1 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c
2 index 375ed6a..adaa9a4 100644
6 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
9 +/* This is a bodge to allow this code to be compiled against older NSS
11 +#ifndef CKM_NSS_CHACHA20_POLY1305
12 +#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 26)
14 +typedef struct CK_NSS_AEAD_PARAMS {
15 + CK_BYTE_PTR pIv; /* This is the nonce. */
20 +} CK_NSS_AEAD_PARAMS;
25 #ifdef NSS_ENABLE_ZLIB
27 @@ -105,6 +120,8 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
28 /* cipher_suite policy enabled isPresent */
30 #ifndef NSS_DISABLE_ECC
31 + { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
32 + { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED, PR_FALSE, PR_FALSE},
33 { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
34 { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
35 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
36 @@ -296,6 +313,7 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = {
37 {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0},
38 {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0},
39 {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8},
40 + {cipher_chacha20, calg_chacha20, 32,32, type_aead, 0, 0,16, 0},
41 {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
44 @@ -422,6 +440,8 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] =
45 {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
46 {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
47 {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
48 + {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_rsa},
49 + {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa},
51 #ifndef NSS_DISABLE_ECC
52 {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa},
53 @@ -487,6 +507,7 @@ static const SSLCipher2Mech alg2Mech[] = {
54 { calg_camellia , CKM_CAMELLIA_CBC },
55 { calg_seed , CKM_SEED_CBC },
56 { calg_aes_gcm , CKM_AES_GCM },
57 + { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305 },
58 /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */
61 @@ -662,6 +683,8 @@ ssl3_CipherSuiteAllowedForVersionRange(
62 case TLS_RSA_WITH_NULL_SHA256:
63 return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2;
65 + case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
66 + case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
67 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
68 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
69 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
70 @@ -2070,6 +2093,46 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
75 +ssl3_ChaCha20Poly1305(
76 + ssl3KeyMaterial *keys,
81 + const unsigned char *in,
83 + const unsigned char *additionalData,
84 + int additionalDataLen)
87 + SECStatus rv = SECFailure;
88 + unsigned int uOutLen;
89 + CK_NSS_AEAD_PARAMS aeadParams;
90 + static const int tagSize = 16;
92 + param.type = siBuffer;
93 + param.len = sizeof(aeadParams);
94 + param.data = (unsigned char *) &aeadParams;
95 + memset(&aeadParams, 0, sizeof(aeadParams));
96 + aeadParams.pIv = (unsigned char *) additionalData;
97 + aeadParams.ulIvLen = 8;
98 + aeadParams.pAAD = (unsigned char *) additionalData;
99 + aeadParams.ulAADLen = additionalDataLen;
100 + aeadParams.ulTagLen = tagSize;
103 + rv = pk11_decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m,
104 + out, &uOutLen, maxout, in, inlen);
106 + rv = pk11_encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, ¶m,
107 + out, &uOutLen, maxout, in, inlen);
109 + *outlen = (int) uOutLen;
114 /* Initialize encryption and MAC contexts for pending spec.
115 * Master Secret already is derived.
116 * Caller holds Spec write lock.
117 @@ -2103,13 +2166,17 @@ ssl3_InitPendingContextsPKCS11(sslSocket *ss)
118 pwSpec->client.write_mac_context = NULL;
119 pwSpec->server.write_mac_context = NULL;
121 - if (calg == calg_aes_gcm) {
122 + if (calg == calg_aes_gcm || calg == calg_chacha20) {
123 pwSpec->encode = NULL;
124 pwSpec->decode = NULL;
125 pwSpec->destroy = NULL;
126 pwSpec->encodeContext = NULL;
127 pwSpec->decodeContext = NULL;
128 - pwSpec->aead = ssl3_AESGCM;
129 + if (calg == calg_aes_gcm) {
130 + pwSpec->aead = ssl3_AESGCM;
132 + pwSpec->aead = ssl3_ChaCha20Poly1305;
137 diff --git a/ssl/ssl3ecc.c b/ssl/ssl3ecc.c
138 index 003ed78..d5d6c9c 100644
141 @@ -920,6 +920,7 @@ static const ssl3CipherSuite ecdhe_ecdsa_suites[] = {
142 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
143 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
144 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
145 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
146 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
147 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
148 0 /* end of list marker */
149 @@ -931,6 +932,7 @@ static const ssl3CipherSuite ecdhe_rsa_suites[] = {
150 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
151 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
152 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
153 + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
154 TLS_ECDHE_RSA_WITH_NULL_SHA,
155 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
156 0 /* end of list marker */
157 @@ -943,6 +945,7 @@ static const ssl3CipherSuite ecSuites[] = {
