3 * Copyright 2004--2008, Google Inc.
4 * Copyright 2004--2011, RTFM, Inc.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
9 * 1. Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * 3. The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
20 * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
21 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
22 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
23 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
24 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
26 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 #endif // HAVE_CONFIG_H
37 #include "talk/base/nssstreamadapter.h"
45 #ifdef NSS_SSL_RELATIVE_PATH
50 #include "net/third_party/nss/ssl/ssl.h"
51 #include "net/third_party/nss/ssl/sslerr.h"
52 #include "net/third_party/nss/ssl/sslproto.h"
55 #include "talk/base/nssidentity.h"
56 #include "talk/base/safe_conversions.h"
57 #include "talk/base/thread.h"
61 PRDescIdentity NSSStreamAdapter::nspr_layer_identity = PR_INVALID_IO_LAYER;
63 #define UNIMPLEMENTED \
64 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0); \
66 << "Call to unimplemented function "<< __FUNCTION__; ASSERT(false)
68 #ifdef SRTP_AES128_CM_HMAC_SHA1_80
69 #define HAVE_DTLS_SRTP
73 // SRTP cipher suite table
74 struct SrtpCipherMapEntry {
75 const char* external_name;
79 // This isn't elegant, but it's better than an external reference
80 static const SrtpCipherMapEntry kSrtpCipherMap[] = {
81 {"AES_CM_128_HMAC_SHA1_80", SRTP_AES128_CM_HMAC_SHA1_80 },
82 {"AES_CM_128_HMAC_SHA1_32", SRTP_AES128_CM_HMAC_SHA1_32 },
88 // Implementation of NSPR methods
89 static PRStatus StreamClose(PRFileDesc *socket) {
90 ASSERT(!socket->lower);
95 static PRInt32 StreamRead(PRFileDesc *socket, void *buf, PRInt32 length) {
96 StreamInterface *stream = reinterpret_cast<StreamInterface *>(socket->secret);
99 StreamResult result = stream->Read(buf, length, &read, &error);
100 if (result == SR_SUCCESS) {
101 return checked_cast<PRInt32>(read);
104 if (result == SR_EOS) {
108 if (result == SR_BLOCK) {
109 PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
113 PR_SetError(PR_UNKNOWN_ERROR, error);
117 static PRInt32 StreamWrite(PRFileDesc *socket, const void *buf,
119 StreamInterface *stream = reinterpret_cast<StreamInterface *>(socket->secret);
122 StreamResult result = stream->Write(buf, length, &written, &error);
123 if (result == SR_SUCCESS) {
124 return checked_cast<PRInt32>(written);
127 if (result == SR_BLOCK) {
129 "NSSStreamAdapter: write to underlying transport would block";
130 PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
134 LOG(LS_ERROR) << "Write error";
135 PR_SetError(PR_UNKNOWN_ERROR, error);
139 static PRInt32 StreamAvailable(PRFileDesc *socket) {
144 PRInt64 StreamAvailable64(PRFileDesc *socket) {
149 static PRStatus StreamSync(PRFileDesc *socket) {
154 static PROffset32 StreamSeek(PRFileDesc *socket, PROffset32 offset,
160 static PROffset64 StreamSeek64(PRFileDesc *socket, PROffset64 offset,
166 static PRStatus StreamFileInfo(PRFileDesc *socket, PRFileInfo *info) {
171 static PRStatus StreamFileInfo64(PRFileDesc *socket, PRFileInfo64 *info) {
176 static PRInt32 StreamWritev(PRFileDesc *socket, const PRIOVec *iov,
177 PRInt32 iov_size, PRIntervalTime timeout) {
182 static PRStatus StreamConnect(PRFileDesc *socket, const PRNetAddr *addr,
183 PRIntervalTime timeout) {
188 static PRFileDesc *StreamAccept(PRFileDesc *sd, PRNetAddr *addr,
189 PRIntervalTime timeout) {
194 static PRStatus StreamBind(PRFileDesc *socket, const PRNetAddr *addr) {
199 static PRStatus StreamListen(PRFileDesc *socket, PRIntn depth) {
204 static PRStatus StreamShutdown(PRFileDesc *socket, PRIntn how) {
209 // Note: this is always nonblocking and ignores the timeout.
210 // TODO(ekr@rtfm.com): In future verify that the socket is
211 // actually in non-blocking mode.
212 // This function does not support peek.
213 static PRInt32 StreamRecv(PRFileDesc *socket, void *buf, PRInt32 amount,
214 PRIntn flags, PRIntervalTime to) {
218 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
222 return StreamRead(socket, buf, amount);
225 // Note: this is always nonblocking and assumes a zero timeout.
226 // This function does not support peek.
227 static PRInt32 StreamSend(PRFileDesc *socket, const void *buf,
228 PRInt32 amount, PRIntn flags,
232 return StreamWrite(socket, buf, amount);
235 static PRInt32 StreamRecvfrom(PRFileDesc *socket, void *buf,
236 PRInt32 amount, PRIntn flags,
237 PRNetAddr *addr, PRIntervalTime to) {
242 static PRInt32 StreamSendto(PRFileDesc *socket, const void *buf,
243 PRInt32 amount, PRIntn flags,
244 const PRNetAddr *addr, PRIntervalTime to) {
249 static PRInt16 StreamPoll(PRFileDesc *socket, PRInt16 in_flags,
250 PRInt16 *out_flags) {
255 static PRInt32 StreamAcceptRead(PRFileDesc *sd, PRFileDesc **nd,
257 void *buf, PRInt32 amount, PRIntervalTime t) {
262 static PRInt32 StreamTransmitFile(PRFileDesc *sd, PRFileDesc *socket,
263 const void *headers, PRInt32 hlen,
264 PRTransmitFileFlags flags, PRIntervalTime t) {
269 static PRStatus StreamGetPeerName(PRFileDesc *socket, PRNetAddr *addr) {
270 // TODO(ekr@rtfm.com): Modify to return unique names for each channel
271 // somehow, as opposed to always the same static address. The current
272 // implementation messes up the session cache, which is why it's off
274 addr->inet.family = PR_AF_INET;
281 static PRStatus StreamGetSockName(PRFileDesc *socket, PRNetAddr *addr) {
286 static PRStatus StreamGetSockOption(PRFileDesc *socket, PRSocketOptionData *opt) {
287 switch (opt->option) {
288 case PR_SockOpt_Nonblocking:
289 opt->value.non_blocking = PR_TRUE;
299 // Imitate setting socket options. These are mostly noops.
300 static PRStatus StreamSetSockOption(PRFileDesc *socket,
301 const PRSocketOptionData *opt) {
302 switch (opt->option) {
303 case PR_SockOpt_Nonblocking:
305 case PR_SockOpt_NoDelay:
315 static PRInt32 StreamSendfile(PRFileDesc *out, PRSendFileData *in,
316 PRTransmitFileFlags flags, PRIntervalTime to) {
321 static PRStatus StreamConnectContinue(PRFileDesc *socket, PRInt16 flags) {
326 static PRIntn StreamReserved(PRFileDesc *socket) {
331 static const struct PRIOMethods nss_methods = {
363 StreamConnectContinue,
370 NSSStreamAdapter::NSSStreamAdapter(StreamInterface *stream)
371 : SSLStreamAdapterHelper(stream),
376 bool NSSStreamAdapter::Init() {
377 if (nspr_layer_identity == PR_INVALID_IO_LAYER) {
378 nspr_layer_identity = PR_GetUniqueIdentity("nssstreamadapter");
380 PRFileDesc *pr_fd = PR_CreateIOLayerStub(nspr_layer_identity, &nss_methods);
383 pr_fd->secret = reinterpret_cast<PRFilePrivate *>(stream());
386 if (ssl_mode_ == SSL_MODE_DTLS) {
387 ssl_fd = DTLS_ImportFD(NULL, pr_fd);
389 ssl_fd = SSL_ImportFD(NULL, pr_fd);
391 ASSERT(ssl_fd != NULL); // This should never happen
399 rv = SSL_OptionSet(ssl_fd, SSL_SECURITY, PR_TRUE);
400 if (rv != SECSuccess) {
401 LOG(LS_ERROR) << "Error enabling security on SSL Socket";
406 rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_SSL2, PR_FALSE);
407 if (rv != SECSuccess) {
408 LOG(LS_ERROR) << "Error disabling SSL2";
413 // TODO(ekr@rtfm.com): restore this when I have the caching
415 rv = SSL_OptionSet(ssl_fd, SSL_NO_CACHE, PR_TRUE);
416 if (rv != SECSuccess) {
417 LOG(LS_ERROR) << "Error disabling cache";
421 // Disable session tickets.
422 rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_SESSION_TICKETS, PR_FALSE);
423 if (rv != SECSuccess) {
424 LOG(LS_ERROR) << "Error enabling tickets";
428 // Disable renegotiation.
429 rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_RENEGOTIATION,
430 SSL_RENEGOTIATE_NEVER);
431 if (rv != SECSuccess) {
432 LOG(LS_ERROR) << "Error disabling renegotiation";
436 // Disable false start.
437 rv = SSL_OptionSet(ssl_fd, SSL_ENABLE_FALSE_START, PR_FALSE);
438 if (rv != SECSuccess) {
439 LOG(LS_ERROR) << "Error disabling false start";
448 NSSStreamAdapter::~NSSStreamAdapter() {
454 int NSSStreamAdapter::BeginSSL() {
458 Error("Init", -1, false);
462 ASSERT(state_ == SSL_CONNECTING);
463 // The underlying stream has been opened. If we are in peer-to-peer mode
464 // then a peer certificate must have been specified by now.
465 ASSERT(!ssl_server_name_.empty() ||
466 peer_certificate_.get() != NULL ||
467 !peer_certificate_digest_algorithm_.empty());
468 LOG(LS_INFO) << "BeginSSL: "
469 << (!ssl_server_name_.empty() ? ssl_server_name_ :
472 if (role_ == SSL_CLIENT) {
473 LOG(LS_INFO) << "BeginSSL: as client";
475 rv = SSL_GetClientAuthDataHook(ssl_fd_, GetClientAuthDataHook,
477 if (rv != SECSuccess) {
478 Error("BeginSSL", -1, false);
482 LOG(LS_INFO) << "BeginSSL: as server";
483 NSSIdentity *identity;
485 if (identity_.get()) {
486 identity = static_cast<NSSIdentity *>(identity_.get());
488 LOG(LS_ERROR) << "Can't be an SSL server without an identity";
489 Error("BeginSSL", -1, false);
492 rv = SSL_ConfigSecureServer(ssl_fd_, identity->certificate().certificate(),
493 identity->keypair()->privkey(),
495 if (rv != SECSuccess) {
496 Error("BeginSSL", -1, false);
500 // Insist on a certificate from the client
501 rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE);
502 if (rv != SECSuccess) {
503 Error("BeginSSL", -1, false);
507 rv = SSL_OptionSet(ssl_fd_, SSL_REQUIRE_CERTIFICATE, PR_TRUE);
508 if (rv != SECSuccess) {
509 Error("BeginSSL", -1, false);
514 // Set the version range.
515 SSLVersionRange vrange;
516 vrange.min = (ssl_mode_ == SSL_MODE_DTLS) ?
517 SSL_LIBRARY_VERSION_TLS_1_1 :
518 SSL_LIBRARY_VERSION_TLS_1_0;
519 vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
521 rv = SSL_VersionRangeSet(ssl_fd_, &vrange);
522 if (rv != SECSuccess) {
523 Error("BeginSSL", -1, false);
528 #ifdef HAVE_DTLS_SRTP
529 if (!srtp_ciphers_.empty()) {
530 rv = SSL_SetSRTPCiphers(
531 ssl_fd_, &srtp_ciphers_[0],
532 checked_cast<unsigned int>(srtp_ciphers_.size()));
533 if (rv != SECSuccess) {
534 Error("BeginSSL", -1, false);
540 // Certificate validation
541 rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this);
542 if (rv != SECSuccess) {
543 Error("BeginSSL", -1, false);
547 // Now start the handshake
548 rv = SSL_ResetHandshake(ssl_fd_, role_ == SSL_SERVER ? PR_TRUE : PR_FALSE);
549 if (rv != SECSuccess) {
550 Error("BeginSSL", -1, false);
554 return ContinueSSL();
557 int NSSStreamAdapter::ContinueSSL() {
558 LOG(LS_INFO) << "ContinueSSL";
559 ASSERT(state_ == SSL_CONNECTING);
561 // Clear the DTLS timer
562 Thread::Current()->Clear(this, MSG_DTLS_TIMEOUT);
564 SECStatus rv = SSL_ForceHandshake(ssl_fd_);
566 if (rv == SECSuccess) {
567 LOG(LS_INFO) << "Handshake complete";
571 Error("ContinueSSL", -1, true);
575 state_ = SSL_CONNECTED;
576 StreamAdapterInterface::OnEvent(stream(), SE_OPEN|SE_READ|SE_WRITE, 0);
580 PRInt32 err = PR_GetError();
582 case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
583 if (ssl_mode_ != SSL_MODE_DTLS) {
584 Error("ContinueSSL", -1, true);
587 LOG(LS_INFO) << "Malformed DTLS message. Ignoring.";
590 case PR_WOULD_BLOCK_ERROR:
591 LOG(LS_INFO) << "Would have blocked";
592 if (ssl_mode_ == SSL_MODE_DTLS) {
593 PRIntervalTime timeout;
595 SECStatus rv = DTLS_GetHandshakeTimeout(ssl_fd_, &timeout);
596 if (rv == SECSuccess) {
597 LOG(LS_INFO) << "Timeout is " << timeout << " ms";
598 Thread::Current()->PostDelayed(PR_IntervalToMilliseconds(timeout),
599 this, MSG_DTLS_TIMEOUT, 0);
605 LOG(LS_INFO) << "Error " << err;
609 Error("ContinueSSL", -1, true);
613 void NSSStreamAdapter::Cleanup() {
614 if (state_ != SSL_ERROR) {
624 peer_certificate_.reset();
626 Thread::Current()->Clear(this, MSG_DTLS_TIMEOUT);
629 StreamResult NSSStreamAdapter::Read(void* data, size_t data_len,
630 size_t* read, int* error) {
631 // SSL_CONNECTED sanity check.
647 *error = ssl_error_code_;
651 PRInt32 rv = PR_Read(ssl_fd_, data, checked_cast<PRInt32>(data_len));
659 PRInt32 err = PR_GetError();
662 case PR_WOULD_BLOCK_ERROR:
665 Error("Read", -1, false);
666 *error = err; // libjingle semantics are that this is impl-specific
677 StreamResult NSSStreamAdapter::Write(const void* data, size_t data_len,
678 size_t* written, int* error) {
679 // SSL_CONNECTED sanity check.
693 *error = ssl_error_code_;
697 PRInt32 rv = PR_Write(ssl_fd_, data, checked_cast<PRInt32>(data_len));
701 PRInt32 err = PR_GetError();
704 case PR_WOULD_BLOCK_ERROR:
707 Error("Write", -1, false);
708 *error = err; // libjingle semantics are that this is impl-specific
719 void NSSStreamAdapter::OnEvent(StreamInterface* stream, int events,
721 int events_to_signal = 0;
722 int signal_error = 0;
723 ASSERT(stream == this->stream());
724 if ((events & SE_OPEN)) {
725 LOG(LS_INFO) << "NSSStreamAdapter::OnEvent SE_OPEN";
726 if (state_ != SSL_WAIT) {
727 ASSERT(state_ == SSL_NONE);
728 events_to_signal |= SE_OPEN;
730 state_ = SSL_CONNECTING;
731 if (int err = BeginSSL()) {
732 Error("BeginSSL", err, true);
737 if ((events & (SE_READ|SE_WRITE))) {
738 LOG(LS_INFO) << "NSSStreamAdapter::OnEvent"
739 << ((events & SE_READ) ? " SE_READ" : "")
740 << ((events & SE_WRITE) ? " SE_WRITE" : "");
741 if (state_ == SSL_NONE) {
742 events_to_signal |= events & (SE_READ|SE_WRITE);
743 } else if (state_ == SSL_CONNECTING) {
744 if (int err = ContinueSSL()) {
745 Error("ContinueSSL", err, true);
748 } else if (state_ == SSL_CONNECTED) {
749 if (events & SE_WRITE) {
750 LOG(LS_INFO) << " -- onStreamWriteable";
751 events_to_signal |= SE_WRITE;
753 if (events & SE_READ) {
754 LOG(LS_INFO) << " -- onStreamReadable";
755 events_to_signal |= SE_READ;
759 if ((events & SE_CLOSE)) {
760 LOG(LS_INFO) << "NSSStreamAdapter::OnEvent(SE_CLOSE, " << err << ")";
762 events_to_signal |= SE_CLOSE;
763 // SE_CLOSE is the only event that uses the final parameter to OnEvent().
764 ASSERT(signal_error == 0);
767 if (events_to_signal)
768 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error);
771 void NSSStreamAdapter::OnMessage(Message* msg) {
772 // Process our own messages and then pass others to the superclass
773 if (MSG_DTLS_TIMEOUT == msg->message_id) {
774 LOG(LS_INFO) << "DTLS timeout expired";
777 StreamInterface::OnMessage(msg);
781 // Certificate verification callback. Called to check any certificate
782 SECStatus NSSStreamAdapter::AuthCertificateHook(void *arg,
786 LOG(LS_INFO) << "NSSStreamAdapter::AuthCertificateHook";
787 // SSL_PeerCertificate returns a pointer that is owned by the caller, and
788 // the NSSCertificate constructor copies its argument, so |raw_peer_cert|
789 // must be destroyed in this function.
790 CERTCertificate* raw_peer_cert = SSL_PeerCertificate(fd);
791 NSSCertificate peer_cert(raw_peer_cert);
792 CERT_DestroyCertificate(raw_peer_cert);
794 NSSStreamAdapter *stream = reinterpret_cast<NSSStreamAdapter *>(arg);
795 stream->cert_ok_ = false;
797 // Read the peer's certificate chain.
798 CERTCertList* cert_list = SSL_PeerCertificateChain(fd);
799 ASSERT(cert_list != NULL);
801 // If the peer provided multiple certificates, check that they form a valid
802 // chain as defined by RFC 5246 Section 7.4.2: "Each following certificate
803 // MUST directly certify the one preceding it.". This check does NOT
804 // verify other requirements, such as whether the chain reaches a trusted
805 // root, self-signed certificates have valid signatures, certificates are not
807 // Even if the chain is valid, the leaf certificate must still match a
808 // provided certificate or digest.
809 if (!NSSCertificate::IsValidChain(cert_list)) {
810 CERT_DestroyCertList(cert_list);
811 PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
815 if (stream->peer_certificate_.get()) {
816 LOG(LS_INFO) << "Checking against specified certificate";
818 // The peer certificate was specified
819 if (reinterpret_cast<NSSCertificate *>(stream->peer_certificate_.get())->
820 Equals(&peer_cert)) {
821 LOG(LS_INFO) << "Accepted peer certificate";
822 stream->cert_ok_ = true;
824 } else if (!stream->peer_certificate_digest_algorithm_.empty()) {
825 LOG(LS_INFO) << "Checking against specified digest";
826 // The peer certificate digest was specified
827 unsigned char digest[64]; // Maximum size
828 size_t digest_length;
830 if (!peer_cert.ComputeDigest(
831 stream->peer_certificate_digest_algorithm_,
832 digest, sizeof(digest), &digest_length)) {
833 LOG(LS_ERROR) << "Digest computation failed";
835 Buffer computed_digest(digest, digest_length);
836 if (computed_digest == stream->peer_certificate_digest_value_) {
837 LOG(LS_INFO) << "Accepted peer certificate";
838 stream->cert_ok_ = true;
842 // Other modes, but we haven't implemented yet
843 // TODO(ekr@rtfm.com): Implement real certificate validation
847 if (!stream->cert_ok_ && stream->ignore_bad_cert()) {
848 LOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
849 stream->cert_ok_ = true;
852 if (stream->cert_ok_)
853 stream->peer_certificate_.reset(new NSSCertificate(cert_list));
855 CERT_DestroyCertList(cert_list);
857 if (stream->cert_ok_)
860 PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
865 SECStatus NSSStreamAdapter::GetClientAuthDataHook(void *arg, PRFileDesc *fd,
866 CERTDistNames *caNames,
867 CERTCertificate **pRetCert,
868 SECKEYPrivateKey **pRetKey) {
869 LOG(LS_INFO) << "Client cert requested";
870 NSSStreamAdapter *stream = reinterpret_cast<NSSStreamAdapter *>(arg);
872 if (!stream->identity_.get()) {
873 LOG(LS_ERROR) << "No identity available";
877 NSSIdentity *identity = static_cast<NSSIdentity *>(stream->identity_.get());
878 // Destroyed internally by NSS
879 *pRetCert = CERT_DupCertificate(identity->certificate().certificate());
880 *pRetKey = SECKEY_CopyPrivateKey(identity->keypair()->privkey());
885 // RFC 5705 Key Exporter
886 bool NSSStreamAdapter::ExportKeyingMaterial(const std::string& label,
887 const uint8* context,
892 SECStatus rv = SSL_ExportKeyingMaterial(
895 checked_cast<unsigned int>(label.size()),
898 checked_cast<unsigned int>(context_len),
900 checked_cast<unsigned int>(result_len));
902 return rv == SECSuccess;
905 bool NSSStreamAdapter::SetDtlsSrtpCiphers(
906 const std::vector<std::string>& ciphers) {
907 #ifdef HAVE_DTLS_SRTP
908 std::vector<PRUint16> internal_ciphers;
909 if (state_ != SSL_NONE)
912 for (std::vector<std::string>::const_iterator cipher = ciphers.begin();
913 cipher != ciphers.end(); ++cipher) {
915 for (const SrtpCipherMapEntry *entry = kSrtpCipherMap; entry->cipher_id;
917 if (*cipher == entry->external_name) {
919 internal_ciphers.push_back(entry->cipher_id);
925 LOG(LS_ERROR) << "Could not find cipher: " << *cipher;
930 if (internal_ciphers.empty())
933 srtp_ciphers_ = internal_ciphers;
941 bool NSSStreamAdapter::GetDtlsSrtpCipher(std::string* cipher) {
942 #ifdef HAVE_DTLS_SRTP
943 ASSERT(state_ == SSL_CONNECTED);
944 if (state_ != SSL_CONNECTED)
947 PRUint16 selected_cipher;
949 SECStatus rv = SSL_GetSRTPCipher(ssl_fd_, &selected_cipher);
950 if (rv == SECFailure)
953 for (const SrtpCipherMapEntry *entry = kSrtpCipherMap;
954 entry->cipher_id; ++entry) {
955 if (selected_cipher == entry->cipher_id) {
956 *cipher = entry->external_name;
961 ASSERT(false); // This should never happen
967 bool NSSContext::initialized;
968 NSSContext *NSSContext::global_nss_context;
970 // Static initialization and shutdown
971 NSSContext *NSSContext::Instance() {
972 if (!global_nss_context) {
973 NSSContext *new_ctx = new NSSContext();
975 if (!(new_ctx->slot_ = PK11_GetInternalSlot())) {
980 global_nss_context = new_ctx;
984 return global_nss_context;
989 bool NSSContext::InitializeSSL(VerificationCallback callback) {
995 rv = NSS_NoDB_Init(NULL);
996 if (rv != SECSuccess) {
997 LOG(LS_ERROR) << "Couldn't initialize NSS error=" <<
1002 NSS_SetDomesticPolicy();
1010 bool NSSContext::InitializeSSLThread() {
1015 bool NSSContext::CleanupSSL() {
1020 bool NSSStreamAdapter::HaveDtls() {
1024 bool NSSStreamAdapter::HaveDtlsSrtp() {
1025 #ifdef HAVE_DTLS_SRTP
1032 bool NSSStreamAdapter::HaveExporter() {
1036 } // namespace talk_base
1038 #endif // HAVE_NSS_SSL_H