Index: net/third_party/nss/patches/aesgcm.patch |
=================================================================== |
--- net/third_party/nss/patches/aesgcm.patch (revision 218090) |
+++ net/third_party/nss/patches/aesgcm.patch (working copy) |
@@ -1,6 +1,6 @@ |
Index: net/third_party/nss/ssl/sslinfo.c |
=================================================================== |
---- net/third_party/nss/ssl/sslinfo.c (revision 215189) |
+--- net/third_party/nss/ssl/sslinfo.c (revision 217715) |
+++ net/third_party/nss/ssl/sslinfo.c (working copy) |
@@ -109,7 +109,7 @@ |
#define K_ECDHE "ECDHE", kt_ecdh |
@@ -19,7 +19,11 @@ |
#define B_256 256, 256, 256 |
#define B_128 128, 128, 128 |
-@@ -130,9 +131,12 @@ |
+@@ -127,12 +128,16 @@ |
+ #define B_40 128, 40, 40 |
+ #define B_0 0, 0, 0 |
+ |
++#define M_AEAD_128 "AEAD", ssl_mac_aead, 128 |
#define M_SHA256 "SHA256", ssl_hmac_sha256, 256 |
#define M_SHA "SHA1", ssl_mac_sha, 160 |
#define M_MD5 "MD5", ssl_mac_md5, 128 |
@@ -27,32 +31,32 @@ |
static const SSLCipherSuiteInfo suiteInfo[] = { |
/* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC> <FIPS> */ |
-+{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, |
++{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, |
+ |
{0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, }, |
{0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, }, |
{0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, }, |
-@@ -146,6 +150,7 @@ |
+@@ -146,6 +151,7 @@ |
{0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, }, |
{0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, }, |
{0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, }, |
-+{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, |
++{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, |
{0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, |
{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, |
{0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA, 1, 0, 0, }, |
-@@ -175,6 +180,9 @@ |
+@@ -175,6 +181,9 @@ |
#ifdef NSS_ENABLE_ECC |
/* ECC cipher suites */ |
-+{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, |
-+{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, |
++{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, |
++{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, |
+ |
{0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, }, |
{0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, }, |
{0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, }, |
Index: net/third_party/nss/ssl/sslimpl.h |
=================================================================== |
---- net/third_party/nss/ssl/sslimpl.h (revision 215189) |
+--- net/third_party/nss/ssl/sslimpl.h (revision 217715) |
+++ net/third_party/nss/ssl/sslimpl.h (working copy) |
@@ -64,6 +64,7 @@ |
#define calg_aes ssl_calg_aes |
@@ -62,7 +66,15 @@ |
#define mac_null ssl_mac_null |
#define mac_md5 ssl_mac_md5 |
-@@ -290,9 +291,9 @@ |
+@@ -71,6 +72,7 @@ |
+ #define hmac_md5 ssl_hmac_md5 |
+ #define hmac_sha ssl_hmac_sha |
+ #define hmac_sha256 ssl_hmac_sha256 |
++#define mac_aead ssl_mac_aead |
+ |
+ #define SET_ERROR_CODE /* reminder */ |
+ #define SEND_ALERT /* reminder */ |
+@@ -290,9 +292,9 @@ |
} ssl3CipherSuiteCfg; |
#ifdef NSS_ENABLE_ECC |
@@ -74,7 +86,7 @@ |
#endif /* NSS_ENABLE_ECC */ |
#define MAX_DTLS_SRTP_CIPHER_SUITES 4 |
-@@ -440,20 +441,6 @@ |
+@@ -440,20 +442,6 @@ |
#define GS_DATA 3 |
#define GS_PAD 4 |
@@ -95,7 +107,7 @@ |
#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) |
typedef PCERT_KEY_CONTEXT PlatformKey; |
#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) |
-@@ -485,11 +472,12 @@ |
+@@ -485,11 +473,12 @@ |
cipher_camellia_128, |
cipher_camellia_256, |
cipher_seed, |
@@ -109,7 +121,7 @@ |
#define MAX_IV_LENGTH 24 |
-@@ -531,6 +519,31 @@ |
+@@ -531,6 +520,30 @@ |
PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS]; |
} ssl3KeyMaterial; |
@@ -127,9 +139,8 @@ |
+ int maxout, |
+ const unsigned char *in, |
+ int inlen, |
-+ SSL3ContentType type, |
-+ SSL3ProtocolVersion version, |
-+ SSL3SequenceNumber seqnum); |
++ const unsigned char *additionalData, |
++ int additionalDataLen); |
+typedef SECStatus (*SSLCompressor)(void * context, |
+ unsigned char * out, |
+ int * outlen, |
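Review bot: The new `SSLAEADCipher` parameter `int additionalDataLen` does not match what every caller now passes: `ssl3_BuildRecordPseudoHeader` returns `unsigned int`, and the reworked `ssl3_ComputeRecordMAC` takes `unsigned int headerLen`, so the length is narrowed to `int` at the call and widened again to `CK_ULONG` in `gcmParams.ulAADLen`. Declaring it `unsigned int additionalDataLen` in this typedef and in the `ssl3_AESGCM`/`ssl3_AESGCMBypass` prototypes and definitions keeps the record-header length unsigned end to end. The same signature appears in the hunks at L142, L279 and L320. The typedef's opening line is outside this hunk.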
@@ -170,7 +181,7 @@ |
/* |
Index: net/third_party/nss/ssl/ssl3ecc.c |
=================================================================== |
---- net/third_party/nss/ssl/ssl3ecc.c (revision 215189) |
+--- net/third_party/nss/ssl/ssl3ecc.c (revision 217715) |
+++ net/third_party/nss/ssl/ssl3ecc.c (working copy) |
@@ -911,6 +911,7 @@ |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, |
@@ -205,7 +216,7 @@ |
TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
Index: net/third_party/nss/ssl/sslsock.c |
=================================================================== |
---- net/third_party/nss/ssl/sslsock.c (revision 215189) |
+--- net/third_party/nss/ssl/sslsock.c (revision 217715) |
+++ net/third_party/nss/ssl/sslsock.c (working copy) |
@@ -67,8 +67,10 @@ |
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, |
@@ -236,9 +247,9 @@ |
{ 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } |
Index: net/third_party/nss/ssl/ssl3con.c |
=================================================================== |
---- net/third_party/nss/ssl/ssl3con.c (revision 215189) |
+--- net/third_party/nss/ssl/ssl3con.c (revision 217715) |
+++ net/third_party/nss/ssl/ssl3con.c (working copy) |
-@@ -78,6 +78,14 @@ |
+@@ -78,6 +78,13 @@ |
static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, |
int maxOutputLen, const unsigned char *input, |
int inputLen); |
@@ -246,14 +257,13 @@ |
+static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, |
+ unsigned char *out, int *outlen, int maxout, |
+ const unsigned char *in, int inlen, |
-+ SSL3ContentType type, |
-+ SSL3ProtocolVersion version, |
-+ SSL3SequenceNumber seq_num); |
++ const unsigned char *additionalData, |
++ int additionalDataLen); |
+#endif |
#define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ |
#define MIN_SEND_BUF_LENGTH 4000 |
-@@ -90,6 +98,13 @@ |
+@@ -90,6 +97,13 @@ |
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { |
/* cipher_suite policy enabled is_present*/ |
#ifdef NSS_ENABLE_ECC |
@@ -267,7 +277,7 @@ |
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, |
#endif /* NSS_ENABLE_ECC */ |
-@@ -233,23 +248,30 @@ |
+@@ -233,23 +247,30 @@ |
/* indexed by SSL3BulkCipher */ |
static const ssl3BulkCipherDef bulk_cipher_defs[] = { |
@@ -315,19 +325,19 @@ |
}; |
static const ssl3KEADef kea_defs[] = |
-@@ -371,6 +393,11 @@ |
+@@ -371,6 +392,11 @@ |
{SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, |
{SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, |
-+ {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe_rsa}, |
-+ {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, |
-+ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_rsa}, |
-+ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_ecdsa}, |
++ {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa}, |
++ {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, |
++ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, |
++ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, |
+ |
#ifdef NSS_ENABLE_ECC |
{TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, |
{TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, |
-@@ -434,6 +461,7 @@ |
+@@ -434,25 +460,29 @@ |
{ calg_aes , CKM_AES_CBC }, |
{ calg_camellia , CKM_CAMELLIA_CBC }, |
{ calg_seed , CKM_SEED_CBC }, |
@@ -335,7 +345,31 @@ |
/* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ |
}; |
-@@ -472,6 +500,7 @@ |
+-#define mmech_null (CK_MECHANISM_TYPE)0x80000000L |
++#define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L |
+ #define mmech_md5 CKM_SSL3_MD5_MAC |
+ #define mmech_sha CKM_SSL3_SHA1_MAC |
+ #define mmech_md5_hmac CKM_MD5_HMAC |
+ #define mmech_sha_hmac CKM_SHA_1_HMAC |
+ #define mmech_sha256_hmac CKM_SHA256_HMAC |
++#define mmech_sha384_hmac CKM_SHA384_HMAC |
++#define mmech_sha512_hmac CKM_SHA512_HMAC |
+ |
+ static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ |
+ /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ |
+ /* mac mmech pad_size mac_size */ |
+- { mac_null, mmech_null, 0, 0 }, |
++ { mac_null, mmech_invalid, 0, 0 }, |
+ { mac_md5, mmech_md5, 48, MD5_LENGTH }, |
+ { mac_sha, mmech_sha, 40, SHA1_LENGTH}, |
+ {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, |
+ {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, |
+ {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, |
++ { mac_aead, mmech_invalid, 0, 0 }, |
+ }; |
+ |
+ /* indexed by SSL3BulkCipher */ |
+@@ -472,6 +502,7 @@ |
"Camellia-128", |
"Camellia-256", |
"SEED-CBC", |
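Review bot: `mmech_sha384_hmac` and `mmech_sha512_hmac` are added but no `mac_defs` row or `SSLMACAlgorithm` value in this patch uses them, so within the visible change they are dead definitions; either drop them or add a comment naming the follow-up that needs them. Also, `mac_defs` is indexed by `SSLMACAlgorithm`, so the new `{ mac_aead, mmech_invalid, 0, 0 }` row is only correct because `ssl_mac_aead = 6` is the seventh enumerator in sslt.h; a comment on that row, `/* must stay at index ssl_mac_aead (sslt.h) */`, would make that coupling visible. Renaming `mmech_null` to `mmech_invalid` reads better, but `mac_null` and `mac_aead` now share the same sentinel mechanism, so any code elsewhere that distinguished them by `mmech` would need checking — I cannot see the rest of the file.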
@@ -343,7 +377,7 @@ |
"missing" |
}; |
-@@ -598,9 +627,13 @@ |
+@@ -598,9 +629,13 @@ |
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: |
case TLS_RSA_WITH_AES_256_CBC_SHA256: |
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: |
@@ -357,7 +391,7 @@ |
case TLS_RSA_WITH_NULL_SHA256: |
return version >= SSL_LIBRARY_VERSION_TLS_1_2; |
default: |
-@@ -1360,7 +1393,7 @@ |
+@@ -1360,7 +1395,7 @@ |
cipher = suite_def->bulk_cipher_alg; |
kea = suite_def->key_exchange_alg; |
mac = suite_def->mac_alg; |
@@ -366,7 +400,7 @@ |
mac += 2; |
ss->ssl3.hs.suite_def = suite_def; |
-@@ -1554,7 +1587,6 @@ |
+@@ -1554,7 +1589,6 @@ |
unsigned int optArg2 = 0; |
PRBool server_encrypts = ss->sec.isServer; |
SSLCipherAlgorithm calg; |
@@ -374,7 +408,7 @@ |
SECStatus rv; |
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
-@@ -1565,8 +1597,18 @@ |
+@@ -1565,8 +1599,18 @@ |
cipher_def = pwSpec->cipher_def; |
calg = cipher_def->calg; |
@@ -394,12 +428,22 @@ |
serverContext = pwSpec->server.cipher_context; |
clientContext = pwSpec->client.cipher_context; |
-@@ -1721,6 +1763,207 @@ |
+@@ -1721,6 +1765,195 @@ |
return param; |
} |
-+/* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which |
-+ * is included in the MAC) to |out| and returns its length. */ |
++/* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data |
++ * which is included in the MAC or AEAD additional data) to |out| and returns |
++ * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the |
++ * definition of the AEAD additional data. |
++ * |
++ * TLS pseudo-header includes the record's version field, SSL's doesn't. Which |
++ * pseudo-header defintiion to use should be decided based on the version of |
++ * the protocol that was negotiated when the cipher spec became current, NOT |
++ * based on the version value in the record itself, and the decision is passed |
++ * to this function as the |includesVersion| argument. But, the |version| |
++ * argument should be the record's version value. |
++ */ |
+static unsigned int |
+ssl3_BuildRecordPseudoHeader(unsigned char *out, |
+ SSL3SequenceNumber seq_num, |
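Review bot: The new header comment for `ssl3_BuildRecordPseudoHeader` carries a typo and a dropped article: "Which pseudo-header defintiion to use" should read "Which pseudo-header definition to use", and "TLS pseudo-header includes the record's version field" should read "The TLS pseudo-header includes the record's version field". Since this comment is now the single description of how `includesVersion` and `version` interact for both the MAC and the AEAD path, it is worth getting the wording right. The function's signature and body continue outside this hunk.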
@@ -450,29 +494,18 @@ |
+ int maxout, |
+ const unsigned char *in, |
+ int inlen, |
-+ SSL3ContentType type, |
-+ SSL3ProtocolVersion version, |
-+ SSL3SequenceNumber seq_num) |
++ const unsigned char *additionalData, |
++ int additionalDataLen) |
+{ |
+ SECItem param; |
+ SECStatus rv = SECFailure; |
+ unsigned char nonce[12]; |
-+ unsigned char additionalData[13]; |
-+ unsigned int additionalDataLen; |
+ unsigned int uOutLen; |
+ CK_GCM_PARAMS gcmParams; |
+ |
+ static const int tagSize = 16; |
+ static const int explicitNonceLen = 8; |
+ |
-+ /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the |
-+ * definition of the AEAD additional data. */ |
-+ additionalDataLen = ssl3_BuildRecordPseudoHeader( |
-+ additionalData, seq_num, type, PR_TRUE /* includes version */, |
-+ version, PR_FALSE /* not DTLS */, |
-+ inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); |
-+ PORT_Assert(additionalDataLen <= sizeof(additionalData)); |
-+ |
+ /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
+ * nonce is formed. */ |
+ memcpy(nonce, keys->write_iv, 4); |
@@ -499,7 +532,7 @@ |
+ param.len = sizeof(gcmParams); |
+ gcmParams.pIv = nonce; |
+ gcmParams.ulIvLen = sizeof(nonce); |
-+ gcmParams.pAAD = additionalData; |
++ gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ |
+ gcmParams.ulAADLen = additionalDataLen; |
+ gcmParams.ulTagBits = tagSize * 8; |
+ |
@@ -524,14 +557,11 @@ |
+ int maxout, |
+ const unsigned char *in, |
+ int inlen, |
-+ SSL3ContentType type, |
-+ SSL3ProtocolVersion version, |
-+ SSL3SequenceNumber seq_num) |
++ const unsigned char *additionalData, |
++ int additionalDataLen) |
+{ |
+ SECStatus rv = SECFailure; |
+ unsigned char nonce[12]; |
-+ unsigned char additionalData[13]; |
-+ unsigned int additionalDataLen; |
+ unsigned int uOutLen; |
+ AESContext *cx; |
+ CK_GCM_PARAMS gcmParams; |
@@ -539,14 +569,6 @@ |
+ static const int tagSize = 16; |
+ static const int explicitNonceLen = 8; |
+ |
-+ /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the |
-+ * definition of the AEAD additional data. */ |
-+ additionalDataLen = ssl3_BuildRecordPseudoHeader( |
-+ additionalData, seq_num, type, PR_TRUE /* includes version */, |
-+ version, PR_FALSE /* not DTLS */, |
-+ inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); |
-+ PORT_Assert(additionalDataLen <= sizeof(additionalData)); |
-+ |
+ /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the |
+ * nonce is formed. */ |
+ PORT_Assert(keys->write_iv_item.len == 4); |
@@ -575,7 +597,7 @@ |
+ |
+ gcmParams.pIv = nonce; |
+ gcmParams.ulIvLen = sizeof(nonce); |
-+ gcmParams.pAAD = additionalData; |
++ gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ |
+ gcmParams.ulAADLen = additionalDataLen; |
+ gcmParams.ulTagBits = tagSize * 8; |
+ |
@@ -602,7 +624,7 @@ |
/* Initialize encryption and MAC contexts for pending spec. |
* Master Secret already is derived. |
* Caller holds Spec write lock. |
-@@ -1748,14 +1991,27 @@ |
+@@ -1748,14 +1981,27 @@ |
pwSpec = ss->ssl3.pwSpec; |
cipher_def = pwSpec->cipher_def; |
macLength = pwSpec->mac_size; |
@@ -632,7 +654,7 @@ |
mac_mech = pwSpec->mac_def->mmech; |
mac_param.data = (unsigned char *)&macLength; |
mac_param.len = sizeof(macLength); |
-@@ -1778,9 +2034,6 @@ |
+@@ -1778,9 +2024,6 @@ |
** Now setup the crypto contexts. |
*/ |
@@ -642,15 +664,28 @@ |
if (calg == calg_null) { |
pwSpec->encode = Null_Cipher; |
pwSpec->decode = Null_Cipher; |
-@@ -1999,55 +2252,21 @@ |
+@@ -1988,10 +2231,8 @@ |
+ ssl3_ComputeRecordMAC( |
+ ssl3CipherSpec * spec, |
+ PRBool useServerMacKey, |
+- PRBool isDTLS, |
+- SSL3ContentType type, |
+- SSL3ProtocolVersion version, |
+- SSL3SequenceNumber seq_num, |
++ const unsigned char *header, |
++ unsigned int headerLen, |
+ const SSL3Opaque * input, |
+ int inputLength, |
+ unsigned char * outbuf, |
+@@ -1999,56 +2240,8 @@ |
{ |
const ssl3MACDef * mac_def; |
SECStatus rv; |
-#ifndef NO_PKCS11_BYPASS |
- PRBool isTLS; |
+- PRBool isTLS; |
-#endif |
- unsigned int tempLen; |
- unsigned char temp[MAX_MAC_LENGTH]; |
+- unsigned int tempLen; |
+- unsigned char temp[MAX_MAC_LENGTH]; |
- temp[0] = (unsigned char)(seq_num.high >> 24); |
- temp[1] = (unsigned char)(seq_num.high >> 16); |
@@ -662,13 +697,12 @@ |
- temp[7] = (unsigned char)(seq_num.low >> 0); |
- temp[8] = type; |
- |
- /* TLS MAC includes the record's version field, SSL's doesn't. |
- ** We decide which MAC defintiion to use based on the version of |
- ** the protocol that was negotiated when the spec became current, |
- ** NOT based on the version value in the record itself. |
+- /* TLS MAC includes the record's version field, SSL's doesn't. |
+- ** We decide which MAC defintiion to use based on the version of |
+- ** the protocol that was negotiated when the spec became current, |
+- ** NOT based on the version value in the record itself. |
- ** But, we use the record'v version value in the computation. |
-+ ** But, we use the record's version value in the computation. |
- */ |
+- */ |
- if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
- temp[9] = MSB(inputLength); |
- temp[10] = LSB(inputLength); |
@@ -680,11 +714,7 @@ |
- /* New TLS hash includes version. */ |
- if (isDTLS) { |
- SSL3ProtocolVersion dtls_version; |
-+ isTLS = spec->version > SSL_LIBRARY_VERSION_3_0; |
-+ tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS, |
-+ version, isDTLS, inputLength); |
-+ PORT_Assert(tempLen <= sizeof(temp)); |
- |
+- |
- dtls_version = dtls_TLSVersionToDTLSVersion(version); |
- temp[9] = MSB(dtls_version); |
- temp[10] = LSB(dtls_version); |
@@ -700,10 +730,140 @@ |
-#endif |
- } |
- |
- PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); |
+- PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); |
++ PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen)); |
PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); |
-@@ -2390,86 +2609,112 @@ |
+ mac_def = spec->mac_def; |
+@@ -2093,7 +2286,10 @@ |
+ return SECFailure; |
+ } |
+ |
+- if (!isTLS) { |
++ if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
++ unsigned int tempLen; |
++ unsigned char temp[MAX_MAC_LENGTH]; |
++ |
+ /* compute "inner" part of SSL3 MAC */ |
+ hashObj->begin(write_mac_context); |
+ if (useServerMacKey) |
+@@ -2105,7 +2301,7 @@ |
+ spec->client.write_mac_key_item.data, |
+ spec->client.write_mac_key_item.len); |
+ hashObj->update(write_mac_context, mac_pad_1, pad_bytes); |
+- hashObj->update(write_mac_context, temp, tempLen); |
++ hashObj->update(write_mac_context, header, headerLen); |
+ hashObj->update(write_mac_context, input, inputLength); |
+ hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); |
+ |
+@@ -2136,7 +2332,7 @@ |
+ } |
+ if (rv == SECSuccess) { |
+ HMAC_Begin(cx); |
+- HMAC_Update(cx, temp, tempLen); |
++ HMAC_Update(cx, header, headerLen); |
+ HMAC_Update(cx, input, inputLength); |
+ rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); |
+ HMAC_Destroy(cx, PR_FALSE); |
+@@ -2150,7 +2346,7 @@ |
+ (useServerMacKey ? spec->server.write_mac_context |
+ : spec->client.write_mac_context); |
+ rv = PK11_DigestBegin(mac_context); |
+- rv |= PK11_DigestOp(mac_context, temp, tempLen); |
++ rv |= PK11_DigestOp(mac_context, header, headerLen); |
+ rv |= PK11_DigestOp(mac_context, input, inputLength); |
+ rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); |
+ } |
+@@ -2190,10 +2386,8 @@ |
+ ssl3_ComputeRecordMACConstantTime( |
+ ssl3CipherSpec * spec, |
+ PRBool useServerMacKey, |
+- PRBool isDTLS, |
+- SSL3ContentType type, |
+- SSL3ProtocolVersion version, |
+- SSL3SequenceNumber seq_num, |
++ const unsigned char *header, |
++ unsigned int headerLen, |
+ const SSL3Opaque * input, |
+ int inputLen, |
+ int originalLen, |
+@@ -2205,9 +2399,7 @@ |
+ PK11Context * mac_context; |
+ SECItem param; |
+ SECStatus rv; |
+- unsigned char header[13]; |
+ PK11SymKey * key; |
+- int recordLength; |
+ |
+ PORT_Assert(inputLen >= spec->mac_size); |
+ PORT_Assert(originalLen >= inputLen); |
+@@ -2223,42 +2415,15 @@ |
+ return SECSuccess; |
+ } |
+ |
+- header[0] = (unsigned char)(seq_num.high >> 24); |
+- header[1] = (unsigned char)(seq_num.high >> 16); |
+- header[2] = (unsigned char)(seq_num.high >> 8); |
+- header[3] = (unsigned char)(seq_num.high >> 0); |
+- header[4] = (unsigned char)(seq_num.low >> 24); |
+- header[5] = (unsigned char)(seq_num.low >> 16); |
+- header[6] = (unsigned char)(seq_num.low >> 8); |
+- header[7] = (unsigned char)(seq_num.low >> 0); |
+- header[8] = type; |
+- |
+ macType = CKM_NSS_HMAC_CONSTANT_TIME; |
+- recordLength = inputLen - spec->mac_size; |
+ if (spec->version <= SSL_LIBRARY_VERSION_3_0) { |
+ macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; |
+- header[9] = recordLength >> 8; |
+- header[10] = recordLength; |
+- params.ulHeaderLen = 11; |
+- } else { |
+- if (isDTLS) { |
+- SSL3ProtocolVersion dtls_version; |
+- |
+- dtls_version = dtls_TLSVersionToDTLSVersion(version); |
+- header[9] = dtls_version >> 8; |
+- header[10] = dtls_version; |
+- } else { |
+- header[9] = version >> 8; |
+- header[10] = version; |
+- } |
+- header[11] = recordLength >> 8; |
+- header[12] = recordLength; |
+- params.ulHeaderLen = 13; |
+ } |
+ |
+ params.macAlg = spec->mac_def->mmech; |
+ params.ulBodyTotalLen = originalLen; |
+- params.pHeader = header; |
++ params.pHeader = (unsigned char *) header; /* const cast */ |
++ params.ulHeaderLen = headerLen; |
+ |
+ param.data = (unsigned char*) ¶ms; |
+ param.len = sizeof(params); |
+@@ -2291,9 +2456,8 @@ |
+ /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the |
+ * length already. */ |
+ inputLen -= spec->mac_size; |
+- return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type, |
+- version, seq_num, input, inputLen, |
+- outbuf, outLen); |
++ return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen, |
++ input, inputLen, outbuf, outLen); |
+ } |
+ |
+ static PRBool |
+@@ -2345,6 +2509,8 @@ |
+ PRUint16 headerLen; |
+ int ivLen = 0; |
+ int cipherBytes = 0; |
++ unsigned char pseudoHeader[13]; |
++ unsigned int pseudoHeaderLen; |
+ |
+ cipher_def = cwSpec->cipher_def; |
+ headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; |
+@@ -2390,86 +2556,117 @@ |
contentLen = outlen; |
} |
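Review bot: `ssl3_ComputeRecordMAC` now receives a caller-built `header`, yet it still chooses the SSLv3 versus TLS MAC construction itself via `spec->version <= SSL_LIBRARY_VERSION_3_0`, while whether that header contains a version field was decided by the caller's `includesVersion` argument to `ssl3_BuildRecordPseudoHeader`; nothing in the new signature says the two must agree. A comment on the new parameters in both `ssl3_ComputeRecordMAC` and `ssl3_ComputeRecordMACConstantTime`, `/* header: pseudo-header from ssl3_BuildRecordPseudoHeader, built with includesVersion == (spec->version > SSL_LIBRARY_VERSION_3_0) */`, would document the contract that replaced the hard-coded `ulHeaderLen = 11`/`13`. The `(unsigned char *) header` cast into `params.pHeader` is unavoidable with the non-const PKCS#11 struct and the `/* const cast */` marker already explains it. Both functions' bodies extend past the edges of this hunk.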
@@ -721,6 +881,11 @@ |
- p2Len = macLen; |
- fragLen = contentLen + macLen; /* needs to be encrypted */ |
- PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); |
++ pseudoHeaderLen = ssl3_BuildRecordPseudoHeader( |
++ pseudoHeader, cwSpec->write_seq_num, type, |
++ cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version, |
++ isDTLS, contentLen); |
++ PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader)); |
+ if (cipher_def->type == type_aead) { |
+ const int nonceLen = cipher_def->explicit_nonce_size; |
+ const int tagLen = cipher_def->tag_size; |
@@ -757,7 +922,7 @@ |
+ &cipherBytes, /* out len */ |
+ wrBuf->space - headerLen, /* max out */ |
+ pIn, contentLen, /* input */ |
-+ type, cwSpec->version, cwSpec->write_seq_num); |
++ pseudoHeader, pseudoHeaderLen); |
+ if (rv != SECSuccess) { |
+ PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); |
+ return SECFailure; |
@@ -790,8 +955,8 @@ |
+ /* |
+ * Add the MAC |
+ */ |
-+ rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, |
-+ type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, |
++ rv = ssl3_ComputeRecordMAC(cwSpec, isServer, |
++ pseudoHeader, pseudoHeaderLen, pIn, contentLen, |
+ wrBuf->buf + headerLen + ivLen + contentLen, &macLen); |
+ if (rv != SECSuccess) { |
+ ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); |
@@ -889,7 +1054,7 @@ |
PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); |
wrBuf->len = cipherBytes + headerLen; |
-@@ -3012,9 +3257,6 @@ |
+@@ -3012,9 +3209,6 @@ |
static SECStatus |
ssl3_IllegalParameter(sslSocket *ss) |
{ |
@@ -899,7 +1064,7 @@ |
(void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); |
PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT |
: SSL_ERROR_BAD_SERVER ); |
-@@ -3538,7 +3780,6 @@ |
+@@ -3538,7 +3732,6 @@ |
} |
key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); |
@@ -907,7 +1072,7 @@ |
key_material_params.RandomInfo.pClientRandom = cr; |
key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; |
-@@ -9946,7 +10187,6 @@ |
+@@ -9946,7 +10139,6 @@ |
static void |
ssl3_RecordKeyLog(sslSocket *ss) |
{ |
@@ -915,7 +1080,7 @@ |
SECStatus rv; |
SECItem *keyData; |
char buf[14 /* "CLIENT_RANDOM " */ + |
-@@ -9958,8 +10198,6 @@ |
+@@ -9958,8 +10150,6 @@ |
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
@@ -924,7 +1089,16 @@ |
if (!ssl_keylog_iob) |
return; |
-@@ -11171,12 +11409,14 @@ |
+@@ -11095,6 +11285,8 @@ |
+ unsigned int originalLen = 0; |
+ unsigned int good; |
+ unsigned int minLength; |
++ unsigned char header[13]; |
++ unsigned int headerLen; |
+ |
+ PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
+ |
+@@ -11171,12 +11363,14 @@ |
/* With >= TLS 1.1, CBC records have an explicit IV. */ |
minLength += cipher_def->iv_size; |
} |
@@ -940,7 +1114,7 @@ |
} |
if (cipher_def->type == type_block && |
-@@ -11244,78 +11484,95 @@ |
+@@ -11244,78 +11438,104 @@ |
return SECFailure; |
} |
@@ -950,6 +1124,17 @@ |
- } |
+ rType = cText->type; |
+ if (cipher_def->type == type_aead) { |
++ /* XXX For many AEAD ciphers, the plaintext is shorter than the |
++ * ciphertext by a fixed byte count, but it is not true in general. |
++ * Each AEAD cipher should provide a function that returns the |
++ * plaintext length for a given ciphertext. */ |
++ unsigned int decryptedLen = |
++ cText->buf->len - cipher_def->explicit_nonce_size - |
++ cipher_def->tag_size; |
++ headerLen = ssl3_BuildRecordPseudoHeader( |
++ header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
++ rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen); |
++ PORT_Assert(headerLen <= sizeof(header)); |
+ rv = crSpec->aead( |
+ ss->sec.isServer ? &crSpec->client : &crSpec->server, |
+ PR_TRUE, /* do decrypt */ |
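Review bot: `decryptedLen` is formed by unsigned subtraction of `explicit_nonce_size` and `tag_size` from `cText->buf->len` before the AEAD call, so it wraps if a record shorter than nonce plus tag reaches this point; that is only safe if the minimum-length check earlier in `ssl3_HandleRecord` (the hunk at L659 is the nearest visible part) already rejects such records for `type_aead`, which I cannot confirm from the visible lines. Either a comment making the dependency explicit, `/* minLength above guarantees len >= explicit_nonce_size + tag_size */`, or a `PORT_Assert(cText->buf->len >= cipher_def->explicit_nonce_size + cipher_def->tag_size);` ahead of the subtraction would pin it. The enclosing function starts outside this hunk.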
@@ -958,9 +1143,7 @@ |
+ plaintext->space, /* maxout */ |
+ cText->buf->buf, /* in */ |
+ cText->buf->len, /* inlen */ |
-+ rType, /* record type */ |
-+ cText->version, |
-+ IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num); |
++ header, headerLen); |
+ if (rv != SECSuccess) { |
+ good = 0; |
+ } |
@@ -1006,7 +1189,7 @@ |
- } else { |
- good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( |
- plaintext, macSize)); |
-+ if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { |
++ if (!isTLS) { |
+ good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( |
+ plaintext, blockSize, macSize)); |
+ } else { |
@@ -1026,11 +1209,14 @@ |
- plaintext->buf, plaintext->len, originalLen, |
- hash, &hashBytes); |
+ /* compute the MAC */ |
++ headerLen = ssl3_BuildRecordPseudoHeader( |
++ header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
++ rType, isTLS, cText->version, IS_DTLS(ss), |
++ plaintext->len - crSpec->mac_size); |
++ PORT_Assert(headerLen <= sizeof(header)); |
+ if (cipher_def->type == type_block) { |
+ rv = ssl3_ComputeRecordMACConstantTime( |
-+ crSpec, (PRBool)(!ss->sec.isServer), |
-+ IS_DTLS(ss), rType, cText->version, |
-+ IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
++ crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, |
+ plaintext->buf, plaintext->len, originalLen, |
+ hash, &hashBytes); |
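Review bot: The pseudo-header length `plaintext->len - crSpec->mac_size` is now computed once ahead of the block/stream branch, so both paths rely on `plaintext->len >= crSpec->mac_size` at this point; the callee's `PORT_Assert(inputLen >= spec->mac_size)` in `ssl3_ComputeRecordMACConstantTime` only fires after the unsigned subtraction has already happened. That holds if the earlier minimum-length check accounts for `mac_size`, which the visible lines do not show; a comment, `/* plaintext->len >= mac_size: guaranteed by the minLength check above */`, records why the subtraction cannot wrap. The enclosing function continues outside this hunk.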
@@ -1065,11 +1251,8 @@ |
- plaintext->buf, plaintext->len, |
- hash, &hashBytes); |
+ rv = ssl3_ComputeRecordMAC( |
-+ crSpec, (PRBool)(!ss->sec.isServer), |
-+ IS_DTLS(ss), rType, cText->version, |
-+ IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, |
-+ plaintext->buf, plaintext->len, |
-+ hash, &hashBytes); |
++ crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, |
++ plaintext->buf, plaintext->len, hash, &hashBytes); |
- /* We can read the MAC directly from the record because its location is |
- * public when a stream cipher is used. */ |
@@ -1097,7 +1280,7 @@ |
if (good == 0) { |
Index: net/third_party/nss/ssl/sslenum.c |
=================================================================== |
---- net/third_party/nss/ssl/sslenum.c (revision 215189) |
+--- net/third_party/nss/ssl/sslenum.c (revision 217715) |
+++ net/third_party/nss/ssl/sslenum.c (working copy) |
@@ -29,6 +29,14 @@ |
* Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h. |
@@ -1116,7 +1299,7 @@ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, |
Index: net/third_party/nss/ssl/sslproto.h |
=================================================================== |
---- net/third_party/nss/ssl/sslproto.h (revision 215189) |
+--- net/third_party/nss/ssl/sslproto.h (revision 217715) |
+++ net/third_party/nss/ssl/sslproto.h (working copy) |
@@ -162,6 +162,10 @@ |
@@ -1143,7 +1326,7 @@ |
#define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1 |
Index: net/third_party/nss/ssl/sslt.h |
=================================================================== |
---- net/third_party/nss/ssl/sslt.h (revision 215189) |
+--- net/third_party/nss/ssl/sslt.h (revision 217715) |
+++ net/third_party/nss/ssl/sslt.h (working copy) |
@@ -91,9 +91,10 @@ |
ssl_calg_3des = 4, |
@@ -1158,22 +1341,23 @@ |
} SSLCipherAlgorithm; |
typedef enum { |
-Index: net/third_party/nss/ssl/dtlscon.c |
-=================================================================== |
---- net/third_party/nss/ssl/dtlscon.c (revision 215189) |
-+++ net/third_party/nss/ssl/dtlscon.c (working copy) |
-@@ -30,7 +30,14 @@ |
+@@ -102,7 +103,8 @@ |
+ ssl_mac_sha = 2, |
+ ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */ |
+ ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */ |
+- ssl_hmac_sha256 = 5 |
++ ssl_hmac_sha256 = 5, |
++ ssl_mac_aead = 6 |
+ } SSLMACAlgorithm; |
- /* List copied from ssl3con.c:cipherSuites */ |
- static const ssl3CipherSuite nonDTLSSuites[] = { |
-+ /* XXX Make AES-GCM work with DTLS. */ |
- #ifdef NSS_ENABLE_ECC |
-+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, |
-+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, |
-+#endif /* NSS_ENABLE_ECC */ |
-+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, |
-+ TLS_RSA_WITH_AES_128_GCM_SHA256, |
-+#ifdef NSS_ENABLE_ECC |
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, |
- TLS_ECDHE_RSA_WITH_RC4_128_SHA, |
- #endif /* NSS_ENABLE_ECC */ |
+ typedef enum { |
+@@ -158,6 +160,9 @@ |
+ PRUint16 effectiveKeyBits; |
+ |
+ /* MAC info */ |
++ /* AEAD ciphers don't have a MAC. For an AEAD cipher, macAlgorithmName |
++ * is "AEAD", macAlgorithm is ssl_mac_aead, and macBits is the length in |
++ * bits of the authentication tag. */ |
+ const char * macAlgorithmName; |
+ SSLMACAlgorithm macAlgorithm; |
+ PRUint16 macBits; |