Diffstat (limited to 'security/nss/lib/ssl/sslimpl.h')
-rw-r--r-- | security/nss/lib/ssl/sslimpl.h | 483 |
1 files changed, 339 insertions, 144 deletions
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index dee9aa20f..64694b0df 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -19,7 +19,6 @@ #include "secport.h" #include "secerr.h" #include "sslerr.h" -#include "sslexp.h" #include "ssl3prot.h" #include "hasht.h" #include "nssilock.h" @@ -35,11 +34,36 @@ #include "sslt.h" /* for some formerly private types, now public */ typedef struct sslSocketStr sslSocket; -typedef struct sslNamedGroupDefStr sslNamedGroupDef; -#include "sslencode.h" -#include "sslexp.h" +typedef struct ssl3CipherSpecStr ssl3CipherSpec; #include "ssl3ext.h" -#include "sslspec.h" + +/* to make some of these old enums public without namespace pollution, +** it was necessary to prepend ssl_ to the names. +** These #defines preserve compatibility with the old code here in libssl. +*/ +typedef SSLMACAlgorithm SSL3MACAlgorithm; + +#define calg_null ssl_calg_null +#define calg_rc4 ssl_calg_rc4 +#define calg_rc2 ssl_calg_rc2 +#define calg_des ssl_calg_des +#define calg_3des ssl_calg_3des +#define calg_idea ssl_calg_idea +#define calg_fortezza ssl_calg_fortezza /* deprecated, must preserve */ +#define calg_aes ssl_calg_aes +#define calg_camellia ssl_calg_camellia +#define calg_seed ssl_calg_seed +#define calg_aes_gcm ssl_calg_aes_gcm +#define calg_chacha20 ssl_calg_chacha20 + +#define mac_null ssl_mac_null +#define mac_md5 ssl_mac_md5 +#define mac_sha ssl_mac_sha +#define hmac_md5 ssl_hmac_md5 +#define hmac_sha ssl_hmac_sha +#define hmac_sha256 ssl_hmac_sha256 +#define hmac_sha384 ssl_hmac_sha384 +#define mac_aead ssl_mac_aead #if defined(DEBUG) || defined(TRACE) #ifdef __cplusplus @@ -136,7 +160,7 @@ typedef enum { ticket_allow_psk_sign_auth = 16 } TLS13SessionTicketFlags; -struct sslNamedGroupDefStr { +typedef struct { /* The name is the value that is encoded on the wire in TLS. */ SSLNamedGroup name; /* The number of bits in the group. */ 
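Review bot: The compatibility aliases added after `#include "ssl3ext.h"` (`calg_aes`, `mac_null`, `hmac_sha` and the rest) are unprefixed lowercase object-like macros, so any identifier with one of those names is silently rewritten in every file that includes sslimpl.h. The block comment explains why they exist but not that they are legacy-only. I would add a line above the first `#define` such as `/* Legacy aliases only: new code must use the ssl_calg_* / ssl_mac_* names. */`.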
@@ -148,8 +172,9 @@ struct sslNamedGroupDefStr { SECOidTag oidTag; /* Assume that the group is always supported. */ PRBool assumeSupported; -}; +} sslNamedGroupDef; +typedef struct sslBufferStr sslBuffer; typedef struct sslConnectInfoStr sslConnectInfo; typedef struct sslGatherStr sslGather; typedef struct sslSecurityInfoStr sslSecurityInfo; @@ -158,6 +183,8 @@ typedef struct sslSocketOpsStr sslSocketOps; typedef struct ssl3StateStr ssl3State; typedef struct ssl3CertNodeStr ssl3CertNode; +typedef struct ssl3BulkCipherDefStr ssl3BulkCipherDef; +typedef struct ssl3MACDefStr ssl3MACDef; typedef struct sslKeyPairStr sslKeyPair; typedef struct ssl3DHParamsStr ssl3DHParams; @@ -174,6 +201,9 @@ typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr *addr, unsigned char *sid, unsigned int sidLen, CERTCertDBHandle *dbHandle); +typedef void (*sslCipherSpecChangedFunc)(void *arg, + PRBool sending, + ssl3CipherSpec *newSpec); /* Socket ops */ struct sslSocketOpsStr { @@ -199,9 +229,20 @@ struct sslSocketOpsStr { #define ssl_SEND_FLAG_FORCE_INTO_BUFFER 0x40000000 #define ssl_SEND_FLAG_NO_BUFFER 0x20000000 #define ssl_SEND_FLAG_NO_RETRANSMIT 0x08000000 /* DTLS only */ +#define ssl_SEND_FLAG_CAP_RECORD_VERSION \ + 0x04000000 /* TLS only */ #define ssl_SEND_FLAG_MASK 0x7f000000 /* +** A buffer object. +*/ +struct sslBufferStr { + unsigned char *buf; + unsigned int len; + unsigned int space; +}; + +/* ** SSL3 cipher suite policy and preference struct. */ typedef struct { @@ -241,7 +282,7 @@ typedef struct sslOptionsStr { unsigned int detectRollBack : 1; unsigned int noLocks : 1; unsigned int enableSessionTickets : 1; - unsigned int enableDeflate : 1; /* Deprecated. */ + unsigned int enableDeflate : 1; unsigned int enableRenegotiation : 2; unsigned int requireSafeNegotiation : 1; unsigned int enableFalseStart : 1; 
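Review bot: In `sslOptionsStr`, `enableDeflate` loses its `/* Deprecated. */` marker with nothing put in its place, while other hunks of this diff bring back the compression plumbing (`SSLCompressor` fields in the cipher spec, `SSL3_COMPRESSION_MAX_EXPANSION` under `NSS_SSL_ENABLE_ZLIB`). Record-layer compression makes ciphertext length depend on plaintext content, the property behind CRIME-style side channels, so the field deserves a comment that says so, for example `unsigned int enableDeflate : 1; /* TLS compression; leaks length information, keep off unless required */`. The option's default and the places that consult it are not visible in this hunk, so confirm it stays disabled by default. The struct continues outside the hunk.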
@@ -256,7 +297,7 @@ typedef struct sslOptionsStr { unsigned int enableSignedCertTimestamps : 1; unsigned int requireDHENamedGroups : 1; unsigned int enable0RttData : 1; - unsigned int enableTls13CompatMode : 1; + unsigned int enableShortHeaders : 1; } sslOptions; typedef enum { sslHandshakingUndetermined = 0, 
@@ -341,13 +382,136 @@ struct sslGatherStr { #define GS_HEADER 1 #define GS_DATA 2 +/* +** ssl3State and CipherSpec structs +*/ + +/* The SSL bulk cipher definition */ +typedef enum { + cipher_null, + cipher_rc4, + cipher_des, + cipher_3des, + cipher_aes_128, + cipher_aes_256, + cipher_camellia_128, + cipher_camellia_256, + cipher_seed, + cipher_aes_128_gcm, + cipher_aes_256_gcm, + cipher_chacha20, + cipher_missing /* reserved for no such supported cipher */ + /* This enum must match ssl3_cipherName[] in ssl3con.c. */ +} SSL3BulkCipher; + +typedef enum { type_stream, + type_block, + type_aead } CipherType; + +#define MAX_IV_LENGTH 24 + +typedef PRUint64 sslSequenceNumber; +typedef PRUint16 DTLSEpoch; + +typedef void (*DTLSTimerCb)(sslSocket *); + typedef struct { PRUint8 wrapped_master_secret[48]; PRUint16 wrapped_master_secret_len; + PRUint8 msIsWrapped; PRUint8 resumable; PRUint8 extendedMasterSecretUsed; } ssl3SidKeys; /* 52 bytes */ +typedef struct { + PK11SymKey *write_key; + PK11SymKey *write_mac_key; + PK11Context *write_mac_context; + SECItem write_key_item; + SECItem write_iv_item; + SECItem write_mac_key_item; + PRUint8 write_iv[MAX_IV_LENGTH]; +} ssl3KeyMaterial; + +typedef SECStatus (*SSLCipher)(void *context, + unsigned char *out, + int *outlen, + int maxout, + const unsigned char *in, + int inlen); +typedef SECStatus (*SSLAEADCipher)( + ssl3KeyMaterial *keys, + PRBool doDecrypt, + unsigned char *out, + int *outlen, + int maxout, + const unsigned char *in, + int inlen, + const unsigned char *additionalData, + int additionalDataLen); +typedef SECStatus (*SSLCompressor)(void *context, + unsigned char *out, + int *outlen, + int maxout, + const unsigned char *in, + int inlen); +typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); + +/* The DTLS anti-replay window in number of packets. Defined here because we + * need it in the cipher spec. 
Note that this is a ring buffer but left and + * right represent the true window, with modular arithmetic used to map them + * onto the buffer. + */ +#define DTLS_RECVD_RECORDS_WINDOW 1024 +#define RECORD_SEQ_MAX ((1ULL << 48) - 1) +PR_STATIC_ASSERT(DTLS_RECVD_RECORDS_WINDOW % 8 == 0); + +typedef struct DTLSRecvdRecordsStr { + unsigned char data[DTLS_RECVD_RECORDS_WINDOW / 8]; + sslSequenceNumber left; + sslSequenceNumber right; +} DTLSRecvdRecords; + +/* +** These are the "specs" in the "ssl3" struct. +** Access to the pointers to these specs, and all the specs' contents +** (direct and indirect) is protected by the reader/writer lock ss->specLock. +*/ +struct ssl3CipherSpecStr { + PRCList link; + const ssl3BulkCipherDef *cipher_def; + const ssl3MACDef *mac_def; + SSLCompressionMethod compression_method; + int mac_size; + SSLCipher encode; + SSLCipher decode; + SSLAEADCipher aead; + void *encodeContext; + void *decodeContext; + SSLCompressor compressor; /* Don't name these fields compress */ + SSLCompressor decompressor; /* and uncompress because zconf.h */ + /* may define them as macros. */ + SSLDestroy destroyCompressContext; + void *compressContext; + SSLDestroy destroyDecompressContext; + void *decompressContext; + PK11SymKey *master_secret; + sslSequenceNumber write_seq_num; + sslSequenceNumber read_seq_num; + SSL3ProtocolVersion version; + ssl3KeyMaterial client; + ssl3KeyMaterial server; + SECItem msItem; + DTLSEpoch epoch; + DTLSRecvdRecords recvdRecords; + /* The number of 0-RTT bytes that can be sent or received in TLS 1.3. This + * will be zero for everything but 0-RTT. */ + PRUint32 earlyDataRemaining; + + PRUint8 refCt; + const char *phase; +}; + typedef enum { never_cached, in_client_cache, in_server_cache, 
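Review bot: The trailing comment on `ssl3SidKeys` still reads `/* 52 bytes */` although the struct now also carries `msIsWrapped`: the members add up to 48 + 2 + 1 + 1 + 1 = 53 bytes before any padding. If anything depends on this size (a cache entry layout elsewhere, which this hunk does not show), a stale number is easy to trust. I would correct the comment and pin the size with the macro this hunk already uses, e.g. `PR_STATIC_ASSERT(sizeof(ssl3SidKeys) <= <expected size>);`. `msIsWrapped` presumably flags whether `wrapped_master_secret` holds a wrapped or a raw value, and it has no comment saying what the raw case means for whoever reads a stored entry.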
@@ -363,7 +527,7 @@ struct sslSessionIDStr { sslSessionID *next; /* chain used for client sockets, only */ Cached cached; int references; - PRTime lastAccessTime; + PRUint32 lastAccessTime; /* seconds since Jan 1, 1970 */ /* The rest of the members, except for the members of u.ssl3.locked, may * be modified only when the sid is not in any cache. @@ -381,15 +545,13 @@ struct sslSessionIDStr { SSL3ProtocolVersion version; - PRTime creationTime; - PRTime expirationTime; + PRUint32 creationTime; /* seconds since Jan 1, 1970 */ + PRUint32 expirationTime; /* seconds since Jan 1, 1970 */ SSLAuthType authType; PRUint32 authKeyBits; SSLKEAType keaType; PRUint32 keaKeyBits; - SSLNamedGroup keaGroup; - SSLSignatureScheme sigScheme; union { struct { @@ -398,6 +560,7 @@ struct sslSessionIDStr { PRUint8 sessionID[SSL3_SESSIONID_BYTES]; ssl3CipherSuite cipherSuite; + SSLCompressionMethod compression; int policy; ssl3SidKeys keys; /* mechanism used to wrap master secret */ @@ -464,13 +627,13 @@ struct sslSessionIDStr { } u; }; -struct ssl3CipherSuiteDefStr { +typedef struct ssl3CipherSuiteDefStr { ssl3CipherSuite cipher_suite; SSL3BulkCipher bulk_cipher_alg; SSL3MACAlgorithm mac_alg; SSL3KeyExchangeAlgorithm key_exchange_alg; SSLHashType prf_hash; -}; +} ssl3CipherSuiteDef; /* ** There are tables of these, all const. 
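Review bot: `lastAccessTime` in `sslSessionIDStr` becomes a 32-bit count of seconds, the next hunk does the same for `creationTime` and `expirationTime`, and `timestamp` in `SessionTicket` further down follows suit without the unit comment. An expiry check written as `creationTime + lifetime < now` can wrap in 32-bit arithmetic when the lifetime is large, which would misjudge whether a session is still valid. The code that does the comparison is not in this file, so this needs checking where the fields are consumed. At minimum `timestamp` should carry the same `/* seconds since Jan 1, 1970 */` comment as the other fields.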
@@ -493,6 +656,37 @@ typedef struct { SECOidTag oid; } ssl3KEADef; +/* +** There are tables of these, all const. +*/ +struct ssl3BulkCipherDefStr { + SSL3BulkCipher cipher; + SSLCipherAlgorithm calg; + unsigned int key_size; + unsigned int secret_key_size; + CipherType type; + unsigned int iv_size; + unsigned int block_size; + unsigned int tag_size; /* for AEAD ciphers. */ + unsigned int explicit_nonce_size; /* for AEAD ciphers. */ + SECOidTag oid; + const char *short_name; + /* The maximum number of records that can be sent/received with the same + * symmetric key before the connection will be terminated. */ + PRUint64 max_records; +}; + +/* +** There are tables of these, all const. +*/ +struct ssl3MACDefStr { + SSL3MACAlgorithm mac; + CK_MECHANISM_TYPE mmech; + int pad_size; + int mac_size; + SECOidTag oid; +}; + typedef enum { ssl_0rtt_none, /* 0-RTT not present */ ssl_0rtt_sent, /* 0-RTT sent (no decision yet) */ @@ -510,7 +704,6 @@ typedef enum { typedef enum { idle_handshake, wait_client_hello, - wait_end_of_early_data, wait_client_cert, wait_client_key, wait_cert_verify, @@ -567,15 +760,14 @@ typedef enum { handshake_hash_record } SSL3HandshakeHashType; -// A DTLS Timer. -typedef void (*DTLSTimerCb)(sslSocket *); - -typedef struct { - const char *label; - DTLSTimerCb cb; - PRIntervalTime started; - PRUint32 timeout; -} dtlsTimer; +/* This holds state for TLS 1.3 CertificateRequest handling. */ +typedef struct TLS13CertificateRequestStr { + PLArenaPool *arena; + SECItem context; + SSLSignatureScheme *signatureSchemes; + unsigned int signatureSchemeCount; + CERTDistNames ca_list; +} TLS13CertificateRequest; /* ** This is the "hs" member of the "ssl3" struct. 
@@ -599,12 +791,13 @@ typedef struct SSL3HandshakeStateStr { const ssl3KEADef *kea_def; ssl3CipherSuite cipher_suite; const ssl3CipherSuiteDef *suite_def; + SSLCompressionMethod compression; sslBuffer msg_body; /* protected by recvBufLock */ /* partial handshake message from record layer */ unsigned int header_bytes; /* number of bytes consumed from handshake */ /* message for message type and header length */ - SSLHandshakeType msg_type; + SSL3HandshakeType msg_type; unsigned long msg_len; PRBool isResuming; /* we are resuming (not used in TLS 1.3) */ PRBool sendingSCSV; /* instead of empty RI */ 
@@ -641,25 +834,25 @@ typedef struct SSL3HandshakeStateStr { PRCList remoteExtensions; /* Parsed incoming extensions */ /* This group of values is used for DTLS */ - PRUint16 sendMessageSeq; /* The sending message sequence + PRUint16 sendMessageSeq; /* The sending message sequence * number */ - PRCList lastMessageFlight; /* The last message flight we + PRCList lastMessageFlight; /* The last message flight we * sent */ - PRUint16 maxMessageSent; /* The largest message we sent */ - PRUint16 recvMessageSeq; /* The receiving message sequence + PRUint16 maxMessageSent; /* The largest message we sent */ + PRUint16 recvMessageSeq; /* The receiving message sequence * number */ - sslBuffer recvdFragments; /* The fragments we have received in + sslBuffer recvdFragments; /* The fragments we have received in * a bitmask */ - PRInt32 recvdHighWater; /* The high water mark for fragments + PRInt32 recvdHighWater; /* The high water mark for fragments * received. -1 means no reassembly * in progress. */ - SECItem cookie; /* The Hello(Retry|Verify)Request cookie. */ - dtlsTimer timers[3]; /* Holder for timers. */ - dtlsTimer *rtTimer; /* Retransmit timer. */ - dtlsTimer *ackTimer; /* Ack timer (DTLS 1.3 only). */ - dtlsTimer *hdTimer; /* Read cipher holddown timer (DLTS 1.3 only) */ - PRUint32 rtRetries; /* The retry counter */ - SECItem srvVirtName; /* for server: name that was negotiated + SECItem cookie; /* The Hello(Retry|Verify)Request cookie. */ + PRIntervalTime rtTimerStarted; /* When the timer was started */ + DTLSTimerCb rtTimerCb; /* The function to call on expiry */ + PRUint32 rtTimeoutMs; /* The length of the current timeout + * used for backoff (in ms) */ + PRUint32 rtRetries; /* The retry counter */ + SECItem srvVirtName; /* for server: name that was negotiated * with a client. For client - is * always set to NULL.*/ 
@@ -676,37 +869,22 @@ typedef struct SSL3HandshakeStateStr { PK11SymKey *serverTrafficSecret; /* traffic keys */ PK11SymKey *earlyExporterSecret; /* for 0-RTT exporters */ PK11SymKey *exporterSecret; /* for exporters */ - PRCList cipherSpecs; /* The cipher specs in the sequence they - * will be applied. */ - sslZeroRttState zeroRttState; /* Are we doing a 0-RTT handshake? */ - sslZeroRttIgnore zeroRttIgnore; /* Are we ignoring 0-RTT? */ - ssl3CipherSuite zeroRttSuite; /* The cipher suite we used for 0-RTT. */ - PRCList bufferedEarlyData; /* Buffered TLS 1.3 early data - * on server.*/ - PRBool helloRetry; /* True if HelloRetryRequest has been sent - * or received. */ - PRBool receivedCcs; /* A server received ChangeCipherSpec - * before the handshake started. */ - PRBool clientCertRequested; /* True if CertificateRequest received. */ - ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def - * we use for TLS 1.3 */ - PRTime serverHelloTime; /* Time the ServerHello flight was sent. */ - PRUint16 ticketNonce; /* A counter we use for tickets. */ - SECItem fakeSid; /* ... (server) the SID the client used. */ - PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */ - - /* The following lists contain DTLSHandshakeRecordEntry */ - PRCList dtlsSentHandshake; /* Used to map records to handshake fragments. */ - PRCList dtlsRcvdHandshake; /* Handshake records we have received - * used to generate ACKs. */ + /* The certificate request from the server. */ + TLS13CertificateRequest *certificateRequest; + PRCList cipherSpecs; /* The cipher specs in the sequence they + * will be applied. */ + sslZeroRttState zeroRttState; /* Are we doing a 0-RTT handshake? */ + sslZeroRttIgnore zeroRttIgnore; /* Are we ignoring 0-RTT? */ + ssl3CipherSuite zeroRttSuite; /* The cipher suite we used for 0-RTT. */ + PRCList bufferedEarlyData; /* Buffered TLS 1.3 early data + * on server.*/ + PRBool helloRetry; /* True if HelloRetryRequest has been sent + * or received. 
*/ + ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def + * we use for TLS 1.3 */ + PRBool shortHeaders; /* Assigned if we are doing short headers. */ } SSL3HandshakeState; -#define SSL_ASSERT_HASHES_EMPTY(ss) \ - do { \ - PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown); \ - PORT_Assert(ss->ssl3.hs.messages.len == 0); \ - } while (0) - /* ** This is the "ssl3" struct, as in "ss->ssl3". ** note: @@ -726,10 +904,6 @@ struct ssl3StateStr { ssl3CipherSpec *cwSpec; /* current write spec. */ ssl3CipherSpec *pwSpec; /* pending write spec. */ - /* This is true after the peer requests a key update; false after a key - * update is initiated locally. */ - PRBool peerRequestedKeyUpdate; - /* Internal callback for when we do a cipher suite change. Used for * debugging in TLS 1.3. This can only be set by non-public functions. */ sslCipherSpecChangedFunc changedCipherSpecFunc; @@ -750,7 +924,9 @@ struct ssl3StateStr { /* chain while we are trying to validate it. */ CERTDistNames *ca_list; /* used by server. trusted CAs for this socket. */ + PRBool initialized; SSL3HandshakeState hs; + ssl3CipherSpec specs[2]; /* one is current, one is pending. */ PRUint16 mtu; /* Our estimate of the MTU */ @@ -819,12 +995,11 @@ typedef struct SessionTicketStr { PRBool valid; SSL3ProtocolVersion ssl_version; ssl3CipherSuite cipher_suite; + SSLCompressionMethod compression_method; SSLAuthType authType; PRUint32 authKeyBits; SSLKEAType keaType; PRUint32 keaKeyBits; - SSLNamedGroup originalKeaGroup; - SSLSignatureScheme signatureScheme; const sslNamedGroupDef *namedCurve; /* For certificate lookup. */ /* 
@@ -837,13 +1012,11 @@ typedef struct SessionTicketStr { PRBool extendedMasterSecretUsed; ClientAuthenticationType client_auth_type; SECItem peer_cert; - PRTime timestamp; + PRUint32 timestamp; PRUint32 flags; SECItem srvName; /* negotiated server name */ SECItem alpnSelection; PRUint32 maxEarlyData; - PRUint32 ticketAgeBaseline; - SECItem applicationToken; } SessionTicket; /* @@ -893,7 +1066,6 @@ struct sslSecurityInfoStr { SSLKEAType keaType; PRUint32 keaKeyBits; const sslNamedGroupDef *keaGroup; - const sslNamedGroupDef *originalKeaGroup; /* The selected certificate (for servers only). */ const sslServerCert *serverCert; @@ -979,9 +1151,6 @@ struct sslSocketStr { void *pkcs11PinArg; SSLNextProtoCallback nextProtoCallback; void *nextProtoArg; - SSLHelloRetryRequestCallback hrrCallback; - void *hrrCallbackArg; - PRCList extensionHooks; PRIntervalTime rTimeout; /* timeout for NSPR I/O */ PRIntervalTime wTimeout; /* timeout for NSPR I/O */ @@ -1072,7 +1241,6 @@ extern char ssl_debug; extern char ssl_trace; extern FILE *ssl_trace_iob; extern FILE *ssl_keylog_iob; -extern PZLock *ssl_keylog_lock; extern PRUint32 ssl3_sid_timeout; extern PRUint32 ssl_ticket_lifetime; extern PRUint32 ssl_max_early_data_size; 
@@ -1163,10 +1331,14 @@ extern SECStatus ssl_BeginClientHandshake(sslSocket *ss); extern SECStatus ssl_BeginServerHandshake(sslSocket *ss); extern int ssl_Do1stHandshake(sslSocket *ss); +extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen); +extern SECStatus sslBuffer_Append(sslBuffer *b, const void *data, + unsigned int len); +extern void sslBuffer_Clear(sslBuffer *b); + extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec); -extern SECStatus ssl3_InitPendingCipherSpecs(sslSocket *ss, PK11SymKey *secret, - PRBool derive); +extern void ssl3_InitCipherSpec(ssl3CipherSpec *spec); extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server); extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID, const char *urlSvrName); @@ -1191,20 +1363,11 @@ extern SECStatus ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled); extern SECStatus ssl3_ConstrainRangeByPolicy(void); -extern SECStatus ssl3_InitState(sslSocket *ss); -extern SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, - int maxOutputLen, const unsigned char *input, - int inputLen); +extern void ssl3_InitState(sslSocket *ss); extern void ssl3_RestartHandshakeHashes(sslSocket *ss); extern SECStatus ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, unsigned int l); -SECStatus -ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType type, - PRUint32 dtlsSeq, - const PRUint8 *b, PRUint32 length); -SECStatus ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType type, - const PRUint8 *b, PRUint32 length); /* Returns PR_TRUE if we are still waiting for the server to complete its * response to our client second round. Once we've received the Finished from 
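Review bot: `ssl3_InitState` now returns `void`, so a failure inside it can no longer reach the caller through the prototype. Its body is not part of this diff; if any step in it can fail, the only visible channel left is the `initialized` flag this diff adds to `ssl3StateStr`, and every caller would have to test that flag before touching `ss->ssl3`. A one-line comment on the declaration stating the contract would help, e.g. `/* Cannot fail; sets ss->ssl3.initialized. */`, if that is indeed the behaviour.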
@@ -1217,14 +1380,21 @@ extern PRInt32 ssl3_SendRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, const PRUint8 *pIn, PRInt32 nIn, PRInt32 flags); -/* Clear any PRCList, optionally calling f on the value. */ -void ssl_ClearPRCList(PRCList *list, void (*f)(void *)); +#ifdef NSS_SSL_ENABLE_ZLIB +/* + * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a + * maximum TLS record payload of 2**14 bytes, that's 29 bytes. + */ +#define SSL3_COMPRESSION_MAX_EXPANSION 29 +#else /* !NSS_SSL_ENABLE_ZLIB */ +#define SSL3_COMPRESSION_MAX_EXPANSION 0 +#endif /* - * Make sure there is room in the write buffer for padding and - * cryptographic expansions. + * make sure there is room in the write buffer for padding and + * other compression and cryptographic expansions. */ -#define SSL3_BUFFER_FUDGE 100 +#define SSL3_BUFFER_FUDGE 100 + SSL3_COMPRESSION_MAX_EXPANSION #define SSL_LOCK_READER(ss) \ if (ss->recvLock) \ @@ -1377,7 +1547,7 @@ extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error); * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos */ extern SECStatus ssl3_HandleV2ClientHello( - sslSocket *ss, unsigned char *buffer, unsigned int length, PRUint8 padding); + sslSocket *ss, unsigned char *buffer, int length, PRUint8 padding); SECStatus ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type); @@ -1413,7 +1583,7 @@ extern PRBool ssl_HaveEphemeralKeyPair(const sslSocket *ss, const sslNamedGroupDef *groupDef); extern void ssl_FreeEphemeralKeyPairs(sslSocket *ss); -extern SECStatus ssl_AppendPaddedDHKeyShare(sslBuffer *buf, +extern SECStatus ssl_AppendPaddedDHKeyShare(const sslSocket *ss, const SECKEYPublicKey *pubKey, PRBool appendLength); extern const ssl3DHParams *ssl_GetDHEParams(const sslNamedGroupDef *groupDef); 
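Review bot: `SSL3_BUFFER_FUDGE` is now defined as `100 + SSL3_COMPRESSION_MAX_EXPANSION` without parentheses, so any use inside a larger expression binds wrongly. With zlib enabled, `n - SSL3_BUFFER_FUDGE` expands to `n - 100 + 29` and `2 * SSL3_BUFFER_FUDGE` to `2 * 100 + 29`. The hunk's own comment says the constant reserves room in the write buffer for padding and expansion, so a mis-evaluated expression reserves the wrong amount of space. The definition should be `#define SSL3_BUFFER_FUDGE (100 + SSL3_COMPRESSION_MAX_EXPANSION)`; the use sites are outside this file and should be checked.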
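Review bot: The `length` parameter of `ssl3_HandleV2ClientHello` becomes a signed `int`, and the comment above the declaration says the function handles hellos sent by clients. A signed length invites mixed signed/unsigned comparisons in bounds checks, where a negative value converts to a very large unsigned one. Keeping `unsigned int length` avoids that; otherwise the function needs an explicit `length < 0` rejection before the first use. The function body is not in this diff, so whether such a check exists cannot be confirmed here.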
@@ -1475,10 +1645,6 @@ extern SECStatus ssl_ClientReadVersion(sslSocket *ss, PRUint8 **b, extern SECStatus ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion, PRBool allowLargerPeerVersion); -extern SECStatus ssl_ClientSetCipherSuite(sslSocket *ss, - SSL3ProtocolVersion version, - ssl3CipherSuite suite, - PRBool initHashes); extern SECStatus ssl_GetPeerInfo(sslSocket *ss); @@ -1494,11 +1660,23 @@ extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss); extern SECStatus ssl_ImportECDHKeyShare( sslSocket *ss, SECKEYPublicKey *peerKey, PRUint8 *b, PRUint32 length, const sslNamedGroupDef *curve); +SECStatus tls13_EncodeECDHEKeyShareKEX(const sslSocket *ss, + const SECKEYPublicKey *pubKey); extern SECStatus ssl3_ComputeCommonKeyHash(SSLHashType hashAlg, PRUint8 *hashBuf, unsigned int bufLen, SSL3Hashes *hashes); +extern void ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName); +extern SECStatus ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms); +extern SECStatus ssl3_AppendHandshake(sslSocket *ss, const void *void_src, + PRInt32 bytes); +extern SECStatus ssl3_AppendHandshakeHeader(sslSocket *ss, + SSL3HandshakeType t, PRUint32 length); +extern SECStatus ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, + PRInt32 lenSize); +extern SECStatus ssl3_AppendHandshakeVariable(sslSocket *ss, + const PRUint8 *src, PRInt32 bytes, PRInt32 lenSize); extern SECStatus ssl3_AppendSignatureAndHashAlgorithm( sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash); extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRUint32 bytes, 
@@ -1506,12 +1684,11 @@ extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRUint32 bytes, extern SECStatus ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRUint32 *num, PRUint32 bytes, PRUint8 **b, PRUint32 *length); -extern SECStatus ssl3_ConsumeHandshakeNumber64(sslSocket *ss, PRUint64 *num, - PRUint32 bytes, PRUint8 **b, - PRUint32 *length); extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRUint32 bytes, PRUint8 **b, PRUint32 *length); +extern PRUint8 *ssl_EncodeUintX(PRUint64 value, unsigned int bytes, + PRUint8 *to); extern PRBool ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme); extern SECStatus ssl_CheckSignatureSchemeConsistency( sslSocket *ss, SSLSignatureScheme scheme, CERTCertificate *cert); @@ -1526,20 +1703,16 @@ extern SECStatus ssl3_SignHashes(sslSocket *ss, SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf); extern SECStatus ssl3_VerifySignedHashes(sslSocket *ss, SSLSignatureScheme scheme, SSL3Hashes *hash, SECItem *buf); -extern SECStatus ssl3_CacheWrappedSecret(sslSocket *ss, sslSessionID *sid, - PK11SymKey *secret); +extern SECStatus ssl3_CacheWrappedMasterSecret( + sslSocket *ss, sslSessionID *sid, ssl3CipherSpec *spec); extern void ssl3_FreeSniNameArray(TLSExtensionData *xtnData); /* Hello Extension related routines. */ extern void ssl3_SetSIDSessionTicket(sslSessionID *sid, /*in/out*/ NewSessionTicket *session_ticket); SECStatus ssl3_EncodeSessionTicket(sslSocket *ss, - const NewSessionTicket *ticket, - const PRUint8 *appToken, - unsigned int appTokenLen, - PK11SymKey *secret, SECItem *ticket_data); -SECStatus SSLExp_SendSessionTicket(PRFileDesc *fd, const PRUint8 *token, - unsigned int tokenLen); + const NewSessionTicket *ticket_input, + SECItem *ticket_data); SECStatus ssl_MaybeSetSelfEncryptKeyPair(const sslKeyPair *keyPair); SECStatus ssl_GetSelfEncryptKeys(sslSocket *ss, unsigned char *keyName, 
@@ -1555,7 +1728,7 @@ extern void ssl_FreePRSocket(PRFileDesc *fd); /* Internal config function so SSL3 can initialize the present state of * various ciphers */ -extern unsigned int ssl3_config_match_init(sslSocket *); +extern int ssl3_config_match_init(sslSocket *); /* calls for accessing wrapping keys across processes. */ extern SECStatus 
@@ -1585,11 +1758,44 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit); extern SECStatus ssl_FreeSessionCacheLocks(void); +/**************** DTLS-specific functions **************/ +extern void dtls_FreeHandshakeMessage(DTLSQueuedMessage *msg); +extern void dtls_FreeHandshakeMessages(PRCList *lst); + +extern SECStatus dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf); +extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss, + PRUint8 *b, PRUint32 length); +extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss); +extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type, + const PRUint8 *pIn, PRInt32 nIn); +extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags); +SECStatus ssl3_DisableNonDTLSSuites(sslSocket *ss); +extern SECStatus dtls_StartHolddownTimer(sslSocket *ss); +extern void dtls_CheckTimer(sslSocket *ss); +extern void dtls_CancelTimer(sslSocket *ss); +extern void dtls_SetMTU(sslSocket *ss, PRUint16 advertised); +extern void dtls_InitRecvdRecords(DTLSRecvdRecords *records); +extern int dtls_RecordGetRecvd(const DTLSRecvdRecords *records, + sslSequenceNumber seq); +extern void dtls_RecordSetRecvd(DTLSRecvdRecords *records, + sslSequenceNumber seq); +extern void dtls_RehandshakeCleanup(sslSocket *ss); +extern SSL3ProtocolVersion +dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv); +extern SSL3ProtocolVersion +dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv); +extern PRBool dtls_IsRelevant(sslSocket *ss, const SSL3Ciphertext *cText, + PRBool *sameEpoch, PRUint64 *seqNum); +extern SECStatus dtls_MaybeRetransmitHandshake(sslSocket *ss, + const SSL3Ciphertext *cText, + PRBool sameEpoch); + CK_MECHANISM_TYPE ssl3_Alg2Mech(SSLCipherAlgorithm calg); SECStatus ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites, PRBool initHashes); SECStatus ssl3_InitHandshakeHashes(sslSocket *ss); SECStatus ssl3_ServerCallSNICallback(sslSocket *ss); +SECStatus ssl3_SetupPendingCipherSpec(sslSocket 
*ss); SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags); SECStatus ssl3_CompleteHandleCertificate(sslSocket *ss, PRUint8 *b, PRUint32 length); @@ -1601,21 +1807,17 @@ SECStatus ssl3_SendCertificateStatus(sslSocket *ss); SECStatus ssl3_AuthCertificate(sslSocket *ss); SECStatus ssl_ReadCertificateStatus(sslSocket *ss, PRUint8 *b, PRUint32 length); -SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, sslBuffer *buf); -SECStatus ssl_GetCertificateRequestCAs(const sslSocket *ss, - unsigned int *calenp, - const SECItem **namesp, - unsigned int *nnamesp); +SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint8 *buf, + unsigned maxLen, PRUint32 *len); +SECStatus ssl_GetCertificateRequestCAs(sslSocket *ss, unsigned int *calenp, + SECItem **namesp, unsigned int *nnamesp); SECStatus ssl3_ParseCertificateRequestCAs(sslSocket *ss, PRUint8 **b, - PRUint32 *length, CERTDistNames *ca_list); + PRUint32 *length, PLArenaPool *arena, + CERTDistNames *ca_list); SECStatus ssl3_CompleteHandleCertificateRequest( sslSocket *ss, const SSLSignatureScheme *signatureSchemes, unsigned int signatureSchemeCount, CERTDistNames *ca_list); -SECStatus ssl_ConstructServerHello(sslSocket *ss, PRBool helloRetry, - const sslBuffer *extensionBuf, - sslBuffer *messageBuf); SECStatus ssl3_SendServerHello(sslSocket *ss); -SECStatus ssl3_SendChangeCipherSpecsInt(sslSocket *ss); SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss, ssl3CipherSpec *spec, SSL3Hashes *hashes, 
@@ -1630,9 +1832,10 @@ PK11SymKey *ssl3_GetWrappingKey(sslSocket *ss, PK11SlotInfo *masterSecretSlot, CK_MECHANISM_TYPE masterWrapMech, void *pwArg); -SECStatus ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid, - PK11SymKey *secret); +SECStatus ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid); const ssl3CipherSuiteDef *ssl_LookupCipherSuiteDef(ssl3CipherSuite suite); +const ssl3BulkCipherDef * +ssl_GetBulkCipherDef(const ssl3CipherSuiteDef *cipher_def); SECStatus ssl3_SelectServerCert(sslSocket *ss); SECStatus ssl_PickSignatureScheme(sslSocket *ss, SECKEYPublicKey *pubKey, @@ -1644,14 +1847,11 @@ SECOidTag ssl3_HashTypeToOID(SSLHashType hashType); SSLHashType ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme); KeyType ssl_SignatureSchemeToKeyType(SSLSignatureScheme scheme); -SECStatus ssl3_SetupCipherSuite(sslSocket *ss, PRBool initHashes); - -/* Pull in DTLS functions */ -#include "dtlscon.h" +SECStatus ssl3_SetCipherSuite(sslSocket *ss, ssl3CipherSuite chosenSuite, + PRBool initHashes); /* Pull in TLS 1.3 functions */ #include "tls13con.h" -#include "dtls13con.h" /********************** misc calls *********************/ 
@@ -1661,27 +1861,22 @@ extern void ssl3_CheckCipherSuiteOrderConsistency(); extern int ssl_MapLowLevelError(int hiLevelError); -extern PRUint32 ssl_TimeSec(void); -#ifdef UNSAFE_FUZZER_MODE -#define ssl_TimeUsec() ((PRTime)12345678) -#else -#define ssl_TimeUsec() (PR_Now()) -#endif +extern PRUint32 ssl_Time(void); extern PRBool ssl_TicketTimeValid(const NewSessionTicket *ticket); extern void SSL_AtomicIncrementLong(long *x); SECStatus ssl3_ApplyNSSPolicy(void); +extern HASH_HashType +ssl3_GetTls12HashType(sslSocket *ss); + extern SECStatus ssl3_TLSPRFWithMasterSecret(sslSocket *ss, ssl3CipherSpec *spec, const char *label, unsigned int labelLen, const unsigned char *val, unsigned int valLen, unsigned char *out, unsigned int outLen); -extern void -ssl3_RecordKeyLog(sslSocket *ss, const char *label, PK11SymKey *secret); - PRBool ssl_AlpnTagAllowed(const sslSocket *ss, const SECItem *tag); #ifdef TRACE |