diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2018-04-25 21:33:33 +0200 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-04-25 21:33:33 +0200 |
commit | fba28f19754f62b5227650143d5441fc86d4c7d7 (patch) | |
tree | 26629d73f83543ff92a060fd7b310bb748b13173 /security/nss/lib/ssl/sslimpl.h | |
parent | b4154e043bfc0d2f301d88304efc896989d650bf (diff) | |
download | UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar.gz UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar.lz UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar.xz UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.zip |
Revert "Update NSS to 3.35-RTM"
This reverts commit f1a0f0a56fdd0fc39f255174ce08c06b91c66c94.
Diffstat (limited to 'security/nss/lib/ssl/sslimpl.h')
-rw-r--r-- | security/nss/lib/ssl/sslimpl.h | 483 |
1 files changed, 339 insertions, 144 deletions
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index dee9aa20f..64694b0df 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -19,7 +19,6 @@ #include "secport.h" #include "secerr.h" #include "sslerr.h" -#include "sslexp.h" #include "ssl3prot.h" #include "hasht.h" #include "nssilock.h" @@ -35,11 +34,36 @@ #include "sslt.h" /* for some formerly private types, now public */ typedef struct sslSocketStr sslSocket; -typedef struct sslNamedGroupDefStr sslNamedGroupDef; -#include "sslencode.h" -#include "sslexp.h" +typedef struct ssl3CipherSpecStr ssl3CipherSpec; #include "ssl3ext.h" -#include "sslspec.h" + +/* to make some of these old enums public without namespace pollution, +** it was necessary to prepend ssl_ to the names. +** These #defines preserve compatibility with the old code here in libssl. +*/ +typedef SSLMACAlgorithm SSL3MACAlgorithm; + +#define calg_null ssl_calg_null +#define calg_rc4 ssl_calg_rc4 +#define calg_rc2 ssl_calg_rc2 +#define calg_des ssl_calg_des +#define calg_3des ssl_calg_3des +#define calg_idea ssl_calg_idea +#define calg_fortezza ssl_calg_fortezza /* deprecated, must preserve */ +#define calg_aes ssl_calg_aes +#define calg_camellia ssl_calg_camellia +#define calg_seed ssl_calg_seed +#define calg_aes_gcm ssl_calg_aes_gcm +#define calg_chacha20 ssl_calg_chacha20 + +#define mac_null ssl_mac_null +#define mac_md5 ssl_mac_md5 +#define mac_sha ssl_mac_sha +#define hmac_md5 ssl_hmac_md5 +#define hmac_sha ssl_hmac_sha +#define hmac_sha256 ssl_hmac_sha256 +#define hmac_sha384 ssl_hmac_sha384 +#define mac_aead ssl_mac_aead #if defined(DEBUG) || defined(TRACE) #ifdef __cplusplus @@ -136,7 +160,7 @@ typedef enum { ticket_allow_psk_sign_auth = 16 } TLS13SessionTicketFlags; -struct sslNamedGroupDefStr { +typedef struct { /* The name is the value that is encoded on the wire in TLS. */ SSLNamedGroup name; /* The number of bits in the group. */ @@ -148,8 +172,9 @@ struct sslNamedGroupDefStr { SECOidTag oidTag; /* Assume that the group is always supported. */ PRBool assumeSupported; -}; +} sslNamedGroupDef; +typedef struct sslBufferStr sslBuffer; typedef struct sslConnectInfoStr sslConnectInfo; typedef struct sslGatherStr sslGather; typedef struct sslSecurityInfoStr sslSecurityInfo; @@ -158,6 +183,8 @@ typedef struct sslSocketOpsStr sslSocketOps; typedef struct ssl3StateStr ssl3State; typedef struct ssl3CertNodeStr ssl3CertNode; +typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef; +typedef struct ssl3MACDefStr ssl3MACDef; typedef struct sslKeyPairStr sslKeyPair; typedef struct ssl3DHParamsStr ssl3DHParams; @@ -174,6 +201,9 @@ typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr *addr, unsigned char *sid, unsigned int sidLen, CERTCertDBHandle *dbHandle); +typedef void (*sslCipherSpecChangedFunc)(void *arg, + PRBool sending, + ssl3CipherSpec *newSpec); /* Socket ops */ struct sslSocketOpsStr { @@ -199,9 +229,20 @@ struct sslSocketOpsStr { #define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000 #define ssl_SEND_FLAG_NO_BUFFER 0x20000000 #define ssl_SEND_FLAG_NO_RETRANSMIT 0x08000000 /* DTLS