openssl: bump to 3.0.8
openwrt/openwrt.git: package/libs/openssl/Config.in
if PACKAGE_libopenssl

comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
	bool
	default y if x86_64 || i386
	prompt "Enable optimization for speed instead of size"
	select OPENSSL_WITH_ASM
	help
	  Enabling this option increases code size and performance.
	  The increase in performance and size depends on the
	  target CPU. EC and AES seem to benefit the most.

config OPENSSL_WITH_ASM
	bool
	default y if !SMALL_FLASH || !arm
	prompt "Compile with optimized assembly code"
	depends on !arc
	help
	  Disabling this option will reduce code size and performance.
	  The increase in performance and size depends on the target
	  CPU and on the algorithms being optimized.

config OPENSSL_WITH_SSE2
	bool
	default y if !TARGET_x86_legacy && !TARGET_x86_geode
	prompt "Enable use of x86 SSE2 instructions"
	depends on OPENSSL_WITH_ASM && i386
	help
	  Use of SSE2 instructions greatly increases performance with a
	  minimal increase in package size, but it brings no benefit if
	  your hardware does not support them, such as Geode GX and LX.
	  AMD Geode NX, and Intel Pentium 4 and above, support SSE2.

config OPENSSL_WITH_DEPRECATED
	bool
	default y
	prompt "Include deprecated APIs"
	help
	  Disabling this option drops all deprecated APIs, including
	  engine support.

config OPENSSL_NO_DEPRECATED
	bool
	default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_ERROR_MESSAGES
	bool
	default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
	prompt "Include error messages"
	help
	  This option aids debugging, but increases package size and
	  memory usage.

comment "Protocol Support"

config OPENSSL_WITH_TLS13
	bool
	default y
	prompt "Enable support for TLS 1.3"
	help
	  TLS 1.3 is the newest version of the TLS specification.
	  It aims:
	   * to increase the overall security of the protocol,
	     removing outdated algorithms, and encrypting more of the
	     protocol;
	   * to increase performance by reducing the number of round-trips
	     when performing a full handshake.

config OPENSSL_WITH_DTLS
	bool
	prompt "Enable DTLS support"
	help
	  Datagram Transport Layer Security (DTLS) provides TLS-like security
	  for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
	bool
	prompt "Enable NPN support"
	help
	  NPN is a TLS extension, obsoleted and replaced with ALPN,
	  used to negotiate SPDY and HTTP/2.

config OPENSSL_WITH_SRP
	bool
	default y
	prompt "Enable SRP support"
	help
	  The Secure Remote Password protocol (SRP) is an augmented
	  password-authenticated key agreement (PAKE) protocol, specifically
	  designed to work around existing patents.

config OPENSSL_WITH_CMS
	bool
	default y
	prompt "Enable CMS (RFC 5652) support"
	help
	  Cryptographic Message Syntax (CMS) is used to digitally sign,
	  digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC2M
	bool
	prompt "Enable ec2m support"
	help
	  This option enables the more efficient, yet less common, binary
	  field elliptic curves.

config OPENSSL_WITH_CHACHA_POLY1305
	bool
	default y
	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
	help
	  ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
	  combining the ChaCha stream cipher with the Poly1305 MAC.
	  It is 3x faster than AES when not using a CPU with AES-specific
	  instructions, as is the case for most embedded devices.

config OPENSSL_PREFER_CHACHA_OVER_GCM
	bool
	default y if !x86_64 && !aarch64
	prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
	depends on OPENSSL_WITH_CHACHA_POLY1305
	help
	  The default openssl preference is for AES-GCM before ChaCha, but
	  that assumes AES-NI capable chips. This is not the case with most
	  embedded chips, so it may be better to invert that preference.
	  This only sets the default; the application can always override it.

config OPENSSL_WITH_PSK
	bool
	default y
	prompt "Enable PSK support"
	help
	  Build support for Pre-Shared Key based cipher suites.

comment "Less commonly used build options"

config OPENSSL_WITH_ARIA
	bool
	prompt "Enable ARIA support"
	help
	  ARIA is a block cipher developed in South Korea, based on AES.

config OPENSSL_WITH_CAMELLIA
	bool
	prompt "Enable Camellia cipher support"
	help
	  Camellia is a block cipher with security levels and processing
	  abilities comparable to AES.

config OPENSSL_WITH_IDEA
	bool
	prompt "Enable IDEA cipher support"
	help
	  IDEA is a block cipher with 128-bit keys.

config OPENSSL_WITH_SEED
	bool
	prompt "Enable SEED cipher support"
	help
	  SEED is a block cipher with 128-bit keys broadly used in
	  South Korea, but seldom found elsewhere.

config OPENSSL_WITH_SM234
	bool
	prompt "Enable SM2/3/4 algorithms support"
	help
	  These algorithms are a set of "Commercial Cryptography"
	  algorithms approved for use in China.
	   * SM2 is an EC algorithm equivalent to ECDSA P-256
	   * SM3 is a hash function equivalent to SHA-256
	   * SM4 is a 128-bit block cipher equivalent to AES-128

config OPENSSL_WITH_BLAKE2
	bool
	prompt "Enable BLAKE2 digest support"
	help
	  BLAKE2 is a cryptographic hash function based on the ChaCha
	  stream cipher.

config OPENSSL_WITH_MDC2
	bool
	prompt "Enable MDC2 digest support"

config OPENSSL_WITH_WHIRLPOOL
	bool
	prompt "Enable Whirlpool digest support"

config OPENSSL_WITH_COMPRESSION
	bool
	prompt "Enable compression support"
	help
	  TLS compression is not recommended, as it is deemed insecure.
	  The CRIME attack exploits this weakness.
	  Even with this option turned on, it is disabled by default, and the
	  application must explicitly turn it on.

config OPENSSL_WITH_RFC3779
	bool
	prompt "Enable RFC3779 support (BGP)"
	help
	  RFC 3779 defines two X.509 v3 certificate extensions. The first
	  binds a list of IP address blocks, or prefixes, to the subject of a
	  certificate. The second binds a list of autonomous system
	  identifiers to the subject of a certificate. These extensions may be
	  used to convey the authorization of the subject to use the IP
	  addresses and autonomous system identifiers contained in the
	  extensions.

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
	bool "Enable engine support"
	select OPENSSL_WITH_DEPRECATED
	default y
	help
	  This enables alternative cryptography implementations,
	  most commonly for interfacing with external crypto devices,
	  or supporting new/alternative ciphers and digests.
	  If you compile the library with this option disabled, packages built
	  using an engine-enabled library (e.g. from the official repo) may
	  fail to run. Compile and install the packages with engine support
	  disabled, and you should be fine.
	  Note that you need to enable KERNEL_AIO to be able to build the
	  afalg engine package.

config OPENSSL_ENGINE_BUILTIN
	bool "Build chosen engines into libcrypto"
	depends on OPENSSL_ENGINE
	help
	  This builds all chosen engines into libcrypto.so, instead of building
	  them as dynamic engines in separate packages.
	  The benefit of building the engines into libcrypto is that they won't
	  require any configuration to be used by default.

config OPENSSL_ENGINE_BUILTIN_AFALG
	bool
	prompt "Acceleration support through AF_ALG sockets engine"
	depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
	select PACKAGE_libopenssl-conf
	help
	  This enables use of hardware acceleration through the
	  AF_ALG kernel interface.

config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
	bool
	prompt "Acceleration support through /dev/crypto"
	depends on OPENSSL_ENGINE_BUILTIN
	select PACKAGE_libopenssl-conf
	help
	  This enables use of hardware acceleration through the OpenBSD
	  Cryptodev API (/dev/crypto) interface.
	  Even though configuration is not strictly needed, it is worth seeing
	  https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
	  for information on how to configure the engine.

config OPENSSL_ENGINE_BUILTIN_PADLOCK
	bool
	prompt "VIA Padlock Acceleration support engine"
	depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
	select PACKAGE_libopenssl-conf
	help
	  This enables use of hardware acceleration through the
	  VIA Padlock module.

config OPENSSL_WITH_ASYNC
	bool
	prompt "Enable asynchronous jobs support"
	depends on OPENSSL_ENGINE && USE_GLIBC
	help
	  Enables async-aware applications to use OpenSSL to initiate
	  crypto operations asynchronously. For this to work, an
	  async-capable engine must be present.

endif
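The `default`, `select` and `depends on` clauses above interact in ways that matter for the attack surface of the resulting library: for instance, OPENSSL_ENGINE selects OPENSSL_WITH_DEPRECATED, so a build that keeps engine support can never set OPENSSL_NO_DEPRECATED. The following added example (not part of OpenWrt or of OpenSSL; the `Target` class is a constructed stand-in for the target symbols such as SMALL_FLASH or KERNEL_AIO) evaluates the bool symbols of this Config.in for a given target profile and set of user choices, so the effective configuration can be checked before a build.

```python
from dataclasses import dataclass

@dataclass
class Target:
    """Constructed stand-in for the OpenWrt target symbols this Config.in tests."""
    arch: str                  # "x86_64", "i386", "arm", "aarch64", "arc", "mips", ...
    small_flash: bool = False  # SMALL_FLASH
    low_memory: bool = False   # LOW_MEMORY_FOOTPRINT
    glibc: bool = False        # USE_GLIBC
    kernel_aio: bool = False   # KERNEL_AIO
    legacy_x86: bool = False   # TARGET_x86_legacy or TARGET_x86_geode subtarget

def resolve(t: Target, chosen: dict = None) -> dict:
    """Evaluate the OPENSSL_* bool symbols of package/libs/openssl/Config.in.
    `chosen` maps a symbol (without the OPENSSL_ prefix) to an explicit user
    choice; everything else takes its `default`. As in Kconfig, `select`
    forces a symbol on regardless of its dependencies, while an unmet
    `depends on` forces it off."""
    c = dict(chosen or {})
    pick = lambda sym, default: c.get(sym, default)
    cfg = {}
    cfg["OPTIMIZE_SPEED"] = pick("OPTIMIZE_SPEED", t.arch in ("x86_64", "i386"))
    # default y if !SMALL_FLASH || !arm; depends on !arc; selected by OPTIMIZE_SPEED
    asm_default = not t.small_flash or t.arch != "arm"
    cfg["WITH_ASM"] = cfg["OPTIMIZE_SPEED"] or (pick("WITH_ASM", asm_default) and t.arch != "arc")
    cfg["WITH_SSE2"] = (pick("WITH_SSE2", not t.legacy_x86)
                        and cfg["WITH_ASM"] and t.arch == "i386")
    cfg["ENGINE"] = pick("ENGINE", True)
    # ENGINE selects WITH_DEPRECATED: the deprecated API surface stays in the
    # library whenever engine support is kept, whatever the user chose for it.
    cfg["WITH_DEPRECATED"] = pick("WITH_DEPRECATED", True) or cfg["ENGINE"]
    cfg["NO_DEPRECATED"] = not cfg["WITH_DEPRECATED"]
    cfg["WITH_ERROR_MESSAGES"] = pick("WITH_ERROR_MESSAGES",
                                      not t.small_flash and not t.low_memory)
    cfg["WITH_CHACHA_POLY1305"] = pick("WITH_CHACHA_POLY1305", True)
    # ChaCha is preferred unless the target normally has AES instructions
    cfg["PREFER_CHACHA_OVER_GCM"] = (pick("PREFER_CHACHA_OVER_GCM",
                                          t.arch not in ("x86_64", "aarch64"))
                                     and cfg["WITH_CHACHA_POLY1305"])
    cfg["ENGINE_BUILTIN"] = pick("ENGINE_BUILTIN", False) and cfg["ENGINE"]
    cfg["ENGINE_BUILTIN_AFALG"] = (pick("ENGINE_BUILTIN_AFALG", False)
                                   and cfg["ENGINE_BUILTIN"] and t.kernel_aio)
    cfg["WITH_ASYNC"] = pick("WITH_ASYNC", False) and cfg["ENGINE"] and t.glibc
    return cfg

if __name__ == "__main__":
    # A small-flash MIPS router with engine support turned off by the user
    for k, v in resolve(Target("mips", small_flash=True), {"ENGINE": False}).items():
        print(f"OPENSSL_{k}={'y' if v else 'n'}")
```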