search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Roll src/third_party/WebKit 8121bc6:918aba1 (svn 188871:188878)
[chromium-blink-merge.git] / net / third_party / nss / ssl / sslimpl.h
blob8754e16f7d39af3c793e4cee7498d2afa0562f8e
1 /*
2 * This file is PRIVATE to SSL and should be the first thing included by
3 * any SSL implementation file.
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8
9 #ifndef __sslimpl_h_
10 #define __sslimpl_h_
11
12 #ifdef DEBUG
13 #undef NDEBUG
14 #else
15 #undef NDEBUG
16 #define NDEBUG
17 #endif
18 #include "secport.h"
19 #include "secerr.h"
20 #include "sslerr.h"
21 #include "ssl3prot.h"
22 #include "hasht.h"
23 #include "keythi.h"
24 #include "nssilock.h"
25 #include "pkcs11t.h"
26 #if defined(XP_UNIX) || defined(XP_BEOS)
27 #include "unistd.h"
28 #endif
29 #include "nssrwlk.h"
30 #include "prthread.h"
31 #include "prclist.h"
32
33 #include "sslt.h" /* for some formerly private types, now public */
34
35 #ifdef NSS_PLATFORM_CLIENT_AUTH
36 #if defined(XP_WIN32)
37 #include <windows.h>
38 #include <wincrypt.h>
39 #elif defined(XP_MACOSX)
40 #include <Security/Security.h>
41 #endif
42 #endif
43
44 /* to make some of these old enums public without namespace pollution,
45 ** it was necessary to prepend ssl_ to the names.
46 ** These #defines preserve compatibility with the old code here in libssl.
47 */
48 typedef SSLKEAType SSL3KEAType;
49 typedef SSLMACAlgorithm SSL3MACAlgorithm;
50 typedef SSLSignType SSL3SignType;
51
52 #define sign_null ssl_sign_null
53 #define sign_rsa ssl_sign_rsa
54 #define sign_dsa ssl_sign_dsa
55 #define sign_ecdsa ssl_sign_ecdsa
56
57 #define calg_null ssl_calg_null
58 #define calg_rc4 ssl_calg_rc4
59 #define calg_rc2 ssl_calg_rc2
60 #define calg_des ssl_calg_des
61 #define calg_3des ssl_calg_3des
62 #define calg_idea ssl_calg_idea
63 #define calg_fortezza ssl_calg_fortezza /* deprecated, must preserve */
64 #define calg_aes ssl_calg_aes
65 #define calg_camellia ssl_calg_camellia
66 #define calg_seed ssl_calg_seed
67 #define calg_aes_gcm ssl_calg_aes_gcm
68 #define calg_chacha20 ssl_calg_chacha20
69
70 #define mac_null ssl_mac_null
71 #define mac_md5 ssl_mac_md5
72 #define mac_sha ssl_mac_sha
73 #define hmac_md5 ssl_hmac_md5
74 #define hmac_sha ssl_hmac_sha
75 #define hmac_sha256 ssl_hmac_sha256
76 #define mac_aead ssl_mac_aead
77
78 #define SET_ERROR_CODE /* reminder */
79 #define SEND_ALERT /* reminder */
80 #define TEST_FOR_FAILURE /* reminder */
81 #define DEAL_WITH_FAILURE /* reminder */
82
83 #if defined(DEBUG) || defined(TRACE)
84 #ifdef __cplusplus
85 #define Debug 1
86 #else
87 extern int Debug;
88 #endif
89 #else
90 #undef Debug
91 #endif
92
93 #if defined(DEBUG) && !defined(TRACE) && !defined(NISCC_TEST)
94 #define TRACE
95 #endif
96
97 #ifdef TRACE
98 #define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b
99 #define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b
100 #define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b
101 #else
102 #define SSL_TRC(a,b)
103 #define PRINT_BUF(a,b)
104 #define DUMP_MSG(a,b)
105 #endif
106
107 #ifdef DEBUG
108 #define SSL_DBG(b) if (ssl_debug) ssl_Trace b
109 #else
110 #define SSL_DBG(b)
111 #endif
112
113 #include "private/pprthred.h" /* for PR_InMonitor() */
114 #define ssl_InMonitor(m) PZ_InMonitor(m)
115
116 #define LSB(x) ((unsigned char) ((x) & 0xff))
117 #define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8))
118
119 /************************************************************************/
120
121 typedef enum { SSLAppOpRead = 0,
122 SSLAppOpWrite,
123 SSLAppOpRDWR,
124 SSLAppOpPost,
125 SSLAppOpHeader
126 } SSLAppOperation;
127
128 #define SSL_MIN_MASTER_KEY_BYTES 5
129 #define SSL_MAX_MASTER_KEY_BYTES 64
130
131 #define SSL2_SESSIONID_BYTES 16
132 #define SSL3_SESSIONID_BYTES 32
133
134 #define SSL_MIN_CHALLENGE_BYTES 16
135 #define SSL_MAX_CHALLENGE_BYTES 32
136 #define SSL_CHALLENGE_BYTES 16
137
138 #define SSL_CONNECTIONID_BYTES 16
139
140 #define SSL_MIN_CYPHER_ARG_BYTES 0
141 #define SSL_MAX_CYPHER_ARG_BYTES 32
142
143 #define SSL_MAX_MAC_BYTES 16
144
145 #define SSL3_RSA_PMS_LENGTH 48
146 #define SSL3_MASTER_SECRET_LENGTH 48
147
148 /* number of wrap mechanisms potentially used to wrap master secrets. */
149 #define SSL_NUM_WRAP_MECHS 16
150
151 /* This makes the cert cache entry exactly 4k. */
152 #define SSL_MAX_CACHED_CERT_LEN 4060
153
154 #define NUM_MIXERS 9
155
156 /* Mask of the 25 named curves we support. */
157 #define SSL3_ALL_SUPPORTED_CURVES_MASK 0x3fffffe
158 /* Mask of only 3 curves, suite B */
159 #define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000
160
161 #ifndef BPB
162 #define BPB 8 /* Bits Per Byte */
163 #endif
164
165 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
166
167 #define INITIAL_DTLS_TIMEOUT_MS 1000 /* Default value from RFC 4347 = 1s*/
168 #define MAX_DTLS_TIMEOUT_MS 60000 /* 1 minute */
169 #define DTLS_FINISHED_TIMER_MS 120000 /* Time to wait in FINISHED state */
170
171 typedef struct sslBufferStr sslBuffer;
172 typedef struct sslConnectInfoStr sslConnectInfo;
173 typedef struct sslGatherStr sslGather;
174 typedef struct sslSecurityInfoStr sslSecurityInfo;
175 typedef struct sslSessionIDStr sslSessionID;
176 typedef struct sslSocketStr sslSocket;
177 typedef struct sslSocketOpsStr sslSocketOps;
178
179 typedef struct ssl3StateStr ssl3State;
180 typedef struct ssl3CertNodeStr ssl3CertNode;
181 typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef;
182 typedef struct ssl3MACDefStr ssl3MACDef;
183 typedef struct ssl3KeyPairStr ssl3KeyPair;
184
185 struct ssl3CertNodeStr {
186 struct ssl3CertNodeStr *next;
187 CERTCertificate * cert;
188 };
189
190 typedef SECStatus (*sslHandshakeFunc)(sslSocket *ss);
191
192 /* This type points to the low layer send func,
193 ** e.g. ssl2_SendStream or ssl3_SendPlainText.
194 ** These functions return the same values as PR_Send,
195 ** i.e. >= 0 means number of bytes sent, < 0 means error.
196 */
197 typedef PRInt32 (*sslSendFunc)(sslSocket *ss, const unsigned char *buf,
198 PRInt32 n, PRInt32 flags);
199
200 typedef void (*sslSessionIDCacheFunc) (sslSessionID *sid);
201 typedef void (*sslSessionIDUncacheFunc)(sslSessionID *sid);
202 typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr *addr,
203 unsigned char* sid,
204 unsigned int sidLen,
205 CERTCertDBHandle * dbHandle);
206
207 /* registerable callback function that either appends extension to buffer
208 * or returns length of data that it would have appended.
209 */
210 typedef PRInt32 (*ssl3HelloExtensionSenderFunc)(sslSocket *ss, PRBool append,
211 PRUint32 maxBytes);
212
213 /* registerable callback function that handles a received extension,
214 * of the given type.
215 */
216 typedef SECStatus (* ssl3HelloExtensionHandlerFunc)(sslSocket *ss,
217 PRUint16 ex_type,
218 SECItem * data);
219
220 /* row in a table of hello extension senders */
221 typedef struct {
222 PRInt32 ex_type;
223 ssl3HelloExtensionSenderFunc ex_sender;
224 } ssl3HelloExtensionSender;
225
226 /* row in a table of hello extension handlers */
227 typedef struct {
228 PRInt32 ex_type;
229 ssl3HelloExtensionHandlerFunc ex_handler;
230 } ssl3HelloExtensionHandler;
231
232 extern SECStatus
233 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
234 ssl3HelloExtensionSenderFunc cb);
235
236 extern PRInt32
237 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
238 const ssl3HelloExtensionSender *sender);
239
240 extern unsigned int
241 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength);
242
243 extern PRInt32
244 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
245 PRUint32 maxBytes);
246
247 /* Socket ops */
248 struct sslSocketOpsStr {
249 int (*connect) (sslSocket *, const PRNetAddr *);
250 PRFileDesc *(*accept) (sslSocket *, PRNetAddr *);
251 int (*bind) (sslSocket *, const PRNetAddr *);
252 int (*listen) (sslSocket *, int);
253 int (*shutdown)(sslSocket *, int);
254 int (*close) (sslSocket *);
255
256 int (*recv) (sslSocket *, unsigned char *, int, int);
257
258 /* points to the higher-layer send func, e.g. ssl_SecureSend. */
259 int (*send) (sslSocket *, const unsigned char *, int, int);
260 int (*read) (sslSocket *, unsigned char *, int);
261 int (*write) (sslSocket *, const unsigned char *, int);
262
263 int (*getpeername)(sslSocket *, PRNetAddr *);
264 int (*getsockname)(sslSocket *, PRNetAddr *);
265 };
266
267 /* Flags interpreted by ssl send functions. */
268 #define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000
269 #define ssl_SEND_FLAG_NO_BUFFER 0x20000000
270 #define ssl_SEND_FLAG_USE_EPOCH 0x10000000 /* DTLS only */
271 #define ssl_SEND_FLAG_NO_RETRANSMIT 0x08000000 /* DTLS only */
272 #define ssl_SEND_FLAG_CAP_RECORD_VERSION \
273 0x04000000 /* TLS only */
274 #define ssl_SEND_FLAG_MASK 0x7f000000
275
276 /*
277 ** A buffer object.
278 */
279 struct sslBufferStr {
280 unsigned char * buf;
281 unsigned int len;
282 unsigned int space;
283 };
284
285 /*
286 ** SSL3 cipher suite policy and preference struct.
287 */
288 typedef struct {
289 #if !defined(_WIN32)
290 unsigned int cipher_suite : 16;
291 unsigned int policy : 8;
292 unsigned int enabled : 1;
293 unsigned int isPresent : 1;
294 #else
295 ssl3CipherSuite cipher_suite;
296 PRUint8 policy;
297 unsigned char enabled : 1;
298 unsigned char isPresent : 1;
299 #endif
300 } ssl3CipherSuiteCfg;
301
302 #ifdef NSS_ENABLE_ECC
303 #define ssl_V3_SUITES_IMPLEMENTED 63
304 #else
305 #define ssl_V3_SUITES_IMPLEMENTED 37
306 #endif /* NSS_ENABLE_ECC */
307
308 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
309
310 typedef struct sslOptionsStr {
311 /* If SSL_SetNextProtoNego has been called, then this contains the
312 * list of supported protocols. */
313 SECItem nextProtoNego;
314
315 unsigned int useSecurity : 1; /* 1 */
316 unsigned int useSocks : 1; /* 2 */
317 unsigned int requestCertificate : 1; /* 3 */
318 unsigned int requireCertificate : 2; /* 4-5 */
319 unsigned int handshakeAsClient : 1; /* 6 */
320 unsigned int handshakeAsServer : 1; /* 7 */
321 unsigned int enableSSL2 : 1; /* 8 */
322 unsigned int unusedBit9 : 1; /* 9 */
323 unsigned int unusedBit10 : 1; /* 10 */
324 unsigned int noCache : 1; /* 11 */
325 unsigned int fdx : 1; /* 12 */
326 unsigned int v2CompatibleHello : 1; /* 13 */
327 unsigned int detectRollBack : 1; /* 14 */
328 unsigned int noStepDown : 1; /* 15 */
329 unsigned int bypassPKCS11 : 1; /* 16 */
330 unsigned int noLocks : 1; /* 17 */
331 unsigned int enableSessionTickets : 1; /* 18 */
332 unsigned int enableDeflate : 1; /* 19 */
333 unsigned int enableRenegotiation : 2; /* 20-21 */
334 unsigned int requireSafeNegotiation : 1; /* 22 */
335 unsigned int enableFalseStart : 1; /* 23 */
336 unsigned int cbcRandomIV : 1; /* 24 */
337 unsigned int enableOCSPStapling : 1; /* 25 */
338 unsigned int enableNPN : 1; /* 26 */
339 unsigned int enableALPN : 1; /* 27 */
340 unsigned int enableSignedCertTimestamps : 1; /* 28 */
341 unsigned int enableFallbackSCSV : 1; /* 29 */
342 } sslOptions;
343
344 typedef enum { sslHandshakingUndetermined = 0,
345 sslHandshakingAsClient,
346 sslHandshakingAsServer
347 } sslHandshakingType;
348
349 typedef struct sslServerCertsStr {
350 /* Configuration state for server sockets */
351 CERTCertificate * serverCert;
352 CERTCertificateList * serverCertChain;
353 ssl3KeyPair * serverKeyPair;
354 unsigned int serverKeyBits;
355 } sslServerCerts;
356
357 #define SERVERKEY serverKeyPair->privKey
358
359 #define SSL_LOCK_RANK_SPEC 255
360 #define SSL_LOCK_RANK_GLOBAL NSS_RWLOCK_RANK_NONE
361
362 /* These are the valid values for shutdownHow.
363 ** These values are each 1 greater than the NSPR values, and the code
364 ** depends on that relation to efficiently convert PR_SHUTDOWN values
365 ** into ssl_SHUTDOWN values. These values use one bit for read, and
366 ** another bit for write, and can be used as bitmasks.
367 */
368 #define ssl_SHUTDOWN_NONE 0 /* NOT shutdown at all */
369 #define ssl_SHUTDOWN_RCV 1 /* PR_SHUTDOWN_RCV +1 */
370 #define ssl_SHUTDOWN_SEND 2 /* PR_SHUTDOWN_SEND +1 */
371 #define ssl_SHUTDOWN_BOTH 3 /* PR_SHUTDOWN_BOTH +1 */
372
373 /*
374 ** A gather object. Used to read some data until a count has been
375 ** satisfied. Primarily for support of async sockets.
376 ** Everything in here is protected by the recvBufLock.
377 */
378 struct sslGatherStr {
379 int state; /* see GS_ values below. */ /* ssl 2 & 3 */
380
381 /* "buf" holds received plaintext SSL records, after decrypt and MAC check.
382 * SSL2: recv'd ciphertext records are put here, then decrypted in place.
383 * SSL3: recv'd ciphertext records are put in inbuf (see below), then
384 * decrypted into buf.
385 */
386 sslBuffer buf; /*recvBufLock*/ /* ssl 2 & 3 */
387
388 /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3).
389 ** (offset - writeOffset) is the number of ciphertext bytes read in but
390 ** not yet deciphered.
391 */
392 unsigned int offset; /* ssl 2 & 3 */
393
394 /* number of bytes to read in next call to ssl_DefRecv (recv) */
395 unsigned int remainder; /* ssl 2 & 3 */
396
397 /* Number of ciphertext bytes to read in after 2-byte SSL record header. */
398 unsigned int count; /* ssl2 only */
399
400 /* size of the final plaintext record.
401 ** == count - (recordPadding + MAC size)
402 */
403 unsigned int recordLen; /* ssl2 only */
404
405 /* number of bytes of padding to be removed after decrypting. */
406 /* This value is taken from the record's hdr[2], which means a too large
407 * value could crash us.
408 */
409 unsigned int recordPadding; /* ssl2 only */
410
411 /* plaintext DATA begins this many bytes into "buf". */
412 unsigned int recordOffset; /* ssl2 only */
413
414 int encrypted; /* SSL2 session is now encrypted. ssl2 only */
415
416 /* These next two values are used by SSL2 and SSL3.
417 ** DoRecv uses them to extract application data.
418 ** The difference between writeOffset and readOffset is the amount of
419 ** data available to the application. Note that the actual offset of
420 ** the data in "buf" is recordOffset (above), not readOffset.
421 ** In the current implementation, this is made available before the
422 ** MAC is checked!!
423 */
424 unsigned int readOffset; /* Spot where DATA reader (e.g. application
425 ** or handshake code) will read next.
426 ** Always zero for SSl3 application data.
427 */
428 /* offset in buf/inbuf/hdr into which new data will be read from socket. */
429 unsigned int writeOffset;
430
431 /* Buffer for ssl3 to read (encrypted) data from the socket */
432 sslBuffer inbuf; /*recvBufLock*/ /* ssl3 only */
433
434 /* The ssl[23]_GatherData functions read data into this buffer, rather
435 ** than into buf or inbuf, while in the GS_HEADER state.
436 ** The portion of the SSL record header put here always comes off the wire
437 ** as plaintext, never ciphertext.
438 ** For SSL2, the plaintext portion is two bytes long. For SSl3 it is 5.
439 ** For DTLS it is 13.
440 */
441 unsigned char hdr[13]; /* ssl 2 & 3 or dtls */
442
443 /* Buffer for DTLS data read off the wire as a single datagram */
444 sslBuffer dtlsPacket;
445
446 /* the start of the buffered DTLS record in dtlsPacket */
447 unsigned int dtlsPacketOffset;
448 };
449
450 /* sslGather.state */
451 #define GS_INIT 0
452 #define GS_HEADER 1
453 #define GS_MAC 2
454 #define GS_DATA 3
455 #define GS_PAD 4
456
457 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32)
458 typedef PCERT_KEY_CONTEXT PlatformKey;
459 #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX)
460 typedef SecKeyRef PlatformKey;
461 #else
462 typedef void *PlatformKey;
463 #endif
464
465
466
467 /*
468 ** ssl3State and CipherSpec structs
469 */
470
471 /* The SSL bulk cipher definition */
472 typedef enum {
473 cipher_null,
474 cipher_rc4,
475 cipher_rc4_40,
476 cipher_rc4_56,
477 cipher_rc2,
478 cipher_rc2_40,
479 cipher_des,
480 cipher_3des,
481 cipher_des40,
482 cipher_idea,
483 cipher_aes_128,
484 cipher_aes_256,
485 cipher_camellia_128,
486 cipher_camellia_256,
487 cipher_seed,
488 cipher_aes_128_gcm,
489 cipher_chacha20,
490 cipher_missing /* reserved for no such supported cipher */
491 /* This enum must match ssl3_cipherName[] in ssl3con.c. */
492 } SSL3BulkCipher;
493
494 typedef enum { type_stream, type_block, type_aead } CipherType;
495
496 #define MAX_IV_LENGTH 24
497
498 /*
499 * Do not depend upon 64 bit arithmetic in the underlying machine.
