X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fopenwrt.git;a=blobdiff_plain;f=package%2Flibs%2Fopenssl%2FConfig.in;h=49f136e84521ea2ed906c42b441b0edf19b0dd5e;hp=53b91ddb942a77f8ad5d39d69cfd7295b1533690;hb=450d44a8ead2217f8acf541a4eaa4ad560b3e5ac;hpb=d872d00b2f7e31b98e11e83922d1aaefc270647e diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index 53b91ddb94..49f136e845 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -4,6 +4,7 @@ comment "Build Options" config OPENSSL_OPTIMIZE_SPEED bool + default y if x86_64 || i386 prompt "Enable optimization for speed instead of size" select OPENSSL_WITH_ASM help @@ -15,7 +16,7 @@ config OPENSSL_OPTIMIZE_SPEED config OPENSSL_WITH_ASM bool - default y + default y if !SMALL_FLASH || !arm prompt "Compile with optimized assembly code" depends on !arc help @@ -63,6 +64,7 @@ config OPENSSL_NO_DEPRECATED config OPENSSL_WITH_ERROR_MESSAGES bool + default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT prompt "Include error messages" help This option aids debugging, but increases package size and @@ -94,7 +96,6 @@ config OPENSSL_WITH_DTLS config OPENSSL_WITH_NPN bool - default y prompt "Enable NPN support" help NPN is a TLS extension, obsoleted and replaced with ALPN, @@ -147,6 +148,18 @@ config OPENSSL_WITH_CHACHA_POLY1305 It is 3x faster than AES, when not using a CPU with AES-specific instructions, as is the case of most embedded devices. +config OPENSSL_PREFER_CHACHA_OVER_GCM + bool + default y if !x86_64 && !aarch64 + prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default" + depends on OPENSSL_WITH_CHACHA_POLY1305 + help + The default openssl preference is for AES-GCM before ChaCha, but + that takes into account AES-NI capable chips. It is not the + case with most embedded chips, so it may be better to invert + that preference. This is just for the default case. The + application can always override this. + config OPENSSL_WITH_PSK bool default y 
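Review bot: The new default on `OPENSSL_WITH_ASM` switches assembly off for small-flash arm targets, but the option's help text (which continues outside this hunk) is not updated to say what that costs beyond speed. To my knowledge OpenSSL's portable C AES is table-based unless the library is built with its constant-time option, so this choice may affect timing behaviour as well as throughput; that should be confirmed against the OpenSSL version packaged here. I would add a help line such as `Disabling this saves space, but the generic C code is slower and may not be constant-time.` The condition would also read more directly as `default y if !(SMALL_FLASH && arm)`.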
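Review bot: In `OPENSSL_PREFER_CHACHA_OVER_GCM`, `default y if !x86_64 && !aarch64` uses the architecture as a stand-in for "has AES instructions". That does not hold for every aarch64 SoC, because the ARMv8 crypto extensions are optional, so such targets would keep AES-GCM first while computing it in software. The help text should say so, for example `aarch64 targets without the crypto extensions should enable this manually.` It would also help to state that only the ordering of the library's default cipher list changes; how the preference is applied lives in the package Makefile or patches, which this hunk does not show.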
@@ -232,22 +245,56 @@ comment "Engine/Hardware Support" config OPENSSL_ENGINE bool "Enable engine support" + default y help This enables alternative cryptography implementations, most commonly for interfacing with external crypto devices, or supporting new/alternative ciphers and digests. + If you compile the library with this option disabled, packages built + using an engine-enabled library (i.e. from the official repo) may + fail to run. Compile and install the packages with engine support + disabled, and you should be fine. + Note that you need to enable KERNEL_AIO to be able to build the + afalg engine package. + +config OPENSSL_ENGINE_BUILTIN + bool "Build chosen engines into libcrypto" + depends on OPENSSL_ENGINE + help + This builds all chosen engines into libcrypto.so, instead of building + them as dynamic engines in separate packages. + The benefit of building the engines into libcrypto is that they won't + require any configuration to be used by default. -config OPENSSL_ENGINE_CRYPTO +config OPENSSL_ENGINE_BUILTIN_AFALG + bool + prompt "Acceleration support through AF_ALG sockets engine" + depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO && !LINUX_3_18 + select PACKAGE_libopenssl-conf + help + This enables use of hardware acceleration through the + AF_ALG kernel interface. + +config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO bool - select OPENSSL_ENGINE - select PACKAGE_kmod-cryptodev prompt "Acceleration support through /dev/crypto" + depends on OPENSSL_ENGINE_BUILTIN + select PACKAGE_libopenssl-conf help This enables use of hardware acceleration through OpenBSD Cryptodev API (/dev/crypto) interface. - You must install kmod-cryptodev (under Kernel modules, Cryptographic - API modules) for /dev/crypto to show up and use hardware - acceleration; otherwise it falls back to software. 
+ Even though configuration is not strictly needed, it is worth seeing + https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators + for information on how to configure the engine. + +config OPENSSL_ENGINE_BUILTIN_PADLOCK + bool + prompt "VIA Padlock Acceleration support engine" + depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86 + select PACKAGE_libopenssl-conf + help + This enables use of hardware acceleration through the + VIA Padlock module. config OPENSSL_WITH_ASYNC bool @@ -270,4 +317,3 @@ config OPENSSL_WITH_GOST https://github.com/gost-engine/engine endif -
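Review bot: `OPENSSL_ENGINE_BUILTIN_DEVCRYPTO` no longer selects `PACKAGE_kmod-cryptodev`, and the help paragraph telling the user to install it was dropped too, so an image can enable the engine with no /dev/crypto present and silently run in software. Unless the package Makefile (not visible here) now carries that dependency, I would keep a hint in the help, e.g. `Requires kmod-cryptodev for /dev/crypto to exist; without it the engine falls back to software.` Because built-in engines are used by every libcrypto consumer without any configuration, the `OPENSSL_ENGINE_BUILTIN` help should also say how an engine can be disabled at runtime, or point to the documentation link already given for devcrypto. The rename from `OPENSSL_ENGINE_CRYPTO` additionally means existing .config files lose that setting without a warning.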