Uprev NSS to 3.23 on iOS

net/third_party/nss/ssl/sslimpl.h

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * This file is PRIVATE to SSL and should be the first thing included by
  * any SSL implementation file.
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef __sslimpl_h_
 #define __sslimpl_h_
 
 #ifdef DEBUG
 #undef NDEBUG
 #else
 #undef NDEBUG
 #define NDEBUG
 #endif
 #include "secport.h"
 #include "secerr.h"
 #include "sslerr.h"
 #include "ssl3prot.h"
 #include "hasht.h"
-#include "keythi.h"
 #include "nssilock.h"
 #include "pkcs11t.h"
 #if defined(XP_UNIX) || defined(XP_BEOS)
 #include "unistd.h"
 #endif
 #include "nssrwlk.h"
 #include "prthread.h"
 #include "prclist.h"
 
 #include "sslt.h" /* for some formerly private types, now public */
 
-#ifdef NSS_PLATFORM_CLIENT_AUTH
-#if defined(XP_WIN32)
-#include <windows.h>
-#include <wincrypt.h>
-#elif defined(XP_MACOSX)
-#include <Security/Security.h>
-#endif
-#endif
-
 /* to make some of these old enums public without namespace pollution,
 ** it was necessary to prepend ssl_ to the names.
 ** These #defines preserve compatibility with the old code here in libssl.
 */
-typedef SSLKEAType      SSL3KEAType;
+typedef SSLKEAType SSL3KEAType;
 typedef SSLMACAlgorithm SSL3MACAlgorithm;
-typedef SSLSignType     SSL3SignType;
 
-#define sign_null       ssl_sign_null
-#define sign_rsa        ssl_sign_rsa
-#define sign_dsa        ssl_sign_dsa
-#define sign_ecdsa      ssl_sign_ecdsa
+#define calg_null ssl_calg_null
+#define calg_rc4 ssl_calg_rc4
+#define calg_rc2 ssl_calg_rc2
+#define calg_des ssl_calg_des
+#define calg_3des ssl_calg_3des
+#define calg_idea ssl_calg_idea
+#define calg_fortezza ssl_calg_fortezza /* deprecated, must preserve */
+#define calg_aes ssl_calg_aes
+#define calg_camellia ssl_calg_camellia
+#define calg_seed ssl_calg_seed
+#define calg_aes_gcm ssl_calg_aes_gcm
+#define calg_chacha20 ssl_calg_chacha20
 
-#define calg_null       ssl_calg_null
-#define calg_rc4        ssl_calg_rc4
-#define calg_rc2        ssl_calg_rc2
-#define calg_des        ssl_calg_des
-#define calg_3des       ssl_calg_3des
-#define calg_idea       ssl_calg_idea
-#define calg_fortezza   ssl_calg_fortezza /* deprecated, must preserve */
-#define calg_aes        ssl_calg_aes
-#define calg_camellia   ssl_calg_camellia
-#define calg_seed       ssl_calg_seed
-#define calg_aes_gcm    ssl_calg_aes_gcm
-#define calg_chacha20   ssl_calg_chacha20
+#define mac_null ssl_mac_null
+#define mac_md5 ssl_mac_md5
+#define mac_sha ssl_mac_sha
+#define hmac_md5 ssl_hmac_md5
+#define hmac_sha ssl_hmac_sha
+#define hmac_sha256 ssl_hmac_sha256
+#define mac_aead ssl_mac_aead
 
-#define mac_null        ssl_mac_null
-#define mac_md5         ssl_mac_md5
-#define mac_sha         ssl_mac_sha
-#define hmac_md5        ssl_hmac_md5
-#define hmac_sha        ssl_hmac_sha
-#define hmac_sha256     ssl_hmac_sha256
-#define mac_aead        ssl_mac_aead
-
-#define SET_ERROR_CODE          /* reminder */
-#define SEND_ALERT              /* reminder */
-#define TEST_FOR_FAILURE        /* reminder */
-#define DEAL_WITH_FAILURE       /* reminder */
+#define SET_ERROR_CODE    /* reminder */
+#define SEND_ALERT        /* reminder */
+#define TEST_FOR_FAILURE  /* reminder */
+#define DEAL_WITH_FAILURE /* reminder */
 
 #if defined(DEBUG) || defined(TRACE)
 #ifdef __cplusplus
 #define Debug 1
 #else
 extern int Debug;
 #endif
 #else
 #undef Debug
 #endif
 
 #if defined(DEBUG) && !defined(TRACE) && !defined(NISCC_TEST)
 #define TRACE
 #endif
 
 #ifdef TRACE
-#define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b
-#define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b
-#define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b
+#define SSL_TRC(a, b)     \
+    if (ssl_trace >= (a)) \
+    ssl_Trace b
+#define PRINT_BUF(a, b)   \
+    if (ssl_trace >= (a)) \
+    ssl_PrintBuf b
+#define DUMP_MSG(a, b)    \
+    if (ssl_trace >= (a)) \
+    ssl_DumpMsg b
 #else
-#define SSL_TRC(a,b)
-#define PRINT_BUF(a,b)
-#define DUMP_MSG(a,b)
+#define SSL_TRC(a, b)
+#define PRINT_BUF(a, b)
+#define DUMP_MSG(a, b)
 #endif
 
 #ifdef DEBUG
-#define SSL_DBG(b) if (ssl_debug) ssl_Trace b
+#define SSL_DBG(b) \
+    if (ssl_debug) \
+    ssl_Trace b
 #else
 #define SSL_DBG(b)
 #endif
 
-#include "private/pprthred.h"   /* for PR_InMonitor() */
+#include "private/pprthred.h" /* for PR_InMonitor() */
 #define ssl_InMonitor(m) PZ_InMonitor(m)
 
-#define LSB(x) ((unsigned char) ((x) & 0xff))
-#define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8))
+#define LSB(x) ((unsigned char)((x)&0xff))
+#define MSB(x) ((unsigned char)(((unsigned)(x)) >> 8))
 
 /************************************************************************/
 
 typedef enum { SSLAppOpRead = 0,
-               SSLAppOpWrite,
-               SSLAppOpRDWR,
-               SSLAppOpPost,
-               SSLAppOpHeader
+               SSLAppOpWrite,
+               SSLAppOpRDWR,
+               SSLAppOpPost,
+               SSLAppOpHeader
 } SSLAppOperation;
 
-#define SSL_MIN_MASTER_KEY_BYTES        5
-#define SSL_MAX_MASTER_KEY_BYTES        64
+#define SSL_MIN_MASTER_KEY_BYTES 5
+#define SSL_MAX_MASTER_KEY_BYTES 64
 
-#define SSL2_SESSIONID_BYTES            16
-#define SSL3_SESSIONID_BYTES            32
+#define SSL2_SESSIONID_BYTES 16
+#define SSL3_SESSIONID_BYTES 32
 
-#define SSL_MIN_CHALLENGE_BYTES         16
-#define SSL_MAX_CHALLENGE_BYTES         32
-#define SSL_CHALLENGE_BYTES             16
+#define SSL_MIN_CHALLENGE_BYTES 16
+#define SSL_MAX_CHALLENGE_BYTES 32
+#define SSL_CHALLENGE_BYTES 16
 
-#define SSL_CONNECTIONID_BYTES          16
+#define SSL_CONNECTIONID_BYTES 16
 
-#define SSL_MIN_CYPHER_ARG_BYTES        0
-#define SSL_MAX_CYPHER_ARG_BYTES        32
+#define SSL_MIN_CYPHER_ARG_BYTES 0
+#define SSL_MAX_CYPHER_ARG_BYTES 32
 
-#define SSL_MAX_MAC_BYTES               16
+#define SSL_MAX_MAC_BYTES 16
 
 #define SSL3_RSA_PMS_LENGTH 48
 #define SSL3_MASTER_SECRET_LENGTH 48
 
 /* number of wrap mechanisms potentially used to wrap master secrets. */
-#define SSL_NUM_WRAP_MECHS              16
+#define SSL_NUM_WRAP_MECHS 16
 
 /* This makes the cert cache entry exactly 4k. */
-#define SSL_MAX_CACHED_CERT_LEN         4060
+#define SSL_MAX_CACHED_CERT_LEN 4060
 
-#define NUM_MIXERS                      9
+#define NUM_MIXERS 9
 
 /* Mask of the 25 named curves we support. */
 #define SSL3_ALL_SUPPORTED_CURVES_MASK 0x3fffffe
 /* Mask of only 3 curves, suite B */
 #define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000
 
 #ifndef BPB
 #define BPB 8 /* Bits Per Byte */
 #endif
 
-#define EXPORT_RSA_KEY_LENGTH 64        /* bytes */
+#define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
 
-#define INITIAL_DTLS_TIMEOUT_MS   1000  /* Default value from RFC 4347 = 1s*/
-#define MAX_DTLS_TIMEOUT_MS      60000  /* 1 minute */
-#define DTLS_FINISHED_TIMER_MS  120000  /* Time to wait in FINISHED state */
+#define INITIAL_DTLS_TIMEOUT_MS 1000  /* Default value from RFC 4347 = 1s*/
+#define MAX_DTLS_TIMEOUT_MS 60000     /* 1 minute */
+#define DTLS_FINISHED_TIMER_MS 120000 /* Time to wait in FINISHED state */
 
-typedef struct sslBufferStr             sslBuffer;
-typedef struct sslConnectInfoStr        sslConnectInfo;
-typedef struct sslGatherStr             sslGather;
-typedef struct sslSecurityInfoStr       sslSecurityInfo;
-typedef struct sslSessionIDStr          sslSessionID;
-typedef struct sslSocketStr             sslSocket;
-typedef struct sslSocketOpsStr          sslSocketOps;
+typedef struct sslBufferStr sslBuffer;
+typedef struct sslConnectInfoStr sslConnectInfo;
+typedef struct sslGatherStr sslGather;
+typedef struct sslSecurityInfoStr sslSecurityInfo;
+typedef struct sslSessionIDStr sslSessionID;
+typedef struct sslSocketStr sslSocket;
+typedef struct sslSocketOpsStr sslSocketOps;
 
-typedef struct ssl3StateStr             ssl3State;
-typedef struct ssl3CertNodeStr          ssl3CertNode;
-typedef struct ssl3BulkCipherDefStr     ssl3BulkCipherDef;
-typedef struct ssl3MACDefStr            ssl3MACDef;
-typedef struct ssl3KeyPairStr           ssl3KeyPair;
-typedef struct ssl3DHParamsStr          ssl3DHParams;
+typedef struct ssl3StateStr ssl3State;
+typedef struct ssl3CertNodeStr ssl3CertNode;
+typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef;
+typedef struct ssl3MACDefStr ssl3MACDef;
+typedef struct ssl3KeyPairStr ssl3KeyPair;
+typedef struct ssl3DHParamsStr ssl3DHParams;
 
 struct ssl3CertNodeStr {
     struct ssl3CertNodeStr *next;
-    CERTCertificate *       cert;
+    CERTCertificate *cert;
 };
 
 typedef SECStatus (*sslHandshakeFunc)(sslSocket *ss);
 
-/* This type points to the low layer send func, 
+/* This type points to the low layer send func,
 ** e.g. ssl2_SendStream or ssl3_SendPlainText.
-** These functions return the same values as PR_Send, 
+** These functions return the same values as PR_Send,
 ** i.e.  >= 0 means number of bytes sent, < 0 means error.
 */
-typedef PRInt32       (*sslSendFunc)(sslSocket *ss, const unsigned char *buf,
-                                     PRInt32 n, PRInt32 flags);
+typedef PRInt32 (*sslSendFunc)(sslSocket *ss, const unsigned char *buf,
+                               PRInt32 n, PRInt32 flags);
 
-typedef void          (*sslSessionIDCacheFunc)  (sslSessionID *sid);
-typedef void          (*sslSessionIDUncacheFunc)(sslSessionID *sid);
-typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr    *addr,
-                                                unsigned char* sid,
-                                                unsigned int   sidLen,
-                                                CERTCertDBHandle * dbHandle);
+typedef void (*sslSessionIDCacheFunc)(sslSessionID *sid);
+typedef void (*sslSessionIDUncacheFunc)(sslSessionID *sid);
+typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr *addr,
+                                                unsigned char *sid,
+                                                unsigned int sidLen,
+                                                CERTCertDBHandle *dbHandle);
 
 /* registerable callback function that either appends extension to buffer
  * or returns length of data that it would have appended.
  */
 typedef PRInt32 (*ssl3HelloExtensionSenderFunc)(sslSocket *ss, PRBool append,
-                                                PRUint32 maxBytes);
+                                                PRUint32 maxBytes);
 
-/* registerable callback function that handles a received extension, 
+/* registerable callback function that handles a received extension,
  * of the given type.
  */
-typedef SECStatus (* ssl3HelloExtensionHandlerFunc)(sslSocket *ss,
-                                                    PRUint16   ex_type,
-                                                    SECItem *  data);
+typedef SECStatus (*ssl3HelloExtensionHandlerFunc)(sslSocket *ss,
+                                                   PRUint16 ex_type,
+                                                   SECItem *data);
 
 /* row in a table of hello extension senders */
 typedef struct {
-    PRInt32                      ex_type;
+    PRInt32 ex_type;
     ssl3HelloExtensionSenderFunc ex_sender;
 } ssl3HelloExtensionSender;
 
 /* row in a table of hello extension handlers */
 typedef struct {
-    PRInt32                       ex_type;
+    PRInt32 ex_type;
     ssl3HelloExtensionHandlerFunc ex_handler;
 } ssl3HelloExtensionHandler;
 
-extern SECStatus 
+extern SECStatus
 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
-                                        ssl3HelloExtensionSenderFunc cb);
+                                        ssl3HelloExtensionSenderFunc cb);
 
 extern PRInt32
 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
                                const ssl3HelloExtensionSender *sender);
 
 extern unsigned int
 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength);
 
 extern PRInt32
 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
-                            PRUint32 maxBytes);
+                            PRUint32 maxBytes);
 
 /* Socket ops */
 struct sslSocketOpsStr {
-    int         (*connect) (sslSocket *, const PRNetAddr *);
-    PRFileDesc *(*accept)  (sslSocket *, PRNetAddr *);
-    int         (*bind)    (sslSocket *, const PRNetAddr *);
-    int         (*listen)  (sslSocket *, int);
-    int         (*shutdown)(sslSocket *, int);
-    int         (*close)   (sslSocket *);
+    int (*connect)(sslSocket *, const PRNetAddr *);
+    PRFileDesc *(*accept)(sslSocket *, PRNetAddr *);
+    int (*bind)(sslSocket *, const PRNetAddr *);
+    int (*listen)(sslSocket *, int);
+    int (*shutdown)(sslSocket *, int);
+    int (*close)(sslSocket *);
 
-    int         (*recv)    (sslSocket *, unsigned char *, int, int);
+    int (*recv)(sslSocket *, unsigned char *, int, int);
 
     /* points to the higher-layer send func, e.g. ssl_SecureSend. */
-    int         (*send)    (sslSocket *, const unsigned char *, int, int);
-    int         (*read)    (sslSocket *, unsigned char *, int);
-    int         (*write)   (sslSocket *, const unsigned char *, int);
+    int (*send)(sslSocket *, const unsigned char *, int, int);
+    int (*read)(sslSocket *, unsigned char *, int);
+    int (*write)(sslSocket *, const unsigned char *, int);
 
-    int         (*getpeername)(sslSocket *, PRNetAddr *);
-    int         (*getsockname)(sslSocket *, PRNetAddr *);
+    int (*getpeername)(sslSocket *, PRNetAddr *);
+    int (*getsockname)(sslSocket *, PRNetAddr *);
 };
 
 /* Flags interpreted by ssl send functions. */
-#define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000
-#define ssl_SEND_FLAG_NO_BUFFER         0x20000000
-#define ssl_SEND_FLAG_USE_EPOCH         0x10000000 /* DTLS only */
-#define ssl_SEND_FLAG_NO_RETRANSMIT     0x08000000 /* DTLS only */
+#define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000
+#define ssl_SEND_FLAG_NO_BUFFER 0x20000000
+#define ssl_SEND_FLAG_USE_EPOCH 0x10000000     /* DTLS only */
+#define ssl_SEND_FLAG_NO_RETRANSMIT 0x08000000 /* DTLS only */
 #define ssl_SEND_FLAG_CAP_RECORD_VERSION \
-                                        0x04000000 /* TLS only */
-#define ssl_SEND_FLAG_MASK              0x7f000000
+    0x04000000 /* TLS only */
+#define ssl_SEND_FLAG_MASK 0x7f000000
 
 /*
 ** A buffer object.
 */
 struct sslBufferStr {
-    unsigned char *     buf;
-    unsigned int        len;
-    unsigned int        space;
+    unsigned char *buf;
+    unsigned int len;
+    unsigned int space;
 };
 
