OLD | NEW |
(Empty) | |
| 1 Index: net/third_party/nss/ssl/sslinfo.c |
| 2 =================================================================== |
| 3 --- net/third_party/nss/ssl/sslinfo.c (revision 215189) |
| 4 +++ net/third_party/nss/ssl/sslinfo.c (working copy) |
| 5 @@ -109,7 +109,7 @@ |
| 6 #define K_ECDHE "ECDHE", kt_ecdh |
| 7 |
| 8 #define C_SEED "SEED", calg_seed |
| 9 -#define C_CAMELLIA "CAMELLIA", calg_camellia |
| 10 +#define C_CAMELLIA "CAMELLIA", calg_camellia |
| 11 #define C_AES "AES", calg_aes |
| 12 #define C_RC4 "RC4", calg_rc4 |
| 13 #define C_RC2 "RC2", calg_rc2 |
| 14 @@ -117,6 +117,7 @@ |
| 15 #define C_3DES "3DES", calg_3des |
| 16 #define C_NULL "NULL", calg_null |
| 17 #define C_SJ "SKIPJACK", calg_sj |
| 18 +#define C_AESGCM "AES-GCM", calg_aes_gcm |
| 19 |
| 20 #define B_256 256, 256, 256 |
| 21 #define B_128 128, 128, 128 |
| 22 @@ -130,9 +131,12 @@ |
| 23 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256 |
| 24 #define M_SHA "SHA1", ssl_mac_sha, 160 |
| 25 #define M_MD5 "MD5", ssl_mac_md5, 128 |
| 26 +#define M_NULL "NULL", ssl_mac_null, 0 |
| 27 |
| 28 static const SSLCipherSuiteInfo suiteInfo[] = { |
| 29 /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC>
<FIPS> */ |
| 30 +{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_
NULL, 1, 0, 0, }, |
| 31 + |
| 32 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256,
M_SHA, 0, 0, 0, }, |
| 33 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256,
M_SHA, 0, 0, 0, }, |
| 34 {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA
256, 1, 0, 0, }, |
| 35 @@ -146,6 +150,7 @@ |
| 36 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128,
M_SHA, 0, 0, 0, }, |
| 37 {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA
, 0, 0, 0, }, |
| 38 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA
256, 1, 0, 0, }, |
| 39 +{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_
NULL, 1, 0, 0, }, |
| 40 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA
, 1, 0, 0, }, |
| 41 {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA
, 1, 0, 0, }, |
| 42 {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA
, 1, 0, 0, }, |
| 43 @@ -175,6 +180,9 @@ |
| 44 |
| 45 #ifdef NSS_ENABLE_ECC |
| 46 /* ECC cipher suites */ |
| 47 +{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128,
M_NULL, 1, 0, 0, }, |
| 48 +{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_1
28, M_NULL, 1, 0, 0, }, |
| 49 + |
| 50 {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_S
HA, 0, 0, 0, }, |
| 51 {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_
SHA, 0, 0, 0, }, |
| 52 {0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDH, C_3DES, B_3DES,
M_SHA, 1, 0, 0, }, |
| 53 Index: net/third_party/nss/ssl/sslimpl.h |
| 54 =================================================================== |
| 55 --- net/third_party/nss/ssl/sslimpl.h (revision 215189) |
| 56 +++ net/third_party/nss/ssl/sslimpl.h (working copy) |
| 57 @@ -64,6 +64,7 @@ |
| 58 #define calg_aes ssl_calg_aes |
| 59 #define calg_camellia ssl_calg_camellia |
| 60 #define calg_seed ssl_calg_seed |
| 61 +#define calg_aes_gcm ssl_calg_aes_gcm |
| 62 |
| 63 #define mac_null ssl_mac_null |
| 64 #define mac_md5 ssl_mac_md5 |
| 65 @@ -290,9 +291,9 @@ |
| 66 } ssl3CipherSuiteCfg; |
| 67 |
| 68 #ifdef NSS_ENABLE_ECC |
| 69 -#define ssl_V3_SUITES_IMPLEMENTED 57 |
| 70 +#define ssl_V3_SUITES_IMPLEMENTED 61 |
| 71 #else |
| 72 -#define ssl_V3_SUITES_IMPLEMENTED 35 |
| 73 +#define ssl_V3_SUITES_IMPLEMENTED 37 |
| 74 #endif /* NSS_ENABLE_ECC */ |
| 75 |
| 76 #define MAX_DTLS_SRTP_CIPHER_SUITES 4 |
| 77 @@ -440,20 +441,6 @@ |
| 78 #define GS_DATA 3 |
| 79 #define GS_PAD 4 |
| 80 |
| 81 -typedef SECStatus (*SSLCipher)(void * context, |
| 82 - unsigned char * out, |
| 83 - int * outlen, |
| 84 - int maxout, |
| 85 - const unsigned char *in, |
| 86 - int inlen); |
| 87 -typedef SECStatus (*SSLCompressor)(void * context, |
| 88 - unsigned char * out, |
| 89 - int * outlen, |
| 90 - int maxout, |
| 91 - const unsigned char *in, |
| 92 - int inlen); |
| 93 -typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); |
| 94 - |
| 95 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) |
| 96 typedef PCERT_KEY_CONTEXT PlatformKey; |
| 97 #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) |
| 98 @@ -485,11 +472,12 @@ |
| 99 cipher_camellia_128, |
| 100 cipher_camellia_256, |
| 101 cipher_seed, |
| 102 + cipher_aes_128_gcm, |
| 103 cipher_missing /* reserved for no such supported cipher */ |
| 104 /* This enum must match ssl3_cipherName[] in ssl3con.c. */ |
| 105 } SSL3BulkCipher; |
| 106 |
| 107 -typedef enum { type_stream, type_block } CipherType; |
| 108 +typedef enum { type_stream, type_block, type_aead } CipherType; |
| 109 |
| 110 #define MAX_IV_LENGTH 24 |
| 111 |
| 112 @@ -531,6 +519,31 @@ |
| 113 PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS]; |
| 114 } ssl3KeyMaterial; |
| 115 |
| 116 +typedef SECStatus (*SSLCipher)(void * context, |
| 117 + unsigned char * out, |
| 118 + int * outlen, |
| 119 + int maxout, |
| 120 + const unsigned char *in, |
| 121 + int inlen); |
| 122 +typedef SECStatus (*SSLAEADCipher)( |
| 123 + ssl3KeyMaterial * keys, |
| 124 + PRBool doDecrypt, |
| 125 + unsigned char * out, |
| 126 + int * outlen, |
| 127 + int maxout, |
| 128 + const unsigned char *in, |
| 129 + int inlen, |
| 130 + SSL3ContentType type, |
| 131 + SSL3ProtocolVersion version, |
| 132 + SSL3SequenceNumber seqnum); |
| 133 +typedef SECStatus (*SSLCompressor)(void * context, |
| 134 + unsigned char * out, |
| 135 + int * outlen, |
| 136 + int maxout, |
| 137 + const unsigned char *in, |
| 138 + int inlen); |
| 139 +typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); |
| 140 + |
| 141 /* The DTLS anti-replay window. Defined here because we need it in |
| 142 * the cipher spec. Note that this is a ring buffer but left and |
| 143 * right represent the true window, with modular arithmetic used to |
| 144 @@ -557,6 +570,7 @@ |
| 145 int mac_size; |
| 146 SSLCipher encode; |
| 147 SSLCipher decode; |
| 148 + SSLAEADCipher aead; |
| 149 SSLDestroy destroy; |
| 150 void * encodeContext; |
| 151 void * decodeContext; |
| 152 @@ -706,8 +720,6 @@ |
| 153 PRBool tls_keygen; |
| 154 } ssl3KEADef; |
| 155 |
| 156 -typedef enum { kg_null, kg_strong, kg_export } SSL3KeyGenMode; |
| 157 - |
| 158 /* |
| 159 ** There are tables of these, all const. |
| 160 */ |
| 161 @@ -719,7 +731,8 @@ |
| 162 CipherType type; |
| 163 int iv_size; |
| 164 int block_size; |
| 165 - SSL3KeyGenMode keygen_mode; |
| 166 + int tag_size; /* authentication tag size for AEAD ciphers. */ |
| 167 + int explicit_nonce_size; /* for AEAD ciphers. */ |
| 168 }; |
| 169 |
| 170 /* |
| 171 Index: net/third_party/nss/ssl/ssl3ecc.c |
| 172 =================================================================== |
| 173 --- net/third_party/nss/ssl/ssl3ecc.c (revision 215189) |
| 174 +++ net/third_party/nss/ssl/ssl3ecc.c (working copy) |
| 175 @@ -911,6 +911,7 @@ |
| 176 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
| 177 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, |
| 178 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, |
| 179 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
| 180 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
| 181 TLS_ECDHE_ECDSA_WITH_NULL_SHA, |
| 182 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
| 183 @@ -921,6 +922,7 @@ |
| 184 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, |
| 185 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
| 186 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
| 187 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
| 188 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, |
| 189 TLS_ECDHE_RSA_WITH_NULL_SHA, |
| 190 TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
| 191 @@ -932,12 +934,14 @@ |
| 192 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
| 193 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, |
| 194 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, |
| 195 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
| 196 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
| 197 TLS_ECDHE_ECDSA_WITH_NULL_SHA, |
| 198 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
| 199 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, |
| 200 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
| 201 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
| 202 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
| 203 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, |
| 204 TLS_ECDHE_RSA_WITH_NULL_SHA, |
| 205 TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
| 206 Index: net/third_party/nss/ssl/sslsock.c |
| 207 =================================================================== |
| 208 --- net/third_party/nss/ssl/sslsock.c (revision 215189) |
| 209 +++ net/third_party/nss/ssl/sslsock.c (working copy) |
| 210 @@ -67,8 +67,10 @@ |
| 211 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 212 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 213 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 214 + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 215 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 216 { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 217 + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 218 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 219 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 220 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 221 @@ -94,6 +96,7 @@ |
| 222 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 223 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 224 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 225 + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 226 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 227 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, |
| 228 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 229 @@ -105,6 +108,7 @@ |
| 230 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 231 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 232 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 233 + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 234 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
| 235 #endif /* NSS_ENABLE_ECC */ |
| 236 { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } |
| 237 Index: net/third_party/nss/ssl/ssl3con.c |
| 238 =================================================================== |
| 239 --- net/third_party/nss/ssl/ssl3con.c (revision 215189) |
| 240 +++ net/third_party/nss/ssl/ssl3con.c (working copy) |
| 241 @@ -78,6 +78,14 @@ |
| 242 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
| 243 int maxOutputLen, const unsigned char *input, |
| 244 int inputLen); |
| 245 +#ifndef NO_PKCS11_BYPASS |
| 246 +static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, |
| 247 + unsigned char *out, int *outlen, int maxout, |
| 248 + const unsigned char *in, int inlen, |
| 249 + SSL3ContentType type, |
| 250 + SSL3ProtocolVersion version, |
| 251 + SSL3SequenceNumber seq_num); |
| 252 +#endif |
| 253 |
| 254 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
| 255 #define MIN_SEND_BUF_LENGTH 4000 |
| 256 @@ -90,6 +98,13 @@ |
| 257 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
| 258 /* cipher_suite policy enabled is_present*
/ |
| 259 #ifdef NSS_ENABLE_ECC |
| 260 + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 261 + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 262 +#endif /* NSS_ENABLE_ECC */ |
| 263 + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 264 + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
| 265 + |
| 266 +#ifdef NSS_ENABLE_ECC |
| 267 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 268 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
| 269 #endif /* NSS_ENABLE_ECC */ |
| 270 @@ -233,23 +248,30 @@ |
| 271 |
| 272 /* indexed by SSL3BulkCipher */ |
| 273 static const ssl3BulkCipherDef bulk_cipher_defs[] = { |
| 274 - /* cipher calg keySz secretSz type ivSz BlkSz keygen */ |
| 275 - {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null}, |
| 276 - {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong}, |
| 277 - {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export}, |
| 278 - {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export}, |
| 279 - {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong}, |
| 280 - {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export}, |
| 281 - {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong}, |
| 282 - {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong}, |
| 283 - {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export}, |
| 284 - {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong}, |
| 285 - {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong}, |
| 286 - {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong}, |
| 287 - {cipher_camellia_128, calg_camellia,16, 16, type_block, 16,16, kg_strong}, |
| 288 - {cipher_camellia_256, calg_camellia,32, 32, type_block, 16,16, kg_strong}, |
| 289 - {cipher_seed, calg_seed, 16, 16, type_block, 16,16, kg_strong}, |
| 290 - {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null}, |
| 291 + /* |--------- Lengths --------| */ |
| 292 + /* cipher calg k s type i b t n */ |
| 293 + /* e e v l a o */ |
| 294 + /* y c | o g n */ |
| 295 + /* | r | c | c */ |
| 296 + /* | e | k | e */ |
| 297 + /* | t | | | | */ |
| 298 + {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, |
| 299 + {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0}, |
| 300 + {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0}, |
| 301 + {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0}, |
| 302 + {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0}, |
| 303 + {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0}, |
| 304 + {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0}, |
| 305 + {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0}, |
| 306 + {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0}, |
| 307 + {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0}, |
| 308 + {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0}, |
| 309 + {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0}, |
| 310 + {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0}, |
| 311 + {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, |
| 312 + {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, |
| 313 + {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, |
| 314 + {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, |
| 315 }; |
| 316 |
| 317 static const ssl3KEADef kea_defs[] = |
| 318 @@ -371,6 +393,11 @@ |
| 319 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, |
| 320 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, |
| 321 |
| 322 + {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe
_rsa}, |
| 323 + {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, |
| 324 + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_e
cdhe_rsa}, |
| 325 + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea
_ecdhe_ecdsa}, |
| 326 + |
| 327 #ifdef NSS_ENABLE_ECC |
| 328 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}
, |
| 329 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}
, |
| 330 @@ -434,6 +461,7 @@ |
| 331 { calg_aes , CKM_AES_CBC }, |
| 332 { calg_camellia , CKM_CAMELLIA_CBC }, |
| 333 { calg_seed , CKM_SEED_CBC }, |
| 334 + { calg_aes_gcm , CKM_AES_GCM }, |
| 335 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ |
| 336 }; |
| 337 |
| 338 @@ -472,6 +500,7 @@ |
| 339 "Camellia-128", |
| 340 "Camellia-256", |
| 341 "SEED-CBC", |
| 342 + "AES-128-GCM", |
| 343 "missing" |
| 344 }; |
| 345 |
| 346 @@ -598,9 +627,13 @@ |
| 347 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: |
| 348 case TLS_RSA_WITH_AES_256_CBC_SHA256: |
| 349 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: |
| 350 + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: |
| 351 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: |
| 352 + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: |
| 353 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: |
| 354 + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: |
| 355 case TLS_RSA_WITH_AES_128_CBC_SHA256: |
| 356 + case TLS_RSA_WITH_AES_128_GCM_SHA256: |
| 357 case TLS_RSA_WITH_NULL_SHA256: |
| 358 return version >= SSL_LIBRARY_VERSION_TLS_1_2; |
| 359 default: |
| 360 @@ -1360,7 +1393,7 @@ |
| 361 cipher = suite_def->bulk_cipher_alg; |
| 362 kea = suite_def->key_exchange_alg; |
| 363 mac = suite_def->mac_alg; |
| 364 - if (mac <= ssl_mac_sha && isTLS) |
| 365 + if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS) |
| 366 mac += 2; |
| 367 |
| 368 ss->ssl3.hs.suite_def = suite_def; |
| 369 @@ -1554,7 +1587,6 @@ |
| 370 unsigned int optArg2 = 0; |
| 371 PRBool server_encrypts = ss->sec.isServer; |
| 372 SSLCipherAlgorithm calg; |
| 373 - SSLCompressionMethod compression_method; |
| 374 SECStatus rv; |
| 375 |
| 376 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 377 @@ -1565,8 +1597,18 @@ |
| 378 cipher_def = pwSpec->cipher_def; |
| 379 |
| 380 calg = cipher_def->calg; |
| 381 - compression_method = pwSpec->compression_method; |
| 382 |
| 383 + if (calg == calg_aes_gcm) { |
| 384 + pwSpec->encode = NULL; |
| 385 + pwSpec->decode = NULL; |
| 386 + pwSpec->destroy = NULL; |
| 387 + pwSpec->encodeContext = NULL; |
| 388 + pwSpec->decodeContext = NULL; |
| 389 + pwSpec->aead = ssl3_AESGCMBypass; |
| 390 + ssl3_InitCompressionContext(pwSpec); |
| 391 + return SECSuccess; |
| 392 + } |
| 393 + |
| 394 serverContext = pwSpec->server.cipher_context; |
| 395 clientContext = pwSpec->client.cipher_context; |
| 396 |
| 397 @@ -1721,6 +1763,207 @@ |
| 398 return param; |
| 399 } |
| 400 |
| 401 +/* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which |
| 402 + * is included in the MAC) to |out| and returns its length. */ |
| 403 +static unsigned int |
| 404 +ssl3_BuildRecordPseudoHeader(unsigned char *out, |
| 405 + SSL3SequenceNumber seq_num, |
| 406 + SSL3ContentType type, |
| 407 + PRBool includesVersion, |
