1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/ssl/sslimpl.h Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,1930 @@
1.4 +/*
1.5 + * This file is PRIVATE to SSL and should be the first thing included by
1.6 + * any SSL implementation file.
1.7 + *
1.8 + * This Source Code Form is subject to the terms of the Mozilla Public
1.9 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.10 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.11 +
1.12 +#ifndef __sslimpl_h_
1.13 +#define __sslimpl_h_
1.14 +
1.15 +#ifdef DEBUG
1.16 +#undef NDEBUG
1.17 +#else
1.18 +#undef NDEBUG
1.19 +#define NDEBUG
1.20 +#endif
1.21 +#include "secport.h"
1.22 +#include "secerr.h"
1.23 +#include "sslerr.h"
1.24 +#include "ssl3prot.h"
1.25 +#include "hasht.h"
1.26 +#include "nssilock.h"
1.27 +#include "pkcs11t.h"
1.28 +#if defined(XP_UNIX) || defined(XP_BEOS)
1.29 +#include "unistd.h"
1.30 +#endif
1.31 +#include "nssrwlk.h"
1.32 +#include "prthread.h"
1.33 +#include "prclist.h"
1.34 +
1.35 +#include "sslt.h" /* for some formerly private types, now public */
1.36 +
1.37 +/* to make some of these old enums public without namespace pollution,
1.38 +** it was necessary to prepend ssl_ to the names.
1.39 +** These #defines preserve compatibility with the old code here in libssl.
1.40 +*/
1.41 +typedef SSLKEAType SSL3KEAType;
1.42 +typedef SSLMACAlgorithm SSL3MACAlgorithm;
1.43 +typedef SSLSignType SSL3SignType;
1.44 +
1.45 +#define sign_null ssl_sign_null
1.46 +#define sign_rsa ssl_sign_rsa
1.47 +#define sign_dsa ssl_sign_dsa
1.48 +#define sign_ecdsa ssl_sign_ecdsa
1.49 +
1.50 +#define calg_null ssl_calg_null
1.51 +#define calg_rc4 ssl_calg_rc4
1.52 +#define calg_rc2 ssl_calg_rc2
1.53 +#define calg_des ssl_calg_des
1.54 +#define calg_3des ssl_calg_3des
1.55 +#define calg_idea ssl_calg_idea
1.56 +#define calg_fortezza ssl_calg_fortezza /* deprecated, must preserve */
1.57 +#define calg_aes ssl_calg_aes
1.58 +#define calg_camellia ssl_calg_camellia
1.59 +#define calg_seed ssl_calg_seed
1.60 +#define calg_aes_gcm ssl_calg_aes_gcm
1.61 +
1.62 +#define mac_null ssl_mac_null
1.63 +#define mac_md5 ssl_mac_md5
1.64 +#define mac_sha ssl_mac_sha
1.65 +#define hmac_md5 ssl_hmac_md5
1.66 +#define hmac_sha ssl_hmac_sha
1.67 +#define hmac_sha256 ssl_hmac_sha256
1.68 +#define mac_aead ssl_mac_aead
1.69 +
1.70 +#define SET_ERROR_CODE /* reminder */
1.71 +#define SEND_ALERT /* reminder */
1.72 +#define TEST_FOR_FAILURE /* reminder */
1.73 +#define DEAL_WITH_FAILURE /* reminder */
1.74 +
1.75 +#if defined(DEBUG) || defined(TRACE)
1.76 +#ifdef __cplusplus
1.77 +#define Debug 1
1.78 +#else
1.79 +extern int Debug;
1.80 +#endif
1.81 +#else
1.82 +#undef Debug
1.83 +#endif
1.84 +
1.85 +#if defined(DEBUG) && !defined(TRACE) && !defined(NISCC_TEST)
1.86 +#define TRACE
1.87 +#endif
1.88 +
1.89 +#ifdef TRACE
1.90 +#define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b
1.91 +#define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b
1.92 +#define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b
1.93 +#else
1.94 +#define SSL_TRC(a,b)
1.95 +#define PRINT_BUF(a,b)
1.96 +#define DUMP_MSG(a,b)
1.97 +#endif
1.98 +
1.99 +#ifdef DEBUG
1.100 +#define SSL_DBG(b) if (ssl_debug) ssl_Trace b
1.101 +#else
1.102 +#define SSL_DBG(b)
1.103 +#endif
1.104 +
1.105 +#include "private/pprthred.h" /* for PR_InMonitor() */
1.106 +#define ssl_InMonitor(m) PZ_InMonitor(m)
1.107 +
1.108 +#define LSB(x) ((unsigned char) ((x) & 0xff))
1.109 +#define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8))
1.110 +
1.111 +/************************************************************************/
1.112 +
1.113 +typedef enum { SSLAppOpRead = 0,
1.114 + SSLAppOpWrite,
1.115 + SSLAppOpRDWR,
1.116 + SSLAppOpPost,
1.117 + SSLAppOpHeader
1.118 +} SSLAppOperation;
1.119 +
1.120 +#define SSL_MIN_MASTER_KEY_BYTES 5
1.121 +#define SSL_MAX_MASTER_KEY_BYTES 64
1.122 +
1.123 +#define SSL2_SESSIONID_BYTES 16
1.124 +#define SSL3_SESSIONID_BYTES 32
1.125 +
1.126 +#define SSL_MIN_CHALLENGE_BYTES 16
1.127 +#define SSL_MAX_CHALLENGE_BYTES 32
1.128 +#define SSL_CHALLENGE_BYTES 16
1.129 +
1.130 +#define SSL_CONNECTIONID_BYTES 16
1.131 +
1.132 +#define SSL_MIN_CYPHER_ARG_BYTES 0
1.133 +#define SSL_MAX_CYPHER_ARG_BYTES 32
1.134 +
1.135 +#define SSL_MAX_MAC_BYTES 16
1.136 +
1.137 +#define SSL3_RSA_PMS_LENGTH 48
1.138 +#define SSL3_MASTER_SECRET_LENGTH 48
1.139 +
1.140 +/* number of wrap mechanisms potentially used to wrap master secrets. */
1.141 +#define SSL_NUM_WRAP_MECHS 16
1.142 +
1.143 +/* This makes the cert cache entry exactly 4k. */
1.144 +#define SSL_MAX_CACHED_CERT_LEN 4060
1.145 +
1.146 +#define NUM_MIXERS 9
1.147 +
1.148 +/* Mask of the 25 named curves we support. */
1.149 +#define SSL3_ALL_SUPPORTED_CURVES_MASK 0x3fffffe
1.150 +/* Mask of only 3 curves, suite B */
1.151 +#define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000
1.152 +
1.153 +#ifndef BPB
1.154 +#define BPB 8 /* Bits Per Byte */
1.155 +#endif
1.156 +
1.157 +#define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
1.158 +
1.159 +#define INITIAL_DTLS_TIMEOUT_MS 1000 /* Default value from RFC 4347 = 1s*/
1.160 +#define MAX_DTLS_TIMEOUT_MS 60000 /* 1 minute */
1.161 +#define DTLS_FINISHED_TIMER_MS 120000 /* Time to wait in FINISHED state */
1.162 +
1.163 +typedef struct sslBufferStr sslBuffer;
1.164 +typedef struct sslConnectInfoStr sslConnectInfo;
1.165 +typedef struct sslGatherStr sslGather;
1.166 +typedef struct sslSecurityInfoStr sslSecurityInfo;
1.167 +typedef struct sslSessionIDStr sslSessionID;
1.168 +typedef struct sslSocketStr sslSocket;
1.169 +typedef struct sslSocketOpsStr sslSocketOps;
1.170 +
1.171 +typedef struct ssl3StateStr ssl3State;
1.172 +typedef struct ssl3CertNodeStr ssl3CertNode;
1.173 +typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef;
1.174 +typedef struct ssl3MACDefStr ssl3MACDef;
1.175 +typedef struct ssl3KeyPairStr ssl3KeyPair;
1.176 +
1.177 +struct ssl3CertNodeStr {
1.178 + struct ssl3CertNodeStr *next;
1.179 + CERTCertificate * cert;
1.180 +};
1.181 +
1.182 +typedef SECStatus (*sslHandshakeFunc)(sslSocket *ss);
1.183 +
1.184 +/* This type points to the low layer send func,
1.185 +** e.g. ssl2_SendStream or ssl3_SendPlainText.
1.186 +** These functions return the same values as PR_Send,
1.187 +** i.e. >= 0 means number of bytes sent, < 0 means error.
1.188 +*/
1.189 +typedef PRInt32 (*sslSendFunc)(sslSocket *ss, const unsigned char *buf,
1.190 + PRInt32 n, PRInt32 flags);
1.191 +
1.192 +typedef void (*sslSessionIDCacheFunc) (sslSessionID *sid);
1.193 +typedef void (*sslSessionIDUncacheFunc)(sslSessionID *sid);
1.194 +typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr *addr,
1.195 + unsigned char* sid,
1.196 + unsigned int sidLen,
1.197 + CERTCertDBHandle * dbHandle);
1.198 +
1.199 +/* registerable callback function that either appends extension to buffer
1.200 + * or returns length of data that it would have appended.
1.201 + */
1.202 +typedef PRInt32 (*ssl3HelloExtensionSenderFunc)(sslSocket *ss, PRBool append,
1.203 + PRUint32 maxBytes);
1.204 +
1.205 +/* registerable callback function that handles a received extension,
1.206 + * of the given type.
1.207 + */
1.208 +typedef SECStatus (* ssl3HelloExtensionHandlerFunc)(sslSocket *ss,
1.209 + PRUint16 ex_type,
1.210 + SECItem * data);
1.211 +
1.212 +/* row in a table of hello extension senders */
1.213 +typedef struct {
1.214 + PRInt32 ex_type;
1.215 + ssl3HelloExtensionSenderFunc ex_sender;
1.216 +} ssl3HelloExtensionSender;
1.217 +
1.218 +/* row in a table of hello extension handlers */
1.219 +typedef struct {
1.220 + PRInt32 ex_type;
1.221 + ssl3HelloExtensionHandlerFunc ex_handler;
1.222 +} ssl3HelloExtensionHandler;
1.223 +
1.224 +extern SECStatus
1.225 +ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
1.226 + ssl3HelloExtensionSenderFunc cb);
1.227 +
1.228 +extern PRInt32
1.229 +ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
1.230 + const ssl3HelloExtensionSender *sender);
1.231 +
1.232 +extern unsigned int
1.233 +ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength);
1.234 +
1.235 +extern PRInt32
1.236 +ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
1.237 + PRUint32 maxBytes);
1.238 +
1.239 +/* Socket ops */
1.240 +struct sslSocketOpsStr {
1.241 + int (*connect) (sslSocket *, const PRNetAddr *);
1.242 + PRFileDesc *(*accept) (sslSocket *, PRNetAddr *);
1.243 + int (*bind) (sslSocket *, const PRNetAddr *);
1.244 + int (*listen) (sslSocket *, int);
1.245 + int (*shutdown)(sslSocket *, int);
1.246 + int (*close) (sslSocket *);
1.247 +
1.248 + int (*recv) (sslSocket *, unsigned char *, int, int);
1.249 +
1.250 + /* points to the higher-layer send func, e.g. ssl_SecureSend. */
1.251 + int (*send) (sslSocket *, const unsigned char *, int, int);
1.252 + int (*read) (sslSocket *, unsigned char *, int);
1.253 + int (*write) (sslSocket *, const unsigned char *, int);
1.254 +
1.255 + int (*getpeername)(sslSocket *, PRNetAddr *);
1.256 + int (*getsockname)(sslSocket *, PRNetAddr *);
1.257 +};
1.258 +
1.259 +/* Flags interpreted by ssl send functions. */
1.260 +#define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000
1.261 +#define ssl_SEND_FLAG_NO_BUFFER 0x20000000
1.262 +#define ssl_SEND_FLAG_USE_EPOCH 0x10000000 /* DTLS only */
1.263 +#define ssl_SEND_FLAG_NO_RETRANSMIT 0x08000000 /* DTLS only */
1.264 +#define ssl_SEND_FLAG_CAP_RECORD_VERSION \
1.265 + 0x04000000 /* TLS only */
1.266 +#define ssl_SEND_FLAG_MASK 0x7f000000
1.267 +
1.268 +/*
1.269 +** A buffer object.
