2
0

Config.in 9.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307
  1. if PACKAGE_libopenssl
  2. comment "Build Options"
  3. config OPENSSL_OPTIMIZE_SPEED
  4. bool
  5. default y if x86_64 || i386
  6. prompt "Enable optimization for speed instead of size"
  7. select OPENSSL_WITH_ASM
  8. help
  9. Enabling this option increases code size (around 20%) and
  10. performance. The increase in performance and size depends on the
  11. target CPU. EC and AES seem to benefit the most, with EC speed
  12. increased by 20%-50% (mipsel & x86).
  13. AES-GCM is supposed to be 3x faster on x86. YMMV.
  14. config OPENSSL_WITH_ASM
  15. bool
  16. default y if !SMALL_FLASH || !arm
  17. prompt "Compile with optimized assembly code"
  18. depends on !arc
  19. help
  20. Disabling this option will reduce code size and performance.
  21. The increase in performance and size depends on the target
  22. CPU and on the algorithms being optimized. As of 1.1.0i*:
  23. Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
  24. aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
  25. arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
  26. i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
  27. mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
  28. mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
  29. powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
  30. x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
  31. * Only most common algorithms shown. Your mileage may vary.
  32. BN (bignum) performance was measured using RSA sign/verify.
  33. config OPENSSL_WITH_SSE2
  34. bool
  35. default y if !TARGET_x86_legacy && !TARGET_x86_geode
  36. prompt "Enable use of x86 SSE2 instructions"
  37. depends on OPENSSL_WITH_ASM && i386
  38. help
  39. Use of SSE2 instructions greatly increase performance (up to
  40. 3x faster) with a minimum (~0.2%, or 23KB) increase in package
  41. size, but it will bring no benefit if your hardware does not
  42. support them, such as Geode GX and LX. In this case you may
  43. save 23KB by saying yes here. AMD Geode NX, and Intel
  44. Pentium 4 and above support SSE2.
  45. config OPENSSL_WITH_DEPRECATED
  46. bool
  47. default y
  48. prompt "Include deprecated APIs (See help for a list of packages that need this)"
  49. help
  50. Since openssl 1.1.x is still new to librecmc, some packages
  51. requiring this option do not list it as a requirement yet:
  52. * freeswitch-stable, freeswitch, python, python3, squid.
  53. config OPENSSL_NO_DEPRECATED
  54. bool
  55. default !OPENSSL_WITH_DEPRECATED
  56. config OPENSSL_WITH_ERROR_MESSAGES
  57. bool
  58. default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
  59. prompt "Include error messages"
  60. help
  61. This option aids debugging, but increases package size and
  62. memory usage.
  63. comment "Protocol Support"
  64. config OPENSSL_WITH_TLS13
  65. bool
  66. default y
  67. prompt "Enable support for TLS 1.3"
  68. help
  69. TLS 1.3 is the newest version of the TLS specification.
  70. It aims:
  71. * to increase the overall security of the protocol,
  72. removing outdated algorithms, and encrypting more of the
  73. protocol;
  74. * to increase performance by reducing the number of round-trips
  75. when performing a full handshake.
  76. It increases package size by ~4KB.
  77. config OPENSSL_WITH_DTLS
  78. bool
  79. prompt "Enable DTLS support"
  80. help
  81. Datagram Transport Layer Security (DTLS) provides TLS-like security
  82. for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
  83. config OPENSSL_WITH_NPN
  84. bool
  85. prompt "Enable NPN support"
  86. help
  87. NPN is a TLS extension, obsoleted and replaced with ALPN,
  88. used to negotiate SPDY, and HTTP/2.
  89. config OPENSSL_WITH_SRP
  90. bool
  91. default y
  92. prompt "Enable SRP support"
  93. help
  94. The Secure Remote Password protocol (SRP) is an augmented
  95. password-authenticated key agreement (PAKE) protocol, specifically
  96. designed to work around existing patents.
  97. config OPENSSL_WITH_CMS
  98. bool
  99. default y
  100. prompt "Enable CMS (RFC 5652) support"
  101. help
  102. Cryptographic Message Syntax (CMS) is used to digitally sign,
  103. digest, authenticate, or encrypt arbitrary message content.
  104. comment "Algorithm Selection"
  105. config OPENSSL_WITH_EC2M
  106. bool
  107. prompt "Enable ec2m support"
  108. help
  109. This option enables the more efficient, yet less common, binary
  110. field elliptic curves.
  111. config OPENSSL_WITH_CHACHA_POLY1305
  112. bool
  113. default y
  114. prompt "Enable ChaCha20-Poly1305 ciphersuite support"
  115. help
  116. ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
  117. combining ChaCha stream cipher with Poly1305 MAC.
  118. It is 3x faster than AES, when not using a CPU with AES-specific
  119. instructions, as is the case of most embedded devices.
  120. config OPENSSL_PREFER_CHACHA_OVER_GCM
  121. bool
  122. default y if !x86_64 && !aarch64
  123. prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
  124. depends on OPENSSL_WITH_CHACHA_POLY1305
  125. help
  126. The default openssl preference is for AES-GCM before ChaCha, but
  127. that takes into account AES-NI capable chips. It is not the
  128. case with most embedded chips, so it may be better to invert
  129. that preference. This is just for the default case. The
  130. application can always override this.
