prompt "Enable optimization for speed instead of size"
select OPENSSL_WITH_ASM
help
- Enabling this option increases code size (around 20%) and
- performance. The increase in performance and size depends on the
- target CPU. EC and AES seem to benefit the most, with EC speed
- increased by 20%-50% (mipsel & x86).
- AES-GCM is supposed to be 3x faster on x86. YMMV.
+ Enabling this option increases code size and performance.
+ The increase in performance and size depends on the
+ target CPU. EC and AES seem to benefit the most.
+
+config OPENSSL_SMALL_FOOTPRINT
+ bool
+ depends on !OPENSSL_OPTIMIZE_SPEED
+ default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
+ prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
+ help
+ This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
+ 1-3% of of the ipk size. The performance drop depends on
+ architecture and algorithm. MIPS drops 13% of performance for
+ a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
+ size, ghash and GCM performance decreases 90%, while
+ Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
+ for 3% of performance. Other arches have not been tested.
config OPENSSL_WITH_ASM
bool
- default y if !SMALL_FLASH || !arm
+ default y
prompt "Compile with optimized assembly code"
depends on !arc
help
Disabling this option will reduce code size and performance.
The increase in performance and size depends on the target
- CPU and on the algorithms being optimized. As of 1.1.0i*:
-
- Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
- aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
- arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
- i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
- mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
- mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
- powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
- x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
-
- * Only most common algorithms shown. Your mileage may vary.
- BN (bignum) performance was measured using RSA sign/verify.
+ CPU and on the algorithms being optimized.
config OPENSSL_WITH_SSE2
bool
prompt "Enable use of x86 SSE2 instructions"
depends on OPENSSL_WITH_ASM && i386
help
- Use of SSE2 instructions greatly increase performance (up to
- 3x faster) with a minimum (~0.2%, or 23KB) increase in package
- size, but it will bring no benefit if your hardware does not
- support them, such as Geode GX and LX. In this case you may
- save 23KB by saying yes here. AMD Geode NX, and Intel
- Pentium 4 and above support SSE2.
+ Use of SSE2 instructions greatly increase performance with a
+ minimum increase in package size, but it will bring no benefit
+ if your hardware does not support them, such as Geode GX and LX.
+ AMD Geode NX, and Intel Pentium 4 and above support SSE2.
config OPENSSL_WITH_DEPRECATED
bool
default y
- prompt "Include deprecated APIs (See help for a list of packages that need this)"
+ prompt "Include deprecated APIs"
help
- Since openssl 1.1.x is still new to openwrt, some packages
- requiring this option do not list it as a requirement yet:
- * freeswitch-stable, freeswitch, python, python3, squid.
+ This drops all deprecated API, including engine support.
config OPENSSL_NO_DEPRECATED
bool
config OPENSSL_WITH_ERROR_MESSAGES
bool
- default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
+ default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
prompt "Include error messages"
help
This option aids debugging, but increases package size and
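Review bot: The new help text for OPENSSL_WITH_DEPRECATED reads "This drops all deprecated API, including engine support." under the prompt "Include deprecated APIs", so it describes what happens when the option is turned off while sitting on the option that turns it on; suggest "Disabling this drops all deprecated APIs, including engine support." In the OPENSSL_SMALL_FOOTPRINT help, "1-3% of of the ipk size" has a doubled "of". That same help reports a 90% drop in ghash and GCM performance on Aarch64 for a 1% size reduction, yet "default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT" applies to every architecture; consider excluding aarch64 from the default or justifying it in the commit message.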
bool
default y
prompt "Enable support for TLS 1.3"
- select OPENSSL_WITH_EC
help
TLS 1.3 is the newest version of the TLS specification.
It aims:
protocol;
* to increase performance by reducing the number of round-trips
when performing a full handshake.
- It increases package size by ~4KB.
config OPENSSL_WITH_DTLS
bool
config OPENSSL_WITH_NPN
bool
- default y
prompt "Enable NPN support"
help
NPN is a TLS extension, obsoleted and replaced with ALPN,
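Review bot: Removing "default y" from OPENSSL_WITH_NPN flips the default to disabled. That matches the help text calling NPN obsoleted and replaced with ALPN, but it is a behaviour change for anyone rebuilding from a default configuration. Say so in the commit message, and confirm that no in-tree package still expects NPN from the default libopenssl build.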
comment "Algorithm Selection"
-config OPENSSL_WITH_EC
- bool
- default y
- prompt "Enable elliptic curve support"
- help
- Elliptic-curve cryptography (ECC) is an approach to public-key
- cryptography based on the algebraic structure of elliptic curves
- over finite fields. ECC requires smaller keys compared to non-ECC
- cryptography to provide equivalent security.
-
config OPENSSL_WITH_EC2M
bool
- depends on OPENSSL_WITH_EC
prompt "Enable ec2m support"
help
This option enables the more efficient, yet less common, binary
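Review bot: With "config OPENSSL_WITH_EC" removed here, any remaining reference to that symbol (a "depends on" or "select" in another Config.in, or a CONFIG_OPENSSL_WITH_EC test in a Makefile) will quietly evaluate as unset, because Kconfig treats an undefined symbol as n. The patch already drops "select OPENSSL_WITH_EC" from the TLS 1.3 entry and "depends on OPENSSL_WITH_EC" from OPENSSL_WITH_EC2M; please grep the tree and the packages feed for other users before merging, and state in the commit message what replaces the option (presumably EC support is now always built).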
config OPENSSL_ENGINE
bool "Enable engine support"
+ select OPENSSL_WITH_DEPRECATED
+ default y
help
This enables alternative cryptography implementations,
most commonly for interfacing with external crypto devices,
or supporting new/alternative ciphers and digests.
+ If you compile the library with this option disabled, packages built
+ using an engine-enabled library (i.e. from the official repo) may
+ fail to run. Compile and install the packages with engine support
+ disabled, and you should be fine.
Note that you need to enable KERNEL_AIO to be able to build the
afalg engine package.
config OPENSSL_ENGINE_BUILTIN_AFALG
bool
prompt "Acceleration support through AF_ALG sockets engine"
- depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO && !LINUX_3_18
+ depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
select PACKAGE_libopenssl-conf
help
This enables use of hardware acceleration through the
AF_ALG kernel interface.
-config OPENSSL_ENGINE_CRYPTO
- # This symbol is deprecated. Currently it is used by the openssh package.
- # Once openwrt/packages#8272 is merged, this can be safely removed.
- bool
- default OPENSSL_ENGINE_BUILTIN_DEVCRYPTO || PACKAGE_libopenssl-devcrypto
-
config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
bool
prompt "Acceleration support through /dev/crypto"
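Review bot: In OPENSSL_ENGINE, adding "select OPENSSL_WITH_DEPRECATED" together with "default y" means a default build now forces the deprecated APIs on, and a user cannot turn OPENSSL_WITH_DEPRECATED off without first disabling engine support; the OPENSSL_WITH_DEPRECATED help should say so. The added help sentence "Compile and install the packages with engine support disabled" does not say which packages are meant; spell out that dependent packages must be rebuilt against the engine-less library. The removed OPENSSL_ENGINE_CRYPTO block carried a comment that openssh still used the symbol until openwrt/packages#8272 was merged, so confirm that has landed before dropping it.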
initiate crypto operations asynchronously. In order to work
this will require the presence of an async capable engine.
-config OPENSSL_WITH_GOST
- bool
- prompt "Prepare library for GOST engine"
- depends on OPENSSL_ENGINE
- help
- This option prepares the library to accept engine support
- for Russian GOST crypto algorithms.
- The gost engine is not included in standard openwrt feeds.
- To build such engine yourself, see:
- https://github.com/gost-engine/engine
-
endif