss; PRStatus rv; ss = ssl_GetPrivate(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd)); return PR_FAILURE; } /* IF this is a listen socket, there shouldn't be any I/O going on */ SSL_LOCK_READER(ss); SSL_LOCK_WRITER(ss); ss->cTimeout = timeout; rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr); SSL_UNLOCK_WRITER(ss); SSL_UNLOCK_READER(ss); return rv; } static PRStatus PR_CALLBACK ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr) { sslSocket *ss = ssl_GetPrivate(fd); PRStatus rv; if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd)); return PR_FAILURE; } SSL_LOCK_READER(ss); SSL_LOCK_WRITER(ss); rv = (PRStatus)(*ss->ops->bind)(ss, addr); SSL_UNLOCK_WRITER(ss); SSL_UNLOCK_READER(ss); return rv; } static PRStatus PR_CALLBACK ssl_Listen(PRFileDesc *fd, PRIntn backlog) { sslSocket *ss = ssl_GetPrivate(fd); PRStatus rv; if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd)); return PR_FAILURE; } SSL_LOCK_READER(ss); SSL_LOCK_WRITER(ss); rv = (PRStatus)(*ss->ops->listen)(ss, backlog); SSL_UNLOCK_WRITER(ss); SSL_UNLOCK_READER(ss); return rv; } static PRStatus PR_CALLBACK ssl_Shutdown(PRFileDesc *fd, PRIntn how) { sslSocket *ss = ssl_GetPrivate(fd); PRStatus rv; if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd)); return PR_FAILURE; } if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { SSL_LOCK_READER(ss); } if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { SSL_LOCK_WRITER(ss); } rv = (PRStatus)(*ss->ops->shutdown)(ss, how); if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { SSL_UNLOCK_WRITER(ss); } if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { SSL_UNLOCK_READER(ss); } return rv; } static PRStatus PR_CALLBACK ssl_Close(PRFileDesc *fd) { sslSocket *ss; PRStatus rv; ss = ssl_GetPrivate(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd)); return PR_FAILURE; } /* There must not be any I/O going on */ SSL_LOCK_READER(ss); SSL_LOCK_WRITER(ss); /* By the time this function returns, ** ss is an invalid pointer, and the locks to which it points have ** been unlocked and freed. So, this is the ONE PLACE in all of SSL ** where the LOCK calls and the corresponding UNLOCK calls are not in ** the same function scope. The unlock calls are in ssl_FreeSocket(). */ rv = (PRStatus)(*ss->ops->close)(ss); return rv; } static int PR_CALLBACK ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, PRIntervalTime timeout) { sslSocket *ss; int rv; ss = ssl_GetPrivate(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd)); return SECFailure; } SSL_LOCK_READER(ss); ss->rTimeout = timeout; if (!ss->opt.fdx) ss->wTimeout = timeout; rv = (*ss->ops->recv)(ss, (unsigned char *)buf, len, flags); SSL_UNLOCK_READER(ss); return rv; } static int PR_CALLBACK ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags, PRIntervalTime timeout) { sslSocket *ss; int rv; ss = ssl_GetPrivate(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd)); return SECFailure; } SSL_LOCK_WRITER(ss); ss->wTimeout = timeout; if (!ss->opt.fdx) ss->rTimeout = timeout; rv = (*ss->ops->send)(ss, (const unsigned char *)buf, len, flags); SSL_UNLOCK_WRITER(ss); return rv; } static int PR_CALLBACK ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len) { sslSocket *ss; int rv; ss = ssl_GetPrivate(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd)); return SECFailure; } SSL_LOCK_READER(ss); ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; if (!ss->opt.fdx) ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; rv = (*ss->ops->read)(ss, (unsigned char *)buf, len); SSL_UNLOCK_READER(ss); return rv; } static int PR_CALLBACK ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len) { sslSocket *ss; int rv; ss = ssl_GetPrivate(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd)); return SECFailure; } SSL_LOCK_WRITER(ss); ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; if (!ss->opt.fdx) ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; rv = (*ss->ops->write)(ss, (const unsigned char *)buf, len); SSL_UNLOCK_WRITER(ss); return rv; } static PRStatus PR_CALLBACK ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr) { sslSocket *ss; ss = ssl_GetPrivate(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd)); return PR_FAILURE; } return (PRStatus)(*ss->ops->getpeername)(ss, addr); } /* */ SECStatus ssl_GetPeerInfo(sslSocket *ss) { PRFileDesc *osfd; int rv; PRNetAddr sin; osfd = ss->fd->lower; PORT_Memset(&sin, 0, sizeof(sin)); rv = osfd->methods->getpeername(osfd, &sin); if (rv < 0) { return SECFailure; } ss->TCPconnected = 1; if (sin.inet.family == PR_AF_INET) { PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer); ss->sec.ci.port = sin.inet.port; } else if (sin.ipv6.family == PR_AF_INET6) { ss->sec.ci.peer = sin.ipv6.ip; ss->sec.ci.port = sin.ipv6.port; } else { PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR); return SECFailure; } return SECSuccess; } static PRStatus PR_CALLBACK ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name) { sslSocket *ss; ss = ssl_GetPrivate(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd)); return PR_FAILURE; } return (PRStatus)(*ss->ops->getsockname)(ss, name); } SECStatus SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID) { sslSocket *ss; ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSockPeerID", SSL_GETPID(), fd)); return SECFailure; } if (ss->peerID) { PORT_Free(ss->peerID); ss->peerID = NULL; } if (peerID) ss->peerID = PORT_Strdup(peerID); return (ss->peerID || !peerID) ? SECSuccess : SECFailure; } #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ) static PRInt16 PR_CALLBACK ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) { sslSocket *ss; PRInt16 new_flags = how_flags; /* should select on these flags. */ PRNetAddr addr; *p_out_flags = 0; ss = ssl_GetPrivate(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll", SSL_GETPID(), fd)); return 0; /* don't poll on this socket */ } if (ss->opt.useSecurity && ss->handshaking != sslHandshakingUndetermined && !ss->firstHsDone && (how_flags & PR_POLL_RW)) { if (!ss->TCPconnected) { ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr)); } /* If it's not connected, then presumably the application is polling ** on read or write appropriately, so don't change it. */ if (ss->TCPconnected) { if (!ss->handshakeBegun) { /* If the handshake has not begun, poll on read or write ** based on the local application's role in the handshake, ** not based on what the application requested. */ new_flags &= ~PR_POLL_RW; if (ss->handshaking == sslHandshakingAsClient) { new_flags |= PR_POLL_WRITE; } else { /* handshaking as server */ new_flags |= PR_POLL_READ; } } else if (ss->lastWriteBlocked) { /* First handshake is in progress */ if (new_flags & PR_POLL_READ) { /* The caller is waiting for data to be received, ** but the initial handshake is blocked on write, or the ** client's first handshake record has not been written. ** The code should select on write, not read. */ new_flags &= ~PR_POLL_READ; /* don't select on read. */ new_flags |= PR_POLL_WRITE; /* do select on write. */ } } else if (new_flags & PR_POLL_WRITE) { /* The caller is trying to write, but the handshake is ** blocked waiting for data to read, and the first ** handshake has been sent. So do NOT to poll on write ** unless we did false start or we are doing 0-RTT. */ if (!(ss->ssl3.hs.canFalseStart || ss->ssl3.hs.zeroRttState == ssl_0rtt_sent || ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted)) { new_flags &= ~PR_POLL_WRITE; /* don't select on write. */ } new_flags |= PR_POLL_READ; /* do select on read. */ } } } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) { *p_out_flags = PR_POLL_READ; /* it's ready already. */ return new_flags; } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) && (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */ new_flags |= PR_POLL_WRITE; /* also select on write. */ } if (ss->ssl3.hs.restartTarget != NULL) { /* Read and write will block until the asynchronous callback completes * (e.g. until SSL_AuthCertificateComplete is called), so don't tell * the caller to poll the socket unless there is pending write data. */ if (ss->lastWriteBlocked && ss->pendingBuf.len != 0) { /* Ignore any newly-received data on the socket, but do wait for * the socket to become writable again. Here, it is OK for an error * to be detected, because our logic for sending pending write data * will allow us to report the error to the caller without the risk * of the application spinning. */ new_flags &= (PR_POLL_WRITE | PR_POLL_EXCEPT); } else { /* Unfortunately, clearing new_flags will make it impossible for * the application to detect errors