if PACKAGE_libopenssl
+comment "Build Options"
+
+config OPENSSL_OPTIMIZE_SPEED
+ bool
+ default y if x86_64 || i386
+ prompt "Enable optimization for speed instead of size"
+ select OPENSSL_WITH_ASM
+ help
+ Enabling this option increases code size (around 20%) and
+ performance. The increase in performance and size depends on the
+ target CPU. EC and AES seem to benefit the most, with EC speed
+ increased by 20%-50% (mipsel & x86).
+ AES-GCM is supposed to be 3x faster on x86. YMMV.
+
+config OPENSSL_WITH_ASM
+ bool
+ default y if !SMALL_FLASH || !arm
+ prompt "Compile with optimized assembly code"
+ depends on !arc
+ help
+ Disabling this option will reduce code size and performance.
+ The increase in performance and size depends on the target
+ CPU and on the algorithms being optimized. As of 1.1.0i*:
+
+ Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
+ aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
+ arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
+ i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
+ mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
+ mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
+ powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
+ x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
+
+ * Only most common algorithms shown. Your mileage may vary.
+ BN (bignum) performance was measured using RSA sign/verify.
+
+config OPENSSL_WITH_SSE2
+ bool
+ default y if !TARGET_x86_legacy && !TARGET_x86_geode
+ prompt "Enable use of x86 SSE2 instructions"
+ depends on OPENSSL_WITH_ASM && i386
+ help
+ Use of SSE2 instructions greatly increase performance (up to
+ 3x faster) with a minimum (~0.2%, or 23KB) increase in package
+ size, but it will bring no benefit if your hardware does not
+ support them, such as Geode GX and LX. In this case you may
+ save 23KB by saying yes here. AMD Geode NX, and Intel
+ Pentium 4 and above support SSE2.
+
+config OPENSSL_WITH_DEPRECATED
+ bool
+ default y
+ prompt "Include deprecated APIs (See help for a list of packages that need this)"
+ help
+ Since openssl 1.1.x is still new to openwrt, some packages
+ requiring this option do not list it as a requirement yet:
+ * freeswitch-stable, freeswitch, python, python3, squid.
+
+config OPENSSL_NO_DEPRECATED
+ bool
+ default !OPENSSL_WITH_DEPRECATED
+
+config OPENSSL_WITH_ERROR_MESSAGES
+ bool
+ default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
+ prompt "Include error messages"
+ help
+ This option aids debugging, but increases package size and
+ memory usage.
+
+comment "Protocol Support"
+
+config OPENSSL_WITH_TLS13
+ bool
+ default y
+ prompt "Enable support for TLS 1.3"
+ select OPENSSL_WITH_EC
+ help
+ TLS 1.3 is the newest version of the TLS specification.
+ It aims:
+ * to increase the overall security of the protocol,
+ removing outdated algorithms, and encrypting more of the
+ protocol;
+ * to increase performance by reducing the number of round-trips
+ when performing a full handshake.
+ It increases package size by ~4KB.
+
+config OPENSSL_WITH_DTLS
+ bool
+ prompt "Enable DTLS support"
+ help
+ Datagram Transport Layer Security (DTLS) provides TLS-like security
+ for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
+
+config OPENSSL_WITH_NPN
+ bool
+ default y
+ prompt "Enable NPN support"
+ help
+ NPN is a TLS extension, obsoleted and replaced with ALPN,
+ used to negotiate SPDY, and HTTP/2.
+
+config OPENSSL_WITH_SRP
+ bool
+ default y
+ prompt "Enable SRP support"
+ help
+ The Secure Remote Password protocol (SRP) is an augmented
+ password-authenticated key agreement (PAKE) protocol, specifically
+ designed to work around existing patents.
+
+config OPENSSL_WITH_CMS
+ bool
+ default y
+ prompt "Enable CMS (RFC 5652) support"
+ help
+ Cryptographic Message Syntax (CMS) is used to digitally sign,
+ digest, authenticate, or encrypt arbitrary message content.
+
+comment "Algorithm Selection"
+
config OPENSSL_WITH_EC
bool
default y
prompt "Enable elliptic curve support"
+ help
+ Elliptic-curve cryptography (ECC) is an approach to public-key
+ cryptography based on the algebraic structure of elliptic curves
+ over finite fields. ECC requires smaller keys compared to non-ECC
+ cryptography to provide equivalent security.
config OPENSSL_WITH_EC2M
- bool
- depends on OPENSSL_WITH_EC
- prompt "Enable ec2m support"
+ bool
+ depends on OPENSSL_WITH_EC
+ prompt "Enable ec2m support"
+ help
+ This option enables the more efficient, yet less common, binary
+ field elliptic curves.
-config OPENSSL_WITH_SSL3
+config OPENSSL_WITH_CHACHA_POLY1305
bool
- default n
- prompt "Enable sslv3 support"
+ default y
+ prompt "Enable ChaCha20-Poly1305 ciphersuite support"
+ help
+ ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
+ combining ChaCha stream cipher with Poly1305 MAC.
+ It is 3x faster than AES, when not using a CPU with AES-specific
+ instructions, as is the case of most embedded devices.
-config OPENSSL_WITH_DEPRECATED
+config OPENSSL_PREFER_CHACHA_OVER_GCM
+ bool
+ default y if !x86_64 && !aarch64
+ prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
+ depends on OPENSSL_WITH_CHACHA_POLY1305
+ help
+ The default openssl preference is for AES-GCM before ChaCha, but
+ that takes into account AES-NI capable chips. It is not the
+ case with most embedded chips, so it may be better to invert
+ that preference. This is just for the default case. The
+ application can always override this.
+
+config OPENSSL_WITH_PSK
bool
default y
- prompt "Include deprecated APIs"
+ prompt "Enable PSK support"
+ help
+ Build support for Pre-Shared Key based cipher suites.
+
+comment "Less commonly used build options"
-config OPENSSL_ENGINE_DIGEST
+config OPENSSL_WITH_ARIA
bool
- depends on OPENSSL_ENGINE_CRYPTO
- prompt "Digests acceleration support"
+ prompt "Enable ARIA support"
+ help
+ ARIA is a block cipher developed in South Korea, based on AES.
-config OPENSSL_HARDWARE_SUPPORT
+config OPENSSL_WITH_CAMELLIA
bool
- default n
- prompt "Enable hardware support"
+ prompt "Enable Camellia cipher support"
+ help
+ Camellia is a bock cipher with security levels and processing
+ abilities comparable to AES.
-endif
+config OPENSSL_WITH_IDEA
+ bool
+ prompt "Enable IDEA cipher support"
+ help
+ IDEA is a block cipher with 128-bit keys.
+
+config OPENSSL_WITH_SEED
+ bool
+ prompt "Enable SEED cipher support"
+ help
+ SEED is a block cipher with 128-bit keys broadly used in
+ South Korea, but seldom found elsewhere.
+
+config OPENSSL_WITH_SM234
+ bool
+ prompt "Enable SM2/3/4 algorithms support"
+ help
+ These algorithms are a set of "Commercial Cryptography"
+ algorithms approved for use in China.
+ * SM2 is an EC algorithm equivalent to ECDSA P-256
+ * SM3 is a hash function equivalent to SHA-256
+ * SM4 is a 128-block cipher equivalent to AES-128
+
+config OPENSSL_WITH_BLAKE2
+ bool
+ prompt "Enable BLAKE2 digest support"
+ help
+ BLAKE2 is a cryptographic hash function based on the ChaCha
+ stream cipher.
+
+config OPENSSL_WITH_MDC2
+ bool
+ prompt "Enable MDC2 digest support"
+
+config OPENSSL_WITH_WHIRLPOOL
+ bool
+ prompt "Enable Whirlpool digest support"
-config OPENSSL_ENGINE_CRYPTO
+config OPENSSL_WITH_COMPRESSION
bool
- prompt "Crypto acceleration support" if PACKAGE_libopenssl
+ prompt "Enable compression support"
+ help
+ TLS compression is not recommended, as it is deemed insecure.
+ The CRIME attack exploits this weakness.
+ Even with this option turned on, it is disabled by default, and the
+ application must explicitly turn it on.
+
+config OPENSSL_WITH_RFC3779
+ bool
+ prompt "Enable RFC3779 support (BGP)"
+ help
+ RFC 3779 defines two X.509 v3 certificate extensions. The first
+ binds a list of IP address blocks, or prefixes, to the subject of a
+ certificate. The second binds a list of autonomous system
+ identifiers to the subject of a certificate. These extensions may be
+ used to convey the authorization of the subject to use the IP
+ addresses and autonomous system identifiers contained in the
+ extensions.
+
+comment "Engine/Hardware Support"
+
+config OPENSSL_ENGINE
+ bool "Enable engine support"
+ help
+ This enables alternative cryptography implementations,
+ most commonly for interfacing with external crypto devices,
+ or supporting new/alternative ciphers and digests.
+ Note that you need to enable KERNEL_AIO to be able to build the
+ afalg engine package.
+
+config OPENSSL_ENGINE_BUILTIN
+ bool "Build chosen engines into libcrypto"
+ depends on OPENSSL_ENGINE
+ help
+ This builds all chosen engines into libcrypto.so, instead of building
+ them as dynamic engines in separate packages.
+ The benefit of building the engines into libcrypto is that they won't
+ require any configuration to be used by default.
+
+config OPENSSL_ENGINE_BUILTIN_AFALG
+ bool
+ prompt "Acceleration support through AF_ALG sockets engine"
+ depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO && !LINUX_3_18
+ select PACKAGE_libopenssl-conf
+ help
+ This enables use of hardware acceleration through the
+ AF_ALG kenrel interface.
+
+config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
+ bool
+ prompt "Acceleration support through /dev/crypto"
+ depends on OPENSSL_ENGINE_BUILTIN
+ select PACKAGE_libopenssl-conf
+ help
+ This enables use of hardware acceleration through OpenBSD
+ Cryptodev API (/dev/crypto) interface.
+
+config OPENSSL_ENGINE_BUILTIN_PADLOCK
+ bool
+ prompt "VIA Padlock Acceleration support engine"
+ depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
+ select PACKAGE_libopenssl-conf
+ help
+ This enables use of hardware acceleration through the
+ VIA Padlock module.
+
+config OPENSSL_WITH_ASYNC
+ bool
+ prompt "Enable asynchronous jobs support"
+ depends on OPENSSL_ENGINE && USE_GLIBC
+ help
+ Enables async-aware applications to be able to use OpenSSL to
+ initiate crypto operations asynchronously. In order to work
+ this will require the presence of an async capable engine.
+
+config OPENSSL_WITH_GOST
+ bool
+ prompt "Prepare library for GOST engine"
+ depends on OPENSSL_ENGINE
+ help
+ This option prepares the library to accept engine support
+ for Russian GOST crypto algorithms.
+ The gost engine is not included in standard openwrt feeds.
+ To build such engine yourself, see:
+ https://github.com/gost-engine/engine
+
+endif