| authcert.c |
for PK11_ function calls |
8175 |
- |
| cmpcert.c |
Look to see if any of the signers in the cert chain for "cert" are found
in the list of caNames.
Returns SECSuccess if so, SECFailure if not.
|
1812 |
- |
| config.mk |
|
1019 |
- |
| dhe-param.c |
|
20715 |
- |
| dtls13con.c |
DTLS 1.3 Protocol
|
29962 |
- |
| dtls13con.h |
The structure ssl3CipherSpecStr represents epoch as uint16 (DTLSEpoch epoch),
So the maximum epoch is 2 ^ 16 - 1
See bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1809196 |
2281 |
- |
| dtlscon.c |
DTLS Protocol
|
47810 |
- |
| dtlscon.h |
|
2750 |
- |
| exports.gyp |
|
672 |
- |
| Makefile |
|
2237 |
- |
| manifest.mn |
|
1594 |
- |
| notes.txt |
|
3458 |
- |
| preenc.h |
Fortezza support is removed.
This file remains so that old programs will continue to compile,
But this functionality is no longer supported or implemented.
|
3839 |
- |
| prelib.c |
|
937 |
- |
| selfencrypt.c |
Structure is.
struct {
opaque keyName[16];
opaque iv[16];
opaque ciphertext<16..2^16-1>;
opaque mac[32];
} SelfEncrypted;
We are using AES-CBC + HMAC-SHA256 in Encrypt-then-MAC mode for
two reasons:
1. It's what we already used for tickets.
2. We don't have to worry about nonce collisions as much
(the chance is lower because we have a random 128-bit nonce
and they are less serious than with AES-GCM).
|
9284 |
- |
| selfencrypt.h |
Exported for use in unit tests. |
1263 |
- |
| ssl.def |
|
5610 |
- |
| ssl.gyp |
|
2303 |
- |
| ssl.h |
public ssl data types |
75673 |
- |
| ssl.rc |
|
1866 |
- |
| ssl3con.c |
TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. |
517196 |
- |
| ssl3ecc.c |
ECC code moved here from ssl3con.c |
32137 |
- |
| ssl3ext.c |
TLS extension code moved here from ssl3ecc.c |
43821 |
- |
| ssl3ext.h |
Registerable callback function that either appends extension to buffer
or returns length of data that it would have appended.
|
9552 |
- |
| ssl3exthandle.c |
For tls13_ServerSendStatusRequestXtn. |
66617 |
- |
| ssl3exthandle.h |
|
8008 |
- |
| ssl3gthr.c |
true when ssl3_GatherData encounters an SSLv2 handshake |
30068 |
- |
| ssl3prot.h |
version numbers are defined in sslproto.h |
5474 |
- |
| sslauth.c |
NEED LOCKS IN HERE. |
9425 |
- |
| sslbloom.c |
Error code already set. |
2344 |
- |
| sslbloom.h |
The number of hashes. |
1266 |
- |
| sslcert.c |
for SECOID_GetAlgorithmTag |
30276 |
- |
| sslcert.h |
This type is a bitvector that is indexed by SSLAuthType values. Note that
the bit for ssl_auth_null(0) - the least significant bit - isn't used. |
2607 |
- |
| sslcon.c |
for SGN_ funcs |
7089 |
- |
| ssldef.c |
Default (unencrypted) send.
For blocking sockets, always returns len or SECFailure, no short writes.
For non-blocking sockets:
Returns positive count if any data was written, else returns SECFailure.
Short writes may occur.
|
5669 |
- |
| sslencode.c |
Helper function to encode an unsigned integer into a buffer. |
13244 |
- |
| sslencode.h |
A buffer object, used for assembling messages. |
4532 |
- |
| sslenum.c |
The ordering of cipher suites in this table must match the ordering in
the cipherSuites table in ssl3con.c.
If new ECC cipher suites are added, also update the ssl3CipherSuite arrays
in ssl3ecc.c.
Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
The ordering is as follows:
* No-encryption cipher suites last
* Export/weak/obsolete cipher suites before no-encryption cipher suites
* Order by key exchange algorithm: ECDHE, then DHE, then ECDH, RSA.
* Within key agreement sections, prefer AEAD over non-AEAD cipher suites.
* Within AEAD sections, order by symmetric encryption algorithm which
integrates message authentication algorithm: AES-128-GCM, then
ChaCha20-Poly1305, then AES-256-GCM,
* Within non-AEAD sections, order by symmetric encryption algorithm:
AES-128, then Camellia-128, then AES-256, then Camellia-256, then SEED,
then FIPS-3DES, then 3DES, then RC4. AES is commonly accepted as a
strong cipher internationally, and is often hardware-accelerated.
Camellia also has wide international support across standards
organizations. SEED is only recommended by the Korean government. 3DES
only provides 112 bits of security. RC4 is now deprecated or forbidden
by many standards organizations.
* Within non-AEAD symmetric algorithm sections, order by message
authentication algorithm: HMAC-SHA256, then HMAC-SHA384, then HMAC-SHA1,
then HMAC-MD5.
* Within symmetric algorithm sections, order by message authentication
algorithm: GCM, then HMAC-SHA1, then HMAC-SHA256, then HMAC-MD5.
* Within message authentication algorithm sections, order by asymmetric
signature algorithm: ECDSA, then RSA, then DSS.
* As a special case, the PSK ciphers, which are only enabled when
TLS 1.3 PSK-resumption is in use, come first.
Exception: Because some servers ignore the high-order byte of the cipher
suite ID, we must be careful about adding cipher suites with IDs larger
than 0x00ff; see bug 946147. For these broken servers, the first three
cipher suites, with the MSB zeroed, look like:
TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }
TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
The broken server only supports the third and fourth ones and will select
the third one.
|
6109 |
- |
| sslerr.c |
look at the current value of PR_GetError, and evaluate it to see
if it is meaningful or meaningless (out of context).
If it is meaningless, replace it with the hiLevelError.
Returns the chosen error value.
|
1179 |
- |
| sslerr.h |
clang-format off |
16411 |
- |
| SSLerrs.h |
SSL-specific security error codes |
25473 |
- |
| sslerrstrs.c |
|
880 |
- |
| sslexp.h |
The functions in this header file are not guaranteed to remain available in
future NSS versions. Code that uses these functions needs to safeguard
against the function not being available. |
56875 |
- |
| sslgrp.c |
Function to clear out the ECDHE keys. |
5266 |
- |
| sslimpl.h |
for some formerly private types, now public |
84010 |
- |
| sslinfo.c |
Check if we can properly return the length of data written and that
we're not asked to return more information than we know how to provide.
|
25407 |
- |
| sslinit.c |
|
1466 |
- |
| sslmutex.c |
This ifdef should match the one in sslsnce.c |
16781 |
- |
| sslmutex.h |
What SSL really wants is portable process-shared unnamed mutexes in
shared memory, that have the property that if the process that holds
them dies, they are released automatically, and that (unlike fcntl
record locking) lock to the thread, not to the process.
NSPR doesn't provide that.
Windows has mutexes that meet that description, but they're not portable.
POSIX mutexes are not automatically released when the holder dies,
and other processes/threads cannot release the mutex on behalf of the
dead holder.
POSIX semaphores can be used to accomplish this on systems that implement
process-shared unnamed POSIX semaphores, because a watchdog thread can
discover and release semaphores that were held by a dead process.
On systems that do not support process-shared POSIX unnamed semaphores,
they can be emulated using pipes.
The performance cost of doing that is not yet measured.
So, this API looks a lot like POSIX pthread mutexes.
|
3307 |
- |
| sslnonce.c |
sids can be in one of 5 states:
never_cached, created, but not yet put into cache.
in_client_cache, in the client cache's linked list.
in_server_cache, entry came from the server's cache file.
invalid_cache has been removed from the cache.
in_external_cache sid comes from an external cache.
|
39565 |
- |
| sslprimitive.c |
sigh, the API creates a single context, but then uses either encrypt
and decrypt on that context. We should take an encrypt/decrypt
variable here, but for now create two contexts. |
17030 |
- |
| sslproto.h |
clang-format off |
14472 |
- |
| sslreveal.c |
given PRFileDesc, returns a copy of certificate associated with the socket
the caller should delete the cert when done with SSL_DestroyCertificate
|
3026 |
- |
| sslsecur.c |
for SECOID_GetALgorithmTag |
40004 |
- |
| sslsnce.c |
Note: ssl_FreeSID() in sslnonce.c gets used for both client and server
cache sids!
