1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
5 * You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 // Original author: ekr@rtfm.com
8
9 #include "transportlayerdtls.h"
10
11 #include <algorithm>
12 #include <queue>
13 #include <sstream>
14
15 #include "dtlsidentity.h"
16 #include "keyhi.h"
17 #include "logging.h"
18 #include "mozilla/Telemetry.h"
19 #include "mozilla/UniquePtr.h"
20 #include "mozilla/Unused.h"
21 #include "nsCOMPtr.h"
22 #include "nsComponentManagerUtils.h"
23 #include "nsComponentManagerUtils.h"
24 #include "nsNetCID.h"
25 #include "nsServiceManagerUtils.h"
26 #include "sslexp.h"
27 #include "sslproto.h"
28 #include "transportflow.h"
29
30 namespace mozilla {
31
32 MOZ_MTLOG_MODULE("mtransport")
33
34 static PRDescIdentity transport_layer_identity = PR_INVALID_IO_LAYER;
35
36 // TODO: Implement a mode for this where
37 // the channel is not ready until confirmed externally
38 // (e.g., after cert check).
39
40 #define UNIMPLEMENTED \
41 MOZ_MTLOG(ML_ERROR, "Call to unimplemented function " << __FUNCTION__); \
42 MOZ_ASSERT(false); \
43 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0)
44
45 #define MAX_ALPN_LENGTH 255
46
47 // We need to adapt the NSPR/libssl model to the TransportFlow model.
48 // The former wants pull semantics and TransportFlow wants push.
49 //
50 // - A TransportLayerDtls assumes it is sitting on top of another
51 // TransportLayer, which means that events come in asynchronously.
52 // - NSS (libssl) wants to sit on top of a PRFileDesc and poll.
53 // - The TransportLayerNSPRAdapter is a PRFileDesc containing a
54 // FIFO.
55 // - When TransportLayerDtls.PacketReceived() is called, we insert
56 // the packets in the FIFO and then do a PR_Recv() on the NSS
57 // PRFileDesc, which eventually reads off the FIFO.
58 //
59 // All of this stuff is assumed to happen solely in a single thread
60 // (generally the SocketTransportService thread)
61
PacketReceived(MediaPacket & packet)62 void TransportLayerNSPRAdapter::PacketReceived(MediaPacket& packet) {
63 if (enabled_) {
64 input_.push(new MediaPacket(std::move(packet)));
65 }
66 }
67
Recv(void * buf,int32_t buflen)68 int32_t TransportLayerNSPRAdapter::Recv(void* buf, int32_t buflen) {
69 if (input_.empty()) {
70 PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
71 return -1;
72 }
73
74 MediaPacket* front = input_.front();
75 int32_t count = static_cast<int32_t>(front->len());
76
77 if (buflen < count) {
78 MOZ_ASSERT(false, "Not enough buffer space to receive into");
79 PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
80 return -1;
81 }
82
83 memcpy(buf, front->data(), count);
84
85 input_.pop();
86 delete front;
87
88 return count;
89 }
90
Write(const void * buf,int32_t length)91 int32_t TransportLayerNSPRAdapter::Write(const void* buf, int32_t length) {
92 if (!enabled_) {
93 MOZ_MTLOG(ML_WARNING, "Writing to disabled transport layer");
94 return -1;
95 }
96
97 MediaPacket packet;
98 // Copies. Oh well.
99 packet.Copy(static_cast<const uint8_t*>(buf), static_cast<size_t>(length));
100 packet.SetType(MediaPacket::DTLS);
101
102 TransportResult r = output_->SendPacket(packet);
103 if (r >= 0) {
104 return r;
105 }
106
107 if (r == TE_WOULDBLOCK) {
108 PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
109 } else {
110 PR_SetError(PR_IO_ERROR, 0);
111 }
112
113 return -1;
114 }
115
116 // Implementation of NSPR methods
TransportLayerClose(PRFileDesc * f)117 static PRStatus TransportLayerClose(PRFileDesc* f) {
118 f->dtor(f);
119 return PR_SUCCESS;
120 }
121
TransportLayerRead(PRFileDesc * f,void * buf,int32_t length)122 static int32_t TransportLayerRead(PRFileDesc* f, void* buf, int32_t length) {
123 UNIMPLEMENTED;
124 return -1;
125 }
126
TransportLayerWrite(PRFileDesc * f,const void * buf,int32_t length)127 static int32_t TransportLayerWrite(PRFileDesc* f, const void* buf,
128 int32_t length) {
129 TransportLayerNSPRAdapter* io =
130 reinterpret_cast<TransportLayerNSPRAdapter*>(f->secret);
131 return io->Write(buf, length);
132 }
133
TransportLayerAvailable(PRFileDesc * f)134 static int32_t TransportLayerAvailable(PRFileDesc* f) {
135 UNIMPLEMENTED;
136 return -1;
137 }
138
TransportLayerAvailable64(PRFileDesc * f)139 int64_t TransportLayerAvailable64(PRFileDesc* f) {
140 UNIMPLEMENTED;
141 return -1;
142 }
143
TransportLayerSync(PRFileDesc * f)144 static PRStatus TransportLayerSync(PRFileDesc* f) {
145 UNIMPLEMENTED;
146 return PR_FAILURE;
147 }
148
TransportLayerSeek(PRFileDesc * f,int32_t offset,PRSeekWhence how)149 static int32_t TransportLayerSeek(PRFileDesc* f, int32_t offset,
150 PRSeekWhence how) {
151 UNIMPLEMENTED;
152 return -1;
153 }
154
TransportLayerSeek64(PRFileDesc * f,int64_t offset,PRSeekWhence how)155 static int64_t TransportLayerSeek64(PRFileDesc* f, int64_t offset,
156 PRSeekWhence how) {
157 UNIMPLEMENTED;
158 return -1;
159 }
160
TransportLayerFileInfo(PRFileDesc * f,PRFileInfo * info)161 static PRStatus TransportLayerFileInfo(PRFileDesc* f, PRFileInfo* info) {
162 UNIMPLEMENTED;
163 return PR_FAILURE;
164 }
165
TransportLayerFileInfo64(PRFileDesc * f,PRFileInfo64 * info)166 static PRStatus TransportLayerFileInfo64(PRFileDesc* f, PRFileInfo64* info) {
167 UNIMPLEMENTED;
168 return PR_FAILURE;
169 }
170
TransportLayerWritev(PRFileDesc * f,const PRIOVec * iov,int32_t iov_size,PRIntervalTime to)171 static int32_t TransportLayerWritev(PRFileDesc* f, const PRIOVec* iov,
172 int32_t iov_size, PRIntervalTime to) {
173 UNIMPLEMENTED;
174 return -1;
175 }
176
TransportLayerConnect(PRFileDesc * f,const PRNetAddr * addr,PRIntervalTime to)177 static PRStatus TransportLayerConnect(PRFileDesc* f, const PRNetAddr* addr,
178 PRIntervalTime to) {
179 UNIMPLEMENTED;
180 return PR_FAILURE;
181 }
182
TransportLayerAccept(PRFileDesc * sd,PRNetAddr * addr,PRIntervalTime to)183 static PRFileDesc* TransportLayerAccept(PRFileDesc* sd, PRNetAddr* addr,
184 PRIntervalTime to) {
185 UNIMPLEMENTED;
186 return nullptr;
187 }
188
TransportLayerBind(PRFileDesc * f,const PRNetAddr * addr)189 static PRStatus TransportLayerBind(PRFileDesc* f, const PRNetAddr* addr) {
190 UNIMPLEMENTED;
191 return PR_FAILURE;
192 }
193
TransportLayerListen(PRFileDesc * f,int32_t depth)194 static PRStatus TransportLayerListen(PRFileDesc* f, int32_t depth) {
195 UNIMPLEMENTED;
196 return PR_FAILURE;
197 }
198
TransportLayerShutdown(PRFileDesc * f,int32_t how)199 static PRStatus TransportLayerShutdown(PRFileDesc* f, int32_t how) {
200 // This is only called from NSS when we are the server and the client refuses
201 // to provide a certificate. In this case, the handshake is destined for
202 // failure, so we will just let this pass.
