Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(165)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/patches/aesgcm.patch

Issue 21696002: Implement the AES GCM cipher suites for TLS. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Add a TODO to README.chromium to remove cbc.patch Created 7 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/third_party/nss/README.chromium ('k') | net/third_party/nss/patches/aesgcmchromium.patch » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 Index: net/third_party/nss/ssl/sslinfo.c
2 ===================================================================
3 --- net/third_party/nss/ssl/sslinfo.c (revision 215189)
4 +++ net/third_party/nss/ssl/sslinfo.c (working copy)
5 @@ -109,7 +109,7 @@
6 #define K_ECDHE "ECDHE", kt_ecdh
7
8 #define C_SEED "SEED", calg_seed
9 -#define C_CAMELLIA "CAMELLIA", calg_camellia
10 +#define C_CAMELLIA "CAMELLIA", calg_camellia
11 #define C_AES "AES", calg_aes
12 #define C_RC4 "RC4", calg_rc4
13 #define C_RC2 "RC2", calg_rc2
14 @@ -117,6 +117,7 @@
15 #define C_3DES "3DES", calg_3des
16 #define C_NULL "NULL", calg_null
17 #define C_SJ "SKIPJACK", calg_sj
18 +#define C_AESGCM "AES-GCM", calg_aes_gcm
19
20 #define B_256 256, 256, 256
21 #define B_128 128, 128, 128
22 @@ -130,9 +131,12 @@
23 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256
24 #define M_SHA "SHA1", ssl_mac_sha, 160
25 #define M_MD5 "MD5", ssl_mac_md5, 128
26 +#define M_NULL "NULL", ssl_mac_null, 0
27
28 static const SSLCipherSuiteInfo suiteInfo[] = {
29 /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC> <FIPS> */
30 +{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_ NULL, 1, 0, 0, },
31 +
32 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
33 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
34 {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA 256, 1, 0, 0, },
35 @@ -146,6 +150,7 @@
36 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
37 {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA , 0, 0, 0, },
38 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA 256, 1, 0, 0, },
39 +{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_ NULL, 1, 0, 0, },
40 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA , 1, 0, 0, },
41 {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA , 1, 0, 0, },
42 {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA , 1, 0, 0, },
43 @@ -175,6 +180,9 @@
44
45 #ifdef NSS_ENABLE_ECC
46 /* ECC cipher suites */
47 +{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, },
48 +{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_1 28, M_NULL, 1, 0, 0, },
49 +
50 {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_S HA, 0, 0, 0, },
51 {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_ SHA, 0, 0, 0, },
52 {0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
53 Index: net/third_party/nss/ssl/sslimpl.h
54 ===================================================================
55 --- net/third_party/nss/ssl/sslimpl.h (revision 215189)
56 +++ net/third_party/nss/ssl/sslimpl.h (working copy)
57 @@ -64,6 +64,7 @@
58 #define calg_aes ssl_calg_aes
59 #define calg_camellia ssl_calg_camellia
60 #define calg_seed ssl_calg_seed
61 +#define calg_aes_gcm ssl_calg_aes_gcm
62
63 #define mac_null ssl_mac_null
64 #define mac_md5 ssl_mac_md5
65 @@ -290,9 +291,9 @@
66 } ssl3CipherSuiteCfg;
67
68 #ifdef NSS_ENABLE_ECC
69 -#define ssl_V3_SUITES_IMPLEMENTED 57
70 +#define ssl_V3_SUITES_IMPLEMENTED 61
71 #else
72 -#define ssl_V3_SUITES_IMPLEMENTED 35
73 +#define ssl_V3_SUITES_IMPLEMENTED 37
74 #endif /* NSS_ENABLE_ECC */
75
76 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
77 @@ -440,20 +441,6 @@
78 #define GS_DATA 3
79 #define GS_PAD 4
80
81 -typedef SECStatus (*SSLCipher)(void * context,
82 - unsigned char * out,
83 - int * outlen,
84 - int maxout,
85 - const unsigned char *in,
86 - int inlen);
87 -typedef SECStatus (*SSLCompressor)(void * context,
88 - unsigned char * out,
89 - int * outlen,
90 - int maxout,
91 - const unsigned char *in,
92 - int inlen);
93 -typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
94 -
95 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32)
96 typedef PCERT_KEY_CONTEXT PlatformKey;
97 #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX)
98 @@ -485,11 +472,12 @@
99 cipher_camellia_128,
100 cipher_camellia_256,
101 cipher_seed,
102 + cipher_aes_128_gcm,
103 cipher_missing /* reserved for no such supported cipher */
104 /* This enum must match ssl3_cipherName[] in ssl3con.c. */
105 } SSL3BulkCipher;
106
107 -typedef enum { type_stream, type_block } CipherType;
108 +typedef enum { type_stream, type_block, type_aead } CipherType;
109
110 #define MAX_IV_LENGTH 24
111
112 @@ -531,6 +519,31 @@
113 PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS];
114 } ssl3KeyMaterial;
115
116 +typedef SECStatus (*SSLCipher)(void * context,
117 + unsigned char * out,
118 + int * outlen,
119 + int maxout,
120 + const unsigned char *in,
121 + int inlen);
122 +typedef SECStatus (*SSLAEADCipher)(
123 + ssl3KeyMaterial * keys,
124 + PRBool doDecrypt,
125 + unsigned char * out,
126 + int * outlen,
127 + int maxout,
128 + const unsigned char *in,
129 + int inlen,
130 + SSL3ContentType type,
131 + SSL3ProtocolVersion version,
132 + SSL3SequenceNumber seqnum);
133 +typedef SECStatus (*SSLCompressor)(void * context,
134 + unsigned char * out,
135 + int * outlen,
136 + int maxout,
137 + const unsigned char *in,
138 + int inlen);
139 +typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
140 +
141 /* The DTLS anti-replay window. Defined here because we need it in
142 * the cipher spec. Note that this is a ring buffer but left and
143 * right represent the true window, with modular arithmetic used to
144 @@ -557,6 +570,7 @@
145 int mac_size;
146 SSLCipher encode;
147 SSLCipher decode;
148 + SSLAEADCipher aead;
149 SSLDestroy destroy;
150 void * encodeContext;
151 void * decodeContext;
152 @@ -706,8 +720,6 @@
153 PRBool tls_keygen;
154 } ssl3KEADef;
155
156 -typedef enum { kg_null, kg_strong, kg_export } SSL3KeyGenMode;
157 -
158 /*
159 ** There are tables of these, all const.
