/root/firefox-clang/security/nss/lib/ssl/sslimpl.h

Bug Summary

File:

root/firefox-clang/security/nss/lib/ssl/sslimpl.h

Warning:

line 642, column 16
Excessive padding in 'struct SSL3HandshakeStateStr' (53 padding bytes, where 5 is optimal). Optimal fields order: md5, sha, shaEchInner, shaPostHandshake, kea_def, suite_def, msg_len, clientAuthSignatureSchemes, restartTarget, rtTimer, ackTimer, hdTimer, currentSecret, resumptionMasterSecret, dheSecret, clientEarlyTrafficSecret, clientHsTrafficSecret, serverHsTrafficSecret, clientTrafficSecret, serverTrafficSecret, earlyExporterSecret, exporterSecret, rttEstimate, echHpkeCtx, echPublicName, grease, dtlsHandhakeKeyUpdateMessage, chExtensionPermutation, remoteExtensions, echOuterExtensions, lastMessageFlight, cipherSpecs, bufferedEarlyData, psks, dtlsSentHandshake, dtlsRcvdHandshake, messages, echInnerMessages, msg_body, recvdFragments, cookie, srvVirtName, fakeSid, greaseEchBuf, dtls13ClientMessageBuffer, newSessionTicket, timers, ws, hashType, signatureScheme, header_bytes, msg_type, isResuming, sendingSCSV, receivedNewSessionTicket, clientCertificatePending, clientAuthSignatureSchemesLen, authCertificatePending, canFalseStart, preliminaryInfo, recvdHighWater, isKeyUpdateInProgress, allowPreviousEpoch, rtRetries, zeroRttState, zeroRttIgnore, helloRetry, receivedCcs, rejectCcs, clientCertRequested, endOfFlight, echAccepted, echDecided, echInvalidExtension, keyUpdateDeferred, deferredKeyUpdateRequest, kea_def_mutable, cipher_suite, finishedBytes, sendMessageSeq, maxMessageSent, recvMessageSeq, zeroRttSuite, ticketNonce, greaseEchSize, server_random, client_random, client_inner_random, finishedMsgs, consider reordering the fields or adding explicit padding members

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -O2 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name authcert.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -ffp-contract=off -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/root/firefox-clang/obj-x86_64-pc-linux-gnu/security/nss/lib/ssl/ssl_ssl -fcoverage-compilation-dir=/root/firefox-clang/obj-x86_64-pc-linux-gnu/security/nss/lib/ssl/ssl_ssl -resource-dir /usr/lib/llvm-22/lib/clang/22 -include /root/firefox-clang/obj-x86_64-pc-linux-gnu/mozilla-config.h -U _FORTIFY_SOURCE -D _FORTIFY_SOURCE=2 -D _GLIBCXX_ASSERTIONS -D DEBUG -D NSS_FIPS_DISABLED -D NSS_NO_INIT_SUPPORT -D NSS_X86_OR_X64 -D NSS_X64 -D NSS_USE_64 -D NSS_ALLOW_SSLKEYLOGFILE -D USE_UTIL_DIRECTLY -D NO_NSPR_10_SUPPORT -D SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -D LINUX2_1 -D LINUX -D linux -D _DEFAULT_SOURCE -D _BSD_SOURCE -D _POSIX_SOURCE -D SDB_MEASURE_USE_TEMP_DIR -D HAVE_STRERROR -D XP_UNIX -D _REENTRANT -D NSS_DISABLE_DBM -D NSS_DISABLE_LIBPKIX -I /root/firefox-clang/security/nss/lib/ssl -I /root/firefox-clang/obj-x86_64-pc-linux-gnu/security/nss/lib/ssl/ssl_ssl -I /root/firefox-clang/obj-x86_64-pc-linux-gnu/dist/include/nspr -I /root/firefox-clang/obj-x86_64-pc-linux-gnu/dist/include/private/nss -I /root/firefox-clang/obj-x86_64-pc-linux-gnu/dist/include/nss -I /root/firefox-clang/obj-x86_64-pc-linux-gnu/dist/include -D MOZILLA_CLIENT -internal-isystem /usr/lib/llvm-22/lib/clang/22/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/15/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -Wno-error=tautological-type-limit-compare -Wno-range-loop-analysis -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wno-error=atomic-alignment -Wno-error=deprecated-builtins -Wno-psabi -Wno-error=builtin-macro-redefined -Wno-unknown-warning-option -Wno-character-conversion -ferror-limit 19 -fstrict-flex-arrays=1 -stack-protector 2 -fstack-clash-protection -ftrivial-auto-var-init=pattern -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -vectorize-loops -vectorize-slp -analyzer-checker optin.performance.Padding -analyzer-output=html -analyzer-config stable-report-filename=true -faddrsig -fdwarf2-cfi-asm -o /tmp/scan-build-2026-01-01-094441-2823109-1 -x c /root/firefox-clang/security/nss/lib/ssl/authcert.c

1	/* -- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -- */
2	/*
3	* This file is PRIVATE to SSL and should be the first thing included by
4	* any SSL implementation file.
5	*
6	* This Source Code Form is subject to the terms of the Mozilla Public
7	* License, v. 2.0. If a copy of the MPL was not distributed with this
8	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
9
10	#ifndef __sslimpl_h_
11	#define __sslimpl_h_
12
13	#ifdef DEBUG1
14	#undef NDEBUG
15	#else
16	#undef NDEBUG
17	#define NDEBUG
18	#endif
19	#include "secport.h"
20	#include "secerr.h"
21	#include "sslerr.h"
22	#include "sslexp.h"
23	#include "ssl3prot.h"
24	#include "hasht.h"
25	#include "nssilock.h"
26	#include "pkcs11t.h"
27	#if defined(XP_UNIX1)
28	#include "unistd.h"
29	#elif defined(XP_WIN)
30	#include <process.h>
31	#endif
32	#include "nssrwlk.h"
33	#include "prthread.h"
34	#include "prclist.h"
35	#include "private/pprthred.h"
36
37	#include "sslt.h" /* for some formerly private types, now public */
38
39	typedef struct sslSocketStr sslSocket;
40	typedef struct sslNamedGroupDefStr sslNamedGroupDef;
41	typedef struct sslEchConfigStr sslEchConfig;
42	typedef struct sslEchConfigContentsStr sslEchConfigContents;
43	typedef struct sslEchCookieDataStr sslEchCookieData;
44	typedef struct sslEchXtnStateStr sslEchXtnState;
45	typedef struct sslPskStr sslPsk;
46	typedef struct sslDelegatedCredentialStr sslDelegatedCredential;
47	typedef struct sslEphemeralKeyPairStr sslEphemeralKeyPair;
48	typedef struct TLS13KeyShareEntryStr TLS13KeyShareEntry;
49
50	#include "sslencode.h"
51	#include "sslexp.h"
52	#include "ssl3ext.h"
53	#include "sslspec.h"
54
55	#if defined(DEBUG1) \|\| defined(TRACE)
56	#ifdef __cplusplus
57	#define Debug 1
58	#else
59	extern int Debug;
60	#endif
61	#else
62	#undef Debug
63	#endif
64
65	#if defined(DEBUG1) && !defined(TRACE) && !defined(NISCC_TEST)
66	#define TRACE
67	#endif
68
69	#ifdef TRACE
70	#define SSL_TRC(a, b)if (ssl_trace >= (a)) ssl_Trace b \
71	if (ssl_trace >= (a)) \
72	ssl_Trace b
73	#define PRINT_BUF(a, b)if (ssl_trace >= (a)) ssl_PrintBuf b \
74	if (ssl_trace >= (a)) \
75	ssl_PrintBuf b
76	#define PRINT_KEY(a, b)if (ssl_trace >= (a)) ssl_PrintKey b \
77	if (ssl_trace >= (a)) \
78	ssl_PrintKey b
79	#else
80	#define SSL_TRC(a, b)if (ssl_trace >= (a)) ssl_Trace b
81	#define PRINT_BUF(a, b)if (ssl_trace >= (a)) ssl_PrintBuf b
82	#define PRINT_KEY(a, b)if (ssl_trace >= (a)) ssl_PrintKey b
83	#endif
84
85	#ifdef DEBUG1
86	#define SSL_DBG(b)if (ssl_debug) ssl_Trace b \
87	if (ssl_debug) \
88	ssl_Trace b
89	#else
90	#define SSL_DBG(b)if (ssl_debug) ssl_Trace b
91	#endif
92
93	#define LSB(x)((unsigned char)((x)&0xff)) ((unsigned char)((x)&0xff))
94	#define MSB(x)((unsigned char)(((unsigned)(x)) >> 8)) ((unsigned char)(((unsigned)(x)) >> 8))
95
96	#define CONST_CAST(T, X)((T )(X)) ((T )(X))
97
98	/************************************************************************/
99
100	typedef enum { SSLAppOpRead = 0,
101	SSLAppOpWrite,
102	SSLAppOpRDWR,
103	SSLAppOpPost,
104	SSLAppOpHeader
105	} SSLAppOperation;
106
107	#define SSL3_SESSIONID_BYTES32 32
108
109	#define SSL_MIN_CHALLENGE_BYTES16 16
110	#define SSL_MAX_CHALLENGE_BYTES32 32
111
112	#define SSL3_MASTER_SECRET_LENGTH48 48
113
114	/* number of wrap mechanisms potentially used to wrap master secrets. */
115	#define SSL_NUM_WRAP_MECHS15 15
116	#define SSL_NUM_WRAP_KEYS6 6
117
118	/* This makes the cert cache entry exactly 4k. */
119	#define SSL_MAX_CACHED_CERT_LEN4060 4060
120
121	#ifndef BPB8
122	#define BPB8 8 /* Bits Per Byte */
123	#endif
124
125	/* The default value from RFC 4347 is 1s, which is too slow. */
126	#define DTLS_RETRANSMIT_INITIAL_MS50 50
127	/* The maximum time to wait between retransmissions. */
128	#define DTLS_RETRANSMIT_MAX_MS10000 10000
129	/* Time to wait in FINISHED state for retransmissions. */
130	#define DTLS_RETRANSMIT_FINISHED_MS30000 30000
131
132	/* default number of entries in namedGroupPreferences */
133	#define SSL_NAMED_GROUP_COUNT33 33
134
135	/* The maximum DH and RSA bit-length supported. */
136	#define SSL_MAX_DH_KEY_BITS8192 8192
137	#define SSL_MAX_RSA_KEY_BITS8192 8192
138
139	/* Types and names of elliptic curves used in TLS */
140	typedef enum {
141	ec_type_explicitPrime = 1, /* not supported */
142	ec_type_explicitChar2Curve = 2, /* not supported */
143	ec_type_named = 3
144	} ECType;
145
146	typedef enum {
147	ticket_allow_early_data = 1,
148	ticket_allow_psk_ke = 2,
149	ticket_allow_psk_dhe_ke = 4,
150	ticket_allow_psk_auth = 8,
151	ticket_allow_psk_sign_auth = 16
152	} TLS13SessionTicketFlags;
153
154	typedef enum {
155	update_not_requested = 0,
156	update_requested = 1
157	} tls13KeyUpdateRequest;
158
159	struct sslNamedGroupDefStr {
160	/* The name is the value that is encoded on the wire in TLS. */
161	SSLNamedGroup name;
162	/* The number of bits in the group. */
163	unsigned int bits;
164	/* The key exchange algorithm this group provides. */
165	SSLKEAType keaType;
166	/* The OID that identifies the group to PKCS11. This also determines
167	* whether the group is enabled in policy. */
168	SECOidTag oidTag;
169	/* Assume that the group is always supported. */
170	PRBool assumeSupported;
171	};
172
173	typedef struct sslConnectInfoStr sslConnectInfo;
174	typedef struct sslGatherStr sslGather;
175	typedef struct sslSecurityInfoStr sslSecurityInfo;
176	typedef struct sslSessionIDStr sslSessionID;
177	typedef struct sslSocketOpsStr sslSocketOps;
178
179	typedef struct ssl3StateStr ssl3State;
180	typedef struct ssl3CertNodeStr ssl3CertNode;
181	typedef struct sslKeyPairStr sslKeyPair;
182	typedef struct ssl3DHParamsStr ssl3DHParams;
183
184	struct ssl3CertNodeStr {
185	struct ssl3CertNodeStr *next;
186	SECItem *derCert;
187	};
188
189	typedef SECStatus (sslHandshakeFunc)(sslSocket ss);
190
191	void ssl_CacheSessionID(sslSocket *ss);
192	void ssl_UncacheSessionID(sslSocket *ss);
193	void ssl_ServerCacheSessionID(sslSessionID *sid, PRTime creationTime);
194	void ssl_ServerUncacheSessionID(sslSessionID *sid);
195
196	typedef sslSessionID (sslSessionIDLookupFunc)(PRTime ssl_now,
197	const PRIPv6Addr *addr,
198	unsigned char *sid,
199	unsigned int sidLen,
200	CERTCertDBHandle *dbHandle);
201
202	/* Socket ops */
203	struct sslSocketOpsStr {
204	int (connect)(sslSocket , const PRNetAddr *);
205	PRFileDesc (accept)(sslSocket , PRNetAddr );
206	int (bind)(sslSocket , const PRNetAddr *);
207	int (listen)(sslSocket , int);
208	int (shutdown)(sslSocket , int);
209	int (close)(sslSocket );
210
211	int (recv)(sslSocket , unsigned char *, int, int);
212
213	/* points to the higher-layer send func, e.g. ssl_SecureSend. */
214	int (send)(sslSocket , const unsigned char *, int, int);
215	int (read)(sslSocket , unsigned char *, int);
216	int (write)(sslSocket , const unsigned char *, int);
217
218	int (getpeername)(sslSocket , PRNetAddr *);
219	int (getsockname)(sslSocket , PRNetAddr *);
220	};
221
222	/* Flags interpreted by ssl send functions. */
223	#define ssl_SEND_FLAG_FORCE_INTO_BUFFER0x40000000 0x40000000
224	#define ssl_SEND_FLAG_NO_BUFFER0x20000000 0x20000000
225	#define ssl_SEND_FLAG_NO_RETRANSMIT0x08000000 0x08000000 /* DTLS only */
226	#define ssl_SEND_FLAG_MASK0x7f000000 0x7f000000
227
228	/*
229	** SSL3 cipher suite policy and preference struct.
230	*/
231	typedef struct {
232	#if !defined(_WIN32)
233	unsigned int cipher_suite : 16;
234	unsigned int policy : 8;
235	unsigned int enabled : 1;
236	unsigned int isPresent : 1;
237	#else
238	ssl3CipherSuite cipher_suite;
239	PRUint8 policy;
240	unsigned char enabled : 1;
241	unsigned char isPresent : 1;
242	#endif
243	} ssl3CipherSuiteCfg;
244
245	#define ssl_V3_SUITES_IMPLEMENTED71 71
246
247	#define MAX_DTLS_SRTP_CIPHER_SUITES4 4
248
249	/* MAX_SIGNATURE_SCHEMES allows for all the values we support. */
250	#define MAX_SIGNATURE_SCHEMES18 18
251
252	#define MAX_SUPPORTED_CERTIFICATE_COMPRESSION_ALGS32 32
253
254	typedef struct sslOptionsStr {
255	/* If SSL_SetNextProtoNego has been called, then this contains the
256	* list of supported protocols. */
257	SECItem nextProtoNego;
258	PRUint16 recordSizeLimit;
259
260	PRUint32 maxEarlyDataSize;
261	unsigned int useSecurity : 1;
262	unsigned int useSocks : 1;
263	unsigned int requestCertificate : 1;
264	unsigned int requireCertificate : 2;
265	unsigned int handshakeAsClient : 1;
266	unsigned int handshakeAsServer : 1;
267	unsigned int noCache : 1;
268	unsigned int fdx : 1;
269	unsigned int detectRollBack : 1;
270	unsigned int noLocks : 1;
271	unsigned int enableSessionTickets : 1;
272	unsigned int enableDeflate : 1; /* Deprecated. */
273	unsigned int enableRenegotiation : 2;
274	unsigned int requireSafeNegotiation : 1;
275	unsigned int enableFalseStart : 1;
276	unsigned int cbcRandomIV : 1;
277	unsigned int enableOCSPStapling : 1;
278	unsigned int enableALPN : 1;
279	unsigned int reuseServerECDHEKey : 1;
280	unsigned int enableFallbackSCSV : 1;
281	unsigned int enableServerDhe : 1;
282	unsigned int enableExtendedMS : 1;
283	unsigned int enableSignedCertTimestamps : 1;
284	unsigned int requireDHENamedGroups : 1;
285	unsigned int enable0RttData : 1;
286	unsigned int enableTls13CompatMode : 1;
287	unsigned int enableDtlsShortHeader : 1;
288	unsigned int enableHelloDowngradeCheck : 1;
289	unsigned int enableV2CompatibleHello : 1;
290	unsigned int enablePostHandshakeAuth : 1;
291	unsigned int enableDelegatedCredentials : 1;
292	unsigned int enableDtls13VersionCompat : 1;
293	unsigned int suppressEndOfEarlyData : 1;
294	unsigned int enableTls13GreaseEch : 1;
295	unsigned int enableTls13BackendEch : 1;
296	unsigned int callExtensionWriterOnEchInner : 1;
297	unsigned int enableGrease : 1;
298	unsigned int enableChXtnPermutation : 1;
299	unsigned int dbLoadCertChain : 1;
300	} sslOptions;
301
302	typedef enum { sslHandshakingUndetermined = 0,
303	sslHandshakingAsClient,
304	sslHandshakingAsServer
305	} sslHandshakingType;
306
307	#define SSL_LOCK_RANK_SPEC255 255
308
309	/* These are the valid values for shutdownHow.
310	** These values are each 1 greater than the NSPR values, and the code
311	** depends on that relation to efficiently convert PR_SHUTDOWN values
312	** into ssl_SHUTDOWN values. These values use one bit for read, and
313	** another bit for write, and can be used as bitmasks.
314	*/
315	#define ssl_SHUTDOWN_NONE0 0 /* NOT shutdown at all */
316	#define ssl_SHUTDOWN_RCV1 1 /* PR_SHUTDOWN_RCV +1 */
317	#define ssl_SHUTDOWN_SEND2 2 /* PR_SHUTDOWN_SEND +1 */
318	#define ssl_SHUTDOWN_BOTH3 3 /* PR_SHUTDOWN_BOTH +1 */
319
320	/*
321	** A gather object. Used to read some data until a count has been
322	** satisfied. Primarily for support of async sockets.
323	** Everything in here is protected by the recvBufLock.
324	*/
325	struct sslGatherStr {
326	int state; /* see GS_ values below. */
327
328	/* "buf" holds received plaintext SSL records, after decrypt and MAC check.
329	* recv'd ciphertext records are put in inbuf (see below), then decrypted
330	* into buf.
331	*/
332	sslBuffer buf; /recvBufLock/
333
334	/* number of bytes previously read into hdr or inbuf.
335	** (offset - writeOffset) is the number of ciphertext bytes read in but
336	** not yet deciphered.
337	*/
338	unsigned int offset;
339
340	/* number of bytes to read in next call to ssl_DefRecv (recv) */
341	unsigned int remainder;
342
343	/* DoRecv uses the next two values to extract application data.
344	** The difference between writeOffset and readOffset is the amount of
345	** data available to the application. Note that the actual offset of
346	** the data in "buf" is recordOffset (above), not readOffset.
347	** In the current implementation, this is made available before the
348	** MAC is checked!!
349	*/
350	unsigned int readOffset; /* Spot where DATA reader (e.g. application
351	** or handshake code) will read next.
352	** Always zero for SSl3 application data.
353	*/
354	/* offset in buf/inbuf/hdr into which new data will be read from socket. */
355	unsigned int writeOffset;
356
357	/* Buffer for ssl3 to read (encrypted) data from the socket */
358	sslBuffer inbuf; /recvBufLock/
359
360	/* The ssl[23]_GatherData functions read data into this buffer, rather
361	** than into buf or inbuf, while in the GS_HEADER state.
362	** The portion of the SSL record header put here always comes off the wire
363	** as plaintext, never ciphertext.
364	** For SSL3/TLS, the plaintext portion is 5 bytes long. For DTLS it
365	** varies based on version and header type.
366	*/
367	unsigned char hdr[13];
368	unsigned int hdrLen;
369
370	/* Buffer for DTLS data read off the wire as a single datagram */
371	sslBuffer dtlsPacket;
372
373	/* the start of the buffered DTLS record in dtlsPacket */
374	unsigned int dtlsPacketOffset;
375
376	/* tracks whether we've seen a v3-type record before and must reject
377	* any further v2-type records. */
378	PRBool rejectV2Records;
379	};
380
381	/* sslGather.state */
382	#define GS_INIT0 0
383	#define GS_HEADER1 1
384	#define GS_DATA2 2
385
386	#define WRAPPED_MASTER_SECRET_SIZE48 48
387
388	typedef struct {
389	PRUint8 wrapped_master_secret[WRAPPED_MASTER_SECRET_SIZE48];
390	PRUint8 wrapped_master_secret_len;
391	PRUint8 resumable;
392	PRUint8 extendedMasterSecretUsed;
393	} ssl3SidKeys; /* 52 bytes */
394
395	typedef enum { never_cached,
396	in_client_cache,
397	in_server_cache,
398	invalid_cache, /* no longer in any cache. */
399	in_external_cache
400	} Cached;
401
402	#include "sslcert.h"
403
404	struct sslSessionIDStr {
405	/* The global cache lock must be held when accessing these members when the
406	* sid is in any cache.
407	*/
408	sslSessionID next; / chain used for client sockets, only */
409	Cached cached;
410	int references;
411	PRTime lastAccessTime;
412
413	/* The rest of the members, except for the members of u.ssl3.locked, may
414	* be modified only when the sid is not in any cache.
415	*/
416
417	CERTCertificate *peerCert;
418	SECItemArray peerCertStatus; /* client only */
419	const char peerID; / client only */
420	const char urlSvrName; / client only */
421	const sslNamedGroupDef namedCurve; / (server) for certificate lookup */
422	CERTCertificate *localCert;
423
424	PRIPv6Addr addr;
425	PRUint16 port;
426
427	SSL3ProtocolVersion version;
428
429	PRTime creationTime;
430	PRTime expirationTime;
431
432	SSLAuthType authType;
433	PRUint32 authKeyBits;
434	SSLKEAType keaType;
435	PRUint32 keaKeyBits;
436	SSLNamedGroup keaGroup;
437	SSLSignatureScheme sigScheme;
438
439	union {
440	struct {
441	/* values that are copied into the server's on-disk SID cache. */
442	PRUint8 sessionIDLength;
443	PRUint8 sessionID[SSL3_SESSIONID_BYTES32];
444
445	ssl3CipherSuite cipherSuite;
446	PRUint8 policy;
447	ssl3SidKeys keys;
448	/* mechanism used to wrap master secret */
449	CK_MECHANISM_TYPE masterWrapMech;
450
451	/* The following values pertain to the slot that wrapped the
452	** master secret. (used only in client)
453	*/
454	SECMODModuleID masterModuleID;
455	/* what module wrapped the master secret */
456	CK_SLOT_ID masterSlotID;
457	PRUint16 masterWrapIndex;
458	/* what's the key index for the wrapping key */
459	PRUint16 masterWrapSeries;
460	/* keep track of the slot series, so we don't
461	* accidently try to use new keys after the
462	* card gets removed and replaced.*/
463
464	/* The following values pertain to the slot that did the signature
465	** for client auth. (used only in client)
466	*/
467	SECMODModuleID clAuthModuleID;
468	CK_SLOT_ID clAuthSlotID;
469	PRUint16 clAuthSeries;
470
471	char masterValid;
472	char clAuthValid;
473
474	SECItem srvName;
475
476	/* Signed certificate timestamps received in a TLS extension.
477	** (used only in client).
478	*/
479	SECItem signedCertTimestamps;
480
481	/* The ALPN value negotiated in the original connection.
482	* Used for TLS 1.3. */
483	SECItem alpnSelection;
484
485	/* This lock is lazily initialized by CacheSID when a sid is first
486	* cached. Before then, there is no need to lock anything because
487	* the sid isn't being shared by anything.
488	*/
489	PRRWLock *lock;
490
491	/* The lock must be held while reading or writing these members
492	* because they change while the sid is cached.
493	*/
494	struct {
495	/* The session ticket, if we have one, is sent as an extension
496	* in the ClientHello message. This field is used only by
497	* clients. It is protected by lock when lock is non-null
498	* (after the sid has been added to the client session cache).
499	*/
500	NewSessionTicket sessionTicket;
501	} locked;
502	} ssl3;
503	} u;
504	};
505
506	struct ssl3CipherSuiteDefStr {
507	ssl3CipherSuite cipher_suite;
508	SSL3BulkCipher bulk_cipher_alg;
509	SSL3MACAlgorithm mac_alg;
510	SSL3KeyExchangeAlgorithm key_exchange_alg;
511	SSLHashType prf_hash;
512	};
513
514	/*
515	** There are tables of these, all const.
