Implement the AES GCM cipher suites for TLS.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 26 matching lines @@
 #define CKM_NSS_TLS_PRF_GENERAL_SHA256          (CKM_NSS + 21)
 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256    (CKM_NSS + 22)
 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
 #endif
 
 #include <stdio.h>
 #ifdef NSS_ENABLE_ZLIB
 #include "zlib.h"
 #endif
+#ifdef LINUX
+#include <dlfcn.h>
+#endif
 
 #ifndef PK11_SETATTRS
 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
                 (x)->pValue=(v); (x)->ulValueLen = (l);
 #endif
 
 static SECStatus ssl3_AuthCertificate(sslSocket *ss);
 static void      ssl3_CleanupPeerCerts(sslSocket *ss);
 static void      ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
@@ skipping 25 matching lines @@
 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
 #define MIN_SEND_BUF_LENGTH  4000
 
 /* This list of SSL3 cipher suites is sorted in descending order of
  * precedence (desirability).  It only includes cipher suites we implement.
  * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
  * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
  */
 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
    /*      cipher_suite                         policy      enabled is_present*/
+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,    SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},

[wtc, 2013/08/10 01:22:59]

I added TLS_DHE_RSA_WITH_AES_128_GCM_SHA256.

[Ryan Sleevi, 2013/08/13 21:05:45]

Do we really want DHE_RSA over the ECDHE case?

I would think the order should be:

#ifdef NSS_ENABLE_ECC
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#endif

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256

#ifdef NSS_ENABLE_ECC
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
#endif

[wtc, 2013/08/14 01:57:02]

Done.

+ { TLS_RSA_WITH_AES_128_GCM_SHA256,        SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,  SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
  { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,    SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
@@ skipping 123 matching lines @@
 
 
 /* This global item is used only in servers.  It is is initialized by
 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
 */
 CERTDistNames *ssl3_server_ca_list = NULL;
 static SSL3Statistics ssl3stats;
 
 /* indexed by SSL3BulkCipher */
 static const ssl3BulkCipherDef bulk_cipher_defs[] = {
-    /* cipher          calg        keySz secretSz  type  ivSz BlkSz keygen */
-    {cipher_null,      calg_null,      0,  0, type_stream,  0, 0, kg_null},
-    {cipher_rc4,       calg_rc4,      16, 16, type_stream,  0, 0, kg_strong},
-    {cipher_rc4_40,    calg_rc4,      16,  5, type_stream,  0, 0, kg_export},
-    {cipher_rc4_56,    calg_rc4,      16,  7, type_stream,  0, 0, kg_export},
-    {cipher_rc2,       calg_rc2,      16, 16, type_block,   8, 8, kg_strong},
-    {cipher_rc2_40,    calg_rc2,      16,  5, type_block,   8, 8, kg_export},
-    {cipher_des,       calg_des,       8,  8, type_block,   8, 8, kg_strong},
-    {cipher_3des,      calg_3des,     24, 24, type_block,   8, 8, kg_strong},
-    {cipher_des40,     calg_des,       8,  5, type_block,   8, 8, kg_export},
-    {cipher_idea,      calg_idea,     16, 16, type_block,   8, 8, kg_strong},
-    {cipher_aes_128,   calg_aes,      16, 16, type_block,  16,16, kg_strong},
-    {cipher_aes_256,   calg_aes,      32, 32, type_block,  16,16, kg_strong},
-    {cipher_camellia_128, calg_camellia,16, 16, type_block,  16,16, kg_strong},
-    {cipher_camellia_256, calg_camellia,32, 32, type_block,  16,16, kg_strong},
-    {cipher_seed,      calg_seed,     16, 16, type_block,  16,16, kg_strong},
-    {cipher_missing,   calg_null,      0,  0, type_stream,  0, 0, kg_null},
+    /*                                       |--------- Lengths --------| */
+    /* cipher             calg               k  s  type         i  b  t  n */
+    /*                                       e  e               v  l  a  o */
+    /*                                       y  c               |  o  g  n */
+    /*                                       |  r               |  c  |  c */
+    /*                                       |  e               |  k  |  e */
+    /*                                       |  t               |  |  |  | */
+    {cipher_null,         calg_null,         0, 0, type_stream, 0, 0, 0, 0},
+    {cipher_rc4,          calg_rc4,         16,16, type_stream, 0, 0, 0, 0},
+    {cipher_rc4_40,       calg_rc4,         16, 5, type_stream, 0, 0, 0, 0},
+    {cipher_rc4_56,       calg_rc4,         16, 7, type_stream, 0, 0, 0, 0},
+    {cipher_rc2,          calg_rc2,         16,16, type_block,  8, 8, 0, 0},
+    {cipher_rc2_40,       calg_rc2,         16, 5, type_block,  8, 8, 0, 0},
+    {cipher_des,          calg_des,          8, 8, type_block,  8, 8, 0, 0},
+    {cipher_3des,         calg_3des,        24,24, type_block,  8, 8, 0, 0},
+    {cipher_des40,        calg_des,          8, 5, type_block,  8, 8, 0, 0},
+    {cipher_idea,         calg_idea,        16,16, type_block,  8, 8, 0, 0},
+    {cipher_aes_128,      calg_aes,         16,16, type_block, 16,16, 0, 0},
+    {cipher_aes_256,      calg_aes,         32,32, type_block, 16,16, 0, 0},
+    {cipher_camellia_128, calg_camellia,    16,16, type_block, 16,16, 0, 0},
+    {cipher_camellia_256, calg_camellia,    32,32, type_block, 16,16, 0, 0},
+    {cipher_seed,         calg_seed,        16,16, type_block, 16,16, 0, 0},
+    {cipher_aes_128_gcm,  calg_aes_gcm,     16,16, type_aead,   4, 0,16, 8},

[wtc, 2013/08/10 01:22:59]

I renamed calg_aes_128_gcm to calg_aes_gcm because the other calg_xxx enums are
independent of key size.

+    {cipher_missing,      calg_null,         0, 0, type_stream, 0, 0, 0, 0},
 };
 
 static const ssl3KEADef kea_defs[] = 
 { /* indexed by SSL3KeyExchangeAlgorithm */
     /* kea              exchKeyType signKeyType is_limited limit  tls_keygen */
     {kea_null,           kt_null,     sign_null, PR_FALSE,   0, PR_FALSE},
     {kea_rsa,            kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_FALSE},
     {kea_rsa_export,     kt_rsa,      sign_rsa,  PR_TRUE,  512, PR_FALSE},
     {kea_rsa_export_1024,kt_rsa,      sign_rsa,  PR_TRUE, 1024, PR_FALSE},
     {kea_dh_dss,         kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
@@ skipping 101 matching lines @@
      cipher_camellia_256, mac_sha, kea_dhe_rsa},
 
     {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
                                     cipher_des,    mac_sha,kea_rsa_export_1024},
     {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
                                     cipher_rc4_56, mac_sha,kea_rsa_export_1024},
 
     {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
     {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
 
+    {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe_rsa},
+    {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa},
+    {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_rsa},
+    {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_ecdsa},
+
 #ifdef NSS_ENABLE_ECC
     {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
 
     {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa},
     {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
     {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
@@ skipping 43 matching lines @@
     { calg_null     , (CK_MECHANISM_TYPE)0x80000000L    },
     { calg_rc4      , CKM_RC4                           },
     { calg_rc2      , CKM_RC2_CBC                       },
     { calg_des      , CKM_DES_CBC                       },
     { calg_3des     , CKM_DES3_CBC                      },
     { calg_idea     , CKM_IDEA_CBC                      },
     { calg_fortezza , CKM_SKIPJACK_CBC64                },
     { calg_aes      , CKM_AES_CBC                       },
     { calg_camellia , CKM_CAMELLIA_CBC                  },
     { calg_seed     , CKM_SEED_CBC                      },
+    { calg_aes_gcm  , CKM_AES_GCM                       },
 /*  { calg_init     , (CK_MECHANISM_TYPE)0x7fffffffL    }  */
 };
 
 #define mmech_null     (CK_MECHANISM_TYPE)0x80000000L
 #define mmech_md5      CKM_SSL3_MD5_MAC
 #define mmech_sha      CKM_SSL3_SHA1_MAC
 #define mmech_md5_hmac CKM_MD5_HMAC
 #define mmech_sha_hmac CKM_SHA_1_HMAC
 #define mmech_sha256_hmac CKM_SHA256_HMAC
 
@@ skipping 18 matching lines @@
     "RC2-CBC-40",
     "DES-CBC",
     "3DES-EDE-CBC",
     "DES-CBC-40",
     "IDEA-CBC",
     "AES-128",
     "AES-256",
     "Camellia-128",
     "Camellia-256",
     "SEED-CBC",
+    "AES-128-GCM",
     "missing"
 };
 
 #ifdef NSS_ENABLE_ECC
 /* The ECCWrappedKeyInfo structure defines how various pieces of 
  * information are laid out within wrappedSymmetricWrappingkey 
  * for ECDH key exchange. Since wrappedSymmetricWrappingkey is 
  * a 512-byte buffer (see sslimpl.h), the variable length field 
  * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes.
  *
@@ skipping 106 matching lines @@
      *   SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:   never implemented
      *   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:  never implemented
      *   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:  never implemented
      *   SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5:     never implemented
      *   SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:  never implemented
      */
         return version <= SSL_LIBRARY_VERSION_TLS_1_0;
     case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
     case TLS_RSA_WITH_AES_256_CBC_SHA256:
     case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
+    case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
     case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
+    case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
     case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
+    case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
     case TLS_RSA_WITH_AES_128_CBC_SHA256:
+    case TLS_RSA_WITH_AES_128_GCM_SHA256:
     case TLS_RSA_WITH_NULL_SHA256:
         return version >= SSL_LIBRARY_VERSION_TLS_1_2;
     default:
         return PR_TRUE;
     }
 }
 
 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */
 /* XXX This does a linear search.  A binary search would be better. */
 static const ssl3CipherSuiteDef *
@@ skipping 739 matching lines @@
     if (IS_DTLS(ss)) {
         /* Double-check that we did not pick an RC4 suite */
         PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) &&
                     (suite_def->bulk_cipher_alg != cipher_rc4_40) &&
                     (suite_def->bulk_cipher_alg != cipher_rc4_56));
     }
 
     cipher = suite_def->bulk_cipher_alg;
     kea    = suite_def->key_exchange_alg;
     mac    = suite_def->mac_alg;
-    if (mac <= ssl_mac_sha && isTLS)
+    if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS)
         mac += 2;
 
     ss->ssl3.hs.suite_def = suite_def;
     ss->ssl3.hs.kea_def   = &kea_defs[kea];
     PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
 
     pwSpec->cipher_def   = &bulk_cipher_defs[cipher];
     PORT_Assert(pwSpec->cipher_def->cipher == cipher);
 
     pwSpec->mac_def = &mac_defs[mac];
@@ skipping 173 matching lines @@
       ssl3CipherSpec  *  pwSpec;
       const ssl3BulkCipherDef *cipher_def;
       void *             serverContext = NULL;
       void *             clientContext = NULL;
       BLapiInitContextFunc initFn = (BLapiInitContextFunc)NULL;
       int                mode     = 0;
       unsigned int       optArg1  = 0;
       unsigned int       optArg2  = 0;
       PRBool             server_encrypts = ss->sec.isServer;
       SSLCipherAlgorithm calg;
-      SSLCompressionMethod compression_method;
       SECStatus          rv;
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
     cipher_def    = pwSpec->cipher_def;
 
     calg = cipher_def->calg;
-    compression_method = pwSpec->compression_method;
 
     serverContext = pwSpec->server.cipher_context;
     clientContext = pwSpec->client.cipher_context;
 
     switch (calg) {
     case ssl_calg_null:
         pwSpec->encode  = Null_Cipher;
         pwSpec->decode  = Null_Cipher;
         pwSpec->destroy = NULL;
         goto success;
@@ skipping 135 matching lines @@
         case CKM_RC2_MAC:
         case CKM_RC2_MAC_GENERAL:
         case CKM_RC2_CBC_PAD:
             *(CK_RC2_PARAMS *)param->data = ulEffectiveBits;
         default: break;
         }
     }
     return param;
 }
 
+/* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which
+ * is included in the MAC) to |out| and returns its length. */
+static unsigned int
+ssl3_BuildRecordPseudoHeader(unsigned char *out,
+                             SSL3SequenceNumber seq_num,
+                             SSL3ContentType type,
+                             PRBool includesVersion,
+                             SSL3ProtocolVersion version,
+                             PRBool isDTLS,
+                             int length)
+{
+    out[0] = (unsigned char)(seq_num.high >> 24);
+    out[1] = (unsigned char)(seq_num.high >> 16);
+    out[2] = (unsigned char)(seq_num.high >>  8);
+    out[3] = (unsigned char)(seq_num.high >>  0);
+    out[4] = (unsigned char)(seq_num.low  >> 24);
+    out[5] = (unsigned char)(seq_num.low  >> 16);
+    out[6] = (unsigned char)(seq_num.low  >>  8);
+    out[7] = (unsigned char)(seq_num.low  >>  0);
+    out[8] = type;
+
+    /* SSL3 MAC doesn't include the record's version field. */
+    if (!includesVersion) {
+        out[9]  = MSB(length);
+        out[10] = LSB(length);
+        return 11;
+    }
+
+    /* TLS MAC and AEAD additional data include version. */
+    if (isDTLS) {
+        SSL3ProtocolVersion dtls_version;
+
+        dtls_version = dtls_TLSVersionToDTLSVersion(version);
+        out[9]  = MSB(dtls_version);
+        out[10] = LSB(dtls_version);
+    } else {
+        out[9]  = MSB(version);
+        out[10] = LSB(version);
+    }
+    out[11] = MSB(length);
+    out[12] = LSB(length);
+    return 13;
+}
+
+typedef SECStatus (*PK11CryptFcn)(
+    PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, SECItem *param,
+    unsigned char *out, unsigned int *outLen, unsigned int maxLen,
+    const unsigned char *in, unsigned int inLen);
+
+static PK11CryptFcn pk11_encrypt = NULL;
+static PK11CryptFcn pk11_decrypt = NULL;
+
+static PRCallOnceType resolvePK11CryptOnce;
+
+static PRStatus
+ssl3_ResolvePK11CryptFunctions(void)
+{
+#ifdef LINUX
+    /* On Linux we use the system NSS libraries. Look up the PK11_Encrypt and
+     * PK11_Decrypt functions at run time. */
+    void *handle = dlopen(NULL, RTLD_LAZY);
+    if (!handle) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return PR_FAILURE;
+    }
+    pk11_encrypt = (PK11CryptFcn)dlsym(handle, "PK11_Encrypt");
+    pk11_decrypt = (PK11CryptFcn)dlsym(handle, "PK11_Decrypt");
+    dlclose(handle);
+    return PR_SUCCESS;
+#else
+    /* On other platforms we use our own copy of NSS. PK11_Encrypt and
+     * PK11_Decrypt are known to be available. */
+    pk11_encrypt = PK11_Encrypt;
+    pk11_decrypt = PK11_Decrypt;
+    return PR_SUCCESS;
+#endif
+}
+
+/* 
+ * In NSS 3.15, PK11_Encrypt and PK11_Decrypt were added to provide access
+ * to the AES GCM implementation in the NSS softoken. So the presence of
+ * these two functions implies the NSS version supports AES GCM.
+ */
+static PRBool
+ssl3_HasGCMSupport(void)
+{
+    (void)PR_CallOnce(&resolvePK11CryptOnce, ssl3_ResolvePK11CryptFunctions);
+    return pk11_encrypt != NULL;
+}
+
+/* On this socket, disable the GCM cipher suites */
+SECStatus
+ssl3_DisableGCMSuites(sslSocket * ss)
+{
+    unsigned int i;
+
+    for (i = 0; i < PR_ARRAY_SIZE(cipher_suite_defs); i++) {
+        const ssl3CipherSuiteDef *cipher_def = &cipher_suite_defs[i];
+        if (cipher_def->bulk_cipher_alg == cipher_aes_128_gcm) {
+            SECStatus rv = ssl3_CipherPrefSet(ss, cipher_def->cipher_suite,
+                                              PR_FALSE);
+            PORT_Assert(rv == SECSuccess); /* else is coding error */
+        }
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+ssl3_AESGCM(ssl3KeyMaterial *keys,
+            PRBool doDecrypt,
+            unsigned char *out,
+            int *outlen,
+            int maxout,
+            const unsigned char *in,
+            int inlen,

[wtc, 2013/08/10 01:22:59]

I removed the explicitNonce input.

