Index: lib/ssl/sslimpl.h |
=================================================================== |
--- a/lib/ssl/sslimpl.h |
+++ b/lib/ssl/sslimpl.h |
@@ -142,16 +142,19 @@ typedef enum { SSLAppOpRead = 0, |
/* The default value from RFC 4347 is 1s, which is too slow. */ |
#define DTLS_RETRANSMIT_INITIAL_MS 50 |
/* The maximum time to wait between retransmissions. */ |
#define DTLS_RETRANSMIT_MAX_MS 10000 |
/* Time to wait in FINISHED state for retransmissions. */ |
#define DTLS_RETRANSMIT_FINISHED_MS 30000 |
+/* number of entries in ssl_named_groups */ |
+#define SSL_NAMED_GROUP_COUNT 30 |
+ |
/* Types and names of elliptic curves used in TLS */ |
typedef enum { |
ec_type_explicitPrime = 1, /* not supported */ |
ec_type_explicitChar2Curve = 2, /* not supported */ |
ec_type_named = 3 |
} ECType; |
/* TODO: decide if SSLKEAType might be better here. */ |
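Review bot: SSL_NAMED_GROUP_COUNT is a bare literal 30 whose comment says it is the number of entries in ssl_named_groups, yet nothing in this header ties the two together, so adding a group to the table without updating the define would leave the fixed-size arrays that use it (the sslSessionID and sslSocket fields introduced later in this patch) one short with no diagnostic. Where ssl_named_groups is defined (outside this patch), a compile-time check such as `PR_STATIC_ASSERT(PR_ARRAY_SIZE(ssl_named_groups) == SSL_NAMED_GROUP_COUNT);` would make the coupling fail the build rather than silently truncate. The comment on the define should also say that it is an upper bound for the copies kept per socket and per session, since that is what the value actually sizes.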
@@ -170,16 +173,18 @@ typedef struct { |
unsigned int bits; |
/* Whether the group is Elliptic or Finite-Field. */ |
NamedGroupType type; |
/* The OID that identifies the group to PKCS11. This also determines |
* whether the group is enabled in policy. */ |
SECOidTag oidTag; |
/* Non-suite-B groups are enabled by patching NSS. Yuck. */ |
PRBool suiteb; |
+ /* Defines whether the group is enabled or not */ |
+ PRBool enabled; |
} namedGroupDef; |
typedef struct sslBufferStr sslBuffer; |
typedef struct sslConnectInfoStr sslConnectInfo; |
typedef struct sslGatherStr sslGather; |
typedef struct sslSecurityInfoStr sslSecurityInfo; |
typedef struct sslSessionIDStr sslSessionID; |
typedef struct sslSocketStr sslSocket; |
@@ -602,17 +607,18 @@ struct sslSessionIDStr { |
PRUint32 creationTime; /* seconds since Jan 1, 1970 */ |
PRUint32 expirationTime; /* seconds since Jan 1, 1970 */ |
SSLAuthType authType; |
PRUint32 authKeyBits; |
SSLKEAType keaType; |
PRUint32 keaKeyBits; |
- PRUint32 namedGroups; |
+ namedGroupDef namedGroupPreferences[SSL_NAMED_GROUP_COUNT]; |
mt
2016/09/14 20:22:05
I'd much prefer if this were const namedGroupDef *
|
+ PRUint32 namedGroupPreferenceCount; |
union { |
struct { |
/* values that are copied into the server's on-disk SID cache. */ |
PRUint8 sessionIDLength; |
SSL3Opaque sessionID[SSL3_SESSIONID_BYTES]; |
ssl3CipherSuite cipherSuite; |
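Review bot: namedGroupPreferenceCount is added with no comment stating its invariant, so a reader of this header cannot tell whether it counts valid entries in namedGroupPreferences or is bounded by SSL_NAMED_GROUP_COUNT, and code indexing the array has nothing to check against. Suggest `PRUint32 namedGroupPreferenceCount; /* valid entries in namedGroupPreferences, <= SSL_NAMED_GROUP_COUNT */`. The same applies to the identical pair of fields added to sslSocketStr in the hunk at @@ -1297, which should carry the same wording. Both enclosing structs begin before their hunks.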
@@ -1075,17 +1081,17 @@ typedef struct { |
struct sslKeyPairStr { |
SECKEYPrivateKey *privKey; |
SECKEYPublicKey *pubKey; |
PRInt32 refCount; /* use PR_Atomic calls for this. */ |
}; |
typedef struct { |
PRCList link; |
- const namedGroupDef *group; |
+ namedGroupDef *group; |
mt
2016/09/14 20:22:05
const
|
sslKeyPair *keys; |
} sslEphemeralKeyPair; |
struct ssl3DHParamsStr { |
SSLNamedGroup name; |
SECItem prime; /* p */ |
SECItem base; /* g */ |
}; |
@@ -1297,21 +1303,26 @@ struct sslSocketStr { |
sslBuffer saveBuf; /*xmitBufLock*/ |
sslBuffer pendingBuf; /*xmitBufLock*/ |
/* Configuration state for server sockets */ |
/* One server cert and key for each authentication type. */ |
PRCList /* <sslServerCert> */ serverCerts; |
ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED]; |
- /* This bit mask determines what EC and FFDHE groups are enabled. This |
+ |
+ /* Pointer to a list of groups that are sorted according to user preferences. |
+ * This points to ssl_named_groups by default. |
+ * This list also determines which groups are enabled. This |
* starts with all being enabled and can be modified either by negotiation |
* (in which case groups not supported by a peer are masked off), or by |
- * calling SSL_DHEGroupPrefSet(), which will alter the mask for FFDHE. */ |
- PRUint32 namedGroups; |
+ * calling SSL_DHEGroupPrefSet(). |
+ */ |
+ namedGroupDef namedGroupPreferences[SSL_NAMED_GROUP_COUNT]; |
+ PRUint32 namedGroupPreferenceCount; |
/* SSL3 state info. Formerly was a pointer */ |
ssl3State ssl3; |
/* |
* TLS extension related data. |
*/ |
/* True when the current session is a stateless resume. */ |
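Review bot: The new comment describes namedGroupPreferences as a "Pointer to a list" that "points to ssl_named_groups by default", but the declaration directly below it is an inline array `namedGroupDef namedGroupPreferences[SSL_NAMED_GROUP_COUNT];`, so the comment documents a layout this patch does not implement. The retained sentence about groups being "masked off" is also stale now that the PRUint32 bitmask is gone; presumably the per-entry `enabled` flag added to namedGroupDef is what changes, but that is not stated here. Suggest replacing the first two sentences with `/* Groups sorted by user preference, initialised by copying ssl_named_groups. Only the first namedGroupPreferenceCount entries are valid; an entry's enabled flag records whether negotiation or SSL_DHEGroupPrefSet() has turned it off. */`, adjusting the last clause if negotiation actually removes entries rather than clearing the flag. The enclosing struct sslSocketStr begins and ends outside this hunk.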
@@ -1712,25 +1723,25 @@ extern PRBool ssl_IsDHEEnabled(sslSocket |
#define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \ |
((s <= 1024) ? 160 \ |
: ((s <= 2048) ? 224 \ |
: ((s <= 3072) ? 256 \ |
: ((s <= 7168) ? 384 \ |
: 521 ) ) ) ) |
/* clang-format on */ |
-extern const namedGroupDef *ssl_LookupNamedGroup(SSLNamedGroup group); |
+extern const namedGroupDef *ssl_LookupNamedGroup(sslSocket *ss, SSLNamedGroup group); |
extern PRBool ssl_NamedGroupEnabled(const sslSocket *ss, const namedGroupDef *group); |
extern SECStatus ssl_NamedGroup2ECParams(PLArenaPool *arena, |
const namedGroupDef *curve, |
SECKEYECParams *params); |
extern const namedGroupDef *ssl_ECPubKey2NamedGroup( |
const SECKEYPublicKey *pubKey); |
-extern const namedGroupDef *ssl_GetECGroupWithStrength(PRUint32 curvemsk, |
+extern const namedGroupDef *ssl_GetECGroupWithStrength(sslSocket *ss, |
unsigned int requiredECCbits); |
extern const namedGroupDef *ssl_GetECGroupForServerSocket(sslSocket *ss); |
extern void ssl_DisableNonSuiteBGroups(sslSocket *ss); |
extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on); |
extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on); |
extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on); |
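Review bot: The socket parameter added to ssl_LookupNamedGroup and ssl_GetECGroupWithStrength is `sslSocket *ss`, while the neighbouring ssl_NamedGroupEnabled takes `const sslSocket *ss`, so two lookups that return `const namedGroupDef *` now require a mutable socket. If their implementations only read namedGroupPreferences, as the return type suggests, `extern const namedGroupDef *ssl_LookupNamedGroup(const sslSocket *ss, SSLNamedGroup group);` and the matching `const sslSocket *ss` on ssl_GetECGroupWithStrength would keep the three declarations consistent and avoid forcing callers that hold a const socket to cast. The prototypes here carry no comment on whether the returned pointer aliases the socket's own array; a one-line note on that lifetime would help callers that previously received a pointer into a static table.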