that it would otherwise be * able to detect with PR_POLL_EXCEPT, until the asynchronous * callback completes. However, we must clear all the flags to * prevent the application from spinning (alternating between * calling PR_Poll that would return PR_POLL_EXCEPT, and send/recv * which won't actually report the I/O error while we are waiting * for the asynchronous callback to complete). */ new_flags = 0; } } SSL_TRC(20, ("%d: SSL[%d]: ssl_Poll flags %x -> %x", SSL_GETPID(), fd, how_flags, new_flags)); if (new_flags && (fd->lower->methods->poll != NULL)) { PRInt16 lower_out_flags = 0; PRInt16 lower_new_flags; lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, &lower_out_flags); if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) { PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW; if (lower_out_flags & PR_POLL_READ) out_flags |= PR_POLL_WRITE; if (lower_out_flags & PR_POLL_WRITE) out_flags |= PR_POLL_READ; *p_out_flags = out_flags; new_flags = how_flags; } else { *p_out_flags = lower_out_flags; new_flags = lower_new_flags; } } return new_flags; } static PRInt32 PR_CALLBACK ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd, const void *headers, PRInt32 hlen, PRTransmitFileFlags flags, PRIntervalTime timeout) { PRSendFileData sfd; sfd.fd = fd; sfd.file_offset = 0; sfd.file_nbytes = 0; sfd.header = headers; sfd.hlen = hlen; sfd.trailer = NULL; sfd.tlen = 0; return sd->methods->sendfile(sd, &sfd, flags, timeout); } PRBool ssl_FdIsBlocking(PRFileDesc *fd) { PRSocketOptionData opt; PRStatus status; opt.option = PR_SockOpt_Nonblocking; opt.value.non_blocking = PR_FALSE; status = PR_GetSocketOption(fd, &opt); if (status != PR_SUCCESS) return PR_FALSE; return (PRBool)!opt.value.non_blocking; } PRBool ssl_SocketIsBlocking(sslSocket *ss) { return ssl_FdIsBlocking(ss->fd); } PRInt32 sslFirstBufSize = 8 * 1024; PRInt32 sslCopyLimit = 1024; static PRInt32 PR_CALLBACK ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, PRIntervalTime timeout) { PRInt32 i; PRInt32 bufLen; PRInt32 left; PRInt32 rv; PRInt32 sent = 0; const PRInt32 first_len = sslFirstBufSize; const PRInt32 limit = sslCopyLimit; PRBool blocking; PRIOVec myIov; char buf[MAX_FRAGMENT_LENGTH]; if (vectors < 0) { PORT_SetError(PR_INVALID_ARGUMENT_ERROR); return -1; } if (vectors > PR_MAX_IOVECTOR_SIZE) { PORT_SetError(PR_BUFFER_OVERFLOW_ERROR); return -1; } for (i = 0; i < vectors; i++) { if (iov[i].iov_len < 0) { PORT_SetError(PR_INVALID_ARGUMENT_ERROR); return -1; } } blocking = ssl_FdIsBlocking(fd); #define K16 ((int)sizeof(buf)) #define KILL_VECTORS \ while (vectors && !iov->iov_len) { \ ++iov; \ --vectors; \ } #define GET_VECTOR \ do { \ myIov = *iov++; \ --vectors; \ KILL_VECTORS \ } while (0) #define HANDLE_ERR(rv, len) \ if (rv != len) { \ if (rv < 0) { \ if (!blocking && \ (PR_GetError() == PR_WOULD_BLOCK_ERROR) && \ (sent > 0)) { \ return sent; \ } else { \ return -1; \ } \ } \ /* Only a nonblocking socket can have partial sends */ \ PR_ASSERT(!blocking); \ return sent + rv; \ } #define SEND(bfr, len) \ do { \ rv = ssl_Send(fd, bfr, len, 0, timeout); \ HANDLE_ERR(rv, len) \ sent += len; \ } while (0) /* Make sure the first write is at least 8 KB, if possible. */ KILL_VECTORS if (!vectors) return ssl_Send(fd, 0, 0, 0, timeout); GET_VECTOR; if (!vectors) { return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout); } if (myIov.iov_len < first_len) { PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); bufLen = myIov.iov_len; left = first_len - bufLen; while (vectors && left) { int toCopy; GET_VECTOR; toCopy = PR_MIN(left, myIov.iov_len); PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy); bufLen += toCopy; left -= toCopy; myIov.iov_base += toCopy; myIov.iov_len -= toCopy; } SEND(buf, bufLen); } while (vectors || myIov.iov_len) { PRInt32 addLen; if (!myIov.iov_len) { GET_VECTOR; } while (myIov.iov_len >= K16) { SEND(myIov.iov_base, K16); myIov.iov_base += K16; myIov.iov_len -= K16; } if (!myIov.iov_len) continue; if (!vectors || myIov.iov_len > limit) { addLen = 0; } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) { /* Addlen is already computed. */; } else if (vectors > 1 && iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) { addLen = limit - myIov.iov_len; } else addLen = 0; if (!addLen) { SEND(myIov.iov_base, myIov.iov_len); myIov.iov_len = 0; continue; } PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); bufLen = myIov.iov_len; do { GET_VECTOR; PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen); myIov.iov_base += addLen; myIov.iov_len -= addLen; bufLen += addLen; left = PR_MIN(limit, K16 - bufLen); if (!vectors /* no more left */ || myIov.iov_len > 0 /* we didn't use that one all up */ || bufLen >= K16 /* it's full. */) { addLen = 0; } else if ((addLen = iov->iov_len % K16) <= left) { /* Addlen is already computed. */; } else if (vectors > 1 && iov[1].iov_len % K16 + addLen <= left + limit) { addLen = left; } else addLen = 0; } while (addLen); SEND(buf, bufLen); } return sent; } /* * These functions aren't implemented. */ static PRInt32 PR_CALLBACK ssl_Available(PRFileDesc *fd) { PORT_Assert(0); PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); return SECFailure; } static PRInt64 PR_CALLBACK ssl_Available64(PRFileDesc *fd) { PRInt64 res; PORT_Assert(0); PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); LL_I2L(res, -1L); return res; } static PRStatus PR_CALLBACK ssl_FSync(PRFileDesc *fd) { PORT_Assert(0); PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); return PR_FAILURE; } static PRInt32 PR_CALLBACK ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) { PORT_Assert(0); PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); return SECFailure; } static PRInt64 PR_CALLBACK ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) { PRInt64 res; PORT_Assert(0); PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); LL_I2L(res, -1L); return res; } static PRStatus PR_CALLBACK ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info) { PORT_Assert(0); PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); return PR_FAILURE; } static PRStatus PR_CALLBACK ssl_FileInfo64(PRFileDesc *fd, PRFileInfo64 *info) { PORT_Assert(0); PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); return PR_FAILURE; } static PRInt32 PR_CALLBACK ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags, PRNetAddr *addr, PRIntervalTime timeout) { PORT_Assert(0); PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); return SECFailure; } static PRInt32 PR_CALLBACK ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, const PRNetAddr *addr, PRIntervalTime timeout) { PORT_Assert(0); PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); return SECFailure; } static const PRIOMethods ssl_methods = { PR_DESC_LAYERED, ssl_Close, /* close */ ssl_Read, /* read */ ssl_Write, /* write */ ssl_Available, /* available */ ssl_Available64, /* available64 */ ssl_FSync, /* fsync */ ssl_Seek, /* seek */ ssl_Seek64, /* seek64 */ ssl_FileInfo, /* fileInfo */ ssl_FileInfo64, /* fileInfo64 */ ssl_WriteV, /* writev */ ssl_Connect, /* connect */ ssl_Accept, /* accept */ ssl_Bind, /* bind */ ssl_Listen, /* listen */ ssl_Shutdown, /* shutdown */ ssl_Recv, /* recv */ ssl_Send, /* send */ ssl_RecvFrom, /* recvfrom */ ssl_SendTo, /* sendto */ ssl_Poll, /* poll */ PR_EmulateAcceptRead, /* acceptread */ ssl_TransmitFile, /* transmitfile */ ssl_GetSockName, /* getsockname */ ssl_GetPeerName, /* getpeername */ NULL, /* getsockopt OBSOLETE */ NULL, /* setsockopt OBSOLETE */ NULL, /* getsocketoption */ NULL, /* setsocketoption */ PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/ NULL, /* reserved for future use */ NULL, /* reserved for future use */ NULL, /* reserved for future use */ NULL, /* reserved for future use */ NULL /* reserved for future use */ }; static PRIOMethods combined_methods; static void ssl_SetupIOMethods(void) { PRIOMethods *new_methods = &combined_methods; const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods(); const PRIOMethods *my_methods = &ssl_methods; *new_methods = *nspr_methods; new_methods->file_type = my_methods->file_type; new_methods->close = my_methods->close; new_methods->read = my_methods->read; new_methods->write = my_methods->write; new_methods->available = my_methods->available; new_methods->available64 = my_methods->available64; new_methods->fsync = my_methods->fsync; new_methods->seek = my_methods->seek; new_methods->seek64 = my_methods->seek64; new_methods->fileInfo = my_methods->fileInfo; new_methods->fileInfo64 = my_methods->fileInfo64; new_methods->writev = my_methods->writev; new_methods->connect = my_methods->connect; new_methods->accept = my_methods->accept; new_methods->bind = my_methods->bind; new_methods->listen = my_methods->listen; new_methods->shutdown = my_methods->shutdown; new_methods->recv = my_methods->recv; new_methods->send = my_methods->send; new_methods->recvfrom = my_methods->recvfrom; new_methods->sendto = my_methods->sendto; new_methods->poll = my_methods->poll; new_methods->acceptread = my_methods->acceptread; new_methods->transmitfile = my_methods->transmitfile; new_methods->getsockname = my_methods->getsockname; new_methods->getpeername = my_methods->getpeername; /* new_methods->getsocketoption = my_methods->getsocketoption; */ /* new_methods->setsocketoption = my_methods->setsocketoption; */ new_methods->sendfile = my_methods->sendfile; } static PRCallOnceType initIoLayerOnce; static PRStatus ssl_InitIOLayer(void) { ssl_layer_id = PR_GetUniqueIdentity("SSL"); ssl_SetupIOMethods(); return PR_SUCCESS; } static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id) { PRFileDesc *layer = NULL; PRStatus status; status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); if (status != PR_SUCCESS) { goto loser; } if (ns == NULL) { goto loser; } layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods); if (layer == NULL) goto loser; layer->secret = (PRFilePrivate *)ns; /* Here, "stack" points to the PRFileDesc on the top of the stack. ** "layer" points to a new FD that is to be inserted into the stack. ** If layer is being pushed onto the top of the stack, then ** PR_PushIOLayer switches the contents of stack and layer, and then ** puts stack on top of layer, so that after it is done, the top of ** stack is the same "stack" as it was before, and layer is now the ** FD for the former top of stack. ** After this call, stack always points to the top PRFD on the stack. ** If this function fails, the contents of stack and layer are as ** they were before the call. */ status = PR_PushIOLayer(stack, id, layer); if (status != PR_SUCCESS) goto loser; ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer; return PR_SUCCESS; loser: if (layer) { layer->dtor(layer); /* free layer */ } return PR_FAILURE; } /* if this fails, caller must destroy socket. */ static SECStatus ssl_MakeLocks(sslSocket *ss) { ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL); if (!ss->firstHandshakeLock) goto loser; ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL); if (!ss->ssl3HandshakeLock) goto loser; ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL); if (!ss->specLock) goto loser; ss->recvBufLock = PZ_NewMonitor(nssILockSSL); if (!ss->recvBufLock) goto loser; ss->xmitBufLock = PZ_NewMonitor(nssILockSSL); if (!ss->xmitBufLock) goto loser; ss->writerThread = NULL; if (ssl_lock_readers) { ss->recvLock = PZ_NewLock(nssILockSSL); if (!ss->recvLock) goto loser; ss->sendLock = PZ_NewLock(nssILockSSL); if (!ss->sendLock) goto loser; } return SECSuccess; loser: ssl_DestroyLocks(ss); return SECFailure; } #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) #define NSS_HAVE_GETENV 1 #endif #define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */ static void ssl_SetDefaultsFromEnvironment(void) { #if defined(NSS_HAVE_GETENV) static int firsttime = 1; if (firsttime) { char *ev; firsttime = 0; #ifdef DEBUG ev = PR_GetEnvSecure("SSLDEBUGFILE"); if (ev && ev[0]) { ssl_trace_iob = fopen(ev, "w"); } if (!ssl_trace_iob) { ssl_trace_iob = stderr; } #ifdef TRACE ev = PR_GetEnvSecure("SSLTRACE"); if (ev && ev[0]) { ssl_trace = atoi(ev); SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); } #endif /* TRACE */ ev = PR_GetEnvSecure("SSLDEBUG"); if (ev && ev[0]) { ssl_debug = atoi(ev); SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); } #endif /* DEBUG */ #ifdef NSS_ALLOW_SSLKEYLOGFILE ev = PR_GetEnvSecure("SSLKEYLOGFILE"); if (ev && ev[0]) { ssl_keylog_iob = fopen(ev, "a"); if (!ssl_keylog_iob) { SSL_TRACE(("SSL: failed to open key log file")); } else { if (ftell(ssl_keylog_iob) == 0) { fputs("# SSL/TLS secrets log file, generated by NSS\n", ssl_keylog_iob); } SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev)); ssl_keylog_lock = PR_NewLock(); if (!ssl_keylog_lock) { SSL_TRACE(("SSL: failed to create key log lock")); fclose(ssl_keylog_iob); ssl_keylog_iob = NULL; } } } #endif ev = PR_GetEnvSecure("SSLFORCELOCKS"); if (ev && ev[0] == '1') { ssl_force_locks = PR_TRUE; ssl_defaults.noLocks = 0; strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. "); SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks)); } ev = PR_GetEnvSecure("NSS_SSL_ENABLE_RENEGOTIATION"); if (ev) { if (ev[0] == '1' || LOWER(ev[0]) == 'u') ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; else if (ev[0] == '0' || LOWER(ev[0]) == 'n') ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; else if (ev[0] == '2' || LOWER(ev[0]) == 'r') ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; else if (ev[0] == '3' || LOWER(ev[0]) == 't') ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL; SSL_TRACE(("SSL: enableRenegotiation set to %d", ssl_defaults.enableRenegotiation)); } ev = PR_GetEnvSecure("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); if (ev && ev[0] == '1') { ssl_defaults.requireSafeNegotiation = PR_TRUE; SSL_TRACE(("SSL: requireSafeNegotiation set to %d", PR_TRUE)); } ev = PR_GetEnvSecure("NSS_SSL_CBC_RANDOM_IV"); if (ev && ev[0] == '0') { ssl_defaults.cbcRandomIV = PR_FALSE; SSL_TRACE(("SSL: cbcRandomIV set to 0")); } } #endif /* NSS_HAVE_GETENV */ } const sslNamedGroupDef * ssl_LookupNamedGroup(SSLNamedGroup group) { unsigned int i; for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { if (ssl_named_groups[i].name == group) { return &ssl_named_groups[i]; } } return NULL; } PRBool ssl_NamedGroupEnabled(const sslSocket *ss, const sslNamedGroupDef *groupDef) { unsigned int i; if (!groupDef) { return PR_FALSE; } for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { if (ss->namedGroupPreferences[i] && ss->namedGroupPreferences[i] == groupDef) { return PR_TRUE; } } return PR_FALSE; } /* Returns a reference counted object that contains a key pair. * Or NULL on failure. Initial ref count is 1. * Uses the keys in the pair as input. Adopts the keys given. */ sslKeyPair * ssl_NewKeyPair(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey) { sslKeyPair *pair; if (!privKey || !pubKey) { PORT_SetError(PR_INVALID_ARGUMENT_ERROR); return NULL; } pair = PORT_ZNew(sslKeyPair); if (!pair) return NULL; /* error code is set. */ pair->privKey = privKey; pair->pubKey = pubKey; pair->refCount = 1; return pair; /* success */ } sslKeyPair * ssl_GetKeyPairRef(sslKeyPair *keyPair) { PR_ATOMIC_INCREMENT(&keyPair->refCount); return keyPair; } void ssl_FreeKeyPair(sslKeyPair *keyPair) { if (!keyPair) { return; } PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount); if (!newCount) { SECKEY_DestroyPrivateKey(keyPair->privKey); SECKEY_DestroyPublicKey(keyPair->pubKey); PORT_Free(keyPair); } } /* Ephemeral key handling. */ sslEphemeralKeyPair * ssl_NewEphemeralKeyPair(const sslNamedGroupDef *group, SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey) { sslKeyPair *keys; sslEphemeralKeyPair *pair; if (!group) { PORT_SetError(PR_INVALID_ARGUMENT_ERROR); return NULL; } keys = ssl_NewKeyPair(privKey, pubKey); if (!keys) { return NULL; } pair = PORT_ZNew(sslEphemeralKeyPair); if (!pair) { ssl_FreeKeyPair(keys); return NULL; /* error already set */ } PR_INIT_CLIST(&pair->link); pair->group = group; pair->keys = keys; return pair; } sslEphemeralKeyPair * ssl_CopyEphemeralKeyPair(sslEphemeralKeyPair *keyPair) { sslEphemeralKeyPair *pair; pair = PORT_ZNew(sslEphemeralKeyPair); if (!pair) { return NULL; /* error already set */ } PR_INIT_CLIST(&pair->link); pair->group = keyPair->group; pair->keys = ssl_GetKeyPairRef(keyPair->keys); return pair; } void ssl_FreeEphemeralKeyPair(sslEphemeralKeyPair *keyPair) { if (!keyPair) { return; } ssl_FreeKeyPair(keyPair->keys); PR_REMOVE_LINK(&keyPair->link); PORT_Free(keyPair); } PRBool ssl_HaveEphemeralKeyPair(const sslSocket *ss, const sslNamedGroupDef *groupDef) { return ssl_LookupEphemeralKeyPair((sslSocket *)ss, groupDef) != NULL; } sslEphemeralKeyPair * ssl_LookupEphemeralKeyPair(sslSocket *ss, const sslNamedGroupDef *groupDef) { PRCList *cursor; for (cursor = PR_NEXT_LINK(&ss->ephemeralKeyPairs); cursor != &ss->ephemeralKeyPairs; cursor = PR_NEXT_LINK(cursor)) { sslEphemeralKeyPair *keyPair = (sslEphemeralKeyPair *)cursor; if (keyPair->group == groupDef) { return keyPair; } } return NULL; } void ssl_FreeEphemeralKeyPairs(sslSocket *ss) { while (!