1Index: net/third_party/nss/ssl/sslinfo.c 2=================================================================== 3--- net/third_party/nss/ssl/sslinfo.c (revision 217715) 4+++ net/third_party/nss/ssl/sslinfo.c (working copy) 5@@ -109,7 +109,7 @@ 6 #define K_ECDHE "ECDHE", kt_ecdh 7 8 #define C_SEED "SEED", calg_seed 9-#define C_CAMELLIA "CAMELLIA", calg_camellia 10+#define C_CAMELLIA "CAMELLIA", calg_camellia 11 #define C_AES "AES", calg_aes 12 #define C_RC4 "RC4", calg_rc4 13 #define C_RC2 "RC2", calg_rc2 14@@ -117,6 +117,7 @@ 15 #define C_3DES "3DES", calg_3des 16 #define C_NULL "NULL", calg_null 17 #define C_SJ "SKIPJACK", calg_sj 18+#define C_AESGCM "AES-GCM", calg_aes_gcm 19 20 #define B_256 256, 256, 256 21 #define B_128 128, 128, 128 22@@ -127,12 +128,16 @@ 23 #define B_40 128, 40, 40 24 #define B_0 0, 0, 0 25 26+#define M_AEAD_128 "AEAD", ssl_mac_aead, 128 27 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256 28 #define M_SHA "SHA1", ssl_mac_sha, 160 29 #define M_MD5 "MD5", ssl_mac_md5, 128 30+#define M_NULL "NULL", ssl_mac_null, 0 31 32 static const SSLCipherSuiteInfo suiteInfo[] = { 33 /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC> <FIPS> */ 34+{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, 35+ 36 {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, }, 37 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, }, 38 {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, }, 39@@ -146,6 +151,7 @@ 40 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, }, 41 {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, }, 42 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, }, 43+{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, 44 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, 45 {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, 46 {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA, 1, 0, 0, }, 47@@ -175,6 +181,9 @@ 48 49 #ifdef NSS_ENABLE_ECC 50 /* ECC cipher suites */ 51+{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, 52+{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, 53+ 54 {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, }, 55 {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, }, 56 {0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, }, 57Index: net/third_party/nss/ssl/sslimpl.h 58=================================================================== 59--- net/third_party/nss/ssl/sslimpl.h (revision 217715) 60+++ net/third_party/nss/ssl/sslimpl.h (working copy) 61@@ -64,6 +64,7 @@ 62 #define calg_aes ssl_calg_aes 63 #define calg_camellia ssl_calg_camellia 64 #define calg_seed ssl_calg_seed 65+#define calg_aes_gcm ssl_calg_aes_gcm 66 67 #define mac_null ssl_mac_null 68 #define mac_md5 ssl_mac_md5 69@@ -71,6 +72,7 @@ 70 #define hmac_md5 ssl_hmac_md5 71 #define hmac_sha ssl_hmac_sha 72 #define hmac_sha256 ssl_hmac_sha256 73+#define mac_aead ssl_mac_aead 74 75 #define SET_ERROR_CODE /* reminder */ 76 #define SEND_ALERT /* reminder */ 77@@ -290,9 +292,9 @@ 78 } ssl3CipherSuiteCfg; 79 80 #ifdef NSS_ENABLE_ECC 81-#define ssl_V3_SUITES_IMPLEMENTED 57 82+#define ssl_V3_SUITES_IMPLEMENTED 61 83 #else 84-#define ssl_V3_SUITES_IMPLEMENTED 35 85+#define ssl_V3_SUITES_IMPLEMENTED 37 86 #endif /* NSS_ENABLE_ECC */ 87 88 #define MAX_DTLS_SRTP_CIPHER_SUITES 4 89@@ -440,20 +442,6 @@ 90 #define GS_DATA 3 91 #define GS_PAD 4 92 93-typedef SECStatus (*SSLCipher)(void * context, 94- unsigned char * out, 95- int * outlen, 96- int maxout, 97- const unsigned char *in, 98- int inlen); 99-typedef SECStatus (*SSLCompressor)(void * context, 100- unsigned char * out, 101- int * outlen, 102- int maxout, 103- const unsigned char *in, 104- int inlen); 105-typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); 106- 107 #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) 108 typedef PCERT_KEY_CONTEXT PlatformKey; 109 #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) 110@@ -485,11 +473,12 @@ 111 cipher_camellia_128, 112 cipher_camellia_256, 113 cipher_seed, 114+ cipher_aes_128_gcm, 115 cipher_missing /* reserved for no such supported cipher */ 116 /* This enum must match ssl3_cipherName[] in ssl3con.c. */ 117 } SSL3BulkCipher; 118 119-typedef enum { type_stream, type_block } CipherType; 120+typedef enum { type_stream, type_block, type_aead } CipherType; 121 122 #define MAX_IV_LENGTH 24 123 124@@ -531,6 +520,30 @@ 125 PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS]; 126 } ssl3KeyMaterial; 127 128+typedef SECStatus (*SSLCipher)(void * context, 129+ unsigned char * out, 130+ int * outlen, 131+ int maxout, 132+ const unsigned char *in, 133+ int inlen); 134+typedef SECStatus (*SSLAEADCipher)( 135+ ssl3KeyMaterial * keys, 136+ PRBool doDecrypt, 137+ unsigned char * out, 138+ int * outlen, 139+ int maxout, 140+ const unsigned char *in, 141+ int inlen, 142+ const unsigned char *additionalData, 143+ int additionalDataLen); 144+typedef SECStatus (*SSLCompressor)(void * context, 145+ unsigned char * out, 146+ int * outlen, 147+ int maxout, 148+ const unsigned char *in, 149+ int inlen); 150+typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit); 151+ 152 /* The DTLS anti-replay window. Defined here because we need it in 153 * the cipher spec. Note that this is a ring buffer but left and 154 * right represent the true window, with modular arithmetic used to 155@@ -557,6 +570,7 @@ 156 int mac_size; 157 SSLCipher encode; 158 SSLCipher decode; 159+ SSLAEADCipher aead; 160 SSLDestroy destroy; 161 void * encodeContext; 162 void * decodeContext; 163@@ -706,8 +720,6 @@ 164 PRBool tls_keygen; 165 } ssl3KEADef; 166 167-typedef enum { kg_null, kg_strong, kg_export } SSL3KeyGenMode; 168- 169 /* 170 ** There are tables of these, all const. 