search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / net / third_party / nss / ssl / sslimpl.h
blobefcbf9faddcb17bbe70a7b430c26b9a0af7da817
1 /*
2 * This file is PRIVATE to SSL and should be the first thing included by
3 * any SSL implementation file.
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8
9 #ifndef __sslimpl_h_
10 #define __sslimpl_h_
11
12 #ifdef DEBUG
13 #undef NDEBUG
14 #else
15 #undef NDEBUG
16 #define NDEBUG
17 #endif
18 #include "secport.h"
19 #include "secerr.h"
20 #include "sslerr.h"
21 #include "ssl3prot.h"
22 #include "hasht.h"
23 #include "keythi.h"
24 #include "nssilock.h"
25 #include "pkcs11t.h"
26 #if defined(XP_UNIX) || defined(XP_BEOS)
27 #include "unistd.h"
28 #endif
29 #include "nssrwlk.h"
30 #include "prthread.h"
31 #include "prclist.h"
32
33 #include "sslt.h" /* for some formerly private types, now public */
34
35 #ifdef NSS_PLATFORM_CLIENT_AUTH
36 #if defined(XP_WIN32)
37 #include <windows.h>
38 #include <wincrypt.h>
39 #elif defined(XP_MACOSX)
40 #include <Security/Security.h>
41 #endif
42 #endif
43
44 /* to make some of these old enums public without namespace pollution,
45 ** it was necessary to prepend ssl_ to the names.
46 ** These #defines preserve compatibility with the old code here in libssl.
47 */
48 typedef SSLKEAType SSL3KEAType;
49 typedef SSLMACAlgorithm SSL3MACAlgorithm;
50 typedef SSLSignType SSL3SignType;
51
52 #define sign_null ssl_sign_null
53 #define sign_rsa ssl_sign_rsa
54 #define sign_dsa ssl_sign_dsa
55 #define sign_ecdsa ssl_sign_ecdsa
56
57 #define calg_null ssl_calg_null
58 #define calg_rc4 ssl_calg_rc4
59 #define calg_rc2 ssl_calg_rc2
60 #define calg_des ssl_calg_des
61 #define calg_3des ssl_calg_3des
62 #define calg_idea ssl_calg_idea
63 #define calg_fortezza ssl_calg_fortezza /* deprecated, must preserve */
64 #define calg_aes ssl_calg_aes
65 #define calg_camellia ssl_calg_camellia
66 #define calg_seed ssl_calg_seed
67 #define calg_aes_gcm ssl_calg_aes_gcm
68 #define calg_chacha20 ssl_calg_chacha20
69
70 #define mac_null ssl_mac_null
71 #define mac_md5 ssl_mac_md5
72 #define mac_sha ssl_mac_sha
73 #define hmac_md5 ssl_hmac_md5
74 #define hmac_sha ssl_hmac_sha
75 #define hmac_sha256 ssl_hmac_sha256
76 #define mac_aead ssl_mac_aead
77
78 #define SET_ERROR_CODE /* reminder */
79 #define SEND_ALERT /* reminder */
80 #define TEST_FOR_FAILURE /* reminder */
81 #define DEAL_WITH_FAILURE /* reminder */
82
83 #if defined(DEBUG) || defined(TRACE)
84 #ifdef __cplusplus
85 #define Debug 1
86 #else
87 extern int Debug;
88 #endif
89 #else
90 #undef Debug
91 #endif
92
93 #if defined(DEBUG) && !defined(TRACE) && !defined(NISCC_TEST)
94 #define TRACE
95 #endif
96
97 #ifdef TRACE
98 #define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b
99 #define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b
100 #define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b
101 #else
102 #define SSL_TRC(a,b)
103 #define PRINT_BUF(a,b)
104 #define DUMP_MSG(a,b)
105 #endif
106
107 #ifdef DEBUG
108 #define SSL_DBG(b) if (ssl_debug) ssl_Trace b
109 #else
110 #define SSL_DBG(b)
111 #endif
112
113 #include "private/pprthred.h" /* for PR_InMonitor() */
114 #define ssl_InMonitor(m) PZ_InMonitor(m)
115
116 #define LSB(x) ((unsigned char) ((x) & 0xff))
117 #define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8))
118
119 /************************************************************************/
120
121 typedef enum { SSLAppOpRead = 0,
122 SSLAppOpWrite,
123 SSLAppOpRDWR,
124 SSLAppOpPost,
125 SSLAppOpHeader
126 } SSLAppOperation;
127
128 #define SSL_MIN_MASTER_KEY_BYTES 5
129 #define SSL_MAX_MASTER_KEY_BYTES 64
130
131 #define SSL2_SESSIONID_BYTES 16
132 #define SSL3_SESSIONID_BYTES 32
133
134 #define SSL_MIN_CHALLENGE_BYTES 16
135 #define SSL_MAX_CHALLENGE_BYTES 32
136 #define SSL_CHALLENGE_BYTES 16
137
138 #define SSL_CONNECTIONID_BYTES 16
139
140 #define SSL_MIN_CYPHER_ARG_BYTES 0
141 #define SSL_MAX_CYPHER_ARG_BYTES 32
142
143 #define SSL_MAX_MAC_BYTES 16
144
145 #define SSL3_RSA_PMS_LENGTH 48
146 #define SSL3_MASTER_SECRET_LENGTH 48
147
148 /* number of wrap mechanisms potentially used to wrap master secrets. */
149 #define SSL_NUM_WRAP_MECHS 16
150
151 /* This makes the cert cache entry exactly 4k. */
152 #define SSL_MAX_CACHED_CERT_LEN 4060
153
154 #define NUM_MIXERS 9
155
156 /* Mask of the 25 named curves we support. */
157 #define SSL3_ALL_SUPPORTED_CURVES_MASK 0x3fffffe
158 /* Mask of only 3 curves, suite B */
159 #define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000
160
161 #ifndef BPB
162 #define BPB 8 /* Bits Per Byte */
163 #endif
164
165 #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
166
167 #define INITIAL_DTLS_TIMEOUT_MS 1000 /* Default value from RFC 4347 = 1s*/
168 #define MAX_DTLS_TIMEOUT_MS 60000 /* 1 minute */
169 #define DTLS_FINISHED_TIMER_MS 120000 /* Time to wait in FINISHED state */
170
171 typedef struct sslBufferStr sslBuffer;
172 typedef struct sslConnectInfoStr sslConnectInfo;
173 typedef struct sslGatherStr sslGather;
174 typedef struct sslSecurityInfoStr sslSecurityInfo;
175 typedef struct sslSessionIDStr sslSessionID;
176 typedef struct sslSocketStr sslSocket;
177 typedef struct sslSocketOpsStr sslSocketOps;
178
179 typedef struct ssl3StateStr ssl3State;
180 typedef struct ssl3CertNodeStr ssl3CertNode;
181 typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef;
182 typedef struct ssl3MACDefStr ssl3MACDef;
183 typedef struct ssl3KeyPairStr ssl3KeyPair;
184
185 struct ssl3CertNodeStr {
186 struct ssl3CertNodeStr *next;
187 CERTCertificate * cert;
188 };
189
190 typedef SECStatus (*sslHandshakeFunc)(sslSocket *ss);
191
192 /* This type points to the low layer send func,
193 ** e.g. ssl2_SendStream or ssl3_SendPlainText.
194 ** These functions return the same values as PR_Send,
195 ** i.e. >= 0 means number of bytes sent, < 0 means error.
196 */
197 typedef PRInt32 (*sslSendFunc)(sslSocket *ss, const unsigned char *buf,
198 PRInt32 n, PRInt32 flags);
199
200 typedef void (*sslSessionIDCacheFunc) (sslSessionID *sid);
201 typedef void (*sslSessionIDUncacheFunc)(sslSessionID *sid);
202 typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr *addr,
203 unsigned char* sid,
204 unsigned int sidLen,
205 CERTCertDBHandle * dbHandle);
206
207 /* registerable callback function that either appends extension to buffer
208 * or returns length of data that it would have appended.
209 */
210 typedef PRInt32 (*ssl3HelloExtensionSenderFunc)(sslSocket *ss, PRBool append,
211 PRUint32 maxBytes);
212
213 /* registerable callback function that handles a received extension,
214 * of the given type.
215 */
216 typedef SECStatus (* ssl3HelloExtensionHandlerFunc)(sslSocket *ss,
217 PRUint16 ex_type,
218 SECItem * data);
219
220 /* row in a table of hello extension senders */
221 typedef struct {
222 PRInt32 ex_type;
223 ssl3HelloExtensionSenderFunc ex_sender;
224 } ssl3HelloExtensionSender;
225
226 /* row in a table of hello extension handlers */
227 typedef struct {
228 PRInt32 ex_type;
229 ssl3HelloExtensionHandlerFunc ex_handler;
230 } ssl3HelloExtensionHandler;
231
232 extern SECStatus
233 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
234 ssl3HelloExtensionSenderFunc cb);
235
236 extern PRInt32
237 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
238 const ssl3HelloExtensionSender *sender);
239
240 extern unsigned int
241 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength);
242
243 extern PRInt32
244 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
245 PRUint32 maxBytes);
246
247 /* Socket ops */
248 struct sslSocketOpsStr {
249 int (*connect) (sslSocket *, const PRNetAddr *);
250 PRFileDesc *(*accept) (sslSocket *, PRNetAddr *);
251 int (*bind) (sslSocket *, const PRNetAddr *);
252 int (*listen) (sslSocket *, int);
253 int (*shutdown)(sslSocket *, int);
254 int (*close) (sslSocket *);
255
256 int (*recv) (sslSocket *, unsigned char *, int, int);
257
258 /* points to the higher-layer send func, e.g. ssl_SecureSend. */
259 int (*send) (sslSocket *, const unsigned char *, int, int);
260 int (*read) (sslSocket *, unsigned char *, int);
261 int (*write) (sslSocket *, const unsigned char *, int);
262
263 int (*getpeername)(sslSocket *, PRNetAddr *);
264 int (*getsockname)(sslSocket *, PRNetAddr *);
265 };
266
267 /* Flags interpreted by ssl send functions. */
268 #define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000
269 #define ssl_SEND_FLAG_NO_BUFFER 0x20000000
270 #define ssl_SEND_FLAG_USE_EPOCH 0x10000000 /* DTLS only */
271 #define ssl_SEND_FLAG_NO_RETRANSMIT 0x08000000 /* DTLS only */
272 #define ssl_SEND_FLAG_CAP_RECORD_VERSION \
273 0x04000000 /* TLS only */
274 #define ssl_SEND_FLAG_MASK 0x7f000000
275
276 /*
277 ** A buffer object.
278 */
279 struct sslBufferStr {
280 unsigned char * buf;
281 unsigned int len;
282 unsigned int space;
283 };
284
285 /*
286 ** SSL3 cipher suite policy and preference struct.
287 */
288 typedef struct {
289 #if !defined(_WIN32)
290 unsigned int cipher_suite : 16;
291 unsigned int policy : 8;
292 unsigned int enabled : 1;
293 unsigned int isPresent : 1;
294 #else
295 ssl3CipherSuite cipher_suite;
296 PRUint8 policy;
297 unsigned char enabled : 1;
298 unsigned char isPresent : 1;
299 #endif
300 } ssl3CipherSuiteCfg;
301
302 #ifndef NSS_DISABLE_ECC
303 #define ssl_V3_SUITES_IMPLEMENTED 63
304 #else
305 #define ssl_V3_SUITES_IMPLEMENTED 37
306 #endif /* NSS_DISABLE_ECC */
307
308 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
309
310 typedef struct sslOptionsStr {
311 /* If SSL_SetNextProtoNego has been called, then this contains the
312 * list of supported protocols. */
313 SECItem nextProtoNego;
314
315 unsigned int useSecurity : 1; /* 1 */
316 unsigned int useSocks : 1; /* 2 */
317 unsigned int requestCertificate : 1; /* 3 */
318 unsigned int requireCertificate : 2; /* 4-5 */
319 unsigned int handshakeAsClient : 1; /* 6 */
320 unsigned int handshakeAsServer : 1; /* 7 */
321 unsigned int enableSSL2 : 1; /* 8 */
322 unsigned int unusedBit9 : 1; /* 9 */
323 unsigned int unusedBit10 : 1; /* 10 */
324 unsigned int noCache : 1; /* 11 */
325 unsigned int fdx : 1; /* 12 */
326 unsigned int v2CompatibleHello : 1; /* 13 */
327 unsigned int detectRollBack : 1; /* 14 */
328 unsigned int noStepDown : 1; /* 15 */
329 unsigned int bypassPKCS11 : 1; /* 16 */
330 unsigned int noLocks : 1; /* 17 */
331 unsigned int enableSessionTickets : 1; /* 18 */
332 unsigned int enableDeflate : 1; /* 19 */
333 unsigned int enableRenegotiation : 2; /* 20-21 */
334 unsigned int requireSafeNegotiation : 1; /* 22 */
335 unsigned int enableFalseStart : 1; /* 23 */
336 unsigned int cbcRandomIV : 1; /* 24 */
337 unsigned int enableOCSPStapling : 1; /* 25 */
338 unsigned int enableNPN : 1; /* 26 */
339 unsigned int enableALPN : 1; /* 27 */
340 unsigned int reuseServerECDHEKey : 1; /* 28 */
341 unsigned int enableFallbackSCSV : 1; /* 29 */
342 unsigned int enableSignedCertTimestamps : 1; /* 30 */
343 } sslOptions;
344
345 typedef enum { sslHandshakingUndetermined = 0,
346 sslHandshakingAsClient,
347 sslHandshakingAsServer
348 } sslHandshakingType;
349
350 typedef struct sslServerCertsStr {
351 /* Configuration state for server sockets */
352 CERTCertificate * serverCert;
353 CERTCertificateList * serverCertChain;
354 ssl3KeyPair * serverKeyPair;
355 unsigned int serverKeyBits;
356 } sslServerCerts;
357
358 #define SERVERKEY serverKeyPair->privKey
359
360 #define SSL_LOCK_RANK_SPEC 255
361 #define SSL_LOCK_RANK_GLOBAL NSS_RWLOCK_RANK_NONE
362
363 /* These are the valid values for shutdownHow.
364 ** These values are each 1 greater than the NSPR values, and the code
365 ** depends on that relation to efficiently convert PR_SHUTDOWN values
366 ** into ssl_SHUTDOWN values. These values use one bit for read, and
367 ** another bit for write, and can be used as bitmasks.
368 */
369 #define ssl_SHUTDOWN_NONE 0 /* NOT shutdown at all */
370 #define ssl_SHUTDOWN_RCV 1 /* PR_SHUTDOWN_RCV +1 */
371 #define ssl_SHUTDOWN_SEND 2 /* PR_SHUTDOWN_SEND +1 */
372 #define ssl_SHUTDOWN_BOTH 3 /* PR_SHUTDOWN_BOTH +1 */
373
374 /*
375 ** A gather object. Used to read some data until a count has been
376 ** satisfied. Primarily for support of async sockets.
377 ** Everything in here is protected by the recvBufLock.
378 */
379 struct sslGatherStr {
380 int state; /* see GS_ values below. */ /* ssl 2 & 3 */
381
382 /* "buf" holds received plaintext SSL records, after decrypt and MAC check.
383 * SSL2: recv'd ciphertext records are put here, then decrypted in place.
384 * SSL3: recv'd ciphertext records are put in inbuf (see below), then
385 * decrypted into buf.
386 */
387 sslBuffer buf; /*recvBufLock*/ /* ssl 2 & 3 */
388
389 /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3).
390 ** (offset - writeOffset) is the number of ciphertext bytes read in but
391 ** not yet deciphered.
392 */
393 unsigned int offset; /* ssl 2 & 3 */
394
395 /* number of bytes to read in next call to ssl_DefRecv (recv) */
396 unsigned int remainder; /* ssl 2 & 3 */
397
398 /* Number of ciphertext bytes to read in after 2-byte SSL record header. */
399 unsigned int count; /* ssl2 only */
400
401 /* size of the final plaintext record.
402 ** == count - (recordPadding + MAC size)
403 */
404 unsigned int recordLen; /* ssl2 only */
405
406 /* number of bytes of padding to be removed after decrypting. */
407 /* This value is taken from the record's hdr[2], which means a too large
408 * value could crash us.
409 */
410 unsigned int recordPadding; /* ssl2 only */
411
412 /* plaintext DATA begins this many bytes into "buf". */
413 unsigned int recordOffset; /* ssl2 only */
414
415 int encrypted; /* SSL2 session is now encrypted. ssl2 only */
416
417 /* These next two values are used by SSL2 and SSL3.
418 ** DoRecv uses them to extract application data.
419 ** The difference between writeOffset and readOffset is the amount of
420 ** data available to the application. Note that the actual offset of
421 ** the data in "buf" is recordOffset (above), not readOffset.
422 ** In the current implementation, this is made available before the
423 ** MAC is checked!!
424 */
425 unsigned int readOffset; /* Spot where DATA reader (e.g. application
426 ** or handshake code) will read next.
427 ** Always zero for SSl3 application data.
428 */
429 /* offset in buf/inbuf/hdr into which new data will be read from socket. */
430 unsigned int writeOffset;
431
432 /* Buffer for ssl3 to read (encrypted) data from the socket */
433 sslBuffer inbuf; /*recvBufLock*/ /* ssl3 only */
434
435 /* The ssl[23]_GatherData functions read data into this buffer, rather
436 ** than into buf or inbuf, while in the GS_HEADER state.
437 ** The portion of the SSL record header put here always comes off the wire
438 ** as plaintext, never ciphertext.
439 ** For SSL2, the plaintext portion is two bytes long. For SSl3 it is 5.
440 ** For DTLS it is 13.
441 */
442 unsigned char hdr[13]; /* ssl 2 & 3 or dtls */
443
444 /* Buffer for DTLS data read off the wire as a single datagram */
445 sslBuffer dtlsPacket;
446
447 /* the start of the buffered DTLS record in dtlsPacket */
448 unsigned int dtlsPacketOffset;
449 };
450
451 /* sslGather.state */
452 #define GS_INIT 0
453 #define GS_HEADER 1
454 #define GS_MAC 2
455 #define GS_DATA 3
456 #define GS_PAD 4
457
458 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32)
459 typedef PCERT_KEY_CONTEXT PlatformKey;
460 #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX)
461 typedef SecKeyRef PlatformKey;
462 #else
463 typedef void *PlatformKey;
464 #endif
465
466
467
468 /*
469 ** ssl3State and CipherSpec structs
470 */
471
472 /* The SSL bulk cipher definition */
473 typedef enum {
474 cipher_null,
475 cipher_rc4,
476 cipher_rc4_40,
477 cipher_rc4_56,
478 cipher_rc2,
479 cipher_rc2_40,
480 cipher_des,
481 cipher_3des,
482 cipher_des40,
483 cipher_idea,
484 cipher_aes_128,
485 cipher_aes_256,
486 cipher_camellia_128,
487 cipher_camellia_256,
488 cipher_seed,
489 cipher_aes_128_gcm,
490 cipher_chacha20,
491 cipher_missing /* reserved for no such supported cipher */
492 /* This enum must match ssl3_cipherName[] in ssl3con.c. */
493 } SSL3BulkCipher;
494
495 typedef enum { type_stream, type_block, type_aead } CipherType;
496
497 #define MAX_IV_LENGTH 24
498
499 /*
500 * Do not depend upon 64 bit arithmetic in the underlying machine.
501 */
502 typedef struct {
503 PRUint32 high;
504 PRUint32 low;
505 } SSL3SequenceNumber;
506
507 typedef PRUint16 DTLSEpoch;
508
509 typedef void (*DTLSTimerCb)(sslSocket *);
510
511 #define MAX_MAC_CONTEXT_BYTES 400 /* 400 is large enough for MD5, SHA-1, and
512 * SHA-256. For SHA-384 support, increase
513 * it to 712. */
514 #define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8)
515
516 #define MAX_CIPHER_CONTEXT_BYTES 2080
517 #define MAX_CIPHER_CONTEXT_LLONGS (MAX_CIPHER_CONTEXT_BYTES / 8)
518
519 typedef struct {
520 SSL3Opaque wrapped_master_secret[48];
521 PRUint16 wrapped_master_secret_len;
522 PRUint8 msIsWrapped;
523 PRUint8 resumable;
524 } ssl3SidKeys; /* 52 bytes */
525
526 typedef struct {
527 PK11SymKey *write_key;
528 PK11SymKey *write_mac_key;
529 PK11Context *write_mac_context;
530 SECItem write_key_item;
531 SECItem write_iv_item;
532 SECItem write_mac_key_item;
533 SSL3Opaque write_iv[MAX_IV_LENGTH];
534 PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS];
535 } ssl3KeyMaterial;
536
537 typedef SECStatus (*SSLCipher)(void * context,
538 unsigned char * out,
539 int * outlen,
540 int maxout,
541 const unsigned char *in,
542 int inlen);
543 typedef SECStatus (*SSLAEADCipher)(
544 ssl3KeyMaterial * keys,
545 PRBool doDecrypt,
546 unsigned char * out,
547 int * outlen,
548 int maxout,
549 const unsigned char *in,
550 int inlen,
551 const unsigned char *additionalData,
552 int additionalDataLen);
553 typedef SECStatus (*SSLCompressor)(void * context,
554 unsigned char * out,
555 int * outlen,
556 int maxout,
557 const unsigned char *in,
558 int inlen);
559 typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
560
561 /* The DTLS anti-replay window. Defined here because we need it in
562 * the cipher spec. Note that this is a ring buffer but left and
563 * right represent the true window, with modular arithmetic used to
564 * map them onto the buffer.
