Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(185)

Side by Side Diff: net/socket/ssl_client_socket_nss.cc

Issue 1131763002: Reject renegotiations in SSLClientSocket by default. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: NSS greediness... Created 5 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/http/http_stream_factory_impl_job.cc ('k') | net/socket/ssl_client_socket_openssl.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived 5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in 6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp. 7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8 8
9 /* ***** BEGIN LICENSE BLOCK ***** 9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
(...skipping 552 matching lines...) Expand 10 before | Expand all | Expand 10 after
563 CERTDistNames* ca_names, 563 CERTDistNames* ca_names,
564 CERTCertificate** result_certificate, 564 CERTCertificate** result_certificate,
565 SECKEYPrivateKey** result_private_key); 565 SECKEYPrivateKey** result_private_key);
566 566
567 // Called by NSS to determine if we can False Start. 567 // Called by NSS to determine if we can False Start.
568 // |arg| contains a pointer to the current SSLClientSocketNSS::Core. 568 // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
569 static SECStatus CanFalseStartCallback(PRFileDesc* socket, 569 static SECStatus CanFalseStartCallback(PRFileDesc* socket,
570 void* arg, 570 void* arg,
571 PRBool* can_false_start); 571 PRBool* can_false_start);
572 572
573 // Called by NSS once the handshake has completed. 573 // Called by NSS each time a handshake completely finishes.
574 // |arg| contains a pointer to the current SSLClientSocketNSS::Core. 574 // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
575 static void HandshakeCallback(PRFileDesc* socket, void* arg); 575 static void HandshakeCallback(PRFileDesc* socket, void* arg);
576 576
577 // Called once the handshake has succeeded. 577 // Called once for each successful handshake. If the initial handshake false
578 void HandshakeSucceeded(); 578 // starts, it is called when it false starts and not when it completely
579 // finishes. is_initial is true if this is the initial handshake.
580 void HandshakeSucceeded(bool is_initial);
579 581
580 // Handles an NSS error generated while handshaking or performing IO. 582 // Handles an NSS error generated while handshaking or performing IO.
581 // Returns a network error code mapped from the original NSS error. 583 // Returns a network error code mapped from the original NSS error.
582 int HandleNSSError(PRErrorCode error); 584 int HandleNSSError(PRErrorCode error);
583 585
584 int DoHandshakeLoop(int last_io_result); 586 int DoHandshakeLoop(int last_io_result);
585 int DoReadLoop(int result); 587 int DoReadLoop(int result);
586 int DoWriteLoop(int result); 588 int DoWriteLoop(int result);
587 589
588 int DoHandshake(); 590 int DoHandshake();
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after
630 void UpdateConnectionStatus(); 632 void UpdateConnectionStatus();
631 // Record histograms for channel id support during full handshakes - resumed 633 // Record histograms for channel id support during full handshakes - resumed
632 // handshakes are ignored. 634 // handshakes are ignored.
633 void RecordChannelIDSupportOnNSSTaskRunner(); 635 void RecordChannelIDSupportOnNSSTaskRunner();
634 // UpdateNextProto gets any application-layer protocol that may have been 636 // UpdateNextProto gets any application-layer protocol that may have been
635 // negotiated by the TLS connection. 637 // negotiated by the TLS connection.
636 void UpdateNextProto(); 638 void UpdateNextProto();
637 // Record TLS extension used for protocol negotiation (NPN or ALPN). 639 // Record TLS extension used for protocol negotiation (NPN or ALPN).
638 void UpdateExtensionUsed(); 640 void UpdateExtensionUsed();
639 641
642 // Returns true if renegotiations are allowed.
643 bool IsRenegotiationAllowed() const;
644
640 //////////////////////////////////////////////////////////////////////////// 645 ////////////////////////////////////////////////////////////////////////////
641 // Methods that are ONLY called on the network task runner: 646 // Methods that are ONLY called on the network task runner:
642 //////////////////////////////////////////////////////////////////////////// 647 ////////////////////////////////////////////////////////////////////////////
643 int DoBufferRecv(IOBuffer* buffer, int len); 648 int DoBufferRecv(IOBuffer* buffer, int len);
644 int DoBufferSend(IOBuffer* buffer, int len); 649 int DoBufferSend(IOBuffer* buffer, int len);
645 int DoGetChannelID(const std::string& host); 650 int DoGetChannelID(const std::string& host);
646 651
647 void OnGetChannelIDComplete(int result); 652 void OnGetChannelIDComplete(int result);
648 void OnHandshakeStateUpdated(const HandshakeState& state); 653 void OnHandshakeStateUpdated(const HandshakeState& state);
649 void OnNSSBufferUpdated(int amount_in_read_buffer); 654 void OnNSSBufferUpdated(int amount_in_read_buffer);
(...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after
734 std::vector<std::string> predicted_certs_; 739 std::vector<std::string> predicted_certs_;
735 740
736 State next_handshake_state_; 741 State next_handshake_state_;
737 742
738 // True if channel ID extension was negotiated. 743 // True if channel ID extension was negotiated.
739 bool channel_id_xtn_negotiated_; 744 bool channel_id_xtn_negotiated_;
740 // True if the handshake state machine was interrupted for channel ID. 745 // True if the handshake state machine was interrupted for channel ID.
741 bool channel_id_needed_; 746 bool channel_id_needed_;
742 // True if the handshake state machine was interrupted for client auth. 747 // True if the handshake state machine was interrupted for client auth.
743 bool client_auth_cert_needed_; 748 bool client_auth_cert_needed_;
744 // True if NSS has False Started. 749 // True if NSS has False Started in the initial handshake, but the initial
750 // handshake has not yet completely finished..
745 bool false_started_; 751 bool false_started_;
746 // True if NSS has called HandshakeCallback. 752 // True if NSS has called HandshakeCallback.
747 bool handshake_callback_called_; 753 bool handshake_callback_called_;
748 754
749 HandshakeState nss_handshake_state_; 755 HandshakeState nss_handshake_state_;
750 756
751 bool transport_recv_busy_; 757 bool transport_recv_busy_;
752 bool transport_recv_eof_; 758 bool transport_recv_eof_;
753 bool transport_send_busy_; 759 bool transport_send_busy_;
754 760
(...skipping 518 matching lines...) Expand 10 before | Expand all | Expand 10 after
1273 return SSL_RecommendedCanFalseStart(socket, can_false_start); 1279 return SSL_RecommendedCanFalseStart(socket, can_false_start);
1274 } 1280 }
1275 1281
1276 // static 1282 // static
1277 void SSLClientSocketNSS::Core::HandshakeCallback( 1283 void SSLClientSocketNSS::Core::HandshakeCallback(
1278 PRFileDesc* socket, 1284 PRFileDesc* socket,
1279 void* arg) { 1285 void* arg) {
1280 Core* core = reinterpret_cast<Core*>(arg); 1286 Core* core = reinterpret_cast<Core*>(arg);
1281 DCHECK(core->OnNSSTaskRunner()); 1287 DCHECK(core->OnNSSTaskRunner());
1282 1288
1289 bool is_initial = !core->handshake_callback_called_;
1283 core->handshake_callback_called_ = true; 1290 core->handshake_callback_called_ = true;
1284 if (core->false_started_) { 1291 if (core->false_started_) {
1285 core->false_started_ = false; 1292 core->false_started_ = false;
1286 // If the connection was False Started, then at the time of this callback, 1293 // If the connection was False Started, then at the time of this callback,
1287 // the peer's certificate will have been verified or the caller will have 1294 // the peer's certificate will have been verified or the caller will have
1288 // accepted the error. 1295 // accepted the error.
1289 // This is guaranteed when using False Start because this callback will 1296 // This is guaranteed when using False Start because this callback will
1290 // not be invoked until processing the peer's Finished message, which 1297 // not be invoked until processing the peer's Finished message, which
1291 // will only happen in a PR_Read/PR_Write call, which can only happen 1298 // will only happen in a PR_Read/PR_Write call, which can only happen
1292 // after the peer's certificate is verified. 1299 // after the peer's certificate is verified.
1293 SSL_CacheSessionUnlocked(socket); 1300 SSL_CacheSessionUnlocked(socket);
1294 1301
1295 // Additionally, when False Starting, DoHandshake() will have already 1302 // Additionally, when False Starting, DoHandshake() will have already
1296 // called HandshakeSucceeded(), so return now. 1303 // called HandshakeSucceeded(), so return now.
