Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@

5 files changed, 81 insertions, 7 deletions

diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 939557e48ee..fa7df59779c 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.60 2014/06/13 13:21:09 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.61 2014/06/13 13:28:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2287,6 +2287,57 @@ SSL_CIPHER ssl3_ciphers[] = {
 		.alg_bits = 256
 	},
 #endif
+
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+	{
+		.valid = 1,
+		.name = TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+		.id = TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
+		.algorithm_mkey = SSL_kEECDH,
+		.algorithm_auth = SSL_aRSA,
+		.algorithm_enc = SSL_CHACHA20POLY1305,
+		.algorithm_mac = SSL_AEAD,
+		.algorithm_ssl = SSL_TLSV1_2,
+		.algo_strength = SSL_NOT_EXP|SSL_HIGH,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
+		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
+		.strength_bits = 256,
+		.alg_bits = 0,
+	},
+
+	{
+		.valid = 1,
+		.name = TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+		.id = TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
+		.algorithm_mkey = SSL_kEECDH,
+		.algorithm_auth = SSL_aECDSA,
+		.algorithm_enc = SSL_CHACHA20POLY1305,
+		.algorithm_mac = SSL_AEAD,
+		.algorithm_ssl = SSL_TLSV1_2,
+		.algo_strength = SSL_NOT_EXP|SSL_HIGH,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
+		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
+		.strength_bits = 256,
+		.alg_bits = 0,
+	},
+
+	{
+		.valid = 1,
+		.name = TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
+		.id = TLS1_CK_DHE_RSA_CHACHA20_POLY1305,
+		.algorithm_mkey = SSL_kEDH,
+		.algorithm_auth = SSL_aRSA,
+		.algorithm_enc = SSL_CHACHA20POLY1305,
+		.algorithm_mac = SSL_AEAD,
+		.algorithm_ssl = SSL_TLSV1_2,
+		.algo_strength = SSL_NOT_EXP|SSL_HIGH,
+		.algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|
+		    SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(0),
+		.strength_bits = 256,
+		.alg_bits = 0,
+	},
+#endif
+
 	/* end of list */
 };
 
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 1a2bdf76285..3e09bd35219 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.55 2014/06/13 11:52:03 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.56 2014/06/13 13:28:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -289,6 +289,7 @@ extern "C" {
 #define SSL_TXT_CAMELLIA128	"CAMELLIA128"
 #define SSL_TXT_CAMELLIA256	"CAMELLIA256"
 #define SSL_TXT_CAMELLIA	"CAMELLIA"
+#define SSL_TXT_CHACHA20	"CHACHA20"
 
 #define SSL_TXT_MD5		"MD5"
 #define SSL_TXT_SHA1		"SHA1"
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index 25291bfd4ac..a89c8253c8f 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.52 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.53 2014/06/13 13:28:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -916,6 +916,11 @@ ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
 		*aead = EVP_aead_aes_256_gcm();
 		return 1;
 #endif
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+	case SSL_CHACHA20POLY1305:
+		*aead = EVP_aead_chacha20_poly1305();
+		return 1;
+#endif
 	default:
 		break;
 	}
@@ -1617,7 +1622,11 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
 	ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
 
-	/* AES is our preferred symmetric cipher */
+	/*
+	 * CHACHA20 is fast and safe on all hardware and is thus our preferred
+	 * symmetric cipher, with AES second.
+	 */
+	ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
 	ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
 
 	/* Temporarily enable everything else for sorting */
@@ -1871,6 +1880,9 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_SEED:
 		enc="SEED(128)";
 		break;
+	case SSL_CHACHA20POLY1305:
+		enc = "ChaCha20-Poly1305";
+		break;
 	default:
 		enc="unknown";
 		break;
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index ea5f8c3d4e5..6ce2e17a155 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.50 2014/06/13 10:52:24 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.51 2014/06/13 13:28:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -296,6 +296,7 @@
 #define SSL_SEED		0x00000800L
 #define SSL_AES128GCM		0x00001000L
 #define SSL_AES256GCM		0x00002000L
+#define SSL_CHACHA20POLY1305	0x00004000L
 
 #define SSL_AES        		(SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
 #define SSL_CAMELLIA		(SSL_CAMELLIA128|SSL_CAMELLIA256)
diff --git a/lib/libssl/tls1.h b/lib/libssl/tls1.h
index dbe8979a883..3bbb2acc2ff 100644
--- a/lib/libssl/tls1.h
+++ b/lib/libssl/tls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls1.h,v 1.18 2014/06/13 04:29:13 miod Exp $ */
+/* $OpenBSD: tls1.h,v 1.19 2014/06/13 13:28:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -479,7 +479,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA	0x0300C022
 
 /* ECDH HMAC based ciphersuites from RFC5289 */
-
 #define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256         0x0300C023
 #define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384         0x0300C024
 #define TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256          0x0300C025
@@ -499,6 +498,11 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256        0x0300C031
 #define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384        0x0300C032
 
+/* ChaCha20-Poly1305 based ciphersuites. */
+#define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305		0x0300CC13
+#define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305		0x0300CC14
+#define TLS1_CK_DHE_RSA_CHACHA20_POLY1305		0x0300CC15
+
 /* XXX
  * Inconsistency alert:
  * The OpenSSL names of ciphers with ephemeral DH here include the string
@@ -650,6 +654,11 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256       "ECDH-RSA-AES128-GCM-SHA256"
 #define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384       "ECDH-RSA-AES256-GCM-SHA384"
 
+/* ChaCha20-Poly1305 based ciphersuites. */
+#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305	"ECDHE-RSA-CHACHA20-POLY1305"
+#define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305	"ECDHE-ECDSA-CHACHA20-POLY1305"
+#define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305		"DHE-RSA-CHACHA20-POLY1305"
+
 #define TLS_CT_RSA_SIGN			1
 #define TLS_CT_DSS_SIGN			2
 #define TLS_CT_RSA_FIXED_DH		3