From d872d00b2f7e31b98e11e83922d1aaefc270647e Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Wed, 24 Oct 2018 11:25:00 -0300 Subject: openssl: update to version 1.1.1a This version adds the following functionality: * TLS 1.3 * AFALG engine support for hardware accelleration * x25519 ECC curve support * CRIME protection: disable use of compression by default * Support for ChaCha20 and Poly1305 Patches fixing bugs in the /dev/crypto engine were applied, from https://github.com/openssl/openssl/pull/7585 This increses the size of the ipk binray on MIPS32 by about 32%: old: 693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk 193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk new: 912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk 239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Config.in | 65 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 61 insertions(+), 4 deletions(-) (limited to 'package/libs/openssl/Config.in') diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index fe73229915..53b91ddb94 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -53,7 +53,9 @@ config OPENSSL_WITH_DEPRECATED default y prompt "Include deprecated APIs (See help for a list of packages that need this)" help - Squid currently requires this. + Since openssl 1.1.x is still new to openwrt, some packages + requiring this option do not list it as a requirement yet: + * freeswitch-stable, freeswitch, python, python3, squid. config OPENSSL_NO_DEPRECATED bool @@ -68,6 +70,21 @@ config OPENSSL_WITH_ERROR_MESSAGES comment "Protocol Support" +config OPENSSL_WITH_TLS13 + bool + default y + prompt "Enable support for TLS 1.3" + select OPENSSL_WITH_EC + help + TLS 1.3 is the newest version of the TLS specification. + It aims: + * to increase the overall security of the protocol, + removing outdated algorithms, and encrypting more of the + protocol; + * to increase performance by reducing the number of round-trips + when performing a full handshake. + It increases package size by ~4KB. + config OPENSSL_WITH_DTLS bool prompt "Enable DTLS support" @@ -120,6 +137,16 @@ config OPENSSL_WITH_EC2M This option enables the more efficient, yet less common, binary field elliptic curves. +config OPENSSL_WITH_CHACHA_POLY1305 + bool + default y + prompt "Enable ChaCha20-Poly1305 ciphersuite support" + help + ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys, + combining ChaCha stream cipher with Poly1305 MAC. + It is 3x faster than AES, when not using a CPU with AES-specific + instructions, as is the case of most embedded devices. + config OPENSSL_WITH_PSK bool default y @@ -129,6 +156,12 @@ config OPENSSL_WITH_PSK comment "Less commonly used build options" +config OPENSSL_WITH_ARIA + bool + prompt "Enable ARIA support" + help + ARIA is a block cipher developed in South Korea, based on AES. + config OPENSSL_WITH_CAMELLIA bool prompt "Enable Camellia cipher support" @@ -149,6 +182,23 @@ config OPENSSL_WITH_SEED SEED is a block cipher with 128-bit keys broadly used in South Korea, but seldom found elsewhere. +config OPENSSL_WITH_SM234 + bool + prompt "Enable SM2/3/4 algorithms support" + help + These algorithms are a set of "Commercial Cryptography" + algorithms approved for use in China. + * SM2 is an EC algorithm equivalent to ECDSA P-256 + * SM3 is a hash function equivalent to SHA-256 + * SM4 is a 128-block cipher equivalent to AES-128 + +config OPENSSL_WITH_BLAKE2 + bool + prompt "Enable BLAKE2 digest support" + help + BLAKE2 is a cryptographic hash function based on the ChaCha + stream cipher. + config OPENSSL_WITH_MDC2 bool prompt "Enable MDC2 digest support" @@ -199,10 +249,14 @@ config OPENSSL_ENGINE_CRYPTO API modules) for /dev/crypto to show up and use hardware acceleration; otherwise it falls back to software. -config OPENSSL_ENGINE_DIGEST +config OPENSSL_WITH_ASYNC bool - depends on OPENSSL_ENGINE_CRYPTO - prompt "/dev/crypto digest (md5/sha1) acceleration support" + prompt "Enable asynchronous jobs support" + depends on OPENSSL_ENGINE && USE_GLIBC + help + Enables async-aware applications to be able to use OpenSSL to + initiate crypto operations asynchronously. In order to work + this will require the presence of an async capable engine. config OPENSSL_WITH_GOST bool @@ -211,6 +265,9 @@ config OPENSSL_WITH_GOST help This option prepares the library to accept engine support for Russian GOST crypto algorithms. + The gost engine is not included in standard openwrt feeds. + To build such engine yourself, see: + https://github.com/gost-engine/engine endif -- cgit v1.2.3