sslsock.c (142404B)
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 2 /* 3 * vtables (and methods that call through them) for the 4 types of 4 * SSLSockets supported. Only one type is still supported. 5 * Various other functions. 6 * 7 * This Source Code Form is subject to the terms of the Mozilla Public 8 * License, v. 2.0. If a copy of the MPL was not distributed with this 9 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 10 #include "seccomon.h" 11 #include "cert.h" 12 #include "keyhi.h" 13 #include "ssl.h" 14 #include "sslexp.h" 15 #include "sslimpl.h" 16 #include "sslproto.h" 17 #include "nspr.h" 18 #include "private/pprio.h" 19 #include "nss.h" 20 #include "pk11pqg.h" 21 #include "pk11pub.h" 22 #include "tls13ech.h" 23 #include "tls13psk.h" 24 #include "tls13subcerts.h" 25 26 static const sslSocketOps ssl_default_ops = { /* No SSL. */ 27 ssl_DefConnect, 28 NULL, 29 ssl_DefBind, 30 ssl_DefListen, 31 ssl_DefShutdown, 32 ssl_DefClose, 33 ssl_DefRecv, 34 ssl_DefSend, 35 ssl_DefRead, 36 ssl_DefWrite, 37 ssl_DefGetpeername, 38 ssl_DefGetsockname 39 }; 40 41 static const sslSocketOps ssl_secure_ops = { /* SSL. */ 42 ssl_SecureConnect, 43 NULL, 44 ssl_DefBind, 45 ssl_DefListen, 46 ssl_SecureShutdown, 47 ssl_SecureClose, 48 ssl_SecureRecv, 49 ssl_SecureSend, 50 ssl_SecureRead, 51 ssl_SecureWrite, 52 ssl_DefGetpeername, 53 ssl_DefGetsockname 54 }; 55 56 /* 57 ** default settings for socket enables 58 */ 59 static sslOptions ssl_defaults = { 60 .nextProtoNego = { siBuffer, NULL, 0 }, 61 .maxEarlyDataSize = 1 << 16, 62 .recordSizeLimit = MAX_FRAGMENT_LENGTH + 1, 63 .useSecurity = PR_TRUE, 64 .useSocks = PR_FALSE, 65 .requestCertificate = PR_FALSE, 66 .requireCertificate = SSL_REQUIRE_FIRST_HANDSHAKE, 67 .handshakeAsClient = PR_FALSE, 68 .handshakeAsServer = PR_FALSE, 69 .noCache = PR_FALSE, 70 .fdx = PR_FALSE, 71 .detectRollBack = PR_TRUE, 72 .noLocks = PR_FALSE, 73 .enableSessionTickets = PR_FALSE, 74 .enableDeflate = PR_FALSE, 75 .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN, 76 .requireSafeNegotiation = PR_FALSE, 77 .enableFalseStart = PR_FALSE, 78 .cbcRandomIV = PR_TRUE, 79 .enableOCSPStapling = PR_FALSE, 80 .enableDelegatedCredentials = PR_FALSE, 81 .enableALPN = PR_TRUE, 82 .reuseServerECDHEKey = PR_FALSE, 83 .enableFallbackSCSV = PR_FALSE, 84 .enableServerDhe = PR_TRUE, 85 .enableExtendedMS = PR_TRUE, 86 .enableSignedCertTimestamps = PR_FALSE, 87 .requireDHENamedGroups = PR_FALSE, 88 .enable0RttData = PR_FALSE, 89 .enableTls13CompatMode = PR_FALSE, 90 .enableDtls13VersionCompat = PR_FALSE, 91 .enableDtlsShortHeader = PR_FALSE, 92 .enableHelloDowngradeCheck = PR_TRUE, 93 .enableV2CompatibleHello = PR_FALSE, 94 .enablePostHandshakeAuth = PR_FALSE, 95 .suppressEndOfEarlyData = PR_FALSE, 96 .enableTls13GreaseEch = PR_FALSE, 97 .enableTls13BackendEch = PR_FALSE, 98 .callExtensionWriterOnEchInner = PR_FALSE, 99 .enableGrease = PR_FALSE, 100 .enableChXtnPermutation = PR_FALSE, 101 .dbLoadCertChain = PR_TRUE, 102 }; 103 104 /* 105 * default range of enabled SSL/TLS protocols 106 */ 107 static SSLVersionRange versions_defaults_stream = { 108 SSL_LIBRARY_VERSION_TLS_1_2, 109 SSL_LIBRARY_VERSION_TLS_1_3 110 }; 111 112 static SSLVersionRange versions_defaults_datagram = { 113 SSL_LIBRARY_VERSION_TLS_1_2, 114 SSL_LIBRARY_VERSION_TLS_1_2 115 }; 116 117 #define VERSIONS_DEFAULTS(variant) \ 118 (variant == ssl_variant_stream ? &versions_defaults_stream : &versions_defaults_datagram) 119 #define VERSIONS_POLICY_MIN(variant) \ 120 (variant == ssl_variant_stream ? NSS_TLS_VERSION_MIN_POLICY : NSS_DTLS_VERSION_MIN_POLICY) 121 #define VERSIONS_POLICY_MAX(variant) \ 122 (variant == ssl_variant_stream ? NSS_TLS_VERSION_MAX_POLICY : NSS_DTLS_VERSION_MAX_POLICY) 123 124 sslSessionIDLookupFunc ssl_sid_lookup; 125 126 static PRDescIdentity ssl_layer_id; 127 128 static PRCallOnceType ssl_setDefaultsFromEnvironment = { 0 }; 129 130 PRBool ssl_force_locks = PR_FALSE; 131 int ssl_lock_readers = 1; /* default true. */ 132 char ssl_debug; 133 char ssl_trace; 134 FILE *ssl_trace_iob; 135 136 #ifdef NSS_ALLOW_SSLKEYLOGFILE 137 FILE *ssl_keylog_iob; 138 PZLock *ssl_keylog_lock; 139 #endif 140 141 /* SRTP_NULL_HMAC_SHA1_80 and SRTP_NULL_HMAC_SHA1_32 are not implemented. */ 142 static const PRUint16 srtpCiphers[] = { 143 SRTP_AES128_CM_HMAC_SHA1_80, 144 SRTP_AES128_CM_HMAC_SHA1_32, 145 0 146 }; 147 148 /* This list is in preference order. Note that while some smaller groups appear 149 * early in the list, smaller groups are generally ignored when iterating 150 * through this list. ffdhe_custom must not appear in this list. */ 151 #define ECGROUP(name, size, oid, assumeSupported) \ 152 { \ 153 ssl_grp_ec_##name, size, ssl_kea_ecdh, \ 154 SEC_OID_SECG_EC_##oid, assumeSupported \ 155 } 156 #define FFGROUP(size) \ 157 { \ 158 ssl_grp_ffdhe_##size, size, ssl_kea_dh, \ 159 SEC_OID_TLS_FFDHE_##size, PR_TRUE \ 160 } 161 #define HYGROUP(first, second, size, first_oid, second_oid, assumeSupported) \ 162 { \ 163 ssl_grp_kem_##first##second, size, ssl_kea_ecdh_hybrid, \ 164 SEC_OID_##first_oid##second_oid, assumeSupported \ 165 } 166 167 const sslNamedGroupDef ssl_named_groups[] = { 168 /* Note that 256 for 25519 and x25519mlkem786 is a lie, but we only use it 169 * for checking bit security and expect 256 bits there (not 255). */ 170 HYGROUP(mlkem768, x25519, 256, MLKEM768, X25519, PR_TRUE), 171 { ssl_grp_ec_curve25519, 256, ssl_kea_ecdh, SEC_OID_CURVE25519, PR_TRUE }, 172 ECGROUP(secp256r1, 256, SECP256R1, PR_TRUE), 173 ECGROUP(secp384r1, 384, SECP384R1, PR_TRUE), 174 ECGROUP(secp521r1, 521, SECP521R1, PR_TRUE), 175 HYGROUP(secp256r1, mlkem768, 256, SECP256R1, MLKEM768, PR_TRUE), 176 HYGROUP(secp384r1, mlkem1024, 256, SECP384R1, MLKEM1024, PR_TRUE), 177 { ssl_grp_kem_xyber768d00, 256, ssl_kea_ecdh_hybrid, SEC_OID_XYBER768D00, PR_FALSE }, 178 FFGROUP(2048), 179 FFGROUP(3072), 180 FFGROUP(4096), 181 FFGROUP(6144), 182 FFGROUP(8192), 183 ECGROUP(secp192r1, 192, SECP192R1, PR_FALSE), 184 ECGROUP(secp160r2, 160, SECP160R2, PR_FALSE), 185 ECGROUP(secp160k1, 160, SECP160K1, PR_FALSE), 186 ECGROUP(secp160r1, 160, SECP160R1, PR_FALSE), 187 ECGROUP(sect163k1, 163, SECT163K1, PR_FALSE), 188 ECGROUP(sect163r1, 163, SECT163R1, PR_FALSE), 189 ECGROUP(sect163r2, 163, SECT163R2, PR_FALSE), 190 ECGROUP(secp192k1, 192, SECP192K1, PR_FALSE), 191 ECGROUP(sect193r1, 193, SECT193R1, PR_FALSE), 192 ECGROUP(sect193r2, 193, SECT193R2, PR_FALSE), 193 ECGROUP(secp224r1, 224, SECP224R1, PR_FALSE), 194 ECGROUP(secp224k1, 224, SECP224K1, PR_FALSE), 195 ECGROUP(sect233k1, 233, SECT233K1, PR_FALSE), 196 ECGROUP(sect233r1, 233, SECT233R1, PR_FALSE), 197 ECGROUP(sect239k1, 239, SECT239K1, PR_FALSE), 198 ECGROUP(secp256k1, 256, SECP256K1, PR_FALSE), 199 ECGROUP(sect283k1, 283, SECT283K1, PR_FALSE), 200 ECGROUP(sect283r1, 283, SECT283R1, PR_FALSE), 201 ECGROUP(sect409k1, 409, SECT409K1, PR_FALSE), 202 ECGROUP(sect409r1, 409, SECT409R1, PR_FALSE), 203 ECGROUP(sect571k1, 571, SECT571K1, PR_FALSE), 204 ECGROUP(sect571r1, 571, SECT571R1, PR_FALSE), 205 }; 206 PR_STATIC_ASSERT(SSL_NAMED_GROUP_COUNT == PR_ARRAY_SIZE(ssl_named_groups)); 207 208 #undef ECGROUP 209 #undef FFGROUP 210 #undef HYGROUP 211 212 /* forward declarations. */ 213 static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant); 214 static SECStatus ssl_MakeLocks(sslSocket *ss); 215 static PRStatus ssl_SetDefaultsFromEnvironmentCallOnce(void); 216 static void ssl_SetDefaultsFromEnvironment(void); 217 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, 218 PRDescIdentity id); 219 220 /************************************************************************/ 221 222 /* 223 ** Lookup a socket structure from a file descriptor. 224 ** Only functions called through the PRIOMethods table should use this. 225 ** Other app-callable functions should use ssl_FindSocket. 226 */ 227 static sslSocket * 228 ssl_GetPrivate(PRFileDesc *fd) 229 { 230 sslSocket *ss; 231 232 PORT_Assert(fd != NULL); 233 PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED); 234 PORT_Assert(fd->identity == ssl_layer_id); 235 236 if (fd->methods->file_type != PR_DESC_LAYERED || 237 fd->identity != ssl_layer_id) { 238 PORT_SetError(PR_BAD_DESCRIPTOR_ERROR); 239 return NULL; 240 } 241 242 ss = (sslSocket *)fd->secret; 243 /* Set ss->fd lazily. We can't rely on the value of ss->fd set by 244 * ssl_PushIOLayer because another PR_PushIOLayer call will switch the 245 * contents of the PRFileDesc pointed by ss->fd and the new layer. 246 * See bug 807250. 247 */ 248 ss->fd = fd; 249 return ss; 250 } 251 252 /* This function tries to find the SSL layer in the stack. 253 * It searches for the first SSL layer at or below the argument fd, 254 * and failing that, it searches for the nearest SSL layer above the 255 * argument fd. It returns the private sslSocket from the found layer. 256 */ 257 sslSocket * 258 ssl_FindSocket(PRFileDesc *fd) 259 { 260 PRFileDesc *layer; 261 sslSocket *ss; 262 263 PORT_Assert(fd != NULL); 264 PORT_Assert(ssl_layer_id != 0); 265 266 layer = PR_GetIdentitiesLayer(fd, ssl_layer_id); 267 if (layer == NULL) { 268 PORT_SetError(PR_BAD_DESCRIPTOR_ERROR); 269 return NULL; 270 } 271 272 ss = (sslSocket *)layer->secret; 273 /* Set ss->fd lazily. We can't rely on the value of ss->fd set by 274 * ssl_PushIOLayer because another PR_PushIOLayer call will switch the 275 * contents of the PRFileDesc pointed by ss->fd and the new layer. 276 * See bug 807250. 277 */ 278 ss->fd = layer; 279 return ss; 280 } 281 282 static sslSocket * 283 ssl_DupSocket(sslSocket *os) 284 { 285 sslSocket *ss; 286 SECStatus rv; 287 288 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant); 289 if (!ss) { 290 return NULL; 291 } 292 293 ss->opt = os->opt; 294 ss->opt.useSocks = PR_FALSE; 295 rv = SECITEM_CopyItem(NULL, &ss->opt.nextProtoNego, &os->opt.nextProtoNego); 296 if (rv != SECSuccess) { 297 goto loser; 298 } 299 ss->vrange = os->vrange; 300 ss->now = os->now; 301 ss->nowArg = os->nowArg; 302 303 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); 304 ss->url = !os->url ? NULL : PORT_Strdup(os->url); 305 306 ss->ops = os->ops; 307 ss->rTimeout = os->rTimeout; 308 ss->wTimeout = os->wTimeout; 309 ss->cTimeout = os->cTimeout; 310 ss->dbHandle = os->dbHandle; 311 312 /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ 313 PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites); 314 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers, 315 sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount); 316 ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount; 317 PORT_Memcpy(ss->ssl3.signatureSchemes, os->ssl3.signatureSchemes, 318 sizeof(ss->ssl3.signatureSchemes[0]) * 319 os->ssl3.signatureSchemeCount); 320 ss->ssl3.signatureSchemeCount = os->ssl3.signatureSchemeCount; 321 ss->ssl3.downgradeCheckVersion = os->ssl3.downgradeCheckVersion; 322 323 ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled; 324 325 PORT_Memcpy(ss->ssl3.supportedCertCompressionAlgorithms, 326 os->ssl3.supportedCertCompressionAlgorithms, 327 sizeof(ss->ssl3.supportedCertCompressionAlgorithms[0]) * 328 os->ssl3.supportedCertCompressionAlgorithmsCount); 329 ss->ssl3.supportedCertCompressionAlgorithmsCount = 330 os->ssl3.supportedCertCompressionAlgorithmsCount; 331 332 if (ss->opt.useSecurity) { 333 PRCList *cursor; 334 335 for (cursor = PR_NEXT_LINK(&os->serverCerts); 336 cursor != &os->serverCerts; 337 cursor = PR_NEXT_LINK(cursor)) { 338 sslServerCert *sc = ssl_CopyServerCert((sslServerCert *)cursor); 339 if (!sc) 340 goto loser; 341 PR_APPEND_LINK(&sc->link, &ss->serverCerts); 342 } 343 344 for (cursor = PR_NEXT_LINK(&os->ephemeralKeyPairs); 345 cursor != &os->ephemeralKeyPairs; 346 cursor = PR_NEXT_LINK(cursor)) { 347 sslEphemeralKeyPair *okp = (sslEphemeralKeyPair *)cursor; 348 sslEphemeralKeyPair *skp = ssl_CopyEphemeralKeyPair(okp); 349 if (!skp) 350 goto loser; 351 PR_APPEND_LINK(&skp->link, &ss->ephemeralKeyPairs); 352 } 353 354 for (cursor = PR_NEXT_LINK(&os->extensionHooks); 355 cursor != &os->extensionHooks; 356 cursor = PR_NEXT_LINK(cursor)) { 357 sslCustomExtensionHooks *oh = (sslCustomExtensionHooks *)cursor; 358 sslCustomExtensionHooks *sh = PORT_ZNew(sslCustomExtensionHooks); 359 if (!sh) { 360 goto loser; 361 } 362 *sh = *oh; 363 PR_APPEND_LINK(&sh->link, &ss->extensionHooks); 364 } 365 366 /* 367 * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL. 368 * XXX We should detect this, and not just march on with NULL pointers. 369 */ 370 ss->authCertificate = os->authCertificate; 371 ss->authCertificateArg = os->authCertificateArg; 372 ss->getClientAuthData = os->getClientAuthData; 373 ss->getClientAuthDataArg = os->getClientAuthDataArg; 374 ss->sniSocketConfig = os->sniSocketConfig; 375 ss->sniSocketConfigArg = os->sniSocketConfigArg; 376 ss->alertReceivedCallback = os->alertReceivedCallback; 377 ss->alertReceivedCallbackArg = os->alertReceivedCallbackArg; 378 ss->alertSentCallback = os->alertSentCallback; 379 ss->alertSentCallbackArg = os->alertSentCallbackArg; 380 ss->handleBadCert = os->handleBadCert; 381 ss->badCertArg = os->badCertArg; 382 ss->handshakeCallback = os->handshakeCallback; 383 ss->handshakeCallbackData = os->handshakeCallbackData; 384 ss->canFalseStartCallback = os->canFalseStartCallback; 385 ss->canFalseStartCallbackData = os->canFalseStartCallbackData; 386 ss->pkcs11PinArg = os->pkcs11PinArg; 387 ss->nextProtoCallback = os->nextProtoCallback; 388 ss->nextProtoArg = os->nextProtoArg; 389 PORT_Memcpy((void *)ss->namedGroupPreferences, 390 os->namedGroupPreferences, 391 sizeof(ss->namedGroupPreferences)); 392 ss->additionalShares = os->additionalShares; 393 ss->resumptionTokenCallback = os->resumptionTokenCallback; 394 ss->resumptionTokenContext = os->resumptionTokenContext; 395 396 rv = tls13_CopyEchConfigs(&os->echConfigs, &ss->echConfigs); 397 if (rv != SECSuccess) { 398 goto loser; 399 } 400 if (os->echPrivKey && os->echPubKey) { 401 ss->echPrivKey = SECKEY_CopyPrivateKey(os->echPrivKey); 402 ss->echPubKey = SECKEY_CopyPublicKey(os->echPubKey); 403 if (!ss->echPrivKey || !ss->echPubKey) { 404 goto loser; 405 } 406 } 407 408 if (os->antiReplay) { 409 ss->antiReplay = tls13_RefAntiReplayContext(os->antiReplay); 410 PORT_Assert(ss->antiReplay); /* Can't fail. */ 411 if (!ss->antiReplay) { 412 goto loser; 413 } 414 } 415 if (os->psk) { 416 ss->psk = tls13_CopyPsk(os->psk); 417 if (!ss->psk) { 418 goto loser; 419 } 420 } 421 422 /* Create security data */ 423 rv = ssl_CopySecurityInfo(ss, os); 424 if (rv != SECSuccess) { 425 goto loser; 426 } 427 } 428 429 return ss; 430 431 loser: 432 ssl_FreeSocket(ss); 433 return NULL; 434 } 435 436 static void 437 ssl_DestroyLocks(sslSocket *ss) 438 { 439 /* Destroy locks. */ 440 if (ss->firstHandshakeLock) { 441 PZ_DestroyMonitor(ss->firstHandshakeLock); 442 ss->firstHandshakeLock = NULL; 443 } 444 if (ss->ssl3HandshakeLock) { 445 PZ_DestroyMonitor(ss->ssl3HandshakeLock); 446 ss->ssl3HandshakeLock = NULL; 447 } 448 if (ss->specLock) { 449 NSSRWLock_Destroy(ss->specLock); 450 ss->specLock = NULL; 451 } 452 453 if (ss->recvLock) { 454 PZ_DestroyLock(ss->recvLock); 455 ss->recvLock = NULL; 456 } 457 if (ss->sendLock) { 458 PZ_DestroyLock(ss->sendLock); 459 ss->sendLock = NULL; 460 } 461 if (ss->xmitBufLock) { 462 PZ_DestroyMonitor(ss->xmitBufLock); 463 ss->xmitBufLock = NULL; 464 } 465 if (ss->recvBufLock) { 466 PZ_DestroyMonitor(ss->recvBufLock); 467 ss->recvBufLock = NULL; 468 } 469 } 470 471 /* Caller holds any relevant locks */ 472 static void 473 ssl_DestroySocketContents(sslSocket *ss) 474 { 475 PRCList *cursor; 476 477 /* Free up socket */ 478 ssl_DestroySecurityInfo(&ss->sec); 479 480 ssl3_DestroySSL3Info(ss); 481 482 PORT_Free(ss->saveBuf.buf); 483 PORT_Free(ss->pendingBuf.buf); 484 ssl3_DestroyGather(&ss->gs); 485 486 if (ss->peerID != NULL) 487 PORT_Free(ss->peerID); 488 if (ss->url != NULL) 489 PORT_Free((void *)ss->url); /* CONST */ 490 491 /* Clean up server certificates and sundries. */ 492 while (!PR_CLIST_IS_EMPTY(&ss->serverCerts)) { 493 cursor = PR_LIST_TAIL(&ss->serverCerts); 494 PR_REMOVE_LINK(cursor); 495 ssl_FreeServerCert((sslServerCert *)cursor); 496 } 497 498 /* Remove extension handlers. */ 499 ssl_ClearPRCList(&ss->extensionHooks, NULL); 500 501 ssl_FreeEphemeralKeyPairs(ss); 502 SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); 503 ssl3_FreeSniNameArray(&ss->xtnData); 504 505 ssl_ClearPRCList(&ss->ssl3.hs.dtlsSentHandshake, NULL); 506 ssl_ClearPRCList(&ss->ssl3.hs.dtlsRcvdHandshake, NULL); 507 tls13_DestroyPskList(&ss->ssl3.hs.psks); 508 509 tls13_ReleaseAntiReplayContext(ss->antiReplay); 510 511 tls13_DestroyPsk(ss->psk); 512 513 tls13_DestroyEchConfigs(&ss->echConfigs); 514 SECKEY_DestroyPrivateKey(ss->echPrivKey); 515 SECKEY_DestroyPublicKey(ss->echPubKey); 516 } 517 518 /* 519 * free an sslSocket struct, and all the stuff that hangs off of it 520 */ 521 void 522 ssl_FreeSocket(sslSocket *ss) 523 { 524 /* Get every lock you can imagine! 