1.270 +*/
1.271 +struct sslBufferStr {
1.272 + unsigned char * buf;
1.273 + unsigned int len;
1.274 + unsigned int space;
1.275 +};
1.276 +
1.277 +/*
1.278 +** SSL3 cipher suite policy and preference struct.
1.279 +*/
1.280 +typedef struct {
1.281 +#if !defined(_WIN32)
1.282 + unsigned int cipher_suite : 16;
1.283 + unsigned int policy : 8;
1.284 + unsigned int enabled : 1;
1.285 + unsigned int isPresent : 1;
1.286 +#else
1.287 + ssl3CipherSuite cipher_suite;
1.288 + PRUint8 policy;
1.289 + unsigned char enabled : 1;
1.290 + unsigned char isPresent : 1;
1.291 +#endif
1.292 +} ssl3CipherSuiteCfg;
1.293 +
1.294 +#ifndef NSS_DISABLE_ECC
1.295 +#define ssl_V3_SUITES_IMPLEMENTED 61
1.296 +#else
1.297 +#define ssl_V3_SUITES_IMPLEMENTED 37
1.298 +#endif /* NSS_DISABLE_ECC */
1.299 +
1.300 +#define MAX_DTLS_SRTP_CIPHER_SUITES 4
1.301 +
1.302 +typedef struct sslOptionsStr {
1.303 + /* If SSL_SetNextProtoNego has been called, then this contains the
1.304 + * list of supported protocols. */
1.305 + SECItem nextProtoNego;
1.306 +
1.307 + unsigned int useSecurity : 1; /* 1 */
1.308 + unsigned int useSocks : 1; /* 2 */
1.309 + unsigned int requestCertificate : 1; /* 3 */
1.310 + unsigned int requireCertificate : 2; /* 4-5 */
1.311 + unsigned int handshakeAsClient : 1; /* 6 */
1.312 + unsigned int handshakeAsServer : 1; /* 7 */
1.313 + unsigned int enableSSL2 : 1; /* 8 */
1.314 + unsigned int unusedBit9 : 1; /* 9 */
1.315 + unsigned int unusedBit10 : 1; /* 10 */
1.316 + unsigned int noCache : 1; /* 11 */
1.317 + unsigned int fdx : 1; /* 12 */
1.318 + unsigned int v2CompatibleHello : 1; /* 13 */
1.319 + unsigned int detectRollBack : 1; /* 14 */
1.320 + unsigned int noStepDown : 1; /* 15 */
1.321 + unsigned int bypassPKCS11 : 1; /* 16 */
1.322 + unsigned int noLocks : 1; /* 17 */
1.323 + unsigned int enableSessionTickets : 1; /* 18 */
1.324 + unsigned int enableDeflate : 1; /* 19 */
1.325 + unsigned int enableRenegotiation : 2; /* 20-21 */
1.326 + unsigned int requireSafeNegotiation : 1; /* 22 */
1.327 + unsigned int enableFalseStart : 1; /* 23 */
1.328 + unsigned int cbcRandomIV : 1; /* 24 */
1.329 + unsigned int enableOCSPStapling : 1; /* 25 */
1.330 + unsigned int enableNPN : 1; /* 26 */
1.331 + unsigned int enableALPN : 1; /* 27 */
1.332 + unsigned int dummy : 1; /* 28 */
1.333 + unsigned int enableFallbackSCSV : 1; /* 29 */
1.334 +} sslOptions;
1.335 +
1.336 +typedef enum { sslHandshakingUndetermined = 0,
1.337 + sslHandshakingAsClient,
1.338 + sslHandshakingAsServer
1.339 +} sslHandshakingType;
1.340 +
1.341 +typedef struct sslServerCertsStr {
1.342 + /* Configuration state for server sockets */
1.343 + CERTCertificate * serverCert;
1.344 + CERTCertificateList * serverCertChain;
1.345 + ssl3KeyPair * serverKeyPair;
1.346 + unsigned int serverKeyBits;
1.347 +} sslServerCerts;
1.348 +
1.349 +#define SERVERKEY serverKeyPair->privKey
1.350 +
1.351 +#define SSL_LOCK_RANK_SPEC 255
1.352 +#define SSL_LOCK_RANK_GLOBAL NSS_RWLOCK_RANK_NONE
1.353 +
1.354 +/* These are the valid values for shutdownHow.
1.355 +** These values are each 1 greater than the NSPR values, and the code
1.356 +** depends on that relation to efficiently convert PR_SHUTDOWN values
1.357 +** into ssl_SHUTDOWN values. These values use one bit for read, and
1.358 +** another bit for write, and can be used as bitmasks.
1.359 +*/
1.360 +#define ssl_SHUTDOWN_NONE 0 /* NOT shutdown at all */
1.361 +#define ssl_SHUTDOWN_RCV 1 /* PR_SHUTDOWN_RCV +1 */
1.362 +#define ssl_SHUTDOWN_SEND 2 /* PR_SHUTDOWN_SEND +1 */
1.363 +#define ssl_SHUTDOWN_BOTH 3 /* PR_SHUTDOWN_BOTH +1 */
1.364 +
1.365 +/*
1.366 +** A gather object. Used to read some data until a count has been
1.367 +** satisfied. Primarily for support of async sockets.
1.368 +** Everything in here is protected by the recvBufLock.
1.369 +*/
1.370 +struct sslGatherStr {
1.371 + int state; /* see GS_ values below. */ /* ssl 2 & 3 */
1.372 +
1.373 + /* "buf" holds received plaintext SSL records, after decrypt and MAC check.
1.374 + * SSL2: recv'd ciphertext records are put here, then decrypted in place.
1.375 + * SSL3: recv'd ciphertext records are put in inbuf (see below), then
1.376 + * decrypted into buf.
1.377 + */
1.378 + sslBuffer buf; /*recvBufLock*/ /* ssl 2 & 3 */
1.379 +
1.380 + /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3).
1.381 + ** (offset - writeOffset) is the number of ciphertext bytes read in but
1.382 + ** not yet deciphered.
1.383 + */
1.384 + unsigned int offset; /* ssl 2 & 3 */
1.385 +
1.386 + /* number of bytes to read in next call to ssl_DefRecv (recv) */
1.387 + unsigned int remainder; /* ssl 2 & 3 */
1.388 +
1.389 + /* Number of ciphertext bytes to read in after 2-byte SSL record header. */
1.390 + unsigned int count; /* ssl2 only */
1.391 +
1.392 + /* size of the final plaintext record.
1.393 + ** == count - (recordPadding + MAC size)
1.394 + */
1.395 + unsigned int recordLen; /* ssl2 only */
1.396 +
1.397 + /* number of bytes of padding to be removed after decrypting. */
1.398 + /* This value is taken from the record's hdr[2], which means a too large
1.399 + * value could crash us.
1.400 + */
1.401 + unsigned int recordPadding; /* ssl2 only */
1.402 +
1.403 + /* plaintext DATA begins this many bytes into "buf". */
1.404 + unsigned int recordOffset; /* ssl2 only */
1.405 +
1.406 + int encrypted; /* SSL2 session is now encrypted. ssl2 only */
1.407 +
1.408 + /* These next two values are used by SSL2 and SSL3.
1.409 + ** DoRecv uses them to extract application data.
1.410 + ** The difference between writeOffset and readOffset is the amount of
1.411 + ** data available to the application. Note that the actual offset of
1.412 + ** the data in "buf" is recordOffset (above), not readOffset.
1.413 + ** In the current implementation, this is made available before the
1.414 + ** MAC is checked!!
1.415 + */
1.416 + unsigned int readOffset; /* Spot where DATA reader (e.g. application
1.417 + ** or handshake code) will read next.
1.418 + ** Always zero for SSl3 application data.
1.419 + */
1.420 + /* offset in buf/inbuf/hdr into which new data will be read from socket. */
1.421 + unsigned int writeOffset;
1.422 +
1.423 + /* Buffer for ssl3 to read (encrypted) data from the socket */
1.424 + sslBuffer inbuf; /*recvBufLock*/ /* ssl3 only */
1.425 +
1.426 + /* The ssl[23]_GatherData functions read data into this buffer, rather
1.427 + ** than into buf or inbuf, while in the GS_HEADER state.
1.428 + ** The portion of the SSL record header put here always comes off the wire
1.429 + ** as plaintext, never ciphertext.
1.430 + ** For SSL2, the plaintext portion is two bytes long. For SSl3 it is 5.
1.431 + ** For DTLS it is 13.
1.432 + */
1.433 + unsigned char hdr[13]; /* ssl 2 & 3 or dtls */
1.434 +
1.435 + /* Buffer for DTLS data read off the wire as a single datagram */
1.436 + sslBuffer dtlsPacket;
1.437 +
1.438 + /* the start of the buffered DTLS record in dtlsPacket */
1.439 + unsigned int dtlsPacketOffset;
1.440 +};
1.441 +
1.442 +/* sslGather.state */
1.443 +#define GS_INIT 0
1.444 +#define GS_HEADER 1
1.445 +#define GS_MAC 2
1.446 +#define GS_DATA 3
1.447 +#define GS_PAD 4
1.448 +
1.449 +
1.450 +
1.451 +/*
1.452 +** ssl3State and CipherSpec structs
1.453 +*/
1.454 +
1.455 +/* The SSL bulk cipher definition */
1.456 +typedef enum {
1.457 + cipher_null,
1.458 + cipher_rc4,
1.459 + cipher_rc4_40,
1.460 + cipher_rc4_56,
1.461 + cipher_rc2,
1.462 + cipher_rc2_40,
1.463 + cipher_des,
1.464 + cipher_3des,
1.465 + cipher_des40,
1.466 + cipher_idea,
1.467 + cipher_aes_128,
1.468 + cipher_aes_256,
1.469 + cipher_camellia_128,
1.470 + cipher_camellia_256,
1.471 + cipher_seed,
1.472 + cipher_aes_128_gcm,
1.473 + cipher_missing /* reserved for no such supported cipher */
1.474 + /* This enum must match ssl3_cipherName[] in ssl3con.c. */
1.475 +} SSL3BulkCipher;
1.476 +
1.477 +typedef enum { type_stream, type_block, type_aead } CipherType;
1.478 +
1.479 +#define MAX_IV_LENGTH 24
1.480 +
1.481 +/*
1.482 + * Do not depend upon 64 bit arithmetic in the underlying machine.
1.483 + */
1.484 +typedef struct {
1.485 + PRUint32 high;
1.486 + PRUint32 low;
1.487 +} SSL3SequenceNumber;
1.488 +
1.489 +typedef PRUint16 DTLSEpoch;
1.490 +
1.491 +typedef void (*DTLSTimerCb)(sslSocket *);
1.492 +
1.493 +#define MAX_MAC_CONTEXT_BYTES 400 /* 400 is large enough for MD5, SHA-1, and
1.494 + * SHA-256. For SHA-384 support, increase
1.495 + * it to 712. */
1.496 +#define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8)
1.497 +
1.498 +#define MAX_CIPHER_CONTEXT_BYTES 2080
1.499 +#define MAX_CIPHER_CONTEXT_LLONGS (MAX_CIPHER_CONTEXT_BYTES / 8)
1.500 +
1.501 +typedef struct {
1.502 + SSL3Opaque wrapped_master_secret[48];
1.503 + PRUint16 wrapped_master_secret_len;
1.504 + PRUint8 msIsWrapped;
1.505 + PRUint8 resumable;
1.506 +} ssl3SidKeys; /* 52 bytes */
1.507 +
1.508 +typedef struct {
1.509 + PK11SymKey *write_key;
1.510 + PK11SymKey *write_mac_key;
1.511 + PK11Context *write_mac_context;
1.512 + SECItem write_key_item;
1.513 + SECItem write_iv_item;
1.514 + SECItem write_mac_key_item;
1.515 + SSL3Opaque write_iv[MAX_IV_LENGTH];
1.516 + PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS];
1.517 +} ssl3KeyMaterial;
1.518 +
1.519 +typedef SECStatus (*SSLCipher)(void * context,
1.520 + unsigned char * out,
1.521 + int * outlen,
1.522 + int maxout,
1.523 + const unsigned char *in,
1.524 + int inlen);
1.525 +typedef SECStatus (*SSLAEADCipher)(
1.526 + ssl3KeyMaterial * keys,
1.527 + PRBool doDecrypt,
1.528 + unsigned char * out,
1.529 + int * outlen,
1.530 + int maxout,
1.531 + const unsigned char *in,
1.532 + int inlen,
1.533 + const unsigned char *additionalData,
1.534 + int additionalDataLen);
1.535 +typedef SECStatus (*SSLCompressor)(void * context,
1.536 + unsigned char * out,
1.537 + int * outlen,
1.538 + int maxout,
1.539 + const unsigned char *in,
1.540 + int inlen);
1.541 +typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
1.542 +
1.543 +/* The DTLS anti-replay window. Defined here because we need it in
1.544 + * the cipher spec. Note that this is a ring buffer but left and
1.545 + * right represent the true window, with modular arithmetic used to
1.546 + * map them onto the buffer.
1.547 + */
1.548 +#define DTLS_RECVD_RECORDS_WINDOW 1024 /* Packets; approximate
1.549 + * Must be divisible by 8
1.550 + */
1.551 +typedef struct DTLSRecvdRecordsStr {
1.552 + unsigned char data[DTLS_RECVD_RECORDS_WINDOW/8];
1.553 + PRUint64 left;
1.554 + PRUint64 right;
1.555 +} DTLSRecvdRecords;
1.556 +
1.557 +/*
1.558 +** These are the "specs" in the "ssl3" struct.
1.559 +** Access to the pointers to these specs, and all the specs' contents
1.560 +** (direct and indirect) is protected by the reader/writer lock ss->specLock.
1.561 +*/
1.562 +typedef struct {
1.563 + const ssl3BulkCipherDef *cipher_def;
1.564 + const ssl3MACDef * mac_def;
1.565 + SSLCompressionMethod compression_method;
1.566 + int mac_size;
1.567 + SSLCipher encode;
1.568 + SSLCipher decode;
1.569 + SSLAEADCipher aead;
1.570 + SSLDestroy destroy;
1.571 + void * encodeContext;
1.572 + void * decodeContext;
1.573 + SSLCompressor compressor; /* Don't name these fields compress */
1.574 + SSLCompressor decompressor; /* and uncompress because zconf.h */
1.575 + /* may define them as macros. */
1.576 + SSLDestroy destroyCompressContext;
1.577 + void * compressContext;
1.578 + SSLDestroy destroyDecompressContext;
1.579 + void * decompressContext;
1.580 + PRBool bypassCiphers; /* did double bypass (at least) */
1.581 + PK11SymKey * master_secret;
1.582 + SSL3SequenceNumber write_seq_num;
1.583 + SSL3SequenceNumber read_seq_num;
1.584 + SSL3ProtocolVersion version;
1.585 + ssl3KeyMaterial client;
1.586 + ssl3KeyMaterial server;
1.587 + SECItem msItem;
1.588 + unsigned char key_block[NUM_MIXERS * MD5_LENGTH];
1.589 + unsigned char raw_master_secret[56];
1.590 + SECItem srvVirtName; /* for server: name that was negotiated
1.591 + * with a client. For client - is
1.592 + * always set to NULL.*/
1.593 + DTLSEpoch epoch;
1.594 + DTLSRecvdRecords recvdRecords;
1.595 +} ssl3CipherSpec;
1.596 +
1.597 +typedef enum { never_cached,
1.598 + in_client_cache,
1.599 + in_server_cache,
1.600 + invalid_cache /* no longer in any cache. */
1.601 +} Cached;
1.602 +
1.603 +struct sslSessionIDStr {
1.604 + /* The global cache lock must be held when accessing these members when the
1.605 + * sid is in any cache.
1.606 + */
1.607 + sslSessionID * next; /* chain used for client sockets, only */
1.608 + Cached cached;
1.609 + int references;
1.610 + PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */
1.611 +
1.612 + /* The rest of the members, except for the members of u.ssl3.locked, may
1.613 + * be modified only when the sid is not in any cache.
1.614 + */
1.615 +
1.616 + CERTCertificate * peerCert;
1.617 + SECItemArray peerCertStatus; /* client only */
1.618 + const char * peerID; /* client only */
1.619 + const char * urlSvrName; /* client only */
1.620 + CERTCertificate * localCert;
1.621 +
1.622 + PRIPv6Addr addr;
1.623 + PRUint16 port;
1.624 +
1.625 + SSL3ProtocolVersion version;
1.626 +
1.627 + PRUint32 creationTime; /* seconds since Jan 1, 1970 */
1.628 + PRUint32 expirationTime; /* seconds since Jan 1, 1970 */
1.629 +
1.630 + SSLSignType authAlgorithm;
1.631 + PRUint32 authKeyBits;
1.632 + SSLKEAType keaType;
1.633 + PRUint32 keaKeyBits;
1.634 +
1.635 + union {
1.636 + struct {
1.637 + /* the V2 code depends upon the size of sessionID. */
1.638 + unsigned char sessionID[SSL2_SESSIONID_BYTES];
1.639 +
1.640 + /* Stuff used to recreate key and read/write cipher objects */
1.641 + SECItem masterKey; /* never wrapped */
1.642 + int cipherType;
1.643 + SECItem cipherArg;
1.644 + int keyBits;
1.645 + int secretKeyBits;
1.646 + } ssl2;
1.647 + struct {
1.648 + /* values that are copied into the server's on-disk SID cache. */
1.649 + PRUint8 sessionIDLength;
1.650 + SSL3Opaque sessionID[SSL3_SESSIONID_BYTES];
1.651 +
1.652 + ssl3CipherSuite cipherSuite;
1.653 + SSLCompressionMethod compression;
1.654 + int policy;
1.655 + ssl3SidKeys keys;
1.656 + CK_MECHANISM_TYPE masterWrapMech;
1.657 + /* mechanism used to wrap master secret */
1.658 + SSL3KEAType exchKeyType;
1.659 + /* key type used in exchange algorithm,
1.660 + * and to wrap the sym wrapping key. */
1.661 +#ifndef NSS_DISABLE_ECC
1.662 + PRUint32 negotiatedECCurves;
1.663 +#endif /* NSS_DISABLE_ECC */
1.664 +
1.665 + /* The following values are NOT restored from the server's on-disk
1.666 + * session cache, but are restored from the client's cache.
1.667 + */
1.668 + PK11SymKey * clientWriteKey;
1.669 + PK11SymKey * serverWriteKey;
1.670 +
1.671 + /* The following values pertain to the slot that wrapped the
1.672 + ** master secret. (used only in client)
1.673 + */
1.674 + SECMODModuleID masterModuleID;
1.675 + /* what module wrapped the master secret */
1.676 + CK_SLOT_ID masterSlotID;
1.677 + PRUint16 masterWrapIndex;
1.678 + /* what's the key index for the wrapping key */
1.679 + PRUint16 masterWrapSeries;
1.680 + /* keep track of the slot series, so we don't
1.681 + * accidently try to use new keys after the
1.682 + * card gets removed and replaced.*/
1.683 +
1.684 + /* The following values pertain to the slot that did the signature
1.685 + ** for client auth. (used only in client)
1.686 + */
1.687 + SECMODModuleID clAuthModuleID;
1.688 + CK_SLOT_ID clAuthSlotID;
1.689 + PRUint16 clAuthSeries;
1.690 +
1.691 + char masterValid;
1.692 + char clAuthValid;
1.693 +
1.694 + SECItem srvName;
1.695 +
1.696 + /* This lock is lazily initialized by CacheSID when a sid is first
1.697 + * cached. Before then, there is no need to lock anything because
1.698 + * the sid isn't being shared by anything.
1.699 + */
1.700 + PRRWLock *lock;
1.701 +
1.702 + /* The lock must be held while reading or writing these members
1.703 + * because they change while the sid is cached.
1.704 + */
1.705 + struct {
1.706 + /* The session ticket, if we have one, is sent as an extension
1.707 + * in the ClientHello message. This field is used only by
1.708 + * clients. It is protected by lock when lock is non-null
1.709 + * (after the sid has been added to the client session cache).
1.710 + */
1.711 + NewSessionTicket sessionTicket;
1.712 + } locked;
1.713 + } ssl3;
1.714 + } u;
1.715 +};
1.716 +
1.717 +typedef struct ssl3CipherSuiteDefStr {
1.718 + ssl3CipherSuite cipher_suite;
1.719 + SSL3BulkCipher bulk_cipher_alg;
1.720 + SSL3MACAlgorithm mac_alg;
1.721 + SSL3KeyExchangeAlgorithm key_exchange_alg;
1.722 +} ssl3CipherSuiteDef;
1.723 +
1.724 +/*
1.725 +** There are tables of these, all const.
1.726 +*/
1.727 +typedef struct {
1.728 + SSL3KeyExchangeAlgorithm kea;
1.729 + SSL3KEAType exchKeyType;
1.730 + SSL3SignType signKeyType;
1.731 + PRBool is_limited;
1.732 + int key_size_limit;
1.733 + PRBool tls_keygen;
1.734 +} ssl3KEADef;
1.735 +
1.736 +/*
1.737 +** There are tables of these, all const.
1.738 +*/
1.739 +struct ssl3BulkCipherDefStr {
1.740 + SSL3BulkCipher cipher;
1.741 + SSLCipherAlgorithm calg;
1.742 + int key_size;
1.743 + int secret_key_size;
1.744 + CipherType type;
1.745 + int iv_size;
1.746 + int block_size;
1.747 + int tag_size; /* authentication tag size for AEAD ciphers. */
1.748 + int explicit_nonce_size; /* for AEAD ciphers. */
1.749 +};
1.750 +
1.751 +/*
1.752 +** There are tables of these, all const.
1.753 +*/
1.754 +struct ssl3MACDefStr {
1.755 + SSL3MACAlgorithm mac;
1.756 + CK_MECHANISM_TYPE mmech;
1.757 + int pad_size;
1.758 + int mac_size;
1.759 +};
1.760 +
1.761 +typedef enum {
1.762 + wait_client_hello,
1.763 + wait_client_cert,
1.764 + wait_client_key,
1.765 + wait_cert_verify,
1.766 + wait_change_cipher,
1.767 + wait_finished,
1.768 + wait_server_hello,
1.769 + wait_certificate_status,
1.770 + wait_server_cert,
1.771 + wait_server_key,
1.772 + wait_cert_request,
1.773 + wait_hello_done,
1.774 + wait_new_session_ticket,
1.775 + idle_handshake
1.776 +} SSL3WaitState;
1.777 +
1.778 +/*
1.779 + * TLS extension related constants and data structures.
