diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index 53b91ddb942..c9a853193fa 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -4,6 +4,7 @@ comment "Build Options" config OPENSSL_OPTIMIZE_SPEED bool + default y if x86_64 || i386 prompt "Enable optimization for speed instead of size" select OPENSSL_WITH_ASM help @@ -15,7 +16,7 @@ config OPENSSL_OPTIMIZE_SPEED config OPENSSL_WITH_ASM bool - default y + default y if !SMALL_FLASH || !arm prompt "Compile with optimized assembly code" depends on !arc help @@ -63,6 +64,7 @@ config OPENSSL_NO_DEPRECATED config OPENSSL_WITH_ERROR_MESSAGES bool + default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT prompt "Include error messages" help This option aids debugging, but increases package size and @@ -147,6 +149,18 @@ config OPENSSL_WITH_CHACHA_POLY1305 It is 3x faster than AES, when not using a CPU with AES-specific instructions, as is the case of most embedded devices. +config OPENSSL_PREFER_CHACHA_OVER_GCM + bool + default y if !x86_64 && !aarch64 + prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default" + depends on OPENSSL_WITH_CHACHA_POLY1305 + help + The default openssl preference is for AES-GCM before ChaCha, but + that takes into account AES-NI capable chips. It is not the + case with most embedded chips, so it may be better to invert + that preference. This is just for the default case. The + application can always override this. + config OPENSSL_WITH_PSK bool default y diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 27746c15c62..68cd8fde6b2 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -35,6 +35,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_ENGINE_CRYPTO \ CONFIG_OPENSSL_NO_DEPRECATED \ CONFIG_OPENSSL_OPTIMIZE_SPEED \ + CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \ CONFIG_OPENSSL_WITH_ARIA \ CONFIG_OPENSSL_WITH_ASM \ CONFIG_OPENSSL_WITH_ASYNC \ @@ -153,6 +154,10 @@ endif ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305 OPENSSL_OPTIONS += no-chacha no-poly1305 +else + ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM + OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM + endif endif ifndef CONFIG_OPENSSL_WITH_ASYNC diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch new file mode 100644 index 00000000000..9cbe2213885 --- /dev/null +++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch @@ -0,0 +1,78 @@ +From 286e015bf0d30530707a5e7b3b871509f2ab50d7 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 27 Sep 2018 08:44:39 -0300 +Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option + +This enables a compile-time option to prefer ChaCha20-Poly1305 over +AES-GCM in the openssl default ciphersuite, which is useful in systems +without AES specific CPU instructions. +OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it. + +Note that this does not have the same effect as the +SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only +when the client has it on top of its ciphersuite preference. + +Signed-off-by: Eneas U de Queiroz + +--- a/include/openssl/ssl.h ++++ b/include/openssl/ssl.h +@@ -173,9 +173,15 @@ extern "C" { + # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" + /* This is the default set of TLSv1.3 ciphersuites */ + # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) +-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ +- "TLS_CHACHA20_POLY1305_SHA256:" \ +- "TLS_AES_128_GCM_SHA256" ++# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM ++# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \ ++ "TLS_AES_256_GCM_SHA384:" \ ++ "TLS_AES_128_GCM_SHA256" ++# else ++# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ ++ "TLS_CHACHA20_POLY1305_SHA256:" \ ++ "TLS_AES_128_GCM_SHA256" ++# endif + # else + # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ + "TLS_AES_128_GCM_SHA256" +--- a/ssl/ssl_ciph.c ++++ b/ssl/ssl_ciph.c +@@ -1464,11 +1464,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, + &tail); + ++ /* ++ * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305 ++ * will be placed before AES-256. Otherwise, the default behavior of ++ * preferring GCM over CHACHA is used. ++ * This is useful for systems that do not have AES-specific CPU ++ * instructions, where ChaCha20-Poly1305 is 3 times faster than AES. ++ * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA ++ * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top ++ * of its ciphersuite preference. ++ */ ++ ++#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM ++ ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, ++ &head, &tail); ++ ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, ++ &head, &tail); ++#else + /* Within each strength group, we prefer GCM over CHACHA... */ + ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, + &head, &tail); + ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, + &head, &tail); ++#endif + + /* + * ...and generally, our preferred cipher is AES. +@@ -1524,7 +1542,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * Within each group, ciphers remain sorted by strength and previous + * preference, i.e., + * 1) ECDHE > DHE +- * 2) GCM > CHACHA ++ * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined + * 3) AES > rest + * 4) TLS 1.2 > legacy + *