This source file includes following definitions.
- CiphersRemove
- CiphersCompact
- CiphersCopy
- GetModelSocket
- EnsureNSSSSLInit
- GetNSSModelSocket
- MapErrorToNSS
- MapNSSError
- NetLogSSLFailedNSSFunctionCallback
- LogFailedNSSFunction
#include "net/socket/nss_ssl_util.h"
#include <nss.h>
#include <secerr.h>
#include <ssl.h>
#include <sslerr.h>
#include <sslproto.h>
#include <string>
#include "base/bind.h"
#include "base/cpu.h"
#include "base/lazy_instance.h"
#include "base/logging.h"
#include "base/memory/singleton.h"
#include "base/threading/thread_restrictions.h"
#include "base/values.h"
#include "build/build_config.h"
#include "crypto/nss_util.h"
#include "net/base/net_errors.h"
#include "net/base/net_log.h"
#include "net/base/nss_memio.h"
#if defined(OS_WIN)
#include "base/win/windows_version.h"
#endif
namespace {
bool CiphersRemove(const uint16* to_remove, uint16* ciphers, size_t num) {
size_t i, found = 0;
for (i = 0; ; i++) {
if (to_remove[i] == 0)
break;
for (size_t j = 0; j < num; j++) {
if (to_remove[i] == ciphers[j]) {
ciphers[j] = 0;
found++;
break;
}
}
}
return found == i;
}
void CiphersCompact(uint16* ciphers, size_t num) {
size_t j = num - 1;
for (size_t i = num - 1; i < num; i--) {
if (ciphers[i] == 0)
continue;
ciphers[j--] = ciphers[i];
}
}
size_t CiphersCopy(const uint16* in, uint16* out) {
for (size_t i = 0; ; i++) {
if (in[i] == 0)
return i;
out[i] = in[i];
}
}
}
namespace net {
class NSSSSLInitSingleton {
public:
NSSSSLInitSingleton() : model_fd_(NULL) {
crypto::EnsureNSSInit();
NSS_SetDomesticPolicy();
const PRUint16* const ssl_ciphers = SSL_GetImplementedCiphers();
const PRUint16 num_ciphers = SSL_GetNumImplementedCiphers();
bool disableECDSA = false;
#if defined(OS_WIN)
if (base::win::GetVersion() < base::win::VERSION_VISTA)
disableECDSA = true;
#endif
for (int i = 0; i < num_ciphers; i++) {
SSLCipherSuiteInfo info;
if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info,
sizeof(info)) == SECSuccess) {
bool enabled = info.effectiveKeyBits >= 80;
if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA)
enabled = false;
if (info.symCipher == ssl_calg_camellia ||
info.symCipher == ssl_calg_seed ||
(info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) ||
info.authAlgorithm == ssl_auth_dsa ||
info.macAlgorithm == ssl_hmac_sha256 ||
info.nonStandard ||
strcmp(info.keaTypeName, "ECDH") == 0) {
enabled = false;
}
if (ssl_ciphers[i] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) {
enabled = true;
}
SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled);
}
}
SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
static const uint16 chacha_ciphers[] = {
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
0,
};
static const uint16 aes_gcm_ciphers[] = {
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
0,
};
scoped_ptr<uint16[]> ciphers(new uint16[num_ciphers]);
memcpy(ciphers.get(), ssl_ciphers, sizeof(uint16)*num_ciphers);
