// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived // from AuthCertificateCallback() in // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. /* ***** BEGIN LICENSE BLOCK ***** * Version: MPL 1.1/GPL 2.0/LGPL 2.1 * * The contents of this file are subject to the Mozilla Public License Version * 1.1 (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * http://www.mozilla.org/MPL/ * * Software distributed under the License is distributed on an "AS IS" basis, * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License * for the specific language governing rights and limitations under the * License. * * The Original Code is the Netscape security libraries. * * The Initial Developer of the Original Code is * Netscape Communications Corporation. * Portions created by the Initial Developer are Copyright (C) 2000 * the Initial Developer. All Rights Reserved. * * Contributor(s): * Ian McGreer * Javier Delgadillo * Kai Engert * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), * in which case the provisions of the GPL or the LGPL are applicable instead * of those above. If you wish to allow use of your version of this file only * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ #include "net/socket/ssl_client_socket_nss.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "base/bind.h" #include "base/bind_helpers.h" #include "base/callback_helpers.h" #include "base/compiler_specific.h" #include "base/logging.h" #include "base/memory/singleton.h" #include "base/metrics/histogram.h" #include "base/single_thread_task_runner.h" #include "base/stl_util.h" #include "base/strings/string_number_conversions.h" #include "base/strings/string_util.h" #include "base/strings/stringprintf.h" #include "base/thread_task_runner_handle.h" #include "base/threading/thread_restrictions.h" #include "base/values.h" #include "crypto/ec_private_key.h" #include "crypto/nss_util.h" #include "crypto/nss_util_internal.h" #include "crypto/rsa_private_key.h" #include "crypto/scoped_nss_types.h" #include "net/base/address_list.h" #include "net/base/connection_type_histograms.h" #include "net/base/dns_util.h" #include "net/base/io_buffer.h" #include "net/base/net_errors.h" #include "net/base/net_log.h" #include "net/cert/asn1_util.h" #include "net/cert/cert_status_flags.h" #include "net/cert/cert_verifier.h" #include "net/cert/ct_objects_extractor.h" #include "net/cert/ct_verifier.h" #include "net/cert/ct_verify_result.h" #include "net/cert/scoped_nss_types.h" #include "net/cert/sct_status_flags.h" #include "net/cert/single_request_cert_verifier.h" #include "net/cert/x509_certificate_net_log_param.h" #include "net/cert/x509_util.h" #include "net/http/transport_security_state.h" #include "net/ocsp/nss_ocsp.h" #include "net/socket/client_socket_handle.h" #include "net/socket/nss_ssl_util.h" #include "net/socket/ssl_error_params.h" #include "net/ssl/ssl_cert_request_info.h" #include "net/ssl/ssl_connection_status_flags.h" #include "net/ssl/ssl_info.h" #if defined(OS_WIN) #include #include #include "base/win/windows_version.h" #elif defined(OS_MACOSX) #include #include #include #include "base/mac/mac_logging.h" #include "base/synchronization/lock.h" #include "crypto/mac_security_services_lock.h" #elif defined(USE_NSS) #include #endif namespace net { // State machines are easier to debug if you log state transitions. // Enable these if you want to see what's going on. #if 1 #define EnterFunction(x) #define LeaveFunction(x) #define GotoState(s) next_handshake_state_ = s #else #define EnterFunction(x)\ VLOG(1) << (void *)this << " " << __FUNCTION__ << " enter " << x\ << "; next_handshake_state " << next_handshake_state_ #define LeaveFunction(x)\ VLOG(1) << (void *)this << " " << __FUNCTION__ << " leave " << x\ << "; next_handshake_state " << next_handshake_state_ #define GotoState(s)\ do {\ VLOG(1) << (void *)this << " " << __FUNCTION__ << " jump to state " << s;\ next_handshake_state_ = s;\ } while (0) #endif namespace { // SSL plaintext fragments are shorter than 16KB. Although the record layer // overhead is allowed to be 2K + 5 bytes, in practice the overhead is much // smaller than 1KB. So a 17KB buffer should be large enough to hold an // entire SSL record. const int kRecvBufferSize = 17 * 1024; const int kSendBufferSize = 17 * 1024; // Used by SSLClientSocketNSS::Core to indicate there is no read result // obtained by a previous operation waiting to be returned to the caller. // This constant can be any non-negative/non-zero value (eg: it does not // overlap with any value of the net::Error range, including net::OK). const int kNoPendingReadResult = 1; #if defined(OS_WIN) // CERT_OCSP_RESPONSE_PROP_ID is only implemented on Vista+, but it can be // set on Windows XP without error. There is some overhead from the server // sending the OCSP response if it supports the extension, for the subset of // XP clients who will request it but be unable to use it, but this is an // acceptable trade-off for simplicity of implementation. bool IsOCSPStaplingSupported() { return true; } #elif defined(USE_NSS) typedef SECStatus (*CacheOCSPResponseFromSideChannelFunction)( CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time, SECItem *encodedResponse, void *pwArg); // On Linux, we dynamically link against the system version of libnss3.so. In // order to continue working on systems without up-to-date versions of NSS we // lookup CERT_CacheOCSPResponseFromSideChannel with dlsym. // RuntimeLibNSSFunctionPointers is a singleton which caches the results of any // runtime symbol resolution that we need. class RuntimeLibNSSFunctionPointers { public: CacheOCSPResponseFromSideChannelFunction GetCacheOCSPResponseFromSideChannelFunction() { return cache_ocsp_response_from_side_channel_; } static RuntimeLibNSSFunctionPointers* GetInstance() { return Singleton::get(); } private: friend struct DefaultSingletonTraits; RuntimeLibNSSFunctionPointers() { cache_ocsp_response_from_side_channel_ = (CacheOCSPResponseFromSideChannelFunction) dlsym(RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel"); } CacheOCSPResponseFromSideChannelFunction cache_ocsp_response_from_side_channel_; }; CacheOCSPResponseFromSideChannelFunction GetCacheOCSPResponseFromSideChannelFunction() { return RuntimeLibNSSFunctionPointers::GetInstance() ->GetCacheOCSPResponseFromSideChannelFunction(); } bool IsOCSPStaplingSupported() { return GetCacheOCSPResponseFromSideChannelFunction() != NULL; } #else // TODO(agl): Figure out if we can plumb the OCSP response into Mac's system // certificate validation functions. bool IsOCSPStaplingSupported() { return false; } #endif #if defined(OS_WIN) // This callback is intended to be used with CertFindChainInStore. In addition // to filtering by extended/enhanced key usage, we do not show expired // certificates and require digital signature usage in the key usage // extension. // // This matches our behavior on Mac OS X and that of NSS. It also matches the // default behavior of IE8. See http://support.microsoft.com/kb/890326 and // http://blogs.msdn.com/b/askie/archive/2009/06/09/my-expired-client-certificates-no-longer-display-when-connecting-to-my-web-server-using-ie8.aspx BOOL WINAPI ClientCertFindCallback(PCCERT_CONTEXT cert_context, void* find_arg) { VLOG(1) << "Calling ClientCertFindCallback from _nss"; // Verify the certificate's KU is good. BYTE key_usage; if (CertGetIntendedKeyUsage(X509_ASN_ENCODING, cert_context->pCertInfo, &key_usage, 1)) { if (!(key_usage & CERT_DIGITAL_SIGNATURE_KEY_USAGE)) return FALSE; } else { DWORD err = GetLastError(); // If |err| is non-zero, it's an actual error. Otherwise the extension // just isn't present, and we treat it as if everything was allowed. if (err) { DLOG(ERROR) << "CertGetIntendedKeyUsage failed: " << err; return FALSE; } } // Verify the current time is within the certificate's validity period. if (CertVerifyTimeValidity(NULL, cert_context->pCertInfo) != 0) return FALSE; // Verify private key metadata is associated with this certificate. DWORD size = 0; if (!CertGetCertificateContextProperty( cert_context, CERT_KEY_PROV_INFO_PROP_ID, NULL, &size)) { return FALSE; } return TRUE; } #endif // Helper functions to make it possible to log events from within the // SSLClientSocketNSS::Core. void AddLogEvent(const base::WeakPtr& net_log, NetLog::EventType event_type) { if (!net_log) return; net_log->AddEvent(event_type); } // Helper function to make it possible to log events from within the // SSLClientSocketNSS::Core. void AddLogEventWithCallback(const base::WeakPtr& net_log, NetLog::EventType event_type, const NetLog::ParametersCallback& callback) { if (!net_log) return; net_log->AddEvent(event_type, callback); } // Helper function to make it easier to call BoundNetLog::AddByteTransferEvent // from within the SSLClientSocketNSS::Core. // AddByteTransferEvent expects to receive a const char*, which within the // Core is backed by an IOBuffer. If the "const char*" is bound via // base::Bind and posted to another thread, and the IOBuffer that backs that // pointer then goes out of scope on the origin thread, this would result in // an invalid read of a stale pointer. // Instead, provide a signature that accepts an IOBuffer*, so that a reference // to the owning IOBuffer can be bound to the Callback. This ensures that the // IOBuffer will stay alive long enough to cross threads if needed. void LogByteTransferEvent( const base::WeakPtr& net_log, NetLog::EventType event_type, int len, IOBuffer* buffer) { if (!net_log) return; net_log->AddByteTransferEvent(event_type, len, buffer->data()); } // PeerCertificateChain is a helper object which extracts the certificate // chain, as given by the server, from an NSS socket and performs the needed // resource management. The first element of the chain is the leaf certificate // and the other elements are in the order given by the server. class PeerCertificateChain { public: PeerCertificateChain() {} PeerCertificateChain(const PeerCertificateChain& other); ~PeerCertificateChain(); PeerCertificateChain& operator=(const PeerCertificateChain& other); // Resets the current chain, freeing any resources, and updates the current // chain to be a copy of the chain stored in |nss_fd|. // If |nss_fd| is NULL, then the current certificate chain will be freed. void Reset(PRFileDesc* nss_fd); // Returns the current certificate chain as a vector of DER-encoded // base::StringPieces. The returned vector remains valid until Reset is // called. std::vector AsStringPieceVector() const; bool empty() const { return certs_.empty(); } CERTCertificate* operator[](size_t index) const { DCHECK_LT(index, certs_.size()); return certs_[index]; } private: std::vector certs_; }; PeerCertificateChain::PeerCertificateChain( const PeerCertificateChain& other) { *this = other; } PeerCertificateChain::~PeerCertificateChain() { Reset(NULL); } PeerCertificateChain& PeerCertificateChain::operator=( const PeerCertificateChain& other) { if (this == &other) return *this; Reset(NULL); certs_.reserve(other.certs_.size()); for (size_t i = 0; i < other.certs_.size(); ++i) certs_.push_back(CERT_DupCertificate(other.certs_[i])); return *this; } void PeerCertificateChain::Reset(PRFileDesc* nss_fd) { for (size_t i = 0; i < certs_.size(); ++i) CERT_DestroyCertificate(certs_[i]); certs_.clear(); if (nss_fd == NULL) return; CERTCertList* list = SSL_PeerCertificateChain(nss_fd); // The handshake on |nss_fd| may not have completed. if (list == NULL) return; for (CERTCertListNode* node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list); node = CERT_LIST_NEXT(node)) { certs_.push_back(CERT_DupCertificate(node->cert)); } CERT_DestroyCertList(list); } std::vector PeerCertificateChain::AsStringPieceVector() const { std::vector v(certs_.size()); for (unsigned i = 0; i < certs_.size(); i++) { v[i] = base::StringPiece( reinterpret_cast(certs_[i]->derCert.data), certs_[i]->derCert.len); } return v; } // HandshakeState is a helper struct used to pass handshake state between // the NSS task runner and the network task runner. // // It contains members that may be read or written on the NSS task runner, // but which also need to be read from the network task runner. The NSS task // runner will notify the network task runner whenever this state changes, so // that the network task runner can safely make a copy, which avoids the need // for locking. struct HandshakeState { HandshakeState() { Reset(); } void Reset() { next_proto_status = SSLClientSocket::kNextProtoUnsupported; next_proto.clear(); server_protos.clear(); channel_id_sent = false; server_cert_chain.Reset(NULL); server_cert = NULL; sct_list_from_tls_extension.clear(); stapled_ocsp_response.clear(); resumed_handshake = false; ssl_connection_status = 0; } // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the // negotiated protocol stored in |next_proto|. SSLClientSocket::NextProtoStatus next_proto_status; std::string next_proto; // If the server supports NPN, the protocols supported by the server. std::string server_protos; // True if a channel ID was sent. bool channel_id_sent; // List of DER-encoded X.509 DistinguishedName of certificate authorities // allowed by the server. std::vector cert_authorities; // Set when the handshake fully completes. // // The server certificate is first received from NSS as an NSS certificate // chain (|server_cert_chain|) and then converted into a platform-specific // X509Certificate object (|server_cert|). It's possible for some // certificates to be successfully parsed by NSS, and not by the platform // libraries (i.e.: when running within a sandbox, different parsing // algorithms, etc), so it's not safe to assume that |server_cert| will // always be non-NULL. PeerCertificateChain server_cert_chain; scoped_refptr server_cert; // SignedCertificateTimestampList received via TLS extension (RFC 6962). std::string sct_list_from_tls_extension; // Stapled OCSP response received. std::string stapled_ocsp_response; // True if the current handshake was the result of TLS session resumption. bool resumed_handshake; // The negotiated security parameters (TLS version, cipher, extensions) of // the SSL connection. int ssl_connection_status; }; // Client-side error mapping functions. // Map NSS error code to network error code. int MapNSSClientError(PRErrorCode err) { switch (err) { case SSL_ERROR_BAD_CERT_ALERT: case SSL_ERROR_UNSUPPORTED_CERT_ALERT: case SSL_ERROR_REVOKED_CERT_ALERT: case SSL_ERROR_EXPIRED_CERT_ALERT: case SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT: case SSL_ERROR_UNKNOWN_CA_ALERT: case SSL_ERROR_ACCESS_DENIED_ALERT: return ERR_BAD_SSL_CLIENT_AUTH_CERT; default: return MapNSSError(err); } } // Map NSS error code from the first SSL handshake to network error code. int MapNSSClientHandshakeError(PRErrorCode err) { switch (err) { // If the server closed on us, it is a protocol error. // Some TLS-intolerant servers do this when we request TLS. case PR_END_OF_FILE_ERROR: return ERR_SSL_PROTOCOL_ERROR; default: return MapNSSClientError(err); } } } // namespace // SSLClientSocketNSS::Core provides a thread-safe, ref-counted core that is // able to marshal data between NSS functions and an underlying transport // socket. // // All public functions are meant to be called from the network task runner, // and any callbacks supplied will be invoked there as well, provided that // Detach() has not been called yet. // ///////////////////////////////////////////////////////////////////////////// // // Threading within SSLClientSocketNSS and SSLClientSocketNSS::Core: // // Because NSS may block on either hardware or user input during operations // such as signing, creating certificates, or locating private keys, the Core // handles all of the interactions with the underlying NSS SSL socket, so // that these blocking calls can be executed on a dedicated task runner. // // Note that the network task runner and the NSS task runner may be executing // on the same thread. If that happens, then it's more performant to try to // complete as much work as possible synchronously, even if it might block, // rather than continually PostTask-ing to the same thread. // // Because NSS functions should only be called on the NSS task runner, while // I/O resources should only be accessed on the network task runner, most // public functions are implemented via three methods, each with different // task runner affinities. // // In the single-threaded mode (where the network and NSS task runners run on // the same thread), these are all attempted synchronously, while in the // multi-threaded mode, message passing is used. // // 1) NSS Task Runner: Execute NSS function (DoPayloadRead, DoPayloadWrite, // DoHandshake) // 2) NSS Task Runner: Prepare data to go from NSS to an IO function: // (BufferRecv, BufferSend) // 3) Network Task Runner: Perform IO on that data (DoBufferRecv, // DoBufferSend, DoGetDomainBoundCert, OnGetDomainBoundCertComplete) // 4) Both Task Runners: Callback for asynchronous completion or to marshal // data from the network task runner back to NSS (BufferRecvComplete, // BufferSendComplete, OnHandshakeIOComplete) // ///////////////////////////////////////////////////////////////////////////// // Single-threaded example // // |--------------------------Network Task Runner--------------------------| // SSLClientSocketNSS Core (Transport Socket) // Read() // |-------------------------V // Read() // | // DoPayloadRead() // | // BufferRecv() // | // DoBufferRecv() // |-------------------------V // Read() // V-------------------------| // BufferRecvComplete() // | // PostOrRunCallback() // V-------------------------| // (Read Callback) // ///////////////////////////////////////////////////////////////////////////// // Multi-threaded example: // // |--------------------Network Task Runner-------------|--NSS Task Runner--| // SSLClientSocketNSS Core Socket Core // Read() // |---------------------V // Read() // |-------------------------------V // Read() // | // DoPayloadRead() // | // BufferRecv // V-------------------------------| // DoBufferRecv // |----------------V // Read() // V----------------| // BufferRecvComplete() // |-------------------------------V // BufferRecvComplete() // | // PostOrRunCallback() // V-------------------------------| // PostOrRunCallback() // V---------------------| // (Read Callback) // ///////////////////////////////////////////////////////////////////////////// class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe { public: // Creates a new Core. // // Any calls to NSS are executed on the |nss_task_runner|, while any calls // that need to operate on the underlying transport, net log, or server // bound certificate fetching will happen on the |network_task_runner|, so // that their lifetimes match that of the owning SSLClientSocketNSS. // // The caller retains ownership of |transport|, |net_log|, and // |server_bound_cert_service|, and they will not be accessed once Detach() // has been called. Core(base::SequencedTaskRunner* network_task_runner, base::SequencedTaskRunner* nss_task_runner, ClientSocketHandle* transport, const HostPortPair& host_and_port, const SSLConfig& ssl_config, BoundNetLog* net_log, ServerBoundCertService* server_bound_cert_service); // Called on the network task runner. // Transfers ownership of |socket|, an NSS SSL socket, and |buffers|, the // underlying memio implementation, to the Core. Returns true if the Core // was successfully registered with the socket. bool Init(PRFileDesc* socket, memio_Private* buffers); // Called on the network task runner. // // Attempts to perform an SSL handshake. If the handshake cannot be // completed synchronously, returns ERR_IO_PENDING, invoking |callback| on // the network task runner once the handshake has completed. Otherwise, // returns OK on success or a network error code on failure. int Connect(const CompletionCallback& callback); // Called on the network task runner. // Signals that the resources owned by the network task runner are going // away. No further callbacks will be invoked on the network task runner. // May be called at any time. void Detach(); // Called on the network task runner. // Returns the current state of the underlying SSL socket. May be called at // any time. const HandshakeState& state() const { return network_handshake_state_; } // Called on the network task runner. // Read() and Write() mirror the net::Socket functions of the same name. // If ERR_IO_PENDING is returned, |callback| will be invoked on the network // task runner at a later point, unless the caller calls Detach(). int Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback); int Write(IOBuffer* buf, int buf_len, const CompletionCallback& callback); // Called on the network task runner. bool IsConnected() const; bool HasPendingAsyncOperation() const; bool HasUnhandledReceivedData() const; bool WasEverUsed() const; // Called on the network task runner. // Causes the associated SSL/TLS session ID to be added to NSS's session // cache, but only if the connection has not been False Started. // // This should only be called after the server's certificate has been // verified, and may not be called within an NSS callback. void CacheSessionIfNecessary(); private: friend class base::RefCountedThreadSafe; ~Core(); enum State { STATE_NONE, STATE_HANDSHAKE, STATE_GET_DOMAIN_BOUND_CERT_COMPLETE, }; bool OnNSSTaskRunner() const; bool OnNetworkTaskRunner() const; //////////////////////////////////////////////////////////////////////////// // Methods that are ONLY called on the NSS task runner: //////////////////////////////////////////////////////////////////////////// // Called by NSS during full handshakes to allow the application to // verify the certificate. Instead of verifying the certificate in the midst // of the handshake, SECSuccess is always returned and the peer's certificate // is verified afterwards. // This behaviour is an artifact of the original SSLClientSocketWin // implementation, which could not verify the peer's certificate until after // the handshake had completed, as well as bugs in NSS that prevent // SSL_RestartHandshakeAfterCertReq from working. static SECStatus OwnAuthCertHandler(void* arg, PRFileDesc* socket, PRBool checksig, PRBool is_server); // Callbacks called by NSS when the peer requests client certificate // authentication. // See the documentation in third_party/nss/ssl/ssl.h for the meanings of // the arguments. #if defined(NSS_PLATFORM_CLIENT_AUTH) // When NSS has been integrated with awareness of the underlying system // cryptographic libraries, this callback allows the caller to supply a // native platform certificate and key for use by NSS. At most, one of // either (result_certs, result_private_key) or (result_nss_certificate, // result_nss_private_key) should be set. // |arg| contains a pointer to the current SSLClientSocketNSS::Core. static SECStatus PlatformClientAuthHandler( void* arg, PRFileDesc* socket, CERTDistNames* ca_names, CERTCertList** result_certs, void** result_private_key, CERTCertificate** result_nss_certificate, SECKEYPrivateKey** result_nss_private_key); #else static SECStatus ClientAuthHandler(void* arg, PRFileDesc* socket, CERTDistNames* ca_names, CERTCertificate** result_certificate, SECKEYPrivateKey** result_private_key); #endif // Called by NSS to determine if we can False Start. // |arg| contains a pointer to the current SSLClientSocketNSS::Core. static SECStatus CanFalseStartCallback(PRFileDesc* socket, void* arg, PRBool* can_false_start); // Called by NSS once the handshake has completed. // |arg| contains a pointer to the current SSLClientSocketNSS::Core. static void HandshakeCallback(PRFileDesc* socket, void* arg); // Called once the handshake has succeeded. void HandshakeSucceeded(); // Handles an NSS error generated while handshaking or performing IO. // Returns a network error code mapped from the original NSS error. int HandleNSSError(PRErrorCode error, bool handshake_error); int DoHandshakeLoop(int last_io_result); int DoReadLoop(int result); int DoWriteLoop(int result); int DoHandshake(); int DoGetDBCertComplete(int result); int DoPayloadRead(); int DoPayloadWrite(); bool DoTransportIO(); int BufferRecv(); int BufferSend(); void OnRecvComplete(int result); void OnSendComplete(int result); void DoConnectCallback(int result); void DoReadCallback(int result); void DoWriteCallback(int result); // Client channel ID handler. static SECStatus ClientChannelIDHandler( void* arg, PRFileDesc* socket, SECKEYPublicKey **out_public_key, SECKEYPrivateKey **out_private_key); // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success // and an error code otherwise. // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller // takes ownership of the |*cert| and |*key|. int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key); // Updates the NSS and platform specific certificates. void UpdateServerCert(); // Update the nss_handshake_state_ with the SignedCertificateTimestampList // received in the handshake via a TLS extension. void UpdateSignedCertTimestamps(); // Update the OCSP response cache with the stapled response received in the // handshake, and update nss_handshake_state_ with // the SignedCertificateTimestampList received in the stapled OCSP response. void UpdateStapledOCSPResponse(); // Updates the nss_handshake_state_ with the negotiated security parameters. void UpdateConnectionStatus(); // Record histograms for channel id support during full handshakes - resumed // handshakes are ignored. void RecordChannelIDSupportOnNSSTaskRunner(); // UpdateNextProto gets any application-layer protocol that may have been // negotiated by the TLS connection. void UpdateNextProto(); //////////////////////////////////////////////////////////////////////////// // Methods that are ONLY called on the network task runner: //////////////////////////////////////////////////////////////////////////// int DoBufferRecv(IOBuffer* buffer, int len); int DoBufferSend(IOBuffer* buffer, int len); int DoGetDomainBoundCert(const std::string& host); void OnGetDomainBoundCertComplete(int result); void OnHandshakeStateUpdated(const HandshakeState& state); void OnNSSBufferUpdated(int amount_in_read_buffer); void DidNSSRead(int result); void DidNSSWrite(int result); void RecordChannelIDSupportOnNetworkTaskRunner( bool negotiated_channel_id, bool channel_id_enabled, bool supports_ecc) const; //////////////////////////////////////////////////////////////////////////// // Methods that are called on both the network task runner and the NSS // task runner. //////////////////////////////////////////////////////////////////////////// void OnHandshakeIOComplete(int result); void BufferRecvComplete(IOBuffer* buffer, int result); void BufferSendComplete(int result); // PostOrRunCallback is a helper function to ensure that |callback| is // invoked on the network task runner, but only if Detach() has not yet // been called. void PostOrRunCallback(const tracked_objects::Location& location, const base::Closure& callback); // Uses PostOrRunCallback and |weak_net_log_| to try and log a // SSL_CLIENT_CERT_PROVIDED event, with the indicated count. void AddCertProvidedEvent(int cert_count); // Sets the handshake state |channel_id_sent| flag and logs the // SSL_CHANNEL_ID_PROVIDED event. void SetChannelIDProvided(); //////////////////////////////////////////////////////////////////////////// // Members that are ONLY accessed on the network task runner: //////////////////////////////////////////////////////////////////////////// // True if the owning SSLClientSocketNSS has called Detach(). No further // callbacks will be invoked nor access to members