OpenWrt – Diff between revs 2 and 3

Subversion Repositories:

?pathlinks?

Rev 2 – Details – Blame – Last modification – View Log

 if PACKAGE_libopenssl
-comment "Build Options"
-config OPENSSL_OPTIMIZE_SPEED
-	bool
-	default y if x86_64 || i386
-	prompt "Enable optimization for speed instead of size"
-	select OPENSSL_WITH_ASM
-	help
-		Enabling this option increases code size (around 20%) and
-		performance.  The increase in performance and size depends on the
-		target CPU. EC and AES seem to benefit the most, with EC speed
-		increased by 20%-50% (mipsel & x86).
-		AES-GCM is supposed to be 3x faster on x86. YMMV.
-config OPENSSL_WITH_ASM
-	bool
-	default y if !SMALL_FLASH || !arm
-	prompt "Compile with optimized assembly code"
-	depends on !arc
-	help
-		Disabling this option will reduce code size and performance.
-		The increase in performance and size depends on the target
-		CPU and on the algorithms being optimized.  As of 1.1.0i*:
-		Platform  Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
-		aarch64   174K     BN, aes, sha1, sha256, sha512, nist256, poly1305
-		arm       152K     BN, aes, sha1, sha256, sha512, nist256, poly1305
-		i386      183K     BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
-		mipsel      1.5K   BN+97%, aes+4%, sha1+94%, sha256+60%
-		mips64	    3.7K   BN, aes, sha1, sha256, sha512, poly1305
-		powerpc    20K     BN, aes, sha1, sha256, sha512, poly1305
-		x86_64    228K     BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
-		* Only most common algorithms shown. Your mileage may vary.
-		  BN (bignum) performance was measured using RSA sign/verify.
-config OPENSSL_WITH_SSE2
-	bool
-	default y if !TARGET_x86_legacy && !TARGET_x86_geode
-	prompt "Enable use of x86 SSE2 instructions"
-	depends on OPENSSL_WITH_ASM && i386
-	help
-		Use of SSE2 instructions greatly increase performance (up to
-x faster) with a minimum (~0.2%, or 23KB) increase in package
-		size, but it will bring no benefit if your hardware does not
-		support them, such as Geode GX and LX.  In this case you may
-		save 23KB by saying yes here.  AMD Geode NX, and Intel
-		Pentium 4 and above support SSE2.
-config OPENSSL_WITH_DEPRECATED
+config OPENSSL_WITH_EC
 	bool
-	default y
-	prompt "Include deprecated APIs (See help for a list of packages that need this)"
-	help
-		Since openssl 1.1.x is still new to openwrt, some packages
-		requiring this option do not list it as a requirement yet:
+	default y
-		 * freeswitch-stable, freeswitch, python, python3, squid.
+	prompt "Enable elliptic curve support"
-config OPENSSL_NO_DEPRECATED
+config OPENSSL_WITH_EC2M
+        bool
-	bool
+        depends on OPENSSL_WITH_EC
-	default !OPENSSL_WITH_DEPRECATED
+        prompt "Enable ec2m support"
-config OPENSSL_WITH_ERROR_MESSAGES
-	bool
-	default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
-	prompt "Include error messages"
-	help
-		This option aids debugging, but increases package size and
+config OPENSSL_WITH_SSL3
-		memory usage.
+	bool
 	default n
-comment "Protocol Support"
+	prompt "Enable sslv3 support"
-config OPENSSL_WITH_TLS13
-	bool
-	default y
-	prompt "Enable support for TLS 1.3"
-	select OPENSSL_WITH_EC
-	help
-		TLS 1.3 is the newest version of the TLS specification.
-		It aims:
-		 * to increase the overall security of the protocol,
-		   removing outdated algorithms, and encrypting more of the
-		   protocol;
+config OPENSSL_WITH_DEPRECATED
-		 * to increase performance by reducing the number of round-trips
+	bool
+	default y
-		   when performing a full handshake.
+	prompt "Include deprecated APIs"
-		It increases package size by ~4KB.
-config OPENSSL_WITH_DTLS
-	bool
-	prompt "Enable DTLS support"
-	help
-		Datagram Transport Layer Security (DTLS) provides TLS-like security
-		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
-config OPENSSL_WITH_NPN
-	bool
-	default y
-	prompt "Enable NPN support"
-	help
-		NPN is a TLS extension, obsoleted and replaced with ALPN,
-		used to negotiate SPDY, and HTTP/2.
-config OPENSSL_WITH_SRP
-	bool
-	default y
-	prompt "Enable SRP support"
-	help
-		The Secure Remote Password protocol (SRP) is an augmented
-		password-authenticated key agreement (PAKE) protocol, specifically
-		designed to work around existing patents.
-config OPENSSL_WITH_CMS
-	bool
-	default y
-	prompt "Enable CMS (RFC 5652) support"
-	help
-		Cryptographic Message Syntax (CMS) is used to digitally sign,
-		digest, authenticate, or encrypt arbitrary message content.
-comment "Algorithm Selection"
-config OPENSSL_WITH_EC
-	bool
-	default y
-	prompt "Enable elliptic curve support"
-	help
-		Elliptic-curve cryptography (ECC) is an approach to public-key
+config OPENSSL_WITH_DTLS
-		cryptography based on the algebraic structure of elliptic curves
+	bool
-		over finite fields. ECC requires smaller keys compared to non-ECC
+	default n
-		cryptography to provide equivalent security.
-config OPENSSL_WITH_EC2M
-	bool
+	prompt "Enable DTLS support"
 	depends on OPENSSL_WITH_EC
-	prompt "Enable ec2m support"
+config OPENSSL_WITH_COMPRESSION
-	help
+	bool
-		This option enables the more efficient, yet less common, binary
-		field elliptic curves.
-config OPENSSL_WITH_CHACHA_POLY1305
-	bool
-	default y
-	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
-	help
-		ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
-		combining ChaCha stream cipher with Poly1305 MAC.
-		It is 3x faster than AES, when not using a CPU with AES-specific
-		instructions, as is the case of most embedded devices.
-config OPENSSL_PREFER_CHACHA_OVER_GCM
-	bool
-	default y if !x86_64 && !aarch64
-	prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
-	depends on OPENSSL_WITH_CHACHA_POLY1305
+	default n
-	help
+	prompt "Enable compression support"
 		The default openssl preference is for AES-GCM before ChaCha, but
-		that takes into account AES-NI capable chips.  It is not the
+config OPENSSL_WITH_NPN
-		case with most embedded chips, so it may be better to invert
-		that preference.  This is just for the default case. The
-		application can always override this.
-config OPENSSL_WITH_PSK
-	bool
-	default y
-	prompt "Enable PSK support"
-	help
-		Build support for Pre-Shared Key based cipher suites.
-comment "Less commonly used build options"
-config OPENSSL_WITH_ARIA
-	bool
-	prompt "Enable ARIA support"
-	help
-		ARIA is a block cipher developed in South Korea, based on AES.
-config OPENSSL_WITH_CAMELLIA
-	bool
-	prompt "Enable Camellia cipher support"
-	help
-		Camellia is a bock cipher with security levels and processing
-		abilities comparable to AES.
-config OPENSSL_WITH_IDEA
-	bool
-	prompt "Enable IDEA cipher support"
-	help
-		IDEA is a block cipher with 128-bit keys.
+	bool
 	default y
-config OPENSSL_WITH_SEED
-	bool
+	prompt "Enable NPN support"
-	prompt "Enable SEED cipher support"
-	help
-		SEED is a block cipher with 128-bit keys broadly used in
-		South Korea, but seldom found elsewhere.
-config OPENSSL_WITH_SM234
+config OPENSSL_WITH_PSK
 	bool
-	prompt "Enable SM2/3/4 algorithms support"
+	default y
-	help
-		These algorithms are a set of "Commercial Cryptography"
+	prompt "Enable PSK support"
-		algorithms approved for use in China.
-		  * SM2 is an EC algorithm equivalent to ECDSA P-256
-		  * SM3 is a hash function equivalent to SHA-256
+config OPENSSL_WITH_SRP
+	bool
-		  * SM4 is a 128-block cipher equivalent to AES-128
+	default y
+	prompt "Enable SRP support"
 config OPENSSL_WITH_BLAKE2
+config OPENSSL_ENGINE_DIGEST
 	bool
-	prompt "Enable BLAKE2 digest support"
-	help
-		BLAKE2 is a cryptographic hash function based on the ChaCha
-		stream cipher.
+	depends on OPENSSL_ENGINE_CRYPTO
-config OPENSSL_WITH_MDC2
-	bool
-	prompt "Enable MDC2 digest support"
-config OPENSSL_WITH_WHIRLPOOL
-	bool
-	prompt "Enable Whirlpool digest support"
-config OPENSSL_WITH_COMPRESSION
-	bool
-	prompt "Enable compression support"
-	help
-		TLS compression is not recommended, as it is deemed insecure.
-		The CRIME attack exploits this weakness.
-		Even with this option turned on, it is disabled by default, and the
-		application must explicitly turn it on.
-config OPENSSL_WITH_RFC3779
-	bool
-	prompt "Enable RFC3779 support (BGP)"
-	help
-		RFC 3779 defines two X.509 v3 certificate extensions.  The first
-		binds a list of IP address blocks, or prefixes, to the subject of a
-		certificate.  The second binds a list of autonomous system
-		identifiers to the subject of a certificate.  These extensions may be
-		used to convey the authorization of the subject to use the IP
-		addresses and autonomous system identifiers contained in the
+	prompt "Digests acceleration support"
 		extensions.
+config OPENSSL_HARDWARE_SUPPORT
-comment "Engine/Hardware Support"
-config OPENSSL_ENGINE
+	bool
-	bool "Enable engine support"
-	help
-		This enables alternative cryptography implementations,
-		most commonly for interfacing with external crypto devices,
-		or supporting new/alternative ciphers and digests.
-		Note that you need to enable KERNEL_AIO to be able to build the
-		afalg engine package.
-config OPENSSL_ENGINE_CRYPTO
-	bool
-	select OPENSSL_ENGINE
-	select PACKAGE_kmod-cryptodev
-	select PACKAGE_libopenssl-conf
-	prompt "Acceleration support through /dev/crypto"
-	help
-		This enables use of hardware acceleration through OpenBSD
-		Cryptodev API (/dev/crypto) interface.
-		You must install kmod-cryptodev (under Kernel modules, Cryptographic
-		API modules) for /dev/crypto to show up and use hardware
-		acceleration; otherwise it falls back to software.
-config OPENSSL_WITH_ASYNC
-	bool
-	prompt "Enable asynchronous jobs support"
-	depends on OPENSSL_ENGINE && USE_GLIBC
-	help
-		Enables async-aware applications to be able to use OpenSSL to
-		initiate crypto operations asynchronously. In order to work