1 files changed, 66 insertions, 113 deletions

diff --git a/security/nss/gtests/ssl_gtest/tls_protect.cc b/security/nss/gtests/ssl_gtest/tls_protect.cc
index c715a36a6..de91982f7 100644
--- a/security/nss/gtests/ssl_gtest/tls_protect.cc
+++ b/security/nss/gtests/ssl_gtest/tls_protect.cc
@@ -5,145 +5,98 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "tls_protect.h"
+#include "sslproto.h"
 #include "tls_filter.h"
 
 namespace nss_test {
 
-AeadCipher::~AeadCipher() {
-  if (key_) {
-    PK11_FreeSymKey(key_);
+static uint64_t FirstSeqno(bool dtls, uint16_t epoc) {
+  if (dtls) {
+    return static_cast<uint64_t>(epoc) << 48;
   }
+  return 0;
 }
 
-bool AeadCipher::Init(PK11SymKey *key, const uint8_t *iv) {
-  key_ = PK11_ReferenceSymKey(key);
-  if (!key_) return false;
-
-  memcpy(iv_, iv, sizeof(iv_));
-  return true;
-}
-
-void AeadCipher::FormatNonce(uint64_t seq, uint8_t *nonce) {
-  memcpy(nonce, iv_, 12);
-
-  for (size_t i = 0; i < 8; ++i) {
-    nonce[12 - (i + 1)] ^= seq & 0xff;
-    seq >>= 8;
+TlsCipherSpec::TlsCipherSpec(bool dtls, uint16_t epoc)
+    : dtls_(dtls),
+      epoch_(epoc),
+      in_seqno_(FirstSeqno(dtls, epoc)),
+      out_seqno_(FirstSeqno(dtls, epoc)) {}
+
+bool TlsCipherSpec::SetKeys(SSLCipherSuiteInfo* cipherinfo,
+                            PK11SymKey* secret) {
+  SSLAeadContext* ctx;
+  SECStatus rv = SSL_MakeAead(SSL_LIBRARY_VERSION_TLS_1_3,
+                              cipherinfo->cipherSuite, secret, "",
+                              0,  // Use the default labels.
+                              &ctx);
+  if (rv != SECSuccess) {
+    return false;
   }
-
-  DataBuffer d(nonce, 12);
-}
-
-bool AeadCipher::AeadInner(bool decrypt, void *params, size_t param_length,
-                           const uint8_t *in, size_t inlen, uint8_t *out,
-                           size_t *outlen, size_t maxlen) {
-  SECStatus rv;
-  unsigned int uoutlen = 0;
-  SECItem param = {
-      siBuffer, static_cast<unsigned char *>(params),
-      static_cast<unsigned int>(param_length),
-  };
-
-  if (decrypt) {
-    rv = PK11_Decrypt(key_, mech_, &param, out, &uoutlen, maxlen, in, inlen);
-  } else {
-    rv = PK11_Encrypt(key_, mech_, &param, out, &uoutlen, maxlen, in, inlen);
-  }
-  *outlen = (int)uoutlen;
-
-  return rv == SECSuccess;
-}
-
-bool AeadCipherAesGcm::Aead(bool decrypt, const uint8_t *hdr, size_t hdr_len,
-                            uint64_t seq, const uint8_t *in, size_t inlen,
-                            uint8_t *out, size_t *outlen, size_t maxlen) {
-  CK_GCM_PARAMS aeadParams;
-  unsigned char nonce[12];
-
-  memset(&aeadParams, 0, sizeof(aeadParams));
-  aeadParams.pIv = nonce;
-  aeadParams.ulIvLen = sizeof(nonce);
-  aeadParams.pAAD = const_cast<uint8_t *>(hdr);
-  aeadParams.ulAADLen = hdr_len;
-  aeadParams.ulTagBits = 128;
-
-  FormatNonce(seq, nonce);
-  return AeadInner(decrypt, (unsigned char *)&aeadParams, sizeof(aeadParams),
-                   in, inlen, out, outlen, maxlen);
-}
-
-bool AeadCipherChacha20Poly1305::Aead(bool decrypt, const uint8_t *hdr,
-                                      size_t hdr_len, uint64_t seq,
-                                      const uint8_t *in, size_t inlen,
-                                      uint8_t *out, size_t *outlen,
-                                      size_t maxlen) {
-  CK_NSS_AEAD_PARAMS aeadParams;
-  unsigned char nonce[12];
-
-  memset(&aeadParams, 0, sizeof(aeadParams));
-  aeadParams.pNonce = nonce;
-  aeadParams.ulNonceLen = sizeof(nonce);
-  aeadParams.pAAD = const_cast<uint8_t *>(hdr);
-  aeadParams.ulAADLen = hdr_len;
-  aeadParams.ulTagLen = 16;
-
-  FormatNonce(seq, nonce);
-  return AeadInner(decrypt, (unsigned char *)&aeadParams, sizeof(aeadParams),
-                   in, inlen, out, outlen, maxlen);
+  aead_.reset(ctx);
+  return true;
 }
 
-bool TlsCipherSpec::Init(uint16_t epoc, SSLCipherAlgorithm cipher,
-                         PK11SymKey *key, const uint8_t *iv) {
-  epoch_ = epoc;
-  switch (cipher) {
-    case ssl_calg_aes_gcm:
-      aead_.reset(new AeadCipherAesGcm());
-      break;
-    case ssl_calg_chacha20:
-      aead_.reset(new AeadCipherChacha20Poly1305());
-      break;
-    default:
-      return false;
+bool TlsCipherSpec::Unprotect(const TlsRecordHeader& header,
+                              const DataBuffer& ciphertext,
+                              DataBuffer* plaintext) {
+  if (aead_ == nullptr) {
+    return false;
   }
-
-  return aead_->Init(key, iv);
-}
-
-bool TlsCipherSpec::Unprotect(const TlsRecordHeader &header,
-                              const DataBuffer &ciphertext,
-                              DataBuffer *plaintext) {
   // Make space.
   plaintext->Allocate(ciphertext.len());
 
   auto header_bytes = header.header();
-  size_t len;
-  bool ret =
-      aead_->Aead(true, header_bytes.data(), header_bytes.len(),
-                  header.sequence_number(), ciphertext.data(), ciphertext.len(),
-                  plaintext->data(), &len, plaintext->len());
-  if (!ret) return false;
+  unsigned int len;
+  uint64_t seqno;
+  if (dtls_) {
+    seqno = header.sequence_number();
+  } else {
+    seqno = in_seqno_;
+  }
+  SECStatus rv =
+      SSL_AeadDecrypt(aead_.get(), seqno, header_bytes.data(),
+                      header_bytes.len(), ciphertext.data(), ciphertext.len(),
+                      plaintext->data(), &len, plaintext->len());
+  if (rv != SECSuccess) {
+    return false;
+  }
 
-  plaintext->Truncate(len);
+  RecordUnprotected(seqno);
+  plaintext->Truncate(static_cast<size_t>(len));
 
   return true;
 }
 
-bool TlsCipherSpec::Protect(const TlsRecordHeader &header,
-                            const DataBuffer &plaintext,
-                            DataBuffer *ciphertext) {
+bool TlsCipherSpec::Protect(const TlsRecordHeader& header,
+                            const DataBuffer& plaintext,
+                            DataBuffer* ciphertext) {
+  if (aead_ == nullptr) {
+    return false;
+  }
   // Make a padded buffer.
-
   ciphertext->Allocate(plaintext.len() +
                        32);  // Room for any plausible auth tag
-  size_t len;
+  unsigned int len;
 
   DataBuffer header_bytes;
   (void)header.WriteHeader(&header_bytes, 0, plaintext.len() + 16);
-  bool ret =
-      aead_->Aead(false, header_bytes.data(), header_bytes.len(),
-                  header.sequence_number(), plaintext.data(), plaintext.len(),
-                  ciphertext->data(), &len, ciphertext->len());
-  if (!ret) return false;
+  uint64_t seqno;
+  if (dtls_) {
+    seqno = header.sequence_number();
+  } else {
+    seqno = out_seqno_;
+  }
+
+  SECStatus rv =
+      SSL_AeadEncrypt(aead_.get(), seqno, header_bytes.data(),
+                      header_bytes.len(), plaintext.data(), plaintext.len(),
+                      ciphertext->data(), &len, ciphertext->len());
+  if (rv != SECSuccess) {
+    return false;
+  }
+
+  RecordProtected();
   ciphertext->Truncate(len);
 
   return true;