1.780 + */
1.781 +typedef struct TLSExtensionDataStr TLSExtensionData;
1.782 +typedef struct SessionTicketDataStr SessionTicketData;
1.783 +
1.784 +struct TLSExtensionDataStr {
1.785 + /* registered callbacks that send server hello extensions */
1.786 + ssl3HelloExtensionSender serverSenders[SSL_MAX_EXTENSIONS];
1.787 + /* Keep track of the extensions that are negotiated. */
1.788 + PRUint16 numAdvertised;
1.789 + PRUint16 numNegotiated;
1.790 + PRUint16 advertised[SSL_MAX_EXTENSIONS];
1.791 + PRUint16 negotiated[SSL_MAX_EXTENSIONS];
1.792 +
1.793 + /* SessionTicket Extension related data. */
1.794 + PRBool ticketTimestampVerified;
1.795 + PRBool emptySessionTicket;
1.796 + PRBool sentSessionTicketInClientHello;
1.797 +
1.798 + /* SNI Extension related data
1.799 + * Names data is not coppied from the input buffer. It can not be
1.800 + * used outside the scope where input buffer is defined and that
1.801 + * is beyond ssl3_HandleClientHello function. */
1.802 + SECItem *sniNameArr;
1.803 + PRUint32 sniNameArrSize;
1.804 +};
1.805 +
1.806 +typedef SECStatus (*sslRestartTarget)(sslSocket *);
1.807 +
1.808 +/*
1.809 +** A DTLS queued message (potentially to be retransmitted)
1.810 +*/
1.811 +typedef struct DTLSQueuedMessageStr {
1.812 + PRCList link; /* The linked list link */
1.813 + DTLSEpoch epoch; /* The epoch to use */
1.814 + SSL3ContentType type; /* The message type */
1.815 + unsigned char *data; /* The data */
1.816 + PRUint16 len; /* The data length */
1.817 +} DTLSQueuedMessage;
1.818 +
1.819 +typedef enum {
1.820 + handshake_hash_unknown = 0,
1.821 + handshake_hash_combo = 1, /* The MD5/SHA-1 combination */
1.822 + handshake_hash_single = 2 /* A single hash */
1.823 +} SSL3HandshakeHashType;
1.824 +
1.825 +/*
1.826 +** This is the "hs" member of the "ssl3" struct.
1.827 +** This entire struct is protected by ssl3HandshakeLock
1.828 +*/
1.829 +typedef struct SSL3HandshakeStateStr {
1.830 + SSL3Random server_random;
1.831 + SSL3Random client_random;
1.832 + SSL3WaitState ws;
1.833 +
1.834 + /* This group of members is used for handshake running hashes. */
1.835 + SSL3HandshakeHashType hashType;
1.836 + sslBuffer messages; /* Accumulated handshake messages */
1.837 +#ifndef NO_PKCS11_BYPASS
1.838 + /* Bypass mode:
1.839 + * SSL 3.0 - TLS 1.1 use both |md5_cx| and |sha_cx|. |md5_cx| is used for
1.840 + * MD5 and |sha_cx| for SHA-1.
1.841 + * TLS 1.2 and later use only |sha_cx|, for SHA-256. NOTE: When we support
1.842 + * SHA-384, increase MAX_MAC_CONTEXT_BYTES to 712. */
1.843 + PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS];
1.844 + PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS];
1.845 + const SECHashObject * sha_obj;
1.846 + /* The function prototype of sha_obj->clone() does not match the prototype
1.847 + * of the freebl <HASH>_Clone functions, so we need a dedicated function
1.848 + * pointer for the <HASH>_Clone function. */
1.849 + void (*sha_clone)(void *dest, void *src);
1.850 +#endif
1.851 + /* PKCS #11 mode:
1.852 + * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
1.853 + * |sha| for SHA-1.
1.854 + * TLS 1.2 and later use only |sha|, for SHA-256. */
1.855 + /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup
1.856 + * handshake hash for generating client auth signatures. Confusingly, the
1.857 + * backup hash function is SHA-1. */
1.858 +#define backupHash md5
1.859 + PK11Context * md5;
1.860 + PK11Context * sha;
1.861 +
1.862 +const ssl3KEADef * kea_def;
1.863 + ssl3CipherSuite cipher_suite;
1.864 +const ssl3CipherSuiteDef *suite_def;
1.865 + SSLCompressionMethod compression;
1.866 + sslBuffer msg_body; /* protected by recvBufLock */
1.867 + /* partial handshake message from record layer */
1.868 + unsigned int header_bytes;
1.869 + /* number of bytes consumed from handshake */
1.870 + /* message for message type and header length */
1.871 + SSL3HandshakeType msg_type;
1.872 + unsigned long msg_len;
1.873 + SECItem ca_list; /* used only by client */
1.874 + PRBool isResuming; /* are we resuming a session */
1.875 + PRBool usedStepDownKey; /* we did a server key exchange. */
1.876 + PRBool sendingSCSV; /* instead of empty RI */
1.877 + sslBuffer msgState; /* current state for handshake messages*/
1.878 + /* protected by recvBufLock */
1.879 +
1.880 + /* The session ticket received in a NewSessionTicket message is temporarily
1.881 + * stored in newSessionTicket until the handshake is finished; then it is
1.882 + * moved to the sid.
1.883 + */
1.884 + PRBool receivedNewSessionTicket;
1.885 + NewSessionTicket newSessionTicket;
1.886 +
1.887 + PRUint16 finishedBytes; /* size of single finished below */
1.888 + union {
1.889 + TLSFinished tFinished[2]; /* client, then server */
1.890 + SSL3Finished sFinished[2];
1.891 + SSL3Opaque data[72];
1.892 + } finishedMsgs;
1.893 +#ifndef NSS_DISABLE_ECC
1.894 + PRUint32 negotiatedECCurves; /* bit mask */
1.895 +#endif /* NSS_DISABLE_ECC */
1.896 +
1.897 + PRBool authCertificatePending;
1.898 + /* Which function should SSL_RestartHandshake* call if we're blocked?
1.899 + * One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake,
1.900 + * or ssl3_AlwaysFail */
1.901 + sslRestartTarget restartTarget;
1.902 + /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
1.903 + PRBool cacheSID;
1.904 +
1.905 + PRBool canFalseStart; /* Can/did we False Start */
1.906 +
1.907 + /* clientSigAndHash contains the contents of the signature_algorithms
1.908 + * extension (if any) from the client. This is only valid for TLS 1.2
1.909 + * or later. */
1.910 + SSL3SignatureAndHashAlgorithm *clientSigAndHash;
1.911 + unsigned int numClientSigAndHash;
1.912 +
1.913 + /* This group of values is used for DTLS */
1.914 + PRUint16 sendMessageSeq; /* The sending message sequence
1.915 + * number */
1.916 + PRCList lastMessageFlight; /* The last message flight we
1.917 + * sent */
1.918 + PRUint16 maxMessageSent; /* The largest message we sent */
1.919 + PRUint16 recvMessageSeq; /* The receiving message sequence
1.920 + * number */
1.921 + sslBuffer recvdFragments; /* The fragments we have received in
1.922 + * a bitmask */
1.923 + PRInt32 recvdHighWater; /* The high water mark for fragments
1.924 + * received. -1 means no reassembly
1.925 + * in progress. */
1.926 + unsigned char cookie[32]; /* The cookie */
1.927 + unsigned char cookieLen; /* The length of the cookie */
1.928 + PRIntervalTime rtTimerStarted; /* When the timer was started */
1.929 + DTLSTimerCb rtTimerCb; /* The function to call on expiry */
1.930 + PRUint32 rtTimeoutMs; /* The length of the current timeout
1.931 + * used for backoff (in ms) */
1.932 + PRUint32 rtRetries; /* The retry counter */
1.933 +} SSL3HandshakeState;
1.934 +
1.935 +
1.936 +
1.937 +/*
1.938 +** This is the "ssl3" struct, as in "ss->ssl3".
1.939 +** note:
1.940 +** usually, crSpec == cwSpec and prSpec == pwSpec.
1.941 +** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
1.942 +** But there are never more than 2 actual specs.
1.943 +** No spec must ever be modified if either "current" pointer points to it.
1.944 +*/
1.945 +struct ssl3StateStr {
1.946 +
1.947 + /*
1.948 + ** The following Specs and Spec pointers must be protected using the
1.949 + ** Spec Lock.
1.950 + */
1.951 + ssl3CipherSpec * crSpec; /* current read spec. */
1.952 + ssl3CipherSpec * prSpec; /* pending read spec. */
1.953 + ssl3CipherSpec * cwSpec; /* current write spec. */
1.954 + ssl3CipherSpec * pwSpec; /* pending write spec. */
1.955 +
1.956 + CERTCertificate * clientCertificate; /* used by client */
1.957 + SECKEYPrivateKey * clientPrivateKey; /* used by client */
1.958 + CERTCertificateList *clientCertChain; /* used by client */
1.959 + PRBool sendEmptyCert; /* used by client */
1.960 +
1.961 + int policy;
1.962 + /* This says what cipher suites we can do, and should
1.963 + * be either SSL_ALLOWED or SSL_RESTRICTED
1.964 + */
1.965 + PLArenaPool * peerCertArena;
1.966 + /* These are used to keep track of the peer CA */
1.967 + void * peerCertChain;
1.968 + /* chain while we are trying to validate it. */
1.969 + CERTDistNames * ca_list;
1.970 + /* used by server. trusted CAs for this socket. */
1.971 + PRBool initialized;
1.972 + SSL3HandshakeState hs;
1.973 + ssl3CipherSpec specs[2]; /* one is current, one is pending. */
1.974 +
1.975 + /* In a client: if the server supports Next Protocol Negotiation, then
1.976 + * this is the protocol that was negotiated.
1.977 + */
1.978 + SECItem nextProto;
1.979 + SSLNextProtoState nextProtoState;
1.980 +
1.981 + PRUint16 mtu; /* Our estimate of the MTU */
1.982 +
1.983 + /* DTLS-SRTP cipher suite preferences (if any) */
1.984 + PRUint16 dtlsSRTPCiphers[MAX_DTLS_SRTP_CIPHER_SUITES];
1.985 + PRUint16 dtlsSRTPCipherCount;
1.986 + PRUint16 dtlsSRTPCipherSuite; /* 0 if not selected */
1.987 +};
1.988 +
1.989 +#define DTLS_MAX_MTU 1500 /* Ethernet MTU but without subtracting the
1.990 + * headers, so slightly larger than expected */
1.991 +#define IS_DTLS(ss) (ss->protocolVariant == ssl_variant_datagram)
1.992 +
1.993 +typedef struct {
1.994 + SSL3ContentType type;
1.995 + SSL3ProtocolVersion version;
1.996 + SSL3SequenceNumber seq_num; /* DTLS only */
1.997 + sslBuffer * buf;
1.998 +} SSL3Ciphertext;
1.999 +
1.1000 +struct ssl3KeyPairStr {
1.1001 + SECKEYPrivateKey * privKey;
1.1002 + SECKEYPublicKey * pubKey;
1.1003 + PRInt32 refCount; /* use PR_Atomic calls for this. */
1.1004 +};
1.1005 +
1.1006 +typedef struct SSLWrappedSymWrappingKeyStr {
1.1007 + SSL3Opaque wrappedSymmetricWrappingkey[512];
1.1008 + CK_MECHANISM_TYPE symWrapMechanism;
1.1009 + /* unwrapped symmetric wrapping key uses this mechanism */
1.1010 + CK_MECHANISM_TYPE asymWrapMechanism;
1.1011 + /* mechanism used to wrap the SymmetricWrappingKey using
1.1012 + * server's public and/or private keys. */
1.1013 + SSL3KEAType exchKeyType; /* type of keys used to wrap SymWrapKey*/
1.1014 + PRInt32 symWrapMechIndex;
1.1015 + PRUint16 wrappedSymKeyLen;
1.1016 +} SSLWrappedSymWrappingKey;
1.1017 +
1.1018 +typedef struct SessionTicketStr {
1.1019 + PRUint16 ticket_version;
1.1020 + SSL3ProtocolVersion ssl_version;
1.1021 + ssl3CipherSuite cipher_suite;
1.1022 + SSLCompressionMethod compression_method;
1.1023 + SSLSignType authAlgorithm;
1.1024 + PRUint32 authKeyBits;
1.1025 + SSLKEAType keaType;
1.1026 + PRUint32 keaKeyBits;
1.1027 + /*
1.1028 + * exchKeyType and msWrapMech contain meaningful values only if
1.1029 + * ms_is_wrapped is true.
