chrome: Remove dependency on expat library.
[chromium-blink-merge.git] / net / ssl / openssl_ssl_util.cc
blob2bb7f8329c1581c1d3d49ba3bb680417116bfbc7
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/ssl/openssl_ssl_util.h"
7 #include <errno.h>
9 #include <openssl/err.h>
10 #include <openssl/ssl.h>
12 #include "base/bind.h"
13 #include "base/lazy_instance.h"
14 #include "base/location.h"
15 #include "base/logging.h"
16 #include "base/values.h"
17 #include "crypto/openssl_util.h"
18 #include "net/base/net_errors.h"
20 namespace net {
22 SslSetClearMask::SslSetClearMask()
23 : set_mask(0),
24 clear_mask(0) {
27 void SslSetClearMask::ConfigureFlag(long flag, bool state) {
28 (state ? set_mask : clear_mask) |= flag;
29 // Make sure we haven't got any intersection in the set & clear options.
30 DCHECK_EQ(0, set_mask & clear_mask) << flag << ":" << state;
33 namespace {
35 class OpenSSLNetErrorLibSingleton {
36 public:
37 OpenSSLNetErrorLibSingleton() {
38 crypto::EnsureOpenSSLInit();
40 // Allocate a new error library value for inserting net errors into
41 // OpenSSL. This does not register any ERR_STRING_DATA for the errors, so
42 // stringifying error codes through OpenSSL will return NULL.
43 net_error_lib_ = ERR_get_next_error_library();
46 int net_error_lib() const { return net_error_lib_; }
48 private:
49 int net_error_lib_;
52 base::LazyInstance<OpenSSLNetErrorLibSingleton>::Leaky g_openssl_net_error_lib =
53 LAZY_INSTANCE_INITIALIZER;
55 int OpenSSLNetErrorLib() {
56 return g_openssl_net_error_lib.Get().net_error_lib();
59 int MapOpenSSLErrorSSL(uint32_t error_code) {
60 DCHECK_EQ(ERR_LIB_SSL, ERR_GET_LIB(error_code));
62 DVLOG(1) << "OpenSSL SSL error, reason: " << ERR_GET_REASON(error_code)
63 << ", name: " << ERR_error_string(error_code, NULL);
64 switch (ERR_GET_REASON(error_code)) {
65 case SSL_R_READ_TIMEOUT_EXPIRED:
66 return ERR_TIMED_OUT;
67 case SSL_R_UNKNOWN_CERTIFICATE_TYPE:
68 case SSL_R_UNKNOWN_CIPHER_TYPE:
69 case SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE:
70 case SSL_R_UNKNOWN_SSL_VERSION:
71 return ERR_NOT_IMPLEMENTED;
72 case SSL_R_UNSUPPORTED_SSL_VERSION:
73 case SSL_R_NO_CIPHER_MATCH:
74 case SSL_R_NO_SHARED_CIPHER:
75 case SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY:
76 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
77 case SSL_R_UNSUPPORTED_PROTOCOL:
78 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
79 case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
80 case SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE:
81 case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED:
82 case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED:
83 case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
84 case SSL_R_TLSV1_ALERT_ACCESS_DENIED:
85 case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
86 return ERR_BAD_SSL_CLIENT_AUTH_CERT;
87 case SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE:
88 return ERR_SSL_DECOMPRESSION_FAILURE_ALERT;
89 case SSL_R_SSLV3_ALERT_BAD_RECORD_MAC:
90 return ERR_SSL_BAD_RECORD_MAC_ALERT;
91 case SSL_R_TLSV1_ALERT_DECRYPT_ERROR:
92 return ERR_SSL_DECRYPT_ERROR_ALERT;
93 case SSL_R_TLSV1_UNRECOGNIZED_NAME:
94 return ERR_SSL_UNRECOGNIZED_NAME_ALERT;
95 case SSL_R_BAD_DH_P_LENGTH:
96 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY;
97 // SSL_R_UNKNOWN_PROTOCOL is reported if premature application data is
98 // received (see http://crbug.com/42538), and also if all the protocol
99 // versions supported by the server were disabled in this socket instance.
100 // Mapped to ERR_SSL_PROTOCOL_ERROR for compatibility with other SSL sockets
101 // in the former scenario.
102 case SSL_R_UNKNOWN_PROTOCOL:
103 case SSL_R_SSL_HANDSHAKE_FAILURE:
104 case SSL_R_DECRYPTION_FAILED:
105 case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC:
106 case SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG:
107 case SSL_R_DIGEST_CHECK_FAILED:
108 case SSL_R_ENCRYPTED_LENGTH_TOO_LONG:
109 case SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST:
110 case SSL_R_EXCESSIVE_MESSAGE_SIZE:
111 case SSL_R_EXTRA_DATA_IN_MESSAGE:
112 case SSL_R_GOT_A_FIN_BEFORE_A_CCS:
113 case SSL_R_INVALID_COMMAND:
114 case SSL_R_INVALID_TICKET_KEYS_LENGTH:
115 // SSL_do_handshake reports this error when the server responds to a
116 // ClientHello with a fatal close_notify alert.
117 case SSL_R_SSLV3_ALERT_CLOSE_NOTIFY:
118 case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE:
119 case SSL_R_SSLV3_ALERT_NO_CERTIFICATE:
120 case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER:
121 case SSL_R_TLSV1_ALERT_DECODE_ERROR:
122 case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED:
123 case SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION:
124 case SSL_R_TLSV1_ALERT_INTERNAL_ERROR:
125 case SSL_R_TLSV1_ALERT_NO_RENEGOTIATION:
126 case SSL_R_TLSV1_ALERT_RECORD_OVERFLOW:
127 case SSL_R_TLSV1_ALERT_USER_CANCELLED:
128 return ERR_SSL_PROTOCOL_ERROR;
129 case SSL_R_CERTIFICATE_VERIFY_FAILED:
130 // The only way that the certificate verify callback can fail is if
131 // the leaf certificate changed during a renegotiation.
132 return ERR_SSL_SERVER_CERT_CHANGED;
133 case SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK:
134 return ERR_SSL_INAPPROPRIATE_FALLBACK;
135 // SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the server after
136 // receiving ClientHello if there's no common supported cipher. Map that
137 // specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH to match the NSS
138 // implementation. See https://goo.gl/oMtZW and https://crbug.com/446505.
139 case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: {
140 uint32_t previous = ERR_peek_error();
141 if (previous != 0 && ERR_GET_LIB(previous) == ERR_LIB_SSL &&
142 ERR_GET_REASON(previous) == SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO) {
143 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
145 return ERR_SSL_PROTOCOL_ERROR;
147 default:
148 LOG(WARNING) << "Unmapped error reason: " << ERR_GET_REASON(error_code);
149 return ERR_SSL_PROTOCOL_ERROR;
153 scoped_ptr<base::Value> NetLogOpenSSLErrorCallback(
154 int net_error,
155 int ssl_error,
156 const OpenSSLErrorInfo& error_info,
157 NetLogCaptureMode /* capture_mode */) {
158 scoped_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
159 dict->SetInteger("net_error", net_error);
160 dict->SetInteger("ssl_error", ssl_error);
161 if (error_info.error_code != 0) {
162 dict->SetInteger("error_lib", ERR_GET_LIB(error_info.error_code));
163 dict->SetInteger("error_reason", ERR_GET_REASON(error_info.error_code));
165 if (error_info.file != NULL)
166 dict->SetString("file", error_info.file);
167 if (error_info.line != 0)
168 dict->SetInteger("line", error_info.line);
169 return dict.Pass();
172 } // namespace
174 void OpenSSLPutNetError(const tracked_objects::Location& location, int err) {
175 // Net error codes are negative. Encode them as positive numbers.
176 err = -err;
177 if (err < 0 || err > 0xfff) {
178 // OpenSSL reserves 12 bits for the reason code.
179 NOTREACHED();
180 err = ERR_INVALID_ARGUMENT;
182 ERR_put_error(OpenSSLNetErrorLib(), 0, err,
183 location.file_name(), location.line_number());
186 int MapOpenSSLError(int err, const crypto::OpenSSLErrStackTracer& tracer) {
187 OpenSSLErrorInfo error_info;
188 return MapOpenSSLErrorWithDetails(err, tracer, &error_info);
191 int MapOpenSSLErrorWithDetails(int err,
192 const crypto::OpenSSLErrStackTracer& tracer,
193 OpenSSLErrorInfo* out_error_info) {
194 *out_error_info = OpenSSLErrorInfo();
196 switch (err) {
197 case SSL_ERROR_WANT_READ:
198 case SSL_ERROR_WANT_WRITE:
199 return ERR_IO_PENDING;
200 case SSL_ERROR_SYSCALL:
201 LOG(ERROR) << "OpenSSL SYSCALL error, earliest error code in "
202 "error queue: " << ERR_peek_error() << ", errno: "
203 << errno;
204 return ERR_FAILED;
205 case SSL_ERROR_SSL:
206 // Walk down the error stack to find an SSL or net error.
207 uint32_t error_code;
208 const char* file;
209 int line;
210 do {
211 error_code = ERR_get_error_line(&file, &line);
212 if (ERR_GET_LIB(error_code) == ERR_LIB_SSL) {
213 out_error_info->error_code = error_code;
214 out_error_info->file = file;
215 out_error_info->line = line;
216 return MapOpenSSLErrorSSL(error_code);
217 } else if (ERR_GET_LIB(error_code) == OpenSSLNetErrorLib()) {
218 out_error_info->error_code = error_code;
219 out_error_info->file = file;
220 out_error_info->line = line;
221 // Net error codes are negative but encoded in OpenSSL as positive
222 // numbers.
223 return -ERR_GET_REASON(error_code);
225 } while (error_code != 0);
226 return ERR_FAILED;
227 default:
228 // TODO(joth): Implement full mapping.
229 LOG(WARNING) << "Unknown OpenSSL error " << err;
230 return ERR_SSL_PROTOCOL_ERROR;
234 NetLog::ParametersCallback CreateNetLogOpenSSLErrorCallback(
235 int net_error,
236 int ssl_error,
237 const OpenSSLErrorInfo& error_info) {
238 return base::Bind(&NetLogOpenSSLErrorCallback,
239 net_error, ssl_error, error_info);
242 } // namespace net