1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/socket/nss_ssl_util.h" 6 7 #include <nss.h> 8 #include <secerr.h> 9 #include <ssl.h> 10 #include <sslerr.h> 11 #include <sslproto.h> 12 13 #include <string> 14 15 #include "base/bind.h" 16 #include "base/cpu.h" 17 #include "base/lazy_instance.h" 18 #include "base/logging.h" 19 #include "base/memory/singleton.h" 20 #include "base/threading/thread_restrictions.h" 21 #include "base/values.h" 22 #include "build/build_config.h" 23 #include "crypto/nss_util.h" 24 #include "net/base/net_errors.h" 25 #include "net/base/net_log.h" 26 #include "net/base/nss_memio.h" 27 28 #if defined(OS_WIN) 29 #include "base/win/windows_version.h" 30 #endif 31 32 namespace net { 33 34 namespace { 35 36 // CiphersRemove takes a zero-terminated array of cipher suite ids in 37 // |to_remove| and sets every instance of them in |ciphers| to zero. It returns 38 // true if it found and removed every element of |to_remove|. It assumes that 39 // there are no duplicates in |ciphers| nor in |to_remove|. 40 bool CiphersRemove(const uint16* to_remove, uint16* ciphers, size_t num) { 41 size_t i, found = 0; 42 43 for (i = 0; ; i++) { 44 if (to_remove[i] == 0) 45 break; 46 47 for (size_t j = 0; j < num; j++) { 48 if (to_remove[i] == ciphers[j]) { 49 ciphers[j] = 0; 50 found++; 51 break; 52 } 53 } 54 } 55 56 return found == i; 57 } 58 59 // CiphersCompact takes an array of cipher suite ids in |ciphers|, where some 60 // entries are zero, and moves the entries so that all the non-zero elements 61 // are compacted at the end of the array. 62 void CiphersCompact(uint16* ciphers, size_t num) { 63 size_t j = num - 1; 64 65 for (size_t i = num - 1; i < num; i--) { 66 if (ciphers[i] == 0) 67 continue; 68 ciphers[j--] = ciphers[i]; 69 } 70 } 71 72 // CiphersCopy copies the zero-terminated array |in| to |out|. It returns the 73 // number of cipher suite ids copied. 74 size_t CiphersCopy(const uint16* in, uint16* out) { 75 for (size_t i = 0; ; i++) { 76 if (in[i] == 0) 77 return i; 78 out[i] = in[i]; 79 } 80 } 81 82 base::Value* NetLogSSLErrorCallback(int net_error, 83 int ssl_lib_error, 84 NetLog::LogLevel /* log_level */) { 85 base::DictionaryValue* dict = new base::DictionaryValue(); 86 dict->SetInteger("net_error", net_error); 87 if (ssl_lib_error) 88 dict->SetInteger("ssl_lib_error", ssl_lib_error); 89 return dict; 90 } 91 92 class NSSSSLInitSingleton { 93 public: 94 NSSSSLInitSingleton() : model_fd_(NULL) { 95 crypto::EnsureNSSInit(); 96 97 NSS_SetDomesticPolicy(); 98 99 const PRUint16* const ssl_ciphers = SSL_GetImplementedCiphers(); 100 const PRUint16 num_ciphers = SSL_GetNumImplementedCiphers(); 101 102 // Disable ECDSA cipher suites on platforms that do not support ECDSA 103 // signed certificates, as servers may use the presence of such 104 // ciphersuites as a hint to send an ECDSA certificate. 105 bool disableECDSA = false; 106 #if defined(OS_WIN) 107 if (base::win::GetVersion() < base::win::VERSION_VISTA) 108 disableECDSA = true; 109 #endif 110 111 // Explicitly enable exactly those ciphers with keys of at least 80 bits 112 for (int i = 0; i < num_ciphers; i++) { 113 SSLCipherSuiteInfo info; 114 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, 115 sizeof(info)) == SECSuccess) { 116 bool enabled = info.effectiveKeyBits >= 80; 117 if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA) 118 enabled = false; 119 120 // Trim the list of cipher suites in order to keep the size of the 121 // ClientHello down. DSS, ECDH, CAMELLIA, SEED, ECC+3DES, and 122 // HMAC-SHA256 cipher suites are disabled. 