openssl: add package for openssl.cnf, misc changes
[openwrt/staging/jogo.git] / package / libs / openssl / Config.in
1 if PACKAGE_libopenssl
2
3 comment "Build Options"
4
5 config OPENSSL_OPTIMIZE_SPEED
6 bool
7 default y if x86_64 || i386
8 prompt "Enable optimization for speed instead of size"
9 select OPENSSL_WITH_ASM
10 help
11 Enabling this option increases code size (around 20%) and
12 performance. The increase in performance and size depends on the
13 target CPU. EC and AES seem to benefit the most, with EC speed
14 increased by 20%-50% (mipsel & x86).
15 AES-GCM is supposed to be 3x faster on x86. YMMV.
16
17 config OPENSSL_WITH_ASM
18 bool
19 default y if !SMALL_FLASH || !arm
20 prompt "Compile with optimized assembly code"
21 depends on !arc
22 help
23 Disabling this option will reduce code size and performance.
24 The increase in performance and size depends on the target
25 CPU and on the algorithms being optimized. As of 1.1.0i*:
26
27 Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
28 aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
29 arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
30 i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
31 mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
32 mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
33 powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
34 x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
35
36 * Only most common algorithms shown. Your mileage may vary.
37 BN (bignum) performance was measured using RSA sign/verify.
38
39 config OPENSSL_WITH_SSE2
40 bool
41 default y if !TARGET_x86_legacy && !TARGET_x86_geode
42 prompt "Enable use of x86 SSE2 instructions"
43 depends on OPENSSL_WITH_ASM && i386
44 help
45 Use of SSE2 instructions greatly increase performance (up to
46 3x faster) with a minimum (~0.2%, or 23KB) increase in package
47 size, but it will bring no benefit if your hardware does not
48 support them, such as Geode GX and LX. In this case you may
49 save 23KB by saying yes here. AMD Geode NX, and Intel
50 Pentium 4 and above support SSE2.
51
52 config OPENSSL_WITH_DEPRECATED
53 bool
54 default y
55 prompt "Include deprecated APIs (See help for a list of packages that need this)"
56 help
57 Since openssl 1.1.x is still new to openwrt, some packages
58 requiring this option do not list it as a requirement yet:
59 * freeswitch-stable, freeswitch, python, python3, squid.
60
61 config OPENSSL_NO_DEPRECATED
62 bool
63 default !OPENSSL_WITH_DEPRECATED
64
65 config OPENSSL_WITH_ERROR_MESSAGES
66 bool
67 default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
68 prompt "Include error messages"
69 help
70 This option aids debugging, but increases package size and
71 memory usage.
72
73 comment "Protocol Support"
74
75 config OPENSSL_WITH_TLS13
76 bool
77 default y
78 prompt "Enable support for TLS 1.3"
79 select OPENSSL_WITH_EC
80 help
81 TLS 1.3 is the newest version of the TLS specification.
82 It aims:
83 * to increase the overall security of the protocol,
84 removing outdated algorithms, and encrypting more of the
85 protocol;
86 * to increase performance by reducing the number of round-trips
87 when performing a full handshake.
88 It increases package size by ~4KB.
89
90 config OPENSSL_WITH_DTLS
91 bool
92 prompt "Enable DTLS support"
93 help
94 Datagram Transport Layer Security (DTLS) provides TLS-like security
95 for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
96
97 config OPENSSL_WITH_NPN
98 bool
99 default y
100 prompt "Enable NPN support"
101 help
102 NPN is a TLS extension, obsoleted and replaced with ALPN,
103 used to negotiate SPDY, and HTTP/2.
104
105 config OPENSSL_WITH_SRP
106 bool
107 default y
108 prompt "Enable SRP support"
109 help
110 The Secure Remote Password protocol (SRP) is an augmented
111 password-authenticated key agreement (PAKE) protocol, specifically
112 designed to work around existing patents.
113
114 config OPENSSL_WITH_CMS
115 bool
116 default y
117 prompt "Enable CMS (RFC 5652) support"
118 help
119 Cryptographic Message Syntax (CMS) is used to digitally sign,
120 digest, authenticate, or encrypt arbitrary message content.
121
122 comment "Algorithm Selection"
123
124 config OPENSSL_WITH_EC
125 bool
126 default y
127 prompt "Enable elliptic curve support"
128 help
129 Elliptic-curve cryptography (ECC) is an approach to public-key
130 cryptography based on the algebraic structure of elliptic curves
131 over finite fields. ECC requires smaller keys compared to non-ECC
132 cryptography to provide equivalent security.
133
134 config OPENSSL_WITH_EC2M
135 bool
136 depends on OPENSSL_WITH_EC
137 prompt "Enable ec2m support"
138 help
139 This option enables the more efficient, yet less common, binary
140 field elliptic curves.
141
142 config OPENSSL_WITH_CHACHA_POLY1305
143 bool
144 default y
145 prompt "Enable ChaCha20-Poly1305 ciphersuite support"
146 help
147 ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
148 combining ChaCha stream cipher with Poly1305 MAC.
