Peter Djalaliev wrote:
> Hello,
>
> Given only a NSPR file descriptor, what would be the correct way to
> see if:
>
> 1) TLS functionality has been layered on the file descriptor stack?
> 2) The TLS handshake has been done with the host on the remote end of
> the socket connection?
>
> For 1), can I use the PR_GetDescType() from the NSPR API?  For TCP
> socket, I guess the type should be PR_DESC_SOCKET_TCP and for a TLS
> socket, it would be PR_DESC_LAYERED.  Here, I am assuming that only
> SSL can be layered on top of the TLS socket (which in my project seems
> to be a valid assumption).

Layers other than TLS can also be layered on top of the TCP socket.
The most reliable way to determine if the TLS functionality has
been layered on the file descriptor stack is to call
PR_GetIdentitiesLayer:
http://www.mozilla.org/projects/nspr/reference/html/priofnc.html#19853

But you need the PRDescIdentity value for the TLS layer, which I don't
think is easily available.  You can certainly use the PRDescIdentity
value of a layer that you know for sure is TLS.

PR_GetDescType returns a PRDescType value PR_DESC_LAYERED that is
too vague.  You'll need other information to conclude that a layer
of the type PR_DESC_LAYERED is TLS.

> What can I use for 2)?  I can't seem to invoke any of the SSL API
> functions because they all use ssl_FindSocket to match the PRFileDesc*
> to a sslSocket structure.  However, ssl_FindSocket seems to die very
> ungracefully when it receives a non-TLS PRFileDesc and returns a
> segmentation fault on a Linux platform.  Shouldn't ssl_FindSocket
> return an error code instead of a segmentation fault?

ssl_FindSocket first checks the identity of the layer, so
it seems that it should fail with the PR_BAD_DESCRIPTOR_ERROR
if it receives a non-TLS PRFileDesc:
http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ssl/sslsock.c#220

220 ssl_FindSocket(PRFileDesc *fd)
221 {
222     PRFileDesc *layer;
223     sslSocket *ss;
224
225     PORT_Assert(fd != NULL);
226     PORT_Assert(ssl_layer_id != 0);
227
228     layer = PR_GetIdentitiesLayer(fd, ssl_layer_id);
229     if (layer == NULL) {
230         PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
231         return NULL;
232     }
233
234     ss = (sslSocket *)layer->secret;
235     ss->fd = layer;
236     return ss;
237 }

Do you know why ssl_FindSocket does not return from line 231 in that
case?

Wan-Teh
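To make the layer-identity check concrete, here is an added, self-contained model (example code, not NSPR's or NSS's own sources) of what PR_GetIdentitiesLayer does and how ssl_FindSocket is meant to fail. The Layer struct, the identity values and the error constant are constructed stand-ins for PRFileDesc, PRDescIdentity and PR_BAD_DESCRIPTOR_ERROR; the search order (down the stack, then up) mirrors the real function so a query from any layer finds the SSL layer if one is present.

```c
#include <stddef.h>

/* Hypothetical model of an NSPR layered descriptor, not the real PRFileDesc:
 * each layer carries an identity and links to its neighbours in the stack. */
typedef int DescIdentity;
typedef struct Layer {
    DescIdentity identity;
    struct Layer *lower;
    struct Layer *higher;
    void *secret;            /* per-layer private data, e.g. the sslSocket */
} Layer;

/* Constructed identities: in NSPR every layer type registers its own, and
 * only the SSL layer's identity marks the stack as TLS. */
enum { ID_TCP = 1, ID_SSL = 2, ID_OTHER = 3 };

/* Constructed error plumbing standing in for PR_SetError/PR_GetError. */
enum { NO_ERROR = 0, BAD_DESCRIPTOR_ERROR = -1 };
static int last_error = NO_ERROR;
int get_last_error(void) { return last_error; }

/* Model of PR_GetIdentitiesLayer: search downward from fd, then upward, for
 * the layer whose identity matches; NULL when the stack has no such layer. */
Layer *get_identities_layer(Layer *fd, DescIdentity id) {
    for (Layer *l = fd; l != NULL; l = l->lower)
        if (l->identity == id) return l;
    for (Layer *l = fd; l != NULL; l = l->higher)
        if (l->identity == id) return l;
    return NULL;
}

/* Model of ssl_FindSocket as quoted above: report BAD_DESCRIPTOR_ERROR and
 * return NULL for a non-TLS stack instead of touching a missing layer. */
void *find_ssl_socket(Layer *fd) {
    Layer *layer = get_identities_layer(fd, ID_SSL);
    if (layer == NULL) {
        last_error = BAD_DESCRIPTOR_ERROR;
        return NULL;
    }
    return layer->secret;
}

/* Build a two-layer stack (top_id over TCP) and ask, from the bottom layer,
 * whether TLS is present. Returns 1 for a TLS stack, 0 otherwise. */
int stack_has_tls(DescIdentity top_id) {
    static int ssl_state;                 /* stands in for an sslSocket */
    Layer tcp = { ID_TCP, NULL, NULL, NULL };
    Layer top = { top_id, &tcp, NULL, &ssl_state };
    tcp.higher = &top;
    last_error = NO_ERROR;
    return find_ssl_socket(&tcp) != NULL;
}
```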

_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto