diff options
| author | jsing <> | 2016-04-28 16:39:45 +0000 |
|---|---|---|
| committer | jsing <> | 2016-04-28 16:39:45 +0000 |
| commit | 2d8f8979c793048fd16eabfb070b227f2ecb4042 (patch) | |
| tree | ca382a2cc99fb482286b7f98c3934ee45e6ad36b /src | |
| parent | 611595c84e1e65ad0c3d4becbb8280ee2c6d984c (diff) | |
| download | openbsd-2d8f8979c793048fd16eabfb070b227f2ecb4042.tar.gz openbsd-2d8f8979c793048fd16eabfb070b227f2ecb4042.tar.bz2 openbsd-2d8f8979c793048fd16eabfb070b227f2ecb4042.zip | |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 63 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_lib.c | 63 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_ciph.c | 22 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_locl.h | 6 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_enc.c | 109 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/tls1.h | 14 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 22 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 6 | ||||
| -rw-r--r-- | src/lib/libssl/t1_enc.c | 109 | ||||
| -rw-r--r-- | src/lib/libssl/tls1.h | 14 |
10 files changed, 336 insertions, 92 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index e7f71d6b6f..e873c17c87 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.107 2016/01/27 02:06:16 beck Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.108 2016/04/28 16:39:45 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1810,6 +1810,57 @@ SSL_CIPHER ssl3_ciphers[] = { | |||
| 1810 | /* Cipher CC13 */ | 1810 | /* Cipher CC13 */ |
| 1811 | { | 1811 | { |
| 1812 | .valid = 1, | 1812 | .valid = 1, |
| 1813 | .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD, | ||
| 1814 | .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD, | ||
| 1815 | .algorithm_mkey = SSL_kECDHE, | ||
| 1816 | .algorithm_auth = SSL_aRSA, | ||
| 1817 | .algorithm_enc = SSL_CHACHA20POLY1305_OLD, | ||
| 1818 | .algorithm_mac = SSL_AEAD, | ||
| 1819 | .algorithm_ssl = SSL_TLSV1_2, | ||
| 1820 | .algo_strength = SSL_HIGH, | ||
| 1821 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | ||
| 1822 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | ||
| 1823 | .strength_bits = 256, | ||
| 1824 | .alg_bits = 256, | ||
| 1825 | }, | ||
| 1826 | |||
| 1827 | /* Cipher CC14 */ | ||
| 1828 | { | ||
| 1829 | .valid = 1, | ||
| 1830 | .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD, | ||
| 1831 | .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD, | ||
| 1832 | .algorithm_mkey = SSL_kECDHE, | ||
| 1833 | .algorithm_auth = SSL_aECDSA, | ||
| 1834 | .algorithm_enc = SSL_CHACHA20POLY1305_OLD, | ||
| 1835 | .algorithm_mac = SSL_AEAD, | ||
| 1836 | .algorithm_ssl = SSL_TLSV1_2, | ||
| 1837 | .algo_strength = SSL_HIGH, | ||
| 1838 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | ||
| 1839 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | ||
| 1840 | .strength_bits = 256, | ||
| 1841 | .alg_bits = 256, | ||
| 1842 | }, | ||
| 1843 | |||
| 1844 | /* Cipher CC15 */ | ||
| 1845 | { | ||
| 1846 | .valid = 1, | ||
| 1847 | .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_OLD, | ||
| 1848 | .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD, | ||
| 1849 | .algorithm_mkey = SSL_kDHE, | ||
| 1850 | .algorithm_auth = SSL_aRSA, | ||
| 1851 | .algorithm_enc = SSL_CHACHA20POLY1305_OLD, | ||
| 1852 | .algorithm_mac = SSL_AEAD, | ||
| 1853 | .algorithm_ssl = SSL_TLSV1_2, | ||
| 1854 | .algo_strength = SSL_HIGH, | ||
| 1855 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | ||
| 1856 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | ||
| 1857 | .strength_bits = 256, | ||
| 1858 | .alg_bits = 256, | ||
| 1859 | }, | ||
| 1860 | |||
| 1861 | /* Cipher CCA8 */ | ||
| 1862 | { | ||
| 1863 | .valid = 1, | ||
| 1813 | .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, | 1864 | .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, |
| 1814 | .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, | 1865 | .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, |
| 1815 | .algorithm_mkey = SSL_kECDHE, | 1866 | .algorithm_mkey = SSL_kECDHE, |
| @@ -1819,12 +1870,12 @@ SSL_CIPHER ssl3_ciphers[] = { | |||
| 1819 | .algorithm_ssl = SSL_TLSV1_2, | 1870 | .algorithm_ssl = SSL_TLSV1_2, |
| 1820 | .algo_strength = SSL_HIGH, | 1871 | .algo_strength = SSL_HIGH, |
| 1821 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | 1872 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| |
| 1822 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | 1873 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), |
| 1823 | .strength_bits = 256, | 1874 | .strength_bits = 256, |
| 1824 | .alg_bits = 256, | 1875 | .alg_bits = 256, |
| 1825 | }, | 1876 | }, |
| 1826 | 1877 | ||
| 1827 | /* Cipher CC14 */ | 1878 | /* Cipher CCA9 */ |
| 1828 | { | 1879 | { |
| 1829 | .valid = 1, | 1880 | .valid = 1, |
| 1830 | .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | 1881 | .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, |
| @@ -1836,12 +1887,12 @@ SSL_CIPHER ssl3_ciphers[] = { | |||
| 1836 | .algorithm_ssl = SSL_TLSV1_2, | 1887 | .algorithm_ssl = SSL_TLSV1_2, |
| 1837 | .algo_strength = SSL_HIGH, | 1888 | .algo_strength = SSL_HIGH, |