160 */
161 @@ -719,7 +731,8 @@
162 CipherType type;
163 int iv_size;
164 int block_size;
165 - SSL3KeyGenMode keygen_mode;
166 + int tag_size; /* authentication tag size for AEAD ciphers. */
167 + int explicit_nonce_size; /* for AEAD ciphers. */
168 };
169
170 /*
171 Index: net/third_party/nss/ssl/ssl3ecc.c
172 ===================================================================
173 --- net/third_party/nss/ssl/ssl3ecc.c (revision 215189)
174 +++ net/third_party/nss/ssl/ssl3ecc.c (working copy)
175 @@ -911,6 +911,7 @@
176 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
177 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
178 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
179 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
180 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
181 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
182 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
183 @@ -921,6 +922,7 @@
184 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
185 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
186 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
187 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
188 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
189 TLS_ECDHE_RSA_WITH_NULL_SHA,
190 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
191 @@ -932,12 +934,14 @@
192 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
193 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
194 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
195 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
196 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
197 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
198 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
199 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
200 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
201 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
202 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
203 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
204 TLS_ECDHE_RSA_WITH_NULL_SHA,
205 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
206 Index: net/third_party/nss/ssl/sslsock.c
207 ===================================================================
208 --- net/third_party/nss/ssl/sslsock.c (revision 215189)
209 +++ net/third_party/nss/ssl/sslsock.c (working copy)
210 @@ -67,8 +67,10 @@
211 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
212 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
213 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
214 + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
215 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
216 { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
217 + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
218 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
219 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
220 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
221 @@ -94,6 +96,7 @@
222 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
223 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
224 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
225 + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
226 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
227 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
228 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
229 @@ -105,6 +108,7 @@
230 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
231 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
232 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
233 + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
234 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
235 #endif /* NSS_ENABLE_ECC */
236 { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
237 Index: net/third_party/nss/ssl/ssl3con.c
238 ===================================================================
239 --- net/third_party/nss/ssl/ssl3con.c (revision 215189)
240 +++ net/third_party/nss/ssl/ssl3con.c (working copy)
241 @@ -78,6 +78,14 @@
242 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
243 int maxOutputLen, const unsigned char *input,
244 int inputLen);
245 +#ifndef NO_PKCS11_BYPASS
246 +static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
247 + unsigned char *out, int *outlen, int maxout,
248 + const unsigned char *in, int inlen,
249 + SSL3ContentType type,
250 + SSL3ProtocolVersion version,
251 + SSL3SequenceNumber seq_num);
252 +#endif
253
254 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
255 #define MIN_SEND_BUF_LENGTH 4000
256 @@ -90,6 +98,13 @@
257 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
258 /* cipher_suite policy enabled is_present* /
259 #ifdef NSS_ENABLE_ECC
260 + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
261 + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
262 +#endif /* NSS_ENABLE_ECC */
263 + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
264 + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
265 +
266 +#ifdef NSS_ENABLE_ECC
267 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
268 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
269 #endif /* NSS_ENABLE_ECC */
270 @@ -233,23 +248,30 @@
271
272 /* indexed by SSL3BulkCipher */
273 static const ssl3BulkCipherDef bulk_cipher_defs[] = {
274 - /* cipher calg keySz secretSz type ivSz BlkSz keygen */
275 - {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null},
276 - {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong},
277 - {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export},
278 - {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export},
279 - {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong},
280 - {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export},
281 - {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong},
282 - {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong},
283 - {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export},
284 - {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong},
285 - {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong},
286 - {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong},
287 - {cipher_camellia_128, calg_camellia,16, 16, type_block, 16,16, kg_strong},
288 - {cipher_camellia_256, calg_camellia,32, 32, type_block, 16,16, kg_strong},
289 - {cipher_seed, calg_seed, 16, 16, type_block, 16,16, kg_strong},
290 - {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null},
291 + /* |--------- Lengths --------| */
292 + /* cipher calg k s type i b t n */
293 + /* e e v l a o */
294 + /* y c | o g n */
295 + /* | r | c | c */
296 + /* | e | k | e */
297 + /* | t | | | | */
298 + {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
299 + {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0},
300 + {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0},
301 + {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0},
302 + {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0},
303 + {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0},
304 + {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0},
305 + {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0},
306 + {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0},
307 + {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0},
308 + {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0},
309 + {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0},
310 + {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0},
311 + {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0},
312 + {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0},
313 + {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8},
314 + {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
315 };
316
317 static const ssl3KEADef kea_defs[] =
318 @@ -371,6 +393,11 @@
319 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
320 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
321
322 + {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe _rsa},
323 + {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa},
324 + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_e cdhe_rsa},
325 + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea _ecdhe_ecdsa},
326 +
327 #ifdef NSS_ENABLE_ECC
328 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa} ,
329 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa} ,
330 @@ -434,6 +461,7 @@
331 { calg_aes , CKM_AES_CBC },
332 { calg_camellia , CKM_CAMELLIA_CBC },
333 { calg_seed , CKM_SEED_CBC },
334 + { calg_aes_gcm , CKM_AES_GCM },
335 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
336 };
337
338 @@ -472,6 +500,7 @@
339 "Camellia-128",
340 "Camellia-256",
341 "SEED-CBC",
342 + "AES-128-GCM",
343 "missing"
344 };
345
346 @@ -598,9 +627,13 @@
347 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
348 case TLS_RSA_WITH_AES_256_CBC_SHA256:
349 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
350 + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
351 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
352 + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
353 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
354 + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
355 case TLS_RSA_WITH_AES_128_CBC_SHA256:
356 + case TLS_RSA_WITH_AES_128_GCM_SHA256:
357 case TLS_RSA_WITH_NULL_SHA256:
358 return version >= SSL_LIBRARY_VERSION_TLS_1_2;
359 default:
360 @@ -1360,7 +1393,7 @@
361 cipher = suite_def->bulk_cipher_alg;
362 kea = suite_def->key_exchange_alg;
363 mac = suite_def->mac_alg;
364 - if (mac <= ssl_mac_sha && isTLS)
365 + if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS)
366 mac += 2;
367
368 ss->ssl3.hs.suite_def = suite_def;
369 @@ -1554,7 +1587,6 @@
370 unsigned int optArg2 = 0;
371 PRBool server_encrypts = ss->sec.isServer;
372 SSLCipherAlgorithm calg;
373 - SSLCompressionMethod compression_method;
374 SECStatus rv;
375
376 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
377 @@ -1565,8 +1597,18 @@
378 cipher_def = pwSpec->cipher_def;
379
380 calg = cipher_def->calg;
381 - compression_method = pwSpec->compression_method;
382
383 + if (calg == calg_aes_gcm) {
384 + pwSpec->encode = NULL;
385 + pwSpec->decode = NULL;
386 + pwSpec->destroy = NULL;
387 + pwSpec->encodeContext = NULL;
388 + pwSpec->decodeContext = NULL;
389 + pwSpec->aead = ssl3_AESGCMBypass;
390 + ssl3_InitCompressionContext(pwSpec);
391 + return SECSuccess;
392 + }
393 +
394 serverContext = pwSpec->server.cipher_context;
395 clientContext = pwSpec->client.cipher_context;
396
397 @@ -1721,6 +1763,207 @@
398 return param;
399 }
400
401 +/* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which
402 + * is included in the MAC) to |out| and returns its length. */
403 +static unsigned int
404 +ssl3_BuildRecordPseudoHeader(unsigned char *out,
405 + SSL3SequenceNumber seq_num,
406 + SSL3ContentType type,
407 + PRBool includesVersion,
408 + SSL3ProtocolVersion version,
409 + PRBool isDTLS,
410 + int length)
411 +{
412 + out[0] = (unsigned char)(seq_num.high >> 24);
413 + out[1] = (unsigned char)(seq_num.high >> 16);
414 + out[2] = (unsigned char)(seq_num.high >> 8);
415 + out[3] = (unsigned char)(seq_num.high >> 0);
416 + out[4] = (unsigned char)(seq_num.low >> 24);
417 + out[5] = (unsigned char)(seq_num.low >> 16);
418 + out[6] = (unsigned char)(seq_num.low >> 8);
419 + out[7] = (unsigned char)(seq_num.low >> 0);
420 + out[8] = type;
421 +