516	*/
517	typedef struct {
518	/* An identifier for this struct. */
519	SSL3KeyExchangeAlgorithm kea;
520	/* The type of key exchange used by the cipher suite. */
521	SSLKEAType exchKeyType;
522	/* If the cipher suite uses a signature, the type of key used in the
523	* signature. */
524	KeyType signKeyType;
525	/* In most cases, cipher suites depend on their signature type for
526	* authentication, ECDH certificates being the exception. */
527	SSLAuthType authKeyType;
528	/* True if the key exchange for the suite is ephemeral. Or to be more
529	* precise: true if the ServerKeyExchange message is always required. */
530	PRBool ephemeral;
531	/* An OID describing the key exchange */
532	SECOidTag oid;
533	} ssl3KEADef;
534
535	typedef enum {
536	ssl_0rtt_none, /* 0-RTT not present */
537	ssl_0rtt_sent, /* 0-RTT sent (no decision yet) */
538	ssl_0rtt_accepted, /* 0-RTT sent and accepted */
539	ssl_0rtt_ignored, /* 0-RTT sent but rejected/ignored */
540	ssl_0rtt_done /* 0-RTT accepted, but finished */
541	} sslZeroRttState;
542
543	typedef enum {
544	ssl_0rtt_ignore_none, /* not ignoring */
545	ssl_0rtt_ignore_trial, /* ignoring with trial decryption */
546	ssl_0rtt_ignore_hrr /* ignoring until ClientHello (due to HRR) */
547	} sslZeroRttIgnore;
548
549	typedef enum {
550	idle_handshake,
551	wait_client_hello,
552	wait_end_of_early_data,
553	wait_client_cert,
554	wait_client_key,
555	wait_cert_verify,
556	wait_change_cipher,
557	wait_finished,
558	wait_server_hello,
559	wait_certificate_status,
560	wait_server_cert,
561	wait_server_key,
562	wait_cert_request,
563	wait_hello_done,
564	wait_new_session_ticket,
565	wait_encrypted_extensions,
566	wait_invalid /* Invalid value. There is no handshake message "invalid". */
567	} SSL3WaitState;
568
569	typedef enum {
570	client_hello_initial, /* The first attempt. */
571	client_hello_retry, /* If we receive HelloRetryRequest. */
572	client_hello_retransmit, /* In DTLS, if we receive HelloVerifyRequest. */
573	client_hello_renegotiation /* A renegotiation attempt. */
574	} sslClientHelloType;
575
576	typedef struct SessionTicketDataStr SessionTicketData;
577
578	typedef SECStatus (sslRestartTarget)(sslSocket );
579
580	/*
581	** A DTLS queued message (potentially to be retransmitted)
582	*/
583	typedef struct DTLSQueuedMessageStr {
584	PRCList link; /* The linked list link */
585	ssl3CipherSpec cwSpec; / The cipher spec to use, null for none */
586	SSLContentType type; /* The message type */
587	unsigned char data; / The data */
588	PRUint16 len; /* The data length */
589	} DTLSQueuedMessage;
590
591	struct TLS13KeyShareEntryStr {
592	PRCList link; /* The linked list link */
593	const sslNamedGroupDef group; / The group for the entry */
594	SECItem key_exchange; /* The share itself */
595	};
596
597	typedef struct TLS13EarlyDataStr {
598	PRCList link; /* The linked list link */
599	unsigned int consumed; /* How much has been read. */
600	SECItem data; /* The data */
601	} TLS13EarlyData;
602
603	typedef enum {
604	handshake_hash_unknown = 0,
605	handshake_hash_combo = 1, /* The MD5/SHA-1 combination */
606	handshake_hash_single = 2, /* A single hash */
607	handshake_hash_record
608	} SSL3HandshakeHashType;
609
610	// A DTLS Timer.
611	typedef void (DTLSTimerCb)(sslSocket );
612
613	typedef struct {
614	const char *label;
615	DTLSTimerCb cb;
616	PRIntervalTime started;
617	PRUint32 timeout;
618	} dtlsTimer;
619
620	/* TLS 1.3 client GREASE entry indices. */
621	typedef enum {
622	grease_cipher,
623	grease_extension1,
624	grease_extension2,
625	grease_group,
626	grease_sigalg,
627	grease_version,
628	grease_alpn,
629	grease_entries
630	} tls13ClientGreaseEntry;
631
632	/* TLS 1.3 client GREASE values struct. */
633	typedef struct tls13ClientGreaseStr {
634	PRUint16 idx[grease_entries];
635	PRUint8 pskKem;
636	} tls13ClientGrease;
637
638	/*
639	** This is the "hs" member of the "ssl3" struct.
640	** This entire struct is protected by ssl3HandshakeLock
641	*/
642	typedef struct SSL3HandshakeStateStr {
	Excessive padding in 'struct SSL3HandshakeStateStr' (53 padding bytes, where 5 is optimal). Optimal fields order: md5, sha, shaEchInner, shaPostHandshake, kea_def, suite_def, msg_len, clientAuthSignatureSchemes, restartTarget, rtTimer, ackTimer, hdTimer, currentSecret, resumptionMasterSecret, dheSecret, clientEarlyTrafficSecret, clientHsTrafficSecret, serverHsTrafficSecret, clientTrafficSecret, serverTrafficSecret, earlyExporterSecret, exporterSecret, rttEstimate, echHpkeCtx, echPublicName, grease, dtlsHandhakeKeyUpdateMessage, chExtensionPermutation, remoteExtensions, echOuterExtensions, lastMessageFlight, cipherSpecs, bufferedEarlyData, psks, dtlsSentHandshake, dtlsRcvdHandshake, messages, echInnerMessages, msg_body, recvdFragments, cookie, srvVirtName, fakeSid, greaseEchBuf, dtls13ClientMessageBuffer, newSessionTicket, timers, ws, hashType, signatureScheme, header_bytes, msg_type, isResuming, sendingSCSV, receivedNewSessionTicket, clientCertificatePending, clientAuthSignatureSchemesLen, authCertificatePending, canFalseStart, preliminaryInfo, recvdHighWater, isKeyUpdateInProgress, allowPreviousEpoch, rtRetries, zeroRttState, zeroRttIgnore, helloRetry, receivedCcs, rejectCcs, clientCertRequested, endOfFlight, echAccepted, echDecided, echInvalidExtension, keyUpdateDeferred, deferredKeyUpdateRequest, kea_def_mutable, cipher_suite, finishedBytes, sendMessageSeq, maxMessageSent, recvMessageSeq, zeroRttSuite, ticketNonce, greaseEchSize, server_random, client_random, client_inner_random, finishedMsgs, consider reordering the fields or adding explicit padding members
643	SSL3Random server_random;
644	SSL3Random client_random;
645	SSL3Random client_inner_random; /* TLS 1.3 ECH Inner. */
646	SSL3WaitState ws; /* May also contain SSL3WaitState \| 0x80 for TLS 1.3 */
647
648	/* This group of members is used for handshake running hashes. */
649	SSL3HandshakeHashType hashType;
650	sslBuffer messages; /* Accumulated handshake messages */
651	sslBuffer echInnerMessages; /* Accumulated ECH Inner handshake messages */
652	/* PKCS #11 mode:
653	* SSL 3.0 - TLS 1.1 use both \|md5\| and \|sha\|. \|md5\| is used for MD5 and
654	* \|sha\| for SHA-1.
655	* TLS 1.2 and later use only \|sha\| variants, for SHA-256.
656	* Under normal (non-1.3 ECH) handshakes, only \|sha\| and \|shaPostHandshake\|
657	* are used. When doing 1.3 ECH, \|sha\| contains the transcript hash
658	* corresponding to the outer Client Hello. To facilitate secure retry and
659	* disablement, \|shaEchInner\|, tracks, in parallel, the transcript hash
660	* corresponding to the inner Client Hello. Once we process the SH
661	* extensions, coalesce into \|sha\|. */
662	PK11Context *md5;
663	PK11Context *sha;
664	PK11Context *shaEchInner;
665	PK11Context *shaPostHandshake;
666	SSLSignatureScheme signatureScheme;
667	const ssl3KEADef *kea_def;
668	ssl3CipherSuite cipher_suite;
669	const ssl3CipherSuiteDef *suite_def;
670	sslBuffer msg_body; /* protected by recvBufLock */
671	/* partial handshake message from record layer */
672	unsigned int header_bytes;
673	/* number of bytes consumed from handshake */
674	/* message for message type and header length */
675	SSLHandshakeType msg_type;
676	unsigned long msg_len;
677	PRBool isResuming; /* we are resuming (not used in TLS 1.3) */
678	PRBool sendingSCSV; /* instead of empty RI */
679
680	/* The session ticket received in a NewSessionTicket message is temporarily
681	* stored in newSessionTicket until the handshake is finished; then it is
682	* moved to the sid.
683	*/
684	PRBool receivedNewSessionTicket;
685	NewSessionTicket newSessionTicket;
686
687	PRUint16 finishedBytes; /* size of single finished below */
688	union {
689	TLSFinished tFinished[2]; /* client, then server */
690	SSL3Finished sFinished[2];
691	PRUint8 data[72];
692	} finishedMsgs;
693
694	/* True when handshake is blocked on client certificate selection */
695	PRBool clientCertificatePending;
696	/* Parameters stored whilst waiting for client certificate */
697	SSLSignatureScheme *clientAuthSignatureSchemes;
698	unsigned int clientAuthSignatureSchemesLen;
699
700	PRBool authCertificatePending;
701	/* Which function should SSL_RestartHandshake* call if we're blocked?
702	* One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake,
703	* or ssl3_AlwaysFail */
704	sslRestartTarget restartTarget;
705
706	PRBool canFalseStart; /* Can/did we False Start */
707	/* Which preliminaryinfo values have been set. */
708	PRUint32 preliminaryInfo;
709
710	/* Parsed extensions */
711	PRCList remoteExtensions; /* Parsed incoming extensions */
712	PRCList echOuterExtensions; /* If ECH, hold CHOuter extensions for decompression. */
713
714	/* This group of values is used for DTLS */
715	PRUint16 sendMessageSeq; /* The sending message sequence
716	* number */
717	PRCList lastMessageFlight; /* The last message flight we
718	* sent */
719	PRUint16 maxMessageSent; /* The largest message we sent */
720	PRUint16 recvMessageSeq; /* The receiving message sequence
721	* number */
722	sslBuffer recvdFragments; /* The fragments we have received in
723	* a bitmask */
724	PRInt32 recvdHighWater; /* The high water mark for fragments
725	* received. -1 means no reassembly
726	* in progress. */
727	SECItem cookie; /* The Hello(Retry\|Verify)Request cookie. */
728	dtlsTimer timers[3]; /* Holder for timers. */
729	dtlsTimer rtTimer; / Retransmit timer. */
730	dtlsTimer ackTimer; / Ack timer (DTLS 1.3 only). */
731	dtlsTimer hdTimer; / Read cipher holddown timer. */
732
733	/* KeyUpdate state machines */
734	PRBool isKeyUpdateInProgress; /* The status of KeyUpdate -: {true == started, false == finished}. */
735	PRBool allowPreviousEpoch; /* The flag whether the previous epoch messages are allowed or not: {true == allowed, false == forbidden}. */
736
737	PRUint32 rtRetries; /* The retry counter */
738	SECItem srvVirtName; /* for server: name that was negotiated
739	* with a client. For client - is
740	* always set to NULL.*/
741
742	/* This group of values is used for TLS 1.3 and above */
743	PK11SymKey currentSecret; / The secret down the "left hand side"
744	* of the TLS 1.3 key schedule. */
745	PK11SymKey resumptionMasterSecret; / The resumption_master_secret. */
746	PK11SymKey dheSecret; / The (EC)DHE shared secret. */
747	PK11SymKey clientEarlyTrafficSecret; / The secret we use for 0-RTT. */
748	PK11SymKey clientHsTrafficSecret; / The source keys for handshake */
749	PK11SymKey serverHsTrafficSecret; / traffic keys. */
750	PK11SymKey clientTrafficSecret; / The source keys for application */
751	PK11SymKey serverTrafficSecret; / traffic keys */
752	PK11SymKey earlyExporterSecret; / for 0-RTT exporters */
753	PK11SymKey exporterSecret; / for exporters */
754	PRCList cipherSpecs; /* The cipher specs in the sequence they
755	* will be applied. */
756	sslZeroRttState zeroRttState; /* Are we doing a 0-RTT handshake? */
757	sslZeroRttIgnore zeroRttIgnore; /* Are we ignoring 0-RTT? */
758	ssl3CipherSuite zeroRttSuite; /* The cipher suite we used for 0-RTT. */
759	PRCList bufferedEarlyData; /* Buffered TLS 1.3 early data
760	* on server.*/
761	PRBool helloRetry; /* True if HelloRetryRequest has been sent
762	* or received. */
763	PRBool receivedCcs; /* A server received ChangeCipherSpec
764	* before the handshake started. */
765	PRBool rejectCcs; /* Excessive ChangeCipherSpecs are rejected. */
766	PRBool clientCertRequested; /* True if CertificateRequest received. */
767	PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */
768	ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def
769	* we use for TLS 1.3 */
770	PRUint16 ticketNonce; /* A counter we use for tickets. */
771	SECItem fakeSid; /* ... (server) the SID the client used. */
772	PRCList psks; /* A list of PSKs, resumption and/or external. */
773
774	/* rttEstimate is used to guess the round trip time between server and client.
