311 lines
9.5 KiB
Plaintext
311 lines
9.5 KiB
Plaintext
if PACKAGE_libopenssl
|
|
|
|
comment "Build Options"
|
|
|
|
config OPENSSL_OPTIMIZE_SPEED
|
|
bool
|
|
default y if x86_64 || i386
|
|
prompt "Enable optimization for speed instead of size"
|
|
select OPENSSL_WITH_ASM
|
|
help
|
|
Enabling this option increases code size and performance.
|
|
The increase in performance and size depends on the
|
|
target CPU. EC and AES seem to benefit the most.
|
|
|
|
config OPENSSL_SMALL_FOOTPRINT
|
|
bool
|
|
depends on !OPENSSL_OPTIMIZE_SPEED
|
|
default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
|
|
prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
|
|
help
|
|
This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
|
|
1-3% of of the ipk size. The performance drop depends on
|
|
architecture and algorithm. MIPS drops 13% of performance for
|
|
a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
|
|
size, ghash and GCM performance decreases 90%, while
|
|
Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
|
|
for 3% of performance. Other arches have not been tested.
|
|
|
|
config OPENSSL_WITH_ASM
|
|
bool
|
|
default y
|
|
prompt "Compile with optimized assembly code"
|
|
depends on !arc
|
|
help
|
|
Disabling this option will reduce code size and performance.
|
|
The increase in performance and size depends on the target
|
|
CPU and on the algorithms being optimized.
|
|
|
|
config OPENSSL_WITH_SSE2
|
|
bool
|
|
default y if !TARGET_x86_legacy && !TARGET_x86_geode
|
|
prompt "Enable use of x86 SSE2 instructions"
|
|
depends on OPENSSL_WITH_ASM && i386
|
|
help
|
|
Use of SSE2 instructions greatly increase performance with a
|
|
minimum increase in package size, but it will bring no benefit
|
|
if your hardware does not support them, such as Geode GX and LX.
|
|
AMD Geode NX, and Intel Pentium 4 and above support SSE2.
|
|
|
|
config OPENSSL_WITH_DEPRECATED
|
|
bool
|
|
default y
|
|
prompt "Include deprecated APIs"
|
|
help
|
|
This drops all deprecated API, including engine support.
|
|
|
|
config OPENSSL_NO_DEPRECATED
|
|
bool
|
|
default !OPENSSL_WITH_DEPRECATED
|
|
|
|
config OPENSSL_WITH_ERROR_MESSAGES
|
|
bool
|
|
default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
|
|
prompt "Include error messages"
|
|
help
|
|
This option aids debugging, but increases package size and
|
|
memory usage.
|
|
|
|
comment "Protocol Support"
|
|
|
|
config OPENSSL_WITH_TLS13
|
|
bool
|
|
default y
|
|
prompt "Enable support for TLS 1.3"
|
|
help
|
|
TLS 1.3 is the newest version of the TLS specification.
|
|
It aims:
|
|
* to increase the overall security of the protocol,
|
|
removing outdated algorithms, and encrypting more of the
|
|
protocol;
|
|
* to increase performance by reducing the number of round-trips
|
|
when performing a full handshake.
|
|
|
|
config OPENSSL_WITH_DTLS
|
|
bool
|
|
prompt "Enable DTLS support"
|
|
help
|
|
Datagram Transport Layer Security (DTLS) provides TLS-like security
|
|
for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
|
|
|
|
config OPENSSL_WITH_NPN
|
|
bool
|
|
prompt "Enable NPN support"
|
|
help
|
|
NPN is a TLS extension, obsoleted and replaced with ALPN,
|
|
used to negotiate SPDY, and HTTP/2.
|
|
|
|
config OPENSSL_WITH_SRP
|
|
bool
|
|
default y
|
|
prompt "Enable SRP support"
|
|
help
|
|
The Secure Remote Password protocol (SRP) is an augmented
|
|
password-authenticated key agreement (PAKE) protocol, specifically
|
|
designed to work around existing patents.
|
|
|
|
config OPENSSL_WITH_CMS
|
|
bool
|
|
default y
|
|
prompt "Enable CMS (RFC 5652) support"
|
|
help
|
|
Cryptographic Message Syntax (CMS) is used to digitally sign,
|
|
digest, authenticate, or encrypt arbitrary message content.
|
|
|
|
comment "Algorithm Selection"
|
|
|
|
config OPENSSL_WITH_EC2M
|
|
bool
|
|
prompt "Enable ec2m support"
|
|
help
|
|
This option enables the more efficient, yet less common, binary
|
|
field elliptic curves.
|
|
|
|
config OPENSSL_WITH_CHACHA_POLY1305
|
|
bool
|
|
default y
|
|
prompt "Enable ChaCha20-Poly1305 ciphersuite support"
|
|
help
|
|
ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
|
|
combining ChaCha stream cipher with Poly1305 MAC.
|
|
It is 3x faster than AES, when not using a CPU with AES-specific
|
|
instructions, as is the case of most embedded devices.
|
|
|
|
config OPENSSL_PREFER_CHACHA_OVER_GCM
|
|
bool
|
|
default y if !x86_64 && !aarch64
|
|
prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
|
|
depends on OPENSSL_WITH_CHACHA_POLY1305
|
|
help
|
|
The default openssl preference is for AES-GCM before ChaCha, but
|
|
that takes into account AES-NI capable chips. It is not the
|
|
case with most embedded chips, so it may be better to invert
|
|
that preference. This is just for the default case. The
|
|
application can always override this.
|
|
|
|
config OPENSSL_WITH_PSK
|
|
bool
|
|
default y
|
|
prompt "Enable PSK support"
|
|
help
|
|
Build support for Pre-Shared Key based cipher suites.
|
|
|
|
comment "Less commonly used build options"
|
|
|
|
config OPENSSL_WITH_ARIA
|
|
bool
|
|
prompt "Enable ARIA support"
|
|
help
|
|
ARIA is a block cipher developed in South Korea, based on AES.
|
|
|
|
config OPENSSL_WITH_CAMELLIA
|
|
bool
|
|
prompt "Enable Camellia cipher support"
|
|
help
|
|
Camellia is a bock cipher with security levels and processing
|
|
abilities comparable to AES.
|
|
|
|
config OPENSSL_WITH_IDEA
|
|
bool
|
|
default y if !SMALL_FLASH
|
|
prompt "Enable IDEA cipher support (needs legacy provider)"
|
|
help
|
|
IDEA is a block cipher with 128-bit keys.
|
|
To use the cipher, one must install the libopenssl-legacy
|
|
package, using a main libopenssl package compiled with this
|
|
option enabled as well.
|
|
|
|
config OPENSSL_WITH_SEED
|
|
bool
|
|
default y if !SMALL_FLASH
|
|
prompt "Enable SEED cipher support (needs legacy provider)"
|
|
help
|
|
SEED is a block cipher with 128-bit keys broadly used in
|
|
South Korea, but seldom found elsewhere.
|
|
To use the cipher, one must install the libopenssl-legacy
|
|
package, using a main libopenssl package compiled with this
|
|
option enabled as well.
|
|
|
|
config OPENSSL_WITH_SM234
|
|
bool
|
|
prompt "Enable SM2/3/4 algorithms support"
|
|
help
|
|
These algorithms are a set of "Commercial Cryptography"
|
|
algorithms approved for use in China.
|
|
* SM2 is an EC algorithm equivalent to ECDSA P-256
|
|
* SM3 is a hash function equivalent to SHA-256
|
|
* SM4 is a 128-block cipher equivalent to AES-128
|
|
|
|
config OPENSSL_WITH_BLAKE2
|
|
bool
|
|
prompt "Enable BLAKE2 digest support"
|
|
help
|
|
BLAKE2 is a cryptographic hash function based on the ChaCha
|
|
stream cipher.
|
|
|
|
config OPENSSL_WITH_MDC2
|
|
bool
|
|
default y if !SMALL_FLASH
|
|
prompt "Enable MDC2 digest support (needs legacy provider)"
|
|
help
|
|
To use the digest, one must install the libopenssl-legacy
|
|
package, using a main libopenssl package compiled with this
|
|
option enabled as well.
|
|
|
|
config OPENSSL_WITH_WHIRLPOOL
|
|
bool
|
|
default y if !SMALL_FLASH
|
|
prompt "Enable Whirlpool digest support (needs legacy provider)"
|
|
help
|
|
To use the digest, one must install the libopenssl-legacy
|
|
package, using a main libopenssl package compiled with this
|
|
option enabled as well.
|
|
|
|
config OPENSSL_WITH_COMPRESSION
|
|
bool
|
|
prompt "Enable compression support"
|
|
help
|
|
TLS compression is not recommended, as it is deemed insecure.
|
|
The CRIME attack exploits this weakness.
|
|
Even with this option turned on, it is disabled by default, and the
|
|
application must explicitly turn it on.
|
|
|
|
config OPENSSL_WITH_RFC3779
|
|
bool
|
|
prompt "Enable RFC3779 support (BGP)"
|
|
help
|
|
RFC 3779 defines two X.509 v3 certificate extensions. The first
|
|
binds a list of IP address blocks, or prefixes, to the subject of a
|
|
certificate. The second binds a list of autonomous system
|
|
identifiers to the subject of a certificate. These extensions may be
|
|
used to convey the authorization of the subject to use the IP
|
|
addresses and autonomous system identifiers contained in the
|
|
extensions.
|
|
|
|
comment "Engine/Hardware Support"
|
|
|
|
config OPENSSL_ENGINE
|
|
bool "Enable engine support"
|
|
select OPENSSL_WITH_DEPRECATED
|
|
default y
|
|
help
|
|
This enables alternative cryptography implementations,
|
|
most commonly for interfacing with external crypto devices,
|
|
or supporting new/alternative ciphers and digests.
|
|
If you compile the library with this option disabled, packages built
|
|
using an engine-enabled library (i.e. from the official repo) may
|
|
fail to run. Compile and install the packages with engine support
|
|
disabled, and you should be fine.
|
|
Note that you need to enable KERNEL_AIO to be able to build the
|
|
afalg engine package.
|
|
|
|
config OPENSSL_ENGINE_BUILTIN
|
|
bool "Build chosen engines into libcrypto"
|
|
depends on OPENSSL_ENGINE
|
|
help
|
|
This builds all chosen engines into libcrypto.so, instead of building
|
|
them as dynamic engines in separate packages.
|
|
The benefit of building the engines into libcrypto is that they won't
|
|
require any configuration to be used by default.
|
|
|
|
config OPENSSL_ENGINE_BUILTIN_AFALG
|
|
bool
|
|
prompt "Acceleration support through AF_ALG sockets engine"
|
|
depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
|
|
select PACKAGE_libopenssl-conf
|
|
help
|
|
This enables use of hardware acceleration through the
|
|
AF_ALG kernel interface.
|
|
|
|
config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
|
|
bool
|
|
prompt "Acceleration support through /dev/crypto"
|
|
depends on OPENSSL_ENGINE_BUILTIN
|
|
select PACKAGE_libopenssl-conf
|
|
help
|
|
This enables use of hardware acceleration through OpenBSD
|
|
Cryptodev API (/dev/crypto) interface.
|
|
Even though configuration is not strictly needed, it is worth seeing
|
|
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
|
|
for information on how to configure the engine.
|
|
|
|
config OPENSSL_ENGINE_BUILTIN_PADLOCK
|
|
bool
|
|
prompt "VIA Padlock Acceleration support engine"
|
|
depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
|
|
select PACKAGE_libopenssl-conf
|
|
help
|
|
This enables use of hardware acceleration through the
|
|
VIA Padlock module.
|
|
|
|
config OPENSSL_WITH_ASYNC
|
|
bool
|
|
prompt "Enable asynchronous jobs support"
|
|
depends on OPENSSL_ENGINE && USE_GLIBC
|
|
help
|
|
Enables async-aware applications to be able to use OpenSSL to
|
|
initiate crypto operations asynchronously. In order to work
|
|
this will require the presence of an async capable engine.
|
|
|
|
endif
|