1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8
9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
11 *
12 * The contents of this file are subject to the Mozilla Public License Version
13 * 1.1 (the "License"); you may not use this file except in compliance with
14 * the License. You may obtain a copy of the License at
15 * http://www.mozilla.org/MPL/
16 *
17 * Software distributed under the License is distributed on an "AS IS" basis,
18 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
19 * for the specific language governing rights and limitations under the
20 * License.
21 *
22 * The Original Code is the Netscape security libraries.
23 *
24 * The Initial Developer of the Original Code is
25 * Netscape Communications Corporation.
26 * Portions created by the Initial Developer are Copyright (C) 2000
27 * the Initial Developer. All Rights Reserved.
28 *
29 * Contributor(s):
30 * Ian McGreer <mcgreer@netscape.com>
31 * Javier Delgadillo <javi@netscape.com>
32 * Kai Engert <kengert@redhat.com>
33 *
34 * Alternatively, the contents of this file may be used under the terms of
35 * either the GNU General Public License Version 2 or later (the "GPL"), or
36 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
37 * in which case the provisions of the GPL or the LGPL are applicable instead
38 * of those above. If you wish to allow use of your version of this file only
39 * under the terms of either the GPL or the LGPL, and not to allow others to
40 * use your version of this file under the terms of the MPL, indicate your
41 * decision by deleting the provisions above and replace them with the notice
42 * and other provisions required by the GPL or the LGPL. If you do not delete
43 * the provisions above, a recipient may use your version of this file under
44 * the terms of any one of the MPL, the GPL or the LGPL.
45 *
46 * ***** END LICENSE BLOCK ***** */
47
48 #include "net/socket/ssl_client_socket_nss.h"
49
50 #include <certdb.h>
51 #include <hasht.h>
52 #include <keyhi.h>
53 #include <nspr.h>
54 #include <nss.h>
55 #include <ocsp.h>
56 #include <pk11pub.h>
57 #include <secerr.h>
58 #include <sechash.h>
59 #include <ssl.h>
60 #include <sslerr.h>
61 #include <sslproto.h>
62
63 #include <algorithm>
64 #include <limits>
65 #include <map>
66
67 #include "base/bind.h"
68 #include "base/bind_helpers.h"
69 #include "base/callback_helpers.h"
70 #include "base/compiler_specific.h"
71 #include "base/logging.h"
72 #include "base/memory/singleton.h"
73 #include "base/metrics/histogram.h"
74 #include "base/single_thread_task_runner.h"
75 #include "base/stl_util.h"
76 #include "base/strings/string_number_conversions.h"
77 #include "base/strings/string_util.h"
78 #include "base/strings/stringprintf.h"
79 #include "base/thread_task_runner_handle.h"
80 #include "base/threading/thread_restrictions.h"
81 #include "base/values.h"
82 #include "crypto/ec_private_key.h"
83 #include "crypto/nss_util.h"
84 #include "crypto/nss_util_internal.h"
85 #include "crypto/rsa_private_key.h"
86 #include "crypto/scoped_nss_types.h"
87 #include "net/base/address_list.h"
88 #include "net/base/connection_type_histograms.h"
89 #include "net/base/dns_util.h"
90 #include "net/base/io_buffer.h"
91 #include "net/base/net_errors.h"
92 #include "net/base/net_log.h"
93 #include "net/cert/asn1_util.h"
94 #include "net/cert/cert_status_flags.h"
95 #include "net/cert/cert_verifier.h"
96 #include "net/cert/ct_objects_extractor.h"
97 #include "net/cert/ct_verifier.h"
98 #include "net/cert/ct_verify_result.h"
99 #include "net/cert/scoped_nss_types.h"
100 #include "net/cert/sct_status_flags.h"
101 #include "net/cert/single_request_cert_verifier.h"
102 #include "net/cert/x509_certificate_net_log_param.h"
103 #include "net/cert/x509_util.h"
104 #include "net/http/transport_security_state.h"
105 #include "net/ocsp/nss_ocsp.h"
106 #include "net/socket/client_socket_handle.h"
107 #include "net/socket/nss_ssl_util.h"
108 #include "net/socket/ssl_error_params.h"
109 #include "net/ssl/ssl_cert_request_info.h"
110 #include "net/ssl/ssl_connection_status_flags.h"
111 #include "net/ssl/ssl_info.h"
112
113 #if defined(OS_WIN)
114 #include <windows.h>
115 #include <wincrypt.h>
116
117 #include "base/win/windows_version.h"
118 #elif defined(OS_MACOSX)
119 #include <Security/SecBase.h>
120 #include <Security/SecCertificate.h>
121 #include <Security/SecIdentity.h>
122
123 #include "base/mac/mac_logging.h"
124 #include "base/synchronization/lock.h"
125 #include "crypto/mac_security_services_lock.h"
126 #elif defined(USE_NSS)
127 #include <dlfcn.h>
128 #endif
129
130 namespace net {
131
132 // State machines are easier to debug if you log state transitions.
133 // Enable these if you want to see what's going on.
134 #if 1
135 #define EnterFunction(x)
136 #define LeaveFunction(x)
137 #define GotoState(s) next_handshake_state_ = s
138 #else
139 #define EnterFunction(x)\
140 VLOG(1) << (void *)this << " " << __FUNCTION__ << " enter " << x\
141 << "; next_handshake_state " << next_handshake_state_
142 #define LeaveFunction(x)\
143 VLOG(1) << (void *)this << " " << __FUNCTION__ << " leave " << x\
144 << "; next_handshake_state " << next_handshake_state_
145 #define GotoState(s)\
146 do {\
147 VLOG(1) << (void *)this << " " << __FUNCTION__ << " jump to state " << s;\
148 next_handshake_state_ = s;\
149 } while (0)
150 #endif
151
152 namespace {
153
154 // SSL plaintext fragments are shorter than 16KB. Although the record layer
155 // overhead is allowed to be 2K + 5 bytes, in practice the overhead is much
156 // smaller than 1KB. So a 17KB buffer should be large enough to hold an
157 // entire SSL record.
158 const int kRecvBufferSize = 17 * 1024;
159 const int kSendBufferSize = 17 * 1024;
160
161 // Used by SSLClientSocketNSS::Core to indicate there is no read result
162 // obtained by a previous operation waiting to be returned to the caller.
163 // This constant can be any non-negative/non-zero value (eg: it does not
164 // overlap with any value of the net::Error range, including net::OK).
165 const int kNoPendingReadResult = 1;
166
167 #if defined(OS_WIN)
168 // CERT_OCSP_RESPONSE_PROP_ID is only implemented on Vista+, but it can be
169 // set on Windows XP without error. There is some overhead from the server
170 // sending the OCSP response if it supports the extension, for the subset of
171 // XP clients who will request it but be unable to use it, but this is an
172 // acceptable trade-off for simplicity of implementation.
IsOCSPStaplingSupported()173 bool IsOCSPStaplingSupported() {
174 return true;
175 }
176 #elif defined(USE_NSS)
177 typedef SECStatus
178 (*CacheOCSPResponseFromSideChannelFunction)(
179 CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time,
180 SECItem *encodedResponse, void *pwArg);
181
182 // On Linux, we dynamically link against the system version of libnss3.so. In
183 // order to continue working on systems without up-to-date versions of NSS we
184 // lookup CERT_CacheOCSPResponseFromSideChannel with dlsym.
185
186 // RuntimeLibNSSFunctionPointers is a singleton which caches the results of any
187 // runtime symbol resolution that we need.
188 class RuntimeLibNSSFunctionPointers {
189 public:
190 CacheOCSPResponseFromSideChannelFunction
GetCacheOCSPResponseFromSideChannelFunction()191 GetCacheOCSPResponseFromSideChannelFunction() {
192 return cache_ocsp_response_from_side_channel_;
193 }
194
GetInstance()195 static RuntimeLibNSSFunctionPointers* GetInstance() {
196 return Singleton<RuntimeLibNSSFunctionPointers>::get();
197 }
198
199 private:
200 friend struct DefaultSingletonTraits<RuntimeLibNSSFunctionPointers>;
201
RuntimeLibNSSFunctionPointers()202 RuntimeLibNSSFunctionPointers() {
203 cache_ocsp_response_from_side_channel_ =
204 (CacheOCSPResponseFromSideChannelFunction)
205 dlsym(RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel");
206 }
207
208 CacheOCSPResponseFromSideChannelFunction
209 cache_ocsp_response_from_side_channel_;
210 };
211
212 CacheOCSPResponseFromSideChannelFunction
GetCacheOCSPResponseFromSideChannelFunction()213 GetCacheOCSPResponseFromSideChannelFunction() {
214 return RuntimeLibNSSFunctionPointers::GetInstance()
215 ->GetCacheOCSPResponseFromSideChannelFunction();
216 }
217
IsOCSPStaplingSupported()218 bool IsOCSPStaplingSupported() {
219 return GetCacheOCSPResponseFromSideChannelFunction() != NULL;
220 }
221 #else
222 // TODO(agl): Figure out if we can plumb the OCSP response into Mac's system
223 // certificate validation functions.
IsOCSPStaplingSupported()224 bool IsOCSPStaplingSupported() {
225 return false;
226 }
227 #endif
228
229 #if defined(OS_WIN)
230
231 // This callback is intended to be used with CertFindChainInStore. In addition
232 // to filtering by extended/enhanced key usage, we do not show expired
233 // certificates and require digital signature usage in the key usage
234 // extension.
235 //
236 // This matches our behavior on Mac OS X and that of NSS. It also matches the
237 // default behavior of IE8. See http://support.microsoft.com/kb/890326 and
238 // http://blogs.msdn.com/b/askie/archive/2009/06/09/my-expired-client-certificates-no-longer-display-when-connecting-to-my-web-server-using-ie8.aspx
ClientCertFindCallback(PCCERT_CONTEXT cert_context,void * find_arg)239 BOOL WINAPI ClientCertFindCallback(PCCERT_CONTEXT cert_context,
240 void* find_arg) {
241 VLOG(1) << "Calling ClientCertFindCallback from _nss";
242 // Verify the certificate's KU is good.
243 BYTE key_usage;
244 if (CertGetIntendedKeyUsage(X509_ASN_ENCODING, cert_context->pCertInfo,
245 &key_usage, 1)) {
246 if (!(key_usage & CERT_DIGITAL_SIGNATURE_KEY_USAGE))
247 return FALSE;
248 } else {
249 DWORD err = GetLastError();
250 // If |err| is non-zero, it's an actual error. Otherwise the extension
251 // just isn't present, and we treat it as if everything was allowed.
252 if (err) {
253 DLOG(ERROR) << "CertGetIntendedKeyUsage failed: " << err;
254 return FALSE;
255 }
256 }
257
258 // Verify the current time is within the certificate's validity period.
259 if (CertVerifyTimeValidity(NULL, cert_context->pCertInfo) != 0)
260 return FALSE;
261
262 // Verify private key metadata is associated with this certificate.
263 DWORD size = 0;
264 if (!CertGetCertificateContextProperty(
265 cert_context, CERT_KEY_PROV_INFO_PROP_ID, NULL, &size)) {
266 return FALSE;
267 }
268
269 return TRUE;
270 }
271
272 #endif
273
274 // Helper functions to make it possible to log events from within the
275 // SSLClientSocketNSS::Core.
AddLogEvent(const base::WeakPtr<BoundNetLog> & net_log,NetLog::EventType event_type)276 void AddLogEvent(const base::WeakPtr<BoundNetLog>& net_log,
277 NetLog::EventType event_type) {
278 if (!net_log)
279 return;
280 net_log->AddEvent(event_type);
281 }
282
283 // Helper function to make it possible to log events from within the
284 // SSLClientSocketNSS::Core.
AddLogEventWithCallback(const base::WeakPtr<BoundNetLog> & net_log,NetLog::EventType event_type,const NetLog::ParametersCallback & callback)285 void AddLogEventWithCallback(const base::WeakPtr<BoundNetLog>& net_log,
286 NetLog::EventType event_type,
287 const NetLog::ParametersCallback& callback) {
288 if (!net_log)
289 return;
290 net_log->AddEvent(event_type, callback);
291 }
292
293 // Helper function to make it easier to call BoundNetLog::AddByteTransferEvent
294 // from within the SSLClientSocketNSS::Core.
295 // AddByteTransferEvent expects to receive a const char*, which within the
296 // Core is backed by an IOBuffer. If the "const char*" is bound via
297 // base::Bind and posted to another thread, and the IOBuffer that backs that
298 // pointer then goes out of scope on the origin thread, this would result in
299 // an invalid read of a stale pointer.
300 // Instead, provide a signature that accepts an IOBuffer*, so that a reference
301 // to the owning IOBuffer can be bound to the Callback. This ensures that the
302 // IOBuffer will stay alive long enough to cross threads if needed.
LogByteTransferEvent(const base::WeakPtr<BoundNetLog> & net_log,NetLog::EventType event_type,int len,IOBuffer * buffer)303 void LogByteTransferEvent(
304 const base::WeakPtr<BoundNetLog>& net_log, NetLog::EventType event_type,
305 int len, IOBuffer* buffer) {
306 if (!net_log)
307 return;
308 net_log->AddByteTransferEvent(event_type, len, buffer->data());
309 }
310
311 // PeerCertificateChain is a helper object which extracts the certificate
312 // chain, as given by the server, from an NSS socket and performs the needed
313 // resource management. The first element of the chain is the leaf certificate
314 // and the other elements are in the order given by the server.
315 class PeerCertificateChain {
316 public:
PeerCertificateChain()317 PeerCertificateChain() {}
318 PeerCertificateChain(const PeerCertificateChain& other);
319 ~PeerCertificateChain();
320 PeerCertificateChain& operator=(const PeerCertificateChain& other);
321
322 // Resets the current chain, freeing any resources, and updates the current
323 // chain to be a copy of the chain stored in |nss_fd|.
324 // If |nss_fd| is NULL, then the current certificate chain will be freed.
325 void Reset(PRFileDesc* nss_fd);
326
327 // Returns the current certificate chain as a vector of DER-encoded
328 // base::StringPieces. The returned vector remains valid until Reset is
329 // called.
330 std::vector<base::StringPiece> AsStringPieceVector() const;
331
empty() const332 bool empty() const { return certs_.empty(); }
333
operator [](size_t index) const334 CERTCertificate* operator[](size_t index) const {
335 DCHECK_LT(index, certs_.size());
336 return certs_[index];
337 }
338
339 private:
340 std::vector<CERTCertificate*> certs_;
341 };
342
PeerCertificateChain(const PeerCertificateChain & other)343 PeerCertificateChain::PeerCertificateChain(
344 const PeerCertificateChain& other) {
345 *this = other;
346 }
347
~PeerCertificateChain()348 PeerCertificateChain::~PeerCertificateChain() {
349 Reset(NULL);
350 }
351
operator =(const PeerCertificateChain & other)352 PeerCertificateChain& PeerCertificateChain::operator=(
353 const PeerCertificateChain& other) {
354 if (this == &other)
355 return *this;
356
357 Reset(NULL);
358 certs_.reserve(other.certs_.size());
359 for (size_t i = 0; i < other.certs_.size(); ++i)
360 certs_.push_back(CERT_DupCertificate(other.certs_[i]));
361
362 return *this;
363 }
364
Reset(PRFileDesc * nss_fd)365 void PeerCertificateChain::Reset(PRFileDesc* nss_fd) {
366 for (size_t i = 0; i < certs_.size(); ++i)
367 CERT_DestroyCertificate(certs_[i]);
368 certs_.clear();
369
370 if (nss_fd == NULL)
371 return;
372
373 CERTCertList* list = SSL_PeerCertificateChain(nss_fd);
374 // The handshake on |nss_fd| may not have completed.
375 if (list == NULL)
376 return;
377
378 for (CERTCertListNode* node = CERT_LIST_HEAD(list);
379 !CERT_LIST_END(node, list); node = CERT_LIST_NEXT(node)) {
380 certs_.push_back(CERT_DupCertificate(node->cert));
381 }
382 CERT_DestroyCertList(list);
383 }
384
385 std::vector<base::StringPiece>
AsStringPieceVector() const386 PeerCertificateChain::AsStringPieceVector() const {
387 std::vector<base::StringPiece> v(certs_.size());
388 for (unsigned i = 0; i < certs_.size(); i++) {
389 v[i] = base::StringPiece(
390 reinterpret_cast<const char*>(certs_[i]->derCert.data),
391 certs_[i]->derCert.len);
392 }
393
394 return v;
395 }
396
397 // HandshakeState is a helper struct used to pass handshake state between
398 // the NSS task runner and the network task runner.
399 //
400 // It contains members that may be read or written on the NSS task runner,
401 // but which also need to be read from the network task runner. The NSS task
402 // runner will notify the network task runner whenever this state changes, so
403 // that the network task runner can safely make a copy, which avoids the need
404 // for locking.
405 struct HandshakeState {
HandshakeStatenet::__anond1bb7e5c0111::HandshakeState406 HandshakeState() { Reset(); }
407
Resetnet::__anond1bb7e5c0111::HandshakeState408 void Reset() {
409 next_proto_status = SSLClientSocket::kNextProtoUnsupported;
410 next_proto.clear();
411 server_protos.clear();
412 channel_id_sent = false;
413 server_cert_chain.Reset(NULL);
414 server_cert = NULL;
415 sct_list_from_tls_extension.clear();
416 stapled_ocsp_response.clear();
417 resumed_handshake = false;
418 ssl_connection_status = 0;
419 }
420
421 // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the
422 // negotiated protocol stored in |next_proto|.
423 SSLClientSocket::NextProtoStatus next_proto_status;
424 std::string next_proto;
425 // If the server supports NPN, the protocols supported by the server.
426 std::string server_protos;
427
428 // True if a channel ID was sent.
429 bool channel_id_sent;
430
431 // List of DER-encoded X.509 DistinguishedName of certificate authorities
432 // allowed by the server.
433 std::vector<std::string> cert_authorities;
434
435 // Set when the handshake fully completes.
436 //
437 // The server certificate is first received from NSS as an NSS certificate
438 // chain (|server_cert_chain|) and then converted into a platform-specific
439 // X509Certificate object (|server_cert|). It's possible for some
440 // certificates to be successfully parsed by NSS, and not by the platform
441 // libraries (i.e.: when running within a sandbox, different parsing
442 // algorithms, etc), so it's not safe to assume that |server_cert| will
443 // always be non-NULL.
444 PeerCertificateChain server_cert_chain;
445 scoped_refptr<X509Certificate> server_cert;
446 // SignedCertificateTimestampList received via TLS extension (RFC 6962).
