/security/manager/ssl/src/nsNSSIOLayer.h

  1/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  2 *
  3 * ***** BEGIN LICENSE BLOCK *****
  4 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  5 *
  6 * The contents of this file are subject to the Mozilla Public License Version
  7 * 1.1 (the "License"); you may not use this file except in compliance with
  8 * the License. You may obtain a copy of the License at
  9 * http://www.mozilla.org/MPL/
 10 *
 11 * Software distributed under the License is distributed on an "AS IS" basis,
 12 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 13 * for the specific language governing rights and limitations under the
 14 * License.
 15 *
 16 * The Original Code is mozilla.org code.
 17 *
 18 * The Initial Developer of the Original Code is
 19 * Netscape Communications Corporation.
 20 * Portions created by the Initial Developer are Copyright (C) 1998
 21 * the Initial Developer. All Rights Reserved.
 22 *
 23 * Contributor(s):
 24 *   Brian Ryner <bryner@brianryner.com>
 25 *   Kai Engert <kengert@redhat.com>
 26 *
 27 * Alternatively, the contents of this file may be used under the terms of
 28 * either the GNU General Public License Version 2 or later (the "GPL"), or
 29 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 30 * in which case the provisions of the GPL or the LGPL are applicable instead
 31 * of those above. If you wish to allow use of your version of this file only
 32 * under the terms of either the GPL or the LGPL, and not to allow others to
 33 * use your version of this file under the terms of the MPL, indicate your
 34 * decision by deleting the provisions above and replace them with the notice
 35 * and other provisions required by the GPL or the LGPL. If you do not delete
 36 * the provisions above, a recipient may use your version of this file under
 37 * the terms of any one of the MPL, the GPL or the LGPL.
 38 *
 39 * ***** END LICENSE BLOCK ***** */
 40
 41#ifndef _NSNSSIOLAYER_H
 42#define _NSNSSIOLAYER_H
 43
 44#include "prtypes.h"
 45#include "prio.h"
 46#include "certt.h"
 47#include "mozilla/Mutex.h"
 48#include "nsString.h"
 49#include "nsIInterfaceRequestor.h"
 50#include "nsIInterfaceRequestorUtils.h"
 51#include "nsITransportSecurityInfo.h"
 52#include "nsISSLSocketControl.h"
 53#include "nsSSLStatus.h"
 54#include "nsISSLStatusProvider.h"
 55#include "nsIAssociatedContentSecurity.h"
 56#include "nsXPIDLString.h"
 57#include "nsNSSShutDown.h"
 58#include "nsIClientAuthDialogs.h"
 59#include "nsAutoPtr.h"
 60#include "nsNSSCertificate.h"
 61#include "nsDataHashtable.h"
 62
 63namespace mozilla {
 64
 65class MutexAutoLock;
 66
 67namespace psm {
 68
 69enum SSLErrorMessageType {
 70  OverridableCertErrorMessage  = 1, // for *overridable* certificate errors
 71  PlainErrorMessage = 2             // all other errors (or "no error")
 72};
 73
 74} // namespace psm
 75
 76} // namespace mozilla
 77
 78class nsNSSSocketInfo : public nsITransportSecurityInfo,
 79                        public nsISSLSocketControl,
 80                        public nsIInterfaceRequestor,
 81                        public nsISSLStatusProvider,
 82                        public nsIAssociatedContentSecurity,
 83                        public nsISerializable,
 84                        public nsIClassInfo,
 85                        public nsIClientAuthUserDecision,
 86                        public nsNSSShutDownObject,
 87                        public nsOnPK11LogoutCancelObject
 88{
 89public:
 90  nsNSSSocketInfo();
 91  virtual ~nsNSSSocketInfo();
 92  
 93  NS_DECL_ISUPPORTS
 94  NS_DECL_NSITRANSPORTSECURITYINFO
 95  NS_DECL_NSISSLSOCKETCONTROL
 96  NS_DECL_NSIINTERFACEREQUESTOR
 97  NS_DECL_NSISSLSTATUSPROVIDER
 98  NS_DECL_NSIASSOCIATEDCONTENTSECURITY
 99  NS_DECL_NSISERIALIZABLE
100  NS_DECL_NSICLASSINFO
101  NS_DECL_NSICLIENTAUTHUSERDECISION
102
103  nsresult SetSecurityState(PRUint32 aState);
104  nsresult SetShortSecurityDescription(const PRUnichar *aText);
105
106  nsresult SetForSTARTTLS(bool aForSTARTTLS);
107  nsresult GetForSTARTTLS(bool *aForSTARTTLS);
108
109  nsresult GetFileDescPtr(PRFileDesc** aFilePtr);
110  nsresult SetFileDescPtr(PRFileDesc* aFilePtr);
111
112  nsresult GetHandshakePending(bool *aHandshakePending);
113  nsresult SetHandshakePending(bool aHandshakePending);
114
115  const char * GetHostName() const {
116    return mHostName.get();
117  }
118  nsresult GetHostName(char **aHostName);
119  nsresult SetHostName(const char *aHostName);
120
121  nsresult GetPort(PRInt32 *aPort);
122  nsresult SetPort(PRInt32 aPort);
123
124  void GetPreviousCert(nsIX509Cert** _result);
125
126  PRErrorCode GetErrorCode() const;
127  void SetCanceled(PRErrorCode errorCode,
128                   ::mozilla::psm::SSLErrorMessageType errorMessageType);
129  
130  void SetHasCleartextPhase(bool aHasCleartextPhase);
131  bool GetHasCleartextPhase();
132  
133  void SetHandshakeInProgress(bool aIsIn);
134  bool GetHandshakeInProgress() { return mHandshakeInProgress; }
135  bool HandshakeTimeout();
136
137  void SetAllowTLSIntoleranceTimeout(bool aAllow);
138
139  nsresult RememberCAChain(CERTCertList *aCertList);
140
141  /* Set SSL Status values */
142  nsresult SetSSLStatus(nsSSLStatus *aSSLStatus);
143  nsSSLStatus* SSLStatus() { return mSSLStatus; }
144  void SetStatusErrorBits(nsIX509Cert & cert, PRUint32 collected_errors);
145
146  PRStatus CloseSocketAndDestroy(
147                const nsNSSShutDownPreventionLock & proofOfLock);
148  
149  bool IsCertIssuerBlacklisted() const {
150    return mIsCertIssuerBlacklisted;
151  }
152  void SetCertIssuerBlacklisted() {
153    mIsCertIssuerBlacklisted = true;
154  }
155
156  void SetNegotiatedNPN(const char *value, PRUint32 length);
157  void SetHandshakeCompleted() { mHandshakeCompleted = true; }
158
159  bool GetJoined() { return mJoined; }
160  void SetSentClientCert() { mSentClientCert = true; }
161  
162  // XXX: These are only used on for diagnostic purposes
163  enum CertVerificationState {
164    before_cert_verification,
165    waiting_for_cert_verification,
166    after_cert_verification
167  };
168  void SetCertVerificationWaiting();
169  // Use errorCode == 0 to indicate success; in that case, errorMessageType is
170  // ignored.
171  void SetCertVerificationResult(PRErrorCode errorCode,
172              ::mozilla::psm::SSLErrorMessageType errorMessageType);
173  
174  // for logging only
175  PRBool IsWaitingForCertVerification() const
176  {
177    return mCertVerificationState == waiting_for_cert_verification;
178  }
179  
180  bool IsSSL3Enabled() const { return mSSL3Enabled; }
181  void SetSSL3Enabled(bool enabled) { mSSL3Enabled = enabled; }
182  bool IsTLSEnabled() const { return mTLSEnabled; }
183  void SetTLSEnabled(bool enabled) { mTLSEnabled = enabled; }
184protected:
185  mutable ::mozilla::Mutex mMutex;
186
187  nsCOMPtr<nsIInterfaceRequestor> mCallbacks;
188  PRFileDesc* mFd;
189  CertVerificationState mCertVerificationState;
190  PRIntervalTime mCertVerificationStarted;
191  PRIntervalTime mCertVerificationEnded;
192  PRUint32 mSecurityState;
193  PRInt32 mSubRequestsHighSecurity;
194  PRInt32 mSubRequestsLowSecurity;
195  PRInt32 mSubRequestsBrokenSecurity;
196  PRInt32 mSubRequestsNoSecurity;
197  nsString mShortDesc;
198
199  PRErrorCode mErrorCode;
200  ::mozilla::psm::SSLErrorMessageType mErrorMessageType;
201  nsString mErrorMessageCached;
202  nsresult formatErrorMessage(::mozilla::MutexAutoLock const & proofOfLock);
203
204  bool mDocShellDependentStuffKnown;
205  bool mExternalErrorReporting; // DocShellDependent
206  bool mForSTARTTLS;
207  bool mSSL3Enabled;
208  bool mTLSEnabled;
209  bool mHandshakePending;
210  bool mHasCleartextPhase;
211  bool mHandshakeInProgress;
212  bool mAllowTLSIntoleranceTimeout;
213  bool mRememberClientAuthCertificate;
214  PRIntervalTime mHandshakeStartTime;
215  PRInt32 mPort;
216  nsXPIDLCString mHostName;
