| Index: net/third_party/nss/patches/aesgcm.patch
|
| ===================================================================
|
| --- net/third_party/nss/patches/aesgcm.patch (revision 218090)
|
| +++ net/third_party/nss/patches/aesgcm.patch (working copy)
|
| @@ -1,6 +1,6 @@
|
| Index: net/third_party/nss/ssl/sslinfo.c
|
| ===================================================================
|
| ---- net/third_party/nss/ssl/sslinfo.c (revision 215189)
|
| +--- net/third_party/nss/ssl/sslinfo.c (revision 217715)
|
| +++ net/third_party/nss/ssl/sslinfo.c (working copy)
|
| @@ -109,7 +109,7 @@
|
| #define K_ECDHE "ECDHE", kt_ecdh
|
| @@ -19,7 +19,11 @@
|
|
|
| #define B_256 256, 256, 256
|
| #define B_128 128, 128, 128
|
| -@@ -130,9 +131,12 @@
|
| +@@ -127,12 +128,16 @@
|
| + #define B_40 128, 40, 40
|
| + #define B_0 0, 0, 0
|
| +
|
| ++#define M_AEAD_128 "AEAD", ssl_mac_aead, 128
|
| #define M_SHA256 "SHA256", ssl_hmac_sha256, 256
|
| #define M_SHA "SHA1", ssl_mac_sha, 160
|
| #define M_MD5 "MD5", ssl_mac_md5, 128
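Review bot: `M_AEAD_128` hard-codes 128 as the macBits column, which for an AEAD suite is the authentication-tag length (sslt.h's new comment says so), and `ssl3_AESGCM`/`ssl3_AESGCMBypass` carry the same value independently as `static const int tagSize = 16;`. Nothing ties the two together, so a future change to the tag size would silently desynchronise the reported `SSLCipherSuiteInfo.macBits` from what the record layer actually produces. A one-line comment on the macro would make the coupling visible: `#define M_AEAD_128 "AEAD", ssl_mac_aead, 128 /* GCM tag bits; keep equal to tagSize*8 in ssl3con.c */`.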
|
| @@ -27,32 +31,32 @@
|
|
|
| static const SSLCipherSuiteInfo suiteInfo[] = {
|
| /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC> <FIPS> */
|
| -+{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_NULL, 1, 0, 0, },
|
| ++{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
|
| +
|
| {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
|
| {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, },
|
| {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, },
|
| -@@ -146,6 +150,7 @@
|
| +@@ -146,6 +151,7 @@
|
| {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
|
| {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
|
| {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
|
| -+{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, },
|
| ++{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
|
| {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
|
| {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
|
| {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA, 1, 0, 0, },
|
| -@@ -175,6 +180,9 @@
|
| +@@ -175,6 +181,9 @@
|
|
|
| #ifdef NSS_ENABLE_ECC
|
| /* ECC cipher suites */
|
| -+{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, },
|
| -+{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, },
|
| ++{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
|
| ++{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
|
| +
|
| {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
|
| {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
|
| {0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
|
| Index: net/third_party/nss/ssl/sslimpl.h
|
| ===================================================================
|
| ---- net/third_party/nss/ssl/sslimpl.h (revision 215189)
|
| +--- net/third_party/nss/ssl/sslimpl.h (revision 217715)
|
| +++ net/third_party/nss/ssl/sslimpl.h (working copy)
|
| @@ -64,6 +64,7 @@
|
| #define calg_aes ssl_calg_aes
|
| @@ -62,7 +66,15 @@
|
|
|
| #define mac_null ssl_mac_null
|
| #define mac_md5 ssl_mac_md5
|
| -@@ -290,9 +291,9 @@
|
| +@@ -71,6 +72,7 @@
|
| + #define hmac_md5 ssl_hmac_md5
|
| + #define hmac_sha ssl_hmac_sha
|
| + #define hmac_sha256 ssl_hmac_sha256
|
| ++#define mac_aead ssl_mac_aead
|
| +
|
| + #define SET_ERROR_CODE /* reminder */
|
| + #define SEND_ALERT /* reminder */
|
| +@@ -290,9 +292,9 @@
|
| } ssl3CipherSuiteCfg;
|
|
|
| #ifdef NSS_ENABLE_ECC
|
| @@ -74,7 +86,7 @@
|
| #endif /* NSS_ENABLE_ECC */
|
|
|
| #define MAX_DTLS_SRTP_CIPHER_SUITES 4
|
| -@@ -440,20 +441,6 @@
|
| +@@ -440,20 +442,6 @@
|
| #define GS_DATA 3
|
| #define GS_PAD 4
|
|
|
| @@ -95,7 +107,7 @@
|
| #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32)
|
| typedef PCERT_KEY_CONTEXT PlatformKey;
|
| #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX)
|
| -@@ -485,11 +472,12 @@
|
| +@@ -485,11 +473,12 @@
|
| cipher_camellia_128,
|
| cipher_camellia_256,
|
| cipher_seed,
|
| @@ -109,7 +121,7 @@
|
|
|
| #define MAX_IV_LENGTH 24
|
|
|
| -@@ -531,6 +519,31 @@
|
| +@@ -531,6 +520,30 @@
|
| PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS];
|
| } ssl3KeyMaterial;
|
|
|
| @@ -127,9 +139,8 @@
|
| + int maxout,
|
| + const unsigned char *in,
|
| + int inlen,
|
| -+ SSL3ContentType type,
|
| -+ SSL3ProtocolVersion version,
|
| -+ SSL3SequenceNumber seqnum);
|
| ++ const unsigned char *additionalData,
|
| ++ int additionalDataLen);
|
| +typedef SECStatus (*SSLCompressor)(void * context,
|
| + unsigned char * out,
|
| + int * outlen,
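Review bot: The new `SSLAEADCipher` signature declares `int additionalDataLen`, but every value that reaches it is an `unsigned int` produced by `ssl3_BuildRecordPseudoHeader` (declared `static unsigned int`), and the implementations store it straight into `CK_ULONG ulAADLen`, so the parameter only introduces a signed-to-unsigned round trip with no benefit. Declaring it `unsigned int additionalDataLen);` here, and matching that in the `ssl3_AESGCMBypass` prototype and the two implementations (the hunks beginning `@@ -246,14 +257,13 @@`, `@@ -450,29 +494,18 @@` and `@@ -524,14 +557,11 @@`), removes the conversion and keeps the type of the length identical along the whole path. The typedef this hunk changes begins above the hunk, outside what is shown.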
|
| @@ -170,7 +181,7 @@
|
| /*
|
| Index: net/third_party/nss/ssl/ssl3ecc.c
|
| ===================================================================
|
| ---- net/third_party/nss/ssl/ssl3ecc.c (revision 215189)
|
| +--- net/third_party/nss/ssl/ssl3ecc.c (revision 217715)
|
| +++ net/third_party/nss/ssl/ssl3ecc.c (working copy)
|
| @@ -911,6 +911,7 @@
|
| TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
|
| @@ -205,7 +216,7 @@
|
| TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
| Index: net/third_party/nss/ssl/sslsock.c
|
| ===================================================================
|
| ---- net/third_party/nss/ssl/sslsock.c (revision 215189)
|
| +--- net/third_party/nss/ssl/sslsock.c (revision 217715)
|
| +++ net/third_party/nss/ssl/sslsock.c (working copy)
|
| @@ -67,8 +67,10 @@
|
| { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
|
| @@ -236,9 +247,9 @@
|
| { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
|
| Index: net/third_party/nss/ssl/ssl3con.c
|
| ===================================================================
|
| ---- net/third_party/nss/ssl/ssl3con.c (revision 215189)
|
| +--- net/third_party/nss/ssl/ssl3con.c (revision 217715)
|
| +++ net/third_party/nss/ssl/ssl3con.c (working copy)
|
| -@@ -78,6 +78,14 @@
|
| +@@ -78,6 +78,13 @@
|
| static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
|
| int maxOutputLen, const unsigned char *input,
|
| int inputLen);
|
| @@ -246,14 +257,13 @@
|
| +static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
|
| + unsigned char *out, int *outlen, int maxout,
|
| + const unsigned char *in, int inlen,
|
| -+ SSL3ContentType type,
|
| -+ SSL3ProtocolVersion version,
|
| -+ SSL3SequenceNumber seq_num);
|
| ++ const unsigned char *additionalData,
|
| ++ int additionalDataLen);
|
| +#endif
|
|
|
| #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
|
| #define MIN_SEND_BUF_LENGTH 4000
|
| -@@ -90,6 +98,13 @@
|
| +@@ -90,6 +97,13 @@
|
| static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
|
| /* cipher_suite policy enabled is_present*/
|
| #ifdef NSS_ENABLE_ECC
|
| @@ -267,7 +277,7 @@
|
| { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
|
| #endif /* NSS_ENABLE_ECC */
|
| -@@ -233,23 +248,30 @@
|
| +@@ -233,23 +247,30 @@
|
|
|
| /* indexed by SSL3BulkCipher */
|
| static const ssl3BulkCipherDef bulk_cipher_defs[] = {
|
| @@ -315,19 +325,19 @@
|
| };
|
|
|
| static const ssl3KEADef kea_defs[] =
|
| -@@ -371,6 +393,11 @@
|
| +@@ -371,6 +392,11 @@
|
| {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
|
| {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips},
|
|
|
| -+ {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe_rsa},
|
| -+ {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa},
|
| -+ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_rsa},
|
| -+ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_ecdsa},
|
| ++ {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa},
|
| ++ {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
|
| ++ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
|
| ++ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
|
| +
|
| #ifdef NSS_ENABLE_ECC
|
| {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
|
| {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa},
|
| -@@ -434,6 +461,7 @@
|
| +@@ -434,25 +460,29 @@
|
| { calg_aes , CKM_AES_CBC },
|
| { calg_camellia , CKM_CAMELLIA_CBC },
|
| { calg_seed , CKM_SEED_CBC },
|
| @@ -335,7 +345,31 @@
|
| /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
|
| };
|
|
|
| -@@ -472,6 +500,7 @@
|
| +-#define mmech_null (CK_MECHANISM_TYPE)0x80000000L
|
| ++#define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L
|
| + #define mmech_md5 CKM_SSL3_MD5_MAC
|
| + #define mmech_sha CKM_SSL3_SHA1_MAC
|
| + #define mmech_md5_hmac CKM_MD5_HMAC
|
| + #define mmech_sha_hmac CKM_SHA_1_HMAC
|
| + #define mmech_sha256_hmac CKM_SHA256_HMAC
|
| ++#define mmech_sha384_hmac CKM_SHA384_HMAC
|
| ++#define mmech_sha512_hmac CKM_SHA512_HMAC
|
| +
|
| + static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
|
| + /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
|
| + /* mac mmech pad_size mac_size */
|
| +- { mac_null, mmech_null, 0, 0 },
|
| ++ { mac_null, mmech_invalid, 0, 0 },
|
| + { mac_md5, mmech_md5, 48, MD5_LENGTH },
|
| + { mac_sha, mmech_sha, 40, SHA1_LENGTH},
|
| + {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH },
|
| + {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
|
| + {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
|
| ++ { mac_aead, mmech_invalid, 0, 0 },
|
| + };
|
| +
|
| + /* indexed by SSL3BulkCipher */
|
| +@@ -472,6 +502,7 @@
|
| "Camellia-128",
|
| "Camellia-256",
|
| "SEED-CBC",
|
| @@ -343,7 +377,7 @@
|
| "missing"
|
| };
|
|
|
| -@@ -598,9 +627,13 @@
|
| +@@ -598,9 +629,13 @@
|
| case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
|
| case TLS_RSA_WITH_AES_256_CBC_SHA256:
|
| case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
|
| @@ -357,7 +391,7 @@
|
| case TLS_RSA_WITH_NULL_SHA256:
|
| return version >= SSL_LIBRARY_VERSION_TLS_1_2;
|
| default:
|
| -@@ -1360,7 +1393,7 @@
|
| +@@ -1360,7 +1395,7 @@
|
| cipher = suite_def->bulk_cipher_alg;
|
| kea = suite_def->key_exchange_alg;
|
| mac = suite_def->mac_alg;
|
| @@ -366,7 +400,7 @@
|
| mac += 2;
|
|
|
| ss->ssl3.hs.suite_def = suite_def;
|
| -@@ -1554,7 +1587,6 @@
|
| +@@ -1554,7 +1589,6 @@
|
| unsigned int optArg2 = 0;
|
| PRBool server_encrypts = ss->sec.isServer;
|
| SSLCipherAlgorithm calg;
|
| @@ -374,7 +408,7 @@
|
| SECStatus rv;
|
|
|
| PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
|
| -@@ -1565,8 +1597,18 @@
|
| +@@ -1565,8 +1599,18 @@
|
| cipher_def = pwSpec->cipher_def;
|
|
|
| calg = cipher_def->calg;
|
| @@ -394,12 +428,22 @@
|
| serverContext = pwSpec->server.cipher_context;
|
| clientContext = pwSpec->client.cipher_context;
|
|
|
| -@@ -1721,6 +1763,207 @@
|
| +@@ -1721,6 +1765,195 @@
|
| return param;
|
| }
|
|
|
| -+/* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which
|
| -+ * is included in the MAC) to |out| and returns its length. */
|
| ++/* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data
|
| ++ * which is included in the MAC or AEAD additional data) to |out| and returns
|
| ++ * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
|
| ++ * definition of the AEAD additional data.
|
| ++ *
|
| ++ * TLS pseudo-header includes the record's version field, SSL's doesn't. Which
|
| ++ * pseudo-header defintiion to use should be decided based on the version of
|
| ++ * the protocol that was negotiated when the cipher spec became current, NOT
|
| ++ * based on the version value in the record itself, and the decision is passed
|
| ++ * to this function as the |includesVersion| argument. But, the |version|
|
| ++ * argument should be the record's version value.
|
| ++ */
|
| +static unsigned int
|
| +ssl3_BuildRecordPseudoHeader(unsigned char *out,
|
| + SSL3SequenceNumber seq_num,
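Review bot: The new header comment for `ssl3_BuildRecordPseudoHeader` carries over the typo "defintiion" (should be "definition") from the comment it replaces. More usefully, the function writes into `out` without a size parameter, and every caller in this patch sizes its buffer as `[13]`; the comment should state that contract explicitly, e.g. "|out| must have room for 13 bytes (the TLS/DTLS form); the SSL 3.0 form is shorter." Otherwise the fixed `13` is knowledge that lives only in the callers, where it is now repeated several times. The function body continues past the end of this hunk.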
|
| @@ -450,29 +494,18 @@
|
| + int maxout,
|
| + const unsigned char *in,
|
| + int inlen,
|
| -+ SSL3ContentType type,
|
| -+ SSL3ProtocolVersion version,
|
| -+ SSL3SequenceNumber seq_num)
|
| ++ const unsigned char *additionalData,
|
| ++ int additionalDataLen)
|
| +{
|
| + SECItem param;
|
| + SECStatus rv = SECFailure;
|
| + unsigned char nonce[12];
|
| -+ unsigned char additionalData[13];
|
| -+ unsigned int additionalDataLen;
|
| + unsigned int uOutLen;
|
| + CK_GCM_PARAMS gcmParams;
|
| +
|
| + static const int tagSize = 16;
|
| + static const int explicitNonceLen = 8;
|
| +
|
| -+ /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
|
| -+ * definition of the AEAD additional data. */
|
| -+ additionalDataLen = ssl3_BuildRecordPseudoHeader(
|
| -+ additionalData, seq_num, type, PR_TRUE /* includes version */,
|
| -+ version, PR_FALSE /* not DTLS */,
|
| -+ inlen - (doDecrypt ? explicitNonceLen + tagSize : 0));
|
| -+ PORT_Assert(additionalDataLen <= sizeof(additionalData));
|
| -+
|
| + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
|
| + * nonce is formed. */
|
| + memcpy(nonce, keys->write_iv, 4);
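Review bot: With the AAD now supplied by the caller, `ssl3_AESGCM` has lost the code that computed the plaintext length for the pseudo-header (the removed `inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)`), so the meaning of the two new parameters relative to `inlen` is no longer visible inside the function. A comment at the parameter list would fix that: `/* additionalData: record pseudo-header built over the plaintext length; on decrypt, inlen still includes the explicit nonce and tag */`. The same applies to `ssl3_AESGCMBypass` in the hunk beginning `@@ -524,14 +557,11 @@`. The function's body continues beyond this hunk.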
|
| @@ -499,7 +532,7 @@
|
| + param.len = sizeof(gcmParams);
|
| + gcmParams.pIv = nonce;
|
| + gcmParams.ulIvLen = sizeof(nonce);
|
| -+ gcmParams.pAAD = additionalData;
|
| ++ gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
|
| + gcmParams.ulAADLen = additionalDataLen;
|
| + gcmParams.ulTagBits = tagSize * 8;
|
| +
|
| @@ -524,14 +557,11 @@
|
| + int maxout,
|
| + const unsigned char *in,
|
| + int inlen,
|
| -+ SSL3ContentType type,
|
| -+ SSL3ProtocolVersion version,
|
| -+ SSL3SequenceNumber seq_num)
|
| ++ const unsigned char *additionalData,
|
| ++ int additionalDataLen)
|
| +{
|
| + SECStatus rv = SECFailure;
|
| + unsigned char nonce[12];
|
| -+ unsigned char additionalData[13];
|
| -+ unsigned int additionalDataLen;
|
| + unsigned int uOutLen;
|
| + AESContext *cx;
|
| + CK_GCM_PARAMS gcmParams;
|
| @@ -539,14 +569,6 @@
|
| + static const int tagSize = 16;
|
| + static const int explicitNonceLen = 8;
|
| +
|
| -+ /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the
|
| -+ * definition of the AEAD additional data. */
|
| -+ additionalDataLen = ssl3_BuildRecordPseudoHeader(
|
| -+ additionalData, seq_num, type, PR_TRUE /* includes version */,
|
| -+ version, PR_FALSE /* not DTLS */,
|
| -+ inlen - (doDecrypt ? explicitNonceLen + tagSize : 0));
|
| -+ PORT_Assert(additionalDataLen <= sizeof(additionalData));
|
| -+
|
| + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
|
| + * nonce is formed. */
|
| + PORT_Assert(keys->write_iv_item.len == 4);
|
| @@ -575,7 +597,7 @@
|
| +
|
| + gcmParams.pIv = nonce;
|
| + gcmParams.ulIvLen = sizeof(nonce);
|
| -+ gcmParams.pAAD = additionalData;
|
| ++ gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
|
| + gcmParams.ulAADLen = additionalDataLen;
|
| + gcmParams.ulTagBits = tagSize * 8;
|
| +
|
| @@ -602,7 +624,7 @@
|
| /* Initialize encryption and MAC contexts for pending spec.
|
| * Master Secret already is derived.
|
| * Caller holds Spec write lock.
|
| -@@ -1748,14 +1991,27 @@
|
| +@@ -1748,14 +1981,27 @@
|
| pwSpec = ss->ssl3.pwSpec;
|
| cipher_def = pwSpec->cipher_def;
|
| macLength = pwSpec->mac_size;
|
| @@ -632,7 +654,7 @@
|
| mac_mech = pwSpec->mac_def->mmech;
|
| mac_param.data = (unsigned char *)&macLength;
|
| mac_param.len = sizeof(macLength);
|
| -@@ -1778,9 +2034,6 @@
|
| +@@ -1778,9 +2024,6 @@
|
| ** Now setup the crypto contexts.
|
| */
|
|
|
| @@ -642,15 +664,28 @@
|
| if (calg == calg_null) {
|
| pwSpec->encode = Null_Cipher;
|
| pwSpec->decode = Null_Cipher;
|
| -@@ -1999,55 +2252,21 @@
|
| +@@ -1988,10 +2231,8 @@
|
| + ssl3_ComputeRecordMAC(
|
| + ssl3CipherSpec * spec,
|
| + PRBool useServerMacKey,
|
| +- PRBool isDTLS,
|
| +- SSL3ContentType type,
|
| +- SSL3ProtocolVersion version,
|
| +- SSL3SequenceNumber seq_num,
|
| ++ const unsigned char *header,
|
| ++ unsigned int headerLen,
|
| + const SSL3Opaque * input,
|
| + int inputLength,
|
| + unsigned char * outbuf,
|
| +@@ -1999,56 +2240,8 @@
|
| {
|
| const ssl3MACDef * mac_def;
|
| SECStatus rv;
|
| -#ifndef NO_PKCS11_BYPASS
|
| - PRBool isTLS;
|
| +- PRBool isTLS;
|
| -#endif
|
| - unsigned int tempLen;
|
| - unsigned char temp[MAX_MAC_LENGTH];
|
| +- unsigned int tempLen;
|
| +- unsigned char temp[MAX_MAC_LENGTH];
|
|
|
| - temp[0] = (unsigned char)(seq_num.high >> 24);
|
| - temp[1] = (unsigned char)(seq_num.high >> 16);
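Review bot: `ssl3_ComputeRecordMAC` now receives a caller-built `header`/`headerLen`, yet it still decides between the SSL 3.0 MAC and the TLS HMAC from `spec->version` (the later `if (spec->version <= SSL_LIBRARY_VERSION_3_0)` hunk), so the header's `includesVersion` choice made by the caller and the algorithm choice made here must agree or the MAC is computed over the wrong layout. That invariant should be documented on the function since it can no longer enforce it: a comment such as "header must be the pseudo-header built with includesVersion == (spec->version > SSL_LIBRARY_VERSION_3_0)". The function's declaration starts above this hunk.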
|
| @@ -662,13 +697,12 @@
|
| - temp[7] = (unsigned char)(seq_num.low >> 0);
|
| - temp[8] = type;
|
| -
|
| - /* TLS MAC includes the record's version field, SSL's doesn't.
|
| - ** We decide which MAC defintiion to use based on the version of
|
| - ** the protocol that was negotiated when the spec became current,
|
| - ** NOT based on the version value in the record itself.
|
| +- /* TLS MAC includes the record's version field, SSL's doesn't.
|
| +- ** We decide which MAC defintiion to use based on the version of
|
| +- ** the protocol that was negotiated when the spec became current,
|
| +- ** NOT based on the version value in the record itself.
|
| - ** But, we use the record'v version value in the computation.
|
| -+ ** But, we use the record's version value in the computation.
|
| - */
|
| +- */
|
| - if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
|
| - temp[9] = MSB(inputLength);
|
| - temp[10] = LSB(inputLength);
|
| @@ -680,11 +714,7 @@
|
| - /* New TLS hash includes version. */
|
| - if (isDTLS) {
|
| - SSL3ProtocolVersion dtls_version;
|
| -+ isTLS = spec->version > SSL_LIBRARY_VERSION_3_0;
|
| -+ tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS,
|
| -+ version, isDTLS, inputLength);
|
| -+ PORT_Assert(tempLen <= sizeof(temp));
|
| -
|
| +-
|
| - dtls_version = dtls_TLSVersionToDTLSVersion(version);
|
| - temp[9] = MSB(dtls_version);
|
| - temp[10] = LSB(dtls_version);
|
| @@ -700,10 +730,140 @@
|
| -#endif
|
| - }
|
| -
|
| - PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
|
| +- PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
|
| ++ PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen));
|
| PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
|
|
|
| -@@ -2390,86 +2609,112 @@
|
| + mac_def = spec->mac_def;
|
| +@@ -2093,7 +2286,10 @@
|
| + return SECFailure;
|
| + }
|
| +
|
| +- if (!isTLS) {
|
| ++ if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
|
| ++ unsigned int tempLen;
|
| ++ unsigned char temp[MAX_MAC_LENGTH];
|
| ++
|
| + /* compute "inner" part of SSL3 MAC */
|
| + hashObj->begin(write_mac_context);
|
| + if (useServerMacKey)
|
| +@@ -2105,7 +2301,7 @@
|
| + spec->client.write_mac_key_item.data,
|
| + spec->client.write_mac_key_item.len);
|
| + hashObj->update(write_mac_context, mac_pad_1, pad_bytes);
|
| +- hashObj->update(write_mac_context, temp, tempLen);
|
| ++ hashObj->update(write_mac_context, header, headerLen);
|
| + hashObj->update(write_mac_context, input, inputLength);
|
| + hashObj->end(write_mac_context, temp, &tempLen, sizeof temp);
|
| +
|
| +@@ -2136,7 +2332,7 @@
|
| + }
|
| + if (rv == SECSuccess) {
|
| + HMAC_Begin(cx);
|
| +- HMAC_Update(cx, temp, tempLen);
|
| ++ HMAC_Update(cx, header, headerLen);
|
| + HMAC_Update(cx, input, inputLength);
|
| + rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
|
| + HMAC_Destroy(cx, PR_FALSE);
|
| +@@ -2150,7 +2346,7 @@
|
| + (useServerMacKey ? spec->server.write_mac_context
|
| + : spec->client.write_mac_context);
|
| + rv = PK11_DigestBegin(mac_context);
|
| +- rv |= PK11_DigestOp(mac_context, temp, tempLen);
|
| ++ rv |= PK11_DigestOp(mac_context, header, headerLen);
|
| + rv |= PK11_DigestOp(mac_context, input, inputLength);
|
| + rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
|
| + }
|
| +@@ -2190,10 +2386,8 @@
|
| + ssl3_ComputeRecordMACConstantTime(
|
| + ssl3CipherSpec * spec,
|
| + PRBool useServerMacKey,
|
| +- PRBool isDTLS,
|
| +- SSL3ContentType type,
|
| +- SSL3ProtocolVersion version,
|
| +- SSL3SequenceNumber seq_num,
|
| ++ const unsigned char *header,
|
| ++ unsigned int headerLen,
|
| + const SSL3Opaque * input,
|
| + int inputLen,
|
| + int originalLen,
|
| +@@ -2205,9 +2399,7 @@
|
| + PK11Context * mac_context;
|
| + SECItem param;
|
| + SECStatus rv;
|
| +- unsigned char header[13];
|
| + PK11SymKey * key;
|
| +- int recordLength;
|
| +
|
| + PORT_Assert(inputLen >= spec->mac_size);
|
| + PORT_Assert(originalLen >= inputLen);
|
| +@@ -2223,42 +2415,15 @@
|
| + return SECSuccess;
|
| + }
|
| +
|
| +- header[0] = (unsigned char)(seq_num.high >> 24);
|
| +- header[1] = (unsigned char)(seq_num.high >> 16);
|
| +- header[2] = (unsigned char)(seq_num.high >> 8);
|
| +- header[3] = (unsigned char)(seq_num.high >> 0);
|
| +- header[4] = (unsigned char)(seq_num.low >> 24);
|
| +- header[5] = (unsigned char)(seq_num.low >> 16);
|
| +- header[6] = (unsigned char)(seq_num.low >> 8);
|
| +- header[7] = (unsigned char)(seq_num.low >> 0);
|
| +- header[8] = type;
|
| +-
|
| + macType = CKM_NSS_HMAC_CONSTANT_TIME;
|
| +- recordLength = inputLen - spec->mac_size;
|
| + if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
|
| + macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME;
|
| +- header[9] = recordLength >> 8;
|
| +- header[10] = recordLength;
|
| +- params.ulHeaderLen = 11;
|
| +- } else {
|
| +- if (isDTLS) {
|
| +- SSL3ProtocolVersion dtls_version;
|
| +-
|
| +- dtls_version = dtls_TLSVersionToDTLSVersion(version);
|
| +- header[9] = dtls_version >> 8;
|
| +- header[10] = dtls_version;
|
| +- } else {
|
| +- header[9] = version >> 8;
|
| +- header[10] = version;
|
| +- }
|
| +- header[11] = recordLength >> 8;
|
| +- header[12] = recordLength;
|
| +- params.ulHeaderLen = 13;
|
| + }
|
| +
|
| + params.macAlg = spec->mac_def->mmech;
|
| + params.ulBodyTotalLen = originalLen;
|
| +- params.pHeader = header;
|
| ++ params.pHeader = (unsigned char *) header; /* const cast */
|
| ++ params.ulHeaderLen = headerLen;
|
| +
|
| + param.data = (unsigned char*) ¶ms;
|
| + param.len = sizeof(params);
|
| +@@ -2291,9 +2456,8 @@
|
| + /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the
|
| + * length already. */
|
| + inputLen -= spec->mac_size;
|
| +- return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type,
|
| +- version, seq_num, input, inputLen,
|
| +- outbuf, outLen);
|
| ++ return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen,
|
| ++ input, inputLen, outbuf, outLen);
|
| + }
|
| +
|
| + static PRBool
|
| +@@ -2345,6 +2509,8 @@
|
| + PRUint16 headerLen;
|
| + int ivLen = 0;
|
| + int cipherBytes = 0;
|
| ++ unsigned char pseudoHeader[13];
|
| ++ unsigned int pseudoHeaderLen;
|
| +
|
| + cipher_def = cwSpec->cipher_def;
|
| + headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
|
| +@@ -2390,86 +2556,117 @@
|
| contentLen = outlen;
|
| }
|
|
|
| @@ -721,6 +881,11 @@
|
| - p2Len = macLen;
|
| - fragLen = contentLen + macLen; /* needs to be encrypted */
|
| - PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
|
| ++ pseudoHeaderLen = ssl3_BuildRecordPseudoHeader(
|
| ++ pseudoHeader, cwSpec->write_seq_num, type,
|
| ++ cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version,
|
| ++ isDTLS, contentLen);
|
| ++ PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader));
|
| + if (cipher_def->type == type_aead) {
|
| + const int nonceLen = cipher_def->explicit_nonce_size;
|
| + const int tagLen = cipher_def->tag_size;
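Review bot: `PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader));` is evaluated after `ssl3_BuildRecordPseudoHeader` has already written into the buffer, and `PORT_Assert` is debug-only, so it records the bound rather than enforcing it; the same pattern is used at the two `header[13]` call sites in `ssl3_HandleRecord`. As far as this patch shows, the function's maximum output is fixed at 13 bytes so the buffers are safe by construction, but that is precisely what should be written down, e.g. `/* pseudo-header is at most 13 bytes; the assert is a consistency check, not a bounds guard */`. Passing the buffer size into the builder would turn the check into a real one. The enclosing function begins before this hunk.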
|
| @@ -757,7 +922,7 @@
|
| + &cipherBytes, /* out len */
|
| + wrBuf->space - headerLen, /* max out */
|
| + pIn, contentLen, /* input */
|
| -+ type, cwSpec->version, cwSpec->write_seq_num);
|
| ++ pseudoHeader, pseudoHeaderLen);
|
| + if (rv != SECSuccess) {
|
| + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
|
| + return SECFailure;
|
| @@ -790,8 +955,8 @@
|
| + /*
|
| + * Add the MAC
|
| + */
|
| -+ rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
|
| -+ type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
|
| ++ rv = ssl3_ComputeRecordMAC(cwSpec, isServer,
|
| ++ pseudoHeader, pseudoHeaderLen, pIn, contentLen,
|
| + wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
|
| + if (rv != SECSuccess) {
|
| + ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
|
| @@ -889,7 +1054,7 @@
|
| PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
|
|
|
| wrBuf->len = cipherBytes + headerLen;
|
| -@@ -3012,9 +3257,6 @@
|
| +@@ -3012,9 +3209,6 @@
|
| static SECStatus
|
| ssl3_IllegalParameter(sslSocket *ss)
|
| {
|
| @@ -899,7 +1064,7 @@
|
| (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
|
| PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
|
| : SSL_ERROR_BAD_SERVER );
|
| -@@ -3538,7 +3780,6 @@
|
| +@@ -3538,7 +3732,6 @@
|
| }
|
|
|
| key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
|
| @@ -907,7 +1072,7 @@
|
|
|
| key_material_params.RandomInfo.pClientRandom = cr;
|
| key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
|
| -@@ -9946,7 +10187,6 @@
|
| +@@ -9946,7 +10139,6 @@
|
| static void
|
| ssl3_RecordKeyLog(sslSocket *ss)
|
| {
|
| @@ -915,7 +1080,7 @@
|
| SECStatus rv;
|
| SECItem *keyData;
|
| char buf[14 /* "CLIENT_RANDOM " */ +
|
| -@@ -9958,8 +10198,6 @@
|
| +@@ -9958,8 +10150,6 @@
|
|
|
| PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
|
|
|
| @@ -924,7 +1089,16 @@
|
| if (!ssl_keylog_iob)
|
| return;
|
|
|
| -@@ -11171,12 +11409,14 @@
|
| +@@ -11095,6 +11285,8 @@
|
| + unsigned int originalLen = 0;
|
| + unsigned int good;
|
| + unsigned int minLength;
|
| ++ unsigned char header[13];
|
| ++ unsigned int headerLen;
|
| +
|
| + PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
|
| +
|
| +@@ -11171,12 +11363,14 @@
|
| /* With >= TLS 1.1, CBC records have an explicit IV. */
|
| minLength += cipher_def->iv_size;
|
| }
|
| @@ -940,7 +1114,7 @@
|
| }
|
|
|
| if (cipher_def->type == type_block &&
|
| -@@ -11244,78 +11484,95 @@
|
| +@@ -11244,78 +11438,104 @@
|
| return SECFailure;
|
| }
|
|
|
| @@ -950,6 +1124,17 @@
|
| - }
|
| + rType = cText->type;
|
| + if (cipher_def->type == type_aead) {
|
| ++ /* XXX For many AEAD ciphers, the plaintext is shorter than the
|
| ++ * ciphertext by a fixed byte count, but it is not true in general.
|
| ++ * Each AEAD cipher should provide a function that returns the
|
| ++ * plaintext length for a given ciphertext. */
|
| ++ unsigned int decryptedLen =
|
| ++ cText->buf->len - cipher_def->explicit_nonce_size -
|
| ++ cipher_def->tag_size;
|
| ++ headerLen = ssl3_BuildRecordPseudoHeader(
|
| ++ header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
|
| ++ rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen);
|
| ++ PORT_Assert(headerLen <= sizeof(header));
|
| + rv = crSpec->aead(
|
| + ss->sec.isServer ? &crSpec->client : &crSpec->server,
|
| + PR_TRUE, /* do decrypt */
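Review bot: `decryptedLen = cText->buf->len - cipher_def->explicit_nonce_size - cipher_def->tag_size` is unsigned arithmetic and wraps to a huge value if a received record is shorter than nonce plus tag, and that value is then folded into the AAD before decryption. The only protection is the earlier `minLength` rejection in this function; the hunk at `@@ -11171,12 +11363,14 @@` shows `minLength` being extended but the `type_aead` contribution is not visible in this chunk, so please confirm it adds `explicit_nonce_size + tag_size`, or guard here with `if (cText->buf->len < cipher_def->explicit_nonce_size + cipher_def->tag_size) { good = 0; }` before the subtraction. The `XXX` comment correctly flags that the fixed-overhead assumption is GCM-specific. The function continues outside this hunk.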
|
| @@ -958,9 +1143,7 @@
|
| + plaintext->space, /* maxout */
|
| + cText->buf->buf, /* in */
|
| + cText->buf->len, /* inlen */
|
| -+ rType, /* record type */
|
| -+ cText->version,
|
| -+ IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num);
|
| ++ header, headerLen);
|
| + if (rv != SECSuccess) {
|
| + good = 0;
|
| + }
|
| @@ -1006,7 +1189,7 @@
|
| - } else {
|
| - good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
|
| - plaintext, macSize));
|
| -+ if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
|
| ++ if (!isTLS) {
|
| + good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
|
| + plaintext, blockSize, macSize));
|
| + } else {
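Review bot: Replacing `crSpec->version <= SSL_LIBRARY_VERSION_3_0` with `if (!isTLS)` is only equivalent if `isTLS` is derived from `crSpec->version`, the spec that became current at the last change-cipher-spec, and not from `cText->version`, the version field of the record being processed; the definition of `isTLS` is outside this hunk, so please confirm. The same flag is passed as `includesVersion` to `ssl3_BuildRecordPseudoHeader` in the neighbouring hunks, so a record-derived value would let the peer pick which MAC layout is checked, which is exactly what the function's own comment warns against. A one-line comment at the definition of `isTLS` stating which version it comes from would settle it.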
|
| @@ -1026,11 +1209,14 @@
|
| - plaintext->buf, plaintext->len, originalLen,
|
| - hash, &hashBytes);
|
| + /* compute the MAC */
|
| ++ headerLen = ssl3_BuildRecordPseudoHeader(
|
| ++ header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
|
| ++ rType, isTLS, cText->version, IS_DTLS(ss),
|
| ++ plaintext->len - crSpec->mac_size);
|
| ++ PORT_Assert(headerLen <= sizeof(header));
|
| + if (cipher_def->type == type_block) {
|
| + rv = ssl3_ComputeRecordMACConstantTime(
|
| -+ crSpec, (PRBool)(!ss->sec.isServer),
|
| -+ IS_DTLS(ss), rType, cText->version,
|
| -+ IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
|
| ++ crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
|
| + plaintext->buf, plaintext->len, originalLen,
|
| + hash, &hashBytes);
|
|
|
| @@ -1065,11 +1251,8 @@
|
| - plaintext->buf, plaintext->len,
|
| - hash, &hashBytes);
|
| + rv = ssl3_ComputeRecordMAC(
|
| -+ crSpec, (PRBool)(!ss->sec.isServer),
|
| -+ IS_DTLS(ss), rType, cText->version,
|
| -+ IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
|
| -+ plaintext->buf, plaintext->len,
|
| -+ hash, &hashBytes);
|
| ++ crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
|
| ++ plaintext->buf, plaintext->len, hash, &hashBytes);
|
|
|
| - /* We can read the MAC directly from the record because its location is
|
| - * public when a stream cipher is used. */
|
| @@ -1097,7 +1280,7 @@
|
| if (good == 0) {
|
| Index: net/third_party/nss/ssl/sslenum.c
|
| ===================================================================
|
| ---- net/third_party/nss/ssl/sslenum.c (revision 215189)
|
| +--- net/third_party/nss/ssl/sslenum.c (revision 217715)
|
| +++ net/third_party/nss/ssl/sslenum.c (working copy)
|
| @@ -29,6 +29,14 @@
|
| * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
|
| @@ -1116,7 +1299,7 @@
|
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
| Index: net/third_party/nss/ssl/sslproto.h
|
| ===================================================================
|
| ---- net/third_party/nss/ssl/sslproto.h (revision 215189)
|
| +--- net/third_party/nss/ssl/sslproto.h (revision 217715)
|
| +++ net/third_party/nss/ssl/sslproto.h (working copy)
|
| @@ -162,6 +162,10 @@
|
|
|
| @@ -1143,7 +1326,7 @@
|
| #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
|
| Index: net/third_party/nss/ssl/sslt.h
|
| ===================================================================
|
| ---- net/third_party/nss/ssl/sslt.h (revision 215189)
|
| +--- net/third_party/nss/ssl/sslt.h (revision 217715)
|
| +++ net/third_party/nss/ssl/sslt.h (working copy)
|
| @@ -91,9 +91,10 @@
|
| ssl_calg_3des = 4,
|
| @@ -1158,22 +1341,23 @@
|
| } SSLCipherAlgorithm;
|
|
|
| typedef enum {
|
| -Index: net/third_party/nss/ssl/dtlscon.c
|
| -===================================================================
|
| ---- net/third_party/nss/ssl/dtlscon.c (revision 215189)
|
| -+++ net/third_party/nss/ssl/dtlscon.c (working copy)
|
| -@@ -30,7 +30,14 @@
|
| +@@ -102,7 +103,8 @@
|
| + ssl_mac_sha = 2,
|
| + ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */
|
| + ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */
|
| +- ssl_hmac_sha256 = 5
|
| ++ ssl_hmac_sha256 = 5,
|
| ++ ssl_mac_aead = 6
|
| + } SSLMACAlgorithm;
|
|
|
| - /* List copied from ssl3con.c:cipherSuites */
|
| - static const ssl3CipherSuite nonDTLSSuites[] = {
|
| -+ /* XXX Make AES-GCM work with DTLS. */
|
| - #ifdef NSS_ENABLE_ECC
|
| -+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
| -+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
| -+#endif /* NSS_ENABLE_ECC */
|
| -+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
|
| -+ TLS_RSA_WITH_AES_128_GCM_SHA256,
|
| -+#ifdef NSS_ENABLE_ECC
|
| - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
|
| - TLS_ECDHE_RSA_WITH_RC4_128_SHA,
|
| - #endif /* NSS_ENABLE_ECC */
|
| + typedef enum {
|
| +@@ -158,6 +160,9 @@
|
| + PRUint16 effectiveKeyBits;
|
| +
|
| + /* MAC info */
|
| ++ /* AEAD ciphers don't have a MAC. For an AEAD cipher, macAlgorithmName
|
| ++ * is "AEAD", macAlgorithm is ssl_mac_aead, and macBits is the length in
|
| ++ * bits of the authentication tag. */
|
| + const char * macAlgorithmName;
|
| + SSLMACAlgorithm macAlgorithm;
|
| + PRUint16 macBits;
|
|
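Review bot: `ssl_mac_aead = 6` is appended to the public `SSLMACAlgorithm` enum, and `mac_defs[]` in ssl3con.c is indexed by these values, so the table and the enum must change together; the enum is the natural place to say so, e.g. `ssl_mac_aead = 6 /* mac_defs[] in ssl3con.c is indexed by this enum; append only */`. The new `SSLCipherSuiteInfo` comment documenting macBits as the tag length is a good addition. This revision also drops the previous dtlscon.c hunk that kept the GCM suites out of DTLS; the encrypt and decrypt paths now pass `isDTLS`/`IS_DTLS(ss)` into the pseudo-header, which is consistent, but the DTLS nonce handling in the AEAD functions is not in view, so this is noted rather than asserted.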
|