1 diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
2 index 8be517c..53c29f0 100644
3 --- a/nss/lib/ssl/ssl3con.c
4 +++ b/nss/lib/ssl/ssl3con.c
5 @@ -40,6 +40,21 @@
6 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
7 #endif
8
9 +/* This is a bodge to allow this code to be compiled against older NSS
10 + * headers. */
11 +#ifndef CKM_NSS_CHACHA20_POLY1305
12 +#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26)
13 +
14 +typedef struct CK_NSS_AEAD_PARAMS {
15 + CK_BYTE_PTR pIv; /* This is the nonce. */
16 + CK_ULONG ulIvLen;
17 + CK_BYTE_PTR pAAD;
18 + CK_ULONG ulAADLen;
19 + CK_ULONG ulTagLen;
20 +} CK_NSS_AEAD_PARAMS;
21 +
22 +#endif
23 +
24 #include <stdio.h>
25 #ifdef NSS_ENABLE_ZLIB
26 #include "zlib.h"
27 @@ -100,6 +115,8 @@ static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
28 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
29 /* cipher_suite policy enabled is_present*/
30 #ifdef NSS_ENABLE_ECC
31 + { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
32 + { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
33 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
34 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
35 #endif /* NSS_ENABLE_ECC */
36 @@ -273,6 +290,7 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = {
37 {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0},
38 {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0},
39 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8},
40 + {cipher_chacha20, calg_chacha20, 32,32, type_aead, 0, 0,16, 0},
41 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
42 };
43
44
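Review bot: The fallback block in the first ssl3con.c hunk hard-codes `CKM_NSS_CHACHA20_POLY1305` as `(CKM_NSS + 26)` and re-declares `CK_NSS_AEAD_PARAMS`, but nothing records that both must match what the PKCS#11 module loaded at run time implements. If the two ever disagree, the parameter block handed to the token would be misinterpreted at run time rather than rejected at build time. I would extend the existing comment, for example `/* Value and struct layout must stay identical to the definitions in the PKCS#11 module that implements the mechanism. */`. The single `#ifndef` also guards the typedef, so a header set that defines the macro without the struct would not build; presumably that cannot happen, but the comment could say so.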
@@ -399,6 +417,8 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] =
45 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
46 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
47 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
48 + {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_rsa},
49 + {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa},
50
51 #ifdef NSS_ENABLE_ECC
52 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
53 @@ -464,6 +484,7 @@ static const SSLCipher2Mech alg2Mech[] = {
54 { calg_camellia , CKM_CAMELLIA_CBC },
55 { calg_seed , CKM_SEED_CBC },
56 { calg_aes_gcm , CKM_AES_GCM },
57 + { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305 },
58 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
59 };
60
61
@@ -2020,6 +2041,46 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
62 }
63 #endif
64
65 +static SECStatus
66 +ssl3_ChaCha20Poly1305(
67 + ssl3KeyMaterial *keys,
68 + PRBool doDecrypt,
69 + unsigned char *out,
70 + int *outlen,
71 + int maxout,
72 + const unsigned char *in,
73 + int inlen,
74 + const unsigned char *additionalData,
75 + int additionalDataLen)
76 +{
77 + SECItem param;
78 + SECStatus rv = SECFailure;
79 + unsigned int uOutLen;
80 + CK_NSS_AEAD_PARAMS aeadParams;
81 + static const int tagSize = 16;
82 +
83 + param.type = siBuffer;
84 + param.len = sizeof(aeadParams);
85 + param.data = (unsigned char *) &aeadParams;
86 + memset(&aeadParams, 0, sizeof(aeadParams));
87 + aeadParams.pIv = (unsigned char *) additionalData;
88 + aeadParams.ulIvLen = 8;
89 + aeadParams.pAAD = (unsigned char *) additionalData;
90 + aeadParams.ulAADLen = additionalDataLen;
91 + aeadParams.ulTagLen = tagSize;
92 +
93 + if (doDecrypt) {
94 + rv = pk11_decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m,
95 + out, &uOutLen, maxout, in, inlen);
96 + } else {
97 + rv = pk11_encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m,
98 + out, &uOutLen, maxout, in, inlen);
99 + }
100 + *outlen = (int) uOutLen;
101 +
102 + return rv;
103 +}
104 +
105 /* Initialize encryption and MAC contexts for pending spec.
106 * Master Secret already is derived.
107 * Caller holds Spec write lock.
108 @@ -2053,13 +2114,17 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss)
109 pwSpec->client.write_mac_context = NULL;
110 pwSpec->server.write_mac_context = NULL;
111
112 - if (calg == calg_aes_gcm) {
113 + if (calg == calg_aes_gcm || calg == calg_chacha20) {
114 pwSpec->encode = NULL;
115 pwSpec->decode = NULL;
116 pwSpec->destroy = NULL;
117 pwSpec->encodeContext = NULL;
118 pwSpec->decodeContext = NULL;
119 - pwSpec->aead = ssl3_AESGCM;
120 + if (calg == calg_aes_gcm) {
121 + pwSpec->aead = ssl3_AESGCM;
122 + } else {
123 + pwSpec->aead = ssl3_ChaCha20Poly1305;
124 + }
125 return SECSuccess;
126 }
127
128
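Review bot: In the new `ssl3_ChaCha20Poly1305` (the `@@ -2020` hunk), `uOutLen` is declared without an initialiser, yet `*outlen = (int) uOutLen;` runs whether or not `pk11_encrypt`/`pk11_decrypt` succeeded. If the callee leaves the length untouched on error, for instance on a failed tag check, the caller receives an indeterminate value. Declare it as `unsigned int uOutLen = 0;`, or store to `*outlen` only when `rv == SECSuccess`. The nonce is taken as the first 8 bytes of `additionalData` with no check on `additionalDataLen`, so a guard such as `if (additionalDataLen < 8) return SECFailure;` belongs before `aeadParams` is filled in. A comment should also state that nonce uniqueness relies on those bytes being the record sequence number, which the hunk itself does not show.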
diff --git a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c
129 index a3638e7..21a5e05 100644
130 --- a/nss/lib/ssl/ssl3ecc.c
131 +++ b/nss/lib/ssl/ssl3ecc.c
132 @@ -913,6 +913,7 @@ static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
133 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
134 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
135 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
136 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
137 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
138 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
139 0 /* end of list marker */
140 @@ -924,6 +925,7 @@ static const ssl3CipherSuite ecdhe_rsa_suites[] = {
141 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
142 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
143 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
144 + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
145 TLS_ECDHE_RSA_WITH_NULL_SHA,
146 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
147 0 /* end of list marker */
148 @@ -936,6 +938,7 @@ static const ssl3CipherSuite ecSuites[] = {
149 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
150 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
151 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
152 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
153 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
154 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
155 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
156 @@ -943,6 +946,7 @@ static const ssl3CipherSuite ecSuites[] = {
157 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
158 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
159 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
160 + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
161 TLS_ECDHE_RSA_WITH_NULL_SHA,
162 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
163 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
164 diff --git a/nss/lib/ssl/sslenum.c b/nss/lib/ssl/sslenum.c
165 index 597ec07..fc6b854 100644
166 --- a/nss/lib/ssl/sslenum.c
167 +++ b/nss/lib/ssl/sslenum.c
168
@@ -31,6 +31,8 @@
169 const PRUint16 SSL_ImplementedCiphers[] = {
170 /* AES-GCM */
171 #ifdef NSS_ENABLE_ECC
172 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
173 + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
174 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
175 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
176 #endif /* NSS_ENABLE_ECC */
177 diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
178 index 0fe12d0..e3ae9ce 100644
179 --- a/nss/lib/ssl/sslimpl.h
180 +++ b/nss/lib/ssl/sslimpl.h
181 @@ -65,6 +65,7 @@ typedef SSLSignType SSL3SignType;
182 #define calg_camellia ssl_calg_camellia
183 #define calg_seed ssl_calg_seed
184 #define calg_aes_gcm ssl_calg_aes_gcm
185 +#define calg_chacha20 ssl_calg_chacha20
186
187 #define mac_null ssl_mac_null
188 #define mac_md5 ssl_mac_md5
189 @@ -292,7 +293,7 @@ typedef struct {
190 } ssl3CipherSuiteCfg;
191
192 #ifdef NSS_ENABLE_ECC
193 -#define ssl_V3_SUITES_IMPLEMENTED 61
194 +#define ssl_V3_SUITES_IMPLEMENTED 63
195 #else
196 #define ssl_V3_SUITES_IMPLEMENTED 37
197 #endif /* NSS_ENABLE_ECC */
198 @@ -474,6 +475,7 @@ typedef enum {
199 cipher_camellia_256,
200 cipher_seed,
201 cipher_aes_128_gcm,
202 + cipher_chacha20,
203 cipher_missing /* reserved for no such supported cipher */
204 /* This enum must match ssl3_cipherName[] in ssl3con.c. */
205 } SSL3BulkCipher;
206 diff --git a/nss/lib/ssl/sslinfo.c b/nss/lib/ssl/sslinfo.c
207 index 9597209..bfc1676 100644
208 --- a/nss/lib/ssl/sslinfo.c
209 +++ b/nss/lib/ssl/sslinfo.c
210 @@ -118,6 +118,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
211 #define C_NULL "NULL", calg_null
212 #define C_SJ "SKIPJACK", calg_sj
213 #define C_AESGCM "AES-GCM", calg_aes_gcm
214 +#define C_CHACHA20 "CHACHA20POLY1305", calg_chacha20
215
216 #define B_256 256, 256, 256
217 #define B_128 128, 128, 128
218
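Review bot: The `/* AES-GCM */` heading in `SSL_ImplementedCiphers[]` (sslenum.c hunk) now sits directly above the two ChaCha20-Poly1305 entries, so it no longer describes the group it introduces. Rename it to `/* AEAD suites */`, or give the new entries their own `/* ChaCha20-Poly1305 */` heading. The array's closing lines are outside the hunk.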
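Review bot: The `SSL3BulkCipher` hunk in sslimpl.h inserts `cipher_chacha20` ahead of `cipher_missing`, and the context comment just below says the enum must match `ssl3_cipherName[]` in ssl3con.c, but none of the ssl3con.c hunks in this patch touches that table. If the array is indexed by the enum value, as the comment suggests, `cipher_chacha20` would pick up the string meant for `cipher_missing`, and `cipher_missing` would read one element past the end. Add a matching entry such as `"ChaCha20-Poly1305",` before the last element of `ssl3_cipherName[]`. The enum's opening lines are outside the hunk.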
@@ -196,12 +197,14 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
219 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
220 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
221 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
222 +{0,CS(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305),S_ECDSA,K_ECDHE,C_CHACHA20,B_256,M_AEAD_128,0, 0, 0, },
223
224 {0,CS(TLS_ECDH_RSA_WITH_NULL_SHA), S_RSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
225 {0,CS(TLS_ECDH_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
226 {0,CS(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
227 {0,CS(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDH, C_AES, B_128, M_SHA, 1, 0, 0, },
228 {0,CS(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDH, C_AES, B_256, M_SHA, 1, 0, 0, },
229 +{0,CS(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305), S_RSA,K_ECDHE,C_CHACHA20,B_256,M_AEAD_128, 0, 0, 0, },
230
231 {0,CS(TLS_ECDHE_RSA_WITH_NULL_SHA), S_RSA, K_ECDHE, C_NULL, B_0, M_SHA, 0, 0, 0, },
232 {0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
233 diff --git a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
234 index 53bba01..6b60a28 100644
235 --- a/nss/lib/ssl/sslproto.h
236 +++ b/nss/lib/ssl/sslproto.h
237 @@ -213,6 +213,9 @@
238 #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
239 #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
240
241 +#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 0xCC13
242 +#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 0xCC14
243 +
244 /* Netscape "experimental" cipher suites. */
245 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
246 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
247 diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
248 index c17c7a3..ffbccc6 100644
249 --- a/nss/lib/ssl/sslsock.c
250 +++ b/nss/lib/ssl/sslsock.c
251
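Review bot: The two new defines in the sslproto.h hunk, `0xCC13` and `0xCC14`, carry no comment about their status. As far as I know these are the code points of the pre-standard ChaCha20-Poly1305 draft, not the values later registered for the standardised suites. The 8-byte nonce set up in `ssl3_ChaCha20Poly1305` in ssl3con.c looks like that draft construction. A peer that only implements the registered suites would presumably not negotiate these. A comment above the defines, e.g. `/* Draft ChaCha20-Poly1305 suites; code points and nonce construction are not final. */`, would keep a later reader from assuming interoperability.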
@@ -98,6 +98,7 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */
252 { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
253 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
254 { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
255 + { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
256 { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, SSL_ALLOWED },
257 { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
258 { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
259 @@ -110,6 +111,7 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */
260 { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
261 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
262 { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
263 + { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
264 #endif /* NSS_ENABLE_ECC */
265 { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
266 };
267 diff --git a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
268 index b03422e..a8007d8 100644
269 --- a/nss/lib/ssl/sslt.h
270 +++ b/nss/lib/ssl/sslt.h
271 @@ -94,7 +94,8 @@ typedef enum {
272 ssl_calg_aes = 7,
273 ssl_calg_camellia = 8,
274 ssl_calg_seed = 9,
275 - ssl_calg_aes_gcm = 10
276 + ssl_calg_aes_gcm = 10,
277 + ssl_calg_chacha20 = 11
278 } SSLCipherAlgorithm;
279
280 typedef enum {
281