if (CiphersRemove(chacha_ciphers, ciphers.get(), num_ciphers) &&
CiphersRemove(aes_gcm_ciphers, ciphers.get(), num_ciphers)) {
CiphersCompact(ciphers.get(), num_ciphers);
const uint16* preference_ciphers = chacha_ciphers;
const uint16* other_ciphers = aes_gcm_ciphers;
base::CPU cpu;
if (cpu.has_aesni() && cpu.has_avx()) {
preference_ciphers = aes_gcm_ciphers;
other_ciphers = chacha_ciphers;
}
unsigned i = CiphersCopy(preference_ciphers, ciphers.get());
CiphersCopy(other_ciphers, &ciphers[i]);
if ((model_fd_ = memio_CreateIOLayer(1, 1)) == NULL ||
SSL_ImportFD(NULL, model_fd_) == NULL ||
SECSuccess !=
SSL_CipherOrderSet(model_fd_, ciphers.get(), num_ciphers)) {
NOTREACHED();
if (model_fd_) {
PR_Close(model_fd_);
model_fd_ = NULL;
}
}
}
}
PRFileDesc* GetModelSocket() {
return model_fd_;
}
~NSSSSLInitSingleton() {
SSL_ClearSessionCache();
if (model_fd_)
PR_Close(model_fd_);
}
private:
PRFileDesc* model_fd_;
};
static base::LazyInstance<NSSSSLInitSingleton>::Leaky g_nss_ssl_init_singleton =
LAZY_INSTANCE_INITIALIZER;
void EnsureNSSSSLInit() {
base::ThreadRestrictions::ScopedAllowIO allow_io;
g_nss_ssl_init_singleton.Get();
}
PRFileDesc* GetNSSModelSocket() {
return g_nss_ssl_init_singleton.Get().GetModelSocket();
}
PRErrorCode MapErrorToNSS(int result) {
if (result >=0)
return result;
switch (result) {
case ERR_IO_PENDING:
return PR_WOULD_BLOCK_ERROR;
case ERR_ACCESS_DENIED:
case ERR_NETWORK_ACCESS_DENIED:
return PR_NO_ACCESS_RIGHTS_ERROR;
case ERR_NOT_IMPLEMENTED:
return PR_NOT_IMPLEMENTED_ERROR;
case ERR_SOCKET_NOT_CONNECTED:
return PR_NOT_CONNECTED_ERROR;
case ERR_INTERNET_DISCONNECTED:
return PR_NETWORK_UNREACHABLE_ERROR;
case ERR_CONNECTION_TIMED_OUT:
case ERR_TIMED_OUT:
return PR_IO_TIMEOUT_ERROR;
case ERR_CONNECTION_RESET:
return PR_CONNECT_RESET_ERROR;
case ERR_CONNECTION_ABORTED:
return PR_CONNECT_ABORTED_ERROR;
case ERR_CONNECTION_REFUSED:
return PR_CONNECT_REFUSED_ERROR;
case ERR_ADDRESS_UNREACHABLE:
return PR_HOST_UNREACHABLE_ERROR;
case ERR_ADDRESS_INVALID:
return PR_ADDRESS_NOT_AVAILABLE_ERROR;
case ERR_NAME_NOT_RESOLVED:
return PR_DIRECTORY_LOOKUP_ERROR;
default:
LOG(WARNING) << "MapErrorToNSS " << result
<< " mapped to PR_UNKNOWN_ERROR";
return PR_UNKNOWN_ERROR;
}
}
int MapNSSError(PRErrorCode err) {
switch (err) {
case PR_WOULD_BLOCK_ERROR:
return ERR_IO_PENDING;
case PR_ADDRESS_NOT_SUPPORTED_ERROR:
case PR_NO_ACCESS_RIGHTS_ERROR:
return ERR_ACCESS_DENIED;
case PR_IO_TIMEOUT_ERROR:
return ERR_TIMED_OUT;
case PR_CONNECT_RESET_ERROR:
return ERR_CONNECTION_RESET;
case PR_CONNECT_ABORTED_ERROR:
return ERR_CONNECTION_ABORTED;
case PR_CONNECT_REFUSED_ERROR:
return ERR_CONNECTION_REFUSED;
case PR_NOT_CONNECTED_ERROR:
return ERR_SOCKET_NOT_CONNECTED;
case PR_HOST_UNREACHABLE_ERROR:
case PR_NETWORK_UNREACHABLE_ERROR:
return ERR_ADDRESS_UNREACHABLE;
case PR_ADDRESS_NOT_AVAILABLE_ERROR:
return ERR_ADDRESS_INVALID;
case PR_INVALID_ARGUMENT_ERROR:
return ERR_INVALID_ARGUMENT;
case PR_END_OF_FILE_ERROR:
return ERR_CONNECTION_CLOSED;
case PR_NOT_IMPLEMENTED_ERROR:
return ERR_NOT_IMPLEMENTED;
case SEC_ERROR_LIBRARY_FAILURE:
return ERR_UNEXPECTED;
case SEC_ERROR_INVALID_ARGS:
return ERR_INVALID_ARGUMENT;
case SEC_ERROR_NO_MEMORY:
return ERR_OUT_OF_MEMORY;
case SEC_ERROR_NO_KEY:
return ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY;
case SEC_ERROR_INVALID_KEY:
case SSL_ERROR_SIGN_HASHES_FAILURE:
LOG(ERROR) << "ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: NSS error " << err
<< ", OS error " << PR_GetOSError();
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
case SEC_ERROR_BAD_SIGNATURE:
return ERR_SSL_PROTOCOL_ERROR;
case SSL_ERROR_SSL_DISABLED:
return ERR_NO_SSL_VERSIONS_ENABLED;
case SSL_ERROR_NO_CYPHER_OVERLAP:
case SSL_ERROR_PROTOCOL_VERSION_ALERT:
case SSL_ERROR_UNSUPPORTED_VERSION:
return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
return ERR_SSL_PROTOCOL_ERROR;
case SSL_ERROR_DECOMPRESSION_FAILURE_ALERT:
return ERR_SSL_DECOMPRESSION_FAILURE_ALERT;
case SSL_ERROR_BAD_MAC_ALERT:
return ERR_SSL_BAD_RECORD_MAC_ALERT;
case SSL_ERROR_DECRYPT_ERROR_ALERT:
return ERR_SSL_DECRYPT_ERROR_ALERT;
case SSL_ERROR_UNRECOGNIZED_NAME_ALERT:
return ERR_SSL_UNRECOGNIZED_NAME_ALERT;
case SSL_ERROR_UNSAFE_NEGOTIATION:
return ERR_SSL_UNSAFE_NEGOTIATION;
case SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY:
return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY;
case SSL_ERROR_HANDSHAKE_NOT_COMPLETED:
return ERR_SSL_HANDSHAKE_NOT_COMPLETED;
case SEC_ERROR_BAD_KEY:
case SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE:
case SEC_ERROR_UNSUPPORTED_KEYALG:
case SEC_ERROR_BAD_DER:
case SEC_ERROR_EXTRA_INPUT:
return ERR_SSL_BAD_PEER_PUBLIC_KEY;
case SSL_ERROR_WRONG_CERTIFICATE:
return ERR_SSL_SERVER_CERT_CHANGED;
case SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT:
return ERR_SSL_INAPPROPRIATE_FALLBACK;
default: {
const char* err_name = PR_ErrorToName(err);
if (err_name == NULL)
err_name = "";
if (IS_SSL_ERROR(err)) {
LOG(WARNING) << "Unknown SSL error " << err << " (" << err_name << ")"
<< " mapped to net::ERR_SSL_PROTOCOL_ERROR";
return ERR_SSL_PROTOCOL_ERROR;
}
LOG(WARNING) << "Unknown error " << err << " (" << err_name << ")"
<< " mapped to net::ERR_FAILED";
return ERR_FAILED;
}
}
}
base::Value* NetLogSSLFailedNSSFunctionCallback(
const char* function,
const char* param,
int ssl_lib_error,
NetLog::LogLevel ) {
base::DictionaryValue* dict = new base::DictionaryValue();
dict->SetString("function", function);
if (param[0] != '\0')
dict->SetString("param", param);
dict->SetInteger("ssl_lib_error", ssl_lib_error);
return dict;
}
void LogFailedNSSFunction(const BoundNetLog& net_log,
const char* function,
const char* param) {
DCHECK(function);
DCHECK(param);
net_log.AddEvent(
NetLog::TYPE_SSL_NSS_ERROR,
base::Bind(&NetLogSSLFailedNSSFunctionCallback,
function, param, PR_GetError()));
}
}