if PACKAGE_libopenssl

comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
	bool
	default y if x86_64 || i386
	prompt "Enable optimization for speed instead of size"
	select OPENSSL_WITH_ASM
	help
		Enabling this option increases code size and performance.
		The increase in performance and size depends on the
		target CPU. EC and AES seem to benefit the most.

config OPENSSL_SMALL_FOOTPRINT
	bool
	depends on !OPENSSL_OPTIMIZE_SPEED
	default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
	prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
	help
		This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
		1-3% of the ipk size. The performance drop depends on
		architecture and algorithm. MIPS drops 13% of performance for
		a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
		size, ghash and GCM performance decreases 90%, while
		Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
		for 3% of performance. Other arches have not been tested.

config OPENSSL_WITH_ASM
	bool
	default y
	prompt "Compile with optimized assembly code"
	depends on !arc
	help
		Disabling this option will reduce code size and performance.
		The increase in performance and size depends on the target
		CPU and on the algorithms being optimized.

config OPENSSL_WITH_SSE2
	bool
	default y if !TARGET_x86_legacy && !TARGET_x86_geode
	prompt "Enable use of x86 SSE2 instructions"
	depends on OPENSSL_WITH_ASM && i386
	help
		Use of SSE2 instructions greatly increases performance with a
		minimal increase in package size, but it will bring no benefit
		if your hardware does not support them, such as Geode GX and LX.
		AMD Geode NX, and Intel Pentium 4 and above support SSE2.

config OPENSSL_WITH_DEPRECATED
	bool
	default y
	prompt "Include deprecated APIs"
	help
		Disabling this option drops all deprecated APIs, including
		engine support.

config OPENSSL_NO_DEPRECATED
	bool
	default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_ERROR_MESSAGES
	bool
	default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
	prompt "Include error messages"
	help
		This option aids debugging, but increases package size and
		memory usage.

comment "Protocol Support"

config OPENSSL_WITH_TLS13
	bool
	default y
	prompt "Enable support for TLS 1.3"
	help
		TLS 1.3 is the newest version of the TLS specification.
		It aims:
		* to increase the overall security of the protocol,
		  removing outdated algorithms, and encrypting more of the
		  protocol;
		* to increase performance by reducing the number of round-trips
		  when performing a full handshake.

config OPENSSL_WITH_DTLS
	bool
	prompt "Enable DTLS support"
	help
		Datagram Transport Layer Security (DTLS) provides TLS-like security
		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
	bool
	prompt "Enable NPN support"
	help
		NPN is a TLS extension, obsoleted and replaced by ALPN, that was
		used to negotiate SPDY and HTTP/2.

config OPENSSL_WITH_SRP
	bool
	default y
	prompt "Enable SRP support"
	help
		The Secure Remote Password protocol (SRP) is an augmented
		password-authenticated key agreement (PAKE) protocol, specifically
		designed to work around existing patents.

config OPENSSL_WITH_CMS
	bool
	default y
	prompt "Enable CMS (RFC 5652) support"
	help
		Cryptographic Message Syntax (CMS) is used to digitally sign,
		digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC2M
	bool
	prompt "Enable ec2m support"
	help
		This option enables the more efficient, yet less common, binary
		field elliptic curves.

config OPENSSL_WITH_CHACHA_POLY1305
	bool
	default y
	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
	help
		ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
		combining the ChaCha stream cipher with the Poly1305 MAC.
		It is 3x faster than AES when not using a CPU with AES-specific
		instructions, as is the case for most embedded devices.

config OPENSSL_PREFER_CHACHA_OVER_GCM
	bool
	default y if !x86_64 && !aarch64
	prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
	depends on OPENSSL_WITH_CHACHA_POLY1305
	help
		The default openssl preference is for AES-GCM before ChaCha, but
		that takes into account AES-NI capable chips. That is not the
		case with most embedded chips, so it may be better to invert
		that preference. This is just for the default case. The
		application can always override this.

config OPENSSL_WITH_PSK
	bool
	default y
	prompt "Enable PSK support"
	help
		Build support for Pre-Shared Key based cipher suites.

comment "Less commonly used build options"

config OPENSSL_WITH_ARIA
	bool
	prompt "Enable ARIA support"
	help
		ARIA is a block cipher developed in South Korea, based on AES.

config OPENSSL_WITH_CAMELLIA
	bool
	prompt "Enable Camellia cipher support"
	help
		Camellia is a block cipher with security levels and processing
		abilities comparable to AES.

config OPENSSL_WITH_IDEA
	bool
	default y if !SMALL_FLASH
	prompt "Enable IDEA cipher support (needs legacy provider)"
	help
		IDEA is a block cipher with 128-bit keys.
		To use the cipher, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_SEED
	bool
	default y if !SMALL_FLASH
	prompt "Enable SEED cipher support (needs legacy provider)"
	help
		SEED is a block cipher with 128-bit keys broadly used in
		South Korea, but seldom found elsewhere.
		To use the cipher, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_SM234
	bool
	prompt "Enable SM2/3/4 algorithms support"
	help
		These algorithms are a set of "Commercial Cryptography"
		algorithms approved for use in China.
		* SM2 is an EC algorithm equivalent to ECDSA P-256
		* SM3 is a hash function equivalent to SHA-256
		* SM4 is a 128-bit block cipher equivalent to AES-128

config OPENSSL_WITH_BLAKE2
	bool
	prompt "Enable BLAKE2 digest support"
	help
		BLAKE2 is a cryptographic hash function based on the ChaCha
		stream cipher.

config OPENSSL_WITH_MDC2
	bool
	default y if !SMALL_FLASH
	prompt "Enable MDC2 digest support (needs legacy provider)"
	help
		To use the digest, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_WHIRLPOOL
	bool
	default y if !SMALL_FLASH
	prompt "Enable Whirlpool digest support (needs legacy provider)"
	help
		To use the digest, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_COMPRESSION
	bool
	prompt "Enable compression support"
	help
		TLS compression is not recommended, as it is deemed insecure.
		The CRIME attack exploits this weakness.
		Even with this option turned on, it is disabled by default, and the
		application must explicitly turn it on.

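The help texts for OPENSSL_PREFER_CHACHA_OVER_GCM and OPENSSL_WITH_COMPRESSION both stress that the build option only sets a library default and that the application has the final say. The following is an added example (not OpenWrt or OpenSSL code) showing how an application pins both choices itself, so that its behaviour no longer depends on how libopenssl was configured. It uses Python's standard `ssl` module, which wraps the system libssl; the cipher list `CHACHA_FIRST` is a constructed preference order, and `library_default_preference()` is a helper for inspecting what an untouched context on the target would prefer.

```python
"""Pin TLS 1.2 cipher order and refuse TLS compression at the application level.

Added example, not OpenWrt or OpenSSL code. The libopenssl build options
only set defaults: OPENSSL_PREFER_CHACHA_OVER_GCM reorders the default
TLS 1.2 cipher list, and OPENSSL_WITH_COMPRESSION merely compiles
compression in, leaving it off until an application enables it. An
application that sets both explicitly behaves the same whatever the
library was built with.
"""
import ssl

# Constructed preference list: ChaCha20-Poly1305 first (no AES
# instructions on most embedded CPUs), then AES-GCM; ECDHE only.
# These are TLS 1.2 suite names: set_ciphers() does not touch the
# TLS 1.3 suites, whose order cannot be changed from the ssl module.
CHACHA_FIRST = ":".join([
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
])


def hardened_server_context() -> ssl.SSLContext:
    """Server context that does not rely on build-time defaults for
    cipher order or compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CHACHA_FIRST)
    # Refuse TLS compression even if the library was built with it
    # (CRIME), and let our order, not the client's, pick the suite.
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def tls12_preference(ctx: ssl.SSLContext) -> list:
    """TLS 1.2 suite names in the order this context will prefer them."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def compression_refused(ctx: ssl.SSLContext) -> bool:
    """True when the context will never negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def library_default_preference() -> list:
    """What an untouched context prefers. On an OpenWrt build with
    OPENSSL_PREFER_CHACHA_OVER_GCM this starts with a CHACHA20 suite on
    targets other than x86_64/aarch64; a stock desktop OpenSSL usually
    starts with AES-GCM. Run it on the target to check a build."""
    return tls12_preference(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))


if __name__ == "__main__":
    print("library default :", library_default_preference()[:3])
    ctx = hardened_server_context()
    print("pinned order    :", tls12_preference(ctx)[:3])
    print("compression off :", compression_refused(ctx))
```

Running the module on a target prints the library's own default order next to the pinned one, which is a quick way to confirm whether a given libopenssl package was built with OPENSSL_PREFER_CHACHA_OVER_GCM. The TLS 1.3 suite order (and therefore the effect of the build option on TLS 1.3) is outside what the `ssl` module can change, so an application that needs control there has to use the OpenSSL C API directly.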
config OPENSSL_WITH_RFC3779
	bool
	prompt "Enable RFC3779 support (BGP)"
	help
		RFC 3779 defines two X.509 v3 certificate extensions. The first
		binds a list of IP address blocks, or prefixes, to the subject of a
		certificate. The second binds a list of autonomous system
		identifiers to the subject of a certificate. These extensions may be
		used to convey the authorization of the subject to use the IP
		addresses and autonomous system identifiers contained in the
		extensions.

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
	bool "Enable engine support"
	select OPENSSL_WITH_DEPRECATED
	default y
	help
		This enables alternative cryptography implementations,
		most commonly for interfacing with external crypto devices,
		or supporting new/alternative ciphers and digests.
		If you compile the library with this option disabled, packages built
		using an engine-enabled library (i.e. from the official repo) may
		fail to run. Compile and install the packages with engine support
		disabled, and you should be fine.
		Note that you need to enable KERNEL_AIO to be able to build the
		afalg engine package.

config OPENSSL_ENGINE_BUILTIN
	bool "Build chosen engines into libcrypto"
	depends on OPENSSL_ENGINE
	help
		This builds all chosen engines into libcrypto.so, instead of building
		them as dynamic engines in separate packages.
		The benefit of building the engines into libcrypto is that they won't
		require any configuration to be used by default.

config OPENSSL_ENGINE_BUILTIN_AFALG
	bool
	prompt "Acceleration support through AF_ALG sockets engine"
	depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through the
		AF_ALG kernel interface.

config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
	bool
	prompt "Acceleration support through /dev/crypto"
	depends on OPENSSL_ENGINE_BUILTIN
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through the OpenBSD
		Cryptodev API (/dev/crypto) interface.
		Even though configuration is not strictly needed, it is worth seeing
		https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
		for information on how to configure the engine.

config OPENSSL_ENGINE_BUILTIN_PADLOCK
	bool
	prompt "VIA Padlock Acceleration support engine"
	depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through the
		VIA Padlock module.

config OPENSSL_WITH_ASYNC
	bool
	prompt "Enable asynchronous jobs support"
	depends on OPENSSL_ENGINE && USE_GLIBC
	help
		Enables async-aware applications to be able to use OpenSSL to
		initiate crypto operations asynchronously. In order to work
		this will require the presence of an async capable engine.

endif
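The options above interact through `default ... if`, `depends on` and `select` (for instance OPENSSL_ENGINE forces OPENSSL_WITH_DEPRECATED on, OPENSSL_SMALL_FOOTPRINT is only available when speed optimisation is off, and SMALL_FLASH switches off the error messages and the legacy ciphers by default), so the feature set a build ends up with is not obvious from reading one entry at a time. The following is an added example (not OpenWrt code and not the kconfig tool) of a small evaluator for the subset of Kconfig this file uses, run over a constructed excerpt of the entries above with the help text left out. It assumes bool symbols only, no `if`/`endif` blocks or tristates, treats a `select` as forcing the target to y as kconfig does, and takes the target facts (`x86_64`, `SMALL_FLASH`, ...) from the `env` dictionary.

```python
"""Evaluate libopenssl Kconfig build options for a given OpenWrt target.

Added example, not OpenWrt code. Handles the subset used above: bool
symbols, `default <expr> [if <cond>]`, `depends on <expr>`, `select`.
Expressions support !, &&, || and parentheses; y/n are literals.
"""
import re

# Constructed excerpt of the Config.in above (help text omitted).
SAMPLE_KCONFIG = """
config OPENSSL_OPTIMIZE_SPEED
	bool
	default y if x86_64 || i386
	select OPENSSL_WITH_ASM
config OPENSSL_SMALL_FOOTPRINT
	bool
	depends on !OPENSSL_OPTIMIZE_SPEED
	default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
config OPENSSL_WITH_ASM
	bool
	default y
	depends on !arc
config OPENSSL_WITH_DEPRECATED
	bool
	default y
config OPENSSL_NO_DEPRECATED
	bool
	default !OPENSSL_WITH_DEPRECATED
config OPENSSL_WITH_ERROR_MESSAGES
	bool
	default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
config OPENSSL_WITH_IDEA
	bool
	default y if !SMALL_FLASH
config OPENSSL_ENGINE
	bool "Enable engine support"
	select OPENSSL_WITH_DEPRECATED
	default y
"""

TOKEN = re.compile(r"\(|\)|!|&&|\|\||[A-Za-z0-9_]+")


def parse_expr(text):
    """Recursive-descent parse of a Kconfig bool expression into a
    callable taking a symbol-lookup function."""
    toks = TOKEN.findall(text)
    if "".join(toks) != "".join(text.split()):
        raise ValueError("bad expression: " + text)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def peek():
        return toks[pos] if pos < len(toks) else None

    def atom():
        t = take()
        if t == "(":
            e = orexp()
            if take() != ")":
                raise ValueError("missing ) in: " + text)
            return e
        if t == "!":
            e = atom()
            return lambda lk: not e(lk)
        return lambda lk, name=t: lk(name)

    def andexp():
        terms = [atom()]
        while peek() == "&&":
            take()
            terms.append(atom())
        return lambda lk: all(t(lk) for t in terms)

    def orexp():
        terms = [andexp()]
        while peek() == "||":
            take()
            terms.append(andexp())
        return lambda lk: any(t(lk) for t in terms)

    e = orexp()
    if peek() is not None:
        raise ValueError("trailing tokens in: " + text)
    return e


def parse_kconfig(text):
    """Collect name, depends, defaults and selects for each config entry."""
    syms, cur = [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        kw, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if kw == "config":
            cur = {"name": rest.strip(), "depends": None, "defaults": [], "selects": []}
            syms.append(cur)
        elif cur is None:
            continue
        elif kw == "depends":            # "depends on <expr>"
            cur["depends"] = parse_expr(rest.split(None, 1)[1])
        elif kw == "default":            # "default <expr> [if <cond>]"
            val, _, cond = rest.partition(" if ")
            cur["defaults"].append((parse_expr(val), parse_expr(cond) if cond else None))
        elif kw == "select":
            cur["selects"].append(rest.split()[0])
        # bool/prompt/help lines do not affect the computed value
    return syms


def evaluate(text, env, user=None):
    """Return {symbol: bool}. `env` holds target facts (x86_64, SMALL_FLASH,
    ...); `user` holds explicit menuconfig choices. Iterates to a fixpoint
    because entries may refer to symbols defined later."""
    syms, user = parse_kconfig(text), (user or {})
    values = {s["name"]: False for s in syms}

    def lookup(name):
        if name in ("y", "n"):
            return name == "y"
        return bool(env.get(name, values.get(name, False)))

    for _ in range(len(syms) + 2):
        selected = {t for s in syms if values[s["name"]] for t in s["selects"]}
        new = {}
        for s in syms:
            name = s["name"]
            if name in selected:
                new[name] = True                 # select forces y (kconfig semantics)
            elif s["depends"] is not None and not s["depends"](lookup):
                new[name] = False                # unmet dependency: not visible, n
            elif name in user:
                new[name] = bool(user[name])
            else:                                # first default whose condition holds
                new[name] = next((v(lookup) for v, c in s["defaults"]
                                  if c is None or c(lookup)), False)
        if new == values:
            break
        values = new
    return values


if __name__ == "__main__":
    for label, env in (("x86_64", {"x86_64": True}), ("small-flash mips", {"SMALL_FLASH": True})):
        on = sorted(k for k, v in evaluate(SAMPLE_KCONFIG, env).items() if v)
        print(label, "->", on)
```

The two runs in `__main__` show the practical point: on a SMALL_FLASH target the same file yields a library without error messages and without IDEA, while `evaluate(..., user={"OPENSSL_WITH_DEPRECATED": False})` still reports OPENSSL_WITH_DEPRECATED as enabled as long as OPENSSL_ENGINE is on, because the `select` wins over the user's choice. Checking the computed set against what a package is expected to ship is a cheap review step before an image build.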