openssl-3.0.0-dev-chacha_draft.patch

diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
index df8e5a5bcb..81bab72bcf 100644
--- a/crypto/evp/c_allc.c
+++ b/crypto/evp/c_allc.c
@@ -265,6 +265,7 @@ void openssl_add_all_ciphers_int(void)
     EVP_add_cipher(EVP_chacha20());
 # ifndef OPENSSL_NO_POLY1305
     EVP_add_cipher(EVP_chacha20_poly1305());
+    EVP_add_cipher(EVP_chacha20_poly1305_draft());
 # endif
 #endif
 }
diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
index b7340b147d..4080db7554 100644
--- a/crypto/evp/e_chacha20_poly1305.c
+++ b/crypto/evp/e_chacha20_poly1305.c
@@ -156,6 +156,7 @@ typedef struct {
     struct { uint64_t aad, text; } len;
     int aad, mac_inited, tag_len, nonce_len;
     size_t tls_payload_length;
+    unsigned char draft:1;
 } EVP_CHACHA_AEAD_CTX;
 
 #  define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)
@@ -176,6 +177,7 @@ static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
     actx->aad = 0;
     actx->mac_inited = 0;
     actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
+    actx->draft = 0;
 
     if (iv != NULL) {
         unsigned char temp[CHACHA_CTR_SIZE] = { 0 };
@@ -197,6 +199,27 @@ static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
     return 1;
 }
 
+static int chacha20_poly1305_draft_init_key(EVP_CIPHER_CTX *ctx,
+   const unsigned char *inkey,
+   const unsigned char *iv, int enc)
+{
+    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
+
+    if (!inkey)
+        return 1;
+
+    actx->len.aad = 0;
+    actx->len.text = 0;
+    actx->aad = 0;
+    actx->mac_inited = 0;
+    actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
+    actx->draft = 1;
+
+    chacha_init_key(ctx, inkey, NULL, enc);
+
+    return 1;
+}
+
 #  if !defined(OPENSSL_SMALL_FOOTPRINT)
 
 #   if defined(POLY1305_ASM) && (defined(__x86_64) || defined(__x86_64__) || \
@@ -367,10 +390,11 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 {
     EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
     size_t rem, plen = actx->tls_payload_length;
+    uint64_t thirteen = EVP_AEAD_TLS1_AAD_LEN;
 
     if (!actx->mac_inited) {
 #  if !defined(OPENSSL_SMALL_FOOTPRINT)
-        if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL)
+        if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL && !actx->draft)
             return chacha20_poly1305_tls_cipher(ctx, out, in, len);
 #  endif
         actx->key.counter[0] = 0;
@@ -397,9 +421,14 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
             return len;
         } else {                                /* plain- or ciphertext */
             if (actx->aad) {                    /* wrap up aad */
-                if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
-                    Poly1305_Update(POLY1305_ctx(actx), zero,
-                                    POLY1305_BLOCK_SIZE - rem);
+                if (actx->draft) {
+                    thirteen = actx->len.aad;
+                    Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
+                } else {
+                    if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
+                        Poly1305_Update(POLY1305_ctx(actx), zero,
+                                        POLY1305_BLOCK_SIZE - rem);
+                }
                 actx->aad = 0;
             }
 
@@ -432,40 +461,52 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         } is_endian = { 1 };
         unsigned char temp[POLY1305_BLOCK_SIZE];
 
+        if (actx->draft) {
+            thirteen = actx->len.text;
+            Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
+        }
+
         if (actx->aad) {                        /* wrap up aad */
-            if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
-                Poly1305_Update(POLY1305_ctx(actx), zero,
-                                POLY1305_BLOCK_SIZE - rem);
+            if (actx->draft) {
+               thirteen = actx->len.aad;
+               Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
+            } else {
+                if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
+                    Poly1305_Update(POLY1305_ctx(actx), zero,
+                                    POLY1305_BLOCK_SIZE - rem);
+            }
             actx->aad = 0;
         }
 
-        if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
-            Poly1305_Update(POLY1305_ctx(actx), zero,
-                            POLY1305_BLOCK_SIZE - rem);
+        if (!actx->draft) {
+            if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
+                Poly1305_Update(POLY1305_ctx(actx), zero,
+                                POLY1305_BLOCK_SIZE - rem);
 
-        if (is_endian.little) {
-            Poly1305_Update(POLY1305_ctx(actx),
-                            (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
-        } else {
-            temp[0]  = (unsigned char)(actx->len.aad);
-            temp[1]  = (unsigned char)(actx->len.aad>>8);
-            temp[2]  = (unsigned char)(actx->len.aad>>16);
-            temp[3]  = (unsigned char)(actx->len.aad>>24);
-            temp[4]  = (unsigned char)(actx->len.aad>>32);
-            temp[5]  = (unsigned char)(actx->len.aad>>40);
-            temp[6]  = (unsigned char)(actx->len.aad>>48);
-            temp[7]  = (unsigned char)(actx->len.aad>>56);
-
-            temp[8]  = (unsigned char)(actx->len.text);
-            temp[9]  = (unsigned char)(actx->len.text>>8);
-            temp[10] = (unsigned char)(actx->len.text>>16);
-            temp[11] = (unsigned char)(actx->len.text>>24);
-            temp[12] = (unsigned char)(actx->len.text>>32);
-            temp[13] = (unsigned char)(actx->len.text>>40);
-            temp[14] = (unsigned char)(actx->len.text>>48);
-            temp[15] = (unsigned char)(actx->len.text>>56);
-
-            Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
+            if (is_endian.little) {
+                Poly1305_Update(POLY1305_ctx(actx),
+                                (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
+            } else {
+                temp[0]  = (unsigned char)(actx->len.aad);
+                temp[1]  = (unsigned char)(actx->len.aad>>8);
+                temp[2]  = (unsigned char)(actx->len.aad>>16);
+                temp[3]  = (unsigned char)(actx->len.aad>>24);
+                temp[4]  = (unsigned char)(actx->len.aad>>32);
+                temp[5]  = (unsigned char)(actx->len.aad>>40);
+                temp[6]  = (unsigned char)(actx->len.aad>>48);
+                temp[7]  = (unsigned char)(actx->len.aad>>56);
+
+                temp[8]  = (unsigned char)(actx->len.text);
+                temp[9]  = (unsigned char)(actx->len.text>>8);
+                temp[10] = (unsigned char)(actx->len.text>>16);
+                temp[11] = (unsigned char)(actx->len.text>>24);
+                temp[12] = (unsigned char)(actx->len.text>>32);
+                temp[13] = (unsigned char)(actx->len.text>>40);
+                temp[14] = (unsigned char)(actx->len.text>>48);
+                temp[15] = (unsigned char)(actx->len.text>>56);
+
+                Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
+            }
         }
         Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
                                                         : temp);
@@ -539,12 +580,14 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
         return 1;
 
     case EVP_CTRL_AEAD_SET_IVLEN:
+        if (actx->draft) return -1;
         if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
             return 0;
         actx->nonce_len = arg;
         return 1;
 
     case EVP_CTRL_AEAD_SET_IV_FIXED:
+        if (actx->draft) return -1;
         if (arg != 12)
             return 0;
         actx->nonce[0] = actx->key.counter[1]
@@ -629,9 +672,32 @@ static EVP_CIPHER chacha20_poly1305 = {
     NULL        /* app_data */
 };
 
+static EVP_CIPHER chacha20_poly1305_draft = {
+    NID_chacha20_poly1305_draft,
+    1,                  /* block_size */
+    CHACHA_KEY_SIZE,    /* key_len */
+    0,                  /* iv_len, none */
+    EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV |
+    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
+    EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,
+    chacha20_poly1305_draft_init_key,
+    chacha20_poly1305_cipher,
+    chacha20_poly1305_cleanup,
+    0,          /* 0 moves context-specific structure allocation to ctrl */
+    NULL,       /* set_asn1_parameters */
+    NULL,       /* get_asn1_parameters */
+    chacha20_poly1305_ctrl,
+    NULL        /* app_data */
+};
+
 const EVP_CIPHER *EVP_chacha20_poly1305(void)
 {
     return(&chacha20_poly1305);
 }
+
+const EVP_CIPHER *EVP_chacha20_poly1305_draft(void)
+{
+    return(&chacha20_poly1305_draft);
+}
 # endif
 #endif
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 77b4418cd4..6b3d7f9085 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -1088,7 +1088,7 @@ static const unsigned char so[7845] = {
     0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x08,       /* [ 7836] OBJ_NAIRealm */
 };
 