171 */ 172@@ -719,7 +731,8 @@ 173 CipherType type; 174 int iv_size; 175 int block_size; 176- SSL3KeyGenMode keygen_mode; 177+ int tag_size; /* authentication tag size for AEAD ciphers. */ 178+ int explicit_nonce_size; /* for AEAD ciphers. */ 179 }; 180 181 /* 182Index: net/third_party/nss/ssl/ssl3ecc.c 183=================================================================== 184--- net/third_party/nss/ssl/ssl3ecc.c (revision 217715) 185+++ net/third_party/nss/ssl/ssl3ecc.c (working copy) 186@@ -911,6 +911,7 @@ 187 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 188 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 189 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 190+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 191 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 192 TLS_ECDHE_ECDSA_WITH_NULL_SHA, 193 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 194@@ -921,6 +922,7 @@ 195 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 196 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 197 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 198+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 199 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 200 TLS_ECDHE_RSA_WITH_NULL_SHA, 201 TLS_ECDHE_RSA_WITH_RC4_128_SHA, 202@@ -932,12 +934,14 @@ 203 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 204 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 205 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 206+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 207 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 208 TLS_ECDHE_ECDSA_WITH_NULL_SHA, 209 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 210 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 211 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 212 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 213+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 214 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 215 TLS_ECDHE_RSA_WITH_NULL_SHA, 216 TLS_ECDHE_RSA_WITH_RC4_128_SHA, 217Index: net/third_party/nss/ssl/sslsock.c 218=================================================================== 219--- net/third_party/nss/ssl/sslsock.c (revision 217715) 220+++ net/third_party/nss/ssl/sslsock.c (working copy) 221@@ -67,8 +67,10 @@ 222 { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 223 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 224 { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 225+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 226 { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 227 { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 228+ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 229 { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 230 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 231 { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 232@@ -94,6 +96,7 @@ 233 { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 234 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 235 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 236+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 237 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 238 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED }, 239 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 240@@ -105,6 +108,7 @@ 241 { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 242 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 243 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 244+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 245 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, 246 #endif /* NSS_ENABLE_ECC */ 247 { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } 248Index: net/third_party/nss/ssl/ssl3con.c 249=================================================================== 250--- net/third_party/nss/ssl/ssl3con.c (revision 217715) 251+++ net/third_party/nss/ssl/ssl3con.c (working copy) 252@@ -78,6 +78,13 @@ 253 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, 254 int maxOutputLen, const unsigned char *input, 255 int inputLen); 256+#ifndef NO_PKCS11_BYPASS 257+static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, 258+ unsigned char *out, int *outlen, int maxout, 259+ const unsigned char *in, int inlen, 260+ const unsigned char *additionalData, 261+ int additionalDataLen); 262+#endif 263 264 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ 265 #define MIN_SEND_BUF_LENGTH 4000 266@@ -90,6 +97,13 @@ 267 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { 268 /* cipher_suite policy enabled is_present*/ 269 #ifdef NSS_ENABLE_ECC 270+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 271+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 272+#endif /* NSS_ENABLE_ECC */ 273+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 274+ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE}, 275+ 276+#ifdef NSS_ENABLE_ECC 277 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 278 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 279 #endif /* NSS_ENABLE_ECC */ 280@@ -233,23 +247,30 @@ 281 282 /* indexed by SSL3BulkCipher */ 283 static const ssl3BulkCipherDef bulk_cipher_defs[] = { 284- /* cipher calg keySz secretSz type ivSz BlkSz keygen */ 285- {cipher_null, calg_null, 0, 0, type_stream, 0, 0, kg_null}, 286- {cipher_rc4, calg_rc4, 16, 16, type_stream, 0, 0, kg_strong}, 287- {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, kg_export}, 288- {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, kg_export}, 289- {cipher_rc2, calg_rc2, 16, 16, type_block, 8, 8, kg_strong}, 290- {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, kg_export}, 291- {cipher_des, calg_des, 8, 8, type_block, 8, 8, kg_strong}, 292- {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong}, 293- {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export}, 294- {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong}, 295- {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong}, 296- {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong}, 297- {cipher_camellia_128, calg_camellia,16, 16, type_block, 16,16, kg_strong}, 298- {cipher_camellia_256, calg_camellia,32, 32, type_block, 16,16, kg_strong}, 299- {cipher_seed, calg_seed, 16, 16, type_block, 16,16, kg_strong}, 300- {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null}, 301+ /* |--------- Lengths --------| */ 302+ /* cipher calg k s type i b t n */ 303+ /* e e v l a o */ 304+ /* y c | o g n */ 305+ /* | r | c | c */ 306+ /* | e | k | e */ 307+ /* | t | | | | */ 308+ {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, 309+ {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0}, 310+ {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0}, 311+ {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0}, 312+ {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0}, 313+ {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0}, 314+ {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0}, 315+ {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0}, 316+ {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0}, 317+ {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0}, 318+ {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0}, 319+ {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0}, 320+ {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0}, 321+ {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0}, 322+ {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0}, 323+ {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8}, 324+ {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0}, 325 }; 326 327 static const ssl3KEADef kea_defs[] = 328@@ -371,6 +392,11 @@ 329 {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, 330 {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, 331 332+ {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa}, 333+ {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, 334+ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, 335+ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, 336+ 337 #ifdef NSS_ENABLE_ECC 338 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, 339 {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, 340@@ -434,25 +460,29 @@ 341 { calg_aes , CKM_AES_CBC }, 342 { calg_camellia , CKM_CAMELLIA_CBC }, 343 { calg_seed , CKM_SEED_CBC }, 344+ { calg_aes_gcm , CKM_AES_GCM }, 345 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ 346 }; 347 348-#define mmech_null (CK_MECHANISM_TYPE)0x80000000L 349+#define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L 350 #define mmech_md5 CKM_SSL3_MD5_MAC 351 #define mmech_sha CKM_SSL3_SHA1_MAC 352 #define mmech_md5_hmac CKM_MD5_HMAC 353 #define mmech_sha_hmac CKM_SHA_1_HMAC 354 #define mmech_sha256_hmac CKM_SHA256_HMAC 355+#define mmech_sha384_hmac CKM_SHA384_HMAC 356+#define mmech_sha512_hmac CKM_SHA512_HMAC 357 358 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ 359 /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ 360 /* mac mmech pad_size mac_size */ 361- { mac_null, mmech_null, 0, 0 }, 362+ { mac_null, mmech_invalid, 0, 0 }, 363 { mac_md5, mmech_md5, 48, MD5_LENGTH }, 364 { mac_sha, mmech_sha, 40, SHA1_LENGTH}, 365 {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, 366 {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, 367 {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, 368+ { mac_aead, mmech_invalid, 0, 0 }, 369 }; 370 371 /* indexed by SSL3BulkCipher */ 372@@ -472,6 +502,7 @@ 373 "Camellia-128", 374 "Camellia-256", 375 "SEED-CBC", 376+ "AES-128-GCM", 377 "missing" 378 }; 379 380@@ -598,9 +629,13 @@ 381 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: 382 case TLS_RSA_WITH_AES_256_CBC_SHA256: 383 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: 384+ case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: 385 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: 386+ case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: 387 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: 388+ case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: 389 case TLS_RSA_WITH_AES_128_CBC_SHA256: 390+ case TLS_RSA_WITH_AES_128_GCM_SHA256: 391 case TLS_RSA_WITH_NULL_SHA256: 392 return version >= SSL_LIBRARY_VERSION_TLS_1_2; 393 default: 394@@ -1360,7 +1395,7 @@ 395 cipher = suite_def->bulk_cipher_alg; 396 kea = suite_def->key_exchange_alg; 397 mac = suite_def->mac_alg; 398- if (mac <= ssl_mac_sha && isTLS) 399+ if (mac <= ssl_mac_sha && mac != ssl_mac_null && isTLS) 400 mac += 2; 401 402 ss->ssl3.hs.suite_def = suite_def; 403@@ -1554,7 +1589,6 @@ 404 unsigned int optArg2 = 0; 405 PRBool server_encrypts = ss->sec.isServer; 406 SSLCipherAlgorithm calg; 407- SSLCompressionMethod compression_method; 408 SECStatus rv; 409 410 PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 411@@ -1565,8 +1599,18 @@ 412 cipher_def = pwSpec->cipher_def; 413 414 calg = cipher_def->calg; 415- compression_method = pwSpec->compression_method; 416 417+ if (calg == calg_aes_gcm) { 418+ pwSpec->encode = NULL; 419+ pwSpec->decode = NULL; 420+ pwSpec->destroy = NULL; 421+ pwSpec->encodeContext = NULL; 422+ pwSpec->decodeContext = NULL; 423+ pwSpec->aead = ssl3_AESGCMBypass; 424+ ssl3_InitCompressionContext(pwSpec); 425+ return SECSuccess; 426+ } 427+ 428 serverContext = pwSpec->server.cipher_context; 429 clientContext = pwSpec->client.cipher_context; 430 431@@ -1721,6 +1765,195 @@ 432 return param; 433 } 434 435+/* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data 436+ * which is included in the MAC or AEAD additional data) to |out| and returns 437+ * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the 438+ * definition of the AEAD additional data. 439+ * 440+ * TLS pseudo-header includes the record's version field, SSL's doesn't. Which 441+ * pseudo-header defintiion to use should be decided based on the version of 442+ * the protocol that was negotiated when the cipher spec became current, NOT 443+ * based on the version value in the record itself, and the decision is passed 444+ * to this function as the |includesVersion| argument. But, the |version| 445+ * argument should be the record's version value. 