Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(520)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/patches/aesgcm.patch

Issue 111853013: Update net/third_party/nss to NSS 3.15.4. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Update the comment in sslenum.c for the two CHACHA20 cipher suites Created 6 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/third_party/nss/README.chromium ('k') | net/third_party/nss/patches/aesgcmchromium.patch » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 Index: net/third_party/nss/ssl/sslinfo.c
2 ===================================================================
3 --- net/third_party/nss/ssl/sslinfo.c (revision 217715)
4 +++ net/third_party/nss/ssl/sslinfo.c (working copy)
5 @@ -109,7 +109,7 @@
6 #define K_ECDHE "ECDHE", kt_ecdh
7
8 #define C_SEED "SEED", calg_seed
9 -#define C_CAMELLIA "CAMELLIA", calg_camellia
10 +#define C_CAMELLIA "CAMELLIA", calg_camellia
11 #define C_AES "AES", calg_aes
12 #define C_RC4 "RC4", calg_rc4
13 #define C_RC2 "RC2", calg_rc2
14 @@ -117,6 +117,7 @@
15 #define C_3DES "3DES", calg_3des
16 #define C_NULL "NULL", calg_null
17 #define C_SJ "SKIPJACK", calg_sj
18 +#define C_AESGCM "AES-GCM", calg_aes_gcm
19
20 #define B_256 256, 256, 256
21 #define B_128 128, 128, 128
22 @@ -127,12 +128,16 @@
23 #define B_40 128, 40, 40
24 #define B_0 0, 0, 0
25
26 +#define M_AEAD_128 "AEAD", ssl_mac_aead, 128
27 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256
28 #define M_SHA "SHA1", ssl_mac_sha, 160
29 #define M_MD5 "MD5", ssl_mac_md5, 128
30 +#define M_NULL "NULL", ssl_mac_null, 0
31
32 static const SSLCipherSuiteInfo suiteInfo[] = {
33 /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC> <FIPS> */
34 +{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_ AEAD_128, 1, 0, 0, },
35 +
36 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
37 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
38 {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA 256, 1, 0, 0, },
39 @@ -146,6 +151,7 @@
40 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
41 {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA , 0, 0, 0, },
42 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA 256, 1, 0, 0, },
43 +{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_ AEAD_128, 1, 0, 0, },
44 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA , 1, 0, 0, },
45 {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA , 1, 0, 0, },
46 {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA , 1, 0, 0, },
47 @@ -175,6 +181,9 @@
48
49 #ifdef NSS_ENABLE_ECC
50 /* ECC cipher suites */
51 +{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
52 +{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_1 28, M_AEAD_128, 1, 0, 0, },
53 +
54 {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_S HA, 0, 0, 0, },
55 {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_ SHA, 0, 0, 0, },
56 {0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
57 Index: net/third_party/nss/ssl/sslimpl.h
58 ===================================================================
59 --- net/third_party/nss/ssl/sslimpl.h (revision 217715)
60 +++ net/third_party/nss/ssl/sslimpl.h (working copy)
61 @@ -64,6 +64,7 @@
62 #define calg_aes ssl_calg_aes
63 #define calg_camellia ssl_calg_camellia
64 #define calg_seed ssl_calg_seed
65 +#define calg_aes_gcm ssl_calg_aes_gcm
66
67 #define mac_null ssl_mac_null
68 #define mac_md5 ssl_mac_md5
69 @@ -71,6 +72,7 @@
70 #define hmac_md5 ssl_hmac_md5
71 #define hmac_sha ssl_hmac_sha
72 #define hmac_sha256 ssl_hmac_sha256
73 +#define mac_aead ssl_mac_aead
74
75 #define SET_ERROR_CODE /* reminder */
76 #define SEND_ALERT /* reminder */
77 @@ -290,9 +292,9 @@
78 } ssl3CipherSuiteCfg;
79
80 #ifdef NSS_ENABLE_ECC
81 -#define ssl_V3_SUITES_IMPLEMENTED 57
82 +#define ssl_V3_SUITES_IMPLEMENTED 61
83 #else
84 -#define ssl_V3_SUITES_IMPLEMENTED 35
85 +#define ssl_V3_SUITES_IMPLEMENTED 37
86 #endif /* NSS_ENABLE_ECC */
87
88 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
89 @@ -440,20 +442,6 @@
90 #define GS_DATA 3
91 #define GS_PAD 4
92
93 -typedef SECStatus (*SSLCipher)(void * context,
94 - unsigned char * out,
95 - int * outlen,
96 - int maxout,
97 - const unsigned char *in,
98 - int inlen);
99 -typedef SECStatus (*SSLCompressor)(void * context,
100 - unsigned char * out,
101 - int * outlen,
102 - int maxout,
103 - const unsigned char *in,
104 - int inlen);
105 -typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
106 -
107 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32)
108 typedef PCERT_KEY_CONTEXT PlatformKey;
109 #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX)
110 @@ -485,11 +473,12 @@
111 cipher_camellia_128,
112 cipher_camellia_256,
113 cipher_seed,
114 + cipher_aes_128_gcm,
115 cipher_missing /* reserved for no such supported cipher */
116 /* This enum must match ssl3_cipherName[] in ssl3con.c. */
117 } SSL3BulkCipher;
118
119 -typedef enum { type_stream, type_block } CipherType;
120 +typedef enum { type_stream, type_block, type_aead } CipherType;
121
122 #define MAX_IV_LENGTH 24
123
124 @@ -531,6 +520,30 @@
125 PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS];
126 } ssl3KeyMaterial;
127
128 +typedef SECStatus (*SSLCipher)(void * context,
129 + unsigned char * out,
130 + int * outlen,
131 + int maxout,
132 + const unsigned char *in,
133 + int inlen);
134 +typedef SECStatus (*SSLAEADCipher)(
135 + ssl3KeyMaterial * keys,
136 + PRBool doDecrypt,
137 + unsigned char * out,
138 + int * outlen,
139 + int maxout,
140 + const unsigned char *in,
141 + int inlen,
142 + const unsigned char *additionalData,
143 + int additionalDataLen);
144 +typedef SECStatus (*SSLCompressor)(void * context,
145 + unsigned char * out,
146 + int * outlen,
147 + int maxout,
148 + const unsigned char *in,
149 + int inlen);
150 +typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
151 +
152 /* The DTLS anti-replay window. Defined here because we need it in
153 * the cipher spec. Note that this is a ring buffer but left and
154 * right represent the true window, with modular arithmetic used to
155 @@ -557,6 +570,7 @@
156 int mac_size;
157 SSLCipher encode;
158 SSLCipher decode;
159 + SSLAEADCipher aead;
160 SSLDestroy destroy;
161 void * encodeContext;
162 void * decodeContext;
163 @@ -706,8 +720,6 @@
164 PRBool tls_keygen;
165 } ssl3KEADef;
166
167 -typedef enum { kg_null, kg_strong, kg_export } SSL3KeyGenMode;
168 -
169 /*
170 ** There are tables of these, all const.
171 */
172 @@ -719,7 +731,8 @@
173 CipherType type;
174 int iv_size;
175 int block_size;
176 - SSL3KeyGenMode keygen_mode;
177 + int tag_size; /* authentication tag size for AEAD ciphers. */
178 + int explicit_nonce_size; /* for AEAD ciphers. */
179 };
180
181 /*
182 Index: net/third_party/nss/ssl/ssl3ecc.c
183 ===================================================================
184 --- net/third_party/nss/ssl/ssl3ecc.c (revision 217715)
185 +++ net/third_party/nss/ssl/ssl3ecc.c (working copy)
186 @@ -911,6 +911,7 @@
187 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
188 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
189 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
190 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
191 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
192 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
193 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
194 @@ -921,6 +922,7 @@
195 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
196 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
197 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
198 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
199 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
200 TLS_ECDHE_RSA_WITH_NULL_SHA,
201 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
202 @@ -932,12 +934,14 @@
203 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
204 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
205 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
206 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
207 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
208 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
209 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
210 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
211 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
212 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
213 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
214 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
215 TLS_ECDHE_RSA_WITH_NULL_SHA,
216 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
217 Index: net/third_party/nss/ssl/sslsock.c
218 ===================================================================
219 --- net/third_party/nss/ssl/sslsock.c (revision 217715)
220 +++ net/third_party/nss/ssl/sslsock.c (working copy)
221 @@ -67,8 +67,10 @@
222 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
223 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
224 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
225 + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
226 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
227 { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
228 + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
229 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
230 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
231 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
232 @@ -94,6 +96,7 @@
233 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
234 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
235 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
236 + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
237 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
238 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
239 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
240 @@ -105,6 +108,7 @@
241 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
242 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
243 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
244 + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
245 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
246 #endif /* NSS_ENABLE_ECC */
247 { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
248 Index: net/third_party/nss/ssl/ssl3con.c
249 ===================================================================
250 --- net/third_party/nss/ssl/ssl3con.c (revision 217715)
251 +++ net/third_party/nss/ssl/ssl3con.c (working copy)
252 @@ -78,6 +78,13 @@
253 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
254 int maxOutputLen, const unsigned char *input,
255 int inputLen);
256 +#ifndef NO_PKCS11_BYPASS
257 +static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
258 + unsigned char *out, int *outlen, int maxout,
259 + const unsigned char *in, int inlen,
260 + const unsigned char *additionalData,
261 + int additionalDataLen);
262 +#endif
263
264 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
265 #define MIN_SEND_BUF_LENGTH 4000
266 @@ -90,6 +97,13 @@
267 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
268 /* cipher_suite policy enabled is_present* /
269 #ifdef NSS_ENABLE_ECC
270 + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
271 + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
272 +#endif /* NSS_ENABLE_ECC */
273 + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
274 + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
275 +
276 +#ifdef NSS_ENABLE_ECC
277 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
278 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
279 #endif /* NSS_ENABLE_ECC */
280 @@ -233,23 +247,30 @@
281
282 /* indexed by SSL3BulkCipher */
283 static const ssl3BulkCipherDef bulk_cipher_defs[] = {
284 - /* cipher calg keySz secretSz type ivSz BlkSz keygen */
285 - {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null},
286 - {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong},
287 - {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export},
288 - {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export},
289 - {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong},
290 - {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export},
291 - {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong},
292 - {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong},
293 - {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export},
294 - {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong},
295 - {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong},
296 - {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong},
297 - {cipher_camellia_128, calg_camellia,16, 16, type_block, 16,16, kg_strong},
298 - {cipher_camellia_256, calg_camellia,32, 32, type_block, 16,16, kg_strong},
299 - {cipher_seed, calg_seed, 16, 16, type_block, 16,16, kg_strong},
300 - {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null},
301 + /* |--------- Lengths --------| */
302 + /* cipher calg k s type i b t n */
303 + /* e e v l a o */
304 + /* y c | o g n */
305 + /* | r | c | c */
306 + /* | e | k | e */
307 + /* | t | | | | */
308 + {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
