Uprev NSS (in libssl) to NSS 3.21

net/third_party/nss/patches/chacha20poly1305.patch

-diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c
-index dabe333..6819b03 100644
---- a/ssl/ssl3con.c
-+++ b/ssl/ssl3con.c
-@@ -41,6 +41,21 @@
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+index 299e414..2533679 100644
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -43,6 +43,21 @@
  #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
  #endif
  
 +/* This is a bodge to allow this code to be compiled against older NSS
 + * headers. */
 +#ifndef CKM_NSS_CHACHA20_POLY1305
 +#define CKM_NSS_CHACHA20_POLY1305               (CKM_NSS + 26)
 +
 +typedef struct CK_NSS_AEAD_PARAMS {
 +    CK_BYTE_PTR  pIv;  /* This is the nonce. */
 +    CK_ULONG     ulIvLen;
 +    CK_BYTE_PTR  pAAD;
 +    CK_ULONG     ulAADLen;
 +    CK_ULONG     ulTagLen;
 +} CK_NSS_AEAD_PARAMS;
 +
 +#endif
 +
  #include <stdio.h>
  #ifdef NSS_ENABLE_ZLIB
  #include "zlib.h"
-@@ -105,6 +120,8 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+@@ -110,6 +125,8 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
     /*      cipher_suite                     policy       enabled   isPresent */
  
  #ifndef NSS_DISABLE_ECC
 + { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,  SSL_ALLOWED, PR_FALSE, PR_FALSE},
 + { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
     /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
-@@ -296,6 +313,7 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = {
+@@ -307,6 +324,7 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = {
      {cipher_camellia_256, calg_camellia,    32,32, type_block, 16,16, 0, 0},
      {cipher_seed,         calg_seed,        16,16, type_block, 16,16, 0, 0},
      {cipher_aes_128_gcm,  calg_aes_gcm,     16,16, type_aead,   4, 0,16, 8},
 +    {cipher_chacha20,     calg_chacha20,    32,32, type_aead,   0, 0,16, 0},
      {cipher_missing,      calg_null,         0, 0, type_stream, 0, 0, 0, 0},
  };
  
-@@ -422,6 +440,8 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] =
+@@ -433,6 +451,8 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] =
      {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
      {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
      {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
 +    {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_rsa},
 +    {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa},
  
- #ifndef NSS_DISABLE_ECC
-     {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
-@@ -487,6 +507,7 @@ static const SSLCipher2Mech alg2Mech[] = {
+     {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss},
+     {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss},
+@@ -502,6 +522,7 @@ static const SSLCipher2Mech alg2Mech[] = {
      { calg_camellia , CKM_CAMELLIA_CBC                 },
      { calg_seed     , CKM_SEED_CBC                     },
      { calg_aes_gcm  , CKM_AES_GCM                      },
 +    { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305                },
  /*  { calg_init     , (CK_MECHANISM_TYPE)0x7fffffffL    }  */
  };
  
-@@ -662,6 +683,8 @@ ssl3_CipherSuiteAllowedForVersionRange(
+@@ -679,6 +700,8 @@ ssl3_CipherSuiteAllowedForVersionRange(
      case TLS_RSA_WITH_NULL_SHA256:
          return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2;
  
 +    case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
 +    case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
      case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
      case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
      case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
-@@ -2070,6 +2093,46 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
+@@ -2093,6 +2116,46 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
  }
  #endif
  
 +static SECStatus
 +ssl3_ChaCha20Poly1305(
 +       ssl3KeyMaterial *keys,
 +       PRBool doDecrypt,
 +       unsigned char *out,
 +       int *outlen,
 +       int maxout,
@@ skipping 26 matching lines @@
 +                         out, &uOutLen, maxout, in, inlen);
 +    }
 +    *outlen = (int) uOutLen;
 +
 +    return rv;
 +}
 +
  /* Initialize encryption and MAC contexts for pending spec.
   * Master Secret already is derived.
   * Caller holds Spec write lock.
-@@ -2103,13 +2166,17 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss)
+@@ -2126,13 +2189,17 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss)
      pwSpec->client.write_mac_context = NULL;
      pwSpec->server.write_mac_context = NULL;
  
 -    if (calg == calg_aes_gcm) {
 +    if (calg == calg_aes_gcm || calg == calg_chacha20) {
         pwSpec->encode = NULL;
         pwSpec->decode = NULL;
         pwSpec->destroy = NULL;
         pwSpec->encodeContext = NULL;
         pwSpec->decodeContext = NULL;
 -       pwSpec->aead = ssl3_AESGCM;
 +       if (calg == calg_aes_gcm) {
 +           pwSpec->aead = ssl3_AESGCM;
 +       } else {
 +           pwSpec->aead = ssl3_ChaCha20Poly1305;
 +       }
         return SECSuccess;
      }
  
-diff --git a/ssl/ssl3ecc.c b/ssl/ssl3ecc.c
-index 9b91270..31e0774 100644
---- a/ssl/ssl3ecc.c
-+++ b/ssl/ssl3ecc.c
-@@ -921,6 +921,7 @@ static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
+diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c
+index cf8e741..ab5ab14 100644
+--- a/lib/ssl/ssl3ecc.c
++++ b/lib/ssl/ssl3ecc.c
+@@ -926,6 +926,7 @@ static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 +    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
      TLS_ECDHE_ECDSA_WITH_NULL_SHA,
      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
      0 /* end of list marker */
-@@ -932,6 +933,7 @@ static const ssl3CipherSuite ecdhe_rsa_suites[] = {
+@@ -937,6 +938,7 @@ static const ssl3CipherSuite ecdhe_rsa_suites[] = {
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 +    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
      TLS_ECDHE_RSA_WITH_NULL_SHA,
      TLS_ECDHE_RSA_WITH_RC4_128_SHA,
      0 /* end of list marker */
-@@ -944,6 +946,7 @@ static const ssl3CipherSuite ecSuites[] = {
+@@ -949,6 +951,7 @@ static const ssl3CipherSuite ecSuites[] = {
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 +    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
      TLS_ECDHE_ECDSA_WITH_NULL_SHA,
      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-@@ -951,6 +954,7 @@ static const ssl3CipherSuite ecSuites[] = {
+@@ -956,6 +959,7 @@ static const ssl3CipherSuite ecSuites[] = {
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 +    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
      TLS_ECDHE_RSA_WITH_NULL_SHA,
      TLS_ECDHE_RSA_WITH_RC4_128_SHA,
      TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-diff --git a/ssl/sslenum.c b/ssl/sslenum.c
-index 09ce43f..a036627 100644
---- a/ssl/sslenum.c
-+++ b/ssl/sslenum.c
+diff --git a/lib/ssl/sslenum.c b/lib/ssl/sslenum.c
+index f69aed2..b4a8844 100644
+--- a/lib/ssl/sslenum.c
++++ b/lib/ssl/sslenum.c
 @@ -37,17 +37,21 @@
   *
   * Exception: Because some servers ignore the high-order byte of the cipher
   * suite ID, we must be careful about adding cipher suites with IDs larger
 - * than 0x00ff; see bug 946147. For these broken servers, the first four cipher
 + * than 0x00ff; see bug 946147. For these broken servers, the first six cipher
   * suites, with the MSB zeroed, look like:
 + *      TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA { 0x00,0x14 }
 + *      TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }
   *      TLS_KRB5_EXPORT_WITH_RC4_40_MD5 { 0x00,0x2B }
   *      TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }
   *      TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
   *      TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
 - * The broken server only supports the third and fourth ones and will select
 - * the third one.
 + * The broken server only supports the fifth and sixth ones and will select
 + * the fifth one.
   */
  const PRUint16 SSL_ImplementedCiphers[] = {
  #ifndef NSS_DISABLE_ECC
 +    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 +    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
-diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h
-index ea71975..88b2eba 100644
---- a/ssl/sslimpl.h
-+++ b/ssl/sslimpl.h
-@@ -65,6 +65,7 @@ typedef SSLSignType     SSL3SignType;
+diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
+index 60dd243..d5f326f 100644
+--- a/lib/ssl/sslimpl.h
++++ b/lib/ssl/sslimpl.h
+@@ -66,6 +66,7 @@ typedef SSLSignType     SSL3SignType;
  #define calg_camellia  ssl_calg_camellia
  #define calg_seed      ssl_calg_seed
  #define calg_aes_gcm    ssl_calg_aes_gcm
 +#define calg_chacha20  ssl_calg_chacha20
  
  #define mac_null       ssl_mac_null
  #define mac_md5        ssl_mac_md5
-@@ -299,7 +300,7 @@ typedef struct {
+@@ -301,7 +302,7 @@ typedef struct {
  } ssl3CipherSuiteCfg;
  