only */ +#define ssl_SEND_FLAG_CAP_RECORD_VERSION \ + 0x04000000 /* TLS only */ #define ssl_SEND_FLAG_MASK 0x7f000000 /* +** A buffer object. +*/ +struct sslBufferStr { + unsigned char *buf; + unsigned int len; + unsigned int space; +}; + +/* ** SSL3 cipher suite policy and preference struct. */ typedef struct { @@ -241,7 +282,7 @@ typedef struct sslOptionsStr { unsigned int detectRollBack : 1; unsigned int noLocks : 1; unsigned int enableSessionTickets : 1; - unsigned int enableDeflate : 1; /* Deprecated. */ + unsigned int enableDeflate : 1; unsigned int enableRenegotiation : 2; unsigned int requireSafeNegotiation : 1; unsigned int enableFalseStart : 1; @@ -256,7 +297,7 @@ typedef struct sslOptionsStr { unsigned int enableSignedCertTimestamps : 1; unsigned int requireDHENamedGroups : 1; unsigned int enable0RttData : 1; - unsigned int enableTls13CompatMode : 1; + unsigned int enableShortHeaders : 1; } sslOptions; typedef enum { sslHandshakingUndetermined = 0, @@ -341,13 +382,136 @@ struct sslGatherStr { #define GS_HEADER 1 #define GS_DATA 2 +/* +** ssl3State and CipherSpec structs +*/ + +/* The SSL bulk cipher definition */ +typedef enum { + cipher_null, + cipher_rc4, + cipher_des, + cipher_3des, + cipher_aes_128, + cipher_aes_256, + cipher_camellia_128, + cipher_camellia_256, + cipher_seed, + cipher_aes_128_gcm, + cipher_aes_256_gcm, + cipher_chacha20, + cipher_missing /* reserved for no such supported cipher */ + /* This enum must match ssl3_cipherName[] in ssl3con.c. */ +} SSL3BulkCipher; + +typedef enum { type_stream, + type_block, + type_aead } CipherType; + +#define MAX_IV_LENGTH 24 + +typedef PRUint64 sslSequenceNumber; +typedef PRUint16 DTLSEpoch; + +typedef void (*DTLSTimerCb)(sslSocket *); + typedef struct { PRUint8 wrapped_master_secret[48]; PRUint16 wrapped_master_secret_len; + PRUint8 msIsWrapped; PRUint8 resumable; PRUint8 extendedMasterSecretUsed; } ssl3SidKeys; /* 52 bytes */ +typedef struct { + PK11SymKey *write_key; + PK11SymKey *write_mac_key; + PK11Context *write_mac_context; + SECItem write_key_item; + SECItem write_iv_item; + SECItem write_mac_key_item; + PRUint8 write_iv[MAX_IV_LENGTH]; +} ssl3KeyMaterial; + +typedef SECStatus (*SSLCipher)(void *context, + unsigned char *out, + int *outlen, + int maxout, + const unsigned char *in, + int inlen); +typedef SECStatus (*SSLAEADCipher)( + ssl3KeyMaterial *keys, + PRBool doDecrypt, + unsigned char *out, + int *outlen, + int maxout, + const unsigned char *in, + int inlen, + const unsigned char *additionalData, + int additionalDataLen); +typedef SECStatus (*SSLCompressor)(void *context, + unsigned char *out, + int *outlen, + int maxout, + const unsigned char *in, + int inlen); +typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); + +/* The DTLS anti-replay window in number of packets. Defined here because we + * need it in the cipher spec. Note that this is a ring buffer but left and + * right represent the true window, with modular arithmetic used to map them + * onto the buffer. + */ +#define DTLS_RECVD_RECORDS_WINDOW 1024 +#define RECORD_SEQ_MAX ((1ULL << 48) - 1) +PR_STATIC_ASSERT(DTLS_RECVD_RECORDS_WINDOW % 8 == 0); + +typedef struct DTLSRecvdRecordsStr { + unsigned char data[DTLS_RECVD_RECORDS_WINDOW / 8]; + sslSequenceNumber left; + sslSequenceNumber right; +} DTLSRecvdRecords; + +/* +** These are the "specs" in the "ssl3" struct. +** Access to the pointers to these specs, and all the specs' contents +** (direct and indirect) is protected by the reader/writer lock ss->specLock. +*/ +struct ssl3CipherSpecStr { + PRCList link; + const ssl3BulkCipherDef *cipher_def; + const ssl3MACDef *mac_def; + SSLCompressionMethod compression_method; + int mac_size; + SSLCipher encode; + SSLCipher decode; + SSLAEADCipher aead; + void *encodeContext; + void *decodeContext; + SSLCompressor compressor; /* Don't name these fields compress */ + SSLCompressor decompressor; /* and uncompress because zconf.h */ + /* may define them as macros. */ + SSLDestroy destroyCompressContext; + void *compressContext; + SSLDestroy destroyDecompressContext; + void *decompressContext; + PK11SymKey *master_secret; + sslSequenceNumber write_seq_num; + sslSequenceNumber read_seq_num; + SSL3ProtocolVersion version; + ssl3KeyMaterial client; + ssl3KeyMaterial server; + SECItem msItem; + DTLSEpoch epoch; + DTLSRecvdRecords recvdRecords; + /* The number of 0-RTT bytes that can be sent or received in TLS 1.3. This + * will be zero for everything but 0-RTT. */ + PRUint32 earlyDataRemaining; + + PRUint8 refCt; + const char *phase; +}; + typedef enum { never_cached, in_client_cache, in_server_cache, @@ -363,7 +527,7 @@ struct sslSessionIDStr { sslSessionID *next; /* chain used for client sockets, only */ Cached cached; int references; - PRTime lastAccessTime; + PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */ /* The rest of the members, except for the members of u.ssl3.locked, may * be modified only when the sid is not in any cache. @@ -381,15 +545,13 @@ struct sslSessionIDStr { SSL3ProtocolVersion version; - PRTime creationTime; - PRTime expirationTime; + PRUint32 creationTime; /* seconds since Jan 1, 1970 */ + PRUint32 expirationTime; /* seconds since Jan 1, 1970 */ SSLAuthType authType; PRUint32 authKeyBits; SSLKEAType keaType; PRUint32 keaKeyBits; - SSLNamedGroup keaGroup; - SSLSignatureScheme sigScheme; union { struct { @@ -398,6 +560,7 @@ struct sslSessionIDStr { PRUint8 sessionID[SSL3_SESSIONID_BYTES]; ssl3CipherSuite cipherSuite; + SSLCompressionMethod compression; int policy; ssl3SidKeys keys; /* mechanism used to wrap master secret */ @@ -464,13 +627,13 @@ struct sslSessionIDStr { } u; }; -struct ssl3CipherSuiteDefStr { +typedef struct ssl3CipherSuiteDefStr { ssl3CipherSuite cipher_suite; SSL3BulkCipher bulk_cipher_alg; SSL3MACAlgorithm mac_alg; SSL3KeyExchangeAlgorithm key_exchange_alg; SSLHashType prf_hash; -}; +} ssl3CipherSuiteDef; /* ** There are tables of these, all const. @@ -493,6 +656,37 @@ typedef struct { SECOidTag oid; } ssl3KEADef; +/* +** There are tables of these, all const. +*/ +struct ssl3BulkCipherDefStr { + SSL3BulkCipher cipher; + SSLCipherAlgorithm calg; + unsigned int key_size; + unsigned int secret_key_size; + CipherType type; + unsigned int iv_size; + unsigned int block_size; + unsigned int tag_size; /* for AEAD ciphers. */ + unsigned int explicit_nonce_size; /* for AEAD ciphers. */ + SECOidTag oid; + const char *short_name; + /* The maximum number of records that can be sent/received with the same + * symmetric key before the connection will be terminated. */ + PRUint64 max_records; +}; + +/* +** There are tables of these, all const. +*/ +struct ssl3MACDefStr { + SSL3MACAlgorithm mac; + CK_MECHANISM_TYPE mmech; + int pad_size; + int mac_size; + SECOidTag oid; +}; + typedef enum { ssl_0rtt_none, /* 0-RTT not present */ ssl_0rtt_sent, /* 0-RTT sent (no decision yet) */ @@ -510,7 +704,6 @@ typedef enum { typedef enum { idle_handshake, wait_client_hello, - wait_end_of_early_data, wait_client_cert, wait_client_key, wait_cert_verify, @@ -567,15 +760,14 @@ typedef enum { handshake_hash_record } SSL3HandshakeHashType; -// A DTLS Timer. -typedef void (*DTLSTimerCb)(sslSocket *); - -typedef struct { - const char *label; - DTLSTimerCb cb; - PRIntervalTime started; - PRUint32 timeout; -} dtlsTimer; +/* This holds state for TLS 1.3 CertificateRequest handling. */ +typedef struct TLS13CertificateRequestStr { + PLArenaPool *arena; + SECItem context; + SSLSignatureScheme *signatureSchemes; + unsigned int signatureSchemeCount; + CERTDistNames ca_list; +} TLS13CertificateRequest; /* ** This is the "hs" member of the "ssl3" struct. @@ -599,12 +791,13 @@ typedef struct SSL3HandshakeStateStr { const ssl3KEADef *kea_def; ssl3CipherSuite cipher_suite; const ssl3CipherSuiteDef *suite_def; + SSLCompressionMethod compression; sslBuffer msg_body; /* protected by recvBufLock */ /* partial