
Unified Diff: lib/ssl/sslimpl.h

Issue 307060043: Named group preferences
Patch Set: Created 7 years, 6 months ago
Index: lib/ssl/sslimpl.h
===================================================================
--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -142,16 +142,19 @@ typedef enum { SSLAppOpRead = 0,
/* The default value from RFC 4347 is 1s, which is too slow. */
#define DTLS_RETRANSMIT_INITIAL_MS 50
/* The maximum time to wait between retransmissions. */
#define DTLS_RETRANSMIT_MAX_MS 10000
/* Time to wait in FINISHED state for retransmissions. */
#define DTLS_RETRANSMIT_FINISHED_MS 30000
+/* number of entries in ssl_named_groups */
+#define SSL_NAMED_GROUP_COUNT 30
+
/* Types and names of elliptic curves used in TLS */
typedef enum {
ec_type_explicitPrime = 1, /* not supported */
ec_type_explicitChar2Curve = 2, /* not supported */
ec_type_named = 3
} ECType;
/* TODO: decide if SSLKEAType might be better here. */
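Review bot: `SSL_NAMED_GROUP_COUNT` is a hand-maintained 30 that, per its own comment, must equal the number of entries in `ssl_named_groups`, and nothing in this hunk ties the two together. The table is not visible here, so this is inferred, but if a group is added or removed without updating the macro, the fixed-size arrays this patch declares with it would be copied or walked with the wrong bound. A compile-time check next to the table definition would catch the drift, e.g. `PR_STATIC_ASSERT(PR_ARRAY_SIZE(ssl_named_groups) == SSL_NAMED_GROUP_COUNT);`.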
@@ -170,16 +173,18 @@ typedef struct {
unsigned int bits;
/* Whether the group is Elliptic or Finite-Field. */
NamedGroupType type;
/* The OID that identifies the group to PKCS11. This also determines
* whether the group is enabled in policy. */
SECOidTag oidTag;
/* Non-suite-B groups are enabled by patching NSS. Yuck. */
PRBool suiteb;
+ /* Defines whether the group is enabled or not */
+ PRBool enabled;
} namedGroupDef;
typedef struct sslBufferStr sslBuffer;
typedef struct sslConnectInfoStr sslConnectInfo;
typedef struct sslGatherStr sslGather;
typedef struct sslSecurityInfoStr sslSecurityInfo;
typedef struct sslSessionIDStr sslSessionID;
typedef struct sslSocketStr sslSocket;
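Review bot: The comment on the new `enabled` field does not say how it relates to the two gates already in this struct: `oidTag`, whose comment says it determines whether the group is enabled in policy, and `suiteb`. A reader cannot tell whether `enabled == PR_TRUE` is enough to offer a group or whether policy is still consulted, and that decides whether a policy-disabled group can end up negotiated. I would spell it out, for example `/* Per-socket preference only; the group is still subject to the policy check on oidTag. */`, adjusted to what the implementation actually does. The struct begins above this hunk.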
@@ -602,17 +607,18 @@ struct sslSessionIDStr {
PRUint32 creationTime; /* seconds since Jan 1, 1970 */
PRUint32 expirationTime; /* seconds since Jan 1, 1970 */
SSLAuthType authType;
PRUint32 authKeyBits;
SSLKEAType keaType;
PRUint32 keaKeyBits;
- PRUint32 namedGroups;
+ namedGroupDef namedGroupPreferences[SSL_NAMED_GROUP_COUNT];
mt 2016/09/14 20:22:05 I'd much prefer if this were const namedGroupDef *
+ PRUint32 namedGroupPreferenceCount;
union {
struct {
/* values that are copied into the server's on-disk SID cache. */
PRUint8 sessionIDLength;
SSL3Opaque sessionID[SSL3_SESSIONID_BYTES];
ssl3CipherSuite cipherSuite;
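Review bot: `namedGroupPreferenceCount` has no documented upper bound, although it is presumably the loop bound for `namedGroupPreferences[SSL_NAMED_GROUP_COUNT]`. Whatever code sets the count (not in this file) should reject values above `SSL_NAMED_GROUP_COUNT`, and the field deserves a comment such as `/* Number of valid entries in namedGroupPreferences; never exceeds SSL_NAMED_GROUP_COUNT. */`. The same pair of fields is added to `sslSocketStr` in the hunk at -1297, so the same applies there. `sslSessionIDStr` starts and ends outside this hunk.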
@@ -1075,17 +1081,17 @@ typedef struct {
struct sslKeyPairStr {
SECKEYPrivateKey *privKey;
SECKEYPublicKey *pubKey;
PRInt32 refCount; /* use PR_Atomic calls for this. */
};
typedef struct {
PRCList link;
- const namedGroupDef *group;
+ namedGroupDef *group;
mt 2016/09/14 20:22:05 const
sslKeyPair *keys;
} sslEphemeralKeyPair;
struct ssl3DHParamsStr {
SSLNamedGroup name;
SECItem prime; /* p */
SECItem base; /* g */
};
@@ -1297,21 +1303,26 @@ struct sslSocketStr {
sslBuffer saveBuf; /*xmitBufLock*/
sslBuffer pendingBuf; /*xmitBufLock*/
/* Configuration state for server sockets */
/* One server cert and key for each authentication type. */
PRCList /* <sslServerCert> */ serverCerts;
ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];
- /* This bit mask determines what EC and FFDHE groups are enabled. This
+
+ /* Pointer to a list of groups that are sorted according to user preferences.
+ * This points to ssl_named_groups by default.
+ * This list also determines which groups are enabled. This
* starts with all being enabled and can be modified either by negotiation
* (in which case groups not supported by a peer are masked off), or by
- * calling SSL_DHEGroupPrefSet(), which will alter the mask for FFDHE. */
- PRUint32 namedGroups;
+ * calling SSL_DHEGroupPrefSet().
+ */
+ namedGroupDef namedGroupPreferences[SSL_NAMED_GROUP_COUNT];
+ PRUint32 namedGroupPreferenceCount;
/* SSL3 state info. Formerly was a pointer */
ssl3State ssl3;
/*
* TLS extension related data.
*/
/* True when the current session is a stateless resume. */
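Review bot: The new comment describes a pointer ("Pointer to a list of groups", "This points to ssl_named_groups by default"), but the field declared under it is an array of `namedGroupDef` held by value, so each socket carries its own copy. That matters to anyone reasoning about whether changing one socket's preferences can affect another socket or the static table. I would reword the opening to `/* Per-socket copy of the named groups, ordered by user preference. */` and say that it is presumably initialized from `ssl_named_groups`. The comment also names only `SSL_DHEGroupPrefSet()` as a way to modify the list; if this patch adds a separate preference setter, it should be mentioned too. `sslSocketStr` continues outside the hunk.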
@@ -1712,25 +1723,25 @@ extern PRBool ssl_IsDHEEnabled(sslSocket
#define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \
((s <= 1024) ? 160 \
: ((s <= 2048) ? 224 \
: ((s <= 3072) ? 256 \
: ((s <= 7168) ? 384 \
: 521 ) ) ) )
/* clang-format on */
-extern const namedGroupDef *ssl_LookupNamedGroup(SSLNamedGroup group);
+extern const namedGroupDef *ssl_LookupNamedGroup(sslSocket *ss, SSLNamedGroup group);
extern PRBool ssl_NamedGroupEnabled(const sslSocket *ss, const namedGroupDef *group);
extern SECStatus ssl_NamedGroup2ECParams(PLArenaPool *arena,
const namedGroupDef *curve,
SECKEYECParams *params);
extern const namedGroupDef *ssl_ECPubKey2NamedGroup(
const SECKEYPublicKey *pubKey);
-extern const namedGroupDef *ssl_GetECGroupWithStrength(PRUint32 curvemsk,
+extern const namedGroupDef *ssl_GetECGroupWithStrength(sslSocket *ss,
unsigned int requiredECCbits);
extern const namedGroupDef *ssl_GetECGroupForServerSocket(sslSocket *ss);
extern void ssl_DisableNonSuiteBGroups(sslSocket *ss);
extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
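Review bot: `ssl_LookupNamedGroup` and `ssl_GetECGroupWithStrength` now take a mutable `sslSocket *ss`, while the neighbouring `ssl_NamedGroupEnabled` takes `const sslSocket *ss`. If the two functions only read the socket's preference list, which their names suggest but the definitions are not shown here, the parameter should be const as well: `extern const namedGroupDef *ssl_LookupNamedGroup(const sslSocket *ss, SSLNamedGroup group);`. The prototypes would also benefit from a one-line comment stating that the lookup is now scoped to the groups configured on `ss` rather than the global table, since that changes which groups a caller can get back.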
