OLD | NEW |
(Empty) | |
| 1 /* |
| 2 * vtables (and methods that call through them) for the 4 types of |
| 3 * SSLSockets supported. Only one type is still supported. |
| 4 * Various other functions. |
| 5 * |
| 6 * ***** BEGIN LICENSE BLOCK ***** |
| 7 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| 8 * |
| 9 * The contents of this file are subject to the Mozilla Public License Version |
| 10 * 1.1 (the "License"); you may not use this file except in compliance with |
| 11 * the License. You may obtain a copy of the License at |
| 12 * http://www.mozilla.org/MPL/ |
| 13 * |
| 14 * Software distributed under the License is distributed on an "AS IS" basis, |
| 15 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License |
| 16 * for the specific language governing rights and limitations under the |
| 17 * License. |
| 18 * |
| 19 * The Original Code is the Netscape security libraries. |
| 20 * |
| 21 * The Initial Developer of the Original Code is |
| 22 * Netscape Communications Corporation. |
| 23 * Portions created by the Initial Developer are Copyright (C) 1994-2000 |
| 24 * the Initial Developer. All Rights Reserved. |
| 25 * |
| 26 * Contributor(s): |
| 27 * Dr Stephen Henson <stephen.henson@gemplus.com> |
| 28 * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories |
| 29 * |
| 30 * Alternatively, the contents of this file may be used under the terms of |
| 31 * either the GNU General Public License Version 2 or later (the "GPL"), or |
| 32 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), |
| 33 * in which case the provisions of the GPL or the LGPL are applicable instead |
| 34 * of those above. If you wish to allow use of your version of this file only |
| 35 * under the terms of either the GPL or the LGPL, and not to allow others to |
| 36 * use your version of this file under the terms of the MPL, indicate your |
| 37 * decision by deleting the provisions above and replace them with the notice |
| 38 * and other provisions required by the GPL or the LGPL. If you do not delete |
| 39 * the provisions above, a recipient may use your version of this file under |
| 40 * the terms of any one of the MPL, the GPL or the LGPL. |
| 41 * |
| 42 * ***** END LICENSE BLOCK ***** */ |
| 43 /* $Id: sslsock.c,v 1.59 2009/11/06 20:11:29 nelson%bolyard.com Exp $ */ |
| 44 #include "seccomon.h" |
| 45 #include "cert.h" |
| 46 #include "keyhi.h" |
| 47 #include "ssl.h" |
| 48 #include "sslimpl.h" |
| 49 #include "sslproto.h" |
| 50 #include "nspr.h" |
| 51 #include "private/pprio.h" |
| 52 #include "blapi.h" |
| 53 #include "nss.h" |
| 54 |
| 55 #define SET_ERROR_CODE /* reminder */ |
| 56 |
| 57 struct cipherPolicyStr { |
| 58 int cipher; |
| 59 unsigned char export; /* policy value for export policy */ |
| 60 unsigned char france; /* policy value for france policy */ |
| 61 }; |
| 62 |
| 63 typedef struct cipherPolicyStr cipherPolicy; |
| 64 |
| 65 /* This table contains two preconfigured policies: Export and France. |
| 66 ** It is used only by the functions SSL_SetDomesticPolicy, |
| 67 ** SSL_SetExportPolicy, and SSL_SetFrancyPolicy. |
| 68 ** Order of entries is not important. |
| 69 */ |
| 70 static cipherPolicy ssl_ciphers[] = { /* Export France */ |
| 71 { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 72 { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 73 { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 74 { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 75 { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 76 { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 77 { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 78 { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 79 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 80 { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, |
| 81 { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 82 { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 83 { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 84 { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 85 { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 86 { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 87 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 88 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 89 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 90 { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 91 { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED }, |
| 92 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 93 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 94 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 95 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 96 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 97 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 98 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 99 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 100 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 101 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 102 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 103 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 104 { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 105 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, |
| 106 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, |
| 107 #ifdef NSS_ENABLE_ECC |
| 108 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 109 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 110 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 111 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 112 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 113 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 114 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 115 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 116 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 117 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 118 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 119 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 120 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 121 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 122 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 123 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 124 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 125 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 126 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 127 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 128 #endif /* NSS_ENABLE_ECC */ |
| 129 { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } |
| 130 }; |
| 131 |
| 132 static const sslSocketOps ssl_default_ops = { /* No SSL. */ |
| 133 ssl_DefConnect, |
| 134 NULL, |
| 135 ssl_DefBind, |
| 136 ssl_DefListen, |
| 137 ssl_DefShutdown, |
| 138 ssl_DefClose, |
| 139 ssl_DefRecv, |
| 140 ssl_DefSend, |
| 141 ssl_DefRead, |
| 142 ssl_DefWrite, |
| 143 ssl_DefGetpeername, |
| 144 ssl_DefGetsockname |
| 145 }; |
| 146 |
| 147 static const sslSocketOps ssl_secure_ops = { /* SSL. */ |
| 148 ssl_SecureConnect, |
| 149 NULL, |
| 150 ssl_DefBind, |
| 151 ssl_DefListen, |
| 152 ssl_SecureShutdown, |
| 153 ssl_SecureClose, |
| 154 ssl_SecureRecv, |
| 155 ssl_SecureSend, |
| 156 ssl_SecureRead, |
| 157 ssl_SecureWrite, |
| 158 ssl_DefGetpeername, |
| 159 ssl_DefGetsockname |
| 160 }; |
| 161 |
| 162 /* |
| 163 ** default settings for socket enables |
| 164 */ |
| 165 static sslOptions ssl_defaults = { |
| 166 PR_TRUE, /* useSecurity */ |
| 167 PR_FALSE, /* useSocks */ |
| 168 PR_FALSE, /* requestCertificate */ |
| 169 2, /* requireCertificate */ |
| 170 PR_FALSE, /* handshakeAsClient */ |
| 171 PR_FALSE, /* handshakeAsServer */ |
| 172 PR_TRUE, /* enableSSL2 */ |
| 173 PR_TRUE, /* enableSSL3 */ |
| 174 PR_TRUE, /* enableTLS */ /* now defaults to on in NSS 3.0 */ |
| 175 PR_FALSE, /* noCache */ |
| 176 PR_FALSE, /* fdx */ |
| 177 PR_TRUE, /* v2CompatibleHello */ |
| 178 PR_TRUE, /* detectRollBack */ |
| 179 PR_FALSE, /* noStepDown */ |
| 180 PR_FALSE, /* bypassPKCS11 */ |
| 181 PR_FALSE, /* noLocks */ |
| 182 PR_FALSE, /* enableSessionTickets */ |
| 183 PR_FALSE, /* enableDeflate */ |
| 184 0, /* enableRenegotiation (default: never) */ |
| 185 PR_FALSE, /* requireSafeNegotiation */ |
| 186 }; |
| 187 |
| 188 sslSessionIDLookupFunc ssl_sid_lookup; |
| 189 sslSessionIDCacheFunc ssl_sid_cache; |
| 190 sslSessionIDUncacheFunc ssl_sid_uncache; |
| 191 |
| 192 static PRBool ssl_inited = PR_FALSE; |
| 193 static PRDescIdentity ssl_layer_id; |
| 194 |
| 195 PRBool locksEverDisabled; /* implicitly PR_FALSE */ |
| 196 PRBool ssl_force_locks; /* implicitly PR_FALSE */ |
| 197 int ssl_lock_readers = 1; /* default true. */ |
| 198 char ssl_debug; |
| 199 char ssl_trace; |
| 200 FILE * ssl_trace_iob; |
| 201 char lockStatus[] = "Locks are ENABLED. "; |
| 202 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ |
| 203 |
| 204 /* forward declarations. */ |
| 205 static sslSocket *ssl_NewSocket(PRBool makeLocks); |
| 206 static SECStatus ssl_MakeLocks(sslSocket *ss); |
| 207 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, |
| 208 PRDescIdentity id); |
| 209 |
| 210 /************************************************************************/ |
| 211 |
| 212 /* |
| 213 ** Lookup a socket structure from a file descriptor. |
| 214 ** Only functions called through the PRIOMethods table should use this. |