For decrypt, the |in| buffer starts with the explicit nonce.

For encrypt, we use the sequence number as the explicit
nonce (allowed by RFC 5288) and write the explicit nonce
to the beginning of the |out| buffer.

+            SSL3ContentType type,
+            SSL3ProtocolVersion version,
+            SSL3SequenceNumber seq_num)
+{
+    SECItem            param;
+    SECStatus          rv = SECFailure;
+    unsigned char      nonce[12];
+    unsigned char      additionalData[13];
+    unsigned int       additionalDataLen;
+    unsigned int       uOutLen;
+    CK_GCM_PARAMS      gcmParams;
+
+    static const int   tagSize = 16;
+    static const int   explicitNonceLen = 8;
+    PR_STATIC_ASSERT(sizeof(seq_num) == explicitNonceLen);
+
+    /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
+     * nonce is formed. */
+    memcpy(nonce, keys->write_iv, 4);
+    if (doDecrypt) {
+        if (inlen < explicitNonceLen) {
+            PORT_SetError(SEC_ERROR_INPUT_LEN);
+            return SECFailure;
+        }
+        memcpy(nonce + 4, in, explicitNonceLen);
+        in += explicitNonceLen;
+        inlen -= explicitNonceLen;
+        *outlen = 0;
+    } else {
+        if (maxout < explicitNonceLen) {
+            PORT_SetError(SEC_ERROR_INPUT_LEN);
+            return SECFailure;
+        }
+        /* Use the 64-bit sequence number as the explicit nonce. */
+        memcpy(nonce + 4, &seq_num, explicitNonceLen);

[agl, 2013/08/13 12:17:12]

This is coping directly out of the SSL3SequenceNumber struct, which gives me the
willies. An ABI could add padding in the struct causing nonce duplication. It's
also gives away the endianness of the machine.

Could these 8 bytes be read from the pseudo-header?

[wtc, 2013/08/14 01:57:02]

Done.

+        memcpy(out, &seq_num, explicitNonceLen);
+        out += explicitNonceLen;
+        maxout -= explicitNonceLen;
+        *outlen = explicitNonceLen;
+    }
+
+    /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
+     * definition of the AEAD additional data. */
+    additionalDataLen = ssl3_BuildRecordPseudoHeader(
+        additionalData, seq_num, type, PR_TRUE /* includes version */,
+        version, PR_FALSE /* not DTLS */,
+        inlen - (doDecrypt ? tagSize : 0));
+    PORT_Assert(additionalDataLen <= sizeof(additionalData));
+
+    param.type = siBuffer;
+    param.data = (unsigned char *) &gcmParams;
+    param.len = sizeof(gcmParams);
+    gcmParams.pIv = nonce;
+    gcmParams.ulIvLen = sizeof(nonce);
+    gcmParams.pAAD = additionalData;
+    gcmParams.ulAADLen = additionalDataLen;
+    gcmParams.ulTagBits = tagSize * 8;
+
+    if (doDecrypt) {
+        rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
+                          maxout, in, inlen);
+    } else {
+        rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
+                          maxout, in, inlen);
+    }
+    *outlen += (int) uOutLen;
+
+    return rv;
+}
+
 /* Initialize encryption and MAC contexts for pending spec.
  * Master Secret already is derived.
  * Caller holds Spec write lock.
  */
 static SECStatus
 ssl3_InitPendingContextsPKCS11(sslSocket *ss)
 {
       ssl3CipherSpec  *  pwSpec;
       const ssl3BulkCipherDef *cipher_def;
       PK11Context *      serverContext = NULL;
       PK11Context *      clientContext = NULL;
       SECItem *          param;
       CK_MECHANISM_TYPE  mechanism;
       CK_MECHANISM_TYPE  mac_mech;
       CK_ULONG           macLength;
       CK_ULONG           effKeyBits;
       SECItem            iv;
       SECItem            mac_param;
       SSLCipherAlgorithm calg;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
     cipher_def    = pwSpec->cipher_def;
     macLength     = pwSpec->mac_size;
+    calg          = cipher_def->calg;
+    PORT_Assert(alg2Mech[calg].calg == calg);
+
+    pwSpec->client.write_mac_context = NULL;
+    pwSpec->server.write_mac_context = NULL;
+
+    if (calg == calg_aes_gcm) {
+        pwSpec->encode = NULL;
+        pwSpec->decode = NULL;
+        pwSpec->destroy = NULL;
+        pwSpec->encodeContext = NULL;
+        pwSpec->decodeContext = NULL;
+        pwSpec->aead = ssl3_AESGCM;
+        return SECSuccess;
+    }
 
     /* 
     ** Now setup the MAC contexts, 
     **   crypto contexts are setup below.
     */
 
-    pwSpec->client.write_mac_context = NULL;
-    pwSpec->server.write_mac_context = NULL;
     mac_mech       = pwSpec->mac_def->mmech;
     mac_param.data = (unsigned char *)&macLength;
     mac_param.len  = sizeof(macLength);
     mac_param.type = 0;
 
     pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
             mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
     if (pwSpec->client.write_mac_context == NULL)  {
         ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
         goto fail;
     }
     pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
             mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
     if (pwSpec->server.write_mac_context == NULL) {
         ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
         goto fail;
     }
 
     /* 
     ** Now setup the crypto contexts.
     */
 
-    calg = cipher_def->calg;
-    PORT_Assert(alg2Mech[calg].calg == calg);
-
     if (calg == calg_null) {
         pwSpec->encode  = Null_Cipher;
         pwSpec->decode  = Null_Cipher;
         pwSpec->destroy = NULL;
         return SECSuccess;
     }
     mechanism = alg2Mech[calg].cmech;
     effKeyBits = cipher_def->key_size * BPB;
 
     /*
@@ skipping 198 matching lines @@
     SSL3ContentType    type,
     SSL3ProtocolVersion version,
     SSL3SequenceNumber seq_num,
     const SSL3Opaque * input,
     int                inputLength,
     unsigned char *    outbuf,
     unsigned int *     outLength)
 {
     const ssl3MACDef * mac_def;
     SECStatus          rv;
-#ifndef NO_PKCS11_BYPASS
     PRBool             isTLS;
-#endif
     unsigned int       tempLen;
     unsigned char      temp[MAX_MAC_LENGTH];
 
-    temp[0] = (unsigned char)(seq_num.high >> 24);
-    temp[1] = (unsigned char)(seq_num.high >> 16);
-    temp[2] = (unsigned char)(seq_num.high >>  8);
-    temp[3] = (unsigned char)(seq_num.high >>  0);
-    temp[4] = (unsigned char)(seq_num.low  >> 24);
-    temp[5] = (unsigned char)(seq_num.low  >> 16);
-    temp[6] = (unsigned char)(seq_num.low  >>  8);
-    temp[7] = (unsigned char)(seq_num.low  >>  0);
-    temp[8] = type;
-
     /* TLS MAC includes the record's version field, SSL's doesn't.
     ** We decide which MAC defintiion to use based on the version of 
     ** the protocol that was negotiated when the spec became current,
     ** NOT based on the version value in the record itself.
     ** But, we use the record'v version value in the computation.

[agl, 2013/08/13 12:17:12]

This relocated comment contains a typo ("record'v")

[wtc, 2013/08/14 01:57:02]

Done.

     */
-    if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
-        temp[9]  = MSB(inputLength);
-        temp[10] = LSB(inputLength);
-        tempLen  = 11;
-#ifndef NO_PKCS11_BYPASS
-        isTLS    = PR_FALSE;
-#endif
-    } else {
-        /* New TLS hash includes version. */
-        if (isDTLS) {
-            SSL3ProtocolVersion dtls_version;
-
-            dtls_version = dtls_TLSVersionToDTLSVersion(version);
-            temp[9]  = MSB(dtls_version);
-            temp[10] = LSB(dtls_version);
-        } else {
-            temp[9]  = MSB(version);
-            temp[10] = LSB(version);
-        }
-        temp[11] = MSB(inputLength);
-        temp[12] = LSB(inputLength);
-        tempLen  = 13;
-#ifndef NO_PKCS11_BYPASS
-        isTLS    = PR_TRUE;
-#endif
-    }
+    isTLS = spec->version > SSL_LIBRARY_VERSION_3_0;
+    tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS,
+                                           version, isDTLS, inputLength);
+    PORT_Assert(tempLen <= sizeof(temp));
 
     PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
     PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
 
     mac_def = spec->mac_def;
     if (mac_def->mac == mac_null) {
         *outLength = 0;
         return SECSuccess;
     }
 #ifndef NO_PKCS11_BYPASS
@@ skipping 103 matching lines @@
         rv = SECFailure;
         ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
     }
     return rv;
 }
 
 /* This is a bodge to allow this code to be compiled against older NSS headers
  * that don't contain the CBC constant-time changes. */
 #ifndef CKM_NSS_HMAC_CONSTANT_TIME
 #define CKM_NSS_HMAC_CONSTANT_TIME (CKM_NSS + 19)
 #define CKM_NSS_SSL3_MAC_CONSTANT_TIME (CKM_NSS + 20)

[Ryan Sleevi, 2013/08/13 21:34:46]

We can remove this in a follow-up patch, now that NSS 3.14.3 is the minimum
compile-time version.

[wtc, 2013/08/14 22:05:42]

Done. Added a TODO to README.chromium to remove cbc.patch.

 
 typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS {
     CK_MECHANISM_TYPE macAlg;   /* in */
     CK_ULONG ulBodyTotalLen;    /* in */
     CK_BYTE * pHeader;          /* in */
     CK_ULONG ulHeaderLen;       /* in */
 } CK_NSS_MAC_CONSTANT_TIME_PARAMS;
 #endif
 
 /* Called from: ssl3_HandleRecord()
@@ skipping 199 matching lines @@
         rv = cwSpec->compressor(
             cwSpec->compressContext,
             wrBuf->buf + headerLen + ivLen, &outlen,
             wrBuf->space - headerLen - ivLen, pIn, contentLen);
         if (rv != SECSuccess)
             return rv;
         pIn = wrBuf->buf + headerLen + ivLen;
         contentLen = outlen;
     }
 
-    /*
-     * Add the MAC
-     */
-    rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
-        type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
-        wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
-    if (rv != SECSuccess) {
-        ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
-        return SECFailure;
-    }
-    p1Len   = contentLen;
-    p2Len   = macLen;
-    fragLen = contentLen + macLen;      /* needs to be encrypted */
-    PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
+    if (cipher_def->type == type_aead) {
+        const int nonceLen = cipher_def->explicit_nonce_size;

[agl, 2013/08/13 12:17:12]

The explicit nonce size in the cipher_def is now only used here. However,
cwSpec->aead should be doing the length check on 2581, no? In which case it
could be removed and so could a column of the cipher_def table.

[wtc, 2013/08/14 01:57:02]

cipher_def->explicit_nonce_size is also used in the length check on line 11382
in ssl3_HandleRecord. But you are right, both length checks could be done by
c{r/w}Spec->aead. I will think about this more.

+        const int tagLen = cipher_def->tag_size;
 
-    /*
-     * Pad the text (if we're doing a block cipher)
-     * then Encrypt it
-     */
-    if (cipher_def->type == type_block) {
-        unsigned char * pBuf;
-        int             padding_length;
-        int             i;
+        if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) {
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            return SECFailure;
+        }
 
-        oddLen = contentLen % cipher_def->block_size;
-        /* Assume blockSize is a power of two */
-        padding_length = cipher_def->block_size - 1 -
-                        ((fragLen) & (cipher_def->block_size - 1));
-        fragLen += padding_length + 1;
-        PORT_Assert((fragLen % cipher_def->block_size) == 0);
-
-        /* Pad according to TLS rules (also acceptable to SSL3). */
-        pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
-        for (i = padding_length + 1; i > 0; --i) {
-            *pBuf-- = padding_length;
-        }
-        /* now, if contentLen is not a multiple of block size, fix it */
-        p2Len = fragLen - p1Len;
-    }
-    if (p1Len < 256) {
-        oddLen = p1Len;
-        p1Len = 0;
-    } else {
-        p1Len -= oddLen;
-    }
-    if (oddLen) {
-        p2Len += oddLen;
-        PORT_Assert( (cipher_def->block_size < 2) || \
-                     (p2Len % cipher_def->block_size) == 0);
-        memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen);
-    }
-    if (p1Len > 0) {
-        int cipherBytesPart1 = -1;
-        rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + headerLen + ivLen,         /* output */
-            &cipherBytesPart1,                      /* actual outlen */
-            p1Len,                                  /* max outlen */
-            pIn, p1Len);                      /* input, and inputlen */
-        PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
-        if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
+        cipherBytes = contentLen;
+        rv = cwSpec->aead(
+                isServer ? &cwSpec->server : &cwSpec->client,
+                PR_FALSE,                                   /* do encrypt */
+                wrBuf->buf + headerLen,                     /* output  */
+                &cipherBytes,                               /* out len */
+                wrBuf->space - headerLen,                   /* max out */
+                pIn, contentLen,                            /* input   */
+                type, cwSpec->version, cwSpec->write_seq_num);
+        if (rv != SECSuccess) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
-        cipherBytes += cipherBytesPart1;
-    }
-    if (p2Len > 0) {
-        int cipherBytesPart2 = -1;
-        rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + headerLen + ivLen + p1Len,
-            &cipherBytesPart2,          /* output and actual outLen */
-            p2Len,                             /* max outlen */
-            wrBuf->buf + headerLen + ivLen + p1Len,
-            p2Len);                            /* input and inputLen*/
-        PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
-        if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
-            PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
+    } else {
+        /*
+         * Add the MAC
+         */
+        rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
+            type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
+            wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
+        if (rv != SECSuccess) {
+            ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
             return SECFailure;
         }
-        cipherBytes += cipherBytesPart2;
-    }   
+        p1Len   = contentLen;
+        p2Len   = macLen;
+        fragLen = contentLen + macLen;  /* needs to be encrypted */
+        PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
+
+        /*
+         * Pad the text (if we're doing a block cipher)
+         * then Encrypt it
+         */
+        if (cipher_def->type == type_block) {
+            unsigned char * pBuf;
+            int             padding_length;
+            int             i;
+
+            oddLen = contentLen % cipher_def->block_size;
+            /* Assume blockSize is a power of two */
+            padding_length = cipher_def->block_size - 1 -
+                            ((fragLen) & (cipher_def->block_size - 1));
+            fragLen += padding_length + 1;
+            PORT_Assert((fragLen % cipher_def->block_size) == 0);
+
+            /* Pad according to TLS rules (also acceptable to SSL3). */
+            pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
+            for (i = padding_length + 1; i > 0; --i) {
+                *pBuf-- = padding_length;
+            }
+            /* now, if contentLen is not a multiple of block size, fix it */
+            p2Len = fragLen - p1Len;
+        }
+        if (p1Len < 256) {
+            oddLen = p1Len;
+            p1Len = 0;
+        } else {
+            p1Len -= oddLen;
+        }
+        if (oddLen) {
+            p2Len += oddLen;
+            PORT_Assert( (cipher_def->block_size < 2) || \
+                         (p2Len % cipher_def->block_size) == 0);
+            memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len,
+                    oddLen);
+        }
+        if (p1Len > 0) {
+            int cipherBytesPart1 = -1;
+            rv = cwSpec->encode( cwSpec->encodeContext, 
+                wrBuf->buf + headerLen + ivLen,         /* output */
+                &cipherBytesPart1,                      /* actual outlen */
+                p1Len,                                  /* max outlen */
+                pIn, p1Len);                      /* input, and inputlen */
+            PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
+            if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
+                PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
+                return SECFailure;
+            }
+            cipherBytes += cipherBytesPart1;
+        }
+        if (p2Len > 0) {
+            int cipherBytesPart2 = -1;
+            rv = cwSpec->encode( cwSpec->encodeContext, 
+                wrBuf->buf + headerLen + ivLen + p1Len,
+                &cipherBytesPart2,          /* output and actual outLen */
+                p2Len,                             /* max outlen */
+                wrBuf->buf + headerLen + ivLen + p1Len,
+                p2Len);                            /* input and inputLen*/
+            PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
+            if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
+                PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
+                return SECFailure;
+            }
+            cipherBytes += cipherBytesPart2;
+        }
+    }
+
     PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
 
