/root/firefox-clang/security/nss/lib/ssl/sslimpl.h

Bug Summary

File:

root/firefox-clang/security/nss/lib/ssl/sslimpl.h

Warning:

line 642, column 16
Excessive padding in 'struct SSL3HandshakeStateStr' (53 padding bytes, where 5 is optimal). Optimal fields order: md5, sha, shaEchInner, shaPostHandshake, kea_def, suite_def, msg_len, clientAuthSignatureSchemes, restartTarget, rtTimer, ackTimer, hdTimer, currentSecret, resumptionMasterSecret, dheSecret, clientEarlyTrafficSecret, clientHsTrafficSecret, serverHsTrafficSecret, clientTrafficSecret, serverTrafficSecret, earlyExporterSecret, exporterSecret, rttEstimate, echHpkeCtx, echPublicName, grease, dtlsHandhakeKeyUpdateMessage, chExtensionPermutation, remoteExtensions, echOuterExtensions, lastMessageFlight, cipherSpecs, bufferedEarlyData, psks, dtlsSentHandshake, dtlsRcvdHandshake, messages, echInnerMessages, msg_body, recvdFragments, cookie, srvVirtName, fakeSid, greaseEchBuf, dtls13ClientMessageBuffer, newSessionTicket, timers, ws, hashType, signatureScheme, header_bytes, msg_type, isResuming, sendingSCSV, receivedNewSessionTicket, clientCertificatePending, clientAuthSignatureSchemesLen, authCertificatePending, canFalseStart, preliminaryInfo, recvdHighWater, isKeyUpdateInProgress, allowPreviousEpoch, rtRetries, zeroRttState, zeroRttIgnore, helloRetry, receivedCcs, rejectCcs, clientCertRequested, endOfFlight, echAccepted, echDecided, echInvalidExtension, keyUpdateDeferred, deferredKeyUpdateRequest, kea_def_mutable, cipher_suite, finishedBytes, sendMessageSeq, maxMessageSent, recvMessageSeq, zeroRttSuite, ticketNonce, greaseEchSize, server_random, client_random, client_inner_random, finishedMsgs, consider reordering the fields or adding explicit padding members

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name authcert.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -ffp-contract=off -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/root/firefox-clang/obj-x86_64-pc-linux-gnu/security/nss/lib/ssl/ssl_ssl -fcoverage-compilation-dir=/root/firefox-clang/obj-x86_64-pc-linux-gnu/security/nss/lib/ssl/ssl_ssl -resource-dir /usr/lib/llvm-21/lib/clang/21 -include /root/firefox-clang/obj-x86_64-pc-linux-gnu/mozilla-config.h -U _FORTIFY_SOURCE -D _FORTIFY_SOURCE=2 -D _GLIBCXX_ASSERTIONS -D DEBUG -D NSS_FIPS_DISABLED -D NSS_NO_INIT_SUPPORT -D NSS_X86_OR_X64 -D NSS_X64 -D NSS_USE_64 -D NSS_ALLOW_SSLKEYLOGFILE -D USE_UTIL_DIRECTLY -D NO_NSPR_10_SUPPORT -D SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -D LINUX2_1 -D LINUX -D linux -D _DEFAULT_SOURCE -D _BSD_SOURCE -D _POSIX_SOURCE -D SDB_MEASURE_USE_TEMP_DIR -D HAVE_STRERROR -D XP_UNIX -D _REENTRANT -D NSS_DISABLE_DBM -D NSS_DISABLE_LIBPKIX -I /root/firefox-clang/security/nss/lib/ssl -I /root/firefox-clang/obj-x86_64-pc-linux-gnu/security/nss/lib/ssl/ssl_ssl -I /root/firefox-clang/obj-x86_64-pc-linux-gnu/dist/include/nspr -I /root/firefox-clang/obj-x86_64-pc-linux-gnu/dist/include/private/nss -I /root/firefox-clang/obj-x86_64-pc-linux-gnu/dist/include/nss -I /root/firefox-clang/obj-x86_64-pc-linux-gnu/dist/include -D MOZILLA_CLIENT -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O2 -Wno-error=tautological-type-limit-compare -Wno-range-loop-analysis -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wno-error=atomic-alignment -Wno-error=deprecated-builtins -Wno-psabi -Wno-error=builtin-macro-redefined -Wno-unknown-warning-option -ferror-limit 19 -fstrict-flex-arrays=1 -stack-protector 2 -fstack-clash-protection -ftrivial-auto-var-init=pattern -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -vectorize-loops -vectorize-slp -analyzer-checker optin.performance.Padding -analyzer-output=html -analyzer-config stable-report-filename=true -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2025-06-30-093548-1913035-1 -x c /root/firefox-clang/security/nss/lib/ssl/authcert.c

1	/* -- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -- */
2	/*
3	* This file is PRIVATE to SSL and should be the first thing included by
4	* any SSL implementation file.
5	*
6	* This Source Code Form is subject to the terms of the Mozilla Public
7	* License, v. 2.0. If a copy of the MPL was not distributed with this
8	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
9
10	#ifndef __sslimpl_h_
11	#define __sslimpl_h_
12
13	#ifdef DEBUG1
14	#undef NDEBUG
15	#else
16	#undef NDEBUG
17	#define NDEBUG
18	#endif
19	#include "secport.h"
20	#include "secerr.h"
21	#include "sslerr.h"
22	#include "sslexp.h"
23	#include "ssl3prot.h"
24	#include "hasht.h"
25	#include "nssilock.h"
26	#include "pkcs11t.h"
27	#if defined(XP_UNIX1)
28	#include "unistd.h"
29	#elif defined(XP_WIN)
30	#include <process.h>
31	#endif
32	#include "nssrwlk.h"
33	#include "prthread.h"
34	#include "prclist.h"
35	#include "private/pprthred.h"
36
37	#include "sslt.h" /* for some formerly private types, now public */
38
39	typedef struct sslSocketStr sslSocket;
40	typedef struct sslNamedGroupDefStr sslNamedGroupDef;
41	typedef struct sslEchConfigStr sslEchConfig;
42	typedef struct sslEchConfigContentsStr sslEchConfigContents;
43	typedef struct sslEchCookieDataStr sslEchCookieData;
44	typedef struct sslEchXtnStateStr sslEchXtnState;
45	typedef struct sslPskStr sslPsk;
46	typedef struct sslDelegatedCredentialStr sslDelegatedCredential;
47	typedef struct sslEphemeralKeyPairStr sslEphemeralKeyPair;
48	typedef struct TLS13KeyShareEntryStr TLS13KeyShareEntry;
49
50	#include "sslencode.h"
51	#include "sslexp.h"
52	#include "ssl3ext.h"
53	#include "sslspec.h"
54
55	#if defined(DEBUG1) \|\| defined(TRACE)
56	#ifdef __cplusplus
57	#define Debug 1
58	#else
59	extern int Debug;
60	#endif
61	#else
62	#undef Debug
63	#endif
64
65	#if defined(DEBUG1) && !defined(TRACE) && !defined(NISCC_TEST)
66	#define TRACE
67	#endif
68
69	#ifdef TRACE
70	#define SSL_TRC(a, b)if (ssl_trace >= (a)) ssl_Trace b \
71	if (ssl_trace >= (a)) \
72	ssl_Trace b
73	#define PRINT_BUF(a, b)if (ssl_trace >= (a)) ssl_PrintBuf b \
74	if (ssl_trace >= (a)) \
75	ssl_PrintBuf b
76	#define PRINT_KEY(a, b)if (ssl_trace >= (a)) ssl_PrintKey b \
77	if (ssl_trace >= (a)) \
78	ssl_PrintKey b
79	#else
80	#define SSL_TRC(a, b)if (ssl_trace >= (a)) ssl_Trace b
81	#define PRINT_BUF(a, b)if (ssl_trace >= (a)) ssl_PrintBuf b
82	#define PRINT_KEY(a, b)if (ssl_trace >= (a)) ssl_PrintKey b
83	#endif
84
85	#ifdef DEBUG1
86	#define SSL_DBG(b)if (ssl_debug) ssl_Trace b \
87	if (ssl_debug) \
88	ssl_Trace b
89	#else
90	#define SSL_DBG(b)if (ssl_debug) ssl_Trace b
91	#endif
92
93	#define LSB(x)((unsigned char)((x)&0xff)) ((unsigned char)((x)&0xff))
94	#define MSB(x)((unsigned char)(((unsigned)(x)) >> 8)) ((unsigned char)(((unsigned)(x)) >> 8))
95
96	#define CONST_CAST(T, X)((T )(X)) ((T )(X))
97
98	/************************************************************************/
99
100	typedef enum { SSLAppOpRead = 0,
101	SSLAppOpWrite,
102	SSLAppOpRDWR,
103	SSLAppOpPost,
104	SSLAppOpHeader
105	} SSLAppOperation;
106
107	#define SSL3_SESSIONID_BYTES32 32
108
109	#define SSL_MIN_CHALLENGE_BYTES16 16
110	#define SSL_MAX_CHALLENGE_BYTES32 32
111
112	#define SSL3_MASTER_SECRET_LENGTH48 48
113
114	/* number of wrap mechanisms potentially used to wrap master secrets. */
115	#define SSL_NUM_WRAP_MECHS15 15
116	#define SSL_NUM_WRAP_KEYS6 6
117
118	/* This makes the cert cache entry exactly 4k. */
119	#define SSL_MAX_CACHED_CERT_LEN4060 4060
120
121	#ifndef BPB8
122	#define BPB8 8 /* Bits Per Byte */
123	#endif
124
125	/* The default value from RFC 4347 is 1s, which is too slow. */
126	#define DTLS_RETRANSMIT_INITIAL_MS50 50
127	/* The maximum time to wait between retransmissions. */
128	#define DTLS_RETRANSMIT_MAX_MS10000 10000
129	/* Time to wait in FINISHED state for retransmissions. */
130	#define DTLS_RETRANSMIT_FINISHED_MS30000 30000
131
132	/* default number of entries in namedGroupPreferences */
133	#define SSL_NAMED_GROUP_COUNT33 33
134
135	/* The maximum DH and RSA bit-length supported. */
136	#define SSL_MAX_DH_KEY_BITS8192 8192
137	#define SSL_MAX_RSA_KEY_BITS8192 8192
138
139	/* Types and names of elliptic curves used in TLS */
140	typedef enum {
141	ec_type_explicitPrime = 1, /* not supported */
142	ec_type_explicitChar2Curve = 2, /* not supported */
143	ec_type_named = 3
144	} ECType;
145
146	typedef enum {
147	ticket_allow_early_data = 1,
148	ticket_allow_psk_ke = 2,
149	ticket_allow_psk_dhe_ke = 4,
150	ticket_allow_psk_auth = 8,
151	ticket_allow_psk_sign_auth = 16
152	} TLS13SessionTicketFlags;
153
154	typedef enum {
155	update_not_requested = 0,
156	update_requested = 1
157	} tls13KeyUpdateRequest;
158
159	struct sslNamedGroupDefStr {
160	/* The name is the value that is encoded on the wire in TLS. */
161	SSLNamedGroup name;
162	/* The number of bits in the group. */
163	unsigned int bits;
164	/* The key exchange algorithm this group provides. */
165	SSLKEAType keaType;
166	/* The OID that identifies the group to PKCS11. This also determines
167	* whether the group is enabled in policy. */
168	SECOidTag oidTag;
169	/* Assume that the group is always supported. */
170	PRBool assumeSupported;
171	};
172
173	typedef struct sslConnectInfoStr sslConnectInfo;
174	typedef struct sslGatherStr sslGather;
175	typedef struct sslSecurityInfoStr sslSecurityInfo;
176	typedef struct sslSessionIDStr sslSessionID;
177	typedef struct sslSocketOpsStr sslSocketOps;
178
179	typedef struct ssl3StateStr ssl3State;
180	typedef struct ssl3CertNodeStr ssl3CertNode;
181	typedef struct sslKeyPairStr sslKeyPair;
182	typedef struct ssl3DHParamsStr ssl3DHParams;
183
184	struct ssl3CertNodeStr {
185	struct ssl3CertNodeStr *next;
186	SECItem *derCert;
187	};
188
189	typedef SECStatus (sslHandshakeFunc)(sslSocket ss);
190
191	void ssl_CacheSessionID(sslSocket *ss);
192	void ssl_UncacheSessionID(sslSocket *ss);
193	void ssl_ServerCacheSessionID(sslSessionID *sid, PRTime creationTime);
194	void ssl_ServerUncacheSessionID(sslSessionID *sid);
195
196	typedef sslSessionID (sslSessionIDLookupFunc)(PRTime ssl_now,
197	const PRIPv6Addr *addr,
198	unsigned char *sid,
199	unsigned int sidLen,
200	CERTCertDBHandle *dbHandle);
201
202	/* Socket ops */
203	struct sslSocketOpsStr {
204	int (connect)(sslSocket , const PRNetAddr *);
205	PRFileDesc (accept)(sslSocket , PRNetAddr );
206	int (bind)(sslSocket , const PRNetAddr *);
207	int (listen)(sslSocket , int);
208	int (shutdown)(sslSocket , int);
209	int (close)(sslSocket );
210
211	int (recv)(sslSocket , unsigned char *, int, int);
212
213	/* points to the higher-layer send func, e.g. ssl_SecureSend. */
214	int (send)(sslSocket , const unsigned char *, int, int);
215	int (read)(sslSocket , unsigned char *, int);
216	int (write)(sslSocket , const unsigned char *, int);
217
218	int (getpeername)(sslSocket , PRNetAddr *);
219	int (getsockname)(sslSocket , PRNetAddr *);
220	};
221
222	/* Flags interpreted by ssl send functions. */
223	#define ssl_SEND_FLAG_FORCE_INTO_BUFFER0x40000000 0x40000000
224	#define ssl_SEND_FLAG_NO_BUFFER0x20000000 0x20000000
225	#define ssl_SEND_FLAG_NO_RETRANSMIT0x08000000 0x08000000 /* DTLS only */
226	#define ssl_SEND_FLAG_MASK0x7f000000 0x7f000000
227
228	/*
229	** SSL3 cipher suite policy and preference struct.
230	*/
231	typedef struct {
232	#if !defined(_WIN32)
233	unsigned int cipher_suite : 16;
234	unsigned int policy : 8;
235	unsigned int enabled : 1;
236	unsigned int isPresent : 1;
237	#else
238	ssl3CipherSuite cipher_suite;
239	PRUint8 policy;
240	unsigned char enabled : 1;
241	unsigned char isPresent : 1;
242	#endif
243	} ssl3CipherSuiteCfg;
244
245	#define ssl_V3_SUITES_IMPLEMENTED71 71
246
247	#define MAX_DTLS_SRTP_CIPHER_SUITES4 4
248
249	/* MAX_SIGNATURE_SCHEMES allows for all the values we support. */
250	#define MAX_SIGNATURE_SCHEMES18 18
251
252	#define MAX_SUPPORTED_CERTIFICATE_COMPRESSION_ALGS32 32
253
254	typedef struct sslOptionsStr {
255	/* If SSL_SetNextProtoNego has been called, then this contains the
256	* list of supported protocols. */
257	SECItem nextProtoNego;
258	PRUint16 recordSizeLimit;
259
260	PRUint32 maxEarlyDataSize;
261	unsigned int useSecurity : 1;
262	unsigned int useSocks : 1;
263	unsigned int requestCertificate : 1;
264	unsigned int requireCertificate : 2;
265	unsigned int handshakeAsClient : 1;
266	unsigned int handshakeAsServer : 1;
267	unsigned int noCache : 1;
268	unsigned int fdx : 1;
269	unsigned int detectRollBack : 1;
270	unsigned int noLocks : 1;
271	unsigned int enableSessionTickets : 1;
272	unsigned int enableDeflate : 1; /* Deprecated. */
273	unsigned int enableRenegotiation : 2;
274	unsigned int requireSafeNegotiation : 1;
275	unsigned int enableFalseStart : 1;
276	unsigned int cbcRandomIV : 1;
277	unsigned int enableOCSPStapling : 1;
278	unsigned int enableALPN : 1;
279	unsigned int reuseServerECDHEKey : 1;
280	unsigned int enableFallbackSCSV : 1;
281	unsigned int enableServerDhe : 1;
282	unsigned int enableExtendedMS : 1;
283	unsigned int enableSignedCertTimestamps : 1;
284	unsigned int requireDHENamedGroups : 1;
285	unsigned int enable0RttData : 1;
286	unsigned int enableTls13CompatMode : 1;
287	unsigned int enableDtlsShortHeader : 1;
288	unsigned int enableHelloDowngradeCheck : 1;
289	unsigned int enableV2CompatibleHello : 1;
290	unsigned int enablePostHandshakeAuth : 1;
291	unsigned int enableDelegatedCredentials : 1;
292	unsigned int enableDtls13VersionCompat : 1;
293	unsigned int suppressEndOfEarlyData : 1;
294	unsigned int enableTls13GreaseEch : 1;
295	unsigned int enableTls13BackendEch : 1;
296	unsigned int callExtensionWriterOnEchInner : 1;
297	unsigned int enableGrease : 1;
298	unsigned int enableChXtnPermutation : 1;
299	unsigned int dbLoadCertChain : 1;
300	} sslOptions;
301
302	typedef enum { sslHandshakingUndetermined = 0,
303	sslHandshakingAsClient,
304	sslHandshakingAsServer
305	} sslHandshakingType;
306
307	#define SSL_LOCK_RANK_SPEC255 255
308
309	/* These are the valid values for shutdownHow.
310	** These values are each 1 greater than the NSPR values, and the code
311	** depends on that relation to efficiently convert PR_SHUTDOWN values
312	** into ssl_SHUTDOWN values. These values use one bit for read, and
313	** another bit for write, and can be used as bitmasks.
314	*/
315	#define ssl_SHUTDOWN_NONE0 0 /* NOT shutdown at all */
316	#define ssl_SHUTDOWN_RCV1 1 /* PR_SHUTDOWN_RCV +1 */
317	#define ssl_SHUTDOWN_SEND2 2 /* PR_SHUTDOWN_SEND +1 */
318	#define ssl_SHUTDOWN_BOTH3 3 /* PR_SHUTDOWN_BOTH +1 */
319
320	/*
321	** A gather object. Used to read some data until a count has been
322	** satisfied. Primarily for support of async sockets.
323	** Everything in here is protected by the recvBufLock.
324	*/
325	struct sslGatherStr {
326	int state; /* see GS_ values below. */
327
328	/* "buf" holds received plaintext SSL records, after decrypt and MAC check.
329	* recv'd ciphertext records are put in inbuf (see below), then decrypted
330	* into buf.
331	*/
332	sslBuffer buf; /recvBufLock/
333
334	/* number of bytes previously read into hdr or inbuf.
335	** (offset - writeOffset) is the number of ciphertext bytes read in but
336	** not yet deciphered.
337	*/
338	unsigned int offset;
339
340	/* number of bytes to read in next call to ssl_DefRecv (recv) */
341	unsigned int remainder;
342
343	/* DoRecv uses the next two values to extract application data.
344	** The difference between writeOffset and readOffset is the amount of
345	** data available to the application. Note that the actual offset of
346	** the data in "buf" is recordOffset (above), not readOffset.
347	** In the current implementation, this is made available before the
348	** MAC is checked!!
349	*/
350	unsigned int readOffset; /* Spot where DATA reader (e.g. application
351	** or handshake code) will read next.
352	** Always zero for SSl3 application data.
353	*/
354	/* offset in buf/inbuf/hdr into which new data will be read from socket. */
355	unsigned int writeOffset;
356
357	/* Buffer for ssl3 to read (encrypted) data from the socket */
358	sslBuffer inbuf; /recvBufLock/
359
360	/* The ssl[23]_GatherData functions read data into this buffer, rather
361	** than into buf or inbuf, while in the GS_HEADER state.
362	** The portion of the SSL record header put here always comes off the wire
363	** as plaintext, never ciphertext.
364	** For SSL3/TLS, the plaintext portion is 5 bytes long. For DTLS it
365	** varies based on version and header type.
366	*/
367	unsigned char hdr[13];
368	unsigned int hdrLen;
369
370	/* Buffer for DTLS data read off the wire as a single datagram */
371	sslBuffer dtlsPacket;
372
373	/* the start of the buffered DTLS record in dtlsPacket */
374	unsigned int dtlsPacketOffset;
375
376	/* tracks whether we've seen a v3-type record before and must reject
377	* any further v2-type records. */
378	PRBool rejectV2Records;
379	};
380
381	/* sslGather.state */
382	#define GS_INIT0 0
383	#define GS_HEADER1 1
384	#define GS_DATA2 2
385
386	#define WRAPPED_MASTER_SECRET_SIZE48 48
387
388	typedef struct {
389	PRUint8 wrapped_master_secret[WRAPPED_MASTER_SECRET_SIZE48];
390	PRUint8 wrapped_master_secret_len;
391	PRUint8 resumable;
392	PRUint8 extendedMasterSecretUsed;
393	} ssl3SidKeys; /* 52 bytes */
394
395	typedef enum { never_cached,
396	in_client_cache,
397	in_server_cache,
398	invalid_cache, /* no longer in any cache. */
399	in_external_cache
400	} Cached;
401
402	#include "sslcert.h"
403
404	struct sslSessionIDStr {
405	/* The global cache lock must be held when accessing these members when the
406	* sid is in any cache.
407	*/
408	sslSessionID next; / chain used for client sockets, only */
409	Cached cached;
410	int references;
411	PRTime lastAccessTime;
412
413	/* The rest of the members, except for the members of u.ssl3.locked, may
414	* be modified only when the sid is not in any cache.
415	*/
416
417	CERTCertificate *peerCert;
418	SECItemArray peerCertStatus; /* client only */
419	const char peerID; / client only */
420	const char urlSvrName; / client only */
421	const sslNamedGroupDef namedCurve; / (server) for certificate lookup */
422	CERTCertificate *localCert;
423
424	PRIPv6Addr addr;
425	PRUint16 port;
426
427	SSL3ProtocolVersion version;
428
429	PRTime creationTime;
430	PRTime expirationTime;
431
432	SSLAuthType authType;
433	PRUint32 authKeyBits;
434	SSLKEAType keaType;
435	PRUint32 keaKeyBits;
436	SSLNamedGroup keaGroup;
437	SSLSignatureScheme sigScheme;
438
439	union {
440	struct {
441	/* values that are copied into the server's on-disk SID cache. */
442	PRUint8 sessionIDLength;
443	PRUint8 sessionID[SSL3_SESSIONID_BYTES32];
444
445	ssl3CipherSuite cipherSuite;
446	PRUint8 policy;
447	ssl3SidKeys keys;
448	/* mechanism used to wrap master secret */
449	CK_MECHANISM_TYPE masterWrapMech;
450
451	/* The following values pertain to the slot that wrapped the
452	** master secret. (used only in client)
453	*/
454	SECMODModuleID masterModuleID;
455	/* what module wrapped the master secret */
456	CK_SLOT_ID masterSlotID;
457	PRUint16 masterWrapIndex;
458	/* what's the key index for the wrapping key */
459	PRUint16 masterWrapSeries;
460	/* keep track of the slot series, so we don't
461	* accidently try to use new keys after the
462	* card gets removed and replaced.*/
463
464	/* The following values pertain to the slot that did the signature
465	** for client auth. (used only in client)
466	*/
467	SECMODModuleID clAuthModuleID;
468	CK_SLOT_ID clAuthSlotID;
469	PRUint16 clAuthSeries;
470
471	char masterValid;
472	char clAuthValid;
473
474	SECItem srvName;
475
476	/* Signed certificate timestamps received in a TLS extension.
477	** (used only in client).
478	*/
479	SECItem signedCertTimestamps;
480
481	/* The ALPN value negotiated in the original connection.
482	* Used for TLS 1.3. */
483	SECItem alpnSelection;
484
485	/* This lock is lazily initialized by CacheSID when a sid is first
486	* cached. Before then, there is no need to lock anything because
487	* the sid isn't being shared by anything.
488	*/
489	PRRWLock *lock;
490
491	/* The lock must be held while reading or writing these members
492	* because they change while the sid is cached.
493	*/
494	struct {
495	/* The session ticket, if we have one, is sent as an extension
496	* in the ClientHello message. This field is used only by
497	* clients. It is protected by lock when lock is non-null
498	* (after the sid has been added to the client session cache).
499	*/
500	NewSessionTicket sessionTicket;
501	} locked;
502	} ssl3;
503	} u;
504	};
505
506	struct ssl3CipherSuiteDefStr {
507	ssl3CipherSuite cipher_suite;
508	SSL3BulkCipher bulk_cipher_alg;
509	SSL3MACAlgorithm mac_alg;
510	SSL3KeyExchangeAlgorithm key_exchange_alg;
511	SSLHashType prf_hash;
512	};
513
514	/*
515	** There are tables of these, all const.
516	*/
517	typedef struct {
518	/* An identifier for this struct. */
519	SSL3KeyExchangeAlgorithm kea;
520	/* The type of key exchange used by the cipher suite. */
521	SSLKEAType exchKeyType;
522	/* If the cipher suite uses a signature, the type of key used in the
523	* signature. */
524	KeyType signKeyType;
525	/* In most cases, cipher suites depend on their signature type for
526	* authentication, ECDH certificates being the exception. */
527	SSLAuthType authKeyType;
528	/* True if the key exchange for the suite is ephemeral. Or to be more
529	* precise: true if the ServerKeyExchange message is always required. */
530	PRBool ephemeral;
531	/* An OID describing the key exchange */
532	SECOidTag oid;
533	} ssl3KEADef;
534
535	typedef enum {
536	ssl_0rtt_none, /* 0-RTT not present */
537	ssl_0rtt_sent, /* 0-RTT sent (no decision yet) */
538	ssl_0rtt_accepted, /* 0-RTT sent and accepted */
539	ssl_0rtt_ignored, /* 0-RTT sent but rejected/ignored */
540	ssl_0rtt_done /* 0-RTT accepted, but finished */
541	} sslZeroRttState;
542
543	typedef enum {
544	ssl_0rtt_ignore_none, /* not ignoring */
545	ssl_0rtt_ignore_trial, /* ignoring with trial decryption */
546	ssl_0rtt_ignore_hrr /* ignoring until ClientHello (due to HRR) */
547	} sslZeroRttIgnore;
548
549	typedef enum {
550	idle_handshake,
551	wait_client_hello,
552	wait_end_of_early_data,
553	wait_client_cert,
554	wait_client_key,
555	wait_cert_verify,
556	wait_change_cipher,
557	wait_finished,
558	wait_server_hello,
559	wait_certificate_status,
560	wait_server_cert,
561	wait_server_key,
562	wait_cert_request,
563	wait_hello_done,
564	wait_new_session_ticket,
565	wait_encrypted_extensions,
566	wait_invalid /* Invalid value. There is no handshake message "invalid". */
567	} SSL3WaitState;
568
569	typedef enum {
570	client_hello_initial, /* The first attempt. */
571	client_hello_retry, /* If we receive HelloRetryRequest. */
572	client_hello_retransmit, /* In DTLS, if we receive HelloVerifyRequest. */
573	client_hello_renegotiation /* A renegotiation attempt. */
574	} sslClientHelloType;
575
576	typedef struct SessionTicketDataStr SessionTicketData;
577
578	typedef SECStatus (sslRestartTarget)(sslSocket );
579
580	/*
581	** A DTLS queued message (potentially to be retransmitted)
582	*/
583	typedef struct DTLSQueuedMessageStr {
584	PRCList link; /* The linked list link */
585	ssl3CipherSpec cwSpec; / The cipher spec to use, null for none */
586	SSLContentType type; /* The message type */
587	unsigned char data; / The data */
588	PRUint16 len; /* The data length */
589	} DTLSQueuedMessage;
590
591	struct TLS13KeyShareEntryStr {
592	PRCList link; /* The linked list link */
593	const sslNamedGroupDef group; / The group for the entry */
594	SECItem key_exchange; /* The share itself */
595	};
596
597	typedef struct TLS13EarlyDataStr {
598	PRCList link; /* The linked list link */
599	unsigned int consumed; /* How much has been read. */
600	SECItem data; /* The data */
601	} TLS13EarlyData;
602
603	typedef enum {
604	handshake_hash_unknown = 0,
605	handshake_hash_combo = 1, /* The MD5/SHA-1 combination */
606	handshake_hash_single = 2, /* A single hash */
607	handshake_hash_record
608	} SSL3HandshakeHashType;
609
610	// A DTLS Timer.
611	typedef void (DTLSTimerCb)(sslSocket );
612
613	typedef struct {
614	const char *label;
615	DTLSTimerCb cb;
616	PRIntervalTime started;
617	PRUint32 timeout;
618	} dtlsTimer;
619
620	/* TLS 1.3 client GREASE entry indices. */
621	typedef enum {
622	grease_cipher,
623	grease_extension1,
624	grease_extension2,
625	grease_group,
626	grease_sigalg,
627	grease_version,
628	grease_alpn,
629	grease_entries
630	} tls13ClientGreaseEntry;
631
632	/* TLS 1.3 client GREASE values struct. */
633	typedef struct tls13ClientGreaseStr {
634	PRUint16 idx[grease_entries];
635	PRUint8 pskKem;
636	} tls13ClientGrease;
637
638	/*
639	** This is the "hs" member of the "ssl3" struct.
640	** This entire struct is protected by ssl3HandshakeLock
641	*/
642	typedef struct SSL3HandshakeStateStr {
	Excessive padding in 'struct SSL3HandshakeStateStr' (53 padding bytes, where 5 is optimal). Optimal fields order: md5, sha, shaEchInner, shaPostHandshake, kea_def, suite_def, msg_len, clientAuthSignatureSchemes, restartTarget, rtTimer, ackTimer, hdTimer, currentSecret, resumptionMasterSecret, dheSecret, clientEarlyTrafficSecret, clientHsTrafficSecret, serverHsTrafficSecret, clientTrafficSecret, serverTrafficSecret, earlyExporterSecret, exporterSecret, rttEstimate, echHpkeCtx, echPublicName, grease, dtlsHandhakeKeyUpdateMessage, chExtensionPermutation, remoteExtensions, echOuterExtensions, lastMessageFlight, cipherSpecs, bufferedEarlyData, psks, dtlsSentHandshake, dtlsRcvdHandshake, messages, echInnerMessages, msg_body, recvdFragments, cookie, srvVirtName, fakeSid, greaseEchBuf, dtls13ClientMessageBuffer, newSessionTicket, timers, ws, hashType, signatureScheme, header_bytes, msg_type, isResuming, sendingSCSV, receivedNewSessionTicket, clientCertificatePending, clientAuthSignatureSchemesLen, authCertificatePending, canFalseStart, preliminaryInfo, recvdHighWater, isKeyUpdateInProgress, allowPreviousEpoch, rtRetries, zeroRttState, zeroRttIgnore, helloRetry, receivedCcs, rejectCcs, clientCertRequested, endOfFlight, echAccepted, echDecided, echInvalidExtension, keyUpdateDeferred, deferredKeyUpdateRequest, kea_def_mutable, cipher_suite, finishedBytes, sendMessageSeq, maxMessageSent, recvMessageSeq, zeroRttSuite, ticketNonce, greaseEchSize, server_random, client_random, client_inner_random, finishedMsgs, consider reordering the fields or adding explicit padding members
643	SSL3Random server_random;
644	SSL3Random client_random;
645	SSL3Random client_inner_random; /* TLS 1.3 ECH Inner. */
646	SSL3WaitState ws; /* May also contain SSL3WaitState \| 0x80 for TLS 1.3 */
647
648	/* This group of members is used for handshake running hashes. */
649	SSL3HandshakeHashType hashType;
650	sslBuffer messages; /* Accumulated handshake messages */
651	sslBuffer echInnerMessages; /* Accumulated ECH Inner handshake messages */
652	/* PKCS #11 mode:
653	* SSL 3.0 - TLS 1.1 use both \|md5\| and \|sha\|. \|md5\| is used for MD5 and
654	* \|sha\| for SHA-1.
655	* TLS 1.2 and later use only \|sha\| variants, for SHA-256.
656	* Under normal (non-1.3 ECH) handshakes, only \|sha\| and \|shaPostHandshake\|
657	* are used. When doing 1.3 ECH, \|sha\| contains the transcript hash
658	* corresponding to the outer Client Hello. To facilitate secure retry and
659	* disablement, \|shaEchInner\|, tracks, in parallel, the transcript hash
660	* corresponding to the inner Client Hello. Once we process the SH
661	* extensions, coalesce into \|sha\|. */
662	PK11Context *md5;
663	PK11Context *sha;
664	PK11Context *shaEchInner;
665	PK11Context *shaPostHandshake;
666	SSLSignatureScheme signatureScheme;
667	const ssl3KEADef *kea_def;
668	ssl3CipherSuite cipher_suite;
669	const ssl3CipherSuiteDef *suite_def;
670	sslBuffer msg_body; /* protected by recvBufLock */
671	/* partial handshake message from record layer */
672	unsigned int header_bytes;
673	/* number of bytes consumed from handshake */
674	/* message for message type and header length */
675	SSLHandshakeType msg_type;
676	unsigned long msg_len;
677	PRBool isResuming; /* we are resuming (not used in TLS 1.3) */
678	PRBool sendingSCSV; /* instead of empty RI */
679
680	/* The session ticket received in a NewSessionTicket message is temporarily
681	* stored in newSessionTicket until the handshake is finished; then it is
682	* moved to the sid.
683	*/
684	PRBool receivedNewSessionTicket;
685	NewSessionTicket newSessionTicket;
686
687	PRUint16 finishedBytes; /* size of single finished below */
688	union {
689	TLSFinished tFinished[2]; /* client, then server */
690	SSL3Finished sFinished[2];
691	PRUint8 data[72];
692	} finishedMsgs;
693
694	/* True when handshake is blocked on client certificate selection */
695	PRBool clientCertificatePending;
696	/* Parameters stored whilst waiting for client certificate */
697	SSLSignatureScheme *clientAuthSignatureSchemes;
698	unsigned int clientAuthSignatureSchemesLen;
699
700	PRBool authCertificatePending;
701	/* Which function should SSL_RestartHandshake* call if we're blocked?
702	* One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake,
703	* or ssl3_AlwaysFail */
704	sslRestartTarget restartTarget;
705
706	PRBool canFalseStart; /* Can/did we False Start */
707	/* Which preliminaryinfo values have been set. */
708	PRUint32 preliminaryInfo;
709
710	/* Parsed extensions */
711	PRCList remoteExtensions; /* Parsed incoming extensions */
712	PRCList echOuterExtensions; /* If ECH, hold CHOuter extensions for decompression. */
713
714	/* This group of values is used for DTLS */
715	PRUint16 sendMessageSeq; /* The sending message sequence
716	* number */
717	PRCList lastMessageFlight; /* The last message flight we
718	* sent */
719	PRUint16 maxMessageSent; /* The largest message we sent */
720	PRUint16 recvMessageSeq; /* The receiving message sequence
721	* number */
722	sslBuffer recvdFragments; /* The fragments we have received in
723	* a bitmask */
724	PRInt32 recvdHighWater; /* The high water mark for fragments
725	* received. -1 means no reassembly
726	* in progress. */
727	SECItem cookie; /* The Hello(Retry\|Verify)Request cookie. */
728	dtlsTimer timers[3]; /* Holder for timers. */
729	dtlsTimer rtTimer; / Retransmit timer. */
730	dtlsTimer ackTimer; / Ack timer (DTLS 1.3 only). */
731	dtlsTimer hdTimer; / Read cipher holddown timer (DLTS 1.3 only) */
732
733	/* KeyUpdate state machines */
734	PRBool isKeyUpdateInProgress; /* The status of KeyUpdate -: {true == started, false == finished}. */
735	PRBool allowPreviousEpoch; /* The flag whether the previous epoch messages are allowed or not: {true == allowed, false == forbidden}. */
736
737	PRUint32 rtRetries; /* The retry counter */
738	SECItem srvVirtName; /* for server: name that was negotiated
739	* with a client. For client - is
740	* always set to NULL.*/
741
742	/* This group of values is used for TLS 1.3 and above */
743	PK11SymKey currentSecret; / The secret down the "left hand side"
744	* of the TLS 1.3 key schedule. */
745	PK11SymKey resumptionMasterSecret; / The resumption_master_secret. */
746	PK11SymKey dheSecret; / The (EC)DHE shared secret. */
747	PK11SymKey clientEarlyTrafficSecret; / The secret we use for 0-RTT. */
748	PK11SymKey clientHsTrafficSecret; / The source keys for handshake */
749	PK11SymKey serverHsTrafficSecret; / traffic keys. */
750	PK11SymKey clientTrafficSecret; / The source keys for application */
751	PK11SymKey serverTrafficSecret; / traffic keys */
752	PK11SymKey earlyExporterSecret; / for 0-RTT exporters */
753	PK11SymKey exporterSecret; / for exporters */
754	PRCList cipherSpecs; /* The cipher specs in the sequence they
755	* will be applied. */
756	sslZeroRttState zeroRttState; /* Are we doing a 0-RTT handshake? */
757	sslZeroRttIgnore zeroRttIgnore; /* Are we ignoring 0-RTT? */
758	ssl3CipherSuite zeroRttSuite; /* The cipher suite we used for 0-RTT. */
759	PRCList bufferedEarlyData; /* Buffered TLS 1.3 early data
760	* on server.*/
761	PRBool helloRetry; /* True if HelloRetryRequest has been sent
762	* or received. */
763	PRBool receivedCcs; /* A server received ChangeCipherSpec
764	* before the handshake started. */
765	PRBool rejectCcs; /* Excessive ChangeCipherSpecs are rejected. */
766	PRBool clientCertRequested; /* True if CertificateRequest received. */
767	PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */
768	ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def
769	* we use for TLS 1.3 */
770	PRUint16 ticketNonce; /* A counter we use for tickets. */
771	SECItem fakeSid; /* ... (server) the SID the client used. */
772	PRCList psks; /* A list of PSKs, resumption and/or external. */
773
774	/* rttEstimate is used to guess the round trip time between server and client.
775	* When the server sends ServerHello it sets this to the current time.
776	* Only after it receives a message from the client's second flight does it
777	* set the value to something resembling an RTT estimate. */
778	PRTime rttEstimate;
779
780	/* The following lists contain DTLSHandshakeRecordEntry */
781	PRCList dtlsSentHandshake; /* Used to map records to handshake fragments. */
782	PRCList dtlsRcvdHandshake; /* Handshake records we have received
783	* used to generate ACKs. */
784
785	/* TLS 1.3 ECH state. */
786	PRUint8 greaseEchSize;
787	PRBool echAccepted; /* Client/Server: True if we've commited to using CHInner. */
788	PRBool echDecided;
789	HpkeContext echHpkeCtx; / Client/Server: HPKE context for ECH. */
790	const char echPublicName; / Client: If rejected, the ECHConfig.publicName to
791	* use for certificate verification. */
792	sslBuffer greaseEchBuf; /* Client: Remember GREASE ECH, as advertised, for CH2 (HRR case).
793	Server: Remember HRR Grease Value, for transcript calculations */
794	PRBool echInvalidExtension; /* Client: True if the server offered an invalid extension for the ClientHelloInner */
795
796	/* TLS 1.3 GREASE state. */
797	tls13ClientGrease *grease;
798
799	/*
800	KeyUpdate variables:
801	This is true if we deferred sending a key update as
802	* post-handshake auth is in progress. */
803	PRBool keyUpdateDeferred;
804	tls13KeyUpdateRequest deferredKeyUpdateRequest;
805	/* The identifier of the keyUpdate message that is sent but not yet acknowledged */
806	PRUint64 dtlsHandhakeKeyUpdateMessage;
807
808	/* ClientHello Extension Permutation state. */
809	sslExtensionBuilder *chExtensionPermutation;
810
811	/* Used by client to store a message that's to be hashed during the HandleServerHello. */
812	sslBuffer dtls13ClientMessageBuffer;
813	} SSL3HandshakeState;
814
815	#define SSL_ASSERT_HASHES_EMPTY(ss)do { ((ss->ssl3.hs.hashType == handshake_hash_unknown)?((void )0):PR_Assert("ss->ssl3.hs.hashType == handshake_hash_unknown" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",815)); ( (ss->ssl3.hs.messages.len == 0)?((void)0):PR_Assert("ss->ssl3.hs.messages.len == 0" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",815)); ( (ss->ssl3.hs.echInnerMessages.len == 0)?((void)0):PR_Assert ("ss->ssl3.hs.echInnerMessages.len == 0","/root/firefox-clang/security/nss/lib/ssl/sslimpl.h" ,815)); } while (0) \
816	do { \
817	PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown)((ss->ssl3.hs.hashType == handshake_hash_unknown)?((void)0 ):PR_Assert("ss->ssl3.hs.hashType == handshake_hash_unknown" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",817)); \
818	PORT_Assert(ss->ssl3.hs.messages.len == 0)((ss->ssl3.hs.messages.len == 0)?((void)0):PR_Assert("ss->ssl3.hs.messages.len == 0" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",818)); \
819	PORT_Assert(ss->ssl3.hs.echInnerMessages.len == 0)((ss->ssl3.hs.echInnerMessages.len == 0)?((void)0):PR_Assert ("ss->ssl3.hs.echInnerMessages.len == 0","/root/firefox-clang/security/nss/lib/ssl/sslimpl.h" ,819)); \
820	} while (0)
821	/*
822	** This is the "ssl3" struct, as in "ss->ssl3".
823	** note:
824	** usually, crSpec == cwSpec and prSpec == pwSpec.
825	** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
826	** But there are never more than 2 actual specs.
827	** No spec must ever be modified if either "current" pointer points to it.
828	*/
829	struct ssl3StateStr {
830
831	/*
832	** The following Specs and Spec pointers must be protected using the
833	** Spec Lock.
834	*/
835	ssl3CipherSpec crSpec; / current read spec. */
836	ssl3CipherSpec prSpec; / pending read spec. */
837	ssl3CipherSpec cwSpec; / current write spec. */
838	ssl3CipherSpec pwSpec; / pending write spec. */
839
840	/* This is true after the peer requests a key update; false after a key
841	* update is initiated locally. */
842	PRBool peerRequestedKeyUpdate;
843
844	/* This is true after the server requests client certificate;
845	* false after the client certificate is received. Used by the
846	* server. */
847	PRBool clientCertRequested;
848
849	CERTCertificate clientCertificate; / used by client */
850	SECKEYPrivateKey clientPrivateKey; / used by client */
851	CERTCertificateList clientCertChain; / used by client */
852	PRBool sendEmptyCert; /* used by client */
853
854	PRUint8 policy;
855	/* This says what cipher suites we can do, and should
856	* be either SSL_ALLOWED or SSL_RESTRICTED
857	*/
858	PLArenaPool *peerCertArena;
859	/* These are used to keep track of the peer CA */
860	void *peerCertChain;
861	/* chain while we are trying to validate it. */
862	CERTDistNames *ca_list;
863	/* used by server. trusted CAs for this socket. */
864	SSL3HandshakeState hs;
865
866	PRUint16 mtu; /* Our estimate of the MTU */
867
868	/* DTLS-SRTP cipher suite preferences (if any) */
869	PRUint16 dtlsSRTPCiphers[MAX_DTLS_SRTP_CIPHER_SUITES4];
870	PRUint16 dtlsSRTPCipherCount;
871	PRBool fatalAlertSent;
872	PRBool dheWeakGroupEnabled; /* used by server */
873	const sslNamedGroupDef *dhePreferredGroup;
874
875	/* TLS 1.2 introduces separate signature algorithm negotiation.
876	* TLS 1.3 combined signature and hash into a single enum.
877	* This is our preference order. */
878	SSLSignatureScheme signatureSchemes[MAX_SIGNATURE_SCHEMES18];
879	unsigned int signatureSchemeCount;
880
881	/* The version to check if we fell back from our highest version
882	* of TLS. Default is 0 in which case we check against the maximum
883	* configured version for this socket. Used only on the client. */
884	SSL3ProtocolVersion downgradeCheckVersion;
885	/* supported certificate compression algorithms (if any) */
886	SSLCertificateCompressionAlgorithm supportedCertCompressionAlgorithms[MAX_SUPPORTED_CERTIFICATE_COMPRESSION_ALGS32];
887	PRUint8 supportedCertCompressionAlgorithmsCount;
888	};
889
890	/* Ethernet MTU but without subtracting the headers,
891	* so slightly larger than expected */
892	#define DTLS_MAX_MTU1500U 1500U
893	#define IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) (ss->protocolVariant == ssl_variant_datagram)
894	#define IS_DTLS_1_OR_12(ss)((ss->protocolVariant == ssl_variant_datagram) && ss ->version < SSL_LIBRARY_VERSION_TLS_1_3) (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && ss->version < SSL_LIBRARY_VERSION_TLS_1_3)
895	#define IS_DTLS_13_OR_ABOVE(ss)((ss->protocolVariant == ssl_variant_datagram) && ss ->version >= SSL_LIBRARY_VERSION_TLS_1_3) (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)
896
897	typedef struct {
898	/* \|seqNum\| eventually contains the reconstructed sequence number. */
899	sslSequenceNumber seqNum;
900	/* The header of the cipherText. */
901	PRUint8 *hdr;
902	unsigned int hdrLen;
903
904	/* \|buf\| is the payload of the ciphertext. */
905	sslBuffer *buf;
906	} SSL3Ciphertext;
907
908	struct sslKeyPairStr {
909	SECKEYPrivateKey *privKey;
910	SECKEYPublicKey *pubKey;
911	PRInt32 refCount; /* use PR_Atomic calls for this. */
912	};
913
914	struct sslEphemeralKeyPairStr {
915	PRCList link;
916	const sslNamedGroupDef *group;
917	sslKeyPair *keys;
918	sslKeyPair *kemKeys;
919	SECItem *kemCt;
920	};
921
922	struct ssl3DHParamsStr {
923	SSLNamedGroup name;
924	SECItem prime; /* p */
925	SECItem base; /* g */
926	};
927
928	typedef struct SSLWrappedSymWrappingKeyStr {
929	PRUint8 wrappedSymmetricWrappingkey[SSL_MAX_RSA_KEY_BITS8192 / 8];
930	CK_MECHANISM_TYPE symWrapMechanism;
931	/* unwrapped symmetric wrapping key uses this mechanism */
932	CK_MECHANISM_TYPE asymWrapMechanism;
933	/* mechanism used to wrap the SymmetricWrappingKey using
934	* server's public and/or private keys. */
935	PRInt16 wrapMechIndex;
936	PRUint16 wrapKeyIndex;
937	PRUint16 wrappedSymKeyLen;
938	} SSLWrappedSymWrappingKey;
939
940	typedef struct SessionTicketStr {
941	PRBool valid;
942	SSL3ProtocolVersion ssl_version;
943	ssl3CipherSuite cipher_suite;
944	SSLAuthType authType;
945	PRUint32 authKeyBits;
946	SSLKEAType keaType;
947	PRUint32 keaKeyBits;
948	SSLNamedGroup originalKeaGroup;
949	SSLSignatureScheme signatureScheme;
950	const sslNamedGroupDef namedCurve; / For certificate lookup. */
951
952	/*
953	* msWrapMech contains a meaningful value only if ms_is_wrapped is true.
954	*/
955	PRUint8 ms_is_wrapped;
956	CK_MECHANISM_TYPE msWrapMech;
957	PRUint16 ms_length;
958	PRUint8 master_secret[48];
959	PRBool extendedMasterSecretUsed;
960	ClientAuthenticationType client_auth_type;
961	SECItem peer_cert;
962	PRTime timestamp;
963	PRUint32 flags;
964	SECItem srvName; /* negotiated server name */
965	SECItem alpnSelection;
966	PRUint32 maxEarlyData;
967	PRUint32 ticketAgeBaseline;
968	SECItem applicationToken;
969	} SessionTicket;
970
971	/*
972	* SSL2 buffers used in SSL3.
973	* writeBuf in the SecurityInfo maintained by sslsecur.c is used
974	* to hold the data just about to be passed to the kernel
975	* sendBuf in the ConnectInfo maintained by sslcon.c is used
976	* to hold handshake messages as they are accumulated
977	*/
978
979	/*
980	** This is "ci", as in "ss->sec.ci".
981	**
982	** Protection: All the variables in here are protected by
983	** firstHandshakeLock AND ssl3HandshakeLock
984	*/
985	struct sslConnectInfoStr {
986	/* outgoing handshakes appended to this. */
987	sslBuffer sendBuf; /xmitBufLock/
988
989	PRIPv6Addr peer;
990	unsigned short port;
991
992	sslSessionID *sid;
993	};
994
995	/* Note: The entire content of this struct and whatever it points to gets
996	* blown away by SSL_ResetHandshake(). This is "sec" as in "ss->sec".
997	*
998	* Unless otherwise specified below, the contents of this struct are
999	* protected by firstHandshakeLock AND ssl3HandshakeLock.
1000	*/
1001	struct sslSecurityInfoStr {
1002
1003	#define SSL_ROLE(ss)(ss->sec.isServer ? "server" : "client") (ss->sec.isServer ? "server" : "client")
1004
1005	PRBool isServer;
1006	sslBuffer writeBuf; /xmitBufLock/
1007
1008	CERTCertificate *localCert;
1009	CERTCertificate *peerCert;
1010	SECKEYPublicKey *peerKey;
1011
1012	SSLAuthType authType;
1013	PRUint32 authKeyBits;
1014	SSLSignatureScheme signatureScheme;
1015	SSLKEAType keaType;
1016	PRUint32 keaKeyBits;
1017	const sslNamedGroupDef *keaGroup;
1018	const sslNamedGroupDef *originalKeaGroup;
1019	/* The selected certificate (for servers only). */
1020	const sslServerCert *serverCert;
1021
1022	/* These are used during a connection handshake */
1023	sslConnectInfo ci;
1024	};
1025
1026	/*
1027	** SSL Socket struct
1028	**
1029	** Protection: XXX
1030	*/
1031	struct sslSocketStr {
1032	PRFileDesc *fd;
1033
1034	/* Pointer to operations vector for this socket */
1035	const sslSocketOps *ops;
1036
1037	/* SSL socket options */
1038	sslOptions opt;
1039	/* Enabled version range */
1040	SSLVersionRange vrange;
1041
1042	/* A function that returns the current time. */
1043	SSLTimeFunc now;
1044	void *nowArg;
1045
1046	/* State flags */
1047	unsigned long clientAuthRequested;
1048	unsigned long delayDisabled; /* Nagle delay disabled */
1049	unsigned long firstHsDone; /* first handshake is complete. */
1050	unsigned long enoughFirstHsDone; /* enough of the first handshake is
1051	* done for callbacks to be able to
1052	* retrieve channel security
1053	* parameters from the SSL socket. */
1054	unsigned long handshakeBegun;
1055	unsigned long lastWriteBlocked;
1056	unsigned long recvdCloseNotify; /* received SSL EOF. */
1057	unsigned long TCPconnected;
1058	unsigned long appDataBuffered;
1059	unsigned long peerRequestedProtection; /* from old renegotiation */
1060
1061	/* version of the protocol to use */
1062	SSL3ProtocolVersion version;
1063	SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */
1064
1065	sslSecurityInfo sec; /* not a pointer any more */
1066
1067	/* protected by firstHandshakeLock AND ssl3HandshakeLock. */
1068	const char *url;
1069
1070	sslHandshakeFunc handshake; /firstHandshakeLock/
1071
1072	/* the following variable is only used with socks or other proxies. */
1073	char peerID; / String uniquely identifies target server. */
1074
1075	/* ECDHE and DHE keys: In TLS 1.3, we might have to maintain multiple of
1076	* these on the client side. The server inserts a single value into this
1077	* list for all versions. */
1078	PRCList /<sslEphemeralKeyPair>/ ephemeralKeyPairs;
1079
1080	/* Callbacks */
1081	SSLAuthCertificate authCertificate;
1082	void *authCertificateArg;
1083	SSLGetClientAuthData getClientAuthData;
1084	void *getClientAuthDataArg;
1085	SSLSNISocketConfig sniSocketConfig;
1086	void *sniSocketConfigArg;
1087	SSLAlertCallback alertReceivedCallback;
1088	void *alertReceivedCallbackArg;
1089	SSLAlertCallback alertSentCallback;
1090	void *alertSentCallbackArg;
1091	SSLBadCertHandler handleBadCert;
1092	void *badCertArg;
1093	SSLHandshakeCallback handshakeCallback;
1094	void *handshakeCallbackData;
1095	SSLCanFalseStartCallback canFalseStartCallback;
1096	void *canFalseStartCallbackData;
1097	void *pkcs11PinArg;
1098	SSLNextProtoCallback nextProtoCallback;
1099	void *nextProtoArg;
1100	SSLHelloRetryRequestCallback hrrCallback;
1101	void *hrrCallbackArg;
1102	PRCList extensionHooks;
1103	SSLResumptionTokenCallback resumptionTokenCallback;
1104	void *resumptionTokenContext;
1105	SSLSecretCallback secretCallback;
1106	void *secretCallbackArg;
1107	SSLRecordWriteCallback recordWriteCallback;
1108	void *recordWriteCallbackArg;
1109
1110	PRIntervalTime rTimeout; /* timeout for NSPR I/O */
1111	PRIntervalTime wTimeout; /* timeout for NSPR I/O */
1112	PRIntervalTime cTimeout; /* timeout for NSPR I/O */
1113
1114	PZLockPRLock recvLock; / lock against multiple reader threads. */
1115	PZLockPRLock sendLock; / lock against multiple sender threads. */
1116
1117	PZMonitorPRMonitor recvBufLock; / locks low level recv buffers. */
1118	PZMonitorPRMonitor xmitBufLock; / locks low level xmit buffers. */
1119
1120	/* Only one thread may operate on the socket until the initial handshake
1121	** is complete. This Monitor ensures that. Since SSL2 handshake is
1122	** only done once, this is also effectively the SSL2 handshake lock.
1123	*/
1124	PZMonitorPRMonitor *firstHandshakeLock;
1125
1126	/* This monitor protects the ssl3 handshake state machine data.
1127	** Only one thread (reader or writer) may be in the ssl3 handshake state
1128	** machine at any time. */
1129	PZMonitorPRMonitor *ssl3HandshakeLock;
1130
1131	/* reader/writer lock, protects the secret data needed to encrypt and MAC
1132	** outgoing records, and to decrypt and MAC check incoming ciphertext
1133	** records. */
1134	NSSRWLock *specLock;
1135
1136	/* handle to perm cert db (and implicitly to the temp cert db) used
1137	** with this socket.
1138	*/
1139	CERTCertDBHandle *dbHandle;
1140
1141	PRThread writerThread; / thread holds SSL_LOCK_WRITER lock */
1142
1143	PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */
1144
1145	sslHandshakingType handshaking;
1146
1147	/* Gather object used for gathering data */
1148	sslGather gs; /recvBufLock/
1149
1150	sslBuffer saveBuf; /xmitBufLock/
1151	sslBuffer pendingBuf; /xmitBufLock/
1152
1153	/* Configuration state for server sockets */
1154	/* One server cert and key for each authentication type. */
1155	PRCList /* <sslServerCert> */ serverCerts;
1156
1157	ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED71];
1158
1159	/* A list of groups that are sorted according to user preferences pointing
1160	* to entries of ssl_named_groups. By default this list contains pointers
1161	* to all elements in ssl_named_groups in the default order.
1162	* This list also determines which groups are enabled. This
1163	* starts with all being enabled and can be modified either by negotiation
1164	* (in which case groups not supported by a peer are masked off), or by
1165	* calling SSL_DHEGroupPrefSet().
1166	* Note that renegotiation will ignore groups that were disabled in the
1167	* first handshake.
1168	*/
1169	const sslNamedGroupDef *namedGroupPreferences[SSL_NAMED_GROUP_COUNT33];
1170	/* The number of additional shares to generate for the TLS 1.3 ClientHello */
1171	unsigned int additionalShares;
1172
1173	/* SSL3 state info. Formerly was a pointer */
1174	ssl3State ssl3;
1175
1176	/*
1177	* TLS extension related data.
1178	*/
1179	/* True when the current session is a stateless resume. */
1180	PRBool statelessResume;
1181	TLSExtensionData xtnData;
1182
1183	/* Whether we are doing stream or datagram mode */
1184	SSLProtocolVariant protocolVariant;
1185
1186	/* TLS 1.3 Encrypted Client Hello. */
1187	PRCList echConfigs; /* Client/server: Must not change while hs
1188	* is in-progress. */
1189	SECKEYPublicKey echPubKey; / Server: The ECH keypair used in HPKE. */
1190	SECKEYPrivateKey echPrivKey; / As above. */
1191
1192	/* Anti-replay for TLS 1.3 0-RTT. */
1193	SSLAntiReplayContext *antiReplay;
1194
1195	/* An out-of-band PSK. */
1196	sslPsk *psk;
1197	};
1198
1199	struct sslSelfEncryptKeysStr {
1200	PRCallOnceType setup;
1201	PRUint8 keyName[SELF_ENCRYPT_KEY_NAME_LEN16];
1202	PK11SymKey *encKey;
1203	PK11SymKey *macKey;
1204	};
1205	typedef struct sslSelfEncryptKeysStr sslSelfEncryptKeys;
1206
1207	extern char ssl_debug;
1208	extern char ssl_trace;
1209	extern FILE *ssl_trace_iob;
1210	extern FILE *ssl_keylog_iob;
1211	extern PZLockPRLock *ssl_keylog_lock;
1212	static const PRUint32 ssl_ticket_lifetime = 2 * 24 * 60 * 60; // 2 days.
1213
1214	extern const char *const ssl3_cipherName[];
1215
1216	extern sslSessionIDLookupFunc ssl_sid_lookup;
1217
1218	extern const sslNamedGroupDef ssl_named_groups[];
1219
1220	/************************************************************************/
1221
1222	SEC_BEGIN_PROTOS
1223
1224	/* Internal initialization and installation of the SSL error tables */
1225	extern SECStatus ssl_Init(void);
1226	extern SECStatus ssl_InitializePRErrorTable(void);
1227
1228	/* Implementation of ops for default (non socks, non secure) case */
1229	extern int ssl_DefConnect(sslSocket ss, const PRNetAddr addr);
1230	extern PRFileDesc ssl_DefAccept(sslSocket ss, PRNetAddr *addr);
1231	extern int ssl_DefBind(sslSocket ss, const PRNetAddr addr);
1232	extern int ssl_DefListen(sslSocket *ss, int backlog);
1233	extern int ssl_DefShutdown(sslSocket *ss, int how);
1234	extern int ssl_DefClose(sslSocket *ss);
1235	extern int ssl_DefRecv(sslSocket ss, unsigned char buf, int len, int flags);
1236	extern int ssl_DefSend(sslSocket ss, const unsigned char buf,
1237	int len, int flags);
1238	extern int ssl_DefRead(sslSocket ss, unsigned char buf, int len);
1239	extern int ssl_DefWrite(sslSocket ss, const unsigned char buf, int len);
1240	extern int ssl_DefGetpeername(sslSocket ss, PRNetAddr name);
1241	extern int ssl_DefGetsockname(sslSocket ss, PRNetAddr name);
1242	extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname,
1243	void optval, PRInt32 optlen);
1244	extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname,
1245	const void *optval, PRInt32 optlen);
1246
1247	/* Implementation of ops for socks only case */
1248	extern int ssl_SocksConnect(sslSocket ss, const PRNetAddr addr);
1249	extern PRFileDesc ssl_SocksAccept(sslSocket ss, PRNetAddr *addr);
1250	extern int ssl_SocksBind(sslSocket ss, const PRNetAddr addr);
1251	extern int ssl_SocksListen(sslSocket *ss, int backlog);
1252	extern int ssl_SocksGetsockname(sslSocket ss, PRNetAddr name);
1253	extern int ssl_SocksRecv(sslSocket ss, unsigned char buf, int len, int flags);
1254	extern int ssl_SocksSend(sslSocket ss, const unsigned char buf,
1255	int len, int flags);
1256	extern int ssl_SocksRead(sslSocket ss, unsigned char buf, int len);
1257	extern int ssl_SocksWrite(sslSocket ss, const unsigned char buf, int len);
1258
1259	/* Implementation of ops for secure only case */
1260	extern int ssl_SecureConnect(sslSocket ss, const PRNetAddr addr);
1261	extern PRFileDesc ssl_SecureAccept(sslSocket ss, PRNetAddr *addr);
1262	extern int ssl_SecureRecv(sslSocket ss, unsigned char buf,
1263	int len, int flags);
1264	extern int ssl_SecureSend(sslSocket ss, const unsigned char buf,
1265	int len, int flags);
1266	extern int ssl_SecureRead(sslSocket ss, unsigned char buf, int len);
1267	extern int ssl_SecureWrite(sslSocket ss, const unsigned char buf, int len);
1268	extern int ssl_SecureShutdown(sslSocket *ss, int how);
1269	extern int ssl_SecureClose(sslSocket *ss);
1270
1271	/* Implementation of ops for secure socks case */
1272	extern int ssl_SecureSocksConnect(sslSocket ss, const PRNetAddr addr);
1273	extern PRFileDesc ssl_SecureSocksAccept(sslSocket ss, PRNetAddr *addr);
1274	extern PRFileDesc ssl_FindTop(sslSocket ss);
1275
1276	/* Gather funcs. */
1277	extern sslGather *ssl_NewGather(void);
1278	extern SECStatus ssl3_InitGather(sslGather *gs);
1279	extern void ssl3_DestroyGather(sslGather *gs);
1280	extern SECStatus ssl_GatherRecord1stHandshake(sslSocket *ss);
1281
1282	extern SECStatus ssl_CreateSecurityInfo(sslSocket *ss);
1283	extern SECStatus ssl_CopySecurityInfo(sslSocket ss, sslSocket os);
1284	extern void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset);
1285	extern void ssl_DestroySecurityInfo(sslSecurityInfo *sec);
1286
1287	extern void ssl_PrintBuf(const sslSocket ss, const char msg, const void *cp,
1288	int len);
1289	extern void ssl_PrintKey(const sslSocket ss, const char msg, PK11SymKey *key);
1290
1291	extern int ssl_SendSavedWriteData(sslSocket *ss);
1292	extern SECStatus ssl_SaveWriteData(sslSocket *ss,
1293	const void *p, unsigned int l);
1294	extern SECStatus ssl_BeginClientHandshake(sslSocket *ss);
1295	extern SECStatus ssl_BeginServerHandshake(sslSocket *ss);
1296	extern SECStatus ssl_Do1stHandshake(sslSocket *ss);
1297
1298	extern SECStatus ssl3_InitPendingCipherSpecs(sslSocket ss, PK11SymKey secret,
1299	PRBool derive);
1300	extern void ssl_DestroyKeyMaterial(ssl3KeyMaterial *keyMaterial);
1301	extern sslSessionID ssl3_NewSessionID(sslSocket ss, PRBool is_server);
1302	extern sslSessionID ssl_LookupSID(PRTime now, const PRIPv6Addr addr,
1303	PRUint16 port, const char *peerID,
1304	const char *urlSvrName);
1305	extern void ssl_FreeSID(sslSessionID *sid);
1306	extern void ssl_DestroySID(sslSessionID *sid, PRBool freeIt);
1307	extern sslSessionID ssl_ReferenceSID(sslSessionID sid);
1308
1309	extern int ssl3_SendApplicationData(sslSocket ss, const PRUint8 in,
1310	int len, int flags);
1311
1312	extern PRBool ssl_FdIsBlocking(PRFileDesc *fd);
1313
1314	extern PRBool ssl_SocketIsBlocking(sslSocket *ss);
1315
1316	extern void ssl3_SetAlwaysBlock(sslSocket *ss);
1317
1318	extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
1319
1320	extern SECStatus ssl_FinishHandshake(sslSocket *ss);
1321
1322	extern SECStatus ssl_CipherPolicySet(PRInt32 which, PRInt32 policy);
1323
1324	extern SECStatus ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
1325
1326	extern SECStatus ssl3_ConstrainRangeByPolicy(void);
1327
1328	extern SECStatus ssl3_InitState(sslSocket *ss);
1329	extern SECStatus Null_Cipher(void ctx, unsigned char output, unsigned int *outputLen,
1330	unsigned int maxOutputLen, const unsigned char *input,
1331	unsigned int inputLen);
1332	extern void ssl3_RestartHandshakeHashes(sslSocket *ss);
1333	typedef SECStatus (sslUpdateHandshakeHashes)(sslSocket ss,
1334	const unsigned char *b,
1335	unsigned int l);
1336	extern SECStatus ssl3_UpdateHandshakeHashes(sslSocket *ss,
1337	const unsigned char *b,
1338	unsigned int l);
1339	extern SECStatus ssl3_UpdatePostHandshakeHashes(sslSocket *ss,
1340	const unsigned char *b,
1341	unsigned int l);
1342	SECStatus
1343	ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType type,
1344	PRUint32 dtlsSeq,
1345	const PRUint8 *b, PRUint32 length,
1346	sslUpdateHandshakeHashes cb);
1347	SECStatus ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType type,
1348	const PRUint8 *b, PRUint32 length);
1349	SECStatus ssl_HashHandshakeMessageEchInner(sslSocket *ss, SSLHandshakeType type,
1350	const PRUint8 *b, PRUint32 length);
1351	SECStatus ssl_HashHandshakeMessageDefault(sslSocket *ss, SSLHandshakeType type,
1352	const PRUint8 *b, PRUint32 length);
1353	SECStatus ssl_HashPostHandshakeMessage(sslSocket *ss, SSLHandshakeType type,
1354	const PRUint8 *b, PRUint32 length);
1355
1356	/* Returns PR_TRUE if we are still waiting for the server to complete its
1357	* response to our client second round. Once we've received the Finished from
1358	* the server then there is no need to check false start.
1359	*/
1360	extern PRBool ssl3_WaitingForServerSecondRound(sslSocket *ss);
1361
1362	extern PRInt32 ssl3_SendRecord(sslSocket ss, ssl3CipherSpec cwSpec,
1363	SSLContentType type,
1364	const PRUint8 *pIn, PRInt32 nIn,
1365	PRInt32 flags);
1366
1367	/* Clear any PRCList, optionally calling f on the value. */
1368	void ssl_ClearPRCList(PRCList list, void (f)(void *));
1369
1370	/*
1371	* Make sure there is room in the write buffer for padding and
1372	* cryptographic expansions.
1373	*/
1374	#define SSL3_BUFFER_FUDGE100 100
1375
1376	#define SSL_LOCK_READER(ss)if (ss->recvLock) PR_Lock((ss->recvLock)) \
1377	if (ss->recvLock) \
1378	PZ_Lock(ss->recvLock)PR_Lock((ss->recvLock))
1379	#define SSL_UNLOCK_READER(ss)if (ss->recvLock) PR_Unlock((ss->recvLock)) \
1380	if (ss->recvLock) \
1381	PZ_Unlock(ss->recvLock)PR_Unlock((ss->recvLock))
1382	#define SSL_LOCK_WRITER(ss)if (ss->sendLock) PR_Lock((ss->sendLock)) \
1383	if (ss->sendLock) \
1384	PZ_Lock(ss->sendLock)PR_Lock((ss->sendLock))
1385	#define SSL_UNLOCK_WRITER(ss)if (ss->sendLock) PR_Unlock((ss->sendLock)) \
1386	if (ss->sendLock) \
1387	PZ_Unlock(ss->sendLock)PR_Unlock((ss->sendLock))
1388
1389	/* firstHandshakeLock -> recvBufLock */
1390	#define ssl_Get1stHandshakeLock(ss){ if (!ss->opt.noLocks) { (((PR_GetMonitorEntryCount(((ss) ->firstHandshakeLock)) > 0) \|\| !((PR_GetMonitorEntryCount (((ss)->recvBufLock)) > 0)))?((void)0):PR_Assert("PZ_InMonitor((ss)->firstHandshakeLock) \|\| !ssl_HaveRecvBufLock(ss)" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",1390)); PR_EnterMonitor(((ss)->firstHandshakeLock)); } } \
1391	{ \
1392	if (!ss->opt.noLocks) { \
1393	PORT_Assert(PZ_InMonitor((ss)->firstHandshakeLock) \|\| \(((PR_GetMonitorEntryCount(((ss)->firstHandshakeLock)) > 0) \|\| !((PR_GetMonitorEntryCount(((ss)->recvBufLock)) > 0)))?((void)0):PR_Assert("PZ_InMonitor((ss)->firstHandshakeLock) \|\| !ssl_HaveRecvBufLock(ss)" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",1394))
1394	!ssl_HaveRecvBufLock(ss))(((PR_GetMonitorEntryCount(((ss)->firstHandshakeLock)) > 0) \|\| !((PR_GetMonitorEntryCount(((ss)->recvBufLock)) > 0)))?((void)0):PR_Assert("PZ_InMonitor((ss)->firstHandshakeLock) \|\| !ssl_HaveRecvBufLock(ss)" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",1394)); \
1395	PZ_EnterMonitor((ss)->firstHandshakeLock)PR_EnterMonitor(((ss)->firstHandshakeLock)); \
1396	} \
1397	}
1398	#define ssl_Release1stHandshakeLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->firstHandshakeLock )); } \
1399	{ \
1400	if (!ss->opt.noLocks) \
1401	PZ_ExitMonitor((ss)->firstHandshakeLock)PR_ExitMonitor(((ss)->firstHandshakeLock)); \
1402	}
1403	#define ssl_Have1stHandshakeLock(ss)((PR_GetMonitorEntryCount(((ss)->firstHandshakeLock)) > 0)) \
1404	(PZ_InMonitor((ss)->firstHandshakeLock)(PR_GetMonitorEntryCount(((ss)->firstHandshakeLock)) > 0 ))
1405
1406	/* ssl3HandshakeLock -> xmitBufLock */
1407	#define ssl_GetSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) { ((!((PR_GetMonitorEntryCount(((ss )->xmitBufLock)) > 0)))?((void)0):PR_Assert("!ssl_HaveXmitBufLock(ss)" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",1407)); PR_EnterMonitor(((ss)->ssl3HandshakeLock)); } } \
1408	{ \
1409	if (!ss->opt.noLocks) { \
1410	PORT_Assert(!ssl_HaveXmitBufLock(ss))((!((PR_GetMonitorEntryCount(((ss)->xmitBufLock)) > 0)) )?((void)0):PR_Assert("!ssl_HaveXmitBufLock(ss)","/root/firefox-clang/security/nss/lib/ssl/sslimpl.h" ,1410)); \
1411	PZ_EnterMonitor((ss)->ssl3HandshakeLock)PR_EnterMonitor(((ss)->ssl3HandshakeLock)); \
1412	} \
1413	}
1414	#define ssl_ReleaseSSL3HandshakeLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->ssl3HandshakeLock )); } \
1415	{ \
1416	if (!ss->opt.noLocks) \
1417	PZ_ExitMonitor((ss)->ssl3HandshakeLock)PR_ExitMonitor(((ss)->ssl3HandshakeLock)); \
1418	}
1419	#define ssl_HaveSSL3HandshakeLock(ss)((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock)) > 0 )) \
1420	(PZ_InMonitor((ss)->ssl3HandshakeLock)(PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock)) > 0 ))
1421
1422	#define ssl_GetSpecReadLock(ss){ if (!ss->opt.noLocks) NSSRWLock_LockRead_Util((ss)->specLock ); } \
1423	{ \
1424	if (!ss->opt.noLocks) \
1425	NSSRWLock_LockReadNSSRWLock_LockRead_Util((ss)->specLock); \
1426	}
1427	#define ssl_ReleaseSpecReadLock(ss){ if (!ss->opt.noLocks) NSSRWLock_UnlockRead_Util((ss)-> specLock); } \
1428	{ \
1429	if (!ss->opt.noLocks) \
1430	NSSRWLock_UnlockReadNSSRWLock_UnlockRead_Util((ss)->specLock); \
1431	}
1432	/* NSSRWLock_HaveReadLock is not exported so there's no
1433	* ssl_HaveSpecReadLock macro. */
1434
1435	#define ssl_GetSpecWriteLock(ss){ if (!ss->opt.noLocks) NSSRWLock_LockWrite_Util((ss)-> specLock); } \
1436	{ \
1437	if (!ss->opt.noLocks) \
1438	NSSRWLock_LockWriteNSSRWLock_LockWrite_Util((ss)->specLock); \
1439	}
1440	#define ssl_ReleaseSpecWriteLock(ss){ if (!ss->opt.noLocks) NSSRWLock_UnlockWrite_Util((ss)-> specLock); } \
1441	{ \
1442	if (!ss->opt.noLocks) \
1443	NSSRWLock_UnlockWriteNSSRWLock_UnlockWrite_Util((ss)->specLock); \
1444	}
1445	#define ssl_HaveSpecWriteLock(ss)(NSSRWLock_HaveWriteLock_Util((ss)->specLock)) \
1446	(NSSRWLock_HaveWriteLockNSSRWLock_HaveWriteLock_Util((ss)->specLock))
1447
1448	/* recvBufLock -> ssl3HandshakeLock -> xmitBufLock */
1449	#define ssl_GetRecvBufLock(ss){ if (!ss->opt.noLocks) { ((!((PR_GetMonitorEntryCount(((ss )->ssl3HandshakeLock)) > 0)))?((void)0):PR_Assert("!ssl_HaveSSL3HandshakeLock(ss)" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",1449)); ((!((PR_GetMonitorEntryCount(((ss)->xmitBufLock)) > 0) ))?((void)0):PR_Assert("!ssl_HaveXmitBufLock(ss)","/root/firefox-clang/security/nss/lib/ssl/sslimpl.h" ,1449)); PR_EnterMonitor(((ss)->recvBufLock)); } } \
1450	{ \
1451	if (!ss->opt.noLocks) { \
1452	PORT_Assert(!ssl_HaveSSL3HandshakeLock(ss))((!((PR_GetMonitorEntryCount(((ss)->ssl3HandshakeLock)) > 0)))?((void)0):PR_Assert("!ssl_HaveSSL3HandshakeLock(ss)","/root/firefox-clang/security/nss/lib/ssl/sslimpl.h" ,1452)); \
1453	PORT_Assert(!ssl_HaveXmitBufLock(ss))((!((PR_GetMonitorEntryCount(((ss)->xmitBufLock)) > 0)) )?((void)0):PR_Assert("!ssl_HaveXmitBufLock(ss)","/root/firefox-clang/security/nss/lib/ssl/sslimpl.h" ,1453)); \
1454	PZ_EnterMonitor((ss)->recvBufLock)PR_EnterMonitor(((ss)->recvBufLock)); \
1455	} \
1456	}
1457	#define ssl_ReleaseRecvBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->recvBufLock )); } \
1458	{ \
1459	if (!ss->opt.noLocks) \
1460	PZ_ExitMonitor((ss)->recvBufLock)PR_ExitMonitor(((ss)->recvBufLock)); \
1461	}
1462	#define ssl_HaveRecvBufLock(ss)((PR_GetMonitorEntryCount(((ss)->recvBufLock)) > 0)) \
1463	(PZ_InMonitor((ss)->recvBufLock)(PR_GetMonitorEntryCount(((ss)->recvBufLock)) > 0))
1464
1465	/* xmitBufLock -> specLock */
1466	#define ssl_GetXmitBufLock(ss){ if (!ss->opt.noLocks) PR_EnterMonitor(((ss)->xmitBufLock )); } \
1467	{ \
1468	if (!ss->opt.noLocks) \
1469	PZ_EnterMonitor((ss)->xmitBufLock)PR_EnterMonitor(((ss)->xmitBufLock)); \
1470	}
1471	#define ssl_ReleaseXmitBufLock(ss){ if (!ss->opt.noLocks) PR_ExitMonitor(((ss)->xmitBufLock )); } \
1472	{ \
1473	if (!ss->opt.noLocks) \
1474	PZ_ExitMonitor((ss)->xmitBufLock)PR_ExitMonitor(((ss)->xmitBufLock)); \
1475	}
1476	#define ssl_HaveXmitBufLock(ss)((PR_GetMonitorEntryCount(((ss)->xmitBufLock)) > 0)) \
1477	(PZ_InMonitor((ss)->xmitBufLock)(PR_GetMonitorEntryCount(((ss)->xmitBufLock)) > 0))
1478
1479	/* Placeholder value used in version ranges when SSL 3.0 and all
1480	* versions of TLS are disabled.
1481	*/
1482	#define SSL_LIBRARY_VERSION_NONE0 0
1483
1484	/* SSL_LIBRARY_VERSION_MIN_SUPPORTED is the minimum version that this version
1485	* of libssl supports. Applications should use SSL_VersionRangeGetSupported at
1486	* runtime to determine which versions are supported by the version of libssl
1487	* in use.
1488	*/
1489	#define SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAMSSL_LIBRARY_VERSION_TLS_1_1 SSL_LIBRARY_VERSION_TLS_1_1
1490	#define SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAMSSL_LIBRARY_VERSION_3_0 SSL_LIBRARY_VERSION_3_0
1491
1492	/* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version
1493	* of libssl supports. Applications should use SSL_VersionRangeGetSupported at
1494	* runtime to determine which versions are supported by the version of libssl
1495	* in use.
1496	*/
1497	#ifndef NSS_DISABLE_TLS_1_3
1498	#define SSL_LIBRARY_VERSION_MAX_SUPPORTEDSSL_LIBRARY_VERSION_TLS_1_3 SSL_LIBRARY_VERSION_TLS_1_3
1499	#else
1500	#define SSL_LIBRARY_VERSION_MAX_SUPPORTEDSSL_LIBRARY_VERSION_TLS_1_3 SSL_LIBRARY_VERSION_TLS_1_2
1501	#endif
1502
1503	#define SSL_ALL_VERSIONS_DISABLED(vrange)((vrange)->min == 0) \
1504	((vrange)->min == SSL_LIBRARY_VERSION_NONE0)
1505
1506	extern PRBool ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
1507	SSL3ProtocolVersion version);
1508
1509	/* These functions are called from secnav, even though they're "private". */
1510
1511	extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss,
1512	CERTCertificate *cert,
1513	SECKEYPrivateKey *key,
1514	CERTCertificateList *certChain);
1515	extern sslSocket ssl_FindSocket(PRFileDesc fd);
1516	extern void ssl_FreeSocket(struct sslSocketStr *ssl);
1517	extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
1518	SSL3AlertDescription desc);
1519	extern SECStatus ssl3_DecodeError(sslSocket *ss);
1520
1521	extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
1522	extern SECStatus ssl3_ClientCertCallbackComplete(sslSocket ss, SECStatus outcome, SECKEYPrivateKey clientPrivateKey, CERTCertificate *clientCertificate);
1523
1524	/*
1525	* for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
1526	*/
1527	extern SECStatus ssl3_HandleV2ClientHello(
1528	sslSocket ss, unsigned char buffer, unsigned int length, PRUint8 padding);
1529
1530	SECStatus
1531	ssl3_CreateClientHelloPreamble(sslSocket ss, const sslSessionID sid,
1532	PRBool realSid, PRUint16 version, PRBool isEchInner,
1533	const sslBuffer extensions, sslBuffer preamble);
1534	SECStatus ssl3_InsertChHeaderSize(const sslSocket ss, sslBuffer preamble, const sslBuffer *extensions);
1535	SECStatus ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type);
1536
1537	/*
1538	* input into the SSL3 machinery from the actualy network reading code
1539	*/
1540	SECStatus ssl3_HandleRecord(sslSocket ss, SSL3Ciphertext cipher);
1541	SECStatus ssl3_HandleNonApplicationData(sslSocket *ss, SSLContentType rType,
1542	DTLSEpoch epoch,
1543	sslSequenceNumber seqNum,
1544	sslBuffer *databuf);
1545	SECStatus ssl_RemoveTLSCBCPadding(sslBuffer *plaintext, unsigned int macSize);
1546
1547	int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
1548	int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags);
1549
1550	/* Create a new ref counted key pair object from two keys. */
1551	extern sslKeyPair ssl_NewKeyPair(SECKEYPrivateKey privKey,
1552	SECKEYPublicKey *pubKey);
1553
1554	/* get a new reference (bump ref count) to an ssl3KeyPair. */
1555	extern sslKeyPair ssl_GetKeyPairRef(sslKeyPair keyPair);
1556
1557	/* Decrement keypair's ref count and free if zero. */
1558	extern void ssl_FreeKeyPair(sslKeyPair *keyPair);
1559
1560	extern sslEphemeralKeyPair *ssl_NewEphemeralKeyPair(
1561	const sslNamedGroupDef *group,
1562	SECKEYPrivateKey privKey, SECKEYPublicKey pubKey);
1563	extern sslEphemeralKeyPair *ssl_CopyEphemeralKeyPair(
1564	sslEphemeralKeyPair *keyPair);
1565	extern void ssl_FreeEphemeralKeyPair(sslEphemeralKeyPair *keyPair);
1566	extern sslEphemeralKeyPair *ssl_LookupEphemeralKeyPair(
1567	sslSocket ss, const sslNamedGroupDef groupDef);
1568	extern PRBool ssl_HaveEphemeralKeyPair(const sslSocket *ss,
1569	const sslNamedGroupDef *groupDef);
1570	extern void ssl_FreeEphemeralKeyPairs(sslSocket *ss);
1571
1572	extern SECStatus ssl_AppendPaddedDHKeyShare(sslBuffer *buf,
1573	const SECKEYPublicKey *pubKey,
1574	PRBool appendLength);
1575	extern PRBool ssl_CanUseSignatureScheme(SSLSignatureScheme scheme,
1576	const SSLSignatureScheme *peerSchemes,
1577	unsigned int peerSchemeCount,
1578	PRBool requireSha1,
1579	PRBool slotDoesPss);
1580	extern const ssl3DHParams ssl_GetDHEParams(const sslNamedGroupDef groupDef);
1581	extern SECStatus ssl_SelectDHEGroup(sslSocket *ss,
1582	const sslNamedGroupDef **groupDef);
1583	extern SECStatus ssl_CreateDHEKeyPair(const sslNamedGroupDef *groupDef,
1584	const ssl3DHParams *params,
1585	sslEphemeralKeyPair **keyPair);
1586	extern PRBool ssl_IsValidDHEShare(const SECItem dh_p, const SECItem dh_Ys);
1587	extern SECStatus ssl_ValidateDHENamedGroup(sslSocket *ss,
1588	const SECItem *dh_p,
1589	const SECItem *dh_g,
1590	const sslNamedGroupDef **groupDef,
1591	const ssl3DHParams **dhParams);
1592
1593	extern PRBool ssl_IsECCEnabled(const sslSocket *ss);
1594	extern PRBool ssl_IsDHEEnabled(const sslSocket *ss);
1595
1596	/* Macro for finding a curve equivalent in strength to RSA key's */
1597	#define SSL_RSASTRENGTH_TO_ECSTRENGTH(s)((s <= 1024) ? 160 : ((s <= 2048) ? 224 : ((s <= 3072 ) ? 256 : ((s <= 7168) ? 384 : 521)))) \
1598	((s <= 1024) ? 160 \
1599	: ((s <= 2048) ? 224 \
1600	: ((s <= 3072) ? 256 \
1601	: ((s <= 7168) ? 384 \
1602	: 521))))
1603
1604	extern const sslNamedGroupDef *ssl_LookupNamedGroup(SSLNamedGroup group);
1605	extern PRBool ssl_NamedGroupEnabled(const sslSocket ss, const sslNamedGroupDef group);
1606	extern SECStatus ssl_NamedGroup2ECParams(PLArenaPool *arena,
1607	const sslNamedGroupDef *curve,
1608	SECKEYECParams *params);
1609	extern const sslNamedGroupDef *ssl_ECPubKey2NamedGroup(
1610	const SECKEYPublicKey *pubKey);
1611
1612	extern const sslNamedGroupDef ssl_GetECGroupForServerSocket(sslSocket ss);
1613	extern void ssl_FilterSupportedGroups(sslSocket *ss);
1614
1615	extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
1616	extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
1617
1618	extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
1619	extern SECStatus ssl3_CipherPrefGet(const sslSocket ss, ssl3CipherSuite which, PRBool on);
1620
1621	extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
1622	extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
1623
1624	extern void ssl3_InitSocketPolicy(sslSocket *ss);
1625
1626	extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
1627	extern SECStatus ssl3_HandleHandshakeMessage(sslSocket ss, PRUint8 b,
1628	PRUint32 length,
1629	PRBool endOfRecord);
1630
1631	extern void ssl3_DestroySSL3Info(sslSocket *ss);
1632
1633	extern SECStatus ssl_ClientReadVersion(sslSocket ss, PRUint8 *b,
1634	PRUint32 *length,
1635	SSL3ProtocolVersion *version);
1636	extern SECStatus ssl3_NegotiateVersion(sslSocket *ss,
1637	SSL3ProtocolVersion peerVersion,
1638	PRBool allowLargerPeerVersion);
1639	extern SECStatus ssl_ClientSetCipherSuite(sslSocket *ss,
1640	SSL3ProtocolVersion version,
1641	ssl3CipherSuite suite,
1642	PRBool initHashes);
1643
1644	extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
1645
1646	/* ECDH functions */
1647	extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket *ss,
1648	SECKEYPublicKey *svrPubKey);
1649	extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss,
1650	PRUint8 *b, PRUint32 length);
1651	extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss,
1652	PRUint8 *b, PRUint32 length,
1653	sslKeyPair *serverKeys);
1654	extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss);
1655	extern SECStatus ssl_ImportECDHKeyShare(
1656	SECKEYPublicKey *peerKey,
1657	PRUint8 b, PRUint32 length, const sslNamedGroupDef curve);
1658
1659	extern SECStatus ssl3_ComputeCommonKeyHash(SSLHashType hashAlg,
1660	PRUint8 *hashBuf,
1661	unsigned int bufLen,
1662	SSL3Hashes *hashes);
1663	extern SECStatus ssl3_AppendSignatureAndHashAlgorithm(
1664	sslSocket ss, const SSLSignatureAndHashAlg sigAndHash);
1665	extern SECStatus ssl3_ConsumeHandshake(sslSocket ss, void v, PRUint32 bytes,
1666	PRUint8 *b, PRUint32 length);
1667	extern SECStatus ssl3_ConsumeHandshakeNumber(sslSocket ss, PRUint32 num,
1668	PRUint32 bytes, PRUint8 **b,
1669	PRUint32 *length);
1670	extern SECStatus ssl3_ConsumeHandshakeNumber64(sslSocket ss, PRUint64 num,
1671	PRUint32 bytes, PRUint8 **b,
1672	PRUint32 *length);
1673	extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket ss, SECItem i,
1674	PRUint32 bytes, PRUint8 **b,
1675	PRUint32 *length);
1676	extern SECStatus ssl_SignatureSchemeFromSpki(const CERTSubjectPublicKeyInfo *spki,
1677	PRBool isTls13,
1678	SSLSignatureScheme *scheme);
1679	extern PRBool ssl_SignatureSchemeEnabled(const sslSocket *ss,
1680	SSLSignatureScheme scheme);
1681	extern PRBool ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme);
1682	extern SECStatus ssl_CheckSignatureSchemeConsistency(
1683	sslSocket ss, SSLSignatureScheme scheme, CERTSubjectPublicKeyInfo spki);
1684	extern SECStatus ssl_ParseSignatureSchemes(const sslSocket ss, PLArenaPool arena,
1685	SSLSignatureScheme **schemesOut,
1686	unsigned int *numSchemesOut,
1687	unsigned char **b,
1688	unsigned int *len);
1689	extern SECStatus ssl_ConsumeSignatureScheme(
1690	sslSocket ss, PRUint8 b, PRUint32 length, SSLSignatureScheme *out);
1691	extern SECStatus ssl3_SignHashesWithPrivKey(SSL3Hashes *hash,
1692	SECKEYPrivateKey *key,
1693	SSLSignatureScheme scheme,
1694	PRBool isTls,
1695	SECItem *buf);
1696	extern SECStatus ssl3_SignHashes(sslSocket ss, SSL3Hashes hash,
1697	SECKEYPrivateKey key, SECItem buf);
1698	extern SECStatus ssl_VerifySignedHashesWithPubKey(sslSocket *ss,
1699	SECKEYPublicKey *spki,
1700	SSLSignatureScheme scheme,
1701	SSL3Hashes *hash,
1702	SECItem *buf);
1703	extern SECStatus ssl3_VerifySignedHashes(sslSocket *ss, SSLSignatureScheme scheme,
1704	SSL3Hashes hash, SECItem buf);
1705	extern SECStatus ssl3_CacheWrappedSecret(sslSocket ss, sslSessionID sid,
1706	PK11SymKey *secret);
1707	extern void ssl3_FreeSniNameArray(TLSExtensionData *xtnData);
1708
1709	/* Hello Extension related routines. */
1710	extern void ssl3_SetSIDSessionTicket(sslSessionID *sid,
1711	/in/out/ NewSessionTicket *session_ticket);
1712	SECStatus ssl3_EncodeSessionTicket(sslSocket *ss,
1713	const NewSessionTicket *ticket,
1714	const PRUint8 *appToken,
1715	unsigned int appTokenLen,
1716	PK11SymKey secret, SECItem ticket_data);
1717	SECStatus SSLExp_SendSessionTicket(PRFileDesc fd, const PRUint8 token,
1718	unsigned int tokenLen);
1719
1720	SECStatus ssl_MaybeSetSelfEncryptKeyPair(const sslKeyPair *keyPair);
1721	SECStatus ssl_GetSelfEncryptKeys(sslSocket ss, unsigned char keyName,
1722	PK11SymKey encKey, PK11SymKey macKey);
1723	void ssl_ResetSelfEncryptKeys();
1724
1725	extern SECStatus ssl3_ValidateAppProtocol(const unsigned char *data,
1726	unsigned int length);
1727
1728	/* Construct a new NSPR socket for the app to use */
1729	extern PRFileDesc ssl_NewPRSocket(sslSocket ss, PRFileDesc *fd);
1730	extern void ssl_FreePRSocket(PRFileDesc *fd);
1731
1732	/* Internal config function so SSL3 can initialize the present state of
1733	* various ciphers */
1734	extern unsigned int ssl3_config_match_init(sslSocket *);
1735
1736	/* Return PR_TRUE if suite is usable. This if the suite is permitted by policy,
1737	* enabled, has a certificate (as needed), has a viable key agreement method, is
1738	* usable with the negotiated TLS version, and is otherwise usable. */
1739	PRBool ssl3_config_match(const ssl3CipherSuiteCfg *suite, PRUint8 policy,
1740	const SSLVersionRange vrange, const sslSocket ss);
1741
1742	/* calls for accessing wrapping keys across processes. */
1743	extern SECStatus
1744	ssl_GetWrappingKey(unsigned int symWrapMechIndex,
1745	unsigned int wrapKeyIndex, SSLWrappedSymWrappingKey *wswk);
1746
1747	/* The caller passes in the new value it wants
1748	* to set. This code tests the wrapped sym key entry in the file on disk.
1749	* If it is uninitialized, this function writes the caller's value into
1750	* the disk entry, and returns false.
1751	* Otherwise, it overwrites the caller's wswk with the value obtained from
1752	* the disk, and returns PR_TRUE.
1753	* This is all done while holding the locks/semaphores necessary to make
1754	* the operation atomic.
1755	*/
1756	extern SECStatus
1757	ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
1758
1759	/* get rid of the symmetric wrapping key references. */
1760	extern SECStatus SSL3_ShutdownServerCache(void);
1761
1762	extern SECStatus ssl_InitSymWrapKeysLock(void);
1763
1764	extern SECStatus ssl_FreeSymWrapKeysLock(void);
1765
1766	extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
1767
1768	extern SECStatus ssl_FreeSessionCacheLocks(void);
1769
1770	CK_MECHANISM_TYPE ssl3_Alg2Mech(SSLCipherAlgorithm calg);
1771	SECStatus ssl3_NegotiateCipherSuiteInner(sslSocket ss, const SECItem suites,
1772	PRUint16 version, PRUint16 *suitep);
1773	SECStatus ssl3_NegotiateCipherSuite(sslSocket ss, const SECItem suites,
1774	PRBool initHashes);
1775	SECStatus ssl3_InitHandshakeHashes(sslSocket *ss);
1776	void ssl3_CoalesceEchHandshakeHashes(sslSocket *ss);
1777	SECStatus ssl3_ServerCallSNICallback(sslSocket *ss);
1778	SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags);
1779	SECStatus ssl3_CompleteHandleCertificate(sslSocket *ss,
1780	PRUint8 *b, PRUint32 length);
1781	void ssl3_SendAlertForCertError(sslSocket *ss, PRErrorCode errCode);
1782	SECStatus ssl3_HandleNoCertificate(sslSocket *ss);
1783	SECStatus ssl3_SendEmptyCertificate(sslSocket *ss);
1784	void ssl3_CleanupPeerCerts(sslSocket *ss);
1785	SECStatus ssl3_SendCertificateStatus(sslSocket *ss);
1786	SECStatus ssl_SetAuthKeyBits(sslSocket ss, const SECKEYPublicKey pubKey);
1787	SECStatus ssl3_HandleServerSpki(sslSocket *ss);
1788	SECStatus ssl3_AuthCertificate(sslSocket *ss);
1789	SECStatus ssl_ReadCertificateStatus(sslSocket ss, PRUint8 b,
1790	PRUint32 length);
1791	SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool forCert,
1792	PRBool grease, sslBuffer *buf);
1793	SECStatus ssl3_EncodeFilteredSigAlgs(const sslSocket *ss,
1794	const SSLSignatureScheme *schemes,
1795	PRUint32 numSchemes, PRBool grease, sslBuffer *buf);
1796	SECStatus ssl3_FilterSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool disableRsae, PRBool forCert,
1797	unsigned int maxSchemes, SSLSignatureScheme *filteredSchemes,
1798	unsigned int *numFilteredSchemes);
1799	SECStatus ssl_GetCertificateRequestCAs(const sslSocket *ss,
1800	unsigned int *calenp,
1801	const SECItem **namesp,
1802	unsigned int *nnamesp);
1803	SECStatus ssl3_ParseCertificateRequestCAs(sslSocket ss, PRUint8 *b,
1804	PRUint32 length, CERTDistNames ca_list);
1805	SECStatus ssl3_BeginHandleCertificateRequest(
1806	sslSocket ss, const SSLSignatureScheme signatureSchemes,
1807	unsigned int signatureSchemeCount, CERTDistNames *ca_list);
1808	SECStatus ssl_ConstructServerHello(sslSocket *ss, PRBool helloRetry,
1809	const sslBuffer *extensionBuf,
1810	sslBuffer *messageBuf);
1811	SECStatus ssl3_SendServerHello(sslSocket *ss);
1812	SECStatus ssl3_SendChangeCipherSpecsInt(sslSocket *ss);
1813	SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss,
1814	ssl3CipherSpec *spec,
1815	SSL3Hashes *hashes,
1816	PRUint32 sender);
1817	SECStatus ssl_CreateECDHEphemeralKeyPair(const sslSocket *ss,
1818	const sslNamedGroupDef *ecGroup,
1819	sslEphemeralKeyPair **keyPair);
1820	SECStatus ssl_CreateStaticECDHEKey(sslSocket *ss,
1821	const sslNamedGroupDef *ecGroup);
1822	SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags);
1823	SECStatus ssl3_GetNewRandom(SSL3Random random);
1824	PK11SymKey ssl3_GetWrappingKey(sslSocket ss,
1825	PK11SlotInfo *masterSecretSlot,
1826	CK_MECHANISM_TYPE masterWrapMech,
1827	void *pwArg);
1828	SECStatus ssl3_FillInCachedSID(sslSocket ss, sslSessionID sid,
1829	PK11SymKey *secret);
1830	const ssl3CipherSuiteDef *ssl_LookupCipherSuiteDef(ssl3CipherSuite suite);
1831	const ssl3CipherSuiteCfg *ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite,
1832	const ssl3CipherSuiteCfg *suites);
1833	PRBool ssl3_CipherSuiteAllowedForVersionRange(ssl3CipherSuite cipherSuite,
1834	const SSLVersionRange *vrange);
1835
1836	SECStatus ssl3_SelectServerCert(sslSocket *ss);
1837	SECStatus ssl_PrivateKeySupportsRsaPss(SECKEYPrivateKey *privKey,
1838	CERTCertificate *cert,
1839	void *pwArg,
1840	PRBool *supportsRsaPss);
1841	SECStatus ssl_PickSignatureScheme(sslSocket *ss,
1842	CERTCertificate *cert,
1843	SECKEYPublicKey *pubKey,
1844	SECKEYPrivateKey *privKey,
1845	const SSLSignatureScheme *peerSchemes,
1846	unsigned int peerSchemeCount,
1847	PRBool requireSha1,
1848	SSLSignatureScheme *schemPtr);
1849	SECStatus ssl_PickClientSignatureScheme(sslSocket *ss,
1850	CERTCertificate *clientCertificate,
1851	SECKEYPrivateKey *privKey,
1852	const SSLSignatureScheme *schemes,
1853	unsigned int numSchemes,
1854	SSLSignatureScheme *schemePtr);
1855	SECOidTag ssl3_HashTypeToOID(SSLHashType hashType);
1856	SECOidTag ssl3_AuthTypeToOID(SSLAuthType hashType);
1857	SSLHashType ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme);
1858	SSLAuthType ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme);
1859
1860	SECStatus ssl3_SetupCipherSuite(sslSocket *ss, PRBool initHashes);
1861	SECStatus ssl_InsertRecordHeader(const sslSocket ss, ssl3CipherSpec cwSpec,
1862	SSLContentType contentType, sslBuffer *wrBuf,
1863	PRBool *needsLength);
1864	PRBool ssl_SignatureSchemeValid(SSLSignatureScheme scheme, SECOidTag spkiOid,
1865	PRBool isTls13);
1866
1867	/* Pull in DTLS functions */
1868	#include "dtlscon.h"
1869
1870	/* Pull in TLS 1.3 functions */
1871	#include "tls13con.h"
1872	#include "dtls13con.h"
1873
1874	/******************** misc calls *******************/
1875
1876	#ifdef DEBUG1
1877	extern void ssl3_CheckCipherSuiteOrderConsistency();
1878	#endif
1879
1880	extern int ssl_MapLowLevelError(int hiLevelError);
1881
1882	PRTime ssl_Time(const sslSocket *ss);
1883	PRBool ssl_TicketTimeValid(const sslSocket ss, const NewSessionTicket ticket);
1884
1885	extern void SSL_AtomicIncrementLong(long *x);
1886
1887	SECStatus ssl3_ApplyNSSPolicy(void);
1888
1889	extern SECStatus
1890	ssl3_TLSPRFWithMasterSecret(sslSocket ss, ssl3CipherSpec spec,
1891	const char *label, unsigned int labelLen,
1892	const unsigned char *val, unsigned int valLen,
1893	unsigned char *out, unsigned int outLen);
1894
1895	extern void
1896	ssl3_RecordKeyLog(sslSocket ss, const char label, PK11SymKey *secret);
1897
1898	PRBool ssl_AlpnTagAllowed(const sslSocket ss, const SECItem tag);
1899
1900	#ifdef TRACE
1901	#define SSL_TRACE(msg)ssl_Trace msg ssl_Trace msg
1902	#else
1903	#define SSL_TRACE(msg)ssl_Trace msg
1904	#endif
1905
1906	void ssl_Trace(const char *format, ...);
1907
1908	void ssl_CacheExternalToken(sslSocket *ss);
1909	SECStatus ssl_DecodeResumptionToken(sslSessionID sid, const PRUint8 encodedTicket,
1910	PRUint32 encodedTicketLen);
1911	PRBool ssl_IsResumptionTokenUsable(sslSocket ss, sslSessionID sid);
1912
1913	/* unwrap helper function to handle the case where the wrapKey doesn't wind
1914	* * up in the correct token for the master secret */
1915	PK11SymKey ssl_unwrapSymKey(PK11SymKey wrapKey,
1916	CK_MECHANISM_TYPE wrapType, SECItem *param,
1917	SECItem *wrappedKey,
1918	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
1919	int keySize, CK_FLAGS keyFlags, void *pinArg);
1920
1921	/* determine if the current ssl connection is operating in FIPS mode */
1922	PRBool ssl_isFIPS(sslSocket *ss);
1923
1924	/* Experimental APIs. Remove when stable. */
1925
1926	SECStatus SSLExp_SetResumptionTokenCallback(PRFileDesc *fd,
1927	SSLResumptionTokenCallback cb,
1928	void *ctx);
1929	SECStatus SSLExp_SetResumptionToken(PRFileDesc fd, const PRUint8 token,
1930	unsigned int len);
1931
1932	SECStatus SSLExp_GetResumptionTokenInfo(const PRUint8 *tokenData, unsigned int tokenLen,
1933	SSLResumptionTokenInfo *token, unsigned int version);
1934
1935	SECStatus SSLExp_DestroyResumptionTokenInfo(SSLResumptionTokenInfo *token);
1936
1937	SECStatus SSLExp_SecretCallback(PRFileDesc *fd, SSLSecretCallback cb,
1938	void *arg);
1939	SECStatus SSLExp_RecordLayerWriteCallback(PRFileDesc *fd,
1940	SSLRecordWriteCallback write,
1941	void *arg);
1942	SECStatus SSLExp_RecordLayerData(PRFileDesc *fd, PRUint16 epoch,
1943	SSLContentType contentType,
1944	const PRUint8 *data, unsigned int len);
1945	SECStatus SSLExp_GetCurrentEpoch(PRFileDesc fd, PRUint16 readEpoch,
1946	PRUint16 *writeEpoch);
1947
1948	#define SSLResumptionTokenVersion2 2
1949
1950	SECStatus SSLExp_MakeAead(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *secret,
1951	const char *labelPrefix, unsigned int labelPrefixLen,
1952	SSLAeadContext **ctx);
1953
1954	SECStatus SSLExp_MakeVariantAead(PRUint16 version, PRUint16 cipherSuite, SSLProtocolVariant variant,
1955	PK11SymKey secret, const char labelPrefix,
1956	unsigned int labelPrefixLen, SSLAeadContext **ctx);
1957	SECStatus SSLExp_DestroyAead(SSLAeadContext *ctx);
1958	SECStatus SSLExp_AeadEncrypt(const SSLAeadContext *ctx, PRUint64 counter,
1959	const PRUint8 *aad, unsigned int aadLen,
1960	const PRUint8 *plaintext, unsigned int plaintextLen,
1961	PRUint8 out, unsigned int outLen, unsigned int maxOut);
1962	SECStatus SSLExp_AeadDecrypt(const SSLAeadContext *ctx, PRUint64 counter,
1963	const PRUint8 *aad, unsigned int aadLen,
1964	const PRUint8 *plaintext, unsigned int plaintextLen,
1965	PRUint8 out, unsigned int outLen, unsigned int maxOut);
1966
1967	/* The next function is responsible for registering a certificate compression mechanism
1968	to be used for TLS connection.
1969	The caller passes SSLCertificateCompressionAlgorithm algorithm:
1970
1971	typedef struct SSLCertificateCompressionAlgorithmStr {
1972	SSLCertificateCompressionAlgorithmID id;
1973	const char* name;
1974	SECStatus (encode)(const SECItem input, SECItem* output);
1975	SECStatus (decode)(const SECItem input, unsigned char* output, size_t outputLen, size_t* usedLen);
1976	} SSLCertificateCompressionAlgorithm;
1977
1978	Certificate Compression encoding function is responsible for allocating the output buffer itself.
1979	If encoding function fails, the function has the install the appropriate error code and return an error.
1980
1981	Certificate Compression decoding function operates an output buffer allocated in NSS.
1982	The function returns success or an error code.
1983	If successful, the function sets the number of bytes used to stored the decoded certificate
1984	in the outparam usedLen. If provided buffer is not enough to store the output (or any problem has occured during
1985	decoding of the buffer), the function has the install the appropriate error code and return an error.
1986	Note: usedLen is always <= outputLen.
1987
1988	*/
1989	SECStatus SSLExp_SetCertificateCompressionAlgorithm(PRFileDesc *fd, SSLCertificateCompressionAlgorithm alg);
1990	SECStatus SSLExp_HkdfExtract(PRUint16 version, PRUint16 cipherSuite,
1991	PK11SymKey salt, PK11SymKey ikm, PK11SymKey **keyp);
1992	SECStatus SSLExp_HkdfExpandLabel(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
1993	const PRUint8 *hsHash, unsigned int hsHashLen,
1994	const char *label, unsigned int labelLen,
1995	PK11SymKey **key);
1996	SECStatus SSLExp_HkdfVariantExpandLabel(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
1997	const PRUint8 *hsHash, unsigned int hsHashLen,
1998	const char *label, unsigned int labelLen,
1999	SSLProtocolVariant variant, PK11SymKey **key);
2000	SECStatus
2001	SSLExp_HkdfExpandLabelWithMech(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
2002	const PRUint8 *hsHash, unsigned int hsHashLen,
2003	const char *label, unsigned int labelLen,
2004	CK_MECHANISM_TYPE mech, unsigned int keySize,
2005	PK11SymKey **keyp);
2006	SECStatus
2007	SSLExp_HkdfVariantExpandLabelWithMech(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
2008	const PRUint8 *hsHash, unsigned int hsHashLen,
2009	const char *label, unsigned int labelLen,
2010	CK_MECHANISM_TYPE mech, unsigned int keySize,
2011	SSLProtocolVariant variant, PK11SymKey **keyp);
2012
2013	SECStatus SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled);
2014
2015	SECStatus SSLExp_SetTimeFunc(PRFileDesc fd, SSLTimeFunc f, void arg);
2016
2017	extern SECStatus ssl_CreateMaskingContextInner(PRUint16 version, PRUint16 cipherSuite,
2018	SSLProtocolVariant variant,
2019	PK11SymKey *secret,
2020	const char *label,
2021	unsigned int labelLen,
2022	SSLMaskingContext **ctx);
2023
2024	extern SECStatus ssl_CreateMaskInner(SSLMaskingContext ctx, const PRUint8 sample,
2025	unsigned int sampleLen, PRUint8 *outMask,
2026	unsigned int maskLen);
2027
2028	extern SECStatus ssl_DestroyMaskingContextInner(SSLMaskingContext *ctx);
2029
2030	SECStatus SSLExp_CreateMaskingContext(PRUint16 version, PRUint16 cipherSuite,
2031	PK11SymKey *secret,
2032	const char *label,
2033	unsigned int labelLen,
2034	SSLMaskingContext **ctx);
2035
2036	SECStatus SSLExp_CreateVariantMaskingContext(PRUint16 version, PRUint16 cipherSuite,
2037	SSLProtocolVariant variant,
2038	PK11SymKey *secret,
2039	const char *label,
2040	unsigned int labelLen,
2041	SSLMaskingContext **ctx);
2042
2043	SECStatus SSLExp_CreateMask(SSLMaskingContext ctx, const PRUint8 sample,
2044	unsigned int sampleLen, PRUint8 *mask,
2045	unsigned int len);
2046
2047	SECStatus SSLExp_DestroyMaskingContext(SSLMaskingContext *ctx);
2048
2049	SECStatus SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled);
2050	SECStatus SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size);
2051
2052	SECStatus SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled);
2053	SECStatus SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled);
2054
2055	SECStatus SSLExp_PeerCertificateChainDER(PRFileDesc fd, SECItemArray *out);
2056
2057	SEC_END_PROTOS
2058
2059	#if defined(XP_UNIX1)
2060	#define SSL_GETPIDgetpid getpid
2061	#elif defined(WIN32)
2062	#define SSL_GETPIDgetpid _getpid
2063	#else
2064	#define SSL_GETPIDgetpid() 0
2065	#endif
2066
2067	#endif /* __sslimpl_h_ */