| blob | fb2e9f9a3463f4eafeb79875bb94bf7db559339e |
1 /*
2 * This file is PRIVATE to SSL and should be the first thing included by
3 * any SSL implementation file.
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 /* $Id: sslimpl.h,v 1.108 2012/09/28 01:46:45 wtc%google.com Exp $ */
10 #ifndef __sslimpl_h_
11 #define __sslimpl_h_
13 #ifdef DEBUG
14 #undef NDEBUG
15 #else
16 #undef NDEBUG
17 #define NDEBUG
18 #endif
26 #if defined(XP_UNIX) || defined(XP_BEOS)
28 #endif
35 #ifdef NSS_PLATFORM_CLIENT_AUTH
36 #if defined(XP_WIN32)
37 #include <windows.h>
38 #include <wincrypt.h>
39 #elif defined(XP_MACOSX)
40 #include <Security/Security.h>
41 #endif
42 #endif
44 /* to make some of these old enums public without namespace pollution,
45 ** it was necessary to prepend ssl_ to the names.
46 ** These #defines preserve compatibility with the old code here in libssl.
47 */
52 #define sign_null ssl_sign_null
53 #define sign_rsa ssl_sign_rsa
54 #define sign_dsa ssl_sign_dsa
55 #define sign_ecdsa ssl_sign_ecdsa
57 #define calg_null ssl_calg_null
58 #define calg_rc4 ssl_calg_rc4
59 #define calg_rc2 ssl_calg_rc2
60 #define calg_des ssl_calg_des
61 #define calg_3des ssl_calg_3des
62 #define calg_idea ssl_calg_idea
64 #define calg_aes ssl_calg_aes
65 #define calg_camellia ssl_calg_camellia
66 #define calg_seed ssl_calg_seed
68 #define mac_null ssl_mac_null
69 #define mac_md5 ssl_mac_md5
70 #define mac_sha ssl_mac_sha
71 #define hmac_md5 ssl_hmac_md5
72 #define hmac_sha ssl_hmac_sha
79 #if defined(DEBUG) || defined(TRACE)
80 #ifdef __cplusplus
81 #define Debug 1
82 #else
84 #endif
85 #else
86 #undef Debug
87 #endif
89 #if defined(DEBUG) && !defined(TRACE) && !defined(NISCC_TEST)
90 #define TRACE
91 #endif
93 #ifdef TRACE
94 #define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b
95 #define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b
96 #define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b
97 #else
98 #define SSL_TRC(a,b)
99 #define PRINT_BUF(a,b)
100 #define DUMP_MSG(a,b)
101 #endif
103 #ifdef DEBUG
104 #define SSL_DBG(b) if (ssl_debug) ssl_Trace b
105 #else
106 #define SSL_DBG(b)
107 #endif
110 #define ssl_InMonitor(m) PZ_InMonitor(m)
112 #define LSB(x) ((unsigned char) ((x) & 0xff))
113 #define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8))
115 /************************************************************************/
118 SSLAppOpWrite,
119 SSLAppOpRDWR,
120 SSLAppOpPost,
121 SSLAppOpHeader
124 #define SSL_MIN_MASTER_KEY_BYTES 5
125 #define SSL_MAX_MASTER_KEY_BYTES 64
127 #define SSL2_SESSIONID_BYTES 16
128 #define SSL3_SESSIONID_BYTES 32
130 #define SSL_MIN_CHALLENGE_BYTES 16
131 #define SSL_MAX_CHALLENGE_BYTES 32
132 #define SSL_CHALLENGE_BYTES 16
134 #define SSL_CONNECTIONID_BYTES 16
136 #define SSL_MIN_CYPHER_ARG_BYTES 0
137 #define SSL_MAX_CYPHER_ARG_BYTES 32
139 #define SSL_MAX_MAC_BYTES 16
141 #define SSL3_RSA_PMS_LENGTH 48
142 #define SSL3_MASTER_SECRET_LENGTH 48
144 /* number of wrap mechanisms potentially used to wrap master secrets. */
145 #define SSL_NUM_WRAP_MECHS 16
147 /* This makes the cert cache entry exactly 4k. */
148 #define SSL_MAX_CACHED_CERT_LEN 4060
150 #define NUM_MIXERS 9
152 /* Mask of the 25 named curves we support. */
153 #ifndef NSS_ECC_MORE_THAN_SUITE_B
155 #else
156 #define SSL3_SUPPORTED_CURVES_MASK 0x3fffffe
157 #endif
159 #ifndef BPB
161 #endif
186 };
190 /* This type points to the low layer send func,
191 ** e.g. ssl2_SendStream or ssl3_SendPlainText.
192 ** These functions return the same values as PR_Send,
193 ** i.e. >= 0 means number of bytes sent, < 0 means error.
194 */
205 /* registerable callback function that either appends extension to buffer
206 * or returns length of data that it would have appended.
207 */
209 PRUint32 maxBytes);
211 /* registerable callback function that handles a received extension,
212 * of the given type.
213 */
215 PRUint16 ex_type,
218 /* row in a table of hello extension senders */
220 PRInt32 ex_type;
221 ssl3HelloExtensionSenderFunc ex_sender;
224 /* row in a table of hello extension handlers */
226 PRInt32 ex_type;
227 ssl3HelloExtensionHandlerFunc ex_handler;
230 extern SECStatus
232 ssl3HelloExtensionSenderFunc cb);
234 extern PRInt32
238 /* Socket ops */
249 /* points to the higher-layer send func, e.g. ssl_SecureSend. */
256 };
258 /* Flags interpreted by ssl send functions. */
259 #define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000
260 #define ssl_SEND_FLAG_NO_BUFFER 0x20000000
263 #define ssl_SEND_FLAG_CAP_RECORD_VERSION \
265 #define ssl_SEND_FLAG_MASK 0x7f000000
267 /*
268 ** A buffer object.
269 */
274 };
276 /*
277 ** SSL3 cipher suite policy and preference struct.
278 */
280 #if !defined(_WIN32)
285 #else
286 ssl3CipherSuite cipher_suite;
287 PRUint8 policy;
290 #endif
293 #ifdef NSS_ENABLE_ECC
294 #define ssl_V3_SUITES_IMPLEMENTED 50
295 #else
296 #define ssl_V3_SUITES_IMPLEMENTED 30
299 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
302 /* If SSL_SetNextProtoNego has been called, then this contains the
303 * list of supported protocols. */
304 SECItem nextProtoNego;
332 sslHandshakingAsClient,
333 sslHandshakingAsServer
337 /* Configuration state for server sockets */
344 #define SERVERKEY serverKeyPair->privKey
346 #define SSL_LOCK_RANK_SPEC 255
347 #define SSL_LOCK_RANK_GLOBAL NSS_RWLOCK_RANK_NONE
349 /* These are the valid values for shutdownHow.
350 ** These values are each 1 greater than the NSPR values, and the code
351 ** depends on that relation to efficiently convert PR_SHUTDOWN values
352 ** into ssl_SHUTDOWN values. These values use one bit for read, and
353 ** another bit for write, and can be used as bitmasks.
354 */
360 /*
361 ** A gather object. Used to read some data until a count has been
362 ** satisfied. Primarily for support of async sockets.
363 ** Everything in here is protected by the recvBufLock.
364 */
368 /* "buf" holds received plaintext SSL records, after decrypt and MAC check.
369 * SSL2: recv'd ciphertext records are put here, then decrypted in place.
370 * SSL3: recv'd ciphertext records are put in inbuf (see below), then
371 * decrypted into buf.
372 */
375 /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3).
376 ** (offset - writeOffset) is the number of ciphertext bytes read in but
377 ** not yet deciphered.
378 */
381 /* number of bytes to read in next call to ssl_DefRecv (recv) */
384 /* Number of ciphertext bytes to read in after 2-byte SSL record header. */
387 /* size of the final plaintext record.
388 ** == count - (recordPadding + MAC size)
389 */
392 /* number of bytes of padding to be removed after decrypting. */
393 /* This value is taken from the record's hdr[2], which means a too large
394 * value could crash us.
395 */
398 /* plaintext DATA begins this many bytes into "buf". */
403 /* These next two values are used by SSL2 and SSL3.
404 ** DoRecv uses them to extract application data.
405 ** The difference between writeOffset and readOffset is the amount of
406 ** data available to the application. Note that the actual offset of
407 ** the data in "buf" is recordOffset (above), not readOffset.
408 ** In the current implementation, this is made available before the
409 ** MAC is checked!!
410 */
412 ** or handshake code) will read next.
413 ** Always zero for SSl3 application data.
414 */
415 /* offset in buf/inbuf/hdr into which new data will be read from socket. */
418 /* Buffer for ssl3 to read (encrypted) data from the socket */
421 /* The ssl[23]_GatherData functions read data into this buffer, rather
422 ** than into buf or inbuf, while in the GS_HEADER state.
