Эхлэл Бүгдийг харах Тусламж
Бүртгүүлэх Нэвтрэх
OpenWrt
/
openwrt
-ын хуулбар https://github.com/openwrt/openwrt.git
2
0
Салаа 0
Файлууд Асуудлууд 0 Мэдлэгийн сан
Мод: d872d00b2f
Салаанууд Тагууд
openwrt
/
package
/
libs
/
openssl
/
Config.in

Config.in 8.2 KB
Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273 
  1. if PACKAGE_libopenssl
    2. 

  2. 

  3. comment "Build Options"
    4. 

  4. 

  5. config OPENSSL_OPTIMIZE_SPEED
    6. 

  6. 	bool
    7. 

  7. 	prompt "Enable optimization for speed instead of size"
    8. 

  8. 	select OPENSSL_WITH_ASM
    9. 

  9. 	help
    10. 

  10. 		Enabling this option increases code size (around 20%) and
    11. 

  11. 		performance.  The increase in performance and size depends on the
    12. 

  12. 		target CPU. EC and AES seem to benefit the most, with EC speed
    13. 

  13. 		increased by 20%-50% (mipsel & x86).
    14. 

  14. 		AES-GCM is supposed to be 3x faster on x86. YMMV.
    15. 

  15. 

  16. config OPENSSL_WITH_ASM
    17. 

  17. 	bool
    18. 

  18. 	default y
    19. 

  19. 	prompt "Compile with optimized assembly code"
    20. 

  20. 	depends on !arc
    21. 

  21. 	help
    22. 

  22. 		Disabling this option will reduce code size and performance.
    23. 

  23. 		The increase in performance and size depends on the target
    24. 

  24. 		CPU and on the algorithms being optimized.  As of 1.1.0i*:
    25. 

  25. 

  26. 		Platform  Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
    27. 

  27. 		aarch64   174K     BN, aes, sha1, sha256, sha512, nist256, poly1305
    28. 

  28. 		arm       152K     BN, aes, sha1, sha256, sha512, nist256, poly1305
    29. 

  29. 		i386      183K     BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
    30. 

  30. 		mipsel      1.5K   BN+97%, aes+4%, sha1+94%, sha256+60%
    31. 

  31. 		mips64	    3.7K   BN, aes, sha1, sha256, sha512, poly1305
    32. 

  32. 		powerpc    20K     BN, aes, sha1, sha256, sha512, poly1305
    33. 

  33. 		x86_64    228K     BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
    34. 

  34. 

  35. 		* Only most common algorithms shown. Your mileage may vary.
    36. 

  36. 		  BN (bignum) performance was measured using RSA sign/verify.
    37. 

  37. 

  38. config OPENSSL_WITH_SSE2
    39. 

  39. 	bool
    40. 

  40. 	default y if !TARGET_x86_legacy && !TARGET_x86_geode
    41. 

  41. 	prompt "Enable use of x86 SSE2 instructions"
    42. 

  42. 	depends on OPENSSL_WITH_ASM && i386
    43. 

  43. 	help
    44. 

  44. 		Use of SSE2 instructions greatly increase performance (up to
    45. 

  45. 		3x faster) with a minimum (~0.2%, or 23KB) increase in package
    46. 

  46. 		size, but it will bring no benefit if your hardware does not
    47. 

  47. 		support them, such as Geode GX and LX.  In this case you may
    48. 

  48. 		save 23KB by saying yes here.  AMD Geode NX, and Intel
    49. 

  49. 		Pentium 4 and above support SSE2.
    50. 

  50. 

  51. config OPENSSL_WITH_DEPRECATED
    52. 

  52. 	bool
    53. 

  53. 	default y
    54. 

  54. 	prompt "Include deprecated APIs (See help for a list of packages that need this)"
    55. 

  55. 	help
    56. 

  56. 		Since openssl 1.1.x is still new to openwrt, some packages
    57. 

  57. 		requiring this option do not list it as a requirement yet:
    58. 

  58. 		 * freeswitch-stable, freeswitch, python, python3, squid.
    59. 

  59. 

  60. config OPENSSL_NO_DEPRECATED
    61. 

  61. 	bool
    62. 

  62. 	default !OPENSSL_WITH_DEPRECATED
    63. 

  63. 

  64. config OPENSSL_WITH_ERROR_MESSAGES
    65. 

  65. 	bool
    66. 

  66. 	prompt "Include error messages"
    67. 

  67. 	help
    68. 

  68. 		This option aids debugging, but increases package size and
    69. 

  69. 		memory usage.
    70. 

  70. 

  71. comment "Protocol Support"
    72. 

  72. 

  73. config OPENSSL_WITH_TLS13
    74. 

  74. 	bool
    75. 

  75. 	default y
    76. 

  76. 	prompt "Enable support for TLS 1.3"
    77. 

  77. 	select OPENSSL_WITH_EC
    78. 

  78. 	help
    79. 