309 + {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0},
310 + {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0},
311 + {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0},
312 + {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0},
313 + {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0},
314 + {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0},
315 + {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0},
316 + {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0},
317 + {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0},
318 + {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0},
319 + {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0},
320 + {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0},
321 + {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0},
322 + {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0},
323 + {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8},
324 + {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
325 };
326
327 static const ssl3KEADef kea_defs[] =
328 @@ -371,6 +392,11 @@
329 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
330 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
331
332 + {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe _rsa},
333 + {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
334 + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_e cdhe_rsa},
335 + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea _ecdhe_ecdsa},
336 +
337 #ifdef NSS_ENABLE_ECC
338 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa} ,
339 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa} ,
340 @@ -434,25 +460,29 @@
341 { calg_aes , CKM_AES_CBC },
342 { calg_camellia , CKM_CAMELLIA_CBC },
343 { calg_seed , CKM_SEED_CBC },
344 + { calg_aes_gcm , CKM_AES_GCM },
345 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
346 };
347
348 -#define mmech_null (CK_MECHANISM_TYPE)0x80000000L
349 +#define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L
350 #define mmech_md5 CKM_SSL3_MD5_MAC
351 #define mmech_sha CKM_SSL3_SHA1_MAC
352 #define mmech_md5_hmac CKM_MD5_HMAC
353 #define mmech_sha_hmac CKM_SHA_1_HMAC
354 #define mmech_sha256_hmac CKM_SHA256_HMAC
355 +#define mmech_sha384_hmac CKM_SHA384_HMAC
356 +#define mmech_sha512_hmac CKM_SHA512_HMAC
357
358 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
359 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
360 /* mac mmech pad_size mac_size */
361 - { mac_null, mmech_null, 0, 0 },
362 + { mac_null, mmech_invalid, 0, 0 },
363 { mac_md5, mmech_md5, 48, MD5_LENGTH },
364 { mac_sha, mmech_sha, 40, SHA1_LENGTH},
365 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH },
366 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
367 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
368 + { mac_aead, mmech_invalid, 0, 0 },
369 };
370
371 /* indexed by SSL3BulkCipher */
372 @@ -472,6 +502,7 @@
373 "Camellia-128",
374 "Camellia-256",
375 "SEED-CBC",
376 + "AES-128-GCM",
377 "missing"
378 };
379
380 @@ -598,9 +629,13 @@
381 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
382 case TLS_RSA_WITH_AES_256_CBC_SHA256:
383 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
384 + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
385 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
386 + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
387 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
388 + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
389 case TLS_RSA_WITH_AES_128_CBC_SHA256:
390 + case TLS_RSA_WITH_AES_128_GCM_SHA256:
391 case TLS_RSA_WITH_NULL_SHA256:
392 return version >= SSL_LIBRARY_VERSION_TLS_1_2;
393 default:
394 @@ -1360,7 +1395,7 @@
395 cipher = suite_def->bulk_cipher_alg;
396 kea = suite_def->key_exchange_alg;
397 mac = suite_def->mac_alg;
398 - if (mac <= ssl_mac_sha && isTLS)
399 + if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS)
400 mac += 2;
401
402 ss->ssl3.hs.suite_def = suite_def;
403 @@ -1554,7 +1589,6 @@
404 unsigned int optArg2 = 0;
405 PRBool server_encrypts = ss->sec.isServer;
406 SSLCipherAlgorithm calg;
407 - SSLCompressionMethod compression_method;
408 SECStatus rv;
409
410 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
411 @@ -1565,8 +1599,18 @@
412 cipher_def = pwSpec->cipher_def;
413
414 calg = cipher_def->calg;
415 - compression_method = pwSpec->compression_method;
416
417 + if (calg == calg_aes_gcm) {
418 + pwSpec->encode = NULL;
419 + pwSpec->decode = NULL;
420 + pwSpec->destroy = NULL;
421 + pwSpec->encodeContext = NULL;
422 + pwSpec->decodeContext = NULL;
423 + pwSpec->aead = ssl3_AESGCMBypass;
424 + ssl3_InitCompressionContext(pwSpec);
425 + return SECSuccess;
426 + }
427 +
428 serverContext = pwSpec->server.cipher_context;
429 clientContext = pwSpec->client.cipher_context;
430
431 @@ -1721,6 +1765,195 @@
432 return param;
433 }
434
435 +/* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data
436 + * which is included in the MAC or AEAD additional data) to |out| and returns
437 + * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
438 + * definition of the AEAD additional data.
439 + *
440 + * TLS pseudo-header includes the record's version field, SSL's doesn't. Which
441 + * pseudo-header defintiion to use should be decided based on the version of
442 + * the protocol that was negotiated when the cipher spec became current, NOT
443 + * based on the version value in the record itself, and the decision is passed
444 + * to this function as the |includesVersion| argument. But, the |version|
445 + * argument should be the record's version value.
446 + */
447 +static unsigned int
448 +ssl3_BuildRecordPseudoHeader(unsigned char *out,
449 + SSL3SequenceNumber seq_num,
450 + SSL3ContentType type,
451 + PRBool includesVersion,
452 + SSL3ProtocolVersion version,
453 + PRBool isDTLS,
454 + int length)
455 +{
456 + out[0] = (unsigned char)(seq_num.high >> 24);
457 + out[1] = (unsigned char)(seq_num.high >> 16);
458 + out[2] = (unsigned char)(seq_num.high >> 8);
459 + out[3] = (unsigned char)(seq_num.high >> 0);
460 + out[4] = (unsigned char)(seq_num.low >> 24);
461 + out[5] = (unsigned char)(seq_num.low >> 16);
462 + out[6] = (unsigned char)(seq_num.low >> 8);
463 + out[7] = (unsigned char)(seq_num.low >> 0);
464 + out[8] = type;
465 +
466 + /* SSL3 MAC doesn't include the record's version field. */
467 + if (!includesVersion) {
468 + out[9] = MSB(length);
469 + out[10] = LSB(length);
470 + return 11;
471 + }
472 +
473 + /* TLS MAC and AEAD additional data include version. */
474 + if (isDTLS) {
475 + SSL3ProtocolVersion dtls_version;
476 +
477 + dtls_version = dtls_TLSVersionToDTLSVersion(version);
