Implement the AES GCM cipher suites for TLS.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 26 matching lines @@
 #define CKM_NSS_TLS_PRF_GENERAL_SHA256          (CKM_NSS + 21)
 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256    (CKM_NSS + 22)
 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
 #endif
 
 #include <stdio.h>
 #ifdef NSS_ENABLE_ZLIB
 #include "zlib.h"
 #endif
+#ifdef LINUX
+#include <dlfcn.h>
+#endif
 
 #ifndef PK11_SETATTRS
 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
                 (x)->pValue=(v); (x)->ulValueLen = (l);
 #endif
 
 static SECStatus ssl3_AuthCertificate(sslSocket *ss);
 static void      ssl3_CleanupPeerCerts(sslSocket *ss);
 static void      ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
@@ skipping 25 matching lines @@
 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
 #define MIN_SEND_BUF_LENGTH  4000
 
 /* This list of SSL3 cipher suites is sorted in descending order of
  * precedence (desirability).  It only includes cipher suites we implement.
  * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
  * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
  */
 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
    /*      cipher_suite                         policy      enabled is_present*/
+ { TLS_RSA_WITH_AES_128_GCM_SHA256,        SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,  SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
  { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,    SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
@@ skipping 123 matching lines @@
 
 
 /* This global item is used only in servers.  It is is initialized by
 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
 */
 CERTDistNames *ssl3_server_ca_list = NULL;
 static SSL3Statistics ssl3stats;
 
 /* indexed by SSL3BulkCipher */
 static const ssl3BulkCipherDef bulk_cipher_defs[] = {
-    /* cipher          calg        keySz secretSz  type  ivSz BlkSz keygen */
-    {cipher_null,      calg_null,      0,  0, type_stream,  0, 0, kg_null},
-    {cipher_rc4,       calg_rc4,      16, 16, type_stream,  0, 0, kg_strong},
-    {cipher_rc4_40,    calg_rc4,      16,  5, type_stream,  0, 0, kg_export},
-    {cipher_rc4_56,    calg_rc4,      16,  7, type_stream,  0, 0, kg_export},
-    {cipher_rc2,       calg_rc2,      16, 16, type_block,   8, 8, kg_strong},
-    {cipher_rc2_40,    calg_rc2,      16,  5, type_block,   8, 8, kg_export},
-    {cipher_des,       calg_des,       8,  8, type_block,   8, 8, kg_strong},
-    {cipher_3des,      calg_3des,     24, 24, type_block,   8, 8, kg_strong},
-    {cipher_des40,     calg_des,       8,  5, type_block,   8, 8, kg_export},
-    {cipher_idea,      calg_idea,     16, 16, type_block,   8, 8, kg_strong},
-    {cipher_aes_128,   calg_aes,      16, 16, type_block,  16,16, kg_strong},
-    {cipher_aes_256,   calg_aes,      32, 32, type_block,  16,16, kg_strong},
-    {cipher_camellia_128, calg_camellia,16, 16, type_block,  16,16, kg_strong},
-    {cipher_camellia_256, calg_camellia,32, 32, type_block,  16,16, kg_strong},
-    {cipher_seed,      calg_seed,     16, 16, type_block,  16,16, kg_strong},
-    {cipher_missing,   calg_null,      0,  0, type_stream,  0, 0, kg_null},
+    /*                                       |--------- Lengths --------| */
+    /* cipher          calg                  K  S   type       I  B  T  N */
+    /*                                       e  e              V  l  a  o */
+    /*                                       y  c              |  o  g  n */
+    /*                                       |  r              |  c  |  c */
+    /*                                       |  e              |  k  |  e */
+    /*                                       |  t              |  |  |  | */
+    {cipher_null,         calg_null,         0, 0, type_stream, 0, 0, 0, 0},
+    {cipher_rc4,          calg_rc4,         16,16, type_stream, 0, 0, 0, 0},
+    {cipher_rc4_40,       calg_rc4,         16, 5, type_stream, 0, 0, 0, 0},
+    {cipher_rc4_56,       calg_rc4,         16, 7, type_stream, 0, 0, 0, 0},
+    {cipher_rc2,          calg_rc2,         16,16, type_block,  8, 8, 0, 0},
+    {cipher_rc2_40,       calg_rc2,         16, 5, type_block,  8, 8, 0, 0},
+    {cipher_des,          calg_des,          8, 8, type_block,  8, 8, 0, 0},
+    {cipher_3des,         calg_3des,        24,24, type_block,  8, 8, 0, 0},
+    {cipher_des40,        calg_des,          8, 5, type_block,  8, 8, 0, 0},
+    {cipher_idea,         calg_idea,        16,16, type_block,  8, 8, 0, 0},
+    {cipher_aes_128,      calg_aes,         16,16, type_block, 16,16, 0, 0},
+    {cipher_aes_256,      calg_aes,         32,32, type_block, 16,16, 0, 0},
+    {cipher_camellia_128, calg_camellia,    16,16, type_block, 16,16, 0, 0},
+    {cipher_camellia_256, calg_camellia,    32,32, type_block, 16,16, 0, 0},
+    {cipher_seed,         calg_seed,        16,16, type_block, 16,16, 0, 0},
+    {cipher_aes_128_gcm,  calg_aes_128_gcm, 16,16, type_aead,   4, 0,16, 8},
+    {cipher_missing,      calg_null,         0, 0, type_stream, 0, 0, 0, 0},
 };
 
