On Wed, Nov 25, 2015 at 2:23 PM, <martin.thomson@gmail.com> wrote: > This looks fine to ...
8 years, 4 months ago
(2015-11-25 22:27:27 UTC)
#2
On Wed, Nov 25, 2015 at 2:23 PM, <martin.thomson@gmail.com> wrote:
> This looks fine to me overall.
>
> I'm not sure that this is enough test coverage. Can you have a look at
> tests/ssl/sslcov.txt and maybe add the suites to the lists there? You
> might have to add new flags to the tstclnt and sslserv tools, but I
> think that you can just use the hex values for the identifiers.
>
> I don't see TLS_DHE_RSA_WITH_CHACHA20_POLY1305 here, which would be
> trivial to implement (it's just a matter of adding the various table
> entries). I think we should do that too.
>
>
>
>
https://codereview.appspot.com/277090043/diff/20001/external_tests/ssl_gtest/...
> File external_tests/ssl_gtest/ssl_loopback_unittest.cc (right):
>
>
>
https://codereview.appspot.com/277090043/diff/20001/external_tests/ssl_gtest/...
> external_tests/ssl_gtest/ssl_loopback_unittest.cc:501: SendReceive();
> Please check that the cipher suite is correct.
>
> https://codereview.appspot.com/277090043/diff/20001/lib/ssl/ssl3con.c
> File lib/ssl/ssl3con.c (right):
>
>
>
https://codereview.appspot.com/277090043/diff/20001/lib/ssl/ssl3con.c#newcode99
> lib/ssl/ssl3con.c:99: { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
> SSL_ALLOWED, PR_TRUE, PR_FALSE},
> Can you send an email to the nss-dev mailing list explaining why you
> think that these should be prioritized over AES_128_GCM suites? I'm not
> sure that we need to reorder like this (though I'm on the fence).
>
I generally think we should not be prioritizing over GCM. Remember that most
people who run Firefox probably have AES-NI and so GCM is faster.
-Ekr
On 2015/11/25 22:23:19, mt wrote: > I'm not sure that this is enough test coverage. ...
8 years, 4 months ago
(2015-11-30 17:48:07 UTC)
#3
On 2015/11/25 22:23:19, mt wrote:
> I'm not sure that this is enough test coverage. Can you have a look at
> tests/ssl/sslcov.txt and maybe add the suites to the lists there? You might
> have to add new flags to the tstclnt and sslserv tools, but I think that you
can
> just use the hex values for the identifiers.
Good idea, done. Extended to gtests to cover all three cipher suites too.
> I don't see TLS_DHE_RSA_WITH_CHACHA20_POLY1305 here, which would be trivial to
> implement (it's just a matter of adding the various table entries). I think
we
> should do that too.
Added.
https://codereview.appspot.com/277090043/diff/20001/lib/ssl/ssl3con.c
File lib/ssl/ssl3con.c (right):
https://codereview.appspot.com/277090043/diff/20001/lib/ssl/ssl3con.c#newcode99
lib/ssl/ssl3con.c:99: { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, SSL_ALLOWED,
PR_TRUE, PR_FALSE},
On 2015/11/25 22:23:19, mt wrote:
> Can you send an email to the nss-dev mailing list explaining why you think
that
> these should be prioritized over AES_128_GCM suites? I'm not sure that we
need
> to reorder like this (though I'm on the fence).
This change was carried over from Adam's version. I changed it back based on
your and Eric's comments, I think you're right that we don't want to prioritize
ChaCha over AES-GCM for now.
Should we have a follow-up bug that takes care of that for Firefox for Android?
And maybe Firefox OS?
https://codereview.appspot.com/277090043/diff/20001/lib/ssl/ssl3con.c#newcode...
lib/ssl/ssl3con.c:2043: static const int tagSize = 16;
On 2015/11/25 22:23:19, mt wrote:
> These constants are now in two places: here and in bulk_cipher_defs. Any
reason
> not to index that table? Or maybe #define something.
Using the table now.
That looks fine to me. https://codereview.appspot.com/277090043/diff/60001/external_tests/ssl_gtest/ssl_loopback_unittest.cc File external_tests/ssl_gtest/ssl_loopback_unittest.cc (right): https://codereview.appspot.com/277090043/diff/60001/external_tests/ssl_gtest/ssl_loopback_unittest.cc#newcode91 external_tests/ssl_gtest/ssl_loopback_unittest.cc:91: void ConnectSendReceive(PRInt32 cipher_suite) I ...
8 years, 4 months ago
(2015-12-02 04:25:11 UTC)
#5
On 2015/12/02 04:25:11, mt wrote: > https://codereview.appspot.com/277090043/diff/60001/external_tests/ssl_gtest/ssl_loopback_unittest.cc#newcode91 > external_tests/ssl_gtest/ssl_loopback_unittest.cc:91: void > ConnectSendReceive(PRInt32 cipher_suite) > I ...
8 years, 4 months ago
(2015-12-02 07:36:32 UTC)
#6
On 2015/12/02 04:25:11, mt wrote:
>
https://codereview.appspot.com/277090043/diff/60001/external_tests/ssl_gtest/...
> external_tests/ssl_gtest/ssl_loopback_unittest.cc:91: void
> ConnectSendReceive(PRInt32 cipher_suite)
> I think that int16_t would be best here to avoid the static_cast.
Fixed.
BTW, please ignore the ssl3con.c changes in patch set 4, guess I shouldn't have
rebased my branch :/
On 2015/12/02 07:36:32, ttaubert wrote: > BTW, please ignore the ssl3con.c changes in patch set ...
8 years, 4 months ago
(2015-12-02 07:44:41 UTC)
#7
On 2015/12/02 07:36:32, ttaubert wrote:
> BTW, please ignore the ssl3con.c changes in patch set 4, guess I shouldn't
have
> rebased my branch :/
FWIW, these changes are from
https://hg.mozilla.org/projects/nss/rev/ddfaae48f249
LGTM Lost the last one apparently. https://codereview.appspot.com/277090043/diff/80001/lib/ssl/ssl3con.c File lib/ssl/ssl3con.c (right): https://codereview.appspot.com/277090043/diff/80001/lib/ssl/ssl3con.c#newcode2123 lib/ssl/ssl3con.c:2123: } Might be ...
8 years, 4 months ago
(2015-12-08 20:55:50 UTC)
#8
Updated to draft-ietf-tls-chacha20-poly1305-04 and had to rebase due to Bob's changes. It would be good ...
8 years, 3 months ago
(2016-01-12 15:57:27 UTC)
#10
Updated to draft-ietf-tls-chacha20-poly1305-04 and had to rebase due to Bob's
changes. It would be good to look at the SEC_OID_ changes I think.
Unfortunately Rietveld included a few other changes due to the rebase that
aren't mine. What do we usually do? Should I open a new issue here and ask for
review again?
On 2016/01/12 15:57:27, ttaubert wrote: > Updated to draft-ietf-tls-chacha20-poly1305-04 and had to rebase due to ...
8 years, 3 months ago
(2016-01-12 18:33:16 UTC)
#11
On 2016/01/12 15:57:27, ttaubert wrote:
> Updated to draft-ietf-tls-chacha20-poly1305-04 and had to rebase due to Bob's
> changes. It would be good to look at the SEC_OID_ changes I think.
>
> Unfortunately Rietveld included a few other changes due to the rebase that
> aren't mine. What do we usually do? Should I open a new issue here and ask for
> review again?
I didn't review the earlier patch sets, but everything in patch set 7 is
related to Chacha20+Poly1305 cipher suites. I don't understand why you
said Rietveld included some other changes. If they are only visible in
the diffs between patch set 7 and an earlier patch set, that is to be
expected after a rebase.
As long as patch set 7 contains the expected changes, you don't need to
open a new issue.
8 years, 3 months ago
(2016-01-15 14:04:32 UTC)
#20
>
https://codereview.appspot.com/277090043/diff/120001/lib/util/secoid.c#newcod...
> lib/util/secoid.c:203: CONST_OID chacha20_poly1305[] = {
> ALGORITHM, 0x1e };
>
> IMPORTANT: where does this OID come from?
So the problem is that it seems as with Bob's patch from bug 1009429 we need an
OID for ChaCha20/Poly1305 but there is none. How do we deal with that,
can/should we create a temporary one until an official one is assigned?
Would it be better to use CONST_OID chacha20_poly1305[] = { NETSCAPE_ALGS, 0x02 }; as long ...
8 years, 3 months ago
(2016-01-15 14:39:48 UTC)
#21
Would it be better to use
CONST_OID chacha20_poly1305[] = { NETSCAPE_ALGS, 0x02 };
as long as ChaCha20/Poly1305 is still a "Netscape-defined" algorithm?
On 2016/01/15 14:04:32, ttaubert wrote: > > So the problem is that it seems as ...
8 years, 3 months ago
(2016-01-15 18:27:12 UTC)
#23
On 2016/01/15 14:04:32, ttaubert wrote:
>
> So the problem is that it seems as with Bob's patch from bug 1009429 we need
an
> OID for ChaCha20/Poly1305 but there is none. How do we deal with that,
> can/should we create a temporary one until an official one is assigned?
I suggest we deal with the OID in a separate patch because libSSL
doesn't need it.
Please ask Bob, Richard, and Ryan about how we should allocate an
OID for ChaCha20/Poly1305. ChaCha20/Poly1305 is not a Netscape or
NSS-defined algorithm. It is standardized in RFC 7539.
On 2016/01/15 18:27:12, wtc1 wrote: > On 2016/01/15 14:04:32, ttaubert wrote: > > > > ...
8 years, 3 months ago
(2016-01-16 12:35:03 UTC)
#24
On 2016/01/15 18:27:12, wtc1 wrote:
> On 2016/01/15 14:04:32, ttaubert wrote:
> >
> > So the problem is that it seems as with Bob's patch from bug 1009429 we need
> an
> > OID for ChaCha20/Poly1305 but there is none. How do we deal with that,
> > can/should we create a temporary one until an official one is assigned?
>
> I suggest we deal with the OID in a separate patch because libSSL
> doesn't need it.
Removed the invalid OID.
> Please ask Bob, Richard, and Ryan about how we should allocate an
> OID for ChaCha20/Poly1305. ChaCha20/Poly1305 is not a Netscape or
> NSS-defined algorithm. It is standardized in RFC 7539.
Will do.
Patch set 12 LGTM! https://codereview.appspot.com/277090043/diff/220001/tests/ssl/ssl.sh File tests/ssl/ssl.sh (right): https://codereview.appspot.com/277090043/diff/220001/tests/ssl/ssl.sh#newcode93 tests/ssl/ssl.sh:93: CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:CCA8:CCA9:CCAA:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz" Perhaps the definition ...
8 years, 3 months ago
(2016-01-20 22:04:20 UTC)
#25
Patch set 12 LGTM!
https://codereview.appspot.com/277090043/diff/220001/tests/ssl/ssl.sh
File tests/ssl/ssl.sh (right):
https://codereview.appspot.com/277090043/diff/220001/tests/ssl/ssl.sh#newcode93
tests/ssl/ssl.sh:93: CLONG="-c
ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:CCA8:CCA9:CCAA:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009E:00A2cdefgijklmnvyz"
Perhaps the definition of CSHORT and CLONG should be moved
into the if-then-else statement above (lines 86-90) to make
it clear they are only used under certain conditions?
At least, we should add comments to explain what CSHORT and
CLONG are. I thought CSHORT was just a shorter list of
cipher suites.
On 2016/01/20 22:04:20, wtc1 wrote: > Perhaps the definition of CSHORT and CLONG should be ...
8 years, 3 months ago
(2016-01-21 13:42:34 UTC)
#26
On 2016/01/20 22:04:20, wtc1 wrote:
> Perhaps the definition of CSHORT and CLONG should be moved
> into the if-then-else statement above (lines 86-90) to make
> it clear they are only used under certain conditions?
Moved the definitions into the if-then-else statement and unified both under a
single variable called CIPHER_SUITES. Removed all other CLONG/CSHORT references
in the file.
> At least, we should add comments to explain what CSHORT and
> CLONG are. I thought CSHORT was just a shorter list of
> cipher suites.
Added.
Issue 277090043: Bug 1227905 - Support ChaCha20+Poly1305 cipher suites
(Closed)
Created 8 years, 4 months ago by ttaubert
Modified 8 years, 2 months ago
Reviewers: mt, ekr, ekr-rietveld, wtc, wtc1
Base URL:
Comments: 28