8140466: ChaCha20 and Poly1305 TLS Cipher Suites

Reviewed-by: mdoerr Backport-of: 962e755
openjdk · Jun 28, 2021 · e62d6a2f388dda2678b59e079e7e879a46164ce2 · e62d6a2 · openjdk-notifier · Jun 28, 2021
1 parent 8a40d25
commit e62d6a2f388dda2678b59e079e7e879a46164ce2
diff --git a/src/java.base/share/classes/sun/security/ssl/CipherSuite.java b/src/java.base/share/classes/sun/security/ssl/CipherSuite.java
@@ -70,6 +70,9 @@
     TLS_AES_256_GCM_SHA384(
             0x1302, true, "TLS_AES_256_GCM_SHA384",
             ProtocolVersion.PROTOCOLS_OF_13, B_AES_256_GCM_IV, H_SHA384),
+    TLS_CHACHA20_POLY1305_SHA256(
+            0x1303, true, "TLS_CHACHA20_POLY1305_SHA256",
+            ProtocolVersion.PROTOCOLS_OF_13, B_CC20_P1305, H_SHA256),
 
     // Suite B compliant cipher suites, see RFC 6460.
     //
@@ -91,11 +94,22 @@
     // not forward secret cipher suites.
     //
 
+    // Not suite B, but we want it to position the suite early in the list
+    // of 1.2 suites.
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(
+            0xCCA9, true, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_ECDHE_ECDSA, B_CC20_P1305, M_NULL, H_SHA256),
+
     // AES_256(GCM)
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(
             0xC030, true, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "",
             ProtocolVersion.PROTOCOLS_OF_12,
             K_ECDHE_RSA, B_AES_256_GCM, M_NULL, H_SHA384),
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(
+            0xCCA8, true, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_ECDHE_RSA, B_CC20_P1305, M_NULL, H_SHA256),
     TLS_RSA_WITH_AES_256_GCM_SHA384(
             0x009D, true, "TLS_RSA_WITH_AES_256_GCM_SHA384", "",
             ProtocolVersion.PROTOCOLS_OF_12,
@@ -112,6 +126,10 @@
             0x009F, true, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "",
             ProtocolVersion.PROTOCOLS_OF_12,
             K_DHE_RSA, B_AES_256_GCM, M_NULL, H_SHA384),
+    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(
+            0xCCAA, true, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_DHE_RSA, B_CC20_P1305, M_NULL, H_SHA256),
     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(
             0x00A3, true, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "",
             ProtocolVersion.PROTOCOLS_OF_12,
@@ -484,8 +502,6 @@
 
     // Definition of the cipher suites that are not supported but the names
     // are known.
-    TLS_CHACHA20_POLY1305_SHA256(                    // TLS 1.3
-            "TLS_CHACHA20_POLY1305_SHA256", 0x1303),
     TLS_AES_128_CCM_SHA256(                          // TLS 1.3
             "TLS_AES_128_CCM_SHA256", 0x1304),
     TLS_AES_128_CCM_8_SHA256(                        // TLS 1.3

diff --git a/src/java.base/share/classes/sun/security/ssl/JsseJce.java b/src/java.base/share/classes/sun/security/ssl/JsseJce.java
@@ -129,6 +129,11 @@ public Object run() {
      */
     static final String CIPHER_AES_GCM = "AES/GCM/NoPadding";
 
+    /**
+     * JCE transformation string for ChaCha20-Poly1305
+     */
+    static final String CIPHER_CHACHA20_POLY1305 = "ChaCha20-Poly1305";
+
     /**
      * JCA identifier string for DSA, i.e. a DSA with SHA-1.
      */