1d7d5f0223bd30dfd618762349c6209dd1d5ea3e6Daniel Dunbar/* 2c83ed049af2a2ed7ab94b8206fc0fec4da7e26dbDouglas Gregor * Various SSL functions. 3b5a57a69e5fdac6dd9a92be717e279486c4a0128Sebastian Redl * 4b5a57a69e5fdac6dd9a92be717e279486c4a0128Sebastian Redl * This Source Code Form is subject to the terms of the Mozilla Public 54c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * License, v. 2.0. If a copy of the MPL was not distributed with this 64c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 74c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl#include "cert.h" 83cb069213c8502dbb7a67860d40122d869ed8fd6Sebastian Redl#include "secitem.h" 93cb069213c8502dbb7a67860d40122d869ed8fd6Sebastian Redl#include "keyhi.h" 104c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl#include "ssl.h" 114ec339f43c0cae2678334850c90926bea10999c7Douglas Gregor#include "sslimpl.h" 12636a7c42d42800f69caadcdea433312fd642a4b3Sebastian Redl#include "sslproto.h" 13636a7c42d42800f69caadcdea433312fd642a4b3Sebastian Redl#include "secoid.h" /* for SECOID_GetALgorithmTag */ 14636a7c42d42800f69caadcdea433312fd642a4b3Sebastian Redl#include "pk11func.h" /* for PK11_GenerateRandom */ 159afe1308ed19dffc281dca5cfbe521826754980fSebastian Redl#include "nss.h" /* for NSS_RegisterShutdown */ 16636a7c42d42800f69caadcdea433312fd642a4b3Sebastian Redl#include "prinit.h" /* for PR_CallOnceWithArg */ 177f6623914e779e41eb3d85f9a2dc3affea5de1e8Sebastian Redl 187f6623914e779e41eb3d85f9a2dc3affea5de1e8Sebastian Redl#define MAX_BLOCK_CYPHER_SIZE 32 197f6623914e779e41eb3d85f9a2dc3affea5de1e8Sebastian Redl 204c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl#define TEST_FOR_FAILURE /* reminder */ 213cb069213c8502dbb7a67860d40122d869ed8fd6Sebastian Redl#define SET_ERROR_CODE /* reminder */ 223cb069213c8502dbb7a67860d40122d869ed8fd6Sebastian Redl 233cb069213c8502dbb7a67860d40122d869ed8fd6Sebastian Redl/* Returns a SECStatus: SECSuccess or SECFailure, NOT SECWouldBlock. 24b5a57a69e5fdac6dd9a92be717e279486c4a0128Sebastian Redl * 254c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * Currently, the list of functions called through ss->handshake is: 264c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * 274c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * In sslsocks.c: 284c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * SocksGatherRecord 294c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * SocksHandleReply 304c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * SocksStartGather 314c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * 324c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * In sslcon.c: 33cee63fbf0e64ac526582312bf8cf33263fc5c16eSebastian Redl * ssl_GatherRecord1stHandshake 344c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * ssl2_HandleClientSessionKeyMessage 354c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * ssl2_HandleMessage 364c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * ssl2_HandleVerifyMessage 374c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * ssl2_BeginClientHandshake 38fb4ccd7152723ac6190eb379250cfe7516cfd1b8Sebastian Redl * ssl2_BeginServerHandshake 39636a7c42d42800f69caadcdea433312fd642a4b3Sebastian Redl * ssl2_HandleClientHelloMessage 409afe1308ed19dffc281dca5cfbe521826754980fSebastian Redl * ssl2_HandleServerHelloMessage 417f6623914e779e41eb3d85f9a2dc3affea5de1e8Sebastian Redl * 424c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * The ss->handshake function returns SECWouldBlock under these conditions: 434c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * 1. ssl_GatherRecord1stHandshake called ssl2_GatherData which read in 44e7450f5dbd5bed63b8ef9db86350a8fc3db011e8Douglas Gregor * the beginning of an SSL v3 hello message and returned SECWouldBlock 45e7450f5dbd5bed63b8ef9db86350a8fc3db011e8Douglas Gregor * to switch to SSL v3 handshake processing. 46e7450f5dbd5bed63b8ef9db86350a8fc3db011e8Douglas Gregor * 47e7450f5dbd5bed63b8ef9db86350a8fc3db011e8Douglas Gregor * 2. ssl2_HandleClientHelloMessage discovered version 3.0 in the incoming 48c83ed049af2a2ed7ab94b8206fc0fec4da7e26dbDouglas Gregor * v2 client hello msg, and called ssl3_HandleV2ClientHello which 494c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * returned SECWouldBlock. 504c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * 514c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * 3. SECWouldBlock was returned by one of the callback functions, via 524c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * one of these paths: 534c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * - ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> 54cee63fbf0e64ac526582312bf8cf33263fc5c16eSebastian Redl * ss->getClientAuthData() 554c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * 564c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * - ssl2_HandleServerHelloMessage() -> ss->handleBadCert() 574c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * 584c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * - ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 594c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 60c83ed049af2a2ed7ab94b8206fc0fec4da7e26dbDouglas Gregor * ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificate() -> 614c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * ss->handleBadCert() 62c83ed049af2a2ed7ab94b8206fc0fec4da7e26dbDouglas Gregor * 63cee63fbf0e64ac526582312bf8cf33263fc5c16eSebastian Redl * - ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 64cee63fbf0e64ac526582312bf8cf33263fc5c16eSebastian Redl * ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 65cee63fbf0e64ac526582312bf8cf33263fc5c16eSebastian Redl * ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificateRequest() -> 66fb4ccd7152723ac6190eb379250cfe7516cfd1b8Sebastian Redl * ss->getClientAuthData() 67b5a57a69e5fdac6dd9a92be717e279486c4a0128Sebastian Redl * 687f6623914e779e41eb3d85f9a2dc3affea5de1e8Sebastian Redl * Called from: SSL_ForceHandshake (below), 69636a7c42d42800f69caadcdea433312fd642a4b3Sebastian Redl * ssl_SecureRecv (below) and 70636a7c42d42800f69caadcdea433312fd642a4b3Sebastian Redl * ssl_SecureSend (below) 719afe1308ed19dffc281dca5cfbe521826754980fSebastian Redl * from: WaitForResponse in sslsocks.c 729afe1308ed19dffc281dca5cfbe521826754980fSebastian Redl * ssl_SocksRecv in sslsocks.c 7300e68e2cc5ce37cb95beb801cae73c0d1e9dda37Sebastian Redl * ssl_SocksSend in sslsocks.c 7400e68e2cc5ce37cb95beb801cae73c0d1e9dda37Sebastian Redl * 754c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl * Caller must hold the (write) handshakeLock. 