owned by the network // task runner. bool detached_; // The underlying transport to use for network IO. ClientSocketHandle* transport_; base::WeakPtrFactory weak_net_log_factory_; // The current handshake state. Mirrors |nss_handshake_state_|. HandshakeState network_handshake_state_; // The service for retrieving Channel ID keys. May be NULL. ServerBoundCertService* server_bound_cert_service_; ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_; // The information about NSS task runner. int unhandled_buffer_size_; bool nss_waiting_read_; bool nss_waiting_write_; bool nss_is_closed_; // Set when Read() or Write() successfully reads or writes data to or from the // network. bool was_ever_used_; //////////////////////////////////////////////////////////////////////////// // Members that are ONLY accessed on the NSS task runner: //////////////////////////////////////////////////////////////////////////// HostPortPair host_and_port_; SSLConfig ssl_config_; // NSS SSL socket. PRFileDesc* nss_fd_; // Buffers for the network end of the SSL state machine memio_Private* nss_bufs_; // Used by DoPayloadRead() when attempting to fill the caller's buffer with // as much data as possible, without blocking. // If DoPayloadRead() encounters an error after having read some data, stores // the results to return on the *next* call to DoPayloadRead(). A value of // kNoPendingReadResult indicates there is no pending result, otherwise 0 // indicates EOF and < 0 indicates an error. int pending_read_result_; // Contains the previously observed NSS error. Only valid when // pending_read_result_ != kNoPendingReadResult. PRErrorCode pending_read_nss_error_; // The certificate chain, in DER form, that is expected to be received from // the server. std::vector predicted_certs_; State next_handshake_state_; // True if channel ID extension was negotiated. bool channel_id_xtn_negotiated_; // True if the handshake state machine was interrupted for channel ID. bool channel_id_needed_; // True if the handshake state machine was interrupted for client auth. bool client_auth_cert_needed_; // True if NSS has False Started. bool false_started_; // True if NSS has called HandshakeCallback. bool handshake_callback_called_; HandshakeState nss_handshake_state_; bool transport_recv_busy_; bool transport_recv_eof_; bool transport_send_busy_; // Used by Read function. scoped_refptr user_read_buf_; int user_read_buf_len_; // Used by Write function. scoped_refptr user_write_buf_; int user_write_buf_len_; CompletionCallback user_connect_callback_; CompletionCallback user_read_callback_; CompletionCallback user_write_callback_; //////////////////////////////////////////////////////////////////////////// // Members that are accessed on both the network task runner and the NSS // task runner. //////////////////////////////////////////////////////////////////////////// scoped_refptr network_task_runner_; scoped_refptr nss_task_runner_; // Dereferenced only on the network task runner, but bound to tasks destined // for the network task runner from the NSS task runner. base::WeakPtr weak_net_log_; // Written on the network task runner by the |server_bound_cert_service_|, // prior to invoking OnHandshakeIOComplete. // Read on the NSS task runner when once OnHandshakeIOComplete is invoked // on the NSS task runner. std::string domain_bound_private_key_; std::string domain_bound_cert_; DISALLOW_COPY_AND_ASSIGN(Core); }; SSLClientSocketNSS::Core::Core( base::SequencedTaskRunner* network_task_runner, base::SequencedTaskRunner* nss_task_runner, ClientSocketHandle* transport, const HostPortPair& host_and_port, const SSLConfig& ssl_config, BoundNetLog* net_log, ServerBoundCertService* server_bound_cert_service) : detached_(false), transport_(transport), weak_net_log_factory_(net_log), server_bound_cert_service_(server_bound_cert_service), unhandled_buffer_size_(0), nss_waiting_read_(false), nss_waiting_write_(false), nss_is_closed_(false), was_ever_used_(false), host_and_port_(host_and_port), ssl_config_(ssl_config), nss_fd_(NULL), nss_bufs_(NULL), pending_read_result_(kNoPendingReadResult), pending_read_nss_error_(0), next_handshake_state_(STATE_NONE), channel_id_xtn_negotiated_(false), channel_id_needed_(false), client_auth_cert_needed_(false), false_started_(false), handshake_callback_called_(false), transport_recv_busy_(false), transport_recv_eof_(false), transport_send_busy_(false), user_read_buf_len_(0), user_write_buf_len_(0), network_task_runner_(network_task_runner), nss_task_runner_(nss_task_runner), weak_net_log_(weak_net_log_factory_.GetWeakPtr()) { } SSLClientSocketNSS::Core::~Core() { // TODO(wtc): Send SSL close_notify alert. if (nss_fd_ != NULL) { PR_Close(nss_fd_); nss_fd_ = NULL; } } bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket, memio_Private* buffers) { DCHECK(OnNetworkTaskRunner()); DCHECK(!nss_fd_); DCHECK(!nss_bufs_); nss_fd_ = socket; nss_bufs_ = buffers; SECStatus rv = SECSuccess; if (!ssl_config_.next_protos.empty()) { size_t wire_length = 0; for (std::vector::const_iterator i = ssl_config_.next_protos.begin(); i != ssl_config_.next_protos.end(); ++i) { if (i->size() > 255) { LOG(WARNING) << "Ignoring overlong NPN/ALPN protocol: " << *i; continue; } wire_length += i->size(); wire_length++; } scoped_ptr wire_protos(new uint8[wire_length]); uint8* dst = wire_protos.get(); for (std::vector::const_iterator i = ssl_config_.next_protos.begin(); i != ssl_config_.next_protos.end(); i++) { if (i->size() > 255) continue; *dst++ = i->size(); memcpy(dst, i->data(), i->size()); dst += i->size(); } DCHECK_EQ(dst, wire_protos.get() + wire_length); rv = SSL_SetNextProtoNego(nss_fd_, wire_protos.get(), wire_length); if (rv != SECSuccess) LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", ""); rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE); if (rv != SECSuccess) LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN"); rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE); if (rv != SECSuccess) LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_NPN"); } rv = SSL_AuthCertificateHook( nss_fd_, SSLClientSocketNSS::Core::OwnAuthCertHandler, this); if (rv != SECSuccess) { LogFailedNSSFunction(*weak_net_log_, "SSL_AuthCertificateHook", ""); return false; } #if defined(NSS_PLATFORM_CLIENT_AUTH) rv = SSL_GetPlatformClientAuthDataHook( nss_fd_, SSLClientSocketNSS::Core::PlatformClientAuthHandler, this); #else rv = SSL_GetClientAuthDataHook( nss_fd_, SSLClientSocketNSS::Core::ClientAuthHandler, this); #endif if (rv != SECSuccess) { LogFailedNSSFunction(*weak_net_log_, "SSL_GetClientAuthDataHook", ""); return false; } if (IsChannelIDEnabled(ssl_config_, server_bound_cert_service_)) { rv = SSL_SetClientChannelIDCallback( nss_fd_, SSLClientSocketNSS::Core::ClientChannelIDHandler, this); if (rv != SECSuccess) { LogFailedNSSFunction( *weak_net_log_, "SSL_SetClientChannelIDCallback", ""); } } rv = SSL_SetCanFalseStartCallback( nss_fd_, SSLClientSocketNSS::Core::CanFalseStartCallback, this); if (rv != SECSuccess) { LogFailedNSSFunction(*weak_net_log_, "SSL_SetCanFalseStartCallback", ""); return false; } rv = SSL_HandshakeCallback( nss_fd_, SSLClientSocketNSS::Core::HandshakeCallback, this); if (rv != SECSuccess) { LogFailedNSSFunction(*weak_net_log_, "SSL_HandshakeCallback", ""); return false; } return true; } int SSLClientSocketNSS::Core::Connect(const CompletionCallback& callback) { if (!OnNSSTaskRunner()) { DCHECK(!detached_); bool posted = nss_task_runner_->PostTask( FROM_HERE, base::Bind(IgnoreResult(&Core::Connect), this, callback)); return posted ? ERR_IO_PENDING : ERR_ABORTED; } DCHECK(OnNSSTaskRunner()); DCHECK_EQ(STATE_NONE, next_handshake_state_); DCHECK(user_read_callback_.is_null()); DCHECK(user_write_callback_.is_null()); DCHECK(user_connect_callback_.is_null()); DCHECK(!user_read_buf_.get()); DCHECK(!user_write_buf_.get()); next_handshake_state_ = STATE_HANDSHAKE; int rv = DoHandshakeLoop(OK); if (rv == ERR_IO_PENDING) { user_connect_callback_ = callback; } else if (rv > OK) { rv = OK; } if (rv != ERR_IO_PENDING && !OnNetworkTaskRunner()) { PostOrRunCallback(FROM_HERE, base::Bind(callback, rv)); return ERR_IO_PENDING; } return rv; } void SSLClientSocketNSS::Core::Detach() { DCHECK(OnNetworkTaskRunner()); detached_ = true; transport_ = NULL; weak_net_log_factory_.InvalidateWeakPtrs(); network_handshake_state_.Reset(); domain_bound_cert_request_handle_.Cancel(); } int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback) { if (!OnNSSTaskRunner()) { DCHECK(OnNetworkTaskRunner()); DCHECK(!detached_); DCHECK(transport_); DCHECK(!nss_waiting_read_); nss_waiting_read_ = true; bool posted = nss_task_runner_->PostTask( FROM_HERE, base::Bind(IgnoreResult(&Core::Read), this, make_scoped_refptr(buf), buf_len, callback)); if (!posted) { nss_is_closed_ = true; nss_waiting_read_ = false; } return posted ? ERR_IO_PENDING : ERR_ABORTED; } DCHECK(OnNSSTaskRunner()); DCHECK(false_started_ || handshake_callback_called_); DCHECK_EQ(STATE_NONE, next_handshake_state_); DCHECK(user_read_callback_.is_null()); DCHECK(user_connect_callback_.is_null()); DCHECK(!user_read_buf_.get()); DCHECK(nss_bufs_); user_read_buf_ = buf; user_read_buf_len_ = buf_len; int rv = DoReadLoop(OK); if (rv == ERR_IO_PENDING) { if (OnNetworkTaskRunner()) nss_waiting_read_ = true; user_read_callback_ = callback; } else { user_read_buf_ = NULL; user_read_buf_len_ = 0; if (!OnNetworkTaskRunner()) { PostOrRunCallback(FROM_HERE, base::Bind(&Core::DidNSSRead, this, rv)); PostOrRunCallback(FROM_HERE, base::Bind(callback, rv)); return ERR_IO_PENDING; } else { DCHECK(!nss_waiting_read_); if (rv <= 0) { nss_is_closed_ = true; } else { was_ever_used_ = true; } } } return rv; } int SSLClientSocketNSS::Core::Write(IOBuffer* buf, int buf_len, const CompletionCallback& callback) { if (!OnNSSTaskRunner()) { DCHECK(OnNetworkTaskRunner()); DCHECK(!detached_); DCHECK(transport_); DCHECK(!nss_waiting_write_); nss_waiting_write_ = true; bool posted = nss_task_runner_->PostTask( FROM_HERE, base::Bind(IgnoreResult(&Core::Write), this, make_scoped_refptr(buf), buf_len, callback)); if (!posted) { nss_is_closed_ = true; nss_waiting_write_ = false; } return posted ? ERR_IO_PENDING : ERR_ABORTED; } DCHECK(OnNSSTaskRunner()); DCHECK(false_started_ || handshake_callback_called_); DCHECK_EQ(STATE_NONE, next_handshake_state_); DCHECK(user_write_callback_.is_null()); DCHECK(user_connect_callback_.is_null()); DCHECK(!user_write_buf_.get()); DCHECK(nss_bufs_); user_write_buf_ = buf; user_write_buf_len_ = buf_len; int rv = DoWriteLoop(OK); if (rv == ERR_IO_PENDING) { if (OnNetworkTaskRunner()) nss_waiting_write_ = true; user_write_callback_ = callback; } else { user_write_buf_ = NULL; user_write_buf_len_ = 0; if (!OnNetworkTaskRunner()) { PostOrRunCallback(FROM_HERE, base::Bind(&Core::DidNSSWrite, this, rv)); PostOrRunCallback(FROM_HERE, base::Bind(callback, rv)); return ERR_IO_PENDING; } else { DCHECK(!nss_waiting_write_); if (rv < 0) { nss_is_closed_ = true; } else if (rv > 0) { was_ever_used_ = true; } } } return rv; } bool SSLClientSocketNSS::Core::IsConnected() const { DCHECK(OnNetworkTaskRunner()); return !nss_is_closed_; } bool SSLClientSocketNSS::Core::HasPendingAsyncOperation() const { DCHECK(OnNetworkTaskRunner()); return nss_waiting_read_ || nss_waiting_write_; } bool SSLClientSocketNSS::Core::HasUnhandledReceivedData() const { DCHECK(OnNetworkTaskRunner()); return unhandled_buffer_size_ != 0; } bool SSLClientSocketNSS::Core::WasEverUsed() const { DCHECK(OnNetworkTaskRunner()); return was_ever_used_; } void SSLClientSocketNSS::Core::CacheSessionIfNecessary() { // TODO(rsleevi): This should occur on the NSS task runner, due to the use of // nss_fd_. However, it happens on the network task runner in order to match // the buggy behavior of ExportKeyingMaterial. // // Once http://crbug.com/330360 is fixed, this should be moved to an // implementation that exclusively does this work on the NSS TaskRunner. This // is "safe" because it is only called during the certificate verification // state machine of the main socket, which is safe because no underlying // transport IO will be occuring in that state, and NSS will not be blocking // on any PKCS#11 related locks that might block the Network TaskRunner. DCHECK(OnNetworkTaskRunner()); // Only cache the session if the connection was not False Started, because // sessions should only be cached *after* the peer's Finished message is // processed. // In the case of False Start, the session will be cached once the // HandshakeCallback is called, which signals the receipt and processing of // the Finished message, and which will happen during a call to // PR_Read/PR_Write. if (!false_started_) SSL_CacheSession(nss_fd_); } bool SSLClientSocketNSS::Core::OnNSSTaskRunner() const { return nss_task_runner_->RunsTasksOnCurrentThread(); } bool SSLClientSocketNSS::Core::OnNetworkTaskRunner() const { return network_task_runner_->RunsTasksOnCurrentThread(); } // static SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler( void* arg, PRFileDesc* socket, PRBool checksig, PRBool is_server) { Core* core = reinterpret_cast(arg); if (core->handshake_callback_called_) { // Disallow the server certificate to change in a renegotiation. CERTCertificate* old_cert = core->nss_handshake_state_.server_cert_chain[0]; ScopedCERTCertificate new_cert(SSL_PeerCertificate(socket)); if (new_cert->derCert.len != old_cert->derCert.len || memcmp(new_cert->derCert.data, old_cert->derCert.data, new_cert->derCert.len) != 0) { // NSS doesn't have an error code that indicates the server certificate // changed. Borrow SSL_ERROR_WRONG_CERTIFICATE (which NSS isn't using) // for this purpose. PORT_SetError(SSL_ERROR_WRONG_CERTIFICATE); return SECFailure; } } // Tell NSS to not verify the certificate. return SECSuccess; } #if defined(NSS_PLATFORM_CLIENT_AUTH) // static