500 */
501 typedef struct {
502 PRUint32 high;
503 PRUint32 low;
504 } SSL3SequenceNumber;
505
506 typedef PRUint16 DTLSEpoch;
507
508 typedef void (*DTLSTimerCb)(sslSocket *);
509
510 #define MAX_MAC_CONTEXT_BYTES 400 /* 400 is large enough for MD5, SHA-1, and
511 * SHA-256. For SHA-384 support, increase
512 * it to 712. */
513 #define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8)
514
515 #define MAX_CIPHER_CONTEXT_BYTES 2080
516 #define MAX_CIPHER_CONTEXT_LLONGS (MAX_CIPHER_CONTEXT_BYTES / 8)
517
518 typedef struct {
519 SSL3Opaque wrapped_master_secret[48];
520 PRUint16 wrapped_master_secret_len;
521 PRUint8 msIsWrapped;
522 PRUint8 resumable;
523 } ssl3SidKeys; /* 52 bytes */
524
525 typedef struct {
526 PK11SymKey *write_key;
527 PK11SymKey *write_mac_key;
528 PK11Context *write_mac_context;
529 SECItem write_key_item;
530 SECItem write_iv_item;
531 SECItem write_mac_key_item;
532 SSL3Opaque write_iv[MAX_IV_LENGTH];
533 PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS];
534 } ssl3KeyMaterial;
535
536 typedef SECStatus (*SSLCipher)(void * context,
537 unsigned char * out,
538 int * outlen,
539 int maxout,
540 const unsigned char *in,
541 int inlen);
542 typedef SECStatus (*SSLAEADCipher)(
543 ssl3KeyMaterial * keys,
544 PRBool doDecrypt,
545 unsigned char * out,
546 int * outlen,
547 int maxout,
548 const unsigned char *in,
549 int inlen,
550 const unsigned char *additionalData,
551 int additionalDataLen);
552 typedef SECStatus (*SSLCompressor)(void * context,
553 unsigned char * out,
554 int * outlen,
555 int maxout,
556 const unsigned char *in,
557 int inlen);
558 typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
559
560 /* The DTLS anti-replay window. Defined here because we need it in
561 * the cipher spec. Note that this is a ring buffer but left and
562 * right represent the true window, with modular arithmetic used to
563 * map them onto the buffer.
564 */
565 #define DTLS_RECVD_RECORDS_WINDOW 1024 /* Packets; approximate
566 * Must be divisible by 8
567 */
568 typedef struct DTLSRecvdRecordsStr {
569 unsigned char data[DTLS_RECVD_RECORDS_WINDOW/8];
570 PRUint64 left;
571 PRUint64 right;
572 } DTLSRecvdRecords;
573
574 /*
575 ** These are the "specs" in the "ssl3" struct.
576 ** Access to the pointers to these specs, and all the specs' contents
577 ** (direct and indirect) is protected by the reader/writer lock ss->specLock.
578 */
579 typedef struct {
580 const ssl3BulkCipherDef *cipher_def;
581 const ssl3MACDef * mac_def;
582 SSLCompressionMethod compression_method;
583 int mac_size;
584 SSLCipher encode;
585 SSLCipher decode;
586 SSLAEADCipher aead;
587 SSLDestroy destroy;
588 void * encodeContext;
589 void * decodeContext;
590 SSLCompressor compressor; /* Don't name these fields compress */
591 SSLCompressor decompressor; /* and uncompress because zconf.h */
592 /* may define them as macros. */
593 SSLDestroy destroyCompressContext;
594 void * compressContext;
595 SSLDestroy destroyDecompressContext;
596 void * decompressContext;
597 PRBool bypassCiphers; /* did double bypass (at least) */
598 PK11SymKey * master_secret;
599 SSL3SequenceNumber write_seq_num;
600 SSL3SequenceNumber read_seq_num;
601 SSL3ProtocolVersion version;
602 ssl3KeyMaterial client;
603 ssl3KeyMaterial server;
604 SECItem msItem;
605 unsigned char key_block[NUM_MIXERS * MD5_LENGTH];
606 unsigned char raw_master_secret[56];
607 SECItem srvVirtName; /* for server: name that was negotiated
608 * with a client. For client - is
609 * always set to NULL.*/
610 DTLSEpoch epoch;
611 DTLSRecvdRecords recvdRecords;
612 } ssl3CipherSpec;
613
614 typedef enum { never_cached,
615 in_client_cache,
616 in_server_cache,
617 invalid_cache /* no longer in any cache. */
618 } Cached;
619
620 #define MAX_PEER_CERT_CHAIN_SIZE 8
621
622 struct sslSessionIDStr {
623 /* The global cache lock must be held when accessing these members when the
624 * sid is in any cache.
625 */
626 sslSessionID * next; /* chain used for client sockets, only */
627 Cached cached;
628 int references;
629 PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */
630
631 /* The rest of the members, except for the members of u.ssl3.locked, may
632 * be modified only when the sid is not in any cache.
633 */
634
635 CERTCertificate * peerCert;
636 CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
637 SECItemArray peerCertStatus; /* client only */
638 const char * peerID; /* client only */
639 const char * urlSvrName; /* client only */
640 CERTCertificate * localCert;
641
642 PRIPv6Addr addr;
643 PRUint16 port;
644
645 SSL3ProtocolVersion version;
646
647 PRUint32 creationTime; /* seconds since Jan 1, 1970 */
648 PRUint32 expirationTime; /* seconds since Jan 1, 1970 */
649
650 SSLSignType authAlgorithm;
651 PRUint32 authKeyBits;
652 SSLKEAType keaType;
653 PRUint32 keaKeyBits;
654
655 union {
656 struct {
657 /* the V2 code depends upon the size of sessionID. */
658 unsigned char sessionID[SSL2_SESSIONID_BYTES];
659
660 /* Stuff used to recreate key and read/write cipher objects */
661 SECItem masterKey; /* never wrapped */
662 int cipherType;
663 SECItem cipherArg;
664 int keyBits;
665 int secretKeyBits;
666 } ssl2;
667 struct {
668 /* values that are copied into the server's on-disk SID cache. */
669 PRUint8 sessionIDLength;
670 SSL3Opaque sessionID[SSL3_SESSIONID_BYTES];
671
672 ssl3CipherSuite cipherSuite;
673 SSLCompressionMethod compression;
674 int policy;
675 ssl3SidKeys keys;
676 CK_MECHANISM_TYPE masterWrapMech;
677 /* mechanism used to wrap master secret */
678 SSL3KEAType exchKeyType;
679 /* key type used in exchange algorithm,
680 * and to wrap the sym wrapping key. */
681 #ifdef NSS_ENABLE_ECC
682 PRUint32 negotiatedECCurves;
683 #endif /* NSS_ENABLE_ECC */
684
685 /* The following values are NOT restored from the server's on-disk
686 * session cache, but are restored from the client's cache.
687 */
688 PK11SymKey * clientWriteKey;
689 PK11SymKey * serverWriteKey;
690
691 /* The following values pertain to the slot that wrapped the
692 ** master secret. (used only in client)
693 */
694 SECMODModuleID masterModuleID;
695 /* what module wrapped the master secret */
696 CK_SLOT_ID masterSlotID;
697 PRUint16 masterWrapIndex;
698 /* what's the key index for the wrapping key */
699 PRUint16 masterWrapSeries;
700 /* keep track of the slot series, so we don't
701 * accidently try to use new keys after the
702 * card gets removed and replaced.*/
703
704 /* The following values pertain to the slot that did the signature
705 ** for client auth. (used only in client)
706 */
707 SECMODModuleID clAuthModuleID;
708 CK_SLOT_ID clAuthSlotID;
709 PRUint16 clAuthSeries;
710
711 char masterValid;
712 char clAuthValid;
713
714 SECItem srvName;
715
716 /* originalHandshakeHash contains the hash of the original, full
717 * handshake prior to the server's final flow. This is either a
718 * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for
719 * TLS 1.2). This is recorded and used only when ChannelID is
720 * negotiated as it's used to bind the ChannelID signature on the
721 * resumption handshake to the original handshake. */
722 SECItem originalHandshakeHash;
723
724 /* Signed certificate timestamps received in a TLS extension.
725 ** (used only in client).
726 */
727 SECItem signedCertTimestamps;
728
729 /* This lock is lazily initialized by CacheSID when a sid is first
730 * cached. Before then, there is no need to lock anything because
731 * the sid isn't being shared by anything.
732 */
733 NSSRWLock *lock;
734
735 /* The lock must be held while reading or writing these members
736 * because they change while the sid is cached.
737 */
738 struct {
739 /* The session ticket, if we have one, is sent as an extension
740 * in the ClientHello message. This field is used only by
741 * clients. It is protected by lock when lock is non-null
742 * (after the sid has been added to the client session cache).
743 */
744 NewSessionTicket sessionTicket;
745 } locked;
746 } ssl3;
747 } u;
748 };
749
750 typedef struct ssl3CipherSuiteDefStr {
751 ssl3CipherSuite cipher_suite;
752 SSL3BulkCipher bulk_cipher_alg;
753 SSL3MACAlgorithm mac_alg;
754 SSL3KeyExchangeAlgorithm key_exchange_alg;
755 } ssl3CipherSuiteDef;
756
757 /*
758 ** There are tables of these, all const.
759 */
760 typedef struct {
761 SSL3KeyExchangeAlgorithm kea;
762 SSL3KEAType exchKeyType;
763 SSL3SignType signKeyType;
764 PRBool is_limited;
765 int key_size_limit;
766 PRBool tls_keygen;
767 } ssl3KEADef;
768
769 /*
770 ** There are tables of these, all const.
771 */
772 struct ssl3BulkCipherDefStr {
773 SSL3BulkCipher cipher;
774 SSLCipherAlgorithm calg;
775 int key_size;
776 int secret_key_size;
777 CipherType type;
778 int iv_size;
779 int block_size;
780 int tag_size; /* authentication tag size for AEAD ciphers. */
781 int explicit_nonce_size; /* for AEAD ciphers. */
782 };
783
784 /*
785 ** There are tables of these, all const.
786 */
787 struct ssl3MACDefStr {
788 SSL3MACAlgorithm mac;
789 CK_MECHANISM_TYPE mmech;
790 int pad_size;
791 int mac_size;
792 };
793
794 typedef enum {
795 wait_client_hello,
796 wait_client_cert,
797 wait_client_key,
798 wait_cert_verify,
799 wait_change_cipher,
800 wait_finished,
801 wait_server_hello,
802 wait_certificate_status,
803 wait_server_cert,
804 wait_server_key,
805 wait_cert_request,
806 wait_hello_done,
807 wait_new_session_ticket,
808 idle_handshake
809 } SSL3WaitState;
810
811 /*
812 * TLS extension related constants and data structures.
813 */
814 typedef struct TLSExtensionDataStr TLSExtensionData;
815 typedef struct SessionTicketDataStr SessionTicketData;
816
817 struct TLSExtensionDataStr {
818 /* registered callbacks that send server hello extensions */
819 ssl3HelloExtensionSender serverSenders[SSL_MAX_EXTENSIONS];
820 /* Keep track of the extensions that are negotiated. */
821 PRUint16 numAdvertised;
822 PRUint16 numNegotiated;
823 PRUint16 advertised[SSL_MAX_EXTENSIONS];
824 PRUint16 negotiated[SSL_MAX_EXTENSIONS];
825
826 /* SessionTicket Extension related data. */
827 PRBool ticketTimestampVerified;
828 PRBool emptySessionTicket;
829 PRBool sentSessionTicketInClientHello;
830
831 /* SNI Extension related data
832 * Names data is not coppied from the input buffer. It can not be
833 * used outside the scope where input buffer is defined and that
834 * is beyond ssl3_HandleClientHello function. */
835 SECItem *sniNameArr;
836 PRUint32 sniNameArrSize;
837
838 /* Signed Certificate Timestamps extracted from the TLS extension.
839 * (client only).
840 * This container holds a temporary pointer to the extension data,
841 * until a session structure (the sec.ci.sid of an sslSocket) is setup
842 * that can hold a permanent copy of the data
843 * (in sec.ci.sid.u.ssl3.signedCertTimestamps).
844 * The data pointed to by this structure is neither explicitly allocated
845 * nor copied: the pointer points to the handshake message buffer and is
846 * only valid in the scope of ssl3_HandleServerHello.
847 */
848 SECItem signedCertTimestamps;
849 };
850
851 typedef SECStatus (*sslRestartTarget)(sslSocket *);
852
853 /*
854 ** A DTLS queued message (potentially to be retransmitted)
855 */
856 typedef struct DTLSQueuedMessageStr {
857 PRCList link; /* The linked list link */
858 DTLSEpoch epoch; /* The epoch to use */
859 SSL3ContentType type; /* The message type */
860 unsigned char *data; /* The data */
861 PRUint16 len; /* The data length */
862 } DTLSQueuedMessage;
863
864 typedef enum {
865 handshake_hash_unknown = 0,
866 handshake_hash_combo = 1, /* The MD5/SHA-1 combination */
867 handshake_hash_single = 2 /* A single hash */
868 } SSL3HandshakeHashType;
869
870 /*
871 ** This is the "hs" member of the "ssl3" struct.
872 ** This entire struct is protected by ssl3HandshakeLock
873 */
874 typedef struct SSL3HandshakeStateStr {
875 SSL3Random server_random;
876 SSL3Random client_random;
877 SSL3WaitState ws;
878
879 /* This group of members is used for handshake running hashes. */
880 SSL3HandshakeHashType hashType;
881 sslBuffer messages; /* Accumulated handshake messages */
882 #ifndef NO_PKCS11_BYPASS
883 /* Bypass mode:
884 * SSL 3.0 - TLS 1.1 use both |md5_cx| and |sha_cx|. |md5_cx| is used for
885 * MD5 and |sha_cx| for SHA-1.
886 * TLS 1.2 and later use only |sha_cx|, for SHA-256. NOTE: When we support
887 * SHA-384, increase MAX_MAC_CONTEXT_BYTES to 712. */
888 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
889 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
890 const SECHashObject * sha_obj;
891 /* The function prototype of sha_obj->clone() does not match the prototype
892 * of the freebl <HASH>_Clone functions, so we need a dedicated function
893 * pointer for the <HASH>_Clone function. */
894 void (*sha_clone)(void *dest, void *src);
895 #endif
896 /* PKCS #11 mode:
897 * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
898 * |sha| for SHA-1.
899 * TLS 1.2 and later use only |sha|, for SHA-256. */
900 /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup
901 * handshake hash for generating client auth signatures. Confusingly, the
902 * backup hash function is SHA-1. */
903 #define backupHash md5
904 PK11Context * md5;
905 PK11Context * sha;
906
907 const ssl3KEADef * kea_def;
908 ssl3CipherSuite cipher_suite;
909 const ssl3CipherSuiteDef *suite_def;
910 SSLCompressionMethod compression;
911 sslBuffer msg_body; /* protected by recvBufLock */
912 /* partial handshake message from record layer */
913 unsigned int header_bytes;
914 /* number of bytes consumed from handshake */
915 /* message for message type and header length */
916 SSL3HandshakeType msg_type;
917 unsigned long msg_len;
918 SECItem ca_list; /* used only by client */
919 PRBool isResuming; /* are we resuming a session */
920 PRBool usedStepDownKey; /* we did a server key exchange. */
921 PRBool sendingSCSV; /* instead of empty RI */
922 sslBuffer msgState; /* current state for handshake messages*/
923 /* protected by recvBufLock */
924
925 /* The session ticket received in a NewSessionTicket message is temporarily
926 * stored in newSessionTicket until the handshake is finished; then it is
927 * moved to the sid.
928 */
929 PRBool receivedNewSessionTicket;
930 NewSessionTicket newSessionTicket;
931
932 PRUint16 finishedBytes; /* size of single finished below */
933 union {
934 TLSFinished tFinished[2]; /* client, then server */
935 SSL3Finished sFinished[2];
936 SSL3Opaque data[72];
937 } finishedMsgs;
938 #ifdef NSS_ENABLE_ECC
939 PRUint32 negotiatedECCurves; /* bit mask */
940 #endif /* NSS_ENABLE_ECC */
941
942 PRBool authCertificatePending;
943 /* Which function should SSL_RestartHandshake* call if we're blocked?
944 * One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake,
945 * or ssl3_AlwaysFail */
946 sslRestartTarget restartTarget;
947 /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
948 PRBool cacheSID;
949
950 PRBool canFalseStart; /* Can/did we False Start */
951
952 /* clientSigAndHash contains the contents of the signature_algorithms
953 * extension (if any) from the client. This is only valid for TLS 1.2
954 * or later. */
955 SSL3SignatureAndHashAlgorithm *clientSigAndHash;
956 unsigned int numClientSigAndHash;
957
958 /* This group of values is used for DTLS */
959 PRUint16 sendMessageSeq; /* The sending message sequence
960 * number */
961 PRCList lastMessageFlight; /* The last message flight we
962 * sent */
963 PRUint16 maxMessageSent; /* The largest message we sent */
964 PRUint16 recvMessageSeq; /* The receiving message sequence
965 * number */
966 sslBuffer recvdFragments; /* The fragments we have received in
967 * a bitmask */
968 PRInt32 recvdHighWater; /* The high water mark for fragments
969 * received. -1 means no reassembly
970 * in progress. */
971 unsigned char cookie[32]; /* The cookie */
972 unsigned char cookieLen; /* The length of the cookie */
973 PRIntervalTime rtTimerStarted; /* When the timer was started */
974 DTLSTimerCb rtTimerCb; /* The function to call on expiry */
975 PRUint32 rtTimeoutMs; /* The length of the current timeout
976 * used for backoff (in ms) */
977 PRUint32 rtRetries; /* The retry counter */
978 } SSL3HandshakeState;
979
980
981
982 /*
983 ** This is the "ssl3" struct, as in "ss->ssl3".
984 ** note:
985 ** usually, crSpec == cwSpec and prSpec == pwSpec.
986 ** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
987 ** But there are never more than 2 actual specs.
988 ** No spec must ever be modified if either "current" pointer points to it.
989 */
990 struct ssl3StateStr {
991
992 /*
993 ** The following Specs and Spec pointers must be protected using the
994 ** Spec Lock.
995 */
996 ssl3CipherSpec * crSpec; /* current read spec. */
997 ssl3CipherSpec * prSpec; /* pending read spec. */
998 ssl3CipherSpec * cwSpec; /* current write spec. */
999 ssl3CipherSpec * pwSpec; /* pending write spec. */
1000
1001 CERTCertificate * clientCertificate; /* used by client */
1002 SECKEYPrivateKey * clientPrivateKey; /* used by client */
1003 /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not
1004 * defined in order to allow cleaner conditional code.
1005 * At most one of clientPrivateKey and platformClientKey may be set. */
1006 PlatformKey platformClientKey; /* used by client */
1007 CERTCertificateList *clientCertChain; /* used by client */
1008 PRBool sendEmptyCert; /* used by client */
1009
1010 SECKEYPrivateKey *channelID; /* used by client */
1011 SECKEYPublicKey *channelIDPub; /* used by client */
1012
1013 int policy;
1014 /* This says what cipher suites we can do, and should
1015 * be either SSL_ALLOWED or SSL_RESTRICTED
1016 */
1017 PLArenaPool * peerCertArena;
1018 /* These are used to keep track of the peer CA */
1019 void * peerCertChain;
1020 /* chain while we are trying to validate it. */
1021 CERTDistNames * ca_list;
1022 /* used by server. trusted CAs for this socket. */
1023 PRBool initialized;
1024 SSL3HandshakeState hs;
1025 ssl3CipherSpec specs[2]; /* one is current, one is pending. */
1026
1027 /* In a client: if the server supports Next Protocol Negotiation, then
1028 * this is the protocol that was negotiated.
1029 */
1030 SECItem nextProto;
1031 SSLNextProtoState nextProtoState;
1032
1033 PRUint16 mtu; /* Our estimate of the MTU */
1034
1035 /* DTLS-SRTP cipher suite preferences (if any) */
1036 PRUint16 dtlsSRTPCiphers[MAX_DTLS_SRTP_CIPHER_SUITES];
1037 PRUint16 dtlsSRTPCipherCount;
1038 PRUint16 dtlsSRTPCipherSuite; /* 0 if not selected */
1039 };
1040
1041 #define DTLS_MAX_MTU 1500 /* Ethernet MTU but without subtracting the
1042 * headers, so slightly larger than expected */
1043 #define IS_DTLS(ss) (ss->protocolVariant == ssl_variant_datagram)
1044
1045 typedef struct {
1046 SSL3ContentType type;
1047 SSL3ProtocolVersion version;
1048 SSL3SequenceNumber seq_num; /* DTLS only */
1049 sslBuffer * buf;
1050 } SSL3Ciphertext;
1051
1052 struct ssl3KeyPairStr {
1053 SECKEYPrivateKey * privKey;
1054 SECKEYPublicKey * pubKey;
1055 PRInt32 refCount; /* use PR_Atomic calls for this. */
1056 };
1057
1058 typedef struct SSLWrappedSymWrappingKeyStr {
1059 SSL3Opaque wrappedSymmetricWrappingkey[512];
1060 CK_MECHANISM_TYPE symWrapMechanism;
1061 /* unwrapped symmetric wrapping key uses this mechanism */
1062 CK_MECHANISM_TYPE asymWrapMechanism;
1063 /* mechanism used to wrap the SymmetricWrappingKey using
1064 * server's public and/or private keys. */
1065 SSL3KEAType exchKeyType; /* type of keys used to wrap SymWrapKey*/
1066 PRInt32 symWrapMechIndex;
1067 PRUint16 wrappedSymKeyLen;
1068 } SSLWrappedSymWrappingKey;
1069
1070 typedef struct SessionTicketStr {
1071 PRUint16 ticket_version;
1072 SSL3ProtocolVersion ssl_version;
1073 ssl3CipherSuite cipher_suite;
1074 SSLCompressionMethod compression_method;
1075 SSLSignType authAlgorithm;
1076 PRUint32 authKeyBits;
1077 SSLKEAType keaType;
1078 PRUint32 keaKeyBits;
1079 /*
1080 * exchKeyType and msWrapMech contain meaningful values only if
1081 * ms_is_wrapped is true.
