OLD | NEW |
1 Index: net/third_party/nss/ssl/sslinfo.c | 1 Index: net/third_party/nss/ssl/sslinfo.c |
2 =================================================================== | 2 =================================================================== |
3 --- net/third_party/nss/ssl/sslinfo.c» (revision 215189) | 3 --- net/third_party/nss/ssl/sslinfo.c» (revision 217715) |
4 +++ net/third_party/nss/ssl/sslinfo.c (working copy) | 4 +++ net/third_party/nss/ssl/sslinfo.c (working copy) |
5 @@ -109,7 +109,7 @@ | 5 @@ -109,7 +109,7 @@ |
6 #define K_ECDHE "ECDHE", kt_ecdh | 6 #define K_ECDHE "ECDHE", kt_ecdh |
7 | 7 |
8 #define C_SEED "SEED", calg_seed | 8 #define C_SEED "SEED", calg_seed |
9 -#define C_CAMELLIA "CAMELLIA", calg_camellia | 9 -#define C_CAMELLIA "CAMELLIA", calg_camellia |
10 +#define C_CAMELLIA "CAMELLIA", calg_camellia | 10 +#define C_CAMELLIA "CAMELLIA", calg_camellia |
11 #define C_AES "AES", calg_aes | 11 #define C_AES "AES", calg_aes |
12 #define C_RC4 "RC4", calg_rc4 | 12 #define C_RC4 "RC4", calg_rc4 |
13 #define C_RC2 "RC2", calg_rc2 | 13 #define C_RC2 "RC2", calg_rc2 |
14 @@ -117,6 +117,7 @@ | 14 @@ -117,6 +117,7 @@ |
15 #define C_3DES "3DES", calg_3des | 15 #define C_3DES "3DES", calg_3des |
16 #define C_NULL "NULL", calg_null | 16 #define C_NULL "NULL", calg_null |
17 #define C_SJ "SKIPJACK", calg_sj | 17 #define C_SJ "SKIPJACK", calg_sj |
18 +#define C_AESGCM "AES-GCM", calg_aes_gcm | 18 +#define C_AESGCM "AES-GCM", calg_aes_gcm |
19 | 19 |
20 #define B_256 256, 256, 256 | 20 #define B_256 256, 256, 256 |
21 #define B_128 128, 128, 128 | 21 #define B_128 128, 128, 128 |
22 @@ -130,9 +131,12 @@ | 22 @@ -127,12 +128,16 @@ |
| 23 #define B_40 128, 40, 40 |
| 24 #define B_0 » 0, 0, 0 |
| 25 |
| 26 +#define M_AEAD_128 "AEAD", ssl_mac_aead, 128 |
23 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256 | 27 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256 |
24 #define M_SHA "SHA1", ssl_mac_sha, 160 | 28 #define M_SHA "SHA1", ssl_mac_sha, 160 |
25 #define M_MD5 "MD5", ssl_mac_md5, 128 | 29 #define M_MD5 "MD5", ssl_mac_md5, 128 |
26 +#define M_NULL "NULL", ssl_mac_null, 0 | 30 +#define M_NULL "NULL", ssl_mac_null, 0 |
27 | 31 |
28 static const SSLCipherSuiteInfo suiteInfo[] = { | 32 static const SSLCipherSuiteInfo suiteInfo[] = { |
29 /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC>
<FIPS> */ | 33 /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC>
<FIPS> */ |
30 +{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_
NULL, 1, 0, 0, }, | 34 +{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_
AEAD_128, 1, 0, 0, }, |
31 + | 35 + |
32 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256,
M_SHA, 0, 0, 0, }, | 36 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256,
M_SHA, 0, 0, 0, }, |
33 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256,
M_SHA, 0, 0, 0, }, | 37 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256,
M_SHA, 0, 0, 0, }, |
34 {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA
256, 1, 0, 0, }, | 38 {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA
256, 1, 0, 0, }, |
35 @@ -146,6 +150,7 @@ | 39 @@ -146,6 +151,7 @@ |
36 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128,
M_SHA, 0, 0, 0, }, | 40 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128,
M_SHA, 0, 0, 0, }, |
37 {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA
, 0, 0, 0, }, | 41 {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA
, 0, 0, 0, }, |
38 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA
256, 1, 0, 0, }, | 42 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA
256, 1, 0, 0, }, |
39 +{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_
NULL, 1, 0, 0, }, | 43 +{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_
AEAD_128, 1, 0, 0, }, |
40 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA
, 1, 0, 0, }, | 44 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA
, 1, 0, 0, }, |
41 {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA
, 1, 0, 0, }, | 45 {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA
, 1, 0, 0, }, |
42 {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA
, 1, 0, 0, }, | 46 {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA
, 1, 0, 0, }, |
43 @@ -175,6 +180,9 @@ | 47 @@ -175,6 +181,9 @@ |
44 | 48 |
45 #ifdef NSS_ENABLE_ECC | 49 #ifdef NSS_ENABLE_ECC |
46 /* ECC cipher suites */ | 50 /* ECC cipher suites */ |
47 +{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128,
M_NULL, 1, 0, 0, }, | 51 +{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128,
M_AEAD_128, 1, 0, 0, }, |
48 +{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_1
28, M_NULL, 1, 0, 0, }, | 52 +{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_1
28, M_AEAD_128, 1, 0, 0, }, |
49 + | 53 + |
50 {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_S
HA, 0, 0, 0, }, | 54 {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_S
HA, 0, 0, 0, }, |
51 {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_
SHA, 0, 0, 0, }, | 55 {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_
SHA, 0, 0, 0, }, |
52 {0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDH, C_3DES, B_3DES,
M_SHA, 1, 0, 0, }, | 56 {0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDH, C_3DES, B_3DES,
M_SHA, 1, 0, 0, }, |
53 Index: net/third_party/nss/ssl/sslimpl.h | 57 Index: net/third_party/nss/ssl/sslimpl.h |
54 =================================================================== | 58 =================================================================== |
55 --- net/third_party/nss/ssl/sslimpl.h» (revision 215189) | 59 --- net/third_party/nss/ssl/sslimpl.h» (revision 217715) |
56 +++ net/third_party/nss/ssl/sslimpl.h (working copy) | 60 +++ net/third_party/nss/ssl/sslimpl.h (working copy) |
57 @@ -64,6 +64,7 @@ | 61 @@ -64,6 +64,7 @@ |
58 #define calg_aes ssl_calg_aes | 62 #define calg_aes ssl_calg_aes |
59 #define calg_camellia ssl_calg_camellia | 63 #define calg_camellia ssl_calg_camellia |
60 #define calg_seed ssl_calg_seed | 64 #define calg_seed ssl_calg_seed |
61 +#define calg_aes_gcm ssl_calg_aes_gcm | 65 +#define calg_aes_gcm ssl_calg_aes_gcm |
62 | 66 |
63 #define mac_null ssl_mac_null | 67 #define mac_null ssl_mac_null |
64 #define mac_md5 ssl_mac_md5 | 68 #define mac_md5 ssl_mac_md5 |
65 @@ -290,9 +291,9 @@ | 69 @@ -71,6 +72,7 @@ |
| 70 #define hmac_md5» ssl_hmac_md5 |
| 71 #define hmac_sha» ssl_hmac_sha |
| 72 #define hmac_sha256» ssl_hmac_sha256 |
| 73 +#define mac_aead» ssl_mac_aead |
| 74 |
| 75 #define SET_ERROR_CODE»» /* reminder */ |
| 76 #define SEND_ALERT» » /* reminder */ |
| 77 @@ -290,9 +292,9 @@ |
66 } ssl3CipherSuiteCfg; | 78 } ssl3CipherSuiteCfg; |
67 | 79 |
68 #ifdef NSS_ENABLE_ECC | 80 #ifdef NSS_ENABLE_ECC |
69 -#define ssl_V3_SUITES_IMPLEMENTED 57 | 81 -#define ssl_V3_SUITES_IMPLEMENTED 57 |
70 +#define ssl_V3_SUITES_IMPLEMENTED 61 | 82 +#define ssl_V3_SUITES_IMPLEMENTED 61 |
71 #else | 83 #else |
72 -#define ssl_V3_SUITES_IMPLEMENTED 35 | 84 -#define ssl_V3_SUITES_IMPLEMENTED 35 |
73 +#define ssl_V3_SUITES_IMPLEMENTED 37 | 85 +#define ssl_V3_SUITES_IMPLEMENTED 37 |
74 #endif /* NSS_ENABLE_ECC */ | 86 #endif /* NSS_ENABLE_ECC */ |
75 | 87 |
76 #define MAX_DTLS_SRTP_CIPHER_SUITES 4 | 88 #define MAX_DTLS_SRTP_CIPHER_SUITES 4 |
77 @@ -440,20 +441,6 @@ | 89 @@ -440,20 +442,6 @@ |
78 #define GS_DATA 3 | 90 #define GS_DATA 3 |
79 #define GS_PAD 4 | 91 #define GS_PAD 4 |
80 | 92 |
81 -typedef SECStatus (*SSLCipher)(void * context, | 93 -typedef SECStatus (*SSLCipher)(void * context, |
82 - unsigned char * out, | 94 - unsigned char * out, |
83 - int * outlen, | 95 - int * outlen, |
84 - int maxout, | 96 - int maxout, |
85 - const unsigned char *in, | 97 - const unsigned char *in, |
86 - int inlen); | 98 - int inlen); |
87 -typedef SECStatus (*SSLCompressor)(void * context, | 99 -typedef SECStatus (*SSLCompressor)(void * context, |
88 - unsigned char * out, | 100 - unsigned char * out, |
89 - int * outlen, | 101 - int * outlen, |
90 - int maxout, | 102 - int maxout, |
91 - const unsigned char *in, | 103 - const unsigned char *in, |
92 - int inlen); | 104 - int inlen); |
93 -typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); | 105 -typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); |
94 - | 106 - |
95 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) | 107 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) |
96 typedef PCERT_KEY_CONTEXT PlatformKey; | 108 typedef PCERT_KEY_CONTEXT PlatformKey; |
97 #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) | 109 #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) |
98 @@ -485,11 +472,12 @@ | 110 @@ -485,11 +473,12 @@ |
99 cipher_camellia_128, | 111 cipher_camellia_128, |
100 cipher_camellia_256, | 112 cipher_camellia_256, |
101 cipher_seed, | 113 cipher_seed, |
102 + cipher_aes_128_gcm, | 114 + cipher_aes_128_gcm, |
103 cipher_missing /* reserved for no such supported cipher */ | 115 cipher_missing /* reserved for no such supported cipher */ |
104 /* This enum must match ssl3_cipherName[] in ssl3con.c. */ | 116 /* This enum must match ssl3_cipherName[] in ssl3con.c. */ |
105 } SSL3BulkCipher; | 117 } SSL3BulkCipher; |
106 | 118 |
107 -typedef enum { type_stream, type_block } CipherType; | 119 -typedef enum { type_stream, type_block } CipherType; |
108 +typedef enum { type_stream, type_block, type_aead } CipherType; | 120 +typedef enum { type_stream, type_block, type_aead } CipherType; |
109 | 121 |
110 #define MAX_IV_LENGTH 24 | 122 #define MAX_IV_LENGTH 24 |
111 | 123 |
112 @@ -531,6 +519,31 @@ | 124 @@ -531,6 +520,30 @@ |
113 PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS]; | 125 PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS]; |
114 } ssl3KeyMaterial; | 126 } ssl3KeyMaterial; |
115 | 127 |
116 +typedef SECStatus (*SSLCipher)(void * context, | 128 +typedef SECStatus (*SSLCipher)(void * context, |
117 + unsigned char * out, | 129 + unsigned char * out, |
118 + int * outlen, | 130 + int * outlen, |
119 + int maxout, | 131 + int maxout, |
120 + const unsigned char *in, | 132 + const unsigned char *in, |
121 + int inlen); | 133 + int inlen); |
122 +typedef SECStatus (*SSLAEADCipher)( | 134 +typedef SECStatus (*SSLAEADCipher)( |
123 + ssl3KeyMaterial * keys, | 135 + ssl3KeyMaterial * keys, |
124 + PRBool doDecrypt, | 136 + PRBool doDecrypt, |
125 + unsigned char * out, | 137 + unsigned char * out, |
126 + int * outlen, | 138 + int * outlen, |
127 + int maxout, | 139 + int maxout, |
128 + const unsigned char *in, | 140 + const unsigned char *in, |
129 + int inlen, | 141 + int inlen, |
130 +» » » SSL3ContentType type, | 142 +» » » const unsigned char *additionalData, |
131 +» » » SSL3ProtocolVersion version, | 143 +» » » int additionalDataLen); |
132 +» » » SSL3SequenceNumber seqnum); | |
133 +typedef SECStatus (*SSLCompressor)(void * context, | 144 +typedef SECStatus (*SSLCompressor)(void * context, |
134 + unsigned char * out, | 145 + unsigned char * out, |
135 + int * outlen, | 146 + int * outlen, |
136 + int maxout, | 147 + int maxout, |
137 + const unsigned char *in, | 148 + const unsigned char *in, |
138 + int inlen); | 149 + int inlen); |
139 +typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); | 150 +typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); |
140 + | 151 + |
141 /* The DTLS anti-replay window. Defined here because we need it in | 152 /* The DTLS anti-replay window. Defined here because we need it in |
142 * the cipher spec. Note that this is a ring buffer but left and | 153 * the cipher spec. Note that this is a ring buffer but left and |
(...skipping 20 matching lines...) Expand all Loading... |
163 int iv_size; | 174 int iv_size; |
164 int block_size; | 175 int block_size; |
165 - SSL3KeyGenMode keygen_mode; | 176 - SSL3KeyGenMode keygen_mode; |
166 + int tag_size; /* authentication tag size for AEAD ciphers. */ | 177 + int tag_size; /* authentication tag size for AEAD ciphers. */ |
167 + int explicit_nonce_size; /* for AEAD ciphers. */ | 178 + int explicit_nonce_size; /* for AEAD ciphers. */ |
168 }; | 179 }; |
169 | 180 |
170 /* | 181 /* |
171 Index: net/third_party/nss/ssl/ssl3ecc.c | 182 Index: net/third_party/nss/ssl/ssl3ecc.c |
172 =================================================================== | 183 =================================================================== |
173 --- net/third_party/nss/ssl/ssl3ecc.c» (revision 215189) | 184 --- net/third_party/nss/ssl/ssl3ecc.c» (revision 217715) |
174 +++ net/third_party/nss/ssl/ssl3ecc.c (working copy) | 185 +++ net/third_party/nss/ssl/ssl3ecc.c (working copy) |
175 @@ -911,6 +911,7 @@ | 186 @@ -911,6 +911,7 @@ |
176 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, | 187 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
177 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, | 188 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, |
178 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, | 189 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, |
179 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | 190 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
180 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, | 191 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
181 TLS_ECDHE_ECDSA_WITH_NULL_SHA, | 192 TLS_ECDHE_ECDSA_WITH_NULL_SHA, |
182 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, | 193 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
183 @@ -921,6 +922,7 @@ | 194 @@ -921,6 +922,7 @@ |
(...skipping 14 matching lines...) Expand all Loading... |
198 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, | 209 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
199 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, | 210 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, |
200 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, | 211 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, |
201 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, | 212 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, |
202 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | 213 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
203 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, | 214 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, |
204 TLS_ECDHE_RSA_WITH_NULL_SHA, | 215 TLS_ECDHE_RSA_WITH_NULL_SHA, |
205 TLS_ECDHE_RSA_WITH_RC4_128_SHA, | 216 TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
206 Index: net/third_party/nss/ssl/sslsock.c | 217 Index: net/third_party/nss/ssl/sslsock.c |
207 =================================================================== | 218 =================================================================== |
208 --- net/third_party/nss/ssl/sslsock.c» (revision 215189) | 219 --- net/third_party/nss/ssl/sslsock.c» (revision 217715) |
209 +++ net/third_party/nss/ssl/sslsock.c (working copy) | 220 +++ net/third_party/nss/ssl/sslsock.c (working copy) |
210 @@ -67,8 +67,10 @@ | 221 @@ -67,8 +67,10 @@ |
211 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 222 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
212 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 223 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
213 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 224 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
214 + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 225 + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
215 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 226 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
216 { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 227 { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
217 + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 228 + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
218 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 229 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
(...skipping 10 matching lines...) Expand all Loading... |
229 @@ -105,6 +108,7 @@ | 240 @@ -105,6 +108,7 @@ |
230 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 241 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
231 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 242 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
232 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 243 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
233 + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 244 + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
234 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, | 245 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
235 #endif /* NSS_ENABLE_ECC */ | 246 #endif /* NSS_ENABLE_ECC */ |
236 { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } | 247 { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } |
237 Index: net/third_party/nss/ssl/ssl3con.c | 248 Index: net/third_party/nss/ssl/ssl3con.c |
238 =================================================================== | 249 =================================================================== |
239 --- net/third_party/nss/ssl/ssl3con.c» (revision 215189) | 250 --- net/third_party/nss/ssl/ssl3con.c» (revision 217715) |
240 +++ net/third_party/nss/ssl/ssl3con.c (working copy) | 251 +++ net/third_party/nss/ssl/ssl3con.c (working copy) |
241 @@ -78,6 +78,14 @@ | 252 @@ -78,6 +78,13 @@ |
242 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, | 253 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
243 int maxOutputLen, const unsigned char *input, | 254 int maxOutputLen, const unsigned char *input, |
244 int inputLen); | 255 int inputLen); |
245 +#ifndef NO_PKCS11_BYPASS | 256 +#ifndef NO_PKCS11_BYPASS |
246 +static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, | 257 +static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, |
247 + unsigned char *out, int *outlen, int maxout, | 258 + unsigned char *out, int *outlen, int maxout, |
248 + const unsigned char *in, int inlen, | 259 + const unsigned char *in, int inlen, |
249 +» » » » SSL3ContentType type, | 260 +» » » » const unsigned char *additionalData, |
250 +» » » » SSL3ProtocolVersion version, | 261 +» » » » int additionalDataLen); |
251 +» » » » SSL3SequenceNumber seq_num); | |
252 +#endif | 262 +#endif |
253 | 263 |
254 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ | 264 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
255 #define MIN_SEND_BUF_LENGTH 4000 | 265 #define MIN_SEND_BUF_LENGTH 4000 |
256 @@ -90,6 +98,13 @@ | 266 @@ -90,6 +97,13 @@ |
257 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { | 267 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
258 /* cipher_suite policy enabled is_present*
/ | 268 /* cipher_suite policy enabled is_present*
/ |
259 #ifdef NSS_ENABLE_ECC | 269 #ifdef NSS_ENABLE_ECC |
260 + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 270 + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
261 + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 271 + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
262 +#endif /* NSS_ENABLE_ECC */ | 272 +#endif /* NSS_ENABLE_ECC */ |
263 + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | 273 + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
264 + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, | 274 + { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, |
265 + | 275 + |
266 +#ifdef NSS_ENABLE_ECC | 276 +#ifdef NSS_ENABLE_ECC |
267 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 277 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
268 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, | 278 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
269 #endif /* NSS_ENABLE_ECC */ | 279 #endif /* NSS_ENABLE_ECC */ |
270 @@ -233,23 +248,30 @@ | 280 @@ -233,23 +247,30 @@ |
271 | 281 |
272 /* indexed by SSL3BulkCipher */ | 282 /* indexed by SSL3BulkCipher */ |
273 static const ssl3BulkCipherDef bulk_cipher_defs[] = { | 283 static const ssl3BulkCipherDef bulk_cipher_defs[] = { |
