net: add ChaCha20+Poly1305 support to libssl.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 22 matching lines @@
 
 /* This is a bodge to allow this code to be compiled against older NSS headers
  * that don't contain the TLS 1.2 changes. */
 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256
 #define CKM_NSS_TLS_PRF_GENERAL_SHA256          (CKM_NSS + 21)
 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256    (CKM_NSS + 22)
 #define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
 #endif
 
+/* This is a bodge to allow this code to be compiled against older NSS
+ * headers. */
+#ifndef CKM_NSS_CHACHA20_POLY1305
+#define CKM_NSS_CHACHA20_POLY1305               (CKM_NSS + 25)
+
+typedef struct CK_AEAD_PARAMS {
+  CK_BYTE_PTR  pIv;  /* This is the nonce. */
+  CK_ULONG     ulIvLen;
+  CK_BYTE_PTR  pAAD;
+  CK_ULONG     ulAADLen;
+} CK_AEAD_PARAMS;

[wtc, 2013/09/13 17:29:14]

This differs from CK_GCM_PARAMS only in the ulTagBits field. Do you think the
a ulTagBits field could be useful?

[agl, 2013/09/13 20:51:45]

I don't plan on truncating the MAC, but others might. Even so, it would seem odd
to use CK_GCM_PARAMS with other algorithms. Would you prefer that the code
support ulTagBits in order to keep the structs the same? If so, you would like
to use CK_GCM_PARAMS for ChaCha, or typedef CK_GCM_PARAMS CK_AEAD_PARAMS?

[wtc, 2013/09/13 21:32:26]

For the struct to be named CK_AEAD_PARAMS, it should be
general enough to support all AEAD algorithms. This is why
I compared CK_AEAD_PARAMS with CK_GCM_PARAMS and noticed
that it is missing ulTagBit.

I just checked CK_CCM_PARAMS and found it also has a
ulDataLen field (the other fields seem equivalent to the
fields of CK_GCM_PARAMS even though the names are different).

1517 /* CK_CCM_PARAMS is new for version 2.30 */
1518 typedef struct CK_CCM_PARAMS {
1519   CK_ULONG     ulDataLen;
1520   CK_BYTE_PTR  pNonce;
1521   CK_ULONG     ulNonceLen;
1522   CK_BYTE_PTR  pAAD;
1523   CK_ULONG     ulAADLen;
1524   CK_ULONG     ulMACLen;
1525 } CK_CCM_PARAMS;

So, I would prefer that we either have a CK_AEAD_PARAMS
that is general, or just have a CK_CHACHA20_POLY1305_PARAMS.

[agl, 2013/09/16 22:19:07]

I've added the ulTagBit member.

+
+#endif
+
 #include <stdio.h>
 #ifdef NSS_ENABLE_ZLIB
 #include "zlib.h"
 #endif
 #ifdef LINUX
 #include <dlfcn.h>
 #endif
 
 #ifndef PK11_SETATTRS
 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
@@ skipping 40 matching lines @@
 #define MIN_SEND_BUF_LENGTH  4000
 
 /* This list of SSL3 cipher suites is sorted in descending order of
  * precedence (desirability).  It only includes cipher suites we implement.
  * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
  * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
  */
 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
    /*      cipher_suite                         policy      enabled is_present*/
 #ifdef NSS_ENABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,   SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},

[wtc, 2013/09/13 17:29:14]

The |enabled| setting for the two CHACHA20_POLY1305 ciphers should be PR_FALSE
because these are ECC ciphers.

The CHACHA20_POLY1305 ciphers are listed before AES_128_GCM ciphers. I assume
this is because CHACHA20_POLY1305 uses 256-bit keys.

[agl, 2013/09/13 20:51:45]

Done.
Initially it's because I wanted to test but I do think that the ChaCha ciphers
are safer than AES_GCM because not all systems have AES-NI. With optimisation
enabled, they run at about 50% the speed of AES-GCM with AES-NI.

In the future I would like the AES_GCM ciphers to be listed first in cases where
the system has AES-NI. (Perhaps AES256 as, with AES-NI, that's not a major
performance issue.) Servers would need to be able to select different ciphers
depending on the client's cipher preference without always respecting the client
cipher preference, so it's a little complex. For now however, ChaCha is a safe
choice as a first-preference cipher.

  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,    SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
  { TLS_RSA_WITH_AES_128_GCM_SHA256,        SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
@@ skipping 153 matching lines @@
     {cipher_des,          calg_des,          8, 8, type_block,  8, 8, 0, 0},
     {cipher_3des,         calg_3des,        24,24, type_block,  8, 8, 0, 0},
     {cipher_des40,        calg_des,          8, 5, type_block,  8, 8, 0, 0},
     {cipher_idea,         calg_idea,        16,16, type_block,  8, 8, 0, 0},
     {cipher_aes_128,      calg_aes,         16,16, type_block, 16,16, 0, 0},
     {cipher_aes_256,      calg_aes,         32,32, type_block, 16,16, 0, 0},
     {cipher_camellia_128, calg_camellia,    16,16, type_block, 16,16, 0, 0},
     {cipher_camellia_256, calg_camellia,    32,32, type_block, 16,16, 0, 0},
     {cipher_seed,         calg_seed,        16,16, type_block, 16,16, 0, 0},
     {cipher_aes_128_gcm,  calg_aes_gcm,     16,16, type_aead,   4, 0,16, 8},
+    {cipher_c20p1305,     calg_c20p1305,    32,32, type_aead,   0, 0,16, 0},
     {cipher_missing,      calg_null,         0, 0, type_stream, 0, 0, 0, 0},
 };
 
 static const ssl3KEADef kea_defs[] = 
 { /* indexed by SSL3KeyExchangeAlgorithm */
     /* kea              exchKeyType signKeyType is_limited limit  tls_keygen */
     {kea_null,           kt_null,     sign_null, PR_FALSE,   0, PR_FALSE},
     {kea_rsa,            kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_FALSE},
     {kea_rsa_export,     kt_rsa,      sign_rsa,  PR_TRUE,  512, PR_FALSE},
     {kea_rsa_export_1024,kt_rsa,      sign_rsa,  PR_TRUE, 1024, PR_FALSE},
@@ skipping 106 matching lines @@
     {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
                                     cipher_rc4_56, mac_sha,kea_rsa_export_1024},
 
     {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
     {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
 
     {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa},
     {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
     {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
     {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_c20p1305, mac_null, kea_ecdhe_ecdsa},
+    {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_c20p1305, mac_null, kea_ecdhe_rsa},

[wtc, 2013/09/13 17:29:14]

Use mac_aead instead of mac_null.

Nit: list ECDHE_RSA before ECDHE_ECDSA, matching the {0xcc, 0x13}, {0xcc, 0x14}
order.

[agl, 2013/09/13 20:51:45]

Done.

 
 #ifdef NSS_ENABLE_ECC
     {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
 
     {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa},
     {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
@@ skipping 45 matching lines @@
     { calg_rc4      , CKM_RC4                           },
     { calg_rc2      , CKM_RC2_CBC                       },
     { calg_des      , CKM_DES_CBC                       },
     { calg_3des     , CKM_DES3_CBC                      },
     { calg_idea     , CKM_IDEA_CBC                      },
     { calg_fortezza , CKM_SKIPJACK_CBC64                },
     { calg_aes      , CKM_AES_CBC                       },
     { calg_camellia , CKM_CAMELLIA_CBC                  },
     { calg_seed     , CKM_SEED_CBC                      },
     { calg_aes_gcm  , CKM_AES_GCM                       },
+    { calg_c20p1305 , CKM_NSS_CHACHA20_POLY1305         },
 /*  { calg_init     , (CK_MECHANISM_TYPE)0x7fffffffL    }  */
 };
 
 #define mmech_invalid  (CK_MECHANISM_TYPE)0x80000000L
 #define mmech_md5      CKM_SSL3_MD5_MAC
 #define mmech_sha      CKM_SSL3_SHA1_MAC
 #define mmech_md5_hmac CKM_MD5_HMAC
 #define mmech_sha_hmac CKM_SHA_1_HMAC
 #define mmech_sha256_hmac CKM_SHA256_HMAC
 #define mmech_sha384_hmac CKM_SHA384_HMAC
@@ skipping 1536 matching lines @@
     } else {
         rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen);
     }
     AES_DestroyContext(cx, PR_FALSE);
     *outlen += (int) uOutLen;
 
     return rv;
 }
 #endif
 
+static SECStatus
+ssl3_ChaCha20Poly1305(
+        ssl3KeyMaterial *keys,
+        PRBool doDecrypt,
+        unsigned char *out,
+        int *outlen,
+        int maxout,
+        const unsigned char *in,
+        int inlen,
+        const unsigned char *additionalData,
+        int additionalDataLen)
+{
+    SECItem            param;
+    SECStatus          rv = SECFailure;
+    static const int   tagSize = 16;

[wtc, 2013/09/13 17:29:14]

Delete tagSize. It's not used.

[agl, 2013/09/13 20:51:45]

Done.

+    unsigned int       uOutLen;
+    CK_AEAD_PARAMS     aeadParams;
+
+    memset(&param, 0, sizeof(param));
+    param.len = sizeof(CK_AEAD_PARAMS);

[wtc, 2013/09/13 17:29:14]

Nit: use sizeof(aeadParams).

Nit: SECItem has just three fields. In NSS we usually just assign them without
using a memset to zero the struct first:

  param.type = siBuffer;
  param.data = (unsigned char *) &aeadParams;
  param.len = sizeof(aeadParams);

[agl, 2013/09/13 20:51:45]

Done.

+    param.data = (unsigned char *) &aeadParams;
+    memset(&aeadParams, 0, sizeof(CK_AEAD_PARAMS));
+    aeadParams.pIv = (unsigned char *) additionalData;
+    aeadParams.ulIvLen = 8;
+    aeadParams.pAAD = (unsigned char *) additionalData;
+    aeadParams.ulAADLen = additionalDataLen;
+
+    if (doDecrypt) {
+        rv = pk11_decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, &param,
+                          out, &uOutLen, maxout, in, inlen);
+    } else {
+        rv = pk11_encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, &param,
+                          out, &uOutLen, maxout, in, inlen);
+    }
+    *outlen = (int) uOutLen;
+
+    return rv;
+}
+
 /* Initialize encryption and MAC contexts for pending spec.
  * Master Secret already is derived.
  * Caller holds Spec write lock.
  */
 static SECStatus
 ssl3_InitPendingContextsPKCS11(sslSocket *ss)
 {
       ssl3CipherSpec  *  pwSpec;
       const ssl3BulkCipherDef *cipher_def;
       PK11Context *      serverContext = NULL;
@@ skipping 13 matching lines @@
 
     pwSpec        = ss->ssl3.pwSpec;
     cipher_def    = pwSpec->cipher_def;
     macLength     = pwSpec->mac_size;
     calg          = cipher_def->calg;
     PORT_Assert(alg2Mech[calg].calg == calg);
 
     pwSpec->client.write_mac_context = NULL;
     pwSpec->server.write_mac_context = NULL;
 
-    if (calg == calg_aes_gcm) {
+    if (calg == calg_aes_gcm || calg == calg_c20p1305) {

[wtc, 2013/09/13 17:29:14]

We should have a more systematic way to set the pwSpec->aead function pointer
if AEAD ciphers proliferate.

         pwSpec->encode = NULL;
         pwSpec->decode = NULL;
         pwSpec->destroy = NULL;
         pwSpec->encodeContext = NULL;
         pwSpec->decodeContext = NULL;
-        pwSpec->aead = ssl3_AESGCM;
+        if (calg == calg_aes_gcm) {
+            pwSpec->aead = ssl3_AESGCM;
+        } else {
+            pwSpec->aead = ssl3_ChaCha20Poly1305;
+        }
         return SECSuccess;
     }
 
     /* 
     ** Now setup the MAC contexts, 
     **   crypto contexts are setup below.
     */
 
     mac_mech       = pwSpec->mac_def->mmech;
     mac_param.data = (unsigned char *)&macLength;
@@ skipping 10318 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */