Config.in 9.5 KB

if PACKAGE_libopenssl

comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
	bool
	default y if x86_64 || i386
	prompt "Enable optimization for speed instead of size"
	select OPENSSL_WITH_ASM
	help
		Enabling this option increases code size and performance.
		The increase in performance and size depends on the
		target CPU. EC and AES seem to benefit the most.

config OPENSSL_SMALL_FOOTPRINT
	bool
	depends on !OPENSSL_OPTIMIZE_SPEED
	default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
	prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
	help
		This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
		1-3% of the ipk size. The performance drop depends on
		architecture and algorithm. MIPS drops 13% of performance for
		a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
		size, ghash and GCM performance decreases 90%, while
		Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
		for 3% of performance. Other arches have not been tested.

config OPENSSL_WITH_ASM
	bool
	default y
	prompt "Compile with optimized assembly code"
	depends on !arc
	help
		Disabling this option will reduce code size and performance.
		The increase in performance and size depends on the target
		CPU and on the algorithms being optimized.

config OPENSSL_WITH_SSE2
	bool
	default y if !TARGET_x86_legacy && !TARGET_x86_geode
	prompt "Enable use of x86 SSE2 instructions"
	depends on OPENSSL_WITH_ASM && i386
	help
		Use of SSE2 instructions greatly increases performance with a
		minimal increase in package size, but it brings no benefit
		if your hardware does not support them, such as Geode GX and LX.
		AMD Geode NX and Intel Pentium 4 and above support SSE2.

config OPENSSL_WITH_DEPRECATED
	bool
	default y
	prompt "Include deprecated APIs"
	help
		Disabling this drops all deprecated API, including engine support.

config OPENSSL_NO_DEPRECATED
	bool
	default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_ERROR_MESSAGES
	bool
	default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
	prompt "Include error messages"
	help
		This option aids debugging, but increases package size and
		memory usage.

comment "Protocol Support"

config OPENSSL_WITH_TLS13
	bool
	default y
	prompt "Enable support for TLS 1.3"
	help
		TLS 1.3 is the newest version of the TLS specification.
		It aims:
		 * to increase the overall security of the protocol,
		   removing outdated algorithms, and encrypting more of the
		   protocol;
		 * to increase performance by reducing the number of round-trips
		   when performing a full handshake.

config OPENSSL_WITH_DTLS
	bool
	prompt "Enable DTLS support"
	help
		Datagram Transport Layer Security (DTLS) provides TLS-like security
		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
	bool
	prompt "Enable NPN support"
	help
		NPN is a TLS extension, obsoleted and replaced by ALPN,
		that was used to negotiate SPDY and HTTP/2.

config OPENSSL_WITH_SRP
	bool
	default y
	prompt "Enable SRP support"
	help
		The Secure Remote Password protocol (SRP) is an augmented
		password-authenticated key agreement (PAKE) protocol, specifically
		designed to work around existing patents.

config OPENSSL_WITH_CMS
	bool
	default y
	prompt "Enable CMS (RFC 5652) support"
	help
		Cryptographic Message Syntax (CMS) is used to digitally sign,
		digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC2M
	bool
	prompt "Enable ec2m support"
	help
		This option enables the more efficient, yet less common, binary
		field elliptic curves.

config OPENSSL_WITH_CHACHA_POLY1305
	bool
	default y
	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
	help
		ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
		combining the ChaCha stream cipher with the Poly1305 MAC.
		It is 3x faster than AES when not using a CPU with AES-specific
		instructions, as is the case for most embedded devices.

config OPENSSL_PREFER_CHACHA_OVER_GCM
	bool
	default y if !x86_64 && !aarch64
	prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
	depends on OPENSSL_WITH_CHACHA_POLY1305
	help
		The default OpenSSL preference is AES-GCM before ChaCha, but
		that assumes AES-NI capable chips. That is not the case for
		most embedded chips, so it may be better to invert that
		preference. This only changes the default; the application
		can always override it.

config OPENSSL_WITH_PSK
	bool
	default y
	prompt "Enable PSK support"
	help
		Build support for Pre-Shared Key based cipher suites.

comment "Less commonly used build options"

config OPENSSL_WITH_ARIA
	bool
	prompt "Enable ARIA support"
	help
		ARIA is a block cipher developed in South Korea, based on AES.

config OPENSSL_WITH_CAMELLIA
	bool
	prompt "Enable Camellia cipher support"
	help
		Camellia is a block cipher with security levels and processing
		abilities comparable to AES.

config OPENSSL_WITH_IDEA
	bool
	default y if !SMALL_FLASH
	prompt "Enable IDEA cipher support (needs legacy provider)"
	help
		IDEA is a block cipher with 128-bit keys.
		To use the cipher, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_SEED
	bool
	default y if !SMALL_FLASH
	prompt "Enable SEED cipher support (needs legacy provider)"
	help
		SEED is a block cipher with 128-bit keys broadly used in
		South Korea, but seldom found elsewhere.
		To use the cipher, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_SM234
	bool
	prompt "Enable SM2/3/4 algorithms support"
	help
		These algorithms are a set of "Commercial Cryptography"
		algorithms approved for use in China.
		 * SM2 is an EC algorithm equivalent to ECDSA P-256
		 * SM3 is a hash function equivalent to SHA-256
		 * SM4 is a 128-bit block cipher equivalent to AES-128

config OPENSSL_WITH_BLAKE2
	bool
	prompt "Enable BLAKE2 digest support"
	help
		BLAKE2 is a cryptographic hash function based on the ChaCha
		stream cipher.

config OPENSSL_WITH_MDC2
	bool
	default y if !SMALL_FLASH
	prompt "Enable MDC2 digest support (needs legacy provider)"
	help
		To use the digest, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_WHIRLPOOL
	bool
	default y if !SMALL_FLASH
	prompt "Enable Whirlpool digest support (needs legacy provider)"
	help
		To use the digest, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_COMPRESSION
	bool
	prompt "Enable compression support"
	help
		TLS compression is not recommended, as it is deemed insecure;
		the CRIME attack exploits this weakness.
		Even with this option turned on, compression is disabled by
		default, and the application must explicitly turn it on.

config OPENSSL_WITH_RFC3779
	bool
	prompt "Enable RFC3779 support (BGP)"
	help
		RFC 3779 defines two X.509 v3 certificate extensions. The first
		binds a list of IP address blocks, or prefixes, to the subject of a
		certificate. The second binds a list of autonomous system
		identifiers to the subject of a certificate. These extensions may be
		used to convey the authorization of the subject to use the IP
		addresses and autonomous system identifiers contained in the
		extensions.

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
	bool "Enable engine support"
	select OPENSSL_WITH_DEPRECATED
	default y
	help
		This enables alternative cryptography implementations,
		most commonly for interfacing with external crypto devices,
		or supporting new/alternative ciphers and digests.
		If you compile the library with this option disabled, packages built
		against an engine-enabled library (i.e. from the official repo) may
		fail to run. Compile and install those packages with engine support
		disabled as well, and you should be fine.
		Note that you need to enable KERNEL_AIO to be able to build the
		afalg engine package.

config OPENSSL_ENGINE_BUILTIN
	bool "Build chosen engines into libcrypto"
	depends on OPENSSL_ENGINE
	help
		This builds all chosen engines into libcrypto.so, instead of building
		them as dynamic engines in separate packages.
		The benefit of building the engines into libcrypto is that they won't
		require any configuration to be used by default.

config OPENSSL_ENGINE_BUILTIN_AFALG
	bool
	prompt "Acceleration support through AF_ALG sockets engine"
	depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through the
		AF_ALG kernel interface.

config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
	bool
	prompt "Acceleration support through /dev/crypto"
	depends on OPENSSL_ENGINE_BUILTIN
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through the OpenBSD
		Cryptodev API (/dev/crypto) interface.
		Even though configuration is not strictly needed, it is worth seeing
		https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
		for information on how to configure the engine.

config OPENSSL_ENGINE_BUILTIN_PADLOCK
	bool
	prompt "VIA Padlock Acceleration support engine"
	depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through the
		VIA Padlock module.

config OPENSSL_WITH_ASYNC
	bool
	prompt "Enable asynchronous jobs support"
	depends on OPENSSL_ENGINE && USE_GLIBC
	help
		Enables async-aware applications to use OpenSSL to initiate
		crypto operations asynchronously. This requires the presence
		of an async-capable engine.

endif
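The stanzas above interact through `depends on`, `default ... if` and `select`, and the options a given target actually ends up with are not obvious from reading one stanza at a time. The following is an added example, not OpenWrt code and not part of this Config.in: a small Python evaluator for the bool-only Kconfig subset used here, run over a constructed excerpt of the options above (prompt and help lines dropped). The symbol names and the target symbols such as `SMALL_FLASH` and `x86_64` are taken from the file; the fixpoint semantics are a simplification of real Kconfig and the function names are the example's own. It shows, for instance, that a MIPS target with `SMALL_FLASH` ends up with `OPENSSL_WITH_ERROR_MESSAGES` off, and that turning `OPENSSL_WITH_DEPRECATED` off is silently undone by the `select` in `OPENSSL_ENGINE` unless engine support is disabled as well.

```python
"""Added example (not OpenWrt code): evaluate the bool-only Kconfig subset this Config.in uses."""
import re

# Constructed excerpt of the stanzas above with bool/prompt/help lines dropped.
FRAGMENT = """
config OPENSSL_OPTIMIZE_SPEED
	default y if x86_64 || i386
	select OPENSSL_WITH_ASM
config OPENSSL_SMALL_FOOTPRINT
	depends on !OPENSSL_OPTIMIZE_SPEED
	default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
config OPENSSL_WITH_ASM
	default y
config OPENSSL_WITH_DEPRECATED
	default y
config OPENSSL_NO_DEPRECATED
	default !OPENSSL_WITH_DEPRECATED
config OPENSSL_WITH_ERROR_MESSAGES
	default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
config OPENSSL_WITH_CHACHA_POLY1305
	default y
config OPENSSL_PREFER_CHACHA_OVER_GCM
	default y if !x86_64 && !aarch64
	depends on OPENSSL_WITH_CHACHA_POLY1305
config OPENSSL_ENGINE
	select OPENSSL_WITH_DEPRECATED
	default y
"""

TOKEN = re.compile(r"\s*(\(|\)|!|&&|\|\||[A-Za-z0-9_-]+)")

def parse(text):
    """Map symbol -> {'depends': [expr], 'defaults': [(value, cond)], 'select': [symbol]}."""
    syms, cur = {}, None
    for raw in text.splitlines():
        key, _, rest = raw.strip().partition(" ")
        if key == "config":
            cur = syms[rest.strip()] = {"depends": [], "defaults": [], "select": []}
        elif cur is None:
            continue
        elif key == "depends":                     # depends on <expr>
            cur["depends"].append(rest.split(None, 1)[1])
        elif key == "default":                     # default <value> [if <cond>]
            value, _, cond = rest.partition(" if ")
            cur["defaults"].append((value.strip(), cond.strip() or "y"))
        elif key == "select":
            cur["select"].append(rest.strip())
    return syms

def evaluate(expr, env):
    """Recursive descent over !, &&, || and parentheses; unknown symbols read as n."""
    toks = TOKEN.findall(expr) + [None]           # sentinel: toks[0] is always readable

    def parse_or():
        v = parse_and()
        while toks[0] == "||":
            toks.pop(0); r = parse_and(); v = v or r   # always consume, never short-circuit
        return v

    def parse_and():
        v = parse_not()
        while toks[0] == "&&":
            toks.pop(0); r = parse_not(); v = v and r
        return v

    def parse_not():
        tok = toks.pop(0)
        if tok == "!":
            return not parse_not()
        if tok == "(":
            v = parse_or()
            assert toks.pop(0) == ")", "unbalanced parentheses in %r" % expr
            return v
        return {"y": True, "n": False}.get(tok, env.get(tok, False))

    return parse_or()

def resolve(syms, target, choices=None):
    """Fixpoint: target = arch/feature symbols that are y; choices = user picks (select overrides them)."""
    env, choices, forced = {t: True for t in target}, choices or {}, set()
    for _ in range(len(syms) + 2):
        prev = dict(env)
        for name, s in syms.items():
            if name in forced:                     # selected by a y symbol: y regardless of depends/choice
                env[name] = True
            elif not all(evaluate(d, env) for d in s["depends"]):
                env[name] = False                  # not visible, so it cannot be set
            elif name in choices:
                env[name] = choices[name]
            else:                                  # first default whose condition holds, else n
                env[name] = next((evaluate(v, env) for v, c in s["defaults"]
                                  if evaluate(c, env)), False)
        forced = {sel for n, s in syms.items() if env[n] for sel in s["select"]}
        if env == prev:
            break
    return {n: env[n] for n in syms}

if __name__ == "__main__":
    for target in ({"x86_64"}, {"mips", "SMALL_FLASH"}):
        cfg = resolve(parse(FRAGMENT), target)
        print(sorted(target), {k: "y" if v else "n" for k, v in cfg.items()})
```

Running the file prints the resolved option map for an x86_64 target and for a MIPS target with `SMALL_FLASH`. The `forced` set models `select`: a selected symbol is y regardless of its own `depends on` or the user's choice, which is the Kconfig behaviour that makes `OPENSSL_ENGINE` keep the deprecated API in the build even when `OPENSSL_WITH_DEPRECATED` was unset.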
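The `OPENSSL_PREFER_CHACHA_OVER_GCM` and `OPENSSL_WITH_COMPRESSION` help texts both say that the build option only sets a default the application can change. The following is an added example, not OpenWrt or OpenSSL project code: it uses Python's standard `ssl` module on top of whatever OpenSSL the interpreter is linked against (assumed to be 1.1.0 or later with ChaCha20 support) to show how a client pins its own TLS 1.2 AEAD suite order instead of relying on the library default, and how it checks that TLS compression stays off. The function names are the example's own.

```python
"""Added example (not OpenWrt code): application-side TLS choices via Python's ssl module."""
import ssl

def make_client_context(prefer_chacha=True):
    """Client context whose TLS 1.2 suite order is chosen here, not by the library default
    (OPENSSL_PREFER_CHACHA_OVER_GCM only changes what the library does when nothing is set)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher-string groups: ECDHE key exchange with either AEAD family first.
    groups = ["ECDHE+CHACHA20", "ECDHE+AESGCM"] if prefer_chacha else ["ECDHE+AESGCM", "ECDHE+CHACHA20"]
    ctx.set_ciphers(":".join(groups) + ":!aNULL:!eNULL")
    return ctx

def tls12_cipher_order(ctx):
    """Names of the TLS 1.2 suites the context offers, in preference order
    (TLS 1.3 suites are listed separately by OpenSSL and are filtered out here)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]

def compression_disabled(ctx):
    """True when the context keeps TLS compression off, the CRIME mitigation the
    OPENSSL_WITH_COMPRESSION help text refers to; SSLContext sets this flag by default."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)

def first_index(names, needle):
    """Position of the first suite name containing needle, or None."""
    return next((i for i, n in enumerate(names) if needle in n), None)

if __name__ == "__main__":
    for prefer in (True, False):
        ctx = make_client_context(prefer)
        names = tls12_cipher_order(ctx)
        print("ChaCha first" if prefer else "AES-GCM first", names[:3],
              "compression off:", compression_disabled(ctx))
```

On a router without AES-NI the ChaCha-first order is the one that pays off; the point of setting it in the application is that the choice no longer depends on how the library package was built.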