1082 */
1083 PRUint8 ms_is_wrapped;
1084 SSLKEAType exchKeyType; /* XXX(wtc): same as keaType above? */
1085 CK_MECHANISM_TYPE msWrapMech;
1086 PRUint16 ms_length;
1087 SSL3Opaque master_secret[48];
1088 ClientIdentity client_identity;
1089 SECItem peer_cert;
1090 PRUint32 timestamp;
1091 SECItem srvName; /* negotiated server name */
1092 } SessionTicket;
1093
1094 /*
1095 * SSL2 buffers used in SSL3.
1096 * writeBuf in the SecurityInfo maintained by sslsecur.c is used
1097 * to hold the data just about to be passed to the kernel
1098 * sendBuf in the ConnectInfo maintained by sslcon.c is used
1099 * to hold handshake messages as they are accumulated
1100 */
1101
1102 /*
1103 ** This is "ci", as in "ss->sec.ci".
1104 **
1105 ** Protection: All the variables in here are protected by
1106 ** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock
1107 */
1108 struct sslConnectInfoStr {
1109 /* outgoing handshakes appended to this. */
1110 sslBuffer sendBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
1111
1112 PRIPv6Addr peer; /* ssl 2 & 3 */
1113 unsigned short port; /* ssl 2 & 3 */
1114
1115 sslSessionID *sid; /* ssl 2 & 3 */
1116
1117 /* see CIS_HAVE defines below for the bit values in *elements. */
1118 char elements; /* ssl2 only */
1119 char requiredElements; /* ssl2 only */
1120 char sentElements; /* ssl2 only */
1121
1122 char sentFinished; /* ssl2 only */
1123
1124 /* Length of server challenge. Used by client when saving challenge */
1125 int serverChallengeLen; /* ssl2 only */
1126 /* type of authentication requested by server */
1127 unsigned char authType; /* ssl2 only */
1128
1129 /* Challenge sent by client to server in client-hello message */
1130 /* SSL3 gets a copy of this. See ssl3_StartHandshakeHash(). */
1131 unsigned char clientChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl 2 & 3 */
1132
1133 /* Connection-id sent by server to client in server-hello message */
1134 unsigned char connectionID[SSL_CONNECTIONID_BYTES]; /* ssl2 only */
1135
1136 /* Challenge sent by server to client in request-certificate message */
1137 unsigned char serverChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl2 only */
1138
1139 /* Information kept to handle a request-certificate message */
1140 unsigned char readKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */
1141 unsigned char writeKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */
1142 unsigned keySize; /* ssl2 only */
1143 };
1144
1145 /* bit values for ci->elements, ci->requiredElements, sentElements. */
1146 #define CIS_HAVE_MASTER_KEY 0x01
1147 #define CIS_HAVE_CERTIFICATE 0x02
1148 #define CIS_HAVE_FINISHED 0x04
1149 #define CIS_HAVE_VERIFY 0x08
1150
1151 /* Note: The entire content of this struct and whatever it points to gets
1152 * blown away by SSL_ResetHandshake(). This is "sec" as in "ss->sec".
1153 *
1154 * Unless otherwise specified below, the contents of this struct are
1155 * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock.
1156 */
1157 struct sslSecurityInfoStr {
1158 sslSendFunc send; /*xmitBufLock*/ /* ssl 2 & 3 */
1159 int isServer; /* Spec Lock?*/ /* ssl 2 & 3 */
1160 sslBuffer writeBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
1161
1162 int cipherType; /* ssl 2 & 3 */
1163 int keyBits; /* ssl 2 & 3 */
1164 int secretKeyBits; /* ssl 2 & 3 */
1165 CERTCertificate *localCert; /* ssl 2 & 3 */
1166 CERTCertificate *peerCert; /* ssl 2 & 3 */
1167 SECKEYPublicKey *peerKey; /* ssl3 only */
1168
1169 SSLSignType authAlgorithm;
1170 PRUint32 authKeyBits;
1171 SSLKEAType keaType;
1172 PRUint32 keaKeyBits;
1173
1174 /*
1175 ** Procs used for SID cache (nonce) management.
1176 ** Different implementations exist for clients/servers
1177 ** The lookup proc is only used for servers. Baloney!
1178 */
1179 sslSessionIDCacheFunc cache; /* ssl 2 & 3 */
1180 sslSessionIDUncacheFunc uncache; /* ssl 2 & 3 */
1181
1182 /*
1183 ** everything below here is for ssl2 only.
1184 ** This stuff is equivalent to SSL3's "spec", and is protected by the
1185 ** same "Spec Lock" as used for SSL3's specs.
1186 */
1187 PRUint32 sendSequence; /*xmitBufLock*/ /* ssl2 only */
1188 PRUint32 rcvSequence; /*recvBufLock*/ /* ssl2 only */
1189
1190 /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */
1191 const SECHashObject *hash; /* Spec Lock */ /* ssl2 only */
1192 void *hashcx; /* Spec Lock */ /* ssl2 only */
1193
1194 SECItem sendSecret; /* Spec Lock */ /* ssl2 only */
1195 SECItem rcvSecret; /* Spec Lock */ /* ssl2 only */
1196
1197 /* Session cypher contexts; one for each direction */
1198 void *readcx; /* Spec Lock */ /* ssl2 only */
1199 void *writecx; /* Spec Lock */ /* ssl2 only */
1200 SSLCipher enc; /* Spec Lock */ /* ssl2 only */
1201 SSLCipher dec; /* Spec Lock */ /* ssl2 only */
1202 void (*destroy)(void *, PRBool); /* Spec Lock */ /* ssl2 only */
1203
1204 /* Blocking information for the session cypher */
1205 int blockShift; /* Spec Lock */ /* ssl2 only */
1206 int blockSize; /* Spec Lock */ /* ssl2 only */
1207
1208 /* These are used during a connection handshake */
1209 sslConnectInfo ci; /* ssl 2 & 3 */
1210
1211 };
1212
1213 /*
1214 ** SSL Socket struct
1215 **
1216 ** Protection: XXX
1217 */
1218 struct sslSocketStr {
1219 PRFileDesc * fd;
1220
1221 /* Pointer to operations vector for this socket */
1222 const sslSocketOps * ops;
1223
1224 /* SSL socket options */
1225 sslOptions opt;
1226 /* Enabled version range */
1227 SSLVersionRange vrange;
1228
1229 /* State flags */
1230 unsigned long clientAuthRequested;
1231 unsigned long delayDisabled; /* Nagle delay disabled */
1232 unsigned long firstHsDone; /* first handshake is complete. */
1233 unsigned long enoughFirstHsDone; /* enough of the first handshake is
1234 * done for callbacks to be able to
1235 * retrieve channel security
1236 * parameters from the SSL socket. */
1237 unsigned long handshakeBegun;
1238 unsigned long lastWriteBlocked;
1239 unsigned long recvdCloseNotify; /* received SSL EOF. */
1240 unsigned long TCPconnected;
1241 unsigned long appDataBuffered;
1242 unsigned long peerRequestedProtection; /* from old renegotiation */
1243
1244 /* version of the protocol to use */
1245 SSL3ProtocolVersion version;
1246 SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */
1247
1248 sslSecurityInfo sec; /* not a pointer any more */
1249
1250 /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */
1251 const char *url; /* ssl 2 & 3 */
1252
1253 sslHandshakeFunc handshake; /*firstHandshakeLock*/
1254 sslHandshakeFunc nextHandshake; /*firstHandshakeLock*/
1255 sslHandshakeFunc securityHandshake; /*firstHandshakeLock*/
1256
1257 /* the following variable is only used with socks or other proxies. */
1258 char * peerID; /* String uniquely identifies target server. */
1259
1260 unsigned char * cipherSpecs;
1261 unsigned int sizeCipherSpecs;
1262 const unsigned char * preferredCipher;
1263
1264 /* TLS ClientCertificateTypes requested during HandleCertificateRequest. */
1265 /* Will be NULL at all other times. */
1266 const SECItem *requestedCertTypes;
1267
1268 ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */
1269
1270 /* Callbacks */
1271 SSLAuthCertificate authCertificate;
1272 void *authCertificateArg;
1273 SSLGetClientAuthData getClientAuthData;
1274 void *getClientAuthDataArg;
1275 #ifdef NSS_PLATFORM_CLIENT_AUTH
1276 SSLGetPlatformClientAuthData getPlatformClientAuthData;
1277 void *getPlatformClientAuthDataArg;
1278 #endif /* NSS_PLATFORM_CLIENT_AUTH */
1279 SSLSNISocketConfig sniSocketConfig;
1280 void *sniSocketConfigArg;
1281 SSLBadCertHandler handleBadCert;
1282 void *badCertArg;
1283 SSLHandshakeCallback handshakeCallback;
1284 void *handshakeCallbackData;
1285 SSLCanFalseStartCallback canFalseStartCallback;
1286 void *canFalseStartCallbackData;
1287 void *pkcs11PinArg;
1288 SSLNextProtoCallback nextProtoCallback;
1289 void *nextProtoArg;
1290 SSLClientChannelIDCallback getChannelID;
1291 void *getChannelIDArg;
1292
1293 PRIntervalTime rTimeout; /* timeout for NSPR I/O */
1294 PRIntervalTime wTimeout; /* timeout for NSPR I/O */
1295 PRIntervalTime cTimeout; /* timeout for NSPR I/O */
1296
1297 PZLock * recvLock; /* lock against multiple reader threads. */
1298 PZLock * sendLock; /* lock against multiple sender threads. */
1299
1300 PZMonitor * recvBufLock; /* locks low level recv buffers. */
1301 PZMonitor * xmitBufLock; /* locks low level xmit buffers. */
1302
1303 /* Only one thread may operate on the socket until the initial handshake
1304 ** is complete. This Monitor ensures that. Since SSL2 handshake is
1305 ** only done once, this is also effectively the SSL2 handshake lock.