775	* When the server sends ServerHello it sets this to the current time.
776	* Only after it receives a message from the client's second flight does it
777	* set the value to something resembling an RTT estimate. */
778	PRTime rttEstimate;
779
780	/* The following lists contain DTLSHandshakeRecordEntry */
781	PRCList dtlsSentHandshake; /* Used to map records to handshake fragments. */
782	PRCList dtlsRcvdHandshake; /* Handshake records we have received
783	* used to generate ACKs. */
784
785	/* TLS 1.3 ECH state. */
786	PRUint8 greaseEchSize;
787	PRBool echAccepted; /* Client/Server: True if we've commited to using CHInner. */
788	PRBool echDecided;
789	HpkeContext echHpkeCtx; / Client/Server: HPKE context for ECH. */
790	const char echPublicName; / Client: If rejected, the ECHConfig.publicName to
791	* use for certificate verification. */
792	sslBuffer greaseEchBuf; /* Client: Remember GREASE ECH, as advertised, for CH2 (HRR case).
793	Server: Remember HRR Grease Value, for transcript calculations */
794	PRBool echInvalidExtension; /* Client: True if the server offered an invalid extension for the ClientHelloInner */
795
796	/* TLS 1.3 GREASE state. */
797	tls13ClientGrease *grease;
798
799	/*
800	KeyUpdate variables:
801	This is true if we deferred sending a key update as
802	* post-handshake auth is in progress. */
803	PRBool keyUpdateDeferred;
804	tls13KeyUpdateRequest deferredKeyUpdateRequest;
805	/* The identifier of the keyUpdate message that is sent but not yet acknowledged */
806	PRUint64 dtlsHandhakeKeyUpdateMessage;
807
808	/* ClientHello Extension Permutation state. */
809	sslExtensionBuilder *chExtensionPermutation;
810
811	/* Used by client to store a message that's to be hashed during the HandleServerHello. */
812	sslBuffer dtls13ClientMessageBuffer;
813	} SSL3HandshakeState;
814
815	#define SSL_ASSERT_HASHES_EMPTY(ss)do { ((ss->ssl3.hs.hashType == handshake_hash_unknown)?((void )0):PR_Assert("ss->ssl3.hs.hashType == handshake_hash_unknown" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",815)); ( (ss->ssl3.hs.messages.len == 0)?((void)0):PR_Assert("ss->ssl3.hs.messages.len == 0" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",815)); ( (ss->ssl3.hs.echInnerMessages.len == 0)?((void)0):PR_Assert ("ss->ssl3.hs.echInnerMessages.len == 0","/root/firefox-clang/security/nss/lib/ssl/sslimpl.h" ,815)); } while (0) \
816	do { \
817	PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown)((ss->ssl3.hs.hashType == handshake_hash_unknown)?((void)0 ):PR_Assert("ss->ssl3.hs.hashType == handshake_hash_unknown" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",817)); \
818	PORT_Assert(ss->ssl3.hs.messages.len == 0)((ss->ssl3.hs.messages.len == 0)?((void)0):PR_Assert("ss->ssl3.hs.messages.len == 0" ,"/root/firefox-clang/security/nss/lib/ssl/sslimpl.h",818)); \
819	PORT_Assert(ss->ssl3.hs.echInnerMessages.len == 0)((ss->ssl3.hs.echInnerMessages.len == 0)?((void)0):PR_Assert ("ss->ssl3.hs.echInnerMessages.len == 0","/root/firefox-clang/security/nss/lib/ssl/sslimpl.h" ,819)); \
820	} while (0)
821	/*
822	** This is the "ssl3" struct, as in "ss->ssl3".
823	** note:
824	** usually, crSpec == cwSpec and prSpec == pwSpec.
825	** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
826	** But there are never more than 2 actual specs.
827	** No spec must ever be modified if either "current" pointer points to it.
828	*/
829	struct ssl3StateStr {
830
831	/*
832	** The following Specs and Spec pointers must be protected using the
833	** Spec Lock.
834	*/
835	ssl3CipherSpec crSpec; / current read spec. */
836	ssl3CipherSpec prSpec; / pending read spec. */
837	ssl3CipherSpec cwSpec; / current write spec. */
838	ssl3CipherSpec pwSpec; / pending write spec. */
839
840	/* This is true after the peer requests a key update; false after a key
841	* update is initiated locally. */
842	PRBool peerRequestedKeyUpdate;
843
844	/* This is true after the server requests client certificate;
845	* false after the client certificate is received. Used by the
846	* server. */
847	PRBool clientCertRequested;
848
849	CERTCertificate clientCertificate; / used by client */
850	SECKEYPrivateKey clientPrivateKey; / used by client */
851	CERTCertificateList clientCertChain; / used by client */
852	PRBool sendEmptyCert; /* used by client */
853
854	PRUint8 policy;
855	/* This says what cipher suites we can do, and should
856	* be either SSL_ALLOWED or SSL_RESTRICTED
857	*/
858	PLArenaPool *peerCertArena;
859	/* These are used to keep track of the peer CA */
860	void *peerCertChain;
861	/* chain while we are trying to validate it. */
862	CERTDistNames *ca_list;
863	/* used by server. trusted CAs for this socket. */
864	SSL3HandshakeState hs;
865
866	PRUint16 mtu; /* Our estimate of the MTU */
867
868	/* DTLS-SRTP cipher suite preferences (if any) */
869	PRUint16 dtlsSRTPCiphers[MAX_DTLS_SRTP_CIPHER_SUITES4];
870	PRUint16 dtlsSRTPCipherCount;
871	PRBool fatalAlertSent;
872	PRBool dheWeakGroupEnabled; /* used by server */
873	const sslNamedGroupDef *dhePreferredGroup;
874
875	/* TLS 1.2 introduces separate signature algorithm negotiation.
876	* TLS 1.3 combined signature and hash into a single enum.
877	* This is our preference order. */
878	SSLSignatureScheme signatureSchemes[MAX_SIGNATURE_SCHEMES18];
879	unsigned int signatureSchemeCount;
880
881	/* The version to check if we fell back from our highest version
882	* of TLS. Default is 0 in which case we check against the maximum
883	* configured version for this socket. Used only on the client. */
884	SSL3ProtocolVersion downgradeCheckVersion;
885	/* supported certificate compression algorithms (if any) */
886	SSLCertificateCompressionAlgorithm supportedCertCompressionAlgorithms[MAX_SUPPORTED_CERTIFICATE_COMPRESSION_ALGS32];
887	PRUint8 supportedCertCompressionAlgorithmsCount;
888	};
889
890	/* Ethernet MTU but without subtracting the headers,
891	* so slightly larger than expected */
892	#define DTLS_MAX_MTU1500U 1500U
893	#define IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) (ss->protocolVariant == ssl_variant_datagram)
894	#define IS_DTLS_1_OR_12(ss)((ss->protocolVariant == ssl_variant_datagram) && ss ->version < SSL_LIBRARY_VERSION_TLS_1_3) (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && ss->version < SSL_LIBRARY_VERSION_TLS_1_3)
895	#define IS_DTLS_13_OR_ABOVE(ss)((ss->protocolVariant == ssl_variant_datagram) && ss ->version >= SSL_LIBRARY_VERSION_TLS_1_3) (IS_DTLS(ss)(ss->protocolVariant == ssl_variant_datagram) && ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)
896
897	typedef struct {
898	/* \|seqNum\| eventually contains the reconstructed sequence number. */
899	sslSequenceNumber seqNum;
900	/* The header of the cipherText. */
901	PRUint8 *hdr;
902	unsigned int hdrLen;
903
904	/* \|buf\| is the payload of the ciphertext. */
905	sslBuffer *buf;
906	} SSL3Ciphertext;
907
908	struct sslKeyPairStr {
909	SECKEYPrivateKey *privKey;
910	SECKEYPublicKey *pubKey;
911	PRInt32 refCount; /* use PR_Atomic calls for this. */
912	};
913
914	struct sslEphemeralKeyPairStr {
915	PRCList link;
916	const sslNamedGroupDef *group;
917	sslKeyPair *keys;
918	sslKeyPair *kemKeys;
919	SECItem *kemCt;
920	};
921
922	struct ssl3DHParamsStr {
923	SSLNamedGroup name;
924	SECItem prime; /* p */
925	SECItem base; /* g */
926	};
927
928	typedef struct SSLWrappedSymWrappingKeyStr {
929	PRUint8 wrappedSymmetricWrappingkey[SSL_MAX_RSA_KEY_BITS8192 / 8];
930	CK_MECHANISM_TYPE symWrapMechanism;
931	/* unwrapped symmetric wrapping key uses this mechanism */
932	CK_MECHANISM_TYPE asymWrapMechanism;
933	/* mechanism used to wrap the SymmetricWrappingKey using
934	* server's public and/or private keys. */
935	PRInt16 wrapMechIndex;
936	PRUint16 wrapKeyIndex;
937	PRUint16 wrappedSymKeyLen;
938	} SSLWrappedSymWrappingKey;
939
940	typedef struct SessionTicketStr {
941	PRBool valid;
942	SSL3ProtocolVersion ssl_version;
943	ssl3CipherSuite cipher_suite;
944	SSLAuthType authType;
945	PRUint32 authKeyBits;
946	SSLKEAType keaType;
947	PRUint32 keaKeyBits;
948	SSLNamedGroup originalKeaGroup;
949	SSLSignatureScheme signatureScheme;
950	const sslNamedGroupDef namedCurve; / For certificate lookup. */
951
952	/*
953	* msWrapMech contains a meaningful value only if ms_is_wrapped is true.
954	*/
955	PRUint8 ms_is_wrapped;
956	CK_MECHANISM_TYPE msWrapMech;
957	PRUint16 ms_length;
958	PRUint8 master_secret[48];
959	PRBool extendedMasterSecretUsed;
960	ClientAuthenticationType client_auth_type;
961	SECItem peer_cert;
962	PRTime timestamp;
963	PRUint32 flags;
964	SECItem srvName; /* negotiated server name */
965	SECItem alpnSelection;
966	PRUint32 maxEarlyData;
967	PRUint32 ticketAgeBaseline;
968	SECItem applicationToken;
969	} SessionTicket;
970
971	/*
972	* SSL2 buffers used in SSL3.
973	* writeBuf in the SecurityInfo maintained by sslsecur.c is used
974	* to hold the data just about to be passed to the kernel
975	* sendBuf in the ConnectInfo maintained by sslcon.c is used
976	* to hold handshake messages as they are accumulated
977	*/
978
979	/*
980	** This is "ci", as in "ss->sec.ci".
981	**
982	** Protection: All the variables in here are protected by
983	** firstHandshakeLock AND ssl3HandshakeLock
984	*/
985	struct sslConnectInfoStr {
986	/* outgoing handshakes appended to this. */
987	sslBuffer sendBuf; /xmitBufLock/
988
989	PRIPv6Addr peer;
990	unsigned short port;
991
992	sslSessionID *sid;
993	};
994
995	/* Note: The entire content of this struct and whatever it points to gets
996	* blown away by SSL_ResetHandshake(). This is "sec" as in "ss->sec".
997	*
998	* Unless otherwise specified below, the contents of this struct are
999	* protected by firstHandshakeLock AND ssl3HandshakeLock.
