author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-21 02:46:01 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-21 02:46:01 +0000 |
commit | 9e7aceeceac9b1907652ac4d38941cb723b9a62f (patch) | |
tree | b172fe61cea52fb9d46c53bc4f5395d6fde1b882 | |
parent | ec069f72d0cd83823271e2e95ca94acc2e5d76ef (diff) | |
Make the AES-GCM cipher suites work in DTLS, by moving the
ssl3_BuildRecordPseudoHeader calls to where the isDTLS boolean is
available.
Make the three MAC-related fields of the SSLCipherSuiteInfo structure
report reasonable values for AEAD ciphers, which don't use a MAC.
R=rsleevi@chromium.org
BUG=255241
TEST=none
Review URL: https://chromiumcodereview.appspot.com/23299002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@218606 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | net/third_party/nss/patches/aesgcm.patch | 440 | ||||
-rw-r--r-- | net/third_party/nss/patches/aesgcmchromium.patch | 12 | ||||
-rw-r--r-- | net/third_party/nss/ssl/dtlscon.c | 7 | ||||
-rw-r--r-- | net/third_party/nss/ssl/ssl3con.c | 193 | ||||
-rw-r--r-- | net/third_party/nss/ssl/sslimpl.h | 6 | ||||
-rw-r--r-- | net/third_party/nss/ssl/sslinfo.c | 9 | ||||
-rw-r--r-- | net/third_party/nss/ssl/sslt.h | 6 |
7 files changed, 409 insertions, 264 deletions
diff --git a/net/third_party/nss/patches/aesgcm.patch b/net/third_party/nss/patches/aesgcm.patch index 8de0a69..03fdf8e 100644 --- a/net/third_party/nss/patches/aesgcm.patch +++ b/net/third_party/nss/patches/aesgcm.patch @@ -1,6 +1,6 @@ Index: net/third_party/nss/ssl/sslinfo.c =================================================================== ---- net/third_party/nss/ssl/sslinfo.c (revision 215189) +--- net/third_party/nss/ssl/sslinfo.c (revision 217715) +++ net/third_party/nss/ssl/sslinfo.c (working copy) @@ -109,7 +109,7 @@ #define K_ECDHE "ECDHE", kt_ecdh @@ -19,7 +19,11 @@ Index: net/third_party/nss/ssl/sslinfo.c #define B_256 256, 256, 256 #define B_128 128, 128, 128 -@@ -130,9 +131,12 @@ +@@ -127,12 +128,16 @@ + #define B_40 128, 40, 40 + #define B_0 0, 0, 0 + ++#define M_AEAD_128 "AEAD", ssl_mac_aead, 128 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256 #define M_SHA "SHA1", ssl_mac_sha, 160 #define M_MD5 "MD5", ssl_mac_md5, 128 
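Review bot: The `128` baked into `#define M_AEAD_128 "AEAD", ssl_mac_aead, 128` is a third, independent copy of the GCM tag size: ssl3_AESGCM carries `static const int tagSize = 16;` and the record code reads `cipher_def->tag_size` from bulk_cipher_defs, and nothing ties the sslinfo table to either. If a shorter-tag GCM variant is ever added, this table will silently keep reporting 128 bits while the record layer uses a different tag. I would at least name the dependency at the macro, `/* 128 = AES-GCM authentication tag in bits; must match tag_size in ssl3con.c's bulk_cipher_defs. */`, since SSLCipherSuiteInfo is what applications see.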
@@ -27,32 +31,32 @@ Index: net/third_party/nss/ssl/sslinfo.c static const SSLCipherSuiteInfo suiteInfo[] = { /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC> <FIPS> */ -+{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, ++{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, + {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), S_RSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, }, -@@ -146,6 +150,7 @@ +@@ -146,6 +151,7 @@ {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, }, -+{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, ++{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA, 1, 0, 0, }, -@@ -175,6 +180,9 @@ +@@ -175,6 +181,9 @@ #ifdef NSS_ENABLE_ECC /* ECC cipher suites */ -+{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, -+{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, ++{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, ++{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, + {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), 
S_ECDSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, }, {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA), S_ECDSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, }, Index: net/third_party/nss/ssl/sslimpl.h =================================================================== ---- net/third_party/nss/ssl/sslimpl.h (revision 215189) +--- net/third_party/nss/ssl/sslimpl.h (revision 217715) +++ net/third_party/nss/ssl/sslimpl.h (working copy) @@ -64,6 +64,7 @@ #define calg_aes ssl_calg_aes @@ -62,7 +66,15 @@ Index: net/third_party/nss/ssl/sslimpl.h #define mac_null ssl_mac_null #define mac_md5 ssl_mac_md5 -@@ -290,9 +291,9 @@ +@@ -71,6 +72,7 @@ + #define hmac_md5 ssl_hmac_md5 + #define hmac_sha ssl_hmac_sha + #define hmac_sha256 ssl_hmac_sha256 ++#define mac_aead ssl_mac_aead + + #define SET_ERROR_CODE /* reminder */ + #define SEND_ALERT /* reminder */ +@@ -290,9 +292,9 @@ } ssl3CipherSuiteCfg; #ifdef NSS_ENABLE_ECC @@ -74,7 +86,7 @@ Index: net/third_party/nss/ssl/sslimpl.h #endif /* NSS_ENABLE_ECC */ #define MAX_DTLS_SRTP_CIPHER_SUITES 4 -@@ -440,20 +441,6 @@ +@@ -440,20 +442,6 @@ #define GS_DATA 3 #define GS_PAD 4 @@ -95,7 +107,7 @@ Index: net/third_party/nss/ssl/sslimpl.h #if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32) typedef PCERT_KEY_CONTEXT PlatformKey; #elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX) -@@ -485,11 +472,12 @@ +@@ -485,11 +473,12 @@ cipher_camellia_128, cipher_camellia_256, cipher_seed, @@ -109,7 +121,7 @@ Index: net/third_party/nss/ssl/sslimpl.h #define MAX_IV_LENGTH 24 -@@ -531,6 +519,31 @@ +@@ -531,6 +520,30 @@ PRUint64 cipher_context[MAX_CIPHER_CONTEXT_LLONGS]; } ssl3KeyMaterial; 
@@ -127,9 +139,8 @@ Index: net/third_party/nss/ssl/sslimpl.h + int maxout, + const unsigned char *in, + int inlen, -+ SSL3ContentType type, -+ SSL3ProtocolVersion version, -+ SSL3SequenceNumber seqnum); ++ const unsigned char *additionalData, ++ int additionalDataLen); +typedef SECStatus (*SSLCompressor)(void * context, + unsigned char * out, + int * outlen, @@ -170,7 +181,7 @@ Index: net/third_party/nss/ssl/sslimpl.h /* Index: net/third_party/nss/ssl/ssl3ecc.c =================================================================== ---- net/third_party/nss/ssl/ssl3ecc.c (revision 215189) +--- net/third_party/nss/ssl/ssl3ecc.c (revision 217715) +++ net/third_party/nss/ssl/ssl3ecc.c (working copy) @@ -911,6 +911,7 @@ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, @@ -205,7 +216,7 @@ Index: net/third_party/nss/ssl/ssl3ecc.c TLS_ECDHE_RSA_WITH_RC4_128_SHA, Index: net/third_party/nss/ssl/sslsock.c =================================================================== ---- net/third_party/nss/ssl/sslsock.c (revision 215189) +--- net/third_party/nss/ssl/sslsock.c (revision 217715) +++ net/third_party/nss/ssl/sslsock.c (working copy) @@ -67,8 +67,10 @@ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, @@ -236,9 +247,9 @@ Index: net/third_party/nss/ssl/sslsock.c { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } Index: net/third_party/nss/ssl/ssl3con.c =================================================================== ---- net/third_party/nss/ssl/ssl3con.c (revision 215189) +--- net/third_party/nss/ssl/ssl3con.c (revision 217715) +++ net/third_party/nss/ssl/ssl3con.c (working copy) -@@ -78,6 +78,14 @@ +@@ -78,6 +78,13 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen, const unsigned char *input, int inputLen); 
@@ -246,14 +257,13 @@ Index: net/third_party/nss/ssl/ssl3con.c +static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, + unsigned char *out, int *outlen, int maxout, + const unsigned char *in, int inlen, -+ SSL3ContentType type, -+ SSL3ProtocolVersion version, -+ SSL3SequenceNumber seq_num); ++ const unsigned char *additionalData, ++ int additionalDataLen); +#endif #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ #define MIN_SEND_BUF_LENGTH 4000 -@@ -90,6 +98,13 @@ +@@ -90,6 +97,13 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { /* cipher_suite policy enabled is_present*/ #ifdef NSS_ENABLE_ECC @@ -267,7 +277,7 @@ Index: net/third_party/nss/ssl/ssl3con.c { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, #endif /* NSS_ENABLE_ECC */ -@@ -233,23 +248,30 @@ +@@ -233,23 +247,30 @@ /* indexed by SSL3BulkCipher */ static const ssl3BulkCipherDef bulk_cipher_defs[] = { 
@@ -315,19 +325,19 @@ Index: net/third_party/nss/ssl/ssl3con.c }; static const ssl3KEADef kea_defs[] = -@@ -371,6 +393,11 @@ +@@ -371,6 +392,11 @@ {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, -+ {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe_rsa}, -+ {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, -+ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_rsa}, -+ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_ecdsa}, ++ {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa}, ++ {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, ++ {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, ++ {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, + #ifdef NSS_ENABLE_ECC {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, -@@ -434,6 +461,7 @@ +@@ -434,25 +460,29 @@ { calg_aes , CKM_AES_CBC }, { calg_camellia , CKM_CAMELLIA_CBC }, { calg_seed , CKM_SEED_CBC }, 
@@ -335,7 +345,31 @@ Index: net/third_party/nss/ssl/ssl3con.c /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ }; -@@ -472,6 +500,7 @@ +-#define mmech_null (CK_MECHANISM_TYPE)0x80000000L ++#define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L + #define mmech_md5 CKM_SSL3_MD5_MAC + #define mmech_sha CKM_SSL3_SHA1_MAC + #define mmech_md5_hmac CKM_MD5_HMAC + #define mmech_sha_hmac CKM_SHA_1_HMAC + #define mmech_sha256_hmac CKM_SHA256_HMAC ++#define mmech_sha384_hmac CKM_SHA384_HMAC ++#define mmech_sha512_hmac CKM_SHA512_HMAC + + static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ + /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ + /* mac mmech pad_size mac_size */ +- { mac_null, mmech_null, 0, 0 }, ++ { mac_null, mmech_invalid, 0, 0 }, + { mac_md5, mmech_md5, 48, MD5_LENGTH }, + { mac_sha, mmech_sha, 40, SHA1_LENGTH}, + {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, + {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, + {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, ++ { mac_aead, mmech_invalid, 0, 0 }, + }; + + /* indexed by SSL3BulkCipher */ +@@ -472,6 +502,7 @@ "Camellia-128", "Camellia-256", "SEED-CBC", @@ -343,7 +377,7 @@ Index: net/third_party/nss/ssl/ssl3con.c "missing" }; -@@ -598,9 +627,13 @@ +@@ -598,9 +629,13 @@ case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: case TLS_RSA_WITH_AES_256_CBC_SHA256: case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: @@ -357,7 +391,7 @@ Index: net/third_party/nss/ssl/ssl3con.c case TLS_RSA_WITH_NULL_SHA256: return version >= SSL_LIBRARY_VERSION_TLS_1_2; default: -@@ -1360,7 +1393,7 @@ +@@ -1360,7 +1395,7 @@ cipher = suite_def->bulk_cipher_alg; kea = suite_def->key_exchange_alg; mac = suite_def->mac_alg; @@ -366,7 +400,7 @@ Index: net/third_party/nss/ssl/ssl3con.c mac += 2; ss->ssl3.hs.suite_def = suite_def; -@@ -1554,7 +1587,6 @@ +@@ -1554,7 +1589,6 @@ unsigned int optArg2 = 0; PRBool server_encrypts = ss->sec.isServer; SSLCipherAlgorithm calg; 
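Review bot: `mac_defs` is documented as indexed by SSL3MACAlgorithm, so the new `{ mac_aead, mmech_invalid, 0, 0 }` row is correct only while `ssl_mac_aead` stays 6 and no code promotes the value further; the `mac += 2` TLS-HMAC adjustment shown as context around the `@@ -1360` hunk header (presumably ssl3_SetupPendingCipherSpec; its guard line is not visible here) would index past the table if it ever applied to mac_aead. I would pin the coupling at the table, `PR_STATIC_ASSERT(PR_ARRAY_SIZE(mac_defs) == ssl_mac_aead + 1);` if that NSPR macro is usable in this file, and make the promotion guard exclude `ssl_mac_aead` explicitly if it does not already. Separately, `mmech_sha384_hmac` and `mmech_sha512_hmac` are defined in this hunk but no mac_defs row or SSLMACAlgorithm value uses them; unless they are consumed elsewhere in the file they are dead definitions and should be dropped or landed together with their table rows.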
@@ -374,7 +408,7 @@ Index: net/third_party/nss/ssl/ssl3con.c SECStatus rv; PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); -@@ -1565,8 +1597,18 @@ +@@ -1565,8 +1599,18 @@ cipher_def = pwSpec->cipher_def; calg = cipher_def->calg; @@ -394,12 +428,22 @@ Index: net/third_party/nss/ssl/ssl3con.c serverContext = pwSpec->server.cipher_context; clientContext = pwSpec->client.cipher_context; -@@ -1721,6 +1763,207 @@ +@@ -1721,6 +1765,195 @@ return param; } -+/* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which -+ * is included in the MAC) to |out| and returns its length. */ ++/* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data ++ * which is included in the MAC or AEAD additional data) to |out| and returns ++ * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the ++ * definition of the AEAD additional data. ++ * ++ * TLS pseudo-header includes the record's version field, SSL's doesn't. Which ++ * pseudo-header defintiion to use should be decided based on the version of ++ * the protocol that was negotiated when the cipher spec became current, NOT ++ * based on the version value in the record itself, and the decision is passed ++ * to this function as the |includesVersion| argument. But, the |version| ++ * argument should be the record's version value. ++ */ +static unsigned int +ssl3_BuildRecordPseudoHeader(unsigned char *out, + SSL3SequenceNumber seq_num, 
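Review bot: The new header comment on ssl3_BuildRecordPseudoHeader has a typo, `defintiion`, and leaves out the one fact every caller depends on: how large `out` must be. Each call site sizes its buffer with a bare literal (`pseudoHeader[13]`, `header[13]`) and only checks after the write with `PORT_Assert(... <= sizeof(...))`, so the contract lives in three copies of the number rather than in the function. I would state it in the comment, `|out| must have room for 13 bytes; returns 11 for the SSLv3 form and 13 for the TLS/DTLS form.`, and give the size a name callers can use, e.g. `#define SSL3_RECORD_PSEUDO_HEADER_MAX 13`. The function body continues past this hunk.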
@@ -450,29 +494,18 @@ Index: net/third_party/nss/ssl/ssl3con.c + int maxout, + const unsigned char *in, + int inlen, -+ SSL3ContentType type, -+ SSL3ProtocolVersion version, -+ SSL3SequenceNumber seq_num) ++ const unsigned char *additionalData, ++ int additionalDataLen) +{ + SECItem param; + SECStatus rv = SECFailure; + unsigned char nonce[12]; -+ unsigned char additionalData[13]; -+ unsigned int additionalDataLen; + unsigned int uOutLen; + CK_GCM_PARAMS gcmParams; + + static const int tagSize = 16; + static const int explicitNonceLen = 8; + -+ /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the -+ * definition of the AEAD additional data. */ -+ additionalDataLen = ssl3_BuildRecordPseudoHeader( -+ additionalData, seq_num, type, PR_TRUE /* includes version */, -+ version, PR_FALSE /* not DTLS */, -+ inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); -+ PORT_Assert(additionalDataLen <= sizeof(additionalData)); -+ + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the + * nonce is formed. */ + memcpy(nonce, keys->write_iv, 4); @@ -499,7 +532,7 @@ Index: net/third_party/nss/ssl/ssl3con.c + param.len = sizeof(gcmParams); + gcmParams.pIv = nonce; + gcmParams.ulIvLen = sizeof(nonce); -+ gcmParams.pAAD = additionalData; ++ gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ + gcmParams.ulAADLen = additionalDataLen; + gcmParams.ulTagBits = tagSize * 8; + @@ -524,14 +557,11 @@ Index: net/third_party/nss/ssl/ssl3con.c + int maxout, + const unsigned char *in, + int inlen, -+ SSL3ContentType type, -+ SSL3ProtocolVersion version, -+ SSL3SequenceNumber seq_num) ++ const unsigned char *additionalData, ++ int additionalDataLen) +{ + SECStatus rv = SECFailure; + unsigned char nonce[12]; -+ unsigned char additionalData[13]; -+ unsigned int additionalDataLen; + unsigned int uOutLen; + AESContext *cx; + CK_GCM_PARAMS gcmParams; 
@@ -539,14 +569,6 @@ Index: net/third_party/nss/ssl/ssl3con.c + static const int tagSize = 16; + static const int explicitNonceLen = 8; + -+ /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the -+ * definition of the AEAD additional data. */ -+ additionalDataLen = ssl3_BuildRecordPseudoHeader( -+ additionalData, seq_num, type, PR_TRUE /* includes version */, -+ version, PR_FALSE /* not DTLS */, -+ inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); -+ PORT_Assert(additionalDataLen <= sizeof(additionalData)); -+ + /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the + * nonce is formed. */ + PORT_Assert(keys->write_iv_item.len == 4); @@ -575,7 +597,7 @@ Index: net/third_party/nss/ssl/ssl3con.c + + gcmParams.pIv = nonce; + gcmParams.ulIvLen = sizeof(nonce); -+ gcmParams.pAAD = additionalData; ++ gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ + gcmParams.ulAADLen = additionalDataLen; + gcmParams.ulTagBits = tagSize * 8; + @@ -602,7 +624,7 @@ Index: net/third_party/nss/ssl/ssl3con.c /* Initialize encryption and MAC contexts for pending spec. * Master Secret already is derived. * Caller holds Spec write lock. -@@ -1748,14 +1991,27 @@ +@@ -1748,14 +1981,27 @@ pwSpec = ss->ssl3.pwSpec; cipher_def = pwSpec->cipher_def; macLength = pwSpec->mac_size; @@ -632,7 +654,7 @@ Index: net/third_party/nss/ssl/ssl3con.c mac_mech = pwSpec->mac_def->mmech; mac_param.data = (unsigned char *)&macLength; mac_param.len = sizeof(macLength); -@@ -1778,9 +2034,6 @@ +@@ -1778,9 +2024,6 @@ ** Now setup the crypto contexts. */ 
@@ -642,15 +664,28 @@ Index: net/third_party/nss/ssl/ssl3con.c if (calg == calg_null) { pwSpec->encode = Null_Cipher; pwSpec->decode = Null_Cipher; -@@ -1999,55 +2252,21 @@ +@@ -1988,10 +2231,8 @@ + ssl3_ComputeRecordMAC( + ssl3CipherSpec * spec, + PRBool useServerMacKey, +- PRBool isDTLS, +- SSL3ContentType type, +- SSL3ProtocolVersion version, +- SSL3SequenceNumber seq_num, ++ const unsigned char *header, ++ unsigned int headerLen, + const SSL3Opaque * input, + int inputLength, + unsigned char * outbuf, +@@ -1999,56 +2240,8 @@ { const ssl3MACDef * mac_def; SECStatus rv; -#ifndef NO_PKCS11_BYPASS - PRBool isTLS; +- PRBool isTLS; -#endif - unsigned int tempLen; - unsigned char temp[MAX_MAC_LENGTH]; +- unsigned int tempLen; +- unsigned char temp[MAX_MAC_LENGTH]; - temp[0] = (unsigned char)(seq_num.high >> 24); - temp[1] = (unsigned char)(seq_num.high >> 16); @@ -662,13 +697,12 @@ Index: net/third_party/nss/ssl/ssl3con.c - temp[7] = (unsigned char)(seq_num.low >> 0); - temp[8] = type; - - /* TLS MAC includes the record's version field, SSL's doesn't. - ** We decide which MAC defintiion to use based on the version of - ** the protocol that was negotiated when the spec became current, - ** NOT based on the version value in the record itself. +- /* TLS MAC includes the record's version field, SSL's doesn't. +- ** We decide which MAC defintiion to use based on the version of +- ** the protocol that was negotiated when the spec became current, +- ** NOT based on the version value in the record itself. - ** But, we use the record'v version value in the computation. -+ ** But, we use the record's version value in the computation. - */ +- */ - if (spec->version <= SSL_LIBRARY_VERSION_3_0) { - temp[9] = MSB(inputLength); - temp[10] = LSB(inputLength); 
@@ -680,11 +714,7 @@ Index: net/third_party/nss/ssl/ssl3con.c - /* New TLS hash includes version. */ - if (isDTLS) { - SSL3ProtocolVersion dtls_version; -+ isTLS = spec->version > SSL_LIBRARY_VERSION_3_0; -+ tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS, -+ version, isDTLS, inputLength); -+ PORT_Assert(tempLen <= sizeof(temp)); - +- - dtls_version = dtls_TLSVersionToDTLSVersion(version); - temp[9] = MSB(dtls_version); - temp[10] = LSB(dtls_version); 
@@ -700,10 +730,140 @@ Index: net/third_party/nss/ssl/ssl3con.c -#endif - } - - PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); +- PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); ++ PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen)); PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); -@@ -2390,86 +2609,112 @@ + mac_def = spec->mac_def; +@@ -2093,7 +2286,10 @@ + return SECFailure; + } + +- if (!isTLS) { ++ if (spec->version <= SSL_LIBRARY_VERSION_3_0) { ++ unsigned int tempLen; ++ unsigned char temp[MAX_MAC_LENGTH]; ++ + /* compute "inner" part of SSL3 MAC */ + hashObj->begin(write_mac_context); + if (useServerMacKey) +@@ -2105,7 +2301,7 @@ + spec->client.write_mac_key_item.data, + spec->client.write_mac_key_item.len); + hashObj->update(write_mac_context, mac_pad_1, pad_bytes); +- hashObj->update(write_mac_context, temp, tempLen); ++ hashObj->update(write_mac_context, header, headerLen); + hashObj->update(write_mac_context, input, inputLength); + hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); + +@@ -2136,7 +2332,7 @@ + } + if (rv == SECSuccess) { + HMAC_Begin(cx); +- HMAC_Update(cx, temp, tempLen); ++ HMAC_Update(cx, header, headerLen); + HMAC_Update(cx, input, inputLength); + rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); + HMAC_Destroy(cx, PR_FALSE); +@@ -2150,7 +2346,7 @@ + (useServerMacKey ? 
spec->server.write_mac_context + : spec->client.write_mac_context); + rv = PK11_DigestBegin(mac_context); +- rv |= PK11_DigestOp(mac_context, temp, tempLen); ++ rv |= PK11_DigestOp(mac_context, header, headerLen); + rv |= PK11_DigestOp(mac_context, input, inputLength); + rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); + } +@@ -2190,10 +2386,8 @@ + ssl3_ComputeRecordMACConstantTime( + ssl3CipherSpec * spec, + PRBool useServerMacKey, +- PRBool isDTLS, +- SSL3ContentType type, +- SSL3ProtocolVersion version, +- SSL3SequenceNumber seq_num, ++ const unsigned char *header, ++ unsigned int headerLen, + const SSL3Opaque * input, + int inputLen, + int originalLen, +@@ -2205,9 +2399,7 @@ + PK11Context * mac_context; + SECItem param; + SECStatus rv; +- unsigned char header[13]; + PK11SymKey * key; +- int recordLength; + + PORT_Assert(inputLen >= spec->mac_size); + PORT_Assert(originalLen >= inputLen); +@@ -2223,42 +2415,15 @@ + return SECSuccess; + } + +- header[0] = (unsigned char)(seq_num.high >> 24); +- header[1] = (unsigned char)(seq_num.high >> 16); +- header[2] = (unsigned char)(seq_num.high >> 8); +- header[3] = (unsigned char)(seq_num.high >> 0); +- header[4] = (unsigned char)(seq_num.low >> 24); +- header[5] = (unsigned char)(seq_num.low >> 16); +- header[6] = (unsigned char)(seq_num.low >> 8); +- header[7] = (unsigned char)(seq_num.low >> 0); +- header[8] = type; +- + macType = CKM_NSS_HMAC_CONSTANT_TIME; +- recordLength = inputLen - spec->mac_size; + if (spec->version <= SSL_LIBRARY_VERSION_3_0) { + macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; +- header[9] = recordLength >> 8; +- header[10] = recordLength; +- params.ulHeaderLen = 11; +- } else { +- if (isDTLS) { +- SSL3ProtocolVersion dtls_version; +- +- dtls_version = dtls_TLSVersionToDTLSVersion(version); +- header[9] = dtls_version >> 8; +- header[10] = dtls_version; +- } else { +- header[9] = version >> 8; +- header[10] = version; +- } +- header[11] = recordLength >> 8; +- header[12] = 
recordLength; +- params.ulHeaderLen = 13; + } + + params.macAlg = spec->mac_def->mmech; + params.ulBodyTotalLen = originalLen; +- params.pHeader = header; ++ params.pHeader = (unsigned char *) header; /* const cast */ ++ params.ulHeaderLen = headerLen; + + param.data = (unsigned char*) ¶ms; + param.len = sizeof(params); +@@ -2291,9 +2456,8 @@ + /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the + * length already. */ + inputLen -= spec->mac_size; +- return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type, +- version, seq_num, input, inputLen, +- outbuf, outLen); ++ return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen, ++ input, inputLen, outbuf, outLen); + } + + static PRBool +@@ -2345,6 +2509,8 @@ + PRUint16 headerLen; + int ivLen = 0; + int cipherBytes = 0; ++ unsigned char pseudoHeader[13]; ++ unsigned int pseudoHeaderLen; + + cipher_def = cwSpec->cipher_def; + headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; +@@ -2390,86 +2556,117 @@ contentLen = outlen; } @@ -721,6 +881,11 @@ Index: net/third_party/nss/ssl/ssl3con.c - p2Len = macLen; - fragLen = contentLen + macLen; /* needs to be encrypted */ - PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024); ++ pseudoHeaderLen = ssl3_BuildRecordPseudoHeader( ++ pseudoHeader, cwSpec->write_seq_num, type, ++ cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version, ++ isDTLS, contentLen); ++ PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader)); + if (cipher_def->type == type_aead) { + const int nonceLen = cipher_def->explicit_nonce_size; + const int tagLen = cipher_def->tag_size; @@ -757,7 +922,7 @@ Index: net/third_party/nss/ssl/ssl3con.c + &cipherBytes, /* out len */ + wrBuf->space - headerLen, /* max out */ + pIn, contentLen, /* input */ -+ type, cwSpec->version, cwSpec->write_seq_num); ++ pseudoHeader, pseudoHeaderLen); + if (rv != SECSuccess) { + PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); + return SECFailure; 
@@ -790,8 +955,8 @@ Index: net/third_party/nss/ssl/ssl3con.c + /* + * Add the MAC + */ -+ rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, -+ type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, ++ rv = ssl3_ComputeRecordMAC(cwSpec, isServer, ++ pseudoHeader, pseudoHeaderLen, pIn, contentLen, + wrBuf->buf + headerLen + ivLen + contentLen, &macLen); + if (rv != SECSuccess) { + ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); @@ -889,7 +1054,7 @@ Index: net/third_party/nss/ssl/ssl3con.c PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024); wrBuf->len = cipherBytes + headerLen; -@@ -3012,9 +3257,6 @@ +@@ -3012,9 +3209,6 @@ static SECStatus ssl3_IllegalParameter(sslSocket *ss) { @@ -899,7 +1064,7 @@ Index: net/third_party/nss/ssl/ssl3con.c (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter); PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT : SSL_ERROR_BAD_SERVER ); -@@ -3538,7 +3780,6 @@ +@@ -3538,7 +3732,6 @@ } key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited); @@ -907,7 +1072,7 @@ Index: net/third_party/nss/ssl/ssl3con.c key_material_params.RandomInfo.pClientRandom = cr; key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH; -@@ -9946,7 +10187,6 @@ +@@ -9946,7 +10139,6 @@ static void ssl3_RecordKeyLog(sslSocket *ss) { @@ -915,7 +1080,7 @@ Index: net/third_party/nss/ssl/ssl3con.c SECStatus rv; SECItem *keyData; char buf[14 /* "CLIENT_RANDOM " */ + -@@ -9958,8 +10198,6 @@ +@@ -9958,8 +10150,6 @@ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 
@@ -924,7 +1089,16 @@ Index: net/third_party/nss/ssl/ssl3con.c if (!ssl_keylog_iob) return; -@@ -11171,12 +11409,14 @@ +@@ -11095,6 +11285,8 @@ + unsigned int originalLen = 0; + unsigned int good; + unsigned int minLength; ++ unsigned char header[13]; ++ unsigned int headerLen; + + PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); + +@@ -11171,12 +11363,14 @@ /* With >= TLS 1.1, CBC records have an explicit IV. */ minLength += cipher_def->iv_size; } @@ -940,7 +1114,7 @@ Index: net/third_party/nss/ssl/ssl3con.c } if (cipher_def->type == type_block && -@@ -11244,78 +11484,95 @@ +@@ -11244,78 +11438,104 @@ return SECFailure; } @@ -950,6 +1124,17 @@ Index: net/third_party/nss/ssl/ssl3con.c - } + rType = cText->type; + if (cipher_def->type == type_aead) { ++ /* XXX For many AEAD ciphers, the plaintext is shorter than the ++ * ciphertext by a fixed byte count, but it is not true in general. ++ * Each AEAD cipher should provide a function that returns the ++ * plaintext length for a given ciphertext. */ ++ unsigned int decryptedLen = ++ cText->buf->len - cipher_def->explicit_nonce_size - ++ cipher_def->tag_size; ++ headerLen = ssl3_BuildRecordPseudoHeader( ++ header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, ++ rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen); ++ PORT_Assert(headerLen <= sizeof(header)); + rv = crSpec->aead( + ss->sec.isServer ? &crSpec->client : &crSpec->server, + PR_TRUE, /* do decrypt */ @@ -958,9 +1143,7 @@ Index: net/third_party/nss/ssl/ssl3con.c + plaintext->space, /* maxout */ + cText->buf->buf, /* in */ + cText->buf->len, /* inlen */ -+ rType, /* record type */ -+ cText->version, -+ IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num); ++ header, headerLen); + if (rv != SECSuccess) { + good = 0; + } 
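Review bot: In the new AEAD branch of ssl3_HandleRecord, `decryptedLen = cText->buf->len - cipher_def->explicit_nonce_size - cipher_def->tag_size` wraps to a huge unsigned value if a record shorter than nonce plus tag reaches this point, so the pseudo-header would carry a garbage length and `crSpec->aead` would receive an `inlen` smaller than the nonce and tag it is expected to strip. The earlier minimum-length hunk in this function (`@@ -11171`) is elided on this page, so I cannot see whether `minLength` already covers `explicit_nonce_size + tag_size` for type_aead. If it does, make the dependency visible at the point of use with `PORT_Assert(cText->buf->len >= cipher_def->explicit_nonce_size + cipher_def->tag_size);`; if it does not, add that comparison before computing decryptedLen and fail the record the same way the other length checks do. ssl3_HandleRecord begins outside this hunk.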
@@ -1006,7 +1189,7 @@ Index: net/third_party/nss/ssl/ssl3con.c - } else { - good &= SECStatusToMask(ssl_RemoveTLSCBCPadding( - plaintext, macSize)); -+ if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { ++ if (!isTLS) { + good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( + plaintext, blockSize, macSize)); + } else { @@ -1026,11 +1209,14 @@ Index: net/third_party/nss/ssl/ssl3con.c - plaintext->buf, plaintext->len, originalLen, - hash, &hashBytes); + /* compute the MAC */ ++ headerLen = ssl3_BuildRecordPseudoHeader( ++ header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, ++ rType, isTLS, cText->version, IS_DTLS(ss), ++ plaintext->len - crSpec->mac_size); ++ PORT_Assert(headerLen <= sizeof(header)); + if (cipher_def->type == type_block) { + rv = ssl3_ComputeRecordMACConstantTime( -+ crSpec, (PRBool)(!ss->sec.isServer), -+ IS_DTLS(ss), rType, cText->version, -+ IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, ++ crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, + plaintext->buf, plaintext->len, originalLen, + hash, &hashBytes); @@ -1065,11 +1251,8 @@ Index: net/third_party/nss/ssl/ssl3con.c - plaintext->buf, plaintext->len, - hash, &hashBytes); + rv = ssl3_ComputeRecordMAC( -+ crSpec, (PRBool)(!ss->sec.isServer), -+ IS_DTLS(ss), rType, cText->version, -+ IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, -+ plaintext->buf, plaintext->len, -+ hash, &hashBytes); ++ crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, ++ plaintext->buf, plaintext->len, hash, &hashBytes); - /* We can read the MAC directly from the record because its location is - * public when a stream cipher is used. */ @@ -1097,7 +1280,7 @@ Index: net/third_party/nss/ssl/ssl3con.c if (good == 0) { Index: net/third_party/nss/ssl/sslenum.c =================================================================== ---- net/third_party/nss/ssl/sslenum.c (revision 215189) +--- net/third_party/nss/ssl/sslenum.c (revision 217715) +++ net/third_party/nss/ssl/sslenum.c (working copy) 
@@ -29,6 +29,14 @@ * Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h. @@ -1116,7 +1299,7 @@ Index: net/third_party/nss/ssl/sslenum.c TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, Index: net/third_party/nss/ssl/sslproto.h =================================================================== ---- net/third_party/nss/ssl/sslproto.h (revision 215189) +--- net/third_party/nss/ssl/sslproto.h (revision 217715) +++ net/third_party/nss/ssl/sslproto.h (working copy) @@ -162,6 +162,10 @@ @@ -1143,7 +1326,7 @@ Index: net/third_party/nss/ssl/sslproto.h #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1 Index: net/third_party/nss/ssl/sslt.h =================================================================== ---- net/third_party/nss/ssl/sslt.h (revision 215189) +--- net/third_party/nss/ssl/sslt.h (revision 217715) +++ net/third_party/nss/ssl/sslt.h (working copy) @@ -91,9 +91,10 @@ ssl_calg_3des = 4, 
@@ -1158,22 +1341,23 @@ Index: net/third_party/nss/ssl/sslt.h } SSLCipherAlgorithm; typedef enum { -Index: net/third_party/nss/ssl/dtlscon.c -=================================================================== ---- net/third_party/nss/ssl/dtlscon.c (revision 215189) -+++ net/third_party/nss/ssl/dtlscon.c (working copy) -@@ -30,7 +30,14 @@ +@@ -102,7 +103,8 @@ + ssl_mac_sha = 2, + ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */ + ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */ +- ssl_hmac_sha256 = 5 ++ ssl_hmac_sha256 = 5, ++ ssl_mac_aead = 6 + } SSLMACAlgorithm; - /* List copied from ssl3con.c:cipherSuites */ - static const ssl3CipherSuite nonDTLSSuites[] = { -+ /* XXX Make AES-GCM work with DTLS. */ - #ifdef NSS_ENABLE_ECC -+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, -+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, -+#endif /* NSS_ENABLE_ECC */ -+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, -+ TLS_RSA_WITH_AES_128_GCM_SHA256, -+#ifdef NSS_ENABLE_ECC - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, - TLS_ECDHE_RSA_WITH_RC4_128_SHA, - #endif /* NSS_ENABLE_ECC */ + typedef enum { +@@ -158,6 +160,9 @@ + PRUint16 effectiveKeyBits; + + /* MAC info */ ++ /* AEAD ciphers don't have a MAC. For an AEAD cipher, macAlgorithmName ++ * is "AEAD", macAlgorithm is ssl_mac_aead, and macBits is the length in ++ * bits of the authentication tag. */ + const char * macAlgorithmName; + SSLMACAlgorithm macAlgorithm; + PRUint16 macBits; diff --git a/net/third_party/nss/patches/aesgcmchromium.patch b/net/third_party/nss/patches/aesgcmchromium.patch index 8cd72bb..f9ec6cb 100644 --- a/net/third_party/nss/patches/aesgcmchromium.patch +++ b/net/third_party/nss/patches/aesgcmchromium.patch @@ -1,5 +1,5 @@ ---- net/third_party/nss/ssl/ssl3con.c.orig 2013-08-14 14:22:50.479780305 -0700 -+++ net/third_party/nss/ssl/ssl3con.c 2013-08-14 14:23:57.670788603 -0700 +--- net/third_party/nss/ssl/ssl3con.c.orig 2013-08-20 12:00:16.742760827 -0700 ++++ net/third_party/nss/ssl/ssl3con.c 2013-08-20 11:59:56.782463207 -0700 
@@ -44,6 +44,9 @@ #ifdef NSS_ENABLE_ZLIB #include "zlib.h" @@ -10,7 +10,7 @@ #ifndef PK11_SETATTRS #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ -@@ -1807,6 +1810,69 @@ ssl3_BuildRecordPseudoHeader(unsigned ch +@@ -1819,6 +1822,69 @@ ssl3_BuildRecordPseudoHeader(unsigned ch return 13; } @@ -80,7 +80,7 @@ static SECStatus ssl3_AESGCM(ssl3KeyMaterial *keys, PRBool doDecrypt, -@@ -1869,10 +1935,10 @@ ssl3_AESGCM(ssl3KeyMaterial *keys, +@@ -1870,10 +1936,10 @@ ssl3_AESGCM(ssl3KeyMaterial *keys, gcmParams.ulTagBits = tagSize * 8; if (doDecrypt) { @@ -93,7 +93,7 @@ maxout, in, inlen); } *outlen += (int) uOutLen; -@@ -5071,6 +5137,10 @@ ssl3_SendClientHello(sslSocket *ss, PRBo +@@ -5023,6 +5089,10 @@ ssl3_SendClientHello(sslSocket *ss, PRBo ssl3_DisableNonDTLSSuites(ss); } @@ -104,7 +104,7 @@ /* how many suites are permitted by policy and user preference? */ num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE); if (!num_suites) -@@ -7776,6 +7846,10 @@ ssl3_HandleClientHello(sslSocket *ss, SS +@@ -7728,6 +7798,10 @@ ssl3_HandleClientHello(sslSocket *ss, SS ssl3_DisableNonDTLSSuites(ss); } diff --git a/net/third_party/nss/ssl/dtlscon.c b/net/third_party/nss/ssl/dtlscon.c index e86ae01..78371e6 100644 --- a/net/third_party/nss/ssl/dtlscon.c +++ b/net/third_party/nss/ssl/dtlscon.c @@ -30,13 +30,6 @@ static const PRUint16 COMMON_MTU_VALUES[] = { /* List copied from ssl3con.c:cipherSuites */ static const ssl3CipherSuite nonDTLSSuites[] = { - /* XXX Make AES-GCM work with DTLS. */ -#ifdef NSS_ENABLE_ECC - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, -#endif /* NSS_ENABLE_ECC */ - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, - TLS_RSA_WITH_AES_128_GCM_SHA256, #ifdef NSS_ENABLE_ECC TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c index e614eab..1ed0d90 100644 --- a/net/third_party/nss/ssl/ssl3con.c +++ b/net/third_party/nss/ssl/ssl3con.c 
@@ -85,9 +85,8 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt, unsigned char *out, int *outlen, int maxout, const unsigned char *in, int inlen, - SSL3ContentType type, - SSL3ProtocolVersion version, - SSL3SequenceNumber seq_num); + const unsigned char *additionalData, + int additionalDataLen); #endif #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */ @@ -396,10 +395,10 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] = {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips}, {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips}, - {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_dhe_rsa}, - {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_rsa}, - {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_rsa}, - {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_null, kea_ecdhe_ecdsa}, + {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa}, + {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa}, + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, #ifdef NSS_ENABLE_ECC {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, 
@@ -468,22 +467,25 @@ static const SSLCipher2Mech alg2Mech[] = { /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ }; -#define mmech_null (CK_MECHANISM_TYPE)0x80000000L +#define mmech_invalid (CK_MECHANISM_TYPE)0x80000000L #define mmech_md5 CKM_SSL3_MD5_MAC #define mmech_sha CKM_SSL3_SHA1_MAC #define mmech_md5_hmac CKM_MD5_HMAC #define mmech_sha_hmac CKM_SHA_1_HMAC #define mmech_sha256_hmac CKM_SHA256_HMAC +#define mmech_sha384_hmac CKM_SHA384_HMAC +#define mmech_sha512_hmac CKM_SHA512_HMAC static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */ /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */ /* mac mmech pad_size mac_size */ - { mac_null, mmech_null, 0, 0 }, + { mac_null, mmech_invalid, 0, 0 }, { mac_md5, mmech_md5, 48, MD5_LENGTH }, { mac_sha, mmech_sha, 40, SHA1_LENGTH}, {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH }, {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH}, {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH}, + { mac_aead, mmech_invalid, 0, 0 }, }; /* indexed by SSL3BulkCipher */ 
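Review bot: The new `{ mac_aead, mmech_invalid, 0, 0 }` row is correct only because mac_defs is positional on SSL3MACAlgorithm and ssl_mac_aead was assigned the next free value, 6, in sslt.h; nothing in this file checks that. I would add `PR_STATIC_ASSERT(PR_ARRAY_SIZE(mac_defs) == ssl_mac_aead + 1);` after the table if PR_STATIC_ASSERT is available to this tree, or failing that the comment `/* Must stay in sync with SSLMACAlgorithm in sslt.h. */` on the "indexed by" line. The `mmech_sha384_hmac` and `mmech_sha512_hmac` defines have no mac_defs row in this hunk, so they read as dead until a later change uses them. Renaming mmech_null to mmech_invalid is a good call: a PKCS#11 MAC context requested for an AEAD spec should now fail on an invalid mechanism instead of going through unnoticed.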
@@ -1766,8 +1768,18 @@ ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits) return param; } -/* ssl3_BuildRecordPseudoHeader writes the TLS pseudo-header (the data which - * is included in the MAC) to |out| and returns its length. */ +/* ssl3_BuildRecordPseudoHeader writes the SSL/TLS pseudo-header (the data + * which is included in the MAC or AEAD additional data) to |out| and returns + * its length. See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the + * definition of the AEAD additional data. + * + * TLS pseudo-header includes the record's version field, SSL's doesn't. Which + * pseudo-header defintiion to use should be decided based on the version of + * the protocol that was negotiated when the cipher spec became current, NOT + * based on the version value in the record itself, and the decision is passed + * to this function as the |includesVersion| argument. But, the |version| + * argument should be the record's version value. + */ static unsigned int ssl3_BuildRecordPseudoHeader(unsigned char *out, SSL3SequenceNumber seq_num, 
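Review bot: The new header comment has a typo in its key sentence: `* pseudo-header defintiion to use should be decided based on the version of` should read `* pseudo-header definition to use should be decided based on the version of`. Since this comment now states the contract that all four call sites in this patch depend on, it should also say what the length argument means for AEAD: for RFC 5246 additional data it is the plaintext length, so a decrypting caller must pass the expected decrypted length rather than the ciphertext length. The parameter list and body of ssl3_BuildRecordPseudoHeader continue past the end of this hunk.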
@@ -1881,29 +1893,18 @@ ssl3_AESGCM(ssl3KeyMaterial *keys, int maxout, const unsigned char *in, int inlen, - SSL3ContentType type, - SSL3ProtocolVersion version, - SSL3SequenceNumber seq_num) + const unsigned char *additionalData, + int additionalDataLen) { SECItem param; SECStatus rv = SECFailure; unsigned char nonce[12]; - unsigned char additionalData[13]; - unsigned int additionalDataLen; unsigned int uOutLen; CK_GCM_PARAMS gcmParams; static const int tagSize = 16; static const int explicitNonceLen = 8; - /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the - * definition of the AEAD additional data. */ - additionalDataLen = ssl3_BuildRecordPseudoHeader( - additionalData, seq_num, type, PR_TRUE /* includes version */, - version, PR_FALSE /* not DTLS */, - inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); - PORT_Assert(additionalDataLen <= sizeof(additionalData)); - /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the * nonce is formed. */ memcpy(nonce, keys->write_iv, 4); @@ -1930,7 +1931,7 @@ ssl3_AESGCM(ssl3KeyMaterial *keys, param.len = sizeof(gcmParams); gcmParams.pIv = nonce; gcmParams.ulIvLen = sizeof(nonce); - gcmParams.pAAD = additionalData; + gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ gcmParams.ulAADLen = additionalDataLen; gcmParams.ulTagBits = tagSize * 8; @@ -1955,14 +1956,11 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys, int maxout, const unsigned char *in, int inlen, - SSL3ContentType type, - SSL3ProtocolVersion version, - SSL3SequenceNumber seq_num) + const unsigned char *additionalData, + int additionalDataLen) { SECStatus rv = SECFailure; unsigned char nonce[12]; - unsigned char additionalData[13]; - unsigned int additionalDataLen; unsigned int uOutLen; AESContext *cx; CK_GCM_PARAMS gcmParams; 
@@ -1970,14 +1968,6 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys, static const int tagSize = 16; static const int explicitNonceLen = 8; - /* See https://tools.ietf.org/html/rfc5246#section-6.2.3.3 for the - * definition of the AEAD additional data. */ - additionalDataLen = ssl3_BuildRecordPseudoHeader( - additionalData, seq_num, type, PR_TRUE /* includes version */, - version, PR_FALSE /* not DTLS */, - inlen - (doDecrypt ? explicitNonceLen + tagSize : 0)); - PORT_Assert(additionalDataLen <= sizeof(additionalData)); - /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the * nonce is formed. */ PORT_Assert(keys->write_iv_item.len == 4); @@ -2006,7 +1996,7 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys, gcmParams.pIv = nonce; gcmParams.ulIvLen = sizeof(nonce); - gcmParams.pAAD = additionalData; + gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */ gcmParams.ulAADLen = additionalDataLen; gcmParams.ulTagBits = tagSize * 8; @@ -2307,10 +2297,8 @@ static SECStatus ssl3_ComputeRecordMAC( ssl3CipherSpec * spec, PRBool useServerMacKey, - PRBool isDTLS, - SSL3ContentType type, - SSL3ProtocolVersion version, - SSL3SequenceNumber seq_num, + const unsigned char *header, + unsigned int headerLen, const SSL3Opaque * input, int inputLength, unsigned char * outbuf, 
@@ -2318,22 +2306,8 @@ ssl3_ComputeRecordMAC( { const ssl3MACDef * mac_def; SECStatus rv; - PRBool isTLS; - unsigned int tempLen; - unsigned char temp[MAX_MAC_LENGTH]; - - /* TLS MAC includes the record's version field, SSL's doesn't. - ** We decide which MAC defintiion to use based on the version of - ** the protocol that was negotiated when the spec became current, - ** NOT based on the version value in the record itself. - ** But, we use the record's version value in the computation. - */ - isTLS = spec->version > SSL_LIBRARY_VERSION_3_0; - tempLen = ssl3_BuildRecordPseudoHeader(temp, seq_num, type, isTLS, - version, isDTLS, inputLength); - PORT_Assert(tempLen <= sizeof(temp)); - PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen)); + PRINT_BUF(95, (NULL, "frag hash1: header", header, headerLen)); PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength)); mac_def = spec->mac_def; @@ -2378,7 +2352,10 @@ ssl3_ComputeRecordMAC( return SECFailure; } - if (!isTLS) { + if (spec->version <= SSL_LIBRARY_VERSION_3_0) { + unsigned int tempLen; + unsigned char temp[MAX_MAC_LENGTH]; + /* compute "inner" part of SSL3 MAC */ hashObj->begin(write_mac_context); if (useServerMacKey) @@ -2390,7 +2367,7 @@ ssl3_ComputeRecordMAC( spec->client.write_mac_key_item.data, spec->client.write_mac_key_item.len); hashObj->update(write_mac_context, mac_pad_1, pad_bytes); - hashObj->update(write_mac_context, temp, tempLen); + hashObj->update(write_mac_context, header, headerLen); hashObj->update(write_mac_context, input, inputLength); hashObj->end(write_mac_context, temp, &tempLen, sizeof temp); @@ -2421,7 +2398,7 @@ ssl3_ComputeRecordMAC( } if (rv == SECSuccess) { HMAC_Begin(cx); - HMAC_Update(cx, temp, tempLen); + HMAC_Update(cx, header, headerLen); HMAC_Update(cx, input, inputLength); rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size); HMAC_Destroy(cx, PR_FALSE); 
@@ -2435,7 +2412,7 @@ ssl3_ComputeRecordMAC( (useServerMacKey ? spec->server.write_mac_context : spec->client.write_mac_context); rv = PK11_DigestBegin(mac_context); - rv |= PK11_DigestOp(mac_context, temp, tempLen); + rv |= PK11_DigestOp(mac_context, header, headerLen); rv |= PK11_DigestOp(mac_context, input, inputLength); rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size); } @@ -2475,10 +2452,8 @@ static SECStatus ssl3_ComputeRecordMACConstantTime( ssl3CipherSpec * spec, PRBool useServerMacKey, - PRBool isDTLS, - SSL3ContentType type, - SSL3ProtocolVersion version, - SSL3SequenceNumber seq_num, + const unsigned char *header, + unsigned int headerLen, const SSL3Opaque * input, int inputLen, int originalLen, @@ -2490,9 +2465,7 @@ ssl3_ComputeRecordMACConstantTime( PK11Context * mac_context; SECItem param; SECStatus rv; - unsigned char header[13]; PK11SymKey * key; - int recordLength; PORT_Assert(inputLen >= spec->mac_size); PORT_Assert(originalLen >= inputLen); 
@@ -2508,42 +2481,15 @@ ssl3_ComputeRecordMACConstantTime( return SECSuccess; } - header[0] = (unsigned char)(seq_num.high >> 24); - header[1] = (unsigned char)(seq_num.high >> 16); - header[2] = (unsigned char)(seq_num.high >> 8); - header[3] = (unsigned char)(seq_num.high >> 0); - header[4] = (unsigned char)(seq_num.low >> 24); - header[5] = (unsigned char)(seq_num.low >> 16); - header[6] = (unsigned char)(seq_num.low >> 8); - header[7] = (unsigned char)(seq_num.low >> 0); - header[8] = type; - macType = CKM_NSS_HMAC_CONSTANT_TIME; - recordLength = inputLen - spec->mac_size; if (spec->version <= SSL_LIBRARY_VERSION_3_0) { macType = CKM_NSS_SSL3_MAC_CONSTANT_TIME; - header[9] = recordLength >> 8; - header[10] = recordLength; - params.ulHeaderLen = 11; - } else { - if (isDTLS) { - SSL3ProtocolVersion dtls_version; - - dtls_version = dtls_TLSVersionToDTLSVersion(version); - header[9] = dtls_version >> 8; - header[10] = dtls_version; - } else { - header[9] = version >> 8; - header[10] = version; - } - header[11] = recordLength >> 8; - header[12] = recordLength; - params.ulHeaderLen = 13; } params.macAlg = spec->mac_def->mmech; params.ulBodyTotalLen = originalLen; - params.pHeader = header; + params.pHeader = (unsigned char *) header; /* const cast */ + params.ulHeaderLen = headerLen; param.data = (unsigned char*) ¶ms; param.len = sizeof(params); @@ -2576,9 +2522,8 @@ fallback: /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the * length already. */ inputLen -= spec->mac_size; - return ssl3_ComputeRecordMAC(spec, useServerMacKey, isDTLS, type, - version, seq_num, input, inputLen, - outbuf, outLen); + return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen, + input, inputLen, outbuf, outLen); } static PRBool 
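Review bot: `params.ulHeaderLen = headerLen;` now trusts the caller to have built an 11-byte SSL3 or 13-byte TLS header that matches the `macType` chosen a few lines above from `spec->version`; the removed code produced both locally, so they could not disagree. If CKM_NSS_SSL3_MAC_CONSTANT_TIME and CKM_NSS_HMAC_CONSTANT_TIME read the length bytes at fixed offsets, as the old 11/13 split suggests, a mismatched header yields a wrong MAC rather than an error, so I would pin the invariant with `PORT_Assert(headerLen == (spec->version <= SSL_LIBRARY_VERSION_3_0 ? 11 : 13));` beside the macType selection. The signature of this function is changed in the preceding hunk and its body continues into the `fallback:` hunk that follows.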
@@ -2630,6 +2575,8 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, PRUint16 headerLen; int ivLen = 0; int cipherBytes = 0; + unsigned char pseudoHeader[13]; + unsigned int pseudoHeaderLen; cipher_def = cwSpec->cipher_def; headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH; @@ -2675,6 +2622,11 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, contentLen = outlen; } + pseudoHeaderLen = ssl3_BuildRecordPseudoHeader( + pseudoHeader, cwSpec->write_seq_num, type, + cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version, + isDTLS, contentLen); + PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader)); if (cipher_def->type == type_aead) { const int nonceLen = cipher_def->explicit_nonce_size; const int tagLen = cipher_def->tag_size; @@ -2692,7 +2644,7 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, &cipherBytes, /* out len */ wrBuf->space - headerLen, /* max out */ pIn, contentLen, /* input */ - type, cwSpec->version, cwSpec->write_seq_num); + pseudoHeader, pseudoHeaderLen); if (rv != SECSuccess) { PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE); return SECFailure; @@ -2701,8 +2653,8 @@ ssl3_CompressMACEncryptRecord(ssl3CipherSpec * cwSpec, /* * Add the MAC */ - rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS, - type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen, + rv = ssl3_ComputeRecordMAC(cwSpec, isServer, + pseudoHeader, pseudoHeaderLen, pIn, contentLen, wrBuf->buf + headerLen + ivLen + contentLen, &macLen); if (rv != SECSuccess) { ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE); @@ -11407,6 +11359,8 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) unsigned int originalLen = 0; unsigned int good; unsigned int minLength; + unsigned char header[13]; + unsigned int headerLen; PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 
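Review bot: In the @@ -2675 hunk the TLS-versus-SSL3 decision is written as `cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0`, while ssl3_ComputeRecordMAC uses `spec->version <= SSL_LIBRARY_VERSION_3_0` and ssl3_HandleRecord uses `isTLS`; the two comparisons agree only because no version number lies between SSL_LIBRARY_VERSION_3_0 and SSL_LIBRARY_VERSION_TLS_1_0. I would spell the predicate once, e.g. `(cwSpec->version > SSL_LIBRARY_VERSION_3_0)` with the comment `/* TLS pseudo-header includes the record version, SSL3's does not */`, so the three record-layer sites cannot drift. The `13` in `unsigned char pseudoHeader[13]` (and `header[13]` in ssl3_HandleRecord) is the TLS pseudo-header size and would be clearer as a named constant shared with ssl3_BuildRecordPseudoHeader. Building the header after compression so that `contentLen` is the compressed length keeps the same length the removed calls passed.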
@@ -11560,6 +11514,17 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) rType = cText->type; if (cipher_def->type == type_aead) { + /* XXX For many AEAD ciphers, the plaintext is shorter than the + * ciphertext by a fixed byte count, but it is not true in general. + * Each AEAD cipher should provide a function that returns the + * plaintext length for a given ciphertext. */ + unsigned int decryptedLen = + cText->buf->len - cipher_def->explicit_nonce_size - + cipher_def->tag_size; + headerLen = ssl3_BuildRecordPseudoHeader( + header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, + rType, isTLS, cText->version, IS_DTLS(ss), decryptedLen); + PORT_Assert(headerLen <= sizeof(header)); rv = crSpec->aead( ss->sec.isServer ? &crSpec->client : &crSpec->server, PR_TRUE, /* do decrypt */ @@ -11568,9 +11533,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) plaintext->space, /* maxout */ cText->buf->buf, /* in */ cText->buf->len, /* inlen */ - rType, /* record type */ - cText->version, - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num); + header, headerLen); if (rv != SECSuccess) { good = 0; } @@ -11597,7 +11560,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) const unsigned int blockSize = cipher_def->block_size; const unsigned int macSize = crSpec->mac_size; - if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) { + if (!isTLS) { good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding( plaintext, blockSize, macSize)); } else { 
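Review bot: `decryptedLen = cText->buf->len - cipher_def->explicit_nonce_size - cipher_def->tag_size` is unsigned arithmetic and wraps for a record shorter than nonce plus tag; the wrapped value is then truncated into the 16-bit length field of the AAD and the aead call runs on the short buffer. Whether that is reachable depends on the `minLength` check earlier in ssl3_HandleRecord (declared in the @@ -11407 hunk, computed outside this view); if it does not already include `explicit_nonce_size + tag_size` for type_aead, extend it there, and in either case put `PORT_Assert(cText->buf->len >= cipher_def->explicit_nonce_size + cipher_def->tag_size);` before the subtraction so the invariant is visible here. A GCM tag check should reject such a record anyway, so this is about not depending on the AEAD to catch a malformed length rather than a known bypass. The XXX comment is accurate: this delta is AES-GCM specific, and a per-cipher plaintext-length callback in the cipher definition would remove the duplicated constant.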
@@ -11607,11 +11570,14 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) } /* compute the MAC */ + headerLen = ssl3_BuildRecordPseudoHeader( + header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, + rType, isTLS, cText->version, IS_DTLS(ss), + plaintext->len - crSpec->mac_size); + PORT_Assert(headerLen <= sizeof(header)); if (cipher_def->type == type_block) { rv = ssl3_ComputeRecordMACConstantTime( - crSpec, (PRBool)(!ss->sec.isServer), - IS_DTLS(ss), rType, cText->version, - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, + crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, plaintext->buf, plaintext->len, originalLen, hash, &hashBytes); @@ -11629,11 +11595,8 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf) plaintext->len -= crSpec->mac_size; rv = ssl3_ComputeRecordMAC( - crSpec, (PRBool)(!ss->sec.isServer), - IS_DTLS(ss), rType, cText->version, - IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, - plaintext->buf, plaintext->len, - hash, &hashBytes); + crSpec, (PRBool)(!ss->sec.isServer), header, headerLen, + plaintext->buf, plaintext->len, hash, &hashBytes); /* We can read the MAC directly from the record because its location * is public when a stream cipher is used. */ diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h index da302abe..1f08542 100644 --- a/net/third_party/nss/ssl/sslimpl.h +++ b/net/third_party/nss/ssl/sslimpl.h @@ -72,6 +72,7 @@ typedef SSLSignType SSL3SignType; #define hmac_md5 ssl_hmac_md5 #define hmac_sha ssl_hmac_sha #define hmac_sha256 ssl_hmac_sha256 +#define mac_aead ssl_mac_aead #define SET_ERROR_CODE /* reminder */ #define SEND_ALERT /* reminder */ 
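Review bot: The header is now built once before the block/stream split using `plaintext->len - crSpec->mac_size`, another unsigned subtraction that relies on `plaintext->len >= crSpec->mac_size` having been established earlier (the minLength check is outside this view); a `PORT_Assert(plaintext->len >= crSpec->mac_size);` ahead of it would document that dependency. This hunk also passes `isTLS` as the includesVersion argument, which matches the contract in the ssl3_BuildRecordPseudoHeader comment only if `isTLS` is derived from crSpec->version rather than ss->version; its definition is outside this view, so worth confirming. The enclosing function continues beyond this hunk.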
@@ -533,9 +534,8 @@ typedef SECStatus (*SSLAEADCipher)( int maxout, const unsigned char *in, int inlen, - SSL3ContentType type, - SSL3ProtocolVersion version, - SSL3SequenceNumber seqnum); + const unsigned char *additionalData, + int additionalDataLen); typedef SECStatus (*SSLCompressor)(void * context, unsigned char * out, int * outlen, diff --git a/net/third_party/nss/ssl/sslinfo.c b/net/third_party/nss/ssl/sslinfo.c index 215731e..9597209 100644 --- a/net/third_party/nss/ssl/sslinfo.c +++ b/net/third_party/nss/ssl/sslinfo.c @@ -128,6 +128,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) #define B_40 128, 40, 40 #define B_0 0, 0, 0 +#define M_AEAD_128 "AEAD", ssl_mac_aead, 128 #define M_SHA256 "SHA256", ssl_hmac_sha256, 256 #define M_SHA "SHA1", ssl_mac_sha, 160 #define M_MD5 "MD5", ssl_mac_md5, 128 @@ -135,7 +136,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) static const SSLCipherSuiteInfo suiteInfo[] = { /* <------ Cipher suite --------------------> <auth> <KEA> <bulk cipher> <MAC> <FIPS> */ -{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, +{0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0, }, 
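Review bot: The two new SSLAEADCipher parameters are undocumented, and `additionalDataLen` is a signed `int` while the ssl3con.c callers pass `unsigned int` (`pseudoHeaderLen`, `headerLen`) and the implementations copy it into a CK_ULONG, where a negative value would become huge. I would declare it `unsigned int additionalDataLen` (matching ssl3_AESGCM, ssl3_AESGCMBypass and the forward declaration) and add above the typedef: `/* additionalData is the record pseudo-header from ssl3_BuildRecordPseudoHeader, used as the AEAD additional data (RFC 5246 6.2.3.3); its length field is the plaintext length, so on decrypt the caller passes the expected decrypted length. */`.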
@@ -150,7 +151,7 @@ static const SSLCipherSuiteInfo suiteInfo[] = { {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, }, -{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, +{0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, }, {0,CS(TLS_RSA_WITH_SEED_CBC_SHA), S_RSA, K_RSA, C_SEED,B_128, M_SHA, 1, 0, 0, }, @@ -180,8 +181,8 @@ static const SSLCipherSuiteInfo suiteInfo[] = { #ifdef NSS_ENABLE_ECC /* ECC cipher suites */ -{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, -{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_NULL, 1, 0, 0, }, +{0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, +{0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA), S_ECDSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, }, {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA), S_ECDSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, }, diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h index f4be174..b03422e 100644 --- a/net/third_party/nss/ssl/sslt.h +++ b/net/third_party/nss/ssl/sslt.h @@ -103,7 +103,8 @@ typedef enum { ssl_mac_sha = 2, ssl_hmac_md5 = 3, /* TLS HMAC version of mac_md5 */ ssl_hmac_sha = 4, /* TLS HMAC version of mac_sha */ - ssl_hmac_sha256 = 5 + ssl_hmac_sha256 = 5, + ssl_mac_aead = 6 } SSLMACAlgorithm; typedef enum { 
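Review bot: In the sslt.h hunk, `ssl_mac_aead = 6` is the only SSLMACAlgorithm value without a trailing comment, and in a public header readers will hit it before the SSLCipherSuiteInfo comment that explains it; I would write `ssl_mac_aead = 6 /* AEAD cipher suite: no MAC, macBits reports the tag length */`. Appending at the end of the enum keeps the existing values stable, which is right for a public type. The 128 in `M_AEAD_128` is consistent with the 16-byte `tagSize` ssl3_AESGCM uses, but nothing ties the two together; a comment on the macro, `/* 128 = AES-GCM tag length in bits */`, would help the next suite added here.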
@@ -159,6 +160,9 @@ typedef struct SSLCipherSuiteInfoStr { PRUint16 effectiveKeyBits; /* MAC info */ + /* AEAD ciphers don't have a MAC. For an AEAD cipher, macAlgorithmName + * is "AEAD", macAlgorithm is ssl_mac_aead, and macBits is the length in + * bits of the authentication tag. */ const char * macAlgorithmName; SSLMACAlgorithm macAlgorithm; PRUint16 macBits; |