Make CKM_AES_GCM usable.

mozilla/security/nss/lib/freebl/gcm.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 #include "blapii.h"
 #include "blapit.h"
 #include "gcm.h"
@@ skipping 212 matching lines @@
     if (len != blocksize) {
         PORT_Memset(X,0,blocksize-len);
         X += blocksize-len;
     }
 
     err = mp_to_unsigned_octets(&ghash->X, X, len);
     if (err < 0) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
-    gcm_reverse(T, X, blocksize);
+    gcm_reverse(T, tmp_buf, blocksize);

[wtc, 2013/03/26 18:24:46]

The original code passes |X| as the second argument. Note that
|X| may be incremented on line 225, which is necessary for
the mp_to_unsigned_octets call on line 228 but would be wrong
for the gcm_reverse call.

If both the AAD and plaintext are zero-length, we will
encounter this bug. For other inputs, it seems that we have
a probability of at least 1/256 to encounter this bug (if
the logical first byte of ghash->X is 0). 

[wtc, 2013/03/26 18:41:56]

If this bug in gcm_getX() only affects the zero-length AAD
and plaintext case, then I can look into bypassing the
pk11wrap layer and using the NSS softoken directly.

But I am worried that for other inputs we may still have a
1/256 probability of encountering this bug. If so, we
won't be able to use QUIC's AES GCM encrypter and decrypter
on any Linux computer (because NSS 3.15 hasn't been released
yet).

     return SECSuccess;
 }
 
 static SECStatus
 gcm_HashMult(gcmHashContext *ghash, const unsigned char *buf,
                 unsigned int count, unsigned int blocksize)
 {
     SECStatus rv = SECFailure;
     mp_err err = MP_OKAY;
     unsigned char tmp_buf[MAX_BLOCK_SIZE];
@@ skipping 324 matching lines @@
     PORT_Memset(ghash->counterBuf, 0, GCM_HASH_LEN_LEN*2);
     ghash->bufLen = 0;
     gcm_zeroX(ghash);
 
     /* now kick things off by hashing the Additional Authenticated Data */
     if (AADLen != 0) {
         rv = gcmHash_Update(ghash, AAD, AADLen, blocksize);
         if (rv != SECSuccess) {
             return SECFailure;
         }
-        rv = gcmHash_Sync(ghash, blocksize);
-        if (rv != SECSuccess) {
-            return SECFailure;
-        }
     }
+    rv = gcmHash_Sync(ghash, blocksize);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }

[wtc, 2013/03/26 18:24:46]

This change is not necessary (because ghash->counterBuf is
initialized to all zeros on line 568, which happens to be
the encoding of a zero length), but I think it makes the
code easier to understand.

     return SECSuccess;
 }
 
 /**************************************************************************
  *           Now implement the GCM using gcmHash and CTR                  *
  **************************************************************************/
 
 /* state to handle the full GCM operation (hash and counter) */
 struct GCMContextStr {
     gcmHashContext ghash_context;
@@ skipping 242 matching lines @@
      * preserve the masked off missing bits.  */
     if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
         /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
         PORT_SetError(SEC_ERROR_BAD_DATA);
         return SECFailure;
     }
     /* finish the decryption */
     return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
                           inbuf, inlen, blocksize);
 }