package/libs/openssl/Config.in

   1 if PACKAGE_libopenssl
   2
   3 comment "Build Options"
   4
   5 config OPENSSL_OPTIMIZE_SPEED
   6         bool
   7         default y if x86_64 || i386
   8         prompt "Enable optimization for speed instead of size"
   9         select OPENSSL_WITH_ASM
  10         help
  11                 Enabling this option increases code size (around 20%) and
  12                 performance.  The increase in performance and size depends on the
  13                 target CPU. EC and AES seem to benefit the most, with EC speed
  14                 increased by 20%-50% (mipsel & x86).
  15                 AES-GCM is supposed to be 3x faster on x86. YMMV.
  16
  17 config OPENSSL_WITH_ASM
  18         bool
  19         default y if !SMALL_FLASH || !arm
  20         prompt "Compile with optimized assembly code"
  21         depends on !arc
  22         help
  23                 Disabling this option will reduce code size and performance.
  24                 The increase in performance and size depends on the target
  25                 CPU and on the algorithms being optimized.  As of 1.1.0i*:
  26
  27                 Platform  Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
  28                 aarch64   174K     BN, aes, sha1, sha256, sha512, nist256, poly1305
  29                 arm       152K     BN, aes, sha1, sha256, sha512, nist256, poly1305
  30                 i386      183K     BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
  31                 mipsel      1.5K   BN+97%, aes+4%, sha1+94%, sha256+60%
  32                 mips64      3.7K   BN, aes, sha1, sha256, sha512, poly1305
  33                 powerpc    20K     BN, aes, sha1, sha256, sha512, poly1305
  34                 x86_64    228K     BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
  35
  36                 * Only most common algorithms shown. Your mileage may vary.
  37                   BN (bignum) performance was measured using RSA sign/verify.
  38
  39 config OPENSSL_WITH_SSE2
  40         bool
  41         default y if !TARGET_x86_legacy && !TARGET_x86_geode
  42         prompt "Enable use of x86 SSE2 instructions"
  43         depends on OPENSSL_WITH_ASM && i386
  44         help
  45                 Use of SSE2 instructions greatly increase performance (up to
  46                 3x faster) with a minimum (~0.2%, or 23KB) increase in package
  47                 size, but it will bring no benefit if your hardware does not
  48                 support them, such as Geode GX and LX.  In this case you may
  49                 save 23KB by saying yes here.  AMD Geode NX, and Intel
  50                 Pentium 4 and above support SSE2.
  51
  52 config OPENSSL_WITH_DEPRECATED
  53         bool
  54         default y
  55         prompt "Include deprecated APIs (See help for a list of packages that need this)"
  56         help
  57                 Since openssl 1.1.x is still new to openwrt, some packages
  58                 requiring this option do not list it as a requirement yet:
  59                  * freeswitch-stable, freeswitch, python, python3, squid.
  60
  61 config OPENSSL_NO_DEPRECATED
  62         bool
  63         default !OPENSSL_WITH_DEPRECATED
  64
  65 config OPENSSL_WITH_ERROR_MESSAGES
  66         bool
  67         default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
  68         prompt "Include error messages"
  69         help
  70                 This option aids debugging, but increases package size and
  71                 memory usage.
  72
  73 comment "Protocol Support"
  74
  75 config OPENSSL_WITH_TLS13
  76         bool
  77         default y
  78         prompt "Enable support for TLS 1.3"
  79         select OPENSSL_WITH_EC
  80         help
  81                 TLS 1.3 is the newest version of the TLS specification.
  82                 It aims:
  83                  * to increase the overall security of the protocol,
  84                    removing outdated algorithms, and encrypting more of the
  85                    protocol;
  86                  * to increase performance by reducing the number of round-trips
  87                    when performing a full handshake.
  88                 It increases package size by ~4KB.
  89
  90 config OPENSSL_WITH_DTLS
  91         bool
  92         prompt "Enable DTLS support"
  93         help
  94                 Datagram Transport Layer Security (DTLS) provides TLS-like security
  95                 for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
  96
  97 config OPENSSL_WITH_NPN
  98         bool
  99         default y
 100         prompt "Enable NPN support"
 101         help
 102                 NPN is a TLS extension, obsoleted and replaced with ALPN,
 103                 used to negotiate SPDY, and HTTP/2.
 104
 105 config OPENSSL_WITH_SRP
 106         bool
 107         default y
 108         prompt "Enable SRP support"
 109         help
 110                 The Secure Remote Password protocol (SRP) is an augmented
 111                 password-authenticated key agreement (PAKE) protocol, specifically
 112                 designed to work around existing patents.
 113
 114 config OPENSSL_WITH_CMS
 115         bool
 116         default y
 117         prompt "Enable CMS (RFC 5652) support"
 118         help
 119                 Cryptographic Message Syntax (CMS) is used to digitally sign,
 120                 digest, authenticate, or encrypt arbitrary message content.
 121
 122 comment "Algorithm Selection"
 123
 124 config OPENSSL_WITH_EC
 125         bool
 126         default y
 127         prompt "Enable elliptic curve support"
 128         help
 129                 Elliptic-curve cryptography (ECC) is an approach to public-key
 130                 cryptography based on the algebraic structure of elliptic curves
 131                 over finite fields. ECC requires smaller keys compared to non-ECC
 132                 cryptography to provide equivalent security.
 133
 134 config OPENSSL_WITH_EC2M
 135         bool
 136         depends on OPENSSL_WITH_EC
 137         prompt "Enable ec2m support"
 138         help
 139                 This option enables the more efficient, yet less common, binary
 140                 field elliptic curves.
 141
 142 config OPENSSL_WITH_CHACHA_POLY1305
 143         bool
 144         default y
 145         prompt "Enable ChaCha20-Poly1305 ciphersuite support"
 146         help
 147                 ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
 148                 combining ChaCha stream cipher with Poly1305 MAC.
 149                 It is 3x faster than AES, when not using a CPU with AES-specific
 150                 instructions, as is the case of most embedded devices.
 151
 152 config OPENSSL_PREFER_CHACHA_OVER_GCM
 153         bool
 154         default y if !x86_64 && !aarch64
 155         prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
 156         depends on OPENSSL_WITH_CHACHA_POLY1305
 157         help
 158                 The default openssl preference is for AES-GCM before ChaCha, but
 159                 that takes into account AES-NI capable chips.  It is not the
 160                 case with most embedded chips, so it may be better to invert
 161                 that preference.  This is just for the default case. The
 162                 application can always override this.
 163
 164 config OPENSSL_WITH_PSK
 165         bool
 166         default y
 167         prompt "Enable PSK support"
 168         help
 169                 Build support for Pre-Shared Key based cipher suites.
 170
 171 comment "Less commonly used build options"
 172
 173 config OPENSSL_WITH_ARIA
 174         bool
 175         prompt "Enable ARIA support"
 176         help
 177                 ARIA is a block cipher developed in South Korea, based on AES.
 178
 179 config OPENSSL_WITH_CAMELLIA
 180         bool
 181         prompt "Enable Camellia cipher support"
 182         help
 183                 Camellia is a bock cipher with security levels and processing
 184                 abilities comparable to AES.
 185
 186 config OPENSSL_WITH_IDEA
 187         bool
 188         prompt "Enable IDEA cipher support"
 189         help
 190                 IDEA is a block cipher with 128-bit keys.
 191
 192 config OPENSSL_WITH_SEED
 193         bool
 194         prompt "Enable SEED cipher support"
 195         help
 196                 SEED is a block cipher with 128-bit keys broadly used in
 197                 South Korea, but seldom found elsewhere.
 198
 199 config OPENSSL_WITH_SM234
 200         bool
 201         prompt "Enable SM2/3/4 algorithms support"
 202         help
 203                 These algorithms are a set of "Commercial Cryptography"
 204                 algorithms approved for use in China.
 205                   * SM2 is an EC algorithm equivalent to ECDSA P-256
 206                   * SM3 is a hash function equivalent to SHA-256
 207                   * SM4 is a 128-block cipher equivalent to AES-128
 208
 209 config OPENSSL_WITH_BLAKE2
 210         bool
 211         prompt "Enable BLAKE2 digest support"
 212         help
 213                 BLAKE2 is a cryptographic hash function based on the ChaCha
 214                 stream cipher.
 215
 216 config OPENSSL_WITH_MDC2
 217         bool
 218         prompt "Enable MDC2 digest support"
 219
 220 config OPENSSL_WITH_WHIRLPOOL
 221         bool
 222         prompt "Enable Whirlpool digest support"
 223
 224 config OPENSSL_WITH_COMPRESSION
 225         bool
 226         prompt "Enable compression support"
 227         help
 228                 TLS compression is not recommended, as it is deemed insecure.
 229                 The CRIME attack exploits this weakness.
 230                 Even with this option turned on, it is disabled by default, and the
 231                 application must explicitly turn it on.
 232
 233 config OPENSSL_WITH_RFC3779
 234         bool
 235         prompt "Enable RFC3779 support (BGP)"
 236         help
 237                 RFC 3779 defines two X.509 v3 certificate extensions.  The first
 238                 binds a list of IP address blocks, or prefixes, to the subject of a
 239                 certificate.  The second binds a list of autonomous system
 240                 identifiers to the subject of a certificate.  These extensions may be
 241                 used to convey the authorization of the subject to use the IP
 242                 addresses and autonomous system identifiers contained in the
 243                 extensions.
 244
 245 comment "Engine/Hardware Support"
 246
 247 config OPENSSL_ENGINE
 248         bool "Enable engine support"
 249         help
 250                 This enables alternative cryptography implementations,
 251                 most commonly for interfacing with external crypto devices,
 252                 or supporting new/alternative ciphers and digests.
 253                 Note that you need to enable KERNEL_AIO to be able to build the
 254                 afalg engine package.
 255
 256 config OPENSSL_ENGINE_BUILTIN
 257         bool "Build chosen engines into libcrypto"
 258         depends on OPENSSL_ENGINE
 259         help
 260                 This builds all chosen engines into libcrypto.so, instead of building
 261                 them as dynamic engines in separate packages.
 262                 The benefit of building the engines into libcrypto is that they won't
 263                 require any configuration to be used by default.
 264
 265 config OPENSSL_ENGINE_BUILTIN_AFALG
 266         bool
 267         prompt "Acceleration support through AF_ALG sockets engine"
 268         depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO && !LINUX_3_18
 269         select PACKAGE_libopenssl-conf
 270         help
 271                 This enables use of hardware acceleration through the
 272                 AF_ALG kenrel interface.
 273
 274 config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
 275         bool
 276         prompt "Acceleration support through /dev/crypto"
 277         depends on OPENSSL_ENGINE_BUILTIN
 278         select PACKAGE_libopenssl-conf
 279         help
 280                 This enables use of hardware acceleration through OpenBSD
 281                 Cryptodev API (/dev/crypto) interface.
 282
 283 config OPENSSL_ENGINE_BUILTIN_PADLOCK
 284         bool
 285         prompt "VIA Padlock Acceleration support engine"
 286         depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
 287         select PACKAGE_libopenssl-conf
 288         help
 289                 This enables use of hardware acceleration through the
 290                 VIA Padlock module.
 291
 292 config OPENSSL_WITH_ASYNC
 293         bool
 294         prompt "Enable asynchronous jobs support"
 295         depends on OPENSSL_ENGINE && USE_GLIBC
 296         help
 297                 Enables async-aware applications to be able to use OpenSSL to
 298                 initiate crypto operations asynchronously. In order to work
 299                 this will require the presence of an async capable engine.
 300
 301 config OPENSSL_WITH_GOST
 302         bool
 303         prompt "Prepare library for GOST engine"
 304         depends on OPENSSL_ENGINE
 305         help
 306                 This option prepares the library to accept engine support
 307                 for Russian GOST crypto algorithms.
 308                 The gost engine is not included in standard openwrt feeds.
 309                 To build such engine yourself, see:
 310                 https://github.com/gost-engine/engine
 311
 312 endif