1.1030 + */
1.1031 + PRUint8 ms_is_wrapped;
1.1032 + SSLKEAType exchKeyType; /* XXX(wtc): same as keaType above? */
1.1033 + CK_MECHANISM_TYPE msWrapMech;
1.1034 + PRUint16 ms_length;
1.1035 + SSL3Opaque master_secret[48];
1.1036 + ClientIdentity client_identity;
1.1037 + SECItem peer_cert;
1.1038 + PRUint32 timestamp;
1.1039 + SECItem srvName; /* negotiated server name */
1.1040 +} SessionTicket;
1.1041 +
1.1042 +/*
1.1043 + * SSL2 buffers used in SSL3.
1.1044 + * writeBuf in the SecurityInfo maintained by sslsecur.c is used
1.1045 + * to hold the data just about to be passed to the kernel
1.1046 + * sendBuf in the ConnectInfo maintained by sslcon.c is used
1.1047 + * to hold handshake messages as they are accumulated
1.1048 + */
1.1049 +
1.1050 +/*
1.1051 +** This is "ci", as in "ss->sec.ci".
1.1052 +**
1.1053 +** Protection: All the variables in here are protected by
1.1054 +** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock
1.1055 +*/
1.1056 +struct sslConnectInfoStr {
1.1057 + /* outgoing handshakes appended to this. */
1.1058 + sslBuffer sendBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
1.1059 +
1.1060 + PRIPv6Addr peer; /* ssl 2 & 3 */
1.1061 + unsigned short port; /* ssl 2 & 3 */
1.1062 +
1.1063 + sslSessionID *sid; /* ssl 2 & 3 */
1.1064 +
1.1065 + /* see CIS_HAVE defines below for the bit values in *elements. */
1.1066 + char elements; /* ssl2 only */
1.1067 + char requiredElements; /* ssl2 only */
1.1068 + char sentElements; /* ssl2 only */
1.1069 +
1.1070 + char sentFinished; /* ssl2 only */
1.1071 +
1.1072 + /* Length of server challenge. Used by client when saving challenge */
1.1073 + int serverChallengeLen; /* ssl2 only */
1.1074 + /* type of authentication requested by server */
1.1075 + unsigned char authType; /* ssl2 only */
1.1076 +
1.1077 + /* Challenge sent by client to server in client-hello message */
1.1078 + /* SSL3 gets a copy of this. See ssl3_StartHandshakeHash(). */
1.1079 + unsigned char clientChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl 2 & 3 */
1.1080 +
1.1081 + /* Connection-id sent by server to client in server-hello message */
1.1082 + unsigned char connectionID[SSL_CONNECTIONID_BYTES]; /* ssl2 only */
1.1083 +
1.1084 + /* Challenge sent by server to client in request-certificate message */
1.1085 + unsigned char serverChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl2 only */
1.1086 +
1.1087 + /* Information kept to handle a request-certificate message */
1.1088 + unsigned char readKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */
1.1089 + unsigned char writeKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */
1.1090 + unsigned keySize; /* ssl2 only */
1.1091 +};
1.1092 +
1.1093 +/* bit values for ci->elements, ci->requiredElements, sentElements. */
1.1094 +#define CIS_HAVE_MASTER_KEY 0x01
1.1095 +#define CIS_HAVE_CERTIFICATE 0x02
1.1096 +#define CIS_HAVE_FINISHED 0x04
1.1097 +#define CIS_HAVE_VERIFY 0x08
1.1098 +
1.1099 +/* Note: The entire content of this struct and whatever it points to gets
1.1100 + * blown away by SSL_ResetHandshake(). This is "sec" as in "ss->sec".
1.1101 + *
1.1102 + * Unless otherwise specified below, the contents of this struct are
1.1103 + * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock.
1.1104 + */
1.1105 +struct sslSecurityInfoStr {
1.1106 + sslSendFunc send; /*xmitBufLock*/ /* ssl 2 & 3 */
1.1107 + int isServer; /* Spec Lock?*/ /* ssl 2 & 3 */
1.1108 + sslBuffer writeBuf; /*xmitBufLock*/ /* ssl 2 & 3 */
1.1109 +
1.1110 + int cipherType; /* ssl 2 & 3 */
1.1111 + int keyBits; /* ssl 2 & 3 */
1.1112 + int secretKeyBits; /* ssl 2 & 3 */
1.1113 + CERTCertificate *localCert; /* ssl 2 & 3 */
1.1114 + CERTCertificate *peerCert; /* ssl 2 & 3 */
1.1115 + SECKEYPublicKey *peerKey; /* ssl3 only */
1.1116 +
1.1117 + SSLSignType authAlgorithm;
1.1118 + PRUint32 authKeyBits;
1.1119 + SSLKEAType keaType;
1.1120 + PRUint32 keaKeyBits;
1.1121 +
1.1122 + /*
1.1123 + ** Procs used for SID cache (nonce) management.
1.1124 + ** Different implementations exist for clients/servers
1.1125 + ** The lookup proc is only used for servers. Baloney!
1.1126 + */
1.1127 + sslSessionIDCacheFunc cache; /* ssl 2 & 3 */
1.1128 + sslSessionIDUncacheFunc uncache; /* ssl 2 & 3 */
1.1129 +
1.1130 + /*
1.1131 + ** everything below here is for ssl2 only.
1.1132 + ** This stuff is equivalent to SSL3's "spec", and is protected by the
1.1133 + ** same "Spec Lock" as used for SSL3's specs.
1.1134 + */
1.1135 + PRUint32 sendSequence; /*xmitBufLock*/ /* ssl2 only */
1.1136 + PRUint32 rcvSequence; /*recvBufLock*/ /* ssl2 only */
1.1137 +
1.1138 + /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */
1.1139 + const SECHashObject *hash; /* Spec Lock */ /* ssl2 only */
1.1140 + void *hashcx; /* Spec Lock */ /* ssl2 only */
1.1141 +
1.1142 + SECItem sendSecret; /* Spec Lock */ /* ssl2 only */
1.1143 + SECItem rcvSecret; /* Spec Lock */ /* ssl2 only */
1.1144 +
1.1145 + /* Session cypher contexts; one for each direction */
1.1146 + void *readcx; /* Spec Lock */ /* ssl2 only */
1.1147 + void *writecx; /* Spec Lock */ /* ssl2 only */
1.1148 + SSLCipher enc; /* Spec Lock */ /* ssl2 only */
1.1149 + SSLCipher dec; /* Spec Lock */ /* ssl2 only */
1.1150 + void (*destroy)(void *, PRBool); /* Spec Lock */ /* ssl2 only */
1.1151 +
1.1152 + /* Blocking information for the session cypher */
1.1153 + int blockShift; /* Spec Lock */ /* ssl2 only */
1.1154 + int blockSize; /* Spec Lock */ /* ssl2 only */
1.1155 +
1.1156 + /* These are used during a connection handshake */
1.1157 + sslConnectInfo ci; /* ssl 2 & 3 */
1.1158 +
1.1159 +};
1.1160 +
1.1161 +/*
1.1162 +** SSL Socket struct
1.1163 +**
1.1164 +** Protection: XXX
1.1165 +*/
1.1166 +struct sslSocketStr {
1.1167 + PRFileDesc * fd;
1.1168 +
1.1169 + /* Pointer to operations vector for this socket */
1.1170 + const sslSocketOps * ops;
1.1171 +
1.1172 + /* SSL socket options */
1.1173 + sslOptions opt;
1.1174 + /* Enabled version range */
1.1175 + SSLVersionRange vrange;
1.1176 +
1.1177 + /* State flags */
1.1178 + unsigned long clientAuthRequested;
1.1179 + unsigned long delayDisabled; /* Nagle delay disabled */
1.1180 + unsigned long firstHsDone; /* first handshake is complete. */
1.1181 + unsigned long enoughFirstHsDone; /* enough of the first handshake is
1.1182 + * done for callbacks to be able to
1.1183 + * retrieve channel security
1.1184 + * parameters from the SSL socket. */
1.1185 + unsigned long handshakeBegun;
1.1186 + unsigned long lastWriteBlocked;
1.1187 + unsigned long recvdCloseNotify; /* received SSL EOF. */
1.1188 + unsigned long TCPconnected;
1.1189 + unsigned long appDataBuffered;
1.1190 + unsigned long peerRequestedProtection; /* from old renegotiation */
1.1191 +
1.1192 + /* version of the protocol to use */
1.1193 + SSL3ProtocolVersion version;
1.1194 + SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */
1.1195 +
1.1196 + sslSecurityInfo sec; /* not a pointer any more */
1.1197 +
1.1198 + /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */
1.1199 + const char *url; /* ssl 2 & 3 */
1.1200 +
1.1201 + sslHandshakeFunc handshake; /*firstHandshakeLock*/
1.1202 + sslHandshakeFunc nextHandshake; /*firstHandshakeLock*/
1.1203 + sslHandshakeFunc securityHandshake; /*firstHandshakeLock*/
1.1204 +
1.1205 + /* the following variable is only used with socks or other proxies. */
1.1206 + char * peerID; /* String uniquely identifies target server. */
1.1207 +
1.1208 + unsigned char * cipherSpecs;
1.1209 + unsigned int sizeCipherSpecs;
1.1210 +const unsigned char * preferredCipher;
1.1211 +
1.1212 + ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */
1.1213 +
1.1214 + /* Callbacks */
1.1215 + SSLAuthCertificate authCertificate;
1.1216 + void *authCertificateArg;
1.1217 + SSLGetClientAuthData getClientAuthData;
1.1218 + void *getClientAuthDataArg;
1.1219 + SSLSNISocketConfig sniSocketConfig;
1.1220 + void *sniSocketConfigArg;
1.1221 + SSLBadCertHandler handleBadCert;
1.1222 + void *badCertArg;
1.1223 + SSLHandshakeCallback handshakeCallback;
1.1224 + void *handshakeCallbackData;
1.1225 + SSLCanFalseStartCallback canFalseStartCallback;
1.1226 + void *canFalseStartCallbackData;
1.1227 + void *pkcs11PinArg;
1.1228 + SSLNextProtoCallback nextProtoCallback;
1.1229 + void *nextProtoArg;
1.1230 +
1.1231 + PRIntervalTime rTimeout; /* timeout for NSPR I/O */
1.1232 + PRIntervalTime wTimeout; /* timeout for NSPR I/O */
1.1233 + PRIntervalTime cTimeout; /* timeout for NSPR I/O */
1.1234 +
1.1235 + PZLock * recvLock; /* lock against multiple reader threads. */
1.1236 + PZLock * sendLock; /* lock against multiple sender threads. */
1.1237 +
1.1238 + PZMonitor * recvBufLock; /* locks low level recv buffers. */
1.1239 + PZMonitor * xmitBufLock; /* locks low level xmit buffers. */
1.1240 +
1.1241 + /* Only one thread may operate on the socket until the initial handshake
1.1242 + ** is complete. This Monitor ensures that. Since SSL2 handshake is
1.1243 + ** only done once, this is also effectively the SSL2 handshake lock.