446+ */ 447+static unsigned int 448+ssl3_BuildRecordPseudoHeader(unsigned char *out, 449+ SSL3SequenceNumber seq_num, 450+ SSL3ContentType type, 451+ PRBool includesVersion, 452+ SSL3ProtocolVersion version, 453+ PRBool isDTLS, 454+ int length) 455+{ 456+ out[0] = (unsigned char)(seq_num.high >> 24); 457+ out[1] = (unsigned char)(seq_num.high >> 16); 458+ out[2] = (unsigned char)(seq_num.high >> 8); 459+ out[3] = (unsigned char)(seq_num.high >> 0); 460+ out[4] = (unsigned char)(seq_num.low >> 24); 461+ out[5] = (unsigned char)(seq_num.low >> 16); 462+ out[6] = (unsigned char)(seq_num.low >> 8); 463+ out[7] = (unsigned char)(seq_num.low >> 0); 464+ out[8] = type; 465+ 466+ /* SSL3 MAC doesn't include the record's version field. */ 467+ if (!includesVersion) { 468+ out[9] = MSB(length); 469+ out[10] = LSB(length); 470+ return 11; 471+ } 472+ 473+ /* TLS MAC and AEAD additional data include version. */ 474+ if (isDTLS) { 475+ SSL3ProtocolVersion dtls_version; 476+ 477+ dtls_version = dtls_TLSVersionToDTLSVersion(version); 478+ out[9] = MSB(dtls_version); 479+ out[10] = LSB(dtls_version); 480+ } else { 481+ out[9] = MSB(version); 482+ out[10] = LSB(version); 483+ } 484+ out[11] = MSB(length); 485+ out[12] = LSB(length); 486+ return 13; 487+} 488+ 489+static SECStatus 490+ssl3_AESGCM(ssl3KeyMaterial *keys, 491+ PRBool doDecrypt, 492+ unsigned char *out, 493+ int *outlen, 494+ int maxout, 495+ const unsigned char *in, 496+ int inlen, 497+ const unsigned char *additionalData, 498+ int additionalDataLen) 499+{ 500+ SECItem param; 501+ SECStatus rv = SECFailure; 502+ unsigned char nonce[12]; 503+ unsigned int uOutLen; 504+ CK_GCM_PARAMS gcmParams; 505+ 506+ static const int tagSize = 16; 507+ static const int explicitNonceLen = 8; 508+ 509+ /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the 510+ * nonce is formed. */ 511+ memcpy(nonce, keys->write_iv, 4); 512+ if (doDecrypt) { 513+ memcpy(nonce + 4, in, explicitNonceLen); 514+ in += explicitNonceLen; 515+ inlen -= explicitNonceLen; 516+ *outlen = 0; 517+ } else { 518+ if (maxout < explicitNonceLen) { 519+ PORT_SetError(SEC_ERROR_INPUT_LEN); 520+ return SECFailure; 521+ } 522+ /* Use the 64-bit sequence number as the explicit nonce. */ 523+ memcpy(nonce + 4, additionalData, explicitNonceLen); 524+ memcpy(out, additionalData, explicitNonceLen); 525+ out += explicitNonceLen; 526+ maxout -= explicitNonceLen; 527+ *outlen = explicitNonceLen; 528+ } 529+ 530+ param.type = siBuffer; 531+ param.data = (unsigned char *) &gcmParams; 532+ param.len = sizeof(gcmParams); 533+ gcmParams.pIv = nonce; 534+ gcmParams.ulIvLen = sizeof(nonce); 535+ gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ 536+ gcmParams.ulAADLen = additionalDataLen; 537+ gcmParams.ulTagBits = tagSize * 8; 538+ 539+ if (doDecrypt) { 540+ rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, 541+ maxout, in, inlen); 542+ } else { 543+ rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen, 544+ maxout, in, inlen); 545+ } 546+ *outlen += (int) uOutLen; 547+ 548+ return rv; 549+} 550+ 551+#ifndef NO_PKCS11_BYPASS 552+static SECStatus 553+ssl3_AESGCMBypass(ssl3KeyMaterial *keys, 554+ PRBool doDecrypt, 555+ unsigned char *out, 556+ int *outlen, 557+ int maxout, 558+ const unsigned char *in, 559+ int inlen, 560+ const unsigned char *additionalData, 561+ int additionalDataLen) 562+{ 563+ SECStatus rv = SECFailure; 564+ unsigned char nonce[12]; 565+ unsigned int uOutLen; 566+ AESContext *cx; 567+ CK_GCM_PARAMS gcmParams; 568+ 569+ static const int tagSize = 16; 570+ static const int explicitNonceLen = 8; 571+ 572+ /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the 573+ * nonce is formed. */ 574+ PORT_Assert(keys->write_iv_item.len == 4); 575+ if (keys->write_iv_item.len != 4) { 576+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 577+ return SECFailure; 578+ } 579+ memcpy(nonce, keys->write_iv_item.data, 4); 580+ if (doDecrypt) { 581+ memcpy(nonce + 4, in, explicitNonceLen); 582+ in += explicitNonceLen; 583+ inlen -= explicitNonceLen; 584+ *outlen = 0; 585+ } else { 586+ if (maxout < explicitNonceLen) { 587+ PORT_SetError(SEC_ERROR_INPUT_LEN); 588+ return SECFailure; 589+ } 590+ /* Use the 64-bit sequence number as the explicit nonce. */ 591+ memcpy(nonce + 4, additionalData, explicitNonceLen); 592+ memcpy(out, additionalData, explicitNonceLen); 593+ out += explicitNonceLen; 594+ maxout -= explicitNonceLen; 595+ *outlen = explicitNonceLen; 596+ } 597+ 598+ gcmParams.pIv = nonce; 599+ gcmParams.ulIvLen = sizeof(nonce); 600+ gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ 601+ gcmParams.ulAADLen = additionalDataLen; 602+ gcmParams.ulTagBits = tagSize * 8; 603+ 604+ cx = (AESContext *)keys->cipher_context; 605+ rv = AES_InitContext(cx, keys->write_key_item.data, 606+ keys->write_key_item.len, 607+ (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt, 608+ AES_BLOCK_SIZE); 609+ if (rv != SECSuccess) { 610+ return rv; 611+ } 612+ if (doDecrypt) { 613+ rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen); 614+ } else { 615+ rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen); 616+ } 617+ AES_DestroyContext(cx, PR_FALSE); 618+ *outlen += (int) uOutLen; 619+ 620+ return rv; 621+} 622+#endif 623+ 624 /* Initialize encryption and MAC contexts for pending spec. 625 * Master Secret already is derived. 626 * Caller holds Spec write lock. 627@@ -1748,14 +1981,27 @@ 628 pwSpec = ss->ssl3.pwSpec; 629 cipher_def = pwSpec->cipher_def; 630 macLength = pwSpec->mac_size; 631+ calg = cipher_def->calg; 632+ PORT_Assert(alg2Mech[calg].calg == calg); 633 634+ pwSpec->client.write_mac_context = NULL; 635+ pwSpec->server.write_mac_context = NULL; 636+ 637+ if (calg == calg_aes_gcm) { 638+ pwSpec->encode = NULL; 639+ pwSpec->decode = NULL; 640+ pwSpec->destroy = NULL; 641+ pwSpec->encodeContext = NULL; 642+ pwSpec->decodeContext = NULL; 643+ pwSpec->aead = ssl3_AESGCM; 644+ return SECSuccess; 645+ } 646+ 647 /* 648 ** Now setup the MAC contexts, 649 ** crypto contexts are setup below. 650 */ 651 652- pwSpec->client.write_mac_context = NULL; 653- pwSpec->server.write_mac_context = NULL; 654 mac_mech = pwSpec->mac_def->mmech; 655 mac_param.data = (unsigned char *)&macLength; 656 mac_param.len = sizeof(macLength); 657@@ -1778,9 +2024,6 @@ 658 ** Now setup the crypto contexts. 