525 ** Caller already holds these: 526 ** SSL_LOCK_READER(ss); 527 ** SSL_LOCK_WRITER(ss); 528 */ 529 ssl_Get1stHandshakeLock(ss); 530 ssl_GetRecvBufLock(ss); 531 ssl_GetSSL3HandshakeLock(ss); 532 ssl_GetXmitBufLock(ss); 533 ssl_GetSpecWriteLock(ss); 534 535 ssl_DestroySocketContents(ss); 536 537 /* Release all the locks acquired above. */ 538 SSL_UNLOCK_READER(ss); 539 SSL_UNLOCK_WRITER(ss); 540 ssl_Release1stHandshakeLock(ss); 541 ssl_ReleaseRecvBufLock(ss); 542 ssl_ReleaseSSL3HandshakeLock(ss); 543 ssl_ReleaseXmitBufLock(ss); 544 ssl_ReleaseSpecWriteLock(ss); 545 546 ssl_DestroyLocks(ss); 547 548 #ifdef DEBUG 549 PORT_Memset(ss, 0x1f, sizeof *ss); 550 #endif 551 PORT_Free(ss); 552 return; 553 } 554 555 /************************************************************************/ 556 SECStatus 557 ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled) 558 { 559 PRFileDesc *osfd = ss->fd->lower; 560 SECStatus rv = SECFailure; 561 PRSocketOptionData opt; 562 563 opt.option = PR_SockOpt_NoDelay; 564 opt.value.no_delay = (PRBool)!enabled; 565 566 if (osfd->methods->setsocketoption) { 567 rv = (SECStatus)osfd->methods->setsocketoption(osfd, &opt); 568 } else { 569 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 570 } 571 572 return rv; 573 } 574 575 static void 576 ssl_ChooseOps(sslSocket *ss) 577 { 578 ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops; 579 } 580 581 /* Called from SSL_Enable (immediately below) */ 582 static SECStatus 583 PrepareSocket(sslSocket *ss) 584 { 585 SECStatus rv = SECSuccess; 586 587 ssl_ChooseOps(ss); 588 return rv; 589 } 590 591 SECStatus 592 SSL_Enable(PRFileDesc *fd, int which, PRIntn on) 593 { 594 return SSL_OptionSet(fd, which, on); 595 } 596 597 static PRBool ssl_VersionIsSupportedByPolicy( 598 SSLProtocolVariant protocolVariant, SSL3ProtocolVersion version); 599 600 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in 601 * ssl.h in the section "SSL version range setting API". 602 */ 603 static void 604 ssl_EnableTLS(SSLVersionRange *vrange, PRIntn enable) 605 { 606 if (enable) { 607 /* don't turn it on if tls1.0 disallowed by by policy */ 608 if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, 609 SSL_LIBRARY_VERSION_TLS_1_0)) { 610 return; 611 } 612 } 613 if (SSL_ALL_VERSIONS_DISABLED(vrange)) { 614 if (enable) { 615 vrange->min = SSL_LIBRARY_VERSION_TLS_1_0; 616 vrange->max = SSL_LIBRARY_VERSION_TLS_1_0; 617 } /* else don't change anything */ 618 return; 619 } 620 621 if (enable) { 622 /* Expand the range of enabled version to include TLS 1.0 */ 623 vrange->min = PR_MIN(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); 624 vrange->max = PR_MAX(vrange->max, SSL_LIBRARY_VERSION_TLS_1_0); 625 } else { 626 /* Disable all TLS versions, leaving only SSL 3.0 if it was enabled */ 627 if (vrange->min == SSL_LIBRARY_VERSION_3_0) { 628 vrange->max = SSL_LIBRARY_VERSION_3_0; 629 } else { 630 /* Only TLS was enabled, so now no versions are. */ 631 vrange->min = SSL_LIBRARY_VERSION_NONE; 632 vrange->max = SSL_LIBRARY_VERSION_NONE; 633 } 634 } 635 } 636 637 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_SSL3, on) described in 638 * ssl.h in the section "SSL version range setting API". 639 */ 640 static void 641 ssl_EnableSSL3(SSLVersionRange *vrange, PRIntn enable) 642 { 643 if (enable) { 644 /* don't turn it on if ssl3 disallowed by by policy */ 645 if (!ssl_VersionIsSupportedByPolicy(ssl_variant_stream, 646 SSL_LIBRARY_VERSION_3_0)) { 647 return; 648 } 649 } 650 if (SSL_ALL_VERSIONS_DISABLED(vrange)) { 651 if (enable) { 652 vrange->min = SSL_LIBRARY_VERSION_3_0; 653 vrange->max = SSL_LIBRARY_VERSION_3_0; 654 } /* else don't change anything */ 655 return; 656 } 657 658 if (enable) { 659 /* Expand the range of enabled versions to include SSL 3.0. We know 660 * SSL 3.0 or some version of TLS is already enabled at this point, so 661 * we don't need to change vrange->max. 662 */ 663 vrange->min = SSL_LIBRARY_VERSION_3_0; 664 } else { 665 /* Disable SSL 3.0, leaving TLS unaffected. */ 666 if (vrange->max > SSL_LIBRARY_VERSION_3_0) { 667 vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); 668 } else { 669 /* Only SSL 3.0 was enabled, so now no versions are. */ 670 vrange->min = SSL_LIBRARY_VERSION_NONE; 671 vrange->max = SSL_LIBRARY_VERSION_NONE; 672 } 673 } 674 } 675 676 SECStatus 677 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val) 678 { 679 sslSocket *ss = ssl_FindSocket(fd); 680 SECStatus rv = SECSuccess; 681 PRBool holdingLocks; 682 683 if (!ss) { 684 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); 685 return SECFailure; 686 } 687 688 holdingLocks = (!ss->opt.noLocks); 689 ssl_Get1stHandshakeLock(ss); 690 ssl_GetSSL3HandshakeLock(ss); 691 692 switch (which) { 693 case SSL_SOCKS: 694 ss->opt.useSocks = PR_FALSE; 695 rv = PrepareSocket(ss); 696 if (val) { 697 PORT_SetError(SEC_ERROR_INVALID_ARGS); 698 rv = SECFailure; 699 } 700 break; 701 702 case SSL_SECURITY: 703 ss->opt.useSecurity = val; 704 rv = PrepareSocket(ss); 705 break; 706 707 case SSL_REQUEST_CERTIFICATE: 708 ss->opt.requestCertificate = val; 709 break; 710 711 case SSL_REQUIRE_CERTIFICATE: 712 ss->opt.requireCertificate = val; 713 break; 714 715 case SSL_HANDSHAKE_AS_CLIENT: 716 if (ss->opt.handshakeAsServer && val) { 717 PORT_SetError(SEC_ERROR_INVALID_ARGS); 718 rv = SECFailure; 719 break; 720 } 721 ss->opt.handshakeAsClient = val; 722 break; 723 724 case SSL_HANDSHAKE_AS_SERVER: 725 if (ss->opt.handshakeAsClient && val) { 726 PORT_SetError(SEC_ERROR_INVALID_ARGS); 727 rv = SECFailure; 728 break; 729 } 730 ss->opt.handshakeAsServer = val; 731 break; 732 733 case SSL_ENABLE_TLS: 734 if (IS_DTLS(ss)) { 735 if (val) { 736 PORT_SetError(SEC_ERROR_INVALID_ARGS); 737 rv = SECFailure; /* not allowed */ 738 } 739 break; 740 } 741 ssl_EnableTLS(&ss->vrange, val); 742 break; 743 744 case SSL_ENABLE_SSL3: 745 if (IS_DTLS(ss)) { 746 if (val) { 747 PORT_SetError(SEC_ERROR_INVALID_ARGS); 748 rv = SECFailure; /* not allowed */ 749 } 750 break; 751 } 752 ssl_EnableSSL3(&ss->vrange, val); 753 break; 754 755 case SSL_ENABLE_SSL2: 756 case SSL_V2_COMPATIBLE_HELLO: 757 /* We no longer support SSL v2. 758 * However, if an old application requests to disable SSL v2, 759 * we shouldn't fail. 760 */ 761 if (val) { 762 PORT_SetError(SEC_ERROR_INVALID_ARGS); 763 rv = SECFailure; 764 } 765 break; 766 767 case SSL_NO_CACHE: 768 ss->opt.noCache = val; 769 break; 770 771 case SSL_ENABLE_FDX: 772 if (val && ss->opt.noLocks) { 773 PORT_SetError(SEC_ERROR_INVALID_ARGS); 774 rv = SECFailure; 775 } 776 ss->opt.fdx = val; 777 break; 778 779 case SSL_ROLLBACK_DETECTION: 780 ss->opt.detectRollBack = val; 781 break; 782 783 case SSL_NO_STEP_DOWN: 784 break; 785 786 case SSL_BYPASS_PKCS11: 787 break; 788 789 case SSL_NO_LOCKS: 790 if (val && ss->opt.fdx) { 791 PORT_SetError(SEC_ERROR_INVALID_ARGS); 792 rv = SECFailure; 793 } 794 if (val && ssl_force_locks) 795 val = PR_FALSE; /* silent override */ 796 ss->opt.noLocks = val; 797 798 if (val && holdingLocks) { 799 /* If we're disabling locks and locks were previously enabled. */ 800 PZ_ExitMonitor((ss)->ssl3HandshakeLock); 801 PZ_ExitMonitor((ss)->firstHandshakeLock); 802 ssl_DestroyLocks(ss); 803 holdingLocks = PR_FALSE; 804 } else if (!val && !holdingLocks) { 805 /* If we're enabling locks and locks were previously disabled. */ 806 rv = ssl_MakeLocks(ss); 807 if (rv != SECSuccess) { 808 ss->opt.noLocks = PR_TRUE; 809 } 810 } 811 break; 812 813 case SSL_ENABLE_SESSION_TICKETS: 814 ss->opt.enableSessionTickets = val; 815 break; 816 817 case SSL_ENABLE_DEFLATE: 818 ss->opt.enableDeflate = val; 819 break; 820 821 case SSL_ENABLE_RENEGOTIATION: 822 if (IS_DTLS(ss) && val != SSL_RENEGOTIATE_NEVER) { 823 PORT_SetError(SEC_ERROR_INVALID_ARGS); 824 rv = SECFailure; 825 break; 826 } 827 ss->opt.enableRenegotiation = val; 828 break; 829 830 case SSL_REQUIRE_SAFE_NEGOTIATION: 831 ss->opt.requireSafeNegotiation = val; 832 break; 833 834 case SSL_ENABLE_FALSE_START: 835 ss->opt.enableFalseStart = val; 836 break; 837 838 case SSL_CBC_RANDOM_IV: 839 ss->opt.cbcRandomIV = val; 840 break; 841 842 case SSL_ENABLE_OCSP_STAPLING: 843 ss->opt.enableOCSPStapling = val; 844 break; 845 846 case SSL_ENABLE_DELEGATED_CREDENTIALS: 847 ss->opt.enableDelegatedCredentials = val; 848 break; 849 850 case SSL_ENABLE_NPN: 851 break; 852 853 case SSL_ENABLE_ALPN: 854 ss->opt.enableALPN = val; 855 break; 856 857 case SSL_REUSE_SERVER_ECDHE_KEY: 858 ss->opt.reuseServerECDHEKey = val; 859 break; 860 861 case SSL_ENABLE_FALLBACK_SCSV: 862 ss->opt.enableFallbackSCSV = val; 863 break; 864 865 case SSL_ENABLE_SERVER_DHE: 866 ss->opt.enableServerDhe = val; 867 break; 868 869 case SSL_ENABLE_EXTENDED_MASTER_SECRET: 870 ss->opt.enableExtendedMS = val; 871 break; 872 873 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: 874 ss->opt.enableSignedCertTimestamps = val; 875 break; 876 877 case SSL_REQUIRE_DH_NAMED_GROUPS: 878 ss->opt.requireDHENamedGroups = val; 879 break; 880 881 case SSL_ENABLE_0RTT_DATA: 882 ss->opt.enable0RttData = val; 883 break; 884 885 case SSL_RECORD_SIZE_LIMIT: 886 if (val < 64 || val > (MAX_FRAGMENT_LENGTH + 1)) { 887 PORT_SetError(SEC_ERROR_INVALID_ARGS); 888 rv = SECFailure; 889 } else { 890 ss->opt.recordSizeLimit = val; 891 } 892 break; 893 894 case SSL_ENABLE_TLS13_COMPAT_MODE: 895 ss->opt.enableTls13CompatMode = val; 896 break; 897 898 case SSL_ENABLE_DTLS_SHORT_HEADER: 899 ss->opt.enableDtlsShortHeader = val; 900 break; 901 902 case SSL_ENABLE_HELLO_DOWNGRADE_CHECK: 903 ss->opt.enableHelloDowngradeCheck = val; 904 break; 905 906 case SSL_ENABLE_V2_COMPATIBLE_HELLO: 907 ss->opt.enableV2CompatibleHello = val; 908 break; 909 910 case SSL_ENABLE_POST_HANDSHAKE_AUTH: 911 ss->opt.enablePostHandshakeAuth = val; 912 break; 913 914 case SSL_SUPPRESS_END_OF_EARLY_DATA: 915 ss->opt.suppressEndOfEarlyData = val; 916 break; 917 918 case SSL_ENABLE_GREASE: 919 ss->opt.enableGrease = val; 920 break; 921 922 case SSL_ENABLE_CH_EXTENSION_PERMUTATION: 923 ss->opt.enableChXtnPermutation = val; 924 break; 925 926 case SSL_DB_LOAD_CERTIFICATE_CHAIN: 927 ss->opt.dbLoadCertChain = val; 928 break; 929 930 default: 931 PORT_SetError(SEC_ERROR_INVALID_ARGS); 932 rv = SECFailure; 933 } 934 935 /* We can't use the macros for releasing the locks here, 936 * because ss->opt.noLocks might have changed just above. 937 * We must release these locks (monitors) here, if we aquired them above, 938 * regardless of the current value of ss->opt.noLocks. 939 */ 940 if (holdingLocks) { 941 PZ_ExitMonitor((ss)->ssl3HandshakeLock); 942 PZ_ExitMonitor((ss)->firstHandshakeLock); 943 } 944 945 return rv; 946 } 947 948 SECStatus 949 SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal) 950 { 951 sslSocket *ss = ssl_FindSocket(fd); 952 SECStatus rv = SECSuccess; 953 PRIntn val = PR_FALSE; 954 955 if (!pVal) { 956 PORT_SetError(SEC_ERROR_INVALID_ARGS); 957 return SECFailure; 958 } 959 if (!ss) { 960 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); 961 *pVal = PR_FALSE; 962 return SECFailure; 963 } 964 965 ssl_Get1stHandshakeLock(ss); 966 ssl_GetSSL3HandshakeLock(ss); 967 968 switch (which) { 969 case SSL_SOCKS: 970 val = PR_FALSE; 971 break; 972 case SSL_SECURITY: 973 val = ss->opt.useSecurity; 974 break; 975 case SSL_REQUEST_CERTIFICATE: 976 val = ss->opt.requestCertificate; 977 break; 978 case SSL_REQUIRE_CERTIFICATE: 979 val = ss->opt.requireCertificate; 980 break; 981 case SSL_HANDSHAKE_AS_CLIENT: 982 val = ss->opt.handshakeAsClient; 983 break; 984 case SSL_HANDSHAKE_AS_SERVER: 985 val = ss->opt.handshakeAsServer; 986 break; 987 case SSL_ENABLE_TLS: 988 val = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; 989 break; 990 case SSL_ENABLE_SSL3: 991 val = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; 992 break; 993 case SSL_ENABLE_SSL2: 994 case SSL_V2_COMPATIBLE_HELLO: 995 val = PR_FALSE; 996 break; 997 case SSL_NO_CACHE: 998 val = ss->opt.noCache; 999 break; 1000 case SSL_ENABLE_FDX: 1001 val = ss->opt.fdx; 1002 break; 1003 case SSL_ROLLBACK_DETECTION: 1004 val = ss->opt.detectRollBack; 1005 break; 1006 case SSL_NO_STEP_DOWN: 1007 val = PR_FALSE; 1008 break; 1009 case SSL_BYPASS_PKCS11: 1010 val = PR_FALSE; 1011 break; 1012 case SSL_NO_LOCKS: 1013 val = ss->opt.noLocks; 1014 break; 1015 case SSL_ENABLE_SESSION_TICKETS: 1016 val = ss->opt.enableSessionTickets; 1017 break; 1018 case SSL_ENABLE_DEFLATE: 1019 val = ss->opt.enableDeflate; 1020 break; 1021 case SSL_ENABLE_RENEGOTIATION: 1022 val = ss->opt.enableRenegotiation; 1023 break; 1024 case SSL_REQUIRE_SAFE_NEGOTIATION: 1025 val = ss->opt.requireSafeNegotiation; 1026 break; 1027 case SSL_ENABLE_FALSE_START: 1028 val = ss->opt.enableFalseStart; 1029 break; 1030 case SSL_CBC_RANDOM_IV: 1031 val = ss->opt.cbcRandomIV; 1032 break; 1033 case SSL_ENABLE_OCSP_STAPLING: 1034 val = ss->opt.enableOCSPStapling; 1035 break; 1036 case SSL_ENABLE_DELEGATED_CREDENTIALS: 1037 val = ss->opt.enableDelegatedCredentials; 1038 break; 1039 case SSL_ENABLE_NPN: 1040 val = PR_FALSE; 1041 break; 1042 case SSL_ENABLE_ALPN: 1043 val = ss->opt.enableALPN; 1044 break; 1045 case SSL_REUSE_SERVER_ECDHE_KEY: 1046 val = ss->opt.reuseServerECDHEKey; 1047 break; 1048 case SSL_ENABLE_FALLBACK_SCSV: 1049 val = ss->opt.enableFallbackSCSV; 1050 break; 1051 case SSL_ENABLE_SERVER_DHE: 1052 val = ss->opt.enableServerDhe; 1053 break; 1054 case SSL_ENABLE_EXTENDED_MASTER_SECRET: 1055 val = ss->opt.enableExtendedMS; 1056 break; 1057 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: 1058 val = ss->opt.enableSignedCertTimestamps; 1059 break; 1060 case SSL_REQUIRE_DH_NAMED_GROUPS: 1061 val = ss->opt.requireDHENamedGroups; 1062 break; 1063 case SSL_ENABLE_0RTT_DATA: 1064 val = ss->opt.enable0RttData; 1065 break; 1066 case SSL_RECORD_SIZE_LIMIT: 1067 val = ss->opt.recordSizeLimit; 1068 break; 1069 case SSL_ENABLE_TLS13_COMPAT_MODE: 1070 val = ss->opt.enableTls13CompatMode; 1071 break; 1072 case SSL_ENABLE_DTLS_SHORT_HEADER: 1073 val = ss->opt.enableDtlsShortHeader; 1074 break; 1075 case SSL_ENABLE_HELLO_DOWNGRADE_CHECK: 1076 val = ss->opt.enableHelloDowngradeCheck; 1077 break; 1078 case SSL_ENABLE_V2_COMPATIBLE_HELLO: 1079 val = ss->opt.enableV2CompatibleHello; 1080 break; 1081 case SSL_ENABLE_POST_HANDSHAKE_AUTH: 1082 val = ss->opt.enablePostHandshakeAuth; 1083 break; 1084 case SSL_SUPPRESS_END_OF_EARLY_DATA: 1085 val = ss->opt.suppressEndOfEarlyData; 1086 break; 1087 case SSL_ENABLE_GREASE: 1088 val = ss->opt.enableGrease; 1089 break; 1090 case SSL_ENABLE_CH_EXTENSION_PERMUTATION: 1091 val = ss->opt.enableChXtnPermutation; 1092 break; 1093 case SSL_DB_LOAD_CERTIFICATE_CHAIN: 1094 val = ss->opt.dbLoadCertChain; 1095 break; 1096 default: 1097 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1098 rv = SECFailure; 1099 } 1100 1101 ssl_ReleaseSSL3HandshakeLock(ss); 1102 ssl_Release1stHandshakeLock(ss); 1103 1104 *pVal = val; 1105 return rv; 1106 } 1107 1108 SECStatus 1109 SSL_OptionGetDefault(PRInt32 which, PRIntn *pVal) 1110 { 1111 SECStatus rv = SECSuccess; 1112 PRIntn val = PR_FALSE; 1113 1114 if (!pVal) { 1115 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1116 return SECFailure; 1117 } 1118 1119 ssl_SetDefaultsFromEnvironment(); 1120 1121 switch (which) { 1122 case SSL_SOCKS: 1123 val = PR_FALSE; 1124 break; 1125 case SSL_SECURITY: 1126 val = ssl_defaults.useSecurity; 1127 break; 1128 case SSL_REQUEST_CERTIFICATE: 1129 val = ssl_defaults.requestCertificate; 1130 break; 1131 case SSL_REQUIRE_CERTIFICATE: 1132 val = ssl_defaults.requireCertificate; 1133 break; 1134 case SSL_HANDSHAKE_AS_CLIENT: 1135 val = ssl_defaults.handshakeAsClient; 1136 break; 1137 case SSL_HANDSHAKE_AS_SERVER: 1138 val = ssl_defaults.handshakeAsServer; 1139 break; 1140 case SSL_ENABLE_TLS: 1141 val = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; 1142 break; 1143 case SSL_ENABLE_SSL3: 1144 val = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; 1145 break; 1146 case SSL_ENABLE_SSL2: 1147 case SSL_V2_COMPATIBLE_HELLO: 1148 val = PR_FALSE; 1149 break; 1150 case SSL_NO_CACHE: 1151 val = ssl_defaults.noCache; 1152 break; 1153 case SSL_ENABLE_FDX: 1154 val = ssl_defaults.fdx; 1155 break; 1156 case SSL_ROLLBACK_DETECTION: 1157 val = ssl_defaults.detectRollBack; 1158 break; 1159 case SSL_NO_STEP_DOWN: 1160 val = PR_FALSE; 1161 break; 1162 case SSL_BYPASS_PKCS11: 1163 val = PR_FALSE; 1164 break; 1165 case SSL_NO_LOCKS: 1166 val = ssl_defaults.noLocks; 1167 break; 1168 case SSL_ENABLE_SESSION_TICKETS: 1169 val = ssl_defaults.enableSessionTickets; 1170 break; 1171 case SSL_ENABLE_DEFLATE: 1172 val = ssl_defaults.enableDeflate; 1173 break; 1174 case SSL_ENABLE_RENEGOTIATION: 1175 val = ssl_defaults.enableRenegotiation; 1176 break; 1177 case SSL_REQUIRE_SAFE_NEGOTIATION: 1178 val = ssl_defaults.requireSafeNegotiation; 1179 break; 1180 case SSL_ENABLE_FALSE_START: 1181 val = ssl_defaults.enableFalseStart; 1182 break; 1183 case SSL_CBC_RANDOM_IV: 1184 val = ssl_defaults.cbcRandomIV; 1185 break; 1186 case SSL_ENABLE_OCSP_STAPLING: 1187 val = ssl_defaults.enableOCSPStapling; 1188 break; 1189 case SSL_ENABLE_DELEGATED_CREDENTIALS: 1190 val = ssl_defaults.enableDelegatedCredentials; 1191 break; 1192 case SSL_ENABLE_NPN: 1193 val = PR_FALSE; 1194 break; 1195 case SSL_ENABLE_ALPN: 1196 val = ssl_defaults.enableALPN; 1197 break; 1198 case SSL_REUSE_SERVER_ECDHE_KEY: 1199 val = ssl_defaults.reuseServerECDHEKey; 1200 break; 1201 case SSL_ENABLE_FALLBACK_SCSV: 1202 val = ssl_defaults.enableFallbackSCSV; 1203 break; 1204 case SSL_ENABLE_SERVER_DHE: 1205 val = ssl_defaults.enableServerDhe; 1206 break; 1207 case SSL_ENABLE_EXTENDED_MASTER_SECRET: 1208 val = ssl_defaults.enableExtendedMS; 1209 break; 1210 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: 1211 val = ssl_defaults.enableSignedCertTimestamps; 1212 break; 1213 case SSL_REQUIRE_DH_NAMED_GROUPS: 1214 val = ssl_defaults.requireDHENamedGroups; 1215 break; 1216 case SSL_ENABLE_0RTT_DATA: 1217 val = ssl_defaults.enable0RttData; 1218 break; 1219 case SSL_RECORD_SIZE_LIMIT: 1220 val = ssl_defaults.recordSizeLimit; 1221 break; 1222 case SSL_ENABLE_TLS13_COMPAT_MODE: 1223 val = ssl_defaults.enableTls13CompatMode; 1224 break; 1225 case SSL_ENABLE_DTLS_SHORT_HEADER: 1226 val = ssl_defaults.enableDtlsShortHeader; 1227 break; 1228 case SSL_ENABLE_HELLO_DOWNGRADE_CHECK: 1229 val = ssl_defaults.enableHelloDowngradeCheck; 1230 break; 1231 case SSL_ENABLE_V2_COMPATIBLE_HELLO: 1232 val = ssl_defaults.enableV2CompatibleHello; 1233 break; 1234 case SSL_ENABLE_POST_HANDSHAKE_AUTH: 1235 val = ssl_defaults.enablePostHandshakeAuth; 1236 break; 1237 case SSL_SUPPRESS_END_OF_EARLY_DATA: 1238 val = ssl_defaults.suppressEndOfEarlyData; 1239 break; 1240 case SSL_ENABLE_GREASE: 1241 val = ssl_defaults.enableGrease; 1242 break; 1243 case SSL_ENABLE_CH_EXTENSION_PERMUTATION: 1244 val = ssl_defaults.enableChXtnPermutation; 1245 break; 1246 case SSL_DB_LOAD_CERTIFICATE_CHAIN: 1247 val = ssl_defaults.dbLoadCertChain; 1248 break; 1249 default: 1250 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1251 rv = SECFailure; 1252 } 1253 1254 *pVal = val; 1255 return rv; 1256 } 1257 1258 /* XXX Use Global Lock to protect this stuff. */ 1259 SECStatus 1260 SSL_EnableDefault(int which, PRIntn val) 1261 { 1262 return SSL_OptionSetDefault(which, val); 1263 } 1264 1265 SECStatus 1266 SSL_OptionSetDefault(PRInt32 which, PRIntn val) 1267 { 1268 SECStatus status = ssl_Init(); 1269 1270 if (status != SECSuccess) { 1271 return status; 1272 } 1273 1274 ssl_SetDefaultsFromEnvironment(); 1275 1276 switch (which) { 1277 case SSL_SOCKS: 1278 ssl_defaults.useSocks = PR_FALSE; 1279 if (val) { 1280 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1281 return SECFailure; 1282 } 1283 break; 1284 1285 case SSL_SECURITY: 1286 ssl_defaults.useSecurity = val; 1287 break; 1288 1289 case SSL_REQUEST_CERTIFICATE: 1290 ssl_defaults.requestCertificate = val; 1291 break; 1292 1293 case SSL_REQUIRE_CERTIFICATE: 1294 ssl_defaults.requireCertificate = val; 1295 break; 1296 1297 case SSL_HANDSHAKE_AS_CLIENT: 1298 if (ssl_defaults.handshakeAsServer && val) { 1299 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1300 return SECFailure; 1301 } 1302 ssl_defaults.handshakeAsClient = val; 1303 break; 1304 1305 case SSL_HANDSHAKE_AS_SERVER: 1306 if (ssl_defaults.handshakeAsClient && val) { 1307 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1308 return SECFailure; 1309 } 1310 ssl_defaults.handshakeAsServer = val; 1311 break; 1312 1313 case SSL_ENABLE_TLS: 1314 ssl_EnableTLS(&versions_defaults_stream, val); 1315 break; 1316 1317 case SSL_ENABLE_SSL3: 1318 ssl_EnableSSL3(&versions_defaults_stream, val); 1319 break; 1320 1321 case SSL_ENABLE_SSL2: 1322 case SSL_V2_COMPATIBLE_HELLO: 1323 /* We no longer support SSL v2. 1324 * However, if an old application requests to disable SSL v2, 1325 * we shouldn't fail. 1326 */ 1327 if (val) { 1328 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1329 return SECFailure; 1330 } 1331 break; 1332 1333 case SSL_NO_CACHE: 1334 ssl_defaults.noCache = val; 1335 break; 1336 1337 case SSL_ENABLE_FDX: 1338 if (val && ssl_defaults.noLocks) { 1339 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1340 return SECFailure; 1341 } 1342 ssl_defaults.fdx = val; 1343 break; 1344 1345 case SSL_ROLLBACK_DETECTION: 1346 ssl_defaults.detectRollBack = val; 1347 break; 1348 1349 case SSL_NO_STEP_DOWN: 1350 break; 1351 1352 case SSL_BYPASS_PKCS11: 1353 break; 1354 1355 case SSL_NO_LOCKS: 1356 if (val && ssl_defaults.fdx) { 1357 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1358 return SECFailure; 1359 } 1360 if (val && ssl_force_locks) 1361 val = PR_FALSE; /* silent override */ 1362 ssl_defaults.noLocks = val; 1363 break; 1364 1365 case SSL_ENABLE_SESSION_TICKETS: 1366 ssl_defaults.enableSessionTickets = val; 1367 break; 1368 1369 case SSL_ENABLE_DEFLATE: 1370 ssl_defaults.enableDeflate = val; 1371 break; 1372 1373 case SSL_ENABLE_RENEGOTIATION: 1374 ssl_defaults.enableRenegotiation = val; 1375 break; 1376 1377 case SSL_REQUIRE_SAFE_NEGOTIATION: 1378 ssl_defaults.requireSafeNegotiation = val; 1379 break; 1380 1381 case SSL_ENABLE_FALSE_START: 1382 ssl_defaults.enableFalseStart = val; 1383 break; 1384 1385 case SSL_CBC_RANDOM_IV: 1386 ssl_defaults.cbcRandomIV = val; 1387 break; 1388 1389 case SSL_ENABLE_OCSP_STAPLING: 1390 ssl_defaults.enableOCSPStapling = val; 1391 break; 1392 1393 case SSL_ENABLE_DELEGATED_CREDENTIALS: 1394 ssl_defaults.enableDelegatedCredentials = val; 1395 break; 1396 1397 case SSL_ENABLE_NPN: 1398 break; 1399 1400 case SSL_ENABLE_ALPN: 1401 ssl_defaults.enableALPN = val; 1402 break; 1403 1404 case SSL_REUSE_SERVER_ECDHE_KEY: 1405 ssl_defaults.reuseServerECDHEKey = val; 1406 break; 1407 1408 case SSL_ENABLE_FALLBACK_SCSV: 1409 ssl_defaults.enableFallbackSCSV = val; 1410 break; 1411 1412 case SSL_ENABLE_SERVER_DHE: 1413 ssl_defaults.enableServerDhe = val; 1414 break; 1415 1416 case SSL_ENABLE_EXTENDED_MASTER_SECRET: 1417 ssl_defaults.enableExtendedMS = val; 1418 break; 1419 1420 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: 1421 ssl_defaults.enableSignedCertTimestamps = val; 1422 break; 1423 case SSL_REQUIRE_DH_NAMED_GROUPS: 1424 ssl_defaults.requireDHENamedGroups = val; 1425 break; 1426 case SSL_ENABLE_0RTT_DATA: 1427 ssl_defaults.enable0RttData = val; 1428 break; 1429 1430 case SSL_RECORD_SIZE_LIMIT: 1431 if (val < 64 || val > (MAX_FRAGMENT_LENGTH + 1)) { 1432 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1433 return SECFailure; 1434 } 1435 ssl_defaults.recordSizeLimit = val; 1436 break; 1437 1438 case SSL_ENABLE_TLS13_COMPAT_MODE: 1439 ssl_defaults.enableTls13CompatMode = val; 1440 break; 1441 1442 case SSL_ENABLE_DTLS_SHORT_HEADER: 1443 ssl_defaults.enableDtlsShortHeader = val; 1444 break; 1445 1446 case SSL_ENABLE_HELLO_DOWNGRADE_CHECK: 1447 ssl_defaults.enableHelloDowngradeCheck = val; 1448 break; 1449 1450 case SSL_ENABLE_V2_COMPATIBLE_HELLO: 1451 ssl_defaults.enableV2CompatibleHello = val; 1452 break; 1453 1454 case SSL_ENABLE_POST_HANDSHAKE_AUTH: 1455 ssl_defaults.enablePostHandshakeAuth = val; 1456 break; 1457 1458 case SSL_SUPPRESS_END_OF_EARLY_DATA: 1459 ssl_defaults.suppressEndOfEarlyData = val; 1460 break; 1461 case SSL_ENABLE_GREASE: 1462 ssl_defaults.enableGrease = val; 1463 break; 1464 case SSL_ENABLE_CH_EXTENSION_PERMUTATION: 1465 ssl_defaults.enableChXtnPermutation = val; 1466 break; 1467 case SSL_DB_LOAD_CERTIFICATE_CHAIN: 1468 ssl_defaults.dbLoadCertChain = val; 1469 break; 1470 default: 1471 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1472 return SECFailure; 1473 } 1474 return SECSuccess; 1475 } 1476 1477 SECStatus 1478 SSLExp_SetMaxEarlyDataSize(PRFileDesc *fd, PRUint32 size) 1479 { 1480 sslSocket *ss = ssl_FindSocket(fd); 1481 if (!ss) { 1482 return SECFailure; /* Error code already set. */ 1483 } 1484 1485 ss->opt.maxEarlyDataSize = size; 1486 return SECSuccess; 1487 } 1488 1489 /* function tells us if the cipher suite is one that we no longer support. */ 1490 static PRBool 1491 ssl_IsRemovedCipherSuite(PRInt32 suite) 1492 { 1493 switch (suite) { 1494 case SSL_FORTEZZA_DMS_WITH_NULL_SHA: 1495 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: 1496 case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: 1497 return PR_TRUE; 1498 default: 1499 return PR_FALSE; 1500 } 1501 } 1502 1503 /* Part of the public NSS API. 1504 * Since this is a global (not per-socket) setting, we cannot use the 1505 * HandshakeLock to protect this. Probably want a global lock. 1506 */ 1507 SECStatus 1508 SSL_SetPolicy(long which, int policy) 1509 { 1510 if (ssl_IsRemovedCipherSuite(which)) 1511 return SECSuccess; 1512 return SSL_CipherPolicySet(which, policy); 1513 } 1514 1515 SECStatus 1516 ssl_CipherPolicySet(PRInt32 which, PRInt32 policy) 1517 { 1518 SECStatus rv = SECSuccess; 1519 1520 if (ssl_IsRemovedCipherSuite(which)) { 1521 rv = SECSuccess; 1522 } else { 1523 rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); 1524 } 1525 return rv; 1526 } 1527 SECStatus 1528 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) 1529 { 1530 SECStatus rv = ssl_Init(); 1531 1532 if (rv != SECSuccess) { 1533 return rv; 1534 } 1535 if (NSS_IsPolicyLocked()) { 1536 PORT_SetError(SEC_ERROR_POLICY_LOCKED); 1537 return SECFailure; 1538 } 1539 return ssl_CipherPolicySet(which, policy); 1540 } 1541 1542 SECStatus 1543 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) 1544 { 1545 SECStatus rv; 1546 1547 if (!oPolicy) { 1548 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1549 return SECFailure; 1550 } 1551 if (ssl_IsRemovedCipherSuite(which)) { 1552 *oPolicy = SSL_NOT_ALLOWED; 1553 rv = SECSuccess; 1554 } else { 1555 rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy); 1556 } 1557 return rv; 1558 } 1559 1560 /* Part of the public NSS API. 1561 * Since this is a global (not per-socket) setting, we cannot use the 1562 * HandshakeLock to protect this. Probably want a global lock. 1563 * These changes have no effect on any sslSockets already created. 1564 */ 1565 SECStatus 1566 SSL_EnableCipher(long which, PRBool enabled) 1567 { 1568 if (ssl_IsRemovedCipherSuite(which)) 1569 return SECSuccess; 1570 return SSL_CipherPrefSetDefault(which, enabled); 1571 } 1572 1573 SECStatus 1574 ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled) 1575 { 1576 if (ssl_IsRemovedCipherSuite(which)) 1577 return SECSuccess; 1578 return ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled); 1579 } 1580 1581 SECStatus 1582 SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) 1583 { 1584 SECStatus rv = ssl_Init(); 1585 PRInt32 locks; 1586 1587 if (rv != SECSuccess) { 1588 return rv; 1589 } 1590 rv = NSS_OptionGet(NSS_DEFAULT_LOCKS, &locks); 1591 if ((rv == SECSuccess) && (locks & NSS_DEFAULT_SSL_LOCK)) { 1592 return SECSuccess; 1593 } 1594 return ssl_CipherPrefSetDefault(which, enabled); 1595 } 1596 1597 SECStatus 1598 SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled) 1599 { 1600 SECStatus rv; 1601 1602 if (!enabled) { 1603 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1604 return SECFailure; 1605 } 1606 if (ssl_IsRemovedCipherSuite(which)) { 1607 *enabled = PR_FALSE; 1608 rv = SECSuccess; 1609 } else { 1610 rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled); 1611 } 1612 return rv; 1613 } 1614 1615 SECStatus 1616 SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled) 1617 { 1618 sslSocket *ss = ssl_FindSocket(fd); 1619 PRInt32 locks; 1620 SECStatus rv; 1621 1622 if (!ss) { 1623 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd)); 1624 return SECFailure; 1625 } 1626 rv = NSS_OptionGet(NSS_DEFAULT_LOCKS, &locks); 1627 if ((rv == SECSuccess) && (locks & NSS_DEFAULT_SSL_LOCK)) { 1628 return SECSuccess; 1629 } 1630 if (ssl_IsRemovedCipherSuite(which)) 1631 return SECSuccess; 1632 return ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled); 1633 } 1634 1635 SECStatus 1636 SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) 1637 { 1638 SECStatus rv; 1639 sslSocket *ss = ssl_FindSocket(fd); 1640 1641 if (!enabled) { 1642 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1643 return SECFailure; 1644 } 1645 if (!ss) { 1646 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd)); 1647 *enabled = PR_FALSE; 1648 return SECFailure; 1649 } 1650 if (ssl_IsRemovedCipherSuite(which)) { 1651 *enabled = PR_FALSE; 1652 rv = SECSuccess; 1653 } else { 1654 rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled); 1655 } 1656 return rv; 1657 } 1658 1659 /* The client can call this function to be aware of the current 1660 * CipherSuites order. */ 1661 SECStatus 1662 SSLExp_CipherSuiteOrderGet(PRFileDesc *fd, PRUint16 *cipherOrder, 1663 unsigned int *numCiphers) 1664 { 1665 if (!fd) { 1666 SSL_DBG(("%d: SSL: file descriptor in CipherSuiteOrderGet is null", 1667 SSL_GETPID())); 1668 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1669 return SECFailure; 1670 } 1671 if (!cipherOrder || !numCiphers) { 1672 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1673 return SECFailure; 1674 } 1675 sslSocket *ss = ssl_FindSocket(fd); 1676 if (!ss) { 1677 SSL_DBG(("%d: SSL[%d]: bad socket in CipherSuiteOrderGet", SSL_GETPID(), 1678 fd)); 1679 return SECFailure; /* Error code already set. */ 1680 } 1681 1682 unsigned int enabled = 0; 1683 ssl_Get1stHandshakeLock(ss); 1684 ssl_GetSSL3HandshakeLock(ss); 1685 for (unsigned int i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 1686 const ssl3CipherSuiteCfg *suiteCfg = &ss->cipherSuites[i]; 1687 if (suiteCfg && suiteCfg->enabled && 1688 suiteCfg->policy != SSL_NOT_ALLOWED) { 1689 cipherOrder[enabled++] = suiteCfg->cipher_suite; 1690 } 1691 } 1692 ssl_ReleaseSSL3HandshakeLock(ss); 1693 ssl_Release1stHandshakeLock(ss); 1694 *numCiphers = enabled; 1695 return SECSuccess; 1696 } 1697 1698 /* This function permits reorder the CipherSuites List for the Handshake 1699 * (Client Hello). */ 1700 SECStatus 1701 SSLExp_CipherSuiteOrderSet(PRFileDesc *fd, const PRUint16 *cipherOrder, 1702 PRUint16 numCiphers) 1703 { 1704 if (!fd) { 1705 SSL_DBG(("%d: SSL: file descriptor in CipherSuiteOrderGet is null", 1706 SSL_GETPID())); 1707 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1708 return SECFailure; 1709 } 1710 if (!cipherOrder || !numCiphers || numCiphers > ssl_V3_SUITES_IMPLEMENTED) { 1711 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1712 return SECFailure; 1713 } 1714 sslSocket *ss = ssl_FindSocket(fd); 1715 if (!ss) { 1716 SSL_DBG(("%d: SSL[%d]: bad socket in CipherSuiteOrderSet", SSL_GETPID(), 1717 fd)); 1718 return SECFailure; /* Error code already set. */ 1719 } 1720 ssl3CipherSuiteCfg tmpSuiteCfg[ssl_V3_SUITES_IMPLEMENTED]; 1721 ssl_Get1stHandshakeLock(ss); 1722 ssl_GetSSL3HandshakeLock(ss); 1723 /* For each cipherSuite given as input, verify that it is 1724 * known to NSS and only present in the list once. */ 1725 for (unsigned int i = 0; i < numCiphers; i++) { 1726 const ssl3CipherSuiteCfg *suiteCfg = 1727 ssl_LookupCipherSuiteCfg(cipherOrder[i], ss->cipherSuites); 1728 if (!suiteCfg) { 1729 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1730 ssl_ReleaseSSL3HandshakeLock(ss); 1731 ssl_Release1stHandshakeLock(ss); 1732 return SECFailure; 1733 } 1734 for (unsigned int j = i + 1; j < numCiphers; j++) { 1735 /* This is a duplicate entry. */ 1736 if (cipherOrder[i] == cipherOrder[j]) { 1737 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1738 ssl_ReleaseSSL3HandshakeLock(ss); 1739 ssl_Release1stHandshakeLock(ss); 1740 return SECFailure; 1741 } 1742 } 1743 tmpSuiteCfg[i] = *suiteCfg; 1744 tmpSuiteCfg[i].enabled = PR_TRUE; 1745 } 1746 /* Find all defined ciphersuites not present in the input list and append 1747 * them after the preferred. This guarantees that the socket will always 1748 * have a complete list of size ssl_V3_SUITES_IMPLEMENTED */ 1749 unsigned int cfgIdx = numCiphers; 1750 for (unsigned int i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { 1751 PRBool received = PR_FALSE; 1752 for (unsigned int j = 0; j < numCiphers; j++) { 1753 if (ss->cipherSuites[i].cipher_suite == 1754 tmpSuiteCfg[j].cipher_suite) { 1755 received = PR_TRUE; 1756 break; 1757 } 1758 } 1759 if (!received) { 1760 tmpSuiteCfg[cfgIdx] = ss->cipherSuites[i]; 1761 tmpSuiteCfg[cfgIdx++].enabled = PR_FALSE; 1762 } 1763 } 1764 PORT_Assert(cfgIdx == ssl_V3_SUITES_IMPLEMENTED); 1765 /* now we can rewrite the socket with the desired order */ 1766 PORT_Memcpy(ss->cipherSuites, tmpSuiteCfg, sizeof(tmpSuiteCfg)); 1767 ssl_ReleaseSSL3HandshakeLock(ss); 1768 ssl_Release1stHandshakeLock(ss); 1769 return SECSuccess; 1770 } 1771 1772 SECStatus 1773 NSS_SetDomesticPolicy(void) 1774 { 1775 SECStatus status = SECSuccess; 1776 const PRUint16 *cipher; 1777 SECStatus rv; 1778 PRUint32 policy; 1779 1780 /* If we've already defined some policy oids, skip changing them */ 1781 rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy); 1782 if ((rv == SECSuccess) && (policy & NSS_USE_POLICY_IN_SSL)) { 1783 return ssl_Init(); /* make sure the policies have been loaded */ 1784 } 1785 1786 for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { 1787 status = SSL_SetPolicy(*cipher, SSL_ALLOWED); 1788 if (status != SECSuccess) 1789 break; 1790 } 1791 return status; 1792 } 1793 1794 SECStatus 1795 NSS_SetExportPolicy(void) 1796 { 1797 return NSS_SetDomesticPolicy(); 1798 } 1799 1800 SECStatus 1801 NSS_SetFrancePolicy(void) 1802 { 1803 return NSS_SetDomesticPolicy(); 1804 } 1805 1806 SECStatus 1807 SSL_NamedGroupConfig(PRFileDesc *fd, const SSLNamedGroup *groups, 1808 unsigned int numGroups) 1809 { 1810 unsigned int i; 1811 unsigned int j = 0; 1812 sslSocket *ss = ssl_FindSocket(fd); 1813 1814 if (!ss) { 1815 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); 1816 return SECFailure; 1817 } 1818 1819 if (!groups) { 1820 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1821 return SECFailure; 1822 } 1823 if (numGroups > SSL_NAMED_GROUP_COUNT) { 1824 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1825 return SECFailure; 1826 } 1827 1828 memset((void *)ss->namedGroupPreferences, 0, 1829 sizeof(ss->namedGroupPreferences)); 1830 for (i = 0; i < numGroups; ++i) { 1831 const sslNamedGroupDef *groupDef = ssl_LookupNamedGroup(groups[i]); 1832 if (!ssl_NamedGroupEnabled(ss, groupDef)) { 1833 ss->namedGroupPreferences[j++] = groupDef; 1834 } 1835 } 1836 1837 return SECSuccess; 1838 } 1839 1840 SECStatus 1841 SSL_DHEGroupPrefSet(PRFileDesc *fd, const SSLDHEGroupType *groups, 1842 PRUint16 num_groups) 1843 { 1844 sslSocket *ss; 1845 const SSLDHEGroupType *list; 1846 unsigned int count; 1847 int i, k, j; 1848 const sslNamedGroupDef *enabled[SSL_NAMED_GROUP_COUNT] = { 0 }; 1849 static const SSLDHEGroupType default_dhe_groups[] = { 1850 ssl_ff_dhe_2048_group 1851 }; 1852 1853 if ((num_groups && !groups) || (!num_groups && groups) || 1854 num_groups > SSL_NAMED_GROUP_COUNT) { 1855 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1856 return SECFailure; 1857 } 1858 1859 ss = ssl_FindSocket(fd); 1860 if (!ss) { 1861 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd)); 1862 return SECFailure; 1863 } 1864 1865 if (groups) { 1866 list = groups; 1867 count = num_groups; 1868 } else { 1869 list = default_dhe_groups; 1870 count = PR_ARRAY_SIZE(default_dhe_groups); 1871 } 1872 1873 /* save enabled ec groups and clear ss->namedGroupPreferences */ 1874 k = 0; 1875 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { 1876 if (ss->namedGroupPreferences[i] && 1877 ss->namedGroupPreferences[i]->keaType != ssl_kea_dh) { 1878 enabled[k++] = ss->namedGroupPreferences[i]; 1879 } 1880 ss->namedGroupPreferences[i] = NULL; 1881 } 1882 1883 ss->ssl3.dhePreferredGroup = NULL; 1884 for (i = 0; i < count; ++i) { 1885 PRBool duplicate = PR_FALSE; 1886 SSLNamedGroup name; 1887 const sslNamedGroupDef *groupDef; 1888 switch (list[i]) { 1889 case ssl_ff_dhe_2048_group: 1890 name = ssl_grp_ffdhe_2048; 1891 break; 1892 case ssl_ff_dhe_3072_group: 1893 name = ssl_grp_ffdhe_3072; 1894 break; 1895 case ssl_ff_dhe_4096_group: 1896 name = ssl_grp_ffdhe_4096; 1897 break; 1898 case ssl_ff_dhe_6144_group: 1899 name = ssl_grp_ffdhe_6144; 1900 break; 1901 case ssl_ff_dhe_8192_group: 1902 name = ssl_grp_ffdhe_8192; 1903 break; 1904 default: 1905 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1906 return SECFailure; 1907 } 1908 groupDef = ssl_LookupNamedGroup(name); 1909 PORT_Assert(groupDef); 1910 if (!ss->ssl3.dhePreferredGroup) { 1911 ss->ssl3.dhePreferredGroup = groupDef; 1912 } 1913 PORT_Assert(k < SSL_NAMED_GROUP_COUNT); 1914 for (j = 0; j < k; ++j) { 1915 /* skip duplicates */ 1916 if (enabled[j] == groupDef) { 1917 duplicate = PR_TRUE; 1918 break; 1919 } 1920 } 1921 if (!duplicate) { 1922 enabled[k++] = groupDef; 1923 } 1924 } 1925 for (i = 0; i < k; ++i) { 1926 ss->namedGroupPreferences[i] = enabled[i]; 1927 } 1928 1929 return SECSuccess; 1930 } 1931 1932 PRCallOnceType gWeakDHParamsRegisterOnce; 1933 int gWeakDHParamsRegisterError; 1934 1935 PRCallOnceType gWeakDHParamsOnce; 1936 int gWeakDHParamsError; 1937 /* As our code allocates type PQGParams, we'll keep it around, 1938 * even though we only make use of it's parameters through gWeakDHParam. */ 1939 static PQGParams *gWeakParamsPQG; 1940 static ssl3DHParams *gWeakDHParams; 1941 #define WEAK_DHE_SIZE 1024 1942 1943 static PRStatus 1944 ssl3_CreateWeakDHParams(void) 1945 { 1946 PQGVerify *vfy; 1947 SECStatus rv, passed; 1948 1949 PORT_Assert(!gWeakDHParams && !gWeakParamsPQG); 1950 1951 rv = PK11_PQG_ParamGenV2(WEAK_DHE_SIZE, 160, 64 /*maximum seed that will work*/, 1952 &gWeakParamsPQG, &vfy); 1953 if (rv != SECSuccess) { 1954 gWeakDHParamsError = PORT_GetError(); 1955 return PR_FAILURE; 1956 } 1957 1958 rv = PK11_PQG_VerifyParams(gWeakParamsPQG, vfy, &passed); 1959 if (rv != SECSuccess || passed != SECSuccess) { 1960 SSL_DBG(("%d: PK11_PQG_VerifyParams failed in ssl3_CreateWeakDHParams", 1961 SSL_GETPID())); 1962 gWeakDHParamsError = PORT_GetError(); 1963 return PR_FAILURE; 1964 } 1965 1966 gWeakDHParams = PORT_ArenaNew(gWeakParamsPQG->arena, ssl3DHParams); 1967 if (!gWeakDHParams) { 1968 gWeakDHParamsError = PORT_GetError(); 1969 return PR_FAILURE; 1970 } 1971 1972 gWeakDHParams->name = ssl_grp_ffdhe_custom; 1973 gWeakDHParams->prime.data = gWeakParamsPQG->prime.data; 1974 gWeakDHParams->prime.len = gWeakParamsPQG->prime.len; 1975 gWeakDHParams->base.data = gWeakParamsPQG->base.data; 1976 gWeakDHParams->base.len = gWeakParamsPQG->base.len; 1977 1978 PK11_PQG_DestroyVerify(vfy); 1979 return PR_SUCCESS; 1980 } 1981 1982 static SECStatus 1983 ssl3_WeakDHParamsShutdown(void *appData, void *nssData) 1984 { 1985 if (gWeakParamsPQG) { 1986 PK11_PQG_DestroyParams(gWeakParamsPQG); 1987 gWeakParamsPQG = NULL; 1988 gWeakDHParams = NULL; 1989 } 1990 return SECSuccess; 1991 } 1992 1993 static PRStatus 1994 ssl3_WeakDHParamsRegisterShutdown(void) 1995 { 1996 SECStatus rv; 1997 rv = NSS_RegisterShutdown(ssl3_WeakDHParamsShutdown, NULL); 1998 if (rv != SECSuccess) { 1999 gWeakDHParamsRegisterError = PORT_GetError(); 2000 } 2001 return (PRStatus)rv; 2002 } 2003 2004 /* global init strategy inspired by ssl3_CreateECDHEphemeralKeys */ 2005 SECStatus 2006 SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled) 2007 { 2008 sslSocket *ss; 2009 PRStatus status; 2010 2011 if (enabled) { 2012 status = PR_CallOnce(&gWeakDHParamsRegisterOnce, 2013 ssl3_WeakDHParamsRegisterShutdown); 2014 if (status != PR_SUCCESS) { 2015 PORT_SetError(gWeakDHParamsRegisterError); 2016 return SECFailure; 2017 } 2018 2019 status = PR_CallOnce(&gWeakDHParamsOnce, ssl3_CreateWeakDHParams); 2020 if (status != PR_SUCCESS) { 2021 PORT_SetError(gWeakDHParamsError); 2022 return SECFailure; 2023 } 2024 } 2025 2026 if (!fd) 2027 return SECSuccess; 2028 2029 ss = ssl_FindSocket(fd); 2030 if (!ss) { 2031 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_DHEGroupPrefSet", SSL_GETPID(), fd)); 2032 return SECFailure; 2033 } 2034 2035 ss->ssl3.dheWeakGroupEnabled = enabled; 2036 return SECSuccess; 2037 } 2038 2039 #include "dhe-param.c" 2040 2041 const ssl3DHParams * 2042 ssl_GetDHEParams(const sslNamedGroupDef *groupDef) 2043 { 2044 switch (groupDef->name) { 2045 case ssl_grp_ffdhe_2048: 2046 return &ff_dhe_2048_params; 2047 case ssl_grp_ffdhe_3072: 2048 return &ff_dhe_3072_params; 2049 case ssl_grp_ffdhe_4096: 2050 return &ff_dhe_4096_params; 2051 case ssl_grp_ffdhe_6144: 2052 return &ff_dhe_6144_params; 2053 case ssl_grp_ffdhe_8192: 2054 return &ff_dhe_8192_params; 2055 case ssl_grp_ffdhe_custom: 2056 PORT_Assert(gWeakDHParams); 2057 return gWeakDHParams; 2058 default: 2059 PORT_Assert(0); 2060 } 2061 return NULL; 2062 } 2063 2064 /* This validates dh_Ys against the group prime. */ 2065 PRBool 2066 ssl_IsValidDHEShare(const SECItem *dh_p, const SECItem *dh_Ys) 2067 { 2068 unsigned int size_p = SECKEY_BigIntegerBitLength(dh_p); 2069 unsigned int size_y = SECKEY_BigIntegerBitLength(dh_Ys); 2070 unsigned int commonPart; 2071 int cmp; 2072 2073 if (dh_p->len == 0 || dh_Ys->len == 0) { 2074 return PR_FALSE; 2075 } 2076 /* Check that the prime is at least odd. */ 2077 if ((dh_p->data[dh_p->len - 1] & 0x01) == 0) { 2078 return PR_FALSE; 2079 } 2080 /* dh_Ys can't be 1, or bigger than dh_p. */ 2081 if (size_y <= 1 || size_y > size_p) { 2082 return PR_FALSE; 2083 } 2084 /* If dh_Ys is shorter, then it's definitely smaller than p-1. */ 2085 if (size_y < size_p) { 2086 return PR_TRUE; 2087 } 2088 2089 /* Compare the common part of each, minus the final octet. */ 2090 commonPart = (size_p + 7) / 8; 2091 PORT_Assert(commonPart <= dh_Ys->len); 2092 PORT_Assert(commonPart <= dh_p->len); 2093 cmp = PORT_Memcmp(dh_Ys->data + dh_Ys->len - commonPart, 2094 dh_p->data + dh_p->len - commonPart, commonPart - 1); 2095 if (cmp < 0) { 2096 return PR_TRUE; 2097 } 2098 if (cmp > 0) { 2099 return PR_FALSE; 2100 } 2101 2102 /* The last octet of the prime is the only thing that is different and that 2103 * has to be two greater than the share, otherwise we have Ys == p - 1, 2104 * and that means small subgroups. */ 2105 if (dh_Ys->data[dh_Ys->len - 1] >= (dh_p->data[dh_p->len - 1] - 1)) { 2106 return PR_FALSE; 2107 } 2108 2109 return PR_TRUE; 2110 } 2111 2112 /* Checks that the provided DH parameters match those in one of the named groups 2113 * that we have enabled. The groups are defined in dhe-param.c and are those 2114 * defined in Appendix A of draft-ietf-tls-negotiated-ff-dhe. 2115 * 2116 * |groupDef| and |dhParams| are optional outparams that identify the group and 2117 * its parameters respectively (if this is successful). */ 2118 SECStatus 2119 ssl_ValidateDHENamedGroup(sslSocket *ss, 2120 const SECItem *dh_p, 2121 const SECItem *dh_g, 2122 const sslNamedGroupDef **groupDef, 2123 const ssl3DHParams **dhParams) 2124 { 2125 unsigned int i; 2126 2127 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { 2128 const ssl3DHParams *params; 2129 if (!ss->namedGroupPreferences[i]) { 2130 continue; 2131 } 2132 if (ss->namedGroupPreferences[i]->keaType != ssl_kea_dh) { 2133 continue; 2134 } 2135 2136 params = ssl_GetDHEParams(ss->namedGroupPreferences[i]); 2137 PORT_Assert(params); 2138 if (SECITEM_ItemsAreEqual(¶ms->prime, dh_p)) { 2139 if (!SECITEM_ItemsAreEqual(¶ms->base, dh_g)) { 2140 return SECFailure; 2141 } 2142 if (groupDef) 2143 *groupDef = ss->namedGroupPreferences[i]; 2144 if (dhParams) 2145 *dhParams = params; 2146 return SECSuccess; 2147 } 2148 } 2149 2150 return SECFailure; 2151 } 2152 2153 /* Ensure DH parameters have been selected. This just picks the first enabled 2154 * FFDHE group in ssl_named_groups, or the weak one if it was enabled. */ 2155 SECStatus 2156 ssl_SelectDHEGroup(sslSocket *ss, const sslNamedGroupDef **groupDef) 2157 { 2158 unsigned int i; 2159 static const sslNamedGroupDef weak_group_def = { 2160 ssl_grp_ffdhe_custom, WEAK_DHE_SIZE, ssl_kea_dh, 2161 SEC_OID_TLS_DHE_CUSTOM, PR_TRUE 2162 }; 2163 PRInt32 minDH; 2164 SECStatus rv; 2165 2166 // make sure we select a group consistent with our 2167 // current policy policy 2168 rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH); 2169 if (rv != SECSuccess || minDH <= 0) { 2170 minDH = DH_MIN_P_BITS; 2171 } 2172 2173 /* Only select weak groups in TLS 1.2 and earlier, but not if the client has 2174 * indicated that it supports an FFDHE named group. */ 2175 if (ss->ssl3.dheWeakGroupEnabled && 2176 ss->version < SSL_LIBRARY_VERSION_TLS_1_3 && 2177 !ss->xtnData.peerSupportsFfdheGroups && 2178 weak_group_def.bits >= minDH) { 2179 *groupDef = &weak_group_def; 2180 return SECSuccess; 2181 } 2182 if (ss->ssl3.dhePreferredGroup && 2183 ssl_NamedGroupEnabled(ss, ss->ssl3.dhePreferredGroup) && 2184 ss->ssl3.dhePreferredGroup->bits >= minDH) { 2185 *groupDef = ss->ssl3.dhePreferredGroup; 2186 return SECSuccess; 2187 } 2188 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { 2189 if (ss->namedGroupPreferences[i] && 2190 ss->namedGroupPreferences[i]->keaType == ssl_kea_dh && 2191 ss->namedGroupPreferences[i]->bits >= minDH) { 2192 *groupDef = ss->namedGroupPreferences[i]; 2193 return SECSuccess; 2194 } 2195 } 2196 2197 *groupDef = NULL; 2198 PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP); 2199 return SECFailure; 2200 } 2201 2202 /* LOCKS ??? XXX */ 2203 static PRFileDesc * 2204 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant) 2205 { 2206 sslSocket *ns = NULL; 2207 PRStatus rv; 2208 PRNetAddr addr; 2209 SECStatus status = ssl_Init(); 2210 2211 if (status != SECSuccess) { 2212 return NULL; 2213 } 2214 2215 if (model == NULL) { 2216 /* Just create a default socket if we're given NULL for the model */ 2217 ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant); 2218 } else { 2219 sslSocket *ss = ssl_FindSocket(model); 2220 if (ss == NULL || ss->protocolVariant != variant) { 2221 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", 2222 SSL_GETPID(), model)); 2223 return NULL; 2224 } 2225 ns = ssl_DupSocket(ss); 2226 } 2227 if (ns == NULL) 2228 return NULL; 2229 2230 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); 2231 if (rv != PR_SUCCESS) { 2232 ssl_FreeSocket(ns); 2233 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 2234 return NULL; 2235 } 2236 #if defined(DEBUG) || defined(FORCE_PR_ASSERT) 2237 { 2238 sslSocket *ss = ssl_FindSocket(fd); 2239 PORT_Assert(ss == ns); 2240 } 2241 #endif 2242 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); 2243 return fd; 2244 } 2245 2246 PRFileDesc * 2247 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) 2248 { 2249 return ssl_ImportFD(model, fd, ssl_variant_stream); 2250 } 2251 2252 PRFileDesc * 2253 DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd) 2254 { 2255 return ssl_ImportFD(model, fd, ssl_variant_datagram); 2256 } 2257 2258 /* SSL_SetNextProtoCallback is used to select an application protocol 2259 * for ALPN. */ 2260 SECStatus 2261 SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback, 2262 void *arg) 2263 { 2264 sslSocket *ss = ssl_FindSocket(fd); 2265 2266 if (!ss) { 2267 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETPID(), 2268 fd)); 2269 return SECFailure; 2270 } 2271 2272 ssl_GetSSL3HandshakeLock(ss); 2273 ss->nextProtoCallback = callback; 2274 ss->nextProtoArg = arg; 2275 ssl_ReleaseSSL3HandshakeLock(ss); 2276 2277 return SECSuccess; 2278 } 2279 2280 /* ssl_NextProtoNegoCallback is set as an ALPN callback when 2281 * SSL_SetNextProtoNego is used. 2282 */ 2283 static SECStatus 2284 ssl_NextProtoNegoCallback(void *arg, PRFileDesc *fd, 2285 const unsigned char *protos, unsigned int protos_len, 2286 unsigned char *protoOut, unsigned int *protoOutLen, 2287 unsigned int protoMaxLen) 2288 { 2289 unsigned int i, j; 2290 sslSocket *ss = ssl_FindSocket(fd); 2291 if (!ss) { 2292 SSL_DBG(("%d: SSL[%d]: bad socket in ssl_NextProtoNegoCallback", 2293 SSL_GETPID(), fd)); 2294 return SECFailure; 2295 } 2296 if (ss->opt.nextProtoNego.len == 0) { 2297 SSL_DBG(("%d: SSL[%d]: ssl_NextProtoNegoCallback ALPN disabled", 2298 SSL_GETPID(), fd)); 2299 SSL3_SendAlert(ss, alert_fatal, unsupported_extension); 2300 return SECFailure; 2301 } 2302 2303 PORT_Assert(protoMaxLen <= 255); 2304 if (protoMaxLen > 255) { 2305 PORT_SetError(SEC_ERROR_OUTPUT_LEN); 2306 return SECFailure; 2307 } 2308 2309 /* For each protocol in client preference, see if we support it. */ 2310 for (j = 0; j < ss->opt.nextProtoNego.len;) { 2311 for (i = 0; i < protos_len;) { 2312 if (protos[i] == ss->opt.nextProtoNego.data[j] && 2313 PORT_Memcmp(&protos[i + 1], &ss->opt.nextProtoNego.data[j + 1], 2314 protos[i]) == 0) { 2315 /* We found a match. */ 2316 const unsigned char *result = &protos[i]; 2317 memcpy(protoOut, result + 1, result[0]); 2318 *protoOutLen = result[0]; 2319 return SECSuccess; 2320 } 2321 i += 1 + (unsigned int)protos[i]; 2322 } 2323 j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j]; 2324 } 2325 2326 return SECSuccess; 2327 } 2328 2329 SECStatus 2330 SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, 2331 unsigned int length) 2332 { 2333 sslSocket *ss; 2334 2335 ss = ssl_FindSocket(fd); 2336 if (!ss) { 2337 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", 2338 SSL_GETPID(), fd)); 2339 return SECFailure; 2340 } 2341 2342 if (length > 0 && ssl3_ValidateAppProtocol(data, length) != SECSuccess) { 2343 return SECFailure; 2344 } 2345 2346 /* NPN required that the client's fallback protocol is first in the 2347 * list. However, ALPN sends protocols in preference order. So move the 2348 * first protocol to the end of the list. */ 2349 ssl_GetSSL3HandshakeLock(ss); 2350 SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE); 2351 if (length > 0) { 2352 SECITEM_AllocItem(NULL, &ss->opt.nextProtoNego, length); 2353 size_t firstLen = data[0] + 1; 2354 /* firstLen <= length is ensured by ssl3_ValidateAppProtocol. */ 2355 PORT_Memcpy(ss->opt.nextProtoNego.data + (length - firstLen), data, firstLen); 2356 PORT_Memcpy(ss->opt.nextProtoNego.data, data + firstLen, length - firstLen); 2357 } 2358 ssl_ReleaseSSL3HandshakeLock(ss); 2359 2360 return SSL_SetNextProtoCallback(fd, ssl_NextProtoNegoCallback, NULL); 2361 } 2362 2363 SECStatus 2364 SSL_GetNextProto(PRFileDesc *fd, SSLNextProtoState *state, unsigned char *buf, 2365 unsigned int *bufLen, unsigned int bufLenMax) 2366 { 2367 sslSocket *ss = ssl_FindSocket(fd); 2368 2369 if (!ss) { 2370 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetNextProto", SSL_GETPID(), 2371 fd)); 2372 return SECFailure; 2373 } 2374 2375 if (!state || !buf || !bufLen) { 2376 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2377 return SECFailure; 2378 } 2379 2380 *state = ss->xtnData.nextProtoState; 2381 2382 if (ss->xtnData.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT && 2383 ss->xtnData.nextProto.data) { 2384 if (ss->xtnData.nextProto.len > bufLenMax) { 2385 PORT_SetError(SEC_ERROR_OUTPUT_LEN); 2386 return SECFailure; 2387 } 2388 PORT_Memcpy(buf, ss->xtnData.nextProto.data, ss->xtnData.nextProto.len); 2389 *bufLen = ss->xtnData.nextProto.len; 2390 } else { 2391 *bufLen = 0; 2392 } 2393 2394 return SECSuccess; 2395 } 2396 2397 SECStatus 2398 SSL_SetSRTPCiphers(PRFileDesc *fd, 2399 const PRUint16 *ciphers, 2400 unsigned int numCiphers) 2401 { 2402 sslSocket *ss; 2403 unsigned int i; 2404 2405 ss = ssl_FindSocket(fd); 2406 if (!ss || !IS_DTLS(ss)) { 2407 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSRTPCiphers", 2408 SSL_GETPID(), fd)); 2409 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2410 return SECFailure; 2411 } 2412 2413 if (numCiphers > MAX_DTLS_SRTP_CIPHER_SUITES) { 2414 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2415 return SECFailure; 2416 } 2417 2418 ss->ssl3.dtlsSRTPCipherCount = 0; 2419 for (i = 0; i < numCiphers; i++) { 2420 const PRUint16 *srtpCipher = srtpCiphers; 2421 2422 while (*srtpCipher) { 2423 if (ciphers[i] == *srtpCipher) 2424 break; 2425 srtpCipher++; 2426 } 2427 if (*srtpCipher) { 2428 ss->ssl3.dtlsSRTPCiphers[ss->ssl3.dtlsSRTPCipherCount++] = 2429 ciphers[i]; 2430 } else { 2431 SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher " 2432 "suite specified: 0x%04hx", 2433 SSL_GETPID(), fd, 2434 ciphers[i])); 2435 } 2436 } 2437 2438 if (ss->ssl3.dtlsSRTPCipherCount == 0) { 2439 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2440 return SECFailure; 2441 } 2442 2443 return SECSuccess; 2444 } 2445 2446 SECStatus 2447 SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher) 2448 { 2449 sslSocket *ss; 2450 2451 ss = ssl_FindSocket(fd); 2452 if (!ss) { 2453 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetSRTPCipher", 2454 SSL_GETPID(), fd)); 2455 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2456 return SECFailure; 2457 } 2458 2459 if (!ss->xtnData.dtlsSRTPCipherSuite) { 2460 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2461 return SECFailure; 2462 } 2463 2464 *cipher = ss->xtnData.dtlsSRTPCipherSuite; 2465 return SECSuccess; 2466 } 2467 2468 PRFileDesc * 2469 SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) 2470 { 2471 sslSocket *sm = NULL, *ss = NULL; 2472 PRCList *cursor; 2473 SECStatus rv; 2474 2475 if (model == NULL) { 2476 PR_SetError(SEC_ERROR_INVALID_ARGS, 0); 2477 return NULL; 2478 } 2479 sm = ssl_FindSocket(model); 2480 if (sm == NULL) { 2481 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ReconfigFD", 2482 SSL_GETPID(), model)); 2483 return NULL; 2484 } 2485 ss = ssl_FindSocket(fd); 2486 PORT_Assert(ss); 2487 if (ss == NULL) { 2488 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2489 return NULL; 2490 } 2491 2492 ss->opt = sm->opt; 2493 ss->vrange = sm->vrange; 2494 ss->now = sm->now; 2495 ss->nowArg = sm->nowArg; 2496 PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites); 2497 PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers, 2498 sizeof(PRUint16) * sm->ssl3.dtlsSRTPCipherCount); 2499 ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount; 2500 PORT_Memcpy(ss->ssl3.signatureSchemes, sm->ssl3.signatureSchemes, 2501 sizeof(ss->ssl3.signatureSchemes[0]) * 2502 sm->ssl3.signatureSchemeCount); 2503 ss->ssl3.signatureSchemeCount = sm->ssl3.signatureSchemeCount; 2504 ss->ssl3.downgradeCheckVersion = sm->ssl3.downgradeCheckVersion; 2505 2506 if (!ss->opt.useSecurity) { 2507 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2508 return NULL; 2509 } 2510 while (!PR_CLIST_IS_EMPTY(&ss->serverCerts)) { 2511 cursor = PR_LIST_TAIL(&ss->serverCerts); 2512 PR_REMOVE_LINK(cursor); 2513 ssl_FreeServerCert((sslServerCert *)cursor); 2514 } 2515 for (cursor = PR_NEXT_LINK(&sm->serverCerts); 2516 cursor != &sm->serverCerts; 2517 cursor = PR_NEXT_LINK(cursor)) { 2518 sslServerCert *sc = ssl_CopyServerCert((sslServerCert *)cursor); 2519 if (!sc) 2520 return NULL; 2521 PR_APPEND_LINK(&sc->link, &ss->serverCerts); 2522 } 2523 2524 ssl_FreeEphemeralKeyPairs(ss); 2525 for (cursor = PR_NEXT_LINK(&sm->ephemeralKeyPairs); 2526 cursor != &sm->ephemeralKeyPairs; 2527 cursor = PR_NEXT_LINK(cursor)) { 2528 sslEphemeralKeyPair *mkp = (sslEphemeralKeyPair *)cursor; 2529 sslEphemeralKeyPair *skp = ssl_CopyEphemeralKeyPair(mkp); 2530 if (!skp) 2531 return NULL; 2532 PR_APPEND_LINK(&skp->link, &ss->ephemeralKeyPairs); 2533 } 2534 2535 while (!PR_CLIST_IS_EMPTY(&ss->extensionHooks)) { 2536 cursor = PR_LIST_TAIL(&ss->extensionHooks); 2537 PR_REMOVE_LINK(cursor); 2538 PORT_Free(cursor); 2539 } 2540 for (cursor = PR_NEXT_LINK(&sm->extensionHooks); 2541 cursor != &sm->extensionHooks; 2542 cursor = PR_NEXT_LINK(cursor)) { 2543 sslCustomExtensionHooks *hook = (sslCustomExtensionHooks *)cursor; 2544 rv = SSL_InstallExtensionHooks(ss->fd, hook->type, 2545 hook->writer, hook->writerArg, 2546 hook->handler, hook->handlerArg); 2547 if (rv != SECSuccess) { 2548 return NULL; 2549 } 2550 } 2551 2552 PORT_Memcpy((void *)ss->namedGroupPreferences, 2553 sm->namedGroupPreferences, 2554 sizeof(ss->namedGroupPreferences)); 2555 ss->additionalShares = sm->additionalShares; 2556 2557 /* copy trust anchor names */ 2558 if (sm->ssl3.ca_list) { 2559 if (ss->ssl3.ca_list) { 2560 CERT_FreeDistNames(ss->ssl3.ca_list); 2561 } 2562 ss->ssl3.ca_list = CERT_DupDistNames(sm->ssl3.ca_list); 2563 if (!ss->ssl3.ca_list) { 2564 return NULL; 2565 } 2566 } 2567 2568 /* Copy ECH. */ 2569 tls13_DestroyEchConfigs(&ss->echConfigs); 2570 SECKEY_DestroyPrivateKey(ss->echPrivKey); 2571 SECKEY_DestroyPublicKey(ss->echPubKey); 2572 rv = tls13_CopyEchConfigs(&sm->echConfigs, &ss->echConfigs); 2573 if (rv != SECSuccess) { 2574 return NULL; 2575 } 2576 if (sm->echPrivKey && sm->echPubKey) { 2577 /* Might be client (no keys). */ 2578 ss->echPrivKey = SECKEY_CopyPrivateKey(sm->echPrivKey); 2579 ss->echPubKey = SECKEY_CopyPublicKey(sm->echPubKey); 2580 if (!ss->echPrivKey || !ss->echPubKey) { 2581 return NULL; 2582 } 2583 } 2584 2585 /* Copy anti-replay context. */ 2586 if (ss->antiReplay) { 2587 tls13_ReleaseAntiReplayContext(ss->antiReplay); 2588 ss->antiReplay = NULL; 2589 } 2590 if (sm->antiReplay) { 2591 ss->antiReplay = tls13_RefAntiReplayContext(sm->antiReplay); 2592 PORT_Assert(ss->antiReplay); 2593 if (!ss->antiReplay) { 2594 return NULL; 2595 } 2596 } 2597 2598 tls13_ResetHandshakePsks(sm, &ss->ssl3.hs.psks); 2599 2600 if (sm->authCertificate) 2601 ss->authCertificate = sm->authCertificate; 2602 if (sm->authCertificateArg) 2603 ss->authCertificateArg = sm->authCertificateArg; 2604 if (sm->getClientAuthData) 2605 ss->getClientAuthData = sm->getClientAuthData; 2606 if (sm->getClientAuthDataArg) 2607 ss->getClientAuthDataArg = sm->getClientAuthDataArg; 2608 if (sm->sniSocketConfig) 2609 ss->sniSocketConfig = sm->sniSocketConfig; 2610 if (sm->sniSocketConfigArg) 2611 ss->sniSocketConfigArg = sm->sniSocketConfigArg; 2612 if (sm->alertReceivedCallback) { 2613 ss->alertReceivedCallback = sm->alertReceivedCallback; 2614 ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg; 2615 } 2616 if (sm->alertSentCallback) { 2617 ss->alertSentCallback = sm->alertSentCallback; 2618 ss->alertSentCallbackArg = sm->alertSentCallbackArg; 2619 } 2620 if (sm->handleBadCert) 2621 ss->handleBadCert = sm->handleBadCert; 2622 if (sm->badCertArg) 2623 ss->badCertArg = sm->badCertArg; 2624 if (sm->handshakeCallback) 2625 ss->handshakeCallback = sm->handshakeCallback; 2626 if (sm->handshakeCallbackData) 2627 ss->handshakeCallbackData = sm->handshakeCallbackData; 2628 if (sm->pkcs11PinArg) 2629 ss->pkcs11PinArg = sm->pkcs11PinArg; 2630 2631 return fd; 2632 } 2633 2634 SECStatus 2635 ssl3_GetEffectiveVersionPolicy(SSLProtocolVariant variant, 2636 SSLVersionRange *effectivePolicy) 2637 { 2638 SECStatus rv; 2639 PRUint32 policyFlag; 2640 PRInt32 minPolicy, maxPolicy; 2641 2642 if (variant == ssl_variant_stream) { 2643 effectivePolicy->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM; 2644 effectivePolicy->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; 2645 } else { 2646 effectivePolicy->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM; 2647 effectivePolicy->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; 2648 } 2649 2650 rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policyFlag); 2651 if ((rv != SECSuccess) || !(policyFlag & NSS_USE_POLICY_IN_SSL)) { 2652 /* Policy is not active, report library extents. */ 2653 return SECSuccess; 2654 } 2655 2656 rv = NSS_OptionGet(VERSIONS_POLICY_MIN(variant), &minPolicy); 2657 if (rv != SECSuccess) { 2658 return SECFailure; 2659 } 2660 rv = NSS_OptionGet(VERSIONS_POLICY_MAX(variant), &maxPolicy); 2661 if (rv != SECSuccess) { 2662 return SECFailure; 2663 } 2664 2665 if (minPolicy > effectivePolicy->max || 2666 maxPolicy < effectivePolicy->min || 2667 minPolicy > maxPolicy) { 2668 return SECFailure; 2669 } 2670 effectivePolicy->min = PR_MAX(effectivePolicy->min, minPolicy); 2671 effectivePolicy->max = PR_MIN(effectivePolicy->max, maxPolicy); 2672 return SECSuccess; 2673 } 2674 2675 /* 2676 * Assumes that rangeParam values are within the supported boundaries, 2677 * but should contain all potentially allowed versions, even if they contain 2678 * conflicting versions. 2679 * Will return the overlap, or a NONE range if system policy is invalid. 2680 */ 2681 static SECStatus 2682 ssl3_CreateOverlapWithPolicy(SSLProtocolVariant protocolVariant, 2683 SSLVersionRange *input, 2684 SSLVersionRange *overlap) 2685 { 2686 SECStatus rv; 2687 SSLVersionRange effectivePolicyBoundary; 2688 SSLVersionRange vrange; 2689 2690 PORT_Assert(input != NULL); 2691 2692 rv = ssl3_GetEffectiveVersionPolicy(protocolVariant, 2693 &effectivePolicyBoundary); 2694 if (rv == SECFailure) { 2695 /* SECFailure means internal failure or invalid configuration. */ 2696 overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE; 2697 return SECFailure; 2698 } 2699 2700 vrange.min = PR_MAX(input->min, effectivePolicyBoundary.min); 2701 vrange.max = PR_MIN(input->max, effectivePolicyBoundary.max); 2702 2703 if (vrange.max < vrange.min) { 2704 /* there was no overlap, turn off range altogether */ 2705 overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE; 2706 return SECFailure; 2707 } 2708 2709 *overlap = vrange; 2710 return SECSuccess; 2711 } 2712 2713 static PRBool 2714 ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant, 2715 SSL3ProtocolVersion version) 2716 { 2717 SECStatus rv; 2718 SSLVersionRange effectivePolicyBoundary; 2719 2720 rv = ssl3_GetEffectiveVersionPolicy(protocolVariant, 2721 &effectivePolicyBoundary); 2722 if (rv == SECFailure) { 2723 /* SECFailure means internal failure or invalid configuration. */ 2724 return PR_FALSE; 2725 } 2726 return version >= effectivePolicyBoundary.min && 2727 version <= effectivePolicyBoundary.max; 2728 } 2729 2730 /* 2731 * This is called at SSL init time to constrain the existing range based 2732 * on user supplied policy. 2733 */ 2734 SECStatus 2735 ssl3_ConstrainRangeByPolicy(void) 2736 { 2737 /* We ignore failures in ssl3_CreateOverlapWithPolicy. Although an empty 2738 * overlap disables all connectivity, it's an allowed state. 2739 */ 2740 ssl3_CreateOverlapWithPolicy(ssl_variant_stream, 2741 VERSIONS_DEFAULTS(ssl_variant_stream), 2742 VERSIONS_DEFAULTS(ssl_variant_stream)); 2743 ssl3_CreateOverlapWithPolicy(ssl_variant_datagram, 2744 VERSIONS_DEFAULTS(ssl_variant_datagram), 2745 VERSIONS_DEFAULTS(ssl_variant_datagram)); 2746 return SECSuccess; 2747 } 2748 2749 PRBool 2750 ssl3_VersionIsSupportedByCode(SSLProtocolVariant protocolVariant, 2751 SSL3ProtocolVersion version) 2752 { 2753 switch (protocolVariant) { 2754 case ssl_variant_stream: 2755 return (version >= SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM && 2756 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); 2757 case ssl_variant_datagram: 2758 return (version >= SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM && 2759 version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED); 2760 } 2761 2762 /* Can't get here */ 2763 PORT_Assert(PR_FALSE); 2764 return PR_FALSE; 2765 } 2766 2767 PRBool 2768 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, 2769 SSL3ProtocolVersion version) 2770 { 2771 if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) { 2772 return PR_FALSE; 2773 } 2774 return ssl3_VersionIsSupportedByCode(protocolVariant, version); 2775 } 2776 2777 const SECItem * 2778 SSL_PeerSignedCertTimestamps(PRFileDesc *fd) 2779 { 2780 sslSocket *ss = ssl_FindSocket(fd); 2781 2782 if (!ss) { 2783 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", 2784 SSL_GETPID(), fd)); 2785 return NULL; 2786 } 2787 2788 if (!ss->sec.ci.sid) { 2789 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); 2790 return NULL; 2791 } 2792 2793 return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; 2794 } 2795 2796 SECStatus 2797 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant, 2798 SSLVersionRange *vrange) 2799 { 2800 SECStatus rv; 2801 2802 if (!vrange) { 2803 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2804 return SECFailure; 2805 } 2806 2807 switch (protocolVariant) { 2808 case ssl_variant_stream: 2809 vrange->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM; 2810 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; 2811 /* We don't allow SSLv3 and TLSv1.3 together. 2812 * However, don't check yet, apply the policy first. 2813 * Because if the effective supported range doesn't use TLS 1.3, 2814 * then we don't need to increase the minimum. */ 2815 break; 2816 case ssl_variant_datagram: 2817 vrange->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM; 2818 vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED; 2819 break; 2820 default: 2821 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2822 return SECFailure; 2823 } 2824 2825 rv = ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange); 2826 if (rv != SECSuccess) { 2827 /* Library default and policy don't overlap. */ 2828 return rv; 2829 } 2830 2831 /* We don't allow SSLv3 and TLSv1.3 together */ 2832 if (vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3) { 2833 vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); 2834 } 2835 2836 return SECSuccess; 2837 } 2838 2839 SECStatus 2840 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant, 2841 SSLVersionRange *vrange) 2842 { 2843 if ((protocolVariant != ssl_variant_stream && 2844 protocolVariant != ssl_variant_datagram) || 2845 !vrange) { 2846 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2847 return SECFailure; 2848 } 2849 2850 *vrange = *VERSIONS_DEFAULTS(protocolVariant); 2851 return ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange); 2852 } 2853 2854 static PRBool 2855 ssl3_HasConflictingSSLVersions(const SSLVersionRange *vrange) 2856 { 2857 return (vrange->min <= SSL_LIBRARY_VERSION_3_0 && 2858 vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3); 2859 } 2860 2861 static SECStatus 2862 ssl3_CheckRangeValidAndConstrainByPolicy(SSLProtocolVariant protocolVariant, 2863 SSLVersionRange *vrange) 2864 { 2865 SECStatus rv; 2866 2867 if (vrange->min > vrange->max || 2868 !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->min) || 2869 !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->max) || 2870 ssl3_HasConflictingSSLVersions(vrange)) { 2871 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); 2872 return SECFailure; 2873 } 2874 2875 /* Try to adjust the received range using our policy. 2876 * If there's overlap, we'll use the (possibly reduced) range. 2877 * If there isn't overlap, it's failure. */ 2878 2879 rv = ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange); 2880 if (rv != SECSuccess) { 2881 return rv; 2882 } 2883 2884 /* We don't allow SSLv3 and TLSv1.3 together */ 2885 if (vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3) { 2886 vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0); 2887 } 2888 2889 return SECSuccess; 2890 } 2891 2892 SECStatus 2893 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant, 2894 const SSLVersionRange *vrange) 2895 { 2896 SSLVersionRange constrainedRange; 2897 SECStatus rv; 2898 2899 if (!vrange) { 2900 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2901 return SECFailure; 2902 } 2903 2904 constrainedRange = *vrange; 2905 rv = ssl3_CheckRangeValidAndConstrainByPolicy(protocolVariant, 2906 &constrainedRange); 2907 if (rv != SECSuccess) 2908 return rv; 2909 2910 *VERSIONS_DEFAULTS(protocolVariant) = constrainedRange; 2911 return SECSuccess; 2912 } 2913 2914 SECStatus 2915 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange) 2916 { 2917 sslSocket *ss = ssl_FindSocket(fd); 2918 2919 if (!ss) { 2920 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeGet", 2921 SSL_GETPID(), fd)); 2922 return SECFailure; 2923 } 2924 2925 if (!vrange) { 2926 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2927 return SECFailure; 2928 } 2929 2930 ssl_Get1stHandshakeLock(ss); 2931 ssl_GetSSL3HandshakeLock(ss); 2932 2933 *vrange = ss->vrange; 2934 2935 ssl_ReleaseSSL3HandshakeLock(ss); 2936 ssl_Release1stHandshakeLock(ss); 2937 2938 return ssl3_CreateOverlapWithPolicy(ss->protocolVariant, vrange, vrange); 2939 } 2940 2941 SECStatus 2942 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) 2943 { 2944 SSLVersionRange constrainedRange; 2945 sslSocket *ss; 2946 SECStatus rv; 2947 2948 if (!vrange) { 2949 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2950 return SECFailure; 2951 } 2952 2953 ss = ssl_FindSocket(fd); 2954 if (!ss) { 2955 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeSet", 2956 SSL_GETPID(), fd)); 2957 return SECFailure; 2958 } 2959 2960 constrainedRange = *vrange; 2961 rv = ssl3_CheckRangeValidAndConstrainByPolicy(ss->protocolVariant, 2962 &constrainedRange); 2963 if (rv != SECSuccess) 2964 return rv; 2965 2966 ssl_Get1stHandshakeLock(ss); 2967 ssl_GetSSL3HandshakeLock(ss); 2968 2969 if (ss->ssl3.downgradeCheckVersion && 2970 ss->vrange.max > ss->ssl3.downgradeCheckVersion) { 2971 PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); 2972 ssl_ReleaseSSL3HandshakeLock(ss); 2973 ssl_Release1stHandshakeLock(ss); 2974 return SECFailure; 2975 } 2976 2977 ss->vrange = constrainedRange; 2978 2979 ssl_ReleaseSSL3HandshakeLock(ss); 2980 ssl_Release1stHandshakeLock(ss); 2981 2982 return SECSuccess; 2983 } 2984 2985 SECStatus 2986 SSL_SetDowngradeCheckVersion(PRFileDesc *fd, PRUint16 version) 2987 { 2988 sslSocket *ss = ssl_FindSocket(fd); 2989 SECStatus rv = SECFailure; 2990 2991 if (!ss) { 2992 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetDowngradeCheckVersion", 2993 SSL_GETPID(), fd)); 2994 return SECFailure; 2995 } 2996 2997 if (version && !ssl3_VersionIsSupported(ss->protocolVariant, version)) { 2998 PORT_SetError(SEC_ERROR_INVALID_ARGS); 2999 return SECFailure; 3000 } 3001 3002 ssl_Get1stHandshakeLock(ss); 3003 ssl_GetSSL3HandshakeLock(ss); 3004 3005 if (version && version < ss->vrange.max) { 3006 PORT_SetError(SEC_ERROR_INVALID_ARGS); 3007 goto loser; 3008 } 3009 ss->ssl3.downgradeCheckVersion = version; 3010 rv = SECSuccess; 3011 3012 loser: 3013 ssl_ReleaseSSL3HandshakeLock(ss); 3014 ssl_Release1stHandshakeLock(ss); 3015 3016 return rv; 3017 } 3018 3019 const SECItemArray * 3020 SSL_PeerStapledOCSPResponses(PRFileDesc *fd) 3021 { 3022 sslSocket *ss = ssl_FindSocket(fd); 3023 3024 if (!ss) { 3025 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerStapledOCSPResponses", 3026 SSL_GETPID(), fd)); 3027 return NULL; 3028 } 3029 3030 if (!ss->sec.ci.sid) { 3031 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); 3032 return NULL; 3033 } 3034 3035 return &ss->sec.ci.sid->peerCertStatus; 3036 } 3037 3038 /************************************************************************/ 3039 /* The following functions are the TOP LEVEL SSL functions. 3040 ** They all get called through the NSPRIOMethods table below. 3041 */ 3042 3043 static PRFileDesc *PR_CALLBACK 3044 ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) 3045 { 3046 sslSocket *ss; 3047 sslSocket *ns = NULL; 3048 PRFileDesc *newfd = NULL; 3049 PRFileDesc *osfd; 3050 PRStatus status; 3051 3052 ss = ssl_GetPrivate(fd); 3053 if (!ss) { 3054 SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd)); 3055 return NULL; 3056 } 3057 3058 /* IF this is a listen socket, there shouldn't be any I/O going on */ 3059 SSL_LOCK_READER(ss); 3060 SSL_LOCK_WRITER(ss); 3061 ssl_Get1stHandshakeLock(ss); 3062 ssl_GetSSL3HandshakeLock(ss); 3063 3064 ss->cTimeout = timeout; 3065 3066 osfd = ss->fd->lower; 3067 3068 /* First accept connection */ 3069 newfd = osfd->methods->accept(osfd, sockaddr, timeout); 3070 if (newfd == NULL) { 3071 SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d", 3072 SSL_GETPID(), ss->fd, PORT_GetError())); 3073 } else { 3074 /* Create ssl module */ 3075 ns = ssl_DupSocket(ss); 3076 } 3077 3078 ssl_ReleaseSSL3HandshakeLock(ss); 3079 ssl_Release1stHandshakeLock(ss); 3080 SSL_UNLOCK_WRITER(ss); 3081 SSL_UNLOCK_READER(ss); /* ss isn't used below here. */ 3082 3083 if (ns == NULL) 3084 goto loser; 3085 3086 /* push ssl module onto the new socket */ 3087 status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER); 3088 if (status != PR_SUCCESS) 3089 goto loser; 3090 3091 /* Now start server connection handshake with client. 3092 ** Don't need locks here because nobody else has a reference to ns yet. 3093 */ 3094 if (ns->opt.useSecurity) { 3095 if (ns->opt.handshakeAsClient) { 3096 ns->handshake = ssl_BeginClientHandshake; 3097 ss->handshaking = sslHandshakingAsClient; 3098 } else { 3099 ns->handshake = ssl_BeginServerHandshake; 3100 ss->handshaking = sslHandshakingAsServer; 3101 } 3102 } 3103 ns->TCPconnected = 1; 3104 return newfd; 3105 3106 loser: 3107 if (ns != NULL) 3108 ssl_FreeSocket(ns); 3109 if (newfd != NULL) 3110 PR_Close(newfd); 3111 return NULL; 3112 } 3113 3114 static PRStatus PR_CALLBACK 3115 ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout) 3116 { 3117 sslSocket *ss; 3118 PRStatus rv; 3119 3120 ss = ssl_GetPrivate(fd); 3121 if (!ss) { 3122 SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd)); 3123 return PR_FAILURE; 3124 } 3125 3126 /* IF this is a listen socket, there shouldn't be any I/O going on */ 3127 SSL_LOCK_READER(ss); 3128 SSL_LOCK_WRITER(ss); 3129 3130 ss->cTimeout = timeout; 3131 rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr); 3132 3133 SSL_UNLOCK_WRITER(ss); 3134 SSL_UNLOCK_READER(ss); 3135 3136 return rv; 3137 } 3138 3139 static PRStatus PR_CALLBACK 3140 ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr) 3141 { 3142 sslSocket *ss = ssl_GetPrivate(fd); 3143 PRStatus rv; 3144 3145 if (!ss) { 3146 SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd)); 3147 return PR_FAILURE; 3148 } 3149 SSL_LOCK_READER(ss); 3150 SSL_LOCK_WRITER(ss); 3151 3152 rv = (PRStatus)(*ss->ops->bind)(ss, addr); 3153 3154 SSL_UNLOCK_WRITER(ss); 3155 SSL_UNLOCK_READER(ss); 3156 return rv; 3157 } 3158 3159 static PRStatus PR_CALLBACK 3160 ssl_Listen(PRFileDesc *fd, PRIntn backlog) 3161 { 3162 sslSocket *ss = ssl_GetPrivate(fd); 3163 PRStatus rv; 3164 3165 if (!ss) { 3166 SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd)); 3167 return PR_FAILURE; 3168 } 3169 SSL_LOCK_READER(ss); 3170 SSL_LOCK_WRITER(ss); 3171 3172 rv = (PRStatus)(*ss->ops->listen)(ss, backlog); 3173 3174 SSL_UNLOCK_WRITER(ss); 3175 SSL_UNLOCK_READER(ss); 3176 return rv; 3177 } 3178 3179 static PRStatus PR_CALLBACK 3180 ssl_Shutdown(PRFileDesc *fd, PRIntn how) 3181 { 3182 sslSocket *ss = ssl_GetPrivate(fd); 3183 PRStatus rv; 3184 3185 if (!ss) { 3186 SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd)); 3187 return PR_FAILURE; 3188 } 3189 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { 3190 SSL_LOCK_READER(ss); 3191 } 3192 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { 3193 SSL_LOCK_WRITER(ss); 3194 } 3195 3196 rv = (PRStatus)(*ss->ops->shutdown)(ss, how); 3197 3198 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { 3199 SSL_UNLOCK_WRITER(ss); 3200 } 3201 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { 3202 SSL_UNLOCK_READER(ss); 3203 } 3204 return rv; 3205 } 3206 3207 static PRStatus PR_CALLBACK 3208 ssl_Close(PRFileDesc *fd) 3209 { 3210 sslSocket *ss; 3211 PRStatus rv; 3212 3213 ss = ssl_GetPrivate(fd); 3214 if (!ss) { 3215 SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd)); 3216 return PR_FAILURE; 3217 } 3218 3219 /* There must not be any I/O going on */ 3220 SSL_LOCK_READER(ss); 3221 SSL_LOCK_WRITER(ss); 3222 3223 /* By the time this function returns, 3224 ** ss is an invalid pointer, and the locks to which it points have 3225 ** been unlocked and freed. So, this is the ONE PLACE in all of SSL 3226 ** where the LOCK calls and the corresponding UNLOCK calls are not in 3227 ** the same function scope. The unlock calls are in ssl_FreeSocket(). 3228 */ 3229 rv = (PRStatus)(*ss->ops->close)(ss); 3230 3231 return rv; 3232 } 3233 3234 static int PR_CALLBACK 3235 ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, 3236 PRIntervalTime timeout) 3237 { 3238 sslSocket *ss; 3239 int rv; 3240 3241 ss = ssl_GetPrivate(fd); 3242 if (!ss) { 3243 SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd)); 3244 return SECFailure; 3245 } 3246 SSL_LOCK_READER(ss); 3247 ss->rTimeout = timeout; 3248 if (!ss->opt.fdx) 3249 ss->wTimeout = timeout; 3250 rv = (*ss->ops->recv)(ss, (unsigned char *)buf, len, flags); 3251 SSL_UNLOCK_READER(ss); 3252 return rv; 3253 } 3254 3255 static int PR_CALLBACK 3256 ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags, 3257 PRIntervalTime timeout) 3258 { 3259 sslSocket *ss; 3260 int rv; 3261 3262 ss = ssl_GetPrivate(fd); 3263 if (!ss) { 3264 SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd)); 3265 return SECFailure; 3266 } 3267 SSL_LOCK_WRITER(ss); 3268 ss->wTimeout = timeout; 3269 if (!ss->opt.fdx) 3270 ss->rTimeout = timeout; 3271 rv = (*ss->ops->send)(ss, (const unsigned char *)buf, len, flags); 3272 SSL_UNLOCK_WRITER(ss); 3273 return rv; 3274 } 3275 3276 static int PR_CALLBACK 3277 ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len) 3278 { 3279 sslSocket *ss; 3280 int rv; 3281 3282 ss = ssl_GetPrivate(fd); 3283 if (!ss) { 3284 SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd)); 3285 return SECFailure; 3286 } 3287 SSL_LOCK_READER(ss); 3288 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; 3289 if (!ss->opt.fdx) 3290 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; 3291 rv = (*ss->ops->read)(ss, (unsigned char *)buf, len); 3292 SSL_UNLOCK_READER(ss); 3293 return rv; 3294 } 3295 3296 static int PR_CALLBACK 3297 ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len) 3298 { 3299 sslSocket *ss; 3300 int rv; 3301 3302 ss = ssl_GetPrivate(fd); 3303 if (!ss) { 3304 SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd)); 3305 return SECFailure; 3306 } 3307 SSL_LOCK_WRITER(ss); 3308 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; 3309 if (!ss->opt.fdx) 3310 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; 3311 rv = (*ss->ops->write)(ss, (const unsigned char *)buf, len); 3312 SSL_UNLOCK_WRITER(ss); 3313 return rv; 3314 } 3315 3316 static PRStatus PR_CALLBACK 3317 ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr) 3318 { 3319 sslSocket *ss; 3320 3321 ss = ssl_GetPrivate(fd); 3322 if (!ss) { 3323 SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd)); 3324 return PR_FAILURE; 3325 } 3326 return (PRStatus)(*ss->ops->getpeername)(ss, addr); 3327 } 3328 3329 /* 3330 */ 3331 SECStatus 3332 ssl_GetPeerInfo(sslSocket *ss) 3333 { 3334 PRFileDesc *osfd; 3335 int rv; 3336 PRNetAddr sin; 3337 3338 osfd = ss->fd->lower; 3339 3340 PORT_Memset(&sin, 0, sizeof(sin)); 3341 rv = osfd->methods->getpeername(osfd, &sin); 3342 if (rv < 0) { 3343 return SECFailure; 3344 } 3345 ss->TCPconnected = 1; 3346 if (sin.inet.family == PR_AF_INET) { 3347 PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer); 3348 ss->sec.ci.port = sin.inet.port; 3349 } else if (sin.ipv6.family == PR_AF_INET6) { 3350 ss->sec.ci.peer = sin.ipv6.ip; 3351 ss->sec.ci.port = sin.ipv6.port; 3352 } else { 3353 PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR); 3354 return SECFailure; 3355 } 3356 return SECSuccess; 3357 } 3358 3359 static PRStatus PR_CALLBACK 3360 ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name) 3361 { 3362 sslSocket *ss; 3363 3364 ss = ssl_GetPrivate(fd); 3365 if (!ss) { 3366 SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd)); 3367 return PR_FAILURE; 3368 } 3369 return (PRStatus)(*ss->ops->getsockname)(ss, name); 3370 } 3371 3372 SECStatus 3373 SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID) 3374 { 3375 sslSocket *ss; 3376 3377 ss = ssl_FindSocket(fd); 3378 if (!ss) { 3379 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSockPeerID", 3380 SSL_GETPID(), fd)); 3381 return SECFailure; 3382 } 3383 3384 if (ss->peerID) { 3385 PORT_Free(ss->peerID); 3386 ss->peerID = NULL; 3387 } 3388 if (peerID) 3389 ss->peerID = PORT_Strdup(peerID); 3390 return (ss->peerID || !peerID) ? SECSuccess : SECFailure; 3391 } 3392 3393 #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ) 3394 3395 static PRInt16 PR_CALLBACK 3396 ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) 3397 { 3398 sslSocket *ss; 3399 PRInt16 new_flags = how_flags; /* should select on these flags. */ 3400 PRNetAddr addr; 3401 3402 *p_out_flags = 0; 3403 ss = ssl_GetPrivate(fd); 3404 if (!ss) { 3405 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll", 3406 SSL_GETPID(), fd)); 3407 return 0; /* don't poll on this socket */ 3408 } 3409 3410 if (ss->opt.useSecurity && 3411 ss->handshaking != sslHandshakingUndetermined && 3412 !ss->firstHsDone && 3413 (how_flags & PR_POLL_RW)) { 3414 if (!ss->TCPconnected) { 3415 ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr)); 3416 } 3417 /* If it's not connected, then presumably the application is polling 3418 ** on read or write appropriately, so don't change it. 3419 */ 3420 if (ss->TCPconnected) { 3421 if (!ss->handshakeBegun) { 3422 /* If the handshake has not begun, poll on read or write 3423 ** based on the local application's role in the handshake, 3424 ** not based on what the application requested. 3425 */ 3426 new_flags &= ~PR_POLL_RW; 3427 if (ss->handshaking == sslHandshakingAsClient) { 3428 new_flags |= PR_POLL_WRITE; 3429 } else { /* handshaking as server */ 3430 new_flags |= PR_POLL_READ; 3431 } 3432 } else if (ss->lastWriteBlocked) { 3433 /* First handshake is in progress */ 3434 if (new_flags & PR_POLL_READ) { 3435 /* The caller is waiting for data to be received, 3436 ** but the initial handshake is blocked on write, or the 3437 ** client's first handshake record has not been written. 3438 ** The code should select on write, not read. 3439 */ 3440 new_flags &= ~PR_POLL_READ; /* don't select on read. */ 3441 new_flags |= PR_POLL_WRITE; /* do select on write. */ 3442 } 3443 } else if (new_flags & PR_POLL_WRITE) { 3444 /* The caller is trying to write, but the handshake is 3445 ** blocked waiting for data to read, and the first 3446 ** handshake has been sent. So do NOT to poll on write 3447 ** unless we did false start or we are doing 0-RTT. 3448 */ 3449 if (!(ss->ssl3.hs.canFalseStart || 3450 ss->ssl3.hs.zeroRttState == ssl_0rtt_sent || 3451 ss->ssl3.hs.zeroRttState == ssl_0rtt_accepted)) { 3452 new_flags &= ~PR_POLL_WRITE; /* don't select on write. */ 3453 } 3454 new_flags |= PR_POLL_READ; /* do select on read. */ 3455 } 3456 } 3457 } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) { 3458 *p_out_flags = PR_POLL_READ; /* it's ready already. */ 3459 return new_flags; 3460 } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) && 3461 (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */ 3462 new_flags |= PR_POLL_WRITE; /* also select on write. */ 3463 } 3464 3465 if (ss->ssl3.hs.restartTarget != NULL) { 3466 /* Read and write will block until the asynchronous callback completes 3467 * (e.g. until SSL_AuthCertificateComplete is called), so don't tell 3468 * the caller to poll the socket unless there is pending write data. 3469 */ 3470 if (ss->lastWriteBlocked && ss->pendingBuf.len != 0) { 3471 /* Ignore any newly-received data on the socket, but do wait for 3472 * the socket to become writable again. Here, it is OK for an error 3473 * to be detected, because our logic for sending pending write data 3474 * will allow us to report the error to the caller without the risk 3475 * of the application spinning. 3476 */ 3477 new_flags &= (PR_POLL_WRITE | PR_POLL_EXCEPT); 3478 } else { 3479 /* Unfortunately, clearing new_flags will make it impossible for 3480 * the application to detect errors that it would otherwise be 3481 * able to detect with PR_POLL_EXCEPT, until the asynchronous 3482 * callback completes. However, we must clear all the flags to 3483 * prevent the application from spinning (alternating between 3484 * calling PR_Poll that would return PR_POLL_EXCEPT, and send/recv 3485 * which won't actually report the I/O error while we are waiting 3486 * for the asynchronous callback to complete). 3487 */ 3488 new_flags = 0; 3489 } 3490 } 3491 3492 SSL_TRC(20, ("%d: SSL[%d]: ssl_Poll flags %x -> %x", 3493 SSL_GETPID(), fd, how_flags, new_flags)); 3494 3495 if (new_flags && (fd->lower->methods->poll != NULL)) { 3496 PRInt16 lower_out_flags = 0; 3497 PRInt16 lower_new_flags; 3498 lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, 3499 &lower_out_flags); 3500 if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) { 3501 PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW; 3502 if (lower_out_flags & PR_POLL_READ) 3503 out_flags |= PR_POLL_WRITE; 3504 if (lower_out_flags & PR_POLL_WRITE) 3505 out_flags |= PR_POLL_READ; 3506 *p_out_flags = out_flags; 3507 new_flags = how_flags; 3508 } else { 3509 *p_out_flags = lower_out_flags; 3510 new_flags = lower_new_flags; 3511 } 3512 } 3513 3514 return new_flags; 3515 } 3516 3517 static PRInt32 PR_CALLBACK 3518 ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd, 3519 const void *headers, PRInt32 hlen, 3520 PRTransmitFileFlags flags, PRIntervalTime timeout) 3521 { 3522 PRSendFileData sfd; 3523 3524 sfd.fd = fd; 3525 sfd.file_offset = 0; 3526 sfd.file_nbytes = 0; 3527 sfd.header = headers; 3528 sfd.hlen = hlen; 3529 sfd.trailer = NULL; 3530 sfd.tlen = 0; 3531 3532 return sd->methods->sendfile(sd, &sfd, flags, timeout); 3533 } 3534 3535 PRBool 3536 ssl_FdIsBlocking(PRFileDesc *fd) 3537 { 3538 PRSocketOptionData opt; 3539 PRStatus status; 3540 3541 opt.option = PR_SockOpt_Nonblocking; 3542 opt.value.non_blocking = PR_FALSE; 3543 status = PR_GetSocketOption(fd, &opt); 3544 if (status != PR_SUCCESS) 3545 return PR_FALSE; 3546 return (PRBool)!opt.value.non_blocking; 3547 } 3548 3549 PRBool 3550 ssl_SocketIsBlocking(sslSocket *ss) 3551 { 3552 return ssl_FdIsBlocking(ss->fd); 3553 } 3554 3555 PRInt32 sslFirstBufSize = 8 * 1024; 3556 PRInt32 sslCopyLimit = 1024; 3557 3558 static PRInt32 PR_CALLBACK 3559 ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, 3560 PRIntervalTime timeout) 3561 { 3562 PRInt32 i; 3563 PRInt32 bufLen; 3564 PRInt32 left; 3565 PRInt32 rv; 3566 PRInt32 sent = 0; 3567 const PRInt32 first_len = sslFirstBufSize; 3568 const PRInt32 limit = sslCopyLimit; 3569 PRBool blocking; 3570 PRIOVec myIov; 3571 char buf[MAX_FRAGMENT_LENGTH]; 3572 3573 if (vectors < 0) { 3574 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 3575 return -1; 3576 } 3577 if (vectors > PR_MAX_IOVECTOR_SIZE) { 3578 PORT_SetError(PR_BUFFER_OVERFLOW_ERROR); 3579 return -1; 3580 } 3581 for (i = 0; i < vectors; i++) { 3582 if (iov[i].iov_len < 0) { 3583 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 3584 return -1; 3585 } 3586 } 3587 blocking = ssl_FdIsBlocking(fd); 3588 3589 #define K16 ((int)sizeof(buf)) 3590 #define KILL_VECTORS \ 3591 while (vectors && !iov->iov_len) { \ 3592 ++iov; \ 3593 --vectors; \ 3594 } 3595 #define GET_VECTOR \ 3596 do { \ 3597 myIov = *iov++; \ 3598 --vectors; \ 3599 KILL_VECTORS \ 3600 } while (0) 3601 #define HANDLE_ERR(rv, len) \ 3602 if (rv != len) { \ 3603 if (rv < 0) { \ 3604 if (!blocking && \ 3605 (PR_GetError() == PR_WOULD_BLOCK_ERROR) && \ 3606 (sent > 0)) { \ 3607 return sent; \ 3608 } else { \ 3609 return -1; \ 3610 } \ 3611 } \ 3612 /* Only a nonblocking socket can have partial sends */ \ 3613 PR_ASSERT(!blocking); \ 3614 return sent + rv; \ 3615 } 3616 #define SEND(bfr, len) \ 3617 do { \ 3618 rv = ssl_Send(fd, bfr, len, 0, timeout); \ 3619 HANDLE_ERR(rv, len) \ 3620 sent += len; \ 3621 } while (0) 3622 3623 /* Make sure the first write is at least 8 KB, if possible. */ 3624 KILL_VECTORS 3625 if (!vectors) 3626 return ssl_Send(fd, 0, 0, 0, timeout); 3627 GET_VECTOR; 3628 if (!vectors) { 3629 return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout); 3630 } 3631 if (myIov.iov_len < first_len) { 3632 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); 3633 bufLen = myIov.iov_len; 3634 left = first_len - bufLen; 3635 while (vectors && left) { 3636 int toCopy; 3637 GET_VECTOR; 3638 toCopy = PR_MIN(left, myIov.iov_len); 3639 PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy); 3640 bufLen += toCopy; 3641 left -= toCopy; 3642 myIov.iov_base += toCopy; 3643 myIov.iov_len -= toCopy; 3644 } 3645 SEND(buf, bufLen); 3646 } 3647 3648 while (vectors || myIov.iov_len) { 3649 PRInt32 addLen; 3650 if (!myIov.iov_len) { 3651 GET_VECTOR; 3652 } 3653 while (myIov.iov_len >= K16) { 3654 SEND(myIov.iov_base, K16); 3655 myIov.iov_base += K16; 3656 myIov.iov_len -= K16; 3657 } 3658 if (!myIov.iov_len) 3659 continue; 3660 3661 if (!vectors || myIov.iov_len > limit) { 3662 addLen = 0; 3663 } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) { 3664 /* Addlen is already computed. */; 3665 } else if (vectors > 1 && 3666 iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) { 3667 addLen = limit - myIov.iov_len; 3668 } else 3669 addLen = 0; 3670 3671 if (!addLen) { 3672 SEND(myIov.iov_base, myIov.iov_len); 3673 myIov.iov_len = 0; 3674 continue; 3675 } 3676 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); 3677 bufLen = myIov.iov_len; 3678 do { 3679 GET_VECTOR; 3680 PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen); 3681 myIov.iov_base += addLen; 3682 myIov.iov_len -= addLen; 3683 bufLen += addLen; 3684 3685 left = PR_MIN(limit, K16 - bufLen); 3686 if (!vectors /* no more left */ 3687 || myIov.iov_len > 0 /* we didn't use that one all up */ 3688 || bufLen >= K16 /* it's full. */) { 3689 addLen = 0; 3690 } else if ((addLen = iov->iov_len % K16) <= left) { 3691 /* Addlen is already computed. */; 3692 } else if (vectors > 1 && 3693 iov[1].iov_len % K16 + addLen <= left + limit) { 3694 addLen = left; 3695 } else 3696 addLen = 0; 3697 3698 } while (addLen); 3699 SEND(buf, bufLen); 3700 } 3701 return sent; 3702 } 3703 3704 /* 3705 * These functions aren't implemented. 3706 */ 3707 3708 static PRInt32 PR_CALLBACK 3709 ssl_Available(PRFileDesc *fd) 3710 { 3711 PORT_Assert(0); 3712 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3713 return SECFailure; 3714 } 3715 3716 static PRInt64 PR_CALLBACK 3717 ssl_Available64(PRFileDesc *fd) 3718 { 3719 PRInt64 res; 3720 3721 PORT_Assert(0); 3722 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3723 LL_I2L(res, -1L); 3724 return res; 3725 } 3726 3727 static PRStatus PR_CALLBACK 3728 ssl_FSync(PRFileDesc *fd) 3729 { 3730 PORT_Assert(0); 3731 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3732 return PR_FAILURE; 3733 } 3734 3735 static PRInt32 PR_CALLBACK 3736 ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) 3737 { 3738 PORT_Assert(0); 3739 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3740 return SECFailure; 3741 } 3742 3743 static PRInt64 PR_CALLBACK 3744 ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) 3745 { 3746 PRInt64 res; 3747 3748 PORT_Assert(0); 3749 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3750 LL_I2L(res, -1L); 3751 return res; 3752 } 3753 3754 static PRStatus PR_CALLBACK 3755 ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info) 3756 { 3757 PORT_Assert(0); 3758 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3759 return PR_FAILURE; 3760 } 3761 3762 static PRStatus PR_CALLBACK 3763 ssl_FileInfo64(PRFileDesc *fd, PRFileInfo64 *info) 3764 { 3765 PORT_Assert(0); 3766 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3767 return PR_FAILURE; 3768 } 3769 3770 static PRInt32 PR_CALLBACK 3771 ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags, 3772 PRNetAddr *addr, PRIntervalTime timeout) 3773 { 3774 PORT_Assert(0); 3775 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3776 return SECFailure; 3777 } 3778 3779 static PRInt32 PR_CALLBACK 3780 ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, 3781 const PRNetAddr *addr, PRIntervalTime timeout) 3782 { 3783 PORT_Assert(0); 3784 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); 3785 return SECFailure; 3786 } 3787 3788 static const PRIOMethods ssl_methods = { 3789 PR_DESC_LAYERED, 3790 ssl_Close, /* close */ 3791 ssl_Read, /* read */ 3792 ssl_Write, /* write */ 3793 ssl_Available, /* available */ 3794 ssl_Available64, /* available64 */ 3795 ssl_FSync, /* fsync */ 3796 ssl_Seek, /* seek */ 3797 ssl_Seek64, /* seek64 */ 3798 ssl_FileInfo, /* fileInfo */ 3799 ssl_FileInfo64, /* fileInfo64 */ 3800 ssl_WriteV, /* writev */ 3801 ssl_Connect, /* connect */ 3802 ssl_Accept, /* accept */ 3803 ssl_Bind, /* bind */ 3804 ssl_Listen, /* listen */ 3805 ssl_Shutdown, /* shutdown */ 3806 ssl_Recv, /* recv */ 3807 ssl_Send, /* send */ 3808 ssl_RecvFrom, /* recvfrom */ 3809 ssl_SendTo, /* sendto */ 3810 ssl_Poll, /* poll */ 3811 PR_EmulateAcceptRead, /* acceptread */ 3812 ssl_TransmitFile, /* transmitfile */ 3813 ssl_GetSockName, /* getsockname */ 3814 ssl_GetPeerName, /* getpeername */ 3815 NULL, /* getsockopt OBSOLETE */ 3816 NULL, /* setsockopt OBSOLETE */ 3817 NULL, /* getsocketoption */ 3818 NULL, /* setsocketoption */ 3819 PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/ 3820 NULL, /* reserved for future use */ 3821 NULL, /* reserved for future use */ 3822 NULL, /* reserved for future use */ 3823 NULL, /* reserved for future use */ 3824 NULL /* reserved for future use */ 3825 }; 3826 3827 static PRIOMethods combined_methods; 3828 3829 static void 3830 ssl_SetupIOMethods(void) 3831 { 3832 PRIOMethods *new_methods = &combined_methods; 3833 const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods(); 3834 const PRIOMethods *my_methods = &ssl_methods; 3835 3836 *new_methods = *nspr_methods; 3837 3838 new_methods->file_type = my_methods->file_type; 3839 new_methods->close = my_methods->close; 3840 new_methods->read = my_methods->read; 3841 new_methods->write = my_methods->write; 3842 new_methods->available = my_methods->available; 3843 new_methods->available64 = my_methods->available64; 3844 new_methods->fsync = my_methods->fsync; 3845 new_methods->seek = my_methods->seek; 3846 new_methods->seek64 = my_methods->seek64; 3847 new_methods->fileInfo = my_methods->fileInfo; 3848 new_methods->fileInfo64 = my_methods->fileInfo64; 3849 new_methods->writev = my_methods->writev; 3850 new_methods->connect = my_methods->connect; 3851 new_methods->accept = my_methods->accept; 3852 new_methods->bind = my_methods->bind; 3853 new_methods->listen = my_methods->listen; 3854 new_methods->shutdown = my_methods->shutdown; 3855 new_methods->recv = my_methods->recv; 3856 new_methods->send = my_methods->send; 3857 new_methods->recvfrom = my_methods->recvfrom; 3858 new_methods->sendto = my_methods->sendto; 3859 new_methods->poll = my_methods->poll; 3860 new_methods->acceptread = my_methods->acceptread; 3861 new_methods->transmitfile = my_methods->transmitfile; 3862 new_methods->getsockname = my_methods->getsockname; 3863 new_methods->getpeername = my_methods->getpeername; 3864 /* new_methods->getsocketoption = my_methods->getsocketoption; */ 3865 /* new_methods->setsocketoption = my_methods->setsocketoption; */ 3866 new_methods->sendfile = my_methods->sendfile; 3867 } 3868 3869 static PRCallOnceType initIoLayerOnce; 3870 3871 static PRStatus 3872 ssl_InitIOLayer(void) 3873 { 3874 ssl_layer_id = PR_GetUniqueIdentity("SSL"); 3875 ssl_SetupIOMethods(); 3876 return PR_SUCCESS; 3877 } 3878 3879 static PRStatus 3880 ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id) 3881 { 3882 PRFileDesc *layer = NULL; 3883 PRStatus status; 3884 3885 status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); 3886 if (status != PR_SUCCESS) { 3887 goto loser; 3888 } 3889 if (ns == NULL) { 3890 goto loser; 3891 } 3892 layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods); 3893 if (layer == NULL) 3894 goto loser; 3895 layer->secret = (PRFilePrivate *)ns; 3896 3897 /* Here, "stack" points to the PRFileDesc on the top of the stack. 3898 ** "layer" points to a new FD that is to be inserted into the stack. 3899 ** If layer is being pushed onto the top of the stack, then 3900 ** PR_PushIOLayer switches the contents of stack and layer, and then 3901 ** puts stack on top of layer, so that after it is done, the top of 3902 ** stack is the same "stack" as it was before, and layer is now the 3903 ** FD for the former top of stack. 3904 ** After this call, stack always points to the top PRFD on the stack. 3905 ** If this function fails, the contents of stack and layer are as 3906 ** they were before the call. 3907 */ 3908 status = PR_PushIOLayer(stack, id, layer); 3909 if (status != PR_SUCCESS) 3910 goto loser; 3911 3912 ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer; 3913 return PR_SUCCESS; 3914 3915 loser: 3916 if (layer) { 3917 layer->dtor(layer); /* free layer */ 3918 } 3919 return PR_FAILURE; 3920 } 3921 3922 /* if this fails, caller must destroy socket. */ 3923 static SECStatus 3924 ssl_MakeLocks(sslSocket *ss) 3925 { 3926 PR_ASSERT(!ss->firstHandshakeLock); 3927 ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL); 3928 if (!ss->firstHandshakeLock) 3929 goto loser; 3930 3931 PR_ASSERT(!ss->ssl3HandshakeLock); 3932 ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL); 3933 if (!ss->ssl3HandshakeLock) 3934 goto loser; 3935 3936 PR_ASSERT(!ss->specLock); 3937 ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL); 3938 if (!ss->specLock) 3939 goto loser; 3940 3941 PR_ASSERT(!ss->recvBufLock); 3942 ss->recvBufLock = PZ_NewMonitor(nssILockSSL); 3943 if (!ss->recvBufLock) 3944 goto loser; 3945 3946 PR_ASSERT(!ss->xmitBufLock); 3947 ss->xmitBufLock = PZ_NewMonitor(nssILockSSL); 3948 if (!ss->xmitBufLock) 3949 goto loser; 3950 ss->writerThread = NULL; 3951 if (ssl_lock_readers) { 3952 PR_ASSERT(!ss->recvLock); 3953 ss->recvLock = PZ_NewLock(nssILockSSL); 3954 if (!ss->recvLock) 3955 goto loser; 3956 3957 PR_ASSERT(!ss->sendLock); 3958 ss->sendLock = PZ_NewLock(nssILockSSL); 3959 if (!ss->sendLock) 3960 goto loser; 3961 } 3962 return SECSuccess; 3963 loser: 3964 ssl_DestroyLocks(ss); 3965 return SECFailure; 3966 } 3967 3968 #if defined(XP_UNIX) || defined(XP_WIN32) 3969 #define NSS_HAVE_GETENV 1 3970 #endif 3971 3972 #define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */ 3973 3974 static PRStatus 3975 ssl_SetDefaultsFromEnvironmentCallOnce(void) 3976 { 3977 #if defined(NSS_HAVE_GETENV) 3978 char *ev; 3979 #ifdef DEBUG 3980 ssl_trace_iob = NULL; 3981 ev = PR_GetEnvSecure("SSLDEBUGFILE"); 3982 if (ev && ev[0]) { 3983 ssl_trace_iob = fopen(ev, "w"); 3984 } 3985 if (!ssl_trace_iob) { 3986 ssl_trace_iob = stderr; 3987 } 3988 #ifdef TRACE 3989 ev = PR_GetEnvSecure("SSLTRACE"); 3990 if (ev && ev[0]) { 3991 ssl_trace = atoi(ev); 3992 SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); 3993 } 3994 #endif /* TRACE */ 3995 ev = PR_GetEnvSecure("SSLDEBUG"); 3996 if (ev && ev[0]) { 3997 ssl_debug = atoi(ev); 3998 SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); 3999 } 4000 #endif /* DEBUG */ 4001 #ifdef NSS_ALLOW_SSLKEYLOGFILE 4002 ssl_keylog_iob = NULL; 4003 ev = PR_GetEnvSecure("SSLKEYLOGFILE"); 4004 if (ev && ev[0]) { 4005 ssl_keylog_iob = fopen(ev, "a"); 4006 if (!ssl_keylog_iob) { 4007 SSL_TRACE(("SSL: failed to open key log file")); 4008 } else { 4009 if (ftell(ssl_keylog_iob) == 0) { 4010 fputs("# SSL/TLS secrets log file, generated by NSS\n", 4011 ssl_keylog_iob); 4012 } 4013 SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev)); 4014 ssl_keylog_lock = PR_NewLock(); 4015 if (!ssl_keylog_lock) { 4016 SSL_TRACE(("SSL: failed to create key log lock")); 4017 fclose(ssl_keylog_iob); 4018 ssl_keylog_iob = NULL; 4019 } 4020 } 4021 } 4022 #endif 4023 ev = PR_GetEnvSecure("SSLFORCELOCKS"); 4024 if (ev && ev[0] == '1') { 4025 ssl_force_locks = PR_TRUE; 4026 ssl_defaults.noLocks = 0; 4027 SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks)); 4028 } 4029 ev = PR_GetEnvSecure("NSS_SSL_ENABLE_RENEGOTIATION"); 4030 if (ev) { 4031 if (ev[0] == '1' || LOWER(ev[0]) == 'u') 4032 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; 4033 else if (ev[0] == '0' || LOWER(ev[0]) == 'n') 4034 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; 4035 else if (ev[0] == '2' || LOWER(ev[0]) == 'r') 4036 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; 4037 else if (ev[0] == '3' || LOWER(ev[0]) == 't') 4038 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL; 4039 SSL_TRACE(("SSL: enableRenegotiation set to %d", 4040 ssl_defaults.enableRenegotiation)); 4041 } 4042 ev = PR_GetEnvSecure("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); 4043 if (ev && ev[0] == '1') { 4044 ssl_defaults.requireSafeNegotiation = PR_TRUE; 4045 SSL_TRACE(("SSL: requireSafeNegotiation set to %d", 4046 PR_TRUE)); 4047 } 4048 ev = PR_GetEnvSecure("NSS_SSL_CBC_RANDOM_IV"); 4049 if (ev && ev[0] == '0') { 4050 ssl_defaults.cbcRandomIV = PR_FALSE; 4051 SSL_TRACE(("SSL: cbcRandomIV set to 0")); 4052 } 4053 #endif /* NSS_HAVE_GETENV */ 4054 return PR_SUCCESS; 4055 } 4056 4057 static void 4058 ssl_SetDefaultsFromEnvironment(void) 4059 { 4060 PR_CallOnce(&ssl_setDefaultsFromEnvironment, ssl_SetDefaultsFromEnvironmentCallOnce); 4061 } 4062 4063 const sslNamedGroupDef * 4064 ssl_LookupNamedGroup(SSLNamedGroup group) 4065 { 4066 unsigned int i; 4067 4068 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { 4069 if (ssl_named_groups[i].name == group) { 4070 return &ssl_named_groups[i]; 4071 } 4072 } 4073 return NULL; 4074 } 4075 4076 PRBool 4077 ssl_NamedGroupEnabled(const sslSocket *ss, const sslNamedGroupDef *groupDef) 4078 { 4079 unsigned int i; 4080 4081 if (!groupDef) { 4082 return PR_FALSE; 4083 } 4084 4085 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { 4086 if (ss->namedGroupPreferences[i] && 4087 ss->namedGroupPreferences[i] == groupDef) { 4088 return PR_TRUE; 4089 } 4090 } 4091 return PR_FALSE; 4092 } 4093 4094 /* Returns a reference counted object that contains a key pair. 4095 * Or NULL on failure. Initial ref count is 1. 4096 * Uses the keys in the pair as input. Adopts the keys given. 4097 */ 4098 sslKeyPair * 4099 ssl_NewKeyPair(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey) 4100 { 4101 sslKeyPair *pair; 4102 4103 if (!privKey || !pubKey) { 4104 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 4105 return NULL; 4106 } 4107 pair = PORT_ZNew(sslKeyPair); 4108 if (!pair) 4109 return NULL; /* error code is set. */ 4110 pair->privKey = privKey; 4111 pair->pubKey = pubKey; 4112 pair->refCount = 1; 4113 return pair; /* success */ 4114 } 4115 4116 sslKeyPair * 4117 ssl_GetKeyPairRef(sslKeyPair *keyPair) 4118 { 4119 PR_ATOMIC_INCREMENT(&keyPair->refCount); 4120 return keyPair; 4121 } 4122 4123 void 4124 ssl_FreeKeyPair(sslKeyPair *keyPair) 4125 { 4126 if (!keyPair) { 4127 return; 4128 } 4129 4130 PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount); 4131 if (!newCount) { 4132 SECKEY_DestroyPrivateKey(keyPair->privKey); 4133 SECKEY_DestroyPublicKey(keyPair->pubKey); 4134 PORT_Free(keyPair); 4135 } 4136 } 4137 4138 /* Ephemeral key handling. */ 4139 sslEphemeralKeyPair * 4140 ssl_NewEphemeralKeyPair(const sslNamedGroupDef *group, 4141 SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey) 4142 { 4143 sslKeyPair *keys; 4144 sslEphemeralKeyPair *pair; 4145 4146 if (!group) { 4147 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 4148 return NULL; 4149 } 4150 4151 keys = ssl_NewKeyPair(privKey, pubKey); 4152 if (!keys) { 4153 return NULL; 4154 } 4155 4156 pair = PORT_ZNew(sslEphemeralKeyPair); 4157 if (!pair) { 4158 ssl_FreeKeyPair(keys); 4159 return NULL; /* error already set */ 4160 } 4161 4162 PR_INIT_CLIST(&pair->link); 4163 pair->group = group; 4164 pair->keys = keys; 4165 pair->kemKeys = NULL; 4166 pair->kemCt = NULL; 4167 4168 return pair; 4169 } 4170 4171 sslEphemeralKeyPair * 4172 ssl_CopyEphemeralKeyPair(sslEphemeralKeyPair *keyPair) 4173 { 4174 sslEphemeralKeyPair *pair; 4175 4176 pair = PORT_ZNew(sslEphemeralKeyPair); 4177 if (!pair) { 4178 return NULL; /* error already set */ 4179 } 4180 4181 pair->kemCt = NULL; 4182 if (keyPair->kemCt) { 4183 pair->kemCt = SECITEM_DupItem(keyPair->kemCt); 4184 if (!pair->kemCt) { 4185 PORT_Free(pair); 4186 return NULL; 4187 } 4188 } 4189 4190 PR_INIT_CLIST(&pair->link); 4191 pair->group = keyPair->group; 4192 pair->keys = ssl_GetKeyPairRef(keyPair->keys); 4193 pair->kemKeys = keyPair->kemKeys ? ssl_GetKeyPairRef(keyPair->kemKeys) : NULL; 4194 4195 return pair; 4196 } 4197 4198 void 4199 ssl_FreeEphemeralKeyPair(sslEphemeralKeyPair *keyPair) 4200 { 4201 if (!keyPair) { 4202 return; 4203 } 4204 4205 ssl_FreeKeyPair(keyPair->keys); 4206 ssl_FreeKeyPair(keyPair->kemKeys); 4207 SECITEM_FreeItem(keyPair->kemCt, PR_TRUE); 4208 PR_REMOVE_LINK(&keyPair->link); 4209 PORT_Free(keyPair); 4210 } 4211 4212 PRBool 4213 ssl_HaveEphemeralKeyPair(const sslSocket *ss, const sslNamedGroupDef *groupDef) 4214 { 4215 return ssl_LookupEphemeralKeyPair((sslSocket *)ss, groupDef) != NULL; 4216 } 4217 4218 sslEphemeralKeyPair * 4219 ssl_LookupEphemeralKeyPair(sslSocket *ss, const sslNamedGroupDef *groupDef) 4220 { 4221 PRCList *cursor; 4222 for (cursor = PR_NEXT_LINK(&ss->ephemeralKeyPairs); 4223 cursor != &ss->ephemeralKeyPairs; 4224 cursor = PR_NEXT_LINK(cursor)) { 4225 sslEphemeralKeyPair *keyPair = (sslEphemeralKeyPair *)cursor; 4226 if (keyPair->group == groupDef) { 4227 return keyPair; 4228 } 4229 } 4230 return NULL; 4231 } 4232 4233 void 4234 ssl_FreeEphemeralKeyPairs(sslSocket *ss) 4235 { 4236 while (!PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs)) { 4237 PRCList *cursor = PR_LIST_TAIL(&ss->ephemeralKeyPairs); 4238 ssl_FreeEphemeralKeyPair((sslEphemeralKeyPair *)cursor); 4239 } 4240 } 4241 4242 PRTime 4243 ssl_Time(const sslSocket *ss) 4244 { 4245 if (!ss->now) { 4246 return PR_Now(); 4247 } 4248 return ss->now(ss->nowArg); 4249 } 4250 4251 /* 4252 ** Create a newsocket structure for a file descriptor. 4253 */ 4254 static sslSocket * 4255 ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) 4256 { 4257 SECStatus rv; 4258 sslSocket *ss; 4259 int i; 4260 ssl_SetDefaultsFromEnvironment(); 4261 4262 if (ssl_force_locks) 4263 makeLocks = PR_TRUE; 4264 4265 /* Make a new socket and get it ready */ 4266 ss = PORT_ZNew(sslSocket); 4267 if (!ss) { 4268 return NULL; 4269 } 4270 ss->opt = ssl_defaults; 4271 if (protocolVariant == ssl_variant_datagram) { 4272 ss->opt.enableRenegotiation = SSL_RENEGOTIATE_NEVER; 4273 } 4274 ss->opt.useSocks = PR_FALSE; 4275 ss->opt.noLocks = !makeLocks; 4276 ss->vrange = *VERSIONS_DEFAULTS(protocolVariant); 4277 ss->protocolVariant = protocolVariant; 4278 /* Ignore overlap failures, because returning NULL would trigger assertion 4279 * failures elsewhere. We don't want this scenario to be fatal, it's just 4280 * a state where no SSL connectivity is possible. */ 4281 ssl3_CreateOverlapWithPolicy(ss->protocolVariant, &ss->vrange, &ss->vrange); 4282 ss->peerID = NULL; 4283 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; 4284 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; 4285 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; 4286 ss->url = NULL; 4287 4288 PR_INIT_CLIST(&ss->serverCerts); 4289 PR_INIT_CLIST(&ss->ephemeralKeyPairs); 4290 PR_INIT_CLIST(&ss->extensionHooks); 4291 PR_INIT_CLIST(&ss->echConfigs); 4292 4293 ss->dbHandle = CERT_GetDefaultCertDB(); 4294 4295 /* Provide default implementation of hooks */ 4296 ss->authCertificate = SSL_AuthCertificate; 4297 ss->authCertificateArg = (void *)ss->dbHandle; 4298 ss->sniSocketConfig = NULL; 4299 ss->sniSocketConfigArg = NULL; 4300 ss->getClientAuthData = NULL; 4301 ss->alertReceivedCallback = NULL; 4302 ss->alertReceivedCallbackArg = NULL; 4303 ss->alertSentCallback = NULL; 4304 ss->alertSentCallbackArg = NULL; 4305 ss->handleBadCert = NULL; 4306 ss->badCertArg = NULL; 4307 ss->pkcs11PinArg = NULL; 4308 4309 ssl_ChooseOps(ss); 4310 ssl3_InitSocketPolicy(ss); 4311 for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { 4312 ss->namedGroupPreferences[i] = &ssl_named_groups[i]; 4313 } 4314 ss->additionalShares = 0; 4315 PR_INIT_CLIST(&ss->ssl3.hs.remoteExtensions); 4316 PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); 4317 PR_INIT_CLIST(&ss->ssl3.hs.cipherSpecs); 4318 PR_INIT_CLIST(&ss->ssl3.hs.bufferedEarlyData); 4319 ssl3_InitExtensionData(&ss->xtnData, ss); 4320 PR_INIT_CLIST(&ss->ssl3.hs.dtlsSentHandshake); 4321 PR_INIT_CLIST(&ss->ssl3.hs.dtlsRcvdHandshake); 4322 PR_INIT_CLIST(&ss->ssl3.hs.psks); 4323 dtls_InitTimers(ss); 4324 4325 ss->echPrivKey = NULL; 4326 ss->echPubKey = NULL; 4327 ss->antiReplay = NULL; 4328 ss->psk = NULL; 4329 4330 if (makeLocks) { 4331 rv = ssl_MakeLocks(ss); 4332 if (rv != SECSuccess) 4333 goto loser; 4334 } 4335 rv = ssl_CreateSecurityInfo(ss); 4336 if (rv != SECSuccess) 4337 goto loser; 4338 rv = ssl3_InitGather(&ss->gs); 4339 if (rv != SECSuccess) 4340 goto loser; 4341 rv = ssl3_InitState(ss); 4342 if (rv != SECSuccess) { 4343 goto loser; 4344 } 4345 return ss; 4346 4347 loser: 4348 ssl_DestroySocketContents(ss); 4349 ssl_DestroyLocks(ss); 4350 PORT_Free(ss); 4351 return NULL; 4352 } 4353 4354 /** 4355 * DEPRECATED: Will always return false. 4356 */ 4357 SECStatus 4358 SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey, 4359 PRUint32 protocolmask, PRUint16 *ciphersuites, int nsuites, 4360 PRBool *pcanbypass, void *pwArg) 4361 { 4362 if (!pcanbypass) { 4363 PORT_SetError(SEC_ERROR_INVALID_ARGS); 4364 return SECFailure; 4365 } 4366 *pcanbypass = PR_FALSE; 4367 return SECSuccess; 4368 } 4369 4370 /* Functions that are truly experimental use EXP, functions that are no longer 4371 * experimental use PUB. 4372 * 4373 * When initially defining a new API, add that API here using the EXP() macro 4374 * and name the function with a SSLExp_ prefix. Define the experimental API as 4375 * a macro in sslexp.h using the SSL_EXPERIMENTAL_API() macro defined there. 4376 * 4377 * Once an API is stable and proven, move the macro definition in sslexp.h to a 4378 * proper function declaration in ssl.h. Keeping the function in this list 4379 * ensures that code built against the release that contained the experimental 4380 * API will continue to work; use PUB() to reference the public function. 4381 */ 4382 #define EXP(n) \ 4383 { \ 4384 "SSL_" #n, SSLExp_##n \ 4385 } 4386 #define PUB(n) \ 4387 { \ 4388 "SSL_" #n, SSL_##n \ 4389 } 4390 struct { 4391 const char *const name; 4392 void *function; 4393 } ssl_experimental_functions[] = { 4394 #ifndef SSL_DISABLE_EXPERIMENTAL_API 4395 EXP(AddExternalPsk), 4396 EXP(AddExternalPsk0Rtt), 4397 EXP(AeadDecrypt), 4398 EXP(AeadEncrypt), 4399 EXP(CallExtensionWriterOnEchInner), 4400 EXP(CipherSuiteOrderGet), 4401 EXP(CipherSuiteOrderSet), 4402 EXP(CreateAntiReplayContext), 4403 EXP(CreateMask), 4404 EXP(CreateMaskingContext), 4405 EXP(CreateVariantMaskingContext), 4406 EXP(DelegateCredential), 4407 EXP(DestroyAead), 4408 EXP(DestroyMaskingContext), 4409 EXP(DestroyResumptionTokenInfo), 4410 EXP(EnableTls13BackendEch), 4411 EXP(EnableTls13GreaseEch), 4412 EXP(SetTls13GreaseEchSize), 4413 EXP(EncodeEchConfigId), 4414 EXP(GetCurrentEpoch), 4415 EXP(GetEchRetryConfigs), 4416 EXP(GetExtensionSupport), 4417 EXP(GetResumptionTokenInfo), 4418 EXP(HelloRetryRequestCallback), 4419 EXP(InstallExtensionHooks), 4420 EXP(HkdfExtract), 4421 EXP(HkdfExpandLabel), 4422 EXP(HkdfExpandLabelWithMech), 4423 EXP(HkdfVariantExpandLabel), 4424 EXP(HkdfVariantExpandLabelWithMech), 4425 EXP(KeyUpdate), 4426 EXP(MakeAead), 4427 EXP(MakeVariantAead), 4428 EXP(RecordLayerData), 4429 EXP(RecordLayerWriteCallback), 4430 EXP(ReleaseAntiReplayContext), 4431 EXP(RemoveEchConfigs), 4432 EXP(RemoveExternalPsk), 4433 EXP(SecretCallback), 4434 EXP(SendCertificateRequest), 4435 EXP(SendSessionTicket), 4436 EXP(SetAntiReplayContext), 4437 EXP(SetClientEchConfigs), 4438 EXP(SetDtls13VersionWorkaround), 4439 EXP(SetMaxEarlyDataSize), 4440 EXP(SetResumptionTokenCallback), 4441 EXP(SetResumptionToken), 4442 EXP(SetServerEchConfigs), 4443 EXP(SetTimeFunc), 4444 EXP(SetCertificateCompressionAlgorithm), 4445 EXP(PeerCertificateChainDER), 4446 #endif 4447 { "", NULL } 4448 }; 4449 #undef EXP 4450 #undef PUB 4451 4452 void * 4453 SSL_GetExperimentalAPI(const char *name) 4454 { 4455 unsigned int i; 4456 for (i = 0; i < PR_ARRAY_SIZE(ssl_experimental_functions); ++i) { 4457 if (strcmp(name, ssl_experimental_functions[i].name) == 0) { 4458 return ssl_experimental_functions[i].function; 4459 } 4460 } 4461 PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API); 4462 return NULL; 4463 } 4464 4465 void 4466 ssl_ClearPRCList(PRCList *list, void (*f)(void *)) 4467 { 4468 PRCList *cursor; 4469 4470 while (!PR_CLIST_IS_EMPTY(list)) { 4471 cursor = PR_LIST_TAIL(list); 4472 4473 PR_REMOVE_LINK(cursor); 4474 if (f) { 4475 f(cursor); 4476 } 4477 PORT_Free(cursor); 4478 } 4479 } 4480 4481 SECStatus 4482 SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled) 4483 { 4484 sslSocket *ss = ssl_FindSocket(fd); 4485 if (!ss) { 4486 return SECFailure; 4487 } 4488 ss->opt.enableTls13GreaseEch = enabled; 4489 return SECSuccess; 4490 } 4491 4492 SECStatus 4493 SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size) 4494 { 4495 sslSocket *ss = ssl_FindSocket(fd); 4496 if (!ss || size == 0) { 4497 return SECFailure; 4498 } 4499 ssl_Get1stHandshakeLock(ss); 4500 ssl_GetSSL3HandshakeLock(ss); 4501 4502 ss->ssl3.hs.greaseEchSize = size; 4503 4504 ssl_ReleaseSSL3HandshakeLock(ss); 4505 ssl_Release1stHandshakeLock(ss); 4506 4507 return SECSuccess; 4508 } 4509 4510 SECStatus 4511 SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled) 4512 { 4513 sslSocket *ss = ssl_FindSocket(fd); 4514 if (!ss) { 4515 return SECFailure; 4516 } 4517 ss->opt.enableTls13BackendEch = enabled; 4518 return SECSuccess; 4519 } 4520 4521 SECStatus 4522 SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled) 4523 { 4524 sslSocket *ss = ssl_FindSocket(fd); 4525 if (!ss) { 4526 return SECFailure; 4527 } 4528 ss->opt.callExtensionWriterOnEchInner = enabled; 4529 return SECSuccess; 4530 } 4531 4532 SECStatus 4533 SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled) 4534 { 4535 sslSocket *ss = ssl_FindSocket(fd); 4536 if (!ss) { 4537 return SECFailure; 4538 } 4539 ss->opt.enableDtls13VersionCompat = enabled; 4540 return SECSuccess; 4541 } 4542 4543 SECStatus 4544 SSLExp_SetTimeFunc(PRFileDesc *fd, SSLTimeFunc f, void *arg) 4545 { 4546 sslSocket *ss = ssl_FindSocket(fd); 4547 4548 if (!ss) { 4549 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetTimeFunc", 4550 SSL_GETPID(), fd)); 4551 return SECFailure; 4552 } 4553 ss->now = f; 4554 ss->nowArg = arg; 4555 return SECSuccess; 4556 } 4557 4558 /* Experimental APIs for session cache handling. */ 4559 4560 SECStatus 4561 SSLExp_SetResumptionTokenCallback(PRFileDesc *fd, 4562 SSLResumptionTokenCallback cb, 4563 void *ctx) 4564 { 4565 sslSocket *ss = ssl_FindSocket(fd); 4566 4567 if (!ss) { 4568 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetResumptionTokenCallback", 4569 SSL_GETPID(), fd)); 4570 return SECFailure; 4571 } 4572 4573 ssl_Get1stHandshakeLock(ss); 4574 ssl_GetSSL3HandshakeLock(ss); 4575 ss->resumptionTokenCallback = cb; 4576 ss->resumptionTokenContext = ctx; 4577 ssl_ReleaseSSL3HandshakeLock(ss); 4578 ssl_Release1stHandshakeLock(ss); 4579 4580 return SECSuccess; 4581 } 4582 4583 SECStatus 4584 SSLExp_SetResumptionToken(PRFileDesc *fd, const PRUint8 *token, 4585 unsigned int len) 4586 { 4587 sslSocket *ss = ssl_FindSocket(fd); 4588 sslSessionID *sid = NULL; 4589 4590 if (!ss) { 4591 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetResumptionToken", 4592 SSL_GETPID(), fd)); 4593 return SECFailure; 4594 } 4595 4596 ssl_Get1stHandshakeLock(ss); 4597 ssl_GetSSL3HandshakeLock(ss); 4598 4599 if (ss->firstHsDone || ss->ssl3.hs.ws != idle_handshake || 4600 ss->sec.isServer || len == 0 || !token) { 4601 PORT_SetError(SEC_ERROR_INVALID_ARGS); 4602 goto loser; 4603 } 4604 4605 // We override any previously set session. 4606 if (ss->sec.ci.sid) { 4607 ssl_FreeSID(ss->sec.ci.sid); 4608 ss->sec.ci.sid = NULL; 4609 } 4610 4611 PRINT_BUF(50, (ss, "incoming resumption token", token, len)); 4612 4613 sid = ssl3_NewSessionID(ss, PR_FALSE); 4614 if (!sid) { 4615 goto loser; 4616 } 4617 4618 /* Populate NewSessionTicket values */ 4619 SECStatus rv = ssl_DecodeResumptionToken(sid, token, len); 4620 if (rv != SECSuccess) { 4621 // If decoding fails, we assume the token is bad. 4622 PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR); 4623 goto loser; 4624 } 4625 4626 // Make sure that the token is currently usable. 4627 if (!ssl_IsResumptionTokenUsable(ss, sid)) { 4628 PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR); 4629 goto loser; 4630 } 4631 4632 // Generate a new random session ID for this ticket. 4633 rv = PK11_GenerateRandom(sid->u.ssl3.sessionID, SSL3_SESSIONID_BYTES); 4634 if (rv != SECSuccess) { 4635 goto loser; // Code set by PK11_GenerateRandom. 4636 } 4637 sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES; 4638 /* Use the sid->cached as marker that this is from an external cache and 4639 * we don't have to look up anything in the NSS internal cache. */ 4640 sid->cached = in_external_cache; 4641 sid->lastAccessTime = ssl_Time(ss); 4642 4643 ss->sec.ci.sid = sid; 4644 4645 ssl_ReleaseSSL3HandshakeLock(ss); 4646 ssl_Release1stHandshakeLock(ss); 4647 return SECSuccess; 4648 4649 loser: 4650 ssl_FreeSID(sid); 4651 ssl_ReleaseSSL3HandshakeLock(ss); 4652 ssl_Release1stHandshakeLock(ss); 4653 4654 return SECFailure; 4655 } 4656 4657 SECStatus 4658 SSLExp_DestroyResumptionTokenInfo(SSLResumptionTokenInfo *token) 4659 { 4660 if (!token) { 4661 PORT_SetError(SEC_ERROR_INVALID_ARGS); 4662 return SECFailure; 4663 } 4664 if (token->peerCert) { 4665 CERT_DestroyCertificate(token->peerCert); 4666 } 4667 PORT_Free(token->alpnSelection); 4668 PORT_Memset(token, 0, token->length); 4669 return SECSuccess; 4670 } 4671 4672 SECStatus 4673 SSLExp_GetResumptionTokenInfo(const PRUint8 *tokenData, unsigned int tokenLen, 4674 SSLResumptionTokenInfo *tokenOut, PRUintn len) 4675 { 4676 if (!tokenData || !tokenOut || !tokenLen || 4677 len > sizeof(SSLResumptionTokenInfo)) { 4678 PORT_SetError(SEC_ERROR_INVALID_ARGS); 4679 return SECFailure; 4680 } 4681 sslSessionID sid = { 0 }; 4682 SSLResumptionTokenInfo token; 4683 4684 /* Populate sid values */ 4685 if (ssl_DecodeResumptionToken(&sid, tokenData, tokenLen) != SECSuccess) { 4686 // If decoding fails, we assume the token is bad. 4687 PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR); 4688 return SECFailure; 4689 } 4690 4691 token.peerCert = CERT_DupCertificate(sid.peerCert); 4692 4693 token.alpnSelectionLen = sid.u.ssl3.alpnSelection.len; 4694 token.alpnSelection = PORT_ZAlloc(token.alpnSelectionLen); 4695 if (!token.alpnSelection) { 4696 return SECFailure; 4697 } 4698 if (token.alpnSelectionLen > 0) { 4699 PORT_Assert(sid.u.ssl3.alpnSelection.data); 4700 PORT_Memcpy(token.alpnSelection, sid.u.ssl3.alpnSelection.data, 4701 token.alpnSelectionLen); 4702 } 4703 4704 if (sid.u.ssl3.locked.sessionTicket.flags & ticket_allow_early_data) { 4705 token.maxEarlyDataSize = 4706 sid.u.ssl3.locked.sessionTicket.max_early_data_size; 4707 } else { 4708 token.maxEarlyDataSize = 0; 4709 } 4710 token.expirationTime = sid.expirationTime; 4711 4712 token.length = PR_MIN(sizeof(SSLResumptionTokenInfo), len); 4713 PORT_Memcpy(tokenOut, &token, token.length); 4714 4715 ssl_DestroySID(&sid, PR_FALSE); 4716 return SECSuccess; 4717 }