1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
5 * You can obtain one at http://mozilla.org/MPL/2.0/. */
6
7 // Original author: ekr@rtfm.com
8
9 #include "transportlayerdtls.h"
10
11 #include <algorithm>
12 #include <queue>
13 #include <sstream>
14
15 #include "dtlsidentity.h"
16 #include "keyhi.h"
17 #include "logging.h"
18 #include "mozilla/Telemetry.h"
19 #include "mozilla/UniquePtr.h"
20 #include "mozilla/Unused.h"
21 #include "nsCOMPtr.h"
22 #include "nsComponentManagerUtils.h"
23 #include "nsNetCID.h"
24 #include "nsServiceManagerUtils.h"
25 #include "sslexp.h"
26 #include "sslproto.h"
27 #include "transportflow.h"
28
29 namespace mozilla {
30
31 MOZ_MTLOG_MODULE("mtransport")
32
33 static PRDescIdentity transport_layer_identity = PR_INVALID_IO_LAYER;
34
35 // TODO: Implement a mode for this where
36 // the channel is not ready until confirmed externally
37 // (e.g., after cert check).
38
39 #define UNIMPLEMENTED \
40 MOZ_MTLOG(ML_ERROR, "Call to unimplemented function " << __FUNCTION__); \
41 MOZ_ASSERT(false); \
42 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0)
43
44 #define MAX_ALPN_LENGTH 255
45
46 // We need to adapt the NSPR/libssl model to the TransportFlow model.
47 // The former wants pull semantics and TransportFlow wants push.
48 //
49 // - A TransportLayerDtls assumes it is sitting on top of another
50 // TransportLayer, which means that events come in asynchronously.
51 // - NSS (libssl) wants to sit on top of a PRFileDesc and poll.
52 // - The TransportLayerNSPRAdapter is a PRFileDesc containing a
53 // FIFO.
54 // - When TransportLayerDtls.PacketReceived() is called, we insert
55 // the packets in the FIFO and then do a PR_Recv() on the NSS
56 // PRFileDesc, which eventually reads off the FIFO.
57 //
58 // All of this stuff is assumed to happen solely in a single thread
59 // (generally the SocketTransportService thread)
60
PacketReceived(MediaPacket & packet)61 void TransportLayerNSPRAdapter::PacketReceived(MediaPacket& packet) {
62 if (enabled_) {
63 input_.push(new MediaPacket(std::move(packet)));
64 }
65 }
66
Recv(void * buf,int32_t buflen)67 int32_t TransportLayerNSPRAdapter::Recv(void* buf, int32_t buflen) {
68 if (input_.empty()) {
69 PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
70 return -1;
71 }
72
73 MediaPacket* front = input_.front();
74 int32_t count = static_cast<int32_t>(front->len());
75
76 if (buflen < count) {
77 MOZ_ASSERT(false, "Not enough buffer space to receive into");
78 PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
79 return -1;
80 }
81
82 memcpy(buf, front->data(), count);
83
84 input_.pop();
85 delete front;
86
87 return count;
88 }
89
Write(const void * buf,int32_t length)90 int32_t TransportLayerNSPRAdapter::Write(const void* buf, int32_t length) {
91 if (!enabled_) {
92 MOZ_MTLOG(ML_WARNING, "Writing to disabled transport layer");
93 return -1;
94 }
95
96 MediaPacket packet;
97 // Copies. Oh well.
98 packet.Copy(static_cast<const uint8_t*>(buf), static_cast<size_t>(length));
99 packet.SetType(MediaPacket::DTLS);
100
101 TransportResult r = output_->SendPacket(packet);
102 if (r >= 0) {
103 return r;
104 }
105
106 if (r == TE_WOULDBLOCK) {
107 PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
108 } else {
109 PR_SetError(PR_IO_ERROR, 0);
110 }
111
112 return -1;
113 }
114
115 // Implementation of NSPR methods
TransportLayerClose(PRFileDesc * f)116 static PRStatus TransportLayerClose(PRFileDesc* f) {
117 f->dtor(f);
118 return PR_SUCCESS;
119 }
120
TransportLayerRead(PRFileDesc * f,void * buf,int32_t length)121 static int32_t TransportLayerRead(PRFileDesc* f, void* buf, int32_t length) {
122 UNIMPLEMENTED;
123 return -1;
124 }
125
TransportLayerWrite(PRFileDesc * f,const void * buf,int32_t length)126 static int32_t TransportLayerWrite(PRFileDesc* f, const void* buf,
127 int32_t length) {
128 TransportLayerNSPRAdapter* io =
129 reinterpret_cast<TransportLayerNSPRAdapter*>(f->secret);
130 return io->Write(buf, length);
131 }
132
TransportLayerAvailable(PRFileDesc * f)133 static int32_t TransportLayerAvailable(PRFileDesc* f) {
134 UNIMPLEMENTED;
135 return -1;
136 }
137
TransportLayerAvailable64(PRFileDesc * f)138 int64_t TransportLayerAvailable64(PRFileDesc* f) {
139 UNIMPLEMENTED;
140 return -1;
141 }
142
TransportLayerSync(PRFileDesc * f)143 static PRStatus TransportLayerSync(PRFileDesc* f) {
144 UNIMPLEMENTED;
145 return PR_FAILURE;
146 }
147
TransportLayerSeek(PRFileDesc * f,int32_t offset,PRSeekWhence how)148 static int32_t TransportLayerSeek(PRFileDesc* f, int32_t offset,
149 PRSeekWhence how) {
150 UNIMPLEMENTED;
151 return -1;
152 }
153
TransportLayerSeek64(PRFileDesc * f,int64_t offset,PRSeekWhence how)154 static int64_t TransportLayerSeek64(PRFileDesc* f, int64_t offset,
155 PRSeekWhence how) {
156 UNIMPLEMENTED;
157 return -1;
158 }
159
TransportLayerFileInfo(PRFileDesc * f,PRFileInfo * info)160 static PRStatus TransportLayerFileInfo(PRFileDesc* f, PRFileInfo* info) {
161 UNIMPLEMENTED;
162 return PR_FAILURE;
163 }
164
TransportLayerFileInfo64(PRFileDesc * f,PRFileInfo64 * info)165 static PRStatus TransportLayerFileInfo64(PRFileDesc* f, PRFileInfo64* info) {
166 UNIMPLEMENTED;
167 return PR_FAILURE;
168 }
169
TransportLayerWritev(PRFileDesc * f,const PRIOVec * iov,int32_t iov_size,PRIntervalTime to)170 static int32_t TransportLayerWritev(PRFileDesc* f, const PRIOVec* iov,
171 int32_t iov_size, PRIntervalTime to) {
172 UNIMPLEMENTED;
173 return -1;
174 }
175
TransportLayerConnect(PRFileDesc * f,const PRNetAddr * addr,PRIntervalTime to)176 static PRStatus TransportLayerConnect(PRFileDesc* f, const PRNetAddr* addr,
177 PRIntervalTime to) {
178 UNIMPLEMENTED;
179 return PR_FAILURE;
180 }
181
TransportLayerAccept(PRFileDesc * sd,PRNetAddr * addr,PRIntervalTime to)182 static PRFileDesc* TransportLayerAccept(PRFileDesc* sd, PRNetAddr* addr,
183 PRIntervalTime to) {
184 UNIMPLEMENTED;
185 return nullptr;
186 }
187
TransportLayerBind(PRFileDesc * f,const PRNetAddr * addr)188 static PRStatus TransportLayerBind(PRFileDesc* f, const PRNetAddr* addr) {
189 UNIMPLEMENTED;
190 return PR_FAILURE;
191 }
192
TransportLayerListen(PRFileDesc * f,int32_t depth)193 static PRStatus TransportLayerListen(PRFileDesc* f, int32_t depth) {
194 UNIMPLEMENTED;
195 return PR_FAILURE;
196 }
197
TransportLayerShutdown(PRFileDesc * f,int32_t how)198 static PRStatus TransportLayerShutdown(PRFileDesc* f, int32_t how) {
199 // This is only called from NSS when we are the server and the client refuses
200 // to provide a certificate. In this case, the handshake is destined for
201 // failure, so we will just let this pass.
202 TransportLayerNSPRAdapter* io =
203 reinterpret_cast<TransportLayerNSPRAdapter*>(f->secret);
204 io->SetEnabled(false);
205 return PR_SUCCESS;
206 }
207
208 // This function does not support peek, or waiting until `to`
TransportLayerRecv(PRFileDesc * f,void * buf,int32_t buflen,int32_t flags,PRIntervalTime to)209 static int32_t TransportLayerRecv(PRFileDesc* f, void* buf, int32_t buflen,
210 int32_t flags, PRIntervalTime to) {
211 MOZ_ASSERT(flags == 0);
212 if (flags != 0) {
213 PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
214 return -1;
215 }
216
217 TransportLayerNSPRAdapter* io =
218 reinterpret_cast<TransportLayerNSPRAdapter*>(f->secret);
219 return io->Recv(buf, buflen);
220 }
221
222 // Note: this is always nonblocking and assumes a zero timeout.
TransportLayerSend(PRFileDesc * f,const void * buf,int32_t amount,int32_t flags,PRIntervalTime to)223 static int32_t TransportLayerSend(PRFileDesc* f, const void* buf,
224 int32_t amount, int32_t flags,
225 PRIntervalTime to) {
226 int32_t written = TransportLayerWrite(f, buf, amount);
227 return written;
228 }
229
TransportLayerRecvfrom(PRFileDesc * f,void * buf,int32_t amount,int32_t flags,PRNetAddr * addr,PRIntervalTime to)230 static int32_t TransportLayerRecvfrom(PRFileDesc* f, void* buf, int32_t amount,
231 int32_t flags, PRNetAddr* addr,
232 PRIntervalTime to) {
233 UNIMPLEMENTED;
234 return -1;
235 }
236
TransportLayerSendto(PRFileDesc * f,const void * buf,int32_t amount,int32_t flags,const PRNetAddr * addr,PRIntervalTime to)237 static int32_t TransportLayerSendto(PRFileDesc* f, const void* buf,
238 int32_t amount, int32_t flags,
239 const PRNetAddr* addr, PRIntervalTime to) {
240 UNIMPLEMENTED;
241 return -1;
242 }
243
TransportLayerPoll(PRFileDesc * f,int16_t in_flags,int16_t * out_flags)244 static int16_t TransportLayerPoll(PRFileDesc* f, int16_t in_flags,
245 int16_t* out_flags) {
246 UNIMPLEMENTED;
247 return -1;
248 }
249
TransportLayerAcceptRead(PRFileDesc * sd,PRFileDesc ** nd,PRNetAddr ** raddr,void * buf,int32_t amount,PRIntervalTime t)250 static int32_t TransportLayerAcceptRead(PRFileDesc* sd, PRFileDesc** nd,
251 PRNetAddr** raddr, void* buf,
252 int32_t amount, PRIntervalTime t) {
253 UNIMPLEMENTED;
254 return -1;
255 }
256
TransportLayerTransmitFile(PRFileDesc * sd,PRFileDesc * f,const void * headers,int32_t hlen,PRTransmitFileFlags flags,PRIntervalTime t)257 static int32_t TransportLayerTransmitFile(PRFileDesc* sd, PRFileDesc* f,
258 const void* headers, int32_t hlen,
259 PRTransmitFileFlags flags,
260 PRIntervalTime t) {
261 UNIMPLEMENTED;
262 return -1;
263 }
264
TransportLayerGetpeername(PRFileDesc * f,PRNetAddr * addr)265 static PRStatus TransportLayerGetpeername(PRFileDesc* f, PRNetAddr* addr) {
266 // TODO: Modify to return unique names for each channel
267 // somehow, as opposed to always the same static address. The current
268 // implementation messes up the session cache, which is why it's off
269 // elsewhere
270 addr->inet.family = PR_AF_INET;
271 addr->inet.port = 0;
272 addr->inet.ip = 0;
273
274 return PR_SUCCESS;
275 }
276
TransportLayerGetsockname(PRFileDesc * f,PRNetAddr * addr)277 static PRStatus TransportLayerGetsockname(PRFileDesc* f, PRNetAddr* addr) {
278 UNIMPLEMENTED;
279 return PR_FAILURE;
280 }
281
TransportLayerGetsockoption(PRFileDesc * f,PRSocketOptionData * opt)282 static PRStatus TransportLayerGetsockoption(PRFileDesc* f,
283 PRSocketOptionData* opt) {
284 switch (opt->option) {
285 case PR_SockOpt_Nonblocking:
286 opt->value.non_blocking = PR_TRUE;
287 return PR_SUCCESS;
288 default:
289 UNIMPLEMENTED;
290 break;
291 }
292
293 return PR_FAILURE;
294 }
295
296 // Imitate setting socket options. These are mostly noops.
TransportLayerSetsockoption(PRFileDesc * f,const PRSocketOptionData * opt)297 static PRStatus TransportLayerSetsockoption(PRFileDesc* f,
298 const PRSocketOptionData* opt) {
299 switch (opt->option) {
300 case PR_SockOpt_Nonblocking:
301 return PR_SUCCESS;
302 case PR_SockOpt_NoDelay:
303 return PR_SUCCESS;
304 default:
305 UNIMPLEMENTED;
306 break;
307 }
308
309 return PR_FAILURE;
310 }
311
TransportLayerSendfile(PRFileDesc * out,PRSendFileData * in,PRTransmitFileFlags flags,PRIntervalTime to)312 static int32_t TransportLayerSendfile(PRFileDesc* out, PRSendFileData* in,
313 PRTransmitFileFlags flags,
314 PRIntervalTime to) {
315 UNIMPLEMENTED;
316 return -1;
317 }
318
TransportLayerConnectContinue(PRFileDesc * f,int16_t flags)319 static PRStatus TransportLayerConnectContinue(PRFileDesc* f, int16_t flags) {
320 UNIMPLEMENTED;
321 return PR_FAILURE;
322 }
323
TransportLayerReserved(PRFileDesc * f)324 static int32_t TransportLayerReserved(PRFileDesc* f) {
325 UNIMPLEMENTED;
326 return -1;
327 }
328
329 static const struct PRIOMethods TransportLayerMethods = {
330 PR_DESC_LAYERED,
331 TransportLayerClose,
332 TransportLayerRead,
333 TransportLayerWrite,
334 TransportLayerAvailable,
335 TransportLayerAvailable64,
336 TransportLayerSync,
337 TransportLayerSeek,
338 TransportLayerSeek64,
339 TransportLayerFileInfo,
340 TransportLayerFileInfo64,
341 TransportLayerWritev,
342 TransportLayerConnect,
343 TransportLayerAccept,
344 TransportLayerBind,
345 TransportLayerListen,
346 TransportLayerShutdown,
347 TransportLayerRecv,
348 TransportLayerSend,
349 TransportLayerRecvfrom,
350 TransportLayerSendto,
351 TransportLayerPoll,
352 TransportLayerAcceptRead,
353 TransportLayerTransmitFile,
354 TransportLayerGetsockname,
355 TransportLayerGetpeername,
356 TransportLayerReserved,
357 TransportLayerReserved,
358 TransportLayerGetsockoption,
359 TransportLayerSetsockoption,
360 TransportLayerSendfile,
361 TransportLayerConnectContinue,
362 TransportLayerReserved,
363 TransportLayerReserved,
364 TransportLayerReserved,
365 TransportLayerReserved};
366
~TransportLayerDtls()367 TransportLayerDtls::~TransportLayerDtls() {
368 // Destroy the NSS instance first so it can still send out an alert before
369 // we disable the nspr_io_adapter_.
370 ssl_fd_ = nullptr;
371 nspr_io_adapter_->SetEnabled(false);
372 if (timer_) {
373 timer_->Cancel();
374 }
375 }
376
InitInternal()377 nsresult TransportLayerDtls::InitInternal() {
378 // Get the transport service as an event target
379 nsresult rv;
380 target_ = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &rv);
381
382 if (NS_FAILED(rv)) {
383 MOZ_MTLOG(ML_ERROR, "Couldn't get socket transport service");
384 return rv;
385 }
386
387 timer_ = NS_NewTimer();
388 if (!timer_) {
389 MOZ_MTLOG(ML_ERROR, "Couldn't get timer");
390 return rv;
391 }
392
393 return NS_OK;
394 }
395
WasInserted()396 void TransportLayerDtls::WasInserted() {
397 // Connect to the lower layers
398 if (!Setup()) {
399 TL_SET_STATE(TS_ERROR);
400 }
401 }
402
403 // Set the permitted and default ALPN identifiers.
404 // The default is here to allow for peers that don't want to negotiate ALPN
405 // in that case, the default string will be reported from GetNegotiatedAlpn().
406 // Setting the default to the empty string causes the transport layer to fail
407 // if ALPN is not negotiated.
408 // Note: we only support Unicode strings here, which are encoded into UTF-8,
409 // even though ALPN ostensibly allows arbitrary octet sequences.
SetAlpn(const std::set<std::string> & alpn_allowed,const std::string & alpn_default)410 nsresult TransportLayerDtls::SetAlpn(const std::set<std::string>& alpn_allowed,
411 const std::string& alpn_default) {
412 alpn_allowed_ = alpn_allowed;
413 alpn_default_ = alpn_default;
414
415 return NS_OK;
416 }
417
SetVerificationAllowAll()418 nsresult TransportLayerDtls::SetVerificationAllowAll() {
419 // Defensive programming
420 if (verification_mode_ != VERIFY_UNSET) return NS_ERROR_ALREADY_INITIALIZED;
421
422 verification_mode_ = VERIFY_ALLOW_ALL;
423
424 return NS_OK;
425 }
426
SetVerificationDigest(const DtlsDigest & digest)427 nsresult TransportLayerDtls::SetVerificationDigest(const DtlsDigest& digest) {
428 // Defensive programming
429 if (verification_mode_ != VERIFY_UNSET &&
430 verification_mode_ != VERIFY_DIGEST) {
431 return NS_ERROR_ALREADY_INITIALIZED;
432 }
433
434 digests_.push_back(digest);
435 verification_mode_ = VERIFY_DIGEST;
436 return NS_OK;
437 }
438
SetMinMaxVersion(Version min_version,Version max_version)439 void TransportLayerDtls::SetMinMaxVersion(Version min_version,
440 Version max_version) {
441 if (min_version < Version::DTLS_1_0 || min_version > Version::DTLS_1_3 ||
442 max_version < Version::DTLS_1_0 || max_version > Version::DTLS_1_3 ||
443 min_version > max_version || max_version < min_version) {
444 return;
445 }
446 minVersion_ = min_version;
447 maxVersion_ = max_version;
448 }
449
450 // These are the named groups that we will allow.
451 static const SSLNamedGroup NamedGroupPreferences[] = {
452 ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1,
453 ssl_grp_ffdhe_2048, ssl_grp_ffdhe_3072};
454
455 // TODO: make sure this is called from STS. Otherwise
456 // we have thread safety issues
Setup()457 bool TransportLayerDtls::Setup() {
458 CheckThread();
459 SECStatus rv;
460
461 if (!downward_) {
462 MOZ_MTLOG(ML_ERROR, "DTLS layer with nothing below. This is useless");
463 return false;
464 }
465 nspr_io_adapter_ = MakeUnique<TransportLayerNSPRAdapter>(downward_);
466
467 if (!identity_) {
468 MOZ_MTLOG(ML_ERROR, "Can't start DTLS without an identity");
469 return false;
470 }
471
472 if (verification_mode_ == VERIFY_UNSET) {
473 MOZ_MTLOG(ML_ERROR,
474 "Can't start DTLS without specifying a verification mode");
475 return false;
476 }
477
478 if (transport_layer_identity == PR_INVALID_IO_LAYER) {
479 transport_layer_identity = PR_GetUniqueIdentity("nssstreamadapter");
480 }
481
482 UniquePRFileDesc pr_fd(
483 PR_CreateIOLayerStub(transport_layer_identity, &TransportLayerMethods));
484 MOZ_ASSERT(pr_fd != nullptr);
485 if (!pr_fd) return false;
486 pr_fd->secret = reinterpret_cast<PRFilePrivate*>(nspr_io_adapter_.get());
487
488 UniquePRFileDesc ssl_fd(DTLS_ImportFD(nullptr, pr_fd.get()));
489 MOZ_ASSERT(ssl_fd != nullptr); // This should never happen
490 if (!ssl_fd) {
491 return false;
492 }
493
494 Unused << pr_fd.release(); // ownership transfered to ssl_fd;
495
496 if (role_ == CLIENT) {
497 MOZ_MTLOG(ML_INFO, "Setting up DTLS as client");
498 rv = SSL_GetClientAuthDataHook(ssl_fd.get(), GetClientAuthDataHook, this);
499 if (rv != SECSuccess) {
500 MOZ_MTLOG(ML_ERROR, "Couldn't set identity");
501 return false;
502 }
503
504 if (maxVersion_ >= Version::DTLS_1_3) {
505 MOZ_MTLOG(ML_INFO, "Setting DTLS1.3 supported_versions workaround");
506 rv = SSL_SetDtls13VersionWorkaround(ssl_fd.get(), PR_TRUE);
507 if (rv != SECSuccess) {
508 MOZ_MTLOG(ML_ERROR, "Couldn't set DTLS1.3 workaround");
509 return false;
510 }
511 }
512 } else {
513 MOZ_MTLOG(ML_INFO, "Setting up DTLS as server");
514 // Server side
515 rv = SSL_ConfigSecureServer(ssl_fd.get(), identity_->cert().get(),
516 identity_->privkey().get(),
517 identity_->auth_type());
518 if (rv != SECSuccess) {
519 MOZ_MTLOG(ML_ERROR, "Couldn't set identity");
520 return false;
521 }
522
523 UniqueCERTCertList zero_certs(CERT_NewCertList());
524 rv = SSL_SetTrustAnchors(ssl_fd.get(), zero_certs.get());
525 if (rv != SECSuccess) {
526 MOZ_MTLOG(ML_ERROR, "Couldn't set trust anchors");
527 return false;
528 }
529
530 // Insist on a certificate from the client
531 rv = SSL_OptionSet(ssl_fd.get(), SSL_REQUEST_CERTIFICATE, PR_TRUE);
532 if (rv != SECSuccess) {
533 MOZ_MTLOG(ML_ERROR, "Couldn't request certificate");
534 return false;
535 }
536
537 rv = SSL_OptionSet(ssl_fd.get(), SSL_REQUIRE_CERTIFICATE, PR_TRUE);
538 if (rv != SECSuccess) {
539 MOZ_MTLOG(ML_ERROR, "Couldn't require certificate");
540 return false;
541 }
542 }
543
544 SSLVersionRange version_range = {static_cast<PRUint16>(minVersion_),
545 static_cast<PRUint16>(maxVersion_)};
546
547 rv = SSL_VersionRangeSet(ssl_fd.get(), &version_range);
548 if (rv != SECSuccess) {
549 MOZ_MTLOG(ML_ERROR, "Can't disable SSLv3");
550 return false;
551 }
552
553 rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_SESSION_TICKETS, PR_FALSE);
554 if (rv != SECSuccess) {
555 MOZ_MTLOG(ML_ERROR, "Couldn't disable session tickets");
556 return false;
557 }
558
559 rv = SSL_OptionSet(ssl_fd.get(), SSL_NO_CACHE, PR_TRUE);
560 if (rv != SECSuccess) {
561 MOZ_MTLOG(ML_ERROR, "Couldn't disable session caching");
562 return false;
563 }
564
565 rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_DEFLATE, PR_FALSE);
566 if (rv != SECSuccess) {
567 MOZ_MTLOG(ML_ERROR, "Couldn't disable deflate");
568 return false;
569 }
570
571 rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_RENEGOTIATION,
572 SSL_RENEGOTIATE_NEVER);
573 if (rv != SECSuccess) {
574 MOZ_MTLOG(ML_ERROR, "Couldn't disable renegotiation");
575 return false;
576 }
577
578 rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_FALSE_START, PR_FALSE);
579 if (rv != SECSuccess) {
580 MOZ_MTLOG(ML_ERROR, "Couldn't disable false start");
581 return false;
582 }
583
584 rv = SSL_OptionSet(ssl_fd.get(), SSL_NO_LOCKS, PR_TRUE);
585 if (rv != SECSuccess) {
586 MOZ_MTLOG(ML_ERROR, "Couldn't disable locks");
587 return false;
588 }
589
590 rv = SSL_OptionSet(ssl_fd.get(), SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
591 if (rv != SECSuccess) {
592 MOZ_MTLOG(ML_ERROR, "Couldn't disable ECDHE key reuse");
593 return false;
594 }
595
596 if (!SetupCipherSuites(ssl_fd)) {
597 return false;
598 }
599
600 rv = SSL_NamedGroupConfig(ssl_fd.get(), NamedGroupPreferences,
601 mozilla::ArrayLength(NamedGroupPreferences));
602 if (rv != SECSuccess) {
603 MOZ_MTLOG(ML_ERROR, "Couldn't set named groups");
604 return false;
605 }
606
607 // Certificate validation
608 rv = SSL_AuthCertificateHook(ssl_fd.get(), AuthCertificateHook,