149 It is 3x faster than AES, when not using a CPU with AES-specific
150 instructions, as is the case of most embedded devices.
151
152 config OPENSSL_PREFER_CHACHA_OVER_GCM
153 bool
154 default y if !x86_64 && !aarch64
155 prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
156 depends on OPENSSL_WITH_CHACHA_POLY1305
157 help
158 The default openssl preference is for AES-GCM before ChaCha, but
159 that takes into account AES-NI capable chips. It is not the
160 case with most embedded chips, so it may be better to invert
161 that preference. This is just for the default case. The
162 application can always override this.
163
164 config OPENSSL_WITH_PSK
165 bool
166 default y
167 prompt "Enable PSK support"
168 help
169 Build support for Pre-Shared Key based cipher suites.
170
171 comment "Less commonly used build options"
172
173 config OPENSSL_WITH_ARIA
174 bool
175 prompt "Enable ARIA support"
176 help
177 ARIA is a block cipher developed in South Korea, based on AES.
178
179 config OPENSSL_WITH_CAMELLIA
180 bool
181 prompt "Enable Camellia cipher support"
182 help
183 Camellia is a bock cipher with security levels and processing
184 abilities comparable to AES.
185
186 config OPENSSL_WITH_IDEA
187 bool
188 prompt "Enable IDEA cipher support"
189 help
190 IDEA is a block cipher with 128-bit keys.
191
192 config OPENSSL_WITH_SEED
193 bool
194 prompt "Enable SEED cipher support"
195 help
196 SEED is a block cipher with 128-bit keys broadly used in
197 South Korea, but seldom found elsewhere.
198
199 config OPENSSL_WITH_SM234
200 bool
201 prompt "Enable SM2/3/4 algorithms support"
202 help
203 These algorithms are a set of "Commercial Cryptography"
204 algorithms approved for use in China.
205 * SM2 is an EC algorithm equivalent to ECDSA P-256
206 * SM3 is a hash function equivalent to SHA-256
207 * SM4 is a 128-block cipher equivalent to AES-128
208
209 config OPENSSL_WITH_BLAKE2
210 bool
211 prompt "Enable BLAKE2 digest support"
212 help
213 BLAKE2 is a cryptographic hash function based on the ChaCha
214 stream cipher.
215
216 config OPENSSL_WITH_MDC2
217 bool
218 prompt "Enable MDC2 digest support"
219
220 config OPENSSL_WITH_WHIRLPOOL
221 bool
222 prompt "Enable Whirlpool digest support"
223
224 config OPENSSL_WITH_COMPRESSION
225 bool
226 prompt "Enable compression support"
227 help
228 TLS compression is not recommended, as it is deemed insecure.
229 The CRIME attack exploits this weakness.
230 Even with this option turned on, it is disabled by default, and the
231 application must explicitly turn it on.
232
233 config OPENSSL_WITH_RFC3779
234 bool
235 prompt "Enable RFC3779 support (BGP)"
236 help
237 RFC 3779 defines two X.509 v3 certificate extensions. The first
238 binds a list of IP address blocks, or prefixes, to the subject of a
239 certificate. The second binds a list of autonomous system
240 identifiers to the subject of a certificate. These extensions may be
241 used to convey the authorization of the subject to use the IP
242 addresses and autonomous system identifiers contained in the
243 extensions.
244
245 comment "Engine/Hardware Support"
246
247 config OPENSSL_ENGINE
248 bool "Enable engine support"
249 help
250 This enables alternative cryptography implementations,
251 most commonly for interfacing with external crypto devices,
252 or supporting new/alternative ciphers and digests.
253 Note that you need to enable KERNEL_AIO to be able to build the
254 afalg engine package.
255
256 config OPENSSL_ENGINE_CRYPTO
257 bool
258 select OPENSSL_ENGINE
259 select PACKAGE_kmod-cryptodev
260 select PACKAGE_libopenssl-conf
261 prompt "Acceleration support through /dev/crypto"
262 help
263 This enables use of hardware acceleration through OpenBSD
264 Cryptodev API (/dev/crypto) interface.
265 You must install kmod-cryptodev (under Kernel modules, Cryptographic
266 API modules) for /dev/crypto to show up and use hardware
267 acceleration; otherwise it falls back to software.
268
269 config OPENSSL_WITH_ASYNC
270 bool
271 prompt "Enable asynchronous jobs support"
272 depends on OPENSSL_ENGINE && USE_GLIBC
273 help
274 Enables async-aware applications to be able to use OpenSSL to
275 initiate crypto operations asynchronously. In order to work
276 this will require the presence of an async capable engine.
277
278 config OPENSSL_WITH_GOST
279 bool
280 prompt "Prepare library for GOST engine"
281 depends on OPENSSL_ENGINE
282 help
283 This option prepares the library to accept engine support
284 for Russian GOST crypto algorithms.
285 The gost engine is not included in standard openwrt feeds.
286 To build such engine yourself, see:
287 https://github.com/gost-engine/engine
288
289 endif