/security/manager/ssl/src/nsNSSIOLayer.cpp
http://github.com/zpao/v8monkey · C++ · 3656 lines · 2687 code · 541 blank · 428 comment · 506 complexity · 2d05e328bccca59597b112725aedb031 MD5 · raw file
Large files are truncated click here to view the full file
- /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- * Brian Ryner <bryner@brianryner.com>
- * Javier Delgadillo <javi@netscape.com>
- * Kai Engert <kengert@redhat.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
- #include "nsNSSComponent.h"
- #include "nsNSSIOLayer.h"
- #include "nsNSSCallbacks.h"
- #include "prlog.h"
- #include "prnetdb.h"
- #include "nsIPrefService.h"
- #include "nsIPrefBranch.h"
- #include "nsIServiceManager.h"
- #include "nsIWebProgressListener.h"
- #include "nsIChannel.h"
- #include "nsNSSCertificate.h"
- #include "nsIX509CertValidity.h"
- #include "nsIDateTimeFormat.h"
- #include "nsDateTimeFormatCID.h"
- #include "nsIClientAuthDialogs.h"
- #include "nsClientAuthRemember.h"
- #include "nsICertOverrideService.h"
- #include "nsISSLErrorListener.h"
- #include "nsIObjectInputStream.h"
- #include "nsIObjectOutputStream.h"
- #include "nsXPIDLString.h"
- #include "nsReadableUtils.h"
- #include "nsHashSets.h"
- #include "nsCRT.h"
- #include "nsAutoPtr.h"
- #include "nsPrintfCString.h"
- #include "SSLServerCertVerification.h"
- #include "nsNSSShutDown.h"
- #include "nsSSLStatus.h"
- #include "nsNSSCertHelper.h"
- #include "nsNSSCleaner.h"
- #include "nsIDocShell.h"
- #include "nsIDocShellTreeItem.h"
- #include "nsISecureBrowserUI.h"
- #include "nsIClassInfoImpl.h"
- #include "nsIProgrammingLanguage.h"
- #include "nsIArray.h"
- #include "nsCharSeparatedTokenizer.h"
- #include "PSMRunnable.h"
- #include "ssl.h"
- #include "secerr.h"
- #include "sslerr.h"
- #include "secder.h"
- #include "secasn1.h"
- #include "certdb.h"
- #include "cert.h"
- #include "keyhi.h"
- #include "mozilla/Util.h"
- using namespace mozilla;
- using namespace mozilla::psm;
- //#define DEBUG_SSL_VERBOSE //Enable this define to get minimal
- //reports when doing SSL read/write
-
- //#define DUMP_BUFFER //Enable this define along with
- //DEBUG_SSL_VERBOSE to dump SSL
- //read/write buffer to a log.
- //Uses PR_LOG except on Mac where
- //we always write out to our own
- //file.
- NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
- NSSCleanupAutoPtrClass(void, PR_FREEIF)
- static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
- /* SSM_UserCertChoice: enum for cert choice info */
- typedef enum {ASK, AUTO} SSM_UserCertChoice;
- #ifdef PR_LOGGING
- extern PRLogModuleInfo* gPIPNSSLog;
- #endif
- #if defined(DEBUG_SSL_VERBOSE) && defined (XP_MAC)
- #ifdef PR_LOG
- #undef PR_LOG
- #endif
- static PRFileDesc *gMyLogFile = nsnull;
- #define MAC_LOG_FILE "MAC PIPNSS Log File"
- void MyLogFunction(const char *fmt, ...)
- {
-
- va_list ap;
- va_start(ap,fmt);
- if (gMyLogFile == nsnull)
- gMyLogFile = PR_Open(MAC_LOG_FILE, PR_WRONLY | PR_CREATE_FILE | PR_APPEND,
- 0600);
- if (!gMyLogFile)
- return;
- PR_vfprintf(gMyLogFile, fmt, ap);
- va_end(ap);
- }
- #define PR_LOG(module,level,args) MyLogFunction args
- #endif
- nsNSSSocketInfo::nsNSSSocketInfo()
- : mMutex("nsNSSSocketInfo::nsNSSSocketInfo"),
- mFd(nsnull),
- mCertVerificationState(before_cert_verification),
- mCertVerificationStarted(0),
- mCertVerificationEnded(0),
- mSecurityState(nsIWebProgressListener::STATE_IS_INSECURE),
- mSubRequestsHighSecurity(0),
- mSubRequestsLowSecurity(0),
- mSubRequestsBrokenSecurity(0),
- mSubRequestsNoSecurity(0),
- mErrorCode(0),
- mErrorMessageType(PlainErrorMessage),
- mForSTARTTLS(false),
- mSSL3Enabled(false),
- mTLSEnabled(false),
- mHandshakePending(true),
- mHasCleartextPhase(false),
- mHandshakeInProgress(false),
- mAllowTLSIntoleranceTimeout(true),
- mRememberClientAuthCertificate(false),
- mHandshakeStartTime(0),
- mPort(0),
- mIsCertIssuerBlacklisted(false),
- mNPNCompleted(false),
- mHandshakeCompleted(false),
- mJoined(false),
- mSentClientCert(false)
- {
- }
- nsNSSSocketInfo::~nsNSSSocketInfo()
- {
- nsNSSShutDownPreventionLock locker;
- if (isAlreadyShutDown())
- return;
- shutdown(calledFromObject);
- }
- void nsNSSSocketInfo::virtualDestroyNSSReference()
- {
- }
- NS_IMPL_THREADSAFE_ISUPPORTS8(nsNSSSocketInfo,
- nsITransportSecurityInfo,
- nsISSLSocketControl,
- nsIInterfaceRequestor,
- nsISSLStatusProvider,
- nsIAssociatedContentSecurity,
- nsISerializable,
- nsIClassInfo,
- nsIClientAuthUserDecision)
- nsresult
- nsNSSSocketInfo::GetHandshakePending(bool *aHandshakePending)
- {
- *aHandshakePending = mHandshakePending;
- return NS_OK;
- }
- nsresult
- nsNSSSocketInfo::SetHandshakePending(bool aHandshakePending)
- {
- mHandshakePending = aHandshakePending;
- return NS_OK;
- }
- nsresult
- nsNSSSocketInfo::SetHostName(const char* host)
- {
- mHostName.Adopt(host ? NS_strdup(host) : 0);
- return NS_OK;
- }
- nsresult
- nsNSSSocketInfo::GetHostName(char **host)
- {
- *host = (mHostName) ? NS_strdup(mHostName) : nsnull;
- return NS_OK;
- }
- nsresult
- nsNSSSocketInfo::SetPort(PRInt32 aPort)
- {
- mPort = aPort;
- return NS_OK;
- }
- nsresult
- nsNSSSocketInfo::GetPort(PRInt32 *aPort)
- {
- *aPort = mPort;
- return NS_OK;
- }
- PRErrorCode
- nsNSSSocketInfo::GetErrorCode() const
- {
- MutexAutoLock lock(mMutex);
- return mErrorCode;
- }
- void
- nsNSSSocketInfo::SetCanceled(PRErrorCode errorCode,
- SSLErrorMessageType errorMessageType)
- {
- MutexAutoLock lock(mMutex);
- mErrorCode = errorCode;
- mErrorMessageType = errorMessageType;
- mErrorMessageCached.Truncate();
- }
- NS_IMETHODIMP nsNSSSocketInfo::GetRememberClientAuthCertificate(bool *aRememberClientAuthCertificate)