478 + out[9] = MSB(dtls_version);
479 + out[10] = LSB(dtls_version);
480 + } else {
481 + out[9] = MSB(version);
482 + out[10] = LSB(version);
483 + }
484 + out[11] = MSB(length);
485 + out[12] = LSB(length);
486 + return 13;
487 +}
488 +
489 +static SECStatus
490 +ssl3_AESGCM(ssl3KeyMaterial *keys,
491 + PRBool doDecrypt,
492 + unsigned char *out,
493 + int *outlen,
494 + int maxout,
495 + const unsigned char *in,
496 + int inlen,
497 + const unsigned char *additionalData,
498 + int additionalDataLen)
499 +{
500 + SECItem param;
501 + SECStatus rv = SECFailure;
502 + unsigned char nonce[12];
503 + unsigned int uOutLen;
504 + CK_GCM_PARAMS gcmParams;
505 +
506 + static const int tagSize = 16;
507 + static const int explicitNonceLen = 8;
508 +
509 + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
510 + * nonce is formed. */
511 + memcpy(nonce, keys->write_iv, 4);
512 + if (doDecrypt) {
513 + memcpy(nonce + 4, in, explicitNonceLen);
514 + in += explicitNonceLen;
515 + inlen -= explicitNonceLen;
516 + *outlen = 0;
517 + } else {
518 + if (maxout < explicitNonceLen) {
519 + PORT_SetError(SEC_ERROR_INPUT_LEN);
520 + return SECFailure;
521 + }
522 + /* Use the 64-bit sequence number as the explicit nonce. */
523 + memcpy(nonce + 4, additionalData, explicitNonceLen);
524 + memcpy(out, additionalData, explicitNonceLen);
525 + out += explicitNonceLen;
526 + maxout -= explicitNonceLen;
527 + *outlen = explicitNonceLen;
528 + }
529 +
530 + param.type = siBuffer;
531 + param.data = (unsigned char *) &gcmParams;
532 + param.len = sizeof(gcmParams);
533 + gcmParams.pIv = nonce;
534 + gcmParams.ulIvLen = sizeof(nonce);
535 + gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
536 + gcmParams.ulAADLen = additionalDataLen;
537 + gcmParams.ulTagBits = tagSize * 8;
538 +
539 + if (doDecrypt) {
540 + rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
541 + maxout, in, inlen);
542 + } else {
543 + rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
544 + maxout, in, inlen);
545 + }
546 + *outlen += (int) uOutLen;
547 +
548 + return rv;
549 +}
550 +
551 +#ifndef NO_PKCS11_BYPASS
552 +static SECStatus
553 +ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
554 + PRBool doDecrypt,
555 + unsigned char *out,
556 + int *outlen,
557 + int maxout,
558 + const unsigned char *in,
559 + int inlen,
560 + const unsigned char *additionalData,
561 + int additionalDataLen)
562 +{
563 + SECStatus rv = SECFailure;
564 + unsigned char nonce[12];
565 + unsigned int uOutLen;
566 + AESContext *cx;
567 + CK_GCM_PARAMS gcmParams;
568 +
569 + static const int tagSize = 16;
570 + static const int explicitNonceLen = 8;
571 +
572 + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
573 + * nonce is formed. */
574 + PORT_Assert(keys->write_iv_item.len == 4);
575 + if (keys->write_iv_item.len != 4) {
576 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
577 + return SECFailure;
578 + }
579 + memcpy(nonce, keys->write_iv_item.data, 4);
580 + if (doDecrypt) {
581 + memcpy(nonce + 4, in, explicitNonceLen);
582 + in += explicitNonceLen;
583 + inlen -= explicitNonceLen;
584 + *outlen = 0;
585 + } else {
586 + if (maxout < explicitNonceLen) {
587 + PORT_SetError(SEC_ERROR_INPUT_LEN);
588 + return SECFailure;
589 + }
590 + /* Use the 64-bit sequence number as the explicit nonce. */
591 + memcpy(nonce + 4, additionalData, explicitNonceLen);
592 + memcpy(out, additionalData, explicitNonceLen);
593 + out += explicitNonceLen;
594 + maxout -= explicitNonceLen;
595 + *outlen = explicitNonceLen;
596 + }
597 +
598 + gcmParams.pIv = nonce;
599 + gcmParams.ulIvLen = sizeof(nonce);
600 + gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
601 + gcmParams.ulAADLen = additionalDataLen;
602 + gcmParams.ulTagBits = tagSize * 8;
603 +
604 + cx = (AESContext *)keys->cipher_context;
605 + rv = AES_InitContext(cx, keys->write_key_item.data,
606 + keys->write_key_item.len,
607 + (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt,
608 + AES_BLOCK_SIZE);
609 + if (rv != SECSuccess) {
610 + return rv;
611 + }
612 + if (doDecrypt) {
613 + rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen);
614 + } else {
615 + rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen);
616 + }
617 + AES_DestroyContext(cx, PR_FALSE);
618 + *outlen += (int) uOutLen;
619 +
620 + return rv;
621 +}
622 +#endif
623 +
624 /* Initialize encryption and MAC contexts for pending spec.
625 * Master Secret already is derived.
626 * Caller holds Spec write lock.
627 @@ -1748,14 +1981,27 @@
628 pwSpec = ss->ssl3.pwSpec;
629 cipher_def = pwSpec->cipher_def;
630 macLength = pwSpec->mac_size;
631 + calg = cipher_def->calg;
632 + PORT_Assert(alg2Mech[calg].calg == calg);
633
634 + pwSpec->client.write_mac_context = NULL;
635 + pwSpec->server.write_mac_context = NULL;
636 +
637 + if (calg == calg_aes_gcm) {
638 + pwSpec->encode = NULL;
639 + pwSpec->decode = NULL;
640 + pwSpec->destroy = NULL;
641 + pwSpec->encodeContext = NULL;
642 + pwSpec->decodeContext = NULL;
643 + pwSpec->aead = ssl3_AESGCM;
644 + return SECSuccess;
645 + }
646 +
647 /*
648 ** Now setup the MAC contexts,
649 ** crypto contexts are setup below.
650 */
651
652 - pwSpec->client.write_mac_context = NULL;
653 - pwSpec->server.write_mac_context = NULL;
654 mac_mech = pwSpec->mac_def->mmech;
655 mac_param.data = (unsigned char *)&macLength;
656 mac_param.len = sizeof(macLength);
657 @@ -1778,9 +2024,6 @@
658 ** Now setup the crypto contexts.
659 */
660
661 - calg = cipher_def->calg;
662 - PORT_Assert(alg2Mech[calg].calg == calg);
663 -
664 if (calg == calg_null) {
665 pwSpec->encode = Null_Cipher;
666 pwSpec->decode = Null_Cipher;
667 @@ -1988,10 +2231,8 @@
668 ssl3_ComputeRecordMAC(
669 ssl3CipherSpec * spec,
670 PRBool useServerMacKey,
671 - PRBool isDTLS,
672 - SSL3ContentType type,
673 - SSL3ProtocolVersion version,
674 - SSL3SequenceNumber seq_num,
675 + const unsigned char *header,
676 + unsigned int headerLen,
677 const SSL3Opaque * input,
678 int inputLength,
679 unsigned char * outbuf,
680 @@ -1999,56 +2240,8 @@
681 {
682 const ssl3MACDef * mac_def;
683 SECStatus rv;
684 -#ifndef NO_PKCS11_BYPASS
685 - PRBool isTLS;
686 -#endif
687 - unsigned int tempLen;
688 - unsigned char temp[MAX_MAC_LENGTH];
689
690 - temp[0] = (unsigned char)(seq_num.high >> 24);
691 - temp[1] = (unsigned char)(seq_num.high >> 16);
692 - temp[2] = (unsigned char)(seq_num.high >> 8);
693 - temp[3] = (unsigned char)(seq_num.high >> 0);
694 - temp[4] = (unsigned char)(seq_num.low >> 24);
695 - temp[5] = (unsigned char)(seq_num.low >> 16);
696 - temp[6] = (unsigned char)(seq_num.low >> 8);
697 - temp[7] = (unsigned char)(seq_num.low >> 0);
698 - temp[8] = type;
699 -
700 - /* TLS MAC includes the record's version field, SSL's doesn't.
701 - ** We decide which MAC defintiion to use based on the version of
702 - ** the protocol that was negotiated when the spec became current,
703 - ** NOT based on the version value in the record itself.
704 - ** But, we use the record'v version value in the computation.
705 - */
706 - if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
707 - temp[9] = MSB(inputLength);
708 - temp[10] = LSB(inputLength);
709 - tempLen = 11;
710 -#ifndef NO_PKCS11_BYPASS
711 - isTLS = PR_FALSE;
712 -#endif
713 - } else {
714 - /* New TLS hash includes version. */
715 - if (isDTLS) {
716 - SSL3ProtocolVersion dtls_version;
717 -
718 - dtls_version = dtls_TLSVersionToDTLSVersion(version);
719 - temp[9] = MSB(dtls_version);
720 - temp[10] = LSB(dtls_version);
721 - } else {
722 - temp[9] = MSB(version);
723 - temp[10] = LSB(version);
724 - }
725 - temp[11] = MSB(inputLength);
726 - temp[12] = LSB(inputLength);
727 - tempLen = 13;
728 -#ifndef NO_PKCS11_BYPASS
729 - isTLS = PR_TRUE;
730 -#endif
731 - }
732 -
733 - PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
734 + PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen));
735 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
736
737 mac_def = spec->mac_def;
738 @@ -2093,7 +2286,10 @@
739 return SECFailure;
740 }
741
742 - if (!isTLS) {
743 + if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
744 + unsigned int tempLen;
745 + unsigned char temp[MAX_MAC_LENGTH];
746 +
747 /* compute "inner" part of SSL3 MAC */
748 hashObj->begin(write_mac_context);
749 if (useServerMacKey)
750 @@ -2105,7 +2301,7 @@
751 spec->client.write_mac_key_item.data,
752 spec->client.write_mac_key_item.len);
753 hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
754 - hashObj->update(write_mac_context, temp, tempLen);
755 + hashObj->update(write_mac_context, header, headerLen);
756 hashObj->update(write_mac_context, input, inputLength);
757 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp);
758
759 @@ -2136,7 +2332,7 @@
760 }
761 if (rv == SECSuccess) {
762 HMAC_Begin(cx);
763 - HMAC_Update(cx, temp, tempLen);
764 + HMAC_Update(cx, header, headerLen);
765 HMAC_Update(cx, input, inputLength);
766 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
767 HMAC_Destroy(cx, PR_FALSE);
768 @@ -2150,7 +2346,7 @@
769 (useServerMacKey ? spec->server.write_mac_context
770 : spec->client.write_mac_context);
771 rv = PK11_DigestBegin(mac_context);
772 - rv |= PK11_DigestOp(mac_context, temp, tempLen);
773 + rv |= PK11_DigestOp(mac_context, header, headerLen);
774 rv |= PK11_DigestOp(mac_context, input, inputLength);
775 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
776 }
777 @@ -2190,10 +2386,8 @@
778 ssl3_ComputeRecordMACConstantTime(
779 ssl3CipherSpec * spec,
780 PRBool useServerMacKey,
781 - PRBool isDTLS,
782 - SSL3ContentType type,
783 - SSL3ProtocolVersion version,
784 - SSL3SequenceNumber seq_num,
785 + const unsigned char *header,
786 + unsigned int headerLen,
787 const SSL3Opaque * input,
788 int inputLen,
789 int originalLen,
790 @@ -2205,9 +2399,7 @@
791 PK11Context * mac_context;
792 SECItem param;
793 SECStatus rv;
794 - unsigned char header[13];
795 PK11SymKey * key;
796 - int recordLength;
797
798 PORT_Assert(inputLen >= spec->mac_size);
799 PORT_Assert(originalLen >= inputLen);
800 @@ -2223,42 +2415,15 @@
801 return SECSuccess;
802 }
803
804 - header[0] = (unsigned char)(seq_num.high >> 24);
805 - header[1] = (unsigned char)(seq_num.high >> 16);
806 - header[2] = (unsigned char)(seq_num.high >> 8);
807 - header[3] = (unsigned char)(seq_num.high >> 0);
808 - header[4] = (unsigned char)(seq_num.low >> 24);
809 - header[5] = (unsigned char)(seq_num.low >> 16);
810 - header[6] = (unsigned char)(seq_num.low >> 8);
811 - header[7] = (unsigned char)(seq_num.low >> 0);
812 - header[8] = type;
813 -
814 macType = CKM_NSS_HMAC_CONSTANT_TIME;
815 - recordLength = inputLen - spec->mac_size;
816 if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
817 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME;
818 - header[9] = recordLength >> 8;
819 - header[10] = recordLength;
820 - params.ulHeaderLen = 11;
821 - } else {
822 - if (isDTLS) {
823 - SSL3ProtocolVersion dtls_version;
824 -
825 - dtls_version = dtls_TLSVersionToDTLSVersion(version);
826 - header[9] = dtls_version >> 8;
827 - header[10] = dtls_version;
828 - } else {
829 - header[9] = version >> 8;
830 - header[10] = version;
831 - }
832 - header[11] = recordLength >> 8;
833 - header[12] = recordLength;
834 - params.ulHeaderLen = 13;
835 }
836
837 params.macAlg = spec->mac_def->mmech;
838 params.ulBodyTotalLen = originalLen;
839 - params.pHeader = header;
840 + params.pHeader = (unsigned char *) header; /* const cast */
841 + params.ulHeaderLen = headerLen;
842
843 param.data = (unsigned char*) &params;
844 param.len = sizeof(params);
845 @@ -2291,9 +2456,8 @@
846 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the
847 * length already. */
848 inputLen -= spec->mac_size;
849 - return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type,
850 - version, seq_num, input, inputLen,
851 - outbuf, outLen);
852 + return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen,
853 + input, inputLen, outbuf, outLen);
854 }
855
856 static PRBool
857 @@ -2345,6 +2509,8 @@
858 PRUint16 headerLen;
859 int ivLen = 0;
860 int cipherBytes = 0;
861 + unsigned char pseudoHeader[13];
862 + unsigned int pseudoHeaderLen;
863
864 cipher_def = cwSpec->cipher_def;
865 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
866 @@ -2390,86 +2556,117 @@
867 contentLen = outlen;
868 }
869
870 - /*
871 - * Add the MAC
872 - */
873 - rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
874 - type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
875 - wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
876 - if (rv != SECSuccess) {
877 - ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
878 - return SECFailure;
879 - }
880 - p1Len = contentLen;
881 - p2Len = macLen;
882 - fragLen = contentLen + macLen; /* needs to be encrypted */
883 - PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
