author | Job Bautista <jobbautista9@aol.com> | 2023-03-04 13:13:49 +0800 |
---|---|---|
committer | Job Bautista <jobbautista9@aol.com> | 2023-03-04 13:13:49 +0800 |
commit | 43c816cd19e73b37d797b17105e4aede8772a6cf (patch) | |
tree | c9fc76105f89915411a61ab5ab515c855e138aca /security/nss/lib/ssl/sslimpl.h | |
parent | 409d3e66de6517039165ec43dabd9b063a86d29b (diff) | |
download | uxp-43c816cd19e73b37d797b17105e4aede8772a6cf.tar.gz |
Issue #1693 - Update NSS to 3.79.4
Diffstat (limited to 'security/nss/lib/ssl/sslimpl.h')
-rw-r--r-- | security/nss/lib/ssl/sslimpl.h | 107 |
1 files changed, 90 insertions, 17 deletions
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index 62d253224b..7b4e73c88b 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -36,7 +36,11 @@ typedef struct sslSocketStr sslSocket;
 typedef struct sslNamedGroupDefStr sslNamedGroupDef;
-typedef struct sslEsniKeysStr sslEsniKeys;
+typedef struct sslEchConfigStr sslEchConfig;
+typedef struct sslEchConfigContentsStr sslEchConfigContents;
+typedef struct sslEchCookieDataStr sslEchCookieData;
+typedef struct sslEchXtnStateStr sslEchXtnState;
+typedef struct sslPskStr sslPsk;
 typedef struct sslDelegatedCredentialStr sslDelegatedCredential;
 typedef struct sslEphemeralKeyPairStr sslEphemeralKeyPair;
 typedef struct TLS13KeyShareEntryStr TLS13KeyShareEntry;
@@ -282,6 +286,10 @@ typedef struct sslOptionsStr {
 unsigned int enablePostHandshakeAuth : 1;
 unsigned int enableDelegatedCredentials : 1;
 unsigned int enableDtls13VersionCompat : 1;
+ unsigned int suppressEndOfEarlyData : 1;
+ unsigned int enableTls13GreaseEch : 1;
+ unsigned int enableTls13BackendEch : 1;
+ unsigned int callExtensionWriterOnEchInner : 1;
 } sslOptions;
 typedef enum { sslHandshakingUndetermined = 0,
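Review bot: The four option bits added to sslOptions (`suppressEndOfEarlyData`, `enableTls13GreaseEch`, `enableTls13BackendEch`, `callExtensionWriterOnEchInner`) carry no comment, and the first one changes wire behaviour rather than feature availability. Presumably it exists for transports such as QUIC that carry no EndOfEarlyData message, but that scope, and the fact that setting it on a plain TLS socket would diverge from RFC 8446, belongs on the field: `unsigned int suppressEndOfEarlyData : 1; /* Omit EndOfEarlyData; QUIC-style transports only -- confirm */`. The three ECH bits would likewise benefit from one line each saying which side (client or server) they affect. The enclosing struct starts before this hunk.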
@@ -609,17 +617,26 @@ typedef struct {
 typedef struct SSL3HandshakeStateStr {
 SSL3Random server_random;
 SSL3Random client_random;
- SSL3WaitState ws; /* May also contain SSL3WaitState | 0x80 for TLS 1.3 */
+ SSL3Random client_inner_random; /* TLS 1.3 ECH Inner. */
+ SSL3WaitState ws; /* May also contain SSL3WaitState | 0x80 for TLS 1.3 */
 /* This group of members is used for handshake running hashes. */
 SSL3HandshakeHashType hashType;
- sslBuffer messages; /* Accumulated handshake messages */
+ sslBuffer messages; /* Accumulated handshake messages */
+ sslBuffer echInnerMessages; /* Accumulated ECH Inner handshake messages */
 /* PKCS #11 mode:
 * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and
 * |sha| for SHA-1.
- * TLS 1.2 and later use only |sha|, for SHA-256. */
+ * TLS 1.2 and later use only |sha| variants, for SHA-256.
+ * Under normal (non-1.3 ECH) handshakes, only |sha| and |shaPostHandshake|
+ * are used. When doing 1.3 ECH, |sha| contains the transcript hash
+ * corresponding to the outer Client Hello. To facilitate secure retry and
+ * disablement, |shaEchInner|, tracks, in parallel, the transcript hash
+ * corresponding to the inner Client Hello. Once we process the SH
+ * extensions, coalesce into |sha|. */
 PK11Context *md5;
 PK11Context *sha;
+ PK11Context *shaEchInner;
 PK11Context *shaPostHandshake;
 SSLSignatureScheme signatureScheme;
 const ssl3KEADef *kea_def;
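Review bot: `client_inner_random` is documented only as "TLS 1.3 ECH Inner.", which omits the property that justifies a second random at all: the inner and outer ClientHello randoms must be generated independently, because a shared or derived value would let an observer link the two hellos and defeat the purpose of ECH (to my reading that is also what the ECH specification requires). I would widen it to `/* TLS 1.3 ECH: ClientHelloInner.random; generated fresh, never derived from client_random (linkability). */`. The new transcript comment has a stray comma in `|shaEchInner|, tracks, in parallel` and could also state which of `sha`/`shaEchInner` survives coalescing and that the other PK11Context is destroyed, since the hunk shows two live contexts and the release path is not visible here. The enclosing struct continues past this hunk.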
@@ -654,15 +671,14 @@ typedef struct SSL3HandshakeStateStr {
 * One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake,
 * or ssl3_AlwaysFail */
 sslRestartTarget restartTarget;
- /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
- PRBool cacheSID;
 PRBool canFalseStart; /* Can/did we False Start */
 /* Which preliminaryinfo values have been set. */
 PRUint32 preliminaryInfo;
 /* Parsed extensions */
- PRCList remoteExtensions; /* Parsed incoming extensions */
+ PRCList remoteExtensions; /* Parsed incoming extensions */
+ PRCList echOuterExtensions; /* If ECH, hold CHOuter extensions for decompression. */
 /* This group of values is used for DTLS */
 PRUint16 sendMessageSeq; /* The sending message sequence
@@ -690,9 +706,8 @@ typedef struct SSL3HandshakeStateStr {
 /* This group of values is used for TLS 1.3 and above */
 PK11SymKey *currentSecret; /* The secret down the "left hand side"
 * of the TLS 1.3 key schedule. */
- PK11SymKey *resumptionMasterSecret; /* The resumption PSK. */
+ PK11SymKey *resumptionMasterSecret; /* The resumption_master_secret. */
 PK11SymKey *dheSecret; /* The (EC)DHE shared secret. */
- PK11SymKey *pskBinderKey; /* Used to compute the PSK binder. */
 PK11SymKey *clientEarlyTrafficSecret; /* The secret we use for 0-RTT. */
 PK11SymKey *clientHsTrafficSecret; /* The source keys for handshake */
 PK11SymKey *serverHsTrafficSecret; /* traffic keys. */
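Review bot: `echOuterExtensions` is described as holding CHOuter extensions "for decompression", but the comment says nothing about the conditions the consumer has to enforce, and `outer_extensions` decompression is the point where a malformed ClientHello can do damage: a referenced extension that is missing, listed twice, out of order, or that names `encrypted_client_hello` itself must abort the handshake with illegal_parameter rather than be copied into the inner hello. The decompression code is outside this hunk, so I cannot confirm it does so, but the field comment is the right place to pin the invariant: `/* If ECH, CHOuter extensions kept for outer_extensions decompression; references must be unique, in order, and never name the ECH extension itself. */`. The enclosing struct starts before this hunk and continues after it.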
@@ -711,24 +726,43 @@ typedef struct SSL3HandshakeStateStr {
 * or received. */
 PRBool receivedCcs; /* A server received ChangeCipherSpec
 * before the handshake started. */
+ PRBool rejectCcs; /* Excessive ChangeCipherSpecs are rejected. */
 PRBool clientCertRequested; /* True if CertificateRequest received. */
+ PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */
 ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def
 * we use for TLS 1.3 */
- PRTime serverHelloTime; /* Time the ServerHello flight was sent. */
 PRUint16 ticketNonce; /* A counter we use for tickets. */
 SECItem fakeSid; /* ... (server) the SID the client used. */
- PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */
+ PRCList psks; /* A list of PSKs, resumption and/or external. */
+
+ /* rttEstimate is used to guess the round trip time between server and client.
+ * When the server sends ServerHello it sets this to the current time.
+ * Only after it receives a message from the client's second flight does it
+ * set the value to something resembling an RTT estimate. */
+ PRTime rttEstimate;
 /* The following lists contain DTLSHandshakeRecordEntry */
 PRCList dtlsSentHandshake; /* Used to map records to handshake fragments. */
 PRCList dtlsRcvdHandshake; /* Handshake records we have received
 * used to generate ACKs. */
+
+ /* TLS 1.3 ECH state. */
+ PRUint8 greaseEchSize;
+ PRBool echAccepted; /* Client/Server: True if we've commited to using CHInner. */
+ PRBool echDecided;
+ HpkeContext *echHpkeCtx; /* Client/Server: HPKE context for ECH. */
+ const char *echPublicName; /* Client: If rejected, the ECHConfig.publicName to
+ * use for certificate verification. */
+ sslBuffer greaseEchBuf; /* Client: Remember GREASE ECH, as advertised, for CH2 (HRR case).
+ Server: Remember HRR Grease Value, for transcript calculations */
+ PRBool echInvalidExtension; /* Client: True if the server offered an invalid extension for the ClientHelloInner */
 } SSL3HandshakeState;
 #define SSL_ASSERT_HASHES_EMPTY(ss) \
 do { \
 PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown); \
 PORT_Assert(ss->ssl3.hs.messages.len == 0); \
+ PORT_Assert(ss->ssl3.hs.echInnerMessages.len == 0); \
 } while (0)
 /*
@@ -1094,12 +1128,21 @@ struct sslSocketStr {
 /* Whether we are doing stream or datagram mode */
 SSLProtocolVariant protocolVariant;
- /* The information from the ESNI keys record
- * (also the private key for the server). */
- sslEsniKeys *esniKeys;
+ /* TLS 1.3 Encrypted Client Hello. */
+ PRCList echConfigs; /* Client/server: Must not change while hs
+ * is in-progress. */
+ SECKEYPublicKey *echPubKey; /* Server: The ECH keypair used in HPKE. */
+ SECKEYPrivateKey *echPrivKey; /* As above. */
 /* Anti-replay for TLS 1.3 0-RTT. */
 SSLAntiReplayContext *antiReplay;
+
+ /* An out-of-band PSK. */
+ sslPsk *psk;
+
+ /* peer data passed in during getClientAuthData */
+ const SSLSignatureScheme *peerSignatureSchemes;
+ unsigned int peerSignatureSchemeCount;
 };
 struct sslSelfEncryptKeysStr {
@@ -1252,6 +1295,10 @@ ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType type,
 sslUpdateHandshakeHashes cb);
 SECStatus ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType type,
 const PRUint8 *b, PRUint32 length);
+SECStatus ssl_HashHandshakeMessageEchInner(sslSocket *ss, SSLHandshakeType type,
+ const PRUint8 *b, PRUint32 length);
+SECStatus ssl_HashHandshakeMessageDefault(sslSocket *ss, SSLHandshakeType type,
+ const PRUint8 *b, PRUint32 length);
 SECStatus ssl_HashPostHandshakeMessage(sslSocket *ss, SSLHandshakeType type,
 const PRUint8 *b, PRUint32 length);
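Review bot: `echPublicName` is a bare `const char *` with no statement of ownership or lifetime, yet it is the name the client falls back to for certificate verification when ECH is rejected, so a dangling or wrongly-sourced value would be a certificate-validation bug rather than a crash. If it points into an entry of `ss->echConfigs` (which this commit says must not change mid-handshake) the comment should say so; if it is a copy, it should name the release point. I would also record where the value may come from: `/* Client: ECHConfig.publicName of the config we offered (never a server-supplied retry config); used to verify the server cert if ECH is rejected. */`. Smaller points in the same hunk: `echDecided` has no comment at all and `echAccepted` misspells "committed". The struct starts before this hunk.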
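Review bot: `peerSignatureSchemes` is a borrowed `const SSLSignatureScheme *` whose comment ("peer data passed in during getClientAuthData") does not say how long it stays valid or who owns the array, so a client-auth callback that keeps the pointer has no way to know whether it outlives the callback. I would state the lifetime explicitly, e.g. `/* Borrowed: peer's signature_algorithms; valid only for the duration of the getClientAuthData callback -- confirm against the setter. */`, and say whether `peerSignatureSchemeCount == 0` means the peer sent none. The `echPubKey`/`echPrivKey` pair is likewise undocumented as to who frees it; the socket destructor is not visible in this hunk.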
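Review bot: `ssl_HashHandshakeMessageEchInner` and `ssl_HashHandshakeMessageDefault` are declared beside the existing `ssl_HashHandshakeMessage` with nothing to say how the three differ, although for ECH the choice of transcript decides whether the server's acceptance confirmation verifies. A one-line comment per declaration would remove the guesswork, e.g. `/* Updates only the ClientHelloInner transcript (shaEchInner / echInnerMessages). */` on the EchInner variant; I cannot tell from the hunk whether `Default` feeds both transcripts or only the outer one, so the author should fill that in rather than leave readers to infer it from the name.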
@@ -1428,6 +1475,11 @@ extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
 extern SECStatus ssl3_HandleV2ClientHello( sslSocket *ss, unsigned char *buffer, unsigned int length, PRUint8 padding);
+SECStatus
+ssl3_CreateClientHelloPreamble(sslSocket *ss, const sslSessionID *sid,
+ PRBool realSid, PRUint16 version, PRBool isEchInner,
+ const sslBuffer *extensions, sslBuffer *preamble);
+SECStatus ssl3_InsertChHeaderSize(const sslSocket *ss, sslBuffer *preamble, const sslBuffer *extensions);
 SECStatus ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type);
 /*
@@ -1669,6 +1721,7 @@ SECStatus ssl3_NegotiateCipherSuiteInner(sslSocket *ss, const SECItem *suites,
 SECStatus ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites, PRBool initHashes);
 SECStatus ssl3_InitHandshakeHashes(sslSocket *ss);
+void ssl3_CoalesceEchHandshakeHashes(sslSocket *ss);
 SECStatus ssl3_ServerCallSNICallback(sslSocket *ss);
 SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags);
 SECStatus ssl3_CompleteHandleCertificate(sslSocket *ss,
@@ -1683,12 +1736,12 @@ SECStatus ssl3_HandleServerSpki(sslSocket *ss);
 SECStatus ssl3_AuthCertificate(sslSocket *ss);
 SECStatus ssl_ReadCertificateStatus(sslSocket *ss, PRUint8 *b, PRUint32 length);
-SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion,
+SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool forCert,
 sslBuffer *buf);
 SECStatus ssl3_EncodeFilteredSigAlgs(const sslSocket *ss, const SSLSignatureScheme *schemes, PRUint32 numSchemes, sslBuffer *buf);
-SECStatus ssl3_FilterSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool disableRsae,
+SECStatus ssl3_FilterSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool disableRsae, PRBool forCert,
 unsigned int maxSchemes, SSLSignatureScheme *filteredSchemes, unsigned int *numFilteredSchemes);
 SECStatus ssl_GetCertificateRequestCAs(const sslSocket *ss,
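Review bot: The new declarations do not follow the surrounding style: `ssl3_CreateClientHelloPreamble` puts `SECStatus` on a line of its own while every neighbouring prototype (`extern SECStatus ssl3_HandleV2ClientHello`, `SECStatus ssl3_SendClientHello`) keeps the return type on the signature line, and `ssl3_InsertChHeaderSize` is one line of well over a hundred columns. I would write `SECStatus ssl3_CreateClientHelloPreamble(sslSocket *ss, const sslSessionID *sid,` with the remaining parameters wrapped beneath it, and wrap `ssl3_InsertChHeaderSize` after `sslBuffer *preamble,`. A short comment on what `realSid` and `isEchInner` select would also help, since both are bare PRBool flags that will read as anonymous `PR_TRUE`/`PR_FALSE` at call sites.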
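Review bot: `ssl3_EncodeSigAlgs` and `ssl3_FilterSigAlgs` gain a `PRBool forCert` parameter with no comment, and since it presumably switches between the schemes advertised for handshake signatures and those advertised for certificate signatures (signature_algorithms vs. signature_algorithms_cert), confusing the two would change what the peer is permitted to sign with. I would add a comment above `ssl3_FilterSigAlgs` stating the distinction, e.g. `/* forCert: select schemes for signature_algorithms_cert (certificate signatures) rather than for CertificateVerify -- confirm */`, and repeat it on `ssl3_EncodeSigAlgs` so callers pass the flag consistently. The definitions are outside this hunk, so I cannot verify which filtering each value applies.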
@@ -1715,6 +1768,7 @@ SECStatus ssl_CreateECDHEphemeralKeyPair(const sslSocket *ss,
 SECStatus ssl_CreateStaticECDHEKey(sslSocket *ss, const sslNamedGroupDef *ecGroup);
 SECStatus ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags);
+SECStatus ssl3_GetNewRandom(SSL3Random random);
 PK11SymKey *ssl3_GetWrappingKey(sslSocket *ss, PK11SlotInfo *masterSecretSlot, CK_MECHANISM_TYPE masterWrapMech,
@@ -1729,6 +1783,8 @@ PRBool ssl3_CipherSuiteAllowedForVersionRange(ssl3CipherSuite cipherSuite,
 SECStatus ssl3_SelectServerCert(sslSocket *ss);
 SECStatus ssl_PrivateKeySupportsRsaPss(SECKEYPrivateKey *privKey,
+ CERTCertificate *cert,
+ void *pwArg,
 PRBool *supportsRsaPss);
 SECStatus ssl_PickSignatureScheme(sslSocket *ss,
 CERTCertificate *cert,
@@ -1736,8 +1792,16 @@ SECStatus ssl_PickSignatureScheme(sslSocket *ss,
 SECKEYPrivateKey *privKey,
 const SSLSignatureScheme *peerSchemes,
 unsigned int peerSchemeCount,
- PRBool requireSha1);
+ PRBool requireSha1,
+ SSLSignatureScheme *schemPtr);
+SECStatus ssl_PickClientSignatureScheme(sslSocket *ss,
+ CERTCertificate *clientCertificate,
+ SECKEYPrivateKey *privKey,
+ const SSLSignatureScheme *schemes,
+ unsigned int numSchemes,
+ SSLSignatureScheme *schemePtr);
 SECOidTag ssl3_HashTypeToOID(SSLHashType hashType);
+SECOidTag ssl3_AuthTypeToOID(SSLAuthType hashType);
 SSLHashType ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme);
 SSLAuthType ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme);
@@ -1802,6 +1866,9 @@ PK11SymKey *ssl_unwrapSymKey(PK11SymKey *wrapKey, CK_MECHANISM_TYPE target,
 CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS keyFlags, void *pinArg);
+/* determine if the current ssl connection is operating in FIPS mode */
+PRBool ssl_isFIPS(sslSocket *ss);
+
 /* Experimental APIs. Remove when stable. */
 SECStatus SSLExp_SetResumptionTokenCallback(PRFileDesc *fd,
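Review bot: Two naming slips in the new prototypes: `ssl_PickSignatureScheme` names its output parameter `schemPtr` while the parallel `ssl_PickClientSignatureScheme` declared directly below it uses `schemePtr`, and `ssl3_AuthTypeToOID(SSLAuthType hashType)` calls an auth-type parameter `hashType`, evidently copied from the `ssl3_HashTypeToOID` line above it. I would change them to `SSLSignatureScheme *schemePtr);` and `SECOidTag ssl3_AuthTypeToOID(SSLAuthType authType);`. Neither declaration says whether `*schemePtr` is left untouched on failure, which callers need to know before they use it as a selected scheme.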
@@ -1904,6 +1971,12 @@ SECStatus SSLExp_CreateMask(SSLMaskingContext *ctx, const PRUint8 *sample,
 SECStatus SSLExp_DestroyMaskingContext(SSLMaskingContext *ctx);
+SECStatus SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled);
+SECStatus SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size);
+
+SECStatus SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled);
+SECStatus SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled);
+
 SEC_END_PROTOS
 #if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS) |
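Review bot: The four new SSLExp_ entry points are declared without a comment under the "Experimental APIs" banner, and `SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size)` in particular leaves unsaid what `size` measures, what range is accepted and what 0 means. GREASE ECH only helps if the dummy extension is indistinguishable from a real one, so the comment should tell callers to make the size track real ECH payload lengths rather than a small fixed value: `/* size: byte length of the GREASE ECH payload; should mirror a real ECH payload -- confirm accepted range and meaning of 0 */`. Since the backing field `greaseEchSize` is a PRUint8 in SSL3HandshakeState, 255 appears to be the upper bound and that is worth stating too. One line each on the other three saying which side (client or server) they affect would complete the set.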