| 215 ** Other app-callable functions should use ssl_FindSocket. |
| 216 */ |
| 217 static sslSocket * |
| 218 ssl_GetPrivate(PRFileDesc *fd) |
| 219 { |
| 220 sslSocket *ss; |
| 221 |
| 222 PORT_Assert(fd != NULL); |
| 223 PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED); |
| 224 PORT_Assert(fd->identity == ssl_layer_id); |
| 225 |
| 226 if (fd->methods->file_type != PR_DESC_LAYERED || |
| 227 fd->identity != ssl_layer_id) { |
| 228 PORT_SetError(PR_BAD_DESCRIPTOR_ERROR); |
| 229 return NULL; |
| 230 } |
| 231 |
| 232 ss = (sslSocket *)fd->secret; |
| 233 ss->fd = fd; |
| 234 return ss; |
| 235 } |
| 236 |
| 237 /* This function tries to find the SSL layer in the stack. |
| 238 * It searches for the first SSL layer at or below the argument fd, |
| 239 * and failing that, it searches for the nearest SSL layer above the |
| 240 * argument fd. It returns the private sslSocket from the found layer. |
| 241 */ |
| 242 sslSocket * |
| 243 ssl_FindSocket(PRFileDesc *fd) |
| 244 { |
| 245 PRFileDesc *layer; |
| 246 sslSocket *ss; |
| 247 |
| 248 PORT_Assert(fd != NULL); |
| 249 PORT_Assert(ssl_layer_id != 0); |
| 250 |
| 251 layer = PR_GetIdentitiesLayer(fd, ssl_layer_id); |
| 252 if (layer == NULL) { |
| 253 PORT_SetError(PR_BAD_DESCRIPTOR_ERROR); |
| 254 return NULL; |
| 255 } |
| 256 |
| 257 ss = (sslSocket *)layer->secret; |
| 258 ss->fd = layer; |
| 259 return ss; |
| 260 } |
| 261 |
| 262 sslSocket * |
| 263 ssl_DupSocket(sslSocket *os) |
| 264 { |
| 265 sslSocket *ss; |
| 266 SECStatus rv; |
| 267 |
| 268 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks)); |
| 269 if (ss) { |
| 270 ss->opt = os->opt; |
| 271 ss->opt.useSocks = PR_FALSE; |
| 272 |
| 273 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); |
| 274 ss->url = !os->url ? NULL : PORT_Strdup(os->url); |
| 275 |
| 276 ss->ops = os->ops; |
| 277 ss->rTimeout = os->rTimeout; |
| 278 ss->wTimeout = os->wTimeout; |
| 279 ss->cTimeout = os->cTimeout; |
| 280 ss->dbHandle = os->dbHandle; |
| 281 |
| 282 /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ |
| 283 ss->allowedByPolicy = os->allowedByPolicy; |
| 284 ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy; |
| 285 ss->chosenPreference = os->chosenPreference; |
| 286 PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites)
; |
| 287 |
| 288 if (os->cipherSpecs) { |
| 289 ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs); |
| 290 if (ss->cipherSpecs) |
| 291 PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, |
| 292 os->sizeCipherSpecs); |
| 293 ss->sizeCipherSpecs = os->sizeCipherSpecs; |
| 294 ss->preferredCipher = os->preferredCipher; |
| 295 } else { |
| 296 ss->cipherSpecs = NULL; /* produced lazily */ |
| 297 ss->sizeCipherSpecs = 0; |
| 298 ss->preferredCipher = NULL; |
| 299 } |
| 300 if (ss->opt.useSecurity) { |
| 301 /* This int should be SSLKEAType, but CC on Irix complains, |
| 302 * during the for loop. |
| 303 */ |
| 304 int i; |
| 305 sslServerCerts * oc = os->serverCerts; |
| 306 sslServerCerts * sc = ss->serverCerts; |
| 307 |
| 308 for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) { |
| 309 if (oc->serverCert && oc->serverCertChain) { |
| 310 sc->serverCert = CERT_DupCertificate(oc->serverCert); |
| 311 sc->serverCertChain = CERT_DupCertList(oc->serverCertChain); |
| 312 if (!sc->serverCertChain) |
| 313 goto loser; |
| 314 } else { |
| 315 sc->serverCert = NULL; |
| 316 sc->serverCertChain = NULL; |
| 317 } |
| 318 sc->serverKeyPair = oc->serverKeyPair ? |
| 319 ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL; |
| 320 if (oc->serverKeyPair && !sc->serverKeyPair) |
| 321 goto loser; |
| 322 sc->serverKeyBits = oc->serverKeyBits; |
| 323 } |
| 324 ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL : |
| 325 ssl3_GetKeyPairRef(os->stepDownKeyPair); |
| 326 ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL : |
| 327 ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair); |
| 328 /* |
| 329 * XXX the preceeding CERT_ and SECKEY_ functions can fail and return NULL. |
| 330 * XXX We should detect this, and not just march on with NULL pointers. |
| 331 */ |
| 332 ss->authCertificate = os->authCertificate; |
| 333 ss->authCertificateArg = os->authCertificateArg; |
| 334 ss->getClientAuthData = os->getClientAuthData; |
| 335 ss->getClientAuthDataArg = os->getClientAuthDataArg; |
| 336 ss->handleBadCert = os->handleBadCert; |
| 337 ss->badCertArg = os->badCertArg; |
| 338 ss->handshakeCallback = os->handshakeCallback; |
| 339 ss->handshakeCallbackData = os->handshakeCallbackData; |
| 340 ss->pkcs11PinArg = os->pkcs11PinArg; |
| 341 |
| 342 /* Create security data */ |
| 343 rv = ssl_CopySecurityInfo(ss, os); |
| 344 if (rv != SECSuccess) { |
| 345 goto loser; |
| 346 } |
| 347 } |
| 348 } |
| 349 return ss; |
| 350 |
| 351 loser: |
| 352 ssl_FreeSocket(ss); |
| 353 return NULL; |
| 354 } |
| 355 |
| 356 static void |
| 357 ssl_DestroyLocks(sslSocket *ss) |
| 358 { |
| 359 /* Destroy locks. */ |
| 360 if (ss->firstHandshakeLock) { |
| 361 PZ_DestroyMonitor(ss->firstHandshakeLock); |
| 362 ss->firstHandshakeLock = NULL; |
| 363 } |
| 364 if (ss->ssl3HandshakeLock) { |
| 365 PZ_DestroyMonitor(ss->ssl3HandshakeLock); |
| 366 ss->ssl3HandshakeLock = NULL; |
| 367 } |
| 368 if (ss->specLock) { |
| 369 NSSRWLock_Destroy(ss->specLock); |
| 370 ss->specLock = NULL; |
| 371 } |
| 372 |
| 373 if (ss->recvLock) { |
| 374 PZ_DestroyLock(ss->recvLock); |
| 375 ss->recvLock = NULL; |
| 376 } |
| 377 if (ss->sendLock) { |
| 378 PZ_DestroyLock(ss->sendLock); |
| 379 ss->sendLock = NULL; |
| 380 } |
| 381 if (ss->xmitBufLock) { |
| 382 PZ_DestroyMonitor(ss->xmitBufLock); |
| 383 ss->xmitBufLock = NULL; |
| 384 } |
| 385 if (ss->recvBufLock) { |
| 386 PZ_DestroyMonitor(ss->recvBufLock); |
| 387 ss->recvBufLock = NULL; |
| 388 } |
| 389 } |
| 390 |
| 391 /* Caller holds any relevant locks */ |
| 392 static void |
| 393 ssl_DestroySocketContents(sslSocket *ss) |
| 394 { |
| 395 /* "i" should be of type SSLKEAType, but CC on IRIX complains during |
| 396 * the for loop. |
| 397 */ |
| 398 int i; |
| 399 |
| 400 /* Free up socket */ |
| 401 ssl_DestroySecurityInfo(&ss->sec); |
| 402 |
| 403 ssl3_DestroySSL3Info(ss); |
| 404 |
| 405 PORT_Free(ss->saveBuf.buf); |
| 406 PORT_Free(ss->pendingBuf.buf); |
| 407 ssl_DestroyGather(&ss->gs); |
| 408 |
| 409 if (ss->peerID != NULL) |
| 410 PORT_Free(ss->peerID); |
| 411 if (ss->url != NULL) |
| 412 PORT_Free((void *)ss->url); /* CONST */ |
| 413 if (ss->cipherSpecs) { |
| 414 PORT_Free(ss->cipherSpecs); |
| 415 ss->cipherSpecs = NULL; |
| 416 ss->sizeCipherSpecs = 0; |
| 417 } |
| 418 |
| 419 /* Clean up server configuration */ |
| 420 for (i=kt_null; i < kt_kea_size; i++) { |
| 421 sslServerCerts * sc = ss->serverCerts + i; |
| 422 if (sc->serverCert != NULL) |
| 423 CERT_DestroyCertificate(sc->serverCert); |
| 424 if (sc->serverCertChain != NULL) |
| 425 CERT_DestroyCertificateList(sc->serverCertChain); |
| 426 if (sc->serverKeyPair != NULL) |
| 427 ssl3_FreeKeyPair(sc->serverKeyPair); |
| 428 } |
| 429 if (ss->stepDownKeyPair) { |
| 430 ssl3_FreeKeyPair(ss->stepDownKeyPair); |
| 431 ss->stepDownKeyPair = NULL; |
| 432 } |
| 433 if (ss->ephemeralECDHKeyPair) { |
| 434 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); |
| 435 ss->ephemeralECDHKeyPair = NULL; |
| 436 } |
| 437 } |
| 438 |
| 439 /* |
| 440 * free an sslSocket struct, and all the stuff that hangs off of it |
| 441 */ |
| 442 void |
| 443 ssl_FreeSocket(sslSocket *ss) |
| 444 { |
| 445 #ifdef DEBUG |
| 446 sslSocket *fs; |
| 447 sslSocket lSock; |
| 448 #endif |
| 449 |
| 450 /* Get every lock you can imagine! |
| 451 ** Caller already holds these: |
| 452 ** SSL_LOCK_READER(ss); |
| 453 ** SSL_LOCK_WRITER(ss); |
| 454 */ |
| 455 ssl_Get1stHandshakeLock(ss); |
| 456 ssl_GetRecvBufLock(ss); |
| 457 ssl_GetSSL3HandshakeLock(ss); |
| 458 ssl_GetXmitBufLock(ss); |
| 459 ssl_GetSpecWriteLock(ss); |
| 460 |
| 461 #ifdef DEBUG |
| 462 fs = &lSock; |
| 463 *fs = *ss; /* Copy the old socket structure, */ |
| 464 PORT_Memset(ss, 0x1f, sizeof *ss); /* then blast the old struct ASAP. */ |
| 465 #else |
| 466 #define fs ss |
| 467 #endif |
| 468 |
| 469 ssl_DestroySocketContents(fs); |
| 470 |
| 471 /* Release all the locks acquired above. */ |
| 472 SSL_UNLOCK_READER(fs); |
| 473 SSL_UNLOCK_WRITER(fs); |
| 474 ssl_Release1stHandshakeLock(fs); |
| 475 ssl_ReleaseRecvBufLock(fs); |
| 476 ssl_ReleaseSSL3HandshakeLock(fs); |
| 477 ssl_ReleaseXmitBufLock(fs); |
| 478 ssl_ReleaseSpecWriteLock(fs); |
| 479 |
| 480 ssl_DestroyLocks(fs); |
| 481 |
| 482 PORT_Free(ss); /* free the caller's copy, not ours. */ |
| 483 return; |
| 484 } |
| 485 #undef fs |
| 486 |
| 487 /************************************************************************/ |
| 488 SECStatus |
| 489 ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled) |
| 490 { |
| 491 PRFileDesc * osfd = ss->fd->lower; |
| 492 SECStatus rv = SECFailure; |
| 493 PRSocketOptionData opt; |
| 494 |
| 495 opt.option = PR_SockOpt_NoDelay; |
| 496 opt.value.no_delay = (PRBool)!enabled; |
| 497 |
| 498 if (osfd->methods->setsocketoption) { |
| 499 rv = (SECStatus) osfd->methods->setsocketoption(osfd, &opt); |
| 500 } else { |
| 501 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
| 502 } |
| 503 |
| 504 return rv; |
| 505 } |
| 506 |
| 507 static void |
| 508 ssl_ChooseOps(sslSocket *ss) |
| 509 { |
| 510 ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops; |
| 511 } |
| 512 |
| 513 /* Called from SSL_Enable (immediately below) */ |
| 514 static SECStatus |
| 515 PrepareSocket(sslSocket *ss) |
| 516 { |
| 517 SECStatus rv = SECSuccess; |
| 518 |
| 519 ssl_ChooseOps(ss); |
| 520 return rv; |
| 521 } |
| 522 |
| 523 SECStatus |
| 524 SSL_Enable(PRFileDesc *fd, int which, PRBool on) |
| 525 { |
| 526 return SSL_OptionSet(fd, which, on); |
| 527 } |
| 528 |
| 529 static const PRCallOnceType pristineCallOnce; |
| 530 static PRCallOnceType setupBypassOnce; |
| 531 |
| 532 static SECStatus SSL_BypassShutdown(void* appData, void* nssData) |
| 533 { |
| 534 /* unload freeBL shared library from memory */ |
| 535 BL_Unload(); |
| 536 setupBypassOnce = pristineCallOnce; |
| 537 return SECSuccess; |
| 538 } |
| 539 |
| 540 static PRStatus SSL_BypassRegisterShutdown(void) |
| 541 { |
| 542 SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL); |
| 543 PORT_Assert(SECSuccess == rv); |
| 544 return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE; |
| 545 } |
| 546 |
| 547 static PRStatus SSL_BypassSetup(void) |
| 548 { |
| 549 return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown); |
| 550 } |
| 551 |
| 552 SECStatus |
| 553 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) |
| 554 { |
| 555 sslSocket *ss = ssl_FindSocket(fd); |
| 556 SECStatus rv = SECSuccess; |
| 557 PRBool holdingLocks; |
| 558 |
| 559 if (!ss) { |
| 560 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); |
| 561 return SECFailure; |
| 562 } |
| 563 |
| 564 holdingLocks = (!ss->opt.noLocks); |
| 565 ssl_Get1stHandshakeLock(ss); |
| 566 ssl_GetSSL3HandshakeLock(ss); |
| 567 |
| 568 switch (which) { |
| 569 case SSL_SOCKS: |
| 570 ss->opt.useSocks = PR_FALSE; |
| 571 rv = PrepareSocket(ss); |
| 572 if (on) { |
| 573 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 574 rv = SECFailure; |
| 575 } |
| 576 break; |
| 577 |
| 578 case SSL_SECURITY: |
| 579 ss->opt.useSecurity = on; |
| 580 rv = PrepareSocket(ss); |
| 581 break; |
| 582 |
| 583 case SSL_REQUEST_CERTIFICATE: |
| 584 ss->opt.requestCertificate = on; |
| 585 break; |
| 586 |
| 587 case SSL_REQUIRE_CERTIFICATE: |
| 588 ss->opt.requireCertificate = on; |
| 589 break; |
| 590 |
| 591 case SSL_HANDSHAKE_AS_CLIENT: |
| 592 if ( ss->opt.handshakeAsServer && on ) { |
| 593 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 594 rv = SECFailure; |
| 595 break; |
| 596 } |
| 597 ss->opt.handshakeAsClient = on; |
| 598 break; |
| 599 |
| 600 case SSL_HANDSHAKE_AS_SERVER: |
| 601 if ( ss->opt.handshakeAsClient && on ) { |
| 602 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 603 rv = SECFailure; |
| 604 break; |
| 605 } |
| 606 ss->opt.handshakeAsServer = on; |
| 607 break; |
| 608 |
| 609 case SSL_ENABLE_TLS: |
| 610 ss->opt.enableTLS = on; |
| 611 ss->preferredCipher = NULL; |
| 612 if (ss->cipherSpecs) { |
| 613 PORT_Free(ss->cipherSpecs); |
| 614 ss->cipherSpecs = NULL; |
| 615 ss->sizeCipherSpecs = 0; |
| 616 } |
| 617 break; |
| 618 |
| 619 case SSL_ENABLE_SSL3: |
| 620 ss->opt.enableSSL3 = on; |
| 621 ss->preferredCipher = NULL; |
| 622 if (ss->cipherSpecs) { |
| 623 PORT_Free(ss->cipherSpecs); |
| 624 ss->cipherSpecs = NULL; |
| 625 ss->sizeCipherSpecs = 0; |
| 626 } |
| 627 break; |
| 628 |
| 629 case SSL_ENABLE_SSL2: |
| 630 ss->opt.enableSSL2 = on; |
| 631 if (on) { |
| 632 ss->opt.v2CompatibleHello = on; |
| 633 } |
| 634 ss->preferredCipher = NULL; |
| 635 if (ss->cipherSpecs) { |
| 636 PORT_Free(ss->cipherSpecs); |
| 637 ss->cipherSpecs = NULL; |
| 638 ss->sizeCipherSpecs = 0; |
| 639 } |
| 640 break; |
| 641 |
| 642 case SSL_NO_CACHE: |
| 643 ss->opt.noCache = on; |
| 644 break; |
| 645 |
| 646 case SSL_ENABLE_FDX: |
| 647 if (on && ss->opt.noLocks) { |
| 648 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 649 rv = SECFailure; |
| 650 } |
| 651 ss->opt.fdx = on; |
| 652 break; |
| 653 |
| 654 case SSL_V2_COMPATIBLE_HELLO: |
| 655 ss->opt.v2CompatibleHello = on; |
| 656 if (!on) { |
| 657 ss->opt.enableSSL2 = on; |
| 658 } |
| 659 break; |
| 660 |
| 661 case SSL_ROLLBACK_DETECTION: |
| 662 ss->opt.detectRollBack = on; |
| 663 break; |
| 664 |
| 665 case SSL_NO_STEP_DOWN: |
| 666 ss->opt.noStepDown = on; |
| 667 if (on) |
| 668 SSL_DisableExportCipherSuites(fd); |
| 669 break; |
| 670 |
| 671 case SSL_BYPASS_PKCS11: |
| 672 if (ss->handshakeBegun) { |
| 673 PORT_SetError(PR_INVALID_STATE_ERROR); |
| 674 rv = SECFailure; |
| 675 } else { |
| 676 if (PR_FALSE != on) { |
| 677 if (PR_SUCCESS == SSL_BypassSetup() ) { |
| 678 ss->opt.bypassPKCS11 = on; |
| 679 } else { |
| 680 rv = SECFailure; |
| 681 } |
| 682 } else { |
| 683 ss->opt.bypassPKCS11 = PR_FALSE; |
| 684 } |
| 685 } |
| 686 break; |
| 687 |
| 688 case SSL_NO_LOCKS: |
| 689 if (on && ss->opt.fdx) { |
| 690 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 691 rv = SECFailure; |
| 692 } |
| 693 if (on && ssl_force_locks) |
| 694 on = PR_FALSE; /* silent override */ |
| 695 ss->opt.noLocks = on; |
| 696 if (on) { |
| 697 locksEverDisabled = PR_TRUE; |
| 698 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); |
| 699 } else if (!holdingLocks) { |
| 700 rv = ssl_MakeLocks(ss); |
| 701 if (rv != SECSuccess) { |
| 702 ss->opt.noLocks = PR_TRUE; |
| 703 } |
| 704 } |
| 705 break; |
| 706 |
| 707 case SSL_ENABLE_SESSION_TICKETS: |
| 708 ss->opt.enableSessionTickets = on; |
| 709 break; |
| 710 |
| 711 case SSL_ENABLE_DEFLATE: |
| 712 ss->opt.enableDeflate = on; |
| 713 break; |
| 714 |
| 715 case SSL_ENABLE_RENEGOTIATION: |
| 716 ss->opt.enableRenegotiation = on; |
| 717 break; |
| 718 |
| 719 case SSL_REQUIRE_SAFE_NEGOTIATION: |
| 720 ss->opt.requireSafeNegotiation = on; |
| 721 break; |
| 722 |
| 723 default: |
| 724 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 725 rv = SECFailure; |
| 726 } |
| 727 |
| 728 /* We can't use the macros for releasing the locks here, |
| 729 * because ss->opt.noLocks might have changed just above. |
| 730 * We must release these locks (monitors) here, if we aquired them above, |
| 731 * regardless of the current value of ss->opt.noLocks. |
| 732 */ |
| 733 if (holdingLocks) { |
| 734 PZ_ExitMonitor((ss)->ssl3HandshakeLock); |
| 735 PZ_ExitMonitor((ss)->firstHandshakeLock); |
| 736 } |
| 737 |
| 738 return rv; |
| 739 } |
| 740 |
| 741 SECStatus |
| 742 SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) |
| 743 { |
| 744 sslSocket *ss = ssl_FindSocket(fd); |
| 745 SECStatus rv = SECSuccess; |
| 746 PRBool on = PR_FALSE; |
| 747 |
| 748 if (!pOn) { |
| 749 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 750 return SECFailure; |
| 751 } |
| 752 if (!ss) { |
| 753 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd)); |
| 754 *pOn = PR_FALSE; |
| 755 return SECFailure; |
| 756 } |
| 757 |
| 758 ssl_Get1stHandshakeLock(ss); |
| 759 ssl_GetSSL3HandshakeLock(ss); |
| 760 |
| 761 switch (which) { |
| 762 case SSL_SOCKS: on = PR_FALSE; break; |
| 763 case SSL_SECURITY: on = ss->opt.useSecurity; break; |
| 764 case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break; |
| 765 case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break; |
| 766 case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break; |
| 767 case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break; |
| 768 case SSL_ENABLE_TLS: on = ss->opt.enableTLS; break; |
| 769 case SSL_ENABLE_SSL3: on = ss->opt.enableSSL3; break; |
| 770 case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break; |
| 771 case SSL_NO_CACHE: on = ss->opt.noCache; break; |
| 772 case SSL_ENABLE_FDX: on = ss->opt.fdx; break; |
| 773 case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break; |
| 774 case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break; |
| 775 case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break; |
| 776 case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break; |
| 777 case SSL_NO_LOCKS: on = ss->opt.noLocks; break; |
| 778 case SSL_ENABLE_SESSION_TICKETS: |
| 779 on = ss->opt.enableSessionTickets; |
| 780 break; |
| 781 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; |
| 782 case SSL_ENABLE_RENEGOTIATION: |
| 783 on = ss->opt.enableRenegotiation; break; |
| 784 case SSL_REQUIRE_SAFE_NEGOTIATION: |
| 785 on = ss->opt.requireSafeNegotiation; break; |
| 786 |
| 787 default: |
| 788 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 789 rv = SECFailure; |
| 790 } |
| 791 |
| 792 ssl_ReleaseSSL3HandshakeLock(ss); |
| 793 ssl_Release1stHandshakeLock(ss); |
| 794 |
| 795 *pOn = on; |
| 796 return rv; |
| 797 } |
| 798 |
| 799 SECStatus |
| 800 SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) |
| 801 { |
| 802 SECStatus rv = SECSuccess; |
| 803 PRBool on = PR_FALSE; |
| 804 |
| 805 if (!pOn) { |
| 806 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 807 return SECFailure; |
| 808 } |
| 809 |
| 810 switch (which) { |
| 811 case SSL_SOCKS: on = PR_FALSE; break; |
| 812 case SSL_SECURITY: on = ssl_defaults.useSecurity; break; |
| 813 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break; |
| 814 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break; |
| 815 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break; |
| 816 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break; |
| 817 case SSL_ENABLE_TLS: on = ssl_defaults.enableTLS; break; |
| 818 case SSL_ENABLE_SSL3: on = ssl_defaults.enableSSL3; break; |
| 819 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break; |
| 820 case SSL_NO_CACHE: on = ssl_defaults.noCache; break; |
| 821 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break; |
| 822 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break; |
| 823 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break; |
| 824 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break; |
| 825 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break; |
| 826 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break; |
| 827 case SSL_ENABLE_SESSION_TICKETS: |
| 828 on = ssl_defaults.enableSessionTickets; |
| 829 break; |
| 830 case SSL_ENABLE_DEFLATE: on = ssl_defaults.enableDeflate; break; |
| 831 case SSL_ENABLE_RENEGOTIATION: |
| 832 on = ssl_defaults.enableRenegotiation; break; |
| 833 case SSL_REQUIRE_SAFE_NEGOTIATION: |
| 834 on = ssl_defaults.requireSafeNegotiation; |
| 835 break; |
| 836 |
| 837 default: |
| 838 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 839 rv = SECFailure; |
| 840 } |
| 841 |
| 842 *pOn = on; |
| 843 return rv; |
| 844 } |
| 845 |
| 846 /* XXX Use Global Lock to protect this stuff. */ |
| 847 SECStatus |
| 848 SSL_EnableDefault(int which, PRBool on) |
| 849 { |
| 850 return SSL_OptionSetDefault(which, on); |
| 851 } |
| 852 |
| 853 SECStatus |
| 854 SSL_OptionSetDefault(PRInt32 which, PRBool on) |
| 855 { |
| 856 switch (which) { |
| 857 case SSL_SOCKS: |
| 858 ssl_defaults.useSocks = PR_FALSE; |
| 859 if (on) { |
| 860 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 861 return SECFailure; |
| 862 } |
| 863 break; |
| 864 |
| 865 case SSL_SECURITY: |
| 866 ssl_defaults.useSecurity = on; |
| 867 break; |
| 868 |
| 869 case SSL_REQUEST_CERTIFICATE: |
| 870 ssl_defaults.requestCertificate = on; |
| 871 break; |
| 872 |
| 873 case SSL_REQUIRE_CERTIFICATE: |
| 874 ssl_defaults.requireCertificate = on; |
| 875 break; |
| 876 |
| 877 case SSL_HANDSHAKE_AS_CLIENT: |
| 878 if ( ssl_defaults.handshakeAsServer && on ) { |
| 879 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 880 return SECFailure; |
| 881 } |
| 882 ssl_defaults.handshakeAsClient = on; |
| 883 break; |
| 884 |
| 885 case SSL_HANDSHAKE_AS_SERVER: |
| 886 if ( ssl_defaults.handshakeAsClient && on ) { |
| 887 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 888 return SECFailure; |
| 889 } |
| 890 ssl_defaults.handshakeAsServer = on; |
| 891 break; |
| 892 |
| 893 case SSL_ENABLE_TLS: |
| 894 ssl_defaults.enableTLS = on; |
| 895 break; |
| 896 |
| 897 case SSL_ENABLE_SSL3: |
| 898 ssl_defaults.enableSSL3 = on; |
| 899 break; |
| 900 |
| 901 case SSL_ENABLE_SSL2: |
| 902 ssl_defaults.enableSSL2 = on; |
| 903 if (on) { |
| 904 ssl_defaults.v2CompatibleHello = on; |
| 905 } |
| 906 break; |
| 907 |
| 908 case SSL_NO_CACHE: |
| 909 ssl_defaults.noCache = on; |
| 910 break; |
| 911 |
| 912 case SSL_ENABLE_FDX: |
| 913 if (on && ssl_defaults.noLocks) { |
| 914 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 915 return SECFailure; |
| 916 } |
| 917 ssl_defaults.fdx = on; |
| 918 break; |
| 919 |
| 920 case SSL_V2_COMPATIBLE_HELLO: |
| 921 ssl_defaults.v2CompatibleHello = on; |
| 922 if (!on) { |
| 923 ssl_defaults.enableSSL2 = on; |
| 924 } |
| 925 break; |
| 926 |
| 927 case SSL_ROLLBACK_DETECTION: |
| 928 ssl_defaults.detectRollBack = on; |
| 929 break; |
| 930 |
| 931 case SSL_NO_STEP_DOWN: |
| 932 ssl_defaults.noStepDown = on; |
| 933 if (on) |
| 934 SSL_DisableDefaultExportCipherSuites(); |
| 935 break; |
| 936 |
| 937 case SSL_BYPASS_PKCS11: |
| 938 if (PR_FALSE != on) { |
| 939 if (PR_SUCCESS == SSL_BypassSetup()) { |
| 940 ssl_defaults.bypassPKCS11 = on; |
| 941 } else { |
| 942 return SECFailure; |
| 943 } |
| 944 } else { |
| 945 ssl_defaults.bypassPKCS11 = PR_FALSE; |
| 946 } |
| 947 break; |
| 948 |
| 949 case SSL_NO_LOCKS: |
| 950 if (on && ssl_defaults.fdx) { |
| 951 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 952 return SECFailure; |
| 953 } |
| 954 if (on && ssl_force_locks) |
| 955 on = PR_FALSE; /* silent override */ |
| 956 ssl_defaults.noLocks = on; |
| 957 if (on) { |
| 958 locksEverDisabled = PR_TRUE; |
| 959 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); |
| 960 } |
| 961 break; |
| 962 |
| 963 case SSL_ENABLE_SESSION_TICKETS: |
| 964 ssl_defaults.enableSessionTickets = on; |
| 965 break; |
| 966 |
| 967 case SSL_ENABLE_DEFLATE: |
| 968 ssl_defaults.enableDeflate = on; |
| 969 break; |
| 970 |
| 971 case SSL_ENABLE_RENEGOTIATION: |
| 972 ssl_defaults.enableRenegotiation = on; |
| 973 break; |
| 974 |
| 975 case SSL_REQUIRE_SAFE_NEGOTIATION: |
| 976 ssl_defaults.requireSafeNegotiation = on; |
| 977 break; |
| 978 |
| 979 default: |
| 980 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 981 return SECFailure; |
| 982 } |
| 983 return SECSuccess; |
| 984 } |
| 985 |
| 986 /* function tells us if the cipher suite is one that we no longer support. */ |
| 987 static PRBool |
| 988 ssl_IsRemovedCipherSuite(PRInt32 suite) |
| 989 { |
| 990 switch (suite) { |
| 991 case SSL_FORTEZZA_DMS_WITH_NULL_SHA: |
| 992 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: |
| 993 case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: |
| 994 return PR_TRUE; |
| 995 default: |
| 996 return PR_FALSE; |
| 997 } |
| 998 } |
| 999 |
| 1000 /* Part of the public NSS API. |
| 1001 * Since this is a global (not per-socket) setting, we cannot use the |
| 1002 * HandshakeLock to protect this. Probably want a global lock. |
| 1003 */ |
| 1004 SECStatus |
| 1005 SSL_SetPolicy(long which, int policy) |
| 1006 { |
| 1007 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { |
| 1008 /* one of the two old FIPS ciphers */ |
| 1009 if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) |
| 1010 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; |
| 1011 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) |
| 1012 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; |
| 1013 } |
| 1014 if (ssl_IsRemovedCipherSuite(which)) |
| 1015 return SECSuccess; |
| 1016 return SSL_CipherPolicySet(which, policy); |
| 1017 } |
| 1018 |
| 1019 SECStatus |
| 1020 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy) |
| 1021 { |
| 1022 SECStatus rv; |
| 1023 |
| 1024 if (ssl_IsRemovedCipherSuite(which)) { |
| 1025 rv = SECSuccess; |
| 1026 } else if (SSL_IS_SSL2_CIPHER(which)) { |
| 1027 rv = ssl2_SetPolicy(which, policy); |
| 1028 } else { |
| 1029 rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); |
| 1030 } |
| 1031 return rv; |
| 1032 } |
| 1033 |
| 1034 SECStatus |
| 1035 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) |
| 1036 { |
| 1037 SECStatus rv; |
| 1038 |
| 1039 if (!oPolicy) { |
| 1040 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1041 return SECFailure; |
| 1042 } |
| 1043 if (ssl_IsRemovedCipherSuite(which)) { |
| 1044 *oPolicy = SSL_NOT_ALLOWED; |
| 1045 rv = SECSuccess; |
| 1046 } else if (SSL_IS_SSL2_CIPHER(which)) { |
| 1047 rv = ssl2_GetPolicy(which, oPolicy); |
| 1048 } else { |
| 1049 rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy); |
| 1050 } |
| 1051 return rv; |
| 1052 } |
| 1053 |
| 1054 /* Part of the public NSS API. |
| 1055 * Since this is a global (not per-socket) setting, we cannot use the |
| 1056 * HandshakeLock to protect this. Probably want a global lock. |
| 1057 * These changes have no effect on any sslSockets already created. |
| 1058 */ |
| 1059 SECStatus |
| 1060 SSL_EnableCipher(long which, PRBool enabled) |
| 1061 { |
| 1062 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) { |
| 1063 /* one of the two old FIPS ciphers */ |
| 1064 if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) |
| 1065 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA; |
| 1066 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA) |
| 1067 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA; |
| 1068 } |
| 1069 if (ssl_IsRemovedCipherSuite(which)) |
| 1070 return SECSuccess; |
| 1071 return SSL_CipherPrefSetDefault(which, enabled); |
| 1072 } |
| 1073 |
| 1074 SECStatus |
| 1075 SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled) |
| 1076 { |
| 1077 SECStatus rv; |
| 1078 |
| 1079 if (ssl_IsRemovedCipherSuite(which)) |
| 1080 return SECSuccess; |
| 1081 if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) { |
| 1082 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
| 1083 return SECFailure; |
| 1084 } |
| 1085 if (SSL_IS_SSL2_CIPHER(which)) { |
| 1086 rv = ssl2_CipherPrefSetDefault(which, enabled); |
| 1087 } else { |
| 1088 rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled); |
| 1089 } |
| 1090 return rv; |
| 1091 } |
| 1092 |
| 1093 SECStatus |
| 1094 SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled) |
| 1095 { |
| 1096 SECStatus rv; |
| 1097 |
| 1098 if (!enabled) { |
| 1099 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1100 return SECFailure; |
| 1101 } |
| 1102 if (ssl_IsRemovedCipherSuite(which)) { |
| 1103 *enabled = PR_FALSE; |
| 1104 rv = SECSuccess; |
| 1105 } else if (SSL_IS_SSL2_CIPHER(which)) { |
| 1106 rv = ssl2_CipherPrefGetDefault(which, enabled); |
| 1107 } else { |
| 1108 rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled); |
| 1109 } |
| 1110 return rv; |
| 1111 } |
| 1112 |
| 1113 SECStatus |
| 1114 SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled) |
