diff options
Diffstat (limited to 'package/libs/openssl/Config.in')
-rw-r--r-- | package/libs/openssl/Config.in | 206 |
1 files changed, 175 insertions, 31 deletions
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index c39e28510f..fe73229915 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -1,72 +1,216 @@ if PACKAGE_libopenssl -config OPENSSL_WITH_EC +comment "Build Options" + +config OPENSSL_OPTIMIZE_SPEED + bool + prompt "Enable optimization for speed instead of size" + select OPENSSL_WITH_ASM + help + Enabling this option increases code size (around 20%) and + performance. The increase in performance and size depends on the + target CPU. EC and AES seem to benefit the most, with EC speed + increased by 20%-50% (mipsel & x86). + AES-GCM is supposed to be 3x faster on x86. YMMV. + +config OPENSSL_WITH_ASM bool default y - prompt "Enable elliptic curve support" + prompt "Compile with optimized assembly code" + depends on !arc + help + Disabling this option will reduce code size and performance. + The increase in performance and size depends on the target + CPU and on the algorithms being optimized. As of 1.1.0i*: -config OPENSSL_WITH_EC2M - bool - depends on OPENSSL_WITH_EC - prompt "Enable ec2m support" + Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase + aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305 + arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305 + i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292% + mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60% + mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305 + powerpc 20K BN, aes, sha1, sha256, sha512, poly1305 + x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228% -config OPENSSL_WITH_SSL3 + * Only most common algorithms shown. Your mileage may vary. + BN (bignum) performance was measured using RSA sign/verify. + +config OPENSSL_WITH_SSE2 bool - default n - prompt "Enable sslv3 support" + default y if !TARGET_x86_legacy && !TARGET_x86_geode + prompt "Enable use of x86 SSE2 instructions" + depends on OPENSSL_WITH_ASM && i386 + help + Use of SSE2 instructions greatly increase performance (up to + 3x faster) with a minimum (~0.2%, or 23KB) increase in package + size, but it will bring no benefit if your hardware does not + support them, such as Geode GX and LX. In this case you may + save 23KB by saying yes here. AMD Geode NX, and Intel + Pentium 4 and above support SSE2. config OPENSSL_WITH_DEPRECATED bool default y - prompt "Include deprecated APIs" + prompt "Include deprecated APIs (See help for a list of packages that need this)" + help + Squid currently requires this. config OPENSSL_NO_DEPRECATED bool default !OPENSSL_WITH_DEPRECATED -config OPENSSL_WITH_DTLS +config OPENSSL_WITH_ERROR_MESSAGES bool - default n - prompt "Enable DTLS support" + prompt "Include error messages" + help + This option aids debugging, but increases package size and + memory usage. -config OPENSSL_WITH_COMPRESSION +comment "Protocol Support" + +config OPENSSL_WITH_DTLS bool - default n - prompt "Enable compression support" + prompt "Enable DTLS support" + help + Datagram Transport Layer Security (DTLS) provides TLS-like security + for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications. config OPENSSL_WITH_NPN bool default y prompt "Enable NPN support" + help + NPN is a TLS extension, obsoleted and replaced with ALPN, + used to negotiate SPDY, and HTTP/2. + +config OPENSSL_WITH_SRP + bool + default y + prompt "Enable SRP support" + help + The Secure Remote Password protocol (SRP) is an augmented + password-authenticated key agreement (PAKE) protocol, specifically + designed to work around existing patents. + +config OPENSSL_WITH_CMS + bool + default y + prompt "Enable CMS (RFC 5652) support" + help + Cryptographic Message Syntax (CMS) is used to digitally sign, + digest, authenticate, or encrypt arbitrary message content. + +comment "Algorithm Selection" + +config OPENSSL_WITH_EC + bool + default y + prompt "Enable elliptic curve support" + help + Elliptic-curve cryptography (ECC) is an approach to public-key + cryptography based on the algebraic structure of elliptic curves + over finite fields. ECC requires smaller keys compared to non-ECC + cryptography to provide equivalent security. + +config OPENSSL_WITH_EC2M + bool + depends on OPENSSL_WITH_EC + prompt "Enable ec2m support" + help + This option enables the more efficient, yet less common, binary + field elliptic curves. config OPENSSL_WITH_PSK bool default y prompt "Enable PSK support" + help + Build support for Pre-Shared Key based cipher suites. -config OPENSSL_WITH_SRP +comment "Less commonly used build options" + +config OPENSSL_WITH_CAMELLIA bool - default y - prompt "Enable SRP support" + prompt "Enable Camellia cipher support" + help + Camellia is a bock cipher with security levels and processing + abilities comparable to AES. -config OPENSSL_ENGINE_DIGEST +config OPENSSL_WITH_IDEA bool - depends on OPENSSL_ENGINE_CRYPTO - prompt "Digests acceleration support" + prompt "Enable IDEA cipher support" + help + IDEA is a block cipher with 128-bit keys. -config OPENSSL_HARDWARE_SUPPORT +config OPENSSL_WITH_SEED bool - default n - prompt "Enable hardware support" + prompt "Enable SEED cipher support" + help + SEED is a block cipher with 128-bit keys broadly used in + South Korea, but seldom found elsewhere. -config OPENSSL_OPTIMIZE_SPEED +config OPENSSL_WITH_MDC2 bool - default n - prompt "Enable optimization for speed instead of size" + prompt "Enable MDC2 digest support" -endif +config OPENSSL_WITH_WHIRLPOOL + bool + prompt "Enable Whirlpool digest support" + +config OPENSSL_WITH_COMPRESSION + bool + prompt "Enable compression support" + help + TLS compression is not recommended, as it is deemed insecure. + The CRIME attack exploits this weakness. + Even with this option turned on, it is disabled by default, and the + application must explicitly turn it on. + +config OPENSSL_WITH_RFC3779 + bool + prompt "Enable RFC3779 support (BGP)" + help + RFC 3779 defines two X.509 v3 certificate extensions. The first + binds a list of IP address blocks, or prefixes, to the subject of a + certificate. The second binds a list of autonomous system + identifiers to the subject of a certificate. These extensions may be + used to convey the authorization of the subject to use the IP + addresses and autonomous system identifiers contained in the + extensions. + +comment "Engine/Hardware Support" + +config OPENSSL_ENGINE + bool "Enable engine support" + help + This enables alternative cryptography implementations, + most commonly for interfacing with external crypto devices, + or supporting new/alternative ciphers and digests. config OPENSSL_ENGINE_CRYPTO bool - select OPENSSL_HARDWARE_SUPPORT - prompt "Crypto acceleration support" if PACKAGE_libopenssl + select OPENSSL_ENGINE + select PACKAGE_kmod-cryptodev + prompt "Acceleration support through /dev/crypto" + help + This enables use of hardware acceleration through OpenBSD + Cryptodev API (/dev/crypto) interface. + You must install kmod-cryptodev (under Kernel modules, Cryptographic + API modules) for /dev/crypto to show up and use hardware + acceleration; otherwise it falls back to software. + +config OPENSSL_ENGINE_DIGEST + bool + depends on OPENSSL_ENGINE_CRYPTO + prompt "/dev/crypto digest (md5/sha1) acceleration support" + +config OPENSSL_WITH_GOST + bool + prompt "Prepare library for GOST engine" + depends on OPENSSL_ENGINE + help + This option prepares the library to accept engine support + for Russian GOST crypto algorithms. + +endif + |