Chacha20_Poly1305


#1

This https://tools.ietf.org/html/rfc7539 is the definition of CHACHA20_POLY1305, it has nothing todo with Elliptic Curve.
Also there is an older draft that is the reason there are two sets of cipher suites. One now called old and an RFC conformant. That use different AEAD construction.


#2

thanks for heads up… was wondering why dev.ssllabs.com reports OLD prefix in front of chacha20_poly1305. I am using LibreSSL 2.2.5 with Nginx 1.9 for chacha20_poly1305 support


#3

looks like i need to start looking at LibreSSL 2.3.2 https://github.com/libressl-portable/portable/commit/d7317353a98930650711fa94c6110b16f191d4f2

* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
  construction introduced in RFC 7539, which is different than that
  already used in TLS with EVP_aead_chacha20_poly1305()

#4

I’m also on LibreSSL … however, I’d keep an eye on OpenSSL 1.1 as they’re in the process of releasing a version with proper chacha20_poly1305 support according to https://www.openssl.org/news/openssl-1.1.0-notes.html


#5

You can try cloudflare patch, it works fine with openssl 1.0.2
adds only chacha20 poly1305


#6

ah almost forgot, just patched OpenSSL 1.0.2f as well as my Nginx stack can switch between LibreSSL 2.2.6 and OpenSSL 1.0.2f https://community.centminmod.com/threads/update-openssl-1-0-2-cloudflare-patch-for-chacha20_poly1305-support.5925/ :slight_smile:


#7

Hi @eva2000, just to be the one to disappoint you: I just installed libressl-2.3.2 and found the available chacha20_poly1305 to use the old IDs 0xcc13–0xcc15 instead of 0xcca8–0xccaa.

$ openssl version
LibreSSL 2.3.2
$ openssl ciphers -V CHACHA20
      0xCC,0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
      0xCC,0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
      0xCC,0x15 - DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD

#8

yeah same here tried 2.3.2 and it has yet to merge or commit the newer chacha20_poly1305 in yet :frowning:


#9

@ecdsa-chacha20 LibreSSL 2.3.2 is official out now http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.2-relnotes.txt but if according to your ID info still old ?

openssl ciphers -V CHACHA20
          0xCC,0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
          0xCC,0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
          0xCC,0x15 - DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD

#10

Hi, yes these 3 types are the old non rfc version.
The new one are:
“TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256” , 0xCCa8
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" , 0xCCa9
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305" , 0xCCAA


#11

posted a question at https://github.com/libressl-portable/portable/issues/170 then :slight_smile:


#12

There are two Differences:
one is the calculation of the poly tag:
RFC : Poly1305( 16BytePadded(aad) , 16BytePadded(data) , 64bit(aad.length), 64bit(data.length) )
DRAFT: Poly1305( aad , 64bit(aad.length) , data , 64bit(data.length) )
And the other is different nonce initialization.


#13

Hi, im running nginx 1.9.12 with LibreSSL 2.3.2 and also get these three old Suites when typing in:

$ openssl ciphers -V CHACHA20 0xCC,0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD 0xCC,0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD 0xCC,0x15 - DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD

Could there be any changes in telling nginx to use the new Ciphers by adding different Parameters in the nginx config files?


#14

@Henrock, no way. It’s not nginx to know ciphers, it’s the SSL library. Additionally, the new ciphers are a little different than the one LibreSSL 2.3.2 supports. So either switch to OpenSSL 1.1 or wait for the LibreSSL guys to catch up.


#15

@ecdsa-chacha20 Haha, i know it’s not nginx that includes these ciphers, i only meant that maybe there is a parameter to set in cfg of nginx to activate the ssl libraries newer ChaCha20-Poly1305 Ciphers…
But anyways, thank you.


#16

CloudFlare has a new patch for OpenSSL 1.0.2g with the old ánd new ChaChaPolysomething :slight_smile: Works like a charm on my server, when I edited the patch a little bit.


#17

BTW OpenSSL 1.1.0 also adds ChaCha20-Poly1305 support (among support for x25519 and such stuff). However it is in beta…

And the Cloudflare patch for OpenSSL 1.0.2 is - unfortunately - outdated as the latest release (which fixes some security issues) is OpenSSL 1.0.2h.


#18

Compiles semi-fine on my Gentoo system… I’ve got an extra patch for the Makefile, because it would fail otherwise: https://gist.github.com/osirisinferi/60c1a2e8bff6df464ba12fd45f6ed0c1

And I’ve moved one line in the original patch:

osiris@server openssl $ diff /tmp/original-chacha-patch-from-cloudflare.patch openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch 
4433a4434
> +    poly1305_state poly_state;
4438d4438
< +    poly1305_state poly_state;
osiris@server openssl $ 

In the original patch the line above is on line 4438, but I moved it to line number 4434 (just outside the #ifdef):

+    uint16_t       poly_buffer_used;
+    uint16_t       chacha_used;
+    poly1305_state poly_state;
+#ifdef CHAPOLY_x86_64_ASM
+    void (*poly1305_init_ptr)(poly1305_state *, const uint8_t *);

As far as I know, it doesn’t give any new bugs :stuck_out_tongue: Also, I don’t know if this fixes anything on your system or if it’s really needed… I don’t know why the #ifdef CHAPOLY_x86_64_ASM isn’t triggered on my system (it’s a 64 bits system ánd I’m compiling it with assembler code support… Perhaps some Gentoo specific fluke…)


#20

yeah i switched back to LibreSSL 2.3 for my nginx LEMP stack installs for now


#21

I’ve been running OpenSSL 1.1.0 pre 3 and 4 (and now 5) (from https://openssl.org/source/) on one production server for the last few weeks and for ‘normal’ webserver usage (apache+php+mysql) it seems to work fine, also with the ChaCha20-Poly1305 ciphersuites.