609 reinterpret_cast<void*>(this));
610 if (rv != SECSuccess) {
611 MOZ_MTLOG(ML_ERROR, "Couldn't set certificate validation hook");
612 return false;
613 }
614
615 if (!SetupAlpn(ssl_fd)) {
616 return false;
617 }
618
619 // Now start the handshake
620 rv = SSL_ResetHandshake(ssl_fd.get(), role_ == SERVER ? PR_TRUE : PR_FALSE);
621 if (rv != SECSuccess) {
622 MOZ_MTLOG(ML_ERROR, "Couldn't reset handshake");
623 return false;
624 }
625 ssl_fd_ = std::move(ssl_fd);
626
627 // Finally, get ready to receive data
628 downward_->SignalStateChange.connect(this, &TransportLayerDtls::StateChange);
629 downward_->SignalPacketReceived.connect(this,
630 &TransportLayerDtls::PacketReceived);
631
632 if (downward_->state() == TS_OPEN) {
633 TL_SET_STATE(TS_CONNECTING);
634 Handshake();
635 }
636
637 return true;
638 }
639
SetupAlpn(UniquePRFileDesc & ssl_fd) const640 bool TransportLayerDtls::SetupAlpn(UniquePRFileDesc& ssl_fd) const {
641 if (alpn_allowed_.empty()) {
642 return true;
643 }
644
645 SECStatus rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_NPN, PR_FALSE);
646 if (rv != SECSuccess) {
647 MOZ_MTLOG(ML_ERROR, "Couldn't disable NPN");
648 return false;
649 }
650
651 rv = SSL_OptionSet(ssl_fd.get(), SSL_ENABLE_ALPN, PR_TRUE);
652 if (rv != SECSuccess) {
653 MOZ_MTLOG(ML_ERROR, "Couldn't enable ALPN");
654 return false;
655 }
656
657 unsigned char buf[MAX_ALPN_LENGTH];
658 size_t offset = 0;
659 for (const auto& tag : alpn_allowed_) {
660 if ((offset + 1 + tag.length()) >= sizeof(buf)) {
661 MOZ_MTLOG(ML_ERROR, "ALPN too long");
662 return false;
663 }
664 buf[offset++] = tag.length();
665 memcpy(buf + offset, tag.c_str(), tag.length());
666 offset += tag.length();
667 }
668 rv = SSL_SetNextProtoNego(ssl_fd.get(), buf, offset);
669 if (rv != SECSuccess) {
670 MOZ_MTLOG(ML_ERROR, "Couldn't set ALPN string");
671 return false;
672 }
673 return true;
674 }
675
676 // Ciphers we need to enable. These are on by default in standard firefox
677 // builds, but can be disabled with prefs and they aren't on in our unit tests
678 // since that uses NSS default configuration.
679 //
680 // Only override prefs to comply with MUST statements in the security-arch doc.
681 // Anything outside this list is governed by the usual combination of policy
682 // and user preferences.
683 static const uint32_t EnabledCiphers[] = {
684 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
685 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA};
686
687 // Disable all NSS suites modes without PFS or with old and rusty ciphersuites.
688 // Anything outside this list is governed by the usual combination of policy
689 // and user preferences.
690 static const uint32_t DisabledCiphers[] = {
691 // Bug 1310061: disable all SHA384 ciphers until fixed
692 TLS_AES_256_GCM_SHA384,
693 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
694 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
695 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
696 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
697 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
698 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
699
700 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
701 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
702
703 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
704 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
705 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
706 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
707
708 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
709 TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
710 TLS_DHE_DSS_WITH_RC4_128_SHA,
711
712 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
713 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
714 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
715 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
716 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
717 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
718 TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
719 TLS_ECDH_RSA_WITH_RC4_128_SHA,
720
721 TLS_RSA_WITH_AES_128_GCM_SHA256,
722 TLS_RSA_WITH_AES_256_GCM_SHA384,
723 TLS_RSA_WITH_AES_128_CBC_SHA,
724 TLS_RSA_WITH_AES_128_CBC_SHA256,
725 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
726 TLS_RSA_WITH_AES_256_CBC_SHA,
727 TLS_RSA_WITH_AES_256_CBC_SHA256,
728 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
729 TLS_RSA_WITH_SEED_CBC_SHA,
730 TLS_RSA_WITH_3DES_EDE_CBC_SHA,
731 TLS_RSA_WITH_RC4_128_SHA,
732 TLS_RSA_WITH_RC4_128_MD5,
733
734 TLS_DHE_RSA_WITH_DES_CBC_SHA,
735 TLS_DHE_DSS_WITH_DES_CBC_SHA,
736 TLS_RSA_WITH_DES_CBC_SHA,
737
738 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
739 TLS_ECDHE_RSA_WITH_NULL_SHA,
740 TLS_ECDH_ECDSA_WITH_NULL_SHA,
741 TLS_ECDH_RSA_WITH_NULL_SHA,
742 TLS_RSA_WITH_NULL_SHA,
743 TLS_RSA_WITH_NULL_SHA256,
744 TLS_RSA_WITH_NULL_MD5,
745 };
746
SetupCipherSuites(UniquePRFileDesc & ssl_fd)747 bool TransportLayerDtls::SetupCipherSuites(UniquePRFileDesc& ssl_fd) {
748 SECStatus rv;
749
750 // Set the SRTP ciphers
751 if (!enabled_srtp_ciphers_.empty()) {
752 rv = SSL_InstallExtensionHooks(ssl_fd.get(), ssl_use_srtp_xtn,
753 TransportLayerDtls::WriteSrtpXtn, this,
754 TransportLayerDtls::HandleSrtpXtn, this);
755 if (rv != SECSuccess) {
756 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "unable to set SRTP extension handler");
757 return false;
758 }
759 }
760
761 for (const auto& cipher : EnabledCiphers) {
762 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Enabling: " << cipher);
763 rv = SSL_CipherPrefSet(ssl_fd.get(), cipher, PR_TRUE);
764 if (rv != SECSuccess) {
765 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "Unable to enable suite: " << cipher);
766 return false;
767 }
768 }
769
770 for (const auto& cipher : DisabledCiphers) {
771 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Disabling: " << cipher);
772
773 PRBool enabled = false;
774 rv = SSL_CipherPrefGet(ssl_fd.get(), cipher, &enabled);
775 if (rv != SECSuccess) {
776 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "Unable to check if suite is enabled: "
777 << cipher);
778 return false;
779 }
780 if (enabled) {
781 rv = SSL_CipherPrefSet(ssl_fd.get(), cipher, PR_FALSE);
782 if (rv != SECSuccess) {
783 MOZ_MTLOG(ML_NOTICE,
784 LAYER_INFO << "Unable to disable suite: " << cipher);
785 return false;
786 }
787 }
788 }
789
790 return true;
791 }
792
GetCipherSuite(uint16_t * cipherSuite) const793 nsresult TransportLayerDtls::GetCipherSuite(uint16_t* cipherSuite) const {
794 CheckThread();
795 if (!cipherSuite) {
796 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "GetCipherSuite passed a nullptr");
797 return NS_ERROR_NULL_POINTER;
798 }
799 if (state_ != TS_OPEN) {
800 return NS_ERROR_NOT_AVAILABLE;
801 }
802 SSLChannelInfo info;
803 SECStatus rv = SSL_GetChannelInfo(ssl_fd_.get(), &info, sizeof(info));
804 if (rv != SECSuccess) {
805 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "GetCipherSuite can't get channel info");
806 return NS_ERROR_FAILURE;
807 }
808 *cipherSuite = info.cipherSuite;
809 return NS_OK;
810 }
811
GetDefaultSrtpCiphers()812 std::vector<uint16_t> TransportLayerDtls::GetDefaultSrtpCiphers() {
813 std::vector<uint16_t> ciphers;
814
815 ciphers.push_back(kDtlsSrtpAeadAes128Gcm);
816 // Since we don't support DTLS 1.3 or SHA384 ciphers (see bug 1312976)
817 // we don't really enough entropy to prefer this over 128 bit
818 ciphers.push_back(kDtlsSrtpAeadAes256Gcm);
819 ciphers.push_back(kDtlsSrtpAes128CmHmacSha1_80);
820 #ifndef NIGHTLY_BUILD
821 // To support bug 1491583 lets try to find out if we get bug reports if we no
822 // longer offer this in Nightly builds.
