openssl: add legacy provider
[openwrt/staging/dedeckeh.git] / package / libs / openssl / Config.in
if PACKAGE_libopenssl

comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
	bool
	default y if x86_64 || i386
	prompt "Enable optimization for speed instead of size"
	select OPENSSL_WITH_ASM
	help
		Enabling this option increases code size and performance.
		The increase in performance and size depends on the
		target CPU. EC and AES seem to benefit the most.

config OPENSSL_SMALL_FOOTPRINT
	bool
	depends on !OPENSSL_OPTIMIZE_SPEED
	default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
	prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
	help
		This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
		1-3% of the ipk size. The performance drop depends on
		architecture and algorithm. MIPS drops 13% of performance for
		a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
		size, ghash and GCM performance decreases 90%, while
		Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
		for 3% of performance. Other arches have not been tested.

config OPENSSL_WITH_ASM
	bool
	default y
	prompt "Compile with optimized assembly code"
	depends on !arc
	help
		Disabling this option will reduce code size and performance.
		The increase in performance and size depends on the target
		CPU and on the algorithms being optimized.

config OPENSSL_WITH_SSE2
	bool
	default y if !TARGET_x86_legacy && !TARGET_x86_geode
	prompt "Enable use of x86 SSE2 instructions"
	depends on OPENSSL_WITH_ASM && i386
	help
		Use of SSE2 instructions greatly increases performance with a
		minimal increase in package size, but it will bring no benefit
		if your hardware does not support them, such as Geode GX and LX.
		AMD Geode NX, and Intel Pentium 4 and above support SSE2.

config OPENSSL_WITH_DEPRECATED
	bool
	default y
	prompt "Include deprecated APIs"
	help
		Disabling this option drops all deprecated API, including
		engine support.

config OPENSSL_NO_DEPRECATED
	bool
	default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_ERROR_MESSAGES
	bool
	default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
	prompt "Include error messages"
	help
		This option aids debugging, but increases package size and
		memory usage.

comment "Protocol Support"

config OPENSSL_WITH_TLS13
	bool
	default y
	prompt "Enable support for TLS 1.3"
	help
		TLS 1.3 is the newest version of the TLS specification.
		It aims:
		 * to increase the overall security of the protocol,
		   removing outdated algorithms, and encrypting more of the
		   protocol;
		 * to increase performance by reducing the number of round-trips
		   when performing a full handshake.

config OPENSSL_WITH_DTLS
	bool
	prompt "Enable DTLS support"
	help
		Datagram Transport Layer Security (DTLS) provides TLS-like security
		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
	bool
	prompt "Enable NPN support"
	help
		NPN is a TLS extension, obsoleted and replaced with ALPN,
		used to negotiate SPDY, and HTTP/2.

config OPENSSL_WITH_SRP
	bool
	default y
	prompt "Enable SRP support"
	help
		The Secure Remote Password protocol (SRP) is an augmented
		password-authenticated key agreement (PAKE) protocol, specifically
		designed to work around existing patents.

config OPENSSL_WITH_CMS
	bool
	default y
	prompt "Enable CMS (RFC 5652) support"
	help
		Cryptographic Message Syntax (CMS) is used to digitally sign,
		digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC2M
	bool
	prompt "Enable ec2m support"
	help
		This option enables the more efficient, yet less common, binary
		field elliptic curves.

config OPENSSL_WITH_CHACHA_POLY1305
	bool
	default y
	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
	help
		ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
		combining the ChaCha20 stream cipher with the Poly1305 MAC.
		It is 3x faster than AES when not using a CPU with AES-specific
		instructions, as is the case with most embedded devices.

config OPENSSL_PREFER_CHACHA_OVER_GCM
	bool
	default y if !x86_64 && !aarch64
	prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
	depends on OPENSSL_WITH_CHACHA_POLY1305
	help
		The default openssl preference is for AES-GCM before ChaCha, but
		that takes into account AES-NI capable chips. That is not the
		case with most embedded chips, so it may be better to invert
		that preference. This is just for the default case. The
		application can always override this.

config OPENSSL_WITH_PSK
	bool
	default y
	prompt "Enable PSK support"
	help
		Build support for Pre-Shared Key based cipher suites.

comment "Less commonly used build options"

config OPENSSL_WITH_ARIA
	bool
	prompt "Enable ARIA support"
	help
		ARIA is a block cipher developed in South Korea, based on AES.

config OPENSSL_WITH_CAMELLIA
	bool
	prompt "Enable Camellia cipher support"
	help
		Camellia is a block cipher with security levels and processing
		abilities comparable to AES.

config OPENSSL_WITH_IDEA
	bool
	default y if !SMALL_FLASH
	prompt "Enable IDEA cipher support (needs legacy provider)"
	help
		IDEA is a block cipher with 128-bit keys.
		To use the cipher, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_SEED
	bool
	default y if !SMALL_FLASH
	prompt "Enable SEED cipher support (needs legacy provider)"
	help
		SEED is a block cipher with 128-bit keys broadly used in
		South Korea, but seldom found elsewhere.
		To use the cipher, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_SM234
	bool
	prompt "Enable SM2/3/4 algorithms support"
	help
		These algorithms are a set of "Commercial Cryptography"
		algorithms approved for use in China.
		 * SM2 is an EC algorithm equivalent to ECDSA P-256
		 * SM3 is a hash function equivalent to SHA-256
		 * SM4 is a 128-bit block cipher equivalent to AES-128

config OPENSSL_WITH_BLAKE2
	bool
	prompt "Enable BLAKE2 digest support"
	help
		BLAKE2 is a cryptographic hash function based on the ChaCha
		stream cipher.

config OPENSSL_WITH_MDC2
	bool
	default y if !SMALL_FLASH
	prompt "Enable MDC2 digest support (needs legacy provider)"
	help
		To use the digest, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_WHIRLPOOL
	bool
	default y if !SMALL_FLASH
	prompt "Enable Whirlpool digest support (needs legacy provider)"
	help
		To use the digest, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_COMPRESSION
	bool
	prompt "Enable compression support"
	help
		TLS compression is not recommended, as it is deemed insecure.
		The CRIME attack exploits this weakness.
		Even with this option turned on, it is disabled by default, and the
		application must explicitly turn it on.

config OPENSSL_WITH_RFC3779
	bool
	prompt "Enable RFC3779 support (BGP)"
	help
		RFC 3779 defines two X.509 v3 certificate extensions. The first
		binds a list of IP address blocks, or prefixes, to the subject of a
		certificate. The second binds a list of autonomous system
		identifiers to the subject of a certificate. These extensions may be
		used to convey the authorization of the subject to use the IP
		addresses and autonomous system identifiers contained in the
		extensions.

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
	bool "Enable engine support"
	select OPENSSL_WITH_DEPRECATED
	default y
	help
		This enables alternative cryptography implementations,
		most commonly for interfacing with external crypto devices,
		or supporting new/alternative ciphers and digests.
		If you compile the library with this option disabled, packages built
		using an engine-enabled library (i.e. from the official repo) may
		fail to run. Compile and install the packages with engine support
		disabled, and you should be fine.
		Note that you need to enable KERNEL_AIO to be able to build the
		afalg engine package.

config OPENSSL_ENGINE_BUILTIN
	bool "Build chosen engines into libcrypto"
	depends on OPENSSL_ENGINE
	help
		This builds all chosen engines into libcrypto.so, instead of building
		them as dynamic engines in separate packages.
		The benefit of building the engines into libcrypto is that they won't
		require any configuration to be used by default.

config OPENSSL_ENGINE_BUILTIN_AFALG
	bool
	prompt "Acceleration support through AF_ALG sockets engine"
	depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through the
		AF_ALG kernel interface.

config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
	bool
	prompt "Acceleration support through /dev/crypto"
	depends on OPENSSL_ENGINE_BUILTIN
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through the OpenBSD
		Cryptodev API (/dev/crypto) interface.
		Even though configuration is not strictly needed, it is worth seeing
		https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
		for information on how to configure the engine.

config OPENSSL_ENGINE_BUILTIN_PADLOCK
	bool
	prompt "VIA Padlock Acceleration support engine"
	depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through the
		VIA Padlock module.

config OPENSSL_WITH_ASYNC
	bool
	prompt "Enable asynchronous jobs support"
	depends on OPENSSL_ENGINE && USE_GLIBC
	help
		Enables async-aware applications to be able to use OpenSSL to
		initiate crypto operations asynchronously. In order to work
		this will require the presence of an async capable engine.

endif
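The options marked "needs legacy provider" (IDEA, SEED, MDC2, Whirlpool) and the built-in devcrypto engine entry both leave the actual wiring to the OpenSSL configuration file that libopenssl-conf installs as /etc/ssl/openssl.cnf. The fragment below is an added example, not part of this Config.in or of the OpenWrt package: it activates the legacy provider next to the default provider and registers the devcrypto engine. The section names are conventional and can be anything as long as the references match; USE_SOFTDRIVERS is a control of the devcrypto engine that this page does not mention, and the comment next to it describes its meaning as assumed here.

```ini
# Added example openssl.cnf for OpenSSL 3 on an OpenWrt box built with
# the legacy-provider options above. Not the project's own file.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
engines   = engine_sect

# Provider section: once any provider is configured here, OpenSSL no
# longer auto-loads "default", so it must be activated explicitly or
# every non-legacy algorithm (AES, SHA-2, TLS itself) disappears.
[provider_sect]
default = default_sect
legacy  = legacy_sect

[default_sect]
activate = 1

# Exposes the algorithms libopenssl-legacy provides (IDEA, SEED, MDC2,
# Whirlpool and the other legacy ciphers and digests) to every process
# that reads this file. Keep this scoped to hosts that really need them.
[legacy_sect]
activate = 1

# Engine section for the built-in devcrypto engine (/dev/crypto).
[engine_sect]
devcrypto = devcrypto_sect

[devcrypto_sect]
# Register the engine's implementations as the defaults for all the
# algorithms it offers.
default_algorithms = ALL
# Assumed meaning (engine control, not from the page): 0 = only use
# algorithms the kernel reports as hardware-accelerated, so software
# fallbacks inside the kernel are not used through the slow syscall path.
USE_SOFTDRIVERS = 0
```

With this in place, `openssl list -providers` should show both default and legacy, and `openssl enc -idea-cbc` works without extra flags. The same result for a single invocation, without touching the system-wide file, is `openssl enc -idea-cbc -provider legacy -provider default ...`, and an application can do the equivalent with `OSSL_PROVIDER_load(NULL, "legacy")` followed by `OSSL_PROVIDER_load(NULL, "default")`. A build with OPENSSL_WITH_IDEA disabled does not make the cipher appear simply because the provider is activated; the main libopenssl must have been compiled with the option, as the help text above says.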