You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

openssl-3.0.0-dev-chacha_draft.patch 21KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499
  1. diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
  2. index a97eaa1685..24112723f0 100644
  3. --- a/crypto/evp/c_allc.c
  4. +++ b/crypto/evp/c_allc.c
  5. @@ -265,6 +265,7 @@ void openssl_add_all_ciphers_int(void)
  6. EVP_add_cipher(EVP_chacha20());
  7. # ifndef OPENSSL_NO_POLY1305
  8. EVP_add_cipher(EVP_chacha20_poly1305());
  9. + EVP_add_cipher(EVP_chacha20_poly1305_draft());
  10. # endif
  11. #endif
  12. }
  13. diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
  14. index 37902000a0..56832b63a0 100644
  15. --- a/crypto/evp/e_chacha20_poly1305.c
  16. +++ b/crypto/evp/e_chacha20_poly1305.c
  17. @@ -156,6 +156,7 @@ typedef struct {
  18. struct { uint64_t aad, text; } len;
  19. int aad, mac_inited, tag_len, nonce_len;
  20. size_t tls_payload_length;
  21. + unsigned char draft:1;
  22. } EVP_CHACHA_AEAD_CTX;
  23. # define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)
  24. @@ -176,6 +177,7 @@ static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
  25. actx->aad = 0;
  26. actx->mac_inited = 0;
  27. actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
  28. + actx->draft = 0;
  29. if (iv != NULL) {
  30. unsigned char temp[CHACHA_CTR_SIZE] = { 0 };
  31. @@ -197,6 +199,27 @@ static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
  32. return 1;
  33. }
  34. +static int chacha20_poly1305_draft_init_key(EVP_CIPHER_CTX *ctx,
  35. + const unsigned char *inkey,
  36. + const unsigned char *iv, int enc)
  37. +{
  38. + EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
  39. +
  40. + if (!inkey)
  41. + return 1;
  42. +
  43. + actx->len.aad = 0;
  44. + actx->len.text = 0;
  45. + actx->aad = 0;
  46. + actx->mac_inited = 0;
  47. + actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
  48. + actx->draft = 1;
  49. +
  50. + chacha_init_key(ctx, inkey, NULL, enc);
  51. +
  52. + return 1;
  53. +}
  54. +
  55. # if !defined(OPENSSL_SMALL_FOOTPRINT)
  56. # if defined(POLY1305_ASM) && (defined(__x86_64) || defined(__x86_64__) || \
  57. @@ -367,10 +390,11 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  58. {
  59. EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
  60. size_t rem, plen = actx->tls_payload_length;
  61. + uint64_t thirteen = EVP_AEAD_TLS1_AAD_LEN;
  62. if (!actx->mac_inited) {
  63. # if !defined(OPENSSL_SMALL_FOOTPRINT)
  64. - if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL)
  65. + if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL && !actx->draft)
  66. return chacha20_poly1305_tls_cipher(ctx, out, in, len);
  67. # endif
  68. actx->key.counter[0] = 0;
  69. @@ -397,9 +421,14 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  70. return len;
  71. } else { /* plain- or ciphertext */
  72. if (actx->aad) { /* wrap up aad */
  73. - if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
  74. - Poly1305_Update(POLY1305_ctx(actx), zero,
  75. - POLY1305_BLOCK_SIZE - rem);
  76. + if (actx->draft) {
  77. + thirteen = actx->len.aad;
  78. + Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
  79. + } else {
  80. + if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
  81. + Poly1305_Update(POLY1305_ctx(actx), zero,
  82. + POLY1305_BLOCK_SIZE - rem);
  83. + }
  84. actx->aad = 0;
  85. }
  86. @@ -432,40 +461,52 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  87. } is_endian = { 1 };
  88. unsigned char temp[POLY1305_BLOCK_SIZE];
  89. + if (actx->draft) {
  90. + thirteen = actx->len.text;
  91. + Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
  92. + }
  93. +
  94. if (actx->aad) { /* wrap up aad */
  95. - if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
  96. - Poly1305_Update(POLY1305_ctx(actx), zero,
  97. - POLY1305_BLOCK_SIZE - rem);
  98. + if (actx->draft) {
  99. + thirteen = actx->len.aad;
  100. + Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
  101. + } else {
  102. + if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
  103. + Poly1305_Update(POLY1305_ctx(actx), zero,
  104. + POLY1305_BLOCK_SIZE - rem);
  105. + }
  106. actx->aad = 0;
  107. }
  108. - if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
  109. - Poly1305_Update(POLY1305_ctx(actx), zero,
  110. - POLY1305_BLOCK_SIZE - rem);
  111. + if (!actx->draft) {
  112. + if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
  113. + Poly1305_Update(POLY1305_ctx(actx), zero,
  114. + POLY1305_BLOCK_SIZE - rem);
  115. - if (is_endian.little) {
  116. - Poly1305_Update(POLY1305_ctx(actx),
  117. - (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
  118. - } else {
  119. - temp[0] = (unsigned char)(actx->len.aad);
  120. - temp[1] = (unsigned char)(actx->len.aad>>8);
  121. - temp[2] = (unsigned char)(actx->len.aad>>16);
  122. - temp[3] = (unsigned char)(actx->len.aad>>24);
  123. - temp[4] = (unsigned char)(actx->len.aad>>32);
  124. - temp[5] = (unsigned char)(actx->len.aad>>40);
  125. - temp[6] = (unsigned char)(actx->len.aad>>48);
  126. - temp[7] = (unsigned char)(actx->len.aad>>56);
  127. -
  128. - temp[8] = (unsigned char)(actx->len.text);
  129. - temp[9] = (unsigned char)(actx->len.text>>8);
  130. - temp[10] = (unsigned char)(actx->len.text>>16);
  131. - temp[11] = (unsigned char)(actx->len.text>>24);
  132. - temp[12] = (unsigned char)(actx->len.text>>32);
  133. - temp[13] = (unsigned char)(actx->len.text>>40);
  134. - temp[14] = (unsigned char)(actx->len.text>>48);
  135. - temp[15] = (unsigned char)(actx->len.text>>56);
  136. -
  137. - Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
  138. + if (is_endian.little) {
  139. + Poly1305_Update(POLY1305_ctx(actx),
  140. + (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
  141. + } else {
  142. + temp[0] = (unsigned char)(actx->len.aad);
  143. + temp[1] = (unsigned char)(actx->len.aad>>8);
  144. + temp[2] = (unsigned char)(actx->len.aad>>16);
  145. + temp[3] = (unsigned char)(actx->len.aad>>24);
  146. + temp[4] = (unsigned char)(actx->len.aad>>32);
  147. + temp[5] = (unsigned char)(actx->len.aad>>40);
  148. + temp[6] = (unsigned char)(actx->len.aad>>48);
  149. + temp[7] = (unsigned char)(actx->len.aad>>56);
  150. +
  151. + temp[8] = (unsigned char)(actx->len.text);
  152. + temp[9] = (unsigned char)(actx->len.text>>8);
  153. + temp[10] = (unsigned char)(actx->len.text>>16);
  154. + temp[11] = (unsigned char)(actx->len.text>>24);
  155. + temp[12] = (unsigned char)(actx->len.text>>32);
  156. + temp[13] = (unsigned char)(actx->len.text>>40);
  157. + temp[14] = (unsigned char)(actx->len.text>>48);
  158. + temp[15] = (unsigned char)(actx->len.text>>56);
  159. +
  160. + Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
  161. + }
  162. }
  163. Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
  164. : temp);
  165. @@ -535,12 +576,14 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
  166. return 1;
  167. case EVP_CTRL_AEAD_SET_IVLEN:
  168. + if (actx->draft) return -1;
  169. if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
  170. return 0;
  171. actx->nonce_len = arg;
  172. return 1;
  173. case EVP_CTRL_AEAD_SET_IV_FIXED:
  174. + if (actx->draft) return -1;
  175. if (arg != 12)
  176. return 0;
  177. actx->nonce[0] = actx->key.counter[1]
  178. @@ -624,9 +667,32 @@ static EVP_CIPHER chacha20_poly1305 = {
  179. NULL /* app_data */
  180. };
  181. +static EVP_CIPHER chacha20_poly1305_draft = {
  182. + NID_chacha20_poly1305_draft,
  183. + 1, /* block_size */
  184. + CHACHA_KEY_SIZE, /* key_len */
  185. + 0, /* iv_len, none */
  186. + EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV |
  187. + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
  188. + EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,
  189. + chacha20_poly1305_draft_init_key,
  190. + chacha20_poly1305_cipher,
  191. + chacha20_poly1305_cleanup,
  192. + 0, /* 0 moves context-specific structure allocation to ctrl */
  193. + NULL, /* set_asn1_parameters */
  194. + NULL, /* get_asn1_parameters */
  195. + chacha20_poly1305_ctrl,
  196. + NULL /* app_data */
  197. +};
  198. +
  199. const EVP_CIPHER *EVP_chacha20_poly1305(void)
  200. {
  201. return(&chacha20_poly1305);
  202. }
  203. +
  204. +const EVP_CIPHER *EVP_chacha20_poly1305_draft(void)
  205. +{
  206. + return(&chacha20_poly1305_draft);
  207. +}
  208. # endif
  209. #endif
  210. diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
  211. index 913e107974..339aaa703c 100644
  212. --- a/crypto/objects/obj_dat.h
  213. +++ b/crypto/objects/obj_dat.h
  214. @@ -1080,7 +1080,7 @@ static const unsigned char so[7775] = {
  215. 0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x75, /* [ 7766] OBJ_SM2_with_SM3 */
  216. };
  217. -#define NUM_NID 1205
  218. +#define NUM_NID 1206
  219. static const ASN1_OBJECT nid_objs[NUM_NID] = {
  220. {"UNDEF", "undefined", NID_undef},
  221. {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
  222. @@ -2287,9 +2287,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
  223. {"BLAKE2SMAC", "blake2smac", NID_blake2smac},
  224. {"SSHKDF", "sshkdf", NID_sshkdf},
  225. {"SM2-SM3", "SM2-with-SM3", NID_SM2_with_SM3, 8, &so[7766]},
  226. + {"ChaCha20-Poly1305-D", "chacha20-poly1305-draft", NID_chacha20_poly1305_draft},
  227. };
  228. -#define NUM_SN 1196
  229. +#define NUM_SN 1197
  230. static const unsigned int sn_objs[NUM_SN] = {
  231. 364, /* "AD_DVCS" */
  232. 419, /* "AES-128-CBC" */
  233. @@ -2412,6 +2413,7 @@ static const unsigned int sn_objs[NUM_SN] = {
  234. 417, /* "CSPName" */
  235. 1019, /* "ChaCha20" */
  236. 1018, /* "ChaCha20-Poly1305" */
  237. + 1205, /* "ChaCha20-Poly1305-D" */
  238. 367, /* "CrlID" */
  239. 391, /* "DC" */
  240. 31, /* "DES-CBC" */
  241. @@ -3489,7 +3491,7 @@ static const unsigned int sn_objs[NUM_SN] = {
  242. 1093, /* "x509ExtAdmission" */
  243. };
  244. -#define NUM_LN 1196
  245. +#define NUM_LN 1197
  246. static const unsigned int ln_objs[NUM_LN] = {
  247. 363, /* "AD Time Stamping" */
  248. 405, /* "ANSI X9.62" */
  249. @@ -3874,6 +3876,7 @@ static const unsigned int ln_objs[NUM_LN] = {
  250. 883, /* "certificateRevocationList" */
  251. 1019, /* "chacha20" */
  252. 1018, /* "chacha20-poly1305" */
  253. + 1205, /* "chacha20-poly1305-draft" */
  254. 54, /* "challengePassword" */
  255. 407, /* "characteristic-two-field" */
  256. 395, /* "clearance" */
  257. diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
  258. index cfd06d4c29..4d3e79d4c6 100644
  259. --- a/crypto/objects/obj_mac.num
  260. +++ b/crypto/objects/obj_mac.num
  261. @@ -1202,3 +1202,4 @@ blake2bmac 1201
  262. blake2smac 1202
  263. sshkdf 1203
  264. SM2_with_SM3 1204
  265. +chacha20_poly1305_draft 1205
  266. diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
  267. index 78ebff6ada..2f236c3037 100644
  268. --- a/crypto/objects/objects.txt
  269. +++ b/crypto/objects/objects.txt
  270. @@ -1545,6 +1545,7 @@ sm-scheme 104 7 : SM4-CTR : sm4-ctr
  271. : AES-192-CBC-HMAC-SHA256 : aes-192-cbc-hmac-sha256
  272. : AES-256-CBC-HMAC-SHA256 : aes-256-cbc-hmac-sha256
  273. : ChaCha20-Poly1305 : chacha20-poly1305
  274. + : ChaCha20-Poly1305-D : chacha20-poly1305-draft
  275. : ChaCha20 : chacha20
  276. ISO-US 10046 2 1 : dhpublicnumber : X9.42 DH
  277. diff --git a/include/openssl/evp.h b/include/openssl/evp.h
  278. index 72060e7e96..125bc1c425 100644
  279. --- a/include/openssl/evp.h
  280. +++ b/include/openssl/evp.h
  281. @@ -924,6 +924,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
  282. const EVP_CIPHER *EVP_chacha20(void);
  283. # ifndef OPENSSL_NO_POLY1305
  284. const EVP_CIPHER *EVP_chacha20_poly1305(void);
  285. +const EVP_CIPHER *EVP_chacha20_poly1305_draft(void);
  286. # endif
  287. # endif
  288. diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
  289. index c8cb5ce92d..2ad7e07709 100644
  290. --- a/include/openssl/obj_mac.h
  291. +++ b/include/openssl/obj_mac.h
  292. @@ -4833,6 +4833,10 @@
  293. #define LN_chacha20_poly1305 "chacha20-poly1305"
  294. #define NID_chacha20_poly1305 1018
  295. +#define SN_chacha20_poly1305_draft "ChaCha20-Poly1305-D"
  296. +#define LN_chacha20_poly1305_draft "chacha20-poly1305-draft"
  297. +#define NID_chacha20_poly1305_draft 1205
  298. +
  299. #define SN_chacha20 "ChaCha20"
  300. #define LN_chacha20 "chacha20"
  301. #define NID_chacha20 1019
  302. diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
  303. index 1091b1c8b9..fcfc428cd1 100644
  304. --- a/include/openssl/ssl.h
  305. +++ b/include/openssl/ssl.h
  306. @@ -125,6 +125,7 @@ extern "C" {
  307. # define SSL_TXT_CAMELLIA256 "CAMELLIA256"
  308. # define SSL_TXT_CAMELLIA "CAMELLIA"
  309. # define SSL_TXT_CHACHA20 "CHACHA20"
  310. +# define SSL_TXT_CHACHA20_D "CHACHA20-D"
  311. # define SSL_TXT_GOST "GOST89"
  312. # define SSL_TXT_ARIA "ARIA"
  313. # define SSL_TXT_ARIA_GCM "ARIAGCM"
  314. diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
  315. index 166f15ad5c..4fa1d8a32d 100644
  316. --- a/include/openssl/tls1.h
  317. +++ b/include/openssl/tls1.h
  318. @@ -599,7 +599,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
  319. # define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0x0300C09A
  320. # define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0x0300C09B
  321. -/* draft-ietf-tls-chacha20-poly1305-03 */
  322. +/* Chacha20-Poly1305-Draft ciphersuites from draft-agl-tls-chacha20poly1305-04 */
  323. +# define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_D 0x0300CC13
  324. +# define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D 0x0300CC14
  325. +# define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305_D 0x0300CC15
  326. +
  327. +/* Chacha20-Poly1305 ciphersuites from RFC7905 */
  328. # define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305 0x0300CCA8
  329. # define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 0x0300CCA9
  330. # define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305 0x0300CCAA
  331. @@ -764,6 +769,9 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
  332. # define TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305 "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  333. # define TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  334. # define TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
  335. +# define TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305_D "OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  336. +# define TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305_D "OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  337. +# define TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D "OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
  338. # define TLS1_RFC_PSK_WITH_CHACHA20_POLY1305 "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"
  339. # define TLS1_RFC_ECDHE_PSK_WITH_CHACHA20_POLY1305 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
  340. # define TLS1_RFC_DHE_PSK_WITH_CHACHA20_POLY1305 "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
  341. @@ -1092,7 +1100,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
  342. # define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 "ECDH-RSA-CAMELLIA128-SHA256"
  343. # define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 "ECDH-RSA-CAMELLIA256-SHA384"
  344. -/* draft-ietf-tls-chacha20-poly1305-03 */
  345. +/* Chacha20-Poly1305-Draft ciphersuites from draft-agl-tls-chacha20poly1305-04 */
  346. +# define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_D "ECDHE-RSA-CHACHA20-POLY1305-OLD"
  347. +# define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D "ECDHE-ECDSA-CHACHA20-POLY1305-OLD"
  348. +# define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_D "DHE-RSA-CHACHA20-POLY1305-OLD"
  349. +
  350. +/* Chacha20-Poly1305 ciphersuites from RFC7905 */
  351. # define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305"
  352. # define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305"
  353. # define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305"
  354. diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
  355. index a3639fd18c..c13137e1af 100644
  356. --- a/ssl/s3_lib.c
  357. +++ b/ssl/s3_lib.c
  358. @@ -2083,6 +2083,54 @@ static SSL_CIPHER ssl3_ciphers[] = {
  359. 256,
  360. 256,
  361. },
  362. + {
  363. + 1,
  364. + TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_D,
  365. + TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305_D,
  366. + TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305_D,
  367. + SSL_kDHE,
  368. + SSL_aRSA,
  369. + SSL_CHACHA20POLY1305_D,
  370. + SSL_AEAD,
  371. + TLS1_2_VERSION, TLS1_2_VERSION,
  372. + DTLS1_2_VERSION, DTLS1_2_VERSION,
  373. + SSL_HIGH,
  374. + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
  375. + 256,
  376. + 256,
  377. + },
  378. + {
  379. + 1,
  380. + TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
  381. + TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
  382. + TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
  383. + SSL_kECDHE,
  384. + SSL_aRSA,
  385. + SSL_CHACHA20POLY1305_D,
  386. + SSL_AEAD,
  387. + TLS1_2_VERSION, TLS1_2_VERSION,
  388. + DTLS1_2_VERSION, DTLS1_2_VERSION,
  389. + SSL_HIGH,
  390. + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
  391. + 256,
  392. + 256,
  393. + },
  394. + {
  395. + 1,
  396. + TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
  397. + TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
  398. + TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
  399. + SSL_kECDHE,
  400. + SSL_aECDSA,
  401. + SSL_CHACHA20POLY1305_D,
  402. + SSL_AEAD,
  403. + TLS1_2_VERSION, TLS1_2_VERSION,
  404. + DTLS1_2_VERSION, DTLS1_2_VERSION,
  405. + SSL_HIGH,
  406. + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
  407. + 256,
  408. + 256,
  409. + },
  410. {
  411. 1,
  412. TLS1_TXT_PSK_WITH_CHACHA20_POLY1305,
  413. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
  414. index 5aa04dbd53..71094c195e 100644
  415. --- a/ssl/ssl_ciph.c
  416. +++ b/ssl/ssl_ciph.c
  417. @@ -44,7 +44,8 @@
  418. #define SSL_ENC_CHACHA_IDX 19
  419. #define SSL_ENC_ARIA128GCM_IDX 20
  420. #define SSL_ENC_ARIA256GCM_IDX 21
  421. -#define SSL_ENC_NUM_IDX 22
  422. +#define SSL_ENC_CHACHA20_D_IDX 22
  423. +#define SSL_ENC_NUM_IDX 23
  424. /* NB: make sure indices in these tables match values above */
  425. @@ -77,6 +78,7 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
  426. {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */
  427. {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */
  428. {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */
  429. + {SSL_CHACHA20POLY1305_D, NID_chacha20_poly1305_draft}, /* SSL_ENC_CHACHA20POLY1305_IDX 22 */
  430. };
  431. static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
  432. @@ -276,6 +278,7 @@ static const SSL_CIPHER cipher_aliases[] = {
  433. {0, SSL_TXT_CAMELLIA256, NULL, 0, 0, 0, SSL_CAMELLIA256},
  434. {0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA},
  435. {0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20},
  436. + {0, SSL_TXT_CHACHA20_D, NULL, 0, 0, 0, SSL_CHACHA20POLY1305_D},
  437. {0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA},
  438. {0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM},
  439. @@ -2122,7 +2125,7 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
  440. out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16;
  441. } else if (c->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) {
  442. out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 8;
  443. - } else if (c->algorithm_enc & SSL_CHACHA20POLY1305) {
  444. + } else if (c->algorithm_enc & (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_D)) {
  445. out = 16;
  446. } else if (c->algorithm_mac & SSL_AEAD) {
  447. /* We're supposed to have handled all the AEAD modes above */
  448. diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
  449. index 1d3397d880..d5ff8520b6 100644
  450. --- a/ssl/ssl_locl.h
  451. +++ b/ssl/ssl_locl.h
  452. @@ -234,12 +234,13 @@
  453. # define SSL_CHACHA20POLY1305 0x00080000U
  454. # define SSL_ARIA128GCM 0x00100000U
  455. # define SSL_ARIA256GCM 0x00200000U
  456. +# define SSL_CHACHA20POLY1305_D 0x00400000U
  457. # define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM)
  458. # define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
  459. # define SSL_AES (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM)
  460. # define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
  461. -# define SSL_CHACHA20 (SSL_CHACHA20POLY1305)
  462. +# define SSL_CHACHA20 (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_D)
  463. # define SSL_ARIAGCM (SSL_ARIA128GCM | SSL_ARIA256GCM)
  464. # define SSL_ARIA (SSL_ARIAGCM)
  465. diff --git a/util/libcrypto.num b/util/libcrypto.num
  466. index 817c8bbaf4..4d946530b4 100644
  467. --- a/util/libcrypto.num
  468. +++ b/util/libcrypto.num
  469. @@ -4790,3 +4790,4 @@ OSSL_PARAM_get_octet_ptr 4737 3_0_0 EXIST::FUNCTION:
  470. OSSL_PARAM_set_octet_ptr 4738 3_0_0 EXIST::FUNCTION:
  471. X509_set_sm2_id 4739 3_0_0 EXIST::FUNCTION:
  472. X509_get0_sm2_id 4740 3_0_0 EXIST::FUNCTION:
  473. +EVP_chacha20_poly1305_draft 4741 3_0_0 EXIST::FUNCTION:CHACHA,POLY1305