1 files changed, 175 insertions, 31 deletions
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index c39e28510f..fe73229915 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -1,72 +1,216 @@
 if PACKAGE_libopenssl
 
-config OPENSSL_WITH_EC
+comment "Build Options"
+
+config OPENSSL_OPTIMIZE_SPEED
+	bool
+	prompt "Enable optimization for speed instead of size"
+	select OPENSSL_WITH_ASM
+	help
+		Enabling this option increases code size (around 20%) and
+		performance.  The increase in performance and size depends on the
+		target CPU. EC and AES seem to benefit the most, with EC speed
+		increased by 20%-50% (mipsel & x86).
+		AES-GCM is supposed to be 3x faster on x86. YMMV.
+
+config OPENSSL_WITH_ASM
 	bool
 	default y
-	prompt "Enable elliptic curve support"
+	prompt "Compile with optimized assembly code"
+	depends on !arc
+	help
+		Disabling this option will reduce code size and performance.
+		The increase in performance and size depends on the target
+		CPU and on the algorithms being optimized.  As of 1.1.0i*:
 
-config OPENSSL_WITH_EC2M
-        bool
-        depends on OPENSSL_WITH_EC
-        prompt "Enable ec2m support"
+		Platform  Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
+		aarch64   174K     BN, aes, sha1, sha256, sha512, nist256, poly1305
+		arm       152K     BN, aes, sha1, sha256, sha512, nist256, poly1305
+		i386      183K     BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
+		mipsel      1.5K   BN+97%, aes+4%, sha1+94%, sha256+60%
+		mips64	    3.7K   BN, aes, sha1, sha256, sha512, poly1305
+		powerpc    20K     BN, aes, sha1, sha256, sha512, poly1305
+		x86_64    228K     BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
 
-config OPENSSL_WITH_SSL3
+		* Only most common algorithms shown. Your mileage may vary.
+		  BN (bignum) performance was measured using RSA sign/verify.
+
+config OPENSSL_WITH_SSE2
 	bool
-	default n
-	prompt "Enable sslv3 support"
+	default y if !TARGET_x86_legacy && !TARGET_x86_geode
+	prompt "Enable use of x86 SSE2 instructions"
+	depends on OPENSSL_WITH_ASM && i386
+	help
+		Use of SSE2 instructions greatly increase performance (up to
+		3x faster) with a minimum (~0.2%, or 23KB) increase in package
+		size, but it will bring no benefit if your hardware does not
+		support them, such as Geode GX and LX.  In this case you may
+		save 23KB by saying yes here.  AMD Geode NX, and Intel
+		Pentium 4 and above support SSE2.
 
 config OPENSSL_WITH_DEPRECATED
 	bool
 	default y
-	prompt "Include deprecated APIs"
+	prompt "Include deprecated APIs (See help for a list of packages that need this)"
+	help
+		Squid currently requires this.
 
 config OPENSSL_NO_DEPRECATED
 	bool
 	default !OPENSSL_WITH_DEPRECATED
 
-config OPENSSL_WITH_DTLS
+config OPENSSL_WITH_ERROR_MESSAGES
 	bool
-	default n
-	prompt "Enable DTLS support"
+	prompt "Include error messages"
+	help
+		This option aids debugging, but increases package size and
+		memory usage.
 
-config OPENSSL_WITH_COMPRESSION
+comment "Protocol Support"
+
+config OPENSSL_WITH_DTLS
 	bool
-	default n
-	prompt "Enable compression support"
+	prompt "Enable DTLS support"
+	help
+		Datagram Transport Layer Security (DTLS) provides TLS-like security
+		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
 
 config OPENSSL_WITH_NPN
 	bool
 	default y
 	prompt "Enable NPN support"
+	help
+		NPN is a TLS extension, obsoleted and replaced with ALPN,
+		used to negotiate SPDY, and HTTP/2.
+
+config OPENSSL_WITH_SRP
+	bool
+	default y
+	prompt "Enable SRP support"
+	help
+		The Secure Remote Password protocol (SRP) is an augmented
+		password-authenticated key agreement (PAKE) protocol, specifically
+		designed to work around existing patents.
+
+config OPENSSL_WITH_CMS
+	bool
+	default y
+	prompt "Enable CMS (RFC 5652) support"
+	help
+		Cryptographic Message Syntax (CMS) is used to digitally sign,
+		digest, authenticate, or encrypt arbitrary message content.
+
+comment "Algorithm Selection"
+
+config OPENSSL_WITH_EC
+	bool
+	default y
+	prompt "Enable elliptic curve support"
+	help
+		Elliptic-curve cryptography (ECC) is an approach to public-key
+		cryptography based on the algebraic structure of elliptic curves
+		over finite fields. ECC requires smaller keys compared to non-ECC
+		cryptography to provide equivalent security.
+
+config OPENSSL_WITH_EC2M
+	bool
+	depends on OPENSSL_WITH_EC
+	prompt "Enable ec2m support"
+	help
+		This option enables the more efficient, yet less common, binary
+		field elliptic curves.
 
 config OPENSSL_WITH_PSK
 	bool
 	default y
 	prompt "Enable PSK support"
+	help
+		Build support for Pre-Shared Key based cipher suites.
 
-config OPENSSL_WITH_SRP
+comment "Less commonly used build options"
+
+config OPENSSL_WITH_CAMELLIA
 	bool
-	default y
-	prompt "Enable SRP support"
+	prompt "Enable Camellia cipher support"
+	help
+		Camellia is a bock cipher with security levels and processing
+		abilities comparable to AES.
 
-config OPENSSL_ENGINE_DIGEST
+config OPENSSL_WITH_IDEA
 	bool
-	depends on OPENSSL_ENGINE_CRYPTO
-	prompt "Digests acceleration support"
+	prompt "Enable IDEA cipher support"
+	help
+		IDEA is a block cipher with 128-bit keys.
 
-config OPENSSL_HARDWARE_SUPPORT
+config OPENSSL_WITH_SEED
 	bool
-	default n
-	prompt "Enable hardware support"
+	prompt "Enable SEED cipher support"
+	help
+		SEED is a block cipher with 128-bit keys broadly used in
+		South Korea, but seldom found elsewhere.
 
-config OPENSSL_OPTIMIZE_SPEED
+config OPENSSL_WITH_MDC2
 	bool
-	default n
-	prompt "Enable optimization for speed instead of size"
+	prompt "Enable MDC2 digest support"
 
-endif
+config OPENSSL_WITH_WHIRLPOOL
+	bool
+	prompt "Enable Whirlpool digest support"
+
+config OPENSSL_WITH_COMPRESSION
+	bool
+	prompt "Enable compression support"
+	help
+		TLS compression is not recommended, as it is deemed insecure.
+		The CRIME attack exploits this weakness.
+		Even with this option turned on, it is disabled by default, and the
+		application must explicitly turn it on.
+
+config OPENSSL_WITH_RFC3779
+	bool
+	prompt "Enable RFC3779 support (BGP)"
+	help
+		RFC 3779 defines two X.509 v3 certificate extensions.  The first
+		binds a list of IP address blocks, or prefixes, to the subject of a
+		certificate.  The second binds a list of autonomous system
+		identifiers to the subject of a certificate.  These extensions may be
+		used to convey the authorization of the subject to use the IP
+		addresses and autonomous system identifiers contained in the
+		extensions.
+
+comment "Engine/Hardware Support"
+
+config OPENSSL_ENGINE
+	bool "Enable engine support"
+	help
+		This enables alternative cryptography implementations,
+		most commonly for interfacing with external crypto devices,
+		or supporting new/alternative ciphers and digests.
 
 config OPENSSL_ENGINE_CRYPTO
 	bool
-	select OPENSSL_HARDWARE_SUPPORT
-	prompt "Crypto acceleration support" if PACKAGE_libopenssl
+	select OPENSSL_ENGINE
+	select PACKAGE_kmod-cryptodev
+	prompt "Acceleration support through /dev/crypto"
+	help
+		This enables use of hardware acceleration through OpenBSD
+		Cryptodev API (/dev/crypto) interface.
+		You must install kmod-cryptodev (under Kernel modules, Cryptographic
+		API modules) for /dev/crypto to show up and use hardware
+		acceleration; otherwise it falls back to software.
+
+config OPENSSL_ENGINE_DIGEST
+	bool
+	depends on OPENSSL_ENGINE_CRYPTO
+	prompt "/dev/crypto digest (md5/sha1) acceleration support"
+
+config OPENSSL_WITH_GOST
+	bool
+	prompt "Prepare library for GOST engine"
+	depends on OPENSSL_ENGINE
+	help
+		This option prepares the library to accept engine support
+		for Russian GOST crypto algorithms.
+
+endif
+