DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Implementation

Mercurial (fddffdeab170)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

// Original author: ekr@rtfm.com

#ifndef transportlayerdtls_h__
#define transportlayerdtls_h__

#include <queue>
#include <set>

#include "sigslot.h"

#include "mozilla/RefPtr.h"
#include "mozilla/Scoped.h"
#include "nsCOMPtr.h"
#include "nsIEventTarget.h"
#include "nsITimer.h"
#include "ScopedNSSTypes.h"
#include "m_cpp_utils.h"
#include "dtlsidentity.h"
#include "transportflow.h"
#include "transportlayer.h"

namespace mozilla {

struct Packet;

class TransportLayerNSPRAdapter {
 public:
  explicit TransportLayerNSPRAdapter(TransportLayer *output) :
  output_(output),
  input_(),
  enabled_(true) {}

  void PacketReceived(const void *data, int32_t len);
  int32_t Recv(void *buf, int32_t buflen);
  int32_t Write(const void *buf, int32_t length);
  void SetEnabled(bool enabled) { enabled_ = enabled; }

 private:
  DISALLOW_COPY_ASSIGN(TransportLayerNSPRAdapter);

  TransportLayer *output_;
  std::queue<Packet *> input_;
  bool enabled_;
};

class TransportLayerDtls final : public TransportLayer {
 public:
  TransportLayerDtls() :
      role_(CLIENT),
      verification_mode_(VERIFY_UNSET),
      ssl_fd_(nullptr),
      auth_hook_called_(false),
      cert_ok_(false) {}

  virtual ~TransportLayerDtls();

  enum Role { CLIENT, SERVER};
  enum Verification { VERIFY_UNSET, VERIFY_ALLOW_ALL, VERIFY_DIGEST};
  const static size_t kMaxDigestLength = HASH_LENGTH_MAX;

  // DTLS-specific operations
  void SetRole(Role role) { role_ = role;}
  Role role() { return role_; }

  void SetIdentity(const RefPtr<DtlsIdentity>& identity) {
    identity_ = identity;
  }
  nsresult SetAlpn(const std::set<std::string>& allowedAlpn,
                   const std::string& alpnDefault);
  const std::string& GetNegotiatedAlpn() const { return alpn_; }

  nsresult SetVerificationAllowAll();
  nsresult SetVerificationDigest(const std::string digest_algorithm,
                                 const unsigned char *digest_value,
                                 size_t digest_len);

  nsresult GetCipherSuite(uint16_t* cipherSuite) const;

  nsresult SetSrtpCiphers(std::vector<uint16_t> ciphers);
  nsresult GetSrtpCipher(uint16_t *cipher) const;

  nsresult ExportKeyingMaterial(const std::string& label,
                                bool use_context,
                                const std::string& context,
                                unsigned char *out,
                                unsigned int outlen);

  const CERTCertificate *GetPeerCert() const {
    return peer_cert_;
  }

  // Transport layer overrides.
  virtual nsresult InitInternal();
  virtual void WasInserted();
  virtual TransportResult SendPacket(const unsigned char *data, size_t len);

  // Signals
  void StateChange(TransportLayer *layer, State state);
  void PacketReceived(TransportLayer* layer, const unsigned char *data,
                      size_t len);

  // For testing use only.  Returns the fd.
  PRFileDesc* internal_fd() { CheckThread(); return ssl_fd_.rwget(); }

  TRANSPORT_LAYER_ID("dtls")

  private:
  DISALLOW_COPY_ASSIGN(TransportLayerDtls);

  // A single digest to check
  class VerificationDigest {
   public:
    VerificationDigest(std::string algorithm,
                       const unsigned char *value, size_t len) {
      MOZ_ASSERT(len <= sizeof(value_));

      algorithm_ = algorithm;
      memcpy(value_, value, len);
      len_ = len;
    }

    NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VerificationDigest)

    std::string algorithm_;
    size_t len_;
    unsigned char value_[kMaxDigestLength];

   private:
    ~VerificationDigest() {}
    DISALLOW_COPY_ASSIGN(VerificationDigest);
  };


  bool Setup();
  bool SetupCipherSuites(PRFileDesc* ssl_fd) const;
  bool SetupAlpn(PRFileDesc* ssl_fd) const;
  void Handshake();

  bool CheckAlpn();

  static SECStatus GetClientAuthDataHook(void *arg, PRFileDesc *fd,
                                         CERTDistNames *caNames,
                                         CERTCertificate **pRetCert,
                                         SECKEYPrivateKey **pRetKey);
  static SECStatus AuthCertificateHook(void *arg,
                                       PRFileDesc *fd,
                                       PRBool checksig,
                                       PRBool isServer);
  SECStatus AuthCertificateHook(PRFileDesc *fd,
                                PRBool checksig,
                                PRBool isServer);

  static void TimerCallback(nsITimer *timer, void *arg);

  SECStatus CheckDigest(const RefPtr<VerificationDigest>& digest,
                        CERTCertificate *cert);

  RefPtr<DtlsIdentity> identity_;
  // What ALPN identifiers are permitted.
  std::set<std::string> alpn_allowed_;
  // What ALPN identifier is used if ALPN is not supported.
  // The empty string indicates that ALPN is required.
  std::string alpn_default_;
  // What ALPN string was negotiated.
  std::string alpn_;
  std::vector<uint16_t> srtp_ciphers_;

  Role role_;
  Verification verification_mode_;
  std::vector<RefPtr<VerificationDigest> > digests_;

  // Must delete nspr_io_adapter after ssl_fd_ b/c ssl_fd_ causes an alert
  // (ssl_fd_ contains an un-owning pointer to nspr_io_adapter_)
  ScopedDeletePtr<TransportLayerNSPRAdapter> nspr_io_adapter_;
  ScopedPRFileDesc ssl_fd_;

  ScopedCERTCertificate peer_cert_;
  nsCOMPtr<nsITimer> timer_;
  bool auth_hook_called_;
  bool cert_ok_;
};


}  // close namespace
#endif