203 TransportLayerNSPRAdapter* io =
204 reinterpret_cast<TransportLayerNSPRAdapter*>(f->secret);
205 io->SetEnabled(false);
206 return PR_SUCCESS;
207 }
208
209 // This function does not support peek, or waiting until `to`
TransportLayerRecv(PRFileDesc * f,void * buf,int32_t buflen,int32_t flags,PRIntervalTime to)210 static int32_t TransportLayerRecv(PRFileDesc* f, void* buf, int32_t buflen,
211 int32_t flags, PRIntervalTime to) {
212 MOZ_ASSERT(flags == 0);
213 if (flags != 0) {
214 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
215 return -1;
216 }
217
218 TransportLayerNSPRAdapter* io =
219 reinterpret_cast<TransportLayerNSPRAdapter*>(f->secret);
220 return io->Recv(buf, buflen);
221 }
222
223 // Note: this is always nonblocking and assumes a zero timeout.
TransportLayerSend(PRFileDesc * f,const void * buf,int32_t amount,int32_t flags,PRIntervalTime to)224 static int32_t TransportLayerSend(PRFileDesc* f, const void* buf,
225 int32_t amount, int32_t flags,
226 PRIntervalTime to) {
227 int32_t written = TransportLayerWrite(f, buf, amount);
228 return written;
229 }
230
TransportLayerRecvfrom(PRFileDesc * f,void * buf,int32_t amount,int32_t flags,PRNetAddr * addr,PRIntervalTime to)231 static int32_t TransportLayerRecvfrom(PRFileDesc* f, void* buf, int32_t amount,
232 int32_t flags, PRNetAddr* addr,
233 PRIntervalTime to) {
234 UNIMPLEMENTED;
235 return -1;
236 }
237
TransportLayerSendto(PRFileDesc * f,const void * buf,int32_t amount,int32_t flags,const PRNetAddr * addr,PRIntervalTime to)238 static int32_t TransportLayerSendto(PRFileDesc* f, const void* buf,
239 int32_t amount, int32_t flags,
240 const PRNetAddr* addr, PRIntervalTime to) {
241 UNIMPLEMENTED;
242 return -1;
243 }
244
TransportLayerPoll(PRFileDesc * f,int16_t in_flags,int16_t * out_flags)245 static int16_t TransportLayerPoll(PRFileDesc* f, int16_t in_flags,
246 int16_t* out_flags) {
247 UNIMPLEMENTED;
248 return -1;
249 }
250
TransportLayerAcceptRead(PRFileDesc * sd,PRFileDesc ** nd,PRNetAddr ** raddr,void * buf,int32_t amount,PRIntervalTime t)251 static int32_t TransportLayerAcceptRead(PRFileDesc* sd, PRFileDesc** nd,
252 PRNetAddr** raddr, void* buf,
253 int32_t amount, PRIntervalTime t) {
254 UNIMPLEMENTED;
255 return -1;
256 }
257
TransportLayerTransmitFile(PRFileDesc * sd,PRFileDesc * f,const void * headers,int32_t hlen,PRTransmitFileFlags flags,PRIntervalTime t)258 static int32_t TransportLayerTransmitFile(PRFileDesc* sd, PRFileDesc* f,
259 const void* headers, int32_t hlen,
260 PRTransmitFileFlags flags,
261 PRIntervalTime t) {
262 UNIMPLEMENTED;
263 return -1;
264 }
265
TransportLayerGetpeername(PRFileDesc * f,PRNetAddr * addr)266 static PRStatus TransportLayerGetpeername(PRFileDesc* f, PRNetAddr* addr) {
267 // TODO: Modify to return unique names for each channel
268 // somehow, as opposed to always the same static address. The current
269 // implementation messes up the session cache, which is why it's off
270 // elsewhere
271 addr->inet.family = PR_AF_INET;
272 addr->inet.port = 0;
273 addr->inet.ip = 0;
274
275 return PR_SUCCESS;
276 }
277
TransportLayerGetsockname(PRFileDesc * f,PRNetAddr * addr)278 static PRStatus TransportLayerGetsockname(PRFileDesc* f, PRNetAddr* addr) {
279 UNIMPLEMENTED;
280 return PR_FAILURE;
281 }
282
TransportLayerGetsockoption(PRFileDesc * f,PRSocketOptionData * opt)283 static PRStatus TransportLayerGetsockoption(PRFileDesc* f,
284 PRSocketOptionData* opt) {
285 switch (opt->option) {
286 case PR_SockOpt_Nonblocking:
287 opt->value.non_blocking = PR_TRUE;
288 return PR_SUCCESS;
289 default:
290 UNIMPLEMENTED;
291 break;
292 }
293
294 return PR_FAILURE;
295 }
296
297 // Imitate setting socket options. These are mostly noops.
TransportLayerSetsockoption(PRFileDesc * f,const PRSocketOptionData * opt)298 static PRStatus TransportLayerSetsockoption(PRFileDesc* f,
299 const PRSocketOptionData* opt) {
300 switch (opt->option) {
301 case PR_SockOpt_Nonblocking:
302 return PR_SUCCESS;
303 case PR_SockOpt_NoDelay:
304 return PR_SUCCESS;
305 default:
306 UNIMPLEMENTED;
307 break;
308 }
309
310 return PR_FAILURE;
311 }
312
TransportLayerSendfile(PRFileDesc * out,PRSendFileData * in,PRTransmitFileFlags flags,PRIntervalTime to)313 static int32_t TransportLayerSendfile(PRFileDesc* out, PRSendFileData* in,
314 PRTransmitFileFlags flags,
315 PRIntervalTime to) {
316 UNIMPLEMENTED;
317 return -1;
318 }
319
TransportLayerConnectContinue(PRFileDesc * f,int16_t flags)320 static PRStatus TransportLayerConnectContinue(PRFileDesc* f, int16_t flags) {
321 UNIMPLEMENTED;
322 return PR_FAILURE;
323 }
324
TransportLayerReserved(PRFileDesc * f)325 static int32_t TransportLayerReserved(PRFileDesc* f) {
326 UNIMPLEMENTED;
327 return -1;
328 }
329
330 static const struct PRIOMethods TransportLayerMethods = {
331 PR_DESC_LAYERED,
332 TransportLayerClose,
333 TransportLayerRead,
334 TransportLayerWrite,
335 TransportLayerAvailable,
336 TransportLayerAvailable64,
337 TransportLayerSync,
338 TransportLayerSeek,
339 TransportLayerSeek64,
340 TransportLayerFileInfo,
341 TransportLayerFileInfo64,
342 TransportLayerWritev,
343 TransportLayerConnect,
344 TransportLayerAccept,
345 TransportLayerBind,
346 TransportLayerListen,
347 TransportLayerShutdown,
348 TransportLayerRecv,
349 TransportLayerSend,
350 TransportLayerRecvfrom,
351 TransportLayerSendto,
352 TransportLayerPoll,
353 TransportLayerAcceptRead,
354 TransportLayerTransmitFile,
355 TransportLayerGetsockname,
356 TransportLayerGetpeername,
357 TransportLayerReserved,
358 TransportLayerReserved,
359 TransportLayerGetsockoption,
360 TransportLayerSetsockoption,
361 TransportLayerSendfile,
362 TransportLayerConnectContinue,
363 TransportLayerReserved,
364 TransportLayerReserved,
365 TransportLayerReserved,
366 TransportLayerReserved};
367
~TransportLayerDtls()368 TransportLayerDtls::~TransportLayerDtls() {
369 // Destroy the NSS instance first so it can still send out an alert before
370 // we disable the nspr_io_adapter_.