 static const ssl3KEADef kea_defs[] = 
 { /* indexed by SSL3KeyExchangeAlgorithm */
     /* kea              exchKeyType signKeyType is_limited limit  tls_keygen */
     {kea_null,           kt_null,     sign_null, PR_FALSE,   0, PR_FALSE},
     {kea_rsa,            kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_FALSE},
     {kea_rsa_export,     kt_rsa,      sign_rsa,  PR_TRUE,  512, PR_FALSE},
     {kea_rsa_export_1024,kt_rsa,      sign_rsa,  PR_TRUE, 1024, PR_FALSE},
     {kea_dh_dss,         kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
@@ skipping 101 matching lines @@
      cipher_camellia_256, mac_sha, kea_dhe_rsa},
 
     {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
                                     cipher_des,    mac_sha,kea_rsa_export_1024},
     {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
                                     cipher_rc4_56, mac_sha,kea_rsa_export_1024},
 
     {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
     {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
 
+    {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa},
+    {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_rsa},
+    {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_ecdsa},
+
 #ifdef NSS_ENABLE_ECC
     {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
 
     {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa},
     {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
     {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
@@ skipping 43 matching lines @@
     { calg_null     , (CK_MECHANISM_TYPE)0x80000000L    },
     { calg_rc4      , CKM_RC4                           },
     { calg_rc2      , CKM_RC2_CBC                       },
     { calg_des      , CKM_DES_CBC                       },
     { calg_3des     , CKM_DES3_CBC                      },
     { calg_idea     , CKM_IDEA_CBC                      },
     { calg_fortezza , CKM_SKIPJACK_CBC64                },
     { calg_aes      , CKM_AES_CBC                       },
     { calg_camellia , CKM_CAMELLIA_CBC                  },
     { calg_seed     , CKM_SEED_CBC                      },
+    { calg_aes_128_gcm, CKM_AES_GCM                     },
 /*  { calg_init     , (CK_MECHANISM_TYPE)0x7fffffffL    }  */
 };
 
 #define mmech_null     (CK_MECHANISM_TYPE)0x80000000L
 #define mmech_md5      CKM_SSL3_MD5_MAC
 #define mmech_sha      CKM_SSL3_SHA1_MAC
 #define mmech_md5_hmac CKM_MD5_HMAC
 #define mmech_sha_hmac CKM_SHA_1_HMAC
 #define mmech_sha256_hmac CKM_SHA256_HMAC
 
@@ skipping 18 matching lines @@
     "RC2-CBC-40",
     "DES-CBC",
     "3DES-EDE-CBC",
     "DES-CBC-40",
     "IDEA-CBC",
     "AES-128",
     "AES-256",
     "Camellia-128",
     "Camellia-256",
     "SEED-CBC",
+    "AES-128-GCM",
     "missing"
 };
 
 #ifdef NSS_ENABLE_ECC
 /* The ECCWrappedKeyInfo structure defines how various pieces of 
  * information are laid out within wrappedSymmetricWrappingkey 
  * for ECDH key exchange. Since wrappedSymmetricWrappingkey is 
  * a 512-byte buffer (see sslimpl.h), the variable length field 
  * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes.
  *
@@ skipping 106 matching lines @@
      *   SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:   never implemented
      *   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:  never implemented
      *   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:  never implemented
      *   SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5:     never implemented
      *   SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:  never implemented
      */
         return version <= SSL_LIBRARY_VERSION_TLS_1_0;
     case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
     case TLS_RSA_WITH_AES_256_CBC_SHA256:
     case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
+    case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
     case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
+    case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
     case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
     case TLS_RSA_WITH_AES_128_CBC_SHA256:
+    case TLS_RSA_WITH_AES_128_GCM_SHA256:
     case TLS_RSA_WITH_NULL_SHA256:
         return version >= SSL_LIBRARY_VERSION_TLS_1_2;
     default:
         return PR_TRUE;
     }
 }
 
 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */
 /* XXX This does a linear search.  A binary search would be better. */
 static const ssl3CipherSuiteDef *
@@ skipping 739 matching lines @@
     if (IS_DTLS(ss)) {
         /* Double-check that we did not pick an RC4 suite */
         PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) &&
                     (suite_def->bulk_cipher_alg != cipher_rc4_40) &&
                     (suite_def->bulk_cipher_alg != cipher_rc4_56));
     }
 
     cipher = suite_def->bulk_cipher_alg;
     kea    = suite_def->key_exchange_alg;
     mac    = suite_def->mac_alg;
-    if (mac <= ssl_mac_sha && isTLS)
+    if (mac <= ssl_mac_sha && mac != mac_null && isTLS)
         mac += 2;
 
     ss->ssl3.hs.suite_def = suite_def;
     ss->ssl3.hs.kea_def   = &kea_defs[kea];
     PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
 
     pwSpec->cipher_def   = &bulk_cipher_defs[cipher];
     PORT_Assert(pwSpec->cipher_def->cipher == cipher);
 
     pwSpec->mac_def = &mac_defs[mac];
@@ skipping 173 matching lines @@
       ssl3CipherSpec  *  pwSpec;
       const ssl3BulkCipherDef *cipher_def;
       void *             serverContext = NULL;
       void *             clientContext = NULL;
       BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
       int                mode     = 0;
       unsigned int       optArg1  = 0;
       unsigned int       optArg2  = 0;
       PRBool             server_encrypts = ss->sec.isServer;
       SSLCipherAlgorithm calg;
-      SSLCompressionMethod compression_method;
       SECStatus          rv;
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
     cipher_def    = pwSpec->cipher_def;
 
     calg = cipher_def->calg;
-    compression_method = pwSpec->compression_method;
 
     serverContext = pwSpec->server.cipher_context;
     clientContext = pwSpec->client.cipher_context;
 
     switch (calg) {
     case ssl_calg_null:
         pwSpec->encode  = Null_Cipher;
         pwSpec->decode  = Null_Cipher;
         pwSpec->destroy = NULL;
         goto success;
@@ skipping 135 matching lines @@
         case CKM_RC2_MAC:
         case CKM_RC2_MAC_GENERAL:
         case CKM_RC2_CBC_PAD:
             *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
         default: break;
         }
     }
     return param;
 }
 
+/* ssl3_build_record_pseudo_header writes the TLS pseudo-header (the data which
+ * is included in the MAC) to |out| and returns its length. */
+static int
+ssl3_build_record_pseudo_header(unsigned char* out,
+                                SSL3ContentType type,
+                                SSL3ProtocolVersion version,
+                                PRBool isDTLS,
+                                SSL3SequenceNumber seq_num,
+                                int length) {
+    out[0] = (unsigned char)(seq_num.high >> 24);
+    out[1] = (unsigned char)(seq_num.high >> 16);
+    out[2] = (unsigned char)(seq_num.high >>  8);
+    out[3] = (unsigned char)(seq_num.high >>  0);
+    out[4] = (unsigned char)(seq_num.low  >> 24);
+    out[5] = (unsigned char)(seq_num.low  >> 16);
+    out[6] = (unsigned char)(seq_num.low  >>  8);
+    out[7] = (unsigned char)(seq_num.low  >>  0);
+    out[8] = type;
+
+    /* TLS MAC includes the record's version field, SSL's doesn't.  We decide
+     * which MAC defintiion to use based on the version of the protocol that
+     * was negotiated when the spec became current, NOT based on the version
+     * value in the record itself.  But, we use the record'v version value in
+     * the computation. */
+    if (version <= SSL_LIBRARY_VERSION_3_0) {
+        out[9]  = MSB(length);
+        out[10] = LSB(length);
+        return 11;
+    } else {
+        /* New TLS hash includes version. */
+        if (isDTLS) {
+            SSL3ProtocolVersion dtls_version;
+
+            dtls_version = dtls_TLSVersionToDTLSVersion(version);
+            out[9]  = MSB(dtls_version);
+            out[10] = LSB(dtls_version);
+        } else {
+            out[9]  = MSB(version);
+            out[10] = LSB(version);
+        }
+        out[11] = MSB(length);
+        out[12] = LSB(length);
+        return 13;
+    }
+}
+
+typedef SECStatus (*PK11CryptFcn)(
+    PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, SECItem *param,
+    unsigned char *out, unsigned int *outLen, unsigned int maxLen,
+    const unsigned char *in, unsigned int inLen);
+
+static PK11CryptFcn pk11_encrypt = NULL;
+static PK11CryptFcn pk11_decrypt = NULL;
+
+static PRCallOnceType checkGCMSupportOnce;
+
+static PRStatus
+ssl3_CheckGCMSupport(void)

[agl, 2013/08/02 14:59:50]

This function is called CheckGCMSupport, but it doesn't return anything that
indicates whether GCM is supported.

ssl3_MaybeResolvePK11CryptFunctions?

[wtc, 2013/08/03 01:02:15]

Done. Renamed this function ssl3_ResolvePK11CryptFunctions. Also added an
ssl3_HasGCMSupport function.

+{
+#ifdef LINUX
+    void *handle = dlopen(NULL, RTLD_LAZY);
+    if (!handle) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return PR_FAILURE;
+    }
+    pk11_encrypt = (PK11CryptFcn)dlsym(handle, "PK11_Encrypt");
+    pk11_decrypt = (PK11CryptFcn)dlsym(handle, "PK11_Decrypt");
+    dlclose(handle);
+    return PR_SUCCESS;
+#else
+    pk11_encrypt = PK11_Encrypt;
+    pk11_decrypt = PK11_Decrypt;
+    return PR_SUCCESS;
+#endif
+}
+
+/* List of all GCM cipher suites */
+static const ssl3CipherSuite gcmSuites[] = {
+    TLS_RSA_WITH_AES_128_GCM_SHA256,
+#ifdef NSS_ENABLE_ECC
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+#endif
+    0 /* end of list marker */
+};
+
+/* On this socket, disable the GCM cipher suites */
+SECStatus
+ssl3_DisableGCMSuites(sslSocket * ss)
+{
+    const ssl3CipherSuite * suite;

[agl, 2013/08/02 14:59:50]

It occurs that the cipher of the ciphersuites could be tested rather than
listing them. This would catch future additions of GCM ciphersuites
automatically.

