Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/s3_lib.c63
-rw-r--r--src/lib/libssl/src/ssl/s3_lib.c63
-rw-r--r--src/lib/libssl/src/ssl/ssl_ciph.c22
-rw-r--r--src/lib/libssl/src/ssl/ssl_locl.h6
-rw-r--r--src/lib/libssl/src/ssl/t1_enc.c109
-rw-r--r--src/lib/libssl/src/ssl/tls1.h14
-rw-r--r--src/lib/libssl/ssl_ciph.c22
-rw-r--r--src/lib/libssl/ssl_locl.h6
-rw-r--r--src/lib/libssl/t1_enc.c109
-rw-r--r--src/lib/libssl/tls1.h14
10 files changed, 336 insertions, 92 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index e7f71d6b6f..e873c17c87 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.107 2016/01/27 02:06:16 beck Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.108 2016/04/28 16:39:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1810,6 +1810,57 @@ SSL_CIPHER ssl3_ciphers[] = {
1810 /* Cipher CC13 */ 1810 /* Cipher CC13 */
1811 { 1811 {
1812 .valid = 1, 1812 .valid = 1,
1813 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD,
1814 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD,
1815 .algorithm_mkey = SSL_kECDHE,
1816 .algorithm_auth = SSL_aRSA,
1817 .algorithm_enc = SSL_CHACHA20POLY1305_OLD,
1818 .algorithm_mac = SSL_AEAD,
1819 .algorithm_ssl = SSL_TLSV1_2,
1820 .algo_strength = SSL_HIGH,
1821 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1822 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
1823 .strength_bits = 256,
1824 .alg_bits = 256,
1825 },
1826
1827 /* Cipher CC14 */
1828 {
1829 .valid = 1,
1830 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD,
1831 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD,
1832 .algorithm_mkey = SSL_kECDHE,
1833 .algorithm_auth = SSL_aECDSA,
1834 .algorithm_enc = SSL_CHACHA20POLY1305_OLD,
1835 .algorithm_mac = SSL_AEAD,
1836 .algorithm_ssl = SSL_TLSV1_2,
1837 .algo_strength = SSL_HIGH,
1838 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1839 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
1840 .strength_bits = 256,
1841 .alg_bits = 256,
1842 },
1843
1844 /* Cipher CC15 */
1845 {
1846 .valid = 1,
1847 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_OLD,
1848 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD,
1849 .algorithm_mkey = SSL_kDHE,
1850 .algorithm_auth = SSL_aRSA,
1851 .algorithm_enc = SSL_CHACHA20POLY1305_OLD,
1852 .algorithm_mac = SSL_AEAD,
1853 .algorithm_ssl = SSL_TLSV1_2,
1854 .algo_strength = SSL_HIGH,
1855 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1856 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
1857 .strength_bits = 256,
1858 .alg_bits = 256,
1859 },
1860
1861 /* Cipher CCA8 */
1862 {
1863 .valid = 1,
1813 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1864 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1814 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 1865 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1815 .algorithm_mkey = SSL_kECDHE, 1866 .algorithm_mkey = SSL_kECDHE,
@@ -1819,12 +1870,12 @@ SSL_CIPHER ssl3_ciphers[] = {
1819 .algorithm_ssl = SSL_TLSV1_2, 1870 .algorithm_ssl = SSL_TLSV1_2,
1820 .algo_strength = SSL_HIGH, 1871 .algo_strength = SSL_HIGH,
1821 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1872 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1822 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), 1873 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1823 .strength_bits = 256, 1874 .strength_bits = 256,
1824 .alg_bits = 256, 1875 .alg_bits = 256,
1825 }, 1876 },
1826 1877
1827 /* Cipher CC14 */ 1878 /* Cipher CCA9 */
1828 { 1879 {
1829 .valid = 1, 1880 .valid = 1,
1830 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1881 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
@@ -1836,12 +1887,12 @@ SSL_CIPHER ssl3_ciphers[] = {
1836 .algorithm_ssl = SSL_TLSV1_2, 1887 .algorithm_ssl = SSL_TLSV1_2,
1837 .algo_strength = SSL_HIGH, 1888 .algo_strength = SSL_HIGH,
1838 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1889 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1839 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), 1890 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1840 .strength_bits = 256, 1891 .strength_bits = 256,
1841 .alg_bits = 256, 1892 .alg_bits = 256,
1842 }, 1893 },
1843 1894
1844 /* Cipher CC15 */ 1895 /* Cipher CCAA */
1845 { 1896 {
1846 .valid = 1, 1897 .valid = 1,
1847 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1898 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
@@ -1853,7 +1904,7 @@ SSL_CIPHER ssl3_ciphers[] = {
1853 .algorithm_ssl = SSL_TLSV1_2, 1904 .algorithm_ssl = SSL_TLSV1_2,
1854 .algo_strength = SSL_HIGH, 1905 .algo_strength = SSL_HIGH,
1855 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1906 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1856 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), 1907 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1857 .strength_bits = 256, 1908 .strength_bits = 256,
1858 .alg_bits = 256, 1909 .alg_bits = 256,
1859 }, 1910 },
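Review bot: Nothing in the table marks the three new `_OLD` entries (Cipher CC13–CC15, `.algorithm_enc = SSL_CHACHA20POLY1305_OLD`, `FIXED_NONCE_LEN(0)`) as the pre-RFC draft construction kept for interoperability, so a later reader cannot tell which trio is meant to be removed. I would replace the bare `/* Cipher CC13 */` comment with `/* Ciphers CC13-CC15: draft (pre-RFC 7539) ChaCha20-Poly1305 suites, kept only for interoperability with older peers; prefer CCA8-CCAA. */`. The `_OLD` entries also keep `SSL_HIGH` and the same `strength_bits`/`alg_bits` as the RFC suites, which is what lets them stay in the default list; that looks intended for the transition but is worth stating. The `ssl3_ciphers[]` array begins and ends outside the hunk.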
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index e7f71d6b6f..e873c17c87 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.107 2016/01/27 02:06:16 beck Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.108 2016/04/28 16:39:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1810,6 +1810,57 @@ SSL_CIPHER ssl3_ciphers[] = {
1810 /* Cipher CC13 */ 1810 /* Cipher CC13 */
1811 { 1811 {
1812 .valid = 1, 1812 .valid = 1,
1813 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD,
1814 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD,
1815 .algorithm_mkey = SSL_kECDHE,
1816 .algorithm_auth = SSL_aRSA,
1817 .algorithm_enc = SSL_CHACHA20POLY1305_OLD,
1818 .algorithm_mac = SSL_AEAD,
1819 .algorithm_ssl = SSL_TLSV1_2,
1820 .algo_strength = SSL_HIGH,
1821 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1822 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
1823 .strength_bits = 256,
1824 .alg_bits = 256,
1825 },
1826
1827 /* Cipher CC14 */
1828 {
1829 .valid = 1,
1830 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD,
1831 .id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD,
1832 .algorithm_mkey = SSL_kECDHE,
1833 .algorithm_auth = SSL_aECDSA,
1834 .algorithm_enc = SSL_CHACHA20POLY1305_OLD,
1835 .algorithm_mac = SSL_AEAD,
1836 .algorithm_ssl = SSL_TLSV1_2,
1837 .algo_strength = SSL_HIGH,
1838 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1839 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
1840 .strength_bits = 256,
1841 .alg_bits = 256,
1842 },
1843
1844 /* Cipher CC15 */
1845 {
1846 .valid = 1,
1847 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_OLD,
1848 .id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD,
1849 .algorithm_mkey = SSL_kDHE,
1850 .algorithm_auth = SSL_aRSA,
1851 .algorithm_enc = SSL_CHACHA20POLY1305_OLD,
1852 .algorithm_mac = SSL_AEAD,
1853 .algorithm_ssl = SSL_TLSV1_2,
1854 .algo_strength = SSL_HIGH,
1855 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1856 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
1857 .strength_bits = 256,
1858 .alg_bits = 256,
1859 },
1860
1861 /* Cipher CCA8 */
1862 {
1863 .valid = 1,
1813 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 1864 .name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
1814 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 1865 .id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
1815 .algorithm_mkey = SSL_kECDHE, 1866 .algorithm_mkey = SSL_kECDHE,
@@ -1819,12 +1870,12 @@ SSL_CIPHER ssl3_ciphers[] = {
1819 .algorithm_ssl = SSL_TLSV1_2, 1870 .algorithm_ssl = SSL_TLSV1_2,
1820 .algo_strength = SSL_HIGH, 1871 .algo_strength = SSL_HIGH,
1821 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1872 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1822 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), 1873 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1823 .strength_bits = 256, 1874 .strength_bits = 256,
1824 .alg_bits = 256, 1875 .alg_bits = 256,
1825 }, 1876 },
1826 1877
1827 /* Cipher CC14 */ 1878 /* Cipher CCA9 */
1828 { 1879 {
1829 .valid = 1, 1880 .valid = 1,
1830 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 1881 .name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
@@ -1836,12 +1887,12 @@ SSL_CIPHER ssl3_ciphers[] = {
1836 .algorithm_ssl = SSL_TLSV1_2, 1887 .algorithm_ssl = SSL_TLSV1_2,
1837 .algo_strength = SSL_HIGH, 1888 .algo_strength = SSL_HIGH,
1838 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1889 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1839 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), 1890 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1840 .strength_bits = 256, 1891 .strength_bits = 256,
1841 .alg_bits = 256, 1892 .alg_bits = 256,
1842 }, 1893 },
1843 1894
1844 /* Cipher CC15 */ 1895 /* Cipher CCAA */
1845 { 1896 {
1846 .valid = 1, 1897 .valid = 1,
1847 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 1898 .name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
@@ -1853,7 +1904,7 @@ SSL_CIPHER ssl3_ciphers[] = {
1853 .algorithm_ssl = SSL_TLSV1_2, 1904 .algorithm_ssl = SSL_TLSV1_2,
1854 .algo_strength = SSL_HIGH, 1905 .algo_strength = SSL_HIGH,
1855 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| 1906 .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
1856 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0), 1907 SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12),
1857 .strength_bits = 256, 1908 .strength_bits = 256,
1858 .alg_bits = 256, 1909 .alg_bits = 256,
1859 }, 1910 },
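Review bot: The new suites declare their nonce layout here only through `FIXED_NONCE_LEN(12)` in `.algorithm2`, while the choice to XOR rather than concatenate the sequence number is made elsewhere by comparing `algorithm_enc` against `SSL_CHACHA20POLY1305`, so one cipher's nonce scheme is split between this table and a hard-coded comparison in the record layer. Declaring it in the table with an `algorithm2` bit beside `SSL_CIPHER_ALGORITHM2_AEAD` (for instance `.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|SSL_CIPHER_ALGORITHM2_XOR_FIXED_NONCE|FIXED_NONCE_LEN(12),` with a matching new flag) would keep the whole layout in one place and let a future AEAD reuse it. This is a structural preference, not a defect in the entries as written. The `ssl3_ciphers[]` array begins and ends outside the hunk.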
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index 5d1d568ff8..526d98e293 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciph.c,v 1.85 2016/04/28 16:06:53 jsing Exp $ */ 1/* $OpenBSD: ssl_ciph.c,v 1.86 2016/04/28 16:39:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -414,7 +414,7 @@ static const SSL_CIPHER cipher_aliases[] = {
414 }, 414 },
415 { 415 {
416 .name = SSL_TXT_CHACHA20, 416 .name = SSL_TXT_CHACHA20,
417 .algorithm_enc = SSL_CHACHA20POLY1305, 417 .algorithm_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD,
418 }, 418 },
419 419
420 /* MAC aliases */ 420 /* MAC aliases */
@@ -731,6 +731,9 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
731#endif 731#endif
732#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 732#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
733 case SSL_CHACHA20POLY1305: 733 case SSL_CHACHA20POLY1305:
734 *aead = EVP_aead_chacha20_poly1305();
735 return 1;
736 case SSL_CHACHA20POLY1305_OLD:
734 *aead = EVP_aead_chacha20_poly1305_old(); 737 *aead = EVP_aead_chacha20_poly1305_old();
735 return 1; 738 return 1;
736#endif 739#endif
@@ -1423,15 +1426,19 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1423 */ 1426 */
1424 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, 1427 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0,
1425 CIPHER_ADD, -1, &head, &tail); 1428 CIPHER_ADD, -1, &head, &tail);
1426 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, 1429 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305,
1427 CIPHER_ADD, -1, &head, &tail); 1430 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1431 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD,
1432 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1428 } else { 1433 } else {
1429 /* 1434 /*
1430 * CHACHA20 is fast and safe on all hardware and is thus our 1435 * CHACHA20 is fast and safe on all hardware and is thus our
1431 * preferred symmetric cipher, with AES second. 1436 * preferred symmetric cipher, with AES second.
1432 */ 1437 */
1433 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, 1438 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305,
1434 CIPHER_ADD, -1, &head, &tail); 1439 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1440 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD,
1441 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1435 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, 1442 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0,
1436 CIPHER_ADD, -1, &head, &tail); 1443 CIPHER_ADD, -1, &head, &tail);
1437 } 1444 }
@@ -1667,6 +1674,9 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1667 case SSL_CHACHA20POLY1305: 1674 case SSL_CHACHA20POLY1305:
1668 enc = "ChaCha20-Poly1305"; 1675 enc = "ChaCha20-Poly1305";
1669 break; 1676 break;
1677 case SSL_CHACHA20POLY1305_OLD:
1678 enc = "ChaCha20-Poly1305-Old";
1679 break;
1670 case SSL_eGOST2814789CNT: 1680 case SSL_eGOST2814789CNT:
1671 enc = "GOST-28178-89-CNT"; 1681 enc = "GOST-28178-89-CNT";
1672 break; 1682 break;
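Review bot: The comment above the default ordering (`CHACHA20 is fast and safe on all hardware and is thus our preferred symmetric cipher, with AES second`) now also covers the `SSL_CHACHA20POLY1305_OLD` rule added right after it, and on the non-AESNI branch the draft suites rank ahead of AES-GCM with no note that they are a transitional construction. I would add above the new `ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD, ...)` calls: `/* The _OLD (draft) suites follow the RFC 7539 suites so that a peer offering both negotiates the standard construction; remove them once peers have migrated. */`. Whether a client offering both actually lands on the RFC suite depends on server preference handling outside this hunk. `ssl_create_cipher_list` begins and ends outside the hunk.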
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index e05578e4a3..2a521fe26a 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.128 2015/09/12 15:08:54 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.129 2016/04/28 16:39:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -283,6 +283,7 @@
283#define SSL_AES128GCM 0x00000400L 283#define SSL_AES128GCM 0x00000400L
284#define SSL_AES256GCM 0x00000800L 284#define SSL_AES256GCM 0x00000800L
285#define SSL_CHACHA20POLY1305 0x00001000L 285#define SSL_CHACHA20POLY1305 0x00001000L
286#define SSL_CHACHA20POLY1305_OLD 0x00002000L
286 287
287#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM) 288#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
288#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) 289#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
@@ -529,9 +530,10 @@ struct ssl_aead_ctx_st {
529 * fixed_nonce contains any bytes of the nonce that are fixed for all 530 * fixed_nonce contains any bytes of the nonce that are fixed for all
530 * records. 531 * records.
531 */ 532 */
532 unsigned char fixed_nonce[8]; 533 unsigned char fixed_nonce[12];
533 unsigned char fixed_nonce_len; 534 unsigned char fixed_nonce_len;
534 unsigned char variable_nonce_len; 535 unsigned char variable_nonce_len;
536 unsigned char xor_fixed_nonce;
535 unsigned char tag_len; 537 unsigned char tag_len;
536 /* 538 /*
537 * variable_nonce_in_record is non-zero if the variable nonce 539 * variable_nonce_in_record is non-zero if the variable nonce
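Review bot: The new `xor_fixed_nonce` member of `struct ssl_aead_ctx_st` is the only field in that group without a comment, while `fixed_nonce` and `variable_nonce_in_record` each document their meaning. I would add above it: `/* xor_fixed_nonce is non-zero if the variable nonce (the sequence number, left padded with zeros to fixed_nonce_len) is XORed with fixed_nonce, as in RFC 7539, rather than concatenated with it. */`. The growth of `fixed_nonce` to 12 bytes is tied to `FIXED_NONCE_LEN(12)` in the cipher table and to the length checks in the record layer; naming that size once would keep the three from drifting apart. The struct definition starts outside the hunk.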
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index 5d95419e7e..53570b2d4f 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_enc.c,v 1.84 2016/03/06 14:52:15 beck Exp $ */ 1/* $OpenBSD: t1_enc.c,v 1.85 2016/04/28 16:39:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -471,14 +471,26 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
471 aead_ctx->variable_nonce_in_record = 471 aead_ctx->variable_nonce_in_record =
472 (s->s3->tmp.new_cipher->algorithm2 & 472 (s->s3->tmp.new_cipher->algorithm2 &
473 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; 473 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0;
474 if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != 474 aead_ctx->xor_fixed_nonce =
475 EVP_AEAD_nonce_length(aead)) { 475 s->s3->tmp.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305;
476 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD,
477 ERR_R_INTERNAL_ERROR);
478 return (0);
479 }
480 aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); 476 aead_ctx->tag_len = EVP_AEAD_max_overhead(aead);
481 477
478 if (aead_ctx->xor_fixed_nonce) {
479 if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) ||
480 aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) {
481 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD,
482 ERR_R_INTERNAL_ERROR);
483 return (0);
484 }
485 } else {
486 if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len !=
487 EVP_AEAD_nonce_length(aead)) {
488 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD,
489 ERR_R_INTERNAL_ERROR);
490 return (0);
491 }
492 }
493
482 return (1); 494 return (1);
483} 495}
484 496
@@ -819,8 +831,8 @@ tls1_enc(SSL *s, int send)
819 831
820 if (aead) { 832 if (aead) {
821 unsigned char ad[13], *in, *out, nonce[16]; 833 unsigned char ad[13], *in, *out, nonce[16];
822 unsigned nonce_used; 834 size_t out_len, pad_len = 0;
823 size_t out_len; 835 unsigned int nonce_used;
824 836
825 if (SSL_IS_DTLS(s)) { 837 if (SSL_IS_DTLS(s)) {
826 dtls1_build_sequence_number(ad, seq, 838 dtls1_build_sequence_number(ad, seq,
@@ -834,13 +846,20 @@ tls1_enc(SSL *s, int send)
834 ad[9] = (unsigned char)(s->version >> 8); 846 ad[9] = (unsigned char)(s->version >> 8);
835 ad[10] = (unsigned char)(s->version); 847 ad[10] = (unsigned char)(s->version);
836 848
837 if (aead->fixed_nonce_len + 849 if (aead->variable_nonce_len > 8 ||
838 aead->variable_nonce_len > sizeof(nonce) || 850 aead->variable_nonce_len > sizeof(nonce))
839 aead->variable_nonce_len > 8) 851 return -1;
840 return -1; /* internal error - should never happen. */
841 852
842 memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len); 853 if (aead->xor_fixed_nonce) {
843 nonce_used = aead->fixed_nonce_len; 854 if (aead->fixed_nonce_len > sizeof(nonce) ||
855 aead->variable_nonce_len > aead->fixed_nonce_len)
856 return -1; /* Should never happen. */
857 pad_len = aead->fixed_nonce_len - aead->variable_nonce_len;
858 } else {
859 if (aead->fixed_nonce_len +
860 aead->variable_nonce_len > sizeof(nonce))
861 return -1; /* Should never happen. */
862 }
844 863
845 if (send) { 864 if (send) {
846 size_t len = rec->length; 865 size_t len = rec->length;
@@ -848,15 +867,30 @@ tls1_enc(SSL *s, int send)
848 in = rec->input; 867 in = rec->input;
849 out = rec->data; 868 out = rec->data;
850 869
851 /* 870 if (aead->xor_fixed_nonce) {
852 * When sending we use the sequence number as the 871 /*
853 * variable part of the nonce. 872 * The sequence number is left zero
854 */ 873 * padded, then xored with the fixed
855 if (aead->variable_nonce_len > 8) 874 * nonce.
856 return -1; 875 */
857 memcpy(nonce + nonce_used, ad, 876 memset(nonce, 0, pad_len);
858 aead->variable_nonce_len); 877 memcpy(nonce + pad_len, ad,
859 nonce_used += aead->variable_nonce_len; 878 aead->variable_nonce_len);
879 for (i = 0; i < aead->fixed_nonce_len; i++)
880 nonce[i] ^= aead->fixed_nonce[i];
881 nonce_used = aead->fixed_nonce_len;
882 } else {
883 /*
884 * When sending we use the sequence number as
885 * the variable part of the nonce.
886 */
887 memcpy(nonce, aead->fixed_nonce,
888 aead->fixed_nonce_len);
889 nonce_used = aead->fixed_nonce_len;
890 memcpy(nonce + nonce_used, ad,
891 aead->variable_nonce_len);
892 nonce_used += aead->variable_nonce_len;
893 }
860 894
861 /* 895 /*
862 * In do_ssl3_write, rec->input is moved forward by 896 * In do_ssl3_write, rec->input is moved forward by
@@ -890,10 +924,29 @@ tls1_enc(SSL *s, int send)
890 924
891 if (len < aead->variable_nonce_len) 925 if (len < aead->variable_nonce_len)
892 return 0; 926 return 0;
893 memcpy(nonce + nonce_used, 927
894 aead->variable_nonce_in_record ? in : ad, 928 if (aead->xor_fixed_nonce) {
895 aead->variable_nonce_len); 929 /*
896 nonce_used += aead->variable_nonce_len; 930 * The sequence number is left zero
931 * padded, then xored with the fixed
932 * nonce.
933 */
934 memset(nonce, 0, pad_len);
935 memcpy(nonce + pad_len, ad,
936 aead->variable_nonce_len);
937 for (i = 0; i < aead->fixed_nonce_len; i++)
938 nonce[i] ^= aead->fixed_nonce[i];
939 nonce_used = aead->fixed_nonce_len;
940 } else {
941 memcpy(nonce, aead->fixed_nonce,
942 aead->fixed_nonce_len);
943 nonce_used = aead->fixed_nonce_len;
944
945 memcpy(nonce + nonce_used,
946 aead->variable_nonce_in_record ? in : ad,
947 aead->variable_nonce_len);
948 nonce_used += aead->variable_nonce_len;
949 }
897 950
898 if (aead->variable_nonce_in_record) { 951 if (aead->variable_nonce_in_record) {
899 in += aead->variable_nonce_len; 952 in += aead->variable_nonce_len;
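Review bot: The new length checks in `tls1_change_cipher_state_aead` do not reject a cipher that sets both `xor_fixed_nonce` and `variable_nonce_in_record`, yet the xor branch of the read path in `tls1_enc` always takes the nonce from `ad` (`memcpy(nonce + pad_len, ad, aead->variable_nonce_len)`) while the unchanged `if (aead->variable_nonce_in_record) in += ...` that follows would still strip bytes from the record, so such a cipher would decrypt with the wrong nonce and wrong payload offset. No entry in the current table sets both, but the invariant is enforced nowhere; I would extend the xor-branch check to `if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) || aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead) || aead_ctx->variable_nonce_in_record)` so the combination fails at key setup rather than on the wire. Minor: in `tls1_enc` the test `aead->variable_nonce_len > sizeof(nonce)` is unreachable once `aead->variable_nonce_len > 8` has been checked (`nonce` is 16 bytes), and the xor loops reuse an `i` declared outside the hunk whose type I cannot see. Both functions begin and end outside the hunks.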
diff --git a/src/lib/libssl/src/ssl/tls1.h b/src/lib/libssl/src/ssl/tls1.h
index e564ec23e9..e123117866 100644
--- a/src/lib/libssl/src/ssl/tls1.h
+++ b/src/lib/libssl/src/ssl/tls1.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls1.h,v 1.27 2016/03/07 19:33:26 mmcc Exp $ */ 1/* $OpenBSD: tls1.h,v 1.28 2016/04/28 16:39:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -537,9 +537,12 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
537#define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032 537#define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032
538 538
539/* ChaCha20-Poly1305 based ciphersuites. */ 539/* ChaCha20-Poly1305 based ciphersuites. */
540#define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305 0x0300CC13 540#define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC13
541#define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CC14 541#define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD 0x0300CC14
542#define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CC15 542#define TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC15
543#define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305 0x0300CCA8
544#define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CCA9
545#define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CCAA
543 546
544#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5" 547#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5"
545#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5" 548#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5"
@@ -701,6 +704,9 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
701#define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384" 704#define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384"
702 705
703/* ChaCha20-Poly1305 based ciphersuites. */ 706/* ChaCha20-Poly1305 based ciphersuites. */
707#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD "ECDHE-RSA-CHACHA20-POLY1305-OLD"
708#define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD "ECDHE-ECDSA-CHACHA20-POLY1305-OLD"
709#define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_OLD "DHE-RSA-CHACHA20-POLY1305-OLD"
704#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305" 710#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305"
705#define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305" 711#define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305"
706#define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305" 712#define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305"
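Review bot: The existing `TLS1_CK_*_CHACHA20_POLY1305` macros change value (0x0300CC13–CC15 become 0x0300CCA8–CCAA) rather than new names being introduced, so any application built against the previous header that stores or compares these constants now silently refers to the draft suites, and the `_OLD` names are the only handle on the old values. That matches the parallel treatment of the `TLS1_TXT_*` strings, but it is an API-visible change that deserves a comment above the `_OLD` defines: `/* CC13-CC15 are the pre-RFC draft suites; the unsuffixed names now denote the RFC 7539 suites CCA8-CCAA. */`.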
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 5d1d568ff8..526d98e293 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciph.c,v 1.85 2016/04/28 16:06:53 jsing Exp $ */ 1/* $OpenBSD: ssl_ciph.c,v 1.86 2016/04/28 16:39:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -414,7 +414,7 @@ static const SSL_CIPHER cipher_aliases[] = {
414 }, 414 },
415 { 415 {
416 .name = SSL_TXT_CHACHA20, 416 .name = SSL_TXT_CHACHA20,
417 .algorithm_enc = SSL_CHACHA20POLY1305, 417 .algorithm_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD,
418 }, 418 },
419 419
420 /* MAC aliases */ 420 /* MAC aliases */
@@ -731,6 +731,9 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
731#endif 731#endif
732#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) 732#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
733 case SSL_CHACHA20POLY1305: 733 case SSL_CHACHA20POLY1305:
734 *aead = EVP_aead_chacha20_poly1305();
735 return 1;
736 case SSL_CHACHA20POLY1305_OLD:
734 *aead = EVP_aead_chacha20_poly1305_old(); 737 *aead = EVP_aead_chacha20_poly1305_old();
735 return 1; 738 return 1;
736#endif 739#endif
@@ -1423,15 +1426,19 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1423 */ 1426 */
1424 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, 1427 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0,
1425 CIPHER_ADD, -1, &head, &tail); 1428 CIPHER_ADD, -1, &head, &tail);
1426 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, 1429 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305,
1427 CIPHER_ADD, -1, &head, &tail); 1430 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1431 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD,
1432 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1428 } else { 1433 } else {
1429 /* 1434 /*
1430 * CHACHA20 is fast and safe on all hardware and is thus our 1435 * CHACHA20 is fast and safe on all hardware and is thus our
1431 * preferred symmetric cipher, with AES second. 1436 * preferred symmetric cipher, with AES second.
1432 */ 1437 */
1433 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, 1438 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305,
1434 CIPHER_ADD, -1, &head, &tail); 1439 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1440 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD,
1441 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1435 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, 1442 ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0,
1436 CIPHER_ADD, -1, &head, &tail); 1443 CIPHER_ADD, -1, &head, &tail);
1437 } 1444 }
@@ -1667,6 +1674,9 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1667 case SSL_CHACHA20POLY1305: 1674 case SSL_CHACHA20POLY1305:
1668 enc = "ChaCha20-Poly1305"; 1675 enc = "ChaCha20-Poly1305";
1669 break; 1676 break;
1677 case SSL_CHACHA20POLY1305_OLD:
1678 enc = "ChaCha20-Poly1305-Old";
1679 break;
1670 case SSL_eGOST2814789CNT: 1680 case SSL_eGOST2814789CNT:
1671 enc = "GOST-28178-89-CNT"; 1681 enc = "GOST-28178-89-CNT";
1672 break; 1682 break;
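Review bot: The `SSL_TXT_CHACHA20` alias now expands to `SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD`, so a cipher string using `CHACHA20` cannot select the RFC suites alone and must exclude the draft ones by full name (`!ECDHE-RSA-CHACHA20-POLY1305-OLD` and friends). If that is intended, a comment on the alias entry would save the next reader a trip through the table: `/* Matches both the RFC 7539 suites and the draft (_OLD) suites; exclude the latter by suite name. */`. `cipher_aliases[]` begins and ends outside the hunk.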
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index e05578e4a3..2a521fe26a 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.128 2015/09/12 15:08:54 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.129 2016/04/28 16:39:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -283,6 +283,7 @@
283#define SSL_AES128GCM 0x00000400L 283#define SSL_AES128GCM 0x00000400L
284#define SSL_AES256GCM 0x00000800L 284#define SSL_AES256GCM 0x00000800L
285#define SSL_CHACHA20POLY1305 0x00001000L 285#define SSL_CHACHA20POLY1305 0x00001000L
286#define SSL_CHACHA20POLY1305_OLD 0x00002000L
286 287
287#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM) 288#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
288#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) 289#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
@@ -529,9 +530,10 @@ struct ssl_aead_ctx_st {
529 * fixed_nonce contains any bytes of the nonce that are fixed for all 530 * fixed_nonce contains any bytes of the nonce that are fixed for all
530 * records. 531 * records.
531 */ 532 */
532 unsigned char fixed_nonce[8]; 533 unsigned char fixed_nonce[12];
533 unsigned char fixed_nonce_len; 534 unsigned char fixed_nonce_len;
534 unsigned char variable_nonce_len; 535 unsigned char variable_nonce_len;
536 unsigned char xor_fixed_nonce;
535 unsigned char tag_len; 537 unsigned char tag_len;
536 /* 538 /*
537 * variable_nonce_in_record is non-zero if the variable nonce 539 * variable_nonce_in_record is non-zero if the variable nonce
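Review bot: `SSL_CHACHA20POLY1305_OLD` takes `0x00002000L` in the `algorithm_enc` bit space, and the hunk shows only the neighbouring GCM and ChaCha bits, so I cannot confirm from here that `0x2000` is unused by the other `algorithm_enc` values defined further down (the GOST cipher bit, for one, is not visible); worth a glance before merging. A short comment tying the value to its purpose would also help: `/* draft (pre-RFC 7539) ChaCha20-Poly1305; see SSL_CHACHA20POLY1305 */`. The define list continues outside the hunk.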
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 5d95419e7e..53570b2d4f 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_enc.c,v 1.84 2016/03/06 14:52:15 beck Exp $ */ 1/* $OpenBSD: t1_enc.c,v 1.85 2016/04/28 16:39:45 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -471,14 +471,26 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
471 aead_ctx->variable_nonce_in_record = 471 aead_ctx->variable_nonce_in_record =
472 (s->s3->tmp.new_cipher->algorithm2 & 472 (s->s3->tmp.new_cipher->algorithm2 &
473 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; 473 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0;
474 if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != 474 aead_ctx->xor_fixed_nonce =
475 EVP_AEAD_nonce_length(aead)) { 475 s->s3->tmp.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305;
476 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD,
477 ERR_R_INTERNAL_ERROR);
478 return (0);
479 }
480 aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); 476 aead_ctx->tag_len = EVP_AEAD_max_overhead(aead);
481 477
478 if (aead_ctx->xor_fixed_nonce) {
479 if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) ||
480 aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) {
481 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD,
482 ERR_R_INTERNAL_ERROR);
483 return (0);
484 }
485 } else {
486 if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len !=
487 EVP_AEAD_nonce_length(aead)) {
488 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD,
489 ERR_R_INTERNAL_ERROR);
490 return (0);
491 }
492 }
493
482 return (1); 494 return (1);
483} 495}
484 496
@@ -819,8 +831,8 @@ tls1_enc(SSL *s, int send)
819 831
820 if (aead) { 832 if (aead) {
821 unsigned char ad[13], *in, *out, nonce[16]; 833 unsigned char ad[13], *in, *out, nonce[16];
822 unsigned nonce_used; 834 size_t out_len, pad_len = 0;
823 size_t out_len; 835 unsigned int nonce_used;
824 836
825 if (SSL_IS_DTLS(s)) { 837 if (SSL_IS_DTLS(s)) {
826 dtls1_build_sequence_number(ad, seq, 838 dtls1_build_sequence_number(ad, seq,
@@ -834,13 +846,20 @@ tls1_enc(SSL *s, int send)
834 ad[9] = (unsigned char)(s->version >> 8); 846 ad[9] = (unsigned char)(s->version >> 8);
835 ad[10] = (unsigned char)(s->version); 847 ad[10] = (unsigned char)(s->version);
836 848
837 if (aead->fixed_nonce_len + 849 if (aead->variable_nonce_len > 8 ||
838 aead->variable_nonce_len > sizeof(nonce) || 850 aead->variable_nonce_len > sizeof(nonce))
839 aead->variable_nonce_len > 8) 851 return -1;
840 return -1; /* internal error - should never happen. */
841 852
842 memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len); 853 if (aead->xor_fixed_nonce) {
843 nonce_used = aead->fixed_nonce_len; 854 if (aead->fixed_nonce_len > sizeof(nonce) ||
855 aead->variable_nonce_len > aead->fixed_nonce_len)
856 return -1; /* Should never happen. */
857 pad_len = aead->fixed_nonce_len - aead->variable_nonce_len;
858 } else {
859 if (aead->fixed_nonce_len +
860 aead->variable_nonce_len > sizeof(nonce))
861 return -1; /* Should never happen. */
862 }
844 863
845 if (send) { 864 if (send) {
846 size_t len = rec->length; 865 size_t len = rec->length;
@@ -848,15 +867,30 @@ tls1_enc(SSL *s, int send)
848 in = rec->input; 867 in = rec->input;
849 out = rec->data; 868 out = rec->data;
850 869
851 /* 870 if (aead->xor_fixed_nonce) {
852 * When sending we use the sequence number as the 871 /*
853 * variable part of the nonce. 872 * The sequence number is left zero
854 */ 873 * padded, then xored with the fixed
855 if (aead->variable_nonce_len > 8) 874 * nonce.
856 return -1; 875 */
857 memcpy(nonce + nonce_used, ad, 876 memset(nonce, 0, pad_len);
858 aead->variable_nonce_len); 877 memcpy(nonce + pad_len, ad,
859 nonce_used += aead->variable_nonce_len; 878 aead->variable_nonce_len);
879 for (i = 0; i < aead->fixed_nonce_len; i++)
880 nonce[i] ^= aead->fixed_nonce[i];
881 nonce_used = aead->fixed_nonce_len;
882 } else {
883 /*
884 * When sending we use the sequence number as
885 * the variable part of the nonce.
886 */
887 memcpy(nonce, aead->fixed_nonce,
888 aead->fixed_nonce_len);
889 nonce_used = aead->fixed_nonce_len;
890 memcpy(nonce + nonce_used, ad,
891 aead->variable_nonce_len);
892 nonce_used += aead->variable_nonce_len;
893 }
860 894
861 /* 895 /*
862 * In do_ssl3_write, rec->input is moved forward by 896 * In do_ssl3_write, rec->input is moved forward by
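Review bot: The xor-nonce construction on new lines 870-881 is repeated verbatim in the receive path of the next hunk (new lines 928-939): memset of pad_len zeroes, memcpy of the sequence number, the xor loop and the nonce_used assignment. Two copies of nonce-derivation code in an AEAD path is the kind of thing that drifts apart under later fixes, so I'd move it into one static helper and call it from both sides, which also lets the pad_len computation in the earlier hunk move into the helper. Note that `i` is not declared in any hunk shown here; if it is a plain int from the top of the function, the comparison with fixed_nonce_len mixes signed and unsigned, which the helper below avoids with a size_t index. tls1_enc starts and ends outside this hunk.
```c
/*
 * Construct an AEAD nonce by left zero padding the (at most 8 byte)
 * sequence number to fixed_nonce_len and xoring it with the fixed nonce.
 * Caller guarantees variable_nonce_len <= fixed_nonce_len <= sizeof(nonce).
 */
static void
tls1_aead_xor_nonce(unsigned char *nonce, const unsigned char *fixed_nonce,
    size_t fixed_nonce_len, const unsigned char *seq, size_t variable_nonce_len)
{
	size_t pad_len = fixed_nonce_len - variable_nonce_len;
	size_t i;

	memset(nonce, 0, pad_len);
	memcpy(nonce + pad_len, seq, variable_nonce_len);
	for (i = 0; i < fixed_nonce_len; i++)
		nonce[i] ^= fixed_nonce[i];
}

/* … unchanged: tls1_enc up to the send branch … */
			if (aead->xor_fixed_nonce) {
				tls1_aead_xor_nonce(nonce, aead->fixed_nonce,
				    aead->fixed_nonce_len, ad,
				    aead->variable_nonce_len);
				nonce_used = aead->fixed_nonce_len;
			}
			/* … unchanged: else branch (fixed nonce followed by sequence number) and the rest of the send path … */
```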
@@ -890,10 +924,29 @@ tls1_enc(SSL *s, int send)
890 924
891 if (len < aead->variable_nonce_len) 925 if (len < aead->variable_nonce_len)
892 return 0; 926 return 0;
893 memcpy(nonce + nonce_used, 927
894 aead->variable_nonce_in_record ? in : ad, 928 if (aead->xor_fixed_nonce) {
895 aead->variable_nonce_len); 929 /*
896 nonce_used += aead->variable_nonce_len; 930 * The sequence number is left zero
931 * padded, then xored with the fixed
932 * nonce.
933 */
934 memset(nonce, 0, pad_len);
935 memcpy(nonce + pad_len, ad,
936 aead->variable_nonce_len);
937 for (i = 0; i < aead->fixed_nonce_len; i++)
938 nonce[i] ^= aead->fixed_nonce[i];
939 nonce_used = aead->fixed_nonce_len;
940 } else {
941 memcpy(nonce, aead->fixed_nonce,
942 aead->fixed_nonce_len);
943 nonce_used = aead->fixed_nonce_len;
944
945 memcpy(nonce + nonce_used,
946 aead->variable_nonce_in_record ? in : ad,
947 aead->variable_nonce_len);
948 nonce_used += aead->variable_nonce_len;
949 }
897 950
898 if (aead->variable_nonce_in_record) { 951 if (aead->variable_nonce_in_record) {
899 in += aead->variable_nonce_len; 952 in += aead->variable_nonce_len;
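Review bot: Nothing in the receive path guards against xor_fixed_nonce and variable_nonce_in_record both being set: the xor branch on new lines 928-939 always derives the nonce from ad, yet the unchanged code at new lines 951-952 still skips variable_nonce_len bytes of the record when variable_nonce_in_record is set, so such a configuration would silently discard record bytes it never used. I'd reject the combination where the AEAD context is set up, e.g. next to the nonce-length checks in tls1_change_cipher_state_aead: `if (aead_ctx->xor_fixed_nonce && aead_ctx->variable_nonce_in_record) return (0); /* xor nonces come from the sequence number. */`, or at least note the assumption in the comment of the xor branch. This is presumably unreachable with the cipher tables in this commit, which I cannot see from here. tls1_enc starts and ends outside this hunk.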
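--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls1.h,v 1.27 2016/03/07 19:33:26 mmcc Exp $ */
+/* $OpenBSD: tls1.h,v 1.28 2016/04/28 16:39:45 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -537,9 +537,12 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032
 
 /* ChaCha20-Poly1305 based ciphersuites. */
-#define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305 0x0300CC13
-#define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CC14
-#define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CC15
+#define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC13
+#define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD 0x0300CC14
+#define TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC15
+#define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305 0x0300CCA8
+#define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305 0x0300CCA9
+#define TLS1_CK_DHE_RSA_CHACHA20_POLY1305 0x0300CCAA
 
 #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5"
 #define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5"
@@ -701,6 +704,9 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384"
 
 /* ChaCha20-Poly1305 based ciphersuites. */
+#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD "ECDHE-RSA-CHACHA20-POLY1305-OLD"
+#define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD "ECDHE-ECDSA-CHACHA20-POLY1305-OLD"
+#define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_OLD "DHE-RSA-CHACHA20-POLY1305-OLD"
 #define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305"
 #define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305"
 #define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305"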
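Review bot: The comment `/* ChaCha20-Poly1305 based ciphersuites. */` that sits above both the TLS1_CK_ and TLS1_TXT_ groups no longer explains why two sets of names exist: the _OLD names keep the pre-standard 0xCC13-0xCC15 code points while the unsuffixed names move to 0xCCA8-0xCCAA, the IANA-assigned values for the standardised suites (the ones RFC 7905 uses). I'd extend the comment at both sites, e.g. `/* ChaCha20-Poly1305 based ciphersuites: _OLD are the draft code points (0xCC13-0xCC15), the others the IANA-assigned ones (0xCCA8-0xCCAA). */`. Because the unsuffixed macros keep their spelling but change value, anything that matched on the numeric id rather than the macro now selects a different suite; that is worth a sentence in the commit description.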