This change makes a few tiny changes to the code to re-enable the use of
Chacha20 ciphers and align their key type.
There are a lot more changes in tests, mostly just to factor existing tests and
determine that the legacy and final PKCS#11 mechanisms work as expected.
Differential Revision: https://phabricator.services.mozilla.com/D135007
TestSuite r=bbeurdouche
grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests | xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g
grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed -i '' s/SetUpTestCase/SetUpTestSuite/g
Differential Revision: https://phabricator.services.mozilla.com/D98818
r=jcj,kjacobs,rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D74801
and ChaCha Poly
PKCS #11 defines a new interface for handling AEAD type ciphers that allow
multiple AEAD operations without repeating the key schedule. It also allows
tokens to keep track of the number of operations, and generate IVs (depending
on the cipher).
This patch:
1. implement those new functions in softoken.
With the addition of CKF_MESSAGE_* flags to various mechanisms, we need
to strip them when using the version 2 API of softoken (since there are
no C_Message* functions in version 2). For that we need a separate
C_GetMechanismInfo function. We use the same trick we used to have
a separate version function for the V2 interface.
Also now that the new message functions are in their own file, they
still need access to the common Session state processing functions.
Those have gone from static to exported within softoken to accommodate
that. Same with sftk_MapDecryptError() (sftk_MapVerifyError() was also
made global, though nothing else is yet using it).
Only C_MessageEncryptInit(), C_EncryptMessage(), C_MessageEncryptFinal,
C_MessageDecryptInit(), C_DecryptMessage(), and C_MessageDecryptFinal
are implemented. C_EncryptMessageBegin(), C_EncryptMessageNext(),
C_DecryptMessageBegin(), and C_DecryptMessageNext() are all
part of the multi-part within a multi-part operation and
are only necessary for things like S/MIME (potentially). If we wanted
to implement them, we would need more functions exported from freebl
(and initaead, updateaead, finalaead for each mechanism type).
2. make those interfaces call aes_gcm and chacha20_poly1305
(and make adjustments for those ciphers).
For AES, I added a new function AES_AEAD, which handles both encrypt
and decrypt. Internally, the gcm functions (both the generic gcm and
the intel gcm wrapper) had their init functions split into key scheduling
and counter mode/tag initialization. The latter is still called from
init, but the former is now for each update call. IV generation is
handled by a single function in gcm.c, and shared with intel_gcm_wrapper.c.
Since the AES functions already know about the underlying PKCS #11
mechanism parameters, the new AEAD functions also parse the PKCS #11 GCM
parameters.
For Chacha/Poly new aead update functions were created called
ChaChaPoly1305_Encrypt and ChaChaPoly1305_Decrypt. There was no
Message specific initialization in the existing chacha_init, so no
changes were needed there. The primary difference between
_Encrypt/_Decrypt and _Seal/_Open is the fact that the tag is put at
the end of the encrypted data buffer in the latter, and in a generic
buffer in the former.
3. create new pk11wrap interfaces that also squash the api differences
between the various mechanisms for aead (similar to the way we do it for
CBC and ECB crypto today).
To accomplish this I added PK11_AEADOp() and PK11_AEADRawOp(). Both
functions handle the case where the token only supports the single shot
interface, by using the single shot interface to simulate the
Message interface. The PK11_AEADOp() also smooths out the
differences in the parameters and semantics of the various mechanisms
so the application does not need to worry about the PKCS #11 differences
in the mechanism. Both use contexts from the standard
PK11_CreateContext(), so key schedules are done once for each key rather
than once for each message. MESSAGE/AEAD operations are selected by adding
the pseudo attribute flag CKA_NSS_MESSAGE to the requested operation
(CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY).
4. write tests for the new interfaces
Tests were added to make sure the PK11_AEADRawOp interface works.
The single shot interface is used to test output of the message interface.
We also use two test only functions to force the connection to use
the simulation interface, which is also compared to the non-simulate
interface. The AES_GCM also tests various IV generators.
Differential Revision: https://phabricator.services.mozilla.com/D67552
and CMAC tests r=franziskus
This patch updates to the latest Wycheproof vectors and adds Wycheproof support for CBC, CMAC, and P256-ECDH:
ChaCha20: +141 tests
Curve25519: +431 tests
GCM: +39 tests
CBC (new): +183 tests
CMAC (new): +308 tests
P256 ECDH (new): +460 tests
Differential Revision: https://phabricator.services.mozilla.com/D57477
This patch contains the changes in NSS, necessary to pick up HACL*v2 in D55413. It has a couple of TODOs:
* The chacha20 saw verification fails for some reason; it's disabled pending Bug 1604130.
* The hacl task on CI requires Bug 1593647 to get fixed.
Depends on D55413.
Differential Revision: https://phabricator.services.mozilla.com/D55414
initialization r=mt
This patch adds an explicit cast to fix a UBSAN issue that was flagged in https://treeherder.mozilla.org/#/jobs?repo=nss-try&selectedJob=280720441.
It also updates the test to use a random IV.
Differential Revision: https://phabricator.services.mozilla.com/D56810
Summary:
This modifies the encrypt/decrypt paths to only modify their outparams
when the operation succeeds. It adds tests to verify this.
Reviewers: jcj
Reviewed By: jcj
Bug #: 1528174
Differential Revision: https://phabricator.services.mozilla.com/D20962
PK11_Decrypt when the plaintext message is empty. r=mt
Differential Revision: https://phabricator.services.mozilla.com/D29249
Summary:
This adds a "CTR" mode for ChaCha20. This takes a composite 16 octet "IV",
which is internally decomposed into a nonce and counter.
This operates like a CTR mode cipher on arbitrary input, up to the ChaCha20
limit of 2^32 x 64 octet blocks. The counter provided is a starting counter and
it is incremented if more than 64 octets of input is provided.
Reviewers: ekr
Tags: #secure-revision
Bug #: 1534468
Differential Revision: https://phabricator.services.mozilla.com/D23060
Differential Revision: https://phabricator.services.mozilla.com/D14843
Summary:
Adapted chacha20_poly1305 unittests to wycheproof testcases.
Extended test vector header generation script to include chacha.
Depends on D12559.
Reviewers: franziskus
Subscribers: jcj
Bug #: 1508673
Differential Revision: https://phabricator.services.mozilla.com/D13798
Differential Revision: https://phabricator.services.mozilla.com/D2719
Differential Revision: https://phabricator.services.mozilla.com/D2720
Differential Revision: https://phabricator.services.mozilla.com/D2861
Differential Revision: https://nss-review.dev.mozaws.net/D229