447 std::string sct_list_from_tls_extension;
448 // Stapled OCSP response received.
449 std::string stapled_ocsp_response;
450
451 // True if the current handshake was the result of TLS session resumption.
452 bool resumed_handshake;
453
454 // The negotiated security parameters (TLS version, cipher, extensions) of
455 // the SSL connection.
456 int ssl_connection_status;
457 };
458
459 // Client-side error mapping functions.
460
461 // Map NSS error code to network error code.
MapNSSClientError(PRErrorCode err)462 int MapNSSClientError(PRErrorCode err) {
463 switch (err) {
464 case SSL_ERROR_BAD_CERT_ALERT:
465 case SSL_ERROR_UNSUPPORTED_CERT_ALERT:
466 case SSL_ERROR_REVOKED_CERT_ALERT:
467 case SSL_ERROR_EXPIRED_CERT_ALERT:
468 case SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT:
469 case SSL_ERROR_UNKNOWN_CA_ALERT:
470 case SSL_ERROR_ACCESS_DENIED_ALERT:
471 return ERR_BAD_SSL_CLIENT_AUTH_CERT;
472 default:
473 return MapNSSError(err);
474 }
475 }
476
477 // Map NSS error code from the first SSL handshake to network error code.
MapNSSClientHandshakeError(PRErrorCode err)478 int MapNSSClientHandshakeError(PRErrorCode err) {
479 switch (err) {
480 // If the server closed on us, it is a protocol error.
481 // Some TLS-intolerant servers do this when we request TLS.
482 case PR_END_OF_FILE_ERROR:
483 return ERR_SSL_PROTOCOL_ERROR;
484 default:
485 return MapNSSClientError(err);
486 }
487 }
488
489 } // namespace
490
491 // SSLClientSocketNSS::Core provides a thread-safe, ref-counted core that is
492 // able to marshal data between NSS functions and an underlying transport
493 // socket.
494 //
495 // All public functions are meant to be called from the network task runner,
496 // and any callbacks supplied will be invoked there as well, provided that
497 // Detach() has not been called yet.
498 //
499 /////////////////////////////////////////////////////////////////////////////
500 //
501 // Threading within SSLClientSocketNSS and SSLClientSocketNSS::Core:
502 //
503 // Because NSS may block on either hardware or user input during operations
504 // such as signing, creating certificates, or locating private keys, the Core
505 // handles all of the interactions with the underlying NSS SSL socket, so
506 // that these blocking calls can be executed on a dedicated task runner.
507 //
508 // Note that the network task runner and the NSS task runner may be executing
509 // on the same thread. If that happens, then it's more performant to try to
510 // complete as much work as possible synchronously, even if it might block,
511 // rather than continually PostTask-ing to the same thread.
512 //
513 // Because NSS functions should only be called on the NSS task runner, while
514 // I/O resources should only be accessed on the network task runner, most
515 // public functions are implemented via three methods, each with different
516 // task runner affinities.
517 //
518 // In the single-threaded mode (where the network and NSS task runners run on
519 // the same thread), these are all attempted synchronously, while in the
520 // multi-threaded mode, message passing is used.
521 //
522 // 1) NSS Task Runner: Execute NSS function (DoPayloadRead, DoPayloadWrite,
523 // DoHandshake)
524 // 2) NSS Task Runner: Prepare data to go from NSS to an IO function:
525 // (BufferRecv, BufferSend)
526 // 3) Network Task Runner: Perform IO on that data (DoBufferRecv,
527 // DoBufferSend, DoGetDomainBoundCert, OnGetDomainBoundCertComplete)
528 // 4) Both Task Runners: Callback for asynchronous completion or to marshal
529 // data from the network task runner back to NSS (BufferRecvComplete,
530 // BufferSendComplete, OnHandshakeIOComplete)
531 //
532 /////////////////////////////////////////////////////////////////////////////
533 // Single-threaded example
534 //
535 // |--------------------------Network Task Runner--------------------------|
536 // SSLClientSocketNSS Core (Transport Socket)
537 // Read()
538 // |-------------------------V
539 // Read()
540 // |
541 // DoPayloadRead()
542 // |
543 // BufferRecv()
544 // |
545 // DoBufferRecv()
546 // |-------------------------V
547 // Read()
548 // V-------------------------|
549 // BufferRecvComplete()
550 // |
551 // PostOrRunCallback()
552 // V-------------------------|
553 // (Read Callback)
554 //
555 /////////////////////////////////////////////////////////////////////////////
556 // Multi-threaded example:
557 //
558 // |--------------------Network Task Runner-------------|--NSS Task Runner--|
559 // SSLClientSocketNSS Core Socket Core
560 // Read()
561 // |---------------------V
562 // Read()
563 // |-------------------------------V
564 // Read()
565 // |
566 // DoPayloadRead()
567 // |
568 // BufferRecv
569 // V-------------------------------|
570 // DoBufferRecv
571 // |----------------V
572 // Read()
573 // V----------------|
574 // BufferRecvComplete()
575 // |-------------------------------V
576 // BufferRecvComplete()
577 // |
578 // PostOrRunCallback()
579 // V-------------------------------|
580 // PostOrRunCallback()
581 // V---------------------|
582 // (Read Callback)
583 //
584 /////////////////////////////////////////////////////////////////////////////
585 class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> {
586 public:
587 // Creates a new Core.
588 //
589 // Any calls to NSS are executed on the |nss_task_runner|, while any calls
590 // that need to operate on the underlying transport, net log, or server
591 // bound certificate fetching will happen on the |network_task_runner|, so
592 // that their lifetimes match that of the owning SSLClientSocketNSS.
593 //
594 // The caller retains ownership of |transport|, |net_log|, and
595 // |server_bound_cert_service|, and they will not be accessed once Detach()
596 // has been called.
597 Core(base::SequencedTaskRunner* network_task_runner,
598 base::SequencedTaskRunner* nss_task_runner,
599 ClientSocketHandle* transport,
600 const HostPortPair& host_and_port,
601 const SSLConfig& ssl_config,
602 BoundNetLog* net_log,
603 ServerBoundCertService* server_bound_cert_service);
604
605 // Called on the network task runner.
606 // Transfers ownership of |socket|, an NSS SSL socket, and |buffers|, the
607 // underlying memio implementation, to the Core. Returns true if the Core
608 // was successfully registered with the socket.
609 bool Init(PRFileDesc* socket, memio_Private* buffers);
610
611 // Called on the network task runner.
612 //
613 // Attempts to perform an SSL handshake. If the handshake cannot be
614 // completed synchronously, returns ERR_IO_PENDING, invoking |callback| on
615 // the network task runner once the handshake has completed. Otherwise,
616 // returns OK on success or a network error code on failure.
617 int Connect(const CompletionCallback& callback);
618
619 // Called on the network task runner.
620 // Signals that the resources owned by the network task runner are going
621 // away. No further callbacks will be invoked on the network task runner.
622 // May be called at any time.
623 void Detach();
624
625 // Called on the network task runner.
626 // Returns the current state of the underlying SSL socket. May be called at
627 // any time.
state() const628 const HandshakeState& state() const { return network_handshake_state_; }
629
630 // Called on the network task runner.
631 // Read() and Write() mirror the net::Socket functions of the same name.
632 // If ERR_IO_PENDING is returned, |callback| will be invoked on the network
633 // task runner at a later point, unless the caller calls Detach().
634 int Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback);
635 int Write(IOBuffer* buf, int buf_len, const CompletionCallback& callback);
636
637 // Called on the network task runner.
638 bool IsConnected() const;
639 bool HasPendingAsyncOperation() const;
640 bool HasUnhandledReceivedData() const;
641 bool WasEverUsed() const;
642
643 // Called on the network task runner.
644 // Causes the associated SSL/TLS session ID to be added to NSS's session
645 // cache, but only if the connection has not been False Started.
646 //
647 // This should only be called after the server's certificate has been
648 // verified, and may not be called within an NSS callback.
649 void CacheSessionIfNecessary();
650
651 private:
652 friend class base::RefCountedThreadSafe<Core>;
653 ~Core();
654
655 enum State {
656 STATE_NONE,
657 STATE_HANDSHAKE,
658 STATE_GET_DOMAIN_BOUND_CERT_COMPLETE,
659 };
660
661 bool OnNSSTaskRunner() const;
662 bool OnNetworkTaskRunner() const;
663
664 ////////////////////////////////////////////////////////////////////////////
665 // Methods that are ONLY called on the NSS task runner:
666 ////////////////////////////////////////////////////////////////////////////
667
668 // Called by NSS during full handshakes to allow the application to
669 // verify the certificate. Instead of verifying the certificate in the midst
670 // of the handshake, SECSuccess is always returned and the peer's certificate
671 // is verified afterwards.
672 // This behaviour is an artifact of the original SSLClientSocketWin
673 // implementation, which could not verify the peer's certificate until after
674 // the handshake had completed, as well as bugs in NSS that prevent
675 // SSL_RestartHandshakeAfterCertReq from working.
676 static SECStatus OwnAuthCertHandler(void* arg,
677 PRFileDesc* socket,
678 PRBool checksig,
679 PRBool is_server);
680
681 // Callbacks called by NSS when the peer requests client certificate
682 // authentication.
683 // See the documentation in third_party/nss/ssl/ssl.h for the meanings of
684 // the arguments.
685 #if defined(NSS_PLATFORM_CLIENT_AUTH)
686 // When NSS has been integrated with awareness of the underlying system
687 // cryptographic libraries, this callback allows the caller to supply a
688 // native platform certificate and key for use by NSS. At most, one of
689 // either (result_certs, result_private_key) or (result_nss_certificate,
690 // result_nss_private_key) should be set.
691 // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
692 static SECStatus PlatformClientAuthHandler(
693 void* arg,
694 PRFileDesc* socket,
695 CERTDistNames* ca_names,
696 CERTCertList** result_certs,
697 void** result_private_key,
698 CERTCertificate** result_nss_certificate,
699 SECKEYPrivateKey** result_nss_private_key);
700 #else
701 static SECStatus ClientAuthHandler(void* arg,
702 PRFileDesc* socket,
703 CERTDistNames* ca_names,
704 CERTCertificate** result_certificate,
705 SECKEYPrivateKey** result_private_key);
706 #endif
707
708 // Called by NSS to determine if we can False Start.
709 // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
710 static SECStatus CanFalseStartCallback(PRFileDesc* socket,
711 void* arg,
712 PRBool* can_false_start);
713
714 // Called by NSS once the handshake has completed.
715 // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
716 static void HandshakeCallback(PRFileDesc* socket, void* arg);
717
718 // Called once the handshake has succeeded.
719 void HandshakeSucceeded();
720
721 // Handles an NSS error generated while handshaking or performing IO.
722 // Returns a network error code mapped from the original NSS error.
723 int HandleNSSError(PRErrorCode error, bool handshake_error);
724
725 int DoHandshakeLoop(int last_io_result);
726 int DoReadLoop(int result);
727 int DoWriteLoop(int result);
728
729 int DoHandshake();
730 int DoGetDBCertComplete(int result);
731
732 int DoPayloadRead();
733 int DoPayloadWrite();
734
735 bool DoTransportIO();
736 int BufferRecv();
737 int BufferSend();
738
739 void OnRecvComplete(int result);
740 void OnSendComplete(int result);
741
742 void DoConnectCallback(int result);
743 void DoReadCallback(int result);
744 void DoWriteCallback(int result);
745
746 // Client channel ID handler.
747 static SECStatus ClientChannelIDHandler(
748 void* arg,
749 PRFileDesc* socket,
750 SECKEYPublicKey **out_public_key,
751 SECKEYPrivateKey **out_private_key);
752
753 // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and
754 // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success
755 // and an error code otherwise.
756 // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been
757 // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller
758 // takes ownership of the |*cert| and |*key|.
759 int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key);
760
761 // Updates the NSS and platform specific certificates.
762 void UpdateServerCert();
763 // Update the nss_handshake_state_ with the SignedCertificateTimestampList
764 // received in the handshake via a TLS extension.
765 void UpdateSignedCertTimestamps();
766 // Update the OCSP response cache with the stapled response received in the
767 // handshake, and update nss_handshake_state_ with
768 // the SignedCertificateTimestampList received in the stapled OCSP response.
769 void UpdateStapledOCSPResponse();
770 // Updates the nss_handshake_state_ with the negotiated security parameters.
771 void UpdateConnectionStatus();
772 // Record histograms for channel id support during full handshakes - resumed
773 // handshakes are ignored.
774 void RecordChannelIDSupportOnNSSTaskRunner();
775 // UpdateNextProto gets any application-layer protocol that may have been
776 // negotiated by the TLS connection.
777 void UpdateNextProto();
778
779 ////////////////////////////////////////////////////////////////////////////
780 // Methods that are ONLY called on the network task runner:
781 ////////////////////////////////////////////////////////////////////////////
782 int DoBufferRecv(IOBuffer* buffer, int len);
783 int DoBufferSend(IOBuffer* buffer, int len);
784 int DoGetDomainBoundCert(const std::string& host);
785
786 void OnGetDomainBoundCertComplete(int result);
787 void OnHandshakeStateUpdated(const HandshakeState& state);
788 void OnNSSBufferUpdated(int amount_in_read_buffer);
789 void DidNSSRead(int result);
790 void DidNSSWrite(int result);
791 void RecordChannelIDSupportOnNetworkTaskRunner(
792 bool negotiated_channel_id,
793 bool channel_id_enabled,
794 bool supports_ecc) const;
795
796 ////////////////////////////////////////////////////////////////////////////
797 // Methods that are called on both the network task runner and the NSS
798 // task runner.
799 ////////////////////////////////////////////////////////////////////////////
800 void OnHandshakeIOComplete(int result);
801 void BufferRecvComplete(IOBuffer* buffer, int result);
802 void BufferSendComplete(int result);
803
804 // PostOrRunCallback is a helper function to ensure that |callback| is
805 // invoked on the network task runner, but only if Detach() has not yet
806 // been called.
807 void PostOrRunCallback(const tracked_objects::Location& location,
808 const base::Closure& callback);
809
810 // Uses PostOrRunCallback and |weak_net_log_| to try and log a
811 // SSL_CLIENT_CERT_PROVIDED event, with the indicated count.
812 void AddCertProvidedEvent(int cert_count);
813
814 // Sets the handshake state |channel_id_sent| flag and logs the
815 // SSL_CHANNEL_ID_PROVIDED event.
816 void SetChannelIDProvided();
817
818 ////////////////////////////////////////////////////////////////////////////
819 // Members that are ONLY accessed on the network task runner:
820 ////////////////////////////////////////////////////////////////////////////
821
822 // True if the owning SSLClientSocketNSS has called Detach(). No further
823 // callbacks will be invoked nor access to members owned by the network
824 // task runner.
825 bool detached_;
826
827 // The underlying transport to use for network IO.
828 ClientSocketHandle* transport_;
829 base::WeakPtrFactory<BoundNetLog> weak_net_log_factory_;
830
831 // The current handshake state. Mirrors |nss_handshake_state_|.
832 HandshakeState network_handshake_state_;
833
834 // The service for retrieving Channel ID keys. May be NULL.
835 ServerBoundCertService* server_bound_cert_service_;
836 ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_;
837
838 // The information about NSS task runner.
839 int unhandled_buffer_size_;
840 bool nss_waiting_read_;
841 bool nss_waiting_write_;
842 bool nss_is_closed_;
843
844 // Set when Read() or Write() successfully reads or writes data to or from the
845 // network.
846 bool was_ever_used_;
847
848 ////////////////////////////////////////////////////////////////////////////
849 // Members that are ONLY accessed on the NSS task runner:
850 ////////////////////////////////////////////////////////////////////////////
851 HostPortPair host_and_port_;
852 SSLConfig ssl_config_;
853
854 // NSS SSL socket.
855 PRFileDesc* nss_fd_;
856
857 // Buffers for the network end of the SSL state machine
858 memio_Private* nss_bufs_;
859
860 // Used by DoPayloadRead() when attempting to fill the caller's buffer with
861 // as much data as possible, without blocking.
862 // If DoPayloadRead() encounters an error after having read some data, stores
863 // the results to return on the *next* call to DoPayloadRead(). A value of
864 // kNoPendingReadResult indicates there is no pending result, otherwise 0
865 // indicates EOF and < 0 indicates an error.
866 int pending_read_result_;
867 // Contains the previously observed NSS error. Only valid when
868 // pending_read_result_ != kNoPendingReadResult.
869 PRErrorCode pending_read_nss_error_;
870
871 // The certificate chain, in DER form, that is expected to be received from
872 // the server.
873 std::vector<std::string> predicted_certs_;
874
875 State next_handshake_state_;
876
877 // True if channel ID extension was negotiated.
878 bool channel_id_xtn_negotiated_;
879 // True if the handshake state machine was interrupted for channel ID.
880 bool channel_id_needed_;
881 // True if the handshake state machine was interrupted for client auth.
882 bool client_auth_cert_needed_;
883 // True if NSS has False Started.
884 bool false_started_;
885 // True if NSS has called HandshakeCallback.
886 bool handshake_callback_called_;
887
888 HandshakeState nss_handshake_state_;
889
890 bool transport_recv_busy_;
891 bool transport_recv_eof_;
892 bool transport_send_busy_;
893
894 // Used by Read function.
895 scoped_refptr<IOBuffer> user_read_buf_;
896 int user_read_buf_len_;
897
898 // Used by Write function.
899 scoped_refptr<IOBuffer> user_write_buf_;
900 int user_write_buf_len_;
901
902 CompletionCallback user_connect_callback_;
903 CompletionCallback user_read_callback_;
904 CompletionCallback user_write_callback_;
905
906 ////////////////////////////////////////////////////////////////////////////
907 // Members that are accessed on both the network task runner and the NSS
908 // task runner.
909 ////////////////////////////////////////////////////////////////////////////
910 scoped_refptr<base::SequencedTaskRunner> network_task_runner_;
911 scoped_refptr<base::SequencedTaskRunner> nss_task_runner_;
912
913 // Dereferenced only on the network task runner, but bound to tasks destined
914 // for the network task runner from the NSS task runner.
915 base::WeakPtr<BoundNetLog> weak_net_log_;
916
917 // Written on the network task runner by the |server_bound_cert_service_|,
918 // prior to invoking OnHandshakeIOComplete.
919 // Read on the NSS task runner when once OnHandshakeIOComplete is invoked
920 // on the NSS task runner.
