mirror of https://github.com/hak5/openwrt.git
217 lines
6.3 KiB
Plaintext
217 lines
6.3 KiB
Plaintext
if PACKAGE_libopenssl
|
|
|
|
comment "Build Options"
|
|
|
|
config OPENSSL_OPTIMIZE_SPEED
|
|
bool
|
|
prompt "Enable optimization for speed instead of size"
|
|
select OPENSSL_WITH_ASM
|
|
help
|
|
Enabling this option increases code size (around 20%) and
|
|
performance. The increase in performance and size depends on the
|
|
target CPU. EC and AES seem to benefit the most, with EC speed
|
|
increased by 20%-50% (mipsel & x86).
|
|
AES-GCM is supposed to be 3x faster on x86. YMMV.
|
|
|
|
config OPENSSL_WITH_ASM
|
|
bool
|
|
default y
|
|
prompt "Compile with optimized assembly code"
|
|
depends on !arc
|
|
help
|
|
Disabling this option will reduce code size and performance.
|
|
The increase in performance and size depends on the target
|
|
CPU and on the algorithms being optimized. As of 1.1.0i*:
|
|
|
|
Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
|
|
aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
|
|
arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
|
|
i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
|
|
mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
|
|
mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
|
|
powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
|
|
x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
|
|
|
|
* Only most common algorithms shown. Your mileage may vary.
|
|
BN (bignum) performance was measured using RSA sign/verify.
|
|
|
|
config OPENSSL_WITH_SSE2
|
|
bool
|
|
default y if !TARGET_x86_legacy && !TARGET_x86_geode
|
|
prompt "Enable use of x86 SSE2 instructions"
|
|
depends on OPENSSL_WITH_ASM && i386
|
|
help
|
|
Use of SSE2 instructions greatly increase performance (up to
|
|
3x faster) with a minimum (~0.2%, or 23KB) increase in package
|
|
size, but it will bring no benefit if your hardware does not
|
|
support them, such as Geode GX and LX. In this case you may
|
|
save 23KB by saying yes here. AMD Geode NX, and Intel
|
|
Pentium 4 and above support SSE2.
|
|
|
|
config OPENSSL_WITH_DEPRECATED
|
|
bool
|
|
default y
|
|
prompt "Include deprecated APIs (See help for a list of packages that need this)"
|
|
help
|
|
Squid currently requires this.
|
|
|
|
config OPENSSL_NO_DEPRECATED
|
|
bool
|
|
default !OPENSSL_WITH_DEPRECATED
|
|
|
|
config OPENSSL_WITH_ERROR_MESSAGES
|
|
bool
|
|
prompt "Include error messages"
|
|
help
|
|
This option aids debugging, but increases package size and
|
|
memory usage.
|
|
|
|
comment "Protocol Support"
|
|
|
|
config OPENSSL_WITH_DTLS
|
|
bool
|
|
prompt "Enable DTLS support"
|
|
help
|
|
Datagram Transport Layer Security (DTLS) provides TLS-like security
|
|
for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
|
|
|
|
config OPENSSL_WITH_NPN
|
|
bool
|
|
default y
|
|
prompt "Enable NPN support"
|
|
help
|
|
NPN is a TLS extension, obsoleted and replaced with ALPN,
|
|
used to negotiate SPDY, and HTTP/2.
|
|
|
|
config OPENSSL_WITH_SRP
|
|
bool
|
|
default y
|
|
prompt "Enable SRP support"
|
|
help
|
|
The Secure Remote Password protocol (SRP) is an augmented
|
|
password-authenticated key agreement (PAKE) protocol, specifically
|
|
designed to work around existing patents.
|
|
|
|
config OPENSSL_WITH_CMS
|
|
bool
|
|
default y
|
|
prompt "Enable CMS (RFC 5652) support"
|
|
help
|
|
Cryptographic Message Syntax (CMS) is used to digitally sign,
|
|
digest, authenticate, or encrypt arbitrary message content.
|
|
|
|
comment "Algorithm Selection"
|
|
|
|
config OPENSSL_WITH_EC
|
|
bool
|
|
default y
|
|
prompt "Enable elliptic curve support"
|
|
help
|
|
Elliptic-curve cryptography (ECC) is an approach to public-key
|
|
cryptography based on the algebraic structure of elliptic curves
|
|
over finite fields. ECC requires smaller keys compared to non-ECC
|
|
cryptography to provide equivalent security.