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)) { PRCList *cursor = PR_LIST_TAIL(&ss->ephemeralKeyPairs); ssl_FreeEphemeralKeyPair((sslEphemeralKeyPair *)cursor); } } /* ** Create a newsocket structure for a file descriptor. */ static sslSocket * ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) { SECStatus rv; sslSocket *ss; int i; ssl_SetDefaultsFromEnvironment(); if (ssl_force_locks) makeLocks = PR_TRUE; /* Make a new socket and get it ready */ ss = (sslSocket *)PORT_ZAlloc(sizeof(sslSocket)); if (!ss) { return NULL; } ss->opt = ssl_defaults; if (protocolVariant == ssl_variant_datagram) { ss->opt.enableRenegotiation = SSL_RENEGOTIATE_NEVER; } ss->opt.useSocks = PR_FALSE; ss->opt.noLocks = !makeLocks; ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); ss->protocolVariant = protocolVariant; /* Ignore overlap failures, because returning NULL would trigger assertion * failures elsewhere. We don't want this scenario to be fatal, it's just * a state where no SSL connectivity is possible. */ ssl3_CreateOverlapWithPolicy(ss->protocolVariant, &ss->vrange, &ss->vrange); ss->peerID = NULL; ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; ss->url = NULL; PR_INIT_CLIST(&ss->serverCerts); PR_INIT_CLIST(&ss->ephemeralKeyPairs); PR_INIT_CLIST(&ss->extensionHooks); ss->dbHandle = CERT_GetDefaultCertDB(); /* Provide default implementation of hooks */ ss->authCertificate = SSL_AuthCertificate; ss->authCertificateArg = (void *)ss->dbHandle; ss->sniSocketConfig = NULL; ss->sniSocketConfigArg = NULL; ss->getClientAuthData = NULL; ss->alertReceivedCallback = NULL; ss->alertReceivedCallbackArg = NULL; ss->alertSentCallback = NULL; ss->alertSentCallbackArg = NULL; ss->handleBadCert = NULL; ss->badCertArg = NULL; ss->pkcs11PinArg = NULL; ssl_ChooseOps(ss); ssl3_InitSocketPolicy(ss); for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { ss->namedGroupPreferences[i] = &ssl_named_groups[i]; } ss->additionalShares = 0; PR_INIT_CLIST(&ss->ssl3.hs.remoteExtensions); PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); PR_INIT_CLIST(&ss->ssl3.hs.cipherSpecs); PR_INIT_CLIST(&ss->ssl3.hs.bufferedEarlyData); ssl3_InitExtensionData(&ss->xtnData, ss); PR_INIT_CLIST(&ss->ssl3.hs.dtlsSentHandshake); PR_INIT_CLIST(&ss->ssl3.hs.dtlsRcvdHandshake); dtls_InitTimers(ss); ss->esniKeys = NULL; if (makeLocks) { rv = ssl_MakeLocks(ss); if (rv != SECSuccess) goto loser; } rv = ssl_CreateSecurityInfo(ss); if (rv != SECSuccess) goto loser; rv = ssl3_InitGather(&ss->gs); if (rv != SECSuccess) goto loser; rv = ssl3_InitState(ss); if (rv != SECSuccess) { goto loser; } return ss; loser: ssl_DestroySocketContents(ss); ssl_DestroyLocks(ss); PORT_Free(ss); return NULL; } /** * DEPRECATED: Will always return false. */ SECStatus SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey, PRUint32 protocolmask, PRUint16 *ciphersuites, int nsuites, PRBool *pcanbypass, void *pwArg) { if (!pcanbypass) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } *pcanbypass = PR_FALSE; return SECSuccess; } /* Functions that are truly experimental use EXP, functions that are no longer * experimental use PUB. * * When initially defining a new API, add that API here using the EXP() macro * and name the function with a SSLExp_ prefix. Define the experimental API as * a macro in sslexp.h using the SSL_EXPERIMENTAL_API() macro defined there. * * Once an API is stable and proven, move the macro definition in sslexp.h to a * proper function declaration in ssl.h. Keeping the function in this list * ensures that code built against the release that contained the experimental * API will continue to work; use PUB() to reference the public function. */ #define EXP(n) \ { \ "SSL_" #n, SSLExp_##n \ } #define PUB(n) \ { \ "SSL_" #n, SSL_##n \ } struct { const char *const name; void *function; } ssl_experimental_functions[] = { #ifndef SSL_DISABLE_EXPERIMENTAL_API EXP(GetExtensionSupport), EXP(HelloRetryRequestCallback), EXP(InstallExtensionHooks), EXP(KeyUpdate), EXP(SendSessionTicket), EXP(SetMaxEarlyDataSize), EXP(SetupAntiReplay), EXP(SetResumptionTokenCallback), EXP(SetResumptionToken), EXP(GetResumptionTokenInfo), EXP(DestroyResumptionTokenInfo), EXP(SetESNIKeyPair), EXP(EncodeESNIKeys), EXP(EnableESNI), #endif { "", NULL } }; #undef EXP #undef PUB void * SSL_GetExperimentalAPI(const char *name) { unsigned int i; for (i = 0; i < PR_ARRAY_SIZE(ssl_experimental_functions); ++i) { if (strcmp(name, ssl_experimental_functions[i].name) == 0) { return ssl_experimental_functions[i].function; } } PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API); return NULL; } void ssl_ClearPRCList(PRCList *list, void (*f)(void *)) { PRCList *cursor; while (!PR_CLIST_IS_EMPTY(list)) { cursor = PR_LIST_TAIL(list); PR_REMOVE_LINK(cursor); if (f) { f(cursor); } PORT_Free(cursor); } } /* Experimental APIs for session cache handling. */ SECStatus SSLExp_SetResumptionTokenCallback(PRFileDesc *fd, SSLResumptionTokenCallback cb, void *ctx) { sslSocket *ss = ssl_FindSocket(fd); if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetResumptionTokenCallback", SSL_GETPID(), fd)); return SECFailure; } ssl_Get1stHandshakeLock(ss); ssl_GetSSL3HandshakeLock(ss); ss->resumptionTokenCallback = cb; ss->resumptionTokenContext = ctx; ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); return SECSuccess; } SECStatus SSLExp_SetResumptionToken(PRFileDesc *fd, const PRUint8 *token, unsigned int len) { sslSocket *ss = ssl_FindSocket(fd); sslSessionID *sid = NULL; if (!ss) { SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetResumptionToken", SSL_GETPID(), fd)); return SECFailure; } ssl_Get1stHandshakeLock(ss); ssl_GetSSL3HandshakeLock(ss); if (ss->firstHsDone || ss->ssl3.hs.ws != idle_handshake || ss->sec.isServer || len == 0 || !token) { PORT_SetError(SEC_ERROR_INVALID_ARGS); goto loser; } // We override any previously set session. if (ss->sec.ci.sid) { ssl_FreeSID(ss->sec.ci.sid); ss->sec.ci.sid = NULL; } PRINT_BUF(50, (ss, "incoming resumption token", token, len)); sid = ssl3_NewSessionID(ss, PR_FALSE); if (!sid) { goto loser; } /* Populate NewSessionTicket values */ SECStatus rv = ssl_DecodeResumptionToken(sid, token, len); if (rv != SECSuccess) { // If decoding fails, we assume the token is bad. PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR); goto loser; } // Make sure that the token is currently usable. if (!ssl_IsResumptionTokenUsable(ss, sid)) { PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR); goto loser; } // Generate a new random session ID for this ticket. rv = PK11_GenerateRandom(sid->u.ssl3.sessionID, SSL3_SESSIONID_BYTES); if (rv != SECSuccess) { goto loser; // Code set by PK11_GenerateRandom. } sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES; /* Use the sid->cached as marker that this is from an external cache and * we don't have to look up anything in the NSS internal cache. */ sid->cached = in_external_cache; sid->lastAccessTime = ssl_TimeSec(); ss->sec.ci.sid = sid; ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); return SECSuccess; loser: ssl_FreeSID(sid); ssl_ReleaseSSL3HandshakeLock(ss); ssl_Release1stHandshakeLock(ss); return SECFailure; } SECStatus SSLExp_DestroyResumptionTokenInfo(SSLResumptionTokenInfo *token) { if (!token) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } if (token->peerCert) { CERT_DestroyCertificate(token->peerCert); } PORT_Free(token->alpnSelection); PORT_Memset(token, 0, token->length); return SECSuccess; } SECStatus SSLExp_GetResumptionTokenInfo(const PRUint8 *tokenData, unsigned int tokenLen, SSLResumptionTokenInfo *tokenOut, PRUintn len) { if (!tokenData || !tokenOut || !tokenLen || len > sizeof(SSLResumptionTokenInfo)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } sslSessionID sid = { 0 }; SSLResumptionTokenInfo token; /* Populate sid values */ if (ssl_DecodeResumptionToken(&sid, tokenData, tokenLen) != SECSuccess) { // If decoding fails, we assume the token is bad. PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR); return SECFailure; } token.peerCert = CERT_DupCertificate(sid.peerCert); token.alpnSelectionLen = sid.u.ssl3.alpnSelection.len; token.alpnSelection = PORT_ZAlloc(token.alpnSelectionLen); if (!token.alpnSelection) { return SECFailure; } PORT_Memcpy(token.alpnSelection, sid.u.ssl3.alpnSelection.data, token.alpnSelectionLen); if (sid.u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data) { token.maxEarlyDataSize = sid.u.ssl3.locked.sessionTicket.max_early_data_size; } else { token.maxEarlyDataSize = 0; } token.expirationTime = sid.expirationTime; token.length = PR_MIN(sizeof(SSLResumptionTokenInfo), len); PORT_Memcpy(tokenOut, &token, token.length); ssl_DestroySID(&sid, PR_FALSE); return SECSuccess; }