nsNSSIOLayer.h (5938B)
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- 2 * 3 * This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #ifndef nsNSSIOLayer_h 8 #define nsNSSIOLayer_h 9 10 #include "mozilla/Assertions.h" 11 #include "mozilla/StaticPtr.h" 12 #include "mozilla/TimeStamp.h" 13 #include "nsCOMPtr.h" 14 #include "nsIObserver.h" 15 #include "nsIProxyInfo.h" 16 #include "nsITLSSocketControl.h" 17 #include "nsITlsHandshakeListener.h" 18 #include "nsNSSCertificate.h" 19 #include "nsTHashMap.h" 20 #include "nsTHashtable.h" 21 #include "sslt.h" 22 23 namespace mozilla { 24 class OriginAttributes; 25 } // namespace mozilla 26 27 using mozilla::OriginAttributes; 28 29 // Order matters for UpdateEchExtensioNStatus. 30 enum class EchExtensionStatus { 31 kNotPresent, // No ECH Extension was sent 32 kGREASE, // A GREASE ECH Extension was sent 33 kReal // A 'real' ECH Extension was sent 34 }; 35 36 enum class PublicOrPrivate { Public, Private }; 37 38 class nsSSLIOLayerHelpers : public nsIObserver { 39 public: 40 NS_DECL_THREADSAFE_ISUPPORTS 41 NS_DECL_NSIOBSERVER 42 43 explicit nsSSLIOLayerHelpers(PublicOrPrivate aPublicOrPrivate, 44 uint32_t aTlsFlags = 0); 45 46 static void GlobalInit(); 47 static void GlobalCleanup(); 48 49 nsresult Init(); 50 51 static bool nsSSLIOLayerInitialized; 52 static PRDescIdentity nsSSLIOLayerIdentity; 53 static PRDescIdentity nsSSLPlaintextLayerIdentity; 54 static PRIOMethods nsSSLIOLayerMethods; 55 static PRIOMethods nsSSLPlaintextLayerMethods; 56 57 protected: 58 virtual ~nsSSLIOLayerHelpers(); 59 60 private: 61 struct IntoleranceEntry { 62 uint16_t tolerant; 63 uint16_t intolerant; 64 PRErrorCode intoleranceReason; 65 66 void AssertInvariant() const { 67 MOZ_ASSERT(intolerant == 0 || tolerant < intolerant); 68 } 69 }; 70 nsTHashMap<nsCStringHashKey, IntoleranceEntry> mTLSIntoleranceInfo; 71 // Sites that require insecure fallback to TLS 1.0, set by the pref 72 // security.tls.insecure_fallback_hosts, which is a comma-delimited 73 // list of domain names. 74 nsTHashtable<nsCStringHashKey> mInsecureFallbackSites; 75 76 public: 77 void rememberTolerantAtVersion(const nsACString& hostname, uint16_t port, 78 uint16_t tolerant); 79 bool fallbackLimitReached(const nsACString& hostname, uint16_t intolerant); 80 bool rememberIntolerantAtVersion(const nsACString& hostname, uint16_t port, 81 uint16_t intolerant, uint16_t minVersion, 82 PRErrorCode intoleranceReason); 83 void forgetIntolerance(const nsACString& hostname, uint16_t port); 84 void adjustForTLSIntolerance(const nsACString& hostname, uint16_t port, 85 /*in/out*/ SSLVersionRange& range); 86 PRErrorCode getIntoleranceReason(const nsACString& hostname, uint16_t port); 87 88 void clearStoredData(); 89 void loadVersionFallbackLimit(); 90 void setInsecureFallbackSites(const nsCString& str); 91 void initInsecureFallbackSites(); 92 bool isPublic() const; 93 void removeInsecureFallbackSite(const nsACString& hostname, uint16_t port); 94 bool isInsecureFallbackSite(const nsACString& hostname); 95 96 uint16_t mVersionFallbackLimit; 97 98 private: 99 const PublicOrPrivate mPublicOrPrivate; 100 101 mozilla::Mutex mutex MOZ_UNANNOTATED; 102 uint32_t mTlsFlags; 103 }; 104 105 namespace { 106 static mozilla::StaticRefPtr<nsSSLIOLayerHelpers> gPublicSSLIOLayerHelpers; 107 static mozilla::StaticRefPtr<nsSSLIOLayerHelpers> gPrivateSSLIOLayerHelpers; 108 } // namespace 109 110 already_AddRefed<nsSSLIOLayerHelpers> PublicSSLIOLayerHelpers(); 111 already_AddRefed<nsSSLIOLayerHelpers> PrivateSSLIOLayerHelpers(); 112 113 nsresult nsSSLIOLayerNewSocket(int32_t family, const char* host, int32_t port, 114 nsIProxyInfo* proxy, 115 const OriginAttributes& originAttributes, 116 PRFileDesc** fd, 117 nsITLSSocketControl** tlsSocketControl, 118 bool forSTARTTLS, uint32_t flags, 119 uint32_t tlsFlags); 120 121 nsresult nsSSLIOLayerAddToSocket(int32_t family, const char* host, int32_t port, 122 nsIProxyInfo* proxy, 123 const OriginAttributes& originAttributes, 124 PRFileDesc* fd, 125 nsITLSSocketControl** tlsSocketControl, 126 bool forSTARTTLS, uint32_t flags, 127 uint32_t tlsFlags); 128 129 SECStatus abridgedCertificatePass1Decode(const SECItem* input, 130 unsigned char* output, 131 size_t outputLen, size_t* usedLen); 132 SECStatus abridgedCertificateDecode(const SECItem* input, unsigned char* output, 133 size_t outputLen, size_t* usedLen); 134 135 SECStatus zlibCertificateDecode(const SECItem* input, unsigned char* output, 136 size_t outputLen, size_t* usedLen); 137 138 SECStatus brotliCertificateDecode(const SECItem* input, unsigned char* output, 139 size_t outputLen, size_t* usedLen); 140 141 SECStatus zstdCertificateDecode(const SECItem* input, unsigned char* output, 142 size_t outputLen, size_t* usedLen); 143 144 extern "C" { 145 using FindObjectsCallback = void (*)(uint8_t type, size_t id_len, 146 const uint8_t* id, size_t data_len, 147 const uint8_t* data, void* ctx); 148 void DoFindObjects(FindObjectsCallback cb, void* ctx); 149 using SignCallback = void (*)(size_t data_len, const uint8_t* data, void* ctx); 150 void DoSign(size_t cert_len, const uint8_t* cert, size_t data_len, 151 const uint8_t* data, size_t params_len, const uint8_t* params, 152 SignCallback cb, void* ctx); 153 } 154 155 #endif // nsNSSIOLayer_h