SECStatus SSLClientSocketNSS::Core::PlatformClientAuthHandler( void* arg, PRFileDesc* socket, CERTDistNames* ca_names, CERTCertList** result_certs, void** result_private_key, CERTCertificate** result_nss_certificate, SECKEYPrivateKey** result_nss_private_key) { Core* core = reinterpret_cast(arg); DCHECK(core->OnNSSTaskRunner()); core->PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEvent, core->weak_net_log_, NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED)); core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert; #if defined(OS_WIN) if (core->ssl_config_.send_client_cert) { if (core->ssl_config_.client_cert) { PCCERT_CONTEXT cert_context = core->ssl_config_.client_cert->os_cert_handle(); HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov = 0; DWORD key_spec = 0; BOOL must_free = FALSE; DWORD flags = 0; if (base::win::GetVersion() >= base::win::VERSION_VISTA) flags |= CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG; BOOL acquired_key = CryptAcquireCertificatePrivateKey( cert_context, flags, NULL, &crypt_prov, &key_spec, &must_free); if (acquired_key) { // Should never get a cached handle back - ownership must always be // transferred. CHECK_EQ(must_free, TRUE); SECItem der_cert; der_cert.type = siDERCertBuffer; der_cert.data = cert_context->pbCertEncoded; der_cert.len = cert_context->cbCertEncoded; // TODO(rsleevi): Error checking for NSS allocation errors. CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB(); CERTCertificate* user_cert = CERT_NewTempCertificate( db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); if (!user_cert) { // Importing the certificate can fail for reasons including a serial // number collision. See crbug.com/97355. core->AddCertProvidedEvent(0); return SECFailure; } CERTCertList* cert_chain = CERT_NewCertList(); CERT_AddCertToListTail(cert_chain, user_cert); // Add the intermediates. X509Certificate::OSCertHandles intermediates = core->ssl_config_.client_cert->GetIntermediateCertificates(); for (X509Certificate::OSCertHandles::const_iterator it = intermediates.begin(); it != intermediates.end(); ++it) { der_cert.data = (*it)->pbCertEncoded; der_cert.len = (*it)->cbCertEncoded; CERTCertificate* intermediate = CERT_NewTempCertificate( db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE); if (!intermediate) { CERT_DestroyCertList(cert_chain); core->AddCertProvidedEvent(0); return SECFailure; } CERT_AddCertToListTail(cert_chain, intermediate); } PCERT_KEY_CONTEXT key_context = reinterpret_cast( PORT_ZAlloc(sizeof(CERT_KEY_CONTEXT))); key_context->cbSize = sizeof(*key_context); // NSS will free this context when no longer in use. key_context->hCryptProv = crypt_prov; key_context->dwKeySpec = key_spec; *result_private_key = key_context; *result_certs = cert_chain; int cert_count = 1 + intermediates.size(); core->AddCertProvidedEvent(cert_count); return SECSuccess; } LOG(WARNING) << "Client cert found without private key"; } // Send no client certificate. core->AddCertProvidedEvent(0); return SECFailure; } core->nss_handshake_state_.cert_authorities.clear(); std::vector issuer_list(ca_names->nnames); for (int i = 0; i < ca_names->nnames; ++i) { issuer_list[i].cbData = ca_names->names[i].len; issuer_list[i].pbData = ca_names->names[i].data; core->nss_handshake_state_.cert_authorities.push_back(std::string( reinterpret_cast(ca_names->names[i].data), static_cast(ca_names->names[i].len))); } // Update the network task runner's view of the handshake state now that // server certificate request has been recorded. core->PostOrRunCallback( FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core, core->nss_handshake_state_)); // Tell NSS to suspend the client authentication. We will then abort the // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED. return SECWouldBlock; #elif defined(OS_MACOSX) if (core->ssl_config_.send_client_cert) { if (core->ssl_config_.client_cert.get()) { OSStatus os_error = noErr; SecIdentityRef identity = NULL; SecKeyRef private_key = NULL; X509Certificate::OSCertHandles chain; { base::AutoLock lock(crypto::GetMacSecurityServicesLock()); os_error = SecIdentityCreateWithCertificate( NULL, core->ssl_config_.client_cert->os_cert_handle(), &identity); } if (os_error == noErr) { os_error = SecIdentityCopyPrivateKey(identity, &private_key); CFRelease(identity); } if (os_error == noErr) { // TODO(rsleevi): Error checking for NSS allocation errors. *result_certs = CERT_NewCertList(); *result_private_key = private_key; chain.push_back(core->ssl_config_.client_cert->os_cert_handle()); const X509Certificate::OSCertHandles& intermediates = core->ssl_config_.client_cert->GetIntermediateCertificates(); if (!intermediates.empty()) chain.insert(chain.end(), intermediates.begin(), intermediates.end()); for (size_t i = 0, chain_count = chain.size(); i < chain_count; ++i) { CSSM_DATA cert_data; SecCertificateRef cert_ref = chain[i]; os_error = SecCertificateGetData(cert_ref, &cert_data); if (os_error != noErr) break; SECItem der_cert; der_cert.type = siDERCertBuffer; der_cert.data = cert_data.Data; der_cert.len = cert_data.Length; CERTCertificate* nss_cert = CERT_NewTempCertificate( CERT_GetDefaultCertDB(), &der_cert, NULL, PR_FALSE, PR_TRUE); if (!nss_cert) { // In the event of an NSS error, make up an OS error and reuse // the error handling below. os_error = errSecCreateChainFailed; break; } CERT_AddCertToListTail(*result_certs, nss_cert); } } if (os_error == noErr) { core->AddCertProvidedEvent(chain.size()); return SECSuccess; } OSSTATUS_LOG(WARNING, os_error) << "Client cert found, but could not be used"; if (*result_certs) { CERT_DestroyCertList(*result_certs); *result_certs = NULL; } if (*result_private_key) *result_private_key = NULL; if (private_key) CFRelease(private_key); } // Send no client certificate. core->AddCertProvidedEvent(0); return SECFailure; } core->nss_handshake_state_.cert_authorities.clear(); // Retrieve the cert issuers accepted by the server. std::vector valid_issuers; int n = ca_names->nnames; for (int i = 0; i < n; i++) { core->nss_handshake_state_.cert_authorities.push_back(std::string( reinterpret_cast(ca_names->names[i].data), static_cast(ca_names->names[i].len))); } // Update the network task runner's view of the handshake state now that // server certificate request has been recorded. core->PostOrRunCallback( FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core, core->nss_handshake_state_)); // Tell NSS to suspend the client authentication. We will then abort the // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED. return SECWouldBlock; #else return SECFailure; #endif } #elif defined(OS_IOS) SECStatus SSLClientSocketNSS::Core::ClientAuthHandler( void* arg, PRFileDesc* socket, CERTDistNames* ca_names, CERTCertificate** result_certificate, SECKEYPrivateKey** result_private_key) { Core* core = reinterpret_cast(arg); DCHECK(core->OnNSSTaskRunner()); core->PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEvent, core->weak_net_log_, NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED)); // TODO(droger): Support client auth on iOS. See http://crbug.com/145954). LOG(WARNING) << "Client auth is not supported"; // Never send a certificate. core->AddCertProvidedEvent(0); return SECFailure; } #else // NSS_PLATFORM_CLIENT_AUTH // static // Based on Mozilla's NSS_GetClientAuthData. SECStatus SSLClientSocketNSS::Core::ClientAuthHandler( void* arg, PRFileDesc* socket, CERTDistNames* ca_names, CERTCertificate** result_certificate, SECKEYPrivateKey** result_private_key) { Core* core = reinterpret_cast(arg); DCHECK(core->OnNSSTaskRunner()); core->PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEvent, core->weak_net_log_, NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED)); // Regular client certificate requested. core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert; void* wincx = SSL_RevealPinArg(socket); if (core->ssl_config_.send_client_cert) { // Second pass: a client certificate should have been selected. if (core->ssl_config_.client_cert.get()) { CERTCertificate* cert = CERT_DupCertificate(core->ssl_config_.client_cert->os_cert_handle()); SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx); if (privkey) { // TODO(jsorianopastor): We should wait for server certificate // verification before sending our credentials. See // http://crbug.com/13934. *result_certificate = cert; *result_private_key = privkey; // A cert_count of -1 means the number of certificates is unknown. // NSS will construct the certificate chain. core->AddCertProvidedEvent(-1); return SECSuccess; } LOG(WARNING) << "Client cert found without private key"; } // Send no client certificate. core->AddCertProvidedEvent(0); return SECFailure; } // First pass: client certificate is needed. core->nss_handshake_state_.cert_authorities.clear(); // Retrieve the DER-encoded DistinguishedName of the cert issuers accepted by // the server and save them in |cert_authorities|. for (int i = 0; i < ca_names->nnames; i++) { core->nss_handshake_state_.cert_authorities.push_back(std::string( reinterpret_cast(ca_names->names[i].data), static_cast(ca_names->names[i].len))); } // Update the network task runner's view of the handshake state now that // server certificate request has been recorded. core->PostOrRunCallback( FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core, core->nss_handshake_state_)); // Tell NSS to suspend the client authentication. We will then abort the // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED. return SECWouldBlock; } #endif // NSS_PLATFORM_CLIENT_AUTH // static SECStatus SSLClientSocketNSS::Core::CanFalseStartCallback( PRFileDesc* socket, void* arg, PRBool* can_false_start) { // If the server doesn't support NPN or ALPN, then we don't do False // Start with it. PRBool negotiated_extension; SECStatus rv = SSL_HandshakeNegotiatedExtension(socket, ssl_app_layer_protocol_xtn, &negotiated_extension); if (rv != SECSuccess || !negotiated_extension) { rv = SSL_HandshakeNegotiatedExtension(socket, ssl_next_proto_nego_xtn, &negotiated_extension); } if (rv != SECSuccess || !negotiated_extension) { *can_false_start = PR_FALSE; return SECSuccess; } return SSL_RecommendedCanFalseStart(socket, can_false_start); } // static void SSLClientSocketNSS::Core::HandshakeCallback( PRFileDesc* socket, void* arg) { Core* core = reinterpret_cast(arg); DCHECK(core->OnNSSTaskRunner()); core->handshake_callback_called_ = true; if (core->false_started_) { core->false_started_ = false; // If the connection was False Started, then at the time of this callback, // the peer's certificate will have been verified or the caller will have // accepted the error. // This is guaranteed when using False Start because this callback will // not be invoked until processing the peer's Finished message, which // will only happen in a PR_Read/PR_Write call, which can only happen // after the peer's certificate is verified. SSL_CacheSessionUnlocked(socket); // Additionally, when False Starting, DoHandshake() will have already // called HandshakeSucceeded(), so return now. return; } core->HandshakeSucceeded(); } void SSLClientSocketNSS::Core::HandshakeSucceeded() { DCHECK(OnNSSTaskRunner()); PRBool last_handshake_resumed; SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed); if (rv == SECSuccess && last_handshake_resumed) { nss_handshake_state_.resumed_handshake = true; } else { nss_handshake_state_.resumed_handshake = false; } RecordChannelIDSupportOnNSSTaskRunner(); UpdateServerCert(); UpdateSignedCertTimestamps(); UpdateStapledOCSPResponse(); UpdateConnectionStatus(); UpdateNextProto(); // Update the network task runners view of the handshake state whenever // a handshake has completed. PostOrRunCallback( FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this, nss_handshake_state_)); } int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error, bool handshake_error) { DCHECK(OnNSSTaskRunner()); int net_error = handshake_error ? MapNSSClientHandshakeError(nss_error) : MapNSSClientError(nss_error); #if defined(OS_WIN) // On Windows, a handle to the HCRYPTPROV is cached in the X509Certificate // os_cert_handle() as an optimization. However, if the certificate // private key is stored on a smart card, and the smart card is removed, // the cached HCRYPTPROV will not be able to obtain the HCRYPTKEY again, // preventing client certificate authentication. Because the // X509Certificate may outlive the individual SSLClientSocketNSS, due to // caching in X509Certificate, this failure ends up preventing client // certificate authentication with the same certificate for all future // attempts, even after the smart card has been re-inserted. By setting // the CERT_KEY_PROV_HANDLE_PROP_ID to NULL, the cached HCRYPTPROV will // typically be freed. This allows a new HCRYPTPROV to be obtained from // the certificate on the next attempt, which should succeed if the smart // card has been re-inserted, or will typically prompt the user to // re-insert the smart card if not. if ((net_error == ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY || net_error == ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED) && ssl_config_.send_client_cert && ssl_config_.client_cert) { CertSetCertificateContextProperty( ssl_config_.client_cert->os_cert_handle(), CERT_KEY_PROV_HANDLE_PROP_ID, 0, NULL); } #endif return net_error; } int SSLClientSocketNSS::Core::DoHandshakeLoop(int last_io_result) { DCHECK(OnNSSTaskRunner()); int rv = last_io_result; do { // Default to STATE_NONE for next state. State state = next_handshake_state_; GotoState(STATE_NONE); switch (state) { case STATE_HANDSHAKE: rv = DoHandshake(); break; case STATE_GET_DOMAIN_BOUND_CERT_COMPLETE: rv = DoGetDBCertComplete(rv); break; case STATE_NONE: default: rv = ERR_UNEXPECTED; LOG(DFATAL) << "unexpected state " << state; break; } // Do the actual network I/O bool network_moved = DoTransportIO(); if (network_moved && next_handshake_state_ == STATE_HANDSHAKE) { // In general we exit the loop if rv is ERR_IO_PENDING. In this // special case we keep looping even if rv is ERR_IO_PENDING because // the transport IO may allow DoHandshake to make progress. DCHECK(rv == OK || rv == ERR_IO_PENDING); rv = OK; // This causes us to stay in the loop. } } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE); return rv; } int SSLClientSocketNSS::Core::DoReadLoop(int result) { DCHECK(OnNSSTaskRunner()); DCHECK(false_started_ || handshake_callback_called_); DCHECK_EQ(STATE_NONE, next_handshake_state_); if (result < 0) return result; if (!nss_bufs_) { LOG(DFATAL) << "!nss_bufs_"; int rv = ERR_UNEXPECTED; PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEventWithCallback, weak_net_log_, NetLog::TYPE_SSL_READ_ERROR, CreateNetLogSSLErrorCallback(rv, 0))); return rv; } bool network_moved; int rv; do { rv = DoPayloadRead(); network_moved = DoTransportIO(); } while (rv == ERR_IO_PENDING && network_moved); return rv; } int SSLClientSocketNSS::Core::DoWriteLoop(int result) { DCHECK(OnNSSTaskRunner()); DCHECK(false_started_ || handshake_callback_called_); DCHECK_EQ(STATE_NONE, next_handshake_state_); if (result < 0) return result; if (!nss_bufs_) { LOG(DFATAL) << "!nss_bufs_"; int rv = ERR_UNEXPECTED; PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEventWithCallback, weak_net_log_, NetLog::TYPE_SSL_READ_ERROR, CreateNetLogSSLErrorCallback(rv, 0))); return rv; } bool network_moved; int rv; do { rv = DoPayloadWrite(); network_moved = DoTransportIO(); } while (rv == ERR_IO_PENDING && network_moved); LeaveFunction(rv); return rv; } int SSLClientSocketNSS::Core::DoHandshake() { DCHECK(OnNSSTaskRunner()); int net_error = net::OK; SECStatus rv = SSL_ForceHandshake(nss_fd_); // Note: this function may be called multiple times during the handshake, so // even though channel id and client auth are separate else cases, they can // both be used during a single SSL handshake. if (channel_id_needed_) { GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE); net_error = ERR_IO_PENDING; } else if (client_auth_cert_needed_) { net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEventWithCallback, weak_net_log_, NetLog::TYPE_SSL_HANDSHAKE_ERROR, CreateNetLogSSLErrorCallback(net_error, 0))); // If the handshake already succeeded (because the server requests but // doesn't require a client cert), we need to invalidate the SSL session // so that we won't try to resume the non-client-authenticated session in // the next handshake. This will cause the server to ask for a client // cert again. if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError(); } else if (rv == SECSuccess) { if (!handshake_callback_called_) { false_started_ = true; HandshakeSucceeded(); } } else { PRErrorCode prerr = PR_GetError(); net_error = HandleNSSError(prerr, true); // Some network devices that inspect application-layer packets seem to // inject TCP reset packets to break the connections when they see // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293. // // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or // 1.2. We don't lose much in this fallback because the explicit IV for CBC // mode in TLS 1.1 is approximated by record splitting in TLS 1.0. The // fallback will be more painful for TLS 1.2 when we have GCM support. // // ERR_CONNECTION_RESET is a common network error, so we don't want it // to trigger a version fallback in general, especially the TLS 1.0 -> // SSL 3.0 fallback, which would drop TLS extensions. if (prerr == PR_CONNECT_RESET_ERROR && ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1) { net_error = ERR_SSL_PROTOCOL_ERROR; } // If not done, stay in this state if (net_error == ERR_IO_PENDING) { GotoState(STATE_HANDSHAKE); } else { PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEventWithCallback, weak_net_log_, NetLog::TYPE_SSL_HANDSHAKE_ERROR, CreateNetLogSSLErrorCallback(net_error, prerr))); } } return net_error; } int SSLClientSocketNSS::Core::DoGetDBCertComplete(int result) { SECStatus rv; PostOrRunCallback( FROM_HERE, base::Bind(&BoundNetLog::EndEventWithNetErrorCode, weak_net_log_, NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, result)); channel_id_needed_ = false; if (result != OK) return result; SECKEYPublicKey* public_key; SECKEYPrivateKey* private_key; int error = ImportChannelIDKeys(&public_key, &private_key); if (error != OK) return error; rv = SSL_RestartHandshakeAfterChannelIDReq(nss_fd_, public_key, private_key); if (rv != SECSuccess) return MapNSSError(PORT_GetError()); SetChannelIDProvided(); GotoState(STATE_HANDSHAKE); return OK; } int SSLClientSocketNSS::Core::DoPayloadRead() { DCHECK(OnNSSTaskRunner()); DCHECK(user_read_buf_.get()); DCHECK_GT(user_read_buf_len_, 0); int rv; // If a previous greedy read resulted in an error that was not consumed (eg: // due to the caller having read some data successfully), then return that // pending error now. if (pending_read_result_ != kNoPendingReadResult) { rv = pending_read_result_; PRErrorCode prerr = pending_read_nss_error_; pending_read_result_ = kNoPendingReadResult; pending_read_nss_error_ = 0; if (rv == 0) { PostOrRunCallback( FROM_HERE, base::Bind(&LogByteTransferEvent, weak_net_log_, NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, scoped_refptr(user_read_buf_))); } else { PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEventWithCallback, weak_net_log_, NetLog::TYPE_SSL_READ_ERROR, CreateNetLogSSLErrorCallback(rv, prerr))); } return rv; } // Perform a greedy read, attempting to read as much as the caller has // requested. In the current NSS implementation, PR_Read will return // exactly one SSL application data record's worth of data per invocation. // The record size is dictated by the server, and may be noticeably smaller // than the caller's buffer. This may be as little as a single byte, if the // server is performing 1/n-1 record splitting. // // However, this greedy read may result in renegotiations/re-handshakes // happening or may lead to some data being read, followed by an EOF (such as // a TLS close-notify). If at least some data was read, then that result // should be deferred until the next call to DoPayloadRead(). Otherwise, if no // data was read, it's safe to return the error or EOF immediately. int total_bytes_read = 0; do { rv = PR_Read(nss_fd_, user_read_buf_->data() + total_bytes_read, user_read_buf_len_ - total_bytes_read); if (rv > 0) total_bytes_read += rv; } while (total_bytes_read < user_read_buf_len_ && rv > 0); int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_); PostOrRunCallback(FROM_HERE, base::Bind(&Core::OnNSSBufferUpdated, this, amount_in_read_buffer)); if (total_bytes_read == user_read_buf_len_) { // The caller's entire request was satisfied without error. No further // processing needed. rv = total_bytes_read; } else { // Otherwise, an error occurred (rv <= 0). The error needs to be handled // immediately, while the NSPR/NSS errors are still available in // thread-local storage. However, the handled/remapped error code should // only be returned if no application data was already read; if it was, the // error code should be deferred until the next call of DoPayloadRead. // // If no data was read, |*next_result| will point to the return value of // this function. If at least some data was read, |*next_result| will point // to |pending_read_error_|, to be returned in a future call to // DoPayloadRead() (e.g.: after the current data is handled). int* next_result = &rv; if (total_bytes_read > 0) { pending_read_result_ = rv; rv = total_bytes_read; next_result = &pending_read_result_; } if (client_auth_cert_needed_) { *next_result = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; pending_read_nss_error_ = 0; } else if (*next_result < 0) { // If *next_result == 0, then that indicates EOF, and no special error // handling is needed. pending_read_nss_error_ = PR_GetError(); *next_result = HandleNSSError(pending_read_nss_error_, false); if (rv > 0 && *next_result == ERR_IO_PENDING) { // If at least some data was read from PR_Read(), do not treat // insufficient data as an error to return in the next call to // DoPayloadRead() - instead, let the call fall through to check // PR_Read() again. This is because DoTransportIO() may complete // in between the next call to DoPayloadRead(), and thus it is // important to check PR_Read() on subsequent invocations to see // if a complete record may now be read. pending_read_nss_error_ = 0; pending_read_result_ = kNoPendingReadResult; } } } DCHECK_NE(ERR_IO_PENDING, pending_read_result_); if (rv >= 0) { PostOrRunCallback( FROM_HERE, base::Bind(&LogByteTransferEvent, weak_net_log_, NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, scoped_refptr(user_read_buf_))); } else if (rv != ERR_IO_PENDING) { PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEventWithCallback, weak_net_log_, NetLog::TYPE_SSL_READ_ERROR, CreateNetLogSSLErrorCallback(rv, pending_read_nss_error_))); pending_read_nss_error_ = 0; } return rv; } int SSLClientSocketNSS::Core::DoPayloadWrite() { DCHECK(OnNSSTaskRunner()); DCHECK(user_write_buf_.get()); int old_amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_); int rv = PR_Write(nss_fd_, user_write_buf_->data(), user_write_buf_len_); int new_amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_); // PR_Write could potentially consume the unhandled data in the memio read // buffer if a renegotiation is in progress. If the buffer is consumed, // notify the latest buffer size to NetworkRunner. if (old_amount_in_read_buffer != new_amount_in_read_buffer) { PostOrRunCallback( FROM_HERE, base::Bind(&Core::OnNSSBufferUpdated, this, new_amount_in_read_buffer)); } if (rv >= 0) { PostOrRunCallback( FROM_HERE, base::Bind(&LogByteTransferEvent, weak_net_log_, NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, scoped_refptr(user_write_buf_))); return rv; } PRErrorCode prerr = PR_GetError(); if (prerr == PR_WOULD_BLOCK_ERROR) return ERR_IO_PENDING; rv = HandleNSSError(prerr, false); PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEventWithCallback, weak_net_log_, NetLog::TYPE_SSL_WRITE_ERROR, CreateNetLogSSLErrorCallback(rv, prerr))); return rv; } // Do as much network I/O as possible between the buffer and the // transport socket. Return true if some I/O performed, false // otherwise (error or ERR_IO_PENDING). bool SSLClientSocketNSS::Core::DoTransportIO() { DCHECK(OnNSSTaskRunner()); bool network_moved = false; if (nss_bufs_ != NULL) { int rv; // Read and write as much data as we can. The loop is neccessary // because Write() may return synchronously. do { rv = BufferSend(); if (rv != ERR_IO_PENDING && rv != 0) network_moved = true; } while (rv > 0); if (!transport_recv_eof_ && BufferRecv() != ERR_IO_PENDING) network_moved = true; } return network_moved; } int SSLClientSocketNSS::Core::BufferRecv() { DCHECK(OnNSSTaskRunner()); if (transport_recv_busy_) return ERR_IO_PENDING; // If NSS is blocked on reading from |nss_bufs_|, because it is empty, // determine how much data NSS wants to read. If NSS was not blocked, // this will return 0. int requested = memio_GetReadRequest(nss_bufs_); if (requested == 0) { // This is not a perfect match of error codes, as no operation is // actually pending. However, returning 0 would be interpreted as a // possible sign of EOF, which is also an inappropriate match. return ERR_IO_PENDING; } char* buf; int nb = memio_GetReadParams(nss_bufs_, &buf); int rv; if (!nb) { // buffer too full to read into, so no I/O possible at moment rv = ERR_IO_PENDING; } else { scoped_refptr read_buffer(new IOBuffer(nb)); if (OnNetworkTaskRunner()) { rv = DoBufferRecv(read_buffer.get(), nb); } else { bool posted = network_task_runner_->PostTask( FROM_HERE, base::Bind(IgnoreResult(&Core::DoBufferRecv), this, read_buffer, nb)); rv = posted ? ERR_IO_PENDING : ERR_ABORTED; } if (rv == ERR_IO_PENDING) { transport_recv_busy_ = true; } else { if (rv > 0) { memcpy(buf, read_buffer->data(), rv); } else if (rv == 0) { transport_recv_eof_ = true; } memio_PutReadResult(nss_bufs_, MapErrorToNSS(rv)); } } return rv; } // Return 0 if nss_bufs_ was empty, // > 0 for bytes transferred immediately, // < 0 for error (or the non-error ERR_IO_PENDING). int SSLClientSocketNSS::Core::BufferSend() { DCHECK(OnNSSTaskRunner()); if (transport_send_busy_) return ERR_IO_PENDING; const char* buf1; const char* buf2; unsigned int len1, len2; memio_GetWriteParams(nss_bufs_, &buf1, &len1, &buf2, &len2); const unsigned int len = len1 + len2; int rv = 0; if (len) { scoped_refptr send_buffer(new IOBuffer(len)); memcpy(send_buffer->data(), buf1, len1); memcpy(send_buffer->data() + len1, buf2, len2); if (OnNetworkTaskRunner()) { rv = DoBufferSend(send_buffer.get(), len); } else { bool posted = network_task_runner_->PostTask( FROM_HERE, base::Bind(IgnoreResult(&Core::DoBufferSend), this, send_buffer, len)); rv = posted ? ERR_IO_PENDING : ERR_ABORTED; } if (rv == ERR_IO_PENDING) { transport_send_busy_ = true; } else { memio_PutWriteResult(nss_bufs_, MapErrorToNSS(rv)); } } return rv; } void SSLClientSocketNSS::Core::OnRecvComplete(int result) { DCHECK(OnNSSTaskRunner()); if (next_handshake_state_ == STATE_HANDSHAKE) { OnHandshakeIOComplete(result); return; } // Network layer received some data, check if client requested to read // decrypted data. if (!user_read_buf_.get()) return; int rv = DoReadLoop(result); if (rv != ERR_IO_PENDING) DoReadCallback(rv); } void SSLClientSocketNSS::Core::OnSendComplete(int result) { DCHECK(OnNSSTaskRunner()); if (next_handshake_state_ == STATE_HANDSHAKE) { OnHandshakeIOComplete(result); return; } // OnSendComplete may need to call DoPayloadRead while the renegotiation // handshake is in progress. int rv_read = ERR_IO_PENDING; int rv_write = ERR_IO_PENDING; bool network_moved; do { if (user_read_buf_.get()) rv_read = DoPayloadRead(); if (user_write_buf_.get()) rv_write = DoPayloadWrite(); network_moved = DoTransportIO(); } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING && (user_read_buf_.get() || user_write_buf_.get()) && network_moved); // If the parent SSLClientSocketNSS is deleted during the processing of the // Read callback and OnNSSTaskRunner() == OnNetworkTaskRunner(), then the Core // will be detached (and possibly deleted). Guard against deletion by taking // an extra reference, then check if the Core was detached before invoking the // next callback. scoped_refptr guard(this); if (user_read_buf_.get() && rv_read != ERR_IO_PENDING) DoReadCallback(rv_read); if (OnNetworkTaskRunner() && detached_) return; if (user_write_buf_.get() && rv_write != ERR_IO_PENDING) DoWriteCallback(rv_write); } // As part of Connect(), the SSLClientSocketNSS object performs an SSL // handshake. This requires network IO, which in turn calls // BufferRecvComplete() with a non-zero byte count. This byte count eventually // winds its way through the state machine and ends up being passed to the // callback. For Read() and Write(), that's what we want. But for Connect(), // the caller expects OK (i.e. 0) for success. void SSLClientSocketNSS::Core::DoConnectCallback(int rv) { DCHECK(OnNSSTaskRunner()); DCHECK_NE(rv, ERR_IO_PENDING); DCHECK(!user_connect_callback_.is_null()); base::Closure c = base::Bind( base::ResetAndReturn(&user_connect_callback_), rv > OK ? OK : rv); PostOrRunCallback(FROM_HERE, c); } void SSLClientSocketNSS::Core::DoReadCallback(int rv) { DCHECK(OnNSSTaskRunner()); DCHECK_NE(ERR_IO_PENDING, rv); DCHECK(!user_read_callback_.is_null()); user_read_buf_ = NULL; user_read_buf_len_ = 0; int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_); // This is used to curry the |amount_int_read_buffer| and |user_cb| back to // the network task runner. PostOrRunCallback( FROM_HERE, base::Bind(&Core::OnNSSBufferUpdated, this, amount_in_read_buffer)); PostOrRunCallback( FROM_HERE, base::Bind(&Core::DidNSSRead, this, rv)); PostOrRunCallback( FROM_HERE, base::Bind(base::ResetAndReturn(&user_read_callback_), rv)); } void SSLClientSocketNSS::Core::DoWriteCallback(int rv) { DCHECK(OnNSSTaskRunner()); DCHECK_NE(ERR_IO_PENDING, rv); DCHECK(!user_write_callback_.is_null()); // Since Run may result in Write being called, clear |user_write_callback_| // up front. user_write_buf_ = NULL; user_write_buf_len_ = 0; // Update buffer status because DoWriteLoop called DoTransportIO which may // perform read operations. int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_); // This is used to curry the |amount_int_read_buffer| and |user_cb| back to // the network task runner. PostOrRunCallback( FROM_HERE, base::Bind(&Core::OnNSSBufferUpdated, this, amount_in_read_buffer)); PostOrRunCallback( FROM_HERE, base::Bind(&Core::DidNSSWrite, this, rv)); PostOrRunCallback( FROM_HERE, base::Bind(base::ResetAndReturn(&user_write_callback_), rv)); } SECStatus SSLClientSocketNSS::Core::ClientChannelIDHandler( void* arg, PRFileDesc* socket, SECKEYPublicKey **out_public_key, SECKEYPrivateKey **out_private_key) { Core* core = reinterpret_cast(arg); DCHECK(core->OnNSSTaskRunner()); core->PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEvent, core->weak_net_log_, NetLog::TYPE_SSL_CHANNEL_ID_REQUESTED)); // We have negotiated the TLS channel ID extension. core->channel_id_xtn_negotiated_ = true; std::string host = core->host_and_port_.host(); int error = ERR_UNEXPECTED; if (core->OnNetworkTaskRunner()) { error = core->DoGetDomainBoundCert(host); } else { bool posted = core->network_task_runner_->PostTask( FROM_HERE, base::Bind( IgnoreResult(&Core::DoGetDomainBoundCert), core, host)); error = posted ? ERR_IO_PENDING : ERR_ABORTED; } if (error == ERR_IO_PENDING) { // Asynchronous case. core->channel_id_needed_ = true; return SECWouldBlock; } core->PostOrRunCallback( FROM_HERE, base::Bind(&BoundNetLog::EndEventWithNetErrorCode, core->weak_net_log_, NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, error)); SECStatus rv = SECSuccess; if (error == OK) { // Synchronous success. int result = core->ImportChannelIDKeys(out_public_key, out_private_key); if (result == OK) core->SetChannelIDProvided(); else rv = SECFailure; } else { rv = SECFailure; } return rv; } int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key) { // Set the certificate. SECItem cert_item; cert_item.data = (unsigned char*) domain_bound_cert_.data(); cert_item.len = domain_bound_cert_.size(); ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &cert_item, NULL, PR_FALSE, PR_TRUE)); if (cert == NULL) return MapNSSError(PORT_GetError()); crypto::ScopedPK11Slot slot(PK11_GetInternalSlot()); // Set the private key. if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo( slot.get(), ServerBoundCertService::kEPKIPassword, reinterpret_cast( domain_bound_private_key_.data()), domain_bound_private_key_.size(), &cert->subjectPublicKeyInfo, false, false, key, public_key)) { int error = MapNSSError(PORT_GetError()); return error; } return OK; } void SSLClientSocketNSS::Core::UpdateServerCert() { nss_handshake_state_.server_cert_chain.Reset(nss_fd_); nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain( nss_handshake_state_.server_cert_chain.AsStringPieceVector()); if (nss_handshake_state_.server_cert.get()) { // Since this will be called asynchronously on another thread, it needs to // own a reference to the certificate. NetLog::ParametersCallback net_log_callback = base::Bind(&NetLogX509CertificateCallback, nss_handshake_state_.server_cert); PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEventWithCallback, weak_net_log_, NetLog::TYPE_SSL_CERTIFICATES_RECEIVED, net_log_callback)); } } void SSLClientSocketNSS::Core::UpdateSignedCertTimestamps() { const SECItem* signed_cert_timestamps = SSL_PeerSignedCertTimestamps(nss_fd_); if (!signed_cert_timestamps || !signed_cert_timestamps->len) return; nss_handshake_state_.sct_list_from_tls_extension = std::string( reinterpret_cast(signed_cert_timestamps->data), signed_cert_timestamps->len); } void SSLClientSocketNSS::Core::UpdateStapledOCSPResponse() { PRBool ocsp_requested = PR_FALSE; SSL_OptionGet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, &ocsp_requested); const SECItemArray* ocsp_responses = SSL_PeerStapledOCSPResponses(nss_fd_); bool ocsp_responses_present = ocsp_responses && ocsp_responses->len; if (ocsp_requested) UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_responses_present); if (!ocsp_responses_present) return; nss_handshake_state_.stapled_ocsp_response = std::string( reinterpret_cast(ocsp_responses->items[0].data), ocsp_responses->items[0].len); // TODO(agl): figure out how to plumb an OCSP response into the Mac // system library and update IsOCSPStaplingSupported for Mac. if (IsOCSPStaplingSupported()) { #if defined(OS_WIN) if (nss_handshake_state_.server_cert) { CRYPT_DATA_BLOB ocsp_response_blob; ocsp_response_blob.cbData = ocsp_responses->items[0].len; ocsp_response_blob.pbData = ocsp_responses->items[0].data; BOOL ok = CertSetCertificateContextProperty( nss_handshake_state_.server_cert->os_cert_handle(), CERT_OCSP_RESPONSE_PROP_ID, CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG, &ocsp_response_blob); if (!ok) { VLOG(1) << "Failed to set OCSP response property: " << GetLastError(); } } #elif defined(USE_NSS) CacheOCSPResponseFromSideChannelFunction cache_ocsp_response = GetCacheOCSPResponseFromSideChannelFunction(); cache_ocsp_response( CERT_GetDefaultCertDB(), nss_handshake_state_.server_cert_chain[0], PR_Now(), &ocsp_responses->items[0], NULL); #endif } // IsOCSPStaplingSupported() } void SSLClientSocketNSS::Core::UpdateConnectionStatus() { SSLChannelInfo channel_info; SECStatus ok = SSL_GetChannelInfo(nss_fd_, &channel_info, sizeof(channel_info)); if (ok == SECSuccess && channel_info.length == sizeof(channel_info) && channel_info.cipherSuite) { nss_handshake_state_.ssl_connection_status |= (static_cast(channel_info.cipherSuite) & SSL_CONNECTION_CIPHERSUITE_MASK) << SSL_CONNECTION_CIPHERSUITE_SHIFT; nss_handshake_state_.ssl_connection_status |= (static_cast(channel_info.compressionMethod) & SSL_CONNECTION_COMPRESSION_MASK) << SSL_CONNECTION_COMPRESSION_SHIFT; // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't // support it yet), so use 0x0303 directly. int version = SSL_CONNECTION_VERSION_UNKNOWN; if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) { // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL // version 2. version = SSL_CONNECTION_VERSION_SSL2; } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) { version = SSL_CONNECTION_VERSION_SSL3; } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) { version = SSL_CONNECTION_VERSION_TLS1; } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) { version = SSL_CONNECTION_VERSION_TLS1_1; } else if (channel_info.protocolVersion == 0x0303) { version = SSL_CONNECTION_VERSION_TLS1_2; } nss_handshake_state_.ssl_connection_status |= (version & SSL_CONNECTION_VERSION_MASK) << SSL_CONNECTION_VERSION_SHIFT; } PRBool peer_supports_renego_ext; ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn, &peer_supports_renego_ext); if (ok == SECSuccess) { if (!peer_supports_renego_ext) { nss_handshake_state_.ssl_connection_status |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; // Log an informational message if the server does not support secure // renegotiation (RFC 5746). VLOG(1) << "The server " << host_and_port_.ToString() << " does not support the TLS renegotiation_info extension."; } UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported", peer_supports_renego_ext, 2); // We would like to eliminate fallback to SSLv3 for non-buggy servers // because of security concerns. For example, Google offers forward // secrecy with ECDHE but that requires TLS 1.0. An attacker can block // TLSv1 connections and force us to downgrade to SSLv3 and remove forward // secrecy. // // Yngve from Opera has suggested using the renegotiation extension as an // indicator that SSLv3 fallback was mistaken: // tools.ietf.org/html/draft-pettersen-tls-version-rollback-removal-00 . // // As a first step, measure how often clients perform version fallback // while the server advertises support secure renegotiation. if (ssl_config_.version_fallback && channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) { UMA_HISTOGRAM_BOOLEAN("Net.SSLv3FallbackToRenegoPatchedServer", peer_supports_renego_ext == PR_TRUE); } } if (ssl_config_.version_fallback) { nss_handshake_state_.ssl_connection_status |= SSL_CONNECTION_VERSION_FALLBACK; } } void SSLClientSocketNSS::Core::UpdateNextProto() { uint8 buf[256]; SSLNextProtoState state; unsigned buf_len; SECStatus rv = SSL_GetNextProto(nss_fd_, &state, buf, &buf_len, sizeof(buf)); if (rv != SECSuccess) return; nss_handshake_state_.next_proto = std::string(reinterpret_cast(buf), buf_len); switch (state) { case SSL_NEXT_PROTO_NEGOTIATED: case SSL_NEXT_PROTO_SELECTED: nss_handshake_state_.next_proto_status = kNextProtoNegotiated; break; case SSL_NEXT_PROTO_NO_OVERLAP: nss_handshake_state_.next_proto_status = kNextProtoNoOverlap; break; case SSL_NEXT_PROTO_NO_SUPPORT: nss_handshake_state_.next_proto_status = kNextProtoUnsupported; break; default: NOTREACHED(); break; } } void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() { DCHECK(OnNSSTaskRunner()); if (nss_handshake_state_.resumed_handshake) return; // Copy the NSS task runner-only state to the network task runner and // log histograms from there, since the histograms also need access to the // network task runner state. PostOrRunCallback( FROM_HERE, base::Bind(&Core::RecordChannelIDSupportOnNetworkTaskRunner, this, channel_id_xtn_negotiated_, ssl_config_.channel_id_enabled, crypto::ECPrivateKey::IsSupported())); } void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNetworkTaskRunner( bool negotiated_channel_id, bool channel_id_enabled, bool supports_ecc) const { DCHECK(OnNetworkTaskRunner()); RecordChannelIDSupport(server_bound_cert_service_, negotiated_channel_id, channel_id_enabled, supports_ecc); } int SSLClientSocketNSS::Core::DoBufferRecv(IOBuffer* read_buffer, int len) { DCHECK(OnNetworkTaskRunner()); DCHECK_GT(len, 0); if (detached_) return ERR_ABORTED; int rv = transport_->socket()->Read( read_buffer, len, base::Bind(&Core::BufferRecvComplete, base::Unretained(this), scoped_refptr(read_buffer))); if (!OnNSSTaskRunner() && rv != ERR_IO_PENDING) { nss_task_runner_->PostTask( FROM_HERE, base::Bind(&Core::BufferRecvComplete, this, scoped_refptr(read_buffer), rv)); return rv; } return rv; } int SSLClientSocketNSS::Core::DoBufferSend(IOBuffer* send_buffer, int len) { DCHECK(OnNetworkTaskRunner()); DCHECK_GT(len, 0); if (detached_) return ERR_ABORTED; int rv = transport_->socket()->Write( send_buffer, len, base::Bind(&Core::BufferSendComplete, base::Unretained(this))); if (!OnNSSTaskRunner() && rv != ERR_IO_PENDING) { nss_task_runner_->PostTask( FROM_HERE, base::Bind(&Core::BufferSendComplete, this, rv)); return rv; } return rv; } int SSLClientSocketNSS::Core::DoGetDomainBoundCert(const std::string& host) { DCHECK(OnNetworkTaskRunner()); if (detached_) return ERR_FAILED; weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT); int rv = server_bound_cert_service_->GetOrCreateDomainBoundCert( host, &domain_bound_private_key_, &domain_bound_cert_, base::Bind(&Core::OnGetDomainBoundCertComplete, base::Unretained(this)), &domain_bound_cert_request_handle_); if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) { nss_task_runner_->PostTask( FROM_HERE, base::Bind(&Core::OnHandshakeIOComplete, this, rv)); return ERR_IO_PENDING; } return rv; } void SSLClientSocketNSS::Core::OnHandshakeStateUpdated( const