@h-yamamo
Created September 4, 2016 13:38
Support Camellia-GCM cipher suites (RFC 6367) for debian jessie-backports openssl package
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/openssl.ld 2016-09-04 00:00:00.000000000 +0900
+++ b/openssl.ld 2016-09-04 20:00:00.000000000 +0900
@@ -4482,6 +4482,8 @@
EVP_AEAD_CTX_cleanup;
EVP_AEAD_CTX_seal;
EVP_AEAD_CTX_open;
+ EVP_aead_camellia_128_gcm;
+ EVP_aead_camellia_256_gcm;
} OPENSSL_1.0.0;
OPENSSL_1.0.1d {
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/apps/speed.c 2016-09-04 00:00:00.000000000 +0900
+++ b/apps/speed.c 2016-09-04 20:00:00.000000000 +0900
@@ -241,7 +241,7 @@
static int do_multi(int multi);
# endif
-# define ALGOR_NUM 33
+# define ALGOR_NUM 35
# define SIZE_NUM 5
# define RSA_NUM 4
# define DSA_NUM 3
@@ -257,7 +257,8 @@
"camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc",
"evp", "sha256", "sha512", "whirlpool",
"aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash",
- "aes-128 gcm", "aes-256 gcm", "chacha20 poly1305"
+ "aes-128 gcm", "aes-256 gcm", "chacha20 poly1305",
+ "camellia-128 gcm", "camellia-256 gcm"
};
static double results[ALGOR_NUM][SIZE_NUM];
@@ -520,6 +521,8 @@
# define D_AES_128_GCM 30
# define D_AES_256_GCM 31
# define D_CHACHA20_POLY1305 32
+# define D_CAMELLIA_128_GCM 33
+# define D_CAMELLIA_256_GCM 34
double d = 0.0;
long c[ALGOR_NUM][SIZE_NUM];
# define R_DSA_512 0
@@ -887,6 +890,11 @@
else if (strcmp(*argv, "camellia-256-cbc") == 0)
doit[D_CBC_256_CML] = 1;
else
+ if (strcmp(*argv, "camellia-128-gcm") == 0)
+ doit[D_CAMELLIA_128_GCM] = 1;
+ else if (strcmp(*argv, "camellia-256-gcm") == 0)
+ doit[D_CAMELLIA_256_GCM] = 1;
+ else
# endif
# ifndef OPENSSL_NO_RSA
# if 0 /* was: #ifdef RSAref */
@@ -1150,7 +1158,8 @@
# ifndef OPENSSL_NO_CAMELLIA
BIO_printf(bio_err, "\n");
BIO_printf(bio_err,
- "camellia-128-cbc camellia-192-cbc camellia-256-cbc ");
+ "camellia-128-cbc camellia-192-cbc camellia-256-cbc\n");
+ BIO_printf(bio_err, "camellia-128-gcm camellia-256-gcm ");
# endif
# ifndef OPENSSL_NO_RC4
BIO_printf(bio_err, "rc4");
@@ -1390,6 +1399,8 @@
c[D_AES_128_GCM][0] = count;
c[D_AES_256_GCM][0] = count;
c[D_CHACHA20_POLY1305][0] = count;
+ c[D_CAMELLIA_128_GCM][0] = count;
+ c[D_CAMELLIA_256_GCM][0] = count;
for (i = 1; i < SIZE_NUM; i++) {
c[D_MD2][i] = c[D_MD2][0] * 4 * lengths[0] / lengths[i];
@@ -1429,6 +1440,8 @@
c[D_AES_128_GCM][i] = c[D_AES_128_GCM][i - 1] * l0 / l1;
c[D_AES_256_GCM][i] = c[D_AES_256_GCM][i - 1] * l0 / l1;
c[D_CHACHA20_POLY1305][i] = c[D_CHACHA20_POLY1305][i - 1] * l0 / l1;
+ c[D_CAMELLIA_128_GCM][i] = c[D_CAMELLIA_128_GCM][i - 1] * l0 / l1;
+ c[D_CAMELLIA_256_GCM][i] = c[D_CAMELLIA_256_GCM][i - 1] * l0 / l1;
}
# ifndef OPENSSL_NO_RSA
rsa_c[R_RSA_512][0] = count / 2000;
@@ -1958,6 +1971,59 @@
print_result(D_CBC_256_CML, j, count, d);
}
}
+ { if (doit[D_CAMELLIA_128_GCM])
+ {
+ const EVP_AEAD *aead = EVP_aead_camellia_128_gcm();
+ const unsigned char *nonce = iv;
+ size_t out_len, nonce_len;
+ EVP_AEAD_CTX ctx;
+
+ EVP_AEAD_CTX_init(&ctx, aead, key32, EVP_AEAD_key_length(aead),
+ EVP_AEAD_DEFAULT_TAG_LENGTH, NULL);
+ nonce_len = EVP_AEAD_nonce_length(aead);
+
+ for (j=0; j<SIZE_NUM; j++)
+ {
+ print_message(names[D_CAMELLIA_128_GCM],
+ c[D_CAMELLIA_128_GCM][j], lengths[j]);
+ Time_F(START);
+ for (count=0,run=1; COND(c[D_CAMELLIA_128_GCM][j]); count++)
+ if (!EVP_AEAD_CTX_seal(&ctx, buf, &out_len, BUFSIZE,
+ nonce, nonce_len, buf, lengths[j],
+ NULL, 0))
+ exit(1);
+ d=Time_F(STOP);
+ print_result(D_CAMELLIA_128_GCM,j,count,d);
+ }
+ EVP_AEAD_CTX_cleanup(&ctx);
+ }
+ if (doit[D_CAMELLIA_256_GCM])
+ {
+ const EVP_AEAD *aead = EVP_aead_camellia_256_gcm();
+ const unsigned char *nonce = iv;
+ size_t out_len, nonce_len;
+ EVP_AEAD_CTX ctx;
+
+ EVP_AEAD_CTX_init(&ctx, aead, key32, EVP_AEAD_key_length(aead),
+ EVP_AEAD_DEFAULT_TAG_LENGTH, NULL);
+ nonce_len = EVP_AEAD_nonce_length(aead);
+
+ for (j=0; j<SIZE_NUM; j++)
+ {
+ print_message(names[D_CAMELLIA_256_GCM],
+ c[D_CAMELLIA_256_GCM][j], lengths[j]);
+ Time_F(START);
+ for (count=0,run=1; COND(c[D_CAMELLIA_256_GCM][j]); count++)
+ if (!EVP_AEAD_CTX_seal(&ctx, buf, &out_len, BUFSIZE,
+ nonce, nonce_len, buf, lengths[j],
+ NULL, 0))
+ exit(1);
+ d=Time_F(STOP);
+ print_result(D_CAMELLIA_256_GCM,j,count,d);
+ }
+ EVP_AEAD_CTX_cleanup(&ctx);
+ }
+ }
# endif
# ifndef OPENSSL_NO_IDEA
if (doit[D_CBC_IDEA]) {
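Review bot: The result of `EVP_AEAD_CTX_init` is discarded in both the Camellia-128 and Camellia-256 blocks, so a failed initialisation would go on to call `EVP_AEAD_CTX_seal` on a context whose state was never set up. Check it the same way the seal call is checked, e.g. `if (!EVP_AEAD_CTX_init(&ctx, aead, key32, EVP_AEAD_key_length(aead), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) exit(1);`. The timing loop also seals every buffer under one key with the same `iv` as nonce, which is tolerable only because this is a throughput benchmark; a short comment such as `/* fixed nonce: benchmark only, a GCM nonce must never repeat under one key */` would keep the pattern from being copied into real code. The enclosing function starts and ends outside the hunk.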
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/crypto/evp/aeadtest.c 2016-04-17 15:00:00.000000000 +0900
+++ b/crypto/evp/aeadtest.c 2016-04-23 22:00:00.000000000 +0900
@@ -257,6 +257,24 @@
return 0;
#endif
}
+ else if (strcmp(argv[1], "camellia-128-gcm") == 0)
+ {
+#ifndef OPENSSL_NO_CAMELLIA
+ aead = EVP_aead_camellia_128_gcm();
+#else
+ fprintf(stderr, "No Camellia support. Skipping test.\n");
+ return 0;
+#endif
+ }
+ else if (strcmp(argv[1], "camellia-256-gcm") == 0)
+ {
+#ifndef OPENSSL_NO_CAMELLIA
+ aead = EVP_aead_camellia_256_gcm();
+#else
+ fprintf(stderr, "No Camellia support. Skipping test.\n");
+ return 0;
+#endif
+ }
else
{
fprintf(stderr, "Unknown AEAD: %s\n", argv[1]);
diff -u openssl-1.0.2h-1~bpo8+2 +camellia-gcm
--- a/crypto/evp/e_camellia.c 2016-05-03 13:44:42.000000000 +0000
+++ b/crypto/evp/e_camellia.c 2016-09-04 20:00:00.000000000 +0900
@@ -385,6 +385,200 @@
BLOCK_CIPHER_generic_pack(NID_camellia, 128, 0)
BLOCK_CIPHER_generic_pack(NID_camellia, 192, 0)
BLOCK_CIPHER_generic_pack(NID_camellia, 256, 0)
+
+
+static ctr128_f camellia_gcm_set_key(CAMELLIA_KEY *camellia_key,
+ GCM128_CONTEXT *gcm_ctx,
+ const unsigned char *key, size_t key_len)
+ {
+ Camellia_set_key(key, key_len*8, camellia_key);
+ CRYPTO_gcm128_init(gcm_ctx, camellia_key, (block128_f)Camellia_encrypt);
+#if 0 /* CAMELLIA_CTR_ASM */
+ return (ctr128_f)func;
+#else
+ return NULL;
+#endif
+ }
+
+#define EVP_AEAD_CAMELLIA_GCM_TAG_LEN 16
+
+struct aead_camellia_gcm_ctx {
+ union { double align; CAMELLIA_KEY ks; } ks;
+ GCM128_CONTEXT gcm;
+ ctr128_f ctr;
+ unsigned tag_len;
+};
+
+static int aead_camellia_gcm_init(EVP_AEAD_CTX *ctx,
+ const unsigned char *key, size_t key_len, size_t tag_len)
+ {
+ struct aead_camellia_gcm_ctx *gcm_ctx;
+ const size_t key_bits = key_len * 8;
+
+ if (key_bits != 128 && key_bits != 256)
+ {
+ EVPerr(EVP_F_AEAD_CAMELLIA_GCM_INIT, EVP_R_BAD_KEY_LENGTH);
+ return 0; /* EVP_AEAD_CTX_init should catch this. */
+ }
+
+ if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH)
+ tag_len = EVP_AEAD_CAMELLIA_GCM_TAG_LEN;
+
+ if (tag_len > EVP_AEAD_CAMELLIA_GCM_TAG_LEN)
+ {
+ EVPerr(EVP_F_AEAD_CAMELLIA_GCM_INIT, EVP_R_TAG_TOO_LARGE);
+ return 0;
+ }
+
+ gcm_ctx = OPENSSL_malloc(sizeof(struct aead_camellia_gcm_ctx));
+ if (gcm_ctx == NULL)
+ return 0;
+
+ gcm_ctx->ctr = camellia_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
+ key, key_len);
+ gcm_ctx->tag_len = tag_len;
+ ctx->aead_state = gcm_ctx;
+
+ return 1;
+ }
+
+static void aead_camellia_gcm_cleanup(EVP_AEAD_CTX *ctx)
+ {
+ struct aead_camellia_gcm_ctx *gcm_ctx = ctx->aead_state;
+ OPENSSL_cleanse(gcm_ctx, sizeof(*gcm_ctx));
+ OPENSSL_free(gcm_ctx);
+ }
+
+static int aead_camellia_gcm_seal(const EVP_AEAD_CTX *ctx,
+ unsigned char *out, size_t *out_len, size_t max_out_len,
+ const unsigned char *nonce, size_t nonce_len,
+ const unsigned char *in, size_t in_len,
+ const unsigned char *ad, size_t ad_len)
+ {
+ size_t bulk = 0;
+ const struct aead_camellia_gcm_ctx *gcm_ctx = ctx->aead_state;
+ GCM128_CONTEXT gcm;
+
+ if (max_out_len < in_len + gcm_ctx->tag_len)
+ {
+ EVPerr(EVP_F_AEAD_CAMELLIA_GCM_SEAL, EVP_R_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
+ CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
+
+ if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
+ return 0;
+
+/** if (gcm_ctx->ctr) #if CAMELLIA_CTR_ASM
+ {
+ if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
+ in_len - bulk, gcm_ctx->ctr))
+ return 0;
+ }
+ else **/
+ {
+ if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
+ in_len - bulk))
+ return 0;
+ }
+
+ CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
+ *out_len = in_len + gcm_ctx->tag_len;
+ return 1;
+ }
+
+static int aead_camellia_gcm_open(const EVP_AEAD_CTX *ctx,
+ unsigned char *out, size_t *out_len, size_t max_out_len,
+ const unsigned char *nonce, size_t nonce_len,
+ const unsigned char *in, size_t in_len,
+ const unsigned char *ad, size_t ad_len)
+ {
+ size_t bulk = 0;
+ const struct aead_camellia_gcm_ctx *gcm_ctx = ctx->aead_state;
+ unsigned char tag[EVP_AEAD_CAMELLIA_GCM_TAG_LEN];
+ size_t plaintext_len;
+ GCM128_CONTEXT gcm;
+
+ if (in_len < gcm_ctx->tag_len)
+ {
+ EVPerr(EVP_F_AEAD_CAMELLIA_GCM_OPEN, EVP_R_BAD_DECRYPT);
+ return 0;
+ }
+
+ plaintext_len = in_len - gcm_ctx->tag_len;
+
+ if (max_out_len < plaintext_len)
+ {
+ EVPerr(EVP_F_AEAD_CAMELLIA_GCM_OPEN, EVP_R_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
+ CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len);
+
+ if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
+ return 0;
+
+/** if (gcm_ctx->ctr) #if CAMELLIA_CTR_ASM
+ {
+ if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
+ in_len-bulk-gcm_ctx->tag_len,
+ gcm_ctx->ctr))
+ return 0;
+ }
+ else **/
+ {
+ if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
+ in_len - bulk - gcm_ctx->tag_len))
+ return 0;
+ }
+
+ CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
+ if (CRYPTO_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0)
+ {
+ EVPerr(EVP_F_AEAD_CAMELLIA_GCM_OPEN, EVP_R_BAD_DECRYPT);
+ return 0;
+ }
+
+ *out_len = plaintext_len;
+ return 1;
+ }
+
+static const EVP_AEAD aead_camellia_128_gcm = {
+ 16, /* key len */
+ 12, /* nonce len */
+ EVP_AEAD_CAMELLIA_GCM_TAG_LEN, /* overhead */
+ EVP_AEAD_CAMELLIA_GCM_TAG_LEN, /* max tag length */
+
+ aead_camellia_gcm_init,
+ aead_camellia_gcm_cleanup,
+ aead_camellia_gcm_seal,
+ aead_camellia_gcm_open,
+};
+
+static const EVP_AEAD aead_camellia_256_gcm = {
+ 32, /* key len */
+ 12, /* nonce len */
+ EVP_AEAD_CAMELLIA_GCM_TAG_LEN, /* overhead */
+ EVP_AEAD_CAMELLIA_GCM_TAG_LEN, /* max tag length */
+
+ aead_camellia_gcm_init,
+ aead_camellia_gcm_cleanup,
+ aead_camellia_gcm_seal,
+ aead_camellia_gcm_open,
+};
+
+const EVP_AEAD *EVP_aead_camellia_128_gcm()
+ {
+ return &aead_camellia_128_gcm;
+ }
+
+const EVP_AEAD *EVP_aead_camellia_256_gcm()
+ {
+ return &aead_camellia_256_gcm;
+ }
#else
# ifdef PEDANTIC
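Review bot: In `aead_camellia_gcm_seal` the bound check `max_out_len < in_len + gcm_ctx->tag_len` can wrap when `in_len` is close to `SIZE_MAX`, which would let an undersized output buffer pass; whether `CRYPTO_gcm128_encrypt` then rejects the length likely depends on the width of `size_t`, so the check should not lean on it. Compare without the addition: `if (max_out_len < gcm_ctx->tag_len || max_out_len - gcm_ctx->tag_len < in_len)`. Separately, `aead_camellia_gcm_open` writes decrypted bytes to `out` before the tag comparison and leaves them there on `EVP_R_BAD_DECRYPT`, and both functions return without cleansing the stack copy `gcm` (and `tag` in open), which hold key-derived state. Unless the `EVP_AEAD_CTX_open` wrapper (not shown here) already clears the buffer, an `OPENSSL_cleanse(out, plaintext_len)` on the failure path and `OPENSSL_cleanse(&gcm, sizeof(gcm))` before each return would be the defensive choice.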
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/crypto/evp/evp.h 2016-09-04 00:00:00.000000000 +0900
+++ b/crypto/evp/evp.h 2016-09-04 20:00:00.000000000 +0900
@@ -1382,6 +1382,11 @@
const EVP_AEAD *EVP_aead_aes_256_gcm(void);
# endif
+# ifndef OPENSSL_NO_CAMELLIA
+const EVP_AEAD *EVP_aead_camellia_128_gcm(void);
+const EVP_AEAD *EVP_aead_camellia_256_gcm(void);
+# endif
+
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
/* EVP_aead_chacha20_poly1305 is ChaCha20 with a Poly1305 authenticator. */
const EVP_AEAD *EVP_aead_chacha20_poly1305(void);
@@ -1501,6 +1506,9 @@
# define EVP_F_AEAD_AES_GCM_INIT 187
# define EVP_F_AEAD_AES_GCM_OPEN 188
# define EVP_F_AEAD_AES_GCM_SEAL 189
+# define EVP_F_AEAD_CAMELLIA_GCM_INIT 195
+# define EVP_F_AEAD_CAMELLIA_GCM_OPEN 196
+# define EVP_F_AEAD_CAMELLIA_GCM_SEAL 197
# define EVP_F_AEAD_CHACHA20_POLY1305_INIT 192
# define EVP_F_AEAD_CHACHA20_POLY1305_OPEN 193
# define EVP_F_AEAD_CHACHA20_POLY1305_SEAL 194
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/crypto/evp/evp_err.c 2016-09-04 00:00:00.000000000 +0900
+++ b/crypto/evp/evp_err.c 2016-09-04 20:00:00.000000000 +0900
@@ -73,6 +73,9 @@
{ERR_FUNC(EVP_F_AEAD_AES_GCM_INIT), "AEAD_AES_GCM_INIT"},
{ERR_FUNC(EVP_F_AEAD_AES_GCM_OPEN), "AEAD_AES_GCM_OPEN"},
{ERR_FUNC(EVP_F_AEAD_AES_GCM_SEAL), "AEAD_AES_GCM_SEAL"},
+ {ERR_FUNC(EVP_F_AEAD_CAMELLIA_GCM_INIT), "AEAD_CAMELLIA_GCM_INIT"},
+ {ERR_FUNC(EVP_F_AEAD_CAMELLIA_GCM_OPEN), "AEAD_CAMELLIA_GCM_OPEN"},
+ {ERR_FUNC(EVP_F_AEAD_CAMELLIA_GCM_SEAL), "AEAD_CAMELLIA_GCM_SEAL"},
{ERR_FUNC(EVP_F_AEAD_CHACHA20_POLY1305_INIT),
"AEAD_CHACHA20_POLY1305_INIT"},
{ERR_FUNC(EVP_F_AEAD_CHACHA20_POLY1305_OPEN),
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/ssl/s3_lib.c 2016-09-04 00:00:00.000000000 +0900
+++ b/ssl/s3_lib.c 2016-09-04 20:00:00.000000000 +0900
@@ -2893,6 +2893,154 @@
#endif /* OPENSSL_NO_ECDH */
+#ifndef OPENSSL_NO_CAMELLIA
+ /* GCM-Based Cipher Suites from RFC 6367 */
+# if 0 /* change 0 to 1 if you need RSA and DHE suites. */
+ /* Cipher C07A */
+ {
+ 1,
+ TLS1_TXT_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS1_CK_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_CAMELLIA128GCM,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|
+ FIXED_NONCE_LEN(4)|
+ SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 128,
+ 128,
+ },
+
+ /* Cipher C07B */
+ {
+ 1,
+ TLS1_TXT_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS1_CK_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_CAMELLIA256GCM,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|
+ FIXED_NONCE_LEN(4)|
+ SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 256,
+ 256,
+ },
+
+ /* Cipher C07C */
+ {
+ 1,
+ TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ SSL_kEDH,
+ SSL_aRSA,
+ SSL_CAMELLIA128GCM,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|
+ FIXED_NONCE_LEN(4)|
+ SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 128,
+ 128,
+ },
+
+ /* Cipher C07D */
+ {
+ 1,
+ TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ SSL_kEDH,
+ SSL_aRSA,
+ SSL_CAMELLIA256GCM,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|
+ FIXED_NONCE_LEN(4)|
+ SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 256,
+ 256,
+ },
+# endif
+ /* Cipher C086 */
+ {
+ 1,
+ TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+ SSL_kEECDH,
+ SSL_aECDSA,
+ SSL_CAMELLIA128GCM,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|
+ FIXED_NONCE_LEN(4)|
+ SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 128,
+ 128,
+ },
+
+ /* Cipher C087 */
+ {
+ 1,
+ TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+ SSL_kEECDH,
+ SSL_aECDSA,
+ SSL_CAMELLIA256GCM,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|
+ FIXED_NONCE_LEN(4)|
+ SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 256,
+ 256,
+ },
+
+ /* Cipher C08A */
+ {
+ 1,
+ TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+ SSL_kEECDH,
+ SSL_aRSA,
+ SSL_CAMELLIA128GCM,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256|SSL_CIPHER_ALGORITHM2_AEAD|
+ FIXED_NONCE_LEN(4)|
+ SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 128,
+ 128,
+ },
+
+ /* Cipher C08B */
+ {
+ 1,
+ TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+ SSL_kEECDH,
+ SSL_aRSA,
+ SSL_CAMELLIA256GCM,
+ SSL_AEAD,
+ SSL_TLSV1_2,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384|SSL_CIPHER_ALGORITHM2_AEAD|
+ FIXED_NONCE_LEN(4)|
+ SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
+ 256,
+ 256,
+ },
+#endif /* OPENSSL_NO_CAMELLIA */
+
#ifdef TEMP_GOST_TLS
/* Cipher FF00 */
{
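Review bot: Every new table entry carries `SSL_FIPS` in its strength flags (`SSL_NOT_EXP|SSL_HIGH|SSL_FIPS`), which looks copied from the AES-GCM entries; Camellia is not a FIPS-approved algorithm, so these suites should not be marked as usable in FIPS mode and the line should read `SSL_NOT_EXP|SSL_HIGH,`. The ECDHE entries (C086, C087, C08A, C08B) are also added after `#endif /* OPENSSL_NO_ECDH */` and guarded only by `OPENSSL_NO_CAMELLIA`, so a build without ECDH would still list them; wrapping those four in `#ifndef OPENSSL_NO_ECDH` would match the rest of the table. The cipher table itself starts and ends outside the hunk.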
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/ssl/ssl.h 2016-09-04 00:00:00.000000000 +0900
+++ b/ssl/ssl.h 2016-09-04 20:00:00.000000000 +0900
@@ -297,6 +297,7 @@
# define SSL_TXT_CAMELLIA128 "CAMELLIA128"
# define SSL_TXT_CAMELLIA256 "CAMELLIA256"
# define SSL_TXT_CAMELLIA "CAMELLIA"
+# define SSL_TXT_CAMELLIA_GCM "CAMELLIAGCM"
# define SSL_TXT_CHACHA20 "CHACHA20"
# define SSL_TXT_MD5 "MD5"
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/ssl/ssl_ciph.c 2016-09-04 00:00:00.000000000 +0900
+++ b/ssl/ssl_ciph.c 2016-09-04 20:00:00.000000000 +0900
@@ -311,10 +311,14 @@
{0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM, 0, 0, 0, 0,
0, 0},
- {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128 | SSL_CAMELLIA128GCM, 0,
+ 0, 0, 0, 0, 0},
+ {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256 | SSL_CAMELLIA256GCM, 0,
+ 0, 0, 0, 0, 0},
{0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA128 | SSL_CAMELLIA256, 0, 0, 0,
0, 0, 0},
+ {0, SSL_TXT_CAMELLIA_GCM, 0, 0, 0, SSL_CAMELLIA128GCM | SSL_CAMELLIA256GCM,
+ 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, 0, 0, 0},
/* MAC aliases */
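Review bot: The `SSL_TXT_CAMELLIA` alias kept as context in this hunk still expands to `SSL_CAMELLIA128 | SSL_CAMELLIA256` only, so a cipher string such as `!CAMELLIA` would not remove the new Camellia-GCM suites even though `CAMELLIA128` and `CAMELLIA256` now match them. An administrator who disables Camellia by that keyword would be left with the GCM suites still negotiable. The ssl_locl.h part of this patch widens the `SSL_CAMELLIA` mask to include the GCM bits, so the alias should use it, as the `SSL_TXT_AES` line does: `{0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA, 0, 0, 0, 0, 0, 0},`. The alias table begins and ends outside the hunk.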
@@ -555,6 +559,14 @@
*aead = EVP_aead_aes_256_gcm();
return 1;
#endif
+#ifndef OPENSSL_NO_CAMELLIA
+ case SSL_CAMELLIA128GCM:
+ *aead = EVP_aead_camellia_128_gcm();
+ return 1;
+ case SSL_CAMELLIA256GCM:
+ *aead = EVP_aead_camellia_256_gcm();
+ return 1;
+#endif
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
case SSL_CHACHA20POLY1305:
if (c->id & 0x80)
@@ -1876,6 +1888,12 @@
case SSL_CHACHA20POLY1305:
enc = "ChaCha20-Poly1305";
break;
+ case SSL_CAMELLIA128GCM:
+ enc="CamelliaGCM(128)";
+ break;
+ case SSL_CAMELLIA256GCM:
+ enc="CamelliaGCM(256)";
+ break;
default:
enc = "unknown";
break;
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/ssl/ssl_locl.h 2016-09-04 00:00:00.000000000 +0900
+++ b/ssl/ssl_locl.h 2016-09-04 20:00:00.000000000 +0900
@@ -355,9 +355,12 @@
# define SSL_AES128GCM 0x00001000L
# define SSL_AES256GCM 0x00002000L
# define SSL_CHACHA20POLY1305 0x00004000L
+# define SSL_CAMELLIA128GCM 0x00008000L
+# define SSL_CAMELLIA256GCM 0x00010000L
# define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
-# define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
+# define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256| \
+ SSL_CAMELLIA128GCM|SSL_CAMELLIA256GCM)
/* Bits for algorithm_mac (symmetric authentication) */
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/ssl/tls1.h 2016-09-04 00:00:00.000000000 +0900
+++ b/ssl/tls1.h 2016-09-04 20:00:00.000000000 +0900
@@ -563,6 +563,16 @@
# define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256 0x0300C031
# define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032
+/* Camellia GCM based ciphersuites from RFC6367 */
+# define TLS1_CK_RSA_WITH_CAMELLIA_128_GCM_SHA256 0x0300C07A
+# define TLS1_CK_RSA_WITH_CAMELLIA_256_GCM_SHA384 0x0300C07B
+# define TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 0x0300C07C
+# define TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 0x0300C07D
+# define TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0x0300C086
+# define TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0x0300C087
+# define TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 0x0300C08A
+# define TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 0x0300C08B
+
# define TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC13
# define TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD 0x0300CC14
# define TLS1_CK_DHE_RSA_CHACHA20_POLY1305_OLD 0x0300CC15
@@ -720,6 +730,15 @@
# define TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256 "ECDH-RSA-AES128-GCM-SHA256"
# define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384"
+# define TLS1_TXT_RSA_WITH_CAMELLIA_128_GCM_SHA256 "CAMELLIA128-GCM-SHA256"
+# define TLS1_TXT_RSA_WITH_CAMELLIA_256_GCM_SHA384 "CAMELLIA256-GCM-SHA384"
+# define TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 "DHE-RSA-CAMELLIA128-GCM-SHA256"
+# define TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 "DHE-RSA-CAMELLIA256-GCM-SHA384"
+# define TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 "ECDHE-ECDSA-CAMELLIA128-GCM-SHA256"
+# define TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 "ECDHE-ECDSA-CAMELLIA256-GCM-SHA384"
+# define TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 "ECDHE-RSA-CAMELLIA128-GCM-SHA256"
+# define TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 "ECDHE-RSA-CAMELLIA256-GCM-SHA384"
+
# define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 "ECDHE-RSA-CHACHA20-POLY1305"
# define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 "ECDHE-ECDSA-CHACHA20-POLY1305"
# define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 "DHE-RSA-CHACHA20-POLY1305"
diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/test/Makefile 2016-09-04 00:00:00.000000000 +0900
+++ b/test/Makefile 2016-09-04 20:00:00.000000000 +0900
@@ -382,7 +382,8 @@
../util/shlib_wrap.sh ./$(POLY1305TEST)
test_aead: $(AEADTEST)$(EXE_EXT) chacha20_poly1305_old_tests.txt \
- chacha20_poly1305_tests.txt aes_128_gcm_tests.txt aes_256_gcm_tests.txt
+ chacha20_poly1305_tests.txt aes_128_gcm_tests.txt aes_256_gcm_tests.txt \
+ camellia_128_gcm_tests.txt camellia_256_gcm_tests.txt
@echo "Test ChaCha20+Poly1305(rfc7539)"
../util/shlib_wrap.sh ./$(AEADTEST) chacha20-poly1305 \
chacha20_poly1305_tests.txt
@@ -395,6 +396,12 @@
@echo "Test AES-256-GCM"
../util/shlib_wrap.sh ./$(AEADTEST) aes-256-gcm \
aes_256_gcm_tests.txt
+ @echo "Test Camellia-128-GCM"
+ ../util/shlib_wrap.sh ./$(AEADTEST) camellia-128-gcm \
+ camellia_128_gcm_tests.txt
+ @echo "Test Camellia-256-GCM"
+ ../util/shlib_wrap.sh ./$(AEADTEST) camellia-256-gcm \
+ camellia_256_gcm_tests.txt
lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
diff -uN 1.0.2h-1~bpo8+2 +camellia-gcm
--- /dev/null 1970-01-01 09:00:00.000000000 +0900
+++ b/test/camellia_128_gcm_tests.txt 2016-02-03 01:33:12.000000000 +0900
@@ -0,0 +1,49 @@
+# Test vector from draft-kato-ipsec-camellia-gcm Section 4.
+
+# Case 1
+KEY: 00000000000000000000000000000000
+NONCE: 000000000000000000000000
+IN: ""
+AD: ""
+CT: ""
+TAG: f5574acc3148dfcb9015200631024df9
+
+# Case 2
+KEY: 00000000000000000000000000000000
+NONCE: 000000000000000000000000
+IN: 00000000000000000000000000000000
+AD: ""
+CT: defe3e0b5c54c94b4f2a0f5a46f6210d
+TAG: f672b94d192266c7c8c8dbb427cc989a
+
+# Case 3
+KEY: feffe9928665731c6d6a8f9467308308
+NONCE: cafebabefacedbaddecaf888
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
+AD: ""
+CT: d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815
+TAG: 86e318012dd8329dc9dae6a170f61b24
+
+# Case 4
+KEY: feffe9928665731c6d6a8f9467308308
+NONCE: cafebabefacedbaddecaf888
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+AD: feedfacedeadbeeffeedfacedeadbeefabaddad2
+CT: d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606
+TAG: 9f458869431576ea6a095456ec6b8101
+
+# Case 5
+KEY: feffe9928665731c6d6a8f9467308308
+NONCE: cafebabefacedbad
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+AD: feedfacedeadbeeffeedfacedeadbeefabaddad2
+CT: 28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd
+TAG: e86f8f2e730c49d536f00fb5225d28b1
+
+# Case 6
+KEY: feffe9928665731c6d6a8f9467308308
+NONCE: 9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+AD: feedfacedeadbeeffeedfacedeadbeefabaddad2
+CT: 2e582b8417c93f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647
+TAG: ceae5569b2af8641572622731aed3e53
diff -uN 1.0.2h-1~bpo8+2 +camellia-gcm
--- /dev/null 1970-01-01 09:00:00.000000000 +0900
+++ b/test/camellia_256_gcm_tests.txt 2016-02-03 01:36:49.000000000 +0900
@@ -0,0 +1,49 @@
+# Test vector from draft-kato-ipsec-camellia-gcm Section 4.
+
+# Case 13
+KEY: 0000000000000000000000000000000000000000000000000000000000000000
+NONCE: 000000000000000000000000
+IN: ""
+AD: ""
+CT: ""
+TAG: 9cdb269b5d293bc5db9c55b057d9b591
+
+# Case 14
+KEY: 0000000000000000000000000000000000000000000000000000000000000000
+NONCE: 000000000000000000000000
+IN: 00000000000000000000000000000000
+AD: ""
+CT: 3d4b2cde666761ba5dfb305178e667fb
+TAG: 284b63bb143c40ce100fb4dea6bb617b
+
+# Case 15
+KEY: feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+NONCE: cafebabefacedbaddecaf888
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
+AD: ""
+CT: ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b776549e092
+TAG: c912686270a2b9966415fca3be75c468
+
+# Case 16
+KEY: feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+NONCE: cafebabefacedbaddecaf888
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+AD: feedfacedeadbeeffeedfacedeadbeefabaddad2
+CT: ad142c11579dd95e41f3c1f324dabc255864d920f1b65759d8f560d4948d447758dfdcf77aa9f62581c7ff572a037f810cb1a9c4b3ca6ed638179b77
+TAG: 4e4b178d8fe26fdc95e2e7246dd94bec
+
+# Case 17
+KEY: feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+NONCE: cafebabefacedbad
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+AD: feedfacedeadbeeffeedfacedeadbeefabaddad2
+CT: 6ca95fbb7d16577a9ef2fded94dc85b5d40c629f6bef2c649888e3cbb0ededc7810c04b12c2983bbbbc482e16e45c9215ae12c15c55f2f4809d06652
+TAG: e6472b8ebd331bfcc7c0fa63ce094461
+
+# Case 18
+KEY: feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+NONCE: 9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
+IN: d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+AD: feedfacedeadbeeffeedfacedeadbeefabaddad2
+CT: e0cddd7564d09c4dc522dd65949262bbf9dcdb07421cf67f3032becb7253c284a16e5bf0f556a308043f53fab9eebb526be7f7ad33d697ac77c67862
+TAG: 5791883f822013f8bd136fc36fb9946b
h-yamamo commented Sep 4, 2016

This patch requires the preceding chacha20poly1305.patch.
How to build packages:

apt-get -d source openssl
tar xf openssl_1.0.2h.orig.tar.gz
cd openssl-1.0.2h
tar xf ../openssl_1.0.2h-1~bpo8+2.debian.tar.xz
cp -av (openssl-chacha20poly1305 repository)/jessie-backports/debian/* debian/
cp (somewhere)/camellia-gcm.patch debian/patches/
echo camellia-gcm.patch >> debian/patches/series
vi debian/changelog  # add description about camellia-gcm
debuild -uc -us