| 1838 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | 1889 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| |
| 1839 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | 1890 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), |
| 1840 | .strength_bits = 256, | 1891 | .strength_bits = 256, |
| 1841 | .alg_bits = 256, | 1892 | .alg_bits = 256, |
| 1842 | }, | 1893 | }, |
| 1843 | 1894 | ||
| 1844 | /* Cipher CC15 */ | 1895 | /* Cipher CCAA */ |
| 1845 | { | 1896 | { |
| 1846 | .valid = 1, | 1897 | .valid = 1, |
| 1847 | .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, | 1898 | .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, |
| @@ -1853,7 +1904,7 @@ SSL_CIPHER ssl3_ciphers[] = { | |||
| 1853 | .algorithm_ssl = SSL_TLSV1_2, | 1904 | .algorithm_ssl = SSL_TLSV1_2, |
| 1854 | .algo_strength = SSL_HIGH, | 1905 | .algo_strength = SSL_HIGH, |
| 1855 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | 1906 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| |
| 1856 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | 1907 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), |
| 1857 | .strength_bits = 256, | 1908 | .strength_bits = 256, |
| 1858 | .alg_bits = 256, | 1909 | .alg_bits = 256, |
| 1859 | }, | 1910 | }, |
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c index e7f71d6b6f..e873c17c87 100644 --- a/src/lib/libssl/src/ssl/s3_lib.c +++ b/src/lib/libssl/src/ssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.107 2016/01/27 02:06:16 beck Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.108 2016/04/28 16:39:45 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1810,6 +1810,57 @@ SSL_CIPHER ssl3_ciphers[] = { | |||
| 1810 | /* Cipher CC13 */ | 1810 | /* Cipher CC13 */ |
| 1811 | { | 1811 | { |
| 1812 | .valid = 1, | 1812 | .valid = 1, |
| 1813 | .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD, | ||
| 1814 | .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD, | ||
| 1815 | .algorithm_mkey = SSL_kECDHE, | ||
| 1816 | .algorithm_auth = SSL_aRSA, | ||
| 1817 | .algorithm_enc = SSL_CHACHA20POLY1305_OLD, | ||
| 1818 | .algorithm_mac = SSL_AEAD, | ||
| 1819 | .algorithm_ssl = SSL_TLSV1_2, | ||
| 1820 | .algo_strength = SSL_HIGH, | ||
| 1821 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | ||
| 1822 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | ||
| 1823 | .strength_bits = 256, | ||
| 1824 | .alg_bits = 256, | ||
| 1825 | }, | ||
| 1826 | |||
| 1827 | /* Cipher CC14 */ | ||
| 1828 | { | ||
| 1829 | .valid = 1, | ||
| 1830 | .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD, | ||
| 1831 | .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD, | ||
| 1832 | .algorithm_mkey = SSL_kECDHE, | ||
| 1833 | .algorithm_auth = SSL_aECDSA, | ||
| 1834 | .algorithm_enc = SSL_CHACHA20POLY1305_OLD, | ||
| 1835 | .algorithm_mac = SSL_AEAD, | ||
| 1836 | .algorithm_ssl = SSL_TLSV1_2, | ||
| 1837 | .algo_strength = SSL_HIGH, | ||
| 1838 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | ||
| 1839 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | ||
| 1840 | .strength_bits = 256, | ||
| 1841 | .alg_bits = 256, | ||
| 1842 | }, | ||
| 1843 | |||
| 1844 | /* Cipher CC15 */ | ||
| 1845 | { | ||
| 1846 | .valid = 1, | ||
| 1847 | .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_OLD, | ||
| 1848 | .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD, | ||
| 1849 | .algorithm_mkey = SSL_kDHE, | ||
| 1850 | .algorithm_auth = SSL_aRSA, | ||
| 1851 | .algorithm_enc = SSL_CHACHA20POLY1305_OLD, | ||
| 1852 | .algorithm_mac = SSL_AEAD, | ||
| 1853 | .algorithm_ssl = SSL_TLSV1_2, | ||
| 1854 | .algo_strength = SSL_HIGH, | ||
| 1855 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | ||
| 1856 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | ||
| 1857 | .strength_bits = 256, | ||
| 1858 | .alg_bits = 256, | ||
| 1859 | }, | ||
| 1860 | |||
| 1861 | /* Cipher CCA8 */ | ||
| 1862 | { | ||
| 1863 | .valid = 1, | ||
| 1813 | .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, | 1864 | .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, |
| 1814 | .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, | 1865 | .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, |
| 1815 | .algorithm_mkey = SSL_kECDHE, | 1866 | .algorithm_mkey = SSL_kECDHE, |
| @@ -1819,12 +1870,12 @@ SSL_CIPHER ssl3_ciphers[] = { | |||
| 1819 | .algorithm_ssl = SSL_TLSV1_2, | 1870 | .algorithm_ssl = SSL_TLSV1_2, |
| 1820 | .algo_strength = SSL_HIGH, | 1871 | .algo_strength = SSL_HIGH, |
| 1821 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | 1872 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| |
| 1822 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | 1873 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), |
| 1823 | .strength_bits = 256, | 1874 | .strength_bits = 256, |
| 1824 | .alg_bits = 256, | 1875 | .alg_bits = 256, |
| 1825 | }, | 1876 | }, |
| 1826 | 1877 | ||
| 1827 | /* Cipher CC14 */ | 1878 | /* Cipher CCA9 */ |
| 1828 | { | 1879 | { |
| 1829 | .valid = 1, | 1880 | .valid = 1, |
| 1830 | .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | 1881 | .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, |
