Rebase from upstream commit : 3bb9dcf44627ffdd313fe92c563ae454b6ff8aa6

[librecmc/librecmc.git] / package / libs / openssl / Config.in

if PACKAGE_libopenssl

comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
        bool
        default y if x86_64 || i386
        prompt "Enable optimization for speed instead of size"
        select OPENSSL_WITH_ASM
        help
                Enabling this option increases code size (around 20%) and
                performance.  The increase in performance and size depends on the
                target CPU. EC and AES seem to benefit the most, with EC speed
                increased by 20%-50% (mipsel & x86).
                AES-GCM is supposed to be 3x faster on x86. YMMV.

config OPENSSL_WITH_ASM
        bool
        default y if !SMALL_FLASH || !arm
        prompt "Compile with optimized assembly code"
        depends on !arc
        help
                Disabling this option will reduce code size and performance.
                The increase in performance and size depends on the target
                CPU and on the algorithms being optimized.  As of 1.1.0i*:

                Platform  Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
                aarch64   174K     BN, aes, sha1, sha256, sha512, nist256, poly1305
                arm       152K     BN, aes, sha1, sha256, sha512, nist256, poly1305
                i386      183K     BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
                mipsel      1.5K   BN+97%, aes+4%, sha1+94%, sha256+60%
                mips64      3.7K   BN, aes, sha1, sha256, sha512, poly1305
                powerpc    20K     BN, aes, sha1, sha256, sha512, poly1305
                x86_64    228K     BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%

                * Only most common algorithms shown. Your mileage may vary.
                  BN (bignum) performance was measured using RSA sign/verify.

config OPENSSL_WITH_SSE2
        bool
        default y if !TARGET_x86_legacy && !TARGET_x86_geode
        prompt "Enable use of x86 SSE2 instructions"
        depends on OPENSSL_WITH_ASM && i386
        help
                Use of SSE2 instructions greatly increase performance (up to
                3x faster) with a minimum (~0.2%, or 23KB) increase in package
                size, but it will bring no benefit if your hardware does not
                support them, such as Geode GX and LX.  In this case you may
                save 23KB by saying yes here.  AMD Geode NX, and Intel
                Pentium 4 and above support SSE2.

config OPENSSL_WITH_DEPRECATED
        bool
        default y
        prompt "Include deprecated APIs (See help for a list of packages that need this)"
        help
                Since openssl 1.1.x is still new to librecmc, some packages
                requiring this option do not list it as a requirement yet:
                 * freeswitch-stable, freeswitch, python, python3, squid.

config OPENSSL_NO_DEPRECATED
        bool
        default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_ERROR_MESSAGES
        bool
        default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
        prompt "Include error messages"
        help
                This option aids debugging, but increases package size and
                memory usage.

comment "Protocol Support"

config OPENSSL_WITH_TLS13
        bool
        default y
        prompt "Enable support for TLS 1.3"
        select OPENSSL_WITH_EC
        help
                TLS 1.3 is the newest version of the TLS specification.
                It aims:
                 * to increase the overall security of the protocol,
                   removing outdated algorithms, and encrypting more of the
                   protocol;
                 * to increase performance by reducing the number of round-trips
                   when performing a full handshake.
                It increases package size by ~4KB.

config OPENSSL_WITH_DTLS
        bool
        prompt "Enable DTLS support"
        help
                Datagram Transport Layer Security (DTLS) provides TLS-like security
                for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
        bool
        default y
        prompt "Enable NPN support"
        help
                NPN is a TLS extension, obsoleted and replaced with ALPN,
                used to negotiate SPDY, and HTTP/2.

config OPENSSL_WITH_SRP
        bool
        default y
        prompt "Enable SRP support"
        help
                The Secure Remote Password protocol (SRP) is an augmented
                password-authenticated key agreement (PAKE) protocol, specifically
                designed to work around existing patents.

config OPENSSL_WITH_CMS
        bool
        default y
        prompt "Enable CMS (RFC 5652) support"
        help
                Cryptographic Message Syntax (CMS) is used to digitally sign,
                digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC
        bool
        default y
        prompt "Enable elliptic curve support"
        help
                Elliptic-curve cryptography (ECC) is an approach to public-key
                cryptography based on the algebraic structure of elliptic curves
                over finite fields. ECC requires smaller keys compared to non-ECC
                cryptography to provide equivalent security.

config OPENSSL_WITH_EC2M
        bool
        depends on OPENSSL_WITH_EC
        prompt "Enable ec2m support"
        help
                This option enables the more efficient, yet less common, binary
                field elliptic curves.

