3 comment "Build Options"
5 config OPENSSL_OPTIMIZE_SPEED
7 default y if x86_64 || i386
8 prompt "Enable optimization for speed instead of size"
9 select OPENSSL_WITH_ASM
11 Enabling this option increases code size and performance.
12 The increase in performance and size depends on the
13 target CPU. EC and AES seem to benefit the most.
15 config OPENSSL_SMALL_FOOTPRINT
17 depends on !OPENSSL_OPTIMIZE_SPEED
18 default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
19 prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
21 This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
22 1-3% of the ipk size. The performance drop depends on
23 architecture and algorithm. MIPS drops 13% of performance for
24 a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
25 size, ghash and GCM performance decreases 90%, while
26 Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
27 for 3% of performance. Other arches have not been tested.
29 config OPENSSL_WITH_ASM
32 prompt "Compile with optimized assembly code"
35 Disabling this option will reduce code size and performance.
36 The increase in performance and size depends on the target
37 CPU and on the algorithms being optimized.
39 config OPENSSL_WITH_SSE2
41 default y if !TARGET_x86_legacy && !TARGET_x86_geode
42 prompt "Enable use of x86 SSE2 instructions"
43 depends on OPENSSL_WITH_ASM && i386
45 Use of SSE2 instructions greatly increases performance with a
46 minimal increase in package size, but brings no benefit on
47 hardware that does not support them, such as the AMD Geode GX and LX.
48 AMD Geode NX, and Intel Pentium 4 and later, support SSE2.
50 config OPENSSL_WITH_DEPRECATED
53 prompt "Include deprecated APIs"
55 Disabling this option drops all deprecated APIs, including engine support.
57 config OPENSSL_NO_DEPRECATED
59 default !OPENSSL_WITH_DEPRECATED
61 config OPENSSL_WITH_ERROR_MESSAGES
63 default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
64 prompt "Include error messages"
66 This option aids debugging, but increases package size and
69 comment "Protocol Support"
71 config OPENSSL_WITH_TLS13
74 prompt "Enable support for TLS 1.3"
76 TLS 1.3 is the newest version of the TLS specification.
78 * to increase the overall security of the protocol,
79 removing outdated algorithms, and encrypting more of the
81 * to increase performance by reducing the number of round-trips
82 when performing a full handshake.
84 config OPENSSL_WITH_DTLS
86 prompt "Enable DTLS support"
88 Datagram Transport Layer Security (DTLS) provides TLS-like security
89 for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
91 config OPENSSL_WITH_NPN
93 prompt "Enable NPN support"
95 NPN is a TLS extension, obsoleted and replaced by ALPN, that was
96 used to negotiate SPDY and HTTP/2.
98 config OPENSSL_WITH_SRP
101 prompt "Enable SRP support"
103 The Secure Remote Password protocol (SRP) is an augmented
104 password-authenticated key agreement (PAKE) protocol, specifically
105 designed to work around existing patents.
107 config OPENSSL_WITH_CMS
110 prompt "Enable CMS (RFC 5652) support"
112 Cryptographic Message Syntax (CMS) is used to digitally sign,
113 digest, authenticate, or encrypt arbitrary message content.
115 comment "Algorithm Selection"
117 config OPENSSL_WITH_EC2M
119 prompt "Enable ec2m support"
121 This option enables the more efficient, yet less common, binary
122 field elliptic curves.
124 config OPENSSL_WITH_CHACHA_POLY1305
127 prompt "Enable ChaCha20-Poly1305 ciphersuite support"
129 ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
130 combining the ChaCha20 stream cipher with the Poly1305 MAC.
131 It is about 3x faster than AES on CPUs without AES-specific
132 instructions, which is the case for most embedded devices.
134 config OPENSSL_PREFER_CHACHA_OVER_GCM
136 default y if !x86_64 && !aarch64
137 prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
138 depends on OPENSSL_WITH_CHACHA_POLY1305
140 The default openssl preference is for AES-GCM before ChaCha, but
141 that assumes AES-NI capable chips. Most embedded chips lack AES
142 instructions, so it may be better to invert that preference.
143 This only changes the default order; the application can always
144 override it.
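The decision this option encodes at build time per architecture can also be made at run time. The following is an added example, not code from OpenWrt's Config.in or from OpenSSL: it looks for an AES instruction flag in /proc/cpuinfo (x86 lists it under "flags", ARM under "Features"; MIPS has no such line), picks a TLS 1.2 cipher list that puts ChaCha20-Poly1305 or AES-GCM first accordingly, and applies it to a Python ssl.SSLContext. The cpuinfo excerpts are constructed, not captured from hardware, and the "aes" flag heuristic is an assumption of this example.

```python
"""Prefer ChaCha20-Poly1305 over AES-GCM when the CPU has no AES instructions.

Added example, not part of OpenWrt or OpenSSL. Sample /proc/cpuinfo text below is
constructed; the 'aes' flag heuristic is this example's own assumption.
"""
import ssl

# Constructed /proc/cpuinfo excerpts (not captured from real hardware).
CPUINFO_X86_AESNI = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme sse sse2 ssse3 aes avx2
"""
CPUINFO_MIPS = """\
system type\t\t: MediaTek MT7621 ver:1 eco:3
cpu model\t\t: MIPS 1004Kc V2.15
ASEs implemented\t: mips16 dsp mt
"""
CPUINFO_ARM64_AES = """\
processor\t: 0
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
"""

# TLS 1.2 cipher list strings; only ECDHE AEAD suites, order encodes preference.
CHACHA_FIRST = "ECDHE+CHACHA20:ECDHE+AESGCM"
AESGCM_FIRST = "ECDHE+AESGCM:ECDHE+CHACHA20"


def has_aes_instructions(cpuinfo_text):
    """True if the CPU advertises AES instructions in /proc/cpuinfo.

    x86 reports 'aes' in the 'flags' line, ARM in the 'Features' line.
    Token matching (not substring) avoids false positives on e.g. 'vaes'.
    Architectures without such a line (e.g. MIPS) yield False.
    """
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ("flags", "features"):
            if "aes" in value.split():
                return True
    return False


def cipher_list_for(cpuinfo_text):
    """Pick the TLS 1.2 preference order for this CPU."""
    return AESGCM_FIRST if has_aes_instructions(cpuinfo_text) else CHACHA_FIRST


def tls12_order(cpuinfo_text):
    """Apply the preference to a context and return the TLS 1.2 suites
    in the order OpenSSL will offer them (TLS 1.3 suites are filtered out,
    since Python's ssl module cannot reorder those)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list_for(cpuinfo_text))
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def local_tls12_order(path="/proc/cpuinfo"):
    """Same decision for the running host; returns None where no cpuinfo exists."""
    try:
        with open(path) as f:
            return tls12_order(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    for label, text in (("x86 AES-NI", CPUINFO_X86_AESNI), ("MIPS", CPUINFO_MIPS)):
        print(label, "->", tls12_order(text)[:2])
```

Python's ssl module only exposes the TLS 1.2 cipher list; the TLS 1.3 suite order that this Kconfig option also flips has to be set from C with SSL_CTX_set_ciphersuites(), e.g. "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256".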
146 config OPENSSL_WITH_PSK
149 prompt "Enable PSK support"
151 Build support for Pre-Shared Key based cipher suites.
153 comment "Less commonly used build options"
155 config OPENSSL_WITH_ARIA
157 prompt "Enable ARIA support"
159 ARIA is a block cipher developed in South Korea, whose design is closely modelled on AES.
161 config OPENSSL_WITH_CAMELLIA
163 prompt "Enable Camellia cipher support"
165 Camellia is a block cipher with security levels and processing
166 abilities comparable to AES.
168 config OPENSSL_WITH_IDEA
170 prompt "Enable IDEA cipher support"
172 IDEA is a block cipher with 128-bit keys.
174 config OPENSSL_WITH_SEED
176 prompt "Enable SEED cipher support"
178 SEED is a block cipher with 128-bit keys broadly used in
179 South Korea, but seldom found elsewhere.
181 config OPENSSL_WITH_SM234
183 prompt "Enable SM2/3/4 algorithms support"
185 These algorithms are a set of "Commercial Cryptography"
186 algorithms approved for use in China.
187 * SM2 is an elliptic-curve algorithm comparable to ECDSA P-256
188 * SM3 is a hash function comparable to SHA-256
189 * SM4 is a 128-bit block cipher comparable to AES-128
191 config OPENSSL_WITH_BLAKE2
193 prompt "Enable BLAKE2 digest support"
195 BLAKE2 is a cryptographic hash function based on the ChaCha
198 config OPENSSL_WITH_MDC2
200 prompt "Enable MDC2 digest support"
202 config OPENSSL_WITH_WHIRLPOOL
204 prompt "Enable Whirlpool digest support"
206 config OPENSSL_WITH_COMPRESSION
208 prompt "Enable compression support"
210 TLS compression is not recommended, as it is insecure: compressing
211 before encryption leaks plaintext information, which the CRIME attack exploits.
212 Even with this option turned on, it is disabled by default, and the
213 application must explicitly turn it on.
215 config OPENSSL_WITH_RFC3779
217 prompt "Enable RFC3779 support (BGP)"
219 RFC 3779 defines two X.509 v3 certificate extensions. The first
220 binds a list of IP address blocks, or prefixes, to the subject of a
221 certificate. The second binds a list of autonomous system
222 identifiers to the subject of a certificate. These extensions may be
223 used to convey the authorization of the subject to use the IP
224 addresses and autonomous system identifiers contained in the
227 comment "Engine/Hardware Support"
229 config OPENSSL_ENGINE
230 bool "Enable engine support"
231 select OPENSSL_WITH_DEPRECATED
234 This enables alternative cryptography implementations,
235 most commonly for interfacing with external crypto devices,
236 or supporting new/alternative ciphers and digests.
237 If you compile the library with this option disabled, packages built
238 against an engine-enabled library (e.g. from the official repo) may
239 fail to run, because the ENGINE symbols they reference are missing.
240 Rebuild and install those packages with engine support disabled.
241 Note that you need to enable KERNEL_AIO to be able to build the
242 afalg engine package.
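A quick way to check the run-time side of the caveat above (a package linked against an engine-enabled libcrypto failing on a no-engine build) is to ask the installed libcrypto whether it exports the ENGINE API at all. The following is an added example, not OpenWrt's or OpenSSL's own code: it resolves a few well-known ENGINE symbols with ctypes. The symbol names are real libcrypto exports (OpenSSL 1.1.x and 3.x with engine support); the library path is whatever ctypes finds on the host, and resolving against the already loaded process image (libc) is used only as a self-check.

```python
"""Check whether the host libcrypto exports the ENGINE API.

Added example, not part of OpenWrt or OpenSSL. ENGINE_SYMBOLS are real
exports of an engine-enabled libcrypto; they are absent from a no-engine build.
"""
import ctypes
import ctypes.util

# Exported by libcrypto when built with engine support (OpenSSL 1.1.x / 3.x).
ENGINE_SYMBOLS = ("ENGINE_by_id", "ENGINE_load_builtin_engines", "ENGINE_init")


def resolve_symbols(library, names):
    """Map each name to True/False depending on whether `library` exports it.

    `library` is a path or soname for ctypes.CDLL, or None for the process
    image itself (libc and whatever else is already loaded), which is a
    convenient self-check because e.g. strlen is always resolvable there.
    ctypes raises AttributeError for an unknown symbol, so hasattr() is
    exactly the dlsym() success/failure we want.
    """
    lib = ctypes.CDLL(library)
    return {name: hasattr(lib, name) for name in names}


def libcrypto_engine_support(library=None):
    """Return (library, has_engine_api) for the host libcrypto.

    has_engine_api is True only if every ENGINE symbol resolves. If no
    libcrypto can be located, returns (None, None) rather than guessing.
    """
    if library is None:
        library = ctypes.util.find_library("crypto")
    if library is None:
        return None, None
    try:
        found = resolve_symbols(library, ENGINE_SYMBOLS)
    except OSError:  # found a name but dlopen() refused it
        return library, None
    return library, all(found.values())


if __name__ == "__main__":
    lib, ok = libcrypto_engine_support()
    if lib is None:
        print("no libcrypto found")
    else:
        print(f"{lib}: ENGINE API {'present' if ok else 'absent'}")
```

On an OpenWrt box without Python, the same answer comes from `nm -D /usr/lib/libcrypto.so.* | grep ENGINE_by_id` when binutils is available, or from the linker error printed when the dependent program starts.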
244 config OPENSSL_ENGINE_BUILTIN
245 bool "Build chosen engines into libcrypto"
246 depends on OPENSSL_ENGINE
248 This builds all chosen engines into libcrypto.so, instead of building
249 them as dynamic engines in separate packages.
250 The benefit of building the engines into libcrypto is that they won't
251 require any configuration to be used by default.
253 config OPENSSL_ENGINE_BUILTIN_AFALG
255 prompt "Acceleration support through AF_ALG sockets engine"
256 depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
257 select PACKAGE_libopenssl-conf
259 This enables use of hardware acceleration through the
260 AF_ALG kernel interface.
262 config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
264 prompt "Acceleration support through /dev/crypto"
265 depends on OPENSSL_ENGINE_BUILTIN
266 select PACKAGE_libopenssl-conf
268 This enables use of hardware acceleration through OpenBSD
269 Cryptodev API (/dev/crypto) interface.
270 Even though configuration is not strictly needed, it is worth seeing
271 https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
272 for information on how to configure the engine.
274 config OPENSSL_ENGINE_BUILTIN_PADLOCK
276 prompt "VIA Padlock Acceleration support engine"
277 depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
278 select PACKAGE_libopenssl-conf
280 This enables use of hardware acceleration through the
283 config OPENSSL_WITH_ASYNC
285 prompt "Enable asynchronous jobs support"
286 depends on OPENSSL_ENGINE && USE_GLIBC
288 Lets async-aware applications use OpenSSL to initiate crypto
289 operations asynchronously. For this to do anything, an
290 async-capable engine must be present.