[wtc, 2013/08/03 01:02:15]

I re-implemented ssl3_DisableGCMSuites in patch set 4 using this approach.
Please take a look. It requires stepping through a much larger array
(cipher_suite_defs, 60 elements) than the gcmSuites array above, which has
only 3 elements. So it seems worthwhile to maintain a separate gcmSuites array.

I wonder if there is a better data structure that gives us the best of both
worlds.

+
+    for (suite = gcmSuites; *suite; ++suite) {
+        SECStatus rv = ssl3_CipherPrefSet(ss, *suite, PR_FALSE);
+
+        PORT_Assert(rv == SECSuccess); /* else is coding error */
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+ssl3_aes_gcm(ssl3KeyMaterial *keys,
+             PRBool doDecrypt,
+             unsigned char *out,
+             int *outlen,
+             int maxout,
+             const unsigned char *in,
+             int inlen,
+             const unsigned char *explicitNonce,
+             int explicitNonceLen,
+             SSL3ContentType type,
+             SSL3ProtocolVersion version,
+             SSL3SequenceNumber seq_num) {
+    SECItem            param;
+    SECStatus          rv = SECFailure;
+    unsigned char      nonce[12];
+    unsigned char      additionalData[13];
+    int                additionalDataLen;
+    unsigned int       uOutLen;
+    CK_GCM_PARAMS      gcmParams;
+
+    static const int   tagSize = 16;
+
+    PORT_Assert(explicitNonceLen == 8);
+
+    /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
+     * nonce is formed. */
+    memcpy(nonce, keys->write_iv, 4);
+    memcpy(nonce + 4, explicitNonce, 8);
+
+    /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
+     * definition of the AEAD additional data. */
+    additionalDataLen = ssl3_build_record_pseudo_header(
+        additionalData, type, version, PR_FALSE /* not DTLS */, seq_num,
+        inlen - (doDecrypt ? tagSize : 0));
+    PORT_Assert(additionalDataLen <= sizeof(additionalData));
+
+    memset(&param, 0, sizeof(param));
+    param.len = sizeof(CK_GCM_PARAMS);
+    param.data = (unsigned char *) &gcmParams;
+    memset(&gcmParams, 0, sizeof(CK_GCM_PARAMS));
+    gcmParams.pIv = nonce;
+    gcmParams.ulIvLen = sizeof(nonce);
+    gcmParams.pAAD = additionalData;
+    gcmParams.ulAADLen = additionalDataLen;
+    gcmParams.ulTagBits = tagSize * 8;
+
+    if (doDecrypt) {
+        rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
+                          maxout, in, inlen);
+    } else {
+        rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
+                          maxout, in, inlen);
+    }
+    *outlen = (int) uOutLen;
+
+    return rv;
+}
+
 /* Initialize encryption and MAC contexts for pending spec.
  * Master Secret already is derived.
  * Caller holds Spec write lock.
  */
 static SECStatus
 ssl3_InitPendingContextsPKCS11(sslSocket *ss)
 {
       ssl3CipherSpec  *  pwSpec;
       const ssl3BulkCipherDef *cipher_def;
       PK11Context *      serverContext = NULL;
       PK11Context *      clientContext = NULL;
       SECItem *          param;
       CK_MECHANISM_TYPE  mechanism;
       CK_MECHANISM_TYPE  mac_mech;
       CK_ULONG           macLength;
       CK_ULONG           effKeyBits;
       SECItem            iv;
       SECItem            mac_param;
       SSLCipherAlgorithm calg;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
     cipher_def    = pwSpec->cipher_def;
     macLength     = pwSpec->mac_size;
+    calg          = cipher_def->calg;
+    PORT_Assert(alg2Mech[calg].calg == calg);
+    mechanism = alg2Mech[calg].cmech;
+
+    pwSpec->client.write_mac_context = NULL;
+    pwSpec->server.write_mac_context = NULL;
+
+    if (calg == calg_aes_128_gcm) {
+        pwSpec->encode = NULL;
+        pwSpec->decode = NULL;
+        pwSpec->destroy = NULL;
+        pwSpec->encodeContext = NULL;
+        pwSpec->decodeContext = NULL;
+        pwSpec->aead = ssl3_aes_gcm;
+        return SECSuccess;
+    }
 
     /* 
     ** Now setup the MAC contexts, 
     **   crypto contexts are setup below.
     */
 
-    pwSpec->client.write_mac_context = NULL;
-    pwSpec->server.write_mac_context = NULL;
     mac_mech       = pwSpec->mac_def->mmech;
     mac_param.data = (unsigned char *)&macLength;
     mac_param.len  = sizeof(macLength);
     mac_param.type = 0;
 
     pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
             mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
     if (pwSpec->client.write_mac_context == NULL)  {
         ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
         goto fail;
     }
     pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
             mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
     if (pwSpec->server.write_mac_context == NULL) {
         ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
         goto fail;
     }
 
     /* 
     ** Now setup the crypto contexts.
     */
 
-    calg = cipher_def->calg;
-    PORT_Assert(alg2Mech[calg].calg == calg);
-
     if (calg == calg_null) {
         pwSpec->encode  = Null_Cipher;
         pwSpec->decode  = Null_Cipher;
         pwSpec->destroy = NULL;
         return SECSuccess;
     }
-    mechanism = alg2Mech[calg].cmech;
     effKeyBits = cipher_def->key_size * BPB;
 