 /*
 ** SSL3 cipher suite policy and preference struct.
 */
 typedef struct {
 #if !defined(_WIN32)
-    unsigned int    cipher_suite : 16;
-    unsigned int    policy       :  8;
-    unsigned int    enabled      :  1;
-    unsigned int    isPresent    :  1;
+    unsigned int cipher_suite : 16;
+    unsigned int policy : 8;
+    unsigned int enabled : 1;
+    unsigned int isPresent : 1;
 #else
     ssl3CipherSuite cipher_suite;
-    PRUint8         policy;
-    unsigned char   enabled   : 1;
-    unsigned char   isPresent : 1;
+    PRUint8 policy;
+    unsigned char enabled : 1;
+    unsigned char isPresent : 1;
 #endif
 } ssl3CipherSuiteCfg;
 
 #ifndef NSS_DISABLE_ECC
-#define ssl_V3_SUITES_IMPLEMENTED 66
+#define ssl_V3_SUITES_IMPLEMENTED 67
 #else
-#define ssl_V3_SUITES_IMPLEMENTED 40
+#define ssl_V3_SUITES_IMPLEMENTED 41
 #endif /* NSS_DISABLE_ECC */
 
 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
 
 /* MAX_SIGNATURE_ALGORITHMS allows for a large number of combinations of
  * SSLSignType and SSLHashType, but not all combinations (specifically, this
  * doesn't allow space for combinations with MD5). */
 #define MAX_SIGNATURE_ALGORITHMS 15
 
-
+/* clang-format off */
 typedef struct sslOptionsStr {
     /* If SSL_SetNextProtoNego has been called, then this contains the
      * list of supported protocols. */
     SECItem nextProtoNego;
 
-    unsigned int useSecurity            : 1;  /*  1 */
-    unsigned int useSocks               : 1;  /*  2 */
-    unsigned int requestCertificate     : 1;  /*  3 */
-    unsigned int requireCertificate     : 2;  /*  4-5 */
-    unsigned int handshakeAsClient      : 1;  /*  6 */
-    unsigned int handshakeAsServer      : 1;  /*  7 */
-    unsigned int enableSSL2             : 1;  /*  8 */
-    unsigned int unusedBit9             : 1;  /*  9 */
-    unsigned int unusedBit10            : 1;  /* 10 */
-    unsigned int noCache                : 1;  /* 11 */
-    unsigned int fdx                    : 1;  /* 12 */
-    unsigned int v2CompatibleHello      : 1;  /* 13 */
-    unsigned int detectRollBack         : 1;  /* 14 */
-    unsigned int noStepDown             : 1;  /* 15 */
-    unsigned int bypassPKCS11           : 1;  /* 16 */
-    unsigned int noLocks                : 1;  /* 17 */
-    unsigned int enableSessionTickets   : 1;  /* 18 */
-    unsigned int enableDeflate          : 1;  /* 19 */
-    unsigned int enableRenegotiation    : 2;  /* 20-21 */
-    unsigned int requireSafeNegotiation : 1;  /* 22 */
-    unsigned int enableFalseStart       : 1;  /* 23 */
-    unsigned int cbcRandomIV            : 1;  /* 24 */
-    unsigned int enableOCSPStapling     : 1;  /* 25 */
-    unsigned int enableNPN              : 1;  /* 26 */
-    unsigned int enableALPN             : 1;  /* 27 */
-    unsigned int reuseServerECDHEKey    : 1;  /* 28 */
-    unsigned int enableFallbackSCSV     : 1;  /* 29 */
-    unsigned int enableServerDhe        : 1;  /* 30 */
-    unsigned int enableExtendedMS       : 1;  /* 31 */
+    unsigned int useSecurity                : 1;  /*  1 */
+    unsigned int useSocks                   : 1;  /*  2 */
+    unsigned int requestCertificate         : 1;  /*  3 */
+    unsigned int requireCertificate         : 2;  /*  4-5 */
+    unsigned int handshakeAsClient          : 1;  /*  6 */
+    unsigned int handshakeAsServer          : 1;  /*  7 */
+    unsigned int enableSSL2                 : 1;  /*  8 */
+    unsigned int unusedBit9                 : 1;  /*  9 */
+    unsigned int unusedBit10                : 1;  /* 10 */
+    unsigned int noCache                    : 1;  /* 11 */
+    unsigned int fdx                        : 1;  /* 12 */
+    unsigned int v2CompatibleHello          : 1;  /* 13 */
+    unsigned int detectRollBack             : 1;  /* 14 */
+    unsigned int noStepDown                 : 1;  /* 15 */
+    unsigned int bypassPKCS11               : 1;  /* 16 */
+    unsigned int noLocks                    : 1;  /* 17 */
+    unsigned int enableSessionTickets       : 1;  /* 18 */
+    unsigned int enableDeflate              : 1;  /* 19 */
+    unsigned int enableRenegotiation        : 2;  /* 20-21 */
+    unsigned int requireSafeNegotiation     : 1;  /* 22 */
+    unsigned int enableFalseStart           : 1;  /* 23 */
+    unsigned int cbcRandomIV                : 1;  /* 24 */
+    unsigned int enableOCSPStapling         : 1;  /* 25 */
+    unsigned int enableNPN                  : 1;  /* 26 */
+    unsigned int enableALPN                 : 1;  /* 27 */
+    unsigned int reuseServerECDHEKey        : 1;  /* 28 */
+    unsigned int enableFallbackSCSV         : 1;  /* 29 */
+    unsigned int enableServerDhe            : 1;  /* 30 */
+    unsigned int enableExtendedMS           : 1;  /* 31 */
     unsigned int enableSignedCertTimestamps : 1;  /* 32 */
 } sslOptions;
+/* clang-format on */
 
 typedef enum { sslHandshakingUndetermined = 0,
-               sslHandshakingAsClient,
-               sslHandshakingAsServer 
+               sslHandshakingAsClient,
+               sslHandshakingAsServer
 } sslHandshakingType;
 
 typedef struct sslServerCertsStr {
     /* Configuration state for server sockets */
-    CERTCertificate *     serverCert;
-    CERTCertificateList * serverCertChain;
-    ssl3KeyPair *         serverKeyPair;
-    unsigned int          serverKeyBits;
+    CERTCertificate *serverCert;
+    CERTCertificateList *serverCertChain;
+    ssl3KeyPair *serverKeyPair;
+    unsigned int serverKeyBits;
 } sslServerCerts;
 
 #define SERVERKEY serverKeyPair->privKey
 
-#define SSL_LOCK_RANK_SPEC      255
-#define SSL_LOCK_RANK_GLOBAL    NSS_RWLOCK_RANK_NONE
+#define SSL_LOCK_RANK_SPEC 255
+#define SSL_LOCK_RANK_GLOBAL NSS_RWLOCK_RANK_NONE
 
-/* These are the valid values for shutdownHow. 
+/* These are the valid values for shutdownHow.
 ** These values are each 1 greater than the NSPR values, and the code
-** depends on that relation to efficiently convert PR_SHUTDOWN values 
-** into ssl_SHUTDOWN values.  These values use one bit for read, and 
+** depends on that relation to efficiently convert PR_SHUTDOWN values
+** into ssl_SHUTDOWN values.  These values use one bit for read, and
 ** another bit for write, and can be used as bitmasks.
 */
-#define ssl_SHUTDOWN_NONE       0       /* NOT shutdown at all */
-#define ssl_SHUTDOWN_RCV        1       /* PR_SHUTDOWN_RCV  +1 */
-#define ssl_SHUTDOWN_SEND       2       /* PR_SHUTDOWN_SEND +1 */
-#define ssl_SHUTDOWN_BOTH       3       /* PR_SHUTDOWN_BOTH +1 */
+#define ssl_SHUTDOWN_NONE 0 /* NOT shutdown at all */
+#define ssl_SHUTDOWN_RCV 1  /* PR_SHUTDOWN_RCV  +1 */
+#define ssl_SHUTDOWN_SEND 2 /* PR_SHUTDOWN_SEND +1 */
+#define ssl_SHUTDOWN_BOTH 3 /* PR_SHUTDOWN_BOTH +1 */
 
 /*
 ** A gather object. Used to read some data until a count has been
 ** satisfied. Primarily for support of async sockets.
 ** Everything in here is protected by the recvBufLock.
 */
 struct sslGatherStr {
-    int           state;        /* see GS_ values below. */     /* ssl 2 & 3 */
+    int state; /* see GS_ values below. */ /* ssl 2 & 3 */
 
     /* "buf" holds received plaintext SSL records, after decrypt and MAC check.
      * SSL2: recv'd ciphertext records are put here, then decrypted in place.
-     * SSL3: recv'd ciphertext records are put in inbuf (see below), then 
+     * SSL3: recv'd ciphertext records are put in inbuf (see below), then
      *       decrypted into buf.
      */
-    sslBuffer     buf;                          /*recvBufLock*/ /* ssl 2 & 3 */
+    sslBuffer buf; /*recvBufLock*/ /* ssl 2 & 3 */
 
-    /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3). 
-    ** (offset - writeOffset) is the number of ciphertext bytes read in but 
+    /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3).
+    ** (offset - writeOffset) is the number of ciphertext bytes read in but
     **     not yet deciphered.
     */
-    unsigned int  offset;                                       /* ssl 2 & 3 */
+    unsigned int offset; /* ssl 2 & 3 */
 
     /* number of bytes to read in next call to ssl_DefRecv (recv) */
-    unsigned int  remainder;                                    /* ssl 2 & 3 */
+    unsigned int remainder; /* ssl 2 & 3 */
 
     /* Number of ciphertext bytes to read in after 2-byte SSL record header. */
-    unsigned int  count;                                        /* ssl2 only */
+    unsigned int count; /* ssl2 only */
 
-    /* size of the final plaintext record. 
+    /* size of the final plaintext record.
     ** == count - (recordPadding + MAC size)
     */
-    unsigned int  recordLen;                                    /* ssl2 only */
+    unsigned int recordLen; /* ssl2 only */
 
     /* number of bytes of padding to be removed after decrypting. */
     /* This value is taken from the record's hdr[2], which means a too large
      * value could crash us.
      */
-    unsigned int  recordPadding;                                /* ssl2 only */
+    unsigned int recordPadding; /* ssl2 only */
 
     /* plaintext DATA begins this many bytes into "buf".  */
-    unsigned int  recordOffset;                                 /* ssl2 only */
+    unsigned int recordOffset; /* ssl2 only */
 
-    int           encrypted;    /* SSL2 session is now encrypted.  ssl2 only */
+    int encrypted; /* SSL2 session is now encrypted.  ssl2 only */
 
-    /* These next two values are used by SSL2 and SSL3.  
+    /* These next two values are used by SSL2 and SSL3.
     ** DoRecv uses them to extract application data.
-    ** The difference between writeOffset and readOffset is the amount of 
-    ** data available to the application.   Note that the actual offset of 
+    ** The difference between writeOffset and readOffset is the amount of
+    ** data available to the application.   Note that the actual offset of
     ** the data in "buf" is recordOffset (above), not readOffset.
-    ** In the current implementation, this is made available before the 
+    ** In the current implementation, this is made available before the
     ** MAC is checked!!
     */
-    unsigned int  readOffset;  /* Spot where DATA reader (e.g. application
+    unsigned int readOffset; /* Spot where DATA reader (e.g. application
                                ** or handshake code) will read next.
                                ** Always zero for SSl3 application data.
-                               */
+                               */
     /* offset in buf/inbuf/hdr into which new data will be read from socket. */
-    unsigned int  writeOffset; 
+    unsigned int writeOffset;
 
     /* Buffer for ssl3 to read (encrypted) data from the socket */
-    sslBuffer     inbuf;                        /*recvBufLock*/ /* ssl3 only */
+    sslBuffer inbuf; /*recvBufLock*/ /* ssl3 only */
 
     /* The ssl[23]_GatherData functions read data into this buffer, rather
-    ** than into buf or inbuf, while in the GS_HEADER state.  
-    ** The portion of the SSL record header put here always comes off the wire 
+    ** than into buf or inbuf, while in the GS_HEADER state.
+    ** The portion of the SSL record header put here always comes off the wire
     ** as plaintext, never ciphertext.
     ** For SSL2, the plaintext portion is two bytes long.  For SSl3 it is 5.
     ** For DTLS it is 13.
     */
-    unsigned char hdr[13];                              /* ssl 2 & 3 or dtls */
+    unsigned char hdr[13]; /* ssl 2 & 3 or dtls */
 
     /* Buffer for DTLS data read off the wire as a single datagram */
-    sslBuffer     dtlsPacket;
+    sslBuffer dtlsPacket;
 
     /* the start of the buffered DTLS record in dtlsPacket */
-    unsigned int  dtlsPacketOffset;
+    unsigned int dtlsPacketOffset;
 };
 
 /* sslGather.state */
-#define GS_INIT         0
-#define GS_HEADER       1
-#define GS_MAC          2
-#define GS_DATA         3
-#define GS_PAD          4
-
-#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32)
-typedef PCERT_KEY_CONTEXT PlatformKey;
-#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX)
-typedef SecKeyRef PlatformKey;
-#else
-typedef void *PlatformKey;
-#endif
-
-
+#define GS_INIT 0
+#define GS_HEADER 1
+#define GS_MAC 2
+#define GS_DATA 3
+#define GS_PAD 4
 
 /*
 ** ssl3State and CipherSpec structs
 */
 
 /* The SSL bulk cipher definition */
 typedef enum {
     cipher_null,
-    cipher_rc4, 
+    cipher_rc4,
     cipher_rc4_40,
     cipher_rc4_56,
-    cipher_rc2, 
+    cipher_rc2,
     cipher_rc2_40,
-    cipher_des, 
-    cipher_3des, 
+    cipher_des,
+    cipher_3des,
     cipher_des40,
-    cipher_idea, 
+    cipher_idea,
     cipher_aes_128,
     cipher_aes_256,
     cipher_camellia_128,
     cipher_camellia_256,
     cipher_seed,
     cipher_aes_128_gcm,
     cipher_chacha20,
-    cipher_missing              /* reserved for no such supported cipher */
+    cipher_missing /* reserved for no such supported cipher */
     /* This enum must match ssl3_cipherName[] in ssl3con.c.  */
 } SSL3BulkCipher;
 
-typedef enum { type_stream, type_block, type_aead } CipherType;
+typedef enum { type_stream,
+               type_block,
+               type_aead } CipherType;
 
 #define MAX_IV_LENGTH 24
 
 /*
- * Do not depend upon 64 bit arithmetic in the underlying machine. 
+ * Do not depend upon 64 bit arithmetic in the underlying machine.
  */
 typedef struct {
-    PRUint32         high;
-    PRUint32         low;
+    PRUint32 high;
+    PRUint32 low;
 } SSL3SequenceNumber;
 
 typedef PRUint16 DTLSEpoch;
 
 typedef void (*DTLSTimerCb)(sslSocket *);
 
-#define MAX_MAC_CONTEXT_BYTES 400  /* 400 is large enough for MD5, SHA-1, and
-                                    * SHA-256. For SHA-384 support, increase
-                                    * it to 712. */
+/* 400 is large enough for MD5, SHA-1, and SHA-256.
+ * For SHA-384 support, increase it to 712. */
+#define MAX_MAC_CONTEXT_BYTES 400
 #define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8)
 
 #define MAX_CIPHER_CONTEXT_BYTES 2080
 #define MAX_CIPHER_CONTEXT_LLONGS (MAX_CIPHER_CONTEXT_BYTES / 8)
 
 typedef struct {
-    SSL3Opaque        wrapped_master_secret[48];
-    PRUint16          wrapped_master_secret_len;
-    PRUint8           msIsWrapped;
-    PRUint8           resumable;
-    PRUint8           extendedMasterSecretUsed;
+    SSL3Opaque wrapped_master_secret[48];
+    PRUint16 wrapped_master_secret_len;
+    PRUint8 msIsWrapped;
+    PRUint8 resumable;
+    PRUint8 extendedMasterSecretUsed;
 } ssl3SidKeys; /* 52 bytes */
 
 typedef struct {
-    PK11SymKey  *write_key;
-    PK11SymKey  *write_mac_key;
+    PK11SymKey *write_key;
+    PK11SymKey *write_mac_key;
     PK11Context *write_mac_context;
-    SECItem     write_key_item;
-    SECItem     write_iv_item;
-    SECItem     write_mac_key_item;
-    SSL3Opaque  write_iv[MAX_IV_LENGTH];
-    PRUint64    cipher_context[MAX_CIPHER_CONTEXT_LLONGS];
+    SECItem write_key_item;
+    SECItem write_iv_item;
+    SECItem write_mac_key_item;
+    SSL3Opaque write_iv[MAX_IV_LENGTH];
+    PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS];
 } ssl3KeyMaterial;
 
