From 81b51a48e5dcdaf0bd1c23e3525f712b2a75b0ec Mon Sep 17 00:00:00 2001 From: Tim Taubert Date: Thu, 11 Feb 2016 08:42:47 +0100 Subject: Bug 1227905 - Support ChaCha20+Poly1305 cipher suites r=mt,wtc,ekr --- cmd/ssltap/ssltap.c | 4 + external_tests/ssl_gtest/ssl_loopback_unittest.cc | 36 ++++++++ lib/pk11wrap/pk11pars.c | 1 + lib/ssl/ssl3con.c | 101 ++++++++++++++++++++-- lib/ssl/ssl3ecc.c | 4 + lib/ssl/sslenum.c | 3 + lib/ssl/sslimpl.h | 6 +- lib/ssl/sslinfo.c | 4 + lib/ssl/sslproto.h | 4 + lib/ssl/sslt.h | 3 +- lib/util/secoid.c | 3 +- lib/util/secoidt.h | 2 + tests/ssl/ssl.sh | 18 ++-- tests/ssl/sslcov.txt | 3 + 14 files changed, 169 insertions(+), 23 deletions(-) diff --git a/cmd/ssltap/ssltap.c b/cmd/ssltap/ssltap.c index 8ea465ef3..29b91910e 100644 --- a/cmd/ssltap/ssltap.c +++ b/cmd/ssltap/ssltap.c @@ -443,6 +443,10 @@ const char * V2CipherString(int cs_int) case 0x00C02C: cs_str = "TLS/ECDHE-ECDSA/AES256-GCM/SHA384"; break; case 0x00C02F: cs_str = "TLS/ECDHE-RSA/AES128-GCM/SHA256"; break; + case 0x00CCA8: cs_str = "TLS/ECDHE-RSA/CHACHA20-POLY1305/SHA256"; break; + case 0x00CCA9: cs_str = "TLS/ECDHE-ECDSA/CHACHA20-POLY1305/SHA256"; break; + case 0x00CCAA: cs_str = "TLS/DHE-RSA/CHACHA20-POLY1305/SHA256"; break; + case 0x00FEFF: cs_str = "SSL3/RSA-FIPS/3DESEDE-CBC/SHA"; break; case 0x00FEFE: cs_str = "SSL3/RSA-FIPS/DES-CBC/SHA"; break; case 0x00FFE1: cs_str = "SSL3/RSA-FIPS/DES56-CBC/SHA"; break; diff --git a/external_tests/ssl_gtest/ssl_loopback_unittest.cc b/external_tests/ssl_gtest/ssl_loopback_unittest.cc index 443806b87..d903552e4 100644 --- a/external_tests/ssl_gtest/ssl_loopback_unittest.cc +++ b/external_tests/ssl_gtest/ssl_loopback_unittest.cc 
@@ -108,6 +108,29 @@ class TlsServerKeyExchangeEcdhe { DataBuffer public_key_; }; +class TlsChaCha20Poly1305Test : public TlsConnectTls12 { + public: + void ConnectSendReceive(PRUint32 cipher_suite) + { + // Disable all ciphers. + client_->DisableCiphersByKeyExchange(ssl_kea_rsa); + client_->DisableCiphersByKeyExchange(ssl_kea_dh); + client_->DisableCiphersByKeyExchange(ssl_kea_ecdh); + + // Re-enable ChaCha20/Poly1305. + SECStatus rv = SSL_CipherPrefSet(client_->ssl_fd(), cipher_suite, PR_TRUE); + EXPECT_EQ(SECSuccess, rv); + + Connect(); + SendReceive(); + + // Check that we used the right cipher suite. + int16_t actual, expected = static_cast(cipher_suite); + EXPECT_TRUE(client_->cipher_suite(&actual) && actual == expected); + EXPECT_TRUE(server_->cipher_suite(&actual) && actual == expected); + } +}; + TEST_P(TlsConnectGeneric, SetupOnly) {} TEST_P(TlsConnectGeneric, Connect) { @@ -542,6 +565,19 @@ TEST_P(TlsConnectGeneric, ConnectSendReceive) { SendReceive(); } +TEST_P(TlsChaCha20Poly1305Test, SendReceiveChaCha20Poly1305DheRsa) { + ConnectSendReceive(TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256); +} + +TEST_P(TlsChaCha20Poly1305Test, SendReceiveChaCha20Poly1305EcdheRsa) { + ConnectSendReceive(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256); +} + +TEST_P(TlsChaCha20Poly1305Test, SendReceiveChaCha20Poly1305EcdheEcdsa) { + ResetEcdsa(); + ConnectSendReceive(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256); +} + // The next two tests takes advantage of the fact that we // automatically read the first 1024 bytes, so if // we provide 1200 bytes, they overrun the read buffer diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c index 51160bbda..8dd07e7e5 100644 --- a/lib/pk11wrap/pk11pars.c +++ b/lib/pk11wrap/pk11pars.c 
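Review bot: TlsChaCha20Poly1305Test derives from TlsConnectTls12 only, so the three new tests show the suites negotiate at TLS 1.2 but nothing checks that these AEAD suites are neither offered nor accepted below TLS 1.2; a companion test on a TLS 1.0/1.1 fixture that expects either a different suite or a failed handshake would pin that. In ConnectSendReceive the `int16_t actual, expected = ...` declaration initializes only the second of two variables on one line; `int16_t expected = ...;` and `int16_t actual;` on separate lines is the usual style. Folding `client_->cipher_suite(&actual)` and the comparison into one EXPECT_TRUE also hides which side disagreed and what it picked; `ASSERT_TRUE(client_->cipher_suite(&actual)); EXPECT_EQ(expected, actual);` reports the values on failure.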
@@ -354,6 +354,7 @@ static const oidValDef algOptList[] = { {CIPHER_NAME("CAMELLIA128-CBC"), SEC_OID_CAMELLIA_128_CBC, NSS_USE_ALG_IN_SSL}, {CIPHER_NAME("CAMELLIA192-CBC"), SEC_OID_CAMELLIA_192_CBC, NSS_USE_ALG_IN_SSL}, {CIPHER_NAME("CAMELLIA256-CBC"), SEC_OID_CAMELLIA_256_CBC, NSS_USE_ALG_IN_SSL}, + {CIPHER_NAME("CHACHA20-POLY1305"), SEC_OID_CHACHA20_POLY1305, NSS_USE_ALG_IN_SSL}, {CIPHER_NAME("SEED-CBC"), SEC_OID_SEED_CBC, NSS_USE_ALG_IN_SSL}, {CIPHER_NAME("DES-EDE3-CBC"), SEC_OID_DES_EDE3_CBC, NSS_USE_ALG_IN_SSL}, {CIPHER_NAME("DES-40-CBC"), SEC_OID_DES_40_CBC, NSS_USE_ALG_IN_SSL}, diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c index cfed4de70..316762b70 100644 --- a/lib/ssl/ssl3con.c +++ b/lib/ssl/ssl3con.c @@ -94,6 +94,8 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { #ifndef NSS_DISABLE_ECC { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around * bug 946147. */ @@ -110,6 +112,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { #endif /* NSS_DISABLE_ECC */ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, 
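Review bot: The DHE_RSA row added to cipherSuites[] drops the spaces after the commas that every neighbouring row uses (`...SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE`); write it as `{ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},` so the column layout of the table survives. Placing the new rows directly after the AES-GCM rows also fixes their default preference, so their position should mirror SSL_ImplementedCiphers[] in sslenum.c, which this commit does keep in step.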
@@ -289,6 +292,7 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = { {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0, SEC_OID_CAMELLIA_256_CBC}, {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0, SEC_OID_SEED_CBC}, {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8, SEC_OID_AES_128_GCM}, + {cipher_chacha20, calg_chacha20, 32,32, type_aead, 12, 0,16, 0, SEC_OID_CHACHA20_POLY1305}, {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0, 0}, }; @@ -420,6 +424,10 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] = {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss}, {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss}, + {TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_dhe_rsa}, + {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_rsa}, + {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa}, + #ifndef NSS_DISABLE_ECC {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa}, {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa}, @@ -484,6 +492,7 @@ static const SSLCipher2Mech alg2Mech[] = { { calg_camellia , CKM_CAMELLIA_CBC }, { calg_seed , CKM_SEED_CBC }, { calg_aes_gcm , CKM_AES_GCM }, + { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305 }, /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ }; @@ -1795,6 +1804,7 @@ ssl3_InitPendingContextsBypass(sslSocket *ss) case ssl_calg_idea: case ssl_calg_fortezza: case ssl_calg_aes_gcm: + case ssl_calg_chacha20: break; } 
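Review bot: The two ECDHE ChaCha20 rows added to cipher_suite_defs[] sit just above the `#ifndef NSS_DISABLE_ECC` guard rather than inside it, unlike their counterparts in cipherSuites[] and SSL_ImplementedCiphers[], which are compiled only with ECC. The rows are presumably harmless in a non-ECC build because the suites are never enabled there, but moving them below the `#ifndef` keeps the three tables consistent and avoids naming the ECDHE kea values in a build that does not otherwise use them. The DHE_RSA row can stay where it is. The bulk_cipher_defs[] row (iv_size 12, tag_size 16, explicit nonce 0) is what the nonce construction in ssl3_ChaCha20Poly1305 relies on, so a short comment there tying those numbers to the draft would help the next reader.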
@@ -1915,8 +1925,9 @@ ssl3_AESGCM(ssl3KeyMaterial *keys, unsigned int uOutLen; CK_GCM_PARAMS gcmParams; - static const int tagSize = 16; - static const int explicitNonceLen = 8; + const int tagSize = bulk_cipher_defs[cipher_aes_128_gcm].tag_size; + const int explicitNonceLen = + bulk_cipher_defs[cipher_aes_128_gcm].explicit_nonce_size; /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the * nonce is formed. */ @@ -1978,8 +1989,9 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys, AESContext *cx; CK_GCM_PARAMS gcmParams; - static const int tagSize = 16; - static const int explicitNonceLen = 8; + const int tagSize = bulk_cipher_defs[cipher_aes_128_gcm].tag_size; + const int explicitNonceLen = + bulk_cipher_defs[cipher_aes_128_gcm].explicit_nonce_size; /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the * nonce is formed. */ 
@@ -2033,6 +2045,55 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys, } #endif +static SECStatus +ssl3_ChaCha20Poly1305(ssl3KeyMaterial *keys, PRBool doDecrypt, + unsigned char *out, int *outlen, int maxout, + const unsigned char *in, int inlen, + const unsigned char *additionalData, + int additionalDataLen) +{ + size_t i; + SECItem param; + SECStatus rv = SECFailure; + unsigned int uOutLen; + unsigned char nonce[12]; + CK_NSS_AEAD_PARAMS aeadParams; + + const int tagSize = bulk_cipher_defs[cipher_chacha20].tag_size; + + /* See + * https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-04#section-2 + * for details of how the nonce is formed. */ + PORT_Memcpy(nonce, keys->write_iv, 12); + + /* XOR the last 8 bytes of the IV with the sequence number. */ + PORT_Assert(additionalDataLen >= 8); + for (i = 0; i < 8; ++i) { + nonce[4 + i] ^= additionalData[i]; + } + + param.type = siBuffer; + param.len = sizeof(aeadParams); + param.data = (unsigned char *)&aeadParams; + memset(&aeadParams, 0, sizeof(aeadParams)); + aeadParams.pNonce = nonce; + aeadParams.ulNonceLen = sizeof(nonce); + aeadParams.pAAD = (unsigned char *)additionalData; + aeadParams.ulAADLen = additionalDataLen; + aeadParams.ulTagLen = tagSize; + + if (doDecrypt) { + rv = PK11_Decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m, + out, &uOutLen, maxout, in, inlen); + } else { + rv = PK11_Encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m, + out, &uOutLen, maxout, in, inlen); + } + *outlen = (int)uOutLen; + + return rv; +} + /* Initialize encryption and MAC contexts for pending spec. * Master Secret already is derived. * Caller holds Spec write lock. 
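Review bot: `PORT_Assert(additionalDataLen >= 8)` is the only guard before the loop reads `additionalData[0..7]` into the nonce, and PORT_Assert is compiled out of release builds, so a short AAD would be read past its end there rather than rejected; a runtime check such as `if (additionalDataLen < 8) { PORT_SetError(SEC_ERROR_INPUT_LEN); return SECFailure; }` keeps the assert's intent in every build. `uOutLen` is also left uninitialized and is copied into `*outlen` even when PK11_Encrypt/PK11_Decrypt fails, so if the wrapper returns before writing it the caller receives an indeterminate length; `unsigned int uOutLen = 0;` closes that. The fixed-IV copy uses a literal 12 while `ulNonceLen` uses `sizeof(nonce)` and the tag size comes from `bulk_cipher_defs[cipher_chacha20]`; `PORT_Memcpy(nonce, keys->write_iv, sizeof(nonce));` with a comment that this must equal the table's iv_size would keep the three in step.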
@@ -2066,13 +2127,23 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss) pwSpec->client.write_mac_context = NULL; pwSpec->server.write_mac_context = NULL; - if (calg == calg_aes_gcm) { + if (cipher_def->type == type_aead) { pwSpec->encode = NULL; pwSpec->decode = NULL; pwSpec->destroy = NULL; pwSpec->encodeContext = NULL; pwSpec->decodeContext = NULL; - pwSpec->aead = ssl3_AESGCM; + switch (calg) { + case calg_aes_gcm: + pwSpec->aead = ssl3_AESGCM; + break; + case calg_chacha20: + pwSpec->aead = ssl3_ChaCha20Poly1305; + break; + default: + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } return SECSuccess; } @@ -2185,6 +2256,21 @@ fail: return SECFailure; } +/* Returns whether we can bypass PKCS#11 for a given cipher algorithm. + * + * We do not support PKCS#11 bypass for ChaCha20/Poly1305. + */ +static PRBool +ssl3_CanBypassCipher(SSLCipherAlgorithm calg) +{ + switch (calg) { + case calg_chacha20: + return PR_FALSE; + default: + return PR_TRUE; + } +} + /* Complete the initialization of all keys, ciphers, MACs and their contexts * for the pending Cipher Spec. * Called from: ssl3_SendClientKeyExchange (for Full handshake) @@ -2224,7 +2310,8 @@ ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms) } } #ifndef NO_PKCS11_BYPASS - if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) { + if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data && + ssl3_CanBypassCipher(ss->ssl3.pwSpec->cipher_def->calg)) { /* Double Bypass succeeded in extracting the master_secret */ const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; PRBool isTLS = (PRBool)(kea_def->tls_keygen || diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c index 1a9bb2e2c..bd2e1b93d 100644 --- a/lib/ssl/ssl3ecc.c +++ b/lib/ssl/ssl3ecc.c 
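Review bot: ssl3_CanBypassCipher answers PR_TRUE for every algorithm it does not list, so a future AEAD that the bypass code cannot handle would still be routed to the bypass path unless someone remembers to add it to this switch; the safer shape is to enumerate the algorithms bypass does implement and return PR_FALSE in the default case, or at least to say so in the header comment. A second line in that comment, `Any new cipher the bypass code does not implement must be listed here.`, would make the maintenance rule explicit.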
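Review bot: The added condition reaches the pending spec through `ss->ssl3.pwSpec->cipher_def->calg` while the same expression already uses the local `pwSpec` for `msItem`; `ssl3_CanBypassCipher(pwSpec->cipher_def->calg)` reads consistently and avoids a second pointer walk. When bypass is requested but the cipher cannot use it, the code presumably falls through to the PKCS#11 path below without any trace; a one-line comment such as `/* Ciphers without bypass support fall back to PKCS#11. */` would record that this is intended. ssl3_InitPendingCipherSpec begins and ends outside the hunk.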
@@ -1061,6 +1061,7 @@ static const ssl3CipherSuite ecdhe_ecdsa_suites[] = { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 0 /* end of list marker */ @@ -1072,6 +1073,7 @@ static const ssl3CipherSuite ecdhe_rsa_suites[] = { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0 /* end of list marker */ @@ -1084,6 +1086,7 @@ static const ssl3CipherSuite ecSuites[] = { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, @@ -1091,6 +1094,7 @@ static const ssl3CipherSuite ecSuites[] = { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, diff --git a/lib/ssl/sslenum.c b/lib/ssl/sslenum.c index f69aed2df..391bbe4bc 100644 --- a/lib/ssl/sslenum.c +++ b/lib/ssl/sslenum.c @@ -50,6 +50,8 @@ const PRUint16 SSL_ImplementedCiphers[] = { #ifndef NSS_DISABLE_ECC TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147. */ 
@@ -66,6 +68,7 @@ const PRUint16 SSL_ImplementedCiphers[] = { #endif /* NSS_DISABLE_ECC */ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h index a7ebc9aa6..c7f9d1f4e 100644 --- a/lib/ssl/sslimpl.h +++ b/lib/ssl/sslimpl.h @@ -50,6 +50,7 @@ typedef SSLMACAlgorithm SSL3MACAlgorithm; #define calg_camellia ssl_calg_camellia #define calg_seed ssl_calg_seed #define calg_aes_gcm ssl_calg_aes_gcm +#define calg_chacha20 ssl_calg_chacha20 #define mac_null ssl_mac_null #define mac_md5 ssl_mac_md5 @@ -285,9 +286,9 @@ typedef struct { } ssl3CipherSuiteCfg; #ifndef NSS_DISABLE_ECC -#define ssl_V3_SUITES_IMPLEMENTED 64 +#define ssl_V3_SUITES_IMPLEMENTED 67 #else -#define ssl_V3_SUITES_IMPLEMENTED 40 +#define ssl_V3_SUITES_IMPLEMENTED 41 #endif /* NSS_DISABLE_ECC */ #define MAX_DTLS_SRTP_CIPHER_SUITES 4 @@ -472,6 +473,7 @@ typedef enum { cipher_camellia_256, cipher_seed, cipher_aes_128_gcm, + cipher_chacha20, cipher_missing /* reserved for no such supported cipher */ /* This enum must match ssl3_cipherName[] in ssl3con.c. */ } SSL3BulkCipher; diff --git a/lib/ssl/sslinfo.c b/lib/ssl/sslinfo.c index 3208bbef3..437de8f2d 100644 --- a/lib/ssl/sslinfo.c +++ b/lib/ssl/sslinfo.c @@ -151,6 +151,7 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd, #define C_NULL "NULL", calg_null #define C_SJ "SKIPJACK", calg_sj #define C_AESGCM "AES-GCM", calg_aes_gcm +#define C_CHACHA20 "CHACHA20POLY1305", calg_chacha20 #define B_256 256, 256, 256 #define B_128 128, 128, 128 
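Review bot: The new `cipher_chacha20` enumerator in SSL3BulkCipher sits under the comment `This enum must match ssl3_cipherName[] in ssl3con.c`, but none of the ssl3con.c hunks in this commit touch that table; if ssl3_cipherName[] is indexed by SSL3BulkCipher, the new value will either read the entry reserved for cipher_missing or run off the end of the array when a name is looked up. Either add the matching `"ChaCha20-Poly1305"` entry in the same commit or drop the comment if the table no longer exists. The `ssl_V3_SUITES_IMPLEMENTED` bumps (64 to 67 with ECC, 40 to 41 without) do match the three and one rows added to cipherSuites[].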
@@ -170,6 +171,7 @@ SSL_GetPreliminaryChannelInfo(PRFileDesc *fd, static const SSLCipherSuiteInfo suiteInfo[] = { /* <------ Cipher suite --------------------> */ {0,CS(TLS_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_RSA, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0 }, +{0,CS(TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256), S_RSA, K_DHE, C_CHACHA20, B_256, M_AEAD_128, 0, 0, 0 }, {0,CS(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), S_RSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0 }, {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_256, M_SHA, 0, 0, 0 }, @@ -232,6 +234,7 @@ static const SSLCipherSuiteInfo suiteInfo[] = { {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0 }, {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0 }, {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0 }, +{0,CS(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256), S_ECDSA, K_ECDHE, C_CHACHA20, B_256, M_AEAD_128, 0, 0, 0 }, {0,CS(TLS_ECDH_RSA_WITH_NULL_SHA), S_RSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0 }, {0,CS(TLS_ECDH_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0 }, @@ -245,6 +248,7 @@ static const SSLCipherSuiteInfo suiteInfo[] = { {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0 }, {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0 }, {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0 }, +{0,CS(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), S_RSA, K_ECDHE, C_CHACHA20, B_256, M_AEAD_128, 0, 0, 0 }, #endif /* NSS_DISABLE_ECC */ /* SSL 2 table */ diff --git a/lib/ssl/sslproto.h b/lib/ssl/sslproto.h index 2db47a53e..57ad220c3 100644 --- a/lib/ssl/sslproto.h +++ b/lib/ssl/sslproto.h 
@@ -260,6 +260,10 @@ #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 +#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8 +#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 +#define TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA + /* Netscape "experimental" cipher suites. */ #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1 diff --git a/lib/ssl/sslt.h b/lib/ssl/sslt.h index 1035ab9a0..3750382c6 100644 --- a/lib/ssl/sslt.h +++ b/lib/ssl/sslt.h @@ -104,7 +104,8 @@ typedef enum { ssl_calg_aes = 7, ssl_calg_camellia = 8, ssl_calg_seed = 9, - ssl_calg_aes_gcm = 10 + ssl_calg_aes_gcm = 10, + ssl_calg_chacha20 = 11 } SSLCipherAlgorithm; typedef enum { diff --git a/lib/util/secoid.c b/lib/util/secoid.c index 6f2edb1ae..4f16ed386 100644 --- a/lib/util/secoid.c +++ b/lib/util/secoid.c @@ -1652,7 +1652,6 @@ const static SECOidData oids[SEC_OID_TOTAL] = { OD( x520Name, SEC_OID_AVA_NAME, "X520 Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), - OD( aes128_GCM, SEC_OID_AES_128_GCM, "AES-128-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION ), OD( aes192_GCM, SEC_OID_AES_192_GCM, @@ -1710,6 +1709,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = { "TLS DH-ANON-EXPORT key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), ODE( SEC_OID_APPLY_SSL_POLICY, "Apply SSL policy (pseudo-OID)", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), + ODE( SEC_OID_CHACHA20_POLY1305, + "ChaCha20-Poly1305", CKM_NSS_CHACHA20_POLY1305, INVALID_CERT_EXTENSION ), }; diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h index 0b4bfc4a4..d9386a75a 100644 --- a/lib/util/secoidt.h +++ b/lib/util/secoidt.h @@ -479,6 +479,8 @@ typedef enum { SEC_OID_TLS_DH_ANON_EXPORT = 344, SEC_OID_APPLY_SSL_POLICY = 345, + SEC_OID_CHACHA20_POLY1305 = 346, + SEC_OID_TOTAL } SECOidTag; diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh index 35b56ffc6..125ad59cc 100755 --- a/tests/ssl/ssl.sh 
+++ b/tests/ssl/ssl.sh @@ -85,12 +85,14 @@ ssl_init() if [ -z "$NSS_DISABLE_ECC" ] ; then ECC_STRING=" - with ECC" + # List of cipher suites to test, including ECC cipher suites. + CIPHER_SUITES="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:CCA8:CCA9:CCAA:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz" else ECC_STRING="" + # List of cipher suites to test, excluding ECC cipher suites. + CIPHER_SUITES="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2:CCAAcdefgijklmnvyz" fi - CSHORT="-c ABCDEF:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz" - CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz" if [ "${OS_ARCH}" != "WINNT" ]; then ulimit -n 1000 # make sure we have enough file descriptors @@ -260,11 +262,7 @@ ssl_cov() html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" testname="" - if [ -z "$NSS_DISABLE_ECC" ] ; then - sparam="$CLONG" - else - sparam="$CSHORT" - fi + sparam="$CIPHER_SUITES" mixed=0 start_selfserv # Launch the server @@ -731,11 +729,7 @@ ssl_policy() html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING" testname="" - if [ -z "$NSS_DISABLE_ECC" ] ; then - sparam="$CLONG" - else - sparam="$CSHORT" - fi + sparam="$CIPHER_SUITES" if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then return; diff --git a/tests/ssl/sslcov.txt b/tests/ssl/sslcov.txt index c050dd8b4..da6f23e76 100644 --- a/tests/ssl/sslcov.txt +++ b/tests/ssl/sslcov.txt 
@@ -101,6 +101,7 @@ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256 noECC TLS12 :009E TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256 noECC TLS12 :00A2 TLS12_DHE_DSS_WITH_AES_128_GCM_SHA256 + noECC TLS12 :CCAA TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 # # ECC ciphers (TLS) # @@ -170,3 +171,5 @@ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 -- cgit v1.2.1