Google Git
Sign in
gfiber / buildroot / 7ffc73b5c010b1246907bb7151bfeccd8661c9ee / . / package / openssl / openssl-chacha20_poly1305_boringssl.patch
blob: 317d98e035f8601d8550a22c87fa2b3ec288ad54 [file] [log] [blame]
diff -Naur openssl-1.0.2j/Configure openssl-1.0.2j-chacha-b/Configure
--- openssl-1.0.2j/Configure 2016-09-26 05:49:07.000000000 -0400
+++ openssl-1.0.2j-chacha-b/Configure 2016-11-30 10:15:54.827072450 -0500
@@ -150,25 +150,25 @@
my $bits1="THIRTY_TWO_BIT ";
my $bits2="SIXTY_FOUR_BIT ";
-my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o::des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:";
+my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o::des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o::";
my $x86_elf_asm="$x86_asm:elf";
-my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o:ecp_nistz256.o ecp_nistz256-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o aesni-gcm-x86_64.o:";
-my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
-my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o vis3-mont.o sparct4-mont.o sparcv9-gf2m.o::des_enc-sparc.o fcrypt_b.o dest4-sparcv9.o:aes_core.o aes_cbc.o aes-sparcv9.o aest4-sparcv9.o::md5-sparcv9.o:sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o::::::camellia.o cmll_misc.o cmll_cbc.o cmllt4-sparcv9.o:ghash-sparcv9.o::void";
-my $sparcv8_asm=":sparcv8.o::des_enc-sparc.o fcrypt_b.o:::::::::::::void";
-my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o::::::sha1-alpha.o:::::::ghash-alpha.o::void";
-my $mips64_asm=":bn-mips.o mips-mont.o:::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
+my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o:ecp_nistz256.o ecp_nistz256-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o aesni-gcm-x86_64.o::";
+my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o:::void";
+my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o vis3-mont.o sparct4-mont.o sparcv9-gf2m.o::des_enc-sparc.o fcrypt_b.o dest4-sparcv9.o:aes_core.o aes_cbc.o aes-sparcv9.o aest4-sparcv9.o::md5-sparcv9.o:sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o::::::camellia.o cmll_misc.o cmll_cbc.o cmllt4-sparcv9.o:ghash-sparcv9.o:::void";
+my $sparcv8_asm=":sparcv8.o::des_enc-sparc.o fcrypt_b.o::::::::::::::void";
+my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o::::::sha1-alpha.o:::::::ghash-alpha.o:::void";
+my $mips64_asm=":bn-mips.o mips-mont.o:::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o:::::::::";
my $mips32_asm=$mips64_asm; $mips32_asm =~ s/\s*sha512\-mips\.o//;
-my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o:::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
-my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o:::aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o ghashv8-armx.o::void";
-my $aarch64_asm="armcap.o arm64cpuid.o mem_clr.o::::aes_core.o aes_cbc.o aesv8-armx.o:::sha1-armv8.o sha256-armv8.o sha512-armv8.o:::::::ghashv8-armx.o:";
-my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
-my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
-my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o:::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o:";
+my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o:::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o::";
+my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o:::aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o ghashv8-armx.o:::void";
+my $aarch64_asm="armcap.o arm64cpuid.o mem_clr.o::::aes_core.o aes_cbc.o aesv8-armx.o:::sha1-armv8.o sha256-armv8.o sha512-armv8.o:::::::ghashv8-armx.o::";
+my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o:::32";
+my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o:::64";
+my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o:::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o::";
my $ppc32_asm=$ppc64_asm;
-my $no_asm="::::::::::::::::void";
+my $no_asm=":::::::::::::::::void";
# As for $BSDthreads. Idea is to maintain "collective" set of flags,
# which would cover all BSD flavors. -pthread applies to them all,
@@ -179,7 +179,7 @@
# seems to be sufficient?
my $BSDthreads="-pthread -D_THREAD_SAFE -D_REENTRANT";
-#config-string $cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $ec_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $engines_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib
+#config-string $cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $ec_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $chapoly_obj : $engines_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib
my %table=(
# File 'TABLE' (created by 'make TABLE') contains the data from this list,
@@ -713,6 +713,7 @@
my $idx_wp_obj = $idx++;
my $idx_cmll_obj = $idx++;
my $idx_modes_obj = $idx++;
+my $idx_chapoly_obj = $idx++;
my $idx_engines_obj = $idx++;
my $idx_perlasm_scheme = $idx++;
my $idx_dso_scheme = $idx++;
@@ -1239,6 +1240,7 @@
my $wp_obj = $fields[$idx_wp_obj];
my $cmll_obj = $fields[$idx_cmll_obj];
my $modes_obj = $fields[$idx_modes_obj];
+my $chapoly_obj= $fields[$idx_chapoly_obj];
my $engines_obj = $fields[$idx_engines_obj];
my $perlasm_scheme = $fields[$idx_perlasm_scheme];
my $dso_scheme = $fields[$idx_dso_scheme];
@@ -1407,7 +1409,8 @@
{
$cpuid_obj=$bn_obj=$ec_obj=
$des_obj=$aes_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj=$cmll_obj=
- $modes_obj=$sha1_obj=$md5_obj=$rmd160_obj=$wp_obj=$engines_obj="";
+ $modes_obj=$sha1_obj=$md5_obj=$rmd160_obj=$wp_obj=$engines_obj=
+ $chapoly_obj="";
}
if (!$no_shared)
@@ -1622,6 +1625,10 @@
{
$cflags.=" -DECP_NISTZ256_ASM";
}
+if ($chapoly_obj =~ /chacha20_poly1305/)
+ {
+ $cflags.=" -DCHAPOLY_ASM";
+ }
# "Stringify" the C flags string. This permits it to be made part of a string
# and works as well on command lines.
@@ -1751,6 +1758,7 @@
s/^WP_ASM_OBJ=.*$/WP_ASM_OBJ= $wp_obj/;
s/^CMLL_ENC=.*$/CMLL_ENC= $cmll_obj/;
s/^MODES_ASM_OBJ.=*$/MODES_ASM_OBJ= $modes_obj/;
+ s/^CHAPOLY_ASM=.*$/CHAPOLY_ASM= $chapoly_obj/;
s/^ENGINES_ASM_OBJ.=*$/ENGINES_ASM_OBJ= $engines_obj/;
s/^PERLASM_SCHEME=.*$/PERLASM_SCHEME= $perlasm_scheme/;
s/^PROCESSOR=.*/PROCESSOR= $processor/;
@@ -1812,6 +1820,7 @@
print "RMD160_OBJ_ASM=$rmd160_obj\n";
print "CMLL_ENC =$cmll_obj\n";
print "MODES_OBJ =$modes_obj\n";
+print "CHAPOLY_ASM =$chapoly_obj\n";
print "ENGINES_OBJ =$engines_obj\n";
print "PROCESSOR =$processor\n";
print "RANLIB =$ranlib\n";
@@ -2093,7 +2102,7 @@
VALUE "ProductVersion", "$version\\0"
// Optional:
//VALUE "Comments", "\\0"
- VALUE "LegalCopyright", "Copyright © 1998-2005 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0"
+ VALUE "LegalCopyright", "Copyright � 1998-2005 The OpenSSL Project. Copyright � 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0"
//VALUE "LegalTrademarks", "\\0"
//VALUE "PrivateBuild", "\\0"
//VALUE "SpecialBuild", "\\0"
@@ -2211,7 +2220,7 @@
my ($cc, $cflags, $unistd, $thread_cflag, $sys_id, $lflags,
$bn_ops, $cpuid_obj, $bn_obj, $ec_obj, $des_obj, $aes_obj, $bf_obj,
$md5_obj, $sha1_obj, $cast_obj, $rc4_obj, $rmd160_obj,
- $rc5_obj, $wp_obj, $cmll_obj, $modes_obj, $engines_obj,
+ $rc5_obj, $wp_obj, $cmll_obj, $modes_obj, $chapoly_obj, $engines_obj,
$perlasm_scheme, $dso_scheme, $shared_target, $shared_cflag,
$shared_ldflag, $shared_extension, $ranlib, $arflags, $multilib)=
split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
@@ -2241,6 +2250,7 @@
\$wp_obj = $wp_obj
\$cmll_obj = $cmll_obj
\$modes_obj = $modes_obj
+\$chapoly_obj = $chapoly_obj
\$engines_obj = $engines_obj
\$perlasm_scheme = $perlasm_scheme
\$dso_scheme = $dso_scheme
diff -Naur openssl-1.0.2j/crypto/chacha20_poly1305/chacha20.c openssl-1.0.2j-chacha-b/crypto/chacha20_poly1305/chacha20.c
--- openssl-1.0.2j/crypto/chacha20_poly1305/chacha20.c 1969-12-31 19:00:00.000000000 -0500
+++ openssl-1.0.2j-chacha-b/crypto/chacha20_poly1305/chacha20.c 2016-11-30 15:39:13.591807208 -0500
@@ -0,0 +1,119 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+/* Adapted from the public domain, estream code by D. Bernstein. */
+
+#include "chacha20poly1305.h"
+
+#include <assert.h>
+#include <string.h>
+
+#define U8TO32_LITTLE(p) \
+ (((uint32_t)((p)[0])) | ((uint32_t)((p)[1]) << 8) | \
+ ((uint32_t)((p)[2]) << 16) | ((uint32_t)((p)[3]) << 24))
+
+/* sigma contains the ChaCha constants, which happen to be an ASCII string. */
+static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
+ '2', '-', 'b', 'y', 't', 'e', ' ', 'k' };
+
+#define ROTATE(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U32TO8_LITTLE(p, v) \
+ { \
+ (p)[0] = (v >> 0) & 0xff; \
+ (p)[1] = (v >> 8) & 0xff; \
+ (p)[2] = (v >> 16) & 0xff; \
+ (p)[3] = (v >> 24) & 0xff; \
+ }
+
+/* QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. */
+#define QUARTERROUND(a, b, c, d) \
+ x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 16); \
+ x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 12); \
+ x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 8); \
+ x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 7);
+
+/* chacha_core performs 20 rounds of ChaCha on the input words in
+ * |input| and writes the 64 output bytes to |output|. */
+static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
+ uint32_t x[16];
+ int i;
+
+ memcpy(x, input, sizeof(uint32_t) * 16);
+ for (i = 20; i > 0; i -= 2) {
+ QUARTERROUND(0, 4, 8, 12)
+ QUARTERROUND(1, 5, 9, 13)
+ QUARTERROUND(2, 6, 10, 14)
+ QUARTERROUND(3, 7, 11, 15)
+ QUARTERROUND(0, 5, 10, 15)
+ QUARTERROUND(1, 6, 11, 12)
+ QUARTERROUND(2, 7, 8, 13)
+ QUARTERROUND(3, 4, 9, 14)
+ }
+
+ for (i = 0; i < 16; ++i) {
+ x[i] += input[i];
+ }
+ for (i = 0; i < 16; ++i) {
+ U32TO8_LITTLE(output + 4 * i, x[i]);
+ }
+}
+
+void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
+ const uint8_t key[32], const uint8_t nonce[12],
+ uint32_t counter) {
+ assert(!buffers_alias(out, in_len, in, in_len) || in == out);
+
+ uint32_t input[16];
+ uint8_t buf[64];
+ size_t todo, i;
+
+ input[0] = U8TO32_LITTLE(sigma + 0);
+ input[1] = U8TO32_LITTLE(sigma + 4);
+ input[2] = U8TO32_LITTLE(sigma + 8);
+ input[3] = U8TO32_LITTLE(sigma + 12);
+
+ input[4] = U8TO32_LITTLE(key + 0);
+ input[5] = U8TO32_LITTLE(key + 4);
+ input[6] = U8TO32_LITTLE(key + 8);
+ input[7] = U8TO32_LITTLE(key + 12);
+
+ input[8] = U8TO32_LITTLE(key + 16);
+ input[9] = U8TO32_LITTLE(key + 20);
+ input[10] = U8TO32_LITTLE(key + 24);
+ input[11] = U8TO32_LITTLE(key + 28);
+
+ input[12] = counter;
+ input[13] = U8TO32_LITTLE(nonce + 0);
+ input[14] = U8TO32_LITTLE(nonce + 4);
+ input[15] = U8TO32_LITTLE(nonce + 8);
+
+ while (in_len > 0) {
+ todo = sizeof(buf);
+ if (in_len < todo) {
+ todo = in_len;
+ }
+
+ chacha_core(buf, input);
+ for (i = 0; i < todo; i++) {
+ out[i] = in[i] ^ buf[i];
+ }
+
+ out += todo;
+ in += todo;
+ in_len -= todo;
+
+ input[12]++;
+ }
+}
diff -Naur openssl-1.0.2j/crypto/chacha20_poly1305/chacha20poly1305.h openssl-1.0.2j-chacha-b/crypto/chacha20_poly1305/chacha20poly1305.h
--- openssl-1.0.2j/crypto/chacha20_poly1305/chacha20poly1305.h 1969-12-31 19:00:00.000000000 -0500
+++ openssl-1.0.2j-chacha-b/crypto/chacha20_poly1305/chacha20poly1305.h 2016-11-30 15:38:09.987960605 -0500
@@ -0,0 +1,69 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_POLY1305_H
+#define OPENSSL_HEADER_POLY1305_H
+
+#include <stdint.h>
+#include <stddef.h>
+#include <string.h>
+#include "crypto.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+typedef uint8_t poly1305_state[512];
+
+/* CRYPTO_poly1305_init sets up |state| so that it can be used to calculate an
+ * authentication tag with the one-time key |key|. Note that |key| is a
+ * one-time key and therefore there is no `reset' method because that would
+ * enable several messages to be authenticated with the same key. */
+void CRYPTO_poly1305_init(poly1305_state* state, const uint8_t key[32]);
+
+/* CRYPTO_poly1305_update processes |in_len| bytes from |in|. It can be called
+ * zero or more times after poly1305_init. */
+void CRYPTO_poly1305_update(poly1305_state* state, const uint8_t* in,
+ size_t in_len);
+
+/* CRYPTO_poly1305_finish completes the poly1305 calculation and writes a 16
+ * byte authentication tag to |mac|. The |mac| address must be 16-byte
+ * aligned. */
+void CRYPTO_poly1305_finish(poly1305_state* state, uint8_t mac[16]);
+
+/* CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and
+ * nonce and writes the result to |out|. If |in| and |out| alias, they must be
+ * equal. The initial block counter is specified by |counter|. */
+void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in,
+ size_t in_len, const uint8_t key[32],
+ const uint8_t nonce[12], uint32_t counter);
+
+/* buffers_alias returns one if |a| and |b| alias and zero otherwise. */
+static inline int buffers_alias(const uint8_t *a, size_t a_len,
+ const uint8_t *b, size_t b_len) {
+ /* Cast |a| and |b| to integers. In C, pointer comparisons between unrelated
+ * objects are undefined whereas pointer to integer conversions are merely
+ * implementation-defined. We assume the implementation defined it in a sane
+ * way. */
+ uintptr_t a_u = (uintptr_t)a;
+ uintptr_t b_u = (uintptr_t)b;
+ return a_u + a_len > b_u && b_u + b_len > a_u;
+}
+
+#if defined(__cplusplus)
+} /* extern C */
+#endif
+
+#endif /* OPENSSL_HEADER_POLY1305_H */
diff -Naur openssl-1.0.2j/crypto/chacha20_poly1305/Makefile openssl-1.0.2j-chacha-b/crypto/chacha20_poly1305/Makefile
--- openssl-1.0.2j/crypto/chacha20_poly1305/Makefile 1969-12-31 19:00:00.000000000 -0500
+++ openssl-1.0.2j-chacha-b/crypto/chacha20_poly1305/Makefile 2016-11-30 09:53:43.738441196 -0500
@@ -0,0 +1,80 @@
+#
+# crypto/chacha20poly1305/Makefile
+#
+
+DIR= chacha20poly1305
+TOP= ../..
+CC= cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g
+MAKEFILE= Makefile
+AR= ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG)
+AFLAGS= $(ASFLAGS)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= chacha20.c poly1305.c
+LIBOBJ= chacha20.o poly1305.o $(CHAPOLY_ASM)
+
+SRC= $(LIBSRC)
+
+EXHEADER= chacha20poly1305.h
+HEADER= $(EXHEADER)
+
+ALL= $(GENERAL) $(SRC) $(HEADER)
+
+top:
+ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all: lib
+
+lib: $(LIBOBJ)
+ $(AR) $(LIB) $(LIBOBJ)
+ $(RANLIB) $(LIB) || echo Never mind.
+ @touch lib
+
+files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+links:
+ @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+ @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+ @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
+ do \
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+
+tags:
+ ctags $(SRC)
+
+tests:
+
+lint:
+ lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
+ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+ mv -f Makefile.new $(MAKEFILE)
+
+clean:
+ rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+chacha20.o: ../../include/openssl/chacha20poly1305.h chacha20.c
+poly1305.o: ../../include/openssl/chacha20poly1305.h poly1305.c
diff -Naur openssl-1.0.2j/crypto/chacha20_poly1305/poly1305.c openssl-1.0.2j-chacha-b/crypto/chacha20_poly1305/poly1305.c
--- openssl-1.0.2j/crypto/chacha20_poly1305/poly1305.c 1969-12-31 19:00:00.000000000 -0500
+++ openssl-1.0.2j-chacha-b/crypto/chacha20_poly1305/poly1305.c 2016-11-30 10:56:58.000853676 -0500
@@ -0,0 +1,306 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+/* This implementation of poly1305 is by Andrew Moon
+ * (https://github.com/floodyberry/poly1305-donna) and released as public
+ * domain. */
+
+#include "chacha20poly1305.h"
+
+#include <string.h>
+
+#if !defined(B_ENDIAN)
+/* We can assume little-endian. */
+static uint32_t U8TO32_LE(const uint8_t *m) {
+ uint32_t r;
+ memcpy(&r, m, sizeof(r));
+ return r;
+}
+
+static void U32TO8_LE(uint8_t *m, uint32_t v) { memcpy(m, &v, sizeof(v)); }
+#else
+static uint32_t U8TO32_LE(const uint8_t *m) {
+ return (uint32_t)m[0] | (uint32_t)m[1] << 8 | (uint32_t)m[2] << 16 |
+ (uint32_t)m[3] << 24;
+}
+
+static void U32TO8_LE(uint8_t *m, uint32_t v) {
+ m[0] = v;
+ m[1] = v >> 8;
+ m[2] = v >> 16;
+ m[3] = v >> 24;
+}
+#endif
+
+static uint64_t mul32x32_64(uint32_t a, uint32_t b) { return (uint64_t)a * b; }
+
+struct poly1305_state_st {
+ uint32_t r0, r1, r2, r3, r4;
+ uint32_t s1, s2, s3, s4;
+ uint32_t h0, h1, h2, h3, h4;
+ uint8_t buf[16];
+ unsigned int buf_used;
+ uint8_t key[16];
+};
+
+static inline struct poly1305_state_st *poly1305_aligned_state(
+ poly1305_state *state) {
+ return (struct poly1305_state_st *)(((uintptr_t)state + 63) & ~63);
+}
+
+/* poly1305_blocks updates |state| given some amount of input data. This
+ * function may only be called with a |len| that is not a multiple of 16 at the
+ * end of the data. Otherwise the input must be buffered into 16 byte blocks. */
+static void poly1305_update(struct poly1305_state_st *state, const uint8_t *in,
+ size_t len) {
+ uint32_t t0, t1, t2, t3;
+ uint64_t t[5];
+ uint32_t b;
+ uint64_t c;
+ size_t j;
+ uint8_t mp[16];
+
+ if (len < 16) {
+ goto poly1305_donna_atmost15bytes;
+ }
+
+poly1305_donna_16bytes:
+ t0 = U8TO32_LE(in);
+ t1 = U8TO32_LE(in + 4);
+ t2 = U8TO32_LE(in + 8);
+ t3 = U8TO32_LE(in + 12);
+
+ in += 16;
+ len -= 16;
+
+ state->h0 += t0 & 0x3ffffff;
+ state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
+ state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
+ state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
+ state->h4 += (t3 >> 8) | (1 << 24);
+
+poly1305_donna_mul:
+ t[0] = mul32x32_64(state->h0, state->r0) + mul32x32_64(state->h1, state->s4) +
+ mul32x32_64(state->h2, state->s3) + mul32x32_64(state->h3, state->s2) +
+ mul32x32_64(state->h4, state->s1);
+ t[1] = mul32x32_64(state->h0, state->r1) + mul32x32_64(state->h1, state->r0) +
+ mul32x32_64(state->h2, state->s4) + mul32x32_64(state->h3, state->s3) +
+ mul32x32_64(state->h4, state->s2);
+ t[2] = mul32x32_64(state->h0, state->r2) + mul32x32_64(state->h1, state->r1) +
+ mul32x32_64(state->h2, state->r0) + mul32x32_64(state->h3, state->s4) +
+ mul32x32_64(state->h4, state->s3);
+ t[3] = mul32x32_64(state->h0, state->r3) + mul32x32_64(state->h1, state->r2) +
+ mul32x32_64(state->h2, state->r1) + mul32x32_64(state->h3, state->r0) +
+ mul32x32_64(state->h4, state->s4);
+ t[4] = mul32x32_64(state->h0, state->r4) + mul32x32_64(state->h1, state->r3) +
+ mul32x32_64(state->h2, state->r2) + mul32x32_64(state->h3, state->r1) +
+ mul32x32_64(state->h4, state->r0);
+
+ state->h0 = (uint32_t)t[0] & 0x3ffffff;
+ c = (t[0] >> 26);
+ t[1] += c;
+ state->h1 = (uint32_t)t[1] & 0x3ffffff;
+ b = (uint32_t)(t[1] >> 26);
+ t[2] += b;
+ state->h2 = (uint32_t)t[2] & 0x3ffffff;
+ b = (uint32_t)(t[2] >> 26);
+ t[3] += b;
+ state->h3 = (uint32_t)t[3] & 0x3ffffff;
+ b = (uint32_t)(t[3] >> 26);
+ t[4] += b;
+ state->h4 = (uint32_t)t[4] & 0x3ffffff;
+ b = (uint32_t)(t[4] >> 26);
+ state->h0 += b * 5;
+
+ if (len >= 16) {
+ goto poly1305_donna_16bytes;
+ }
+
+/* final bytes */
+poly1305_donna_atmost15bytes:
+ if (!len) {
+ return;
+ }
+
+ for (j = 0; j < len; j++) {
+ mp[j] = in[j];
+ }
+ mp[j++] = 1;
+ for (; j < 16; j++) {
+ mp[j] = 0;
+ }
+ len = 0;
+
+ t0 = U8TO32_LE(mp + 0);
+ t1 = U8TO32_LE(mp + 4);
+ t2 = U8TO32_LE(mp + 8);
+ t3 = U8TO32_LE(mp + 12);
+
+ state->h0 += t0 & 0x3ffffff;
+ state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
+ state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
+ state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
+ state->h4 += (t3 >> 8);
+
+ goto poly1305_donna_mul;
+}
+
+void CRYPTO_poly1305_init(poly1305_state *statep, const uint8_t key[32]) {
+ struct poly1305_state_st *state = poly1305_aligned_state(statep);
+ uint32_t t0, t1, t2, t3;
+
+ t0 = U8TO32_LE(key + 0);
+ t1 = U8TO32_LE(key + 4);
+ t2 = U8TO32_LE(key + 8);
+ t3 = U8TO32_LE(key + 12);
+
+ /* precompute multipliers */
+ state->r0 = t0 & 0x3ffffff;
+ t0 >>= 26;
+ t0 |= t1 << 6;
+ state->r1 = t0 & 0x3ffff03;
+ t1 >>= 20;
+ t1 |= t2 << 12;
+ state->r2 = t1 & 0x3ffc0ff;
+ t2 >>= 14;
+ t2 |= t3 << 18;
+ state->r3 = t2 & 0x3f03fff;
+ t3 >>= 8;
+ state->r4 = t3 & 0x00fffff;
+
+ state->s1 = state->r1 * 5;
+ state->s2 = state->r2 * 5;
+ state->s3 = state->r3 * 5;
+ state->s4 = state->r4 * 5;
+
+ /* init state */
+ state->h0 = 0;
+ state->h1 = 0;
+ state->h2 = 0;
+ state->h3 = 0;
+ state->h4 = 0;
+
+ state->buf_used = 0;
+ memcpy(state->key, key + 16, sizeof(state->key));
+}
+
+void CRYPTO_poly1305_update(poly1305_state *statep, const uint8_t *in,
+ size_t in_len) {
+ unsigned int i;
+ struct poly1305_state_st *state = poly1305_aligned_state(statep);
+
+ if (state->buf_used) {
+ unsigned todo = 16 - state->buf_used;
+ if (todo > in_len) {
+ todo = (unsigned)in_len;
+ }
+ for (i = 0; i < todo; i++) {
+ state->buf[state->buf_used + i] = in[i];
+ }
+ state->buf_used += todo;
+ in_len -= todo;
+ in += todo;
+
+ if (state->buf_used == 16) {
+ poly1305_update(state, state->buf, 16);
+ state->buf_used = 0;
+ }
+ }
+
+ if (in_len >= 16) {
+ size_t todo = in_len & ~0xf;