  #ifndef NSS_DISABLE_ECC
--#define ssl_V3_SUITES_IMPLEMENTED 61
-+#define ssl_V3_SUITES_IMPLEMENTED 63
+-#define ssl_V3_SUITES_IMPLEMENTED 64
++#define ssl_V3_SUITES_IMPLEMENTED 66
  #else
- #define ssl_V3_SUITES_IMPLEMENTED 37
+ #define ssl_V3_SUITES_IMPLEMENTED 40
  #endif /* NSS_DISABLE_ECC */
-@@ -485,6 +486,7 @@ typedef enum {
+@@ -495,6 +496,7 @@ typedef enum {
      cipher_camellia_256,
      cipher_seed,
      cipher_aes_128_gcm,
 +    cipher_chacha20,
      cipher_missing              /* reserved for no such supported cipher */
      /* This enum must match ssl3_cipherName[] in ssl3con.c.  */
  } SSL3BulkCipher;
-diff --git a/ssl/sslinfo.c b/ssl/sslinfo.c
-index ba230d2..845d9f0 100644
---- a/ssl/sslinfo.c
-+++ b/ssl/sslinfo.c
-@@ -110,6 +110,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
+diff --git a/lib/ssl/sslinfo.c b/lib/ssl/sslinfo.c
+index 7048eb8..bef3190 100644
+--- a/lib/ssl/sslinfo.c
++++ b/lib/ssl/sslinfo.c
+@@ -148,6 +148,7 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd,
  #define C_NULL  "NULL", calg_null
  #define C_SJ   "SKIPJACK", calg_sj
  #define C_AESGCM "AES-GCM", calg_aes_gcm
 +#define C_CHACHA20 "CHACHA20POLY1305", calg_chacha20
  
  #define B_256  256, 256, 256
  #define B_128  128, 128, 128
-@@ -188,12 +189,14 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
+@@ -229,12 +230,14 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
  {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA),  S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
  {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
  {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),  S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
 +{0,CS(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305),S_ECDSA,K_ECDHE,C_CHACHA20,B_256,M_AEAD_128,0, 0, 0, },
  
  {0,CS(TLS_ECDH_RSA_WITH_NULL_SHA),            S_RSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
  {0,CS(TLS_ECDH_RSA_WITH_RC4_128_SHA),         S_RSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
  {0,CS(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA),    S_RSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
  {0,CS(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA),     S_RSA, K_ECDH, C_AES, B_128, M_SHA, 1, 0, 0, },
  {0,CS(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA),     S_RSA, K_ECDH, C_AES, B_256, M_SHA, 1, 0, 0, },
 +{0,CS(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305),  S_RSA,K_ECDHE,C_CHACHA20,B_256,M_AEAD_128, 0, 0, 0, },
  
  {0,CS(TLS_ECDHE_RSA_WITH_NULL_SHA),           S_RSA, K_ECDHE, C_NULL, B_0, M_SHA, 0, 0, 0, },
  {0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA),        S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
-diff --git a/ssl/sslproto.h b/ssl/sslproto.h
-index e02442c..dc653c9 100644
---- a/ssl/sslproto.h
-+++ b/ssl/sslproto.h
-@@ -258,6 +258,9 @@
+diff --git a/lib/ssl/sslproto.h b/lib/ssl/sslproto.h
+index 2db47a5..36ae6c9 100644
+--- a/lib/ssl/sslproto.h
++++ b/lib/ssl/sslproto.h
+@@ -260,6 +260,9 @@
  #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   0xC02F
  #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256    0xC031
  
 +#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305   0xCC13
 +#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 0xCC14
 +
  /* Netscape "experimental" cipher suites. */
  #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA   0xffe0
  #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA        0xffe1
-diff --git a/ssl/sslt.h b/ssl/sslt.h
-index 430d216..fe0ad07 100644
---- a/ssl/sslt.h
-+++ b/ssl/sslt.h
-@@ -94,7 +94,8 @@ typedef enum {
+diff --git a/lib/ssl/sslt.h b/lib/ssl/sslt.h
+index 5593579..a2eff62 100644
+--- a/lib/ssl/sslt.h
++++ b/lib/ssl/sslt.h
+@@ -117,7 +117,8 @@ typedef enum {
      ssl_calg_aes      = 7,
      ssl_calg_camellia = 8,
      ssl_calg_seed     = 9,
 -    ssl_calg_aes_gcm  = 10
 +    ssl_calg_aes_gcm  = 10,
 +    ssl_calg_chacha20 = 11
  } SSLCipherAlgorithm;
  
  typedef enum {