140-allow-prefer-chacha20.patch 3.7 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182
  1. From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001
  2. From: Eneas U de Queiroz <cote2004-github@yahoo.com>
  3. Date: Thu, 27 Sep 2018 08:44:39 -0300
  4. Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
  5. This enables a compile-time option to prefer ChaCha20-Poly1305 over
  6. AES-GCM in the openssl default ciphersuite, which is useful in systems
  7. without AES specific CPU instructions.
  8. OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it.
  9. Note that this does not have the same effect as the
  10. SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only
  11. when the client has it on top of its ciphersuite preference.
  12. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
  13. diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
  14. index 6724ccf2d2..96d959427e 100644
  15. --- a/include/openssl/ssl.h
  16. +++ b/include/openssl/ssl.h
  17. @@ -173,9 +173,15 @@ extern "C" {
  18. # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
  19. /* This is the default set of TLSv1.3 ciphersuites */
  20. # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
  21. -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
  22. - "TLS_CHACHA20_POLY1305_SHA256:" \
  23. - "TLS_AES_128_GCM_SHA256"
  24. +# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
  25. +# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
  26. + "TLS_AES_256_GCM_SHA384:" \
  27. + "TLS_AES_128_GCM_SHA256"
  28. +# else
  29. +# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
  30. + "TLS_CHACHA20_POLY1305_SHA256:" \
  31. + "TLS_AES_128_GCM_SHA256"
  32. +# endif
  33. # else
  34. # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
  35. "TLS_AES_128_GCM_SHA256"
  36. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
  37. index 27a1b2ec68..7039811323 100644
  38. --- a/ssl/ssl_ciph.c
  39. +++ b/ssl/ssl_ciph.c
  40. @@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  41. ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
  42. &tail);
  43. + /*
  44. + * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305
  45. + * will be placed before AES-256. Otherwise, the default behavior of
  46. + * preferring GCM over CHACHA is used.
  47. + * This is useful for systems that do not have AES-specific CPU
  48. + * instructions, where ChaCha20-Poly1305 is 3 times faster than AES.
  49. + * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA
  50. + * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top
  51. + * of its ciphersuite preference.
  52. + */
  53. +
  54. +#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
  55. + ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
  56. + &head, &tail);
  57. + ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
  58. + &head, &tail);
  59. +#else
  60. /* Within each strength group, we prefer GCM over CHACHA... */
  61. ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
  62. &head, &tail);
  63. ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
  64. &head, &tail);
  65. +#endif
  66. /*
  67. * ...and generally, our preferred cipher is AES.
  68. @@ -1527,7 +1545,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  69. * Within each group, ciphers remain sorted by strength and previous
  70. * preference, i.e.,
  71. * 1) ECDHE > DHE
  72. - * 2) GCM > CHACHA
  73. + * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined
  74. * 3) AES > rest
  75. * 4) TLS 1.2 > legacy
  76. *