3 comment "Build Options"
5 config OPENSSL_OPTIMIZE_SPEED
7 default y if x86_64 || i386
8 prompt "Enable optimization for speed instead of size"
9 select OPENSSL_WITH_ASM
11 Enabling this option increases code size (around 20%) and
12 performance. The increase in performance and size depends on the
13 target CPU. EC and AES seem to benefit the most, with EC speed
14 increased by 20%-50% (mipsel & x86).
15 AES-GCM is supposed to be 3x faster on x86. YMMV.
17 config OPENSSL_WITH_ASM
19 default y if !SMALL_FLASH || !arm
20 prompt "Compile with optimized assembly code"
23 Disabling this option will reduce code size and performance.
24 The increase in performance and size depends on the target
25 CPU and on the algorithms being optimized. As of 1.1.0i*:
27 Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
28 aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
29 arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
30 i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
31 mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
32 mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
33 powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
34 x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
36 * Only most common algorithms shown. Your mileage may vary.
37 BN (bignum) performance was measured using RSA sign/verify.
39 config OPENSSL_WITH_SSE2
41 default y if !TARGET_x86_legacy && !TARGET_x86_geode
42 prompt "Enable use of x86 SSE2 instructions"
43 depends on OPENSSL_WITH_ASM && i386
45 Use of SSE2 instructions greatly increase performance (up to
46 3x faster) with a minimum (~0.2%, or 23KB) increase in package
47 size, but it will bring no benefit if your hardware does not
48 support them, such as Geode GX and LX. In this case you may
49 save 23KB by saying yes here. AMD Geode NX, and Intel
50 Pentium 4 and above support SSE2.
52 config OPENSSL_WITH_DEPRECATED
55 prompt "Include deprecated APIs (See help for a list of packages that need this)"
57 Since openssl 1.1.x is still new to openwrt, some packages
58 requiring this option do not list it as a requirement yet:
59 * freeswitch-stable, freeswitch, python, python3, squid.
61 config OPENSSL_NO_DEPRECATED
63 default !OPENSSL_WITH_DEPRECATED
65 config OPENSSL_WITH_ERROR_MESSAGES
67 default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
68 prompt "Include error messages"
70 This option aids debugging, but increases package size and
73 comment "Protocol Support"
75 config OPENSSL_WITH_TLS13
78 prompt "Enable support for TLS 1.3"
79 select OPENSSL_WITH_EC
81 TLS 1.3 is the newest version of the TLS specification.
83 * to increase the overall security of the protocol,
84 removing outdated algorithms, and encrypting more of the
86 * to increase performance by reducing the number of round-trips
87 when performing a full handshake.
88 It increases package size by ~4KB.
90 config OPENSSL_WITH_DTLS
92 prompt "Enable DTLS support"
94 Datagram Transport Layer Security (DTLS) provides TLS-like security
95 for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
97 config OPENSSL_WITH_NPN
99 prompt "Enable NPN support"
101 NPN is a TLS extension, obsoleted and replaced with ALPN,
102 used to negotiate SPDY, and HTTP/2.
104 config OPENSSL_WITH_SRP
107 prompt "Enable SRP support"
109 The Secure Remote Password protocol (SRP) is an augmented
110 password-authenticated key agreement (PAKE) protocol, specifically
111 designed to work around existing patents.
113 config OPENSSL_WITH_CMS
116 prompt "Enable CMS (RFC 5652) support"
118 Cryptographic Message Syntax (CMS) is used to digitally sign,
119 digest, authenticate, or encrypt arbitrary message content.
121 comment "Algorithm Selection"
123 config OPENSSL_WITH_EC
126 prompt "Enable elliptic curve support"
128 Elliptic-curve cryptography (ECC) is an approach to public-key
129 cryptography based on the algebraic structure of elliptic curves
130 over finite fields. ECC requires smaller keys compared to non-ECC
131 cryptography to provide equivalent security.
133 config OPENSSL_WITH_EC2M
135 depends on OPENSSL_WITH_EC
136 prompt "Enable ec2m support"
138 This option enables the more efficient, yet less common, binary
139 field elliptic curves.
141 config OPENSSL_WITH_CHACHA_POLY1305
144 prompt "Enable ChaCha20-Poly1305 ciphersuite support"
146 ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
147 combining ChaCha stream cipher with Poly1305 MAC.
148 It is 3x faster than AES, when not using a CPU with AES-specific
149 instructions, as is the case of most embedded devices.
151 config OPENSSL_PREFER_CHACHA_OVER_GCM
153 default y if !x86_64 && !aarch64
154 prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
155 depends on OPENSSL_WITH_CHACHA_POLY1305
157 The default openssl preference is for AES-GCM before ChaCha, but
158 that takes into account AES-NI capable chips. It is not the
159 case with most embedded chips, so it may be better to invert
160 that preference. This is just for the default case. The
161 application can always override this.