+ poly1305_update(state, in, todo);
+ in += todo;
+ in_len &= 0xf;
+ }
+
+ if (in_len) {
+ for (i = 0; i < in_len; i++) {
+ state->buf[i] = in[i];
+ }
+ state->buf_used = (unsigned)in_len;
+ }
+}
+
+void CRYPTO_poly1305_finish(poly1305_state *statep, uint8_t mac[16]) {
+ struct poly1305_state_st *state = poly1305_aligned_state(statep);
+ uint64_t f0, f1, f2, f3;
+ uint32_t g0, g1, g2, g3, g4;
+ uint32_t b, nb;
+
+
+
+
+
+
+
+
+ if (state->buf_used) {
+ poly1305_update(state, state->buf, state->buf_used);
+ }
+
+ b = state->h0 >> 26;
+ state->h0 = state->h0 & 0x3ffffff;
+ state->h1 += b;
+ b = state->h1 >> 26;
+ state->h1 = state->h1 & 0x3ffffff;
+ state->h2 += b;
+ b = state->h2 >> 26;
+ state->h2 = state->h2 & 0x3ffffff;
+ state->h3 += b;
+ b = state->h3 >> 26;
+ state->h3 = state->h3 & 0x3ffffff;
+ state->h4 += b;
+ b = state->h4 >> 26;
+ state->h4 = state->h4 & 0x3ffffff;
+ state->h0 += b * 5;
+
+ g0 = state->h0 + 5;
+ b = g0 >> 26;
+ g0 &= 0x3ffffff;
+ g1 = state->h1 + b;
+ b = g1 >> 26;
+ g1 &= 0x3ffffff;
+ g2 = state->h2 + b;
+ b = g2 >> 26;
+ g2 &= 0x3ffffff;
+ g3 = state->h3 + b;
+ b = g3 >> 26;
+ g3 &= 0x3ffffff;
+ g4 = state->h4 + b - (1 << 26);
+
+ b = (g4 >> 31) - 1;
+ nb = ~b;
+ state->h0 = (state->h0 & nb) | (g0 & b);
+ state->h1 = (state->h1 & nb) | (g1 & b);
+ state->h2 = (state->h2 & nb) | (g2 & b);
+ state->h3 = (state->h3 & nb) | (g3 & b);
+ state->h4 = (state->h4 & nb) | (g4 & b);
+
+ f0 = ((state->h0) | (state->h1 << 26)) + (uint64_t)U8TO32_LE(&state->key[0]);
+ f1 = ((state->h1 >> 6) | (state->h2 << 20)) +
+ (uint64_t)U8TO32_LE(&state->key[4]);
+ f2 = ((state->h2 >> 12) | (state->h3 << 14)) +
+ (uint64_t)U8TO32_LE(&state->key[8]);
+ f3 = ((state->h3 >> 18) | (state->h4 << 8)) +
+ (uint64_t)U8TO32_LE(&state->key[12]);
+
+ U32TO8_LE(&mac[0], f0);
+ f1 += (f0 >> 32);
+ U32TO8_LE(&mac[4], f1);
+ f2 += (f1 >> 32);
+ U32TO8_LE(&mac[8], f2);
+ f3 += (f2 >> 32);
+ U32TO8_LE(&mac[12], f3);
+}
diff -Naur openssl-1.0.2j/crypto/evp/c_allc.c openssl-1.0.2j-chacha-b/crypto/evp/c_allc.c
--- openssl-1.0.2j/crypto/evp/c_allc.c 2016-09-26 05:49:07.000000000 -0400
+++ openssl-1.0.2j-chacha-b/crypto/evp/c_allc.c 2016-11-30 09:42:31.152158937 -0500
@@ -238,4 +238,8 @@
EVP_add_cipher_alias(SN_camellia_256_cbc, "CAMELLIA256");
EVP_add_cipher_alias(SN_camellia_256_cbc, "camellia256");
#endif
+
+#ifndef OPENSSL_NO_CHACHA_POLY
+ EVP_add_cipher(EVP_chacha20_poly1305());
+#endif
}
diff -Naur openssl-1.0.2j/crypto/evp/e_chacha20_poly1305.c openssl-1.0.2j-chacha-b/crypto/evp/e_chacha20_poly1305.c
--- openssl-1.0.2j/crypto/evp/e_chacha20_poly1305.c 1969-12-31 19:00:00.000000000 -0500
+++ openssl-1.0.2j-chacha-b/crypto/evp/e_chacha20_poly1305.c 2016-12-01 10:26:39.156489503 -0500
@@ -0,0 +1,252 @@
+/* ====================================================================
+ * Copyright (c) 2001-2014 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_CHACHA_POLY
+# include <openssl/evp.h>
+# include <openssl/chacha20poly1305.h>
+
+#define FILL_BUFFER ((size_t)128)
+
+#define POLY1305_TAG_LEN 16
+
+typedef struct {
+ uint8_t key[32];
+ uint8_t iv[12];
+ uint8_t nonce[12];
+ uint8_t aad[EVP_AEAD_TLS1_AAD_LEN];
+ size_t aad_l; // Should always be EVP_AEAD_TLS1_AAD_LEN
+ unsigned valid:1;
+} EVP_CHACHA20_POLY1305_CTX;
+
+static int EVP_chacha20_poly1305_init(EVP_CIPHER_CTX *ctx,
+ const unsigned char *key,
+ const unsigned char *iv,
+ int enc)
+{
+ EVP_CHACHA20_POLY1305_CTX *aead_ctx = ctx->cipher_data;
+ memcpy(aead_ctx->key, key, 32);
+ memcpy(aead_ctx->iv, iv, 12);
+ memcpy(aead_ctx->nonce, iv, 12);
+ aead_ctx->valid = 0;
+ return 1;
+}
+
+
+static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
+ uint8_t length_bytes[8];
+ unsigned i;
+
+ for (i = 0; i < sizeof(length_bytes); i++) {
+ length_bytes[i] = data_len;
+ data_len >>= 8;
+ }
+
+ CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
+}
+
+typedef void (*aead_poly1305_update)(poly1305_state *ctx, const uint8_t *ad,
+ size_t ad_len, const uint8_t *ciphertext,
+ size_t ciphertext_len);
+
+/* aead_poly1305 fills |tag| with the authentication tag for the given
+ * inputs, using |update| to control the order and format that the inputs are
+ * signed/authenticated. */
+static void aead_poly1305(aead_poly1305_update update,
+ uint8_t tag[POLY1305_TAG_LEN],
+ const EVP_CHACHA20_POLY1305_CTX *c20_ctx,
+ const uint8_t nonce[12], const uint8_t *ad,
+ size_t ad_len, const uint8_t *ciphertext,
+ size_t ciphertext_len) {
+ uint8_t poly1305_key[32];
+ memset(poly1305_key, 0, sizeof(poly1305_key));
+ CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
+ c20_ctx->key, nonce, 0);
+ poly1305_state ctx;
+ CRYPTO_poly1305_init(&ctx, poly1305_key);
+ update(&ctx, ad, ad_len, ciphertext, ciphertext_len);
+ CRYPTO_poly1305_finish(&ctx, tag);
+}
+
+static void poly1305_update_padded_16(poly1305_state *poly1305,
+ const uint8_t *data, size_t data_len) {
+ static const uint8_t padding[16] = { 0 }; /* Padding is all zeros. */
+
+ CRYPTO_poly1305_update(poly1305, data, data_len);
+ if (data_len % 16 != 0) {
+ CRYPTO_poly1305_update(poly1305, padding, sizeof(padding) - (data_len % 16));