     /*
      * build the server context
      */
     iv.data = pwSpec->server.write_iv;
     iv.len  = cipher_def->iv_size;
     param = ssl3_ParamFromIV(mechanism, &iv, effKeyBits);
     if (param == NULL) {
         ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
@@ skipping 191 matching lines @@
     SSL3ContentType    type,
     SSL3ProtocolVersion version,
     SSL3SequenceNumber seq_num,
     const SSL3Opaque * input,
     int                inputLength,
     unsigned char *    outbuf,
     unsigned int *     outLength)
 {
     const ssl3MACDef * mac_def;
     SECStatus          rv;
-#ifndef NO_PKCS11_BYPASS
-    PRBool             isTLS;
-#endif
     unsigned int       tempLen;
     unsigned char      temp[MAX_MAC_LENGTH];
+#ifndef NO_PKCS11_BYPASS
+    PRBool             isTLS = PR_FALSE;
 
-    temp[0] = (unsigned char)(seq_num.high >> 24);
-    temp[1] = (unsigned char)(seq_num.high >> 16);
-    temp[2] = (unsigned char)(seq_num.high >>  8);
-    temp[3] = (unsigned char)(seq_num.high >>  0);
-    temp[4] = (unsigned char)(seq_num.low  >> 24);
-    temp[5] = (unsigned char)(seq_num.low  >> 16);
-    temp[6] = (unsigned char)(seq_num.low  >>  8);
-    temp[7] = (unsigned char)(seq_num.low  >>  0);
-    temp[8] = type;
+    if (spec->version >= SSL_LIBRARY_VERSION_3_0) {
+        isTLS = PR_TRUE;
+    }
+#endif
 
-    /* TLS MAC includes the record's version field, SSL's doesn't.
-    ** We decide which MAC defintiion to use based on the version of 
-    ** the protocol that was negotiated when the spec became current,
-    ** NOT based on the version value in the record itself.
-    ** But, we use the record'v version value in the computation.
-    */
-    if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
-        temp[9]  = MSB(inputLength);
-        temp[10] = LSB(inputLength);
-        tempLen  = 11;
-#ifndef NO_PKCS11_BYPASS
-        isTLS    = PR_FALSE;
-#endif
-    } else {
-        /* New TLS hash includes version. */
-        if (isDTLS) {
-            SSL3ProtocolVersion dtls_version;
-
-            dtls_version = dtls_TLSVersionToDTLSVersion(version);
-            temp[9]  = MSB(dtls_version);
-            temp[10] = LSB(dtls_version);
-        } else {
-            temp[9]  = MSB(version);
-            temp[10] = LSB(version);
-        }
-        temp[11] = MSB(inputLength);
-        temp[12] = LSB(inputLength);
-        tempLen  = 13;
-#ifndef NO_PKCS11_BYPASS
-        isTLS    = PR_TRUE;
-#endif
-    }
+    tempLen = ssl3_build_record_pseudo_header(temp, type, version, isDTLS,
+                                              seq_num, inputLength);
+    PORT_Assert(tempLen <= sizeof(temp));
 
     PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
     PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
 
     mac_def = spec->mac_def;
     if (mac_def->mac == mac_null) {
         *outLength = 0;
         return SECSuccess;
     }
 #ifndef NO_PKCS11_BYPASS
@@ skipping 323 matching lines @@
         rv = cwSpec->compressor(
             cwSpec->compressContext,
             wrBuf->buf + headerLen + ivLen, &outlen,
             wrBuf->space - headerLen - ivLen, pIn, contentLen);
         if (rv != SECSuccess)
             return rv;
         pIn = wrBuf->buf + headerLen + ivLen;
         contentLen = outlen;
     }
 
-    /*
-     * Add the MAC
-     */
-    rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
-        type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
-        wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
-    if (rv != SECSuccess) {
-        ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
-        return SECFailure;
-    }
-    p1Len   = contentLen;
-    p2Len   = macLen;
-    fragLen = contentLen + macLen;      /* needs to be encrypted */
-    PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
+    if (cipher_def->type == type_aead) {
+        /* Prepend the explicit part of the nonce. See
+         * https://tools.ietf.org/html/rfc5246#section-6.2.3.3 */
+        const int nonceLen = cipher_def->explicit_nonce_size;
+        const int tagLen = cipher_def->tag_size;
 
-    /*
-     * Pad the text (if we're doing a block cipher)
-     * then Encrypt it
-     */
-    if (cipher_def->type == type_block) {
-        unsigned char * pBuf;
-        int             padding_length;
-        int             i;
+        if (nonceLen > wrBuf->space - headerLen) {
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            return SECFailure;
+        }
+        rv = PK11_GenerateRandom(wrBuf->buf + headerLen, nonceLen);
+        if (rv != SECSuccess) {
+            ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
+            return rv;
+        }
+        if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) {
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            return SECFailure;
+        }
 