| 1115 { |
| 1116 SECStatus rv; |
| 1117 sslSocket *ss = ssl_FindSocket(fd); |
| 1118 |
| 1119 if (!ss) { |
| 1120 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd)); |
| 1121 return SECFailure; |
| 1122 } |
| 1123 if (ssl_IsRemovedCipherSuite(which)) |
| 1124 return SECSuccess; |
| 1125 if (enabled && ss->opt.noStepDown && SSL_IsExportCipherSuite(which)) { |
| 1126 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
| 1127 return SECFailure; |
| 1128 } |
| 1129 if (SSL_IS_SSL2_CIPHER(which)) { |
| 1130 rv = ssl2_CipherPrefSet(ss, which, enabled); |
| 1131 } else { |
| 1132 rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled); |
| 1133 } |
| 1134 return rv; |
| 1135 } |
| 1136 |
| 1137 SECStatus |
| 1138 SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) |
| 1139 { |
| 1140 SECStatus rv; |
| 1141 sslSocket *ss = ssl_FindSocket(fd); |
| 1142 |
| 1143 if (!enabled) { |
| 1144 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1145 return SECFailure; |
| 1146 } |
| 1147 if (!ss) { |
| 1148 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd)); |
| 1149 *enabled = PR_FALSE; |
| 1150 return SECFailure; |
| 1151 } |
| 1152 if (ssl_IsRemovedCipherSuite(which)) { |
| 1153 *enabled = PR_FALSE; |
| 1154 rv = SECSuccess; |
| 1155 } else if (SSL_IS_SSL2_CIPHER(which)) { |
| 1156 rv = ssl2_CipherPrefGet(ss, which, enabled); |
| 1157 } else { |
| 1158 rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled); |
| 1159 } |
| 1160 return rv; |
| 1161 } |
| 1162 |
| 1163 SECStatus |
| 1164 NSS_SetDomesticPolicy(void) |
| 1165 { |
| 1166 #ifndef EXPORT_VERSION |
| 1167 SECStatus status = SECSuccess; |
| 1168 cipherPolicy * policy; |
| 1169 |
| 1170 for (policy = ssl_ciphers; policy->cipher != 0; ++policy) { |
| 1171 status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED); |
| 1172 if (status != SECSuccess) |
| 1173 break; |
| 1174 } |
| 1175 return status; |
| 1176 #else |
| 1177 return NSS_SetExportPolicy(); |
| 1178 #endif |
| 1179 } |
| 1180 |
| 1181 SECStatus |
| 1182 NSS_SetExportPolicy(void) |
| 1183 { |
| 1184 SECStatus status = SECSuccess; |
| 1185 cipherPolicy * policy; |
| 1186 |
| 1187 for (policy = ssl_ciphers; policy->cipher != 0; ++policy) { |
| 1188 status = SSL_SetPolicy(policy->cipher, policy->export); |
| 1189 if (status != SECSuccess) |
| 1190 break; |
| 1191 } |
| 1192 return status; |
| 1193 } |
| 1194 |
| 1195 SECStatus |
| 1196 NSS_SetFrancePolicy(void) |
| 1197 { |
| 1198 SECStatus status = SECSuccess; |
| 1199 cipherPolicy * policy; |
| 1200 |
| 1201 for (policy = ssl_ciphers; policy->cipher != 0; ++policy) { |
| 1202 status = SSL_SetPolicy(policy->cipher, policy->france); |
| 1203 if (status != SECSuccess) |
| 1204 break; |
| 1205 } |
| 1206 return status; |
| 1207 } |
| 1208 |
| 1209 |
| 1210 |
| 1211 /* LOCKS ??? XXX */ |
| 1212 PRFileDesc * |
| 1213 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) |
| 1214 { |
| 1215 sslSocket * ns = NULL; |
| 1216 PRStatus rv; |
| 1217 PRNetAddr addr; |
| 1218 |
| 1219 if (model == NULL) { |
| 1220 /* Just create a default socket if we're given NULL for the model */ |
| 1221 ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks)); |
| 1222 } else { |
| 1223 sslSocket * ss = ssl_FindSocket(model); |
| 1224 if (ss == NULL) { |
| 1225 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", |
| 1226 SSL_GETPID(), model)); |
| 1227 return NULL; |
| 1228 } |
| 1229 ns = ssl_DupSocket(ss); |
| 1230 } |
| 1231 if (ns == NULL) |
| 1232 return NULL; |
| 1233 |
| 1234 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); |
| 1235 if (rv != PR_SUCCESS) { |
| 1236 ssl_FreeSocket(ns); |
| 1237 SET_ERROR_CODE |
| 1238 return NULL; |
| 1239 } |
| 1240 #ifdef _WIN32 |
| 1241 PR_Sleep(PR_INTERVAL_NO_WAIT); /* workaround NT winsock connect bug. */ |
| 1242 #endif |
| 1243 ns = ssl_FindSocket(fd); |
| 1244 PORT_Assert(ns); |
| 1245 if (ns) |
| 1246 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr)); |
| 1247 return fd; |
| 1248 } |
| 1249 |
| 1250 /************************************************************************/ |
| 1251 /* The following functions are the TOP LEVEL SSL functions. |
| 1252 ** They all get called through the NSPRIOMethods table below. |
| 1253 */ |
| 1254 |
| 1255 static PRFileDesc * PR_CALLBACK |
| 1256 ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) |
| 1257 { |
| 1258 sslSocket *ss; |
| 1259 sslSocket *ns = NULL; |
| 1260 PRFileDesc *newfd = NULL; |
| 1261 PRFileDesc *osfd; |
| 1262 PRStatus status; |
| 1263 |
| 1264 ss = ssl_GetPrivate(fd); |
| 1265 if (!ss) { |
| 1266 SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd)); |
| 1267 return NULL; |
| 1268 } |
| 1269 |
| 1270 /* IF this is a listen socket, there shouldn't be any I/O going on */ |
| 1271 SSL_LOCK_READER(ss); |
| 1272 SSL_LOCK_WRITER(ss); |
| 1273 ssl_Get1stHandshakeLock(ss); |
| 1274 ssl_GetSSL3HandshakeLock(ss); |
| 1275 |
| 1276 ss->cTimeout = timeout; |
| 1277 |
| 1278 osfd = ss->fd->lower; |
| 1279 |
| 1280 /* First accept connection */ |
| 1281 newfd = osfd->methods->accept(osfd, sockaddr, timeout); |
| 1282 if (newfd == NULL) { |
| 1283 SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d", |
| 1284 SSL_GETPID(), ss->fd, PORT_GetError())); |
| 1285 } else { |
| 1286 /* Create ssl module */ |
| 1287 ns = ssl_DupSocket(ss); |
| 1288 } |
| 1289 |
| 1290 ssl_ReleaseSSL3HandshakeLock(ss); |
| 1291 ssl_Release1stHandshakeLock(ss); |
| 1292 SSL_UNLOCK_WRITER(ss); |
| 1293 SSL_UNLOCK_READER(ss); /* ss isn't used below here. */ |
| 1294 |
| 1295 if (ns == NULL) |
| 1296 goto loser; |
| 1297 |
| 1298 /* push ssl module onto the new socket */ |
| 1299 status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER); |
| 1300 if (status != PR_SUCCESS) |
| 1301 goto loser; |
| 1302 |
| 1303 /* Now start server connection handshake with client. |
| 1304 ** Don't need locks here because nobody else has a reference to ns yet. |
| 1305 */ |
| 1306 if ( ns->opt.useSecurity ) { |
| 1307 if ( ns->opt.handshakeAsClient ) { |
| 1308 ns->handshake = ssl2_BeginClientHandshake; |
| 1309 ss->handshaking = sslHandshakingAsClient; |
| 1310 } else { |
| 1311 ns->handshake = ssl2_BeginServerHandshake; |
| 1312 ss->handshaking = sslHandshakingAsServer; |
| 1313 } |
| 1314 } |
| 1315 ns->TCPconnected = 1; |
| 1316 return newfd; |
| 1317 |
| 1318 loser: |
| 1319 if (ns != NULL) |
| 1320 ssl_FreeSocket(ns); |
| 1321 if (newfd != NULL) |
| 1322 PR_Close(newfd); |
| 1323 return NULL; |
| 1324 } |
| 1325 |
| 1326 static PRStatus PR_CALLBACK |
| 1327 ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout) |
| 1328 { |
| 1329 sslSocket *ss; |
| 1330 PRStatus rv; |
| 1331 |
| 1332 ss = ssl_GetPrivate(fd); |
| 1333 if (!ss) { |
| 1334 SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd)); |
| 1335 return PR_FAILURE; |
| 1336 } |
| 1337 |
| 1338 /* IF this is a listen socket, there shouldn't be any I/O going on */ |
| 1339 SSL_LOCK_READER(ss); |
| 1340 SSL_LOCK_WRITER(ss); |
| 1341 |
| 1342 ss->cTimeout = timeout; |
| 1343 rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr); |
| 1344 #ifdef _WIN32 |
| 1345 PR_Sleep(PR_INTERVAL_NO_WAIT); /* workaround NT winsock connect bug. */ |
| 1346 #endif |
| 1347 |
| 1348 SSL_UNLOCK_WRITER(ss); |
| 1349 SSL_UNLOCK_READER(ss); |
| 1350 |
| 1351 return rv; |
| 1352 } |
| 1353 |
| 1354 static PRStatus PR_CALLBACK |
| 1355 ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr) |
| 1356 { |
| 1357 sslSocket * ss = ssl_GetPrivate(fd); |
| 1358 PRStatus rv; |
| 1359 |
| 1360 if (!ss) { |
| 1361 SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd)); |
| 1362 return PR_FAILURE; |
| 1363 } |
| 1364 SSL_LOCK_READER(ss); |
| 1365 SSL_LOCK_WRITER(ss); |
| 1366 |
| 1367 rv = (PRStatus)(*ss->ops->bind)(ss, addr); |
| 1368 |
| 1369 SSL_UNLOCK_WRITER(ss); |
| 1370 SSL_UNLOCK_READER(ss); |
| 1371 return rv; |
| 1372 } |
| 1373 |
| 1374 static PRStatus PR_CALLBACK |
| 1375 ssl_Listen(PRFileDesc *fd, PRIntn backlog) |
| 1376 { |
| 1377 sslSocket * ss = ssl_GetPrivate(fd); |
| 1378 PRStatus rv; |
| 1379 |
| 1380 if (!ss) { |
| 1381 SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd)); |
| 1382 return PR_FAILURE; |
| 1383 } |
| 1384 SSL_LOCK_READER(ss); |
| 1385 SSL_LOCK_WRITER(ss); |
| 1386 |
| 1387 rv = (PRStatus)(*ss->ops->listen)(ss, backlog); |
| 1388 |
| 1389 SSL_UNLOCK_WRITER(ss); |
| 1390 SSL_UNLOCK_READER(ss); |
| 1391 return rv; |
| 1392 } |
| 1393 |
| 1394 static PRStatus PR_CALLBACK |
| 1395 ssl_Shutdown(PRFileDesc *fd, PRIntn how) |
| 1396 { |
| 1397 sslSocket * ss = ssl_GetPrivate(fd); |
| 1398 PRStatus rv; |
| 1399 |
| 1400 if (!ss) { |
| 1401 SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd)); |
| 1402 return PR_FAILURE; |
| 1403 } |
| 1404 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { |
| 1405 SSL_LOCK_READER(ss); |
| 1406 } |
| 1407 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { |
| 1408 SSL_LOCK_WRITER(ss); |
| 1409 } |
| 1410 |
| 1411 rv = (PRStatus)(*ss->ops->shutdown)(ss, how); |
| 1412 |
| 1413 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) { |
| 1414 SSL_UNLOCK_WRITER(ss); |
| 1415 } |
| 1416 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) { |
| 1417 SSL_UNLOCK_READER(ss); |
| 1418 } |
| 1419 return rv; |
| 1420 } |
| 1421 |
| 1422 static PRStatus PR_CALLBACK |
| 1423 ssl_Close(PRFileDesc *fd) |
| 1424 { |
| 1425 sslSocket *ss; |
