kernel: Add missing config option
[openwrt/openwrt.git] / package / libs / openssl / Config.in
if PACKAGE_libopenssl

comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
	bool
	default y if x86_64 || i386
	prompt "Enable optimization for speed instead of size"
	select OPENSSL_WITH_ASM
	help
	  Enabling this option increases code size (around 20%) and
	  performance. The increase in performance and size depends on the
	  target CPU. EC and AES seem to benefit the most, with EC speed
	  increased by 20%-50% (mipsel & x86).
	  AES-GCM is supposed to be 3x faster on x86. YMMV.

config OPENSSL_WITH_ASM
	bool
	default y if !SMALL_FLASH || !arm
	prompt "Compile with optimized assembly code"
	depends on !arc
	help
	  Disabling this option will reduce code size and performance.
	  The increase in performance and size depends on the target
	  CPU and on the algorithms being optimized. As of 1.1.0i*:

	  Platform  Pkg Inc.  Algorithms where assembly is used - ~% Speed Increase
	  aarch64   174K      BN, aes, sha1, sha256, sha512, nist256, poly1305
	  arm       152K      BN, aes, sha1, sha256, sha512, nist256, poly1305
	  i386      183K      BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
	  mipsel    1.5K      BN+97%, aes+4%, sha1+94%, sha256+60%
	  mips64    3.7K      BN, aes, sha1, sha256, sha512, poly1305
	  powerpc   20K       BN, aes, sha1, sha256, sha512, poly1305
	  x86_64    228K      BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%

	  * Only most common algorithms shown. Your mileage may vary.
	    BN (bignum) performance was measured using RSA sign/verify.

config OPENSSL_WITH_SSE2
	bool
	default y if !TARGET_x86_legacy && !TARGET_x86_geode
	prompt "Enable use of x86 SSE2 instructions"
	depends on OPENSSL_WITH_ASM && i386
	help
	  Use of SSE2 instructions greatly increases performance (up to
	  3x faster) with a minimal (~0.2%, or 23KB) increase in package
	  size, but it will bring no benefit if your hardware does not
	  support them, such as Geode GX and LX. In this case you may
	  save 23KB by saying no here. AMD Geode NX, and Intel
	  Pentium 4 and above support SSE2.

config OPENSSL_WITH_DEPRECATED
	bool
	default y
	prompt "Include deprecated APIs (See help for a list of packages that need this)"
	help
	  Since openssl 1.1.x is still new to openwrt, some packages
	  requiring this option do not list it as a requirement yet:
	   * freeswitch-stable, freeswitch, python, python3, squid.

config OPENSSL_NO_DEPRECATED
	bool
	default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_ERROR_MESSAGES
	bool
	default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
	prompt "Include error messages"
	help
	  This option aids debugging, but increases package size and
	  memory usage.

comment "Protocol Support"

config OPENSSL_WITH_TLS13
	bool
	default y
	prompt "Enable support for TLS 1.3"
	help
	  TLS 1.3 is the newest version of the TLS specification.
	  It aims:
	   * to increase the overall security of the protocol,
	     removing outdated algorithms, and encrypting more of the
	     protocol;
	   * to increase performance by reducing the number of round-trips
	     when performing a full handshake.
	  It increases package size by ~4KB.

config OPENSSL_WITH_DTLS
	bool
	prompt "Enable DTLS support"
	help
	  Datagram Transport Layer Security (DTLS) provides TLS-like security
	  for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
	bool
	prompt "Enable NPN support"
	help
	  NPN is a TLS extension, obsoleted and replaced with ALPN,
	  used to negotiate SPDY, and HTTP/2.

config OPENSSL_WITH_SRP
	bool
	default y
	prompt "Enable SRP support"
	help
	  The Secure Remote Password protocol (SRP) is an augmented
	  password-authenticated key agreement (PAKE) protocol, specifically
	  designed to work around existing patents.

config OPENSSL_WITH_CMS
	bool
	default y
	prompt "Enable CMS (RFC 5652) support"
	help
	  Cryptographic Message Syntax (CMS) is used to digitally sign,
	  digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC2M
	bool
	prompt "Enable ec2m support"
	help
	  This option enables the more efficient, yet less common, binary
	  field elliptic curves.

config OPENSSL_WITH_CHACHA_POLY1305
	bool
	default y
	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
	help
	  ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
	  combining ChaCha stream cipher with Poly1305 MAC.
	  It is 3x faster than AES, when not using a CPU with AES-specific
	  instructions, as is the case of most embedded devices.

config OPENSSL_PREFER_CHACHA_OVER_GCM
	bool
	default y if !x86_64 && !aarch64
	prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
	depends on OPENSSL_WITH_CHACHA_POLY1305
	help
	  The default openssl preference is for AES-GCM before ChaCha, but
	  that takes into account AES-NI capable chips. It is not the
	  case with most embedded chips, so it may be better to invert
	  that preference. This is just for the default case. The
	  application can always override this.

config OPENSSL_WITH_PSK
	bool
	default y
	prompt "Enable PSK support"
	help
	  Build support for Pre-Shared Key based cipher suites.

comment "Less commonly used build options"

config OPENSSL_WITH_ARIA
	bool
	prompt "Enable ARIA support"
	help
	  ARIA is a block cipher developed in South Korea, based on AES.

config OPENSSL_WITH_CAMELLIA
	bool
	prompt "Enable Camellia cipher support"
	help
	  Camellia is a block cipher with security levels and processing
	  abilities comparable to AES.

config OPENSSL_WITH_IDEA
	bool
	prompt "Enable IDEA cipher support"
	help
	  IDEA is a block cipher with 128-bit keys.

config OPENSSL_WITH_SEED
	bool
	prompt "Enable SEED cipher support"
	help
	  SEED is a block cipher with 128-bit keys broadly used in
	  South Korea, but seldom found elsewhere.

config OPENSSL_WITH_SM234
	bool
	prompt "Enable SM2/3/4 algorithms support"
	help
	  These algorithms are a set of "Commercial Cryptography"
	  algorithms approved for use in China.
	   * SM2 is an EC algorithm equivalent to ECDSA P-256
	   * SM3 is a hash function equivalent to SHA-256
	   * SM4 is a 128-bit block cipher equivalent to AES-128

config OPENSSL_WITH_BLAKE2
	bool
	prompt "Enable BLAKE2 digest support"
	help
	  BLAKE2 is a cryptographic hash function based on the ChaCha
	  stream cipher.

config OPENSSL_WITH_MDC2
	bool
	prompt "Enable MDC2 digest support"

config OPENSSL_WITH_WHIRLPOOL
	bool
	prompt "Enable Whirlpool digest support"

config OPENSSL_WITH_COMPRESSION
	bool
	prompt "Enable compression support"
	help
	  TLS compression is not recommended, as it is deemed insecure.
	  The CRIME attack exploits this weakness.
	  Even with this option turned on, it is disabled by default, and the
	  application must explicitly turn it on.

config OPENSSL_WITH_RFC3779
	bool
	prompt "Enable RFC3779 support (BGP)"
	help
	  RFC 3779 defines two X.509 v3 certificate extensions. The first
	  binds a list of IP address blocks, or prefixes, to the subject of a
	  certificate. The second binds a list of autonomous system
	  identifiers to the subject of a certificate. These extensions may be
	  used to convey the authorization of the subject to use the IP
	  addresses and autonomous system identifiers contained in the
	  extensions.

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
	bool "Enable engine support"
	default y
	help
	  This enables alternative cryptography implementations,
	  most commonly for interfacing with external crypto devices,
	  or supporting new/alternative ciphers and digests.
	  If you compile the library with this option disabled, packages built
	  using an engine-enabled library (i.e. from the official repo) may
	  fail to run. Compile and install the packages with engine support
	  disabled, and you should be fine.
	  Note that you need to enable KERNEL_AIO to be able to build the
	  afalg engine package.

config OPENSSL_ENGINE_BUILTIN
	bool "Build chosen engines into libcrypto"
	depends on OPENSSL_ENGINE
	help
	  This builds all chosen engines into libcrypto.so, instead of building
	  them as dynamic engines in separate packages.
	  The benefit of building the engines into libcrypto is that they won't
	  require any configuration to be used by default.

config OPENSSL_ENGINE_BUILTIN_AFALG
	bool
	prompt "Acceleration support through AF_ALG sockets engine"
	depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
	select PACKAGE_libopenssl-conf
	help
	  This enables use of hardware acceleration through the
	  AF_ALG kernel interface.

config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
	bool
	prompt "Acceleration support through /dev/crypto"
	depends on OPENSSL_ENGINE_BUILTIN
	select PACKAGE_libopenssl-conf
	help
	  This enables use of hardware acceleration through OpenBSD
	  Cryptodev API (/dev/crypto) interface.
	  Even though configuration is not strictly needed, it is worth seeing
	  https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
	  for information on how to configure the engine.

config OPENSSL_ENGINE_BUILTIN_PADLOCK
	bool
	prompt "VIA Padlock Acceleration support engine"
	depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
	select PACKAGE_libopenssl-conf
	help
	  This enables use of hardware acceleration through the
	  VIA Padlock module.

config OPENSSL_WITH_ASYNC
	bool
	prompt "Enable asynchronous jobs support"
	depends on OPENSSL_ENGINE && USE_GLIBC
	help
	  Enables async-aware applications to be able to use OpenSSL to
	  initiate crypto operations asynchronously. In order to work
	  this will require the presence of an async capable engine.

endif
295
296 endif