3 comment "Build Options"
5 config OPENSSL_OPTIMIZE_SPEED
7 default y if x86_64 || i386
8 prompt "Enable optimization for speed instead of size"
9 select OPENSSL_WITH_ASM
11 Enabling this option increases code size and performance.
12 The increase in performance and size depends on the
13 target CPU. EC and AES seem to benefit the most.
15 config OPENSSL_SMALL_FOOTPRINT
17 depends on !OPENSSL_OPTIMIZE_SPEED
18 default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
19 prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
21 This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
22 1-3% of of the ipk size. The performance drop depends on
23 architecture and algorithm. MIPS drops 13% of performance for
24 a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
25 size, ghash and GCM performance decreases 90%, while
26 Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
27 for 3% of performance. Other arches have not been tested.
29 config OPENSSL_WITH_ASM
32 prompt "Compile with optimized assembly code"
35 Disabling this option will reduce code size and performance.
36 The increase in performance and size depends on the target
37 CPU and on the algorithms being optimized.
39 config OPENSSL_WITH_SSE2
41 default y if !TARGET_x86_legacy && !TARGET_x86_geode
42 prompt "Enable use of x86 SSE2 instructions"
43 depends on OPENSSL_WITH_ASM && i386
45 Use of SSE2 instructions greatly increase performance with a
46 minimum increase in package size, but it will bring no benefit
47 if your hardware does not support them, such as Geode GX and LX.
48 AMD Geode NX, and Intel Pentium 4 and above support SSE2.
50 config OPENSSL_WITH_DEPRECATED
53 prompt "Include deprecated APIs"
55 This drops all deprecated API, including engine support.
57 config OPENSSL_NO_DEPRECATED
59 default !OPENSSL_WITH_DEPRECATED
61 config OPENSSL_WITH_ERROR_MESSAGES
63 default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
64 prompt "Include error messages"
66 This option aids debugging, but increases package size and
69 comment "Protocol Support"
71 config OPENSSL_WITH_TLS13
74 prompt "Enable support for TLS 1.3"
76 TLS 1.3 is the newest version of the TLS specification.
78 * to increase the overall security of the protocol,
79 removing outdated algorithms, and encrypting more of the
81 * to increase performance by reducing the number of round-trips
82 when performing a full handshake.
84 config OPENSSL_WITH_DTLS
86 prompt "Enable DTLS support"
88 Datagram Transport Layer Security (DTLS) provides TLS-like security
89 for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
91 config OPENSSL_WITH_NPN
93 prompt "Enable NPN support"
95 NPN is a TLS extension, obsoleted and replaced with ALPN,
96 used to negotiate SPDY, and HTTP/2.
98 config OPENSSL_WITH_SRP
101 prompt "Enable SRP support"
103 The Secure Remote Password protocol (SRP) is an augmented
104 password-authenticated key agreement (PAKE) protocol, specifically
105 designed to work around existing patents.
107 config OPENSSL_WITH_CMS
110 prompt "Enable CMS (RFC 5652) support"
112 Cryptographic Message Syntax (CMS) is used to digitally sign,
113 digest, authenticate, or encrypt arbitrary message content.
115 comment "Algorithm Selection"
117 config OPENSSL_WITH_EC2M
119 prompt "Enable ec2m support"
121 This option enables the more efficient, yet less common, binary
122 field elliptic curves.
124 config OPENSSL_WITH_CHACHA_POLY1305
127 prompt "Enable ChaCha20-Poly1305 ciphersuite support"
129 ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
130 combining ChaCha stream cipher with Poly1305 MAC.
131 It is 3x faster than AES, when not using a CPU with AES-specific
132 instructions, as is the case of most embedded devices.
134 config OPENSSL_PREFER_CHACHA_OVER_GCM
136 default y if !x86_64 && !aarch64
137 prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
138 depends on OPENSSL_WITH_CHACHA_POLY1305
140 The default openssl preference is for AES-GCM before ChaCha, but
141 that takes into account AES-NI capable chips. It is not the
142 case with most embedded chips, so it may be better to invert
143 that preference. This is just for the default case. The
144 application can always override this.
146 config OPENSSL_WITH_PSK
149 prompt "Enable PSK support"
151 Build support for Pre-Shared Key based cipher suites.
153 comment "Less commonly used build options"
155 config OPENSSL_WITH_ARIA
157 prompt "Enable ARIA support"
159 ARIA is a block cipher developed in South Korea, based on AES.
161 config OPENSSL_WITH_CAMELLIA
163 prompt "Enable Camellia cipher support"
165 Camellia is a bock cipher with security levels and processing
166 abilities comparable to AES.
168 config OPENSSL_WITH_IDEA
170 default y if !SMALL_FLASH
171 prompt "Enable IDEA cipher support (needs legacy provider)"
173 IDEA is a block cipher with 128-bit keys.
174 To use the cipher, one must install the libopenssl-legacy
175 package, using a main libopenssl package compiled with this
176 option enabled as well.
178 config OPENSSL_WITH_SEED
180 default y if !SMALL_FLASH
181 prompt "Enable SEED cipher support (needs legacy provider)"
183 SEED is a block cipher with 128-bit keys broadly used in
184 South Korea, but seldom found elsewhere.
185 To use the cipher, one must install the libopenssl-legacy
186 package, using a main libopenssl package compiled with this
187 option enabled as well.
189 config OPENSSL_WITH_SM234
191 prompt "Enable SM2/3/4 algorithms support"
193 These algorithms are a set of "Commercial Cryptography"
194 algorithms approved for use in China.
195 * SM2 is an EC algorithm equivalent to ECDSA P-256
196 * SM3 is a hash function equivalent to SHA-256
197 * SM4 is a 128-block cipher equivalent to AES-128
199 config OPENSSL_WITH_BLAKE2
201 prompt "Enable BLAKE2 digest support"
203 BLAKE2 is a cryptographic hash function based on the ChaCha
206 config OPENSSL_WITH_MDC2
208 default y if !SMALL_FLASH
209 prompt "Enable MDC2 digest support (needs legacy provider)"
211 To use the digest, one must install the libopenssl-legacy
212 package, using a main libopenssl package compiled with this
213 option enabled as well.
215 config OPENSSL_WITH_WHIRLPOOL
217 default y if !SMALL_FLASH
218 prompt "Enable Whirlpool digest support (needs legacy provider)"
220 To use the digest, one must install the libopenssl-legacy
221 package, using a main libopenssl package compiled with this
222 option enabled as well.
224 config OPENSSL_WITH_COMPRESSION
226 prompt "Enable compression support"
228 TLS compression is not recommended, as it is deemed insecure.
229 The CRIME attack exploits this weakness.
230 Even with this option turned on, it is disabled by default, and the
231 application must explicitly turn it on.
233 config OPENSSL_WITH_RFC3779
235 prompt "Enable RFC3779 support (BGP)"
237 RFC 3779 defines two X.509 v3 certificate extensions. The first
238 binds a list of IP address blocks, or prefixes, to the subject of a
239 certificate. The second binds a list of autonomous system
240 identifiers to the subject of a certificate. These extensions may be
241 used to convey the authorization of the subject to use the IP
242 addresses and autonomous system identifiers contained in the
245 comment "Engine/Hardware Support"
247 config OPENSSL_ENGINE
248 bool "Enable engine support"
249 select OPENSSL_WITH_DEPRECATED
252 This enables alternative cryptography implementations,
253 most commonly for interfacing with external crypto devices,
254 or supporting new/alternative ciphers and digests.
255 If you compile the library with this option disabled, packages built
256 using an engine-enabled library (i.e. from the official repo) may
257 fail to run. Compile and install the packages with engine support
258 disabled, and you should be fine.
259 Note that you need to enable KERNEL_AIO to be able to build the
260 afalg engine package.
262 config OPENSSL_ENGINE_BUILTIN
263 bool "Build chosen engines into libcrypto"
264 depends on OPENSSL_ENGINE
266 This builds all chosen engines into libcrypto.so, instead of building
267 them as dynamic engines in separate packages.
268 The benefit of building the engines into libcrypto is that they won't
269 require any configuration to be used by default.
271 config OPENSSL_ENGINE_BUILTIN_AFALG
273 prompt "Acceleration support through AF_ALG sockets engine"
274 depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
275 select PACKAGE_libopenssl-conf
277 This enables use of hardware acceleration through the
278 AF_ALG kernel interface.
280 config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
282 prompt "Acceleration support through /dev/crypto"
283 depends on OPENSSL_ENGINE_BUILTIN
284 select PACKAGE_libopenssl-conf
286 This enables use of hardware acceleration through OpenBSD
287 Cryptodev API (/dev/crypto) interface.
288 Even though configuration is not strictly needed, it is worth seeing
289 https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
290 for information on how to configure the engine.
292 config OPENSSL_ENGINE_BUILTIN_PADLOCK
294 prompt "VIA Padlock Acceleration support engine"
295 depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
296 select PACKAGE_libopenssl-conf
298 This enables use of hardware acceleration through the
301 config OPENSSL_WITH_ASYNC
303 prompt "Enable asynchronous jobs support"
304 depends on OPENSSL_ENGINE && USE_GLIBC
306 Enables async-aware applications to be able to use OpenSSL to
307 initiate crypto operations asynchronously. In order to work
308 this will require the presence of an async capable engine.