X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fopenwrt.git;a=blobdiff_plain;f=package%2Flibs%2Fopenssl%2FConfig.in;h=d1281ec6fa09b5f6fd3de5f7c7758668ebc6286d;hp=70d520cd1c7c9c85ad63b7cfa2136a1193c33013;hb=da10d4a7795ec0bf55c665ff74eceab930623959;hpb=96bb7c123b8b47dfc43002edf4a52aceb410f852 diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index 70d520cd1c..d1281ec6fa 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -1,13 +1,307 @@ -menu "Configuration" - depends on PACKAGE_libopenssl +if PACKAGE_libopenssl -config OPENSSL_ENGINE_CRYPTO +comment "Build Options" + +config OPENSSL_OPTIMIZE_SPEED + bool + default y if x86_64 || i386 + prompt "Enable optimization for speed instead of size" + select OPENSSL_WITH_ASM + help + Enabling this option increases code size (around 20%) and + performance. The increase in performance and size depends on the + target CPU. EC and AES seem to benefit the most, with EC speed + increased by 20%-50% (mipsel & x86). + AES-GCM is supposed to be 3x faster on x86. YMMV. + +config OPENSSL_WITH_ASM + bool + default y if !SMALL_FLASH || !arm + prompt "Compile with optimized assembly code" + depends on !arc + help + Disabling this option will reduce code size and performance. + The increase in performance and size depends on the target + CPU and on the algorithms being optimized. As of 1.1.0i*: + + Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase + aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305 + arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305 + i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292% + mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60% + mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305 + powerpc 20K BN, aes, sha1, sha256, sha512, poly1305 + x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228% + + * Only most common algorithms shown. Your mileage may vary. + BN (bignum) performance was measured using RSA sign/verify. + +config OPENSSL_WITH_SSE2 + bool + default y if !TARGET_x86_legacy && !TARGET_x86_geode + prompt "Enable use of x86 SSE2 instructions" + depends on OPENSSL_WITH_ASM && i386 + help + Use of SSE2 instructions greatly increase performance (up to + 3x faster) with a minimum (~0.2%, or 23KB) increase in package + size, but it will bring no benefit if your hardware does not + support them, such as Geode GX and LX. In this case you may + save 23KB by saying yes here. AMD Geode NX, and Intel + Pentium 4 and above support SSE2. + +config OPENSSL_WITH_DEPRECATED + bool + default y + prompt "Include deprecated APIs (See help for a list of packages that need this)" + help + Since openssl 1.1.x is still new to openwrt, some packages + requiring this option do not list it as a requirement yet: + * freeswitch-stable, freeswitch, python, python3, squid. + +config OPENSSL_NO_DEPRECATED + bool + default !OPENSSL_WITH_DEPRECATED + +config OPENSSL_WITH_ERROR_MESSAGES + bool + default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT + prompt "Include error messages" + help + This option aids debugging, but increases package size and + memory usage. + +comment "Protocol Support" + +config OPENSSL_WITH_TLS13 + bool + default y + prompt "Enable support for TLS 1.3" + help + TLS 1.3 is the newest version of the TLS specification. + It aims: + * to increase the overall security of the protocol, + removing outdated algorithms, and encrypting more of the + protocol; + * to increase performance by reducing the number of round-trips + when performing a full handshake. + It increases package size by ~4KB. + +config OPENSSL_WITH_DTLS + bool + prompt "Enable DTLS support" + help + Datagram Transport Layer Security (DTLS) provides TLS-like security + for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications. + +config OPENSSL_WITH_NPN + bool + prompt "Enable NPN support" + help + NPN is a TLS extension, obsoleted and replaced with ALPN, + used to negotiate SPDY, and HTTP/2. + +config OPENSSL_WITH_SRP + bool + default y + prompt "Enable SRP support" + help + The Secure Remote Password protocol (SRP) is an augmented + password-authenticated key agreement (PAKE) protocol, specifically + designed to work around existing patents. + +config OPENSSL_WITH_CMS + bool + default y + prompt "Enable CMS (RFC 5652) support" + help + Cryptographic Message Syntax (CMS) is used to digitally sign, + digest, authenticate, or encrypt arbitrary message content. + +comment "Algorithm Selection" + +config OPENSSL_WITH_EC2M + bool + prompt "Enable ec2m support" + help + This option enables the more efficient, yet less common, binary + field elliptic curves. + +config OPENSSL_WITH_CHACHA_POLY1305 + bool + default y + prompt "Enable ChaCha20-Poly1305 ciphersuite support" + help + ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys, + combining ChaCha stream cipher with Poly1305 MAC. + It is 3x faster than AES, when not using a CPU with AES-specific + instructions, as is the case of most embedded devices. + +config OPENSSL_PREFER_CHACHA_OVER_GCM + bool + default y if !x86_64 && !aarch64 + prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default" + depends on OPENSSL_WITH_CHACHA_POLY1305 + help + The default openssl preference is for AES-GCM before ChaCha, but + that takes into account AES-NI capable chips. It is not the + case with most embedded chips, so it may be better to invert + that preference. This is just for the default case. The + application can always override this. + +config OPENSSL_WITH_PSK + bool + default y + prompt "Enable PSK support" + help + Build support for Pre-Shared Key based cipher suites. + +comment "Less commonly used build options" + +config OPENSSL_WITH_ARIA + bool + prompt "Enable ARIA support" + help + ARIA is a block cipher developed in South Korea, based on AES. + +config OPENSSL_WITH_CAMELLIA + bool + prompt "Enable Camellia cipher support" + help + Camellia is a bock cipher with security levels and processing + abilities comparable to AES. + +config OPENSSL_WITH_IDEA + bool + prompt "Enable IDEA cipher support" + help + IDEA is a block cipher with 128-bit keys. + +config OPENSSL_WITH_SEED + bool + prompt "Enable SEED cipher support" + help + SEED is a block cipher with 128-bit keys broadly used in + South Korea, but seldom found elsewhere. + +config OPENSSL_WITH_SM234 + bool + prompt "Enable SM2/3/4 algorithms support" + help + These algorithms are a set of "Commercial Cryptography" + algorithms approved for use in China. + * SM2 is an EC algorithm equivalent to ECDSA P-256 + * SM3 is a hash function equivalent to SHA-256 + * SM4 is a 128-block cipher equivalent to AES-128 + +config OPENSSL_WITH_BLAKE2 + bool + prompt "Enable BLAKE2 digest support" + help + BLAKE2 is a cryptographic hash function based on the ChaCha + stream cipher. + +config OPENSSL_WITH_MDC2 + bool + prompt "Enable MDC2 digest support" + +config OPENSSL_WITH_WHIRLPOOL + bool + prompt "Enable Whirlpool digest support" + +config OPENSSL_WITH_COMPRESSION + bool + prompt "Enable compression support" + help + TLS compression is not recommended, as it is deemed insecure. + The CRIME attack exploits this weakness. + Even with this option turned on, it is disabled by default, and the + application must explicitly turn it on. + +config OPENSSL_WITH_RFC3779 + bool + prompt "Enable RFC3779 support (BGP)" + help + RFC 3779 defines two X.509 v3 certificate extensions. The first + binds a list of IP address blocks, or prefixes, to the subject of a + certificate. The second binds a list of autonomous system + identifiers to the subject of a certificate. These extensions may be + used to convey the authorization of the subject to use the IP + addresses and autonomous system identifiers contained in the + extensions. + +comment "Engine/Hardware Support" + +config OPENSSL_ENGINE + bool "Enable engine support" + default y + help + This enables alternative cryptography implementations, + most commonly for interfacing with external crypto devices, + or supporting new/alternative ciphers and digests. + If you compile the library with this option disabled, packages built + using an engine-enabled library (i.e. from the official repo) may + fail to run. Compile and install the packages with engine support + disabled, and you should be fine. + Note that you need to enable KERNEL_AIO to be able to build the + afalg engine package. + +config OPENSSL_ENGINE_BUILTIN + bool "Build chosen engines into libcrypto" + depends on OPENSSL_ENGINE + help + This builds all chosen engines into libcrypto.so, instead of building + them as dynamic engines in separate packages. + The benefit of building the engines into libcrypto is that they won't + require any configuration to be used by default. + +config OPENSSL_ENGINE_BUILTIN_AFALG + bool + prompt "Acceleration support through AF_ALG sockets engine" + depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO + select PACKAGE_libopenssl-conf + help + This enables use of hardware acceleration through the + AF_ALG kernel interface. + +config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO + bool + prompt "Acceleration support through /dev/crypto" + depends on OPENSSL_ENGINE_BUILTIN + select PACKAGE_libopenssl-conf + help + This enables use of hardware acceleration through OpenBSD + Cryptodev API (/dev/crypto) interface. + Even though configuration is not strictly needed, it is worth seeing + https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators + for information on how to configure the engine. + +config OPENSSL_ENGINE_BUILTIN_PADLOCK + bool + prompt "VIA Padlock Acceleration support engine" + depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86 + select PACKAGE_libopenssl-conf + help + This enables use of hardware acceleration through the + VIA Padlock module. + +config OPENSSL_WITH_ASYNC bool - prompt "Crypto acceleration support" + prompt "Enable asynchronous jobs support" + depends on OPENSSL_ENGINE && USE_GLIBC + help + Enables async-aware applications to be able to use OpenSSL to + initiate crypto operations asynchronously. In order to work + this will require the presence of an async capable engine. -config OPENSSL_ENGINE_DIGEST +config OPENSSL_WITH_GOST bool - depends on OPENSSL_ENGINE_CRYPTO - prompt "Digests acceleration support" + prompt "Prepare library for GOST engine" + depends on OPENSSL_ENGINE + help + This option prepares the library to accept engine support + for Russian GOST crypto algorithms. + The gost engine is not included in standard openwrt feeds. + To build such engine yourself, see: + https://github.com/gost-engine/engine -endmenu +endif