mirror of
https://git.openwrt.org/openwrt/openwrt.git
synced 2024-11-24 14:06:15 +00:00
0dc5fc8fa5
This adapts the engine build infrastructure to allow building providers, and packages the legacy provider. Providers are the successors of engines, which have been deprecated. The legacy provider supplies OpenSSL implementations of algorithms that have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool. Even though these algorithms are implemented in a separate package, their removal makes the regular library smaller by 3%, so the build options will remain to allow lean custom builds. Their defaults will change to 'y' if not bulding for a small flash, so that the regular legacy package will contain a complete set of algorithms. The engine build and configuration structure was changed to accomodate providers, and adapt to the new style of openssl.cnf in version 3.0. There is not a clean upgrade path for the /etc/ssl/openssl.cnf file, installed by the openssl-conf package. It is recommended to rename or remove the old config file when flashing an image with the updated openssl-conf package, then apply the changes manually. An old openssl.cnf file will silently work, but new engine or provider packages will not be enabled. Any remaining engine config files under /etc/ssl/engines.cnf.d can be removed. On the build side, the include file used by engine packages was renamed to openssl-module.mk, so the engine packages in other feeds need to adapt. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
311 lines
9.5 KiB
Plaintext
311 lines
9.5 KiB
Plaintext
if PACKAGE_libopenssl
|
|
|
|
comment "Build Options"
|
|
|
|
config OPENSSL_OPTIMIZE_SPEED
|
|
bool
|
|
default y if x86_64 || i386
|
|
prompt "Enable optimization for speed instead of size"
|
|
select OPENSSL_WITH_ASM
|
|
help
|
|
Enabling this option increases code size and performance.
|
|
The increase in performance and size depends on the
|
|
target CPU. EC and AES seem to benefit the most.
|
|
|
|
config OPENSSL_SMALL_FOOTPRINT
|
|
bool
|
|
depends on !OPENSSL_OPTIMIZE_SPEED
|
|
default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
|
|
prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
|
|
help
|
|
This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
|
|
1-3% of of the ipk size. The performance drop depends on
|
|
architecture and algorithm. MIPS drops 13% of performance for
|
|
a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
|
|
size, ghash and GCM performance decreases 90%, while
|
|
Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
|
|
for 3% of performance. Other arches have not been tested.
|
|
|
|
config OPENSSL_WITH_ASM
|
|
bool
|
|
default y
|
|
prompt "Compile with optimized assembly code"
|
|
depends on !arc
|
|
help
|
|
Disabling this option will reduce code size and performance.
|
|
The increase in performance and size depends on the target
|
|
CPU and on the algorithms being optimized.
|
|
|
|
config OPENSSL_WITH_SSE2
|
|
bool
|
|
default y if !TARGET_x86_legacy && !TARGET_x86_geode
|
|
prompt "Enable use of x86 SSE2 instructions"
|
|
depends on OPENSSL_WITH_ASM && i386
|
|
help
|
|
Use of SSE2 instructions greatly increase performance with a
|
|
minimum increase in package size, but it will bring no benefit
|
|
if your hardware does not support them, such as Geode GX and LX.
|
|
AMD Geode NX, and Intel Pentium 4 and above support SSE2.
|
|
|
|
config OPENSSL_WITH_DEPRECATED
|
|
bool
|
|
default y
|
|
prompt "Include deprecated APIs"
|
|
help
|
|
This drops all deprecated API, including engine support.
|
|
|
|
config OPENSSL_NO_DEPRECATED
|
|
bool
|
|
default !OPENSSL_WITH_DEPRECATED
|
|
|
|
config OPENSSL_WITH_ERROR_MESSAGES
|
|
bool
|
|
default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
|
|
prompt "Include error messages"
|
|
help
|
|
This option aids debugging, but increases package size and
|
|
memory usage.
|
|
|
|
comment "Protocol Support"
|
|
|
|
config OPENSSL_WITH_TLS13
|
|
bool
|
|
default y
|
|
prompt "Enable support for TLS 1.3"
|
|
help
|
|
TLS 1.3 is the newest version of the TLS specification.
|
|
It aims:
|
|
* to increase the overall security of the protocol,
|
|
removing outdated algorithms, and encrypting more of the
|
|
protocol;
|
|
* to increase performance by reducing the number of round-trips
|
|
when performing a full handshake.
|
|
|
|
config OPENSSL_WITH_DTLS
|
|
bool
|
|
prompt "Enable DTLS support"
|
|
help
|
|
Datagram Transport Layer Security (DTLS) provides TLS-like security
|
|
for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
|
|
|
|
config OPENSSL_WITH_NPN
|
|
bool
|
|
prompt "Enable NPN support"
|
|
help
|
|
NPN is a TLS extension, obsoleted and replaced with ALPN,
|
|
used to negotiate SPDY, and HTTP/2.
|
|
|
|
config OPENSSL_WITH_SRP
|
|
bool
|
|
default y
|
|
prompt "Enable SRP support"
|
|
help
|
|
The Secure Remote Password protocol (SRP) is an augmented
|
|
password-authenticated key agreement (PAKE) protocol, specifically
|
|
designed to work around existing patents.
|
|
|
|
config OPENSSL_WITH_CMS
|
|
bool
|
|
default y
|
|
prompt "Enable CMS (RFC 5652) support"
|
|
help
|
|
Cryptographic Message Syntax (CMS) is used to digitally sign,
|
|
digest, authenticate, or encrypt arbitrary message content.
|
|
|
|
comment "Algorithm Selection"
|
|
|
|
config OPENSSL_WITH_EC2M
|
|
bool
|
|
prompt "Enable ec2m support"
|
|
help
|
|
This option enables the more efficient, yet less common, binary
|
|
field elliptic curves.
|
|
|
|
config OPENSSL_WITH_CHACHA_POLY1305
|
|
bool
|
|
default y
|
|
prompt "Enable ChaCha20-Poly1305 ciphersuite support"
|
|
help
|
|
ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
|
|
combining ChaCha stream cipher with Poly1305 MAC.
|
|
It is 3x faster than AES, when not using a CPU with AES-specific
|
|
instructions, as is the case of most embedded devices.
|
|
|
|
config OPENSSL_PREFER_CHACHA_OVER_GCM
|
|
bool
|
|
default y if !x86_64 && !aarch64
|
|
prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
|
|
depends on OPENSSL_WITH_CHACHA_POLY1305
|
|
help
|
|
The default openssl preference is for AES-GCM before ChaCha, but
|
|
that takes into account AES-NI capable chips. It is not the
|
|
case with most embedded chips, so it may be better to invert
|
|
that preference. This is just for the default case. The
|
|
application can always override this.
|
|
|
|
config OPENSSL_WITH_PSK
|
|
bool
|
|
default y
|
|
prompt "Enable PSK support"
|
|
help
|
|
Build support for Pre-Shared Key based cipher suites.
|
|
|
|
comment "Less commonly used build options"
|
|
|
|
config OPENSSL_WITH_ARIA
|
|
bool
|
|
prompt "Enable ARIA support"
|
|
help
|
|
ARIA is a block cipher developed in South Korea, based on AES.
|
|
|
|
config OPENSSL_WITH_CAMELLIA
|
|
bool
|
|
prompt "Enable Camellia cipher support"
|
|
help
|
|
Camellia is a bock cipher with security levels and processing
|
|
abilities comparable to AES.
|
|
|
|
config OPENSSL_WITH_IDEA
|
|
bool
|
|
default y if !SMALL_FLASH
|
|
prompt "Enable IDEA cipher support (needs legacy provider)"
|
|
help
|
|
IDEA is a block cipher with 128-bit keys.
|
|
To use the cipher, one must install the libopenssl-legacy
|
|
package, using a main libopenssl package compiled with this
|
|
option enabled as well.
|
|
|
|
config OPENSSL_WITH_SEED
|
|
bool
|
|
default y if !SMALL_FLASH
|
|
prompt "Enable SEED cipher support (needs legacy provider)"
|
|
help
|
|
SEED is a block cipher with 128-bit keys broadly used in
|
|
South Korea, but seldom found elsewhere.
|
|
To use the cipher, one must install the libopenssl-legacy
|
|
package, using a main libopenssl package compiled with this
|
|
option enabled as well.
|
|
|
|
config OPENSSL_WITH_SM234
|
|
bool
|
|
prompt "Enable SM2/3/4 algorithms support"
|
|
help
|
|
These algorithms are a set of "Commercial Cryptography"
|
|
algorithms approved for use in China.
|
|
* SM2 is an EC algorithm equivalent to ECDSA P-256
|
|
* SM3 is a hash function equivalent to SHA-256
|
|
* SM4 is a 128-block cipher equivalent to AES-128
|
|
|
|
config OPENSSL_WITH_BLAKE2
|
|
bool
|
|
prompt "Enable BLAKE2 digest support"
|
|
help
|
|
BLAKE2 is a cryptographic hash function based on the ChaCha
|
|
stream cipher.
