From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenSSL: drop preferring of Chacha20/Poly1305 over AES-GCM
Date: Mon, 04 Nov 2019 18:27:51 +0000
In-Reply-To: <04de0dcf-7bb6-6075-2681-56e541e153fd@ipfire.org>

Hi,

Acked-by: Michael Tremer

> On 4 Nov 2019, at 18:24, peter.mueller(a)ipfire.org wrote:
>
> As hardware acceleration for AES is emerging (Fireinfo indicates
> 30.98% of reporting installations support this, compared to
> 28.22% in summer), there is no more reason to manually prefer
> Chacha20/Poly1305 over it.
>
> Further, overall performance is expected to increase as server
> CPUs usually come with AES-NI today, where Chacha/Poly would
> be an unnecessary bottleneck. Small systems without AES-NI,
> however, compute Chacha/Poly measurably, but not significantly faster,
> so there only was a small advantage of this.

I would like to highlight that practically all mobile phones have AES-NI as well and that we do not have any applications here which have very heavy encryption load where this could not be changed to something that would suit the used hardware better.

>
> This patch changes the OpenSSL default ciphersuite to:
>
> TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any  Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
> TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256)            Mac=AEAD
> TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(128)            Mac=AEAD
> ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
> ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128)            Mac=AEAD
> ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256)            Mac=AEAD
> ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2 Kx=ECDH Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(128)            Mac=AEAD
> ECDHE-ECDSA-AES256-SHA384      TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)               Mac=SHA384
> ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256)          Mac=SHA384
> ECDHE-RSA-AES256-SHA384        TLSv1.2 Kx=ECDH Au=RSA   Enc=AES(256)               Mac=SHA384
> ECDHE-RSA-CAMELLIA256-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=Camellia(256)          Mac=SHA384
> ECDHE-ECDSA-AES128-SHA256      TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)               Mac=SHA256
> ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128)          Mac=SHA256
> ECDHE-RSA-AES128-SHA256        TLSv1.2 Kx=ECDH Au=RSA   Enc=AES(128)               Mac=SHA256
> ECDHE-RSA-CAMELLIA128-SHA256   TLSv1.2 Kx=ECDH Au=RSA   Enc=Camellia(128)          Mac=SHA256
> DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(256)            Mac=AEAD
> DHE-RSA-CHACHA20-POLY1305      TLSv1.2 Kx=DH   Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256      TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(128)            Mac=AEAD
> DHE-RSA-AES256-SHA256          TLSv1.2 Kx=DH   Au=RSA   Enc=AES(256)               Mac=SHA256
> DHE-RSA-CAMELLIA256-SHA256     TLSv1.2 Kx=DH   Au=RSA   Enc=Camellia(256)          Mac=SHA256
> DHE-RSA-AES128-SHA256          TLSv1.2 Kx=DH   Au=RSA   Enc=AES(128)               Mac=SHA256
> DHE-RSA-CAMELLIA128-SHA256     TLSv1.2 Kx=DH   Au=RSA   Enc=Camellia(128)          Mac=SHA256
> ECDHE-ECDSA-AES256-SHA         TLSv1   Kx=ECDH Au=ECDSA Enc=AES(256)               Mac=SHA1
> ECDHE-ECDSA-AES128-SHA         TLSv1   Kx=ECDH Au=ECDSA Enc=AES(128)               Mac=SHA1
> ECDHE-RSA-AES256-SHA           TLSv1   Kx=ECDH Au=RSA   Enc=AES(256)               Mac=SHA1
> ECDHE-RSA-AES128-SHA           TLSv1   Kx=ECDH Au=RSA   Enc=AES(128)               Mac=SHA1
> DHE-RSA-AES256-SHA             SSLv3   Kx=DH   Au=RSA   Enc=AES(256)               Mac=SHA1
> DHE-RSA-CAMELLIA256-SHA        SSLv3   Kx=DH   Au=RSA   Enc=Camellia(256)          Mac=SHA1
> DHE-RSA-AES128-SHA             SSLv3   Kx=DH   Au=RSA   Enc=AES(128)               Mac=SHA1
> DHE-RSA-CAMELLIA128-SHA        SSLv3   Kx=DH   Au=RSA   Enc=Camellia(128)          Mac=SHA1
> AES256-GCM-SHA384              TLSv1.2 Kx=RSA  Au=RSA   Enc=AESGCM(256)            Mac=AEAD
> AES128-GCM-SHA256              TLSv1.2 Kx=RSA  Au=RSA   Enc=AESGCM(128)            Mac=AEAD
> AES256-SHA256                  TLSv1.2 Kx=RSA  Au=RSA   Enc=AES(256)               Mac=SHA256
> CAMELLIA256-SHA256             TLSv1.2 Kx=RSA  Au=RSA   Enc=Camellia(256)          Mac=SHA256
> AES128-SHA256                  TLSv1.2 Kx=RSA  Au=RSA   Enc=AES(128)               Mac=SHA256
> CAMELLIA128-SHA256             TLSv1.2 Kx=RSA  Au=RSA   Enc=Camellia(128)          Mac=SHA256
> AES256-SHA                     SSLv3   Kx=RSA  Au=RSA   Enc=AES(256)               Mac=SHA1
> CAMELLIA256-SHA                SSLv3   Kx=RSA  Au=RSA   Enc=Camellia(256)          Mac=SHA1
> AES128-SHA                     SSLv3   Kx=RSA  Au=RSA   Enc=AES(128)               Mac=SHA1
> CAMELLIA128-SHA                SSLv3   Kx=RSA  Au=RSA   Enc=Camellia(128)          Mac=SHA1
>
> Signed-off-by: Peter Müller
> ---
>  lfs/openssl                                         |  2 +-
>  src/patches/openssl-1.1.1c-default-cipherlist.patch | 18 ------------------
>  src/patches/openssl-1.1.1d-default-cipherlist.patch | 11 +++++++++++
>  3 files changed, 12 insertions(+), 19 deletions(-)
>  delete mode 100644 src/patches/openssl-1.1.1c-default-cipherlist.patch
>  create mode 100644 src/patches/openssl-1.1.1d-default-cipherlist.patch
>
> diff --git a/lfs/openssl b/lfs/openssl > index f5aa7c3f9..8d978f171 100644 > --- a/lfs/openssl > +++ b/lfs/openssl > @@ -117,7 +117,7 @@ $(subst %,%_MD5,$(objects)) : > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1c-defau= lt-cipherlist.patch > + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1d-defau= lt-cipherlist.patch >=20 > # Apply our CFLAGS > cd $(DIR_APP) && sed -i Configure \ > diff --git a/src/patches/openssl-1.1.1c-default-cipherlist.patch b/src/patc= hes/openssl-1.1.1c-default-cipherlist.patch > deleted file mode 100644 > index 72f6ce3b1..000000000 > --- a/src/patches/openssl-1.1.1c-default-cipherlist.patch > +++ /dev/null > @@ -1,18 +0,0 @@ > -diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/includ= e/openssl/ssl.h > ---- openssl-1.1.1c.orig/include/openssl/ssl.h 2019-06-10 20:41:21.20914001= 2 +0200 > -+++ openssl-1.1.1c/include/openssl/ssl.h 2019-06-10 20:42:26.733973129 +02= 00 > -@@ -170,11 +170,11 @@ > - * an application-defined cipher list string starts with 'DEFAULT'. > - * This applies to ciphersuites for TLSv1.2 and below. > - */ > --# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" > -+# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH= :+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS" > - /* This is the default set of TLSv1.3 ciphersuites */ > - # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) > --# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ > -- "TLS_CHACHA20_POLY1305_SHA256:" \ > -+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \ > -+ "TLS_AES_256_GCM_SHA384:" \ > - "TLS_AES_128_GCM_SHA256" > - # else > - # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ 
> diff --git a/src/patches/openssl-1.1.1d-default-cipherlist.patch b/src/patc= hes/openssl-1.1.1d-default-cipherlist.patch > new file mode 100644 > index 000000000..5ad7829e7 > --- /dev/null > +++ b/src/patches/openssl-1.1.1d-default-cipherlist.patch > @@ -0,0 +1,11 @@ > +--- openssl-1.1.1d.orig/include/openssl/ssl.h 2019-11-04 19:13:08.80190579= 6 +0100 > ++++ openssl-1.1.1d/include/openssl/ssl.h 2019-11-04 19:14:05.229896747 +01= 00 > +@@ -170,7 +170,7 @@ > + * an application-defined cipher list string starts with 'DEFAULT'. > + * This applies to ciphersuites for TLSv1.2 and below. > + */ > +-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" > ++# define SSL_DEFAULT_CIPHER_LIST "HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kR= SA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS" > + /* This is the default set of TLSv1.3 ciphersuites */ > + # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) > + # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ > --=20 > 2.16.4 --===============4415393365057815350==--
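
Review bot: In the lfs/openssl hunk, the `patch -Np1` line hard-codes the OpenSSL version in the patch file name (1.1.1c before, 1.1.1d now), so every version bump forces a file rename plus an edit of this line even when the cipher list itself is unchanged. A version-independent file name for the default-cipherlist patch would keep future diffs limited to the actual cipher string change and make them easier to review.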
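
Review bot: In the new openssl-1.1.1d-default-cipherlist.patch hunk, the context line `# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \` is left untouched, whereas the deleted 1.1.1c patch rewrote that define to put TLS_CHACHA20_POLY1305_SHA256 first. The cipher listing in the commit message still shows TLS_CHACHA20_POLY1305_SHA256 ahead of TLS_AES_256_GCM_SHA384 for TLSv1.3, which does not match the define this patch leaves in place. Please regenerate the listing from a build with the new patch applied so the commit message documents the order that actually ships.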
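
The effect of the two SSL_DEFAULT_CIPHER_LIST strings in the patch above on TLS 1.2 suite order can be checked against a local OpenSSL build. This is an added example, not part of the original mail or the IPFire tree; it uses Python's ssl module, the function names are illustrative, and the exact suite set depends on the OpenSSL library Python is linked against.

```python
import ssl

# The two SSL_DEFAULT_CIPHER_LIST values from the patch (old 1.1.1c, new 1.1.1d).
OLD_RULE = ("CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:"
            "!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS")
NEW_RULE = ("HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:"
            "!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS")


def effective_order(rule):
    """Expand an OpenSSL rule string into the ordered TLS <= 1.2 suite names.

    TLSv1.3 suites are dropped: they come from TLS_DEFAULT_CIPHERSUITES and
    are not influenced by the rule string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(rule)  # raises ssl.SSLError if the rule selects nothing
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def first_rank(names, predicate):
    """Index of the first suite matching predicate, or None if absent."""
    return next((i for i, n in enumerate(names) if predicate(n)), None)


def aead_preference(rule):
    """Return which AEAD family is listed first under the given rule."""
    names = effective_order(rule)
    chacha = first_rank(names, lambda n: "CHACHA20" in n)
    aesgcm = first_rank(names, lambda n: "AES" in n and "GCM" in n)
    if chacha is None or aesgcm is None:
        # One family is not compiled in; the other wins by default.
        return "aes-gcm" if chacha is None else "chacha20"
    return "chacha20" if chacha < aesgcm else "aes-gcm"


def reorder_only(old_rule, new_rule):
    """True if both rules select the same suites and differ only in order."""
    return set(effective_order(old_rule)) == set(effective_order(new_rule))


if __name__ == "__main__":
    for label, rule in (("1.1.1c patch", OLD_RULE), ("1.1.1d patch", NEW_RULE)):
        print(label, "->", aead_preference(rule), effective_order(rule)[:3])
    print("same suite set:", reorder_only(OLD_RULE, NEW_RULE))
```

Dropping the leading `CHACHA20` term only changes the order; no suite is added or removed, so clients that offer only ChaCha20/Poly1305 still connect.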