+ }
+}
+
+static void poly1305_update(poly1305_state *ctx, const uint8_t *ad,
+ size_t ad_len, const uint8_t *ciphertext,
+ size_t ciphertext_len) {
+ poly1305_update_padded_16(ctx, ad, ad_len);
+ poly1305_update_padded_16(ctx, ciphertext, ciphertext_len);
+ poly1305_update_length(ctx, ad_len);
+ poly1305_update_length(ctx, ciphertext_len);
+}
+
+static int EVP_chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx,
+ unsigned char *out,
+ const unsigned char *in,
+ size_t inl)
+{
+ EVP_CHACHA20_POLY1305_CTX *aead_ctx = ctx->cipher_data;
+ const uint64_t in_len_64 = inl;
+
+ if (!aead_ctx->valid)
+ return 0;
+
+ if (inl < POLY1305_TAG_LEN)
+ return -1;
+
+ if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
+ return -1;
+ }
+
+ inl -= POLY1305_TAG_LEN;
+ if (!ctx->encrypt) {
+ uint8_t tag[POLY1305_TAG_LEN];
+ aead_poly1305(poly1305_update, tag, aead_ctx, aead_ctx->nonce,
+ aead_ctx->aad, aead_ctx->aad_l, in, inl);
+ if (CRYPTO_memcmp(tag, in + inl, POLY1305_TAG_LEN) != 0) {
+ OPENSSL_cleanse(out, inl);
+ return -1;
+ }
+ CRYPTO_chacha_20(out, in, inl, aead_ctx->key, aead_ctx->nonce, 1);
+ }
+
+
+ if (ctx->encrypt) {
+ CRYPTO_chacha_20(out, in, inl, aead_ctx->key, aead_ctx->nonce, 1);
+ uint8_t tag[POLY1305_TAG_LEN];
+ aead_poly1305(poly1305_update, tag, aead_ctx, aead_ctx->nonce,
+ aead_ctx->aad, aead_ctx->aad_l, out, inl);
+
+ memcpy(out + inl, tag, POLY1305_TAG_LEN);
+ }
+
+ aead_ctx->valid = 0;
+
+ if (ctx->encrypt) {
+ return inl + POLY1305_TAG_LEN;
+ } else { /* Decryption */
+ return inl;
+ }
+}
+
+
+static int EVP_chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx)
+{
+ return 1;
+}
+
+
+static int EVP_chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx,
+ int type,
+ int arg,
+ void *ptr)
+{
+ EVP_CHACHA20_POLY1305_CTX *aead_ctx = ctx->cipher_data;
+ switch (type) {
+ case EVP_CTRL_AEAD_TLS1_AAD:
+ /* Save the AAD for later use */
+ if (arg != EVP_AEAD_TLS1_AAD_LEN)
+ return 0;
+ memcpy(aead_ctx->aad, ptr, arg);
+ aead_ctx->aad_l = arg;
+ memcpy(aead_ctx->nonce, aead_ctx->iv, sizeof(aead_ctx->nonce));
+ int xor_index;
+ for(xor_index=0; xor_index < 8; ++xor_index) {
+ aead_ctx->nonce[4 + xor_index] ^= aead_ctx->aad[xor_index];
+ }
+ /* If decrypting fix length for tag */
+ if (!ctx->encrypt) {
+ unsigned int len = (aead_ctx->aad[arg-2] << 8) |
+ aead_ctx->aad[arg-1];
+ len -= POLY1305_TAG_LEN;
+ aead_ctx->aad[arg-2] = len >> 8;
+ aead_ctx->aad[arg-1] = len & 0xff;
+ }
+ aead_ctx->valid = 1;
+ return POLY1305_TAG_LEN;
+ default:
+ return -1;
+ }
+}
+
+
+#define CUSTOM_FLAGS (\
+ EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
+ | EVP_CIPH_ALWAYS_CALL_INIT \
+ | EVP_CIPH_CUSTOM_COPY)
+
+
+static const EVP_CIPHER chacha20_poly1305 = {
+ NID_chacha20_poly1305,
+ 1, /* block size, sorta */
+ 32, /* key len */
+ 12, /* iv len */
+ CUSTOM_FLAGS|EVP_CIPH_FLAG_AEAD_CIPHER, /* flags */
+ EVP_chacha20_poly1305_init,
+ EVP_chacha20_poly1305_cipher,
+ EVP_chacha20_poly1305_cleanup,
+ sizeof(EVP_CHACHA20_POLY1305_CTX), /* ctx size */
+ NULL,
+ NULL,
+ EVP_chacha20_poly1305_ctrl,
+ NULL
+ };
+
+
+const EVP_CIPHER *EVP_chacha20_poly1305(void)
+{ return &chacha20_poly1305; }
+#endif
diff -Naur openssl-1.0.2j/crypto/evp/evp.h openssl-1.0.2j-chacha-b/crypto/evp/evp.h
--- openssl-1.0.2j/crypto/evp/evp.h 2016-09-26 05:49:07.000000000 -0400
+++ openssl-1.0.2j-chacha-b/crypto/evp/evp.h 2016-11-30 09:43:02.676078178 -0500
@@ -902,6 +902,10 @@
const EVP_CIPHER *EVP_seed_ofb(void);
# endif
+# ifndef OPENSSL_NO_CHACHA_POLY
+const EVP_CIPHER *EVP_chacha20_poly1305(void);
+# endif
+
void OPENSSL_add_all_algorithms_noconf(void);
void OPENSSL_add_all_algorithms_conf(void);
diff -Naur openssl-1.0.2j/crypto/evp/Makefile openssl-1.0.2j-chacha-b/crypto/evp/Makefile
--- openssl-1.0.2j/crypto/evp/Makefile 2016-09-26 05:49:41.000000000 -0400
+++ openssl-1.0.2j-chacha-b/crypto/evp/Makefile 2016-11-30 09:43:20.856031604 -0500
@@ -29,7 +29,8 @@
c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
- e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c
+ e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
+ e_chacha20_poly1305.c
LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\
@@ -42,7 +43,8 @@
c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o \
- e_aes_cbc_hmac_sha1.o e_aes_cbc_hmac_sha256.o e_rc4_hmac_md5.o
+ e_aes_cbc_hmac_sha1.o e_aes_cbc_hmac_sha256.o e_rc4_hmac_md5.o \
+ e_chacha20_poly1305.o
SRC= $(LIBSRC)
@@ -793,3 +795,5 @@
pmeth_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
pmeth_lib.o: ../../include/openssl/x509_vfy.h ../asn1/asn1_locl.h ../cryptlib.h
pmeth_lib.o: evp_locl.h pmeth_lib.c
+e_chacha20_poly1305.o: ../../include/openssl/chacha20poly1305.h
+e_chacha20_poly1305.o: e_chacha20_poly1305.c
diff -Naur openssl-1.0.2j/crypto/objects/obj_dat.h openssl-1.0.2j-chacha-b/crypto/objects/obj_dat.h
--- openssl-1.0.2j/crypto/objects/obj_dat.h 2016-09-26 05:49:34.000000000 -0400
+++ openssl-1.0.2j-chacha-b/crypto/objects/obj_dat.h 2016-11-30 11:07:04.203345918 -0500
@@ -62,9 +62,9 @@
* [including the GNU Public Licence.]
*/
-#define NUM_NID 958
-#define NUM_SN 951
-#define NUM_LN 951
+#define NUM_NID 959
+#define NUM_SN 952
+#define NUM_LN 952
#define NUM_OBJ 890
static const unsigned char lvalues[6255]={
@@ -2514,6 +2514,7 @@
NID_jurisdictionStateOrProvinceName,11,&(lvalues[6232]),0},
{"jurisdictionC","jurisdictionCountryName",
NID_jurisdictionCountryName,11,&(lvalues[6243]),0},
+{"CHACHA20-POLY1305","chacha20-poly1305",NID_chacha20_poly1305,0,NULL,0},
};
static const unsigned int sn_objs[NUM_SN]={
@@ -2574,6 +2575,7 @@
110, /* "CAST5-CFB" */
109, /* "CAST5-ECB" */
111, /* "CAST5-OFB" */
+958, /* "CHACHA20-POLY1305" */
894, /* "CMAC" */
13, /* "CN" */
141, /* "CRLReason" */
@@ -3728,6 +3730,7 @@
677, /* "certicom-arc" */
517, /* "certificate extensions" */
883, /* "certificateRevocationList" */
+958, /* "chacha20-poly1305" */
54, /* "challengePassword" */
407, /* "characteristic-two-field" */
395, /* "clearance" */
diff -Naur openssl-1.0.2j/crypto/objects/objects.txt openssl-1.0.2j-chacha-b/crypto/objects/objects.txt
--- openssl-1.0.2j/crypto/objects/objects.txt 2016-09-26 05:49:07.000000000 -0400
+++ openssl-1.0.2j-chacha-b/crypto/objects/objects.txt 2016-11-30 09:44:49.167805374 -0500
@@ -1294,6 +1294,7 @@
: AES-128-CBC-HMAC-SHA256 : aes-128-cbc-hmac-sha256
: AES-192-CBC-HMAC-SHA256 : aes-192-cbc-hmac-sha256
: AES-256-CBC-HMAC-SHA256 : aes-256-cbc-hmac-sha256
+ : CHACHA20-POLY1305 : chacha20-poly1305
ISO-US 10046 2 1 : dhpublicnumber : X9.42 DH
diff -Naur openssl-1.0.2j/crypto/objects/obj_mac.h openssl-1.0.2j-chacha-b/crypto/objects/obj_mac.h
--- openssl-1.0.2j/crypto/objects/obj_mac.h 2016-09-26 05:49:33.000000000 -0400
+++ openssl-1.0.2j-chacha-b/crypto/objects/obj_mac.h 2016-11-30 09:44:27.127861834 -0500
@@ -4047,6 +4047,10 @@
#define LN_aes_256_cbc_hmac_sha256 "aes-256-cbc-hmac-sha256"
#define NID_aes_256_cbc_hmac_sha256 950
+#define SN_chacha20_poly1305 "CHACHA20-POLY1305"
+#define LN_chacha20_poly1305 "chacha20-poly1305"
+#define NID_chacha20_poly1305 958
+
#define SN_dhpublicnumber "dhpublicnumber"
#define LN_dhpublicnumber "X9.42 DH"
#define NID_dhpublicnumber 920
diff -Naur openssl-1.0.2j/crypto/objects/obj_mac.num openssl-1.0.2j-chacha-b/crypto/objects/obj_mac.num
--- openssl-1.0.2j/crypto/objects/obj_mac.num 2016-09-26 05:49:32.000000000 -0400
+++ openssl-1.0.2j-chacha-b/crypto/objects/obj_mac.num 2016-11-30 09:44:37.175836093 -0500
@@ -955,3 +955,4 @@
jurisdictionLocalityName 955
jurisdictionStateOrProvinceName 956
jurisdictionCountryName 957
+chacha20_poly1305 958
diff -Naur openssl-1.0.2j/Makefile.org openssl-1.0.2j-chacha-b/Makefile.org
--- openssl-1.0.2j/Makefile.org 2016-09-26 05:49:07.000000000 -0400
+++ openssl-1.0.2j-chacha-b/Makefile.org 2016-11-30 10:16:08.403038020 -0500
@@ -103,6 +103,7 @@
CMLL_ENC=
MODES_ASM_OBJ=
ENGINES_ASM_OBJ=
+CHAPOLY_ASM=
PERLASM_SCHEME=
# KRB5 stuff
@@ -149,7 +150,7 @@
bn ec rsa dsa ecdsa dh ecdh dso engine \
buffer bio stack lhash rand err \
evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
- cms pqueue ts jpake srp store cmac
+ cms pqueue ts jpake srp store cmac chacha20_poly1305
# keep in mind that the above list is adjusted by ./Configure
# according to no-xxx arguments...
@@ -240,6 +241,7 @@
FIPSLIBDIR='${FIPSLIBDIR}' \
FIPSDIR='${FIPSDIR}' \
FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
+ CHAPOLY_ASM='$(CHAPOLY_ASM)' \
THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
# which in turn eliminates ambiguities in variable treatment with -e.
diff -Naur openssl-1.0.2j/ssl/s3_lib.c openssl-1.0.2j-chacha-b/ssl/s3_lib.c
--- openssl-1.0.2j/ssl/s3_lib.c 2016-09-26 05:49:07.000000000 -0400
+++ openssl-1.0.2j-chacha-b/ssl/s3_lib.c 2016-11-30 09:46:01.715619535 -0500
@@ -2945,6 +2945,65 @@
256},
#endif
+#if !defined(OPENSSL_NO_CHACHA_POLY)
+ /* RFC ciphers */
+ {
+ 1,
+ TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ SSL_kECDHE,
+ SSL_aRSA,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
+ },
+ {
+ 1,
+ TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ SSL_kECDHE,
+ SSL_aECDSA,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
+ },
+ {
+ 1,
+ TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
+ TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
+ SSL_kDHE,
+ SSL_aRSA,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
+ },
+ {
+ 1,
+ TLS1_TXT_PSK_WITH_CHACHA20_POLY1305,
+ TLS1_CK_PSK_WITH_CHACHA20_POLY1305,
+ SSL_kPSK,
+ SSL_aPSK,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_HIGH,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+ 256,
+ 256,
+ },
+#endif
/* end of list */
};
@@ -4090,6 +4149,7 @@
int i, ii, ok;
CERT *cert;
unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a;
+ int use_chacha = 0;
/* Let's see which ciphers we can support */
cert = s->cert;
@@ -4119,13 +4179,20 @@
fprintf(stderr, "%p:%s\n", (void *)c, c->name);
}
#endif
-
+retry:
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
prio = srvr;
allow = clnt;
+ /* Use ChaCha20+Poly1305 iff it's client's most preferred cipher suite */
+ if (sk_SSL_CIPHER_num(clnt) > 0) {
+ c = sk_SSL_CIPHER_value(clnt, 0);
+ if (c->algorithm_enc == SSL_CHACHA20POLY1305)
+ use_chacha = 1;
+ }
} else {
prio = clnt;
allow = srvr;
+ use_chacha = 1;
}
tls1_set_cert_validity(s);
@@ -4137,6 +4204,10 @@
if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s))
continue;
+ /* Skip ChaCha unless top client priority */
+ if (c->algorithm_enc == SSL_CHACHA20POLY1305 && !use_chacha)
+ continue;
+
ssl_set_cert_masks(cert, c);
mask_k = cert->mask_k;
mask_a = cert->mask_a;
@@ -4216,6 +4287,14 @@
break;
}
}
+
+ if (ret == NULL && !use_chacha) {
+ /* If no shared cipher was found due to some unusual preferences, try
+ * again with CHACHA enabled even if not top priority */
+ use_chacha = 1;
+ goto retry;
+ }
+
return (ret);
}
diff -Naur openssl-1.0.2j/ssl/ssl_ciph.c openssl-1.0.2j-chacha-b/ssl/ssl_ciph.c
--- openssl-1.0.2j/ssl/ssl_ciph.c 2016-09-26 05:49:07.000000000 -0400
+++ openssl-1.0.2j-chacha-b/ssl/ssl_ciph.c 2016-11-30 09:47:05.087457855 -0500
@@ -164,11 +164,12 @@
#define SSL_ENC_SEED_IDX 11
#define SSL_ENC_AES128GCM_IDX 12
#define SSL_ENC_AES256GCM_IDX 13
-#define SSL_ENC_NUM_IDX 14
+#define SSL_ENC_CHACHA20POLY1305_IDX 14
+#define SSL_ENC_NUM_IDX 15
static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
- NULL, NULL
+ NULL, NULL, NULL
};
#define SSL_COMP_NULL_IDX 0
@@ -315,6 +316,7 @@
{0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA128 | SSL_CAMELLIA256, 0, 0, 0,
0, 0, 0},
+ {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, 0, 0, 0},
/* MAC aliases */
{0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0},
@@ -431,6 +433,9 @@
ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] =
EVP_get_cipherbyname(SN_aes_256_gcm);
+ ssl_cipher_methods[SSL_ENC_CHACHA20POLY1305_IDX] =
+ EVP_chacha20_poly1305();
+
ssl_digest_methods[SSL_MD_MD5_IDX] = EVP_get_digestbyname(SN_md5);
ssl_mac_secret_size[SSL_MD_MD5_IDX] =
EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
@@ -581,6 +586,9 @@
case SSL_AES256GCM:
i = SSL_ENC_AES256GCM_IDX;
break;
+ case SSL_CHACHA20POLY1305:
+ i = SSL_ENC_CHACHA20POLY1305_IDX;
+ break;
default:
i = -1;
break;
@@ -805,6 +813,9 @@
(ssl_cipher_methods[SSL_ENC_GOST89_IDX] ==
NULL) ? SSL_eGOST2814789CNT : 0;
*enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED : 0;
+ *enc |=
+ (ssl_cipher_methods[SSL_ENC_CHACHA20POLY1305_IDX] ==
+ NULL) ? SSL_CHACHA20POLY1305 : 0;
*mac |= (ssl_digest_methods[SSL_MD_MD5_IDX] == NULL) ? SSL_MD5 : 0;
*mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0;
@@ -1824,6 +1835,9 @@
case SSL_eGOST2814789CNT:
enc = "GOST89(256)";
break;
+ case SSL_CHACHA20POLY1305:
+ enc = "ChaCha20-Poly1305";
+ break;
default:
enc = "unknown";
break;
diff -Naur openssl-1.0.2j/ssl/ssl.h openssl-1.0.2j-chacha-b/ssl/ssl.h
--- openssl-1.0.2j/ssl/ssl.h 2016-09-26 05:49:07.000000000 -0400
+++ openssl-1.0.2j-chacha-b/ssl/ssl.h 2016-11-30 09:46:12.019593142 -0500
@@ -297,6 +297,7 @@
# define SSL_TXT_CAMELLIA128 "CAMELLIA128"
# define SSL_TXT_CAMELLIA256 "CAMELLIA256"
# define SSL_TXT_CAMELLIA "CAMELLIA"
+# define SSL_TXT_CHACHA20 "CHACHA20"
# define SSL_TXT_MD5 "MD5"
# define SSL_TXT_SHA1 "SHA1"
diff -Naur openssl-1.0.2j/ssl/ssl_locl.h openssl-1.0.2j-chacha-b/ssl/ssl_locl.h
--- openssl-1.0.2j/ssl/ssl_locl.h 2016-09-26 05:49:07.000000000 -0400
+++ openssl-1.0.2j-chacha-b/ssl/ssl_locl.h 2016-11-30 09:47:21.327416453 -0500
@@ -354,6 +354,7 @@
# define SSL_SEED 0x00000800L
# define SSL_AES128GCM 0x00001000L
# define SSL_AES256GCM 0x00002000L
+# define SSL_CHACHA20POLY1305 0x00080000L /* Value from openssl */
# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
# define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
diff -Naur openssl-1.0.2j/ssl/tls1.h openssl-1.0.2j-chacha-b/ssl/tls1.h
--- openssl-1.0.2j/ssl/tls1.h 2016-09-26 05:49:07.000000000 -0400
+++ openssl-1.0.2j-chacha-b/ssl/tls1.h 2016-11-30 09:47:40.743366950 -0500
@@ -563,6 +563,15 @@
# define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256 0x0300C031
# define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032
+/* ChaCha20-Poly1305 ciphersuites from RFC */
+# define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305 0x0300CCA8
+# define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 0x0300CCA9
+# define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305 0x0300CCAA
+# define TLS1_CK_PSK_WITH_CHACHA20_POLY1305 0x0300CCAB
+# define TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305 0x0300CCAC
+# define TLS1_CK_DHE_PSK_WITH_CHACHA20_POLY1305 0x0300CCAD
+# define TLS1_CK_RSA_PSK_WITH_CHACHA20_POLY1305 0x0300CCAE
+
/*
* XXX * Backward compatibility alert: + * Older versions of OpenSSL gave
* some DHE ciphers names with "EDH" + * instead of "DHE". Going forward, we
@@ -713,6 +722,15 @@
# define TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256 "ECDH-RSA-AES128-GCM-SHA256"
# define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384"
+/* Chacha20-Poly1305 ciphersuites from RFC */
+# define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 "ECDHE-RSA-CHACHA20-POLY1305"
+# define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305"
+# define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305"
+# define TLS1_TXT_PSK_WITH_CHACHA20_POLY1305 "PSK-CHACHA20-POLY1305"
+# define TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305 "ECDHE-PSK-CHACHA20-POLY1305"
+# define TLS1_TXT_DHE_PSK_WITH_CHACHA20_POLY1305 "DHE-PSK-CHACHA20-POLY1305"
+# define TLS1_TXT_RSA_PSK_WITH_CHACHA20_POLY1305 "RSA-PSK-CHACHA20-POLY1305"
+
# define TLS_CT_RSA_SIGN 1
# define TLS_CT_DSS_SIGN 2
# define TLS_CT_RSA_FIXED_DH 3