371 ssl_fd_ = nullptr;
372 nspr_io_adapter_->SetEnabled(false);
373 if (timer_) {
374 timer_->Cancel();
375 }
376 }
377
InitInternal()378 nsresult TransportLayerDtls::InitInternal() {
379 // Get the transport service as an event target
380 nsresult rv;
381 target_ = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &rv);
382
383 if (NS_FAILED(rv)) {
384 MOZ_MTLOG(ML_ERROR, "Couldn't get socket transport service");
385 return rv;
386 }
387
388 timer_ = NS_NewTimer();
389 if (!timer_) {
390 MOZ_MTLOG(ML_ERROR, "Couldn't get timer");
391 return rv;
392 }
393
394 return NS_OK;
395 }
396
WasInserted()397 void TransportLayerDtls::WasInserted() {
398 // Connect to the lower layers
399 if (!Setup()) {
400 TL_SET_STATE(TS_ERROR);
401 }
402 }
403
404 // Set the permitted and default ALPN identifiers.
405 // The default is here to allow for peers that don't want to negotiate ALPN
406 // in that case, the default string will be reported from GetNegotiatedAlpn().
407 // Setting the default to the empty string causes the transport layer to fail
408 // if ALPN is not negotiated.
409 // Note: we only support Unicode strings here, which are encoded into UTF-8,
410 // even though ALPN ostensibly allows arbitrary octet sequences.
SetAlpn(const std::set<std::string> & alpn_allowed,const std::string & alpn_default)411 nsresult TransportLayerDtls::SetAlpn(const std::set<std::string>& alpn_allowed,
412 const std::string& alpn_default) {
413 alpn_allowed_ = alpn_allowed;
414 alpn_default_ = alpn_default;
415
416 return NS_OK;
417 }
418
SetVerificationAllowAll()419 nsresult TransportLayerDtls::SetVerificationAllowAll() {
420 // Defensive programming
421 if (verification_mode_ != VERIFY_UNSET) return NS_ERROR_ALREADY_INITIALIZED;
422
423 verification_mode_ = VERIFY_ALLOW_ALL;
424
425 return NS_OK;
426 }
427
SetVerificationDigest(const DtlsDigest & digest)428 nsresult TransportLayerDtls::SetVerificationDigest(const DtlsDigest& digest) {
429 // Defensive programming
430 if (verification_mode_ != VERIFY_UNSET &&
431 verification_mode_ != VERIFY_DIGEST) {
432 return NS_ERROR_ALREADY_INITIALIZED;
433 }
434
435 digests_.push_back(digest);
436 verification_mode_ = VERIFY_DIGEST;
437 return NS_OK;
438 }
439
SetMinMaxVersion(Version min_version,Version max_version)440 void TransportLayerDtls::SetMinMaxVersion(Version min_version,
441 Version max_version) {
442 if (min_version < Version::DTLS_1_0 || min_version > Version::DTLS_1_3 ||
443 max_version < Version::DTLS_1_0 || max_version > Version::DTLS_1_3 ||
444 min_version > max_version || max_version < min_version) {
445 return;
446 }
447 minVersion_ = min_version;
448 maxVersion_ = max_version;
449 }
450
451 // These are the named groups that we will allow.
452 static const SSLNamedGroup NamedGroupPreferences[] = {
453 ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1,
454 ssl_grp_ffdhe_2048, ssl_grp_ffdhe_3072};
455
456 // TODO: make sure this is called from STS. Otherwise
457 // we have thread safety issues
Setup()458 bool TransportLayerDtls::Setup() {
459 CheckThread();
460 SECStatus rv;
461
462 if (!downward_) {
463 MOZ_MTLOG(ML_ERROR, "DTLS layer with nothing below. This is useless");
464 return false;
465 }
466 nspr_io_adapter_ = MakeUnique<TransportLayerNSPRAdapter>(downward_);
467
468 if (!identity_) {
469 MOZ_MTLOG(ML_ERROR, "Can't start DTLS without an identity");
470 return false;
471 }
472
473 if (verification_mode_ == VERIFY_UNSET) {
474 MOZ_MTLOG(ML_ERROR,
475 "Can't start DTLS without specifying a verification mode");
476 return false;
477 }
478
479 if (transport_layer_identity == PR_INVALID_IO_LAYER) {
480 transport_layer_identity = PR_GetUniqueIdentity("nssstreamadapter");
481 }
482
483 UniquePRFileDesc pr_fd(
484 PR_CreateIOLayerStub(transport_layer_identity, &TransportLayerMethods));
485 MOZ_ASSERT(pr_fd != nullptr);
486 if (!pr_fd) return false;
487 pr_fd->secret = reinterpret_cast<PRFilePrivate*>(nspr_io_adapter_.get());
488
489 UniquePRFileDesc ssl_fd(DTLS_ImportFD(nullptr, pr_fd.get()));
490 MOZ_ASSERT(ssl_fd != nullptr); // This should never happen
491 if (!ssl_fd) {
492 return false;
493 }
494
495 Unused << pr_fd.release(); // ownership transfered to ssl_fd;
496
497 if (role_ == CLIENT) {
498 MOZ_MTLOG(ML_INFO, "Setting up DTLS as client");
499 rv = SSL_GetClientAuthDataHook(ssl_fd.get(), GetClientAuthDataHook, this);
500 if (rv != SECSuccess) {
501 MOZ_MTLOG(ML_ERROR, "Couldn't set identity");
502 return false;
503 }
504
505 if (maxVersion_ >= Version::DTLS_1_3) {
506 MOZ_MTLOG(ML_INFO, "Setting DTLS1.3 supported_versions workaround");
507 rv = SSL_SetDtls13VersionWorkaround(ssl_fd.get(), PR_TRUE);
508 if (rv != SECSuccess) {
509 MOZ_MTLOG(ML_ERROR, "Couldn't set DTLS1.3 workaround");
510 return false;
511 }
512 }
513 } else {
514 MOZ_MTLOG(ML_INFO, "Setting up DTLS as server");
515 // Server side
516 rv = SSL_ConfigSecureServer(ssl_fd.get(), identity_->cert().get(),
517 identity_->privkey().get(),
518 identity_->auth_type());
519 if (rv != SECSuccess) {
520 MOZ_MTLOG(ML_ERROR, "Couldn't set identity");
521 return false;
522 }
523
524 UniqueCERTCertList zero_certs(CERT_NewCertList());
525 rv = SSL_SetTrustAnchors(ssl_fd.get(), zero_certs.get());
526 if (rv != SECSuccess) {
527 MOZ_MTLOG(ML_ERROR, "Couldn't set trust anchors");
528 return false;
529 }
530
531 // Insist on a certificate from the client
532 rv = SSL_OptionSet(ssl_fd.get(), SSL_REQUEST_CERTIFICATE, PR_TRUE);
533 if (rv != SECSuccess) {
534 MOZ_MTLOG(ML_ERROR, "Couldn't request certificate");
535 return false;
536 }
537
538 rv = SSL_OptionSet(ssl_fd.get(), SSL_REQUIRE_CERTIFICATE, PR_TRUE);
539 if (rv != SECSuccess) {
540 MOZ_MTLOG(ML_ERROR, "Couldn't require certificate");
541 return false;
542 }
543 }
544
545 SSLVersionRange version_range = {static_cast<PRUint16>(minVersion_),
546 static_cast<PRUint16>(maxVersion_)};
547
548 rv = SSL_VersionRangeSet(ssl_fd.get(), &version_range);
549 if (rv != SECSuccess) {
550 MOZ_MTLOG(ML_ERROR, "Can't disable SSLv3");
551 return false;
552 }
553
554 rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_SESSION_TICKETS, PR_FALSE);
555 if (rv != SECSuccess) {
556 MOZ_MTLOG(ML_ERROR, "Couldn't disable session tickets");
557 return false;
558 }
559
560 rv = SSL_OptionSet(ssl_fd.get(), SSL_NO_CACHE, PR_TRUE);
561 if (rv != SECSuccess) {
562 MOZ_MTLOG(ML_ERROR, "Couldn't disable session caching");
563 return false;
564 }
565
566 rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_DEFLATE, PR_FALSE);
567 if (rv != SECSuccess) {
568 MOZ_MTLOG(ML_ERROR, "Couldn't disable deflate");
569 return false;
570 }
571
572 rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_RENEGOTIATION,
573 SSL_RENEGOTIATE_NEVER);
574 if (rv != SECSuccess) {
575 MOZ_MTLOG(ML_ERROR, "Couldn't disable renegotiation");
576 return false;
577 }
578
579 rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_FALSE_START, PR_FALSE);
580 if (rv != SECSuccess) {
581 MOZ_MTLOG(ML_ERROR, "Couldn't disable false start");
582 return false;
583 }
584
585 rv = SSL_OptionSet(ssl_fd.get(), SSL_NO_LOCKS, PR_TRUE);
586 if (rv != SECSuccess) {
587 MOZ_MTLOG(ML_ERROR, "Couldn't disable locks");
588 return false;
589 }
590
591 rv = SSL_OptionSet(ssl_fd.get(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
592 if (rv != SECSuccess) {
593 MOZ_MTLOG(ML_ERROR, "Couldn't disable ECDHE key reuse");
594 return false;
595 }
596
597 if (!SetupCipherSuites(ssl_fd)) {
598 return false;
599 }
600
601 rv = SSL_NamedGroupConfig(ssl_fd.get(), NamedGroupPreferences,
602 mozilla::ArrayLength(NamedGroupPreferences));
603 if (rv != SECSuccess) {
604 MOZ_MTLOG(ML_ERROR, "Couldn't set named groups");
605 return false;
606 }
607
608 // Certificate validation
609 rv = SSL_AuthCertificateHook(ssl_fd.get(), AuthCertificateHook,
610 reinterpret_cast<void*>(this));
611 if (rv != SECSuccess) {
612 MOZ_MTLOG(ML_ERROR, "Couldn't set certificate validation hook");
613 return false;
614 }
615
616 if (!SetupAlpn(ssl_fd)) {
617 return false;
618 }
619
620 // Now start the handshake
621 rv = SSL_ResetHandshake(ssl_fd.get(), role_ == SERVER ? PR_TRUE : PR_FALSE);
622 if (rv != SECSuccess) {
623 MOZ_MTLOG(ML_ERROR, "Couldn't reset handshake");
624 return false;
625 }
626 ssl_fd_ = std::move(ssl_fd);
627
628 // Finally, get ready to receive data
629 downward_->SignalStateChange.connect(this, &TransportLayerDtls::StateChange);
630 downward_->SignalPacketReceived.connect(this,
631 &TransportLayerDtls::PacketReceived);
632
633 if (downward_->state() == TS_OPEN) {
634 TL_SET_STATE(TS_CONNECTING);
635 Handshake();
636 }
637
638 return true;
639 }
640
SetupAlpn(UniquePRFileDesc & ssl_fd) const641 bool TransportLayerDtls::SetupAlpn(UniquePRFileDesc& ssl_fd) const {
642 if (alpn_allowed_.empty()) {
643 return true;
644 }
645
646 SECStatus rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_NPN, PR_FALSE);
647 if (rv != SECSuccess) {
648 MOZ_MTLOG(ML_ERROR, "Couldn't disable NPN");
649 return false;
650 }
651
652 rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_ALPN, PR_TRUE);
653 if (rv != SECSuccess) {
654 MOZ_MTLOG(ML_ERROR, "Couldn't enable ALPN");
655 return false;
656 }
657
658 unsigned char buf[MAX_ALPN_LENGTH];
659 size_t offset = 0;
660 for (const auto& tag : alpn_allowed_) {
661 if ((offset + 1 + tag.length()) >= sizeof(buf)) {
662 MOZ_MTLOG(ML_ERROR, "ALPN too long");
663 return false;
664 }
665 buf[offset++] = tag.length();
666 memcpy(buf + offset, tag.c_str(), tag.length());
667 offset += tag.length();
668 }
669 rv = SSL_SetNextProtoNego(ssl_fd.get(), buf, offset);
670 if (rv != SECSuccess) {
671 MOZ_MTLOG(ML_ERROR, "Couldn't set ALPN string");
672 return false;
673 }
674 return true;
675 }
676
677 // Ciphers we need to enable. These are on by default in standard firefox
678 // builds, but can be disabled with prefs and they aren't on in our unit tests
679 // since that uses NSS default configuration.
680 //
681 // Only override prefs to comply with MUST statements in the security-arch doc.
682 // Anything outside this list is governed by the usual combination of policy
683 // and user preferences.
684 static const uint32_t EnabledCiphers[] = {
685 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
686 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA};
687
688 // Disable all NSS suites modes without PFS or with old and rusty ciphersuites.
689 // Anything outside this list is governed by the usual combination of policy
690 // and user preferences.
691 static const uint32_t DisabledCiphers[] = {
692 // Bug 1310061: disable all SHA384 ciphers until fixed
693 TLS_AES_256_GCM_SHA384,
694 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
695 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
696 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
697 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
698 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
699 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
700
701 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
702 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
703
704 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
705 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
706 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
707 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
708
709 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
710 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
711 TLS_DHE_DSS_WITH_RC4_128_SHA,
712
713 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
714 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
715 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
716 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
717 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
718 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
719 TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
720 TLS_ECDH_RSA_WITH_RC4_128_SHA,
721
722 TLS_RSA_WITH_AES_128_GCM_SHA256,
723 TLS_RSA_WITH_AES_256_GCM_SHA384,
724 TLS_RSA_WITH_AES_128_CBC_SHA,
725 TLS_RSA_WITH_AES_128_CBC_SHA256,
726 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
727 TLS_RSA_WITH_AES_256_CBC_SHA,
728 TLS_RSA_WITH_AES_256_CBC_SHA256,
729 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
730 TLS_RSA_WITH_SEED_CBC_SHA,
731 TLS_RSA_WITH_3DES_EDE_CBC_SHA,
732 TLS_RSA_WITH_RC4_128_SHA,
733 TLS_RSA_WITH_RC4_128_MD5,
734
735 TLS_DHE_RSA_WITH_DES_CBC_SHA,
736 TLS_DHE_DSS_WITH_DES_CBC_SHA,
737 TLS_RSA_WITH_DES_CBC_SHA,
738
739 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
740 TLS_ECDHE_RSA_WITH_NULL_SHA,
741 TLS_ECDH_ECDSA_WITH_NULL_SHA,
742 TLS_ECDH_RSA_WITH_NULL_SHA,
743 TLS_RSA_WITH_NULL_SHA,
744 TLS_RSA_WITH_NULL_SHA256,
745 TLS_RSA_WITH_NULL_MD5,
746 };
747
SetupCipherSuites(UniquePRFileDesc & ssl_fd)748 bool TransportLayerDtls::SetupCipherSuites(UniquePRFileDesc& ssl_fd) {
749 SECStatus rv;
750
751 // Set the SRTP ciphers
752 if (!enabled_srtp_ciphers_.empty()) {
753 rv = SSL_InstallExtensionHooks(ssl_fd.get(), ssl_use_srtp_xtn,
754 TransportLayerDtls::WriteSrtpXtn, this,
755 TransportLayerDtls::HandleSrtpXtn, this);
756 if (rv != SECSuccess) {
757 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "unable to set SRTP extension handler");
758 return false;
759 }
760 }
761
762 for (const auto& cipher : EnabledCiphers) {
763 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Enabling: " << cipher);
764 rv = SSL_CipherPrefSet(ssl_fd.get(), cipher, PR_TRUE);
765 if (rv != SECSuccess) {
766 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "Unable to enable suite: " << cipher);
767 return false;
768 }
769 }
770
771 for (const auto& cipher : DisabledCiphers) {
772 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Disabling: " << cipher);
773
774 PRBool enabled = false;
775 rv = SSL_CipherPrefGet(ssl_fd.get(), cipher, &enabled);
776 if (rv != SECSuccess) {
777 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "Unable to check if suite is enabled: "
778 << cipher);
779 return false;
780 }
781 if (enabled) {
782 rv = SSL_CipherPrefSet(ssl_fd.get(), cipher, PR_FALSE);
783 if (rv != SECSuccess) {
784 MOZ_MTLOG(ML_NOTICE,
785 LAYER_INFO << "Unable to disable suite: " << cipher);
786 return false;
787 }
788 }
789 }
790
791 return true;
792 }
793
GetCipherSuite(uint16_t * cipherSuite) const794 nsresult TransportLayerDtls::GetCipherSuite(uint16_t* cipherSuite) const {
795 CheckThread();
796 if (!cipherSuite) {
797 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "GetCipherSuite passed a nullptr");
798 return NS_ERROR_NULL_POINTER;
799 }
800 if (state_ != TS_OPEN) {
801 return NS_ERROR_NOT_AVAILABLE;
802 }
803 SSLChannelInfo info;
804 SECStatus rv = SSL_GetChannelInfo(ssl_fd_.get(), &info, sizeof(info));
805 if (rv != SECSuccess) {
806 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "GetCipherSuite can't get channel info");
807 return NS_ERROR_FAILURE;
808 }
809 *cipherSuite = info.cipherSuite;
810 return NS_OK;
811 }
812
GetDefaultSrtpCiphers()813 std::vector<uint16_t> TransportLayerDtls::GetDefaultSrtpCiphers() {
814 std::vector<uint16_t> ciphers;
815
816 ciphers.push_back(kDtlsSrtpAeadAes128Gcm);
817 // Since we don't support DTLS 1.3 or SHA384 ciphers (see bug 1312976)
818 // we don't really enough entropy to prefer this over 128 bit
819 ciphers.push_back(kDtlsSrtpAeadAes256Gcm);
820 ciphers.push_back(kDtlsSrtpAes128CmHmacSha1_80);
821 #ifndef NIGHTLY_BUILD
822 // To support bug 1491583 lets try to find out if we get bug reports if we no
823 // longer offer this in Nightly builds.
