openssl: change defaults: ENGINE:on, NPN:off, misc
[openwrt/staging/ynezz.git] / package / libs / openssl / Config.in
if PACKAGE_libopenssl

comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
	bool
	default y if x86_64 || i386
	prompt "Enable optimization for speed instead of size"
	select OPENSSL_WITH_ASM
	help
	  Enabling this option increases code size (around 20%) and
	  performance. The increase in performance and size depends on the
	  target CPU. EC and AES seem to benefit the most, with EC speed
	  increased by 20%-50% (mipsel & x86).
	  AES-GCM is supposed to be 3x faster on x86. YMMV.

config OPENSSL_WITH_ASM
	bool
	default y if !SMALL_FLASH || !arm
	prompt "Compile with optimized assembly code"
	depends on !arc
	help
	  Disabling this option will reduce code size and performance.
	  The increase in performance and size depends on the target
	  CPU and on the algorithms being optimized. As of 1.1.0i*:

	  Platform  Pkg Inc.  Algorithms where assembly is used - ~% Speed Increase
	  aarch64   174K      BN, aes, sha1, sha256, sha512, nist256, poly1305
	  arm       152K      BN, aes, sha1, sha256, sha512, nist256, poly1305
	  i386      183K      BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
	  mipsel    1.5K      BN+97%, aes+4%, sha1+94%, sha256+60%
	  mips64    3.7K      BN, aes, sha1, sha256, sha512, poly1305
	  powerpc   20K       BN, aes, sha1, sha256, sha512, poly1305
	  x86_64    228K      BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%

	  * Only the most common algorithms are shown. Your mileage may vary.
	    BN (bignum) performance was measured using RSA sign/verify.

config OPENSSL_WITH_SSE2
	bool
	default y if !TARGET_x86_legacy && !TARGET_x86_geode
	prompt "Enable use of x86 SSE2 instructions"
	depends on OPENSSL_WITH_ASM && i386
	help
	  Use of SSE2 instructions greatly increases performance (up to
	  3x faster) with a minimal (~0.2%, or 23KB) increase in package
	  size, but it will bring no benefit if your hardware does not
	  support them, such as Geode GX and LX. In this case you may
	  save 23KB by saying no here. AMD Geode NX, and Intel
	  Pentium 4 and above support SSE2.

config OPENSSL_WITH_DEPRECATED
	bool
	default y
	prompt "Include deprecated APIs (See help for a list of packages that need this)"
	help
	  Since openssl 1.1.x is still new to openwrt, some packages
	  requiring this option do not list it as a requirement yet:
	  * freeswitch-stable, freeswitch, python, python3, squid.

config OPENSSL_NO_DEPRECATED
	bool
	default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_ERROR_MESSAGES
	bool
	default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
	prompt "Include error messages"
	help
	  This option aids debugging, but increases package size and
	  memory usage.

comment "Protocol Support"

config OPENSSL_WITH_TLS13
	bool
	default y
	prompt "Enable support for TLS 1.3"
	select OPENSSL_WITH_EC
	help
	  TLS 1.3 is the newest version of the TLS specification.
	  It aims:
	  * to increase the overall security of the protocol,
	    removing outdated algorithms, and encrypting more of the
	    protocol;
	  * to increase performance by reducing the number of round-trips
	    when performing a full handshake.
	  It increases package size by ~4KB.

config OPENSSL_WITH_DTLS
	bool
	prompt "Enable DTLS support"
	help
	  Datagram Transport Layer Security (DTLS) provides TLS-like security
	  for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
	bool
	prompt "Enable NPN support"
	help
	  NPN is a TLS extension, obsoleted and replaced with ALPN,
	  used to negotiate SPDY and HTTP/2.

config OPENSSL_WITH_SRP
	bool
	default y
	prompt "Enable SRP support"
	help
	  The Secure Remote Password protocol (SRP) is an augmented
	  password-authenticated key agreement (PAKE) protocol, specifically
	  designed to work around existing patents.

config OPENSSL_WITH_CMS
	bool
	default y
	prompt "Enable CMS (RFC 5652) support"
	help
	  Cryptographic Message Syntax (CMS) is used to digitally sign,
	  digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC
	bool
	default y
	prompt "Enable elliptic curve support"
	help
	  Elliptic-curve cryptography (ECC) is an approach to public-key
	  cryptography based on the algebraic structure of elliptic curves
	  over finite fields. ECC requires smaller keys compared to non-ECC
	  cryptography to provide equivalent security.

config OPENSSL_WITH_EC2M
	bool
	depends on OPENSSL_WITH_EC
	prompt "Enable ec2m support"
	help
	  This option enables the more efficient, yet less common, binary
	  field elliptic curves.

config OPENSSL_WITH_CHACHA_POLY1305
	bool
	default y
	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
	help
	  ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
	  combining the ChaCha stream cipher with the Poly1305 MAC.
	  It is 3x faster than AES when not using a CPU with AES-specific
	  instructions, as is the case on most embedded devices.

config OPENSSL_PREFER_CHACHA_OVER_GCM
	bool
	default y if !x86_64 && !aarch64
	prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
	depends on OPENSSL_WITH_CHACHA_POLY1305
	help
	  The default openssl preference is for AES-GCM before ChaCha, but
	  that takes into account AES-NI capable chips. That is not the
	  case with most embedded chips, so it may be better to invert
	  that preference. This is just for the default case. The
	  application can always override this.

config OPENSSL_WITH_PSK
	bool
	default y
	prompt "Enable PSK support"
	help
	  Build support for Pre-Shared Key based cipher suites.

comment "Less commonly used build options"

config OPENSSL_WITH_ARIA
	bool
	prompt "Enable ARIA support"
	help
	  ARIA is a block cipher developed in South Korea, based on AES.

config OPENSSL_WITH_CAMELLIA
	bool
	prompt "Enable Camellia cipher support"
	help
	  Camellia is a block cipher with security levels and processing
	  abilities comparable to AES.

config OPENSSL_WITH_IDEA
	bool
	prompt "Enable IDEA cipher support"
	help
	  IDEA is a block cipher with 128-bit keys.

config OPENSSL_WITH_SEED
	bool
	prompt "Enable SEED cipher support"
	help
	  SEED is a block cipher with 128-bit keys broadly used in
	  South Korea, but seldom found elsewhere.

config OPENSSL_WITH_SM234
	bool
	prompt "Enable SM2/3/4 algorithms support"
	help
	  These algorithms are a set of "Commercial Cryptography"
	  algorithms approved for use in China.
	  * SM2 is an EC algorithm equivalent to ECDSA P-256
	  * SM3 is a hash function equivalent to SHA-256
	  * SM4 is a 128-bit block cipher equivalent to AES-128

config OPENSSL_WITH_BLAKE2
	bool
	prompt "Enable BLAKE2 digest support"
	help
	  BLAKE2 is a cryptographic hash function based on the ChaCha
	  stream cipher.

config OPENSSL_WITH_MDC2
	bool
	prompt "Enable MDC2 digest support"

config OPENSSL_WITH_WHIRLPOOL
	bool
	prompt "Enable Whirlpool digest support"

config OPENSSL_WITH_COMPRESSION
	bool
	prompt "Enable compression support"
	help
	  TLS compression is not recommended, as it is deemed insecure.
	  The CRIME attack exploits this weakness.
	  Even with this option turned on, it is disabled by default, and the
	  application must explicitly turn it on.

config OPENSSL_WITH_RFC3779
	bool
	prompt "Enable RFC3779 support (BGP)"
	help
	  RFC 3779 defines two X.509 v3 certificate extensions. The first
	  binds a list of IP address blocks, or prefixes, to the subject of a
	  certificate. The second binds a list of autonomous system
	  identifiers to the subject of a certificate. These extensions may be
	  used to convey the authorization of the subject to use the IP
	  addresses and autonomous system identifiers contained in the
	  extensions.

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
	bool "Enable engine support"
	default y
	help
	  This enables alternative cryptography implementations,
	  most commonly for interfacing with external crypto devices,
	  or supporting new/alternative ciphers and digests.
	  If you compile the library with this option disabled, packages built
	  using an engine-enabled library (i.e. from the official repo) may
	  fail to run. Compile and install the packages with engine support
	  disabled, and you should be fine.
	  Note that you need to enable KERNEL_AIO to be able to build the
	  afalg engine package.

config OPENSSL_ENGINE_BUILTIN
	bool "Build chosen engines into libcrypto"
	depends on OPENSSL_ENGINE
	help
	  This builds all chosen engines into libcrypto.so, instead of building
	  them as dynamic engines in separate packages.
	  The benefit of building the engines into libcrypto is that they won't
	  require any configuration to be used by default.

config OPENSSL_ENGINE_BUILTIN_AFALG
	bool
	prompt "Acceleration support through AF_ALG sockets engine"
	depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO && !LINUX_3_18
	select PACKAGE_libopenssl-conf
	help
	  This enables use of hardware acceleration through the
	  AF_ALG kernel interface.

config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
	bool
	prompt "Acceleration support through /dev/crypto"
	depends on OPENSSL_ENGINE_BUILTIN
	select PACKAGE_libopenssl-conf
	help
	  This enables use of hardware acceleration through the OpenBSD
	  Cryptodev API (/dev/crypto) interface.
	  Even though configuration is not strictly needed, it is worth seeing
	  https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
	  for information on how to configure the engine.

config OPENSSL_ENGINE_BUILTIN_PADLOCK
	bool
	prompt "VIA Padlock Acceleration support engine"
	depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
	select PACKAGE_libopenssl-conf
	help
	  This enables use of hardware acceleration through the
	  VIA Padlock module.

config OPENSSL_WITH_ASYNC
	bool
	prompt "Enable asynchronous jobs support"
	depends on OPENSSL_ENGINE && USE_GLIBC
	help
	  Enables async-aware applications to use OpenSSL to
	  initiate crypto operations asynchronously. In order to work,
	  this requires the presence of an async-capable engine.

config OPENSSL_WITH_GOST
	bool
	prompt "Prepare library for GOST engine"
	depends on OPENSSL_ENGINE
	help
	  This option prepares the library to accept engine support
	  for Russian GOST crypto algorithms.
	  The gost engine is not included in standard openwrt feeds.
	  To build such an engine yourself, see:
	  https://github.com/gost-engine/engine

endif
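The OPENSSL_PREFER_CHACHA_OVER_GCM and "Less commonly used build options" sections above describe what a build should end up with; the following shell script, added here as an example and not part of the OpenWrt Config.in or its build system, audits a built libopenssl for both by parsing `openssl ciphers -v` output. The sample cipher lines embedded in it are constructed, not captured from a real build.

```shell
#!/bin/sh
# Added example, not part of the OpenWrt Config.in above: audit a built
# libopenssl against OPENSSL_PREFER_CHACHA_OVER_GCM and the optional ciphers
# (ARIA, Camellia, SEED, IDEA) by reading `openssl ciphers -v` lines on stdin.

# Prints "chacha" if a ChaCha20-Poly1305 suite is listed before every AES-GCM
# suite, "gcm" if an AES-GCM suite comes first, "none" if neither is present.
first_aead_family() {
    awk '
        /CHACHA20/ && !chacha { chacha = NR }
        /AESGCM/   && !gcm    { gcm = NR }
        END {
            if (!chacha && !gcm)                       print "none"
            else if (chacha && (!gcm || chacha < gcm)) print "chacha"
            else                                       print "gcm"
        }'
}

# Prints the name of every suite whose bulk cipher is one of the optional
# ciphers this Config.in leaves off by default; empty output means none built.
optional_cipher_suites() {
    awk '$1 ~ /ARIA|CAMELLIA|SEED|IDEA/ { print $1 }'
}

# Constructed sample lines in `openssl ciphers -v` format (not from a real
# build): an embedded-style order with ChaCha first, and a desktop-style order
# with AES-GCM first plus a Camellia suite that a lean build should not have.
SAMPLE_CHACHA_FIRST='ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD'
SAMPLE_GCM_FIRST='TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384'

# With --live and an openssl binary on PATH, audit the installed library;
# otherwise run the checks over the constructed samples.
if [ "${1:-}" = "--live" ] && command -v openssl >/dev/null 2>&1; then
    echo "first AEAD family in DEFAULT: $(openssl ciphers -v DEFAULT | first_aead_family)"
    echo "optional cipher suites built in:"
    openssl ciphers -v ALL | optional_cipher_suites
else
    printf '%s\n' "$SAMPLE_CHACHA_FIRST" | first_aead_family    # chacha
    printf '%s\n' "$SAMPLE_GCM_FIRST" | first_aead_family       # gcm
    printf '%s\n' "$SAMPLE_GCM_FIRST" | optional_cipher_suites  # ECDHE-RSA-CAMELLIA256-SHA384
fi
```

Run it on the target router with `--live` to compare the shipped library's actual cipher order against what the selected options were meant to produce.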