-#define NUM_NID 1218
+#define NUM_NID 1219
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"UNDEF", "undefined", NID_undef},
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2308,9 +2308,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"modp_4096", "modp_4096", NID_modp_4096},
     {"modp_6144", "modp_6144", NID_modp_6144},
     {"modp_8192", "modp_8192", NID_modp_8192},
+    {"ChaCha20-Poly1305-D", "chacha20-poly1305-draft", NID_chacha20_poly1305_draft},
 };
 
-#define NUM_SN 1209
+#define NUM_SN 1210
 static const unsigned int sn_objs[NUM_SN] = {
      364,    /* "AD_DVCS" */
      419,    /* "AES-128-CBC" */
@@ -2433,6 +2434,7 @@ static const unsigned int sn_objs[NUM_SN] = {
      417,    /* "CSPName" */
     1019,    /* "ChaCha20" */
     1018,    /* "ChaCha20-Poly1305" */
+    1218,    /* "ChaCha20-Poly1305-D" */
      367,    /* "CrlID" */
      391,    /* "DC" */
       31,    /* "DES-CBC" */
@@ -3523,7 +3525,7 @@ static const unsigned int sn_objs[NUM_SN] = {
     1093,    /* "x509ExtAdmission" */
 };
 
-#define NUM_LN 1209
+#define NUM_LN 1210
 static const unsigned int ln_objs[NUM_LN] = {
      363,    /* "AD Time Stamping" */
      405,    /* "ANSI X9.62" */
@@ -3912,6 +3914,7 @@ static const unsigned int ln_objs[NUM_LN] = {
      883,    /* "certificateRevocationList" */
     1019,    /* "chacha20" */
     1018,    /* "chacha20-poly1305" */
+    1218,    /* "chacha20-poly1305-draft" */
       54,    /* "challengePassword" */
      407,    /* "characteristic-two-field" */
      395,    /* "clearance" */
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 15aa1e9772..6fb028c1e8 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -1215,3 +1215,4 @@ modp_3072		1214
 modp_4096		1215
 modp_6144		1216
 modp_8192		1217
+chacha20_poly1305_draft		1218
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index 9819c539b7..bb4a9958d0 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -1549,6 +1549,7 @@ sm-scheme 104 7         : SM4-CTR             : sm4-ctr
 			: AES-192-CBC-HMAC-SHA256	: aes-192-cbc-hmac-sha256
 			: AES-256-CBC-HMAC-SHA256	: aes-256-cbc-hmac-sha256
 			: ChaCha20-Poly1305		: chacha20-poly1305
+			: ChaCha20-Poly1305-D		: chacha20-poly1305-draft
 			: ChaCha20			: chacha20
 
 ISO-US 10046 2 1	: dhpublicnumber		: X9.42 DH
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 7aa56b3e93..da87052bfa 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -985,6 +985,7 @@ const EVP_CIPHER *EVP_camellia_256_ctr(void);
 const EVP_CIPHER *EVP_chacha20(void);
 #  ifndef OPENSSL_NO_POLY1305
 const EVP_CIPHER *EVP_chacha20_poly1305(void);
+const EVP_CIPHER *EVP_chacha20_poly1305_draft(void);
 #  endif
 # endif
 
diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
index 0e564ac6d2..3a074d62cb 100644
--- a/include/openssl/obj_mac.h
+++ b/include/openssl/obj_mac.h
@@ -4857,6 +4857,10 @@
 #define LN_chacha20_poly1305            "chacha20-poly1305"
 #define NID_chacha20_poly1305           1018
 