423 ** The portion of the SSL record header put here always comes off the wire
424 ** as plaintext, never ciphertext.
425 ** For SSL2, the plaintext portion is two bytes long. For SSl3 it is 5.
426 ** For DTLS it is 13.
427 */
430 /* Buffer for DTLS data read off the wire as a single datagram */
431 sslBuffer dtlsPacket;
433 /* the start of the buffered DTLS record in dtlsPacket */
435 };
437 /* sslGather.state */
438 #define GS_INIT 0
439 #define GS_HEADER 1
440 #define GS_MAC 2
441 #define GS_DATA 3
442 #define GS_PAD 4
458 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32)
460 #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX)
462 #else
464 #endif
468 /*
469 ** ssl3State and CipherSpec structs
470 */
472 /* The SSL bulk cipher definition */
474 cipher_null,
475 cipher_rc4,
476 cipher_rc4_40,
477 cipher_rc4_56,
478 cipher_rc2,
479 cipher_rc2_40,
480 cipher_des,
481 cipher_3des,
482 cipher_des40,
483 cipher_idea,
484 cipher_aes_128,
485 cipher_aes_256,
486 cipher_camellia_128,
487 cipher_camellia_256,
488 cipher_seed,
489 cipher_missing /* reserved for no such supported cipher */
490 /* This enum must match ssl3_cipherName[] in ssl3con.c. */
495 #define MAX_IV_LENGTH 24
497 /*
498 * Do not depend upon 64 bit arithmetic in the underlying machine.
499 */
501 PRUint32 high;
502 PRUint32 low;
509 #define MAX_MAC_CONTEXT_BYTES 400
510 #define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8)
512 #define MAX_CIPHER_CONTEXT_BYTES 2080
513 #define MAX_CIPHER_CONTEXT_LLONGS (MAX_CIPHER_CONTEXT_BYTES / 8)
517 PRUint16 wrapped_master_secret_len;
518 PRUint8 msIsWrapped;
519 PRUint8 resumable;
526 SECItem write_key_item;
527 SECItem write_iv_item;
528 SECItem write_mac_key_item;
533 /* The DTLS anti-replay window. Defined here because we need it in
534 * the cipher spec. Note that this is a ring buffer but left and
535 * right represent the true window, with modular arithmetic used to
536 * map them onto the buffer.
537 */
539 * Must be divisible by 8
540 */
543 PRUint64 left;
544 PRUint64 right;
547 /*
548 ** These are the "specs" in the "ssl3" struct.
549 ** Access to the pointers to these specs, and all the specs' contents
550 ** (direct and indirect) is protected by the reader/writer lock ss->specLock.
551 */
555 SSLCompressionMethod compression_method;
557 SSLCipher encode;
558 SSLCipher decode;
559 SSLDestroy destroy;
564 /* may define them as macros. */
565 SSLDestroy destroyCompressContext;
567 SSLDestroy destroyDecompressContext;
571 SSL3SequenceNumber write_seq_num;
572 SSL3SequenceNumber read_seq_num;
573 SSL3ProtocolVersion version;
574 ssl3KeyMaterial client;
575 ssl3KeyMaterial server;
576 SECItem msItem;
580 * with a client. For client - is
581 * always set to NULL.*/
582 DTLSEpoch epoch;
583 DTLSRecvdRecords recvdRecords;
587 in_client_cache,
588 in_server_cache,
589 invalid_cache /* no longer in any cache. */
592 #define MAX_PEER_CERT_CHAIN_SIZE 8
603 PRIPv6Addr addr;
604 PRUint16 port;
606 SSL3ProtocolVersion version;
611 Cached cached;
614 SSLSignType authAlgorithm;
615 PRUint32 authKeyBits;
616 SSLKEAType keaType;
617 PRUint32 keaKeyBits;
621 /* the V2 code depends upon the size of sessionID. */
624 /* Stuff used to recreate key and read/write cipher objects */
627 SECItem cipherArg;
632 /* values that are copied into the server's on-disk SID cache. */
633 uint8 sessionIDLength;
636 ssl3CipherSuite cipherSuite;
637 SSLCompressionMethod compression;
639 ssl3SidKeys keys;
640 CK_MECHANISM_TYPE masterWrapMech;
641 /* mechanism used to wrap master secret */
642 SSL3KEAType exchKeyType;
643 /* key type used in exchange algorithm,
644 * and to wrap the sym wrapping key. */
645 #ifdef NSS_ENABLE_ECC
646 PRUint32 negotiatedECCurves;
649 /* The following values are NOT restored from the server's on-disk
650 * session cache, but are restored from the client's cache.
