1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/socket/nss_ssl_util.h"
15 #include "base/bind.h"
17 #include "base/lazy_instance.h"
18 #include "base/logging.h"
19 #include "base/memory/singleton.h"
20 #include "base/threading/thread_restrictions.h"
21 #include "base/values.h"
22 #include "build/build_config.h"
23 #include "crypto/nss_util.h"
24 #include "net/base/net_errors.h"
25 #include "net/base/net_log.h"
26 #include "net/base/nss_memio.h"
29 #include "base/win/windows_version.h"
34 // CiphersRemove takes a zero-terminated array of cipher suite ids in
35 // |to_remove| and sets every instance of them in |ciphers| to zero. It returns
36 // true if it found and removed every element of |to_remove|. It assumes that
37 // there are no duplicates in |ciphers| nor in |to_remove|.
38 bool CiphersRemove(const uint16* to_remove, uint16* ciphers, size_t num) {
42 if (to_remove[i] == 0)
45 for (size_t j = 0; j < num; j++) {
46 if (to_remove[i] == ciphers[j]) {
57 // CiphersCompact takes an array of cipher suite ids in |ciphers|, where some
58 // entries are zero, and moves the entries so that all the non-zero elements
59 // are compacted at the end of the array.
60 void CiphersCompact(uint16* ciphers, size_t num) {
63 for (size_t i = num - 1; i < num; i--) {
66 ciphers[j--] = ciphers[i];
70 // CiphersCopy copies the zero-terminated array |in| to |out|. It returns the
71 // number of cipher suite ids copied.
72 size_t CiphersCopy(const uint16* in, uint16* out) {
73 for (size_t i = 0; ; i++) {
80 } // anonymous namespace
84 class NSSSSLInitSingleton {
86 NSSSSLInitSingleton() : model_fd_(NULL) {
87 crypto::EnsureNSSInit();
89 NSS_SetDomesticPolicy();
91 const PRUint16* const ssl_ciphers = SSL_GetImplementedCiphers();
92 const PRUint16 num_ciphers = SSL_GetNumImplementedCiphers();
94 // Disable ECDSA cipher suites on platforms that do not support ECDSA
95 // signed certificates, as servers may use the presence of such
96 // ciphersuites as a hint to send an ECDSA certificate.
97 bool disableECDSA = false;
99 if (base::win::GetVersion() < base::win::VERSION_VISTA)
103 // Explicitly enable exactly those ciphers with keys of at least 80 bits
104 for (int i = 0; i < num_ciphers; i++) {
105 SSLCipherSuiteInfo info;
106 if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info,
107 sizeof(info)) == SECSuccess) {
108 bool enabled = info.effectiveKeyBits >= 80;
109 if (info.authAlgorithm == ssl_auth_ecdsa && disableECDSA)
112 // Trim the list of cipher suites in order to keep the size of the
113 // ClientHello down. DSS, ECDH, CAMELLIA, SEED, ECC+3DES, and
114 // HMAC-SHA256 cipher suites are disabled.
115 if (info.symCipher == ssl_calg_camellia ||
116 info.symCipher == ssl_calg_seed ||
117 (info.symCipher == ssl_calg_3des && info.keaType != ssl_kea_rsa) ||
118 info.authAlgorithm == ssl_auth_dsa ||
119 info.macAlgorithm == ssl_hmac_sha256 ||
121 strcmp(info.keaTypeName, "ECDH") == 0) {
125 if (ssl_ciphers[i] == TLS_DHE_DSS_WITH_AES_128_CBC_SHA) {
126 // Enabled to allow servers with only a DSA certificate to function.
129 SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled);
134 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
136 // Calculate the order of ciphers that we'll use for NSS sockets. (Note
137 // that, even if a cipher is specified in the ordering, it must still be
138 // enabled in order to be included in a ClientHello.)
140 // Our top preference cipher suites are either forward-secret AES-GCM or
141 // forward-secret ChaCha20-Poly1305. If the local machine has AES-NI then
142 // we prefer AES-GCM, otherwise ChaCha20. The remainder of the cipher suite
143 // preference is inherited from NSS.
144 static const uint16 chacha_ciphers[] = {
145 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
146 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
149 static const uint16 aes_gcm_ciphers[] = {
150 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
151 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
152 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
155 scoped_ptr<uint16[]> ciphers(new uint16[num_ciphers]);
156 memcpy(ciphers.get(), ssl_ciphers, sizeof(uint16)*num_ciphers);
158 if (CiphersRemove(chacha_ciphers, ciphers.get(), num_ciphers) &&
159 CiphersRemove(aes_gcm_ciphers, ciphers.get(), num_ciphers)) {
160 CiphersCompact(ciphers.get(), num_ciphers);
162 const uint16* preference_ciphers = chacha_ciphers;
163 const uint16* other_ciphers = aes_gcm_ciphers;
166 if (cpu.has_aesni() && cpu.has_avx()) {
167 preference_ciphers = aes_gcm_ciphers;
168 other_ciphers = chacha_ciphers;
170 unsigned i = CiphersCopy(preference_ciphers, ciphers.get());
171 CiphersCopy(other_ciphers, &ciphers[i]);
173 if ((model_fd_ = memio_CreateIOLayer(1, 1)) == NULL ||
174 SSL_ImportFD(NULL, model_fd_) == NULL ||
176 SSL_CipherOrderSet(model_fd_, ciphers.get(), num_ciphers)) {
185 // All other SSL options are set per-session by SSLClientSocket and
189 PRFileDesc* GetModelSocket() {
193 ~NSSSSLInitSingleton() {
194 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.
195 SSL_ClearSessionCache();
201 PRFileDesc* model_fd_;
204 static base::LazyInstance<NSSSSLInitSingleton>::Leaky g_nss_ssl_init_singleton =
205 LAZY_INSTANCE_INITIALIZER;
207 // Initialize the NSS SSL library if it isn't already initialized. This must
208 // be called before any other NSS SSL functions. This function is
209 // thread-safe, and the NSS SSL library will only ever be initialized once.
210 // The NSS SSL library will be properly shut down on program exit.
211 void EnsureNSSSSLInit() {
212 // Initializing SSL causes us to do blocking IO.
213 // Temporarily allow it until we fix
214 // http://code.google.com/p/chromium/issues/detail?id=59847
215 base::ThreadRestrictions::ScopedAllowIO allow_io;
217 g_nss_ssl_init_singleton.Get();
220 PRFileDesc* GetNSSModelSocket() {
221 return g_nss_ssl_init_singleton.Get().GetModelSocket();
224 // Map a Chromium net error code to an NSS error code.
225 // See _MD_unix_map_default_error in the NSS source
226 // tree for inspiration.
227 PRErrorCode MapErrorToNSS(int result) {
233 return PR_WOULD_BLOCK_ERROR;
234 case ERR_ACCESS_DENIED:
235 case ERR_NETWORK_ACCESS_DENIED:
236 // For connect, this could be mapped to PR_ADDRESS_NOT_SUPPORTED_ERROR.
237 return PR_NO_ACCESS_RIGHTS_ERROR;
238 case ERR_NOT_IMPLEMENTED:
239 return PR_NOT_IMPLEMENTED_ERROR;
240 case ERR_SOCKET_NOT_CONNECTED:
241 return PR_NOT_CONNECTED_ERROR;
242 case ERR_INTERNET_DISCONNECTED: // Equivalent to ENETDOWN.
243 return PR_NETWORK_UNREACHABLE_ERROR; // Best approximation.
244 case ERR_CONNECTION_TIMED_OUT:
246 return PR_IO_TIMEOUT_ERROR;
247 case ERR_CONNECTION_RESET:
248 return PR_CONNECT_RESET_ERROR;
249 case ERR_CONNECTION_ABORTED:
250 return PR_CONNECT_ABORTED_ERROR;
251 case ERR_CONNECTION_REFUSED:
252 return PR_CONNECT_REFUSED_ERROR;
253 case ERR_ADDRESS_UNREACHABLE:
254 return PR_HOST_UNREACHABLE_ERROR; // Also PR_NETWORK_UNREACHABLE_ERROR.
255 case ERR_ADDRESS_INVALID:
256 return PR_ADDRESS_NOT_AVAILABLE_ERROR;
257 case ERR_NAME_NOT_RESOLVED:
258 return PR_DIRECTORY_LOOKUP_ERROR;
260 LOG(WARNING) << "MapErrorToNSS " << result
261 << " mapped to PR_UNKNOWN_ERROR";
262 return PR_UNKNOWN_ERROR;
266 // The default error mapping function.
267 // Maps an NSS error code to a network error code.
268 int MapNSSError(PRErrorCode err) {
269 // TODO(port): fill this out as we learn what's important
271 case PR_WOULD_BLOCK_ERROR:
272 return ERR_IO_PENDING;
273 case PR_ADDRESS_NOT_SUPPORTED_ERROR: // For connect.
274 case PR_NO_ACCESS_RIGHTS_ERROR:
275 return ERR_ACCESS_DENIED;
276 case PR_IO_TIMEOUT_ERROR:
277 return ERR_TIMED_OUT;
278 case PR_CONNECT_RESET_ERROR:
279 return ERR_CONNECTION_RESET;
280 case PR_CONNECT_ABORTED_ERROR:
281 return ERR_CONNECTION_ABORTED;
282 case PR_CONNECT_REFUSED_ERROR:
283 return ERR_CONNECTION_REFUSED;
284 case PR_NOT_CONNECTED_ERROR:
285 return ERR_SOCKET_NOT_CONNECTED;
286 case PR_HOST_UNREACHABLE_ERROR:
287 case PR_NETWORK_UNREACHABLE_ERROR:
288 return ERR_ADDRESS_UNREACHABLE;
289 case PR_ADDRESS_NOT_AVAILABLE_ERROR:
290 return ERR_ADDRESS_INVALID;
291 case PR_INVALID_ARGUMENT_ERROR:
292 return ERR_INVALID_ARGUMENT;
293 case PR_END_OF_FILE_ERROR:
294 return ERR_CONNECTION_CLOSED;
295 case PR_NOT_IMPLEMENTED_ERROR:
296 return ERR_NOT_IMPLEMENTED;
298 case SEC_ERROR_LIBRARY_FAILURE:
299 return ERR_UNEXPECTED;
300 case SEC_ERROR_INVALID_ARGS:
301 return ERR_INVALID_ARGUMENT;
302 case SEC_ERROR_NO_MEMORY:
303 return ERR_OUT_OF_MEMORY;
304 case SEC_ERROR_NO_KEY:
305 return ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY;
306 case SEC_ERROR_INVALID_KEY:
307 case SSL_ERROR_SIGN_HASHES_FAILURE:
308 LOG(ERROR) << "ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: NSS error " << err
309 << ", OS error " << PR_GetOSError();
310 return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
311 // A handshake (initial or renegotiation) may fail because some signature
312 // (for example, the signature in the ServerKeyExchange message for an
313 // ephemeral Diffie-Hellman cipher suite) is invalid.
314 case SEC_ERROR_BAD_SIGNATURE:
315 return ERR_SSL_PROTOCOL_ERROR;
317 case SSL_ERROR_SSL_DISABLED:
318 return ERR_NO_SSL_VERSIONS_ENABLED;
319 case SSL_ERROR_NO_CYPHER_OVERLAP:
320 case SSL_ERROR_PROTOCOL_VERSION_ALERT:
321 case SSL_ERROR_UNSUPPORTED_VERSION:
322 return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
323 case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
324 case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
325 case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
326 return ERR_SSL_PROTOCOL_ERROR;
327 case SSL_ERROR_DECOMPRESSION_FAILURE_ALERT:
328 return ERR_SSL_DECOMPRESSION_FAILURE_ALERT;
329 case SSL_ERROR_BAD_MAC_ALERT:
330 return ERR_SSL_BAD_RECORD_MAC_ALERT;
331 case SSL_ERROR_DECRYPT_ERROR_ALERT:
332 return ERR_SSL_DECRYPT_ERROR_ALERT;
333 case SSL_ERROR_UNRECOGNIZED_NAME_ALERT:
334 return ERR_SSL_UNRECOGNIZED_NAME_ALERT;
335 case SSL_ERROR_UNSAFE_NEGOTIATION:
336 return ERR_SSL_UNSAFE_NEGOTIATION;
337 case SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY:
338 return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY;
339 case SSL_ERROR_HANDSHAKE_NOT_COMPLETED:
340 return ERR_SSL_HANDSHAKE_NOT_COMPLETED;
341 case SEC_ERROR_BAD_KEY:
342 case SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE:
343 // TODO(wtc): the following errors may also occur in contexts unrelated
344 // to the peer's public key. We should add new error codes for them, or
345 // map them to ERR_SSL_BAD_PEER_PUBLIC_KEY only in the right context.
346 // General unsupported/unknown key algorithm error.
347 case SEC_ERROR_UNSUPPORTED_KEYALG:
348 // General DER decoding errors.
349 case SEC_ERROR_BAD_DER:
350 case SEC_ERROR_EXTRA_INPUT:
351 return ERR_SSL_BAD_PEER_PUBLIC_KEY;
352 // During renegotiation, the server presented a different certificate than
354 case SSL_ERROR_WRONG_CERTIFICATE:
355 return ERR_SSL_SERVER_CERT_CHANGED;
356 case SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT:
357 return ERR_SSL_INAPPROPRIATE_FALLBACK;
360 if (IS_SSL_ERROR(err)) {
361 LOG(WARNING) << "Unknown SSL error " << err
362 << " mapped to net::ERR_SSL_PROTOCOL_ERROR";
363 return ERR_SSL_PROTOCOL_ERROR;
365 LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED";
371 // Returns parameters to attach to the NetLog when we receive an error in
372 // response to a call to an NSS function. Used instead of
373 // NetLogSSLErrorCallback with events of type TYPE_SSL_NSS_ERROR.
374 base::Value* NetLogSSLFailedNSSFunctionCallback(
375 const char* function,
378 NetLog::LogLevel /* log_level */) {
379 base::DictionaryValue* dict = new base::DictionaryValue();
380 dict->SetString("function", function);
381 if (param[0] != '\0')
382 dict->SetString("param", param);
383 dict->SetInteger("ssl_lib_error", ssl_lib_error);
387 void LogFailedNSSFunction(const BoundNetLog& net_log,
388 const char* function,
393 NetLog::TYPE_SSL_NSS_ERROR,
394 base::Bind(&NetLogSSLFailedNSSFunctionCallback,
395 function, param, PR_GetError()));