1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
|
if PACKAGE_libopenssl
comment "Build Options"
config OPENSSL_OPTIMIZE_SPEED
bool
default y if x86_64 || i386
prompt "Enable optimization for speed instead of size"
select OPENSSL_WITH_ASM
help
Enabling this option increases code size and performance.
The increase in performance and size depends on the
target CPU. EC and AES seem to benefit the most.
config OPENSSL_SMALL_FOOTPRINT
bool
depends on !OPENSSL_OPTIMIZE_SPEED
default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
help
This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
1-3% of of the ipk size. The performance drop depends on
architecture and algorithm. MIPS drops 13% of performance for
a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
size, ghash and GCM performance decreases 90%, while
Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
for 3% of performance. Other arches have not been tested.
config OPENSSL_WITH_ASM
bool
default y
prompt "Compile with optimized assembly code"
depends on !arc
help
Disabling this option will reduce code size and performance.
The increase in performance and size depends on the target
CPU and on the algorithms being optimized.
config OPENSSL_WITH_SSE2
bool
default y if !TARGET_x86_legacy && !TARGET_x86_geode
prompt "Enable use of x86 SSE2 instructions"
depends on OPENSSL_WITH_ASM && i386
help
Use of SSE2 instructions greatly increase performance with a
minimum increase in package size, but it will bring no benefit
if your hardware does not support them, such as Geode GX and LX.
AMD Geode NX, and Intel Pentium 4 and above support SSE2.
config OPENSSL_WITH_DEPRECATED
bool
default y
prompt "Include deprecated APIs"
help
This drops all deprecated API, including engine support.
config OPENSSL_NO_DEPRECATED
bool
default !OPENSSL_WITH_DEPRECATED
config OPENSSL_WITH_ERROR_MESSAGES
bool
default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
prompt "Include error messages"
help
This option aids debugging, but increases package size and
memory usage.
comment "Protocol Support"
config OPENSSL_WITH_TLS13
bool
default y
prompt "Enable support for TLS 1.3"
help
TLS 1.3 is the newest version of the TLS specification.
It aims:
* to increase the overall security of the protocol,
removing outdated algorithms, and encrypting more of the
protocol;
* to increase performance by reducing the number of round-trips
when performing a full handshake.
config OPENSSL_WITH_DTLS
bool
prompt "Enable DTLS support"
help
Datagram Transport Layer Security (DTLS) provides TLS-like security
for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
config OPENSSL_WITH_NPN
bool
prompt "Enable NPN support"
help
NPN is a TLS extension, obsoleted and replaced with ALPN,
used to negotiate SPDY, and HTTP/2.
config OPENSSL_WITH_SRP
bool
default y
prompt "Enable SRP support"
help
The Secure Remote Password protocol (SRP) is an augmented
password-authenticated key agreement (PAKE) protocol, specifically
designed to work around existing patents.
config OPENSSL_WITH_CMS
bool
default y
prompt "Enable CMS (RFC 5652) support"
help
Cryptographic Message Syntax (CMS) is used to digitally sign,
digest, authenticate, or encrypt arbitrary message content.
comment "Algorithm Selection"
config OPENSSL_WITH_EC2M
bool
prompt "Enable ec2m support"
help
This option enables the more efficient, yet less common, binary
field elliptic curves.
config OPENSSL_WITH_CHACHA_POLY1305
bool
default y
prompt "Enable ChaCha20-Poly1305 ciphersuite support"
help
ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
combining ChaCha stream cipher with Poly1305 MAC.
It is 3x faster than AES, when not using a CPU with AES-specific
instructions, as is the case of most embedded devices.
config OPENSSL_PREFER_CHACHA_OVER_GCM
bool
default y if !x86_64 && !aarch64
prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
depends on OPENSSL_WITH_CHACHA_POLY1305
help
The default openssl preference is for AES-GCM before ChaCha, but
that takes into account AES-NI capable chips. It is not the
case with most embedded chips, so it may be better to invert
that preference. This is just for the default case. The
application can always override this.
config OPENSSL_WITH_PSK
bool
default y
prompt "Enable PSK support"
help
Build support for Pre-Shared Key based cipher suites.
comment "Less commonly used build options"
config OPENSSL_WITH_ARIA
bool
prompt "Enable ARIA support"
help
ARIA is a block cipher developed in South Korea, based on AES.
config OPENSSL_WITH_CAMELLIA
bool
prompt "Enable Camellia cipher support"
help
Camellia is a bock cipher with security levels and processing
abilities comparable to AES.
config OPENSSL_WITH_IDEA
bool
default y if !SMALL_FLASH
prompt "Enable IDEA cipher support (needs legacy provider)"
help
IDEA is a block cipher with 128-bit keys.
To use the cipher, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_SEED
bool
default y if !SMALL_FLASH
prompt "Enable SEED cipher support (needs legacy provider)"
help
SEED is a block cipher with 128-bit keys broadly used in
South Korea, but seldom found elsewhere.
To use the cipher, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_SM234
bool
prompt "Enable SM2/3/4 algorithms support"
help
These algorithms are a set of "Commercial Cryptography"
algorithms approved for use in China.
* SM2 is an EC algorithm equivalent to ECDSA P-256
* SM3 is a hash function equivalent to SHA-256
* SM4 is a 128-block cipher equivalent to AES-128
config OPENSSL_WITH_BLAKE2
bool
prompt "Enable BLAKE2 digest support"
help
BLAKE2 is a cryptographic hash function based on the ChaCha
stream cipher.
config OPENSSL_WITH_MDC2
bool
default y if !SMALL_FLASH
prompt "Enable MDC2 digest support (needs legacy provider)"
help
To use the digest, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_WHIRLPOOL
bool
default y if !SMALL_FLASH
prompt "Enable Whirlpool digest support (needs legacy provider)"
help
To use the digest, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_COMPRESSION
bool
prompt "Enable compression support"
help
TLS compression is not recommended, as it is deemed insecure.
The CRIME attack exploits this weakness.
Even with this option turned on, it is disabled by default, and the
application must explicitly turn it on.
config OPENSSL_WITH_RFC3779
bool
prompt "Enable RFC3779 support (BGP)"
help
RFC 3779 defines two X.509 v3 certificate extensions. The first
binds a list of IP address blocks, or prefixes, to the subject of a
certificate. The second binds a list of autonomous system
identifiers to the subject of a certificate. These extensions may be
used to convey the authorization of the subject to use the IP
addresses and autonomous system identifiers contained in the
extensions.
comment "Engine/Hardware Support"
config OPENSSL_ENGINE
bool "Enable engine support"
select OPENSSL_WITH_DEPRECATED
default y
help
This enables alternative cryptography implementations,
most commonly for interfacing with external crypto devices,
or supporting new/alternative ciphers and digests.
If you compile the library with this option disabled, packages built
using an engine-enabled library (i.e. from the official repo) may
fail to run. Compile and install the packages with engine support
disabled, and you should be fine.
Note that you need to enable KERNEL_AIO to be able to build the
afalg engine package.
config OPENSSL_ENGINE_BUILTIN
bool "Build chosen engines into libcrypto"
depends on OPENSSL_ENGINE
help
This builds all chosen engines into libcrypto.so, instead of building
them as dynamic engines in separate packages.
The benefit of building the engines into libcrypto is that they won't
require any configuration to be used by default.
config OPENSSL_ENGINE_BUILTIN_AFALG
bool
prompt "Acceleration support through AF_ALG sockets engine"
depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
select PACKAGE_libopenssl-conf
help
This enables use of hardware acceleration through the
AF_ALG kernel interface.
config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
bool
prompt "Acceleration support through /dev/crypto"
depends on OPENSSL_ENGINE_BUILTIN
select PACKAGE_libopenssl-conf
help
This enables use of hardware acceleration through OpenBSD
Cryptodev API (/dev/crypto) interface.
Even though configuration is not strictly needed, it is worth seeing
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
for information on how to configure the engine.
config OPENSSL_ENGINE_BUILTIN_PADLOCK
bool
prompt "VIA Padlock Acceleration support engine"
depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
select PACKAGE_libopenssl-conf
help
This enables use of hardware acceleration through the
VIA Padlock module.
config OPENSSL_WITH_ASYNC
bool
prompt "Enable asynchronous jobs support"
depends on OPENSSL_ENGINE && USE_GLIBC
help
Enables async-aware applications to be able to use OpenSSL to
initiate crypto operations asynchronously. In order to work
this will require the presence of an async capable engine.
endif
|