| blob | 8a67160e83abdc4002a3e77e9072c0cc1399ac52 |
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 *
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 /*
8 * For connections that are not processed on the socket transport thread, we do
9 * NOT use the async logic described below. Instead, we authenticate the
10 * certificate on the thread that the connection's I/O happens on,
11 * synchronously. This allows us to do certificate verification for blocking
12 * (not non-blocking) sockets and sockets that have their I/O processed on a
13 * thread other than the socket transport service thread. Also, we DO NOT
14 * support blocking sockets on the socket transport service thread at all.
15 *
16 * During certificate authentication, we call CERT_PKIXVerifyCert or
17 * CERT_VerifyCert. These functions may make zero or more HTTP requests
18 * for OCSP responses, CRLs, intermediate certificates, etc. Our fetching logic
19 * for these requests processes them on the socket transport service thread.
20 *
21 * If the connection for which we are verifying the certificate is happening
22 * on the socket transport thread (the usually case, at least for HTTP), then
23 * if our cert auth hook were to call the CERT_*Verify* functions directly,
24 * there would be a deadlock: The CERT_*Verify* function would cause an event
25 * to be asynchronously posted to the socket transport thread, and then it
26 * would block the socket transport thread waiting to be notified of the HTTP
27 * response. However, the HTTP request would never actually be processed
28 * because the socket transport thread would be blocked and so it wouldn't be
29 * able process HTTP requests. (i.e. Deadlock.)
30 *
31 * Consequently, when we are asked to verify a certificate on the socket
32 * transport service thread, we must always call the CERT_*Verify* cert
33 * functions on another thread. To accomplish this, our auth cert hook
34 * dispatches a SSLServerCertVerificationJob to a pool of background threads,
35 * and then immediatley return SECWouldBlock to libssl. These jobs are where
36 * the CERT_*Verify* functions are actually called.
37 *
38 * When our auth cert hook returns SECWouldBlock, libssl will carry on the
39 * handshake while we validate the certificate. This will free up the socket
40 * transport thread so that HTTP requests--in particular, the OCSP/CRL/cert
41 * requests needed for cert verification as mentioned above--can be processed.
42 *
43 * Once the CERT_*Verify* function returns, the cert verification job
44 * dispatches a SSLServerCertVerificationResult to the socket transport thread;
45 * the SSLServerCertVerificationResult will notify libssl that the certificate
46 * authentication is complete. Once libssl is notified that the authentication
47 * is complete, it will continue the SSL handshake (if it hasn't already
48 * finished) and it will begin allowing us to send/receive data on the
49 * connection.
50 *
51 * Timeline of events (for connections managed by the socket transport service):
52 *
53 * * libssl calls SSLServerCertVerificationJob::Dispatch on the socket
54 * transport thread.
55 * * SSLServerCertVerificationJob::Dispatch queues a job
56 * (instance of SSLServerCertVerificationJob) to its background thread
57 * pool and returns.
58 * * One of the background threads calls CERT_*Verify*, which may enqueue
59 * some HTTP request(s) onto the socket transport thread, and then
60 * blocks that background thread waiting for the responses and/or timeouts
61 * or errors for those requests.
62 * * Once those HTTP responses have all come back or failed, the
63 * CERT_*Verify* function returns a result indicating that the validation
64 * succeeded or failed.
65 * * If the validation succeeded, then a SSLServerCertVerificationResult
66 * event is posted to the socket transport thread, and the cert
67 * verification thread becomes free to verify other certificates.
68 * * Otherwise, a CertErrorRunnable is posted to the socket transport thread
69 * and then to the main thread (blocking both, see CertErrorRunnable) to
70 * do cert override processing and bad cert listener notification. Then
71 * the cert verification thread becomes free to verify other certificates.
72 * * After processing cert overrides, the CertErrorRunnable will dispatch a
73 * SSLServerCertVerificationResult event to the socket transport thread to
74 * notify it of the result of the override processing; then it returns,
75 * freeing up the main thread.
76 * * The SSLServerCertVerificationResult event will either wake up the
77 * socket (using SSL_RestartHandshakeAfterServerCert) if validation
78 * succeeded or there was an error override, or it will set an error flag
79 * so that the next I/O operation on the socket will fail, causing the
80 * socket transport thread to close the connection.
81 *
82 * Cert override processing must happen on the main thread because it accesses
83 * the nsICertOverrideService, and that service must be accessed on the main
84 * thread because some extensions (Selenium, in particular) replace it with a
85 * Javascript implementation, and chrome JS must always be run on the main
86 * thread.
87 *
88 * SSLServerCertVerificationResult must be dispatched to the socket transport
89 * thread because we must only call SSL_* functions on the socket transport
90 * thread since they may do I/O, because many parts of nsNSSSocketInfo (the
91 * subclass of TransportSecurityInfo used when validating certificates during
92 * an SSL handshake) and the PSM NSS I/O layer are not thread-safe, and because
93 * we need the event to interrupt the PR_Poll that may waiting for I/O on the
94 * socket for which we are validating the cert.
95 */
126 #ifdef PR_LOGGING
128 #endif
139 // do not use a nsCOMPtr to avoid static initializer/destructor
142 // We avoid using a mutex for the success case to avoid lock-related
143 // performance issues. However, we do use a lock in the error case to simplify
144 // the code, since performance in the error case is not important.
149 // Called when the socket transport thread starts, to initialize the SSL cert
150 // verification thread pool. By tying the thread pool startup/shutdown directly
151 // to the STS thread's lifetime, we ensure that they are *always* available for
152 // SSL connections and that there are no races during startup and especially
153 // shutdown. (Previously, we have had multiple problems with races in PSM
154 // background threads, and the race-prevention/shutdown logic used there is
155 // brittle. Since this service is critical to things like downloading updates,
156 // we take no chances.) Also, by doing things this way, we avoid the need for
157 // locks, since gCertVerificationThreadPool is only ever accessed on the socket
158 // transport thread.
159 void
161 {
163 // TODO: tuning, make parameters preferences
164 // XXX: instantiate nsThreadPool directly, to make this more bulletproof.
165 // Currently, the nsThreadPool.h header isn't exported for us to do so.
171 }
177 }
179 // Called when the socket transport thread finishes, to destroy the thread
180 // pool. Since the socket transport service has stopped processing events, it
181 // will not attempt any more SSL I/O operations, so it is clearly safe to shut
182 // down the SSL cert verification infrastructure. Also, the STS will not
183 // dispatch many SSL verification result events at this point, so any pending
184 // cert verifications will (correctly) fail at the point they are dispatched.
185 //
186 // The other shutdown race condition that is possible is a race condition with
187 // shutdown of the nsNSSComponent service. We use the
188 // nsNSSShutdownPreventionLock where needed (not here) to prevent that.
190 {
194 }
198 }
199 }
203 void
208 PRErrorCode errorCode,
211 {
212 nsString message;
220 }
221 }
222 }
224 // Dispatched to the STS thread to notify the infoObject of the verification
225 // result.
226 //
227 // This will cause the PR_Poll in the STS thread to return, so things work
228 // correctly even if the STS thread is blocked polling (only) on the file
229 // descriptor that is waiting for this result.
231 {
233 NS_DECL_NSIRUNNABLE
236 PRErrorCode errorCode,
239 SSLErrorMessageType errorMessageType =
240 PlainErrorMessage);
250 };
253 {
258 PRErrorCode defaultErrorCodeToReport,
260 PRErrorCode errorCodeTrust,
261 PRErrorCode errorCodeMismatch,
262 PRErrorCode errorCodeExpired,
271 {
272 }
288 };
290 SSLServerCertVerificationResult *
292 {
299 mDefaultErrorCodeToReport);
300 }
305 nsCString hostWithPortString;
312 nsresult nsrv;
314 // Enforce Strict-Transport-Security for hosts that are "STS" hosts:
315 // connections must be dropped when there are any certificate errors
316 // (STS Spec section 7.3).
324 mProviderFlags,
326 }
329 mDefaultErrorCodeToReport);
330 }
335 // it is fine to continue without the nsICertOverrideService
340 {
345 mCert,
350 {
351 // remove the errors that are already overriden
353 }
354 }
357 // all errors are covered by override rules, so let's accept the cert
362 }
367 }
373 // Ok, this is a full stop.
374 // First, deliver the technical details of the broken SSL status.
376 // Try to get a nsIBadCertListener2 implementation from the socket consumer.
385 nsIInterfaceRequestor *csi
390 }
391 }
392 }
399 }
405 }
407 // pick the error code to report by priority
415 errorCodeToReport,
418 OverridableCertErrorMessage);
422 hostWithPortString,
423 port,
426 mCert);
429 }
431 void
433 {
439 }
441 // Returns null with the error code (PR_GetError()) set if it does not create
442 // the CertErrorRunnable.
443 CertErrorRunnable *
449 PRTime now)
450 {
454 // cert was revoked, don't do anything else
458 }
464 }
471 }
473 SECStatus srv;
480 }
487 }
493 }
500 // We ignore the result code of the cert verification.
501 // Either it is a failure, which is expected, and we'll process the
502 // verify log below.
503 // Or it is a success, then a domain mismatch is the only
504 // possible failure.
515 }
517 // Check the name field against the desired hostname.
521 }
525 {
527 {
535 // We group all these errors as "cert not trusted"
539 }
545 }
551 }
556 }
557 }
560 {
561 // This will happen when CERT_*Verify* only returned error(s) that are
562 // not on our whitelist of overridable certificate errors.
567 }
576 providerFlags);
577 }
579 // When doing async cert processing, we dispatch one of these runnables to the
580 // socket transport service thread, which blocks the socket transport
581 // service thread while it waits for the inner CertErrorRunnable to execute
582 // CheckCertOverrides on the main thread. CheckCertOverrides must block events
583 // on both of these threads because it calls TransportSecurityInfo::GetInterface(),
584 // which may call nsHttpConnection::GetInterface() through
585 // TransportSecurityInfo::mCallbacks. nsHttpConnection::GetInterface must always
586 // execute on the main thread, with the socket transport service thread
587 // blocked.
589 {
593 {
594 }
597 {
599 // The result must run on the socket transport thread, which we are already
600 // on, so we can just run it directly, instead of dispatching it.
604 }
606 }
608 };
611 {
613 // Must be called only on the socket transport thread
620 NS_DECL_NSIRUNNABLE
622 // Must be called only on the socket transport thread
634 };
646 {
647 }
649 SECStatus
655 {
660 }
667 /* cert is OK. This is the client side of an SSL connection.
668 * Now check the name field in the cert against the desired hostname.
669 * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
670 */
673 else
677 }
680 }
682 struct nsSerialBinaryBlacklistEntry
683 {
686 };
688 // bug 642395
701 };
703 // Call this if we have already decided that a cert should be treated as INVALID,
704 // in order to check if we to worsen the error to REVOKED.
705 PRErrorCode
708 {
709 // If any involved cert was issued by DigiNotar,
710 // and serverCert was issued after 01-JUL-2011,
711 // then worsen the error to revoked.
717 // be safe, assume it's afterwards, keep going
722 // no worsening for certs issued before the cutoff date
724 }
725 }
733 }
734 }
737 }
739 // Call this only if a cert has been reported by NSS as VALID
740 PRErrorCode
743 {
754 }
755 }
758 // let's see if we want to worsen the error code to revoked.
761 }
764 }
766 // This function assumes that we will only use the SPDY connection coalescing
767 // feature on connections where we have negotiated SPDY using NPN. If we ever
768 // talk SPDY without having negotiated it with SPDY, this code will give wrong
769 // and perhaps unsafe results.
770 //
771 // Returns SECSuccess on the initial handshake of all connections, on
772 // renegotiations for any connections where we did not negotiate SPDY, or on any
773 // SPDY connection where the server's certificate did not change.
774 //
775 // Prohibit changing the server cert only if we negotiated SPDY,
776 // in order to support SPDY's cross-origin connection pooling.
778 static SECStatus
781 {
782 // Get the existing cert. If there isn't one, then there is
783 // no cert change to worry about.
789 // If we didn't have a status, then this is the
790 // first handshake on this connection, not a
791 // renegotiation.
793 }
802 }
804 // Filter out sockets that did not neogtiate SPDY via NPN
805 nsAutoCString negotiatedNPN;
814 // If GetNegotiatedNPN() failed we will assume spdy for safety's safe
819 }
821 // Check to see if the cert has actually changed
828 // Report an error - changed cert is confirmed
833 }
835 SECStatus
838 {
842 "CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US")) {
853 }
867 }
870 !memcmp(server_cert_comparison_start, locked_cert_comparison_start, locked_cert_comparison_len)) {
873 }
874 }
875 }
877 SECStatus rv;
881 stapledOCSPResponse,
882 infoObject);
885 }
886 }
889 SECOidTag evOidPolicy;
893 // We want to remember the CA certs in the temp db, so that the application can find the
894 // complete chain at any time it might need it.
895 // But we keep only those CA certs in the temp db, that we didn't already know.
903 }
906 }
907 }
914 PRErrorCode blacklistErrorCode;
919 // Check if we want to worsen the error code to "revoked".
922 // we don't worsen the code, let's keep the original error code from NSS
924 }
925 }
931 }
932 }
935 // We want to avoid storing any intermediate cert information when browsing
936 // in private, transient contexts.
943 // This cert was found on a token, no need to remember it in the temp db.
945 }
948 // We don't need to remember certs already stored in perm db.
950 }
953 // We don't want to remember the server cert,
954 // the code that cares for displaying page info does this already.
956 }
958 // We have found a signer cert that we want to remember.
965 }
966 }
968 }
969 }
971 // The connection may get terminated, for example, if the server requires
972 // a client cert. Let's provide a minimal SSLStatus
973 // to the caller that contains at least the cert and its status.
977 }
980 // Certificate verification succeeded delete any potential record
981 // of certificate error bits.
984 }
986 // Certificate verification failed, update the status' bits.
989 }
995 }
996 }
999 }
1001 /*static*/ SECStatus
1007 {
1008 // Runs on the socket transport thread
1013 }
1019 nsresult nrv;
1024 }
1026 // We can't call SetCertVerificationResult here to change
1027 // mCertVerificationState because SetCertVerificationResult will call
1028 // libssl functions that acquire SSL locks that are already being held at
1029 // this point. infoObject->mCertVerificationState will be stuck at
1030 // waiting_for_cert_verification here, but that is OK because we already
1031 // have to be able to handle cases where we encounter non-cert errors while
1032 // in that state.
1034 ? SEC_ERROR_NO_MEMORY
1038 }
1042 }
1044 NS_IMETHODIMP
1046 {
1047 // Runs on a cert verification thread
1052 PRErrorCode error;
1054 nsNSSShutDownPreventionLock nssShutdownPrevention;
1058 // Reset the error code here so we can detect if AuthCertificate fails to
1059 // set the error code if/when it fails.
1062 mProviderFlags);
1066 #ifndef NSS_NO_LIBPKIX
1069 }
1071 #endif
1073 #ifndef NSS_NO_LIBPKIX
1074 }
1075 #endif
1081 }
1083 // Note: the interval is not calculated once as PR_GetError MUST be called
1084 // before any other function call
1086 {
1089 #ifndef NSS_NO_LIBPKIX
1092 }
1094 #endif
1096 #ifndef NSS_NO_LIBPKIX
1097 }
1098 #endif
1101 mJobStartTime,
1102 now);
1103 }
1108 // CreateCertErrorRunnable set a new error code
1111 // We must block the the socket transport service thread while the
1112 // main thread executes the CertErrorRunnable. The CertErrorRunnable
1113 // will dispatch the result asynchronously, so we don't have to block
1114 // this thread waiting for it.
1120 nsresult nrv;
1125 NS_DISPATCH_NORMAL);
1126 }
1129 }
1133 }
1134 }
1135 }
1140 }
1146 }
1150 // Extracts whatever information we need out of fd (using SSL_*) and passes it
1151 // to SSLServerCertVerificationJob::Dispatch. SSLServerCertVerificationJob should
1152 // never do anything with fd except logging.
1153 SECStatus
1155 {
1156 // Runs on the socket transport thread
1161 // Modern libssl always passes PR_TRUE for checkSig, and we have no means of
1162 // doing verification without checking signatures.
1165 // PSM never causes libssl to call this function with PR_TRUE for isServer,
1166 // and many things in PSM assume that we are a client.
1172 // This is the first callback during full handshakes.
1174 }
1181 }
1187 nsresult nrv;
1192 }
1198 }
1200 // SSL_PeerStapledOCSPResponses will never return a non-empty response if
1201 // OCSP stapling wasn't enabled because libssl wouldn't have let the server
1202 // return a stapled OCSP response.
1203 // We don't own these pointers.
1206 // we currently only support single stapled responses
1209 }
1216 // We *must* do certificate verification on a background thread because
1217 // we need the socket transport thread to be free for our OCSP requests,
1218 // and we *want* to do certificate verification on a background thread
1219 // because of the performance benefits of doing so.
1225 }
1227 // We can't do certificate verification on a background thread, because the
1228 // thread doing the network I/O may not interrupt its network I/O on receipt
1229 // of our SSLServerCertVerificationResult event, and/or it might not even be
1230 // a non-blocking socket.
1233 providerFlags);
1236 }
1244 // CreateCertErrorRunnable sets a new error code when it fails
1247 // We have to return SECSuccess or SECFailure based on the result of the
1248 // override processing, so we must block this thread waiting for it. The
1249 // CertErrorRunnable will NOT dispatch the result at all, since we passed
1250 // false for CreateCertErrorRunnable's async parameter
1256 }
1262 }
1266 }
1268 // We must call SetCanceled here to set the error message type
1269 // in case it isn't PlainErrorMessage, which is what we would
1270 // default to if we just called
1271 // PR_SetError(runnable->mResult->mErrorCode, 0) and returned
1272 // SECFailure without doing this.
1276 }
1277 }
1282 }
1286 }
1288 #ifndef NSS_NO_LIBPKIX
1291 {
1294 {
1295 nsNSSShutDownPreventionLock nssShutdownPrevention;
1299 nsresult rv;
1304 }
1307 {
1308 }
1311 {
1312 nsNSSShutDownPreventionLock nssShutdownPrevention;
1315 }
1316 };
1317 #endif
1320 {
1321 #ifndef NSS_NO_LIBPKIX
1322 // Should only be called from socket transport thread due to the static
1323 // variable and the reference to gCertVerificationThreadPool
1333 #endif
1334 }
1339 SSLErrorMessageType errorMessageType)
1345 {
1346 // We accumulate telemetry for (only) successful validations on the main thread
1347 // to avoid adversely affecting performance by acquiring the mutex that we use
1348 // when accumulating the telemetry for unsuccessful validations. Unsuccessful
1349 // validations times are accumulated elsewhere.
1351 }
1353 void
1355 {
1356 nsresult rv;
1364 }
1366 NS_IMETHODIMP
1368 {
1369 // TODO: Assert that we're on the socket transport thread
1372 }
1373 // XXX: This cast will be removed by the next patch
1377 }