Chromium Code Reviews Chromium Code Reviews
Issue 5746003:
Defines SSLServerSocket and implements SSLServerSocketNSS (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/socket/nss_common.h" | |
| 6 | |
| 7 #include <hasht.h> | |
| 8 #include <keyhi.h> | |
| 9 #include <nspr.h> | |
| 10 #include <nss.h> | |
| 11 #include <pk11pub.h> | |
| 12 #include <secerr.h> | |
| 13 #include <sechash.h> | |
| 14 #include <ssl.h> | |
| 15 #include <sslerr.h> | |
| 16 #include <sslproto.h> | |
|
wtc
2010/12/17 00:16:26
Many of these headers don't need to be included no
Alpha Left Google
2010/12/17 08:30:43
Done.
| |
| 17 | |
| 18 #include "base/logging.h" | |
| 19 #include "base/nss_util.h" | |
| 20 #include "base/singleton.h" | |
| 21 #include "base/thread_restrictions.h" | |
| 22 #include "base/values.h" | |
| 23 #include "net/base/net_errors.h" | |
| 24 #include "net/base/net_log.h" | |
| 25 | |
| 26 namespace net { | |
| 27 | |
| 28 class NSSSSLInitSingleton { | |
| 29 public: | |
| 30 NSSSSLInitSingleton() { | |
| 31 base::EnsureNSSInit(); | |
| 32 | |
| 33 NSS_SetDomesticPolicy(); | |
| 34 | |
| 35 #if defined(USE_SYSTEM_SSL) | |
| 36 // Use late binding to avoid scary but benign warning | |
| 37 // "Symbol `SSL_ImplementedCiphers' has different size in shared object, | |
| 38 // consider re-linking" | |
| 39 // TODO(wtc): Use the new SSL_GetImplementedCiphers and | |
| 40 // SSL_GetNumImplementedCiphers functions when we require NSS 3.12.6. | |
| 41 // See https://bugzilla.mozilla.org/show_bug.cgi?id=496993. | |
| 42 const PRUint16* pSSL_ImplementedCiphers = static_cast<const PRUint16*>( | |
| 43 dlsym(RTLD_DEFAULT, "SSL_ImplementedCiphers")); | |
| 44 if (pSSL_ImplementedCiphers == NULL) { | |
| 45 NOTREACHED() << "Can't get list of supported ciphers"; | |
| 46 return; | |
| 47 } | |
| 48 #else | |
| 49 #define pSSL_ImplementedCiphers SSL_ImplementedCiphers | |
| 50 #endif | |
| 51 | |
| 52 // Explicitly enable exactly those ciphers with keys of at least 80 bits | |
| 53 for (int i = 0; i < SSL_NumImplementedCiphers; i++) { | |
| 54 SSLCipherSuiteInfo info; | |
| 55 if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info, | |
| 56 sizeof(info)) == SECSuccess) { | |
| 57 SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i], | |
| 58 (info.effectiveKeyBits >= 80)); | |
| 59 } | |
| 60 } | |
| 61 | |
| 62 // Enable SSL. | |
| 63 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); | |
| 64 | |
| 65 // All other SSL options are set per-session by SSLClientSocket. | |
|
wtc
2010/12/17 00:16:26
"SSLClientSocket" needs to be updated.
Alpha Left Google
2010/12/17 08:30:43
Done.
| |
| 66 } | |
| 67 | |
| 68 ~NSSSSLInitSingleton() { | |
| 69 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY. | |
| 70 SSL_ClearSessionCache(); | |
| 71 } | |
| 72 }; | |
| 73 | |
| 74 // Initialize the NSS SSL library if it isn't already initialized. This must | |
| 75 // be called before any other NSS SSL functions. This function is | |
| 76 // thread-safe, and the NSS SSL library will only ever be initialized once. | |
| 77 // The NSS SSL library will be properly shut down on program exit. | |
| 78 void EnsureNSSSSLInit() { | |
| 79 // Initializing SSL causes us to do blocking IO. | |
| 80 // Temporarily allow it until we fix | |
| 81 // http://code.google.com/p/chromium/issues/detail?id=59847 | |
| 82 base::ThreadRestrictions::ScopedAllowIO allow_io; | |
| 83 | |
| 84 Singleton<NSSSSLInitSingleton>::get(); | |
| 85 } | |
| 86 | |
| 87 | |
|
wtc
2010/12/17 00:16:26
Nit: remove blank lines here and on line 122 below
Alpha Left Google
2010/12/17 08:30:43
Done.