123 if (info.symCipher == ssl_calg_camellia || 124 info.symCipher == ssl_calg_seed || 125 (info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) || 126 info.authAlgorithm == ssl_auth_dsa || 127 info.macAlgorithm == ssl_hmac_sha256 || 128 info.nonStandard || 129 strcmp(info.keaTypeName, "ECDH") == 0) { 130 enabled = false; 131 } 132 133 if (ssl_ciphers[i] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) { 134 // Enabled to allow servers with only a DSA certificate to function. 135 enabled = true; 136 } 137 SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled); 138 } 139 } 140 141 // Enable SSL. 142 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); 143 144 // Calculate the order of ciphers that we'll use for NSS sockets. (Note 145 // that, even if a cipher is specified in the ordering, it must still be 146 // enabled in order to be included in a ClientHello.) 147 // 148 // Our top preference cipher suites are either forward-secret AES-GCM or 149 // forward-secret ChaCha20-Poly1305. If the local machine has AES-NI then 150 // we prefer AES-GCM, otherwise ChaCha20. The remainder of the cipher suite 151 // preference is inheriented from NSS. */ 152 static const uint16 chacha_ciphers[] = { 153 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 154 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 155 0, 156 }; 157 static const uint16 aes_gcm_ciphers[] = { 158 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 159 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 160 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 161 0, 162 }; 163 scoped_ptr<uint16[]> ciphers(new uint16[num_ciphers]); 164 memcpy(ciphers.get(), ssl_ciphers, sizeof(uint16)*num_ciphers); 165 166 if (CiphersRemove(chacha_ciphers, ciphers.get(), num_ciphers) && 167 CiphersRemove(aes_gcm_ciphers, ciphers.get(), num_ciphers)) { 168 CiphersCompact(ciphers.get(), num_ciphers); 169 170 const uint16* preference_ciphers = chacha_ciphers; 171 const uint16* other_ciphers = aes_gcm_ciphers; 172 base::CPU cpu; 173 174 if (cpu.has_aesni() && cpu.has_avx()) { 175 preference_ciphers = aes_gcm_ciphers; 176 other_ciphers = chacha_ciphers; 177 } 178 unsigned i = CiphersCopy(preference_ciphers, ciphers.get()); 179 CiphersCopy(other_ciphers, &ciphers[i]); 180 181 if ((model_fd_ = memio_CreateIOLayer(1, 1)) == NULL || 182 SSL_ImportFD(NULL, model_fd_) == NULL || 183 SECSuccess != 184 SSL_CipherOrderSet(model_fd_, ciphers.get(), num_ciphers)) { 185 NOTREACHED(); 186 if (model_fd_) { 187 PR_Close(model_fd_); 188 model_fd_ = NULL; 189 } 190 } 191 } 192 193 // All other SSL options are set per-session by SSLClientSocket and 194 // SSLServerSocket. 195 } 196 197 PRFileDesc* GetModelSocket() { 198 return model_fd_; 199 } 200 201 ~NSSSSLInitSingleton() { 202 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY. 203 SSL_ClearSessionCache(); 204 if (model_fd_) 205 PR_Close(model_fd_); 206 } 207 208 private: 209 PRFileDesc* model_fd_; 210 }; 211 212 base::LazyInstance<NSSSSLInitSingleton>::Leaky g_nss_ssl_init_singleton = 213 LAZY_INSTANCE_INITIALIZER; 214 215 } // anonymous namespace 216 217 // Initialize the NSS SSL library if it isn't already initialized. This must 218 // be called before any other NSS SSL functions. This function is 219 // thread-safe, and the NSS SSL library will only ever be initialized once. 220 // The NSS SSL library will be properly shut down on program exit. 221 void EnsureNSSSSLInit() { 222 // Initializing SSL causes us to do blocking IO. 223 // Temporarily allow it until we fix 224 // http://code.google.com/p/chromium/issues/detail?id=59847 225 base::ThreadRestrictions::ScopedAllowIO allow_io; 226 227 g_nss_ssl_init_singleton.Get(); 228 } 229 230 PRFileDesc* GetNSSModelSocket() { 231 return g_nss_ssl_init_singleton.Get().GetModelSocket(); 232 } 233 234 // Map a Chromium net error code to an NSS error code. 235 // See _MD_unix_map_default_error in the NSS source 236 // tree for inspiration. 237 PRErrorCode MapErrorToNSS(int result) { 238 if (result >=0) 239 return result; 240 241 switch (result) { 242 case ERR_IO_PENDING: 243 return PR_WOULD_BLOCK_ERROR; 244 case ERR_ACCESS_DENIED: 245 case ERR_NETWORK_ACCESS_DENIED: 246 // For connect, this could be mapped to PR_ADDRESS_NOT_SUPPORTED_ERROR. 247 return PR_NO_ACCESS_RIGHTS_ERROR; 248 case ERR_NOT_IMPLEMENTED: 249 return PR_NOT_IMPLEMENTED_ERROR; 250 case ERR_SOCKET_NOT_CONNECTED: 251 return PR_NOT_CONNECTED_ERROR; 252 case ERR_INTERNET_DISCONNECTED: // Equivalent to ENETDOWN. 253 return PR_NETWORK_UNREACHABLE_ERROR; // Best approximation. 254 case ERR_CONNECTION_TIMED_OUT: 255 case ERR_TIMED_OUT: 256 return PR_IO_TIMEOUT_ERROR; 257 case ERR_CONNECTION_RESET: 258 return PR_CONNECT_RESET_ERROR; 259 case ERR_CONNECTION_ABORTED: 260 return PR_CONNECT_ABORTED_ERROR; 261 case ERR_CONNECTION_REFUSED: 262 return PR_CONNECT_REFUSED_ERROR; 263 case ERR_ADDRESS_UNREACHABLE: 264 return PR_HOST_UNREACHABLE_ERROR; // Also PR_NETWORK_UNREACHABLE_ERROR. 265 case ERR_ADDRESS_INVALID: 266 return PR_ADDRESS_NOT_AVAILABLE_ERROR; 267 case ERR_NAME_NOT_RESOLVED: 268 return PR_DIRECTORY_LOOKUP_ERROR; 269 default: 270 LOG(WARNING) << "MapErrorToNSS " << result 271 << " mapped to PR_UNKNOWN_ERROR"; 272 return PR_UNKNOWN_ERROR; 273 } 274 } 275 276 // The default error mapping function. 277 // Maps an NSS error code to a network error code. 278 int MapNSSError(PRErrorCode err) { 279 // TODO(port): fill this out as we learn what's important 280 switch (err) { 281 case PR_WOULD_BLOCK_ERROR: 282 return ERR_IO_PENDING; 283 case PR_ADDRESS_NOT_SUPPORTED_ERROR: // For connect. 284 case PR_NO_ACCESS_RIGHTS_ERROR: 285 return ERR_ACCESS_DENIED; 286 case PR_IO_TIMEOUT_ERROR: 287 return ERR_TIMED_OUT; 288 case PR_CONNECT_RESET_ERROR: 289 return ERR_CONNECTION_RESET; 290 case PR_CONNECT_ABORTED_ERROR: 291 return ERR_CONNECTION_ABORTED; 292 case PR_CONNECT_REFUSED_ERROR: 293 return ERR_CONNECTION_REFUSED; 294 case PR_NOT_CONNECTED_ERROR: 295 return ERR_SOCKET_NOT_CONNECTED; 296 case PR_HOST_UNREACHABLE_ERROR: 297 case PR_NETWORK_UNREACHABLE_ERROR: 298 return ERR_ADDRESS_UNREACHABLE; 299 case PR_ADDRESS_NOT_AVAILABLE_ERROR: 300 return ERR_ADDRESS_INVALID; 301 case PR_INVALID_ARGUMENT_ERROR: 302 return ERR_INVALID_ARGUMENT; 303 case PR_END_OF_FILE_ERROR: 304 return ERR_CONNECTION_CLOSED; 305 case PR_NOT_IMPLEMENTED_ERROR: 306 return ERR_NOT_IMPLEMENTED; 307 308 case SEC_ERROR_LIBRARY_FAILURE: 309 return ERR_UNEXPECTED; 310 case SEC_ERROR_INVALID_ARGS: 311 return ERR_INVALID_ARGUMENT; 312 case SEC_ERROR_NO_MEMORY: 313 return ERR_OUT_OF_MEMORY; 314 case SEC_ERROR_NO_KEY: 315 return ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY; 316 case SEC_ERROR_INVALID_KEY: 317 case SSL_ERROR_SIGN_HASHES_FAILURE: 318 LOG(ERROR) << "ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: NSS error " << err 319 << ", OS error " << PR_GetOSError(); 320 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED; 321 // A handshake (initial or renegotiation) may fail because some signature 322 // (for example, the signature in the ServerKeyExchange message for an 323 // ephemeral Diffie-Hellman cipher suite) is invalid. 324 case SEC_ERROR_BAD_SIGNATURE: 325 return ERR_SSL_PROTOCOL_ERROR; 326 327 case SSL_ERROR_SSL_DISABLED: 328 return ERR_NO_SSL_VERSIONS_ENABLED; 329 case SSL_ERROR_NO_CYPHER_OVERLAP: 330 case SSL_ERROR_PROTOCOL_VERSION_ALERT: 331 case SSL_ERROR_UNSUPPORTED_VERSION: 332 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH; 333 case SSL_ERROR_HANDSHAKE_FAILURE_ALERT: 334 case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT: 335 case SSL_ERROR_ILLEGAL_PARAMETER_ALERT: 336 return ERR_SSL_PROTOCOL_ERROR; 337 case SSL_ERROR_DECOMPRESSION_FAILURE_ALERT: 338 return ERR_SSL_DECOMPRESSION_FAILURE_ALERT; 339 case SSL_ERROR_BAD_MAC_ALERT: 340 return ERR_SSL_BAD_RECORD_MAC_ALERT; 341 case SSL_ERROR_DECRYPT_ERROR_ALERT: 342 return ERR_SSL_DECRYPT_ERROR_ALERT; 343 case SSL_ERROR_UNRECOGNIZED_NAME_ALERT: 344 return ERR_SSL_UNRECOGNIZED_NAME_ALERT; 345 case SSL_ERROR_UNSAFE_NEGOTIATION: 346 return ERR_SSL_UNSAFE_NEGOTIATION; 347 case SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY: 348 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY; 349 case SSL_ERROR_HANDSHAKE_NOT_COMPLETED: 350 return ERR_SSL_HANDSHAKE_NOT_COMPLETED; 351 case SEC_ERROR_BAD_KEY: 352 case SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE: 353 // TODO(wtc): the following errors may also occur in contexts unrelated 354 // to the peer's public key. We should add new error codes for them, or 355 // map them to ERR_SSL_BAD_PEER_PUBLIC_KEY only in the right context. 356 // General unsupported/unknown key algorithm error. 357 case SEC_ERROR_UNSUPPORTED_KEYALG: 358 // General DER decoding errors. 359 case SEC_ERROR_BAD_DER: 360 case SEC_ERROR_EXTRA_INPUT: 361 return ERR_SSL_BAD_PEER_PUBLIC_KEY; 362 // During renegotiation, the server presented a different certificate than 363 // was used earlier. 364 case SSL_ERROR_WRONG_CERTIFICATE: 365 return ERR_SSL_SERVER_CERT_CHANGED; 366 case SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT: 367 return ERR_SSL_INAPPROPRIATE_FALLBACK; 368 369 default: { 370 const char* err_name = PR_ErrorToName(err); 371 if (err_name == NULL) 372 err_name = ""; 373 if (IS_SSL_ERROR(err)) { 374 LOG(WARNING) << "Unknown SSL error " << err << " (" << err_name << ")" 375 << " mapped to net::ERR_SSL_PROTOCOL_ERROR"; 376 return ERR_SSL_PROTOCOL_ERROR; 377 } 378 LOG(WARNING) << "Unknown error " << err << " (" << err_name << ")" 379 << " mapped to net::ERR_FAILED"; 380 return ERR_FAILED; 381 } 382 } 383 } 384 385 // Returns parameters to attach to the NetLog when we receive an error in 386 // response to a call to an NSS function. Used instead of 387 // NetLogSSLErrorCallback with events of type TYPE_SSL_NSS_ERROR. 388 base::Value* NetLogSSLFailedNSSFunctionCallback( 389 const char* function, 390 const char* param, 391 int ssl_lib_error, 392 NetLog::LogLevel /* log_level */) { 393 base::DictionaryValue* dict = new base::DictionaryValue(); 394 dict->SetString("function", function); 395 if (param[0] != '\0') 396 dict->SetString("param", param); 397 dict->SetInteger("ssl_lib_error", ssl_lib_error); 398 return dict; 399 } 400 401 void LogFailedNSSFunction(const BoundNetLog& net_log, 402 const char* function, 403 const char* param) { 404 DCHECK(function); 405 DCHECK(param); 406 net_log.AddEvent( 407 NetLog::TYPE_SSL_NSS_ERROR, 408 base::Bind(&NetLogSSLFailedNSSFunctionCallback, 409 function, param, PR_GetError())); 410 } 411 412 NetLog::ParametersCallback CreateNetLogSSLErrorCallback(int net_error, 413 int ssl_lib_error) { 414 return base::Bind(&NetLogSSLErrorCallback, net_error, ssl_lib_error); 415 } 416 417 } // namespace net 418