OLD | NEW |
| (Empty) |
1 diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c | |
2 index 299e414..2533679 100644 | |
3 --- a/lib/ssl/ssl3con.c | |
4 +++ b/lib/ssl/ssl3con.c | |
5 @@ -43,6 +43,21 @@ | |
6 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) | |
7 #endif | |
8 | |
9 +/* This is a bodge to allow this code to be compiled against older NSS | |
10 + * headers. */ | |
11 +#ifndef CKM_NSS_CHACHA20_POLY1305 | |
12 +#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26) | |
13 + | |
14 +typedef struct CK_NSS_AEAD_PARAMS { | |
15 + CK_BYTE_PTR pIv; /* This is the nonce. */ | |
16 + CK_ULONG ulIvLen; | |
17 + CK_BYTE_PTR pAAD; | |
18 + CK_ULONG ulAADLen; | |
19 + CK_ULONG ulTagLen; | |
20 +} CK_NSS_AEAD_PARAMS; | |
21 + | |
22 +#endif | |
23 + | |
24 #include <stdio.h> | |
25 #ifdef NSS_ENABLE_ZLIB | |
26 #include "zlib.h" | |
27 @@ -110,6 +125,8 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEME
NTED] = { | |
28 /* cipher_suite policy enabled isPresent */ | |
29 | |
30 #ifndef NSS_DISABLE_ECC | |
31 + { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | |
32 + { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE}, | |
33 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | |
34 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, | |
35 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around | |
36 @@ -307,6 +324,7 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = { | |
37 {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, | |
38 {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, | |
39 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, | |
40 + {cipher_chacha20, calg_chacha20, 32,32, type_aead, 0, 0,16, 0}, | |
41 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, | |
42 }; | |
43 | |
44 @@ -433,6 +451,8 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] = | |
45 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, | |
46 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_e
cdhe_rsa}, | |
47 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea
_ecdhe_ecdsa}, | |
48 + {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe
_rsa}, | |
49 + {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecd
he_ecdsa}, | |
50 | |
51 {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe
_dss}, | |
52 {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_
dss}, | |
53 @@ -502,6 +522,7 @@ static const SSLCipher2Mech alg2Mech[] = { | |
54 { calg_camellia , CKM_CAMELLIA_CBC }, | |
55 { calg_seed , CKM_SEED_CBC }, | |
56 { calg_aes_gcm , CKM_AES_GCM }, | |
57 + { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305 }, | |
58 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ | |
59 }; | |
60 | |
61 @@ -679,6 +700,8 @@ ssl3_CipherSuiteAllowedForVersionRange( | |
62 case TLS_RSA_WITH_NULL_SHA256: | |
63 return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2; | |
64 | |
65 + case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: | |
66 + case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: | |
67 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: | |
68 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: | |
69 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: | |
70 @@ -2093,6 +2116,46 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys, | |
71 } | |
72 #endif | |
73 | |
74 +static SECStatus | |
75 +ssl3_ChaCha20Poly1305( | |
76 + ssl3KeyMaterial *keys, | |
77 + PRBool doDecrypt, | |
78 + unsigned char *out, | |
79 + int *outlen, | |
80 + int maxout, | |
81 + const unsigned char *in, | |
82 + int inlen, | |
83 + const unsigned char *additionalData, | |
84 + int additionalDataLen) | |
85 +{ | |
86 + SECItem param; | |
87 + SECStatus rv = SECFailure; | |
88 + unsigned int uOutLen; | |
89 + CK_NSS_AEAD_PARAMS aeadParams; | |
90 + static const int tagSize = 16; | |
91 + | |
92 + param.type = siBuffer; | |
93 + param.len = sizeof(aeadParams); | |
94 + param.data = (unsigned char *) &aeadParams; | |
95 + memset(&aeadParams, 0, sizeof(aeadParams)); | |
96 + aeadParams.pIv = (unsigned char *) additionalData; | |
97 + aeadParams.ulIvLen = 8; | |
98 + aeadParams.pAAD = (unsigned char *) additionalData; | |
99 + aeadParams.ulAADLen = additionalDataLen; | |
100 + aeadParams.ulTagLen = tagSize; | |
101 + | |
102 + if (doDecrypt) { | |
103 + rv = pk11_decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m, | |
104 + out, &uOutLen, maxout, in, inlen); | |
105 + } else { | |
106 + rv = pk11_encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m, | |
107 + out, &uOutLen, maxout, in, inlen); | |
108 + } | |
109 + *outlen = (int) uOutLen; | |
110 + | |
111 + return rv; | |
112 +} | |
113 + | |
114 /* Initialize encryption and MAC contexts for pending spec. | |
115 * Master Secret already is derived. | |
116 * Caller holds Spec write lock. | |
117 @@ -2126,13 +2189,17 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss) | |
118 pwSpec->client.write_mac_context = NULL; | |
119 pwSpec->server.write_mac_context = NULL; | |
120 | |
121 - if (calg == calg_aes_gcm) { | |
122 + if (calg == calg_aes_gcm || calg == calg_chacha20) { | |
123 pwSpec->encode = NULL; | |
124 pwSpec->decode = NULL; | |
125 pwSpec->destroy = NULL; | |
126 pwSpec->encodeContext = NULL; | |
127 pwSpec->decodeContext = NULL; | |
128 - pwSpec->aead = ssl3_AESGCM; | |
129 + if (calg == calg_aes_gcm) { | |
130 + pwSpec->aead = ssl3_AESGCM; | |
131 + } else { | |
132 + pwSpec->aead = ssl3_ChaCha20Poly1305; | |
133 + } | |
134 return SECSuccess; | |
135 } | |
136 | |
137 diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c | |
138 index cf8e741..ab5ab14 100644 | |
139 --- a/lib/ssl/ssl3ecc.c | |
140 +++ b/lib/ssl/ssl3ecc.c | |
141 @@ -926,6 +926,7 @@ static const ssl3CipherSuite ecdhe_ecdsa_suites[] = { | |
142 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, | |
143 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | |
144 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, | |
145 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | |
146 TLS_ECDHE_ECDSA_WITH_NULL_SHA, | |
147 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, | |
148 0 /* end of list marker */ | |
149 @@ -937,6 +938,7 @@ static const ssl3CipherSuite ecdhe_rsa_suites[] = { | |
150 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, | |
151 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |
152 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, | |
153 + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | |
154 TLS_ECDHE_RSA_WITH_NULL_SHA, | |
155 TLS_ECDHE_RSA_WITH_RC4_128_SHA, | |
156 0 /* end of list marker */ | |
157 @@ -949,6 +951,7 @@ static const ssl3CipherSuite ecSuites[] = { | |
158 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, | |
159 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | |
160 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, | |
161 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | |
162 TLS_ECDHE_ECDSA_WITH_NULL_SHA, | |
163 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, | |
164 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, | |
165 @@ -956,6 +959,7 @@ static const ssl3CipherSuite ecSuites[] = { | |
166 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, | |
167 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |
168 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, | |
169 + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | |
170 TLS_ECDHE_RSA_WITH_NULL_SHA, | |
171 TLS_ECDHE_RSA_WITH_RC4_128_SHA, | |
172 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, | |
173 diff --git a/lib/ssl/sslenum.c b/lib/ssl/sslenum.c | |
174 index f69aed2..b4a8844 100644 | |
175 --- a/lib/ssl/sslenum.c | |
176 +++ b/lib/ssl/sslenum.c | |
177 @@ -37,17 +37,21 @@ | |
178 * | |
179 * Exception: Because some servers ignore the high-order byte of the cipher | |
180 * suite ID, we must be careful about adding cipher suites with IDs larger | |
181 - * than 0x00ff; see bug 946147. For these broken servers, the first four cipher | |
182 + * than 0x00ff; see bug 946147. For these broken servers, the first six cipher | |
183 * suites, with the MSB zeroed, look like: | |
184 + * TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA { 0x00,0x14 } | |
185 + * TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 } | |
186 * TLS_KRB5_EXPORT_WITH_RC4_40_MD5 { 0x00,0x2B } | |
187 * TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F } | |
188 * TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A } | |
189 * TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 } | |
190 - * The broken server only supports the third and fourth ones and will select | |
191 - * the third one. | |
192 + * The broken server only supports the fifth and sixth ones and will select | |
193 + * the fifth one. | |
194 */ | |
195 const PRUint16 SSL_ImplementedCiphers[] = { | |
196 #ifndef NSS_DISABLE_ECC | |
197 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | |
198 + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | |
199 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | |
200 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |
201 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before | |
202 diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h | |
203 index 60dd243..d5f326f 100644 | |
204 --- a/lib/ssl/sslimpl.h | |
205 +++ b/lib/ssl/sslimpl.h | |
206 @@ -66,6 +66,7 @@ typedef SSLSignType SSL3SignType; | |
207 #define calg_camellia ssl_calg_camellia | |
208 #define calg_seed ssl_calg_seed | |
209 #define calg_aes_gcm ssl_calg_aes_gcm | |
210 +#define calg_chacha20 ssl_calg_chacha20 | |
211 | |
212 #define mac_null ssl_mac_null | |
213 #define mac_md5 ssl_mac_md5 | |
214 @@ -301,7 +302,7 @@ typedef struct { | |
215 } ssl3CipherSuiteCfg; | |
216 | |
217 #ifndef NSS_DISABLE_ECC | |
218 -#define ssl_V3_SUITES_IMPLEMENTED 64 | |
219 +#define ssl_V3_SUITES_IMPLEMENTED 66 | |
220 #else | |
221 #define ssl_V3_SUITES_IMPLEMENTED 40 | |
222 #endif /* NSS_DISABLE_ECC */ | |
223 @@ -495,6 +496,7 @@ typedef enum { | |
224 cipher_camellia_256, | |
225 cipher_seed, | |
226 cipher_aes_128_gcm, | |
227 + cipher_chacha20, | |
228 cipher_missing /* reserved for no such supported cipher */ | |
229 /* This enum must match ssl3_cipherName[] in ssl3con.c. */ | |
230 } SSL3BulkCipher; | |
231 diff --git a/lib/ssl/sslinfo.c b/lib/ssl/sslinfo.c | |
232 index 7048eb8..bef3190 100644 | |
233 --- a/lib/ssl/sslinfo.c | |
234 +++ b/lib/ssl/sslinfo.c | |
235 @@ -148,6 +148,7 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd, | |
236 #define C_NULL "NULL", calg_null | |
237 #define C_SJ "SKIPJACK", calg_sj | |
238 #define C_AESGCM "AES-GCM", calg_aes_gcm | |
239 +#define C_CHACHA20 "CHACHA20POLY1305", calg_chacha20 | |
240 | |
241 #define B_256 256, 256, 256 | |
242 #define B_128 128, 128, 128 | |
243 @@ -229,12 +230,14 @@ static const SSLCipherSuiteInfo suiteInfo[] = { | |
244 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_128, M
_SHA, 1, 0, 0, }, | |
245 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128,
M_SHA256, 1, 0, 0, }, | |
246 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_256, M
_SHA, 1, 0, 0, }, | |
247 +{0,CS(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305),S_ECDSA,K_ECDHE,C_CHACHA20,B_256,
M_AEAD_128,0, 0, 0, }, | |
248 | |
249 {0,CS(TLS_ECDH_RSA_WITH_NULL_SHA), S_RSA, K_ECDH, C_NULL, B_0, M_SHA
, 0, 0, 0, }, | |
250 {0,CS(TLS_ECDH_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDH, C_RC4, B_128, M_SH
A, 0, 0, 0, }, | |
251 {0,CS(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_ECDH, C_3DES, B_3DES, M_
SHA, 1, 0, 0, }, | |
252 {0,CS(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDH, C_AES, B_128, M_SH
A, 1, 0, 0, }, | |
253 {0,CS(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDH, C_AES, B_256, M_SH
A, 1, 0, 0, }, | |
254 +{0,CS(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305), S_RSA,K_ECDHE,C_CHACHA20,B_256,M_
AEAD_128, 0, 0, 0, }, | |
255 | |
256 {0,CS(TLS_ECDHE_RSA_WITH_NULL_SHA), S_RSA, K_ECDHE, C_NULL, B_0, M_SH
A, 0, 0, 0, }, | |
257 {0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDHE, C_RC4, B_128, M_S
HA, 0, 0, 0, }, | |
258 diff --git a/lib/ssl/sslproto.h b/lib/ssl/sslproto.h | |
259 index 2db47a5..36ae6c9 100644 | |
260 --- a/lib/ssl/sslproto.h | |
261 +++ b/lib/ssl/sslproto.h | |
262 @@ -260,6 +260,9 @@ | |
263 #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F | |
264 #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 | |
265 | |
266 +#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 0xCC13 | |
267 +#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 0xCC14 | |
268 + | |
269 /* Netscape "experimental" cipher suites. */ | |
270 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0 | |
271 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1 | |
272 diff --git a/lib/ssl/sslt.h b/lib/ssl/sslt.h | |
273 index 5593579..a2eff62 100644 | |
274 --- a/lib/ssl/sslt.h | |
275 +++ b/lib/ssl/sslt.h | |
276 @@ -117,7 +117,8 @@ typedef enum { | |
277 ssl_calg_aes = 7, | |
278 ssl_calg_camellia = 8, | |
279 ssl_calg_seed = 9, | |
280 - ssl_calg_aes_gcm = 10 | |
281 + ssl_calg_aes_gcm = 10, | |
282 + ssl_calg_chacha20 = 11 | |
283 } SSLCipherAlgorithm; | |
284 | |
285 typedef enum { | |
OLD | NEW |