565 */
566 #define DTLS_RECVD_RECORDS_WINDOW 1024 /* Packets; approximate
567 * Must be divisible by 8
568 */
569 typedef struct DTLSRecvdRecordsStr {
570 unsigned char data[DTLS_RECVD_RECORDS_WINDOW/8];
571 PRUint64 left;
572 PRUint64 right;
573 } DTLSRecvdRecords;
574
575 /*
576 ** These are the "specs" in the "ssl3" struct.
577 ** Access to the pointers to these specs, and all the specs' contents
578 ** (direct and indirect) is protected by the reader/writer lock ss->specLock.
579 */
580 typedef struct {
581 const ssl3BulkCipherDef *cipher_def;
582 const ssl3MACDef * mac_def;
583 SSLCompressionMethod compression_method;
584 int mac_size;
585 SSLCipher encode;
586 SSLCipher decode;
587 SSLAEADCipher aead;
588 SSLDestroy destroy;
589 void * encodeContext;
590 void * decodeContext;
591 SSLCompressor compressor; /* Don't name these fields compress */
592 SSLCompressor decompressor; /* and uncompress because zconf.h */
593 /* may define them as macros. */
594 SSLDestroy destroyCompressContext;
595 void * compressContext;
596 SSLDestroy destroyDecompressContext;
597 void * decompressContext;
598 PRBool bypassCiphers; /* did double bypass (at least) */
599 PK11SymKey * master_secret;
600 SSL3SequenceNumber write_seq_num;
601 SSL3SequenceNumber read_seq_num;
602 SSL3ProtocolVersion version;
603 ssl3KeyMaterial client;
604 ssl3KeyMaterial server;
605 SECItem msItem;
606 unsigned char key_block[NUM_MIXERS * MD5_LENGTH];
607 unsigned char raw_master_secret[56];
608 SECItem srvVirtName; /* for server: name that was negotiated
609 * with a client. For client - is
610 * always set to NULL.*/
611 DTLSEpoch epoch;
612 DTLSRecvdRecords recvdRecords;
613 } ssl3CipherSpec;
614
615 typedef enum { never_cached,
616 in_client_cache,
617 in_server_cache,
618 invalid_cache /* no longer in any cache. */
619 } Cached;
620
621 #define MAX_PEER_CERT_CHAIN_SIZE 8
622
623 struct sslSessionIDStr {
624 /* The global cache lock must be held when accessing these members when the
625 * sid is in any cache.
626 */
627 sslSessionID * next; /* chain used for client sockets, only */
628 Cached cached;
629 int references;
630 PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */
631
632 /* The rest of the members, except for the members of u.ssl3.locked, may
633 * be modified only when the sid is not in any cache.
634 */
635
636 CERTCertificate * peerCert;
637 CERTCertificate * peerCertChain[MAX_PEER_CERT_CHAIN_SIZE];
638 SECItemArray peerCertStatus; /* client only */
639 const char * peerID; /* client only */
640 const char * urlSvrName; /* client only */
641 CERTCertificate * localCert;
642
643 PRIPv6Addr addr;
644 PRUint16 port;
645
646 SSL3ProtocolVersion version;
647
648 PRUint32 creationTime; /* seconds since Jan 1, 1970 */
649 PRUint32 expirationTime; /* seconds since Jan 1, 1970 */
650
651 SSLSignType authAlgorithm;
652 PRUint32 authKeyBits;
653 SSLKEAType keaType;
654 PRUint32 keaKeyBits;
655
656 union {
657 struct {
658 /* the V2 code depends upon the size of sessionID. */
659 unsigned char sessionID[SSL2_SESSIONID_BYTES];
660
661 /* Stuff used to recreate key and read/write cipher objects */
662 SECItem masterKey; /* never wrapped */
663 int cipherType;
664 SECItem cipherArg;
665 int keyBits;
666 int secretKeyBits;
667 } ssl2;
668 struct {
669 /* values that are copied into the server's on-disk SID cache. */
670 PRUint8 sessionIDLength;
671 SSL3Opaque sessionID[SSL3_SESSIONID_BYTES];
672
673 ssl3CipherSuite cipherSuite;
674 SSLCompressionMethod compression;
675 int policy;
676 ssl3SidKeys keys;
677 CK_MECHANISM_TYPE masterWrapMech;
678 /* mechanism used to wrap master secret */
679 SSL3KEAType exchKeyType;
680 /* key type used in exchange algorithm,
681 * and to wrap the sym wrapping key. */
682 #ifndef NSS_DISABLE_ECC
683 PRUint32 negotiatedECCurves;
684 #endif /* NSS_DISABLE_ECC */
685
686 /* The following values are NOT restored from the server's on-disk
687 * session cache, but are restored from the client's cache.
688 */
689 PK11SymKey * clientWriteKey;
690 PK11SymKey * serverWriteKey;
691
692 /* The following values pertain to the slot that wrapped the
693 ** master secret. (used only in client)
694 */
695 SECMODModuleID masterModuleID;
696 /* what module wrapped the master secret */
697 CK_SLOT_ID masterSlotID;
698 PRUint16 masterWrapIndex;
699 /* what's the key index for the wrapping key */
700 PRUint16 masterWrapSeries;
701 /* keep track of the slot series, so we don't
702 * accidently try to use new keys after the
703 * card gets removed and replaced.*/
704
705 /* The following values pertain to the slot that did the signature
706 ** for client auth. (used only in client)
707 */
708 SECMODModuleID clAuthModuleID;
709 CK_SLOT_ID clAuthSlotID;
710 PRUint16 clAuthSeries;
711
712 char masterValid;
713 char clAuthValid;
714
715 SECItem srvName;
716
717 /* originalHandshakeHash contains the hash of the original, full
718 * handshake prior to the server's final flow. This is either a
719 * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for
720 * TLS 1.2). This is recorded and used only when ChannelID is
721 * negotiated as it's used to bind the ChannelID signature on the
722 * resumption handshake to the original handshake. */
723 SECItem originalHandshakeHash;
724
725 /* Signed certificate timestamps received in a TLS extension.
726 ** (used only in client).
727 */
728 SECItem signedCertTimestamps;
729
730 /* This lock is lazily initialized by CacheSID when a sid is first
731 * cached. Before then, there is no need to lock anything because
732 * the sid isn't being shared by anything.
733 */
734 NSSRWLock *lock;
735
736 /* The lock must be held while reading or writing these members
737 * because they change while the sid is cached.
738 */
739 struct {
740 /* The session ticket, if we have one, is sent as an extension
741 * in the ClientHello message. This field is used only by
742 * clients. It is protected by lock when lock is non-null
743 * (after the sid has been added to the client session cache).
744 */
745 NewSessionTicket sessionTicket;
746 } locked;
747 } ssl3;
748 } u;
749 };
750
751 typedef struct ssl3CipherSuiteDefStr {
752 ssl3CipherSuite cipher_suite;
753 SSL3BulkCipher bulk_cipher_alg;
754 SSL3MACAlgorithm mac_alg;
755 SSL3KeyExchangeAlgorithm key_exchange_alg;
756 } ssl3CipherSuiteDef;
757
758 /*
759 ** There are tables of these, all const.
760 */
761 typedef struct {
762 SSL3KeyExchangeAlgorithm kea;
763 SSL3KEAType exchKeyType;
764 SSL3SignType signKeyType;
765 /* For export cipher suites:
766 * is_limited identifies a suite as having a limit on the key size.
767 * key_size_limit provides the corresponding limit. */
768 PRBool is_limited;
769 int key_size_limit;
770 PRBool tls_keygen;
771 /* True if the key exchange for the suite can be ephemeral. Or to be more
772 * precise: true if the ServerKeyExchange message is required. */
773 PRBool ephemeral;
774 } ssl3KEADef;
775
776 /*
777 ** There are tables of these, all const.
778 */
779 struct ssl3BulkCipherDefStr {
780 SSL3BulkCipher cipher;
781 SSLCipherAlgorithm calg;
782 int key_size;
783 int secret_key_size;
784 CipherType type;
785 int iv_size;
786 int block_size;
787 int tag_size; /* authentication tag size for AEAD ciphers. */
788 int explicit_nonce_size; /* for AEAD ciphers. */
789 };
790
791 /*
792 ** There are tables of these, all const.
793 */
794 struct ssl3MACDefStr {
795 SSL3MACAlgorithm mac;
796 CK_MECHANISM_TYPE mmech;
797 int pad_size;
798 int mac_size;
799 };
800
801 typedef enum {
802 wait_client_hello,
803 wait_client_cert,
804 wait_client_key,
805 wait_cert_verify,
806 wait_change_cipher,
807 wait_finished,
808 wait_server_hello,
809 wait_certificate_status,
810 wait_server_cert,
811 wait_server_key,
812 wait_cert_request,
813 wait_hello_done,
814 wait_new_session_ticket,
815 idle_handshake
816 } SSL3WaitState;
817
818 /*
819 * TLS extension related constants and data structures.
