OpenWrt – Diff between revs 2 and 3
?pathlinks?
Rev 2 | Rev 3 | |||
---|---|---|---|---|
Line 1... | Line 1... | |||
1 | if PACKAGE_libopenssl |
1 | if PACKAGE_libopenssl |
|
Line 2... | Line -... | |||
2 | |
- | ||
3 | comment "Build Options" |
- | ||
4 | |
- | ||
5 | config OPENSSL_OPTIMIZE_SPEED |
- | ||
6 | bool |
- | ||
7 | default y if x86_64 || i386 |
- | ||
8 | prompt "Enable optimization for speed instead of size" |
- | ||
9 | select OPENSSL_WITH_ASM |
- | ||
10 | help |
- | ||
11 | Enabling this option increases code size (around 20%) and |
- | ||
12 | performance. The increase in performance and size depends on the |
- | ||
13 | target CPU. EC and AES seem to benefit the most, with EC speed |
- | ||
14 | increased by 20%-50% (mipsel & x86). |
- | ||
15 | AES-GCM is supposed to be 3x faster on x86. YMMV. |
- | ||
16 | |
- | ||
17 | config OPENSSL_WITH_ASM |
- | ||
18 | bool |
- | ||
19 | default y if !SMALL_FLASH || !arm |
- | ||
20 | prompt "Compile with optimized assembly code" |
- | ||
21 | depends on !arc |
- | ||
22 | help |
- | ||
23 | Disabling this option will reduce code size and performance. |
- | ||
24 | The increase in performance and size depends on the target |
- | ||
25 | CPU and on the algorithms being optimized. As of 1.1.0i*: |
- | ||
26 | |
- | ||
27 | Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase |
- | ||
28 | aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305 |
- | ||
29 | arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305 |
- | ||
30 | i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292% |
- | ||
31 | mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60% |
- | ||
32 | mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305 |
- | ||
33 | powerpc 20K BN, aes, sha1, sha256, sha512, poly1305 |
- | ||
34 | x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228% |
- | ||
35 | |
- | ||
36 | * Only most common algorithms shown. Your mileage may vary. |
- | ||
37 | BN (bignum) performance was measured using RSA sign/verify. |
- | ||
38 | |
2 | |
|
39 | config OPENSSL_WITH_SSE2 |
- | ||
40 | bool |
- | ||
41 | default y if !TARGET_x86_legacy && !TARGET_x86_geode |
- | ||
42 | prompt "Enable use of x86 SSE2 instructions" |
- | ||
43 | depends on OPENSSL_WITH_ASM && i386 |
- | ||
44 | help |
- | ||
45 | Use of SSE2 instructions greatly increase performance (up to |
- | ||
46 | 3x faster) with a minimum (~0.2%, or 23KB) increase in package |
- | ||
47 | size, but it will bring no benefit if your hardware does not |
- | ||
48 | support them, such as Geode GX and LX. In this case you may |
- | ||
49 | save 23KB by saying yes here. AMD Geode NX, and Intel |
- | ||
50 | Pentium 4 and above support SSE2. |
- | ||
51 | |
- | ||
52 | config OPENSSL_WITH_DEPRECATED |
3 | config OPENSSL_WITH_EC |
|
53 | bool |
4 | bool |
|
54 | default y |
- | ||
55 | prompt "Include deprecated APIs (See help for a list of packages that need this)" |
- | ||
56 | help |
- | ||
57 | Since openssl 1.1.x is still new to openwrt, some packages |
- | ||
58 | requiring this option do not list it as a requirement yet: |
5 | default y |
|
Line 59... | Line 6... | |||
59 | * freeswitch-stable, freeswitch, python, python3, squid. |
6 | prompt "Enable elliptic curve support" |
|
60 | |
7 | |
|
61 | config OPENSSL_NO_DEPRECATED |
8 | config OPENSSL_WITH_EC2M |
|
- | 9 | bool |
||
Line 62... | Line 10... | |||
62 | bool |
10 | depends on OPENSSL_WITH_EC |
|
63 | default !OPENSSL_WITH_DEPRECATED |
11 | prompt "Enable ec2m support" |
|
64 | |
- | ||
65 | config OPENSSL_WITH_ERROR_MESSAGES |
- | ||
66 | bool |
12 | |
|
67 | default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT |
- | ||
68 | prompt "Include error messages" |
- | ||
69 | help |
- | ||
70 | This option aids debugging, but increases package size and |
13 | config OPENSSL_WITH_SSL3 |
|
Line 71... | Line 14... | |||
71 | memory usage. |
14 | bool |
|
72 | |
15 | default n |
|
73 | comment "Protocol Support" |
16 | prompt "Enable sslv3 support" |
|
74 | |
17 | |
|
75 | config OPENSSL_WITH_TLS13 |
- | ||
76 | bool |
- | ||
77 | default y |
- | ||
78 | prompt "Enable support for TLS 1.3" |
- | ||
79 | select OPENSSL_WITH_EC |
- | ||
80 | help |
- | ||
81 | TLS 1.3 is the newest version of the TLS specification. |
- | ||
82 | It aims: |
- | ||
83 | * to increase the overall security of the protocol, |
- | ||
84 | removing outdated algorithms, and encrypting more of the |
- | ||
Line 85... | Line 18... | |||
85 | protocol; |
18 | config OPENSSL_WITH_DEPRECATED |
|
86 | * to increase performance by reducing the number of round-trips |
19 | bool |
|
- | 20 | default y |
||
87 | when performing a full handshake. |
21 | prompt "Include deprecated APIs" |
|
88 | It increases package size by ~4KB. |
- | ||
89 | |
- | ||
90 | config OPENSSL_WITH_DTLS |
- | ||
91 | bool |
- | ||
92 | prompt "Enable DTLS support" |
- | ||
93 | help |
- | ||
94 | Datagram Transport Layer Security (DTLS) provides TLS-like security |
- | ||
95 | for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications. |
- | ||
96 | |
- | ||
97 | config OPENSSL_WITH_NPN |
- | ||
98 | bool |
- | ||
99 | default y |
- | ||
100 | prompt "Enable NPN support" |
- | ||
101 | help |
- | ||
102 | NPN is a TLS extension, obsoleted and replaced with ALPN, |
- | ||
103 | used to negotiate SPDY, and HTTP/2. |
- | ||
104 | |
- | ||
105 | config OPENSSL_WITH_SRP |
- | ||
106 | bool |
- | ||
107 | default y |
- | ||
108 | prompt "Enable SRP support" |
- | ||
109 | help |
- | ||
110 | The Secure Remote Password protocol (SRP) is an augmented |
- | ||
111 | password-authenticated key agreement (PAKE) protocol, specifically |
- | ||
112 | designed to work around existing patents. |
- | ||
113 | |
- | ||
114 | config OPENSSL_WITH_CMS |
- | ||
115 | bool |
- | ||
116 | default y |
- | ||
117 | prompt "Enable CMS (RFC 5652) support" |
- | ||
118 | help |
- | ||
119 | Cryptographic Message Syntax (CMS) is used to digitally sign, |
- | ||
120 | digest, authenticate, or encrypt arbitrary message content. |
- | ||
121 | |
- | ||
122 | comment "Algorithm Selection" |
- | ||
123 | |
- | ||
124 | config OPENSSL_WITH_EC |
- | ||
125 | bool |
- | ||
126 | default y |
- | ||
127 | prompt "Enable elliptic curve support" |
- | ||
Line 128... | Line 22... | |||
128 | help |
22 | |
|
129 | Elliptic-curve cryptography (ECC) is an approach to public-key |
23 | config OPENSSL_WITH_DTLS |
|
130 | cryptography based on the algebraic structure of elliptic curves |
24 | bool |
|
131 | over finite fields. ECC requires smaller keys compared to non-ECC |
25 | default n |
|
132 | cryptography to provide equivalent security. |
- | ||
133 | |
- | ||
134 | config OPENSSL_WITH_EC2M |
- | ||
Line 135... | Line 26... | |||
135 | bool |
26 | prompt "Enable DTLS support" |
|
136 | depends on OPENSSL_WITH_EC |
27 | |
|
137 | prompt "Enable ec2m support" |
28 | config OPENSSL_WITH_COMPRESSION |
|
138 | help |
29 | bool |
|
139 | This option enables the more efficient, yet less common, binary |
- | ||
140 | field elliptic curves. |
- | ||
141 | |
- | ||
142 | config OPENSSL_WITH_CHACHA_POLY1305 |
- | ||
143 | bool |
- | ||
144 | default y |
- | ||
145 | prompt "Enable ChaCha20-Poly1305 ciphersuite support" |
- | ||
146 | help |
- | ||
147 | ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys, |
- | ||
148 | combining ChaCha stream cipher with Poly1305 MAC. |
- | ||
149 | It is 3x faster than AES, when not using a CPU with AES-specific |
- | ||
150 | instructions, as is the case of most embedded devices. |
- | ||
151 | |
- | ||
152 | config OPENSSL_PREFER_CHACHA_OVER_GCM |
- | ||
153 | bool |
- | ||
154 | default y if !x86_64 && !aarch64 |
- | ||
155 | prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default" |
- | ||
Line 156... | Line 30... | |||
156 | depends on OPENSSL_WITH_CHACHA_POLY1305 |
30 | default n |
|
157 | help |
31 | prompt "Enable compression support" |
|
158 | The default openssl preference is for AES-GCM before ChaCha, but |
32 | |
|
159 | that takes into account AES-NI capable chips. It is not the |
33 | config OPENSSL_WITH_NPN |
|
160 | case with most embedded chips, so it may be better to invert |
- | ||
161 | that preference. This is just for the default case. The |
- | ||
162 | application can always override this. |
- | ||
163 | |
- | ||
164 | config OPENSSL_WITH_PSK |
- | ||
165 | bool |
- | ||
166 | default y |
- | ||
167 | prompt "Enable PSK support" |
- | ||
168 | help |
- | ||
169 | Build support for Pre-Shared Key based cipher suites. |
- | ||
170 | |
- | ||
171 | comment "Less commonly used build options" |
- | ||
172 | |
- | ||
173 | config OPENSSL_WITH_ARIA |
- | ||
174 | bool |
- | ||
175 | prompt "Enable ARIA support" |
- | ||
176 | help |
- | ||
177 | ARIA is a block cipher developed in South Korea, based on AES. |
- | ||
178 | |
- | ||
179 | config OPENSSL_WITH_CAMELLIA |
- | ||
180 | bool |
- | ||
181 | prompt "Enable Camellia cipher support" |
- | ||
182 | help |
- | ||
183 | Camellia is a bock cipher with security levels and processing |
- | ||
184 | abilities comparable to AES. |
- | ||
185 | |
- | ||
186 | config OPENSSL_WITH_IDEA |
- | ||
187 | bool |
- | ||
188 | prompt "Enable IDEA cipher support" |
- | ||
189 | help |
- | ||
Line 190... | Line 34... | |||
190 | IDEA is a block cipher with 128-bit keys. |
34 | bool |
|
191 | |
35 | default y |
|
192 | config OPENSSL_WITH_SEED |
- | ||
193 | bool |
36 | prompt "Enable NPN support" |
|
194 | prompt "Enable SEED cipher support" |
- | ||
195 | help |
37 | |
|
196 | SEED is a block cipher with 128-bit keys broadly used in |
- | ||
197 | South Korea, but seldom found elsewhere. |
- | ||
198 | |
- | ||
Line 199... | Line 38... | |||
199 | config OPENSSL_WITH_SM234 |
38 | config OPENSSL_WITH_PSK |
|
200 | bool |
39 | bool |
|
201 | prompt "Enable SM2/3/4 algorithms support" |
40 | default y |
|
202 | help |
- | ||
203 | These algorithms are a set of "Commercial Cryptography" |
41 | prompt "Enable PSK support" |
|
204 | algorithms approved for use in China. |
- | ||
Line 205... | Line 42... | |||
205 | * SM2 is an EC algorithm equivalent to ECDSA P-256 |
42 | |
|
206 | * SM3 is a hash function equivalent to SHA-256 |
43 | config OPENSSL_WITH_SRP |
|
- | 44 | bool |
||
207 | * SM4 is a 128-block cipher equivalent to AES-128 |