+#define SN_chacha20_poly1305_draft              "ChaCha20-Poly1305-D"
+#define LN_chacha20_poly1305_draft              "chacha20-poly1305-draft"
+#define NID_chacha20_poly1305_draft             1218
+
 #define SN_chacha20             "ChaCha20"
 #define LN_chacha20             "chacha20"
 #define NID_chacha20            1019
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index c1b6b8e5dc..4f1717c14d 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -131,6 +131,7 @@ extern "C" {
 # define SSL_TXT_CAMELLIA256     "CAMELLIA256"
 # define SSL_TXT_CAMELLIA        "CAMELLIA"
 # define SSL_TXT_CHACHA20        "CHACHA20"
+# define SSL_TXT_CHACHA20_D      "CHACHA20-D"
 # define SSL_TXT_GOST            "GOST89"
 # define SSL_TXT_ARIA            "ARIA"
 # define SSL_TXT_ARIA_GCM        "ARIAGCM"
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 9181e0d2c1..0244b1ab99 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -578,7 +578,12 @@ int SSL_CTX_set_tlsext_ticket_key_evp_cb
 # define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256   0x0300C09A
 # define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384   0x0300C09B
 
-/* draft-ietf-tls-chacha20-poly1305-03 */
+/* Chacha20-Poly1305-Draft ciphersuites from draft-agl-tls-chacha20poly1305-04 */
+# define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_D       0x0300CC13
+# define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D     0x0300CC14
+# define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305_D         0x0300CC15
+
+/* Chacha20-Poly1305 ciphersuites from RFC7905 */
 # define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305         0x0300CCA8
 # define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305       0x0300CCA9
 # define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305           0x0300CCAA
@@ -743,6 +748,9 @@ int SSL_CTX_set_tlsext_ticket_key_evp_cb
 # define TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305         "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
 # define TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305       "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
 # define TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305     "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+# define TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305_D       "OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+# define TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305_D     "OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+# define TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D   "OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
 # define TLS1_RFC_PSK_WITH_CHACHA20_POLY1305             "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"
 # define TLS1_RFC_ECDHE_PSK_WITH_CHACHA20_POLY1305       "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
 # define TLS1_RFC_DHE_PSK_WITH_CHACHA20_POLY1305         "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
@@ -1071,7 +1079,12 @@ int SSL_CTX_set_tlsext_ticket_key_evp_cb
 # define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    "ECDH-RSA-CAMELLIA128-SHA256"
 # define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    "ECDH-RSA-CAMELLIA256-SHA384"
 
-/* draft-ietf-tls-chacha20-poly1305-03 */
+/* Chacha20-Poly1305-Draft ciphersuites from draft-agl-tls-chacha20poly1305-04 */
+# define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_D       "ECDHE-RSA-CHACHA20-POLY1305-OLD"
+# define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D     "ECDHE-ECDSA-CHACHA20-POLY1305-OLD"
+# define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_D         "DHE-RSA-CHACHA20-POLY1305-OLD"
+
+/* Chacha20-Poly1305 ciphersuites from RFC7905 */
 # define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305         "ECDHE-RSA-CHACHA20-POLY1305"
 # define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305       "ECDHE-ECDSA-CHACHA20-POLY1305"
 # define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305           "DHE-RSA-CHACHA20-POLY1305"
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 706290be9b..9733581b0c 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2083,6 +2083,54 @@ static SSL_CIPHER ssl3_ciphers[] = {
      256,
      256,
      },
+    {
+      1,
+      TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_D,
+      TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305_D,
+      TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305_D,
+      SSL_kDHE,
+      SSL_aRSA,
+      SSL_CHACHA20POLY1305_D,
+      SSL_AEAD,
+      TLS1_2_VERSION, TLS1_2_VERSION,
+      DTLS1_2_VERSION, DTLS1_2_VERSION,
+      SSL_HIGH,
+      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+      256,
+      256,
+     },
+    {
+     1,
+     TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
+     TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
+     TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
+     SSL_kECDHE,
+     SSL_aRSA,
+     SSL_CHACHA20POLY1305_D,
+     SSL_AEAD,
+     TLS1_2_VERSION, TLS1_2_VERSION,
+     DTLS1_2_VERSION, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+    {
+     1,
+     TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
+     TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
+     TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_CHACHA20POLY1305_D,
+     SSL_AEAD,
+     TLS1_2_VERSION, TLS1_2_VERSION,
+     DTLS1_2_VERSION, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
     {
      1,
      TLS1_TXT_PSK_WITH_CHACHA20_POLY1305,
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 64c791636a..55f744dc53 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -53,6 +53,7 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
     {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */
     {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */
     {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */
+    {SSL_CHACHA20POLY1305_D, NID_chacha20_poly1305_draft}, /* SSL_ENC_CHACHA20POLY1305_IDX 22 */
 };
 
 #define SSL_COMP_NULL_IDX       0
@@ -237,6 +238,7 @@ static const SSL_CIPHER cipher_aliases[] = {
     {0, SSL_TXT_CAMELLIA256, NULL, 0, 0, 0, SSL_CAMELLIA256},
     {0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA},
     {0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20},
+    {0, SSL_TXT_CHACHA20_D, NULL, 0, 0, 0, SSL_CHACHA20POLY1305_D},
 
     {0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA},
     {0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM},
@@ -1776,6 +1778,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     case SSL_CHACHA20POLY1305:
         enc = "CHACHA20/POLY1305(256)";
         break;
+    case SSL_CHACHA20POLY1305_D:
+        enc = "CHACHA20/POLY1305-Draft(256)";
+        break;
     default:
         enc = "unknown";
         break;
@@ -2095,7 +2100,7 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
         out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16;
     } else if (c->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) {
         out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 8;
-    } else if (c->algorithm_enc & SSL_CHACHA20POLY1305) {
+    } else if (c->algorithm_enc & (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_D)) {
         out = 16;
     } else if (c->algorithm_mac & SSL_AEAD) {
         /* We're supposed to have handled all the AEAD modes above */
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 31c01328ce..d9aee332f1 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -234,12 +234,13 @@
 # define SSL_CHACHA20POLY1305    0x00080000U
 # define SSL_ARIA128GCM          0x00100000U
 # define SSL_ARIA256GCM          0x00200000U
+# define SSL_CHACHA20POLY1305_D  0x00400000U
 
 # define SSL_AESGCM              (SSL_AES128GCM | SSL_AES256GCM)
 # define SSL_AESCCM              (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
 # define SSL_AES                 (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM)
 # define SSL_CAMELLIA            (SSL_CAMELLIA128|SSL_CAMELLIA256)
-# define SSL_CHACHA20            (SSL_CHACHA20POLY1305)
+# define SSL_CHACHA20            (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_D)
 # define SSL_ARIAGCM             (SSL_ARIA128GCM | SSL_ARIA256GCM)
 # define SSL_ARIA                (SSL_ARIAGCM)
 
@@ -413,7 +414,8 @@
 # define SSL_ENC_CHACHA_IDX      19
 # define SSL_ENC_ARIA128GCM_IDX  20
 # define SSL_ENC_ARIA256GCM_IDX  21
-# define SSL_ENC_NUM_IDX         22
+# define SSL_ENC_CHACHA20_D_IDX  22
+# define SSL_ENC_NUM_IDX         23
 
 /*-
  * SSL_kRSA <- RSA_ENC
diff --git a/util/libcrypto.num b/util/libcrypto.num
index dc6515cfc9..8d8fc45acf 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4918,3 +4918,4 @@ PKCS8_pkey_add1_attr_by_OBJ             ?	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_private_check                  ?	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_pairwise_check                 ?	3_0_0	EXIST::FUNCTION:
 ASN1_item_verify_ctx                    ?	3_0_0	EXIST::FUNCTION:
+EVP_chacha20_poly1305_draft             ?	3_0_0	EXIST::FUNCTION:CHACHA,POLY1305