  79. 		TLS 1.3 is the newest version of the TLS specification.
    80. 

  80. 		It aims:
    81. 

  81. 		 * to increase the overall security of the protocol,
    82. 

  82. 		   removing outdated algorithms, and encrypting more of the
    83. 

  83. 		   protocol;
    84. 

  84. 		 * to increase performance by reducing the number of round-trips
    85. 

  85. 		   when performing a full handshake.
    86. 

  86. 		It increases package size by ~4KB.
    87. 

  87. 

  88. config OPENSSL_WITH_DTLS
    89. 

  89. 	bool
    90. 

  90. 	prompt "Enable DTLS support"
    91. 

  91. 	help
    92. 

  92. 		Datagram Transport Layer Security (DTLS) provides TLS-like security
    93. 

  93. 		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
    94. 

  94. 

  95. config OPENSSL_WITH_NPN
    96. 

  96. 	bool
    97. 

  97. 	default y
    98. 

  98. 	prompt "Enable NPN support"
    99. 

  99. 	help
    100. 

  100. 		NPN is a TLS extension, obsoleted and replaced with ALPN,
    101. 

  101. 		used to negotiate SPDY, and HTTP/2.
    102. 

  102. 

  103. config OPENSSL_WITH_SRP
    104. 

  104. 	bool
    105. 

  105. 	default y
    106. 

  106. 	prompt "Enable SRP support"
    107. 

  107. 	help
    108. 

  108. 		The Secure Remote Password protocol (SRP) is an augmented
    109. 

  109. 		password-authenticated key agreement (PAKE) protocol, specifically
    110. 

  110. 		designed to work around existing patents.
    111. 

  111. 

  112. config OPENSSL_WITH_CMS
    113. 

  113. 	bool
    114. 

  114. 	default y
    115. 

  115. 	prompt "Enable CMS (RFC 5652) support"
    116. 

  116. 	help
    117. 

  117. 		Cryptographic Message Syntax (CMS) is used to digitally sign,
    118. 

  118. 		digest, authenticate, or encrypt arbitrary message content.
    119. 

  119. 

  120. comment "Algorithm Selection"
    121. 

  121. 

  122. config OPENSSL_WITH_EC
    123. 

  123. 	bool
    124. 

  124. 	default y
    125. 

  125. 	prompt "Enable elliptic curve support"
    126. 

  126. 	help
    127. 

  127. 		Elliptic-curve cryptography (ECC) is an approach to public-key
    128. 

  128. 		cryptography based on the algebraic structure of elliptic curves
    129. 

  129. 		over finite fields. ECC requires smaller keys compared to non-ECC
    130. 

  130. 		cryptography to provide equivalent security.
    131. 

  131. 

  132. config OPENSSL_WITH_EC2M
    133. 

  133. 	bool
    134. 

  134. 	depends on OPENSSL_WITH_EC
    135. 

  135. 	prompt "Enable ec2m support"
    136. 

  136. 	help
    137. 

  137. 		This option enables the more efficient, yet less common, binary
    138. 

  138. 		field elliptic curves.
    139. 

  139. 

  140. config OPENSSL_WITH_CHACHA_POLY1305
    141. 

  141. 	bool
    142. 

  142. 	default y
    143. 

  143. 	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
    144. 

  144. 	help
    145. 

  145. 		ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
    146. 

  146. 		combining ChaCha stream cipher with Poly1305 MAC.
    147. 

  147. 		It is 3x faster than AES, when not using a CPU with AES-specific
    148. 

  148. 		instructions, as is the case of most embedded devices.
    149. 

  149. 

  150. config OPENSSL_WITH_PSK
    151. 

  151. 	bool
    152. 

  152. 	default y
    153. 

  153. 	prompt "Enable PSK support"
    154. 

  154. 	help
    155. 

  155. 		Build support for Pre-Shared Key based cipher suites.
    156. 

  156. 

  157. comment "Less commonly used build options"
    158. 

  158. 

  159. config OPENSSL_WITH_ARIA
    160. 

  160. 	bool
    161. 

  161. 	prompt "Enable ARIA support"
    162. 

  162. 	help
    163. 

  163. 		ARIA is a block cipher developed in South Korea, based on AES.
    164. 

  164. 

  165. config OPENSSL_WITH_CAMELLIA
    166. 

  166. 	bool
    167. 

  167. 	prompt "Enable Camellia cipher support"
    168. 

  168. 	help
    169. 

  169. 		Camellia is a bock cipher with security levels and processing
    170. 

  170. 		abilities comparable to AES.
    171. 

  171. 

  172. config OPENSSL_WITH_IDEA
    173. 

  173. 	bool
    174. 

  174. 	prompt "Enable IDEA cipher support"
    175. 

  175. 	help
    176. 

  176. 		IDEA is a block cipher with 128-bit keys.
    177. 

  177. 

  178. config OPENSSL_WITH_SEED
    179. 

  179. 	bool
    180. 

  180. 	prompt "Enable SEED cipher support"
    181. 

  181. 	help
    182. 

  182. 		SEED is a block cipher with 128-bit keys broadly used in
    183. 

  183. 		South Korea, but seldom found elsewhere.
    184. 

  184. 

  185. config OPENSSL_WITH_SM234
    186. 

  186. 	bool
    187. 

  187. 	prompt "Enable SM2/3/4 algorithms support"
    188. 

  188. 	help
    189. 

  189. 		These algorithms are a set of "Commercial Cryptography"
    190. 

  190. 		algorithms approved for use in China.
    191. 

  191. 		  * SM2 is an EC algorithm equivalent to ECDSA P-256
    192. 

  192. 		  * SM3 is a hash function equivalent to SHA-256
    193. 

  193. 		  * SM4 is a 128-block cipher equivalent to AES-128
    194. 

  194. 

  195. config OPENSSL_WITH_BLAKE2
    196. 

  196. 	bool
    197. 

  197. 	prompt "Enable BLAKE2 digest support"
    198. 

  198. 	help
    199. 

  199. 		BLAKE2 is a cryptographic hash function based on the ChaCha
    200. 

  200. 		stream cipher.
    201. 

  201. 

  202. config OPENSSL_WITH_MDC2
    203. 

  203. 	bool
    204. 

  204. 	prompt "Enable MDC2 digest support"
    205. 

  205. 

  206. config OPENSSL_WITH_WHIRLPOOL
    207. 

  207. 	bool
    208. 

  208. 	prompt "Enable Whirlpool digest support"
    209. 

  209. 

  210. config OPENSSL_WITH_COMPRESSION
    211. 

  211. 	bool
    212. 

  212. 	prompt "Enable compression support"
    213. 

  213. 	help
    214. 

  214. 		TLS compression is not recommended, as it is deemed insecure.
    215. 

  215. 		The CRIME attack exploits this weakness.
    216. 

  216. 		Even with this option turned on, it is disabled by default, and the
    217. 

  217. 		application must explicitly turn it on.
    218. 

  218. 

  219. config OPENSSL_WITH_RFC3779
    220. 

  220. 	bool
    221. 

  221. 	prompt "Enable RFC3779 support (BGP)"
    222. 

  222. 	help
    223. 

  223. 		RFC 3779 defines two X.509 v3 certificate extensions.  The first
    224. 

  224. 		binds a list of IP address blocks, or prefixes, to the subject of a
    225. 

  225. 		certificate.  The second binds a list of autonomous system
    226. 

  226. 		identifiers to the subject of a certificate.  These extensions may be
    227. 

  227. 		used to convey the authorization of the subject to use the IP
    228. 

  228. 		addresses and autonomous system identifiers contained in the
    229. 

  229. 		extensions.
    230. 

  230. 

  231. comment "Engine/Hardware Support"
    232. 

  232. 

  233. config OPENSSL_ENGINE
    234. 

  234. 	bool "Enable engine support"
    235. 

  235. 	help
    236. 

  236. 		This enables alternative cryptography implementations,
    237. 

  237. 		most commonly for interfacing with external crypto devices,
    238. 

  238. 		or supporting new/alternative ciphers and digests.
    239. 

  239. 

  240. config OPENSSL_ENGINE_CRYPTO
    241. 

  241. 	bool
    242. 

  242. 	select OPENSSL_ENGINE
    243. 

  243. 	select PACKAGE_kmod-cryptodev
    244. 

  244. 	prompt "Acceleration support through /dev/crypto"
    245. 

  245. 	help
    246. 

  246. 		This enables use of hardware acceleration through OpenBSD
    247. 

  247. 		Cryptodev API (/dev/crypto) interface.
    248. 

  248. 		You must install kmod-cryptodev (under Kernel modules, Cryptographic
    249. 

  249. 		API modules) for /dev/crypto to show up and use hardware
    250. 

  250. 		acceleration; otherwise it falls back to software.
    251. 

  251. 

  252. config OPENSSL_WITH_ASYNC
    253. 

  253. 	bool
    254. 

  254. 	prompt "Enable asynchronous jobs support"
    255. 

  255. 	depends on OPENSSL_ENGINE && USE_GLIBC
    256. 

  256. 	help
    257. 

  257. 		Enables async-aware applications to be able to use OpenSSL to
    258. 

  258. 		initiate crypto operations asynchronously. In order to work
    259. 

  259. 		this will require the presence of an async capable engine.
    260. 

  260. 

  261. config OPENSSL_WITH_GOST
    262. 

  262. 	bool
    263. 

  263. 	prompt "Prepare library for GOST engine"
    264. 

  264. 	depends on OPENSSL_ENGINE
    265. 

  265. 	help
    266. 

  266. 		This option prepares the library to accept engine support
    267. 

  267. 		for Russian GOST crypto algorithms.
    268. 

  268. 		The gost engine is not included in standard openwrt feeds.
    269. 

  269. 		To build such engine yourself, see:
    270. 

  270. 		https://github.com/gost-engine/engine
    271. 

  271. 

  272. endif
    273. 

  273.