274 - /* cipher calg keySz secretSz type ivSz BlkSz keygen */ | 284 - /* cipher calg keySz secretSz type ivSz BlkSz keygen */ |
275 - {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null}, | 285 - {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null}, |
276 - {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong}, | 286 - {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong}, |
277 - {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export}, | 287 - {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export}, |
278 - {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export}, | 288 - {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export}, |
279 - {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong}, | 289 - {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong}, |
280 - {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export}, | 290 - {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export}, |
(...skipping 27 matching lines...) Expand all Loading... |
308 + {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0}, | 318 + {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0}, |
309 + {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0}, | 319 + {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0}, |
310 + {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0}, | 320 + {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0}, |
311 + {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, | 321 + {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, |
312 + {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, | 322 + {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, |
313 + {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, | 323 + {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, |
314 + {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, | 324 + {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, |
315 }; | 325 }; |
316 | 326 |
317 static const ssl3KEADef kea_defs[] = | 327 static const ssl3KEADef kea_defs[] = |
318 @@ -371,6 +393,11 @@ | 328 @@ -371,6 +392,11 @@ |
319 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, | 329 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, |
320 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, | 330 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, |
321 | 331 |
322 + {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe
_rsa}, | 332 + {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe
_rsa}, |
323 + {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, | 333 + {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, |
324 + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_e
cdhe_rsa}, | 334 + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_e
cdhe_rsa}, |
325 + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea
_ecdhe_ecdsa}, | 335 + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea
_ecdhe_ecdsa}, |
326 + | 336 + |
327 #ifdef NSS_ENABLE_ECC | 337 #ifdef NSS_ENABLE_ECC |
328 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}
, | 338 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}
, |
329 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}
, | 339 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}
, |
330 @@ -434,6 +461,7 @@ | 340 @@ -434,25 +460,29 @@ |
331 { calg_aes , CKM_AES_CBC }, | 341 { calg_aes , CKM_AES_CBC }, |
332 { calg_camellia , CKM_CAMELLIA_CBC }, | 342 { calg_camellia , CKM_CAMELLIA_CBC }, |
333 { calg_seed , CKM_SEED_CBC }, | 343 { calg_seed , CKM_SEED_CBC }, |
334 + { calg_aes_gcm , CKM_AES_GCM }, | 344 + { calg_aes_gcm , CKM_AES_GCM }, |
335 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ | 345 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ |
336 }; | 346 }; |
337 | 347 |
338 @@ -472,6 +500,7 @@ | 348 -#define mmech_null (CK_MECHANISM_TYPE)0x80000000L |
| 349 +#define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L |
| 350 #define mmech_md5 CKM_SSL3_MD5_MAC |
| 351 #define mmech_sha CKM_SSL3_SHA1_MAC |
| 352 #define mmech_md5_hmac CKM_MD5_HMAC |
| 353 #define mmech_sha_hmac CKM_SHA_1_HMAC |
| 354 #define mmech_sha256_hmac CKM_SHA256_HMAC |
| 355 +#define mmech_sha384_hmac CKM_SHA384_HMAC |
| 356 +#define mmech_sha512_hmac CKM_SHA512_HMAC |
| 357 |
| 358 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ |
| 359 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ |
| 360 /* mac mmech pad_size mac_size */ |
| 361 - { mac_null, mmech_null, 0, 0 }, |
| 362 + { mac_null, mmech_invalid, 0, 0 }, |
| 363 { mac_md5, mmech_md5, 48, MD5_LENGTH }, |
| 364 { mac_sha, mmech_sha, 40, SHA1_LENGTH}, |
| 365 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, |
| 366 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, |
| 367 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, |
| 368 + { mac_aead, mmech_invalid, 0, 0 }, |
| 369 }; |
| 370 |
| 371 /* indexed by SSL3BulkCipher */ |
| 372 @@ -472,6 +502,7 @@ |
339 "Camellia-128", | 373 "Camellia-128", |
340 "Camellia-256", | 374 "Camellia-256", |
341 "SEED-CBC", | 375 "SEED-CBC", |
342 + "AES-128-GCM", | 376 + "AES-128-GCM", |
343 "missing" | 377 "missing" |
344 }; | 378 }; |
345 | 379 |
346 @@ -598,9 +627,13 @@ | 380 @@ -598,9 +629,13 @@ |
347 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: | 381 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: |
348 case TLS_RSA_WITH_AES_256_CBC_SHA256: | 382 case TLS_RSA_WITH_AES_256_CBC_SHA256: |
349 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: | 383 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: |
350 + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: | 384 + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: |
351 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: | 385 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: |
352 + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: | 386 + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: |
353 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: | 387 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: |
354 + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: | 388 + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: |
355 case TLS_RSA_WITH_AES_128_CBC_SHA256: | 389 case TLS_RSA_WITH_AES_128_CBC_SHA256: |
356 + case TLS_RSA_WITH_AES_128_GCM_SHA256: | 390 + case TLS_RSA_WITH_AES_128_GCM_SHA256: |
357 case TLS_RSA_WITH_NULL_SHA256: | 391 case TLS_RSA_WITH_NULL_SHA256: |
358 return version >= SSL_LIBRARY_VERSION_TLS_1_2; | 392 return version >= SSL_LIBRARY_VERSION_TLS_1_2; |
359 default: | 393 default: |
360 @@ -1360,7 +1393,7 @@ | 394 @@ -1360,7 +1395,7 @@ |
361 cipher = suite_def->bulk_cipher_alg; | 395 cipher = suite_def->bulk_cipher_alg; |
362 kea = suite_def->key_exchange_alg; | 396 kea = suite_def->key_exchange_alg; |
363 mac = suite_def->mac_alg; | 397 mac = suite_def->mac_alg; |
364 - if (mac <= ssl_mac_sha && isTLS) | 398 - if (mac <= ssl_mac_sha && isTLS) |
365 + if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS) | 399 + if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS) |
366 mac += 2; | 400 mac += 2; |
367 | 401 |
368 ss->ssl3.hs.suite_def = suite_def; | 402 ss->ssl3.hs.suite_def = suite_def; |
369 @@ -1554,7 +1587,6 @@ | 403 @@ -1554,7 +1589,6 @@ |
370 unsigned int optArg2 = 0; | 404 unsigned int optArg2 = 0; |
371 PRBool server_encrypts = ss->sec.isServer; | 405 PRBool server_encrypts = ss->sec.isServer; |
372 SSLCipherAlgorithm calg; | 406 SSLCipherAlgorithm calg; |
373 - SSLCompressionMethod compression_method; | 407 - SSLCompressionMethod compression_method; |
374 SECStatus rv; | 408 SECStatus rv; |
375 | 409 |
376 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 410 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
377 @@ -1565,8 +1597,18 @@ | 411 @@ -1565,8 +1599,18 @@ |
378 cipher_def = pwSpec->cipher_def; | 412 cipher_def = pwSpec->cipher_def; |
379 | 413 |
380 calg = cipher_def->calg; | 414 calg = cipher_def->calg; |
381 - compression_method = pwSpec->compression_method; | 415 - compression_method = pwSpec->compression_method; |
382 | 416 |
383 + if (calg == calg_aes_gcm) { | 417 + if (calg == calg_aes_gcm) { |
384 + pwSpec->encode = NULL; | 418 + pwSpec->encode = NULL; |
385 + pwSpec->decode = NULL; | 419 + pwSpec->decode = NULL; |
386 + pwSpec->destroy = NULL; | 420 + pwSpec->destroy = NULL; |
387 + pwSpec->encodeContext = NULL; | 421 + pwSpec->encodeContext = NULL; |
388 + pwSpec->decodeContext = NULL; | 422 + pwSpec->decodeContext = NULL; |
389 + pwSpec->aead = ssl3_AESGCMBypass; | 423 + pwSpec->aead = ssl3_AESGCMBypass; |
390 + ssl3_InitCompressionContext(pwSpec); | 424 + ssl3_InitCompressionContext(pwSpec); |
391 + return SECSuccess; | 425 + return SECSuccess; |
392 + } | 426 + } |
393 + | 427 + |
394 serverContext = pwSpec->server.cipher_context; | 428 serverContext = pwSpec->server.cipher_context; |
395 clientContext = pwSpec->client.cipher_context; | 429 clientContext = pwSpec->client.cipher_context; |
396 | 430 |
397 @@ -1721,6 +1763,207 @@ | 431 @@ -1721,6 +1765,195 @@ |
398 return param; | 432 return param; |
399 } | 433 } |
400 | 434 |
401 +/* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which | 435 +/* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data |
402 + * is included in the MAC) to |out| and returns its length. */ | 436 + * which is included in the MAC or AEAD additional data) to |out| and returns |
| 437 + * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the |
| 438 + * definition of the AEAD additional data. |
| 439 + * |
| 440 + * TLS pseudo-header includes the record's version field, SSL's doesn't. Which |
| 441 + * pseudo-header defintiion to use should be decided based on the version of |
| 442 + * the protocol that was negotiated when the cipher spec became current, NOT |
| 443 + * based on the version value in the record itself, and the decision is passed |
| 444 + * to this function as the |includesVersion| argument. But, the |version| |
| 445 + * argument should be the record's version value. |
| 446 + */ |
403 +static unsigned int | 447 +static unsigned int |
404 +ssl3_BuildRecordPseudoHeader(unsigned char *out, | 448 +ssl3_BuildRecordPseudoHeader(unsigned char *out, |
405 + SSL3SequenceNumber seq_num, | 449 + SSL3SequenceNumber seq_num, |
406 + SSL3ContentType type, | 450 + SSL3ContentType type, |
407 + PRBool includesVersion, | 451 + PRBool includesVersion, |
408 + SSL3ProtocolVersion version, | 452 + SSL3ProtocolVersion version, |
409 + PRBool isDTLS, | 453 + PRBool isDTLS, |
410 + int length) | 454 + int length) |
411 +{ | 455 +{ |
412 + out[0] = (unsigned char)(seq_num.high >> 24); | 456 + out[0] = (unsigned char)(seq_num.high >> 24); |
(...skipping 30 matching lines...) Expand all Loading... |
443 +} | 487 +} |
444 + | 488 + |
445 +static SECStatus | 489 +static SECStatus |
446 +ssl3_AESGCM(ssl3KeyMaterial *keys, | 490 +ssl3_AESGCM(ssl3KeyMaterial *keys, |
447 + PRBool doDecrypt, | 491 + PRBool doDecrypt, |
448 + unsigned char *out, | 492 + unsigned char *out, |
449 + int *outlen, | 493 + int *outlen, |
450 + int maxout, | 494 + int maxout, |
451 + const unsigned char *in, | 495 + const unsigned char *in, |
452 + int inlen, | 496 + int inlen, |
453 +» SSL3ContentType type, | 497 +» const unsigned char *additionalData, |
454 +» SSL3ProtocolVersion version, | 498 +» int additionalDataLen) |
455 +» SSL3SequenceNumber seq_num) | |
456 +{ | 499 +{ |
457 + SECItem param; | 500 + SECItem param; |
458 + SECStatus rv = SECFailure; | 501 + SECStatus rv = SECFailure; |
459 + unsigned char nonce[12]; | 502 + unsigned char nonce[12]; |
460 + unsigned char additionalData[13]; | |
461 + unsigned int additionalDataLen; | |
462 + unsigned int uOutLen; | 503 + unsigned int uOutLen; |
463 + CK_GCM_PARAMS gcmParams; | 504 + CK_GCM_PARAMS gcmParams; |
464 + | 505 + |
465 + static const int tagSize = 16; | 506 + static const int tagSize = 16; |
466 + static const int explicitNonceLen = 8; | 507 + static const int explicitNonceLen = 8; |
467 + | 508 + |
468 + /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the | |
469 + * definition of the AEAD additional data. */ | |
470 + additionalDataLen = ssl3_BuildRecordPseudoHeader( | |
471 + additionalData, seq_num, type, PR_TRUE /* includes version */, | |
472 + version, PR_FALSE /* not DTLS */, | |
473 + inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); | |
474 + PORT_Assert(additionalDataLen <= sizeof(additionalData)); | |
475 + | |
476 + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the | 509 + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
477 + * nonce is formed. */ | 510 + * nonce is formed. */ |
478 + memcpy(nonce, keys->write_iv, 4); | 511 + memcpy(nonce, keys->write_iv, 4); |
479 + if (doDecrypt) { | 512 + if (doDecrypt) { |
480 + memcpy(nonce + 4, in, explicitNonceLen); | 513 + memcpy(nonce + 4, in, explicitNonceLen); |
481 + in += explicitNonceLen; | 514 + in += explicitNonceLen; |
482 + inlen -= explicitNonceLen; | 515 + inlen -= explicitNonceLen; |
483 + *outlen = 0; | 516 + *outlen = 0; |
484 + } else { | 517 + } else { |
485 + if (maxout < explicitNonceLen) { | 518 + if (maxout < explicitNonceLen) { |
486 + PORT_SetError(SEC_ERROR_INPUT_LEN); | 519 + PORT_SetError(SEC_ERROR_INPUT_LEN); |
487 + return SECFailure; | 520 + return SECFailure; |
488 + } | 521 + } |
489 + /* Use the 64-bit sequence number as the explicit nonce. */ | 522 + /* Use the 64-bit sequence number as the explicit nonce. */ |
490 + memcpy(nonce + 4, additionalData, explicitNonceLen); | 523 + memcpy(nonce + 4, additionalData, explicitNonceLen); |
491 + memcpy(out, additionalData, explicitNonceLen); | 524 + memcpy(out, additionalData, explicitNonceLen); |
492 + out += explicitNonceLen; | 525 + out += explicitNonceLen; |
493 + maxout -= explicitNonceLen; | 526 + maxout -= explicitNonceLen; |
494 + *outlen = explicitNonceLen; | 527 + *outlen = explicitNonceLen; |
495 + } | 528 + } |
496 + | 529 + |
497 + param.type = siBuffer; | 530 + param.type = siBuffer; |
498 + param.data = (unsigned char *) &gcmParams; | 531 + param.data = (unsigned char *) &gcmParams; |
499 + param.len = sizeof(gcmParams); | 532 + param.len = sizeof(gcmParams); |
500 + gcmParams.pIv = nonce; | 533 + gcmParams.pIv = nonce; |
501 + gcmParams.ulIvLen = sizeof(nonce); | 534 + gcmParams.ulIvLen = sizeof(nonce); |
502 + gcmParams.pAAD = additionalData; | 535 + gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ |
503 + gcmParams.ulAADLen = additionalDataLen; | 536 + gcmParams.ulAADLen = additionalDataLen; |
504 + gcmParams.ulTagBits = tagSize * 8; | 537 + gcmParams.ulTagBits = tagSize * 8; |
505 + | 538 + |
506 + if (doDecrypt) { | 539 + if (doDecrypt) { |
507 + rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, | 540 + rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
508 + maxout, in, inlen); | 541 + maxout, in, inlen); |
509 + } else { | 542 + } else { |
510 + rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, | 543 + rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, |
511 + maxout, in, inlen); | 544 + maxout, in, inlen); |
512 + } | 545 + } |
513 + *outlen += (int) uOutLen; | 546 + *outlen += (int) uOutLen; |
514 + | 547 + |
515 + return rv; | 548 + return rv; |
516 +} | 549 +} |
517 + | 550 + |
518 +#ifndef NO_PKCS11_BYPASS | 551 +#ifndef NO_PKCS11_BYPASS |
519 +static SECStatus | 552 +static SECStatus |
520 +ssl3_AESGCMBypass(ssl3KeyMaterial *keys, | 553 +ssl3_AESGCMBypass(ssl3KeyMaterial *keys, |
521 + PRBool doDecrypt, | 554 + PRBool doDecrypt, |
522 + unsigned char *out, | 555 + unsigned char *out, |
523 + int *outlen, | 556 + int *outlen, |
524 + int maxout, | 557 + int maxout, |
525 + const unsigned char *in, | 558 + const unsigned char *in, |
526 + int inlen, | 559 + int inlen, |
527 +» » SSL3ContentType type, | 560 +» » const unsigned char *additionalData, |
528 +» » SSL3ProtocolVersion version, | 561 +» » int additionalDataLen) |
529 +» » SSL3SequenceNumber seq_num) | |
530 +{ | 562 +{ |
531 + SECStatus rv = SECFailure; | 563 + SECStatus rv = SECFailure; |
532 + unsigned char nonce[12]; | 564 + unsigned char nonce[12]; |
533 + unsigned char additionalData[13]; | |
534 + unsigned int additionalDataLen; | |
535 + unsigned int uOutLen; | 565 + unsigned int uOutLen; |
536 + AESContext *cx; | 566 + AESContext *cx; |
537 + CK_GCM_PARAMS gcmParams; | 567 + CK_GCM_PARAMS gcmParams; |
538 + | 568 + |
539 + static const int tagSize = 16; | 569 + static const int tagSize = 16; |
540 + static const int explicitNonceLen = 8; | 570 + static const int explicitNonceLen = 8; |
541 + | 571 + |
542 + /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the | |
543 + * definition of the AEAD additional data. */ | |
544 + additionalDataLen = ssl3_BuildRecordPseudoHeader( | |
545 + additionalData, seq_num, type, PR_TRUE /* includes version */, | |
546 + version, PR_FALSE /* not DTLS */, | |
547 + inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); | |
548 + PORT_Assert(additionalDataLen <= sizeof(additionalData)); | |
549 + | |
550 + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the | 572 + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
551 + * nonce is formed. */ | 573 + * nonce is formed. */ |
552 + PORT_Assert(keys->write_iv_item.len == 4); | 574 + PORT_Assert(keys->write_iv_item.len == 4); |
553 + if (keys->write_iv_item.len != 4) { | 575 + if (keys->write_iv_item.len != 4) { |
554 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | 576 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
555 + return SECFailure; | 577 + return SECFailure; |
556 + } | 578 + } |
557 + memcpy(nonce, keys->write_iv_item.data, 4); | 579 + memcpy(nonce, keys->write_iv_item.data, 4); |
558 + if (doDecrypt) { | 580 + if (doDecrypt) { |
559 + memcpy(nonce + 4, in, explicitNonceLen); | 581 + memcpy(nonce + 4, in, explicitNonceLen); |
560 + in += explicitNonceLen; | 582 + in += explicitNonceLen; |
561 + inlen -= explicitNonceLen; | 583 + inlen -= explicitNonceLen; |
562 + *outlen = 0; | 584 + *outlen = 0; |
563 + } else { | 585 + } else { |
564 + if (maxout < explicitNonceLen) { | 586 + if (maxout < explicitNonceLen) { |
565 + PORT_SetError(SEC_ERROR_INPUT_LEN); | 587 + PORT_SetError(SEC_ERROR_INPUT_LEN); |
566 + return SECFailure; | 588 + return SECFailure; |
567 + } | 589 + } |
568 + /* Use the 64-bit sequence number as the explicit nonce. */ | 590 + /* Use the 64-bit sequence number as the explicit nonce. */ |
569 + memcpy(nonce + 4, additionalData, explicitNonceLen); | 591 + memcpy(nonce + 4, additionalData, explicitNonceLen); |
570 + memcpy(out, additionalData, explicitNonceLen); | 592 + memcpy(out, additionalData, explicitNonceLen); |
571 + out += explicitNonceLen; | 593 + out += explicitNonceLen; |
572 + maxout -= explicitNonceLen; | 594 + maxout -= explicitNonceLen; |
573 + *outlen = explicitNonceLen; | 595 + *outlen = explicitNonceLen; |
574 + } | 596 + } |
575 + | 597 + |
576 + gcmParams.pIv = nonce; | 598 + gcmParams.pIv = nonce; |
577 + gcmParams.ulIvLen = sizeof(nonce); | 599 + gcmParams.ulIvLen = sizeof(nonce); |
578 + gcmParams.pAAD = additionalData; | 600 + gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ |
579 + gcmParams.ulAADLen = additionalDataLen; | 601 + gcmParams.ulAADLen = additionalDataLen; |
580 + gcmParams.ulTagBits = tagSize * 8; | 602 + gcmParams.ulTagBits = tagSize * 8; |
581 + | 603 + |
582 + cx = (AESContext *)keys->cipher_context; | 604 + cx = (AESContext *)keys->cipher_context; |
583 + rv = AES_InitContext(cx, keys->write_key_item.data, | 605 + rv = AES_InitContext(cx, keys->write_key_item.data, |
584 + keys->write_key_item.len, | 606 + keys->write_key_item.len, |
585 + (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, | 607 + (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, |
586 + AES_BLOCK_SIZE); | 608 + AES_BLOCK_SIZE); |
587 + if (rv != SECSuccess) { | 609 + if (rv != SECSuccess) { |
588 + return rv; | 610 + return rv; |
589 + } | 611 + } |
590 + if (doDecrypt) { | 612 + if (doDecrypt) { |
591 + rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen); | 613 + rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen); |
592 + } else { | 614 + } else { |
593 + rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen); | 615 + rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen); |
594 + } | 616 + } |
595 + AES_DestroyContext(cx, PR_FALSE); | 617 + AES_DestroyContext(cx, PR_FALSE); |
596 + *outlen += (int) uOutLen; | 618 + *outlen += (int) uOutLen; |
597 + | 619 + |
598 + return rv; | 620 + return rv; |
599 +} | 621 +} |
600 +#endif | 622 +#endif |
601 + | 623 + |
602 /* Initialize encryption and MAC contexts for pending spec. | 624 /* Initialize encryption and MAC contexts for pending spec. |
603 * Master Secret already is derived. | 625 * Master Secret already is derived. |
604 * Caller holds Spec write lock. | 626 * Caller holds Spec write lock. |
605 @@ -1748,14 +1991,27 @@ | 627 @@ -1748,14 +1981,27 @@ |
606 pwSpec = ss->ssl3.pwSpec; | 628 pwSpec = ss->ssl3.pwSpec; |
607 cipher_def = pwSpec->cipher_def; | 629 cipher_def = pwSpec->cipher_def; |
608 macLength = pwSpec->mac_size; | 630 macLength = pwSpec->mac_size; |
609 + calg = cipher_def->calg; | 631 + calg = cipher_def->calg; |
610 + PORT_Assert(alg2Mech[calg].calg == calg); | 632 + PORT_Assert(alg2Mech[calg].calg == calg); |
611 | 633 |
612 + pwSpec->client.write_mac_context = NULL; | 634 + pwSpec->client.write_mac_context = NULL; |
613 + pwSpec->server.write_mac_context = NULL; | 635 + pwSpec->server.write_mac_context = NULL; |
614 + | 636 + |
615 + if (calg == calg_aes_gcm) { | 637 + if (calg == calg_aes_gcm) { |
616 + pwSpec->encode = NULL; | 638 + pwSpec->encode = NULL; |
617 + pwSpec->decode = NULL; | 639 + pwSpec->decode = NULL; |
618 + pwSpec->destroy = NULL; | 640 + pwSpec->destroy = NULL; |
619 + pwSpec->encodeContext = NULL; | 641 + pwSpec->encodeContext = NULL; |
620 + pwSpec->decodeContext = NULL; | 642 + pwSpec->decodeContext = NULL; |
621 + pwSpec->aead = ssl3_AESGCM; | 643 + pwSpec->aead = ssl3_AESGCM; |
622 + return SECSuccess; | 644 + return SECSuccess; |
623 + } | 645 + } |
624 + | 646 + |
625 /* | 647 /* |
626 ** Now setup the MAC contexts, | 648 ** Now setup the MAC contexts, |
627 ** crypto contexts are setup below. | 649 ** crypto contexts are setup below. |
628 */ | 650 */ |
629 | 651 |
630 - pwSpec->client.write_mac_context = NULL; | 652 - pwSpec->client.write_mac_context = NULL; |
631 - pwSpec->server.write_mac_context = NULL; | 653 - pwSpec->server.write_mac_context = NULL; |
632 mac_mech = pwSpec->mac_def->mmech; | 654 mac_mech = pwSpec->mac_def->mmech; |
633 mac_param.data = (unsigned char *)&macLength; | 655 mac_param.data = (unsigned char *)&macLength; |
634 mac_param.len = sizeof(macLength); | 656 mac_param.len = sizeof(macLength); |
635 @@ -1778,9 +2034,6 @@ | 657 @@ -1778,9 +2024,6 @@ |
636 ** Now setup the crypto contexts. | 658 ** Now setup the crypto contexts. |
637 */ | 659 */ |
638 | 660 |
639 - calg = cipher_def->calg; | 661 - calg = cipher_def->calg; |
640 - PORT_Assert(alg2Mech[calg].calg == calg); | 662 - PORT_Assert(alg2Mech[calg].calg == calg); |
641 - | 663 - |
642 if (calg == calg_null) { | 664 if (calg == calg_null) { |
643 pwSpec->encode = Null_Cipher; | 665 pwSpec->encode = Null_Cipher; |
644 pwSpec->decode = Null_Cipher; | 666 pwSpec->decode = Null_Cipher; |
645 @@ -1999,55 +2252,21 @@ | 667 @@ -1988,10 +2231,8 @@ |
| 668 ssl3_ComputeRecordMAC( |
| 669 ssl3CipherSpec * spec, |
| 670 PRBool useServerMacKey, |
| 671 - PRBool isDTLS, |
| 672 - SSL3ContentType type, |
| 673 - SSL3ProtocolVersion version, |
| 674 - SSL3SequenceNumber seq_num, |
| 675 + const unsigned char *header, |
| 676 + unsigned int headerLen, |
| 677 const SSL3Opaque * input, |
| 678 int inputLength, |
| 679 unsigned char * outbuf, |
| 680 @@ -1999,56 +2240,8 @@ |
646 { | 681 { |
647 const ssl3MACDef * mac_def; | 682 const ssl3MACDef * mac_def; |
648 SECStatus rv; | 683 SECStatus rv; |
649 -#ifndef NO_PKCS11_BYPASS | 684 -#ifndef NO_PKCS11_BYPASS |
650 PRBool isTLS; | 685 - PRBool isTLS; |
651 -#endif | 686 -#endif |
652 unsigned int tempLen; | 687 - unsigned int tempLen; |
653 unsigned char temp[MAX_MAC_LENGTH]; | 688 - unsigned char temp[MAX_MAC_LENGTH]; |
654 | 689 |
655 - temp[0] = (unsigned char)(seq_num.high >> 24); | 690 - temp[0] = (unsigned char)(seq_num.high >> 24); |
656 - temp[1] = (unsigned char)(seq_num.high >> 16); | 691 - temp[1] = (unsigned char)(seq_num.high >> 16); |
657 - temp[2] = (unsigned char)(seq_num.high >> 8); | 692 - temp[2] = (unsigned char)(seq_num.high >> 8); |
658 - temp[3] = (unsigned char)(seq_num.high >> 0); | 693 - temp[3] = (unsigned char)(seq_num.high >> 0); |
659 - temp[4] = (unsigned char)(seq_num.low >> 24); | 694 - temp[4] = (unsigned char)(seq_num.low >> 24); |
660 - temp[5] = (unsigned char)(seq_num.low >> 16); | 695 - temp[5] = (unsigned char)(seq_num.low >> 16); |
661 - temp[6] = (unsigned char)(seq_num.low >> 8); | 696 - temp[6] = (unsigned char)(seq_num.low >> 8); |
662 - temp[7] = (unsigned char)(seq_num.low >> 0); | 697 - temp[7] = (unsigned char)(seq_num.low >> 0); |
663 - temp[8] = type; | 698 - temp[8] = type; |
664 - | 699 - |
665 /* TLS MAC includes the record's version field, SSL's doesn't. | 700 - /* TLS MAC includes the record's version field, SSL's doesn't. |
666 ** We decide which MAC defintiion to use based on the version of | 701 - ** We decide which MAC defintiion to use based on the version of |
667 ** the protocol that was negotiated when the spec became current, | 702 - ** the protocol that was negotiated when the spec became current, |
668 ** NOT based on the version value in the record itself. | 703 - ** NOT based on the version value in the record itself. |
669 - ** But, we use the record'v version value in the computation. | 704 - ** But, we use the record'v version value in the computation. |
670 + ** But, we use the record's version value in the computation. | 705 - */ |
671 */ | |
672 - if (spec->version <= SSL_LIBRARY_VERSION_3_0) { | 706 - if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
673 - temp[9] = MSB(inputLength); | 707 - temp[9] = MSB(inputLength); |
674 - temp[10] = LSB(inputLength); | 708 - temp[10] = LSB(inputLength); |
675 - tempLen = 11; | 709 - tempLen = 11; |
676 -#ifndef NO_PKCS11_BYPASS | 710 -#ifndef NO_PKCS11_BYPASS |
677 - isTLS = PR_FALSE; | 711 - isTLS = PR_FALSE; |
678 -#endif | 712 -#endif |
679 - } else { | 713 - } else { |
680 - /* New TLS hash includes version. */ | 714 - /* New TLS hash includes version. */ |
681 - if (isDTLS) { | 715 - if (isDTLS) { |
682 - SSL3ProtocolVersion dtls_version; | 716 - SSL3ProtocolVersion dtls_version; |
683 + isTLS = spec->version > SSL_LIBRARY_VERSION_3_0; | 717 - |
684 + tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS, | |
685 +» » » » » version, isDTLS, inputLength); | |
686 + PORT_Assert(tempLen <= sizeof(temp)); | |
687 | |
688 - dtls_version = dtls_TLSVersionToDTLSVersion(version); | 718 - dtls_version = dtls_TLSVersionToDTLSVersion(version); |
689 - temp[9] = MSB(dtls_version); | 719 - temp[9] = MSB(dtls_version); |
690 - temp[10] = LSB(dtls_version); | 720 - temp[10] = LSB(dtls_version); |
691 - } else { | 721 - } else { |
692 - temp[9] = MSB(version); | 722 - temp[9] = MSB(version); |
693 - temp[10] = LSB(version); | 723 - temp[10] = LSB(version); |
694 - } | 724 - } |
695 - temp[11] = MSB(inputLength); | 725 - temp[11] = MSB(inputLength); |
696 - temp[12] = LSB(inputLength); | 726 - temp[12] = LSB(inputLength); |
697 - tempLen = 13; | 727 - tempLen = 13; |
698 -#ifndef NO_PKCS11_BYPASS | 728 -#ifndef NO_PKCS11_BYPASS |
699 - isTLS = PR_TRUE; | 729 - isTLS = PR_TRUE; |
700 -#endif | 730 -#endif |
701 - } | 731 - } |
702 - | 732 - |
703 PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); | 733 - PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); |
| 734 + PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen)); |
704 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); | 735 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); |
705 | 736 |
706 @@ -2390,86 +2609,112 @@ | 737 mac_def = spec->mac_def; |
| 738 @@ -2093,7 +2286,10 @@ |
| 739 » return SECFailure; |
| 740 » } |
| 741 |
| 742 -» if (!isTLS) { |
| 743 +» if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
| 744 +» unsigned int tempLen; |
| 745 +» unsigned char temp[MAX_MAC_LENGTH]; |
| 746 + |
| 747 » /* compute "inner" part of SSL3 MAC */ |
| 748 » hashObj->begin(write_mac_context); |
| 749 » if (useServerMacKey) |
| 750 @@ -2105,7 +2301,7 @@ |
| 751 » » » » spec->client.write_mac_key_item.data, |
| 752 » » » » spec->client.write_mac_key_item.len); |
| 753 » hashObj->update(write_mac_context, mac_pad_1, pad_bytes); |
| 754 -» hashObj->update(write_mac_context, temp, tempLen); |
| 755 +» hashObj->update(write_mac_context, header, headerLen); |
| 756 » hashObj->update(write_mac_context, input, inputLength); |
| 757 » hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); |
| 758 |
| 759 @@ -2136,7 +2332,7 @@ |
| 760 » } |
| 761 » if (rv == SECSuccess) { |
| 762 » » HMAC_Begin(cx); |
| 763 -» » HMAC_Update(cx, temp, tempLen); |
| 764 +» » HMAC_Update(cx, header, headerLen); |
| 765 » » HMAC_Update(cx, input, inputLength); |
| 766 » » rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); |
| 767 » » HMAC_Destroy(cx, PR_FALSE); |
| 768 @@ -2150,7 +2346,7 @@ |
| 769 » (useServerMacKey ? spec->server.write_mac_context |
| 770 » : spec->client.write_mac_context); |
| 771 » rv = PK11_DigestBegin(mac_context); |
| 772 -» rv |= PK11_DigestOp(mac_context, temp, tempLen); |
| 773 +» rv |= PK11_DigestOp(mac_context, header, headerLen); |
| 774 » rv |= PK11_DigestOp(mac_context, input, inputLength); |
| 775 » rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); |
| 776 } |
| 777 @@ -2190,10 +2386,8 @@ |
| 778 ssl3_ComputeRecordMACConstantTime( |
| 779 ssl3CipherSpec * spec, |
| 780 PRBool useServerMacKey, |
| 781 - PRBool isDTLS, |
| 782 - SSL3ContentType type, |
| 783 - SSL3ProtocolVersion version, |