config OPENSSL_WITH_CHACHA_POLY1305
        bool
        default y
        prompt "Enable ChaCha20-Poly1305 ciphersuite support"
        help
                ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
                combining ChaCha stream cipher with Poly1305 MAC.
                It is 3x faster than AES, when not using a CPU with AES-specific
                instructions, as is the case of most embedded devices.

config OPENSSL_PREFER_CHACHA_OVER_GCM
        bool
        default y if !x86_64 && !aarch64
        prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
        depends on OPENSSL_WITH_CHACHA_POLY1305
        help
                The default openssl preference is for AES-GCM before ChaCha, but
                that takes into account AES-NI capable chips.  It is not the
                case with most embedded chips, so it may be better to invert
                that preference.  This is just for the default case. The
                application can always override this.

config OPENSSL_WITH_PSK
        bool
        default y
        prompt "Enable PSK support"
        help
                Build support for Pre-Shared Key based cipher suites.

comment "Less commonly used build options"

config OPENSSL_WITH_ARIA
        bool
        prompt "Enable ARIA support"
        help
                ARIA is a block cipher developed in South Korea, based on AES.

config OPENSSL_WITH_CAMELLIA
        bool
        prompt "Enable Camellia cipher support"
        help
                Camellia is a bock cipher with security levels and processing
                abilities comparable to AES.

config OPENSSL_WITH_IDEA
        bool
        prompt "Enable IDEA cipher support"
        help
                IDEA is a block cipher with 128-bit keys.

config OPENSSL_WITH_SEED
        bool
        prompt "Enable SEED cipher support"
        help
                SEED is a block cipher with 128-bit keys broadly used in
                South Korea, but seldom found elsewhere.

config OPENSSL_WITH_SM234
        bool
        prompt "Enable SM2/3/4 algorithms support"
        help
                These algorithms are a set of "Commercial Cryptography"
                algorithms approved for use in China.
                  * SM2 is an EC algorithm equivalent to ECDSA P-256
                  * SM3 is a hash function equivalent to SHA-256
                  * SM4 is a 128-block cipher equivalent to AES-128

config OPENSSL_WITH_BLAKE2
        bool
        prompt "Enable BLAKE2 digest support"
        help
                BLAKE2 is a cryptographic hash function based on the ChaCha
                stream cipher.

config OPENSSL_WITH_MDC2
        bool
        prompt "Enable MDC2 digest support"

config OPENSSL_WITH_WHIRLPOOL
        bool
        prompt "Enable Whirlpool digest support"

config OPENSSL_WITH_COMPRESSION
        bool
        prompt "Enable compression support"
        help
                TLS compression is not recommended, as it is deemed insecure.
                The CRIME attack exploits this weakness.
                Even with this option turned on, it is disabled by default, and the
                application must explicitly turn it on.

config OPENSSL_WITH_RFC3779
        bool
        prompt "Enable RFC3779 support (BGP)"
        help
                RFC 3779 defines two X.509 v3 certificate extensions.  The first
                binds a list of IP address blocks, or prefixes, to the subject of a
                certificate.  The second binds a list of autonomous system
                identifiers to the subject of a certificate.  These extensions may be
                used to convey the authorization of the subject to use the IP
                addresses and autonomous system identifiers contained in the
                extensions.

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
        bool "Enable engine support"
        help
                This enables alternative cryptography implementations,
                most commonly for interfacing with external crypto devices,
                or supporting new/alternative ciphers and digests.
                Note that you need to enable KERNEL_AIO to be able to build the
                afalg engine package.

config OPENSSL_ENGINE_CRYPTO
        bool
        select OPENSSL_ENGINE
        select PACKAGE_kmod-cryptodev
        select PACKAGE_libopenssl-conf
        prompt "Acceleration support through /dev/crypto"
        help
                This enables use of hardware acceleration through OpenBSD
                Cryptodev API (/dev/crypto) interface.
                You must install kmod-cryptodev (under Kernel modules, Cryptographic
                API modules) for /dev/crypto to show up and use hardware
                acceleration; otherwise it falls back to software.

config OPENSSL_WITH_ASYNC
        bool
        prompt "Enable asynchronous jobs support"
        depends on OPENSSL_ENGINE && USE_GLIBC
        help
                Enables async-aware applications to be able to use OpenSSL to
                initiate crypto operations asynchronously. In order to work
                this will require the presence of an async capable engine.

config OPENSSL_WITH_GOST
        bool
        prompt "Prepare library for GOST engine"
        depends on OPENSSL_ENGINE
        help
                This option prepares the library to accept engine support
                for Russian GOST crypto algorithms.
                The gost engine is not included in standard librecmc feeds.
                To build such engine yourself, see:
                https://github.com/gost-engine/engine

endif