1.1244 + */
1.1245 + PZMonitor * firstHandshakeLock;
1.1246 +
1.1247 + /* This monitor protects the ssl3 handshake state machine data.
1.1248 + ** Only one thread (reader or writer) may be in the ssl3 handshake state
1.1249 + ** machine at any time. */
1.1250 + PZMonitor * ssl3HandshakeLock;
1.1251 +
1.1252 + /* reader/writer lock, protects the secret data needed to encrypt and MAC
1.1253 + ** outgoing records, and to decrypt and MAC check incoming ciphertext
1.1254 + ** records. */
1.1255 + NSSRWLock * specLock;
1.1256 +
1.1257 + /* handle to perm cert db (and implicitly to the temp cert db) used
1.1258 + ** with this socket.
1.1259 + */
1.1260 + CERTCertDBHandle * dbHandle;
1.1261 +
1.1262 + PRThread * writerThread; /* thread holds SSL_LOCK_WRITER lock */
1.1263 +
1.1264 + PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */
1.1265 +
1.1266 + PRUint16 allowedByPolicy; /* copy of global policy bits. */
1.1267 + PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */
1.1268 + PRUint16 chosenPreference; /* SSL2 cipher preferences. */
1.1269 +
1.1270 + sslHandshakingType handshaking;
1.1271 +
1.1272 + /* Gather object used for gathering data */
1.1273 + sslGather gs; /*recvBufLock*/
1.1274 +
1.1275 + sslBuffer saveBuf; /*xmitBufLock*/
1.1276 + sslBuffer pendingBuf; /*xmitBufLock*/
1.1277 +
1.1278 + /* Configuration state for server sockets */
1.1279 + /* server cert and key for each KEA type */
1.1280 + sslServerCerts serverCerts[kt_kea_size];
1.1281 + /* each cert needs its own status */
1.1282 + SECItemArray * certStatusArray[kt_kea_size];
1.1283 +
1.1284 + ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];
1.1285 + ssl3KeyPair * ephemeralECDHKeyPair; /* for ECDHE-* handshake */
1.1286 +
1.1287 + /* SSL3 state info. Formerly was a pointer */
1.1288 + ssl3State ssl3;
1.1289 +
1.1290 + /*
1.1291 + * TLS extension related data.
1.1292 + */
1.1293 + /* True when the current session is a stateless resume. */
1.1294 + PRBool statelessResume;
1.1295 + TLSExtensionData xtnData;
1.1296 +
1.1297 + /* Whether we are doing stream or datagram mode */
1.1298 + SSLProtocolVariant protocolVariant;
1.1299 +};
1.1300 +
1.1301 +
1.1302 +
1.1303 +/* All the global data items declared here should be protected using the
1.1304 +** ssl_global_data_lock, which is a reader/writer lock.
1.1305 +*/
1.1306 +extern NSSRWLock * ssl_global_data_lock;
1.1307 +extern char ssl_debug;
1.1308 +extern char ssl_trace;
1.1309 +extern FILE * ssl_trace_iob;
1.1310 +extern FILE * ssl_keylog_iob;
1.1311 +extern CERTDistNames * ssl3_server_ca_list;
1.1312 +extern PRUint32 ssl_sid_timeout;
1.1313 +extern PRUint32 ssl3_sid_timeout;
1.1314 +
1.1315 +extern const char * const ssl_cipherName[];
1.1316 +extern const char * const ssl3_cipherName[];
1.1317 +
1.1318 +extern sslSessionIDLookupFunc ssl_sid_lookup;
1.1319 +extern sslSessionIDCacheFunc ssl_sid_cache;
1.1320 +extern sslSessionIDUncacheFunc ssl_sid_uncache;
1.1321 +
1.1322 +/************************************************************************/
1.1323 +
1.1324 +SEC_BEGIN_PROTOS
1.1325 +
1.1326 +/* Internal initialization and installation of the SSL error tables */
1.1327 +extern SECStatus ssl_Init(void);
1.1328 +extern SECStatus ssl_InitializePRErrorTable(void);
1.1329 +
1.1330 +/* Implementation of ops for default (non socks, non secure) case */
1.1331 +extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr);
1.1332 +extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr);
1.1333 +extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr);
1.1334 +extern int ssl_DefListen(sslSocket *ss, int backlog);
1.1335 +extern int ssl_DefShutdown(sslSocket *ss, int how);
1.1336 +extern int ssl_DefClose(sslSocket *ss);
1.1337 +extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
1.1338 +extern int ssl_DefSend(sslSocket *ss, const unsigned char *buf,
1.1339 + int len, int flags);
1.1340 +extern int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len);
1.1341 +extern int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len);
1.1342 +extern int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name);
1.1343 +extern int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name);
1.1344 +extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname,
1.1345 + void *optval, PRInt32 *optlen);
1.1346 +extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname,
1.1347 + const void *optval, PRInt32 optlen);
1.1348 +
1.1349 +/* Implementation of ops for socks only case */
1.1350 +extern int ssl_SocksConnect(sslSocket *ss, const PRNetAddr *addr);
1.1351 +extern PRFileDesc *ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr);
1.1352 +extern int ssl_SocksBind(sslSocket *ss, const PRNetAddr *addr);
1.1353 +extern int ssl_SocksListen(sslSocket *ss, int backlog);
1.1354 +extern int ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name);
1.1355 +extern int ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
1.1356 +extern int ssl_SocksSend(sslSocket *ss, const unsigned char *buf,
1.1357 + int len, int flags);
1.1358 +extern int ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len);
1.1359 +extern int ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len);
1.1360 +
1.1361 +/* Implementation of ops for secure only case */
1.1362 +extern int ssl_SecureConnect(sslSocket *ss, const PRNetAddr *addr);
1.1363 +extern PRFileDesc *ssl_SecureAccept(sslSocket *ss, PRNetAddr *addr);
1.1364 +extern int ssl_SecureRecv(sslSocket *ss, unsigned char *buf,
1.1365 + int len, int flags);
1.1366 +extern int ssl_SecureSend(sslSocket *ss, const unsigned char *buf,
1.1367 + int len, int flags);
1.1368 +extern int ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len);
1.1369 +extern int ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len);
1.1370 +extern int ssl_SecureShutdown(sslSocket *ss, int how);
1.1371 +extern int ssl_SecureClose(sslSocket *ss);
1.1372 +
1.1373 +/* Implementation of ops for secure socks case */
1.1374 +extern int ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *addr);
1.1375 +extern PRFileDesc *ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr);
1.1376 +extern PRFileDesc *ssl_FindTop(sslSocket *ss);
1.1377 +
1.1378 +/* Gather funcs. */
1.1379 +extern sslGather * ssl_NewGather(void);
1.1380 +extern SECStatus ssl_InitGather(sslGather *gs);
1.1381 +extern void ssl_DestroyGather(sslGather *gs);
1.1382 +extern int ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags);
1.1383 +extern int ssl2_GatherRecord(sslSocket *ss, int flags);
1.1384 +extern SECStatus ssl_GatherRecord1stHandshake(sslSocket *ss);
1.1385 +
1.1386 +extern SECStatus ssl2_HandleClientHelloMessage(sslSocket *ss);
1.1387 +extern SECStatus ssl2_HandleServerHelloMessage(sslSocket *ss);
1.1388 +
1.1389 +extern SECStatus ssl_CreateSecurityInfo(sslSocket *ss);
1.1390 +extern SECStatus ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os);
1.1391 +extern void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset);
1.1392 +extern void ssl_DestroySecurityInfo(sslSecurityInfo *sec);
1.1393 +
1.1394 +extern void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len);
1.1395 +extern void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len);
1.1396 +
1.1397 +extern int ssl_SendSavedWriteData(sslSocket *ss);
1.1398 +extern SECStatus ssl_SaveWriteData(sslSocket *ss,
1.1399 + const void* p, unsigned int l);
1.1400 +extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss);
1.1401 +extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss);
1.1402 +extern int ssl_Do1stHandshake(sslSocket *ss);
1.1403 +
1.1404 +extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen);
1.1405 +extern SECStatus sslBuffer_Append(sslBuffer *b, const void * data,
1.1406 + unsigned int len);
1.1407 +
1.1408 +extern void ssl2_UseClearSendFunc(sslSocket *ss);
1.1409 +extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec);
1.1410 +
1.1411 +extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server);
1.1412 +extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port,
1.1413 + const char *peerID, const char *urlSvrName);
1.1414 +extern void ssl_FreeSID(sslSessionID *sid);
1.1415 +
1.1416 +extern int ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
1.1417 + int len, int flags);
1.1418 +
1.1419 +extern PRBool ssl_FdIsBlocking(PRFileDesc *fd);
1.1420 +
1.1421 +extern PRBool ssl_SocketIsBlocking(sslSocket *ss);
1.1422 +
1.1423 +extern void ssl3_SetAlwaysBlock(sslSocket *ss);
1.1424 +
1.1425 +extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
1.1426 +
1.1427 +extern void ssl_FinishHandshake(sslSocket *ss);
1.1428 +
1.1429 +/* Returns PR_TRUE if we are still waiting for the server to respond to our
1.1430 + * client second round. Once we've received any part of the server's second
1.1431 + * round then we don't bother trying to false start since it is almost always
1.1432 + * the case that the NewSessionTicket, ChangeCipherSoec, and Finished messages
1.1433 + * were sent in the same packet and we want to process them all at the same
1.1434 + * time. If we were to try to false start in the middle of the server's second
1.1435 + * round, then we would increase the number of I/O operations
1.1436 + * (SSL_ForceHandshake/PR_Recv/PR_Send/etc.) needed to finish the handshake.
1.1437 + */
1.1438 +extern PRBool ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss);
1.1439 +
1.1440 +extern SECStatus
1.1441 +ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec,
1.1442 + PRBool isServer,
1.1443 + PRBool isDTLS,
1.1444 + PRBool capRecordVersion,
1.1445 + SSL3ContentType type,
1.1446 + const SSL3Opaque * pIn,
1.1447 + PRUint32 contentLen,
1.1448 + sslBuffer * wrBuf);
1.1449 +extern PRInt32 ssl3_SendRecord(sslSocket *ss, DTLSEpoch epoch,
1.1450 + SSL3ContentType type,
1.1451 + const SSL3Opaque* pIn, PRInt32 nIn,
1.1452 + PRInt32 flags);
1.1453 +
1.1454 +#ifdef NSS_ENABLE_ZLIB
1.1455 +/*
1.1456 + * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a
1.1457 + * maximum TLS record payload of 2**14 bytes, that's 29 bytes.
1.1458 + */
1.1459 +#define SSL3_COMPRESSION_MAX_EXPANSION 29
1.1460 +#else /* !NSS_ENABLE_ZLIB */
1.1461 +#define SSL3_COMPRESSION_MAX_EXPANSION 0
1.1462 +#endif
1.1463 +
1.1464 +/*
1.1465 + * make sure there is room in the write buffer for padding and
1.1466 + * other compression and cryptographic expansions.
1.1467 + */
1.1468 +#define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION
1.1469 +
1.1470 +#define SSL_LOCK_READER(ss) if (ss->recvLock) PZ_Lock(ss->recvLock)
1.1471 +#define SSL_UNLOCK_READER(ss) if (ss->recvLock) PZ_Unlock(ss->recvLock)
1.1472 +#define SSL_LOCK_WRITER(ss) if (ss->sendLock) PZ_Lock(ss->sendLock)
1.1473 +#define SSL_UNLOCK_WRITER(ss) if (ss->sendLock) PZ_Unlock(ss->sendLock)
1.1474 +
1.1475 +/* firstHandshakeLock -> recvBufLock */
1.1476 +#define ssl_Get1stHandshakeLock(ss) \
1.1477 + { if (!ss->opt.noLocks) { \
1.1478 + PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \
1.1479 + !ssl_HaveRecvBufLock(ss)); \
1.1480 + PZ_EnterMonitor((ss)->firstHandshakeLock); \
1.1481 + } }
1.1482 +#define ssl_Release1stHandshakeLock(ss) \
1.1483 + { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); }
1.1484 +#define ssl_Have1stHandshakeLock(ss) \
1.1485 + (PZ_InMonitor((ss)->firstHandshakeLock))
1.1486 +
1.1487 +/* ssl3HandshakeLock -> xmitBufLock */
1.1488 +#define ssl_GetSSL3HandshakeLock(ss) \
1.1489 + { if (!ss->opt.noLocks) { \
1.1490 + PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
1.1491 + PZ_EnterMonitor((ss)->ssl3HandshakeLock); \
1.1492 + } }
1.1493 +#define ssl_ReleaseSSL3HandshakeLock(ss) \
1.1494 + { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); }
1.1495 +#define ssl_HaveSSL3HandshakeLock(ss) \
1.1496 + (PZ_InMonitor((ss)->ssl3HandshakeLock))
1.1497 +
1.1498 +#define ssl_GetSpecReadLock(ss) \
1.1499 + { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); }
1.1500 +#define ssl_ReleaseSpecReadLock(ss) \
1.1501 + { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); }
1.1502 +/* NSSRWLock_HaveReadLock is not exported so there's no
1.1503 + * ssl_HaveSpecReadLock macro. */
1.1504 +
1.1505 +#define ssl_GetSpecWriteLock(ss) \
1.1506 + { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); }
1.1507 +#define ssl_ReleaseSpecWriteLock(ss) \
1.1508 + { if (!ss->opt.noLocks) NSSRWLock_UnlockWrite((ss)->specLock); }
1.1509 +#define ssl_HaveSpecWriteLock(ss) \
1.1510 + (NSSRWLock_HaveWriteLock((ss)->specLock))
1.1511 +
1.1512 +/* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */
1.1513 +#define ssl_GetRecvBufLock(ss) \
1.1514 + { if (!ss->opt.noLocks) { \
1.1515 + PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \
1.1516 + PORT_Assert(!ssl_HaveXmitBufLock(ss)); \
1.1517 + PZ_EnterMonitor((ss)->recvBufLock); \
1.1518 + } }
1.1519 +#define ssl_ReleaseRecvBufLock(ss) \
1.1520 + { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); }
1.1521 +#define ssl_HaveRecvBufLock(ss) \
1.1522 + (PZ_InMonitor((ss)->recvBufLock))
1.1523 +
1.1524 +/* xmitBufLock -> specLock */
1.1525 +#define ssl_GetXmitBufLock(ss) \
1.1526 + { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); }
1.1527 +#define ssl_ReleaseXmitBufLock(ss) \
1.1528 + { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); }
1.1529 +#define ssl_HaveXmitBufLock(ss) \
1.1530 + (PZ_InMonitor((ss)->xmitBufLock))
1.1531 +
1.1532 +/* Placeholder value used in version ranges when SSL 3.0 and all
1.1533 + * versions of TLS are disabled.
1.1534 + */
1.1535 +#define SSL_LIBRARY_VERSION_NONE 0
1.1536 +
1.1537 +/* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version
1.1538 + * of libssl supports. Applications should use SSL_VersionRangeGetSupported at
1.1539 + * runtime to determine which versions are supported by the version of libssl
1.1540 + * in use.
1.1541 + */
1.1542 +#define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_2
1.1543 +
1.1544 +/* Rename this macro SSL_ALL_VERSIONS_DISABLED when SSL 2.0 is removed. */
1.1545 +#define SSL3_ALL_VERSIONS_DISABLED(vrange) \
1.1546 + ((vrange)->min == SSL_LIBRARY_VERSION_NONE)
1.1547 +
1.1548 +extern PRBool ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
1.1549 + SSL3ProtocolVersion version);
1.1550 +
1.1551 +extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec * pwSpec,
1.1552 + const unsigned char * cr, const unsigned char * sr,
1.1553 + PRBool isTLS, PRBool isExport);
1.1554 +extern SECStatus ssl3_MasterKeyDeriveBypass( ssl3CipherSpec * pwSpec,
1.1555 + const unsigned char * cr, const unsigned char * sr,
1.1556 + const SECItem * pms, PRBool isTLS, PRBool isRSA);
1.1557 +
1.1558 +/* These functions are called from secnav, even though they're "private". */
1.1559 +
1.1560 +extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error);
1.1561 +extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss,
1.1562 + CERTCertificate *cert,
1.1563 + SECKEYPrivateKey *key,
1.1564 + CERTCertificateList *certChain);
1.1565 +extern sslSocket *ssl_FindSocket(PRFileDesc *fd);
1.1566 +extern void ssl_FreeSocket(struct sslSocketStr *ssl);
1.1567 +extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
1.1568 + SSL3AlertDescription desc);
1.1569 +extern SECStatus ssl3_DecodeError(sslSocket *ss);
1.1570 +
1.1571 +extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
1.1572 +
1.1573 +/*
1.1574 + * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
1.1575 + */
1.1576 +extern SECStatus ssl3_HandleV2ClientHello(
1.1577 + sslSocket *ss, unsigned char *buffer, int length);
1.1578 +extern SECStatus ssl3_StartHandshakeHash(
1.1579 + sslSocket *ss, unsigned char *buf, int length);
1.1580 +
1.1581 +/*
1.1582 + * SSL3 specific routines
1.1583 + */
1.1584 +SECStatus ssl3_SendClientHello(sslSocket *ss, PRBool resending);
1.1585 +
1.1586 +/*
1.1587 + * input into the SSL3 machinery from the actualy network reading code
1.1588 + */
1.1589 +SECStatus ssl3_HandleRecord(
1.1590 + sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out);
1.1591 +
1.1592 +int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
1.1593 +int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags);
1.1594 +/*
1.1595 + * When talking to export clients or using export cipher suites, servers
1.1596 + * with public RSA keys larger than 512 bits need to use a 512-bit public
1.1597 + * key, signed by the larger key. The smaller key is a "step down" key.
1.1598 + * Generate that key pair and keep it around.
1.1599 + */
1.1600 +extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
1.1601 +
1.1602 +#ifndef NSS_DISABLE_ECC
1.1603 +extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
1.1604 +extern PRBool ssl3_IsECCEnabled(sslSocket *ss);
1.1605 +extern SECStatus ssl3_DisableECCSuites(sslSocket * ss,
1.1606 + const ssl3CipherSuite * suite);
1.1607 +extern PRUint32 ssl3_GetSupportedECCurveMask(sslSocket *ss);
1.1608 +
1.1609 +
1.1610 +/* Macro for finding a curve equivalent in strength to RSA key's */
1.1611 +#define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \
1.1612 + ((s <= 1024) ? 160 \
1.1613 + : ((s <= 2048) ? 224 \
1.1614 + : ((s <= 3072) ? 256 \
1.1615 + : ((s <= 7168) ? 384 : 521 ) ) ) )
1.1616 +
1.1617 +/* Types and names of elliptic curves used in TLS */
1.1618 +typedef enum { ec_type_explicitPrime = 1,
1.1619 + ec_type_explicitChar2Curve = 2,
1.1620 + ec_type_named
1.1621 +} ECType;
1.1622 +
1.1623 +typedef enum { ec_noName = 0,
1.1624 + ec_sect163k1 = 1,
1.1625 + ec_sect163r1 = 2,
1.1626 + ec_sect163r2 = 3,
1.1627 + ec_sect193r1 = 4,
1.1628 + ec_sect193r2 = 5,
1.1629 + ec_sect233k1 = 6,
1.1630 + ec_sect233r1 = 7,
1.1631 + ec_sect239k1 = 8,
1.1632 + ec_sect283k1 = 9,
1.1633 + ec_sect283r1 = 10,
1.1634 + ec_sect409k1 = 11,
1.1635 + ec_sect409r1 = 12,
1.1636 + ec_sect571k1 = 13,
1.1637 + ec_sect571r1 = 14,
1.1638 + ec_secp160k1 = 15,
1.1639 + ec_secp160r1 = 16,
1.1640 + ec_secp160r2 = 17,
1.1641 + ec_secp192k1 = 18,
1.1642 + ec_secp192r1 = 19,
1.1643 + ec_secp224k1 = 20,
1.1644 + ec_secp224r1 = 21,
1.1645 + ec_secp256k1 = 22,
1.1646 + ec_secp256r1 = 23,
1.1647 + ec_secp384r1 = 24,
1.1648 + ec_secp521r1 = 25,
1.1649 + ec_pastLastName
1.1650 +} ECName;
1.1651 +
1.1652 +extern SECStatus ssl3_ECName2Params(PLArenaPool *arena, ECName curve,
1.1653 + SECKEYECParams *params);
1.1654 +ECName ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits);
1.1655 +
1.1656 +
1.1657 +#endif /* NSS_DISABLE_ECC */
1.1658 +
1.1659 +extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
1.1660 +extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
1.1661 +extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
1.1662 +extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled);
1.1663 +
1.1664 +extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
1.1665 +extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
1.1666 +extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
1.1667 +extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
1.1668 +
1.1669 +extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
1.1670 +extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
1.1671 +extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
1.1672 +extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
1.1673 +
1.1674 +extern void ssl2_InitSocketPolicy(sslSocket *ss);
1.1675 +extern void ssl3_InitSocketPolicy(sslSocket *ss);
1.1676 +
1.1677 +extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
1.1678 + unsigned char *cs, int *size);
1.1679 +
1.1680 +extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
1.1681 +extern SECStatus ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b,
1.1682 + PRUint32 length);
1.1683 +
1.1684 +extern void ssl3_DestroySSL3Info(sslSocket *ss);
1.1685 +
1.1686 +extern SECStatus ssl3_NegotiateVersion(sslSocket *ss,
1.1687 + SSL3ProtocolVersion peerVersion,
1.1688 + PRBool allowLargerPeerVersion);
1.1689 +
1.1690 +extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
1.1691 +
1.1692 +#ifndef NSS_DISABLE_ECC
1.1693 +/* ECDH functions */
1.1694 +extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket * ss,
1.1695 + SECKEYPublicKey * svrPubKey);
1.1696 +extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss,
1.1697 + SSL3Opaque *b, PRUint32 length);
1.1698 +extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss,
1.1699 + SSL3Opaque *b, PRUint32 length,
1.1700 + SECKEYPublicKey *srvrPubKey,
1.1701 + SECKEYPrivateKey *srvrPrivKey);
1.1702 +extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss,
1.1703 + const SSL3SignatureAndHashAlgorithm *sigAndHash);
1.1704 +#endif
1.1705 +
1.1706 +extern SECStatus ssl3_ComputeCommonKeyHash(SECOidTag hashAlg,
1.1707 + PRUint8 * hashBuf,
1.1708 + unsigned int bufLen, SSL3Hashes *hashes,
1.1709 + PRBool bypassPKCS11);
1.1710 +extern void ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName);
1.1711 +extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms);
1.1712 +extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src,
1.1713 + PRInt32 bytes);
1.1714 +extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss,
1.1715 + SSL3HandshakeType t, PRUint32 length);
1.1716 +extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num,
1.1717 + PRInt32 lenSize);
1.1718 +extern SECStatus ssl3_AppendHandshakeVariable( sslSocket *ss,
1.1719 + const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize);
1.1720 +extern SECStatus ssl3_AppendSignatureAndHashAlgorithm(sslSocket *ss,
1.1721 + const SSL3SignatureAndHashAlgorithm* sigAndHash);
1.1722 +extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes,
1.1723 + SSL3Opaque **b, PRUint32 *length);
1.1724 +extern PRInt32 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes,
1.1725 + SSL3Opaque **b, PRUint32 *length);
1.1726 +extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i,
1.1727 + PRInt32 bytes, SSL3Opaque **b, PRUint32 *length);
1.1728 +extern SECOidTag ssl3_TLSHashAlgorithmToOID(int hashFunc);
1.1729 +extern SECStatus ssl3_CheckSignatureAndHashAlgorithmConsistency(
1.1730 + const SSL3SignatureAndHashAlgorithm *sigAndHash,
1.1731 + CERTCertificate* cert);
1.1732 +extern SECStatus ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
1.1733 + SSL3Opaque **b, PRUint32 *length,
1.1734 + SSL3SignatureAndHashAlgorithm *out);
1.1735 +extern SECStatus ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key,
1.1736 + SECItem *buf, PRBool isTLS);
1.1737 +extern SECStatus ssl3_VerifySignedHashes(SSL3Hashes *hash,
1.1738 + CERTCertificate *cert, SECItem *buf, PRBool isTLS,
1.1739 + void *pwArg);
1.1740 +extern SECStatus ssl3_CacheWrappedMasterSecret(sslSocket *ss,
1.1741 + sslSessionID *sid, ssl3CipherSpec *spec,
1.1742 + SSL3KEAType effectiveExchKeyType);
1.1743 +
1.1744 +/* Functions that handle ClientHello and ServerHello extensions. */
1.1745 +extern SECStatus ssl3_HandleServerNameXtn(sslSocket * ss,
1.1746 + PRUint16 ex_type, SECItem *data);
1.1747 +extern SECStatus ssl3_HandleSupportedCurvesXtn(sslSocket * ss,
1.1748 + PRUint16 ex_type, SECItem *data);
1.1749 +extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss,
1.1750 + PRUint16 ex_type, SECItem *data);
1.1751 +extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
1.1752 + PRUint16 ex_type, SECItem *data);
1.1753 +extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
1.1754 + PRUint16 ex_type, SECItem *data);
1.1755 +
1.1756 +/* ClientHello and ServerHello extension senders.
