Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(140)

Side by Side Diff: net/third_party/nss/ssl/sslsock.c

Issue 394003: Linux: enable building with a local version of libssl. (Closed)
Patch Set: ... Created 11 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/third_party/nss/ssl/sslsnce.c ('k') | net/third_party/nss/ssl/sslt.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /*
2 * vtables (and methods that call through them) for the 4 types of
3 * SSLSockets supported. Only one type is still supported.
4 * Various other functions.
5 *
6 * ***** BEGIN LICENSE BLOCK *****
7 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
8 *
9 * The contents of this file are subject to the Mozilla Public License Version
10 * 1.1 (the "License"); you may not use this file except in compliance with
11 * the License. You may obtain a copy of the License at
12 * http://www.mozilla.org/MPL/
13 *
14 * Software distributed under the License is distributed on an "AS IS" basis,
15 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
16 * for the specific language governing rights and limitations under the
17 * License.
18 *
19 * The Original Code is the Netscape security libraries.
20 *
21 * The Initial Developer of the Original Code is
22 * Netscape Communications Corporation.
23 * Portions created by the Initial Developer are Copyright (C) 1994-2000
24 * the Initial Developer. All Rights Reserved.
25 *
26 * Contributor(s):
27 * Dr Stephen Henson <stephen.henson@gemplus.com>
28 * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
29 *
30 * Alternatively, the contents of this file may be used under the terms of
31 * either the GNU General Public License Version 2 or later (the "GPL"), or
32 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
33 * in which case the provisions of the GPL or the LGPL are applicable instead
34 * of those above. If you wish to allow use of your version of this file only
35 * under the terms of either the GPL or the LGPL, and not to allow others to
36 * use your version of this file under the terms of the MPL, indicate your
37 * decision by deleting the provisions above and replace them with the notice
38 * and other provisions required by the GPL or the LGPL. If you do not delete
39 * the provisions above, a recipient may use your version of this file under
40 * the terms of any one of the MPL, the GPL or the LGPL.
41 *
42 * ***** END LICENSE BLOCK ***** */
43 /* $Id: sslsock.c,v 1.59 2009/11/06 20:11:29 nelson%bolyard.com Exp $ */
44 #include "seccomon.h"
45 #include "cert.h"
46 #include "keyhi.h"
47 #include "ssl.h"
48 #include "sslimpl.h"
49 #include "sslproto.h"
50 #include "nspr.h"
51 #include "private/pprio.h"
52 #include "blapi.h"
53 #include "nss.h"
54
55 #define SET_ERROR_CODE /* reminder */
56
57 struct cipherPolicyStr {
58 int cipher;
59 unsigned char export; /* policy value for export policy */
60 unsigned char france; /* policy value for france policy */
61 };
62
63 typedef struct cipherPolicyStr cipherPolicy;
64
65 /* This table contains two preconfigured policies: Export and France.
66 ** It is used only by the functions SSL_SetDomesticPolicy,
67 ** SSL_SetExportPolicy, and SSL_SetFrancyPolicy.
68 ** Order of entries is not important.
69 */
70 static cipherPolicy ssl_ciphers[] = { /* Export France */
71 { SSL_EN_RC4_128_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
72 { SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
73 { SSL_EN_RC2_128_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
74 { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED },
75 { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
76 { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
77 { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED },
78 { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED },
79 { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
80 { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED },
81 { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
82 { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
83 { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
84 { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED },
85 { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
86 { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
87 { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
88 { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
89 { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
90 { SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
91 { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED },
92 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
93 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
94 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
95 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
96 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
97 { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
98 { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
99 { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
100 { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
101 { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
102 { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
103 { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
104 { TLS_RSA_WITH_SEED_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
105 { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
106 { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED },
107 #ifdef NSS_ENABLE_ECC
108 { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
109 { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
110 { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
111 { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
112 { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
113 { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
114 { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
115 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
116 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
117 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
118 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
119 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
120 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
121 { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
122 { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
123 { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
124 { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
125 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
126 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
127 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
128 #endif /* NSS_ENABLE_ECC */
129 { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
130 };
131
132 static const sslSocketOps ssl_default_ops = { /* No SSL. */
133 ssl_DefConnect,
134 NULL,
135 ssl_DefBind,
136 ssl_DefListen,
137 ssl_DefShutdown,
138 ssl_DefClose,
139 ssl_DefRecv,
140 ssl_DefSend,
141 ssl_DefRead,
142 ssl_DefWrite,
143 ssl_DefGetpeername,
144 ssl_DefGetsockname
145 };
146
147 static const sslSocketOps ssl_secure_ops = { /* SSL. */
148 ssl_SecureConnect,
149 NULL,
150 ssl_DefBind,
151 ssl_DefListen,
152 ssl_SecureShutdown,
153 ssl_SecureClose,
154 ssl_SecureRecv,
155 ssl_SecureSend,
156 ssl_SecureRead,
157 ssl_SecureWrite,
158 ssl_DefGetpeername,
159 ssl_DefGetsockname
160 };
161
162 /*
163 ** default settings for socket enables
164 */
165 static sslOptions ssl_defaults = {
166 PR_TRUE, /* useSecurity */
167 PR_FALSE, /* useSocks */
168 PR_FALSE, /* requestCertificate */
169 2, /* requireCertificate */
170 PR_FALSE, /* handshakeAsClient */
171 PR_FALSE, /* handshakeAsServer */
172 PR_TRUE, /* enableSSL2 */
173 PR_TRUE, /* enableSSL3 */
174 PR_TRUE, /* enableTLS */ /* now defaults to on in NSS 3.0 */
175 PR_FALSE, /* noCache */
176 PR_FALSE, /* fdx */
177 PR_TRUE, /* v2CompatibleHello */
178 PR_TRUE, /* detectRollBack */
179 PR_FALSE, /* noStepDown */
180 PR_FALSE, /* bypassPKCS11 */
181 PR_FALSE, /* noLocks */
182 PR_FALSE, /* enableSessionTickets */
183 PR_FALSE, /* enableDeflate */
184 0, /* enableRenegotiation (default: never) */
185 PR_FALSE, /* requireSafeNegotiation */
186 };
187
188 sslSessionIDLookupFunc ssl_sid_lookup;
189 sslSessionIDCacheFunc ssl_sid_cache;
190 sslSessionIDUncacheFunc ssl_sid_uncache;
191
192 static PRBool ssl_inited = PR_FALSE;
193 static PRDescIdentity ssl_layer_id;
194
195 PRBool locksEverDisabled; /* implicitly PR_FALSE */
196 PRBool ssl_force_locks; /* implicitly PR_FALSE */
197 int ssl_lock_readers = 1; /* default true. */
198 char ssl_debug;
199 char ssl_trace;
200 FILE * ssl_trace_iob;
201 char lockStatus[] = "Locks are ENABLED. ";
202 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */
203
204 /* forward declarations. */
205 static sslSocket *ssl_NewSocket(PRBool makeLocks);
206 static SECStatus ssl_MakeLocks(sslSocket *ss);
207 static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack,
208 PRDescIdentity id);
209
210 /************************************************************************/
211
212 /*
213 ** Lookup a socket structure from a file descriptor.
214 ** Only functions called through the PRIOMethods table should use this.
215 ** Other app-callable functions should use ssl_FindSocket.
216 */
217 static sslSocket *
218 ssl_GetPrivate(PRFileDesc *fd)
219 {
220 sslSocket *ss;
221
222 PORT_Assert(fd != NULL);
223 PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED);
224 PORT_Assert(fd->identity == ssl_layer_id);
225
226 if (fd->methods->file_type != PR_DESC_LAYERED ||
227 fd->identity != ssl_layer_id) {
228 PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
229 return NULL;
230 }
231
232 ss = (sslSocket *)fd->secret;
233 ss->fd = fd;
234 return ss;
235 }
236
237 /* This function tries to find the SSL layer in the stack.
238 * It searches for the first SSL layer at or below the argument fd,
239 * and failing that, it searches for the nearest SSL layer above the
240 * argument fd. It returns the private sslSocket from the found layer.
241 */
242 sslSocket *
243 ssl_FindSocket(PRFileDesc *fd)
244 {
245 PRFileDesc *layer;
246 sslSocket *ss;
247
248 PORT_Assert(fd != NULL);
249 PORT_Assert(ssl_layer_id != 0);
250
251 layer = PR_GetIdentitiesLayer(fd, ssl_layer_id);
252 if (layer == NULL) {
253 PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
254 return NULL;
255 }
256
257 ss = (sslSocket *)layer->secret;
258 ss->fd = layer;
259 return ss;
260 }
261
262 sslSocket *
263 ssl_DupSocket(sslSocket *os)
264 {
265 sslSocket *ss;
266 SECStatus rv;
267
268 ss = ssl_NewSocket((PRBool)(!os->opt.noLocks));
269 if (ss) {
270 ss->opt = os->opt;
271 ss->opt.useSocks = PR_FALSE;
272
273 ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID);
274 ss->url = !os->url ? NULL : PORT_Strdup(os->url);
275
276 ss->ops = os->ops;
277 ss->rTimeout = os->rTimeout;
278 ss->wTimeout = os->wTimeout;
279 ss->cTimeout = os->cTimeout;
280 ss->dbHandle = os->dbHandle;
281
282 /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
283 ss->allowedByPolicy = os->allowedByPolicy;
284 ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
285 ss->chosenPreference = os->chosenPreference;
286 PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites) ;
287
288 if (os->cipherSpecs) {
289 ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
290 if (ss->cipherSpecs)
291 PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs,
292 os->sizeCipherSpecs);
293 ss->sizeCipherSpecs = os->sizeCipherSpecs;
294 ss->preferredCipher = os->preferredCipher;
295 } else {
296 ss->cipherSpecs = NULL; /* produced lazily */
297 ss->sizeCipherSpecs = 0;
298 ss->preferredCipher = NULL;
299 }
300 if (ss->opt.useSecurity) {
301 /* This int should be SSLKEAType, but CC on Irix complains,
302 * during the for loop.
303 */
304 int i;
305 sslServerCerts * oc = os->serverCerts;
306 sslServerCerts * sc = ss->serverCerts;
307
308 for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) {
309 if (oc->serverCert && oc->serverCertChain) {
310 sc->serverCert = CERT_DupCertificate(oc->serverCert);
311 sc->serverCertChain = CERT_DupCertList(oc->serverCertChain);
312 if (!sc->serverCertChain)
313 goto loser;
314 } else {
315 sc->serverCert = NULL;
316 sc->serverCertChain = NULL;
317 }
318 sc->serverKeyPair = oc->serverKeyPair ?
319 ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL;
320 if (oc->serverKeyPair && !sc->serverKeyPair)
321 goto loser;
322 sc->serverKeyBits = oc->serverKeyBits;
323 }
324 ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL :
325 ssl3_GetKeyPairRef(os->stepDownKeyPair);
326 ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL :
327 ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair);
328 /*
329 * XXX the preceeding CERT_ and SECKEY_ functions can fail and return NULL.
330 * XXX We should detect this, and not just march on with NULL pointers.
331 */
332 ss->authCertificate = os->authCertificate;
333 ss->authCertificateArg = os->authCertificateArg;
334 ss->getClientAuthData = os->getClientAuthData;
335 ss->getClientAuthDataArg = os->getClientAuthDataArg;
336 ss->handleBadCert = os->handleBadCert;
337 ss->badCertArg = os->badCertArg;
338 ss->handshakeCallback = os->handshakeCallback;
339 ss->handshakeCallbackData = os->handshakeCallbackData;
340 ss->pkcs11PinArg = os->pkcs11PinArg;
341
342 /* Create security data */
343 rv = ssl_CopySecurityInfo(ss, os);
344 if (rv != SECSuccess) {
345 goto loser;
346 }
347 }
348 }
349 return ss;
350
351 loser:
352 ssl_FreeSocket(ss);
353 return NULL;
354 }
355
356 static void
357 ssl_DestroyLocks(sslSocket *ss)
358 {
359 /* Destroy locks. */
360 if (ss->firstHandshakeLock) {
361 PZ_DestroyMonitor(ss->firstHandshakeLock);
362 ss->firstHandshakeLock = NULL;
363 }
364 if (ss->ssl3HandshakeLock) {
365 PZ_DestroyMonitor(ss->ssl3HandshakeLock);
366 ss->ssl3HandshakeLock = NULL;
367 }
368 if (ss->specLock) {
369 NSSRWLock_Destroy(ss->specLock);
370 ss->specLock = NULL;
371 }
372
373 if (ss->recvLock) {
374 PZ_DestroyLock(ss->recvLock);
375 ss->recvLock = NULL;
376 }
377 if (ss->sendLock) {
378 PZ_DestroyLock(ss->sendLock);
379 ss->sendLock = NULL;
380 }
381 if (ss->xmitBufLock) {
382 PZ_DestroyMonitor(ss->xmitBufLock);
383 ss->xmitBufLock = NULL;
384 }
385 if (ss->recvBufLock) {
386 PZ_DestroyMonitor(ss->recvBufLock);
387 ss->recvBufLock = NULL;
388 }
389 }
390
391 /* Caller holds any relevant locks */
392 static void
393 ssl_DestroySocketContents(sslSocket *ss)
394 {
395 /* "i" should be of type SSLKEAType, but CC on IRIX complains during
396 * the for loop.
397 */
398 int i;
399
400 /* Free up socket */
401 ssl_DestroySecurityInfo(&ss->sec);
402
403 ssl3_DestroySSL3Info(ss);
404
405 PORT_Free(ss->saveBuf.buf);
406 PORT_Free(ss->pendingBuf.buf);
407 ssl_DestroyGather(&ss->gs);
408
409 if (ss->peerID != NULL)
410 PORT_Free(ss->peerID);
411 if (ss->url != NULL)
412 PORT_Free((void *)ss->url); /* CONST */
413 if (ss->cipherSpecs) {
414 PORT_Free(ss->cipherSpecs);
415 ss->cipherSpecs = NULL;
416 ss->sizeCipherSpecs = 0;
417 }
418
419 /* Clean up server configuration */
420 for (i=kt_null; i < kt_kea_size; i++) {
421 sslServerCerts * sc = ss->serverCerts + i;
422 if (sc->serverCert != NULL)
423 CERT_DestroyCertificate(sc->serverCert);
424 if (sc->serverCertChain != NULL)
425 CERT_DestroyCertificateList(sc->serverCertChain);
426 if (sc->serverKeyPair != NULL)
427 ssl3_FreeKeyPair(sc->serverKeyPair);
428 }
429 if (ss->stepDownKeyPair) {
430 ssl3_FreeKeyPair(ss->stepDownKeyPair);
431 ss->stepDownKeyPair = NULL;
432 }
433 if (ss->ephemeralECDHKeyPair) {
434 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
435 ss->ephemeralECDHKeyPair = NULL;
436 }
437 }
438
439 /*
440 * free an sslSocket struct, and all the stuff that hangs off of it
441 */
442 void
443 ssl_FreeSocket(sslSocket *ss)
444 {
445 #ifdef DEBUG
446 sslSocket *fs;
447 sslSocket lSock;
448 #endif
449
450 /* Get every lock you can imagine!
451 ** Caller already holds these:
452 ** SSL_LOCK_READER(ss);
453 ** SSL_LOCK_WRITER(ss);
454 */
455 ssl_Get1stHandshakeLock(ss);
456 ssl_GetRecvBufLock(ss);
457 ssl_GetSSL3HandshakeLock(ss);
458 ssl_GetXmitBufLock(ss);
459 ssl_GetSpecWriteLock(ss);
460
461 #ifdef DEBUG
462 fs = &lSock;
463 *fs = *ss; /* Copy the old socket structure, */
464 PORT_Memset(ss, 0x1f, sizeof *ss); /* then blast the old struct ASAP. */
465 #else
466 #define fs ss
467 #endif
468
469 ssl_DestroySocketContents(fs);
470
471 /* Release all the locks acquired above. */
472 SSL_UNLOCK_READER(fs);
473 SSL_UNLOCK_WRITER(fs);
474 ssl_Release1stHandshakeLock(fs);
475 ssl_ReleaseRecvBufLock(fs);
476 ssl_ReleaseSSL3HandshakeLock(fs);
477 ssl_ReleaseXmitBufLock(fs);
478 ssl_ReleaseSpecWriteLock(fs);
479
480 ssl_DestroyLocks(fs);
481
482 PORT_Free(ss); /* free the caller's copy, not ours. */
483 return;
484 }
485 #undef fs
486
487 /************************************************************************/
488 SECStatus
489 ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled)
490 {
491 PRFileDesc * osfd = ss->fd->lower;
492 SECStatus rv = SECFailure;
493 PRSocketOptionData opt;
494
495 opt.option = PR_SockOpt_NoDelay;
496 opt.value.no_delay = (PRBool)!enabled;
497
498 if (osfd->methods->setsocketoption) {
499 rv = (SECStatus) osfd->methods->setsocketoption(osfd, &opt);
500 } else {
501 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
502 }
503
504 return rv;
505 }
506
507 static void
508 ssl_ChooseOps(sslSocket *ss)
509 {
510 ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops;
511 }
512
513 /* Called from SSL_Enable (immediately below) */
514 static SECStatus
515 PrepareSocket(sslSocket *ss)
516 {
517 SECStatus rv = SECSuccess;
518
519 ssl_ChooseOps(ss);
520 return rv;
521 }
522
523 SECStatus
524 SSL_Enable(PRFileDesc *fd, int which, PRBool on)
525 {
526 return SSL_OptionSet(fd, which, on);
527 }
528
529 static const PRCallOnceType pristineCallOnce;
530 static PRCallOnceType setupBypassOnce;
531
532 static SECStatus SSL_BypassShutdown(void* appData, void* nssData)
533 {
534 /* unload freeBL shared library from memory */
535 BL_Unload();
536 setupBypassOnce = pristineCallOnce;
537 return SECSuccess;
538 }
539
540 static PRStatus SSL_BypassRegisterShutdown(void)
541 {
542 SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL);
543 PORT_Assert(SECSuccess == rv);
544 return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE;
545 }
546
547 static PRStatus SSL_BypassSetup(void)
548 {
549 return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
550 }
551
552 SECStatus
553 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
554 {
555 sslSocket *ss = ssl_FindSocket(fd);
556 SECStatus rv = SECSuccess;
557 PRBool holdingLocks;
558
559 if (!ss) {
560 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
561 return SECFailure;
562 }
563
564 holdingLocks = (!ss->opt.noLocks);
565 ssl_Get1stHandshakeLock(ss);
566 ssl_GetSSL3HandshakeLock(ss);
567
568 switch (which) {
569 case SSL_SOCKS:
570 ss->opt.useSocks = PR_FALSE;
571 rv = PrepareSocket(ss);
572 if (on) {
573 PORT_SetError(SEC_ERROR_INVALID_ARGS);
574 rv = SECFailure;
575 }
576 break;
577
578 case SSL_SECURITY:
579 ss->opt.useSecurity = on;
580 rv = PrepareSocket(ss);
581 break;
582
583 case SSL_REQUEST_CERTIFICATE:
584 ss->opt.requestCertificate = on;
585 break;
586
587 case SSL_REQUIRE_CERTIFICATE:
588 ss->opt.requireCertificate = on;
589 break;
590
591 case SSL_HANDSHAKE_AS_CLIENT:
592 if ( ss->opt.handshakeAsServer && on ) {
593 PORT_SetError(SEC_ERROR_INVALID_ARGS);
594 rv = SECFailure;
595 break;
596 }
597 ss->opt.handshakeAsClient = on;
598 break;
599
600 case SSL_HANDSHAKE_AS_SERVER:
601 if ( ss->opt.handshakeAsClient && on ) {
602 PORT_SetError(SEC_ERROR_INVALID_ARGS);
603 rv = SECFailure;
604 break;
605 }
606 ss->opt.handshakeAsServer = on;
607 break;
608
609 case SSL_ENABLE_TLS:
610 ss->opt.enableTLS = on;
611 ss->preferredCipher = NULL;
612 if (ss->cipherSpecs) {
613 PORT_Free(ss->cipherSpecs);
614 ss->cipherSpecs = NULL;
615 ss->sizeCipherSpecs = 0;
616 }
617 break;
618
619 case SSL_ENABLE_SSL3:
620 ss->opt.enableSSL3 = on;
621 ss->preferredCipher = NULL;
622 if (ss->cipherSpecs) {
623 PORT_Free(ss->cipherSpecs);
624 ss->cipherSpecs = NULL;
625 ss->sizeCipherSpecs = 0;
626 }
627 break;
628
629 case SSL_ENABLE_SSL2:
630 ss->opt.enableSSL2 = on;
631 if (on) {
632 ss->opt.v2CompatibleHello = on;
633 }
634 ss->preferredCipher = NULL;
635 if (ss->cipherSpecs) {
636 PORT_Free(ss->cipherSpecs);
637 ss->cipherSpecs = NULL;
638 ss->sizeCipherSpecs = 0;
639 }
640 break;
641
642 case SSL_NO_CACHE:
643 ss->opt.noCache = on;
644 break;
645
646 case SSL_ENABLE_FDX:
647 if (on && ss->opt.noLocks) {
648 PORT_SetError(SEC_ERROR_INVALID_ARGS);
649 rv = SECFailure;
650 }
651 ss->opt.fdx = on;
652 break;
653
654 case SSL_V2_COMPATIBLE_HELLO:
655 ss->opt.v2CompatibleHello = on;
656 if (!on) {
657 ss->opt.enableSSL2 = on;
658 }
659 break;
660
661 case SSL_ROLLBACK_DETECTION:
662 ss->opt.detectRollBack = on;
663 break;
664
665 case SSL_NO_STEP_DOWN:
666 ss->opt.noStepDown = on;
667 if (on)
668 SSL_DisableExportCipherSuites(fd);
669 break;
670
671 case SSL_BYPASS_PKCS11:
672 if (ss->handshakeBegun) {
673 PORT_SetError(PR_INVALID_STATE_ERROR);
674 rv = SECFailure;
675 } else {
676 if (PR_FALSE != on) {
677 if (PR_SUCCESS == SSL_BypassSetup() ) {
678 ss->opt.bypassPKCS11 = on;
679 } else {
680 rv = SECFailure;
681 }
682 } else {
683 ss->opt.bypassPKCS11 = PR_FALSE;
684 }
685 }
686 break;
687
688 case SSL_NO_LOCKS:
689 if (on && ss->opt.fdx) {
690 PORT_SetError(SEC_ERROR_INVALID_ARGS);
691 rv = SECFailure;
692 }
693 if (on && ssl_force_locks)
694 on = PR_FALSE; /* silent override */
695 ss->opt.noLocks = on;
696 if (on) {
697 locksEverDisabled = PR_TRUE;
698 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
699 } else if (!holdingLocks) {
700 rv = ssl_MakeLocks(ss);
701 if (rv != SECSuccess) {
702 ss->opt.noLocks = PR_TRUE;
703 }
704 }
705 break;
706
707 case SSL_ENABLE_SESSION_TICKETS:
708 ss->opt.enableSessionTickets = on;
709 break;
710
711 case SSL_ENABLE_DEFLATE:
712 ss->opt.enableDeflate = on;
713 break;
714
715 case SSL_ENABLE_RENEGOTIATION:
716 ss->opt.enableRenegotiation = on;
717 break;
718
719 case SSL_REQUIRE_SAFE_NEGOTIATION:
720 ss->opt.requireSafeNegotiation = on;
721 break;
722
723 default:
724 PORT_SetError(SEC_ERROR_INVALID_ARGS);
725 rv = SECFailure;
726 }
727
728 /* We can't use the macros for releasing the locks here,
729 * because ss->opt.noLocks might have changed just above.
730 * We must release these locks (monitors) here, if we aquired them above,
731 * regardless of the current value of ss->opt.noLocks.
732 */
733 if (holdingLocks) {
734 PZ_ExitMonitor((ss)->ssl3HandshakeLock);
735 PZ_ExitMonitor((ss)->firstHandshakeLock);
736 }
737
738 return rv;
739 }
740
741 SECStatus
742 SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
743 {
744 sslSocket *ss = ssl_FindSocket(fd);
745 SECStatus rv = SECSuccess;
746 PRBool on = PR_FALSE;
747
748 if (!pOn) {
749 PORT_SetError(SEC_ERROR_INVALID_ARGS);
750 return SECFailure;
751 }
752 if (!ss) {
753 SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
754 *pOn = PR_FALSE;
755 return SECFailure;
756 }
757
758 ssl_Get1stHandshakeLock(ss);
759 ssl_GetSSL3HandshakeLock(ss);
760
761 switch (which) {
762 case SSL_SOCKS: on = PR_FALSE; break;
763 case SSL_SECURITY: on = ss->opt.useSecurity; break;
764 case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break;
765 case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break;
766 case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient; break;
767 case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer; break;
768 case SSL_ENABLE_TLS: on = ss->opt.enableTLS; break;
769 case SSL_ENABLE_SSL3: on = ss->opt.enableSSL3; break;
770 case SSL_ENABLE_SSL2: on = ss->opt.enableSSL2; break;
771 case SSL_NO_CACHE: on = ss->opt.noCache; break;
772 case SSL_ENABLE_FDX: on = ss->opt.fdx; break;
773 case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello; break;
774 case SSL_ROLLBACK_DETECTION: on = ss->opt.detectRollBack; break;
775 case SSL_NO_STEP_DOWN: on = ss->opt.noStepDown; break;
776 case SSL_BYPASS_PKCS11: on = ss->opt.bypassPKCS11; break;
777 case SSL_NO_LOCKS: on = ss->opt.noLocks; break;
778 case SSL_ENABLE_SESSION_TICKETS:
779 on = ss->opt.enableSessionTickets;
780 break;
781 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break;
782 case SSL_ENABLE_RENEGOTIATION:
783 on = ss->opt.enableRenegotiation; break;
784 case SSL_REQUIRE_SAFE_NEGOTIATION:
785 on = ss->opt.requireSafeNegotiation; break;
786
787 default:
788 PORT_SetError(SEC_ERROR_INVALID_ARGS);
789 rv = SECFailure;
790 }
791
792 ssl_ReleaseSSL3HandshakeLock(ss);
793 ssl_Release1stHandshakeLock(ss);
794
795 *pOn = on;
796 return rv;
797 }
798
799 SECStatus
800 SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
801 {
802 SECStatus rv = SECSuccess;
803 PRBool on = PR_FALSE;
804
805 if (!pOn) {
806 PORT_SetError(SEC_ERROR_INVALID_ARGS);
807 return SECFailure;
808 }
809
810 switch (which) {
811 case SSL_SOCKS: on = PR_FALSE; break;
812 case SSL_SECURITY: on = ssl_defaults.useSecurity; break;
813 case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break;
