Message ID | 20240621161049.4085310-6-dario.binacchi@amarulasolutions.com |
---|---|
Dario, All,
On 2024-06-21 18:10 +0200, Dario Binacchi spake thusly:
> The transition from version 1.1 to 3.0.9, and subsequently to 3.3.1,
> added new compilation options. This led to a significant increase in the
> size of the library. These options allow user to disable these features
> to obtain a smaller library size.
>
> To ensure backward compatibility, all items are selected by default.
>
> Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
> ---
[--SNIP--]
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_THREAD_POOL
> + bool "enable thread pool"
> + default y
> + depends on BR2_TOOLCHAIN_HAS_THREADS
> + help
> + Build with thread pool functionality. If enabled, OpenSSL
> + algorithms may use the thread pool to perform parallel
> + computation. This option in itself does not enable OpenSSL
> + to spawn new threads. Currently the only supported thread
> + pool mechanism is the default thread pool.
> +
> +config BR2_PACKAGE_LIBOPENSSL_ENABLE_DEFAULT_THREAD_POOL
> + bool "enable default thread pool"
> + default y
> + depends on BR2_PACKAGE_LIBOPENSSL_ENABLE_THREAD_POOL
> + help
> + Build with default thread pool functionality. If enabled,
> + OpenSSL may create and manage threads up to a maximum number
> + of threads authorized by the application. Supported on POSIX
> + compliant platforms.
I'm not sure I understand how those two play together... If I understand correctly, BR2_PACKAGE_LIBOPENSSL_ENABLE_THREAD_POOL only adds support for using a thread-pool, but ativates not such thread-pool. When thread-pool support is enabled, we then can also enable BR2_PACKAGE_LIBOPENSSL_ENABLE_DEFAULT_THREAD_POOL, to actually add a thread-pool implementation. If only the first is enabled, I don;t see how that would be useful in practice: the code has support for thread-pools but none is available, and I doubt they might be added at runtime.. So, can't we have a single option enables the default thread-pool?
config BR2_PACKAGE_LIBOPENSSL_ENABLE_THREAD_POOL
bool "enabled thread-pool"
default y
depends on BR2_TOOLCHAIN_HAS_THREADS
help
Build with thread pool functionality. If enabled, OpenSSL algorithms may use the thread pool to perform parallel computation. This option in itself does not enable OpenSSL to spawn new threads. Currently the only supported thread pool mechanism is the default thread pool.
And then in the .mk:
$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_THREAD_POOL),,no-thread-pool no-default-thread-pool)
Uness I missed something, in which case a bit more information might be needed in the commit log; it may even warrant being in its own change, separated from the other, uncontroversial, options.
Regards,
Yann E. MORIN.
> endif # BR2_PACKAGE_LIBOPENSSL
> diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
> index 89a9189bb851..ab8454657ebf 100644
> --- a/package/libopenssl/libopenssl.mk
> +++ b/package/libopenssl/libopenssl.mk
> @@ -107,6 +107,20 @@ define LIBOPENSSL_CONFIGURE_CMDS
> $(if $(BR2_PACKAGE_LIBOPENSSL_UNSECURE),,no-unit-test no-crypto-mdebug no-autoerrinit) \
> $(if $(BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE),,no-dynamic-engine ) \
> $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP),,no-comp) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_ARGON2),,no-argon2) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CACHED_FETCH),,no-cached-fetch) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CMP),,no-cmp) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_THREAD_POOL),,no-thread-pool) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_DEFAULT_THREAD_POOL),,no-default-thread-pool) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_ECX),,no-ecx) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_LOADER_ENGINE),,no-loadereng) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_PADLOCK_ENGINE),,no-padlockeng) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MODULE),,no-module) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_QUIC),,no-quic) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_SECURE_MEMORY),,no-secure-memory) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SIV),,no-siv) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SM2_PRECOMP_TABLE),,no-sm2-precomp) \
> + $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL_TRACE),,no-ssl-trace) \
> $(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
> $(if $(BR2_STATIC_LIBS),no-dso)
> endef
> --
> 2.43.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
diff --git a/package/libopenssl/Config.in b/package/libopenssl/Config.in
index 0c8db52e2e1d..036b68241864 100644
--- a/package/libopenssl/Config.in
+++ b/package/libopenssl/Config.in
@@ -133,4 +133,110 @@ config BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP
 bool "enable compression"
 default y
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_ARGON2
+ bool "enable ARGON2"
+ default y
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CACHED_FETCH
+ bool "enable cached fetch"
+ default y
+ help
+ Cache algorithms when they are fetched from a provider.
+ Normally, a provider indicates if the algorithms it supplies
+ can be cached or not. Using this option will reduce run-time
+ memory usage but it also introduces a significant performance
+ penalty. This option is primarily designed to help with
+ detecting incorrect reference counting.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_CMP
+ bool "enable CMP"
+ default y
+ help
+ Build support for Certificate Management Protocol (CMP) and
+ Certificate Request Message Format (CRMF).
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_THREAD_POOL
+ bool "enable thread pool"
+ default y
+ depends on BR2_TOOLCHAIN_HAS_THREADS
+ help
+ Build with thread pool functionality. If enabled, OpenSSL
+ algorithms may use the thread pool to perform parallel
+ computation. This option in itself does not enable OpenSSL
+ to spawn new threads. Currently the only supported thread
+ pool mechanism is the default thread pool.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_DEFAULT_THREAD_POOL
+ bool "enable default thread pool"
+ default y
+ depends on BR2_PACKAGE_LIBOPENSSL_ENABLE_THREAD_POOL
+ help
+ Build with default thread pool functionality. If enabled,
+ OpenSSL may create and manage threads up to a maximum number
+ of threads authorized by the application. Supported on POSIX
+ compliant platforms.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_ECX
+ bool "enable ECX"
+ default y
+ help
+ Build with ECX support. Disabling this option can be used
+ to disable support for X25519, X448, and EdDSA.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_LOADER_ENGINE
+ bool "enable 'loader_attic' engine"
+ default y
+ depends on BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE
+ help
+ Build with 'loader_attic' engine support, which is meant
+ just for internal OpenSSL testing purposes and supports
+ loading keys, parameters, certificates, and CRLs from files.
+ When this engine is used, files with such credentials are
+ read via this engine.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_PADLOCK_ENGINE
+ bool "enable padlock engine"
+ default y
+ help
+ Build the padlock engine.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_MODULE
+ bool "enable modules"
+ default y
+ help
+ Build modules.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_QUIC
+ bool "enable QUIC"
+ default y
+ help
+ Build with QUIC support.
+
+config BR2_PACKAGE_LIBOPENSSL_SECURE_MEMORY
+ bool "enable secure memory"
+ default y
+ help
+ Build with secure memory support.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SIV
+ bool "enable SIV"
+ default y
+ help
+ Build with RFC5297 AES-SIV support.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SM2_PRECOMP_TABLE
+ bool "enable SM2 precomputed table"
+ default y
+ depends on BR2_aarch64
+ help
+ Enable using the SM2 precomputed table. Disabling this option
+ makes the library smaller.
+
+config BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL_TRACE
+ bool "enable SSL trace"
+ default y
+ help
+ Build with SSL Trace support. Disabling this option may
+ provide a small reduction in libssl binary size.
+
 endif # BR2_PACKAGE_LIBOPENSSL
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index 89a9189bb851..ab8454657ebf 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
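Review bot: The help text under BR2_PACKAGE_LIBOPENSSL_ENABLE_CACHED_FETCH describes the disabled state rather than the option: "Using this option will reduce run-time memory usage but it also introduces a significant performance penalty ... detecting incorrect reference counting" is OpenSSL's wording for `no-cached-fetch`, so an "enable cached fetch" entry that defaults to y currently tells the user the opposite of what unselecting it does. I would reword it along the lines of `Cache algorithms when they are fetched from a provider. Disabling this reduces run-time memory usage at a significant performance cost and is mainly meant for detecting incorrect reference counting.` BR2_PACKAGE_LIBOPENSSL_SECURE_MEMORY is also the one new symbol without the `_ENABLE_` infix every other entry uses, and its one-line help gives no hint that unselecting it removes OpenSSL's secure heap (the allocator that keeps private-key material out of the ordinary heap), which is a security rather than a size trade-off and deserves a sentence here. BR2_PACKAGE_LIBOPENSSL_ENABLE_ARGON2 is the only entry with no help at all; a line such as `Build the Argon2 KDF (password hashing).` would match the rest of the file.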
@@ -107,6 +107,20 @@ define LIBOPENSSL_CONFIGURE_CMDS
 $(if $(BR2_PACKAGE_LIBOPENSSL_UNSECURE),,no-unit-test no-crypto-mdebug no-autoerrinit) \
 $(if $(BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE),,no-dynamic-engine ) \
 $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP),,no-comp) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_ARGON2),,no-argon2) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CACHED_FETCH),,no-cached-fetch) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CMP),,no-cmp) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_THREAD_POOL),,no-thread-pool) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_DEFAULT_THREAD_POOL),,no-default-thread-pool) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_ECX),,no-ecx) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_LOADER_ENGINE),,no-loadereng) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_PADLOCK_ENGINE),,no-padlockeng) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_MODULE),,no-module) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_QUIC),,no-quic) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_SECURE_MEMORY),,no-secure-memory) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SIV),,no-siv) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SM2_PRECOMP_TABLE),,no-sm2-precomp) \
+ $(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL_TRACE),,no-ssl-trace) \
 $(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
 $(if $(BR2_STATIC_LIBS),no-dso)
 endef
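Review bot: `no-module` is emitted on its own whenever BR2_PACKAGE_LIBOPENSSL_ENABLE_MODULE is unselected, but as far as I recall OpenSSL's INSTALL.md documents `no-module` as implying `no-dso`, which in turn disables run-time loading of engines and providers; if so, a user who keeps BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE selected but drops modules gets a libcrypto that silently cannot load what the other option promised. That interaction belongs in Config.in (make ENABLE_MODULE a dependency of DYNAMIC_ENGINE, or the reverse) or at least in both help texts, rather than being left for Configure to resolve. It would also help if the commit log said that several of these knobs change the crypto surface visible to every reverse dependency (`no-ecx` drops X25519/X448, `no-secure-memory` drops the secure heap), so they are not treated as pure size options. LIBOPENSSL_CONFIGURE_CMDS begins before this hunk.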
The transition from version 1.1 to 3.0.9, and subsequently to 3.3.1, added new compilation options. This led to a significant increase in the size of the library. These options allow the user to disable these features to obtain a smaller library size. To ensure backward compatibility, all items are selected by default. Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> --- package/libopenssl/Config.in | 106 +++++++++++++++++++++++++++++++ package/libopenssl/libopenssl.mk | 14 ++++ 2 files changed, 120 insertions(+)