handshake message from record layer */ unsigned int header_bytes; /* number of bytes consumed from handshake */ /* message for message type and header length */ - SSLHandshakeType msg_type; + SSL3HandshakeType msg_type; unsigned long msg_len; PRBool isResuming; /* we are resuming (not used in TLS 1.3) */ PRBool sendingSCSV; /* instead of empty RI */ @@ -641,25 +834,25 @@ typedef struct SSL3HandshakeStateStr { PRCList remoteExtensions; /* Parsed incoming extensions */ /* This group of values is used for DTLS */ - PRUint16 sendMessageSeq; /* The sending message sequence + PRUint16 sendMessageSeq; /* The sending message sequence * number */ - PRCList lastMessageFlight; /* The last message flight we + PRCList lastMessageFlight; /* The last message flight we * sent */ - PRUint16 maxMessageSent; /* The largest message we sent */ - PRUint16 recvMessageSeq; /* The receiving message sequence + PRUint16 maxMessageSent; /* The largest message we sent */ + PRUint16 recvMessageSeq; /* The receiving message sequence * number */ - sslBuffer recvdFragments; /* The fragments we have received in + sslBuffer recvdFragments; /* The fragments we have received in * a bitmask */ - PRInt32 recvdHighWater; /* The high water mark for fragments + PRInt32 recvdHighWater; /* The high water mark for fragments * received. -1 means no reassembly * in progress. */ - SECItem cookie; /* The Hello(Retry|Verify)Request cookie. */ - dtlsTimer timers[3]; /* Holder for timers. */ - dtlsTimer *rtTimer; /* Retransmit timer. */ - dtlsTimer *ackTimer; /* Ack timer (DTLS 1.3 only). */ - dtlsTimer *hdTimer; /* Read cipher holddown timer (DLTS 1.3 only) */ - PRUint32 rtRetries; /* The retry counter */ - SECItem srvVirtName; /* for server: name that was negotiated + SECItem cookie; /* The Hello(Retry|Verify)Request cookie. */ + PRIntervalTime rtTimerStarted; /* When the timer was started */ + DTLSTimerCb rtTimerCb; /* The function to call on expiry */ + PRUint32 rtTimeoutMs; /* The length of the current timeout + * used for backoff (in ms) */ + PRUint32 rtRetries; /* The retry counter */ + SECItem srvVirtName; /* for server: name that was negotiated * with a client. For client - is * always set to NULL.*/ @@ -676,37 +869,22 @@ typedef struct SSL3HandshakeStateStr { PK11SymKey *serverTrafficSecret; /* traffic keys */ PK11SymKey *earlyExporterSecret; /* for 0-RTT exporters */ PK11SymKey *exporterSecret; /* for exporters */ - PRCList cipherSpecs; /* The cipher specs in the sequence they - * will be applied. */ - sslZeroRttState zeroRttState; /* Are we doing a 0-RTT handshake? */ - sslZeroRttIgnore zeroRttIgnore; /* Are we ignoring 0-RTT? */ - ssl3CipherSuite zeroRttSuite; /* The cipher suite we used for 0-RTT. */ - PRCList bufferedEarlyData; /* Buffered TLS 1.3 early data - * on server.*/ - PRBool helloRetry; /* True if HelloRetryRequest has been sent - * or received. */ - PRBool receivedCcs; /* A server received ChangeCipherSpec - * before the handshake started. */ - PRBool clientCertRequested; /* True if CertificateRequest received. */ - ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def - * we use for TLS 1.3 */ - PRTime serverHelloTime; /* Time the ServerHello flight was sent. */ - PRUint16 ticketNonce; /* A counter we use for tickets. */ - SECItem fakeSid; /* ... (server) the SID the client used. */ - PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */ - - /* The following lists contain DTLSHandshakeRecordEntry */ - PRCList dtlsSentHandshake; /* Used to map records to handshake fragments. */ - PRCList dtlsRcvdHandshake; /* Handshake records we have received - * used to generate ACKs. */ + /* The certificate request from the server. */ + TLS13CertificateRequest *certificateRequest; + PRCList cipherSpecs; /* The cipher specs in the sequence they + * will be applied. */ + sslZeroRttState zeroRttState; /* Are we doing a 0-RTT handshake? */ + sslZeroRttIgnore zeroRttIgnore; /* Are we ignoring 0-RTT? */ + ssl3CipherSuite zeroRttSuite; /* The cipher suite we used for 0-RTT. */ + PRCList bufferedEarlyData; /* Buffered TLS 1.3 early data + * on server.*/ + PRBool helloRetry; /* True if HelloRetryRequest has been sent + * or received. */ + ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def + * we use for TLS 1.3 */ + PRBool shortHeaders; /* Assigned if we are doing short headers. */ } SSL3HandshakeState; -#define SSL_ASSERT_HASHES_EMPTY(ss) \ - do { \ - PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown); \ - PORT_Assert(ss->ssl3.hs.messages.len == 0); \ - } while (0) - /* ** This is the "ssl3" struct, as in "ss->ssl3". ** note: @@ -726,10 +904,6 @@ struct ssl3StateStr { ssl3CipherSpec *cwSpec; /* current write spec. */ ssl3CipherSpec *pwSpec; /* pending write spec. */ - /* This is true after the peer requests a key update; false after a key - * update is initiated locally. */ - PRBool peerRequestedKeyUpdate; - /* Internal callback for when we do a cipher suite change. Used for * debugging in TLS 1.3. This can only be set by non-public functions. */ sslCipherSpecChangedFunc changedCipherSpecFunc; @@ -750,7 +924,9 @@ struct ssl3StateStr { /* chain while we are trying to validate it. */ CERTDistNames *ca_list; /* used by server. trusted CAs for this socket. */ + PRBool initialized; SSL3HandshakeState hs; + ssl3CipherSpec specs[2]; /* one is current, one is pending. */ PRUint16 mtu; /* Our estimate of the MTU */ @@ -819,12 +995,11 @@ typedef struct SessionTicketStr { PRBool valid; SSL3ProtocolVersion ssl_version; ssl3CipherSuite cipher_suite; + SSLCompressionMethod compression_method; SSLAuthType authType; PRUint32 authKeyBits; SSLKEAType keaType; PRUint32 keaKeyBits; - SSLNamedGroup originalKeaGroup; - SSLSignatureScheme signatureScheme; const sslNamedGroupDef *namedCurve; /* For certificate lookup. */ /* @@ -837,13 +1012,11 @@ typedef struct SessionTicketStr { PRBool extendedMasterSecretUsed; ClientAuthenticationType client_auth_type; SECItem peer_cert; - PRTime timestamp; + PRUint32 timestamp; PRUint32 flags; SECItem srvName; /* negotiated server name */ SECItem alpnSelection; PRUint32 maxEarlyData; - PRUint32 ticketAgeBaseline; - SECItem applicationToken; } SessionTicket; /* @@ -893,7 +1066,6 @@ struct sslSecurityInfoStr { SSLKEAType keaType; PRUint32 keaKeyBits; const sslNamedGroupDef *keaGroup; - const sslNamedGroupDef *originalKeaGroup; /* The selected certificate (for servers only). */ const sslServerCert *serverCert; @@ -979,9 +1151,6 @@ struct sslSocketStr { void *pkcs11PinArg; SSLNextProtoCallback nextProtoCallback; void *nextProtoArg; - SSLHelloRetryRequestCallback hrrCallback; - void *hrrCallbackArg; - PRCList extensionHooks; PRIntervalTime rTimeout; /* timeout for NSPR I/O */ PRIntervalTime wTimeout; /* timeout for NSPR I/O */ @@ -1072,7 +1241,6 @@ extern char ssl_debug; extern char ssl_trace; extern FILE *ssl_trace_iob; extern FILE *ssl_keylog_iob; -extern PZLock *ssl_keylog_lock; extern PRUint32 ssl3_sid_timeout; extern PRUint32 ssl_ticket_lifetime; extern PRUint32 ssl_max_early_data_size; @@ -1163,10 +1331,14 @@ extern SECStatus ssl_BeginClientHandshake(sslSocket *ss); extern SECStatus ssl_BeginServerHandshake(sslSocket *ss); extern int ssl_Do1stHandshake(sslSocket *ss); +extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen); +extern SECStatus sslBuffer_Append(sslBuffer *b, const void *data, + unsigned int len); +extern void sslBuffer_Clear(sslBuffer *b); + extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec); -extern SECStatus ssl3_InitPendingCipherSpecs(sslSocket *ss, PK11SymKey *secret, - PRBool derive); +extern void ssl3_InitCipherSpec(ssl3CipherSpec *spec); extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server); extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID, const char *urlSvrName); @@ -1191,20 +1363,11 @@ extern SECStatus ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled); extern SECStatus ssl3_ConstrainRangeByPolicy(void); -extern SECStatus ssl3_InitState(sslSocket *ss); -extern SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, - int maxOutputLen, const unsigned char *input, - int inputLen); +extern void ssl3_InitState(sslSocket *ss); extern void ssl3_RestartHandshakeHashes(sslSocket *ss); extern SECStatus ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, unsigned int l); -SECStatus -ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType type, - PRUint32 dtlsSeq, - const PRUint8 *b, PRUint32 length); -SECStatus ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType type, - const PRUint8 *b, PRUint32 length); /* Returns PR_TRUE if we are still waiting for the server to complete its * response to our client second round. Once we've received the Finished from @@ -1217,14 +1380,21 @@ extern PRInt32 ssl3_SendRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, const PRUint8 *pIn, PRInt32 nIn, PRInt32 flags); -/* Clear any PRCList, optionally calling f on the value. */ -void ssl_ClearPRCList(PRCList *list, void (*f)(void *)); +#ifdef NSS_SSL_ENABLE_ZLIB +/* + * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a + * maximum TLS record payload of 2**14 bytes, that's 29 bytes. + */ +#define SSL3_COMPRESSION_MAX_EXPANSION 29 +#else /* !NSS_SSL_ENABLE_ZLIB */ +#define SSL3_COMPRESSION_MAX_EXPANSION 0 +#endif /* - * Make sure there is room in the write buffer for padding and - * cryptographic expansions. + * make sure there is room in the write buffer for padding and + * other compression and cryptographic expansions. */ -#define SSL3_BUFFER_FUDGE 100 +#define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION #define SSL_LOCK_READER(ss) \ if (ss->recvLock) \ @@ -1377,7 +1547,7 @@ extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error); * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos */ extern SECStatus ssl3_HandleV2ClientHello( - sslSocket *ss, unsigned char *buffer, unsigned int length, PRUint8 padding); + sslSocket *ss, unsigned char *buffer, int length, PRUint8 padding); SECStatus ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type); @@ -1413,7 +1583,7 @@ extern PRBool ssl_HaveEphemeralKeyPair(const sslSocket *ss, const sslNamedGroupDef *groupDef); extern void ssl_FreeEphemeralKeyPairs(sslSocket *ss); -extern SECStatus ssl_AppendPaddedDHKeyShare(sslBuffer *buf, +extern SECStatus ssl_AppendPaddedDHKeyShare(const sslSocket *ss, const SECKEYPublicKey *pubKey, PRBool appendLength); extern const ssl3DHParams *ssl_GetDHEParams(const sslNamedGroupDef *groupDef); @@ -1475,10 +1645,6 @@ extern SECStatus ssl_ClientReadVersion(sslSocket *ss, PRUint8 **b, extern SECStatus ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion, PRBool allowLargerPeerVersion); -extern SECStatus ssl_ClientSetCipherSuite(sslSocket *ss, - SSL3ProtocolVersion version, - ssl3CipherSuite suite, - PRBool initHashes); extern SECStatus ssl_GetPeerInfo(sslSocket *ss); @@ -1494,11 +1660,23 @@ extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss); extern SECStatus ssl_ImportECDHKeyShare( sslSocket *ss, SECKEYPublicKey *peerKey, PRUint8 *b, PRUint32 length, const sslNamedGroupDef *curve); +SECStatus tls13_EncodeECDHEKeyShareKEX(const sslSocket *ss, + const SECKEYPublicKey *pubKey); extern SECStatus ssl3_ComputeCommonKeyHash(SSLHashType hashAlg, PRUint8 *hashBuf, unsigned int bufLen, SSL3Hashes *hashes); +extern void ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName); +extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms); +extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src, + PRInt32 bytes); +extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss, + SSL3HandshakeType t, PRUint32 length); +extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, + PRInt32 lenSize); +extern SECStatus ssl3_AppendHandshakeVariable(sslSocket *ss, + const PRUint8 *src, PRInt32 bytes, PRInt32 lenSize); extern SECStatus ssl3_AppendSignatureAndHashAlgorithm( sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash); extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRUint32 bytes, @@ -1506,12 +1684,11 @@ extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRUint32 bytes, extern SECStatus ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRUint32 *num, PRUint32 bytes, PRUint8 **b, PRUint32 *length); -extern SECStatus ssl3_ConsumeHandshakeNumber64(sslSocket *ss, PRUint64 *num, - PRUint32 bytes, PRUint8 **b, - PRUint32 *length); extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRUint32 bytes, PRUint8 **b, PRUint32 *length); +extern PRUint8 *ssl_EncodeUintX(PRUint64 value, unsigned int bytes, + PRUint8 *to); extern PRBool ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme); extern SECStatus ssl_CheckSignatureSchemeConsistency( sslSocket *ss, SSLSignatureScheme scheme, CERTCertificate *cert); @@ -1526,20 +1703,16 @@ extern SECStatus ssl3_SignHashes(sslSocket *ss, SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf); extern SECStatus ssl3_VerifySignedHashes(sslSocket *ss, SSLSignatureScheme scheme, SSL3Hashes *hash, SECItem *buf); -extern SECStatus ssl3_CacheWrappedSecret(sslSocket *ss, sslSessionID *sid, - PK11SymKey *secret); +extern SECStatus ssl3_CacheWrappedMasterSecret( + sslSocket *ss, sslSessionID *sid, ssl3CipherSpec *spec); extern void ssl3_FreeSniNameArray(TLSExtensionData *xtnData); /* Hello Extension related routines. */ extern void ssl3_SetSIDSessionTicket(sslSessionID *sid, /*in/out*/ NewSessionTicket *session_ticket); SECStatus ssl3_EncodeSessionTicket(sslSocket *ss, - const NewSessionTicket *ticket, - const PRUint8 *appToken, - unsigned int appTokenLen, - PK11SymKey *secret, SECItem *ticket_data); -SECStatus SSLExp_SendSessionTicket(PRFileDesc *fd, const PRUint8 *token, - unsigned int tokenLen); + const NewSessionTicket *ticket_input, + SECItem *ticket_data); SECStatus ssl_MaybeSetSelfEncryptKeyPair(const sslKeyPair *keyPair); SECStatus ssl_GetSelfEncryptKeys(sslSocket *ss, unsigned char *keyName, @@ -1555,7 +1728,7 @@ extern void ssl_FreePRSocket(PRFileDesc *fd); /* Internal config function so SSL3 can initialize the present state of * various ciphers */ -extern unsigned int ssl3_config_match_init(sslSocket *); +extern int ssl3_config_match_init(sslSocket *); /* calls for accessing wrapping keys across processes. */ extern SECStatus @@ -1585,11 +1758,44 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit); extern SECStatus ssl_FreeSessionCacheLocks(void); +/**************** DTLS-specific functions **************/ +extern void dtls_FreeHandshakeMessage(DTLSQueuedMessage *msg); +extern void dtls_FreeHandshakeMessages(PRCList *lst); + +extern SECStatus dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf); +extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss, + PRUint8 *b, PRUint32 length); +extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss); +extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type, + const PRUint8 *pIn, PRInt32 nIn); +extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); +SECStatus ssl3_DisableNonDTLSSuites(sslSocket *ss); +extern SECStatus dtls_StartHolddownTimer(sslSocket *ss); +extern void dtls_CheckTimer(sslSocket *ss); +extern void dtls_CancelTimer(sslSocket *ss); +extern void dtls_SetMTU(sslSocket *ss, PRUint16 advertised); +extern void dtls_InitRecvdRecords(DTLSRecvdRecords *records); +extern int dtls_RecordGetRecvd(const DTLSRecvdRecords *records, + sslSequenceNumber seq); +extern void dtls_RecordSetRecvd(DTLSRecvdRecords *records, + sslSequenceNumber seq); +extern void dtls_RehandshakeCleanup(sslSocket *ss); +extern SSL3ProtocolVersion +dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv); +extern SSL3ProtocolVersion +dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv); +extern PRBool dtls_IsRelevant(sslSocket *ss, const SSL3Ciphertext *cText, + PRBool *sameEpoch, PRUint64 *seqNum); +extern SECStatus