764c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl */ 774c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redlint 784c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redlssl_Do1stHandshake(sslSocket *ss) 794c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl{ 804c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl int rv = SECSuccess; 814c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl int loopCount = 0; 824c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl 83fb4ccd7152723ac6190eb379250cfe7516cfd1b8Sebastian Redl do { 844c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl PORT_Assert(ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); 854c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss)); 864c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss)); 874c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss)); 884c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl 894c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl if (ss->handshake == 0) { 9028eb7e992b9a266abb300da25b6d3c1557cec361Chris Lattner /* Previous handshake finished. Switch to next one */ 914c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl ss->handshake = ss->nextHandshake; 924c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl ss->nextHandshake = 0; 93fb4ccd7152723ac6190eb379250cfe7516cfd1b8Sebastian Redl } 944c5d320a7581f4b80b151630c91cea5727fa9923Sebastian Redl if (ss->handshake == 0) { 95 /* Previous handshake finished. Switch to security handshake */ 96 ss->handshake = ss->securityHandshake; 97 ss->securityHandshake = 0; 98 } 99 if (ss->handshake == 0) { 100 /* for v3 this is done in ssl3_FinishHandshake */ 101 if (!ss->firstHsDone && ss->version < SSL_LIBRARY_VERSION_3_0) { 102 ssl_GetRecvBufLock(ss); 103 ss->gs.recordLen = 0; 104 ssl_FinishHandshake(ss); 105 ssl_ReleaseRecvBufLock(ss); 106 } 107 break; 108 } 109 rv = (*ss->handshake)(ss); 110 ++loopCount; 111 /* This code must continue to loop on SECWouldBlock, 112 * or any positive value. See XXX_1 comments. 113 */ 114 } while (rv != SECFailure); /* was (rv >= 0); XXX_1 */ 115 116 PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss)); 117 PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss)); 118 PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss)); 119 120 if (rv == SECWouldBlock) { 121 PORT_SetError(PR_WOULD_BLOCK_ERROR); 122 rv = SECFailure; 123 } 124 return rv; 125} 126 127void 128ssl_FinishHandshake(sslSocket *ss) 129{ 130 PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); 131 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 132 133 SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", SSL_GETPID(), ss->fd)); 134 135 ss->firstHsDone = PR_TRUE; 136 ss->enoughFirstHsDone = PR_TRUE; 137 ss->gs.writeOffset = 0; 138 ss->gs.readOffset = 0; 139 140 if (ss->handshakeCallback) { 141 (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData); 142 } 143} 144 145/* 146 * Handshake function that blocks. Used to force a 147 * retry on a connection on the next read/write. 148 */ 149static SECStatus 150ssl3_AlwaysBlock(sslSocket *ss) 151{ 152 PORT_SetError(PR_WOULD_BLOCK_ERROR); /* perhaps redundant. */ 153 return SECWouldBlock; 154} 155 156/* 157 * set the initial handshake state machine to block 158 */ 159void 160ssl3_SetAlwaysBlock(sslSocket *ss) 161{ 162 if (!ss->firstHsDone) { 163 ss->handshake = ssl3_AlwaysBlock; 164 ss->nextHandshake = 0; 165 } 166} 167 168static SECStatus 169ssl_SetTimeout(PRFileDesc *fd, PRIntervalTime timeout) 170{ 171 sslSocket *ss; 172 173 ss = ssl_FindSocket(fd); 174 if (!ss) { 175 SSL_DBG(("%d: SSL[%d]: bad socket in SetTimeout", SSL_GETPID(), fd)); 176 return SECFailure; 177 } 178 SSL_LOCK_READER(ss); 179 ss->rTimeout = timeout; 180 if (ss->opt.fdx) { 181 SSL_LOCK_WRITER(ss); 182 } 183 ss->wTimeout = timeout; 184 if (ss->opt.fdx) { 185 SSL_UNLOCK_WRITER(ss); 186 } 187 SSL_UNLOCK_READER(ss); 188 return SECSuccess; 189} 190 191/* Acquires and releases HandshakeLock. 192*/ 193SECStatus 194SSL_ResetHandshake(PRFileDesc *s, PRBool asServer) 195{ 196 sslSocket *ss; 197 SECStatus status; 198 PRNetAddr addr; 199 200 ss = ssl_FindSocket(s); 201 if (!ss) { 202 SSL_DBG(("%d: SSL[%d]: bad socket in ResetHandshake", SSL_GETPID(), s)); 203 return SECFailure; 204 } 205 206 /* Don't waste my time */ 207 if (!ss->opt.useSecurity) 208 return SECSuccess; 209 210 SSL_LOCK_READER(ss); 211 SSL_LOCK_WRITER(ss); 212 213 /* Reset handshake state */ 214 ssl_Get1stHandshakeLock(ss); 215 216 ss->firstHsDone = PR_FALSE; 217 ss->enoughFirstHsDone = PR_FALSE; 218 if ( asServer ) { 219 ss->handshake = ssl2_BeginServerHandshake; 220 ss->handshaking = sslHandshakingAsServer; 221 } else { 222 ss->handshake = ssl2_BeginClientHandshake; 223 ss->handshaking = sslHandshakingAsClient; 224 } 225 ss->nextHandshake = 0; 226 ss->securityHandshake = 0; 227 228 ssl_GetRecvBufLock(ss); 229 status = ssl_InitGather(&ss->gs); 230 ssl_ReleaseRecvBufLock(ss); 231 232 ssl_GetSSL3HandshakeLock(ss); 233 ss->ssl3.hs.canFalseStart = PR_FALSE; 234 ss->ssl3.hs.restartTarget = NULL; 235 236 /* 237 ** Blow away old security state and get a fresh setup. 238 */ 239 ssl_GetXmitBufLock(ss); 240 ssl_ResetSecurityInfo(&ss->sec, PR_TRUE); 241 status = ssl_CreateSecurityInfo(ss); 242 ssl_ReleaseXmitBufLock(ss); 243 244 ssl_ReleaseSSL3HandshakeLock(ss); 245 ssl_Release1stHandshakeLock(ss); 246 247 if (!ss->TCPconnected) 248 ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr)); 249 250 SSL_UNLOCK_WRITER(ss); 251 SSL_UNLOCK_READER(ss); 252 253 return status; 254} 255 256/* For SSLv2, does nothing but return an error. 257** For SSLv3, flushes SID cache entry (if requested), 258** and then starts new client hello or hello request. 259** Acquires and releases HandshakeLock. 260*/ 261SECStatus 262SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache) 263{ 264 sslSocket *ss; 265 SECStatus rv; 266 267 ss = ssl_FindSocket(fd); 268 if (!ss) { 269 SSL_DBG(("%d: SSL[%d]: bad socket in RedoHandshake", SSL_GETPID(), fd)); 270 return SECFailure; 271 } 272 273 if (!ss->opt.useSecurity) 274 return SECSuccess; 275 276 ssl_Get1stHandshakeLock(ss); 277 278 /* SSL v2 protocol does not support subsequent handshakes. */ 279 if (ss->version < SSL_LIBRARY_VERSION_3_0) { 280 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); 281 rv = SECFailure; 282 } else { 283 ssl_GetSSL3HandshakeLock(ss); 284 rv = ssl3_RedoHandshake(ss, flushCache); /* force full handshake. */ 285 ssl_ReleaseSSL3HandshakeLock(ss); 286 } 287 288 ssl_Release1stHandshakeLock(ss); 289 290 return rv; 291} 292 293/* 294** Same as above, but with an I/O timeout. 295 */ 296SSL_IMPORT SECStatus SSL_ReHandshakeWithTimeout(PRFileDesc *fd, 297 PRBool flushCache, 298 PRIntervalTime timeout) 299{ 300 if (SECSuccess != ssl_SetTimeout(fd, timeout)) { 301 return SECFailure; 302 } 303 return SSL_ReHandshake(fd, flushCache); 304} 305 306SECStatus 307SSL_RedoHandshake(PRFileDesc *fd) 308{ 309 return SSL_ReHandshake(fd, PR_TRUE); 310} 311 312/* Register an application callback to be called when SSL handshake completes. 313** Acquires and releases HandshakeLock. 314*/ 315SECStatus 316SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb, 317 void *client_data) 318{ 319 sslSocket *ss; 320 321 ss = ssl_FindSocket(fd); 322 if (!ss) { 323 SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeCallback", 324 SSL_GETPID(), fd)); 325 return SECFailure; 326 } 327 328 if (!ss->opt.useSecurity) { 329 PORT_SetError(SEC_ERROR_INVALID_ARGS); 330 return SECFailure; 331 } 332 333 ssl_Get1stHandshakeLock(ss); 334 ssl_GetSSL3HandshakeLock(ss); 335 336 ss->handshakeCallback = cb; 337 ss->handshakeCallbackData = client_data; 338 339 ssl_ReleaseSSL3HandshakeLock(ss); 340 ssl_Release1stHandshakeLock(ss); 341 342 return SECSuccess; 343} 344 345/* Register an application callback to be called when false start may happen. 346** Acquires and releases HandshakeLock. 347*/ 348SECStatus 349SSL_SetCanFalseStartCallback(PRFileDesc *fd, SSLCanFalseStartCallback cb, 350 void *arg) 351{ 352 sslSocket *ss; 353 354 ss = ssl_FindSocket(fd); 355 if (!ss) { 356 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCanFalseStartCallback", 357 SSL_GETPID(), fd)); 358 return SECFailure; 359 } 360 361 if (!ss->opt.useSecurity) { 362 PORT_SetError(SEC_ERROR_INVALID_ARGS); 363 return SECFailure; 364 } 365 366 ssl_Get1stHandshakeLock(ss); 367 ssl_GetSSL3HandshakeLock(ss); 368 369 ss->canFalseStartCallback = cb; 370 ss->canFalseStartCallbackData = arg; 371 372 ssl_ReleaseSSL3HandshakeLock(ss); 373 ssl_Release1stHandshakeLock(ss); 374 375 return SECSuccess; 376} 377 378SECStatus 379SSL_RecommendedCanFalseStart(PRFileDesc *fd, PRBool *canFalseStart) 380{ 381 sslSocket *ss; 382 383 *canFalseStart = PR_FALSE; 384 ss = ssl_FindSocket(fd); 385 if (!ss) { 386 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RecommendedCanFalseStart", 387 SSL_GETPID(), fd)); 388 return SECFailure; 389 } 390 391 if (!ss->ssl3.initialized) { 392 PORT_SetError(SEC_ERROR_INVALID_ARGS); 393 return SECFailure; 394 } 395 396 if (ss->version < SSL_LIBRARY_VERSION_3_0) { 397 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); 398 return SECFailure; 399 } 400 401 /* Require a forward-secret key exchange. */ 402 *canFalseStart = ss->ssl3.hs.kea_def->kea == kea_dhe_dss || 403 ss->ssl3.hs.kea_def->kea == kea_dhe_rsa || 404 ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa || 405 ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa; 406 407 return SECSuccess; 408} 409 410/* Try to make progress on an SSL handshake by attempting to read the 411** next handshake from the peer, and sending any responses. 412** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK if it cannot 413** read the next handshake from the underlying socket. 414** For SSLv2, returns when handshake is complete or fatal error occurs. 415** For SSLv3, returns when handshake is complete, or application data has 416** arrived that must be taken by application before handshake can continue, 417** or a fatal error occurs. 418** Application should use handshake completion callback to tell which. 419*/ 420SECStatus 421SSL_ForceHandshake(PRFileDesc *fd) 422{ 423 sslSocket *ss; 424 SECStatus rv = SECFailure; 425 426 ss = ssl_FindSocket(fd); 427 if (!ss) { 428 SSL_DBG(("%d: SSL[%d]: bad socket in ForceHandshake", 429 SSL_GETPID(), fd)); 430 return rv; 431 } 432 433 /* Don't waste my time */ 434 if (!ss->opt.useSecurity) 435 return SECSuccess; 436 437 if (!ssl_SocketIsBlocking(ss)) { 438 ssl_GetXmitBufLock(ss); 439 if (ss->pendingBuf.len != 0) { 440 int sent = ssl_SendSavedWriteData(ss); 441 if ((sent < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) { 442 ssl_ReleaseXmitBufLock(ss); 443 return SECFailure; 444 } 445 } 446 ssl_ReleaseXmitBufLock(ss); 447 } 448 449 ssl_Get1stHandshakeLock(ss); 450 451 if (ss->version >= SSL_LIBRARY_VERSION_3_0) { 452 int gatherResult; 453 454 ssl_GetRecvBufLock(ss); 455 gatherResult = ssl3_GatherCompleteHandshake(ss, 0); 456 ssl_ReleaseRecvBufLock(ss); 457 if (gatherResult > 0) { 458 rv = SECSuccess; 459 } else if (gatherResult == 0) { 460 PORT_SetError(PR_END_OF_FILE_ERROR); 461 } else if (gatherResult == SECWouldBlock) { 462 PORT_SetError(PR_WOULD_BLOCK_ERROR); 463 } 464 } else if (!ss->firstHsDone) { 465 rv = ssl_Do1stHandshake(ss); 466 } else { 467 /* tried to force handshake on an SSL 2 socket that has 468 ** already completed the handshake. */ 469 rv = SECSuccess; /* just pretend we did it. */ 470 } 471 472 ssl_Release1stHandshakeLock(ss); 473 474 return rv; 475} 476 477/* 478 ** Same as above, but with an I/O timeout. 479 */ 480SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd, 481 PRIntervalTime timeout) 482{ 483 if (SECSuccess != ssl_SetTimeout(fd, timeout)) { 484 return SECFailure; 485 } 486 return SSL_ForceHandshake(fd); 487} 488 489 490/************************************************************************/ 491 492/* 493** Grow a buffer to hold newLen bytes of data. 494** Called for both recv buffers and xmit buffers. 495** Caller must hold xmitBufLock or recvBufLock, as appropriate. 496*/ 497SECStatus 498sslBuffer_Grow(sslBuffer *b, unsigned int newLen) 499{ 500 newLen = PR_MAX(newLen, MAX_FRAGMENT_LENGTH + 2048); 501 if (newLen > b->space) { 502 unsigned char *newBuf; 503 if (b->buf) { 504 newBuf = (unsigned char *) PORT_Realloc(b->buf, newLen); 505 } else { 506 newBuf = (unsigned char *) PORT_Alloc(newLen); 507 } 508 if (!newBuf) { 509 return SECFailure; 510 } 511 SSL_TRC(10, ("%d: SSL: grow buffer from %d to %d", 512 SSL_GETPID(), b->space, newLen)); 513 b->buf = newBuf; 514 b->space = newLen; 515 } 516 return SECSuccess; 517} 518 519SECStatus 520sslBuffer_Append(sslBuffer *b, const void * data, unsigned int len) 521{ 522 unsigned int newLen = b->len + len; 523 SECStatus rv; 524 525 rv = sslBuffer_Grow(b, newLen); 526 if (rv != SECSuccess) 527 return rv; 528 PORT_Memcpy(b->buf + b->len, data, len); 529 b->len += len; 530 return SECSuccess; 531} 532 533/* 534** Save away write data that is trying to be written before the security 535** handshake has been completed. When the handshake is completed, we will 536** flush this data out. 537** Caller must hold xmitBufLock 538*/ 539SECStatus 540ssl_SaveWriteData(sslSocket *ss, const void *data, unsigned int len) 541{ 542 SECStatus rv; 543 544 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 545 rv = sslBuffer_Append(&ss->pendingBuf, data, len); 546 SSL_TRC(5, ("%d: SSL[%d]: saving %u bytes of data (%u total saved so far)", 547 SSL_GETPID(), ss->fd, len, ss->pendingBuf.len)); 548 return rv; 549} 550 551/* 552** Send saved write data. This will flush out data sent prior to a 553** complete security handshake. Hopefully there won't be too much of it. 554** Returns count of the bytes sent, NOT a SECStatus. 