comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
	bool
	prompt "Enable optimization for speed instead of size"
	select OPENSSL_WITH_ASM
	help
	  Enabling this option increases code size (around 20%) and
	  performance. The increase in performance and size depends on the
	  target CPU. EC and AES seem to benefit the most, with EC speed
	  increased by 20%-50% (mipsel & x86).
	  AES-GCM is supposed to be 3x faster on x86. YMMV.

config OPENSSL_WITH_ASM
	bool
	prompt "Compile with optimized assembly code"
	help
	  Disabling this option will reduce code size and performance.
	  The increase in performance and size depends on the target
	  CPU and on the algorithms being optimized. As of 1.1.0i*:

	  Platform  Pkg Inc.  Algorithms where assembly is used - ~% Speed Increase
	  aarch64   174K      BN, aes, sha1, sha256, sha512, nist256, poly1305
	  arm       152K      BN, aes, sha1, sha256, sha512, nist256, poly1305
	  i386      183K      BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
	  mipsel    1.5K      BN+97%, aes+4%, sha1+94%, sha256+60%
	  mips64    3.7K      BN, aes, sha1, sha256, sha512, poly1305
	  powerpc   20K       BN, aes, sha1, sha256, sha512, poly1305
	  x86_64    228K      BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%

	  * Only most common algorithms shown. Your mileage may vary.
	    BN (bignum) performance was measured using RSA sign/verify.

config OPENSSL_WITH_SSE2
	bool
	default y if !TARGET_x86_legacy && !TARGET_x86_geode
	prompt "Enable use of x86 SSE2 instructions"
	depends on OPENSSL_WITH_ASM && i386
	help
	  Use of SSE2 instructions greatly increases performance (up to
	  3x faster) with a minimum (~0.2%, or 23KB) increase in package
	  size, but it will bring no benefit if your hardware does not
	  support them, such as Geode GX and LX. In this case you may
	  save 23KB by saying yes here. AMD Geode NX, and Intel
	  Pentium 4 and above support SSE2.

config OPENSSL_WITH_DEPRECATED
	bool
	prompt "Include deprecated APIs (See help for a list of packages that need this)"
	help
	  Squid currently requires this.

config OPENSSL_NO_DEPRECATED
	bool
	default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_ERROR_MESSAGES
	bool
	prompt "Include error messages"
	help
	  This option aids debugging, but increases package size and

comment "Protocol Support"

config OPENSSL_WITH_DTLS
	bool
	prompt "Enable DTLS support"
	help
	  Datagram Transport Layer Security (DTLS) provides TLS-like security
	  for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
	bool
	prompt "Enable NPN support"
	help
	  NPN is a TLS extension, obsoleted and replaced with ALPN,
	  used to negotiate SPDY, and HTTP/2.

config OPENSSL_WITH_SRP
	bool
	prompt "Enable SRP support"
	help
	  The Secure Remote Password protocol (SRP) is an augmented
	  password-authenticated key agreement (PAKE) protocol, specifically
	  designed to work around existing patents.

config OPENSSL_WITH_CMS
	bool
	prompt "Enable CMS (RFC 5652) support"
	help
	  Cryptographic Message Syntax (CMS) is used to digitally sign,
	  digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC
	bool
	prompt "Enable elliptic curve support"
	help
	  Elliptic-curve cryptography (ECC) is an approach to public-key
	  cryptography based on the algebraic structure of elliptic curves
	  over finite fields. ECC requires smaller keys compared to non-ECC
	  cryptography to provide equivalent security.

config OPENSSL_WITH_EC2M
	bool
	depends on OPENSSL_WITH_EC
	prompt "Enable ec2m support"
	help
	  This option enables the more efficient, yet less common, binary
	  field elliptic curves.

config OPENSSL_WITH_PSK
	bool
	prompt "Enable PSK support"
	help
	  Build support for Pre-Shared Key based cipher suites.

comment "Less commonly used build options"

config OPENSSL_WITH_CAMELLIA
	bool
	prompt "Enable Camellia cipher support"
	help
	  Camellia is a block cipher with security levels and processing
	  abilities comparable to AES.

config OPENSSL_WITH_IDEA
	bool
	prompt "Enable IDEA cipher support"
	help
	  IDEA is a block cipher with 128-bit keys.

config OPENSSL_WITH_SEED
	bool
	prompt "Enable SEED cipher support"
	help
	  SEED is a block cipher with 128-bit keys broadly used in
	  South Korea, but seldom found elsewhere.

config OPENSSL_WITH_MDC2
	bool
	prompt "Enable MDC2 digest support"

config OPENSSL_WITH_WHIRLPOOL
	bool
	prompt "Enable Whirlpool digest support"

config OPENSSL_WITH_COMPRESSION
	bool
	prompt "Enable compression support"
	help
	  TLS compression is not recommended, as it is deemed insecure.
	  The CRIME attack exploits this weakness.
	  Even with this option turned on, it is disabled by default, and the
	  application must explicitly turn it on.

config OPENSSL_WITH_RFC3779
	bool
	prompt "Enable RFC3779 support (BGP)"
	help
	  RFC 3779 defines two X.509 v3 certificate extensions. The first
	  binds a list of IP address blocks, or prefixes, to the subject of a
	  certificate. The second binds a list of autonomous system
	  identifiers to the subject of a certificate. These extensions may be
	  used to convey the authorization of the subject to use the IP
	  addresses and autonomous system identifiers contained in the

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
	bool "Enable engine support"
	help
	  This enables alternative cryptography implementations,
	  most commonly for interfacing with external crypto devices,
	  or supporting new/alternative ciphers and digests.

config OPENSSL_ENGINE_CRYPTO
	bool
	select OPENSSL_ENGINE
	select PACKAGE_kmod-cryptodev
	prompt "Acceleration support through /dev/crypto"
	help
	  This enables use of hardware acceleration through OpenBSD
	  Cryptodev API (/dev/crypto) interface.
	  You must install kmod-cryptodev (under Kernel modules, Cryptographic
	  API modules) for /dev/crypto to show up and use hardware
	  acceleration; otherwise it falls back to software.

config OPENSSL_ENGINE_DIGEST
	bool
	depends on OPENSSL_ENGINE_CRYPTO
	prompt "/dev/crypto digest (md5/sha1) acceleration support"

config OPENSSL_WITH_GOST
	bool
	prompt "Prepare library for GOST engine"
	depends on OPENSSL_ENGINE
	help
	  This option prepares the library to accept engine support
	  for Russian GOST crypto algorithms.
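
A check that follows from the help text above, as an added example that is not part of this package's build files: a shell function that audits a build .config for the options this file itself flags (compression, NPN, deprecated APIs) and for violated "depends on" relations. It assumes enabled symbols appear in .config as CONFIG_<SYMBOL>=y; the function names and the sample config are constructed for illustration.

```shell
# Added example: audit a build .config against the help text of this file.
# Assumption: enabled symbols appear in .config as "CONFIG_<SYMBOL>=y".

is_enabled() {	# is_enabled <symbol> <config-file>
	grep -q "^CONFIG_$1=y\$" "$2"
}

# Prints one line per finding; the exit status is the number of findings.
audit_openssl_config() {
	cfg=$1
	findings=0
	# Options the help text itself flags, as symbol|reason.
	while IFS='|' read -r sym reason; do
		if is_enabled "$sym" "$cfg"; then
			echo "WARN $sym: $reason"
			findings=$((findings + 1))
		fi
	done <<'EOF'
OPENSSL_WITH_COMPRESSION|TLS compression is deemed insecure (CRIME)
OPENSSL_WITH_NPN|NPN is obsoleted and replaced with ALPN
OPENSSL_WITH_DEPRECATED|deprecated APIs are compiled in
EOF
	# "depends on" relations from this file, as symbol|required symbol.
	while IFS='|' read -r sym dep; do
		if is_enabled "$sym" "$cfg" && ! is_enabled "$dep" "$cfg"; then
			echo "ERR $sym: requires $dep"
			findings=$((findings + 1))
		fi
	done <<'EOF'
OPENSSL_WITH_EC2M|OPENSSL_WITH_EC
OPENSSL_WITH_SSE2|OPENSSL_WITH_ASM
OPENSSL_ENGINE_DIGEST|OPENSSL_ENGINE_CRYPTO
OPENSSL_WITH_GOST|OPENSSL_ENGINE
EOF
	return "$findings"
}

write_sample_config() {	# constructed sample, not a real build
	cat >"$1" <<'EOF'
CONFIG_OPENSSL_WITH_EC=y
# CONFIG_OPENSSL_WITH_NPN is not set
CONFIG_OPENSSL_WITH_COMPRESSION=y
CONFIG_OPENSSL_WITH_GOST=y
# CONFIG_OPENSSL_ENGINE is not set
EOF
}
tmp=$(mktemp) && write_sample_config "$tmp" && { audit_openssl_config "$tmp" || echo "findings: $?"; }; rm -f "$tmp"
```

On the sample, the audit reports the enabled compression option and the GOST option whose required engine support is switched off.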