820 */
821 typedef struct TLSExtensionDataStr TLSExtensionData;
822 typedef struct SessionTicketDataStr SessionTicketData;
823
824 struct TLSExtensionDataStr {
825 /* registered callbacks that send server hello extensions */
826 ssl3HelloExtensionSender serverSenders[SSL_MAX_EXTENSIONS];
827 /* Keep track of the extensions that are negotiated. */
828 PRUint16 numAdvertised;
829 PRUint16 numNegotiated;
830 PRUint16 advertised[SSL_MAX_EXTENSIONS];
831 PRUint16 negotiated[SSL_MAX_EXTENSIONS];
832
833 /* SessionTicket Extension related data. */
834 PRBool ticketTimestampVerified;
835 PRBool emptySessionTicket;
836 PRBool sentSessionTicketInClientHello;
837
838 /* SNI Extension related data
839 * Names data is not coppied from the input buffer. It can not be
840 * used outside the scope where input buffer is defined and that
841 * is beyond ssl3_HandleClientHello function. */
842 SECItem *sniNameArr;
843 PRUint32 sniNameArrSize;
844
845 /* Signed Certificate Timestamps extracted from the TLS extension.
846 * (client only).
847 * This container holds a temporary pointer to the extension data,
848 * until a session structure (the sec.ci.sid of an sslSocket) is setup
849 * that can hold a permanent copy of the data
850 * (in sec.ci.sid.u.ssl3.signedCertTimestamps).
851 * The data pointed to by this structure is neither explicitly allocated
852 * nor copied: the pointer points to the handshake message buffer and is
853 * only valid in the scope of ssl3_HandleServerHello.
854 */
855 SECItem signedCertTimestamps;
856 };
857
858 typedef SECStatus (*sslRestartTarget)(sslSocket *);
859
860 /*
861 ** A DTLS queued message (potentially to be retransmitted)
862 */
863 typedef struct DTLSQueuedMessageStr {
864 PRCList link; /* The linked list link */
865 DTLSEpoch epoch; /* The epoch to use */
866 SSL3ContentType type; /* The message type */
867 unsigned char *data; /* The data */
868 PRUint16 len; /* The data length */
869 } DTLSQueuedMessage;
870
871 typedef enum {
872 handshake_hash_unknown = 0,
873 handshake_hash_combo = 1, /* The MD5/SHA-1 combination */
874 handshake_hash_single = 2 /* A single hash */
875 } SSL3HandshakeHashType;
876
877 /*
878 ** This is the "hs" member of the "ssl3" struct.
879 ** This entire struct is protected by ssl3HandshakeLock
880 */
881 typedef struct SSL3HandshakeStateStr {
882 SSL3Random server_random;
883 SSL3Random client_random;
884 SSL3WaitState ws;
885
886 /* This group of members is used for handshake running hashes. */
887 SSL3HandshakeHashType hashType;
888 sslBuffer messages; /* Accumulated handshake messages */
889 #ifndef NO_PKCS11_BYPASS
890 /* Bypass mode:
891 * SSL 3.0 - TLS 1.1 use both |md5_cx| and |sha_cx|. |md5_cx| is used for
892 * MD5 and |sha_cx| for SHA-1.
893 * TLS 1.2 and later use only |sha_cx|, for SHA-256. NOTE: When we support
894 * SHA-384, increase MAX_MAC_CONTEXT_BYTES to 712. */
895 PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
896 PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
897 const SECHashObject * sha_obj;
898 /* The function prototype of sha_obj->clone() does not match the prototype
899 * of the freebl <HASH>_Clone functions, so we need a dedicated function
900 * pointer for the <HASH>_Clone function. */
901 void (*sha_clone)(void *dest, void *src);
902 #endif
903 /* PKCS #11 mode:
904 * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
905 * |sha| for SHA-1.
906 * TLS 1.2 and later use only |sha|, for SHA-256. */
907 /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup
908 * handshake hash for generating client auth signatures. Confusingly, the
909 * backup hash function is SHA-1. */
910 #define backupHash md5
911 PK11Context * md5;
912 PK11Context * sha;
913
914 const ssl3KEADef * kea_def;
915 ssl3CipherSuite cipher_suite;
916 const ssl3CipherSuiteDef *suite_def;
917 SSLCompressionMethod compression;
918 sslBuffer msg_body; /* protected by recvBufLock */
919 /* partial handshake message from record layer */
920 unsigned int header_bytes;
921 /* number of bytes consumed from handshake */
922 /* message for message type and header length */
923 SSL3HandshakeType msg_type;
924 unsigned long msg_len;
925 SECItem ca_list; /* used only by client */
926 PRBool isResuming; /* are we resuming a session */
927 PRBool usedStepDownKey; /* we did a server key exchange. */
928 PRBool sendingSCSV; /* instead of empty RI */
929 sslBuffer msgState; /* current state for handshake messages*/
930 /* protected by recvBufLock */
931
932 /* The session ticket received in a NewSessionTicket message is temporarily
933 * stored in newSessionTicket until the handshake is finished; then it is
934 * moved to the sid.
935 */
936 PRBool receivedNewSessionTicket;
937 NewSessionTicket newSessionTicket;
938
939 PRUint16 finishedBytes; /* size of single finished below */
940 union {
941 TLSFinished tFinished[2]; /* client, then server */
942 SSL3Finished sFinished[2];
943 SSL3Opaque data[72];
944 } finishedMsgs;
945 #ifndef NSS_DISABLE_ECC
946 PRUint32 negotiatedECCurves; /* bit mask */
947 #endif /* NSS_DISABLE_ECC */
948
949 PRBool authCertificatePending;
950 /* Which function should SSL_RestartHandshake* call if we're blocked?
951 * One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake,
952 * or ssl3_AlwaysFail */
953 sslRestartTarget restartTarget;
954 /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
955 PRBool cacheSID;
956
957 PRBool canFalseStart; /* Can/did we False Start */
958
959 /* clientSigAndHash contains the contents of the signature_algorithms
960 * extension (if any) from the client. This is only valid for TLS 1.2
961 * or later. */
962 SSL3SignatureAndHashAlgorithm *clientSigAndHash;
963 unsigned int numClientSigAndHash;
964
965 /* This group of values is used for DTLS */
966 PRUint16 sendMessageSeq; /* The sending message sequence
967 * number */
968 PRCList lastMessageFlight; /* The last message flight we
969 * sent */
970 PRUint16 maxMessageSent; /* The largest message we sent */
971 PRUint16 recvMessageSeq; /* The receiving message sequence
972 * number */
973 sslBuffer recvdFragments; /* The fragments we have received in
974 * a bitmask */
975 PRInt32 recvdHighWater; /* The high water mark for fragments
976 * received. -1 means no reassembly
977 * in progress. */
978 unsigned char cookie[32]; /* The cookie */
979 unsigned char cookieLen; /* The length of the cookie */
980 PRIntervalTime rtTimerStarted; /* When the timer was started */
981 DTLSTimerCb rtTimerCb; /* The function to call on expiry */
982 PRUint32 rtTimeoutMs; /* The length of the current timeout
983 * used for backoff (in ms) */
984 PRUint32 rtRetries; /* The retry counter */
985 } SSL3HandshakeState;
986
987
988
989 /*
990 ** This is the "ssl3" struct, as in "ss->ssl3".
991 ** note:
992 ** usually, crSpec == cwSpec and prSpec == pwSpec.
993 ** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
994 ** But there are never more than 2 actual specs.
995 ** No spec must ever be modified if either "current" pointer points to it.
996 */
997 struct ssl3StateStr {
998
999 /*
1000 ** The following Specs and Spec pointers must be protected using the
1001 ** Spec Lock.
1002 */
1003 ssl3CipherSpec * crSpec; /* current read spec. */
1004 ssl3CipherSpec * prSpec; /* pending read spec. */
1005 ssl3CipherSpec * cwSpec; /* current write spec. */
1006 ssl3CipherSpec * pwSpec; /* pending write spec. */
1007
1008 CERTCertificate * clientCertificate; /* used by client */
1009 SECKEYPrivateKey * clientPrivateKey; /* used by client */
1010 /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not
1011 * defined in order to allow cleaner conditional code.
1012 * At most one of clientPrivateKey and platformClientKey may be set. */
1013 PlatformKey platformClientKey; /* used by client */
1014 CERTCertificateList *clientCertChain; /* used by client */
1015 PRBool sendEmptyCert; /* used by client */
1016
1017 SECKEYPrivateKey *channelID; /* used by client */
1018 SECKEYPublicKey *channelIDPub; /* used by client */
1019
1020 int policy;
1021 /* This says what cipher suites we can do, and should
1022 * be either SSL_ALLOWED or SSL_RESTRICTED
1023 */
1024 PLArenaPool * peerCertArena;
1025 /* These are used to keep track of the peer CA */
1026 void * peerCertChain;
1027 /* chain while we are trying to validate it. */
1028 CERTDistNames * ca_list;
1029 /* used by server. trusted CAs for this socket. */
1030 PRBool initialized;
1031 SSL3HandshakeState hs;
1032 ssl3CipherSpec specs[2]; /* one is current, one is pending. */
1033
1034 /* In a client: if the server supports Next Protocol Negotiation, then
1035 * this is the protocol that was negotiated.
1036 */
1037 SECItem nextProto;
1038 SSLNextProtoState nextProtoState;
1039
1040 PRUint16 mtu; /* Our estimate of the MTU */
1041
1042 /* DTLS-SRTP cipher suite preferences (if any) */
1043 PRUint16 dtlsSRTPCiphers[MAX_DTLS_SRTP_CIPHER_SUITES];
1044 PRUint16 dtlsSRTPCipherCount;
1045 PRUint16 dtlsSRTPCipherSuite; /* 0 if not selected */
1046 PRBool fatalAlertSent;
1047 };
1048
1049 #define DTLS_MAX_MTU 1500 /* Ethernet MTU but without subtracting the
1050 * headers, so slightly larger than expected */
1051 #define IS_DTLS(ss) (ss->protocolVariant == ssl_variant_datagram)
1052
1053 typedef struct {
1054 SSL3ContentType type;
1055 SSL3ProtocolVersion version;
1056 SSL3SequenceNumber seq_num; /* DTLS only */
1057 sslBuffer * buf;
1058 } SSL3Ciphertext;
1059
1060 struct ssl3KeyPairStr {
1061 SECKEYPrivateKey * privKey;
1062 SECKEYPublicKey * pubKey;
1063 PRInt32 refCount; /* use PR_Atomic calls for this. */
1064 };
1065
1066 typedef struct SSLWrappedSymWrappingKeyStr {
1067 SSL3Opaque wrappedSymmetricWrappingkey[512];
1068 CK_MECHANISM_TYPE symWrapMechanism;
1069 /* unwrapped symmetric wrapping key uses this mechanism */
1070 CK_MECHANISM_TYPE asymWrapMechanism;
1071 /* mechanism used to wrap the SymmetricWrappingKey using
1072 * server's public and/or private keys. */
1073 SSL3KEAType exchKeyType; /* type of keys used to wrap SymWrapKey*/
1074 PRInt32 symWrapMechIndex;
1075 PRUint16 wrappedSymKeyLen;
1076 } SSLWrappedSymWrappingKey;
1077
1078 typedef struct SessionTicketStr {
1079 PRUint16 ticket_version;
1080 SSL3ProtocolVersion ssl_version;
1081 ssl3CipherSuite cipher_suite;
1082 SSLCompressionMethod compression_method;
1083 SSLSignType authAlgorithm;
1084 PRUint32 authKeyBits;
1085 SSLKEAType keaType;
1086 PRUint32 keaKeyBits;
1087 /*
1088 * exchKeyType and msWrapMech contain meaningful values only if
1089 * ms_is_wrapped is true.
1090 */
1091 PRUint8 ms_is_wrapped;
1092 SSLKEAType exchKeyType; /* XXX(wtc): same as keaType above? */
1093 CK_MECHANISM_TYPE msWrapMech;
1094 PRUint16 ms_length;
1095 SSL3Opaque master_secret[48];
1096 ClientIdentity client_identity;
1097 SECItem peer_cert;
1098 PRUint32 timestamp;
1099 SECItem srvName; /* negotiated server name */
1100 } SessionTicket;
1101
1102 /*
1103 * SSL2 buffers used in SSL3.
1104 * writeBuf in the SecurityInfo maintained by sslsecur.c is used
1105 * to hold the data just about to be passed to the kernel
1106 * sendBuf in the ConnectInfo maintained by sslcon.c is used
1107 * to hold handshake messages as they are accumulated
1108 */
1109
1110 /*
1111 ** This is "ci", as in "ss->sec.ci".
1112 **
1113 ** Protection: All the variables in here are protected by
1114 ** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock
1115 */
1116 struct sslConnectInfoStr {
1117 /* outgoing handshakes appended to this. */
1118 sslBuffer sendBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
1119
1120 PRIPv6Addr peer; /* ssl 2 & 3 */
1121 unsigned short port; /* ssl 2 & 3 */
1122
1123 sslSessionID *sid; /* ssl 2 & 3 */
1124
1125 /* see CIS_HAVE defines below for the bit values in *elements. */
1126 char elements; /* ssl2 only */
1127 char requiredElements; /* ssl2 only */
1128 char sentElements; /* ssl2 only */
1129
1130 char sentFinished; /* ssl2 only */
1131
1132 /* Length of server challenge. Used by client when saving challenge */
1133 int serverChallengeLen; /* ssl2 only */
1134 /* type of authentication requested by server */
1135 unsigned char authType; /* ssl2 only */
1136
1137 /* Challenge sent by client to server in client-hello message */
1138 /* SSL3 gets a copy of this. See ssl3_StartHandshakeHash(). */
1139 unsigned char clientChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl 2 & 3 */
1140
1141 /* Connection-id sent by server to client in server-hello message */
1142 unsigned char connectionID[SSL_CONNECTIONID_BYTES]; /* ssl2 only */
1143
1144 /* Challenge sent by server to client in request-certificate message */
1145 unsigned char serverChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl2 only */
1146
1147 /* Information kept to handle a request-certificate message */
1148 unsigned char readKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */
1149 unsigned char writeKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */
1150 unsigned keySize; /* ssl2 only */
1151 };
1152
1153 /* bit values for ci->elements, ci->requiredElements, sentElements. */
1154 #define CIS_HAVE_MASTER_KEY 0x01
1155 #define CIS_HAVE_CERTIFICATE 0x02
1156 #define CIS_HAVE_FINISHED 0x04
1157 #define CIS_HAVE_VERIFY 0x08
1158
1159 /* Note: The entire content of this struct and whatever it points to gets
1160 * blown away by SSL_ResetHandshake(). This is "sec" as in "ss->sec".
1161 *
1162 * Unless otherwise specified below, the contents of this struct are
1163 * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock.
1164 */
1165 struct sslSecurityInfoStr {
1166 sslSendFunc send; /*xmitBufLock*/ /* ssl 2 & 3 */
1167 int isServer; /* Spec Lock?*/ /* ssl 2 & 3 */
1168 sslBuffer writeBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
1169
1170 int cipherType; /* ssl 2 & 3 */
1171 int keyBits; /* ssl 2 & 3 */
1172 int secretKeyBits; /* ssl 2 & 3 */
1173 CERTCertificate *localCert; /* ssl 2 & 3 */
1174 CERTCertificate *peerCert; /* ssl 2 & 3 */
1175 SECKEYPublicKey *peerKey; /* ssl3 only */
1176
1177 SSLSignType authAlgorithm;
1178 PRUint32 authKeyBits;
1179 SSLKEAType keaType;
1180 PRUint32 keaKeyBits;
1181
1182 /*
1183 ** Procs used for SID cache (nonce) management.
1184 ** Different implementations exist for clients/servers
1185 ** The lookup proc is only used for servers. Baloney!
1186 */
1187 sslSessionIDCacheFunc cache; /* ssl 2 & 3 */
1188 sslSessionIDUncacheFunc uncache; /* ssl 2 & 3 */
1189
1190 /*
1191 ** everything below here is for ssl2 only.
1192 ** This stuff is equivalent to SSL3's "spec", and is protected by the
1193 ** same "Spec Lock" as used for SSL3's specs.
1194 */
1195 PRUint32 sendSequence; /*xmitBufLock*/ /* ssl2 only */
1196 PRUint32 rcvSequence; /*recvBufLock*/ /* ssl2 only */
1197
1198 /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */
1199 const SECHashObject *hash; /* Spec Lock */ /* ssl2 only */
1200 void *hashcx; /* Spec Lock */ /* ssl2 only */
1201
1202 SECItem sendSecret; /* Spec Lock */ /* ssl2 only */
1203 SECItem rcvSecret; /* Spec Lock */ /* ssl2 only */
1204
1205 /* Session cypher contexts; one for each direction */
1206 void *readcx; /* Spec Lock */ /* ssl2 only */
1207 void *writecx; /* Spec Lock */ /* ssl2 only */
1208 SSLCipher enc; /* Spec Lock */ /* ssl2 only */
1209 SSLCipher dec; /* Spec Lock */ /* ssl2 only */
1210 void (*destroy)(void *, PRBool); /* Spec Lock */ /* ssl2 only */
1211
1212 /* Blocking information for the session cypher */
1213 int blockShift; /* Spec Lock */ /* ssl2 only */
1214 int blockSize; /* Spec Lock */ /* ssl2 only */
1215
1216 /* These are used during a connection handshake */
1217 sslConnectInfo ci; /* ssl 2 & 3 */
1218
1219 };
1220
1221 /*
1222 ** SSL Socket struct
1223 **
1224 ** Protection: XXX
1225 */
1226 struct sslSocketStr {
1227 PRFileDesc * fd;
1228
1229 /* Pointer to operations vector for this socket */
1230 const sslSocketOps * ops;
1231
1232 /* SSL socket options */
1233 sslOptions opt;
1234 /* Enabled version range */
1235 SSLVersionRange vrange;
1236
1237 /* State flags */
1238 unsigned long clientAuthRequested;
1239 unsigned long delayDisabled; /* Nagle delay disabled */
1240 unsigned long firstHsDone; /* first handshake is complete. */
1241 unsigned long enoughFirstHsDone; /* enough of the first handshake is
1242 * done for callbacks to be able to
1243 * retrieve channel security
1244 * parameters from the SSL socket. */
1245 unsigned long handshakeBegun;
1246 unsigned long lastWriteBlocked;
1247 unsigned long recvdCloseNotify; /* received SSL EOF. */
1248 unsigned long TCPconnected;
1249 unsigned long appDataBuffered;
1250 unsigned long peerRequestedProtection; /* from old renegotiation */
1251
1252 /* version of the protocol to use */
1253 SSL3ProtocolVersion version;
1254 SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */
1255
1256 sslSecurityInfo sec; /* not a pointer any more */
1257
1258 /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */
1259 const char *url; /* ssl 2 & 3 */
1260
1261 sslHandshakeFunc handshake; /*firstHandshakeLock*/
1262 sslHandshakeFunc nextHandshake; /*firstHandshakeLock*/
1263 sslHandshakeFunc securityHandshake; /*firstHandshakeLock*/
1264
1265 /* the following variable is only used with socks or other proxies. */
1266 char * peerID; /* String uniquely identifies target server. */
1267
1268 unsigned char * cipherSpecs;
1269 unsigned int sizeCipherSpecs;
1270 const unsigned char * preferredCipher;
1271
1272 /* TLS ClientCertificateTypes requested during HandleCertificateRequest. */
1273 /* Will be NULL at all other times. */
1274 const SECItem *requestedCertTypes;
1275
1276 ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */
1277
1278 /* Callbacks */
1279 SSLAuthCertificate authCertificate;
1280 void *authCertificateArg;
1281 SSLGetClientAuthData getClientAuthData;
1282 void *getClientAuthDataArg;
1283 #ifdef NSS_PLATFORM_CLIENT_AUTH
1284 SSLGetPlatformClientAuthData getPlatformClientAuthData;
1285 void *getPlatformClientAuthDataArg;
1286 #endif /* NSS_PLATFORM_CLIENT_AUTH */
1287 SSLSNISocketConfig sniSocketConfig;
1288 void *sniSocketConfigArg;
1289 SSLBadCertHandler handleBadCert;
1290 void *badCertArg;
1291 SSLHandshakeCallback handshakeCallback;
1292 void *handshakeCallbackData;
1293 SSLCanFalseStartCallback canFalseStartCallback;
1294 void *canFalseStartCallbackData;
1295 void *pkcs11PinArg;
1296 SSLNextProtoCallback nextProtoCallback;
1297 void *nextProtoArg;
1298 SSLClientChannelIDCallback getChannelID;
1299 void *getChannelIDArg;
1300
1301 PRIntervalTime rTimeout; /* timeout for NSPR I/O */
1302 PRIntervalTime wTimeout; /* timeout for NSPR I/O */
1303 PRIntervalTime cTimeout; /* timeout for NSPR I/O */
1304
1305 PZLock * recvLock; /* lock against multiple reader threads. */
1306 PZLock * sendLock; /* lock against multiple sender threads. */
1307
1308 PZMonitor * recvBufLock; /* locks low level recv buffers. */
1309 PZMonitor * xmitBufLock; /* locks low level xmit buffers. */
1310
1311 /* Only one thread may operate on the socket until the initial handshake
1312 ** is complete. This Monitor ensures that. Since SSL2 handshake is
1313 ** only done once, this is also effectively the SSL2 handshake lock.
1314 */
1315 PZMonitor * firstHandshakeLock;
1316
1317 /* This monitor protects the ssl3 handshake state machine data.
1318 ** Only one thread (reader or writer) may be in the ssl3 handshake state
1319 ** machine at any time. */
1320 PZMonitor * ssl3HandshakeLock;
1321
1322 /* reader/writer lock, protects the secret data needed to encrypt and MAC
1323 ** outgoing records, and to decrypt and MAC check incoming ciphertext
1324 ** records. */
1325 NSSRWLock * specLock;
1326
1327 /* handle to perm cert db (and implicitly to the temp cert db) used
1328 ** with this socket.
1329 */
1330 CERTCertDBHandle * dbHandle;
1331
1332 PRThread * writerThread; /* thread holds SSL_LOCK_WRITER lock */
1333
1334 PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */
1335
1336 PRUint16 allowedByPolicy; /* copy of global policy bits. */
1337 PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */
1338 PRUint16 chosenPreference; /* SSL2 cipher preferences. */
1339
1340 sslHandshakingType handshaking;
1341
1342 /* Gather object used for gathering data */
1343 sslGather gs; /*recvBufLock*/
1344
1345 sslBuffer saveBuf; /*xmitBufLock*/
1346 sslBuffer pendingBuf; /*xmitBufLock*/
1347
1348 /* Configuration state for server sockets */
1349 /* server cert and key for each KEA type */
1350 sslServerCerts serverCerts[kt_kea_size];
1351 /* each cert needs its own status */
1352 SECItemArray * certStatusArray[kt_kea_size];
1353
1354 ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];
1355 ssl3KeyPair * ephemeralECDHKeyPair; /* for ECDHE-* handshake */
1356
1357 /* SSL3 state info. Formerly was a pointer */
1358 ssl3State ssl3;
1359
1360 /*
1361 * TLS extension related data.
1362 */
1363 /* True when the current session is a stateless resume. */
1364 PRBool statelessResume;
1365 TLSExtensionData xtnData;
1366
1367 /* Whether we are doing stream or datagram mode */
1368 SSLProtocolVariant protocolVariant;
1369 };
1370
1371
1372
1373 /* All the global data items declared here should be protected using the
1374 ** ssl_global_data_lock, which is a reader/writer lock.
1375 */
1376 extern NSSRWLock * ssl_global_data_lock;
1377 extern char ssl_debug;
1378 extern char ssl_trace;
1379 extern FILE * ssl_trace_iob;
1380 extern FILE * ssl_keylog_iob;
1381 extern CERTDistNames * ssl3_server_ca_list;
1382 extern PRUint32 ssl_sid_timeout;
1383 extern PRUint32 ssl3_sid_timeout;
1384
1385 extern const char * const ssl_cipherName[];
1386 extern const char * const ssl3_cipherName[];
1387
1388 extern sslSessionIDLookupFunc ssl_sid_lookup;
1389 extern sslSessionIDCacheFunc ssl_sid_cache;
1390 extern sslSessionIDUncacheFunc ssl_sid_uncache;
1391
1392 /************************************************************************/
1393
1394 SEC_BEGIN_PROTOS
1395
1396 /* Functions for handling SECItemArrays, added in NSS 3.15 */
1397 extern SECItemArray *SECITEM_AllocArray(PLArenaPool *arena,
1398 SECItemArray *array,
1399 unsigned int len);
1400 extern SECItemArray *SECITEM_DupArray(PLArenaPool *arena,
1401 const SECItemArray *from);
1402 extern void SECITEM_FreeArray(SECItemArray *array, PRBool freeit);
1403 extern void SECITEM_ZfreeArray(SECItemArray *array, PRBool freeit);
1404
1405 /* Internal initialization and installation of the SSL error tables */
1406 extern SECStatus ssl_Init(void);
1407 extern SECStatus ssl_InitializePRErrorTable(void);
1408
1409 /* Implementation of ops for default (non socks, non secure) case */
1410 extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr);
1411 extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr);
1412 extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr);
1413 extern int ssl_DefListen(sslSocket *ss, int backlog);
1414 extern int ssl_DefShutdown(sslSocket *ss, int how);
1415 extern int ssl_DefClose(sslSocket *ss);
1416 extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
1417 extern int ssl_DefSend(sslSocket *ss, const unsigned char *buf,
1418 int len, int flags);
1419 extern int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len);
1420 extern int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len);
1421 extern int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name);
1422 extern int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name);
1423 extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname,
1424 void *optval, PRInt32 *optlen);
1425 extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname,
1426 const void *optval, PRInt32 optlen);
1427
1428 /* Implementation of ops for socks only case */
1429 extern int ssl_SocksConnect(sslSocket *ss, const PRNetAddr *addr);
1430 extern PRFileDesc *ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr);
1431 extern int ssl_SocksBind(sslSocket *ss, const PRNetAddr *addr);
1432 extern int ssl_SocksListen(sslSocket *ss, int backlog);
1433 extern int ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name);
1434 extern int ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
1435 extern int ssl_SocksSend(sslSocket *ss, const unsigned char *buf,
1436 int len, int flags);
1437 extern int ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len);
1438 extern int ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len);
1439
1440 /* Implementation of ops for secure only case */
1441 extern int ssl_SecureConnect(sslSocket *ss, const PRNetAddr *addr);
1442 extern PRFileDesc *ssl_SecureAccept(sslSocket *ss, PRNetAddr *addr);
1443 extern int ssl_SecureRecv(sslSocket *ss, unsigned char *buf,
1444 int len, int flags);
1445 extern int ssl_SecureSend(sslSocket *ss, const unsigned char *buf,
1446 int len, int flags);
1447 extern int ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len);
1448 extern int ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len);
1449 extern int ssl_SecureShutdown(sslSocket *ss, int how);
1450 extern int ssl_SecureClose(sslSocket *ss);
1451
1452 /* Implementation of ops for secure socks case */
1453 extern int ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *addr);
1454 extern PRFileDesc *ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr);
1455 extern PRFileDesc *ssl_FindTop(sslSocket *ss);
1456
1457 /* Gather funcs. */
1458 extern sslGather * ssl_NewGather(void);
1459 extern SECStatus ssl_InitGather(sslGather *gs);
1460 extern void ssl_DestroyGather(sslGather *gs);
1461 extern int ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags);
1462 extern int ssl2_GatherRecord(sslSocket *ss, int flags);
1463 extern SECStatus ssl_GatherRecord1stHandshake(sslSocket *ss);
1464
1465 extern SECStatus ssl2_HandleClientHelloMessage(sslSocket *ss);
1466 extern SECStatus ssl2_HandleServerHelloMessage(sslSocket *ss);
1467
1468 extern SECStatus ssl_CreateSecurityInfo(sslSocket *ss);
1469 extern SECStatus ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os);
1470 extern void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset);
1471 extern void ssl_DestroySecurityInfo(sslSecurityInfo *sec);
1472
1473 extern void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len);
1474 extern void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len);
1475
1476 extern int ssl_SendSavedWriteData(sslSocket *ss);
1477 extern SECStatus ssl_SaveWriteData(sslSocket *ss,
1478 const void* p, unsigned int l);
1479 extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss);
1480 extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss);
1481 extern int ssl_Do1stHandshake(sslSocket *ss);
1482
1483 extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen);
1484 extern SECStatus sslBuffer_Append(sslBuffer *b, const void * data,
1485 unsigned int len);
1486
1487 extern void ssl2_UseClearSendFunc(sslSocket *ss);
1488 extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec);
1489
1490 extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server);
1491 extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port,
1492 const char *peerID, const char *urlSvrName);
1493 extern void ssl_FreeSID(sslSessionID *sid);
1494
1495 extern int ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
1496 int len, int flags);
1497
1498 extern PRBool ssl_FdIsBlocking(PRFileDesc *fd);
1499
1500 extern PRBool ssl_SocketIsBlocking(sslSocket *ss);
1501
1502 extern void ssl3_SetAlwaysBlock(sslSocket *ss);
1503
1504 extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
1505
1506 extern void ssl_FinishHandshake(sslSocket *ss);
1507
1508 /* Returns PR_TRUE if we are still waiting for the server to respond to our
1509 * client second round. Once we've received any part of the server's second
1510 * round then we don't bother trying to false start since it is almost always
1511 * the case that the NewSessionTicket, ChangeCipherSoec, and Finished messages
1512 * were sent in the same packet and we want to process them all at the same
1513 * time. If we were to try to false start in the middle of the server's second
1514 * round, then we would increase the number of I/O operations
1515 * (SSL_ForceHandshake/PR_Recv/PR_Send/etc.) needed to finish the handshake.
1516 */
1517 extern PRBool ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss);
1518
1519 extern SECStatus
1520 ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec,
1521 PRBool isServer,
1522 PRBool isDTLS,
1523 PRBool capRecordVersion,
1524 SSL3ContentType type,
1525 const SSL3Opaque * pIn,
1526 PRUint32 contentLen,
1527 sslBuffer * wrBuf);
1528 extern PRInt32 ssl3_SendRecord(sslSocket *ss, DTLSEpoch epoch,
1529 SSL3ContentType type,
1530 const SSL3Opaque* pIn, PRInt32 nIn,
1531 PRInt32 flags);
1532
1533 #ifdef NSS_ENABLE_ZLIB
1534 /*
1535 * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a
1536 * maximum TLS record payload of 2**14 bytes, that's 29 bytes.
1537 */
1538 #define SSL3_COMPRESSION_MAX_EXPANSION 29
1539 #else /* !NSS_ENABLE_ZLIB */
1540 #define SSL3_COMPRESSION_MAX_EXPANSION 0
1541 #endif
1542
1543 /*
1544 * make sure there is room in the write buffer for padding and
1545 * other compression and cryptographic expansions.
1546 */
1547 #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION
1548
1549 #define SSL_LOCK_READER(ss) if (ss->recvLock) PZ_Lock(ss->recvLock)
1550 #define SSL_UNLOCK_READER(ss) if (ss->recvLock) PZ_Unlock(ss->recvLock)
1551 #define SSL_LOCK_WRITER(ss) if (ss->sendLock) PZ_Lock(ss->sendLock)
1552 #define SSL_UNLOCK_WRITER(ss) if (ss->sendLock) PZ_Unlock(ss->sendLock)
1553
1554 /* firstHandshakeLock -> recvBufLock */
1555 #define ssl_Get1stHandshakeLock(ss) \
1556 { if (!ss->opt.noLocks) { \
1557 PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \
1558 !ssl_HaveRecvBufLock(ss)); \
1559 PZ_EnterMonitor((ss)->firstHandshakeLock); \
1560 } }
1561 #define ssl_Release1stHandshakeLock(ss) \
1562 { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
1563 #define ssl_Have1stHandshakeLock(ss) \
1564 (PZ_InMonitor((ss)->firstHandshakeLock))
1565
1566 /* ssl3HandshakeLock -> xmitBufLock */
1567 #define ssl_GetSSL3HandshakeLock(ss) \
1568 { if (!ss->opt.noLocks) { \
1569 PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
1570 PZ_EnterMonitor((ss)->ssl3HandshakeLock); \
1571 } }
1572 #define ssl_ReleaseSSL3HandshakeLock(ss) \
1573 { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
1574 #define ssl_HaveSSL3HandshakeLock(ss) \
1575 (PZ_InMonitor((ss)->ssl3HandshakeLock))
1576
1577 #define ssl_GetSpecReadLock(ss) \
1578 { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); }
1579 #define ssl_ReleaseSpecReadLock(ss) \
1580 { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
1581 /* NSSRWLock_HaveReadLock is not exported so there's no
1582 * ssl_HaveSpecReadLock macro. */
1583
1584 #define ssl_GetSpecWriteLock(ss) \
1585 { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); }
1586 #define ssl_ReleaseSpecWriteLock(ss) \
1587 { if (!ss->opt.noLocks) NSSRWLock_UnlockWrite((ss)->specLock); }
1588 #define ssl_HaveSpecWriteLock(ss) \
1589 (NSSRWLock_HaveWriteLock((ss)->specLock))
1590
1591 /* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */
1592 #define ssl_GetRecvBufLock(ss) \
1593 { if (!ss->opt.noLocks) { \
1594 PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \
1595 PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
1596 PZ_EnterMonitor((ss)->recvBufLock); \
1597 } }
1598 #define ssl_ReleaseRecvBufLock(ss) \
1599 { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
1600 #define ssl_HaveRecvBufLock(ss) \
1601 (PZ_InMonitor((ss)->recvBufLock))
1602
1603 /* xmitBufLock -> specLock */
1604 #define ssl_GetXmitBufLock(ss) \
1605 { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
1606 #define ssl_ReleaseXmitBufLock(ss) \
1607 { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); }
1608 #define ssl_HaveXmitBufLock(ss) \
1609 (PZ_InMonitor((ss)->xmitBufLock))
1610
1611 /* Placeholder value used in version ranges when SSL 3.0 and all
1612 * versions of TLS are disabled.
1613 */
1614 #define SSL_LIBRARY_VERSION_NONE 0
1615
1616 /* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version
1617 * of libssl supports. Applications should use SSL_VersionRangeGetSupported at
1618 * runtime to determine which versions are supported by the version of libssl
1619 * in use.
1620 */
1621 #ifdef NSS_ENABLE_TLS_1_3
1622 #define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_3
1623 #else
1624 #define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_2
1625 #endif
1626
1627 /* Rename this macro SSL_ALL_VERSIONS_DISABLED when SSL 2.0 is removed. */
1628 #define SSL3_ALL_VERSIONS_DISABLED(vrange) \
1629 ((vrange)->min == SSL_LIBRARY_VERSION_NONE)
1630
1631 extern PRBool ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
1632 SSL3ProtocolVersion version);
1633
1634 extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec * pwSpec,
1635 const unsigned char * cr, const unsigned char * sr,
1636 PRBool isTLS, PRBool isExport);
1637 extern SECStatus ssl3_MasterKeyDeriveBypass( ssl3CipherSpec * pwSpec,
1638 const unsigned char * cr, const unsigned char * sr,
1639 const SECItem * pms, PRBool isTLS, PRBool isRSA);
1640
1641 /* These functions are called from secnav, even though they're "private". */
1642
1643 extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error);
1644 extern sslSocket *ssl_FindSocket(PRFileDesc *fd);
1645 extern void ssl_FreeSocket(struct sslSocketStr *ssl);
1646 extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
1647 SSL3AlertDescription desc);
1648 extern SECStatus ssl3_DecodeError(sslSocket *ss);
1649
1650 extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
1651 CERTCertificate * cert,
1652 SECKEYPrivateKey * key,
1653 CERTCertificateList *certChain);
1654
1655 extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq(
1656 sslSocket *ss,
1657 SECKEYPublicKey *channelIDPub,
1658 SECKEYPrivateKey *channelID);
1659
1660 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
1661
1662 /*
1663 * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
1664 */
1665 extern SECStatus ssl3_HandleV2ClientHello(
1666 sslSocket *ss, unsigned char *buffer, int length);
1667 extern SECStatus ssl3_StartHandshakeHash(
1668 sslSocket *ss, unsigned char *buf, int length);
1669
1670 /*
1671 * SSL3 specific routines
1672 */
1673 SECStatus ssl3_SendClientHello(sslSocket *ss, PRBool resending);
1674
1675 /*
1676 * input into the SSL3 machinery from the actualy network reading code
1677 */
1678 SECStatus ssl3_HandleRecord(
1679 sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out);
1680
1681 int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
1682 int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags);
1683 /*
1684 * When talking to export clients or using export cipher suites, servers
1685 * with public RSA keys larger than 512 bits need to use a 512-bit public
1686 * key, signed by the larger key. The smaller key is a "step down" key.
1687 * Generate that key pair and keep it around.
1688 */
1689 extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
1690
1691 #ifndef NSS_DISABLE_ECC
1692 extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
1693 extern PRBool ssl3_IsECCEnabled(sslSocket *ss);
1694 extern SECStatus ssl3_DisableECCSuites(sslSocket * ss,
1695 const ssl3CipherSuite * suite);
1696 extern PRUint32 ssl3_GetSupportedECCurveMask(sslSocket *ss);
1697
1698
1699 /* Macro for finding a curve equivalent in strength to RSA key's */
1700 #define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \
1701 ((s <= 1024) ? 160 \
1702 : ((s <= 2048) ? 224 \
1703 : ((s <= 3072) ? 256 \
1704 : ((s <= 7168) ? 384 : 521 ) ) ) )
1705
1706 /* Types and names of elliptic curves used in TLS */
1707 typedef enum { ec_type_explicitPrime = 1,
1708 ec_type_explicitChar2Curve = 2,
1709 ec_type_named
1710 } ECType;
1711
1712 typedef enum { ec_noName = 0,
1713 ec_sect163k1 = 1,
1714 ec_sect163r1 = 2,
1715 ec_sect163r2 = 3,
1716 ec_sect193r1 = 4,
1717 ec_sect193r2 = 5,
1718 ec_sect233k1 = 6,
1719 ec_sect233r1 = 7,
1720 ec_sect239k1 = 8,
1721 ec_sect283k1 = 9,
1722 ec_sect283r1 = 10,
1723 ec_sect409k1 = 11,
1724 ec_sect409r1 = 12,
1725 ec_sect571k1 = 13,
1726 ec_sect571r1 = 14,
1727 ec_secp160k1 = 15,
1728 ec_secp160r1 = 16,
1729 ec_secp160r2 = 17,
1730 ec_secp192k1 = 18,
1731 ec_secp192r1 = 19,
1732 ec_secp224k1 = 20,
1733 ec_secp224r1 = 21,
1734 ec_secp256k1 = 22,
1735 ec_secp256r1 = 23,
1736 ec_secp384r1 = 24,
1737 ec_secp521r1 = 25,
1738 ec_pastLastName
1739 } ECName;
1740
1741 extern SECStatus ssl3_ECName2Params(PLArenaPool *arena, ECName curve,
1742 SECKEYECParams *params);
1743 ECName ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits);
1744
1745
1746 #endif /* NSS_DISABLE_ECC */
1747
1748 extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
1749 extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
1750 extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
1751 extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled);
1752
1753 extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
1754 extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
1755 extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
1756 extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
1757 extern SECStatus ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *cipher,
1758 unsigned int len);
1759
1760 extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
1761 extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
1762 extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
1763 extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
1764
1765 extern void ssl2_InitSocketPolicy(sslSocket *ss);
1766 extern void ssl3_InitSocketPolicy(sslSocket *ss);
1767
1768 extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
1769 unsigned char *cs, int *size);
1770
1771 extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
1772 extern SECStatus ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b,
1773 PRUint32 length);
1774
1775 extern void ssl3_DestroySSL3Info(sslSocket *ss);
1776
1777 extern SECStatus ssl3_NegotiateVersion(sslSocket *ss,
1778 SSL3ProtocolVersion peerVersion,
1779 PRBool allowLargerPeerVersion);
1780
1781 extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
1782
1783 #ifndef NSS_DISABLE_ECC
1784 /* ECDH functions */
1785 extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket * ss,
1786 SECKEYPublicKey * svrPubKey);
1787 extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss,
1788 SSL3Opaque *b, PRUint32 length);
1789 extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss,
1790 SSL3Opaque *b, PRUint32 length,
1791 SECKEYPublicKey *srvrPubKey,
1792 SECKEYPrivateKey *srvrPrivKey);
1793 extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss,
1794 const SSL3SignatureAndHashAlgorithm *sigAndHash);
1795 #endif
1796
1797 extern SECStatus ssl3_ComputeCommonKeyHash(SECOidTag hashAlg,
1798 PRUint8 * hashBuf,
1799 unsigned int bufLen, SSL3Hashes *hashes,
1800 PRBool bypassPKCS11);
1801 extern void ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName);
1802 extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms);
1803 extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src,
1804 PRInt32 bytes);
1805 extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss,
1806 SSL3HandshakeType t, PRUint32 length);
1807 extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num,
1808 PRInt32 lenSize);
1809 extern SECStatus ssl3_AppendHandshakeVariable( sslSocket *ss,
1810 const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize);
1811 extern SECStatus ssl3_AppendSignatureAndHashAlgorithm(sslSocket *ss,
1812 const SSL3SignatureAndHashAlgorithm* sigAndHash);
1813 extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes,
1814 SSL3Opaque **b, PRUint32 *length);
1815 extern PRInt32 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes,
1816 SSL3Opaque **b, PRUint32 *length);
1817 extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i,
1818 PRInt32 bytes, SSL3Opaque **b, PRUint32 *length);
1819 extern SECOidTag ssl3_TLSHashAlgorithmToOID(int hashFunc);
1820 extern SECStatus ssl3_CheckSignatureAndHashAlgorithmConsistency(
1821 const SSL3SignatureAndHashAlgorithm *sigAndHash,
1822 CERTCertificate* cert);
1823 extern SECStatus ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
1824 SSL3Opaque **b, PRUint32 *length,
1825 SSL3SignatureAndHashAlgorithm *out);
1826 extern SECStatus ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key,
1827 SECItem *buf, PRBool isTLS);
1828 extern SECStatus ssl3_VerifySignedHashes(SSL3Hashes *hash,
1829 CERTCertificate *cert, SECItem *buf, PRBool isTLS,
1830 void *pwArg);
1831 extern SECStatus ssl3_CacheWrappedMasterSecret(sslSocket *ss,
1832 sslSessionID *sid, ssl3CipherSpec *spec,
1833 SSL3KEAType effectiveExchKeyType);
1834
1835 /* Functions that handle ClientHello and ServerHello extensions. */
1836 extern SECStatus ssl3_HandleServerNameXtn(sslSocket * ss,
1837 PRUint16 ex_type, SECItem *data);
1838 extern SECStatus ssl3_HandleSupportedCurvesXtn(sslSocket * ss,
1839 PRUint16 ex_type, SECItem *data);
1840 extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss,
1841 PRUint16 ex_type, SECItem *data);
1842 extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
1843 PRUint16 ex_type, SECItem *data);
1844 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
1845 PRUint16 ex_type, SECItem *data);
1846
1847 /* ClientHello and ServerHello extension senders.