| 1426 PRStatus rv; |
| 1427 |
| 1428 ss = ssl_GetPrivate(fd); |
| 1429 if (!ss) { |
| 1430 SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd)); |
| 1431 return PR_FAILURE; |
| 1432 } |
| 1433 |
| 1434 /* There must not be any I/O going on */ |
| 1435 SSL_LOCK_READER(ss); |
| 1436 SSL_LOCK_WRITER(ss); |
| 1437 |
| 1438 /* By the time this function returns, |
| 1439 ** ss is an invalid pointer, and the locks to which it points have |
| 1440 ** been unlocked and freed. So, this is the ONE PLACE in all of SSL |
| 1441 ** where the LOCK calls and the corresponding UNLOCK calls are not in |
| 1442 ** the same function scope. The unlock calls are in ssl_FreeSocket(). |
| 1443 */ |
| 1444 rv = (PRStatus)(*ss->ops->close)(ss); |
| 1445 |
| 1446 return rv; |
| 1447 } |
| 1448 |
| 1449 static int PR_CALLBACK |
| 1450 ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, |
| 1451 PRIntervalTime timeout) |
| 1452 { |
| 1453 sslSocket *ss; |
| 1454 int rv; |
| 1455 |
| 1456 ss = ssl_GetPrivate(fd); |
| 1457 if (!ss) { |
| 1458 SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd)); |
| 1459 return SECFailure; |
| 1460 } |
| 1461 SSL_LOCK_READER(ss); |
| 1462 ss->rTimeout = timeout; |
| 1463 if (!ss->opt.fdx) |
| 1464 ss->wTimeout = timeout; |
| 1465 rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags); |
| 1466 SSL_UNLOCK_READER(ss); |
| 1467 return rv; |
| 1468 } |
| 1469 |
| 1470 static int PR_CALLBACK |
| 1471 ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags, |
| 1472 PRIntervalTime timeout) |
| 1473 { |
| 1474 sslSocket *ss; |
| 1475 int rv; |
| 1476 |
| 1477 ss = ssl_GetPrivate(fd); |
| 1478 if (!ss) { |
| 1479 SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd)); |
| 1480 return SECFailure; |
| 1481 } |
| 1482 SSL_LOCK_WRITER(ss); |
| 1483 ss->wTimeout = timeout; |
| 1484 if (!ss->opt.fdx) |
| 1485 ss->rTimeout = timeout; |
| 1486 rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags); |
| 1487 SSL_UNLOCK_WRITER(ss); |
| 1488 return rv; |
| 1489 } |
| 1490 |
| 1491 static int PR_CALLBACK |
| 1492 ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len) |
| 1493 { |
| 1494 sslSocket *ss; |
| 1495 int rv; |
| 1496 |
| 1497 ss = ssl_GetPrivate(fd); |
| 1498 if (!ss) { |
| 1499 SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd)); |
| 1500 return SECFailure; |
| 1501 } |
| 1502 SSL_LOCK_READER(ss); |
| 1503 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 1504 if (!ss->opt.fdx) |
| 1505 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 1506 rv = (*ss->ops->read)(ss, (unsigned char*)buf, len); |
| 1507 SSL_UNLOCK_READER(ss); |
| 1508 return rv; |
| 1509 } |
| 1510 |
| 1511 static int PR_CALLBACK |
| 1512 ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len) |
| 1513 { |
| 1514 sslSocket *ss; |
| 1515 int rv; |
| 1516 |
| 1517 ss = ssl_GetPrivate(fd); |
| 1518 if (!ss) { |
| 1519 SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd)); |
| 1520 return SECFailure; |
| 1521 } |
| 1522 SSL_LOCK_WRITER(ss); |
| 1523 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 1524 if (!ss->opt.fdx) |
| 1525 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 1526 rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len); |
| 1527 SSL_UNLOCK_WRITER(ss); |
| 1528 return rv; |
| 1529 } |
| 1530 |
| 1531 static PRStatus PR_CALLBACK |
| 1532 ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr) |
| 1533 { |
| 1534 sslSocket *ss; |
| 1535 |
| 1536 ss = ssl_GetPrivate(fd); |
| 1537 if (!ss) { |
| 1538 SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd)); |
| 1539 return PR_FAILURE; |
| 1540 } |
| 1541 return (PRStatus)(*ss->ops->getpeername)(ss, addr); |
| 1542 } |
| 1543 |
| 1544 /* |
| 1545 */ |
| 1546 SECStatus |
| 1547 ssl_GetPeerInfo(sslSocket *ss) |
| 1548 { |
| 1549 PRFileDesc * osfd; |
| 1550 int rv; |
| 1551 PRNetAddr sin; |
| 1552 |
| 1553 osfd = ss->fd->lower; |
| 1554 |
| 1555 PORT_Memset(&sin, 0, sizeof(sin)); |
| 1556 rv = osfd->methods->getpeername(osfd, &sin); |
| 1557 if (rv < 0) { |
| 1558 return SECFailure; |
| 1559 } |
| 1560 ss->TCPconnected = 1; |
| 1561 if (sin.inet.family == PR_AF_INET) { |
| 1562 PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer); |
| 1563 ss->sec.ci.port = sin.inet.port; |
| 1564 } else if (sin.ipv6.family == PR_AF_INET6) { |
| 1565 ss->sec.ci.peer = sin.ipv6.ip; |
| 1566 ss->sec.ci.port = sin.ipv6.port; |
| 1567 } else { |
| 1568 PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR); |
| 1569 return SECFailure; |
| 1570 } |
| 1571 return SECSuccess; |
| 1572 } |
| 1573 |
| 1574 static PRStatus PR_CALLBACK |
| 1575 ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name) |
| 1576 { |
| 1577 sslSocket *ss; |
| 1578 |
| 1579 ss = ssl_GetPrivate(fd); |
| 1580 if (!ss) { |
| 1581 SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd)); |
| 1582 return PR_FAILURE; |
| 1583 } |
| 1584 return (PRStatus)(*ss->ops->getsockname)(ss, name); |
| 1585 } |
| 1586 |
| 1587 SECStatus PR_CALLBACK |
| 1588 SSL_SetSockPeerID(PRFileDesc *fd, char *peerID) |
| 1589 { |
| 1590 sslSocket *ss; |
| 1591 |
| 1592 ss = ssl_FindSocket(fd); |
| 1593 if (!ss) { |
| 1594 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCacheIndex", |
| 1595 SSL_GETPID(), fd)); |
| 1596 return SECFailure; |
| 1597 } |
| 1598 |
| 1599 if (ss->peerID) { |
| 1600 PORT_Free(ss->peerID); |
| 1601 ss->peerID = NULL; |
| 1602 } |
| 1603 if (peerID) |
| 1604 ss->peerID = PORT_Strdup(peerID); |
| 1605 return (ss->peerID || !peerID) ? SECSuccess : SECFailure; |
| 1606 } |
| 1607 |
| 1608 #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ) |
| 1609 |
| 1610 static PRInt16 PR_CALLBACK |
| 1611 ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) |
| 1612 { |
| 1613 sslSocket *ss; |
| 1614 PRInt16 new_flags = how_flags; /* should select on these flags. */ |
| 1615 PRNetAddr addr; |
| 1616 |
| 1617 *p_out_flags = 0; |
| 1618 ss = ssl_GetPrivate(fd); |
| 1619 if (!ss) { |
| 1620 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll", |
| 1621 SSL_GETPID(), fd)); |
| 1622 return 0; /* don't poll on this socket */ |
| 1623 } |
| 1624 |
| 1625 if (ss->opt.useSecurity && |
| 1626 ss->handshaking != sslHandshakingUndetermined && |
| 1627 !ss->firstHsDone && |
| 1628 (how_flags & PR_POLL_RW)) { |
| 1629 if (!ss->TCPconnected) { |
| 1630 ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr)); |
| 1631 } |
| 1632 /* If it's not connected, then presumably the application is polling |
| 1633 ** on read or write appropriately, so don't change it. |
| 1634 */ |
| 1635 if (ss->TCPconnected) { |
| 1636 if (!ss->handshakeBegun) { |
| 1637 /* If the handshake has not begun, poll on read or write |
| 1638 ** based on the local application's role in the handshake, |
| 1639 ** not based on what the application requested. |
| 1640 */ |
| 1641 new_flags &= ~PR_POLL_RW; |
| 1642 if (ss->handshaking == sslHandshakingAsClient) { |
| 1643 new_flags |= PR_POLL_WRITE; |
| 1644 } else { /* handshaking as server */ |
| 1645 new_flags |= PR_POLL_READ; |
| 1646 } |
| 1647 } else |
| 1648 /* First handshake is in progress */ |
| 1649 if (ss->lastWriteBlocked) { |
| 1650 if (new_flags & PR_POLL_READ) { |
| 1651 /* The caller is waiting for data to be received, |
| 1652 ** but the initial handshake is blocked on write, or the |
| 1653 ** client's first handshake record has not been written. |
| 1654 ** The code should select on write, not read. |
| 1655 */ |
| 1656 new_flags ^= PR_POLL_READ; /* don't select on read. */ |
| 1657 new_flags |= PR_POLL_WRITE; /* do select on write. */ |
| 1658 } |
| 1659 } else if (new_flags & PR_POLL_WRITE) { |
| 1660 /* The caller is trying to write, but the handshake is |
| 1661 ** blocked waiting for data to read, and the first |
| 1662 ** handshake has been sent. so do NOT to poll on write. |
| 1663 */ |
| 1664 new_flags ^= PR_POLL_WRITE; /* don't select on write. */ |
| 1665 new_flags |= PR_POLL_READ; /* do select on read. */ |
| 1666 } |
| 1667 } |
| 1668 } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) { |
| 1669 *p_out_flags = PR_POLL_READ; /* it's ready already. */ |
| 1670 return new_flags; |
| 1671 } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) && |
| 1672 (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */ |
| 1673 new_flags |= PR_POLL_WRITE; /* also select on write. */ |
| 1674 } |
| 1675 if (new_flags && (fd->lower->methods->poll != NULL)) { |
| 1676 PRInt16 lower_out_flags = 0; |
| 1677 PRInt16 lower_new_flags; |
| 1678 lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, |
| 1679 &lower_out_flags); |
| 1680 if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) { |
| 1681 PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW; |
| 1682 if (lower_out_flags & PR_POLL_READ) |
| 1683 out_flags |= PR_POLL_WRITE; |
| 1684 if (lower_out_flags & PR_POLL_WRITE) |
| 1685 out_flags |= PR_POLL_READ; |
| 1686 *p_out_flags = out_flags; |
| 1687 new_flags = how_flags; |
| 1688 } else { |
| 1689 *p_out_flags = lower_out_flags; |
| 1690 new_flags = lower_new_flags; |
| 1691 } |
| 1692 } |
| 1693 |
| 1694 return new_flags; |
| 1695 } |
| 1696 |
| 1697 static PRInt32 PR_CALLBACK |
| 1698 ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd, |
| 1699 const void *headers, PRInt32 hlen, |
| 1700 PRTransmitFileFlags flags, PRIntervalTime timeout) |
| 1701 { |
| 1702 PRSendFileData sfd; |
| 1703 |
| 1704 sfd.fd = fd; |
| 1705 sfd.file_offset = 0; |
| 1706 sfd.file_nbytes = 0; |
| 1707 sfd.header = headers; |
| 1708 sfd.hlen = hlen; |
| 1709 sfd.trailer = NULL; |
| 1710 sfd.tlen = 0; |
| 1711 |
| 1712 return sd->methods->sendfile(sd, &sfd, flags, timeout); |
| 1713 } |
| 1714 |
| 1715 |
| 1716 PRBool |
| 1717 ssl_FdIsBlocking(PRFileDesc *fd) |
| 1718 { |
| 1719 PRSocketOptionData opt; |
| 1720 PRStatus status; |
| 1721 |
| 1722 opt.option = PR_SockOpt_Nonblocking; |
| 1723 opt.value.non_blocking = PR_FALSE; |
| 1724 status = PR_GetSocketOption(fd, &opt); |
| 1725 if (status != PR_SUCCESS) |
| 1726 return PR_FALSE; |
| 1727 return (PRBool)!opt.value.non_blocking; |
| 1728 } |
| 1729 |
| 1730 PRBool |
| 1731 ssl_SocketIsBlocking(sslSocket *ss) |
| 1732 { |
| 1733 return ssl_FdIsBlocking(ss->fd); |
| 1734 } |
| 1735 |
| 1736 PRInt32 sslFirstBufSize = 8 * 1024; |
| 1737 PRInt32 sslCopyLimit = 1024; |
| 1738 |
| 1739 static PRInt32 PR_CALLBACK |
| 1740 ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, |
| 1741 PRIntervalTime timeout) |
| 1742 { |
| 1743 PRInt32 bufLen; |
| 1744 PRInt32 left; |
| 1745 PRInt32 rv; |
| 1746 PRInt32 sent = 0; |
| 1747 const PRInt32 first_len = sslFirstBufSize; |
| 1748 const PRInt32 limit = sslCopyLimit; |
| 1749 PRBool blocking; |
| 1750 PRIOVec myIov = { 0, 0 }; |
| 1751 char buf[MAX_FRAGMENT_LENGTH]; |
| 1752 |
| 1753 if (vectors > PR_MAX_IOVECTOR_SIZE) { |
| 1754 PORT_SetError(PR_BUFFER_OVERFLOW_ERROR); |
| 1755 return -1; |
| 1756 } |
| 1757 blocking = ssl_FdIsBlocking(fd); |
| 1758 |
| 1759 #define K16 sizeof(buf) |
| 1760 #define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; } |
| 1761 #define GET_VECTOR do { myIov = *iov++; --vectors; KILL_VECTORS } while (0) |
| 1762 #define HANDLE_ERR(rv, len) \ |
| 1763 if (rv != len) { \ |
| 1764 if (rv < 0) { \ |
| 1765 if (!blocking \ |
| 1766 && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \ |
| 1767 && (sent > 0)) { \ |
| 1768 return sent; \ |
| 1769 } else { \ |
| 1770 return -1; \ |
| 1771 } \ |
| 1772 } \ |
| 1773 /* Only a nonblocking socket can have partial sends */ \ |
| 1774 PR_ASSERT(!blocking); \ |
| 1775 return sent + rv; \ |
| 1776 } |
| 1777 #define SEND(bfr, len) \ |
| 1778 do { \ |
| 1779 rv = ssl_Send(fd, bfr, len, 0, timeout); \ |
| 1780 HANDLE_ERR(rv, len) \ |
| 1781 sent += len; \ |
| 1782 } while (0) |
| 1783 |
| 1784 /* Make sure the first write is at least 8 KB, if possible. */ |
| 1785 KILL_VECTORS |
| 1786 if (!vectors) |
| 1787 return ssl_Send(fd, 0, 0, 0, timeout); |
| 1788 GET_VECTOR; |
| 1789 if (!vectors) { |
| 1790 return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout); |
| 1791 } |
| 1792 if (myIov.iov_len < first_len) { |
| 1793 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); |
| 1794 bufLen = myIov.iov_len; |
| 1795 left = first_len - bufLen; |
| 1796 while (vectors && left) { |
| 1797 int toCopy; |
| 1798 GET_VECTOR; |
| 1799 toCopy = PR_MIN(left, myIov.iov_len); |
| 1800 PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy); |
| 1801 bufLen += toCopy; |
| 1802 left -= toCopy; |
| 1803 myIov.iov_base += toCopy; |
| 1804 myIov.iov_len -= toCopy; |
| 1805 } |
| 1806 SEND( buf, bufLen ); |
| 1807 } |
| 1808 |
| 1809 while (vectors || myIov.iov_len) { |
| 1810 PRInt32 addLen; |
| 1811 if (!myIov.iov_len) { |
| 1812 GET_VECTOR; |
| 1813 } |
| 1814 while (myIov.iov_len >= K16) { |
| 1815 SEND(myIov.iov_base, K16); |
| 1816 myIov.iov_base += K16; |
| 1817 myIov.iov_len -= K16; |
| 1818 } |
| 1819 if (!myIov.iov_len) |
| 1820 continue; |
| 1821 |
| 1822 if (!vectors || myIov.iov_len > limit) { |
| 1823 addLen = 0; |
| 1824 } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) { |
| 1825 /* Addlen is already computed. */; |
| 1826 } else if (vectors > 1 && |
| 1827 iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) { |
| 1828 addLen = limit - myIov.iov_len; |
| 1829 } else |
| 1830 addLen = 0; |
| 1831 |
| 1832 if (!addLen) { |
| 1833 SEND( myIov.iov_base, myIov.iov_len ); |
| 1834 myIov.iov_len = 0; |
| 1835 continue; |
| 1836 } |
| 1837 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); |
| 1838 bufLen = myIov.iov_len; |
| 1839 do { |
| 1840 GET_VECTOR; |
| 1841 PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen); |
| 1842 myIov.iov_base += addLen; |
| 1843 myIov.iov_len -= addLen; |
| 1844 bufLen += addLen; |
| 1845 |
| 1846 left = PR_MIN( limit, K16 - bufLen); |
| 1847 if (!vectors /* no more left */ |
| 1848 || myIov.iov_len > 0 /* we didn't use that one all up */ |
| 1849 || bufLen >= K16 /* it's full. */ |
| 1850 ) { |
| 1851 addLen = 0; |
| 1852 } else if ((addLen = iov->iov_len % K16) <= left) { |
| 1853 /* Addlen is already computed. */; |
| 1854 } else if (vectors > 1 && |
| 1855 iov[1].iov_len % K16 + addLen <= left + limit) { |
| 1856 addLen = left; |
| 1857 } else |
| 1858 addLen = 0; |
| 1859 |
| 1860 } while (addLen); |
| 1861 SEND( buf, bufLen ); |
| 1862 } |
| 1863 return sent; |
| 1864 } |
| 1865 |
| 1866 /* |
| 1867 * These functions aren't implemented. |
| 1868 */ |
| 1869 |
| 1870 static PRInt32 PR_CALLBACK |
| 1871 ssl_Available(PRFileDesc *fd) |
| 1872 { |
| 1873 PORT_Assert(0); |
| 1874 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
| 1875 return SECFailure; |
| 1876 } |
| 1877 |
| 1878 static PRInt64 PR_CALLBACK |
| 1879 ssl_Available64(PRFileDesc *fd) |
| 1880 { |
| 1881 PRInt64 res; |
| 1882 |
| 1883 PORT_Assert(0); |
| 1884 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
| 1885 LL_I2L(res, -1L); |
| 1886 return res; |
| 1887 } |
| 1888 |
| 1889 static PRStatus PR_CALLBACK |
| 1890 ssl_FSync(PRFileDesc *fd) |
| 1891 { |
| 1892 PORT_Assert(0); |
| 1893 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
| 1894 return PR_FAILURE; |
| 1895 } |
| 1896 |
| 1897 static PRInt32 PR_CALLBACK |
| 1898 ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) { |
| 1899 PORT_Assert(0); |
| 1900 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
| 1901 return SECFailure; |
| 1902 } |
| 1903 |
| 1904 static PRInt64 PR_CALLBACK |
| 1905 ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) { |
| 1906 PRInt64 res; |
| 1907 |
| 1908 PORT_Assert(0); |
| 1909 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
| 1910 LL_I2L(res, -1L); |
| 1911 return res; |
| 1912 } |
| 1913 |
| 1914 static PRStatus PR_CALLBACK |
| 1915 ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info) |
| 1916 { |
| 1917 PORT_Assert(0); |
| 1918 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
| 1919 return PR_FAILURE; |
| 1920 } |
| 1921 |
| 1922 static PRStatus PR_CALLBACK |
| 1923 ssl_FileInfo64(PRFileDesc *fd, PRFileInfo64 *info) |
| 1924 { |
| 1925 PORT_Assert(0); |
| 1926 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
| 1927 return PR_FAILURE; |
| 1928 } |
| 1929 |
| 1930 static PRInt32 PR_CALLBACK |
| 1931 ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags, |
| 1932 PRNetAddr *addr, PRIntervalTime timeout) |
| 1933 { |
| 1934 PORT_Assert(0); |
| 1935 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
| 1936 return SECFailure; |
| 1937 } |
| 1938 |
| 1939 static PRInt32 PR_CALLBACK |
| 1940 ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, |
| 1941 const PRNetAddr *addr, PRIntervalTime timeout) |
| 1942 { |
| 1943 PORT_Assert(0); |
| 1944 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); |
| 1945 return SECFailure; |
| 1946 } |
| 1947 |
| 1948 static const PRIOMethods ssl_methods = { |
| 1949 PR_DESC_LAYERED, |
| 1950 ssl_Close, /* close */ |
| 1951 ssl_Read, /* read */ |
| 1952 ssl_Write, /* write */ |
| 1953 ssl_Available, /* available */ |
| 1954 ssl_Available64, /* available64 */ |
| 1955 ssl_FSync, /* fsync */ |
| 1956 ssl_Seek, /* seek */ |
| 1957 ssl_Seek64, /* seek64 */ |
| 1958 ssl_FileInfo, /* fileInfo */ |
| 1959 ssl_FileInfo64, /* fileInfo64 */ |
| 1960 ssl_WriteV, /* writev */ |
| 1961 ssl_Connect, /* connect */ |
| 1962 ssl_Accept, /* accept */ |
| 1963 ssl_Bind, /* bind */ |
| 1964 ssl_Listen, /* listen */ |
| 1965 ssl_Shutdown, /* shutdown */ |
| 1966 ssl_Recv, /* recv */ |
| 1967 ssl_Send, /* send */ |
| 1968 ssl_RecvFrom, /* recvfrom */ |
| 1969 ssl_SendTo, /* sendto */ |
| 1970 ssl_Poll, /* poll */ |
| 1971 PR_EmulateAcceptRead, /* acceptread */ |
| 1972 ssl_TransmitFile, /* transmitfile */ |
| 1973 ssl_GetSockName, /* getsockname */ |
| 1974 ssl_GetPeerName, /* getpeername */ |
| 1975 NULL, /* getsockopt OBSOLETE */ |
| 1976 NULL, /* setsockopt OBSOLETE */ |
| 1977 NULL, /* getsocketoption */ |
| 1978 NULL, /* setsocketoption */ |
| 1979 PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/ |
| 1980 NULL, /* reserved for future use */ |
| 1981 NULL, /* reserved for future use */ |
| 1982 NULL, /* reserved for future use */ |
| 1983 NULL, /* reserved for future use */ |
| 1984 NULL /* reserved for future use */ |
| 1985 }; |
| 1986 |
| 1987 |
| 1988 static PRIOMethods combined_methods; |
| 1989 |
| 1990 static void |
| 1991 ssl_SetupIOMethods(void) |
| 1992 { |
| 1993 PRIOMethods *new_methods = &combined_methods; |
| 1994 const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods(); |
| 1995 const PRIOMethods *my_methods = &ssl_methods; |
| 1996 |
| 1997 *new_methods = *nspr_methods; |
| 1998 |
| 1999 new_methods->file_type = my_methods->file_type; |
| 2000 new_methods->close = my_methods->close; |
| 2001 new_methods->read = my_methods->read; |
| 2002 new_methods->write = my_methods->write; |
| 2003 new_methods->available = my_methods->available; |
| 2004 new_methods->available64 = my_methods->available64; |
| 2005 new_methods->fsync = my_methods->fsync; |
| 2006 new_methods->seek = my_methods->seek; |
| 2007 new_methods->seek64 = my_methods->seek64; |
| 2008 new_methods->fileInfo = my_methods->fileInfo; |
| 2009 new_methods->fileInfo64 = my_methods->fileInfo64; |
| 2010 new_methods->writev = my_methods->writev; |
| 2011 new_methods->connect = my_methods->connect; |
| 2012 new_methods->accept = my_methods->accept; |
| 2013 new_methods->bind = my_methods->bind; |
| 2014 new_methods->listen = my_methods->listen; |
| 2015 new_methods->shutdown = my_methods->shutdown; |
| 2016 new_methods->recv = my_methods->recv; |
| 2017 new_methods->send = my_methods->send; |
| 2018 new_methods->recvfrom = my_methods->recvfrom; |
| 2019 new_methods->sendto = my_methods->sendto; |
| 2020 new_methods->poll = my_methods->poll; |
| 2021 new_methods->acceptread = my_methods->acceptread; |
| 2022 new_methods->transmitfile = my_methods->transmitfile; |
| 2023 new_methods->getsockname = my_methods->getsockname; |
| 2024 new_methods->getpeername = my_methods->getpeername; |
| 2025 /* new_methods->getsocketoption = my_methods->getsocketoption; */ |
| 2026 /* new_methods->setsocketoption = my_methods->setsocketoption; */ |
| 2027 new_methods->sendfile = my_methods->sendfile; |
| 2028 |
| 2029 } |
| 2030 |
| 2031 static PRCallOnceType initIoLayerOnce; |
| 2032 |
| 2033 static PRStatus |
| 2034 ssl_InitIOLayer(void) |
| 2035 { |
| 2036 ssl_layer_id = PR_GetUniqueIdentity("SSL"); |
| 2037 ssl_SetupIOMethods(); |
| 2038 ssl_inited = PR_TRUE; |
| 2039 return PR_SUCCESS; |
| 2040 } |
| 2041 |
| 2042 static PRStatus |
| 2043 ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id) |
| 2044 { |
| 2045 PRFileDesc *layer = NULL; |
| 2046 PRStatus status; |
| 2047 |
| 2048 if (!ssl_inited) { |
| 2049 PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer); |
| 2050 } |
| 2051 |
| 2052 if (ns == NULL) |
| 2053 goto loser; |
| 2054 |
| 2055 layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods); |
| 2056 if (layer == NULL) |
| 2057 goto loser; |
| 2058 layer->secret = (PRFilePrivate *)ns; |
| 2059 |
| 2060 /* Here, "stack" points to the PRFileDesc on the top of the stack. |
| 2061 ** "layer" points to a new FD that is to be inserted into the stack. |
| 2062 ** If layer is being pushed onto the top of the stack, then |
| 2063 ** PR_PushIOLayer switches the contents of stack and layer, and then |
| 2064 ** puts stack on top of layer, so that after it is done, the top of |
| 2065 ** stack is the same "stack" as it was before, and layer is now the |
| 2066 ** FD for the former top of stack. |
| 2067 ** After this call, stack always points to the top PRFD on the stack. |
| 2068 ** If this function fails, the contents of stack and layer are as |
| 2069 ** they were before the call. |
| 2070 */ |
| 2071 status = PR_PushIOLayer(stack, id, layer); |
| 2072 if (status != PR_SUCCESS) |
| 2073 goto loser; |
| 2074 |
| 2075 ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer; |
| 2076 return PR_SUCCESS; |
| 2077 |
| 2078 loser: |
| 2079 if (layer) { |
| 2080 layer->dtor(layer); /* free layer */ |
| 2081 } |
| 2082 return PR_FAILURE; |
| 2083 } |
| 2084 |
| 2085 /* if this fails, caller must destroy socket. */ |
| 2086 static SECStatus |
| 2087 ssl_MakeLocks(sslSocket *ss) |
| 2088 { |
| 2089 ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL); |
| 2090 if (!ss->firstHandshakeLock) |
| 2091 goto loser; |
| 2092 ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL); |
| 2093 if (!ss->ssl3HandshakeLock) |
| 2094 goto loser; |
| 2095 ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL); |
| 2096 if (!ss->specLock) |
| 2097 goto loser; |
| 2098 ss->recvBufLock = PZ_NewMonitor(nssILockSSL); |
| 2099 if (!ss->recvBufLock) |
| 2100 goto loser; |
| 2101 ss->xmitBufLock = PZ_NewMonitor(nssILockSSL); |
| 2102 if (!ss->xmitBufLock) |
| 2103 goto loser; |
| 2104 ss->writerThread = NULL; |
| 2105 if (ssl_lock_readers) { |
| 2106 ss->recvLock = PZ_NewLock(nssILockSSL); |
| 2107 if (!ss->recvLock) |
| 2108 goto loser; |
| 2109 ss->sendLock = PZ_NewLock(nssILockSSL); |
| 2110 if (!ss->sendLock) |
| 2111 goto loser; |
| 2112 } |
| 2113 return SECSuccess; |
| 2114 loser: |
| 2115 ssl_DestroyLocks(ss); |
| 2116 return SECFailure; |
| 2117 } |
| 2118 |
| 2119 #if (defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)) && !defined(_WIN
32_WCE) |
| 2120 #define NSS_HAVE_GETENV 1 |
| 2121 #endif |
| 2122 |
| 2123 #define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */ |
| 2124 |
| 2125 /* |
| 2126 ** Create a newsocket structure for a file descriptor. |
| 2127 */ |
| 2128 static sslSocket * |
| 2129 ssl_NewSocket(PRBool makeLocks) |
| 2130 { |
| 2131 sslSocket *ss; |
| 2132 #if defined( NSS_HAVE_GETENV ) |
| 2133 static int firsttime = 1; |
| 2134 |
| 2135 if (firsttime) { |
| 2136 char * ev; |
| 2137 firsttime = 0; |
| 2138 #ifdef DEBUG |
| 2139 ev = getenv("SSLDEBUGFILE"); |
| 2140 if (ev && ev[0]) { |
| 2141 ssl_trace_iob = fopen(ev, "w"); |
| 2142 } |
| 2143 if (!ssl_trace_iob) { |
| 2144 ssl_trace_iob = stderr; |
| 2145 } |
| 2146 #ifdef TRACE |
| 2147 ev = getenv("SSLTRACE"); |
| 2148 if (ev && ev[0]) { |
| 2149 ssl_trace = atoi(ev); |
| 2150 SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); |
| 2151 } |
| 2152 #endif /* TRACE */ |
| 2153 ev = getenv("SSLDEBUG"); |
| 2154 if (ev && ev[0]) { |
| 2155 ssl_debug = atoi(ev); |
| 2156 SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); |
| 2157 } |
| 2158 #endif /* DEBUG */ |
| 2159 ev = getenv("SSLBYPASS"); |
| 2160 if (ev && ev[0]) { |
| 2161 ssl_defaults.bypassPKCS11 = (ev[0] == '1'); |
| 2162 SSL_TRACE(("SSL: bypass default set to %d", \ |
| 2163 ssl_defaults.bypassPKCS11)); |
| 2164 } |
| 2165 ev = getenv("SSLFORCELOCKS"); |
| 2166 if (ev && ev[0] == '1') { |
| 2167 ssl_force_locks = PR_TRUE; |
| 2168 ssl_defaults.noLocks = 0; |
| 2169 strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. "); |
| 2170 SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks)); |
| 2171 } |
| 2172 ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION"); |
| 2173 if (ev) { |
| 2174 if (ev[0] == '1' || LOWER(ev[0]) == 'u') |
| 2175 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; |
| 2176 #ifdef LATER |
| 2177 /* When SSL_RENEGOTIATE_REQUIRES_XTN is implemented, it will be |
| 2178 * the default. Until then, NEVER will be the default. |
| 2179 */ |
| 2180 else if (ev[0] == '0' || LOWER(ev[0]) == 'n') |
| 2181 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; |
| 2182 else |
| 2183 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; |
| 2184 #else |
| 2185 else |
| 2186 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; |
| 2187 #endif |
| 2188 |
| 2189 SSL_TRACE(("SSL: enableRenegotiation set to %d", |
| 2190 ssl_defaults.enableRenegotiation)); |
| 2191 } |
| 2192 ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); |
| 2193 if (ev && ev[0] == '1') { |
| 2194 ssl_defaults.requireSafeNegotiation = PR_TRUE; |
| 2195 SSL_TRACE(("SSL: requireSafeNegotiation set to %d", |
| 2196 PR_TRUE)); |
| 2197 } |
| 2198 } |
| 2199 #endif /* NSS_HAVE_GETENV */ |
| 2200 if (ssl_force_locks) |
| 2201 makeLocks = PR_TRUE; |
| 2202 |
| 2203 /* Make a new socket and get it ready */ |
| 2204 ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket)); |
| 2205 if (ss) { |
| 2206 /* This should be of type SSLKEAType, but CC on IRIX |
| 2207 * complains during the for loop. |
| 2208 */ |
| 2209 int i; |
| 2210 SECStatus status; |
| 2211 |
| 2212 ss->opt = ssl_defaults; |
| 2213 ss->opt.useSocks = PR_FALSE; |
| 2214 ss->opt.noLocks = !makeLocks; |
| 2215 |
| 2216 ss->peerID = NULL; |
| 2217 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 2218 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 2219 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT; |
| 2220 ss->cipherSpecs = NULL; |
| 2221 ss->sizeCipherSpecs = 0; /* produced lazily */ |
| 2222 ss->preferredCipher = NULL; |
| 2223 ss->url = NULL; |
| 2224 |
| 2225 for (i=kt_null; i < kt_kea_size; i++) { |
| 2226 sslServerCerts * sc = ss->serverCerts + i; |
| 2227 sc->serverCert = NULL; |
| 2228 sc->serverCertChain = NULL; |
| 2229 sc->serverKeyPair = NULL; |
| 2230 sc->serverKeyBits = 0; |
| 2231 } |
| 2232 ss->stepDownKeyPair = NULL; |
| 2233 ss->dbHandle = CERT_GetDefaultCertDB(); |
| 2234 |
| 2235 /* Provide default implementation of hooks */ |
| 2236 ss->authCertificate = SSL_AuthCertificate; |
| 2237 ss->authCertificateArg = (void *)ss->dbHandle; |
| 2238 ss->getClientAuthData = NULL; |
| 2239 ss->handleBadCert = NULL; |
| 2240 ss->badCertArg = NULL; |
| 2241 ss->pkcs11PinArg = NULL; |
| 2242 |
| 2243 ssl_ChooseOps(ss); |
| 2244 ssl2_InitSocketPolicy(ss); |
| 2245 ssl3_InitSocketPolicy(ss); |
| 2246 |
| 2247 if (makeLocks) { |
| 2248 status = ssl_MakeLocks(ss); |
| 2249 if (status != SECSuccess) |
| 2250 goto loser; |
| 2251 } |
| 2252 status = ssl_CreateSecurityInfo(ss); |
| 2253 if (status != SECSuccess) |
| 2254 goto loser; |
| 2255 status = ssl_InitGather(&ss->gs); |
| 2256 if (status != SECSuccess) { |
| 2257 loser: |
| 2258 ssl_DestroySocketContents(ss); |
| 2259 ssl_DestroyLocks(ss); |
| 2260 PORT_Free(ss); |
| 2261 ss = NULL; |
| 2262 } |
| 2263 } |
| 2264 return ss; |
| 2265 } |
| 2266 |
OLD | NEW |