dtls_MaybeRetransmitHandshake(sslSocket *ss, + const SSL3Ciphertext *cText, + PRBool sameEpoch); + CK_MECHANISM_TYPE ssl3_Alg2Mech(SSLCipherAlgorithm calg); SECStatus ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites, PRBool initHashes); SECStatus ssl3_InitHandshakeHashes(sslSocket *ss); SECStatus ssl3_ServerCallSNICallback(sslSocket *ss); +SECStatus ssl3_SetupPendingCipherSpec(sslSocket *ss); SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags); SECStatus ssl3_CompleteHandleCertificate(sslSocket *ss, PRUint8 *b, PRUint32 length); @@ -1601,21 +1807,17 @@ SECStatus ssl3_SendCertificateStatus(sslSocket *ss); SECStatus ssl3_AuthCertificate(sslSocket *ss); SECStatus ssl_ReadCertificateStatus(sslSocket *ss, PRUint8 *b, PRUint32 length); -SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, sslBuffer *buf); -SECStatus ssl_GetCertificateRequestCAs(const sslSocket *ss, - unsigned int *calenp, - const SECItem **namesp, - unsigned int *nnamesp); +SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint8 *buf, + unsigned maxLen, PRUint32 *len); +SECStatus ssl_GetCertificateRequestCAs(sslSocket *ss, unsigned int *calenp, + SECItem **namesp, unsigned int *nnamesp); SECStatus ssl3_ParseCertificateRequestCAs(sslSocket *ss, PRUint8 **b, - PRUint32 *length, CERTDistNames *ca_list); + PRUint32 *length, PLArenaPool *arena, + CERTDistNames *ca_list); SECStatus ssl3_CompleteHandleCertificateRequest( sslSocket *ss, const SSLSignatureScheme *signatureSchemes, unsigned int signatureSchemeCount, CERTDistNames *ca_list); -SECStatus ssl_ConstructServerHello(sslSocket *ss, PRBool helloRetry, - const sslBuffer *extensionBuf, - sslBuffer *messageBuf); SECStatus ssl3_SendServerHello(sslSocket *ss); -SECStatus ssl3_SendChangeCipherSpecsInt(sslSocket *ss); SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss, ssl3CipherSpec *spec, SSL3Hashes *hashes, @@ -1630,9 +1832,10 @@ PK11SymKey *ssl3_GetWrappingKey(sslSocket *ss, PK11SlotInfo *masterSecretSlot, CK_MECHANISM_TYPE masterWrapMech, void *pwArg); -SECStatus ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid, - PK11SymKey *secret); +SECStatus ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid); const ssl3CipherSuiteDef *ssl_LookupCipherSuiteDef(ssl3CipherSuite suite); +const ssl3BulkCipherDef * +ssl_GetBulkCipherDef(const ssl3CipherSuiteDef *cipher_def); SECStatus ssl3_SelectServerCert(sslSocket *ss); SECStatus ssl_PickSignatureScheme(sslSocket *ss, SECKEYPublicKey *pubKey, @@ -1644,14 +1847,11 @@ SECOidTag ssl3_HashTypeToOID(SSLHashType hashType); SSLHashType ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme); KeyType ssl_SignatureSchemeToKeyType(SSLSignatureScheme scheme); -SECStatus ssl3_SetupCipherSuite(sslSocket *ss, PRBool initHashes); - -/* Pull in DTLS functions */ -#include "dtlscon.h" +SECStatus ssl3_SetCipherSuite(sslSocket *ss, ssl3CipherSuite chosenSuite, + PRBool initHashes); /* Pull in TLS 1.3 functions */ #include "tls13con.h" -#include "dtls13con.h" /********************** misc calls *********************/ @@ -1661,27 +1861,22 @@ extern void ssl3_CheckCipherSuiteOrderConsistency(); extern int ssl_MapLowLevelError(int hiLevelError); -extern PRUint32 ssl_TimeSec(void); -#ifdef UNSAFE_FUZZER_MODE -#define ssl_TimeUsec() ((PRTime)12345678) -#else -#define ssl_TimeUsec() (PR_Now()) -#endif +extern PRUint32 ssl_Time(void); extern PRBool ssl_TicketTimeValid(const NewSessionTicket *ticket); extern void SSL_AtomicIncrementLong(long *x); SECStatus ssl3_ApplyNSSPolicy(void); +extern HASH_HashType +ssl3_GetTls12HashType(sslSocket *ss); + extern SECStatus ssl3_TLSPRFWithMasterSecret(sslSocket *ss, ssl3CipherSpec *spec, const char *label, unsigned int labelLen, const unsigned char *val, unsigned int valLen, unsigned char *out, unsigned int outLen); -extern void -ssl3_RecordKeyLog(sslSocket *ss, const char *label, PK11SymKey *secret); - PRBool ssl_AlpnTagAllowed(const sslSocket *ss, const SECItem *tag); #ifdef TRACE |