About record locking among different server processes:
All processes that are part of the same conceptual server (serving on
the same address and port) MUST share a common SSL session cache.
This code makes the content of the shared cache accessible to all
processes on the same "server". This code works on Unix and Win32 only.
We use NSPR anonymous shared memory and move data to & from shared memory.
We must do explicit locking of the records for all reads and writes.
The set of Cache entries are divided up into "sets" of 128 entries.
Each set is protected by a lock. There may be one or more sets protected
by each lock. That is, locks to sets are 1:N.
There is one lock for the entire cert cache.
There is one lock for the set of wrapped sym wrap keys.
The anonymous shared memory is laid out as if it were declared like this:
struct {
cacheDescriptor desc;
sidCacheLock sidCacheLocks[ numSIDCacheLocks];
sidCacheLock keyCacheLock;
sidCacheLock certCacheLock;
sidCacheSet sidCacheSets[ numSIDCacheSets ];
sidCacheEntry sidCacheData[ numSIDCacheEntries];
certCacheEntry certCacheData[numCertCacheEntries];
SSLWrappedSymWrappingKey keyCacheData[SSL_NUM_WRAP_KEYS][SSL_NUM_WRAP_MECHS];
PRUint8 keyNameSuffix[SELF_ENCRYPT_KEY_VAR_NAME_LEN]
encKeyCacheEntry ticketEncKey; // Wrapped
encKeyCacheEntry ticketMacKey; // Wrapped
PRBool ticketKeysValid;
sidCacheLock srvNameCacheLock;
srvNameCacheEntry srvNameData[ numSrvNameCacheEntries ];
} cacheMemCacheData;
|
74232 |
- |
| sslsock.c |
No SSL. |
142404 |
- |
| sslspec.c |
Record protection algorithms, indexed by SSL3BulkCipher.
The |max_records| field (|mr| below) is set to a number that is higher than
recommended in some literature (esp. TLS 1.3) because we currently abort the
connection when this limit is reached and we want to ensure that we only
rarely hit this limit. See bug 1268745 for details.
|
9751 |
- |
| sslspec.h |
The SSL bulk cipher definition |
6667 |
- |
| sslt.h |
Not a real message. |
22116 |
- |
| ssltrace.c |
0x |
2800 |
- |
| sslver.c |
Library identity and versioning |
460 |
- |
| tls13con.c |
|
258885 |
- |
| tls13con.h |
Return PR_TRUE if the socket is in one of the given states, else return
PR_FALSE. Only call the macro not the function, because the trailing
wait_invalid is needed to terminate the argument list. |
9175 |
- |
| tls13ech.c |
struct {
HpkeKdfId kdf_id;
HpkeAeadId aead_id;
} HpkeSymmetricCipherSuite;
struct {
uint8 config_id;
HpkeKemId kem_id;
HpkePublicKey public_key;
HpkeSymmetricCipherSuite cipher_suites<4..2^16-4>;
} HpkeKeyConfig;
struct {
HpkeKeyConfig key_config;
uint16 maximum_name_length;
opaque public_name<1..2^16-1>;
Extension extensions<0..2^16-1>;
} ECHConfigContents;
struct {
uint16 version;
uint16 length;
select (ECHConfig.version) {
case 0xfe0d: ECHConfigContents contents;
}
} ECHConfig;
|
99852 |
- |
| tls13ech.h |
draft-09, supporting shared-mode and split-mode as a backend server only.
Notes on the implementation status:
- Padding (https://tools.ietf.org/html/draft-ietf-tls-esni-08#section-6.2),
is not implemented (see bug 1677181).
- When multiple ECHConfigs are provided by the server, the first compatible
config is selected by the client. Ciphersuite choices are limited and only
the AEAD may vary (AES-128-GCM or ChaCha20Poly1305).
- Some of the buffering (construction/compression/decompression) could likely
be optimized, but the spec is still evolving so that work is deferred.
|
5982 |
- |
| tls13echv.c |
Validation functions for ECH public names. |
4807 |
- |
| tls13err.h |
Use this instead of FATAL_ERROR when an alert isn't possible. |
1256 |
- |
| tls13exthandle.c |
Only send the first entry. |
66491 |
- |
| tls13exthandle.h |
|
8574 |
- |
| tls13hashstate.c |
The cookie is structured as a self-encrypted structure with the
inner value being.
struct {
uint8 indicator = 0xff; // To disambiguate from tickets.
uint16 cipherSuite; // Selected cipher suite.
uint16 keyShare; // Requested key share group (0=none)
PRUint8 echConfigId; // ECH config_id
HpkeKdfId kdfId; // ECH KDF (uint16)
HpkeAeadId aeadId; // ECH AEAD (uint16)
opaque echHpkeCtx<0..65535>; // ECH serialized HPKE context
opaque applicationToken<0..65535>; // Application token
opaque ch_hash[rest_of_buffer]; // H(ClientHello)
} CookieInner;
An empty echConfigId means that ECH was not offered in the first ClientHello.
An empty echHrrPsk means that ECH was not accepted in CH1.
|
12377 |
- |
| tls13hashstate.h |
|
1207 |
- |
| tls13hkdf.c |
This table contains the mapping between TLS hash identifiers and the
PKCS#11 identifiers |
10419 |
- |
| tls13hkdf.h |
|
1167 |
- |
| tls13psk.c |
We should only have the initial key. Binder keys
are derived during the handshake. |
6096 |
- |
| tls13psk.h |
Internally, we have track sslPsk pointers in three locations:
1) An external PSK can be configured to the socket, in which case ss->psk will hold an owned reference.
For now, this only holds one external PSK. The value will persist across handshake restarts.
2) When a handshake begins, the ss->psk value is deep-copied into ss->ssl3.hs.psks, which may also hold
a resumption PSK. This is essentially a priority-sorted list (where a resumption PSK has higher
priority than external), and we currently only send one PskIdentity and binder.
3) During negotiation, ss->xtnData.selectedPsk will either be NULL or it will hold a non-owning refernce
to the PSK that has been (or is being) negotiated.
|
2785 |
- |
| tls13replay.c |
for NSS_RegisterShutdown |
9283 |
- |
| tls13signature.c |
we put this here because it only affects TLS 1.3, and not TLS 1.2 and earlier
which use the old sign hashes interface. The TLS 1.3 protocol is friendly to
algorthims that don't have a signed hashes interface |
7148 |
- |
| tls13subcerts.c |
Parses the delegated credential (DC) from the raw extension |b| of length
|length|. Memory for the DC is allocated and set to |*dcp|.
It's the caller's responsibility to invoke |tls13_DestroyDelegatedCredential|
when this data is no longer needed.
|
25729 |
- |
| tls13subcerts.h |
The number of seconds for which the delegated credential (DC) is valid
following the notBefore parameter of the delegation certificate.
|
2125 |
- |
| unix_err.c |
forward declarations. |
18879 |
- |
| unix_err.h |
NSPR doesn't make these functions public, so we have to duplicate
* them in NSS.
|
2891 |
- |
| win32err.c |
On Win32, we map three kinds of error codes:
- GetLastError(): for Win32 functions
- WSAGetLastError(): for Winsock functions
- errno: for standard C library functions
We do not check for WSAEINPROGRESS and WSAEINTR because we do not
use blocking Winsock 1.1 calls.
Except for the 'socket' call, we do not check for WSAEINITIALISED.
It is assumed that if Winsock is not initialized, that fact will
be detected at the time we create new sockets.
|
13713 |
- |
| win32err.h |
NSPR doesn't make these functions public, so we have to duplicate
* them in NSS.
|
2757 |
- |