chacha20-poly1305 support

[edwintorok]

ChaCha20-Poly1305 has been adopted as RFC7539, and will be useful when it is approved for TLS.
Although Chrome already uses it, so it might be useful even before that.

It is a lot faster than AES-GCM when there is no hardware acceleration available, especially on ARM, but AFAIK ocaml-nocrypto doesn't use AES-NI so ChaCha20-Poly1305 will probably always be faster.

[pqwy]

It will be a useful addition, true. I'll slowly investigate the options here.

OTOH nocrypto does use AES-NI with bulk performance in simple encryption/decryption with CTR and CBC neck-to-neck with openssl's libcrypt. 😄

The branch needs a little more polish in some modes to get merged, and is the very next thing on TODO.

[hannesm]

according to the IETF tls working group mailing list, this is not yet standardised (crypto and algorithms are, ciphersuite isn't). a draft (which is not precise) is at https://tools.ietf.org/html/draft-mavrogiannopoulos-chacha-tls-05 and will get more precise and might be published on standard track http://www.ietf.org/mail-archive/web/tls/current/msg16322.html

[pqwy]

Now, this is not to say ChaCha/Poly will not happen, but, uhm, this.

[cfcs]

FWIW I believe this is no longer in draft status:

• crypto primitives (ChaCha20 + Poly1305): https://tools.ietf.org/html/rfc7539
• TLS ciphersuite (that @hannesm was referencing above): https://tools.ietf.org/html/rfc7905