From: Tan Zien <nabsdh9@gmail.com>
Date: Sun, 28 Dec 2025 00:08:33 +0000 (+0800)
Subject: openssl: add kTLS support option
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34836dffb1a06f84a0112982c2a88b2e5e212e87;p=thirdparty%2Fopenwrt.git

openssl: add kTLS support option

This commit add option to enable kTLS support, improving
performance by offloading TLS encryption and decryption to
kernel space.

- Reduced CPU usage by minimizing data copying between user space
  and kernel space.
- Enables the use of the sendfile() system call with encrypted
  sockets for zero-copy data transmission.
- Leverages hardware-accelerated NIC that support TLS offloading.

Signed-off-by: Tan Zien <nabsdh9@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21306
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index 871080a4cbe..ad2396df0b2 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -26,6 +26,14 @@ config OPENSSL_SMALL_FOOTPRINT
 		Chacha20-Poly1305 is 15% slower.  X86_64 drops 1% of its size
 		for 3% of performance.  Other arches have not been tested.
 
+config OPENSSL_KTLS
+	bool
+	prompt "Enable kTLS support"
+	select PACKAGE_kmod-tls
+	help
+		This will enable kTLS support, allowing data encryption
+		operations to be performed in kernel space.
+
 config OPENSSL_WITH_ASM
 	bool
 	default y
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index fc80373a07c..a50d5e03924 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_VERSION:=3.5.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto
 
 PKG_BUILD_PARALLEL:=1
@@ -37,6 +37,7 @@ PKG_CONFIG_DEPENDS:= \
 	CONFIG_OPENSSL_OPTIMIZE_SPEED \
 	CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \
 	CONFIG_OPENSSL_SMALL_FOOTPRINT \
+	CONFIG_OPENSSL_KTLS \
 	CONFIG_OPENSSL_WITH_ARIA \
 	CONFIG_OPENSSL_WITH_ASM \
 	CONFIG_OPENSSL_WITH_ASYNC \
@@ -293,6 +294,10 @@ ifeq ($(CONFIG_OPENSSL_SMALL_FOOTPRINT),y)
   OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
 endif
 
+ifdef CONFIG_OPENSSL_KTLS
+  OPENSSL_OPTIONS += enable-ktls
+endif
+
 ifdef CONFIG_OPENSSL_ENGINE
   ifdef CONFIG_OPENSSL_ENGINE_BUILTIN
     OPENSSL_OPTIONS += disable-dynamic-engine