| 408 + SSL3ProtocolVersion version, |
| 409 + PRBool isDTLS, |
| 410 + int length) |
| 411 +{ |
| 412 + out[0] = (unsigned char)(seq_num.high >> 24); |
| 413 + out[1] = (unsigned char)(seq_num.high >> 16); |
| 414 + out[2] = (unsigned char)(seq_num.high >> 8); |
| 415 + out[3] = (unsigned char)(seq_num.high >> 0); |
| 416 + out[4] = (unsigned char)(seq_num.low >> 24); |
| 417 + out[5] = (unsigned char)(seq_num.low >> 16); |
| 418 + out[6] = (unsigned char)(seq_num.low >> 8); |
| 419 + out[7] = (unsigned char)(seq_num.low >> 0); |
| 420 + out[8] = type; |
| 421 + |
| 422 + /* SSL3 MAC doesn't include the record's version field. */ |
| 423 + if (!includesVersion) { |
| 424 + out[9] = MSB(length); |
| 425 + out[10] = LSB(length); |
| 426 + return 11; |
| 427 + } |
| 428 + |
| 429 + /* TLS MAC and AEAD additional data include version. */ |
| 430 + if (isDTLS) { |
| 431 + SSL3ProtocolVersion dtls_version; |
| 432 + |
| 433 + dtls_version = dtls_TLSVersionToDTLSVersion(version); |
| 434 + out[9] = MSB(dtls_version); |
| 435 + out[10] = LSB(dtls_version); |
| 436 + } else { |
| 437 + out[9] = MSB(version); |
| 438 + out[10] = LSB(version); |
| 439 + } |
| 440 + out[11] = MSB(length); |
| 441 + out[12] = LSB(length); |
| 442 + return 13; |
| 443 +} |
| 444 + |
| 445 +static SECStatus |
| 446 +ssl3_AESGCM(ssl3KeyMaterial *keys, |
| 447 + PRBool doDecrypt, |
| 448 + unsigned char *out, |
| 449 + int *outlen, |
| 450 + int maxout, |
| 451 + const unsigned char *in, |
| 452 + int inlen, |
| 453 + SSL3ContentType type, |
| 454 + SSL3ProtocolVersion version, |
| 455 + SSL3SequenceNumber seq_num) |
| 456 +{ |
| 457 + SECItem param; |
| 458 + SECStatus rv = SECFailure; |
| 459 + unsigned char nonce[12]; |
| 460 + unsigned char additionalData[13]; |
| 461 + unsigned int additionalDataLen; |
| 462 + unsigned int uOutLen; |
| 463 + CK_GCM_PARAMS gcmParams; |
| 464 + |
| 465 + static const int tagSize = 16; |
| 466 + static const int explicitNonceLen = 8; |
| 467 + |
| 468 + /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the |
| 469 + * definition of the AEAD additional data. */ |
| 470 + additionalDataLen = ssl3_BuildRecordPseudoHeader( |
| 471 + additionalData, seq_num, type, PR_TRUE /* includes version */, |
| 472 + version, PR_FALSE /* not DTLS */, |
| 473 + inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); |
| 474 + PORT_Assert(additionalDataLen <= sizeof(additionalData)); |
| 475 + |
| 476 + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
| 477 + * nonce is formed. */ |
| 478 + memcpy(nonce, keys->write_iv, 4); |
| 479 + if (doDecrypt) { |
| 480 + memcpy(nonce + 4, in, explicitNonceLen); |
| 481 + in += explicitNonceLen; |
| 482 + inlen -= explicitNonceLen; |
| 483 + *outlen = 0; |
| 484 + } else { |
| 485 + if (maxout < explicitNonceLen) { |
| 486 + PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 487 + return SECFailure; |
| 488 + } |
| 489 + /* Use the 64-bit sequence number as the explicit nonce. */ |
| 490 + memcpy(nonce + 4, additionalData, explicitNonceLen); |
| 491 + memcpy(out, additionalData, explicitNonceLen); |
| 492 + out += explicitNonceLen; |
| 493 + maxout -= explicitNonceLen; |
| 494 + *outlen = explicitNonceLen; |
| 495 + } |
| 496 + |
| 497 + param.type = siBuffer; |
| 498 + param.data = (unsigned char *) &gcmParams; |
| 499 + param.len = sizeof(gcmParams); |
| 500 + gcmParams.pIv = nonce; |
| 501 + gcmParams.ulIvLen = sizeof(nonce); |
| 502 + gcmParams.pAAD = additionalData; |
| 503 + gcmParams.ulAADLen = additionalDataLen; |
| 504 + gcmParams.ulTagBits = tagSize * 8; |
| 505 + |
| 506 + if (doDecrypt) { |
| 507 + rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
| 508 + maxout, in, inlen); |
| 509 + } else { |
| 510 + rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
| 511 + maxout, in, inlen); |
| 512 + } |
| 513 + *outlen += (int) uOutLen; |
| 514 + |
| 515 + return rv; |
| 516 +} |
| 517 + |
| 518 +#ifndef NO_PKCS11_BYPASS |
| 519 +static SECStatus |
| 520 +ssl3_AESGCMBypass(ssl3KeyMaterial *keys, |
| 521 + PRBool doDecrypt, |
| 522 + unsigned char *out, |
| 523 + int *outlen, |
| 524 + int maxout, |
| 525 + const unsigned char *in, |
| 526 + int inlen, |
| 527 + SSL3ContentType type, |
| 528 + SSL3ProtocolVersion version, |
| 529 + SSL3SequenceNumber seq_num) |
| 530 +{ |
| 531 + SECStatus rv = SECFailure; |
| 532 + unsigned char nonce[12]; |
| 533 + unsigned char additionalData[13]; |
| 534 + unsigned int additionalDataLen; |
| 535 + unsigned int uOutLen; |
| 536 + AESContext *cx; |
| 537 + CK_GCM_PARAMS gcmParams; |
| 538 + |
| 539 + static const int tagSize = 16; |
| 540 + static const int explicitNonceLen = 8; |
| 541 + |
| 542 + /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the |
| 543 + * definition of the AEAD additional data. */ |
| 544 + additionalDataLen = ssl3_BuildRecordPseudoHeader( |
| 545 + additionalData, seq_num, type, PR_TRUE /* includes version */, |
| 546 + version, PR_FALSE /* not DTLS */, |
| 547 + inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); |
| 548 + PORT_Assert(additionalDataLen <= sizeof(additionalData)); |
| 549 + |
| 550 + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
| 551 + * nonce is formed. */ |
| 552 + PORT_Assert(keys->write_iv_item.len == 4); |
| 553 + if (keys->write_iv_item.len != 4) { |
| 554 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 555 + return SECFailure; |
| 556 + } |
| 557 + memcpy(nonce, keys->write_iv_item.data, 4); |
| 558 + if (doDecrypt) { |
| 559 + memcpy(nonce + 4, in, explicitNonceLen); |
| 560 + in += explicitNonceLen; |
| 561 + inlen -= explicitNonceLen; |
| 562 + *outlen = 0; |
| 563 + } else { |
| 564 + if (maxout < explicitNonceLen) { |
| 565 + PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 566 + return SECFailure; |
| 567 + } |
| 568 + /* Use the 64-bit sequence number as the explicit nonce. */ |
| 569 + memcpy(nonce + 4, additionalData, explicitNonceLen); |
| 570 + memcpy(out, additionalData, explicitNonceLen); |
| 571 + out += explicitNonceLen; |
| 572 + maxout -= explicitNonceLen; |