217  PRErrorCode mIsCertIssuerBlacklisted;
218
219  /* SSL Status */
220  nsRefPtr<nsSSLStatus> mSSLStatus;
221
222  nsresult ActivateSSL();
223
224  nsCString mNegotiatedNPN;
225  bool      mNPNCompleted;
226  bool      mHandshakeCompleted;
227  bool      mJoined;
228  bool      mSentClientCert;
229
230private:
231  virtual void virtualDestroyNSSReference();
232  void destructorSafeDestroyNSSReference();
233};
234
235class nsCStringHashSet;
236
237class nsSSLStatus;
238class nsNSSSocketInfo;
239
240class nsPSMRememberCertErrorsTable
241{
242private:
243  struct CertStateBits
244  {
245    bool mIsDomainMismatch;
246    bool mIsNotValidAtThisTime;
247    bool mIsUntrusted;
248  };
249  nsDataHashtableMT<nsCStringHashKey, CertStateBits> mErrorHosts;
250  nsresult GetHostPortKey(nsNSSSocketInfo* infoObject, nsCAutoString& result);
251
252public:
253  friend class nsSSLIOLayerHelpers;
254  nsPSMRememberCertErrorsTable();
255  void RememberCertHasError(nsNSSSocketInfo* infoObject,
256                           nsSSLStatus* status,
257                           SECStatus certVerificationResult);
258  void LookupCertErrorBits(nsNSSSocketInfo* infoObject,
259                           nsSSLStatus* status);
260};
261
262class nsSSLIOLayerHelpers
263{
264public:
265  static nsresult Init();
266  static void Cleanup();
267
268  static bool nsSSLIOLayerInitialized;
269  static PRDescIdentity nsSSLIOLayerIdentity;
270  static PRIOMethods nsSSLIOLayerMethods;
271
272  static mozilla::Mutex *mutex;
273  static nsCStringHashSet *mTLSIntolerantSites;
274  static nsCStringHashSet *mTLSTolerantSites;
275  static nsPSMRememberCertErrorsTable* mHostsWithCertErrors;
276
277  static nsCStringHashSet *mRenegoUnrestrictedSites;
278  static bool mTreatUnsafeNegotiationAsBroken;
279  static PRInt32 mWarnLevelMissingRFC5746;
280
281  static void setTreatUnsafeNegotiationAsBroken(bool broken);
282  static bool treatUnsafeNegotiationAsBroken();
283
284  static void setWarnLevelMissingRFC5746(PRInt32 level);
285  static PRInt32 getWarnLevelMissingRFC5746();
286
287  static void getSiteKey(nsNSSSocketInfo *socketInfo, nsCSubstring &key);
288  static bool rememberPossibleTLSProblemSite(nsNSSSocketInfo *socketInfo);
289  static void rememberTolerantSite(nsNSSSocketInfo *socketInfo);
290
291  static void addIntolerantSite(const nsCString &str);
292  static void removeIntolerantSite(const nsCString &str);
293  static bool isKnownAsIntolerantSite(const nsCString &str);
294
295  static void setRenegoUnrestrictedSites(const nsCString &str);
296  static bool isRenegoUnrestrictedSite(const nsCString &str);
297};
298
299nsresult nsSSLIOLayerNewSocket(PRInt32 family,
300                               const char *host,
301                               PRInt32 port,
302                               const char *proxyHost,
303                               PRInt32 proxyPort,
304                               PRFileDesc **fd,
305                               nsISupports **securityInfo,
306                               bool forSTARTTLS,
307                               bool anonymousLoad);
308
309nsresult nsSSLIOLayerAddToSocket(PRInt32 family,
310                                 const char *host,
311                                 PRInt32 port,
312                                 const char *proxyHost,
313                                 PRInt32 proxyPort,
314                                 PRFileDesc *fd,
315                                 nsISupports **securityInfo,
316                                 bool forSTARTTLS,
317                                 bool anonymousLoad);
318
319nsresult nsSSLIOLayerFreeTLSIntolerantSites();
320nsresult displayUnknownCertErrorAlert(nsNSSSocketInfo *infoObject, int error);
321
322// 16786594-0296-4471-8096-8f84497ca428
323#define NS_NSSSOCKETINFO_CID \
324{ 0x16786594, 0x0296, 0x4471, \
325    { 0x80, 0x96, 0x8f, 0x84, 0x49, 0x7c, 0xa4, 0x28 } }
326
327
328#endif /* _NSNSSIOLAYER_H */