aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/openssl/Config.in
blob: fe7322991578b8f83bc0b98d3d18f69ba1ab0acd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
if PACKAGE_libopenssl

comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
	bool
	prompt "Enable optimization for speed instead of size"
	select OPENSSL_WITH_ASM
	help
		Enabling this option increases code size (around 20%) and
		performance.  The increase in performance and size depends on the
		target CPU. EC and AES seem to benefit the most, with EC speed
		increased by 20%-50% (mipsel & x86).
		AES-GCM is supposed to be 3x faster on x86. YMMV.

config OPENSSL_WITH_ASM
	bool
	default y
	prompt "Compile with optimized assembly code"
	depends on !arc
	help
		Disabling this option will reduce code size and performance.
		The increase in performance and size depends on the target
		CPU and on the algorithms being optimized.  As of 1.1.0i*:

		Platform  Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
		aarch64   174K     BN, aes, sha1, sha256, sha512, nist256, poly1305
		arm       152K     BN, aes, sha1, sha256, sha512, nist256, poly1305
		i386      183K     BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
		mipsel      1.5K   BN+97%, aes+4%, sha1+94%, sha256+60%
		mips64	    3.7K   BN, aes, sha1, sha256, sha512, poly1305
		powerpc    20K     BN, aes, sha1, sha256, sha512, poly1305
		x86_64    228K     BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%

		* Only most common algorithms shown. Your mileage may vary.
		  BN (bignum) performance was measured using RSA sign/verify.

config OPENSSL_WITH_SSE2
	bool
	default y if !TARGET_x86_legacy && !TARGET_x86_geode
	prompt "Enable use of x86 SSE2 instructions"
	depends on OPENSSL_WITH_ASM && i386
	help
		Use of SSE2 instructions greatly increase performance (up to
		3x faster) with a minimum (~0.2%, or 23KB) increase in package
		size, but it will bring no benefit if your hardware does not
		support them, such as Geode GX and LX.  In this case you may
		save 23KB by saying yes here.  AMD Geode NX, and Intel
		Pentium 4 and above support SSE2.

config OPENSSL_WITH_DEPRECATED
	bool
	default y
	prompt "Include deprecated APIs (See help for a list of packages that need this)"
	help
		Squid currently requires this.

config OPENSSL_NO_DEPRECATED
	bool
	default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_ERROR_MESSAGES
	bool
	prompt "Include error messages"
	help
		This option aids debugging, but increases package size and
		memory usage.

comment "Protocol Support"

config OPENSSL_WITH_DTLS
	bool
	prompt "Enable DTLS support"
	help
		Datagram Transport Layer Security (DTLS) provides TLS-like security
		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
	bool
	default y
	prompt "Enable NPN support"
	help
		NPN is a TLS extension, obsoleted and replaced with ALPN,
		used to negotiate SPDY, and HTTP/2.

config OPENSSL_WITH_SRP
	bool
	default y
	prompt "Enable SRP support"
	help
		The Secure Remote Password protocol (SRP) is an augmented
		password-authenticated key agreement (PAKE) protocol, specifically
		designed to work around existing patents.

config OPENSSL_WITH_CMS
	bool
	default y
	prompt "Enable CMS (RFC 5652) support"
	help
		Cryptographic Message Syntax (CMS) is used to digitally sign,
		digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC
	bool
	default y
	prompt "Enable elliptic curve support"
	help
		Elliptic-curve cryptography (ECC) is an approach to public-key
		cryptography based on the algebraic structure of elliptic curves
		over finite fields. ECC requires smaller keys compared to non-ECC
		cryptography to provide equivalent security.

config OPENSSL_WITH_EC2M
	bool
	depends on OPENSSL_WITH_EC
	prompt "Enable ec2m support"
	help
		This option enables the more efficient, yet less common, binary
		field elliptic curves.

config OPENSSL_WITH_PSK
	bool
	default y
	prompt "Enable PSK support"
	help
		Build support for Pre-Shared Key based cipher suites.

comment "Less commonly used build options"

config OPENSSL_WITH_CAMELLIA
	bool
	prompt "Enable Camellia cipher support"
	help
		Camellia is a bock cipher with security levels and processing
		abilities comparable to AES.

config OPENSSL_WITH_IDEA
	bool
	prompt "Enable IDEA cipher support"
	help
		IDEA is a block cipher with 128-bit keys.

config OPENSSL_WITH_SEED
	bool
	prompt "Enable SEED cipher support"
	help
		SEED is a block cipher with 128-bit keys broadly used in
		South Korea, but seldom found elsewhere.

config OPENSSL_WITH_MDC2
	bool
	prompt "Enable MDC2 digest support"

config OPENSSL_WITH_WHIRLPOOL
	bool
	prompt "Enable Whirlpool digest support"

config OPENSSL_WITH_COMPRESSION
	bool
	prompt "Enable compression support"
	help
		TLS compression is not recommended, as it is deemed insecure.
		The CRIME attack exploits this weakness.
		Even with this option turned on, it is disabled by default, and the
		application must explicitly turn it on.

config OPENSSL_WITH_RFC3779
	bool
	prompt "Enable RFC3779 support (BGP)"
	help
		RFC 3779 defines two X.509 v3 certificate extensions.  The first
		binds a list of IP address blocks, or prefixes, to the subject of a
		certificate.  The second binds a list of autonomous system
		identifiers to the subject of a certificate.  These extensions may be
		used to convey the authorization of the subject to use the IP
		addresses and autonomous system identifiers contained in the
		extensions.

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
	bool "Enable engine support"
	help
		This enables alternative cryptography implementations,
		most commonly for interfacing with external crypto devices,
		or supporting new/alternative ciphers and digests.

config OPENSSL_ENGINE_CRYPTO
	bool
	select OPENSSL_ENGINE
	select PACKAGE_kmod-cryptodev
	prompt "Acceleration support through /dev/crypto"
	help
		This enables use of hardware acceleration through OpenBSD
		Cryptodev API (/dev/crypto) interface.
		You must install kmod-cryptodev (under Kernel modules, Cryptographic
		API modules) for /dev/crypto to show up and use hardware
		acceleration; otherwise it falls back to software.

config OPENSSL_ENGINE_DIGEST
	bool
	depends on OPENSSL_ENGINE_CRYPTO
	prompt "/dev/crypto digest (md5/sha1) acceleration support"

config OPENSSL_WITH_GOST
	bool
	prompt "Prepare library for GOST engine"
	depends on OPENSSL_ENGINE
	help
		This option prepares the library to accept engine support
		for Russian GOST crypto algorithms.

endif