824 ciphers.push_back(kDtlsSrtpAes128CmHmacSha1_32);
825 #endif
826
827 return ciphers;
828 }
829
StateChange(TransportLayer * layer,State state)830 void TransportLayerDtls::StateChange(TransportLayer* layer, State state) {
831 switch (state) {
832 case TS_NONE:
833 MOZ_ASSERT(false); // Can't happen
834 break;
835
836 case TS_INIT:
837 MOZ_MTLOG(ML_ERROR,
838 LAYER_INFO << "State change of lower layer to INIT forbidden");
839 TL_SET_STATE(TS_ERROR);
840 break;
841
842 case TS_CONNECTING:
843 MOZ_MTLOG(ML_INFO, LAYER_INFO << "Lower layer is connecting.");
844 break;
845
846 case TS_OPEN:
847 if (timer_) {
848 MOZ_MTLOG(ML_INFO,
849 LAYER_INFO << "Lower layer is now open; starting TLS");
850 timer_->Cancel();
851 timer_->SetTarget(target_);
852 // Async, since the ICE layer might need to send a STUN response, and we
853 // don't want the handshake to start until that is sent.
854 timer_->InitWithNamedFuncCallback(TimerCallback, this, 0,
855 nsITimer::TYPE_ONE_SHOT,
856 "TransportLayerDtls::TimerCallback");
857 TL_SET_STATE(TS_CONNECTING);
858 } else {
859 // We have already completed DTLS. Can happen if the ICE layer failed
860 // due to a loss of network, and then recovered.
861 TL_SET_STATE(TS_OPEN);
862 }
863 break;
864
865 case TS_CLOSED:
866 MOZ_MTLOG(ML_INFO, LAYER_INFO << "Lower layer is now closed");
867 TL_SET_STATE(TS_CLOSED);
868 break;
869
870 case TS_ERROR:
871 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "Lower layer experienced an error");
872 TL_SET_STATE(TS_ERROR);
873 break;
874 }
875 }
876
Handshake()877 void TransportLayerDtls::Handshake() {
878 if (!timer_) {
879 // We are done with DTLS, regardless of the state changes of lower layers
880 return;
881 }
882
883 // Clear the retransmit timer
884 timer_->Cancel();
885
886 MOZ_ASSERT(state_ == TS_CONNECTING);
887
888 SECStatus rv = SSL_ForceHandshake(ssl_fd_.get());
889
890 if (rv == SECSuccess) {
891 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "****** SSL handshake completed ******");
892 if (!cert_ok_) {
893 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "Certificate check never occurred");
894 TL_SET_STATE(TS_ERROR);
895 return;
896 }
897 if (!CheckAlpn()) {
898 // Despite connecting, the connection doesn't have a valid ALPN label.
899 // Forcibly close the connection so that the peer isn't left hanging
900 // (assuming the close_notify isn't dropped).
901 ssl_fd_ = nullptr;
902 TL_SET_STATE(TS_ERROR);
903 return;
904 }
905
906 TL_SET_STATE(TS_OPEN);
907
908 RecordTlsTelemetry();
909 timer_ = nullptr;
910 } else {
911 int32_t err = PR_GetError();
912 switch (err) {
913 case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
914 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "Malformed DTLS message; ignoring");
915 // If this were TLS (and not DTLS), this would be fatal, but
916 // here we're required to ignore bad messages, so fall through
917 [[fallthrough]];
918 case PR_WOULD_BLOCK_ERROR:
919 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "Handshake would have blocked");
920 PRIntervalTime timeout;
921 rv = DTLS_GetHandshakeTimeout(ssl_fd_.get(), &timeout);
922 if (rv == SECSuccess) {
923 uint32_t timeout_ms = PR_IntervalToMilliseconds(timeout);
924
925 MOZ_MTLOG(ML_DEBUG,
926 LAYER_INFO << "Setting DTLS timeout to " << timeout_ms);
927 timer_->SetTarget(target_);
928 timer_->InitWithNamedFuncCallback(
929 TimerCallback, this, timeout_ms, nsITimer::TYPE_ONE_SHOT,
930 "TransportLayerDtls::TimerCallback");
931 }
932 break;
933 default:
934 const char* err_msg = PR_ErrorToName(err);
935 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "DTLS handshake error " << err << " ("
936 << err_msg << ")");
937 TL_SET_STATE(TS_ERROR);
938 break;
939 }
940 }
941 }
942
943 // Checks if ALPN was negotiated correctly and returns false if it wasn't.
944 // After this returns successfully, alpn_ will be set to the negotiated
945 // protocol.
CheckAlpn()946 bool TransportLayerDtls::CheckAlpn() {
947 if (alpn_allowed_.empty()) {
948 return true;
949 }
950
951 SSLNextProtoState alpnState;
952 char chosenAlpn[MAX_ALPN_LENGTH];
953 unsigned int chosenAlpnLen;
954 SECStatus rv = SSL_GetNextProto(ssl_fd_.get(), &alpnState,
955 reinterpret_cast<unsigned char*>(chosenAlpn),
956 &chosenAlpnLen, sizeof(chosenAlpn));
957 if (rv != SECSuccess) {
958 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "ALPN error");
959 return false;
960 }
961 switch (alpnState) {
962 case SSL_NEXT_PROTO_SELECTED:
963 case SSL_NEXT_PROTO_NEGOTIATED:
964 break; // OK
965
966 case SSL_NEXT_PROTO_NO_SUPPORT:
967 MOZ_MTLOG(ML_NOTICE,
968 LAYER_INFO << "ALPN not negotiated, "
969 << (alpn_default_.empty() ? "failing"
970 : "selecting default"));
971 alpn_ = alpn_default_;
972 return !alpn_.empty();
973
974 case SSL_NEXT_PROTO_NO_OVERLAP:
975 // This only happens if there is a custom NPN/ALPN callback installed and
976 // that callback doesn't properly handle ALPN.
