diff options
Diffstat (limited to 'security/nss/lib/ssl/sslimpl.h')
-rw-r--r-- | security/nss/lib/ssl/sslimpl.h | 48 |
1 files changed, 36 insertions, 12 deletions
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index a2209e90a1..35240d2fba 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -36,6 +36,10 @@ typedef struct sslSocketStr sslSocket; typedef struct sslNamedGroupDefStr sslNamedGroupDef; +typedef struct sslEsniKeysStr sslEsniKeys; +typedef struct sslEphemeralKeyPairStr sslEphemeralKeyPair; +typedef struct TLS13KeyShareEntryStr TLS13KeyShareEntry; + #include "sslencode.h" #include "sslexp.h" #include "ssl3ext.h" @@ -230,7 +234,7 @@ typedef struct { #define MAX_DTLS_SRTP_CIPHER_SUITES 4 /* MAX_SIGNATURE_SCHEMES allows for all the values we support. */ -#define MAX_SIGNATURE_SCHEMES 15 +#define MAX_SIGNATURE_SCHEMES 18 typedef struct sslOptionsStr { /* If SSL_SetNextProtoNego has been called, then this contains the @@ -266,6 +270,8 @@ typedef struct sslOptionsStr { unsigned int enable0RttData : 1; unsigned int enableTls13CompatMode : 1; unsigned int enableDtlsShortHeader : 1; + unsigned int enableHelloDowngradeCheck : 1; + unsigned int enableV2CompatibleHello : 1; } sslOptions; typedef enum { sslHandshakingUndetermined = 0, @@ -552,16 +558,16 @@ typedef SECStatus (*sslRestartTarget)(sslSocket *); typedef struct DTLSQueuedMessageStr { PRCList link; /* The linked list link */ ssl3CipherSpec *cwSpec; /* The cipher spec to use, null for none */ - SSL3ContentType type; /* The message type */ + SSLContentType type; /* The message type */ unsigned char *data; /* The data */ PRUint16 len; /* The data length */ } DTLSQueuedMessage; -typedef struct TLS13KeyShareEntryStr { +struct TLS13KeyShareEntryStr { PRCList link; /* The linked list link */ const sslNamedGroupDef *group; /* The group for the entry */ SECItem key_exchange; /* The share itself */ -} TLS13KeyShareEntry; +}; typedef struct TLS13EarlyDataStr { PRCList link; /* The linked list link */ @@ -803,11 +809,11 @@ struct sslKeyPairStr { PRInt32 refCount; /* use PR_Atomic calls for this. */ }; -typedef struct { +struct sslEphemeralKeyPairStr { PRCList link; const sslNamedGroupDef *group; sslKeyPair *keys; -} sslEphemeralKeyPair; +}; struct ssl3DHParamsStr { SSLNamedGroup name; @@ -1064,6 +1070,10 @@ struct sslSocketStr { /* Whether we are doing stream or datagram mode */ SSLProtocolVariant protocolVariant; + + /* The information from the ESNI keys record + * (also the private key for the server). */ + sslEsniKeys *esniKeys; }; struct sslSelfEncryptKeysStr { @@ -1168,11 +1178,13 @@ extern int ssl_Do1stHandshake(sslSocket *ss); extern SECStatus ssl3_InitPendingCipherSpecs(sslSocket *ss, PK11SymKey *secret, PRBool derive); +extern void ssl_DestroyKeyMaterial(ssl3KeyMaterial *keyMaterial); extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server); extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID, const char *urlSvrName); extern void ssl_FreeSID(sslSessionID *sid); extern void ssl_DestroySID(sslSessionID *sid, PRBool freeIt); +extern sslSessionID *ssl_ReferenceSID(sslSessionID *sid); extern int ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in, int len, int flags); @@ -1215,7 +1227,7 @@ SECStatus ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType type, extern PRBool ssl3_WaitingForServerSecondRound(sslSocket *ss); extern PRInt32 ssl3_SendRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, - SSL3ContentType type, + SSLContentType type, const PRUint8 *pIn, PRInt32 nIn, PRInt32 flags); @@ -1387,7 +1399,7 @@ SECStatus ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type); * input into the SSL3 machinery from the actualy network reading code */ SECStatus ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cipher); -SECStatus ssl3_HandleNonApplicationData(sslSocket *ss, SSL3ContentType rType, +SECStatus ssl3_HandleNonApplicationData(sslSocket *ss, SSLContentType rType, DTLSEpoch epoch, sslSequenceNumber seqNum, sslBuffer *databuf); @@ -1497,7 +1509,7 @@ extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss, sslKeyPair *serverKeys); extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss); extern SECStatus ssl_ImportECDHKeyShare( - sslSocket *ss, SECKEYPublicKey *peerKey, + SECKEYPublicKey *peerKey, PRUint8 *b, PRUint32 length, const sslNamedGroupDef *curve); extern SECStatus ssl3_ComputeCommonKeyHash(SSLHashType hashAlg, @@ -1562,6 +1574,12 @@ extern void ssl_FreePRSocket(PRFileDesc *fd); * various ciphers */ extern unsigned int ssl3_config_match_init(sslSocket *); +/* Return PR_TRUE if suite is usable. This if the suite is permitted by policy, + * enabled, has a certificate (as needed), has a viable key agreement method, is + * usable with the negotiated TLS version, and is otherwise usable. */ +PRBool ssl3_config_match(const ssl3CipherSuiteCfg *suite, PRUint8 policy, + const SSLVersionRange *vrange, const sslSocket *ss); + /* calls for accessing wrapping keys across processes. */ extern SECStatus ssl_GetWrappingKey(unsigned int symWrapMechIndex, unsigned int wrapKeyIndex, @@ -1591,6 +1609,8 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit); extern SECStatus ssl_FreeSessionCacheLocks(void); CK_MECHANISM_TYPE ssl3_Alg2Mech(SSLCipherAlgorithm calg); +SECStatus ssl3_NegotiateCipherSuiteInner(sslSocket *ss, const SECItem *suites, + PRUint16 version, PRUint16 *suitep); SECStatus ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites, PRBool initHashes); SECStatus ssl3_InitHandshakeHashes(sslSocket *ss); @@ -1638,8 +1658,12 @@ PK11SymKey *ssl3_GetWrappingKey(sslSocket *ss, SECStatus ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid, PK11SymKey *secret); const ssl3CipherSuiteDef *ssl_LookupCipherSuiteDef(ssl3CipherSuite suite); +const ssl3CipherSuiteCfg *ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, + const ssl3CipherSuiteCfg *suites); + SECStatus ssl3_SelectServerCert(sslSocket *ss); SECStatus ssl_PickSignatureScheme(sslSocket *ss, + CERTCertificate *cert, SECKEYPublicKey *pubKey, SECKEYPrivateKey *privKey, const SSLSignatureScheme *peerSchemes, @@ -1647,11 +1671,11 @@ SECStatus ssl_PickSignatureScheme(sslSocket *ss, PRBool requireSha1); SECOidTag ssl3_HashTypeToOID(SSLHashType hashType); SSLHashType ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme); -KeyType ssl_SignatureSchemeToKeyType(SSLSignatureScheme scheme); +SSLAuthType ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme); SECStatus ssl3_SetupCipherSuite(sslSocket *ss, PRBool initHashes); SECStatus ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec, - SSL3ContentType contentType, sslBuffer *wrBuf, + SSLContentType contentType, sslBuffer *wrBuf, PRBool *needsLength); /* Pull in DTLS functions */ @@ -1703,7 +1727,7 @@ void ssl_Trace(const char *format, ...); void ssl_CacheExternalToken(sslSocket *ss); SECStatus ssl_DecodeResumptionToken(sslSessionID *sid, const PRUint8 *encodedTicket, PRUint32 encodedTicketLen); -PRBool ssl_IsResumptionTokenValid(sslSocket *ss); +PRBool ssl_IsResumptionTokenUsable(sslSocket *ss, sslSessionID *sid); /* Remove when stable. */ |