921 std::string domain_bound_private_key_;
922 std::string domain_bound_cert_;
923
924 DISALLOW_COPY_AND_ASSIGN(Core);
925 };
926
Core(base::SequencedTaskRunner * network_task_runner,base::SequencedTaskRunner * nss_task_runner,ClientSocketHandle * transport,const HostPortPair & host_and_port,const SSLConfig & ssl_config,BoundNetLog * net_log,ServerBoundCertService * server_bound_cert_service)927 SSLClientSocketNSS::Core::Core(
928 base::SequencedTaskRunner* network_task_runner,
929 base::SequencedTaskRunner* nss_task_runner,
930 ClientSocketHandle* transport,
931 const HostPortPair& host_and_port,
932 const SSLConfig& ssl_config,
933 BoundNetLog* net_log,
934 ServerBoundCertService* server_bound_cert_service)
935 : detached_(false),
936 transport_(transport),
937 weak_net_log_factory_(net_log),
938 server_bound_cert_service_(server_bound_cert_service),
939 unhandled_buffer_size_(0),
940 nss_waiting_read_(false),
941 nss_waiting_write_(false),
942 nss_is_closed_(false),
943 was_ever_used_(false),
944 host_and_port_(host_and_port),
945 ssl_config_(ssl_config),
946 nss_fd_(NULL),
947 nss_bufs_(NULL),
948 pending_read_result_(kNoPendingReadResult),
949 pending_read_nss_error_(0),
950 next_handshake_state_(STATE_NONE),
951 channel_id_xtn_negotiated_(false),
952 channel_id_needed_(false),
953 client_auth_cert_needed_(false),
954 false_started_(false),
955 handshake_callback_called_(false),
956 transport_recv_busy_(false),
957 transport_recv_eof_(false),
958 transport_send_busy_(false),
959 user_read_buf_len_(0),
960 user_write_buf_len_(0),
961 network_task_runner_(network_task_runner),
962 nss_task_runner_(nss_task_runner),
963 weak_net_log_(weak_net_log_factory_.GetWeakPtr()) {
964 }
965
~Core()966 SSLClientSocketNSS::Core::~Core() {
967 // TODO(wtc): Send SSL close_notify alert.
968 if (nss_fd_ != NULL) {
969 PR_Close(nss_fd_);
970 nss_fd_ = NULL;
971 }
972 }
973
Init(PRFileDesc * socket,memio_Private * buffers)974 bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
975 memio_Private* buffers) {
976 DCHECK(OnNetworkTaskRunner());
977 DCHECK(!nss_fd_);
978 DCHECK(!nss_bufs_);
979
980 nss_fd_ = socket;
981 nss_bufs_ = buffers;
982
983 SECStatus rv = SECSuccess;
984
985 if (!ssl_config_.next_protos.empty()) {
986 size_t wire_length = 0;
987 for (std::vector<std::string>::const_iterator
988 i = ssl_config_.next_protos.begin();
989 i != ssl_config_.next_protos.end(); ++i) {
990 if (i->size() > 255) {
991 LOG(WARNING) << "Ignoring overlong NPN/ALPN protocol: " << *i;
992 continue;
993 }
994 wire_length += i->size();
995 wire_length++;
996 }
997 scoped_ptr<uint8[]> wire_protos(new uint8[wire_length]);
998 uint8* dst = wire_protos.get();
999 for (std::vector<std::string>::const_iterator
1000 i = ssl_config_.next_protos.begin();
1001 i != ssl_config_.next_protos.end(); i++) {
1002 if (i->size() > 255)
1003 continue;
1004 *dst++ = i->size();
1005 memcpy(dst, i->data(), i->size());
1006 dst += i->size();
1007 }
1008 DCHECK_EQ(dst, wire_protos.get() + wire_length);
1009 rv = SSL_SetNextProtoNego(nss_fd_, wire_protos.get(), wire_length);
1010 if (rv != SECSuccess)
1011 LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", "");
1012 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE);
1013 if (rv != SECSuccess)
1014 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN");
1015 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE);
1016 if (rv != SECSuccess)
1017 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_NPN");
1018 }
1019
1020 rv = SSL_AuthCertificateHook(
1021 nss_fd_, SSLClientSocketNSS::Core::OwnAuthCertHandler, this);
1022 if (rv != SECSuccess) {
1023 LogFailedNSSFunction(*weak_net_log_, "SSL_AuthCertificateHook", "");
1024 return false;
1025 }
1026
1027 #if defined(NSS_PLATFORM_CLIENT_AUTH)
1028 rv = SSL_GetPlatformClientAuthDataHook(
1029 nss_fd_, SSLClientSocketNSS::Core::PlatformClientAuthHandler,
1030 this);
1031 #else
1032 rv = SSL_GetClientAuthDataHook(
1033 nss_fd_, SSLClientSocketNSS::Core::ClientAuthHandler, this);
1034 #endif
1035 if (rv != SECSuccess) {
1036 LogFailedNSSFunction(*weak_net_log_, "SSL_GetClientAuthDataHook", "");
1037 return false;
1038 }
1039
1040 if (IsChannelIDEnabled(ssl_config_, server_bound_cert_service_)) {
1041 rv = SSL_SetClientChannelIDCallback(
1042 nss_fd_, SSLClientSocketNSS::Core::ClientChannelIDHandler, this);
1043 if (rv != SECSuccess) {
1044 LogFailedNSSFunction(
1045 *weak_net_log_, "SSL_SetClientChannelIDCallback", "");
1046 }
1047 }
1048
1049 rv = SSL_SetCanFalseStartCallback(
1050 nss_fd_, SSLClientSocketNSS::Core::CanFalseStartCallback, this);
1051 if (rv != SECSuccess) {
1052 LogFailedNSSFunction(*weak_net_log_, "SSL_SetCanFalseStartCallback", "");
1053 return false;
1054 }
1055
1056 rv = SSL_HandshakeCallback(
1057 nss_fd_, SSLClientSocketNSS::Core::HandshakeCallback, this);
1058 if (rv != SECSuccess) {
1059 LogFailedNSSFunction(*weak_net_log_, "SSL_HandshakeCallback", "");
1060 return false;
1061 }
1062
1063 return true;
1064 }
1065
Connect(const CompletionCallback & callback)1066 int SSLClientSocketNSS::Core::Connect(const CompletionCallback& callback) {
1067 if (!OnNSSTaskRunner()) {
1068 DCHECK(!detached_);
1069 bool posted = nss_task_runner_->PostTask(
1070 FROM_HERE,
1071 base::Bind(IgnoreResult(&Core::Connect), this, callback));
1072 return posted ? ERR_IO_PENDING : ERR_ABORTED;
1073 }
1074
1075 DCHECK(OnNSSTaskRunner());
1076 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1077 DCHECK(user_read_callback_.is_null());
1078 DCHECK(user_write_callback_.is_null());
1079 DCHECK(user_connect_callback_.is_null());
1080 DCHECK(!user_read_buf_.get());
1081 DCHECK(!user_write_buf_.get());
1082
1083 next_handshake_state_ = STATE_HANDSHAKE;
1084 int rv = DoHandshakeLoop(OK);
1085 if (rv == ERR_IO_PENDING) {
1086 user_connect_callback_ = callback;
1087 } else if (rv > OK) {
1088 rv = OK;
1089 }
1090 if (rv != ERR_IO_PENDING && !OnNetworkTaskRunner()) {
1091 PostOrRunCallback(FROM_HERE, base::Bind(callback, rv));
1092 return ERR_IO_PENDING;
1093 }
1094
1095 return rv;
1096 }
1097
Detach()1098 void SSLClientSocketNSS::Core::Detach() {
1099 DCHECK(OnNetworkTaskRunner());
1100
1101 detached_ = true;
1102 transport_ = NULL;
1103 weak_net_log_factory_.InvalidateWeakPtrs();
1104
1105 network_handshake_state_.Reset();
1106
1107 domain_bound_cert_request_handle_.Cancel();
1108 }
1109
Read(IOBuffer * buf,int buf_len,const CompletionCallback & callback)1110 int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len,
1111 const CompletionCallback& callback) {
1112 if (!OnNSSTaskRunner()) {
1113 DCHECK(OnNetworkTaskRunner());
1114 DCHECK(!detached_);
1115 DCHECK(transport_);
1116 DCHECK(!nss_waiting_read_);
1117
1118 nss_waiting_read_ = true;
1119 bool posted = nss_task_runner_->PostTask(
1120 FROM_HERE,
1121 base::Bind(IgnoreResult(&Core::Read), this, make_scoped_refptr(buf),
1122 buf_len, callback));
1123 if (!posted) {
1124 nss_is_closed_ = true;
1125 nss_waiting_read_ = false;
1126 }
1127 return posted ? ERR_IO_PENDING : ERR_ABORTED;
1128 }
1129
1130 DCHECK(OnNSSTaskRunner());
1131 DCHECK(false_started_ || handshake_callback_called_);
1132 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1133 DCHECK(user_read_callback_.is_null());
1134 DCHECK(user_connect_callback_.is_null());
1135 DCHECK(!user_read_buf_.get());
1136 DCHECK(nss_bufs_);
1137
1138 user_read_buf_ = buf;
1139 user_read_buf_len_ = buf_len;
1140
1141 int rv = DoReadLoop(OK);
1142 if (rv == ERR_IO_PENDING) {
1143 if (OnNetworkTaskRunner())
1144 nss_waiting_read_ = true;
1145 user_read_callback_ = callback;
1146 } else {
1147 user_read_buf_ = NULL;
1148 user_read_buf_len_ = 0;
1149
1150 if (!OnNetworkTaskRunner()) {
1151 PostOrRunCallback(FROM_HERE, base::Bind(&Core::DidNSSRead, this, rv));
1152 PostOrRunCallback(FROM_HERE, base::Bind(callback, rv));
1153 return ERR_IO_PENDING;
1154 } else {
1155 DCHECK(!nss_waiting_read_);
1156 if (rv <= 0) {
1157 nss_is_closed_ = true;
1158 } else {
1159 was_ever_used_ = true;
1160 }
1161 }
1162 }
1163
1164 return rv;
1165 }
1166
Write(IOBuffer * buf,int buf_len,const CompletionCallback & callback)1167 int SSLClientSocketNSS::Core::Write(IOBuffer* buf, int buf_len,
1168 const CompletionCallback& callback) {
1169 if (!OnNSSTaskRunner()) {
1170 DCHECK(OnNetworkTaskRunner());
1171 DCHECK(!detached_);
1172 DCHECK(transport_);
1173 DCHECK(!nss_waiting_write_);
1174
1175 nss_waiting_write_ = true;
1176 bool posted = nss_task_runner_->PostTask(
1177 FROM_HERE,
1178 base::Bind(IgnoreResult(&Core::Write), this, make_scoped_refptr(buf),
1179 buf_len, callback));
1180 if (!posted) {
1181 nss_is_closed_ = true;
1182 nss_waiting_write_ = false;
1183 }
1184 return posted ? ERR_IO_PENDING : ERR_ABORTED;
1185 }
1186
1187 DCHECK(OnNSSTaskRunner());
1188 DCHECK(false_started_ || handshake_callback_called_);
1189 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1190 DCHECK(user_write_callback_.is_null());
1191 DCHECK(user_connect_callback_.is_null());
1192 DCHECK(!user_write_buf_.get());
1193 DCHECK(nss_bufs_);
1194
1195 user_write_buf_ = buf;
1196 user_write_buf_len_ = buf_len;
1197
1198 int rv = DoWriteLoop(OK);
1199 if (rv == ERR_IO_PENDING) {
1200 if (OnNetworkTaskRunner())
1201 nss_waiting_write_ = true;
1202 user_write_callback_ = callback;
1203 } else {
1204 user_write_buf_ = NULL;
1205 user_write_buf_len_ = 0;
1206
1207 if (!OnNetworkTaskRunner()) {
1208 PostOrRunCallback(FROM_HERE, base::Bind(&Core::DidNSSWrite, this, rv));
1209 PostOrRunCallback(FROM_HERE, base::Bind(callback, rv));
1210 return ERR_IO_PENDING;
1211 } else {
1212 DCHECK(!nss_waiting_write_);
1213 if (rv < 0) {
1214 nss_is_closed_ = true;
1215 } else if (rv > 0) {
1216 was_ever_used_ = true;
1217 }
1218 }
1219 }
1220
1221 return rv;
1222 }
1223
IsConnected() const1224 bool SSLClientSocketNSS::Core::IsConnected() const {
1225 DCHECK(OnNetworkTaskRunner());
1226 return !nss_is_closed_;
1227 }
1228
HasPendingAsyncOperation() const1229 bool SSLClientSocketNSS::Core::HasPendingAsyncOperation() const {
1230 DCHECK(OnNetworkTaskRunner());
1231 return nss_waiting_read_ || nss_waiting_write_;
1232 }
1233
HasUnhandledReceivedData() const1234 bool SSLClientSocketNSS::Core::HasUnhandledReceivedData() const {
1235 DCHECK(OnNetworkTaskRunner());
1236 return unhandled_buffer_size_ != 0;
1237 }
1238
WasEverUsed() const1239 bool SSLClientSocketNSS::Core::WasEverUsed() const {
1240 DCHECK(OnNetworkTaskRunner());
1241 return was_ever_used_;
1242 }
1243
CacheSessionIfNecessary()1244 void SSLClientSocketNSS::Core::CacheSessionIfNecessary() {
1245 // TODO(rsleevi): This should occur on the NSS task runner, due to the use of
1246 // nss_fd_. However, it happens on the network task runner in order to match
1247 // the buggy behavior of ExportKeyingMaterial.
1248 //
1249 // Once http://crbug.com/330360 is fixed, this should be moved to an
1250 // implementation that exclusively does this work on the NSS TaskRunner. This
1251 // is "safe" because it is only called during the certificate verification
1252 // state machine of the main socket, which is safe because no underlying
1253 // transport IO will be occuring in that state, and NSS will not be blocking
1254 // on any PKCS#11 related locks that might block the Network TaskRunner.
1255 DCHECK(OnNetworkTaskRunner());
1256
1257 // Only cache the session if the connection was not False Started, because
1258 // sessions should only be cached *after* the peer's Finished message is
1259 // processed.
1260 // In the case of False Start, the session will be cached once the
1261 // HandshakeCallback is called, which signals the receipt and processing of
1262 // the Finished message, and which will happen during a call to
1263 // PR_Read/PR_Write.
1264 if (!false_started_)
1265 SSL_CacheSession(nss_fd_);
1266 }
1267
OnNSSTaskRunner() const1268 bool SSLClientSocketNSS::Core::OnNSSTaskRunner() const {
1269 return nss_task_runner_->RunsTasksOnCurrentThread();
1270 }
1271
OnNetworkTaskRunner() const1272 bool SSLClientSocketNSS::Core::OnNetworkTaskRunner() const {
1273 return network_task_runner_->RunsTasksOnCurrentThread();
1274 }
1275
1276 // static
OwnAuthCertHandler(void * arg,PRFileDesc * socket,PRBool checksig,PRBool is_server)1277 SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
1278 void* arg,
1279 PRFileDesc* socket,
1280 PRBool checksig,
1281 PRBool is_server) {
1282 Core* core = reinterpret_cast<Core*>(arg);
1283 if (core->handshake_callback_called_) {
1284 // Disallow the server certificate to change in a renegotiation.
1285 CERTCertificate* old_cert = core->nss_handshake_state_.server_cert_chain[0];
1286 ScopedCERTCertificate new_cert(SSL_PeerCertificate(socket));
1287 if (new_cert->derCert.len != old_cert->derCert.len ||
1288 memcmp(new_cert->derCert.data, old_cert->derCert.data,
1289 new_cert->derCert.len) != 0) {
1290 // NSS doesn't have an error code that indicates the server certificate
1291 // changed. Borrow SSL_ERROR_WRONG_CERTIFICATE (which NSS isn't using)
1292 // for this purpose.
1293 PORT_SetError(SSL_ERROR_WRONG_CERTIFICATE);
1294 return SECFailure;
1295 }
1296 }
1297
1298 // Tell NSS to not verify the certificate.
1299 return SECSuccess;
1300 }
1301
1302 #if defined(NSS_PLATFORM_CLIENT_AUTH)
1303 // static
PlatformClientAuthHandler(void * arg,PRFileDesc * socket,CERTDistNames * ca_names,CERTCertList ** result_certs,void ** result_private_key,CERTCertificate ** result_nss_certificate,SECKEYPrivateKey ** result_nss_private_key)1304 SECStatus SSLClientSocketNSS::Core::PlatformClientAuthHandler(
1305 void* arg,
1306 PRFileDesc* socket,
1307 CERTDistNames* ca_names,
1308 CERTCertList** result_certs,
1309 void** result_private_key,
1310 CERTCertificate** result_nss_certificate,
1311 SECKEYPrivateKey** result_nss_private_key) {
1312 Core* core = reinterpret_cast<Core*>(arg);
1313 DCHECK(core->OnNSSTaskRunner());
1314
1315 core->PostOrRunCallback(
1316 FROM_HERE,
1317 base::Bind(&AddLogEvent, core->weak_net_log_,
1318 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
1319
1320 core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert;
1321 #if defined(OS_WIN)
1322 if (core->ssl_config_.send_client_cert) {
1323 if (core->ssl_config_.client_cert) {
1324 PCCERT_CONTEXT cert_context =
1325 core->ssl_config_.client_cert->os_cert_handle();
1326
1327 HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov = 0;
1328 DWORD key_spec = 0;
1329 BOOL must_free = FALSE;
1330 DWORD flags = 0;
1331 if (base::win::GetVersion() >= base::win::VERSION_VISTA)
1332 flags |= CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG;
1333
1334 BOOL acquired_key = CryptAcquireCertificatePrivateKey(
1335 cert_context, flags, NULL, &crypt_prov, &key_spec, &must_free);
1336
1337 if (acquired_key) {
1338 // Should never get a cached handle back - ownership must always be
1339 // transferred.
1340 CHECK_EQ(must_free, TRUE);
1341
1342 SECItem der_cert;
1343 der_cert.type = siDERCertBuffer;
1344 der_cert.data = cert_context->pbCertEncoded;
1345 der_cert.len = cert_context->cbCertEncoded;
1346
1347 // TODO(rsleevi): Error checking for NSS allocation errors.
1348 CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB();
1349 CERTCertificate* user_cert = CERT_NewTempCertificate(
1350 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE);
1351 if (!user_cert) {
1352 // Importing the certificate can fail for reasons including a serial
1353 // number collision. See crbug.com/97355.
1354 core->AddCertProvidedEvent(0);
1355 return SECFailure;
1356 }
1357 CERTCertList* cert_chain = CERT_NewCertList();
1358 CERT_AddCertToListTail(cert_chain, user_cert);
1359
1360 // Add the intermediates.
1361 X509Certificate::OSCertHandles intermediates =
1362 core->ssl_config_.client_cert->GetIntermediateCertificates();
1363 for (X509Certificate::OSCertHandles::const_iterator it =
1364 intermediates.begin(); it != intermediates.end(); ++it) {
1365 der_cert.data = (*it)->pbCertEncoded;
1366 der_cert.len = (*it)->cbCertEncoded;
1367
1368 CERTCertificate* intermediate = CERT_NewTempCertificate(
1369 db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE);
1370 if (!intermediate) {
1371 CERT_DestroyCertList(cert_chain);
1372 core->AddCertProvidedEvent(0);
1373 return SECFailure;
1374 }
1375 CERT_AddCertToListTail(cert_chain, intermediate);
1376 }
1377 PCERT_KEY_CONTEXT key_context = reinterpret_cast<PCERT_KEY_CONTEXT>(
1378 PORT_ZAlloc(sizeof(CERT_KEY_CONTEXT)));
1379 key_context->cbSize = sizeof(*key_context);
1380 // NSS will free this context when no longer in use.
1381 key_context->hCryptProv = crypt_prov;
1382 key_context->dwKeySpec = key_spec;
1383 *result_private_key = key_context;
1384 *result_certs = cert_chain;
1385
1386 int cert_count = 1 + intermediates.size();
1387 core->AddCertProvidedEvent(cert_count);
1388 return SECSuccess;
1389 }
1390 LOG(WARNING) << "Client cert found without private key";
1391 }
1392
1393 // Send no client certificate.
1394 core->AddCertProvidedEvent(0);
1395 return SECFailure;
1396 }
1397
1398 core->nss_handshake_state_.cert_authorities.clear();
1399
1400 std::vector<CERT_NAME_BLOB> issuer_list(ca_names->nnames);
1401 for (int i = 0; i < ca_names->nnames; ++i) {
1402 issuer_list[i].cbData = ca_names->names[i].len;
1403 issuer_list[i].pbData = ca_names->names[i].data;
1404 core->nss_handshake_state_.cert_authorities.push_back(std::string(
1405 reinterpret_cast<const char*>(ca_names->names[i].data),
1406 static_cast<size_t>(ca_names->names[i].len)));
1407 }
1408
1409 // Update the network task runner's view of the handshake state now that
1410 // server certificate request has been recorded.
1411 core->PostOrRunCallback(
1412 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core,
1413 core->nss_handshake_state_));
1414
1415 // Tell NSS to suspend the client authentication. We will then abort the
1416 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
1417 return SECWouldBlock;
1418 #elif defined(OS_MACOSX)
1419 if (core->ssl_config_.send_client_cert) {
1420 if (core->ssl_config_.client_cert.get()) {
1421 OSStatus os_error = noErr;
1422 SecIdentityRef identity = NULL;
1423 SecKeyRef private_key = NULL;
1424 X509Certificate::OSCertHandles chain;
1425 {
1426 base::AutoLock lock(crypto::GetMacSecurityServicesLock());
1427 os_error = SecIdentityCreateWithCertificate(
1428 NULL, core->ssl_config_.client_cert->os_cert_handle(), &identity);
1429 }
1430 if (os_error == noErr) {
1431 os_error = SecIdentityCopyPrivateKey(identity, &private_key);
1432 CFRelease(identity);
1433 }
1434
1435 if (os_error == noErr) {
1436 // TODO(rsleevi): Error checking for NSS allocation errors.
1437 *result_certs = CERT_NewCertList();
1438 *result_private_key = private_key;
1439
1440 chain.push_back(core->ssl_config_.client_cert->os_cert_handle());
1441 const X509Certificate::OSCertHandles& intermediates =
1442 core->ssl_config_.client_cert->GetIntermediateCertificates();
1443 if (!intermediates.empty())
1444 chain.insert(chain.end(), intermediates.begin(), intermediates.end());
1445
1446 for (size_t i = 0, chain_count = chain.size(); i < chain_count; ++i) {
1447 CSSM_DATA cert_data;
1448 SecCertificateRef cert_ref = chain[i];
1449 os_error = SecCertificateGetData(cert_ref, &cert_data);
1450 if (os_error != noErr)
1451 break;
1452
1453 SECItem der_cert;
1454 der_cert.type = siDERCertBuffer;
1455 der_cert.data = cert_data.Data;
1456 der_cert.len = cert_data.Length;
1457 CERTCertificate* nss_cert = CERT_NewTempCertificate(
1458 CERT_GetDefaultCertDB(), &der_cert, NULL, PR_FALSE, PR_TRUE);
1459 if (!nss_cert) {
1460 // In the event of an NSS error, make up an OS error and reuse
1461 // the error handling below.
1462 os_error = errSecCreateChainFailed;
1463 break;
1464 }
1465 CERT_AddCertToListTail(*result_certs, nss_cert);
1466 }
1467 }
1468
1469 if (os_error == noErr) {
1470 core->AddCertProvidedEvent(chain.size());
1471 return SECSuccess;
1472 }
1473
1474 OSSTATUS_LOG(WARNING, os_error)
1475 << "Client cert found, but could not be used";
1476 if (*result_certs) {
1477 CERT_DestroyCertList(*result_certs);
1478 *result_certs = NULL;
1479 }
1480 if (*result_private_key)
1481 *result_private_key = NULL;
1482 if (private_key)
1483 CFRelease(private_key);
1484 }
1485
1486 // Send no client certificate.
1487 core->AddCertProvidedEvent(0);
1488 return SECFailure;
1489 }
1490
1491 core->nss_handshake_state_.cert_authorities.clear();
1492
1493 // Retrieve the cert issuers accepted by the server.
1494 std::vector<CertPrincipal> valid_issuers;
1495 int n = ca_names->nnames;
1496 for (int i = 0; i < n; i++) {
1497 core->nss_handshake_state_.cert_authorities.push_back(std::string(
1498 reinterpret_cast<const char*>(ca_names->names[i].data),
1499 static_cast<size_t>(ca_names->names[i].len)));
1500 }
1501
1502 // Update the network task runner's view of the handshake state now that
1503 // server certificate request has been recorded.
1504 core->PostOrRunCallback(
1505 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core,
1506 core->nss_handshake_state_));
1507
1508 // Tell NSS to suspend the client authentication. We will then abort the
1509 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
1510 return SECWouldBlock;
1511 #else
1512 return SECFailure;
1513 #endif
1514 }
1515
1516 #elif defined(OS_IOS)
1517
ClientAuthHandler(void * arg,PRFileDesc * socket,CERTDistNames * ca_names,CERTCertificate ** result_certificate,SECKEYPrivateKey ** result_private_key)1518 SECStatus SSLClientSocketNSS::Core::ClientAuthHandler(
1519 void* arg,
1520 PRFileDesc* socket,
1521 CERTDistNames* ca_names,
1522 CERTCertificate** result_certificate,
1523 SECKEYPrivateKey** result_private_key) {
1524 Core* core = reinterpret_cast<Core*>(arg);
1525 DCHECK(core->OnNSSTaskRunner());
1526
1527 core->PostOrRunCallback(
1528 FROM_HERE,
1529 base::Bind(&AddLogEvent, core->weak_net_log_,
1530 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
1531
1532 // TODO(droger): Support client auth on iOS. See http://crbug.com/145954).
1533 LOG(WARNING) << "Client auth is not supported";
1534
1535 // Never send a certificate.
1536 core->AddCertProvidedEvent(0);
1537 return SECFailure;
1538 }
1539
1540 #else // NSS_PLATFORM_CLIENT_AUTH
1541
1542 // static
1543 // Based on Mozilla's NSS_GetClientAuthData.
ClientAuthHandler(void * arg,PRFileDesc * socket,CERTDistNames * ca_names,CERTCertificate ** result_certificate,SECKEYPrivateKey ** result_private_key)1544 SECStatus SSLClientSocketNSS::Core::ClientAuthHandler(
1545 void* arg,
1546 PRFileDesc* socket,
1547 CERTDistNames* ca_names,
1548 CERTCertificate** result_certificate,
1549 SECKEYPrivateKey** result_private_key) {
1550 Core* core = reinterpret_cast<Core*>(arg);
1551 DCHECK(core->OnNSSTaskRunner());
1552
1553 core->PostOrRunCallback(
1554 FROM_HERE,
1555 base::Bind(&AddLogEvent, core->weak_net_log_,
1556 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
1557
1558 // Regular client certificate requested.
1559 core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert;
1560 void* wincx = SSL_RevealPinArg(socket);
1561
1562 if (core->ssl_config_.send_client_cert) {
1563 // Second pass: a client certificate should have been selected.
1564 if (core->ssl_config_.client_cert.get()) {
1565 CERTCertificate* cert =
1566 CERT_DupCertificate(core->ssl_config_.client_cert->os_cert_handle());
1567 SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx);
1568 if (privkey) {
1569 // TODO(jsorianopastor): We should wait for server certificate
1570 // verification before sending our credentials. See
1571 // http://crbug.com/13934.
1572 *result_certificate = cert;
1573 *result_private_key = privkey;
1574 // A cert_count of -1 means the number of certificates is unknown.
1575 // NSS will construct the certificate chain.
1576 core->AddCertProvidedEvent(-1);
1577
1578 return SECSuccess;
1579 }
1580 LOG(WARNING) << "Client cert found without private key";
1581 }
1582 // Send no client certificate.
1583 core->AddCertProvidedEvent(0);
1584 return SECFailure;
1585 }
1586
1587 // First pass: client certificate is needed.
1588 core->nss_handshake_state_.cert_authorities.clear();
1589
1590 // Retrieve the DER-encoded DistinguishedName of the cert issuers accepted by
1591 // the server and save them in |cert_authorities|.
1592 for (int i = 0; i < ca_names->nnames; i++) {
1593 core->nss_handshake_state_.cert_authorities.push_back(std::string(
1594 reinterpret_cast<const char*>(ca_names->names[i].data),
1595 static_cast<size_t>(ca_names->names[i].len)));
1596 }
1597
1598 // Update the network task runner's view of the handshake state now that
1599 // server certificate request has been recorded.
1600 core->PostOrRunCallback(
1601 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core,
1602 core->nss_handshake_state_));
1603
1604 // Tell NSS to suspend the client authentication. We will then abort the
1605 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
1606 return SECWouldBlock;
1607 }
1608 #endif // NSS_PLATFORM_CLIENT_AUTH
1609
1610 // static
CanFalseStartCallback(PRFileDesc * socket,void * arg,PRBool * can_false_start)1611 SECStatus SSLClientSocketNSS::Core::CanFalseStartCallback(
1612 PRFileDesc* socket,
1613 void* arg,
1614 PRBool* can_false_start) {
1615 // If the server doesn't support NPN or ALPN, then we don't do False
1616 // Start with it.
1617 PRBool negotiated_extension;
1618 SECStatus rv = SSL_HandshakeNegotiatedExtension(socket,
1619 ssl_app_layer_protocol_xtn,
1620 &negotiated_extension);
1621 if (rv != SECSuccess || !negotiated_extension) {
1622 rv = SSL_HandshakeNegotiatedExtension(socket,
1623 ssl_next_proto_nego_xtn,
1624 &negotiated_extension);
1625 }
1626 if (rv != SECSuccess || !negotiated_extension) {
1627 *can_false_start = PR_FALSE;
1628 return SECSuccess;
1629 }
1630
1631 return SSL_RecommendedCanFalseStart(socket, can_false_start);
1632 }
1633
1634 // static
HandshakeCallback(PRFileDesc * socket,void * arg)1635 void SSLClientSocketNSS::Core::HandshakeCallback(
1636 PRFileDesc* socket,
1637 void* arg) {
1638 Core* core = reinterpret_cast<Core*>(arg);
1639 DCHECK(core->OnNSSTaskRunner());
1640
1641 core->handshake_callback_called_ = true;
1642 if (core->false_started_) {
1643 core->false_started_ = false;
1644 // If the connection was False Started, then at the time of this callback,
1645 // the peer's certificate will have been verified or the caller will have
1646 // accepted the error.
1647 // This is guaranteed when using False Start because this callback will
1648 // not be invoked until processing the peer's Finished message, which
1649 // will only happen in a PR_Read/PR_Write call, which can only happen
1650 // after the peer's certificate is verified.
1651 SSL_CacheSessionUnlocked(socket);
1652
1653 // Additionally, when False Starting, DoHandshake() will have already
1654 // called HandshakeSucceeded(), so return now.
1655 return;
1656 }
1657 core->HandshakeSucceeded();
1658 }
1659
HandshakeSucceeded()1660 void SSLClientSocketNSS::Core::HandshakeSucceeded() {
1661 DCHECK(OnNSSTaskRunner());
1662
1663 PRBool last_handshake_resumed;
1664 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed);
1665 if (rv == SECSuccess && last_handshake_resumed) {
1666 nss_handshake_state_.resumed_handshake = true;
1667 } else {
1668 nss_handshake_state_.resumed_handshake = false;
1669 }
1670
1671 RecordChannelIDSupportOnNSSTaskRunner();
1672 UpdateServerCert();
1673 UpdateSignedCertTimestamps();
1674 UpdateStapledOCSPResponse();
1675 UpdateConnectionStatus();
1676 UpdateNextProto();
1677
1678 // Update the network task runners view of the handshake state whenever
1679 // a handshake has completed.
1680 PostOrRunCallback(
1681 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
1682 nss_handshake_state_));
1683 }
1684
HandleNSSError(PRErrorCode nss_error,bool handshake_error)1685 int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error,
1686 bool handshake_error) {
1687 DCHECK(OnNSSTaskRunner());
1688
1689 int net_error = handshake_error ? MapNSSClientHandshakeError(nss_error) :
1690 MapNSSClientError(nss_error);
1691
1692 #if defined(OS_WIN)
1693 // On Windows, a handle to the HCRYPTPROV is cached in the X509Certificate
1694 // os_cert_handle() as an optimization. However, if the certificate
1695 // private key is stored on a smart card, and the smart card is removed,
1696 // the cached HCRYPTPROV will not be able to obtain the HCRYPTKEY again,
1697 // preventing client certificate authentication. Because the
1698 // X509Certificate may outlive the individual SSLClientSocketNSS, due to
1699 // caching in X509Certificate, this failure ends up preventing client
1700 // certificate authentication with the same certificate for all future
1701 // attempts, even after the smart card has been re-inserted. By setting
1702 // the CERT_KEY_PROV_HANDLE_PROP_ID to NULL, the cached HCRYPTPROV will
1703 // typically be freed. This allows a new HCRYPTPROV to be obtained from
1704 // the certificate on the next attempt, which should succeed if the smart
1705 // card has been re-inserted, or will typically prompt the user to
1706 // re-insert the smart card if not.
1707 if ((net_error == ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY ||
1708 net_error == ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED) &&
1709 ssl_config_.send_client_cert && ssl_config_.client_cert) {
1710 CertSetCertificateContextProperty(
1711 ssl_config_.client_cert->os_cert_handle(),
1712 CERT_KEY_PROV_HANDLE_PROP_ID, 0, NULL);
1713 }
1714 #endif
1715
1716 return net_error;
1717 }
1718
DoHandshakeLoop(int last_io_result)1719 int SSLClientSocketNSS::Core::DoHandshakeLoop(int last_io_result) {
1720 DCHECK(OnNSSTaskRunner());
1721
1722 int rv = last_io_result;
1723 do {
1724 // Default to STATE_NONE for next state.
1725 State state = next_handshake_state_;
1726 GotoState(STATE_NONE);
1727
1728 switch (state) {
1729 case STATE_HANDSHAKE:
1730 rv = DoHandshake();
1731 break;
1732 case STATE_GET_DOMAIN_BOUND_CERT_COMPLETE:
1733 rv = DoGetDBCertComplete(rv);
1734 break;
1735 case STATE_NONE:
1736 default:
1737 rv = ERR_UNEXPECTED;
1738 LOG(DFATAL) << "unexpected state " << state;
1739 break;
1740 }
1741
1742 // Do the actual network I/O
1743 bool network_moved = DoTransportIO();
1744 if (network_moved && next_handshake_state_ == STATE_HANDSHAKE) {
1745 // In general we exit the loop if rv is ERR_IO_PENDING. In this
1746 // special case we keep looping even if rv is ERR_IO_PENDING because
1747 // the transport IO may allow DoHandshake to make progress.
1748 DCHECK(rv == OK || rv == ERR_IO_PENDING);
1749 rv = OK; // This causes us to stay in the loop.
1750 }
1751 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE);
1752 return rv;
1753 }
1754
DoReadLoop(int result)1755 int SSLClientSocketNSS::Core::DoReadLoop(int result) {
1756 DCHECK(OnNSSTaskRunner());
1757 DCHECK(false_started_ || handshake_callback_called_);
1758 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1759
1760 if (result < 0)
1761 return result;
1762
1763 if (!nss_bufs_) {
1764 LOG(DFATAL) << "!nss_bufs_";
1765 int rv = ERR_UNEXPECTED;
1766 PostOrRunCallback(
1767 FROM_HERE,
1768 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1769 NetLog::TYPE_SSL_READ_ERROR,
1770 CreateNetLogSSLErrorCallback(rv, 0)));
1771 return rv;
1772 }
1773
1774 bool network_moved;
1775 int rv;
1776 do {
1777 rv = DoPayloadRead();
1778 network_moved = DoTransportIO();
1779 } while (rv == ERR_IO_PENDING && network_moved);
1780
1781 return rv;
1782 }
1783
DoWriteLoop(int result)1784 int SSLClientSocketNSS::Core::DoWriteLoop(int result) {
1785 DCHECK(OnNSSTaskRunner());
1786 DCHECK(false_started_ || handshake_callback_called_);
1787 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1788
1789 if (result < 0)
1790 return result;
1791
1792 if (!nss_bufs_) {
1793 LOG(DFATAL) << "!nss_bufs_";
1794 int rv = ERR_UNEXPECTED;
1795 PostOrRunCallback(
1796 FROM_HERE,
1797 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1798 NetLog::TYPE_SSL_READ_ERROR,
1799 CreateNetLogSSLErrorCallback(rv, 0)));
1800 return rv;
1801 }
1802
1803 bool network_moved;
1804 int rv;
1805 do {
1806 rv = DoPayloadWrite();
1807 network_moved = DoTransportIO();
1808 } while (rv == ERR_IO_PENDING && network_moved);
1809
1810 LeaveFunction(rv);
1811 return rv;
1812 }
1813
DoHandshake()1814 int SSLClientSocketNSS::Core::DoHandshake() {
1815 DCHECK(OnNSSTaskRunner());
1816
1817 int net_error = net::OK;
1818 SECStatus rv = SSL_ForceHandshake(nss_fd_);
1819
1820 // Note: this function may be called multiple times during the handshake, so
1821 // even though channel id and client auth are separate else cases, they can
1822 // both be used during a single SSL handshake.
1823 if (channel_id_needed_) {
1824 GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE);
1825 net_error = ERR_IO_PENDING;
1826 } else if (client_auth_cert_needed_) {
1827 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
1828 PostOrRunCallback(
1829 FROM_HERE,
1830 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1831 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
1832 CreateNetLogSSLErrorCallback(net_error, 0)));
1833
1834 // If the handshake already succeeded (because the server requests but
1835 // doesn't require a client cert), we need to invalidate the SSL session
1836 // so that we won't try to resume the non-client-authenticated session in
1837 // the next handshake. This will cause the server to ask for a client
1838 // cert again.
1839 if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess)
1840 LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError();
1841 } else if (rv == SECSuccess) {
1842 if (!handshake_callback_called_) {
1843 false_started_ = true;
1844 HandshakeSucceeded();
1845 }
1846 } else {
1847 PRErrorCode prerr = PR_GetError();
1848 net_error = HandleNSSError(prerr, true);
1849
1850 // Some network devices that inspect application-layer packets seem to
1851 // inject TCP reset packets to break the connections when they see
1852 // TLS 1.1 in ClientHello or ServerHello. See http://crbug.com/130293.
1853 //
1854 // Only allow ERR_CONNECTION_RESET to trigger a fallback from TLS 1.1 or
1855 // 1.2. We don't lose much in this fallback because the explicit IV for CBC
1856 // mode in TLS 1.1 is approximated by record splitting in TLS 1.0. The
1857 // fallback will be more painful for TLS 1.2 when we have GCM support.
1858 //
1859 // ERR_CONNECTION_RESET is a common network error, so we don't want it
1860 // to trigger a version fallback in general, especially the TLS 1.0 ->
1861 // SSL 3.0 fallback, which would drop TLS extensions.
1862 if (prerr == PR_CONNECT_RESET_ERROR &&
1863 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1) {
1864 net_error = ERR_SSL_PROTOCOL_ERROR;
1865 }
1866
1867 // If not done, stay in this state
1868 if (net_error == ERR_IO_PENDING) {
1869 GotoState(STATE_HANDSHAKE);
1870 } else {
1871 PostOrRunCallback(
1872 FROM_HERE,
1873 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1874 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
1875 CreateNetLogSSLErrorCallback(net_error, prerr)));
1876 }
1877 }
1878
1879 return net_error;
1880 }
1881
DoGetDBCertComplete(int result)1882 int SSLClientSocketNSS::Core::DoGetDBCertComplete(int result) {
1883 SECStatus rv;
1884 PostOrRunCallback(
1885 FROM_HERE,
1886 base::Bind(&BoundNetLog::EndEventWithNetErrorCode, weak_net_log_,
1887 NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, result));
1888
1889 channel_id_needed_ = false;
1890
1891 if (result != OK)
1892 return result;
1893
1894 SECKEYPublicKey* public_key;
1895 SECKEYPrivateKey* private_key;
1896 int error = ImportChannelIDKeys(&public_key, &private_key);
1897 if (error != OK)
1898 return error;
1899
1900 rv = SSL_RestartHandshakeAfterChannelIDReq(nss_fd_, public_key, private_key);
1901 if (rv != SECSuccess)
1902 return MapNSSError(PORT_GetError());
1903
1904 SetChannelIDProvided();
1905 GotoState(STATE_HANDSHAKE);
1906 return OK;
1907 }
1908
DoPayloadRead()1909 int SSLClientSocketNSS::Core::DoPayloadRead() {
1910 DCHECK(OnNSSTaskRunner());
1911 DCHECK(user_read_buf_.get());
1912 DCHECK_GT(user_read_buf_len_, 0);
1913
1914 int rv;
1915 // If a previous greedy read resulted in an error that was not consumed (eg:
1916 // due to the caller having read some data successfully), then return that
1917 // pending error now.
1918 if (pending_read_result_ != kNoPendingReadResult) {
1919 rv = pending_read_result_;
1920 PRErrorCode prerr = pending_read_nss_error_;
1921 pending_read_result_ = kNoPendingReadResult;
1922 pending_read_nss_error_ = 0;
1923
1924 if (rv == 0) {
1925 PostOrRunCallback(
1926 FROM_HERE,
1927 base::Bind(&LogByteTransferEvent, weak_net_log_,
1928 NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv,
1929 scoped_refptr<IOBuffer>(user_read_buf_)));
1930 } else {
1931 PostOrRunCallback(
1932 FROM_HERE,
1933 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1934 NetLog::TYPE_SSL_READ_ERROR,
1935 CreateNetLogSSLErrorCallback(rv, prerr)));
1936 }
1937 return rv;
1938 }
1939
1940 // Perform a greedy read, attempting to read as much as the caller has
1941 // requested. In the current NSS implementation, PR_Read will return
1942 // exactly one SSL application data record's worth of data per invocation.
1943 // The record size is dictated by the server, and may be noticeably smaller
1944 // than the caller's buffer. This may be as little as a single byte, if the
1945 // server is performing 1/n-1 record splitting.
1946 //
1947 // However, this greedy read may result in renegotiations/re-handshakes
1948 // happening or may lead to some data being read, followed by an EOF (such as
1949 // a TLS close-notify). If at least some data was read, then that result
1950 // should be deferred until the next call to DoPayloadRead(). Otherwise, if no
1951 // data was read, it's safe to return the error or EOF immediately.
1952 int total_bytes_read = 0;
1953 do {
1954 rv = PR_Read(nss_fd_, user_read_buf_->data() + total_bytes_read,
1955 user_read_buf_len_ - total_bytes_read);
1956 if (rv > 0)
1957 total_bytes_read += rv;
1958 } while (total_bytes_read < user_read_buf_len_ && rv > 0);
1959 int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
1960 PostOrRunCallback(FROM_HERE, base::Bind(&Core::OnNSSBufferUpdated, this,
1961 amount_in_read_buffer));
1962
1963 if (total_bytes_read == user_read_buf_len_) {
1964 // The caller's entire request was satisfied without error. No further
1965 // processing needed.
1966 rv = total_bytes_read;
1967 } else {
1968 // Otherwise, an error occurred (rv <= 0). The error needs to be handled
1969 // immediately, while the NSPR/NSS errors are still available in
1970 // thread-local storage. However, the handled/remapped error code should
1971 // only be returned if no application data was already read; if it was, the
1972 // error code should be deferred until the next call of DoPayloadRead.
1973 //
1974 // If no data was read, |*next_result| will point to the return value of
1975 // this function. If at least some data was read, |*next_result| will point
1976 // to |pending_read_error_|, to be returned in a future call to
1977 // DoPayloadRead() (e.g.: after the current data is handled).
1978 int* next_result = &rv;
1979 if (total_bytes_read > 0) {
1980 pending_read_result_ = rv;
1981 rv = total_bytes_read;
1982 next_result = &pending_read_result_;
1983 }
1984
1985 if (client_auth_cert_needed_) {
1986 *next_result = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
1987 pending_read_nss_error_ = 0;
1988 } else if (*next_result < 0) {
1989 // If *next_result == 0, then that indicates EOF, and no special error
1990 // handling is needed.
1991 pending_read_nss_error_ = PR_GetError();
1992 *next_result = HandleNSSError(pending_read_nss_error_, false);
1993 if (rv > 0 && *next_result == ERR_IO_PENDING) {
1994 // If at least some data was read from PR_Read(), do not treat
1995 // insufficient data as an error to return in the next call to
1996 // DoPayloadRead() - instead, let the call fall through to check
1997 // PR_Read() again. This is because DoTransportIO() may complete
1998 // in between the next call to DoPayloadRead(), and thus it is
1999 // important to check PR_Read() on subsequent invocations to see
2000 // if a complete record may now be read.
2001 pending_read_nss_error_ = 0;
2002 pending_read_result_ = kNoPendingReadResult;
2003 }
2004 }
2005 }
2006
2007 DCHECK_NE(ERR_IO_PENDING, pending_read_result_);
2008
2009 if (rv >= 0) {
2010 PostOrRunCallback(
2011 FROM_HERE,
2012 base::Bind(&LogByteTransferEvent, weak_net_log_,
2013 NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv,
2014 scoped_refptr<IOBuffer>(user_read_buf_)));
2015 } else if (rv != ERR_IO_PENDING) {
2016 PostOrRunCallback(
2017 FROM_HERE,
2018 base::Bind(&AddLogEventWithCallback, weak_net_log_,
2019 NetLog::TYPE_SSL_READ_ERROR,
2020 CreateNetLogSSLErrorCallback(rv, pending_read_nss_error_)));
2021 pending_read_nss_error_ = 0;
2022 }
2023 return rv;
2024 }
2025
DoPayloadWrite()2026 int SSLClientSocketNSS::Core::DoPayloadWrite() {
2027 DCHECK(OnNSSTaskRunner());
2028
2029 DCHECK(user_write_buf_.get());
2030
2031 int old_amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
2032 int rv = PR_Write(nss_fd_, user_write_buf_->data(), user_write_buf_len_);
2033 int new_amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
2034 // PR_Write could potentially consume the unhandled data in the memio read
2035 // buffer if a renegotiation is in progress. If the buffer is consumed,
2036 // notify the latest buffer size to NetworkRunner.
2037 if (old_amount_in_read_buffer != new_amount_in_read_buffer) {
2038 PostOrRunCallback(
2039 FROM_HERE,
2040 base::Bind(&Core::OnNSSBufferUpdated, this, new_amount_in_read_buffer));
2041 }
2042 if (rv >= 0) {
2043 PostOrRunCallback(
2044 FROM_HERE,
2045 base::Bind(&LogByteTransferEvent, weak_net_log_,
2046 NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
2047 scoped_refptr<IOBuffer>(user_write_buf_)));
2048 return rv;
2049 }
2050 PRErrorCode prerr = PR_GetError();
2051 if (prerr == PR_WOULD_BLOCK_ERROR)
2052 return ERR_IO_PENDING;
2053
2054 rv = HandleNSSError(prerr, false);
2055 PostOrRunCallback(
2056 FROM_HERE,
2057 base::Bind(&AddLogEventWithCallback, weak_net_log_,
2058 NetLog::TYPE_SSL_WRITE_ERROR,
2059 CreateNetLogSSLErrorCallback(rv, prerr)));
2060 return rv;
2061 }
2062
2063 // Do as much network I/O as possible between the buffer and the
2064 // transport socket. Return true if some I/O performed, false
2065 // otherwise (error or ERR_IO_PENDING).
DoTransportIO()2066 bool SSLClientSocketNSS::Core::DoTransportIO() {
2067 DCHECK(OnNSSTaskRunner());
2068
2069 bool network_moved = false;
2070 if (nss_bufs_ != NULL) {
2071 int rv;
2072 // Read and write as much data as we can. The loop is neccessary
2073 // because Write() may return synchronously.
2074 do {
2075 rv = BufferSend();
2076 if (rv != ERR_IO_PENDING && rv != 0)
2077 network_moved = true;
2078 } while (rv > 0);
2079 if (!transport_recv_eof_ && BufferRecv() != ERR_IO_PENDING)
2080 network_moved = true;
2081 }
2082 return network_moved;
2083 }
2084
BufferRecv()2085 int SSLClientSocketNSS::Core::BufferRecv() {
2086 DCHECK(OnNSSTaskRunner());
2087
2088 if (transport_recv_busy_)
2089 return ERR_IO_PENDING;
2090
2091 // If NSS is blocked on reading from |nss_bufs_|, because it is empty,
2092 // determine how much data NSS wants to read. If NSS was not blocked,
2093 // this will return 0.
2094 int requested = memio_GetReadRequest(nss_bufs_);
2095 if (requested == 0) {
2096 // This is not a perfect match of error codes, as no operation is
2097 // actually pending. However, returning 0 would be interpreted as a
2098 // possible sign of EOF, which is also an inappropriate match.
2099 return ERR_IO_PENDING;
2100 }
2101
2102 char* buf;
2103 int nb = memio_GetReadParams(nss_bufs_, &buf);
2104 int rv;
2105 if (!nb) {
2106 // buffer too full to read into, so no I/O possible at moment
2107 rv = ERR_IO_PENDING;
2108 } else {
2109 scoped_refptr<IOBuffer> read_buffer(new IOBuffer(nb));
2110 if (OnNetworkTaskRunner()) {
2111 rv = DoBufferRecv(read_buffer.get(), nb);
2112 } else {
2113 bool posted = network_task_runner_->PostTask(
2114 FROM_HERE,
2115 base::Bind(IgnoreResult(&Core::DoBufferRecv), this, read_buffer,
2116 nb));
2117 rv = posted ? ERR_IO_PENDING : ERR_ABORTED;
2118 }
2119
2120 if (rv == ERR_IO_PENDING) {
2121 transport_recv_busy_ = true;
2122 } else {
2123 if (rv > 0) {
2124 memcpy(buf, read_buffer->data(), rv);
2125 } else if (rv == 0) {
2126 transport_recv_eof_ = true;
2127 }
2128 memio_PutReadResult(nss_bufs_, MapErrorToNSS(rv));
2129 }
2130 }
2131 return rv;
2132 }
2133
2134 // Return 0 if nss_bufs_ was empty,
2135 // > 0 for bytes transferred immediately,
2136 // < 0 for error (or the non-error ERR_IO_PENDING).
BufferSend()2137 int SSLClientSocketNSS::Core::BufferSend() {
2138 DCHECK(OnNSSTaskRunner());
2139
2140 if (transport_send_busy_)
2141 return ERR_IO_PENDING;
2142
2143 const char* buf1;
2144 const char* buf2;
2145 unsigned int len1, len2;
2146 if (memio_GetWriteParams(nss_bufs_, &buf1, &len1, &buf2, &len2)) {
2147 // It is important this return synchronously to prevent spinning infinitely
2148 // in the off-thread NSS case. The error code itself is ignored, so just
2149 // return ERR_ABORTED. See https://crbug.com/381160.
2150 return ERR_ABORTED;
2151 }
2152 const unsigned int len = len1 + len2;
2153
2154 int rv = 0;
2155 if (len) {
2156 scoped_refptr<IOBuffer> send_buffer(new IOBuffer(len));
2157 memcpy(send_buffer->data(), buf1, len1);
2158 memcpy(send_buffer->data() + len1, buf2, len2);
2159
2160 if (OnNetworkTaskRunner()) {
2161 rv = DoBufferSend(send_buffer.get(), len);
2162 } else {
2163 bool posted = network_task_runner_->PostTask(
2164 FROM_HERE,
2165 base::Bind(IgnoreResult(&Core::DoBufferSend), this, send_buffer,
2166 len));
2167 rv = posted ? ERR_IO_PENDING : ERR_ABORTED;
2168 }
2169
2170 if (rv == ERR_IO_PENDING) {
2171 transport_send_busy_ = true;
2172 } else {
2173 memio_PutWriteResult(nss_bufs_, MapErrorToNSS(rv));
2174 }
2175 }
2176
2177 return rv;
2178 }
2179
OnRecvComplete(int result)2180 void SSLClientSocketNSS::Core::OnRecvComplete(int result) {
2181 DCHECK(OnNSSTaskRunner());
2182
2183 if (next_handshake_state_ == STATE_HANDSHAKE) {
2184 OnHandshakeIOComplete(result);
2185 return;
2186 }
2187
2188 // Network layer received some data, check if client requested to read
2189 // decrypted data.
2190 if (!user_read_buf_.get())
2191 return;
2192
2193 int rv = DoReadLoop(result);
2194 if (rv != ERR_IO_PENDING)
2195 DoReadCallback(rv);
2196 }
2197
OnSendComplete(int result)2198 void SSLClientSocketNSS::Core::OnSendComplete(int result) {
2199 DCHECK(OnNSSTaskRunner());
2200
2201 if (next_handshake_state_ == STATE_HANDSHAKE) {
2202 OnHandshakeIOComplete(result);
2203 return;
2204 }
2205
2206 // OnSendComplete may need to call DoPayloadRead while the renegotiation
2207 // handshake is in progress.
2208 int rv_read = ERR_IO_PENDING;
2209 int rv_write = ERR_IO_PENDING;
2210 bool network_moved;
2211 do {
2212 if (user_read_buf_.get())
2213 rv_read = DoPayloadRead();
2214 if (user_write_buf_.get())
2215 rv_write = DoPayloadWrite();
2216 network_moved = DoTransportIO();
2217 } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING &&
2218 (user_read_buf_.get() || user_write_buf_.get()) && network_moved);
2219
2220 // If the parent SSLClientSocketNSS is deleted during the processing of the
2221 // Read callback and OnNSSTaskRunner() == OnNetworkTaskRunner(), then the Core
2222 // will be detached (and possibly deleted). Guard against deletion by taking
2223 // an extra reference, then check if the Core was detached before invoking the
2224 // next callback.
2225 scoped_refptr<Core> guard(this);
2226 if (user_read_buf_.get() && rv_read != ERR_IO_PENDING)
2227 DoReadCallback(rv_read);
2228
2229 if (OnNetworkTaskRunner() && detached_)
2230 return;
2231
2232 if (user_write_buf_.get() && rv_write != ERR_IO_PENDING)
2233 DoWriteCallback(rv_write);
2234 }
2235
2236 // As part of Connect(), the SSLClientSocketNSS object performs an SSL
2237 // handshake. This requires network IO, which in turn calls
2238 // BufferRecvComplete() with a non-zero byte count. This byte count eventually
2239 // winds its way through the state machine and ends up being passed to the
2240 // callback. For Read() and Write(), that's what we want. But for Connect(),
2241 // the caller expects OK (i.e. 0) for success.
DoConnectCallback(int rv)2242 void SSLClientSocketNSS::Core::DoConnectCallback(int rv) {
2243 DCHECK(OnNSSTaskRunner());
2244 DCHECK_NE(rv, ERR_IO_PENDING);
2245 DCHECK(!user_connect_callback_.is_null());
2246
2247 base::Closure c = base::Bind(
2248 base::ResetAndReturn(&user_connect_callback_),
2249 rv > OK ? OK : rv);
2250 PostOrRunCallback(FROM_HERE, c);
2251 }
2252
DoReadCallback(int rv)2253 void SSLClientSocketNSS::Core::DoReadCallback(int rv) {
2254 DCHECK(OnNSSTaskRunner());
2255 DCHECK_NE(ERR_IO_PENDING, rv);
2256 DCHECK(!user_read_callback_.is_null());
2257
2258 user_read_buf_ = NULL;
2259 user_read_buf_len_ = 0;
2260 int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
2261 // This is used to curry the |amount_int_read_buffer| and |user_cb| back to
2262 // the network task runner.
2263 PostOrRunCallback(
2264 FROM_HERE,
2265 base::Bind(&Core::OnNSSBufferUpdated, this, amount_in_read_buffer));
2266 PostOrRunCallback(
2267 FROM_HERE,
2268 base::Bind(&Core::DidNSSRead, this, rv));
2269 PostOrRunCallback(
2270 FROM_HERE,
2271 base::Bind(base::ResetAndReturn(&user_read_callback_), rv));
2272 }
2273
DoWriteCallback(int rv)2274 void SSLClientSocketNSS::Core::DoWriteCallback(int rv) {
2275 DCHECK(OnNSSTaskRunner());
2276 DCHECK_NE(ERR_IO_PENDING, rv);
2277 DCHECK(!user_write_callback_.is_null());
2278
2279 // Since Run may result in Write being called, clear |user_write_callback_|
2280 // up front.
2281 user_write_buf_ = NULL;
2282 user_write_buf_len_ = 0;
2283 // Update buffer status because DoWriteLoop called DoTransportIO which may
2284 // perform read operations.
2285 int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
2286 // This is used to curry the |amount_int_read_buffer| and |user_cb| back to
2287 // the network task runner.
2288 PostOrRunCallback(
2289 FROM_HERE,
2290 base::Bind(&Core::OnNSSBufferUpdated, this, amount_in_read_buffer));
2291 PostOrRunCallback(
2292 FROM_HERE,
2293 base::Bind(&Core::DidNSSWrite, this, rv));
2294 PostOrRunCallback(
2295 FROM_HERE,
2296 base::Bind(base::ResetAndReturn(&user_write_callback_), rv));
2297 }
2298
ClientChannelIDHandler(void * arg,PRFileDesc * socket,SECKEYPublicKey ** out_public_key,SECKEYPrivateKey ** out_private_key)2299 SECStatus SSLClientSocketNSS::Core::ClientChannelIDHandler(
2300 void* arg,
2301 PRFileDesc* socket,
2302 SECKEYPublicKey **out_public_key,
2303 SECKEYPrivateKey **out_private_key) {
2304 Core* core = reinterpret_cast<Core*>(arg);
2305 DCHECK(core->OnNSSTaskRunner());
2306
2307 core->PostOrRunCallback(
2308 FROM_HERE,
2309 base::Bind(&AddLogEvent, core->weak_net_log_,
2310 NetLog::TYPE_SSL_CHANNEL_ID_REQUESTED));
2311
2312 // We have negotiated the TLS channel ID extension.
2313 core->channel_id_xtn_negotiated_ = true;
2314 std::string host = core->host_and_port_.host();
2315 int error = ERR_UNEXPECTED;
2316 if (core->OnNetworkTaskRunner()) {
2317 error = core->DoGetDomainBoundCert(host);
2318 } else {
2319 bool posted = core->network_task_runner_->PostTask(
2320 FROM_HERE,
2321 base::Bind(
2322 IgnoreResult(&Core::DoGetDomainBoundCert),
2323 core, host));
2324 error = posted ? ERR_IO_PENDING : ERR_ABORTED;
2325 }
2326
2327 if (error == ERR_IO_PENDING) {
2328 // Asynchronous case.
2329 core->channel_id_needed_ = true;
2330 return SECWouldBlock;
2331 }
2332
2333 core->PostOrRunCallback(
2334 FROM_HERE,
2335 base::Bind(&BoundNetLog::EndEventWithNetErrorCode, core->weak_net_log_,
2336 NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, error));
2337 SECStatus rv = SECSuccess;
2338 if (error == OK) {
2339 // Synchronous success.
2340 int result = core->ImportChannelIDKeys(out_public_key, out_private_key);
2341 if (result == OK)
2342 core->SetChannelIDProvided();
2343 else
2344 rv = SECFailure;
2345 } else {
2346 rv = SECFailure;
2347 }
2348
2349 return rv;
2350 }
2351
ImportChannelIDKeys(SECKEYPublicKey ** public_key,SECKEYPrivateKey ** key)2352 int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key,
2353 SECKEYPrivateKey** key) {
2354 // Set the certificate.
2355 SECItem cert_item;
2356 cert_item.data = (unsigned char*) domain_bound_cert_.data();
2357 cert_item.len = domain_bound_cert_.size();
2358 ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
2359 &cert_item,
2360 NULL,
2361 PR_FALSE,
2362 PR_TRUE));
2363 if (cert == NULL)
2364 return MapNSSError(PORT_GetError());
2365
2366 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
2367 // Set the private key.
2368 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
2369 slot.get(),
2370 ServerBoundCertService::kEPKIPassword,
2371 reinterpret_cast<const unsigned char*>(
2372 domain_bound_private_key_.data()),
2373 domain_bound_private_key_.size(),
2374 &cert->subjectPublicKeyInfo,
2375 false,
2376 false,
2377 key,
2378 public_key)) {
2379 int error = MapNSSError(PORT_GetError());
2380 return error;
2381 }
2382
2383 return OK;
2384 }
2385
UpdateServerCert()2386 void SSLClientSocketNSS::Core::UpdateServerCert() {
2387 nss_handshake_state_.server_cert_chain.Reset(nss_fd_);
2388 nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain(
2389 nss_handshake_state_.server_cert_chain.AsStringPieceVector());
2390 if (nss_handshake_state_.server_cert.get()) {
2391 // Since this will be called asynchronously on another thread, it needs to
2392 // own a reference to the certificate.
2393 NetLog::ParametersCallback net_log_callback =
2394 base::Bind(&NetLogX509CertificateCallback,
2395 nss_handshake_state_.server_cert);
2396 PostOrRunCallback(
2397 FROM_HERE,
2398 base::Bind(&AddLogEventWithCallback, weak_net_log_,
2399 NetLog::TYPE_SSL_CERTIFICATES_RECEIVED,
2400 net_log_callback));
2401 }
2402 }
2403
UpdateSignedCertTimestamps()2404 void SSLClientSocketNSS::Core::UpdateSignedCertTimestamps() {
2405 const SECItem* signed_cert_timestamps =
2406 SSL_PeerSignedCertTimestamps(nss_fd_);
2407
2408 if (!signed_cert_timestamps || !signed_cert_timestamps->len)
2409 return;
2410
2411 nss_handshake_state_.sct_list_from_tls_extension = std::string(
2412 reinterpret_cast<char*>(signed_cert_timestamps->data),
2413 signed_cert_timestamps->len);
2414 }
2415
UpdateStapledOCSPResponse()2416 void SSLClientSocketNSS::Core::UpdateStapledOCSPResponse() {
2417 PRBool ocsp_requested = PR_FALSE;
2418 SSL_OptionGet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, &ocsp_requested);
2419 const SECItemArray* ocsp_responses =
2420 SSL_PeerStapledOCSPResponses(nss_fd_);
2421 bool ocsp_responses_present = ocsp_responses && ocsp_responses->len;
2422 if (ocsp_requested)
2423 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_responses_present);
2424 if (!ocsp_responses_present)
2425 return;
2426
2427 nss_handshake_state_.stapled_ocsp_response = std::string(
2428 reinterpret_cast<char*>(ocsp_responses->items[0].data),
2429 ocsp_responses->items[0].len);
2430
2431 // TODO(agl): figure out how to plumb an OCSP response into the Mac
2432 // system library and update IsOCSPStaplingSupported for Mac.
2433 if (IsOCSPStaplingSupported()) {
2434 #if defined(OS_WIN)
2435 if (nss_handshake_state_.server_cert) {
2436 CRYPT_DATA_BLOB ocsp_response_blob;
2437 ocsp_response_blob.cbData = ocsp_responses->items[0].len;
2438 ocsp_response_blob.pbData = ocsp_responses->items[0].data;
2439 BOOL ok = CertSetCertificateContextProperty(
2440 nss_handshake_state_.server_cert->os_cert_handle(),
2441 CERT_OCSP_RESPONSE_PROP_ID,
2442 CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
2443 &ocsp_response_blob);
2444 if (!ok) {
2445 VLOG(1) << "Failed to set OCSP response property: "
2446 << GetLastError();
2447 }
2448 }
2449 #elif defined(USE_NSS)
2450 CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
2451 GetCacheOCSPResponseFromSideChannelFunction();
2452
2453 cache_ocsp_response(
2454 CERT_GetDefaultCertDB(),
2455 nss_handshake_state_.server_cert_chain[0], PR_Now(),
2456 &ocsp_responses->items[0], NULL);
2457 #endif
2458 } // IsOCSPStaplingSupported()
2459 }
2460
UpdateConnectionStatus()2461 void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
2462 SSLChannelInfo channel_info;
2463 SECStatus ok = SSL_GetChannelInfo(nss_fd_,
2464 &channel_info, sizeof(channel_info));
2465 if (ok == SECSuccess &&
2466 channel_info.length == sizeof(channel_info) &&
2467 channel_info.cipherSuite) {
2468 nss_handshake_state_.ssl_connection_status |=
2469 (static_cast<int>(channel_info.cipherSuite) &
2470 SSL_CONNECTION_CIPHERSUITE_MASK) <<
2471 SSL_CONNECTION_CIPHERSUITE_SHIFT;
2472
2473 nss_handshake_state_.ssl_connection_status |=
2474 (static_cast<int>(channel_info.compressionMethod) &
2475 SSL_CONNECTION_COMPRESSION_MASK) <<
2476 SSL_CONNECTION_COMPRESSION_SHIFT;
2477
2478 // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't
2479 // support it yet), so use 0x0303 directly.
2480 int version = SSL_CONNECTION_VERSION_UNKNOWN;
2481 if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
2482 // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
2483 // version 2.
2484 version = SSL_CONNECTION_VERSION_SSL2;
2485 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) {
2486 version = SSL_CONNECTION_VERSION_SSL3;
2487 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) {
2488 version = SSL_CONNECTION_VERSION_TLS1;
2489 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) {
2490 version = SSL_CONNECTION_VERSION_TLS1_1;
2491 } else if (channel_info.protocolVersion == 0x0303) {
2492 version = SSL_CONNECTION_VERSION_TLS1_2;
2493 }
2494 nss_handshake_state_.ssl_connection_status |=
2495 (version & SSL_CONNECTION_VERSION_MASK) <<
2496 SSL_CONNECTION_VERSION_SHIFT;
2497 }
2498
2499 PRBool peer_supports_renego_ext;
2500 ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn,
2501 &peer_supports_renego_ext);
2502 if (ok == SECSuccess) {
2503 if (!peer_supports_renego_ext) {
2504 nss_handshake_state_.ssl_connection_status |=
2505 SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
2506 // Log an informational message if the server does not support secure
2507 // renegotiation (RFC 5746).
2508 VLOG(1) << "The server " << host_and_port_.ToString()
2509 << " does not support the TLS renegotiation_info extension.";
2510 }
2511 UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",
2512 peer_supports_renego_ext, 2);
2513
2514 // We would like to eliminate fallback to SSLv3 for non-buggy servers
2515 // because of security concerns. For example, Google offers forward
2516 // secrecy with ECDHE but that requires TLS 1.0. An attacker can block
2517 // TLSv1 connections and force us to downgrade to SSLv3 and remove forward
2518 // secrecy.
2519 //
2520 // Yngve from Opera has suggested using the renegotiation extension as an
2521 // indicator that SSLv3 fallback was mistaken:
2522 // tools.ietf.org/html/draft-pettersen-tls-version-rollback-removal-00 .
2523 //
2524 // As a first step, measure how often clients perform version fallback
2525 // while the server advertises support secure renegotiation.
2526 if (ssl_config_.version_fallback &&
2527 channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) {
2528 UMA_HISTOGRAM_BOOLEAN("Net.SSLv3FallbackToRenegoPatchedServer",
2529 peer_supports_renego_ext == PR_TRUE);
2530 }
2531 }
2532
2533 if (ssl_config_.version_fallback) {
2534 nss_handshake_state_.ssl_connection_status |=
2535 SSL_CONNECTION_VERSION_FALLBACK;
2536 }
2537 }
2538
UpdateNextProto()2539 void SSLClientSocketNSS::Core::UpdateNextProto() {
2540 uint8 buf[256];
2541 SSLNextProtoState state;
2542 unsigned buf_len;
2543
2544 SECStatus rv = SSL_GetNextProto(nss_fd_, &state, buf, &buf_len, sizeof(buf));
2545 if (rv != SECSuccess)
2546 return;
2547
2548 nss_handshake_state_.next_proto =
2549 std::string(reinterpret_cast<char*>(buf), buf_len);
2550 switch (state) {
2551 case SSL_NEXT_PROTO_NEGOTIATED:
2552 case SSL_NEXT_PROTO_SELECTED:
2553 nss_handshake_state_.next_proto_status = kNextProtoNegotiated;
2554 break;
2555 case SSL_NEXT_PROTO_NO_OVERLAP:
2556 nss_handshake_state_.next_proto_status = kNextProtoNoOverlap;
2557 break;
2558 case SSL_NEXT_PROTO_NO_SUPPORT:
2559 nss_handshake_state_.next_proto_status = kNextProtoUnsupported;
2560 break;
2561 default:
2562 NOTREACHED();
2563 break;
2564 }
2565 }
2566
RecordChannelIDSupportOnNSSTaskRunner()2567 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() {
2568 DCHECK(OnNSSTaskRunner());
2569 if (nss_handshake_state_.resumed_handshake)
2570 return;
2571
2572 // Copy the NSS task runner-only state to the network task runner and
2573 // log histograms from there, since the histograms also need access to the
2574 // network task runner state.
2575 PostOrRunCallback(
2576 FROM_HERE,
2577 base::Bind(&Core::RecordChannelIDSupportOnNetworkTaskRunner,
2578 this,
2579 channel_id_xtn_negotiated_,
2580 ssl_config_.channel_id_enabled,
2581 crypto::ECPrivateKey::IsSupported()));
2582 }
2583
RecordChannelIDSupportOnNetworkTaskRunner(bool negotiated_channel_id,bool channel_id_enabled,bool supports_ecc) const2584 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNetworkTaskRunner(
2585 bool negotiated_channel_id,
2586 bool channel_id_enabled,
2587 bool supports_ecc) const {
2588 DCHECK(OnNetworkTaskRunner());
2589
2590 RecordChannelIDSupport(server_bound_cert_service_,
2591 negotiated_channel_id,
2592 channel_id_enabled,
2593 supports_ecc);
2594 }
2595
DoBufferRecv(IOBuffer * read_buffer,int len)2596 int SSLClientSocketNSS::Core::DoBufferRecv(IOBuffer* read_buffer, int len) {
2597 DCHECK(OnNetworkTaskRunner());
2598 DCHECK_GT(len, 0);
2599
2600 if (detached_)
2601 return ERR_ABORTED;
2602
2603 int rv = transport_->socket()->Read(
2604 read_buffer, len,
2605 base::Bind(&Core::BufferRecvComplete, base::Unretained(this),
2606 scoped_refptr<IOBuffer>(read_buffer)));
2607
2608 if (!OnNSSTaskRunner() && rv != ERR_IO_PENDING) {
2609 nss_task_runner_->PostTask(
2610 FROM_HERE, base::Bind(&Core::BufferRecvComplete, this,
2611 scoped_refptr<IOBuffer>(read_buffer), rv));
2612 return rv;
2613 }
2614
2615 return rv;
2616 }
2617
DoBufferSend(IOBuffer * send_buffer,int len)2618 int SSLClientSocketNSS::Core::DoBufferSend(IOBuffer* send_buffer, int len) {
2619 DCHECK(OnNetworkTaskRunner());
2620 DCHECK_GT(len, 0);
2621
2622 if (detached_)
2623 return ERR_ABORTED;
2624
2625 int rv = transport_->socket()->Write(
2626 send_buffer, len,
2627 base::Bind(&Core::BufferSendComplete,
2628 base::Unretained(this)));
2629
2630 if (!OnNSSTaskRunner() && rv != ERR_IO_PENDING) {
2631 nss_task_runner_->PostTask(
2632 FROM_HERE,
2633 base::Bind(&Core::BufferSendComplete, this, rv));
2634 return rv;
2635 }
2636
2637 return rv;
2638 }
2639
DoGetDomainBoundCert(const std::string & host)2640 int SSLClientSocketNSS::Core::DoGetDomainBoundCert(const std::string& host) {
2641 DCHECK(OnNetworkTaskRunner());
2642
2643 if (detached_)
2644 return ERR_FAILED;
2645
2646 weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT);
2647
2648 int rv = server_bound_cert_service_->GetOrCreateDomainBoundCert(
2649 host,
2650 &domain_bound_private_key_,
2651 &domain_bound_cert_,
2652 base::Bind(&Core::OnGetDomainBoundCertComplete, base::Unretained(this)),
2653 &domain_bound_cert_request_handle_);
2654
2655 if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) {
2656 nss_task_runner_->PostTask(
2657 FROM_HERE,
2658 base::Bind(&Core::OnHandshakeIOComplete, this, rv));
2659 return ERR_IO_PENDING;
2660 }
2661
2662 return rv;
2663 }
2664
OnHandshakeStateUpdated(const HandshakeState & state)2665 void SSLClientSocketNSS::Core::OnHandshakeStateUpdated(
2666 const HandshakeState& state) {
2667 DCHECK(OnNetworkTaskRunner());
2668 network_handshake_state_ = state;
2669 }
2670
OnNSSBufferUpdated(int amount_in_read_buffer)2671 void SSLClientSocketNSS::Core::OnNSSBufferUpdated(int amount_in_read_buffer) {
2672 DCHECK(OnNetworkTaskRunner());
2673 unhandled_buffer_size_ = amount_in_read_buffer;
2674 }
2675
DidNSSRead(int result)2676 void SSLClientSocketNSS::Core::DidNSSRead(int result) {
2677 DCHECK(OnNetworkTaskRunner());
2678 DCHECK(nss_waiting_read_);
2679 nss_waiting_read_ = false;
2680 if (result <= 0) {
2681 nss_is_closed_ = true;
2682 } else {
2683 was_ever_used_ = true;
2684 }
2685 }
2686
DidNSSWrite(int result)2687 void SSLClientSocketNSS::Core::DidNSSWrite(int result) {
2688 DCHECK(OnNetworkTaskRunner());
2689 DCHECK(nss_waiting_write_);
2690 nss_waiting_write_ = false;
2691 if (result < 0) {
2692 nss_is_closed_ = true;
2693 } else if (result > 0) {
2694 was_ever_used_ = true;
2695 }
2696 }
2697
BufferSendComplete(int result)2698 void SSLClientSocketNSS::Core::BufferSendComplete(int result) {
2699 if (!OnNSSTaskRunner()) {
2700 if (detached_)
2701 return;
2702
2703 nss_task_runner_->PostTask(
2704 FROM_HERE, base::Bind(&Core::BufferSendComplete, this, result));
2705 return;
2706 }
2707
2708 DCHECK(OnNSSTaskRunner());
2709
2710 memio_PutWriteResult(nss_bufs_, MapErrorToNSS(result));
2711 transport_send_busy_ = false;
2712 OnSendComplete(result);
2713 }
2714
OnHandshakeIOComplete(int result)2715 void SSLClientSocketNSS::Core::OnHandshakeIOComplete(int result) {
2716 if (!OnNSSTaskRunner()) {
2717 if (detached_)
2718 return;
2719
2720 nss_task_runner_->PostTask(
2721 FROM_HERE, base::Bind(&Core::OnHandshakeIOComplete, this, result));
2722 return;
2723 }
2724
2725 DCHECK(OnNSSTaskRunner());
2726
2727 int rv = DoHandshakeLoop(result);
2728 if (rv != ERR_IO_PENDING)
2729 DoConnectCallback(rv);
2730 }
2731
OnGetDomainBoundCertComplete(int result)2732 void SSLClientSocketNSS::Core::OnGetDomainBoundCertComplete(int result) {
2733 DVLOG(1) << __FUNCTION__ << " " << result;
2734 DCHECK(OnNetworkTaskRunner());
2735
2736 OnHandshakeIOComplete(result);
2737 }
2738
BufferRecvComplete(IOBuffer * read_buffer,int result)2739 void SSLClientSocketNSS::Core::BufferRecvComplete(
2740 IOBuffer* read_buffer,
2741 int result) {
2742 DCHECK(read_buffer);
2743
2744 if (!OnNSSTaskRunner()) {
2745 if (detached_)
2746 return;
2747
2748 nss_task_runner_->PostTask(
2749 FROM_HERE, base::Bind(&Core::BufferRecvComplete, this,
2750 scoped_refptr<IOBuffer>(read_buffer), result));
2751 return;
2752 }
2753
2754 DCHECK(OnNSSTaskRunner());
2755
2756 if (result > 0) {
2757 char* buf;
2758 int nb = memio_GetReadParams(nss_bufs_, &buf);
2759 CHECK_GE(nb, result);
2760 memcpy(buf, read_buffer->data(), result);
2761 } else if (result == 0) {
2762 transport_recv_eof_ = true;
2763 }
2764
2765 memio_PutReadResult(nss_bufs_, MapErrorToNSS(result));
2766 transport_recv_busy_ = false;
2767 OnRecvComplete(result);
2768 }
2769
PostOrRunCallback(const tracked_objects::Location & location,const base::Closure & task)2770 void SSLClientSocketNSS::Core::PostOrRunCallback(
2771 const tracked_objects::Location& location,
2772 const base::Closure& task) {
2773 if (!OnNetworkTaskRunner()) {
2774 network_task_runner_->PostTask(
2775 FROM_HERE,
2776 base::Bind(&Core::PostOrRunCallback, this, location, task));
2777 return;
2778 }
2779
2780 if (detached_ || task.is_null())
2781 return;
2782 task.Run();
2783 }
2784
AddCertProvidedEvent(int cert_count)2785 void SSLClientSocketNSS::Core::AddCertProvidedEvent(int cert_count) {
2786 PostOrRunCallback(
2787 FROM_HERE,
2788 base::Bind(&AddLogEventWithCallback, weak_net_log_,
2789 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
2790 NetLog::IntegerCallback("cert_count", cert_count)));
2791 }
2792
SetChannelIDProvided()2793 void SSLClientSocketNSS::Core::SetChannelIDProvided() {
2794 PostOrRunCallback(
2795 FROM_HERE, base::Bind(&AddLogEvent, weak_net_log_,
2796 NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED));
2797 nss_handshake_state_.channel_id_sent = true;
2798 // Update the network task runner's view of the handshake state now that
2799 // channel id has been sent.
