OLD | NEW |
| (Empty) |
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | |
2 /* | |
3 * This file is PRIVATE to SSL and should be the first thing included by | |
4 * any SSL implementation file. | |
5 * | |
6 * This Source Code Form is subject to the terms of the Mozilla Public | |
7 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
9 | |
10 #ifndef __sslimpl_h_ | |
11 #define __sslimpl_h_ | |
12 | |
13 #ifdef DEBUG | |
14 #undef NDEBUG | |
15 #else | |
16 #undef NDEBUG | |
17 #define NDEBUG | |
18 #endif | |
19 #include "secport.h" | |
20 #include "secerr.h" | |
21 #include "sslerr.h" | |
22 #include "ssl3prot.h" | |
23 #include "hasht.h" | |
24 #include "nssilock.h" | |
25 #include "pkcs11t.h" | |
26 #if defined(XP_UNIX) || defined(XP_BEOS) | |
27 #include "unistd.h" | |
28 #endif | |
29 #include "nssrwlk.h" | |
30 #include "prthread.h" | |
31 #include "prclist.h" | |
32 | |
33 #include "sslt.h" /* for some formerly private types, now public */ | |
34 | |
35 /* to make some of these old enums public without namespace pollution, | |
36 ** it was necessary to prepend ssl_ to the names. | |
37 ** These #defines preserve compatibility with the old code here in libssl. | |
38 */ | |
39 typedef SSLKEAType SSL3KEAType; | |
40 typedef SSLMACAlgorithm SSL3MACAlgorithm; | |
41 | |
42 #define calg_null ssl_calg_null | |
43 #define calg_rc4 ssl_calg_rc4 | |
44 #define calg_rc2 ssl_calg_rc2 | |
45 #define calg_des ssl_calg_des | |
46 #define calg_3des ssl_calg_3des | |
47 #define calg_idea ssl_calg_idea | |
48 #define calg_fortezza ssl_calg_fortezza /* deprecated, must preserve */ | |
49 #define calg_aes ssl_calg_aes | |
50 #define calg_camellia ssl_calg_camellia | |
51 #define calg_seed ssl_calg_seed | |
52 #define calg_aes_gcm ssl_calg_aes_gcm | |
53 #define calg_chacha20 ssl_calg_chacha20 | |
54 | |
55 #define mac_null ssl_mac_null | |
56 #define mac_md5 ssl_mac_md5 | |
57 #define mac_sha ssl_mac_sha | |
58 #define hmac_md5 ssl_hmac_md5 | |
59 #define hmac_sha ssl_hmac_sha | |
60 #define hmac_sha256 ssl_hmac_sha256 | |
61 #define mac_aead ssl_mac_aead | |
62 | |
63 #define SET_ERROR_CODE /* reminder */ | |
64 #define SEND_ALERT /* reminder */ | |
65 #define TEST_FOR_FAILURE /* reminder */ | |
66 #define DEAL_WITH_FAILURE /* reminder */ | |
67 | |
68 #if defined(DEBUG) || defined(TRACE) | |
69 #ifdef __cplusplus | |
70 #define Debug 1 | |
71 #else | |
72 extern int Debug; | |
73 #endif | |
74 #else | |
75 #undef Debug | |
76 #endif | |
77 | |
78 #if defined(DEBUG) && !defined(TRACE) && !defined(NISCC_TEST) | |
79 #define TRACE | |
80 #endif | |
81 | |
82 #ifdef TRACE | |
83 #define SSL_TRC(a, b) \ | |
84 if (ssl_trace >= (a)) \ | |
85 ssl_Trace b | |
86 #define PRINT_BUF(a, b) \ | |
87 if (ssl_trace >= (a)) \ | |
88 ssl_PrintBuf b | |
89 #define DUMP_MSG(a, b) \ | |
90 if (ssl_trace >= (a)) \ | |
91 ssl_DumpMsg b | |
92 #else | |
93 #define SSL_TRC(a, b) | |
94 #define PRINT_BUF(a, b) | |
95 #define DUMP_MSG(a, b) | |
96 #endif | |
97 | |
98 #ifdef DEBUG | |
99 #define SSL_DBG(b) \ | |
100 if (ssl_debug) \ | |
101 ssl_Trace b | |
102 #else | |
103 #define SSL_DBG(b) | |
104 #endif | |
105 | |
106 #include "private/pprthred.h" /* for PR_InMonitor() */ | |
107 #define ssl_InMonitor(m) PZ_InMonitor(m) | |
108 | |
109 #define LSB(x) ((unsigned char)((x)&0xff)) | |
110 #define MSB(x) ((unsigned char)(((unsigned)(x)) >> 8)) | |
111 | |
112 /************************************************************************/ | |
113 | |
114 typedef enum { SSLAppOpRead = 0, | |
115 SSLAppOpWrite, | |
116 SSLAppOpRDWR, | |
117 SSLAppOpPost, | |
118 SSLAppOpHeader | |
119 } SSLAppOperation; | |
120 | |
121 #define SSL_MIN_MASTER_KEY_BYTES 5 | |
122 #define SSL_MAX_MASTER_KEY_BYTES 64 | |
123 | |
124 #define SSL2_SESSIONID_BYTES 16 | |
125 #define SSL3_SESSIONID_BYTES 32 | |
126 | |
127 #define SSL_MIN_CHALLENGE_BYTES 16 | |
128 #define SSL_MAX_CHALLENGE_BYTES 32 | |
129 #define SSL_CHALLENGE_BYTES 16 | |
130 | |
131 #define SSL_CONNECTIONID_BYTES 16 | |
132 | |
133 #define SSL_MIN_CYPHER_ARG_BYTES 0 | |
134 #define SSL_MAX_CYPHER_ARG_BYTES 32 | |
135 | |
136 #define SSL_MAX_MAC_BYTES 16 | |
137 | |
138 #define SSL3_RSA_PMS_LENGTH 48 | |
139 #define SSL3_MASTER_SECRET_LENGTH 48 | |
140 | |
141 /* number of wrap mechanisms potentially used to wrap master secrets. */ | |
142 #define SSL_NUM_WRAP_MECHS 16 | |
143 | |
144 /* This makes the cert cache entry exactly 4k. */ | |
145 #define SSL_MAX_CACHED_CERT_LEN 4060 | |
146 | |
147 #define NUM_MIXERS 9 | |
148 | |
149 /* Mask of the 25 named curves we support. */ | |
150 #define SSL3_ALL_SUPPORTED_CURVES_MASK 0x3fffffe | |
151 /* Mask of only 3 curves, suite B */ | |
152 #define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000 | |
153 | |
154 #ifndef BPB | |
155 #define BPB 8 /* Bits Per Byte */ | |
156 #endif | |
157 | |
158 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ | |
159 | |
160 #define INITIAL_DTLS_TIMEOUT_MS 1000 /* Default value from RFC 4347 = 1s*/ | |
161 #define MAX_DTLS_TIMEOUT_MS 60000 /* 1 minute */ | |
162 #define DTLS_FINISHED_TIMER_MS 120000 /* Time to wait in FINISHED state */ | |
163 | |
164 typedef struct sslBufferStr sslBuffer; | |
165 typedef struct sslConnectInfoStr sslConnectInfo; | |
166 typedef struct sslGatherStr sslGather; | |
167 typedef struct sslSecurityInfoStr sslSecurityInfo; | |
168 typedef struct sslSessionIDStr sslSessionID; | |
169 typedef struct sslSocketStr sslSocket; | |
170 typedef struct sslSocketOpsStr sslSocketOps; | |
171 | |
172 typedef struct ssl3StateStr ssl3State; | |
173 typedef struct ssl3CertNodeStr ssl3CertNode; | |
174 typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef; | |
175 typedef struct ssl3MACDefStr ssl3MACDef; | |
176 typedef struct ssl3KeyPairStr ssl3KeyPair; | |
177 typedef struct ssl3DHParamsStr ssl3DHParams; | |
178 | |
179 struct ssl3CertNodeStr { | |
180 struct ssl3CertNodeStr *next; | |
181 CERTCertificate *cert; | |
182 }; | |
183 | |
184 typedef SECStatus (*sslHandshakeFunc)(sslSocket *ss); | |
185 | |
186 /* This type points to the low layer send func, | |
187 ** e.g. ssl2_SendStream or ssl3_SendPlainText. | |
188 ** These functions return the same values as PR_Send, | |
189 ** i.e. >= 0 means number of bytes sent, < 0 means error. | |
190 */ | |
191 typedef PRInt32 (*sslSendFunc)(sslSocket *ss, const unsigned char *buf, | |
192 PRInt32 n, PRInt32 flags); | |
193 | |
194 typedef void (*sslSessionIDCacheFunc)(sslSessionID *sid); | |
195 typedef void (*sslSessionIDUncacheFunc)(sslSessionID *sid); | |
196 typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr *addr, | |
197 unsigned char *sid, | |
198 unsigned int sidLen, | |
199 CERTCertDBHandle *dbHandle); | |
200 | |
201 /* registerable callback function that either appends extension to buffer | |
202 * or returns length of data that it would have appended. | |
203 */ | |
204 typedef PRInt32 (*ssl3HelloExtensionSenderFunc)(sslSocket *ss, PRBool append, | |
205 PRUint32 maxBytes); | |
206 | |
207 /* registerable callback function that handles a received extension, | |
208 * of the given type. | |
209 */ | |
210 typedef SECStatus (*ssl3HelloExtensionHandlerFunc)(sslSocket *ss, | |
211 PRUint16 ex_type, | |
212 SECItem *data); | |
213 | |
214 /* row in a table of hello extension senders */ | |
215 typedef struct { | |
216 PRInt32 ex_type; | |
217 ssl3HelloExtensionSenderFunc ex_sender; | |
218 } ssl3HelloExtensionSender; | |
219 | |
220 /* row in a table of hello extension handlers */ | |
221 typedef struct { | |
222 PRInt32 ex_type; | |
223 ssl3HelloExtensionHandlerFunc ex_handler; | |
224 } ssl3HelloExtensionHandler; | |
225 | |
226 extern SECStatus | |
227 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, | |
228 ssl3HelloExtensionSenderFunc cb); | |
229 | |
230 extern PRInt32 | |
231 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, | |
232 const ssl3HelloExtensionSender *sender); | |
233 | |
234 extern unsigned int | |
235 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength); | |
236 | |
237 extern PRInt32 | |
238 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, | |
239 PRUint32 maxBytes); | |
240 | |
241 /* Socket ops */ | |
242 struct sslSocketOpsStr { | |
243 int (*connect)(sslSocket *, const PRNetAddr *); | |
244 PRFileDesc *(*accept)(sslSocket *, PRNetAddr *); | |
245 int (*bind)(sslSocket *, const PRNetAddr *); | |
246 int (*listen)(sslSocket *, int); | |
247 int (*shutdown)(sslSocket *, int); | |
248 int (*close)(sslSocket *); | |
249 | |
250 int (*recv)(sslSocket *, unsigned char *, int, int); | |
251 | |
252 /* points to the higher-layer send func, e.g. ssl_SecureSend. */ | |
253 int (*send)(sslSocket *, const unsigned char *, int, int); | |
254 int (*read)(sslSocket *, unsigned char *, int); | |
255 int (*write)(sslSocket *, const unsigned char *, int); | |
256 | |
257 int (*getpeername)(sslSocket *, PRNetAddr *); | |
258 int (*getsockname)(sslSocket *, PRNetAddr *); | |
259 }; | |
260 | |
261 /* Flags interpreted by ssl send functions. */ | |
262 #define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000 | |
263 #define ssl_SEND_FLAG_NO_BUFFER 0x20000000 | |
264 #define ssl_SEND_FLAG_USE_EPOCH 0x10000000 /* DTLS only */ | |
265 #define ssl_SEND_FLAG_NO_RETRANSMIT 0x08000000 /* DTLS only */ | |
266 #define ssl_SEND_FLAG_CAP_RECORD_VERSION \ | |
267 0x04000000 /* TLS only */ | |
268 #define ssl_SEND_FLAG_MASK 0x7f000000 | |
269 | |
270 /* | |
271 ** A buffer object. | |
272 */ | |
273 struct sslBufferStr { | |
274 unsigned char *buf; | |
275 unsigned int len; | |
276 unsigned int space; | |
277 }; | |
278 | |
279 /* | |
280 ** SSL3 cipher suite policy and preference struct. | |
281 */ | |
282 typedef struct { | |
283 #if !defined(_WIN32) | |
284 unsigned int cipher_suite : 16; | |
285 unsigned int policy : 8; | |
286 unsigned int enabled : 1; | |
287 unsigned int isPresent : 1; | |
288 #else | |
289 ssl3CipherSuite cipher_suite; | |
290 PRUint8 policy; | |
291 unsigned char enabled : 1; | |
292 unsigned char isPresent : 1; | |
293 #endif | |
294 } ssl3CipherSuiteCfg; | |
295 | |
296 #ifndef NSS_DISABLE_ECC | |
297 #define ssl_V3_SUITES_IMPLEMENTED 67 | |
298 #else | |
299 #define ssl_V3_SUITES_IMPLEMENTED 41 | |
300 #endif /* NSS_DISABLE_ECC */ | |
301 | |
302 #define MAX_DTLS_SRTP_CIPHER_SUITES 4 | |
303 | |
304 /* MAX_SIGNATURE_ALGORITHMS allows for a large number of combinations of | |
305 * SSLSignType and SSLHashType, but not all combinations (specifically, this | |
306 * doesn't allow space for combinations with MD5). */ | |
307 #define MAX_SIGNATURE_ALGORITHMS 15 | |
308 | |
309 /* clang-format off */ | |
310 typedef struct sslOptionsStr { | |
311 /* If SSL_SetNextProtoNego has been called, then this contains the | |
312 * list of supported protocols. */ | |
313 SECItem nextProtoNego; | |
314 | |
315 unsigned int useSecurity : 1; /* 1 */ | |
316 unsigned int useSocks : 1; /* 2 */ | |
317 unsigned int requestCertificate : 1; /* 3 */ | |
318 unsigned int requireCertificate : 2; /* 4-5 */ | |
319 unsigned int handshakeAsClient : 1; /* 6 */ | |
320 unsigned int handshakeAsServer : 1; /* 7 */ | |
321 unsigned int enableSSL2 : 1; /* 8 */ | |
322 unsigned int unusedBit9 : 1; /* 9 */ | |
323 unsigned int unusedBit10 : 1; /* 10 */ | |
324 unsigned int noCache : 1; /* 11 */ | |
325 unsigned int fdx : 1; /* 12 */ | |
326 unsigned int v2CompatibleHello : 1; /* 13 */ | |
327 unsigned int detectRollBack : 1; /* 14 */ | |
328 unsigned int noStepDown : 1; /* 15 */ | |
329 unsigned int bypassPKCS11 : 1; /* 16 */ | |
330 unsigned int noLocks : 1; /* 17 */ | |
331 unsigned int enableSessionTickets : 1; /* 18 */ | |
332 unsigned int enableDeflate : 1; /* 19 */ | |
333 unsigned int enableRenegotiation : 2; /* 20-21 */ | |
334 unsigned int requireSafeNegotiation : 1; /* 22 */ | |
335 unsigned int enableFalseStart : 1; /* 23 */ | |
336 unsigned int cbcRandomIV : 1; /* 24 */ | |
337 unsigned int enableOCSPStapling : 1; /* 25 */ | |
338 unsigned int enableNPN : 1; /* 26 */ | |
339 unsigned int enableALPN : 1; /* 27 */ | |
340 unsigned int reuseServerECDHEKey : 1; /* 28 */ | |
341 unsigned int enableFallbackSCSV : 1; /* 29 */ | |
342 unsigned int enableServerDhe : 1; /* 30 */ | |
343 unsigned int enableExtendedMS : 1; /* 31 */ | |
344 unsigned int enableSignedCertTimestamps : 1; /* 32 */ | |
345 } sslOptions; | |
346 /* clang-format on */ | |
347 | |
348 typedef enum { sslHandshakingUndetermined = 0, | |
349 sslHandshakingAsClient, | |
350 sslHandshakingAsServer | |
351 } sslHandshakingType; | |
352 | |
353 typedef struct sslServerCertsStr { | |
354 /* Configuration state for server sockets */ | |
355 CERTCertificate *serverCert; | |
356 CERTCertificateList *serverCertChain; | |
357 ssl3KeyPair *serverKeyPair; | |
358 unsigned int serverKeyBits; | |
359 } sslServerCerts; | |
360 | |
361 #define SERVERKEY serverKeyPair->privKey | |
362 | |
363 #define SSL_LOCK_RANK_SPEC 255 | |
364 #define SSL_LOCK_RANK_GLOBAL NSS_RWLOCK_RANK_NONE | |
365 | |
366 /* These are the valid values for shutdownHow. | |
367 ** These values are each 1 greater than the NSPR values, and the code | |
368 ** depends on that relation to efficiently convert PR_SHUTDOWN values | |
369 ** into ssl_SHUTDOWN values. These values use one bit for read, and | |
370 ** another bit for write, and can be used as bitmasks. | |
371 */ | |
372 #define ssl_SHUTDOWN_NONE 0 /* NOT shutdown at all */ | |
373 #define ssl_SHUTDOWN_RCV 1 /* PR_SHUTDOWN_RCV +1 */ | |
374 #define ssl_SHUTDOWN_SEND 2 /* PR_SHUTDOWN_SEND +1 */ | |
375 #define ssl_SHUTDOWN_BOTH 3 /* PR_SHUTDOWN_BOTH +1 */ | |
376 | |
377 /* | |
378 ** A gather object. Used to read some data until a count has been | |
379 ** satisfied. Primarily for support of async sockets. | |
380 ** Everything in here is protected by the recvBufLock. | |
381 */ | |
382 struct sslGatherStr { | |
383 int state; /* see GS_ values below. */ /* ssl 2 & 3 */ | |
384 | |
385 /* "buf" holds received plaintext SSL records, after decrypt and MAC check. | |
386 * SSL2: recv'd ciphertext records are put here, then decrypted in place. | |
387 * SSL3: recv'd ciphertext records are put in inbuf (see below), then | |
388 * decrypted into buf. | |
389 */ | |
390 sslBuffer buf; /*recvBufLock*/ /* ssl 2 & 3 */ | |
391 | |
392 /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3). | |
393 ** (offset - writeOffset) is the number of ciphertext bytes read in but | |
394 ** not yet deciphered. | |
395 */ | |
396 unsigned int offset; /* ssl 2 & 3 */ | |
397 | |
398 /* number of bytes to read in next call to ssl_DefRecv (recv) */ | |
399 unsigned int remainder; /* ssl 2 & 3 */ | |
400 | |
401 /* Number of ciphertext bytes to read in after 2-byte SSL record header. */ | |
402 unsigned int count; /* ssl2 only */ | |
403 | |
404 /* size of the final plaintext record. | |
405 ** == count - (recordPadding + MAC size) | |
406 */ | |
407 unsigned int recordLen; /* ssl2 only */ | |
408 | |
409 /* number of bytes of padding to be removed after decrypting. */ | |
410 /* This value is taken from the record's hdr[2], which means a too large | |
411 * value could crash us. | |
412 */ | |
413 unsigned int recordPadding; /* ssl2 only */ | |
414 | |
415 /* plaintext DATA begins this many bytes into "buf". */ | |
416 unsigned int recordOffset; /* ssl2 only */ | |
417 | |
418 int encrypted; /* SSL2 session is now encrypted. ssl2 only */ | |
419 | |
420 /* These next two values are used by SSL2 and SSL3. | |
421 ** DoRecv uses them to extract application data. | |
422 ** The difference between writeOffset and readOffset is the amount of | |
423 ** data available to the application. Note that the actual offset of | |
424 ** the data in "buf" is recordOffset (above), not readOffset. | |
425 ** In the current implementation, this is made available before the | |
426 ** MAC is checked!! | |
427 */ | |
428 unsigned int readOffset; /* Spot where DATA reader (e.g. application | |
429 ** or handshake code) will read next. | |
430 ** Always zero for SSl3 application data. | |
431 */ | |
432 /* offset in buf/inbuf/hdr into which new data will be read from socket. */ | |
433 unsigned int writeOffset; | |
434 | |
435 /* Buffer for ssl3 to read (encrypted) data from the socket */ | |
436 sslBuffer inbuf; /*recvBufLock*/ /* ssl3 only */ | |
437 | |
438 /* The ssl[23]_GatherData functions read data into this buffer, rather | |
439 ** than into buf or inbuf, while in the GS_HEADER state. | |
440 ** The portion of the SSL record header put here always comes off the wire | |
441 ** as plaintext, never ciphertext. | |
442 ** For SSL2, the plaintext portion is two bytes long. For SSl3 it is 5. | |
443 ** For DTLS it is 13. | |
444 */ | |
445 unsigned char hdr[13]; /* ssl 2 & 3 or dtls */ | |
446 | |
447 /* Buffer for DTLS data read off the wire as a single datagram */ | |
448 sslBuffer dtlsPacket; | |
449 | |
450 /* the start of the buffered DTLS record in dtlsPacket */ | |
451 unsigned int dtlsPacketOffset; | |
452 }; | |
453 | |
454 /* sslGather.state */ | |
455 #define GS_INIT 0 | |
456 #define GS_HEADER 1 | |
457 #define GS_MAC 2 | |
458 #define GS_DATA 3 | |
459 #define GS_PAD 4 | |
460 | |
461 /* | |
462 ** ssl3State and CipherSpec structs | |
463 */ | |
464 | |
465 /* The SSL bulk cipher definition */ | |
466 typedef enum { | |
467 cipher_null, | |
468 cipher_rc4, | |
469 cipher_rc4_40, | |
470 cipher_rc4_56, | |
471 cipher_rc2, | |
472 cipher_rc2_40, | |
473 cipher_des, | |
474 cipher_3des, | |
475 cipher_des40, | |
476 cipher_idea, | |
477 cipher_aes_128, | |
478 cipher_aes_256, | |
479 cipher_camellia_128, | |
480 cipher_camellia_256, | |
481 cipher_seed, | |
482 cipher_aes_128_gcm, | |
483 cipher_chacha20, | |
484 cipher_missing /* reserved for no such supported cipher */ | |
485 /* This enum must match ssl3_cipherName[] in ssl3con.c. */ | |
486 } SSL3BulkCipher; | |
487 | |
488 typedef enum { type_stream, | |
489 type_block, | |
490 type_aead } CipherType; | |
491 | |
492 #define MAX_IV_LENGTH 24 | |
493 | |
494 /* | |
495 * Do not depend upon 64 bit arithmetic in the underlying machine. | |
496 */ | |
497 typedef struct { | |
498 PRUint32 high; | |
499 PRUint32 low; | |
500 } SSL3SequenceNumber; | |
501 | |
502 typedef PRUint16 DTLSEpoch; | |
503 | |
504 typedef void (*DTLSTimerCb)(sslSocket *); | |
505 | |
506 /* 400 is large enough for MD5, SHA-1, and SHA-256. | |
507 * For SHA-384 support, increase it to 712. */ | |
508 #define MAX_MAC_CONTEXT_BYTES 400 | |
509 #define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8) | |
510 | |
511 #define MAX_CIPHER_CONTEXT_BYTES 2080 | |
512 #define MAX_CIPHER_CONTEXT_LLONGS (MAX_CIPHER_CONTEXT_BYTES / 8) | |
513 | |
514 typedef struct { | |
515 SSL3Opaque wrapped_master_secret[48]; | |
516 PRUint16 wrapped_master_secret_len; | |
517 PRUint8 msIsWrapped; | |
518 PRUint8 resumable; | |
519 PRUint8 extendedMasterSecretUsed; | |
520 } ssl3SidKeys; /* 52 bytes */ | |
521 | |
522 typedef struct { | |
523 PK11SymKey *write_key; | |
524 PK11SymKey *write_mac_key; | |
525 PK11Context *write_mac_context; | |
526 SECItem write_key_item; | |
527 SECItem write_iv_item; | |
528 SECItem write_mac_key_item; | |
529 SSL3Opaque write_iv[MAX_IV_LENGTH]; | |
530 PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS]; | |
531 } ssl3KeyMaterial; | |
532 | |
533 typedef SECStatus (*SSLCipher)(void *context, | |
534 unsigned char *out, | |
535 int *outlen, | |
536 int maxout, | |
537 const unsigned char *in, | |
538 int inlen); | |
539 typedef SECStatus (*SSLAEADCipher)( | |
540 ssl3KeyMaterial *keys, | |
541 PRBool doDecrypt, | |
542 unsigned char *out, | |
543 int *outlen, | |
544 int maxout, | |
545 const unsigned char *in, | |
546 int inlen, | |
547 const unsigned char *additionalData, | |
548 int additionalDataLen); | |
549 typedef SECStatus (*SSLCompressor)(void *context, | |
550 unsigned char *out, | |
551 int *outlen, | |
552 int maxout, | |
553 const unsigned char *in, | |
554 int inlen); | |
555 typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); | |
556 | |
557 /* The DTLS anti-replay window. Defined here because we need it in | |
558 * the cipher spec. Note that this is a ring buffer but left and | |
559 * right represent the true window, with modular arithmetic used to | |
560 * map them onto the buffer. | |
561 */ | |
562 #define DTLS_RECVD_RECORDS_WINDOW 1024 /* Packets; approximate \ | |
563 * Must be divisible by 8 \ | |
564 */ | |
565 typedef struct DTLSRecvdRecordsStr { | |
566 unsigned char data[DTLS_RECVD_RECORDS_WINDOW / 8]; | |
567 PRUint64 left; | |
568 PRUint64 right; | |
569 } DTLSRecvdRecords; | |
570 | |
571 /* | |
572 ** These are the "specs" in the "ssl3" struct. | |
573 ** Access to the pointers to these specs, and all the specs' contents | |
574 ** (direct and indirect) is protected by the reader/writer lock ss->specLock. | |
575 */ | |
576 typedef struct { | |
577 const ssl3BulkCipherDef *cipher_def; | |
578 const ssl3MACDef *mac_def; | |
579 SSLCompressionMethod compression_method; | |
580 int mac_size; | |
581 SSLCipher encode; | |
582 SSLCipher decode; | |
583 SSLAEADCipher aead; | |
584 SSLDestroy destroy; | |
585 void *encodeContext; | |
586 void *decodeContext; | |
587 SSLCompressor compressor; /* Don't name these fields compress */ | |
588 SSLCompressor decompressor; /* and uncompress because zconf.h */ | |
589 /* may define them as macros. */ | |
590 SSLDestroy destroyCompressContext; | |
591 void *compressContext; | |
592 SSLDestroy destroyDecompressContext; | |
593 void *decompressContext; | |
594 PRBool bypassCiphers; /* did double bypass (at least) */ | |
595 PK11SymKey *master_secret; | |
596 SSL3SequenceNumber write_seq_num; | |
597 SSL3SequenceNumber read_seq_num; | |
598 SSL3ProtocolVersion version; | |
599 ssl3KeyMaterial client; | |
600 ssl3KeyMaterial server; | |
601 SECItem msItem; | |
602 unsigned char key_block[NUM_MIXERS * MD5_LENGTH]; | |