651 */
655 /* The following values pertain to the slot that wrapped the
656 ** master secret. (used only in client)
657 */
658 SECMODModuleID masterModuleID;
659 /* what module wrapped the master secret */
660 CK_SLOT_ID masterSlotID;
661 PRUint16 masterWrapIndex;
662 /* what's the key index for the wrapping key */
663 PRUint16 masterWrapSeries;
664 /* keep track of the slot series, so we don't
665 * accidently try to use new keys after the
666 * card gets removed and replaced.*/
668 /* The following values pertain to the slot that did the signature
669 ** for client auth. (used only in client)
670 */
671 SECMODModuleID clAuthModuleID;
672 CK_SLOT_ID clAuthSlotID;
673 PRUint16 clAuthSeries;
678 /* Session ticket if we have one, is sent as an extension in the
679 * ClientHello message. This field is used by clients.
680 */
681 NewSessionTicket sessionTicket;
682 SECItem srvName;
685 };
689 ssl3CipherSuite cipher_suite;
690 SSL3BulkCipher bulk_cipher_alg;
691 SSL3MACAlgorithm mac_alg;
692 SSL3KeyExchangeAlgorithm key_exchange_alg;
695 /*
696 ** There are tables of these, all const.
697 */
699 SSL3KeyExchangeAlgorithm kea;
700 SSL3KEAType exchKeyType;
701 SSL3SignType signKeyType;
702 PRBool is_limited;
704 PRBool tls_keygen;
709 /*
710 ** There are tables of these, all const.
711 */
713 SSL3BulkCipher cipher;
714 SSLCipherAlgorithm calg;
717 CipherType type;
720 SSL3KeyGenMode keygen_mode;
721 };
723 /*
724 ** There are tables of these, all const.
725 */
727 SSL3MACAlgorithm mac;
728 CK_MECHANISM_TYPE mmech;
731 };
734 wait_client_hello,
735 wait_client_cert,
736 wait_client_key,
737 wait_cert_verify,
738 wait_change_cipher,
739 wait_finished,
740 wait_server_hello,
741 wait_server_cert,
742 wait_server_key,
743 wait_cert_request,
744 wait_hello_done,
745 wait_new_session_ticket,
746 idle_handshake
749 /*
750 * TLS extension related constants and data structures.
751 */
756 /* registered callbacks that send server hello extensions */
758 /* Keep track of the extensions that are negotiated. */
759 PRUint16 numAdvertised;
760 PRUint16 numNegotiated;
764 /* SessionTicket Extension related data. */
765 PRBool ticketTimestampVerified;
766 PRBool emptySessionTicket;
768 /* SNI Extension related data
769 * Names data is not coppied from the input buffer. It can not be
770 * used outside the scope where input buffer is defined and that
771 * is beyond ssl3_HandleClientHello function. */
773 PRUint32 sniNameArrSize;
774 };
778 /*
779 ** A DTLS queued message (potentially to be retransmitted)
780 */
789 /*
790 ** This is the "hs" member of the "ssl3" struct.
791 ** This entire struct is protected by ssl3HandshakeLock
792 */
794 SSL3Random server_random;
795 SSL3Random client_random;
796 SSL3WaitState ws;
802 ssl3CipherSuite cipher_suite;
804 SSLCompressionMethod compression;
806 /* partial handshake message from record layer */
808 /* number of bytes consumed from handshake */
809 /* message for message type and header length */
810 SSL3HandshakeType msg_type;
817 * status_request extension so
818 * may send a CertificateStatus
819 * handshake message. */
821 * save temporarily if we may get
822 * a CertificateStatus message */
825 /* protected by recvBufLock */
833 #ifdef NSS_ENABLE_ECC
837 PRBool authCertificatePending;
838 /* Which function should SSL_RestartHandshake* call if we're blocked?
839 * One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake,
840 * or ssl3_AlwaysFail */
841 sslRestartTarget restartTarget;
842 /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
843 PRBool cacheSID;
845 /* This group of values is used for DTLS */
847 * number */
849 * sent */
852 * number */
854 * a bitmask */
856 * received. -1 means no reassembly
857 * in progress. */
863 * used for backoff (in ms) */
869 /*
870 ** This is the "ssl3" struct, as in "ss->ssl3".
871 ** note:
872 ** usually, crSpec == cwSpec and prSpec == pwSpec.
873 ** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
874 ** But there are never more than 2 actual specs.
875 ** No spec must ever be modified if either "current" pointer points to it.
876 */
879 /*
880 ** The following Specs and Spec pointers must be protected using the
881 ** Spec Lock.
882 */
890 /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not
891 * defined in order to allow cleaner conditional code.
892 * At most one of clientPrivateKey and platformClientKey may be set. */
901 /* This says what cipher suites we can do, and should
902 * be either SSL_ALLOWED or SSL_RESTRICTED
903 */
905 /* These are used to keep track of the peer CA */
907 /* chain while we are trying to validate it. */
909 /* used by server. trusted CAs for this socket. */
910 PRBool initialized;
911 SSL3HandshakeState hs;
914 /* In a client: if the server supports Next Protocol Negotiation, then
915 * this is the protocol that was negotiated.
916 */
917 SECItem nextProto;
918 SSLNextProtoState nextProtoState;
922 /* DTLS-SRTP cipher suite preferences (if any) */
924 PRUint16 dtlsSRTPCipherCount;
926 };
929 * headers, so slightly larger than expected */
930 #define IS_DTLS(ss) (ss->protocolVariant == ssl_variant_datagram)
933 SSL3ContentType type;
934 SSL3ProtocolVersion version;
943 };
947 CK_MECHANISM_TYPE symWrapMechanism;
948 /* unwrapped symmetric wrapping key uses this mechanism */
949 CK_MECHANISM_TYPE asymWrapMechanism;
950 /* mechanism used to wrap the SymmetricWrappingKey using
951 * server's public and/or private keys. */
953 PRInt32 symWrapMechIndex;
954 PRUint16 wrappedSymKeyLen;
958 uint16 ticket_version;
959 SSL3ProtocolVersion ssl_version;
960 ssl3CipherSuite cipher_suite;
961 SSLCompressionMethod compression_method;
962 SSLSignType authAlgorithm;
963 uint32 authKeyBits;
964 SSLKEAType keaType;
965 uint32 keaKeyBits;
966 /*
967 * exchKeyType and msWrapMech contain meaningful values only if
968 * ms_is_wrapped is true.
969 */
970 uint8 ms_is_wrapped;
972 CK_MECHANISM_TYPE msWrapMech;
973 uint16 ms_length;
975 ClientIdentity client_identity;
976 SECItem peer_cert;
977 uint32 timestamp;
981 /*
982 * SSL2 buffers used in SSL3.
983 * writeBuf in the SecurityInfo maintained by sslsecur.c is used
984 * to hold the data just about to be passed to the kernel
985 * sendBuf in the ConnectInfo maintained by sslcon.c is used
986 * to hold handshake messages as they are accumulated
987 */
989 /*
990 ** This is "ci", as in "ss->sec.ci".
991 **
992 ** Protection: All the variables in here are protected by
993 ** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock
994 */
996 /* outgoing handshakes appended to this. */
1004 /* see CIS_HAVE defines below for the bit values in *elements. */
1011 /* Length of server challenge. Used by client when saving challenge */
1013 /* type of authentication requested by server */
1016 /* Challenge sent by client to server in client-hello message */
1017 /* SSL3 gets a copy of this. See ssl3_StartHandshakeHash(). */
1020 /* Connection-id sent by server to client in server-hello message */
1023 /* Challenge sent by server to client in request-certificate message */
1026 /* Information kept to handle a request-certificate message */
1030 };
1032 /* bit values for ci->elements, ci->requiredElements, sentElements. */
1033 #define CIS_HAVE_MASTER_KEY 0x01
1034 #define CIS_HAVE_CERTIFICATE 0x02
1035 #define CIS_HAVE_FINISHED 0x04
1036 #define CIS_HAVE_VERIFY 0x08
1038 /* Note: The entire content of this struct and whatever it points to gets
1039 * blown away by SSL_ResetHandshake(). This is "sec" as in "ss->sec".
1040 *
1041 * Unless otherwise specified below, the contents of this struct are
1042 * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock.
1043 */
1056 SSLSignType authAlgorithm;
1057 PRUint32 authKeyBits;
1058 SSLKEAType keaType;
1059 PRUint32 keaKeyBits;
1061 /*
1062 ** Procs used for SID cache (nonce) management.
