1 From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001
2 From: Eneas U de Queiroz <cote2004-github@yahoo.com>
3 Date: Thu, 27 Sep 2018 08:44:39 -0300
4 Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
6 This enables a compile-time option to prefer ChaCha20-Poly1305 over
7 AES-GCM in the openssl default ciphersuite, which is useful in systems
8 without AES specific CPU instructions.
9 OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it.
11 Note that this does not have the same effect as the
12 SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only
13 when the client has it on top of its ciphersuite preference.
15 Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
17 diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
18 index 6724ccf2d2..96d959427e 100644
19 --- a/include/openssl/ssl.h
20 +++ b/include/openssl/ssl.h
21 @@ -173,9 +173,15 @@ extern "C" {
22 # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
23 /* This is the default set of TLSv1.3 ciphersuites */
24 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
25 -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
26 - "TLS_CHACHA20_POLY1305_SHA256:" \
27 - "TLS_AES_128_GCM_SHA256"
28 +# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
29 +# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
30 + "TLS_AES_256_GCM_SHA384:" \
31 + "TLS_AES_128_GCM_SHA256"
33 +# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
34 + "TLS_CHACHA20_POLY1305_SHA256:" \
35 + "TLS_AES_128_GCM_SHA256"
38 # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
39 "TLS_AES_128_GCM_SHA256"
40 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
41 index 27a1b2ec68..7039811323 100644
44 @@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
45 ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
49 + * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305
50 + * will be placed before AES-256. Otherwise, the default behavior of
51 + * preferring GCM over CHACHA is used.
52 + * This is useful for systems that do not have AES-specific CPU
53 + * instructions, where ChaCha20-Poly1305 is 3 times faster than AES.
54 + * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA
55 + * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top
56 + * of its ciphersuite preference.
59 +#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
60 + ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
62 + ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
65 /* Within each strength group, we prefer GCM over CHACHA... */
66 ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
68 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
73 * ...and generally, our preferred cipher is AES.
74 @@ -1527,7 +1545,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
75 * Within each group, ciphers remain sorted by strength and previous
79 + * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined