OLD | NEW |
| (Empty) |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/socket/openssl_ssl_util.h" | |
6 | |
7 #include <errno.h> | |
8 | |
9 #include <openssl/err.h> | |
10 #include <openssl/ssl.h> | |
11 | |
12 #include "base/lazy_instance.h" | |
13 #include "base/location.h" | |
14 #include "base/logging.h" | |
15 #include "crypto/openssl_util.h" | |
16 #include "net/base/net_errors.h" | |
17 | |
18 namespace net { | |
19 | |
20 SslSetClearMask::SslSetClearMask() | |
21 : set_mask(0), | |
22 clear_mask(0) { | |
23 } | |
24 | |
25 void SslSetClearMask::ConfigureFlag(long flag, bool state) { | |
26 (state ? set_mask : clear_mask) |= flag; | |
27 // Make sure we haven't got any intersection in the set & clear options. | |
28 DCHECK_EQ(0, set_mask & clear_mask) << flag << ":" << state; | |
29 } | |
30 | |
31 namespace { | |
32 | |
33 class OpenSSLNetErrorLibSingleton { | |
34 public: | |
35 OpenSSLNetErrorLibSingleton() { | |
36 crypto::EnsureOpenSSLInit(); | |
37 | |
38 // Allocate a new error library value for inserting net errors into | |
39 // OpenSSL. This does not register any ERR_STRING_DATA for the errors, so | |
40 // stringifying error codes through OpenSSL will return NULL. | |
41 net_error_lib_ = ERR_get_next_error_library(); | |
42 } | |
43 | |
44 unsigned net_error_lib() const { return net_error_lib_; } | |
45 | |
46 private: | |
47 unsigned net_error_lib_; | |
48 }; | |
49 | |
50 base::LazyInstance<OpenSSLNetErrorLibSingleton>::Leaky g_openssl_net_error_lib = | |
51 LAZY_INSTANCE_INITIALIZER; | |
52 | |
53 unsigned OpenSSLNetErrorLib() { | |
54 return g_openssl_net_error_lib.Get().net_error_lib(); | |
55 } | |
56 | |
57 int MapOpenSSLErrorSSL(unsigned long error_code) { | |
58 DCHECK_EQ(ERR_LIB_SSL, ERR_GET_LIB(error_code)); | |
59 | |
60 DVLOG(1) << "OpenSSL SSL error, reason: " << ERR_GET_REASON(error_code) | |
61 << ", name: " << ERR_error_string(error_code, NULL); | |
62 switch (ERR_GET_REASON(error_code)) { | |
63 case SSL_R_READ_TIMEOUT_EXPIRED: | |
64 return ERR_TIMED_OUT; | |
65 case SSL_R_BAD_RESPONSE_ARGUMENT: | |
66 return ERR_INVALID_ARGUMENT; | |
67 case SSL_R_UNKNOWN_CERTIFICATE_TYPE: | |
68 case SSL_R_UNKNOWN_CIPHER_TYPE: | |
69 case SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE: | |
70 case SSL_R_UNKNOWN_PKEY_TYPE: | |
71 case SSL_R_UNKNOWN_REMOTE_ERROR_TYPE: | |
72 case SSL_R_UNKNOWN_SSL_VERSION: | |
73 return ERR_NOT_IMPLEMENTED; | |
74 case SSL_R_UNSUPPORTED_SSL_VERSION: | |
75 case SSL_R_NO_CIPHER_MATCH: | |
76 case SSL_R_NO_SHARED_CIPHER: | |
77 case SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY: | |
78 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION: | |
79 case SSL_R_UNSUPPORTED_PROTOCOL: | |
80 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH; | |
81 case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE: | |
82 case SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE: | |
83 case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED: | |
84 case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED: | |
85 case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN: | |
86 case SSL_R_TLSV1_ALERT_ACCESS_DENIED: | |
87 case SSL_R_TLSV1_ALERT_UNKNOWN_CA: | |
88 return ERR_BAD_SSL_CLIENT_AUTH_CERT; | |
89 case SSL_R_BAD_DECOMPRESSION: | |
90 case SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE: | |
91 return ERR_SSL_DECOMPRESSION_FAILURE_ALERT; | |
92 case SSL_R_SSLV3_ALERT_BAD_RECORD_MAC: | |
93 return ERR_SSL_BAD_RECORD_MAC_ALERT; | |
94 case SSL_R_TLSV1_ALERT_DECRYPT_ERROR: | |
95 return ERR_SSL_DECRYPT_ERROR_ALERT; | |
96 case SSL_R_TLSV1_UNRECOGNIZED_NAME: | |
97 return ERR_SSL_UNRECOGNIZED_NAME_ALERT; | |
98 case SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED: | |
99 return ERR_SSL_UNSAFE_NEGOTIATION; | |
100 case SSL_R_WRONG_NUMBER_OF_KEY_BITS: | |
101 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY; | |
102 // SSL_R_UNKNOWN_PROTOCOL is reported if premature application data is | |
103 // received (see http://crbug.com/42538), and also if all the protocol | |
104 // versions supported by the server were disabled in this socket instance. | |
105 // Mapped to ERR_SSL_PROTOCOL_ERROR for compatibility with other SSL sockets | |
106 // in the former scenario. | |
107 case SSL_R_UNKNOWN_PROTOCOL: | |
108 case SSL_R_SSL_HANDSHAKE_FAILURE: | |
109 case SSL_R_DECRYPTION_FAILED: | |
110 case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC: | |
111 case SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG: | |
112 case SSL_R_DIGEST_CHECK_FAILED: | |
113 case SSL_R_DUPLICATE_COMPRESSION_ID: | |
114 case SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER: | |
115 case SSL_R_ENCRYPTED_LENGTH_TOO_LONG: | |
116 case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST: | |
117 case SSL_R_EXCESSIVE_MESSAGE_SIZE: | |
118 case SSL_R_EXTRA_DATA_IN_MESSAGE: | |
119 case SSL_R_GOT_A_FIN_BEFORE_A_CCS: | |
120 case SSL_R_ILLEGAL_PADDING: | |
121 case SSL_R_INVALID_CHALLENGE_LENGTH: | |
122 case SSL_R_INVALID_COMMAND: | |
123 case SSL_R_INVALID_PURPOSE: | |
124 case SSL_R_INVALID_STATUS_RESPONSE: | |
125 case SSL_R_INVALID_TICKET_KEYS_LENGTH: | |
126 case SSL_R_KEY_ARG_TOO_LONG: | |
127 case SSL_R_READ_WRONG_PACKET_TYPE: | |
128 // SSL_do_handshake reports this error when the server responds to a | |
129 // ClientHello with a fatal close_notify alert. | |
130 case SSL_AD_REASON_OFFSET + SSL_AD_CLOSE_NOTIFY: | |
131 case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE: | |
132 // TODO(joth): SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the | |
133 // server after receiving ClientHello if there's no common supported cipher. | |
134 // Ideally we'd map that specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH | |
135 // to match the NSS implementation. See also http://goo.gl/oMtZW | |
136 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: | |
137 case SSL_R_SSLV3_ALERT_NO_CERTIFICATE: | |
138 case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER: | |
139 case SSL_R_TLSV1_ALERT_DECODE_ERROR: | |
140 case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED: | |
141 case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION: | |
142 case SSL_R_TLSV1_ALERT_INTERNAL_ERROR: | |
143 case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION: | |
144 case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW: | |
145 case SSL_R_TLSV1_ALERT_USER_CANCELLED: | |
146 return ERR_SSL_PROTOCOL_ERROR; | |
147 case SSL_R_CERTIFICATE_VERIFY_FAILED: | |
148 // The only way that the certificate verify callback can fail is if | |
149 // the leaf certificate changed during a renegotiation. | |
150 return ERR_SSL_SERVER_CERT_CHANGED; | |
151 default: | |
152 LOG(WARNING) << "Unmapped error reason: " << ERR_GET_REASON(error_code); | |
153 return ERR_FAILED; | |
154 } | |
155 } | |
156 | |
157 } // namespace | |
158 | |
159 void OpenSSLPutNetError(const tracked_objects::Location& location, int err) { | |
160 // Net error codes are negative. Encode them as positive numbers. | |
161 err = -err; | |
162 if (err < 0 || err > 0xfff) { | |
163 // OpenSSL reserves 12 bits for the reason code. | |
164 NOTREACHED(); | |
165 err = ERR_INVALID_ARGUMENT; | |
166 } | |
167 ERR_put_error(OpenSSLNetErrorLib(), 0, err, | |
168 location.file_name(), location.line_number()); | |
169 } | |
170 | |
171 int MapOpenSSLError(int err, const crypto::OpenSSLErrStackTracer& tracer) { | |
172 switch (err) { | |
173 case SSL_ERROR_WANT_READ: | |
174 case SSL_ERROR_WANT_WRITE: | |
175 return ERR_IO_PENDING; | |
176 case SSL_ERROR_SYSCALL: | |
177 LOG(ERROR) << "OpenSSL SYSCALL error, earliest error code in " | |
178 "error queue: " << ERR_peek_error() << ", errno: " | |
179 << errno; | |
180 return ERR_SSL_PROTOCOL_ERROR; | |
181 case SSL_ERROR_SSL: | |
182 // Walk down the error stack to find an SSL or net error. | |
183 unsigned long error_code; | |
184 do { | |
185 error_code = ERR_get_error(); | |
186 if (ERR_GET_LIB(error_code) == ERR_LIB_SSL) { | |
187 return MapOpenSSLErrorSSL(error_code); | |
188 } else if (ERR_GET_LIB(error_code) == OpenSSLNetErrorLib()) { | |
189 // Net error codes are negative but encoded in OpenSSL as positive | |
190 // numbers. | |
191 return -ERR_GET_REASON(error_code); | |
192 } | |
193 } while (error_code != 0); | |
194 return ERR_SSL_PROTOCOL_ERROR; | |
195 default: | |
196 // TODO(joth): Implement full mapping. | |
197 LOG(WARNING) << "Unknown OpenSSL error " << err; | |
198 return ERR_SSL_PROTOCOL_ERROR; | |
199 } | |
200 } | |
201 | |
202 } // namespace net | |
OLD | NEW |