openssl: optimizations based on ARCH/small flash

Add a patch to enable the option to change the default ciphersuite list
ordering to prefer ChaCha20 over AES-GCM.  This is used by default for
all platforms, except for x86_64 and aarch64. The assumption is that
only the latter have AES-specific CPU instructions and asm code that
uses them in openssl.  Chacha20Poly1305 is 3x faster than AES-256 in
systems without AES instructions, with an equivalent strength.

Disable error messages by default except for devices with small flash or
RAM, to aid debugging.

Disable ASM by default on arm platform with small flash.  Size
difference on mips and powerpc, the other platforms with small flash
devices, are not really relevant (using 100K as a threshold).  All of
the affected platforms are source-only anyway.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index 53b91ddb942a77f8ad5d39d69cfd7295b1533690..c9a853193fa265dc35737df19a00158565777488 100644 (file)
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -4,6 +4,7 @@ comment "Build Options"
 
 config OPENSSL_OPTIMIZE_SPEED
        bool
+       default y if x86_64 || i386
        prompt "Enable optimization for speed instead of size"
        select OPENSSL_WITH_ASM
        help
@@ -15,7 +16,7 @@ config OPENSSL_OPTIMIZE_SPEED
 
 config OPENSSL_WITH_ASM
        bool
-       default y
+       default y if !SMALL_FLASH || !arm
        prompt "Compile with optimized assembly code"
        depends on !arc
        help
@@ -63,6 +64,7 @@ config OPENSSL_NO_DEPRECATED
 
 config OPENSSL_WITH_ERROR_MESSAGES
        bool
+       default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
        prompt "Include error messages"
        help
                This option aids debugging, but increases package size and
@@ -147,6 +149,18 @@ config OPENSSL_WITH_CHACHA_POLY1305
                It is 3x faster than AES, when not using a CPU with AES-specific
                instructions, as is the case of most embedded devices.
 
+config OPENSSL_PREFER_CHACHA_OVER_GCM
+       bool
+       default y if !x86_64 && !aarch64
+       prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
+       depends on OPENSSL_WITH_CHACHA_POLY1305
+       help
+               The default openssl preference is for AES-GCM before ChaCha, but
+               that takes into account AES-NI capable chips.  It is not the
+               case with most embedded chips, so it may be better to invert
+               that preference.  This is just for the default case. The
+               application can always override this.
+
 config OPENSSL_WITH_PSK
        bool
        default y

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 27746c15c6206b3daba6f9aecb3df6e8dc342308..68cd8fde6b24d959fa5c0fab11d6ad911423cde0 100644 (file)
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -35,6 +35,7 @@ PKG_CONFIG_DEPENDS:= \
        CONFIG_OPENSSL_ENGINE_CRYPTO \
        CONFIG_OPENSSL_NO_DEPRECATED \
        CONFIG_OPENSSL_OPTIMIZE_SPEED \
+       CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \
        CONFIG_OPENSSL_WITH_ARIA \
        CONFIG_OPENSSL_WITH_ASM \
        CONFIG_OPENSSL_WITH_ASYNC \
@@ -153,6 +154,10 @@ endif
 
 ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
   OPENSSL_OPTIONS += no-chacha no-poly1305
+else
+  ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM
+    OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM
+  endif
 endif
 
 ifndef CONFIG_OPENSSL_WITH_ASYNC

diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
new file mode 100644 (file)
index 0000000..9cbe221
--- /dev/null
+++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
@@ -0,0 +1,78 @@
+From 286e015bf0d30530707a5e7b3b871509f2ab50d7 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:44:39 -0300
+Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
+
+This enables a compile-time option to prefer ChaCha20-Poly1305 over
+AES-GCM in the openssl default ciphersuite, which is useful in systems
+without AES specific CPU instructions.
+OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it.
+
+Note that this does not have the same effect as the
+SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only
+when the client has it on top of its ciphersuite preference.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/include/openssl/ssl.h
++++ b/include/openssl/ssl.h
+@@ -173,9 +173,15 @@ extern "C" {
+ # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+ /* This is the default set of TLSv1.3 ciphersuites */
+ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+-#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+-                                   "TLS_CHACHA20_POLY1305_SHA256:" \
+-                                   "TLS_AES_128_GCM_SHA256"
++#  ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
++#   define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
++                                    "TLS_AES_256_GCM_SHA384:" \
++                                    "TLS_AES_128_GCM_SHA256"
++#  else
++#   define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
++                                    "TLS_CHACHA20_POLY1305_SHA256:" \
++                                    "TLS_AES_128_GCM_SHA256"
++#  endif
+ # else
+ #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+                                    "TLS_AES_128_GCM_SHA256"
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -1464,11 +1464,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
+                           &tail);
+ 
++    /*
++     * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305
++     * will be placed before AES-256.  Otherwise, the default behavior of
++     * preferring GCM over CHACHA is used.
++     * This is useful for systems that do not have AES-specific CPU
++     * instructions, where ChaCha20-Poly1305 is 3 times faster than AES.
++     * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA
++     * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top
++     * of its ciphersuite preference.
++     */
++
++#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
++    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
++                          &head, &tail);
++    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
++                          &head, &tail);
++#else
+     /* Within each strength group, we prefer GCM over CHACHA... */
+     ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
+                           &head, &tail);
+     ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
+                           &head, &tail);
++#endif
+ 
+     /*
+      * ...and generally, our preferred cipher is AES.
+@@ -1524,7 +1542,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      * Within each group, ciphers remain sorted by strength and previous
+      * preference, i.e.,
+      * 1) ECDHE > DHE
+-     * 2) GCM > CHACHA
++     * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined
+      * 3) AES > rest
+      * 4) TLS 1.2 > legacy
+      *