823 ciphers.push_back(kDtlsSrtpAes128CmHmacSha1_32);
824 #endif
825
826 return ciphers;
827 }
828
StateChange(TransportLayer * layer,State state)829 void TransportLayerDtls::StateChange(TransportLayer* layer, State state) {
830 switch (state) {
831 case TS_NONE:
832 MOZ_ASSERT(false); // Can't happen
833 break;
834
835 case TS_INIT:
836 MOZ_MTLOG(ML_ERROR,
837 LAYER_INFO << "State change of lower layer to INIT forbidden");
838 TL_SET_STATE(TS_ERROR);
839 break;
840
841 case TS_CONNECTING:
842 MOZ_MTLOG(ML_INFO, LAYER_INFO << "Lower layer is connecting.");
843 break;
844
845 case TS_OPEN:
846 if (timer_) {
847 MOZ_MTLOG(ML_INFO,
848 LAYER_INFO << "Lower layer is now open; starting TLS");
849 timer_->Cancel();
850 timer_->SetTarget(target_);
851 // Async, since the ICE layer might need to send a STUN response, and we
852 // don't want the handshake to start until that is sent.
853 timer_->InitWithNamedFuncCallback(TimerCallback, this, 0,
854 nsITimer::TYPE_ONE_SHOT,
855 "TransportLayerDtls::TimerCallback");
856 TL_SET_STATE(TS_CONNECTING);
857 } else {
858 // We have already completed DTLS. Can happen if the ICE layer failed
859 // due to a loss of network, and then recovered.
860 TL_SET_STATE(TS_OPEN);
861 }
862 break;
863
864 case TS_CLOSED:
865 MOZ_MTLOG(ML_INFO, LAYER_INFO << "Lower layer is now closed");
866 TL_SET_STATE(TS_CLOSED);
867 break;
868
869 case TS_ERROR:
870 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "Lower layer experienced an error");
871 TL_SET_STATE(TS_ERROR);
872 break;
873 }
874 }
875
Handshake()876 void TransportLayerDtls::Handshake() {
877 if (!timer_) {
878 // We are done with DTLS, regardless of the state changes of lower layers
879 return;
880 }
881
882 // Clear the retransmit timer
883 timer_->Cancel();
884
885 MOZ_ASSERT(state_ == TS_CONNECTING);
886
887 SECStatus rv = SSL_ForceHandshake(ssl_fd_.get());
888
889 if (rv == SECSuccess) {
890 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "****** SSL handshake completed ******");
891 if (!cert_ok_) {
892 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "Certificate check never occurred");
893 TL_SET_STATE(TS_ERROR);
894 return;
895 }
896 if (!CheckAlpn()) {
897 // Despite connecting, the connection doesn't have a valid ALPN label.
898 // Forcibly close the connection so that the peer isn't left hanging
899 // (assuming the close_notify isn't dropped).
900 ssl_fd_ = nullptr;
901 TL_SET_STATE(TS_ERROR);
902 return;
903 }
904
905 TL_SET_STATE(TS_OPEN);
906
907 RecordTlsTelemetry();
908 timer_ = nullptr;
909 } else {
910 int32_t err = PR_GetError();
911 switch (err) {
912 case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
913 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "Malformed DTLS message; ignoring");
914 // If this were TLS (and not DTLS), this would be fatal, but
915 // here we're required to ignore bad messages, so fall through
916 [[fallthrough]];
917 case PR_WOULD_BLOCK_ERROR:
918 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "Handshake would have blocked");
919 PRIntervalTime timeout;
920 rv = DTLS_GetHandshakeTimeout(ssl_fd_.get(), &timeout);
921 if (rv == SECSuccess) {
922 uint32_t timeout_ms = PR_IntervalToMilliseconds(timeout);
923
924 MOZ_MTLOG(ML_DEBUG,
925 LAYER_INFO << "Setting DTLS timeout to " << timeout_ms);
926 timer_->SetTarget(target_);
927 timer_->InitWithNamedFuncCallback(
928 TimerCallback, this, timeout_ms, nsITimer::TYPE_ONE_SHOT,
929 "TransportLayerDtls::TimerCallback");
930 }
931 break;
932 default:
933 const char* err_msg = PR_ErrorToName(err);
934 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "DTLS handshake error " << err << " ("
935 << err_msg << ")");
936 TL_SET_STATE(TS_ERROR);
937 break;
938 }
939 }
940 }
941
942 // Checks if ALPN was negotiated correctly and returns false if it wasn't.
943 // After this returns successfully, alpn_ will be set to the negotiated
944 // protocol.
CheckAlpn()945 bool TransportLayerDtls::CheckAlpn() {
946 if (alpn_allowed_.empty()) {
947 return true;
948 }
949
950 SSLNextProtoState alpnState;
951 char chosenAlpn[MAX_ALPN_LENGTH];
952 unsigned int chosenAlpnLen;
953 SECStatus rv = SSL_GetNextProto(ssl_fd_.get(), &alpnState,
954 reinterpret_cast<unsigned char*>(chosenAlpn),
955 &chosenAlpnLen, sizeof(chosenAlpn));
956 if (rv != SECSuccess) {
957 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "ALPN error");
958 return false;
959 }
960 switch (alpnState) {
961 case SSL_NEXT_PROTO_SELECTED:
962 case SSL_NEXT_PROTO_NEGOTIATED:
963 break; // OK
964
965 case SSL_NEXT_PROTO_NO_SUPPORT:
966 MOZ_MTLOG(ML_NOTICE,
967 LAYER_INFO << "ALPN not negotiated, "
968 << (alpn_default_.empty() ? "failing"
969 : "selecting default"));
970 alpn_ = alpn_default_;
971 return !alpn_.empty();
972
973 case SSL_NEXT_PROTO_NO_OVERLAP:
974 // This only happens if there is a custom NPN/ALPN callback installed and
975 // that callback doesn't properly handle ALPN.
976 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "error in ALPN selection callback");
977 return false;
978
979 case SSL_NEXT_PROTO_EARLY_VALUE:
980 MOZ_CRASH("Unexpected 0-RTT ALPN value");
981 return false;
982 }
983
984 // Warning: NSS won't null terminate the ALPN string for us.
985 std::string chosen(chosenAlpn, chosenAlpnLen);
986 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "Selected ALPN string: " << chosen);
987 if (alpn_allowed_.find(chosen) == alpn_allowed_.end()) {
988 // Maybe our peer chose a protocol we didn't offer (when we are client), or
989 // something is seriously wrong.
990 std::ostringstream ss;
991 for (auto i = alpn_allowed_.begin(); i != alpn_allowed_.end(); ++i) {
992 ss << (i == alpn_allowed_.begin() ? " '" : ", '") << *i << "'";
993 }
994 MOZ_MTLOG(ML_ERROR, LAYER_INFO << "Bad ALPN string: '" << chosen
995 << "'; permitted:" << ss.str());
996 return false;
997 }
998 alpn_ = chosen;
999 return true;
1000 }
1001
PacketReceived(TransportLayer * layer,MediaPacket & packet)1002 void TransportLayerDtls::PacketReceived(TransportLayer* layer,
1003 MediaPacket& packet) {
1004 CheckThread();
1005 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "PacketReceived(" << packet.len() << ")");
1006
1007 if (state_ != TS_CONNECTING && state_ != TS_OPEN) {
1008 MOZ_MTLOG(ML_DEBUG,
1009 LAYER_INFO << "Discarding packet in inappropriate state");
1010 return;
1011 }
1012
1013 if (!packet.data()) {
1014 // Something ate this, probably the SRTP layer
1015 return;
1016 }
1017
1018 if (packet.type() != MediaPacket::DTLS) {
1019 return;
1020 }
1021
1022 nspr_io_adapter_->PacketReceived(packet);
1023 GetDecryptedPackets();
1024 }
1025
GetDecryptedPackets()1026 void TransportLayerDtls::GetDecryptedPackets() {
1027 // If we're still connecting, try to handshake
1028 if (state_ == TS_CONNECTING) {
1029 Handshake();
1030 }
1031
1032 // Now try a recv if we're open, since there might be data left
1033 if (state_ == TS_OPEN) {
1034 int32_t rv;
1035 // One packet might contain several DTLS packets
1036 do {
1037 // nICEr uses a 9216 bytes buffer to allow support for jumbo frames
1038 // Can we peek to get a better idea of the actual size?
1039 static const size_t kBufferSize = 9216;
1040 auto buffer = MakeUnique<uint8_t[]>(kBufferSize);
1041 rv = PR_Recv(ssl_fd_.get(), buffer.get(), kBufferSize, 0,
1042 PR_INTERVAL_NO_WAIT);
1043 if (rv > 0) {
1044 // We have data
1045 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Read " << rv << " bytes from NSS");
1046 MediaPacket packet;
1047 packet.SetType(MediaPacket::SCTP);
1048 packet.Take(std::move(buffer), static_cast<size_t>(rv));
1049 SignalPacketReceived(this, packet);
1050 } else if (rv == 0) {
1051 TL_SET_STATE(TS_CLOSED);
1052 } else {
1053 int32_t err = PR_GetError();
1054
1055 if (err == PR_WOULD_BLOCK_ERROR) {
1056 // This gets ignored
1057 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Receive would have blocked");
1058 } else {
1059 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "NSS Error " << err);
1060 TL_SET_STATE(TS_ERROR);
1061 }
1062 }
1063 } while (rv > 0);
1064 }
1065 }
1066
SetState(State state,const char * file,unsigned line)1067 void TransportLayerDtls::SetState(State state, const char* file,
1068 unsigned line) {
1069 if (timer_) {
1070 switch (state) {
1071 case TS_NONE:
1072 case TS_INIT:
1073 MOZ_ASSERT(false);
1074 break;
1075 case TS_CONNECTING:
1076 break;
1077 case TS_OPEN:
1078 case TS_CLOSED:
1079 case TS_ERROR:
1080 timer_->Cancel();
1081 break;
1082 }
1083 }
1084
1085 TransportLayer::SetState(state, file, line);
1086 }
1087
SendPacket(MediaPacket & packet)1088 TransportResult TransportLayerDtls::SendPacket(MediaPacket& packet) {
1089 CheckThread();
1090 if (state_ != TS_OPEN) {
1091 MOZ_MTLOG(ML_ERROR,
1092 LAYER_INFO << "Can't call SendPacket() in state " << state_);
1093 return TE_ERROR;
1094 }
1095
1096 int32_t rv = PR_Send(ssl_fd_.get(), packet.data(), packet.len(), 0,
1097 PR_INTERVAL_NO_WAIT);
1098
1099 if (rv > 0) {
1100 // We have data
1101 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Wrote " << rv << " bytes to SSL Layer");
1102 return rv;
1103 }
1104
1105 if (rv == 0) {
1106 TL_SET_STATE(TS_CLOSED);
1107 return 0;
1108 }
1109
1110 int32_t err = PR_GetError();
1111
1112 if (err == PR_WOULD_BLOCK_ERROR) {
1113 // This gets ignored
1114 MOZ_MTLOG(ML_DEBUG, LAYER_INFO << "Send would have blocked");
1115 return TE_WOULDBLOCK;
1116 }
1117
1118 MOZ_MTLOG(ML_NOTICE, LAYER_INFO << "NSS Error " << err);
1119 TL_SET_STATE(TS_ERROR);
1120 return TE_ERROR;
1121 }
1122
GetClientAuthDataHook(void * arg,PRFileDesc * fd,CERTDistNames * caNames,CERTCertificate ** pRetCert,SECKEYPrivateKey ** pRetKey)1123 SECStatus TransportLayerDtls::GetClientAuthDataHook(
1124 void* arg, PRFileDesc* fd, CERTDistNames* caNames,
1125 CERTCertificate** pRetCert, SECKEYPrivateKey** pRetKey) {
1126 MOZ_MTLOG(ML_DEBUG, "Server requested client auth");
1127
1128 TransportLayerDtls* stream = reinterpret_cast<TransportLayerDtls*>(arg);
1129 stream->CheckThread();
1130
1131 if (!stream->identity_) {
1132 MOZ_MTLOG(ML_ERROR, "No identity available");
1133 PR_SetError(SSL_ERROR_NO_CERTIFICATE, 0);
1134 return SECFailure;
1135 }
1136
1137 *pRetCert = CERT_DupCertificate(stream->identity_->cert().get());
1138 if (!*pRetCert) {
1139 PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
1140 return SECFailure;
1141 }
1142
1143 *pRetKey = SECKEY_CopyPrivateKey(stream->identity_->privkey().get());
1144 if (!*pRetKey) {
1145 CERT_DestroyCertificate(*pRetCert);
1146 *pRetCert = nullptr;
1147 PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
1148 return SECFailure;
1149 }
1150
1151 return SECSuccess;
1152 }
1153
SetSrtpCiphers(const std::vector<uint16_t> & ciphers)1154 nsresult TransportLayerDtls::SetSrtpCiphers(
1155 const std::vector<uint16_t>& ciphers) {
1156 enabled_srtp_ciphers_ = std::move(ciphers);
1157 return NS_OK;
1158 }
1159
GetSrtpCipher(uint16_t * cipher) const1160 nsresult TransportLayerDtls::GetSrtpCipher(uint16_t* cipher) const {
1161 CheckThread();
1162 if (srtp_cipher_ == 0) {
1163 return NS_ERROR_NOT_AVAILABLE;
1164 }
1165 *cipher = srtp_cipher_;
1166 return NS_OK;
1167 }
1168
WriteUint16(uint8_t * cursor,uint16_t v)1169 static uint8_t* WriteUint16(uint8_t* cursor, uint16_t v) {
1170 *cursor++ = v >> 8;
1171 *cursor++ = v & 0xff;
1172 return cursor;
1173 }
1174
SrtpXtnServerMessage(PRFileDesc * fd)1175 static SSLHandshakeType SrtpXtnServerMessage(PRFileDesc* fd) {
1176 SSLPreliminaryChannelInfo preinfo;
1177 SECStatus rv = SSL_GetPreliminaryChannelInfo(fd, &preinfo, sizeof(preinfo));
1178 if (rv != SECSuccess) {
1179 MOZ_ASSERT(false, "Can't get version info");
1180 return ssl_hs_client_hello;
1181 }
1182 return (preinfo.protocolVersion >= SSL_LIBRARY_VERSION_TLS_1_3)
1183 ? ssl_hs_encrypted_extensions
1184 : ssl_hs_server_hello;
1185 }
1186
1187 /* static */
WriteSrtpXtn(PRFileDesc * fd,SSLHandshakeType message,uint8_t * data,unsigned int * len,unsigned int max_len,void * arg)1188 PRBool TransportLayerDtls::WriteSrtpXtn(PRFileDesc* fd,
1189 SSLHandshakeType message, uint8_t* data,
1190 unsigned int* len, unsigned int max_len,
1191 void* arg) {
1192 auto self = reinterpret_cast<TransportLayerDtls*>(arg);
1193
1194 // ClientHello: send all supported versions.
1195 if (message == ssl_hs_client_hello) {
1196 MOZ_ASSERT(self->role_ == CLIENT);
1197 MOZ_ASSERT(self->enabled_srtp_ciphers_.size(), "Haven't enabled SRTP");
1198 // We will take 2 octets for each cipher, plus a 2 octet length and 1 octet
1199 // for the length of the empty MKI.
1200 if (max_len < self->enabled_srtp_ciphers_.size() * 2 + 3) {
1201 MOZ_ASSERT(false, "Not enough space to send SRTP extension");
1202 return false;
1203 }
1204 uint8_t* cursor = WriteUint16(data, self->enabled_srtp_ciphers_.size() * 2);
1205 for (auto cs : self->enabled_srtp_ciphers_) {
1206 cursor = WriteUint16(cursor, cs);
1207 }
1208 *cursor++ = 0; // MKI is empty
1209 *len = cursor - data;
1210 return true;
1211 }
1212
1213 if (message == SrtpXtnServerMessage(fd)) {
1214 MOZ_ASSERT(self->role_ == SERVER);
1215 if (!self->srtp_cipher_) {
1216 // Not negotiated. Definitely bad, but the connection can fail later.
1217 return false;
1218 }
1219 if (max_len < 5) {
1220 MOZ_ASSERT(false, "Not enough space to send SRTP extension");
1221 return false;
1222 }
1223
1224 uint8_t* cursor = WriteUint16(data, 2); // Length = 2.
1225 cursor = WriteUint16(cursor, self->srtp_cipher_);
1226 *cursor++ = 0; // No MKI
1227 *len = cursor - data;
1228 return true;
1229 }
1230
1231 return false;
1232 }
1233
1234 class TlsParser {
1235 public:
TlsParser(const uint8_t * data,size_t len)1236 TlsParser(const uint8_t* data, size_t len) : cursor_(data), remaining_(len) {}
1237
error() const1238 bool error() const { return error_; }
remaining() const1239 size_t remaining() const { return remaining_; }
1240
1241 template <typename T,
1242 class = typename std::enable_if<std::is_unsigned<T>::value>::type>
Read(T * v,size_t sz=sizeof (T))1243 void Read(T* v, size_t sz = sizeof(T)) {
1244 MOZ_ASSERT(sz <= sizeof(T),
1245 "Type is too small to hold the value requested");
1246 if (remaining_ < sz) {
1247 error_ = true;
1248 return;
1249 }
1250
1251 T result = 0;
1252 for (size_t i = 0; i < sz; ++i) {
1253 result = (result << 8) | *cursor_++;
1254 remaining_--;
1255 }
1256 *v = result;
1257 }
1258
1259 template <typename T,
1260 class = typename std::enable_if<std::is_unsigned<T>::value>::type>
ReadVector(std::vector<T> * v,size_t w)1261 void ReadVector(std::vector<T>* v, size_t w) {
1262 MOZ_ASSERT(v->empty(), "vector needs to be empty");
1263
1264 uint32_t len;
1265 Read(&len, w);
1266 if (error_ || len % sizeof(T) != 0 || len > remaining_) {
1267 error_ = true;
1268 return;
1269 }
1270
1271 size_t count = len / sizeof(T);
1272 v->reserve(count);
1273 for (T i = 0; !error_ && i < count; ++i) {
1274 T item;
1275 Read(&item);
1276 if (!error_) {
1277 v->push_back(item);
1278 }
1279 }
1280 }
1281
Skip(size_t n)1282 void Skip(size_t n) {
1283 if (remaining_ < n) {
1284 error_ = true;
1285 } else {
1286 cursor_ += n;
1287 remaining_ -= n;
1288 }
1289 }
1290
SkipVector(size_t w)1291 size_t SkipVector(size_t w) {
1292 uint32_t len = 0;
1293 Read(&len, w);
1294 Skip(len);
1295 return len;
1296 }
1297
1298 private:
1299 const uint8_t* cursor_;
1300 size_t remaining_;
1301 bool error_ = false;
1302 };
1303
1304 /* static */
HandleSrtpXtn(PRFileDesc * fd,SSLHandshakeType message,const uint8_t * data,unsigned int len,SSLAlertDescription * alert,void * arg)1305 SECStatus TransportLayerDtls::HandleSrtpXtn(
1306 PRFileDesc* fd, SSLHandshakeType message, const uint8_t* data,
1307 unsigned int len, SSLAlertDescription* alert, void* arg) {
1308 static const uint8_t kTlsAlertHandshakeFailure = 40;
1309 static const uint8_t kTlsAlertIllegalParameter = 47;
1310 static const uint8_t kTlsAlertDecodeError = 50;
1311 static const uint8_t kTlsAlertUnsupportedExtension = 110;
1312
1313 auto self = reinterpret_cast<TransportLayerDtls*>(arg);
1314
1315 // Parse the extension.
1316 TlsParser parser(data, len);
1317 std::vector<uint16_t> advertised;
1318 parser.ReadVector(&advertised, 2);
1319 size_t mki_len = parser.SkipVector(1);
1320 if (parser.error() || parser.remaining() > 0) {
1321 *alert = kTlsAlertDecodeError;
1322 return SECFailure;
1323 }
1324
1325 if (message == ssl_hs_client_hello) {
1326 MOZ_ASSERT(self->role_ == SERVER);
1327 if (self->enabled_srtp_ciphers_.empty()) {
1328 // We don't have SRTP enabled, which is probably bad, but no sense in
1329 // having the handshake fail at this point, let the client decide if this
1330 // is a problem.
1331 return SECSuccess;
1332 }
1333
1334 for (auto supported : self->enabled_srtp_ciphers_) {
1335 auto it = std::find(advertised.begin(), advertised.end(), supported);
1336 if (it != advertised.end()) {
1337 self->srtp_cipher_ = supported;
1338 return SECSuccess;
1339 }
1340 }
1341
1342 // No common cipher.
1343 *alert = kTlsAlertHandshakeFailure;
1344 return SECFailure;
1345 }
1346
1347 if (message == SrtpXtnServerMessage(fd)) {
1348 MOZ_ASSERT(self->role_ == CLIENT);
1349 if (advertised.size() != 1 || mki_len > 0) {
1350 *alert = kTlsAlertIllegalParameter;
1351 return SECFailure;
1352 }
1353 self->srtp_cipher_ = advertised[0];
1354 return SECSuccess;
1355 }
1356
1357 *alert = kTlsAlertUnsupportedExtension;
1358 return SECFailure;
1359 }
1360
ExportKeyingMaterial(const std::string & label,bool use_context,const std::string & context,unsigned char * out,unsigned int outlen)1361 nsresult TransportLayerDtls::ExportKeyingMaterial(const std::string& label,
1362 bool use_context,
1363 const std::string& context,
1364 unsigned char* out,
1365 unsigned int outlen) {
1366 CheckThread();
1367 if (state_ != TS_OPEN) {
1368 MOZ_ASSERT(false, "Transport must be open for ExportKeyingMaterial");
1369 return NS_ERROR_NOT_AVAILABLE;
1370 }
1371 SECStatus rv = SSL_ExportKeyingMaterial(
1372 ssl_fd_.get(), label.c_str(), label.size(), use_context,
1373 reinterpret_cast<const unsigned char*>(context.c_str()), context.size(),
1374 out, outlen);
1375 if (rv != SECSuccess) {
1376 MOZ_MTLOG(ML_ERROR, "Couldn't export SSL keying material");
1377 return NS_ERROR_FAILURE;
1378 }
1379
1380 return NS_OK;
1381 }
1382
AuthCertificateHook(void * arg,PRFileDesc * fd,PRBool checksig,PRBool isServer)1383 SECStatus TransportLayerDtls::AuthCertificateHook(void* arg, PRFileDesc* fd,
1384 PRBool checksig,
1385 PRBool isServer) {
1386 TransportLayerDtls* stream = reinterpret_cast<TransportLayerDtls*>(arg);
1387 stream->CheckThread();
1388 return stream->AuthCertificateHook(fd, checksig, isServer);
1389 }
1390
CheckDigest(const DtlsDigest & digest,UniqueCERTCertificate & peer_cert) const1391 SECStatus TransportLayerDtls::CheckDigest(
1392 const DtlsDigest& digest, UniqueCERTCertificate& peer_cert) const {
1393 DtlsDigest computed_digest(digest.algorithm_);
1394
1395 MOZ_MTLOG(ML_DEBUG,
1396 LAYER_INFO << "Checking digest, algorithm=" << digest.algorithm_);
1397 nsresult res = DtlsIdentity::ComputeFingerprint(peer_cert, &computed_digest);
1398 if (NS_FAILED(res)) {
1399 MOZ_MTLOG(ML_ERROR, "Could not compute peer fingerprint for digest "
1400 << digest.algorithm_);
1401 // Go to end
1402 PR_SetError(SSL_ERROR_BAD_CERTIFICATE, 0);
1403 return SECFailure;
1404 }
1405
1406 if (computed_digest != digest) {
1407 MOZ_MTLOG(ML_ERROR, "Digest does not match");
1408 PR_SetError(SSL_ERROR_BAD_CERTIFICATE, 0);
1409 return SECFailure;
1410 }
1411
1412 return SECSuccess;
1413 }
1414
AuthCertificateHook(PRFileDesc * fd,PRBool checksig,PRBool isServer)1415 SECStatus TransportLayerDtls::AuthCertificateHook(PRFileDesc* fd,
1416 PRBool checksig,
1417 PRBool isServer) {
1418 CheckThread();
1419 UniqueCERTCertificate peer_cert(SSL_PeerCertificate(fd));
1420
1421 // We are not set up to take this being called multiple
1422 // times. Change this if we ever add renegotiation.
1423 MOZ_ASSERT(!auth_hook_called_);
1424 if (auth_hook_called_) {
1425 PR_SetError(PR_UNKNOWN_ERROR, 0);
1426 return SECFailure;
1427 }
1428 auth_hook_called_ = true;
1429
1430 MOZ_ASSERT(verification_mode_ != VERIFY_UNSET);
1431
1432 switch (verification_mode_) {
1433 case VERIFY_UNSET:
1434 // Break out to error exit
1435 PR_SetError(PR_UNKNOWN_ERROR, 0);
1436 break;
1437
1438 case VERIFY_ALLOW_ALL:
1439 cert_ok_ = true;
1440 return SECSuccess;
1441
1442 case VERIFY_DIGEST: {
1443 MOZ_ASSERT(!digests_.empty());
1444 // Check all the provided digests
1445
1446 // Checking functions call PR_SetError()
1447 SECStatus rv = SECFailure;
1448 for (auto digest : digests_) {
1449 rv = CheckDigest(digest, peer_cert);
1450
1451 // Matches a digest, we are good to go
1452 if (rv == SECSuccess) {
1453 cert_ok_ = true;
1454 return SECSuccess;
1455 }
1456 }
1457 } break;
1458 default:
1459 MOZ_CRASH(); // Can't happen
1460 }
1461
1462 return SECFailure;
1463 }
1464
TimerCallback(nsITimer * timer,void * arg)1465 void TransportLayerDtls::TimerCallback(nsITimer* timer, void* arg) {
1466 TransportLayerDtls* dtls = reinterpret_cast<TransportLayerDtls*>(arg);
1467
1468 MOZ_MTLOG(ML_DEBUG, "DTLS timer expired");
1469
1470 dtls->Handshake();
1471 }
1472
RecordTlsTelemetry()1473 void TransportLayerDtls::RecordTlsTelemetry() {
1474 MOZ_ASSERT(state_ == TS_OPEN);
1475 SSLChannelInfo info;
1476 SECStatus ss = SSL_GetChannelInfo(ssl_fd_.get(), &info, sizeof(info));
1477 if (ss != SECSuccess) {
1478 MOZ_MTLOG(ML_NOTICE,
1479 LAYER_INFO << "RecordTlsTelemetry failed to get channel info");
1480 return;
1481 }
1482
1483 uint16_t telemetry_cipher = 0;
1484
1485 switch (info.cipherSuite) {
1486 /* Old DHE ciphers: candidates for removal, see bug 1227519 */
1487 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
1488 telemetry_cipher = 1;
1489 break;
1490 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
1491 telemetry_cipher = 2;
1492 break;
1493 /* Current ciphers */
1494 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
1495 telemetry_cipher = 3;
1496 break;
1497 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
1498 telemetry_cipher = 4;
1499 break;
1500 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
1501 telemetry_cipher = 5;
1502 break;
1503 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
1504 telemetry_cipher = 6;
1505 break;
1506 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
1507 telemetry_cipher = 7;
1508 break;
1509 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
1510 telemetry_cipher = 8;
1511 break;
1512 case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
1513 telemetry_cipher = 9;
1514 break;
1515 case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
1516 telemetry_cipher = 10;
1517 break;
1518 /* TLS 1.3 ciphers */
1519 case TLS_AES_128_GCM_SHA256:
1520 telemetry_cipher = 11;
1521 break;
1522 case TLS_CHACHA20_POLY1305_SHA256:
1523 telemetry_cipher = 12;
1524 break;
1525 case TLS_AES_256_GCM_SHA384:
1526 telemetry_cipher = 13;
1527 break;
1528 }
1529
1530 Telemetry::Accumulate(Telemetry::WEBRTC_DTLS_CIPHER, telemetry_cipher);
1531
1532 uint16_t cipher;
1533 nsresult rv = GetSrtpCipher(&cipher);
1534
1535 if (NS_FAILED(rv)) {
1536 MOZ_MTLOG(ML_DEBUG, "No SRTP cipher suite");
1537 return;
1538 }
1539
1540 auto cipher_label = mozilla::Telemetry::LABELS_WEBRTC_SRTP_CIPHER::Unknown;
1541
1542 switch (cipher) {
1543 case kDtlsSrtpAes128CmHmacSha1_80:
1544 cipher_label = Telemetry::LABELS_WEBRTC_SRTP_CIPHER::Aes128CmHmacSha1_80;
1545 break;
1546 case kDtlsSrtpAes128CmHmacSha1_32:
1547 cipher_label = Telemetry::LABELS_WEBRTC_SRTP_CIPHER::Aes128CmHmacSha1_32;
1548 break;
1549 case kDtlsSrtpAeadAes128Gcm:
1550 cipher_label = Telemetry::LABELS_WEBRTC_SRTP_CIPHER::AeadAes128Gcm;
1551 break;
1552 case kDtlsSrtpAeadAes256Gcm:
1553 cipher_label = Telemetry::LABELS_WEBRTC_SRTP_CIPHER::AeadAes256Gcm;
1554 break;
1555 }
1556
1557 Telemetry::AccumulateCategorical(cipher_label);
1558 }
1559
1560 } // namespace mozilla
1561