1063 ** Different implementations exist for clients/servers
1064 ** The lookup proc is only used for servers. Baloney!
1065 */
1069 /*
1070 ** everything below here is for ssl2 only.
1071 ** This stuff is equivalent to SSL3's "spec", and is protected by the
1072 ** same "Spec Lock" as used for SSL3's specs.
1073 */
1077 /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */
1084 /* Session cypher contexts; one for each direction */
1091 /* Blocking information for the session cypher */
1095 /* These are used during a connection handshake */
1098 };
1100 /*
1101 ** SSL Socket struct
1102 **
1103 ** Protection: XXX
1104 */
1108 /* Pointer to operations vector for this socket */
1111 /* SSL socket options */
1112 sslOptions opt;
1113 /* Enabled version range */
1114 SSLVersionRange vrange;
1116 /* State flags */
1127 /* version of the protocol to use */
1128 SSL3ProtocolVersion version;
1133 /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */
1140 /* the following variable is only used with socks or other proxies. */
1147 /* TLS ClientCertificateTypes requested during HandleCertificateRequest. */
1148 /* Will be NULL at all other times. */
1153 /* Callbacks */
1154 SSLAuthCertificate authCertificate;
1156 SSLGetClientAuthData getClientAuthData;
1158 #ifdef NSS_PLATFORM_CLIENT_AUTH
1159 SSLGetPlatformClientAuthData getPlatformClientAuthData;
1162 SSLSNISocketConfig sniSocketConfig;
1164 SSLBadCertHandler handleBadCert;
1166 SSLHandshakeCallback handshakeCallback;
1169 SSLNextProtoCallback nextProtoCallback;
1171 SSLClientChannelIDCallback getChannelID;
1184 /* Only one thread may operate on the socket until the initial handshake
1185 ** is complete. This Monitor ensures that. Since SSL2 handshake is
1186 ** only done once, this is also effectively the SSL2 handshake lock.
1187 */
1190 /* This monitor protects the ssl3 handshake state machine data.
1191 ** Only one thread (reader or writer) may be in the ssl3 handshake state
1192 ** machine at any time. */
1195 /* reader/writer lock, protects the secret data needed to encrypt and MAC
1196 ** outgoing records, and to decrypt and MAC check incoming ciphertext
1197 ** records. */
1200 /* handle to perm cert db (and implicitly to the temp cert db) used
1201 ** with this socket.
1202 */
1213 sslHandshakingType handshaking;
1215 /* Gather object used for gathering data */
1221 /* Configuration state for server sockets */
1222 /* server cert and key for each KEA type */
1228 /* SSL3 state info. Formerly was a pointer */
1229 ssl3State ssl3;
1231 /*
1232 * TLS extension related data.
1233 */
1234 /* True when the current session is a stateless resume. */
1235 PRBool statelessResume;
1236 TLSExtensionData xtnData;
1238 /* Whether we are doing stream or datagram mode */
1239 SSLProtocolVariant protocolVariant;
1240 };
1244 /* All the global data items declared here should be protected using the
1245 ** ssl_global_data_lock, which is a reader/writer lock.
1246 */
1263 /************************************************************************/
1265 SEC_BEGIN_PROTOS
1267 /* Internal initialization and installation of the SSL error tables */
1271 /* Implementation of ops for default (non socks, non secure) case */
1290 /* Implementation of ops for socks only case */
1302 /* Implementation of ops for secure only case */
1314 /* Implementation of ops for secure socks case */
1319 /* Gather funcs. */
1371 extern SECStatus
1373 PRBool isServer,
1374 PRBool isDTLS,
1375 PRBool capRecordVersion,
1376 SSL3ContentType type,
1378 PRUint32 contentLen,
1381 SSL3ContentType type,
1383 PRInt32 flags);
1385 #ifdef NSS_ENABLE_ZLIB
1386 /*
1387 * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a
1388 * maximum TLS record payload of 2**14 bytes, that's 29 bytes.
1389 */
1390 #define SSL3_COMPRESSION_MAX_EXPANSION 29
1392 #define SSL3_COMPRESSION_MAX_EXPANSION 0
1393 #endif
1395 /*
1396 * make sure there is room in the write buffer for padding and
1397 * other compression and cryptographic expansions.
