search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Port Chromium's blink_tests target to GN.
[chromium-blink-merge.git] / net / socket / ssl_client_socket_nss.cc
blob6165b154ebb0dcba2baccd02724169c5a07dff81
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
6 // from AuthCertificateCallback() in
7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
8
9 /* ***** BEGIN LICENSE BLOCK *****
10 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
11 *
12 * The contents of this file are subject to the Mozilla Public License Version
13 * 1.1 (the "License"); you may not use this file except in compliance with
14 * the License. You may obtain a copy of the License at
15 * http://www.mozilla.org/MPL/
16 *
17 * Software distributed under the License is distributed on an "AS IS" basis,
18 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
19 * for the specific language governing rights and limitations under the
20 * License.
21 *
22 * The Original Code is the Netscape security libraries.
23 *
24 * The Initial Developer of the Original Code is
25 * Netscape Communications Corporation.
26 * Portions created by the Initial Developer are Copyright (C) 2000
27 * the Initial Developer. All Rights Reserved.
28 *
29 * Contributor(s):
30 * Ian McGreer <mcgreer@netscape.com>
31 * Javier Delgadillo <javi@netscape.com>
32 * Kai Engert <kengert@redhat.com>
33 *
34 * Alternatively, the contents of this file may be used under the terms of
35 * either the GNU General Public License Version 2 or later (the "GPL"), or
36 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
37 * in which case the provisions of the GPL or the LGPL are applicable instead
38 * of those above. If you wish to allow use of your version of this file only
39 * under the terms of either the GPL or the LGPL, and not to allow others to
40 * use your version of this file under the terms of the MPL, indicate your
41 * decision by deleting the provisions above and replace them with the notice
42 * and other provisions required by the GPL or the LGPL. If you do not delete
43 * the provisions above, a recipient may use your version of this file under
44 * the terms of any one of the MPL, the GPL or the LGPL.
45 *
46 * ***** END LICENSE BLOCK ***** */
47
48 #include "net/socket/ssl_client_socket_nss.h"
49
50 #include <certdb.h>
51 #include <hasht.h>
52 #include <keyhi.h>
53 #include <nspr.h>
54 #include <nss.h>
55 #include <ocsp.h>
56 #include <pk11pub.h>
57 #include <secerr.h>
58 #include <sechash.h>
59 #include <ssl.h>
60 #include <sslerr.h>
61 #include <sslproto.h>
62
63 #include <algorithm>
64 #include <limits>
65 #include <map>
66
67 #include "base/bind.h"
68 #include "base/bind_helpers.h"
69 #include "base/callback_helpers.h"
70 #include "base/compiler_specific.h"
71 #include "base/logging.h"
72 #include "base/metrics/histogram.h"
73 #include "base/single_thread_task_runner.h"
74 #include "base/stl_util.h"
75 #include "base/strings/string_number_conversions.h"
76 #include "base/strings/string_util.h"
77 #include "base/strings/stringprintf.h"
78 #include "base/thread_task_runner_handle.h"
79 #include "base/threading/thread_restrictions.h"
80 #include "base/values.h"
81 #include "crypto/ec_private_key.h"
82 #include "crypto/nss_util.h"
83 #include "crypto/nss_util_internal.h"
84 #include "crypto/rsa_private_key.h"
85 #include "crypto/scoped_nss_types.h"
86 #include "net/base/address_list.h"
87 #include "net/base/dns_util.h"
88 #include "net/base/io_buffer.h"
89 #include "net/base/net_errors.h"
90 #include "net/cert/asn1_util.h"
91 #include "net/cert/cert_policy_enforcer.h"
92 #include "net/cert/cert_status_flags.h"
93 #include "net/cert/cert_verifier.h"
94 #include "net/cert/ct_ev_whitelist.h"
95 #include "net/cert/ct_verifier.h"
96 #include "net/cert/ct_verify_result.h"
97 #include "net/cert/scoped_nss_types.h"
98 #include "net/cert/sct_status_flags.h"
99 #include "net/cert/x509_certificate_net_log_param.h"
100 #include "net/cert/x509_util.h"
101 #include "net/cert_net/nss_ocsp.h"
102 #include "net/http/transport_security_state.h"
103 #include "net/log/net_log.h"
104 #include "net/socket/client_socket_handle.h"
105 #include "net/socket/nss_ssl_util.h"
106 #include "net/ssl/ssl_cert_request_info.h"
107 #include "net/ssl/ssl_cipher_suite_names.h"
108 #include "net/ssl/ssl_connection_status_flags.h"
109 #include "net/ssl/ssl_info.h"
110
111 #if defined(USE_NSS_CERTS)
112 #include <dlfcn.h>
113 #endif
114
115 namespace net {
116
117 // State machines are easier to debug if you log state transitions.
118 // Enable these if you want to see what's going on.
119 #if 1
120 #define EnterFunction(x)
121 #define LeaveFunction(x)
122 #define GotoState(s) next_handshake_state_ = s
123 #else
124 #define EnterFunction(x)\
125 VLOG(1) << (void *)this << " " << __FUNCTION__ << " enter " << x\
126 << "; next_handshake_state " << next_handshake_state_
127 #define LeaveFunction(x)\
128 VLOG(1) << (void *)this << " " << __FUNCTION__ << " leave " << x\
129 << "; next_handshake_state " << next_handshake_state_
130 #define GotoState(s)\
131 do {\
132 VLOG(1) << (void *)this << " " << __FUNCTION__ << " jump to state " << s;\
133 next_handshake_state_ = s;\
134 } while (0)
135 #endif
136
137 #if !defined(CKM_AES_GCM)
138 #define CKM_AES_GCM 0x00001087
139 #endif
140
141 #if !defined(CKM_NSS_CHACHA20_POLY1305)
142 #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26)
143 #endif
144
145 namespace {
146
147 // SSL plaintext fragments are shorter than 16KB. Although the record layer
148 // overhead is allowed to be 2K + 5 bytes, in practice the overhead is much
149 // smaller than 1KB. So a 17KB buffer should be large enough to hold an
150 // entire SSL record.
151 const int kRecvBufferSize = 17 * 1024;
152 const int kSendBufferSize = 17 * 1024;
153
154 // Used by SSLClientSocketNSS::Core to indicate there is no read result
155 // obtained by a previous operation waiting to be returned to the caller.
156 // This constant can be any non-negative/non-zero value (eg: it does not
157 // overlap with any value of the net::Error range, including net::OK).
158 const int kNoPendingReadResult = 1;
159
160 // Helper functions to make it possible to log events from within the
161 // SSLClientSocketNSS::Core.
162 void AddLogEvent(const base::WeakPtr<BoundNetLog>& net_log,
163 NetLog::EventType event_type) {
164 if (!net_log)
165 return;
166 net_log->AddEvent(event_type);
167 }
168
169 // Helper function to make it possible to log events from within the
170 // SSLClientSocketNSS::Core.
171 void AddLogEventWithCallback(const base::WeakPtr<BoundNetLog>& net_log,
172 NetLog::EventType event_type,
173 const NetLog::ParametersCallback& callback) {
174 if (!net_log)
175 return;
176 net_log->AddEvent(event_type, callback);
177 }
178
179 // Helper function to make it easier to call BoundNetLog::AddByteTransferEvent
180 // from within the SSLClientSocketNSS::Core.
181 // AddByteTransferEvent expects to receive a const char*, which within the
182 // Core is backed by an IOBuffer. If the "const char*" is bound via
183 // base::Bind and posted to another thread, and the IOBuffer that backs that
184 // pointer then goes out of scope on the origin thread, this would result in
185 // an invalid read of a stale pointer.
186 // Instead, provide a signature that accepts an IOBuffer*, so that a reference
187 // to the owning IOBuffer can be bound to the Callback. This ensures that the
188 // IOBuffer will stay alive long enough to cross threads if needed.
189 void LogByteTransferEvent(
190 const base::WeakPtr<BoundNetLog>& net_log, NetLog::EventType event_type,
191 int len, IOBuffer* buffer) {
192 if (!net_log)
193 return;
194 net_log->AddByteTransferEvent(event_type, len, buffer->data());
195 }
196
197 // PeerCertificateChain is a helper object which extracts the certificate
198 // chain, as given by the server, from an NSS socket and performs the needed
199 // resource management. The first element of the chain is the leaf certificate
200 // and the other elements are in the order given by the server.
201 class PeerCertificateChain {
202 public:
203 PeerCertificateChain() {}
204 PeerCertificateChain(const PeerCertificateChain& other);
205 ~PeerCertificateChain();
206 PeerCertificateChain& operator=(const PeerCertificateChain& other);
207
208 // Resets the current chain, freeing any resources, and updates the current
209 // chain to be a copy of the chain stored in |nss_fd|.
210 // If |nss_fd| is NULL, then the current certificate chain will be freed.
211 void Reset(PRFileDesc* nss_fd);
212
213 // Returns the current certificate chain as a vector of DER-encoded
214 // base::StringPieces. The returned vector remains valid until Reset is
215 // called.
216 std::vector<base::StringPiece> AsStringPieceVector() const;
217
218 bool empty() const { return certs_.empty(); }
219
220 CERTCertificate* operator[](size_t index) const {
221 DCHECK_LT(index, certs_.size());
222 return certs_[index];
223 }
224
225 private:
226 std::vector<CERTCertificate*> certs_;
227 };
228
229 PeerCertificateChain::PeerCertificateChain(
230 const PeerCertificateChain& other) {
231 *this = other;
232 }
233
234 PeerCertificateChain::~PeerCertificateChain() {
235 Reset(NULL);
236 }
237
238 PeerCertificateChain& PeerCertificateChain::operator=(
239 const PeerCertificateChain& other) {
240 if (this == &other)
241 return *this;
242
243 Reset(NULL);
244 certs_.reserve(other.certs_.size());
245 for (size_t i = 0; i < other.certs_.size(); ++i)
246 certs_.push_back(CERT_DupCertificate(other.certs_[i]));
247
248 return *this;
249 }
250
251 void PeerCertificateChain::Reset(PRFileDesc* nss_fd) {
252 for (size_t i = 0; i < certs_.size(); ++i)
253 CERT_DestroyCertificate(certs_[i]);
254 certs_.clear();
255
256 if (nss_fd == NULL)
257 return;
258
259 CERTCertList* list = SSL_PeerCertificateChain(nss_fd);
260 // The handshake on |nss_fd| may not have completed.
261 if (list == NULL)
262 return;
263
264 for (CERTCertListNode* node = CERT_LIST_HEAD(list);
265 !CERT_LIST_END(node, list); node = CERT_LIST_NEXT(node)) {
266 certs_.push_back(CERT_DupCertificate(node->cert));
267 }
268 CERT_DestroyCertList(list);
269 }
270
271 std::vector<base::StringPiece>
272 PeerCertificateChain::AsStringPieceVector() const {
273 std::vector<base::StringPiece> v(certs_.size());
274 for (unsigned i = 0; i < certs_.size(); i++) {
275 v[i] = base::StringPiece(
276 reinterpret_cast<const char*>(certs_[i]->derCert.data),
277 certs_[i]->derCert.len);
278 }
279
280 return v;
281 }
282
283 // HandshakeState is a helper struct used to pass handshake state between
284 // the NSS task runner and the network task runner.
285 //
286 // It contains members that may be read or written on the NSS task runner,
287 // but which also need to be read from the network task runner. The NSS task
288 // runner will notify the network task runner whenever this state changes, so
289 // that the network task runner can safely make a copy, which avoids the need
290 // for locking.
291 struct HandshakeState {
292 HandshakeState() { Reset(); }
293
294 void Reset() {
295 next_proto_status = SSLClientSocket::kNextProtoUnsupported;
296 next_proto.clear();
297 negotiation_extension_ = SSLClientSocket::kExtensionUnknown;
298 channel_id_sent = false;
299 server_cert_chain.Reset(NULL);
300 server_cert = NULL;
301 sct_list_from_tls_extension.clear();
302 stapled_ocsp_response.clear();
303 resumed_handshake = false;
304 ssl_connection_status = 0;
305 }
306
307 // Set to kNextProtoNegotiated if NPN was successfully negotiated, with the
308 // negotiated protocol stored in |next_proto|.
309 SSLClientSocket::NextProtoStatus next_proto_status;
310 std::string next_proto;
311
312 // TLS extension used for protocol negotiation.
313 SSLClientSocket::SSLNegotiationExtension negotiation_extension_;
314
315 // True if a channel ID was sent.
316 bool channel_id_sent;
317
318 // List of DER-encoded X.509 DistinguishedName of certificate authorities
319 // allowed by the server.
320 std::vector<std::string> cert_authorities;
321
322 // Set when the handshake fully completes.
323 //
324 // The server certificate is first received from NSS as an NSS certificate
325 // chain (|server_cert_chain|) and then converted into a platform-specific
326 // X509Certificate object (|server_cert|). It's possible for some
327 // certificates to be successfully parsed by NSS, and not by the platform
328 // libraries (i.e.: when running within a sandbox, different parsing
329 // algorithms, etc), so it's not safe to assume that |server_cert| will
330 // always be non-NULL.
331 PeerCertificateChain server_cert_chain;
332 scoped_refptr<X509Certificate> server_cert;
333 // SignedCertificateTimestampList received via TLS extension (RFC 6962).
334 std::string sct_list_from_tls_extension;
335 // Stapled OCSP response received.
336 std::string stapled_ocsp_response;
337
338 // True if the current handshake was the result of TLS session resumption.
339 bool resumed_handshake;
340
341 // The negotiated security parameters (TLS version, cipher, extensions) of
342 // the SSL connection.
343 int ssl_connection_status;
344 };
345
346 // Client-side error mapping functions.
347
348 // Map NSS error code to network error code.
349 int MapNSSClientError(PRErrorCode err) {
350 switch (err) {
351 case SSL_ERROR_BAD_CERT_ALERT:
352 case SSL_ERROR_UNSUPPORTED_CERT_ALERT:
353 case SSL_ERROR_REVOKED_CERT_ALERT:
354 case SSL_ERROR_EXPIRED_CERT_ALERT:
355 case SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT:
356 case SSL_ERROR_UNKNOWN_CA_ALERT:
357 case SSL_ERROR_ACCESS_DENIED_ALERT:
358 return ERR_BAD_SSL_CLIENT_AUTH_CERT;
359 default:
360 return MapNSSError(err);
361 }
362 }
363
364 } // namespace
365
366 // SSLClientSocketNSS::Core provides a thread-safe, ref-counted core that is
367 // able to marshal data between NSS functions and an underlying transport
368 // socket.
369 //
370 // All public functions are meant to be called from the network task runner,
371 // and any callbacks supplied will be invoked there as well, provided that
372 // Detach() has not been called yet.
373 //
374 /////////////////////////////////////////////////////////////////////////////
375 //
376 // Threading within SSLClientSocketNSS and SSLClientSocketNSS::Core:
377 //
378 // Because NSS may block on either hardware or user input during operations
379 // such as signing, creating certificates, or locating private keys, the Core
380 // handles all of the interactions with the underlying NSS SSL socket, so
381 // that these blocking calls can be executed on a dedicated task runner.
382 //
383 // Note that the network task runner and the NSS task runner may be executing
384 // on the same thread. If that happens, then it's more performant to try to
385 // complete as much work as possible synchronously, even if it might block,
386 // rather than continually PostTask-ing to the same thread.
387 //
388 // Because NSS functions should only be called on the NSS task runner, while
389 // I/O resources should only be accessed on the network task runner, most
390 // public functions are implemented via three methods, each with different
391 // task runner affinities.
392 //
393 // In the single-threaded mode (where the network and NSS task runners run on
394 // the same thread), these are all attempted synchronously, while in the
395 // multi-threaded mode, message passing is used.
396 //
397 // 1) NSS Task Runner: Execute NSS function (DoPayloadRead, DoPayloadWrite,
398 // DoHandshake)
399 // 2) NSS Task Runner: Prepare data to go from NSS to an IO function:
400 // (BufferRecv, BufferSend)
401 // 3) Network Task Runner: Perform IO on that data (DoBufferRecv,
402 // DoBufferSend, DoGetChannelID, OnGetChannelIDComplete)
403 // 4) Both Task Runners: Callback for asynchronous completion or to marshal
404 // data from the network task runner back to NSS (BufferRecvComplete,
405 // BufferSendComplete, OnHandshakeIOComplete)
406 //
407 /////////////////////////////////////////////////////////////////////////////
408 // Single-threaded example
409 //
410 // |--------------------------Network Task Runner--------------------------|
411 // SSLClientSocketNSS Core (Transport Socket)
412 // Read()
413 // |-------------------------V
414 // Read()
415 // |
416 // DoPayloadRead()
417 // |
418 // BufferRecv()
419 // |
420 // DoBufferRecv()
421 // |-------------------------V
422 // Read()
423 // V-------------------------|
424 // BufferRecvComplete()
425 // |
426 // PostOrRunCallback()
427 // V-------------------------|
428 // (Read Callback)
429 //
430 /////////////////////////////////////////////////////////////////////////////
431 // Multi-threaded example:
432 //
433 // |--------------------Network Task Runner-------------|--NSS Task Runner--|
434 // SSLClientSocketNSS Core Socket Core
435 // Read()
436 // |---------------------V
437 // Read()
438 // |-------------------------------V
439 // Read()
440 // |
441 // DoPayloadRead()
442 // |
443 // BufferRecv
444 // V-------------------------------|
445 // DoBufferRecv
446 // |----------------V
447 // Read()
448 // V----------------|
449 // BufferRecvComplete()
450 // |-------------------------------V
451 // BufferRecvComplete()
452 // |
453 // PostOrRunCallback()
454 // V-------------------------------|
455 // PostOrRunCallback()
456 // V---------------------|
457 // (Read Callback)
458 //
459 /////////////////////////////////////////////////////////////////////////////
460 class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> {
461 public:
462 // Creates a new Core.
463 //
464 // Any calls to NSS are executed on the |nss_task_runner|, while any calls
465 // that need to operate on the underlying transport, net log, or server
466 // bound certificate fetching will happen on the |network_task_runner|, so
467 // that their lifetimes match that of the owning SSLClientSocketNSS.
468 //
469 // The caller retains ownership of |transport|, |net_log|, and
470 // |channel_id_service|, and they will not be accessed once Detach()
471 // has been called.
472 Core(base::SequencedTaskRunner* network_task_runner,
473 base::SequencedTaskRunner* nss_task_runner,
474 ClientSocketHandle* transport,
475 const HostPortPair& host_and_port,
476 const SSLConfig& ssl_config,
477 BoundNetLog* net_log,
478 ChannelIDService* channel_id_service);
479
480 // Called on the network task runner.
481 // Transfers ownership of |socket|, an NSS SSL socket, and |buffers|, the
482 // underlying memio implementation, to the Core. Returns true if the Core
483 // was successfully registered with the socket.
484 bool Init(PRFileDesc* socket, memio_Private* buffers);
485
486 // Called on the network task runner.
487 //
488 // Attempts to perform an SSL handshake. If the handshake cannot be
489 // completed synchronously, returns ERR_IO_PENDING, invoking |callback| on
490 // the network task runner once the handshake has completed. Otherwise,
491 // returns OK on success or a network error code on failure.
492 int Connect(const CompletionCallback& callback);
493
494 // Called on the network task runner.
495 // Signals that the resources owned by the network task runner are going
496 // away. No further callbacks will be invoked on the network task runner.
497 // May be called at any time.
498 void Detach();
499
500 // Called on the network task runner.
501 // Returns the current state of the underlying SSL socket. May be called at
502 // any time.
503 const HandshakeState& state() const { return network_handshake_state_; }
504
505 // Called on the network task runner.
506 // Read() and Write() mirror the net::Socket functions of the same name.
507 // If ERR_IO_PENDING is returned, |callback| will be invoked on the network
508 // task runner at a later point, unless the caller calls Detach().
509 int Read(IOBuffer* buf, int buf_len, const CompletionCallback& callback);
510 int Write(IOBuffer* buf, int buf_len, const CompletionCallback& callback);
511
512 // Called on the network task runner.
513 bool IsConnected() const;
514 bool HasPendingAsyncOperation() const;
515 bool HasUnhandledReceivedData() const;
516 bool WasEverUsed() const;
517
518 // Called on the network task runner.
519 // Causes the associated SSL/TLS session ID to be added to NSS's session
520 // cache, but only if the connection has not been False Started.
521 //
522 // This should only be called after the server's certificate has been
523 // verified, and may not be called within an NSS callback.
524 void CacheSessionIfNecessary();
525
526 private:
527 friend class base::RefCountedThreadSafe<Core>;
528 ~Core();
529
530 enum State {
531 STATE_NONE,
532 STATE_HANDSHAKE,
533 STATE_GET_DOMAIN_BOUND_CERT_COMPLETE,
534 };
535
536 bool OnNSSTaskRunner() const;
537 bool OnNetworkTaskRunner() const;
538
539 ////////////////////////////////////////////////////////////////////////////
540 // Methods that are ONLY called on the NSS task runner:
541 ////////////////////////////////////////////////////////////////////////////
542
543 // Called by NSS during full handshakes to allow the application to
544 // verify the certificate. Instead of verifying the certificate in the midst
545 // of the handshake, SECSuccess is always returned and the peer's certificate
546 // is verified afterwards.
547 // This behaviour is an artifact of the original SSLClientSocketWin
548 // implementation, which could not verify the peer's certificate until after
549 // the handshake had completed, as well as bugs in NSS that prevent
550 // SSL_RestartHandshakeAfterCertReq from working.
551 static SECStatus OwnAuthCertHandler(void* arg,
552 PRFileDesc* socket,
553 PRBool checksig,
554 PRBool is_server);
555
556 // Callbacks called by NSS when the peer requests client certificate
557 // authentication.
558 // See the documentation in third_party/nss/ssl/ssl.h for the meanings of
559 // the arguments.
560 static SECStatus ClientAuthHandler(void* arg,
561 PRFileDesc* socket,
562 CERTDistNames* ca_names,
563 CERTCertificate** result_certificate,
564 SECKEYPrivateKey** result_private_key);
565
566 // Called by NSS to determine if we can False Start.
567 // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
568 static SECStatus CanFalseStartCallback(PRFileDesc* socket,
569 void* arg,
570 PRBool* can_false_start);
571
572 // Called by NSS once the handshake has completed.
573 // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
574 static void HandshakeCallback(PRFileDesc* socket, void* arg);
575
576 // Called once the handshake has succeeded.
577 void HandshakeSucceeded();
578
579 // Handles an NSS error generated while handshaking or performing IO.
580 // Returns a network error code mapped from the original NSS error.
581 int HandleNSSError(PRErrorCode error);
582
583 int DoHandshakeLoop(int last_io_result);
584 int DoReadLoop(int result);
585 int DoWriteLoop(int result);
586
587 int DoHandshake();
588 int DoGetDBCertComplete(int result);
589
590 int DoPayloadRead();
591 int DoPayloadWrite();
592
593 bool DoTransportIO();
594 int BufferRecv();
595 int BufferSend();
596
597 void OnRecvComplete(int result);
598 void OnSendComplete(int result);
599
600 void DoConnectCallback(int result);
601 void DoReadCallback(int result);
602 void DoWriteCallback(int result);
603
604 // Client channel ID handler.
605 static SECStatus ClientChannelIDHandler(
606 void* arg,
607 PRFileDesc* socket,
608 SECKEYPublicKey **out_public_key,
609 SECKEYPrivateKey **out_private_key);
610
611 // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and
612 // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success
613 // and an error code otherwise.
614 // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been
615 // set by a call to ChannelIDService->GetChannelID. The caller
616 // takes ownership of the |*cert| and |*key|.
617 int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key);
618
619 // Updates the NSS and platform specific certificates.
620 void UpdateServerCert();
621 // Update the nss_handshake_state_ with the SignedCertificateTimestampList
622 // received in the handshake via a TLS extension.
623 void UpdateSignedCertTimestamps();
624 // Update the OCSP response cache with the stapled response received in the
625 // handshake, and update nss_handshake_state_ with
626 // the SignedCertificateTimestampList received in the stapled OCSP response.
627 void UpdateStapledOCSPResponse();
628 // Updates the nss_handshake_state_ with the negotiated security parameters.
629 void UpdateConnectionStatus();
630 // Record histograms for channel id support during full handshakes - resumed
631 // handshakes are ignored.
632 void RecordChannelIDSupportOnNSSTaskRunner();
633 // UpdateNextProto gets any application-layer protocol that may have been
634 // negotiated by the TLS connection.
635 void UpdateNextProto();
636 // Record TLS extension used for protocol negotiation (NPN or ALPN).
637 void UpdateExtensionUsed();
638
639 ////////////////////////////////////////////////////////////////////////////
640 // Methods that are ONLY called on the network task runner:
641 ////////////////////////////////////////////////////////////////////////////
642 int DoBufferRecv(IOBuffer* buffer, int len);
643 int DoBufferSend(IOBuffer* buffer, int len);
644 int DoGetChannelID(const std::string& host);
645
646 void OnGetChannelIDComplete(int result);
647 void OnHandshakeStateUpdated(const HandshakeState& state);
648 void OnNSSBufferUpdated(int amount_in_read_buffer);
649 void DidNSSRead(int result);
650 void DidNSSWrite(int result);
651 void RecordChannelIDSupportOnNetworkTaskRunner(
652 bool negotiated_channel_id,
653 bool channel_id_enabled,
654 bool supports_ecc) const;
655
656 ////////////////////////////////////////////////////////////////////////////
657 // Methods that are called on both the network task runner and the NSS
658 // task runner.
659 ////////////////////////////////////////////////////////////////////////////
660 void OnHandshakeIOComplete(int result);
661 void BufferRecvComplete(IOBuffer* buffer, int result);
662 void BufferSendComplete(int result);
663
664 // PostOrRunCallback is a helper function to ensure that |callback| is
665 // invoked on the network task runner, but only if Detach() has not yet
666 // been called.
667 void PostOrRunCallback(const tracked_objects::Location& location,
668 const base::Closure& callback);
669
670 // Uses PostOrRunCallback and |weak_net_log_| to try and log a
671 // SSL_CLIENT_CERT_PROVIDED event, with the indicated count.
672 void AddCertProvidedEvent(int cert_count);
673
674 // Sets the handshake state |channel_id_sent| flag and logs the
675 // SSL_CHANNEL_ID_PROVIDED event.
676 void SetChannelIDProvided();
677
678 ////////////////////////////////////////////////////////////////////////////
679 // Members that are ONLY accessed on the network task runner:
680 ////////////////////////////////////////////////////////////////////////////
681
682 // True if the owning SSLClientSocketNSS has called Detach(). No further
683 // callbacks will be invoked nor access to members owned by the network
684 // task runner.
685 bool detached_;
686
687 // The underlying transport to use for network IO.
688 ClientSocketHandle* transport_;
689 base::WeakPtrFactory<BoundNetLog> weak_net_log_factory_;
690
691 // The current handshake state. Mirrors |nss_handshake_state_|.
692 HandshakeState network_handshake_state_;
693
694 // The service for retrieving Channel ID keys. May be NULL.
695 ChannelIDService* channel_id_service_;
696 ChannelIDService::RequestHandle domain_bound_cert_request_handle_;
697
698 // The information about NSS task runner.
699 int unhandled_buffer_size_;
700 bool nss_waiting_read_;
701 bool nss_waiting_write_;
702 bool nss_is_closed_;
703
704 // Set when Read() or Write() successfully reads or writes data to or from the
705 // network.
706 bool was_ever_used_;
707
708 ////////////////////////////////////////////////////////////////////////////
709 // Members that are ONLY accessed on the NSS task runner:
710 ////////////////////////////////////////////////////////////////////////////
711 HostPortPair host_and_port_;
712 SSLConfig ssl_config_;
713
714 // NSS SSL socket.
715 PRFileDesc* nss_fd_;
716
717 // Buffers for the network end of the SSL state machine
718 memio_Private* nss_bufs_;
719
720 // Used by DoPayloadRead() when attempting to fill the caller's buffer with
721 // as much data as possible, without blocking.
722 // If DoPayloadRead() encounters an error after having read some data, stores
723 // the results to return on the *next* call to DoPayloadRead(). A value of
724 // kNoPendingReadResult indicates there is no pending result, otherwise 0
725 // indicates EOF and < 0 indicates an error.
726 int pending_read_result_;
727 // Contains the previously observed NSS error. Only valid when
728 // pending_read_result_ != kNoPendingReadResult.
729 PRErrorCode pending_read_nss_error_;
730
731 // The certificate chain, in DER form, that is expected to be received from
732 // the server.
733 std::vector<std::string> predicted_certs_;
734
735 State next_handshake_state_;
736
737 // True if channel ID extension was negotiated.
738 bool channel_id_xtn_negotiated_;
739 // True if the handshake state machine was interrupted for channel ID.
740 bool channel_id_needed_;
741 // True if the handshake state machine was interrupted for client auth.
742 bool client_auth_cert_needed_;
743 // True if NSS has False Started.
744 bool false_started_;
745 // True if NSS has called HandshakeCallback.
746 bool handshake_callback_called_;
747
748 HandshakeState nss_handshake_state_;
749
750 bool transport_recv_busy_;
751 bool transport_recv_eof_;
752 bool transport_send_busy_;
753
754 // Used by Read function.
755 scoped_refptr<IOBuffer> user_read_buf_;
756 int user_read_buf_len_;
757
758 // Used by Write function.
759 scoped_refptr<IOBuffer> user_write_buf_;
760 int user_write_buf_len_;
761
762 CompletionCallback user_connect_callback_;
763 CompletionCallback user_read_callback_;
764 CompletionCallback user_write_callback_;
765
766 ////////////////////////////////////////////////////////////////////////////
767 // Members that are accessed on both the network task runner and the NSS
768 // task runner.
769 ////////////////////////////////////////////////////////////////////////////
770 scoped_refptr<base::SequencedTaskRunner> network_task_runner_;
771 scoped_refptr<base::SequencedTaskRunner> nss_task_runner_;
772
773 // Dereferenced only on the network task runner, but bound to tasks destined
774 // for the network task runner from the NSS task runner.
775 base::WeakPtr<BoundNetLog> weak_net_log_;
776
777 // Written on the network task runner by the |channel_id_service_|,
778 // prior to invoking OnHandshakeIOComplete.
779 // Read on the NSS task runner when once OnHandshakeIOComplete is invoked
780 // on the NSS task runner.
781 std::string domain_bound_private_key_;
782 std::string domain_bound_cert_;
783
784 DISALLOW_COPY_AND_ASSIGN(Core);
785 };
786
787 SSLClientSocketNSS::Core::Core(
788 base::SequencedTaskRunner* network_task_runner,
789 base::SequencedTaskRunner* nss_task_runner,
790 ClientSocketHandle* transport,
791 const HostPortPair& host_and_port,
792 const SSLConfig& ssl_config,
793 BoundNetLog* net_log,
794 ChannelIDService* channel_id_service)
795 : detached_(false),
796 transport_(transport),
797 weak_net_log_factory_(net_log),
798 channel_id_service_(channel_id_service),
799 unhandled_buffer_size_(0),
800 nss_waiting_read_(false),
801 nss_waiting_write_(false),
802 nss_is_closed_(false),
803 was_ever_used_(false),
804 host_and_port_(host_and_port),
805 ssl_config_(ssl_config),
806 nss_fd_(NULL),
807 nss_bufs_(NULL),
808 pending_read_result_(kNoPendingReadResult),
809 pending_read_nss_error_(0),
810 next_handshake_state_(STATE_NONE),
811 channel_id_xtn_negotiated_(false),
812 channel_id_needed_(false),
813 client_auth_cert_needed_(false),
814 false_started_(false),
815 handshake_callback_called_(false),
816 transport_recv_busy_(false),
817 transport_recv_eof_(false),
818 transport_send_busy_(false),
819 user_read_buf_len_(0),
820 user_write_buf_len_(0),
821 network_task_runner_(network_task_runner),
822 nss_task_runner_(nss_task_runner),
823 weak_net_log_(weak_net_log_factory_.GetWeakPtr()) {
824 }
825
826 SSLClientSocketNSS::Core::~Core() {
827 // TODO(wtc): Send SSL close_notify alert.
828 if (nss_fd_ != NULL) {
829 PR_Close(nss_fd_);
830 nss_fd_ = NULL;
831 }
832 nss_bufs_ = NULL;
833 }
834
835 bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
836 memio_Private* buffers) {
837 DCHECK(OnNetworkTaskRunner());
838 DCHECK(!nss_fd_);
839 DCHECK(!nss_bufs_);
840
841 nss_fd_ = socket;
842 nss_bufs_ = buffers;
843
844 SECStatus rv = SECSuccess;
845
846 if (!ssl_config_.next_protos.empty()) {
847 // TODO(bnc): Check ssl_config_.disabled_cipher_suites.
848 const bool adequate_encryption =
849 PK11_TokenExists(CKM_AES_GCM) ||
850 PK11_TokenExists(CKM_NSS_CHACHA20_POLY1305);
851 const bool adequate_key_agreement = PK11_TokenExists(CKM_DH_PKCS_DERIVE) ||
852 PK11_TokenExists(CKM_ECDH1_DERIVE);
853 std::vector<uint8_t> wire_protos =
854 SerializeNextProtos(ssl_config_.next_protos,
855 adequate_encryption && adequate_key_agreement &&
856 IsTLSVersionAdequateForHTTP2(ssl_config_));
857 rv = SSL_SetNextProtoNego(
858 nss_fd_, wire_protos.empty() ? NULL : &wire_protos[0],
859 wire_protos.size());
860 if (rv != SECSuccess)
861 LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", "");
862 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE);
863 if (rv != SECSuccess)
864 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN");
865 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE);
866 if (rv != SECSuccess)
867 LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_NPN");
868 }
869
870 rv = SSL_AuthCertificateHook(
871 nss_fd_, SSLClientSocketNSS::Core::OwnAuthCertHandler, this);
872 if (rv != SECSuccess) {
873 LogFailedNSSFunction(*weak_net_log_, "SSL_AuthCertificateHook", "");
874 return false;
875 }
876
877 rv = SSL_GetClientAuthDataHook(
878 nss_fd_, SSLClientSocketNSS::Core::ClientAuthHandler, this);
879 if (rv != SECSuccess) {
880 LogFailedNSSFunction(*weak_net_log_, "SSL_GetClientAuthDataHook", "");
881 return false;
882 }
883
884 if (IsChannelIDEnabled(ssl_config_, channel_id_service_)) {
885 rv = SSL_SetClientChannelIDCallback(
886 nss_fd_, SSLClientSocketNSS::Core::ClientChannelIDHandler, this);
887 if (rv != SECSuccess) {
888 LogFailedNSSFunction(
889 *weak_net_log_, "SSL_SetClientChannelIDCallback", "");
890 }
891 }
892
893 rv = SSL_SetCanFalseStartCallback(
894 nss_fd_, SSLClientSocketNSS::Core::CanFalseStartCallback, this);
895 if (rv != SECSuccess) {
896 LogFailedNSSFunction(*weak_net_log_, "SSL_SetCanFalseStartCallback", "");
897 return false;
898 }
899
900 rv = SSL_HandshakeCallback(
901 nss_fd_, SSLClientSocketNSS::Core::HandshakeCallback, this);
902 if (rv != SECSuccess) {
903 LogFailedNSSFunction(*weak_net_log_, "SSL_HandshakeCallback", "");
904 return false;
905 }
906
907 return true;
908 }
909
910 int SSLClientSocketNSS::Core::Connect(const CompletionCallback& callback) {
911 if (!OnNSSTaskRunner()) {
912 DCHECK(!detached_);
913 bool posted = nss_task_runner_->PostTask(
914 FROM_HERE,
915 base::Bind(IgnoreResult(&Core::Connect), this, callback));
916 return posted ? ERR_IO_PENDING : ERR_ABORTED;
917 }
918
919 DCHECK(OnNSSTaskRunner());
920 DCHECK_EQ(STATE_NONE, next_handshake_state_);
921 DCHECK(user_read_callback_.is_null());
922 DCHECK(user_write_callback_.is_null());
923 DCHECK(user_connect_callback_.is_null());
924 DCHECK(!user_read_buf_.get());
925 DCHECK(!user_write_buf_.get());
926
927 next_handshake_state_ = STATE_HANDSHAKE;
928 int rv = DoHandshakeLoop(OK);
929 if (rv == ERR_IO_PENDING) {
930 user_connect_callback_ = callback;
931 } else if (rv > OK) {
932 rv = OK;
933 }
934 if (rv != ERR_IO_PENDING && !OnNetworkTaskRunner()) {
935 PostOrRunCallback(FROM_HERE, base::Bind(callback, rv));
936 return ERR_IO_PENDING;
937 }
938
939 return rv;
940 }
941
942 void SSLClientSocketNSS::Core::Detach() {
943 DCHECK(OnNetworkTaskRunner());
944
945 detached_ = true;
946 transport_ = NULL;
947 weak_net_log_factory_.InvalidateWeakPtrs();
948
949 network_handshake_state_.Reset();
950
951 domain_bound_cert_request_handle_.Cancel();
952 }
953
954 int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len,
955 const CompletionCallback& callback) {
956 if (!OnNSSTaskRunner()) {
957 DCHECK(OnNetworkTaskRunner());
958 DCHECK(!detached_);
959 DCHECK(transport_);
960 DCHECK(!nss_waiting_read_);
961
962 nss_waiting_read_ = true;
963 bool posted = nss_task_runner_->PostTask(
964 FROM_HERE,
965 base::Bind(IgnoreResult(&Core::Read), this, make_scoped_refptr(buf),
966 buf_len, callback));
967 if (!posted) {
968 nss_is_closed_ = true;
969 nss_waiting_read_ = false;
970 }
971 return posted ? ERR_IO_PENDING : ERR_ABORTED;
972 }
973
974 DCHECK(OnNSSTaskRunner());
975 DCHECK(false_started_ || handshake_callback_called_);
976 DCHECK_EQ(STATE_NONE, next_handshake_state_);
977 DCHECK(user_read_callback_.is_null());
978 DCHECK(user_connect_callback_.is_null());
979 DCHECK(!user_read_buf_.get());
980 DCHECK(nss_bufs_);
981
982 user_read_buf_ = buf;
983 user_read_buf_len_ = buf_len;
984
985 int rv = DoReadLoop(OK);
986 if (rv == ERR_IO_PENDING) {
987 if (OnNetworkTaskRunner())
988 nss_waiting_read_ = true;
989 user_read_callback_ = callback;
990 } else {
991 user_read_buf_ = NULL;
992 user_read_buf_len_ = 0;
993
994 if (!OnNetworkTaskRunner()) {
995 PostOrRunCallback(FROM_HERE, base::Bind(&Core::DidNSSRead, this, rv));
996 PostOrRunCallback(FROM_HERE, base::Bind(callback, rv));
997 return ERR_IO_PENDING;
998 } else {
999 DCHECK(!nss_waiting_read_);
1000 if (rv <= 0) {
1001 nss_is_closed_ = true;
1002 } else {
1003 was_ever_used_ = true;
1004 }
1005 }
1006 }
1007
1008 return rv;
1009 }
1010
1011 int SSLClientSocketNSS::Core::Write(IOBuffer* buf, int buf_len,
1012 const CompletionCallback& callback) {
1013 if (!OnNSSTaskRunner()) {
1014 DCHECK(OnNetworkTaskRunner());
1015 DCHECK(!detached_);
1016 DCHECK(transport_);
1017 DCHECK(!nss_waiting_write_);
1018
1019 nss_waiting_write_ = true;
1020 bool posted = nss_task_runner_->PostTask(
1021 FROM_HERE,
1022 base::Bind(IgnoreResult(&Core::Write), this, make_scoped_refptr(buf),
1023 buf_len, callback));
1024 if (!posted) {
1025 nss_is_closed_ = true;
1026 nss_waiting_write_ = false;
1027 }
1028 return posted ? ERR_IO_PENDING : ERR_ABORTED;
1029 }
1030
1031 DCHECK(OnNSSTaskRunner());
1032 DCHECK(false_started_ || handshake_callback_called_);
1033 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1034 DCHECK(user_write_callback_.is_null());
1035 DCHECK(user_connect_callback_.is_null());
1036 DCHECK(!user_write_buf_.get());
1037 DCHECK(nss_bufs_);
1038
1039 user_write_buf_ = buf;
1040 user_write_buf_len_ = buf_len;
1041
1042 int rv = DoWriteLoop(OK);
1043 if (rv == ERR_IO_PENDING) {
1044 if (OnNetworkTaskRunner())
1045 nss_waiting_write_ = true;
1046 user_write_callback_ = callback;
1047 } else {
1048 user_write_buf_ = NULL;
1049 user_write_buf_len_ = 0;
1050
1051 if (!OnNetworkTaskRunner()) {
1052 PostOrRunCallback(FROM_HERE, base::Bind(&Core::DidNSSWrite, this, rv));
1053 PostOrRunCallback(FROM_HERE, base::Bind(callback, rv));
1054 return ERR_IO_PENDING;
1055 } else {
1056 DCHECK(!nss_waiting_write_);
1057 if (rv < 0) {
1058 nss_is_closed_ = true;
1059 } else if (rv > 0) {
1060 was_ever_used_ = true;
1061 }
1062 }
1063 }
1064
1065 return rv;
1066 }
1067
1068 bool SSLClientSocketNSS::Core::IsConnected() const {
1069 DCHECK(OnNetworkTaskRunner());
1070 return !nss_is_closed_;
1071 }
1072
1073 bool SSLClientSocketNSS::Core::HasPendingAsyncOperation() const {
1074 DCHECK(OnNetworkTaskRunner());
1075 return nss_waiting_read_ || nss_waiting_write_;
1076 }
1077
1078 bool SSLClientSocketNSS::Core::HasUnhandledReceivedData() const {
1079 DCHECK(OnNetworkTaskRunner());
1080 return unhandled_buffer_size_ != 0;
1081 }
1082
1083 bool SSLClientSocketNSS::Core::WasEverUsed() const {
1084 DCHECK(OnNetworkTaskRunner());
1085 return was_ever_used_;
1086 }
1087
1088 void SSLClientSocketNSS::Core::CacheSessionIfNecessary() {
1089 // TODO(rsleevi): This should occur on the NSS task runner, due to the use of
1090 // nss_fd_. However, it happens on the network task runner in order to match
1091 // the buggy behavior of ExportKeyingMaterial.
1092 //
1093 // Once http://crbug.com/330360 is fixed, this should be moved to an
1094 // implementation that exclusively does this work on the NSS TaskRunner. This
1095 // is "safe" because it is only called during the certificate verification
1096 // state machine of the main socket, which is safe because no underlying
1097 // transport IO will be occuring in that state, and NSS will not be blocking
1098 // on any PKCS#11 related locks that might block the Network TaskRunner.
1099 DCHECK(OnNetworkTaskRunner());
1100
1101 // Only cache the session if the connection was not False Started, because
1102 // sessions should only be cached *after* the peer's Finished message is
1103 // processed.
1104 // In the case of False Start, the session will be cached once the
1105 // HandshakeCallback is called, which signals the receipt and processing of
1106 // the Finished message, and which will happen during a call to
1107 // PR_Read/PR_Write.
1108 if (!false_started_)
1109 SSL_CacheSession(nss_fd_);
1110 }
1111
1112 bool SSLClientSocketNSS::Core::OnNSSTaskRunner() const {
1113 return nss_task_runner_->RunsTasksOnCurrentThread();
1114 }
1115
1116 bool SSLClientSocketNSS::Core::OnNetworkTaskRunner() const {
1117 return network_task_runner_->RunsTasksOnCurrentThread();
1118 }
1119
1120 // static
1121 SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
1122 void* arg,
1123 PRFileDesc* socket,
1124 PRBool checksig,
1125 PRBool is_server) {
1126 Core* core = reinterpret_cast<Core*>(arg);
1127 if (core->handshake_callback_called_) {
1128 // Disallow the server certificate to change in a renegotiation.
1129 CERTCertificate* old_cert = core->nss_handshake_state_.server_cert_chain[0];
1130 ScopedCERTCertificate new_cert(SSL_PeerCertificate(socket));
1131 if (new_cert->derCert.len != old_cert->derCert.len ||
1132 memcmp(new_cert->derCert.data, old_cert->derCert.data,
1133 new_cert->derCert.len) != 0) {
1134 // NSS doesn't have an error code that indicates the server certificate
1135 // changed. Borrow SSL_ERROR_WRONG_CERTIFICATE (which NSS isn't using)
1136 // for this purpose.
1137 PORT_SetError(SSL_ERROR_WRONG_CERTIFICATE);
1138 return SECFailure;
1139 }
1140 }
1141
1142 // Tell NSS to not verify the certificate.
1143 return SECSuccess;
1144 }
1145
1146 #if defined(OS_IOS)
1147
1148 // static
1149 SECStatus SSLClientSocketNSS::Core::ClientAuthHandler(
1150 void* arg,
1151 PRFileDesc* socket,
1152 CERTDistNames* ca_names,
1153 CERTCertificate** result_certificate,
1154 SECKEYPrivateKey** result_private_key) {
1155 Core* core = reinterpret_cast<Core*>(arg);
1156 DCHECK(core->OnNSSTaskRunner());
1157
1158 core->PostOrRunCallback(
1159 FROM_HERE,
1160 base::Bind(&AddLogEvent, core->weak_net_log_,
1161 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
1162
1163 // TODO(droger): Support client auth on iOS. See http://crbug.com/145954).
1164 LOG(WARNING) << "Client auth is not supported";
1165
1166 // Never send a certificate.
1167 core->AddCertProvidedEvent(0);
1168 return SECFailure;
1169 }
1170
1171 #else // !OS_IOS
1172
1173 // static
1174 // Based on Mozilla's NSS_GetClientAuthData.
1175 SECStatus SSLClientSocketNSS::Core::ClientAuthHandler(
1176 void* arg,
1177 PRFileDesc* socket,
1178 CERTDistNames* ca_names,
1179 CERTCertificate** result_certificate,
1180 SECKEYPrivateKey** result_private_key) {
1181 Core* core = reinterpret_cast<Core*>(arg);
1182 DCHECK(core->OnNSSTaskRunner());
1183
1184 core->PostOrRunCallback(
1185 FROM_HERE,
1186 base::Bind(&AddLogEvent, core->weak_net_log_,
1187 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
1188
1189 // Regular client certificate requested.