603 unsigned char raw_master_secret[56]; | |
604 SECItem srvVirtName; /* for server: name that was negotiated | |
605 * with a client. For client - is | |
606 * always set to NULL.*/ | |
607 DTLSEpoch epoch; | |
608 DTLSRecvdRecords recvdRecords; | |
609 } ssl3CipherSpec; | |
610 | |
611 typedef enum { never_cached, | |
612 in_client_cache, | |
613 in_server_cache, | |
614 invalid_cache /* no longer in any cache. */ | |
615 } Cached; | |
616 | |
617 #define MAX_PEER_CERT_CHAIN_SIZE 8 | |
618 | |
619 struct sslSessionIDStr { | |
620 /* The global cache lock must be held when accessing these members when the | |
621 * sid is in any cache. | |
622 */ | |
623 sslSessionID *next; /* chain used for client sockets, only */ | |
624 Cached cached; | |
625 int references; | |
626 PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */ | |
627 | |
628 /* The rest of the members, except for the members of u.ssl3.locked, may | |
629 * be modified only when the sid is not in any cache. | |
630 */ | |
631 | |
632 CERTCertificate *peerCert; | |
633 CERTCertificate *peerCertChain[MAX_PEER_CERT_CHAIN_SIZE]; | |
634 SECItemArray peerCertStatus; /* client only */ | |
635 const char *peerID; /* client only */ | |
636 const char *urlSvrName; /* client only */ | |
637 CERTCertificate *localCert; | |
638 | |
639 PRIPv6Addr addr; | |
640 PRUint16 port; | |
641 | |
642 SSL3ProtocolVersion version; | |
643 | |
644 PRUint32 creationTime; /* seconds since Jan 1, 1970 */ | |
645 PRUint32 expirationTime; /* seconds since Jan 1, 1970 */ | |
646 | |
647 SSLSignType authAlgorithm; | |
648 PRUint32 authKeyBits; | |
649 SSLKEAType keaType; | |
650 PRUint32 keaKeyBits; | |
651 | |
652 union { | |
653 struct { | |
654 /* the V2 code depends upon the size of sessionID. */ | |
655 unsigned char sessionID[SSL2_SESSIONID_BYTES]; | |
656 | |
657 /* Stuff used to recreate key and read/write cipher objects */ | |
658 SECItem masterKey; /* never wrapped */ | |
659 int cipherType; | |
660 SECItem cipherArg; | |
661 int keyBits; | |
662 int secretKeyBits; | |
663 } ssl2; | |
664 struct { | |
665 /* values that are copied into the server's on-disk SID cache. */ | |
666 PRUint8 sessionIDLength; | |
667 SSL3Opaque sessionID[SSL3_SESSIONID_BYTES]; | |
668 | |
669 ssl3CipherSuite cipherSuite; | |
670 SSLCompressionMethod compression; | |
671 int policy; | |
672 ssl3SidKeys keys; | |
673 CK_MECHANISM_TYPE masterWrapMech; | |
674 /* mechanism used to wrap master secret */ | |
675 SSL3KEAType exchKeyType; | |
676 /* key type used in exchange algorithm, | |
677 * and to wrap the sym wrapping key. */ | |
678 #ifndef NSS_DISABLE_ECC | |
679 PRUint32 negotiatedECCurves; | |
680 #endif /* NSS_DISABLE_ECC */ | |
681 | |
682 /* The following values are NOT restored from the server's on-disk | |
683 * session cache, but are restored from the client's cache. | |
684 */ | |
685 PK11SymKey *clientWriteKey; | |
686 PK11SymKey *serverWriteKey; | |
687 | |
688 /* The following values pertain to the slot that wrapped the | |
689 ** master secret. (used only in client) | |
690 */ | |
691 SECMODModuleID masterModuleID; | |
692 /* what module wrapped the master secret */ | |
693 CK_SLOT_ID masterSlotID; | |
694 PRUint16 masterWrapIndex; | |
695 /* what's the key index for the wrapping key */ | |
696 PRUint16 masterWrapSeries; | |
697 /* keep track of the slot series, so we don't | |
698 * accidently try to use new keys after the | |
699 * card gets removed and replaced.*/ | |
700 | |
701 /* The following values pertain to the slot that did the signature | |
702 ** for client auth. (used only in client) | |
703 */ | |
704 SECMODModuleID clAuthModuleID; | |
705 CK_SLOT_ID clAuthSlotID; | |
706 PRUint16 clAuthSeries; | |
707 | |
708 char masterValid; | |
709 char clAuthValid; | |
710 | |
711 SECItem srvName; | |
712 | |
713 /* originalHandshakeHash contains the hash of the original, full | |
714 * handshake prior to the server's final flow. This is either a | |
715 * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for | |
716 * TLS 1.2). This is recorded and used only when ChannelID is | |
717 * negotiated as it's used to bind the ChannelID signature on the | |
718 * resumption handshake to the original handshake. */ | |
719 SECItem originalHandshakeHash; | |
720 | |
721 /* Signed certificate timestamps received in a TLS extension. | |
722 ** (used only in client). | |
723 */ | |
724 SECItem signedCertTimestamps; | |
725 | |
726 /* This lock is lazily initialized by CacheSID when a sid is first | |
727 * cached. Before then, there is no need to lock anything because | |
728 * the sid isn't being shared by anything. | |
729 */ | |
730 PRRWLock *lock; | |
731 | |
732 /* The lock must be held while reading or writing these members | |
733 * because they change while the sid is cached. | |
734 */ | |
735 struct { | |
736 /* The session ticket, if we have one, is sent as an extension | |
737 * in the ClientHello message. This field is used only by | |
738 * clients. It is protected by lock when lock is non-null | |
739 * (after the sid has been added to the client session cache). | |
740 */ | |
741 NewSessionTicket sessionTicket; | |
742 } locked; | |
743 } ssl3; | |
744 } u; | |
745 }; | |
746 | |
747 typedef struct ssl3CipherSuiteDefStr { | |
748 ssl3CipherSuite cipher_suite; | |
749 SSL3BulkCipher bulk_cipher_alg; | |
750 SSL3MACAlgorithm mac_alg; | |
751 SSL3KeyExchangeAlgorithm key_exchange_alg; | |
752 } ssl3CipherSuiteDef; | |
753 | |
754 /* | |
755 ** There are tables of these, all const. | |
756 */ | |
757 typedef struct { | |
758 SSL3KeyExchangeAlgorithm kea; | |
759 SSL3KEAType exchKeyType; | |
760 SSLSignType signKeyType; | |
761 /* For export cipher suites: | |
762 * is_limited identifies a suite as having a limit on the key size. | |
763 * key_size_limit provides the corresponding limit. */ | |
764 PRBool is_limited; | |
765 unsigned int key_size_limit; | |
766 PRBool tls_keygen; | |
767 /* True if the key exchange for the suite is ephemeral. Or to be more | |
768 * precise: true if the ServerKeyExchange message is always required. */ | |
769 PRBool ephemeral; | |
770 /* An OID describing the key exchange */ | |
771 SECOidTag oid; | |
772 } ssl3KEADef; | |
773 | |
774 /* | |
775 ** There are tables of these, all const. | |
776 */ | |
777 struct ssl3BulkCipherDefStr { | |
778 SSL3BulkCipher cipher; | |
779 SSLCipherAlgorithm calg; | |
780 int key_size; | |
781 int secret_key_size; | |
782 CipherType type; | |
783 int iv_size; | |
784 int block_size; | |
785 int tag_size; /* authentication tag size for AEAD ciphers. */ | |
786 int explicit_nonce_size; /* for AEAD ciphers. */ | |
787 SECOidTag oid; | |
788 }; | |
789 | |
790 /* | |
791 ** There are tables of these, all const. | |
792 */ | |
793 struct ssl3MACDefStr { | |
794 SSL3MACAlgorithm mac; | |
795 CK_MECHANISM_TYPE mmech; | |
796 int pad_size; | |
797 int mac_size; | |
798 SECOidTag oid; | |
799 }; | |
800 | |
801 typedef enum { | |
802 wait_client_hello, | |
803 wait_client_cert, | |
804 wait_client_key, | |
805 wait_cert_verify, | |
806 wait_change_cipher, | |
807 wait_finished, | |
808 wait_server_hello, | |
809 wait_certificate_status, | |
810 wait_server_cert, | |
811 wait_server_key, | |
812 wait_cert_request, | |
813 wait_hello_done, | |
814 wait_new_session_ticket, | |
815 wait_encrypted_extensions, | |
816 idle_handshake, | |
817 wait_invalid /* Invalid value. There is no handshake message "invalid". */ | |
818 } SSL3WaitState; | |
819 | |
820 /* | |
821 * TLS extension related constants and data structures. | |
822 */ | |
823 typedef struct TLSExtensionDataStr TLSExtensionData; | |
824 typedef struct SessionTicketDataStr SessionTicketData; | |
825 | |
826 struct TLSExtensionDataStr { | |
827 /* registered callbacks that send server hello extensions */ | |
828 ssl3HelloExtensionSender serverHelloSenders[SSL_MAX_EXTENSIONS]; | |
829 ssl3HelloExtensionSender encryptedExtensionsSenders[SSL_MAX_EXTENSIONS]; | |
830 | |
831 /* Keep track of the extensions that are negotiated. */ | |
832 PRUint16 numAdvertised; | |
833 PRUint16 numNegotiated; | |
834 PRUint16 advertised[SSL_MAX_EXTENSIONS]; | |
835 PRUint16 negotiated[SSL_MAX_EXTENSIONS]; | |
836 | |
837 /* SessionTicket Extension related data. */ | |
838 PRBool ticketTimestampVerified; | |
839 PRBool emptySessionTicket; | |
840 PRBool sentSessionTicketInClientHello; | |
841 | |
842 /* SNI Extension related data | |
843 * Names data is not coppied from the input buffer. It can not be | |
844 * used outside the scope where input buffer is defined and that | |
845 * is beyond ssl3_HandleClientHello function. */ | |
846 SECItem *sniNameArr; | |
847 PRUint32 sniNameArrSize; | |
848 | |
849 /* Signed Certificate Timestamps extracted from the TLS extension. | |
850 * (client only). | |
851 * This container holds a temporary pointer to the extension data, | |
852 * until a session structure (the sec.ci.sid of an sslSocket) is setup | |
853 * that can hold a permanent copy of the data | |
854 * (in sec.ci.sid.u.ssl3.signedCertTimestamps). | |
855 * The data pointed to by this structure is neither explicitly allocated | |
856 * nor copied: the pointer points to the handshake message buffer and is | |
857 * only valid in the scope of ssl3_HandleServerHello. | |
858 */ | |
859 SECItem signedCertTimestamps; | |
860 }; | |
861 | |
862 typedef SECStatus (*sslRestartTarget)(sslSocket *); | |
863 | |
864 /* | |
865 ** A DTLS queued message (potentially to be retransmitted) | |
866 */ | |
867 typedef struct DTLSQueuedMessageStr { | |
868 PRCList link; /* The linked list link */ | |
869 DTLSEpoch epoch; /* The epoch to use */ | |
870 SSL3ContentType type; /* The message type */ | |
871 unsigned char *data; /* The data */ | |
872 PRUint16 len; /* The data length */ | |
873 } DTLSQueuedMessage; | |
874 | |
875 typedef struct TLS13KeyShareEntryStr { | |
876 PRCList link; /* The linked list link */ | |
877 PRUint16 group; /* The group for the entry */ | |
878 SECItem key_exchange; /* The share itself */ | |
879 } TLS13KeyShareEntry; | |
880 | |
881 typedef enum { | |
882 handshake_hash_unknown = 0, | |
883 handshake_hash_combo = 1, /* The MD5/SHA-1 combination */ | |
884 handshake_hash_single = 2 /* A single hash */ | |
885 } SSL3HandshakeHashType; | |
886 | |
887 /* | |
888 ** This is the "hs" member of the "ssl3" struct. | |
889 ** This entire struct is protected by ssl3HandshakeLock | |
890 */ | |
891 typedef struct SSL3HandshakeStateStr { | |
892 SSL3Random server_random; | |
893 SSL3Random client_random; | |
894 SSL3WaitState ws; /* May also contain SSL3WaitState | 0x80 for TLS 1.3 */ | |
895 | |
896 /* This group of members is used for handshake running hashes. */ | |
897 SSL3HandshakeHashType hashType; | |
898 sslBuffer messages; /* Accumulated handshake messages */ | |
899 #ifndef NO_PKCS11_BYPASS | |
900 /* Bypass mode: | |
901 * SSL 3.0 - TLS 1.1 use both |md5_cx| and |sha_cx|. |md5_cx| is used for | |
902 * MD5 and |sha_cx| for SHA-1. | |
903 * TLS 1.2 and later use only |sha_cx|, for SHA-256. NOTE: When we support | |
904 * SHA-384, increase MAX_MAC_CONTEXT_BYTES to 712. */ | |
905 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; | |
906 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; | |
907 const SECHashObject *sha_obj; | |
908 /* The function prototype of sha_obj->clone() does not match the prototype | |
909 * of the freebl <HASH>_Clone functions, so we need a dedicated function | |
910 * pointer for the <HASH>_Clone function. */ | |
911 void (*sha_clone)(void *dest, void *src); | |
912 #endif | |
913 /* PKCS #11 mode: | |
914 * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and | |
915 * |sha| for SHA-1. | |
916 * TLS 1.2 and later use only |sha|, for SHA-256. */ | |
917 /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup | |
918 * handshake hash for generating client auth signatures. Confusingly, the | |
919 * backup hash function is SHA-1. */ | |
920 #define backupHash md5 | |
921 PK11Context *md5; | |
922 PK11Context *sha; | |
923 | |
924 const ssl3KEADef *kea_def; | |
925 ssl3CipherSuite cipher_suite; | |
926 const ssl3CipherSuiteDef *suite_def; | |
927 SSLCompressionMethod compression; | |
928 sslBuffer msg_body; /* protected by recvBufLock */ | |
929 /* partial handshake message from record layer */ | |
930 unsigned int header_bytes; | |
931 /* number of bytes consumed from handshake */ | |
932 /* message for message type and header length */ | |
933 SSL3HandshakeType msg_type; | |
934 unsigned long msg_len; | |
935 SECItem ca_list; /* used only by client */ | |
936 PRBool isResuming; /* are we resuming a session */ | |
937 PRBool usedStepDownKey; /* we did a server key exchange. */ | |
938 PRBool sendingSCSV; /* instead of empty RI */ | |
939 sslBuffer msgState; /* current state for handshake messages*/ | |
940 /* protected by recvBufLock */ | |
941 | |
942 /* The session ticket received in a NewSessionTicket message is temporarily | |
943 * stored in newSessionTicket until the handshake is finished; then it is | |
944 * moved to the sid. | |
945 */ | |
946 PRBool receivedNewSessionTicket; | |
947 NewSessionTicket newSessionTicket; | |
948 | |
949 PRUint16 finishedBytes; /* size of single finished below */ | |
950 union { | |
951 TLSFinished tFinished[2]; /* client, then server */ | |
952 SSL3Finished sFinished[2]; | |
953 SSL3Opaque data[72]; | |
954 } finishedMsgs; | |
955 #ifndef NSS_DISABLE_ECC | |
956 PRUint32 negotiatedECCurves; /* bit mask */ | |
957 #endif /* NSS_DISABLE_ECC */ | |
958 | |
959 PRBool authCertificatePending; | |
960 /* Which function should SSL_RestartHandshake* call if we're blocked? | |
961 * One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake, | |
962 * or ssl3_AlwaysFail */ | |
963 sslRestartTarget restartTarget; | |
964 /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */ | |
965 PRBool cacheSID; | |
966 | |
967 PRBool canFalseStart; /* Can/did we False Start */ | |
968 /* Which preliminaryinfo values have been set. */ | |
969 PRUint32 preliminaryInfo; | |
970 | |
971 /* clientSigAndHash contains the contents of the signature_algorithms | |
972 * extension (if any) from the client. This is only valid for TLS 1.2 | |
973 * or later. */ | |
974 SSLSignatureAndHashAlg *clientSigAndHash; | |
975 unsigned int numClientSigAndHash; | |
976 | |
977 /* This group of values is used for DTLS */ | |
978 PRUint16 sendMessageSeq; /* The sending message sequence | |
979 * number */ | |
980 PRCList lastMessageFlight; /* The last message flight we | |
981 * sent */ | |
982 PRUint16 maxMessageSent; /* The largest message we sent */ | |
983 PRUint16 recvMessageSeq; /* The receiving message sequence | |
984 * number */ | |
985 sslBuffer recvdFragments; /* The fragments we have received in | |
986 * a bitmask */ | |
987 PRInt32 recvdHighWater; /* The high water mark for fragments | |
988 * received. -1 means no reassembly | |
989 * in progress. */ | |
990 unsigned char cookie[32]; /* The cookie */ | |
991 unsigned char cookieLen; /* The length of the cookie */ | |
992 PRIntervalTime rtTimerStarted; /* When the timer was started */ | |
993 DTLSTimerCb rtTimerCb; /* The function to call on expiry */ | |
994 PRUint32 rtTimeoutMs; /* The length of the current timeout | |
995 * used for backoff (in ms) */ | |
996 PRUint32 rtRetries; /* The retry counter */ | |
997 | |
998 /* This group of values is used for TLS 1.3 and above */ | |
999 PRCList remoteKeyShares; /* The other side's public keys */ | |
1000 PK11SymKey *xSS; /* Extracted static secret */ | |
1001 PK11SymKey *xES; /* Extracted ephemeral secret */ | |
1002 PK11SymKey *trafficSecret; /* The source key to use to generate | |
1003 * traffic keys */ | |
1004 PK11SymKey *clientFinishedSecret; /* Used for client Finished */ | |
1005 PK11SymKey *serverFinishedSecret; /* Used for server Finished */ | |
1006 unsigned char certReqContext[255]; /* Ties CertificateRequest | |
1007 * to Certificate */ | |
1008 PRUint8 certReqContextLen; /* Length of the context | |
1009 * cannot be greater than 255. */ | |
1010 } SSL3HandshakeState; | |
1011 | |
1012 /* | |
1013 ** This is the "ssl3" struct, as in "ss->ssl3". | |
1014 ** note: | |
1015 ** usually, crSpec == cwSpec and prSpec == pwSpec. | |
1016 ** Sometimes, crSpec == pwSpec and prSpec == cwSpec. | |
1017 ** But there are never more than 2 actual specs. | |
1018 ** No spec must ever be modified if either "current" pointer points to it. | |
1019 */ | |
1020 struct ssl3StateStr { | |
1021 | |
1022 /* | |
1023 ** The following Specs and Spec pointers must be protected using the | |
1024 ** Spec Lock. | |
1025 */ | |
1026 ssl3CipherSpec *crSpec; /* current read spec. */ | |
1027 ssl3CipherSpec *prSpec; /* pending read spec. */ | |
1028 ssl3CipherSpec *cwSpec; /* current write spec. */ | |
1029 ssl3CipherSpec *pwSpec; /* pending write spec. */ | |
1030 | |
1031 CERTCertificate *clientCertificate; /* used by client */ | |
1032 SECKEYPrivateKey *clientPrivateKey; /* used by client */ | |
1033 CERTCertificateList *clientCertChain; /* used by client */ | |
1034 PRBool sendEmptyCert; /* used by client */ | |
1035 | |
1036 SECKEYPrivateKey *channelID; /* used by client */ | |
1037 SECKEYPublicKey *channelIDPub; /* used by client */ | |
1038 | |
1039 int policy; | |
1040 /* This says what cipher suites we can do, and should | |
1041 * be either SSL_ALLOWED or SSL_RESTRICTED | |
1042 */ | |
1043 PLArenaPool *peerCertArena; | |
1044 /* These are used to keep track of the peer CA */ | |
1045 void *peerCertChain; | |
1046 /* chain while we are trying to validate it. */ | |
1047 CERTDistNames *ca_list; | |
1048 /* used by server. trusted CAs for this socket. */ | |
1049 PRBool initialized; | |
1050 SSL3HandshakeState hs; | |
1051 ssl3CipherSpec specs[2]; /* one is current, one is pending. */ | |
1052 | |
1053 /* In a client: if the server supports Next Protocol Negotiation, then | |
1054 * this is the protocol that was negotiated. | |
1055 */ | |
1056 SECItem nextProto; | |
1057 SSLNextProtoState nextProtoState; | |
1058 | |
1059 PRUint16 mtu; /* Our estimate of the MTU */ | |
1060 | |
1061 /* DTLS-SRTP cipher suite preferences (if any) */ | |
1062 PRUint16 dtlsSRTPCiphers[MAX_DTLS_SRTP_CIPHER_SUITES]; | |
1063 PRUint16 dtlsSRTPCipherCount; | |
1064 PRUint16 dtlsSRTPCipherSuite; /* 0 if not selected */ | |
1065 PRBool fatalAlertSent; | |
1066 PRUint16 numDHEGroups; /* used by server */ | |
1067 SSLDHEGroupType *dheGroups; /* used by server */ | |
1068 PRBool dheWeakGroupEnabled; /* used by server */ | |
1069 | |
1070 /* TLS 1.2 introduces separate signature algorithm negotiation. | |
1071 * This is our preference order. */ | |
1072 SSLSignatureAndHashAlg signatureAlgorithms[MAX_SIGNATURE_ALGORITHMS]; | |
1073 unsigned int signatureAlgorithmCount; | |
1074 | |
1075 /* The version to check if we fell back from our highest version | |
1076 * of TLS. Default is 0 in which case we check against the maximum | |
1077 * configured version for this socket. Used only on the client. */ | |
1078 SSL3ProtocolVersion downgradeCheckVersion; | |
1079 }; | |
1080 | |
1081 /* Ethernet MTU but without subtracting the headers, | |
1082 * so slightly larger than expected */ | |
1083 #define DTLS_MAX_MTU 1500U | |
1084 #define IS_DTLS(ss) (ss->protocolVariant == ssl_variant_datagram) | |
1085 | |
1086 typedef struct { | |
1087 SSL3ContentType type; | |
1088 SSL3ProtocolVersion version; | |
1089 SSL3SequenceNumber seq_num; /* DTLS only */ | |
1090 sslBuffer *buf; | |
1091 } SSL3Ciphertext; | |
1092 | |
1093 struct ssl3KeyPairStr { | |
1094 SECKEYPrivateKey *privKey; | |
1095 SECKEYPublicKey *pubKey; | |
1096 PRInt32 refCount; /* use PR_Atomic calls for this. */ | |
1097 }; | |
1098 | |
1099 struct ssl3DHParamsStr { | |
1100 SECItem prime; /* p */ | |
1101 SECItem base; /* g */ | |
1102 }; | |
1103 | |
1104 typedef struct SSLWrappedSymWrappingKeyStr { | |
1105 SSL3Opaque wrappedSymmetricWrappingkey[512]; | |
1106 CK_MECHANISM_TYPE symWrapMechanism; | |
1107 /* unwrapped symmetric wrapping key uses this mechanism */ | |
1108 CK_MECHANISM_TYPE asymWrapMechanism; | |
1109 /* mechanism used to wrap the SymmetricWrappingKey using | |
1110 * server's public and/or private keys. */ | |
1111 SSL3KEAType exchKeyType; /* type of keys used to wrap SymWrapKey*/ | |
1112 PRInt32 symWrapMechIndex; | |
1113 PRUint16 wrappedSymKeyLen; | |
1114 } SSLWrappedSymWrappingKey; | |
1115 | |
1116 typedef struct SessionTicketStr { | |
1117 PRUint16 ticket_version; | |
1118 SSL3ProtocolVersion ssl_version; | |
1119 ssl3CipherSuite cipher_suite; | |
1120 SSLCompressionMethod compression_method; | |
1121 SSLSignType authAlgorithm; | |
1122 PRUint32 authKeyBits; | |
1123 SSLKEAType keaType; | |
1124 PRUint32 keaKeyBits; | |
1125 /* | |
1126 * exchKeyType and msWrapMech contain meaningful values only if | |
1127 * ms_is_wrapped is true. | |
1128 */ | |
1129 PRUint8 ms_is_wrapped; | |
1130 SSLKEAType exchKeyType; /* XXX(wtc): same as keaType above? */ | |
1131 CK_MECHANISM_TYPE msWrapMech; | |
1132 PRUint16 ms_length; | |
1133 SSL3Opaque master_secret[48]; | |
1134 PRBool extendedMasterSecretUsed; | |
1135 ClientIdentity client_identity; | |
1136 SECItem peer_cert; | |
1137 PRUint32 timestamp; | |
1138 SECItem srvName; /* negotiated server name */ | |
1139 } SessionTicket; | |
1140 | |
1141 /* | |
1142 * SSL2 buffers used in SSL3. | |
1143 * writeBuf in the SecurityInfo maintained by sslsecur.c is used | |
1144 * to hold the data just about to be passed to the kernel | |
1145 * sendBuf in the ConnectInfo maintained by sslcon.c is used | |
1146 * to hold handshake messages as they are accumulated | |
1147 */ | |
1148 | |
1149 /* | |
1150 ** This is "ci", as in "ss->sec.ci". | |
1151 ** | |
1152 ** Protection: All the variables in here are protected by | |
1153 ** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock | |
1154 */ | |
1155 struct sslConnectInfoStr { | |
1156 /* outgoing handshakes appended to this. */ | |
1157 sslBuffer sendBuf; /*xmitBufLock*/ /* ssl 2 & 3 */ | |
1158 | |
1159 PRIPv6Addr peer; /* ssl 2 & 3 */ | |
1160 unsigned short port; /* ssl 2 & 3 */ | |
1161 | |
1162 sslSessionID *sid; /* ssl 2 & 3 */ | |
1163 | |
1164 /* see CIS_HAVE defines below for the bit values in *elements. */ | |
1165 char elements; /* ssl2 only */ | |
1166 char requiredElements; /* ssl2 only */ | |
1167 char sentElements; /* ssl2 only */ | |
1168 | |
1169 char sentFinished; /* ssl2 only */ | |
1170 | |
1171 /* Length of server challenge. Used by client when saving challenge */ | |
1172 int serverChallengeLen; /* ssl2 only */ | |
1173 /* type of authentication requested by server */ | |
1174 unsigned char authType; /* ssl2 only */ | |
1175 | |
1176 /* Challenge sent by client to server in client-hello message */ | |
1177 /* SSL3 gets a copy of this. See ssl3_StartHandshakeHash(). */ | |
1178 unsigned char clientChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl 2 & 3 */ | |
1179 | |
1180 /* Connection-id sent by server to client in server-hello message */ | |
1181 unsigned char connectionID[SSL_CONNECTIONID_BYTES]; /* ssl2 only */ | |
1182 | |
1183 /* Challenge sent by server to client in request-certificate message */ | |
1184 unsigned char serverChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl2 only */ | |
1185 | |
1186 /* Information kept to handle a request-certificate message */ | |
1187 unsigned char readKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */ | |
1188 unsigned char writeKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */ | |
1189 unsigned keySize; /* ssl2 only */ | |
1190 }; | |
1191 | |
1192 /* bit values for ci->elements, ci->requiredElements, sentElements. */ | |
1193 #define CIS_HAVE_MASTER_KEY 0x01 | |
1194 #define CIS_HAVE_CERTIFICATE 0x02 | |
1195 #define CIS_HAVE_FINISHED 0x04 | |
1196 #define CIS_HAVE_VERIFY 0x08 | |
1197 | |
1198 /* Note: The entire content of this struct and whatever it points to gets | |
1199 * blown away by SSL_ResetHandshake(). This is "sec" as in "ss->sec". | |
1200 * | |
1201 * Unless otherwise specified below, the contents of this struct are | |
1202 * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. | |
1203 */ | |
1204 struct sslSecurityInfoStr { | |
1205 sslSendFunc send; /*xmitBufLock*/ /* ssl 2 & 3 */ | |
1206 int isServer; /* Spec Lock?*/ /* ssl 2 & 3 */ | |
1207 sslBuffer writeBuf; /*xmitBufLock*/ /* ssl 2 & 3 */ | |
1208 | |
1209 int cipherType; /* ssl 2 & 3 */ | |
1210 int keyBits; /* ssl 2 & 3 */ | |
1211 int secretKeyBits; /* ssl 2 & 3 */ | |
1212 CERTCertificate *localCert; /* ssl 2 & 3 */ | |
1213 CERTCertificate *peerCert; /* ssl 2 & 3 */ | |
1214 SECKEYPublicKey *peerKey; /* ssl3 only */ | |
1215 | |
1216 SSLSignType authAlgorithm; | |
1217 PRUint32 authKeyBits; | |
1218 SSLKEAType keaType; | |
1219 PRUint32 keaKeyBits; | |
1220 | |
1221 /* | |
1222 ** Procs used for SID cache (nonce) management. | |
1223 ** Different implementations exist for clients/servers | |
1224 ** The lookup proc is only used for servers. Baloney! | |
1225 */ | |
1226 sslSessionIDCacheFunc cache; /* ssl 2 & 3 */ | |
1227 sslSessionIDUncacheFunc uncache; /* ssl 2 & 3 */ | |
1228 | |
1229 /* | |
1230 ** everything below here is for ssl2 only. | |
1231 ** This stuff is equivalent to SSL3's "spec", and is protected by the | |
1232 ** same "Spec Lock" as used for SSL3's specs. | |
1233 */ | |
1234 PRUint32 sendSequence; /*xmitBufLock*/ /* ssl2 only */ | |
1235 PRUint32 rcvSequence; /*recvBufLock*/ /* ssl2 only */ | |
1236 | |
1237 /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */ | |
1238 const SECHashObject *hash; /* Spec Lock */ /* ssl2 only */ | |
1239 void *hashcx; /* Spec Lock */ /* ssl2 only */ | |
1240 | |
1241 SECItem sendSecret; /* Spec Lock */ /* ssl2 only */ | |
1242 SECItem rcvSecret; /* Spec Lock */ /* ssl2 only */ | |
1243 | |
1244 /* Session cypher contexts; one for each direction */ | |
1245 void *readcx; /* Spec Lock */ /* ssl2 only */ | |
1246 void *writecx; /* Spec Lock */ /* ssl2 only */ | |
1247 SSLCipher enc; /* Spec Lock */ /* ssl2 only */ | |
1248 SSLCipher dec; /* Spec Lock */ /* ssl2 only */ | |
1249 void (*destroy)(void *, PRBool); /* Spec Lock */ /* ssl2 only */ | |
1250 | |
1251 /* Blocking information for the session cypher */ | |
1252 int blockShift; /* Spec Lock */ /* ssl2 only */ | |
1253 int blockSize; /* Spec Lock */ /* ssl2 only */ | |
1254 | |
1255 /* These are used during a connection handshake */ | |
1256 sslConnectInfo ci; /* ssl 2 & 3 */ | |
1257 }; | |
1258 | |
1259 /* | |
1260 ** SSL Socket struct | |
1261 ** | |
1262 ** Protection: XXX | |
1263 */ | |
1264 struct sslSocketStr { | |
1265 PRFileDesc *fd; | |
1266 | |
1267 /* Pointer to operations vector for this socket */ | |
1268 const sslSocketOps *ops; | |
1269 | |
1270 /* SSL socket options */ | |
1271 sslOptions opt; | |
1272 /* Enabled version range */ | |
1273 SSLVersionRange vrange; | |
1274 | |
1275 /* State flags */ | |
1276 unsigned long clientAuthRequested; | |
1277 unsigned long delayDisabled; /* Nagle delay disabled */ | |
1278 unsigned long firstHsDone; /* first handshake is complete. */ | |
1279 unsigned long enoughFirstHsDone; /* enough of the first handshake is | |
1280 * done for callbacks to be able to | |
1281 * retrieve channel security | |
1282 * parameters from the SSL socket. */ | |
1283 unsigned long handshakeBegun; | |
1284 unsigned long lastWriteBlocked; | |
1285 unsigned long recvdCloseNotify; /* received SSL EOF. */ | |
1286 unsigned long TCPconnected; | |
1287 unsigned long appDataBuffered; | |
1288 unsigned long peerRequestedProtection; /* from old renegotiation */ | |
1289 | |
1290 /* version of the protocol to use */ | |
1291 SSL3ProtocolVersion version; | |
1292 SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */ | |
1293 | |
1294 sslSecurityInfo sec; /* not a pointer any more */ | |
1295 | |
1296 /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */ | |
1297 const char *url; /* ssl 2 & 3 */ | |
1298 | |
1299 sslHandshakeFunc handshake; /*firstHandshakeLock*/ | |
1300 sslHandshakeFunc nextHandshake; /*firstHandshakeLock*/ | |
1301 sslHandshakeFunc securityHandshake; /*firstHandshakeLock*/ | |
1302 | |
1303 /* the following variable is only used with socks or other proxies. */ | |
1304 char *peerID; /* String uniquely identifies target server. */ | |
1305 | |
1306 unsigned char *cipherSpecs; | |
1307 unsigned int sizeCipherSpecs; | |
1308 const unsigned char *preferredCipher; | |
1309 | |
1310 /* TLS ClientCertificateTypes requested during HandleCertificateRequest. */ | |
1311 /* Will be NULL at all other times. */ | |
1312 const SECItem *requestedCertTypes; | |
1313 | |
1314 ssl3KeyPair *stepDownKeyPair; /* RSA step down keys */ | |
1315 | |
1316 const ssl3DHParams *dheParams; /* DHE param */ | |
1317 ssl3KeyPair *dheKeyPair; /* DHE keys */ | |
1318 | |
1319 /* Callbacks */ | |
1320 SSLAuthCertificate authCertificate; | |
1321 void *authCertificateArg; | |
1322 SSLGetClientAuthData getClientAuthData; | |
1323 void *getClientAuthDataArg; | |
1324 SSLSNISocketConfig sniSocketConfig; | |
1325 void *sniSocketConfigArg; | |
1326 SSLBadCertHandler handleBadCert; | |
1327 void *badCertArg; | |
1328 SSLHandshakeCallback handshakeCallback; | |
1329 void *handshakeCallbackData; | |
1330 SSLCanFalseStartCallback canFalseStartCallback; | |
1331 void *canFalseStartCallbackData; | |
1332 void *pkcs11PinArg; | |
1333 SSLNextProtoCallback nextProtoCallback; | |
1334 void *nextProtoArg; | |
1335 | |
1336 SSLClientChannelIDCallback getChannelID; | |
1337 void *getChannelIDArg; | |
1338 | |
1339 PRIntervalTime rTimeout; /* timeout for NSPR I/O */ | |
1340 PRIntervalTime wTimeout; /* timeout for NSPR I/O */ | |
1341 PRIntervalTime cTimeout; /* timeout for NSPR I/O */ | |
1342 | |
1343 PZLock *recvLock; /* lock against multiple reader threads. */ | |
1344 PZLock *sendLock; /* lock against multiple sender threads. */ | |
1345 | |
1346 PZMonitor *recvBufLock; /* locks low level recv buffers. */ | |
1347 PZMonitor *xmitBufLock; /* locks low level xmit buffers. */ | |
1348 | |
1349 /* Only one thread may operate on the socket until the initial handshake | |
1350 ** is complete. This Monitor ensures that. Since SSL2 handshake is | |
1351 ** only done once, this is also effectively the SSL2 handshake lock. | |
1352 */ | |
1353 PZMonitor *firstHandshakeLock; | |
1354 | |
1355 /* This monitor protects the ssl3 handshake state machine data. | |
1356 ** Only one thread (reader or writer) may be in the ssl3 handshake state | |
1357 ** machine at any time. */ | |
1358 PZMonitor *ssl3HandshakeLock; | |
1359 | |
1360 /* reader/writer lock, protects the secret data needed to encrypt and MAC | |
1361 ** outgoing records, and to decrypt and MAC check incoming ciphertext | |
1362 ** records. */ | |
1363 NSSRWLock *specLock; | |
1364 | |
1365 /* handle to perm cert db (and implicitly to the temp cert db) used | |
1366 ** with this socket. | |
1367 */ | |
1368 CERTCertDBHandle *dbHandle; | |
1369 | |
1370 PRThread *writerThread; /* thread holds SSL_LOCK_WRITER lock */ | |
1371 | |
1372 PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */ | |
1373 | |
1374 PRUint16 allowedByPolicy; /* copy of global policy bits. */ | |
1375 PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */ | |
1376 PRUint16 chosenPreference; /* SSL2 cipher preferences. */ | |
1377 | |
1378 sslHandshakingType handshaking; | |
1379 | |
1380 /* Gather object used for gathering data */ | |
1381 sslGather gs; /*recvBufLock*/ | |
1382 | |
1383 sslBuffer saveBuf; /*xmitBufLock*/ | |
1384 sslBuffer pendingBuf; /*xmitBufLock*/ | |
1385 | |
1386 /* Configuration state for server sockets */ | |
1387 /* server cert and key for each KEA type */ | |
1388 sslServerCerts serverCerts[kt_kea_size]; | |
1389 /* each cert needs its own status */ | |
1390 SECItemArray *certStatusArray[kt_kea_size]; | |
1391 /* Serialized signed certificate timestamps to be sent to the client | |
1392 ** in a TLS extension (server only). Each certificate needs its own | |
1393 ** timestamps item. | |
1394 */ | |
1395 SECItem signedCertTimestamps[kt_kea_size]; | |
1396 | |
1397 ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED]; | |
1398 ssl3KeyPair *ephemeralECDHKeyPair; /* for ECDHE-* handshake */ | |
1399 | |
1400 /* SSL3 state info. Formerly was a pointer */ | |
1401 ssl3State ssl3; | |
1402 | |
1403 /* | |
1404 * TLS extension related data. | |
1405 */ | |
1406 /* True when the current session is a stateless resume. */ | |
1407 PRBool statelessResume; | |
1408 TLSExtensionData xtnData; | |
1409 | |
1410 /* Whether we are doing stream or datagram mode */ | |
1411 SSLProtocolVariant protocolVariant; | |
1412 }; | |
1413 | |
1414 /* All the global data items declared here should be protected using the | |
1415 ** ssl_global_data_lock, which is a reader/writer lock. | |
1416 */ | |
1417 extern NSSRWLock *ssl_global_data_lock; | |
1418 extern char ssl_debug; | |
1419 extern char ssl_trace; | |
1420 extern FILE *ssl_trace_iob; | |
1421 extern FILE *ssl_keylog_iob; | |
1422 extern CERTDistNames *ssl3_server_ca_list; | |
1423 extern PRUint32 ssl_sid_timeout; | |
1424 extern PRUint32 ssl3_sid_timeout; | |
1425 | |
1426 extern const char *const ssl_cipherName[]; | |
1427 extern const char *const ssl3_cipherName[]; | |
1428 | |
1429 extern sslSessionIDLookupFunc ssl_sid_lookup; | |
1430 extern sslSessionIDCacheFunc ssl_sid_cache; | |
1431 extern sslSessionIDUncacheFunc ssl_sid_uncache; | |
1432 | |
1433 /************************************************************************/ | |
1434 | |
1435 SEC_BEGIN_PROTOS | |
1436 | |
1437 /* Internal initialization and installation of the SSL error tables */ | |
1438 extern SECStatus ssl_Init(void); | |
1439 extern SECStatus ssl_InitializePRErrorTable(void); | |
1440 | |
1441 /* Implementation of ops for default (non socks, non secure) case */ | |
1442 extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr); | |
1443 extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr); | |
1444 extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr); | |
1445 extern int ssl_DefListen(sslSocket *ss, int backlog); | |
1446 extern int ssl_DefShutdown(sslSocket *ss, int how); | |
1447 extern int ssl_DefClose(sslSocket *ss); | |
1448 extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags); | |
1449 extern int ssl_DefSend(sslSocket *ss, const unsigned char *buf, | |
1450 int len, int flags); | |
1451 extern int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len); | |
1452 extern int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len); | |
1453 extern int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name); | |
1454 extern int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name); | |
1455 extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname, | |
1456 void *optval, PRInt32 *optlen); | |
1457 extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname, | |
1458 const void *optval, PRInt32 optlen); | |
1459 | |
1460 /* Implementation of ops for socks only case */ | |
1461 extern int ssl_SocksConnect(sslSocket *ss, const PRNetAddr *addr); | |
1462 extern PRFileDesc *ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr); | |
1463 extern int ssl_SocksBind(sslSocket *ss, const PRNetAddr *addr); | |
1464 extern int ssl_SocksListen(sslSocket *ss, int backlog); | |
1465 extern int ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name); | |
1466 extern int ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags); | |
1467 extern int ssl_SocksSend(sslSocket *ss, const unsigned char *buf, | |
1468 int len, int flags); | |
1469 extern int ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len); | |
1470 extern int ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len); | |
1471 | |
1472 /* Implementation of ops for secure only case */ | |
1473 extern int ssl_SecureConnect(sslSocket *ss, const PRNetAddr *addr); | |
1474 extern PRFileDesc *ssl_SecureAccept(sslSocket *ss, PRNetAddr *addr); | |
1475 extern int ssl_SecureRecv(sslSocket *ss, unsigned char *buf, | |
1476 int len, int flags); | |
1477 extern int ssl_SecureSend(sslSocket *ss, const unsigned char *buf, | |
1478 int len, int flags); | |
1479 extern int ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len); | |
1480 extern int ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len); | |
1481 extern int ssl_SecureShutdown(sslSocket *ss, int how); | |
1482 extern int ssl_SecureClose(sslSocket *ss); | |
1483 | |
1484 /* Implementation of ops for secure socks case */ | |
1485 extern int ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *addr); | |
1486 extern PRFileDesc *ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr); | |
1487 extern PRFileDesc *ssl_FindTop(sslSocket *ss); | |
1488 | |
1489 /* Gather funcs. */ | |
1490 extern sslGather *ssl_NewGather(void); | |
1491 extern SECStatus ssl_InitGather(sslGather *gs); | |
1492 extern void ssl_DestroyGather(sslGather *gs); | |
1493 extern int ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags); | |
1494 extern int ssl2_GatherRecord(sslSocket *ss, int flags); | |
1495 extern SECStatus ssl_GatherRecord1stHandshake(sslSocket *ss); | |
1496 | |
1497 extern SECStatus ssl2_HandleClientHelloMessage(sslSocket *ss); | |
1498 extern SECStatus ssl2_HandleServerHelloMessage(sslSocket *ss); | |
1499 | |
1500 extern SECStatus ssl_CreateSecurityInfo(sslSocket *ss); | |
1501 extern SECStatus ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os); | |
1502 extern void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset); | |
1503 extern void ssl_DestroySecurityInfo(sslSecurityInfo *sec); | |
1504 | |
1505 extern void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len
); | |
1506 extern void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len); | |
1507 | |
1508 extern int ssl_SendSavedWriteData(sslSocket *ss); | |
1509 extern SECStatus ssl_SaveWriteData(sslSocket *ss, | |
1510 const void *p, unsigned int l); | |
1511 extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss); | |
1512 extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss); | |
1513 extern int ssl_Do1stHandshake(sslSocket *ss); | |
1514 | |
1515 extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen); | |
1516 extern SECStatus sslBuffer_Append(sslBuffer *b, const void *data, | |
1517 unsigned int len); | |
1518 | |
1519 extern void ssl2_UseClearSendFunc(sslSocket *ss); | |
1520 extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec); | |
1521 | |
1522 extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server); | |
1523 extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, | |
1524 const char *peerID, const char *urlSvrName); | |
1525 extern void ssl_FreeSID(sslSessionID *sid); | |
1526 | |
1527 extern int ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in, | |
1528 int len, int flags); | |
1529 | |
1530 extern PRBool ssl_FdIsBlocking(PRFileDesc *fd); | |
1531 | |
1532 extern PRBool ssl_SocketIsBlocking(sslSocket *ss); | |
1533 | |
1534 extern void ssl3_SetAlwaysBlock(sslSocket *ss); | |
1535 | |
1536 extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled); | |
1537 | |
1538 extern void ssl_FinishHandshake(sslSocket *ss); | |
1539 | |
1540 extern SECStatus ssl_CipherPolicySet(PRInt32 which, PRInt32 policy); | |
1541 | |
1542 extern SECStatus ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled); | |
1543 | |
1544 extern SECStatus ssl3_ConstrainRangeByPolicy(void); | |
1545 | |
1546 /* Returns PR_TRUE if we are still waiting for the server to complete its | |
1547 * response to our client second round. Once we've received the Finished from | |
1548 * the server then there is no need to check false start. | |
1549 */ | |
1550 extern PRBool ssl3_WaitingForServerSecondRound(sslSocket *ss); | |
1551 | |
1552 extern SECStatus | |
1553 ssl3_CompressMACEncryptRecord(ssl3CipherSpec *cwSpec, | |
1554 PRBool isServer, | |
1555 PRBool isDTLS, | |
1556 PRBool capRecordVersion, | |
1557 SSL3ContentType type, | |
1558 const SSL3Opaque *pIn, | |
1559 PRUint32 contentLen, | |
1560 sslBuffer *wrBuf); | |
1561 | |
1562 extern PRInt32 ssl3_SendRecord(sslSocket *ss, DTLSEpoch epoch, | |
1563 SSL3ContentType type, | |
1564 const SSL3Opaque *pIn, PRInt32 nIn, | |
1565 PRInt32 flags); | |
1566 | |
1567 #ifdef NSS_SSL_ENABLE_ZLIB | |
1568 /* | |
1569 * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a | |
1570 * maximum TLS record payload of 2**14 bytes, that's 29 bytes. | |
1571 */ | |
1572 #define SSL3_COMPRESSION_MAX_EXPANSION 29 | |
1573 #else /* !NSS_SSL_ENABLE_ZLIB */ | |
1574 #define SSL3_COMPRESSION_MAX_EXPANSION 0 | |
1575 #endif | |
1576 | |
1577 /* | |
1578 * make sure there is room in the write buffer for padding and | |
1579 * other compression and cryptographic expansions. | |
1580 */ | |
1581 #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION | |
1582 | |
1583 #define SSL_LOCK_READER(ss) \ | |
1584 if (ss->recvLock) \ | |
1585 PZ_Lock(ss->recvLock) | |
1586 #define SSL_UNLOCK_READER(ss) \ | |
1587 if (ss->recvLock) \ | |
1588 PZ_Unlock(ss->recvLock) | |
1589 #define SSL_LOCK_WRITER(ss) \ | |
1590 if (ss->sendLock) \ | |
1591 PZ_Lock(ss->sendLock) | |
1592 #define SSL_UNLOCK_WRITER(ss) \ | |
1593 if (ss->sendLock) \ | |
1594 PZ_Unlock(ss->sendLock) | |
1595 | |
1596 /* firstHandshakeLock -> recvBufLock */ | |
1597 #define ssl_Get1stHandshakeLock(ss) \ | |
1598 { \ | |
1599 if (!ss->opt.noLocks) { \ | |
1600 PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \ | |
1601 !ssl_HaveRecvBufLock(ss)); \ | |
1602 PZ_EnterMonitor((ss)->firstHandshakeLock); \ | |
1603 } \ | |
1604 } | |
1605 #define ssl_Release1stHandshakeLock(ss) \ | |
1606 { \ | |
1607 if (!ss->opt.noLocks) \ | |
1608 PZ_ExitMonitor((ss)->firstHandshakeLock); \ | |
1609 } | |
1610 #define ssl_Have1stHandshakeLock(ss) \ | |
1611 (PZ_InMonitor((ss)->firstHandshakeLock)) | |
1612 | |
1613 /* ssl3HandshakeLock -> xmitBufLock */ | |
1614 #define ssl_GetSSL3HandshakeLock(ss) \ | |
1615 { \ | |
1616 if (!ss->opt.noLocks) { \ | |
1617 PORT_Assert(!ssl_HaveXmitBufLock(ss)); \ | |
1618 PZ_EnterMonitor((ss)->ssl3HandshakeLock); \ | |
1619 } \ | |
1620 } | |
1621 #define ssl_ReleaseSSL3HandshakeLock(ss) \ | |
1622 { \ | |
1623 if (!ss->opt.noLocks) \ | |
1624 PZ_ExitMonitor((ss)->ssl3HandshakeLock); \ | |
1625 } | |
1626 #define ssl_HaveSSL3HandshakeLock(ss) \ | |
1627 (PZ_InMonitor((ss)->ssl3HandshakeLock)) | |
1628 | |
1629 #define ssl_GetSpecReadLock(ss) \ | |
1630 { \ | |
1631 if (!ss->opt.noLocks) \ | |
1632 NSSRWLock_LockRead((ss)->specLock); \ | |
1633 } | |
1634 #define ssl_ReleaseSpecReadLock(ss) \ | |
1635 { \ | |
1636 if (!ss->opt.noLocks) \ | |
1637 NSSRWLock_UnlockRead((ss)->specLock); \ | |
1638 } | |
1639 /* NSSRWLock_HaveReadLock is not exported so there's no | |
1640 * ssl_HaveSpecReadLock macro. */ | |
1641 | |
1642 #define ssl_GetSpecWriteLock(ss) \ | |
1643 { \ | |
1644 if (!ss->opt.noLocks) \ | |
1645 NSSRWLock_LockWrite((ss)->specLock); \ | |
1646 } | |
1647 #define ssl_ReleaseSpecWriteLock(ss) \ | |
1648 { \ | |
1649 if (!ss->opt.noLocks) \ | |
1650 NSSRWLock_UnlockWrite((ss)->specLock); \ | |
1651 } | |
1652 #define ssl_HaveSpecWriteLock(ss) \ | |
1653 (NSSRWLock_HaveWriteLock((ss)->specLock)) | |
1654 | |
1655 /* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */ | |
1656 #define ssl_GetRecvBufLock(ss) \ | |
1657 { \ | |
1658 if (!ss->opt.noLocks) { \ | |
1659 PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \ | |
1660 PORT_Assert(!ssl_HaveXmitBufLock(ss)); \ | |
1661 PZ_EnterMonitor((ss)->recvBufLock); \ | |
1662 } \ | |
1663 } | |
1664 #define ssl_ReleaseRecvBufLock(ss) \ | |
1665 { \ | |
1666 if (!ss->opt.noLocks) \ | |
1667 PZ_ExitMonitor((ss)->recvBufLock); \ | |
1668 } | |
1669 #define ssl_HaveRecvBufLock(ss) \ | |
1670 (PZ_InMonitor((ss)->recvBufLock)) | |
1671 | |
1672 /* xmitBufLock -> specLock */ | |
1673 #define ssl_GetXmitBufLock(ss) \ | |
1674 { \ | |
1675 if (!ss->opt.noLocks) \ | |
1676 PZ_EnterMonitor((ss)->xmitBufLock); \ | |
1677 } | |
1678 #define ssl_ReleaseXmitBufLock(ss) \ | |
1679 { \ | |
1680 if (!ss->opt.noLocks) \ | |
1681 PZ_ExitMonitor((ss)->xmitBufLock); \ | |
1682 } | |
1683 #define ssl_HaveXmitBufLock(ss) \ | |
1684 (PZ_InMonitor((ss)->xmitBufLock)) | |
1685 | |
1686 /* Placeholder value used in version ranges when SSL 3.0 and all | |
1687 * versions of TLS are disabled. | |
1688 */ | |
1689 #define SSL_LIBRARY_VERSION_NONE 0 | |
1690 | |
1691 /* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version | |
1692 * of libssl supports. Applications should use SSL_VersionRangeGetSupported at | |
1693 * runtime to determine which versions are supported by the version of libssl | |
1694 * in use. | |
1695 */ | |
1696 #ifdef NSS_ENABLE_TLS_1_3 | |
1697 #define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_3 | |
1698 #else | |
1699 #define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_2 | |
1700 #endif | |
1701 | |
1702 /* Rename this macro SSL_ALL_VERSIONS_DISABLED when SSL 2.0 is removed. */ | |
1703 #define SSL3_ALL_VERSIONS_DISABLED(vrange) \ | |
1704 ((vrange)->min == SSL_LIBRARY_VERSION_NONE) | |
1705 | |
1706 extern PRBool ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, | |
1707 SSL3ProtocolVersion version); | |
1708 | |
1709 extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec *pwSpec, | |
1710 const unsigned char *cr, const unsig
ned char *sr, | |
1711 PRBool isTLS, PRBool isExport); | |
1712 extern SECStatus ssl3_MasterSecretDeriveBypass(ssl3CipherSpec *pwSpec, | |
1713 const unsigned char *cr, const un
signed char *sr, | |
1714 const SECItem *pms, PRBool isTLS,
PRBool isRSA); | |
1715 | |
1716 /* These functions are called from secnav, even though they're "private". */ | |
1717 | |
1718 extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error); | |
1719 extern sslSocket *ssl_FindSocket(PRFileDesc *fd); | |
1720 extern void ssl_FreeSocket(struct sslSocketStr *ssl); | |
1721 extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, | |
1722 SSL3AlertDescription desc); | |
1723 extern SECStatus ssl3_DecodeError(sslSocket *ss); | |
1724 | |
1725 extern SECStatus ssl3_RestartHandshakeAfterCertReq(struct sslSocketStr *ss, | |
1726 CERTCertificate *cert, | |
1727 SECKEYPrivateKey *key, | |
1728 CERTCertificateList *certChai
n); | |
1729 | |
1730 extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq( | |
1731 sslSocket *ss, | |
1732 SECKEYPublicKey *channelIDPub, | |
1733 SECKEYPrivateKey *channelID); | |
1734 | |
1735 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error); | |
1736 | |
1737 /* | |
1738 * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos | |
1739 */ | |
1740 extern SECStatus ssl3_HandleV2ClientHello( | |
1741 sslSocket *ss, unsigned char *buffer, int length); | |
1742 extern SECStatus ssl3_StartHandshakeHash( | |
1743 sslSocket *ss, unsigned char *buf, int length); | |
1744 | |
1745 /* | |
1746 * SSL3 specific routines | |
1747 */ | |
1748 SECStatus ssl3_SendClientHello(sslSocket *ss, PRBool resending); | |
1749 | |
1750 /* | |
1751 * input into the SSL3 machinery from the actualy network reading code | |
1752 */ | |
1753 SECStatus ssl3_HandleRecord( | |
1754 sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out); | |
1755 | |
1756 int ssl3_GatherAppDataRecord(sslSocket *ss, int flags); | |
1757 int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags); | |
1758 /* | |
1759 * When talking to export clients or using export cipher suites, servers | |
1760 * with public RSA keys larger than 512 bits need to use a 512-bit public | |
1761 * key, signed by the larger key. The smaller key is a "step down" key. | |
1762 * Generate that key pair and keep it around. | |
1763 */ | |
1764 extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss); | |
1765 | |
1766 extern SECStatus ssl3_SelectDHParams(sslSocket *ss); | |
1767 | |
1768 #ifndef NSS_DISABLE_ECC | |
1769 extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss); | |
1770 extern PRBool ssl3_IsECCEnabled(sslSocket *ss); | |
1771 extern SECStatus ssl3_DisableECCSuites(sslSocket *ss, | |
1772 const ssl3CipherSuite *suite); | |
1773 extern PRUint32 ssl3_GetSupportedECCurveMask(sslSocket *ss); | |
1774 | |
1775 /* Macro for finding a curve equivalent in strength to RSA key's */ | |
1776 /* clang-format off */ | |
1777 #define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \ | |
1778 ((s <= 1024) ? 160 \ | |
1779 : ((s <= 2048) ? 224 \ | |
1780 : ((s <= 3072) ? 256 \ | |
1781 : ((s <= 7168) ? 384 \ | |
1782 : 521 ) ) ) ) | |
1783 /* clang-format on */ | |
1784 | |
1785 /* Types and names of elliptic curves used in TLS */ | |
1786 typedef enum { ec_type_explicitPrime = 1, | |
1787 ec_type_explicitChar2Curve = 2, | |
1788 ec_type_named | |
1789 } ECType; | |
1790 | |
1791 typedef enum { ec_noName = 0, | |
1792 ec_sect163k1 = 1, | |
1793 ec_sect163r1 = 2, | |
1794 ec_sect163r2 = 3, | |
1795 ec_sect193r1 = 4, | |
1796 ec_sect193r2 = 5, | |
1797 ec_sect233k1 = 6, | |
1798 ec_sect233r1 = 7, | |
1799 ec_sect239k1 = 8, | |
1800 ec_sect283k1 = 9, | |
1801 ec_sect283r1 = 10, | |
1802 ec_sect409k1 = 11, | |
1803 ec_sect409r1 = 12, | |
1804 ec_sect571k1 = 13, | |
1805 ec_sect571r1 = 14, | |
1806 ec_secp160k1 = 15, | |
1807 ec_secp160r1 = 16, | |
1808 ec_secp160r2 = 17, | |
1809 ec_secp192k1 = 18, | |
1810 ec_secp192r1 = 19, | |
1811 ec_secp224k1 = 20, | |
1812 ec_secp224r1 = 21, | |
1813 ec_secp256k1 = 22, | |
1814 ec_secp256r1 = 23, | |
1815 ec_secp384r1 = 24, | |
1816 ec_secp521r1 = 25, | |
1817 ec_pastLastName | |
1818 } ECName; | |
1819 | |
1820 extern SECStatus ssl3_ECName2Params(PLArenaPool *arena, ECName curve, | |
1821 SECKEYECParams *params); | |
1822 ECName ssl3_PubKey2ECName(SECKEYPublicKey *pubKey); | |
1823 | |
1824 ECName ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits); | |
1825 ECName ssl3_GetCurveNameForServerSocket(sslSocket *ss); | |
1826 | |
1827 #endif /* NSS_DISABLE_ECC */ | |
1828 | |
1829 extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on); | |
1830 extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on); | |
1831 extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled); | |
1832 extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled); | |
1833 | |
1834 extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool
on); | |
1835 extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool
*on); | |
1836 extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled
); | |
1837 extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enable
d); | |
1838 extern SECStatus ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphe
r, | |
1839 unsigned int len); | |
1840 | |
1841 extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy); | |
1842 extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy); | |
1843 extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy); | |
1844 extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy); | |
1845 | |
1846 extern void ssl2_InitSocketPolicy(sslSocket *ss); | |
1847 extern void ssl3_InitSocketPolicy(sslSocket *ss); | |
1848 | |
1849 extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, | |
1850 unsigned char *cs, int *size); | |
1851 | |
1852 extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache); | |
1853 extern SECStatus ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, | |
1854 PRUint32 length); | |
1855 | |
1856 extern void ssl3_DestroySSL3Info(sslSocket *ss); | |
1857 | |
1858 extern SECStatus ssl3_NegotiateVersion(sslSocket *ss, | |
1859 SSL3ProtocolVersion peerVersion, | |
1860 PRBool allowLargerPeerVersion); | |
1861 | |
1862 extern SECStatus ssl_GetPeerInfo(sslSocket *ss); | |
1863 | |
1864 #ifndef NSS_DISABLE_ECC | |
1865 /* ECDH functions */ | |
1866 extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket *ss, | |
1867 SECKEYPublicKey *svrPubKey); | |
1868 extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss, | |
1869 SSL3Opaque *b, PRUint32 length
); | |
1870 extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss, | |
1871 SSL3Opaque *b, PRUint32 length
, | |
1872 SECKEYPublicKey *srvrPubKey, | |
1873 SECKEYPrivateKey *srvrPrivKey)
; | |
1874 extern SECStatus ssl3_SendECDHServerKeyExchange( | |
1875 sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash); | |
1876 SECKEYPublicKey *tls13_ImportECDHKeyShare( | |
1877 sslSocket *ss, SSL3Opaque *b, PRUint32 length, ECName curve); | |
1878 ECName tls13_GroupForECDHEKeyShare(ssl3KeyPair *pair); | |
1879 unsigned int tls13_SizeOfECDHEKeyShareKEX(ssl3KeyPair *pair); | |
1880 SECStatus tls13_EncodeECDHEKeyShareKEX(sslSocket *ss, ssl3KeyPair *pair); | |
1881 #endif | |
1882 | |
1883 extern SECStatus ssl3_ComputeCommonKeyHash(SSLHashType hashAlg, | |
1884 PRUint8 *hashBuf, | |
1885 unsigned int bufLen, SSL3Hashes *hash
es, | |
1886 PRBool bypassPKCS11); | |
1887 extern void ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName); | |
1888 extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms); | |
1889 extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src, | |
1890 PRInt32 bytes); | |
1891 extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss, | |
1892 SSL3HandshakeType t, PRUint32 length
); | |
1893 extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, | |
1894 PRInt32 lenSize); | |
1895 extern SECStatus ssl3_AppendHandshakeVariable(sslSocket *ss, | |
1896 const SSL3Opaque *src, PRInt32 byt
es, PRInt32 lenSize); | |
1897 extern SECStatus ssl3_AppendSignatureAndHashAlgorithm( | |
1898 sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash); | |
1899 extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, | |
1900 SSL3Opaque **b, PRUint32 *length); | |
1901 extern PRInt32 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, | |
1902 SSL3Opaque **b, PRUint32 *length); | |
1903 extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, | |
1904 PRInt32 bytes, SSL3Opaque **b, PR
Uint32 *length); | |
1905 extern PRBool ssl3_IsSupportedSignatureAlgorithm( | |
1906 const SSLSignatureAndHashAlg *alg); | |
1907 extern SECStatus ssl3_CheckSignatureAndHashAlgorithmConsistency( | |
1908 sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash, | |
1909 CERTCertificate *cert); | |
1910 extern SECStatus ssl3_ConsumeSignatureAndHashAlgorithm( | |
1911 sslSocket *ss, SSL3Opaque **b, PRUint32 *length, | |
1912 SSLSignatureAndHashAlg *out); | |
1913 extern SECStatus ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, | |
1914 SECItem *buf, PRBool isTLS); | |
1915 extern SECStatus ssl3_VerifySignedHashes(SSL3Hashes *hash, | |
1916 CERTCertificate *cert, SECItem *buf, PR
Bool isTLS, | |
1917 void *pwArg); | |
1918 extern SECStatus ssl3_CacheWrappedMasterSecret(sslSocket *ss, | |
1919 sslSessionID *sid, ssl3CipherSpec
*spec, | |
1920 SSL3KEAType effectiveExchKeyType)
; | |
1921 | |
1922 /* Functions that handle ClientHello and ServerHello extensions. */ | |
1923 extern SECStatus ssl3_HandleServerNameXtn(sslSocket *ss, | |
1924 PRUint16 ex_type, SECItem *data); | |
1925 extern SECStatus ssl3_HandleSupportedCurvesXtn(sslSocket *ss, | |
1926 PRUint16 ex_type, SECItem *data); | |
1927 extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket *ss, | |
1928 PRUint16 ex_type, SECItem *
data); | |
1929 extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, | |
1930 PRUint16 ex_type, SECItem *da
ta); | |
1931 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, | |
1932 PRUint16 ex_type, SECItem *da
ta); | |
1933 | |
1934 /* ClientHello and ServerHello extension senders. | |
1935 * Note that not all extension senders are exposed here; only those that | |
1936 * that need exposure. | |
1937 */ | |
1938 extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append, | |
1939 PRUint32 maxBytes); | |
1940 | |
1941 /* ClientHello and ServerHello extension senders. | |
1942 * The code is in ssl3ext.c. | |
1943 */ | |
1944 extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append, | |
1945 PRUint32 maxBytes); | |
1946 | |
1947 /* Assigns new cert, cert chain and keys to ss->serverCerts | |
1948 * struct. If certChain is NULL, tries to find one. Aborts if | |
1949 * fails to do so. If cert and keyPair are NULL - unconfigures | |
1950 * sslSocket of kea type.*/ | |
1951 extern SECStatus ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert, | |
1952 const CERTCertificateList *certChain, | |
1953 ssl3KeyPair *keyPair, SSLKEAType kea); | |
1954 | |
1955 #ifndef NSS_DISABLE_ECC | |
1956 extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss, | |
1957 PRBool append, PRUint32 maxBytes); | |
1958 extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss, | |
1959 PRBool append, PRUint32 maxByte
s); | |
1960 #endif | |
1961 | |
1962 /* call the registered extension handlers. */ | |
1963 extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss, | |
1964 SSL3Opaque **b, PRUint32 *length, | |
1965 SSL3HandshakeType handshakeMessage); | |
1966 | |
1967 /* Hello Extension related routines. */ | |
1968 extern PRBool ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type); | |
1969 extern void ssl3_SetSIDSessionTicket(sslSessionID *sid, | |
1970 /*in/out*/ NewSessionTicket *session_ticket
); | |
1971 extern SECStatus ssl3_SendNewSessionTicket(sslSocket *ss); | |
1972 extern PRBool ssl_GetSessionTicketKeys(unsigned char *keyName, | |
1973 unsigned char *encKey, unsigned char *mac
Key); | |
1974 extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey, | |
1975 SECKEYPublicKey *svrPubKey, void *p
wArg, | |
1976 unsigned char *keyName, PK11SymKey
**aesKey, | |
1977 PK11SymKey **macKey); | |
1978 | |
1979 /* Tell clients to consider tickets valid for this long. */ | |
1980 #define TLS_EX_SESS_TICKET_LIFETIME_HINT (2 * 24 * 60 * 60) /* 2 days */ | |
1981 #define TLS_EX_SESS_TICKET_VERSION (0x0101) | |
1982 | |
1983 extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char *data, | |
1984 unsigned int length); | |
1985 | |
1986 extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, | |
1987 unsigned char *out, | |
1988 unsigned int *outLen, | |
1989 unsigned int outLenMax); | |
1990 | |
1991 /* Construct a new NSPR socket for the app to use */ | |
1992 extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd); | |
1993 extern void ssl_FreePRSocket(PRFileDesc *fd); | |
1994 | |
1995 /* Internal config function so SSL3 can initialize the present state of | |
1996 * various ciphers */ | |
1997 extern int ssl3_config_match_init(sslSocket *); | |
1998 | |
1999 /* Create a new ref counted key pair object from two keys. */ | |
2000 extern ssl3KeyPair *ssl3_NewKeyPair(SECKEYPrivateKey *privKey, | |
2001 SECKEYPublicKey *pubKey); | |
2002 | |
2003 /* get a new reference (bump ref count) to an ssl3KeyPair. */ | |
2004 extern ssl3KeyPair *ssl3_GetKeyPairRef(ssl3KeyPair *keyPair); | |
2005 | |
2006 /* Decrement keypair's ref count and free if zero. */ | |
2007 extern void ssl3_FreeKeyPair(ssl3KeyPair *keyPair); | |
2008 | |
2009 /* calls for accessing wrapping keys across processes. */ | |
2010 extern PRBool | |
2011 ssl_GetWrappingKey(PRInt32 symWrapMechIndex, | |
2012 SSL3KEAType exchKeyType, | |
2013 SSLWrappedSymWrappingKey *wswk); | |
2014 | |
2015 /* The caller passes in the new value it wants | |
2016 * to set. This code tests the wrapped sym key entry in the file on disk. | |
2017 * If it is uninitialized, this function writes the caller's value into | |
2018 * the disk entry, and returns false. | |
2019 * Otherwise, it overwrites the caller's wswk with the value obtained from | |
2020 * the disk, and returns PR_TRUE. | |
2021 * This is all done while holding the locks/semaphores necessary to make | |
2022 * the operation atomic. | |
2023 */ | |
2024 extern PRBool | |
2025 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk); | |
2026 | |
2027 /* get rid of the symmetric wrapping key references. */ | |
2028 extern SECStatus SSL3_ShutdownServerCache(void); | |
2029 | |
2030 extern SECStatus ssl_InitSymWrapKeysLock(void); | |
2031 | |
2032 extern SECStatus ssl_FreeSymWrapKeysLock(void); | |
2033 | |
2034 extern SECStatus ssl_InitSessionCacheLocks(void); | |
2035 | |
2036 /**************** DTLS-specific functions **************/ | |
2037 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); | |
2038 extern void dtls_FreeQueuedMessages(PRCList *lst); | |
2039 extern void dtls_FreeHandshakeMessages(PRCList *lst); | |
2040 | |
2041 extern SECStatus dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf); | |
2042 extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss, | |
2043 SSL3Opaque *b, PRUint32 length); | |
2044 extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss); | |
2045 extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type, | |
2046 const SSL3Opaque *pIn, PRInt32 nIn); | |
2047 extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); | |
2048 extern SECStatus dtls_CompressMACEncryptRecord(sslSocket *ss, | |
2049 DTLSEpoch epoch, | |
2050 PRBool use_epoch, | |
2051 SSL3ContentType type, | |
2052 const SSL3Opaque *pIn, | |
2053 PRUint32 contentLen, | |
2054 sslBuffer *wrBuf); | |
2055 SECStatus ssl3_DisableNonDTLSSuites(sslSocket *ss); | |
2056 extern SECStatus dtls_StartTimer(sslSocket *ss, DTLSTimerCb cb); | |
2057 extern SECStatus dtls_RestartTimer(sslSocket *ss, PRBool backoff, | |
2058 DTLSTimerCb cb); | |
2059 extern void dtls_CheckTimer(sslSocket *ss); | |
2060 extern void dtls_CancelTimer(sslSocket *ss); | |
2061 extern void dtls_FinishedTimerCb(sslSocket *ss); | |
2062 extern void dtls_SetMTU(sslSocket *ss, PRUint16 advertised); | |
2063 extern void dtls_InitRecvdRecords(DTLSRecvdRecords *records); | |
2064 extern int dtls_RecordGetRecvd(const DTLSRecvdRecords *records, PRUint64 seq); | |
2065 extern void dtls_RecordSetRecvd(DTLSRecvdRecords *records, PRUint64 seq); | |
2066 extern void dtls_RehandshakeCleanup(sslSocket *ss); | |
2067 extern SSL3ProtocolVersion | |
2068 dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv); | |
2069 extern SSL3ProtocolVersion | |
2070 dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv); | |
2071 extern PRBool dtls_IsRelevant(sslSocket *ss, const ssl3CipherSpec *crSpec, | |
2072 const SSL3Ciphertext *cText, PRUint64 *seqNum); | |
2073 | |
2074 CK_MECHANISM_TYPE ssl3_Alg2Mech(SSLCipherAlgorithm calg); | |
2075 SECStatus ssl3_SetupPendingCipherSpec(sslSocket *ss); | |
2076 SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags); | |
2077 SECStatus ssl3_SendCertificate(sslSocket *ss); | |
2078 SECStatus ssl3_CompleteHandleCertificate(sslSocket *ss, | |
2079 SSL3Opaque *b, PRUint32 length); | |
2080 SECStatus ssl3_SendEmptyCertificate(sslSocket *ss); | |
2081 SECStatus ssl3_SendCertificateStatus(sslSocket *ss); | |
2082 SECStatus ssl3_CompleteHandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, | |
2083 PRUint32 length); | |
2084 SECStatus ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf, | |
2085 unsigned maxLen, PRUint32 *len); | |
2086 void ssl3_GetCertificateRequestCAs(sslSocket *ss, int *calenp, SECItem **namesp, | |
2087 int *nnamesp); | |
2088 SECStatus ssl3_ParseCertificateRequestCAs(sslSocket *ss, SSL3Opaque **b, | |
2089 PRUint32 *length, PLArenaPool *arena, | |
2090 CERTDistNames *ca_list); | |
2091 SECStatus ssl3_CompleteHandleCertificateRequest(sslSocket *ss, | |
2092 SECItem *algorithms, | |
2093 CERTDistNames *ca_list); | |
2094 SECStatus ssl3_SendCertificateVerify(sslSocket *ss, | |
2095 SECKEYPrivateKey *privKey); | |
2096 SECStatus ssl3_SendServerHello(sslSocket *ss); | |
2097 SECOidTag ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc); | |
2098 SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss, | |
2099 ssl3CipherSpec *spec, | |
2100 SSL3Hashes *hashes, | |
2101 PRUint32 sender); | |
2102 void ssl3_BumpSequenceNumber(SSL3SequenceNumber *num); | |
2103 PRInt32 tls13_ServerSendKeyShareXtn(sslSocket *ss, PRBool append, | |
2104 PRUint32 maxBytes); | |
2105 #ifndef NSS_DISABLE_ECC | |
2106 SECStatus ssl3_CreateECDHEphemeralKeyPair(ECName ec_curve, | |
2107 ssl3KeyPair **keyPair); | |
2108 PK11SymKey *tls13_ComputeECDHSharedKey(sslSocket *ss, | |
2109 SECKEYPrivateKey *myPrivKey, | |
2110 SECKEYPublicKey *peerKey); | |
2111 #endif | |
2112 | |
2113 /* Pull in TLS 1.3 functions */ | |
2114 #include "tls13con.h" | |
2115 | |
2116 /********************** misc calls *********************/ | |
2117 | |
2118 #ifdef DEBUG | |
2119 extern void ssl3_CheckCipherSuiteOrderConsistency(); | |
2120 #endif | |
2121 | |
2122 extern int ssl_MapLowLevelError(int hiLevelError); | |
2123 | |
2124 extern PRUint32 ssl_Time(void); | |
2125 | |
2126 extern void SSL_AtomicIncrementLong(long *x); | |
2127 | |
2128 SECStatus SSL_DisableDefaultExportCipherSuites(void); | |
2129 SECStatus SSL_DisableExportCipherSuites(PRFileDesc *fd); | |
2130 PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite); | |
2131 | |
2132 SECStatus ssl3_ApplyNSSPolicy(void); | |
2133 | |
2134 extern SECStatus | |
2135 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, | |
2136 const char *label, unsigned int labelLen, | |
2137 const unsigned char *val, unsigned int valLen, | |
2138 unsigned char *out, unsigned int outLen); | |
2139 extern SECOidTag | |
2140 ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc); | |
2141 | |
2142 #ifdef TRACE | |
2143 #define SSL_TRACE(msg) ssl_Trace msg | |
2144 #else | |
2145 #define SSL_TRACE(msg) | |
2146 #endif | |
2147 | |
2148 void ssl_Trace(const char *format, ...); | |
2149 | |
2150 SEC_END_PROTOS | |
2151 | |
2152 #if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS) | |
2153 #define SSL_GETPID getpid | |
2154 #elif defined(WIN32) | |
2155 extern int __cdecl _getpid(void); | |
2156 #define SSL_GETPID _getpid | |
2157 #else | |
2158 #define SSL_GETPID() 0 | |
2159 #endif | |
2160 | |
2161 #endif /* __sslimpl_h_ */ | |
OLD | NEW |