- {
- NS_ENSURE_ARG_POINTER(aRememberClientAuthCertificate);
- *aRememberClientAuthCertificate = mRememberClientAuthCertificate;
- return NS_OK;
- }
- NS_IMETHODIMP nsNSSSocketInfo::SetRememberClientAuthCertificate(bool aRememberClientAuthCertificate)
- {
- mRememberClientAuthCertificate = aRememberClientAuthCertificate;
- return NS_OK;
- }
- void nsNSSSocketInfo::SetHasCleartextPhase(bool aHasCleartextPhase)
- {
- mHasCleartextPhase = aHasCleartextPhase;
- }
- bool nsNSSSocketInfo::GetHasCleartextPhase()
- {
- return mHasCleartextPhase;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetNotificationCallbacks(nsIInterfaceRequestor** aCallbacks)
- {
- *aCallbacks = mCallbacks;
- NS_IF_ADDREF(*aCallbacks);
- return NS_OK;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::SetNotificationCallbacks(nsIInterfaceRequestor* aCallbacks)
- {
- if (!aCallbacks) {
- mCallbacks = nsnull;
- return NS_OK;
- }
- mCallbacks = aCallbacks;
- return NS_OK;
- }
- static void
- getSecureBrowserUI(nsIInterfaceRequestor * callbacks,
- nsISecureBrowserUI ** result)
- {
- NS_ASSERTION(result != nsnull, "result parameter to getSecureBrowserUI is null");
- *result = nsnull;
- NS_ASSERTION(NS_IsMainThread(),
- "getSecureBrowserUI called off the main thread");
- if (!callbacks)
- return;
- nsCOMPtr<nsISecureBrowserUI> secureUI = do_GetInterface(callbacks);
- if (secureUI) {
- secureUI.forget(result);
- return;
- }
- nsCOMPtr<nsIDocShellTreeItem> item = do_GetInterface(callbacks);
- if (item) {
- nsCOMPtr<nsIDocShellTreeItem> rootItem;
- (void) item->GetSameTypeRootTreeItem(getter_AddRefs(rootItem));
-
- nsCOMPtr<nsIDocShell> docShell = do_QueryInterface(rootItem);
- if (docShell) {
- (void) docShell->GetSecurityUI(result);
- }
- }
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetSecurityState(PRUint32* state)
- {
- *state = mSecurityState;
- return NS_OK;
- }
- nsresult
- nsNSSSocketInfo::SetSecurityState(PRUint32 aState)
- {
- mSecurityState = aState;
- return NS_OK;
- }
- /* attribute unsigned long countSubRequestsHighSecurity; */
- NS_IMETHODIMP nsNSSSocketInfo::GetCountSubRequestsHighSecurity(PRInt32 *aSubRequestsHighSecurity)
- {
- *aSubRequestsHighSecurity = mSubRequestsHighSecurity;
- return NS_OK;
- }
- NS_IMETHODIMP nsNSSSocketInfo::SetCountSubRequestsHighSecurity(PRInt32 aSubRequestsHighSecurity)
- {
- mSubRequestsHighSecurity = aSubRequestsHighSecurity;
- return NS_ERROR_NOT_IMPLEMENTED;
- }
- /* attribute unsigned long countSubRequestsLowSecurity; */
- NS_IMETHODIMP nsNSSSocketInfo::GetCountSubRequestsLowSecurity(PRInt32 *aSubRequestsLowSecurity)
- {
- *aSubRequestsLowSecurity = mSubRequestsLowSecurity;
- return NS_OK;
- }
- NS_IMETHODIMP nsNSSSocketInfo::SetCountSubRequestsLowSecurity(PRInt32 aSubRequestsLowSecurity)
- {
- mSubRequestsLowSecurity = aSubRequestsLowSecurity;
- return NS_OK;
- }
- /* attribute unsigned long countSubRequestsBrokenSecurity; */
- NS_IMETHODIMP nsNSSSocketInfo::GetCountSubRequestsBrokenSecurity(PRInt32 *aSubRequestsBrokenSecurity)
- {
- *aSubRequestsBrokenSecurity = mSubRequestsBrokenSecurity;
- return NS_OK;
- }
- NS_IMETHODIMP nsNSSSocketInfo::SetCountSubRequestsBrokenSecurity(PRInt32 aSubRequestsBrokenSecurity)
- {
- mSubRequestsBrokenSecurity = aSubRequestsBrokenSecurity;
- return NS_OK;
- }
- /* attribute unsigned long countSubRequestsNoSecurity; */
- NS_IMETHODIMP nsNSSSocketInfo::GetCountSubRequestsNoSecurity(PRInt32 *aSubRequestsNoSecurity)
- {
- *aSubRequestsNoSecurity = mSubRequestsNoSecurity;
- return NS_OK;
- }
- NS_IMETHODIMP nsNSSSocketInfo::SetCountSubRequestsNoSecurity(PRInt32 aSubRequestsNoSecurity)
- {
- mSubRequestsNoSecurity = aSubRequestsNoSecurity;
- return NS_OK;
- }
- NS_IMETHODIMP nsNSSSocketInfo::Flush()
- {
- return NS_OK;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetShortSecurityDescription(PRUnichar** aText) {
- if (mShortDesc.IsEmpty())
- *aText = nsnull;
- else {
- *aText = ToNewUnicode(mShortDesc);
- NS_ENSURE_TRUE(*aText, NS_ERROR_OUT_OF_MEMORY);
- }
- return NS_OK;
- }
- nsresult
- nsNSSSocketInfo::SetShortSecurityDescription(const PRUnichar* aText) {
- mShortDesc.Assign(aText);
- return NS_OK;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetErrorMessage(PRUnichar** aText)
- {
- NS_ENSURE_ARG_POINTER(aText);
- *aText = nsnull;
- if (!NS_IsMainThread()) {
- NS_ERROR("nsNSSSocketInfo::GetErrorMessage called off the main thread");
- return NS_ERROR_NOT_SAME_THREAD;
- }
- MutexAutoLock lock(mMutex);
- nsresult rv = formatErrorMessage(lock);
- NS_ENSURE_SUCCESS(rv, rv);
- *aText = ToNewUnicode(mErrorMessageCached);
- return *aText != nsnull ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
- }
- void
- nsNSSSocketInfo::SetNegotiatedNPN(const char *value, PRUint32 length)
- {
- if (!value)
- mNegotiatedNPN.Truncate();
- else
- mNegotiatedNPN.Assign(value, length);
- mNPNCompleted = true;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetNegotiatedNPN(nsACString &aNegotiatedNPN)
- {
- if (!mNPNCompleted)
- return NS_ERROR_NOT_CONNECTED;
- aNegotiatedNPN = mNegotiatedNPN;
- return NS_OK;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::JoinConnection(const nsACString & npnProtocol,
- const nsACString & hostname,
- PRInt32 port,
- bool *_retval NS_OUTPARAM)
- {
- *_retval = false;
- // Different ports may not be joined together
- if (port != mPort)
- return NS_OK;
- // Make sure NPN has been completed and matches requested npnProtocol
- if (!mNPNCompleted || !mNegotiatedNPN.Equals(npnProtocol))
- return NS_OK;
- // If this is the same hostname then the certicate status does not
- // need to be considered. They are joinable.
- if (mHostName && hostname.Equals(mHostName)) {
- *_retval = true;
- return NS_OK;
- }
- // Before checking the server certificate we need to make sure the
- // handshake has completed.
- if (!mHandshakeCompleted || !SSLStatus() || !SSLStatus()->mServerCert)
- return NS_OK;
- // If the cert has error bits (e.g. it is untrusted) then do not join.
- // The value of mHaveCertErrorBits is only reliable because we know that
- // the handshake completed.
- if (SSLStatus()->mHaveCertErrorBits)
- return NS_OK;
- // If the connection is using client certificates then do not join
- // because the user decides on whether to send client certs to hosts on a
- // per-domain basis.
- if (mSentClientCert)
- return NS_OK;
- // Ensure that the server certificate covers the hostname that would
- // like to join this connection
- CERTCertificate *nssCert = nsnull;
- CERTCertificateCleaner nsscertCleaner(nssCert);
- nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(SSLStatus()->mServerCert);
- if (cert2)
- nssCert = cert2->GetCert();
- if (!nssCert)
- return NS_OK;
- if (CERT_VerifyCertName(nssCert, PromiseFlatCString(hostname).get()) !=
- SECSuccess)
- return NS_OK;
- // All tests pass - this is joinable
- mJoined = true;
- *_retval = true;
- return NS_OK;
- }
- static nsresult
- formatPlainErrorMessage(nsXPIDLCString const & host, PRInt32 port,
- PRErrorCode err, nsString &returnedMessage);
- static nsresult
- formatOverridableCertErrorMessage(nsISSLStatus & sslStatus,
- PRErrorCode errorCodeToReport,
- const nsXPIDLCString & host, PRInt32 port,
- nsString & returnedMessage);
- // XXX: uses nsNSSComponent string bundles off the main thread when called by
- // nsNSSSocketInfo::Write(). When we remove the error message from the
- // serialization of nsNSSSocketInfo (bug 697781) we can inline
- // formatErrorMessage into GetErrorMessage().
- nsresult
- nsNSSSocketInfo::formatErrorMessage(MutexAutoLock const & proofOfLock)
- {
- if (mErrorCode == 0 || !mErrorMessageCached.IsEmpty()) {
- return NS_OK;
- }
- nsresult rv;
- NS_ConvertASCIItoUTF16 hostNameU(mHostName);
- NS_ASSERTION(mErrorMessageType != OverridableCertErrorMessage ||
- (mSSLStatus && mSSLStatus->mServerCert &&
- mSSLStatus->mHaveCertErrorBits),
- "GetErrorMessage called for cert error without cert");
- if (mErrorMessageType == OverridableCertErrorMessage &&
- mSSLStatus && mSSLStatus->mServerCert) {
- rv = formatOverridableCertErrorMessage(*mSSLStatus, mErrorCode,
- mHostName, mPort,
- mErrorMessageCached);
- } else {
- rv = formatPlainErrorMessage(mHostName, mPort, mErrorCode,
- mErrorMessageCached);
- }
- if (NS_FAILED(rv)) {
- mErrorMessageCached.Truncate();
- }
- return rv;
- }
- /* void getInterface (in nsIIDRef uuid, [iid_is (uuid), retval] out nsQIResult result); */
- NS_IMETHODIMP nsNSSSocketInfo::GetInterface(const nsIID & uuid, void * *result)
- {
- if (!NS_IsMainThread()) {
- NS_ERROR("nsNSSSocketInfo::GetInterface called off the main thread");
- return NS_ERROR_NOT_SAME_THREAD;
- }
- nsresult rv;
- if (!mCallbacks) {
- nsCOMPtr<nsIInterfaceRequestor> ir = new PipUIContext();
- if (!ir)
- return NS_ERROR_OUT_OF_MEMORY;
- rv = ir->GetInterface(uuid, result);
- } else {
- rv = mCallbacks->GetInterface(uuid, result);
- }
- return rv;
- }
- nsresult
- nsNSSSocketInfo::GetForSTARTTLS(bool* aForSTARTTLS)
- {
- *aForSTARTTLS = mForSTARTTLS;
- return NS_OK;
- }
- nsresult
- nsNSSSocketInfo::SetForSTARTTLS(bool aForSTARTTLS)
- {
- mForSTARTTLS = aForSTARTTLS;
- return NS_OK;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::ProxyStartSSL()
- {
- return ActivateSSL();
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::StartTLS()
- {
- return ActivateSSL();
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::SetNPNList(nsTArray<nsCString> &protocolArray)
- {
- nsNSSShutDownPreventionLock locker;
- if (isAlreadyShutDown())
- return NS_ERROR_NOT_AVAILABLE;
- if (!mFd)
- return NS_ERROR_FAILURE;
- // the npn list is a concatenated list of 8 bit byte strings.
- nsCString npnList;
- for (PRUint32 index = 0; index < protocolArray.Length(); ++index) {
- if (protocolArray[index].IsEmpty() ||
- protocolArray[index].Length() > 255)
- return NS_ERROR_ILLEGAL_VALUE;
- npnList.Append(protocolArray[index].Length());
- npnList.Append(protocolArray[index]);
- }
-
- if (SSL_SetNextProtoNego(
- mFd,
- reinterpret_cast<const unsigned char *>(npnList.get()),
- npnList.Length()) != SECSuccess)
- return NS_ERROR_FAILURE;
- return NS_OK;
- }
- static NS_DEFINE_CID(kNSSCertificateCID, NS_X509CERT_CID);
- #define NSSSOCKETINFOMAGIC { 0xa9863a23, 0x26b8, 0x4a9c, \
- { 0x83, 0xf1, 0xe9, 0xda, 0xdb, 0x36, 0xb8, 0x30 } }
- static NS_DEFINE_CID(kNSSSocketInfoMagic, NSSSOCKETINFOMAGIC);
- NS_IMETHODIMP
- nsNSSSocketInfo::Write(nsIObjectOutputStream* stream) {
- stream->WriteID(kNSSSocketInfoMagic);
- MutexAutoLock lock(mMutex);
- nsRefPtr<nsSSLStatus> status = mSSLStatus;
- nsCOMPtr<nsISerializable> certSerializable;
- // Write a redundant copy of the certificate for backward compatibility
- // with previous versions, which also unnecessarily wrote it.
- //
- // As we are reading the object our self, not using ReadObject, we have
- // to store it here 'manually' as well, mimicking our object stream
- // implementation.
- if (status) {
- nsCOMPtr<nsIX509Cert> cert = status->mServerCert;
- certSerializable = do_QueryInterface(cert);
- if (!certSerializable) {
- NS_ERROR("certificate is missing or isn't serializable");
- return NS_ERROR_UNEXPECTED;
- }
- } else {
- NS_WARNING("Serializing nsNSSSocketInfo without mSSLStatus");
- }
- // Store the flag if there is the certificate present
- stream->WriteBoolean(certSerializable);
- if (certSerializable) {
- stream->WriteID(kNSSCertificateCID);
- stream->WriteID(NS_GET_IID(nsISupports));
- certSerializable->Write(stream);
- }
- // Store the version number of the binary stream data format.
- // The 0xFFFF0000 mask is included to the version number
- // to distinguish version number from mSecurityState
- // field stored in times before versioning has been introduced.
- // This mask value has been chosen as mSecurityState could
- // never be assigned such value.
- PRUint32 version = 3;
- stream->Write32(version | 0xFFFF0000);
- stream->Write32(mSecurityState);
- stream->WriteWStringZ(mShortDesc.get());
- // XXX: uses nsNSSComponent string bundles off the main thread
- nsresult rv = formatErrorMessage(lock);
- NS_ENSURE_SUCCESS(rv, rv);
- stream->WriteWStringZ(mErrorMessageCached.get());
- stream->WriteCompoundObject(NS_ISUPPORTS_CAST(nsISSLStatus*, status),
- NS_GET_IID(nsISupports), true);
- stream->Write32((PRUint32)mSubRequestsHighSecurity);
- stream->Write32((PRUint32)mSubRequestsLowSecurity);
- stream->Write32((PRUint32)mSubRequestsBrokenSecurity);
- stream->Write32((PRUint32)mSubRequestsNoSecurity);
- return NS_OK;
- }
- static bool CheckUUIDEquals(PRUint32 m0,
- nsIObjectInputStream* stream,
- const nsCID& id)
- {
- nsID tempID;
- tempID.m0 = m0;
- stream->Read16(&tempID.m1);
- stream->Read16(&tempID.m2);
- for (int i = 0; i < 8; ++i)
- stream->Read8(&tempID.m3[i]);
- return tempID.Equals(id);
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::Read(nsIObjectInputStream* stream) {
- nsresult rv;
- PRUint32 version;
- bool certificatePresent;
- // Check what we have here...
- PRUint32 UUID_0;
- stream->Read32(&UUID_0);
- if (UUID_0 == kNSSSocketInfoMagic.m0) {
- // It seems this stream begins with our magic ID, check it really is there
- if (!CheckUUIDEquals(UUID_0, stream, kNSSSocketInfoMagic))
- return NS_ERROR_FAILURE;
- // OK, this seems to be our stream, now continue to check there is
- // the certificate
- stream->ReadBoolean(&certificatePresent);
- stream->Read32(&UUID_0);
- }
- else {
- // There is no magic, assume there is a certificate present as in versions
- // prior to those with the magic didn't store that flag; we check the
- // certificate is present by cheking the CID then
- certificatePresent = true;
- }
- if (certificatePresent && UUID_0 == kNSSCertificateCID.m0) {
- // It seems there is the certificate CID present, check it now; we only
- // have this single certificate implementation at this time.
- if (!CheckUUIDEquals(UUID_0, stream, kNSSCertificateCID))
- return NS_ERROR_FAILURE;
- // OK, we have read the CID of the certificate, check the interface ID
- nsID tempID;
- stream->ReadID(&tempID);
- if (!tempID.Equals(NS_GET_IID(nsISupports)))
- return NS_ERROR_FAILURE;
- nsCOMPtr<nsISerializable> serializable =
- do_CreateInstance(kNSSCertificateCID, &rv);
- NS_ENSURE_SUCCESS(rv, rv);
- // This is the redundant copy of the certificate; just ignore it
- serializable->Read(stream);
- // We are done with reading the certificate, now read the version
- // as we did before.
- stream->Read32(&version);
- }
- else {
- // There seems not to be the certificate present in the stream.
- version = UUID_0;
- }
- MutexAutoLock lock(mMutex);
- // If the version field we have just read is not masked with 0xFFFF0000
- // then it is stored mSecurityState field and this is version 1 of
- // the binary data stream format.
- if ((version & 0xFFFF0000) == 0xFFFF0000) {
- version &= ~0xFFFF0000;
- stream->Read32(&mSecurityState);
- }
- else {
- mSecurityState = version;
- version = 1;
- }
- stream->ReadString(mShortDesc);
- stream->ReadString(mErrorMessageCached);
- mErrorCode = 0;
- nsCOMPtr<nsISupports> obj;
- stream->ReadObject(true, getter_AddRefs(obj));
-
- mSSLStatus = reinterpret_cast<nsSSLStatus*>(obj.get());
- if (!mSSLStatus) {
- NS_WARNING("deserializing nsNSSSocketInfo without mSSLStatus");
- }
- if (version >= 2) {
- stream->Read32((PRUint32*)&mSubRequestsHighSecurity);
- stream->Read32((PRUint32*)&mSubRequestsLowSecurity);
- stream->Read32((PRUint32*)&mSubRequestsBrokenSecurity);
- stream->Read32((PRUint32*)&mSubRequestsNoSecurity);
- }
- else {
- mSubRequestsHighSecurity = 0;
- mSubRequestsLowSecurity = 0;
- mSubRequestsBrokenSecurity = 0;
- mSubRequestsNoSecurity = 0;
- }
- return NS_OK;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetInterfaces(PRUint32 *count, nsIID * **array)
- {
- *count = 0;
- *array = nsnull;
- return NS_OK;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetHelperForLanguage(PRUint32 language, nsISupports **_retval)
- {
- *_retval = nsnull;
- return NS_OK;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetContractID(char * *aContractID)
- {
- *aContractID = nsnull;
- return NS_OK;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetClassDescription(char * *aClassDescription)
- {
- *aClassDescription = nsnull;
- return NS_OK;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetClassID(nsCID * *aClassID)
- {
- *aClassID = (nsCID*) nsMemory::Alloc(sizeof(nsCID));
- if (!*aClassID)
- return NS_ERROR_OUT_OF_MEMORY;
- return GetClassIDNoAlloc(*aClassID);
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetImplementationLanguage(PRUint32 *aImplementationLanguage)
- {
- *aImplementationLanguage = nsIProgrammingLanguage::CPLUSPLUS;
- return NS_OK;
- }
- NS_IMETHODIMP
- nsNSSSocketInfo::GetFlags(PRUint32 *aFlags)
- {
- *aFlags = 0;
- return NS_OK;
- }
- static NS_DEFINE_CID(kNSSSocketInfoCID, NS_NSSSOCKETINFO_CID);
- NS_IMETHODIMP
- nsNSSSocketInfo::GetClassIDNoAlloc(nsCID *aClassIDNoAlloc)
- {
- *aClassIDNoAlloc = kNSSSocketInfoCID;
- return NS_OK;
- }