1190 core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert;
1191 void* wincx = SSL_RevealPinArg(socket);
1192
1193 if (core->ssl_config_.send_client_cert) {
1194 // Second pass: a client certificate should have been selected.
1195 if (core->ssl_config_.client_cert.get()) {
1196 CERTCertificate* cert =
1197 CERT_DupCertificate(core->ssl_config_.client_cert->os_cert_handle());
1198 SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx);
1199 if (privkey) {
1200 // TODO(jsorianopastor): We should wait for server certificate
1201 // verification before sending our credentials. See
1202 // http://crbug.com/13934.
1203 *result_certificate = cert;
1204 *result_private_key = privkey;
1205 // A cert_count of -1 means the number of certificates is unknown.
1206 // NSS will construct the certificate chain.
1207 core->AddCertProvidedEvent(-1);
1208
1209 return SECSuccess;
1210 }
1211 LOG(WARNING) << "Client cert found without private key";
1212 }
1213 // Send no client certificate.
1214 core->AddCertProvidedEvent(0);
1215 return SECFailure;
1216 }
1217
1218 // First pass: client certificate is needed.
1219 core->nss_handshake_state_.cert_authorities.clear();
1220
1221 // Retrieve the DER-encoded DistinguishedName of the cert issuers accepted by
1222 // the server and save them in |cert_authorities|.
1223 for (int i = 0; i < ca_names->nnames; i++) {
1224 core->nss_handshake_state_.cert_authorities.push_back(std::string(
1225 reinterpret_cast<const char*>(ca_names->names[i].data),
1226 static_cast<size_t>(ca_names->names[i].len)));
1227 }
1228
1229 // Update the network task runner's view of the handshake state now that
1230 // server certificate request has been recorded.
1231 core->PostOrRunCallback(
1232 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core,
1233 core->nss_handshake_state_));
1234
1235 // Tell NSS to suspend the client authentication. We will then abort the
1236 // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
1237 return SECWouldBlock;
1238 }
1239 #endif // OS_IOS
1240
1241 // static
1242 SECStatus SSLClientSocketNSS::Core::CanFalseStartCallback(
1243 PRFileDesc* socket,
1244 void* arg,
1245 PRBool* can_false_start) {
1246 // If the server doesn't support NPN or ALPN, then we don't do False
1247 // Start with it.
1248 PRBool negotiated_extension;
1249 SECStatus rv = SSL_HandshakeNegotiatedExtension(socket,
1250 ssl_app_layer_protocol_xtn,
1251 &negotiated_extension);
1252 if (rv != SECSuccess || !negotiated_extension) {
1253 rv = SSL_HandshakeNegotiatedExtension(socket,
1254 ssl_next_proto_nego_xtn,
1255 &negotiated_extension);
1256 }
1257 if (rv != SECSuccess || !negotiated_extension) {
1258 *can_false_start = PR_FALSE;
1259 return SECSuccess;
1260 }
1261
1262 SSLChannelInfo channel_info;
1263 SECStatus ok =
1264 SSL_GetChannelInfo(socket, &channel_info, sizeof(channel_info));
1265 if (ok != SECSuccess || channel_info.length != sizeof(channel_info) ||
1266 channel_info.protocolVersion < SSL_LIBRARY_VERSION_TLS_1_2 ||
1267 !IsFalseStartableTLSCipherSuite(channel_info.cipherSuite)) {
1268 *can_false_start = PR_FALSE;
1269 return SECSuccess;
1270 }
1271
1272 return SSL_RecommendedCanFalseStart(socket, can_false_start);
1273 }
1274
1275 // static
1276 void SSLClientSocketNSS::Core::HandshakeCallback(
1277 PRFileDesc* socket,
1278 void* arg) {
1279 Core* core = reinterpret_cast<Core*>(arg);
1280 DCHECK(core->OnNSSTaskRunner());
1281
1282 core->handshake_callback_called_ = true;
1283 if (core->false_started_) {
1284 core->false_started_ = false;
1285 // If the connection was False Started, then at the time of this callback,
1286 // the peer's certificate will have been verified or the caller will have
1287 // accepted the error.
1288 // This is guaranteed when using False Start because this callback will
1289 // not be invoked until processing the peer's Finished message, which
1290 // will only happen in a PR_Read/PR_Write call, which can only happen
1291 // after the peer's certificate is verified.
1292 SSL_CacheSessionUnlocked(socket);
1293
1294 // Additionally, when False Starting, DoHandshake() will have already
1295 // called HandshakeSucceeded(), so return now.
1296 return;
1297 }
1298 core->HandshakeSucceeded();
1299 }
1300
1301 void SSLClientSocketNSS::Core::HandshakeSucceeded() {
1302 DCHECK(OnNSSTaskRunner());
1303
1304 PRBool last_handshake_resumed;
1305 SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed);
1306 if (rv == SECSuccess && last_handshake_resumed) {
1307 nss_handshake_state_.resumed_handshake = true;
1308 } else {
1309 nss_handshake_state_.resumed_handshake = false;
1310 }
1311
1312 RecordChannelIDSupportOnNSSTaskRunner();
1313 UpdateServerCert();
1314 UpdateSignedCertTimestamps();
1315 UpdateStapledOCSPResponse();
1316 UpdateConnectionStatus();
1317 UpdateNextProto();
1318 UpdateExtensionUsed();
1319
1320 // Update the network task runners view of the handshake state whenever
1321 // a handshake has completed.
1322 PostOrRunCallback(
1323 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
1324 nss_handshake_state_));
1325 }
1326
1327 int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error) {
1328 DCHECK(OnNSSTaskRunner());
1329
1330 return MapNSSClientError(nss_error);
1331 }
1332
1333 int SSLClientSocketNSS::Core::DoHandshakeLoop(int last_io_result) {
1334 DCHECK(OnNSSTaskRunner());
1335
1336 int rv = last_io_result;
1337 do {
1338 // Default to STATE_NONE for next state.
1339 State state = next_handshake_state_;
1340 GotoState(STATE_NONE);
1341
1342 switch (state) {
1343 case STATE_HANDSHAKE:
1344 rv = DoHandshake();
1345 break;
1346 case STATE_GET_DOMAIN_BOUND_CERT_COMPLETE:
1347 rv = DoGetDBCertComplete(rv);
1348 break;
1349 case STATE_NONE:
1350 default:
1351 rv = ERR_UNEXPECTED;
1352 LOG(DFATAL) << "unexpected state " << state;
1353 break;
1354 }
1355
1356 // Do the actual network I/O
1357 bool network_moved = DoTransportIO();
1358 if (network_moved && next_handshake_state_ == STATE_HANDSHAKE) {
1359 // In general we exit the loop if rv is ERR_IO_PENDING. In this
1360 // special case we keep looping even if rv is ERR_IO_PENDING because
1361 // the transport IO may allow DoHandshake to make progress.
1362 DCHECK(rv == OK || rv == ERR_IO_PENDING);
1363 rv = OK; // This causes us to stay in the loop.
1364 }
1365 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE);
1366 return rv;
1367 }
1368
1369 int SSLClientSocketNSS::Core::DoReadLoop(int result) {
1370 DCHECK(OnNSSTaskRunner());
1371 DCHECK(false_started_ || handshake_callback_called_);
1372 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1373
1374 if (result < 0)
1375 return result;
1376
1377 if (!nss_bufs_) {
1378 LOG(DFATAL) << "!nss_bufs_";
1379 int rv = ERR_UNEXPECTED;
1380 PostOrRunCallback(
1381 FROM_HERE,
1382 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1383 NetLog::TYPE_SSL_READ_ERROR,
1384 CreateNetLogSSLErrorCallback(rv, 0)));
1385 return rv;
1386 }
1387
1388 bool network_moved;
1389 int rv;
1390 do {
1391 rv = DoPayloadRead();
1392 network_moved = DoTransportIO();
1393 } while (rv == ERR_IO_PENDING && network_moved);
1394
1395 return rv;
1396 }
1397
1398 int SSLClientSocketNSS::Core::DoWriteLoop(int result) {
1399 DCHECK(OnNSSTaskRunner());
1400 DCHECK(false_started_ || handshake_callback_called_);
1401 DCHECK_EQ(STATE_NONE, next_handshake_state_);
1402
1403 if (result < 0)
1404 return result;
1405
1406 if (!nss_bufs_) {
1407 LOG(DFATAL) << "!nss_bufs_";
1408 int rv = ERR_UNEXPECTED;
1409 PostOrRunCallback(
1410 FROM_HERE,
1411 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1412 NetLog::TYPE_SSL_READ_ERROR,
1413 CreateNetLogSSLErrorCallback(rv, 0)));
1414 return rv;
1415 }
1416
1417 bool network_moved;
1418 int rv;
1419 do {
1420 rv = DoPayloadWrite();
1421 network_moved = DoTransportIO();
1422 } while (rv == ERR_IO_PENDING && network_moved);
1423
1424 LeaveFunction(rv);
1425 return rv;
1426 }
1427
1428 int SSLClientSocketNSS::Core::DoHandshake() {
1429 DCHECK(OnNSSTaskRunner());
1430
1431 int net_error = OK;
1432 SECStatus rv = SSL_ForceHandshake(nss_fd_);
1433
1434 // Note: this function may be called multiple times during the handshake, so
1435 // even though channel id and client auth are separate else cases, they can
1436 // both be used during a single SSL handshake.
1437 if (channel_id_needed_) {
1438 GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE);
1439 net_error = ERR_IO_PENDING;
1440 } else if (client_auth_cert_needed_) {
1441 net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
1442 PostOrRunCallback(
1443 FROM_HERE,
1444 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1445 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
1446 CreateNetLogSSLErrorCallback(net_error, 0)));
1447 } else if (rv == SECSuccess) {
1448 if (!handshake_callback_called_) {
1449 false_started_ = true;
1450 HandshakeSucceeded();
1451 }
1452 } else {
1453 PRErrorCode prerr = PR_GetError();
1454 net_error = HandleNSSError(prerr);
1455
1456 // If not done, stay in this state
1457 if (net_error == ERR_IO_PENDING) {
1458 GotoState(STATE_HANDSHAKE);
1459 } else {
1460 PostOrRunCallback(
1461 FROM_HERE,
1462 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1463 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
1464 CreateNetLogSSLErrorCallback(net_error, prerr)));
1465 }
1466 }
1467
1468 return net_error;
1469 }
1470
1471 int SSLClientSocketNSS::Core::DoGetDBCertComplete(int result) {
1472 SECStatus rv;
1473 PostOrRunCallback(
1474 FROM_HERE,
1475 base::Bind(&BoundNetLog::EndEventWithNetErrorCode, weak_net_log_,
1476 NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, result));
1477
1478 channel_id_needed_ = false;
1479
1480 if (result != OK)
1481 return result;
1482
1483 SECKEYPublicKey* public_key;
1484 SECKEYPrivateKey* private_key;
1485 int error = ImportChannelIDKeys(&public_key, &private_key);
1486 if (error != OK)
1487 return error;
1488
1489 rv = SSL_RestartHandshakeAfterChannelIDReq(nss_fd_, public_key, private_key);
1490 if (rv != SECSuccess)
1491 return MapNSSError(PORT_GetError());
1492
1493 SetChannelIDProvided();
1494 GotoState(STATE_HANDSHAKE);
1495 return OK;
1496 }
1497
1498 int SSLClientSocketNSS::Core::DoPayloadRead() {
1499 DCHECK(OnNSSTaskRunner());
1500 DCHECK(user_read_buf_.get());
1501 DCHECK_GT(user_read_buf_len_, 0);
1502
1503 int rv;
1504 // If a previous greedy read resulted in an error that was not consumed (eg:
1505 // due to the caller having read some data successfully), then return that
1506 // pending error now.
1507 if (pending_read_result_ != kNoPendingReadResult) {
1508 rv = pending_read_result_;
1509 PRErrorCode prerr = pending_read_nss_error_;
1510 pending_read_result_ = kNoPendingReadResult;
1511 pending_read_nss_error_ = 0;
1512
1513 if (rv == 0) {
1514 PostOrRunCallback(
1515 FROM_HERE,
1516 base::Bind(&LogByteTransferEvent, weak_net_log_,
1517 NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv,
1518 scoped_refptr<IOBuffer>(user_read_buf_)));
1519 } else {
1520 PostOrRunCallback(
1521 FROM_HERE,
1522 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1523 NetLog::TYPE_SSL_READ_ERROR,
1524 CreateNetLogSSLErrorCallback(rv, prerr)));
1525 }
1526 return rv;
1527 }
1528
1529 // Perform a greedy read, attempting to read as much as the caller has
1530 // requested. In the current NSS implementation, PR_Read will return
1531 // exactly one SSL application data record's worth of data per invocation.
1532 // The record size is dictated by the server, and may be noticeably smaller
1533 // than the caller's buffer. This may be as little as a single byte, if the
1534 // server is performing 1/n-1 record splitting.
1535 //
1536 // However, this greedy read may result in renegotiations/re-handshakes
1537 // happening or may lead to some data being read, followed by an EOF (such as
1538 // a TLS close-notify). If at least some data was read, then that result
1539 // should be deferred until the next call to DoPayloadRead(). Otherwise, if no
1540 // data was read, it's safe to return the error or EOF immediately.
1541 int total_bytes_read = 0;
1542 do {
1543 rv = PR_Read(nss_fd_, user_read_buf_->data() + total_bytes_read,
1544 user_read_buf_len_ - total_bytes_read);
1545 if (rv > 0)
1546 total_bytes_read += rv;
1547 } while (total_bytes_read < user_read_buf_len_ && rv > 0);
1548 int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
1549 PostOrRunCallback(FROM_HERE, base::Bind(&Core::OnNSSBufferUpdated, this,
1550 amount_in_read_buffer));
1551
1552 if (total_bytes_read == user_read_buf_len_) {
1553 // The caller's entire request was satisfied without error. No further
1554 // processing needed.
1555 rv = total_bytes_read;
1556 } else {
1557 // Otherwise, an error occurred (rv <= 0). The error needs to be handled
1558 // immediately, while the NSPR/NSS errors are still available in
1559 // thread-local storage. However, the handled/remapped error code should
1560 // only be returned if no application data was already read; if it was, the
1561 // error code should be deferred until the next call of DoPayloadRead.
1562 //
1563 // If no data was read, |*next_result| will point to the return value of
1564 // this function. If at least some data was read, |*next_result| will point
1565 // to |pending_read_error_|, to be returned in a future call to
1566 // DoPayloadRead() (e.g.: after the current data is handled).
1567 int* next_result = &rv;
1568 if (total_bytes_read > 0) {
1569 pending_read_result_ = rv;
1570 rv = total_bytes_read;
1571 next_result = &pending_read_result_;
1572 }
1573
1574 if (client_auth_cert_needed_) {
1575 *next_result = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
1576 pending_read_nss_error_ = 0;
1577 } else if (*next_result < 0) {
1578 // If *next_result == 0, then that indicates EOF, and no special error
1579 // handling is needed.
1580 pending_read_nss_error_ = PR_GetError();
1581 *next_result = HandleNSSError(pending_read_nss_error_);
1582 if (rv > 0 && *next_result == ERR_IO_PENDING) {
1583 // If at least some data was read from PR_Read(), do not treat
1584 // insufficient data as an error to return in the next call to
1585 // DoPayloadRead() - instead, let the call fall through to check
1586 // PR_Read() again. This is because DoTransportIO() may complete
1587 // in between the next call to DoPayloadRead(), and thus it is
1588 // important to check PR_Read() on subsequent invocations to see
1589 // if a complete record may now be read.
1590 pending_read_nss_error_ = 0;
1591 pending_read_result_ = kNoPendingReadResult;
1592 }
1593 }
1594 }
1595
1596 DCHECK_NE(ERR_IO_PENDING, pending_read_result_);
1597
1598 if (rv >= 0) {
1599 PostOrRunCallback(
1600 FROM_HERE,
1601 base::Bind(&LogByteTransferEvent, weak_net_log_,
1602 NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv,
1603 scoped_refptr<IOBuffer>(user_read_buf_)));
1604 } else if (rv != ERR_IO_PENDING) {
1605 PostOrRunCallback(
1606 FROM_HERE,
1607 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1608 NetLog::TYPE_SSL_READ_ERROR,
1609 CreateNetLogSSLErrorCallback(rv, pending_read_nss_error_)));
1610 pending_read_nss_error_ = 0;
1611 }
1612 return rv;
1613 }
1614
1615 int SSLClientSocketNSS::Core::DoPayloadWrite() {
1616 DCHECK(OnNSSTaskRunner());
1617
1618 DCHECK(user_write_buf_.get());
1619
1620 int old_amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
1621 int rv = PR_Write(nss_fd_, user_write_buf_->data(), user_write_buf_len_);
1622 int new_amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
1623 // PR_Write could potentially consume the unhandled data in the memio read
1624 // buffer if a renegotiation is in progress. If the buffer is consumed,
1625 // notify the latest buffer size to NetworkRunner.
1626 if (old_amount_in_read_buffer != new_amount_in_read_buffer) {
1627 PostOrRunCallback(
1628 FROM_HERE,
1629 base::Bind(&Core::OnNSSBufferUpdated, this, new_amount_in_read_buffer));
1630 }
1631 if (rv >= 0) {
1632 PostOrRunCallback(
1633 FROM_HERE,
1634 base::Bind(&LogByteTransferEvent, weak_net_log_,
1635 NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
1636 scoped_refptr<IOBuffer>(user_write_buf_)));
1637 return rv;
1638 }
1639 PRErrorCode prerr = PR_GetError();
1640 if (prerr == PR_WOULD_BLOCK_ERROR)
1641 return ERR_IO_PENDING;
1642
1643 rv = HandleNSSError(prerr);
1644 PostOrRunCallback(
1645 FROM_HERE,
1646 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1647 NetLog::TYPE_SSL_WRITE_ERROR,
1648 CreateNetLogSSLErrorCallback(rv, prerr)));
1649 return rv;
1650 }
1651
1652 // Do as much network I/O as possible between the buffer and the
1653 // transport socket. Return true if some I/O performed, false
1654 // otherwise (error or ERR_IO_PENDING).
1655 bool SSLClientSocketNSS::Core::DoTransportIO() {
1656 DCHECK(OnNSSTaskRunner());
1657
1658 bool network_moved = false;
1659 if (nss_bufs_ != NULL) {
1660 int rv;
1661 // Read and write as much data as we can. The loop is neccessary
1662 // because Write() may return synchronously.
1663 do {
1664 rv = BufferSend();
1665 if (rv != ERR_IO_PENDING && rv != 0)
1666 network_moved = true;
1667 } while (rv > 0);
1668 if (!transport_recv_eof_ && BufferRecv() != ERR_IO_PENDING)
1669 network_moved = true;
1670 }
1671 return network_moved;
1672 }
1673
1674 int SSLClientSocketNSS::Core::BufferRecv() {
1675 DCHECK(OnNSSTaskRunner());
1676
1677 if (transport_recv_busy_)
1678 return ERR_IO_PENDING;
1679
1680 // If NSS is blocked on reading from |nss_bufs_|, because it is empty,
1681 // determine how much data NSS wants to read. If NSS was not blocked,
1682 // this will return 0.
1683 int requested = memio_GetReadRequest(nss_bufs_);
1684 if (requested == 0) {
1685 // This is not a perfect match of error codes, as no operation is
1686 // actually pending. However, returning 0 would be interpreted as a
1687 // possible sign of EOF, which is also an inappropriate match.
1688 return ERR_IO_PENDING;
1689 }
1690
1691 char* buf;
1692 int nb = memio_GetReadParams(nss_bufs_, &buf);
1693 int rv;
1694 if (!nb) {
1695 // buffer too full to read into, so no I/O possible at moment
1696 rv = ERR_IO_PENDING;
1697 } else {
1698 scoped_refptr<IOBuffer> read_buffer(new IOBuffer(nb));
1699 if (OnNetworkTaskRunner()) {
1700 rv = DoBufferRecv(read_buffer.get(), nb);
1701 } else {
1702 bool posted = network_task_runner_->PostTask(
1703 FROM_HERE,
1704 base::Bind(IgnoreResult(&Core::DoBufferRecv), this, read_buffer,
1705 nb));
1706 rv = posted ? ERR_IO_PENDING : ERR_ABORTED;
1707 }
1708
1709 if (rv == ERR_IO_PENDING) {
1710 transport_recv_busy_ = true;
1711 } else {
1712 if (rv > 0) {
1713 memcpy(buf, read_buffer->data(), rv);
1714 } else if (rv == 0) {
1715 transport_recv_eof_ = true;
1716 }
1717 memio_PutReadResult(nss_bufs_, MapErrorToNSS(rv));
1718 }
1719 }
1720 return rv;
1721 }
1722
1723 // Return 0 if nss_bufs_ was empty,
1724 // > 0 for bytes transferred immediately,
1725 // < 0 for error (or the non-error ERR_IO_PENDING).
1726 int SSLClientSocketNSS::Core::BufferSend() {
1727 DCHECK(OnNSSTaskRunner());
1728
1729 if (transport_send_busy_)
1730 return ERR_IO_PENDING;
1731
1732 const char* buf1;
1733 const char* buf2;
1734 unsigned int len1, len2;
1735 if (memio_GetWriteParams(nss_bufs_, &buf1, &len1, &buf2, &len2)) {
1736 // It is important this return synchronously to prevent spinning infinitely
1737 // in the off-thread NSS case. The error code itself is ignored, so just
1738 // return ERR_ABORTED. See https://crbug.com/381160.
1739 return ERR_ABORTED;
1740 }
1741 const unsigned int len = len1 + len2;
1742
1743 int rv = 0;
1744 if (len) {
1745 scoped_refptr<IOBuffer> send_buffer(new IOBuffer(len));
1746 memcpy(send_buffer->data(), buf1, len1);
1747 memcpy(send_buffer->data() + len1, buf2, len2);
1748
1749 if (OnNetworkTaskRunner()) {
1750 rv = DoBufferSend(send_buffer.get(), len);
1751 } else {
1752 bool posted = network_task_runner_->PostTask(
1753 FROM_HERE,
1754 base::Bind(IgnoreResult(&Core::DoBufferSend), this, send_buffer,
1755 len));
1756 rv = posted ? ERR_IO_PENDING : ERR_ABORTED;
1757 }
1758
1759 if (rv == ERR_IO_PENDING) {
1760 transport_send_busy_ = true;
1761 } else {
1762 memio_PutWriteResult(nss_bufs_, MapErrorToNSS(rv));
1763 }
1764 }
1765
1766 return rv;
1767 }
1768
1769 void SSLClientSocketNSS::Core::OnRecvComplete(int result) {
1770 DCHECK(OnNSSTaskRunner());
1771
1772 if (next_handshake_state_ == STATE_HANDSHAKE) {
1773 OnHandshakeIOComplete(result);
1774 return;
1775 }
1776
1777 // Network layer received some data, check if client requested to read
1778 // decrypted data.
1779 if (!user_read_buf_.get())
1780 return;
1781
1782 int rv = DoReadLoop(result);
1783 if (rv != ERR_IO_PENDING)
1784 DoReadCallback(rv);
1785 }
1786
1787 void SSLClientSocketNSS::Core::OnSendComplete(int result) {
1788 DCHECK(OnNSSTaskRunner());
1789
1790 if (next_handshake_state_ == STATE_HANDSHAKE) {
1791 OnHandshakeIOComplete(result);
1792 return;
1793 }
1794
1795 // OnSendComplete may need to call DoPayloadRead while the renegotiation
1796 // handshake is in progress.
1797 int rv_read = ERR_IO_PENDING;
1798 int rv_write = ERR_IO_PENDING;
1799 bool network_moved;
1800 do {
1801 if (user_read_buf_.get())
1802 rv_read = DoPayloadRead();
1803 if (user_write_buf_.get())
1804 rv_write = DoPayloadWrite();
1805 network_moved = DoTransportIO();
1806 } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING &&
1807 (user_read_buf_.get() || user_write_buf_.get()) && network_moved);
1808
1809 // If the parent SSLClientSocketNSS is deleted during the processing of the
1810 // Read callback and OnNSSTaskRunner() == OnNetworkTaskRunner(), then the Core
1811 // will be detached (and possibly deleted). Guard against deletion by taking
1812 // an extra reference, then check if the Core was detached before invoking the
1813 // next callback.
1814 scoped_refptr<Core> guard(this);
1815 if (user_read_buf_.get() && rv_read != ERR_IO_PENDING)
1816 DoReadCallback(rv_read);
1817
1818 if (OnNetworkTaskRunner() && detached_)
1819 return;
1820
1821 if (user_write_buf_.get() && rv_write != ERR_IO_PENDING)
1822 DoWriteCallback(rv_write);
1823 }
1824
1825 // As part of Connect(), the SSLClientSocketNSS object performs an SSL
1826 // handshake. This requires network IO, which in turn calls
1827 // BufferRecvComplete() with a non-zero byte count. This byte count eventually
1828 // winds its way through the state machine and ends up being passed to the
1829 // callback. For Read() and Write(), that's what we want. But for Connect(),
1830 // the caller expects OK (i.e. 0) for success.
1831 void SSLClientSocketNSS::Core::DoConnectCallback(int rv) {
1832 DCHECK(OnNSSTaskRunner());
1833 DCHECK_NE(rv, ERR_IO_PENDING);
1834 DCHECK(!user_connect_callback_.is_null());
1835
1836 base::Closure c = base::Bind(
1837 base::ResetAndReturn(&user_connect_callback_),
1838 rv > OK ? OK : rv);
1839 PostOrRunCallback(FROM_HERE, c);
1840 }
1841
1842 void SSLClientSocketNSS::Core::DoReadCallback(int rv) {
1843 DCHECK(OnNSSTaskRunner());
1844 DCHECK_NE(ERR_IO_PENDING, rv);
1845 DCHECK(!user_read_callback_.is_null());
1846
1847 user_read_buf_ = NULL;
1848 user_read_buf_len_ = 0;
1849 int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
1850 // This is used to curry the |amount_int_read_buffer| and |user_cb| back to
1851 // the network task runner.
1852 PostOrRunCallback(
1853 FROM_HERE,
1854 base::Bind(&Core::OnNSSBufferUpdated, this, amount_in_read_buffer));
1855 PostOrRunCallback(
1856 FROM_HERE,
1857 base::Bind(&Core::DidNSSRead, this, rv));
1858 PostOrRunCallback(
1859 FROM_HERE,
1860 base::Bind(base::ResetAndReturn(&user_read_callback_), rv));
1861 }
1862
1863 void SSLClientSocketNSS::Core::DoWriteCallback(int rv) {
1864 DCHECK(OnNSSTaskRunner());
1865 DCHECK_NE(ERR_IO_PENDING, rv);
1866 DCHECK(!user_write_callback_.is_null());
1867
1868 // Since Run may result in Write being called, clear |user_write_callback_|
1869 // up front.
1870 user_write_buf_ = NULL;
1871 user_write_buf_len_ = 0;
1872 // Update buffer status because DoWriteLoop called DoTransportIO which may
1873 // perform read operations.
1874 int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
1875 // This is used to curry the |amount_int_read_buffer| and |user_cb| back to
1876 // the network task runner.
1877 PostOrRunCallback(
1878 FROM_HERE,
1879 base::Bind(&Core::OnNSSBufferUpdated, this, amount_in_read_buffer));
1880 PostOrRunCallback(
1881 FROM_HERE,
1882 base::Bind(&Core::DidNSSWrite, this, rv));
1883 PostOrRunCallback(
1884 FROM_HERE,
1885 base::Bind(base::ResetAndReturn(&user_write_callback_), rv));
1886 }
1887
1888 SECStatus SSLClientSocketNSS::Core::ClientChannelIDHandler(
1889 void* arg,
1890 PRFileDesc* socket,
1891 SECKEYPublicKey **out_public_key,
1892 SECKEYPrivateKey **out_private_key) {
1893 Core* core = reinterpret_cast<Core*>(arg);
1894 DCHECK(core->OnNSSTaskRunner());
1895
1896 core->PostOrRunCallback(
1897 FROM_HERE,
1898 base::Bind(&AddLogEvent, core->weak_net_log_,
1899 NetLog::TYPE_SSL_CHANNEL_ID_REQUESTED));
1900
1901 // We have negotiated the TLS channel ID extension.
1902 core->channel_id_xtn_negotiated_ = true;
1903 std::string host = core->host_and_port_.host();
1904 int error = ERR_UNEXPECTED;
1905 if (core->OnNetworkTaskRunner()) {
1906 error = core->DoGetChannelID(host);
1907 } else {
1908 bool posted = core->network_task_runner_->PostTask(
1909 FROM_HERE,
1910 base::Bind(
1911 IgnoreResult(&Core::DoGetChannelID),
1912 core, host));
1913 error = posted ? ERR_IO_PENDING : ERR_ABORTED;
1914 }
1915
1916 if (error == ERR_IO_PENDING) {
1917 // Asynchronous case.
1918 core->channel_id_needed_ = true;
1919 return SECWouldBlock;
1920 }
1921
1922 core->PostOrRunCallback(
1923 FROM_HERE,
1924 base::Bind(&BoundNetLog::EndEventWithNetErrorCode, core->weak_net_log_,
1925 NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, error));
1926 SECStatus rv = SECSuccess;
1927 if (error == OK) {
1928 // Synchronous success.
1929 int result = core->ImportChannelIDKeys(out_public_key, out_private_key);
1930 if (result == OK)
1931 core->SetChannelIDProvided();
1932 else
1933 rv = SECFailure;
1934 } else {
1935 rv = SECFailure;
1936 }
1937
1938 return rv;
1939 }
1940
1941 int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key,
1942 SECKEYPrivateKey** key) {
1943 // Set the certificate.
1944 SECItem cert_item;
1945 cert_item.data = (unsigned char*) domain_bound_cert_.data();
1946 cert_item.len = domain_bound_cert_.size();
1947 ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
1948 &cert_item,
1949 NULL,
1950 PR_FALSE,
1951 PR_TRUE));
1952 if (cert == NULL)
1953 return MapNSSError(PORT_GetError());
1954
1955 crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
1956 // Set the private key.
1957 if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
1958 slot.get(),
1959 ChannelIDService::kEPKIPassword,
1960 reinterpret_cast<const unsigned char*>(
1961 domain_bound_private_key_.data()),
1962 domain_bound_private_key_.size(),
1963 &cert->subjectPublicKeyInfo,
1964 false,
1965 false,
1966 key,
1967 public_key)) {
1968 int error = MapNSSError(PORT_GetError());
1969 return error;
1970 }
1971
1972 return OK;
1973 }
1974
1975 void SSLClientSocketNSS::Core::UpdateServerCert() {
1976 nss_handshake_state_.server_cert_chain.Reset(nss_fd_);
1977 nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain(
1978 nss_handshake_state_.server_cert_chain.AsStringPieceVector());
1979 if (nss_handshake_state_.server_cert.get()) {
1980 // Since this will be called asynchronously on another thread, it needs to
1981 // own a reference to the certificate.
1982 NetLog::ParametersCallback net_log_callback =
1983 base::Bind(&NetLogX509CertificateCallback,
1984 nss_handshake_state_.server_cert);
1985 PostOrRunCallback(
1986 FROM_HERE,
1987 base::Bind(&AddLogEventWithCallback, weak_net_log_,
1988 NetLog::TYPE_SSL_CERTIFICATES_RECEIVED,
1989 net_log_callback));
1990 }
1991 }
1992
1993 void SSLClientSocketNSS::Core::UpdateSignedCertTimestamps() {
1994 const SECItem* signed_cert_timestamps =
1995 SSL_PeerSignedCertTimestamps(nss_fd_);
1996
1997 if (!signed_cert_timestamps || !signed_cert_timestamps->len)
1998 return;
1999
2000 nss_handshake_state_.sct_list_from_tls_extension = std::string(
2001 reinterpret_cast<char*>(signed_cert_timestamps->data),
2002 signed_cert_timestamps->len);
2003 }
2004
2005 void SSLClientSocketNSS::Core::UpdateStapledOCSPResponse() {
2006 PRBool ocsp_requested = PR_FALSE;
2007 SSL_OptionGet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, &ocsp_requested);
2008 const SECItemArray* ocsp_responses =
2009 SSL_PeerStapledOCSPResponses(nss_fd_);
2010 bool ocsp_responses_present = ocsp_responses && ocsp_responses->len;
2011 if (ocsp_requested)
2012 UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_responses_present);
2013 if (!ocsp_responses_present)
2014 return;
2015
2016 nss_handshake_state_.stapled_ocsp_response = std::string(
2017 reinterpret_cast<char*>(ocsp_responses->items[0].data),
2018 ocsp_responses->items[0].len);
2019 }
2020
2021 void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
2022 // Note: This function may be called multiple times for a single connection
2023 // if renegotiations occur.
2024 nss_handshake_state_.ssl_connection_status = 0;
2025
2026 SSLChannelInfo channel_info;
2027 SECStatus ok = SSL_GetChannelInfo(nss_fd_,
2028 &channel_info, sizeof(channel_info));
2029 if (ok == SECSuccess &&
2030 channel_info.length == sizeof(channel_info) &&
2031 channel_info.cipherSuite) {
2032 nss_handshake_state_.ssl_connection_status |= channel_info.cipherSuite;
2033
2034 nss_handshake_state_.ssl_connection_status |=
2035 (static_cast<int>(channel_info.compressionMethod) &
2036 SSL_CONNECTION_COMPRESSION_MASK) <<
2037 SSL_CONNECTION_COMPRESSION_SHIFT;
2038
2039 int version = SSL_CONNECTION_VERSION_UNKNOWN;
2040 if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
2041 // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
2042 // version 2.
2043 version = SSL_CONNECTION_VERSION_SSL2;
2044 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) {
2045 version = SSL_CONNECTION_VERSION_SSL3;
2046 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_0) {
2047 version = SSL_CONNECTION_VERSION_TLS1;
2048 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) {
2049 version = SSL_CONNECTION_VERSION_TLS1_1;
2050 } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_2) {
2051 version = SSL_CONNECTION_VERSION_TLS1_2;
2052 }
2053 nss_handshake_state_.ssl_connection_status |=
2054 (version & SSL_CONNECTION_VERSION_MASK) <<
2055 SSL_CONNECTION_VERSION_SHIFT;
2056 }
2057
2058 PRBool peer_supports_renego_ext;
2059 ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn,
2060 &peer_supports_renego_ext);
2061 if (ok == SECSuccess) {
2062 if (!peer_supports_renego_ext) {
2063 nss_handshake_state_.ssl_connection_status |=
2064 SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
2065 // Log an informational message if the server does not support secure
2066 // renegotiation (RFC 5746).
2067 VLOG(1) << "The server " << host_and_port_.ToString()
2068 << " does not support the TLS renegotiation_info extension.";
2069 }
2070 }
2071
2072 if (ssl_config_.version_fallback) {
2073 nss_handshake_state_.ssl_connection_status |=
2074 SSL_CONNECTION_VERSION_FALLBACK;
2075 }
2076 }
2077
2078 void SSLClientSocketNSS::Core::UpdateNextProto() {
2079 uint8 buf[256];
2080 SSLNextProtoState state;
2081 unsigned buf_len;
2082
2083 SECStatus rv = SSL_GetNextProto(nss_fd_, &state, buf, &buf_len, sizeof(buf));
2084 if (rv != SECSuccess)
2085 return;
2086
2087 nss_handshake_state_.next_proto =
2088 std::string(reinterpret_cast<char*>(buf), buf_len);
2089 switch (state) {
2090 case SSL_NEXT_PROTO_NEGOTIATED:
2091 case SSL_NEXT_PROTO_SELECTED:
2092 nss_handshake_state_.next_proto_status = kNextProtoNegotiated;
2093 break;
2094 case SSL_NEXT_PROTO_NO_OVERLAP:
2095 nss_handshake_state_.next_proto_status = kNextProtoNoOverlap;
2096 break;
2097 case SSL_NEXT_PROTO_NO_SUPPORT:
2098 nss_handshake_state_.next_proto_status = kNextProtoUnsupported;
2099 break;
2100 default:
2101 NOTREACHED();
2102 break;
2103 }
2104 }
2105
2106 void SSLClientSocketNSS::Core::UpdateExtensionUsed() {
2107 PRBool negotiated_extension;
2108 SECStatus rv = SSL_HandshakeNegotiatedExtension(nss_fd_,
2109 ssl_app_layer_protocol_xtn,
2110 &negotiated_extension);
2111 if (rv == SECSuccess && negotiated_extension) {
2112 nss_handshake_state_.negotiation_extension_ = kExtensionALPN;
2113 } else {
2114 rv = SSL_HandshakeNegotiatedExtension(nss_fd_,
2115 ssl_next_proto_nego_xtn,
2116 &negotiated_extension);
2117 if (rv == SECSuccess && negotiated_extension) {
2118 nss_handshake_state_.negotiation_extension_ = kExtensionNPN;
2119 }
2120 }
2121 }
2122
2123 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() {
2124 DCHECK(OnNSSTaskRunner());
2125 if (nss_handshake_state_.resumed_handshake)
2126 return;
2127
2128 // Copy the NSS task runner-only state to the network task runner and
2129 // log histograms from there, since the histograms also need access to the
2130 // network task runner state.
2131 PostOrRunCallback(
2132 FROM_HERE,
2133 base::Bind(&Core::RecordChannelIDSupportOnNetworkTaskRunner,
2134 this,
2135 channel_id_xtn_negotiated_,
2136 ssl_config_.channel_id_enabled,
2137 crypto::ECPrivateKey::IsSupported()));
2138 }
2139
2140 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNetworkTaskRunner(
2141 bool negotiated_channel_id,
2142 bool channel_id_enabled,
2143 bool supports_ecc) const {
2144 DCHECK(OnNetworkTaskRunner());
2145
2146 RecordChannelIDSupport(channel_id_service_,
2147 negotiated_channel_id,
2148 channel_id_enabled,
2149 supports_ecc);
2150 }
2151
2152 int SSLClientSocketNSS::Core::DoBufferRecv(IOBuffer* read_buffer, int len) {
2153 DCHECK(OnNetworkTaskRunner());
2154 DCHECK_GT(len, 0);
2155
2156 if (detached_)
2157 return ERR_ABORTED;
2158
2159 int rv = transport_->socket()->Read(
2160 read_buffer, len,
2161 base::Bind(&Core::BufferRecvComplete, base::Unretained(this),
2162 scoped_refptr<IOBuffer>(read_buffer)));
2163
2164 if (!OnNSSTaskRunner() && rv != ERR_IO_PENDING) {
2165 nss_task_runner_->PostTask(
2166 FROM_HERE, base::Bind(&Core::BufferRecvComplete, this,
2167 scoped_refptr<IOBuffer>(read_buffer), rv));
2168 return rv;
2169 }
2170
2171 return rv;
2172 }
2173
2174 int SSLClientSocketNSS::Core::DoBufferSend(IOBuffer* send_buffer, int len) {
2175 DCHECK(OnNetworkTaskRunner());
2176 DCHECK_GT(len, 0);
2177
2178 if (detached_)
2179 return ERR_ABORTED;
2180
2181 int rv = transport_->socket()->Write(
2182 send_buffer, len,
2183 base::Bind(&Core::BufferSendComplete,
2184 base::Unretained(this)));
2185
2186 if (!OnNSSTaskRunner() && rv != ERR_IO_PENDING) {
2187 nss_task_runner_->PostTask(
2188 FROM_HERE,
2189 base::Bind(&Core::BufferSendComplete, this, rv));
2190 return rv;
2191 }
2192
2193 return rv;
2194 }
2195
2196 int SSLClientSocketNSS::Core::DoGetChannelID(const std::string& host) {
2197 DCHECK(OnNetworkTaskRunner());
2198
2199 if (detached_)
2200 return ERR_ABORTED;
2201
2202 weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT);
2203
2204 int rv = channel_id_service_->GetOrCreateChannelID(
2205 host,
2206 &domain_bound_private_key_,
2207 &domain_bound_cert_,
2208 base::Bind(&Core::OnGetChannelIDComplete, base::Unretained(this)),
2209 &domain_bound_cert_request_handle_);
2210
2211 if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) {
2212 nss_task_runner_->PostTask(
2213 FROM_HERE,
2214 base::Bind(&Core::OnHandshakeIOComplete, this, rv));
2215 return ERR_IO_PENDING;
2216 }
2217
2218 return rv;
2219 }
2220
2221 void SSLClientSocketNSS::Core::OnHandshakeStateUpdated(
2222 const HandshakeState& state) {
2223 DCHECK(OnNetworkTaskRunner());
2224 network_handshake_state_ = state;
2225 }
2226
2227 void SSLClientSocketNSS::Core::OnNSSBufferUpdated(int amount_in_read_buffer) {
2228 DCHECK(OnNetworkTaskRunner());
2229 unhandled_buffer_size_ = amount_in_read_buffer;
2230 }
2231
2232 void SSLClientSocketNSS::Core::DidNSSRead(int result) {
2233 DCHECK(OnNetworkTaskRunner());
2234 DCHECK(nss_waiting_read_);
2235 nss_waiting_read_ = false;
2236 if (result <= 0) {
2237 nss_is_closed_ = true;
2238 } else {
2239 was_ever_used_ = true;
2240 }
2241 }
2242
2243 void SSLClientSocketNSS::Core::DidNSSWrite(int result) {
2244 DCHECK(OnNetworkTaskRunner());
2245 DCHECK(nss_waiting_write_);
2246 nss_waiting_write_ = false;
2247 if (result < 0) {
2248 nss_is_closed_ = true;
2249 } else if (result > 0) {
2250 was_ever_used_ = true;
2251 }
2252 }
2253
2254 void SSLClientSocketNSS::Core::BufferSendComplete(int result) {
2255 if (!OnNSSTaskRunner()) {
2256 if (detached_)
2257 return;
2258
2259 nss_task_runner_->PostTask(
2260 FROM_HERE, base::Bind(&Core::BufferSendComplete, this, result));
2261 return;
2262 }
2263
2264 DCHECK(OnNSSTaskRunner());
2265
2266 memio_PutWriteResult(nss_bufs_, MapErrorToNSS(result));
2267 transport_send_busy_ = false;
2268 OnSendComplete(result);
2269 }
2270
2271 void SSLClientSocketNSS::Core::OnHandshakeIOComplete(int result) {
2272 if (!OnNSSTaskRunner()) {
2273 if (detached_)
2274 return;
2275
2276 nss_task_runner_->PostTask(
2277 FROM_HERE, base::Bind(&Core::OnHandshakeIOComplete, this, result));
2278 return;
2279 }
2280
2281 DCHECK(OnNSSTaskRunner());
2282
2283 int rv = DoHandshakeLoop(result);
2284 if (rv != ERR_IO_PENDING)
2285 DoConnectCallback(rv);
2286 }
2287
2288 void SSLClientSocketNSS::Core::OnGetChannelIDComplete(int result) {
2289 DVLOG(1) << __FUNCTION__ << " " << result;
2290 DCHECK(OnNetworkTaskRunner());
2291
2292 OnHandshakeIOComplete(result);
2293 }
2294
2295 void SSLClientSocketNSS::Core::BufferRecvComplete(
2296 IOBuffer* read_buffer,
2297 int result) {
2298 DCHECK(read_buffer);
2299
2300 if (!OnNSSTaskRunner()) {
2301 if (detached_)
2302 return;
2303
2304 nss_task_runner_->PostTask(
2305 FROM_HERE, base::Bind(&Core::BufferRecvComplete, this,
2306 scoped_refptr<IOBuffer>(read_buffer), result));
2307 return;
2308 }
2309
2310 DCHECK(OnNSSTaskRunner());
2311
2312 if (result > 0) {
2313 char* buf;
2314 int nb = memio_GetReadParams(nss_bufs_, &buf);
2315 CHECK_GE(nb, result);
2316 memcpy(buf, read_buffer->data(), result);
2317 } else if (result == 0) {
2318 transport_recv_eof_ = true;
2319 }
2320
2321 memio_PutReadResult(nss_bufs_, MapErrorToNSS(result));
2322 transport_recv_busy_ = false;
2323 OnRecvComplete(result);
2324 }
2325
2326 void SSLClientSocketNSS::Core::PostOrRunCallback(
2327 const tracked_objects::Location& location,
2328 const base::Closure& task) {
2329 if (!OnNetworkTaskRunner()) {
2330 network_task_runner_->PostTask(
2331 FROM_HERE,
2332 base::Bind(&Core::PostOrRunCallback, this, location, task));
2333 return;
2334 }
2335
2336 if (detached_ || task.is_null())
2337 return;
2338 task.Run();
2339 }
2340
2341 void SSLClientSocketNSS::Core::AddCertProvidedEvent(int cert_count) {
2342 PostOrRunCallback(
2343 FROM_HERE,
2344 base::Bind(&AddLogEventWithCallback, weak_net_log_,
2345 NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
2346 NetLog::IntegerCallback("cert_count", cert_count)));
2347 }
2348
2349 void SSLClientSocketNSS::Core::SetChannelIDProvided() {
2350 PostOrRunCallback(
2351 FROM_HERE, base::Bind(&AddLogEvent, weak_net_log_,
2352 NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED));
2353 nss_handshake_state_.channel_id_sent = true;
2354 // Update the network task runner's view of the handshake state now that
2355 // channel id has been sent.
2356 PostOrRunCallback(
2357 FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
2358 nss_handshake_state_));
2359 }
2360
2361 SSLClientSocketNSS::SSLClientSocketNSS(
2362 base::SequencedTaskRunner* nss_task_runner,
2363 scoped_ptr<ClientSocketHandle> transport_socket,
2364 const HostPortPair& host_and_port,
2365 const SSLConfig& ssl_config,
2366 const SSLClientSocketContext& context)
2367 : nss_task_runner_(nss_task_runner),
2368 transport_(transport_socket.Pass()),
2369 host_and_port_(host_and_port),
2370 ssl_config_(ssl_config),
2371 cert_verifier_(context.cert_verifier),
2372 cert_transparency_verifier_(context.cert_transparency_verifier),
2373 channel_id_service_(context.channel_id_service),
2374 ssl_session_cache_shard_(context.ssl_session_cache_shard),
2375 completed_handshake_(false),
2376 next_handshake_state_(STATE_NONE),
2377 nss_fd_(NULL),
2378 net_log_(transport_->socket()->NetLog()),
2379 transport_security_state_(context.transport_security_state),
2380 policy_enforcer_(context.cert_policy_enforcer),
2381 valid_thread_id_(base::kInvalidThreadId) {
2382 DCHECK(cert_verifier_);
2383
2384 EnterFunction("");
2385 InitCore();
2386 LeaveFunction("");
2387 }
2388
2389 SSLClientSocketNSS::~SSLClientSocketNSS() {
2390 EnterFunction("");
2391 Disconnect();
2392 LeaveFunction("");
2393 }
2394
2395 // static
2396 void SSLClientSocket::ClearSessionCache() {
2397 // SSL_ClearSessionCache can't be called before NSS is initialized. Don't
2398 // bother initializing NSS just to clear an empty SSL session cache.
2399 if (!NSS_IsInitialized())
2400 return;
2401
2402 SSL_ClearSessionCache();
2403 }
2404
2405 #if !defined(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)
2406 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
2407 #endif
2408
2409 // static
2410 uint16 SSLClientSocket::GetMaxSupportedSSLVersion() {
2411 crypto::EnsureNSSInit();
2412 if (PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) {
2413 return SSL_PROTOCOL_VERSION_TLS1_2;
2414 } else {
2415 return SSL_PROTOCOL_VERSION_TLS1_1;
2416 }
2417 }
2418
2419 bool SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
2420 EnterFunction("");
2421 ssl_info->Reset();
2422 if (core_->state().server_cert_chain.empty() ||
2423 !core_->state().server_cert_chain[0]) {
2424 return false;
2425 }
2426
2427 ssl_info->cert_status = server_cert_verify_result_.cert_status;
2428 ssl_info->cert = server_cert_verify_result_.verified_cert;
2429
2430 AddSCTInfoToSSLInfo(ssl_info);
2431
2432 ssl_info->connection_status =
2433 core_->state().ssl_connection_status;
2434 ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
2435 ssl_info->is_issued_by_known_root =
2436 server_cert_verify_result_.is_issued_by_known_root;
2437 ssl_info->client_cert_sent =
2438 ssl_config_.send_client_cert && ssl_config_.client_cert.get();
2439 ssl_info->channel_id_sent = core_->state().channel_id_sent;
2440 ssl_info->pinning_failure_log = pinning_failure_log_;
2441
2442 PRUint16 cipher_suite = SSLConnectionStatusToCipherSuite(
2443 core_->state().ssl_connection_status);
2444 SSLCipherSuiteInfo cipher_info;
2445 SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite,
2446 &cipher_info, sizeof(cipher_info));
2447 if (ok == SECSuccess) {
2448 ssl_info->security_bits = cipher_info.effectiveKeyBits;
2449 } else {
2450 ssl_info->security_bits = -1;
2451 LOG(DFATAL) << "SSL_GetCipherSuiteInfo returned " << PR_GetError()
2452 << " for cipherSuite " << cipher_suite;
2453 }
2454
2455 ssl_info->handshake_type = core_->state().resumed_handshake ?
2456 SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL;
2457
2458 LeaveFunction("");
2459 return true;
2460 }
2461
2462 void SSLClientSocketNSS::GetSSLCertRequestInfo(
2463 SSLCertRequestInfo* cert_request_info) {
2464 EnterFunction("");
2465 cert_request_info->host_and_port = host_and_port_;
2466 cert_request_info->cert_authorities = core_->state().cert_authorities;
2467 LeaveFunction("");
2468 }
2469
2470 int SSLClientSocketNSS::ExportKeyingMaterial(const base::StringPiece& label,
2471 bool has_context,
2472 const base::StringPiece& context,
2473 unsigned char* out,
2474 unsigned int outlen) {
2475 if (!IsConnected())
2476 return ERR_SOCKET_NOT_CONNECTED;
2477
2478 // SSL_ExportKeyingMaterial may block the current thread if |core_| is in
2479 // the midst of a handshake.
2480 SECStatus result = SSL_ExportKeyingMaterial(
2481 nss_fd_, label.data(), label.size(), has_context,
2482 reinterpret_cast<const unsigned char*>(context.data()),
2483 context.length(), out, outlen);
2484 if (result != SECSuccess) {
2485 LogFailedNSSFunction(net_log_, "SSL_ExportKeyingMaterial", "");
2486 return MapNSSError(PORT_GetError());
2487 }
2488 return OK;
2489 }
2490
2491 int SSLClientSocketNSS::GetTLSUniqueChannelBinding(std::string* out) {
2492 if (!IsConnected())
2493 return ERR_SOCKET_NOT_CONNECTED;
2494 unsigned char buf[64];
2495 unsigned int len;
2496 SECStatus result = SSL_GetChannelBinding(nss_fd_,
2497 SSL_CHANNEL_BINDING_TLS_UNIQUE,
2498 buf, &len, arraysize(buf));
2499 if (result != SECSuccess) {
2500 LogFailedNSSFunction(net_log_, "SSL_GetChannelBinding", "");
2501 return MapNSSError(PORT_GetError());
2502 }
2503 out->assign(reinterpret_cast<char*>(buf), len);
2504 return OK;
2505 }
2506
2507 SSLClientSocket::NextProtoStatus SSLClientSocketNSS::GetNextProto(
2508 std::string* proto) const {
2509 *proto = core_->state().next_proto;
2510 return core_->state().next_proto_status;
2511 }
2512
2513 int SSLClientSocketNSS::Connect(const CompletionCallback& callback) {
2514 EnterFunction("");
2515 DCHECK(transport_.get());
2516 // It is an error to create an SSLClientSocket whose context has no
2517 // TransportSecurityState.
2518 DCHECK(transport_security_state_);
2519 DCHECK_EQ(STATE_NONE, next_handshake_state_);
2520 DCHECK(user_connect_callback_.is_null());
2521 DCHECK(!callback.is_null());
2522
2523 EnsureThreadIdAssigned();
2524
2525 net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT);
2526
2527 int rv = Init();
2528 if (rv != OK) {
2529 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
2530 return rv;
2531 }
2532
2533 rv = InitializeSSLOptions();
2534 if (rv != OK) {
2535 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
2536 return rv;
2537 }
2538
2539 rv = InitializeSSLPeerName();
2540 if (rv != OK) {
2541 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
2542 return rv;
2543 }
2544
2545 GotoState(STATE_HANDSHAKE);
2546
2547 rv = DoHandshakeLoop(OK);
2548 if (rv == ERR_IO_PENDING) {
2549 user_connect_callback_ = callback;
2550 } else {
2551 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
2552 }
2553
2554 LeaveFunction("");
2555 return rv > OK ? OK : rv;
2556 }
2557
2558 void SSLClientSocketNSS::Disconnect() {
2559 EnterFunction("");
2560
2561 CHECK(CalledOnValidThread());
2562
2563 // Shut down anything that may call us back.
2564 core_->Detach();
2565 cert_verifier_request_.reset();
2566 transport_->socket()->Disconnect();
2567
2568 // Reset object state.
2569 user_connect_callback_.Reset();
2570 server_cert_verify_result_.Reset();
2571 completed_handshake_ = false;
2572 start_cert_verification_time_ = base::TimeTicks();
2573 InitCore();
2574
2575 LeaveFunction("");
2576 }
2577
2578 bool SSLClientSocketNSS::IsConnected() const {
2579 EnterFunction("");
2580 bool ret = completed_handshake_ &&
2581 (core_->HasPendingAsyncOperation() ||
2582 (core_->IsConnected() && core_->HasUnhandledReceivedData()) ||
2583 transport_->socket()->IsConnected());
2584 LeaveFunction("");
2585 return ret;
2586 }
2587
2588 bool SSLClientSocketNSS::IsConnectedAndIdle() const {
2589 EnterFunction("");
2590 bool ret = completed_handshake_ &&
2591 !core_->HasPendingAsyncOperation() &&
2592 !(core_->IsConnected() && core_->HasUnhandledReceivedData()) &&
2593 transport_->socket()->IsConnectedAndIdle();
2594 LeaveFunction("");
2595 return ret;
2596 }
2597
2598 int SSLClientSocketNSS::GetPeerAddress(IPEndPoint* address) const {
2599 return transport_->socket()->GetPeerAddress(address);
2600 }
2601
2602 int SSLClientSocketNSS::GetLocalAddress(IPEndPoint* address) const {
2603 return transport_->socket()->GetLocalAddress(address);
2604 }
2605
2606 const BoundNetLog& SSLClientSocketNSS::NetLog() const {
2607 return net_log_;
2608 }
2609
2610 void SSLClientSocketNSS::SetSubresourceSpeculation() {
2611 if (transport_.get() && transport_->socket()) {
2612 transport_->socket()->SetSubresourceSpeculation();
2613 } else {
2614 NOTREACHED();
2615 }
2616 }
2617
2618 void SSLClientSocketNSS::SetOmniboxSpeculation() {
2619 if (transport_.get() && transport_->socket()) {
2620 transport_->socket()->SetOmniboxSpeculation();
2621 } else {
2622 NOTREACHED();
2623 }
2624 }
2625
2626 bool SSLClientSocketNSS::WasEverUsed() const {
2627 DCHECK(core_.get());
2628
2629 return core_->WasEverUsed();
2630 }
2631
2632 bool SSLClientSocketNSS::UsingTCPFastOpen() const {
2633 if (transport_.get() && transport_->socket()) {
2634 return transport_->socket()->UsingTCPFastOpen();
2635 }
2636 NOTREACHED();
2637 return false;
2638 }
2639
2640 int SSLClientSocketNSS::Read(IOBuffer* buf, int buf_len,
2641 const CompletionCallback& callback) {
2642 DCHECK(core_.get());
2643 DCHECK(!callback.is_null());
2644
2645 EnterFunction(buf_len);
2646 int rv = core_->Read(buf, buf_len, callback);
2647 LeaveFunction(rv);
2648
2649 return rv;
2650 }
2651
2652 int SSLClientSocketNSS::Write(IOBuffer* buf, int buf_len,
2653 const CompletionCallback& callback) {
2654 DCHECK(core_.get());
2655 DCHECK(!callback.is_null());
2656
2657 EnterFunction(buf_len);
2658 int rv = core_->Write(buf, buf_len, callback);
2659 LeaveFunction(rv);
2660
2661 return rv;
2662 }
2663
2664 int SSLClientSocketNSS::SetReceiveBufferSize(int32 size) {
2665 return transport_->socket()->SetReceiveBufferSize(size);
2666 }
2667
2668 int SSLClientSocketNSS::SetSendBufferSize(int32 size) {
2669 return transport_->socket()->SetSendBufferSize(size);
2670 }
2671
2672 int SSLClientSocketNSS::Init() {
2673 EnterFunction("");
2674 // Initialize the NSS SSL library in a threadsafe way. This also
2675 // initializes the NSS base library.
2676 EnsureNSSSSLInit();
2677 if (!NSS_IsInitialized())
2678 return ERR_UNEXPECTED;
2679 #if defined(USE_NSS_CERTS) || defined(OS_IOS)
2680 if (ssl_config_.cert_io_enabled) {
2681 // We must call EnsureNSSHttpIOInit() here, on the IO thread, to get the IO
2682 // loop by MessageLoopForIO::current().
2683 // X509Certificate::Verify() runs on a worker thread of CertVerifier.
2684 EnsureNSSHttpIOInit();
2685 }
2686 #endif
2687
2688 LeaveFunction("");
2689 return OK;
2690 }
2691
2692 void SSLClientSocketNSS::InitCore() {
2693 core_ = new Core(base::ThreadTaskRunnerHandle::Get().get(),
2694 nss_task_runner_.get(),
2695 transport_.get(),
2696 host_and_port_,
2697 ssl_config_,
2698 &net_log_,
2699 channel_id_service_);
2700 }
2701
2702 int SSLClientSocketNSS::InitializeSSLOptions() {
2703 // Transport connected, now hook it up to nss
2704 nss_fd_ = memio_CreateIOLayer(kRecvBufferSize, kSendBufferSize);
2705 if (nss_fd_ == NULL) {
2706 return ERR_OUT_OF_MEMORY; // TODO(port): map NSPR error code.
2707 }
2708
2709 // Grab pointer to buffers
2710 memio_Private* nss_bufs = memio_GetSecret(nss_fd_);
2711
2712 /* Create SSL state machine */
2713 /* Push SSL onto our fake I/O socket */
2714 if (SSL_ImportFD(GetNSSModelSocket(), nss_fd_) == NULL) {
2715 LogFailedNSSFunction(net_log_, "SSL_ImportFD", "");
2716 PR_Close(nss_fd_);
2717 nss_fd_ = NULL;
2718 return ERR_OUT_OF_MEMORY; // TODO(port): map NSPR/NSS error code.
2719 }
2720 // TODO(port): set more ssl options! Check errors!
2721
2722 int rv;
2723
2724 rv = SSL_OptionSet(nss_fd_, SSL_SECURITY, PR_TRUE);
2725 if (rv != SECSuccess) {
2726 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_SECURITY");
2727 return ERR_UNEXPECTED;
2728 }
2729
2730 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SSL2, PR_FALSE);
2731 if (rv != SECSuccess) {
2732 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL2");
2733 return ERR_UNEXPECTED;
2734 }
2735
2736 // Don't do V2 compatible hellos because they don't support TLS extensions.
2737 rv = SSL_OptionSet(nss_fd_, SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
2738 if (rv != SECSuccess) {
2739 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_V2_COMPATIBLE_HELLO");
2740 return ERR_UNEXPECTED;
2741 }
2742
2743 SSLVersionRange version_range;
2744 version_range.min = ssl_config_.version_min;
2745 version_range.max = ssl_config_.version_max;
2746 rv = SSL_VersionRangeSet(nss_fd_, &version_range);
2747 if (rv != SECSuccess) {
2748 LogFailedNSSFunction(net_log_, "SSL_VersionRangeSet", "");
2749 return ERR_NO_SSL_VERSIONS_ENABLED;
2750 }
2751
2752 if (ssl_config_.version_fallback) {
2753 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
2754 if (rv != SECSuccess) {
2755 LogFailedNSSFunction(
2756 net_log_, "SSL_OptionSet", "SSL_ENABLE_FALLBACK_SCSV");
2757 }
2758 }
2759
2760 for (std::vector<uint16>::const_iterator it =
2761 ssl_config_.disabled_cipher_suites.begin();
2762 it != ssl_config_.disabled_cipher_suites.end(); ++it) {
2763 // This will fail if the specified cipher is not implemented by NSS, but
2764 // the failure is harmless.
2765 SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE);
2766 }
2767
2768 if (!ssl_config_.enable_deprecated_cipher_suites) {
2769 const PRUint16* const ssl_ciphers = SSL_GetImplementedCiphers();
2770 const PRUint16 num_ciphers = SSL_GetNumImplementedCiphers();
2771 for (int i = 0; i < num_ciphers; i++) {
2772 SSLCipherSuiteInfo info;
2773 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, sizeof(info)) !=
2774 SECSuccess) {
2775 continue;
2776 }
2777 if (info.symCipher == ssl_calg_rc4)
2778 SSL_CipherPrefSet(nss_fd_, ssl_ciphers[i], PR_FALSE);
2779 }
2780 }
2781
2782 // Support RFC 5077
2783 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
2784 if (rv != SECSuccess) {
2785 LogFailedNSSFunction(
2786 net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
2787 }
2788
2789 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START,
2790 ssl_config_.false_start_enabled);
2791 if (rv != SECSuccess)
2792 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
2793
2794 // We allow servers to request renegotiation. Since we're a client,
2795 // prohibiting this is rather a waste of time. Only servers are in a
2796 // position to prevent renegotiation attacks.
2797 // http://extendedsubset.com/?p=8
2798
2799 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
2800 SSL_RENEGOTIATE_TRANSITIONAL);
2801 if (rv != SECSuccess) {
2802 LogFailedNSSFunction(
2803 net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
2804 }
2805
2806 rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
2807 if (rv != SECSuccess)
2808 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
2809
2810 // Added in NSS 3.15
2811 #ifdef SSL_ENABLE_OCSP_STAPLING
2812 // Request OCSP stapling even on platforms that don't support it, in
2813 // order to extract Certificate Transparency information.
2814 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING,
2815 cert_verifier_->SupportsOCSPStapling() ||
2816 ssl_config_.signed_cert_timestamps_enabled);
2817 if (rv != SECSuccess) {
2818 LogFailedNSSFunction(net_log_, "SSL_OptionSet",
2819 "SSL_ENABLE_OCSP_STAPLING");
2820 }
2821 #endif
2822
2823 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
2824 ssl_config_.signed_cert_timestamps_enabled);
2825 if (rv != SECSuccess) {
2826 LogFailedNSSFunction(net_log_, "SSL_OptionSet",
2827 "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS");
2828 }
2829
2830 rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
2831 if (rv != SECSuccess) {
2832 LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT");
2833 return ERR_UNEXPECTED;
2834 }
2835
2836 if (!core_->Init(nss_fd_, nss_bufs))
2837 return ERR_UNEXPECTED;
2838
2839 // Tell SSL the hostname we're trying to connect to.
2840 SSL_SetURL(nss_fd_, host_and_port_.host().c_str());
2841
2842 // Tell SSL we're a client; needed if not letting NSPR do socket I/O
2843 SSL_ResetHandshake(nss_fd_, PR_FALSE);
2844
2845 return OK;
2846 }
2847
2848 int SSLClientSocketNSS::InitializeSSLPeerName() {
2849 // Tell NSS who we're connected to
2850 IPEndPoint peer_address;
2851 int err = transport_->socket()->GetPeerAddress(&peer_address);
2852 if (err != OK)
2853 return err;
2854
2855 SockaddrStorage storage;
2856 if (!peer_address.ToSockAddr(storage.addr, &storage.addr_len))
2857 return ERR_ADDRESS_INVALID;
2858
2859 PRNetAddr peername;
2860 memset(&peername, 0, sizeof(peername));
2861 DCHECK_LE(static_cast<size_t>(storage.addr_len), sizeof(peername));
2862 size_t len = std::min(static_cast<size_t>(storage.addr_len),
2863 sizeof(peername));
2864 memcpy(&peername, storage.addr, len);
2865
2866 // Adjust the address family field for BSD, whose sockaddr
2867 // structure has a one-byte length and one-byte address family
2868 // field at the beginning. PRNetAddr has a two-byte address
2869 // family field at the beginning.
2870 peername.raw.family = storage.addr->sa_family;
2871
2872 memio_SetPeerName(nss_fd_, &peername);
2873
2874 // Set the peer ID for session reuse. This is necessary when we create an
2875 // SSL tunnel through a proxy -- GetPeerName returns the proxy's address
2876 // rather than the destination server's address in that case.
2877 std::string peer_id = host_and_port_.ToString();
2878 // Append |ssl_session_cache_shard_| to the peer id. This is used to partition
2879 // the session cache for incognito mode.
2880 peer_id += "/" + ssl_session_cache_shard_;
2881 peer_id += "/";
2882 // Shard the session cache based on maximum protocol version. This causes
2883 // fallback connections to use a separate session cache.
2884 switch (ssl_config_.version_max) {
2885 case SSL_PROTOCOL_VERSION_SSL3:
2886 peer_id += "ssl3";
2887 break;
2888 case SSL_PROTOCOL_VERSION_TLS1:
2889 peer_id += "tls1";
2890 break;
2891 case SSL_PROTOCOL_VERSION_TLS1_1:
2892 peer_id += "tls1.1";
2893 break;
2894 case SSL_PROTOCOL_VERSION_TLS1_2:
2895 peer_id += "tls1.2";
2896 break;
2897 default:
2898 NOTREACHED();
2899 }
2900 peer_id += "/";
2901 if (ssl_config_.enable_deprecated_cipher_suites)
2902 peer_id += "deprecated";
2903
2904 SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str()));
2905 if (rv != SECSuccess)
2906 LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str());
2907
2908 return OK;
2909 }
2910
2911 void SSLClientSocketNSS::DoConnectCallback(int rv) {
2912 EnterFunction(rv);
2913 DCHECK_NE(ERR_IO_PENDING, rv);
2914 DCHECK(!user_connect_callback_.is_null());
2915
2916 base::ResetAndReturn(&user_connect_callback_).Run(rv > OK ? OK : rv);
2917 LeaveFunction("");
2918 }
2919
2920 void SSLClientSocketNSS::OnHandshakeIOComplete(int result) {
2921 EnterFunction(result);
2922 int rv = DoHandshakeLoop(result);
2923 if (rv != ERR_IO_PENDING) {
2924 net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
2925 DoConnectCallback(rv);
2926 }
2927 LeaveFunction("");
2928 }
2929
2930 int SSLClientSocketNSS::DoHandshakeLoop(int last_io_result) {
2931 EnterFunction(last_io_result);
2932 int rv = last_io_result;
2933 do {
2934 // Default to STATE_NONE for next state.
2935 // (This is a quirk carried over from the windows
2936 // implementation. It makes reading the logs a bit harder.)
2937 // State handlers can and often do call GotoState just
2938 // to stay in the current state.
2939 State state = next_handshake_state_;
2940 GotoState(STATE_NONE);
2941 switch (state) {
2942 case STATE_HANDSHAKE:
2943 rv = DoHandshake();
2944 break;
2945 case STATE_HANDSHAKE_COMPLETE:
2946 rv = DoHandshakeComplete(rv);
2947 break;
2948 case STATE_VERIFY_CERT:
2949 DCHECK(rv == OK);
2950 rv = DoVerifyCert(rv);
2951 break;
2952 case STATE_VERIFY_CERT_COMPLETE:
2953 rv = DoVerifyCertComplete(rv);
2954 break;
2955 case STATE_NONE:
2956 default:
2957 rv = ERR_UNEXPECTED;
2958 LOG(DFATAL) << "unexpected state " << state;
2959 break;
2960 }
2961 } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE);
2962 LeaveFunction("");
2963 return rv;
2964 }
2965
2966 int SSLClientSocketNSS::DoHandshake() {
2967 EnterFunction("");
2968 int rv = core_->Connect(
2969 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
2970 base::Unretained(this)));
2971 GotoState(STATE_HANDSHAKE_COMPLETE);
2972
2973 LeaveFunction(rv);
2974 return rv;
2975 }
2976
2977 int SSLClientSocketNSS::DoHandshakeComplete(int result) {
2978 EnterFunction(result);
2979
2980 if (result == OK) {
2981 if (ssl_config_.version_fallback &&
2982 ssl_config_.version_max < ssl_config_.version_fallback_min) {
2983 return ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION;
2984 }
2985
2986 RecordNegotiationExtension();
2987
2988 // SSL handshake is completed. Let's verify the certificate.
2989 GotoState(STATE_VERIFY_CERT);
2990 // Done!
2991 }
2992 set_signed_cert_timestamps_received(
2993 !core_->state().sct_list_from_tls_extension.empty());
2994 set_stapled_ocsp_response_received(
2995 !core_->state().stapled_ocsp_response.empty());
2996 set_negotiation_extension(core_->state().negotiation_extension_);
2997
2998 LeaveFunction(result);
2999 return result;
3000 }
3001
3002 int SSLClientSocketNSS::DoVerifyCert(int result) {
3003 DCHECK(!core_->state().server_cert_chain.empty());
3004 DCHECK(core_->state().server_cert_chain[0]);
3005
3006 GotoState(STATE_VERIFY_CERT_COMPLETE);
3007
3008 // If the certificate is expected to be bad we can use the expectation as
3009 // the cert status.
3010 base::StringPiece der_cert(
3011 reinterpret_cast<char*>(
3012 core_->state().server_cert_chain[0]->derCert.data),
3013 core_->state().server_cert_chain[0]->derCert.len);
3014 CertStatus cert_status;
3015 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) {
3016 DCHECK(start_cert_verification_time_.is_null());
3017 VLOG(1) << "Received an expected bad cert with status: " << cert_status;
3018 server_cert_verify_result_.Reset();
3019 server_cert_verify_result_.cert_status = cert_status;
3020 server_cert_verify_result_.verified_cert = core_->state().server_cert;
3021 return OK;
3022 }
3023
3024 // We may have failed to create X509Certificate object if we are
3025 // running inside sandbox.
3026 if (!core_->state().server_cert.get()) {
3027 server_cert_verify_result_.Reset();
3028 server_cert_verify_result_.cert_status = CERT_STATUS_INVALID;
3029 return ERR_CERT_INVALID;
3030 }
3031
3032 start_cert_verification_time_ = base::TimeTicks::Now();
3033
3034 int flags = 0;
3035 if (ssl_config_.rev_checking_enabled)
3036 flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED;
3037 if (ssl_config_.verify_ev_cert)
3038 flags |= CertVerifier::VERIFY_EV_CERT;
3039 if (ssl_config_.cert_io_enabled)
3040 flags |= CertVerifier::VERIFY_CERT_IO_ENABLED;
3041 if (ssl_config_.rev_checking_required_local_anchors)
3042 flags |= CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
3043 return cert_verifier_->Verify(
3044 core_->state().server_cert.get(), host_and_port_.host(),
3045 core_->state().stapled_ocsp_response, flags,
3046 SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_,
3047 base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
3048 base::Unretained(this)),
3049 &cert_verifier_request_, net_log_);
3050 }
3051
3052 // Derived from AuthCertificateCallback() in
3053 // mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp.
3054 int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
3055 cert_verifier_request_.reset();
3056
3057 if (!start_cert_verification_time_.is_null()) {
3058 base::TimeDelta verify_time =
3059 base::TimeTicks::Now() - start_cert_verification_time_;
3060 if (result == OK)
3061 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time);
3062 else
3063 UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time);
3064 }
3065
3066 // We used to remember the intermediate CA certs in the NSS database
3067 // persistently. However, NSS opens a connection to the SQLite database
3068 // during NSS initialization and doesn't close the connection until NSS
3069 // shuts down. If the file system where the database resides is gone,
3070 // the database connection goes bad. What's worse, the connection won't
3071 // recover when the file system comes back. Until this NSS or SQLite bug
3072 // is fixed, we need to avoid using the NSS database for non-essential
3073 // purposes. See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
3074 // http://crbug.com/15630 for more info.
3075
3076 const CertStatus cert_status = server_cert_verify_result_.cert_status;
3077 if (transport_security_state_ &&
3078 (result == OK ||
3079 (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
3080 !transport_security_state_->CheckPublicKeyPins(
3081 host_and_port_.host(),
3082 server_cert_verify_result_.is_issued_by_known_root,
3083 server_cert_verify_result_.public_key_hashes,
3084 &pinning_failure_log_)) {
3085 result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
3086 }
3087
3088 if (result == OK) {
3089 // Only check Certificate Transparency if there were no other errors with
3090 // the connection.
3091 VerifyCT();
3092
3093 // Only cache the session if the certificate verified successfully.
3094 core_->CacheSessionIfNecessary();
3095 }
3096
3097 completed_handshake_ = true;
3098
3099 // Exit DoHandshakeLoop and return the result to the caller to Connect.
3100 DCHECK_EQ(STATE_NONE, next_handshake_state_);
3101 return result;
3102 }
3103
3104 void SSLClientSocketNSS::VerifyCT() {
3105 if (!cert_transparency_verifier_)
3106 return;
3107
3108 // Note that this is a completely synchronous operation: The CT Log Verifier
3109 // gets all the data it needs for SCT verification and does not do any
3110 // external communication.
3111 cert_transparency_verifier_->Verify(
3112 server_cert_verify_result_.verified_cert.get(),
3113 core_->state().stapled_ocsp_response,
3114 core_->state().sct_list_from_tls_extension, &ct_verify_result_, net_log_);
3115 // TODO(ekasper): wipe stapled_ocsp_response and sct_list_from_tls_extension
3116 // from the state after verification is complete, to conserve memory.
3117
3118 if (!policy_enforcer_) {
3119 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
3120 } else {
3121 if (server_cert_verify_result_.cert_status & CERT_STATUS_IS_EV) {
3122 scoped_refptr<ct::EVCertsWhitelist> ev_whitelist =
3123 SSLConfigService::GetEVCertsWhitelist();
3124 if (!policy_enforcer_->DoesConformToCTEVPolicy(
3125 server_cert_verify_result_.verified_cert.get(),
3126 ev_whitelist.get(), ct_verify_result_, net_log_)) {
3127 // TODO(eranm): Log via the BoundNetLog, see crbug.com/437766
3128 VLOG(1) << "EV certificate for "
3129 << server_cert_verify_result_.verified_cert->subject()
3130 .GetDisplayName()
3131 << " does not conform to CT policy, removing EV status.";
3132 server_cert_verify_result_.cert_status &= ~CERT_STATUS_IS_EV;
3133 }
3134 }
3135 }
3136 }
3137
3138 void SSLClientSocketNSS::EnsureThreadIdAssigned() const {
3139 base::AutoLock auto_lock(lock_);
3140 if (valid_thread_id_ != base::kInvalidThreadId)
3141 return;
3142 valid_thread_id_ = base::PlatformThread::CurrentId();
3143 }
3144
3145 bool SSLClientSocketNSS::CalledOnValidThread() const {
3146 EnsureThreadIdAssigned();
3147 base::AutoLock auto_lock(lock_);
3148 return valid_thread_id_ == base::PlatformThread::CurrentId();
3149 }
3150
3151 void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const {
3152 for (ct::SCTList::const_iterator iter =
3153 ct_verify_result_.verified_scts.begin();
3154 iter != ct_verify_result_.verified_scts.end(); ++iter) {
3155 ssl_info->signed_certificate_timestamps.push_back(
3156 SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_OK));
3157 }
3158 for (ct::SCTList::const_iterator iter =
3159 ct_verify_result_.invalid_scts.begin();
3160 iter != ct_verify_result_.invalid_scts.end(); ++iter) {
3161 ssl_info->signed_certificate_timestamps.push_back(
3162 SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_INVALID));
3163 }
3164 for (ct::SCTList::const_iterator iter =
3165 ct_verify_result_.unknown_logs_scts.begin();
3166 iter != ct_verify_result_.unknown_logs_scts.end(); ++iter) {
3167 ssl_info->signed_certificate_timestamps.push_back(
3168 SignedCertificateTimestampAndStatus(*iter,
3169 ct::SCT_STATUS_LOG_UNKNOWN));
3170 }
3171 }
3172
3173 scoped_refptr<X509Certificate>
3174 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
3175 return core_->state().server_cert.get();
3176 }
3177
3178 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
3179 return channel_id_service_;
3180 }
3181
3182 } // namespace net