Support ChaCha20+Poly1305 cipher suites.

nss/lib/softoken/pkcs11c.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * This file implements PKCS 11 on top of our existing security modules
  *
  * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
  *   This implementation has two slots:
  *      slot 1 is our generic crypto support. It does not require login.
  *   It supports Public Key ops, and all they bulk ciphers and hashes. 
@@ skipping 457 matching lines @@
 
 static SECStatus
 sftk_DecryptOAEP(SFTKOAEPDecryptInfo *info, unsigned char *output,
                  unsigned int *outputLen, unsigned int maxLen,
                  unsigned char *input, unsigned int inputLen)
 {
     return RSA_DecryptOAEP(info->params, info->key, output, outputLen,
                            maxLen, input, inputLen);
 }
 
+static SFTKChaCha20Poly1305Info *
+sftk_ChaCha20Poly1305_New(const unsigned char *key,
+                          const CK_NSS_AEAD_PARAMS* params)
+{
+    SFTKChaCha20Poly1305Info *ctx;
+
+    if (params->ulIvLen != sizeof(ctx->nonce)) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return NULL;
+    }
+
+    if (params->ulTagBits == 0 ||
+        params->ulTagBits > 128 ||
+        (params->ulTagBits & 7) != 0) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return NULL;
+    }
+
+    ctx = PORT_New(SFTKChaCha20Poly1305Info);
+    if (ctx == NULL) {
+        return NULL;
+    }
+
+    memcpy(ctx->key, key, sizeof(ctx->key));
+    memcpy(ctx->nonce, params->pIv, sizeof(ctx->nonce));
+    ctx->tagLen = params->ulTagBits >> 3;
+
+    if (params->ulAADLen > sizeof(ctx->ad)) {
+        /* Need to allocate an overflow buffer for the additional data. */
+        ctx->adOverflow = (unsigned char *)PORT_Alloc(params->ulAADLen);
+        if (!ctx->adOverflow) {
+            PORT_Free(ctx);
+            return NULL;
+        }
+        memcpy(ctx->adOverflow, params->pAAD, params->ulAADLen);
+    } else {
+        ctx->adOverflow = NULL;
+        memcpy(ctx->ad, params->pAAD, params->ulAADLen);
+    }
+    ctx->adLen = params->ulAADLen;
+
+    return ctx;
+}
+
+static void
+sftk_ChaCha20Poly1305_Free(SFTKChaCha20Poly1305Info *ctx)
+{
+    if (ctx->adOverflow != NULL) {
+        PORT_Free(ctx->adOverflow);
+    }
+    PORT_Free(ctx);
+}
+
+static SECStatus
+sftk_ChaCha20Poly1305_Seal(const SFTKChaCha20Poly1305Info *ctx,
+                           unsigned char *output, unsigned int *outputLen,
+                           unsigned int maxOutputLen,
+                           const unsigned char *input, unsigned int inputLen)
+{
+    const unsigned char *ad = ctx->adOverflow;
+
+    *outputLen = inputLen + ctx->tagLen;
+    if (maxOutputLen < *outputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    if (ad == NULL) {
+        ad = ctx->ad;
+    }
+
+    return ChaCha20Poly1305_Seal(output, ad, ctx->adLen, input, inputLen,
+                                 ctx->tagLen, ctx->key, ctx->nonce);
+}
+
+static SECStatus
+sftk_ChaCha20Poly1305_Open(const SFTKChaCha20Poly1305Info *ctx,
+                           unsigned char *output, unsigned int *outputLen,
+                           unsigned int maxOutputLen,
+                           const unsigned char *input, unsigned int inputLen)
+{
+    const unsigned char *ad = ctx->adOverflow;
+
+    if (inputLen < ctx->tagLen) {
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return SECFailure;
+    }
+    *outputLen = inputLen - ctx->tagLen;
+    if (maxOutputLen < *outputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+
+    if (ad == NULL) {
+        ad = ctx->ad;
+    }
+
+    return ChaCha20Poly1305_Open(output, ad, ctx->adLen, input, inputLen,
+                                 ctx->tagLen, ctx->key, ctx->nonce);
+}
+
 /** NSC_CryptInit initializes an encryption/Decryption operation.
  *
  * Always called by NSC_EncryptInit, NSC_DecryptInit, NSC_WrapKey,NSC_UnwrapKey.
  * Called by NSC_SignInit, NSC_VerifyInit (via sftk_InitCBCMac) only for block
  *  ciphers MAC'ing.
  */
 static CK_RV
 sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
      CK_OBJECT_HANDLE hKey,
      CK_ATTRIBUTE_TYPE mechUsage, CK_ATTRIBUTE_TYPE keyUsage,
@@ skipping 375 matching lines @@
             isEncrypt, att->attrib.ulValueLen, 16);
         sftk_FreeAttribute(att);
         if (context->cipherInfo == NULL) {
             crv = CKR_HOST_MEMORY;
             break;
         }
         context->update = (SFTKCipher) (isEncrypt ? AES_Encrypt : AES_Decrypt);
         context->destroy = (SFTKDestroy) AES_DestroyContext;
         break;
 
+    case CKM_NSS_CHACHA20_POLY1305:
+        context->multi = PR_FALSE;
+        if (key_type != CKK_NSS_CHACHA20) {
+            crv = CKR_KEY_TYPE_INCONSISTENT;
+            break;
+        }
+        att = sftk_FindAttribute(key,CKA_VALUE);
+        if (att == NULL) {
+            crv = CKR_KEY_HANDLE_INVALID;
+            break;
+        }
+        context->cipherInfo = sftk_ChaCha20Poly1305_New(
+                (unsigned char*) att->attrib.pValue,
+                (CK_NSS_AEAD_PARAMS*) pMechanism->pParameter);
+        sftk_FreeAttribute(att);
+        if (context->cipherInfo == NULL) {
+            crv = CKR_HOST_MEMORY;
+            break;
+        }
+        context->update = (SFTKCipher) (isEncrypt ? sftk_ChaCha20Poly1305_Seal :
+                                        sftk_ChaCha20Poly1305_Open);
+        context->destroy = (SFTKDestroy) sftk_ChaCha20Poly1305_Free;
+        break;
+
     case CKM_NETSCAPE_AES_KEY_WRAP_PAD:
         context->doPad = PR_TRUE;
         /* fall thru */
     case CKM_NETSCAPE_AES_KEY_WRAP:
         context->multi = PR_FALSE;
         context->blockSize = 8;
         if (key_type != CKK_AES) {
             crv = CKR_KEY_TYPE_INCONSISTENT;
             break;
         }
@@ skipping 2382 matching lines @@
         *key_length = 16;
         break;
     case CKM_CAMELLIA_KEY_GEN:
         *key_type = CKK_CAMELLIA;
         if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
         break;
     case CKM_AES_KEY_GEN:
         *key_type = CKK_AES;
         if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
         break;
+    case CKM_NSS_CHACHA20_KEY_GEN:
+        *key_type = CKK_NSS_CHACHA20;
+        if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+        break;
     default:
         PORT_Assert(0);
         crv = CKR_MECHANISM_INVALID;
         break;
     }
 
     return crv;
 }
 
 CK_RV
@@ skipping 224 matching lines @@
     case CKM_DES_KEY_GEN:
     case CKM_DES2_KEY_GEN:
     case CKM_DES3_KEY_GEN:
         checkWeak = PR_TRUE;
     case CKM_RC2_KEY_GEN:
     case CKM_RC4_KEY_GEN:
     case CKM_GENERIC_SECRET_KEY_GEN:
     case CKM_SEED_KEY_GEN:
     case CKM_CAMELLIA_KEY_GEN:
     case CKM_AES_KEY_GEN:
+    case CKM_NSS_CHACHA20_KEY_GEN:
 #if NSS_SOFTOKEN_DOES_RC5
     case CKM_RC5_KEY_GEN:
 #endif
         crv = nsc_SetupBulkKeyGen(pMechanism->mechanism,&key_type,&key_length);
         break;
     case CKM_SSL3_PRE_MASTER_KEY_GEN:
         key_type = CKK_GENERIC_SECRET;
         key_length = 48;
         key_gen_type = nsc_ssl;
         break;
@@ skipping 3418 matching lines @@
     att = sftk_FindAttribute(key,CKA_VALUE);
     sftk_FreeObject(key);
     if (!att) {
         return CKR_KEY_HANDLE_INVALID;        
     }
     crv = NSC_DigestUpdate(hSession,(CK_BYTE_PTR)att->attrib.pValue,
                            att->attrib.ulValueLen);
     sftk_FreeAttribute(att);
     return crv;
 }