1398 */
1399 #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION
1401 #define SSL_LOCK_READER(ss) if (ss->recvLock) PZ_Lock(ss->recvLock)
1402 #define SSL_UNLOCK_READER(ss) if (ss->recvLock) PZ_Unlock(ss->recvLock)
1403 #define SSL_LOCK_WRITER(ss) if (ss->sendLock) PZ_Lock(ss->sendLock)
1404 #define SSL_UNLOCK_WRITER(ss) if (ss->sendLock) PZ_Unlock(ss->sendLock)
1406 /* firstHandshakeLock -> recvBufLock */
1407 #define ssl_Get1stHandshakeLock(ss) \
1408 { if (!ss->opt.noLocks) { \
1409 PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \
1410 !ssl_HaveRecvBufLock(ss)); \
1411 PZ_EnterMonitor((ss)->firstHandshakeLock); \
1412 } }
1413 #define ssl_Release1stHandshakeLock(ss) \
1414 { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
1415 #define ssl_Have1stHandshakeLock(ss) \
1416 (PZ_InMonitor((ss)->firstHandshakeLock))
1418 /* ssl3HandshakeLock -> xmitBufLock */
1419 #define ssl_GetSSL3HandshakeLock(ss) \
1420 { if (!ss->opt.noLocks) { \
1421 PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
1422 PZ_EnterMonitor((ss)->ssl3HandshakeLock); \
1423 } }
1424 #define ssl_ReleaseSSL3HandshakeLock(ss) \
1425 { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
1426 #define ssl_HaveSSL3HandshakeLock(ss) \
1427 (PZ_InMonitor((ss)->ssl3HandshakeLock))
1429 #define ssl_GetSpecReadLock(ss) \
1430 { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); }
1431 #define ssl_ReleaseSpecReadLock(ss) \
1432 { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
1433 /* NSSRWLock_HaveReadLock is not exported so there's no
1434 * ssl_HaveSpecReadLock macro. */
1436 #define ssl_GetSpecWriteLock(ss) \
1437 { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); }
1438 #define ssl_ReleaseSpecWriteLock(ss) \
1439 { if (!ss->opt.noLocks) NSSRWLock_UnlockWrite((ss)->specLock); }
1440 #define ssl_HaveSpecWriteLock(ss) \
1441 (NSSRWLock_HaveWriteLock((ss)->specLock))
1443 /* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */
1444 #define ssl_GetRecvBufLock(ss) \
1445 { if (!ss->opt.noLocks) { \
1446 PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \
1447 PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
1448 PZ_EnterMonitor((ss)->recvBufLock); \
1449 } }
1450 #define ssl_ReleaseRecvBufLock(ss) \
1451 { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
1452 #define ssl_HaveRecvBufLock(ss) \
1453 (PZ_InMonitor((ss)->recvBufLock))
1455 /* xmitBufLock -> specLock */
1456 #define ssl_GetXmitBufLock(ss) \
1457 { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
1458 #define ssl_ReleaseXmitBufLock(ss) \
1459 { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); }
1460 #define ssl_HaveXmitBufLock(ss) \
1461 (PZ_InMonitor((ss)->xmitBufLock))
1463 /* Placeholder value used in version ranges when SSL 3.0 and all
1464 * versions of TLS are disabled.
1465 */
1466 #define SSL_LIBRARY_VERSION_NONE 0
1468 /* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version
1469 * of libssl supports. Applications should use SSL_VersionRangeGetSupported at
1470 * runtime to determine which versions are supported by the version of libssl
1471 * in use.
1472 */
1473 #define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_1
1475 /* Rename this macro SSL_ALL_VERSIONS_DISABLED when SSL 2.0 is removed. */
1476 #define SSL3_ALL_VERSIONS_DISABLED(vrange) \
1477 ((vrange)->min == SSL_LIBRARY_VERSION_NONE)
1480 SSL3ProtocolVersion version);
1489 /* These functions are called from secnav, even though they're "private". */
1495 SSL3AlertDescription desc);
1510 /*
1511 * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
1512 */
1518 /*
1519 * SSL3 specific routines
1520 */
1523 /*
1524 * input into the SSL3 machinery from the actualy network reading code
1525 */
1531 /*
1532 * When talking to export clients or using export cipher suites, servers
1533 * with public RSA keys larger than 512 bits need to use a 512-bit public
1534 * key, signed by the larger key. The smaller key is a "step down" key.
1535 * Generate that key pair and keep it around.
