authorJohn Baldwin <jhb@FreeBSD.org>2021-08-17 21:40:16 +0000
committerJohn Baldwin <jhb@FreeBSD.org>2021-08-17 21:41:42 +0000
commit6372fd253e3266c6eb271f49159f1632d527c9bd (patch)
tree83bbd9f1dfe75ea3192efb9f8f2bb1981b01468e
parentd6e78ecb0bcd5af750c72745c4c51fe211046bff (diff)
OpenSSL: Add support for Chacha20-Poly1305 to kernel TLS on FreeBSD.
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3. NB: This commit has not yet been merged upstream as it is deemed a new feature and did not make the feature freeze cutoff for OpenSSL 3.0. Reviewed by: jkim MFC after: 5 days Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D31443
-rw-r--r--crypto/openssl/include/internal/ktls.h5
-rw-r--r--crypto/openssl/ssl/ktls.c10
2 files changed, 15 insertions, 0 deletions
diff --git a/crypto/openssl/include/internal/ktls.h b/crypto/openssl/include/internal/ktls.h
index e824cf3f3f92..5f9e3f91edb2 100644
--- a/crypto/openssl/include/internal/ktls.h
+++ b/crypto/openssl/include/internal/ktls.h
@@ -38,6 +38,11 @@
# define OPENSSL_KTLS_AES_GCM_128
# define OPENSSL_KTLS_AES_GCM_256
# define OPENSSL_KTLS_TLS13
+# ifdef TLS_CHACHA20_IV_LEN
+# ifndef OPENSSL_NO_CHACHA
+# define OPENSSL_KTLS_CHACHA20_POLY1305
+# endif
+# endif
typedef struct tls_enable ktls_crypto_info_t;
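Review bot: The new guard uses `TLS_CHACHA20_IV_LEN` as a stand-in for "the kernel header knows ChaCha20-Poly1305", and nothing in the block says so. A one-line comment above the `# ifdef`, for example `/* TLS_CHACHA20_IV_LEN doubles as the feature test for Chacha20-Poly1305 support in the kernel TLS header */`, would stop a later reader from treating it as an unrelated length check. The inner test covers only `OPENSSL_NO_CHACHA`; if builds with `OPENSSL_NO_POLY1305` are supported in this tree, the condition presumably wants both, `# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)`. This is a build-time probe only, so whether the running kernel accepts the cipher is still decided where the socket option is set, outside this hunk.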
diff --git a/crypto/openssl/ssl/ktls.c b/crypto/openssl/ssl/ktls.c
index 47328a7c7c73..c7a440b79bd2 100644
--- a/crypto/openssl/ssl/ktls.c
+++ b/crypto/openssl/ssl/ktls.c
@@ -37,6 +37,10 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
case SSL_AES128GCM:
case SSL_AES256GCM:
return 1;
+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
+ case SSL_CHACHA20POLY1305:
+ return 1;
+# endif
case SSL_AES128:
case SSL_AES256:
if (s->ext.use_etm)
@@ -71,6 +75,12 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
else
crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
break;
+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
+ case SSL_CHACHA20POLY1305:
+ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305;
+ crypto_info->iv_len = EVP_CIPHER_CTX_iv_length(dd);
+ break;
+# endif
case SSL_AES128:
case SSL_AES256:
switch (s->s3->tmp.new_cipher->algorithm_mac) {
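Review bot: In the new `SSL_CHACHA20POLY1305` case, `iv_len` is read from `EVP_CIPHER_CTX_iv_length(dd)` at run time, whereas the AES-GCM branch just above it assigns a fixed constant (`EVP_GCM_TLS_FIXED_IV_LEN`). The field presumably tells the kernel how many IV bytes to consume, so it is safer to pin it to the length the kernel header advertises before assigning it: `if (EVP_CIPHER_CTX_iv_length(dd) != TLS_CHACHA20_IV_LEN) return 0;`, assuming 0 is this function's failure return, which is not visible here. That also rejects an error return from the EVP call instead of storing it as a length. The body of ktls_configure_crypto starts and ends outside the hunk, so the later use of `iv_len` should be checked against the full function.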