authorEneas U de Queiroz <cote2004-github@yahoo.com>2018-10-24 11:25:00 -0300
committerHauke Mehrtens <hauke@hauke-m.de>2019-02-12 22:23:26 +0100
commitd872d00b2f7e31b98e11e83922d1aaefc270647e (patch)
tree70a74b004144e1a2d16c71b6d4aff626e085c498 /package/libs/openssl/Config.in
parentbe3892284ca77a69615351b106b8dfbadad728c4 (diff)
openssl: update to version 1.1.1a
This version adds the following functionality: * TLS 1.3 * AFALG engine support for hardware acceleration * x25519 ECC curve support * CRIME protection: disable use of compression by default * Support for ChaCha20 and Poly1305 Patches fixing bugs in the /dev/crypto engine were applied, from https://github.com/openssl/openssl/pull/7585 This increases the size of the ipk binary on MIPS32 by about 32%: old: 693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk 193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk new: 912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk 239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Diffstat (limited to 'package/libs/openssl/Config.in')
-rw-r--r--package/libs/openssl/Config.in65
1 files changed, 61 insertions, 4 deletions
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index fe73229915..53b91ddb94 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -53,7 +53,9 @@ config OPENSSL_WITH_DEPRECATED
default y
prompt "Include deprecated APIs (See help for a list of packages that need this)"
help
- Squid currently requires this.
+ Since openssl 1.1.x is still new to openwrt, some packages
+ requiring this option do not list it as a requirement yet:
+ * freeswitch-stable, freeswitch, python, python3, squid.
config OPENSSL_NO_DEPRECATED
bool
@@ -68,6 +70,21 @@ config OPENSSL_WITH_ERROR_MESSAGES
comment "Protocol Support"
+config OPENSSL_WITH_TLS13
+ bool
+ default y
+ prompt "Enable support for TLS 1.3"
+ select OPENSSL_WITH_EC
+ help
+ TLS 1.3 is the newest version of the TLS specification.
+ It aims:
+ * to increase the overall security of the protocol,
+ removing outdated algorithms, and encrypting more of the
+ protocol;
+ * to increase performance by reducing the number of round-trips
+ when performing a full handshake.
+ It increases package size by ~4KB.
+
config OPENSSL_WITH_DTLS
bool
prompt "Enable DTLS support"
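Review bot: The help for `OPENSSL_WITH_TLS13` quotes a cost of ~4KB but does not say that `select OPENSSL_WITH_EC` forces elliptic-curve support on. Because the option is `default y`, a configuration that had EC switched off to save space gets it re-enabled, and the real size increase is then larger than the help states. I would add a help line such as `Enabling this option also forces OPENSSL_WITH_EC on.` Note that `select` ignores the selected symbol's own dependencies; `OPENSSL_WITH_EC` is defined outside this hunk, so whether it has any should be checked.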
@@ -120,6 +137,16 @@ config OPENSSL_WITH_EC2M
This option enables the more efficient, yet less common, binary
field elliptic curves.
+config OPENSSL_WITH_CHACHA_POLY1305
+ bool
+ default y
+ prompt "Enable ChaCha20-Poly1305 ciphersuite support"
+ help
+ ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
+ combining ChaCha stream cipher with Poly1305 MAC.
+ It is 3x faster than AES, when not using a CPU with AES-specific
+ instructions, as is the case of most embedded devices.
+
config OPENSSL_WITH_PSK
bool
default y
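Review bot: The "3x faster than AES" figure in the `OPENSSL_WITH_CHACHA_POLY1305` help is given as a fact, with no platform or source, while the actual ratio depends on the target and on which AES implementation is built. I would soften it to `It is typically several times faster than AES on CPUs without AES-specific instructions,`. ChaCha20-Poly1305 is an AEAD cipher used by several ciphersuites rather than a ciphersuite itself, so the prompt could read `"Enable ChaCha20-Poly1305 cipher support"`.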
@@ -129,6 +156,12 @@ config OPENSSL_WITH_PSK
comment "Less commonly used build options"
+config OPENSSL_WITH_ARIA
+ bool
+ prompt "Enable ARIA support"
+ help
+ ARIA is a block cipher developed in South Korea, based on AES.
+
config OPENSSL_WITH_CAMELLIA
bool
prompt "Enable Camellia cipher support"
@@ -149,6 +182,23 @@ config OPENSSL_WITH_SEED
SEED is a block cipher with 128-bit keys broadly used in
South Korea, but seldom found elsewhere.
+config OPENSSL_WITH_SM234
+ bool
+ prompt "Enable SM2/3/4 algorithms support"
+ help
+ These algorithms are a set of "Commercial Cryptography"
+ algorithms approved for use in China.
+ * SM2 is an EC algorithm equivalent to ECDSA P-256
+ * SM3 is a hash function equivalent to SHA-256
+ * SM4 is a 128-block cipher equivalent to AES-128
+
+config OPENSSL_WITH_BLAKE2
+ bool
+ prompt "Enable BLAKE2 digest support"
+ help
+ BLAKE2 is a cryptographic hash function based on the ChaCha
+ stream cipher.
+
config OPENSSL_WITH_MDC2
bool
prompt "Enable MDC2 digest support"
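Review bot: In the `OPENSSL_WITH_SM234` help, "equivalent to" reads as if SM2, SM3 and SM4 interoperate with ECDSA P-256, SHA-256 and AES-128. They are separate algorithms that are only comparable in parameter size, so a user who enables this expecting a drop-in replacement would be misled. I would write `comparable in strength to` on all three bullets. "128-block cipher" is also a typo; the last bullet could be `* SM4 is a block cipher with 128-bit blocks and keys, comparable to AES-128`.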
@@ -199,10 +249,14 @@ config OPENSSL_ENGINE_CRYPTO
API modules) for /dev/crypto to show up and use hardware
acceleration; otherwise it falls back to software.
-config OPENSSL_ENGINE_DIGEST
+config OPENSSL_WITH_ASYNC
bool
- depends on OPENSSL_ENGINE_CRYPTO
- prompt "/dev/crypto digest (md5/sha1) acceleration support"
+ prompt "Enable asynchronous jobs support"
+ depends on OPENSSL_ENGINE && USE_GLIBC
+ help
+ Enables async-aware applications to be able to use OpenSSL to
+ initiate crypto operations asynchronously. In order to work
+ this will require the presence of an async capable engine.
config OPENSSL_WITH_GOST
bool
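Review bot: The `USE_GLIBC` dependency on `OPENSSL_WITH_ASYNC` is not explained in the help, so on other libc builds the option simply vanishes from the menu with no hint why. Presumably it is there because OpenSSL's async jobs rely on context-switching functions that the other supported C libraries lack; if so, a help line such as `Only available with glibc, which provides the context-switching functions this feature needs.` would make that visible. The same hunk removes `OPENSSL_ENGINE_DIGEST`, so any remaining `CONFIG_OPENSSL_ENGINE_DIGEST` reference in the package Makefile (not part of this file's diff) would go dead without warning. `OPENSSL_ENGINE` is defined outside the visible hunks and should be confirmed to exist, since a dependency on an undefined symbol is never satisfied.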
@@ -211,6 +265,9 @@ config OPENSSL_WITH_GOST
help
This option prepares the library to accept engine support
for Russian GOST crypto algorithms.
+ The gost engine is not included in standard openwrt feeds.
+ To build such engine yourself, see:
+ https://github.com/gost-engine/engine
endif
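Review bot: The added `OPENSSL_WITH_GOST` help sends users to build an out-of-tree engine from a bare repository URL, with no release, tag or branch named. An engine is loaded into every process that uses libcrypto, so building it from an unpinned checkout puts unreviewed code in a sensitive place and may not match the packaged OpenSSL series. I would add a line such as `Build it from a release that matches this OpenSSL version.` The `config OPENSSL_WITH_GOST` block starts outside this hunk.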