Commit e1c7871d authored by Todd Short, committed by Pauli

Use ChaCha only if prioritized by clnt



IFF the client has ChaCha first, and server cipher priority is used,
and the new SSL_OP_PRIORITIZE_CHACHA_FOR_MOBILE option is used,
then reprioritize ChaCha above everything else. This way, a matching
ChaCha cipher will be selected if there is a match. If no ChaCha ciphers
match, then the other ciphers are used.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4436)
parent 92b1b9a8
+4 −0
@@ -204,6 +204,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
        OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
        OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
        OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, \
        OPT_S_PRIORITIZE_CHACHA, \
        OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
        OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
        OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
@@ -233,6 +234,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
            "Disallow initial connection to servers that don't support RI"}, \
        {"allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', \
            "In TLSv1.3 allow non-(ec)dhe based key exchange on resumption"}, \
        {"prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', \
            "Prioritize ChaCha ciphers when preferred by clients"}, \
        {"strict", OPT_S_STRICT, '-', \
            "Enforce strict certificate checks as per TLS standard"}, \
        {"sigalgs", OPT_S_SIGALGS, 's', \
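Review bot: the help string for "prioritize_chacha" in this hunk does not mention the dependency on server preference, while the s_server documentation added in the same commit says "Requires B<-serverpref>". An operator reading the -help output gets no hint that the option needs -serverpref alongside it. Suggest "Prioritize ChaCha ciphers when preferred by clients (requires -serverpref)".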
@@ -270,6 +273,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
        case OPT_S_ONRESUMP: \
        case OPT_S_NOLEGACYCONN: \
        case OPT_S_ALLOW_NO_DHE_KEX: \
        case OPT_S_PRIORITIZE_CHACHA: \
        case OPT_S_STRICT: \
        case OPT_S_SIGALGS: \
        case OPT_S_CLIENTSIGALGS: \
+9 −1
@@ -105,6 +105,7 @@ B<openssl> B<s_server>
[B<-no_resumption_on_reneg>]
[B<-no_legacy_server_connect>]
[B<-allow_no_dhe_kex>]
[B<-prioritize_chacha>]
[B<-strict>]
[B<-sigalgs val>]
[B<-client_sigalgs val>]
@@ -510,6 +511,10 @@ Disable RFC4507bis session ticket support.

Use the server's cipher preferences, rather than the client's preferences.

=item B<-prioritize_chacha>

Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.

=item B<-no_resumption_on_reneg>

Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.
@@ -718,7 +723,10 @@ L<SSL_CTX_set_max_pipelines(3)>

=head1 HISTORY

The -no_alt_chains options was first added to OpenSSL 1.1.0.
The -no_alt_chains option was first added to OpenSSL 1.1.0.

The -allow-no-dhe-kex and -prioritize_chacha options were first added to
OpenSSL 1.1.1.

=head1 COPYRIGHT
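Review bot: the new HISTORY sentence spells the option "-allow-no-dhe-kex" with hyphens, but the synopsis in this same file lists it as [B<-allow_no_dhe_kex>] with underscores. Suggest "The -allow_no_dhe_kex and -prioritize_chacha options were first added to OpenSSL 1.1.1." so the name matches what is typed on the command line.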

+20 −6
@@ -171,6 +171,13 @@ Use server and not client preference order when determining which cipher suite,
signature algorithm or elliptic curve to use for an incoming connection.
Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.

=item B<-prioritize_chacha>

Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of
its preference list. This usually indicates a client without AES hardware
acceleration (e.g. mobile) is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>.
Only used by servers. Requires B<-serverpref>.

=item B<-no_resumption_on_reneg>

set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
@@ -382,21 +389,26 @@ B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>.
B<DHSingle>: enable single use DH keys, set by default. Inverse of
B<SSL_OP_DH_SINGLE>. Only used by servers.

B<ECDHSingle> enable single use ECDH keys, set by default. Inverse of
B<ECDHSingle>: enable single use ECDH keys, set by default. Inverse of
B<SSL_OP_ECDH_SINGLE>. Only used by servers.

B<ServerPreference> use server and not client preference order when
B<ServerPreference>: use server and not client preference order when
determining which cipher suite, signature algorithm or elliptic curve
to use for an incoming connection.  Equivalent to
B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.

B<NoResumptionOnRenegotiation> set
B<PrioritizeChaCha>: prioritizes ChaCha ciphers when the client has a
ChaCha20 cipher at the top of its preference list. This usually indicates
a mobile client is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>.
Only used by servers.

B<NoResumptionOnRenegotiation>: set
B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers.

B<UnsafeLegacyRenegotiation> permits the use of unsafe legacy renegotiation.
B<UnsafeLegacyRenegotiation>: permits the use of unsafe legacy renegotiation.
Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.

B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation
B<UnsafeLegacyServerConnect>: permits the use of unsafe legacy renegotiation
for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>.
Set by default.
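Review bot: the B<PrioritizeChaCha> entry omits the dependency on B<ServerPreference>, although the B<-prioritize_chacha> item earlier in this file ends with "Requires B<-serverpref>". The two entries also describe the trigger differently: here it "usually indicates a mobile client", there "a client without AES hardware acceleration (e.g. mobile)". Suggest using the same wording in both places and adding "Requires B<ServerPreference>." to this entry.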

@@ -595,9 +607,11 @@ B<SSL_CONF_TYPE_UNKNOWN>.

B<MinProtocol> and B<MaxProtocol> where added in OpenSSL 1.1.0.

B<AllowNoDHEKEX> and B<PrioritizeChaCha> were added in OpenSSL 1.1.1.

=head1 COPYRIGHT

Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2012-2017 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
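Review bot: the context line directly above the new HISTORY sentence reads "where added in OpenSSL 1.1.0"; since this hunk already edits the section, correct it to "were added" so it matches the new line "B<AllowNoDHEKEX> and B<PrioritizeChaCha> were added in OpenSSL 1.1.1."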
+12 −1
@@ -180,6 +180,15 @@ messages, and ignore renegotiation requests via ClientHello.
In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
that there will be no forward secrecy for the resumed session.

=item SSL_OP_PRIORITIZE_CHACHA

When SSL_OP_CIPHER_SERVER_PREFERENCE is set, temporarily reprioritize
ChaCha20-Poly1305 ciphers to the top of the server cipher list if a
ChaCha20-Poly1305 cipher is at the top of the client cipher list. This helps
those clients (e.g. mobile) use ChaCha20-Poly1305 if that cipher is anywhere
in the server cipher list; but still allows other clients to use AES and other
ciphers. Requires B<SSL_OP_CIPHER_SERVER_PREFERENCE>.

=back

The following options no longer have any effect but their identifiers are
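Review bot: the SSL_OP_PRIORITIZE_CHACHA entry states the dependency twice (it opens with "When SSL_OP_CIPHER_SERVER_PREFERENCE is set" and closes with "Requires B<SSL_OP_CIPHER_SERVER_PREFERENCE>") but never says what happens when the option is set without it. Suggest replacing the closing sentence with an explicit statement of that case, for example that the option is then ignored, if that is the behaviour. It would also help to state outright that only ChaCha20-Poly1305 suites already present in the server cipher list can be chosen, so the client's ordering cannot enable a suite the server has not configured; the phrase "anywhere in the server cipher list" implies this but does not say it.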
@@ -306,9 +315,11 @@ L<dhparam(1)>
The attempt to always try to use secure renegotiation was added in
Openssl 0.9.8m.

B<SSL_OP_PRIORITIZE_CHACHA> was added in OpenSSL 1.1.1.

=head1 COPYRIGHT

Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
+3 −0
@@ -338,6 +338,9 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        0x00040000U
/* Disable encrypt-then-mac */
# define SSL_OP_NO_ENCRYPT_THEN_MAC                      0x00080000U
/* Prioritize Chacha20Poly1305 when client does.
 * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE */
# define SSL_OP_PRIORITIZE_CHACHA                        0x00200000U
/*
 * Set on servers to choose the cipher according to the server's preferences
 */
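Review bot: the macro added in this hunk is SSL_OP_PRIORITIZE_CHACHA, but the commit message refers to "the new SSL_OP_PRIORITIZE_CHACHA_FOR_MOBILE option"; one of the two should be corrected so the log and the header agree. The comment above the define also starts its text on the "/*" line, unlike the neighbouring block that puts "/*" and " */" on their own lines around " * Set on servers ..."; suggest the same layout, and the spelling "ChaCha20-Poly1305" used in the documentation rather than "Chacha20Poly1305".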