| 573 + *outlen = explicitNonceLen; |
| 574 + } |
| 575 + |
| 576 + gcmParams.pIv = nonce; |
| 577 + gcmParams.ulIvLen = sizeof(nonce); |
| 578 + gcmParams.pAAD = additionalData; |
| 579 + gcmParams.ulAADLen = additionalDataLen; |
| 580 + gcmParams.ulTagBits = tagSize * 8; |
| 581 + |
| 582 + cx = (AESContext *)keys->cipher_context; |
| 583 + rv = AES_InitContext(cx, keys->write_key_item.data, |
| 584 + keys->write_key_item.len, |
| 585 + (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, |
| 586 + AES_BLOCK_SIZE); |
| 587 + if (rv != SECSuccess) { |
| 588 + return rv; |
| 589 + } |
| 590 + if (doDecrypt) { |
| 591 + rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen); |
| 592 + } else { |
| 593 + rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen); |
| 594 + } |
| 595 + AES_DestroyContext(cx, PR_FALSE); |
| 596 + *outlen += (int) uOutLen; |
| 597 + |
| 598 + return rv; |
| 599 +} |
| 600 +#endif |
| 601 + |
| 602 /* Initialize encryption and MAC contexts for pending spec. |
| 603 * Master Secret already is derived. |
| 604 * Caller holds Spec write lock. |
| 605 @@ -1748,14 +1991,27 @@ |
| 606 pwSpec = ss->ssl3.pwSpec; |
| 607 cipher_def = pwSpec->cipher_def; |
| 608 macLength = pwSpec->mac_size; |
| 609 + calg = cipher_def->calg; |
| 610 + PORT_Assert(alg2Mech[calg].calg == calg); |
| 611 |
| 612 + pwSpec->client.write_mac_context = NULL; |
| 613 + pwSpec->server.write_mac_context = NULL; |
| 614 + |
| 615 + if (calg == calg_aes_gcm) { |
| 616 + pwSpec->encode = NULL; |
| 617 + pwSpec->decode = NULL; |
| 618 + pwSpec->destroy = NULL; |
| 619 + pwSpec->encodeContext = NULL; |
| 620 + pwSpec->decodeContext = NULL; |
| 621 + pwSpec->aead = ssl3_AESGCM; |
| 622 + return SECSuccess; |
| 623 + } |
| 624 + |
| 625 /* |
| 626 ** Now setup the MAC contexts, |
| 627 ** crypto contexts are setup below. |
| 628 */ |
| 629 |
| 630 - pwSpec->client.write_mac_context = NULL; |
| 631 - pwSpec->server.write_mac_context = NULL; |
| 632 mac_mech = pwSpec->mac_def->mmech; |
| 633 mac_param.data = (unsigned char *)&macLength; |
| 634 mac_param.len = sizeof(macLength); |
| 635 @@ -1778,9 +2034,6 @@ |
| 636 ** Now setup the crypto contexts. |
| 637 */ |
| 638 |
| 639 - calg = cipher_def->calg; |
| 640 - PORT_Assert(alg2Mech[calg].calg == calg); |
| 641 - |
| 642 if (calg == calg_null) { |
| 643 pwSpec->encode = Null_Cipher; |
| 644 pwSpec->decode = Null_Cipher; |
| 645 @@ -1999,55 +2252,21 @@ |
| 646 { |
| 647 const ssl3MACDef * mac_def; |
| 648 SECStatus rv; |
| 649 -#ifndef NO_PKCS11_BYPASS |
| 650 PRBool isTLS; |
| 651 -#endif |
| 652 unsigned int tempLen; |
| 653 unsigned char temp[MAX_MAC_LENGTH]; |
| 654 |
| 655 - temp[0] = (unsigned char)(seq_num.high >> 24); |
| 656 - temp[1] = (unsigned char)(seq_num.high >> 16); |
| 657 - temp[2] = (unsigned char)(seq_num.high >> 8); |
| 658 - temp[3] = (unsigned char)(seq_num.high >> 0); |
| 659 - temp[4] = (unsigned char)(seq_num.low >> 24); |
| 660 - temp[5] = (unsigned char)(seq_num.low >> 16); |
| 661 - temp[6] = (unsigned char)(seq_num.low >> 8); |
| 662 - temp[7] = (unsigned char)(seq_num.low >> 0); |
| 663 - temp[8] = type; |
| 664 - |
| 665 /* TLS MAC includes the record's version field, SSL's doesn't. |
| 666 ** We decide which MAC defintiion to use based on the version of |
| 667 ** the protocol that was negotiated when the spec became current, |
| 668 ** NOT based on the version value in the record itself. |
| 669 - ** But, we use the record'v version value in the computation. |
| 670 + ** But, we use the record's version value in the computation. |
| 671 */ |
| 672 - if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
| 673 - temp[9] = MSB(inputLength); |
| 674 - temp[10] = LSB(inputLength); |
| 675 - tempLen = 11; |
| 676 -#ifndef NO_PKCS11_BYPASS |
| 677 - isTLS = PR_FALSE; |
| 678 -#endif |
| 679 - } else { |
| 680 - /* New TLS hash includes version. */ |
| 681 - if (isDTLS) { |
| 682 - SSL3ProtocolVersion dtls_version; |
| 683 + isTLS = spec->version > SSL_LIBRARY_VERSION_3_0; |
| 684 + tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS, |
| 685 + version, isDTLS, inputLength); |
| 686 + PORT_Assert(tempLen <= sizeof(temp)); |
| 687 |
| 688 - dtls_version = dtls_TLSVersionToDTLSVersion(version); |
| 689 - temp[9] = MSB(dtls_version); |
| 690 - temp[10] = LSB(dtls_version); |
| 691 - } else { |
| 692 - temp[9] = MSB(version); |
| 693 - temp[10] = LSB(version); |
| 694 - } |
| 695 - temp[11] = MSB(inputLength); |
| 696 - temp[12] = LSB(inputLength); |
| 697 - tempLen = 13; |
| 698 -#ifndef NO_PKCS11_BYPASS |
| 699 - isTLS = PR_TRUE; |
| 700 -#endif |
| 701 - } |
| 702 - |
| 703 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); |
| 704 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); |
| 705 |
| 706 @@ -2390,86 +2609,112 @@ |
| 707 contentLen = outlen; |
| 708 } |
| 709 |
| 710 - /* |
| 711 - * Add the MAC |
| 712 - */ |
| 713 - rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, |
| 714 - type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
| 715 - wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
| 716 - if (rv != SECSuccess) { |
| 717 - ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
| 718 - return SECFailure; |
| 719 - } |
| 720 - p1Len = contentLen; |
| 721 - p2Len = macLen; |
| 722 - fragLen = contentLen + macLen; /* needs to be encrypted */ |
| 723 - PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
| 724 + if (cipher_def->type == type_aead) { |
| 725 + const int nonceLen = cipher_def->explicit_nonce_size; |
| 726 + const int tagLen = cipher_def->tag_size; |
| 727 |
| 728 - /* |
| 729 - * Pad the text (if we're doing a block cipher) |
| 730 - * then Encrypt it |
| 731 - */ |
| 732 - if (cipher_def->type == type_block) { |
| 733 - unsigned char * pBuf; |
| 734 - int padding_length; |
| 735 - int i; |
| 736 + if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { |
| 737 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 738 + return SECFailure; |
| 739 + } |
| 740 |
| 741 - oddLen = contentLen % cipher_def->block_size; |
| 742 - /* Assume blockSize is a power of two */ |
| 743 - padding_length = cipher_def->block_size - 1 - |
| 744 - ((fragLen) & (cipher_def->block_size - 1)); |
| 745 - fragLen += padding_length + 1; |
| 746 - PORT_Assert((fragLen % cipher_def->block_size) == 0); |
| 747 - |
| 748 - /* Pad according to TLS rules (also acceptable to SSL3). */ |
| 749 - pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; |
| 750 - for (i = padding_length + 1; i > 0; --i) { |
| 751 - *pBuf-- = padding_length; |
| 752 + cipherBytes = contentLen; |
| 753 + rv = cwSpec->aead( |
| 754 + isServer ? &cwSpec->server : &cwSpec->client, |
| 755 + PR_FALSE, /* do encrypt */ |
| 756 + wrBuf->buf + headerLen, /* output */ |
| 757 + &cipherBytes, /* out len */ |
| 758 + wrBuf->space - headerLen, /* max out */ |
| 759 + pIn, contentLen, /* input */ |
| 760 + type, cwSpec->version, cwSpec->write_seq_num); |
| 761 + if (rv != SECSuccess) { |
| 762 + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 763 + return SECFailure; |
| 764 } |
| 765 - /* now, if contentLen is not a multiple of block size, fix it */ |
| 766 - p2Len = fragLen - p1Len; |
| 767 - } |
| 768 - if (p1Len < 256) { |
| 769 - oddLen = p1Len; |
| 770 - p1Len = 0; |
| 771 } else { |
| 772 - p1Len -= oddLen; |
| 773 - } |
| 774 - if (oddLen) { |
| 775 - p2Len += oddLen; |
| 776 - PORT_Assert( (cipher_def->block_size < 2) || \ |
| 777 - (p2Len % cipher_def->block_size) == 0); |
| 778 - memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen); |
| 779 - } |
| 780 - if (p1Len > 0) { |
| 781 - int cipherBytesPart1 = -1; |
| 782 - rv = cwSpec->encode( cwSpec->encodeContext, |
| 783 - wrBuf->buf + headerLen + ivLen, /* output */ |
| 784 - &cipherBytesPart1, /* actual outlen */ |
| 785 - p1Len, /* max outlen */ |
| 786 - pIn, p1Len); /* input, and inputlen */ |
| 787 - PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); |
| 788 - if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { |
| 789 - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 790 + /* |
| 791 + * Add the MAC |
| 792 + */ |
| 793 + rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, |
| 794 + type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
| 795 + wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
| 796 + if (rv != SECSuccess) { |
| 797 + ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
| 798 return SECFailure; |
| 799 } |
| 800 - cipherBytes += cipherBytesPart1; |
| 801 + p1Len = contentLen; |
| 802 + p2Len = macLen; |
| 803 + fragLen = contentLen + macLen; /* needs to be encrypted */ |
| 804 + PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
| 805 + |
| 806 + /* |
| 807 + * Pad the text (if we're doing a block cipher) |
| 808 + * then Encrypt it |
| 809 + */ |
| 810 + if (cipher_def->type == type_block) { |
| 811 + unsigned char * pBuf; |
| 812 + int padding_length; |
| 813 + int i; |
| 814 + |
| 815 + oddLen = contentLen % cipher_def->block_size; |
| 816 + /* Assume blockSize is a power of two */ |
| 817 + padding_length = cipher_def->block_size - 1 - |
| 818 + ((fragLen) & (cipher_def->block_size - 1)); |
| 819 + fragLen += padding_length + 1; |
| 820 + PORT_Assert((fragLen % cipher_def->block_size) == 0); |
| 821 + |
| 822 + /* Pad according to TLS rules (also acceptable to SSL3). */ |
| 823 + pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; |
| 824 + for (i = padding_length + 1; i > 0; --i) { |
| 825 + *pBuf-- = padding_length; |
| 826 + } |
| 827 + /* now, if contentLen is not a multiple of block size, fix it */ |
| 828 + p2Len = fragLen - p1Len; |
| 829 + } |
| 830 + if (p1Len < 256) { |
| 831 + oddLen = p1Len; |
| 832 + p1Len = 0; |
| 833 + } else { |
| 834 + p1Len -= oddLen; |
| 835 + } |
| 836 + if (oddLen) { |
| 837 + p2Len += oddLen; |
| 838 + PORT_Assert( (cipher_def->block_size < 2) || \ |
| 839 + (p2Len % cipher_def->block_size) == 0); |
| 840 + memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, |
| 841 + oddLen); |
| 842 + } |
| 843 + if (p1Len > 0) { |
| 844 + int cipherBytesPart1 = -1; |
| 845 + rv = cwSpec->encode( cwSpec->encodeContext, |
| 846 + wrBuf->buf + headerLen + ivLen, /* output */ |
| 847 + &cipherBytesPart1, /* actual outlen */ |
| 848 + p1Len, /* max outlen */ |
| 849 + pIn, p1Len); /* input, and inputlen */ |
| 850 + PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); |
| 851 + if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { |
| 852 + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 853 + return SECFailure; |
| 854 + } |
| 855 + cipherBytes += cipherBytesPart1; |
| 856 + } |
| 857 + if (p2Len > 0) { |
| 858 + int cipherBytesPart2 = -1; |
| 859 + rv = cwSpec->encode( cwSpec->encodeContext, |
| 860 + wrBuf->buf + headerLen + ivLen + p1Len, |
| 861 + &cipherBytesPart2, /* output and actual outLen */ |
| 862 + p2Len, /* max outlen */ |
| 863 + wrBuf->buf + headerLen + ivLen + p1Len, |
| 864 + p2Len); /* input and inputLen*/ |
| 865 + PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); |
| 866 + if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { |
| 867 + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 868 + return SECFailure; |
| 869 + } |
| 870 + cipherBytes += cipherBytesPart2; |
| 871 + } |
| 872 } |
| 873 - if (p2Len > 0) { |
| 874 - int cipherBytesPart2 = -1; |
| 875 - rv = cwSpec->encode( cwSpec->encodeContext, |
| 876 - wrBuf->buf + headerLen + ivLen + p1Len, |
| 877 - &cipherBytesPart2, /* output and actual outLen */ |
| 878 - p2Len, /* max outlen */ |
| 879 - wrBuf->buf + headerLen + ivLen + p1Len, |
| 880 - p2Len); /* input and inputLen*/ |
| 881 - PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); |
| 882 - if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { |
| 883 - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
| 884 - return SECFailure; |
| 885 - } |
| 886 - cipherBytes += cipherBytesPart2; |
| 887 - } |
| 888 + |
| 889 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
| 890 |
| 891 wrBuf->len = cipherBytes + headerLen; |
| 892 @@ -3012,9 +3257,6 @@ |
| 893 static SECStatus |
| 894 ssl3_IllegalParameter(sslSocket *ss) |
| 895 { |
| 896 - PRBool isTLS; |
| 897 - |
| 898 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 899 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); |
| 900 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT |
| 901 : SSL_ERROR_BAD_SERVER ); |
| 902 @@ -3538,7 +3780,6 @@ |
| 903 } |
| 904 |
| 905 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); |
| 906 - /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */ |
| 907 |
| 908 key_material_params.RandomInfo.pClientRandom = cr; |
| 909 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; |
| 910 @@ -9946,7 +10187,6 @@ |
| 911 static void |
| 912 ssl3_RecordKeyLog(sslSocket *ss) |
| 913 { |
| 914 - sslSessionID *sid; |
| 915 SECStatus rv; |
| 916 SECItem *keyData; |
| 917 char buf[14 /* "CLIENT_RANDOM " */ + |
| 918 @@ -9958,8 +10198,6 @@ |
| 919 |
| 920 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 921 |
| 922 - sid = ss->sec.ci.sid; |
| 923 - |
| 924 if (!ssl_keylog_iob) |
| 925 return; |
| 926 |
| 927 @@ -11171,12 +11409,14 @@ |
| 928 /* With >= TLS 1.1, CBC records have an explicit IV. */ |
| 929 minLength += cipher_def->iv_size; |
| 930 } |
| 931 + } else if (cipher_def->type == type_aead) { |
| 932 + minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size; |
| 933 } |
| 934 |
| 935 /* We can perform this test in variable time because the record's total |
| 936 * length and the ciphersuite are both public knowledge. */ |
| 937 if (cText->buf->len < minLength) { |
| 938 - goto decrypt_loser; |
| 939 + goto decrypt_loser; |
| 940 } |
| 941 |
| 942 if (cipher_def->type == type_block && |
| 943 @@ -11244,78 +11484,95 @@ |
| 944 return SECFailure; |
| 945 } |
| 946 |
| 947 - if (cipher_def->type == type_block && |
| 948 - ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { |
| 949 - goto decrypt_loser; |
| 950 - } |
| 951 + rType = cText->type; |
| 952 + if (cipher_def->type == type_aead) { |
| 953 + rv = crSpec->aead( |
| 954 + ss->sec.isServer ? &crSpec->client : &crSpec->server, |
| 955 + PR_TRUE, /* do decrypt */ |
| 956 + plaintext->buf, /* out */ |
| 957 + (int*) &plaintext->len, /* outlen */ |
| 958 + plaintext->space, /* maxout */ |
| 959 + cText->buf->buf, /* in */ |
| 960 + cText->buf->len, /* inlen */ |
| 961 + rType, /* record type */ |
| 962 + cText->version, |
| 963 + IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num); |
| 964 + if (rv != SECSuccess) { |
| 965 + good = 0; |
| 966 + } |
| 967 + } else { |
| 968 + if (cipher_def->type == type_block && |
| 969 + ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { |
| 970 + goto decrypt_loser; |
| 971 + } |
| 972 |
| 973 - /* decrypt from cText buf to plaintext. */ |
| 974 - rv = crSpec->decode( |
| 975 - crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, |
| 976 - plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); |
| 977 - if (rv != SECSuccess) { |
| 978 - goto decrypt_loser; |
| 979 - } |
| 980 + /* decrypt from cText buf to plaintext. */ |
| 981 + rv = crSpec->decode( |
| 982 + crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, |
| 983 + plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); |
| 984 + if (rv != SECSuccess) { |
| 985 + goto decrypt_loser; |
| 986 + } |
| 987 |
| 988 - PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); |
| 989 + PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); |
| 990 |
| 991 - originalLen = plaintext->len; |
| 992 + originalLen = plaintext->len; |
| 993 |
| 994 - /* If it's a block cipher, check and strip the padding. */ |
| 995 - if (cipher_def->type == type_block) { |
| 996 - const unsigned int blockSize = cipher_def->block_size; |
| 997 - const unsigned int macSize = crSpec->mac_size; |
| 998 + /* If it's a block cipher, check and strip the padding. */ |
| 999 + if (cipher_def->type == type_block) { |
| 1000 + const unsigned int blockSize = cipher_def->block_size; |
| 1001 + const unsigned int macSize = crSpec->mac_size; |
| 1002 |
| 1003 - if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { |
| 1004 - good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( |
| 1005 - plaintext, blockSize, macSize)); |
| 1006 - } else { |
| 1007 - good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( |
| 1008 - plaintext, macSize)); |
| 1009 + if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { |
| 1010 + good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( |
| 1011 + plaintext, blockSize, macSize)); |
| 1012 + } else { |
| 1013 + good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( |
| 1014 + plaintext, macSize)); |
| 1015 + } |
| 1016 } |
| 1017 - } |
| 1018 |
| 1019 - /* compute the MAC */ |
| 1020 - rType = cText->type; |
| 1021 - if (cipher_def->type == type_block) { |
| 1022 - rv = ssl3_ComputeRecordMACConstantTime( |
| 1023 - crSpec, (PRBool)(!ss->sec.isServer), |
| 1024 - IS_DTLS(ss), rType, cText->version, |
| 1025 - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
| 1026 - plaintext->buf, plaintext->len, originalLen, |
| 1027 - hash, &hashBytes); |
| 1028 + /* compute the MAC */ |
| 1029 + if (cipher_def->type == type_block) { |
| 1030 + rv = ssl3_ComputeRecordMACConstantTime( |
| 1031 + crSpec, (PRBool)(!ss->sec.isServer), |
| 1032 + IS_DTLS(ss), rType, cText->version, |
| 1033 + IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
| 1034 + plaintext->buf, plaintext->len, originalLen, |
| 1035 + hash, &hashBytes); |
| 1036 |
| 1037 - ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, |
| 1038 - crSpec->mac_size); |
| 1039 - givenHash = givenHashBuf; |
| 1040 + ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, |
| 1041 + crSpec->mac_size); |
| 1042 + givenHash = givenHashBuf; |
| 1043 |
| 1044 - /* plaintext->len will always have enough space to remove the MAC |
| 1045 - * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust |
| 1046 - * plaintext->len if the result has enough space for the MAC and we |
| 1047 - * tested the unadjusted size against minLength, above. */ |
| 1048 - plaintext->len -= crSpec->mac_size; |
| 1049 - } else { |