1306 */
1307 PZMonitor * firstHandshakeLock;
1308
1309 /* This monitor protects the ssl3 handshake state machine data.
1310 ** Only one thread (reader or writer) may be in the ssl3 handshake state
1311 ** machine at any time. */
1312 PZMonitor * ssl3HandshakeLock;
1313
1314 /* reader/writer lock, protects the secret data needed to encrypt and MAC
1315 ** outgoing records, and to decrypt and MAC check incoming ciphertext
1316 ** records. */
1317 NSSRWLock * specLock;
1318
1319 /* handle to perm cert db (and implicitly to the temp cert db) used
1320 ** with this socket.
1321 */
1322 CERTCertDBHandle * dbHandle;
1323
1324 PRThread * writerThread; /* thread holds SSL_LOCK_WRITER lock */
1325
1326 PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */
1327
1328 PRUint16 allowedByPolicy; /* copy of global policy bits. */
1329 PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */
1330 PRUint16 chosenPreference; /* SSL2 cipher preferences. */
1331
1332 sslHandshakingType handshaking;
1333
1334 /* Gather object used for gathering data */
1335 sslGather gs; /*recvBufLock*/
1336
1337 sslBuffer saveBuf; /*xmitBufLock*/
1338 sslBuffer pendingBuf; /*xmitBufLock*/
1339
1340 /* Configuration state for server sockets */
1341 /* server cert and key for each KEA type */
1342 sslServerCerts serverCerts[kt_kea_size];
1343 /* each cert needs its own status */
1344 SECItemArray * certStatusArray[kt_kea_size];
1345
1346 ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];
1347 ssl3KeyPair * ephemeralECDHKeyPair; /* for ECDHE-* handshake */
1348
1349 /* SSL3 state info. Formerly was a pointer */
1350 ssl3State ssl3;
1351
1352 /*
1353 * TLS extension related data.
1354 */
1355 /* True when the current session is a stateless resume. */
1356 PRBool statelessResume;
1357 TLSExtensionData xtnData;
1358
1359 /* Whether we are doing stream or datagram mode */
1360 SSLProtocolVariant protocolVariant;
1361 };
1362
1363
1364
1365 /* All the global data items declared here should be protected using the
1366 ** ssl_global_data_lock, which is a reader/writer lock.
1367 */
1368 extern NSSRWLock * ssl_global_data_lock;
1369 extern char ssl_debug;
1370 extern char ssl_trace;
1371 extern FILE * ssl_trace_iob;
1372 extern FILE * ssl_keylog_iob;
1373 extern CERTDistNames * ssl3_server_ca_list;
1374 extern PRUint32 ssl_sid_timeout;
1375 extern PRUint32 ssl3_sid_timeout;
1376
1377 extern const char * const ssl_cipherName[];
1378 extern const char * const ssl3_cipherName[];
1379
1380 extern sslSessionIDLookupFunc ssl_sid_lookup;
1381 extern sslSessionIDCacheFunc ssl_sid_cache;
1382 extern sslSessionIDUncacheFunc ssl_sid_uncache;
1383
1384 /************************************************************************/
1385
1386 SEC_BEGIN_PROTOS
1387
1388 /* Functions for handling SECItemArrays, added in NSS 3.15 */
1389 extern SECItemArray *SECITEM_AllocArray(PLArenaPool *arena,
1390 SECItemArray *array,
1391 unsigned int len);
1392 extern SECItemArray *SECITEM_DupArray(PLArenaPool *arena,
1393 const SECItemArray *from);
1394 extern void SECITEM_FreeArray(SECItemArray *array, PRBool freeit);
1395 extern void SECITEM_ZfreeArray(SECItemArray *array, PRBool freeit);
1396
1397 /* Internal initialization and installation of the SSL error tables */
1398 extern SECStatus ssl_Init(void);
1399 extern SECStatus ssl_InitializePRErrorTable(void);
1400
1401 /* Implementation of ops for default (non socks, non secure) case */
1402 extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr);
1403 extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr);
1404 extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr);
1405 extern int ssl_DefListen(sslSocket *ss, int backlog);
1406 extern int ssl_DefShutdown(sslSocket *ss, int how);
1407 extern int ssl_DefClose(sslSocket *ss);
1408 extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
1409 extern int ssl_DefSend(sslSocket *ss, const unsigned char *buf,
1410 int len, int flags);
1411 extern int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len);
1412 extern int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len);
1413 extern int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name);
1414 extern int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name);
1415 extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname,
1416 void *optval, PRInt32 *optlen);
1417 extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname,
1418 const void *optval, PRInt32 optlen);
1419
1420 /* Implementation of ops for socks only case */
1421 extern int ssl_SocksConnect(sslSocket *ss, const PRNetAddr *addr);
1422 extern PRFileDesc *ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr);
1423 extern int ssl_SocksBind(sslSocket *ss, const PRNetAddr *addr);
1424 extern int ssl_SocksListen(sslSocket *ss, int backlog);
1425 extern int ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name);
1426 extern int ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
1427 extern int ssl_SocksSend(sslSocket *ss, const unsigned char *buf,
1428 int len, int flags);
1429 extern int ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len);
1430 extern int ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len);
1431
1432 /* Implementation of ops for secure only case */
1433 extern int ssl_SecureConnect(sslSocket *ss, const PRNetAddr *addr);
1434 extern PRFileDesc *ssl_SecureAccept(sslSocket *ss, PRNetAddr *addr);
1435 extern int ssl_SecureRecv(sslSocket *ss, unsigned char *buf,
1436 int len, int flags);
1437 extern int ssl_SecureSend(sslSocket *ss, const unsigned char *buf,
1438 int len, int flags);
1439 extern int ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len);
1440 extern int ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len);
1441 extern int ssl_SecureShutdown(sslSocket *ss, int how);
1442 extern int ssl_SecureClose(sslSocket *ss);
1443
1444 /* Implementation of ops for secure socks case */
1445 extern int ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *addr);
1446 extern PRFileDesc *ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr);
1447 extern PRFileDesc *ssl_FindTop(sslSocket *ss);
1448
1449 /* Gather funcs. */
1450 extern sslGather * ssl_NewGather(void);
1451 extern SECStatus ssl_InitGather(sslGather *gs);
1452 extern void ssl_DestroyGather(sslGather *gs);
1453 extern int ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags);
1454 extern int ssl2_GatherRecord(sslSocket *ss, int flags);
1455 extern SECStatus ssl_GatherRecord1stHandshake(sslSocket *ss);
1456
1457 extern SECStatus ssl2_HandleClientHelloMessage(sslSocket *ss);
1458 extern SECStatus ssl2_HandleServerHelloMessage(sslSocket *ss);
1459 extern int ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs,
1460 unsigned int count);
1461
1462 extern SECStatus ssl_CreateSecurityInfo(sslSocket *ss);
1463 extern SECStatus ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os);
1464 extern void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset);
1465 extern void ssl_DestroySecurityInfo(sslSecurityInfo *sec);
1466
1467 extern void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len);
1468 extern void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len);
1469
1470 extern int ssl_SendSavedWriteData(sslSocket *ss);
1471 extern SECStatus ssl_SaveWriteData(sslSocket *ss,
1472 const void* p, unsigned int l);
1473 extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss);
1474 extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss);
1475 extern int ssl_Do1stHandshake(sslSocket *ss);
1476
1477 extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen);
1478 extern SECStatus sslBuffer_Append(sslBuffer *b, const void * data,
1479 unsigned int len);
1480
1481 extern void ssl2_UseClearSendFunc(sslSocket *ss);
1482 extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec);
1483
1484 extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server);
1485 extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port,
1486 const char *peerID, const char *urlSvrName);
1487 extern void ssl_FreeSID(sslSessionID *sid);
1488
1489 extern int ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
1490 int len, int flags);
1491
1492 extern PRBool ssl_FdIsBlocking(PRFileDesc *fd);
1493
1494 extern PRBool ssl_SocketIsBlocking(sslSocket *ss);
1495
1496 extern void ssl3_SetAlwaysBlock(sslSocket *ss);
1497
1498 extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
1499
1500 extern void ssl_FinishHandshake(sslSocket *ss);
1501
1502 /* Returns PR_TRUE if we are still waiting for the server to respond to our
1503 * client second round. Once we've received any part of the server's second
1504 * round then we don't bother trying to false start since it is almost always
1505 * the case that the NewSessionTicket, ChangeCipherSoec, and Finished messages
1506 * were sent in the same packet and we want to process them all at the same
1507 * time. If we were to try to false start in the middle of the server's second
1508 * round, then we would increase the number of I/O operations
1509 * (SSL_ForceHandshake/PR_Recv/PR_Send/etc.) needed to finish the handshake.
1510 */
1511 extern PRBool ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss);
1512
1513 extern SECStatus
1514 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec,
1515 PRBool isServer,
1516 PRBool isDTLS,
1517 PRBool capRecordVersion,
1518 SSL3ContentType type,
1519 const SSL3Opaque * pIn,
1520 PRUint32 contentLen,
1521 sslBuffer * wrBuf);
1522 extern PRInt32 ssl3_SendRecord(sslSocket *ss, DTLSEpoch epoch,
1523 SSL3ContentType type,
1524 const SSL3Opaque* pIn, PRInt32 nIn,
1525 PRInt32 flags);
1526
1527 #ifdef NSS_ENABLE_ZLIB
1528 /*
1529 * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a
1530 * maximum TLS record payload of 2**14 bytes, that's 29 bytes.
1531 */
1532 #define SSL3_COMPRESSION_MAX_EXPANSION 29
1533 #else /* !NSS_ENABLE_ZLIB */
1534 #define SSL3_COMPRESSION_MAX_EXPANSION 0
1535 #endif
1536
1537 /*
1538 * make sure there is room in the write buffer for padding and
1539 * other compression and cryptographic expansions.
1540 */
1541 #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION
1542
1543 #define SSL_LOCK_READER(ss) if (ss->recvLock) PZ_Lock(ss->recvLock)
1544 #define SSL_UNLOCK_READER(ss) if (ss->recvLock) PZ_Unlock(ss->recvLock)
1545 #define SSL_LOCK_WRITER(ss) if (ss->sendLock) PZ_Lock(ss->sendLock)
1546 #define SSL_UNLOCK_WRITER(ss) if (ss->sendLock) PZ_Unlock(ss->sendLock)
1547
1548 /* firstHandshakeLock -> recvBufLock */
1549 #define ssl_Get1stHandshakeLock(ss) \
1550 { if (!ss->opt.noLocks) { \
1551 PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \
1552 !ssl_HaveRecvBufLock(ss)); \
1553 PZ_EnterMonitor((ss)->firstHandshakeLock); \
1554 } }
1555 #define ssl_Release1stHandshakeLock(ss) \
1556 { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
1557 #define ssl_Have1stHandshakeLock(ss) \
1558 (PZ_InMonitor((ss)->firstHandshakeLock))
1559
1560 /* ssl3HandshakeLock -> xmitBufLock */
1561 #define ssl_GetSSL3HandshakeLock(ss) \
1562 { if (!ss->opt.noLocks) { \
1563 PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
1564 PZ_EnterMonitor((ss)->ssl3HandshakeLock); \
1565 } }
1566 #define ssl_ReleaseSSL3HandshakeLock(ss) \
1567 { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
1568 #define ssl_HaveSSL3HandshakeLock(ss) \
1569 (PZ_InMonitor((ss)->ssl3HandshakeLock))
1570
1571 #define ssl_GetSpecReadLock(ss) \
1572 { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); }
1573 #define ssl_ReleaseSpecReadLock(ss) \
1574 { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
1575 /* NSSRWLock_HaveReadLock is not exported so there's no
1576 * ssl_HaveSpecReadLock macro. */
1577
1578 #define ssl_GetSpecWriteLock(ss) \
1579 { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); }
1580 #define ssl_ReleaseSpecWriteLock(ss) \
1581 { if (!ss->opt.noLocks) NSSRWLock_UnlockWrite((ss)->specLock); }
1582 #define ssl_HaveSpecWriteLock(ss) \
1583 (NSSRWLock_HaveWriteLock((ss)->specLock))
1584
1585 /* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */
1586 #define ssl_GetRecvBufLock(ss) \
1587 { if (!ss->opt.noLocks) { \
1588 PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \
1589 PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
1590 PZ_EnterMonitor((ss)->recvBufLock); \
1591 } }
1592 #define ssl_ReleaseRecvBufLock(ss) \
1593 { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
1594 #define ssl_HaveRecvBufLock(ss) \
1595 (PZ_InMonitor((ss)->recvBufLock))
1596
1597 /* xmitBufLock -> specLock */
1598 #define ssl_GetXmitBufLock(ss) \
1599 { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
1600 #define ssl_ReleaseXmitBufLock(ss) \
1601 { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); }
1602 #define ssl_HaveXmitBufLock(ss) \
1603 (PZ_InMonitor((ss)->xmitBufLock))
1604
1605 /* Placeholder value used in version ranges when SSL 3.0 and all
1606 * versions of TLS are disabled.
1607 */
1608 #define SSL_LIBRARY_VERSION_NONE 0
1609
1610 /* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version
1611 * of libssl supports. Applications should use SSL_VersionRangeGetSupported at
1612 * runtime to determine which versions are supported by the version of libssl
1613 * in use.
1614 */
1615 #define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_2
1616
1617 /* Rename this macro SSL_ALL_VERSIONS_DISABLED when SSL 2.0 is removed. */
1618 #define SSL3_ALL_VERSIONS_DISABLED(vrange) \
1619 ((vrange)->min == SSL_LIBRARY_VERSION_NONE)
1620
1621 extern PRBool ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
1622 SSL3ProtocolVersion version);
1623
1624 extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec * pwSpec,
1625 const unsigned char * cr, const unsigned char * sr,
1626 PRBool isTLS, PRBool isExport);
1627 extern SECStatus ssl3_MasterKeyDeriveBypass( ssl3CipherSpec * pwSpec,
1628 const unsigned char * cr, const unsigned char * sr,
1629 const SECItem * pms, PRBool isTLS, PRBool isRSA);
1630
1631 /* These functions are called from secnav, even though they're "private". */
1632
1633 extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error);
1634 extern sslSocket *ssl_FindSocket(PRFileDesc *fd);
1635 extern void ssl_FreeSocket(struct sslSocketStr *ssl);
1636 extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
1637 SSL3AlertDescription desc);
1638 extern SECStatus ssl3_DecodeError(sslSocket *ss);
1639
1640 extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
1641 CERTCertificate * cert,
1642 SECKEYPrivateKey * key,
1643 CERTCertificateList *certChain);
1644
1645 extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq(
1646 sslSocket *ss,
1647 SECKEYPublicKey *channelIDPub,
1648 SECKEYPrivateKey *channelID);
1649
1650 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
1651
1652 /*
1653 * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
1654 */
1655 extern SECStatus ssl3_HandleV2ClientHello(
1656 sslSocket *ss, unsigned char *buffer, int length);
1657 extern SECStatus ssl3_StartHandshakeHash(
1658 sslSocket *ss, unsigned char *buf, int length);
1659
1660 /*
1661 * SSL3 specific routines
1662 */
1663 SECStatus ssl3_SendClientHello(sslSocket *ss, PRBool resending);
1664
1665 /*
1666 * input into the SSL3 machinery from the actualy network reading code
1667 */
1668 SECStatus ssl3_HandleRecord(
1669 sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out);
1670
1671 int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
1672 int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags);
1673 /*
1674 * When talking to export clients or using export cipher suites, servers
1675 * with public RSA keys larger than 512 bits need to use a 512-bit public
1676 * key, signed by the larger key. The smaller key is a "step down" key.
1677 * Generate that key pair and keep it around.
1678 */
1679 extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
1680
1681 #ifdef NSS_ENABLE_ECC
1682 extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
1683 extern PRBool ssl3_IsECCEnabled(sslSocket *ss);
1684 extern SECStatus ssl3_DisableECCSuites(sslSocket * ss,
1685 const ssl3CipherSuite * suite);
1686 extern PRUint32 ssl3_GetSupportedECCurveMask(sslSocket *ss);
1687
1688
1689 /* Macro for finding a curve equivalent in strength to RSA key's */
1690 #define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \
1691 ((s <= 1024) ? 160 \
1692 : ((s <= 2048) ? 224 \
1693 : ((s <= 3072) ? 256 \
1694 : ((s <= 7168) ? 384 : 521 ) ) ) )
1695
1696 /* Types and names of elliptic curves used in TLS */
1697 typedef enum { ec_type_explicitPrime = 1,
1698 ec_type_explicitChar2Curve = 2,
1699 ec_type_named
1700 } ECType;
1701
1702 typedef enum { ec_noName = 0,
1703 ec_sect163k1 = 1,
1704 ec_sect163r1 = 2,
1705 ec_sect163r2 = 3,
1706 ec_sect193r1 = 4,
1707 ec_sect193r2 = 5,
1708 ec_sect233k1 = 6,
1709 ec_sect233r1 = 7,
1710 ec_sect239k1 = 8,
1711 ec_sect283k1 = 9,
1712 ec_sect283r1 = 10,
1713 ec_sect409k1 = 11,
1714 ec_sect409r1 = 12,
1715 ec_sect571k1 = 13,
1716 ec_sect571r1 = 14,
1717 ec_secp160k1 = 15,
1718 ec_secp160r1 = 16,
1719 ec_secp160r2 = 17,
1720 ec_secp192k1 = 18,
1721 ec_secp192r1 = 19,
1722 ec_secp224k1 = 20,
1723 ec_secp224r1 = 21,
1724 ec_secp256k1 = 22,
1725 ec_secp256r1 = 23,
1726 ec_secp384r1 = 24,
1727 ec_secp521r1 = 25,
1728 ec_pastLastName
1729 } ECName;
1730
1731 extern SECStatus ssl3_ECName2Params(PLArenaPool *arena, ECName curve,
1732 SECKEYECParams *params);
1733 ECName ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits);
1734
1735
1736 #endif /* NSS_ENABLE_ECC */
1737
1738 extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
1739 extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
1740 extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
1741 extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled);
1742
1743 extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
1744 extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
1745 extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
1746 extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
1747 extern SECStatus ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *cipher,
1748 unsigned int len);
1749
1750 extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
1751 extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
1752 extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
1753 extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
1754
1755 extern void ssl2_InitSocketPolicy(sslSocket *ss);
1756 extern void ssl3_InitSocketPolicy(sslSocket *ss);
1757
1758 extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
1759 unsigned char *cs, int *size);
1760
1761 extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
1762 extern SECStatus ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b,
1763 PRUint32 length);
1764
1765 extern void ssl3_DestroySSL3Info(sslSocket *ss);
1766
1767 extern SECStatus ssl3_NegotiateVersion(sslSocket *ss,
1768 SSL3ProtocolVersion peerVersion,
1769 PRBool allowLargerPeerVersion);
1770
1771 extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
1772
1773 #ifdef NSS_ENABLE_ECC
1774 /* ECDH functions */
1775 extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket * ss,
1776 SECKEYPublicKey * svrPubKey);
1777 extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss,
1778 SSL3Opaque *b, PRUint32 length);
1779 extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss,
1780 SSL3Opaque *b, PRUint32 length,
1781 SECKEYPublicKey *srvrPubKey,
1782 SECKEYPrivateKey *srvrPrivKey);
1783 extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss,
1784 const SSL3SignatureAndHashAlgorithm *sigAndHash);
1785 #endif
1786
1787 extern SECStatus ssl3_ComputeCommonKeyHash(SECOidTag hashAlg,
1788 PRUint8 * hashBuf,
1789 unsigned int bufLen, SSL3Hashes *hashes,
1790 PRBool bypassPKCS11);
1791 extern void ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName);
1792 extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms);
1793 extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src,
1794 PRInt32 bytes);
1795 extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss,
1796 SSL3HandshakeType t, PRUint32 length);
1797 extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num,
1798 PRInt32 lenSize);
1799 extern SECStatus ssl3_AppendHandshakeVariable( sslSocket *ss,
1800 const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize);
1801 extern SECStatus ssl3_AppendSignatureAndHashAlgorithm(sslSocket *ss,
1802 const SSL3SignatureAndHashAlgorithm* sigAndHash);
1803 extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes,
1804 SSL3Opaque **b, PRUint32 *length);
1805 extern PRInt32 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes,
1806 SSL3Opaque **b, PRUint32 *length);
1807 extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i,
1808 PRInt32 bytes, SSL3Opaque **b, PRUint32 *length);
1809 extern SECOidTag ssl3_TLSHashAlgorithmToOID(int hashFunc);
1810 extern SECStatus ssl3_CheckSignatureAndHashAlgorithmConsistency(
1811 const SSL3SignatureAndHashAlgorithm *sigAndHash,
1812 CERTCertificate* cert);
1813 extern SECStatus ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
1814 SSL3Opaque **b, PRUint32 *length,
1815 SSL3SignatureAndHashAlgorithm *out);
1816 extern SECStatus ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key,
1817 SECItem *buf, PRBool isTLS);
1818 extern SECStatus ssl3_VerifySignedHashes(SSL3Hashes *hash,
1819 CERTCertificate *cert, SECItem *buf, PRBool isTLS,
1820 void *pwArg);
1821 extern SECStatus ssl3_CacheWrappedMasterSecret(sslSocket *ss,
1822 sslSessionID *sid, ssl3CipherSpec *spec,
1823 SSL3KEAType effectiveExchKeyType);
1824
1825 /* Functions that handle ClientHello and ServerHello extensions. */
1826 extern SECStatus ssl3_HandleServerNameXtn(sslSocket * ss,
1827 PRUint16 ex_type, SECItem *data);
1828 extern SECStatus ssl3_HandleSupportedCurvesXtn(sslSocket * ss,
1829 PRUint16 ex_type, SECItem *data);
1830 extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss,
1831 PRUint16 ex_type, SECItem *data);
1832 extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
1833 PRUint16 ex_type, SECItem *data);
1834 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
1835 PRUint16 ex_type, SECItem *data);
1836
1837 /* ClientHello and ServerHello extension senders.
