openssl: add configuration options, disable ssl3

Adds the following configuration options:
* using optimized assembler code (was always on before)
* use of x86 SSE2 instructions
* dyanic engine support
* include error messages
* Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
* RFC3779, CMS protocols
* VIA padlock hardware acceleration engine

Installs openssl.cnf with the library as it is used by engines
independent of the openssl util.

Fixes DTLS option that was innefective before.

Disables insecure SSL3 protocol and SHA0.

Adds openwrt-specific targets to Configure script, including asm support
for i386, ppc and mips64.

Strips building dirs from CFLAGS shown in binary.

Skips the fuzz directory during build.

Removed include/crypto/devcrypto.h that was included here, to use the
cryptodev-linux package, now that it was been moved from the packages
feed to the main openwrt repository.

This decreses the size of the ipk binray on MIPS32 by about 3.3%:
old:
706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

1 files changed, 175 insertions, 31 deletions

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index c39e28510f..fe73229915 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -1,72 +1,216 @@
 if PACKAGE_libopenssl
 
-config OPENSSL_WITH_EC
+comment "Build Options"
+
+config OPENSSL_OPTIMIZE_SPEED
+	bool
+	prompt "Enable optimization for speed instead of size"
+	select OPENSSL_WITH_ASM
+	help
+		Enabling this option increases code size (around 20%) and
+		performance.  The increase in performance and size depends on the
+		target CPU. EC and AES seem to benefit the most, with EC speed
+		increased by 20%-50% (mipsel & x86).
+		AES-GCM is supposed to be 3x faster on x86. YMMV.
+
+config OPENSSL_WITH_ASM
 	bool
 	default y
-	prompt "Enable elliptic curve support"
+	prompt "Compile with optimized assembly code"
+	depends on !arc
+	help
+		Disabling this option will reduce code size and performance.
+		The increase in performance and size depends on the target
+		CPU and on the algorithms being optimized.  As of 1.1.0i*:
 
-config OPENSSL_WITH_EC2M
-        bool
-        depends on OPENSSL_WITH_EC
-        prompt "Enable ec2m support"
+		Platform  Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
+		aarch64   174K     BN, aes, sha1, sha256, sha512, nist256, poly1305
+		arm       152K     BN, aes, sha1, sha256, sha512, nist256, poly1305
+		i386      183K     BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
+		mipsel      1.5K   BN+97%, aes+4%, sha1+94%, sha256+60%
+		mips64	    3.7K   BN, aes, sha1, sha256, sha512, poly1305
+		powerpc    20K     BN, aes, sha1, sha256, sha512, poly1305
+		x86_64    228K     BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
 
-config OPENSSL_WITH_SSL3
+		* Only most common algorithms shown. Your mileage may vary.
+		  BN (bignum) performance was measured using RSA sign/verify.
+
+config OPENSSL_WITH_SSE2
 	bool
-	default n
-	prompt "Enable sslv3 support"
+	default y if !TARGET_x86_legacy && !TARGET_x86_geode
+	prompt "Enable use of x86 SSE2 instructions"
+	depends on OPENSSL_WITH_ASM && i386
+	help
+		Use of SSE2 instructions greatly increase performance (up to
+		3x faster) with a minimum (~0.2%, or 23KB) increase in package
+		size, but it will bring no benefit if your hardware does not
+		support them, such as Geode GX and LX.  In this case you may
+		save 23KB by saying yes here.  AMD Geode NX, and Intel
+		Pentium 4 and above support SSE2.
 
 config OPENSSL_WITH_DEPRECATED
 	bool
 	default y
-	prompt "Include deprecated APIs"
+	prompt "Include deprecated APIs (See help for a list of packages that need this)"
+	help
+		Squid currently requires this.
 
 config OPENSSL_NO_DEPRECATED
 	bool
 	default !OPENSSL_WITH_DEPRECATED
 
-config OPENSSL_WITH_DTLS
+config OPENSSL_WITH_ERROR_MESSAGES
 	bool
-	default n
-	prompt "Enable DTLS support"
+	prompt "Include error messages"
+	help
+		This option aids debugging, but increases package size and
+		memory usage.
 
-config OPENSSL_WITH_COMPRESSION
+comment "Protocol Support"
+
+config OPENSSL_WITH_DTLS
 	bool
-	default n
-	prompt "Enable compression support"
+	prompt "Enable DTLS support"
+	help
+		Datagram Transport Layer Security (DTLS) provides TLS-like security
+		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
 
 config OPENSSL_WITH_NPN
 	bool
 	default y
 	prompt "Enable NPN support"
+	help
+		NPN is a TLS extension, obsoleted and replaced with ALPN,
+		used to negotiate SPDY, and HTTP/2.
+
+config OPENSSL_WITH_SRP
+	bool
+	default y
+	prompt "Enable SRP support"
+	help
+		The Secure Remote Password protocol (SRP) is an augmented
+		password-authenticated key agreement (PAKE) protocol, specifically
+		designed to work around existing patents.
+
+config OPENSSL_WITH_CMS
+	bool
+	default y
+	prompt "Enable CMS (RFC 5652) support"
+	help
+		Cryptographic Message Syntax (CMS) is used to digitally sign,
+		digest, authenticate, or encrypt arbitrary message content.
+
+comment "Algorithm Selection"
+
+config OPENSSL_WITH_EC
+	bool
+	default y
+	prompt "Enable elliptic curve support"
+	help
+		Elliptic-curve cryptography (ECC) is an approach to public-key
+		cryptography based on the algebraic structure of elliptic curves
+		over finite fields. ECC requires smaller keys compared to non-ECC
+		cryptography to provide equivalent security.
+
+config OPENSSL_WITH_EC2M
+	bool
+	depends on OPENSSL_WITH_EC
+	prompt "Enable ec2m support"
+	help
+		This option enables the more efficient, yet less common, binary
+		field elliptic curves.
 
 config OPENSSL_WITH_PSK
 	bool
 	default y
 	prompt "Enable PSK support"
+	help
+		Build support for Pre-Shared Key based cipher suites.
 
-config OPENSSL_WITH_SRP
+comment "Less commonly used build options"
+
+config OPENSSL_WITH_CAMELLIA
 	bool
-	default y
-	prompt "Enable SRP support"
+	prompt "Enable Camellia cipher support"
+	help
+		Camellia is a bock cipher with security levels and processing
+		abilities comparable to AES.
 
-config OPENSSL_ENGINE_DIGEST
+config OPENSSL_WITH_IDEA
 	bool
-	depends on OPENSSL_ENGINE_CRYPTO
-	prompt "Digests acceleration support"
+	prompt "Enable IDEA cipher support"
+	help
+		IDEA is a block cipher with 128-bit keys.
 
-config OPENSSL_HARDWARE_SUPPORT
+config OPENSSL_WITH_SEED
 	bool
-	default n
-	prompt "Enable hardware support"
+	prompt "Enable SEED cipher support"
+	help
+		SEED is a block cipher with 128-bit keys broadly used in
+		South Korea, but seldom found elsewhere.
 
-config OPENSSL_OPTIMIZE_SPEED
+config OPENSSL_WITH_MDC2
 	bool
-	default n
-	prompt "Enable optimization for speed instead of size"
+	prompt "Enable MDC2 digest support"
 
-endif
+config OPENSSL_WITH_WHIRLPOOL
+	bool
+	prompt "Enable Whirlpool digest support"
+
+config OPENSSL_WITH_COMPRESSION
+	bool
+	prompt "Enable compression support"
+	help
+		TLS compression is not recommended, as it is deemed insecure.
+		The CRIME attack exploits this weakness.
+		Even with this option turned on, it is disabled by default, and the
+		application must explicitly turn it on.
+
+config OPENSSL_WITH_RFC3779
+	bool
+	prompt "Enable RFC3779 support (BGP)"
+	help
+		RFC 3779 defines two X.509 v3 certificate extensions.  The first
+		binds a list of IP address blocks, or prefixes, to the subject of a
+		certificate.  The second binds a list of autonomous system
+		identifiers to the subject of a certificate.  These extensions may be
+		used to convey the authorization of the subject to use the IP
+		addresses and autonomous system identifiers contained in the
+		extensions.
+
+comment "Engine/Hardware Support"
+
+config OPENSSL_ENGINE
+	bool "Enable engine support"
+	help
+		This enables alternative cryptography implementations,
+		most commonly for interfacing with external crypto devices,
+		or supporting new/alternative ciphers and digests.
 
 config OPENSSL_ENGINE_CRYPTO
 	bool
-	select OPENSSL_HARDWARE_SUPPORT
-	prompt "Crypto acceleration support" if PACKAGE_libopenssl
+	select OPENSSL_ENGINE
+	select PACKAGE_kmod-cryptodev
+	prompt "Acceleration support through /dev/crypto"
+	help
+		This enables use of hardware acceleration through OpenBSD
+		Cryptodev API (/dev/crypto) interface.
+		You must install kmod-cryptodev (under Kernel modules, Cryptographic
+		API modules) for /dev/crypto to show up and use hardware
+		acceleration; otherwise it falls back to software.
+
+config OPENSSL_ENGINE_DIGEST
+	bool
+	depends on OPENSSL_ENGINE_CRYPTO
+	prompt "/dev/crypto digest (md5/sha1) acceleration support"
+
+config OPENSSL_WITH_GOST
+	bool
+	prompt "Prepare library for GOST engine"
+	depends on OPENSSL_ENGINE
+	help
+		This option prepares the library to accept engine support
+		for Russian GOST crypto algorithms.
+
+endif
+