1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/socket/nss_ssl_util.h"
15 #include "base/bind.h"
17 #include "base/lazy_instance.h"
18 #include "base/logging.h"
19 #include "base/memory/singleton.h"
20 #include "base/threading/thread_restrictions.h"
21 #include "base/values.h"
22 #include "build/build_config.h"
23 #include "crypto/nss_util.h"
24 #include "net/base/net_errors.h"
25 #include "net/base/net_log.h"
26 #include "net/base/nss_memio.h"
29 #include "base/win/windows_version.h"
36 // CiphersRemove takes a zero-terminated array of cipher suite ids in
37 // |to_remove| and sets every instance of them in |ciphers| to zero. It returns
38 // true if it found and removed every element of |to_remove|. It assumes that
39 // there are no duplicates in |ciphers| nor in |to_remove|.
40 bool CiphersRemove(const uint16
* to_remove
, uint16
* ciphers
, size_t num
) {
44 if (to_remove
[i
] == 0)
47 for (size_t j
= 0; j
< num
; j
++) {
48 if (to_remove
[i
] == ciphers
[j
]) {
59 // CiphersCompact takes an array of cipher suite ids in |ciphers|, where some
60 // entries are zero, and moves the entries so that all the non-zero elements
61 // are compacted at the end of the array.
62 void CiphersCompact(uint16
* ciphers
, size_t num
) {
65 for (size_t i
= num
- 1; i
< num
; i
--) {
68 ciphers
[j
--] = ciphers
[i
];
72 // CiphersCopy copies the zero-terminated array |in| to |out|. It returns the
73 // number of cipher suite ids copied.
74 size_t CiphersCopy(const uint16
* in
, uint16
* out
) {
75 for (size_t i
= 0; ; i
++) {
82 base::Value
* NetLogSSLErrorCallback(int net_error
,
84 NetLog::LogLevel
/* log_level */) {
85 base::DictionaryValue
* dict
= new base::DictionaryValue();
86 dict
->SetInteger("net_error", net_error
);
88 dict
->SetInteger("ssl_lib_error", ssl_lib_error
);
92 class NSSSSLInitSingleton
{
94 NSSSSLInitSingleton() : model_fd_(NULL
) {
95 crypto::EnsureNSSInit();
97 NSS_SetDomesticPolicy();
99 const PRUint16
* const ssl_ciphers
= SSL_GetImplementedCiphers();
100 const PRUint16 num_ciphers
= SSL_GetNumImplementedCiphers();
102 // Disable ECDSA cipher suites on platforms that do not support ECDSA
103 // signed certificates, as servers may use the presence of such
104 // ciphersuites as a hint to send an ECDSA certificate.
105 bool disableECDSA
= false;
107 if (base::win::GetVersion() < base::win::VERSION_VISTA
)
111 // Explicitly enable exactly those ciphers with keys of at least 80 bits
112 for (int i
= 0; i
< num_ciphers
; i
++) {
113 SSLCipherSuiteInfo info
;
114 if (SSL_GetCipherSuiteInfo(ssl_ciphers
[i
], &info
,
115 sizeof(info
)) == SECSuccess
) {
116 bool enabled
= info
.effectiveKeyBits
>= 80;
117 if (info
.authAlgorithm
== ssl_auth_ecdsa
&& disableECDSA
)
120 // Trim the list of cipher suites in order to keep the size of the
121 // ClientHello down. DSS, ECDH, CAMELLIA, SEED, ECC+3DES, and
122 // HMAC-SHA256 cipher suites are disabled.
123 if (info
.symCipher
== ssl_calg_camellia
||
124 info
.symCipher
== ssl_calg_seed
||
125 (info
.symCipher
== ssl_calg_3des
&& info
.keaType
!= ssl_kea_rsa
) ||
126 info
.authAlgorithm
== ssl_auth_dsa
||
127 info
.macAlgorithm
== ssl_hmac_sha256
||
129 strcmp(info
.keaTypeName
, "ECDH") == 0) {
133 if (ssl_ciphers
[i
] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA
) {
134 // Enabled to allow servers with only a DSA certificate to function.
137 SSL_CipherPrefSetDefault(ssl_ciphers
[i
], enabled
);
142 SSL_OptionSetDefault(SSL_SECURITY
, PR_TRUE
);
144 // Calculate the order of ciphers that we'll use for NSS sockets. (Note
145 // that, even if a cipher is specified in the ordering, it must still be
146 // enabled in order to be included in a ClientHello.)
148 // Our top preference cipher suites are either forward-secret AES-GCM or
149 // forward-secret ChaCha20-Poly1305. If the local machine has AES-NI then
150 // we prefer AES-GCM, otherwise ChaCha20. The remainder of the cipher suite
151 // preference is inheriented from NSS. */
152 static const uint16 chacha_ciphers
[] = {
153 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
,
154 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
,
157 static const uint16 aes_gcm_ciphers
[] = {
158 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
,
159 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
,
160 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
,
163 scoped_ptr
<uint16
[]> ciphers(new uint16
[num_ciphers
]);
164 memcpy(ciphers
.get(), ssl_ciphers
, sizeof(uint16
)*num_ciphers
);
166 if (CiphersRemove(chacha_ciphers
, ciphers
.get(), num_ciphers
) &&
167 CiphersRemove(aes_gcm_ciphers
, ciphers
.get(), num_ciphers
)) {
168 CiphersCompact(ciphers
.get(), num_ciphers
);
170 const uint16
* preference_ciphers
= chacha_ciphers
;
171 const uint16
* other_ciphers
= aes_gcm_ciphers
;
174 if (cpu
.has_aesni() && cpu
.has_avx()) {
175 preference_ciphers
= aes_gcm_ciphers
;
176 other_ciphers
= chacha_ciphers
;
178 unsigned i
= CiphersCopy(preference_ciphers
, ciphers
.get());
179 CiphersCopy(other_ciphers
, &ciphers
[i
]);
181 if ((model_fd_
= memio_CreateIOLayer(1, 1)) == NULL
||
182 SSL_ImportFD(NULL
, model_fd_
) == NULL
||
184 SSL_CipherOrderSet(model_fd_
, ciphers
.get(), num_ciphers
)) {
193 // All other SSL options are set per-session by SSLClientSocket and
197 PRFileDesc
* GetModelSocket() {
201 ~NSSSSLInitSingleton() {
202 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.
203 SSL_ClearSessionCache();
209 PRFileDesc
* model_fd_
;
212 base::LazyInstance
<NSSSSLInitSingleton
>::Leaky g_nss_ssl_init_singleton
=
213 LAZY_INSTANCE_INITIALIZER
;
215 } // anonymous namespace
217 // Initialize the NSS SSL library if it isn't already initialized. This must
218 // be called before any other NSS SSL functions. This function is
219 // thread-safe, and the NSS SSL library will only ever be initialized once.
220 // The NSS SSL library will be properly shut down on program exit.
221 void EnsureNSSSSLInit() {
222 // Initializing SSL causes us to do blocking IO.
223 // Temporarily allow it until we fix
224 // http://code.google.com/p/chromium/issues/detail?id=59847
225 base::ThreadRestrictions::ScopedAllowIO allow_io
;
227 g_nss_ssl_init_singleton
.Get();
230 PRFileDesc
* GetNSSModelSocket() {
231 return g_nss_ssl_init_singleton
.Get().GetModelSocket();
234 // Map a Chromium net error code to an NSS error code.
235 // See _MD_unix_map_default_error in the NSS source
236 // tree for inspiration.
237 PRErrorCode
MapErrorToNSS(int result
) {
243 return PR_WOULD_BLOCK_ERROR
;
244 case ERR_ACCESS_DENIED
:
245 case ERR_NETWORK_ACCESS_DENIED
:
246 // For connect, this could be mapped to PR_ADDRESS_NOT_SUPPORTED_ERROR.
247 return PR_NO_ACCESS_RIGHTS_ERROR
;
248 case ERR_NOT_IMPLEMENTED
:
249 return PR_NOT_IMPLEMENTED_ERROR
;
250 case ERR_SOCKET_NOT_CONNECTED
:
251 return PR_NOT_CONNECTED_ERROR
;
252 case ERR_INTERNET_DISCONNECTED
: // Equivalent to ENETDOWN.
253 return PR_NETWORK_UNREACHABLE_ERROR
; // Best approximation.
254 case ERR_CONNECTION_TIMED_OUT
:
256 return PR_IO_TIMEOUT_ERROR
;
257 case ERR_CONNECTION_RESET
:
258 return PR_CONNECT_RESET_ERROR
;
259 case ERR_CONNECTION_ABORTED
:
260 return PR_CONNECT_ABORTED_ERROR
;
261 case ERR_CONNECTION_REFUSED
:
262 return PR_CONNECT_REFUSED_ERROR
;
263 case ERR_ADDRESS_UNREACHABLE
:
264 return PR_HOST_UNREACHABLE_ERROR
; // Also PR_NETWORK_UNREACHABLE_ERROR.
265 case ERR_ADDRESS_INVALID
:
266 return PR_ADDRESS_NOT_AVAILABLE_ERROR
;
267 case ERR_NAME_NOT_RESOLVED
:
268 return PR_DIRECTORY_LOOKUP_ERROR
;
270 LOG(WARNING
) << "MapErrorToNSS " << result
271 << " mapped to PR_UNKNOWN_ERROR";
272 return PR_UNKNOWN_ERROR
;
276 // The default error mapping function.
277 // Maps an NSS error code to a network error code.
278 int MapNSSError(PRErrorCode err
) {
279 // TODO(port): fill this out as we learn what's important
281 case PR_WOULD_BLOCK_ERROR
:
282 return ERR_IO_PENDING
;
283 case PR_ADDRESS_NOT_SUPPORTED_ERROR
: // For connect.
284 case PR_NO_ACCESS_RIGHTS_ERROR
:
285 return ERR_ACCESS_DENIED
;
286 case PR_IO_TIMEOUT_ERROR
:
287 return ERR_TIMED_OUT
;
288 case PR_CONNECT_RESET_ERROR
:
289 return ERR_CONNECTION_RESET
;
290 case PR_CONNECT_ABORTED_ERROR
:
291 return ERR_CONNECTION_ABORTED
;
292 case PR_CONNECT_REFUSED_ERROR
:
293 return ERR_CONNECTION_REFUSED
;
294 case PR_NOT_CONNECTED_ERROR
:
295 return ERR_SOCKET_NOT_CONNECTED
;
296 case PR_HOST_UNREACHABLE_ERROR
:
297 case PR_NETWORK_UNREACHABLE_ERROR
:
298 return ERR_ADDRESS_UNREACHABLE
;
299 case PR_ADDRESS_NOT_AVAILABLE_ERROR
:
300 return ERR_ADDRESS_INVALID
;
301 case PR_INVALID_ARGUMENT_ERROR
:
302 return ERR_INVALID_ARGUMENT
;
303 case PR_END_OF_FILE_ERROR
:
304 return ERR_CONNECTION_CLOSED
;
305 case PR_NOT_IMPLEMENTED_ERROR
:
306 return ERR_NOT_IMPLEMENTED
;
308 case SEC_ERROR_LIBRARY_FAILURE
:
309 return ERR_UNEXPECTED
;
310 case SEC_ERROR_INVALID_ARGS
:
311 return ERR_INVALID_ARGUMENT
;
312 case SEC_ERROR_NO_MEMORY
:
313 return ERR_OUT_OF_MEMORY
;
314 case SEC_ERROR_NO_KEY
:
315 return ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY
;
316 case SEC_ERROR_INVALID_KEY
:
317 case SSL_ERROR_SIGN_HASHES_FAILURE
:
318 LOG(ERROR
) << "ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: NSS error " << err
319 << ", OS error " << PR_GetOSError();
320 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED
;
321 // A handshake (initial or renegotiation) may fail because some signature
322 // (for example, the signature in the ServerKeyExchange message for an
323 // ephemeral Diffie-Hellman cipher suite) is invalid.
324 case SEC_ERROR_BAD_SIGNATURE
:
325 return ERR_SSL_PROTOCOL_ERROR
;
327 case SSL_ERROR_SSL_DISABLED
:
328 return ERR_NO_SSL_VERSIONS_ENABLED
;
329 case SSL_ERROR_NO_CYPHER_OVERLAP
:
330 case SSL_ERROR_PROTOCOL_VERSION_ALERT
:
331 case SSL_ERROR_UNSUPPORTED_VERSION
:
332 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH
;
333 case SSL_ERROR_HANDSHAKE_FAILURE_ALERT
:
334 case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT
:
335 case SSL_ERROR_ILLEGAL_PARAMETER_ALERT
:
336 return ERR_SSL_PROTOCOL_ERROR
;
337 case SSL_ERROR_DECOMPRESSION_FAILURE_ALERT
:
338 return ERR_SSL_DECOMPRESSION_FAILURE_ALERT
;
339 case SSL_ERROR_BAD_MAC_ALERT
:
340 return ERR_SSL_BAD_RECORD_MAC_ALERT
;
341 case SSL_ERROR_DECRYPT_ERROR_ALERT
:
342 return ERR_SSL_DECRYPT_ERROR_ALERT
;
343 case SSL_ERROR_UNRECOGNIZED_NAME_ALERT
:
344 return ERR_SSL_UNRECOGNIZED_NAME_ALERT
;
345 case SSL_ERROR_UNSAFE_NEGOTIATION
:
346 return ERR_SSL_UNSAFE_NEGOTIATION
;
347 case SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
:
348 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
;
349 case SSL_ERROR_HANDSHAKE_NOT_COMPLETED
:
350 return ERR_SSL_HANDSHAKE_NOT_COMPLETED
;
351 case SEC_ERROR_BAD_KEY
:
352 case SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE
:
353 // TODO(wtc): the following errors may also occur in contexts unrelated
354 // to the peer's public key. We should add new error codes for them, or
355 // map them to ERR_SSL_BAD_PEER_PUBLIC_KEY only in the right context.
356 // General unsupported/unknown key algorithm error.
357 case SEC_ERROR_UNSUPPORTED_KEYALG
:
358 // General DER decoding errors.
359 case SEC_ERROR_BAD_DER
:
360 case SEC_ERROR_EXTRA_INPUT
:
361 return ERR_SSL_BAD_PEER_PUBLIC_KEY
;
362 // During renegotiation, the server presented a different certificate than
364 case SSL_ERROR_WRONG_CERTIFICATE
:
365 return ERR_SSL_SERVER_CERT_CHANGED
;
366 case SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT
:
367 return ERR_SSL_INAPPROPRIATE_FALLBACK
;
370 const char* err_name
= PR_ErrorToName(err
);
371 if (err_name
== NULL
)
373 if (IS_SSL_ERROR(err
)) {
374 LOG(WARNING
) << "Unknown SSL error " << err
<< " (" << err_name
<< ")"
375 << " mapped to net::ERR_SSL_PROTOCOL_ERROR";
376 return ERR_SSL_PROTOCOL_ERROR
;
378 LOG(WARNING
) << "Unknown error " << err
<< " (" << err_name
<< ")"
379 << " mapped to net::ERR_FAILED";
385 // Returns parameters to attach to the NetLog when we receive an error in
386 // response to a call to an NSS function. Used instead of
387 // NetLogSSLErrorCallback with events of type TYPE_SSL_NSS_ERROR.
388 base::Value
* NetLogSSLFailedNSSFunctionCallback(
389 const char* function
,
392 NetLog::LogLevel
/* log_level */) {
393 base::DictionaryValue
* dict
= new base::DictionaryValue();
394 dict
->SetString("function", function
);
395 if (param
[0] != '\0')
396 dict
->SetString("param", param
);
397 dict
->SetInteger("ssl_lib_error", ssl_lib_error
);
401 void LogFailedNSSFunction(const BoundNetLog
& net_log
,
402 const char* function
,
407 NetLog::TYPE_SSL_NSS_ERROR
,
408 base::Bind(&NetLogSSLFailedNSSFunctionCallback
,
409 function
, param
, PR_GetError()));
412 NetLog::ParametersCallback
CreateNetLogSSLErrorCallback(int net_error
,
414 return base::Bind(&NetLogSSLErrorCallback
, net_error
, ssl_lib_error
);