Bug 1623374 Need to support the new PKCS #11 Message interface for AES GCM and ChaCha Poly r=mt

Update ssl to use the new PK11_AEADOp() interface.
 1. We restore the use of PK11Context_Create() for AEAD operations.
 2. AES GCM and CHACHA/Poly specific functions are no longer needed as
  PK11_AEADOp() handles all the mechanism specific processing.
 3. TLS semantic differences between the two algorithms are handled by their
  parameters:
       1. Nonce length is the length of the nonce counter. If it's zero, then
       XOR_Counter is used (and the nonce length is the
       sizeof(sslSequenceNumber)).
       2. IV length is the full IV length - nonce length.
       3. TLS 1.3 always uses XOR_Counter.
 4. The IV is returned from the token in the encrypt case. Only in the explicit
  nonce case is it examined. (The code depends on the fact that the count in
  the token will match sslSequenceNumber). I did have assert code to verify
  this was happening for testing, but it's removed from this patch; it can be
  added back.
 5. All the decrypt instances of XOR_Counter IV creation have been collapsed
  into tls13_WriteNonce().
 6. Even though PK11_AEADOp returns and accepts the tag separately (for encrypt
  and decrypt respectively), the SSL code still returns the values as
  buffer||tag.
 7. tls13_AEAD() has been enhanced so all uses of AEAD outside of the TLS
  stream can use it instead of their own wrapped version. It can handle streams
  (CreateContext() tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot
  tls13_AEAD(context=NULL). In the latter case, the keys for the single shot
  operation should not be reused.
 8. libssl_internals.c in the gtests directory has been updated to handle
  advancing the internal iv counter when we artificially advance the seqNum.
  Since we don't have access to any token iv counter (including softoken),
  the code switches to simulated message mode, and updates the simulated state
  as appropriate. (Obviously this is for testing-only code, as it reaches into
  normally private data structures.)

Differential Revision: https://phabricator.services.mozilla.com/D68480
rjrelyea committed Mar 26, 2020
1 parent 468dbd9 commit d0c9616
Showing 10 changed files with 454 additions and 405 deletions.
44 changes: 43 additions & 1 deletion gtests/ssl_gtest/libssl_internals.c
Expand Up @@ -9,8 +9,11 @@

#include "nss.h"
#include "pk11pub.h"
#include "pk11priv.h"
#include "seccomon.h"
#include "selfencrypt.h"
#include "secmodti.h"
#include "sslproto.h"

SECStatus SSLInt_SetDCAdvertisedSigSchemes(PRFileDesc *fd,
const SSLSignatureScheme *schemes,
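Review bot: The two new includes ("pk11priv.h" and "secmodti.h") make this test helper compile against the private PK11Context layout from lib/pk11wrap, which is exactly the kind of dependency the commit message calls out as reaching into "normally private data structures"; a one-line comment next to the includes saying that this file is test-only and deliberately depends on pk11wrap internals would save the next reader from treating it as a supported API. It would also be worth confirming that nothing under gtests other than libssl_internals.c picks up secmodti.h, so the private export stays contained.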
Expand Down Expand Up @@ -331,6 +334,9 @@ SECStatus SSLInt_AdvanceReadSeqNum(PRFileDesc *fd, PRUint64 to) {

SECStatus SSLInt_AdvanceWriteSeqNum(PRFileDesc *fd, PRUint64 to) {
sslSocket *ss;
ssl3CipherSpec *spec;
PK11Context *pk11ctxt;
const ssl3BulkCipherDef *cipher_def;

ss = ssl_FindSocket(fd);
if (!ss) {
Expand All @@ -341,7 +347,43 @@ SECStatus SSLInt_AdvanceWriteSeqNum(PRFileDesc *fd, PRUint64 to) {
return SECFailure;
}
ssl_GetSpecWriteLock(ss);
ss->ssl3.cwSpec->nextSeqNum = to;
spec = ss->ssl3.cwSpec;
cipher_def = spec->cipherDef;
spec->nextSeqNum = to;
if (cipher_def->type != type_aead) {
ssl_ReleaseSpecWriteLock(ss);
return SECSuccess;
}
/* If we are using aead, we need to advance the counter in the
* internal IV generator as well.
* This could be in the token or software. */
pk11ctxt = spec->cipherContext;
/* If counter is in the token, we need to switch it to software,
* since we don't have access to the internal state of the token. We do
* that by turning on the simulated message interface, then setting up the
* software IV generator */
if (pk11ctxt->ivCounter == 0) {
_PK11_ContextSetAEADSimulation(pk11ctxt);
pk11ctxt->ivLen = cipher_def->iv_size + cipher_def->explicit_nonce_size;
pk11ctxt->ivMaxCount = PR_UINT64(0xffffffffffffffff);
if ((cipher_def->explicit_nonce_size == 0) ||
(spec->version >= SSL_LIBRARY_VERSION_TLS_1_3)) {
pk11ctxt->ivFixedBits =
(pk11ctxt->ivLen - sizeof(sslSequenceNumber)) * BPB;
pk11ctxt->ivGen = CKG_GENERATE_COUNTER_XOR;
} else {
pk11ctxt->ivFixedBits = cipher_def->iv_size * BPB;
pk11ctxt->ivGen = CKG_GENERATE_COUNTER;
}
/* DTLS included the epoch in the fixed portion of the IV */
if (IS_DTLS(ss)) {
pk11ctxt->ivFixedBits += 2 * BPB;
}
}
/* now we can update the internal counter (either we are already using
* the software IV generator, or we just switched to it above */
pk11ctxt->ivCounter = to;

ssl_ReleaseSpecWriteLock(ss);
return SECSuccess;
}
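Review bot: `pk11ctxt = spec->cipherContext;` is dereferenced (`pk11ctxt->ivCounter`) without a NULL check; for an AEAD spec the context is expected to exist, but since this helper is called from tests that deliberately put the socket into unusual states, an explicit `if (!pk11ctxt) { ssl_ReleaseSpecWriteLock(ss); return SECFailure; }` before the dereference would turn a crash into a test failure. Second, `pk11ctxt->ivCounter == 0` is used as the signal that the counter lives in the token, but it is also the value of a freshly set up software counter before any record is sent; the code is still correct because the simulated state is recomputed identically, but the comment should say so explicitly rather than leaving the reader to work out that the re-initialisation is idempotent. Minor: the comment ending `or we just switched to it above */` is missing its closing parenthesis.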
3 changes: 2 additions & 1 deletion lib/pk11wrap/exports.gyp
Expand Up @@ -26,7 +26,8 @@
{
'files': [
'dev3hack.h',
'secmodi.h'
'secmodi.h',
'secmodti.h'
],
'destination': '<(nss_private_dist_dir)/<(module)'
}
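Review bot: Exporting secmodti.h to the private dist directory exposes the PK11Context struct layout to everything built in-tree, not only to the gtest that needs it; since the matching manifest.mn change keeps it under PRIVATE_EXPORTS this is consistent, but a comment at the top of secmodti.h stating that only test code may rely on the layout (and that the fields are not ABI) would make the intent clear to future consumers.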
1 change: 1 addition & 0 deletions lib/pk11wrap/manifest.mn
Expand Up @@ -17,6 +17,7 @@ EXPORTS = \

PRIVATE_EXPORTS = \
secmodi.h \
secmodti.h \
dev3hack.h \
$(NULL)