814 case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break;
815 case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient; break;
816 case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer; break;
817 case SSL_ENABLE_TLS: on = ssl_defaults.enableTLS; break;
818 case SSL_ENABLE_SSL3: on = ssl_defaults.enableSSL3; break;
819 case SSL_ENABLE_SSL2: on = ssl_defaults.enableSSL2; break;
820 case SSL_NO_CACHE: on = ssl_defaults.noCache; break;
821 case SSL_ENABLE_FDX: on = ssl_defaults.fdx; break;
822 case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello; break;
823 case SSL_ROLLBACK_DETECTION: on = ssl_defaults.detectRollBack; break;
824 case SSL_NO_STEP_DOWN: on = ssl_defaults.noStepDown; break;
825 case SSL_BYPASS_PKCS11: on = ssl_defaults.bypassPKCS11; break;
826 case SSL_NO_LOCKS: on = ssl_defaults.noLocks; break;
827 case SSL_ENABLE_SESSION_TICKETS:
828 on = ssl_defaults.enableSessionTickets;
829 break;
830 case SSL_ENABLE_DEFLATE: on = ssl_defaults.enableDeflate; break;
831 case SSL_ENABLE_RENEGOTIATION:
832 on = ssl_defaults.enableRenegotiation; break;
833 case SSL_REQUIRE_SAFE_NEGOTIATION:
834 on = ssl_defaults.requireSafeNegotiation;
835 break;
836
837 default:
838 PORT_SetError(SEC_ERROR_INVALID_ARGS);
839 rv = SECFailure;
840 }
841
842 *pOn = on;
843 return rv;
844 }
845
846 /* XXX Use Global Lock to protect this stuff. */
847 SECStatus
848 SSL_EnableDefault(int which, PRBool on)
849 {
850 return SSL_OptionSetDefault(which, on);
851 }
852
853 SECStatus
854 SSL_OptionSetDefault(PRInt32 which, PRBool on)
855 {
856 switch (which) {
857 case SSL_SOCKS:
858 ssl_defaults.useSocks = PR_FALSE;
859 if (on) {
860 PORT_SetError(SEC_ERROR_INVALID_ARGS);
861 return SECFailure;
862 }
863 break;
864
865 case SSL_SECURITY:
866 ssl_defaults.useSecurity = on;
867 break;
868
869 case SSL_REQUEST_CERTIFICATE:
870 ssl_defaults.requestCertificate = on;
871 break;
872
873 case SSL_REQUIRE_CERTIFICATE:
874 ssl_defaults.requireCertificate = on;
875 break;
876
877 case SSL_HANDSHAKE_AS_CLIENT:
878 if ( ssl_defaults.handshakeAsServer && on ) {
879 PORT_SetError(SEC_ERROR_INVALID_ARGS);
880 return SECFailure;
881 }
882 ssl_defaults.handshakeAsClient = on;
883 break;
884
885 case SSL_HANDSHAKE_AS_SERVER:
886 if ( ssl_defaults.handshakeAsClient && on ) {
887 PORT_SetError(SEC_ERROR_INVALID_ARGS);
888 return SECFailure;
889 }
890 ssl_defaults.handshakeAsServer = on;
891 break;
892
893 case SSL_ENABLE_TLS:
894 ssl_defaults.enableTLS = on;
895 break;
896
897 case SSL_ENABLE_SSL3:
898 ssl_defaults.enableSSL3 = on;
899 break;
900
901 case SSL_ENABLE_SSL2:
902 ssl_defaults.enableSSL2 = on;
903 if (on) {
904 ssl_defaults.v2CompatibleHello = on;
905 }
906 break;
907
908 case SSL_NO_CACHE:
909 ssl_defaults.noCache = on;
910 break;
911
912 case SSL_ENABLE_FDX:
913 if (on && ssl_defaults.noLocks) {
914 PORT_SetError(SEC_ERROR_INVALID_ARGS);
915 return SECFailure;
916 }
917 ssl_defaults.fdx = on;
918 break;
919
920 case SSL_V2_COMPATIBLE_HELLO:
921 ssl_defaults.v2CompatibleHello = on;
922 if (!on) {
923 ssl_defaults.enableSSL2 = on;
924 }
925 break;
926
927 case SSL_ROLLBACK_DETECTION:
928 ssl_defaults.detectRollBack = on;
929 break;
930
931 case SSL_NO_STEP_DOWN:
932 ssl_defaults.noStepDown = on;
933 if (on)
934 SSL_DisableDefaultExportCipherSuites();
935 break;
936
937 case SSL_BYPASS_PKCS11:
938 if (PR_FALSE != on) {
939 if (PR_SUCCESS == SSL_BypassSetup()) {
940 ssl_defaults.bypassPKCS11 = on;
941 } else {
942 return SECFailure;
943 }
944 } else {
945 ssl_defaults.bypassPKCS11 = PR_FALSE;
946 }
947 break;
948
949 case SSL_NO_LOCKS:
950 if (on && ssl_defaults.fdx) {
951 PORT_SetError(SEC_ERROR_INVALID_ARGS);
952 return SECFailure;
953 }
954 if (on && ssl_force_locks)
955 on = PR_FALSE; /* silent override */
956 ssl_defaults.noLocks = on;
957 if (on) {
958 locksEverDisabled = PR_TRUE;
959 strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
960 }
961 break;
962
963 case SSL_ENABLE_SESSION_TICKETS:
964 ssl_defaults.enableSessionTickets = on;
965 break;
966
967 case SSL_ENABLE_DEFLATE:
968 ssl_defaults.enableDeflate = on;
969 break;
970
971 case SSL_ENABLE_RENEGOTIATION:
972 ssl_defaults.enableRenegotiation = on;
973 break;
974
975 case SSL_REQUIRE_SAFE_NEGOTIATION:
976 ssl_defaults.requireSafeNegotiation = on;
977 break;
978
979 default:
980 PORT_SetError(SEC_ERROR_INVALID_ARGS);
981 return SECFailure;
982 }
983 return SECSuccess;
984 }
985
986 /* function tells us if the cipher suite is one that we no longer support. */
987 static PRBool
988 ssl_IsRemovedCipherSuite(PRInt32 suite)
989 {
990 switch (suite) {
991 case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
992 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
993 case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
994 return PR_TRUE;
995 default:
996 return PR_FALSE;
997 }
998 }
999
1000 /* Part of the public NSS API.
1001 * Since this is a global (not per-socket) setting, we cannot use the
1002 * HandshakeLock to protect this. Probably want a global lock.
1003 */
1004 SECStatus
1005 SSL_SetPolicy(long which, int policy)
1006 {
1007 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
1008 /* one of the two old FIPS ciphers */
1009 if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA)
1010 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
1011 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
1012 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
1013 }
1014 if (ssl_IsRemovedCipherSuite(which))
1015 return SECSuccess;
1016 return SSL_CipherPolicySet(which, policy);
1017 }
1018
1019 SECStatus
1020 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
1021 {
1022 SECStatus rv;
1023
1024 if (ssl_IsRemovedCipherSuite(which)) {
1025 rv = SECSuccess;
1026 } else if (SSL_IS_SSL2_CIPHER(which)) {
1027 rv = ssl2_SetPolicy(which, policy);
1028 } else {
1029 rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
1030 }
1031 return rv;
1032 }
1033
1034 SECStatus
1035 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
1036 {
1037 SECStatus rv;
1038
1039 if (!oPolicy) {
1040 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1041 return SECFailure;
1042 }
1043 if (ssl_IsRemovedCipherSuite(which)) {
1044 *oPolicy = SSL_NOT_ALLOWED;
1045 rv = SECSuccess;
1046 } else if (SSL_IS_SSL2_CIPHER(which)) {
1047 rv = ssl2_GetPolicy(which, oPolicy);
1048 } else {
1049 rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
1050 }
1051 return rv;
1052 }
1053
1054 /* Part of the public NSS API.
1055 * Since this is a global (not per-socket) setting, we cannot use the
1056 * HandshakeLock to protect this. Probably want a global lock.
1057 * These changes have no effect on any sslSockets already created.
1058 */
1059 SECStatus
1060 SSL_EnableCipher(long which, PRBool enabled)
1061 {
1062 if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
1063 /* one of the two old FIPS ciphers */
1064 if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA)
1065 which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
1066 else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
1067 which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
1068 }
1069 if (ssl_IsRemovedCipherSuite(which))
1070 return SECSuccess;
1071 return SSL_CipherPrefSetDefault(which, enabled);
1072 }
1073
1074 SECStatus
1075 SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
1076 {
1077 SECStatus rv;
1078
1079 if (ssl_IsRemovedCipherSuite(which))
1080 return SECSuccess;
1081 if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) {
1082 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
1083 return SECFailure;
1084 }
1085 if (SSL_IS_SSL2_CIPHER(which)) {
1086 rv = ssl2_CipherPrefSetDefault(which, enabled);
1087 } else {
1088 rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled);
1089 }
1090 return rv;
1091 }
1092
1093 SECStatus
1094 SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
1095 {
1096 SECStatus rv;
1097
1098 if (!enabled) {
1099 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1100 return SECFailure;
1101 }
1102 if (ssl_IsRemovedCipherSuite(which)) {
1103 *enabled = PR_FALSE;
1104 rv = SECSuccess;
1105 } else if (SSL_IS_SSL2_CIPHER(which)) {
1106 rv = ssl2_CipherPrefGetDefault(which, enabled);
1107 } else {
1108 rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled);
1109 }
1110 return rv;
1111 }
1112
1113 SECStatus
1114 SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled)
1115 {
1116 SECStatus rv;
1117 sslSocket *ss = ssl_FindSocket(fd);
1118
1119 if (!ss) {
1120 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd));
1121 return SECFailure;
1122 }
1123 if (ssl_IsRemovedCipherSuite(which))
1124 return SECSuccess;
1125 if (enabled && ss->opt.noStepDown && SSL_IsExportCipherSuite(which)) {
1126 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
1127 return SECFailure;
1128 }
1129 if (SSL_IS_SSL2_CIPHER(which)) {
1130 rv = ssl2_CipherPrefSet(ss, which, enabled);
1131 } else {
1132 rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);
1133 }
1134 return rv;
1135 }
1136
1137 SECStatus
1138 SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
1139 {
1140 SECStatus rv;
1141 sslSocket *ss = ssl_FindSocket(fd);
1142
1143 if (!enabled) {
1144 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1145 return SECFailure;
1146 }
1147 if (!ss) {
1148 SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd));
1149 *enabled = PR_FALSE;
1150 return SECFailure;
1151 }
1152 if (ssl_IsRemovedCipherSuite(which)) {
1153 *enabled = PR_FALSE;
1154 rv = SECSuccess;
1155 } else if (SSL_IS_SSL2_CIPHER(which)) {
1156 rv = ssl2_CipherPrefGet(ss, which, enabled);
1157 } else {
1158 rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
1159 }
1160 return rv;
1161 }
1162
1163 SECStatus
1164 NSS_SetDomesticPolicy(void)
1165 {
1166 #ifndef EXPORT_VERSION
1167 SECStatus status = SECSuccess;
1168 cipherPolicy * policy;
1169
1170 for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
1171 status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
1172 if (status != SECSuccess)
1173 break;
1174 }
1175 return status;
1176 #else
1177 return NSS_SetExportPolicy();
1178 #endif
1179 }
1180
1181 SECStatus
1182 NSS_SetExportPolicy(void)
1183 {
1184 SECStatus status = SECSuccess;
1185 cipherPolicy * policy;
1186
1187 for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
1188 status = SSL_SetPolicy(policy->cipher, policy->export);
1189 if (status != SECSuccess)
1190 break;
1191 }
1192 return status;
1193 }
1194
1195 SECStatus
1196 NSS_SetFrancePolicy(void)
1197 {
1198 SECStatus status = SECSuccess;
1199 cipherPolicy * policy;
1200
1201 for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
1202 status = SSL_SetPolicy(policy->cipher, policy->france);
1203 if (status != SECSuccess)
1204 break;
1205 }
1206 return status;
1207 }
1208
1209
1210
1211 /* LOCKS ??? XXX */
1212 PRFileDesc *
1213 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
1214 {
1215 sslSocket * ns = NULL;
1216 PRStatus rv;
1217 PRNetAddr addr;
1218
1219 if (model == NULL) {
1220 /* Just create a default socket if we're given NULL for the model */
1221 ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks));
1222 } else {
1223 sslSocket * ss = ssl_FindSocket(model);
1224 if (ss == NULL) {
1225 SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD",
1226 SSL_GETPID(), model));
1227 return NULL;
1228 }
1229 ns = ssl_DupSocket(ss);
1230 }
1231 if (ns == NULL)
1232 return NULL;
1233
1234 rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER);
1235 if (rv != PR_SUCCESS) {
1236 ssl_FreeSocket(ns);
1237 SET_ERROR_CODE
1238 return NULL;
1239 }
1240 #ifdef _WIN32
1241 PR_Sleep(PR_INTERVAL_NO_WAIT); /* workaround NT winsock connect bug. */
1242 #endif
1243 ns = ssl_FindSocket(fd);
1244 PORT_Assert(ns);
1245 if (ns)
1246 ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
1247 return fd;
1248 }
1249
1250 /************************************************************************/
1251 /* The following functions are the TOP LEVEL SSL functions.
1252 ** They all get called through the NSPRIOMethods table below.
1253 */
1254
1255 static PRFileDesc * PR_CALLBACK
1256 ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
1257 {
1258 sslSocket *ss;
1259 sslSocket *ns = NULL;
1260 PRFileDesc *newfd = NULL;
1261 PRFileDesc *osfd;
1262 PRStatus status;
1263
1264 ss = ssl_GetPrivate(fd);
1265 if (!ss) {
1266 SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd));
1267 return NULL;
1268 }
1269
1270 /* IF this is a listen socket, there shouldn't be any I/O going on */
1271 SSL_LOCK_READER(ss);
1272 SSL_LOCK_WRITER(ss);
1273 ssl_Get1stHandshakeLock(ss);
1274 ssl_GetSSL3HandshakeLock(ss);
1275
1276 ss->cTimeout = timeout;
1277
1278 osfd = ss->fd->lower;
1279
1280 /* First accept connection */
1281 newfd = osfd->methods->accept(osfd, sockaddr, timeout);
1282 if (newfd == NULL) {
1283 SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d",
1284 SSL_GETPID(), ss->fd, PORT_GetError()));
1285 } else {
1286 /* Create ssl module */
1287 ns = ssl_DupSocket(ss);
1288 }
1289
1290 ssl_ReleaseSSL3HandshakeLock(ss);
1291 ssl_Release1stHandshakeLock(ss);
1292 SSL_UNLOCK_WRITER(ss);
1293 SSL_UNLOCK_READER(ss); /* ss isn't used below here. */
1294
1295 if (ns == NULL)
1296 goto loser;
1297
1298 /* push ssl module onto the new socket */
1299 status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER);
1300 if (status != PR_SUCCESS)
1301 goto loser;
1302
1303 /* Now start server connection handshake with client.
1304 ** Don't need locks here because nobody else has a reference to ns yet.
1305 */
1306 if ( ns->opt.useSecurity ) {
1307 if ( ns->opt.handshakeAsClient ) {
1308 ns->handshake = ssl2_BeginClientHandshake;
1309 ss->handshaking = sslHandshakingAsClient;
1310 } else {
1311 ns->handshake = ssl2_BeginServerHandshake;
1312 ss->handshaking = sslHandshakingAsServer;
1313 }
1314 }
1315 ns->TCPconnected = 1;
1316 return newfd;
1317
1318 loser:
1319 if (ns != NULL)
1320 ssl_FreeSocket(ns);
1321 if (newfd != NULL)
1322 PR_Close(newfd);
1323 return NULL;
1324 }
1325
1326 static PRStatus PR_CALLBACK
1327 ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout)
1328 {
1329 sslSocket *ss;
1330 PRStatus rv;
1331
1332 ss = ssl_GetPrivate(fd);
1333 if (!ss) {
1334 SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd));
1335 return PR_FAILURE;
1336 }
1337
1338 /* IF this is a listen socket, there shouldn't be any I/O going on */
1339 SSL_LOCK_READER(ss);
1340 SSL_LOCK_WRITER(ss);
1341
1342 ss->cTimeout = timeout;
1343 rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr);
1344 #ifdef _WIN32
1345 PR_Sleep(PR_INTERVAL_NO_WAIT); /* workaround NT winsock connect bug. */
1346 #endif
1347
1348 SSL_UNLOCK_WRITER(ss);
1349 SSL_UNLOCK_READER(ss);
1350
1351 return rv;
1352 }
1353
1354 static PRStatus PR_CALLBACK
1355 ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr)
1356 {
1357 sslSocket * ss = ssl_GetPrivate(fd);
1358 PRStatus rv;
1359
1360 if (!ss) {
1361 SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd));
1362 return PR_FAILURE;
1363 }
1364 SSL_LOCK_READER(ss);
1365 SSL_LOCK_WRITER(ss);
1366
1367 rv = (PRStatus)(*ss->ops->bind)(ss, addr);
1368
1369 SSL_UNLOCK_WRITER(ss);
1370 SSL_UNLOCK_READER(ss);
1371 return rv;
1372 }
1373
1374 static PRStatus PR_CALLBACK
1375 ssl_Listen(PRFileDesc *fd, PRIntn backlog)
1376 {
1377 sslSocket * ss = ssl_GetPrivate(fd);
1378 PRStatus rv;
1379
1380 if (!ss) {
1381 SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd));
1382 return PR_FAILURE;
1383 }
1384 SSL_LOCK_READER(ss);
1385 SSL_LOCK_WRITER(ss);
1386
1387 rv = (PRStatus)(*ss->ops->listen)(ss, backlog);
1388
1389 SSL_UNLOCK_WRITER(ss);
1390 SSL_UNLOCK_READER(ss);
1391 return rv;
1392 }
1393
1394 static PRStatus PR_CALLBACK
1395 ssl_Shutdown(PRFileDesc *fd, PRIntn how)
1396 {
1397 sslSocket * ss = ssl_GetPrivate(fd);
1398 PRStatus rv;
1399
1400 if (!ss) {
1401 SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd));
1402 return PR_FAILURE;
1403 }
1404 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
1405 SSL_LOCK_READER(ss);
1406 }
1407 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
1408 SSL_LOCK_WRITER(ss);
1409 }
1410
1411 rv = (PRStatus)(*ss->ops->shutdown)(ss, how);
1412
1413 if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
1414 SSL_UNLOCK_WRITER(ss);
1415 }
1416 if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
1417 SSL_UNLOCK_READER(ss);
1418 }
1419 return rv;
1420 }
1421
1422 static PRStatus PR_CALLBACK
1423 ssl_Close(PRFileDesc *fd)
1424 {
1425 sslSocket *ss;
1426 PRStatus rv;
1427
1428 ss = ssl_GetPrivate(fd);
1429 if (!ss) {
1430 SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd));
1431 return PR_FAILURE;
1432 }
1433
1434 /* There must not be any I/O going on */
1435 SSL_LOCK_READER(ss);
1436 SSL_LOCK_WRITER(ss);
1437
1438 /* By the time this function returns,
1439 ** ss is an invalid pointer, and the locks to which it points have
1440 ** been unlocked and freed. So, this is the ONE PLACE in all of SSL
1441 ** where the LOCK calls and the corresponding UNLOCK calls are not in
1442 ** the same function scope. The unlock calls are in ssl_FreeSocket().