158 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
159 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
160 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
161 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
162 TLS_ECDHE_ECDSA_WITH_NULL_SHA,
163 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
164 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
165 @@ -950,6 +953,7 @@ static const ssl3CipherSuite ecSuites[] = {
166 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
167 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
168 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
169 + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
170 TLS_ECDHE_RSA_WITH_NULL_SHA,
171 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
172 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
173 diff --git a/ssl/sslenum.c b/ssl/sslenum.c
174 index 09ce43f..a036627 100644
179 * Exception: Because some servers ignore the high-order byte of the cipher
180 * suite ID, we must be careful about adding cipher suites with IDs larger
181 - * than 0x00ff; see bug 946147. For these broken servers, the first four cipher
182 + * than 0x00ff; see bug 946147. For these broken servers, the first six cipher
183 * suites, with the MSB zeroed, look like:
184 + * TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA { 0x00,0x14 }
185 + * TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }
186 * TLS_KRB5_EXPORT_WITH_RC4_40_MD5 { 0x00,0x2B }
187 * TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }
188 * TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
189 * TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
190 - * The broken server only supports the third and fourth ones and will select
192 + * The broken server only supports the fifth and sixth ones and will select
195 const PRUint16 SSL_ImplementedCiphers[] = {
196 #ifndef NSS_DISABLE_ECC
197 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
198 + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
199 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
200 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
201 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
202 diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h
203 index 88f559a..643570f 100644
206 @@ -65,6 +65,7 @@ typedef SSLSignType SSL3SignType;
207 #define calg_camellia ssl_calg_camellia
208 #define calg_seed ssl_calg_seed
209 #define calg_aes_gcm ssl_calg_aes_gcm
210 +#define calg_chacha20 ssl_calg_chacha20
212 #define mac_null ssl_mac_null
213 #define mac_md5 ssl_mac_md5
214 @@ -299,7 +300,7 @@ typedef struct {
215 } ssl3CipherSuiteCfg;
217 #ifndef NSS_DISABLE_ECC
218 -#define ssl_V3_SUITES_IMPLEMENTED 61
219 +#define ssl_V3_SUITES_IMPLEMENTED 63
221 #define ssl_V3_SUITES_IMPLEMENTED 37
222 #endif /* NSS_DISABLE_ECC */
223 @@ -485,6 +486,7 @@ typedef enum {
228 cipher_missing /* reserved for no such supported cipher */
229 /* This enum must match ssl3_cipherName[] in ssl3con.c. */
231 diff --git a/ssl/sslinfo.c b/ssl/sslinfo.c
232 index ba230d2..845d9f0 100644
235 @@ -110,6 +110,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
236 #define C_NULL "NULL", calg_null
237 #define C_SJ "SKIPJACK", calg_sj
238 #define C_AESGCM "AES-GCM", calg_aes_gcm
239 +#define C_CHACHA20 "CHACHA20POLY1305", calg_chacha20
241 #define B_256 256, 256, 256
242 #define B_128 128, 128, 128
243 @@ -188,12 +189,14 @@ static const SSLCipherSuiteInfo suiteInfo[] = {
244 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
245 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), S_ECDSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
246 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
247 +{0,CS(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305),S_ECDSA,K_ECDHE,C_CHACHA20,B_256,M_AEAD_128,0, 0, 0, },
249 {0,CS(TLS_ECDH_RSA_WITH_NULL_SHA), S_RSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
250 {0,CS(TLS_ECDH_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
251 {0,CS(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
252 {0,CS(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_ECDH, C_AES, B_128, M_SHA, 1, 0, 0, },
253 {0,CS(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_ECDH, C_AES, B_256, M_SHA, 1, 0, 0, },
254 +{0,CS(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305), S_RSA,K_ECDHE,C_CHACHA20,B_256,M_AEAD_128, 0, 0, 0, },
256 {0,CS(TLS_ECDHE_RSA_WITH_NULL_SHA), S_RSA, K_ECDHE, C_NULL, B_0, M_SHA, 0, 0, 0, },
257 {0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
258 diff --git a/ssl/sslproto.h b/ssl/sslproto.h
259 index e02442c..dc653c9 100644
263 #define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
264 #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
266 +#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 0xCC13
267 +#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 0xCC14
269 /* Netscape "experimental" cipher suites. */
270 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
271 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
272 diff --git a/ssl/sslt.h b/ssl/sslt.h
273 index 430d216..fe0ad07 100644
276 @@ -94,7 +94,8 @@ typedef enum {
278 ssl_calg_camellia = 8,
280 - ssl_calg_aes_gcm = 10
281 + ssl_calg_aes_gcm = 10,
282 + ssl_calg_chacha20 = 11
283 } SSLCipherAlgorithm;