[OpenWrt-Devel,v2,1/1] ustream-ssl: mbedtls: use chacha-poly ciphersuites

Message ID mailman.14237.1533131997.25356.openwrt-devel@lists.openwrt.org
State New
Delegated to: Felix Fietkau
Headers show
Series
  • ustream-ssl: mbedtls: use chacha-poly ciphersuites
Related show

Commit Message

Steven Honson via openwrt-devel Aug. 1, 2018, 1:59 p.m.
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
These ciphersuites were added in mbedtls v2.12.0, our current version,
so we may add them to the ustream-ssl ciphersuite list.
They were already part of the list for openssl and wolfssl.
Chacha20-Poly1305 is a 256-bit cipher with AEAD, much faster than AES on
CPUs without special AES instructions (the case for most embedded
chips).

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

Patch

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 347c600..b7d7629 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -94,7 +94,9 @@  static int _urandom(void *ctx, unsigned char *out, size_t len)
 
 static const int default_ciphersuites_server[] =
 {
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
 	AES_CIPHERS(ECDHE_ECDSA),
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 	AES_CIPHERS(ECDHE_RSA),
 	AES_CIPHERS(RSA),
 	0
@@ -102,8 +104,11 @@  static const int default_ciphersuites_server[] =
 
 static const int default_ciphersuites_client[] =
 {
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
 	AES_CIPHERS(ECDHE_ECDSA),
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 	AES_CIPHERS(ECDHE_RSA),
+	MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 	AES_CIPHERS(DHE_RSA),
 	MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
 	AES_CIPHERS(RSA),