1443 */
1444 rv = (PRStatus)(*ss->ops->close)(ss);
1445
1446 return rv;
1447 }
1448
1449 static int PR_CALLBACK
1450 ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags,
1451 PRIntervalTime timeout)
1452 {
1453 sslSocket *ss;
1454 int rv;
1455
1456 ss = ssl_GetPrivate(fd);
1457 if (!ss) {
1458 SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd));
1459 return SECFailure;
1460 }
1461 SSL_LOCK_READER(ss);
1462 ss->rTimeout = timeout;
1463 if (!ss->opt.fdx)
1464 ss->wTimeout = timeout;
1465 rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags);
1466 SSL_UNLOCK_READER(ss);
1467 return rv;
1468 }
1469
1470 static int PR_CALLBACK
1471 ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
1472 PRIntervalTime timeout)
1473 {
1474 sslSocket *ss;
1475 int rv;
1476
1477 ss = ssl_GetPrivate(fd);
1478 if (!ss) {
1479 SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd));
1480 return SECFailure;
1481 }
1482 SSL_LOCK_WRITER(ss);
1483 ss->wTimeout = timeout;
1484 if (!ss->opt.fdx)
1485 ss->rTimeout = timeout;
1486 rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags);
1487 SSL_UNLOCK_WRITER(ss);
1488 return rv;
1489 }
1490
1491 static int PR_CALLBACK
1492 ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len)
1493 {
1494 sslSocket *ss;
1495 int rv;
1496
1497 ss = ssl_GetPrivate(fd);
1498 if (!ss) {
1499 SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd));
1500 return SECFailure;
1501 }
1502 SSL_LOCK_READER(ss);
1503 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
1504 if (!ss->opt.fdx)
1505 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
1506 rv = (*ss->ops->read)(ss, (unsigned char*)buf, len);
1507 SSL_UNLOCK_READER(ss);
1508 return rv;
1509 }
1510
1511 static int PR_CALLBACK
1512 ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
1513 {
1514 sslSocket *ss;
1515 int rv;
1516
1517 ss = ssl_GetPrivate(fd);
1518 if (!ss) {
1519 SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd));
1520 return SECFailure;
1521 }
1522 SSL_LOCK_WRITER(ss);
1523 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
1524 if (!ss->opt.fdx)
1525 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
1526 rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len);
1527 SSL_UNLOCK_WRITER(ss);
1528 return rv;
1529 }
1530
1531 static PRStatus PR_CALLBACK
1532 ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr)
1533 {
1534 sslSocket *ss;
1535
1536 ss = ssl_GetPrivate(fd);
1537 if (!ss) {
1538 SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd));
1539 return PR_FAILURE;
1540 }
1541 return (PRStatus)(*ss->ops->getpeername)(ss, addr);
1542 }
1543
1544 /*
1545 */
1546 SECStatus
1547 ssl_GetPeerInfo(sslSocket *ss)
1548 {
1549 PRFileDesc * osfd;
1550 int rv;
1551 PRNetAddr sin;
1552
1553 osfd = ss->fd->lower;
1554
1555 PORT_Memset(&sin, 0, sizeof(sin));
1556 rv = osfd->methods->getpeername(osfd, &sin);
1557 if (rv < 0) {
1558 return SECFailure;
1559 }
1560 ss->TCPconnected = 1;
1561 if (sin.inet.family == PR_AF_INET) {
1562 PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer);
1563 ss->sec.ci.port = sin.inet.port;
1564 } else if (sin.ipv6.family == PR_AF_INET6) {
1565 ss->sec.ci.peer = sin.ipv6.ip;
1566 ss->sec.ci.port = sin.ipv6.port;
1567 } else {
1568 PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR);
1569 return SECFailure;
1570 }
1571 return SECSuccess;
1572 }
1573
1574 static PRStatus PR_CALLBACK
1575 ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name)
1576 {
1577 sslSocket *ss;
1578
1579 ss = ssl_GetPrivate(fd);
1580 if (!ss) {
1581 SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd));
1582 return PR_FAILURE;
1583 }
1584 return (PRStatus)(*ss->ops->getsockname)(ss, name);
1585 }
1586
1587 SECStatus PR_CALLBACK
1588 SSL_SetSockPeerID(PRFileDesc *fd, char *peerID)
1589 {
1590 sslSocket *ss;
1591
1592 ss = ssl_FindSocket(fd);
1593 if (!ss) {
1594 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCacheIndex",
1595 SSL_GETPID(), fd));
1596 return SECFailure;
1597 }
1598
1599 if (ss->peerID) {
1600 PORT_Free(ss->peerID);
1601 ss->peerID = NULL;
1602 }
1603 if (peerID)
1604 ss->peerID = PORT_Strdup(peerID);
1605 return (ss->peerID || !peerID) ? SECSuccess : SECFailure;
1606 }
1607
1608 #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ)
1609
1610 static PRInt16 PR_CALLBACK
1611 ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
1612 {
1613 sslSocket *ss;
1614 PRInt16 new_flags = how_flags; /* should select on these flags. */
1615 PRNetAddr addr;
1616
1617 *p_out_flags = 0;
1618 ss = ssl_GetPrivate(fd);
1619 if (!ss) {
1620 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll",
1621 SSL_GETPID(), fd));
1622 return 0; /* don't poll on this socket */
1623 }
1624
1625 if (ss->opt.useSecurity &&
1626 ss->handshaking != sslHandshakingUndetermined &&
1627 !ss->firstHsDone &&
1628 (how_flags & PR_POLL_RW)) {
1629 if (!ss->TCPconnected) {
1630 ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
1631 }
1632 /* If it's not connected, then presumably the application is polling
1633 ** on read or write appropriately, so don't change it.
1634 */
1635 if (ss->TCPconnected) {
1636 if (!ss->handshakeBegun) {
1637 /* If the handshake has not begun, poll on read or write
1638 ** based on the local application's role in the handshake,
1639 ** not based on what the application requested.
1640 */
1641 new_flags &= ~PR_POLL_RW;
1642 if (ss->handshaking == sslHandshakingAsClient) {
1643 new_flags |= PR_POLL_WRITE;
1644 } else { /* handshaking as server */
1645 new_flags |= PR_POLL_READ;
1646 }
1647 } else
1648 /* First handshake is in progress */
1649 if (ss->lastWriteBlocked) {
1650 if (new_flags & PR_POLL_READ) {
1651 /* The caller is waiting for data to be received,
1652 ** but the initial handshake is blocked on write, or the
1653 ** client's first handshake record has not been written.
1654 ** The code should select on write, not read.
1655 */
1656 new_flags ^= PR_POLL_READ; /* don't select on read. */
1657 new_flags |= PR_POLL_WRITE; /* do select on write. */
1658 }
1659 } else if (new_flags & PR_POLL_WRITE) {
1660 /* The caller is trying to write, but the handshake is
1661 ** blocked waiting for data to read, and the first
1662 ** handshake has been sent. so do NOT to poll on write.