| @@ -1836,12 +1887,12 @@ SSL_CIPHER ssl3_ciphers[] = { | |||
| 1836 | .algorithm_ssl = SSL_TLSV1_2, | 1887 | .algorithm_ssl = SSL_TLSV1_2, |
| 1837 | .algo_strength = SSL_HIGH, | 1888 | .algo_strength = SSL_HIGH, |
| 1838 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | 1889 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| |
| 1839 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | 1890 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), |
| 1840 | .strength_bits = 256, | 1891 | .strength_bits = 256, |
| 1841 | .alg_bits = 256, | 1892 | .alg_bits = 256, |
| 1842 | }, | 1893 | }, |
| 1843 | 1894 | ||
| 1844 | /* Cipher CC15 */ | 1895 | /* Cipher CCAA */ |
| 1845 | { | 1896 | { |
| 1846 | .valid = 1, | 1897 | .valid = 1, |
| 1847 | .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, | 1898 | .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, |
| @@ -1853,7 +1904,7 @@ SSL_CIPHER ssl3_ciphers[] = { | |||
| 1853 | .algorithm_ssl = SSL_TLSV1_2, | 1904 | .algorithm_ssl = SSL_TLSV1_2, |
| 1854 | .algo_strength = SSL_HIGH, | 1905 | .algo_strength = SSL_HIGH, |
| 1855 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| | 1906 | .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| |
| 1856 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), | 1907 | SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), |
| 1857 | .strength_bits = 256, | 1908 | .strength_bits = 256, |
| 1858 | .alg_bits = 256, | 1909 | .alg_bits = 256, |
| 1859 | }, | 1910 | }, |
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c index 5d1d568ff8..526d98e293 100644 --- a/src/lib/libssl/src/ssl/ssl_ciph.c +++ b/src/lib/libssl/src/ssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.85 2016/04/28 16:06:53 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.86 2016/04/28 16:39:45 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -414,7 +414,7 @@ static const SSL_CIPHER cipher_aliases[] = { | |||
| 414 | }, | 414 | }, |
| 415 | { | 415 | { |
| 416 | .name = SSL_TXT_CHACHA20, | 416 | .name = SSL_TXT_CHACHA20, |
| 417 | .algorithm_enc = SSL_CHACHA20POLY1305, | 417 | .algorithm_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD, |
| 418 | }, | 418 | }, |
| 419 | 419 | ||
| 420 | /* MAC aliases */ | 420 | /* MAC aliases */ |
| @@ -731,6 +731,9 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead) | |||
| 731 | #endif | 731 | #endif |
| 732 | #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) | 732 | #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) |
| 733 | case SSL_CHACHA20POLY1305: | 733 | case SSL_CHACHA20POLY1305: |
| 734 | *aead = EVP_aead_chacha20_poly1305(); | ||
| 735 | return 1; | ||
| 736 | case SSL_CHACHA20POLY1305_OLD: | ||
| 734 | *aead = EVP_aead_chacha20_poly1305_old(); | 737 | *aead = EVP_aead_chacha20_poly1305_old(); |
| 735 | return 1; | 738 | return 1; |
| 736 | #endif | 739 | #endif |
| @@ -1423,15 +1426,19 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1423 | */ | 1426 | */ |
| 1424 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, | 1427 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, |
| 1425 | CIPHER_ADD, -1, &head, &tail); | 1428 | CIPHER_ADD, -1, &head, &tail); |
| 1426 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, | 1429 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, |
| 1427 | CIPHER_ADD, -1, &head, &tail); | 1430 | 0, 0, 0, CIPHER_ADD, -1, &head, &tail); |
| 1431 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD, | ||
| 1432 | 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | ||
| 1428 | } else { | 1433 | } else { |
| 1429 | /* | 1434 | /* |
| 1430 | * CHACHA20 is fast and safe on all hardware and is thus our | 1435 | * CHACHA20 is fast and safe on all hardware and is thus our |
| 1431 | * preferred symmetric cipher, with AES second. | 1436 | * preferred symmetric cipher, with AES second. |
| 1432 | */ | 1437 | */ |
| 1433 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, | 1438 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, |
| 1434 | CIPHER_ADD, -1, &head, &tail); | 1439 | 0, 0, 0, CIPHER_ADD, -1, &head, &tail); |
| 1440 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD, | ||
| 1441 | 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | ||
| 1435 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, | 1442 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, |
| 1436 | CIPHER_ADD, -1, &head, &tail); | 1443 | CIPHER_ADD, -1, &head, &tail); |
| 1437 | } | 1444 | } |
| @@ -1667,6 +1674,9 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1667 | case SSL_CHACHA20POLY1305: | 1674 | case SSL_CHACHA20POLY1305: |
| 1668 | enc = "ChaCha20-Poly1305"; | 1675 | enc = "ChaCha20-Poly1305"; |
| 1669 | break; | 1676 | break; |
| 1677 | case SSL_CHACHA20POLY1305_OLD: | ||
| 1678 | enc = "ChaCha20-Poly1305-Old"; | ||
| 1679 | break; | ||
| 1670 | case SSL_eGOST2814789CNT: | 1680 | case SSL_eGOST2814789CNT: |
| 1671 | enc = "GOST-28178-89-CNT"; | 1681 | enc = "GOST-28178-89-CNT"; |
| 1672 | break; | 1682 | break; |
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h index e05578e4a3..2a521fe26a 100644 --- a/src/lib/libssl/src/ssl/ssl_locl.h +++ b/src/lib/libssl/src/ssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.128 2015/09/12 15:08:54 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.129 2016/04/28 16:39:45 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -283,6 +283,7 @@ | |||
| 283 | #define SSL_AES128GCM 0x00000400L | 283 | #define SSL_AES128GCM 0x00000400L |
| 284 | #define SSL_AES256GCM 0x00000800L | 284 | #define SSL_AES256GCM 0x00000800L |
| 285 | #define SSL_CHACHA20POLY1305 0x00001000L | 285 | #define SSL_CHACHA20POLY1305 0x00001000L |
| 286 | #define SSL_CHACHA20POLY1305_OLD 0x00002000L | ||
| 286 | 287 | ||
| 287 | #define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM) | 288 | #define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM) |
| 288 | #define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) | 289 | #define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) |
| @@ -529,9 +530,10 @@ struct ssl_aead_ctx_st { | |||
| 529 | * fixed_nonce contains any bytes of the nonce that are fixed for all | 530 | * fixed_nonce contains any bytes of the nonce that are fixed for all |
| 530 | * records. | 531 | * records. |
| 531 | */ | 532 | */ |
| 532 | unsigned char fixed_nonce[8]; | 533 | unsigned char fixed_nonce[12]; |
| 533 | unsigned char fixed_nonce_len; | 534 | unsigned char fixed_nonce_len; |
| 534 | unsigned char variable_nonce_len; | 535 | unsigned char variable_nonce_len; |
| 536 | unsigned char xor_fixed_nonce; | ||
| 535 | unsigned char tag_len; | 537 | unsigned char tag_len; |
| 536 | /* | 538 | /* |
| 537 | * variable_nonce_in_record is non-zero if the variable nonce | 539 | * variable_nonce_in_record is non-zero if the variable nonce |
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c index 5d95419e7e..53570b2d4f 100644 --- a/src/lib/libssl/src/ssl/t1_enc.c +++ b/src/lib/libssl/src/ssl/t1_enc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_enc.c,v 1.84 2016/03/06 14:52:15 beck Exp $ */ | 1 | /* $OpenBSD: t1_enc.c,v 1.85 2016/04/28 16:39:45 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -471,14 +471,26 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, | |||
| 471 | aead_ctx->variable_nonce_in_record = | 471 | aead_ctx->variable_nonce_in_record = |
| 472 | (s->s3->tmp.new_cipher->algorithm2 & | 472 | (s->s3->tmp.new_cipher->algorithm2 & |
| 473 | SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; | 473 | SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; |
| 474 | if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != | 474 | aead_ctx->xor_fixed_nonce = |
| 475 | EVP_AEAD_nonce_length(aead)) { | 475 | s->s3->tmp.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305; |
| 476 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 477 | ERR_R_INTERNAL_ERROR); | ||
| 478 | return (0); | ||
| 479 | } | ||
| 480 | aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); | 476 | aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); |
| 481 | 477 | ||
| 478 | if (aead_ctx->xor_fixed_nonce) { | ||
| 479 | if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) || | ||
| 480 | aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) { | ||
| 481 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 482 | ERR_R_INTERNAL_ERROR); | ||
| 483 | return (0); | ||
| 484 | } | ||
| 485 | } else { | ||
| 486 | if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != | ||
| 487 | EVP_AEAD_nonce_length(aead)) { | ||
| 488 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 489 | ERR_R_INTERNAL_ERROR); | ||
| 490 | return (0); | ||
| 491 | } | ||
| 492 | } | ||
| 493 | |||
| 482 | return (1); | 494 | return (1); |
| 483 | } | 495 | } |
| 484 | 496 | ||
| @@ -819,8 +831,8 @@ tls1_enc(SSL *s, int send) | |||
| 819 | 831 | ||
| 820 | if (aead) { | 832 | if (aead) { |
| 821 | unsigned char ad[13], *in, *out, nonce[16]; | 833 | unsigned char ad[13], *in, *out, nonce[16]; |
| 822 | unsigned nonce_used; | 834 | size_t out_len, pad_len = 0; |
| 823 | size_t out_len; | 835 | unsigned int nonce_used; |
| 824 | 836 | ||
| 825 | if (SSL_IS_DTLS(s)) { | 837 | if (SSL_IS_DTLS(s)) { |
| 826 | dtls1_build_sequence_number(ad, seq, | 838 | dtls1_build_sequence_number(ad, seq, |
| @@ -834,13 +846,20 @@ tls1_enc(SSL *s, int send) | |||
| 834 | ad[9] = (unsigned char)(s->version >> 8); | 846 | ad[9] = (unsigned char)(s->version >> 8); |
| 835 | ad[10] = (unsigned char)(s->version); | 847 | ad[10] = (unsigned char)(s->version); |
| 836 | 848 | ||
| 837 | if (aead->fixed_nonce_len + | 849 | if (aead->variable_nonce_len > 8 || |
| 838 | aead->variable_nonce_len > sizeof(nonce) || | 850 | aead->variable_nonce_len > sizeof(nonce)) |
| 839 | aead->variable_nonce_len > 8) | 851 | return -1; |
| 840 | return -1; /* internal error - should never happen. */ | ||
| 841 | 852 | ||
| 842 | memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len); | 853 | if (aead->xor_fixed_nonce) { |
| 843 | nonce_used = aead->fixed_nonce_len; | 854 | if (aead->fixed_nonce_len > sizeof(nonce) || |
| 855 | aead->variable_nonce_len > aead->fixed_nonce_len) | ||
| 856 | return -1; /* Should never happen. */ | ||
| 857 | pad_len = aead->fixed_nonce_len - aead->variable_nonce_len; | ||
| 858 | } else { | ||
| 859 | if (aead->fixed_nonce_len + | ||
| 860 | aead->variable_nonce_len > sizeof(nonce)) | ||
| 861 | return -1; /* Should never happen. */ | ||
| 862 | } | ||
| 844 | 863 | ||
| 845 | if (send) { | 864 | if (send) { |
| 846 | size_t len = rec->length; | 865 | size_t len = rec->length; |
| @@ -848,15 +867,30 @@ tls1_enc(SSL *s, int send) | |||
| 848 | in = rec->input; | 867 | in = rec->input; |
| 849 | out = rec->data; | 868 | out = rec->data; |
| 850 | 869 | ||
| 851 | /* | 870 | if (aead->xor_fixed_nonce) { |
| 852 | * When sending we use the sequence number as the | 871 | /* |
| 853 | * variable part of the nonce. | 872 | * The sequence number is left zero |
| 854 | */ | 873 | * padded, then xored with the fixed |
| 855 | if (aead->variable_nonce_len > 8) | 874 | * nonce. |
| 856 | return -1; | 875 | */ |
| 857 | memcpy(nonce + nonce_used, ad, | 876 | memset(nonce, 0, pad_len); |
| 858 | aead->variable_nonce_len); | 877 | memcpy(nonce + pad_len, ad, |
| 859 | nonce_used += aead->variable_nonce_len; | 878 | aead->variable_nonce_len); |
| 879 | for (i = 0; i < aead->fixed_nonce_len; i++) | ||
| 880 | nonce[i] ^= aead->fixed_nonce[i]; | ||
| 881 | nonce_used = aead->fixed_nonce_len; | ||
| 882 | } else { | ||
| 883 | /* | ||
| 884 | * When sending we use the sequence number as | ||
| 885 | * the variable part of the nonce. | ||
| 886 | */ | ||
| 887 | memcpy(nonce, aead->fixed_nonce, | ||
| 888 | aead->fixed_nonce_len); | ||
| 889 | nonce_used = aead->fixed_nonce_len; | ||
| 890 | memcpy(nonce + nonce_used, ad, | ||
| 891 | aead->variable_nonce_len); | ||
| 892 | nonce_used += aead->variable_nonce_len; | ||
| 893 | } | ||
| 860 | 894 | ||
| 861 | /* | 895 | /* |
| 862 | * In do_ssl3_write, rec->input is moved forward by | 896 | * In do_ssl3_write, rec->input is moved forward by |
| @@ -890,10 +924,29 @@ tls1_enc(SSL *s, int send) | |||
| 890 | 924 | ||
| 891 | if (len < aead->variable_nonce_len) | 925 | if (len < aead->variable_nonce_len) |
| 892 | return 0; | 926 | return 0; |
| 893 | memcpy(nonce + nonce_used, | 927 | |
| 894 | aead->variable_nonce_in_record ? in : ad, | 928 | if (aead->xor_fixed_nonce) { |
| 895 | aead->variable_nonce_len); | 929 | /* |
| 896 | nonce_used += aead->variable_nonce_len; | 930 | * The sequence number is left zero |
| 931 | * padded, then xored with the fixed | ||
| 932 | * nonce. | ||
| 933 | */ | ||
| 934 | memset(nonce, 0, pad_len); | ||
| 935 | memcpy(nonce + pad_len, ad, | ||
| 936 | aead->variable_nonce_len); | ||
| 937 | for (i = 0; i < aead->fixed_nonce_len; i++) | ||
| 938 | nonce[i] ^= aead->fixed_nonce[i]; | ||
| 939 | nonce_used = aead->fixed_nonce_len; | ||
| 940 | } else { | ||
| 941 | memcpy(nonce, aead->fixed_nonce, | ||
| 942 | aead->fixed_nonce_len); | ||
| 943 | nonce_used = aead->fixed_nonce_len; | ||
| 944 | |||
| 945 | memcpy(nonce + nonce_used, | ||
| 946 | aead->variable_nonce_in_record ? in : ad, | ||
| 947 | aead->variable_nonce_len); | ||
| 948 | nonce_used += aead->variable_nonce_len; | ||
| 949 | } | ||
| 897 | 950 | ||
| 898 | if (aead->variable_nonce_in_record) { | 951 | if (aead->variable_nonce_in_record) { |
| 899 | in += aead->variable_nonce_len; | 952 | in += aead->variable_nonce_len; |
diff --git a/src/lib/libssl/src/ssl/tls1.h b/src/lib/libssl/src/ssl/tls1.h index e564ec23e9..e123117866 100644 --- a/src/lib/libssl/src/ssl/tls1.h +++ b/src/lib/libssl/src/ssl/tls1.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls1.h,v 1.27 2016/03/07 19:33:26 mmcc Exp $ */ | 1 | /* $OpenBSD: tls1.h,v 1.28 2016/04/28 16:39:45 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -537,9 +537,12 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) | |||
| 537 | #define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032 | 537 | #define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032 |
| 538 | 538 | ||
| 539 | /* ChaCha20-Poly1305 based ciphersuites. */ | 539 | /* ChaCha20-Poly1305 based ciphersuites. */ |
| 540 | #define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305 0x0300CC13 | 540 | #define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC13 |
| 541 | #define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CC14 | 541 | #define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD 0x0300CC14 |
| 542 | #define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CC15 | 542 | #define TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC15 |
| 543 | #define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305 0x0300CCA8 | ||
| 544 | #define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CCA9 | ||
| 545 | #define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CCAA | ||
| 543 | 546 | ||
| 544 | #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5" | 547 | #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5" |
| 545 | #define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5" | 548 | #define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5" |
| @@ -701,6 +704,9 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) | |||
| 701 | #define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384" | 704 | #define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384" |
| 702 | 705 | ||
| 703 | /* ChaCha20-Poly1305 based ciphersuites. */ | 706 | /* ChaCha20-Poly1305 based ciphersuites. */ |
| 707 | #define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD "ECDHE-RSA-CHACHA20-POLY1305-OLD" | ||
| 708 | #define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD "ECDHE-ECDSA-CHACHA20-POLY1305-OLD" | ||
| 709 | #define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_OLD "DHE-RSA-CHACHA20-POLY1305-OLD" | ||
| 704 | #define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305" | 710 | #define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305" |
| 705 | #define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305" | 711 | #define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305" |
| 706 | #define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305" | 712 | #define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305" |
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 5d1d568ff8..526d98e293 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.85 2016/04/28 16:06:53 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.86 2016/04/28 16:39:45 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -414,7 +414,7 @@ static const SSL_CIPHER cipher_aliases[] = { | |||
| 414 | }, | 414 | }, |
| 415 | { | 415 | { |
| 416 | .name = SSL_TXT_CHACHA20, | 416 | .name = SSL_TXT_CHACHA20, |
| 417 | .algorithm_enc = SSL_CHACHA20POLY1305, | 417 | .algorithm_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD, |
| 418 | }, | 418 | }, |
| 419 | 419 | ||
| 420 | /* MAC aliases */ | 420 | /* MAC aliases */ |
| @@ -731,6 +731,9 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead) | |||
| 731 | #endif | 731 | #endif |
| 732 | #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) | 732 | #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) |
| 733 | case SSL_CHACHA20POLY1305: | 733 | case SSL_CHACHA20POLY1305: |
| 734 | *aead = EVP_aead_chacha20_poly1305(); | ||
| 735 | return 1; | ||
| 736 | case SSL_CHACHA20POLY1305_OLD: | ||
| 734 | *aead = EVP_aead_chacha20_poly1305_old(); | 737 | *aead = EVP_aead_chacha20_poly1305_old(); |
| 735 | return 1; | 738 | return 1; |
| 736 | #endif | 739 | #endif |
| @@ -1423,15 +1426,19 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1423 | */ | 1426 | */ |
| 1424 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, | 1427 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, |
| 1425 | CIPHER_ADD, -1, &head, &tail); | 1428 | CIPHER_ADD, -1, &head, &tail); |
| 1426 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, | 1429 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, |
| 1427 | CIPHER_ADD, -1, &head, &tail); | 1430 | 0, 0, 0, CIPHER_ADD, -1, &head, &tail); |
| 1431 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD, | ||
| 1432 | 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | ||
| 1428 | } else { | 1433 | } else { |
| 1429 | /* | 1434 | /* |
| 1430 | * CHACHA20 is fast and safe on all hardware and is thus our | 1435 | * CHACHA20 is fast and safe on all hardware and is thus our |
| 1431 | * preferred symmetric cipher, with AES second. | 1436 | * preferred symmetric cipher, with AES second. |
| 1432 | */ | 1437 | */ |
| 1433 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, | 1438 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, |
| 1434 | CIPHER_ADD, -1, &head, &tail); | 1439 | 0, 0, 0, CIPHER_ADD, -1, &head, &tail); |
| 1440 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD, | ||
| 1441 | 0, 0, 0, CIPHER_ADD, -1, &head, &tail); | ||
| 1435 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, | 1442 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, |
| 1436 | CIPHER_ADD, -1, &head, &tail); | 1443 | CIPHER_ADD, -1, &head, &tail); |
| 1437 | } | 1444 | } |
| @@ -1667,6 +1674,9 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1667 | case SSL_CHACHA20POLY1305: | 1674 | case SSL_CHACHA20POLY1305: |
| 1668 | enc = "ChaCha20-Poly1305"; | 1675 | enc = "ChaCha20-Poly1305"; |
| 1669 | break; | 1676 | break; |
| 1677 | case SSL_CHACHA20POLY1305_OLD: | ||
| 1678 | enc = "ChaCha20-Poly1305-Old"; | ||
| 1679 | break; | ||
| 1670 | case SSL_eGOST2814789CNT: | 1680 | case SSL_eGOST2814789CNT: |
| 1671 | enc = "GOST-28178-89-CNT"; | 1681 | enc = "GOST-28178-89-CNT"; |
| 1672 | break; | 1682 | break; |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index e05578e4a3..2a521fe26a 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.128 2015/09/12 15:08:54 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.129 2016/04/28 16:39:45 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -283,6 +283,7 @@ | |||
| 283 | #define SSL_AES128GCM 0x00000400L | 283 | #define SSL_AES128GCM 0x00000400L |
| 284 | #define SSL_AES256GCM 0x00000800L | 284 | #define SSL_AES256GCM 0x00000800L |
| 285 | #define SSL_CHACHA20POLY1305 0x00001000L | 285 | #define SSL_CHACHA20POLY1305 0x00001000L |
| 286 | #define SSL_CHACHA20POLY1305_OLD 0x00002000L | ||
| 286 | 287 | ||
| 287 | #define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM) | 288 | #define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM) |
| 288 | #define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) | 289 | #define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) |
| @@ -529,9 +530,10 @@ struct ssl_aead_ctx_st { | |||
| 529 | * fixed_nonce contains any bytes of the nonce that are fixed for all | 530 | * fixed_nonce contains any bytes of the nonce that are fixed for all |
| 530 | * records. | 531 | * records. |
| 531 | */ | 532 | */ |
| 532 | unsigned char fixed_nonce[8]; | 533 | unsigned char fixed_nonce[12]; |
| 533 | unsigned char fixed_nonce_len; | 534 | unsigned char fixed_nonce_len; |
| 534 | unsigned char variable_nonce_len; | 535 | unsigned char variable_nonce_len; |
| 536 | unsigned char xor_fixed_nonce; | ||
| 535 | unsigned char tag_len; | 537 | unsigned char tag_len; |
| 536 | /* | 538 | /* |
| 537 | * variable_nonce_in_record is non-zero if the variable nonce | 539 | * variable_nonce_in_record is non-zero if the variable nonce |
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 5d95419e7e..53570b2d4f 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_enc.c,v 1.84 2016/03/06 14:52:15 beck Exp $ */ | 1 | /* $OpenBSD: t1_enc.c,v 1.85 2016/04/28 16:39:45 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -471,14 +471,26 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, | |||
| 471 | aead_ctx->variable_nonce_in_record = | 471 | aead_ctx->variable_nonce_in_record = |
| 472 | (s->s3->tmp.new_cipher->algorithm2 & | 472 | (s->s3->tmp.new_cipher->algorithm2 & |
| 473 | SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; | 473 | SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; |
| 474 | if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != | 474 | aead_ctx->xor_fixed_nonce = |
| 475 | EVP_AEAD_nonce_length(aead)) { | 475 | s->s3->tmp.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305; |
| 476 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 477 | ERR_R_INTERNAL_ERROR); | ||
| 478 | return (0); | ||
| 479 | } | ||
| 480 | aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); | 476 | aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); |
| 481 | 477 | ||
| 478 | if (aead_ctx->xor_fixed_nonce) { | ||
| 479 | if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) || | ||
| 480 | aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) { | ||
| 481 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 482 | ERR_R_INTERNAL_ERROR); | ||
| 483 | return (0); | ||
| 484 | } | ||
| 485 | } else { | ||
| 486 | if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != | ||
| 487 | EVP_AEAD_nonce_length(aead)) { | ||
| 488 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, | ||
| 489 | ERR_R_INTERNAL_ERROR); | ||
| 490 | return (0); | ||
| 491 | } | ||
| 492 | } | ||
| 493 | |||
| 482 | return (1); | 494 | return (1); |
| 483 | } | 495 | } |
| 484 | 496 | ||
| @@ -819,8 +831,8 @@ tls1_enc(SSL *s, int send) | |||
| 819 | 831 | ||
| 820 | if (aead) { | 832 | if (aead) { |
| 821 | unsigned char ad[13], *in, *out, nonce[16]; | 833 | unsigned char ad[13], *in, *out, nonce[16]; |
| 822 | unsigned nonce_used; | 834 | size_t out_len, pad_len = 0; |
| 823 | size_t out_len; | 835 | unsigned int nonce_used; |
| 824 | 836 | ||
| 825 | if (SSL_IS_DTLS(s)) { | 837 | if (SSL_IS_DTLS(s)) { |
| 826 | dtls1_build_sequence_number(ad, seq, | 838 | dtls1_build_sequence_number(ad, seq, |
| @@ -834,13 +846,20 @@ tls1_enc(SSL *s, int send) | |||
| 834 | ad[9] = (unsigned char)(s->version >> 8); | 846 | ad[9] = (unsigned char)(s->version >> 8); |
| 835 | ad[10] = (unsigned char)(s->version); | 847 | ad[10] = (unsigned char)(s->version); |
| 836 | 848 | ||
| 837 | if (aead->fixed_nonce_len + | 849 | if (aead->variable_nonce_len > 8 || |
| 838 | aead->variable_nonce_len > sizeof(nonce) || | 850 | aead->variable_nonce_len > sizeof(nonce)) |
| 839 | aead->variable_nonce_len > 8) | 851 | return -1; |
| 840 | return -1; /* internal error - should never happen. */ | ||
| 841 | 852 | ||
| 842 | memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len); | 853 | if (aead->xor_fixed_nonce) { |
| 843 | nonce_used = aead->fixed_nonce_len; | 854 | if (aead->fixed_nonce_len > sizeof(nonce) || |
| 855 | aead->variable_nonce_len > aead->fixed_nonce_len) | ||
| 856 | return -1; /* Should never happen. */ | ||
| 857 | pad_len = aead->fixed_nonce_len - aead->variable_nonce_len; | ||
| 858 | } else { | ||
| 859 | if (aead->fixed_nonce_len + | ||
| 860 | aead->variable_nonce_len > sizeof(nonce)) | ||
| 861 | return -1; /* Should never happen. */ | ||
| 862 | } | ||
| 844 | 863 | ||
| 845 | if (send) { | 864 | if (send) { |
| 846 | size_t len = rec->length; | 865 | size_t len = rec->length; |
| @@ -848,15 +867,30 @@ tls1_enc(SSL *s, int send) | |||
| 848 | in = rec->input; | 867 | in = rec->input; |
| 849 | out = rec->data; | 868 | out = rec->data; |
| 850 | 869 | ||
| 851 | /* | 870 | if (aead->xor_fixed_nonce) { |
| 852 | * When sending we use the sequence number as the | 871 | /* |
| 853 | * variable part of the nonce. | 872 | * The sequence number is left zero |
| 854 | */ | 873 | * padded, then xored with the fixed |
| 855 | if (aead->variable_nonce_len > 8) | 874 | * nonce. |
| 856 | return -1; | 875 | */ |
| 857 | memcpy(nonce + nonce_used, ad, | 876 | memset(nonce, 0, pad_len); |
| 858 | aead->variable_nonce_len); | 877 | memcpy(nonce + pad_len, ad, |
| 859 | nonce_used += aead->variable_nonce_len; | 878 | aead->variable_nonce_len); |
| 879 | for (i = 0; i < aead->fixed_nonce_len; i++) | ||
| 880 | nonce[i] ^= aead->fixed_nonce[i]; | ||
| 881 | nonce_used = aead->fixed_nonce_len; | ||
| 882 | } else { | ||
| 883 | /* | ||
| 884 | * When sending we use the sequence number as | ||
| 885 | * the variable part of the nonce. | ||
| 886 | */ | ||
| 887 | memcpy(nonce, aead->fixed_nonce, | ||
| 888 | aead->fixed_nonce_len); | ||
| 889 | nonce_used = aead->fixed_nonce_len; | ||
| 890 | memcpy(nonce + nonce_used, ad, | ||
| 891 | aead->variable_nonce_len); | ||
| 892 | nonce_used += aead->variable_nonce_len; | ||
| 893 | } | ||
| 860 | 894 | ||
| 861 | /* | 895 | /* |
| 862 | * In do_ssl3_write, rec->input is moved forward by | 896 | * In do_ssl3_write, rec->input is moved forward by |
| @@ -890,10 +924,29 @@ tls1_enc(SSL *s, int send) | |||
| 890 | 924 | ||
| 891 | if (len < aead->variable_nonce_len) | 925 | if (len < aead->variable_nonce_len) |
| 892 | return 0; | 926 | return 0; |
| 893 | memcpy(nonce + nonce_used, | 927 | |
| 894 | aead->variable_nonce_in_record ? in : ad, | 928 | if (aead->xor_fixed_nonce) { |
| 895 | aead->variable_nonce_len); | 929 | /* |
| 896 | nonce_used += aead->variable_nonce_len; | 930 | * The sequence number is left zero |
| 931 | * padded, then xored with the fixed | ||
| 932 | * nonce. | ||
| 933 | */ | ||
| 934 | memset(nonce, 0, pad_len); | ||
| 935 | memcpy(nonce + pad_len, ad, | ||
| 936 | aead->variable_nonce_len); | ||
| 937 | for (i = 0; i < aead->fixed_nonce_len; i++) | ||
| 938 | nonce[i] ^= aead->fixed_nonce[i]; | ||
| 939 | nonce_used = aead->fixed_nonce_len; | ||
| 940 | } else { | ||
| 941 | memcpy(nonce, aead->fixed_nonce, | ||
| 942 | aead->fixed_nonce_len); | ||
| 943 | nonce_used = aead->fixed_nonce_len; | ||
| 944 | |||
| 945 | memcpy(nonce + nonce_used, | ||
| 946 | aead->variable_nonce_in_record ? in : ad, | ||
| 947 | aead->variable_nonce_len); | ||
| 948 | nonce_used += aead->variable_nonce_len; | ||
| 949 | } | ||
| 897 | 950 | ||
| 898 | if (aead->variable_nonce_in_record) { | 951 | if (aead->variable_nonce_in_record) { |
| 899 | in += aead->variable_nonce_len; | 952 | in += aead->variable_nonce_len; |
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h index e564ec23e9..e123117866 100644 --- a/src/lib/libssl/tls1.h +++ b/src/lib/libssl/tls1.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls1.h,v 1.27 2016/03/07 19:33:26 mmcc Exp $ */ | 1 | /* $OpenBSD: tls1.h,v 1.28 2016/04/28 16:39:45 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -537,9 +537,12 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) | |||
| 537 | #define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032 | 537 | #define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032 |
| 538 | 538 | ||
| 539 | /* ChaCha20-Poly1305 based ciphersuites. */ | 539 | /* ChaCha20-Poly1305 based ciphersuites. */ |
| 540 | #define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305 0x0300CC13 | 540 | #define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC13 |
| 541 | #define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CC14 | 541 | #define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD 0x0300CC14 |
| 542 | #define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CC15 | 542 | #define TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC15 |
| 543 | #define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305 0x0300CCA8 | ||
| 544 | #define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CCA9 | ||
| 545 | #define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CCAA | ||
| 543 | 546 | ||
| 544 | #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5" | 547 | #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5" |
| 545 | #define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5" | 548 | #define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5" |
| @@ -701,6 +704,9 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) | |||
| 701 | #define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384" | 704 | #define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384" |
| 702 | 705 | ||
| 703 | /* ChaCha20-Poly1305 based ciphersuites. */ | 706 | /* ChaCha20-Poly1305 based ciphersuites. */ |
| 707 | #define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD "ECDHE-RSA-CHACHA20-POLY1305-OLD" | ||
| 708 | #define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD "ECDHE-ECDSA-CHACHA20-POLY1305-OLD" | ||
| 709 | #define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_OLD "DHE-RSA-CHACHA20-POLY1305-OLD" | ||
| 704 | #define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305" | 710 | #define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305" |
| 705 | #define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305" | 711 | #define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305" |
| 706 | #define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305" | 712 | #define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305" |