mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-07 04:05:49 +00:00
ae04912e48
--HG-- rename : security/manager/ssl/src/CryptoTask.cpp => security/manager/ssl/CryptoTask.cpp rename : security/manager/ssl/src/CryptoTask.h => security/manager/ssl/CryptoTask.h rename : security/manager/ssl/src/CryptoUtil.h => security/manager/ssl/CryptoUtil.h rename : security/manager/ssl/src/IntolerantFallbackList.inc => security/manager/ssl/IntolerantFallbackList.inc rename : security/manager/ssl/src/NSSErrorsService.cpp => security/manager/ssl/NSSErrorsService.cpp rename : security/manager/ssl/src/NSSErrorsService.h => security/manager/ssl/NSSErrorsService.h rename : security/manager/ssl/src/PPSMContentDownloader.ipdl => security/manager/ssl/PPSMContentDownloader.ipdl rename : security/manager/ssl/src/PSMContentListener.cpp => security/manager/ssl/PSMContentListener.cpp rename : security/manager/ssl/src/PSMContentListener.h => security/manager/ssl/PSMContentListener.h rename : security/manager/ssl/src/PSMRunnable.cpp => security/manager/ssl/PSMRunnable.cpp rename : security/manager/ssl/src/PSMRunnable.h => security/manager/ssl/PSMRunnable.h rename : security/manager/ssl/src/PublicSSL.h => security/manager/ssl/PublicSSL.h rename : security/manager/ssl/src/SSLServerCertVerification.cpp => security/manager/ssl/SSLServerCertVerification.cpp rename : security/manager/ssl/src/SSLServerCertVerification.h => security/manager/ssl/SSLServerCertVerification.h rename : security/manager/ssl/src/ScopedNSSTypes.h => security/manager/ssl/ScopedNSSTypes.h rename : security/manager/ssl/src/SharedCertVerifier.h => security/manager/ssl/SharedCertVerifier.h rename : security/manager/ssl/src/SharedSSLState.cpp => security/manager/ssl/SharedSSLState.cpp rename : security/manager/ssl/src/SharedSSLState.h => security/manager/ssl/SharedSSLState.h rename : security/manager/ssl/src/TransportSecurityInfo.cpp => security/manager/ssl/TransportSecurityInfo.cpp rename : security/manager/ssl/src/TransportSecurityInfo.h => security/manager/ssl/TransportSecurityInfo.h rename : security/manager/ssl/src/md4.c => security/manager/ssl/md4.c rename : security/manager/ssl/src/md4.h => security/manager/ssl/md4.h rename : security/manager/ssl/src/nsCertOverrideService.cpp => security/manager/ssl/nsCertOverrideService.cpp rename : security/manager/ssl/src/nsCertOverrideService.h => security/manager/ssl/nsCertOverrideService.h rename : security/manager/ssl/src/nsCertPicker.cpp => security/manager/ssl/nsCertPicker.cpp rename : security/manager/ssl/src/nsCertPicker.h => security/manager/ssl/nsCertPicker.h rename : security/manager/ssl/src/nsCertTree.cpp => security/manager/ssl/nsCertTree.cpp rename : security/manager/ssl/src/nsCertTree.h => security/manager/ssl/nsCertTree.h rename : security/manager/ssl/src/nsCertVerificationThread.cpp => security/manager/ssl/nsCertVerificationThread.cpp rename : security/manager/ssl/src/nsCertVerificationThread.h => security/manager/ssl/nsCertVerificationThread.h rename : security/manager/ssl/src/nsClientAuthRemember.cpp => security/manager/ssl/nsClientAuthRemember.cpp rename : security/manager/ssl/src/nsClientAuthRemember.h => security/manager/ssl/nsClientAuthRemember.h rename : security/manager/ssl/src/nsCrypto.cpp => security/manager/ssl/nsCrypto.cpp rename : security/manager/ssl/src/nsCrypto.h => security/manager/ssl/nsCrypto.h rename : security/manager/ssl/src/nsCryptoHash.cpp => security/manager/ssl/nsCryptoHash.cpp rename : security/manager/ssl/src/nsCryptoHash.h => security/manager/ssl/nsCryptoHash.h rename : security/manager/ssl/src/nsDataSignatureVerifier.cpp => security/manager/ssl/nsDataSignatureVerifier.cpp rename : security/manager/ssl/src/nsDataSignatureVerifier.h => security/manager/ssl/nsDataSignatureVerifier.h rename : security/manager/ssl/src/nsKeyModule.cpp => security/manager/ssl/nsKeyModule.cpp rename : security/manager/ssl/src/nsKeyModule.h => security/manager/ssl/nsKeyModule.h rename : security/manager/ssl/src/nsKeygenHandler.cpp => security/manager/ssl/nsKeygenHandler.cpp rename : security/manager/ssl/src/nsKeygenHandler.h => security/manager/ssl/nsKeygenHandler.h rename : security/manager/ssl/src/nsKeygenHandlerContent.cpp => security/manager/ssl/nsKeygenHandlerContent.cpp rename : security/manager/ssl/src/nsKeygenHandlerContent.h => security/manager/ssl/nsKeygenHandlerContent.h rename : security/manager/ssl/src/nsKeygenThread.cpp => security/manager/ssl/nsKeygenThread.cpp rename : security/manager/ssl/src/nsKeygenThread.h => security/manager/ssl/nsKeygenThread.h rename : security/manager/ssl/src/nsNSSASN1Object.cpp => security/manager/ssl/nsNSSASN1Object.cpp rename : security/manager/ssl/src/nsNSSASN1Object.h => security/manager/ssl/nsNSSASN1Object.h rename : security/manager/ssl/src/nsNSSCallbacks.cpp => security/manager/ssl/nsNSSCallbacks.cpp rename : security/manager/ssl/src/nsNSSCallbacks.h => security/manager/ssl/nsNSSCallbacks.h rename : security/manager/ssl/src/nsNSSCertHelper.cpp => security/manager/ssl/nsNSSCertHelper.cpp rename : security/manager/ssl/src/nsNSSCertHelper.h => security/manager/ssl/nsNSSCertHelper.h rename : security/manager/ssl/src/nsNSSCertTrust.cpp => security/manager/ssl/nsNSSCertTrust.cpp rename : security/manager/ssl/src/nsNSSCertTrust.h => security/manager/ssl/nsNSSCertTrust.h rename : security/manager/ssl/src/nsNSSCertValidity.cpp => security/manager/ssl/nsNSSCertValidity.cpp rename : security/manager/ssl/src/nsNSSCertValidity.h => security/manager/ssl/nsNSSCertValidity.h rename : security/manager/ssl/src/nsNSSCertificate.cpp => security/manager/ssl/nsNSSCertificate.cpp rename : security/manager/ssl/src/nsNSSCertificate.h => security/manager/ssl/nsNSSCertificate.h rename : security/manager/ssl/src/nsNSSCertificateDB.cpp => security/manager/ssl/nsNSSCertificateDB.cpp rename : security/manager/ssl/src/nsNSSCertificateDB.h => security/manager/ssl/nsNSSCertificateDB.h rename : security/manager/ssl/src/nsNSSCertificateFakeTransport.cpp => security/manager/ssl/nsNSSCertificateFakeTransport.cpp rename : security/manager/ssl/src/nsNSSCertificateFakeTransport.h => security/manager/ssl/nsNSSCertificateFakeTransport.h rename : security/manager/ssl/src/nsNSSComponent.cpp => security/manager/ssl/nsNSSComponent.cpp rename : security/manager/ssl/src/nsNSSComponent.h => security/manager/ssl/nsNSSComponent.h rename : security/manager/ssl/src/nsNSSErrors.cpp => security/manager/ssl/nsNSSErrors.cpp rename : security/manager/ssl/src/nsNSSHelper.h => security/manager/ssl/nsNSSHelper.h rename : security/manager/ssl/src/nsNSSIOLayer.cpp => security/manager/ssl/nsNSSIOLayer.cpp rename : security/manager/ssl/src/nsNSSIOLayer.h => security/manager/ssl/nsNSSIOLayer.h rename : security/manager/ssl/src/nsNSSModule.cpp => security/manager/ssl/nsNSSModule.cpp rename : security/manager/ssl/src/nsNSSShutDown.cpp => security/manager/ssl/nsNSSShutDown.cpp rename : security/manager/ssl/src/nsNSSShutDown.h => security/manager/ssl/nsNSSShutDown.h rename : security/manager/ssl/src/nsNSSVersion.cpp => security/manager/ssl/nsNSSVersion.cpp rename : security/manager/ssl/src/nsNSSVersion.h => security/manager/ssl/nsNSSVersion.h rename : security/manager/ssl/src/nsNTLMAuthModule.cpp => security/manager/ssl/nsNTLMAuthModule.cpp rename : security/manager/ssl/src/nsNTLMAuthModule.h => security/manager/ssl/nsNTLMAuthModule.h rename : security/manager/ssl/src/nsPK11TokenDB.cpp => security/manager/ssl/nsPK11TokenDB.cpp rename : security/manager/ssl/src/nsPK11TokenDB.h => security/manager/ssl/nsPK11TokenDB.h rename : security/manager/ssl/src/nsPKCS11Slot.cpp => security/manager/ssl/nsPKCS11Slot.cpp rename : security/manager/ssl/src/nsPKCS11Slot.h => security/manager/ssl/nsPKCS11Slot.h rename : security/manager/ssl/src/nsPKCS12Blob.cpp => security/manager/ssl/nsPKCS12Blob.cpp rename : security/manager/ssl/src/nsPKCS12Blob.h => security/manager/ssl/nsPKCS12Blob.h rename : security/manager/ssl/src/nsPSMBackgroundThread.cpp => security/manager/ssl/nsPSMBackgroundThread.cpp rename : security/manager/ssl/src/nsPSMBackgroundThread.h => security/manager/ssl/nsPSMBackgroundThread.h rename : security/manager/ssl/src/nsProtectedAuthThread.cpp => security/manager/ssl/nsProtectedAuthThread.cpp rename : security/manager/ssl/src/nsProtectedAuthThread.h => security/manager/ssl/nsProtectedAuthThread.h rename : security/manager/ssl/src/nsRandomGenerator.cpp => security/manager/ssl/nsRandomGenerator.cpp rename : security/manager/ssl/src/nsRandomGenerator.h => security/manager/ssl/nsRandomGenerator.h rename : security/manager/ssl/src/nsSDR.cpp => security/manager/ssl/nsSDR.cpp rename : security/manager/ssl/src/nsSDR.h => security/manager/ssl/nsSDR.h rename : security/manager/ssl/src/nsSSLSocketProvider.cpp => security/manager/ssl/nsSSLSocketProvider.cpp rename : security/manager/ssl/src/nsSSLSocketProvider.h => security/manager/ssl/nsSSLSocketProvider.h rename : security/manager/ssl/src/nsSSLStatus.cpp => security/manager/ssl/nsSSLStatus.cpp rename : security/manager/ssl/src/nsSSLStatus.h => security/manager/ssl/nsSSLStatus.h rename : security/manager/ssl/src/nsSmartCardMonitor.cpp => security/manager/ssl/nsSmartCardMonitor.cpp rename : security/manager/ssl/src/nsSmartCardMonitor.h => security/manager/ssl/nsSmartCardMonitor.h rename : security/manager/ssl/src/nsTLSSocketProvider.cpp => security/manager/ssl/nsTLSSocketProvider.cpp rename : security/manager/ssl/src/nsTLSSocketProvider.h => security/manager/ssl/nsTLSSocketProvider.h rename : security/manager/ssl/src/nsUsageArrayHelper.cpp => security/manager/ssl/nsUsageArrayHelper.cpp rename : security/manager/ssl/src/nsUsageArrayHelper.h => security/manager/ssl/nsUsageArrayHelper.h rename : security/manager/ssl/src/nsVerificationJob.h => security/manager/ssl/nsVerificationJob.h
270 lines
8.5 KiB
C++
270 lines
8.5 KiB
C++
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#ifndef _NSNSSIOLAYER_H
|
|
#define _NSNSSIOLAYER_H
|
|
|
|
#include "TransportSecurityInfo.h"
|
|
#include "nsISSLSocketControl.h"
|
|
#include "nsIClientAuthDialogs.h"
|
|
#include "nsNSSCertificate.h"
|
|
#include "nsDataHashtable.h"
|
|
#include "nsTHashtable.h"
|
|
#include "mozilla/TimeStamp.h"
|
|
#include "sslt.h"
|
|
|
|
namespace mozilla {
|
|
namespace psm {
|
|
class SharedSSLState;
|
|
}
|
|
}
|
|
|
|
class nsIObserver;
|
|
|
|
class nsNSSSocketInfo final : public mozilla::psm::TransportSecurityInfo,
|
|
public nsISSLSocketControl,
|
|
public nsIClientAuthUserDecision
|
|
{
|
|
public:
|
|
nsNSSSocketInfo(mozilla::psm::SharedSSLState& aState, uint32_t providerFlags);
|
|
|
|
NS_DECL_ISUPPORTS_INHERITED
|
|
NS_DECL_NSISSLSOCKETCONTROL
|
|
NS_DECL_NSICLIENTAUTHUSERDECISION
|
|
|
|
void SetForSTARTTLS(bool aForSTARTTLS);
|
|
bool GetForSTARTTLS();
|
|
|
|
nsresult GetFileDescPtr(PRFileDesc** aFilePtr);
|
|
nsresult SetFileDescPtr(PRFileDesc* aFilePtr);
|
|
|
|
bool IsHandshakePending() const { return mHandshakePending; }
|
|
void SetHandshakeNotPending() { mHandshakePending = false; }
|
|
|
|
void SetTLSVersionRange(SSLVersionRange range) { mTLSVersionRange = range; }
|
|
SSLVersionRange GetTLSVersionRange() const { return mTLSVersionRange; };
|
|
|
|
PRStatus CloseSocketAndDestroy(
|
|
const nsNSSShutDownPreventionLock& proofOfLock);
|
|
|
|
void SetNegotiatedNPN(const char* value, uint32_t length);
|
|
|
|
void SetHandshakeCompleted();
|
|
void NoteTimeUntilReady();
|
|
|
|
|
|
void SetFalseStartCallbackCalled() { mFalseStartCallbackCalled = true; }
|
|
void SetFalseStarted() { mFalseStarted = true; }
|
|
|
|
// Note that this is only valid *during* a handshake; at the end of the handshake,
|
|
// it gets reset back to false.
|
|
void SetFullHandshake() { mIsFullHandshake = true; }
|
|
bool IsFullHandshake() const { return mIsFullHandshake; }
|
|
|
|
bool GetJoined() { return mJoined; }
|
|
void SetSentClientCert() { mSentClientCert = true; }
|
|
|
|
uint32_t GetProviderFlags() const { return mProviderFlags; }
|
|
|
|
mozilla::psm::SharedSSLState& SharedState();
|
|
|
|
// XXX: These are only used on for diagnostic purposes
|
|
enum CertVerificationState {
|
|
before_cert_verification,
|
|
waiting_for_cert_verification,
|
|
after_cert_verification
|
|
};
|
|
void SetCertVerificationWaiting();
|
|
// Use errorCode == 0 to indicate success; in that case, errorMessageType is
|
|
// ignored.