1663 */
1664 new_flags ^= PR_POLL_WRITE; /* don't select on write. */
1665 new_flags |= PR_POLL_READ; /* do select on read. */
1666 }
1667 }
1668 } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
1669 *p_out_flags = PR_POLL_READ; /* it's ready already. */
1670 return new_flags;
1671 } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) &&
1672 (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */
1673 new_flags |= PR_POLL_WRITE; /* also select on write. */
1674 }
1675 if (new_flags && (fd->lower->methods->poll != NULL)) {
1676 PRInt16 lower_out_flags = 0;
1677 PRInt16 lower_new_flags;
1678 lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags,
1679 &lower_out_flags);
1680 if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) {
1681 PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW;
1682 if (lower_out_flags & PR_POLL_READ)
1683 out_flags |= PR_POLL_WRITE;
1684 if (lower_out_flags & PR_POLL_WRITE)
1685 out_flags |= PR_POLL_READ;
1686 *p_out_flags = out_flags;
1687 new_flags = how_flags;
1688 } else {
1689 *p_out_flags = lower_out_flags;
1690 new_flags = lower_new_flags;
1691 }
1692 }
1693
1694 return new_flags;
1695 }
1696
1697 static PRInt32 PR_CALLBACK
1698 ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd,
1699 const void *headers, PRInt32 hlen,
1700 PRTransmitFileFlags flags, PRIntervalTime timeout)
1701 {
1702 PRSendFileData sfd;
1703
1704 sfd.fd = fd;
1705 sfd.file_offset = 0;
1706 sfd.file_nbytes = 0;
1707 sfd.header = headers;
1708 sfd.hlen = hlen;
1709 sfd.trailer = NULL;
1710 sfd.tlen = 0;
1711
1712 return sd->methods->sendfile(sd, &sfd, flags, timeout);
1713 }
1714
1715
1716 PRBool
1717 ssl_FdIsBlocking(PRFileDesc *fd)
1718 {
1719 PRSocketOptionData opt;
1720 PRStatus status;
1721
1722 opt.option = PR_SockOpt_Nonblocking;
1723 opt.value.non_blocking = PR_FALSE;
1724 status = PR_GetSocketOption(fd, &opt);
1725 if (status != PR_SUCCESS)
1726 return PR_FALSE;
1727 return (PRBool)!opt.value.non_blocking;
1728 }
1729
1730 PRBool
1731 ssl_SocketIsBlocking(sslSocket *ss)
1732 {
1733 return ssl_FdIsBlocking(ss->fd);
1734 }
1735
1736 PRInt32 sslFirstBufSize = 8 * 1024;
1737 PRInt32 sslCopyLimit = 1024;
1738
1739 static PRInt32 PR_CALLBACK
1740 ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
1741 PRIntervalTime timeout)
1742 {
1743 PRInt32 bufLen;
1744 PRInt32 left;
1745 PRInt32 rv;
1746 PRInt32 sent = 0;
1747 const PRInt32 first_len = sslFirstBufSize;
1748 const PRInt32 limit = sslCopyLimit;
1749 PRBool blocking;
1750 PRIOVec myIov = { 0, 0 };
1751 char buf[MAX_FRAGMENT_LENGTH];
1752
1753 if (vectors > PR_MAX_IOVECTOR_SIZE) {
1754 PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
1755 return -1;
1756 }
1757 blocking = ssl_FdIsBlocking(fd);
1758
1759 #define K16 sizeof(buf)
1760 #define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; }
1761 #define GET_VECTOR do { myIov = *iov++; --vectors; KILL_VECTORS } while (0)
1762 #define HANDLE_ERR(rv, len) \
1763 if (rv != len) { \
1764 if (rv < 0) { \
1765 if (!blocking \
1766 && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \
1767 && (sent > 0)) { \
1768 return sent; \
1769 } else { \
1770 return -1; \
1771 } \
1772 } \
1773 /* Only a nonblocking socket can have partial sends */ \
1774 PR_ASSERT(!blocking); \
1775 return sent + rv; \
1776 }
1777 #define SEND(bfr, len) \
1778 do { \
1779 rv = ssl_Send(fd, bfr, len, 0, timeout); \
1780 HANDLE_ERR(rv, len) \
1781 sent += len; \
1782 } while (0)
1783
1784 /* Make sure the first write is at least 8 KB, if possible. */
1785 KILL_VECTORS
1786 if (!vectors)
1787 return ssl_Send(fd, 0, 0, 0, timeout);
1788 GET_VECTOR;
1789 if (!vectors) {
1790 return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout);
1791 }
1792 if (myIov.iov_len < first_len) {
1793 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
1794 bufLen = myIov.iov_len;
1795 left = first_len - bufLen;
1796 while (vectors && left) {
1797 int toCopy;
1798 GET_VECTOR;
1799 toCopy = PR_MIN(left, myIov.iov_len);
1800 PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy);
1801 bufLen += toCopy;
1802 left -= toCopy;
1803 myIov.iov_base += toCopy;
1804 myIov.iov_len -= toCopy;
1805 }
1806 SEND( buf, bufLen );
1807 }
1808
1809 while (vectors || myIov.iov_len) {
1810 PRInt32 addLen;
1811 if (!myIov.iov_len) {
1812 GET_VECTOR;
1813 }
1814 while (myIov.iov_len >= K16) {
1815 SEND(myIov.iov_base, K16);
1816 myIov.iov_base += K16;
1817 myIov.iov_len -= K16;
1818 }
1819 if (!myIov.iov_len)
1820 continue;
1821
1822 if (!vectors || myIov.iov_len > limit) {
1823 addLen = 0;
1824 } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
1825 /* Addlen is already computed. */;
1826 } else if (vectors > 1 &&
1827 iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
1828 addLen = limit - myIov.iov_len;
1829 } else
1830 addLen = 0;
1831
1832 if (!addLen) {
1833 SEND( myIov.iov_base, myIov.iov_len );
1834 myIov.iov_len = 0;
1835 continue;
1836 }
1837 PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
1838 bufLen = myIov.iov_len;
1839 do {
1840 GET_VECTOR;
1841 PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen);
1842 myIov.iov_base += addLen;
1843 myIov.iov_len -= addLen;
1844 bufLen += addLen;
1845
1846 left = PR_MIN( limit, K16 - bufLen);
1847 if (!vectors /* no more left */
1848 || myIov.iov_len > 0 /* we didn't use that one all up */
1849 || bufLen >= K16 /* it's full. */
1850 ) {
1851 addLen = 0;
1852 } else if ((addLen = iov->iov_len % K16) <= left) {
1853 /* Addlen is already computed. */;
1854 } else if (vectors > 1 &&
1855 iov[1].iov_len % K16 + addLen <= left + limit) {
1856 addLen = left;
1857 } else
1858 addLen = 0;
1859
1860 } while (addLen);
1861 SEND( buf, bufLen );
1862 }
1863 return sent;
1864 }
1865
1866 /*
1867 * These functions aren't implemented.
1868 */
1869
1870 static PRInt32 PR_CALLBACK
1871 ssl_Available(PRFileDesc *fd)
1872 {
1873 PORT_Assert(0);
1874 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
1875 return SECFailure;
1876 }
1877
1878 static PRInt64 PR_CALLBACK
1879 ssl_Available64(PRFileDesc *fd)
1880 {
1881 PRInt64 res;
1882
1883 PORT_Assert(0);
1884 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
1885 LL_I2L(res, -1L);
1886 return res;
1887 }
1888
1889 static PRStatus PR_CALLBACK
1890 ssl_FSync(PRFileDesc *fd)
1891 {
1892 PORT_Assert(0);
1893 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
1894 return PR_FAILURE;
1895 }
1896
1897 static PRInt32 PR_CALLBACK
1898 ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) {
1899 PORT_Assert(0);
1900 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
1901 return SECFailure;
1902 }
1903
1904 static PRInt64 PR_CALLBACK
1905 ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) {
1906 PRInt64 res;
1907
1908 PORT_Assert(0);
1909 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
1910 LL_I2L(res, -1L);
1911 return res;
1912 }
1913
1914 static PRStatus PR_CALLBACK
1915 ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info)
1916 {
1917 PORT_Assert(0);
1918 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
1919 return PR_FAILURE;
1920 }
1921
1922 static PRStatus PR_CALLBACK
1923 ssl_FileInfo64(PRFileDesc *fd, PRFileInfo64 *info)
1924 {
1925 PORT_Assert(0);
1926 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
1927 return PR_FAILURE;
1928 }
1929
1930 static PRInt32 PR_CALLBACK
1931 ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags,
1932 PRNetAddr *addr, PRIntervalTime timeout)
1933 {
1934 PORT_Assert(0);
1935 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
1936 return SECFailure;
1937 }
1938
1939 static PRInt32 PR_CALLBACK
1940 ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags,
1941 const PRNetAddr *addr, PRIntervalTime timeout)
1942 {
1943 PORT_Assert(0);
1944 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
1945 return SECFailure;
1946 }
1947
1948 static const PRIOMethods ssl_methods = {
1949 PR_DESC_LAYERED,
1950 ssl_Close, /* close */
1951 ssl_Read, /* read */
1952 ssl_Write, /* write */
1953 ssl_Available, /* available */
1954 ssl_Available64, /* available64 */
1955 ssl_FSync, /* fsync */
1956 ssl_Seek, /* seek */
1957 ssl_Seek64, /* seek64 */
1958 ssl_FileInfo, /* fileInfo */
1959 ssl_FileInfo64, /* fileInfo64 */
1960 ssl_WriteV, /* writev */
1961 ssl_Connect, /* connect */
1962 ssl_Accept, /* accept */
1963 ssl_Bind, /* bind */
1964 ssl_Listen, /* listen */
1965 ssl_Shutdown, /* shutdown */
1966 ssl_Recv, /* recv */
1967 ssl_Send, /* send */
1968 ssl_RecvFrom, /* recvfrom */
1969 ssl_SendTo, /* sendto */
1970 ssl_Poll, /* poll */
1971 PR_EmulateAcceptRead, /* acceptread */
1972 ssl_TransmitFile, /* transmitfile */
1973 ssl_GetSockName, /* getsockname */
1974 ssl_GetPeerName, /* getpeername */
1975 NULL, /* getsockopt OBSOLETE */
1976 NULL, /* setsockopt OBSOLETE */
1977 NULL, /* getsocketoption */
1978 NULL, /* setsocketoption */
1979 PR_EmulateSendFile, /* Send a (partial) file with header/trailer*/
1980 NULL, /* reserved for future use */
1981 NULL, /* reserved for future use */
1982 NULL, /* reserved for future use */
1983 NULL, /* reserved for future use */
1984 NULL /* reserved for future use */
1985 };
1986
1987
1988 static PRIOMethods combined_methods;
1989
1990 static void
1991 ssl_SetupIOMethods(void)
1992 {
1993 PRIOMethods *new_methods = &combined_methods;
1994 const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods();
1995 const PRIOMethods *my_methods = &ssl_methods;
1996
1997 *new_methods = *nspr_methods;
1998
1999 new_methods->file_type = my_methods->file_type;
2000 new_methods->close = my_methods->close;
2001 new_methods->read = my_methods->read;
2002 new_methods->write = my_methods->write;
2003 new_methods->available = my_methods->available;
2004 new_methods->available64 = my_methods->available64;
2005 new_methods->fsync = my_methods->fsync;
2006 new_methods->seek = my_methods->seek;
2007 new_methods->seek64 = my_methods->seek64;
2008 new_methods->fileInfo = my_methods->fileInfo;
2009 new_methods->fileInfo64 = my_methods->fileInfo64;
2010 new_methods->writev = my_methods->writev;
2011 new_methods->connect = my_methods->connect;
2012 new_methods->accept = my_methods->accept;
2013 new_methods->bind = my_methods->bind;
2014 new_methods->listen = my_methods->listen;
2015 new_methods->shutdown = my_methods->shutdown;
2016 new_methods->recv = my_methods->recv;
2017 new_methods->send = my_methods->send;
2018 new_methods->recvfrom = my_methods->recvfrom;
2019 new_methods->sendto = my_methods->sendto;
2020 new_methods->poll = my_methods->poll;
2021 new_methods->acceptread = my_methods->acceptread;
2022 new_methods->transmitfile = my_methods->transmitfile;
2023 new_methods->getsockname = my_methods->getsockname;
2024 new_methods->getpeername = my_methods->getpeername;
2025 /* new_methods->getsocketoption = my_methods->getsocketoption; */
2026 /* new_methods->setsocketoption = my_methods->setsocketoption; */
2027 new_methods->sendfile = my_methods->sendfile;
2028
2029 }
2030
2031 static PRCallOnceType initIoLayerOnce;
2032
2033 static PRStatus
2034 ssl_InitIOLayer(void)
2035 {
2036 ssl_layer_id = PR_GetUniqueIdentity("SSL");
2037 ssl_SetupIOMethods();
2038 ssl_inited = PR_TRUE;
2039 return PR_SUCCESS;
2040 }
2041
2042 static PRStatus
2043 ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id)
2044 {
2045 PRFileDesc *layer = NULL;
2046 PRStatus status;
2047
2048 if (!ssl_inited) {
2049 PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
2050 }
2051
2052 if (ns == NULL)
2053 goto loser;
2054
2055 layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods);
2056 if (layer == NULL)
2057 goto loser;
2058 layer->secret = (PRFilePrivate *)ns;
2059
2060 /* Here, "stack" points to the PRFileDesc on the top of the stack.
2061 ** "layer" points to a new FD that is to be inserted into the stack.
2062 ** If layer is being pushed onto the top of the stack, then
2063 ** PR_PushIOLayer switches the contents of stack and layer, and then
2064 ** puts stack on top of layer, so that after it is done, the top of
2065 ** stack is the same "stack" as it was before, and layer is now the
2066 ** FD for the former top of stack.
2067 ** After this call, stack always points to the top PRFD on the stack.
2068 ** If this function fails, the contents of stack and layer are as
2069 ** they were before the call.
2070 */
2071 status = PR_PushIOLayer(stack, id, layer);
2072 if (status != PR_SUCCESS)
2073 goto loser;
2074
2075 ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer;
2076 return PR_SUCCESS;
2077
2078 loser:
2079 if (layer) {
2080 layer->dtor(layer); /* free layer */
2081 }
2082 return PR_FAILURE;
2083 }
2084
2085 /* if this fails, caller must destroy socket. */
2086 static SECStatus
2087 ssl_MakeLocks(sslSocket *ss)
2088 {
2089 ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL);
2090 if (!ss->firstHandshakeLock)
2091 goto loser;
2092 ss->ssl3HandshakeLock = PZ_NewMonitor(nssILockSSL);
2093 if (!ss->ssl3HandshakeLock)
2094 goto loser;
2095 ss->specLock = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL);
2096 if (!ss->specLock)
2097 goto loser;
2098 ss->recvBufLock = PZ_NewMonitor(nssILockSSL);
2099 if (!ss->recvBufLock)
2100 goto loser;
2101 ss->xmitBufLock = PZ_NewMonitor(nssILockSSL);
2102 if (!ss->xmitBufLock)
2103 goto loser;
2104 ss->writerThread = NULL;
2105 if (ssl_lock_readers) {
2106 ss->recvLock = PZ_NewLock(nssILockSSL);
2107 if (!ss->recvLock)
2108 goto loser;
2109 ss->sendLock = PZ_NewLock(nssILockSSL);
2110 if (!ss->sendLock)
2111 goto loser;
2112 }
2113 return SECSuccess;
2114 loser:
2115 ssl_DestroyLocks(ss);
2116 return SECFailure;
2117 }
2118
2119 #if (defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)) && !defined(_WIN 32_WCE)
2120 #define NSS_HAVE_GETENV 1
2121 #endif
2122
2123 #define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */
2124
2125 /*
2126 ** Create a newsocket structure for a file descriptor.
2127 */
2128 static sslSocket *
2129 ssl_NewSocket(PRBool makeLocks)
2130 {
2131 sslSocket *ss;
2132 #if defined( NSS_HAVE_GETENV )
2133 static int firsttime = 1;
2134
2135 if (firsttime) {
2136 char * ev;
2137 firsttime = 0;
2138 #ifdef DEBUG
2139 ev = getenv("SSLDEBUGFILE");
2140 if (ev && ev[0]) {
2141 ssl_trace_iob = fopen(ev, "w");
2142 }
2143 if (!ssl_trace_iob) {
2144 ssl_trace_iob = stderr;
2145 }
2146 #ifdef TRACE
2147 ev = getenv("SSLTRACE");
2148 if (ev && ev[0]) {
2149 ssl_trace = atoi(ev);
2150 SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
2151 }
2152 #endif /* TRACE */
2153 ev = getenv("SSLDEBUG");
2154 if (ev && ev[0]) {
2155 ssl_debug = atoi(ev);
2156 SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
2157 }
2158 #endif /* DEBUG */
2159 ev = getenv("SSLBYPASS");
2160 if (ev && ev[0]) {
2161 ssl_defaults.bypassPKCS11 = (ev[0] == '1');
2162 SSL_TRACE(("SSL: bypass default set to %d", \
2163 ssl_defaults.bypassPKCS11));
2164 }
2165 ev = getenv("SSLFORCELOCKS");
2166 if (ev && ev[0] == '1') {
2167 ssl_force_locks = PR_TRUE;
2168 ssl_defaults.noLocks = 0;
2169 strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. ");
2170 SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks));
2171 }
2172 ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION");
2173 if (ev) {
2174 if (ev[0] == '1' || LOWER(ev[0]) == 'u')
2175 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED;
2176 #ifdef LATER
2177 /* When SSL_RENEGOTIATE_REQUIRES_XTN is implemented, it will be
2178 * the default. Until then, NEVER will be the default.
2179 */
2180 else if (ev[0] == '0' || LOWER(ev[0]) == 'n')
2181 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER;
2182 else
2183 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN;
2184 #else
2185 else
2186 ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER;
2187 #endif
2188
2189 SSL_TRACE(("SSL: enableRenegotiation set to %d",
2190 ssl_defaults.enableRenegotiation));
2191 }
2192 ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION");
2193 if (ev && ev[0] == '1') {
2194 ssl_defaults.requireSafeNegotiation = PR_TRUE;
2195 SSL_TRACE(("SSL: requireSafeNegotiation set to %d",
2196 PR_TRUE));
2197 }
2198 }
2199 #endif /* NSS_HAVE_GETENV */
2200 if (ssl_force_locks)
2201 makeLocks = PR_TRUE;
2202
2203 /* Make a new socket and get it ready */
2204 ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket));
2205 if (ss) {
2206 /* This should be of type SSLKEAType, but CC on IRIX
2207 * complains during the for loop.
2208 */
2209 int i;
2210 SECStatus status;
2211
2212 ss->opt = ssl_defaults;
2213 ss->opt.useSocks = PR_FALSE;
2214 ss->opt.noLocks = !makeLocks;
2215
2216 ss->peerID = NULL;
2217 ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
2218 ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
2219 ss->cTimeout = PR_INTERVAL_NO_TIMEOUT;
2220 ss->cipherSpecs = NULL;
2221 ss->sizeCipherSpecs = 0; /* produced lazily */
2222 ss->preferredCipher = NULL;
2223 ss->url = NULL;
2224
2225 for (i=kt_null; i < kt_kea_size; i++) {
2226 sslServerCerts * sc = ss->serverCerts + i;
2227 sc->serverCert = NULL;
2228 sc->serverCertChain = NULL;
2229 sc->serverKeyPair = NULL;
2230 sc->serverKeyBits = 0;
2231 }
2232 ss->stepDownKeyPair = NULL;
2233 ss->dbHandle = CERT_GetDefaultCertDB();
2234
2235 /* Provide default implementation of hooks */
2236 ss->authCertificate = SSL_AuthCertificate;
2237 ss->authCertificateArg = (void *)ss->dbHandle;
2238 ss->getClientAuthData = NULL;
2239 ss->handleBadCert = NULL;
2240 ss->badCertArg = NULL;
2241 ss->pkcs11PinArg = NULL;
2242
2243 ssl_ChooseOps(ss);
2244 ssl2_InitSocketPolicy(ss);
2245 ssl3_InitSocketPolicy(ss);
2246
2247 if (makeLocks) {
2248 status = ssl_MakeLocks(ss);
2249 if (status != SECSuccess)
2250 goto loser;
2251 }
2252 status = ssl_CreateSecurityInfo(ss);
2253 if (status != SECSuccess)
2254 goto loser;
2255 status = ssl_InitGather(&ss->gs);
2256 if (status != SECSuccess) {
2257 loser:
2258 ssl_DestroySocketContents(ss);
2259 ssl_DestroyLocks(ss);
2260 PORT_Free(ss);
2261 ss = NULL;
2262 }
2263 }
2264 return ss;
2265 }
2266
OLDNEW
« no previous file with comments | « net/third_party/nss/ssl/sslsnce.c ('k') | net/third_party/nss/ssl/sslt.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698