HandshakeState& state) { DCHECK(OnNetworkTaskRunner()); network_handshake_state_ = state; } void SSLClientSocketNSS::Core::OnNSSBufferUpdated(int amount_in_read_buffer) { DCHECK(OnNetworkTaskRunner()); unhandled_buffer_size_ = amount_in_read_buffer; } void SSLClientSocketNSS::Core::DidNSSRead(int result) { DCHECK(OnNetworkTaskRunner()); DCHECK(nss_waiting_read_); nss_waiting_read_ = false; if (result <= 0) { nss_is_closed_ = true; } else { was_ever_used_ = true; } } void SSLClientSocketNSS::Core::DidNSSWrite(int result) { DCHECK(OnNetworkTaskRunner()); DCHECK(nss_waiting_write_); nss_waiting_write_ = false; if (result < 0) { nss_is_closed_ = true; } else if (result > 0) { was_ever_used_ = true; } } void SSLClientSocketNSS::Core::BufferSendComplete(int result) { if (!OnNSSTaskRunner()) { if (detached_) return; nss_task_runner_->PostTask( FROM_HERE, base::Bind(&Core::BufferSendComplete, this, result)); return; } DCHECK(OnNSSTaskRunner()); memio_PutWriteResult(nss_bufs_, MapErrorToNSS(result)); transport_send_busy_ = false; OnSendComplete(result); } void SSLClientSocketNSS::Core::OnHandshakeIOComplete(int result) { if (!OnNSSTaskRunner()) { if (detached_) return; nss_task_runner_->PostTask( FROM_HERE, base::Bind(&Core::OnHandshakeIOComplete, this, result)); return; } DCHECK(OnNSSTaskRunner()); int rv = DoHandshakeLoop(result); if (rv != ERR_IO_PENDING) DoConnectCallback(rv); } void SSLClientSocketNSS::Core::OnGetDomainBoundCertComplete(int result) { DVLOG(1) << __FUNCTION__ << " " << result; DCHECK(OnNetworkTaskRunner()); OnHandshakeIOComplete(result); } void SSLClientSocketNSS::Core::BufferRecvComplete( IOBuffer* read_buffer, int result) { DCHECK(read_buffer); if (!OnNSSTaskRunner()) { if (detached_) return; nss_task_runner_->PostTask( FROM_HERE, base::Bind(&Core::BufferRecvComplete, this, scoped_refptr(read_buffer), result)); return; } DCHECK(OnNSSTaskRunner()); if (result > 0) { char* buf; int nb = memio_GetReadParams(nss_bufs_, &buf); CHECK_GE(nb, result); memcpy(buf, read_buffer->data(), result); } else if (result == 0) { transport_recv_eof_ = true; } memio_PutReadResult(nss_bufs_, MapErrorToNSS(result)); transport_recv_busy_ = false; OnRecvComplete(result); } void SSLClientSocketNSS::Core::PostOrRunCallback( const tracked_objects::Location& location, const base::Closure& task) { if (!OnNetworkTaskRunner()) { network_task_runner_->PostTask( FROM_HERE, base::Bind(&Core::PostOrRunCallback, this, location, task)); return; } if (detached_ || task.is_null()) return; task.Run(); } void SSLClientSocketNSS::Core::AddCertProvidedEvent(int cert_count) { PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEventWithCallback, weak_net_log_, NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED, NetLog::IntegerCallback("cert_count", cert_count))); } void SSLClientSocketNSS::Core::SetChannelIDProvided() { PostOrRunCallback( FROM_HERE, base::Bind(&AddLogEvent, weak_net_log_, NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED)); nss_handshake_state_.channel_id_sent = true; // Update the network task runner's view of the handshake state now that // channel id has been sent. PostOrRunCallback( FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this, nss_handshake_state_)); } SSLClientSocketNSS::SSLClientSocketNSS( base::SequencedTaskRunner* nss_task_runner, scoped_ptr transport_socket, const HostPortPair& host_and_port, const SSLConfig& ssl_config, const SSLClientSocketContext& context) : nss_task_runner_(nss_task_runner), transport_(transport_socket.Pass()), host_and_port_(host_and_port), ssl_config_(ssl_config), cert_verifier_(context.cert_verifier), cert_transparency_verifier_(context.cert_transparency_verifier), server_bound_cert_service_(context.server_bound_cert_service), ssl_session_cache_shard_(context.ssl_session_cache_shard), completed_handshake_(false), next_handshake_state_(STATE_NONE), nss_fd_(NULL), net_log_(transport_->socket()->NetLog()), transport_security_state_(context.transport_security_state), valid_thread_id_(base::kInvalidThreadId) { EnterFunction(""); InitCore(); LeaveFunction(""); } SSLClientSocketNSS::~SSLClientSocketNSS() { EnterFunction(""); Disconnect(); LeaveFunction(""); } // static void SSLClientSocket::ClearSessionCache() { // SSL_ClearSessionCache can't be called before NSS is initialized. Don't // bother initializing NSS just to clear an empty SSL session cache. if (!NSS_IsInitialized()) return; SSL_ClearSessionCache(); } bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) { EnterFunction(""); ssl_info->Reset(); if (core_->state().server_cert_chain.empty() || !core_->state().server_cert_chain[0]) { return false; } ssl_info->cert_status = server_cert_verify_result_.cert_status; ssl_info->cert = server_cert_verify_result_.verified_cert; AddSCTInfoToSSLInfo(ssl_info); ssl_info->connection_status = core_->state().ssl_connection_status; ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes; ssl_info->is_issued_by_known_root = server_cert_verify_result_.is_issued_by_known_root; ssl_info->client_cert_sent = ssl_config_.send_client_cert && ssl_config_.client_cert.get(); ssl_info->channel_id_sent = WasChannelIDSent(); ssl_info->pinning_failure_log = pinning_failure_log_; PRUint16 cipher_suite = SSLConnectionStatusToCipherSuite( core_->state().ssl_connection_status); SSLCipherSuiteInfo cipher_info; SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite, &cipher_info, sizeof(cipher_info)); if (ok == SECSuccess) { ssl_info->security_bits = cipher_info.effectiveKeyBits; } else { ssl_info->security_bits = -1; LOG(DFATAL) << "SSL_GetCipherSuiteInfo returned " << PR_GetError() << " for cipherSuite " << cipher_suite; } ssl_info->handshake_type = core_->state().resumed_handshake ? SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL; LeaveFunction(""); return true; } void SSLClientSocketNSS::GetSSLCertRequestInfo( SSLCertRequestInfo* cert_request_info) { EnterFunction(""); cert_request_info->host_and_port = host_and_port_; cert_request_info->cert_authorities = core_->state().cert_authorities; LeaveFunction(""); } int SSLClientSocketNSS::ExportKeyingMaterial(const base::StringPiece& label, bool has_context, const base::StringPiece& context, unsigned char* out, unsigned int outlen) { if (!IsConnected()) return ERR_SOCKET_NOT_CONNECTED; // SSL_ExportKeyingMaterial may block the current thread if |core_| is in // the midst of a handshake. SECStatus result = SSL_ExportKeyingMaterial( nss_fd_, label.data(), label.size(), has_context, reinterpret_cast(context.data()), context.length(), out, outlen); if (result != SECSuccess) { LogFailedNSSFunction(net_log_, "SSL_ExportKeyingMaterial", ""); return MapNSSError(PORT_GetError()); } return OK; } int SSLClientSocketNSS::GetTLSUniqueChannelBinding(std::string* out) { if (!IsConnected()) return ERR_SOCKET_NOT_CONNECTED; unsigned char buf[64]; unsigned int len; SECStatus result = SSL_GetChannelBinding(nss_fd_, SSL_CHANNEL_BINDING_TLS_UNIQUE, buf, &len, arraysize(buf)); if (result != SECSuccess) { LogFailedNSSFunction(net_log_, "SSL_GetChannelBinding", ""); return MapNSSError(PORT_GetError()); } out->assign(reinterpret_cast(buf), len); return OK; } SSLClientSocket::NextProtoStatus SSLClientSocketNSS::GetNextProto(std::string* proto, std::string* server_protos) { *proto = core_->state().next_proto; *server_protos = core_->state().server_protos; return core_->state().next_proto_status; } int SSLClientSocketNSS::Connect(const CompletionCallback& callback) { EnterFunction(""); DCHECK(transport_.get()); // It is an error to create an SSLClientSocket whose context has no // TransportSecurityState. DCHECK(transport_security_state_); DCHECK_EQ(STATE_NONE, next_handshake_state_); DCHECK(user_connect_callback_.is_null()); DCHECK(!callback.is_null()); EnsureThreadIdAssigned(); net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT); int rv = Init(); if (rv != OK) { net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); return rv; } rv = InitializeSSLOptions(); if (rv != OK) { net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); return rv; } rv = InitializeSSLPeerName(); if (rv != OK) { net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); return rv; } GotoState(STATE_HANDSHAKE); rv = DoHandshakeLoop(OK); if (rv == ERR_IO_PENDING) { user_connect_callback_ = callback; } else { net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); } LeaveFunction(""); return rv > OK ? OK : rv; } void SSLClientSocketNSS::Disconnect() { EnterFunction(""); CHECK(CalledOnValidThread()); // Shut down anything that may call us back. core_->Detach(); verifier_.reset(); transport_->socket()->Disconnect(); // Reset object state. user_connect_callback_.Reset(); server_cert_verify_result_.Reset(); completed_handshake_ = false; start_cert_verification_time_ = base::TimeTicks(); InitCore(); LeaveFunction(""); } bool SSLClientSocketNSS::IsConnected() const { EnterFunction(""); bool ret = completed_handshake_ && (core_->HasPendingAsyncOperation() || (core_->IsConnected() && core_->HasUnhandledReceivedData()) || transport_->socket()->IsConnected()); LeaveFunction(""); return ret; } bool SSLClientSocketNSS::IsConnectedAndIdle() const { EnterFunction(""); bool ret = completed_handshake_ && !core_->HasPendingAsyncOperation() && !(core_->IsConnected() && core_->HasUnhandledReceivedData()) && transport_->socket()->IsConnectedAndIdle(); LeaveFunction(""); return ret; } int SSLClientSocketNSS::GetPeerAddress(IPEndPoint* address) const { return transport_->socket()->GetPeerAddress(address); } int SSLClientSocketNSS::GetLocalAddress(IPEndPoint* address) const { return transport_->socket()->GetLocalAddress(address); } const BoundNetLog& SSLClientSocketNSS::NetLog() const { return net_log_; } void SSLClientSocketNSS::SetSubresourceSpeculation() { if (transport_.get() && transport_->socket()) { transport_->socket()->SetSubresourceSpeculation(); } else { NOTREACHED(); } } void SSLClientSocketNSS::SetOmniboxSpeculation() { if (transport_.get() && transport_->socket()) { transport_->socket()->SetOmniboxSpeculation(); } else { NOTREACHED(); } } bool SSLClientSocketNSS::WasEverUsed() const { DCHECK(core_.get()); return core_->WasEverUsed(); } bool SSLClientSocketNSS::UsingTCPFastOpen() const { if (transport_.get() && transport_->socket()) { return transport_->socket()->UsingTCPFastOpen(); } NOTREACHED(); return false; } int SSLClientSocketNSS::Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback) { DCHECK(core_.get()); DCHECK(!callback.is_null()); EnterFunction(buf_len); int rv = core_->Read(buf, buf_len, callback); LeaveFunction(rv); return rv; } int SSLClientSocketNSS::Write(IOBuffer* buf, int buf_len, const CompletionCallback& callback) { DCHECK(core_.get()); DCHECK(!callback.is_null()); EnterFunction(buf_len); int rv = core_->Write(buf, buf_len, callback); LeaveFunction(rv); return rv; } int SSLClientSocketNSS::SetReceiveBufferSize(int32 size) { return transport_->socket()->SetReceiveBufferSize(size); } int SSLClientSocketNSS::SetSendBufferSize(int32 size) { return transport_->socket()->SetSendBufferSize(size); } int SSLClientSocketNSS::Init() { EnterFunction(""); // Initialize the NSS SSL library in a threadsafe way. This also // initializes the NSS base library. EnsureNSSSSLInit(); if (!NSS_IsInitialized()) return ERR_UNEXPECTED; #if defined(USE_NSS) || defined(OS_IOS) if (ssl_config_.cert_io_enabled) { // We must call EnsureNSSHttpIOInit() here, on the IO thread, to get the IO // loop by MessageLoopForIO::current(). // X509Certificate::Verify() runs on a worker thread of CertVerifier. EnsureNSSHttpIOInit(); } #endif LeaveFunction(""); return OK; } void SSLClientSocketNSS::InitCore() { core_ = new Core(base::ThreadTaskRunnerHandle::Get().get(), nss_task_runner_.get(), transport_.get(), host_and_port_, ssl_config_, &net_log_, server_bound_cert_service_); } int SSLClientSocketNSS::InitializeSSLOptions() { // Transport connected, now hook it up to nss nss_fd_ = memio_CreateIOLayer(kRecvBufferSize, kSendBufferSize); if (nss_fd_ == NULL) { return ERR_OUT_OF_MEMORY; // TODO(port): map NSPR error code. } // Grab pointer to buffers memio_Private* nss_bufs = memio_GetSecret(nss_fd_); /* Create SSL state machine */ /* Push SSL onto our fake I/O socket */ if (SSL_ImportFD(GetNSSModelSocket(), nss_fd_) == NULL) { LogFailedNSSFunction(net_log_, "SSL_ImportFD", ""); PR_Close(nss_fd_); nss_fd_ = NULL; return ERR_OUT_OF_MEMORY; // TODO(port): map NSPR/NSS error code. } // TODO(port): set more ssl options! Check errors! int rv; rv = SSL_OptionSet(nss_fd_, SSL_SECURITY, PR_TRUE); if (rv != SECSuccess) { LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_SECURITY"); return ERR_UNEXPECTED; } rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SSL2, PR_FALSE); if (rv != SECSuccess) { LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL2"); return ERR_UNEXPECTED; } // Don't do V2 compatible hellos because they don't support TLS extensions. rv = SSL_OptionSet(nss_fd_, SSL_V2_COMPATIBLE_HELLO, PR_FALSE); if (rv != SECSuccess) { LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_V2_COMPATIBLE_HELLO"); return ERR_UNEXPECTED; } SSLVersionRange version_range; version_range.min = ssl_config_.version_min; version_range.max = ssl_config_.version_max; rv = SSL_VersionRangeSet(nss_fd_, &version_range); if (rv != SECSuccess) { LogFailedNSSFunction(net_log_, "SSL_VersionRangeSet", ""); return ERR_NO_SSL_VERSIONS_ENABLED; } if (ssl_config_.version_fallback) { rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE); if (rv != SECSuccess) { LogFailedNSSFunction( net_log_, "SSL_OptionSet", "SSL_ENABLE_FALLBACK_SCSV"); } } for (std::vector::const_iterator it = ssl_config_.disabled_cipher_suites.begin(); it != ssl_config_.disabled_cipher_suites.end(); ++it) { // This will fail if the specified cipher is not implemented by NSS, but // the failure is