     wrBuf->len    = cipherBytes + headerLen;
     wrBuf->buf[0] = type;
     if (isDTLS) {
         SSL3ProtocolVersion version;
 
         version = dtls_TLSVersionToDTLSVersion(cwSpec->version);
         wrBuf->buf[1] = MSB(version);
         wrBuf->buf[2] = LSB(version);
@@ skipping 522 matching lines @@
     ssl_ReleaseSSL3HandshakeLock(ss);
     return rv;  /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
 }
 
 /*
  * Send illegal_parameter alert.  Set generic error number.
  */
 static SECStatus
 ssl3_IllegalParameter(sslSocket *ss)
 {
-    PRBool isTLS;
-
-    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
     (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
     PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
                                    : SSL_ERROR_BAD_SERVER );
     return SECFailure;
 }
 
 /*
  * Send handshake_Failure alert.  Set generic error number.
  */
 static SECStatus
@@ skipping 503 matching lines @@
     key_material_params.ulIVSizeInBits  = cipher_def->iv_size        * BPB;
     if (cipher_def->type == type_block &&
         pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
         /* Block ciphers in >= TLS 1.1 use a per-record, explicit IV. */
         key_material_params.ulIVSizeInBits = 0;
         memset(pwSpec->client.write_iv, 0, cipher_def->iv_size);
         memset(pwSpec->server.write_iv, 0, cipher_def->iv_size);
     }
 
     key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
-    /* was:     (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
 
     key_material_params.RandomInfo.pClientRandom     = cr;
     key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
     key_material_params.RandomInfo.pServerRandom     = sr;
     key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
     key_material_params.pReturnedKeyMaterial         = &returnedKeys;
 
     returnedKeys.pIVClient = pwSpec->client.write_iv;
     returnedKeys.pIVServer = pwSpec->server.write_iv;
     keySize                = cipher_def->key_size;
@@ skipping 1271 matching lines @@
     if (!total_exten_len || !isTLS) {
         /* not sending the elliptic_curves and ec_point_formats extensions */
         ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     }
 #endif
 
     if (IS_DTLS(ss)) {
         ssl3_DisableNonDTLSSuites(ss);
     }
 
+    if (!ssl3_HasGCMSupport()) {
+        ssl3_DisableGCMSuites(ss);
+    }
+
     /* how many suites are permitted by policy and user preference? */
     num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
     if (!num_suites)
         return SECFailure;      /* count_cipher_suites has set error code. */
     if (ss->ssl3.hs.sendingSCSV) {
         ++num_suites;   /* make room for SCSV */
     }
 
     /* count compression methods */
     numCompressionMethods = 0;
@@ skipping 5096 matching lines @@
     return rv;
 }
 
 /* called from ssl3_SendFinished
  *
  * This function is simply a debugging aid and therefore does not return a
  * SECStatus. */
 static void
 ssl3_RecordKeyLog(sslSocket *ss)
 {
-    sslSessionID *sid;
     SECStatus rv;
     SECItem *keyData;
     char buf[14 /* "CLIENT_RANDOM " */ +
              SSL3_RANDOM_LENGTH*2 /* client_random */ +
              1 /* " " */ +
              48*2 /* master secret */ +
              1 /* new line */];
     unsigned int j;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
-    sid = ss->sec.ci.sid;
-
     if (!ssl_keylog_iob)
         return;
 
     rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);
     if (rv != SECSuccess)
         return;
 
     ssl_GetSpecReadLock(ss);
 
     /* keyData does not need to be freed. */
@@ skipping 1191 matching lines @@
 
     good = ~0U;
     minLength = crSpec->mac_size;
     if (cipher_def->type == type_block) {
         /* CBC records have a padding length byte at the end. */
         minLength++;
         if (crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
             /* With >= TLS 1.1, CBC records have an explicit IV. */
             minLength += cipher_def->iv_size;
         }
+    } else if (cipher_def->type == type_aead) {
+        minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size;
     }
 
     /* We can perform this test in variable time because the record's total
      * length and the ciphersuite are both public knowledge. */
     if (cText->buf->len < minLength) {
-        goto decrypt_loser;
+        goto decrypt_loser;
     }
 
     if (cipher_def->type == type_block &&
         crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
         /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states
          * "The receiver decrypts the entire GenericBlockCipher structure and
          * then discards the first cipher block corresponding to the IV
          * component." Instead, we decrypt the first cipher block and then
          * discard it before decrypting the rest.
          */
@@ skipping 47 matching lines @@
 
     isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
 
     if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) {
         ssl_ReleaseSpecReadLock(ss);
         SSL3_SendAlert(ss, alert_fatal, record_overflow);
         PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
         return SECFailure;
     }
 
-    if (cipher_def->type == type_block &&
-        ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
-        goto decrypt_loser;
-    }
+    rType = cText->type;
+    if (cipher_def->type == type_aead) {
+        rv = crSpec->aead(
+                ss->sec.isServer ? &crSpec->client : &crSpec->server,
+                PR_TRUE,                          /* do decrypt */
+                plaintext->buf,                   /* out */
+                (int*) &plaintext->len,           /* outlen */
+                plaintext->space,                 /* maxout */
+                cText->buf->buf,                  /* in */
+                cText->buf->len,                  /* inlen */
+                rType,                            /* record type */
+                cText->version,

[wtc, 2013/08/10 01:22:59]

Note: we still need to pass a "PRBool isDTLS" argument to
crSpec->aead so that we can convert cText->version to the
wire format for AEAD additional data.

+                IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num);
+        if (rv != SECSuccess) {
+            good = 0;
+        }
+    } else {
+        if (cipher_def->type == type_block &&
+            ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
+            goto decrypt_loser;
+        }
 
-    /* decrypt from cText buf to plaintext. */
-    rv = crSpec->decode(
-        crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
-        plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
-    if (rv != SECSuccess) {
-        goto decrypt_loser;
-    }
+        /* decrypt from cText buf to plaintext. */
+        rv = crSpec->decode(
+            crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
+            plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
+        if (rv != SECSuccess) {
+            goto decrypt_loser;
+        }
 
-    PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
+        PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
 
-    originalLen = plaintext->len;
+        originalLen = plaintext->len;
 
-    /* If it's a block cipher, check and strip the padding. */
-    if (cipher_def->type == type_block) {
-        const unsigned int blockSize = cipher_def->block_size;
-        const unsigned int macSize = crSpec->mac_size;
+        /* If it's a block cipher, check and strip the padding. */
+        if (cipher_def->type == type_block) {
+            const unsigned int blockSize = cipher_def->block_size;
+            const unsigned int macSize = crSpec->mac_size;
 
-        if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
-            good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
-                        plaintext, blockSize, macSize));
+            if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
+                good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
+                            plaintext, blockSize, macSize));
+            } else {
+                good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
+                            plaintext, macSize));
+            }
+        }
+
+        /* compute the MAC */
+        if (cipher_def->type == type_block) {
+            rv = ssl3_ComputeRecordMACConstantTime(
+                crSpec, (PRBool)(!ss->sec.isServer),
+                IS_DTLS(ss), rType, cText->version,
+                IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
+                plaintext->buf, plaintext->len, originalLen,
+                hash, &hashBytes);
+
+            ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
+                              crSpec->mac_size);
+            givenHash = givenHashBuf;
+
+            /* plaintext->len will always have enough space to remove the MAC
+             * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
+             * plaintext->len if the result has enough space for the MAC and we
+             * tested the unadjusted size against minLength, above. */
+            plaintext->len -= crSpec->mac_size;
         } else {
-            good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
-                        plaintext, macSize));
+            /* This is safe because we checked the minLength above. */
+            plaintext->len -= crSpec->mac_size;
+
+            rv = ssl3_ComputeRecordMAC(
+                crSpec, (PRBool)(!ss->sec.isServer),
+                IS_DTLS(ss), rType, cText->version,
+                IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
+                plaintext->buf, plaintext->len,
+                hash, &hashBytes);
+
+            /* We can read the MAC directly from the record because its location
+             * is public when a stream cipher is used. */
+            givenHash = plaintext->buf + plaintext->len;
+        }
+
+        good &= SECStatusToMask(rv);
+
+        if (hashBytes != (unsigned)crSpec->mac_size ||
+            NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
+            /* We're allowed to leak whether or not the MAC check was correct */
+            good = 0;
         }
     }
 
-    /* compute the MAC */
-    rType = cText->type;
-    if (cipher_def->type == type_block) {
-        rv = ssl3_ComputeRecordMACConstantTime(
-            crSpec, (PRBool)(!ss->sec.isServer),
-            IS_DTLS(ss), rType, cText->version,
-            IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
-            plaintext->buf, plaintext->len, originalLen,
-            hash, &hashBytes);
-
-        ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf,
-                          crSpec->mac_size);
-        givenHash = givenHashBuf;
-
-        /* plaintext->len will always have enough space to remove the MAC
-         * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust
-         * plaintext->len if the result has enough space for the MAC and we
-         * tested the unadjusted size against minLength, above. */
-        plaintext->len -= crSpec->mac_size;
-    } else {
-        /* This is safe because we checked the minLength above. */
-        plaintext->len -= crSpec->mac_size;
-
-        rv = ssl3_ComputeRecordMAC(
-            crSpec, (PRBool)(!ss->sec.isServer),
-            IS_DTLS(ss), rType, cText->version,
-            IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
-            plaintext->buf, plaintext->len,
-            hash, &hashBytes);
-
-        /* We can read the MAC directly from the record because its location is
-         * public when a stream cipher is used. */
-        givenHash = plaintext->buf + plaintext->len;
-    }
-
-    good &= SECStatusToMask(rv);
-
-    if (hashBytes != (unsigned)crSpec->mac_size ||
-        NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
-        /* We're allowed to leak whether or not the MAC check was correct */
-        good = 0;
-    }
-
     if (good == 0) {
 decrypt_loser:
         /* must not hold spec lock when calling SSL3_SendAlert. */
         ssl_ReleaseSpecReadLock(ss);
 
         SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
 
         if (!IS_DTLS(ss)) {
             SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
             /* always log mac error, in case attacker can read server logs. */
@@ skipping 639 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */