ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-02-20 17:32:57 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
openwrt/package/libs/openssl/Makefile
Eneas U de Queiroz 975036f6f9
openssl: avoid OPENSSL_SMALL_FOOTPRINT, no-asm 
Building openssl with OPENSSL_SMALL_FOOTPRINT yelds only from 1% to 3%
decrease in size, dropping performance from 2% to 91%, depending on the
target and algorithm.

For example, using AES256-GCM with 1456-bytes operations, X86_64 appears
to be the least affected with 2% performance penalty and 1% reduction in
size; mips drops performance by 13%, size by 3%;  Arm drops 29% in
performance, 2% in size.

On aarch64, it slows down ghash so much that I consider it broken
(-91%).  SMALL_FOOTPRINT will reduce AES256-GCM performance by 88%, and
size by only 1%.  It makes an AES-capable CPU run AES128-GCM at 35% of
the speed of Chacha20-Poly1305:

Block-size=1456 bytes   AES256-GCM   AES128-GCM  ChaCha20-Poly1305
SMALL_FOOTPRINT           62014.44     65063.23          177090.50
regular                  504220.08    565630.28          182706.16

OpenSSL 1.1.1 numbers are about the same, so this should have been
noticed a long time ago.

This creates an option to use OPENSSL_SMALL_FOOTPRINT, but it is turned
off by default unless SMALL_FLASH or LOW_MEMORY_FOOTPRINT is used.

Compiling with -O3 instead of -Os, for comparison, will increase size by
about 14-15%, with no measureable effect on AES256-GCM performance, and
about 2% increase in Chacha20-Poly1305 performance on Aarch64.

There are no Arm devices with the small flash feature, so drop the
conditional default.  The package is built on phase2, so even if we
include an Arm device with small flash later, a no-asm library would
have to be built from source anyway.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00

406 lines
12 KiB
Makefile
Raw Blame History

#
# Copyright (C) 2006-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=openssl
PKG_VERSION:=3.0.8
PKG_RELEASE:=5
PKG_BUILD_FLAGS:=no-mips16 gc-sections
PKG_BUILD_PARALLEL:=1
PKG_BASE:=$(subst $(space),.,$(wordlist 1,2,$(subst .,$(space),$(PKG_VERSION))))
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/ \
http://ftp.fi.muni.cz/pub/openssl/source/ \
http://ftp.fi.muni.cz/pub/openssl/source/old/$(PKG_BASE)/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
PKG_HASH:=6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
PKG_CPE_ID:=cpe:/a:openssl:openssl
PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_ENGINE \
CONFIG_OPENSSL_ENGINE_BUILTIN \
CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG \
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO \
CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK \
CONFIG_OPENSSL_NO_DEPRECATED \
CONFIG_OPENSSL_OPTIMIZE_SPEED \
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \
CONFIG_OPENSSL_SMALL_FOOTPRINT \
CONFIG_OPENSSL_WITH_ARIA \
CONFIG_OPENSSL_WITH_ASM \
CONFIG_OPENSSL_WITH_ASYNC \
CONFIG_OPENSSL_WITH_BLAKE2 \
CONFIG_OPENSSL_WITH_CAMELLIA \
CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \
CONFIG_OPENSSL_WITH_CMS \
CONFIG_OPENSSL_WITH_COMPRESSION \
CONFIG_OPENSSL_WITH_DTLS \
CONFIG_OPENSSL_WITH_EC2M \
CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
CONFIG_OPENSSL_WITH_IDEA \
CONFIG_OPENSSL_WITH_MDC2 \
CONFIG_OPENSSL_WITH_NPN \
CONFIG_OPENSSL_WITH_PSK \
CONFIG_OPENSSL_WITH_RFC3779 \
CONFIG_OPENSSL_WITH_SEED \
CONFIG_OPENSSL_WITH_SM234 \
CONFIG_OPENSSL_WITH_SRP \
CONFIG_OPENSSL_WITH_SSE2 \
CONFIG_OPENSSL_WITH_TLS13 \
CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/openssl-engine.mk
ifneq ($(CONFIG_CCACHE),)
HOSTCC=$(HOSTCC_NOCACHE)
HOSTCXX=$(HOSTCXX_NOCACHE)
endif
define Package/openssl/Default
TITLE:=Open source SSL toolkit
URL:=http://www.openssl.org/
SECTION:=libs
CATEGORY:=Libraries
endef
define Package/libopenssl/config
source "$(SOURCE)/Config.in"
endef
define Package/openssl/Default/description
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing the
Transport Layer Security (TLS) protocol as well as a full-strength
general-purpose cryptography library.
endef
define Package/libopenssl
$(call Package/openssl/Default)
SUBMENU:=SSL
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \
+OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \
+OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \
+OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock \
+(arm||armeb||mips||mipsel||powerpc||arc):libatomic
TITLE+= (libraries)
ABI_VERSION:=$(firstword $(subst .,$(space),$(PKG_VERSION)))
MENU:=1
endef
define Package/libopenssl/description
$(call Package/openssl/Default/description)
This package contains the OpenSSL shared libraries, needed by other programs.
endef
define Package/openssl-util
$(call Package/openssl/Default)
SECTION:=utils
CATEGORY:=Utilities
DEPENDS:=+libopenssl +libopenssl-conf
TITLE+= (utility)
endef
define Package/openssl-util/description
$(call Package/openssl/Default/description)
This package contains the OpenSSL command-line utility.
endef
define Package/libopenssl-conf
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=/etc/ssl/openssl.cnf config file
DEPENDS:=libopenssl
endef
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/engines.cnf.d/devcrypto.cnf)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/engines.cnf.d/padlock.cnf)
endef
define Package/libopenssl-conf/description
$(call Package/openssl/Default/description)
This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
endef
$(eval $(call Package/openssl/add-engine,afalg))
define Package/libopenssl-afalg
$(call Package/openssl/Default)
$(call Package/openssl/engine/Default)
TITLE:=AFALG hardware acceleration engine
DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
@!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "afalg"
endef
$(eval $(call Package/openssl/add-engine,devcrypto))
define Package/libopenssl-devcrypto
$(call Package/openssl/Default)
$(call Package/openssl/engine/Default)
TITLE:=/dev/crypto hardware acceleration engine
DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-devcrypto/description
This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "devcrypto"
endef
$(eval $(call Package/openssl/add-engine,padlock))
define Package/libopenssl-padlock
$(call Package/openssl/Default)
$(call Package/openssl/engine/Default)
TITLE:=VIA Padlock hardware acceleration engine
DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
@!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "padlock"
endef
OPENSSL_OPTIONS:= shared no-tests
ifndef CONFIG_OPENSSL_WITH_BLAKE2
OPENSSL_OPTIONS += no-blake2
endif
ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
OPENSSL_OPTIONS += no-chacha no-poly1305
else
ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM
OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM
endif
endif
ifndef CONFIG_OPENSSL_WITH_ASYNC
OPENSSL_OPTIONS += no-async
endif
ifndef CONFIG_OPENSSL_WITH_EC2M
OPENSSL_OPTIONS += no-ec2m
endif
ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
OPENSSL_OPTIONS += no-err
endif
ifndef CONFIG_OPENSSL_WITH_TLS13
OPENSSL_OPTIONS += no-tls1_3
endif
ifndef CONFIG_OPENSSL_WITH_ARIA
OPENSSL_OPTIONS += no-aria
endif
ifndef CONFIG_OPENSSL_WITH_SM234
OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4
endif
ifndef CONFIG_OPENSSL_WITH_CAMELLIA
OPENSSL_OPTIONS += no-camellia
endif
ifndef CONFIG_OPENSSL_WITH_IDEA
OPENSSL_OPTIONS += no-idea
endif
ifndef CONFIG_OPENSSL_WITH_SEED
OPENSSL_OPTIONS += no-seed
endif
ifndef CONFIG_OPENSSL_WITH_MDC2
OPENSSL_OPTIONS += no-mdc2
endif
ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL
OPENSSL_OPTIONS += no-whirlpool
endif
ifndef CONFIG_OPENSSL_WITH_CMS
OPENSSL_OPTIONS += no-cms
endif
ifndef CONFIG_OPENSSL_WITH_RFC3779
OPENSSL_OPTIONS += no-rfc3779
endif
ifdef CONFIG_OPENSSL_NO_DEPRECATED
OPENSSL_OPTIONS += no-deprecated
endif
ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3
endif
ifeq ($(CONFIG_OPENSSL_SMALL_FOOTPRINT),y)
OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
endif
ifdef CONFIG_OPENSSL_ENGINE
ifdef CONFIG_OPENSSL_ENGINE_BUILTIN
OPENSSL_OPTIONS += disable-dynamic-engine
ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG
OPENSSL_OPTIONS += no-afalgeng
endif
ifdef CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK
OPENSSL_OPTIONS += no-padlockeng
endif
else
ifdef CONFIG_PACKAGE_libopenssl-devcrypto
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_PACKAGE_libopenssl-afalg
OPENSSL_OPTIONS += no-afalgeng
endif
ifndef CONFIG_PACKAGE_libopenssl-padlock
OPENSSL_OPTIONS += no-padlockeng
endif
endif
else
OPENSSL_OPTIONS += no-engine
endif
ifndef CONFIG_OPENSSL_WITH_DTLS
OPENSSL_OPTIONS += no-dtls
endif
ifdef CONFIG_OPENSSL_WITH_COMPRESSION
OPENSSL_OPTIONS += zlib-dynamic
else
OPENSSL_OPTIONS += no-comp
endif
ifndef CONFIG_OPENSSL_WITH_NPN
OPENSSL_OPTIONS += no-nextprotoneg
endif
ifndef CONFIG_OPENSSL_WITH_PSK
OPENSSL_OPTIONS += no-psk
endif
ifndef CONFIG_OPENSSL_WITH_SRP
OPENSSL_OPTIONS += no-srp
endif
ifndef CONFIG_OPENSSL_WITH_ASM
OPENSSL_OPTIONS += no-asm
endif
ifdef CONFIG_i386
ifndef CONFIG_OPENSSL_WITH_SSE2
OPENSSL_OPTIONS += no-sse2
endif
endif
OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt
STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | $(MKHASH) md5)
define Build/Configure
(cd $(PKG_BUILD_DIR); \
./Configure $(OPENSSL_TARGET) \
--prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
--cross-compile-prefix="$(TARGET_CROSS)" \
$(TARGET_CPPFLAGS) \
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) && \
{ [ -f $(STAMP_CONFIGURED) ] || make clean; } \
)
endef
TARGET_CFLAGS += $(FPIC)
define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CC="$(TARGET_CC)" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
all
$(MAKE) -C $(PKG_BUILD_DIR) \
CC="$(TARGET_CC)" \
DESTDIR="$(PKG_INSTALL_DIR)" \
$(OPENSSL_MAKEFLAGS) \
install_sw install_ssldirs
endef
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
$(CP) $(PKG_INSTALL_DIR)/usr/include/openssl $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib{crypto,ssl}.{a,so*} $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/{openssl,libcrypto,libssl}.pc $(1)/usr/lib/pkgconfig/
[ -n "$(TARGET_LDFLAGS)" ] && $(SED) 's#$(TARGET_LDFLAGS)##g' $(1)/usr/lib/pkgconfig/{openssl,libcrypto,libssl}.pc || true
endef
define Package/libopenssl/install
$(INSTALL_DIR) $(1)/etc/ssl/certs
$(INSTALL_DIR) $(1)/etc/ssl/private
chmod 0700 $(1)/etc/ssl/private
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/
$(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR))
endef
define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
endef
define Package/openssl-util/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
endef
$(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,libopenssl-conf))
$(eval $(call BuildPackage,libopenssl-afalg))
$(eval $(call BuildPackage,libopenssl-devcrypto))
$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))
Reference in New Issue View Git Blame Copy Permalink