1297 return; 1304 return;
1298 } 1305 }
1299 core->HandshakeSucceeded(); 1306 core->HandshakeSucceeded(is_initial);
1300 } 1307 }
1301 1308
1302 void SSLClientSocketNSS::Core::HandshakeSucceeded() { 1309 void SSLClientSocketNSS::Core::HandshakeSucceeded(bool is_initial) {
1303 DCHECK(OnNSSTaskRunner()); 1310 DCHECK(OnNSSTaskRunner());
1304 1311
1305 PRBool last_handshake_resumed; 1312 PRBool last_handshake_resumed;
1306 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed); 1313 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed);
1307 if (rv == SECSuccess && last_handshake_resumed) { 1314 if (rv == SECSuccess && last_handshake_resumed) {
1308 nss_handshake_state_.resumed_handshake = true; 1315 nss_handshake_state_.resumed_handshake = true;
1309 } else { 1316 } else {
1310 nss_handshake_state_.resumed_handshake = false; 1317 nss_handshake_state_.resumed_handshake = false;
1311 } 1318 }
1312 1319
1313 RecordChannelIDSupportOnNSSTaskRunner(); 1320 RecordChannelIDSupportOnNSSTaskRunner();
1314 UpdateServerCert(); 1321 UpdateServerCert();
1315 UpdateSignedCertTimestamps(); 1322 UpdateSignedCertTimestamps();
1316 UpdateStapledOCSPResponse(); 1323 UpdateStapledOCSPResponse();
1317 UpdateConnectionStatus(); 1324 UpdateConnectionStatus();
1318 UpdateNextProto(); 1325 UpdateNextProto();
1319 UpdateExtensionUsed(); 1326 UpdateExtensionUsed();
1320 1327
1328 if (is_initial && IsRenegotiationAllowed()) {
1329 // For compatibility, do not enforce RFC 5746 support. Per section 4.1,
1330 // enforcement falls largely on the server.
1331 //
1332 // This is done in a callback rather than after SSL_ForceHandshake returns
1333 // because SSL_ForceHandshake will otherwise greedly consume renegotiations
1334 // before returning if Finished and HelloRequest are in the same
1335 // record.
1336 //
1337 // Note that SSL_OptionSet should only be called for an initial
1338 // handshake. See https://crbug.com/125299.
1339 SECStatus rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
1340 SSL_RENEGOTIATE_TRANSITIONAL);
1341 DCHECK_EQ(SECSuccess, rv);
1342 }
1343
1321 // Update the network task runners view of the handshake state whenever 1344 // Update the network task runners view of the handshake state whenever
1322 // a handshake has completed. 1345 // a handshake has completed.
1323 PostOrRunCallback( 1346 PostOrRunCallback(
1324 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this, 1347 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
1325 nss_handshake_state_)); 1348 nss_handshake_state_));
1326 } 1349 }
1327 1350
1328 int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error) { 1351 int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error) {
1329 DCHECK(OnNSSTaskRunner()); 1352 DCHECK(OnNSSTaskRunner());
1330 1353
(...skipping 110 matching lines...) Expand 10 before | Expand all | Expand 10 after
1441 } else if (client_auth_cert_needed_) { 1464 } else if (client_auth_cert_needed_) {
1442 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; 1465 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
1443 PostOrRunCallback( 1466 PostOrRunCallback(
1444 FROM_HERE, 1467 FROM_HERE,
1445 base::Bind(&AddLogEventWithCallback, weak_net_log_, 1468 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1446 NetLog::TYPE_SSL_HANDSHAKE_ERROR, 1469 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
1447 CreateNetLogSSLErrorCallback(net_error, 0))); 1470 CreateNetLogSSLErrorCallback(net_error, 0)));
1448 } else if (rv == SECSuccess) { 1471 } else if (rv == SECSuccess) {
1449 if (!handshake_callback_called_) { 1472 if (!handshake_callback_called_) {
1450 false_started_ = true; 1473 false_started_ = true;
1451 HandshakeSucceeded(); 1474 HandshakeSucceeded(true);
1452 } 1475 }
1453 } else { 1476 } else {
1454 PRErrorCode prerr = PR_GetError(); 1477 PRErrorCode prerr = PR_GetError();
1455 net_error = HandleNSSError(prerr); 1478 net_error = HandleNSSError(prerr);
1456 1479
1457 // If not done, stay in this state 1480 // If not done, stay in this state
1458 if (net_error == ERR_IO_PENDING) { 1481 if (net_error == ERR_IO_PENDING) {
1459 GotoState(STATE_HANDSHAKE); 1482 GotoState(STATE_HANDSHAKE);
1460 } else { 1483 } else {
1461 PostOrRunCallback( 1484 PostOrRunCallback(
(...skipping 652 matching lines...) Expand 10 before | Expand all | Expand 10 after
2114 } else { 2137 } else {
2115 rv = SSL_HandshakeNegotiatedExtension(nss_fd_, 2138 rv = SSL_HandshakeNegotiatedExtension(nss_fd_,
2116 ssl_next_proto_nego_xtn, 2139 ssl_next_proto_nego_xtn,
2117 &negotiated_extension); 2140 &negotiated_extension);
2118 if (rv == SECSuccess && negotiated_extension) { 2141 if (rv == SECSuccess && negotiated_extension) {
2119 nss_handshake_state_.negotiation_extension_ = kExtensionNPN; 2142 nss_handshake_state_.negotiation_extension_ = kExtensionNPN;
2120 } 2143 }
2121 } 2144 }
2122 } 2145 }
2123 2146
2147 bool SSLClientSocketNSS::Core::IsRenegotiationAllowed() const {
2148 DCHECK(OnNSSTaskRunner());
2149
2150 if (nss_handshake_state_.next_proto_status == kNextProtoUnsupported)
2151 return ssl_config_.renego_allowed_default;
2152
2153 NextProto next_proto = NextProtoFromString(nss_handshake_state_.next_proto);
2154 for (NextProto allowed : ssl_config_.renego_allowed_for_protos) {
2155 if (next_proto == allowed)
2156 return true;
2157 }
2158 return false;
2159 }
2160
2124 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() { 2161 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() {
2125 DCHECK(OnNSSTaskRunner()); 2162 DCHECK(OnNSSTaskRunner());
2126 if (nss_handshake_state_.resumed_handshake) 2163 if (nss_handshake_state_.resumed_handshake)
2127 return; 2164 return;
2128 2165
2129 // Copy the NSS task runner-only state to the network task runner and 2166 // Copy the NSS task runner-only state to the network task runner and
2130 // log histograms from there, since the histograms also need access to the 2167 // log histograms from there, since the histograms also need access to the
2131 // network task runner state. 2168 // network task runner state.
2132 PostOrRunCallback( 2169 PostOrRunCallback(
2133 FROM_HERE, 2170 FROM_HERE,
(...skipping 651 matching lines...) Expand 10 before | Expand all | Expand 10 after
2785 if (rv != SECSuccess) { 2822 if (rv != SECSuccess) {
2786 LogFailedNSSFunction( 2823 LogFailedNSSFunction(
2787 net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS"); 2824 net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
2788 } 2825 }
2789 2826
2790 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, 2827 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START,
2791 ssl_config_.false_start_enabled); 2828 ssl_config_.false_start_enabled);
2792 if (rv != SECSuccess) 2829 if (rv != SECSuccess)
2793 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START"); 2830 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
2794 2831
2795 // We allow servers to request renegotiation. Since we're a client, 2832 // By default, renegotiations are rejected. After the initial handshake
2796 // prohibiting this is rather a waste of time. Only servers are in a 2833 // completes, some application protocols may re-enable it.
2797 // position to prevent renegotiation attacks. 2834 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_NEVER);
2798 // http://extendedsubset.com/?p=8
2799
2800 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
2801 SSL_RENEGOTIATE_TRANSITIONAL);
2802 if (rv != SECSuccess) { 2835 if (rv != SECSuccess) {
2803 LogFailedNSSFunction( 2836 LogFailedNSSFunction(
2804 net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION"); 2837 net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
2805 } 2838 }
2806 2839
2807 rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE); 2840 rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
2808 if (rv != SECSuccess) 2841 if (rv != SECSuccess)
2809 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV"); 2842 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
2810 2843
2811 // Added in NSS 3.15 2844 // Added in NSS 3.15
(...skipping 363 matching lines...) Expand 10 before | Expand all | Expand 10 after
3175 scoped_refptr<X509Certificate> 3208 scoped_refptr<X509Certificate>
3176 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const { 3209 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
3177 return core_->state().server_cert.get(); 3210 return core_->state().server_cert.get();
3178 } 3211 }
3179 3212
3180 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const { 3213 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
3181 return channel_id_service_; 3214 return channel_id_service_;
3182 } 3215 }
3183 3216
3184 } // namespace net 3217 } // namespace net
OLDNEW
« no previous file with comments | « net/http/http_stream_factory_impl_job.cc ('k') | net/socket/ssl_client_socket_openssl.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698