if PACKAGE_libopenssl comment "Build Options" config OPENSSL_OPTIMIZE_SPEED bool default y if x86_64 || i386 prompt "Enable optimization for speed instead of size" select OPENSSL_WITH_ASM help Enabling this option increases code size (around 20%) and performance. The increase in performance and size depends on the target CPU. EC and AES seem to benefit the most, with EC speed increased by 20%-50% (mipsel & x86). AES-GCM is supposed to be 3x faster on x86. YMMV. config OPENSSL_WITH_ASM bool default y if !SMALL_FLASH || !arm prompt "Compile with optimized assembly code" depends on !arc help Disabling this option will reduce code size and performance. The increase in performance and size depends on the target CPU and on the algorithms being optimized. As of 1.1.0i*: Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305 arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305 i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292% mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60% mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305 powerpc 20K BN, aes, sha1, sha256, sha512, poly1305 x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228% * Only most common algorithms shown. Your mileage may vary. BN (bignum) performance was measured using RSA sign/verify. config OPENSSL_WITH_SSE2 bool default y if !TARGET_x86_legacy && !TARGET_x86_geode prompt "Enable use of x86 SSE2 instructions" depends on OPENSSL_WITH_ASM && i386 help Use of SSE2 instructions greatly increase performance (up to 3x faster) with a minimum (~0.2%, or 23KB) increase in package size, but it will bring no benefit if your hardware does not support them, such as Geode GX and LX. In this case you may save 23KB by saying yes here. AMD Geode NX, and Intel Pentium 4 and above support SSE2. config OPENSSL_WITH_DEPRECATED bool default y prompt "Include deprecated APIs (See help for a list of packages that need this)" help Since openssl 1.1.x is still new to openwrt, some packages requiring this option do not list it as a requirement yet: * freeswitch-stable, freeswitch, python, python3, squid. config OPENSSL_NO_DEPRECATED bool default !OPENSSL_WITH_DEPRECATED config OPENSSL_WITH_ERROR_MESSAGES bool default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT prompt "Include error messages" help This option aids debugging, but increases package size and memory usage. comment "Protocol Support" config OPENSSL_WITH_TLS13 bool default y prompt "Enable support for TLS 1.3" select OPENSSL_WITH_EC help TLS 1.3 is the newest version of the TLS specification. It aims: * to increase the overall security of the protocol, removing outdated algorithms, and encrypting more of the protocol; * to increase performance by reducing the number of round-trips when performing a full handshake. It increases package size by ~4KB. config OPENSSL_WITH_DTLS bool prompt "Enable DTLS support" help Datagram Transport Layer Security (DTLS) provides TLS-like security for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications. config OPENSSL_WITH_NPN bool default y prompt "Enable NPN support" help NPN is a TLS extension, obsoleted and replaced with ALPN, used to negotiate SPDY, and HTTP/2. config OPENSSL_WITH_SRP bool default y prompt "Enable SRP support" help The Secure Remote Password protocol (SRP) is an augmented password-authenticated key agreement (PAKE) protocol, specifically designed to work around existing patents. config OPENSSL_WITH_CMS bool default y prompt "Enable CMS (RFC 5652) support" help Cryptographic Message Syntax (CMS) is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. comment "Algorithm Selection" config OPENSSL_WITH_EC bool default y prompt "Enable elliptic curve support" help Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys compared to non-ECC cryptography to provide equivalent security. config OPENSSL_WITH_EC2M bool depends on OPENSSL_WITH_EC prompt "Enable ec2m support" help This option enables the more efficient, yet less common, binary field elliptic curves. config OPENSSL_WITH_CHACHA_POLY1305 bool default y prompt "Enable ChaCha20-Poly1305 ciphersuite support" help ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys, combining ChaCha stream cipher with Poly1305 MAC. It is 3x faster than AES, when not using a CPU with AES-specific instructions, as is the case of most embedded devices. config OPENSSL_PREFER_CHACHA_OVER_GCM bool default y if !x86_64 && !aarch64 prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default" depends on OPENSSL_WITH_CHACHA_POLY1305 help The default openssl preference is for AES-GCM before ChaCha, but that takes into account AES-NI capable chips. It is not the case with most embedded chips, so it may be better to invert that preference. This is just for the default case. The application can always override this. config OPENSSL_WITH_PSK bool default y prompt "Enable PSK support" help Build support for Pre-Shared Key based cipher suites. comment "Less commonly used build options" config OPENSSL_WITH_ARIA bool prompt "Enable ARIA support" help ARIA is a block cipher developed in South Korea, based on AES. config OPENSSL_WITH_CAMELLIA bool prompt "Enable Camellia cipher support" help Camellia is a bock cipher with security levels and processing abilities comparable to AES. config OPENSSL_WITH_IDEA bool prompt "Enable IDEA cipher support" help IDEA is a block cipher with 128-bit keys. config OPENSSL_WITH_SEED bool prompt "Enable SEED cipher support" help SEED is a block cipher with 128-bit keys broadly used in South Korea, but seldom found elsewhere. config OPENSSL_WITH_SM234 bool prompt "Enable SM2/3/4 algorithms support" help These algorithms are a set of "Commercial Cryptography" algorithms approved for use in China. * SM2 is an EC algorithm equivalent to ECDSA P-256 * SM3 is a hash function equivalent to SHA-256 * SM4 is a 128-block cipher equivalent to AES-128 config OPENSSL_WITH_BLAKE2 bool prompt "Enable BLAKE2 digest support" help BLAKE2 is a cryptographic hash function based on the ChaCha stream cipher. config OPENSSL_WITH_MDC2 bool prompt "Enable MDC2 digest support" config OPENSSL_WITH_WHIRLPOOL bool prompt "Enable Whirlpool digest support" config OPENSSL_WITH_COMPRESSION bool prompt "Enable compression support" help TLS compression is not recommended, as it is deemed insecure. The CRIME attack exploits this weakness. Even with this option turned on, it is disabled by default, and the application must explicitly turn it on. config OPENSSL_WITH_RFC3779 bool prompt "Enable RFC3779 support (BGP)" help RFC 3779 defines two X.509 v3 certificate extensions. The first binds a list of IP address blocks, or prefixes, to the subject of a certificate. The second binds a list of autonomous system identifiers to the subject of a certificate. These extensions may be used to convey the authorization of the subject to use the IP addresses and autonomous system identifiers contained in the extensions. comment "Engine/Hardware Support" config OPENSSL_ENGINE bool "Enable engine support" help This enables alternative cryptography implementations, most commonly for interfacing with external crypto devices, or supporting new/alternative ciphers and digests. config OPENSSL_ENGINE_CRYPTO bool select OPENSSL_ENGINE select PACKAGE_kmod-cryptodev prompt "Acceleration support through /dev/crypto" help This enables use of hardware acceleration through OpenBSD Cryptodev API (/dev/crypto) interface. You must install kmod-cryptodev (under Kernel modules, Cryptographic API modules) for /dev/crypto to show up and use hardware acceleration; otherwise it falls back to software. config OPENSSL_WITH_ASYNC bool prompt "Enable asynchronous jobs support" depends on OPENSSL_ENGINE && USE_GLIBC help Enables async-aware applications to be able to use OpenSSL to initiate crypto operations asynchronously. In order to work this will require the presence of an async capable engine. config OPENSSL_WITH_GOST bool prompt "Prepare library for GOST engine" depends on OPENSSL_ENGINE help This option prepares the library to accept engine support for Russian GOST crypto algorithms. The gost engine is not included in standard openwrt feeds. To build such engine yourself, see: https://github.com/gost-engine/engine endif