openwrt/package/libs/openssl/Config.in

if PACKAGE_libopenssl

comment "Build Options"

config OPENSSL_OPTIMIZE_SPEED
	bool
	default y if x86_64 || i386
	prompt "Enable optimization for speed instead of size"
	select OPENSSL_WITH_ASM
	help
		Enabling this option increases code size and performance.
		The increase in performance and size depends on the
		target CPU. EC and AES seem to benefit the most.

config OPENSSL_SMALL_FOOTPRINT
	bool
	depends on !OPENSSL_OPTIMIZE_SPEED
	default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
	prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
	help
		This turns on -DOPENSSL_SMALL_FOOTPRINT.  This will save only
		1-3% of of the ipk size.  The performance drop depends on
		architecture and algorithm.  MIPS drops 13% of performance for
		a 3% decrease in ipk size.  On Aarch64, for a 1% reduction in
		size, ghash and GCM performance decreases 90%, while
		Chacha20-Poly1305 is 15% slower.  X86_64 drops 1% of its size
		for 3% of performance.  Other arches have not been tested.

config OPENSSL_KTLS
	bool
	prompt "Enable kTLS support"
	select PACKAGE_kmod-tls
	help
		This will enable kTLS support, allowing data encryption
		operations to be performed in kernel space.

config OPENSSL_WITH_ASM
	bool
	default y
	prompt "Compile with optimized assembly code"
	depends on !arc
	help
		Disabling this option will reduce code size and performance.
		The increase in performance and size depends on the target
		CPU and on the algorithms being optimized.

config OPENSSL_WITH_SSE2
	bool
	default y if !TARGET_x86_legacy && !TARGET_x86_geode
	prompt "Enable use of x86 SSE2 instructions"
	depends on OPENSSL_WITH_ASM && i386
	help
		Use of SSE2 instructions greatly increase performance with a
		minimum increase in package size, but it will bring no benefit
		if your hardware does not support them, such as Geode GX and LX.
		AMD Geode NX, and Intel Pentium 4 and above support SSE2.

config OPENSSL_WITH_DEPRECATED
	bool
	default y
	prompt "Include deprecated APIs"
	help
		This drops all deprecated API, including engine support.

config OPENSSL_NO_DEPRECATED
	bool
	default !OPENSSL_WITH_DEPRECATED

config OPENSSL_WITH_ERROR_MESSAGES
	bool
	default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
	prompt "Include error messages"
	help
		This option aids debugging, but increases package size and
		memory usage.

comment "Protocol Support"

config OPENSSL_WITH_TLS13
	bool
	default y
	prompt "Enable support for TLS 1.3"
	help
		TLS 1.3 is the newest version of the TLS specification.
		It aims:
		 * to increase the overall security of the protocol,
		   removing outdated algorithms, and encrypting more of the
		   protocol;
		 * to increase performance by reducing the number of round-trips
		   when performing a full handshake.

config OPENSSL_WITH_DTLS
	bool
	prompt "Enable DTLS support"
	help
		Datagram Transport Layer Security (DTLS) provides TLS-like security
		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.

config OPENSSL_WITH_NPN
	bool
	prompt "Enable NPN support"
	help
		NPN is a TLS extension, obsoleted and replaced with ALPN,
		used to negotiate SPDY, and HTTP/2.

config OPENSSL_WITH_SRP
	bool
	default y
	prompt "Enable SRP support"
	help
		The Secure Remote Password protocol (SRP) is an augmented
		password-authenticated key agreement (PAKE) protocol, specifically
		designed to work around existing patents.

config OPENSSL_WITH_CMS
	bool
	default y
	prompt "Enable CMS (RFC 5652) support"
	help
		Cryptographic Message Syntax (CMS) is used to digitally sign,
		digest, authenticate, or encrypt arbitrary message content.

comment "Algorithm Selection"

config OPENSSL_WITH_EC2M
	bool
	prompt "Enable ec2m support"
	help
		This option enables the more efficient, yet less common, binary
		field elliptic curves.

config OPENSSL_WITH_CHACHA_POLY1305
	bool
	default y
	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
	help
		ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
		combining ChaCha stream cipher with Poly1305 MAC.
		It is 3x faster than AES, when not using a CPU with AES-specific
		instructions, as is the case of most embedded devices.

config OPENSSL_PREFER_CHACHA_OVER_GCM
	bool
	default y if !x86_64 && !aarch64
	prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
	depends on OPENSSL_WITH_CHACHA_POLY1305
	help
		The default openssl preference is for AES-GCM before ChaCha, but
		that takes into account AES-NI capable chips.  It is not the
		case with most embedded chips, so it may be better to invert
		that preference.  This is just for the default case. The
		application can always override this.

config OPENSSL_WITH_PSK
	bool
	default y
	prompt "Enable PSK support"
	help
		Build support for Pre-Shared Key based cipher suites.

comment "Less commonly used build options"

config OPENSSL_WITH_ARIA
	bool
	prompt "Enable ARIA support"
	help
		ARIA is a block cipher developed in South Korea, based on AES.

config OPENSSL_WITH_CAMELLIA
	bool
	prompt "Enable Camellia cipher support"
	help
		Camellia is a bock cipher with security levels and processing
		abilities comparable to AES.

config OPENSSL_WITH_IDEA
	bool
	default y if !SMALL_FLASH
	prompt "Enable IDEA cipher support (needs legacy provider)"
	help
		IDEA is a block cipher with 128-bit keys.
		To use the cipher, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_SEED
	bool
	default y if !SMALL_FLASH
	prompt "Enable SEED cipher support (needs legacy provider)"
	help
		SEED is a block cipher with 128-bit keys broadly used in
		South Korea, but seldom found elsewhere.
		To use the cipher, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_SM234
	bool
	prompt "Enable SM2/3/4 algorithms support"
	help
		These algorithms are a set of "Commercial Cryptography"
		algorithms approved for use in China.
		  * SM2 is an EC algorithm equivalent to ECDSA P-256
		  * SM3 is a hash function equivalent to SHA-256
		  * SM4 is a 128-block cipher equivalent to AES-128

config OPENSSL_WITH_BLAKE2
	bool
	prompt "Enable BLAKE2 digest support"
	help
		BLAKE2 is a cryptographic hash function based on the ChaCha
		stream cipher.

config OPENSSL_WITH_MDC2
	bool
	default y if !SMALL_FLASH
	prompt "Enable MDC2 digest support (needs legacy provider)"
	help
		To use the digest, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_WHIRLPOOL
	bool
	default y if !SMALL_FLASH
	prompt "Enable Whirlpool digest support (needs legacy provider)"
	help
		To use the digest, one must install the libopenssl-legacy
		package, using a main libopenssl package compiled with this
		option enabled as well.

config OPENSSL_WITH_COMPRESSION
	bool
	prompt "Enable compression support"
	help
		TLS compression is not recommended, as it is deemed insecure.
		The CRIME attack exploits this weakness.
		Even with this option turned on, it is disabled by default, and the
		application must explicitly turn it on.

config OPENSSL_WITH_RFC3779
	bool
	prompt "Enable RFC3779 support (BGP)"
	help
		RFC 3779 defines two X.509 v3 certificate extensions.  The first
		binds a list of IP address blocks, or prefixes, to the subject of a
		certificate.  The second binds a list of autonomous system
		identifiers to the subject of a certificate.  These extensions may be
		used to convey the authorization of the subject to use the IP
		addresses and autonomous system identifiers contained in the
		extensions.

comment "Engine/Hardware Support"

config OPENSSL_ENGINE
	bool "Enable engine support"
	select OPENSSL_WITH_DEPRECATED
	default y
	help
		This enables alternative cryptography implementations,
		most commonly for interfacing with external crypto devices,
		or supporting new/alternative ciphers and digests.
		If you compile the library with this option disabled, packages built
		using an engine-enabled library (i.e. from the official repo) may
		fail to run.  Compile and install the packages with engine support
		disabled, and you should be fine.
		Note that you need to enable KERNEL_AIO to be able to build the
		afalg engine package.

config OPENSSL_ENGINE_BUILTIN
	bool "Build chosen engines into libcrypto"
	depends on OPENSSL_ENGINE
	help
		This builds all chosen engines into libcrypto.so, instead of building
		them as dynamic engines in separate packages.
		The benefit of building the engines into libcrypto is that they won't
		require any configuration to be used by default.

config OPENSSL_ENGINE_BUILTIN_AFALG
	bool
	prompt "Acceleration support through AF_ALG sockets engine"
	depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through the
		AF_ALG kernel interface.

config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
	bool
	prompt "Acceleration support through /dev/crypto"
	depends on OPENSSL_ENGINE_BUILTIN
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through OpenBSD
		Cryptodev API (/dev/crypto) interface.
		Even though configuration is not strictly needed, it is worth seeing
		https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
		for information on how to configure the engine.

config OPENSSL_ENGINE_BUILTIN_PADLOCK
	bool
	prompt "VIA Padlock Acceleration support engine"
	depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
	select PACKAGE_libopenssl-conf
	help
		This enables use of hardware acceleration through the
		VIA Padlock module.

config OPENSSL_WITH_ASYNC
	bool
	prompt "Enable asynchronous jobs support"
	depends on OPENSSL_ENGINE && USE_GLIBC
	help
		Enables async-aware applications to be able to use OpenSSL to
		initiate crypto operations asynchronously. In order to work
		this will require the presence of an async capable engine.

endif