projects / openwrt / staging / dedeckeh.git / blob
? search:


b948aab7093fdb4fec316fc19902f10675d7616c
[openwrt/staging/dedeckeh.git] / package / libs / openssl / Config.in
1 if PACKAGE_libopenssl
2
3 comment "Build Options"
4
5 config OPENSSL_OPTIMIZE_SPEED
6 bool
7 default y if x86_64 || i386
8 prompt "Enable optimization for speed instead of size"
9 select OPENSSL_WITH_ASM
10 help
11 Enabling this option increases code size and performance.
12 The increase in performance and size depends on the
13 target CPU. EC and AES seem to benefit the most.
14
15 config OPENSSL_SMALL_FOOTPRINT
16 bool
17 depends on !OPENSSL_OPTIMIZE_SPEED
18 default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
19 prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
20 help
21 This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
22 1-3% of of the ipk size. The performance drop depends on
23 architecture and algorithm. MIPS drops 13% of performance for
24 a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
25 size, ghash and GCM performance decreases 90%, while
26 Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
27 for 3% of performance. Other arches have not been tested.
28
29 config OPENSSL_WITH_ASM
30 bool
31 default y
32 prompt "Compile with optimized assembly code"
33 depends on !arc
34 help
35 Disabling this option will reduce code size and performance.
36 The increase in performance and size depends on the target
37 CPU and on the algorithms being optimized.
38
39 config OPENSSL_WITH_SSE2
40 bool
41 default y if !TARGET_x86_legacy && !TARGET_x86_geode
42 prompt "Enable use of x86 SSE2 instructions"
43 depends on OPENSSL_WITH_ASM && i386
44 help
45 Use of SSE2 instructions greatly increase performance with a
46 minimum increase in package size, but it will bring no benefit
47 if your hardware does not support them, such as Geode GX and LX.
48 AMD Geode NX, and Intel Pentium 4 and above support SSE2.
49
50 config OPENSSL_WITH_DEPRECATED
51 bool
52 default y
53 prompt "Include deprecated APIs"
54 help
55 This drops all deprecated API, including engine support.
56
57 config OPENSSL_NO_DEPRECATED
58 bool
59 default !OPENSSL_WITH_DEPRECATED
60
61 config OPENSSL_WITH_ERROR_MESSAGES
62 bool
63 default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
64 prompt "Include error messages"
65 help
66 This option aids debugging, but increases package size and
67 memory usage.
68
69 comment "Protocol Support"
70
71 config OPENSSL_WITH_TLS13
72 bool
73 default y
74 prompt "Enable support for TLS 1.3"
75 help
76 TLS 1.3 is the newest version of the TLS specification.
77 It aims:
78 * to increase the overall security of the protocol,
79 removing outdated algorithms, and encrypting more of the
80 protocol;
81 * to increase performance by reducing the number of round-trips
82 when performing a full handshake.
83
84 config OPENSSL_WITH_DTLS
85 bool
86 prompt "Enable DTLS support"
87 help
88 Datagram Transport Layer Security (DTLS) provides TLS-like security
89 for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
90
91 config OPENSSL_WITH_NPN
92 bool
93 prompt "Enable NPN support"
94 help
95 NPN is a TLS extension, obsoleted and replaced with ALPN,
96 used to negotiate SPDY, and HTTP/2.
97
98 config OPENSSL_WITH_SRP
99 bool
100 default y
101 prompt "Enable SRP support"
102 help
103 The Secure Remote Password protocol (SRP) is an augmented
104 password-authenticated key agreement (PAKE) protocol, specifically
105 designed to work around existing patents.
106
107 config OPENSSL_WITH_CMS
108 bool
109 default y
110 prompt "Enable CMS (RFC 5652) support"
111 help
112 Cryptographic Message Syntax (CMS) is used to digitally sign,
113 digest, authenticate, or encrypt arbitrary message content.
114
115 comment "Algorithm Selection"
116
117 config OPENSSL_WITH_EC2M
118 bool
119 prompt "Enable ec2m support"
120 help
121 This option enables the more efficient, yet less common, binary
122 field elliptic curves.
123
124 config OPENSSL_WITH_CHACHA_POLY1305
125 bool
126 default y
127 prompt "Enable ChaCha20-Poly1305 ciphersuite support"
128 help
129 ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
130 combining ChaCha stream cipher with Poly1305 MAC.
131 It is 3x faster than AES, when not using a CPU with AES-specific
132 instructions, as is the case of most embedded devices.
133
134 config OPENSSL_PREFER_CHACHA_OVER_GCM
135 bool
136 default y if !x86_64 && !aarch64
137 prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
138 depends on OPENSSL_WITH_CHACHA_POLY1305
139 help
140 The default openssl preference is for AES-GCM before ChaCha, but
141 that takes into account AES-NI capable chips. It is not the
142 case with most embedded chips, so it may be better to invert
143 that preference. This is just for the default case. The
144 application can always override this.
145
146 config OPENSSL_WITH_PSK
147 bool
148 default y
149 prompt "Enable PSK support"
150 help
151 Build support for Pre-Shared Key based cipher suites.
152
153 comment "Less commonly used build options"
154
155 config OPENSSL_WITH_ARIA
156 bool
157 prompt "Enable ARIA support"
158 help
159 ARIA is a block cipher developed in South Korea, based on AES.
160
161 config OPENSSL_WITH_CAMELLIA
162 bool
163 prompt "Enable Camellia cipher support"
164 help
165 Camellia is a bock cipher with security levels and processing
166 abilities comparable to AES.
167
168 config OPENSSL_WITH_IDEA
169 bool
170 prompt "Enable IDEA cipher support"
171 help
172 IDEA is a block cipher with 128-bit keys.
173
174 config OPENSSL_WITH_SEED
175 bool
176 prompt "Enable SEED cipher support"
177 help
178 SEED is a block cipher with 128-bit keys broadly used in
179 South Korea, but seldom found elsewhere.
180
181 config OPENSSL_WITH_SM234
182 bool
183 prompt "Enable SM2/3/4 algorithms support"
184 help
185 These algorithms are a set of "Commercial Cryptography"
186 algorithms approved for use in China.
187 * SM2 is an EC algorithm equivalent to ECDSA P-256
188 * SM3 is a hash function equivalent to SHA-256
189 * SM4 is a 128-block cipher equivalent to AES-128
190
191 config OPENSSL_WITH_BLAKE2
192 bool
193 prompt "Enable BLAKE2 digest support"
194 help
195 BLAKE2 is a cryptographic hash function based on the ChaCha
196 stream cipher.
197
198 config OPENSSL_WITH_MDC2
199 bool
200 prompt "Enable MDC2 digest support"
201
202 config OPENSSL_WITH_WHIRLPOOL
203 bool
204 prompt "Enable Whirlpool digest support"
205
206 config OPENSSL_WITH_COMPRESSION
207 bool
208 prompt "Enable compression support"
209 help
210 TLS compression is not recommended, as it is deemed insecure.
211 The CRIME attack exploits this weakness.
212 Even with this option turned on, it is disabled by default, and the
213 application must explicitly turn it on.
214
215 config OPENSSL_WITH_RFC3779
216 bool
217 prompt "Enable RFC3779 support (BGP)"
218 help
219 RFC 3779 defines two X.509 v3 certificate extensions. The first
220 binds a list of IP address blocks, or prefixes, to the subject of a
221 certificate. The second binds a list of autonomous system
222 identifiers to the subject of a certificate. These extensions may be
223 used to convey the authorization of the subject to use the IP
224 addresses and autonomous system identifiers contained in the
225 extensions.
226
227 comment "Engine/Hardware Support"
228
229 config OPENSSL_ENGINE
230 bool "Enable engine support"
231 select OPENSSL_WITH_DEPRECATED
232 default y
233 help
234 This enables alternative cryptography implementations,
235 most commonly for interfacing with external crypto devices,
236 or supporting new/alternative ciphers and digests.
237 If you compile the library with this option disabled, packages built
238 using an engine-enabled library (i.e. from the official repo) may
239 fail to run. Compile and install the packages with engine support
240 disabled, and you should be fine.
241 Note that you need to enable KERNEL_AIO to be able to build the
242 afalg engine package.
243
244 config OPENSSL_ENGINE_BUILTIN
245 bool "Build chosen engines into libcrypto"
246 depends on OPENSSL_ENGINE
247 help
248 This builds all chosen engines into libcrypto.so, instead of building
249 them as dynamic engines in separate packages.
250 The benefit of building the engines into libcrypto is that they won't
251 require any configuration to be used by default.
252
253 config OPENSSL_ENGINE_BUILTIN_AFALG
254 bool
255 prompt "Acceleration support through AF_ALG sockets engine"
256 depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
257 select PACKAGE_libopenssl-conf
258 help
259 This enables use of hardware acceleration through the
260 AF_ALG kernel interface.
261
262 config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
263 bool
264 prompt "Acceleration support through /dev/crypto"
265 depends on OPENSSL_ENGINE_BUILTIN
266 select PACKAGE_libopenssl-conf
267 help
268 This enables use of hardware acceleration through OpenBSD
269 Cryptodev API (/dev/crypto) interface.
270 Even though configuration is not strictly needed, it is worth seeing
271 https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
272 for information on how to configure the engine.
273
274 config OPENSSL_ENGINE_BUILTIN_PADLOCK
275 bool
276 prompt "VIA Padlock Acceleration support engine"
277 depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
278 select PACKAGE_libopenssl-conf
279 help
280 This enables use of hardware acceleration through the
281 VIA Padlock module.
282
283 config OPENSSL_WITH_ASYNC
284 bool
285 prompt "Enable asynchronous jobs support"
286 depends on OPENSSL_ENGINE && USE_GLIBC
287 help
288 Enables async-aware applications to be able to use OpenSSL to
289 initiate crypto operations asynchronously. In order to work
290 this will require the presence of an async capable engine.
291
292 endif
Staging tree of dedeckeh