1.1757 + * Note that not all extension senders are exposed here; only those that
1.1758 + * that need exposure.
1.1759 + */
1.1760 +extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append,
1.1761 + PRUint32 maxBytes);
1.1762 +
1.1763 +/* ClientHello and ServerHello extension senders.
1.1764 + * The code is in ssl3ext.c.
1.1765 + */
1.1766 +extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
1.1767 + PRUint32 maxBytes);
1.1768 +
1.1769 +/* Assigns new cert, cert chain and keys to ss->serverCerts
1.1770 + * struct. If certChain is NULL, tries to find one. Aborts if
1.1771 + * fails to do so. If cert and keyPair are NULL - unconfigures
1.1772 + * sslSocket of kea type.*/
1.1773 +extern SECStatus ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
1.1774 + const CERTCertificateList *certChain,
1.1775 + ssl3KeyPair *keyPair, SSLKEAType kea);
1.1776 +
1.1777 +#ifndef NSS_DISABLE_ECC
1.1778 +extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
1.1779 + PRBool append, PRUint32 maxBytes);
1.1780 +extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss,
1.1781 + PRBool append, PRUint32 maxBytes);
1.1782 +#endif
1.1783 +
1.1784 +/* call the registered extension handlers. */
1.1785 +extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss,
1.1786 + SSL3Opaque **b, PRUint32 *length);
1.1787 +
1.1788 +/* Hello Extension related routines. */
1.1789 +extern PRBool ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type);
1.1790 +extern void ssl3_SetSIDSessionTicket(sslSessionID *sid,
1.1791 + /*in/out*/ NewSessionTicket *session_ticket);
1.1792 +extern SECStatus ssl3_SendNewSessionTicket(sslSocket *ss);
1.1793 +extern PRBool ssl_GetSessionTicketKeys(unsigned char *keyName,
1.1794 + unsigned char *encKey, unsigned char *macKey);
1.1795 +extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
1.1796 + SECKEYPublicKey *svrPubKey, void *pwArg,
1.1797 + unsigned char *keyName, PK11SymKey **aesKey,
1.1798 + PK11SymKey **macKey);
1.1799 +
1.1800 +/* Tell clients to consider tickets valid for this long. */
1.1801 +#define TLS_EX_SESS_TICKET_LIFETIME_HINT (2 * 24 * 60 * 60) /* 2 days */
1.1802 +#define TLS_EX_SESS_TICKET_VERSION (0x0100)
1.1803 +
1.1804 +extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data,
1.1805 + unsigned int length);
1.1806 +
1.1807 +/* Construct a new NSPR socket for the app to use */
1.1808 +extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
1.1809 +extern void ssl_FreePRSocket(PRFileDesc *fd);
1.1810 +
1.1811 +/* Internal config function so SSL3 can initialize the present state of
1.1812 + * various ciphers */
1.1813 +extern int ssl3_config_match_init(sslSocket *);
1.1814 +
1.1815 +
1.1816 +/* Create a new ref counted key pair object from two keys. */
1.1817 +extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey,
1.1818 + SECKEYPublicKey * pubKey);
1.1819 +
1.1820 +/* get a new reference (bump ref count) to an ssl3KeyPair. */
1.1821 +extern ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair);
1.1822 +
1.1823 +/* Decrement keypair's ref count and free if zero. */
1.1824 +extern void ssl3_FreeKeyPair(ssl3KeyPair * keyPair);
1.1825 +
1.1826 +/* calls for accessing wrapping keys across processes. */
1.1827 +extern PRBool
1.1828 +ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
1.1829 + SSL3KEAType exchKeyType,
1.1830 + SSLWrappedSymWrappingKey *wswk);
1.1831 +
1.1832 +/* The caller passes in the new value it wants
1.1833 + * to set. This code tests the wrapped sym key entry in the file on disk.
1.1834 + * If it is uninitialized, this function writes the caller's value into
1.1835 + * the disk entry, and returns false.
1.1836 + * Otherwise, it overwrites the caller's wswk with the value obtained from
1.1837 + * the disk, and returns PR_TRUE.
1.1838 + * This is all done while holding the locks/semaphores necessary to make
1.1839 + * the operation atomic.
1.1840 + */
1.1841 +extern PRBool
1.1842 +ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
1.1843 +
1.1844 +/* get rid of the symmetric wrapping key references. */
1.1845 +extern SECStatus SSL3_ShutdownServerCache(void);
1.1846 +
1.1847 +extern SECStatus ssl_InitSymWrapKeysLock(void);
1.1848 +
1.1849 +extern SECStatus ssl_FreeSymWrapKeysLock(void);
1.1850 +
1.1851 +extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
1.1852 +
1.1853 +extern SECStatus ssl_FreeSessionCacheLocks(void);
1.1854 +
1.1855 +
1.1856 +/**************** DTLS-specific functions **************/
1.1857 +extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg);
1.1858 +extern void dtls_FreeQueuedMessages(PRCList *lst);
1.1859 +extern void dtls_FreeHandshakeMessages(PRCList *lst);
1.1860 +
1.1861 +extern SECStatus dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf);
1.1862 +extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss,
1.1863 + SSL3Opaque *b, PRUint32 length);
1.1864 +extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss);
1.1865 +extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
1.1866 + const SSL3Opaque *pIn, PRInt32 nIn);
1.1867 +extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
1.1868 +extern SECStatus dtls_CompressMACEncryptRecord(sslSocket *ss,
1.1869 + DTLSEpoch epoch,
1.1870 + PRBool use_epoch,
1.1871 + SSL3ContentType type,
1.1872 + const SSL3Opaque *pIn,
1.1873 + PRUint32 contentLen,
1.1874 + sslBuffer *wrBuf);
1.1875 +SECStatus ssl3_DisableNonDTLSSuites(sslSocket * ss);
1.1876 +extern SECStatus dtls_StartTimer(sslSocket *ss, DTLSTimerCb cb);
1.1877 +extern SECStatus dtls_RestartTimer(sslSocket *ss, PRBool backoff,
1.1878 + DTLSTimerCb cb);
1.1879 +extern void dtls_CheckTimer(sslSocket *ss);
1.1880 +extern void dtls_CancelTimer(sslSocket *ss);
1.1881 +extern void dtls_FinishedTimerCb(sslSocket *ss);
1.1882 +extern void dtls_SetMTU(sslSocket *ss, PRUint16 advertised);
1.1883 +extern void dtls_InitRecvdRecords(DTLSRecvdRecords *records);
1.1884 +extern int dtls_RecordGetRecvd(DTLSRecvdRecords *records, PRUint64 seq);
1.1885 +extern void dtls_RecordSetRecvd(DTLSRecvdRecords *records, PRUint64 seq);
1.1886 +extern void dtls_RehandshakeCleanup(sslSocket *ss);
1.1887 +extern SSL3ProtocolVersion
1.1888 +dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv);
1.1889 +extern SSL3ProtocolVersion
1.1890 +dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv);
1.1891 +
1.1892 +/********************** misc calls *********************/
1.1893 +
1.1894 +#ifdef DEBUG
1.1895 +extern void ssl3_CheckCipherSuiteOrderConsistency();
1.1896 +#endif
1.1897 +
1.1898 +extern int ssl_MapLowLevelError(int hiLevelError);
1.1899 +
1.1900 +extern PRUint32 ssl_Time(void);
1.1901 +
1.1902 +extern void SSL_AtomicIncrementLong(long * x);
1.1903 +
1.1904 +SECStatus SSL_DisableDefaultExportCipherSuites(void);
1.1905 +SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
1.1906 +PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite);
1.1907 +
1.1908 +extern SECStatus
1.1909 +ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec,
1.1910 + const char *label, unsigned int labelLen,
1.1911 + const unsigned char *val, unsigned int valLen,
1.1912 + unsigned char *out, unsigned int outLen);
1.1913 +
1.1914 +#ifdef TRACE
1.1915 +#define SSL_TRACE(msg) ssl_Trace msg
1.1916 +#else
1.1917 +#define SSL_TRACE(msg)
1.1918 +#endif
1.1919 +
1.1920 +void ssl_Trace(const char *format, ...);
1.1921 +
1.1922 +SEC_END_PROTOS
1.1923 +
1.1924 +#if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
1.1925 +#define SSL_GETPID getpid
1.1926 +#elif defined(WIN32)
1.1927 +extern int __cdecl _getpid(void);
1.1928 +#define SSL_GETPID _getpid
1.1929 +#else
1.1930 +#define SSL_GETPID() 0
1.1931 +#endif
1.1932 +
1.1933 +#endif /* __sslimpl_h_ */
