diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2018-08-14 07:52:35 +0200 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-08-14 16:42:52 +0200 |
commit | ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9 (patch) | |
tree | 5e4677e52b9a349602f04135a44b3000c8baa97b /security/nss/lib/freebl/chacha20poly1305.c | |
parent | f44e99950fc25d16a3cdaffe26dadf7b58a9d38c (diff) | |
download | UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.gz UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.lz UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.tar.xz UXP-ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9.zip |
Update NSS to 3.38
- Added HACL*Poly1305 32-bit (INRIA/Microsoft)
- Updated to final TLS 1.3 draft version (28)
- Removed TLS 1.3 prerelease draft limit check
- Removed NPN code
- Enabled dev/urandom-only RNG on Linux with NSS_SEED_ONLY_DEV_URANDOM for non-standard environments
- Fixed several bugs with TLS 1.3 negotiation
- Updated internal certificate store
- Added support for the TLS Record Size Limit Extension.
- Fixed CVE-2018-0495
- Various security fixes in the ASN.1 code.
Diffstat (limited to 'security/nss/lib/freebl/chacha20poly1305.c')
-rw-r--r-- | security/nss/lib/freebl/chacha20poly1305.c | 88 |
1 files changed, 37 insertions, 51 deletions
diff --git a/security/nss/lib/freebl/chacha20poly1305.c b/security/nss/lib/freebl/chacha20poly1305.c index 859d05316..302f0db9e 100644 --- a/security/nss/lib/freebl/chacha20poly1305.c +++ b/security/nss/lib/freebl/chacha20poly1305.c @@ -24,36 +24,60 @@ extern void Hacl_Chacha20_Vec128_chacha20(uint8_t *output, uint8_t *plain, extern void Hacl_Chacha20_chacha20(uint8_t *output, uint8_t *plain, uint32_t len, uint8_t *k, uint8_t *n1, uint32_t ctr); -/* Poly1305Do writes the Poly1305 authenticator of the given additional data - * and ciphertext to |out|. */ #if defined(HAVE_INT128_SUPPORT) && (defined(NSS_X86_OR_X64) || defined(__aarch64__)) /* Use HACL* Poly1305 on 64-bit Intel and ARM */ #include "verified/Hacl_Poly1305_64.h" +#define NSS_POLY1305_64 1 +#define Hacl_Poly1305_update Hacl_Poly1305_64_update +#define Hacl_Poly1305_mk_state Hacl_Poly1305_64_mk_state +#define Hacl_Poly1305_init Hacl_Poly1305_64_init +#define Hacl_Poly1305_finish Hacl_Poly1305_64_finish +typedef Hacl_Impl_Poly1305_64_State_poly1305_state Hacl_Impl_Poly1305_State_poly1305_state; +#else +/* All other platforms get the 32-bit poly1305 HACL* implementation. */ +#include "verified/Hacl_Poly1305_32.h" +#define NSS_POLY1305_32 1 +#define Hacl_Poly1305_update Hacl_Poly1305_32_update +#define Hacl_Poly1305_mk_state Hacl_Poly1305_32_mk_state +#define Hacl_Poly1305_init Hacl_Poly1305_32_init +#define Hacl_Poly1305_finish Hacl_Poly1305_32_finish +typedef Hacl_Impl_Poly1305_32_State_poly1305_state Hacl_Impl_Poly1305_State_poly1305_state; +#endif /* HAVE_INT128_SUPPORT */ static void -Poly1305PadUpdate(Hacl_Impl_Poly1305_64_State_poly1305_state state, +Poly1305PadUpdate(Hacl_Impl_Poly1305_State_poly1305_state state, unsigned char *block, const unsigned char *p, const unsigned int pLen) { unsigned int pRemLen = pLen % 16; - Hacl_Poly1305_64_update(state, (uint8_t *)p, (pLen / 16)); + Hacl_Poly1305_update(state, (uint8_t *)p, (pLen / 16)); if (pRemLen > 0) { memcpy(block, p + (pLen - pRemLen), pRemLen); - Hacl_Poly1305_64_update(state, block, 1); + Hacl_Poly1305_update(state, block, 1); } } +/* Poly1305Do writes the Poly1305 authenticator of the given additional data + * and ciphertext to |out|. */ static void Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen, const unsigned char *ciphertext, unsigned int ciphertextLen, const unsigned char key[32]) { - uint64_t tmp1[6U] = { 0U }; - Hacl_Impl_Poly1305_64_State_poly1305_state state = - Hacl_Poly1305_64_mk_state(tmp1, tmp1 + 3); +#ifdef NSS_POLY1305_64 + uint64_t stateStack[6U] = { 0U }; + size_t offset = 3; +#elif defined NSS_POLY1305_32 + uint32_t stateStack[10U] = { 0U }; + size_t offset = 5; +#else +#error "This can't happen." +#endif + Hacl_Impl_Poly1305_State_poly1305_state state = + Hacl_Poly1305_mk_state(stateStack, stateStack + offset); unsigned char block[16] = { 0 }; - Hacl_Poly1305_64_init(state, (uint8_t *)key); + Hacl_Poly1305_init(state, (uint8_t *)key); Poly1305PadUpdate(state, block, ad, adLen); memset(block, 0, 16); @@ -68,49 +92,11 @@ Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen, block[i] = j; } - Hacl_Poly1305_64_update(state, block, 1); - Hacl_Poly1305_64_finish(state, out, (uint8_t *)(key + 16)); + Hacl_Poly1305_update(state, block, 1); + Hacl_Poly1305_finish(state, out, (uint8_t *)(key + 16)); +#undef NSS_POLY1305_64 +#undef NSS_POLY1305_32 } -#else -/* All other platforms get the 32-bit poly1305 reference implementation. */ -#include "poly1305.h" - -static void -Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen, - const unsigned char *ciphertext, unsigned int ciphertextLen, - const unsigned char key[32]) -{ - poly1305_state state; - unsigned int j; - unsigned char lengthBytes[8]; - static const unsigned char zeros[15]; - unsigned int i; - - Poly1305Init(&state, key); - Poly1305Update(&state, ad, adLen); - if (adLen % 16 > 0) { - Poly1305Update(&state, zeros, 16 - adLen % 16); - } - Poly1305Update(&state, ciphertext, ciphertextLen); - if (ciphertextLen % 16 > 0) { - Poly1305Update(&state, zeros, 16 - ciphertextLen % 16); - } - j = adLen; - for (i = 0; i < sizeof(lengthBytes); i++) { - lengthBytes[i] = j; - j >>= 8; - } - Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); - j = ciphertextLen; - for (i = 0; i < sizeof(lengthBytes); i++) { - lengthBytes[i] = j; - j >>= 8; - } - Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); - Poly1305Finish(&state, out); -} - -#endif /* HAVE_INT128_SUPPORT */ #endif /* NSS_DISABLE_CHACHAPOLY */ SECStatus |