- nsresult nsNSSSocketInfo::ActivateSSL()
- {
- nsNSSShutDownPreventionLock locker;
- if (isAlreadyShutDown())
- return NS_ERROR_NOT_AVAILABLE;
- if (SECSuccess != SSL_OptionSet(mFd, SSL_SECURITY, true))
- return NS_ERROR_FAILURE;
- if (SECSuccess != SSL_ResetHandshake(mFd, false))
- return NS_ERROR_FAILURE;
- mHandshakePending = true;
- return NS_OK;
- }
- nsresult nsNSSSocketInfo::GetFileDescPtr(PRFileDesc** aFilePtr)
- {
- *aFilePtr = mFd;
- return NS_OK;
- }
- nsresult nsNSSSocketInfo::SetFileDescPtr(PRFileDesc* aFilePtr)
- {
- mFd = aFilePtr;
- return NS_OK;
- }
- class PreviousCertRunnable : public SyncRunnableBase
- {
- public:
- PreviousCertRunnable(nsIInterfaceRequestor * callbacks)
- : mCallbacks(callbacks)
- {
- }
- virtual void RunOnTargetThread()
- {
- nsCOMPtr<nsISecureBrowserUI> secureUI;
- getSecureBrowserUI(mCallbacks, getter_AddRefs(secureUI));
- nsCOMPtr<nsISSLStatusProvider> statusProvider = do_QueryInterface(secureUI);
- if (statusProvider) {
- nsCOMPtr<nsISSLStatus> status;
- (void) statusProvider->GetSSLStatus(getter_AddRefs(status));
- if (status) {
- (void) status->GetServerCert(getter_AddRefs(mPreviousCert));
- }
- }
- }
- nsCOMPtr<nsIX509Cert> mPreviousCert; // out
- private:
- nsCOMPtr<nsIInterfaceRequestor> mCallbacks; // in
- };
- void nsNSSSocketInfo::GetPreviousCert(nsIX509Cert** _result)
- {
- NS_ASSERTION(_result, "_result parameter to GetPreviousCert is null");
- *_result = nsnull;
- nsRefPtr<PreviousCertRunnable> runnable = new PreviousCertRunnable(mCallbacks);
- nsresult rv = runnable->DispatchToMainThreadAndWait();
- NS_ASSERTION(NS_SUCCEEDED(rv), "runnable->DispatchToMainThreadAndWait() failed");
- runnable->mPreviousCert.forget(_result);
- }
- void
- nsNSSSocketInfo::SetCertVerificationWaiting()
- {
- // mCertVerificationState may be before_cert_verification for the first
- // handshake on the connection, or after_cert_verification for subsequent
- // renegotiation handshakes.
- NS_ASSERTION(mCertVerificationState != waiting_for_cert_verification,
- "Invalid state transition to waiting_for_cert_verification");
- mCertVerificationState = waiting_for_cert_verification;
- mCertVerificationStarted = PR_IntervalNow();
- }
- // Be careful that SetCertVerificationResult does NOT get called while we are
- // processing a SSL callback function, because SSL_AuthCertificateComplete will
- // attempt to acquire locks that are already held by libssl when it calls
- // callbacks.
- void
- nsNSSSocketInfo::SetCertVerificationResult(PRErrorCode errorCode,
- SSLErrorMessageType errorMessageType)
- {
- NS_ASSERTION(mCertVerificationState == waiting_for_cert_verification,
- "Invalid state transition to cert_verification_finished");
- mCertVerificationEnded = PR_IntervalNow();
- if (mFd) {
- SECStatus rv = SSL_AuthCertificateComplete(mFd, errorCode);
- // Only replace errorCode if there was originally no error
- if (rv != SECSuccess && errorCode == 0) {
- errorCode = PR_GetError();
- errorMessageType = PlainErrorMessage;
- if (errorCode == 0) {
- NS_ERROR("SSL_AuthCertificateComplete didn't set error code");
- errorCode = PR_INVALID_STATE_ERROR;
- }
- }
- }
- if (errorCode) {
- SetCanceled(errorCode, errorMessageType);
- }
- mCertVerificationState = after_cert_verification;
- }
- nsresult nsNSSSocketInfo::GetSSLStatus(nsISSLStatus** _result)
- {
- NS_ENSURE_ARG_POINTER(_result);
- *_result = mSSLStatus;
- NS_IF_ADDREF(*_result);
- return NS_OK;
- }
- nsresult nsNSSSocketInfo::SetSSLStatus(nsSSLStatus *aSSLStatus)
- {
- mSSLStatus = aSSLStatus;
- return NS_OK;
- }
- void nsNSSSocketInfo::SetHandshakeInProgress(bool aIsIn)
- {
- mHandshakeInProgress = aIsIn;
- if (mHandshakeInProgress && !mHandshakeStartTime)
- {
- mHandshakeStartTime = PR_IntervalNow();
- }
- }
- void nsNSSSocketInfo::SetAllowTLSIntoleranceTimeout(bool aAllow)
- {
- mAllowTLSIntoleranceTimeout = aAllow;
- }
- #define HANDSHAKE_TIMEOUT_SECONDS 25
- bool nsNSSSocketInfo::HandshakeTimeout()
- {
- if (mCertVerificationState == waiting_for_cert_verification) {
- // Do not do a TLS interlerance timeout during cert verification because:
- //
- // * If we would have timed out, but cert verification is still ongoing,
- // then the handshake probably already completed, and it is probably the
- // certificate validation (OCSP responder or similar) that is timing
- // out.
- // * If certificate validation AND the handshake is slow, then that is a
- // good indication that the network is bad, and so the problem probably
- // isn't the server being TLS intolerant.
- // * When we timeout, we return non-zero flags from PR_Poll, which will
- // cause the application to try to read from and/or write to the socket,
- // possibly in a loop. But, it is likely that the socket is blocked on
- // cert authentication, so those read and/or write calls would result in
- // PR_WOULD_BLOCK_ERROR, causing the application to spin.
- return false;
- }
- if (!mHandshakeInProgress || !mAllowTLSIntoleranceTimeout)
- return false;
- PRIntervalTime now = PR_IntervalNow();
- PRIntervalTime certVerificationTime =
- mCertVerificationEnded - mCertVerificationStarted;
- PRIntervalTime totalTime = now - mHandshakeStartTime;
- PRIntervalTime totalTimeExceptCertVerificationTime =
- totalTime - certVerificationTime;
- return totalTimeExceptCertVerificationTime >
- PR_SecondsToInterval(HANDSHAKE_TIMEOUT_SECONDS);
- }
- void nsSSLIOLayerHelpers::Cleanup()
- {
- if (mTLSIntolerantSites) {
- delete mTLSIntolerantSites;
- mTLSIntolerantSites = nsnull;
- }
- if (mTLSTolerantSites) {
- delete mTLSTolerantSites;
- mTLSTolerantSites = nsnull;
- }
- if (mRenegoUnrestrictedSites) {
- delete mRenegoUnrestrictedSites;
- mRenegoUnrestrictedSites = nsnull;
- }
- if (mutex) {
- delete mutex;
- mutex = nsnull;
- }
- if (mHostsWithCertErrors) {
- delete mHostsWithCertErrors;
- mHostsWithCertErrors = nsnull;
- }
- }
- /* Formats an error message for non-certificate-related SSL errors
- * and non-overridable certificate errors (both are of type
- * PlainErrormMessage). Use formatOverridableCertErrorMessage
- * for overridable cert errors.
- */
- static nsresult
- formatPlainErrorMessage(const nsXPIDLCString &host, PRInt32 port,
- PRErrorCode err, nsString &returnedMessage)
- {
- const PRUnichar *params[1];
- nsresult rv;
- nsCOMPtr<nsINSSComponent> component = do_GetService(kNSSComponentCID, &rv);
- NS_ENSURE_SUCCESS(rv, rv);
- if (host.Length())
- {
- nsString hostWithPort;
- // For now, hide port when it's 443 and we're reporting the error.
- // In the future a better mechanism should be used
- // to make a decision about showing the port number, possibly by requiring
- // the context object to implement a specific interface.
- // The motivation is that Mozilla browser would like to hide the port number
- // in error pages in the common case.
- hostWithPort.AssignASCII(host);
- if (port != 443) {
- hostWithPort.AppendLiteral(":");
- hostWithPort.AppendInt(port);
- }
- params[0] = hostWithPort.get();
- nsString formattedString;
- rv = component->PIPBundleFormatStringFromName("SSLConnectionErrorPrefix",
- params, 1,
- formattedString);
- if (NS_SUCCEEDED(rv))
- {
- returnedMessage.Append(formattedString);
- returnedMessage.Append(NS_LITERAL_STRING("\n\n"));
- }
- }
- nsString explanation;
- rv = nsNSSErrors::getErrorMessageFromCode(err, component, explanation);
- if (NS_SUCCEEDED(rv))
- returnedMessage.Append(explanation);
- return NS_OK;
- }
- static void
- AppendErrorTextUntrusted(PRErrorCode errTrust,
- const nsString &host,
- nsIX509Cert* ix509,
- nsINSSComponent *component,
- nsString &returnedMessage)
- {
- const char *errorID = nsnull;
- nsCOMPtr<nsIX509Cert3> cert3 = do_QueryInterface(ix509);
- if (cert3) {
- bool isSelfSigned;
- if (NS_SUCCEEDED(cert3->GetIsSelfSigned(&isSelfSigned))
- && isSelfSigned) {
- errorID = "certErrorTrust_SelfSigned";
- }
- }
- if (!errorID) {
- switch (errTrust) {
- case SEC_ERROR_UNKNOWN_ISSUER:
- {
- nsCOMPtr<nsIArray> chain;
- ix509->GetChain(getter_AddRefs(chain));
- PRUint32 length = 0;
- if (chain && NS_FAILED(chain->GetLength(&length)))
- length = 0;
- if (length == 1)
- errorID = "certErrorTrust_MissingChain";
- else
- errorID = "certErrorTrust_UnknownIssuer";
- break;
- }
- case SEC_ERROR_INADEQUATE_KEY_USAGE:
- // Should get an individual string in the future
- // For now, use the same as CaInvalid
- case SEC_ERROR_CA_CERT_INVALID:
- errorID = "certErrorTrust_CaInvalid";
- break;
- case SEC_ERROR_UNTRUSTED_ISSUER:
- errorID = "certErrorTrust_Issuer";
- break;
- case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
- errorID = "certErrorTrust_ExpiredIssuer";
- break;
- case SEC_ERROR_UNTRUSTED_CERT:
- default:
- errorID = "certErrorTrust_Untrusted";
- break;
- }
- }
- nsString formattedString;
- nsresult rv = component->GetPIPNSSBundleString(errorID,
- formattedString);
- if (NS_SUCCEEDED(rv))
- {
- returnedMessage.Append(formattedString);
- returnedMessage.Append(NS_LITERAL_STRING("\n"));
- }
- }
- // returns TRUE if SAN was used to produce names
- // return FALSE if nothing was produced
- // names => a single name or a list of names
- // multipleNames => whether multiple names were delivered
- static bool
- GetSubjectAltNames(CERTCertificate *nssCert,
- nsINSSComponent *component,
- nsString &allNames,
- PRUint32 &nameCount)
- {
- allNames.Truncate();
- nameCount = 0;
- PRArenaPool *san_arena = nsnull;
- SECItem altNameExtension = {siBuffer, NULL, 0 };
- CERTGeneralName *sanNameList = nsnull;
- nsresult rv;
- rv = CERT_FindCertExtension(nssCert, SEC_OID_X509_SUBJECT_ALT_NAME,
- &altNameExtension);
- if (rv != SECSuccess)
- return false;
- san_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (!san_arena)
- return false;
- sanNameList = CERT_DecodeAltNameExtension(san_arena, &altNameExtension);
- if (!sanNameList)
- return false;
- SECITEM_FreeItem(&altNameExtension, false);
- CERTGeneralName *current = sanNameList;
- do {
- nsAutoString name;
- switch (current->type) {
- case certDNSName:
- name.AssignASCII((char*)current->name.other.data, current->name.other.len);
- if (!allNames.IsEmpty()) {
- allNames.Append(NS_LITERAL_STRING(" , "));
- }
- ++nameCount;
- allNames.Append(name);
- break;
- case certIPAddress:
- {
- char buf[INET6_ADDRSTRLEN];
- PRNetAddr addr;
- if (current->name.other.len == 4) {
- addr.inet.family = PR_AF_INET;
- memcpy(&addr.inet.ip, current->name.other.data, current->name.other.len);
- PR_NetAddrToString(&addr, buf, sizeof(buf));
- name.AssignASCII(buf);
- } else if (current->name.other.len == 16) {
- addr.ipv6.family = PR_AF_INET6;
- memcpy(&addr.ipv6.ip, current->name.other.data, current->name.other.len);
- PR_NetAddrToString(&addr, buf, sizeof(buf));
- name.AssignASCII(buf);
- } else {
- /* invalid IP address */
- }
- if (!name.IsEmpty()) {
- if (!allNames.IsEmpty()) {
- allNames.Append(NS_LITERAL_STRING(" , "));
- }
- ++nameCount;
- allNames.Append(name);
- }
- break;
- }
- default: // all other types of names are ignored
- break;
- }
- current = CERT_GetNextGeneralName(current);
- } while (current != sanNameList); // double linked
- PORT_FreeArena(san_arena, false);
- return true;
- }
- static void
- AppendErrorTextMismatch(const nsString &host,
- nsIX509Cert* ix509,
- nsINSSComponent *component,
- nsString &returnedMessage)
- {
- const PRUnichar *params[1];
- nsresult rv;
- CERTCertificate *nssCert = NULL;
- CERTCertificateCleaner nssCertCleaner(nssCert);
- nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
- if (cert2)
- nssCert = cert2->GetCert();
- if (!nssCert) {
- // We are unable to extract the valid names, say "not valid for name".
- params[0] = host.get();
- nsString formattedString;
- rv = component->PIPBundleFormatStringFromName("certErrorMismatch",
- params, 1,
- formattedString);
- if (NS_SUCCEEDED(rv)) {
- returnedMessage.Append(formattedString);
- returnedMessage.Append(NS_LITERAL_STRING("\n"));
- }
- return;
- }
- nsString allNames;
- PRUint32 nameCount = 0;
- bool useSAN = false;
- if (nssCert)
- useSAN = GetSubjectAltNames(nssCert, component, allNames, nameCount);
- if (!useSAN) {
- char *certName = nsnull;
- // currently CERT_FindNSStringExtension is not being exported by NSS.
- // If it gets exported, enable the following line.
- // certName = CERT_FindNSStringExtension(nssCert, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
- // However, it has been discussed to treat the extension as obsolete and ignore it.
- if (!certName)
- certName = CERT_GetCommonName(&nssCert->subject);
- if (certName) {
- ++nameCount;
- allNames.AssignASCII(certName);
- PORT_Free(certName);
- }
- }
- if (nameCount > 1) {
- nsString message;
- rv = component->GetPIPNSSBundleString("certErrorMismatchMultiple",
- message);
- if (NS_SUCCEEDED(rv)) {
- returnedMessage.Append(message);
- returnedMessage.Append(NS_LITERAL_STRING("\n "));
- returnedMessage.Append(allNames);
- returnedMessage.Append(NS_LITERAL_STRING(" \n"));
- }
- }
- else if (nameCount == 1) {
- const PRUnichar *params[1];
- params[0] = allNames.get();
- nsString formattedString;
- rv = component->PIPBundleFormatStringFromName("certErrorMismatchSingle2",
- params, 1,
- formattedString);
- if (NS_SUCCEEDED(rv)) {
- returnedMessage.Append(formattedString);
- returnedMessage.Append(NS_LITERAL_STRING("\n"));
- }
- }
- else { // nameCount == 0
- nsString message;
- nsresult rv = component->GetPIPNSSBundleString("certErrorMismatchNoNames",
- message);
- if (NS_SUCCEEDED(rv)) {
- returnedMessage.Append(message);
- returnedMessage.Append(NS_LITERAL_STRING("\n"));
- }
- }
- }
- static void
- GetDateBoundary(nsIX509Cert* ix509,
- nsString &formattedDate,
- nsString &nowDate,
- bool &trueExpired_falseNotYetValid)
- {
- trueExpired_falseNotYetValid = true;
- formattedDate.Truncate();
- PRTime notAfter, notBefore, timeToUse;
- nsCOMPtr<nsIX509CertValidity> validity;
- nsresult rv;
- rv = ix509->GetValidity(getter_AddRefs(validity));
- if (NS_FAILED(rv))
- return;
- rv = validity->GetNotAfter(¬After);
- if (NS_FAILED(rv))
- return;
- rv = validity->GetNotBefore(¬Before);
- if (NS_FAILED(rv))
- return;
- PRTime now = PR_Now();
- if (LL_CMP(now, >, notAfter)) {
- timeToUse = notAfter;
- } else {
- timeToUse = notBefore;
- trueExpired_falseNotYetValid = false;
- }
- nsCOMPtr<nsIDateTimeFormat> dateTimeFormat(do_CreateInstance(NS_DATETIMEFORMAT_CONTRACTID, &rv));
- if (NS_FAILED(rv))
- return;
- dateTimeFormat->FormatPRTime(nsnull, kDateFormatShort,
- kTimeFormatNoSeconds, timeToUse,
- formattedDate);
- dateTimeFormat->FormatPRTime(nsnull, kDateFormatShort,
- kTimeFormatNoSeconds, now,
- nowDate);
- }
- static void
- AppendErrorTextTime(nsIX509Cert* ix509,
- nsINSSComponent *component,
- nsString &returnedMessage)
- {
- nsAutoString formattedDate, nowDate;
- bool trueExpired_falseNotYetValid;
- GetDateBoundary(ix509, formattedDate, nowDate, trueExpired_falseNotYetValid);
- const PRUnichar *params[2];
- params[0] = formattedDate.get(); // might be empty, if helper function had a problem
- params[1] = nowDate.get();
- const char *key = trueExpired_falseNotYetValid ?
- "certErrorExpiredNow" : "certErrorNotYetValidNow";
- nsresult rv;
- nsString formattedString;
- rv = component->PIPBundleFormatStringFromName(
- key,
- params,
- ArrayLength(params),
- formattedString);
- if (NS_SUCCEEDED(rv))
- {
- returnedMessage.Append(formattedString);
- returnedMessage.Append(NS_LITERAL_STRING("\n"));
- }
- }
- static void
- AppendErrorTextCode(PRErrorCode errorCodeToReport,
- nsINSSComponent *component,
- nsString &returnedMessage)
- {
- const char *codeName = nsNSSErrors::getDefaultErrorStringName(errorCodeToReport);
- if (codeName)
- {
- nsCString error_id(codeName);
- ToLowerCase(error_id);
- NS_ConvertASCIItoUTF16 idU(error_id);
- const PRUnichar *params[1];
- params[0] = idU.get();
- nsString formattedString;
- nsresult rv;
- rv = component->PIPBundleFormatStringFromName("certErrorCodePrefix",
- params, 1,
- formattedString);
- if (NS_SUCCEEDED(rv)) {
- returnedMessage.Append(NS_LITERAL_STRING("\n"));
- returnedMessage.Append(formattedString);
- returnedMessage.Append(NS_LITERAL_STRING("\n"));
- }
- else {
- returnedMessage.Append(NS_LITERAL_STRING(" ("));
- returnedMessage.Append(idU);
- returnedMessage.Append(NS_LITERAL_STRING(")"));
- }
- }
- }
- /* Formats an error message for overridable certificate errors (of type
- * OverridableCertErrorMessage). Use formatPlainErrorMessage to format
- * non-overridable cert errors and non-cert-related errors.
- */
- static nsresult
- formatOverridableCertErrorMessage(nsISSLStatus & sslStatus,
- PRErrorCode errorCodeToReport,
- const nsXPIDLCString & host, PRInt32 port,
- nsString & returnedMessage)
- {
- const PRUnichar *params[1];
- nsresult rv;
- nsAutoString hostWithPort;
- nsAutoString hostWithoutPort;
- // For now, hide port when it's 443 and we're reporting the error.
- // In the future a better mechanism should be used
- // to make a decision about showing the port number, possibly by requiring
- // the context object to implement a specific interface.
- // The motivation is that Mozilla browser would like to hide the port number
- // in error pages in the common case.