884 + pseudoHeaderLen = ssl3_BuildRecordPseudoHeader(
885 + pseudoHeader, cwSpec->write_seq_num, type,
886 + cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version,
887 + isDTLS, contentLen);
888 + PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader));
889 + if (cipher_def->type == type_aead) {
890 + const int nonceLen = cipher_def->explicit_nonce_size;
891 + const int tagLen = cipher_def->tag_size;
892
893 - /*
894 - * Pad the text (if we're doing a block cipher)
895 - * then Encrypt it
896 - */
897 - if (cipher_def->type == type_block) {
898 - unsigned char * pBuf;
899 - int padding_length;
900 - int i;
901 + if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) {
902 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
903 + return SECFailure;
904 + }
905
906 - oddLen = contentLen % cipher_def->block_size;
907 - /* Assume blockSize is a power of two */
908 - padding_length = cipher_def->block_size - 1 -
909 - ((fragLen) & (cipher_def->block_size - 1));
910 - fragLen += padding_length + 1;
911 - PORT_Assert((fragLen % cipher_def->block_size) == 0);
912 -
913 - /* Pad according to TLS rules (also acceptable to SSL3). */
914 - pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
915 - for (i = padding_length + 1; i > 0; --i) {
916 - *pBuf-- = padding_length;
917 + cipherBytes = contentLen;
918 + rv = cwSpec->aead(
919 + isServer ? &cwSpec->server : &cwSpec->client,
920 + PR_FALSE, /* do encrypt */
921 + wrBuf->buf + headerLen, /* output */
922 + &cipherBytes, /* out len */
923 + wrBuf->space - headerLen, /* max out */
924 + pIn, contentLen, /* input */
925 + pseudoHeader, pseudoHeaderLen);
926 + if (rv != SECSuccess) {
927 + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
928 + return SECFailure;
929 }
930 - /* now, if contentLen is not a multiple of block size, fix it */
931 - p2Len = fragLen - p1Len;
932 - }
933 - if (p1Len < 256) {
934 - oddLen = p1Len;
935 - p1Len = 0;
936 } else {
937 - p1Len -= oddLen;
938 - }
939 - if (oddLen) {
940 - p2Len += oddLen;
941 - PORT_Assert( (cipher_def->block_size < 2) || \
942 - (p2Len % cipher_def->block_size) == 0);
943 - memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen);
944 - }
945 - if (p1Len > 0) {
946 - int cipherBytesPart1 = -1;
947 - rv = cwSpec->encode( cwSpec->encodeContext,
948 - wrBuf->buf + headerLen + ivLen, /* output */
949 - &cipherBytesPart1, /* actual outlen */
950 - p1Len, /* max outlen */
951 - pIn, p1Len); /* input, and inputlen */
952 - PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
953 - if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
954 - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
955 + /*
956 + * Add the MAC
957 + */
958 + rv = ssl3_ComputeRecordMAC(cwSpec, isServer,
959 + pseudoHeader, pseudoHeaderLen, pIn, contentLen,
960 + wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
961 + if (rv != SECSuccess) {
962 + ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
963 return SECFailure;
964 }
965 - cipherBytes += cipherBytesPart1;
966 + p1Len = contentLen;
967 + p2Len = macLen;
968 + fragLen = contentLen + macLen; /* needs to be encrypted */
969 + PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
970 +
971 + /*
972 + * Pad the text (if we're doing a block cipher)
973 + * then Encrypt it
974 + */
975 + if (cipher_def->type == type_block) {
976 + unsigned char * pBuf;
977 + int padding_length;
978 + int i;
979 +
980 + oddLen = contentLen % cipher_def->block_size;
981 + /* Assume blockSize is a power of two */
982 + padding_length = cipher_def->block_size - 1 -
983 + ((fragLen) & (cipher_def->block_size - 1));
984 + fragLen += padding_length + 1;
985 + PORT_Assert((fragLen % cipher_def->block_size) == 0);
986 +
987 + /* Pad according to TLS rules (also acceptable to SSL3). */
988 + pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
989 + for (i = padding_length + 1; i > 0; --i) {
990 + *pBuf-- = padding_length;
991 + }
992 + /* now, if contentLen is not a multiple of block size, fix it */
993 + p2Len = fragLen - p1Len;
994 + }
995 + if (p1Len < 256) {
996 + oddLen = p1Len;
997 + p1Len = 0;
998 + } else {
999 + p1Len -= oddLen;
1000 + }
1001 + if (oddLen) {
1002 + p2Len += oddLen;
1003 + PORT_Assert( (cipher_def->block_size < 2) || \
1004 + (p2Len % cipher_def->block_size) == 0);
1005 + memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len,
1006 + oddLen);
1007 + }
1008 + if (p1Len > 0) {
1009 + int cipherBytesPart1 = -1;
1010 + rv = cwSpec->encode( cwSpec->encodeContext,
1011 + wrBuf->buf + headerLen + ivLen, /* output */
1012 + &cipherBytesPart1, /* actual outlen */
1013 + p1Len, /* max outlen */
1014 + pIn, p1Len); /* input, and inputlen */
1015 + PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
1016 + if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
1017 + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
1018 + return SECFailure;
1019 + }
1020 + cipherBytes += cipherBytesPart1;
1021 + }
1022 + if (p2Len > 0) {
1023 + int cipherBytesPart2 = -1;
1024 + rv = cwSpec->encode( cwSpec->encodeContext,
1025 + wrBuf->buf + headerLen + ivLen + p1Len,
1026 + &cipherBytesPart2, /* output and actual outLen */
1027 + p2Len, /* max outlen */
1028 + wrBuf->buf + headerLen + ivLen + p1Len,
1029 + p2Len); /* input and inputLen*/
1030 + PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
1031 + if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
1032 + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
1033 + return SECFailure;
1034 + }
1035 + cipherBytes += cipherBytesPart2;
1036 + }
1037 }
1038 - if (p2Len > 0) {
1039 - int cipherBytesPart2 = -1;
1040 - rv = cwSpec->encode( cwSpec->encodeContext,
1041 - wrBuf->buf + headerLen + ivLen + p1Len,
1042 - &cipherBytesPart2, /* output and actual outLen */
1043 - p2Len, /* max outlen */
1044 - wrBuf->buf + headerLen + ivLen + p1Len,
1045 - p2Len); /* input and inputLen*/
1046 - PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
1047 - if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
1048 - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
1049 - return SECFailure;
1050 - }
1051 - cipherBytes += cipherBytesPart2;
1052 - }
1053 +
1054 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
1055
1056 wrBuf->len = cipherBytes + headerLen;
1057 @@ -3012,9 +3209,6 @@
1058 static SECStatus
1059 ssl3_IllegalParameter(sslSocket *ss)
1060 {
1061 - PRBool isTLS;
1062 -
1063 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
1064 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
1065 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
1066 : SSL_ERROR_BAD_SERVER );
1067 @@ -3538,7 +3732,6 @@
1068 }
1069
1070 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
1071 - /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
1072
1073 key_material_params.RandomInfo.pClientRandom = cr;
1074 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
1075 @@ -9946,7 +10139,6 @@
1076 static void
1077 ssl3_RecordKeyLog(sslSocket *ss)
1078 {
1079 - sslSessionID *sid;
1080 SECStatus rv;
1081 SECItem *keyData;
1082 char buf[14 /* "CLIENT_RANDOM " */ +
1083 @@ -9958,8 +10150,6 @@
1084
1085 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
1086
1087 - sid = ss->sec.ci.sid;
1088 -
1089 if (!ssl_keylog_iob)
1090 return;
1091
1092 @@ -11095,6 +11285,8 @@
1093 unsigned int originalLen = 0;
1094 unsigned int good;
1095 unsigned int minLength;
1096 + unsigned char header[13];
1097 + unsigned int headerLen;
1098
1099 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
1100
1101 @@ -11171,12 +11363,14 @@
1102 /* With >= TLS 1.1, CBC records have an explicit IV. */
1103 minLength += cipher_def->iv_size;
1104 }
1105 + } else if (cipher_def->type == type_aead) {
1106 + minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size;
1107 }
1108
1109 /* We can perform this test in variable time because the record's total
1110 * length and the ciphersuite are both public knowledge. */
1111 if (cText->buf->len < minLength) {
1112 - goto decrypt_loser;
1113 + goto decrypt_loser;
1114 }
1115
1116 if (cipher_def->type == type_block &&
1117 @@ -11244,78 +11438,104 @@
1118 return SECFailure;
1119 }
1120
1121 - if (cipher_def->type == type_block &&
1122 - ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
1123 - goto decrypt_loser;
1124 - }
1125 + rType = cText->type;
1126 + if (cipher_def->type == type_aead) {
1127 + /* XXX For many AEAD ciphers, the plaintext is shorter than the
1128 + * ciphertext by a fixed byte count, but it is not true in general.
1129 + * Each AEAD cipher should provide a function that returns the
1130 + * plaintext length for a given ciphertext. */
1131 + unsigned int decryptedLen =
1132 + cText->buf->len - cipher_def->explicit_nonce_size -
1133 + cipher_def->tag_size;
1134 + headerLen = ssl3_BuildRecordPseudoHeader(
1135 + header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
1136 + rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen);
1137 + PORT_Assert(headerLen <= sizeof(header));
1138 + rv = crSpec->aead(
1139 + ss->sec.isServer ? &crSpec->client : &crSpec->server,
1140 + PR_TRUE, /* do decrypt */
1141 + plaintext->buf, /* out */
1142 + (int*) &plaintext->len, /* outlen */
1143 + plaintext->space, /* maxout */
1144 + cText->buf->buf, /* in */
1145 + cText->buf->len, /* inlen */
1146 + header, headerLen);
1147 + if (rv != SECSuccess) {
1148 + good = 0;
1149 + }
1150 + } else {
1151 + if (cipher_def->type == type_block &&
1152 + ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
1153 + goto decrypt_loser;
1154 + }
1155
1156 - /* decrypt from cText buf to plaintext. */
1157 - rv = crSpec->decode(
1158 - crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
1159 - plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
1160 - if (rv != SECSuccess) {
1161 - goto decrypt_loser;
1162 - }
1163 + /* decrypt from cText buf to plaintext. */
1164 + rv = crSpec->decode(
1165 + crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
1166 + plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
1167 + if (rv != SECSuccess) {
1168 + goto decrypt_loser;
1169 + }
1170
1171 - PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
1172 + PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
1173
1174 - originalLen = plaintext->len;
1175 + originalLen = plaintext->len;
1176
1177 - /* If it's a block cipher, check and strip the padding. */
1178 - if (cipher_def->type == type_block) {
1179 - const unsigned int blockSize = cipher_def->block_size;
1180 - const unsigned int macSize = crSpec->mac_size;
1181 + /* If it's a block cipher, check and strip the padding. */
1182 + if (cipher_def->type == type_block) {
1183 + const unsigned int blockSize = cipher_def->block_size;
1184 + const unsigned int macSize = crSpec->mac_size;
1185
1186 - if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
1187 - good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
1188 - plaintext, blockSize, macSize));
1189 - } else {
1190 - good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
1191 - plaintext, macSize));
1192 + if (!isTLS) {
1193 + good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
1194 + plaintext, blockSize, macSize));
1195 + } else {
1196 + good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
1197 + plaintext, macSize));
1198 + }
1199 }
1200 - }
1201
1202 - /* compute the MAC */
1203 - rType = cText->type;
1204 - if (cipher_def->type == type_block) {
1205 - rv = ssl3_ComputeRecordMACConstantTime(
1206 - crSpec, (PRBool)(!ss->sec.isServer),
1207 - IS_DTLS(ss), rType, cText->version,
1208 - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
1209 - plaintext->buf, plaintext->len, originalLen,
1210 - hash, &hashBytes);
1211 + /* compute the MAC */
1212 + headerLen = ssl3_BuildRecordPseudoHeader(
1213 + header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
1214 + rType, isTLS, cText->version, IS_DTLS(ss),
1215 + plaintext->len - crSpec->mac_size);
1216 + PORT_Assert(headerLen <= sizeof(header));
1217 + if (cipher_def->type == type_block) {
1218 + rv = ssl3_ComputeRecordMACConstantTime(
1219 + crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
1220 + plaintext->buf, plaintext->len, originalLen,
