Skip to content
Permalink
Browse files

openssl: add configuration options, disable ssl3

Adds the following configuration options:
* using optimized assembler code (was always on before)
* use of x86 SSE2 instructions
* dyanic engine support
* include error messages
* Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
* RFC3779, CMS protocols
* VIA padlock hardware acceleration engine

Installs openssl.cnf with the library as it is used by engines
independent of the openssl util.

Fixes DTLS option that was innefective before.

Disables insecure SSL3 protocol and SHA0.

Adds openwrt-specific targets to Configure script, including asm support
for i386, ppc and mips64.

Strips building dirs from CFLAGS shown in binary.

Skips the fuzz directory during build.

Removed include/crypto/devcrypto.h that was included here, to use the
cryptodev-linux package, now that it was been moved from the packages
feed to the main openwrt repository.

This decreses the size of the ipk binray on MIPS32 by about 3.3%:
old:
706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
  • Loading branch information...
cotequeiroz authored and hauke committed Oct 22, 2018
1 parent b044b52 commit be3892284ca77a69615351b106b8dfbadad728c4
@@ -1,72 +1,216 @@
if PACKAGE_libopenssl

config OPENSSL_WITH_EC
comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
bool
prompt "Enable optimization for speed instead of size"
select OPENSSL_WITH_ASM
help
Enabling this option increases code size (around 20%) and
performance. The increase in performance and size depends on the
target CPU. EC and AES seem to benefit the most, with EC speed
increased by 20%-50% (mipsel & x86).
AES-GCM is supposed to be 3x faster on x86. YMMV.

config OPENSSL_WITH_ASM
bool
default y
prompt "Enable elliptic curve support"
prompt "Compile with optimized assembly code"
depends on !arc
help
Disabling this option will reduce code size and performance.
The increase in performance and size depends on the target
CPU and on the algorithms being optimized. As of 1.1.0i*:

config OPENSSL_WITH_EC2M
bool
depends on OPENSSL_WITH_EC
prompt "Enable ec2m support"
Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%

config OPENSSL_WITH_SSL3
* Only most common algorithms shown. Your mileage may vary.
BN (bignum) performance was measured using RSA sign/verify.

config OPENSSL_WITH_SSE2
bool
default n
prompt "Enable sslv3 support"
default y if !TARGET_x86_legacy && !TARGET_x86_geode
prompt "Enable use of x86 SSE2 instructions"
depends on OPENSSL_WITH_ASM && i386
help
Use of SSE2 instructions greatly increase performance (up to
3x faster) with a minimum (~0.2%, or 23KB) increase in package
size, but it will bring no benefit if your hardware does not
support them, such as Geode GX and LX. In this case you may
save 23KB by saying yes here. AMD Geode NX, and Intel
Pentium 4 and above support SSE2.

config OPENSSL_WITH_DEPRECATED
bool
default y
prompt "Include deprecated APIs"
prompt "Include deprecated APIs (See help for a list of packages that need this)"
help
Squid currently requires this.

config OPENSSL_NO_DEPRECATED
bool
default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_DTLS
config OPENSSL_WITH_ERROR_MESSAGES
bool
default n
prompt "Enable DTLS support"
prompt "Include error messages"
help
This option aids debugging, but increases package size and
memory usage.

config OPENSSL_WITH_COMPRESSION
comment "Protocol Support"

config OPENSSL_WITH_DTLS
bool
default n
prompt "Enable compression support"
prompt "Enable DTLS support"
help
Datagram Transport Layer Security (DTLS) provides TLS-like security
for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
bool
default y
prompt "Enable NPN support"
help
NPN is a TLS extension, obsoleted and replaced with ALPN,
used to negotiate SPDY, and HTTP/2.

config OPENSSL_WITH_SRP
bool
default y
prompt "Enable SRP support"
help
The Secure Remote Password protocol (SRP) is an augmented
password-authenticated key agreement (PAKE) protocol, specifically
designed to work around existing patents.

config OPENSSL_WITH_CMS
bool
default y
prompt "Enable CMS (RFC 5652) support"
help
Cryptographic Message Syntax (CMS) is used to digitally sign,
digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC
bool
default y
prompt "Enable elliptic curve support"
help
Elliptic-curve cryptography (ECC) is an approach to public-key
cryptography based on the algebraic structure of elliptic curves
over finite fields. ECC requires smaller keys compared to non-ECC
cryptography to provide equivalent security.

config OPENSSL_WITH_EC2M
bool
depends on OPENSSL_WITH_EC
prompt "Enable ec2m support"
help
This option enables the more efficient, yet less common, binary
field elliptic curves.

config OPENSSL_WITH_PSK
bool
default y
prompt "Enable PSK support"
help
Build support for Pre-Shared Key based cipher suites.

config OPENSSL_WITH_SRP
comment "Less commonly used build options"

config OPENSSL_WITH_CAMELLIA
bool
default y
prompt "Enable SRP support"
prompt "Enable Camellia cipher support"
help
Camellia is a bock cipher with security levels and processing
abilities comparable to AES.

config OPENSSL_ENGINE_DIGEST
config OPENSSL_WITH_IDEA
bool
depends on OPENSSL_ENGINE_CRYPTO
prompt "Digests acceleration support"
prompt "Enable IDEA cipher support"
help
IDEA is a block cipher with 128-bit keys.

config OPENSSL_HARDWARE_SUPPORT
config OPENSSL_WITH_SEED
bool
default n
prompt "Enable hardware support"
prompt "Enable SEED cipher support"
help
SEED is a block cipher with 128-bit keys broadly used in
South Korea, but seldom found elsewhere.

config OPENSSL_OPTIMIZE_SPEED
config OPENSSL_WITH_MDC2
bool
default n
prompt "Enable optimization for speed instead of size"
prompt "Enable MDC2 digest support"

endif
config OPENSSL_WITH_WHIRLPOOL
bool
prompt "Enable Whirlpool digest support"

config OPENSSL_WITH_COMPRESSION
bool
prompt "Enable compression support"
help
TLS compression is not recommended, as it is deemed insecure.
The CRIME attack exploits this weakness.
Even with this option turned on, it is disabled by default, and the
application must explicitly turn it on.

config OPENSSL_WITH_RFC3779
bool
prompt "Enable RFC3779 support (BGP)"
help
RFC 3779 defines two X.509 v3 certificate extensions. The first
binds a list of IP address blocks, or prefixes, to the subject of a
certificate. The second binds a list of autonomous system
identifiers to the subject of a certificate. These extensions may be
used to convey the authorization of the subject to use the IP
addresses and autonomous system identifiers contained in the
extensions.

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
bool "Enable engine support"
help
This enables alternative cryptography implementations,
most commonly for interfacing with external crypto devices,
or supporting new/alternative ciphers and digests.

config OPENSSL_ENGINE_CRYPTO
bool
select OPENSSL_HARDWARE_SUPPORT
prompt "Crypto acceleration support" if PACKAGE_libopenssl
select OPENSSL_ENGINE
select PACKAGE_kmod-cryptodev
prompt "Acceleration support through /dev/crypto"
help
This enables use of hardware acceleration through OpenBSD
Cryptodev API (/dev/crypto) interface.
You must install kmod-cryptodev (under Kernel modules, Cryptographic
API modules) for /dev/crypto to show up and use hardware
acceleration; otherwise it falls back to software.

config OPENSSL_ENGINE_DIGEST
bool
depends on OPENSSL_ENGINE_CRYPTO
prompt "/dev/crypto digest (md5/sha1) acceleration support"

config OPENSSL_WITH_GOST
bool
prompt "Prepare library for GOST engine"
depends on OPENSSL_ENGINE
help
This option prepares the library to accept engine support
for Russian GOST crypto algorithms.

endif

0 comments on commit be38922

Please sign in to comment.
You can’t perform that action at this time.