Name Description Size
Makefile 2291
SSLerrs.h SSL-specific security error codes 25279
authcert.c for PK11_ function calls 3070
cmpcert.c Look to see if any of the signers in the cert chain for "cert" are found in the list of caNames. Returns SECSuccess if so, SECFailure if not. 1812
config.mk 1076
dhe-param.c 20720
dtls13con.c DTLS 1.3 Protocol 19284
dtls13con.h 1859
dtlscon.c DTLS Protocol 47480
dtlscon.h 2693
exports.gyp 672
manifest.mn 1545
notes.txt 3458
os2_err.c Based on win32err.c OS2TODO Stub everything for now to build. HCT 7434
os2_err.h NSPR doesn't make these functions public, so we have to duplicate them in NSS. 2713
preenc.h Fortezza support is removed. This file remains so that old programs will continue to compile, But this functionality is no longer supported or implemented. 3839
prelib.c 937
selfencrypt.c Structure is: struct { opaque keyName[16]; opaque iv[16]; opaque ciphertext<16..2^16-1>; opaque mac[32]; } SelfEncrypted; We are using AES-CBC + HMAC-SHA256 in Encrypt-then-MAC mode for two reasons: 1. It's what we already used for tickets. 2. We don't have to worry about nonce collisions as much (the chance is lower because we have a random 128-bit nonce and they are less serious than with AES-GCM). 9284
selfencrypt.h Exported for use in unit tests. 1263
ssl.def 5382
ssl.gyp 2252
ssl.h public ssl data types 70145
ssl.rc 1866
ssl3con.c TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. 493152
ssl3ecc.c ECC code moved here from ssl3con.c 29908
ssl3ext.c TLS extension code moved here from ssl3ecc.c 38152
ssl3ext.h Registerable callback function that either appends extension to buffer or returns length of data that it would have appended. 8826
ssl3exthandle.c For tls13_ServerSendStatusRequestXtn. 65569
ssl3exthandle.h 8008
ssl3gthr.c true when ssl3_GatherData encounters an SSLv2 handshake 27286
ssl3prot.h version numbers are defined in sslproto.h 4749
sslauth.c NEED LOCKS IN HERE. 7677
sslbloom.c Error code already set. 2344
sslbloom.h The number of hashes. 1266
sslcert.c for SECOID_GetAlgorithmTag 30139
sslcert.h This type is a bitvector that is indexed by SSLAuthType values. Note that the bit for ssl_auth_null(0) - the least significant bit - isn't used. 2607
sslcon.c for SGN_ funcs 7089
ssldef.c Default (unencrypted) send. For blocking sockets, always returns len or SECFailure, no short writes. For non-blocking sockets: Returns positive count if any data was written, else returns SECFailure. Short writes may occur. 5669
sslencode.c Helper function to encode an unsigned integer into a buffer. 10822
sslencode.h A buffer object, used for assembling messages. 3888
sslenum.c The ordering of cipher suites in this table must match the ordering in the cipherSuites table in ssl3con.c. If new ECC cipher suites are added, also update the ssl3CipherSuite arrays in ssl3ecc.c. Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h. The ordering is as follows: * No-encryption cipher suites last * Export/weak/obsolete cipher suites before no-encryption cipher suites * Order by key exchange algorithm: ECDHE, then DHE, then ECDH, RSA. * Within key agreement sections, prefer AEAD over non-AEAD cipher suites. * Within AEAD sections, order by symmetric encryption algorithm which integrates message authentication algorithm: AES-128-GCM, then ChaCha20-Poly1305, then AES-256-GCM. * Within non-AEAD sections, order by symmetric encryption algorithm: AES-128, then Camellia-128, then AES-256, then Camellia-256, then SEED, then FIPS-3DES, then 3DES, then RC4. AES is commonly accepted as a strong cipher internationally, and is often hardware-accelerated. Camellia also has wide international support across standards organizations. SEED is only recommended by the Korean government. 3DES only provides 112 bits of security. RC4 is now deprecated or forbidden by many standards organizations. * Within non-AEAD symmetric algorithm sections, order by message authentication algorithm: HMAC-SHA256, then HMAC-SHA384, then HMAC-SHA1, then HMAC-MD5. * Within symmetric algorithm sections, order by message authentication algorithm: GCM, then HMAC-SHA1, then HMAC-SHA256, then HMAC-MD5. * Within message authentication algorithm sections, order by asymmetric signature algorithm: ECDSA, then RSA, then DSS. * As a special case, the PSK ciphers, which are only enabled when TLS 1.3 PSK-resumption is in use, come first. Exception: Because some servers ignore the high-order byte of the cipher suite ID, we must be careful about adding cipher suites with IDs larger than 0x00ff; see bug 946147. For these broken servers, the first three cipher suites, with the MSB zeroed, look like: TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F } TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A } TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 } The broken server only supports the third and fourth ones and will select the third one. 6109