1536 */
1539 #ifdef NSS_ENABLE_ECC
1545 /* Macro for finding a curve equivalent in strength to RSA key's */
1546 #define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \
1547 ((s <= 1024) ? 160 \
1548 : ((s <= 2048) ? 224 \
1549 : ((s <= 3072) ? 256 \
1550 : ((s <= 7168) ? 384 : 521 ) ) ) )
1552 /* Types and names of elliptic curves used in TLS */
1555 ec_type_named
1584 ec_pastLastName
1617 PRUint32 length);
1622 SSL3ProtocolVersion peerVersion,
1623 PRBool allowLargerPeerVersion);
1627 #ifdef NSS_ENABLE_ECC
1628 /* ECDH functions */
1638 #endif
1642 PRBool bypassPKCS11);
1646 PRInt32 bytes);
1650 PRInt32 lenSize);
1666 SSL3KEAType effectiveExchKeyType);
1668 /* Functions that handle ClientHello and ServerHello extensions. */
1682 /* ClientHello and ServerHello extension senders.
1683 * Note that not all extension senders are exposed here; only those that
1684 * that need exposure.
1685 */
1687 PRUint32 maxBytes);
1689 PRUint32 maxBytes);
1691 /* ClientHello and ServerHello extension senders.
1692 * The code is in ssl3ext.c.
1693 */
1695 PRUint32 maxBytes);
1697 /* Assigns new cert, cert chain and keys to ss->serverCerts
1698 * struct. If certChain is NULL, tries to find one. Aborts if
1699 * fails to do so. If cert and keyPair are NULL - unconfigures
1700 * sslSocket of kea type.*/
1705 #ifdef NSS_ENABLE_ECC
1710 #endif
1712 /* call the registered extension handlers. */
1716 /* Hello Extension related routines. */
1728 /* Tell clients to consider tickets valid for this long. */
1730 #define TLS_EX_SESS_TICKET_VERSION (0x0100)
1740 /* Construct a new NSPR socket for the app to use */
1744 /* Internal config function so SSL2 can initialize the present state of
1745 * various ciphers */
1748 /* Create a new ref counted key pair object from two keys. */
1752 /* get a new reference (bump ref count) to an ssl3KeyPair. */
1755 /* Decrement keypair's ref count and free if zero. */
1758 /* calls for accessing wrapping keys across processes. */
1759 extern PRBool
1761 SSL3KEAType exchKeyType,
1764 /* The caller passes in the new value it wants
1765 * to set. This code tests the wrapped sym key entry in the file on disk.
1766 * If it is uninitialized, this function writes the caller's value into
1767 * the disk entry, and returns false.
1768 * Otherwise, it overwrites the caller's wswk with the value obtained from
1769 * the disk, and returns PR_TRUE.
1770 * This is all done while holding the locks/semaphores necessary to make
1771 * the operation atomic.
1772 */
1773 extern PRBool
1776 /* get rid of the symmetric wrapping key references. */
1787 /***************** platform client auth ****************/
1789 #ifdef NSS_PLATFORM_CLIENT_AUTH
1790 // Releases the platform key.
1793 // Implement the client CertificateVerify message for SSL3/TLS1.0
1796 PRBool isTLS);
1798 // Converts a CERTCertList* (A collection of CERTCertificates) into a
1799 // CERTCertificateList* (A collection of SECItems), or returns NULL if
1800 // it cannot be converted.
1801 // This is to allow the platform-supplied chain to be created with purely
1802 // public API functions, using the preferred CERTCertList mutators, rather
1803 // pushing this hack to clients.
1808 /**************** DTLS-specific functions **************/
1821 DTLSEpoch epoch,
1822 PRBool use_epoch,
1823 SSL3ContentType type,
1825 PRUint32 contentLen,
1830 DTLSTimerCb cb);
1839 extern SSL3ProtocolVersion
1841 extern SSL3ProtocolVersion
1844 /********************** misc calls *********************/
1856 extern SECStatus
1862 #ifdef TRACE
1863 #define SSL_TRACE(msg) ssl_Trace msg
1864 #else
1865 #define SSL_TRACE(msg)
1866 #endif
1870 SEC_END_PROTOS
1872 #if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
1873 #define SSL_GETPID getpid
1874 #elif defined(_WIN32_WCE)
1875 #define SSL_GETPID GetCurrentProcessId
1876 #elif defined(WIN32)
1878 #define SSL_GETPID _getpid
1879 #else
1880 #define SSL_GETPID() 0
1881 #endif