1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Eneas U de Queiroz <cote2004-github@yahoo.com>
3 Date: Thu, 27 Sep 2018 08:44:39 -0300
4 Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
6 This enables a compile-time option to prefer ChaCha20-Poly1305 over
7 AES-GCM in the openssl default ciphersuite, which is useful in systems
8 without AES specific CPU instructions.
9 OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it.
11 Note that this does not have the same effect as the
12 SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only
13 when the client has it on top of its ciphersuite preference.
15 Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
17 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
18 --- a/include/openssl/ssl.h
19 +++ b/include/openssl/ssl.h
20 @@ -173,9 +173,15 @@ extern "C" {
21 # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
22 /* This is the default set of TLSv1.3 ciphersuites */
23 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
24 -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
25 - "TLS_CHACHA20_POLY1305_SHA256:" \
26 - "TLS_AES_128_GCM_SHA256"
27 +# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
28 +# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
29 + "TLS_AES_256_GCM_SHA384:" \
30 + "TLS_AES_128_GCM_SHA256"
32 +# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
33 + "TLS_CHACHA20_POLY1305_SHA256:" \
34 + "TLS_AES_128_GCM_SHA256"
37 # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
38 "TLS_AES_128_GCM_SHA256"
39 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
42 @@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
43 ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
47 + * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305
48 + * will be placed before AES-256. Otherwise, the default behavior of
49 + * preferring GCM over CHACHA is used.
50 + * This is useful for systems that do not have AES-specific CPU
51 + * instructions, where ChaCha20-Poly1305 is 3 times faster than AES.
52 + * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA
53 + * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top
54 + * of its ciphersuite preference.
57 +#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
58 + ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
60 + ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
63 /* Within each strength group, we prefer GCM over CHACHA... */
64 ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
66 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
71 * ...and generally, our preferred cipher is AES.
72 @@ -1527,7 +1545,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
73 * Within each group, ciphers remain sorted by strength and previous
77 + * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined