OpenSSL: Add support for Chacha20-Poly1305 to kernel TLS on FreeBSD.

FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3. NB: This commit has not yet been merged upstream as it is deemed a new feature and did not make the feature freeze cutoff for OpenSSL 3.0. Reviewed by: jkim MFC after: 5 days Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D31443
2021-08-17 14:40:16 -07:00 · 2021-08-17 14:40:16 -07:00 · 6372fd253e
commit 6372fd253e
parent d6e78ecb0b
2 changed files with 15 additions and 0 deletions
--- a/crypto/openssl/include/internal/ktls.h
+++ b/crypto/openssl/include/internal/ktls.h
@ -38,6 +38,11 @@
 #   define OPENSSL_KTLS_AES_GCM_128
 #   define OPENSSL_KTLS_AES_GCM_256
 #   define OPENSSL_KTLS_TLS13
+#   ifdef TLS_CHACHA20_IV_LEN
+#    ifndef OPENSSL_NO_CHACHA
+#     define OPENSSL_KTLS_CHACHA20_POLY1305
+#    endif
+#   endif

 typedef struct tls_enable ktls_crypto_info_t;

--- a/crypto/openssl/ssl/ktls.c
+++ b/crypto/openssl/ssl/ktls.c
@ -37,6 +37,10 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
    case SSL_AES128GCM:
    case SSL_AES256GCM:
        return 1;
+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
+    case SSL_CHACHA20POLY1305:
+        return 1;
+# endif
    case SSL_AES128:
    case SSL_AES256:
        if (s->ext.use_etm)
@ -71,6 +75,12 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
        else
            crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
        break;
+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
+    case SSL_CHACHA20POLY1305:
+        crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305;
+        crypto_info->iv_len = EVP_CIPHER_CTX_iv_length(dd);
+        break;
+# endif
    case SSL_AES128:
    case SSL_AES256:
        switch (s->s3->tmp.new_cipher->algorithm_mac) {