| |
| 88 // Extra parameters to attach to the NetLog when we receive an error in response | |
| 89 // to a call to an NSS function. Used instead of SSLErrorParams with | |
| 90 // events of type TYPE_SSL_NSS_ERROR. Automatically looks up last PR error. | |
| 91 class SSLFailedNSSFunctionParams : public NetLog::EventParameters { | |
| 92 public: | |
| 93 // |param| is ignored if it has a length of 0. | |
| 94 SSLFailedNSSFunctionParams(const std::string& function, | |
| 95 const std::string& param) | |
| 96 : function_(function), param_(param), ssl_lib_error_(PR_GetError()) { | |
| 97 } | |
| 98 | |
| 99 virtual Value* ToValue() const { | |
| 100 DictionaryValue* dict = new DictionaryValue(); | |
| 101 dict->SetString("function", function_); | |
| 102 if (!param_.empty()) | |
| 103 dict->SetString("param", param_); | |
| 104 dict->SetInteger("ssl_lib_error", ssl_lib_error_); | |
| 105 return dict; | |
| 106 } | |
| 107 | |
| 108 private: | |
| 109 const std::string function_; | |
| 110 const std::string param_; | |
| 111 const PRErrorCode ssl_lib_error_; | |
| 112 }; | |
| 113 | |
| 114 void LogFailedNSSFunction(const BoundNetLog& net_log, | |
| 115 const char* function, | |
| 116 const char* param) { | |
| 117 net_log.AddEvent( | |
| 118 NetLog::TYPE_SSL_NSS_ERROR, | |
| 119 make_scoped_refptr(new SSLFailedNSSFunctionParams(function, param))); | |
| 120 } | |
| 121 | |
| 122 | |
| 123 // Map a Chromium net error code to an NSS error code. | |
| 124 // See _MD_unix_map_default_error in the NSS source | |
| 125 // tree for inspiration. | |
| 126 PRErrorCode MapErrorToNSS(int result) { | |
| 127 if (result >=0) | |
| 128 return result; | |
| 129 | |
| 130 switch (result) { | |
| 131 case ERR_IO_PENDING: | |
| 132 return PR_WOULD_BLOCK_ERROR; | |
| 133 case ERR_ACCESS_DENIED: | |
| 134 case ERR_NETWORK_ACCESS_DENIED: | |
| 135 // For connect, this could be mapped to PR_ADDRESS_NOT_SUPPORTED_ERROR. | |
| 136 return PR_NO_ACCESS_RIGHTS_ERROR; | |
| 137 case ERR_NOT_IMPLEMENTED: | |
| 138 return PR_NOT_IMPLEMENTED_ERROR; | |
| 139 case ERR_INTERNET_DISCONNECTED: // Equivalent to ENETDOWN. | |
| 140 return PR_NETWORK_UNREACHABLE_ERROR; // Best approximation. | |
| 141 case ERR_CONNECTION_TIMED_OUT: | |
| 142 case ERR_TIMED_OUT: | |
| 143 return PR_IO_TIMEOUT_ERROR; | |
| 144 case ERR_CONNECTION_RESET: | |
| 145 return PR_CONNECT_RESET_ERROR; | |
| 146 case ERR_CONNECTION_ABORTED: | |
| 147 return PR_CONNECT_ABORTED_ERROR; | |
| 148 case ERR_CONNECTION_REFUSED: | |
| 149 return PR_CONNECT_REFUSED_ERROR; | |
| 150 case ERR_ADDRESS_UNREACHABLE: | |
| 151 return PR_HOST_UNREACHABLE_ERROR; // Also PR_NETWORK_UNREACHABLE_ERROR. | |
| 152 case ERR_ADDRESS_INVALID: | |
| 153 return PR_ADDRESS_NOT_AVAILABLE_ERROR; | |
| 154 case ERR_NAME_NOT_RESOLVED: | |
| 155 return PR_DIRECTORY_LOOKUP_ERROR; | |
| 156 default: | |
| 157 LOG(WARNING) << "MapErrorToNSS " << result | |
| 158 << " mapped to PR_UNKNOWN_ERROR"; | |
| 159 return PR_UNKNOWN_ERROR; | |
| 160 } | |
| 161 } | |
| 162 | |
| 163 // The default error mapping function. | |
| 164 // Maps an NSPR error code to a network error code. | |
| 165 int MapNSPRError(PRErrorCode err) { | |
| 166 // TODO(port): fill this out as we learn what's important | |
| 167 switch (err) { | |
| 168 case PR_WOULD_BLOCK_ERROR: | |
| 169 return ERR_IO_PENDING; | |
| 170 case PR_ADDRESS_NOT_SUPPORTED_ERROR: // For connect. | |
| 171 case PR_NO_ACCESS_RIGHTS_ERROR: | |
| 172 return ERR_ACCESS_DENIED; | |
| 173 case PR_IO_TIMEOUT_ERROR: | |
| 174 return ERR_TIMED_OUT; | |
| 175 case PR_CONNECT_RESET_ERROR: | |
| 176 return ERR_CONNECTION_RESET; | |
| 177 case PR_CONNECT_ABORTED_ERROR: | |
| 178 return ERR_CONNECTION_ABORTED; | |
| 179 case PR_CONNECT_REFUSED_ERROR: | |
| 180 return ERR_CONNECTION_REFUSED; | |
| 181 case PR_HOST_UNREACHABLE_ERROR: | |
| 182 case PR_NETWORK_UNREACHABLE_ERROR: | |
| 183 return ERR_ADDRESS_UNREACHABLE; | |
| 184 case PR_ADDRESS_NOT_AVAILABLE_ERROR: | |
| 185 return ERR_ADDRESS_INVALID; | |
| 186 case PR_INVALID_ARGUMENT_ERROR: | |
| 187 return ERR_INVALID_ARGUMENT; | |
| 188 case PR_END_OF_FILE_ERROR: | |
| 189 return ERR_CONNECTION_CLOSED; | |
| 190 case PR_NOT_IMPLEMENTED_ERROR: | |
| 191 return ERR_NOT_IMPLEMENTED; | |
| 192 | |
| 193 case SEC_ERROR_INVALID_ARGS: | |
| 194 return ERR_INVALID_ARGUMENT; | |
| 195 | |
| 196 case SSL_ERROR_SSL_DISABLED: | |
| 197 return ERR_NO_SSL_VERSIONS_ENABLED; | |
| 198 case SSL_ERROR_NO_CYPHER_OVERLAP: | |
| 199 case SSL_ERROR_UNSUPPORTED_VERSION: | |
| 200 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH; | |
| 201 case SSL_ERROR_HANDSHAKE_FAILURE_ALERT: | |
| 202 case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT: | |
| 203 case SSL_ERROR_ILLEGAL_PARAMETER_ALERT: | |
| 204 return ERR_SSL_PROTOCOL_ERROR; | |
| 205 case SSL_ERROR_DECOMPRESSION_FAILURE_ALERT: | |
| 206 return ERR_SSL_DECOMPRESSION_FAILURE_ALERT; | |
| 207 case SSL_ERROR_BAD_MAC_ALERT: | |
| 208 return ERR_SSL_BAD_RECORD_MAC_ALERT; | |
| 209 case SSL_ERROR_UNSAFE_NEGOTIATION: | |
| 210 return ERR_SSL_UNSAFE_NEGOTIATION; | |
| 211 case SSL_ERROR_WEAK_SERVER_KEY: | |
| 212 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY; | |
| 213 | |
| 214 default: { | |
| 215 if (IS_SSL_ERROR(err)) { | |
| 216 LOG(WARNING) << "Unknown SSL error " << err << | |
| 217 " mapped to net::ERR_SSL_PROTOCOL_ERROR"; | |
| 218 return ERR_SSL_PROTOCOL_ERROR; | |
| 219 } | |
| 220 LOG(WARNING) << "Unknown error " << err << | |
| 221 " mapped to net::ERR_FAILED"; | |
| 222 return ERR_FAILED; | |
| 223 } | |
| 224 } | |
| 225 } | |
| 226 | |
| 227 // Context-sensitive error mapping functions. | |
| 228 | |
| 229 int MapHandshakeError(PRErrorCode err) { | |
| 230 switch (err) { | |
| 231 // If the server closed on us, it is a protocol error. | |
| 232 // Some TLS-intolerant servers do this when we request TLS. | |
| 233 case PR_END_OF_FILE_ERROR: | |
| 234 // The handshake may fail because some signature (for example, the | |
| 235 // signature in the ServerKeyExchange message for an ephemeral | |
| 236 // Diffie-Hellman cipher suite) is invalid. | |
| 237 case SEC_ERROR_BAD_SIGNATURE: | |
| 238 return ERR_SSL_PROTOCOL_ERROR; | |
| 239 default: | |
| 240 return MapNSPRError(err); | |
| 241 } | |
| 242 } | |
| 243 | |
| 244 } // namespace net | |
| OLD | NEW |
