mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-11 23:42:57 +00:00
2407b1edcc
Openssh uses digest contexts across forks, which is not supported by the /dev/crypto engine. The speed of digests is usually not worth enabling them anyway. This changes the default of the DIGESTS option to NONE, so the user still has the option to enable them. Added another patch related to the use of encryption contexts across forks, that ignores a failure to close a previous open session when reinitializing a context, instead of failing the reinitialization. Added a link to the Cryptographic Hardware Accelerators document to the engine pacakges description, to provide more detailed instructions to configure the engines. Revert the removal of the OPENSSL_ENGINE_CRYPTO symbol, currently used by openssh. There is an open PR to update openssh; when merged, this symbol can be safely removed. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [refresh patches]
322 lines
10 KiB
Plaintext
322 lines
10 KiB
Plaintext
if PACKAGE_libopenssl
|
|
|
|
comment "Build Options"
|
|
|
|
config OPENSSL_OPTIMIZE_SPEED
|
|
bool
|
|
default y if x86_64 || i386
|
|
prompt "Enable optimization for speed instead of size"
|
|
select OPENSSL_WITH_ASM
|
|
help
|
|
Enabling this option increases code size (around 20%) and
|
|
performance. The increase in performance and size depends on the
|
|
target CPU. EC and AES seem to benefit the most, with EC speed
|
|
increased by 20%-50% (mipsel & x86).
|
|
AES-GCM is supposed to be 3x faster on x86. YMMV.
|
|
|
|
config OPENSSL_WITH_ASM
|
|
bool
|
|
default y if !SMALL_FLASH || !arm
|
|
prompt "Compile with optimized assembly code"
|
|
depends on !arc
|
|
help
|
|
Disabling this option will reduce code size and performance.
|
|
The increase in performance and size depends on the target
|
|
CPU and on the algorithms being optimized. As of 1.1.0i*:
|
|
|
|
Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
|
|
aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
|
|
arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
|
|
i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
|
|
mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
|
|
mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
|
|
powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
|
|
x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
|
|
|
|
* Only most common algorithms shown. Your mileage may vary.
|
|
BN (bignum) performance was measured using RSA sign/verify.
|
|
|
|
config OPENSSL_WITH_SSE2
|
|
bool
|
|
default y if !TARGET_x86_legacy && !TARGET_x86_geode
|
|
prompt "Enable use of x86 SSE2 instructions"
|
|
depends on OPENSSL_WITH_ASM && i386
|
|
help
|
|
Use of SSE2 instructions greatly increase performance (up to
|
|
3x faster) with a minimum (~0.2%, or 23KB) increase in package
|
|
size, but it will bring no benefit if your hardware does not
|
|
support them, such as Geode GX and LX. In this case you may
|
|
save 23KB by saying yes here. AMD Geode NX, and Intel
|
|
Pentium 4 and above support SSE2.
|
|
|
|
config OPENSSL_WITH_DEPRECATED
|
|
bool
|
|
default y
|
|
prompt "Include deprecated APIs (See help for a list of packages that need this)"
|
|
help
|
|
Since openssl 1.1.x is still new to openwrt, some packages
|
|
requiring this option do not list it as a requirement yet:
|
|
* freeswitch-stable, freeswitch, python, python3, squid.
|
|
|
|
config OPENSSL_NO_DEPRECATED
|
|
bool
|
|
default !OPENSSL_WITH_DEPRECATED
|
|
|
|
config OPENSSL_WITH_ERROR_MESSAGES
|
|
bool
|
|
default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
|
|
prompt "Include error messages"
|
|
help
|
|
This option aids debugging, but increases package size and
|
|
memory usage.
|
|
|
|
comment "Protocol Support"
|
|
|
|
config OPENSSL_WITH_TLS13
|
|
bool
|
|
default y
|
|
prompt "Enable support for TLS 1.3"
|
|
select OPENSSL_WITH_EC
|
|
help
|
|
TLS 1.3 is the newest version of the TLS specification.
|
|
It aims:
|
|
* to increase the overall security of the protocol,
|
|
removing outdated algorithms, and encrypting more of the
|
|
protocol;
|
|
* to increase performance by reducing the number of round-trips
|
|
when performing a full handshake.
|
|
It increases package size by ~4KB.
|
|
|
|
config OPENSSL_WITH_DTLS
|
|
bool
|
|
prompt "Enable DTLS support"
|
|
help
|
|
Datagram Transport Layer Security (DTLS) provides TLS-like security
|
|
for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
|
|
|
|
config OPENSSL_WITH_NPN
|
|
bool
|
|
default y
|
|
prompt "Enable NPN support"
|
|
help
|
|
NPN is a TLS extension, obsoleted and replaced with ALPN,
|
|
used to negotiate SPDY, and HTTP/2.
|
|
|
|
config OPENSSL_WITH_SRP
|
|
bool
|
|
default y
|
|
prompt "Enable SRP support"
|
|
help
|
|
The Secure Remote Password protocol (SRP) is an augmented
|
|
password-authenticated key agreement (PAKE) protocol, specifically
|
|
designed to work around existing patents.
|
|
|
|
config OPENSSL_WITH_CMS
|
|
bool
|
|
default y
|
|
prompt "Enable CMS (RFC 5652) support"
|
|
help
|
|
Cryptographic Message Syntax (CMS) is used to digitally sign,
|
|
digest, authenticate, or encrypt arbitrary message content.
|
|
|
|
comment "Algorithm Selection"
|
|
|
|
config OPENSSL_WITH_EC
|
|
bool
|
|
default y
|
|
prompt "Enable elliptic curve support"
|
|
help
|
|
Elliptic-curve cryptography (ECC) is an approach to public-key
|
|
cryptography based on the algebraic structure of elliptic curves
|
|
over finite fields. ECC requires smaller keys compared to non-ECC
|
|
cryptography to provide equivalent security.
|
|
|
|
config OPENSSL_WITH_EC2M
|
|
bool
|
|
depends on OPENSSL_WITH_EC
|
|
prompt "Enable ec2m support"
|
|
help
|
|
This option enables the more efficient, yet less common, binary
|
|
field elliptic curves.
|
|
|
|
config OPENSSL_WITH_CHACHA_POLY1305
|
|
bool
|
|
default y
|
|
prompt "Enable ChaCha20-Poly1305 ciphersuite support"
|
|
help
|
|
ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
|
|
combining ChaCha stream cipher with Poly1305 MAC.
|
|
It is 3x faster than AES, when not using a CPU with AES-specific
|
|
instructions, as is the case of most embedded devices.
|
|
|
|
config OPENSSL_PREFER_CHACHA_OVER_GCM
|
|
bool
|
|
default y if !x86_64 && !aarch64
|
|
prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
|
|
depends on OPENSSL_WITH_CHACHA_POLY1305
|
|
help
|
|
The default openssl preference is for AES-GCM before ChaCha, but
|
|
that takes into account AES-NI capable chips. It is not the
|
|
case with most embedded chips, so it may be better to invert
|
|
that preference. This is just for the default case. The
|
|
application can always override this.
|
|
|
|
config OPENSSL_WITH_PSK
|
|
bool
|
|
default y
|
|
prompt "Enable PSK support"
|
|
help
|
|
Build support for Pre-Shared Key based cipher suites.
|
|
|
|
comment "Less commonly used build options"
|
|
|
|
config OPENSSL_WITH_ARIA
|
|
bool
|
|
prompt "Enable ARIA support"
|
|
help
|
|
ARIA is a block cipher developed in South Korea, based on AES.
|
|
|
|
config OPENSSL_WITH_CAMELLIA
|
|
bool
|
|
prompt "Enable Camellia cipher support"
|
|
help
|
|
Camellia is a bock cipher with security levels and processing
|
|
abilities comparable to AES.
|
|
|
|
config OPENSSL_WITH_IDEA
|
|
bool
|
|
prompt "Enable IDEA cipher support"
|
|
help
|
|
IDEA is a block cipher with 128-bit keys.
|
|
|
|
config OPENSSL_WITH_SEED
|
|
bool
|
|
prompt "Enable SEED cipher support"
|
|
help
|
|
SEED is a block cipher with 128-bit keys broadly used in
|
|
South Korea, but seldom found elsewhere.
|
|
|
|
config OPENSSL_WITH_SM234
|
|
bool
|
|
prompt "Enable SM2/3/4 algorithms support"
|
|
help
|
|
These algorithms are a set of "Commercial Cryptography"
|
|
algorithms approved for use in China.
|
|
* SM2 is an EC algorithm equivalent to ECDSA P-256
|
|
* SM3 is a hash function equivalent to SHA-256
|
|
* SM4 is a 128-block cipher equivalent to AES-128
|
|
|
|
config OPENSSL_WITH_BLAKE2
|
|
bool
|
|
prompt "Enable BLAKE2 digest support"
|
|
help
|
|
BLAKE2 is a cryptographic hash function based on the ChaCha
|
|
stream cipher.
|
|
|
|
config OPENSSL_WITH_MDC2
|
|
bool
|
|
prompt "Enable MDC2 digest support"
|
|
|
|
config OPENSSL_WITH_WHIRLPOOL
|
|
bool
|
|
prompt "Enable Whirlpool digest support"
|
|
|
|
config OPENSSL_WITH_COMPRESSION
|
|
bool
|
|
prompt "Enable compression support"
|
|
help
|
|
TLS compression is not recommended, as it is deemed insecure.
|
|
The CRIME attack exploits this weakness.
|
|
Even with this option turned on, it is disabled by default, and the
|
|
application must explicitly turn it on.
|
|
|
|
config OPENSSL_WITH_RFC3779
|
|
bool
|
|
prompt "Enable RFC3779 support (BGP)"
|
|
help
|
|
RFC 3779 defines two X.509 v3 certificate extensions. The first
|
|
binds a list of IP address blocks, or prefixes, to the subject of a
|
|
certificate. The second binds a list of autonomous system
|
|
identifiers to the subject of a certificate. These extensions may be
|
|
used to convey the authorization of the subject to use the IP
|
|
addresses and autonomous system identifiers contained in the
|
|
extensions.
|
|
|
|
comment "Engine/Hardware Support"
|
|
|
|
config OPENSSL_ENGINE
|
|
bool "Enable engine support"
|
|
help
|
|
This enables alternative cryptography implementations,
|
|
most commonly for interfacing with external crypto devices,
|
|
or supporting new/alternative ciphers and digests.
|
|
Note that you need to enable KERNEL_AIO to be able to build the
|
|
afalg engine package.
|
|
|
|
config OPENSSL_ENGINE_BUILTIN
|
|
bool "Build chosen engines into libcrypto"
|
|
depends on OPENSSL_ENGINE
|
|
help
|
|
This builds all chosen engines into libcrypto.so, instead of building
|
|
them as dynamic engines in separate packages.
|
|
The benefit of building the engines into libcrypto is that they won't
|
|
require any configuration to be used by default.
|
|
|
|
config OPENSSL_ENGINE_BUILTIN_AFALG
|
|
bool
|
|
prompt "Acceleration support through AF_ALG sockets engine"
|
|
depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO && !LINUX_3_18
|
|
select PACKAGE_libopenssl-conf
|
|
help
|
|
This enables use of hardware acceleration through the
|
|
AF_ALG kernel interface.
|
|
|
|
config OPENSSL_ENGINE_CRYPTO
|
|
# This symbol is deprecated. Currently it is used by the openssh package.
|
|
# Once openwrt/packages#8272 is merged, this can be safely removed.
|
|
bool
|
|
default OPENSSL_ENGINE_BUILTIN_DEVCRYPTO || PACKAGE_libopenssl-devcrypto
|
|
|
|
config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
|
|
bool
|
|
prompt "Acceleration support through /dev/crypto"
|
|
depends on OPENSSL_ENGINE_BUILTIN
|
|
select PACKAGE_libopenssl-conf
|
|
help
|
|
This enables use of hardware acceleration through OpenBSD
|
|
Cryptodev API (/dev/crypto) interface.
|
|
Even though configuration is not strictly needed, it is worth seeing
|
|
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
|
|
for information on how to configure the engine.
|
|
|
|
config OPENSSL_ENGINE_BUILTIN_PADLOCK
|
|
bool
|
|
prompt "VIA Padlock Acceleration support engine"
|
|
depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
|
|
select PACKAGE_libopenssl-conf
|
|
help
|
|
This enables use of hardware acceleration through the
|
|
VIA Padlock module.
|
|
|
|
config OPENSSL_WITH_ASYNC
|
|
bool
|
|
prompt "Enable asynchronous jobs support"
|
|
depends on OPENSSL_ENGINE && USE_GLIBC
|
|
help
|
|
Enables async-aware applications to be able to use OpenSSL to
|
|
initiate crypto operations asynchronously. In order to work
|
|
this will require the presence of an async capable engine.
|
|
|
|
config OPENSSL_WITH_GOST
|
|
bool
|
|
prompt "Prepare library for GOST engine"
|
|
depends on OPENSSL_ENGINE
|
|
help
|
|
This option prepares the library to accept engine support
|
|
for Russian GOST crypto algorithms.
|
|
The gost engine is not included in standard openwrt feeds.
|
|
To build such engine yourself, see:
|
|
https://github.com/gost-engine/engine
|
|
|
|
endif
|