-typedef SECStatus (*SSLCipher)(void *               context, 
-                               unsigned char *      out,
-                               int *                outlen, 
-                               int                  maxout, 
-                               const unsigned char *in,
-                               int                  inlen);
+typedef SECStatus (*SSLCipher)(void *context,
+                               unsigned char *out,
+                               int *outlen,
+                               int maxout,
+                               const unsigned char *in,
+                               int inlen);
 typedef SECStatus (*SSLAEADCipher)(
-                               ssl3KeyMaterial *    keys,
-                               PRBool               doDecrypt,
-                               unsigned char *      out,
-                               int *                outlen,
-                               int                  maxout,
-                               const unsigned char *in,
-                               int                  inlen,
-                               const unsigned char *additionalData,
-                               int                  additionalDataLen);
-typedef SECStatus (*SSLCompressor)(void *               context,
-                                   unsigned char *      out,
-                                   int *                outlen,
-                                   int                  maxout,
+    ssl3KeyMaterial *keys,
+    PRBool doDecrypt,
+    unsigned char *out,
+    int *outlen,
+    int maxout,
+    const unsigned char *in,
+    int inlen,
+    const unsigned char *additionalData,
+    int additionalDataLen);
+typedef SECStatus (*SSLCompressor)(void *context,
+                                   unsigned char *out,
+                                   int *outlen,
+                                   int maxout,
                                    const unsigned char *in,
-                                   int                  inlen);
+                                   int inlen);
 typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
 
 /* The DTLS anti-replay window. Defined here because we need it in
  * the cipher spec. Note that this is a ring buffer but left and
  * right represent the true window, with modular arithmetic used to
  * map them onto the buffer.
  */
-#define DTLS_RECVD_RECORDS_WINDOW 1024 /* Packets; approximate
-                                        * Must be divisible by 8
-                                        */
+#define DTLS_RECVD_RECORDS_WINDOW 1024 /* Packets; approximate   \
+                                        * Must be divisible by 8 \
+                                        */
 typedef struct DTLSRecvdRecordsStr {
-    unsigned char data[DTLS_RECVD_RECORDS_WINDOW/8];
+    unsigned char data[DTLS_RECVD_RECORDS_WINDOW / 8];
     PRUint64 left;
     PRUint64 right;
 } DTLSRecvdRecords;
 
 /*
 ** These are the "specs" in the "ssl3" struct.
 ** Access to the pointers to these specs, and all the specs' contents
 ** (direct and indirect) is protected by the reader/writer lock ss->specLock.
 */
 typedef struct {
     const ssl3BulkCipherDef *cipher_def;
-    const ssl3MACDef * mac_def;
+    const ssl3MACDef *mac_def;
     SSLCompressionMethod compression_method;
-    int                mac_size;
-    SSLCipher          encode;
-    SSLCipher          decode;
-    SSLAEADCipher      aead;
-    SSLDestroy         destroy;
-    void *             encodeContext;
-    void *             decodeContext;
-    SSLCompressor      compressor;    /* Don't name these fields compress */
-    SSLCompressor      decompressor;  /* and uncompress because zconf.h   */
-                                      /* may define them as macros.       */ 
-    SSLDestroy         destroyCompressContext;
-    void *             compressContext;
-    SSLDestroy         destroyDecompressContext;
-    void *             decompressContext;
-    PRBool             bypassCiphers;   /* did double bypass (at least) */
-    PK11SymKey *       master_secret;
+    int mac_size;
+    SSLCipher encode;
+    SSLCipher decode;
+    SSLAEADCipher aead;
+    SSLDestroy destroy;
+    void *encodeContext;
+    void *decodeContext;
+    SSLCompressor compressor;   /* Don't name these fields compress */
+    SSLCompressor decompressor; /* and uncompress because zconf.h   */
+                                /* may define them as macros.       */
+    SSLDestroy destroyCompressContext;
+    void *compressContext;
+    SSLDestroy destroyDecompressContext;
+    void *decompressContext;
+    PRBool bypassCiphers; /* did double bypass (at least) */
+    PK11SymKey *master_secret;
     SSL3SequenceNumber write_seq_num;
     SSL3SequenceNumber read_seq_num;
     SSL3ProtocolVersion version;
-    ssl3KeyMaterial    client;
-    ssl3KeyMaterial    server;
-    SECItem            msItem;
-    unsigned char      key_block[NUM_MIXERS * MD5_LENGTH];
-    unsigned char      raw_master_secret[56];
-    SECItem            srvVirtName;    /* for server: name that was negotiated
-                                        * with a client. For client - is
-                                        * always set to NULL.*/
-    DTLSEpoch          epoch;
-    DTLSRecvdRecords   recvdRecords;
+    ssl3KeyMaterial client;
+    ssl3KeyMaterial server;
+    SECItem msItem;
+    unsigned char key_block[NUM_MIXERS * MD5_LENGTH];
+    unsigned char raw_master_secret[56];
+    SECItem srvVirtName; /* for server: name that was negotiated
+                          * with a client. For client - is
+                          * always set to NULL.*/
+    DTLSEpoch epoch;
+    DTLSRecvdRecords recvdRecords;
 } ssl3CipherSpec;
 
-typedef enum {  never_cached, 
-                in_client_cache, 
-                in_server_cache, 
-                invalid_cache           /* no longer in any cache. */
+typedef enum { never_cached,
+               in_client_cache,
+               in_server_cache,
+               invalid_cache /* no longer in any cache. */
 } Cached;
 
 #define MAX_PEER_CERT_CHAIN_SIZE 8
 
 struct sslSessionIDStr {
     /* The global cache lock must be held when accessing these members when the
      * sid is in any cache.
      */
-    sslSessionID *        next;   /* chain used for client sockets, only */
-    Cached                cached;
-    int                   references;
-    PRUint32              lastAccessTime;       /* seconds since Jan 1, 1970 */
+    sslSessionID *next; /* chain used for client sockets, only */
+    Cached cached;
+    int references;
+    PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */
 
     /* The rest of the members, except for the members of u.ssl3.locked, may
      * be modified only when the sid is not in any cache.
      */
 
-    CERTCertificate *     peerCert;
-    CERTCertificate *     peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
-    SECItemArray          peerCertStatus; /* client only */
-    const char *          peerID;     /* client only */
-    const char *          urlSvrName; /* client only */
-    CERTCertificate *     localCert;
+    CERTCertificate *peerCert;
+    CERTCertificate *peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
+    SECItemArray peerCertStatus; /* client only */
+    const char *peerID;          /* client only */
+    const char *urlSvrName;      /* client only */
+    CERTCertificate *localCert;
 
-    PRIPv6Addr            addr;
-    PRUint16              port;
+    PRIPv6Addr addr;
+    PRUint16 port;
 
-    SSL3ProtocolVersion   version;
+    SSL3ProtocolVersion version;
 
-    PRUint32              creationTime;         /* seconds since Jan 1, 1970 */
-    PRUint32              expirationTime;       /* seconds since Jan 1, 1970 */
+    PRUint32 creationTime;   /* seconds since Jan 1, 1970 */
+    PRUint32 expirationTime; /* seconds since Jan 1, 1970 */
 
-    SSLSignType           authAlgorithm;
-    PRUint32              authKeyBits;
-    SSLKEAType            keaType;
-    PRUint32              keaKeyBits;
+    SSLSignType authAlgorithm;
+    PRUint32 authKeyBits;
+    SSLKEAType keaType;
+    PRUint32 keaKeyBits;
 
     union {
-        struct {
-            /* the V2 code depends upon the size of sessionID.  */
-            unsigned char         sessionID[SSL2_SESSIONID_BYTES];
+        struct {
+            /* the V2 code depends upon the size of sessionID.  */
+            unsigned char sessionID[SSL2_SESSIONID_BYTES];
 
-            /* Stuff used to recreate key and read/write cipher objects */
-            SECItem               masterKey;        /* never wrapped */
-            int                   cipherType;
-            SECItem               cipherArg;
-            int                   keyBits;
-            int                   secretKeyBits;
-        } ssl2;
-        struct {
-            /* values that are copied into the server's on-disk SID cache. */
-            PRUint8               sessionIDLength;
-            SSL3Opaque            sessionID[SSL3_SESSIONID_BYTES];
+            /* Stuff used to recreate key and read/write cipher objects */
+            SECItem masterKey; /* never wrapped */
+            int cipherType;
+            SECItem cipherArg;
+            int keyBits;
+            int secretKeyBits;
+        } ssl2;
+        struct {
+            /* values that are copied into the server's on-disk SID cache. */
+            PRUint8 sessionIDLength;
+            SSL3Opaque sessionID[SSL3_SESSIONID_BYTES];
 
-            ssl3CipherSuite       cipherSuite;
-            SSLCompressionMethod  compression;
-            int                   policy;
-            ssl3SidKeys           keys;
-            CK_MECHANISM_TYPE     masterWrapMech;
-                                  /* mechanism used to wrap master secret */
-            SSL3KEAType           exchKeyType;
-                                  /* key type used in exchange algorithm,
-                                   * and to wrap the sym wrapping key. */
+            ssl3CipherSuite cipherSuite;
+            SSLCompressionMethod compression;
+            int policy;
+            ssl3SidKeys keys;
+            CK_MECHANISM_TYPE masterWrapMech;
+            /* mechanism used to wrap master secret */
+            SSL3KEAType exchKeyType;
+            /* key type used in exchange algorithm,
+             * and to wrap the sym wrapping key. */
 #ifndef NSS_DISABLE_ECC
-            PRUint32              negotiatedECCurves;
+            PRUint32 negotiatedECCurves;
 #endif /* NSS_DISABLE_ECC */
 
-            /* The following values are NOT restored from the server's on-disk
-             * session cache, but are restored from the client's cache.
-             */
-            PK11SymKey *      clientWriteKey;
-            PK11SymKey *      serverWriteKey;
+            /* The following values are NOT restored from the server's on-disk
+             * session cache, but are restored from the client's cache.
+             */
+            PK11SymKey *clientWriteKey;
+            PK11SymKey *serverWriteKey;
 
-            /* The following values pertain to the slot that wrapped the 
-            ** master secret. (used only in client)
-            */
-            SECMODModuleID    masterModuleID;
-                                    /* what module wrapped the master secret */
-            CK_SLOT_ID        masterSlotID;
-            PRUint16          masterWrapIndex;
-                                /* what's the key index for the wrapping key */
-            PRUint16          masterWrapSeries;
-                                /* keep track of the slot series, so we don't 
-                                 * accidently try to use new keys after the 
-                                 * card gets removed and replaced.*/
+            /* The following values pertain to the slot that wrapped the
+            ** master secret. (used only in client)
+            */
+            SECMODModuleID masterModuleID;
+            /* what module wrapped the master secret */
+            CK_SLOT_ID masterSlotID;
+            PRUint16 masterWrapIndex;
+            /* what's the key index for the wrapping key */
+            PRUint16 masterWrapSeries;
+            /* keep track of the slot series, so we don't
+             * accidently try to use new keys after the
+             * card gets removed and replaced.*/
 
-            /* The following values pertain to the slot that did the signature
-            ** for client auth.   (used only in client)
-            */
-            SECMODModuleID    clAuthModuleID;
-            CK_SLOT_ID        clAuthSlotID;
-            PRUint16          clAuthSeries;
+            /* The following values pertain to the slot that did the signature
+            ** for client auth.   (used only in client)
+            */
+            SECMODModuleID clAuthModuleID;
+            CK_SLOT_ID clAuthSlotID;
+            PRUint16 clAuthSeries;
 
-            char              masterValid;
-            char              clAuthValid;
+            char masterValid;
+            char clAuthValid;
 
-            SECItem           srvName;
+            SECItem srvName;
 
             /* originalHandshakeHash contains the hash of the original, full
              * handshake prior to the server's final flow. This is either a
              * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for
              * TLS 1.2). This is recorded and used only when ChannelID is
              * negotiated as it's used to bind the ChannelID signature on the
              * resumption handshake to the original handshake. */
-            SECItem           originalHandshakeHash;
+            SECItem originalHandshakeHash;
 
-            /* Signed certificate timestamps received in a TLS extension.
-            ** (used only in client).
-            */
-            SECItem           signedCertTimestamps;
+            /* Signed certificate timestamps received in a TLS extension.
+            ** (used only in client).
+            */
+            SECItem signedCertTimestamps;
 
-            /* This lock is lazily initialized by CacheSID when a sid is first
-             * cached. Before then, there is no need to lock anything because
-             * the sid isn't being shared by anything.
-             */
-            NSSRWLock *lock;
+            /* This lock is lazily initialized by CacheSID when a sid is first
+             * cached. Before then, there is no need to lock anything because
+             * the sid isn't being shared by anything.
+             */
+            PRRWLock *lock;
 
-            /* The lock must be held while reading or writing these members
-             * because they change while the sid is cached.
-             */
-            struct {
-                /* The session ticket, if we have one, is sent as an extension
-                 * in the ClientHello message. This field is used only by
-                 * clients. It is protected by lock when lock is non-null
-                 * (after the sid has been added to the client session cache).
-                 */
-                NewSessionTicket sessionTicket;
-            } locked;
-        } ssl3;
+            /* The lock must be held while reading or writing these members
+             * because they change while the sid is cached.
+             */
+            struct {
+                /* The session ticket, if we have one, is sent as an extension
+                 * in the ClientHello message. This field is used only by
+                 * clients. It is protected by lock when lock is non-null
+                 * (after the sid has been added to the client session cache).
+                 */
+                NewSessionTicket sessionTicket;
+            } locked;
+        } ssl3;
     } u;
 };
 
 typedef struct ssl3CipherSuiteDefStr {
-    ssl3CipherSuite          cipher_suite;
-    SSL3BulkCipher           bulk_cipher_alg;
-    SSL3MACAlgorithm         mac_alg;
+    ssl3CipherSuite cipher_suite;
+    SSL3BulkCipher bulk_cipher_alg;
+    SSL3MACAlgorithm mac_alg;
     SSL3KeyExchangeAlgorithm key_exchange_alg;
 } ssl3CipherSuiteDef;
 
 /*
 ** There are tables of these, all const.
 */
 typedef struct {
     SSL3KeyExchangeAlgorithm kea;
-    SSL3KEAType              exchKeyType;
-    SSL3SignType             signKeyType;
+    SSL3KEAType exchKeyType;
+    SSLSignType signKeyType;
     /* For export cipher suites:
      * is_limited identifies a suite as having a limit on the key size.
      * key_size_limit provides the corresponding limit. */
-    PRBool                   is_limited;
+    PRBool is_limited;
     unsigned int key_size_limit;
-    PRBool                   tls_keygen;
+    PRBool tls_keygen;
     /* True if the key exchange for the suite is ephemeral.  Or to be more
      * precise: true if the ServerKeyExchange message is always required. */
-    PRBool                   ephemeral;
+    PRBool ephemeral;
+    /* An OID describing the key exchange */
+    SECOidTag oid;
 } ssl3KEADef;
 
 /*
 ** There are tables of these, all const.
 */
 struct ssl3BulkCipherDefStr {
-    SSL3BulkCipher  cipher;
+    SSL3BulkCipher cipher;
     SSLCipherAlgorithm calg;
-    int             key_size;
-    int             secret_key_size;
-    CipherType      type;
-    int             iv_size;
-    int             block_size;
-    int             tag_size;  /* authentication tag size for AEAD ciphers. */
-    int             explicit_nonce_size;               /* for AEAD ciphers. */
+    int key_size;
+    int secret_key_size;
+    CipherType type;
+    int iv_size;
+    int block_size;
+    int tag_size;            /* authentication tag size for AEAD ciphers. */
+    int explicit_nonce_size; /* for AEAD ciphers. */
+    SECOidTag oid;
 };
 
 /*
 ** There are tables of these, all const.
 */
 struct ssl3MACDefStr {
     SSL3MACAlgorithm mac;
     CK_MECHANISM_TYPE mmech;
-    int              pad_size;
-    int              mac_size;
+    int pad_size;
+    int mac_size;
+    SECOidTag oid;
 };
 
 typedef enum {
-    wait_client_hello, 
-    wait_client_cert, 
+    wait_client_hello,
+    wait_client_cert,
     wait_client_key,
-    wait_cert_verify, 
-    wait_change_cipher, 
+    wait_cert_verify,
+    wait_change_cipher,
     wait_finished,
-    wait_server_hello, 
+    wait_server_hello,
     wait_certificate_status,
-    wait_server_cert, 
+    wait_server_cert,
     wait_server_key,
-    wait_cert_request, 
+    wait_cert_request,
     wait_hello_done,
     wait_new_session_ticket,
-    idle_handshake
+    wait_encrypted_extensions,
+    idle_handshake,
+    wait_invalid /* Invalid value. There is no handshake message "invalid". */
 } SSL3WaitState;
 
 /*
  * TLS extension related constants and data structures.
  */
-typedef struct TLSExtensionDataStr       TLSExtensionData;
-typedef struct SessionTicketDataStr      SessionTicketData;
+typedef struct TLSExtensionDataStr TLSExtensionData;
+typedef struct SessionTicketDataStr SessionTicketData;
 
 struct TLSExtensionDataStr {
     /* registered callbacks that send server hello extensions */
-    ssl3HelloExtensionSender serverSenders[SSL_MAX_EXTENSIONS];
+    ssl3HelloExtensionSender serverHelloSenders[SSL_MAX_EXTENSIONS];
+    ssl3HelloExtensionSender encryptedExtensionsSenders[SSL_MAX_EXTENSIONS];
+
     /* Keep track of the extensions that are negotiated. */
     PRUint16 numAdvertised;
     PRUint16 numNegotiated;
     PRUint16 advertised[SSL_MAX_EXTENSIONS];
     PRUint16 negotiated[SSL_MAX_EXTENSIONS];
 
     /* SessionTicket Extension related data. */
     PRBool ticketTimestampVerified;
     PRBool emptySessionTicket;
     PRBool sentSessionTicketInClientHello;
@@ skipping 24 matching lines @@
 ** A DTLS queued message (potentially to be retransmitted)
 */
 typedef struct DTLSQueuedMessageStr {
     PRCList link;         /* The linked list link */
     DTLSEpoch epoch;      /* The epoch to use */
     SSL3ContentType type; /* The message type */
     unsigned char *data;  /* The data */
     PRUint16 len;         /* The data length */
 } DTLSQueuedMessage;
 
+typedef struct TLS13KeyShareEntryStr {
+    PRCList link;         /* The linked list link */
+    PRUint16 group;       /* The group for the entry */
+    SECItem key_exchange; /* The share itself */
+} TLS13KeyShareEntry;
+
 typedef enum {
     handshake_hash_unknown = 0,
-    handshake_hash_combo = 1,  /* The MD5/SHA-1 combination */
-    handshake_hash_single = 2  /* A single hash */
+    handshake_hash_combo = 1, /* The MD5/SHA-1 combination */
+    handshake_hash_single = 2 /* A single hash */
 } SSL3HandshakeHashType;
 
 /*
 ** This is the "hs" member of the "ssl3" struct.
 ** This entire struct is protected by ssl3HandshakeLock
 */
 typedef struct SSL3HandshakeStateStr {
-    SSL3Random            server_random;
-    SSL3Random            client_random;
-    SSL3WaitState         ws;
+    SSL3Random server_random;
+    SSL3Random client_random;
+    SSL3WaitState ws; /* May also contain SSL3WaitState | 0x80 for TLS 1.3 */
 
     /* This group of members is used for handshake running hashes. */
     SSL3HandshakeHashType hashType;
-    sslBuffer             messages;    /* Accumulated handshake messages */
+    sslBuffer messages; /* Accumulated handshake messages */
 #ifndef NO_PKCS11_BYPASS
     /* Bypass mode:
      * SSL 3.0 - TLS 1.1 use both |md5_cx| and |sha_cx|. |md5_cx| is used for
      * MD5 and |sha_cx| for SHA-1.
      * TLS 1.2 and later use only |sha_cx|, for SHA-256. NOTE: When we support
      * SHA-384, increase MAX_MAC_CONTEXT_BYTES to 712. */
-    PRUint64              md5_cx[MAX_MAC_CONTEXT_LLONGS];
-    PRUint64              sha_cx[MAX_MAC_CONTEXT_LLONGS];
-    const SECHashObject * sha_obj;
+    PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
+    PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
+    const SECHashObject *sha_obj;
     /* The function prototype of sha_obj->clone() does not match the prototype
      * of the freebl <HASH>_Clone functions, so we need a dedicated function
      * pointer for the <HASH>_Clone function. */
     void (*sha_clone)(void *dest, void *src);
 #endif
     /* PKCS #11 mode:
      * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
      * |sha| for SHA-1.
      * TLS 1.2 and later use only |sha|, for SHA-256. */
     /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup
      * handshake hash for generating client auth signatures. Confusingly, the
      * backup hash function is SHA-1. */
 #define backupHash md5
-    PK11Context *         md5;
-    PK11Context *         sha;
+    PK11Context *md5;
+    PK11Context *sha;
 
-const ssl3KEADef *        kea_def;
-    ssl3CipherSuite       cipher_suite;
-const ssl3CipherSuiteDef *suite_def;
-    SSLCompressionMethod  compression;
-    sslBuffer             msg_body;    /* protected by recvBufLock */
-                               /* partial handshake message from record layer */
-    unsigned int          header_bytes; 
-                               /* number of bytes consumed from handshake */
-                               /* message for message type and header length */
-    SSL3HandshakeType     msg_type;
-    unsigned long         msg_len;
-    SECItem               ca_list;     /* used only by client */
-    PRBool                isResuming;  /* are we resuming a session */
-    PRBool                usedStepDownKey;  /* we did a server key exchange. */
-    PRBool                sendingSCSV; /* instead of empty RI */
-    sslBuffer             msgState;    /* current state for handshake messages*/
-                                       /* protected by recvBufLock */
+    const ssl3KEADef *kea_def;
+    ssl3CipherSuite cipher_suite;
+    const ssl3CipherSuiteDef *suite_def;
+    SSLCompressionMethod compression;
+    sslBuffer msg_body; /* protected by recvBufLock */
+                        /* partial handshake message from record layer */
+    unsigned int header_bytes;
+    /* number of bytes consumed from handshake */
+    /* message for message type and header length */
+    SSL3HandshakeType msg_type;
+    unsigned long msg_len;
+    SECItem ca_list;        /* used only by client */
+    PRBool isResuming;      /* are we resuming a session */
+    PRBool usedStepDownKey; /* we did a server key exchange. */
+    PRBool sendingSCSV;     /* instead of empty RI */
+    sslBuffer msgState;     /* current state for handshake messages*/
+                            /* protected by recvBufLock */
 
     /* The session ticket received in a NewSessionTicket message is temporarily
      * stored in newSessionTicket until the handshake is finished; then it is
      * moved to the sid.
      */
-    PRBool                receivedNewSessionTicket;
-    NewSessionTicket      newSessionTicket;
+    PRBool receivedNewSessionTicket;
+    NewSessionTicket newSessionTicket;
 
-    PRUint16              finishedBytes; /* size of single finished below */
+    PRUint16 finishedBytes; /* size of single finished below */
     union {
-        TLSFinished       tFinished[2]; /* client, then server */
-        SSL3Finished      sFinished[2];
-        SSL3Opaque        data[72];
-    }                     finishedMsgs;
+        TLSFinished tFinished[2]; /* client, then server */
+        SSL3Finished sFinished[2];
+        SSL3Opaque data[72];
+    } finishedMsgs;
 #ifndef NSS_DISABLE_ECC
-    PRUint32              negotiatedECCurves; /* bit mask */
-#endif /* NSS_DISABLE_ECC */
+    PRUint32 negotiatedECCurves; /* bit mask */
+#endif                           /* NSS_DISABLE_ECC */
 
-    PRBool                authCertificatePending;
+    PRBool authCertificatePending;
     /* Which function should SSL_RestartHandshake* call if we're blocked?
      * One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake,
      * or ssl3_AlwaysFail */
-    sslRestartTarget      restartTarget;
+    sslRestartTarget restartTarget;
     /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
-    PRBool                cacheSID;
+    PRBool cacheSID;
 
-    PRBool                canFalseStart;   /* Can/did we False Start */
+    PRBool canFalseStart; /* Can/did we False Start */
     /* Which preliminaryinfo values have been set. */
-    PRUint32              preliminaryInfo;
+    PRUint32 preliminaryInfo;
 
     /* clientSigAndHash contains the contents of the signature_algorithms
      * extension (if any) from the client. This is only valid for TLS 1.2
      * or later. */
     SSLSignatureAndHashAlg *clientSigAndHash;
     unsigned int numClientSigAndHash;
 
     /* This group of values is used for DTLS */
-    PRUint16              sendMessageSeq;  /* The sending message sequence
-                                            * number */
-    PRCList               lastMessageFlight; /* The last message flight we
-                                              * sent */
-    PRUint16              maxMessageSent;    /* The largest message we sent */
-    PRUint16              recvMessageSeq;  /* The receiving message sequence
-                                            * number */
-    sslBuffer             recvdFragments;  /* The fragments we have received in
-                                            * a bitmask */
-    PRInt32               recvdHighWater;  /* The high water mark for fragments
-                                            * received. -1 means no reassembly
-                                            * in progress. */
-    unsigned char         cookie[32];      /* The cookie */
-    unsigned char         cookieLen;       /* The length of the cookie */
-    PRIntervalTime        rtTimerStarted;  /* When the timer was started */
-    DTLSTimerCb           rtTimerCb;       /* The function to call on expiry */
-    PRUint32              rtTimeoutMs;     /* The length of the current timeout
-                                            * used for backoff (in ms) */
-    PRUint32              rtRetries;       /* The retry counter */
+    PRUint16 sendMessageSeq;       /* The sending message sequence
+                                    * number */
+    PRCList lastMessageFlight;     /* The last message flight we
+                                    * sent */
+    PRUint16 maxMessageSent;       /* The largest message we sent */
+    PRUint16 recvMessageSeq;       /* The receiving message sequence
+                                    * number */
+    sslBuffer recvdFragments;      /* The fragments we have received in
+                                    * a bitmask */
+    PRInt32 recvdHighWater;        /* The high water mark for fragments
+                                    * received. -1 means no reassembly
+                                    * in progress. */
+    unsigned char cookie[32];      /* The cookie */
+    unsigned char cookieLen;       /* The length of the cookie */
+    PRIntervalTime rtTimerStarted; /* When the timer was started */
+    DTLSTimerCb rtTimerCb;         /* The function to call on expiry */
+    PRUint32 rtTimeoutMs;          /* The length of the current timeout
+                                    * used for backoff (in ms) */
+    PRUint32 rtRetries;            /* The retry counter */
+
+    /* This group of values is used for TLS 1.3 and above */
+    PRCList remoteKeyShares;           /* The other side's public keys */
+    PK11SymKey *xSS;                   /* Extracted static secret */
+    PK11SymKey *xES;                   /* Extracted ephemeral secret */
+    PK11SymKey *trafficSecret;         /* The source key to use to generate
+                                        * traffic keys */
+    PK11SymKey *clientFinishedSecret;  /* Used for client Finished */
+    PK11SymKey *serverFinishedSecret;  /* Used for server Finished */
+    unsigned char certReqContext[255]; /* Ties CertificateRequest
+                                        * to Certificate */
+    PRUint8 certReqContextLen;         /* Length of the context
+                                        * cannot be greater than 255. */
 } SSL3HandshakeState;
 
-
-
 /*
 ** This is the "ssl3" struct, as in "ss->ssl3".
 ** note:
-** usually,   crSpec == cwSpec and prSpec == pwSpec.  
+** usually,   crSpec == cwSpec and prSpec == pwSpec.
 ** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
-** But there are never more than 2 actual specs.  
+** But there are never more than 2 actual specs.
 ** No spec must ever be modified if either "current" pointer points to it.
 */
 struct ssl3StateStr {
 
     /*
-    ** The following Specs and Spec pointers must be protected using the 
+    ** The following Specs and Spec pointers must be protected using the
     ** Spec Lock.
     */
-    ssl3CipherSpec *     crSpec;        /* current read spec. */
-    ssl3CipherSpec *     prSpec;        /* pending read spec. */
-    ssl3CipherSpec *     cwSpec;        /* current write spec. */
-    ssl3CipherSpec *     pwSpec;        /* pending write spec. */
+    ssl3CipherSpec *crSpec; /* current read spec. */
+    ssl3CipherSpec *prSpec; /* pending read spec. */
+    ssl3CipherSpec *cwSpec; /* current write spec. */
+    ssl3CipherSpec *pwSpec; /* pending write spec. */
 
-    CERTCertificate *    clientCertificate;  /* used by client */
-    SECKEYPrivateKey *   clientPrivateKey;   /* used by client */
-    /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not
-     * defined in order to allow cleaner conditional code.
-     * At most one of clientPrivateKey and platformClientKey may be set. */
-    PlatformKey          platformClientKey;  /* used by client */
-    CERTCertificateList *clientCertChain;    /* used by client */
-    PRBool               sendEmptyCert;      /* used by client */
+    CERTCertificate *clientCertificate;   /* used by client */
+    SECKEYPrivateKey *clientPrivateKey;   /* used by client */
+    CERTCertificateList *clientCertChain; /* used by client */
+    PRBool sendEmptyCert;                 /* used by client */
 
-    SECKEYPrivateKey    *channelID;          /* used by client */
-    SECKEYPublicKey     *channelIDPub;       /* used by client */
+    SECKEYPrivateKey *channelID;   /* used by client */
+    SECKEYPublicKey *channelIDPub; /* used by client */
 
-    int                  policy;
-                        /* This says what cipher suites we can do, and should 
-                         * be either SSL_ALLOWED or SSL_RESTRICTED 
-                         */
-    PLArenaPool *        peerCertArena;
-                            /* These are used to keep track of the peer CA */
-    void *               peerCertChain;     
-                            /* chain while we are trying to validate it.   */
-    CERTDistNames *      ca_list; 
-                            /* used by server.  trusted CAs for this socket. */
-    PRBool               initialized;
-    SSL3HandshakeState   hs;
-    ssl3CipherSpec       specs[2];      /* one is current, one is pending. */
+    int policy;
+    /* This says what cipher suites we can do, and should
+     * be either SSL_ALLOWED or SSL_RESTRICTED
+     */
+    PLArenaPool *peerCertArena;
+    /* These are used to keep track of the peer CA */
+    void *peerCertChain;
+    /* chain while we are trying to validate it.   */
+    CERTDistNames *ca_list;
+    /* used by server.  trusted CAs for this socket. */
+    PRBool initialized;
+    SSL3HandshakeState hs;
+    ssl3CipherSpec specs[2]; /* one is current, one is pending. */
 
     /* In a client: if the server supports Next Protocol Negotiation, then
      * this is the protocol that was negotiated.
      */
-    SECItem              nextProto;
-    SSLNextProtoState    nextProtoState;
+    SECItem nextProto;
+    SSLNextProtoState nextProtoState;
 
-    PRUint16             mtu;   /* Our estimate of the MTU */
+    PRUint16 mtu; /* Our estimate of the MTU */
 
     /* DTLS-SRTP cipher suite preferences (if any) */
-    PRUint16             dtlsSRTPCiphers[MAX_DTLS_SRTP_CIPHER_SUITES];
-    PRUint16             dtlsSRTPCipherCount;
-    PRUint16             dtlsSRTPCipherSuite;   /* 0 if not selected */
-    PRBool               fatalAlertSent;
-    PRUint16             numDHEGroups;        /* used by server */
-    SSLDHEGroupType *    dheGroups;           /* used by server */
-    PRBool               dheWeakGroupEnabled; /* used by server */
+    PRUint16 dtlsSRTPCiphers[MAX_DTLS_SRTP_CIPHER_SUITES];
+    PRUint16 dtlsSRTPCipherCount;
+    PRUint16 dtlsSRTPCipherSuite; /* 0 if not selected */
+    PRBool fatalAlertSent;
+    PRUint16 numDHEGroups;      /* used by server */
+    SSLDHEGroupType *dheGroups; /* used by server */
+    PRBool dheWeakGroupEnabled; /* used by server */
 
     /* TLS 1.2 introduces separate signature algorithm negotiation.
      * This is our preference order. */
     SSLSignatureAndHashAlg signatureAlgorithms[MAX_SIGNATURE_ALGORITHMS];
     unsigned int signatureAlgorithmCount;
+
+    /* The version to check if we fell back from our highest version
+     * of TLS. Default is 0 in which case we check against the maximum
+     * configured version for this socket. Used only on the client. */
+    SSL3ProtocolVersion downgradeCheckVersion;
 };
 
-#define DTLS_MAX_MTU  1500U     /* Ethernet MTU but without subtracting the
-                                 * headers, so slightly larger than expected */
+/* Ethernet MTU but without subtracting the headers,
+ * so slightly larger than expected */
+#define DTLS_MAX_MTU 1500U
 #define IS_DTLS(ss) (ss->protocolVariant == ssl_variant_datagram)
 
 typedef struct {
-    SSL3ContentType      type;
-    SSL3ProtocolVersion  version;
-    SSL3SequenceNumber   seq_num;  /* DTLS only */
-    sslBuffer *          buf;
+    SSL3ContentType type;
+    SSL3ProtocolVersion version;
+    SSL3SequenceNumber seq_num; /* DTLS only */
+    sslBuffer *buf;
 } SSL3Ciphertext;
 
 struct ssl3KeyPairStr {
-    SECKEYPrivateKey *    privKey;
-    SECKEYPublicKey *     pubKey;
-    PRInt32               refCount;     /* use PR_Atomic calls for this. */
+    SECKEYPrivateKey *privKey;
+    SECKEYPublicKey *pubKey;
+    PRInt32 refCount; /* use PR_Atomic calls for this. */
 };
 
 struct ssl3DHParamsStr {
     SECItem prime; /* p */
-    SECItem base; /* g */
+    SECItem base;  /* g */
 };
 
 typedef struct SSLWrappedSymWrappingKeyStr {
-    SSL3Opaque        wrappedSymmetricWrappingkey[512];
-    CK_MECHANISM_TYPE symWrapMechanism;  
-                    /* unwrapped symmetric wrapping key uses this mechanism */
-    CK_MECHANISM_TYPE asymWrapMechanism; 
-                    /* mechanism used to wrap the SymmetricWrappingKey using
-                     * server's public and/or private keys. */
-    SSL3KEAType       exchKeyType;   /* type of keys used to wrap SymWrapKey*/
-    PRInt32           symWrapMechIndex;
-    PRUint16          wrappedSymKeyLen;
+    SSL3Opaque wrappedSymmetricWrappingkey[512];
+    CK_MECHANISM_TYPE symWrapMechanism;
+    /* unwrapped symmetric wrapping key uses this mechanism */
+    CK_MECHANISM_TYPE asymWrapMechanism;
+    /* mechanism used to wrap the SymmetricWrappingKey using
+     * server's public and/or private keys. */
+    SSL3KEAType exchKeyType; /* type of keys used to wrap SymWrapKey*/
+    PRInt32 symWrapMechIndex;
+    PRUint16 wrappedSymKeyLen;
 } SSLWrappedSymWrappingKey;
 
 typedef struct SessionTicketStr {
-    PRUint16              ticket_version;
-    SSL3ProtocolVersion   ssl_version;
-    ssl3CipherSuite       cipher_suite;
-    SSLCompressionMethod  compression_method;
-    SSLSignType           authAlgorithm;
-    PRUint32              authKeyBits;
-    SSLKEAType            keaType;
-    PRUint32              keaKeyBits;
+    PRUint16 ticket_version;
+    SSL3ProtocolVersion ssl_version;
+    ssl3CipherSuite cipher_suite;
+    SSLCompressionMethod compression_method;
+    SSLSignType authAlgorithm;
+    PRUint32 authKeyBits;
+    SSLKEAType keaType;
+    PRUint32 keaKeyBits;
     /*
      * exchKeyType and msWrapMech contain meaningful values only if
      * ms_is_wrapped is true.
      */
-    PRUint8               ms_is_wrapped;
-    SSLKEAType            exchKeyType; /* XXX(wtc): same as keaType above? */
-    CK_MECHANISM_TYPE     msWrapMech;
-    PRUint16              ms_length;
-    SSL3Opaque            master_secret[48];
-    PRBool                extendedMasterSecretUsed;
-    ClientIdentity        client_identity;
-    SECItem               peer_cert;
-    PRUint32              timestamp;
-    SECItem               srvName; /* negotiated server name */
-}  SessionTicket;
+    PRUint8 ms_is_wrapped;
+    SSLKEAType exchKeyType; /* XXX(wtc): same as keaType above? */
+    CK_MECHANISM_TYPE msWrapMech;
+    PRUint16 ms_length;
+    SSL3Opaque master_secret[48];
+    PRBool extendedMasterSecretUsed;
+    ClientIdentity client_identity;
+    SECItem peer_cert;
+    PRUint32 timestamp;
+    SECItem srvName; /* negotiated server name */
+} SessionTicket;
 
 /*
  * SSL2 buffers used in SSL3.
  *     writeBuf in the SecurityInfo maintained by sslsecur.c is used
  *              to hold the data just about to be passed to the kernel
  *     sendBuf in the ConnectInfo maintained by sslcon.c is used
  *              to hold handshake messages as they are accumulated
  */
 
 /*
 ** This is "ci", as in "ss->sec.ci".
 **
-** Protection:  All the variables in here are protected by 
-** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock 
+** Protection:  All the variables in here are protected by
+** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock
 */
 struct sslConnectInfoStr {
     /* outgoing handshakes appended to this. */
-    sslBuffer       sendBuf;                    /*xmitBufLock*/ /* ssl 2 & 3 */
+    sslBuffer sendBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
 
-    PRIPv6Addr      peer;                                       /* ssl 2 & 3 */
-    unsigned short  port;                                       /* ssl 2 & 3 */
+    PRIPv6Addr peer;     /* ssl 2 & 3 */
+    unsigned short port; /* ssl 2 & 3 */
 
-    sslSessionID   *sid;                                        /* ssl 2 & 3 */
+    sslSessionID *sid; /* ssl 2 & 3 */
 
     /* see CIS_HAVE defines below for the bit values in *elements. */
-    char            elements;                                   /* ssl2 only */
-    char            requiredElements;                           /* ssl2 only */
-    char            sentElements;                               /* ssl2 only */
+    char elements;         /* ssl2 only */
+    char requiredElements; /* ssl2 only */
+    char sentElements;     /* ssl2 only */
 
-    char            sentFinished;                               /* ssl2 only */
+    char sentFinished; /* ssl2 only */
 
     /* Length of server challenge.  Used by client when saving challenge */
-    int             serverChallengeLen;                         /* ssl2 only */
+    int serverChallengeLen; /* ssl2 only */
     /* type of authentication requested by server */
-    unsigned char   authType;                                   /* ssl2 only */
+    unsigned char authType; /* ssl2 only */
 
     /* Challenge sent by client to server in client-hello message */
     /* SSL3 gets a copy of this.  See ssl3_StartHandshakeHash().  */
-    unsigned char   clientChallenge[SSL_MAX_CHALLENGE_BYTES];   /* ssl 2 & 3 */
+    unsigned char clientChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl 2 & 3 */
 
     /* Connection-id sent by server to client in server-hello message */
-    unsigned char   connectionID[SSL_CONNECTIONID_BYTES];       /* ssl2 only */
+    unsigned char connectionID[SSL_CONNECTIONID_BYTES]; /* ssl2 only */
 
     /* Challenge sent by server to client in request-certificate message */
-    unsigned char   serverChallenge[SSL_MAX_CHALLENGE_BYTES];   /* ssl2 only */
+    unsigned char serverChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl2 only */
 
     /* Information kept to handle a request-certificate message */
-    unsigned char   readKey[SSL_MAX_MASTER_KEY_BYTES];          /* ssl2 only */
-    unsigned char   writeKey[SSL_MAX_MASTER_KEY_BYTES];         /* ssl2 only */
-    unsigned        keySize;                                    /* ssl2 only */
+    unsigned char readKey[SSL_MAX_MASTER_KEY_BYTES];  /* ssl2 only */
+    unsigned char writeKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */
+    unsigned keySize;                                 /* ssl2 only */
 };
 
 /* bit values for ci->elements, ci->requiredElements, sentElements. */
-#define CIS_HAVE_MASTER_KEY             0x01
-#define CIS_HAVE_CERTIFICATE            0x02
-#define CIS_HAVE_FINISHED               0x04
-#define CIS_HAVE_VERIFY                 0x08
+#define CIS_HAVE_MASTER_KEY 0x01
+#define CIS_HAVE_CERTIFICATE 0x02
+#define CIS_HAVE_FINISHED 0x04
+#define CIS_HAVE_VERIFY 0x08
 
 /* Note: The entire content of this struct and whatever it points to gets
  * blown away by SSL_ResetHandshake().  This is "sec" as in "ss->sec".
  *
- * Unless otherwise specified below, the contents of this struct are 
+ * Unless otherwise specified below, the contents of this struct are
  * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock.
  */
 struct sslSecurityInfoStr {
-    sslSendFunc      send;                      /*xmitBufLock*/ /* ssl 2 & 3 */
-    int              isServer;                  /* Spec Lock?*/ /* ssl 2 & 3 */
-    sslBuffer        writeBuf;                  /*xmitBufLock*/ /* ssl 2 & 3 */
+    sslSendFunc send; /*xmitBufLock*/   /* ssl 2 & 3 */
+    int isServer; /* Spec Lock?*/       /* ssl 2 & 3 */
+    sslBuffer writeBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
 
-    int              cipherType;                                /* ssl 2 & 3 */
-    int              keyBits;                                   /* ssl 2 & 3 */
-    int              secretKeyBits;                             /* ssl 2 & 3 */
-    CERTCertificate *localCert;                                 /* ssl 2 & 3 */
-    CERTCertificate *peerCert;                                  /* ssl 2 & 3 */
-    SECKEYPublicKey *peerKey;                                   /* ssl3 only */
+    int cipherType;             /* ssl 2 & 3 */
+    int keyBits;                /* ssl 2 & 3 */
+    int secretKeyBits;          /* ssl 2 & 3 */
+    CERTCertificate *localCert; /* ssl 2 & 3 */
+    CERTCertificate *peerCert;  /* ssl 2 & 3 */
+    SECKEYPublicKey *peerKey;   /* ssl3 only */
 
-    SSLSignType      authAlgorithm;
-    PRUint32         authKeyBits;
-    SSLKEAType       keaType;
-    PRUint32         keaKeyBits;
+    SSLSignType authAlgorithm;
+    PRUint32 authKeyBits;
+    SSLKEAType keaType;
+    PRUint32 keaKeyBits;
 
     /*
-    ** Procs used for SID cache (nonce) management. 
-    ** Different implementations exist for clients/servers 
+    ** Procs used for SID cache (nonce) management.
+    ** Different implementations exist for clients/servers
     ** The lookup proc is only used for servers.  Baloney!
     */
-    sslSessionIDCacheFunc     cache;                            /* ssl 2 & 3 */
-    sslSessionIDUncacheFunc   uncache;                          /* ssl 2 & 3 */
+    sslSessionIDCacheFunc cache;     /* ssl 2 & 3 */
+    sslSessionIDUncacheFunc uncache; /* ssl 2 & 3 */
 
     /*
     ** everything below here is for ssl2 only.
-    ** This stuff is equivalent to SSL3's "spec", and is protected by the 
+    ** This stuff is equivalent to SSL3's "spec", and is protected by the
     ** same "Spec Lock" as used for SSL3's specs.
     */
-    PRUint32           sendSequence;            /*xmitBufLock*/ /* ssl2 only */
-    PRUint32           rcvSequence;             /*recvBufLock*/ /* ssl2 only */
+    PRUint32 sendSequence; /*xmitBufLock*/ /* ssl2 only */
+    PRUint32 rcvSequence; /*recvBufLock*/  /* ssl2 only */
 
     /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */
-    const SECHashObject   *hash;                /* Spec Lock */ /* ssl2 only */
-    void            *hashcx;                    /* Spec Lock */ /* ssl2 only */
+    const SECHashObject *hash; /* Spec Lock */ /* ssl2 only */
+    void *hashcx; /* Spec Lock */              /* ssl2 only */
 
-    SECItem          sendSecret;                /* Spec Lock */ /* ssl2 only */
-    SECItem          rcvSecret;                 /* Spec Lock */ /* ssl2 only */
+    SECItem sendSecret; /* Spec Lock */ /* ssl2 only */
+    SECItem rcvSecret; /* Spec Lock */  /* ssl2 only */
 
     /* Session cypher contexts; one for each direction */
-    void            *readcx;                    /* Spec Lock */ /* ssl2 only */
-    void            *writecx;                   /* Spec Lock */ /* ssl2 only */
-    SSLCipher        enc;                       /* Spec Lock */ /* ssl2 only */
-    SSLCipher        dec;                       /* Spec Lock */ /* ssl2 only */
-    void           (*destroy)(void *, PRBool);  /* Spec Lock */ /* ssl2 only */
+    void *readcx; /* Spec Lock */                    /* ssl2 only */
+    void *writecx; /* Spec Lock */                   /* ssl2 only */
+    SSLCipher enc; /* Spec Lock */                   /* ssl2 only */
+    SSLCipher dec; /* Spec Lock */                   /* ssl2 only */
+    void (*destroy)(void *, PRBool); /* Spec Lock */ /* ssl2 only */
 
     /* Blocking information for the session cypher */
-    int              blockShift;                /* Spec Lock */ /* ssl2 only */
-    int              blockSize;                 /* Spec Lock */ /* ssl2 only */
+    int blockShift; /* Spec Lock */ /* ssl2 only */
+    int blockSize; /* Spec Lock */  /* ssl2 only */
 
     /* These are used during a connection handshake */
-    sslConnectInfo   ci;                                        /* ssl 2 & 3 */
-
+    sslConnectInfo ci; /* ssl 2 & 3 */
 };
 
 /*
 ** SSL Socket struct
 **
 ** Protection:  XXX
 */
 struct sslSocketStr {
-    PRFileDesc *        fd;
+    PRFileDesc *fd;
 
     /* Pointer to operations vector for this socket */
-    const sslSocketOps * ops;
+    const sslSocketOps *ops;
 
     /* SSL socket options */
-    sslOptions       opt;
+    sslOptions opt;
     /* Enabled version range */
-    SSLVersionRange  vrange;
+    SSLVersionRange vrange;
 
     /* State flags */
-    unsigned long    clientAuthRequested;
-    unsigned long    delayDisabled;       /* Nagle delay disabled */
-    unsigned long    firstHsDone;         /* first handshake is complete. */
-    unsigned long    enoughFirstHsDone;   /* enough of the first handshake is
-                                           * done for callbacks to be able to
-                                           * retrieve channel security
-                                           * parameters from the SSL socket. */
-    unsigned long    handshakeBegun;     
-    unsigned long    lastWriteBlocked;   
-    unsigned long    recvdCloseNotify;    /* received SSL EOF. */
-    unsigned long    TCPconnected;       
-    unsigned long    appDataBuffered;
-    unsigned long    peerRequestedProtection; /* from old renegotiation */
+    unsigned long clientAuthRequested;
+    unsigned long delayDisabled;     /* Nagle delay disabled */
+    unsigned long firstHsDone;       /* first handshake is complete. */
+    unsigned long enoughFirstHsDone; /* enough of the first handshake is
+                                      * done for callbacks to be able to
+                                      * retrieve channel security
+                                      * parameters from the SSL socket. */
+    unsigned long handshakeBegun;
+    unsigned long lastWriteBlocked;
+    unsigned long recvdCloseNotify; /* received SSL EOF. */
+    unsigned long TCPconnected;
+    unsigned long appDataBuffered;
+    unsigned long peerRequestedProtection; /* from old renegotiation */
 
     /* version of the protocol to use */
     SSL3ProtocolVersion version;
     SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */
 
-    sslSecurityInfo  sec;               /* not a pointer any more */
+    sslSecurityInfo sec; /* not a pointer any more */
 
     /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */
-    const char      *url;                               /* ssl 2 & 3 */
+    const char *url; /* ssl 2 & 3 */
 
-    sslHandshakeFunc handshake;                         /*firstHandshakeLock*/
-    sslHandshakeFunc nextHandshake;                     /*firstHandshakeLock*/
-    sslHandshakeFunc securityHandshake;                 /*firstHandshakeLock*/
+    sslHandshakeFunc handshake;         /*firstHandshakeLock*/
+    sslHandshakeFunc nextHandshake;     /*firstHandshakeLock*/
+    sslHandshakeFunc securityHandshake; /*firstHandshakeLock*/
 
     /* the following variable is only used with socks or other proxies. */
-    char *           peerID;    /* String uniquely identifies target server. */
+    char *peerID; /* String uniquely identifies target server. */
 
-    unsigned char *  cipherSpecs;
-    unsigned int     sizeCipherSpecs;
-const unsigned char *  preferredCipher;
+    unsigned char *cipherSpecs;
+    unsigned int sizeCipherSpecs;
+    const unsigned char *preferredCipher;
 
     /* TLS ClientCertificateTypes requested during HandleCertificateRequest. */
     /* Will be NULL at all other times. */
-    const SECItem      *requestedCertTypes;
+    const SECItem *requestedCertTypes;
 
-    ssl3KeyPair *         stepDownKeyPair;      /* RSA step down keys */
+    ssl3KeyPair *stepDownKeyPair; /* RSA step down keys */
 
-    const ssl3DHParams *dheParams;          /* DHE param */
-    ssl3KeyPair *       dheKeyPair;         /* DHE keys */
+    const ssl3DHParams *dheParams; /* DHE param */
+    ssl3KeyPair *dheKeyPair;       /* DHE keys */
 
     /* Callbacks */
-    SSLAuthCertificate        authCertificate;
-    void                     *authCertificateArg;
-    SSLGetClientAuthData      getClientAuthData;
-    void                     *getClientAuthDataArg;
-#ifdef NSS_PLATFORM_CLIENT_AUTH
-    SSLGetPlatformClientAuthData getPlatformClientAuthData;
-    void                        *getPlatformClientAuthDataArg;
-#endif  /* NSS_PLATFORM_CLIENT_AUTH */
-    SSLSNISocketConfig        sniSocketConfig;
-    void                     *sniSocketConfigArg;
-    SSLBadCertHandler         handleBadCert;
-    void                     *badCertArg;
-    SSLHandshakeCallback      handshakeCallback;
-    void                     *handshakeCallbackData;
-    SSLCanFalseStartCallback  canFalseStartCallback;
-    void                     *canFalseStartCallbackData;
-    void                     *pkcs11PinArg;
-    SSLNextProtoCallback      nextProtoCallback;
-    void                     *nextProtoArg;
+    SSLAuthCertificate authCertificate;
+    void *authCertificateArg;
+    SSLGetClientAuthData getClientAuthData;
+    void *getClientAuthDataArg;
+    SSLSNISocketConfig sniSocketConfig;
+    void *sniSocketConfigArg;
+    SSLBadCertHandler handleBadCert;
+    void *badCertArg;
+    SSLHandshakeCallback handshakeCallback;
+    void *handshakeCallbackData;
+    SSLCanFalseStartCallback canFalseStartCallback;
+    void *canFalseStartCallbackData;
+    void *pkcs11PinArg;
+    SSLNextProtoCallback nextProtoCallback;
+    void *nextProtoArg;
+
     SSLClientChannelIDCallback getChannelID;
-    void                     *getChannelIDArg;
+    void *getChannelIDArg;
 
-    PRIntervalTime            rTimeout; /* timeout for NSPR I/O */
-    PRIntervalTime            wTimeout; /* timeout for NSPR I/O */
-    PRIntervalTime            cTimeout; /* timeout for NSPR I/O */
+    PRIntervalTime rTimeout; /* timeout for NSPR I/O */
+    PRIntervalTime wTimeout; /* timeout for NSPR I/O */
+    PRIntervalTime cTimeout; /* timeout for NSPR I/O */
 
-    PZLock *      recvLock;     /* lock against multiple reader threads. */
-    PZLock *      sendLock;     /* lock against multiple sender threads. */
+    PZLock *recvLock; /* lock against multiple reader threads. */
+    PZLock *sendLock; /* lock against multiple sender threads. */
 
-    PZMonitor *   recvBufLock;  /* locks low level recv buffers. */
-    PZMonitor *   xmitBufLock;  /* locks low level xmit buffers. */
+    PZMonitor *recvBufLock; /* locks low level recv buffers. */
+    PZMonitor *xmitBufLock; /* locks low level xmit buffers. */
 
     /* Only one thread may operate on the socket until the initial handshake
     ** is complete.  This Monitor ensures that.  Since SSL2 handshake is
     ** only done once, this is also effectively the SSL2 handshake lock.
     */
-    PZMonitor *   firstHandshakeLock; 
+    PZMonitor *firstHandshakeLock;
 
     /* This monitor protects the ssl3 handshake state machine data.
     ** Only one thread (reader or writer) may be in the ssl3 handshake state
     ** machine at any time.  */
-    PZMonitor *   ssl3HandshakeLock;
+    PZMonitor *ssl3HandshakeLock;
 
     /* reader/writer lock, protects the secret data needed to encrypt and MAC
-    ** outgoing records, and to decrypt and MAC check incoming ciphertext 
+    ** outgoing records, and to decrypt and MAC check incoming ciphertext
     ** records.  */
-    NSSRWLock *   specLock;
+    NSSRWLock *specLock;
 
-    /* handle to perm cert db (and implicitly to the temp cert db) used 
-    ** with this socket. 
+    /* handle to perm cert db (and implicitly to the temp cert db) used
+    ** with this socket.
     */
-    CERTCertDBHandle * dbHandle;
+    CERTCertDBHandle *dbHandle;
 
-    PRThread *  writerThread;   /* thread holds SSL_LOCK_WRITER lock */
+    PRThread *writerThread; /* thread holds SSL_LOCK_WRITER lock */
 
-    PRUint16    shutdownHow;    /* See ssl_SHUTDOWN defines below. */
+    PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */
 
-    PRUint16    allowedByPolicy;          /* copy of global policy bits. */
-    PRUint16    maybeAllowedByPolicy;     /* copy of global policy bits. */
-    PRUint16    chosenPreference;         /* SSL2 cipher preferences. */
+    PRUint16 allowedByPolicy;      /* copy of global policy bits. */
+    PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */
+    PRUint16 chosenPreference;     /* SSL2 cipher preferences. */
 
     sslHandshakingType handshaking;
 
     /* Gather object used for gathering data */
-    sslGather        gs;                                /*recvBufLock*/
+    sslGather gs; /*recvBufLock*/
 
-    sslBuffer        saveBuf;                           /*xmitBufLock*/
-    sslBuffer        pendingBuf;                        /*xmitBufLock*/
+    sslBuffer saveBuf;    /*xmitBufLock*/
+    sslBuffer pendingBuf; /*xmitBufLock*/
 
     /* Configuration state for server sockets */
     /* server cert and key for each KEA type */
-    sslServerCerts        serverCerts[kt_kea_size];
+    sslServerCerts serverCerts[kt_kea_size];
     /* each cert needs its own status */
-    SECItemArray *        certStatusArray[kt_kea_size];
+    SECItemArray *certStatusArray[kt_kea_size];
+    /* Serialized signed certificate timestamps to be sent to the client
+    ** in a TLS extension (server only). Each certificate needs its own
+    ** timestamps item.
+    */
+    SECItem signedCertTimestamps[kt_kea_size];
 
     ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];
-    ssl3KeyPair *         ephemeralECDHKeyPair; /* for ECDHE-* handshake */
+    ssl3KeyPair *ephemeralECDHKeyPair; /* for ECDHE-* handshake */
 
     /* SSL3 state info.  Formerly was a pointer */
-    ssl3State        ssl3;
+    ssl3State ssl3;
 
     /*
      * TLS extension related data.
      */
     /* True when the current session is a stateless resume. */
-    PRBool               statelessResume;
-    TLSExtensionData     xtnData;
+    PRBool statelessResume;
+    TLSExtensionData xtnData;
 
     /* Whether we are doing stream or datagram mode */
-    SSLProtocolVariant   protocolVariant;
+    SSLProtocolVariant protocolVariant;
 };
 
-
-
-/* All the global data items declared here should be protected using the 
+/* All the global data items declared here should be protected using the
 ** ssl_global_data_lock, which is a reader/writer lock.
 */
-extern NSSRWLock *             ssl_global_data_lock;
-extern char                    ssl_debug;
-extern char                    ssl_trace;
-extern FILE *                  ssl_trace_iob;
-extern FILE *                  ssl_keylog_iob;
-extern CERTDistNames *         ssl3_server_ca_list;
-extern PRUint32                ssl_sid_timeout;
-extern PRUint32                ssl3_sid_timeout;
+extern NSSRWLock *ssl_global_data_lock;
+extern char ssl_debug;
+extern char ssl_trace;
+extern FILE *ssl_trace_iob;
+extern FILE *ssl_keylog_iob;
+extern CERTDistNames *ssl3_server_ca_list;
+extern PRUint32 ssl_sid_timeout;
+extern PRUint32 ssl3_sid_timeout;
 
-extern const char * const      ssl_cipherName[];
-extern const char * const      ssl3_cipherName[];
+extern const char *const ssl_cipherName[];
+extern const char *const ssl3_cipherName[];
 
-extern sslSessionIDLookupFunc  ssl_sid_lookup;
-extern sslSessionIDCacheFunc   ssl_sid_cache;
+extern sslSessionIDLookupFunc ssl_sid_lookup;
+extern sslSessionIDCacheFunc ssl_sid_cache;
 extern sslSessionIDUncacheFunc ssl_sid_uncache;
 
 /************************************************************************/
 
 SEC_BEGIN_PROTOS
 
-/* Functions for handling SECItemArrays, added in NSS 3.15 */
-extern SECItemArray *SECITEM_AllocArray(PLArenaPool *arena,
-                                        SECItemArray *array,
-                                        unsigned int len);
-extern SECItemArray *SECITEM_DupArray(PLArenaPool *arena,
-                                      const SECItemArray *from);
-extern void SECITEM_FreeArray(SECItemArray *array, PRBool freeit);
-extern void SECITEM_ZfreeArray(SECItemArray *array, PRBool freeit);
-
 /* Internal initialization and installation of the SSL error tables */
 extern SECStatus ssl_Init(void);
 extern SECStatus ssl_InitializePRErrorTable(void);
 
 /* Implementation of ops for default (non socks, non secure) case */
 extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr);
 extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr);
 extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr);
 extern int ssl_DefListen(sslSocket *ss, int backlog);
 extern int ssl_DefShutdown(sslSocket *ss, int how);
 extern int ssl_DefClose(sslSocket *ss);
 extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
 extern int ssl_DefSend(sslSocket *ss, const unsigned char *buf,
-                       int len, int flags);
+                       int len, int flags);
 extern int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len);
 extern int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len);
 extern int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name);
 extern int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name);
 extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname,
-                             void *optval, PRInt32 *optlen);
+                             void *optval, PRInt32 *optlen);
 extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname,
-                             const void *optval, PRInt32 optlen);
+                             const void *optval, PRInt32 optlen);
 
 /* Implementation of ops for socks only case */
 extern int ssl_SocksConnect(sslSocket *ss, const PRNetAddr *addr);
 extern PRFileDesc *ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr);
 extern int ssl_SocksBind(sslSocket *ss, const PRNetAddr *addr);
 extern int ssl_SocksListen(sslSocket *ss, int backlog);
 extern int ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name);
 extern int ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
 extern int ssl_SocksSend(sslSocket *ss, const unsigned char *buf,
-                         int len, int flags);
+                         int len, int flags);
 extern int ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len);
 extern int ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len);
 
 /* Implementation of ops for secure only case */
 extern int ssl_SecureConnect(sslSocket *ss, const PRNetAddr *addr);
 extern PRFileDesc *ssl_SecureAccept(sslSocket *ss, PRNetAddr *addr);
 extern int ssl_SecureRecv(sslSocket *ss, unsigned char *buf,
-                          int len, int flags);
+                          int len, int flags);
 extern int ssl_SecureSend(sslSocket *ss, const unsigned char *buf,
-                          int len, int flags);
+                          int len, int flags);
 extern int ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len);
 extern int ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len);
 extern int ssl_SecureShutdown(sslSocket *ss, int how);
 extern int ssl_SecureClose(sslSocket *ss);
 
 /* Implementation of ops for secure socks case */
 extern int ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *addr);
 extern PRFileDesc *ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr);
 extern PRFileDesc *ssl_FindTop(sslSocket *ss);
 
 /* Gather funcs. */
-extern sslGather * ssl_NewGather(void);
-extern SECStatus   ssl_InitGather(sslGather *gs);
-extern void        ssl_DestroyGather(sslGather *gs);
-extern int         ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags);
-extern int         ssl2_GatherRecord(sslSocket *ss, int flags);
-extern SECStatus   ssl_GatherRecord1stHandshake(sslSocket *ss);
+extern sslGather *ssl_NewGather(void);
+extern SECStatus ssl_InitGather(sslGather *gs);
+extern void ssl_DestroyGather(sslGather *gs);
+extern int ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags);
+extern int ssl2_GatherRecord(sslSocket *ss, int flags);
+extern SECStatus ssl_GatherRecord1stHandshake(sslSocket *ss);
 
-extern SECStatus   ssl2_HandleClientHelloMessage(sslSocket *ss);
-extern SECStatus   ssl2_HandleServerHelloMessage(sslSocket *ss);
+extern SECStatus ssl2_HandleClientHelloMessage(sslSocket *ss);
+extern SECStatus ssl2_HandleServerHelloMessage(sslSocket *ss);
 
-extern SECStatus   ssl_CreateSecurityInfo(sslSocket *ss);
-extern SECStatus   ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os);
-extern void        ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset);
-extern void        ssl_DestroySecurityInfo(sslSecurityInfo *sec);
+extern SECStatus ssl_CreateSecurityInfo(sslSocket *ss);
+extern SECStatus ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os);
+extern void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset);
+extern void ssl_DestroySecurityInfo(sslSecurityInfo *sec);
 
-extern void        ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len);
-extern void        ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len);
+extern void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len);
+extern void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len);
 
-extern int         ssl_SendSavedWriteData(sslSocket *ss);
-extern SECStatus ssl_SaveWriteData(sslSocket *ss, 
-                                   const void* p, unsigned int l);
+extern int ssl_SendSavedWriteData(sslSocket *ss);
+extern SECStatus ssl_SaveWriteData(sslSocket *ss,
+                                   const void *p, unsigned int l);
 extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss);
 extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss);
-extern int       ssl_Do1stHandshake(sslSocket *ss);
+extern int ssl_Do1stHandshake(sslSocket *ss);
 
 extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen);
-extern SECStatus sslBuffer_Append(sslBuffer *b, const void * data, 
-                                  unsigned int len);
+extern SECStatus sslBuffer_Append(sslBuffer *b, const void *data,
+                                  unsigned int len);
 
-extern void      ssl2_UseClearSendFunc(sslSocket *ss);
-extern void      ssl_ChooseSessionIDProcs(sslSecurityInfo *sec);
+extern void ssl2_UseClearSendFunc(sslSocket *ss);
+extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec);
 
 extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server);
-extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, 
+extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port,
                                    const char *peerID, const char *urlSvrName);
-extern void      ssl_FreeSID(sslSessionID *sid);
+extern void ssl_FreeSID(sslSessionID *sid);
 
-extern int       ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
-                                          int len, int flags);
+extern int ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
+                                    int len, int flags);
 
-extern PRBool    ssl_FdIsBlocking(PRFileDesc *fd);
+extern PRBool ssl_FdIsBlocking(PRFileDesc *fd);
 
-extern PRBool    ssl_SocketIsBlocking(sslSocket *ss);
+extern PRBool ssl_SocketIsBlocking(sslSocket *ss);
 
-extern void      ssl3_SetAlwaysBlock(sslSocket *ss);
+extern void ssl3_SetAlwaysBlock(sslSocket *ss);
 
 extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
 
-extern void      ssl_FinishHandshake(sslSocket *ss);
+extern void ssl_FinishHandshake(sslSocket *ss);
 
-/* Returns PR_TRUE if we are still waiting for the server to respond to our
- * client second round. Once we've received any part of the server's second
- * round then we don't bother trying to false start since it is almost always
- * the case that the NewSessionTicket, ChangeCipherSoec, and Finished messages
- * were sent in the same packet and we want to process them all at the same
- * time. If we were to try to false start in the middle of the server's second
- * round, then we would increase the number of I/O operations
- * (SSL_ForceHandshake/PR_Recv/PR_Send/etc.) needed to finish the handshake.
+extern SECStatus ssl_CipherPolicySet(PRInt32 which, PRInt32 policy);
+
+extern SECStatus ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
+
+extern SECStatus ssl3_ConstrainRangeByPolicy(void);
+
+/* Returns PR_TRUE if we are still waiting for the server to complete its
+ * response to our client second round. Once we've received the Finished from
+ * the server then there is no need to check false start.
  */
-extern PRBool    ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss);
+extern PRBool ssl3_WaitingForServerSecondRound(sslSocket *ss);
 
 extern SECStatus
-ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
-                              PRBool             isServer,
-                              PRBool             isDTLS,
-                              PRBool             capRecordVersion,
-                              SSL3ContentType    type,
-                              const SSL3Opaque * pIn,
-                              PRUint32           contentLen,
-                              sslBuffer *        wrBuf);
-extern PRInt32   ssl3_SendRecord(sslSocket *ss, DTLSEpoch epoch,
-                                 SSL3ContentType type,
-                                 const SSL3Opaque* pIn, PRInt32 nIn,
-                                 PRInt32 flags);
+ssl3_CompressMACEncryptRecord(ssl3CipherSpec *cwSpec,
+                              PRBool isServer,
+                              PRBool isDTLS,
+                              PRBool capRecordVersion,
+                              SSL3ContentType type,
+                              const SSL3Opaque *pIn,
+                              PRUint32 contentLen,
+                              sslBuffer *wrBuf);
 
-#ifdef NSS_ENABLE_ZLIB
+extern PRInt32 ssl3_SendRecord(sslSocket *ss, DTLSEpoch epoch,
+                               SSL3ContentType type,
+                               const SSL3Opaque *pIn, PRInt32 nIn,
+                               PRInt32 flags);
+
+#ifdef NSS_SSL_ENABLE_ZLIB
 /*
  * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a
  * maximum TLS record payload of 2**14 bytes, that's 29 bytes.
  */
 #define SSL3_COMPRESSION_MAX_EXPANSION 29
-#else  /* !NSS_ENABLE_ZLIB */
+#else /* !NSS_SSL_ENABLE_ZLIB */
 #define SSL3_COMPRESSION_MAX_EXPANSION 0
 #endif
 
 /*
  * make sure there is room in the write buffer for padding and
  * other compression and cryptographic expansions.
  */
-#define SSL3_BUFFER_FUDGE     100 + SSL3_COMPRESSION_MAX_EXPANSION
+#define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION
 
-#define SSL_LOCK_READER(ss)             if (ss->recvLock) PZ_Lock(ss->recvLock)
-#define SSL_UNLOCK_READER(ss)           if (ss->recvLock) PZ_Unlock(ss->recvLock)
-#define SSL_LOCK_WRITER(ss)             if (ss->sendLock) PZ_Lock(ss->sendLock)
-#define SSL_UNLOCK_WRITER(ss)           if (ss->sendLock) PZ_Unlock(ss->sendLock)
+#define SSL_LOCK_READER(ss) \
+    if (ss->recvLock)       \
+    PZ_Lock(ss->recvLock)
+#define SSL_UNLOCK_READER(ss) \
+    if (ss->recvLock)         \
+    PZ_Unlock(ss->recvLock)
+#define SSL_LOCK_WRITER(ss) \
+    if (ss->sendLock)       \
+    PZ_Lock(ss->sendLock)
+#define SSL_UNLOCK_WRITER(ss) \
+    if (ss->sendLock)         \
+    PZ_Unlock(ss->sendLock)
 
 /* firstHandshakeLock -> recvBufLock */
-#define ssl_Get1stHandshakeLock(ss)     \
-    { if (!ss->opt.noLocks) { \
-          PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \
-                      !ssl_HaveRecvBufLock(ss)); \
-          PZ_EnterMonitor((ss)->firstHandshakeLock); \
-      } }
-#define ssl_Release1stHandshakeLock(ss) \
-    { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
-#define ssl_Have1stHandshakeLock(ss)    \
+#define ssl_Get1stHandshakeLock(ss)                               \
+    {                                                             \
+        if (!ss->opt.noLocks) {                                   \
+            PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \
+                        !ssl_HaveRecvBufLock(ss));                \
+            PZ_EnterMonitor((ss)->firstHandshakeLock);            \
+        }                                                         \
+    }
+#define ssl_Release1stHandshakeLock(ss)               \
+    {                                                 \
+        if (!ss->opt.noLocks)                         \
+            PZ_ExitMonitor((ss)->firstHandshakeLock); \
+    }
+#define ssl_Have1stHandshakeLock(ss) \
     (PZ_InMonitor((ss)->firstHandshakeLock))
 
 /* ssl3HandshakeLock -> xmitBufLock */
-#define ssl_GetSSL3HandshakeLock(ss)    \
-    { if (!ss->opt.noLocks) { \
-          PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
-          PZ_EnterMonitor((ss)->ssl3HandshakeLock); \
-      } }
-#define ssl_ReleaseSSL3HandshakeLock(ss) \
-    { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
-#define ssl_HaveSSL3HandshakeLock(ss)   \
+#define ssl_GetSSL3HandshakeLock(ss)                  \
+    {                                                 \
+        if (!ss->opt.noLocks) {                       \
+            PORT_Assert(!ssl_HaveXmitBufLock(ss));    \
+            PZ_EnterMonitor((ss)->ssl3HandshakeLock); \
+        }                                             \
+    }
+#define ssl_ReleaseSSL3HandshakeLock(ss)             \
+    {                                                \
+        if (!ss->opt.noLocks)                        \
+            PZ_ExitMonitor((ss)->ssl3HandshakeLock); \
+    }
+#define ssl_HaveSSL3HandshakeLock(ss) \
     (PZ_InMonitor((ss)->ssl3HandshakeLock))
 
-#define ssl_GetSpecReadLock(ss)         \
-    { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); }
-#define ssl_ReleaseSpecReadLock(ss)     \
-    { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
+#define ssl_GetSpecReadLock(ss)                 \
+    {                                           \
+        if (!ss->opt.noLocks)                   \
+            NSSRWLock_LockRead((ss)->specLock); \
+    }
+#define ssl_ReleaseSpecReadLock(ss)               \
+    {                                             \
+        if (!ss->opt.noLocks)                     \
+            NSSRWLock_UnlockRead((ss)->specLock); \
+    }
 /* NSSRWLock_HaveReadLock is not exported so there's no
  * ssl_HaveSpecReadLock macro. */
 
-#define ssl_GetSpecWriteLock(ss)        \
-    { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); }
-#define ssl_ReleaseSpecWriteLock(ss)    \
-    { if (!ss->opt.noLocks) NSSRWLock_UnlockWrite((ss)->specLock); }
-#define ssl_HaveSpecWriteLock(ss)       \
+#define ssl_GetSpecWriteLock(ss)                 \
+    {                                            \
+        if (!ss->opt.noLocks)                    \
+            NSSRWLock_LockWrite((ss)->specLock); \
+    }
+#define ssl_ReleaseSpecWriteLock(ss)               \
+    {                                              \
+        if (!ss->opt.noLocks)                      \
+            NSSRWLock_UnlockWrite((ss)->specLock); \
+    }
+#define ssl_HaveSpecWriteLock(ss) \
     (NSSRWLock_HaveWriteLock((ss)->specLock))
 
 /* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */
-#define ssl_GetRecvBufLock(ss)          \
-    { if (!ss->opt.noLocks) { \
-          PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \
-          PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
-          PZ_EnterMonitor((ss)->recvBufLock); \
-      } }
-#define ssl_ReleaseRecvBufLock(ss)      \
-    { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
-#define ssl_HaveRecvBufLock(ss)         \
+#define ssl_GetRecvBufLock(ss)                           \
+    {                                                    \
+        if (!ss->opt.noLocks) {                          \
+            PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \
+            PORT_Assert(!ssl_HaveXmitBufLock(ss));       \
+            PZ_EnterMonitor((ss)->recvBufLock);          \
+        }                                                \
+    }
+#define ssl_ReleaseRecvBufLock(ss)             \
+    {                                          \
+        if (!ss->opt.noLocks)                  \
+            PZ_ExitMonitor((ss)->recvBufLock); \
+    }
+#define ssl_HaveRecvBufLock(ss) \
     (PZ_InMonitor((ss)->recvBufLock))
 
 /* xmitBufLock -> specLock */
-#define ssl_GetXmitBufLock(ss)          \
-    { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
-#define ssl_ReleaseXmitBufLock(ss)      \
-    { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); }
-#define ssl_HaveXmitBufLock(ss)         \
+#define ssl_GetXmitBufLock(ss)                  \
+    {                                           \
+        if (!ss->opt.noLocks)                   \
+            PZ_EnterMonitor((ss)->xmitBufLock); \
+    }
+#define ssl_ReleaseXmitBufLock(ss)             \
+    {                                          \
+        if (!ss->opt.noLocks)                  \
+            PZ_ExitMonitor((ss)->xmitBufLock); \
+    }
+#define ssl_HaveXmitBufLock(ss) \
     (PZ_InMonitor((ss)->xmitBufLock))
 
 /* Placeholder value used in version ranges when SSL 3.0 and all
  * versions of TLS are disabled.
  */
 #define SSL_LIBRARY_VERSION_NONE 0
 
-/* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version 
+/* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version
  * of libssl supports. Applications should use SSL_VersionRangeGetSupported at
  * runtime to determine which versions are supported by the version of libssl
  * in use.
  */
 #ifdef NSS_ENABLE_TLS_1_3
 #define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_3
 #else
 #define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_2
 #endif
 
 /* Rename this macro SSL_ALL_VERSIONS_DISABLED when SSL 2.0 is removed. */
 #define SSL3_ALL_VERSIONS_DISABLED(vrange) \
     ((vrange)->min == SSL_LIBRARY_VERSION_NONE)
 
 extern PRBool ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
-                                      SSL3ProtocolVersion version);
+                                      SSL3ProtocolVersion version);
 
-extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec * pwSpec,
-                    const unsigned char * cr, const unsigned char * sr,
-                    PRBool isTLS, PRBool isExport);
-extern  SECStatus ssl3_MasterSecretDeriveBypass( ssl3CipherSpec * pwSpec,
-                    const unsigned char * cr, const unsigned char * sr,
-                    const SECItem * pms, PRBool isTLS, PRBool isRSA);
+extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec *pwSpec,
+                                            const unsigned char *cr, const unsigned char *sr,
+                                            PRBool isTLS, PRBool isExport);
+extern SECStatus ssl3_MasterSecretDeriveBypass(ssl3CipherSpec *pwSpec,
+                                               const unsigned char *cr, const unsigned char *sr,
+                                               const SECItem *pms, PRBool isTLS, PRBool isRSA);
 
 /* These functions are called from secnav, even though they're "private". */
 
 extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error);
 extern sslSocket *ssl_FindSocket(PRFileDesc *fd);
 extern void ssl_FreeSocket(struct sslSocketStr *ssl);
 extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
-                                SSL3AlertDescription desc);
+                                SSL3AlertDescription desc);
 extern SECStatus ssl3_DecodeError(sslSocket *ss);
 
-extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket *    ss,
-                                             CERTCertificate *    cert, 
-                                             SECKEYPrivateKey *   key,
-                                             CERTCertificateList *certChain);
+extern SECStatus ssl3_RestartHandshakeAfterCertReq(struct sslSocketStr *ss,
+                                                   CERTCertificate *cert,
+                                                   SECKEYPrivateKey *key,
+                                                   CERTCertificateList *certChain);
 
 extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq(
     sslSocket *ss,
     SECKEYPublicKey *channelIDPub,
     SECKEYPrivateKey *channelID);
 
 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
 
 /*
  * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
@@ skipping 10 matching lines @@
 
 /*
  * input into the SSL3 machinery from the actualy network reading code
  */
 SECStatus ssl3_HandleRecord(
     sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out);
 
 int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
 int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags);
 /*
- * When talking to export clients or using export cipher suites, servers 
+ * When talking to export clients or using export cipher suites, servers
  * with public RSA keys larger than 512 bits need to use a 512-bit public
  * key, signed by the larger key.  The smaller key is a "step down" key.
  * Generate that key pair and keep it around.
  */
 extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
 
 extern SECStatus ssl3_SelectDHParams(sslSocket *ss);
 
 #ifndef NSS_DISABLE_ECC
-extern void      ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
-extern PRBool    ssl3_IsECCEnabled(sslSocket *ss);
-extern SECStatus ssl3_DisableECCSuites(sslSocket * ss, 
-                                       const ssl3CipherSuite * suite);
-extern PRUint32  ssl3_GetSupportedECCurveMask(sslSocket *ss);
-
+extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
+extern PRBool ssl3_IsECCEnabled(sslSocket *ss);
+extern SECStatus ssl3_DisableECCSuites(sslSocket *ss,
+                                       const ssl3CipherSuite *suite);
+extern PRUint32 ssl3_GetSupportedECCurveMask(sslSocket *ss);
 
 /* Macro for finding a curve equivalent in strength to RSA key's */
-#define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \
-        ((s <= 1024) ? 160 \
-          : ((s <= 2048) ? 224 \
-            : ((s <= 3072) ? 256 \
-              : ((s <= 7168) ? 384 : 521 ) ) ) )
+/* clang-format off */
+#define SSL_RSASTRENGTH_TO_ECSTRENGTH(s)                                       \
+        ((s <= 1024) ? 160                                                     \
+                     : ((s <= 2048) ? 224                                      \
+                                    : ((s <= 3072) ? 256                       \
+                                                   : ((s <= 7168) ? 384        \
+                                                                  : 521 ) ) ) )
+/* clang-format on */
 
 /* Types and names of elliptic curves used in TLS */
-typedef enum { ec_type_explicitPrime      = 1,
-               ec_type_explicitChar2Curve = 2,
-               ec_type_named
+typedef enum { ec_type_explicitPrime = 1,
+               ec_type_explicitChar2Curve = 2,
+               ec_type_named
 } ECType;
 
-typedef enum { ec_noName     = 0,
-               ec_sect163k1  = 1, 
-               ec_sect163r1  = 2, 
-               ec_sect163r2  = 3,
-               ec_sect193r1  = 4, 
-               ec_sect193r2  = 5, 
-               ec_sect233k1  = 6,
-               ec_sect233r1  = 7, 
-               ec_sect239k1  = 8, 
-               ec_sect283k1  = 9,
-               ec_sect283r1  = 10, 
-               ec_sect409k1  = 11, 
-               ec_sect409r1  = 12,
-               ec_sect571k1  = 13, 
-               ec_sect571r1  = 14, 
-               ec_secp160k1  = 15,
-               ec_secp160r1  = 16, 
-               ec_secp160r2  = 17, 
-               ec_secp192k1  = 18,
-               ec_secp192r1  = 19, 
-               ec_secp224k1  = 20, 
-               ec_secp224r1  = 21,
-               ec_secp256k1  = 22, 
-               ec_secp256r1  = 23, 
-               ec_secp384r1  = 24,
-               ec_secp521r1  = 25,
-               ec_pastLastName
+typedef enum { ec_noName = 0,
+               ec_sect163k1 = 1,
+               ec_sect163r1 = 2,
+               ec_sect163r2 = 3,
+               ec_sect193r1 = 4,
+               ec_sect193r2 = 5,
+               ec_sect233k1 = 6,
+               ec_sect233r1 = 7,
+               ec_sect239k1 = 8,
+               ec_sect283k1 = 9,
+               ec_sect283r1 = 10,
+               ec_sect409k1 = 11,
+               ec_sect409r1 = 12,
+               ec_sect571k1 = 13,
+               ec_sect571r1 = 14,
+               ec_secp160k1 = 15,
+               ec_secp160r1 = 16,
+               ec_secp160r2 = 17,
+               ec_secp192k1 = 18,
+               ec_secp192r1 = 19,
+               ec_secp224k1 = 20,
+               ec_secp224r1 = 21,
+               ec_secp256k1 = 22,
+               ec_secp256r1 = 23,
+               ec_secp384r1 = 24,
+               ec_secp521r1 = 25,
+               ec_pastLastName
 } ECName;
 
 extern SECStatus ssl3_ECName2Params(PLArenaPool *arena, ECName curve,
-                                   SECKEYECParams *params);
-ECName  ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits);
+                                    SECKEYECParams *params);
+ECName ssl3_PubKey2ECName(SECKEYPublicKey *pubKey);
 
+ECName ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits);
+ECName ssl3_GetCurveNameForServerSocket(sslSocket *ss);
 
 #endif /* NSS_DISABLE_ECC */
 
 extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
 extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
 extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
 extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled);
 
 extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
 extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
 extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
 extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
 extern SECStatus ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *cipher,
-                                     unsigned int len);
+                                     unsigned int len);
 
 extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
 extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
 extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
 extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
 
-extern void      ssl2_InitSocketPolicy(sslSocket *ss);
-extern void      ssl3_InitSocketPolicy(sslSocket *ss);
+extern void ssl2_InitSocketPolicy(sslSocket *ss);
+extern void ssl3_InitSocketPolicy(sslSocket *ss);
 
 extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
-                                                 unsigned char *cs, int *size);
+                                                 unsigned char *cs, int *size);
 
 extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
-extern SECStatus ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, 
-                                             PRUint32 length);
+extern SECStatus ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b,
+                                             PRUint32 length);
 
 extern void ssl3_DestroySSL3Info(sslSocket *ss);
 
-extern SECStatus ssl3_NegotiateVersion(sslSocket *ss, 
-                                       SSL3ProtocolVersion peerVersion,
-                                       PRBool allowLargerPeerVersion);
+extern SECStatus ssl3_NegotiateVersion(sslSocket *ss,
+                                       SSL3ProtocolVersion peerVersion,
+                                       PRBool allowLargerPeerVersion);
 
 extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
 
 #ifndef NSS_DISABLE_ECC
 /* ECDH functions */
-extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket * ss, 
-                             SECKEYPublicKey * svrPubKey);
-extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss, 
-                                        SSL3Opaque *b, PRUint32 length);
-extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss, 
-                                     SSL3Opaque *b, PRUint32 length,
-                                     SECKEYPublicKey *srvrPubKey,
-                                     SECKEYPrivateKey *srvrPrivKey);
+extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket *ss,
+                                                SECKEYPublicKey *svrPubKey);
+extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss,
+                                                  SSL3Opaque *b, PRUint32 length);
+extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss,
+                                                  SSL3Opaque *b, PRUint32 length,
+                                                  SECKEYPublicKey *srvrPubKey,
+                                                  SECKEYPrivateKey *srvrPrivKey);
 extern SECStatus ssl3_SendECDHServerKeyExchange(
     sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash);
+SECKEYPublicKey *tls13_ImportECDHKeyShare(
+    sslSocket *ss, SSL3Opaque *b, PRUint32 length, ECName curve);
+ECName tls13_GroupForECDHEKeyShare(ssl3KeyPair *pair);
+unsigned int tls13_SizeOfECDHEKeyShareKEX(ssl3KeyPair *pair);
+SECStatus tls13_EncodeECDHEKeyShareKEX(sslSocket *ss, ssl3KeyPair *pair);
 #endif
 
 extern SECStatus ssl3_ComputeCommonKeyHash(SSLHashType hashAlg,
-                                PRUint8 * hashBuf,
-                                unsigned int bufLen, SSL3Hashes *hashes, 
-                                PRBool bypassPKCS11);
+                                           PRUint8 *hashBuf,
+                                           unsigned int bufLen, SSL3Hashes *hashes,
+                                           PRBool bypassPKCS11);
 extern void ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName);
 extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms);
-extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src, 
-                        PRInt32 bytes);
-extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss, 
-                        SSL3HandshakeType t, PRUint32 length);
-extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, 
-                        PRInt32 lenSize);
-extern SECStatus ssl3_AppendHandshakeVariable( sslSocket *ss, 
-                        const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize);
+extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src,
+                                      PRInt32 bytes);
+extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss,
+                                            SSL3HandshakeType t, PRUint32 length);
+extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num,
+                                            PRInt32 lenSize);
+extern SECStatus ssl3_AppendHandshakeVariable(sslSocket *ss,
+                                              const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize);
 extern SECStatus ssl3_AppendSignatureAndHashAlgorithm(
-    sslSocket *ss, const SSLSignatureAndHashAlg* sigAndHash);
-extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, 
-                        SSL3Opaque **b, PRUint32 *length);
-extern PRInt32   ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, 
-                        SSL3Opaque **b, PRUint32 *length);
-extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, 
-                        PRInt32 bytes, SSL3Opaque **b, PRUint32 *length);
+    sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash);
+extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes,
+                                       SSL3Opaque **b, PRUint32 *length);
+extern PRInt32 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes,
+                                           SSL3Opaque **b, PRUint32 *length);
+extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i,
+                                               PRInt32 bytes, SSL3Opaque **b, PRUint32 *length);
 extern PRBool ssl3_IsSupportedSignatureAlgorithm(
     const SSLSignatureAndHashAlg *alg);
 extern SECStatus ssl3_CheckSignatureAndHashAlgorithmConsistency(
     sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash,
-    CERTCertificate* cert);
+    CERTCertificate *cert);
 extern SECStatus ssl3_ConsumeSignatureAndHashAlgorithm(
     sslSocket *ss, SSL3Opaque **b, PRUint32 *length,
     SSLSignatureAndHashAlg *out);
-extern SECStatus ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, 
-                        SECItem *buf, PRBool isTLS);
-extern SECStatus ssl3_VerifySignedHashes(SSL3Hashes *hash, 
-                        CERTCertificate *cert, SECItem *buf, PRBool isTLS, 
-                        void *pwArg);
+extern SECStatus ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key,
+                                 SECItem *buf, PRBool isTLS);
+extern SECStatus ssl3_VerifySignedHashes(SSL3Hashes *hash,
+                                         CERTCertificate *cert, SECItem *buf, PRBool isTLS,
+                                         void *pwArg);
 extern SECStatus ssl3_CacheWrappedMasterSecret(sslSocket *ss,
-                        sslSessionID *sid, ssl3CipherSpec *spec,
-                        SSL3KEAType effectiveExchKeyType);
+                                               sslSessionID *sid, ssl3CipherSpec *spec,
+                                               SSL3KEAType effectiveExchKeyType);
 
 /* Functions that handle ClientHello and ServerHello extensions. */
-extern SECStatus ssl3_HandleServerNameXtn(sslSocket * ss,
-                        PRUint16 ex_type, SECItem *data);
-extern SECStatus ssl3_HandleSupportedCurvesXtn(sslSocket * ss,
-                        PRUint16 ex_type, SECItem *data);
-extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss,
-                        PRUint16 ex_type, SECItem *data);
+extern SECStatus ssl3_HandleServerNameXtn(sslSocket *ss,
+                                          PRUint16 ex_type, SECItem *data);
+extern SECStatus ssl3_HandleSupportedCurvesXtn(sslSocket *ss,
+                                               PRUint16 ex_type, SECItem *data);
+extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket *ss,
+                                                     PRUint16 ex_type, SECItem *data);
 extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
-                        PRUint16 ex_type, SECItem *data);
+                                                   PRUint16 ex_type, SECItem *data);
 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
-                        PRUint16 ex_type, SECItem *data);
+                                                   PRUint16 ex_type, SECItem *data);
 
 /* ClientHello and ServerHello extension senders.
  * Note that not all extension senders are exposed here; only those that
  * that need exposure.
  */
 extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append,
-                        PRUint32 maxBytes);
+                                         PRUint32 maxBytes);
 
 /* ClientHello and ServerHello extension senders.
  * The code is in ssl3ext.c.
  */
 extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
-                     PRUint32 maxBytes);
+                                      PRUint32 maxBytes);
 
 /* Assigns new cert, cert chain and keys to ss->serverCerts
  * struct. If certChain is NULL, tries to find one. Aborts if
  * fails to do so. If cert and keyPair are NULL - unconfigures
  * sslSocket of kea type.*/
 extern SECStatus ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
                                         const CERTCertificateList *certChain,
                                         ssl3KeyPair *keyPair, SSLKEAType kea);
 
 #ifndef NSS_DISABLE_ECC
 extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
-                        PRBool append, PRUint32 maxBytes);
+                                           PRBool append, PRUint32 maxBytes);
 extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss,
-                        PRBool append, PRUint32 maxBytes);
+                                                 PRBool append, PRUint32 maxBytes);
 #endif
 
 /* call the registered extension handlers. */
-extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss, 
-                        SSL3Opaque **b, PRUint32 *length);
+extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss,
+                                            SSL3Opaque **b, PRUint32 *length,
+                                            SSL3HandshakeType handshakeMessage);
 
 /* Hello Extension related routines. */
 extern PRBool ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type);
 extern void ssl3_SetSIDSessionTicket(sslSessionID *sid,
-                        /*in/out*/ NewSessionTicket *session_ticket);
+                                     /*in/out*/ NewSessionTicket *session_ticket);
 extern SECStatus ssl3_SendNewSessionTicket(sslSocket *ss);
 extern PRBool ssl_GetSessionTicketKeys(unsigned char *keyName,
-                        unsigned char *encKey, unsigned char *macKey);
+                                       unsigned char *encKey, unsigned char *macKey);
 extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
-                        SECKEYPublicKey *svrPubKey, void *pwArg,
-                        unsigned char *keyName, PK11SymKey **aesKey,
-                        PK11SymKey **macKey);
+                                             SECKEYPublicKey *svrPubKey, void *pwArg,
+                                             unsigned char *keyName, PK11SymKey **aesKey,
+                                             PK11SymKey **macKey);
 
 /* Tell clients to consider tickets valid for this long. */
-#define TLS_EX_SESS_TICKET_LIFETIME_HINT    (2 * 24 * 60 * 60) /* 2 days */
-#define TLS_EX_SESS_TICKET_VERSION          (0x0101)
+#define TLS_EX_SESS_TICKET_LIFETIME_HINT (2 * 24 * 60 * 60) /* 2 days */
+#define TLS_EX_SESS_TICKET_VERSION (0x0101)
 
-extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data,
-                                            unsigned int length);
+extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char *data,
+                                            unsigned int length);
 
 extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
-                                                 unsigned char *out,
-                                                 unsigned int *outLen,
-                                                 unsigned int outLenMax);
+                                                 unsigned char *out,
+                                                 unsigned int *outLen,
+                                                 unsigned int outLenMax);
 
 /* Construct a new NSPR socket for the app to use */
 extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
 extern void ssl_FreePRSocket(PRFileDesc *fd);
 
 /* Internal config function so SSL3 can initialize the present state of
  * various ciphers */
 extern int ssl3_config_match_init(sslSocket *);
 
-
 /* Create a new ref counted key pair object from two keys. */
-extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, 
-                                      SECKEYPublicKey * pubKey);
+extern ssl3KeyPair *ssl3_NewKeyPair(SECKEYPrivateKey *privKey,
+                                    SECKEYPublicKey *pubKey);
 
 /* get a new reference (bump ref count) to an ssl3KeyPair. */
-extern ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair);
+extern ssl3KeyPair *ssl3_GetKeyPairRef(ssl3KeyPair *keyPair);
 
 /* Decrement keypair's ref count and free if zero. */
-extern void ssl3_FreeKeyPair(ssl3KeyPair * keyPair);
+extern void ssl3_FreeKeyPair(ssl3KeyPair *keyPair);
 
 /* calls for accessing wrapping keys across processes. */
 extern PRBool
-ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
-                    SSL3KEAType               exchKeyType, 
-                    SSLWrappedSymWrappingKey *wswk);
+ssl_GetWrappingKey(PRInt32 symWrapMechIndex,
+                   SSL3KEAType exchKeyType,
+                   SSLWrappedSymWrappingKey *wswk);
 
 /* The caller passes in the new value it wants
- * to set.  This code tests the wrapped sym key entry in the file on disk.  
- * If it is uninitialized, this function writes the caller's value into 
- * the disk entry, and returns false.  
- * Otherwise, it overwrites the caller's wswk with the value obtained from 
- * the disk, and returns PR_TRUE.  
- * This is all done while holding the locks/semaphores necessary to make 
+ * to set.  This code tests the wrapped sym key entry in the file on disk.
+ * If it is uninitialized, this function writes the caller's value into
+ * the disk entry, and returns false.
+ * Otherwise, it overwrites the caller's wswk with the value obtained from
+ * the disk, and returns PR_TRUE.
+ * This is all done while holding the locks/semaphores necessary to make
  * the operation atomic.
  */
 extern PRBool
 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
 
 /* get rid of the symmetric wrapping key references. */
 extern SECStatus SSL3_ShutdownServerCache(void);
 
 extern SECStatus ssl_InitSymWrapKeysLock(void);
 
 extern SECStatus ssl_FreeSymWrapKeysLock(void);
 
 extern SECStatus ssl_InitSessionCacheLocks(void);
 
-/***************** platform client auth ****************/
-
-#ifdef NSS_PLATFORM_CLIENT_AUTH
-// Releases the platform key.
-extern void ssl_FreePlatformKey(PlatformKey key);
-
-// Implement the client CertificateVerify message for SSL3/TLS1.0
-extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash,
-                                         PlatformKey key, SECItem *buf,
-                                         PRBool isTLS, KeyType keyType);
-
-// Converts a CERTCertList* (A collection of CERTCertificates) into a
-// CERTCertificateList* (A collection of SECItems), or returns NULL if
-// it cannot be converted.
-// This is to allow the platform-supplied chain to be created with purely
-// public API functions, using the preferred CERTCertList mutators, rather
-// pushing this hack to clients.
-extern CERTCertificateList* hack_NewCertificateListFromCertList(
-        CERTCertList* list);
-#endif  /* NSS_PLATFORM_CLIENT_AUTH */
-
 /**************** DTLS-specific functions **************/
 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg);
 extern void dtls_FreeQueuedMessages(PRCList *lst);
 extern void dtls_FreeHandshakeMessages(PRCList *lst);
 
 extern SECStatus dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf);
 extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss,
-                                               SSL3Opaque *b, PRUint32 length);
+                                               SSL3Opaque *b, PRUint32 length);
 extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss);
 extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
-                                   const SSL3Opaque *pIn, PRInt32 nIn);
+                                   const SSL3Opaque *pIn, PRInt32 nIn);
 extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
 extern SECStatus dtls_CompressMACEncryptRecord(sslSocket *ss,
-                                               DTLSEpoch epoch,
-                                               PRBool use_epoch,
-                                               SSL3ContentType type,
-                                               const SSL3Opaque *pIn,
-                                               PRUint32 contentLen,
-                                               sslBuffer *wrBuf);
-SECStatus ssl3_DisableNonDTLSSuites(sslSocket * ss);
+                                               DTLSEpoch epoch,
+                                               PRBool use_epoch,
+                                               SSL3ContentType type,
+                                               const SSL3Opaque *pIn,
+                                               PRUint32 contentLen,
+                                               sslBuffer *wrBuf);
+SECStatus ssl3_DisableNonDTLSSuites(sslSocket *ss);
 extern SECStatus dtls_StartTimer(sslSocket *ss, DTLSTimerCb cb);
 extern SECStatus dtls_RestartTimer(sslSocket *ss, PRBool backoff,
-                                   DTLSTimerCb cb);
+                                   DTLSTimerCb cb);
 extern void dtls_CheckTimer(sslSocket *ss);
 extern void dtls_CancelTimer(sslSocket *ss);
 extern void dtls_FinishedTimerCb(sslSocket *ss);
 extern void dtls_SetMTU(sslSocket *ss, PRUint16 advertised);
 extern void dtls_InitRecvdRecords(DTLSRecvdRecords *records);
-extern int dtls_RecordGetRecvd(DTLSRecvdRecords *records, PRUint64 seq);
+extern int dtls_RecordGetRecvd(const DTLSRecvdRecords *records, PRUint64 seq);
 extern void dtls_RecordSetRecvd(DTLSRecvdRecords *records, PRUint64 seq);
 extern void dtls_RehandshakeCleanup(sslSocket *ss);
 extern SSL3ProtocolVersion
 dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv);
 extern SSL3ProtocolVersion
 dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv);
+extern PRBool dtls_IsRelevant(sslSocket *ss, const ssl3CipherSpec *crSpec,
+                              const SSL3Ciphertext *cText, PRUint64 *seqNum);
+
+CK_MECHANISM_TYPE ssl3_Alg2Mech(SSLCipherAlgorithm calg);
+SECStatus ssl3_SetupPendingCipherSpec(sslSocket *ss);
+SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags);
+SECStatus ssl3_SendCertificate(sslSocket *ss);
+SECStatus ssl3_CompleteHandleCertificate(sslSocket *ss,
+                                         SSL3Opaque *b, PRUint32 length);
+SECStatus ssl3_SendEmptyCertificate(sslSocket *ss);
+SECStatus ssl3_SendCertificateStatus(sslSocket *ss);
+SECStatus ssl3_CompleteHandleCertificateStatus(sslSocket *ss, SSL3Opaque *b,
+                                               PRUint32 length);
+SECStatus ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf,
+                                               unsigned maxLen, PRUint32 *len);
+void ssl3_GetCertificateRequestCAs(sslSocket *ss, int *calenp, SECItem **namesp,
+                                   int *nnamesp);
+SECStatus ssl3_ParseCertificateRequestCAs(sslSocket *ss, SSL3Opaque **b,
+                                          PRUint32 *length, PLArenaPool *arena,
+                                          CERTDistNames *ca_list);
+SECStatus ssl3_CompleteHandleCertificateRequest(sslSocket *ss,
+                                                SECItem *algorithms,
+                                                CERTDistNames *ca_list);
+SECStatus ssl3_SendCertificateVerify(sslSocket *ss,
+                                     SECKEYPrivateKey *privKey);
+SECStatus ssl3_SendServerHello(sslSocket *ss);
+SECOidTag ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc);
+SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss,
+                                      ssl3CipherSpec *spec,
+                                      SSL3Hashes *hashes,
+                                      PRUint32 sender);
+void ssl3_BumpSequenceNumber(SSL3SequenceNumber *num);
+PRInt32 tls13_ServerSendKeyShareXtn(sslSocket *ss, PRBool append,
+                                    PRUint32 maxBytes);
+#ifndef NSS_DISABLE_ECC
+SECStatus ssl3_CreateECDHEphemeralKeyPair(ECName ec_curve,
+                                          ssl3KeyPair **keyPair);
+PK11SymKey *tls13_ComputeECDHSharedKey(sslSocket *ss,
+                                       SECKEYPrivateKey *myPrivKey,
+                                       SECKEYPublicKey *peerKey);
+#endif
+
+/* Pull in TLS 1.3 functions */
+#include "tls13con.h"
 
 /********************** misc calls *********************/
 
 #ifdef DEBUG
 extern void ssl3_CheckCipherSuiteOrderConsistency();
 #endif
 
 extern int ssl_MapLowLevelError(int hiLevelError);
 
 extern PRUint32 ssl_Time(void);
 
-extern void SSL_AtomicIncrementLong(long * x);
+extern void SSL_AtomicIncrementLong(long *x);
 
 SECStatus SSL_DisableDefaultExportCipherSuites(void);
-SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
-PRBool    SSL_IsExportCipherSuite(PRUint16 cipherSuite);
+SECStatus SSL_DisableExportCipherSuites(PRFileDesc *fd);
+PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite);
+
+SECStatus ssl3_ApplyNSSPolicy(void);
 
 extern SECStatus
 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec,
                             const char *label, unsigned int labelLen,
                             const unsigned char *val, unsigned int valLen,
                             unsigned char *out, unsigned int outLen);
 extern SECOidTag
 ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc);
 
 #ifdef TRACE
 #define SSL_TRACE(msg) ssl_Trace msg
 #else
 #define SSL_TRACE(msg)
 #endif
 
 void ssl_Trace(const char *format, ...);
 
 SEC_END_PROTOS
 
 #if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
 #define SSL_GETPID getpid
 #elif defined(WIN32)
 extern int __cdecl _getpid(void);
 #define SSL_GETPID _getpid
 #else
 #define SSL_GETPID() 0
 #endif
 
 #endif /* __sslimpl_h_ */