1000	*/
1001	struct sslSecurityInfoStr {
1002
1003	#define SSL_ROLE(ss)(ss->sec.isServer ? "server" : "client") (ss->sec.isServer ? "server" : "client")
1004
1005	PRBool isServer;
1006	sslBuffer writeBuf; /xmitBufLock/
1007
1008	CERTCertificate *localCert;
1009	CERTCertificate *peerCert;
1010	SECKEYPublicKey *peerKey;
1011
1012	SSLAuthType authType;
1013	PRUint32 authKeyBits;
1014	SSLSignatureScheme signatureScheme;
1015	SSLKEAType keaType;
1016	PRUint32 keaKeyBits;
1017	const sslNamedGroupDef *keaGroup;
1018	const sslNamedGroupDef *originalKeaGroup;
1019	/* The selected certificate (for servers only). */
1020	const sslServerCert *serverCert;
1021
1022	/* These are used during a connection handshake */
1023	sslConnectInfo ci;
1024	};
1025
1026	/*
1027	** SSL Socket struct
1028	**
1029	** Protection: XXX
1030	*/
1031	struct sslSocketStr {
1032	PRFileDesc *fd;
1033
1034	/* Pointer to operations vector for this socket */
1035	const sslSocketOps *ops;
1036
1037	/* SSL socket options */
1038	sslOptions opt;
1039	/* Enabled version range */
1040	SSLVersionRange vrange;
1041
1042	/* A function that returns the current time. */
1043	SSLTimeFunc now;
1044	void *nowArg;
1045
1046	/* State flags */
1047	unsigned long clientAuthRequested;
1048	unsigned long delayDisabled; /* Nagle delay disabled */
1049	unsigned long firstHsDone; /* first handshake is complete. */
1050	unsigned long enoughFirstHsDone; /* enough of the first handshake is
1051	* done for callbacks to be able to
1052	* retrieve channel security
1053	* parameters from the SSL socket. */
1054	unsigned long handshakeBegun;
1055	unsigned long lastWriteBlocked;
1056	unsigned long recvdCloseNotify; /* received SSL EOF. */
1057	unsigned long TCPconnected;
1058	unsigned long appDataBuffered;
1059	unsigned long peerRequestedProtection; /* from old renegotiation */
1060
1061	/* version of the protocol to use */
1062	SSL3ProtocolVersion version;
1063	SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */
1064
1065	sslSecurityInfo sec; /* not a pointer any more */
1066
1067	/* protected by firstHandshakeLock AND ssl3HandshakeLock. */
1068	const char *url;
1069
1070	sslHandshakeFunc handshake; /firstHandshakeLock/
1071
1072	/* the following variable is only used with socks or other proxies. */
1073	char peerID; / String uniquely identifies target server. */
1074
1075	/* ECDHE and DHE keys: In TLS 1.3, we might have to maintain multiple of
1076	* these on the client side. The server inserts a single value into this
1077	* list for all versions. */
1078	PRCList /<sslEphemeralKeyPair>/ ephemeralKeyPairs;
1079
1080	/* Callbacks */
1081	SSLAuthCertificate authCertificate;
1082	void *authCertificateArg;
1083	SSLGetClientAuthData getClientAuthData;
1084	void *getClientAuthDataArg;
1085	SSLSNISocketConfig sniSocketConfig;
1086	void *sniSocketConfigArg;
1087	SSLAlertCallback alertReceivedCallback;
1088	void *alertReceivedCallbackArg;
1089	SSLAlertCallback alertSentCallback;
1090	void *alertSentCallbackArg;
1091	SSLBadCertHandler handleBadCert;
1092	void *badCertArg;
1093	SSLHandshakeCallback handshakeCallback;
1094	void *handshakeCallbackData;
1095	SSLCanFalseStartCallback canFalseStartCallback;
1096	void *canFalseStartCallbackData;
1097	void *pkcs11PinArg;
1098	SSLNextProtoCallback nextProtoCallback;
1099	void *nextProtoArg;
1100	SSLHelloRetryRequestCallback hrrCallback;
1101	void *hrrCallbackArg;
1102	PRCList extensionHooks;
1103	SSLResumptionTokenCallback resumptionTokenCallback;
1104	void *resumptionTokenContext;
1105	SSLSecretCallback secretCallback;
1106	void *secretCallbackArg;
1107	SSLRecordWriteCallback recordWriteCallback;
1108	void *recordWriteCallbackArg;
1109
1110	PRIntervalTime rTimeout; /* timeout for NSPR I/O */
1111	PRIntervalTime wTimeout; /* timeout for NSPR I/O */
1112	PRIntervalTime cTimeout; /* timeout for NSPR I/O */
1113
1114	PZLockPRLock recvLock; / lock against multiple reader threads. */
1115	PZLockPRLock sendLock; / lock against multiple sender threads. */
1116
1117	PZMonitorPRMonitor recvBufLock; / locks low level recv buffers. */
1118	PZMonitorPRMonitor xmitBufLock; / locks low level xmit buffers. */
1119
1120	/* Only one thread may operate on the socket until the initial handshake
1121	** is complete. This Monitor ensures that. Since SSL2 handshake is
1122	** only done once, this is also effectively the SSL2 handshake lock.
1123	*/
1124	PZMonitorPRMonitor *firstHandshakeLock;
1125
1126	/* This monitor protects the ssl3 handshake state machine data.
1127	** Only one thread (reader or writer) may be in the ssl3 handshake state
1128	** machine at any time. */
1129	PZMonitorPRMonitor *ssl3HandshakeLock;
1130
1131	/* reader/writer lock, protects the secret data needed to encrypt and MAC
1132	** outgoing records, and to decrypt and MAC check incoming ciphertext
1133	** records. */
1134	NSSRWLock *specLock;
1135
1136	/* handle to perm cert db (and implicitly to the temp cert db) used
1137	** with this socket.
1138	*/
1139	CERTCertDBHandle *dbHandle;
1140
1141	PRThread writerThread; / thread holds SSL_LOCK_WRITER lock */
1142
1143	PRUint16 shutdownHow; /* See ssl_SHUTDOWN defines below. */
1144
1145	sslHandshakingType handshaking;
1146
1147	/* Gather object used for gathering data */
1148	sslGather gs; /recvBufLock/
1149
1150	sslBuffer saveBuf; /xmitBufLock/
1151	sslBuffer pendingBuf; /xmitBufLock/
1152
1153	/* Configuration state for server sockets */
1154	/* One server cert and key for each authentication type. */
1155	PRCList /* <sslServerCert> */ serverCerts;
1156
1157	ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED71];
1158
1159	/* A list of groups that are sorted according to user preferences pointing
1160	* to entries of ssl_named_groups. By default this list contains pointers
1161	* to all elements in ssl_named_groups in the default order.
1162	* This list also determines which groups are enabled. This
1163	* starts with all being enabled and can be modified either by negotiation
1164	* (in which case groups not supported by a peer are masked off), or by
1165	* calling SSL_DHEGroupPrefSet().
1166	* Note that renegotiation will ignore groups that were disabled in the
1167	* first handshake.
1168	*/
1169	const sslNamedGroupDef *namedGroupPreferences[SSL_NAMED_GROUP_COUNT33];
1170	/* The number of additional shares to generate for the TLS 1.3 ClientHello */
1171	unsigned int additionalShares;
1172
1173	/* SSL3 state info. Formerly was a pointer */
1174	ssl3State ssl3;
1175
1176	/*
1177	* TLS extension related data.
1178	*/
1179	/* True when the current session is a stateless resume. */
1180	PRBool statelessResume;
1181	TLSExtensionData xtnData;
1182
1183	/* Whether we are doing stream or datagram mode */
1184	SSLProtocolVariant protocolVariant;
1185
1186	/* TLS 1.3 Encrypted Client Hello. */
1187	PRCList echConfigs; /* Client/server: Must not change while hs
1188	* is in-progress. */
1189	SECKEYPublicKey echPubKey; / Server: The ECH keypair used in HPKE. */
1190	SECKEYPrivateKey echPrivKey; / As above. */
1191
1192	/* Anti-replay for TLS 1.3 0-RTT. */
1193	SSLAntiReplayContext *antiReplay;
1194
1195	/* An out-of-band PSK. */
1196	sslPsk *psk;
1197	};
1198
1199	struct sslSelfEncryptKeysStr {
1200	PRCallOnceType setup;
1201	PRUint8 keyName[SELF_ENCRYPT_KEY_NAME_LEN16];
1202	PK11SymKey *encKey;
1203	PK11SymKey *macKey;
1204	};
1205	typedef struct sslSelfEncryptKeysStr sslSelfEncryptKeys;
1206
1207	extern char ssl_debug;
1208	extern char ssl_trace;
1209	extern FILE *ssl_trace_iob;
1210	extern FILE *ssl_keylog_iob;
1211	extern PZLockPRLock *ssl_keylog_lock;
1212	static const PRUint32 ssl_ticket_lifetime = 2 * 24 * 60 * 60; // 2 days.
1213
1214	extern const char *const ssl3_cipherName[];
1215
1216	extern sslSessionIDLookupFunc ssl_sid_lookup;
1217
1218	extern const sslNamedGroupDef ssl_named_groups[];
1219
1220	/************************************************************************/
1221
1222	SEC_BEGIN_PROTOS
1223
1224	/* Internal initialization and installation of the SSL error tables */
1225	extern SECStatus ssl_Init(void);
1226	extern SECStatus ssl_InitializePRErrorTable(void);
1227
1228	/* Implementation of ops for default (non socks, non secure) case */
1229	extern int ssl_DefConnect(sslSocket ss, const PRNetAddr addr);
1230	extern PRFileDesc ssl_DefAccept(sslSocket ss, PRNetAddr *addr);
1231	extern int ssl_DefBind(sslSocket ss, const PRNetAddr addr);
1232	extern int ssl_DefListen(sslSocket *ss, int backlog);
1233	extern int ssl_DefShutdown(sslSocket *ss, int how);
1234	extern int ssl_DefClose(sslSocket *ss);
1235	extern int ssl_DefRecv(sslSocket ss, unsigned char buf, int len, int flags);
1236	extern int ssl_DefSend(sslSocket ss, const unsigned char buf,
1237	int len, int flags);
1238	extern int ssl_DefRead(sslSocket ss, unsigned char buf, int len);
1239	extern int ssl_DefWrite(sslSocket ss, const unsigned char buf, int len);
1240	extern int ssl_DefGetpeername(sslSocket ss, PRNetAddr name);
1241	extern int ssl_DefGetsockname(sslSocket ss, PRNetAddr name);
1242	extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname,
1243	void optval, PRInt32 optlen);
1244	extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname,
1245	const void *optval, PRInt32 optlen);
1246
1247	/* Implementation of ops for socks only case */
1248	extern int ssl_SocksConnect(sslSocket ss, const PRNetAddr addr);
1249	extern PRFileDesc ssl_SocksAccept(sslSocket ss, PRNetAddr *addr);
1250	extern int ssl_SocksBind(sslSocket ss, const PRNetAddr addr);
1251	extern int ssl_SocksListen(sslSocket *ss, int backlog);
1252	extern int ssl_SocksGetsockname(sslSocket ss, PRNetAddr name);
1253	extern int ssl_SocksRecv(sslSocket ss, unsigned char buf, int len, int flags);
1254	extern int ssl_SocksSend(sslSocket ss, const unsigned char buf,
1255	int len, int flags);
1256	extern int ssl_SocksRead(sslSocket ss, unsigned char buf, int len);
1257	extern int ssl_SocksWrite(sslSocket ss, const unsigned char buf, int len);
1258
1259	/* Implementation of ops for secure only case */
1260	extern int ssl_SecureConnect(sslSocket ss, const PRNetAddr addr);
1261	extern PRFileDesc ssl_SecureAccept(sslSocket ss, PRNetAddr *addr);
1262	extern int ssl_SecureRecv(sslSocket ss, unsigned char buf,
1263	int len, int flags);
1264	extern int ssl_SecureSend(sslSocket ss, const unsigned char buf,
1265	int len, int flags);
1266	extern int ssl_SecureRead(sslSocket ss, unsigned char buf, int len);
1267	extern int ssl_SecureWrite(sslSocket ss, const unsigned char buf, int len);
1268	extern int ssl_SecureShutdown(sslSocket *ss, int how);
1269	extern int ssl_SecureClose(sslSocket *ss);
1270
1271	/* Implementation of ops for secure socks case */
1272	extern int ssl_SecureSocksConnect(sslSocket ss, const PRNetAddr addr);
1273	extern PRFileDesc ssl_SecureSocksAccept(sslSocket ss, PRNetAddr *addr);
1274	extern PRFileDesc ssl_FindTop(sslSocket ss);
1275
1276	/* Gather funcs. */
1277	extern sslGather *ssl_NewGather(void);
1278	extern SECStatus ssl3_InitGather(sslGather *gs);
1279	extern void ssl3_DestroyGather(sslGather *gs);
1280	extern SECStatus ssl_GatherRecord1stHandshake(sslSocket *ss);
1281
1282	extern SECStatus ssl_CreateSecurityInfo(sslSocket *ss);
1283	extern SECStatus ssl_CopySecurityInfo(sslSocket ss, sslSocket os);
1284	extern void ssl_ResetSecurityInfo(sslSecurityInfo *sec, PRBool doMemset);
1285	extern void ssl_DestroySecurityInfo(sslSecurityInfo *sec);
1286
1287	extern void ssl_PrintBuf(const sslSocket ss, const char msg, const void *cp,
1288	int len);
1289	extern void ssl_PrintKey(const sslSocket ss, const char msg, PK11SymKey *key);
1290
1291	extern int ssl_SendSavedWriteData(sslSocket *ss);
1292	extern SECStatus ssl_SaveWriteData(sslSocket *ss,
1293	const void *p, unsigned int l);
1294	extern SECStatus ssl_BeginClientHandshake(sslSocket *ss);
1295	extern SECStatus ssl_BeginServerHandshake(sslSocket *ss);
1296	extern SECStatus ssl_Do1stHandshake(sslSocket *ss);
1297
1298	extern SECStatus ssl3_InitPendingCipherSpecs(sslSocket ss, PK11SymKey secret,
1299	PRBool derive);
1300	extern void ssl_DestroyKeyMaterial(ssl3KeyMaterial *keyMaterial);
1301	extern sslSessionID ssl3_NewSessionID(sslSocket ss, PRBool is_server);
1302	extern sslSessionID ssl_LookupSID(PRTime now, const PRIPv6Addr addr,
1303	PRUint16 port, const char *peerID,
1304	const char *urlSvrName);
1305	extern void ssl_FreeSID(sslSessionID *sid);
1306	extern void ssl_DestroySID(sslSessionID *sid, PRBool freeIt);
1307	extern sslSessionID ssl_ReferenceSID(sslSessionID sid);
1308
1309	extern int ssl3_SendApplicationData(sslSocket ss, const PRUint8 in,
1310	int len, int flags);
1311
1312	extern PRBool ssl_FdIsBlocking(PRFileDesc *fd);
1313
1314	extern PRBool ssl_SocketIsBlocking(sslSocket *ss);
1315
1316	extern void ssl3_SetAlwaysBlock(sslSocket *ss);
1317
1318	extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
1319
1320	extern SECStatus ssl_FinishHandshake(sslSocket *ss);
1321
1322	extern SECStatus ssl_CipherPolicySet(PRInt32 which, PRInt32 policy);
1323
1324	extern SECStatus ssl_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
1325
1326	extern SECStatus ssl3_ConstrainRangeByPolicy(void);
1327
1328	extern SECStatus ssl3_InitState(sslSocket *ss);
1329	extern SECStatus Null_Cipher(void ctx, unsigned char output, unsigned int *outputLen,
1330	unsigned int maxOutputLen, const unsigned char *input,
1331	unsigned int inputLen);
1332	extern void ssl3_RestartHandshakeHashes(sslSocket *ss);
1333	typedef SECStatus (sslUpdateHandshakeHashes)(sslSocket ss,
1334	const unsigned char *b,
1335	unsigned int l);
1336	extern SECStatus ssl3_UpdateHandshakeHashes(sslSocket *ss,
1337	const unsigned char *b,
1338	unsigned int l);
1339	extern SECStatus ssl3_UpdatePostHandshakeHashes(sslSocket *ss,
1340	const unsigned char *b,
1341	unsigned int l);
1342	SECStatus
1343	ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType type,
1344	PRUint32 dtlsSeq,
1345	const PRUint8 *b, PRUint32 length,
1346	sslUpdateHandshakeHashes cb);
1347	SECStatus ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType type,
1348	const PRUint8 *b, PRUint32 length);
1349	SECStatus ssl_HashHandshakeMessageEchInner(sslSocket *ss, SSLHandshakeType type,
1350	const PRUint8 *b, PRUint32 length);
1351	SECStatus ssl_HashHandshakeMessageDefault(sslSocket *ss, SSLHandshakeType type,
1352	const PRUint8 *b, PRUint32 length);
1353	SECStatus ssl_HashPostHandshakeMessage(sslSocket *ss, SSLHandshakeType type,
1354	const PRUint8 *b, PRUint32 length);
1355
1356	/* Returns PR_TRUE if we are still waiting for the server to complete its
1357	* response to our client second round. Once we've received the Finished from
1358	* the server then there is no need to check false start.
1359	*/
1360	extern PRBool ssl3_WaitingForServerSecondRound(sslSocket *ss);
1361
1362	extern PRInt32 ssl3_SendRecord(sslSocket ss, ssl3CipherSpec cwSpec,
1363	SSLContentType type,
1364	const PRUint8 *pIn, PRInt32 nIn,
1365	PRInt32 flags);
1366
1367	/* Clear any PRCList, optionally calling f on the value. */
1368	void ssl_ClearPRCList(PRCList list, void (f)(void *));
1369
1370	/*
1371	* Make sure there is room in the write buffer for padding and
1372	* cryptographic expansions.
1373	*/
1374	#define SSL3_BUFFER_FUDGE100 100
1375
1376	#define SSL_LOCK_READER(ss)if (ss->recvLock) PR_Lock((ss->recvLock)) \
1377	if (ss->recvLock) \
1378	PZ_Lock(ss->recvLock)PR_Lock((ss->recvLock))
1379	#define SSL_UNLOCK_READER(ss)if (ss->recvLock) PR_Unlock((ss->recvLock)) \
1380	if (ss->recvLock) \
1381	PZ_Unlock(ss->recvLock)PR_Unlock((ss->recvLock))
1382	#define SSL_LOCK_WRITER(ss)if (ss->sendLock) PR_Lock((ss->sendLock)) \
1383	if (ss->sendLock) \
1384	PZ_Lock(ss->sendLock)PR_Lock((ss->sendLock))
1385	#define SSL_UNLOCK_WRITER(ss)if (ss->sendLock) PR_Unlock((ss->sendLock)) \
1386	if (ss->sendLock) \
1387	PZ_Unlock(ss->sendLock)PR_Unlock((ss->sendLock))
1388
1389	PRBool ssl_HaveRecvBufLock(sslSocket *ss);
1390	PRBool ssl_HaveXmitBufLock(sslSocket *ss);
1391	PRBool ssl_Have1stHandshakeLock(sslSocket *ss);
1392	PRBool ssl_HaveSSL3HandshakeLock(sslSocket *ss);
1393	PRBool ssl_HaveSpecWriteLock(sslSocket *ss);
1394
1395	void ssl_Get1stHandshakeLock(sslSocket *ss);
1396	void ssl_Release1stHandshakeLock(sslSocket *ss);
1397
1398	void ssl_GetSSL3HandshakeLock(sslSocket *ss);
1399	void ssl_ReleaseSSL3HandshakeLock(sslSocket *ss);
1400
1401	void ssl_GetSpecReadLock(sslSocket *ss);
1402	void ssl_ReleaseSpecReadLock(sslSocket *ss);
1403
1404	void ssl_GetSpecWriteLock(sslSocket *ss);
1405	void ssl_ReleaseSpecWriteLock(sslSocket *ss);
1406
1407	void ssl_GetRecvBufLock(sslSocket *ss);
1408	void ssl_ReleaseRecvBufLock(sslSocket *ss);
1409
1410	void ssl_GetXmitBufLock(sslSocket *ss);
1411	void ssl_ReleaseXmitBufLock(sslSocket *ss);
1412
1413	/* Placeholder value used in version ranges when SSL 3.0 and all
1414	* versions of TLS are disabled.
1415	*/
1416	#define SSL_LIBRARY_VERSION_NONE0 0
1417
1418	/* SSL_LIBRARY_VERSION_MIN_SUPPORTED is the minimum version that this version
1419	* of libssl supports. Applications should use SSL_VersionRangeGetSupported at
1420	* runtime to determine which versions are supported by the version of libssl
1421	* in use.
1422	*/
1423	#define SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAMSSL_LIBRARY_VERSION_TLS_1_1 SSL_LIBRARY_VERSION_TLS_1_1
1424	#define SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAMSSL_LIBRARY_VERSION_3_0 SSL_LIBRARY_VERSION_3_0
1425
1426	/* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version
1427	* of libssl supports. Applications should use SSL_VersionRangeGetSupported at
1428	* runtime to determine which versions are supported by the version of libssl
1429	* in use.
1430	*/
1431	#ifndef NSS_DISABLE_TLS_1_3
1432	#define SSL_LIBRARY_VERSION_MAX_SUPPORTEDSSL_LIBRARY_VERSION_TLS_1_3 SSL_LIBRARY_VERSION_TLS_1_3
1433	#else
1434	#define SSL_LIBRARY_VERSION_MAX_SUPPORTEDSSL_LIBRARY_VERSION_TLS_1_3 SSL_LIBRARY_VERSION_TLS_1_2
1435	#endif
1436
1437	#define SSL_ALL_VERSIONS_DISABLED(vrange)((vrange)->min == 0) \
1438	((vrange)->min == SSL_LIBRARY_VERSION_NONE0)
1439
1440	extern PRBool ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
1441	SSL3ProtocolVersion version);
1442
1443	/* These functions are called from secnav, even though they're "private". */
1444
1445	extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss,
1446	CERTCertificate *cert,
1447	SECKEYPrivateKey *key,
1448	CERTCertificateList *certChain);
1449	extern sslSocket ssl_FindSocket(PRFileDesc fd);
1450	extern void ssl_FreeSocket(struct sslSocketStr *ssl);
1451	extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
1452	SSL3AlertDescription desc);
1453	extern SECStatus ssl3_DecodeError(sslSocket *ss);
1454
1455	extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
1456	extern SECStatus ssl3_ClientCertCallbackComplete(sslSocket ss, SECStatus outcome, SECKEYPrivateKey clientPrivateKey, CERTCertificate *clientCertificate);
1457
1458	/*
1459	* for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
1460	*/
1461	extern SECStatus ssl3_HandleV2ClientHello(
1462	sslSocket ss, unsigned char buffer, unsigned int length, PRUint8 padding);
1463
1464	SECStatus
1465	ssl3_CreateClientHelloPreamble(sslSocket ss, const sslSessionID sid,
1466	PRBool realSid, PRUint16 version, PRBool isEchInner,
1467	const sslBuffer extensions, sslBuffer preamble);
1468	SECStatus ssl3_InsertChHeaderSize(const sslSocket ss, sslBuffer preamble, const sslBuffer *extensions);
1469	SECStatus ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type);
1470
1471	/*
1472	* input into the SSL3 machinery from the actualy network reading code
1473	*/
1474	SECStatus ssl3_HandleRecord(sslSocket ss, SSL3Ciphertext cipher);
1475	SECStatus ssl3_HandleNonApplicationData(sslSocket *ss, SSLContentType rType,
1476	DTLSEpoch epoch,
1477	sslSequenceNumber seqNum,
1478	sslBuffer *databuf);
1479	SECStatus ssl_RemoveTLSCBCPadding(sslBuffer *plaintext, unsigned int macSize);
1480
1481	int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
1482	int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags);
1483
1484	/* Create a new ref counted key pair object from two keys. */
1485	extern sslKeyPair ssl_NewKeyPair(SECKEYPrivateKey privKey,
1486	SECKEYPublicKey *pubKey);
1487
1488	/* get a new reference (bump ref count) to an ssl3KeyPair. */
1489	extern sslKeyPair ssl_GetKeyPairRef(sslKeyPair keyPair);
1490
1491	/* Decrement keypair's ref count and free if zero. */
1492	extern void ssl_FreeKeyPair(sslKeyPair *keyPair);
1493
1494	extern sslEphemeralKeyPair *ssl_NewEphemeralKeyPair(
1495	const sslNamedGroupDef *group,
1496	SECKEYPrivateKey privKey, SECKEYPublicKey pubKey);
1497	extern sslEphemeralKeyPair *ssl_CopyEphemeralKeyPair(
1498	sslEphemeralKeyPair *keyPair);
1499	extern void ssl_FreeEphemeralKeyPair(sslEphemeralKeyPair *keyPair);
1500	extern sslEphemeralKeyPair *ssl_LookupEphemeralKeyPair(
1501	sslSocket ss, const sslNamedGroupDef groupDef);
1502	extern PRBool ssl_HaveEphemeralKeyPair(const sslSocket *ss,
1503	const sslNamedGroupDef *groupDef);
1504	extern void ssl_FreeEphemeralKeyPairs(sslSocket *ss);
1505
1506	extern SECStatus ssl_AppendPaddedDHKeyShare(sslBuffer *buf,
1507	const SECKEYPublicKey *pubKey,
1508	PRBool appendLength);
1509	extern PRBool ssl_CanUseSignatureScheme(SSLSignatureScheme scheme,
1510	const SSLSignatureScheme *peerSchemes,
1511	unsigned int peerSchemeCount,
1512	PRBool requireSha1,
1513	PRBool slotDoesPss);
1514	extern const ssl3DHParams ssl_GetDHEParams(const sslNamedGroupDef groupDef);
1515	extern SECStatus ssl_SelectDHEGroup(sslSocket *ss,
1516	const sslNamedGroupDef **groupDef);
1517	extern SECStatus ssl_CreateDHEKeyPair(const sslNamedGroupDef *groupDef,
1518	const ssl3DHParams *params,
1519	sslEphemeralKeyPair **keyPair);
1520	extern PRBool ssl_IsValidDHEShare(const SECItem dh_p, const SECItem dh_Ys);
1521	extern SECStatus ssl_ValidateDHENamedGroup(sslSocket *ss,
1522	const SECItem *dh_p,
1523	const SECItem *dh_g,
1524	const sslNamedGroupDef **groupDef,
1525	const ssl3DHParams **dhParams);
1526
1527	extern PRBool ssl_IsECCEnabled(const sslSocket *ss);
1528	extern PRBool ssl_IsDHEEnabled(const sslSocket *ss);
1529
1530	/* Macro for finding a curve equivalent in strength to RSA key's */
1531	#define SSL_RSASTRENGTH_TO_ECSTRENGTH(s)((s <= 1024) ? 160 : ((s <= 2048) ? 224 : ((s <= 3072 ) ? 256 : ((s <= 7168) ? 384 : 521)))) \
1532	((s <= 1024) ? 160 \
1533	: ((s <= 2048) ? 224 \
1534	: ((s <= 3072) ? 256 \
1535	: ((s <= 7168) ? 384 \
1536	: 521))))
1537
1538	extern const sslNamedGroupDef *ssl_LookupNamedGroup(SSLNamedGroup group);
1539	extern PRBool ssl_NamedGroupEnabled(const sslSocket ss, const sslNamedGroupDef group);
1540	extern SECStatus ssl_NamedGroup2ECParams(PLArenaPool *arena,
1541	const sslNamedGroupDef *curve,
1542	SECKEYECParams *params);
1543	extern const sslNamedGroupDef *ssl_ECPubKey2NamedGroup(
1544	const SECKEYPublicKey *pubKey);
1545
1546	extern const sslNamedGroupDef ssl_GetECGroupForServerSocket(sslSocket ss);
1547	extern void ssl_FilterSupportedGroups(sslSocket *ss);
1548
1549	extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
1550	extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
1551
1552	extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
1553	extern SECStatus ssl3_CipherPrefGet(const sslSocket ss, ssl3CipherSuite which, PRBool on);
1554
1555	extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
1556	extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
1557
1558	extern void ssl3_InitSocketPolicy(sslSocket *ss);
1559
1560	extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
1561	extern SECStatus ssl3_HandleHandshakeMessage(sslSocket ss, PRUint8 b,
1562	PRUint32 length,
1563	PRBool endOfRecord);
1564
1565	extern void ssl3_DestroySSL3Info(sslSocket *ss);
1566
1567	extern SECStatus ssl_ClientReadVersion(sslSocket ss, PRUint8 *b,
1568	PRUint32 *length,
1569	SSL3ProtocolVersion *version);
1570	extern SECStatus ssl3_NegotiateVersion(sslSocket *ss,
1571	SSL3ProtocolVersion peerVersion,
1572	PRBool allowLargerPeerVersion);
1573	extern SECStatus ssl_ClientSetCipherSuite(sslSocket *ss,
1574	SSL3ProtocolVersion version,
1575	ssl3CipherSuite suite,
1576	PRBool initHashes);
1577
1578	extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
1579
1580	/* ECDH functions */
1581	extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket *ss,
1582	SECKEYPublicKey *svrPubKey);
1583	extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss,
1584	PRUint8 *b, PRUint32 length);
1585	extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss,
1586	PRUint8 *b, PRUint32 length,
1587	sslKeyPair *serverKeys);
1588	extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss);
1589	extern SECStatus ssl_ImportECDHKeyShare(
1590	SECKEYPublicKey *peerKey,
1591	PRUint8 b, PRUint32 length, const sslNamedGroupDef curve);
1592
1593	extern SECStatus ssl3_ComputeCommonKeyHash(SSLHashType hashAlg,
1594	PRUint8 *hashBuf,
1595	unsigned int bufLen,
1596	SSL3Hashes *hashes);
1597	extern SECStatus ssl3_AppendSignatureAndHashAlgorithm(
1598	sslSocket ss, const SSLSignatureAndHashAlg sigAndHash);
1599	extern SECStatus ssl3_ConsumeHandshake(sslSocket ss, void v, PRUint32 bytes,
1600	PRUint8 *b, PRUint32 length);
1601	extern SECStatus ssl3_ConsumeHandshakeNumber(sslSocket ss, PRUint32 num,
1602	PRUint32 bytes, PRUint8 **b,
1603	PRUint32 *length);
1604	extern SECStatus ssl3_ConsumeHandshakeNumber64(sslSocket ss, PRUint64 num,
1605	PRUint32 bytes, PRUint8 **b,
1606	PRUint32 *length);
1607	extern SECStatus ssl3_ConsumeHandshakeVariable(sslSocket ss, SECItem i,
1608	PRUint32 bytes, PRUint8 **b,
1609	PRUint32 *length);
1610	extern SECStatus ssl_SignatureSchemeFromSpki(const CERTSubjectPublicKeyInfo *spki,
1611	PRBool isTls13,
1612	SSLSignatureScheme *scheme);
1613	extern PRBool ssl_SignatureSchemeEnabled(const sslSocket *ss,
1614	SSLSignatureScheme scheme);
1615	extern PRBool ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme);
1616	extern SECStatus ssl_CheckSignatureSchemeConsistency(
1617	sslSocket ss, SSLSignatureScheme scheme, CERTSubjectPublicKeyInfo spki);
1618	extern SECStatus ssl_ParseSignatureSchemes(const sslSocket ss, PLArenaPool arena,
1619	SSLSignatureScheme **schemesOut,
1620	unsigned int *numSchemesOut,
1621	unsigned char **b,
1622	unsigned int *len);
1623	extern SECStatus ssl_ConsumeSignatureScheme(
1624	sslSocket ss, PRUint8 b, PRUint32 length, SSLSignatureScheme *out);
1625	extern SECStatus ssl3_SignHashesWithPrivKey(SSL3Hashes *hash,
1626	SECKEYPrivateKey *key,
1627	SSLSignatureScheme scheme,
1628	PRBool isTls,
1629	SECItem *buf);
1630	extern SECStatus ssl3_SignHashes(sslSocket ss, SSL3Hashes hash,
1631	SECKEYPrivateKey key, SECItem buf);
1632	extern SECStatus ssl_VerifySignedHashesWithPubKey(sslSocket *ss,
1633	SECKEYPublicKey *spki,
1634	SSLSignatureScheme scheme,
1635	SSL3Hashes *hash,
1636	SECItem *buf);
1637	extern SECStatus ssl3_VerifySignedHashes(sslSocket *ss, SSLSignatureScheme scheme,
1638	SSL3Hashes hash, SECItem buf);
1639	extern SECStatus ssl3_CacheWrappedSecret(sslSocket ss, sslSessionID sid,
1640	PK11SymKey *secret);
1641	extern void ssl3_FreeSniNameArray(TLSExtensionData *xtnData);
1642
1643	/* Hello Extension related routines. */
1644	extern void ssl3_SetSIDSessionTicket(sslSessionID *sid,
1645	/in/out/ NewSessionTicket *session_ticket);
1646	SECStatus ssl3_EncodeSessionTicket(sslSocket *ss,
1647	const NewSessionTicket *ticket,
1648	const PRUint8 *appToken,
1649	unsigned int appTokenLen,
1650	PK11SymKey secret, SECItem ticket_data);
1651	SECStatus SSLExp_SendSessionTicket(PRFileDesc fd, const PRUint8 token,
1652	unsigned int tokenLen);
1653
1654	SECStatus ssl_MaybeSetSelfEncryptKeyPair(const sslKeyPair *keyPair);
1655	SECStatus ssl_GetSelfEncryptKeys(sslSocket ss, unsigned char keyName,
1656	PK11SymKey encKey, PK11SymKey macKey);
1657	void ssl_ResetSelfEncryptKeys();
1658
1659	extern SECStatus ssl3_ValidateAppProtocol(const unsigned char *data,
1660	unsigned int length);
1661
1662	/* Construct a new NSPR socket for the app to use */
1663	extern PRFileDesc ssl_NewPRSocket(sslSocket ss, PRFileDesc *fd);
1664	extern void ssl_FreePRSocket(PRFileDesc *fd);
1665
1666	/* Internal config function so SSL3 can initialize the present state of
1667	* various ciphers */
1668	extern unsigned int ssl3_config_match_init(sslSocket *);
1669
1670	/* Return PR_TRUE if suite is usable. This if the suite is permitted by policy,
1671	* enabled, has a certificate (as needed), has a viable key agreement method, is
1672	* usable with the negotiated TLS version, and is otherwise usable. */
1673	PRBool ssl3_config_match(const ssl3CipherSuiteCfg *suite, PRUint8 policy,
1674	const SSLVersionRange vrange, const sslSocket ss);
1675
1676	/* calls for accessing wrapping keys across processes. */
1677	extern SECStatus
1678	ssl_GetWrappingKey(unsigned int symWrapMechIndex,
1679	unsigned int wrapKeyIndex, SSLWrappedSymWrappingKey *wswk);
1680
1681	/* The caller passes in the new value it wants
1682	* to set. This code tests the wrapped sym key entry in the file on disk.
1683	* If it is uninitialized, this function writes the caller's value into
1684	* the disk entry, and returns false.
1685	* Otherwise, it overwrites the caller's wswk with the value obtained from
1686	* the disk, and returns PR_TRUE.
1687	* This is all done while holding the locks/semaphores necessary to make
1688	* the operation atomic.
1689	*/
1690	extern SECStatus
1691	ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
1692
1693	/* get rid of the symmetric wrapping key references. */
1694	extern SECStatus SSL3_ShutdownServerCache(void);
1695
1696	extern SECStatus ssl_InitSymWrapKeysLock(void);
1697
1698	extern SECStatus ssl_FreeSymWrapKeysLock(void);
1699
1700	extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
1701
1702	extern SECStatus ssl_FreeSessionCacheLocks(void);
1703
1704	CK_MECHANISM_TYPE ssl3_Alg2Mech(SSLCipherAlgorithm calg);
1705	SECStatus ssl3_NegotiateCipherSuiteInner(sslSocket ss, const SECItem suites,
1706	PRUint16 version, PRUint16 *suitep);
1707	SECStatus ssl3_NegotiateCipherSuite(sslSocket ss, const SECItem suites,
1708	PRBool initHashes);
1709	SECStatus ssl3_InitHandshakeHashes(sslSocket *ss);
1710	void ssl3_CoalesceEchHandshakeHashes(sslSocket *ss);
1711	SECStatus ssl3_ServerCallSNICallback(sslSocket *ss);
1712	SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags);
1713	SECStatus ssl3_CompleteHandleCertificate(sslSocket *ss,
1714	PRUint8 *b, PRUint32 length);
1715	void ssl3_SendAlertForCertError(sslSocket *ss, PRErrorCode errCode);
1716	SECStatus ssl3_HandleNoCertificate(sslSocket *ss);
1717	SECStatus ssl3_SendEmptyCertificate(sslSocket *ss);
1718	void ssl3_CleanupPeerCerts(sslSocket *ss);
1719	SECStatus ssl3_SendCertificateStatus(sslSocket *ss);
1720	SECStatus ssl_SetAuthKeyBits(sslSocket ss, const SECKEYPublicKey pubKey);
1721	SECStatus ssl3_HandleServerSpki(sslSocket *ss);
1722	SECStatus ssl3_AuthCertificate(sslSocket *ss);
1723	SECStatus ssl_ReadCertificateStatus(sslSocket ss, PRUint8 b,
1724	PRUint32 length);
1725	SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool forCert,
1726	PRBool grease, sslBuffer *buf);
1727	SECStatus ssl3_EncodeFilteredSigAlgs(const sslSocket *ss,
1728	const SSLSignatureScheme *schemes,
1729	PRUint32 numSchemes, PRBool grease, sslBuffer *buf);
1730	SECStatus ssl3_FilterSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool disableRsae, PRBool forCert,
1731	unsigned int maxSchemes, SSLSignatureScheme *filteredSchemes,
1732	unsigned int *numFilteredSchemes);
1733	SECStatus ssl_GetCertificateRequestCAs(const sslSocket *ss,
1734	unsigned int *calenp,
1735	const SECItem **namesp,
1736	unsigned int *nnamesp);
1737	SECStatus ssl3_ParseCertificateRequestCAs(sslSocket ss, PRUint8 *b,
1738	PRUint32 length, CERTDistNames ca_list);
1739	SECStatus ssl3_BeginHandleCertificateRequest(
1740	sslSocket ss, const SSLSignatureScheme signatureSchemes,
1741	unsigned int signatureSchemeCount, CERTDistNames *ca_list);
1742	SECStatus ssl_ConstructServerHello(sslSocket *ss, PRBool helloRetry,
1743	const sslBuffer *extensionBuf,
1744	sslBuffer *messageBuf);
1745	SECStatus ssl3_SendServerHello(sslSocket *ss);
1746	SECStatus ssl3_SendChangeCipherSpecsInt(sslSocket *ss);
1747	SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss,
1748	ssl3CipherSpec *spec,
1749	SSL3Hashes *hashes,
1750	PRUint32 sender);
1751	SECStatus ssl_CreateECDHEphemeralKeyPair(const sslSocket *ss,
1752	const sslNamedGroupDef *ecGroup,
1753	sslEphemeralKeyPair **keyPair);
1754	SECStatus ssl_CreateStaticECDHEKey(sslSocket *ss,
1755	const sslNamedGroupDef *ecGroup);
1756	SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags);
1757	SECStatus ssl3_GetNewRandom(SSL3Random random);
1758	PK11SymKey ssl3_GetWrappingKey(sslSocket ss,
1759	PK11SlotInfo *masterSecretSlot,
1760	CK_MECHANISM_TYPE masterWrapMech,
1761	void *pwArg);
1762	SECStatus ssl3_FillInCachedSID(sslSocket ss, sslSessionID sid,
1763	PK11SymKey *secret);
1764	const ssl3CipherSuiteDef *ssl_LookupCipherSuiteDef(ssl3CipherSuite suite);
1765	const ssl3CipherSuiteCfg *ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite,
1766	const ssl3CipherSuiteCfg *suites);
1767	PRBool ssl3_CipherSuiteAllowedForVersionRange(ssl3CipherSuite cipherSuite,
1768	const SSLVersionRange *vrange);
1769
1770	SECStatus ssl3_SelectServerCert(sslSocket *ss);
1771	SECStatus ssl_PrivateKeySupportsRsaPss(SECKEYPrivateKey *privKey,
1772	CERTCertificate *cert,
1773	void *pwArg,
1774	PRBool *supportsRsaPss);
1775	SECStatus ssl_PickSignatureScheme(sslSocket *ss,
1776	CERTCertificate *cert,
1777	SECKEYPublicKey *pubKey,
1778	SECKEYPrivateKey *privKey,
1779	const SSLSignatureScheme *peerSchemes,
1780	unsigned int peerSchemeCount,
1781	PRBool requireSha1,
1782	SSLSignatureScheme *schemPtr);
1783	SECStatus ssl_PickClientSignatureScheme(sslSocket *ss,
1784	CERTCertificate *clientCertificate,
1785	SECKEYPrivateKey *privKey,
1786	const SSLSignatureScheme *schemes,
1787	unsigned int numSchemes,
1788	SSLSignatureScheme *schemePtr);
1789	SECOidTag ssl3_HashTypeToOID(SSLHashType hashType);
1790	SECOidTag ssl3_AuthTypeToOID(SSLAuthType hashType);
1791	SSLHashType ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme);
1792	SSLAuthType ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme);
1793
1794	SECStatus ssl3_SetupCipherSuite(sslSocket *ss, PRBool initHashes);
1795	SECStatus ssl_InsertRecordHeader(const sslSocket ss, ssl3CipherSpec cwSpec,
1796	SSLContentType contentType, sslBuffer *wrBuf,
1797	PRBool *needsLength);
1798	PRBool ssl_SignatureSchemeValid(SSLSignatureScheme scheme, SECOidTag spkiOid,
1799	PRBool isTls13);
1800
1801	/* Pull in DTLS functions */
1802	#include "dtlscon.h"
1803
1804	/* Pull in TLS 1.3 functions */
1805	#include "tls13con.h"
1806	#include "dtls13con.h"
1807
1808	/******************** misc calls *******************/
1809
1810	#ifdef DEBUG1
1811	extern void ssl3_CheckCipherSuiteOrderConsistency();
1812	#endif
1813
1814	extern int ssl_MapLowLevelError(int hiLevelError);
1815
1816	PRTime ssl_Time(const sslSocket *ss);
1817	PRBool ssl_TicketTimeValid(const sslSocket ss, const NewSessionTicket ticket);
1818
1819	extern void SSL_AtomicIncrementLong(long *x);
1820
1821	SECStatus ssl3_ApplyNSSPolicy(void);
1822
1823	extern SECStatus
1824	ssl3_TLSPRFWithMasterSecret(sslSocket ss, ssl3CipherSpec spec,
1825	const char *label, unsigned int labelLen,
1826	const unsigned char *val, unsigned int valLen,
1827	unsigned char *out, unsigned int outLen);
1828
1829	extern void
1830	ssl3_RecordKeyLog(sslSocket ss, const char label, PK11SymKey *secret);
1831
1832	PRBool ssl_AlpnTagAllowed(const sslSocket ss, const SECItem tag);
1833
1834	#ifdef TRACE
1835	#define SSL_TRACE(msg)ssl_Trace msg ssl_Trace msg
1836	#else
1837	#define SSL_TRACE(msg)ssl_Trace msg
1838	#endif
1839
1840	void ssl_Trace(const char *format, ...);
1841
1842	void ssl_CacheExternalToken(sslSocket *ss);
1843	SECStatus ssl_DecodeResumptionToken(sslSessionID sid, const PRUint8 encodedTicket,
1844	PRUint32 encodedTicketLen);
1845	PRBool ssl_IsResumptionTokenUsable(sslSocket ss, sslSessionID sid);
1846
1847	/* unwrap helper function to handle the case where the wrapKey doesn't wind
1848	* * up in the correct token for the master secret */
1849	PK11SymKey ssl_unwrapSymKey(PK11SymKey wrapKey,
1850	CK_MECHANISM_TYPE wrapType, SECItem *param,
1851	SECItem *wrappedKey,
1852	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
1853	int keySize, CK_FLAGS keyFlags, void *pinArg);
1854
1855	/* determine if the current ssl connection is operating in FIPS mode */
1856	PRBool ssl_isFIPS(sslSocket *ss);
1857
1858	/* Experimental APIs. Remove when stable. */
1859
1860	SECStatus SSLExp_SetResumptionTokenCallback(PRFileDesc *fd,
1861	SSLResumptionTokenCallback cb,
1862	void *ctx);
1863	SECStatus SSLExp_SetResumptionToken(PRFileDesc fd, const PRUint8 token,
1864	unsigned int len);
1865
1866	SECStatus SSLExp_GetResumptionTokenInfo(const PRUint8 *tokenData, unsigned int tokenLen,
1867	SSLResumptionTokenInfo *token, unsigned int version);
1868
1869	SECStatus SSLExp_DestroyResumptionTokenInfo(SSLResumptionTokenInfo *token);
1870
1871	SECStatus SSLExp_SecretCallback(PRFileDesc *fd, SSLSecretCallback cb,
1872	void *arg);
1873	SECStatus SSLExp_RecordLayerWriteCallback(PRFileDesc *fd,
1874	SSLRecordWriteCallback write,
1875	void *arg);
1876	SECStatus SSLExp_RecordLayerData(PRFileDesc *fd, PRUint16 epoch,
1877	SSLContentType contentType,
1878	const PRUint8 *data, unsigned int len);
1879	SECStatus SSLExp_GetCurrentEpoch(PRFileDesc fd, PRUint16 readEpoch,
1880	PRUint16 *writeEpoch);
1881
1882	#define SSLResumptionTokenVersion2 2
1883
1884	SECStatus SSLExp_MakeAead(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *secret,
1885	const char *labelPrefix, unsigned int labelPrefixLen,
1886	SSLAeadContext **ctx);
1887
1888	SECStatus SSLExp_MakeVariantAead(PRUint16 version, PRUint16 cipherSuite, SSLProtocolVariant variant,
1889	PK11SymKey secret, const char labelPrefix,
1890	unsigned int labelPrefixLen, SSLAeadContext **ctx);
1891	SECStatus SSLExp_DestroyAead(SSLAeadContext *ctx);
1892	SECStatus SSLExp_AeadEncrypt(const SSLAeadContext *ctx, PRUint64 counter,
1893	const PRUint8 *aad, unsigned int aadLen,
1894	const PRUint8 *plaintext, unsigned int plaintextLen,
1895	PRUint8 out, unsigned int outLen, unsigned int maxOut);
1896	SECStatus SSLExp_AeadDecrypt(const SSLAeadContext *ctx, PRUint64 counter,
1897	const PRUint8 *aad, unsigned int aadLen,
1898	const PRUint8 *plaintext, unsigned int plaintextLen,
1899	PRUint8 out, unsigned int outLen, unsigned int maxOut);
1900
1901	/* The next function is responsible for registering a certificate compression mechanism
1902	to be used for TLS connection.
1903	The caller passes SSLCertificateCompressionAlgorithm algorithm:
1904
1905	typedef struct SSLCertificateCompressionAlgorithmStr {
1906	SSLCertificateCompressionAlgorithmID id;
1907	const char* name;
1908	SECStatus (encode)(const SECItem input, SECItem* output);
1909	SECStatus (decode)(const SECItem input, unsigned char* output, size_t outputLen, size_t* usedLen);
1910	} SSLCertificateCompressionAlgorithm;
1911
1912	Certificate Compression encoding function is responsible for allocating the output buffer itself.
1913	If encoding function fails, the function has the install the appropriate error code and return an error.
1914
1915	Certificate Compression decoding function operates an output buffer allocated in NSS.
1916	The function returns success or an error code.
1917	If successful, the function sets the number of bytes used to stored the decoded certificate
1918	in the outparam usedLen. If provided buffer is not enough to store the output (or any problem has occured during
1919	decoding of the buffer), the function has the install the appropriate error code and return an error.
1920	Note: usedLen is always <= outputLen.
1921
1922	*/
1923	SECStatus SSLExp_SetCertificateCompressionAlgorithm(PRFileDesc *fd, SSLCertificateCompressionAlgorithm alg);
1924	SECStatus SSLExp_HkdfExtract(PRUint16 version, PRUint16 cipherSuite,
1925	PK11SymKey salt, PK11SymKey ikm, PK11SymKey **keyp);
1926	SECStatus SSLExp_HkdfExpandLabel(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
1927	const PRUint8 *hsHash, unsigned int hsHashLen,
1928	const char *label, unsigned int labelLen,
1929	PK11SymKey **key);
1930	SECStatus SSLExp_HkdfVariantExpandLabel(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
1931	const PRUint8 *hsHash, unsigned int hsHashLen,
1932	const char *label, unsigned int labelLen,
1933	SSLProtocolVariant variant, PK11SymKey **key);
1934	SECStatus
1935	SSLExp_HkdfExpandLabelWithMech(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
1936	const PRUint8 *hsHash, unsigned int hsHashLen,
1937	const char *label, unsigned int labelLen,
1938	CK_MECHANISM_TYPE mech, unsigned int keySize,
1939	PK11SymKey **keyp);
1940	SECStatus
1941	SSLExp_HkdfVariantExpandLabelWithMech(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
1942	const PRUint8 *hsHash, unsigned int hsHashLen,
1943	const char *label, unsigned int labelLen,
1944	CK_MECHANISM_TYPE mech, unsigned int keySize,
1945	SSLProtocolVariant variant, PK11SymKey **keyp);
1946
1947	SECStatus SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled);
1948
1949	SECStatus SSLExp_SetTimeFunc(PRFileDesc fd, SSLTimeFunc f, void arg);
1950
1951	extern SECStatus ssl_CreateMaskingContextInner(PRUint16 version, PRUint16 cipherSuite,
1952	SSLProtocolVariant variant,
1953	PK11SymKey *secret,
1954	const char *label,
1955	unsigned int labelLen,
1956	SSLMaskingContext **ctx);
1957
1958	extern SECStatus ssl_CreateMaskInner(SSLMaskingContext ctx, const PRUint8 sample,
1959	unsigned int sampleLen, PRUint8 *outMask,
1960	unsigned int maskLen);
1961
1962	extern SECStatus ssl_DestroyMaskingContextInner(SSLMaskingContext *ctx);
1963
1964	SECStatus SSLExp_CreateMaskingContext(PRUint16 version, PRUint16 cipherSuite,
1965	PK11SymKey *secret,
1966	const char *label,
1967	unsigned int labelLen,
1968	SSLMaskingContext **ctx);
1969
1970	SECStatus SSLExp_CreateVariantMaskingContext(PRUint16 version, PRUint16 cipherSuite,
1971	SSLProtocolVariant variant,
1972	PK11SymKey *secret,
1973	const char *label,
1974	unsigned int labelLen,
1975	SSLMaskingContext **ctx);
1976
1977	SECStatus SSLExp_CreateMask(SSLMaskingContext ctx, const PRUint8 sample,
1978	unsigned int sampleLen, PRUint8 *mask,
1979	unsigned int len);
1980
1981	SECStatus SSLExp_DestroyMaskingContext(SSLMaskingContext *ctx);
1982
1983	SECStatus SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled);
1984	SECStatus SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size);
1985
1986	SECStatus SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled);
1987	SECStatus SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled);
1988
1989	SECStatus SSLExp_PeerCertificateChainDER(PRFileDesc fd, SECItemArray *out);
1990
1991	SEC_END_PROTOS
1992
1993	#if defined(XP_UNIX1)
1994	#define SSL_GETPIDgetpid getpid
1995	#elif defined(WIN32)
1996	#define SSL_GETPIDgetpid _getpid
1997	#else
1998	#define SSL_GETPIDgetpid() 0
1999	#endif
2000
2001	#endif /* __sslimpl_h_ */