diff options
| author | jsing <> | 2015-09-13 09:10:01 +0000 |
|---|---|---|
| committer | jsing <> | 2015-09-13 09:10:01 +0000 |
| commit | 80f33b2a4b53b6e712873ba41c9f333f62edbb3b (patch) | |
| tree | e6910b9c8212ca0ff39bc598f5bc89c4f83180f0 /src/lib | |
| parent | 37a8e8e2fe93b45ab3b39108d9af4b75cf4dd663 (diff) | |
| download | openbsd-80f33b2a4b53b6e712873ba41c9f333f62edbb3b.tar.gz openbsd-80f33b2a4b53b6e712873ba41c9f333f62edbb3b.tar.bz2 openbsd-80f33b2a4b53b6e712873ba41c9f333f62edbb3b.zip | |
If we have hardware acceleration for AES, prefer AES as a symmetric cipher
over CHACHA20. Otherwise, prefer CHACHA20 with AES second.
ok beck@ miod@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_ciph.c | 37 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 37 |
2 files changed, 60 insertions, 14 deletions
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c index 96b4099d19..42fdaad338 100644 --- a/src/lib/libssl/src/ssl/ssl_ciph.c +++ b/src/lib/libssl/src/ssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.81 2015/02/07 04:17:11 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.82 2015/09/13 09:10:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1358,6 +1358,16 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, | |||
| 1358 | return (retval); | 1358 | return (retval); |
| 1359 | } | 1359 | } |
| 1360 | 1360 | ||
| 1361 | static inline int | ||
| 1362 | ssl_aes_is_accelerated(void) | ||
| 1363 | { | ||
| 1364 | #if defined(__x86_64__) | ||
| 1365 | return ((OPENSSL_ia32cap_loc()[0] & (1UL << 57)) != 0); | ||
| 1366 | #else | ||
| 1367 | return (0); | ||
| 1368 | #endif | ||
| 1369 | } | ||
| 1370 | |||
| 1361 | STACK_OF(SSL_CIPHER) * | 1371 | STACK_OF(SSL_CIPHER) * |
| 1362 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, | 1372 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, |
| 1363 | STACK_OF(SSL_CIPHER) **cipher_list, | 1373 | STACK_OF(SSL_CIPHER) **cipher_list, |
| @@ -1406,12 +1416,25 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1406 | ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | 1416 | ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); |
| 1407 | ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); | 1417 | ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); |
| 1408 | 1418 | ||
| 1409 | /* | 1419 | if (ssl_aes_is_accelerated() == 1) { |
| 1410 | * CHACHA20 is fast and safe on all hardware and is thus our preferred | 1420 | /* |
| 1411 | * symmetric cipher, with AES second. | 1421 | * We have hardware assisted AES - prefer AES as a symmetric |
| 1412 | */ | 1422 | * cipher, with CHACHA20 second. |
| 1413 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | 1423 | */ |
| 1414 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | 1424 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, |
| 1425 | CIPHER_ADD, -1, &head, &tail); | ||
| 1426 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, | ||
| 1427 | CIPHER_ADD, -1, &head, &tail); | ||
| 1428 | } else { | ||
| 1429 | /* | ||
| 1430 | * CHACHA20 is fast and safe on all hardware and is thus our | ||
| 1431 | * preferred symmetric cipher, with AES second. | ||
| 1432 | */ | ||
| 1433 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, | ||
| 1434 | CIPHER_ADD, -1, &head, &tail); | ||
| 1435 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, | ||
| 1436 | CIPHER_ADD, -1, &head, &tail); | ||
| 1437 | } | ||
| 1415 | 1438 | ||
| 1416 | /* Temporarily enable everything else for sorting */ | 1439 | /* Temporarily enable everything else for sorting */ |
| 1417 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | 1440 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); |
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 96b4099d19..42fdaad338 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.81 2015/02/07 04:17:11 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.82 2015/09/13 09:10:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1358,6 +1358,16 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, | |||
| 1358 | return (retval); | 1358 | return (retval); |
| 1359 | } | 1359 | } |
| 1360 | 1360 | ||
| 1361 | static inline int | ||
| 1362 | ssl_aes_is_accelerated(void) | ||
| 1363 | { | ||
| 1364 | #if defined(__x86_64__) | ||
| 1365 | return ((OPENSSL_ia32cap_loc()[0] & (1UL << 57)) != 0); | ||
| 1366 | #else | ||
| 1367 | return (0); | ||
| 1368 | #endif | ||
| 1369 | } | ||
| 1370 | |||
| 1361 | STACK_OF(SSL_CIPHER) * | 1371 | STACK_OF(SSL_CIPHER) * |
| 1362 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, | 1372 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, |
| 1363 | STACK_OF(SSL_CIPHER) **cipher_list, | 1373 | STACK_OF(SSL_CIPHER) **cipher_list, |
| @@ -1406,12 +1416,25 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1406 | ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | 1416 | ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); |
| 1407 | ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); | 1417 | ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); |
| 1408 | 1418 | ||
| 1409 | /* | 1419 | if (ssl_aes_is_accelerated() == 1) { |
| 1410 | * CHACHA20 is fast and safe on all hardware and is thus our preferred | 1420 | /* |
| 1411 | * symmetric cipher, with AES second. | 1421 | * We have hardware assisted AES - prefer AES as a symmetric |
| 1412 | */ | 1422 | * cipher, with CHACHA20 second. |
| 1413 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | 1423 | */ |
| 1414 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | 1424 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, |
| 1425 | CIPHER_ADD, -1, &head, &tail); | ||
| 1426 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, | ||
| 1427 | CIPHER_ADD, -1, &head, &tail); | ||
| 1428 | } else { | ||
| 1429 | /* | ||
| 1430 | * CHACHA20 is fast and safe on all hardware and is thus our | ||
| 1431 | * preferred symmetric cipher, with AES second. | ||
| 1432 | */ | ||
| 1433 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, | ||
| 1434 | CIPHER_ADD, -1, &head, &tail); | ||
| 1435 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, | ||
| 1436 | CIPHER_ADD, -1, &head, &tail); | ||
| 1437 | } | ||
| 1415 | 1438 | ||
| 1416 | /* Temporarily enable everything else for sorting */ | 1439 | /* Temporarily enable everything else for sorting */ |
| 1417 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | 1440 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); |