| 784 - SSL3SequenceNumber seq_num, |
| 785 + const unsigned char *header, |
| 786 + unsigned int headerLen, |
| 787 const SSL3Opaque * input, |
| 788 int inputLen, |
| 789 int originalLen, |
| 790 @@ -2205,9 +2399,7 @@ |
| 791 PK11Context * mac_context; |
| 792 SECItem param; |
| 793 SECStatus rv; |
| 794 - unsigned char header[13]; |
| 795 PK11SymKey * key; |
| 796 - int recordLength; |
| 797 |
| 798 PORT_Assert(inputLen >= spec->mac_size); |
| 799 PORT_Assert(originalLen >= inputLen); |
| 800 @@ -2223,42 +2415,15 @@ |
| 801 » return SECSuccess; |
| 802 } |
| 803 |
| 804 - header[0] = (unsigned char)(seq_num.high >> 24); |
| 805 - header[1] = (unsigned char)(seq_num.high >> 16); |
| 806 - header[2] = (unsigned char)(seq_num.high >> 8); |
| 807 - header[3] = (unsigned char)(seq_num.high >> 0); |
| 808 - header[4] = (unsigned char)(seq_num.low >> 24); |
| 809 - header[5] = (unsigned char)(seq_num.low >> 16); |
| 810 - header[6] = (unsigned char)(seq_num.low >> 8); |
| 811 - header[7] = (unsigned char)(seq_num.low >> 0); |
| 812 - header[8] = type; |
| 813 - |
| 814 macType = CKM_NSS_HMAC_CONSTANT_TIME; |
| 815 - recordLength = inputLen - spec->mac_size; |
| 816 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
| 817 » macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; |
| 818 -» header[9] = recordLength >> 8; |
| 819 -» header[10] = recordLength; |
| 820 -» params.ulHeaderLen = 11; |
| 821 - } else { |
| 822 -» if (isDTLS) { |
| 823 -» SSL3ProtocolVersion dtls_version; |
| 824 - |
| 825 -» dtls_version = dtls_TLSVersionToDTLSVersion(version); |
| 826 -» header[9] = dtls_version >> 8; |
| 827 -» header[10] = dtls_version; |
| 828 -» } else { |
| 829 -» header[9] = version >> 8; |
| 830 -» header[10] = version; |
| 831 -» } |
| 832 -» header[11] = recordLength >> 8; |
| 833 -» header[12] = recordLength; |
| 834 -» params.ulHeaderLen = 13; |
| 835 } |
| 836 |
| 837 params.macAlg = spec->mac_def->mmech; |
| 838 params.ulBodyTotalLen = originalLen; |
| 839 - params.pHeader = header; |
| 840 + params.pHeader = (unsigned char *) header; /* const cast */ |
| 841 + params.ulHeaderLen = headerLen; |
| 842 |
| 843 param.data = (unsigned char*) ¶ms; |
| 844 param.len = sizeof(params); |
| 845 @@ -2291,9 +2456,8 @@ |
| 846 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the |
| 847 * length already. */ |
| 848 inputLen -= spec->mac_size; |
| 849 - return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type, |
| 850 -» » » » version, seq_num, input, inputLen, |
| 851 -» » » » outbuf, outLen); |
| 852 + return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen, |
| 853 +» » » » input, inputLen, outbuf, outLen); |
| 854 } |
| 855 |
| 856 static PRBool |
| 857 @@ -2345,6 +2509,8 @@ |
| 858 PRUint16 headerLen; |
| 859 int ivLen = 0; |
| 860 int cipherBytes = 0; |
| 861 + unsigned char pseudoHeader[13]; |
| 862 + unsigned int pseudoHeaderLen; |
| 863 |
| 864 cipher_def = cwSpec->cipher_def; |
| 865 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; |
| 866 @@ -2390,86 +2556,117 @@ |
707 contentLen = outlen; | 867 contentLen = outlen; |
708 } | 868 } |
709 | 869 |
710 - /* | 870 - /* |
711 - * Add the MAC | 871 - * Add the MAC |
712 - */ | 872 - */ |
713 - rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, | 873 - rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, |
714 - type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, | 874 - type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
715 - wrBuf->buf + headerLen + ivLen + contentLen, &macLen); | 875 - wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
716 - if (rv != SECSuccess) { | 876 - if (rv != SECSuccess) { |
717 - ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 877 - ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
718 - return SECFailure; | 878 - return SECFailure; |
719 - } | 879 - } |
720 - p1Len = contentLen; | 880 - p1Len = contentLen; |
721 - p2Len = macLen; | 881 - p2Len = macLen; |
722 - fragLen = contentLen + macLen; /* needs to be encrypted */ | 882 - fragLen = contentLen + macLen; /* needs to be encrypted */ |
723 - PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | 883 - PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
| 884 + pseudoHeaderLen = ssl3_BuildRecordPseudoHeader( |
| 885 + pseudoHeader, cwSpec->write_seq_num, type, |
| 886 + cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version, |
| 887 + isDTLS, contentLen); |
| 888 + PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader)); |
724 + if (cipher_def->type == type_aead) { | 889 + if (cipher_def->type == type_aead) { |
725 + const int nonceLen = cipher_def->explicit_nonce_size; | 890 + const int nonceLen = cipher_def->explicit_nonce_size; |
726 + const int tagLen = cipher_def->tag_size; | 891 + const int tagLen = cipher_def->tag_size; |
727 | 892 |
728 - /* | 893 - /* |
729 - * Pad the text (if we're doing a block cipher) | 894 - * Pad the text (if we're doing a block cipher) |
730 - * then Encrypt it | 895 - * then Encrypt it |
731 - */ | 896 - */ |
732 - if (cipher_def->type == type_block) { | 897 - if (cipher_def->type == type_block) { |
733 - unsigned char * pBuf; | 898 - unsigned char * pBuf; |
(...skipping 16 matching lines...) Expand all Loading... |
750 - for (i = padding_length + 1; i > 0; --i) { | 915 - for (i = padding_length + 1; i > 0; --i) { |
751 - *pBuf-- = padding_length; | 916 - *pBuf-- = padding_length; |
752 + cipherBytes = contentLen; | 917 + cipherBytes = contentLen; |
753 + rv = cwSpec->aead( | 918 + rv = cwSpec->aead( |
754 + isServer ? &cwSpec->server : &cwSpec->client, | 919 + isServer ? &cwSpec->server : &cwSpec->client, |
755 + PR_FALSE, /* do encrypt */ | 920 + PR_FALSE, /* do encrypt */ |
756 + wrBuf->buf + headerLen, /* output */ | 921 + wrBuf->buf + headerLen, /* output */ |
757 + &cipherBytes, /* out len */ | 922 + &cipherBytes, /* out len */ |
758 + wrBuf->space - headerLen, /* max out */ | 923 + wrBuf->space - headerLen, /* max out */ |
759 + pIn, contentLen, /* input */ | 924 + pIn, contentLen, /* input */ |
760 +» » type, cwSpec->version, cwSpec->write_seq_num); | 925 +» » pseudoHeader, pseudoHeaderLen); |
761 + if (rv != SECSuccess) { | 926 + if (rv != SECSuccess) { |
762 + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 927 + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
763 + return SECFailure; | 928 + return SECFailure; |
764 } | 929 } |
765 - /* now, if contentLen is not a multiple of block size, fix it */ | 930 - /* now, if contentLen is not a multiple of block size, fix it */ |
766 - p2Len = fragLen - p1Len; | 931 - p2Len = fragLen - p1Len; |
767 - } | 932 - } |
768 - if (p1Len < 256) { | 933 - if (p1Len < 256) { |
769 - oddLen = p1Len; | 934 - oddLen = p1Len; |
770 - p1Len = 0; | 935 - p1Len = 0; |
(...skipping 12 matching lines...) Expand all Loading... |
783 - wrBuf->buf + headerLen + ivLen, /* output */ | 948 - wrBuf->buf + headerLen + ivLen, /* output */ |
784 - &cipherBytesPart1, /* actual outlen */ | 949 - &cipherBytesPart1, /* actual outlen */ |
785 - p1Len, /* max outlen */ | 950 - p1Len, /* max outlen */ |
786 - pIn, p1Len); /* input, and inputlen */ | 951 - pIn, p1Len); /* input, and inputlen */ |
787 - PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); | 952 - PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); |
788 - if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { | 953 - if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { |
789 - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 954 - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
790 + /* | 955 + /* |
791 + * Add the MAC | 956 + * Add the MAC |
792 + */ | 957 + */ |
793 +» rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, | 958 +» rv = ssl3_ComputeRecordMAC(cwSpec, isServer, |
794 +» type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, | 959 +» pseudoHeader, pseudoHeaderLen, pIn, contentLen, |
795 + wrBuf->buf + headerLen + ivLen + contentLen, &macLen); | 960 + wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
796 + if (rv != SECSuccess) { | 961 + if (rv != SECSuccess) { |
797 + ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); | 962 + ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
798 return SECFailure; | 963 return SECFailure; |
799 } | 964 } |
800 - cipherBytes += cipherBytesPart1; | 965 - cipherBytes += cipherBytesPart1; |
801 + p1Len = contentLen; | 966 + p1Len = contentLen; |
802 + p2Len = macLen; | 967 + p2Len = macLen; |
803 + fragLen = contentLen + macLen; /* needs to be encrypted */ | 968 + fragLen = contentLen + macLen; /* needs to be encrypted */ |
804 + PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); | 969 + PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
882 - if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { | 1047 - if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { |
883 - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); | 1048 - PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
884 - return SECFailure; | 1049 - return SECFailure; |
885 - } | 1050 - } |
886 - cipherBytes += cipherBytesPart2; | 1051 - cipherBytes += cipherBytesPart2; |
887 - } | 1052 - } |
888 + | 1053 + |
889 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); | 1054 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
890 | 1055 |
891 wrBuf->len = cipherBytes + headerLen; | 1056 wrBuf->len = cipherBytes + headerLen; |
892 @@ -3012,9 +3257,6 @@ | 1057 @@ -3012,9 +3209,6 @@ |
893 static SECStatus | 1058 static SECStatus |
894 ssl3_IllegalParameter(sslSocket *ss) | 1059 ssl3_IllegalParameter(sslSocket *ss) |
895 { | 1060 { |
896 - PRBool isTLS; | 1061 - PRBool isTLS; |
897 - | 1062 - |
898 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 1063 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
899 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); | 1064 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); |
900 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT | 1065 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT |
901 : SSL_ERROR_BAD_SERVER ); | 1066 : SSL_ERROR_BAD_SERVER ); |
902 @@ -3538,7 +3780,6 @@ | 1067 @@ -3538,7 +3732,6 @@ |
903 } | 1068 } |
904 | 1069 |
905 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); | 1070 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); |
906 - /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */ | 1071 - /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */ |
907 | 1072 |
908 key_material_params.RandomInfo.pClientRandom = cr; | 1073 key_material_params.RandomInfo.pClientRandom = cr; |
909 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; | 1074 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; |
910 @@ -9946,7 +10187,6 @@ | 1075 @@ -9946,7 +10139,6 @@ |
911 static void | 1076 static void |
912 ssl3_RecordKeyLog(sslSocket *ss) | 1077 ssl3_RecordKeyLog(sslSocket *ss) |
913 { | 1078 { |
914 - sslSessionID *sid; | 1079 - sslSessionID *sid; |
915 SECStatus rv; | 1080 SECStatus rv; |
916 SECItem *keyData; | 1081 SECItem *keyData; |
917 char buf[14 /* "CLIENT_RANDOM " */ + | 1082 char buf[14 /* "CLIENT_RANDOM " */ + |
918 @@ -9958,8 +10198,6 @@ | 1083 @@ -9958,8 +10150,6 @@ |
919 | 1084 |
920 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 1085 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
921 | 1086 |
922 - sid = ss->sec.ci.sid; | 1087 - sid = ss->sec.ci.sid; |
923 - | 1088 - |
924 if (!ssl_keylog_iob) | 1089 if (!ssl_keylog_iob) |
925 return; | 1090 return; |
926 | 1091 |
927 @@ -11171,12 +11409,14 @@ | 1092 @@ -11095,6 +11285,8 @@ |
| 1093 unsigned int originalLen = 0; |
| 1094 unsigned int good; |
| 1095 unsigned int minLength; |
| 1096 + unsigned char header[13]; |
| 1097 + unsigned int headerLen; |
| 1098 |
| 1099 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 1100 |
| 1101 @@ -11171,12 +11363,14 @@ |
928 /* With >= TLS 1.1, CBC records have an explicit IV. */ | 1102 /* With >= TLS 1.1, CBC records have an explicit IV. */ |
929 minLength += cipher_def->iv_size; | 1103 minLength += cipher_def->iv_size; |
930 } | 1104 } |
931 + } else if (cipher_def->type == type_aead) { | 1105 + } else if (cipher_def->type == type_aead) { |
932 + minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size; | 1106 + minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size; |
933 } | 1107 } |
934 | 1108 |
935 /* We can perform this test in variable time because the record's total | 1109 /* We can perform this test in variable time because the record's total |
936 * length and the ciphersuite are both public knowledge. */ | 1110 * length and the ciphersuite are both public knowledge. */ |
937 if (cText->buf->len < minLength) { | 1111 if (cText->buf->len < minLength) { |
938 - goto decrypt_loser; | 1112 - goto decrypt_loser; |
939 + goto decrypt_loser; | 1113 + goto decrypt_loser; |
940 } | 1114 } |
941 | 1115 |
942 if (cipher_def->type == type_block && | 1116 if (cipher_def->type == type_block && |
943 @@ -11244,78 +11484,95 @@ | 1117 @@ -11244,78 +11438,104 @@ |
944 return SECFailure; | 1118 return SECFailure; |
945 } | 1119 } |
946 | 1120 |
947 - if (cipher_def->type == type_block && | 1121 - if (cipher_def->type == type_block && |
948 - ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { | 1122 - ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { |
949 - goto decrypt_loser; | 1123 - goto decrypt_loser; |
950 - } | 1124 - } |
951 + rType = cText->type; | 1125 + rType = cText->type; |
952 + if (cipher_def->type == type_aead) { | 1126 + if (cipher_def->type == type_aead) { |
| 1127 + /* XXX For many AEAD ciphers, the plaintext is shorter than the |
| 1128 + * ciphertext by a fixed byte count, but it is not true in general. |
| 1129 + * Each AEAD cipher should provide a function that returns the |
| 1130 + * plaintext length for a given ciphertext. */ |
| 1131 + unsigned int decryptedLen = |
| 1132 + cText->buf->len - cipher_def->explicit_nonce_size - |
| 1133 + cipher_def->tag_size; |
| 1134 + headerLen = ssl3_BuildRecordPseudoHeader( |
| 1135 + header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
| 1136 + rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen); |
| 1137 + PORT_Assert(headerLen <= sizeof(header)); |
953 + rv = crSpec->aead( | 1138 + rv = crSpec->aead( |
954 + ss->sec.isServer ? &crSpec->client : &crSpec->server, | 1139 + ss->sec.isServer ? &crSpec->client : &crSpec->server, |
955 + PR_TRUE, /* do decrypt */ | 1140 + PR_TRUE, /* do decrypt */ |
956 + plaintext->buf, /* out */ | 1141 + plaintext->buf, /* out */ |
957 + (int*) &plaintext->len, /* outlen */ | 1142 + (int*) &plaintext->len, /* outlen */ |
958 + plaintext->space, /* maxout */ | 1143 + plaintext->space, /* maxout */ |
959 + cText->buf->buf, /* in */ | 1144 + cText->buf->buf, /* in */ |
960 + cText->buf->len, /* inlen */ | 1145 + cText->buf->len, /* inlen */ |
961 +» » rType, /* record type */ | 1146 +» » header, headerLen); |
962 +» » cText->version, | |
963 +» » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num); | |
964 + if (rv != SECSuccess) { | 1147 + if (rv != SECSuccess) { |
965 + good = 0; | 1148 + good = 0; |
966 + } | 1149 + } |
967 + } else { | 1150 + } else { |
968 + if (cipher_def->type == type_block && | 1151 + if (cipher_def->type == type_block && |
969 + ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { | 1152 + ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { |
970 + goto decrypt_loser; | 1153 + goto decrypt_loser; |
971 + } | 1154 + } |
972 | 1155 |
973 - /* decrypt from cText buf to plaintext. */ | 1156 - /* decrypt from cText buf to plaintext. */ |
(...skipping 25 matching lines...) Expand all Loading... |
999 + if (cipher_def->type == type_block) { | 1182 + if (cipher_def->type == type_block) { |
1000 + const unsigned int blockSize = cipher_def->block_size; | 1183 + const unsigned int blockSize = cipher_def->block_size; |
1001 + const unsigned int macSize = crSpec->mac_size; | 1184 + const unsigned int macSize = crSpec->mac_size; |
1002 | 1185 |
1003 - if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { | 1186 - if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { |
1004 - good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( | 1187 - good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( |
1005 - plaintext, blockSize, macSize)); | 1188 - plaintext, blockSize, macSize)); |
1006 - } else { | 1189 - } else { |
1007 - good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( | 1190 - good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( |
1008 - plaintext, macSize)); | 1191 - plaintext, macSize)); |
1009 +» if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { | 1192 +» if (!isTLS) { |
1010 + good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( | 1193 + good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( |
1011 + plaintext, blockSize, macSize)); | 1194 + plaintext, blockSize, macSize)); |
1012 + } else { | 1195 + } else { |
1013 + good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( | 1196 + good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( |
1014 + plaintext, macSize)); | 1197 + plaintext, macSize)); |
1015 + } | 1198 + } |
1016 } | 1199 } |
1017 - } | 1200 - } |
1018 | 1201 |
1019 - /* compute the MAC */ | 1202 - /* compute the MAC */ |
1020 - rType = cText->type; | 1203 - rType = cText->type; |
1021 - if (cipher_def->type == type_block) { | 1204 - if (cipher_def->type == type_block) { |
1022 - rv = ssl3_ComputeRecordMACConstantTime( | 1205 - rv = ssl3_ComputeRecordMACConstantTime( |
1023 - crSpec, (PRBool)(!ss->sec.isServer), | 1206 - crSpec, (PRBool)(!ss->sec.isServer), |
1024 - IS_DTLS(ss), rType, cText->version, | 1207 - IS_DTLS(ss), rType, cText->version, |
1025 - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | 1208 - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
1026 - plaintext->buf, plaintext->len, originalLen, | 1209 - plaintext->buf, plaintext->len, originalLen, |
1027 - hash, &hashBytes); | 1210 - hash, &hashBytes); |
1028 + /* compute the MAC */ | 1211 + /* compute the MAC */ |
| 1212 + headerLen = ssl3_BuildRecordPseudoHeader( |
| 1213 + header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
| 1214 + rType, isTLS, cText->version, IS_DTLS(ss), |
| 1215 + plaintext->len - crSpec->mac_size); |
| 1216 + PORT_Assert(headerLen <= sizeof(header)); |
1029 + if (cipher_def->type == type_block) { | 1217 + if (cipher_def->type == type_block) { |
1030 + rv = ssl3_ComputeRecordMACConstantTime( | 1218 + rv = ssl3_ComputeRecordMACConstantTime( |
1031 +» » crSpec, (PRBool)(!ss->sec.isServer), | 1219 +» » crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, |
1032 +» » IS_DTLS(ss), rType, cText->version, | |
1033 +» » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
1034 + plaintext->buf, plaintext->len, originalLen, | 1220 + plaintext->buf, plaintext->len, originalLen, |
1035 + hash, &hashBytes); | 1221 + hash, &hashBytes); |
1036 | 1222 |
1037 - ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, | 1223 - ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, |
1038 - crSpec->mac_size); | 1224 - crSpec->mac_size); |
1039 - givenHash = givenHashBuf; | 1225 - givenHash = givenHashBuf; |
1040 + ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, | 1226 + ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, |
1041 + crSpec->mac_size); | 1227 + crSpec->mac_size); |
1042 + givenHash = givenHashBuf; | 1228 + givenHash = givenHashBuf; |
1043 | 1229 |
(...skipping 14 matching lines...) Expand all Loading... |
1058 + /* This is safe because we checked the minLength above. */ | 1244 + /* This is safe because we checked the minLength above. */ |
1059 + plaintext->len -= crSpec->mac_size; | 1245 + plaintext->len -= crSpec->mac_size; |
1060 | 1246 |
1061 - rv = ssl3_ComputeRecordMAC( | 1247 - rv = ssl3_ComputeRecordMAC( |
1062 - crSpec, (PRBool)(!ss->sec.isServer), | 1248 - crSpec, (PRBool)(!ss->sec.isServer), |
1063 - IS_DTLS(ss), rType, cText->version, | 1249 - IS_DTLS(ss), rType, cText->version, |
1064 - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | 1250 - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
1065 - plaintext->buf, plaintext->len, | 1251 - plaintext->buf, plaintext->len, |
1066 - hash, &hashBytes); | 1252 - hash, &hashBytes); |
1067 + rv = ssl3_ComputeRecordMAC( | 1253 + rv = ssl3_ComputeRecordMAC( |
1068 +» » crSpec, (PRBool)(!ss->sec.isServer), | 1254 +» » crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, |
1069 +» » IS_DTLS(ss), rType, cText->version, | 1255 +» » plaintext->buf, plaintext->len, hash, &hashBytes); |
1070 +» » IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, | |
1071 +» » plaintext->buf, plaintext->len, | |
1072 +» » hash, &hashBytes); | |
1073 | 1256 |
1074 - /* We can read the MAC directly from the record because its location is | 1257 - /* We can read the MAC directly from the record because its location is |
1075 - * public when a stream cipher is used. */ | 1258 - * public when a stream cipher is used. */ |
1076 - givenHash = plaintext->buf + plaintext->len; | 1259 - givenHash = plaintext->buf + plaintext->len; |
1077 - } | 1260 - } |
1078 + /* We can read the MAC directly from the record because its location | 1261 + /* We can read the MAC directly from the record because its location |
1079 + * is public when a stream cipher is used. */ | 1262 + * is public when a stream cipher is used. */ |
1080 + givenHash = plaintext->buf + plaintext->len; | 1263 + givenHash = plaintext->buf + plaintext->len; |
1081 + } | 1264 + } |
1082 | 1265 |
1083 - good &= SECStatusToMask(rv); | 1266 - good &= SECStatusToMask(rv); |
1084 + good &= SECStatusToMask(rv); | 1267 + good &= SECStatusToMask(rv); |
1085 | 1268 |
1086 - if (hashBytes != (unsigned)crSpec->mac_size || | 1269 - if (hashBytes != (unsigned)crSpec->mac_size || |
1087 - NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { | 1270 - NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { |
1088 - /* We're allowed to leak whether or not the MAC check was correct */ | 1271 - /* We're allowed to leak whether or not the MAC check was correct */ |
1089 - good = 0; | 1272 - good = 0; |
1090 + if (hashBytes != (unsigned)crSpec->mac_size || | 1273 + if (hashBytes != (unsigned)crSpec->mac_size || |
1091 + NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { | 1274 + NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { |
1092 + /* We're allowed to leak whether or not the MAC check was correct */ | 1275 + /* We're allowed to leak whether or not the MAC check was correct */ |
1093 + good = 0; | 1276 + good = 0; |
1094 + } | 1277 + } |
1095 } | 1278 } |
1096 | 1279 |
1097 if (good == 0) { | 1280 if (good == 0) { |
1098 Index: net/third_party/nss/ssl/sslenum.c | 1281 Index: net/third_party/nss/ssl/sslenum.c |
1099 =================================================================== | 1282 =================================================================== |
1100 --- net/third_party/nss/ssl/sslenum.c» (revision 215189) | 1283 --- net/third_party/nss/ssl/sslenum.c» (revision 217715) |
1101 +++ net/third_party/nss/ssl/sslenum.c (working copy) | 1284 +++ net/third_party/nss/ssl/sslenum.c (working copy) |
1102 @@ -29,6 +29,14 @@ | 1285 @@ -29,6 +29,14 @@ |
1103 * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h. | 1286 * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h. |
1104 */ | 1287 */ |
1105 const PRUint16 SSL_ImplementedCiphers[] = { | 1288 const PRUint16 SSL_ImplementedCiphers[] = { |
1106 + /* AES-GCM */ | 1289 + /* AES-GCM */ |
1107 +#ifdef NSS_ENABLE_ECC | 1290 +#ifdef NSS_ENABLE_ECC |
1108 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | 1291 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
1109 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | 1292 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
1110 +#endif /* NSS_ENABLE_ECC */ | 1293 +#endif /* NSS_ENABLE_ECC */ |
1111 + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, | 1294 + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, |
1112 + TLS_RSA_WITH_AES_128_GCM_SHA256, | 1295 + TLS_RSA_WITH_AES_128_GCM_SHA256, |
1113 + | 1296 + |
1114 /* 256-bit */ | 1297 /* 256-bit */ |
1115 #ifdef NSS_ENABLE_ECC | 1298 #ifdef NSS_ENABLE_ECC |
1116 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, | 1299 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
1117 Index: net/third_party/nss/ssl/sslproto.h | 1300 Index: net/third_party/nss/ssl/sslproto.h |
1118 =================================================================== | 1301 =================================================================== |
1119 --- net/third_party/nss/ssl/sslproto.h» (revision 215189) | 1302 --- net/third_party/nss/ssl/sslproto.h» (revision 217715) |
1120 +++ net/third_party/nss/ssl/sslproto.h (working copy) | 1303 +++ net/third_party/nss/ssl/sslproto.h (working copy) |
1121 @@ -162,6 +162,10 @@ | 1304 @@ -162,6 +162,10 @@ |
1122 | 1305 |
1123 #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 | 1306 #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 |
1124 | 1307 |
1125 +#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C | 1308 +#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C |
1126 +#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E | 1309 +#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E |
1127 +#define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 | 1310 +#define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 |
1128 + | 1311 + |
1129 /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client. | 1312 /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client. |
1130 * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending | 1313 * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending |
1131 * back an empty Renegotiation Info (RI) server hello extension. | 1314 * back an empty Renegotiation Info (RI) server hello extension. |
1132 @@ -204,6 +208,11 @@ | 1315 @@ -204,6 +208,11 @@ |
1133 #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 | 1316 #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 |
1134 #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 | 1317 #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 |
1135 | 1318 |
1136 +#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B | 1319 +#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B |
1137 +#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D | 1320 +#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D |
1138 +#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F | 1321 +#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F |
1139 +#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 | 1322 +#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 |
1140 + | 1323 + |
1141 /* Netscape "experimental" cipher suites. */ | 1324 /* Netscape "experimental" cipher suites. */ |
1142 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0 | 1325 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0 |
1143 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1 | 1326 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1 |
1144 Index: net/third_party/nss/ssl/sslt.h | 1327 Index: net/third_party/nss/ssl/sslt.h |
1145 =================================================================== | 1328 =================================================================== |
1146 --- net/third_party/nss/ssl/sslt.h» (revision 215189) | 1329 --- net/third_party/nss/ssl/sslt.h» (revision 217715) |
1147 +++ net/third_party/nss/ssl/sslt.h (working copy) | 1330 +++ net/third_party/nss/ssl/sslt.h (working copy) |
1148 @@ -91,9 +91,10 @@ | 1331 @@ -91,9 +91,10 @@ |
1149 ssl_calg_3des = 4, | 1332 ssl_calg_3des = 4, |
1150 ssl_calg_idea = 5, | 1333 ssl_calg_idea = 5, |
1151 ssl_calg_fortezza = 6, /* deprecated, now unused */ | 1334 ssl_calg_fortezza = 6, /* deprecated, now unused */ |
1152 - ssl_calg_aes = 7, /* coming soon */ | 1335 - ssl_calg_aes = 7, /* coming soon */ |
1153 + ssl_calg_aes = 7, | 1336 + ssl_calg_aes = 7, |
1154 ssl_calg_camellia = 8, | 1337 ssl_calg_camellia = 8, |
1155 - ssl_calg_seed = 9 | 1338 - ssl_calg_seed = 9 |
1156 + ssl_calg_seed = 9, | 1339 + ssl_calg_seed = 9, |
1157 + ssl_calg_aes_gcm = 10 | 1340 + ssl_calg_aes_gcm = 10 |
1158 } SSLCipherAlgorithm; | 1341 } SSLCipherAlgorithm; |
1159 | 1342 |
1160 typedef enum { | 1343 typedef enum { |
1161 Index: net/third_party/nss/ssl/dtlscon.c | 1344 @@ -102,7 +103,8 @@ |
1162 =================================================================== | 1345 ssl_mac_sha = 2, |
1163 --- net/third_party/nss/ssl/dtlscon.c» (revision 215189) | 1346 ssl_hmac_md5 = 3, » /* TLS HMAC version of mac_md5 */ |
1164 +++ net/third_party/nss/ssl/dtlscon.c» (working copy) | 1347 ssl_hmac_sha = 4, » /* TLS HMAC version of mac_sha */ |
1165 @@ -30,7 +30,14 @@ | 1348 - ssl_hmac_sha256 = 5 |
| 1349 + ssl_hmac_sha256 = 5, |
| 1350 + ssl_mac_aead = 6 |
| 1351 } SSLMACAlgorithm; |
1166 | 1352 |
1167 /* List copied from ssl3con.c:cipherSuites */ | 1353 typedef enum { |
1168 static const ssl3CipherSuite nonDTLSSuites[] = { | 1354 @@ -158,6 +160,9 @@ |
1169 + /* XXX Make AES-GCM work with DTLS. */ | 1355 PRUint16 effectiveKeyBits; |
1170 #ifdef NSS_ENABLE_ECC | 1356 |
1171 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | 1357 /* MAC info */ |
1172 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | 1358 + /* AEAD ciphers don't have a MAC. For an AEAD cipher, macAlgorithmName |
1173 +#endif /* NSS_ENABLE_ECC */ | 1359 + * is "AEAD", macAlgorithm is ssl_mac_aead, and macBits is the length in |
1174 + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, | 1360 + * bits of the authentication tag. */ |
1175 + TLS_RSA_WITH_AES_128_GCM_SHA256, | 1361 const char * macAlgorithmName; |
1176 +#ifdef NSS_ENABLE_ECC | 1362 SSLMACAlgorithm macAlgorithm; |
1177 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, | 1363 PRUint16 macBits; |
1178 TLS_ECDHE_RSA_WITH_RC4_128_SHA, | |
1179 #endif /* NSS_ENABLE_ECC */ | |
OLD | NEW |