Name Description Size
authcert.c for PK11_ function calls 8175
cmpcert.c Look to see if any of the signers in the cert chain for "cert" are found in the list of caNames. Returns SECSuccess if so, SECFailure if not. 1812 1019
dhe-param.c 20715
dtls13con.c DTLS 1.3 Protocol 29962
dtls13con.h The structure ssl3CipherSpecStr represents epoch as uint16 (DTLSEpoch epoch), So the maximum epoch is 2 ^ 16 - 1 See bug: 2281
dtlscon.c DTLS Protocol 46634
dtlscon.h 2750
exports.gyp 672
Makefile 2291 1567
notes.txt 3458
os2_err.c Based on win32err.c OS2TODO Stub everything for now to build. HCT 7434
os2_err.h NSPR doesn't make these functions public, so we have to duplicate * them in NSS. 2713
preenc.h Fortezza support is removed. This file remains so that old programs will continue to compile, But this functionality is no longer supported or implemented. 3839
prelib.c 937
selfencrypt.c Structure is. struct { opaque keyName[16]; opaque iv[16]; opaque ciphertext<16..2^16-1>; opaque mac[32]; } SelfEncrypted; We are using AES-CBC + HMAC-SHA256 in Encrypt-then-MAC mode for two reasons: 1. It's what we already used for tickets. 2. We don't have to worry about nonce collisions as much (the chance is lower because we have a random 128-bit nonce and they are less serious than with AES-GCM). 9284
selfencrypt.h Exported for use in unit tests. 1263
ssl.def 5610
ssl.gyp 2275
ssl.h public ssl data types 75458
ssl.rc 1866
ssl3con.c TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. 511647
ssl3ecc.c ECC code moved here from ssl3con.c 30558
ssl3ext.c TLS extension code moved here from ssl3ecc.c 43664
ssl3ext.h Registerable callback function that either appends extension to buffer or returns length of data that it would have appended. 9552
ssl3exthandle.c For tls13_ServerSendStatusRequestXtn. 66699
ssl3exthandle.h 8008
ssl3gthr.c true when ssl3_GatherData encounters an SSLv2 handshake 30103
ssl3prot.h version numbers are defined in sslproto.h 5474
sslauth.c NEED LOCKS IN HERE. 7677
sslbloom.c Error code already set. 2344
sslbloom.h The number of hashes. 1266
sslcert.c for SECOID_GetAlgorithmTag 30276
sslcert.h This type is a bitvector that is indexed by SSLAuthType values. Note that the bit for ssl_auth_null(0) - the least significant bit - isn't used. 2607
sslcon.c for SGN_ funcs 7089
ssldef.c Default (unencrypted) send. For blocking sockets, always returns len or SECFailure, no short writes. For non-blocking sockets: Returns positive count if any data was written, else returns SECFailure. Short writes may occur. 5669
sslencode.c Helper function to encode an unsigned integer into a buffer. 13239
sslencode.h A buffer object, used for assembling messages. 4533
sslenum.c The ordering of cipher suites in this table must match the ordering in the cipherSuites table in ssl3con.c. If new ECC cipher suites are added, also update the ssl3CipherSuite arrays in ssl3ecc.c. Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h. The ordering is as follows: * No-encryption cipher suites last * Export/weak/obsolete cipher suites before no-encryption cipher suites * Order by key exchange algorithm: ECDHE, then DHE, then ECDH, RSA. * Within key agreement sections, prefer AEAD over non-AEAD cipher suites. * Within AEAD sections, order by symmetric encryption algorithm which integrates message authentication algorithm: AES-128-GCM, then ChaCha20-Poly1305, then AES-256-GCM, * Within non-AEAD sections, order by symmetric encryption algorithm: AES-128, then Camellia-128, then AES-256, then Camellia-256, then SEED, then FIPS-3DES, then 3DES, then RC4. AES is commonly accepted as a strong cipher internationally, and is often hardware-accelerated. Camellia also has wide international support across standards organizations. SEED is only recommended by the Korean government. 3DES only provides 112 bits of security. RC4 is now deprecated or forbidden by many standards organizations. * Within non-AEAD symmetric algorithm sections, order by message authentication algorithm: HMAC-SHA256, then HMAC-SHA384, then HMAC-SHA1, then HMAC-MD5. * Within symmetric algorithm sections, order by message authentication algorithm: GCM, then HMAC-SHA1, then HMAC-SHA256, then HMAC-MD5. * Within message authentication algorithm sections, order by asymmetric signature algorithm: ECDSA, then RSA, then DSS. * As a special case, the PSK ciphers, which are only enabled when TLS 1.3 PSK-resumption is in use, come first. Exception: Because some servers ignore the high-order byte of the cipher suite ID, we must be careful about adding cipher suites with IDs larger than 0x00ff; see bug 946147. For these broken servers, the first three cipher suites, with the MSB zeroed, look like: TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F } TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A } TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 } The broken server only supports the third and fourth ones and will select the third one. 6109
sslerr.c look at the current value of PR_GetError, and evaluate it to see if it is meaningful or meaningless (out of context). If it is meaningless, replace it with the hiLevelError. Returns the chosen error value. 1179
sslerr.h clang-format off 16411
SSLerrs.h SSL-specific security error codes 25419
sslerrstrs.c 880
sslexp.h The functions in this header file are not guaranteed to remain available in future NSS versions. Code that uses these functions needs to safeguard against the function not being available. 56180
sslgrp.c Function to clear out the ECDHE keys. 5098
sslimpl.h for some formerly private types, now public 84969
sslinfo.c Check if we can properly return the length of data written and that we're not asked to return more information than we know how to provide. 25407
sslinit.c short circuit test if we are already inited 1417
sslmutex.c This ifdef should match the one in sslsnce.c 16800
sslmutex.h What SSL really wants is portable process-shared unnamed mutexes in shared memory, that have the property that if the process that holds them dies, they are released automatically, and that (unlike fcntl record locking) lock to the thread, not to the process. NSPR doesn't provide that. Windows has mutexes that meet that description, but they're not portable. POSIX mutexes are not automatically released when the holder dies, and other processes/threads cannot release the mutex on behalf of the dead holder. POSIX semaphores can be used to accomplish this on systems that implement process-shared unnamed POSIX semaphores, because a watchdog thread can discover and release semaphores that were held by a dead process. On systems that do not support process-shared POSIX unnamed semaphores, they can be emulated using pipes. The performance cost of doing that is not yet measured. So, this API looks a lot like POSIX pthread mutexes. 3307
sslnonce.c sids can be in one of 5 states: never_cached, created, but not yet put into cache. in_client_cache, in the client cache's linked list. in_server_cache, entry came from the server's cache file. invalid_cache has been removed from the cache. in_external_cache sid comes from an external cache. 39565
sslprimitive.c sigh, the API creates a single context, but then uses either encrypt and decrypt on that context. We should take an encrypt/decrypt variable here, but for now create two contexts. 16990
sslproto.h clang-format off 14472
sslreveal.c given PRFileDesc, returns a copy of certificate associated with the socket the caller should delete the cert when done with SSL_DestroyCertificate 3026
sslsecur.c for SECOID_GetALgorithmTag 40004
sslsnce.c Note: ssl_FreeSID() in sslnonce.c gets used for both client and server cache sids! About record locking among different server processes: All processes that are part of the same conceptual server (serving on the same address and port) MUST share a common SSL session cache. This code makes the content of the shared cache accessible to all processes on the same "server". This code works on Unix and Win32 only. We use NSPR anonymous shared memory and move data to & from shared memory. We must do explicit locking of the records for all reads and writes. The set of Cache entries are divided up into "sets" of 128 entries. Each set is protected by a lock. There may be one or more sets protected by each lock. That is, locks to sets are 1:N. There is one lock for the entire cert cache. There is one lock for the set of wrapped sym wrap keys. The anonymous shared memory is laid out as if it were declared like this: struct { cacheDescriptor desc; sidCacheLock sidCacheLocks[ numSIDCacheLocks]; sidCacheLock keyCacheLock; sidCacheLock certCacheLock; sidCacheSet sidCacheSets[ numSIDCacheSets ]; sidCacheEntry sidCacheData[ numSIDCacheEntries]; certCacheEntry certCacheData[numCertCacheEntries]; SSLWrappedSymWrappingKey keyCacheData[SSL_NUM_WRAP_KEYS][SSL_NUM_WRAP_MECHS]; PRUint8 keyNameSuffix[SELF_ENCRYPT_KEY_VAR_NAME_LEN] encKeyCacheEntry ticketEncKey; // Wrapped encKeyCacheEntry ticketMacKey; // Wrapped PRBool ticketKeysValid; sidCacheLock srvNameCacheLock; srvNameCacheEntry srvNameData[ numSrvNameCacheEntries ]; } cacheMemCacheData; 74602
sslsock.c No SSL. 140006
sslspec.c Record protection algorithms, indexed by SSL3BulkCipher. The |max_records| field (|mr| below) is set to a number that is higher than recommended in some literature (esp. TLS 1.3) because we currently abort the connection when this limit is reached and we want to ensure that we only rarely hit this limit. See bug 1268745 for details. 9751
sslspec.h The SSL bulk cipher definition 6668
sslt.h Not a real message. 21649
ssltrace.c 0x 2800
sslver.c Library identity and versioning 460
tls13con.c 247719
tls13con.h Return PR_TRUE if the socket is in one of the given states, else return PR_FALSE. Only call the macro not the function, because the trailing wait_invalid is needed to terminate the argument list. 9175
tls13ech.c struct { HpkeKdfId kdf_id; HpkeAeadId aead_id; } HpkeSymmetricCipherSuite; struct { uint8 config_id; HpkeKemId kem_id; HpkePublicKey public_key; HpkeSymmetricCipherSuite cipher_suites<4..2^16-4>; } HpkeKeyConfig; struct { HpkeKeyConfig key_config; uint16 maximum_name_length; opaque public_name<1..2^16-1>; Extension extensions<0..2^16-1>; } ECHConfigContents; struct { uint16 version; uint16 length; select (ECHConfig.version) { case 0xfe0d: ECHConfigContents contents; } } ECHConfig; 98594
tls13ech.h draft-09, supporting shared-mode and split-mode as a backend server only. Notes on the implementation status: - Padding (, is not implemented (see bug 1677181). - When multiple ECHConfigs are provided by the server, the first compatible config is selected by the client. Ciphersuite choices are limited and only the AEAD may vary (AES-128-GCM or ChaCha20Poly1305). - Some of the buffering (construction/compression/decompression) could likely be optimized, but the spec is still evolving so that work is deferred. 5946
tls13echv.c Validation functions for ECH public names. 4807
tls13err.h Use this instead of FATAL_ERROR when an alert isn't possible. 1256
tls13exthandle.c Only send the first entry. 63535
tls13exthandle.h 8574
tls13hashstate.c The cookie is structured as a self-encrypted structure with the inner value being. struct { uint8 indicator = 0xff; // To disambiguate from tickets. uint16 cipherSuite; // Selected cipher suite. uint16 keyShare; // Requested key share group (0=none) PRUint8 echConfigId; // ECH config_id HpkeKdfId kdfId; // ECH KDF (uint16) HpkeAeadId aeadId; // ECH AEAD (uint16) opaque echHpkeCtx<0..65535>; // ECH serialized HPKE context opaque applicationToken<0..65535>; // Application token opaque ch_hash[rest_of_buffer]; // H(ClientHello) } CookieInner; An empty echConfigId means that ECH was not offered in the first ClientHello. An empty echHrrPsk means that ECH was not accepted in CH1. 12377
tls13hashstate.h 1207
tls13hkdf.c This table contains the mapping between TLS hash identifiers and the PKCS#11 identifiers 10419
tls13hkdf.h 1167
tls13psk.c We should only have the initial key. Binder keys are derived during the handshake. 6096
tls13psk.h Internally, we have track sslPsk pointers in three locations: 1) An external PSK can be configured to the socket, in which case ss->psk will hold an owned reference. For now, this only holds one external PSK. The value will persist across handshake restarts. 2) When a handshake begins, the ss->psk value is deep-copied into ss->ssl3.hs.psks, which may also hold a resumption PSK. This is essentially a priority-sorted list (where a resumption PSK has higher priority than external), and we currently only send one PskIdentity and binder. 3) During negotiation, ss->xtnData.selectedPsk will either be NULL or it will hold a non-owning refernce to the PSK that has been (or is being) negotiated. 2785
tls13replay.c for NSS_RegisterShutdown 9283
tls13subcerts.c Parses the delegated credential (DC) from the raw extension |b| of length |length|. Memory for the DC is allocated and set to |*dcp|. It's the caller's responsibility to invoke |tls13_DestroyDelegatedCredential| when this data is no longer needed. 25657
tls13subcerts.h The number of seconds for which the delegated credential (DC) is valid following the notBefore parameter of the delegation certificate. 2125
unix_err.c forward declarations. 19275
unix_err.h NSPR doesn't make these functions public, so we have to duplicate * them in NSS. 2891
win32err.c On Win32, we map three kinds of error codes: - GetLastError(): for Win32 functions - WSAGetLastError(): for Winsock functions - errno: for standard C library functions We do not check for WSAEINPROGRESS and WSAEINTR because we do not use blocking Winsock 1.1 calls. Except for the 'socket' call, we do not check for WSAEINITIALISED. It is assumed that if Winsock is not initialized, that fact will be detected at the time we create new sockets. 13713
win32err.h NSPR doesn't make these functions public, so we have to duplicate * them in NSS. 2757