| 1050 - /* This is safe because we checked the minLength above. */ |
| 1051 - plaintext->len -= crSpec->mac_size; |
| 1052 + /* plaintext->len will always have enough space to remove the MAC |
| 1053 + * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust |
| 1054 + * plaintext->len if the result has enough space for the MAC and we |
| 1055 + * tested the unadjusted size against minLength, above. */ |
| 1056 + plaintext->len -= crSpec->mac_size; |
| 1057 + } else { |
| 1058 + /* This is safe because we checked the minLength above. */ |
| 1059 + plaintext->len -= crSpec->mac_size; |
| 1060 |
| 1061 - rv = ssl3_ComputeRecordMAC( |
| 1062 - crSpec, (PRBool)(!ss->sec.isServer), |
| 1063 - IS_DTLS(ss), rType, cText->version, |
| 1064 - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
| 1065 - plaintext->buf, plaintext->len, |
| 1066 - hash, &hashBytes); |
| 1067 + rv = ssl3_ComputeRecordMAC( |
| 1068 + crSpec, (PRBool)(!ss->sec.isServer), |
| 1069 + IS_DTLS(ss), rType, cText->version, |
| 1070 + IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
| 1071 + plaintext->buf, plaintext->len, |
| 1072 + hash, &hashBytes); |
| 1073 |
| 1074 - /* We can read the MAC directly from the record because its location is |
| 1075 - * public when a stream cipher is used. */ |
| 1076 - givenHash = plaintext->buf + plaintext->len; |
| 1077 - } |
| 1078 + /* We can read the MAC directly from the record because its location |
| 1079 + * is public when a stream cipher is used. */ |
| 1080 + givenHash = plaintext->buf + plaintext->len; |
| 1081 + } |
| 1082 |
| 1083 - good &= SECStatusToMask(rv); |
| 1084 + good &= SECStatusToMask(rv); |
| 1085 |
| 1086 - if (hashBytes != (unsigned)crSpec->mac_size || |
| 1087 - NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { |
| 1088 - /* We're allowed to leak whether or not the MAC check was correct */ |
| 1089 - good = 0; |
| 1090 + if (hashBytes != (unsigned)crSpec->mac_size || |
| 1091 + NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { |
| 1092 + /* We're allowed to leak whether or not the MAC check was correct */ |
| 1093 + good = 0; |
| 1094 + } |
| 1095 } |
| 1096 |
| 1097 if (good == 0) { |
| 1098 Index: net/third_party/nss/ssl/sslenum.c |
| 1099 =================================================================== |
| 1100 --- net/third_party/nss/ssl/sslenum.c (revision 215189) |
| 1101 +++ net/third_party/nss/ssl/sslenum.c (working copy) |
| 1102 @@ -29,6 +29,14 @@ |
| 1103 * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h. |
| 1104 */ |
| 1105 const PRUint16 SSL_ImplementedCiphers[] = { |
| 1106 + /* AES-GCM */ |
| 1107 +#ifdef NSS_ENABLE_ECC |
| 1108 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
| 1109 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
| 1110 +#endif /* NSS_ENABLE_ECC */ |
| 1111 + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, |
| 1112 + TLS_RSA_WITH_AES_128_GCM_SHA256, |
| 1113 + |
| 1114 /* 256-bit */ |
| 1115 #ifdef NSS_ENABLE_ECC |
| 1116 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
| 1117 Index: net/third_party/nss/ssl/sslproto.h |
| 1118 =================================================================== |
| 1119 --- net/third_party/nss/ssl/sslproto.h (revision 215189) |
| 1120 +++ net/third_party/nss/ssl/sslproto.h (working copy) |
| 1121 @@ -162,6 +162,10 @@ |
| 1122 |
| 1123 #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 |
| 1124 |
| 1125 +#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C |
| 1126 +#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E |
| 1127 +#define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 |
| 1128 + |
| 1129 /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client. |
| 1130 * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending |
| 1131 * back an empty Renegotiation Info (RI) server hello extension. |
| 1132 @@ -204,6 +208,11 @@ |
| 1133 #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 |
| 1134 #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 |
| 1135 |
| 1136 +#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B |
| 1137 +#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D |
| 1138 +#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F |
| 1139 +#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 |
| 1140 + |
| 1141 /* Netscape "experimental" cipher suites. */ |
| 1142 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0 |
| 1143 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1 |
| 1144 Index: net/third_party/nss/ssl/sslt.h |
| 1145 =================================================================== |
| 1146 --- net/third_party/nss/ssl/sslt.h (revision 215189) |
| 1147 +++ net/third_party/nss/ssl/sslt.h (working copy) |
| 1148 @@ -91,9 +91,10 @@ |
| 1149 ssl_calg_3des = 4, |
| 1150 ssl_calg_idea = 5, |
| 1151 ssl_calg_fortezza = 6, /* deprecated, now unused */ |
| 1152 - ssl_calg_aes = 7, /* coming soon */ |
| 1153 + ssl_calg_aes = 7, |
| 1154 ssl_calg_camellia = 8, |
| 1155 - ssl_calg_seed = 9 |
| 1156 + ssl_calg_seed = 9, |
| 1157 + ssl_calg_aes_gcm = 10 |
| 1158 } SSLCipherAlgorithm; |
| 1159 |
| 1160 typedef enum { |
| 1161 Index: net/third_party/nss/ssl/dtlscon.c |
| 1162 =================================================================== |
| 1163 --- net/third_party/nss/ssl/dtlscon.c (revision 215189) |
| 1164 +++ net/third_party/nss/ssl/dtlscon.c (working copy) |
| 1165 @@ -30,7 +30,14 @@ |
| 1166 |
| 1167 /* List copied from ssl3con.c:cipherSuites */ |
| 1168 static const ssl3CipherSuite nonDTLSSuites[] = { |
| 1169 + /* XXX Make AES-GCM work with DTLS. */ |
| 1170 #ifdef NSS_ENABLE_ECC |
| 1171 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
| 1172 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
| 1173 +#endif /* NSS_ENABLE_ECC */ |
| 1174 + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, |
| 1175 + TLS_RSA_WITH_AES_128_GCM_SHA256, |
| 1176 +#ifdef NSS_ENABLE_ECC |
| 1177 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
| 1178 TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
| 1179 #endif /* NSS_ENABLE_ECC */ |
OLD | NEW |