From patchwork Wed Aug  1 13:59:58 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Thomas Richard via openwrt-devel
 <openwrt-devel@lists.openwrt.org>
X-Patchwork-Id: 952204
X-Patchwork-Delegate: nbd@openwrt.org
Return-Path: 
 <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=lists.openwrt.org
	(client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org;
	envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=lists.openwrt.org
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=lists.infradead.org
	header.i=@lists.infradead.org header.b="JjBqwJyY";
	dkim-atps=neutral
Received: from bombadil.infradead.org (bombadil.infradead.org
	[IPv6:2607:7c80:54:e::133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 41gZgl3gwYz9s3q
	for <incoming@patchwork.ozlabs.org>;
	Thu,  2 Aug 2018 00:00:03 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209;
	h=Date:Sender:Content-Type:
	Subject:List-Help:Reply-To:List-Archive:List-Unsubscribe:List-Subscribe:Cc:
	From:List-Post:List-Id:Message-ID:MIME-Version:References:In-Reply-To:To:
	Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	bh=mcjPJYQga2D1sBST65kAlzRuX9DkYGOvT2Qa+CJb6zc=;
	b=JjBqwJyYlOWIPOKRaiQTbV5Di
	2N5CRlcBzpul2YddrIvJ1VuDCY4RfjnCWJ7VflkHfM+IkCfE8chsfQ0mT9Jqrh0tcWGByjn5Nh7/e
	UYFz3Z24jNxggi3Bl1+GZk6Mwxhdm9Teb5KlpxOSvlU8/fnnlXdo4uVntHinqp8/a6rQWsj49HQ/w
	I+TSvsrELiFRYpgdDsnmSaSbW10hJPQ677w+WRpJs6CGx5WRzHlpQZMWGnpTUmCLhHFTuJpQLAp3R
	5JzsN5HnYhURSGK1gRJgEQ5AbhVfKjXyioVU9QL6BwU9b0AYS2M3driadBiiAIIkLggHxYWMiWC/x
	v2zB7yWXA==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux))
	id 1fkrfS-0008Qh-Ej; Wed, 01 Aug 2018 13:59:58 +0000
To: openwrt-devel@lists.openwrt.org
In-Reply-To: <20180801135913.5960-1-cote2004-github@yahoo.com>
References: <580f0e74-866b-67bf-d23e-ed7efe377bfd@phrozen.org>
	<20180801135913.5960-1-cote2004-github@yahoo.com>
MIME-Version: 1.0
Message-ID: <mailman.14237.1533131997.25356.openwrt-devel@lists.openwrt.org>
List-Id: <openwrt-devel.lists.openwrt.org>
List-Post: <mailto:openwrt-devel@lists.openwrt.org>
X-Patchwork-Original-From: Eneas U de Queiroz via openwrt-devel
 <openwrt-devel@lists.openwrt.org>
From: Thomas Richard via openwrt-devel <openwrt-devel@lists.openwrt.org>
Precedence: list
Cc: Eneas U de Queiroz <cote2004-github@yahoo.com>
X-Mailman-Version: 2.1.21
X-BeenThere: openwrt-devel@lists.openwrt.org
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/openwrt-devel>,
	<mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/openwrt-devel>,
	<mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/openwrt-devel/>
Reply-To: Eneas U de Queiroz <cote2004-github@yahoo.com>
List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
Subject: [OpenWrt-Devel] [PATCH v2 1/1] ustream-ssl: mbedtls: use
	chacha-poly ciphersuites
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
Date: Wed, 01 Aug 2018 13:59:58 +0000
Errors-To: 
 openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org

The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
These ciphersuites were added in mbedtls v2.12.0, our current version,
so we may add them to the ustream-ssl ciphersuite list.
They were already part of the list for openssl and wolfssl.
Chacha20-Poly1305 is a 256-bit cipher with AEAD, much faster than AES on
CPUs without special AES instructions (the case for most embedded
chips).

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 347c600..b7d7629 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -94,7 +94,9 @@ static int _urandom(void *ctx, unsigned char *out, size_t len)
 
 static const int default_ciphersuites_server[] =
 {
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
 	AES_CIPHERS(ECDHE_ECDSA),
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 	AES_CIPHERS(ECDHE_RSA),
 	AES_CIPHERS(RSA),
 	0
@@ -102,8 +104,11 @@ static const int default_ciphersuites_server[] =
 
 static const int default_ciphersuites_client[] =
 {
+	MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
 	AES_CIPHERS(ECDHE_ECDSA),
+	MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 	AES_CIPHERS(ECDHE_RSA),
+	MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 	AES_CIPHERS(DHE_RSA),
 	MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
 	AES_CIPHERS(RSA),