|
|
void SetCertVerificationResult(PRErrorCode errorCode,
|
|
::mozilla::psm::SSLErrorMessageType errorMessageType);
|
|
|
|
// for logging only
|
|
PRBool IsWaitingForCertVerification() const
|
|
{
|
|
return mCertVerificationState == waiting_for_cert_verification;
|
|
}
|
|
void AddPlaintextBytesRead(uint64_t val) { mPlaintextBytesRead += val; }
|
|
|
|
bool IsPreliminaryHandshakeDone() const { return mPreliminaryHandshakeDone; }
|
|
void SetPreliminaryHandshakeDone() { mPreliminaryHandshakeDone = true; }
|
|
|
|
void SetKEAUsed(uint16_t kea) { mKEAUsed = kea; }
|
|
|
|
void SetKEAKeyBits(uint32_t keaBits) { mKEAKeyBits = keaBits; }
|
|
|
|
void SetBypassAuthentication(bool val)
|
|
{
|
|
if (!mHandshakeCompleted) {
|
|
mBypassAuthentication = val;
|
|
}
|
|
}
|
|
|
|
void SetSSLVersionUsed(int16_t version)
|
|
{
|
|
mSSLVersionUsed = version;
|
|
}
|
|
|
|
void SetMACAlgorithmUsed(int16_t mac) { mMACAlgorithmUsed = mac; }
|
|
|
|
inline bool GetBypassAuthentication()
|
|
{
|
|
bool result = false;
|
|
mozilla::DebugOnly<nsresult> rv = GetBypassAuthentication(&result);
|
|
MOZ_ASSERT(NS_SUCCEEDED(rv));
|
|
return result;
|
|
}
|
|
|
|
protected:
|
|
virtual ~nsNSSSocketInfo();
|
|
|
|
private:
|
|
PRFileDesc* mFd;
|
|
|
|
CertVerificationState mCertVerificationState;
|
|
|
|
mozilla::psm::SharedSSLState& mSharedState;
|
|
bool mForSTARTTLS;
|
|
SSLVersionRange mTLSVersionRange;
|
|
bool mHandshakePending;
|
|
bool mRememberClientAuthCertificate;
|
|
bool mPreliminaryHandshakeDone; // after false start items are complete
|
|
|
|
nsresult ActivateSSL();
|
|
|
|
nsCString mNegotiatedNPN;
|
|
bool mNPNCompleted;
|
|
bool mFalseStartCallbackCalled;
|
|
bool mFalseStarted;
|
|
bool mIsFullHandshake;
|
|
bool mHandshakeCompleted;
|
|
bool mJoined;
|
|
bool mSentClientCert;
|
|
bool mNotedTimeUntilReady;
|
|
bool mFailedVerification;
|
|
|
|
// mKEA* are used in false start and http/2 detetermination
|
|
// Values are from nsISSLSocketControl
|
|
int16_t mKEAUsed;
|
|
uint32_t mKEAKeyBits;
|
|
int16_t mSSLVersionUsed;
|
|
int16_t mMACAlgorithmUsed;
|
|
bool mBypassAuthentication;
|
|
|
|
uint32_t mProviderFlags;
|
|
mozilla::TimeStamp mSocketCreationTimestamp;
|
|
uint64_t mPlaintextBytesRead;
|
|
|
|
nsCOMPtr<nsIX509Cert> mClientCert;
|
|
};
|
|
|
|
enum StrongCipherStatus {
|
|
StrongCipherStatusUnknown,
|
|
StrongCiphersWorked,
|
|
StrongCiphersFailed
|
|
};
|
|
|
|
class nsSSLIOLayerHelpers
|
|
{
|
|
public:
|
|
nsSSLIOLayerHelpers();
|
|
~nsSSLIOLayerHelpers();
|
|
|
|
nsresult Init();
|
|
void Cleanup();
|
|
|
|
static bool nsSSLIOLayerInitialized;
|
|
static PRDescIdentity nsSSLIOLayerIdentity;
|
|
static PRDescIdentity nsSSLPlaintextLayerIdentity;
|
|
static PRIOMethods nsSSLIOLayerMethods;
|
|
static PRIOMethods nsSSLPlaintextLayerMethods;
|
|
|
|
bool mTreatUnsafeNegotiationAsBroken;
|
|
int32_t mWarnLevelMissingRFC5746;
|
|
|
|
void setTreatUnsafeNegotiationAsBroken(bool broken);
|
|
bool treatUnsafeNegotiationAsBroken();
|
|
void setWarnLevelMissingRFC5746(int32_t level);
|
|
int32_t getWarnLevelMissingRFC5746();
|
|
|
|
private:
|
|
struct IntoleranceEntry
|
|
{
|
|
uint16_t tolerant;
|
|
uint16_t intolerant;
|
|
PRErrorCode intoleranceReason;
|
|
StrongCipherStatus strongCipherStatus;
|
|
|
|
void AssertInvariant() const
|
|
{
|
|
MOZ_ASSERT(intolerant == 0 || tolerant < intolerant);
|
|
}
|
|
};
|
|
nsDataHashtable<nsCStringHashKey, IntoleranceEntry> mTLSIntoleranceInfo;
|
|
// Sites that require insecure fallback to TLS 1.0, set by the pref
|
|
// security.tls.insecure_fallback_hosts, which is a comma-delimited
|
|
// list of domain names.
|
|
nsTHashtable<nsCStringHashKey> mInsecureFallbackSites;
|
|
public:
|
|
void rememberTolerantAtVersion(const nsACString& hostname, int16_t port,
|
|
uint16_t tolerant);
|
|
bool fallbackLimitReached(const nsACString& hostname, uint16_t intolerant);
|
|
bool rememberIntolerantAtVersion(const nsACString& hostname, int16_t port,
|
|
uint16_t intolerant, uint16_t minVersion,
|
|
PRErrorCode intoleranceReason);
|
|
bool rememberStrongCiphersFailed(const nsACString& hostName, int16_t port,
|
|
PRErrorCode intoleranceReason);
|
|
// returns the known tolerant version
|
|
// or 0 if there is no known tolerant version
|
|
uint16_t forgetIntolerance(const nsACString& hostname, int16_t port);
|
|
void adjustForTLSIntolerance(const nsACString& hostname, int16_t port,
|
|
/*in/out*/ SSLVersionRange& range,
|
|
/*out*/ StrongCipherStatus& strongCipherStatus);
|
|
PRErrorCode getIntoleranceReason(const nsACString& hostname, int16_t port);
|
|
|
|
void clearStoredData();
|
|
void loadVersionFallbackLimit();
|
|
void setInsecureFallbackSites(const nsCString& str);
|
|
bool isInsecureFallbackSite(const nsACString& hostname);
|
|
|
|
bool mFalseStartRequireNPN;
|
|
// Use the static list of sites that require insecure fallback
|
|
// to TLS 1.0 if true, set by the pref
|
|
// security.tls.insecure_fallback_hosts.use_static_list.
|
|
bool mUseStaticFallbackList;
|
|
bool mUnrestrictedRC4Fallback;
|
|
uint16_t mVersionFallbackLimit;
|
|
private:
|
|
mozilla::Mutex mutex;
|
|
nsCOMPtr<nsIObserver> mPrefObserver;
|
|
};
|
|
|
|
nsresult nsSSLIOLayerNewSocket(int32_t family,
|
|
const char* host,
|
|
int32_t port,
|
|
const char* proxyHost,
|
|
int32_t proxyPort,
|
|
PRFileDesc** fd,
|
|
nsISupports** securityInfo,
|
|
bool forSTARTTLS,
|
|
uint32_t flags);
|
|
|
|
nsresult nsSSLIOLayerAddToSocket(int32_t family,
|
|
const char* host,
|
|
int32_t port,
|
|
const char* proxyHost,
|
|
int32_t proxyPort,
|
|
PRFileDesc* fd,
|
|
nsISupports** securityInfo,
|
|
bool forSTARTTLS,
|
|
uint32_t flags);
|
|
|
|
nsresult nsSSLIOLayerFreeTLSIntolerantSites();
|
|
nsresult displayUnknownCertErrorAlert(nsNSSSocketInfo* infoObject, int error);
|
|
|
|
#endif /* _NSNSSIOLAYER_H */
|