search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Check USB device path access when prompting users to select a device.
[chromium-blink-merge.git] / net / third_party / nss / ssl / sslimpl.h
bloba809616d639777a8243145a58a8f1375c584dba6
1 /*
2 * This file is PRIVATE to SSL and should be the first thing included by
3 * any SSL implementation file.
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8
9 #ifndef __sslimpl_h_
10 #define __sslimpl_h_
11
12 #ifdef DEBUG
13 #undef NDEBUG
14 #else
15 #undef NDEBUG
16 #define NDEBUG
17 #endif
18 #include "secport.h"
19 #include "secerr.h"
20 #include "sslerr.h"
21 #include "ssl3prot.h"
22 #include "hasht.h"
23 #include "keythi.h"
24 #include "nssilock.h"
25 #include "pkcs11t.h"
26 #if defined(XP_UNIX) || defined(XP_BEOS)
27 #include "unistd.h"
28 #endif
29 #include "nssrwlk.h"
30 #include "prthread.h"
31 #include "prclist.h"
32
33 #include "sslt.h" /* for some formerly private types, now public */
34
35 #ifdef NSS_PLATFORM_CLIENT_AUTH
36 #if defined(XP_WIN32)
37 #include <windows.h>
38 #include <wincrypt.h>
39 #elif defined(XP_MACOSX)
40 #include <Security/Security.h>
41 #endif
42 #endif
43
44 /* to make some of these old enums public without namespace pollution,
45 ** it was necessary to prepend ssl_ to the names.
46 ** These #defines preserve compatibility with the old code here in libssl.
47 */
48 typedef SSLKEAType SSL3KEAType;
49 typedef SSLMACAlgorithm SSL3MACAlgorithm;
50 typedef SSLSignType SSL3SignType;
51
52 #define sign_null ssl_sign_null
53 #define sign_rsa ssl_sign_rsa
54 #define sign_dsa ssl_sign_dsa
55 #define sign_ecdsa ssl_sign_ecdsa
56
57 #define calg_null ssl_calg_null
58 #define calg_rc4 ssl_calg_rc4
59 #define calg_rc2 ssl_calg_rc2
60 #define calg_des ssl_calg_des
61 #define calg_3des ssl_calg_3des
62 #define calg_idea ssl_calg_idea
63 #define calg_fortezza ssl_calg_fortezza /* deprecated, must preserve */
64 #define calg_aes ssl_calg_aes
65 #define calg_camellia ssl_calg_camellia
66 #define calg_seed ssl_calg_seed
67 #define calg_aes_gcm ssl_calg_aes_gcm
68 #define calg_chacha20 ssl_calg_chacha20
69
70 #define mac_null ssl_mac_null
71 #define mac_md5 ssl_mac_md5
72 #define mac_sha ssl_mac_sha
73 #define hmac_md5 ssl_hmac_md5
74 #define hmac_sha ssl_hmac_sha
75 #define hmac_sha256 ssl_hmac_sha256
76 #define mac_aead ssl_mac_aead
77
78 #define SET_ERROR_CODE /* reminder */
79 #define SEND_ALERT /* reminder */
80 #define TEST_FOR_FAILURE /* reminder */
81 #define DEAL_WITH_FAILURE /* reminder */
82
83 #if defined(DEBUG) || defined(TRACE)
84 #ifdef __cplusplus
85 #define Debug 1
86 #else
87 extern int Debug;
88 #endif
89 #else
90 #undef Debug
91 #endif
92
93 #if defined(DEBUG) && !defined(TRACE) && !defined(NISCC_TEST)
94 #define TRACE
95 #endif
96
97 #ifdef TRACE
98 #define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b
99 #define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b
100 #define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b
101 #else
102 #define SSL_TRC(a,b)
103 #define PRINT_BUF(a,b)
104 #define DUMP_MSG(a,b)
105 #endif
106
107 #ifdef DEBUG
108 #define SSL_DBG(b) if (ssl_debug) ssl_Trace b
109 #else
110 #define SSL_DBG(b)
111 #endif
112
113 #include "private/pprthred.h" /* for PR_InMonitor() */
114 #define ssl_InMonitor(m) PZ_InMonitor(m)
115
116 #define LSB(x) ((unsigned char) ((x) & 0xff))
117 #define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8))
118
119 /************************************************************************/
120
121 typedef enum { SSLAppOpRead = 0,
122 SSLAppOpWrite,
123 SSLAppOpRDWR,
124 SSLAppOpPost,
125 SSLAppOpHeader
126 } SSLAppOperation;
127
128 #define SSL_MIN_MASTER_KEY_BYTES 5
129 #define SSL_MAX_MASTER_KEY_BYTES 64
130
131 #define SSL2_SESSIONID_BYTES 16
132 #define SSL3_SESSIONID_BYTES 32
133
134 #define SSL_MIN_CHALLENGE_BYTES 16
135 #define SSL_MAX_CHALLENGE_BYTES 32
136 #define SSL_CHALLENGE_BYTES 16
137
138 #define SSL_CONNECTIONID_BYTES 16
139
140 #define SSL_MIN_CYPHER_ARG_BYTES 0
141 #define SSL_MAX_CYPHER_ARG_BYTES 32
142
143 #define SSL_MAX_MAC_BYTES 16
144
145 #define SSL3_RSA_PMS_LENGTH 48
146 #define SSL3_MASTER_SECRET_LENGTH 48
147
148 /* number of wrap mechanisms potentially used to wrap master secrets. */
149 #define SSL_NUM_WRAP_MECHS 16
150
151 /* This makes the cert cache entry exactly 4k. */
152 #define SSL_MAX_CACHED_CERT_LEN 4060
153
154 #define NUM_MIXERS 9
155
156 /* Mask of the 25 named curves we support. */
157 #define SSL3_ALL_SUPPORTED_CURVES_MASK 0x3fffffe
158 /* Mask of only 3 curves, suite B */
159 #define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000
160
161 #ifndef BPB
162 #define BPB 8 /* Bits Per Byte */
163 #endif
164
165 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
166
167 #define INITIAL_DTLS_TIMEOUT_MS 1000 /* Default value from RFC 4347 = 1s*/
168 #define MAX_DTLS_TIMEOUT_MS 60000 /* 1 minute */
169 #define DTLS_FINISHED_TIMER_MS 120000 /* Time to wait in FINISHED state */
170
171 typedef struct sslBufferStr sslBuffer;
172 typedef struct sslConnectInfoStr sslConnectInfo;
173 typedef struct sslGatherStr sslGather;
174 typedef struct sslSecurityInfoStr sslSecurityInfo;
175 typedef struct sslSessionIDStr sslSessionID;
176 typedef struct sslSocketStr sslSocket;
177 typedef struct sslSocketOpsStr sslSocketOps;
178
179 typedef struct ssl3StateStr ssl3State;
180 typedef struct ssl3CertNodeStr ssl3CertNode;
181 typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef;
182 typedef struct ssl3MACDefStr ssl3MACDef;
183 typedef struct ssl3KeyPairStr ssl3KeyPair;
184
185 struct ssl3CertNodeStr {
186 struct ssl3CertNodeStr *next;
187 CERTCertificate * cert;
188 };
189
190 typedef SECStatus (*sslHandshakeFunc)(sslSocket *ss);
191
192 /* This type points to the low layer send func,
193 ** e.g. ssl2_SendStream or ssl3_SendPlainText.
194 ** These functions return the same values as PR_Send,
195 ** i.e. >= 0 means number of bytes sent, < 0 means error.
196 */
197 typedef PRInt32 (*sslSendFunc)(sslSocket *ss, const unsigned char *buf,
198 PRInt32 n, PRInt32 flags);
199
200 typedef void (*sslSessionIDCacheFunc) (sslSessionID *sid);
201 typedef void (*sslSessionIDUncacheFunc)(sslSessionID *sid);
202 typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr *addr,
203 unsigned char* sid,
204 unsigned int sidLen,
205 CERTCertDBHandle * dbHandle);
206
207 /* registerable callback function that either appends extension to buffer
208 * or returns length of data that it would have appended.
209 */
210 typedef PRInt32 (*ssl3HelloExtensionSenderFunc)(sslSocket *ss, PRBool append,
211 PRUint32 maxBytes);
212
213 /* registerable callback function that handles a received extension,
214 * of the given type.
215 */
216 typedef SECStatus (* ssl3HelloExtensionHandlerFunc)(sslSocket *ss,
217 PRUint16 ex_type,
218 SECItem * data);
219
220 /* row in a table of hello extension senders */
221 typedef struct {
222 PRInt32 ex_type;
223 ssl3HelloExtensionSenderFunc ex_sender;
224 } ssl3HelloExtensionSender;
225
226 /* row in a table of hello extension handlers */
227 typedef struct {
228 PRInt32 ex_type;
229 ssl3HelloExtensionHandlerFunc ex_handler;
230 } ssl3HelloExtensionHandler;
231
232 extern SECStatus
233 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
234 ssl3HelloExtensionSenderFunc cb);
235
236 extern PRInt32
237 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
238 const ssl3HelloExtensionSender *sender);
239
240 extern unsigned int
241 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength);
242
243 extern PRInt32
244 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
245 PRUint32 maxBytes);
246
247 /* Socket ops */
248 struct sslSocketOpsStr {
249 int (*connect) (sslSocket *, const PRNetAddr *);
250 PRFileDesc *(*accept) (sslSocket *, PRNetAddr *);
251 int (*bind) (sslSocket *, const PRNetAddr *);
252 int (*listen) (sslSocket *, int);
253 int (*shutdown)(sslSocket *, int);
254 int (*close) (sslSocket *);
255
256 int (*recv) (sslSocket *, unsigned char *, int, int);
257
258 /* points to the higher-layer send func, e.g. ssl_SecureSend. */
259 int (*send) (sslSocket *, const unsigned char *, int, int);
260 int (*read) (sslSocket *, unsigned char *, int);
261 int (*write) (sslSocket *, const unsigned char *, int);
262
263 int (*getpeername)(sslSocket *, PRNetAddr *);
264 int (*getsockname)(sslSocket *, PRNetAddr *);
265 };
266
267 /* Flags interpreted by ssl send functions. */
268 #define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000
269 #define ssl_SEND_FLAG_NO_BUFFER 0x20000000
270 #define ssl_SEND_FLAG_USE_EPOCH 0x10000000 /* DTLS only */
271 #define ssl_SEND_FLAG_NO_RETRANSMIT 0x08000000 /* DTLS only */
272 #define ssl_SEND_FLAG_CAP_RECORD_VERSION \
273 0x04000000 /* TLS only */
274 #define ssl_SEND_FLAG_MASK 0x7f000000
275
276 /*
277 ** A buffer object.
278 */
279 struct sslBufferStr {
280 unsigned char * buf;
281 unsigned int len;
282 unsigned int space;
283 };
284
285 /*
286 ** SSL3 cipher suite policy and preference struct.
287 */
288 typedef struct {
289 #if !defined(_WIN32)
290 unsigned int cipher_suite : 16;
291 unsigned int policy : 8;
292 unsigned int enabled : 1;
293 unsigned int isPresent : 1;
294 #else
295 ssl3CipherSuite cipher_suite;
296 PRUint8 policy;
297 unsigned char enabled : 1;
298 unsigned char isPresent : 1;
299 #endif
300 } ssl3CipherSuiteCfg;
301
302 #ifndef NSS_DISABLE_ECC
303 #define ssl_V3_SUITES_IMPLEMENTED 63
304 #else
305 #define ssl_V3_SUITES_IMPLEMENTED 37
306 #endif /* NSS_DISABLE_ECC */
307
308 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
309
310 typedef struct sslOptionsStr {
311 /* If SSL_SetNextProtoNego has been called, then this contains the
312 * list of supported protocols. */
313 SECItem nextProtoNego;
314
315 unsigned int useSecurity : 1; /* 1 */
316 unsigned int useSocks : 1; /* 2 */
317 unsigned int requestCertificate : 1; /* 3 */
318 unsigned int requireCertificate : 2; /* 4-5 */
319 unsigned int handshakeAsClient : 1; /* 6 */
320 unsigned int handshakeAsServer : 1; /* 7 */
321 unsigned int enableSSL2 : 1; /* 8 */
322 unsigned int unusedBit9 : 1; /* 9 */
323 unsigned int unusedBit10 : 1; /* 10 */
324 unsigned int noCache : 1; /* 11 */
325 unsigned int fdx : 1; /* 12 */
326 unsigned int v2CompatibleHello : 1; /* 13 */
327 unsigned int detectRollBack : 1; /* 14 */
328 unsigned int noStepDown : 1; /* 15 */
329 unsigned int bypassPKCS11 : 1; /* 16 */
330 unsigned int noLocks : 1; /* 17 */
331 unsigned int enableSessionTickets : 1; /* 18 */
332 unsigned int enableDeflate : 1; /* 19 */
333 unsigned int enableRenegotiation : 2; /* 20-21 */
334 unsigned int requireSafeNegotiation : 1; /* 22 */
335 unsigned int enableFalseStart : 1; /* 23 */
336 unsigned int cbcRandomIV : 1; /* 24 */
337 unsigned int enableOCSPStapling : 1; /* 25 */
338 unsigned int enableNPN : 1; /* 26 */
339 unsigned int enableALPN : 1; /* 27 */
340 unsigned int reuseServerECDHEKey : 1; /* 28 */
341 unsigned int enableFallbackSCSV : 1; /* 29 */
342 unsigned int enableSignedCertTimestamps : 1; /* 30 */
343 } sslOptions;
344
345 typedef enum { sslHandshakingUndetermined = 0,
346 sslHandshakingAsClient,
347 sslHandshakingAsServer
348 } sslHandshakingType;
349
350 typedef struct sslServerCertsStr {
351 /* Configuration state for server sockets */
352 CERTCertificate * serverCert;
353 CERTCertificateList * serverCertChain;
354 ssl3KeyPair * serverKeyPair;
355 unsigned int serverKeyBits;
356 } sslServerCerts;
357
358 #define SERVERKEY serverKeyPair->privKey
359
360 #define SSL_LOCK_RANK_SPEC 255
361 #define SSL_LOCK_RANK_GLOBAL NSS_RWLOCK_RANK_NONE
362
363 /* These are the valid values for shutdownHow.
364 ** These values are each 1 greater than the NSPR values, and the code
365 ** depends on that relation to efficiently convert PR_SHUTDOWN values
366 ** into ssl_SHUTDOWN values. These values use one bit for read, and
367 ** another bit for write, and can be used as bitmasks.
368 */
369 #define ssl_SHUTDOWN_NONE 0 /* NOT shutdown at all */
370 #define ssl_SHUTDOWN_RCV 1 /* PR_SHUTDOWN_RCV +1 */
371 #define ssl_SHUTDOWN_SEND 2 /* PR_SHUTDOWN_SEND +1 */
372 #define ssl_SHUTDOWN_BOTH 3 /* PR_SHUTDOWN_BOTH +1 */
373
374 /*
375 ** A gather object. Used to read some data until a count has been
376 ** satisfied. Primarily for support of async sockets.
377 ** Everything in here is protected by the recvBufLock.
378 */
379 struct sslGatherStr {
380 int state; /* see GS_ values below. */ /* ssl 2 & 3 */
381
382 /* "buf" holds received plaintext SSL records, after decrypt and MAC check.
383 * SSL2: recv'd ciphertext records are put here, then decrypted in place.
384 * SSL3: recv'd ciphertext records are put in inbuf (see below), then
385 * decrypted into buf.
386 */
387 sslBuffer buf; /*recvBufLock*/ /* ssl 2 & 3 */
388
389 /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3).
390 ** (offset - writeOffset) is the number of ciphertext bytes read in but
391 ** not yet deciphered.
392 */
393 unsigned int offset; /* ssl 2 & 3 */
394
395 /* number of bytes to read in next call to ssl_DefRecv (recv) */
396 unsigned int remainder; /* ssl 2 & 3 */
397
398 /* Number of ciphertext bytes to read in after 2-byte SSL record header. */
399 unsigned int count; /* ssl2 only */
400
401 /* size of the final plaintext record.
402 ** == count - (recordPadding + MAC size)
403 */
404 unsigned int recordLen; /* ssl2 only */
405
406 /* number of bytes of padding to be removed after decrypting. */
407 /* This value is taken from the record's hdr[2], which means a too large
408 * value could crash us.
409 */
410 unsigned int recordPadding; /* ssl2 only */
411
412 /* plaintext DATA begins this many bytes into "buf". */
413 unsigned int recordOffset; /* ssl2 only */
414
415 int encrypted; /* SSL2 session is now encrypted. ssl2 only */
416
417 /* These next two values are used by SSL2 and SSL3.
418 ** DoRecv uses them to extract application data.
419 ** The difference between writeOffset and readOffset is the amount of
420 ** data available to the application. Note that the actual offset of
421 ** the data in "buf" is recordOffset (above), not readOffset.
422 ** In the current implementation, this is made available before the
423 ** MAC is checked!!
424 */
425 unsigned int readOffset; /* Spot where DATA reader (e.g. application
426 ** or handshake code) will read next.
427 ** Always zero for SSl3 application data.
428 */
429 /* offset in buf/inbuf/hdr into which new data will be read from socket. */
430 unsigned int writeOffset;
431
432 /* Buffer for ssl3 to read (encrypted) data from the socket */
433 sslBuffer inbuf; /*recvBufLock*/ /* ssl3 only */
434
435 /* The ssl[23]_GatherData functions read data into this buffer, rather
436 ** than into buf or inbuf, while in the GS_HEADER state.
437 ** The portion of the SSL record header put here always comes off the wire
438 ** as plaintext, never ciphertext.
439 ** For SSL2, the plaintext portion is two bytes long. For SSl3 it is 5.
440 ** For DTLS it is 13.
441 */
442 unsigned char hdr[13]; /* ssl 2 & 3 or dtls */
443
444 /* Buffer for DTLS data read off the wire as a single datagram */
445 sslBuffer dtlsPacket;
446
447 /* the start of the buffered DTLS record in dtlsPacket */
448 unsigned int dtlsPacketOffset;
449 };
450
451 /* sslGather.state */
452 #define GS_INIT 0
453 #define GS_HEADER 1
454 #define GS_MAC 2
455 #define GS_DATA 3
456 #define GS_PAD 4
457
458 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32)
459 typedef PCERT_KEY_CONTEXT PlatformKey;
460 #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX)
461 typedef SecKeyRef PlatformKey;
462 #else
463 typedef void *PlatformKey;
464 #endif
465
466
467
468 /*
469 ** ssl3State and CipherSpec structs
470 */
471
472 /* The SSL bulk cipher definition */
473 typedef enum {
474 cipher_null,
475 cipher_rc4,
476 cipher_rc4_40,
477 cipher_rc4_56,
478 cipher_rc2,
479 cipher_rc2_40,
480 cipher_des,
481 cipher_3des,
482 cipher_des40,
483 cipher_idea,
484 cipher_aes_128,
485 cipher_aes_256,
486 cipher_camellia_128,
487 cipher_camellia_256,
488 cipher_seed,
489 cipher_aes_128_gcm,
490 cipher_chacha20,
491 cipher_missing /* reserved for no such supported cipher */
492 /* This enum must match ssl3_cipherName[] in ssl3con.c. */
493 } SSL3BulkCipher;
494
495 typedef enum { type_stream, type_block, type_aead } CipherType;
496
497 #define MAX_IV_LENGTH 24
498
499 /*
500 * Do not depend upon 64 bit arithmetic in the underlying machine.
501 */
502 typedef struct {
503 PRUint32 high;
504 PRUint32 low;
505 } SSL3SequenceNumber;
506
507 typedef PRUint16 DTLSEpoch;
508
509 typedef void (*DTLSTimerCb)(sslSocket *);
510
511 #define MAX_MAC_CONTEXT_BYTES 400 /* 400 is large enough for MD5, SHA-1, and
512 * SHA-256. For SHA-384 support, increase
513 * it to 712. */
514 #define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8)
515
516 #define MAX_CIPHER_CONTEXT_BYTES 2080
517 #define MAX_CIPHER_CONTEXT_LLONGS (MAX_CIPHER_CONTEXT_BYTES / 8)
518
519 typedef struct {
520 SSL3Opaque wrapped_master_secret[48];
521 PRUint16 wrapped_master_secret_len;
522 PRUint8 msIsWrapped;
523 PRUint8 resumable;
524 } ssl3SidKeys; /* 52 bytes */
525
526 typedef struct {
527 PK11SymKey *write_key;
528 PK11SymKey *write_mac_key;
529 PK11Context *write_mac_context;
530 SECItem write_key_item;
531 SECItem write_iv_item;
532 SECItem write_mac_key_item;
533 SSL3Opaque write_iv[MAX_IV_LENGTH];
534 PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS];
535 } ssl3KeyMaterial;
536
537 typedef SECStatus (*SSLCipher)(void * context,
538 unsigned char * out,
539 int * outlen,
540 int maxout,
541 const unsigned char *in,
542 int inlen);
543 typedef SECStatus (*SSLAEADCipher)(
544 ssl3KeyMaterial * keys,
545 PRBool doDecrypt,
546 unsigned char * out,
547 int * outlen,
548 int maxout,
549 const unsigned char *in,
550 int inlen,
551 const unsigned char *additionalData,
552 int additionalDataLen);
553 typedef SECStatus (*SSLCompressor)(void * context,
554 unsigned char * out,
555 int * outlen,
556 int maxout,
557 const unsigned char *in,
558 int inlen);
559 typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
560
561 /* The DTLS anti-replay window. Defined here because we need it in
562 * the cipher spec. Note that this is a ring buffer but left and
563 * right represent the true window, with modular arithmetic used to
564 * map them onto the buffer.
565 */
566 #define DTLS_RECVD_RECORDS_WINDOW 1024 /* Packets; approximate
567 * Must be divisible by 8
568 */
569 typedef struct DTLSRecvdRecordsStr {
570 unsigned char data[DTLS_RECVD_RECORDS_WINDOW/8];
571 PRUint64 left;
572 PRUint64 right;
573 } DTLSRecvdRecords;
574
575 /*
576 ** These are the "specs" in the "ssl3" struct.
577 ** Access to the pointers to these specs, and all the specs' contents
578 ** (direct and indirect) is protected by the reader/writer lock ss->specLock.
579 */
580 typedef struct {
581 const ssl3BulkCipherDef *cipher_def;
582 const ssl3MACDef * mac_def;
583 SSLCompressionMethod compression_method;
584 int mac_size;
585 SSLCipher encode;
586 SSLCipher decode;
587 SSLAEADCipher aead;
588 SSLDestroy destroy;
589 void * encodeContext;
590 void * decodeContext;
591 SSLCompressor compressor; /* Don't name these fields compress */
592 SSLCompressor decompressor; /* and uncompress because zconf.h */
593 /* may define them as macros. */
594 SSLDestroy destroyCompressContext;
595 void * compressContext;
596 SSLDestroy destroyDecompressContext;
597 void * decompressContext;
598 PRBool bypassCiphers; /* did double bypass (at least) */
599 PK11SymKey * master_secret;
600 SSL3SequenceNumber write_seq_num;
601 SSL3SequenceNumber read_seq_num;
602 SSL3ProtocolVersion version;
603 ssl3KeyMaterial client;
604 ssl3KeyMaterial server;
605 SECItem msItem;
606 unsigned char key_block[NUM_MIXERS * MD5_LENGTH];
607 unsigned char raw_master_secret[56];
608 SECItem srvVirtName; /* for server: name that was negotiated
609 * with a client. For client - is
610 * always set to NULL.*/
611 DTLSEpoch epoch;
612 DTLSRecvdRecords recvdRecords;
613 } ssl3CipherSpec;
614
615 typedef enum { never_cached,
616 in_client_cache,
617 in_server_cache,
618 invalid_cache /* no longer in any cache. */
619 } Cached;
620
621 #define MAX_PEER_CERT_CHAIN_SIZE 8
622
623 struct sslSessionIDStr {
624 /* The global cache lock must be held when accessing these members when the
625 * sid is in any cache.
626 */
627 sslSessionID * next; /* chain used for client sockets, only */
628 Cached cached;
629 int references;
630 PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */
631
632 /* The rest of the members, except for the members of u.ssl3.locked, may
633 * be modified only when the sid is not in any cache.
634 */
635
636 CERTCertificate * peerCert;
637 CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
638 SECItemArray peerCertStatus; /* client only */
639 const char * peerID; /* client only */
640 const char * urlSvrName; /* client only */
641 CERTCertificate * localCert;
642
643 PRIPv6Addr addr;
644 PRUint16 port;
645
646 SSL3ProtocolVersion version;
647
648 PRUint32 creationTime; /* seconds since Jan 1, 1970 */
649 PRUint32 expirationTime; /* seconds since Jan 1, 1970 */
650
651 SSLSignType authAlgorithm;
652 PRUint32 authKeyBits;
653 SSLKEAType keaType;
654 PRUint32 keaKeyBits;
655
656 union {
657 struct {
658 /* the V2 code depends upon the size of sessionID. */
659 unsigned char sessionID[SSL2_SESSIONID_BYTES];
660
661 /* Stuff used to recreate key and read/write cipher objects */
662 SECItem masterKey; /* never wrapped */
663 int cipherType;
664 SECItem cipherArg;
665 int keyBits;
666 int secretKeyBits;
667 } ssl2;
668 struct {
669 /* values that are copied into the server's on-disk SID cache. */
670 PRUint8 sessionIDLength;
671 SSL3Opaque sessionID[SSL3_SESSIONID_BYTES];
672
673 ssl3CipherSuite cipherSuite;
674 SSLCompressionMethod compression;
675 int policy;
676 ssl3SidKeys keys;
677 CK_MECHANISM_TYPE masterWrapMech;
678 /* mechanism used to wrap master secret */
679 SSL3KEAType exchKeyType;
680 /* key type used in exchange algorithm,
681 * and to wrap the sym wrapping key. */
682 #ifndef NSS_DISABLE_ECC
683 PRUint32 negotiatedECCurves;
684 #endif /* NSS_DISABLE_ECC */
685
686 /* The following values are NOT restored from the server's on-disk
687 * session cache, but are restored from the client's cache.
688 */
689 PK11SymKey * clientWriteKey;
690 PK11SymKey * serverWriteKey;
691
692 /* The following values pertain to the slot that wrapped the
693 ** master secret. (used only in client)
694 */
695 SECMODModuleID masterModuleID;
696 /* what module wrapped the master secret */
697 CK_SLOT_ID masterSlotID;
698 PRUint16 masterWrapIndex;
699 /* what's the key index for the wrapping key */
700 PRUint16 masterWrapSeries;
701 /* keep track of the slot series, so we don't
702 * accidently try to use new keys after the
703 * card gets removed and replaced.*/
704
705 /* The following values pertain to the slot that did the signature
706 ** for client auth. (used only in client)
707 */
708 SECMODModuleID clAuthModuleID;
709 CK_SLOT_ID clAuthSlotID;
710 PRUint16 clAuthSeries;
711
712 char masterValid;
713 char clAuthValid;
714
715 SECItem srvName;
716
717 /* originalHandshakeHash contains the hash of the original, full
718 * handshake prior to the server's final flow. This is either a
719 * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for
720 * TLS 1.2). This is recorded and used only when ChannelID is
721 * negotiated as it's used to bind the ChannelID signature on the
722 * resumption handshake to the original handshake. */
723 SECItem originalHandshakeHash;
724
725 /* Signed certificate timestamps received in a TLS extension.
726 ** (used only in client).
727 */
728 SECItem signedCertTimestamps;
729
730 /* This lock is lazily initialized by CacheSID when a sid is first
731 * cached. Before then, there is no need to lock anything because
732 * the sid isn't being shared by anything.
733 */
734 NSSRWLock *lock;
735
736 /* The lock must be held while reading or writing these members
737 * because they change while the sid is cached.
738 */
739 struct {
740 /* The session ticket, if we have one, is sent as an extension
741 * in the ClientHello message. This field is used only by
742 * clients. It is protected by lock when lock is non-null
743 * (after the sid has been added to the client session cache).
744 */
745 NewSessionTicket sessionTicket;
746 } locked;
747 } ssl3;
748 } u;
749 };
750
751 typedef struct ssl3CipherSuiteDefStr {
752 ssl3CipherSuite cipher_suite;
753 SSL3BulkCipher bulk_cipher_alg;
754 SSL3MACAlgorithm mac_alg;
755 SSL3KeyExchangeAlgorithm key_exchange_alg;
756 } ssl3CipherSuiteDef;
757
758 /*
759 ** There are tables of these, all const.
760 */
761 typedef struct {
762 SSL3KeyExchangeAlgorithm kea;
763 SSL3KEAType exchKeyType;
764 SSL3SignType signKeyType;
765 PRBool is_limited;
766 int key_size_limit;
767 PRBool tls_keygen;
768 } ssl3KEADef;
769
770 /*
771 ** There are tables of these, all const.
772 */
773 struct ssl3BulkCipherDefStr {
774 SSL3BulkCipher cipher;
775 SSLCipherAlgorithm calg;
776 int key_size;
777 int secret_key_size;
778 CipherType type;
779 int iv_size;
780 int block_size;
781 int tag_size; /* authentication tag size for AEAD ciphers. */
782 int explicit_nonce_size; /* for AEAD ciphers. */
783 };
784
785 /*
786 ** There are tables of these, all const.
787 */
788 struct ssl3MACDefStr {
789 SSL3MACAlgorithm mac;
790 CK_MECHANISM_TYPE mmech;
791 int pad_size;
792 int mac_size;
793 };
794
795 typedef enum {
796 wait_client_hello,
797 wait_client_cert,
798 wait_client_key,
799 wait_cert_verify,
800 wait_change_cipher,
801 wait_finished,
802 wait_server_hello,
803 wait_certificate_status,
804 wait_server_cert,
805 wait_server_key,
806 wait_cert_request,
807 wait_hello_done,
808 wait_new_session_ticket,
809 idle_handshake
810 } SSL3WaitState;
811
812 /*
813 * TLS extension related constants and data structures.
814 */
815 typedef struct TLSExtensionDataStr TLSExtensionData;
816 typedef struct SessionTicketDataStr SessionTicketData;
817
818 struct TLSExtensionDataStr {
819 /* registered callbacks that send server hello extensions */
820 ssl3HelloExtensionSender serverSenders[SSL_MAX_EXTENSIONS];
821 /* Keep track of the extensions that are negotiated. */
822 PRUint16 numAdvertised;
823 PRUint16 numNegotiated;
824 PRUint16 advertised[SSL_MAX_EXTENSIONS];
825 PRUint16 negotiated[SSL_MAX_EXTENSIONS];
826
827 /* SessionTicket Extension related data. */
828 PRBool ticketTimestampVerified;
829 PRBool emptySessionTicket;
830 PRBool sentSessionTicketInClientHello;
831
832 /* SNI Extension related data
833 * Names data is not coppied from the input buffer. It can not be
834 * used outside the scope where input buffer is defined and that
835 * is beyond ssl3_HandleClientHello function. */
836 SECItem *sniNameArr;
837 PRUint32 sniNameArrSize;
838
839 /* Signed Certificate Timestamps extracted from the TLS extension.
840 * (client only).
841 * This container holds a temporary pointer to the extension data,
842 * until a session structure (the sec.ci.sid of an sslSocket) is setup
843 * that can hold a permanent copy of the data
844 * (in sec.ci.sid.u.ssl3.signedCertTimestamps).
845 * The data pointed to by this structure is neither explicitly allocated
846 * nor copied: the pointer points to the handshake message buffer and is
847 * only valid in the scope of ssl3_HandleServerHello.
848 */
849 SECItem signedCertTimestamps;
850 };
851
852 typedef SECStatus (*sslRestartTarget)(sslSocket *);
853
854 /*
855 ** A DTLS queued message (potentially to be retransmitted)
856 */
857 typedef struct DTLSQueuedMessageStr {
858 PRCList link; /* The linked list link */
859 DTLSEpoch epoch; /* The epoch to use */
860 SSL3ContentType type; /* The message type */
861 unsigned char *data; /* The data */
862 PRUint16 len; /* The data length */
863 } DTLSQueuedMessage;
864
865 typedef enum {
866 handshake_hash_unknown = 0,
867 handshake_hash_combo = 1, /* The MD5/SHA-1 combination */
868 handshake_hash_single = 2 /* A single hash */
869 } SSL3HandshakeHashType;
870
871 /*
872 ** This is the "hs" member of the "ssl3" struct.
873 ** This entire struct is protected by ssl3HandshakeLock
874 */
875 typedef struct SSL3HandshakeStateStr {
876 SSL3Random server_random;
877 SSL3Random client_random;
878 SSL3WaitState ws;
879
880 /* This group of members is used for handshake running hashes. */
881 SSL3HandshakeHashType hashType;
882 sslBuffer messages; /* Accumulated handshake messages */
883 #ifndef NO_PKCS11_BYPASS
884 /* Bypass mode:
885 * SSL 3.0 - TLS 1.1 use both |md5_cx| and |sha_cx|. |md5_cx| is used for
886 * MD5 and |sha_cx| for SHA-1.
887 * TLS 1.2 and later use only |sha_cx|, for SHA-256. NOTE: When we support
888 * SHA-384, increase MAX_MAC_CONTEXT_BYTES to 712. */
889 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
890 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
891 const SECHashObject * sha_obj;
892 /* The function prototype of sha_obj->clone() does not match the prototype
893 * of the freebl <HASH>_Clone functions, so we need a dedicated function
894 * pointer for the <HASH>_Clone function. */
895 void (*sha_clone)(void *dest, void *src);
896 #endif
897 /* PKCS #11 mode:
898 * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
899 * |sha| for SHA-1.
900 * TLS 1.2 and later use only |sha|, for SHA-256. */
901 /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup
902 * handshake hash for generating client auth signatures. Confusingly, the
903 * backup hash function is SHA-1. */
904 #define backupHash md5
905 PK11Context * md5;
906 PK11Context * sha;
907
908 const ssl3KEADef * kea_def;
909 ssl3CipherSuite cipher_suite;
910 const ssl3CipherSuiteDef *suite_def;
911 SSLCompressionMethod compression;
912 sslBuffer msg_body; /* protected by recvBufLock */
913 /* partial handshake message from record layer */
914 unsigned int header_bytes;
915 /* number of bytes consumed from handshake */
916 /* message for message type and header length */
917 SSL3HandshakeType msg_type;
918 unsigned long msg_len;
919 SECItem ca_list; /* used only by client */
920 PRBool isResuming; /* are we resuming a session */
921 PRBool usedStepDownKey; /* we did a server key exchange. */
922 PRBool sendingSCSV; /* instead of empty RI */
923 sslBuffer msgState; /* current state for handshake messages*/
924 /* protected by recvBufLock */
925
926 /* The session ticket received in a NewSessionTicket message is temporarily
927 * stored in newSessionTicket until the handshake is finished; then it is
928 * moved to the sid.
929 */
930 PRBool receivedNewSessionTicket;
931 NewSessionTicket newSessionTicket;
932
933 PRUint16 finishedBytes; /* size of single finished below */
934 union {
935 TLSFinished tFinished[2]; /* client, then server */
936 SSL3Finished sFinished[2];
937 SSL3Opaque data[72];
938 } finishedMsgs;
939 #ifndef NSS_DISABLE_ECC
940 PRUint32 negotiatedECCurves; /* bit mask */
941 #endif /* NSS_DISABLE_ECC */
942
943 PRBool authCertificatePending;
944 /* Which function should SSL_RestartHandshake* call if we're blocked?
945 * One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake,
946 * or ssl3_AlwaysFail */
947 sslRestartTarget restartTarget;
948 /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
949 PRBool cacheSID;
950
951 PRBool canFalseStart; /* Can/did we False Start */
952
953 /* clientSigAndHash contains the contents of the signature_algorithms
954 * extension (if any) from the client. This is only valid for TLS 1.2
955 * or later. */
956 SSL3SignatureAndHashAlgorithm *clientSigAndHash;
957 unsigned int numClientSigAndHash;
958
959 /* This group of values is used for DTLS */
960 PRUint16 sendMessageSeq; /* The sending message sequence
961 * number */
962 PRCList lastMessageFlight; /* The last message flight we
963 * sent */
964 PRUint16 maxMessageSent; /* The largest message we sent */
965 PRUint16 recvMessageSeq; /* The receiving message sequence
966 * number */
967 sslBuffer recvdFragments; /* The fragments we have received in
968 * a bitmask */
969 PRInt32 recvdHighWater; /* The high water mark for fragments
970 * received. -1 means no reassembly
971 * in progress. */
972 unsigned char cookie[32]; /* The cookie */
973 unsigned char cookieLen; /* The length of the cookie */
974 PRIntervalTime rtTimerStarted; /* When the timer was started */
975 DTLSTimerCb rtTimerCb; /* The function to call on expiry */
976 PRUint32 rtTimeoutMs; /* The length of the current timeout
977 * used for backoff (in ms) */
978 PRUint32 rtRetries; /* The retry counter */
979 } SSL3HandshakeState;
980
981
982
983 /*
984 ** This is the "ssl3" struct, as in "ss->ssl3".
985 ** note:
986 ** usually, crSpec == cwSpec and prSpec == pwSpec.
987 ** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
988 ** But there are never more than 2 actual specs.
989 ** No spec must ever be modified if either "current" pointer points to it.
990 */
991 struct ssl3StateStr {
992
993 /*
994 ** The following Specs and Spec pointers must be protected using the
995 ** Spec Lock.
996 */
997 ssl3CipherSpec * crSpec; /* current read spec. */
998 ssl3CipherSpec * prSpec; /* pending read spec. */
999 ssl3CipherSpec * cwSpec; /* current write spec. */
1000 ssl3CipherSpec * pwSpec; /* pending write spec. */
1001
1002 CERTCertificate * clientCertificate; /* used by client */
1003 SECKEYPrivateKey * clientPrivateKey; /* used by client */
1004 /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not
1005 * defined in order to allow cleaner conditional code.
1006 * At most one of clientPrivateKey and platformClientKey may be set. */
1007 PlatformKey platformClientKey; /* used by client */
1008 CERTCertificateList *clientCertChain; /* used by client */
1009 PRBool sendEmptyCert; /* used by client */
1010
1011 SECKEYPrivateKey *channelID; /* used by client */
1012 SECKEYPublicKey *channelIDPub; /* used by client */
1013
1014 int policy;
1015 /* This says what cipher suites we can do, and should
1016 * be either SSL_ALLOWED or SSL_RESTRICTED
1017 */
1018 PLArenaPool * peerCertArena;
1019 /* These are used to keep track of the peer CA */
1020 void * peerCertChain;
1021 /* chain while we are trying to validate it. */
1022 CERTDistNames * ca_list;
1023 /* used by server. trusted CAs for this socket. */
1024 PRBool initialized;
1025 SSL3HandshakeState hs;
1026 ssl3CipherSpec specs[2]; /* one is current, one is pending. */
1027
1028 /* In a client: if the server supports Next Protocol Negotiation, then
1029 * this is the protocol that was negotiated.
1030 */
1031 SECItem nextProto;
1032 SSLNextProtoState nextProtoState;
1033
1034 PRUint16 mtu; /* Our estimate of the MTU */
1035
1036 /* DTLS-SRTP cipher suite preferences (if any) */
1037 PRUint16 dtlsSRTPCiphers[MAX_DTLS_SRTP_CIPHER_SUITES];
1038 PRUint16 dtlsSRTPCipherCount;
1039 PRUint16 dtlsSRTPCipherSuite; /* 0 if not selected */
1040 };
1041
1042 #define DTLS_MAX_MTU 1500 /* Ethernet MTU but without subtracting the
1043 * headers, so slightly larger than expected */
1044 #define IS_DTLS(ss) (ss->protocolVariant == ssl_variant_datagram)
1045
1046 typedef struct {
1047 SSL3ContentType type;
1048 SSL3ProtocolVersion version;
1049 SSL3SequenceNumber seq_num; /* DTLS only */
1050 sslBuffer * buf;
1051 } SSL3Ciphertext;
1052
1053 struct ssl3KeyPairStr {
1054 SECKEYPrivateKey * privKey;
1055 SECKEYPublicKey * pubKey;
1056 PRInt32 refCount; /* use PR_Atomic calls for this. */
1057 };
1058
1059 typedef struct SSLWrappedSymWrappingKeyStr {
1060 SSL3Opaque wrappedSymmetricWrappingkey[512];
1061 CK_MECHANISM_TYPE symWrapMechanism;
1062 /* unwrapped symmetric wrapping key uses this mechanism */
1063 CK_MECHANISM_TYPE asymWrapMechanism;
1064 /* mechanism used to wrap the SymmetricWrappingKey using
1065 * server's public and/or private keys. */
1066 SSL3KEAType exchKeyType; /* type of keys used to wrap SymWrapKey*/
1067 PRInt32 symWrapMechIndex;
1068 PRUint16 wrappedSymKeyLen;
1069 } SSLWrappedSymWrappingKey;
1070
1071 typedef struct SessionTicketStr {
1072 PRUint16 ticket_version;
1073 SSL3ProtocolVersion ssl_version;
1074 ssl3CipherSuite cipher_suite;
1075 SSLCompressionMethod compression_method;
1076 SSLSignType authAlgorithm;
1077 PRUint32 authKeyBits;
1078 SSLKEAType keaType;
1079 PRUint32 keaKeyBits;
1080 /*
1081 * exchKeyType and msWrapMech contain meaningful values only if
1082 * ms_is_wrapped is true.
1083 */
1084 PRUint8 ms_is_wrapped;
1085 SSLKEAType exchKeyType; /* XXX(wtc): same as keaType above? */
1086 CK_MECHANISM_TYPE msWrapMech;
1087 PRUint16 ms_length;
1088 SSL3Opaque master_secret[48];
1089 ClientIdentity client_identity;
1090 SECItem peer_cert;
1091 PRUint32 timestamp;
1092 SECItem srvName; /* negotiated server name */
1093 } SessionTicket;
1094
1095 /*
1096 * SSL2 buffers used in SSL3.
1097 * writeBuf in the SecurityInfo maintained by sslsecur.c is used
1098 * to hold the data just about to be passed to the kernel
1099 * sendBuf in the ConnectInfo maintained by sslcon.c is used
1100 * to hold handshake messages as they are accumulated
1101 */
1102
1103 /*
1104 ** This is "ci", as in "ss->sec.ci".
1105 **
1106 ** Protection: All the variables in here are protected by
1107 ** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock
1108 */
1109 struct sslConnectInfoStr {
1110 /* outgoing handshakes appended to this. */
1111 sslBuffer sendBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
1112
1113 PRIPv6Addr peer; /* ssl 2 & 3 */
1114 unsigned short port; /* ssl 2 & 3 */
1115
1116 sslSessionID *sid; /* ssl 2 & 3 */
1117
1118 /* see CIS_HAVE defines below for the bit values in *elements. */
1119 char elements; /* ssl2 only */
1120 char requiredElements; /* ssl2 only */
1121 char sentElements; /* ssl2 only */
1122
1123 char sentFinished; /* ssl2 only */
1124
1125 /* Length of server challenge. Used by client when saving challenge */
1126 int serverChallengeLen; /* ssl2 only */
1127 /* type of authentication requested by server */
1128 unsigned char authType; /* ssl2 only */
1129
1130 /* Challenge sent by client to server in client-hello message */
1131 /* SSL3 gets a copy of this. See ssl3_StartHandshakeHash(). */
1132 unsigned char clientChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl 2 & 3 */
1133
1134 /* Connection-id sent by server to client in server-hello message */
1135 unsigned char connectionID[SSL_CONNECTIONID_BYTES]; /* ssl2 only */
1136
1137 /* Challenge sent by server to client in request-certificate message */
1138 unsigned char serverChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl2 only */
1139
1140 /* Information kept to handle a request-certificate message */
1141 unsigned char readKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */
1142 unsigned char writeKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */
1143 unsigned keySize; /* ssl2 only */
1144 };
1145
1146 /* bit values for ci->elements, ci->requiredElements, sentElements. */
1147 #define CIS_HAVE_MASTER_KEY 0x01
1148 #define CIS_HAVE_CERTIFICATE 0x02
1149 #define CIS_HAVE_FINISHED 0x04
1150 #define CIS_HAVE_VERIFY 0x08
1151
1152 /* Note: The entire content of this struct and whatever it points to gets
1153 * blown away by SSL_ResetHandshake(). This is "sec" as in "ss->sec".
1154 *
1155 * Unless otherwise specified below, the contents of this struct are
1156 * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock.
1157 */
1158 struct sslSecurityInfoStr {
1159 sslSendFunc send; /*xmitBufLock*/ /* ssl 2 & 3 */
1160 int isServer; /* Spec Lock?*/ /* ssl 2 & 3 */
1161 sslBuffer writeBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
1162
1163 int cipherType; /* ssl 2 & 3 */
1164 int keyBits; /* ssl 2 & 3 */
1165 int secretKeyBits; /* ssl 2 & 3 */
1166 CERTCertificate *localCert; /* ssl 2 & 3 */
1167 CERTCertificate *peerCert; /* ssl 2 & 3 */
1168 SECKEYPublicKey *peerKey; /* ssl3 only */
1169
1170 SSLSignType authAlgorithm;
1171 PRUint32 authKeyBits;
1172 SSLKEAType keaType;
1173 PRUint32 keaKeyBits;
1174
1175 /*
1176 ** Procs used for SID cache (nonce) management.
1177 ** Different implementations exist for clients/servers
1178 ** The lookup proc is only used for servers. Baloney!
1179 */
1180 sslSessionIDCacheFunc cache; /* ssl 2 & 3 */
1181 sslSessionIDUncacheFunc uncache; /* ssl 2 & 3 */
1182
1183 /*
1184 ** everything below here is for ssl2 only.
1185 ** This stuff is equivalent to SSL3's "spec", and is protected by the
1186 ** same "Spec Lock" as used for SSL3's specs.
1187 */
1188 PRUint32 sendSequence; /*xmitBufLock*/ /* ssl2 only */
1189 PRUint32 rcvSequence; /*recvBufLock*/ /* ssl2 only */
1190
1191 /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */
1192 const SECHashObject *hash; /* Spec Lock */ /* ssl2 only */
1193 void *hashcx; /* Spec Lock */ /* ssl2 only */
1194
1195 SECItem sendSecret; /* Spec Lock */ /* ssl2 only */
1196 SECItem rcvSecret; /* Spec Lock */ /* ssl2 only */
1197
1198 /* Session cypher contexts; one for each direction */
1199 void *readcx; /* Spec Lock */ /* ssl2 only */
1200 void *writecx; /* Spec Lock */ /* ssl2 only */
1201 SSLCipher enc; /* Spec Lock */ /* ssl2 only */
1202 SSLCipher dec; /* Spec Lock */ /* ssl2 only */
1203 void (*destroy)(void *, PRBool); /* Spec Lock */ /* ssl2 only */
1204
1205 /* Blocking information for the session cypher */
1206 int blockShift; /* Spec Lock */ /* ssl2 only */
1207 int blockSize; /* Spec Lock */ /* ssl2 only */
1208
1209 /* These are used during a connection handshake */
1210 sslConnectInfo ci; /* ssl 2 & 3 */
1211
1212 };
1213
1214 /*
1215 ** SSL Socket struct
1216 **
1217 ** Protection: XXX
1218 */
1219 struct sslSocketStr {
1220 PRFileDesc * fd;
1221
1222 /* Pointer to operations vector for this socket */
1223 const sslSocketOps * ops;
1224
1225 /* SSL socket options */
1226 sslOptions opt;
1227 /* Enabled version range */
1228 SSLVersionRange vrange;
1229
1230 /* State flags */
1231 unsigned long clientAuthRequested;
1232 unsigned long delayDisabled; /* Nagle delay disabled */
1233 unsigned long firstHsDone; /* first handshake is complete. */
1234 unsigned long enoughFirstHsDone; /* enough of the first handshake is
1235 * done for callbacks to be able to
1236 * retrieve channel security
1237 * parameters from the SSL socket. */
1238 unsigned long handshakeBegun;
1239 unsigned long lastWriteBlocked;
1240 unsigned long recvdCloseNotify; /* received SSL EOF. */
1241 unsigned long TCPconnected;
1242 unsigned long appDataBuffered;
1243 unsigned long peerRequestedProtection; /* from old renegotiation */
1244
1245 /* version of the protocol to use */
1246 SSL3ProtocolVersion version;
1247 SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */
1248
1249 sslSecurityInfo sec; /* not a pointer any more */
1250
1251 /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */
1252 const char *url; /* ssl 2 & 3 */
1253
1254 sslHandshakeFunc handshake; /*firstHandshakeLock*/
1255 sslHandshakeFunc nextHandshake; /*firstHandshakeLock*/
1256 sslHandshakeFunc securityHandshake; /*firstHandshakeLock*/
1257
1258 /* the following variable is only used with socks or other proxies. */
1259 char * peerID; /* String uniquely identifies target server. */
1260
1261 unsigned char * cipherSpecs;
1262 unsigned int sizeCipherSpecs;
1263 const unsigned char * preferredCipher;
1264
1265 /* TLS ClientCertificateTypes requested during HandleCertificateRequest. */
1266 /* Will be NULL at all other times. */
1267 const SECItem *requestedCertTypes;
1268
1269 ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */
1270
1271 /* Callbacks */
1272 SSLAuthCertificate authCertificate;
1273 void *authCertificateArg;
1274 SSLGetClientAuthData getClientAuthData;
1275 void *getClientAuthDataArg;
1276 #ifdef NSS_PLATFORM_CLIENT_AUTH
1277 SSLGetPlatformClientAuthData getPlatformClientAuthData;
1278 void *getPlatformClientAuthDataArg;
1279 #endif /* NSS_PLATFORM_CLIENT_AUTH */
1280 SSLSNISocketConfig sniSocketConfig;
1281 void *sniSocketConfigArg;
1282 SSLBadCertHandler handleBadCert;
1283 void *badCertArg;
1284 SSLHandshakeCallback handshakeCallback;
1285 void *handshakeCallbackData;
1286 SSLCanFalseStartCallback canFalseStartCallback;
1287 void *canFalseStartCallbackData;
1288 void *pkcs11PinArg;
1289 SSLNextProtoCallback nextProtoCallback;
1290 void *nextProtoArg;
1291 SSLClientChannelIDCallback getChannelID;
1292 void *getChannelIDArg;
1293
1294 PRIntervalTime rTimeout; /* timeout for NSPR I/O */
1295 PRIntervalTime wTimeout; /* timeout for NSPR I/O */
1296 PRIntervalTime cTimeout; /* timeout for NSPR I/O */
1297
1298 PZLock * recvLock; /* lock against multiple reader threads. */
1299 PZLock * sendLock; /* lock against multiple sender threads. */
1300
1301 PZMonitor * recvBufLock; /* locks low level recv buffers. */
1302 PZMonitor * xmitBufLock; /* locks low level xmit buffers. */
1303
1304 /* Only one thread may operate on the socket until the initial handshake
1305 ** is complete. This Monitor ensures that. Since SSL2 handshake is
1306 ** only done once, this is also effectively the SSL2 handshake lock.
1307 */
1308 PZMonitor * firstHandshakeLock;
1309
1310 /* This monitor protects the ssl3 handshake state machine data.
1311 ** Only one thread (reader or writer) may be in the ssl3 handshake state
1312 ** machine at any time. */
1313 PZMonitor * ssl3HandshakeLock;
1314
1315 /* reader/writer lock, protects the secret data needed to encrypt and MAC
1316 ** outgoing records, and to decrypt and MAC check incoming ciphertext
1317 ** records. */
1318 NSSRWLock * specLock;
1319
1320 /* handle to perm cert db (and implicitly to the temp cert db) used
1321 ** with this socket.
1322 */
1323 CERTCertDBHandle * dbHandle;
1324
1325 PRThread * writerThread; /* thread holds SSL_LOCK_WRITER lock */
1326
1327 PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */
1328
1329 PRUint16 allowedByPolicy; /* copy of global policy bits. */
1330 PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */
1331 PRUint16 chosenPreference; /* SSL2 cipher preferences. */
1332
1333 sslHandshakingType handshaking;
1334
1335 /* Gather object used for gathering data */
1336 sslGather gs; /*recvBufLock*/
1337
1338 sslBuffer saveBuf; /*xmitBufLock*/
1339 sslBuffer pendingBuf; /*xmitBufLock*/
1340
1341 /* Configuration state for server sockets */
1342 /* server cert and key for each KEA type */
1343 sslServerCerts serverCerts[kt_kea_size];
1344 /* each cert needs its own status */
1345 SECItemArray * certStatusArray[kt_kea_size];
1346
1347 ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];
1348 ssl3KeyPair * ephemeralECDHKeyPair; /* for ECDHE-* handshake */
1349
1350 /* SSL3 state info. Formerly was a pointer */
1351 ssl3State ssl3;
1352
1353 /*
1354 * TLS extension related data.
1355 */
1356 /* True when the current session is a stateless resume. */
1357 PRBool statelessResume;
1358 TLSExtensionData xtnData;
1359
1360 /* Whether we are doing stream or datagram mode */
1361 SSLProtocolVariant protocolVariant;
1362 };
1363
1364
1365
1366 /* All the global data items declared here should be protected using the
1367 ** ssl_global_data_lock, which is a reader/writer lock.
1368 */
1369 extern NSSRWLock * ssl_global_data_lock;
1370 extern char ssl_debug;
1371 extern char ssl_trace;
1372 extern FILE * ssl_trace_iob;
1373 extern FILE * ssl_keylog_iob;
1374 extern CERTDistNames * ssl3_server_ca_list;
1375 extern PRUint32 ssl_sid_timeout;
1376 extern PRUint32 ssl3_sid_timeout;
1377
1378 extern const char * const ssl_cipherName[];
1379 extern const char * const ssl3_cipherName[];
1380
1381 extern sslSessionIDLookupFunc ssl_sid_lookup;
1382 extern sslSessionIDCacheFunc ssl_sid_cache;
1383 extern sslSessionIDUncacheFunc ssl_sid_uncache;
1384
1385 /************************************************************************/
1386
1387 SEC_BEGIN_PROTOS
1388
1389 /* Functions for handling SECItemArrays, added in NSS 3.15 */
1390 extern SECItemArray *SECITEM_AllocArray(PLArenaPool *arena,
1391 SECItemArray *array,
1392 unsigned int len);
1393 extern SECItemArray *SECITEM_DupArray(PLArenaPool *arena,
1394 const SECItemArray *from);
1395 extern void SECITEM_FreeArray(SECItemArray *array, PRBool freeit);
1396 extern void SECITEM_ZfreeArray(SECItemArray *array, PRBool freeit);
1397
1398 /* Internal initialization and installation of the SSL error tables */
1399 extern SECStatus ssl_Init(void);
1400 extern SECStatus ssl_InitializePRErrorTable(void);
1401
1402 /* Implementation of ops for default (non socks, non secure) case */
1403 extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr);
1404 extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr);
1405 extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr);
1406 extern int ssl_DefListen(sslSocket *ss, int backlog);
1407 extern int ssl_DefShutdown(sslSocket *ss, int how);
1408 extern int ssl_DefClose(sslSocket *ss);
1409 extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
1410 extern int ssl_DefSend(sslSocket *ss, const unsigned char *buf,
1411 int len, int flags);
1412 extern int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len);
1413 extern int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len);
1414 extern int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name);
1415 extern int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name);
1416 extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname,
1417 void *optval, PRInt32 *optlen);
1418 extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname,
1419 const void *optval, PRInt32 optlen);
1420
1421 /* Implementation of ops for socks only case */
1422 extern int ssl_SocksConnect(sslSocket *ss, const PRNetAddr *addr);
1423 extern PRFileDesc *ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr);
1424 extern int ssl_SocksBind(sslSocket *ss, const PRNetAddr *addr);
1425 extern int ssl_SocksListen(sslSocket *ss, int backlog);
1426 extern int ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name);
1427 extern int ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
1428 extern int ssl_SocksSend(sslSocket *ss, const unsigned char *buf,
1429 int len, int flags);
1430 extern int ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len);
1431 extern int ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len);
1432
1433 /* Implementation of ops for secure only case */
1434 extern int ssl_SecureConnect(sslSocket *ss, const PRNetAddr *addr);
1435 extern PRFileDesc *ssl_SecureAccept(sslSocket *ss, PRNetAddr *addr);
1436 extern int ssl_SecureRecv(sslSocket *ss, unsigned char *buf,
1437 int len, int flags);
1438 extern int ssl_SecureSend(sslSocket *ss, const unsigned char *buf,
1439 int len, int flags);
1440 extern int ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len);
1441 extern int ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len);
1442 extern int ssl_SecureShutdown(sslSocket *ss, int how);
1443 extern int ssl_SecureClose(sslSocket *ss);
1444
1445 /* Implementation of ops for secure socks case */
1446 extern int ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *addr);
1447 extern PRFileDesc *ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr);
1448 extern PRFileDesc *ssl_FindTop(sslSocket *ss);
1449
1450 /* Gather funcs. */
1451 extern sslGather * ssl_NewGather(void);
1452 extern SECStatus ssl_InitGather(sslGather *gs);
1453 extern void ssl_DestroyGather(sslGather *gs);
1454 extern int ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags);
1455 extern int ssl2_GatherRecord(sslSocket *ss, int flags);
1456 extern SECStatus ssl_GatherRecord1stHandshake(sslSocket *ss);
1457
1458 extern SECStatus ssl2_HandleClientHelloMessage(sslSocket *ss);
1459 extern SECStatus ssl2_HandleServerHelloMessage(sslSocket *ss);
1460
1461 extern SECStatus ssl_CreateSecurityInfo(sslSocket *ss);
1462 extern SECStatus ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os);
1463 extern void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset);
1464 extern void ssl_DestroySecurityInfo(sslSecurityInfo *sec);
1465
1466 extern void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len);
1467 extern void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len);
1468
1469 extern int ssl_SendSavedWriteData(sslSocket *ss);
1470 extern SECStatus ssl_SaveWriteData(sslSocket *ss,
1471 const void* p, unsigned int l);
1472 extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss);
1473 extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss);
1474 extern int ssl_Do1stHandshake(sslSocket *ss);
1475
1476 extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen);
1477 extern SECStatus sslBuffer_Append(sslBuffer *b, const void * data,
1478 unsigned int len);
1479
1480 extern void ssl2_UseClearSendFunc(sslSocket *ss);
1481 extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec);
1482
1483 extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server);
1484 extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port,
1485 const char *peerID, const char *urlSvrName);
1486 extern void ssl_FreeSID(sslSessionID *sid);
1487
1488 extern int ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
1489 int len, int flags);
1490
1491 extern PRBool ssl_FdIsBlocking(PRFileDesc *fd);
1492
1493 extern PRBool ssl_SocketIsBlocking(sslSocket *ss);
1494
1495 extern void ssl3_SetAlwaysBlock(sslSocket *ss);
1496
1497 extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
1498
1499 extern void ssl_FinishHandshake(sslSocket *ss);
1500
1501 /* Returns PR_TRUE if we are still waiting for the server to respond to our
1502 * client second round. Once we've received any part of the server's second
1503 * round then we don't bother trying to false start since it is almost always
1504 * the case that the NewSessionTicket, ChangeCipherSoec, and Finished messages
1505 * were sent in the same packet and we want to process them all at the same
1506 * time. If we were to try to false start in the middle of the server's second
1507 * round, then we would increase the number of I/O operations
1508 * (SSL_ForceHandshake/PR_Recv/PR_Send/etc.) needed to finish the handshake.
1509 */
1510 extern PRBool ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss);
1511
1512 extern SECStatus
1513 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec,
1514 PRBool isServer,
1515 PRBool isDTLS,
1516 PRBool capRecordVersion,
1517 SSL3ContentType type,
1518 const SSL3Opaque * pIn,
1519 PRUint32 contentLen,
1520 sslBuffer * wrBuf);
1521 extern PRInt32 ssl3_SendRecord(sslSocket *ss, DTLSEpoch epoch,
1522 SSL3ContentType type,
1523 const SSL3Opaque* pIn, PRInt32 nIn,
1524 PRInt32 flags);
1525
1526 #ifdef NSS_ENABLE_ZLIB
1527 /*
1528 * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a
1529 * maximum TLS record payload of 2**14 bytes, that's 29 bytes.
1530 */
1531 #define SSL3_COMPRESSION_MAX_EXPANSION 29
1532 #else /* !NSS_ENABLE_ZLIB */
1533 #define SSL3_COMPRESSION_MAX_EXPANSION 0
1534 #endif
1535
1536 /*
1537 * make sure there is room in the write buffer for padding and
1538 * other compression and cryptographic expansions.