sslerr.c Look at the current value of PR_GetError, and evaluate it to see if it is meaningful or meaningless (out of context). If it is meaningless, replace it with the hiLevelError. Returns the chosen error value. 1179
sslerr.h clang-format off 16339
sslerrstrs.c 880
sslexp.h The functions in this header file are not guaranteed to remain available in future NSS versions. Code that uses these functions needs to safeguard against the function not being available. 53622
sslgrp.c Function to clear out the ECDHE keys. 5098
sslimpl.h for some formerly private types, now public 81473
sslinfo.c Check if we can properly return the length of data written and that we're not asked to return more information than we know how to provide. 25166
sslinit.c short circuit test if we are already inited 1417
sslmutex.c This ifdef should match the one in sslsnce.c 16800
sslmutex.h What SSL really wants is portable process-shared unnamed mutexes in shared memory, that have the property that if the process that holds them dies, they are released automatically, and that (unlike fcntl record locking) lock to the thread, not to the process. NSPR doesn't provide that. Windows has mutexes that meet that description, but they're not portable. POSIX mutexes are not automatically released when the holder dies, and other processes/threads cannot release the mutex on behalf of the dead holder. POSIX semaphores can be used to accomplish this on systems that implement process-shared unnamed POSIX semaphores, because a watchdog thread can discover and release semaphores that were held by a dead process. On systems that do not support process-shared POSIX unnamed semaphores, they can be emulated using pipes. The performance cost of doing that is not yet measured. So, this API looks a lot like POSIX pthread mutexes. 3324
sslnonce.c sids can be in one of 5 states: never_cached: created, but not yet put into cache; in_client_cache: in the client cache's linked list; in_server_cache: entry came from the server's cache file; invalid_cache: has been removed from the cache; in_external_cache: sid comes from an external cache. 39585
sslprimitive.c sigh, the API creates a single context, but then uses either encrypt and decrypt on that context. We should take an encrypt/decrypt variable here, but for now create two contexts. 16990
sslproto.h clang-format off 14480
sslreveal.c Given a PRFileDesc, returns a copy of the certificate associated with the socket; the caller should delete the cert when done, using SSL_DestroyCertificate. 3026
sslsecur.c for SECOID_GetAlgorithmTag 36794
sslsnce.c Note: ssl_FreeSID() in sslnonce.c gets used for both client and server cache sids! About record locking among different server processes: All processes that are part of the same conceptual server (serving on the same address and port) MUST share a common SSL session cache. This code makes the content of the shared cache accessible to all processes on the same "server". This code works on Unix and Win32 only. We use NSPR anonymous shared memory and move data to & from shared memory. We must do explicit locking of the records for all reads and writes. The set of cache entries is divided up into "sets" of 128 entries. Each set is protected by a lock. There may be one or more sets protected by each lock. That is, locks to sets are 1:N. There is one lock for the entire cert cache. There is one lock for the set of wrapped sym wrap keys. The anonymous shared memory is laid out as if it were declared like this: struct { cacheDescriptor desc; sidCacheLock sidCacheLocks[ numSIDCacheLocks]; sidCacheLock keyCacheLock; sidCacheLock certCacheLock; sidCacheSet sidCacheSets[ numSIDCacheSets ]; sidCacheEntry sidCacheData[ numSIDCacheEntries]; certCacheEntry certCacheData[numCertCacheEntries]; SSLWrappedSymWrappingKey keyCacheData[SSL_NUM_WRAP_KEYS][SSL_NUM_WRAP_MECHS]; PRUint8 keyNameSuffix[SELF_ENCRYPT_KEY_VAR_NAME_LEN]; encKeyCacheEntry ticketEncKey; // Wrapped encKeyCacheEntry ticketMacKey; // Wrapped PRBool ticketKeysValid; sidCacheLock srvNameCacheLock; srvNameCacheEntry srvNameData[ numSrvNameCacheEntries ]; } cacheMemCacheData; 74795
sslsock.c No SSL. 137718
sslspec.c Record protection algorithms, indexed by SSL3BulkCipher. The |max_records| field (|mr| below) is set to a number that is higher than recommended in some literature (esp. TLS 1.3) because we currently abort the connection when this limit is reached and we want to ensure that we only rarely hit this limit. See bug 1268745 for details. 9752
sslspec.h The SSL bulk cipher definition 6668
sslt.h Not a real message. 20458
ssltrace.c 2800
sslver.c Library identity and versioning 460
tls13con.c 213718
tls13con.h Return PR_TRUE if the socket is in one of the given states, else return PR_FALSE. Only call the macro not the function, because the trailing wait_invalid is needed to terminate the argument list. 8648
tls13ech.c We only support SHA256 KDF. 75421
tls13ech.h draft-09, supporting shared-mode and split-mode as a backend server only. Notes on the implementation status: - Padding (https://tools.ietf.org/html/draft-ietf-tls-esni-08#section-6.2), is not implemented (see bug 1677181). - When multiple ECHConfigs are provided by the server, the first compatible config is selected by the client. Ciphersuite choices are limited and only the AEAD may vary (AES-128-GCM or ChaCha20Poly1305). - Some of the buffering (construction/compression/decompression) could likely be optimized, but the spec is still evolving so that work is deferred. 4714
tls13err.h Use this instead of FATAL_ERROR when an alert isn't possible. 1256
tls13exthandle.c Only send the first entry. 49696
tls13exthandle.h 7297
tls13hashstate.c The cookie is structured as a self-encrypted structure with the inner value being: struct { uint8 indicator = 0xff; // To disambiguate from tickets. uint16 cipherSuite; // Selected cipher suite. uint16 keyShare; // Requested key share group (0=none) HpkeKdfId kdfId; // ECH KDF (uint16) HpkeAeadId aeadId; // ECH AEAD (uint16) opaque echConfigId<0..255>; // ECH config_id opaque echHpkeCtx<0..65535>; // ECH serialized HPKE context opaque applicationToken<0..65535>; // Application token opaque ch_hash[rest_of_buffer]; // H(ClientHello) } CookieInner; An empty echConfigId means that ECH was not offered in the first ClientHello. An empty echHrrPsk means that ECH was not accepted in CH1. 11423
tls13hashstate.h 1400
tls13hkdf.c This table contains the mapping between TLS hash identifiers and the PKCS#11 identifiers 10419
tls13hkdf.h 1167
tls13psk.c We should only have the initial key. Binder keys are derived during the handshake. 6096
tls13psk.h Internally, we track sslPsk pointers in three locations: 1) An external PSK can be configured on the socket, in which case ss->psk will hold an owned reference. For now, this only holds one external PSK. The value will persist across handshake restarts. 2) When a handshake begins, the ss->psk value is deep-copied into ss->ssl3.hs.psks, which may also hold a resumption PSK. This is essentially a priority-sorted list (where a resumption PSK has higher priority than external), and we currently only send one PskIdentity and binder. 3) During negotiation, ss->xtnData.selectedPsk will either be NULL or it will hold a non-owning reference to the PSK that has been (or is being) negotiated. 2785
tls13replay.c for NSS_RegisterShutdown 9283
tls13subcerts.c Parses the delegated credential (DC) from the raw extension |b| of length |length|. Memory for the DC is allocated and set to |*dcp|. It's the caller's responsibility to invoke |tls13_DestroyDelegatedCredential| when this data is no longer needed. 25583
tls13subcerts.h The number of seconds for which the delegated credential (DC) is valid following the notBefore parameter of the delegation certificate. 2125
unix_err.c forward declarations. 19292
unix_err.h NSPR doesn't make these functions public, so we have to duplicate them in NSS. 2891
win32err.c On Win32, we map three kinds of error codes: - GetLastError(): for Win32 functions - WSAGetLastError(): for Winsock functions - errno: for standard C library functions We do not check for WSAEINPROGRESS and WSAEINTR because we do not use blocking Winsock 1.1 calls. Except for the 'socket' call, we do not check for WSAEINITIALISED. It is assumed that if Winsock is not initialized, that fact will be detected at the time we create new sockets. 13713
win32err.h NSPR doesn't make these functions public, so we have to duplicate them in NSS. 2757