-        oddLen = contentLen % cipher_def->block_size;
-        /* Assume blockSize is a power of two */
-        padding_length = cipher_def->block_size - 1 -
-                        ((fragLen) & (cipher_def->block_size - 1));
-        fragLen += padding_length + 1;
-        PORT_Assert((fragLen % cipher_def->block_size) == 0);
-
-        /* Pad according to TLS rules (also acceptable to SSL3). */
-        pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
-        for (i = padding_length + 1; i > 0; --i) {
-            *pBuf-- = padding_length;
-        }
-        /* now, if contentLen is not a multiple of block size, fix it */
-        p2Len = fragLen - p1Len;
-    }
-    if (p1Len < 256) {
-        oddLen = p1Len;
-        p1Len = 0;
-    } else {
-        p1Len -= oddLen;
-    }
-    if (oddLen) {
-        p2Len += oddLen;
-        PORT_Assert( (cipher_def->block_size < 2) || \
-                     (p2Len % cipher_def->block_size) == 0);
-        memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen);
-    }
-    if (p1Len > 0) {
-        int cipherBytesPart1 = -1;
-        rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + headerLen + ivLen,         /* output */
-            &cipherBytesPart1,                      /* actual outlen */
-            p1Len,                                  /* max outlen */
-            pIn, p1Len);                      /* input, and inputlen */
-        PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
-        if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
+        cipherBytes = contentLen;
+        rv = cwSpec->aead(
+                isServer ? &cwSpec->server : &cwSpec->client,
+                PR_FALSE,                                   /* do encrypt */
+                wrBuf->buf + headerLen + nonceLen,          /* output  */
+                &cipherBytes,                               /* out len */
+                wrBuf->space - headerLen - nonceLen,        /* max out */
+                pIn, contentLen,                            /* input   */
+                wrBuf->buf + headerLen, nonceLen,           /* explicit nonce */
+                type, cwSpec->version, cwSpec->write_seq_num);
+        if (rv != SECSuccess) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
-        cipherBytes += cipherBytesPart1;
-    }
-    if (p2Len > 0) {
-        int cipherBytesPart2 = -1;
-        rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + headerLen + ivLen + p1Len,
-            &cipherBytesPart2,          /* output and actual outLen */
-            p2Len,                             /* max outlen */
-            wrBuf->buf + headerLen + ivLen + p1Len,
-            p2Len);                            /* input and inputLen*/
-        PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
-        if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
-            PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
+        cipherBytes += nonceLen;
+    } else {
+        /*
+         * Add the MAC
+         */
+        rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
+            type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
+            wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
+        if (rv != SECSuccess) {
+            ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
             return SECFailure;
         }
-        cipherBytes += cipherBytesPart2;
-    }   
+        p1Len   = contentLen;
+        p2Len   = macLen;
+        fragLen = contentLen + macLen;  /* needs to be encrypted */
+        PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
+
+        /*
+         * Pad the text (if we're doing a block cipher)
+         * then Encrypt it
+         */
+        if (cipher_def->type == type_block) {
+            unsigned char * pBuf;
+            int             padding_length;
+            int             i;
+
+            oddLen = contentLen % cipher_def->block_size;
+            /* Assume blockSize is a power of two */
+            padding_length = cipher_def->block_size - 1 -
+                            ((fragLen) & (cipher_def->block_size - 1));
+            fragLen += padding_length + 1;
+            PORT_Assert((fragLen % cipher_def->block_size) == 0);
+
+            /* Pad according to TLS rules (also acceptable to SSL3). */
+            pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
+            for (i = padding_length + 1; i > 0; --i) {
+                *pBuf-- = padding_length;
+            }
+            /* now, if contentLen is not a multiple of block size, fix it */
+            p2Len = fragLen - p1Len;
+        }
+        if (p1Len < 256) {
+            oddLen = p1Len;
+            p1Len = 0;
+        } else {
+            p1Len -= oddLen;
+        }
+        if (oddLen) {
+            p2Len += oddLen;
+            PORT_Assert( (cipher_def->block_size < 2) || \
+                         (p2Len % cipher_def->block_size) == 0);
+            memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen);
+        }
+        if (p1Len > 0) {
+            int cipherBytesPart1 = -1;
+            rv = cwSpec->encode( cwSpec->encodeContext, 
+                wrBuf->buf + headerLen + ivLen,         /* output */
+                &cipherBytesPart1,                      /* actual outlen */
+                p1Len,                                  /* max outlen */
+                pIn, p1Len);                      /* input, and inputlen */
+            PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
+            if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
+                PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
+                return SECFailure;
+            }
+            cipherBytes += cipherBytesPart1;
+        }
+        if (p2Len > 0) {
+            int cipherBytesPart2 = -1;
+            rv = cwSpec->encode( cwSpec->encodeContext, 
+                wrBuf->buf + headerLen + ivLen + p1Len,
+                &cipherBytesPart2,          /* output and actual outLen */
+                p2Len,                             /* max outlen */
+                wrBuf->buf + headerLen + ivLen + p1Len,
+                p2Len);                            /* input and inputLen*/
+            PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
+            if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
+                PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
+                return SECFailure;
+            }
+            cipherBytes += cipherBytesPart2;
+        }
+    }
+
     PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
 
     wrBuf->len    = cipherBytes + headerLen;
     wrBuf->buf[0] = type;
     if (isDTLS) {
         SSL3ProtocolVersion version;
 
         version = dtls_TLSVersionToDTLSVersion(cwSpec->version);
         wrBuf->buf[1] = MSB(version);
         wrBuf->buf[2] = LSB(version);
@@ skipping 522 matching lines @@
     ssl_ReleaseSSL3HandshakeLock(ss);
     return rv;  /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
 }
 
 /*
  * Send illegal_parameter alert.  Set generic error number.
  */
 static SECStatus
 ssl3_IllegalParameter(sslSocket *ss)
 {
-    PRBool isTLS;
-
-    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
     (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
     PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
                                    : SSL_ERROR_BAD_SERVER );
     return SECFailure;
 }
 
 /*
  * Send handshake_Failure alert.  Set generic error number.
  */
 static SECStatus
@@ skipping 1795 matching lines @@
     if (!total_exten_len || !isTLS) {
         /* not sending the elliptic_curves and ec_point_formats extensions */
         ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     }
 #endif
 
     if (IS_DTLS(ss)) {
         ssl3_DisableNonDTLSSuites(ss);
     }
 
+    (void) PR_CallOnce(&checkGCMSupportOnce, ssl3_CheckGCMSupport);
+    if (!pk11_encrypt) {

[agl, 2013/08/02 14:59:50]

(Assuming that PK11_Encrypt and PK11_Decrypt appeared in the same version of
NSS.)

[wtc, 2013/08/03 01:02:15]

Yes, PK11_Encrypt and PK11_Decrypt were added in the same NSS checkin:
https://hg.mozilla.org/projects/nss/rev/75b566f18970

I added a comment to state this assumption.

+        ssl3_DisableGCMSuites(ss);
+    }
+
     /* how many suites are permitted by policy and user preference? */
     num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
     if (!num_suites)
         return SECFailure;      /* count_cipher_suites has set error code. */
     if (ss->ssl3.hs.sendingSCSV) {
         ++num_suites;   /* make room for SCSV */
     }
 
     /* count compression methods */
     numCompressionMethods = 0;
@@ skipping 5096 matching lines @@
     return rv;
 }
 
 /* called from ssl3_SendFinished
  *
  * This function is simply a debugging aid and therefore does not return a
  * SECStatus. */
 static void
 ssl3_RecordKeyLog(sslSocket *ss)
 {
-    sslSessionID *sid;
     SECStatus rv;
     SECItem *keyData;
     char buf[14 /* "CLIENT_RANDOM " */ +
              SSL3_RANDOM_LENGTH*2 /* client_random */ +
              1 /* " " */ +
              48*2 /* master secret */ +
              1 /* new line */];
     unsigned int j;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
-    sid = ss->sec.ci.sid;
-
     if (!ssl_keylog_iob)
         return;
 
     rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);
     if (rv != SECSuccess)
         return;
 
     ssl_GetSpecReadLock(ss);
 
     /* keyData does not need to be freed. */
@@ skipping 1191 matching lines @@
 
     good = ~0U;
     minLength = crSpec->mac_size;
     if (cipher_def->type == type_block) {
         /* CBC records have a padding length byte at the end. */
         minLength++;
         if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
             /* With >= TLS 1.1, CBC records have an explicit IV. */
             minLength += cipher_def->iv_size;
         }
+    } else if (cipher_def->type == type_aead) {
+        minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size;
     }
 
     /* We can perform this test in variable time because the record's total
      * length and the ciphersuite are both public knowledge. */
     if (cText->buf->len < minLength) {
-        goto decrypt_loser;
+        goto decrypt_loser;
     }
 
     if (cipher_def->type == type_block &&
         crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
         /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states
          * "The receiver decrypts the entire GenericBlockCipher structure and
          * then discards the first cipher block corresponding to the IV
          * component." Instead, we decrypt the first cipher block and then
          * discard it before decrypting the rest.
          */
@@ skipping 10 matching lines @@
         PRINT_BUF(80, (ss, "IV (ciphertext):", cText->buf->buf, ivLen));
 
         /* The decryption result is garbage, but since we just throw away
          * the block it doesn't matter.  The decryption of the next block
          * depends only on the ciphertext of the IV block.
          */
         rv = crSpec->decode(crSpec->decodeContext, iv, &decoded,
                             sizeof(iv), cText->buf->buf, ivLen);
 
         good &= SECStatusToMask(rv);
+    } else if (cipher_def->type == type_aead) {
+        ivLen = cipher_def->explicit_nonce_size;
     }
 
     /* If we will be decompressing the buffer we need to decrypt somewhere
      * other than into databuf */
     if (crSpec->decompressor) {
         temp_buf.buf = NULL;
         temp_buf.space = 0;
         plaintext = &temp_buf;
     } else {
         plaintext = databuf;
@@ skipping 17 matching lines @@
 
     isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
 
     if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) {
         ssl_ReleaseSpecReadLock(ss);
         SSL3_SendAlert(ss, alert_fatal, record_overflow);
         PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
         return SECFailure;
     }
 
-    if (cipher_def->type == type_block &&
-        ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
-        goto decrypt_loser;
-    }
+    rType = cText->type;
+    if (cipher_def->type == type_aead) {
+        rv = crSpec->aead(
+                ss->sec.isServer ? &crSpec->client : &crSpec->server,
+                PR_TRUE,                          /* do decrypt */
+                plaintext->buf,                   /* out */
+                (int*) &plaintext->len,           /* outlen */
+                plaintext->space,                 /* maxout */
+                cText->buf->buf + ivLen,          /* in */
+                cText->buf->len - ivLen,          /* inlen */
+                cText->buf->buf,                  /* explicitNonce */
+                cipher_def->explicit_nonce_size,  /* explicitNonceLen */
+                rType,                            /* record type */
+                cText->version,
+                crSpec->read_seq_num);
+        if (rv != SECSuccess) {
+            good = 0;
+        }
+    } else {
+        if (cipher_def->type == type_block &&
+            ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
+            goto decrypt_loser;
+        }
 
-    /* decrypt from cText buf to plaintext. */
-    rv = crSpec->decode(
-        crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
-        plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
-    if (rv != SECSuccess) {
-        goto decrypt_loser;
-    }
+        /* decrypt from cText buf to plaintext. */
+        rv = crSpec->decode(
+            crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
+            plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
+        if (rv != SECSuccess) {
+            goto decrypt_loser;
+        }
 
-    PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
+        PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
 
-    originalLen = plaintext->len;
+        originalLen = plaintext->len;
 
-    /* If it's a block cipher, check and strip the padding. */
-    if (cipher_def->type == type_block) {
-        const unsigned int blockSize = cipher_def->block_size;
-        const unsigned int macSize = crSpec->mac_size;
+        /* If it's a block cipher, check and strip the padding. */
+        if (cipher_def->type == type_block) {
+            const unsigned int blockSize = cipher_def->block_size;
+            const unsigned int macSize = crSpec->mac_size;
 
-        if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
-            good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
-                        plaintext, blockSize, macSize));
+            if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
+                good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
+                            plaintext, blockSize, macSize));
+            } else {
+                good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
+                            plaintext, macSize));
+            }
+        }
+
+        /* compute the MAC */
+        if (cipher_def->type == type_block) {
+            rv = ssl3_ComputeRecordMACConstantTime(
+                crSpec, (PRBool)(!ss->sec.isServer),
+                IS_DTLS(ss), rType, cText->version,
+                IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
+                plaintext->buf, plaintext->len, originalLen,
+                hash, &hashBytes);
+
+            ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
+                              crSpec->mac_size);
+            givenHash = givenHashBuf;
+
+            /* plaintext->len will always have enough space to remove the MAC
+             * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
+             * plaintext->len if the result has enough space for the MAC and we
+             * tested the unadjusted size against minLength, above. */
+            plaintext->len -= crSpec->mac_size;
         } else {
-            good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
-                        plaintext, macSize));
+            /* This is safe because we checked the minLength above. */
+            plaintext->len -= crSpec->mac_size;
+
+            rv = ssl3_ComputeRecordMAC(
+                crSpec, (PRBool)(!ss->sec.isServer),
+                IS_DTLS(ss), rType, cText->version,
+                IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
+                plaintext->buf, plaintext->len,
+                hash, &hashBytes);
+
+            /* We can read the MAC directly from the record because its location is
+             * public when a stream cipher is used. */
+            givenHash = plaintext->buf + plaintext->len;
+        }
+
+        good &= SECStatusToMask(rv);
+
+        if (hashBytes != (unsigned)crSpec->mac_size ||
+            NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
+            /* We're allowed to leak whether or not the MAC check was correct */
+            good = 0;
         }
     }
 
-    /* compute the MAC */
-    rType = cText->type;
-    if (cipher_def->type == type_block) {
-        rv = ssl3_ComputeRecordMACConstantTime(
-            crSpec, (PRBool)(!ss->sec.isServer),
-            IS_DTLS(ss), rType, cText->version,
-            IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
-            plaintext->buf, plaintext->len, originalLen,
-            hash, &hashBytes);
-
-        ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
-                          crSpec->mac_size);
-        givenHash = givenHashBuf;
-
-        /* plaintext->len will always have enough space to remove the MAC
-         * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
-         * plaintext->len if the result has enough space for the MAC and we
-         * tested the unadjusted size against minLength, above. */
-        plaintext->len -= crSpec->mac_size;
-    } else {
-        /* This is safe because we checked the minLength above. */
-        plaintext->len -= crSpec->mac_size;
-
-        rv = ssl3_ComputeRecordMAC(
-            crSpec, (PRBool)(!ss->sec.isServer),
-            IS_DTLS(ss), rType, cText->version,
-            IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
-            plaintext->buf, plaintext->len,
-            hash, &hashBytes);
-
-        /* We can read the MAC directly from the record because its location is
-         * public when a stream cipher is used. */
-        givenHash = plaintext->buf + plaintext->len;
-    }
-
-    good &= SECStatusToMask(rv);
-
-    if (hashBytes != (unsigned)crSpec->mac_size ||
-        NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
-        /* We're allowed to leak whether or not the MAC check was correct */
-        good = 0;
-    }
-
     if (good == 0) {
 decrypt_loser:
         /* must not hold spec lock when calling SSL3_SendAlert. */
         ssl_ReleaseSpecReadLock(ss);
 
         SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
 
         if (!IS_DTLS(ss)) {
             SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
             /* always log mac error, in case attacker can read server logs. */
@@ skipping 639 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */