bug 1006804 - psm interface for kea size and make kea available in preliminary handshake r=keeler r=honzab

2024-09-13 09:24:08 -07:00 · 2014-05-06 17:22:25 -04:00 · 2014-05-06 17:22:25 -04:00 · 033d5fc4e8
commit 033d5fc4e8
parent 60c704eda3
4 changed files with 40 additions and 9 deletions
--- a/netwerk/socket/nsISSLSocketControl.idl
+++ b/netwerk/socket/nsISSLSocketControl.idl
@ -14,7 +14,7 @@ class nsCString;
 %}
 [ref] native nsCStringTArrayRef(nsTArray<nsCString>);

-[scriptable, builtinclass, uuid(4080f700-9c16-4884-8f8d-e28094377084)]
+[scriptable, builtinclass, uuid(ec72446c-8241-457f-ba75-83d214392289)]
 interface nsISSLSocketControl : nsISupports {
    attribute nsIInterfaceRequestor     notificationCallbacks;

@ -53,15 +53,19 @@ interface nsISSLSocketControl : nsISupports {
      in long port);

    /* The Key Exchange Algorithm is used when determining whether or
-       not to do false start.
+       not to do false start and whether or not HTTP/2 can be used.
+
       After a handshake is complete it can be read from KEAUsed,
       before a handshake is started it may be set through KEAExpected.
       The values correspond to the SSLKEAType enum in NSS or the
       KEY_EXCHANGE_UNKNOWN constant defined below.
+
+       KEAKeyBits is the size/security-level used for the KEA.
    */

    [infallible] readonly attribute short KEAUsed;
    [infallible] attribute short KEAExpected;
+    [infallible] readonly attribute unsigned long KEAKeyBits;

    const short KEY_EXCHANGE_UNKNOWN = -1;

--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@ -888,6 +888,24 @@ PreliminaryHandshakeDone(PRFileDesc* fd)
  SSLChannelInfo channelInfo;
  if (SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)) == SECSuccess) {
    infoObject->SetSSLVersionUsed(channelInfo.protocolVersion);
+
+    SSLCipherSuiteInfo cipherInfo;
+    if (SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
+                               sizeof cipherInfo) == SECSuccess) {
+      /* Set the SSL Status information */
+      RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
+      if (!status) {
+        status = new nsSSLStatus();
+        infoObject->SetSSLStatus(status);
+      }
+
+      status->mHaveKeyLengthAndCipher = true;
+      status->mKeyLength = cipherInfo.symKeyBits;
+      status->mSecretKeyLength = cipherInfo.effectiveKeyBits;
+      status->mCipherName.Assign(cipherInfo.cipherSuiteName);
+      infoObject->SetKEAUsed(cipherInfo.keaType);
+      infoObject->SetKEAKeyBits(channelInfo.keaKeyBits);
+    }
  }

  // Get the NPN value.
@ -1253,18 +1271,16 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
                                sizeof cipherInfo);
    MOZ_ASSERT(rv == SECSuccess);
    if (rv == SECSuccess) {
-      status->mHaveKeyLengthAndCipher = true;
-      status->mKeyLength = cipherInfo.symKeyBits;
-      status->mSecretKeyLength = cipherInfo.effectiveKeyBits;
-      status->mCipherName.Assign(cipherInfo.cipherSuiteName);
-
      // keyExchange null=0, rsa=1, dh=2, fortezza=3, ecdh=4
      Telemetry::Accumulate(
        infoObject->IsFullHandshake()
          ? Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_FULL
          : Telemetry::SSL_KEY_EXCHANGE_ALGORITHM_RESUMED,
        cipherInfo.keaType);
-      infoObject->SetKEAUsed(cipherInfo.keaType);
+
+      DebugOnly<int16_t> KEAUsed;
+      MOZ_ASSERT(NS_SUCCEEDED(infoObject->GetKEAUsed(&KEAUsed)) &&
+                 (KEAUsed == cipherInfo.keaType));

      if (infoObject->IsFullHandshake()) {
        switch (cipherInfo.keaType) {
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@ -133,6 +133,7 @@ nsNSSSocketInfo::nsNSSSocketInfo(SharedSSLState& aState, uint32_t providerFlags)
    mNotedTimeUntilReady(false),
    mKEAUsed(nsISSLSocketControl::KEY_EXCHANGE_UNKNOWN),
    mKEAExpected(nsISSLSocketControl::KEY_EXCHANGE_UNKNOWN),
+    mKEAKeyBits(0),
    mSSLVersionUsed(nsISSLSocketControl::SSL_VERSION_UNKNOWN),
    mProviderFlags(providerFlags),
    mSocketCreationTimestamp(TimeStamp::Now()),
@ -174,6 +175,13 @@ nsNSSSocketInfo::SetKEAExpected(int16_t aKea)
  return NS_OK;
 }

+NS_IMETHODIMP
+nsNSSSocketInfo::GetKEAKeyBits(uint32_t* aKeyBits)
+{
+  *aKeyBits = mKEAKeyBits;
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 nsNSSSocketInfo::GetSSLVersionUsed(int16_t* aSSLVersionUsed)
 {
--- a/security/manager/ssl/src/nsNSSIOLayer.h
+++ b/security/manager/ssl/src/nsNSSIOLayer.h
@ -104,6 +104,8 @@ public:
    return result;
  }

+  void SetKEAKeyBits(uint32_t keaBits) { mKEAKeyBits = keaBits; }
+
  void SetSSLVersionUsed(int16_t version)
  {
    mSSLVersionUsed = version;
@ -133,10 +135,11 @@ private:
  bool      mSentClientCert;
  bool      mNotedTimeUntilReady;

-  // mKEA* are used in false start detetermination
+  // mKEA* are used in false start and http/2 detetermination
  // Values are from nsISSLSocketControl
  int16_t mKEAUsed;
  int16_t mKEAExpected;
+  uint32_t mKEAKeyBits;
  int16_t mSSLVersionUsed;

  uint32_t mProviderFlags;