1539 */
1540 #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION
1541
1542 #define SSL_LOCK_READER(ss) if (ss->recvLock) PZ_Lock(ss->recvLock)
1543 #define SSL_UNLOCK_READER(ss) if (ss->recvLock) PZ_Unlock(ss->recvLock)
1544 #define SSL_LOCK_WRITER(ss) if (ss->sendLock) PZ_Lock(ss->sendLock)
1545 #define SSL_UNLOCK_WRITER(ss) if (ss->sendLock) PZ_Unlock(ss->sendLock)
1546
1547 /* firstHandshakeLock -> recvBufLock */
1548 #define ssl_Get1stHandshakeLock(ss) \
1549 { if (!ss->opt.noLocks) { \
1550 PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \
1551 !ssl_HaveRecvBufLock(ss)); \
1552 PZ_EnterMonitor((ss)->firstHandshakeLock); \
1553 } }
1554 #define ssl_Release1stHandshakeLock(ss) \
1555 { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
1556 #define ssl_Have1stHandshakeLock(ss) \
1557 (PZ_InMonitor((ss)->firstHandshakeLock))
1558
1559 /* ssl3HandshakeLock -> xmitBufLock */
1560 #define ssl_GetSSL3HandshakeLock(ss) \
1561 { if (!ss->opt.noLocks) { \
1562 PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
1563 PZ_EnterMonitor((ss)->ssl3HandshakeLock); \
1564 } }
1565 #define ssl_ReleaseSSL3HandshakeLock(ss) \
1566 { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
1567 #define ssl_HaveSSL3HandshakeLock(ss) \
1568 (PZ_InMonitor((ss)->ssl3HandshakeLock))
1569
1570 #define ssl_GetSpecReadLock(ss) \
1571 { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); }
1572 #define ssl_ReleaseSpecReadLock(ss) \
1573 { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
1574 /* NSSRWLock_HaveReadLock is not exported so there's no
1575 * ssl_HaveSpecReadLock macro. */
1576
1577 #define ssl_GetSpecWriteLock(ss) \
1578 { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); }
1579 #define ssl_ReleaseSpecWriteLock(ss) \
1580 { if (!ss->opt.noLocks) NSSRWLock_UnlockWrite((ss)->specLock); }
1581 #define ssl_HaveSpecWriteLock(ss) \
1582 (NSSRWLock_HaveWriteLock((ss)->specLock))
1583
1584 /* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */
1585 #define ssl_GetRecvBufLock(ss) \
1586 { if (!ss->opt.noLocks) { \
1587 PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \
1588 PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
1589 PZ_EnterMonitor((ss)->recvBufLock); \
1590 } }
1591 #define ssl_ReleaseRecvBufLock(ss) \
1592 { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
1593 #define ssl_HaveRecvBufLock(ss) \
1594 (PZ_InMonitor((ss)->recvBufLock))
1595
1596 /* xmitBufLock -> specLock */
1597 #define ssl_GetXmitBufLock(ss) \
1598 { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
1599 #define ssl_ReleaseXmitBufLock(ss) \
1600 { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); }
1601 #define ssl_HaveXmitBufLock(ss) \
1602 (PZ_InMonitor((ss)->xmitBufLock))
1603
1604 /* Placeholder value used in version ranges when SSL 3.0 and all
1605 * versions of TLS are disabled.
1606 */
1607 #define SSL_LIBRARY_VERSION_NONE 0
1608
1609 /* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version
1610 * of libssl supports. Applications should use SSL_VersionRangeGetSupported at
1611 * runtime to determine which versions are supported by the version of libssl
1612 * in use.
1613 */
1614 #ifdef NSS_ENABLE_TLS_1_3
1615 #define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_3
1616 #else
1617 #define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_2
1618 #endif
1619
1620 /* Rename this macro SSL_ALL_VERSIONS_DISABLED when SSL 2.0 is removed. */
1621 #define SSL3_ALL_VERSIONS_DISABLED(vrange) \
1622 ((vrange)->min == SSL_LIBRARY_VERSION_NONE)
1623
1624 extern PRBool ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
1625 SSL3ProtocolVersion version);
1626
1627 extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec * pwSpec,
1628 const unsigned char * cr, const unsigned char * sr,
1629 PRBool isTLS, PRBool isExport);
1630 extern SECStatus ssl3_MasterKeyDeriveBypass( ssl3CipherSpec * pwSpec,
1631 const unsigned char * cr, const unsigned char * sr,
1632 const SECItem * pms, PRBool isTLS, PRBool isRSA);
1633
1634 /* These functions are called from secnav, even though they're "private". */
1635
1636 extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error);
1637 extern sslSocket *ssl_FindSocket(PRFileDesc *fd);
1638 extern void ssl_FreeSocket(struct sslSocketStr *ssl);
1639 extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
1640 SSL3AlertDescription desc);
1641 extern SECStatus ssl3_DecodeError(sslSocket *ss);
1642
1643 extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
1644 CERTCertificate * cert,
1645 SECKEYPrivateKey * key,
1646 CERTCertificateList *certChain);
1647
1648 extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq(
1649 sslSocket *ss,
1650 SECKEYPublicKey *channelIDPub,
1651 SECKEYPrivateKey *channelID);
1652
1653 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
1654
1655 /*
1656 * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
1657 */
1658 extern SECStatus ssl3_HandleV2ClientHello(
1659 sslSocket *ss, unsigned char *buffer, int length);
1660 extern SECStatus ssl3_StartHandshakeHash(
1661 sslSocket *ss, unsigned char *buf, int length);
1662
1663 /*
1664 * SSL3 specific routines
1665 */
1666 SECStatus ssl3_SendClientHello(sslSocket *ss, PRBool resending);
1667
1668 /*
1669 * input into the SSL3 machinery from the actualy network reading code
1670 */
1671 SECStatus ssl3_HandleRecord(
1672 sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out);
1673
1674 int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
1675 int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags);
1676 /*
1677 * When talking to export clients or using export cipher suites, servers
1678 * with public RSA keys larger than 512 bits need to use a 512-bit public
1679 * key, signed by the larger key. The smaller key is a "step down" key.
1680 * Generate that key pair and keep it around.
1681 */
1682 extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
1683
1684 #ifndef NSS_DISABLE_ECC
1685 extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
1686 extern PRBool ssl3_IsECCEnabled(sslSocket *ss);
1687 extern SECStatus ssl3_DisableECCSuites(sslSocket * ss,
1688 const ssl3CipherSuite * suite);
1689 extern PRUint32 ssl3_GetSupportedECCurveMask(sslSocket *ss);
1690
1691
1692 /* Macro for finding a curve equivalent in strength to RSA key's */
1693 #define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \
1694 ((s <= 1024) ? 160 \
1695 : ((s <= 2048) ? 224 \
1696 : ((s <= 3072) ? 256 \
1697 : ((s <= 7168) ? 384 : 521 ) ) ) )
1698
1699 /* Types and names of elliptic curves used in TLS */
1700 typedef enum { ec_type_explicitPrime = 1,
1701 ec_type_explicitChar2Curve = 2,
1702 ec_type_named
1703 } ECType;
1704
1705 typedef enum { ec_noName = 0,
1706 ec_sect163k1 = 1,
1707 ec_sect163r1 = 2,
1708 ec_sect163r2 = 3,
1709 ec_sect193r1 = 4,
1710 ec_sect193r2 = 5,
1711 ec_sect233k1 = 6,
1712 ec_sect233r1 = 7,
1713 ec_sect239k1 = 8,
1714 ec_sect283k1 = 9,
1715 ec_sect283r1 = 10,
1716 ec_sect409k1 = 11,
1717 ec_sect409r1 = 12,
1718 ec_sect571k1 = 13,
1719 ec_sect571r1 = 14,
1720 ec_secp160k1 = 15,
1721 ec_secp160r1 = 16,
1722 ec_secp160r2 = 17,
1723 ec_secp192k1 = 18,
1724 ec_secp192r1 = 19,
1725 ec_secp224k1 = 20,
1726 ec_secp224r1 = 21,
1727 ec_secp256k1 = 22,
1728 ec_secp256r1 = 23,
1729 ec_secp384r1 = 24,
1730 ec_secp521r1 = 25,
1731 ec_pastLastName
1732 } ECName;
1733
1734 extern SECStatus ssl3_ECName2Params(PLArenaPool *arena, ECName curve,
1735 SECKEYECParams *params);
1736 ECName ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits);
1737
1738
1739 #endif /* NSS_DISABLE_ECC */
1740
1741 extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
1742 extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
1743 extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
1744 extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled);
1745
1746 extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
1747 extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
1748 extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
1749 extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
1750 extern SECStatus ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *cipher,
1751 unsigned int len);
1752
1753 extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
1754 extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
1755 extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
1756 extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
1757
1758 extern void ssl2_InitSocketPolicy(sslSocket *ss);
1759 extern void ssl3_InitSocketPolicy(sslSocket *ss);
1760
1761 extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
1762 unsigned char *cs, int *size);
1763
1764 extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
1765 extern SECStatus ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b,
1766 PRUint32 length);
1767
1768 extern void ssl3_DestroySSL3Info(sslSocket *ss);
1769
1770 extern SECStatus ssl3_NegotiateVersion(sslSocket *ss,
1771 SSL3ProtocolVersion peerVersion,
1772 PRBool allowLargerPeerVersion);
1773
1774 extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
1775
1776 #ifndef NSS_DISABLE_ECC
1777 /* ECDH functions */
1778 extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket * ss,
1779 SECKEYPublicKey * svrPubKey);
1780 extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss,
1781 SSL3Opaque *b, PRUint32 length);
1782 extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss,
1783 SSL3Opaque *b, PRUint32 length,
1784 SECKEYPublicKey *srvrPubKey,
1785 SECKEYPrivateKey *srvrPrivKey);
1786 extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss,
1787 const SSL3SignatureAndHashAlgorithm *sigAndHash);
1788 #endif
1789
1790 extern SECStatus ssl3_ComputeCommonKeyHash(SECOidTag hashAlg,
1791 PRUint8 * hashBuf,
1792 unsigned int bufLen, SSL3Hashes *hashes,
1793 PRBool bypassPKCS11);
1794 extern void ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName);
1795 extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms);
1796 extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src,
1797 PRInt32 bytes);
1798 extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss,
1799 SSL3HandshakeType t, PRUint32 length);
1800 extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num,
1801 PRInt32 lenSize);
1802 extern SECStatus ssl3_AppendHandshakeVariable( sslSocket *ss,
1803 const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize);
1804 extern SECStatus ssl3_AppendSignatureAndHashAlgorithm(sslSocket *ss,
1805 const SSL3SignatureAndHashAlgorithm* sigAndHash);
1806 extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes,
1807 SSL3Opaque **b, PRUint32 *length);
1808 extern PRInt32 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes,
1809 SSL3Opaque **b, PRUint32 *length);
1810 extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i,
1811 PRInt32 bytes, SSL3Opaque **b, PRUint32 *length);
1812 extern SECOidTag ssl3_TLSHashAlgorithmToOID(int hashFunc);
1813 extern SECStatus ssl3_CheckSignatureAndHashAlgorithmConsistency(
1814 const SSL3SignatureAndHashAlgorithm *sigAndHash,
1815 CERTCertificate* cert);
1816 extern SECStatus ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
1817 SSL3Opaque **b, PRUint32 *length,
1818 SSL3SignatureAndHashAlgorithm *out);
1819 extern SECStatus ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key,
1820 SECItem *buf, PRBool isTLS);
1821 extern SECStatus ssl3_VerifySignedHashes(SSL3Hashes *hash,
1822 CERTCertificate *cert, SECItem *buf, PRBool isTLS,
1823 void *pwArg);
1824 extern SECStatus ssl3_CacheWrappedMasterSecret(sslSocket *ss,
1825 sslSessionID *sid, ssl3CipherSpec *spec,
1826 SSL3KEAType effectiveExchKeyType);
1827
1828 /* Functions that handle ClientHello and ServerHello extensions. */
1829 extern SECStatus ssl3_HandleServerNameXtn(sslSocket * ss,
1830 PRUint16 ex_type, SECItem *data);
1831 extern SECStatus ssl3_HandleSupportedCurvesXtn(sslSocket * ss,
1832 PRUint16 ex_type, SECItem *data);
1833 extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss,
1834 PRUint16 ex_type, SECItem *data);
1835 extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
1836 PRUint16 ex_type, SECItem *data);
1837 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
1838 PRUint16 ex_type, SECItem *data);
1839
1840 /* ClientHello and ServerHello extension senders.
1841 * Note that not all extension senders are exposed here; only those that
1842 * that need exposure.
1843 */
1844 extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append,
1845 PRUint32 maxBytes);
1846
1847 /* ClientHello and ServerHello extension senders.
1848 * The code is in ssl3ext.c.
1849 */
1850 extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
1851 PRUint32 maxBytes);
1852
1853 /* Assigns new cert, cert chain and keys to ss->serverCerts
1854 * struct. If certChain is NULL, tries to find one. Aborts if
1855 * fails to do so. If cert and keyPair are NULL - unconfigures
1856 * sslSocket of kea type.*/
1857 extern SECStatus ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
1858 const CERTCertificateList *certChain,
1859 ssl3KeyPair *keyPair, SSLKEAType kea);
1860
1861 #ifndef NSS_DISABLE_ECC
1862 extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
1863 PRBool append, PRUint32 maxBytes);
1864 extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss,
1865 PRBool append, PRUint32 maxBytes);
1866 #endif
1867
1868 /* call the registered extension handlers. */
1869 extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss,
1870 SSL3Opaque **b, PRUint32 *length);
1871
1872 /* Hello Extension related routines. */
1873 extern PRBool ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type);
1874 extern void ssl3_SetSIDSessionTicket(sslSessionID *sid,
1875 /*in/out*/ NewSessionTicket *session_ticket);
1876 extern SECStatus ssl3_SendNewSessionTicket(sslSocket *ss);
1877 extern PRBool ssl_GetSessionTicketKeys(unsigned char *keyName,
1878 unsigned char *encKey, unsigned char *macKey);
1879 extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
1880 SECKEYPublicKey *svrPubKey, void *pwArg,
1881 unsigned char *keyName, PK11SymKey **aesKey,
1882 PK11SymKey **macKey);
1883
1884 /* Tell clients to consider tickets valid for this long. */
1885 #define TLS_EX_SESS_TICKET_LIFETIME_HINT (2 * 24 * 60 * 60) /* 2 days */
1886 #define TLS_EX_SESS_TICKET_VERSION (0x0100)
1887
1888 extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data,
1889 unsigned int length);
1890
1891 extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
1892 unsigned char *out,
1893 unsigned int *outLen,
1894 unsigned int outLenMax);
1895
1896 /* Construct a new NSPR socket for the app to use */
1897 extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
1898 extern void ssl_FreePRSocket(PRFileDesc *fd);
1899
1900 /* Internal config function so SSL3 can initialize the present state of
1901 * various ciphers */
1902 extern int ssl3_config_match_init(sslSocket *);
1903
1904
1905 /* Create a new ref counted key pair object from two keys. */
1906 extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey,
1907 SECKEYPublicKey * pubKey);
1908
1909 /* get a new reference (bump ref count) to an ssl3KeyPair. */
1910 extern ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair);
1911
1912 /* Decrement keypair's ref count and free if zero. */
1913 extern void ssl3_FreeKeyPair(ssl3KeyPair * keyPair);
1914
1915 /* calls for accessing wrapping keys across processes. */
1916 extern PRBool
1917 ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
1918 SSL3KEAType exchKeyType,
1919 SSLWrappedSymWrappingKey *wswk);
1920
1921 /* The caller passes in the new value it wants
1922 * to set. This code tests the wrapped sym key entry in the file on disk.
1923 * If it is uninitialized, this function writes the caller's value into
1924 * the disk entry, and returns false.
1925 * Otherwise, it overwrites the caller's wswk with the value obtained from
1926 * the disk, and returns PR_TRUE.
1927 * This is all done while holding the locks/semaphores necessary to make
1928 * the operation atomic.
1929 */
1930 extern PRBool
1931 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
1932
1933 /* get rid of the symmetric wrapping key references. */
1934 extern SECStatus SSL3_ShutdownServerCache(void);
1935
1936 extern SECStatus ssl_InitSymWrapKeysLock(void);
1937
1938 extern SECStatus ssl_FreeSymWrapKeysLock(void);
1939
1940 extern SECStatus ssl_InitSessionCacheLocks(void);
1941
1942 /***************** platform client auth ****************/
1943
1944 #ifdef NSS_PLATFORM_CLIENT_AUTH
1945 // Releases the platform key.
1946 extern void ssl_FreePlatformKey(PlatformKey key);
1947
1948 // Implement the client CertificateVerify message for SSL3/TLS1.0
1949 extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash,
1950 PlatformKey key, SECItem *buf,
1951 PRBool isTLS, KeyType keyType);
1952
1953 // Converts a CERTCertList* (A collection of CERTCertificates) into a
1954 // CERTCertificateList* (A collection of SECItems), or returns NULL if
1955 // it cannot be converted.
1956 // This is to allow the platform-supplied chain to be created with purely
1957 // public API functions, using the preferred CERTCertList mutators, rather
1958 // pushing this hack to clients.
1959 extern CERTCertificateList* hack_NewCertificateListFromCertList(
1960 CERTCertList* list);
1961 #endif /* NSS_PLATFORM_CLIENT_AUTH */
1962
1963 /**************** DTLS-specific functions **************/
1964 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg);
1965 extern void dtls_FreeQueuedMessages(PRCList *lst);
1966 extern void dtls_FreeHandshakeMessages(PRCList *lst);
1967
1968 extern SECStatus dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf);
1969 extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss,
1970 SSL3Opaque *b, PRUint32 length);
1971 extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss);
1972 extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
1973 const SSL3Opaque *pIn, PRInt32 nIn);
1974 extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
1975 extern SECStatus dtls_CompressMACEncryptRecord(sslSocket *ss,
1976 DTLSEpoch epoch,
1977 PRBool use_epoch,
1978 SSL3ContentType type,
1979 const SSL3Opaque *pIn,
1980 PRUint32 contentLen,
1981 sslBuffer *wrBuf);
1982 SECStatus ssl3_DisableNonDTLSSuites(sslSocket * ss);
1983 extern SECStatus dtls_StartTimer(sslSocket *ss, DTLSTimerCb cb);
1984 extern SECStatus dtls_RestartTimer(sslSocket *ss, PRBool backoff,
1985 DTLSTimerCb cb);
1986 extern void dtls_CheckTimer(sslSocket *ss);
1987 extern void dtls_CancelTimer(sslSocket *ss);
1988 extern void dtls_FinishedTimerCb(sslSocket *ss);
1989 extern void dtls_SetMTU(sslSocket *ss, PRUint16 advertised);
1990 extern void dtls_InitRecvdRecords(DTLSRecvdRecords *records);
1991 extern int dtls_RecordGetRecvd(DTLSRecvdRecords *records, PRUint64 seq);
1992 extern void dtls_RecordSetRecvd(DTLSRecvdRecords *records, PRUint64 seq);
1993 extern void dtls_RehandshakeCleanup(sslSocket *ss);
1994 extern SSL3ProtocolVersion
1995 dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv);
1996 extern SSL3ProtocolVersion
1997 dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv);
1998
1999 /********************** misc calls *********************/
2000
2001 #ifdef DEBUG
2002 extern void ssl3_CheckCipherSuiteOrderConsistency();
2003 #endif
2004
2005 extern int ssl_MapLowLevelError(int hiLevelError);
2006
2007 extern PRUint32 ssl_Time(void);
2008
2009 extern void SSL_AtomicIncrementLong(long * x);
2010
2011 SECStatus SSL_DisableDefaultExportCipherSuites(void);
2012 SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
2013 PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite);
2014
2015 extern SECStatus
2016 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec,
2017 const char *label, unsigned int labelLen,
2018 const unsigned char *val, unsigned int valLen,
2019 unsigned char *out, unsigned int outLen);
2020
2021 #ifdef TRACE
2022 #define SSL_TRACE(msg) ssl_Trace msg
2023 #else
2024 #define SSL_TRACE(msg)
2025 #endif
2026
2027 void ssl_Trace(const char *format, ...);
2028
2029 SEC_END_PROTOS
2030
2031 #if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
2032 #define SSL_GETPID getpid
2033 #elif defined(WIN32)
2034 extern int __cdecl _getpid(void);
2035 #define SSL_GETPID _getpid
2036 #else
2037 #define SSL_GETPID() 0
2038 #endif
2039
2040 #endif /* __sslimpl_h_ */