422 + /* SSL3 MAC doesn't include the record's version field. */
423 + if (!includesVersion) {
424 + out[9] = MSB(length);
425 + out[10] = LSB(length);
426 + return 11;
427 + }
428 +
429 + /* TLS MAC and AEAD additional data include version. */
430 + if (isDTLS) {
431 + SSL3ProtocolVersion dtls_version;
432 +
433 + dtls_version = dtls_TLSVersionToDTLSVersion(version);
434 + out[9] = MSB(dtls_version);
435 + out[10] = LSB(dtls_version);
436 + } else {
437 + out[9] = MSB(version);
438 + out[10] = LSB(version);
439 + }
440 + out[11] = MSB(length);
441 + out[12] = LSB(length);
442 + return 13;
443 +}
444 +
445 +static SECStatus
446 +ssl3_AESGCM(ssl3KeyMaterial *keys,
447 + PRBool doDecrypt,
448 + unsigned char *out,
449 + int *outlen,
450 + int maxout,
451 + const unsigned char *in,
452 + int inlen,
453 + SSL3ContentType type,
454 + SSL3ProtocolVersion version,
455 + SSL3SequenceNumber seq_num)
456 +{
457 + SECItem param;
458 + SECStatus rv = SECFailure;
459 + unsigned char nonce[12];
460 + unsigned char additionalData[13];
461 + unsigned int additionalDataLen;
462 + unsigned int uOutLen;
463 + CK_GCM_PARAMS gcmParams;
464 +
465 + static const int tagSize = 16;
466 + static const int explicitNonceLen = 8;
467 +
468 + /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
469 + * definition of the AEAD additional data. */
470 + additionalDataLen = ssl3_BuildRecordPseudoHeader(
471 + additionalData, seq_num, type, PR_TRUE /* includes version */,
472 + version, PR_FALSE /* not DTLS */,
473 + inlen - (doDecrypt ? explicitNonceLen + tagSize : 0));
474 + PORT_Assert(additionalDataLen <= sizeof(additionalData));
475 +
476 + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
477 + * nonce is formed. */
478 + memcpy(nonce, keys->write_iv, 4);
479 + if (doDecrypt) {
480 + memcpy(nonce + 4, in, explicitNonceLen);
481 + in += explicitNonceLen;
482 + inlen -= explicitNonceLen;
483 + *outlen = 0;
484 + } else {
485 + if (maxout < explicitNonceLen) {
486 + PORT_SetError(SEC_ERROR_INPUT_LEN);
487 + return SECFailure;
488 + }
489 + /* Use the 64-bit sequence number as the explicit nonce. */
490 + memcpy(nonce + 4, additionalData, explicitNonceLen);
491 + memcpy(out, additionalData, explicitNonceLen);
492 + out += explicitNonceLen;
493 + maxout -= explicitNonceLen;
494 + *outlen = explicitNonceLen;
495 + }
496 +
497 + param.type = siBuffer;
498 + param.data = (unsigned char *) &gcmParams;
499 + param.len = sizeof(gcmParams);
500 + gcmParams.pIv = nonce;
501 + gcmParams.ulIvLen = sizeof(nonce);
502 + gcmParams.pAAD = additionalData;
503 + gcmParams.ulAADLen = additionalDataLen;
504 + gcmParams.ulTagBits = tagSize * 8;
505 +
506 + if (doDecrypt) {
507 + rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
508 + maxout, in, inlen);
509 + } else {
510 + rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
511 + maxout, in, inlen);
512 + }
513 + *outlen += (int) uOutLen;
514 +
515 + return rv;
516 +}
517 +
518 +#ifndef NO_PKCS11_BYPASS
519 +static SECStatus
520 +ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
521 + PRBool doDecrypt,
522 + unsigned char *out,
523 + int *outlen,
524 + int maxout,
525 + const unsigned char *in,
526 + int inlen,
527 + SSL3ContentType type,
528 + SSL3ProtocolVersion version,
529 + SSL3SequenceNumber seq_num)
530 +{
531 + SECStatus rv = SECFailure;
532 + unsigned char nonce[12];
533 + unsigned char additionalData[13];
534 + unsigned int additionalDataLen;
535 + unsigned int uOutLen;
536 + AESContext *cx;
537 + CK_GCM_PARAMS gcmParams;
538 +
539 + static const int tagSize = 16;
540 + static const int explicitNonceLen = 8;
541 +
542 + /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
543 + * definition of the AEAD additional data. */
544 + additionalDataLen = ssl3_BuildRecordPseudoHeader(
545 + additionalData, seq_num, type, PR_TRUE /* includes version */,
546 + version, PR_FALSE /* not DTLS */,
547 + inlen - (doDecrypt ? explicitNonceLen + tagSize : 0));
548 + PORT_Assert(additionalDataLen <= sizeof(additionalData));
549 +
550 + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
551 + * nonce is formed. */
552 + PORT_Assert(keys->write_iv_item.len == 4);
553 + if (keys->write_iv_item.len != 4) {
554 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
555 + return SECFailure;
556 + }
557 + memcpy(nonce, keys->write_iv_item.data, 4);
558 + if (doDecrypt) {
559 + memcpy(nonce + 4, in, explicitNonceLen);
560 + in += explicitNonceLen;
561 + inlen -= explicitNonceLen;
562 + *outlen = 0;
563 + } else {
564 + if (maxout < explicitNonceLen) {
565 + PORT_SetError(SEC_ERROR_INPUT_LEN);
566 + return SECFailure;
567 + }
568 + /* Use the 64-bit sequence number as the explicit nonce. */
569 + memcpy(nonce + 4, additionalData, explicitNonceLen);
570 + memcpy(out, additionalData, explicitNonceLen);
571 + out += explicitNonceLen;
572 + maxout -= explicitNonceLen;
573 + *outlen = explicitNonceLen;
574 + }
575 +
576 + gcmParams.pIv = nonce;
577 + gcmParams.ulIvLen = sizeof(nonce);
578 + gcmParams.pAAD = additionalData;
579 + gcmParams.ulAADLen = additionalDataLen;
580 + gcmParams.ulTagBits = tagSize * 8;
581 +
582 + cx = (AESContext *)keys->cipher_context;
583 + rv = AES_InitContext(cx, keys->write_key_item.data,
584 + keys->write_key_item.len,
585 + (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt,
586 + AES_BLOCK_SIZE);
587 + if (rv != SECSuccess) {
588 + return rv;
589 + }
590 + if (doDecrypt) {
591 + rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen);
592 + } else {
593 + rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen);
594 + }
595 + AES_DestroyContext(cx, PR_FALSE);
596 + *outlen += (int) uOutLen;
597 +
598 + return rv;
599 +}
600 +#endif
601 +
602 /* Initialize encryption and MAC contexts for pending spec.
603 * Master Secret already is derived.
604 * Caller holds Spec write lock.
605 @@ -1748,14 +1991,27 @@
606 pwSpec = ss->ssl3.pwSpec;
607 cipher_def = pwSpec->cipher_def;
608 macLength = pwSpec->mac_size;
609 + calg = cipher_def->calg;
610 + PORT_Assert(alg2Mech[calg].calg == calg);
611
612 + pwSpec->client.write_mac_context = NULL;
613 + pwSpec->server.write_mac_context = NULL;
614 +
615 + if (calg == calg_aes_gcm) {
616 + pwSpec->encode = NULL;
617 + pwSpec->decode = NULL;
618 + pwSpec->destroy = NULL;
619 + pwSpec->encodeContext = NULL;
620 + pwSpec->decodeContext = NULL;
621 + pwSpec->aead = ssl3_AESGCM;
622 + return SECSuccess;
623 + }
624 +
625 /*
626 ** Now setup the MAC contexts,
627 ** crypto contexts are setup below.
628 */
629
630 - pwSpec->client.write_mac_context = NULL;
631 - pwSpec->server.write_mac_context = NULL;
632 mac_mech = pwSpec->mac_def->mmech;
633 mac_param.data = (unsigned char *)&macLength;
634 mac_param.len = sizeof(macLength);
635 @@ -1778,9 +2034,6 @@
636 ** Now setup the crypto contexts.
637 */
638
639 - calg = cipher_def->calg;
640 - PORT_Assert(alg2Mech[calg].calg == calg);
641 -
642 if (calg == calg_null) {
643 pwSpec->encode = Null_Cipher;
644 pwSpec->decode = Null_Cipher;
645 @@ -1999,55 +2252,21 @@
646 {
647 const ssl3MACDef * mac_def;
648 SECStatus rv;
649 -#ifndef NO_PKCS11_BYPASS
650 PRBool isTLS;
651 -#endif
652 unsigned int tempLen;
653 unsigned char temp[MAX_MAC_LENGTH];
654
655 - temp[0] = (unsigned char)(seq_num.high >> 24);
656 - temp[1] = (unsigned char)(seq_num.high >> 16);
657 - temp[2] = (unsigned char)(seq_num.high >> 8);
658 - temp[3] = (unsigned char)(seq_num.high >> 0);
659 - temp[4] = (unsigned char)(seq_num.low >> 24);
660 - temp[5] = (unsigned char)(seq_num.low >> 16);
661 - temp[6] = (unsigned char)(seq_num.low >> 8);
662 - temp[7] = (unsigned char)(seq_num.low >> 0);
663 - temp[8] = type;
664 -
665 /* TLS MAC includes the record's version field, SSL's doesn't.
666 ** We decide which MAC defintiion to use based on the version of
667 ** the protocol that was negotiated when the spec became current,
668 ** NOT based on the version value in the record itself.
669 - ** But, we use the record'v version value in the computation.
670 + ** But, we use the record's version value in the computation.
671 */
672 - if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
673 - temp[9] = MSB(inputLength);
674 - temp[10] = LSB(inputLength);
675 - tempLen = 11;
676 -#ifndef NO_PKCS11_BYPASS
677 - isTLS = PR_FALSE;
678 -#endif
679 - } else {
680 - /* New TLS hash includes version. */
681 - if (isDTLS) {
682 - SSL3ProtocolVersion dtls_version;
683 + isTLS = spec->version > SSL_LIBRARY_VERSION_3_0;
684 + tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS,
685 + version, isDTLS, inputLength);
686 + PORT_Assert(tempLen <= sizeof(temp));
687
688 - dtls_version = dtls_TLSVersionToDTLSVersion(version);
689 - temp[9] = MSB(dtls_version);
690 - temp[10] = LSB(dtls_version);
691 - } else {
692 - temp[9] = MSB(version);
693 - temp[10] = LSB(version);
694 - }
695 - temp[11] = MSB(inputLength);
696 - temp[12] = LSB(inputLength);
697 - tempLen = 13;
698 -#ifndef NO_PKCS11_BYPASS
699 - isTLS = PR_TRUE;
700 -#endif
701 - }
702 -
703 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
704 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
705
706 @@ -2390,86 +2609,112 @@
707 contentLen = outlen;
708 }
709
710 - /*
711 - * Add the MAC
712 - */
713 - rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
714 - type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
715 - wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
716 - if (rv != SECSuccess) {
717 - ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
718 - return SECFailure;
719 - }
720 - p1Len = contentLen;
721 - p2Len = macLen;
722 - fragLen = contentLen + macLen; /* needs to be encrypted */
723 - PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
724 + if (cipher_def->type == type_aead) {
725 + const int nonceLen = cipher_def->explicit_nonce_size;
726 + const int tagLen = cipher_def->tag_size;
727
728 - /*
729 - * Pad the text (if we're doing a block cipher)
730 - * then Encrypt it
731 - */
732 - if (cipher_def->type == type_block) {
733 - unsigned char * pBuf;
734 - int padding_length;
735 - int i;
736 + if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) {
737 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
738 + return SECFailure;
739 + }
740
741 - oddLen = contentLen % cipher_def->block_size;
742 - /* Assume blockSize is a power of two */
743 - padding_length = cipher_def->block_size - 1 -
744 - ((fragLen) & (cipher_def->block_size - 1));
745 - fragLen += padding_length + 1;
746 - PORT_Assert((fragLen % cipher_def->block_size) == 0);
747 -
748 - /* Pad according to TLS rules (also acceptable to SSL3). */
749 - pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
750 - for (i = padding_length + 1; i > 0; --i) {
751 - *pBuf-- = padding_length;
752 + cipherBytes = contentLen;
753 + rv = cwSpec->aead(
754 + isServer ? &cwSpec->server : &cwSpec->client,
755 + PR_FALSE, /* do encrypt */
756 + wrBuf->buf + headerLen, /* output */
757 + &cipherBytes, /* out len */
758 + wrBuf->space - headerLen, /* max out */
759 + pIn, contentLen, /* input */
760 + type, cwSpec->version, cwSpec->write_seq_num);
761 + if (rv != SECSuccess) {
762 + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
763 + return SECFailure;
764 }
765 - /* now, if contentLen is not a multiple of block size, fix it */
766 - p2Len = fragLen - p1Len;
767 - }
768 - if (p1Len < 256) {
769 - oddLen = p1Len;
770 - p1Len = 0;
771 } else {
772 - p1Len -= oddLen;
773 - }
774 - if (oddLen) {
775 - p2Len += oddLen;
776 - PORT_Assert( (cipher_def->block_size < 2) || \
777 - (p2Len % cipher_def->block_size) == 0);
778 - memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen);
779 - }
780 - if (p1Len > 0) {
781 - int cipherBytesPart1 = -1;
782 - rv = cwSpec->encode( cwSpec->encodeContext,
783 - wrBuf->buf + headerLen + ivLen, /* output */
784 - &cipherBytesPart1, /* actual outlen */
785 - p1Len, /* max outlen */
786 - pIn, p1Len); /* input, and inputlen */
787 - PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
788 - if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
789 - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
790 + /*
791 + * Add the MAC
792 + */
793 + rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
794 + type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
795 + wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
796 + if (rv != SECSuccess) {
797 + ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
798 return SECFailure;
799 }
800 - cipherBytes += cipherBytesPart1;
801 + p1Len = contentLen;
802 + p2Len = macLen;
803 + fragLen = contentLen + macLen; /* needs to be encrypted */
804 + PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
805 +
806 + /*
807 + * Pad the text (if we're doing a block cipher)
808 + * then Encrypt it
809 + */
810 + if (cipher_def->type == type_block) {
811 + unsigned char * pBuf;
812 + int padding_length;
813 + int i;
814 +
815 + oddLen = contentLen % cipher_def->block_size;
816 + /* Assume blockSize is a power of two */
817 + padding_length = cipher_def->block_size - 1 -
818 + ((fragLen) & (cipher_def->block_size - 1));
819 + fragLen += padding_length + 1;
820 + PORT_Assert((fragLen % cipher_def->block_size) == 0);
821 +
822 + /* Pad according to TLS rules (also acceptable to SSL3). */
823 + pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
824 + for (i = padding_length + 1; i > 0; --i) {
825 + *pBuf-- = padding_length;
826 + }
827 + /* now, if contentLen is not a multiple of block size, fix it */
828 + p2Len = fragLen - p1Len;
829 + }
830 + if (p1Len < 256) {
831 + oddLen = p1Len;
832 + p1Len = 0;
833 + } else {
834 + p1Len -= oddLen;
835 + }
836 + if (oddLen) {
837 + p2Len += oddLen;
838 + PORT_Assert( (cipher_def->block_size < 2) || \
839 + (p2Len % cipher_def->block_size) == 0);
840 + memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len,
841 + oddLen);
842 + }
843 + if (p1Len > 0) {
844 + int cipherBytesPart1 = -1;
845 + rv = cwSpec->encode( cwSpec->encodeContext,
846 + wrBuf->buf + headerLen + ivLen, /* output */
847 + &cipherBytesPart1, /* actual outlen */
848 + p1Len, /* max outlen */
849 + pIn, p1Len); /* input, and inputlen */
850 + PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
851 + if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
852 + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
853 + return SECFailure;
854 + }
855 + cipherBytes += cipherBytesPart1;
856 + }
857 + if (p2Len > 0) {
858 + int cipherBytesPart2 = -1;
859 + rv = cwSpec->encode( cwSpec->encodeContext,
860 + wrBuf->buf + headerLen + ivLen + p1Len,
861 + &cipherBytesPart2, /* output and actual outLen */
862 + p2Len, /* max outlen */
863 + wrBuf->buf + headerLen + ivLen + p1Len,
864 + p2Len); /* input and inputLen*/
865 + PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
866 + if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
867 + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
868 + return SECFailure;
869 + }
870 + cipherBytes += cipherBytesPart2;
871 + }
872 }
873 - if (p2Len > 0) {
874 - int cipherBytesPart2 = -1;
875 - rv = cwSpec->encode( cwSpec->encodeContext,
876 - wrBuf->buf + headerLen + ivLen + p1Len,
877 - &cipherBytesPart2, /* output and actual outLen */
878 - p2Len, /* max outlen */
879 - wrBuf->buf + headerLen + ivLen + p1Len,
880 - p2Len); /* input and inputLen*/
881 - PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
882 - if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
883 - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
884 - return SECFailure;
885 - }
886 - cipherBytes += cipherBytesPart2;
887 - }
888 +
889 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
890
891 wrBuf->len = cipherBytes + headerLen;
892 @@ -3012,9 +3257,6 @@
893 static SECStatus
894 ssl3_IllegalParameter(sslSocket *ss)
895 {
896 - PRBool isTLS;
897 -
898 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
899 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
900 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
901 : SSL_ERROR_BAD_SERVER );
902 @@ -3538,7 +3780,6 @@
903 }
904
905 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
906 - /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
907
908 key_material_params.RandomInfo.pClientRandom = cr;
909 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
910 @@ -9946,7 +10187,6 @@
911 static void
912 ssl3_RecordKeyLog(sslSocket *ss)
913 {
914 - sslSessionID *sid;
915 SECStatus rv;
916 SECItem *keyData;
917 char buf[14 /* "CLIENT_RANDOM " */ +
918 @@ -9958,8 +10198,6 @@
919
920 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
921
922 - sid = ss->sec.ci.sid;
923 -
924 if (!ssl_keylog_iob)
925 return;
926
927 @@ -11171,12 +11409,14 @@
928 /* With >= TLS 1.1, CBC records have an explicit IV. */
929 minLength += cipher_def->iv_size;
930 }
931 + } else if (cipher_def->type == type_aead) {
932 + minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size;
933 }
934
935 /* We can perform this test in variable time because the record's total
936 * length and the ciphersuite are both public knowledge. */
937 if (cText->buf->len < minLength) {
938 - goto decrypt_loser;
939 + goto decrypt_loser;
940 }
941
942 if (cipher_def->type == type_block &&
943 @@ -11244,78 +11484,95 @@
944 return SECFailure;
945 }
946
947 - if (cipher_def->type == type_block &&
948 - ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
949 - goto decrypt_loser;
950 - }
951 + rType = cText->type;
952 + if (cipher_def->type == type_aead) {
953 + rv = crSpec->aead(
954 + ss->sec.isServer ? &crSpec->client : &crSpec->server,
955 + PR_TRUE, /* do decrypt */
956 + plaintext->buf, /* out */
957 + (int*) &plaintext->len, /* outlen */
958 + plaintext->space, /* maxout */
959 + cText->buf->buf, /* in */
960 + cText->buf->len, /* inlen */
961 + rType, /* record type */
962 + cText->version,
963 + IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num);
964 + if (rv != SECSuccess) {
965 + good = 0;
966 + }
967 + } else {
968 + if (cipher_def->type == type_block &&
969 + ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
970 + goto decrypt_loser;
971 + }
972
973 - /* decrypt from cText buf to plaintext. */
974 - rv = crSpec->decode(
975 - crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
976 - plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
977 - if (rv != SECSuccess) {
978 - goto decrypt_loser;
979 - }
980 + /* decrypt from cText buf to plaintext. */
981 + rv = crSpec->decode(
982 + crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
983 + plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
984 + if (rv != SECSuccess) {
985 + goto decrypt_loser;
986 + }
987
988 - PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
989 + PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
990
991 - originalLen = plaintext->len;
992 + originalLen = plaintext->len;
993
994 - /* If it's a block cipher, check and strip the padding. */
995 - if (cipher_def->type == type_block) {
996 - const unsigned int blockSize = cipher_def->block_size;
997 - const unsigned int macSize = crSpec->mac_size;
998 + /* If it's a block cipher, check and strip the padding. */
999 + if (cipher_def->type == type_block) {
1000 + const unsigned int blockSize = cipher_def->block_size;
1001 + const unsigned int macSize = crSpec->mac_size;
1002
1003 - if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
1004 - good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
1005 - plaintext, blockSize, macSize));
1006 - } else {
1007 - good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
1008 - plaintext, macSize));
1009 + if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
1010 + good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
1011 + plaintext, blockSize, macSize));
1012 + } else {
1013 + good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
1014 + plaintext, macSize));
1015 + }
1016 }
1017 - }
1018
1019 - /* compute the MAC */
1020 - rType = cText->type;
1021 - if (cipher_def->type == type_block) {
1022 - rv = ssl3_ComputeRecordMACConstantTime(
1023 - crSpec, (PRBool)(!ss->sec.isServer),
1024 - IS_DTLS(ss), rType, cText->version,
1025 - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
1026 - plaintext->buf, plaintext->len, originalLen,
1027 - hash, &hashBytes);
1028 + /* compute the MAC */
1029 + if (cipher_def->type == type_block) {
1030 + rv = ssl3_ComputeRecordMACConstantTime(
1031 + crSpec, (PRBool)(!ss->sec.isServer),
1032 + IS_DTLS(ss), rType, cText->version,
1033 + IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
1034 + plaintext->buf, plaintext->len, originalLen,
1035 + hash, &hashBytes);
1036
1037 - ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
1038 - crSpec->mac_size);
1039 - givenHash = givenHashBuf;
1040 + ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
1041 + crSpec->mac_size);
1042 + givenHash = givenHashBuf;
1043
1044 - /* plaintext->len will always have enough space to remove the MAC
1045 - * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
1046 - * plaintext->len if the result has enough space for the MAC and we
1047 - * tested the unadjusted size against minLength, above. */
1048 - plaintext->len -= crSpec->mac_size;
1049 - } else {
1050 - /* This is safe because we checked the minLength above. */
1051 - plaintext->len -= crSpec->mac_size;
1052 + /* plaintext->len will always have enough space to remove the MAC
1053 + * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
1054 + * plaintext->len if the result has enough space for the MAC and we
1055 + * tested the unadjusted size against minLength, above. */
1056 + plaintext->len -= crSpec->mac_size;
1057 + } else {
1058 + /* This is safe because we checked the minLength above. */
1059 + plaintext->len -= crSpec->mac_size;
1060
1061 - rv = ssl3_ComputeRecordMAC(
1062 - crSpec, (PRBool)(!ss->sec.isServer),
1063 - IS_DTLS(ss), rType, cText->version,
1064 - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
1065 - plaintext->buf, plaintext->len,
1066 - hash, &hashBytes);
1067 + rv = ssl3_ComputeRecordMAC(
1068 + crSpec, (PRBool)(!ss->sec.isServer),
1069 + IS_DTLS(ss), rType, cText->version,
1070 + IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
1071 + plaintext->buf, plaintext->len,
1072 + hash, &hashBytes);
1073
1074 - /* We can read the MAC directly from the record because its location is
1075 - * public when a stream cipher is used. */
1076 - givenHash = plaintext->buf + plaintext->len;
1077 - }
1078 + /* We can read the MAC directly from the record because its location
1079 + * is public when a stream cipher is used. */
1080 + givenHash = plaintext->buf + plaintext->len;
1081 + }
1082
1083 - good &= SECStatusToMask(rv);
1084 + good &= SECStatusToMask(rv);
1085
1086 - if (hashBytes != (unsigned)crSpec->mac_size ||
1087 - NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
1088 - /* We're allowed to leak whether or not the MAC check was correct */
1089 - good = 0;
1090 + if (hashBytes != (unsigned)crSpec->mac_size ||
1091 + NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
1092 + /* We're allowed to leak whether or not the MAC check was correct */
1093 + good = 0;
1094 + }
1095 }
1096
1097 if (good == 0) {
1098 Index: net/third_party/nss/ssl/sslenum.c
1099 ===================================================================
1100 --- net/third_party/nss/ssl/sslenum.c (revision 215189)
1101 +++ net/third_party/nss/ssl/sslenum.c (working copy)
1102 @@ -29,6 +29,14 @@
1103 * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
1104 */
1105 const PRUint16 SSL_ImplementedCiphers[] = {
1106 + /* AES-GCM */
1107 +#ifdef NSS_ENABLE_ECC
1108 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1109 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1110 +#endif /* NSS_ENABLE_ECC */
1111 + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
1112 + TLS_RSA_WITH_AES_128_GCM_SHA256,
1113 +
1114 /* 256-bit */
1115 #ifdef NSS_ENABLE_ECC
1116 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
1117 Index: net/third_party/nss/ssl/sslproto.h
1118 ===================================================================
1119 --- net/third_party/nss/ssl/sslproto.h (revision 215189)
1120 +++ net/third_party/nss/ssl/sslproto.h (working copy)
1121 @@ -162,6 +162,10 @@
1122
1123 #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096
1124
1125 +#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
1126 +#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
1127 +#define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2
1128 +
1129 /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client.
1130 * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending
1131 * back an empty Renegotiation Info (RI) server hello extension.
1132 @@ -204,6 +208,11 @@
1133 #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023
1134 #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027
1135
1136 +#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
1137 +#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D
1138 +#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
1139 +#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
1140 +
1141 /* Netscape "experimental" cipher suites. */
1142 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
1143 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
1144 Index: net/third_party/nss/ssl/sslt.h
1145 ===================================================================
1146 --- net/third_party/nss/ssl/sslt.h (revision 215189)
1147 +++ net/third_party/nss/ssl/sslt.h (working copy)
1148 @@ -91,9 +91,10 @@
1149 ssl_calg_3des = 4,
1150 ssl_calg_idea = 5,
1151 ssl_calg_fortezza = 6, /* deprecated, now unused */
1152 - ssl_calg_aes = 7, /* coming soon */
1153 + ssl_calg_aes = 7,
1154 ssl_calg_camellia = 8,
1155 - ssl_calg_seed = 9
1156 + ssl_calg_seed = 9,
1157 + ssl_calg_aes_gcm = 10
1158 } SSLCipherAlgorithm;
1159
1160 typedef enum {
1161 Index: net/third_party/nss/ssl/dtlscon.c
1162 ===================================================================
1163 --- net/third_party/nss/ssl/dtlscon.c (revision 215189)
1164 +++ net/third_party/nss/ssl/dtlscon.c (working copy)
1165 @@ -30,7 +30,14 @@
1166
1167 /* List copied from ssl3con.c:cipherSuites */
1168 static const ssl3CipherSuite nonDTLSSuites[] = {
1169 + /* XXX Make AES-GCM work with DTLS. */
1170 #ifdef NSS_ENABLE_ECC
1171 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1172 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1173 +#endif /* NSS_ENABLE_ECC */
1174 + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
1175 + TLS_RSA_WITH_AES_128_GCM_SHA256,
1176 +#ifdef NSS_ENABLE_ECC
1177 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
1178 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
1179 #endif /* NSS_ENABLE_ECC */
OLDNEW
« no previous file with comments | « net/third_party/nss/README.chromium ('k') | net/third_party/nss/patches/aesgcmchromium.patch » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698