openssl: update to version 1.1.1a
[openwrt/staging/jogo.git] / package / libs / openssl / Config.in
if PACKAGE_libopenssl

comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
	bool
	prompt "Enable optimization for speed instead of size"
	select OPENSSL_WITH_ASM
	help
		Enabling this option increases code size (around 20%) and
		performance.  The increase in performance and size depends on the
		target CPU. EC and AES seem to benefit the most, with EC speed
		increased by 20%-50% (mipsel & x86).
		AES-GCM is supposed to be 3x faster on x86. YMMV.

config OPENSSL_WITH_ASM
	bool
	default y
	prompt "Compile with optimized assembly code"
	depends on !arc
	help
		Disabling this option will reduce code size and performance.
		The increase in performance and size depends on the target
		CPU and on the algorithms being optimized.  As of 1.1.0i*:

		  Platform  Pkg Inc.  Algorithms where assembly is used - ~% Speed Increase
		  aarch64   174K      BN, aes, sha1, sha256, sha512, nist256, poly1305
		  arm       152K      BN, aes, sha1, sha256, sha512, nist256, poly1305
		  i386      183K      BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
		  mipsel    1.5K      BN+97%, aes+4%, sha1+94%, sha256+60%
		  mips64    3.7K      BN, aes, sha1, sha256, sha512, poly1305
		  powerpc   20K       BN, aes, sha1, sha256, sha512, poly1305
		  x86_64    228K      BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%

		* Only most common algorithms shown. Your mileage may vary.
		  BN (bignum) performance was measured using RSA sign/verify.

config OPENSSL_WITH_SSE2
	bool
	default y if !TARGET_x86_legacy && !TARGET_x86_geode
	prompt "Enable use of x86 SSE2 instructions"
	depends on OPENSSL_WITH_ASM && i386
	help
		Use of SSE2 instructions greatly increases performance (up to
		3x faster) with a minimal (~0.2%, or 23KB) increase in package
		size, but it will bring no benefit if your hardware does not
		support them, such as Geode GX and LX.  In this case you may
		save 23KB by saying yes here.  AMD Geode NX, and Intel
		Pentium 4 and above support SSE2.

config OPENSSL_WITH_DEPRECATED
	bool
	default y
	prompt "Include deprecated APIs (See help for a list of packages that need this)"
	help
		Since openssl 1.1.x is still new to openwrt, some packages
		requiring this option do not list it as a requirement yet:
		 * freeswitch-stable, freeswitch, python, python3, squid.

config OPENSSL_NO_DEPRECATED
	bool
	default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_ERROR_MESSAGES
	bool
	prompt "Include error messages"
	help
		This option aids debugging, but increases package size and
		memory usage.

comment "Protocol Support"

config OPENSSL_WITH_TLS13
	bool
	default y
	prompt "Enable support for TLS 1.3"
	select OPENSSL_WITH_EC
	help
		TLS 1.3 is the newest version of the TLS specification.
		It aims:
		 * to increase the overall security of the protocol,
		   removing outdated algorithms, and encrypting more of the
		   protocol;
		 * to increase performance by reducing the number of round-trips
		   when performing a full handshake.
		It increases package size by ~4KB.

config OPENSSL_WITH_DTLS
	bool
	prompt "Enable DTLS support"
	help
		Datagram Transport Layer Security (DTLS) provides TLS-like security
		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
	bool
	default y
	prompt "Enable NPN support"
	help
		NPN is a TLS extension, obsoleted and replaced with ALPN,
		used to negotiate SPDY, and HTTP/2.

config OPENSSL_WITH_SRP
	bool
	default y
	prompt "Enable SRP support"
	help
		The Secure Remote Password protocol (SRP) is an augmented
		password-authenticated key agreement (PAKE) protocol, specifically
		designed to work around existing patents.

config OPENSSL_WITH_CMS
	bool
	default y
	prompt "Enable CMS (RFC 5652) support"
	help
		Cryptographic Message Syntax (CMS) is used to digitally sign,
		digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC
	bool
	default y
	prompt "Enable elliptic curve support"
	help
		Elliptic-curve cryptography (ECC) is an approach to public-key
		cryptography based on the algebraic structure of elliptic curves
		over finite fields. ECC requires smaller keys compared to non-ECC
		cryptography to provide equivalent security.

config OPENSSL_WITH_EC2M
	bool
	depends on OPENSSL_WITH_EC
	prompt "Enable ec2m support"
	help
		This option enables the more efficient, yet less common, binary
		field elliptic curves.

config OPENSSL_WITH_CHACHA_POLY1305
	bool
	default y
	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
	help
		ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
		combining ChaCha stream cipher with Poly1305 MAC.
		It is 3x faster than AES, when not using a CPU with AES-specific
		instructions, as is the case of most embedded devices.

config OPENSSL_WITH_PSK
	bool
	default y
	prompt "Enable PSK support"
	help
		Build support for Pre-Shared Key based cipher suites.

comment "Less commonly used build options"

config OPENSSL_WITH_ARIA
	bool
	prompt "Enable ARIA support"
	help
		ARIA is a block cipher developed in South Korea, based on AES.

config OPENSSL_WITH_CAMELLIA
	bool
	prompt "Enable Camellia cipher support"
	help
		Camellia is a block cipher with security levels and processing
		abilities comparable to AES.

config OPENSSL_WITH_IDEA
	bool
	prompt "Enable IDEA cipher support"
	help
		IDEA is a block cipher with 128-bit keys.

config OPENSSL_WITH_SEED
	bool
	prompt "Enable SEED cipher support"
	help
		SEED is a block cipher with 128-bit keys broadly used in
		South Korea, but seldom found elsewhere.

config OPENSSL_WITH_SM234
	bool
	prompt "Enable SM2/3/4 algorithms support"
	help
		These algorithms are a set of "Commercial Cryptography"
		algorithms approved for use in China.
		 * SM2 is an EC algorithm equivalent to ECDSA P-256
		 * SM3 is a hash function equivalent to SHA-256
		 * SM4 is a 128-bit block cipher equivalent to AES-128

config OPENSSL_WITH_BLAKE2
	bool
	prompt "Enable BLAKE2 digest support"
	help
		BLAKE2 is a cryptographic hash function based on the ChaCha
		stream cipher.

config OPENSSL_WITH_MDC2
	bool
	prompt "Enable MDC2 digest support"

config OPENSSL_WITH_WHIRLPOOL
	bool
	prompt "Enable Whirlpool digest support"

config OPENSSL_WITH_COMPRESSION
	bool
	prompt "Enable compression support"
	help
		TLS compression is not recommended, as it is deemed insecure.
		The CRIME attack exploits this weakness.
		Even with this option turned on, it is disabled by default, and the
		application must explicitly turn it on.

config OPENSSL_WITH_RFC3779
	bool
	prompt "Enable RFC3779 support (BGP)"
	help
		RFC 3779 defines two X.509 v3 certificate extensions.  The first
		binds a list of IP address blocks, or prefixes, to the subject of a
		certificate.  The second binds a list of autonomous system
		identifiers to the subject of a certificate.  These extensions may be
		used to convey the authorization of the subject to use the IP
		addresses and autonomous system identifiers contained in the
		extensions.

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
	bool "Enable engine support"
	help
		This enables alternative cryptography implementations,
		most commonly for interfacing with external crypto devices,
		or supporting new/alternative ciphers and digests.

config OPENSSL_ENGINE_CRYPTO
	bool
	select OPENSSL_ENGINE
	select PACKAGE_kmod-cryptodev
	prompt "Acceleration support through /dev/crypto"
	help
		This enables use of hardware acceleration through OpenBSD
		Cryptodev API (/dev/crypto) interface.
		You must install kmod-cryptodev (under Kernel modules, Cryptographic
		API modules) for /dev/crypto to show up and use hardware
		acceleration; otherwise it falls back to software.

config OPENSSL_WITH_ASYNC
	bool
	prompt "Enable asynchronous jobs support"
	depends on OPENSSL_ENGINE && USE_GLIBC
	help
		Enables async-aware applications to be able to use OpenSSL to
		initiate crypto operations asynchronously. In order to work
		this will require the presence of an async capable engine.

config OPENSSL_WITH_GOST
	bool
	prompt "Prepare library for GOST engine"
	depends on OPENSSL_ENGINE
	help
		This option prepares the library to accept engine support
		for Russian GOST crypto algorithms.
		The gost engine is not included in standard openwrt feeds.
		To build such an engine yourself, see:
		https://github.com/gost-engine/engine

endif
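An added example, not part of the OpenWrt tree: a small audit of a build `.config` against the security-relevant help texts in this Config.in (compression, NPN, deprecated APIs, TLS 1.3, and the "less commonly used" algorithms). The severity labels, the function names and the sample `.config` are assumptions of this example; the `CONFIG_` prefix is how the build system writes these symbols into `.config`.

```python
import re

# Policy from this Config.in's help texts; severity labels are this example's assumption.
FLAG_IF_ENABLED = {
    "OPENSSL_WITH_COMPRESSION": ("high", "TLS compression is deemed insecure (CRIME)"),
    "OPENSSL_WITH_NPN": ("low", "NPN is obsoleted and replaced with ALPN"),
    "OPENSSL_WITH_DEPRECATED": ("info", "deprecated APIs are compiled in"),
}
FLAG_IF_DISABLED = {"OPENSSL_WITH_TLS13": ("medium", "TLS 1.3 support is not built")}
# Options listed under 'Less commonly used build options'.
LESS_COMMON = ("ARIA", "CAMELLIA", "IDEA", "SEED", "SM234", "BLAKE2", "MDC2", "WHIRLPOOL")
RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}
SET_RE = re.compile(r"^CONFIG_(\w+)=(.*)$")
UNSET_RE = re.compile(r"^# CONFIG_(\w+) is not set$")

def parse_dotconfig(text):
    """Return {symbol: bool} for every symbol in a Kconfig .config."""
    state = {}
    for line in map(str.strip, text.splitlines()):
        if m := SET_RE.match(line):
            state[m.group(1)] = m.group(2) in ("y", "m")
        elif m := UNSET_RE.match(line):
            state[m.group(1)] = False
    return state

def audit(text):
    """Return (severity, symbol, reason) findings, most severe first."""
    state = parse_dotconfig(text)
    if not state.get("PACKAGE_libopenssl"):
        return []  # the options only exist inside 'if PACKAGE_libopenssl'
    findings = [(sev, s, why) for s, (sev, why) in FLAG_IF_ENABLED.items() if state.get(s)]
    findings += [(sev, s, why) for s, (sev, why) in FLAG_IF_DISABLED.items() if not state.get(s)]
    findings += [("info", "OPENSSL_WITH_" + n, "less commonly used algorithm enabled")
                 for n in LESS_COMMON if state.get("OPENSSL_WITH_" + n)]
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))

# Constructed sample .config fragment (not from a real build).
SAMPLE = """\
CONFIG_PACKAGE_libopenssl=y
CONFIG_OPENSSL_WITH_COMPRESSION=y
CONFIG_OPENSSL_WITH_NPN=y
# CONFIG_OPENSSL_WITH_TLS13 is not set
# CONFIG_OPENSSL_WITH_DEPRECATED is not set
CONFIG_OPENSSL_WITH_SEED=y
"""

if __name__ == "__main__":
    for sev, sym, why in audit(SAMPLE):
        print(f"{sev:6} {sym}: {why}")
```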