-
- hostWithoutPort.AppendASCII(host);
- if (port == 443) {
- params[0] = hostWithoutPort.get();
- } else {
- hostWithPort.AppendASCII(host);
- hostWithPort.Append(':');
- hostWithPort.AppendInt(port);
- params[0] = hostWithPort.get();
- }
- nsCOMPtr<nsINSSComponent> component = do_GetService(kNSSComponentCID, &rv);
- NS_ENSURE_SUCCESS(rv, rv);
- returnedMessage.Truncate();
- rv = component->PIPBundleFormatStringFromName("certErrorIntro", params, 1,
- returnedMessage);
- NS_ENSURE_SUCCESS(rv, rv);
- returnedMessage.Append(NS_LITERAL_STRING("\n\n"));
- nsRefPtr<nsIX509Cert> ix509;
- rv = sslStatus.GetServerCert(getter_AddRefs(ix509));
- NS_ENSURE_SUCCESS(rv, rv);
- bool isUntrusted;
- rv = sslStatus.GetIsUntrusted(&isUntrusted);
- NS_ENSURE_SUCCESS(rv, rv);
- if (isUntrusted) {
- AppendErrorTextUntrusted(errorCodeToReport, hostWithoutPort, ix509,
- component, returnedMessage);
- }
- bool isDomainMismatch;
- rv = sslStatus.GetIsDomainMismatch(&isDomainMismatch);
- NS_ENSURE_SUCCESS(rv, rv);
- if (isDomainMismatch) {
- AppendErrorTextMismatch(hostWithoutPort, ix509, component, returnedMessage);
- }
- bool isNotValidAtThisTime;
- rv = sslStatus.GetIsNotValidAtThisTime(&isNotValidAtThisTime);
- NS_ENSURE_SUCCESS(rv, rv);
- if (isNotValidAtThisTime) {
- AppendErrorTextTime(ix509, component, returnedMessage);
- }
- AppendErrorTextCode(errorCodeToReport, component, returnedMessage);
- return NS_OK;
- }
- static void
- nsHandleSSLError(nsNSSSocketInfo *socketInfo, PRErrorCode err)
- {
- if (!NS_IsMainThread()) {
- NS_ERROR("nsHandleSSLError called off the main thread");
- return;
- }
- // SetCanceled is only called by the main thread or the socket transport
- // thread. Whenever this function is called on the main thread, the SSL
- // thread is blocked on it. So, no mutex is necessary for
- // SetCanceled()/GetError*().
- if (socketInfo->GetErrorCode()) {
- // If the socket has been flagged as canceled,
- // the code who did was responsible for setting the error code.
- return;
- }
- nsresult rv;
- NS_DEFINE_CID(nssComponentCID, NS_NSSCOMPONENT_CID);
- nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(nssComponentCID, &rv));
- if (NS_FAILED(rv))
- return;
- nsXPIDLCString hostName;
- socketInfo->GetHostName(getter_Copies(hostName));
- PRInt32 port;
- socketInfo->GetPort(&port);
- // Try to get a nsISSLErrorListener implementation from the socket consumer.
- nsCOMPtr<nsIInterfaceRequestor> cb;
- socketInfo->GetNotificationCallbacks(getter_AddRefs(cb));
- if (cb) {
- nsCOMPtr<nsISSLErrorListener> sel = do_GetInterface(cb);
- if (sel) {
- nsIInterfaceRequestor *csi = static_cast<nsIInterfaceRequestor*>(socketInfo);
- nsCString hostWithPortString = hostName;
- hostWithPortString.AppendLiteral(":");
- hostWithPortString.AppendInt(port);
-
- bool suppressMessage = false; // obsolete, ignored
- rv = sel->NotifySSLError(csi, err, hostWithPortString, &suppressMessage);
- }
- }
- socketInfo->SetCanceled(err, PlainErrorMessage);
- }
- namespace {
- enum Operation { reading, writing, not_reading_or_writing };
- PRInt32 checkHandshake(PRInt32 bytesTransfered, bool wasReading,
- PRFileDesc* ssl_layer_fd,
- nsNSSSocketInfo *socketInfo);
- nsNSSSocketInfo *
- getSocketInfoIfRunning(PRFileDesc * fd, Operation op,
- const nsNSSShutDownPreventionLock & /*proofOfLock*/)
- {
- if (!fd || !fd->lower || !fd->secret ||
- fd->identity != nsSSLIOLayerHelpers::nsSSLIOLayerIdentity) {
- NS_ERROR("bad file descriptor passed to getSocketInfoIfRunning");
- PR_SetError(PR_BAD_DESCRIPTOR_ERROR, 0);
- return nsnull;
- }
- nsNSSSocketInfo *socketInfo = (nsNSSSocketInfo*)fd->secret;
- if (socketInfo->isAlreadyShutDown() || socketInfo->isPK11LoggedOut()) {
- PR_SetError(PR_SOCKET_SHUTDOWN_ERROR, 0);
- return nsnull;
- }
- if (socketInfo->GetErrorCode()) {
- PRErrorCode err = socketInfo->GetErrorCode();
- PR_SetError(err, 0);
- if (op == reading || op == writing) {
- // We must do TLS intolerance checks for reads and writes, for timeouts
- // in particular.
- (void) checkHandshake(-1, op == reading, fd, socketInfo);
- }
- // If we get here, it is probably because cert verification failed and this
- // is the first I/O attempt since that failure.
- return nsnull;
- }
- return socketInfo;
- }
- } // unnnamed namespace
- static PRStatus PR_CALLBACK
- nsSSLIOLayerConnect(PRFileDesc* fd, const PRNetAddr* addr,
- PRIntervalTime timeout)
- {
- PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("[%p] connecting SSL socket\n", (void*)fd));
- nsNSSShutDownPreventionLock locker;
- if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker))
- return PR_FAILURE;
-
- PRStatus status = fd->lower->methods->connect(fd->lower, addr, timeout);
- if (status != PR_SUCCESS) {
- PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("[%p] Lower layer connect error: %d\n",
- (void*)fd, PR_GetError()));
- return status;
- }
- PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("[%p] Connect\n", (void*)fd));
- return status;
- }
- // nsPSMRememberCertErrorsTable
- nsPSMRememberCertErrorsTable::nsPSMRememberCertErrorsTable()
- {
- mErrorHosts.Init(16);
- }
- nsresult
- nsPSMRememberCertErrorsTable::GetHostPortKey(nsNSSSocketInfo* infoObject,
- nsCAutoString &result)
- {
- nsresult rv;
- result.Truncate();
- nsXPIDLCString hostName;
- rv = infoObject->GetHostName(getter_Copies(hostName));
- NS_ENSURE_SUCCESS(rv, rv);
- PRInt32 port;
- rv = infoObject->GetPort(&port);
- NS_ENSURE_SUCCESS(rv, rv);
- result.Assign(hostName);
- result.Append(':');
- result.AppendInt(port);
- return NS_OK;
- }
- void
- nsPSMRememberCertErrorsTable::RememberCertHasError(nsNSSSocketInfo* infoObject,
- nsSSLStatus* status,
- SECStatus certVerificationResult)
- {
- nsresult rv;
- nsCAutoString hostPortKey;
- rv = GetHostPortKey(infoObject, hostPortKey);
- if (NS_FAILED(rv))
- return;
- if (certVerificationResult != SECSuccess) {
- NS_ASSERTION(status,
- "Must have nsSSLStatus object when remembering flags");
- if (!status)
- return;
- CertStateBits b…