3 comment "Build Options"
5 config OPENSSL_OPTIMIZE_SPEED
7 default y if x86_64 || i386
8 prompt "Enable optimization for speed instead of size"
9 select OPENSSL_WITH_ASM
11 Enabling this option increases code size (around 20%) and
12 performance. The increase in performance and size depends on the
13 target CPU. EC and AES seem to benefit the most, with EC speed
14 increased by 20%-50% (mipsel & x86).
15 AES-GCM is supposed to be 3x faster on x86. YMMV.
17 config OPENSSL_WITH_ASM
19 default y if !SMALL_FLASH || !arm
20 prompt "Compile with optimized assembly code"
23 Disabling this option will reduce code size and performance.
24 The increase in performance and size depends on the target
25 CPU and on the algorithms being optimized. As of 1.1.0i*:
27 Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
28 aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
29 arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
30 i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
31 mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
32 mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
33 powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
34 x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
36 * Only most common algorithms shown. Your mileage may vary.
37 BN (bignum) performance was measured using RSA sign/verify.
39 config OPENSSL_WITH_SSE2
41 default y if !TARGET_x86_legacy && !TARGET_x86_geode
42 prompt "Enable use of x86 SSE2 instructions"
43 depends on OPENSSL_WITH_ASM && i386
45 Use of SSE2 instructions greatly increase performance (up to
46 3x faster) with a minimum (~0.2%, or 23KB) increase in package
47 size, but it will bring no benefit if your hardware does not
48 support them, such as Geode GX and LX. In this case you may
49 save 23KB by saying yes here. AMD Geode NX, and Intel
50 Pentium 4 and above support SSE2.
52 config OPENSSL_WITH_DEPRECATED
55 prompt "Include deprecated APIs (See help for a list of packages that need this)"
57 Since openssl 1.1.x is still new to openwrt, some packages
58 requiring this option do not list it as a requirement yet:
59 * freeswitch-stable, freeswitch, python, python3, squid.
61 config OPENSSL_NO_DEPRECATED
63 default !OPENSSL_WITH_DEPRECATED
65 config OPENSSL_WITH_ERROR_MESSAGES
67 default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
68 prompt "Include error messages"
70 This option aids debugging, but increases package size and
73 comment "Protocol Support"
75 config OPENSSL_WITH_TLS13
78 prompt "Enable support for TLS 1.3"
79 select OPENSSL_WITH_EC
81 TLS 1.3 is the newest version of the TLS specification.
83 * to increase the overall security of the protocol,
84 removing outdated algorithms, and encrypting more of the
86 * to increase performance by reducing the number of round-trips
87 when performing a full handshake.
88 It increases package size by ~4KB.
90 config OPENSSL_WITH_DTLS
92 prompt "Enable DTLS support"
94 Datagram Transport Layer Security (DTLS) provides TLS-like security
95 for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
97 config OPENSSL_WITH_NPN
100 prompt "Enable NPN support"
102 NPN is a TLS extension, obsoleted and replaced with ALPN,
103 used to negotiate SPDY, and HTTP/2.
105 config OPENSSL_WITH_SRP
108 prompt "Enable SRP support"
110 The Secure Remote Password protocol (SRP) is an augmented
111 password-authenticated key agreement (PAKE) protocol, specifically
112 designed to work around existing patents.
114 config OPENSSL_WITH_CMS
117 prompt "Enable CMS (RFC 5652) support"
119 Cryptographic Message Syntax (CMS) is used to digitally sign,
120 digest, authenticate, or encrypt arbitrary message content.
122 comment "Algorithm Selection"
124 config OPENSSL_WITH_EC
127 prompt "Enable elliptic curve support"
129 Elliptic-curve cryptography (ECC) is an approach to public-key
130 cryptography based on the algebraic structure of elliptic curves
131 over finite fields. ECC requires smaller keys compared to non-ECC
132 cryptography to provide equivalent security.
134 config OPENSSL_WITH_EC2M
136 depends on OPENSSL_WITH_EC
137 prompt "Enable ec2m support"
139 This option enables the more efficient, yet less common, binary
140 field elliptic curves.
142 config OPENSSL_WITH_CHACHA_POLY1305
145 prompt "Enable ChaCha20-Poly1305 ciphersuite support"
147 ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
148 combining ChaCha stream cipher with Poly1305 MAC.
149 It is 3x faster than AES, when not using a CPU with AES-specific
150 instructions, as is the case of most embedded devices.
152 config OPENSSL_PREFER_CHACHA_OVER_GCM
154 default y if !x86_64 && !aarch64
155 prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
156 depends on OPENSSL_WITH_CHACHA_POLY1305
158 The default openssl preference is for AES-GCM before ChaCha, but
159 that takes into account AES-NI capable chips. It is not the
160 case with most embedded chips, so it may be better to invert
161 that preference. This is just for the default case. The
162 application can always override this.
164 config OPENSSL_WITH_PSK
167 prompt "Enable PSK support"
169 Build support for Pre-Shared Key based cipher suites.
171 comment "Less commonly used build options"
173 config OPENSSL_WITH_ARIA
175 prompt "Enable ARIA support"
177 ARIA is a block cipher developed in South Korea, based on AES.
179 config OPENSSL_WITH_CAMELLIA
181 prompt "Enable Camellia cipher support"
183 Camellia is a bock cipher with security levels and processing
184 abilities comparable to AES.
186 config OPENSSL_WITH_IDEA
188 prompt "Enable IDEA cipher support"
190 IDEA is a block cipher with 128-bit keys.
192 config OPENSSL_WITH_SEED
194 prompt "Enable SEED cipher support"
196 SEED is a block cipher with 128-bit keys broadly used in
197 South Korea, but seldom found elsewhere.
199 config OPENSSL_WITH_SM234
201 prompt "Enable SM2/3/4 algorithms support"
203 These algorithms are a set of "Commercial Cryptography"
204 algorithms approved for use in China.
205 * SM2 is an EC algorithm equivalent to ECDSA P-256
206 * SM3 is a hash function equivalent to SHA-256
207 * SM4 is a 128-block cipher equivalent to AES-128
209 config OPENSSL_WITH_BLAKE2
211 prompt "Enable BLAKE2 digest support"
213 BLAKE2 is a cryptographic hash function based on the ChaCha
216 config OPENSSL_WITH_MDC2
218 prompt "Enable MDC2 digest support"
220 config OPENSSL_WITH_WHIRLPOOL
222 prompt "Enable Whirlpool digest support"
224 config OPENSSL_WITH_COMPRESSION
226 prompt "Enable compression support"
228 TLS compression is not recommended, as it is deemed insecure.
229 The CRIME attack exploits this weakness.
230 Even with this option turned on, it is disabled by default, and the
231 application must explicitly turn it on.
233 config OPENSSL_WITH_RFC3779
235 prompt "Enable RFC3779 support (BGP)"
237 RFC 3779 defines two X.509 v3 certificate extensions. The first
238 binds a list of IP address blocks, or prefixes, to the subject of a
239 certificate. The second binds a list of autonomous system
240 identifiers to the subject of a certificate. These extensions may be
241 used to convey the authorization of the subject to use the IP
242 addresses and autonomous system identifiers contained in the
245 comment "Engine/Hardware Support"
247 config OPENSSL_ENGINE
248 bool "Enable engine support"
250 This enables alternative cryptography implementations,
251 most commonly for interfacing with external crypto devices,
252 or supporting new/alternative ciphers and digests.
253 Note that you need to enable KERNEL_AIO to be able to build the
254 afalg engine package.
256 config OPENSSL_ENGINE_BUILTIN
257 bool "Build chosen engines into libcrypto"
258 depends on OPENSSL_ENGINE
260 This builds all chosen engines into libcrypto.so, instead of building
261 them as dynamic engines in separate packages.
262 The benefit of building the engines into libcrypto is that they won't
263 require any configuration to be used by default.
265 config OPENSSL_ENGINE_BUILTIN_AFALG
267 prompt "Acceleration support through AF_ALG sockets engine"
268 depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO && !LINUX_3_18
269 select PACKAGE_libopenssl-conf
271 This enables use of hardware acceleration through the
272 AF_ALG kernel interface.
274 config OPENSSL_ENGINE_CRYPTO
275 # This symbol is deprecated. Currently it is used by the openssh package.
276 # Once openwrt/packages#8272 is merged, this can be safely removed.
278 default OPENSSL_ENGINE_BUILTIN_DEVCRYPTO || PACKAGE_libopenssl-devcrypto
280 config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
282 prompt "Acceleration support through /dev/crypto"
283 depends on OPENSSL_ENGINE_BUILTIN
284 select PACKAGE_libopenssl-conf
286 This enables use of hardware acceleration through OpenBSD
287 Cryptodev API (/dev/crypto) interface.
288 Even though configuration is not strictly needed, it is worth seeing
289 https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
290 for information on how to configure the engine.
292 config OPENSSL_ENGINE_BUILTIN_PADLOCK
294 prompt "VIA Padlock Acceleration support engine"
295 depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
296 select PACKAGE_libopenssl-conf
298 This enables use of hardware acceleration through the
301 config OPENSSL_WITH_ASYNC
303 prompt "Enable asynchronous jobs support"
304 depends on OPENSSL_ENGINE && USE_GLIBC
306 Enables async-aware applications to be able to use OpenSSL to
307 initiate crypto operations asynchronously. In order to work
308 this will require the presence of an async capable engine.
310 config OPENSSL_WITH_GOST
312 prompt "Prepare library for GOST engine"
313 depends on OPENSSL_ENGINE
315 This option prepares the library to accept engine support
316 for Russian GOST crypto algorithms.
317 The gost engine is not included in standard openwrt feeds.
318 To build such engine yourself, see:
319 https://github.com/gost-engine/engine