|
|
|
|
config OPENSSL_WITH_EC2M
|
|
bool
|
|
depends on OPENSSL_WITH_EC
|
|
prompt "Enable ec2m support"
|
|
help
|
|
This option enables the more efficient, yet less common, binary
|
|
field elliptic curves.
|
|
|
|
config OPENSSL_WITH_PSK
|
|
bool
|
|
default y
|
|
prompt "Enable PSK support"
|
|
help
|
|
Build support for Pre-Shared Key based cipher suites.
|
|
|
|
comment "Less commonly used build options"
|
|
|
|
config OPENSSL_WITH_CAMELLIA
|
|
bool
|
|
prompt "Enable Camellia cipher support"
|
|
help
|
|
Camellia is a bock cipher with security levels and processing
|
|
abilities comparable to AES.
|
|
|
|
config OPENSSL_WITH_IDEA
|
|
bool
|
|
prompt "Enable IDEA cipher support"
|
|
help
|
|
IDEA is a block cipher with 128-bit keys.
|
|
|
|
config OPENSSL_WITH_SEED
|
|
bool
|
|
prompt "Enable SEED cipher support"
|
|
help
|
|
SEED is a block cipher with 128-bit keys broadly used in
|
|
South Korea, but seldom found elsewhere.
|
|
|
|
config OPENSSL_WITH_MDC2
|
|
bool
|
|
prompt "Enable MDC2 digest support"
|
|
|
|
config OPENSSL_WITH_WHIRLPOOL
|
|
bool
|
|
prompt "Enable Whirlpool digest support"
|
|
|
|
config OPENSSL_WITH_COMPRESSION
|
|
bool
|
|
prompt "Enable compression support"
|
|
help
|
|
TLS compression is not recommended, as it is deemed insecure.
|
|
The CRIME attack exploits this weakness.
|
|
Even with this option turned on, it is disabled by default, and the
|
|
application must explicitly turn it on.
|
|
|
|
config OPENSSL_WITH_RFC3779
|
|
bool
|
|
prompt "Enable RFC3779 support (BGP)"
|
|
help
|
|
RFC 3779 defines two X.509 v3 certificate extensions. The first
|
|
binds a list of IP address blocks, or prefixes, to the subject of a
|
|
certificate. The second binds a list of autonomous system
|
|
identifiers to the subject of a certificate. These extensions may be
|
|
used to convey the authorization of the subject to use the IP
|
|
addresses and autonomous system identifiers contained in the
|
|
extensions.
|
|
|
|
comment "Engine/Hardware Support"
|
|
|
|
config OPENSSL_ENGINE
|
|
bool "Enable engine support"
|
|
help
|
|
This enables alternative cryptography implementations,
|
|
most commonly for interfacing with external crypto devices,
|
|
or supporting new/alternative ciphers and digests.
|
|
|
|
config OPENSSL_ENGINE_CRYPTO
|
|
bool
|
|
select OPENSSL_ENGINE
|
|
select PACKAGE_kmod-cryptodev
|
|
prompt "Acceleration support through /dev/crypto"
|
|
help
|
|
This enables use of hardware acceleration through OpenBSD
|
|
Cryptodev API (/dev/crypto) interface.
|
|
You must install kmod-cryptodev (under Kernel modules, Cryptographic
|
|
API modules) for /dev/crypto to show up and use hardware
|
|
acceleration; otherwise it falls back to software.
|
|
|
|
config OPENSSL_ENGINE_DIGEST
|
|
bool
|
|
depends on OPENSSL_ENGINE_CRYPTO
|
|
prompt "/dev/crypto digest (md5/sha1) acceleration support"
|
|
|
|
config OPENSSL_WITH_GOST
|
|
bool
|
|
prompt "Prepare library for GOST engine"
|
|
depends on OPENSSL_ENGINE
|
|
help
|
|
This option prepares the library to accept engine support
|
|
for Russian GOST crypto algorithms.
|
|
|
|
endif
|
|
|