977 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "error in ALPN selection callback");
978 return false;
979
980 case SSL_NEXT_PROTO_EARLY_VALUE:
981 MOZ_CRASH("Unexpected 0-RTT ALPN value");
982 return false;
983 }
984
985 // Warning: NSS won't null terminate the ALPN string for us.
986 std::string chosen(chosenAlpn, chosenAlpnLen);
987 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "Selected ALPN string: " << chosen);
988 if (alpn_allowed_.find(chosen) == alpn_allowed_.end()) {
989 // Maybe our peer chose a protocol we didn't offer (when we are client), or
990 // something is seriously wrong.
991 std::ostringstream ss;
992 for (auto i = alpn_allowed_.begin(); i != alpn_allowed_.end(); ++i) {
993 ss << (i == alpn_allowed_.begin() ? " '" : ", '") << *i << "'";
994 }
995 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "Bad ALPN string: '" << chosen
996 << "'; permitted:" << ss.str());
997 return false;
998 }
999 alpn_ = chosen;
1000 return true;
1001 }
1002
PacketReceived(TransportLayer * layer,MediaPacket & packet)1003 void TransportLayerDtls::PacketReceived(TransportLayer* layer,
1004 MediaPacket& packet) {
1005 CheckThread();
1006 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "PacketReceived(" << packet.len() << ")");
1007
1008 if (state_ != TS_CONNECTING && state_ != TS_OPEN) {
1009 MOZ_MTLOG(ML_DEBUG,
1010 LAYER_INFO << "Discarding packet in inappropriate state");
1011 return;
1012 }
1013
1014 if (!packet.data()) {
1015 // Something ate this, probably the SRTP layer
1016 return;
1017 }
1018
1019 if (packet.type() != MediaPacket::DTLS) {
1020 return;
1021 }
1022
1023 nspr_io_adapter_->PacketReceived(packet);
1024 GetDecryptedPackets();
1025 }
1026
GetDecryptedPackets()1027 void TransportLayerDtls::GetDecryptedPackets() {
1028 // If we're still connecting, try to handshake
1029 if (state_ == TS_CONNECTING) {
1030 Handshake();
1031 }
1032
1033 // Now try a recv if we're open, since there might be data left
1034 if (state_ == TS_OPEN) {
1035 int32_t rv;
1036 // One packet might contain several DTLS packets
1037 do {
1038 // nICEr uses a 9216 bytes buffer to allow support for jumbo frames
1039 // Can we peek to get a better idea of the actual size?
1040 static const size_t kBufferSize = 9216;
1041 auto buffer = MakeUnique<uint8_t[]>(kBufferSize);
1042 rv = PR_Recv(ssl_fd_.get(), buffer.get(), kBufferSize, 0,
1043 PR_INTERVAL_NO_WAIT);
1044 if (rv > 0) {
1045 // We have data
1046 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Read " << rv << " bytes from NSS");
1047 MediaPacket packet;
1048 packet.SetType(MediaPacket::SCTP);
1049 packet.Take(std::move(buffer), static_cast<size_t>(rv));
1050 SignalPacketReceived(this, packet);
1051 } else if (rv == 0) {
1052 TL_SET_STATE(TS_CLOSED);
1053 } else {
1054 int32_t err = PR_GetError();
1055
1056 if (err == PR_WOULD_BLOCK_ERROR) {
1057 // This gets ignored
1058 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Receive would have blocked");
1059 } else {
1060 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "NSS Error " << err);
1061 TL_SET_STATE(TS_ERROR);
1062 }
1063 }
1064 } while (rv > 0);
1065 }
1066 }
1067
SetState(State state,const char * file,unsigned line)1068 void TransportLayerDtls::SetState(State state, const char* file,
1069 unsigned line) {
1070 if (timer_) {
1071 switch (state) {
1072 case TS_NONE:
1073 case TS_INIT:
1074 MOZ_ASSERT(false);
1075 break;
1076 case TS_CONNECTING:
1077 break;
1078 case TS_OPEN:
1079 case TS_CLOSED:
1080 case TS_ERROR:
1081 timer_->Cancel();
1082 break;
1083 }
1084 }
1085
1086 TransportLayer::SetState(state, file, line);
1087 }
1088
SendPacket(MediaPacket & packet)1089 TransportResult TransportLayerDtls::SendPacket(MediaPacket& packet) {
1090 CheckThread();
1091 if (state_ != TS_OPEN) {
1092 MOZ_MTLOG(ML_ERROR,
1093 LAYER_INFO << "Can't call SendPacket() in state " << state_);
1094 return TE_ERROR;
1095 }
1096
1097 int32_t rv = PR_Send(ssl_fd_.get(), packet.data(), packet.len(), 0,
1098 PR_INTERVAL_NO_WAIT);
1099
1100 if (rv > 0) {
1101 // We have data
1102 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Wrote " << rv << " bytes to SSL Layer");
1103 return rv;
1104 }
1105
1106 if (rv == 0) {
1107 TL_SET_STATE(TS_CLOSED);
1108 return 0;
1109 }
1110
1111 int32_t err = PR_GetError();
1112
1113 if (err == PR_WOULD_BLOCK_ERROR) {
1114 // This gets ignored
1115 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Send would have blocked");
1116 return TE_WOULDBLOCK;
1117 }
1118
1119 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "NSS Error " << err);
1120 TL_SET_STATE(TS_ERROR);
1121 return TE_ERROR;
1122 }
1123
GetClientAuthDataHook(void * arg,PRFileDesc * fd,CERTDistNames * caNames,CERTCertificate ** pRetCert,SECKEYPrivateKey ** pRetKey)1124 SECStatus TransportLayerDtls::GetClientAuthDataHook(
1125 void* arg, PRFileDesc* fd, CERTDistNames* caNames,
1126 CERTCertificate** pRetCert, SECKEYPrivateKey** pRetKey) {
1127 MOZ_MTLOG(ML_DEBUG, "Server requested client auth");
1128
1129 TransportLayerDtls* stream = reinterpret_cast<TransportLayerDtls*>(arg);
1130 stream->CheckThread();
1131
1132 if (!stream->identity_) {
1133 MOZ_MTLOG(ML_ERROR, "No identity available");
1134 PR_SetError(SSL_ERROR_NO_CERTIFICATE, 0);
1135 return SECFailure;
1136 }
1137
1138 *pRetCert = CERT_DupCertificate(stream->identity_->cert().get());
1139 if (!*pRetCert) {
1140 PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
1141 return SECFailure;
1142 }
1143
1144 *pRetKey = SECKEY_CopyPrivateKey(stream->identity_->privkey().get());
1145 if (!*pRetKey) {
1146 CERT_DestroyCertificate(*pRetCert);
1147 *pRetCert = nullptr;
1148 PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
1149 return SECFailure;
1150 }
1151
1152 return SECSuccess;
1153 }
1154
SetSrtpCiphers(const std::vector<uint16_t> & ciphers)1155 nsresult TransportLayerDtls::SetSrtpCiphers(
1156 const std::vector<uint16_t>& ciphers) {
1157 enabled_srtp_ciphers_ = std::move(ciphers);
1158 return NS_OK;
1159 }
1160
GetSrtpCipher(uint16_t * cipher) const1161 nsresult TransportLayerDtls::GetSrtpCipher(uint16_t* cipher) const {
1162 CheckThread();
1163 if (srtp_cipher_ == 0) {
1164 return NS_ERROR_NOT_AVAILABLE;
1165 }
1166 *cipher = srtp_cipher_;
1167 return NS_OK;
1168 }
1169
WriteUint16(uint8_t * cursor,uint16_t v)1170 static uint8_t* WriteUint16(uint8_t* cursor, uint16_t v) {
1171 *cursor++ = v >> 8;
1172 *cursor++ = v & 0xff;
1173 return cursor;
1174 }
1175
SrtpXtnServerMessage(PRFileDesc * fd)1176 static SSLHandshakeType SrtpXtnServerMessage(PRFileDesc* fd) {
1177 SSLPreliminaryChannelInfo preinfo;
1178 SECStatus rv = SSL_GetPreliminaryChannelInfo(fd, &preinfo, sizeof(preinfo));
1179 if (rv != SECSuccess) {
1180 MOZ_ASSERT(false, "Can't get version info");
1181 return ssl_hs_client_hello;
1182 }
1183 return (preinfo.protocolVersion >= SSL_LIBRARY_VERSION_TLS_1_3)
1184 ? ssl_hs_encrypted_extensions
1185 : ssl_hs_server_hello;
1186 }
1187
1188 /* static */
WriteSrtpXtn(PRFileDesc * fd,SSLHandshakeType message,uint8_t * data,unsigned int * len,unsigned int max_len,void * arg)1189 PRBool TransportLayerDtls::WriteSrtpXtn(PRFileDesc* fd,
1190 SSLHandshakeType message, uint8_t* data,
1191 unsigned int* len, unsigned int max_len,
1192 void* arg) {
1193 auto self = reinterpret_cast<TransportLayerDtls*>(arg);
1194
1195 // ClientHello: send all supported versions.
1196 if (message == ssl_hs_client_hello) {
1197 MOZ_ASSERT(self->role_ == CLIENT);
1198 MOZ_ASSERT(self->enabled_srtp_ciphers_.size(), "Haven't enabled SRTP");
1199 // We will take 2 octets for each cipher, plus a 2 octet length and 1 octet
1200 // for the length of the empty MKI.
1201 if (max_len < self->enabled_srtp_ciphers_.size() * 2 + 3) {
1202 MOZ_ASSERT(false, "Not enough space to send SRTP extension");
1203 return false;
1204 }
1205 uint8_t* cursor = WriteUint16(data, self->enabled_srtp_ciphers_.size() * 2);
1206 for (auto cs : self->enabled_srtp_ciphers_) {
1207 cursor = WriteUint16(cursor, cs);
1208 }
1209 *cursor++ = 0; // MKI is empty
1210 *len = cursor - data;
1211 return true;
1212 }
1213
1214 if (message == SrtpXtnServerMessage(fd)) {
1215 MOZ_ASSERT(self->role_ == SERVER);
1216 if (!self->srtp_cipher_) {
1217 // Not negotiated. Definitely bad, but the connection can fail later.
1218 return false;
1219 }
1220 if (max_len < 5) {
1221 MOZ_ASSERT(false, "Not enough space to send SRTP extension");
1222 return false;
1223 }
1224
1225 uint8_t* cursor = WriteUint16(data, 2); // Length = 2.
1226 cursor = WriteUint16(cursor, self->srtp_cipher_);
1227 *cursor++ = 0; // No MKI
1228 *len = cursor - data;
1229 return true;
1230 }
1231
1232 return false;
1233 }
1234
1235 class TlsParser {
1236 public:
TlsParser(const uint8_t * data,size_t len)1237 TlsParser(const uint8_t* data, size_t len) : cursor_(data), remaining_(len) {}
1238
error() const1239 bool error() const { return error_; }
remaining() const1240 size_t remaining() const { return remaining_; }
1241
1242 template <typename T,
1243 class = typename std::enable_if<std::is_unsigned<T>::value>::type>
Read(T * v,size_t sz=sizeof (T))1244 void Read(T* v, size_t sz = sizeof(T)) {
1245 MOZ_ASSERT(sz <= sizeof(T),
1246 "Type is too small to hold the value requested");
1247 if (remaining_ < sz) {
1248 error_ = true;
1249 return;
1250 }
1251
1252 T result = 0;
1253 for (size_t i = 0; i < sz; ++i) {
1254 result = (result << 8) | *cursor_++;
1255 remaining_--;
1256 }
1257 *v = result;
1258 }
1259
1260 template <typename T,
1261 class = typename std::enable_if<std::is_unsigned<T>::value>::type>
ReadVector(std::vector<T> * v,size_t w)1262 void ReadVector(std::vector<T>* v, size_t w) {
1263 MOZ_ASSERT(v->empty(), "vector needs to be empty");
1264
1265 uint32_t len;
1266 Read(&len, w);
1267 if (error_ || len % sizeof(T) != 0 || len > remaining_) {
1268 error_ = true;
1269 return;
1270 }
1271
1272 size_t count = len / sizeof(T);
1273 v->reserve(count);
1274 for (T i = 0; !error_ && i < count; ++i) {
1275 T item;
1276 Read(&item);
1277 if (!error_) {
1278 v->push_back(item);
1279 }
1280 }
1281 }
1282
Skip(size_t n)1283 void Skip(size_t n) {
1284 if (remaining_ < n) {
1285 error_ = true;
1286 } else {
1287 cursor_ += n;
1288 remaining_ -= n;
1289 }
1290 }
1291
SkipVector(size_t w)1292 size_t SkipVector(size_t w) {
1293 uint32_t len = 0;
1294 Read(&len, w);
1295 Skip(len);
1296 return len;
1297 }
1298
1299 private:
1300 const uint8_t* cursor_;
1301 size_t remaining_;
1302 bool error_ = false;
1303 };
1304
1305 /* static */
HandleSrtpXtn(PRFileDesc * fd,SSLHandshakeType message,const uint8_t * data,unsigned int len,SSLAlertDescription * alert,void * arg)1306 SECStatus TransportLayerDtls::HandleSrtpXtn(
1307 PRFileDesc* fd, SSLHandshakeType message, const uint8_t* data,
1308 unsigned int len, SSLAlertDescription* alert, void* arg) {
1309 static const uint8_t kTlsAlertHandshakeFailure = 40;
1310 static const uint8_t kTlsAlertIllegalParameter = 47;
1311 static const uint8_t kTlsAlertDecodeError = 50;
1312 static const uint8_t kTlsAlertUnsupportedExtension = 110;
1313
1314 auto self = reinterpret_cast<TransportLayerDtls*>(arg);
1315
1316 // Parse the extension.
1317 TlsParser parser(data, len);
1318 std::vector<uint16_t> advertised;
1319 parser.ReadVector(&advertised, 2);
1320 size_t mki_len = parser.SkipVector(1);
1321 if (parser.error() || parser.remaining() > 0) {
1322 *alert = kTlsAlertDecodeError;
1323 return SECFailure;
1324 }
1325
1326 if (message == ssl_hs_client_hello) {
1327 MOZ_ASSERT(self->role_ == SERVER);
1328 if (self->enabled_srtp_ciphers_.empty()) {
1329 // We don't have SRTP enabled, which is probably bad, but no sense in
1330 // having the handshake fail at this point, let the client decide if this
1331 // is a problem.
1332 return SECSuccess;
1333 }
1334
1335 for (auto supported : self->enabled_srtp_ciphers_) {
1336 auto it = std::find(advertised.begin(), advertised.end(), supported);
1337 if (it != advertised.end()) {
1338 self->srtp_cipher_ = supported;
1339 return SECSuccess;
1340 }
1341 }
1342
1343 // No common cipher.
1344 *alert = kTlsAlertHandshakeFailure;
1345 return SECFailure;
1346 }
1347
1348 if (message == SrtpXtnServerMessage(fd)) {
1349 MOZ_ASSERT(self->role_ == CLIENT);
1350 if (advertised.size() != 1 || mki_len > 0) {
1351 *alert = kTlsAlertIllegalParameter;
1352 return SECFailure;
1353 }
1354 self->srtp_cipher_ = advertised[0];
1355 return SECSuccess;
1356 }
1357
1358 *alert = kTlsAlertUnsupportedExtension;
1359 return SECFailure;
1360 }
1361
ExportKeyingMaterial(const std::string & label,bool use_context,const std::string & context,unsigned char * out,unsigned int outlen)1362 nsresult TransportLayerDtls::ExportKeyingMaterial(const std::string& label,
1363 bool use_context,
1364 const std::string& context,
1365 unsigned char* out,
1366 unsigned int outlen) {
1367 CheckThread();
1368 if (state_ != TS_OPEN) {
1369 MOZ_ASSERT(false, "Transport must be open for ExportKeyingMaterial");
1370 return NS_ERROR_NOT_AVAILABLE;
1371 }
1372 SECStatus rv = SSL_ExportKeyingMaterial(
1373 ssl_fd_.get(), label.c_str(), label.size(), use_context,
1374 reinterpret_cast<const unsigned char*>(context.c_str()), context.size(),
1375 out, outlen);
1376 if (rv != SECSuccess) {
1377 MOZ_MTLOG(ML_ERROR, "Couldn't export SSL keying material");
1378 return NS_ERROR_FAILURE;
1379 }
1380
1381 return NS_OK;
1382 }
1383
AuthCertificateHook(void * arg,PRFileDesc * fd,PRBool checksig,PRBool isServer)1384 SECStatus TransportLayerDtls::AuthCertificateHook(void* arg, PRFileDesc* fd,
1385 PRBool checksig,
1386 PRBool isServer) {
1387 TransportLayerDtls* stream = reinterpret_cast<TransportLayerDtls*>(arg);
1388 stream->CheckThread();
1389 return stream->AuthCertificateHook(fd, checksig, isServer);
1390 }
1391
CheckDigest(const DtlsDigest & digest,UniqueCERTCertificate & peer_cert) const1392 SECStatus TransportLayerDtls::CheckDigest(
1393 const DtlsDigest& digest, UniqueCERTCertificate& peer_cert) const {
1394 DtlsDigest computed_digest(digest.algorithm_);
1395
1396 MOZ_MTLOG(ML_DEBUG,
1397 LAYER_INFO << "Checking digest, algorithm=" << digest.algorithm_);
1398 nsresult res = DtlsIdentity::ComputeFingerprint(peer_cert, &computed_digest);
1399 if (NS_FAILED(res)) {
1400 MOZ_MTLOG(ML_ERROR, "Could not compute peer fingerprint for digest "
1401 << digest.algorithm_);
1402 // Go to end
1403 PR_SetError(SSL_ERROR_BAD_CERTIFICATE, 0);
1404 return SECFailure;
1405 }
1406
1407 if (computed_digest != digest) {
1408 MOZ_MTLOG(ML_ERROR, "Digest does not match");
1409 PR_SetError(SSL_ERROR_BAD_CERTIFICATE, 0);
1410 return SECFailure;
1411 }
1412
1413 return SECSuccess;
1414 }
1415
AuthCertificateHook(PRFileDesc * fd,PRBool checksig,PRBool isServer)1416 SECStatus TransportLayerDtls::AuthCertificateHook(PRFileDesc* fd,
1417 PRBool checksig,
1418 PRBool isServer) {
1419 CheckThread();
1420 UniqueCERTCertificate peer_cert(SSL_PeerCertificate(fd));
1421
1422 // We are not set up to take this being called multiple
1423 // times. Change this if we ever add renegotiation.
1424 MOZ_ASSERT(!auth_hook_called_);
1425 if (auth_hook_called_) {
1426 PR_SetError(PR_UNKNOWN_ERROR, 0);
1427 return SECFailure;
1428 }
1429 auth_hook_called_ = true;
1430
1431 MOZ_ASSERT(verification_mode_ != VERIFY_UNSET);
1432
1433 switch (verification_mode_) {
1434 case VERIFY_UNSET:
1435 // Break out to error exit
1436 PR_SetError(PR_UNKNOWN_ERROR, 0);
1437 break;
1438
1439 case VERIFY_ALLOW_ALL:
1440 cert_ok_ = true;
1441 return SECSuccess;
1442
1443 case VERIFY_DIGEST: {
1444 MOZ_ASSERT(digests_.size() != 0);
1445 // Check all the provided digests
1446
1447 // Checking functions call PR_SetError()
1448 SECStatus rv = SECFailure;
1449 for (auto digest : digests_) {
1450 rv = CheckDigest(digest, peer_cert);
1451
1452 // Matches a digest, we are good to go
1453 if (rv == SECSuccess) {
1454 cert_ok_ = true;
1455 return SECSuccess;
1456 }
1457 }
1458 } break;
1459 default:
1460 MOZ_CRASH(); // Can't happen
1461 }
1462
1463 return SECFailure;
1464 }
1465
TimerCallback(nsITimer * timer,void * arg)1466 void TransportLayerDtls::TimerCallback(nsITimer* timer, void* arg) {
1467 TransportLayerDtls* dtls = reinterpret_cast<TransportLayerDtls*>(arg);
1468
1469 MOZ_MTLOG(ML_DEBUG, "DTLS timer expired");
1470
1471 dtls->Handshake();
1472 }
1473
RecordTlsTelemetry()1474 void TransportLayerDtls::RecordTlsTelemetry() {
1475 MOZ_ASSERT(state_ == TS_OPEN);
1476 SSLChannelInfo info;
1477 SECStatus ss = SSL_GetChannelInfo(ssl_fd_.get(), &info, sizeof(info));
1478 if (ss != SECSuccess) {
1479 MOZ_MTLOG(ML_NOTICE,
1480 LAYER_INFO << "RecordTlsTelemetry failed to get channel info");
1481 return;
1482 }
1483
1484 uint16_t telemetry_cipher = 0;
1485
1486 switch (info.cipherSuite) {
1487 /* Old DHE ciphers: candidates for removal, see bug 1227519 */
1488 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
1489 telemetry_cipher = 1;
1490 break;
1491 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
1492 telemetry_cipher = 2;
1493 break;
1494 /* Current ciphers */
1495 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
1496 telemetry_cipher = 3;
1497 break;
1498 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
1499 telemetry_cipher = 4;
1500 break;
1501 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
1502 telemetry_cipher = 5;
1503 break;
1504 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
1505 telemetry_cipher = 6;
1506 break;
1507 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
1508 telemetry_cipher = 7;
1509 break;
1510 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
1511 telemetry_cipher = 8;
1512 break;
1513 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
1514 telemetry_cipher = 9;
1515 break;
1516 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
1517 telemetry_cipher = 10;
1518 break;
1519 /* TLS 1.3 ciphers */
1520 case TLS_AES_128_GCM_SHA256:
1521 telemetry_cipher = 11;
1522 break;
1523 case TLS_CHACHA20_POLY1305_SHA256:
1524 telemetry_cipher = 12;
1525 break;
1526 case TLS_AES_256_GCM_SHA384:
1527 telemetry_cipher = 13;
1528 break;
1529 }
1530
1531 Telemetry::Accumulate(Telemetry::WEBRTC_DTLS_CIPHER, telemetry_cipher);
1532
1533 uint16_t cipher;
1534 nsresult rv = GetSrtpCipher(&cipher);
1535
1536 if (NS_FAILED(rv)) {
1537 MOZ_MTLOG(ML_DEBUG, "No SRTP cipher suite");
1538 return;
1539 }
1540
1541 auto cipher_label = mozilla::Telemetry::LABELS_WEBRTC_SRTP_CIPHER::Unknown;
1542
1543 switch (cipher) {
1544 case kDtlsSrtpAes128CmHmacSha1_80:
1545 cipher_label = Telemetry::LABELS_WEBRTC_SRTP_CIPHER::Aes128CmHmacSha1_80;
1546 break;
1547 case kDtlsSrtpAes128CmHmacSha1_32:
1548 cipher_label = Telemetry::LABELS_WEBRTC_SRTP_CIPHER::Aes128CmHmacSha1_32;
1549 break;
1550 case kDtlsSrtpAeadAes128Gcm:
1551 cipher_label = Telemetry::LABELS_WEBRTC_SRTP_CIPHER::AeadAes128Gcm;
1552 break;
1553 case kDtlsSrtpAeadAes256Gcm:
1554 cipher_label = Telemetry::LABELS_WEBRTC_SRTP_CIPHER::AeadAes256Gcm;
1555 break;
1556 }
1557
1558 Telemetry::AccumulateCategorical(cipher_label);
1559 }
1560
1561 } // namespace mozilla
1562