1221 + hash, &hashBytes);
1222
1223 - ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
1224 - crSpec->mac_size);
1225 - givenHash = givenHashBuf;
1226 + ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
1227 + crSpec->mac_size);
1228 + givenHash = givenHashBuf;
1229
1230 - /* plaintext->len will always have enough space to remove the MAC
1231 - * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
1232 - * plaintext->len if the result has enough space for the MAC and we
1233 - * tested the unadjusted size against minLength, above. */
1234 - plaintext->len -= crSpec->mac_size;
1235 - } else {
1236 - /* This is safe because we checked the minLength above. */
1237 - plaintext->len -= crSpec->mac_size;
1238 + /* plaintext->len will always have enough space to remove the MAC
1239 + * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
1240 + * plaintext->len if the result has enough space for the MAC and we
1241 + * tested the unadjusted size against minLength, above. */
1242 + plaintext->len -= crSpec->mac_size;
1243 + } else {
1244 + /* This is safe because we checked the minLength above. */
1245 + plaintext->len -= crSpec->mac_size;
1246
1247 - rv = ssl3_ComputeRecordMAC(
1248 - crSpec, (PRBool)(!ss->sec.isServer),
1249 - IS_DTLS(ss), rType, cText->version,
1250 - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
1251 - plaintext->buf, plaintext->len,
1252 - hash, &hashBytes);
1253 + rv = ssl3_ComputeRecordMAC(
1254 + crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
1255 + plaintext->buf, plaintext->len, hash, &hashBytes);
1256
1257 - /* We can read the MAC directly from the record because its location is
1258 - * public when a stream cipher is used. */
1259 - givenHash = plaintext->buf + plaintext->len;
1260 - }
1261 + /* We can read the MAC directly from the record because its location
1262 + * is public when a stream cipher is used. */
1263 + givenHash = plaintext->buf + plaintext->len;
1264 + }
1265
1266 - good &= SECStatusToMask(rv);
1267 + good &= SECStatusToMask(rv);
1268
1269 - if (hashBytes != (unsigned)crSpec->mac_size ||
1270 - NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
1271 - /* We're allowed to leak whether or not the MAC check was correct */
1272 - good = 0;
1273 + if (hashBytes != (unsigned)crSpec->mac_size ||
1274 + NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
1275 + /* We're allowed to leak whether or not the MAC check was correct */
1276 + good = 0;
1277 + }
1278 }
1279
1280 if (good == 0) {
1281 Index: net/third_party/nss/ssl/sslenum.c
1282 ===================================================================
1283 --- net/third_party/nss/ssl/sslenum.c (revision 217715)
1284 +++ net/third_party/nss/ssl/sslenum.c (working copy)
1285 @@ -29,6 +29,14 @@
1286 * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
1287 */
1288 const PRUint16 SSL_ImplementedCiphers[] = {
1289 + /* AES-GCM */
1290 +#ifdef NSS_ENABLE_ECC
1291 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1292 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1293 +#endif /* NSS_ENABLE_ECC */
1294 + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
1295 + TLS_RSA_WITH_AES_128_GCM_SHA256,
1296 +
1297 /* 256-bit */
1298 #ifdef NSS_ENABLE_ECC
1299 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1300 Index: net/third_party/nss/ssl/sslproto.h
1301 ===================================================================
1302 --- net/third_party/nss/ssl/sslproto.h (revision 217715)
1303 +++ net/third_party/nss/ssl/sslproto.h (working copy)
1304 @@ -162,6 +162,10 @@
1305
1306 #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096
1307
1308 +#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
1309 +#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
1310 +#define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2
1311 +
1312 /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client.
1313 * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending
1314 * back an empty Renegotiation Info (RI) server hello extension.
1315 @@ -204,6 +208,11 @@
1316 #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
1317 #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
1318
1319 +#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
1320 +#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
1321 +#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
1322 +#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
1323 +
1324 /* Netscape "experimental" cipher suites. */
1325 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
1326 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
1327 Index: net/third_party/nss/ssl/sslt.h
1328 ===================================================================
1329 --- net/third_party/nss/ssl/sslt.h (revision 217715)
1330 +++ net/third_party/nss/ssl/sslt.h (working copy)
1331 @@ -91,9 +91,10 @@
1332 ssl_calg_3des = 4,
1333 ssl_calg_idea = 5,
1334 ssl_calg_fortezza = 6, /* deprecated, now unused */
1335 - ssl_calg_aes = 7, /* coming soon */
1336 + ssl_calg_aes = 7,
1337 ssl_calg_camellia = 8,
1338 - ssl_calg_seed = 9
1339 + ssl_calg_seed = 9,
1340 + ssl_calg_aes_gcm = 10
1341 } SSLCipherAlgorithm;
1342
1343 typedef enum {
1344 @@ -102,7 +103,8 @@
1345 ssl_mac_sha = 2,
1346 ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */
1347 ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */
1348 - ssl_hmac_sha256 = 5
1349 + ssl_hmac_sha256 = 5,
1350 + ssl_mac_aead = 6
1351 } SSLMACAlgorithm;
1352
1353 typedef enum {
1354 @@ -158,6 +160,9 @@
1355 PRUint16 effectiveKeyBits;
1356
1357 /* MAC info */
1358 + /* AEAD ciphers don't have a MAC. For an AEAD cipher, macAlgorithmName
1359 + * is "AEAD", macAlgorithm is ssl_mac_aead, and macBits is the length in
1360 + * bits of the authentication tag. */
1361 const char * macAlgorithmName;
1362 SSLMACAlgorithm macAlgorithm;
1363 PRUint16 macBits;
OLDNEW
« no previous file with comments | « net/third_party/nss/README.chromium ('k') | net/third_party/nss/patches/aesgcmchromium.patch » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698