659 */ 660 661- calg = cipher_def->calg; 662- PORT_Assert(alg2Mech[calg].calg == calg); 663- 664 if (calg == calg_null) { 665 pwSpec->encode = Null_Cipher; 666 pwSpec->decode = Null_Cipher; 667@@ -1988,10 +2231,8 @@ 668 ssl3_ComputeRecordMAC( 669 ssl3CipherSpec * spec, 670 PRBool useServerMacKey, 671- PRBool isDTLS, 672- SSL3ContentType type, 673- SSL3ProtocolVersion version, 674- SSL3SequenceNumber seq_num, 675+ const unsigned char *header, 676+ unsigned int headerLen, 677 const SSL3Opaque * input, 678 int inputLength, 679 unsigned char * outbuf, 680@@ -1999,56 +2240,8 @@ 681 { 682 const ssl3MACDef * mac_def; 683 SECStatus rv; 684-#ifndef NO_PKCS11_BYPASS 685- PRBool isTLS; 686-#endif 687- unsigned int tempLen; 688- unsigned char temp[MAX_MAC_LENGTH]; 689 690- temp[0] = (unsigned char)(seq_num.high >> 24); 691- temp[1] = (unsigned char)(seq_num.high >> 16); 692- temp[2] = (unsigned char)(seq_num.high >> 8); 693- temp[3] = (unsigned char)(seq_num.high >> 0); 694- temp[4] = (unsigned char)(seq_num.low >> 24); 695- temp[5] = (unsigned char)(seq_num.low >> 16); 696- temp[6] = (unsigned char)(seq_num.low >> 8); 697- temp[7] = (unsigned char)(seq_num.low >> 0); 698- temp[8] = type; 699- 700- /* TLS MAC includes the record's version field, SSL's doesn't. 701- ** We decide which MAC defintiion to use based on the version of 702- ** the protocol that was negotiated when the spec became current, 703- ** NOT based on the version value in the record itself. 704- ** But, we use the record'v version value in the computation. 705- */ 706- if (spec->version <= SSL_LIBRARY_VERSION_3_0) { 707- temp[9] = MSB(inputLength); 708- temp[10] = LSB(inputLength); 709- tempLen = 11; 710-#ifndef NO_PKCS11_BYPASS 711- isTLS = PR_FALSE; 712-#endif 713- } else { 714- /* New TLS hash includes version. */ 715- if (isDTLS) { 716- SSL3ProtocolVersion dtls_version; 717- 718- dtls_version = dtls_TLSVersionToDTLSVersion(version); 719- temp[9] = MSB(dtls_version); 720- temp[10] = LSB(dtls_version); 721- } else { 722- temp[9] = MSB(version); 723- temp[10] = LSB(version); 724- } 725- temp[11] = MSB(inputLength); 726- temp[12] = LSB(inputLength); 727- tempLen = 13; 728-#ifndef NO_PKCS11_BYPASS 729- isTLS = PR_TRUE; 730-#endif 731- } 732- 733- PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); 734+ PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen)); 735 PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); 736 737 mac_def = spec->mac_def; 738@@ -2093,7 +2286,10 @@ 739 return SECFailure; 740 } 741 742- if (!isTLS) { 743+ if (spec->version <= SSL_LIBRARY_VERSION_3_0) { 744+ unsigned int tempLen; 745+ unsigned char temp[MAX_MAC_LENGTH]; 746+ 747 /* compute "inner" part of SSL3 MAC */ 748 hashObj->begin(write_mac_context); 749 if (useServerMacKey) 750@@ -2105,7 +2301,7 @@ 751 spec->client.write_mac_key_item.data, 752 spec->client.write_mac_key_item.len); 753 hashObj->update(write_mac_context, mac_pad_1, pad_bytes); 754- hashObj->update(write_mac_context, temp, tempLen); 755+ hashObj->update(write_mac_context, header, headerLen); 756 hashObj->update(write_mac_context, input, inputLength); 757 hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); 758 759@@ -2136,7 +2332,7 @@ 760 } 761 if (rv == SECSuccess) { 762 HMAC_Begin(cx); 763- HMAC_Update(cx, temp, tempLen); 764+ HMAC_Update(cx, header, headerLen); 765 HMAC_Update(cx, input, inputLength); 766 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); 767 HMAC_Destroy(cx, PR_FALSE); 768@@ -2150,7 +2346,7 @@ 769 (useServerMacKey ? spec->server.write_mac_context 770 : spec->client.write_mac_context); 771 rv = PK11_DigestBegin(mac_context); 772- rv |= PK11_DigestOp(mac_context, temp, tempLen); 773+ rv |= PK11_DigestOp(mac_context, header, headerLen); 774 rv |= PK11_DigestOp(mac_context, input, inputLength); 775 rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); 776 } 777@@ -2190,10 +2386,8 @@ 778 ssl3_ComputeRecordMACConstantTime( 779 ssl3CipherSpec * spec, 780 PRBool useServerMacKey, 781- PRBool isDTLS, 782- SSL3ContentType type, 783- SSL3ProtocolVersion version, 784- SSL3SequenceNumber seq_num, 785+ const unsigned char *header, 786+ unsigned int headerLen, 787 const SSL3Opaque * input, 788 int inputLen, 789 int originalLen, 790@@ -2205,9 +2399,7 @@ 791 PK11Context * mac_context; 792 SECItem param; 793 SECStatus rv; 794- unsigned char header[13]; 795 PK11SymKey * key; 796- int recordLength; 797 798 PORT_Assert(inputLen >= spec->mac_size); 799 PORT_Assert(originalLen >= inputLen); 800@@ -2223,42 +2415,15 @@ 801 return SECSuccess; 802 } 803 804- header[0] = (unsigned char)(seq_num.high >> 24); 805- header[1] = (unsigned char)(seq_num.high >> 16); 806- header[2] = (unsigned char)(seq_num.high >> 8); 807- header[3] = (unsigned char)(seq_num.high >> 0); 808- header[4] = (unsigned char)(seq_num.low >> 24); 809- header[5] = (unsigned char)(seq_num.low >> 16); 810- header[6] = (unsigned char)(seq_num.low >> 8); 811- header[7] = (unsigned char)(seq_num.low >> 0); 812- header[8] = type; 813- 814 macType = CKM_NSS_HMAC_CONSTANT_TIME; 815- recordLength = inputLen - spec->mac_size; 816 if (spec->version <= SSL_LIBRARY_VERSION_3_0) { 817 macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; 818- header[9] = recordLength >> 8; 819- header[10] = recordLength; 820- params.ulHeaderLen = 11; 821- } else { 822- if (isDTLS) { 823- SSL3ProtocolVersion dtls_version; 824- 825- dtls_version = dtls_TLSVersionToDTLSVersion(version); 826- header[9] = dtls_version >> 8; 827- header[10] = dtls_version; 828- } else { 829- header[9] = version >> 8; 830- header[10] = version; 831- } 832- header[11] = recordLength >> 8; 833- header[12] = recordLength; 834- params.ulHeaderLen = 13; 835 } 836 837 params.macAlg = spec->mac_def->mmech; 838 params.ulBodyTotalLen = originalLen; 839- params.pHeader = header; 840+ params.pHeader = (unsigned char *) header; /* const cast */ 841+ params.ulHeaderLen = headerLen; 842 843 param.data = (unsigned char*) ¶ms; 844 param.len = sizeof(params); 845@@ -2291,9 +2456,8 @@ 846 /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the 847 * length already. */ 848 inputLen -= spec->mac_size; 849- return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type, 850- version, seq_num, input, inputLen, 851- outbuf, outLen); 852+ return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen, 853+ input, inputLen, outbuf, outLen); 854 } 855 856 static PRBool 857@@ -2345,6 +2509,8 @@ 858 PRUint16 headerLen; 859 int ivLen = 0; 860 int cipherBytes = 0; 861+ unsigned char pseudoHeader[13]; 862+ unsigned int pseudoHeaderLen; 863 864 cipher_def = cwSpec->cipher_def; 865 headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; 866@@ -2390,86 +2556,117 @@ 867 contentLen = outlen; 868 } 869 870- /* 871- * Add the MAC 872- */ 873- rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, 874- type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, 875- wrBuf->buf + headerLen + ivLen + contentLen, &macLen); 876- if (rv != SECSuccess) { 877- ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 878- return SECFailure; 879- } 880- p1Len = contentLen; 881- p2Len = macLen; 882- fragLen = contentLen + macLen; /* needs to be encrypted */ 883- PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); 884+ pseudoHeaderLen = ssl3_BuildRecordPseudoHeader( 885+ pseudoHeader, cwSpec->write_seq_num, type, 886+ cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version, 887+ isDTLS, contentLen); 888+ PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader)); 889+ if (cipher_def->type == type_aead) { 890+ const int nonceLen = cipher_def->explicit_nonce_size; 891+ const int tagLen = cipher_def->tag_size; 892 893- /* 894- * Pad the text (if we're doing a block cipher) 895- * then Encrypt it 896- */ 897- if (cipher_def->type == type_block) { 898- unsigned char * pBuf; 899- int padding_length; 900- int i; 901+ if (headerLen + nonceLen + contentLen + tagLen > wrBuf->space) { 902+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 903+ return SECFailure; 904+ } 905 906- oddLen = contentLen % cipher_def->block_size; 907- /* Assume blockSize is a power of two */ 908- padding_length = cipher_def->block_size - 1 - 909- ((fragLen) & (cipher_def->block_size - 1)); 910- fragLen += padding_length + 1; 911- PORT_Assert((fragLen % cipher_def->block_size) == 0); 912- 913- /* Pad according to TLS rules (also acceptable to SSL3). */ 914- pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; 915- for (i = padding_length + 1; i > 0; --i) { 916- *pBuf-- = padding_length; 917+ cipherBytes = contentLen; 918+ rv = cwSpec->aead( 919+ isServer ? &cwSpec->server : &cwSpec->client, 920+ PR_FALSE, /* do encrypt */ 921+ wrBuf->buf + headerLen, /* output */ 922+ &cipherBytes, /* out len */ 923+ wrBuf->space - headerLen, /* max out */ 924+ pIn, contentLen, /* input */ 925+ pseudoHeader, pseudoHeaderLen); 926+ if (rv != SECSuccess) { 927+ PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 928+ return SECFailure; 929 } 930- /* now, if contentLen is not a multiple of block size, fix it */ 931- p2Len = fragLen - p1Len; 932- } 933- if (p1Len < 256) { 934- oddLen = p1Len; 935- p1Len = 0; 936 } else { 937- p1Len -= oddLen; 938- } 939- if (oddLen) { 940- p2Len += oddLen; 941- PORT_Assert( (cipher_def->block_size < 2) || \ 942- (p2Len % cipher_def->block_size) == 0); 943- memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen); 944- } 945- if (p1Len > 0) { 946- int cipherBytesPart1 = -1; 947- rv = cwSpec->encode( cwSpec->encodeContext, 948- wrBuf->buf + headerLen + ivLen, /* output */ 949- &cipherBytesPart1, /* actual outlen */ 950- p1Len, /* max outlen */ 951- pIn, p1Len); /* input, and inputlen */ 952- PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); 953- if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { 954- PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 955+ /* 956+ * Add the MAC 957+ */ 958+ rv = ssl3_ComputeRecordMAC(cwSpec, isServer, 959+ pseudoHeader, pseudoHeaderLen, pIn, contentLen, 960+ wrBuf->buf + headerLen + ivLen + contentLen, &macLen); 961+ if (rv != SECSuccess) { 962+ ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); 963 return SECFailure; 964 } 965- cipherBytes += cipherBytesPart1; 966+ p1Len = contentLen; 967+ p2Len = macLen; 968+ fragLen = contentLen + macLen; /* needs to be encrypted */ 969+ PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); 970+ 971+ /* 972+ * Pad the text (if we're doing a block cipher) 973+ * then Encrypt it 974+ */ 975+ if (cipher_def->type == type_block) { 976+ unsigned char * pBuf; 977+ int padding_length; 978+ int i; 979+ 980+ oddLen = contentLen % cipher_def->block_size; 981+ /* Assume blockSize is a power of two */ 982+ padding_length = cipher_def->block_size - 1 - 983+ ((fragLen) & (cipher_def->block_size - 1)); 984+ fragLen += padding_length + 1; 985+ PORT_Assert((fragLen % cipher_def->block_size) == 0); 986+ 987+ /* Pad according to TLS rules (also acceptable to SSL3). */ 988+ pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1]; 989+ for (i = padding_length + 1; i > 0; --i) { 990+ *pBuf-- = padding_length; 991+ } 992+ /* now, if contentLen is not a multiple of block size, fix it */ 993+ p2Len = fragLen - p1Len; 994+ } 995+ if (p1Len < 256) { 996+ oddLen = p1Len; 997+ p1Len = 0; 998+ } else { 999+ p1Len -= oddLen; 1000+ } 1001+ if (oddLen) { 1002+ p2Len += oddLen; 1003+ PORT_Assert( (cipher_def->block_size < 2) || \ 1004+ (p2Len % cipher_def->block_size) == 0); 1005+ memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, 1006+ oddLen); 1007+ } 1008+ if (p1Len > 0) { 1009+ int cipherBytesPart1 = -1; 1010+ rv = cwSpec->encode( cwSpec->encodeContext, 1011+ wrBuf->buf + headerLen + ivLen, /* output */ 1012+ &cipherBytesPart1, /* actual outlen */ 1013+ p1Len, /* max outlen */ 1014+ pIn, p1Len); /* input, and inputlen */ 1015+ PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len); 1016+ if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) { 1017+ PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 1018+ return SECFailure; 1019+ } 1020+ cipherBytes += cipherBytesPart1; 1021+ } 1022+ if (p2Len > 0) { 1023+ int cipherBytesPart2 = -1; 1024+ rv = cwSpec->encode( cwSpec->encodeContext, 1025+ wrBuf->buf + headerLen + ivLen + p1Len, 1026+ &cipherBytesPart2, /* output and actual outLen */ 1027+ p2Len, /* max outlen */ 1028+ wrBuf->buf + headerLen + ivLen + p1Len, 1029+ p2Len); /* input and inputLen*/ 1030+ PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); 1031+ if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { 1032+ PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 1033+ return SECFailure; 1034+ } 1035+ cipherBytes += cipherBytesPart2; 1036+ } 1037 } 1038- if (p2Len > 0) { 1039- int cipherBytesPart2 = -1; 1040- rv = cwSpec->encode( cwSpec->encodeContext, 1041- wrBuf->buf + headerLen + ivLen + p1Len, 1042- &cipherBytesPart2, /* output and actual outLen */ 1043- p2Len, /* max outlen */ 1044- wrBuf->buf + headerLen + ivLen + p1Len, 1045- p2Len); /* input and inputLen*/ 1046- PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len); 1047- if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) { 1048- PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); 1049- return SECFailure; 1050- } 1051- cipherBytes += cipherBytesPart2; 1052- } 1053+ 1054 PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); 1055 1056 wrBuf->len = cipherBytes + headerLen; 1057@@ -3012,9 +3209,6 @@ 1058 static SECStatus 1059 ssl3_IllegalParameter(sslSocket *ss) 1060 { 1061- PRBool isTLS; 1062- 1063- isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 1064 (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); 1065 PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT 1066 : SSL_ERROR_BAD_SERVER ); 1067@@ -3538,7 +3732,6 @@ 1068 } 1069 1070 key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); 1071- /* was: (CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */ 1072 1073 key_material_params.RandomInfo.pClientRandom = cr; 1074 key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; 1075@@ -9946,7 +10139,6 @@ 1076 static void 1077 ssl3_RecordKeyLog(sslSocket *ss) 1078 { 1079- sslSessionID *sid; 1080 SECStatus rv; 1081 SECItem *keyData; 1082 char buf[14 /* "CLIENT_RANDOM " */ + 1083@@ -9958,8 +10150,6 @@ 1084 1085 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 1086 1087- sid = ss->sec.ci.sid; 1088- 1089 if (!ssl_keylog_iob) 1090 return; 1091 1092@@ -11095,6 +11285,8 @@ 1093 unsigned int originalLen = 0; 1094 unsigned int good; 1095 unsigned int minLength; 1096+ unsigned char header[13]; 1097+ unsigned int headerLen; 1098 1099 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 1100 1101@@ -11171,12 +11363,14 @@ 1102 /* With >= TLS 1.1, CBC records have an explicit IV. */ 1103 minLength += cipher_def->iv_size; 1104 } 1105+ } else if (cipher_def->type == type_aead) { 1106+ minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size; 1107 } 1108 1109 /* We can perform this test in variable time because the record's total 1110 * length and the ciphersuite are both public knowledge. */ 1111 if (cText->buf->len < minLength) { 1112- goto decrypt_loser; 1113+ goto decrypt_loser; 1114 } 1115 1116 if (cipher_def->type == type_block && 1117@@ -11244,78 +11438,104 @@ 1118 return SECFailure; 1119 } 1120 1121- if (cipher_def->type == type_block && 1122- ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { 1123- goto decrypt_loser; 1124- } 1125+ rType = cText->type; 1126+ if (cipher_def->type == type_aead) { 1127+ /* XXX For many AEAD ciphers, the plaintext is shorter than the 1128+ * ciphertext by a fixed byte count, but it is not true in general. 1129+ * Each AEAD cipher should provide a function that returns the 1130+ * plaintext length for a given ciphertext. */ 1131+ unsigned int decryptedLen = 1132+ cText->buf->len - cipher_def->explicit_nonce_size - 1133+ cipher_def->tag_size; 1134+ headerLen = ssl3_BuildRecordPseudoHeader( 1135+ header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, 1136+ rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen); 1137+ PORT_Assert(headerLen <= sizeof(header)); 1138+ rv = crSpec->aead( 1139+ ss->sec.isServer ? &crSpec->client : &crSpec->server, 1140+ PR_TRUE, /* do decrypt */ 1141+ plaintext->buf, /* out */ 1142+ (int*) &plaintext->len, /* outlen */ 1143+ plaintext->space, /* maxout */ 1144+ cText->buf->buf, /* in */ 1145+ cText->buf->len, /* inlen */ 1146+ header, headerLen); 1147+ if (rv != SECSuccess) { 1148+ good = 0; 1149+ } 1150+ } else { 1151+ if (cipher_def->type == type_block && 1152+ ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) { 1153+ goto decrypt_loser; 1154+ } 1155 1156- /* decrypt from cText buf to plaintext. */ 1157- rv = crSpec->decode( 1158- crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, 1159- plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); 1160- if (rv != SECSuccess) { 1161- goto decrypt_loser; 1162- } 1163+ /* decrypt from cText buf to plaintext. */ 1164+ rv = crSpec->decode( 1165+ crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len, 1166+ plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen); 1167+ if (rv != SECSuccess) { 1168+ goto decrypt_loser; 1169+ } 1170 1171- PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); 1172+ PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len)); 1173 1174- originalLen = plaintext->len; 1175+ originalLen = plaintext->len; 1176 1177- /* If it's a block cipher, check and strip the padding. */ 1178- if (cipher_def->type == type_block) { 1179- const unsigned int blockSize = cipher_def->block_size; 1180- const unsigned int macSize = crSpec->mac_size; 1181+ /* If it's a block cipher, check and strip the padding. */ 1182+ if (cipher_def->type == type_block) { 1183+ const unsigned int blockSize = cipher_def->block_size; 1184+ const unsigned int macSize = crSpec->mac_size; 1185 1186- if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { 1187- good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( 1188- plaintext, blockSize, macSize)); 1189- } else { 1190- good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( 1191- plaintext, macSize)); 1192+ if (!isTLS) { 1193+ good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( 1194+ plaintext, blockSize, macSize)); 1195+ } else { 1196+ good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( 1197+ plaintext, macSize)); 1198+ } 1199 } 1200- } 1201 1202- /* compute the MAC */ 1203- rType = cText->type; 1204- if (cipher_def->type == type_block) { 1205- rv = ssl3_ComputeRecordMACConstantTime( 1206- crSpec, (PRBool)(!ss->sec.isServer), 1207- IS_DTLS(ss), rType, cText->version, 1208- IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, 1209- plaintext->buf, plaintext->len, originalLen, 1210- hash, &hashBytes); 1211+ /* compute the MAC */ 1212+ headerLen = ssl3_BuildRecordPseudoHeader( 1213+ header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, 1214+ rType, isTLS, cText->version, IS_DTLS(ss), 1215+ plaintext->len - crSpec->mac_size); 1216+ PORT_Assert(headerLen <= sizeof(header)); 1217+ if (cipher_def->type == type_block) { 1218+ rv = ssl3_ComputeRecordMACConstantTime( 1219+ crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, 1220+ plaintext->buf, plaintext->len, originalLen, 1221+ hash, &hashBytes); 1222 1223- ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, 1224- crSpec->mac_size); 1225- givenHash = givenHashBuf; 1226+ ssl_CBCExtractMAC(plaintext, originalLen, givenHashBuf, 1227+ crSpec->mac_size); 1228+ givenHash = givenHashBuf; 1229 1230- /* plaintext->len will always have enough space to remove the MAC 1231- * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust 1232- * plaintext->len if the result has enough space for the MAC and we 1233- * tested the unadjusted size against minLength, above. */ 1234- plaintext->len -= crSpec->mac_size; 1235- } else { 1236- /* This is safe because we checked the minLength above. */ 1237- plaintext->len -= crSpec->mac_size; 1238+ /* plaintext->len will always have enough space to remove the MAC 1239+ * because in ssl_Remove{SSLv3|TLS}CBCPadding we only adjust 1240+ * plaintext->len if the result has enough space for the MAC and we 1241+ * tested the unadjusted size against minLength, above. */ 1242+ plaintext->len -= crSpec->mac_size; 1243+ } else { 1244+ /* This is safe because we checked the minLength above. */ 1245+ plaintext->len -= crSpec->mac_size; 1246 1247- rv = ssl3_ComputeRecordMAC( 1248- crSpec, (PRBool)(!ss->sec.isServer), 1249- IS_DTLS(ss), rType, cText->version, 1250- IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, 1251- plaintext->buf, plaintext->len, 1252- hash, &hashBytes); 1253+ rv = ssl3_ComputeRecordMAC( 1254+ crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, 1255+ plaintext->buf, plaintext->len, hash, &hashBytes); 1256 1257- /* We can read the MAC directly from the record because its location is 1258- * public when a stream cipher is used. */ 1259- givenHash = plaintext->buf + plaintext->len; 1260- } 1261+ /* We can read the MAC directly from the record because its location 1262+ * is public when a stream cipher is used. */ 1263+ givenHash = plaintext->buf + plaintext->len; 1264+ } 1265 1266- good &= SECStatusToMask(rv); 1267+ good &= SECStatusToMask(rv); 1268 1269- if (hashBytes != (unsigned)crSpec->mac_size || 1270- NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { 1271- /* We're allowed to leak whether or not the MAC check was correct */ 1272- good = 0; 1273+ if (hashBytes != (unsigned)crSpec->mac_size || 1274+ NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) { 1275+ /* We're allowed to leak whether or not the MAC check was correct */ 1276+ good = 0; 1277+ } 1278 } 1279 1280 if (good == 0) { 1281Index: net/third_party/nss/ssl/sslenum.c 1282=================================================================== 1283--- net/third_party/nss/ssl/sslenum.c (revision 217715) 1284+++ net/third_party/nss/ssl/sslenum.c (working copy) 1285@@ -29,6 +29,14 @@ 1286 * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h. 1287 */ 1288 const PRUint16 SSL_ImplementedCiphers[] = { 1289+ /* AES-GCM */ 1290+#ifdef NSS_ENABLE_ECC 1291+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 1292+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 1293+#endif /* NSS_ENABLE_ECC */ 1294+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 1295+ TLS_RSA_WITH_AES_128_GCM_SHA256, 1296+ 1297 /* 256-bit */ 1298 #ifdef NSS_ENABLE_ECC 1299 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1300Index: net/third_party/nss/ssl/sslproto.h 1301=================================================================== 1302--- net/third_party/nss/ssl/sslproto.h (revision 217715) 1303+++ net/third_party/nss/ssl/sslproto.h (working copy) 1304@@ -162,6 +162,10 @@ 1305 1306 #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 1307 1308+#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C 1309+#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E 1310+#define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 1311+ 1312 /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client. 1313 * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending 1314 * back an empty Renegotiation Info (RI) server hello extension. 1315@@ -204,6 +208,11 @@ 1316 #define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 1317 #define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 1318 1319+#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B 1320+#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D 1321+#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F 1322+#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 1323+ 1324 /* Netscape "experimental" cipher suites. */ 1325 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0 1326 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1 1327Index: net/third_party/nss/ssl/sslt.h 1328=================================================================== 1329--- net/third_party/nss/ssl/sslt.h (revision 217715) 1330+++ net/third_party/nss/ssl/sslt.h (working copy) 1331@@ -91,9 +91,10 @@ 1332 ssl_calg_3des = 4, 1333 ssl_calg_idea = 5, 1334 ssl_calg_fortezza = 6, /* deprecated, now unused */ 1335- ssl_calg_aes = 7, /* coming soon */ 1336+ ssl_calg_aes = 7, 1337 ssl_calg_camellia = 8, 1338- ssl_calg_seed = 9 1339+ ssl_calg_seed = 9, 1340+ ssl_calg_aes_gcm = 10 1341 } SSLCipherAlgorithm; 1342 1343 typedef enum { 1344@@ -102,7 +103,8 @@ 1345 ssl_mac_sha = 2, 1346 ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */ 1347 ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */ 1348- ssl_hmac_sha256 = 5 1349+ ssl_hmac_sha256 = 5, 1350+ ssl_mac_aead = 6 1351 } SSLMACAlgorithm; 1352 1353 typedef enum { 1354@@ -158,6 +160,9 @@ 1355 PRUint16 effectiveKeyBits; 1356 1357 /* MAC info */ 1358+ /* AEAD ciphers don't have a MAC. For an AEAD cipher, macAlgorithmName 1359+ * is "AEAD", macAlgorithm is ssl_mac_aead, and macBits is the length in 1360+ * bits of the authentication tag. */ 1361 const char * macAlgorithmName; 1362 SSLMACAlgorithm macAlgorithm; 1363 PRUint16 macBits; 1364