555** Caller must hold xmitBufLock 556*/ 557int 558ssl_SendSavedWriteData(sslSocket *ss) 559{ 560 int rv = 0; 561 562 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) ); 563 if (ss->pendingBuf.len != 0) { 564 SSL_TRC(5, ("%d: SSL[%d]: sending %d bytes of saved data", 565 SSL_GETPID(), ss->fd, ss->pendingBuf.len)); 566 rv = ssl_DefSend(ss, ss->pendingBuf.buf, ss->pendingBuf.len, 0); 567 if (rv < 0) { 568 return rv; 569 } 570 ss->pendingBuf.len -= rv; 571 if (ss->pendingBuf.len > 0 && rv > 0) { 572 /* UGH !! This shifts the whole buffer down by copying it */ 573 PORT_Memmove(ss->pendingBuf.buf, ss->pendingBuf.buf + rv, 574 ss->pendingBuf.len); 575 } 576 } 577 return rv; 578} 579 580/************************************************************************/ 581 582/* 583** Receive some application data on a socket. Reads SSL records from the input 584** stream, decrypts them and then copies them to the output buffer. 585** Called from ssl_SecureRecv() below. 586** 587** Caller does NOT hold 1stHandshakeLock because that handshake is over. 588** Caller doesn't call this until initial handshake is complete. 589** For SSLv2, there is no subsequent handshake. 590** For SSLv3, the call to ssl3_GatherAppDataRecord may encounter handshake 591** messages from a subsequent handshake. 592** 593** This code is similar to, and easily confused with, 594** ssl_GatherRecord1stHandshake() in sslcon.c 595*/ 596static int 597DoRecv(sslSocket *ss, unsigned char *out, int len, int flags) 598{ 599 int rv; 600 int amount; 601 int available; 602 603 /* ssl3_GatherAppDataRecord may call ssl_FinishHandshake, which needs the 604 * 1stHandshakeLock. */ 605 ssl_Get1stHandshakeLock(ss); 606 ssl_GetRecvBufLock(ss); 607 608 available = ss->gs.writeOffset - ss->gs.readOffset; 609 if (available == 0) { 610 /* Get some more data */ 611 if (ss->version >= SSL_LIBRARY_VERSION_3_0) { 612 /* Wait for application data to arrive. */ 613 rv = ssl3_GatherAppDataRecord(ss, 0); 614 } else { 615 /* See if we have a complete record */ 616 rv = ssl2_GatherRecord(ss, 0); 617 } 618 if (rv <= 0) { 619 if (rv == 0) { 620 /* EOF */ 621 SSL_TRC(10, ("%d: SSL[%d]: ssl_recv EOF", 622 SSL_GETPID(), ss->fd)); 623 goto done; 624 } 625 if ((rv != SECWouldBlock) && 626 (PR_GetError() != PR_WOULD_BLOCK_ERROR)) { 627 /* Some random error */ 628 goto done; 629 } 630 631 /* 632 ** Gather record is blocked waiting for more record data to 633 ** arrive. Try to process what we have already received 634 */ 635 } else { 636 /* Gather record has finished getting a complete record */ 637 } 638 639 /* See if any clear data is now available */ 640 available = ss->gs.writeOffset - ss->gs.readOffset; 641 if (available == 0) { 642 /* 643 ** No partial data is available. Force error code to 644 ** EWOULDBLOCK so that caller will try again later. Note 645 ** that the error code is probably EWOULDBLOCK already, 646 ** but if it isn't (for example, if we received a zero 647 ** length record) then this will force it to be correct. 648 */ 649 PORT_SetError(PR_WOULD_BLOCK_ERROR); 650 rv = SECFailure; 651 goto done; 652 } 653 SSL_TRC(30, ("%d: SSL[%d]: partial data ready, available=%d", 654 SSL_GETPID(), ss->fd, available)); 655 } 656 657 /* Dole out clear data to reader */ 658 amount = PR_MIN(len, available); 659 PORT_Memcpy(out, ss->gs.buf.buf + ss->gs.readOffset, amount); 660 if (!(flags & PR_MSG_PEEK)) { 661 ss->gs.readOffset += amount; 662 } 663 PORT_Assert(ss->gs.readOffset <= ss->gs.writeOffset); 664 rv = amount; 665 666 SSL_TRC(30, ("%d: SSL[%d]: amount=%d available=%d", 667 SSL_GETPID(), ss->fd, amount, available)); 668 PRINT_BUF(4, (ss, "DoRecv receiving plaintext:", out, amount)); 669 670done: 671 ssl_ReleaseRecvBufLock(ss); 672 ssl_Release1stHandshakeLock(ss); 673 return rv; 674} 675 676/************************************************************************/ 677 678/* 679** Return SSLKEAType derived from cert's Public Key algorithm info. 680*/ 681SSLKEAType 682NSS_FindCertKEAType(CERTCertificate * cert) 683{ 684 SSLKEAType keaType = kt_null; 685 int tag; 686 687 if (!cert) goto loser; 688 689 tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm)); 690 691 switch (tag) { 692 case SEC_OID_X500_RSA_ENCRYPTION: 693 case SEC_OID_PKCS1_RSA_ENCRYPTION: 694 keaType = kt_rsa; 695 break; 696 case SEC_OID_X942_DIFFIE_HELMAN_KEY: 697 keaType = kt_dh; 698 break; 699#ifdef NSS_ENABLE_ECC 700 case SEC_OID_ANSIX962_EC_PUBLIC_KEY: 701 keaType = kt_ecdh; 702 break; 703#endif /* NSS_ENABLE_ECC */ 704 default: 705 keaType = kt_null; 706 } 707 708 loser: 709 710 return keaType; 711} 712 713static const PRCallOnceType pristineCallOnce; 714static PRCallOnceType setupServerCAListOnce; 715 716static SECStatus serverCAListShutdown(void* appData, void* nssData) 717{ 718 PORT_Assert(ssl3_server_ca_list); 719 if (ssl3_server_ca_list) { 720 CERT_FreeDistNames(ssl3_server_ca_list); 721 ssl3_server_ca_list = NULL; 722 } 723 setupServerCAListOnce = pristineCallOnce; 724 return SECSuccess; 725} 726 727static PRStatus serverCAListSetup(void *arg) 728{ 729 CERTCertDBHandle *dbHandle = (CERTCertDBHandle *)arg; 730 SECStatus rv = NSS_RegisterShutdown(serverCAListShutdown, NULL); 731 PORT_Assert(SECSuccess == rv); 732 if (SECSuccess == rv) { 733 ssl3_server_ca_list = CERT_GetSSLCACerts(dbHandle); 734 return PR_SUCCESS; 735 } 736 return PR_FAILURE; 737} 738 739SECStatus 740ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert, 741 const CERTCertificateList *certChain, 742 ssl3KeyPair *keyPair, SSLKEAType kea) 743{ 744 CERTCertificateList *localCertChain = NULL; 745 sslServerCerts *sc = ss->serverCerts + kea; 746 747 /* load the server certificate */ 748 if (sc->serverCert != NULL) { 749 CERT_DestroyCertificate(sc->serverCert); 750 sc->serverCert = NULL; 751 sc->serverKeyBits = 0; 752 } 753 /* load the server cert chain */ 754 if (sc->serverCertChain != NULL) { 755 CERT_DestroyCertificateList(sc->serverCertChain); 756 sc->serverCertChain = NULL; 757 } 758 if (cert) { 759 sc->serverCert = CERT_DupCertificate(cert); 760 /* get the size of the cert's public key, and remember it */ 761 sc->serverKeyBits = SECKEY_PublicKeyStrengthInBits(keyPair->pubKey); 762 if (!certChain) { 763 localCertChain = 764 CERT_CertChainFromCert(sc->serverCert, certUsageSSLServer, 765 PR_TRUE); 766 if (!localCertChain) 767 goto loser; 768 } 769 sc->serverCertChain = (certChain) ? CERT_DupCertList(certChain) : 770 localCertChain; 771 if (!sc->serverCertChain) { 772 goto loser; 773 } 774 localCertChain = NULL; /* consumed */ 775 } 776 777 /* get keyPair */ 778 if (sc->serverKeyPair != NULL) { 779 ssl3_FreeKeyPair(sc->serverKeyPair); 780 sc->serverKeyPair = NULL; 781 } 782 if (keyPair) { 783 SECKEY_CacheStaticFlags(keyPair->privKey); 784 sc->serverKeyPair = ssl3_GetKeyPairRef(keyPair); 785 } 786 if (kea == kt_rsa && cert && sc->serverKeyBits > 512 && 787 !ss->opt.noStepDown && !ss->stepDownKeyPair) { 788 if (ssl3_CreateRSAStepDownKeys(ss) != SECSuccess) { 789 goto loser; 790 } 791 } 792 return SECSuccess; 793 794loser: 795 if (localCertChain) { 796 CERT_DestroyCertificateList(localCertChain); 797 } 798 if (sc->serverCert != NULL) { 799 CERT_DestroyCertificate(sc->serverCert); 800 sc->serverCert = NULL; 801 } 802 if (sc->serverCertChain != NULL) { 803 CERT_DestroyCertificateList(sc->serverCertChain); 804 sc->serverCertChain = NULL; 805 } 806 if (sc->serverKeyPair != NULL) { 807 ssl3_FreeKeyPair(sc->serverKeyPair); 808 sc->serverKeyPair = NULL; 809 } 810 return SECFailure; 811} 812 813/* XXX need to protect the data that gets changed here.!! */ 814 815SECStatus 816SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert, 817 SECKEYPrivateKey *key, SSL3KEAType kea) 818{ 819 820 return SSL_ConfigSecureServerWithCertChain(fd, cert, NULL, key, kea); 821} 822 823SECStatus 824SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert, 825 const CERTCertificateList *certChainOpt, 826 SECKEYPrivateKey *key, SSL3KEAType kea) 827{ 828 sslSocket *ss; 829 SECKEYPublicKey *pubKey = NULL; 830 ssl3KeyPair *keyPair = NULL; 831 SECStatus rv = SECFailure; 832 833 ss = ssl_FindSocket(fd); 834 if (!ss) { 835 return SECFailure; 836 } 837 838 /* Both key and cert must have a value or be NULL */ 839 /* Passing a value of NULL will turn off key exchange algorithms that were 840 * previously turned on */ 841 if (!cert != !key) { 842 PORT_SetError(SEC_ERROR_INVALID_ARGS); 843 return SECFailure; 844 } 845 846 /* make sure the key exchange is recognized */ 847 if ((kea >= kt_kea_size) || (kea < kt_null)) { 848 PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); 849 return SECFailure; 850 } 851 852 if (kea != NSS_FindCertKEAType(cert)) { 853 PORT_SetError(SSL_ERROR_CERT_KEA_MISMATCH); 854 return SECFailure; 855 } 856 857 if (cert) { 858 /* get the size of the cert's public key, and remember it */ 859 pubKey = CERT_ExtractPublicKey(cert); 860 if (!pubKey) 861 return SECFailure; 862 } 863 864 if (key) { 865 SECKEYPrivateKey * keyCopy = NULL; 866 CK_MECHANISM_TYPE keyMech = CKM_INVALID_MECHANISM; 867 868 if (key->pkcs11Slot) { 869 PK11SlotInfo * bestSlot; 870 bestSlot = PK11_ReferenceSlot(key->pkcs11Slot); 871 if (bestSlot) { 872 keyCopy = PK11_CopyTokenPrivKeyToSessionPrivKey(bestSlot, key); 873 PK11_FreeSlot(bestSlot); 874 } 875 } 876 if (keyCopy == NULL) 877 keyMech = PK11_MapSignKeyType(key->keyType); 878 if (keyMech != CKM_INVALID_MECHANISM) { 879 PK11SlotInfo * bestSlot; 880 /* XXX Maybe should be bestSlotMultiple? */ 881 bestSlot = PK11_GetBestSlot(keyMech, NULL /* wincx */); 882 if (bestSlot) { 883 keyCopy = PK11_CopyTokenPrivKeyToSessionPrivKey(bestSlot, key); 884 PK11_FreeSlot(bestSlot); 885 } 886 } 887 if (keyCopy == NULL) 888 keyCopy = SECKEY_CopyPrivateKey(key); 889 if (keyCopy == NULL) 890 goto loser; 891 keyPair = ssl3_NewKeyPair(keyCopy, pubKey); 892 if (keyPair == NULL) { 893 SECKEY_DestroyPrivateKey(keyCopy); 894 goto loser; 895 } 896 pubKey = NULL; /* adopted by serverKeyPair */ 897 } 898 if (ssl_ConfigSecureServer(ss, cert, certChainOpt, 899 keyPair, kea) == SECFailure) { 900 goto loser; 901 } 902 903 /* Only do this once because it's global. */ 904 if (PR_SUCCESS == PR_CallOnceWithArg(&setupServerCAListOnce, 905 &serverCAListSetup, 906 (void *)(ss->dbHandle))) { 907 rv = SECSuccess; 908 } 909 910loser: 911 if (keyPair) { 912 ssl3_FreeKeyPair(keyPair); 913 } 914 if (pubKey) { 915 SECKEY_DestroyPublicKey(pubKey); 916 pubKey = NULL; 917 } 918 return rv; 919} 920 921/************************************************************************/ 922 923SECStatus 924ssl_CreateSecurityInfo(sslSocket *ss) 925{ 926 SECStatus status; 927 928 /* initialize sslv2 socket to send data in the clear. */ 929 ssl2_UseClearSendFunc(ss); 930 931 ss->sec.blockSize = 1; 932 ss->sec.blockShift = 0; 933 934 ssl_GetXmitBufLock(ss); 935 status = sslBuffer_Grow(&ss->sec.writeBuf, 4096); 936 ssl_ReleaseXmitBufLock(ss); 937 938 return status; 939} 940 941SECStatus 942ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os) 943{ 944 ss->sec.send = os->sec.send; 945 ss->sec.isServer = os->sec.isServer; 946 ss->sec.keyBits = os->sec.keyBits; 947 ss->sec.secretKeyBits = os->sec.secretKeyBits; 948 949 ss->sec.peerCert = CERT_DupCertificate(os->sec.peerCert); 950 if (os->sec.peerCert && !ss->sec.peerCert) 951 goto loser; 952 953 ss->sec.cache = os->sec.cache; 954 ss->sec.uncache = os->sec.uncache; 955 956 /* we don't dup the connection info. */ 957 958 ss->sec.sendSequence = os->sec.sendSequence; 959 ss->sec.rcvSequence = os->sec.rcvSequence; 960 961 if (os->sec.hash && os->sec.hashcx) { 962 ss->sec.hash = os->sec.hash; 963 ss->sec.hashcx = os->sec.hash->clone(os->sec.hashcx); 964 if (os->sec.hashcx && !ss->sec.hashcx) 965 goto loser; 966 } else { 967 ss->sec.hash = NULL; 968 ss->sec.hashcx = NULL; 969 } 970 971 SECITEM_CopyItem(0, &ss->sec.sendSecret, &os->sec.sendSecret); 972 if (os->sec.sendSecret.data && !ss->sec.sendSecret.data) 973 goto loser; 974 SECITEM_CopyItem(0, &ss->sec.rcvSecret, &os->sec.rcvSecret); 975 if (os->sec.rcvSecret.data && !ss->sec.rcvSecret.data) 976 goto loser; 977 978 /* XXX following code is wrong if either cx != 0 */ 979 PORT_Assert(os->sec.readcx == 0); 980 PORT_Assert(os->sec.writecx == 0); 981 ss->sec.readcx = os->sec.readcx; 982 ss->sec.writecx = os->sec.writecx; 983 ss->sec.destroy = 0; 984 985 ss->sec.enc = os->sec.enc; 986 ss->sec.dec = os->sec.dec; 987 988 ss->sec.blockShift = os->sec.blockShift; 989 ss->sec.blockSize = os->sec.blockSize; 990 991 return SECSuccess; 992 993loser: 994 return SECFailure; 995} 996 997/* Reset sec back to its initial state. 998** Caller holds any relevant locks. 999*/ 1000void 1001ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset) 1002{ 1003 /* Destroy MAC */ 1004 if (sec->hash && sec->hashcx) { 1005 (*sec->hash->destroy)(sec->hashcx, PR_TRUE); 1006 sec->hashcx = NULL; 1007 sec->hash = NULL; 1008 } 1009 SECITEM_ZfreeItem(&sec->sendSecret, PR_FALSE); 1010 SECITEM_ZfreeItem(&sec->rcvSecret, PR_FALSE); 1011 1012 /* Destroy ciphers */ 1013 if (sec->destroy) { 1014 (*sec->destroy)(sec->readcx, PR_TRUE); 1015 (*sec->destroy)(sec->writecx, PR_TRUE); 1016 sec->readcx = NULL; 1017 sec->writecx = NULL; 1018 } else { 1019 PORT_Assert(sec->readcx == 0); 1020 PORT_Assert(sec->writecx == 0); 1021 } 1022 sec->readcx = 0; 1023 sec->writecx = 0; 1024 1025 if (sec->localCert) { 1026 CERT_DestroyCertificate(sec->localCert); 1027 sec->localCert = NULL; 1028 } 1029 if (sec->peerCert) { 1030 CERT_DestroyCertificate(sec->peerCert); 1031 sec->peerCert = NULL; 1032 } 1033 if (sec->peerKey) { 1034 SECKEY_DestroyPublicKey(sec->peerKey); 1035 sec->peerKey = NULL; 1036 } 1037 1038 /* cleanup the ci */ 1039 if (sec->ci.sid != NULL) { 1040 ssl_FreeSID(sec->ci.sid); 1041 } 1042 PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space); 1043 if (doMemset) { 1044 memset(&sec->ci, 0, sizeof sec->ci); 1045 } 1046 1047} 1048 1049/* 1050** Called from SSL_ResetHandshake (above), and 1051** from ssl_FreeSocket in sslsock.c 1052** Caller should hold relevant locks (e.g. XmitBufLock) 1053*/ 1054void 1055ssl_DestroySecurityInfo(sslSecurityInfo *sec) 1056{ 1057 ssl_ResetSecurityInfo(sec, PR_FALSE); 1058 1059 PORT_ZFree(sec->writeBuf.buf, sec->writeBuf.space); 1060 sec->writeBuf.buf = 0; 1061 1062 memset(sec, 0, sizeof *sec); 1063} 1064 1065/************************************************************************/ 1066 1067int 1068ssl_SecureConnect(sslSocket *ss, const PRNetAddr *sa) 1069{ 1070 PRFileDesc *osfd = ss->fd->lower; 1071 int rv; 1072 1073 if ( ss->opt.handshakeAsServer ) { 1074 ss->securityHandshake = ssl2_BeginServerHandshake; 1075 ss->handshaking = sslHandshakingAsServer; 1076 } else { 1077 ss->securityHandshake = ssl2_BeginClientHandshake; 1078 ss->handshaking = sslHandshakingAsClient; 1079 } 1080 1081 /* connect to server */ 1082 rv = osfd->methods->connect(osfd, sa, ss->cTimeout); 1083 if (rv == PR_SUCCESS) { 1084 ss->TCPconnected = 1; 1085 } else { 1086 int err = PR_GetError(); 1087 SSL_DBG(("%d: SSL[%d]: connect failed, errno=%d", 1088 SSL_GETPID(), ss->fd, err)); 1089 if (err == PR_IS_CONNECTED_ERROR) { 1090 ss->TCPconnected = 1; 1091 } 1092 } 1093 1094 SSL_TRC(5, ("%d: SSL[%d]: secure connect completed, rv == %d", 1095 SSL_GETPID(), ss->fd, rv)); 1096 return rv; 1097} 1098 1099/* 1100 * The TLS 1.2 RFC 5246, Section 7.2.1 says: 1101 * 1102 * Unless some other fatal alert has been transmitted, each party is 1103 * required to send a close_notify alert before closing the write side 1104 * of the connection. The other party MUST respond with a close_notify 1105 * alert of its own and close down the connection immediately, 1106 * discarding any pending writes. It is not required for the initiator 1107 * of the close to wait for the responding close_notify alert before 1108 * closing the read side of the connection. 1109 * 1110 * The second sentence requires that we send a close_notify alert when we 1111 * have received a close_notify alert. In practice, all SSL implementations 1112 * close the socket immediately after sending a close_notify alert (which is 1113 * allowed by the third sentence), so responding with a close_notify alert 1114 * would result in a write failure with the ECONNRESET error. This is why 1115 * we don't respond with a close_notify alert. 1116 * 1117 * Also, in the unlikely event that the TCP pipe is full and the peer stops 1118 * reading, the SSL3_SendAlert call in ssl_SecureClose and ssl_SecureShutdown 1119 * may block indefinitely in blocking mode, and may fail (without retrying) 1120 * in non-blocking mode. 1121 */ 1122 1123int 1124ssl_SecureClose(sslSocket *ss) 1125{ 1126 int rv; 1127 1128 if (ss->version >= SSL_LIBRARY_VERSION_3_0 && 1129 !(ss->shutdownHow & ssl_SHUTDOWN_SEND) && 1130 ss->firstHsDone && 1131 !ss->recvdCloseNotify && 1132 ss->ssl3.initialized) { 1133 1134 /* We don't want the final alert to be Nagle delayed. */ 1135 if (!ss->delayDisabled) { 1136 ssl_EnableNagleDelay(ss, PR_FALSE); 1137 ss->delayDisabled = 1; 1138 } 1139 1140 (void) SSL3_SendAlert(ss, alert_warning, close_notify); 1141 } 1142 rv = ssl_DefClose(ss); 1143 return rv; 1144} 1145 1146/* Caller handles all locking */ 1147int 1148ssl_SecureShutdown(sslSocket *ss, int nsprHow) 1149{ 1150 PRFileDesc *osfd = ss->fd->lower; 1151 int rv; 1152 PRIntn sslHow = nsprHow + 1; 1153 1154 if ((unsigned)nsprHow > PR_SHUTDOWN_BOTH) { 1155 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 1156 return PR_FAILURE; 1157 } 1158 1159 if ((sslHow & ssl_SHUTDOWN_SEND) != 0 && 1160 ss->version >= SSL_LIBRARY_VERSION_3_0 && 1161 !(ss->shutdownHow & ssl_SHUTDOWN_SEND) && 1162 ss->firstHsDone && 1163 !ss->recvdCloseNotify && 1164 ss->ssl3.initialized) { 1165 1166 (void) SSL3_SendAlert(ss, alert_warning, close_notify); 1167 } 1168 1169 rv = osfd->methods->shutdown(osfd, nsprHow); 1170 1171 ss->shutdownHow |= sslHow; 1172 1173 return rv; 1174} 1175 1176/************************************************************************/ 1177 1178 1179int 1180ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags) 1181{ 1182 sslSecurityInfo *sec; 1183 int rv = 0; 1184 1185 sec = &ss->sec; 1186 1187 if (ss->shutdownHow & ssl_SHUTDOWN_RCV) { 1188 PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR); 1189 return PR_FAILURE; 1190 } 1191 if (flags & ~PR_MSG_PEEK) { 1192 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 1193 return PR_FAILURE; 1194 } 1195 1196 if (!ssl_SocketIsBlocking(ss) && !ss->opt.fdx) { 1197 ssl_GetXmitBufLock(ss); 1198 if (ss->pendingBuf.len != 0) { 1199 rv = ssl_SendSavedWriteData(ss); 1200 if ((rv < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) { 1201 ssl_ReleaseXmitBufLock(ss); 1202 return SECFailure; 1203 } 1204 } 1205 ssl_ReleaseXmitBufLock(ss); 1206 } 1207 1208 rv = 0; 1209 /* If any of these is non-zero, the initial handshake is not done. */ 1210 if (!ss->firstHsDone) { 1211 ssl_Get1stHandshakeLock(ss); 1212 if (ss->handshake || ss->nextHandshake || ss->securityHandshake) { 1213 rv = ssl_Do1stHandshake(ss); 1214 } 1215 ssl_Release1stHandshakeLock(ss); 1216 } 1217 if (rv < 0) { 1218 return rv; 1219 } 1220 1221 if (len == 0) return 0; 1222 1223 rv = DoRecv(ss, (unsigned char*) buf, len, flags); 1224 SSL_TRC(2, ("%d: SSL[%d]: recving %d bytes securely (errno=%d)", 1225 SSL_GETPID(), ss->fd, rv, PORT_GetError())); 1226 return rv; 1227} 1228 1229int 1230ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len) 1231{ 1232 return ssl_SecureRecv(ss, buf, len, 0); 1233} 1234 1235/* Caller holds the SSL Socket's write lock. SSL_LOCK_WRITER(ss) */ 1236int 1237ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags) 1238{ 1239 int rv = 0; 1240 1241 SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes", 1242 SSL_GETPID(), ss->fd, len)); 1243 1244 if (ss->shutdownHow & ssl_SHUTDOWN_SEND) { 1245 PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR); 1246 rv = PR_FAILURE; 1247 goto done; 1248 } 1249 if (flags) { 1250 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 1251 rv = PR_FAILURE; 1252 goto done; 1253 } 1254 1255 ssl_GetXmitBufLock(ss); 1256 if (ss->pendingBuf.len != 0) { 1257 PORT_Assert(ss->pendingBuf.len > 0); 1258 rv = ssl_SendSavedWriteData(ss); 1259 if (rv >= 0 && ss->pendingBuf.len != 0) { 1260 PORT_Assert(ss->pendingBuf.len > 0); 1261 PORT_SetError(PR_WOULD_BLOCK_ERROR); 1262 rv = SECFailure; 1263 } 1264 } 1265 ssl_ReleaseXmitBufLock(ss); 1266 if (rv < 0) { 1267 goto done; 1268 } 1269 1270 if (len > 0) 1271 ss->writerThread = PR_GetCurrentThread(); 1272 /* If any of these is non-zero, the initial handshake is not done. */ 1273 if (!ss->firstHsDone) { 1274 PRBool falseStart = PR_FALSE; 1275 ssl_Get1stHandshakeLock(ss); 1276 if (ss->opt.enableFalseStart && 1277 ss->version >= SSL_LIBRARY_VERSION_3_0) { 1278 ssl_GetSSL3HandshakeLock(ss); 1279 falseStart = ss->ssl3.hs.canFalseStart; 1280 ssl_ReleaseSSL3HandshakeLock(ss); 1281 } 1282 if (!falseStart && 1283 (ss->handshake || ss->nextHandshake || ss->securityHandshake)) { 1284 rv = ssl_Do1stHandshake(ss); 1285 } 1286 ssl_Release1stHandshakeLock(ss); 1287 } 1288 if (rv < 0) { 1289 ss->writerThread = NULL; 1290 goto done; 1291 } 1292 1293 /* Check for zero length writes after we do housekeeping so we make forward 1294 * progress. 1295 */ 1296 if (len == 0) { 1297 rv = 0; 1298 goto done; 1299 } 1300 PORT_Assert(buf != NULL); 1301 if (!buf) { 1302 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 1303 rv = PR_FAILURE; 1304 goto done; 1305 } 1306 1307 if (!ss->firstHsDone) { 1308 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_3_0); 1309#ifdef DEBUG 1310 ssl_GetSSL3HandshakeLock(ss); 1311 PORT_Assert(ss->ssl3.hs.canFalseStart); 1312 ssl_ReleaseSSL3HandshakeLock(ss); 1313#endif 1314 SSL_TRC(3, ("%d: SSL[%d]: SecureSend: sending data due to false start", 1315 SSL_GETPID(), ss->fd)); 1316 } 1317 1318 /* Send out the data using one of these functions: 1319 * ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock, 1320 * ssl3_SendApplicationData 1321 */ 1322 ssl_GetXmitBufLock(ss); 1323 rv = (*ss->sec.send)(ss, buf, len, flags); 1324 ssl_ReleaseXmitBufLock(ss); 1325 ss->writerThread = NULL; 1326done: 1327 if (rv < 0) { 1328 SSL_TRC(2, ("%d: SSL[%d]: SecureSend: returning %d count, error %d", 1329 SSL_GETPID(), ss->fd, rv, PORT_GetError())); 1330 } else { 1331 SSL_TRC(2, ("%d: SSL[%d]: SecureSend: returning %d count", 1332 SSL_GETPID(), ss->fd, rv)); 1333 } 1334 return rv; 1335} 1336 1337int 1338ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len) 1339{ 1340 return ssl_SecureSend(ss, buf, len, 0); 1341} 1342 1343SECStatus 1344SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg) 1345{ 1346 sslSocket *ss; 1347 1348 ss = ssl_FindSocket(fd); 1349 if (!ss) { 1350 SSL_DBG(("%d: SSL[%d]: bad socket in SSLBadCertHook", 1351 SSL_GETPID(), fd)); 1352 return SECFailure; 1353 } 1354 1355 ss->handleBadCert = f; 1356 ss->badCertArg = arg; 1357 1358 return SECSuccess; 1359} 1360 1361/* 1362 * Allow the application to pass the url or hostname into the SSL library 1363 * so that we can do some checking on it. It will be used for the value in 1364 * SNI extension of client hello message. 1365 */ 1366SECStatus 1367SSL_SetURL(PRFileDesc *fd, const char *url) 1368{ 1369 sslSocket * ss = ssl_FindSocket(fd); 1370 SECStatus rv = SECSuccess; 1371 1372 if (!ss) { 1373 SSL_DBG(("%d: SSL[%d]: bad socket in SSLSetURL", 1374 SSL_GETPID(), fd)); 1375 return SECFailure; 1376 } 1377 ssl_Get1stHandshakeLock(ss); 1378 ssl_GetSSL3HandshakeLock(ss); 1379 1380 if ( ss->url ) { 1381 PORT_Free((void *)ss->url); /* CONST */ 1382 } 1383 1384 ss->url = (const char *)PORT_Strdup(url); 1385 if ( ss->url == NULL ) { 1386 rv = SECFailure; 1387 } 1388 1389 ssl_ReleaseSSL3HandshakeLock(ss); 1390 ssl_Release1stHandshakeLock(ss); 1391 1392 return rv; 1393} 1394 1395/* 1396 * Allow the application to pass the set of trust anchors 1397 */ 1398SECStatus 1399SSL_SetTrustAnchors(PRFileDesc *fd, CERTCertList *certList) 1400{ 1401 sslSocket * ss = ssl_FindSocket(fd); 1402 CERTDistNames *names = NULL; 1403 1404 if (!certList) { 1405 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1406 return SECFailure; 1407 } 1408 if (!ss) { 1409 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetTrustAnchors", 1410 SSL_GETPID(), fd)); 1411 return SECFailure; 1412 } 1413 1414 names = CERT_DistNamesFromCertList(certList); 1415 if (names == NULL) { 1416 return SECFailure; 1417 } 1418 ssl_Get1stHandshakeLock(ss); 1419 ssl_GetSSL3HandshakeLock(ss); 1420 if (ss->ssl3.ca_list) { 1421 CERT_FreeDistNames(ss->ssl3.ca_list); 1422 } 1423 ss->ssl3.ca_list = names; 1424 ssl_ReleaseSSL3HandshakeLock(ss); 1425 ssl_Release1stHandshakeLock(ss); 1426 1427 return SECSuccess; 1428} 1429 1430/* 1431** Returns Negative number on error, zero or greater on success. 1432** Returns the amount of data immediately available to be read. 1433*/ 1434int 1435SSL_DataPending(PRFileDesc *fd) 1436{ 1437 sslSocket *ss; 1438 int rv = 0; 1439 1440 ss = ssl_FindSocket(fd); 1441 1442 if (ss && ss->opt.useSecurity) { 1443 ssl_GetRecvBufLock(ss); 1444 rv = ss->gs.writeOffset - ss->gs.readOffset; 1445 ssl_ReleaseRecvBufLock(ss); 1446 } 1447 1448 return rv; 1449} 1450 1451SECStatus 1452SSL_InvalidateSession(PRFileDesc *fd) 1453{ 1454 sslSocket * ss = ssl_FindSocket(fd); 1455 SECStatus rv = SECFailure; 1456 1457 if (ss) { 1458 ssl_Get1stHandshakeLock(ss); 1459 ssl_GetSSL3HandshakeLock(ss); 1460 1461 if (ss->sec.ci.sid && ss->sec.uncache) { 1462 ss->sec.uncache(ss->sec.ci.sid); 1463 rv = SECSuccess; 1464 } 1465 1466 ssl_ReleaseSSL3HandshakeLock(ss); 1467 ssl_Release1stHandshakeLock(ss); 1468 } 1469 return rv; 1470} 1471 1472static void 1473ssl3_CacheSessionUnlocked(sslSocket *ss) 1474{ 1475 PORT_Assert(!ss->sec.isServer); 1476 1477 if (ss->ssl3.hs.cacheSID) { 1478 ss->sec.cache(ss->sec.ci.sid); 1479 ss->ssl3.hs.cacheSID = PR_FALSE; 1480 } 1481} 1482 1483SECStatus 1484SSL_CacheSession(PRFileDesc *fd) 1485{ 1486 sslSocket * ss = ssl_FindSocket(fd); 1487 SECStatus rv = SECFailure; 1488 1489 if (ss) { 1490 ssl_Get1stHandshakeLock(ss); 1491 ssl_GetSSL3HandshakeLock(ss); 1492 1493 ssl3_CacheSessionUnlocked(ss); 1494 rv = SECSuccess; 1495 1496 ssl_ReleaseSSL3HandshakeLock(ss); 1497 ssl_Release1stHandshakeLock(ss); 1498 } 1499 return rv; 1500} 1501 1502SECStatus 1503SSL_CacheSessionUnlocked(PRFileDesc *fd) 1504{ 1505 sslSocket * ss = ssl_FindSocket(fd); 1506 SECStatus rv = SECFailure; 1507 1508 if (ss) { 1509 ssl3_CacheSessionUnlocked(ss); 1510 rv = SECSuccess; 1511 } 1512 return rv; 1513} 1514 1515SECItem * 1516SSL_GetSessionID(PRFileDesc *fd) 1517{ 1518 sslSocket * ss; 1519 SECItem * item = NULL; 1520 1521 ss = ssl_FindSocket(fd); 1522 if (ss) { 1523 ssl_Get1stHandshakeLock(ss); 1524 ssl_GetSSL3HandshakeLock(ss); 1525 1526 if (ss->opt.useSecurity && ss->firstHsDone && ss->sec.ci.sid) { 1527 item = (SECItem *)PORT_Alloc(sizeof(SECItem)); 1528 if (item) { 1529 sslSessionID * sid = ss->sec.ci.sid; 1530 if (sid->version < SSL_LIBRARY_VERSION_3_0) { 1531 item->len = SSL2_SESSIONID_BYTES; 1532 item->data = (unsigned char*)PORT_Alloc(item->len); 1533 PORT_Memcpy(item->data, sid->u.ssl2.sessionID, item->len); 1534 } else { 1535 item->len = sid->u.ssl3.sessionIDLength; 1536 item->data = (unsigned char*)PORT_Alloc(item->len); 1537 PORT_Memcpy(item->data, sid->u.ssl3.sessionID, item->len); 1538 } 1539 } 1540 } 1541 1542 ssl_ReleaseSSL3HandshakeLock(ss); 1543 ssl_Release1stHandshakeLock(ss); 1544 } 1545 return item; 1546} 1547 1548SECStatus 1549SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle) 1550{ 1551 sslSocket * ss; 1552 1553 ss = ssl_FindSocket(fd); 1554 if (!ss) 1555 return SECFailure; 1556 if (!dbHandle) { 1557 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1558 return SECFailure; 1559 } 1560 ss->dbHandle = dbHandle; 1561 return SECSuccess; 1562} 1563 1564/* 1565 * attempt to restart the handshake after asynchronously handling 1566 * a request for the client's certificate. 1567 * 1568 * inputs: 1569 * cert Client cert chosen by application. 1570 * Note: ssl takes this reference, and does not bump the 1571 * reference count. The caller should drop its reference 1572 * without calling CERT_DestroyCertificate after calling this 1573 * function. 1574 * 1575 * key Private key associated with cert. This function takes 1576 * ownership of the private key, so the caller should drop its 1577 * reference without destroying the private key after this 1578 * function returns. 1579 * 1580 * certChain Chain of signers for cert. 1581 * Note: ssl takes this reference, and does not copy the chain. 1582 * The caller should drop its reference without destroying the 1583 * chain. SSL will free the chain when it is done with it. 1584 * 1585 * Return value: XXX 1586 * 1587 * XXX This code only works on the initial handshake on a connection, XXX 1588 * It does not work on a subsequent handshake (redo). 1589 */ 1590SECStatus 1591SSL_RestartHandshakeAfterCertReq(PRFileDesc * fd, 1592 CERTCertificate * cert, 1593 SECKEYPrivateKey * key, 1594 CERTCertificateList *certChain) 1595{ 1596 sslSocket * ss = ssl_FindSocket(fd); 1597 SECStatus ret; 1598 1599 if (!ss) { 1600 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RestartHandshakeAfterCertReq", 1601 SSL_GETPID(), fd)); 1602 if (cert) { 1603 CERT_DestroyCertificate(cert); 1604 } 1605 if (key) { 1606 SECKEY_DestroyPrivateKey(key); 1607 } 1608 if (certChain) { 1609 CERT_DestroyCertificateList(certChain); 1610 } 1611 return SECFailure; 1612 } 1613 1614 ssl_Get1stHandshakeLock(ss); /************************************/ 1615 1616 if (ss->version >= SSL_LIBRARY_VERSION_3_0) { 1617 ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain); 1618 } else { 1619 if (certChain != NULL) { 1620 CERT_DestroyCertificateList(certChain); 1621 } 1622 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); 1623 ret = SECFailure; 1624 } 1625 1626 ssl_Release1stHandshakeLock(ss); /************************************/ 1627 return ret; 1628} 1629 1630SECStatus 1631SSL_RestartHandshakeAfterChannelIDReq(PRFileDesc * fd, 1632 SECKEYPublicKey * channelIDPub, 1633 SECKEYPrivateKey *channelID) 1634{ 1635 sslSocket * ss = ssl_FindSocket(fd); 1636 SECStatus ret; 1637 1638 if (!ss) { 1639 SSL_DBG(("%d: SSL[%d]: bad socket in" 1640 " SSL_RestartHandshakeAfterChannelIDReq", 1641 SSL_GETPID(), fd)); 1642 goto loser; 1643 } 1644 1645 1646 ssl_Get1stHandshakeLock(ss); 1647 1648 if (ss->version < SSL_LIBRARY_VERSION_3_0) { 1649 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); 1650 ssl_Release1stHandshakeLock(ss); 1651 goto loser; 1652 } 1653 1654 ret = ssl3_RestartHandshakeAfterChannelIDReq(ss, channelIDPub, 1655 channelID); 1656 ssl_Release1stHandshakeLock(ss); 1657 1658 return ret; 1659 1660loser: 1661 SECKEY_DestroyPublicKey(channelIDPub); 1662 SECKEY_DestroyPrivateKey(channelID); 1663 return SECFailure; 1664} 1665 1666/* DO NOT USE. This function was exported in ssl.def with the wrong signature; 1667 * this implementation exists to maintain link-time compatibility. 1668 */ 1669int 1670SSL_RestartHandshakeAfterServerCert(sslSocket * ss) 1671{ 1672 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); 1673 return -1; 1674} 1675 1676/* See documentation in ssl.h */ 1677SECStatus 1678SSL_AuthCertificateComplete(PRFileDesc *fd, PRErrorCode error) 1679{ 1680 SECStatus rv; 1681 sslSocket *ss = ssl_FindSocket(fd); 1682 1683 if (!ss) { 1684 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_AuthCertificateComplete", 1685 SSL_GETPID(), fd)); 1686 return SECFailure; 1687 } 1688 1689 ssl_Get1stHandshakeLock(ss); 1690 1691 if (!ss->ssl3.initialized) { 1692 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1693 rv = SECFailure; 1694 } else if (ss->version < SSL_LIBRARY_VERSION_3_0) { 1695 PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); 1696 rv = SECFailure; 1697 } else { 1698 rv = ssl3_AuthCertificateComplete(ss, error); 1699 } 1700 1701 ssl_Release1stHandshakeLock(ss); 1702 1703 return rv; 1704} 1705 1706/* For more info see ssl.h */ 1707SECStatus 1708SSL_SNISocketConfigHook(PRFileDesc *fd, SSLSNISocketConfig func, 1709 void *arg) 1710{ 1711 sslSocket *ss; 1712 1713 ss = ssl_FindSocket(fd); 1714 if (!ss) { 1715 SSL_DBG(("%d: SSL[%d]: bad socket in SNISocketConfigHook", 1716 SSL_GETPID(), fd)); 1717 return SECFailure; 1718 } 1719 1720 ss->sniSocketConfig = func; 1721 ss->sniSocketConfigArg = arg; 1722 return SECSuccess; 1723} 1724