New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 255241 link

Starred by 33 users

Issue metadata

Status: Fixed
Owner:
Email to this user bounced
Closed: Aug 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature



Sign in to add a comment

Support the AES GCM cipher suites for TLS

Reported by wtc@chromium.org, Jun 27 2013

Issue description

We should support the AES GCM cipher suites for TLS specified in
RFC 5288 and RFC 5289.

The Chromium CL is at https://codereview.chromium.org/16618003/,
based on an NSS patch I received from Adam Langley. The upstream
NSS bug is https://bugzilla.mozilla.org/show_bug.cgi?id=880543.

 

Comment 1 by wtc@chromium.org, Aug 2 2013

Labels: -M-30 M-31
I moved the Chromium CL to https://codereview.chromium.org/21696002/.
Project Member

Comment 2 by bugdroid1@chromium.org, Aug 15 2013

------------------------------------------------------------------------
r217716 | wtc@chromium.org | 2013-08-15T00:51:34.156463Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/sslsock.c?r1=217716&r2=217715&pathrev=217716
   A http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/patches/aesgcm.patch?r1=217716&r2=217715&pathrev=217716
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/ssl3con.c?r1=217716&r2=217715&pathrev=217716
   A http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/patches/aesgcmchromium.patch?r1=217716&r2=217715&pathrev=217716
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/dtlscon.c?r1=217716&r2=217715&pathrev=217716
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/sslenum.c?r1=217716&r2=217715&pathrev=217716
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/sslimpl.h?r1=217716&r2=217715&pathrev=217716
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/sslproto.h?r1=217716&r2=217715&pathrev=217716
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/sslt.h?r1=217716&r2=217715&pathrev=217716
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/patches/applypatches.sh?r1=217716&r2=217715&pathrev=217716
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/README.chromium?r1=217716&r2=217715&pathrev=217716
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/sslinfo.c?r1=217716&r2=217715&pathrev=217716
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/socket/nss_ssl_util.cc?r1=217716&r2=217715&pathrev=217716
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/ssl3ecc.c?r1=217716&r2=217715&pathrev=217716

Implement the AES GCM cipher suites for TLS.

The AES GCM cipher suites are disabled in DTLS. This will be fixed soon.

Disable the HMAC-SHA256 cipher suites so that our ClientHello doesn't
become too big.

Patch by Adam Langley.

R=agl@chromium.org,rsleevi@chromium.org
BUG= 255241 
TEST=none

Review URL: https://chromiumcodereview.appspot.com/21696002
------------------------------------------------------------------------
Project Member

Comment 3 by bugdroid1@chromium.org, Aug 20 2013

------------------------------------------------------------------------
r218564 | wtc@chromium.org | 2013-08-20T22:59:07.040778Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/net/socket/ssl_client_socket_openssl.cc?r1=218564&r2=218563&pathrev=218564

Disable the HMAC-SHA256 and AES_256_GCM cipher suites for
SSLClientSocketOpenSSL.

R=rsleevi@chromium.org
BUG= 255241 
TEST=none

Review URL: https://chromiumcodereview.appspot.com/23038011
------------------------------------------------------------------------

Comment 4 by wtc@chromium.org, Aug 21 2013

Status: Fixed
The CL https://codereview.chromium.org/23299002/ made the AES-GCM cipher suites
work in DTLS and make SSL_GetCipherSuiteInfo report reasonable MAC algorithm info
for AEAD ciphers. The CL was committed as r218606.
Project Member

Comment 5 by bugdroid1@chromium.org, Aug 21 2013

Can you comment on why you're supporting AES128-GCM but not AES256-GCM?  Looking at the cipher priority list (sslenum.c), there's no support for TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

see https://bugzilla.mozilla.org/show_bug.cgi?id=880543

Comment 8 by sbc@chromium.org, Sep 27 2013

Looks like this change broke the ARM linux builder (still isn't on the main waterfall I'm afraid :(

http://build.chromium.org/p/chromium.fyi/builders/Linux%20ARM%20Cross-Compile/builds/18321/steps/compile/logs/stdio

Seems that the version of libnss3-dev in our arm precise image is slightly old as
it doesn't contain the security updates and is missing the AES GCM stuff.  I'm working
on a new arm root image that includes the security updates for precise.
Cc: sbc@chromium.org
Thanks for the heads up.

Note that the minimum version of libnss required to build is 3.14.3. I updated the install scripts to reflect this, as the build deps.

In order to make sure that future uprevs of NSS don't cause any trouble, can you point to where/how your root images are configured - and their dependencies?

Comment 10 by sbc@chromium.org, Sep 27 2013

This root image we use is built by a script in the native_client repository and
installed by build/linux/install-arm-sysroot.sh.

I've got a CL out to update the image and add instructions on how to rebuild:
https://codereview.chromium.org/25000006/

There is a trybot now for linux ARM called "linux_arm_cross_compile".  I'm working on getting on the main waterfall ASAP.

Project Member

Comment 11 by bugdroid1@chromium.org, Sep 30 2013

------------------------------------------------------------------------
r226019 | sbc@chromium.org | 2013-09-30T18:51:46.053406Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/build/linux/install-arm-sysroot.py?r1=226019&r2=226018&pathrev=226019

Update the linux ARM root image.

This brings in precise security updates which fixes the
linux ARM cross build.  The image itself was updated to
include these in the following NaCl CL:

https://codereview.chromium.org/25041003/

BUG= 255241 
TEST=linux_arm_cross_compile bot
R=bradnelson@google.com

Review URL: https://codereview.chromium.org/25000006
------------------------------------------------------------------------

Sign in to add a comment