2800 PostOrRunCallback(
2801 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
2802 nss_handshake_state_));
2803 }
2804
SSLClientSocketNSS(base::SequencedTaskRunner * nss_task_runner,scoped_ptr<ClientSocketHandle> transport_socket,const HostPortPair & host_and_port,const SSLConfig & ssl_config,const SSLClientSocketContext & context)2805 SSLClientSocketNSS::SSLClientSocketNSS(
2806 base::SequencedTaskRunner* nss_task_runner,
2807 scoped_ptr<ClientSocketHandle> transport_socket,
2808 const HostPortPair& host_and_port,
2809 const SSLConfig& ssl_config,
2810 const SSLClientSocketContext& context)
2811 : nss_task_runner_(nss_task_runner),
2812 transport_(transport_socket.Pass()),
2813 host_and_port_(host_and_port),
2814 ssl_config_(ssl_config),
2815 cert_verifier_(context.cert_verifier),
2816 cert_transparency_verifier_(context.cert_transparency_verifier),
2817 server_bound_cert_service_(context.server_bound_cert_service),
2818 ssl_session_cache_shard_(context.ssl_session_cache_shard),
2819 completed_handshake_(false),
2820 next_handshake_state_(STATE_NONE),
2821 nss_fd_(NULL),
2822 net_log_(transport_->socket()->NetLog()),
2823 transport_security_state_(context.transport_security_state),
2824 valid_thread_id_(base::kInvalidThreadId) {
2825 EnterFunction("");
2826 InitCore();
2827 LeaveFunction("");
2828 }
2829
~SSLClientSocketNSS()2830 SSLClientSocketNSS::~SSLClientSocketNSS() {
2831 EnterFunction("");
2832 Disconnect();
2833 LeaveFunction("");
2834 }
2835
2836 // static
ClearSessionCache()2837 void SSLClientSocket::ClearSessionCache() {
2838 // SSL_ClearSessionCache can't be called before NSS is initialized. Don't
2839 // bother initializing NSS just to clear an empty SSL session cache.
2840 if (!NSS_IsInitialized())
2841 return;
2842
2843 SSL_ClearSessionCache();
2844 }
2845
GetSSLInfo(SSLInfo * ssl_info)2846 bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
2847 EnterFunction("");
2848 ssl_info->Reset();
2849 if (core_->state().server_cert_chain.empty() ||
2850 !core_->state().server_cert_chain[0]) {
2851 return false;
2852 }
2853
2854 ssl_info->cert_status = server_cert_verify_result_.cert_status;
2855 ssl_info->cert = server_cert_verify_result_.verified_cert;
2856
2857 AddSCTInfoToSSLInfo(ssl_info);
2858
2859 ssl_info->connection_status =
2860 core_->state().ssl_connection_status;
2861 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
2862 ssl_info->is_issued_by_known_root =
2863 server_cert_verify_result_.is_issued_by_known_root;
2864 ssl_info->client_cert_sent =
2865 ssl_config_.send_client_cert && ssl_config_.client_cert.get();
2866 ssl_info->channel_id_sent = WasChannelIDSent();
2867 ssl_info->pinning_failure_log = pinning_failure_log_;
2868
2869 PRUint16 cipher_suite = SSLConnectionStatusToCipherSuite(
2870 core_->state().ssl_connection_status);
2871 SSLCipherSuiteInfo cipher_info;
2872 SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite,
2873 &cipher_info, sizeof(cipher_info));
2874 if (ok == SECSuccess) {
2875 ssl_info->security_bits = cipher_info.effectiveKeyBits;
2876 } else {
2877 ssl_info->security_bits = -1;
2878 LOG(DFATAL) << "SSL_GetCipherSuiteInfo returned " << PR_GetError()
2879 << " for cipherSuite " << cipher_suite;
2880 }
2881
2882 ssl_info->handshake_type = core_->state().resumed_handshake ?
2883 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL;
2884
2885 LeaveFunction("");
2886 return true;
2887 }
2888
GetSSLCertRequestInfo(SSLCertRequestInfo * cert_request_info)2889 void SSLClientSocketNSS::GetSSLCertRequestInfo(
2890 SSLCertRequestInfo* cert_request_info) {
2891 EnterFunction("");
2892 cert_request_info->host_and_port = host_and_port_;
2893 cert_request_info->cert_authorities = core_->state().cert_authorities;
2894 LeaveFunction("");
2895 }
2896
ExportKeyingMaterial(const base::StringPiece & label,bool has_context,const base::StringPiece & context,unsigned char * out,unsigned int outlen)2897 int SSLClientSocketNSS::ExportKeyingMaterial(const base::StringPiece& label,
2898 bool has_context,
2899 const base::StringPiece& context,
2900 unsigned char* out,
2901 unsigned int outlen) {
2902 if (!IsConnected())
2903 return ERR_SOCKET_NOT_CONNECTED;
2904
2905 // SSL_ExportKeyingMaterial may block the current thread if |core_| is in
2906 // the midst of a handshake.
2907 SECStatus result = SSL_ExportKeyingMaterial(
2908 nss_fd_, label.data(), label.size(), has_context,
2909 reinterpret_cast<const unsigned char*>(context.data()),
2910 context.length(), out, outlen);
2911 if (result != SECSuccess) {
2912 LogFailedNSSFunction(net_log_, "SSL_ExportKeyingMaterial", "");
2913 return MapNSSError(PORT_GetError());
2914 }
2915 return OK;
2916 }
2917
GetTLSUniqueChannelBinding(std::string * out)2918 int SSLClientSocketNSS::GetTLSUniqueChannelBinding(std::string* out) {
2919 if (!IsConnected())
2920 return ERR_SOCKET_NOT_CONNECTED;
2921 unsigned char buf[64];
2922 unsigned int len;
2923 SECStatus result = SSL_GetChannelBinding(nss_fd_,
2924 SSL_CHANNEL_BINDING_TLS_UNIQUE,
2925 buf, &len, arraysize(buf));
2926 if (result != SECSuccess) {
2927 LogFailedNSSFunction(net_log_, "SSL_GetChannelBinding", "");
2928 return MapNSSError(PORT_GetError());
2929 }
2930 out->assign(reinterpret_cast<char*>(buf), len);
2931 return OK;
2932 }
2933
2934 SSLClientSocket::NextProtoStatus
GetNextProto(std::string * proto,std::string * server_protos)2935 SSLClientSocketNSS::GetNextProto(std::string* proto,
2936 std::string* server_protos) {
2937 *proto = core_->state().next_proto;
2938 *server_protos = core_->state().server_protos;
2939 return core_->state().next_proto_status;
2940 }
2941
Connect(const CompletionCallback & callback)2942 int SSLClientSocketNSS::Connect(const CompletionCallback& callback) {
2943 EnterFunction("");
2944 DCHECK(transport_.get());
2945 // It is an error to create an SSLClientSocket whose context has no
2946 // TransportSecurityState.
2947 DCHECK(transport_security_state_);
2948 DCHECK_EQ(STATE_NONE, next_handshake_state_);
2949 DCHECK(user_connect_callback_.is_null());
2950 DCHECK(!callback.is_null());
2951
2952 EnsureThreadIdAssigned();
2953
2954 net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT);
2955
2956 int rv = Init();
2957 if (rv != OK) {
2958 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
2959 return rv;
2960 }
2961
2962 rv = InitializeSSLOptions();
2963 if (rv != OK) {
2964 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
2965 return rv;
2966 }
2967
2968 rv = InitializeSSLPeerName();
2969 if (rv != OK) {
2970 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
2971 return rv;
2972 }
2973
2974 GotoState(STATE_HANDSHAKE);
2975
2976 rv = DoHandshakeLoop(OK);
2977 if (rv == ERR_IO_PENDING) {
2978 user_connect_callback_ = callback;
2979 } else {
2980 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
2981 }
2982
2983 LeaveFunction("");
2984 return rv > OK ? OK : rv;
2985 }
2986
Disconnect()2987 void SSLClientSocketNSS::Disconnect() {
2988 EnterFunction("");
2989
2990 CHECK(CalledOnValidThread());
2991
2992 // Shut down anything that may call us back.
2993 core_->Detach();
2994 verifier_.reset();
2995 transport_->socket()->Disconnect();
2996
2997 // Reset object state.
2998 user_connect_callback_.Reset();
2999 server_cert_verify_result_.Reset();
3000 completed_handshake_ = false;
3001 start_cert_verification_time_ = base::TimeTicks();
3002 InitCore();
3003
3004 LeaveFunction("");
3005 }
3006
IsConnected() const3007 bool SSLClientSocketNSS::IsConnected() const {
3008 EnterFunction("");
3009 bool ret = completed_handshake_ &&
3010 (core_->HasPendingAsyncOperation() ||
3011 (core_->IsConnected() && core_->HasUnhandledReceivedData()) ||
3012 transport_->socket()->IsConnected());
3013 LeaveFunction("");
3014 return ret;
3015 }
3016
IsConnectedAndIdle() const3017 bool SSLClientSocketNSS::IsConnectedAndIdle() const {
3018 EnterFunction("");
3019 bool ret = completed_handshake_ &&
3020 !core_->HasPendingAsyncOperation() &&
3021 !(core_->IsConnected() && core_->HasUnhandledReceivedData()) &&
3022 transport_->socket()->IsConnectedAndIdle();
3023 LeaveFunction("");
3024 return ret;
3025 }
3026
GetPeerAddress(IPEndPoint * address) const3027 int SSLClientSocketNSS::GetPeerAddress(IPEndPoint* address) const {
3028 return transport_->socket()->GetPeerAddress(address);
3029 }
3030
GetLocalAddress(IPEndPoint * address) const3031 int SSLClientSocketNSS::GetLocalAddress(IPEndPoint* address) const {
3032 return transport_->socket()->GetLocalAddress(address);
3033 }
3034
NetLog() const3035 const BoundNetLog& SSLClientSocketNSS::NetLog() const {
3036 return net_log_;
3037 }
3038
SetSubresourceSpeculation()3039 void SSLClientSocketNSS::SetSubresourceSpeculation() {
3040 if (transport_.get() && transport_->socket()) {
3041 transport_->socket()->SetSubresourceSpeculation();
3042 } else {
3043 NOTREACHED();
3044 }
3045 }
3046
SetOmniboxSpeculation()3047 void SSLClientSocketNSS::SetOmniboxSpeculation() {
3048 if (transport_.get() && transport_->socket()) {
3049 transport_->socket()->SetOmniboxSpeculation();
3050 } else {
3051 NOTREACHED();
3052 }
3053 }
3054
WasEverUsed() const3055 bool SSLClientSocketNSS::WasEverUsed() const {
3056 DCHECK(core_.get());
3057
3058 return core_->WasEverUsed();
3059 }
3060
UsingTCPFastOpen() const3061 bool SSLClientSocketNSS::UsingTCPFastOpen() const {
3062 if (transport_.get() && transport_->socket()) {
3063 return transport_->socket()->UsingTCPFastOpen();
3064 }
3065 NOTREACHED();
3066 return false;
3067 }
3068
Read(IOBuffer * buf,int buf_len,const CompletionCallback & callback)3069 int SSLClientSocketNSS::Read(IOBuffer* buf, int buf_len,
3070 const CompletionCallback& callback) {
3071 DCHECK(core_.get());
3072 DCHECK(!callback.is_null());
3073
3074 EnterFunction(buf_len);
3075 int rv = core_->Read(buf, buf_len, callback);
3076 LeaveFunction(rv);
3077
3078 return rv;
3079 }
3080
Write(IOBuffer * buf,int buf_len,const CompletionCallback & callback)3081 int SSLClientSocketNSS::Write(IOBuffer* buf, int buf_len,
3082 const CompletionCallback& callback) {
3083 DCHECK(core_.get());
3084 DCHECK(!callback.is_null());
3085
3086 EnterFunction(buf_len);
3087 int rv = core_->Write(buf, buf_len, callback);
3088 LeaveFunction(rv);
3089
3090 return rv;
3091 }
3092
SetReceiveBufferSize(int32 size)3093 int SSLClientSocketNSS::SetReceiveBufferSize(int32 size) {
3094 return transport_->socket()->SetReceiveBufferSize(size);
3095 }
3096
SetSendBufferSize(int32 size)3097 int SSLClientSocketNSS::SetSendBufferSize(int32 size) {
3098 return transport_->socket()->SetSendBufferSize(size);
3099 }
3100
Init()3101 int SSLClientSocketNSS::Init() {
3102 EnterFunction("");
3103 // Initialize the NSS SSL library in a threadsafe way. This also
3104 // initializes the NSS base library.
3105 EnsureNSSSSLInit();
3106 if (!NSS_IsInitialized())
3107 return ERR_UNEXPECTED;
3108 #if defined(USE_NSS) || defined(OS_IOS)
3109 if (ssl_config_.cert_io_enabled) {
3110 // We must call EnsureNSSHttpIOInit() here, on the IO thread, to get the IO
3111 // loop by MessageLoopForIO::current().
3112 // X509Certificate::Verify() runs on a worker thread of CertVerifier.
3113 EnsureNSSHttpIOInit();
3114 }
3115 #endif
3116
3117 LeaveFunction("");
3118 return OK;
3119 }
3120
InitCore()3121 void SSLClientSocketNSS::InitCore() {
3122 core_ = new Core(base::ThreadTaskRunnerHandle::Get().get(),
3123 nss_task_runner_.get(),
3124 transport_.get(),
3125 host_and_port_,
3126 ssl_config_,
3127 &net_log_,
3128 server_bound_cert_service_);
3129 }
3130
InitializeSSLOptions()3131 int SSLClientSocketNSS::InitializeSSLOptions() {
3132 // Transport connected, now hook it up to nss
3133 nss_fd_ = memio_CreateIOLayer(kRecvBufferSize, kSendBufferSize);
3134 if (nss_fd_ == NULL) {
3135 return ERR_OUT_OF_MEMORY; // TODO(port): map NSPR error code.
3136 }
3137
3138 // Grab pointer to buffers
3139 memio_Private* nss_bufs = memio_GetSecret(nss_fd_);
3140
3141 /* Create SSL state machine */
3142 /* Push SSL onto our fake I/O socket */
3143 if (SSL_ImportFD(GetNSSModelSocket(), nss_fd_) == NULL) {
3144 LogFailedNSSFunction(net_log_, "SSL_ImportFD", "");
3145 PR_Close(nss_fd_);
3146 nss_fd_ = NULL;
3147 return ERR_OUT_OF_MEMORY; // TODO(port): map NSPR/NSS error code.
3148 }
3149 // TODO(port): set more ssl options! Check errors!
3150
3151 int rv;
3152
3153 rv = SSL_OptionSet(nss_fd_, SSL_SECURITY, PR_TRUE);
3154 if (rv != SECSuccess) {
3155 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_SECURITY");
3156 return ERR_UNEXPECTED;
3157 }
3158
3159 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SSL2, PR_FALSE);
3160 if (rv != SECSuccess) {
3161 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL2");
3162 return ERR_UNEXPECTED;
3163 }
3164
3165 // Don't do V2 compatible hellos because they don't support TLS extensions.
3166 rv = SSL_OptionSet(nss_fd_, SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
3167 if (rv != SECSuccess) {
3168 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_V2_COMPATIBLE_HELLO");
3169 return ERR_UNEXPECTED;
3170 }
3171
3172 SSLVersionRange version_range;
3173 version_range.min = ssl_config_.version_min;
3174 version_range.max = ssl_config_.version_max;
3175 rv = SSL_VersionRangeSet(nss_fd_, &version_range);
3176 if (rv != SECSuccess) {
3177 LogFailedNSSFunction(net_log_, "SSL_VersionRangeSet", "");
3178 return ERR_NO_SSL_VERSIONS_ENABLED;
3179 }
3180
3181 if (ssl_config_.version_fallback) {
3182 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
3183 if (rv != SECSuccess) {
3184 LogFailedNSSFunction(
3185 net_log_, "SSL_OptionSet", "SSL_ENABLE_FALLBACK_SCSV");
3186 }
3187 }
3188
3189 for (std::vector<uint16>::const_iterator it =
3190 ssl_config_.disabled_cipher_suites.begin();
3191 it != ssl_config_.disabled_cipher_suites.end(); ++it) {
3192 // This will fail if the specified cipher is not implemented by NSS, but
3193 // the failure is harmless.
3194 SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE);
3195 }
3196
3197 // Support RFC 5077
3198 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
3199 if (rv != SECSuccess) {
3200 LogFailedNSSFunction(
3201 net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
3202 }
3203
3204 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START,
3205 ssl_config_.false_start_enabled);
3206 if (rv != SECSuccess)
3207 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
3208
3209 // We allow servers to request renegotiation. Since we're a client,
3210 // prohibiting this is rather a waste of time. Only servers are in a
3211 // position to prevent renegotiation attacks.
3212 // http://extendedsubset.com/?p=8
3213
3214 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
3215 SSL_RENEGOTIATE_TRANSITIONAL);
3216 if (rv != SECSuccess) {
3217 LogFailedNSSFunction(
3218 net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
3219 }
3220
3221 rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
3222 if (rv != SECSuccess)
3223 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
3224
3225 // Added in NSS 3.15
3226 #ifdef SSL_ENABLE_OCSP_STAPLING
3227 // Request OCSP stapling even on platforms that don't support it, in
3228 // order to extract Certificate Transparency information.
3229 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING,
3230 (IsOCSPStaplingSupported() ||
3231 ssl_config_.signed_cert_timestamps_enabled));
3232 if (rv != SECSuccess) {
3233 LogFailedNSSFunction(net_log_, "SSL_OptionSet",
3234 "SSL_ENABLE_OCSP_STAPLING");
3235 }
3236 #endif
3237
3238 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
3239 ssl_config_.signed_cert_timestamps_enabled);
3240 if (rv != SECSuccess) {
3241 LogFailedNSSFunction(net_log_, "SSL_OptionSet",
3242 "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS");
3243 }
3244
3245 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
3246 if (rv != SECSuccess) {
3247 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT");
3248 return ERR_UNEXPECTED;
3249 }
3250
3251 if (!core_->Init(nss_fd_, nss_bufs))
3252 return ERR_UNEXPECTED;
3253
3254 // Tell SSL the hostname we're trying to connect to.
3255 SSL_SetURL(nss_fd_, host_and_port_.host().c_str());
3256
3257 // Tell SSL we're a client; needed if not letting NSPR do socket I/O
3258 SSL_ResetHandshake(nss_fd_, PR_FALSE);
3259
3260 return OK;
3261 }
3262
InitializeSSLPeerName()3263 int SSLClientSocketNSS::InitializeSSLPeerName() {
3264 // Tell NSS who we're connected to
3265 IPEndPoint peer_address;
3266 int err = transport_->socket()->GetPeerAddress(&peer_address);
3267 if (err != OK)
3268 return err;
3269
3270 SockaddrStorage storage;
3271 if (!peer_address.ToSockAddr(storage.addr, &storage.addr_len))
3272 return ERR_ADDRESS_INVALID;
3273
3274 PRNetAddr peername;
3275 memset(&peername, 0, sizeof(peername));
3276 DCHECK_LE(static_cast<size_t>(storage.addr_len), sizeof(peername));
3277 size_t len = std::min(static_cast<size_t>(storage.addr_len),
3278 sizeof(peername));
3279 memcpy(&peername, storage.addr, len);
3280
3281 // Adjust the address family field for BSD, whose sockaddr
3282 // structure has a one-byte length and one-byte address family
3283 // field at the beginning. PRNetAddr has a two-byte address
3284 // family field at the beginning.
3285 peername.raw.family = storage.addr->sa_family;
3286
3287 memio_SetPeerName(nss_fd_, &peername);
3288
3289 // Set the peer ID for session reuse. This is necessary when we create an
3290 // SSL tunnel through a proxy -- GetPeerName returns the proxy's address
3291 // rather than the destination server's address in that case.
3292 std::string peer_id = host_and_port_.ToString();
3293 // If the ssl_session_cache_shard_ is non-empty, we append it to the peer id.
3294 // This will cause session cache misses between sockets with different values
3295 // of ssl_session_cache_shard_ and this is used to partition the session cache
3296 // for incognito mode.
3297 if (!ssl_session_cache_shard_.empty()) {
3298 peer_id += "/" + ssl_session_cache_shard_;
3299 }
3300 SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str()));
3301 if (rv != SECSuccess)
3302 LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str());
3303
3304 return OK;
3305 }
3306
DoConnectCallback(int rv)3307 void SSLClientSocketNSS::DoConnectCallback(int rv) {
3308 EnterFunction(rv);
3309 DCHECK_NE(ERR_IO_PENDING, rv);
3310 DCHECK(!user_connect_callback_.is_null());
3311
3312 base::ResetAndReturn(&user_connect_callback_).Run(rv > OK ? OK : rv);
3313 LeaveFunction("");
3314 }
3315
OnHandshakeIOComplete(int result)3316 void SSLClientSocketNSS::OnHandshakeIOComplete(int result) {
3317 EnterFunction(result);
3318 int rv = DoHandshakeLoop(result);
3319 if (rv != ERR_IO_PENDING) {
3320 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
3321 DoConnectCallback(rv);
3322 }
3323 LeaveFunction("");
3324 }
3325
DoHandshakeLoop(int last_io_result)3326 int SSLClientSocketNSS::DoHandshakeLoop(int last_io_result) {
3327 EnterFunction(last_io_result);
3328 int rv = last_io_result;
3329 do {
3330 // Default to STATE_NONE for next state.
3331 // (This is a quirk carried over from the windows
3332 // implementation. It makes reading the logs a bit harder.)
3333 // State handlers can and often do call GotoState just
3334 // to stay in the current state.
3335 State state = next_handshake_state_;
3336 GotoState(STATE_NONE);
3337 switch (state) {
3338 case STATE_HANDSHAKE:
3339 rv = DoHandshake();
3340 break;
3341 case STATE_HANDSHAKE_COMPLETE:
3342 rv = DoHandshakeComplete(rv);
3343 break;
3344 case STATE_VERIFY_CERT:
3345 DCHECK(rv == OK);
3346 rv = DoVerifyCert(rv);
3347 break;
3348 case STATE_VERIFY_CERT_COMPLETE:
3349 rv = DoVerifyCertComplete(rv);
3350 break;
3351 case STATE_NONE:
3352 default:
3353 rv = ERR_UNEXPECTED;
3354 LOG(DFATAL) << "unexpected state " << state;
3355 break;
3356 }
3357 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE);
3358 LeaveFunction("");
3359 return rv;
3360 }
3361
DoHandshake()3362 int SSLClientSocketNSS::DoHandshake() {
3363 EnterFunction("");
3364 int rv = core_->Connect(
3365 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
3366 base::Unretained(this)));
3367 GotoState(STATE_HANDSHAKE_COMPLETE);
3368
3369 LeaveFunction(rv);
3370 return rv;
3371 }
3372
DoHandshakeComplete(int result)3373 int SSLClientSocketNSS::DoHandshakeComplete(int result) {
3374 EnterFunction(result);
3375
3376 if (result == OK) {
3377 // SSL handshake is completed. Let's verify the certificate.
3378 GotoState(STATE_VERIFY_CERT);
3379 // Done!
3380 }
3381 set_channel_id_sent(core_->state().channel_id_sent);
3382 set_signed_cert_timestamps_received(
3383 !core_->state().sct_list_from_tls_extension.empty());
3384 set_stapled_ocsp_response_received(
3385 !core_->state().stapled_ocsp_response.empty());
3386
3387 LeaveFunction(result);
3388 return result;
3389 }
3390
DoVerifyCert(int result)3391 int SSLClientSocketNSS::DoVerifyCert(int result) {
3392 DCHECK(!core_->state().server_cert_chain.empty());
3393 DCHECK(core_->state().server_cert_chain[0]);
3394
3395 GotoState(STATE_VERIFY_CERT_COMPLETE);
3396
3397 // If the certificate is expected to be bad we can use the expectation as
3398 // the cert status.
3399 base::StringPiece der_cert(
3400 reinterpret_cast<char*>(
3401 core_->state().server_cert_chain[0]->derCert.data),
3402 core_->state().server_cert_chain[0]->derCert.len);
3403 CertStatus cert_status;
3404 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) {
3405 DCHECK(start_cert_verification_time_.is_null());
3406 VLOG(1) << "Received an expected bad cert with status: " << cert_status;
3407 server_cert_verify_result_.Reset();
3408 server_cert_verify_result_.cert_status = cert_status;
3409 server_cert_verify_result_.verified_cert = core_->state().server_cert;
3410 return OK;
3411 }
3412
3413 // We may have failed to create X509Certificate object if we are
3414 // running inside sandbox.
3415 if (!core_->state().server_cert.get()) {
3416 server_cert_verify_result_.Reset();
3417 server_cert_verify_result_.cert_status = CERT_STATUS_INVALID;
3418 return ERR_CERT_INVALID;
3419 }
3420
3421 start_cert_verification_time_ = base::TimeTicks::Now();
3422
3423 int flags = 0;
3424 if (ssl_config_.rev_checking_enabled)
3425 flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED;
3426 if (ssl_config_.verify_ev_cert)
3427 flags |= CertVerifier::VERIFY_EV_CERT;
3428 if (ssl_config_.cert_io_enabled)
3429 flags |= CertVerifier::VERIFY_CERT_IO_ENABLED;
3430 if (ssl_config_.rev_checking_required_local_anchors)
3431 flags |= CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
3432 verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
3433 return verifier_->Verify(
3434 core_->state().server_cert.get(),
3435 host_and_port_.host(),
3436 flags,
3437 SSLConfigService::GetCRLSet().get(),
3438 &server_cert_verify_result_,
3439 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
3440 base::Unretained(this)),
3441 net_log_);
3442 }
3443
3444 // Derived from AuthCertificateCallback() in
3445 // mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp.
DoVerifyCertComplete(int result)3446 int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
3447 verifier_.reset();
3448
3449 if (!start_cert_verification_time_.is_null()) {
3450 base::TimeDelta verify_time =
3451 base::TimeTicks::Now() - start_cert_verification_time_;
3452 if (result == OK)
3453 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time);
3454 else
3455 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time);
3456 }
3457
3458 // We used to remember the intermediate CA certs in the NSS database
3459 // persistently. However, NSS opens a connection to the SQLite database
3460 // during NSS initialization and doesn't close the connection until NSS
3461 // shuts down. If the file system where the database resides is gone,
3462 // the database connection goes bad. What's worse, the connection won't
3463 // recover when the file system comes back. Until this NSS or SQLite bug
3464 // is fixed, we need to avoid using the NSS database for non-essential
3465 // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
3466 // http://crbug.com/15630 for more info.
3467
3468 // TODO(hclam): Skip logging if server cert was expected to be bad because
3469 // |server_cert_verify_result_| doesn't contain all the information about
3470 // the cert.
3471 if (result == OK)
3472 LogConnectionTypeMetrics();
3473
3474 #if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS)
3475 // Take care of any mandates for public key pinning.
3476 //
3477 // Pinning is only enabled for official builds to make sure that others don't
3478 // end up with pins that cannot be easily updated.
3479 //
3480 // TODO(agl): We might have an issue here where a request for foo.example.com
3481 // merges into a SPDY connection to www.example.com, and gets a different
3482 // certificate.
3483
3484 // Perform pin validation if, and only if, all these conditions obtain:
3485 //
3486 // * a TransportSecurityState object is available;
3487 // * the server's certificate chain is valid (or suffers from only a minor
3488 // error);
3489 // * the server's certificate chain chains up to a known root (i.e. not a
3490 // user-installed trust anchor); and
3491 // * the build is recent (very old builds should fail open so that users
3492 // have some chance to recover).
3493 //
3494 const CertStatus cert_status = server_cert_verify_result_.cert_status;
3495 if (transport_security_state_ &&
3496 (result == OK ||
3497 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
3498 server_cert_verify_result_.is_issued_by_known_root &&
3499 TransportSecurityState::IsBuildTimely()) {
3500 bool sni_available =
3501 ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 ||
3502 ssl_config_.version_fallback;
3503 const std::string& host = host_and_port_.host();
3504
3505 if (transport_security_state_->HasPublicKeyPins(host, sni_available)) {
3506 if (!transport_security_state_->CheckPublicKeyPins(
3507 host,
3508 sni_available,
3509 server_cert_verify_result_.public_key_hashes,
3510 &pinning_failure_log_)) {
3511 LOG(ERROR) << pinning_failure_log_;
3512 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
3513 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
3514 TransportSecurityState::ReportUMAOnPinFailure(host);
3515 } else {
3516 UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
3517 }
3518 }
3519 }
3520 #endif
3521
3522 if (result == OK) {
3523 // Only check Certificate Transparency if there were no other errors with
3524 // the connection.
3525 VerifyCT();
3526
3527 // Only cache the session if the certificate verified successfully.
3528 core_->CacheSessionIfNecessary();
3529 }
3530
3531 completed_handshake_ = true;
3532
3533 // Exit DoHandshakeLoop and return the result to the caller to Connect.
3534 DCHECK_EQ(STATE_NONE, next_handshake_state_);
3535 return result;
3536 }
3537
VerifyCT()3538 void SSLClientSocketNSS::VerifyCT() {
3539 if (!cert_transparency_verifier_)
3540 return;
3541
3542 // Note that this is a completely synchronous operation: The CT Log Verifier
3543 // gets all the data it needs for SCT verification and does not do any
3544 // external communication.
3545 int result = cert_transparency_verifier_->Verify(
3546 server_cert_verify_result_.verified_cert,
3547 core_->state().stapled_ocsp_response,
3548 core_->state().sct_list_from_tls_extension,
3549 &ct_verify_result_,
3550 net_log_);
3551 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
3552 // from the state after verification is complete, to conserve memory.
3553
3554 VLOG(1) << "CT Verification complete: result " << result
3555 << " Invalid scts: " << ct_verify_result_.invalid_scts.size()
3556 << " Verified scts: " << ct_verify_result_.verified_scts.size()
3557 << " scts from unknown logs: "
3558 << ct_verify_result_.unknown_logs_scts.size();
3559 }
3560
LogConnectionTypeMetrics() const3561 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {
3562 UpdateConnectionTypeHistograms(CONNECTION_SSL);
3563 int ssl_version = SSLConnectionStatusToVersion(
3564 core_->state().ssl_connection_status);
3565 switch (ssl_version) {
3566 case SSL_CONNECTION_VERSION_SSL2:
3567 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2);
3568 break;
3569 case SSL_CONNECTION_VERSION_SSL3:
3570 UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3);
3571 break;
3572 case SSL_CONNECTION_VERSION_TLS1:
3573 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1);
3574 break;
3575 case SSL_CONNECTION_VERSION_TLS1_1:
3576 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1);
3577 break;
3578 case SSL_CONNECTION_VERSION_TLS1_2:
3579 UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2);
3580 break;
3581 };
3582 }
3583
EnsureThreadIdAssigned() const3584 void SSLClientSocketNSS::EnsureThreadIdAssigned() const {
3585 base::AutoLock auto_lock(lock_);
3586 if (valid_thread_id_ != base::kInvalidThreadId)
3587 return;
3588 valid_thread_id_ = base::PlatformThread::CurrentId();
3589 }
3590
CalledOnValidThread() const3591 bool SSLClientSocketNSS::CalledOnValidThread() const {
3592 EnsureThreadIdAssigned();
3593 base::AutoLock auto_lock(lock_);
3594 return valid_thread_id_ == base::PlatformThread::CurrentId();
3595 }
3596
AddSCTInfoToSSLInfo(SSLInfo * ssl_info) const3597 void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const {
3598 for (ct::SCTList::const_iterator iter =
3599 ct_verify_result_.verified_scts.begin();
3600 iter != ct_verify_result_.verified_scts.end(); ++iter) {
3601 ssl_info->signed_certificate_timestamps.push_back(
3602 SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_OK));
3603 }
3604 for (ct::SCTList::const_iterator iter =
3605 ct_verify_result_.invalid_scts.begin();
3606 iter != ct_verify_result_.invalid_scts.end(); ++iter) {
3607 ssl_info->signed_certificate_timestamps.push_back(
3608 SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_INVALID));
3609 }
3610 for (ct::SCTList::const_iterator iter =
3611 ct_verify_result_.unknown_logs_scts.begin();
3612 iter != ct_verify_result_.unknown_logs_scts.end(); ++iter) {
3613 ssl_info->signed_certificate_timestamps.push_back(
3614 SignedCertificateTimestampAndStatus(*iter,
3615 ct::SCT_STATUS_LOG_UNKNOWN));
3616 }
3617 }
3618
3619 scoped_refptr<X509Certificate>
GetUnverifiedServerCertificateChain() const3620 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
3621 return core_->state().server_cert.get();
3622 }
3623
GetServerBoundCertService() const3624 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
3625 return server_bound_cert_service_;
3626 }
3627
3628 } // namespace net
3629