45 | default y |
|
Line 208... | Line 46... | |||
208 | |
46 | prompt "Enable SRP support" |
|
209 | config OPENSSL_WITH_BLAKE2 |
47 | |
|
- | 48 | config OPENSSL_ENGINE_DIGEST |
||
210 | bool |
49 | bool |
|
Line 211... | Line -... | |||
211 | prompt "Enable BLAKE2 digest support" |
- | ||
212 | help |
- | ||
213 | BLAKE2 is a cryptographic hash function based on the ChaCha |
- | ||
214 | stream cipher. |
50 | depends on OPENSSL_ENGINE_CRYPTO |
|
215 | |
- | ||
216 | config OPENSSL_WITH_MDC2 |
- | ||
217 | bool |
- | ||
218 | prompt "Enable MDC2 digest support" |
- | ||
219 | |
- | ||
220 | config OPENSSL_WITH_WHIRLPOOL |
- | ||
221 | bool |
- | ||
222 | prompt "Enable Whirlpool digest support" |
- | ||
223 | |
- | ||
224 | config OPENSSL_WITH_COMPRESSION |
- | ||
225 | bool |
- | ||
226 | prompt "Enable compression support" |
- | ||
227 | help |
- | ||
228 | TLS compression is not recommended, as it is deemed insecure. |
- | ||
229 | The CRIME attack exploits this weakness. |
- | ||
230 | Even with this option turned on, it is disabled by default, and the |
- | ||
231 | application must explicitly turn it on. |
- | ||
232 | |
- | ||
233 | config OPENSSL_WITH_RFC3779 |
- | ||
234 | bool |
- | ||
235 | prompt "Enable RFC3779 support (BGP)" |
- | ||
236 | help |
- | ||
237 | RFC 3779 defines two X.509 v3 certificate extensions. The first |
- | ||
238 | binds a list of IP address blocks, or prefixes, to the subject of a |
- | ||
239 | certificate. The second binds a list of autonomous system |
- | ||
240 | identifiers to the subject of a certificate. These extensions may be |
- | ||
241 | used to convey the authorization of the subject to use the IP |
- | ||
Line 242... | Line 51... | |||
242 | addresses and autonomous system identifiers contained in the |
51 | prompt "Digests acceleration support" |
|
243 | extensions. |
52 | |
|
244 | |
53 | config OPENSSL_HARDWARE_SUPPORT |
|
245 | comment "Engine/Hardware Support" |
- | ||
246 | |
- | ||
247 | config OPENSSL_ENGINE |
54 | bool |
|
248 | bool "Enable engine support" |
- | ||
249 | help |
- | ||
250 | This enables alternative cryptography implementations, |
- | ||
251 | most commonly for interfacing with external crypto devices, |
- | ||
252 | or supporting new/alternative ciphers and digests. |
- | ||
253 | Note that you need to enable KERNEL_AIO to be able to build the |
- | ||
254 | afalg engine package. |
- | ||
255 | |
- | ||
256 | config OPENSSL_ENGINE_CRYPTO |
- | ||
257 | bool |
- | ||
258 | select OPENSSL_ENGINE |
- | ||
259 | select PACKAGE_kmod-cryptodev |
- | ||
260 | select PACKAGE_libopenssl-conf |
- | ||
261 | prompt "Acceleration support through /dev/crypto" |
- | ||
262 | help |
- | ||
263 | This enables use of hardware acceleration through OpenBSD |
- | ||
264 | Cryptodev API (/dev/crypto) interface. |
- | ||
265 | You must install kmod-cryptodev (under Kernel modules, Cryptographic |
- | ||
266 | API modules) for /dev/crypto to show up and use hardware |
- | ||
267 | acceleration; otherwise it falls back to software. |
- | ||
268 | |
- | ||
269 | config OPENSSL_WITH_ASYNC |
- | ||
270 | bool |
- | ||
271 | prompt "Enable asynchronous jobs support" |
- | ||
272 | depends on OPENSSL_ENGINE && USE_GLIBC |
- | ||
273 | help |
- | ||
274 | Enables async-aware applications to be able to use OpenSSL to |
- | ||
275 | initiate crypto operations asynchronously. In order to work |
- |