1848 * Note that not all extension senders are exposed here; only those that
1849 * that need exposure.
1850 */
1851 extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append,
1852 PRUint32 maxBytes);
1853
1854 /* ClientHello and ServerHello extension senders.
1855 * The code is in ssl3ext.c.
1856 */
1857 extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
1858 PRUint32 maxBytes);
1859
1860 /* Assigns new cert, cert chain and keys to ss->serverCerts
1861 * struct. If certChain is NULL, tries to find one. Aborts if
1862 * fails to do so. If cert and keyPair are NULL - unconfigures
1863 * sslSocket of kea type.*/
1864 extern SECStatus ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
1865 const CERTCertificateList *certChain,
1866 ssl3KeyPair *keyPair, SSLKEAType kea);
1867
1868 #ifndef NSS_DISABLE_ECC
1869 extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
1870 PRBool append, PRUint32 maxBytes);
1871 extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss,
1872 PRBool append, PRUint32 maxBytes);
1873 #endif
1874
1875 /* call the registered extension handlers. */
1876 extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss,
1877 SSL3Opaque **b, PRUint32 *length);
1878
1879 /* Hello Extension related routines. */
1880 extern PRBool ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type);
1881 extern void ssl3_SetSIDSessionTicket(sslSessionID *sid,
1882 /*in/out*/ NewSessionTicket *session_ticket);
1883 extern SECStatus ssl3_SendNewSessionTicket(sslSocket *ss);
1884 extern PRBool ssl_GetSessionTicketKeys(unsigned char *keyName,
1885 unsigned char *encKey, unsigned char *macKey);
1886 extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
1887 SECKEYPublicKey *svrPubKey, void *pwArg,
1888 unsigned char *keyName, PK11SymKey **aesKey,
1889 PK11SymKey **macKey);
1890
1891 /* Tell clients to consider tickets valid for this long. */
1892 #define TLS_EX_SESS_TICKET_LIFETIME_HINT (2 * 24 * 60 * 60) /* 2 days */
1893 #define TLS_EX_SESS_TICKET_VERSION (0x0100)
1894
1895 extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data,
1896 unsigned int length);
1897
1898 extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
1899 unsigned char *out,
1900 unsigned int *outLen,
1901 unsigned int outLenMax);
1902
1903 /* Construct a new NSPR socket for the app to use */
1904 extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
1905 extern void ssl_FreePRSocket(PRFileDesc *fd);
1906
1907 /* Internal config function so SSL3 can initialize the present state of
1908 * various ciphers */
1909 extern int ssl3_config_match_init(sslSocket *);
1910
1911
1912 /* Create a new ref counted key pair object from two keys. */
1913 extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey,
1914 SECKEYPublicKey * pubKey);
1915
1916 /* get a new reference (bump ref count) to an ssl3KeyPair. */
1917 extern ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair);
1918
1919 /* Decrement keypair's ref count and free if zero. */
1920 extern void ssl3_FreeKeyPair(ssl3KeyPair * keyPair);
1921
1922 /* calls for accessing wrapping keys across processes. */
1923 extern PRBool
1924 ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
1925 SSL3KEAType exchKeyType,
1926 SSLWrappedSymWrappingKey *wswk);
1927
1928 /* The caller passes in the new value it wants
1929 * to set. This code tests the wrapped sym key entry in the file on disk.
1930 * If it is uninitialized, this function writes the caller's value into
1931 * the disk entry, and returns false.
1932 * Otherwise, it overwrites the caller's wswk with the value obtained from
1933 * the disk, and returns PR_TRUE.
1934 * This is all done while holding the locks/semaphores necessary to make
1935 * the operation atomic.
1936 */
1937 extern PRBool
1938 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
1939
1940 /* get rid of the symmetric wrapping key references. */
1941 extern SECStatus SSL3_ShutdownServerCache(void);
1942
1943 extern SECStatus ssl_InitSymWrapKeysLock(void);
1944
1945 extern SECStatus ssl_FreeSymWrapKeysLock(void);
1946
1947 extern SECStatus ssl_InitSessionCacheLocks(void);
1948
1949 /***************** platform client auth ****************/
1950
1951 #ifdef NSS_PLATFORM_CLIENT_AUTH
1952 // Releases the platform key.
1953 extern void ssl_FreePlatformKey(PlatformKey key);
1954
1955 // Implement the client CertificateVerify message for SSL3/TLS1.0
1956 extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash,
1957 PlatformKey key, SECItem *buf,
1958 PRBool isTLS, KeyType keyType);
1959
1960 // Converts a CERTCertList* (A collection of CERTCertificates) into a
1961 // CERTCertificateList* (A collection of SECItems), or returns NULL if
1962 // it cannot be converted.
1963 // This is to allow the platform-supplied chain to be created with purely
1964 // public API functions, using the preferred CERTCertList mutators, rather
1965 // pushing this hack to clients.
1966 extern CERTCertificateList* hack_NewCertificateListFromCertList(
1967 CERTCertList* list);
1968 #endif /* NSS_PLATFORM_CLIENT_AUTH */
1969
1970 /**************** DTLS-specific functions **************/
1971 extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg);
1972 extern void dtls_FreeQueuedMessages(PRCList *lst);
1973 extern void dtls_FreeHandshakeMessages(PRCList *lst);
1974
1975 extern SECStatus dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf);
1976 extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss,
1977 SSL3Opaque *b, PRUint32 length);
1978 extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss);
1979 extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
1980 const SSL3Opaque *pIn, PRInt32 nIn);
1981 extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
1982 extern SECStatus dtls_CompressMACEncryptRecord(sslSocket *ss,
1983 DTLSEpoch epoch,
1984 PRBool use_epoch,
1985 SSL3ContentType type,
1986 const SSL3Opaque *pIn,
1987 PRUint32 contentLen,
1988 sslBuffer *wrBuf);
1989 SECStatus ssl3_DisableNonDTLSSuites(sslSocket * ss);
1990 extern SECStatus dtls_StartTimer(sslSocket *ss, DTLSTimerCb cb);
1991 extern SECStatus dtls_RestartTimer(sslSocket *ss, PRBool backoff,
1992 DTLSTimerCb cb);
1993 extern void dtls_CheckTimer(sslSocket *ss);
1994 extern void dtls_CancelTimer(sslSocket *ss);
1995 extern void dtls_FinishedTimerCb(sslSocket *ss);
1996 extern void dtls_SetMTU(sslSocket *ss, PRUint16 advertised);
1997 extern void dtls_InitRecvdRecords(DTLSRecvdRecords *records);
1998 extern int dtls_RecordGetRecvd(DTLSRecvdRecords *records, PRUint64 seq);
1999 extern void dtls_RecordSetRecvd(DTLSRecvdRecords *records, PRUint64 seq);
2000 extern void dtls_RehandshakeCleanup(sslSocket *ss);
2001 extern SSL3ProtocolVersion
2002 dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv);
2003 extern SSL3ProtocolVersion
2004 dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv);
2005
2006 /********************** misc calls *********************/
2007
2008 #ifdef DEBUG
2009 extern void ssl3_CheckCipherSuiteOrderConsistency();
2010 #endif
2011
2012 extern int ssl_MapLowLevelError(int hiLevelError);
2013
2014 extern PRUint32 ssl_Time(void);
2015
2016 extern void SSL_AtomicIncrementLong(long * x);
2017
2018 SECStatus SSL_DisableDefaultExportCipherSuites(void);
2019 SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
2020 PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite);
2021
2022 extern SECStatus
2023 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec,
2024 const char *label, unsigned int labelLen,
2025 const unsigned char *val, unsigned int valLen,
2026 unsigned char *out, unsigned int outLen);
2027
2028 #ifdef TRACE
2029 #define SSL_TRACE(msg) ssl_Trace msg
2030 #else
2031 #define SSL_TRACE(msg)
2032 #endif
2033
2034 void ssl_Trace(const char *format, ...);
2035
2036 SEC_END_PROTOS
2037
2038 #if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
2039 #define SSL_GETPID getpid
2040 #elif defined(WIN32)
2041 extern int __cdecl _getpid(void);
2042 #define SSL_GETPID _getpid
2043 #else
2044 #define SSL_GETPID() 0
2045 #endif
2046
2047 #endif /* __sslimpl_h_ */