
openssl-1.1.1c-chacha_draft.patch 21KB

  1. diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
  2. index 086b3c4d51..5699901f7d 100644
  3. --- a/crypto/evp/c_allc.c
  4. +++ b/crypto/evp/c_allc.c
  5. @@ -261,6 +261,7 @@ void openssl_add_all_ciphers_int(void)
  6. EVP_add_cipher(EVP_chacha20());
  7. # ifndef OPENSSL_NO_POLY1305
  8. EVP_add_cipher(EVP_chacha20_poly1305());
  9. + EVP_add_cipher(EVP_chacha20_poly1305_draft());
  10. # endif
  11. #endif
  12. }
  13. diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
  14. index d3e2c622a1..ef679522d1 100644
  15. --- a/crypto/evp/e_chacha20_poly1305.c
  16. +++ b/crypto/evp/e_chacha20_poly1305.c
  17. @@ -156,6 +156,7 @@ typedef struct {
  18. struct { uint64_t aad, text; } len;
  19. int aad, mac_inited, tag_len, nonce_len;
  20. size_t tls_payload_length;
  21. + unsigned char draft:1;
  22. } EVP_CHACHA_AEAD_CTX;
  23. # define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)
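Review bot: `unsigned char draft:1;` uses a bit-field type that the C standard leaves implementation-defined; only `_Bool`, `signed int` and `unsigned int` are guaranteed to be accepted. Declaring it as `unsigned int draft:1;`, or as a plain `int draft` next to `aad` and `mac_inited`, keeps the context struct portable across compilers. The struct definition starts outside this hunk.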
  24. @@ -176,6 +177,7 @@ static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
  25. actx->aad = 0;
  26. actx->mac_inited = 0;
  27. actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
  28. + actx->draft = 0;
  29. if (iv != NULL) {
  30. unsigned char temp[CHACHA_CTR_SIZE] = { 0 };
  31. @@ -197,6 +199,27 @@ static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
  32. return 1;
  33. }
  34. +static int chacha20_poly1305_draft_init_key(EVP_CIPHER_CTX *ctx,
  35. + const unsigned char *inkey,
  36. + const unsigned char *iv, int enc)
  37. +{
  38. + EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
  39. +
  40. + if (!inkey)
  41. + return 1;
  42. +
  43. + actx->len.aad = 0;
  44. + actx->len.text = 0;
  45. + actx->aad = 0;
  46. + actx->mac_inited = 0;
  47. + actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
  48. + actx->draft = 1;
  49. +
  50. + chacha_init_key(ctx, inkey, NULL, enc);
  51. +
  52. + return 1;
  53. +}
  54. +
  55. # if !defined(OPENSSL_SMALL_FOOTPRINT)
  56. # if defined(POLY1305_ASM) && (defined(__x86_64) || defined(__x86_64__) || \
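Review bot: `actx->draft = 1;` is only reached when `inkey` is non-NULL, so a context initialised without a key keeps whatever value `draft` had before. Until the key is set, the `if (actx->draft) return -1;` guards added to chacha20_poly1305_ctrl and the `!actx->draft` test in chacha20_poly1305_cipher do not see draft mode. Moving `actx->draft = 1;` above `if (!inkey)` ties the flag to the cipher rather than to key setup. The function also drops its `iv` argument and passes NULL to chacha_init_key without saying why. A comment such as `/* draft mode: caller-supplied iv is intentionally ignored */` would document that, and it is worth confirming that `actx->nonce` is zeroed elsewhere, since nothing here resets it.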
  57. @@ -367,10 +390,11 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  58. {
  59. EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
  60. size_t rem, plen = actx->tls_payload_length;
  61. + uint64_t thirteen = EVP_AEAD_TLS1_AAD_LEN;
  62. if (!actx->mac_inited) {
  63. # if !defined(OPENSSL_SMALL_FOOTPRINT)
  64. - if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL)
  65. + if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL && !actx->draft)
  66. return chacha20_poly1305_tls_cipher(ctx, out, in, len);
  67. # endif
  68. actx->key.counter[0] = 0;
  69. @@ -397,9 +421,14 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  70. return len;
  71. } else { /* plain- or ciphertext */
  72. if (actx->aad) { /* wrap up aad */
  73. - if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
  74. - Poly1305_Update(POLY1305_ctx(actx), zero,
  75. - POLY1305_BLOCK_SIZE - rem);
  76. + if (actx->draft) {
  77. + thirteen = actx->len.aad;
  78. + Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
  79. + } else {
  80. + if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
  81. + Poly1305_Update(POLY1305_ctx(actx), zero,
  82. + POLY1305_BLOCK_SIZE - rem);
  83. + }
  84. actx->aad = 0;
  85. }
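Review bot: The draft branch feeds `(const unsigned char *)&thirteen` to Poly1305_Update, which hashes the length in host byte order. The draft construction defines the length as an 8-byte little-endian value, so on a big-endian build the tag would not match a conforming peer. The RFC 7905 path later in this function already serialises byte by byte when `is_endian.little` is false. The same cast appears twice more in the following hunk, for `len.text` and `len.aad`. A small helper that writes the eight bytes explicitly fixes all three sites, and it removes the need for the local `thirteen`, whose name no longer describes what it holds once it is reused for lengths. The enclosing function starts and ends outside this hunk.

```c
/* Absorb a length as an explicit 8-byte little-endian value (draft construction). */
static void chacha20_poly1305_draft_update_len(EVP_CHACHA_AEAD_CTX *actx,
                                               uint64_t len)
{
    unsigned char le[8];
    size_t i;

    for (i = 0; i < sizeof(le); i++)
        le[i] = (unsigned char)(len >> (8 * i));
    Poly1305_Update(POLY1305_ctx(actx), le, sizeof(le));
}

/* … unchanged: start of the "wrap up aad" block … */
            if (actx->draft) {
                chacha20_poly1305_draft_update_len(actx, actx->len.aad);
            } else {
/* … unchanged: RFC 7905 zero padding of the AAD … */
```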
  86. @@ -432,40 +461,52 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  87. } is_endian = { 1 };
  88. unsigned char temp[POLY1305_BLOCK_SIZE];
  89. + if (actx->draft) {
  90. + thirteen = actx->len.text;
  91. + Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
  92. + }
  93. +
  94. if (actx->aad) { /* wrap up aad */
  95. - if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
  96. - Poly1305_Update(POLY1305_ctx(actx), zero,
  97. - POLY1305_BLOCK_SIZE - rem);
  98. + if (actx->draft) {
  99. + thirteen = actx->len.aad;
  100. + Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
  101. + } else {
  102. + if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
  103. + Poly1305_Update(POLY1305_ctx(actx), zero,
  104. + POLY1305_BLOCK_SIZE - rem);
  105. + }
  106. actx->aad = 0;
  107. }
  108. - if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
  109. - Poly1305_Update(POLY1305_ctx(actx), zero,
  110. - POLY1305_BLOCK_SIZE - rem);
  111. + if (!actx->draft) {
  112. + if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
  113. + Poly1305_Update(POLY1305_ctx(actx), zero,
  114. + POLY1305_BLOCK_SIZE - rem);
  115. - if (is_endian.little) {
  116. - Poly1305_Update(POLY1305_ctx(actx),
  117. - (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
  118. - } else {
  119. - temp[0] = (unsigned char)(actx->len.aad);
  120. - temp[1] = (unsigned char)(actx->len.aad>>8);
  121. - temp[2] = (unsigned char)(actx->len.aad>>16);
  122. - temp[3] = (unsigned char)(actx->len.aad>>24);
  123. - temp[4] = (unsigned char)(actx->len.aad>>32);
  124. - temp[5] = (unsigned char)(actx->len.aad>>40);
  125. - temp[6] = (unsigned char)(actx->len.aad>>48);
  126. - temp[7] = (unsigned char)(actx->len.aad>>56);
  127. -
  128. - temp[8] = (unsigned char)(actx->len.text);
  129. - temp[9] = (unsigned char)(actx->len.text>>8);
  130. - temp[10] = (unsigned char)(actx->len.text>>16);
  131. - temp[11] = (unsigned char)(actx->len.text>>24);
  132. - temp[12] = (unsigned char)(actx->len.text>>32);
  133. - temp[13] = (unsigned char)(actx->len.text>>40);
  134. - temp[14] = (unsigned char)(actx->len.text>>48);
  135. - temp[15] = (unsigned char)(actx->len.text>>56);
  136. -
  137. - Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
  138. + if (is_endian.little) {
  139. + Poly1305_Update(POLY1305_ctx(actx),
  140. + (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
  141. + } else {
  142. + temp[0] = (unsigned char)(actx->len.aad);
  143. + temp[1] = (unsigned char)(actx->len.aad>>8);
  144. + temp[2] = (unsigned char)(actx->len.aad>>16);
  145. + temp[3] = (unsigned char)(actx->len.aad>>24);
  146. + temp[4] = (unsigned char)(actx->len.aad>>32);
  147. + temp[5] = (unsigned char)(actx->len.aad>>40);
  148. + temp[6] = (unsigned char)(actx->len.aad>>48);
  149. + temp[7] = (unsigned char)(actx->len.aad>>56);
  150. +
  151. + temp[8] = (unsigned char)(actx->len.text);
  152. + temp[9] = (unsigned char)(actx->len.text>>8);
  153. + temp[10] = (unsigned char)(actx->len.text>>16);
  154. + temp[11] = (unsigned char)(actx->len.text>>24);
  155. + temp[12] = (unsigned char)(actx->len.text>>32);
  156. + temp[13] = (unsigned char)(actx->len.text>>40);
  157. + temp[14] = (unsigned char)(actx->len.text>>48);
  158. + temp[15] = (unsigned char)(actx->len.text>>56);
  159. +
  160. + Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
  161. + }
  162. }
  163. Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
  164. : temp);
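Review bot: In the finalisation path the draft block absorbs `actx->len.text` before the `if (actx->aad)` wrap-up absorbs `actx->len.aad`. When AAD was supplied but no payload update followed, the MAC input becomes AAD, text length, AAD length instead of AAD, AAD length, text length. That case produces a tag that differs from the draft construction whenever `actx->aad` is still set at this point. Moving the `if (actx->draft) { thirteen = actx->len.text; ... }` block to just after the closing brace of the `if (actx->aad)` block restores the order. The surrounding function body extends beyond this hunk, so the paths that reach it with `actx->aad` set should be confirmed there.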
  165. @@ -535,12 +576,14 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
  166. return 1;
  167. case EVP_CTRL_AEAD_SET_IVLEN:
  168. + if (actx->draft) return -1;
  169. if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
  170. return 0;
  171. actx->nonce_len = arg;
  172. return 1;
  173. case EVP_CTRL_AEAD_SET_IV_FIXED:
  174. + if (actx->draft) return -1;
  175. if (arg != 12)
  176. return 0;
  177. actx->nonce[0] = actx->key.counter[1]
  178. @@ -624,9 +667,32 @@ static EVP_CIPHER chacha20_poly1305 = {
  179. NULL /* app_data */
  180. };
  181. +static EVP_CIPHER chacha20_poly1305_draft = {
  182. + NID_chacha20_poly1305_draft,
  183. + 1, /* block_size */
  184. + CHACHA_KEY_SIZE, /* key_len */
  185. + 0, /* iv_len, none */
  186. + EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV |
  187. + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
  188. + EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,
  189. + chacha20_poly1305_draft_init_key,
  190. + chacha20_poly1305_cipher,
  191. + chacha20_poly1305_cleanup,
  192. + 0, /* 0 moves context-specific structure allocation to ctrl */
  193. + NULL, /* set_asn1_parameters */
  194. + NULL, /* get_asn1_parameters */
  195. + chacha20_poly1305_ctrl,
  196. + NULL /* app_data */
  197. +};
  198. +
  199. const EVP_CIPHER *EVP_chacha20_poly1305(void)
  200. {
  201. return(&chacha20_poly1305);
  202. }
  203. +
  204. +const EVP_CIPHER *EVP_chacha20_poly1305_draft(void)
  205. +{
  206. + return(&chacha20_poly1305_draft);
  207. +}
  208. # endif
  209. #endif
  210. diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
  211. index 9ab1a14b9e..ba3e602186 100644
  212. --- a/crypto/objects/obj_dat.h
  213. +++ b/crypto/objects/obj_dat.h
  214. @@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
  215. 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */
  216. };
  217. -#define NUM_NID 1195
  218. +#define NUM_NID 1196
  219. static const ASN1_OBJECT nid_objs[NUM_NID] = {
  220. {"UNDEF", "undefined", NID_undef},
  221. {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
  222. @@ -2275,9 +2275,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
  223. {"magma-mac", "magma-mac", NID_magma_mac},
  224. {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]},
  225. {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]},
  226. + {"ChaCha20-Poly1305-D", "chacha20-poly1305-draft", NID_chacha20_poly1305_draft},
  227. };
  228. -#define NUM_SN 1186
  229. +#define NUM_SN 1187
  230. static const unsigned int sn_objs[NUM_SN] = {
  231. 364, /* "AD_DVCS" */
  232. 419, /* "AES-128-CBC" */
  233. @@ -2395,6 +2396,7 @@ static const unsigned int sn_objs[NUM_SN] = {
  234. 417, /* "CSPName" */
  235. 1019, /* "ChaCha20" */
  236. 1018, /* "ChaCha20-Poly1305" */
  237. + 1195, /* "ChaCha20-Poly1305-D" */
  238. 367, /* "CrlID" */
  239. 391, /* "DC" */
  240. 31, /* "DES-CBC" */
  241. @@ -3467,7 +3469,7 @@ static const unsigned int sn_objs[NUM_SN] = {
  242. 1093, /* "x509ExtAdmission" */
  243. };
  244. -#define NUM_LN 1186
  245. +#define NUM_LN 1187
  246. static const unsigned int ln_objs[NUM_LN] = {
  247. 363, /* "AD Time Stamping" */
  248. 405, /* "ANSI X9.62" */
  249. @@ -3846,6 +3848,7 @@ static const unsigned int ln_objs[NUM_LN] = {
  250. 883, /* "certificateRevocationList" */
  251. 1019, /* "chacha20" */
  252. 1018, /* "chacha20-poly1305" */
  253. + 1195, /* "chacha20-poly1305-draft" */
  254. 54, /* "challengePassword" */
  255. 407, /* "characteristic-two-field" */
  256. 395, /* "clearance" */
  257. diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
  258. index 1b6a9c61a1..c81ca25a53 100644
  259. --- a/crypto/objects/obj_mac.num
  260. +++ b/crypto/objects/obj_mac.num
  261. @@ -1192,3 +1192,4 @@ magma_cfb 1191
  262. magma_mac 1192
  263. hmacWithSHA512_224 1193
  264. hmacWithSHA512_256 1194
  265. +chacha20_poly1305_draft 1195
  266. diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
  267. index 6dbc41ce37..581169eda8 100644
  268. --- a/crypto/objects/objects.txt
  269. +++ b/crypto/objects/objects.txt
  270. @@ -1534,6 +1534,7 @@ sm-scheme 104 7 : SM4-CTR : sm4-ctr
  271. : AES-192-CBC-HMAC-SHA256 : aes-192-cbc-hmac-sha256
  272. : AES-256-CBC-HMAC-SHA256 : aes-256-cbc-hmac-sha256
  273. : ChaCha20-Poly1305 : chacha20-poly1305
  274. + : ChaCha20-Poly1305-D : chacha20-poly1305-draft
  275. : ChaCha20 : chacha20
  276. ISO-US 10046 2 1 : dhpublicnumber : X9.42 DH
  277. diff --git a/include/openssl/evp.h b/include/openssl/evp.h
  278. index 9f05b5a3b7..020895c022 100644
  279. --- a/include/openssl/evp.h
  280. +++ b/include/openssl/evp.h
  281. @@ -915,6 +915,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
  282. const EVP_CIPHER *EVP_chacha20(void);
  283. # ifndef OPENSSL_NO_POLY1305
  284. const EVP_CIPHER *EVP_chacha20_poly1305(void);
  285. +const EVP_CIPHER *EVP_chacha20_poly1305_draft(void);
  286. # endif
  287. # endif
  288. diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
  289. index 31fad4640f..f3669a46c9 100644
  290. --- a/include/openssl/obj_mac.h
  291. +++ b/include/openssl/obj_mac.h
  292. @@ -4807,6 +4807,10 @@
  293. #define LN_chacha20_poly1305 "chacha20-poly1305"
  294. #define NID_chacha20_poly1305 1018
  295. +#define SN_chacha20_poly1305_draft "ChaCha20-Poly1305-D"
  296. +#define LN_chacha20_poly1305_draft "chacha20-poly1305-draft"
  297. +#define NID_chacha20_poly1305_draft 1195
  298. +
  299. #define SN_chacha20 "ChaCha20"
  300. #define LN_chacha20 "chacha20"
  301. #define NID_chacha20 1019
  302. diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
  303. index 48e1152a27..524614cca2 100644
  304. --- a/include/openssl/ssl.h
  305. +++ b/include/openssl/ssl.h
  306. @@ -125,6 +125,7 @@ extern "C" {
  307. # define SSL_TXT_CAMELLIA256 "CAMELLIA256"
  308. # define SSL_TXT_CAMELLIA "CAMELLIA"
  309. # define SSL_TXT_CHACHA20 "CHACHA20"
  310. +# define SSL_TXT_CHACHA20_D "CHACHA20-D"
  311. # define SSL_TXT_GOST "GOST89"
  312. # define SSL_TXT_ARIA "ARIA"
  313. # define SSL_TXT_ARIA_GCM "ARIAGCM"
  314. diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
  315. index e13b5dd4bc..53d43c121e 100644
  316. --- a/include/openssl/tls1.h
  317. +++ b/include/openssl/tls1.h
  318. @@ -597,7 +597,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
  319. # define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0x0300C09A
  320. # define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0x0300C09B
  321. -/* draft-ietf-tls-chacha20-poly1305-03 */
  322. +/* Chacha20-Poly1305-Draft ciphersuites from draft-agl-tls-chacha20poly1305-04 */
  323. +# define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_D 0x0300CC13
  324. +# define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D 0x0300CC14
  325. +# define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305_D 0x0300CC15
  326. +
  327. +/* Chacha20-Poly1305 ciphersuites from RFC7905 */
  328. # define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305 0x0300CCA8
  329. # define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 0x0300CCA9
  330. # define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305 0x0300CCAA
  331. @@ -762,6 +767,9 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
  332. # define TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  333. # define TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  334. # define TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
  335. +# define TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305_D "OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  336. +# define TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305_D "OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  337. +# define TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D "OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
  338. # define TLS1_RFC_PSK_WITH_CHACHA20_POLY1305 "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"
  339. # define TLS1_RFC_ECDHE_PSK_WITH_CHACHA20_POLY1305 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
  340. # define TLS1_RFC_DHE_PSK_WITH_CHACHA20_POLY1305 "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
  341. @@ -1090,7 +1098,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
  342. # define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 "ECDH-RSA-CAMELLIA128-SHA256"
  343. # define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 "ECDH-RSA-CAMELLIA256-SHA384"
  344. -/* draft-ietf-tls-chacha20-poly1305-03 */
  345. +/* Chacha20-Poly1305-Draft ciphersuites from draft-agl-tls-chacha20poly1305-04 */
  346. +# define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_D "ECDHE-RSA-CHACHA20-POLY1305-OLD"
  347. +# define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D "ECDHE-ECDSA-CHACHA20-POLY1305-OLD"
  348. +# define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_D "DHE-RSA-CHACHA20-POLY1305-OLD"
  349. +
  350. +/* Chacha20-Poly1305 ciphersuites from RFC7905 */
  351. # define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305"
  352. # define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305"
  353. # define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305"
  354. diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
  355. index 99ae48199c..7e36a0d7ea 100644
  356. --- a/ssl/s3_lib.c
  357. +++ b/ssl/s3_lib.c
  358. @@ -2082,6 +2082,54 @@ static SSL_CIPHER ssl3_ciphers[] = {
  359. 256,
  360. 256,
  361. },
  362. + {
  363. + 1,
  364. + TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_D,
  365. + TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305_D,
  366. + TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305_D,
  367. + SSL_kDHE,
  368. + SSL_aRSA,
  369. + SSL_CHACHA20POLY1305_D,
  370. + SSL_AEAD,
  371. + TLS1_2_VERSION, TLS1_2_VERSION,
  372. + DTLS1_2_VERSION, DTLS1_2_VERSION,
  373. + SSL_HIGH,
  374. + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
  375. + 256,
  376. + 256,
  377. + },
  378. + {
  379. + 1,
  380. + TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
  381. + TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
  382. + TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
  383. + SSL_kECDHE,
  384. + SSL_aRSA,
  385. + SSL_CHACHA20POLY1305_D,
  386. + SSL_AEAD,
  387. + TLS1_2_VERSION, TLS1_2_VERSION,
  388. + DTLS1_2_VERSION, DTLS1_2_VERSION,
  389. + SSL_HIGH,
  390. + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
  391. + 256,
  392. + 256,
  393. + },
  394. + {
  395. + 1,
  396. + TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
  397. + TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
  398. + TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
  399. + SSL_kECDHE,
  400. + SSL_aECDSA,
  401. + SSL_CHACHA20POLY1305_D,
  402. + SSL_AEAD,
  403. + TLS1_2_VERSION, TLS1_2_VERSION,
  404. + DTLS1_2_VERSION, DTLS1_2_VERSION,
  405. + SSL_HIGH,
  406. + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
  407. + 256,
  408. + 256,
  409. + },
  410. {
  411. 1,
  412. TLS1_TXT_PSK_WITH_CHACHA20_POLY1305,
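Review bot: The three pre-standard suites are tagged `SSL_HIGH` with no `SSL_NOT_DEFAULT`, so they appear to join the default cipher list alongside the RFC 7905 suites. The ssl_locl.h hunk in this patch widens the `SSL_CHACHA20` alias to include `SSL_CHACHA20POLY1305_D`, so any existing cipher string that names `CHACHA20` will also start selecting them. For a compatibility-only construction it is safer to make deployments opt in explicitly, for example `SSL_NOT_DEFAULT | SSL_HIGH,` in each entry. The `CHACHA20` alias could also be left as it was, with `CHACHA20-D` as the only selector. The ssl3_ciphers table continues outside this hunk.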
  413. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
  414. index b60d67aa0d..ce750c4425 100644
  415. --- a/ssl/ssl_ciph.c
  416. +++ b/ssl/ssl_ciph.c
  417. @@ -43,7 +43,8 @@
  418. #define SSL_ENC_CHACHA_IDX 19
  419. #define SSL_ENC_ARIA128GCM_IDX 20
  420. #define SSL_ENC_ARIA256GCM_IDX 21
  421. -#define SSL_ENC_NUM_IDX 22
  422. +#define SSL_ENC_CHACHA20_D_IDX 22
  423. +#define SSL_ENC_NUM_IDX 23
  424. /* NB: make sure indices in these tables match values above */
  425. @@ -76,6 +77,7 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
  426. {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */
  427. {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */
  428. {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */
  429. + {SSL_CHACHA20POLY1305_D, NID_chacha20_poly1305_draft}, /* SSL_ENC_CHACHA20POLY1305_IDX 22 */
  430. };
  431. static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
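Review bot: The trailing comment on the new table row names `SSL_ENC_CHACHA20POLY1305_IDX 22`, but the index defined in the previous hunk is `SSL_ENC_CHACHA20_D_IDX`. Because this table is kept in step with the defines only by these comments (see the `NB:` line above it), the comment should read `/* SSL_ENC_CHACHA20_D_IDX 22 */`.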
  432. @@ -275,6 +277,7 @@ static const SSL_CIPHER cipher_aliases[] = {
  433. {0, SSL_TXT_CAMELLIA256, NULL, 0, 0, 0, SSL_CAMELLIA256},
  434. {0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA},
  435. {0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20},
  436. + {0, SSL_TXT_CHACHA20_D, NULL, 0, 0, 0, SSL_CHACHA20POLY1305_D},
  437. {0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA},
  438. {0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM},
  439. @@ -1791,6 +1794,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
  440. case SSL_CHACHA20POLY1305:
  441. enc = "CHACHA20/POLY1305(256)";
  442. break;
  443. + case SSL_CHACHA20POLY1305_D:
  444. + enc = "CHACHA20/POLY1305-Draft(256)";
  445. + break;
  446. default:
  447. enc = "unknown";
  448. break;
  449. @@ -2115,7 +2121,7 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
  450. out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16;
  451. } else if (c->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) {
  452. out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 8;
  453. - } else if (c->algorithm_enc & SSL_CHACHA20POLY1305) {
  454. + } else if (c->algorithm_enc & (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_D)) {
  455. out = 16;
  456. } else if (c->algorithm_mac & SSL_AEAD) {
  457. /* We're supposed to have handled all the AEAD modes above */
  458. diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
  459. index 33db1460ab..00c5ee4cff 100644
  460. --- a/ssl/ssl_locl.h
  461. +++ b/ssl/ssl_locl.h
  462. @@ -230,12 +230,13 @@
  463. # define SSL_CHACHA20POLY1305 0x00080000U
  464. # define SSL_ARIA128GCM 0x00100000U
  465. # define SSL_ARIA256GCM 0x00200000U
  466. +# define SSL_CHACHA20POLY1305_D 0x00400000U
  467. # define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM)
  468. # define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
  469. # define SSL_AES (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM)
  470. # define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
  471. -# define SSL_CHACHA20 (SSL_CHACHA20POLY1305)
  472. +# define SSL_CHACHA20 (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_D)
  473. # define SSL_ARIAGCM (SSL_ARIA128GCM | SSL_ARIA256GCM)
  474. # define SSL_ARIA (SSL_ARIAGCM)
  475. diff --git a/util/libcrypto.num b/util/libcrypto.num
  476. index 32c64cb2c7..86cb7a994b 100644
  477. --- a/util/libcrypto.num
  478. +++ b/util/libcrypto.num
  479. @@ -4579,3 +4579,4 @@ EVP_PKEY_meth_set_digest_custom 4532 1_1_1 EXIST::FUNCTION:
  480. EVP_PKEY_meth_get_digest_custom 4533 1_1_1 EXIST::FUNCTION:
  481. OPENSSL_INIT_set_config_filename 4534 1_1_1b EXIST::FUNCTION:STDIO
  482. OPENSSL_INIT_set_config_file_flags 4535 1_1_1b EXIST::FUNCTION:STDIO
  483. +EVP_chacha20_poly1305_draft 4536 1_1_0 EXIST::FUNCTION:CHACHA,POLY1305
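Review bot: The new export is tagged `1_1_0` while the neighbouring entries carry `1_1_1` and `1_1_1b`. If this file drives the shared-library version map, the symbol would be published under an older version node than the release that actually introduces it. A tag matching the patched release, or a clearly local one, would avoid advertising the function as part of the 1.1.0 ABI.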