harmless. SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE); } // Support RFC 5077 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE); if (rv != SECSuccess) { LogFailedNSSFunction( net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS"); } rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, ssl_config_.false_start_enabled); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START"); // We allow servers to request renegotiation. Since we're a client, // prohibiting this is rather a waste of time. Only servers are in a // position to prevent renegotiation attacks. // http://extendedsubset.com/?p=8 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_TRANSITIONAL); if (rv != SECSuccess) { LogFailedNSSFunction( net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION"); } rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV"); // Added in NSS 3.15 #ifdef SSL_ENABLE_OCSP_STAPLING // Request OCSP stapling even on platforms that don't support it, in // order to extract Certificate Transparency information. rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, (IsOCSPStaplingSupported() || ssl_config_.signed_cert_timestamps_enabled)); if (rv != SECSuccess) { LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OCSP_STAPLING"); } #endif rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, ssl_config_.signed_cert_timestamps_enabled); if (rv != SECSuccess) { LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS"); } rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); if (rv != SECSuccess) { LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT"); return ERR_UNEXPECTED; } if (!core_->Init(nss_fd_, nss_bufs)) return ERR_UNEXPECTED; // Tell SSL the hostname we're trying to connect to. SSL_SetURL(nss_fd_, host_and_port_.host().c_str()); // Tell SSL we're a client; needed if not letting NSPR do socket I/O SSL_ResetHandshake(nss_fd_, PR_FALSE); return OK; } int SSLClientSocketNSS::InitializeSSLPeerName() { // Tell NSS who we're connected to IPEndPoint peer_address; int err = transport_->socket()->GetPeerAddress(&peer_address); if (err != OK) return err; SockaddrStorage storage; if (!peer_address.ToSockAddr(storage.addr, &storage.addr_len)) return ERR_ADDRESS_INVALID; PRNetAddr peername; memset(&peername, 0, sizeof(peername)); DCHECK_LE(static_cast(storage.addr_len), sizeof(peername)); size_t len = std::min(static_cast(storage.addr_len), sizeof(peername)); memcpy(&peername, storage.addr, len); // Adjust the address family field for BSD, whose sockaddr // structure has a one-byte length and one-byte address family // field at the beginning. PRNetAddr has a two-byte address // family field at the beginning. peername.raw.family = storage.addr->sa_family; memio_SetPeerName(nss_fd_, &peername); // Set the peer ID for session reuse. This is necessary when we create an // SSL tunnel through a proxy -- GetPeerName returns the proxy's address // rather than the destination server's address in that case. std::string peer_id = host_and_port_.ToString(); // If the ssl_session_cache_shard_ is non-empty, we append it to the peer id. // This will cause session cache misses between sockets with different values // of ssl_session_cache_shard_ and this is used to partition the session cache // for incognito mode. if (!ssl_session_cache_shard_.empty()) { peer_id += "/" + ssl_session_cache_shard_; } SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast(peer_id.c_str())); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str()); return OK; } void SSLClientSocketNSS::DoConnectCallback(int rv) { EnterFunction(rv); DCHECK_NE(ERR_IO_PENDING, rv); DCHECK(!user_connect_callback_.is_null()); base::ResetAndReturn(&user_connect_callback_).Run(rv > OK ? OK : rv); LeaveFunction(""); } void SSLClientSocketNSS::OnHandshakeIOComplete(int result) { EnterFunction(result); int rv = DoHandshakeLoop(result); if (rv != ERR_IO_PENDING) { net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv); DoConnectCallback(rv); } LeaveFunction(""); } int SSLClientSocketNSS::DoHandshakeLoop(int last_io_result) { EnterFunction(last_io_result); int rv = last_io_result; do { // Default to STATE_NONE for next state. // (This is a quirk carried over from the windows // implementation. It makes reading the logs a bit harder.) // State handlers can and often do call GotoState just // to stay in the current state. State state = next_handshake_state_; GotoState(STATE_NONE); switch (state) { case STATE_HANDSHAKE: rv = DoHandshake(); break; case STATE_HANDSHAKE_COMPLETE: rv = DoHandshakeComplete(rv); break; case STATE_VERIFY_CERT: DCHECK(rv == OK); rv = DoVerifyCert(rv); break; case STATE_VERIFY_CERT_COMPLETE: rv = DoVerifyCertComplete(rv); break; case STATE_NONE: default: rv = ERR_UNEXPECTED; LOG(DFATAL) << "unexpected state " << state; break; } } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE); LeaveFunction(""); return rv; } int SSLClientSocketNSS::DoHandshake() { EnterFunction(""); int rv = core_->Connect( base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, base::Unretained(this))); GotoState(STATE_HANDSHAKE_COMPLETE); LeaveFunction(rv); return rv; } int SSLClientSocketNSS::DoHandshakeComplete(int result) { EnterFunction(result); if (result == OK) { // SSL handshake is completed. Let's verify the certificate. GotoState(STATE_VERIFY_CERT); // Done! } set_channel_id_sent(core_->state().channel_id_sent); set_signed_cert_timestamps_received( !core_->state().sct_list_from_tls_extension.empty()); set_stapled_ocsp_response_received( !core_->state().stapled_ocsp_response.empty()); LeaveFunction(result); return result; } int SSLClientSocketNSS::DoVerifyCert(int result) { DCHECK(!core_->state().server_cert_chain.empty()); DCHECK(core_->state().server_cert_chain[0]); GotoState(STATE_VERIFY_CERT_COMPLETE); // If the certificate is expected to be bad we can use the expectation as // the cert status. base::StringPiece der_cert( reinterpret_cast( core_->state().server_cert_chain[0]->derCert.data), core_->state().server_cert_chain[0]->derCert.len); CertStatus cert_status; if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { DCHECK(start_cert_verification_time_.is_null()); VLOG(1) << "Received an expected bad cert with status: " << cert_status; server_cert_verify_result_.Reset(); server_cert_verify_result_.cert_status = cert_status; server_cert_verify_result_.verified_cert = core_->state().server_cert; return OK; } // We may have failed to create X509Certificate object if we are // running inside sandbox. if (!core_->state().server_cert.get()) { server_cert_verify_result_.Reset(); server_cert_verify_result_.cert_status = CERT_STATUS_INVALID; return ERR_CERT_INVALID; } start_cert_verification_time_ = base::TimeTicks::Now(); int flags = 0; if (ssl_config_.rev_checking_enabled) flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED; if (ssl_config_.verify_ev_cert) flags |= CertVerifier::VERIFY_EV_CERT; if (ssl_config_.cert_io_enabled) flags |= CertVerifier::VERIFY_CERT_IO_ENABLED; if (ssl_config_.rev_checking_required_local_anchors) flags |= CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS; verifier_.reset(new SingleRequestCertVerifier(cert_verifier_)); return verifier_->Verify( core_->state().server_cert.get(), host_and_port_.host(), flags, SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_, base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete, base::Unretained(this)), net_log_); } // Derived from AuthCertificateCallback() in // mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp. int SSLClientSocketNSS::DoVerifyCertComplete(int result) { verifier_.reset(); if (!start_cert_verification_time_.is_null()) { base::TimeDelta verify_time = base::TimeTicks::Now() - start_cert_verification_time_; if (result == OK) UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time); else UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time); } // We used to remember the intermediate CA certs in the NSS database // persistently. However, NSS opens a connection to the SQLite database // during NSS initialization and doesn't close the connection until NSS // shuts down. If the file system where the database resides is gone, // the database connection goes bad. What's worse, the connection won't // recover when the file system comes back. Until this NSS or SQLite bug // is fixed, we need to avoid using the NSS database for non-essential // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and // http://crbug.com/15630 for more info. // TODO(hclam): Skip logging if server cert was expected to be bad because // |server_cert_verify_result_| doesn't contain all the information about // the cert. if (result == OK) LogConnectionTypeMetrics(); #if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS) // Take care of any mandates for public key pinning. // // Pinning is only enabled for official builds to make sure that others don't // end up with pins that cannot be easily updated. // // TODO(agl): We might have an issue here where a request for foo.example.com // merges into a SPDY connection to www.example.com, and gets a different // certificate. // Perform pin validation if, and only if, all these conditions obtain: // // * a TransportSecurityState object is available; // * the server's certificate chain is valid (or suffers from only a minor // error); // * the server's certificate chain chains up to a known root (i.e. not a // user-installed trust anchor); and // * the build is recent (very old builds should fail open so that users // have some chance to recover). // const CertStatus cert_status = server_cert_verify_result_.cert_status; if (transport_security_state_ && (result == OK || (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && server_cert_verify_result_.is_issued_by_known_root && TransportSecurityState::IsBuildTimely()) { bool sni_available = ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 || ssl_config_.version_fallback; const std::string& host = host_and_port_.host(); if (transport_security_state_->HasPublicKeyPins(host, sni_available)) { if (!transport_security_state_->CheckPublicKeyPins( host, sni_available, server_cert_verify_result_.public_key_hashes, &pinning_failure_log_)) { LOG(ERROR) << pinning_failure_log_; result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false); TransportSecurityState::ReportUMAOnPinFailure(host); } else { UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true); } } } #endif if (result == OK) { // Only check Certificate Transparency if there were no other errors with // the connection. VerifyCT(); // Only cache the session if the certificate verified successfully. core_->CacheSessionIfNecessary(); } completed_handshake_ = true; // Exit DoHandshakeLoop and return the result to the caller to Connect. DCHECK_EQ(STATE_NONE, next_handshake_state_); return result; } void SSLClientSocketNSS::VerifyCT() { if (!cert_transparency_verifier_) return; // Note that this is a completely synchronous operation: The CT Log Verifier // gets all the data it needs for SCT verification and does not do any // external communication. int result = cert_transparency_verifier_->Verify( server_cert_verify_result_.verified_cert, core_->state().stapled_ocsp_response, core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_); // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension // from the state after verification is complete, to conserve memory. VLOG(1) << "CT Verification complete: result " << result << " Invalid scts: " << ct_verify_result_.invalid_scts.size() << " Verified scts: " << ct_verify_result_.verified_scts.size() << " scts from unknown logs: " << ct_verify_result_.unknown_logs_scts.size(); } void SSLClientSocketNSS::LogConnectionTypeMetrics() const { UpdateConnectionTypeHistograms(CONNECTION_SSL); int ssl_version = SSLConnectionStatusToVersion( core_->state().ssl_connection_status); switch (ssl_version) { case SSL_CONNECTION_VERSION_SSL2: UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2); break; case SSL_CONNECTION_VERSION_SSL3: UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3); break; case SSL_CONNECTION_VERSION_TLS1: UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1); break; case SSL_CONNECTION_VERSION_TLS1_1: UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1); break; case SSL_CONNECTION_VERSION_TLS1_2: UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2); break; }; } void SSLClientSocketNSS::EnsureThreadIdAssigned() const { base::AutoLock auto_lock(lock_); if (valid_thread_id_ != base::kInvalidThreadId) return; valid_thread_id_ = base::PlatformThread::CurrentId(); } bool SSLClientSocketNSS::CalledOnValidThread() const { EnsureThreadIdAssigned(); base::AutoLock auto_lock(lock_); return valid_thread_id_ == base::PlatformThread::CurrentId(); } void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const { for (ct::SCTList::const_iterator iter = ct_verify_result_.verified_scts.begin(); iter != ct_verify_result_.verified_scts.end(); ++iter) { ssl_info->signed_certificate_timestamps.push_back( SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_OK)); } for (ct::SCTList::const_iterator iter = ct_verify_result_.invalid_scts.begin(); iter != ct_verify_result_.invalid_scts.end(); ++iter) { ssl_info->signed_certificate_timestamps.push_back( SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_INVALID)); } for (ct::SCTList::const_iterator iter = ct_verify_result_.unknown_logs_scts.begin(); iter != ct_verify_result_.unknown_logs_scts.end(); ++iter) { ssl_info->signed_certificate_timestamps.push_back( SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_LOG_UNKNOWN)); } } scoped_refptr SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { return core_->state().server_cert.get(); } ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const { return server_bound_cert_service_; } } // namespace net