|
|
|
|
config OPENSSL_WITH_MDC2
|
|
bool
|
|
default y if !SMALL_FLASH
|
|
prompt "Enable MDC2 digest support (needs legacy provider)"
|
|
help
|
|
To use the digest, one must install the libopenssl-legacy
|
|
package, using a main libopenssl package compiled with this
|
|
option enabled as well.
|
|
|
|
config OPENSSL_WITH_WHIRLPOOL
|
|
bool
|
|
default y if !SMALL_FLASH
|
|
prompt "Enable Whirlpool digest support (needs legacy provider)"
|
|
help
|
|
To use the digest, one must install the libopenssl-legacy
|
|
package, using a main libopenssl package compiled with this
|
|
option enabled as well.
|
|
|
|
config OPENSSL_WITH_COMPRESSION
|
|
bool
|
|
prompt "Enable compression support"
|
|
help
|
|
TLS compression is not recommended, as it is deemed insecure.
|
|
The CRIME attack exploits this weakness.
|
|
Even with this option turned on, it is disabled by default, and the
|
|
application must explicitly turn it on.
|
|
|
|
config OPENSSL_WITH_RFC3779
|
|
bool
|
|
prompt "Enable RFC3779 support (BGP)"
|
|
help
|
|
RFC 3779 defines two X.509 v3 certificate extensions. The first
|
|
binds a list of IP address blocks, or prefixes, to the subject of a
|
|
certificate. The second binds a list of autonomous system
|
|
identifiers to the subject of a certificate. These extensions may be
|
|
used to convey the authorization of the subject to use the IP
|
|
addresses and autonomous system identifiers contained in the
|
|
extensions.
|
|
|
|
comment "Engine/Hardware Support"
|
|
|
|
config OPENSSL_ENGINE
|
|
bool "Enable engine support"
|
|
select OPENSSL_WITH_DEPRECATED
|
|
default y
|
|
help
|
|
This enables alternative cryptography implementations,
|
|
most commonly for interfacing with external crypto devices,
|
|
or supporting new/alternative ciphers and digests.
|
|
If you compile the library with this option disabled, packages built
|
|
using an engine-enabled library (i.e. from the official repo) may
|
|
fail to run. Compile and install the packages with engine support
|
|
disabled, and you should be fine.
|
|
Note that you need to enable KERNEL_AIO to be able to build the
|
|
afalg engine package.
|
|
|
|
config OPENSSL_ENGINE_BUILTIN
|
|
bool "Build chosen engines into libcrypto"
|
|
depends on OPENSSL_ENGINE
|
|
help
|
|
This builds all chosen engines into libcrypto.so, instead of building
|
|
them as dynamic engines in separate packages.
|
|
The benefit of building the engines into libcrypto is that they won't
|
|
require any configuration to be used by default.
|
|
|
|
config OPENSSL_ENGINE_BUILTIN_AFALG
|
|
bool
|
|
prompt "Acceleration support through AF_ALG sockets engine"
|
|
depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
|
|
select PACKAGE_libopenssl-conf
|
|
help
|
|
This enables use of hardware acceleration through the
|
|
AF_ALG kernel interface.
|
|
|
|
config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
|
|
bool
|
|
prompt "Acceleration support through /dev/crypto"
|
|
depends on OPENSSL_ENGINE_BUILTIN
|
|
select PACKAGE_libopenssl-conf
|
|
help
|
|
This enables use of hardware acceleration through OpenBSD
|
|
Cryptodev API (/dev/crypto) interface.
|
|
Even though configuration is not strictly needed, it is worth seeing
|
|
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
|
|
for information on how to configure the engine.
|
|
|
|
config OPENSSL_ENGINE_BUILTIN_PADLOCK
|
|
bool
|
|
prompt "VIA Padlock Acceleration support engine"
|
|
depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
|
|
select PACKAGE_libopenssl-conf
|
|
help
|
|
This enables use of hardware acceleration through the
|
|
VIA Padlock module.
|
|
|
|
config OPENSSL_WITH_ASYNC
|
|
bool
|
|
prompt "Enable asynchronous jobs support"
|
|
depends on OPENSSL_ENGINE && USE_GLIBC
|
|
help
|
|
Enables async-aware applications to be able to use OpenSSL to
|
|
initiate crypto operations asynchronously. In order to work
|
|
this will require the presence of an async capable engine.
|
|
|
|
endif
|