  131. config OPENSSL_WITH_PSK
  132. bool
  133. default y
  134. prompt "Enable PSK support"
  135. help
  136. Build support for Pre-Shared Key based cipher suites.
  137. comment "Less commonly used build options"
  138. config OPENSSL_WITH_ARIA
  139. bool
  140. prompt "Enable ARIA support"
  141. help
  142. ARIA is a block cipher developed in South Korea, based on AES.
  143. config OPENSSL_WITH_CAMELLIA
  144. bool
  145. prompt "Enable Camellia cipher support"
  146. help
  147. Camellia is a bock cipher with security levels and processing
  148. abilities comparable to AES.
  149. config OPENSSL_WITH_IDEA
  150. bool
  151. prompt "Enable IDEA cipher support"
  152. help
  153. IDEA is a block cipher with 128-bit keys.
  154. config OPENSSL_WITH_SEED
  155. bool
  156. prompt "Enable SEED cipher support"
  157. help
  158. SEED is a block cipher with 128-bit keys broadly used in
  159. South Korea, but seldom found elsewhere.
  160. config OPENSSL_WITH_SM234
  161. bool
  162. prompt "Enable SM2/3/4 algorithms support"
  163. help
  164. These algorithms are a set of "Commercial Cryptography"
  165. algorithms approved for use in China.
  166. * SM2 is an EC algorithm equivalent to ECDSA P-256
  167. * SM3 is a hash function equivalent to SHA-256
  168. * SM4 is a 128-block cipher equivalent to AES-128
  169. config OPENSSL_WITH_BLAKE2
  170. bool
  171. prompt "Enable BLAKE2 digest support"
  172. help
  173. BLAKE2 is a cryptographic hash function based on the ChaCha
  174. stream cipher.
  175. config OPENSSL_WITH_MDC2
  176. bool
  177. prompt "Enable MDC2 digest support"
  178. config OPENSSL_WITH_WHIRLPOOL
  179. bool
  180. prompt "Enable Whirlpool digest support"
  181. config OPENSSL_WITH_COMPRESSION
  182. bool
  183. prompt "Enable compression support"
  184. help
  185. TLS compression is not recommended, as it is deemed insecure.
  186. The CRIME attack exploits this weakness.
  187. Even with this option turned on, it is disabled by default, and the
  188. application must explicitly turn it on.
  189. config OPENSSL_WITH_RFC3779
  190. bool
  191. prompt "Enable RFC3779 support (BGP)"
  192. help
  193. RFC 3779 defines two X.509 v3 certificate extensions. The first
  194. binds a list of IP address blocks, or prefixes, to the subject of a
  195. certificate. The second binds a list of autonomous system
  196. identifiers to the subject of a certificate. These extensions may be
  197. used to convey the authorization of the subject to use the IP
  198. addresses and autonomous system identifiers contained in the
  199. extensions.
  200. comment "Engine/Hardware Support"
  201. config OPENSSL_ENGINE
  202. bool "Enable engine support"
  203. default y
  204. help
  205. This enables alternative cryptography implementations,
  206. most commonly for interfacing with external crypto devices,
  207. or supporting new/alternative ciphers and digests.
  208. If you compile the library with this option disabled, packages built
  209. using an engine-enabled library (i.e. from the official repo) may
  210. fail to run. Compile and install the packages with engine support
  211. disabled, and you should be fine.
  212. Note that you need to enable KERNEL_AIO to be able to build the
  213. afalg engine package.
  214. config OPENSSL_ENGINE_BUILTIN
  215. bool "Build chosen engines into libcrypto"
  216. depends on OPENSSL_ENGINE
  217. help
  218. This builds all chosen engines into libcrypto.so, instead of building
  219. them as dynamic engines in separate packages.
  220. The benefit of building the engines into libcrypto is that they won't
  221. require any configuration to be used by default.
  222. config OPENSSL_ENGINE_BUILTIN_AFALG
  223. bool
  224. prompt "Acceleration support through AF_ALG sockets engine"
  225. depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
  226. select PACKAGE_libopenssl-conf
  227. help
  228. This enables use of hardware acceleration through the
  229. AF_ALG kernel interface.
  230. config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
  231. bool
  232. prompt "Acceleration support through /dev/crypto"
  233. depends on OPENSSL_ENGINE_BUILTIN
  234. select PACKAGE_libopenssl-conf
  235. help
  236. This enables use of hardware acceleration through OpenBSD
  237. Cryptodev API (/dev/crypto) interface.
  238. Even though configuration is not strictly needed, it is worth seeing
  239. https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
  240. for information on how to configure the engine.
  241. config OPENSSL_ENGINE_BUILTIN_PADLOCK
  242. bool
  243. prompt "VIA Padlock Acceleration support engine"
  244. depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
  245. select PACKAGE_libopenssl-conf
  246. help
  247. This enables use of hardware acceleration through the
  248. VIA Padlock module.
  249. config OPENSSL_WITH_ASYNC
  250. bool
  251. prompt "Enable asynchronous jobs support"
  252. depends on OPENSSL_ENGINE && USE_GLIBC
  253. help
  254. Enables async-aware applications to be able to use OpenSSL to
  255. initiate crypto operations asynchronously. In order to work
  256. this will require the presence of an async capable engine.
  257. config OPENSSL_WITH_GOST
  258. bool
  259. prompt "Prepare library for GOST engine"
  260. depends on OPENSSL_ENGINE
  261. help
  262. This option prepares the library to accept engine support
  263. for Russian GOST crypto algorithms.
  264. The gost engine is not included in standard librecmc feeds.
  265. To build such engine yourself, see:
  266. https://github.com/gost-engine/engine
  267. endif