1838 * Note that not all extension senders are exposed here; only those that
1839 * that need exposure.
1840 */
1841 extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append,
1842 PRUint32 maxBytes);
1843
1844 /* ClientHello and ServerHello extension senders.
1845 * The code is in ssl3ext.c.
1846 */
1847 extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
1848 PRUint32 maxBytes);
1849
1850 /* Assigns new cert, cert chain and keys to ss->serverCerts
1851 * struct. If certChain is NULL, tries to find one. Aborts if
1852 * fails to do so. If cert and keyPair are NULL - unconfigures
1853 * sslSocket of kea type.*/
1854 extern SECStatus ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
1855 const CERTCertificateList *certChain,
1856 ssl3KeyPair *keyPair, SSLKEAType kea);
1857
1858 #ifdef NSS_ENABLE_ECC
1859 extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
1860 PRBool append, PRUint32 maxBytes);
1861 extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss,
1862 PRBool append, PRUint32 maxBytes);
1863 #endif
1864
1865 /* call the registered extension handlers. */
1866 extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss,
1867 SSL3Opaque **b, PRUint32 *length);
1868
1869 /* Hello Extension related routines. */
1870 extern PRBool ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type);
1871 extern void ssl3_SetSIDSessionTicket(sslSessionID *sid,
1872 /*in/out*/ NewSessionTicket *session_ticket);
1873 extern SECStatus ssl3_SendNewSessionTicket(sslSocket *ss);
1874 extern PRBool ssl_GetSessionTicketKeys(unsigned char *keyName,
1875 unsigned char *encKey, unsigned char *macKey);
1876 extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
1877 SECKEYPublicKey *svrPubKey, void *pwArg,
1878 unsigned char *keyName, PK11SymKey **aesKey,
1879 PK11SymKey **macKey);
1880
1881 /* Tell clients to consider tickets valid for this long. */
1882 #define TLS_EX_SESS_TICKET_LIFETIME_HINT (2 * 24 * 60 * 60) /* 2 days */
1883 #define TLS_EX_SESS_TICKET_VERSION (0x0100)
1884
1885 extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data,
1886 unsigned int length);
1887
1888 extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
1889 unsigned char *out,
1890 unsigned int *outLen,
1891 unsigned int outLenMax);
1892
1893 /* Construct a new NSPR socket for the app to use */
1894 extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
1895 extern void ssl_FreePRSocket(PRFileDesc *fd);
1896
1897 /* Internal config function so SSL3 can initialize the present state of
1898 * various ciphers */
1899 extern int ssl3_config_match_init(sslSocket *);
1900
1901
1902 /* Create a new ref counted key pair object from two keys. */
1903 extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey,
1904 SECKEYPublicKey * pubKey);
1905
1906 /* get a new reference (bump ref count) to an ssl3KeyPair. */
1907 extern ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair);
1908
1909 /* Decrement keypair's ref count and free if zero. */
1910 extern void ssl3_FreeKeyPair(ssl3KeyPair * keyPair);
1911
1912 /* calls for accessing wrapping keys across processes. */
1913 extern PRBool
1914 ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
1915 SSL3KEAType exchKeyType,
1916 SSLWrappedSymWrappingKey *wswk);
1917
1918 /* The caller passes in the new value it wants
1919 * to set. This code tests the wrapped sym key entry in the file on disk.
1920 * If it is uninitialized, this function writes the caller's value into
1921 * the disk entry, and returns false.
1922 * Otherwise, it overwrites the caller's wswk with the value obtained from
1923 * the disk, and returns PR_TRUE.
1924 * This is all done while holding the locks/semaphores necessary to make
1925 * the operation atomic.
1926 */
1927 extern PRBool
1928 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
1929
1930 /* get rid of the symmetric wrapping key references. */
1931 extern SECStatus SSL3_ShutdownServerCache(void);
1932
1933 extern SECStatus ssl_InitSymWrapKeysLock(void);
1934
1935 extern SECStatus ssl_FreeSymWrapKeysLock(void);
1936
1937 extern SECStatus ssl_InitSessionCacheLocks(void);
1938
1939 /***************** platform client auth ****************/
1940
1941 #ifdef NSS_PLATFORM_CLIENT_AUTH
1942 // Releases the platform key.
1943 extern void ssl_FreePlatformKey(PlatformKey key);
1944
1945 // Implement the client CertificateVerify message for SSL3/TLS1.0
1946 extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash,
1947 PlatformKey key, SECItem *buf,
1948 PRBool isTLS, KeyType keyType);
1949
1950 // Converts a CERTCertList* (A collection of CERTCertificates) into a
1951 // CERTCertificateList* (A collection of SECItems), or returns NULL if
1952 // it cannot be converted.
1953 // This is to allow the platform-supplied chain to be created with purely
1954 // public API functions, using the preferred CERTCertList mutators, rather
1955 // pushing this hack to clients.
1956 extern CERTCertificateList* hack_NewCertificateListFromCertList(
1957 CERTCertList* list);
1958 #endif /* NSS_PLATFORM_CLIENT_AUTH */
1959
1960 /**************** DTLS-specific functions **************/
1961 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg);
1962 extern void dtls_FreeQueuedMessages(PRCList *lst);
1963 extern void dtls_FreeHandshakeMessages(PRCList *lst);
1964
1965 extern SECStatus dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf);
1966 extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss,
1967 SSL3Opaque *b, PRUint32 length);
1968 extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss);
1969 extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
1970 const SSL3Opaque *pIn, PRInt32 nIn);
1971 extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
1972 extern SECStatus dtls_CompressMACEncryptRecord(sslSocket *ss,
1973 DTLSEpoch epoch,
1974 PRBool use_epoch,
1975 SSL3ContentType type,
1976 const SSL3Opaque *pIn,
1977 PRUint32 contentLen,
1978 sslBuffer *wrBuf);
1979 SECStatus ssl3_DisableNonDTLSSuites(sslSocket * ss);
1980 extern SECStatus dtls_StartTimer(sslSocket *ss, DTLSTimerCb cb);
1981 extern SECStatus dtls_RestartTimer(sslSocket *ss, PRBool backoff,
1982 DTLSTimerCb cb);
1983 extern void dtls_CheckTimer(sslSocket *ss);
1984 extern void dtls_CancelTimer(sslSocket *ss);
1985 extern void dtls_FinishedTimerCb(sslSocket *ss);
1986 extern void dtls_SetMTU(sslSocket *ss, PRUint16 advertised);
1987 extern void dtls_InitRecvdRecords(DTLSRecvdRecords *records);
1988 extern int dtls_RecordGetRecvd(DTLSRecvdRecords *records, PRUint64 seq);
1989 extern void dtls_RecordSetRecvd(DTLSRecvdRecords *records, PRUint64 seq);
1990 extern void dtls_RehandshakeCleanup(sslSocket *ss);
1991 extern SSL3ProtocolVersion
1992 dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv);
1993 extern SSL3ProtocolVersion
1994 dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv);
1995
1996 /********************** misc calls *********************/
1997
1998 #ifdef DEBUG
1999 extern void ssl3_CheckCipherSuiteOrderConsistency();
2000 #endif
2001
2002 extern int ssl_MapLowLevelError(int hiLevelError);
2003
2004 extern PRUint32 ssl_Time(void);
2005
2006 extern void SSL_AtomicIncrementLong(long * x);
2007
2008 SECStatus SSL_DisableDefaultExportCipherSuites(void);
2009 SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
2010 PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite);
2011
2012 extern SECStatus
2013 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec,
2014 const char *label, unsigned int labelLen,
2015 const unsigned char *val, unsigned int valLen,
2016 unsigned char *out, unsigned int outLen);
2017
2018 #ifdef TRACE
2019 #define SSL_TRACE(msg) ssl_Trace msg
2020 #else
2021 #define SSL_TRACE(msg)
2022 #endif
2023
2024 void ssl_Trace(const char *format, ...);
2025
2026 SEC_END_PROTOS
2027
2028 #if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
2029 #define SSL_GETPID getpid
2030 #elif defined(WIN32)
2031 extern int __cdecl _getpid(void);
2032 #define SSL_GETPID _getpid
2033 #else
2034 #define SSL_GETPID() 0
2035 #endif
2036
2037 #endif /* __sslimpl_h_ */