michael@0: /* michael@0: * This file is PRIVATE to SSL and should be the first thing included by michael@0: * any SSL implementation file. michael@0: * michael@0: * This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #ifndef __sslimpl_h_ michael@0: #define __sslimpl_h_ michael@0: michael@0: #ifdef DEBUG michael@0: #undef NDEBUG michael@0: #else michael@0: #undef NDEBUG michael@0: #define NDEBUG michael@0: #endif michael@0: #include "secport.h" michael@0: #include "secerr.h" michael@0: #include "sslerr.h" michael@0: #include "ssl3prot.h" michael@0: #include "hasht.h" michael@0: #include "nssilock.h" michael@0: #include "pkcs11t.h" michael@0: #if defined(XP_UNIX) || defined(XP_BEOS) michael@0: #include "unistd.h" michael@0: #endif michael@0: #include "nssrwlk.h" michael@0: #include "prthread.h" michael@0: #include "prclist.h" michael@0: michael@0: #include "sslt.h" /* for some formerly private types, now public */ michael@0: michael@0: /* to make some of these old enums public without namespace pollution, michael@0: ** it was necessary to prepend ssl_ to the names. michael@0: ** These #defines preserve compatibility with the old code here in libssl. michael@0: */ michael@0: typedef SSLKEAType SSL3KEAType; michael@0: typedef SSLMACAlgorithm SSL3MACAlgorithm; michael@0: typedef SSLSignType SSL3SignType; michael@0: michael@0: #define sign_null ssl_sign_null michael@0: #define sign_rsa ssl_sign_rsa michael@0: #define sign_dsa ssl_sign_dsa michael@0: #define sign_ecdsa ssl_sign_ecdsa michael@0: michael@0: #define calg_null ssl_calg_null michael@0: #define calg_rc4 ssl_calg_rc4 michael@0: #define calg_rc2 ssl_calg_rc2 michael@0: #define calg_des ssl_calg_des michael@0: #define calg_3des ssl_calg_3des michael@0: #define calg_idea ssl_calg_idea michael@0: #define calg_fortezza ssl_calg_fortezza /* deprecated, must preserve */ michael@0: #define calg_aes ssl_calg_aes michael@0: #define calg_camellia ssl_calg_camellia michael@0: #define calg_seed ssl_calg_seed michael@0: #define calg_aes_gcm ssl_calg_aes_gcm michael@0: michael@0: #define mac_null ssl_mac_null michael@0: #define mac_md5 ssl_mac_md5 michael@0: #define mac_sha ssl_mac_sha michael@0: #define hmac_md5 ssl_hmac_md5 michael@0: #define hmac_sha ssl_hmac_sha michael@0: #define hmac_sha256 ssl_hmac_sha256 michael@0: #define mac_aead ssl_mac_aead michael@0: michael@0: #define SET_ERROR_CODE /* reminder */ michael@0: #define SEND_ALERT /* reminder */ michael@0: #define TEST_FOR_FAILURE /* reminder */ michael@0: #define DEAL_WITH_FAILURE /* reminder */ michael@0: michael@0: #if defined(DEBUG) || defined(TRACE) michael@0: #ifdef __cplusplus michael@0: #define Debug 1 michael@0: #else michael@0: extern int Debug; michael@0: #endif michael@0: #else michael@0: #undef Debug michael@0: #endif michael@0: michael@0: #if defined(DEBUG) && !defined(TRACE) && !defined(NISCC_TEST) michael@0: #define TRACE michael@0: #endif michael@0: michael@0: #ifdef TRACE michael@0: #define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b michael@0: #define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b michael@0: #define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b michael@0: #else michael@0: #define SSL_TRC(a,b) michael@0: #define PRINT_BUF(a,b) michael@0: #define DUMP_MSG(a,b) michael@0: #endif michael@0: michael@0: #ifdef DEBUG michael@0: #define SSL_DBG(b) if (ssl_debug) ssl_Trace b michael@0: #else michael@0: #define SSL_DBG(b) michael@0: #endif michael@0: michael@0: #include "private/pprthred.h" /* for PR_InMonitor() */ michael@0: #define ssl_InMonitor(m) PZ_InMonitor(m) michael@0: michael@0: #define LSB(x) ((unsigned char) ((x) & 0xff)) michael@0: #define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8)) michael@0: michael@0: /************************************************************************/ michael@0: michael@0: typedef enum { SSLAppOpRead = 0, michael@0: SSLAppOpWrite, michael@0: SSLAppOpRDWR, michael@0: SSLAppOpPost, michael@0: SSLAppOpHeader michael@0: } SSLAppOperation; michael@0: michael@0: #define SSL_MIN_MASTER_KEY_BYTES 5 michael@0: #define SSL_MAX_MASTER_KEY_BYTES 64 michael@0: michael@0: #define SSL2_SESSIONID_BYTES 16 michael@0: #define SSL3_SESSIONID_BYTES 32 michael@0: michael@0: #define SSL_MIN_CHALLENGE_BYTES 16 michael@0: #define SSL_MAX_CHALLENGE_BYTES 32 michael@0: #define SSL_CHALLENGE_BYTES 16 michael@0: michael@0: #define SSL_CONNECTIONID_BYTES 16 michael@0: michael@0: #define SSL_MIN_CYPHER_ARG_BYTES 0 michael@0: #define SSL_MAX_CYPHER_ARG_BYTES 32 michael@0: michael@0: #define SSL_MAX_MAC_BYTES 16 michael@0: michael@0: #define SSL3_RSA_PMS_LENGTH 48 michael@0: #define SSL3_MASTER_SECRET_LENGTH 48 michael@0: michael@0: /* number of wrap mechanisms potentially used to wrap master secrets. */ michael@0: #define SSL_NUM_WRAP_MECHS 16 michael@0: michael@0: /* This makes the cert cache entry exactly 4k. */ michael@0: #define SSL_MAX_CACHED_CERT_LEN 4060 michael@0: michael@0: #define NUM_MIXERS 9 michael@0: michael@0: /* Mask of the 25 named curves we support. */ michael@0: #define SSL3_ALL_SUPPORTED_CURVES_MASK 0x3fffffe michael@0: /* Mask of only 3 curves, suite B */ michael@0: #define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000 michael@0: michael@0: #ifndef BPB michael@0: #define BPB 8 /* Bits Per Byte */ michael@0: #endif michael@0: michael@0: #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ michael@0: michael@0: #define INITIAL_DTLS_TIMEOUT_MS 1000 /* Default value from RFC 4347 = 1s*/ michael@0: #define MAX_DTLS_TIMEOUT_MS 60000 /* 1 minute */ michael@0: #define DTLS_FINISHED_TIMER_MS 120000 /* Time to wait in FINISHED state */ michael@0: michael@0: typedef struct sslBufferStr sslBuffer; michael@0: typedef struct sslConnectInfoStr sslConnectInfo; michael@0: typedef struct sslGatherStr sslGather; michael@0: typedef struct sslSecurityInfoStr sslSecurityInfo; michael@0: typedef struct sslSessionIDStr sslSessionID; michael@0: typedef struct sslSocketStr sslSocket; michael@0: typedef struct sslSocketOpsStr sslSocketOps; michael@0: michael@0: typedef struct ssl3StateStr ssl3State; michael@0: typedef struct ssl3CertNodeStr ssl3CertNode; michael@0: typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef; michael@0: typedef struct ssl3MACDefStr ssl3MACDef; michael@0: typedef struct ssl3KeyPairStr ssl3KeyPair; michael@0: michael@0: struct ssl3CertNodeStr { michael@0: struct ssl3CertNodeStr *next; michael@0: CERTCertificate * cert; michael@0: }; michael@0: michael@0: typedef SECStatus (*sslHandshakeFunc)(sslSocket *ss); michael@0: michael@0: /* This type points to the low layer send func, michael@0: ** e.g. ssl2_SendStream or ssl3_SendPlainText. michael@0: ** These functions return the same values as PR_Send, michael@0: ** i.e. >= 0 means number of bytes sent, < 0 means error. michael@0: */ michael@0: typedef PRInt32 (*sslSendFunc)(sslSocket *ss, const unsigned char *buf, michael@0: PRInt32 n, PRInt32 flags); michael@0: michael@0: typedef void (*sslSessionIDCacheFunc) (sslSessionID *sid); michael@0: typedef void (*sslSessionIDUncacheFunc)(sslSessionID *sid); michael@0: typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr *addr, michael@0: unsigned char* sid, michael@0: unsigned int sidLen, michael@0: CERTCertDBHandle * dbHandle); michael@0: michael@0: /* registerable callback function that either appends extension to buffer michael@0: * or returns length of data that it would have appended. michael@0: */ michael@0: typedef PRInt32 (*ssl3HelloExtensionSenderFunc)(sslSocket *ss, PRBool append, michael@0: PRUint32 maxBytes); michael@0: michael@0: /* registerable callback function that handles a received extension, michael@0: * of the given type. michael@0: */ michael@0: typedef SECStatus (* ssl3HelloExtensionHandlerFunc)(sslSocket *ss, michael@0: PRUint16 ex_type, michael@0: SECItem * data); michael@0: michael@0: /* row in a table of hello extension senders */ michael@0: typedef struct { michael@0: PRInt32 ex_type; michael@0: ssl3HelloExtensionSenderFunc ex_sender; michael@0: } ssl3HelloExtensionSender; michael@0: michael@0: /* row in a table of hello extension handlers */ michael@0: typedef struct { michael@0: PRInt32 ex_type; michael@0: ssl3HelloExtensionHandlerFunc ex_handler; michael@0: } ssl3HelloExtensionHandler; michael@0: michael@0: extern SECStatus michael@0: ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type, michael@0: ssl3HelloExtensionSenderFunc cb); michael@0: michael@0: extern PRInt32 michael@0: ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes, michael@0: const ssl3HelloExtensionSender *sender); michael@0: michael@0: extern unsigned int michael@0: ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength); michael@0: michael@0: extern PRInt32 michael@0: ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen, michael@0: PRUint32 maxBytes); michael@0: michael@0: /* Socket ops */ michael@0: struct sslSocketOpsStr { michael@0: int (*connect) (sslSocket *, const PRNetAddr *); michael@0: PRFileDesc *(*accept) (sslSocket *, PRNetAddr *); michael@0: int (*bind) (sslSocket *, const PRNetAddr *); michael@0: int (*listen) (sslSocket *, int); michael@0: int (*shutdown)(sslSocket *, int); michael@0: int (*close) (sslSocket *); michael@0: michael@0: int (*recv) (sslSocket *, unsigned char *, int, int); michael@0: michael@0: /* points to the higher-layer send func, e.g. ssl_SecureSend. */ michael@0: int (*send) (sslSocket *, const unsigned char *, int, int); michael@0: int (*read) (sslSocket *, unsigned char *, int); michael@0: int (*write) (sslSocket *, const unsigned char *, int); michael@0: michael@0: int (*getpeername)(sslSocket *, PRNetAddr *); michael@0: int (*getsockname)(sslSocket *, PRNetAddr *); michael@0: }; michael@0: michael@0: /* Flags interpreted by ssl send functions. */ michael@0: #define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000 michael@0: #define ssl_SEND_FLAG_NO_BUFFER 0x20000000 michael@0: #define ssl_SEND_FLAG_USE_EPOCH 0x10000000 /* DTLS only */ michael@0: #define ssl_SEND_FLAG_NO_RETRANSMIT 0x08000000 /* DTLS only */ michael@0: #define ssl_SEND_FLAG_CAP_RECORD_VERSION \ michael@0: 0x04000000 /* TLS only */ michael@0: #define ssl_SEND_FLAG_MASK 0x7f000000 michael@0: michael@0: /* michael@0: ** A buffer object. michael@0: */ michael@0: struct sslBufferStr { michael@0: unsigned char * buf; michael@0: unsigned int len; michael@0: unsigned int space; michael@0: }; michael@0: michael@0: /* michael@0: ** SSL3 cipher suite policy and preference struct. michael@0: */ michael@0: typedef struct { michael@0: #if !defined(_WIN32) michael@0: unsigned int cipher_suite : 16; michael@0: unsigned int policy : 8; michael@0: unsigned int enabled : 1; michael@0: unsigned int isPresent : 1; michael@0: #else michael@0: ssl3CipherSuite cipher_suite; michael@0: PRUint8 policy; michael@0: unsigned char enabled : 1; michael@0: unsigned char isPresent : 1; michael@0: #endif michael@0: } ssl3CipherSuiteCfg; michael@0: michael@0: #ifndef NSS_DISABLE_ECC michael@0: #define ssl_V3_SUITES_IMPLEMENTED 61 michael@0: #else michael@0: #define ssl_V3_SUITES_IMPLEMENTED 37 michael@0: #endif /* NSS_DISABLE_ECC */ michael@0: michael@0: #define MAX_DTLS_SRTP_CIPHER_SUITES 4 michael@0: michael@0: typedef struct sslOptionsStr { michael@0: /* If SSL_SetNextProtoNego has been called, then this contains the michael@0: * list of supported protocols. */ michael@0: SECItem nextProtoNego; michael@0: michael@0: unsigned int useSecurity : 1; /* 1 */ michael@0: unsigned int useSocks : 1; /* 2 */ michael@0: unsigned int requestCertificate : 1; /* 3 */ michael@0: unsigned int requireCertificate : 2; /* 4-5 */ michael@0: unsigned int handshakeAsClient : 1; /* 6 */ michael@0: unsigned int handshakeAsServer : 1; /* 7 */ michael@0: unsigned int enableSSL2 : 1; /* 8 */ michael@0: unsigned int unusedBit9 : 1; /* 9 */ michael@0: unsigned int unusedBit10 : 1; /* 10 */ michael@0: unsigned int noCache : 1; /* 11 */ michael@0: unsigned int fdx : 1; /* 12 */ michael@0: unsigned int v2CompatibleHello : 1; /* 13 */ michael@0: unsigned int detectRollBack : 1; /* 14 */ michael@0: unsigned int noStepDown : 1; /* 15 */ michael@0: unsigned int bypassPKCS11 : 1; /* 16 */ michael@0: unsigned int noLocks : 1; /* 17 */ michael@0: unsigned int enableSessionTickets : 1; /* 18 */ michael@0: unsigned int enableDeflate : 1; /* 19 */ michael@0: unsigned int enableRenegotiation : 2; /* 20-21 */ michael@0: unsigned int requireSafeNegotiation : 1; /* 22 */ michael@0: unsigned int enableFalseStart : 1; /* 23 */ michael@0: unsigned int cbcRandomIV : 1; /* 24 */ michael@0: unsigned int enableOCSPStapling : 1; /* 25 */ michael@0: unsigned int enableNPN : 1; /* 26 */ michael@0: unsigned int enableALPN : 1; /* 27 */ michael@0: unsigned int dummy : 1; /* 28 */ michael@0: unsigned int enableFallbackSCSV : 1; /* 29 */ michael@0: } sslOptions; michael@0: michael@0: typedef enum { sslHandshakingUndetermined = 0, michael@0: sslHandshakingAsClient, michael@0: sslHandshakingAsServer michael@0: } sslHandshakingType; michael@0: michael@0: typedef struct sslServerCertsStr { michael@0: /* Configuration state for server sockets */ michael@0: CERTCertificate * serverCert; michael@0: CERTCertificateList * serverCertChain; michael@0: ssl3KeyPair * serverKeyPair; michael@0: unsigned int serverKeyBits; michael@0: } sslServerCerts; michael@0: michael@0: #define SERVERKEY serverKeyPair->privKey michael@0: michael@0: #define SSL_LOCK_RANK_SPEC 255 michael@0: #define SSL_LOCK_RANK_GLOBAL NSS_RWLOCK_RANK_NONE michael@0: michael@0: /* These are the valid values for shutdownHow. michael@0: ** These values are each 1 greater than the NSPR values, and the code michael@0: ** depends on that relation to efficiently convert PR_SHUTDOWN values michael@0: ** into ssl_SHUTDOWN values. These values use one bit for read, and michael@0: ** another bit for write, and can be used as bitmasks. michael@0: */ michael@0: #define ssl_SHUTDOWN_NONE 0 /* NOT shutdown at all */ michael@0: #define ssl_SHUTDOWN_RCV 1 /* PR_SHUTDOWN_RCV +1 */ michael@0: #define ssl_SHUTDOWN_SEND 2 /* PR_SHUTDOWN_SEND +1 */ michael@0: #define ssl_SHUTDOWN_BOTH 3 /* PR_SHUTDOWN_BOTH +1 */ michael@0: michael@0: /* michael@0: ** A gather object. Used to read some data until a count has been michael@0: ** satisfied. Primarily for support of async sockets. michael@0: ** Everything in here is protected by the recvBufLock. michael@0: */ michael@0: struct sslGatherStr { michael@0: int state; /* see GS_ values below. */ /* ssl 2 & 3 */ michael@0: michael@0: /* "buf" holds received plaintext SSL records, after decrypt and MAC check. michael@0: * SSL2: recv'd ciphertext records are put here, then decrypted in place. michael@0: * SSL3: recv'd ciphertext records are put in inbuf (see below), then michael@0: * decrypted into buf. michael@0: */ michael@0: sslBuffer buf; /*recvBufLock*/ /* ssl 2 & 3 */ michael@0: michael@0: /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3). michael@0: ** (offset - writeOffset) is the number of ciphertext bytes read in but michael@0: ** not yet deciphered. michael@0: */ michael@0: unsigned int offset; /* ssl 2 & 3 */ michael@0: michael@0: /* number of bytes to read in next call to ssl_DefRecv (recv) */ michael@0: unsigned int remainder; /* ssl 2 & 3 */ michael@0: michael@0: /* Number of ciphertext bytes to read in after 2-byte SSL record header. */ michael@0: unsigned int count; /* ssl2 only */ michael@0: michael@0: /* size of the final plaintext record. michael@0: ** == count - (recordPadding + MAC size) michael@0: */ michael@0: unsigned int recordLen; /* ssl2 only */ michael@0: michael@0: /* number of bytes of padding to be removed after decrypting. */ michael@0: /* This value is taken from the record's hdr[2], which means a too large michael@0: * value could crash us. michael@0: */ michael@0: unsigned int recordPadding; /* ssl2 only */ michael@0: michael@0: /* plaintext DATA begins this many bytes into "buf". */ michael@0: unsigned int recordOffset; /* ssl2 only */ michael@0: michael@0: int encrypted; /* SSL2 session is now encrypted. ssl2 only */ michael@0: michael@0: /* These next two values are used by SSL2 and SSL3. michael@0: ** DoRecv uses them to extract application data. michael@0: ** The difference between writeOffset and readOffset is the amount of michael@0: ** data available to the application. Note that the actual offset of michael@0: ** the data in "buf" is recordOffset (above), not readOffset. michael@0: ** In the current implementation, this is made available before the michael@0: ** MAC is checked!! michael@0: */ michael@0: unsigned int readOffset; /* Spot where DATA reader (e.g. application michael@0: ** or handshake code) will read next. michael@0: ** Always zero for SSl3 application data. michael@0: */ michael@0: /* offset in buf/inbuf/hdr into which new data will be read from socket. */ michael@0: unsigned int writeOffset; michael@0: michael@0: /* Buffer for ssl3 to read (encrypted) data from the socket */ michael@0: sslBuffer inbuf; /*recvBufLock*/ /* ssl3 only */ michael@0: michael@0: /* The ssl[23]_GatherData functions read data into this buffer, rather michael@0: ** than into buf or inbuf, while in the GS_HEADER state. michael@0: ** The portion of the SSL record header put here always comes off the wire michael@0: ** as plaintext, never ciphertext. michael@0: ** For SSL2, the plaintext portion is two bytes long. For SSl3 it is 5. michael@0: ** For DTLS it is 13. michael@0: */ michael@0: unsigned char hdr[13]; /* ssl 2 & 3 or dtls */ michael@0: michael@0: /* Buffer for DTLS data read off the wire as a single datagram */ michael@0: sslBuffer dtlsPacket; michael@0: michael@0: /* the start of the buffered DTLS record in dtlsPacket */ michael@0: unsigned int dtlsPacketOffset; michael@0: }; michael@0: michael@0: /* sslGather.state */ michael@0: #define GS_INIT 0 michael@0: #define GS_HEADER 1 michael@0: #define GS_MAC 2 michael@0: #define GS_DATA 3 michael@0: #define GS_PAD 4 michael@0: michael@0: michael@0: michael@0: /* michael@0: ** ssl3State and CipherSpec structs michael@0: */ michael@0: michael@0: /* The SSL bulk cipher definition */ michael@0: typedef enum { michael@0: cipher_null, michael@0: cipher_rc4, michael@0: cipher_rc4_40, michael@0: cipher_rc4_56, michael@0: cipher_rc2, michael@0: cipher_rc2_40, michael@0: cipher_des, michael@0: cipher_3des, michael@0: cipher_des40, michael@0: cipher_idea, michael@0: cipher_aes_128, michael@0: cipher_aes_256, michael@0: cipher_camellia_128, michael@0: cipher_camellia_256, michael@0: cipher_seed, michael@0: cipher_aes_128_gcm, michael@0: cipher_missing /* reserved for no such supported cipher */ michael@0: /* This enum must match ssl3_cipherName[] in ssl3con.c. */ michael@0: } SSL3BulkCipher; michael@0: michael@0: typedef enum { type_stream, type_block, type_aead } CipherType; michael@0: michael@0: #define MAX_IV_LENGTH 24 michael@0: michael@0: /* michael@0: * Do not depend upon 64 bit arithmetic in the underlying machine. michael@0: */ michael@0: typedef struct { michael@0: PRUint32 high; michael@0: PRUint32 low; michael@0: } SSL3SequenceNumber; michael@0: michael@0: typedef PRUint16 DTLSEpoch; michael@0: michael@0: typedef void (*DTLSTimerCb)(sslSocket *); michael@0: michael@0: #define MAX_MAC_CONTEXT_BYTES 400 /* 400 is large enough for MD5, SHA-1, and michael@0: * SHA-256. For SHA-384 support, increase michael@0: * it to 712. */ michael@0: #define MAX_MAC_CONTEXT_LLONGS (MAX_MAC_CONTEXT_BYTES / 8) michael@0: michael@0: #define MAX_CIPHER_CONTEXT_BYTES 2080 michael@0: #define MAX_CIPHER_CONTEXT_LLONGS (MAX_CIPHER_CONTEXT_BYTES / 8) michael@0: michael@0: typedef struct { michael@0: SSL3Opaque wrapped_master_secret[48]; michael@0: PRUint16 wrapped_master_secret_len; michael@0: PRUint8 msIsWrapped; michael@0: PRUint8 resumable; michael@0: } ssl3SidKeys; /* 52 bytes */ michael@0: michael@0: typedef struct { michael@0: PK11SymKey *write_key; michael@0: PK11SymKey *write_mac_key; michael@0: PK11Context *write_mac_context; michael@0: SECItem write_key_item; michael@0: SECItem write_iv_item; michael@0: SECItem write_mac_key_item; michael@0: SSL3Opaque write_iv[MAX_IV_LENGTH]; michael@0: PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS]; michael@0: } ssl3KeyMaterial; michael@0: michael@0: typedef SECStatus (*SSLCipher)(void * context, michael@0: unsigned char * out, michael@0: int * outlen, michael@0: int maxout, michael@0: const unsigned char *in, michael@0: int inlen); michael@0: typedef SECStatus (*SSLAEADCipher)( michael@0: ssl3KeyMaterial * keys, michael@0: PRBool doDecrypt, michael@0: unsigned char * out, michael@0: int * outlen, michael@0: int maxout, michael@0: const unsigned char *in, michael@0: int inlen, michael@0: const unsigned char *additionalData, michael@0: int additionalDataLen); michael@0: typedef SECStatus (*SSLCompressor)(void * context, michael@0: unsigned char * out, michael@0: int * outlen, michael@0: int maxout, michael@0: const unsigned char *in, michael@0: int inlen); michael@0: typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); michael@0: michael@0: /* The DTLS anti-replay window. Defined here because we need it in michael@0: * the cipher spec. Note that this is a ring buffer but left and michael@0: * right represent the true window, with modular arithmetic used to michael@0: * map them onto the buffer. michael@0: */ michael@0: #define DTLS_RECVD_RECORDS_WINDOW 1024 /* Packets; approximate michael@0: * Must be divisible by 8 michael@0: */ michael@0: typedef struct DTLSRecvdRecordsStr { michael@0: unsigned char data[DTLS_RECVD_RECORDS_WINDOW/8]; michael@0: PRUint64 left; michael@0: PRUint64 right; michael@0: } DTLSRecvdRecords; michael@0: michael@0: /* michael@0: ** These are the "specs" in the "ssl3" struct. michael@0: ** Access to the pointers to these specs, and all the specs' contents michael@0: ** (direct and indirect) is protected by the reader/writer lock ss->specLock. michael@0: */ michael@0: typedef struct { michael@0: const ssl3BulkCipherDef *cipher_def; michael@0: const ssl3MACDef * mac_def; michael@0: SSLCompressionMethod compression_method; michael@0: int mac_size; michael@0: SSLCipher encode; michael@0: SSLCipher decode; michael@0: SSLAEADCipher aead; michael@0: SSLDestroy destroy; michael@0: void * encodeContext; michael@0: void * decodeContext; michael@0: SSLCompressor compressor; /* Don't name these fields compress */ michael@0: SSLCompressor decompressor; /* and uncompress because zconf.h */ michael@0: /* may define them as macros. */ michael@0: SSLDestroy destroyCompressContext; michael@0: void * compressContext; michael@0: SSLDestroy destroyDecompressContext; michael@0: void * decompressContext; michael@0: PRBool bypassCiphers; /* did double bypass (at least) */ michael@0: PK11SymKey * master_secret; michael@0: SSL3SequenceNumber write_seq_num; michael@0: SSL3SequenceNumber read_seq_num; michael@0: SSL3ProtocolVersion version; michael@0: ssl3KeyMaterial client; michael@0: ssl3KeyMaterial server; michael@0: SECItem msItem; michael@0: unsigned char key_block[NUM_MIXERS * MD5_LENGTH]; michael@0: unsigned char raw_master_secret[56]; michael@0: SECItem srvVirtName; /* for server: name that was negotiated michael@0: * with a client. For client - is michael@0: * always set to NULL.*/ michael@0: DTLSEpoch epoch; michael@0: DTLSRecvdRecords recvdRecords; michael@0: } ssl3CipherSpec; michael@0: michael@0: typedef enum { never_cached, michael@0: in_client_cache, michael@0: in_server_cache, michael@0: invalid_cache /* no longer in any cache. */ michael@0: } Cached; michael@0: michael@0: struct sslSessionIDStr { michael@0: /* The global cache lock must be held when accessing these members when the michael@0: * sid is in any cache. michael@0: */ michael@0: sslSessionID * next; /* chain used for client sockets, only */ michael@0: Cached cached; michael@0: int references; michael@0: PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */ michael@0: michael@0: /* The rest of the members, except for the members of u.ssl3.locked, may michael@0: * be modified only when the sid is not in any cache. michael@0: */ michael@0: michael@0: CERTCertificate * peerCert; michael@0: SECItemArray peerCertStatus; /* client only */ michael@0: const char * peerID; /* client only */ michael@0: const char * urlSvrName; /* client only */ michael@0: CERTCertificate * localCert; michael@0: michael@0: PRIPv6Addr addr; michael@0: PRUint16 port; michael@0: michael@0: SSL3ProtocolVersion version; michael@0: michael@0: PRUint32 creationTime; /* seconds since Jan 1, 1970 */ michael@0: PRUint32 expirationTime; /* seconds since Jan 1, 1970 */ michael@0: michael@0: SSLSignType authAlgorithm; michael@0: PRUint32 authKeyBits; michael@0: SSLKEAType keaType; michael@0: PRUint32 keaKeyBits; michael@0: michael@0: union { michael@0: struct { michael@0: /* the V2 code depends upon the size of sessionID. */ michael@0: unsigned char sessionID[SSL2_SESSIONID_BYTES]; michael@0: michael@0: /* Stuff used to recreate key and read/write cipher objects */ michael@0: SECItem masterKey; /* never wrapped */ michael@0: int cipherType; michael@0: SECItem cipherArg; michael@0: int keyBits; michael@0: int secretKeyBits; michael@0: } ssl2; michael@0: struct { michael@0: /* values that are copied into the server's on-disk SID cache. */ michael@0: PRUint8 sessionIDLength; michael@0: SSL3Opaque sessionID[SSL3_SESSIONID_BYTES]; michael@0: michael@0: ssl3CipherSuite cipherSuite; michael@0: SSLCompressionMethod compression; michael@0: int policy; michael@0: ssl3SidKeys keys; michael@0: CK_MECHANISM_TYPE masterWrapMech; michael@0: /* mechanism used to wrap master secret */ michael@0: SSL3KEAType exchKeyType; michael@0: /* key type used in exchange algorithm, michael@0: * and to wrap the sym wrapping key. */ michael@0: #ifndef NSS_DISABLE_ECC michael@0: PRUint32 negotiatedECCurves; michael@0: #endif /* NSS_DISABLE_ECC */ michael@0: michael@0: /* The following values are NOT restored from the server's on-disk michael@0: * session cache, but are restored from the client's cache. michael@0: */ michael@0: PK11SymKey * clientWriteKey; michael@0: PK11SymKey * serverWriteKey; michael@0: michael@0: /* The following values pertain to the slot that wrapped the michael@0: ** master secret. (used only in client) michael@0: */ michael@0: SECMODModuleID masterModuleID; michael@0: /* what module wrapped the master secret */ michael@0: CK_SLOT_ID masterSlotID; michael@0: PRUint16 masterWrapIndex; michael@0: /* what's the key index for the wrapping key */ michael@0: PRUint16 masterWrapSeries; michael@0: /* keep track of the slot series, so we don't michael@0: * accidently try to use new keys after the michael@0: * card gets removed and replaced.*/ michael@0: michael@0: /* The following values pertain to the slot that did the signature michael@0: ** for client auth. (used only in client) michael@0: */ michael@0: SECMODModuleID clAuthModuleID; michael@0: CK_SLOT_ID clAuthSlotID; michael@0: PRUint16 clAuthSeries; michael@0: michael@0: char masterValid; michael@0: char clAuthValid; michael@0: michael@0: SECItem srvName; michael@0: michael@0: /* This lock is lazily initialized by CacheSID when a sid is first michael@0: * cached. Before then, there is no need to lock anything because michael@0: * the sid isn't being shared by anything. michael@0: */ michael@0: PRRWLock *lock; michael@0: michael@0: /* The lock must be held while reading or writing these members michael@0: * because they change while the sid is cached. michael@0: */ michael@0: struct { michael@0: /* The session ticket, if we have one, is sent as an extension michael@0: * in the ClientHello message. This field is used only by michael@0: * clients. It is protected by lock when lock is non-null michael@0: * (after the sid has been added to the client session cache). michael@0: */ michael@0: NewSessionTicket sessionTicket; michael@0: } locked; michael@0: } ssl3; michael@0: } u; michael@0: }; michael@0: michael@0: typedef struct ssl3CipherSuiteDefStr { michael@0: ssl3CipherSuite cipher_suite; michael@0: SSL3BulkCipher bulk_cipher_alg; michael@0: SSL3MACAlgorithm mac_alg; michael@0: SSL3KeyExchangeAlgorithm key_exchange_alg; michael@0: } ssl3CipherSuiteDef; michael@0: michael@0: /* michael@0: ** There are tables of these, all const. michael@0: */ michael@0: typedef struct { michael@0: SSL3KeyExchangeAlgorithm kea; michael@0: SSL3KEAType exchKeyType; michael@0: SSL3SignType signKeyType; michael@0: PRBool is_limited; michael@0: int key_size_limit; michael@0: PRBool tls_keygen; michael@0: } ssl3KEADef; michael@0: michael@0: /* michael@0: ** There are tables of these, all const. michael@0: */ michael@0: struct ssl3BulkCipherDefStr { michael@0: SSL3BulkCipher cipher; michael@0: SSLCipherAlgorithm calg; michael@0: int key_size; michael@0: int secret_key_size; michael@0: CipherType type; michael@0: int iv_size; michael@0: int block_size; michael@0: int tag_size; /* authentication tag size for AEAD ciphers. */ michael@0: int explicit_nonce_size; /* for AEAD ciphers. */ michael@0: }; michael@0: michael@0: /* michael@0: ** There are tables of these, all const. michael@0: */ michael@0: struct ssl3MACDefStr { michael@0: SSL3MACAlgorithm mac; michael@0: CK_MECHANISM_TYPE mmech; michael@0: int pad_size; michael@0: int mac_size; michael@0: }; michael@0: michael@0: typedef enum { michael@0: wait_client_hello, michael@0: wait_client_cert, michael@0: wait_client_key, michael@0: wait_cert_verify, michael@0: wait_change_cipher, michael@0: wait_finished, michael@0: wait_server_hello, michael@0: wait_certificate_status, michael@0: wait_server_cert, michael@0: wait_server_key, michael@0: wait_cert_request, michael@0: wait_hello_done, michael@0: wait_new_session_ticket, michael@0: idle_handshake michael@0: } SSL3WaitState; michael@0: michael@0: /* michael@0: * TLS extension related constants and data structures. michael@0: */ michael@0: typedef struct TLSExtensionDataStr TLSExtensionData; michael@0: typedef struct SessionTicketDataStr SessionTicketData; michael@0: michael@0: struct TLSExtensionDataStr { michael@0: /* registered callbacks that send server hello extensions */ michael@0: ssl3HelloExtensionSender serverSenders[SSL_MAX_EXTENSIONS]; michael@0: /* Keep track of the extensions that are negotiated. */ michael@0: PRUint16 numAdvertised; michael@0: PRUint16 numNegotiated; michael@0: PRUint16 advertised[SSL_MAX_EXTENSIONS]; michael@0: PRUint16 negotiated[SSL_MAX_EXTENSIONS]; michael@0: michael@0: /* SessionTicket Extension related data. */ michael@0: PRBool ticketTimestampVerified; michael@0: PRBool emptySessionTicket; michael@0: PRBool sentSessionTicketInClientHello; michael@0: michael@0: /* SNI Extension related data michael@0: * Names data is not coppied from the input buffer. It can not be michael@0: * used outside the scope where input buffer is defined and that michael@0: * is beyond ssl3_HandleClientHello function. */ michael@0: SECItem *sniNameArr; michael@0: PRUint32 sniNameArrSize; michael@0: }; michael@0: michael@0: typedef SECStatus (*sslRestartTarget)(sslSocket *); michael@0: michael@0: /* michael@0: ** A DTLS queued message (potentially to be retransmitted) michael@0: */ michael@0: typedef struct DTLSQueuedMessageStr { michael@0: PRCList link; /* The linked list link */ michael@0: DTLSEpoch epoch; /* The epoch to use */ michael@0: SSL3ContentType type; /* The message type */ michael@0: unsigned char *data; /* The data */ michael@0: PRUint16 len; /* The data length */ michael@0: } DTLSQueuedMessage; michael@0: michael@0: typedef enum { michael@0: handshake_hash_unknown = 0, michael@0: handshake_hash_combo = 1, /* The MD5/SHA-1 combination */ michael@0: handshake_hash_single = 2 /* A single hash */ michael@0: } SSL3HandshakeHashType; michael@0: michael@0: /* michael@0: ** This is the "hs" member of the "ssl3" struct. michael@0: ** This entire struct is protected by ssl3HandshakeLock michael@0: */ michael@0: typedef struct SSL3HandshakeStateStr { michael@0: SSL3Random server_random; michael@0: SSL3Random client_random; michael@0: SSL3WaitState ws; michael@0: michael@0: /* This group of members is used for handshake running hashes. */ michael@0: SSL3HandshakeHashType hashType; michael@0: sslBuffer messages; /* Accumulated handshake messages */ michael@0: #ifndef NO_PKCS11_BYPASS michael@0: /* Bypass mode: michael@0: * SSL 3.0 - TLS 1.1 use both |md5_cx| and |sha_cx|. |md5_cx| is used for michael@0: * MD5 and |sha_cx| for SHA-1. michael@0: * TLS 1.2 and later use only |sha_cx|, for SHA-256. NOTE: When we support michael@0: * SHA-384, increase MAX_MAC_CONTEXT_BYTES to 712. */ michael@0: PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; michael@0: PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; michael@0: const SECHashObject * sha_obj; michael@0: /* The function prototype of sha_obj->clone() does not match the prototype michael@0: * of the freebl _Clone functions, so we need a dedicated function michael@0: * pointer for the _Clone function. */ michael@0: void (*sha_clone)(void *dest, void *src); michael@0: #endif michael@0: /* PKCS #11 mode: michael@0: * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and michael@0: * |sha| for SHA-1. michael@0: * TLS 1.2 and later use only |sha|, for SHA-256. */ michael@0: /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup michael@0: * handshake hash for generating client auth signatures. Confusingly, the michael@0: * backup hash function is SHA-1. */ michael@0: #define backupHash md5 michael@0: PK11Context * md5; michael@0: PK11Context * sha; michael@0: michael@0: const ssl3KEADef * kea_def; michael@0: ssl3CipherSuite cipher_suite; michael@0: const ssl3CipherSuiteDef *suite_def; michael@0: SSLCompressionMethod compression; michael@0: sslBuffer msg_body; /* protected by recvBufLock */ michael@0: /* partial handshake message from record layer */ michael@0: unsigned int header_bytes; michael@0: /* number of bytes consumed from handshake */ michael@0: /* message for message type and header length */ michael@0: SSL3HandshakeType msg_type; michael@0: unsigned long msg_len; michael@0: SECItem ca_list; /* used only by client */ michael@0: PRBool isResuming; /* are we resuming a session */ michael@0: PRBool usedStepDownKey; /* we did a server key exchange. */ michael@0: PRBool sendingSCSV; /* instead of empty RI */ michael@0: sslBuffer msgState; /* current state for handshake messages*/ michael@0: /* protected by recvBufLock */ michael@0: michael@0: /* The session ticket received in a NewSessionTicket message is temporarily michael@0: * stored in newSessionTicket until the handshake is finished; then it is michael@0: * moved to the sid. michael@0: */ michael@0: PRBool receivedNewSessionTicket; michael@0: NewSessionTicket newSessionTicket; michael@0: michael@0: PRUint16 finishedBytes; /* size of single finished below */ michael@0: union { michael@0: TLSFinished tFinished[2]; /* client, then server */ michael@0: SSL3Finished sFinished[2]; michael@0: SSL3Opaque data[72]; michael@0: } finishedMsgs; michael@0: #ifndef NSS_DISABLE_ECC michael@0: PRUint32 negotiatedECCurves; /* bit mask */ michael@0: #endif /* NSS_DISABLE_ECC */ michael@0: michael@0: PRBool authCertificatePending; michael@0: /* Which function should SSL_RestartHandshake* call if we're blocked? michael@0: * One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake, michael@0: * or ssl3_AlwaysFail */ michael@0: sslRestartTarget restartTarget; michael@0: /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */ michael@0: PRBool cacheSID; michael@0: michael@0: PRBool canFalseStart; /* Can/did we False Start */ michael@0: michael@0: /* clientSigAndHash contains the contents of the signature_algorithms michael@0: * extension (if any) from the client. This is only valid for TLS 1.2 michael@0: * or later. */ michael@0: SSL3SignatureAndHashAlgorithm *clientSigAndHash; michael@0: unsigned int numClientSigAndHash; michael@0: michael@0: /* This group of values is used for DTLS */ michael@0: PRUint16 sendMessageSeq; /* The sending message sequence michael@0: * number */ michael@0: PRCList lastMessageFlight; /* The last message flight we michael@0: * sent */ michael@0: PRUint16 maxMessageSent; /* The largest message we sent */ michael@0: PRUint16 recvMessageSeq; /* The receiving message sequence michael@0: * number */ michael@0: sslBuffer recvdFragments; /* The fragments we have received in michael@0: * a bitmask */ michael@0: PRInt32 recvdHighWater; /* The high water mark for fragments michael@0: * received. -1 means no reassembly michael@0: * in progress. */ michael@0: unsigned char cookie[32]; /* The cookie */ michael@0: unsigned char cookieLen; /* The length of the cookie */ michael@0: PRIntervalTime rtTimerStarted; /* When the timer was started */ michael@0: DTLSTimerCb rtTimerCb; /* The function to call on expiry */ michael@0: PRUint32 rtTimeoutMs; /* The length of the current timeout michael@0: * used for backoff (in ms) */ michael@0: PRUint32 rtRetries; /* The retry counter */ michael@0: } SSL3HandshakeState; michael@0: michael@0: michael@0: michael@0: /* michael@0: ** This is the "ssl3" struct, as in "ss->ssl3". michael@0: ** note: michael@0: ** usually, crSpec == cwSpec and prSpec == pwSpec. michael@0: ** Sometimes, crSpec == pwSpec and prSpec == cwSpec. michael@0: ** But there are never more than 2 actual specs. michael@0: ** No spec must ever be modified if either "current" pointer points to it. michael@0: */ michael@0: struct ssl3StateStr { michael@0: michael@0: /* michael@0: ** The following Specs and Spec pointers must be protected using the michael@0: ** Spec Lock. michael@0: */ michael@0: ssl3CipherSpec * crSpec; /* current read spec. */ michael@0: ssl3CipherSpec * prSpec; /* pending read spec. */ michael@0: ssl3CipherSpec * cwSpec; /* current write spec. */ michael@0: ssl3CipherSpec * pwSpec; /* pending write spec. */ michael@0: michael@0: CERTCertificate * clientCertificate; /* used by client */ michael@0: SECKEYPrivateKey * clientPrivateKey; /* used by client */ michael@0: CERTCertificateList *clientCertChain; /* used by client */ michael@0: PRBool sendEmptyCert; /* used by client */ michael@0: michael@0: int policy; michael@0: /* This says what cipher suites we can do, and should michael@0: * be either SSL_ALLOWED or SSL_RESTRICTED michael@0: */ michael@0: PLArenaPool * peerCertArena; michael@0: /* These are used to keep track of the peer CA */ michael@0: void * peerCertChain; michael@0: /* chain while we are trying to validate it. */ michael@0: CERTDistNames * ca_list; michael@0: /* used by server. trusted CAs for this socket. */ michael@0: PRBool initialized; michael@0: SSL3HandshakeState hs; michael@0: ssl3CipherSpec specs[2]; /* one is current, one is pending. */ michael@0: michael@0: /* In a client: if the server supports Next Protocol Negotiation, then michael@0: * this is the protocol that was negotiated. michael@0: */ michael@0: SECItem nextProto; michael@0: SSLNextProtoState nextProtoState; michael@0: michael@0: PRUint16 mtu; /* Our estimate of the MTU */ michael@0: michael@0: /* DTLS-SRTP cipher suite preferences (if any) */ michael@0: PRUint16 dtlsSRTPCiphers[MAX_DTLS_SRTP_CIPHER_SUITES]; michael@0: PRUint16 dtlsSRTPCipherCount; michael@0: PRUint16 dtlsSRTPCipherSuite; /* 0 if not selected */ michael@0: }; michael@0: michael@0: #define DTLS_MAX_MTU 1500 /* Ethernet MTU but without subtracting the michael@0: * headers, so slightly larger than expected */ michael@0: #define IS_DTLS(ss) (ss->protocolVariant == ssl_variant_datagram) michael@0: michael@0: typedef struct { michael@0: SSL3ContentType type; michael@0: SSL3ProtocolVersion version; michael@0: SSL3SequenceNumber seq_num; /* DTLS only */ michael@0: sslBuffer * buf; michael@0: } SSL3Ciphertext; michael@0: michael@0: struct ssl3KeyPairStr { michael@0: SECKEYPrivateKey * privKey; michael@0: SECKEYPublicKey * pubKey; michael@0: PRInt32 refCount; /* use PR_Atomic calls for this. */ michael@0: }; michael@0: michael@0: typedef struct SSLWrappedSymWrappingKeyStr { michael@0: SSL3Opaque wrappedSymmetricWrappingkey[512]; michael@0: CK_MECHANISM_TYPE symWrapMechanism; michael@0: /* unwrapped symmetric wrapping key uses this mechanism */ michael@0: CK_MECHANISM_TYPE asymWrapMechanism; michael@0: /* mechanism used to wrap the SymmetricWrappingKey using michael@0: * server's public and/or private keys. */ michael@0: SSL3KEAType exchKeyType; /* type of keys used to wrap SymWrapKey*/ michael@0: PRInt32 symWrapMechIndex; michael@0: PRUint16 wrappedSymKeyLen; michael@0: } SSLWrappedSymWrappingKey; michael@0: michael@0: typedef struct SessionTicketStr { michael@0: PRUint16 ticket_version; michael@0: SSL3ProtocolVersion ssl_version; michael@0: ssl3CipherSuite cipher_suite; michael@0: SSLCompressionMethod compression_method; michael@0: SSLSignType authAlgorithm; michael@0: PRUint32 authKeyBits; michael@0: SSLKEAType keaType; michael@0: PRUint32 keaKeyBits; michael@0: /* michael@0: * exchKeyType and msWrapMech contain meaningful values only if michael@0: * ms_is_wrapped is true. michael@0: */ michael@0: PRUint8 ms_is_wrapped; michael@0: SSLKEAType exchKeyType; /* XXX(wtc): same as keaType above? */ michael@0: CK_MECHANISM_TYPE msWrapMech; michael@0: PRUint16 ms_length; michael@0: SSL3Opaque master_secret[48]; michael@0: ClientIdentity client_identity; michael@0: SECItem peer_cert; michael@0: PRUint32 timestamp; michael@0: SECItem srvName; /* negotiated server name */ michael@0: } SessionTicket; michael@0: michael@0: /* michael@0: * SSL2 buffers used in SSL3. michael@0: * writeBuf in the SecurityInfo maintained by sslsecur.c is used michael@0: * to hold the data just about to be passed to the kernel michael@0: * sendBuf in the ConnectInfo maintained by sslcon.c is used michael@0: * to hold handshake messages as they are accumulated michael@0: */ michael@0: michael@0: /* michael@0: ** This is "ci", as in "ss->sec.ci". michael@0: ** michael@0: ** Protection: All the variables in here are protected by michael@0: ** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock michael@0: */ michael@0: struct sslConnectInfoStr { michael@0: /* outgoing handshakes appended to this. */ michael@0: sslBuffer sendBuf; /*xmitBufLock*/ /* ssl 2 & 3 */ michael@0: michael@0: PRIPv6Addr peer; /* ssl 2 & 3 */ michael@0: unsigned short port; /* ssl 2 & 3 */ michael@0: michael@0: sslSessionID *sid; /* ssl 2 & 3 */ michael@0: michael@0: /* see CIS_HAVE defines below for the bit values in *elements. */ michael@0: char elements; /* ssl2 only */ michael@0: char requiredElements; /* ssl2 only */ michael@0: char sentElements; /* ssl2 only */ michael@0: michael@0: char sentFinished; /* ssl2 only */ michael@0: michael@0: /* Length of server challenge. Used by client when saving challenge */ michael@0: int serverChallengeLen; /* ssl2 only */ michael@0: /* type of authentication requested by server */ michael@0: unsigned char authType; /* ssl2 only */ michael@0: michael@0: /* Challenge sent by client to server in client-hello message */ michael@0: /* SSL3 gets a copy of this. See ssl3_StartHandshakeHash(). */ michael@0: unsigned char clientChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl 2 & 3 */ michael@0: michael@0: /* Connection-id sent by server to client in server-hello message */ michael@0: unsigned char connectionID[SSL_CONNECTIONID_BYTES]; /* ssl2 only */ michael@0: michael@0: /* Challenge sent by server to client in request-certificate message */ michael@0: unsigned char serverChallenge[SSL_MAX_CHALLENGE_BYTES]; /* ssl2 only */ michael@0: michael@0: /* Information kept to handle a request-certificate message */ michael@0: unsigned char readKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */ michael@0: unsigned char writeKey[SSL_MAX_MASTER_KEY_BYTES]; /* ssl2 only */ michael@0: unsigned keySize; /* ssl2 only */ michael@0: }; michael@0: michael@0: /* bit values for ci->elements, ci->requiredElements, sentElements. */ michael@0: #define CIS_HAVE_MASTER_KEY 0x01 michael@0: #define CIS_HAVE_CERTIFICATE 0x02 michael@0: #define CIS_HAVE_FINISHED 0x04 michael@0: #define CIS_HAVE_VERIFY 0x08 michael@0: michael@0: /* Note: The entire content of this struct and whatever it points to gets michael@0: * blown away by SSL_ResetHandshake(). This is "sec" as in "ss->sec". michael@0: * michael@0: * Unless otherwise specified below, the contents of this struct are michael@0: * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. michael@0: */ michael@0: struct sslSecurityInfoStr { michael@0: sslSendFunc send; /*xmitBufLock*/ /* ssl 2 & 3 */ michael@0: int isServer; /* Spec Lock?*/ /* ssl 2 & 3 */ michael@0: sslBuffer writeBuf; /*xmitBufLock*/ /* ssl 2 & 3 */ michael@0: michael@0: int cipherType; /* ssl 2 & 3 */ michael@0: int keyBits; /* ssl 2 & 3 */ michael@0: int secretKeyBits; /* ssl 2 & 3 */ michael@0: CERTCertificate *localCert; /* ssl 2 & 3 */ michael@0: CERTCertificate *peerCert; /* ssl 2 & 3 */ michael@0: SECKEYPublicKey *peerKey; /* ssl3 only */ michael@0: michael@0: SSLSignType authAlgorithm; michael@0: PRUint32 authKeyBits; michael@0: SSLKEAType keaType; michael@0: PRUint32 keaKeyBits; michael@0: michael@0: /* michael@0: ** Procs used for SID cache (nonce) management. michael@0: ** Different implementations exist for clients/servers michael@0: ** The lookup proc is only used for servers. Baloney! michael@0: */ michael@0: sslSessionIDCacheFunc cache; /* ssl 2 & 3 */ michael@0: sslSessionIDUncacheFunc uncache; /* ssl 2 & 3 */ michael@0: michael@0: /* michael@0: ** everything below here is for ssl2 only. michael@0: ** This stuff is equivalent to SSL3's "spec", and is protected by the michael@0: ** same "Spec Lock" as used for SSL3's specs. michael@0: */ michael@0: PRUint32 sendSequence; /*xmitBufLock*/ /* ssl2 only */ michael@0: PRUint32 rcvSequence; /*recvBufLock*/ /* ssl2 only */ michael@0: michael@0: /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */ michael@0: const SECHashObject *hash; /* Spec Lock */ /* ssl2 only */ michael@0: void *hashcx; /* Spec Lock */ /* ssl2 only */ michael@0: michael@0: SECItem sendSecret; /* Spec Lock */ /* ssl2 only */ michael@0: SECItem rcvSecret; /* Spec Lock */ /* ssl2 only */ michael@0: michael@0: /* Session cypher contexts; one for each direction */ michael@0: void *readcx; /* Spec Lock */ /* ssl2 only */ michael@0: void *writecx; /* Spec Lock */ /* ssl2 only */ michael@0: SSLCipher enc; /* Spec Lock */ /* ssl2 only */ michael@0: SSLCipher dec; /* Spec Lock */ /* ssl2 only */ michael@0: void (*destroy)(void *, PRBool); /* Spec Lock */ /* ssl2 only */ michael@0: michael@0: /* Blocking information for the session cypher */ michael@0: int blockShift; /* Spec Lock */ /* ssl2 only */ michael@0: int blockSize; /* Spec Lock */ /* ssl2 only */ michael@0: michael@0: /* These are used during a connection handshake */ michael@0: sslConnectInfo ci; /* ssl 2 & 3 */ michael@0: michael@0: }; michael@0: michael@0: /* michael@0: ** SSL Socket struct michael@0: ** michael@0: ** Protection: XXX michael@0: */ michael@0: struct sslSocketStr { michael@0: PRFileDesc * fd; michael@0: michael@0: /* Pointer to operations vector for this socket */ michael@0: const sslSocketOps * ops; michael@0: michael@0: /* SSL socket options */ michael@0: sslOptions opt; michael@0: /* Enabled version range */ michael@0: SSLVersionRange vrange; michael@0: michael@0: /* State flags */ michael@0: unsigned long clientAuthRequested; michael@0: unsigned long delayDisabled; /* Nagle delay disabled */ michael@0: unsigned long firstHsDone; /* first handshake is complete. */ michael@0: unsigned long enoughFirstHsDone; /* enough of the first handshake is michael@0: * done for callbacks to be able to michael@0: * retrieve channel security michael@0: * parameters from the SSL socket. */ michael@0: unsigned long handshakeBegun; michael@0: unsigned long lastWriteBlocked; michael@0: unsigned long recvdCloseNotify; /* received SSL EOF. */ michael@0: unsigned long TCPconnected; michael@0: unsigned long appDataBuffered; michael@0: unsigned long peerRequestedProtection; /* from old renegotiation */ michael@0: michael@0: /* version of the protocol to use */ michael@0: SSL3ProtocolVersion version; michael@0: SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */ michael@0: michael@0: sslSecurityInfo sec; /* not a pointer any more */ michael@0: michael@0: /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */ michael@0: const char *url; /* ssl 2 & 3 */ michael@0: michael@0: sslHandshakeFunc handshake; /*firstHandshakeLock*/ michael@0: sslHandshakeFunc nextHandshake; /*firstHandshakeLock*/ michael@0: sslHandshakeFunc securityHandshake; /*firstHandshakeLock*/ michael@0: michael@0: /* the following variable is only used with socks or other proxies. */ michael@0: char * peerID; /* String uniquely identifies target server. */ michael@0: michael@0: unsigned char * cipherSpecs; michael@0: unsigned int sizeCipherSpecs; michael@0: const unsigned char * preferredCipher; michael@0: michael@0: ssl3KeyPair * stepDownKeyPair; /* RSA step down keys */ michael@0: michael@0: /* Callbacks */ michael@0: SSLAuthCertificate authCertificate; michael@0: void *authCertificateArg; michael@0: SSLGetClientAuthData getClientAuthData; michael@0: void *getClientAuthDataArg; michael@0: SSLSNISocketConfig sniSocketConfig; michael@0: void *sniSocketConfigArg; michael@0: SSLBadCertHandler handleBadCert; michael@0: void *badCertArg; michael@0: SSLHandshakeCallback handshakeCallback; michael@0: void *handshakeCallbackData; michael@0: SSLCanFalseStartCallback canFalseStartCallback; michael@0: void *canFalseStartCallbackData; michael@0: void *pkcs11PinArg; michael@0: SSLNextProtoCallback nextProtoCallback; michael@0: void *nextProtoArg; michael@0: michael@0: PRIntervalTime rTimeout; /* timeout for NSPR I/O */ michael@0: PRIntervalTime wTimeout; /* timeout for NSPR I/O */ michael@0: PRIntervalTime cTimeout; /* timeout for NSPR I/O */ michael@0: michael@0: PZLock * recvLock; /* lock against multiple reader threads. */ michael@0: PZLock * sendLock; /* lock against multiple sender threads. */ michael@0: michael@0: PZMonitor * recvBufLock; /* locks low level recv buffers. */ michael@0: PZMonitor * xmitBufLock; /* locks low level xmit buffers. */ michael@0: michael@0: /* Only one thread may operate on the socket until the initial handshake michael@0: ** is complete. This Monitor ensures that. Since SSL2 handshake is michael@0: ** only done once, this is also effectively the SSL2 handshake lock. michael@0: */ michael@0: PZMonitor * firstHandshakeLock; michael@0: michael@0: /* This monitor protects the ssl3 handshake state machine data. michael@0: ** Only one thread (reader or writer) may be in the ssl3 handshake state michael@0: ** machine at any time. */ michael@0: PZMonitor * ssl3HandshakeLock; michael@0: michael@0: /* reader/writer lock, protects the secret data needed to encrypt and MAC michael@0: ** outgoing records, and to decrypt and MAC check incoming ciphertext michael@0: ** records. */ michael@0: NSSRWLock * specLock; michael@0: michael@0: /* handle to perm cert db (and implicitly to the temp cert db) used michael@0: ** with this socket. michael@0: */ michael@0: CERTCertDBHandle * dbHandle; michael@0: michael@0: PRThread * writerThread; /* thread holds SSL_LOCK_WRITER lock */ michael@0: michael@0: PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */ michael@0: michael@0: PRUint16 allowedByPolicy; /* copy of global policy bits. */ michael@0: PRUint16 maybeAllowedByPolicy; /* copy of global policy bits. */ michael@0: PRUint16 chosenPreference; /* SSL2 cipher preferences. */ michael@0: michael@0: sslHandshakingType handshaking; michael@0: michael@0: /* Gather object used for gathering data */ michael@0: sslGather gs; /*recvBufLock*/ michael@0: michael@0: sslBuffer saveBuf; /*xmitBufLock*/ michael@0: sslBuffer pendingBuf; /*xmitBufLock*/ michael@0: michael@0: /* Configuration state for server sockets */ michael@0: /* server cert and key for each KEA type */ michael@0: sslServerCerts serverCerts[kt_kea_size]; michael@0: /* each cert needs its own status */ michael@0: SECItemArray * certStatusArray[kt_kea_size]; michael@0: michael@0: ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED]; michael@0: ssl3KeyPair * ephemeralECDHKeyPair; /* for ECDHE-* handshake */ michael@0: michael@0: /* SSL3 state info. Formerly was a pointer */ michael@0: ssl3State ssl3; michael@0: michael@0: /* michael@0: * TLS extension related data. michael@0: */ michael@0: /* True when the current session is a stateless resume. */ michael@0: PRBool statelessResume; michael@0: TLSExtensionData xtnData; michael@0: michael@0: /* Whether we are doing stream or datagram mode */ michael@0: SSLProtocolVariant protocolVariant; michael@0: }; michael@0: michael@0: michael@0: michael@0: /* All the global data items declared here should be protected using the michael@0: ** ssl_global_data_lock, which is a reader/writer lock. michael@0: */ michael@0: extern NSSRWLock * ssl_global_data_lock; michael@0: extern char ssl_debug; michael@0: extern char ssl_trace; michael@0: extern FILE * ssl_trace_iob; michael@0: extern FILE * ssl_keylog_iob; michael@0: extern CERTDistNames * ssl3_server_ca_list; michael@0: extern PRUint32 ssl_sid_timeout; michael@0: extern PRUint32 ssl3_sid_timeout; michael@0: michael@0: extern const char * const ssl_cipherName[]; michael@0: extern const char * const ssl3_cipherName[]; michael@0: michael@0: extern sslSessionIDLookupFunc ssl_sid_lookup; michael@0: extern sslSessionIDCacheFunc ssl_sid_cache; michael@0: extern sslSessionIDUncacheFunc ssl_sid_uncache; michael@0: michael@0: /************************************************************************/ michael@0: michael@0: SEC_BEGIN_PROTOS michael@0: michael@0: /* Internal initialization and installation of the SSL error tables */ michael@0: extern SECStatus ssl_Init(void); michael@0: extern SECStatus ssl_InitializePRErrorTable(void); michael@0: michael@0: /* Implementation of ops for default (non socks, non secure) case */ michael@0: extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr); michael@0: extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr); michael@0: extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr); michael@0: extern int ssl_DefListen(sslSocket *ss, int backlog); michael@0: extern int ssl_DefShutdown(sslSocket *ss, int how); michael@0: extern int ssl_DefClose(sslSocket *ss); michael@0: extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags); michael@0: extern int ssl_DefSend(sslSocket *ss, const unsigned char *buf, michael@0: int len, int flags); michael@0: extern int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len); michael@0: extern int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len); michael@0: extern int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name); michael@0: extern int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name); michael@0: extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname, michael@0: void *optval, PRInt32 *optlen); michael@0: extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname, michael@0: const void *optval, PRInt32 optlen); michael@0: michael@0: /* Implementation of ops for socks only case */ michael@0: extern int ssl_SocksConnect(sslSocket *ss, const PRNetAddr *addr); michael@0: extern PRFileDesc *ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr); michael@0: extern int ssl_SocksBind(sslSocket *ss, const PRNetAddr *addr); michael@0: extern int ssl_SocksListen(sslSocket *ss, int backlog); michael@0: extern int ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name); michael@0: extern int ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags); michael@0: extern int ssl_SocksSend(sslSocket *ss, const unsigned char *buf, michael@0: int len, int flags); michael@0: extern int ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len); michael@0: extern int ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len); michael@0: michael@0: /* Implementation of ops for secure only case */ michael@0: extern int ssl_SecureConnect(sslSocket *ss, const PRNetAddr *addr); michael@0: extern PRFileDesc *ssl_SecureAccept(sslSocket *ss, PRNetAddr *addr); michael@0: extern int ssl_SecureRecv(sslSocket *ss, unsigned char *buf, michael@0: int len, int flags); michael@0: extern int ssl_SecureSend(sslSocket *ss, const unsigned char *buf, michael@0: int len, int flags); michael@0: extern int ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len); michael@0: extern int ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len); michael@0: extern int ssl_SecureShutdown(sslSocket *ss, int how); michael@0: extern int ssl_SecureClose(sslSocket *ss); michael@0: michael@0: /* Implementation of ops for secure socks case */ michael@0: extern int ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *addr); michael@0: extern PRFileDesc *ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr); michael@0: extern PRFileDesc *ssl_FindTop(sslSocket *ss); michael@0: michael@0: /* Gather funcs. */ michael@0: extern sslGather * ssl_NewGather(void); michael@0: extern SECStatus ssl_InitGather(sslGather *gs); michael@0: extern void ssl_DestroyGather(sslGather *gs); michael@0: extern int ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags); michael@0: extern int ssl2_GatherRecord(sslSocket *ss, int flags); michael@0: extern SECStatus ssl_GatherRecord1stHandshake(sslSocket *ss); michael@0: michael@0: extern SECStatus ssl2_HandleClientHelloMessage(sslSocket *ss); michael@0: extern SECStatus ssl2_HandleServerHelloMessage(sslSocket *ss); michael@0: michael@0: extern SECStatus ssl_CreateSecurityInfo(sslSocket *ss); michael@0: extern SECStatus ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os); michael@0: extern void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset); michael@0: extern void ssl_DestroySecurityInfo(sslSecurityInfo *sec); michael@0: michael@0: extern void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len); michael@0: extern void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len); michael@0: michael@0: extern int ssl_SendSavedWriteData(sslSocket *ss); michael@0: extern SECStatus ssl_SaveWriteData(sslSocket *ss, michael@0: const void* p, unsigned int l); michael@0: extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss); michael@0: extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss); michael@0: extern int ssl_Do1stHandshake(sslSocket *ss); michael@0: michael@0: extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen); michael@0: extern SECStatus sslBuffer_Append(sslBuffer *b, const void * data, michael@0: unsigned int len); michael@0: michael@0: extern void ssl2_UseClearSendFunc(sslSocket *ss); michael@0: extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec); michael@0: michael@0: extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server); michael@0: extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, michael@0: const char *peerID, const char *urlSvrName); michael@0: extern void ssl_FreeSID(sslSessionID *sid); michael@0: michael@0: extern int ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in, michael@0: int len, int flags); michael@0: michael@0: extern PRBool ssl_FdIsBlocking(PRFileDesc *fd); michael@0: michael@0: extern PRBool ssl_SocketIsBlocking(sslSocket *ss); michael@0: michael@0: extern void ssl3_SetAlwaysBlock(sslSocket *ss); michael@0: michael@0: extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled); michael@0: michael@0: extern void ssl_FinishHandshake(sslSocket *ss); michael@0: michael@0: /* Returns PR_TRUE if we are still waiting for the server to respond to our michael@0: * client second round. Once we've received any part of the server's second michael@0: * round then we don't bother trying to false start since it is almost always michael@0: * the case that the NewSessionTicket, ChangeCipherSoec, and Finished messages michael@0: * were sent in the same packet and we want to process them all at the same michael@0: * time. If we were to try to false start in the middle of the server's second michael@0: * round, then we would increase the number of I/O operations michael@0: * (SSL_ForceHandshake/PR_Recv/PR_Send/etc.) needed to finish the handshake. michael@0: */ michael@0: extern PRBool ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss); michael@0: michael@0: extern SECStatus michael@0: ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, michael@0: PRBool isServer, michael@0: PRBool isDTLS, michael@0: PRBool capRecordVersion, michael@0: SSL3ContentType type, michael@0: const SSL3Opaque * pIn, michael@0: PRUint32 contentLen, michael@0: sslBuffer * wrBuf); michael@0: extern PRInt32 ssl3_SendRecord(sslSocket *ss, DTLSEpoch epoch, michael@0: SSL3ContentType type, michael@0: const SSL3Opaque* pIn, PRInt32 nIn, michael@0: PRInt32 flags); michael@0: michael@0: #ifdef NSS_ENABLE_ZLIB michael@0: /* michael@0: * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a michael@0: * maximum TLS record payload of 2**14 bytes, that's 29 bytes. michael@0: */ michael@0: #define SSL3_COMPRESSION_MAX_EXPANSION 29 michael@0: #else /* !NSS_ENABLE_ZLIB */ michael@0: #define SSL3_COMPRESSION_MAX_EXPANSION 0 michael@0: #endif michael@0: michael@0: /* michael@0: * make sure there is room in the write buffer for padding and michael@0: * other compression and cryptographic expansions. michael@0: */ michael@0: #define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION michael@0: michael@0: #define SSL_LOCK_READER(ss) if (ss->recvLock) PZ_Lock(ss->recvLock) michael@0: #define SSL_UNLOCK_READER(ss) if (ss->recvLock) PZ_Unlock(ss->recvLock) michael@0: #define SSL_LOCK_WRITER(ss) if (ss->sendLock) PZ_Lock(ss->sendLock) michael@0: #define SSL_UNLOCK_WRITER(ss) if (ss->sendLock) PZ_Unlock(ss->sendLock) michael@0: michael@0: /* firstHandshakeLock -> recvBufLock */ michael@0: #define ssl_Get1stHandshakeLock(ss) \ michael@0: { if (!ss->opt.noLocks) { \ michael@0: PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) || \ michael@0: !ssl_HaveRecvBufLock(ss)); \ michael@0: PZ_EnterMonitor((ss)->firstHandshakeLock); \ michael@0: } } michael@0: #define ssl_Release1stHandshakeLock(ss) \ michael@0: { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->firstHandshakeLock); } michael@0: #define ssl_Have1stHandshakeLock(ss) \ michael@0: (PZ_InMonitor((ss)->firstHandshakeLock)) michael@0: michael@0: /* ssl3HandshakeLock -> xmitBufLock */ michael@0: #define ssl_GetSSL3HandshakeLock(ss) \ michael@0: { if (!ss->opt.noLocks) { \ michael@0: PORT_Assert(!ssl_HaveXmitBufLock(ss)); \ michael@0: PZ_EnterMonitor((ss)->ssl3HandshakeLock); \ michael@0: } } michael@0: #define ssl_ReleaseSSL3HandshakeLock(ss) \ michael@0: { if (!ss->opt.noLocks) PZ_ExitMonitor((ss)->ssl3HandshakeLock); } michael@0: #define ssl_HaveSSL3HandshakeLock(ss) \ michael@0: (PZ_InMonitor((ss)->ssl3HandshakeLock)) michael@0: michael@0: #define ssl_GetSpecReadLock(ss) \ michael@0: { if (!ss->opt.noLocks) NSSRWLock_LockRead((ss)->specLock); } michael@0: #define ssl_ReleaseSpecReadLock(ss) \ michael@0: { if (!ss->opt.noLocks) NSSRWLock_UnlockRead((ss)->specLock); } michael@0: /* NSSRWLock_HaveReadLock is not exported so there's no michael@0: * ssl_HaveSpecReadLock macro. */ michael@0: michael@0: #define ssl_GetSpecWriteLock(ss) \ michael@0: { if (!ss->opt.noLocks) NSSRWLock_LockWrite((ss)->specLock); } michael@0: #define ssl_ReleaseSpecWriteLock(ss) \ michael@0: { if (!ss->opt.noLocks) NSSRWLock_UnlockWrite((ss)->specLock); } michael@0: #define ssl_HaveSpecWriteLock(ss) \ michael@0: (NSSRWLock_HaveWriteLock((ss)->specLock)) michael@0: michael@0: /* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */ michael@0: #define ssl_GetRecvBufLock(ss) \ michael@0: { if (!ss->opt.noLocks) { \ michael@0: PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss)); \ michael@0: PORT_Assert(!ssl_HaveXmitBufLock(ss)); \ michael@0: PZ_EnterMonitor((ss)->recvBufLock); \ michael@0: } } michael@0: #define ssl_ReleaseRecvBufLock(ss) \ michael@0: { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->recvBufLock); } michael@0: #define ssl_HaveRecvBufLock(ss) \ michael@0: (PZ_InMonitor((ss)->recvBufLock)) michael@0: michael@0: /* xmitBufLock -> specLock */ michael@0: #define ssl_GetXmitBufLock(ss) \ michael@0: { if (!ss->opt.noLocks) PZ_EnterMonitor((ss)->xmitBufLock); } michael@0: #define ssl_ReleaseXmitBufLock(ss) \ michael@0: { if (!ss->opt.noLocks) PZ_ExitMonitor( (ss)->xmitBufLock); } michael@0: #define ssl_HaveXmitBufLock(ss) \ michael@0: (PZ_InMonitor((ss)->xmitBufLock)) michael@0: michael@0: /* Placeholder value used in version ranges when SSL 3.0 and all michael@0: * versions of TLS are disabled. michael@0: */ michael@0: #define SSL_LIBRARY_VERSION_NONE 0 michael@0: michael@0: /* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version michael@0: * of libssl supports. Applications should use SSL_VersionRangeGetSupported at michael@0: * runtime to determine which versions are supported by the version of libssl michael@0: * in use. michael@0: */ michael@0: #define SSL_LIBRARY_VERSION_MAX_SUPPORTED SSL_LIBRARY_VERSION_TLS_1_2 michael@0: michael@0: /* Rename this macro SSL_ALL_VERSIONS_DISABLED when SSL 2.0 is removed. */ michael@0: #define SSL3_ALL_VERSIONS_DISABLED(vrange) \ michael@0: ((vrange)->min == SSL_LIBRARY_VERSION_NONE) michael@0: michael@0: extern PRBool ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant, michael@0: SSL3ProtocolVersion version); michael@0: michael@0: extern SECStatus ssl3_KeyAndMacDeriveBypass(ssl3CipherSpec * pwSpec, michael@0: const unsigned char * cr, const unsigned char * sr, michael@0: PRBool isTLS, PRBool isExport); michael@0: extern SECStatus ssl3_MasterKeyDeriveBypass( ssl3CipherSpec * pwSpec, michael@0: const unsigned char * cr, const unsigned char * sr, michael@0: const SECItem * pms, PRBool isTLS, PRBool isRSA); michael@0: michael@0: /* These functions are called from secnav, even though they're "private". */ michael@0: michael@0: extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error); michael@0: extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss, michael@0: CERTCertificate *cert, michael@0: SECKEYPrivateKey *key, michael@0: CERTCertificateList *certChain); michael@0: extern sslSocket *ssl_FindSocket(PRFileDesc *fd); michael@0: extern void ssl_FreeSocket(struct sslSocketStr *ssl); michael@0: extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, michael@0: SSL3AlertDescription desc); michael@0: extern SECStatus ssl3_DecodeError(sslSocket *ss); michael@0: michael@0: extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error); michael@0: michael@0: /* michael@0: * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos michael@0: */ michael@0: extern SECStatus ssl3_HandleV2ClientHello( michael@0: sslSocket *ss, unsigned char *buffer, int length); michael@0: extern SECStatus ssl3_StartHandshakeHash( michael@0: sslSocket *ss, unsigned char *buf, int length); michael@0: michael@0: /* michael@0: * SSL3 specific routines michael@0: */ michael@0: SECStatus ssl3_SendClientHello(sslSocket *ss, PRBool resending); michael@0: michael@0: /* michael@0: * input into the SSL3 machinery from the actualy network reading code michael@0: */ michael@0: SECStatus ssl3_HandleRecord( michael@0: sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out); michael@0: michael@0: int ssl3_GatherAppDataRecord(sslSocket *ss, int flags); michael@0: int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags); michael@0: /* michael@0: * When talking to export clients or using export cipher suites, servers michael@0: * with public RSA keys larger than 512 bits need to use a 512-bit public michael@0: * key, signed by the larger key. The smaller key is a "step down" key. michael@0: * Generate that key pair and keep it around. michael@0: */ michael@0: extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss); michael@0: michael@0: #ifndef NSS_DISABLE_ECC michael@0: extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss); michael@0: extern PRBool ssl3_IsECCEnabled(sslSocket *ss); michael@0: extern SECStatus ssl3_DisableECCSuites(sslSocket * ss, michael@0: const ssl3CipherSuite * suite); michael@0: extern PRUint32 ssl3_GetSupportedECCurveMask(sslSocket *ss); michael@0: michael@0: michael@0: /* Macro for finding a curve equivalent in strength to RSA key's */ michael@0: #define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \ michael@0: ((s <= 1024) ? 160 \ michael@0: : ((s <= 2048) ? 224 \ michael@0: : ((s <= 3072) ? 256 \ michael@0: : ((s <= 7168) ? 384 : 521 ) ) ) ) michael@0: michael@0: /* Types and names of elliptic curves used in TLS */ michael@0: typedef enum { ec_type_explicitPrime = 1, michael@0: ec_type_explicitChar2Curve = 2, michael@0: ec_type_named michael@0: } ECType; michael@0: michael@0: typedef enum { ec_noName = 0, michael@0: ec_sect163k1 = 1, michael@0: ec_sect163r1 = 2, michael@0: ec_sect163r2 = 3, michael@0: ec_sect193r1 = 4, michael@0: ec_sect193r2 = 5, michael@0: ec_sect233k1 = 6, michael@0: ec_sect233r1 = 7, michael@0: ec_sect239k1 = 8, michael@0: ec_sect283k1 = 9, michael@0: ec_sect283r1 = 10, michael@0: ec_sect409k1 = 11, michael@0: ec_sect409r1 = 12, michael@0: ec_sect571k1 = 13, michael@0: ec_sect571r1 = 14, michael@0: ec_secp160k1 = 15, michael@0: ec_secp160r1 = 16, michael@0: ec_secp160r2 = 17, michael@0: ec_secp192k1 = 18, michael@0: ec_secp192r1 = 19, michael@0: ec_secp224k1 = 20, michael@0: ec_secp224r1 = 21, michael@0: ec_secp256k1 = 22, michael@0: ec_secp256r1 = 23, michael@0: ec_secp384r1 = 24, michael@0: ec_secp521r1 = 25, michael@0: ec_pastLastName michael@0: } ECName; michael@0: michael@0: extern SECStatus ssl3_ECName2Params(PLArenaPool *arena, ECName curve, michael@0: SECKEYECParams *params); michael@0: ECName ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits); michael@0: michael@0: michael@0: #endif /* NSS_DISABLE_ECC */ michael@0: michael@0: extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on); michael@0: extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on); michael@0: extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled); michael@0: extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled); michael@0: michael@0: extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on); michael@0: extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on); michael@0: extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled); michael@0: extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled); michael@0: michael@0: extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy); michael@0: extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy); michael@0: extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy); michael@0: extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy); michael@0: michael@0: extern void ssl2_InitSocketPolicy(sslSocket *ss); michael@0: extern void ssl3_InitSocketPolicy(sslSocket *ss); michael@0: michael@0: extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, michael@0: unsigned char *cs, int *size); michael@0: michael@0: extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache); michael@0: extern SECStatus ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, michael@0: PRUint32 length); michael@0: michael@0: extern void ssl3_DestroySSL3Info(sslSocket *ss); michael@0: michael@0: extern SECStatus ssl3_NegotiateVersion(sslSocket *ss, michael@0: SSL3ProtocolVersion peerVersion, michael@0: PRBool allowLargerPeerVersion); michael@0: michael@0: extern SECStatus ssl_GetPeerInfo(sslSocket *ss); michael@0: michael@0: #ifndef NSS_DISABLE_ECC michael@0: /* ECDH functions */ michael@0: extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket * ss, michael@0: SECKEYPublicKey * svrPubKey); michael@0: extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss, michael@0: SSL3Opaque *b, PRUint32 length); michael@0: extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss, michael@0: SSL3Opaque *b, PRUint32 length, michael@0: SECKEYPublicKey *srvrPubKey, michael@0: SECKEYPrivateKey *srvrPrivKey); michael@0: extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss, michael@0: const SSL3SignatureAndHashAlgorithm *sigAndHash); michael@0: #endif michael@0: michael@0: extern SECStatus ssl3_ComputeCommonKeyHash(SECOidTag hashAlg, michael@0: PRUint8 * hashBuf, michael@0: unsigned int bufLen, SSL3Hashes *hashes, michael@0: PRBool bypassPKCS11); michael@0: extern void ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName); michael@0: extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms); michael@0: extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src, michael@0: PRInt32 bytes); michael@0: extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss, michael@0: SSL3HandshakeType t, PRUint32 length); michael@0: extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, michael@0: PRInt32 lenSize); michael@0: extern SECStatus ssl3_AppendHandshakeVariable( sslSocket *ss, michael@0: const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize); michael@0: extern SECStatus ssl3_AppendSignatureAndHashAlgorithm(sslSocket *ss, michael@0: const SSL3SignatureAndHashAlgorithm* sigAndHash); michael@0: extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, michael@0: SSL3Opaque **b, PRUint32 *length); michael@0: extern PRInt32 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, michael@0: SSL3Opaque **b, PRUint32 *length); michael@0: extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, michael@0: PRInt32 bytes, SSL3Opaque **b, PRUint32 *length); michael@0: extern SECOidTag ssl3_TLSHashAlgorithmToOID(int hashFunc); michael@0: extern SECStatus ssl3_CheckSignatureAndHashAlgorithmConsistency( michael@0: const SSL3SignatureAndHashAlgorithm *sigAndHash, michael@0: CERTCertificate* cert); michael@0: extern SECStatus ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss, michael@0: SSL3Opaque **b, PRUint32 *length, michael@0: SSL3SignatureAndHashAlgorithm *out); michael@0: extern SECStatus ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, michael@0: SECItem *buf, PRBool isTLS); michael@0: extern SECStatus ssl3_VerifySignedHashes(SSL3Hashes *hash, michael@0: CERTCertificate *cert, SECItem *buf, PRBool isTLS, michael@0: void *pwArg); michael@0: extern SECStatus ssl3_CacheWrappedMasterSecret(sslSocket *ss, michael@0: sslSessionID *sid, ssl3CipherSpec *spec, michael@0: SSL3KEAType effectiveExchKeyType); michael@0: michael@0: /* Functions that handle ClientHello and ServerHello extensions. */ michael@0: extern SECStatus ssl3_HandleServerNameXtn(sslSocket * ss, michael@0: PRUint16 ex_type, SECItem *data); michael@0: extern SECStatus ssl3_HandleSupportedCurvesXtn(sslSocket * ss, michael@0: PRUint16 ex_type, SECItem *data); michael@0: extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss, michael@0: PRUint16 ex_type, SECItem *data); michael@0: extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, michael@0: PRUint16 ex_type, SECItem *data); michael@0: extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, michael@0: PRUint16 ex_type, SECItem *data); michael@0: michael@0: /* ClientHello and ServerHello extension senders. michael@0: * Note that not all extension senders are exposed here; only those that michael@0: * that need exposure. michael@0: */ michael@0: extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append, michael@0: PRUint32 maxBytes); michael@0: michael@0: /* ClientHello and ServerHello extension senders. michael@0: * The code is in ssl3ext.c. michael@0: */ michael@0: extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append, michael@0: PRUint32 maxBytes); michael@0: michael@0: /* Assigns new cert, cert chain and keys to ss->serverCerts michael@0: * struct. If certChain is NULL, tries to find one. Aborts if michael@0: * fails to do so. If cert and keyPair are NULL - unconfigures michael@0: * sslSocket of kea type.*/ michael@0: extern SECStatus ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert, michael@0: const CERTCertificateList *certChain, michael@0: ssl3KeyPair *keyPair, SSLKEAType kea); michael@0: michael@0: #ifndef NSS_DISABLE_ECC michael@0: extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss, michael@0: PRBool append, PRUint32 maxBytes); michael@0: extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss, michael@0: PRBool append, PRUint32 maxBytes); michael@0: #endif michael@0: michael@0: /* call the registered extension handlers. */ michael@0: extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss, michael@0: SSL3Opaque **b, PRUint32 *length); michael@0: michael@0: /* Hello Extension related routines. */ michael@0: extern PRBool ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type); michael@0: extern void ssl3_SetSIDSessionTicket(sslSessionID *sid, michael@0: /*in/out*/ NewSessionTicket *session_ticket); michael@0: extern SECStatus ssl3_SendNewSessionTicket(sslSocket *ss); michael@0: extern PRBool ssl_GetSessionTicketKeys(unsigned char *keyName, michael@0: unsigned char *encKey, unsigned char *macKey); michael@0: extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey, michael@0: SECKEYPublicKey *svrPubKey, void *pwArg, michael@0: unsigned char *keyName, PK11SymKey **aesKey, michael@0: PK11SymKey **macKey); michael@0: michael@0: /* Tell clients to consider tickets valid for this long. */ michael@0: #define TLS_EX_SESS_TICKET_LIFETIME_HINT (2 * 24 * 60 * 60) /* 2 days */ michael@0: #define TLS_EX_SESS_TICKET_VERSION (0x0100) michael@0: michael@0: extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data, michael@0: unsigned int length); michael@0: michael@0: /* Construct a new NSPR socket for the app to use */ michael@0: extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd); michael@0: extern void ssl_FreePRSocket(PRFileDesc *fd); michael@0: michael@0: /* Internal config function so SSL3 can initialize the present state of michael@0: * various ciphers */ michael@0: extern int ssl3_config_match_init(sslSocket *); michael@0: michael@0: michael@0: /* Create a new ref counted key pair object from two keys. */ michael@0: extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, michael@0: SECKEYPublicKey * pubKey); michael@0: michael@0: /* get a new reference (bump ref count) to an ssl3KeyPair. */ michael@0: extern ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair); michael@0: michael@0: /* Decrement keypair's ref count and free if zero. */ michael@0: extern void ssl3_FreeKeyPair(ssl3KeyPair * keyPair); michael@0: michael@0: /* calls for accessing wrapping keys across processes. */ michael@0: extern PRBool michael@0: ssl_GetWrappingKey( PRInt32 symWrapMechIndex, michael@0: SSL3KEAType exchKeyType, michael@0: SSLWrappedSymWrappingKey *wswk); michael@0: michael@0: /* The caller passes in the new value it wants michael@0: * to set. This code tests the wrapped sym key entry in the file on disk. michael@0: * If it is uninitialized, this function writes the caller's value into michael@0: * the disk entry, and returns false. michael@0: * Otherwise, it overwrites the caller's wswk with the value obtained from michael@0: * the disk, and returns PR_TRUE. michael@0: * This is all done while holding the locks/semaphores necessary to make michael@0: * the operation atomic. michael@0: */ michael@0: extern PRBool michael@0: ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk); michael@0: michael@0: /* get rid of the symmetric wrapping key references. */ michael@0: extern SECStatus SSL3_ShutdownServerCache(void); michael@0: michael@0: extern SECStatus ssl_InitSymWrapKeysLock(void); michael@0: michael@0: extern SECStatus ssl_FreeSymWrapKeysLock(void); michael@0: michael@0: extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit); michael@0: michael@0: extern SECStatus ssl_FreeSessionCacheLocks(void); michael@0: michael@0: michael@0: /**************** DTLS-specific functions **************/ michael@0: extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg); michael@0: extern void dtls_FreeQueuedMessages(PRCList *lst); michael@0: extern void dtls_FreeHandshakeMessages(PRCList *lst); michael@0: michael@0: extern SECStatus dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf); michael@0: extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss, michael@0: SSL3Opaque *b, PRUint32 length); michael@0: extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss); michael@0: extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type, michael@0: const SSL3Opaque *pIn, PRInt32 nIn); michael@0: extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); michael@0: extern SECStatus dtls_CompressMACEncryptRecord(sslSocket *ss, michael@0: DTLSEpoch epoch, michael@0: PRBool use_epoch, michael@0: SSL3ContentType type, michael@0: const SSL3Opaque *pIn, michael@0: PRUint32 contentLen, michael@0: sslBuffer *wrBuf); michael@0: SECStatus ssl3_DisableNonDTLSSuites(sslSocket * ss); michael@0: extern SECStatus dtls_StartTimer(sslSocket *ss, DTLSTimerCb cb); michael@0: extern SECStatus dtls_RestartTimer(sslSocket *ss, PRBool backoff, michael@0: DTLSTimerCb cb); michael@0: extern void dtls_CheckTimer(sslSocket *ss); michael@0: extern void dtls_CancelTimer(sslSocket *ss); michael@0: extern void dtls_FinishedTimerCb(sslSocket *ss); michael@0: extern void dtls_SetMTU(sslSocket *ss, PRUint16 advertised); michael@0: extern void dtls_InitRecvdRecords(DTLSRecvdRecords *records); michael@0: extern int dtls_RecordGetRecvd(DTLSRecvdRecords *records, PRUint64 seq); michael@0: extern void dtls_RecordSetRecvd(DTLSRecvdRecords *records, PRUint64 seq); michael@0: extern void dtls_RehandshakeCleanup(sslSocket *ss); michael@0: extern SSL3ProtocolVersion michael@0: dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv); michael@0: extern SSL3ProtocolVersion michael@0: dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv); michael@0: michael@0: /********************** misc calls *********************/ michael@0: michael@0: #ifdef DEBUG michael@0: extern void ssl3_CheckCipherSuiteOrderConsistency(); michael@0: #endif michael@0: michael@0: extern int ssl_MapLowLevelError(int hiLevelError); michael@0: michael@0: extern PRUint32 ssl_Time(void); michael@0: michael@0: extern void SSL_AtomicIncrementLong(long * x); michael@0: michael@0: SECStatus SSL_DisableDefaultExportCipherSuites(void); michael@0: SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd); michael@0: PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite); michael@0: michael@0: extern SECStatus michael@0: ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, michael@0: const char *label, unsigned int labelLen, michael@0: const unsigned char *val, unsigned int valLen, michael@0: unsigned char *out, unsigned int outLen); michael@0: michael@0: #ifdef TRACE michael@0: #define SSL_TRACE(msg) ssl_Trace msg michael@0: #else michael@0: #define SSL_TRACE(msg) michael@0: #endif michael@0: michael@0: void ssl_Trace(const char *format, ...); michael@0: michael@0: SEC_END_PROTOS michael@0: michael@0: #if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS) michael@0: #define SSL_GETPID getpid michael@0: #elif defined(WIN32) michael@0: extern int __cdecl _getpid(void); michael@0: #define SSL_GETPID _getpid michael@0: #else michael@0: #define SSL_GETPID() 0 michael@0: #endif michael@0: michael@0: #endif /* __sslimpl_h_ */