163 config OPENSSL_WITH_PSK
166 prompt "Enable PSK support"
168 Build support for Pre-Shared Key based cipher suites.
170 comment "Less commonly used build options"
172 config OPENSSL_WITH_ARIA
174 prompt "Enable ARIA support"
176 ARIA is a block cipher developed in South Korea, based on AES.
178 config OPENSSL_WITH_CAMELLIA
180 prompt "Enable Camellia cipher support"
182 Camellia is a bock cipher with security levels and processing
183 abilities comparable to AES.
185 config OPENSSL_WITH_IDEA
187 prompt "Enable IDEA cipher support"
189 IDEA is a block cipher with 128-bit keys.
191 config OPENSSL_WITH_SEED
193 prompt "Enable SEED cipher support"
195 SEED is a block cipher with 128-bit keys broadly used in
196 South Korea, but seldom found elsewhere.
198 config OPENSSL_WITH_SM234
200 prompt "Enable SM2/3/4 algorithms support"
202 These algorithms are a set of "Commercial Cryptography"
203 algorithms approved for use in China.
204 * SM2 is an EC algorithm equivalent to ECDSA P-256
205 * SM3 is a hash function equivalent to SHA-256
206 * SM4 is a 128-block cipher equivalent to AES-128
208 config OPENSSL_WITH_BLAKE2
210 prompt "Enable BLAKE2 digest support"
212 BLAKE2 is a cryptographic hash function based on the ChaCha
215 config OPENSSL_WITH_MDC2
217 prompt "Enable MDC2 digest support"
219 config OPENSSL_WITH_WHIRLPOOL
221 prompt "Enable Whirlpool digest support"
223 config OPENSSL_WITH_COMPRESSION
225 prompt "Enable compression support"
227 TLS compression is not recommended, as it is deemed insecure.
228 The CRIME attack exploits this weakness.
229 Even with this option turned on, it is disabled by default, and the
230 application must explicitly turn it on.
232 config OPENSSL_WITH_RFC3779
234 prompt "Enable RFC3779 support (BGP)"
236 RFC 3779 defines two X.509 v3 certificate extensions. The first
237 binds a list of IP address blocks, or prefixes, to the subject of a
238 certificate. The second binds a list of autonomous system
239 identifiers to the subject of a certificate. These extensions may be
240 used to convey the authorization of the subject to use the IP
241 addresses and autonomous system identifiers contained in the
244 comment "Engine/Hardware Support"
246 config OPENSSL_ENGINE
247 bool "Enable engine support"
250 This enables alternative cryptography implementations,
251 most commonly for interfacing with external crypto devices,
252 or supporting new/alternative ciphers and digests.
253 If you compile the library with this option disabled, packages built
254 using an engine-enabled library (i.e. from the official repo) may
255 fail to run. Compile and install the packages with engine support
256 disabled, and you should be fine.
257 Note that you need to enable KERNEL_AIO to be able to build the
258 afalg engine package.
260 config OPENSSL_ENGINE_BUILTIN
261 bool "Build chosen engines into libcrypto"
262 depends on OPENSSL_ENGINE
264 This builds all chosen engines into libcrypto.so, instead of building
265 them as dynamic engines in separate packages.
266 The benefit of building the engines into libcrypto is that they won't
267 require any configuration to be used by default.
269 config OPENSSL_ENGINE_BUILTIN_AFALG
271 prompt "Acceleration support through AF_ALG sockets engine"
272 depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
273 select PACKAGE_libopenssl-conf
275 This enables use of hardware acceleration through the
276 AF_ALG kernel interface.
278 config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
280 prompt "Acceleration support through /dev/crypto"
281 depends on OPENSSL_ENGINE_BUILTIN
282 select PACKAGE_libopenssl-conf
284 This enables use of hardware acceleration through OpenBSD
285 Cryptodev API (/dev/crypto) interface.
286 Even though configuration is not strictly needed, it is worth seeing
287 https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
288 for information on how to configure the engine.
290 config OPENSSL_ENGINE_BUILTIN_PADLOCK
292 prompt "VIA Padlock Acceleration support engine"
293 depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
294 select PACKAGE_libopenssl-conf
296 This enables use of hardware acceleration through the
299 config OPENSSL_WITH_ASYNC
301 prompt "Enable asynchronous jobs support"
302 depends on OPENSSL_ENGINE && USE_GLIBC
304 Enables async-aware applications to be able to use OpenSSL to
305 initiate crypto operations asynchronously. In order to work
306 this will require the presence of an async capable engine.
308 config OPENSSL_WITH_GOST
310 prompt "Prepare library for GOST engine"
311 depends on OPENSSL_ENGINE
313 This option prepares the library to accept engine support
314 for Russian GOST crypto algorithms.
315 The gost engine is not included in standard openwrt feeds.
316 To build such engine yourself, see:
317 https://github.com/gost-engine/engine