3 comment "Build Options"
5 config OPENSSL_OPTIMIZE_SPEED
7 default y if x86_64 || i386
8 prompt "Enable optimization for speed instead of size"
9 select OPENSSL_WITH_ASM
11 Enabling this option increases code size and performance.
12 The increase in performance and size depends on the
13 target CPU. EC and AES seem to benefit the most.
15 config OPENSSL_WITH_ASM
17 default y if !SMALL_FLASH || !arm
18 prompt "Compile with optimized assembly code"
21 Disabling this option will reduce code size and performance.
22 The increase in performance and size depends on the target
23 CPU and on the algorithms being optimized.
25 config OPENSSL_WITH_SSE2
27 default y if !TARGET_x86_legacy && !TARGET_x86_geode
28 prompt "Enable use of x86 SSE2 instructions"
29 depends on OPENSSL_WITH_ASM && i386
31 Use of SSE2 instructions greatly increase performance with a
32 minimum increase in package size, but it will bring no benefit
33 if your hardware does not support them, such as Geode GX and LX.
34 AMD Geode NX, and Intel Pentium 4 and above support SSE2.
36 config OPENSSL_WITH_DEPRECATED
39 prompt "Include deprecated APIs"
41 This drops all deprecated API, including engine support.
43 config OPENSSL_NO_DEPRECATED
45 default !OPENSSL_WITH_DEPRECATED
47 config OPENSSL_WITH_ERROR_MESSAGES
49 default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
50 prompt "Include error messages"
52 This option aids debugging, but increases package size and
55 comment "Protocol Support"
57 config OPENSSL_WITH_TLS13
60 prompt "Enable support for TLS 1.3"
62 TLS 1.3 is the newest version of the TLS specification.
64 * to increase the overall security of the protocol,
65 removing outdated algorithms, and encrypting more of the
67 * to increase performance by reducing the number of round-trips
68 when performing a full handshake.
70 config OPENSSL_WITH_DTLS
72 prompt "Enable DTLS support"
74 Datagram Transport Layer Security (DTLS) provides TLS-like security
75 for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
77 config OPENSSL_WITH_NPN
79 prompt "Enable NPN support"
81 NPN is a TLS extension, obsoleted and replaced with ALPN,
82 used to negotiate SPDY, and HTTP/2.
84 config OPENSSL_WITH_SRP
87 prompt "Enable SRP support"
89 The Secure Remote Password protocol (SRP) is an augmented
90 password-authenticated key agreement (PAKE) protocol, specifically
91 designed to work around existing patents.
93 config OPENSSL_WITH_CMS
96 prompt "Enable CMS (RFC 5652) support"
98 Cryptographic Message Syntax (CMS) is used to digitally sign,
99 digest, authenticate, or encrypt arbitrary message content.
101 comment "Algorithm Selection"
103 config OPENSSL_WITH_EC2M
105 prompt "Enable ec2m support"
107 This option enables the more efficient, yet less common, binary
108 field elliptic curves.
110 config OPENSSL_WITH_CHACHA_POLY1305
113 prompt "Enable ChaCha20-Poly1305 ciphersuite support"
115 ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
116 combining ChaCha stream cipher with Poly1305 MAC.
117 It is 3x faster than AES, when not using a CPU with AES-specific
118 instructions, as is the case of most embedded devices.
120 config OPENSSL_PREFER_CHACHA_OVER_GCM
122 default y if !x86_64 && !aarch64
123 prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
124 depends on OPENSSL_WITH_CHACHA_POLY1305
126 The default openssl preference is for AES-GCM before ChaCha, but
127 that takes into account AES-NI capable chips. It is not the
128 case with most embedded chips, so it may be better to invert
129 that preference. This is just for the default case. The
130 application can always override this.
132 config OPENSSL_WITH_PSK
135 prompt "Enable PSK support"
137 Build support for Pre-Shared Key based cipher suites.
139 comment "Less commonly used build options"
141 config OPENSSL_WITH_ARIA
143 prompt "Enable ARIA support"
145 ARIA is a block cipher developed in South Korea, based on AES.
147 config OPENSSL_WITH_CAMELLIA
149 prompt "Enable Camellia cipher support"
151 Camellia is a bock cipher with security levels and processing
152 abilities comparable to AES.
154 config OPENSSL_WITH_IDEA
156 prompt "Enable IDEA cipher support"
158 IDEA is a block cipher with 128-bit keys.
160 config OPENSSL_WITH_SEED
162 prompt "Enable SEED cipher support"
164 SEED is a block cipher with 128-bit keys broadly used in
165 South Korea, but seldom found elsewhere.
167 config OPENSSL_WITH_SM234
169 prompt "Enable SM2/3/4 algorithms support"
171 These algorithms are a set of "Commercial Cryptography"
172 algorithms approved for use in China.
173 * SM2 is an EC algorithm equivalent to ECDSA P-256
174 * SM3 is a hash function equivalent to SHA-256
175 * SM4 is a 128-block cipher equivalent to AES-128
177 config OPENSSL_WITH_BLAKE2
179 prompt "Enable BLAKE2 digest support"
181 BLAKE2 is a cryptographic hash function based on the ChaCha
184 config OPENSSL_WITH_MDC2
186 prompt "Enable MDC2 digest support"
188 config OPENSSL_WITH_WHIRLPOOL
190 prompt "Enable Whirlpool digest support"
192 config OPENSSL_WITH_COMPRESSION
194 prompt "Enable compression support"
196 TLS compression is not recommended, as it is deemed insecure.
197 The CRIME attack exploits this weakness.
198 Even with this option turned on, it is disabled by default, and the
199 application must explicitly turn it on.
201 config OPENSSL_WITH_RFC3779
203 prompt "Enable RFC3779 support (BGP)"
205 RFC 3779 defines two X.509 v3 certificate extensions. The first
206 binds a list of IP address blocks, or prefixes, to the subject of a
207 certificate. The second binds a list of autonomous system
208 identifiers to the subject of a certificate. These extensions may be
209 used to convey the authorization of the subject to use the IP
210 addresses and autonomous system identifiers contained in the
213 comment "Engine/Hardware Support"
215 config OPENSSL_ENGINE
216 bool "Enable engine support"
217 select OPENSSL_WITH_DEPRECATED
220 This enables alternative cryptography implementations,
221 most commonly for interfacing with external crypto devices,
222 or supporting new/alternative ciphers and digests.
223 If you compile the library with this option disabled, packages built
224 using an engine-enabled library (i.e. from the official repo) may
225 fail to run. Compile and install the packages with engine support
226 disabled, and you should be fine.
227 Note that you need to enable KERNEL_AIO to be able to build the
228 afalg engine package.
230 config OPENSSL_ENGINE_BUILTIN
231 bool "Build chosen engines into libcrypto"
232 depends on OPENSSL_ENGINE
234 This builds all chosen engines into libcrypto.so, instead of building
235 them as dynamic engines in separate packages.
236 The benefit of building the engines into libcrypto is that they won't
237 require any configuration to be used by default.
239 config OPENSSL_ENGINE_BUILTIN_AFALG
241 prompt "Acceleration support through AF_ALG sockets engine"
242 depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
243 select PACKAGE_libopenssl-conf
245 This enables use of hardware acceleration through the
246 AF_ALG kernel interface.
248 config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
250 prompt "Acceleration support through /dev/crypto"
251 depends on OPENSSL_ENGINE_BUILTIN
252 select PACKAGE_libopenssl-conf
254 This enables use of hardware acceleration through OpenBSD
255 Cryptodev API (/dev/crypto) interface.
256 Even though configuration is not strictly needed, it is worth seeing
257 https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
258 for information on how to configure the engine.
260 config OPENSSL_ENGINE_BUILTIN_PADLOCK
262 prompt "VIA Padlock Acceleration support engine"
263 depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
264 select PACKAGE_libopenssl-conf
266 This enables use of hardware acceleration through the
269 config OPENSSL_WITH_ASYNC
271 prompt "Enable asynchronous jobs support"
272 depends on OPENSSL_ENGINE && USE_GLIBC
274 Enables async-aware applications to be able to use OpenSSL to
275 initiate crypto operations asynchronously. In order to work
276 this will require the presence of an async capable engine.