3 comment "Build Options"
5 config OPENSSL_OPTIMIZE_SPEED
7 default y if x86_64 || i386
8 prompt "Enable optimization for speed instead of size"
9 select OPENSSL_WITH_ASM
11 Enabling this option increases code size (around 20%) and
12 performance. The increase in performance and size depends on the
13 target CPU. EC and AES seem to benefit the most, with EC speed
14 increased by 20%-50% (mipsel & x86).
15 AES-GCM is supposed to be 3x faster on x86. YMMV.
17 config OPENSSL_WITH_ASM
19 default y if !SMALL_FLASH || !arm
20 prompt "Compile with optimized assembly code"
23 Disabling this option will reduce code size and performance.
24 The increase in performance and size depends on the target
25 CPU and on the algorithms being optimized. As of 1.1.0i*:
27 Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
28 aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
29 arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
30 i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
31 mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
32 mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
33 powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
34 x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
36 * Only most common algorithms shown. Your mileage may vary.
37 BN (bignum) performance was measured using RSA sign/verify.
39 config OPENSSL_WITH_SSE2
41 default y if !TARGET_x86_legacy && !TARGET_x86_geode
42 prompt "Enable use of x86 SSE2 instructions"
43 depends on OPENSSL_WITH_ASM && i386
45 Use of SSE2 instructions greatly increase performance (up to
46 3x faster) with a minimum (~0.2%, or 23KB) increase in package
47 size, but it will bring no benefit if your hardware does not
48 support them, such as Geode GX and LX. In this case you may
49 save 23KB by saying yes here. AMD Geode NX, and Intel
50 Pentium 4 and above support SSE2.
52 config OPENSSL_WITH_DEPRECATED
55 prompt "Include deprecated APIs (See help for a list of packages that need this)"
57 Since openssl 1.1.x is still new to openwrt, some packages
58 requiring this option do not list it as a requirement yet:
59 * freeswitch-stable, freeswitch, python, python3, squid.
61 config OPENSSL_NO_DEPRECATED
63 default !OPENSSL_WITH_DEPRECATED
65 config OPENSSL_WITH_ERROR_MESSAGES
67 default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
68 prompt "Include error messages"
70 This option aids debugging, but increases package size and
73 comment "Protocol Support"
75 config OPENSSL_WITH_TLS13
78 prompt "Enable support for TLS 1.3"
80 TLS 1.3 is the newest version of the TLS specification.
82 * to increase the overall security of the protocol,
83 removing outdated algorithms, and encrypting more of the
85 * to increase performance by reducing the number of round-trips
86 when performing a full handshake.
87 It increases package size by ~4KB.
89 config OPENSSL_WITH_DTLS
91 prompt "Enable DTLS support"
93 Datagram Transport Layer Security (DTLS) provides TLS-like security
94 for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
96 config OPENSSL_WITH_NPN
98 prompt "Enable NPN support"
100 NPN is a TLS extension, obsoleted and replaced with ALPN,
101 used to negotiate SPDY, and HTTP/2.
103 config OPENSSL_WITH_SRP
106 prompt "Enable SRP support"
108 The Secure Remote Password protocol (SRP) is an augmented
109 password-authenticated key agreement (PAKE) protocol, specifically
110 designed to work around existing patents.
112 config OPENSSL_WITH_CMS
115 prompt "Enable CMS (RFC 5652) support"
117 Cryptographic Message Syntax (CMS) is used to digitally sign,
118 digest, authenticate, or encrypt arbitrary message content.
120 comment "Algorithm Selection"
122 config OPENSSL_WITH_EC2M
124 prompt "Enable ec2m support"
126 This option enables the more efficient, yet less common, binary
127 field elliptic curves.
129 config OPENSSL_WITH_CHACHA_POLY1305
132 prompt "Enable ChaCha20-Poly1305 ciphersuite support"
134 ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
135 combining ChaCha stream cipher with Poly1305 MAC.
136 It is 3x faster than AES, when not using a CPU with AES-specific
137 instructions, as is the case of most embedded devices.
139 config OPENSSL_PREFER_CHACHA_OVER_GCM
141 default y if !x86_64 && !aarch64
142 prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
143 depends on OPENSSL_WITH_CHACHA_POLY1305
145 The default openssl preference is for AES-GCM before ChaCha, but
146 that takes into account AES-NI capable chips. It is not the
147 case with most embedded chips, so it may be better to invert
148 that preference. This is just for the default case. The
149 application can always override this.
151 config OPENSSL_WITH_PSK
154 prompt "Enable PSK support"
156 Build support for Pre-Shared Key based cipher suites.
158 comment "Less commonly used build options"
160 config OPENSSL_WITH_ARIA
162 prompt "Enable ARIA support"
164 ARIA is a block cipher developed in South Korea, based on AES.
166 config OPENSSL_WITH_CAMELLIA
168 prompt "Enable Camellia cipher support"
170 Camellia is a bock cipher with security levels and processing
171 abilities comparable to AES.
173 config OPENSSL_WITH_IDEA
175 prompt "Enable IDEA cipher support"
177 IDEA is a block cipher with 128-bit keys.
179 config OPENSSL_WITH_SEED
181 prompt "Enable SEED cipher support"
183 SEED is a block cipher with 128-bit keys broadly used in
184 South Korea, but seldom found elsewhere.
186 config OPENSSL_WITH_SM234
188 prompt "Enable SM2/3/4 algorithms support"
190 These algorithms are a set of "Commercial Cryptography"
191 algorithms approved for use in China.
192 * SM2 is an EC algorithm equivalent to ECDSA P-256
193 * SM3 is a hash function equivalent to SHA-256
194 * SM4 is a 128-block cipher equivalent to AES-128
196 config OPENSSL_WITH_BLAKE2
198 prompt "Enable BLAKE2 digest support"
200 BLAKE2 is a cryptographic hash function based on the ChaCha
203 config OPENSSL_WITH_MDC2
205 prompt "Enable MDC2 digest support"
207 config OPENSSL_WITH_WHIRLPOOL
209 prompt "Enable Whirlpool digest support"
211 config OPENSSL_WITH_COMPRESSION
213 prompt "Enable compression support"
215 TLS compression is not recommended, as it is deemed insecure.
216 The CRIME attack exploits this weakness.
217 Even with this option turned on, it is disabled by default, and the
218 application must explicitly turn it on.
220 config OPENSSL_WITH_RFC3779
222 prompt "Enable RFC3779 support (BGP)"
224 RFC 3779 defines two X.509 v3 certificate extensions. The first
225 binds a list of IP address blocks, or prefixes, to the subject of a
226 certificate. The second binds a list of autonomous system
227 identifiers to the subject of a certificate. These extensions may be
228 used to convey the authorization of the subject to use the IP
229 addresses and autonomous system identifiers contained in the
232 comment "Engine/Hardware Support"
234 config OPENSSL_ENGINE
235 bool "Enable engine support"
238 This enables alternative cryptography implementations,
239 most commonly for interfacing with external crypto devices,
240 or supporting new/alternative ciphers and digests.
241 If you compile the library with this option disabled, packages built
242 using an engine-enabled library (i.e. from the official repo) may
243 fail to run. Compile and install the packages with engine support
244 disabled, and you should be fine.
245 Note that you need to enable KERNEL_AIO to be able to build the
246 afalg engine package.
248 config OPENSSL_ENGINE_BUILTIN
249 bool "Build chosen engines into libcrypto"
250 depends on OPENSSL_ENGINE
252 This builds all chosen engines into libcrypto.so, instead of building
253 them as dynamic engines in separate packages.
254 The benefit of building the engines into libcrypto is that they won't
255 require any configuration to be used by default.
257 config OPENSSL_ENGINE_BUILTIN_AFALG
259 prompt "Acceleration support through AF_ALG sockets engine"
260 depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
261 select PACKAGE_libopenssl-conf
263 This enables use of hardware acceleration through the
264 AF_ALG kernel interface.
266 config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
268 prompt "Acceleration support through /dev/crypto"
269 depends on OPENSSL_ENGINE_BUILTIN
270 select PACKAGE_libopenssl-conf
272 This enables use of hardware acceleration through OpenBSD
273 Cryptodev API (/dev/crypto) interface.
274 Even though configuration is not strictly needed, it is worth seeing
275 https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
276 for information on how to configure the engine.
278 config OPENSSL_ENGINE_BUILTIN_PADLOCK
280 prompt "VIA Padlock Acceleration support engine"
281 depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
282 select PACKAGE_libopenssl-conf
284 This enables use of hardware acceleration through the
287 config OPENSSL_WITH_ASYNC
289 prompt "Enable asynchronous jobs support"
290 depends on OPENSSL_ENGINE && USE_GLIBC
292 Enables async-aware applications to be able to use OpenSSL to
293 initiate crypto operations asynchronously. In order to work
294 this will require the presence of an async capable engine.
296 config OPENSSL_WITH_GOST
298 prompt "Prepare library for GOST engine"
299 depends on OPENSSL_ENGINE
301 This option prepares the library to accept engine support
302 for Russian GOST crypto algorithms.
303 The gost engine is not included in standard openwrt feeds.
304 To build such engine yourself, see:
305 https://github.com/gost-engine/engine