Initial commit

package/libs/openssl/Config.in

@@ -0,0 +1,310 @@
+if PACKAGE_libopenssl
+
+comment "Build Options"
+
+config OPENSSL_OPTIMIZE_SPEED
+	bool
+	default y if x86_64 || i386
+	prompt "Enable optimization for speed instead of size"
+	select OPENSSL_WITH_ASM
+	help
+		Enabling this option increases code size and performance.
+		The increase in performance and size depends on the
+		target CPU. EC and AES seem to benefit the most.
+
+config OPENSSL_SMALL_FOOTPRINT
+	bool
+	depends on !OPENSSL_OPTIMIZE_SPEED
+	default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
+	prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
+	help
+		This turns on -DOPENSSL_SMALL_FOOTPRINT.  This will save only
+		1-3% of of the ipk size.  The performance drop depends on
+		architecture and algorithm.  MIPS drops 13% of performance for
+		a 3% decrease in ipk size.  On Aarch64, for a 1% reduction in
+		size, ghash and GCM performance decreases 90%, while
+		Chacha20-Poly1305 is 15% slower.  X86_64 drops 1% of its size
+		for 3% of performance.  Other arches have not been tested.
+
+config OPENSSL_WITH_ASM
+	bool
+	default y
+	prompt "Compile with optimized assembly code"
+	depends on !arc
+	help
+		Disabling this option will reduce code size and performance.
+		The increase in performance and size depends on the target
+		CPU and on the algorithms being optimized.
+
+config OPENSSL_WITH_SSE2
+	bool
+	default y if !TARGET_x86_legacy && !TARGET_x86_geode
+	prompt "Enable use of x86 SSE2 instructions"
+	depends on OPENSSL_WITH_ASM && i386
+	help
+		Use of SSE2 instructions greatly increase performance with a
+		minimum increase in package size, but it will bring no benefit
+		if your hardware does not support them, such as Geode GX and LX.
+		AMD Geode NX, and Intel Pentium 4 and above support SSE2.
+
+config OPENSSL_WITH_DEPRECATED
+	bool
+	default y
+	prompt "Include deprecated APIs"
+	help
+		This drops all deprecated API, including engine support.
+
+config OPENSSL_NO_DEPRECATED
+	bool
+	default !OPENSSL_WITH_DEPRECATED
+
+config OPENSSL_WITH_ERROR_MESSAGES
+	bool
+	default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
+	prompt "Include error messages"
+	help
+		This option aids debugging, but increases package size and
+		memory usage.
+
+comment "Protocol Support"
+
+config OPENSSL_WITH_TLS13
+	bool
+	default y
+	prompt "Enable support for TLS 1.3"
+	help
+		TLS 1.3 is the newest version of the TLS specification.
+		It aims:
+		 * to increase the overall security of the protocol,
+		   removing outdated algorithms, and encrypting more of the
+		   protocol;
+		 * to increase performance by reducing the number of round-trips
+		   when performing a full handshake.
+
+config OPENSSL_WITH_DTLS
+	bool
+	prompt "Enable DTLS support"
+	help
+		Datagram Transport Layer Security (DTLS) provides TLS-like security
+		for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
+
+config OPENSSL_WITH_NPN
+	bool
+	prompt "Enable NPN support"
+	help
+		NPN is a TLS extension, obsoleted and replaced with ALPN,
+		used to negotiate SPDY, and HTTP/2.
+
+config OPENSSL_WITH_SRP
+	bool
+	default y
+	prompt "Enable SRP support"
+	help
+		The Secure Remote Password protocol (SRP) is an augmented
+		password-authenticated key agreement (PAKE) protocol, specifically
+		designed to work around existing patents.
+
+config OPENSSL_WITH_CMS
+	bool
+	default y
+	prompt "Enable CMS (RFC 5652) support"
+	help
+		Cryptographic Message Syntax (CMS) is used to digitally sign,
+		digest, authenticate, or encrypt arbitrary message content.
+
+comment "Algorithm Selection"
+
+config OPENSSL_WITH_EC2M
+	bool
+	prompt "Enable ec2m support"
+	help
+		This option enables the more efficient, yet less common, binary
+		field elliptic curves.
+
+config OPENSSL_WITH_CHACHA_POLY1305
+	bool
+	default y
+	prompt "Enable ChaCha20-Poly1305 ciphersuite support"
+	help
+		ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
+		combining ChaCha stream cipher with Poly1305 MAC.
+		It is 3x faster than AES, when not using a CPU with AES-specific
+		instructions, as is the case of most embedded devices.
+
+config OPENSSL_PREFER_CHACHA_OVER_GCM
+	bool
+	default y if !x86_64 && !aarch64
+	prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
+	depends on OPENSSL_WITH_CHACHA_POLY1305
+	help
+		The default openssl preference is for AES-GCM before ChaCha, but
+		that takes into account AES-NI capable chips.  It is not the
+		case with most embedded chips, so it may be better to invert
+		that preference.  This is just for the default case. The
+		application can always override this.
+
+config OPENSSL_WITH_PSK
+	bool
+	default y
+	prompt "Enable PSK support"
+	help
+		Build support for Pre-Shared Key based cipher suites.
+
+comment "Less commonly used build options"
+
+config OPENSSL_WITH_ARIA
+	bool
+	prompt "Enable ARIA support"
+	help
+		ARIA is a block cipher developed in South Korea, based on AES.
+
+config OPENSSL_WITH_CAMELLIA
+	bool
+	prompt "Enable Camellia cipher support"
+	help
+		Camellia is a bock cipher with security levels and processing
+		abilities comparable to AES.
+
+config OPENSSL_WITH_IDEA
+	bool
+	default y if !SMALL_FLASH
+	prompt "Enable IDEA cipher support (needs legacy provider)"
+	help
+		IDEA is a block cipher with 128-bit keys.
+		To use the cipher, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
+
+config OPENSSL_WITH_SEED
+	bool
+	default y if !SMALL_FLASH
+	prompt "Enable SEED cipher support (needs legacy provider)"
+	help
+		SEED is a block cipher with 128-bit keys broadly used in
+		South Korea, but seldom found elsewhere.
+		To use the cipher, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
+
+config OPENSSL_WITH_SM234
+	bool
+	prompt "Enable SM2/3/4 algorithms support"
+	help
+		These algorithms are a set of "Commercial Cryptography"
+		algorithms approved for use in China.
+		  * SM2 is an EC algorithm equivalent to ECDSA P-256
+		  * SM3 is a hash function equivalent to SHA-256
+		  * SM4 is a 128-block cipher equivalent to AES-128
+
+config OPENSSL_WITH_BLAKE2
+	bool
+	prompt "Enable BLAKE2 digest support"
+	help
+		BLAKE2 is a cryptographic hash function based on the ChaCha
+		stream cipher.
+
+config OPENSSL_WITH_MDC2
+	bool
+	default y if !SMALL_FLASH
+	prompt "Enable MDC2 digest support (needs legacy provider)"
+	help
+		To use the digest, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
+
+config OPENSSL_WITH_WHIRLPOOL
+	bool
+	default y if !SMALL_FLASH
+	prompt "Enable Whirlpool digest support (needs legacy provider)"
+	help
+		To use the digest, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
+
+config OPENSSL_WITH_COMPRESSION
+	bool
+	prompt "Enable compression support"
+	help
+		TLS compression is not recommended, as it is deemed insecure.
+		The CRIME attack exploits this weakness.
+		Even with this option turned on, it is disabled by default, and the
+		application must explicitly turn it on.
+
+config OPENSSL_WITH_RFC3779
+	bool
+	prompt "Enable RFC3779 support (BGP)"
+	help
+		RFC 3779 defines two X.509 v3 certificate extensions.  The first
+		binds a list of IP address blocks, or prefixes, to the subject of a
+		certificate.  The second binds a list of autonomous system
+		identifiers to the subject of a certificate.  These extensions may be
+		used to convey the authorization of the subject to use the IP
+		addresses and autonomous system identifiers contained in the
+		extensions.
+
+comment "Engine/Hardware Support"
+
+config OPENSSL_ENGINE
+	bool "Enable engine support"
+	select OPENSSL_WITH_DEPRECATED
+	default y
+	help
+		This enables alternative cryptography implementations,
+		most commonly for interfacing with external crypto devices,
+		or supporting new/alternative ciphers and digests.
+		If you compile the library with this option disabled, packages built
+		using an engine-enabled library (i.e. from the official repo) may
+		fail to run.  Compile and install the packages with engine support
+		disabled, and you should be fine.
+		Note that you need to enable KERNEL_AIO to be able to build the
+		afalg engine package.
+
+config OPENSSL_ENGINE_BUILTIN
+	bool "Build chosen engines into libcrypto"
+	depends on OPENSSL_ENGINE
+	help
+		This builds all chosen engines into libcrypto.so, instead of building
+		them as dynamic engines in separate packages.
+		The benefit of building the engines into libcrypto is that they won't
+		require any configuration to be used by default.
+
+config OPENSSL_ENGINE_BUILTIN_AFALG
+	bool
+	prompt "Acceleration support through AF_ALG sockets engine"
+	depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
+	select PACKAGE_libopenssl-conf
+	help
+		This enables use of hardware acceleration through the
+		AF_ALG kernel interface.
+
+config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
+	bool
+	prompt "Acceleration support through /dev/crypto"
+	depends on OPENSSL_ENGINE_BUILTIN
+	select PACKAGE_libopenssl-conf
+	help
+		This enables use of hardware acceleration through OpenBSD
+		Cryptodev API (/dev/crypto) interface.
+		Even though configuration is not strictly needed, it is worth seeing
+		https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
+		for information on how to configure the engine.
+
+config OPENSSL_ENGINE_BUILTIN_PADLOCK
+	bool
+	prompt "VIA Padlock Acceleration support engine"
+	depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
+	select PACKAGE_libopenssl-conf
+	help
+		This enables use of hardware acceleration through the
+		VIA Padlock module.
+
+config OPENSSL_WITH_ASYNC
+	bool
+	prompt "Enable asynchronous jobs support"
+	depends on OPENSSL_ENGINE && USE_GLIBC
+	help
+		Enables async-aware applications to be able to use OpenSSL to
+		initiate crypto operations asynchronously. In order to work
+		this will require the presence of an async capable engine.
+
+endif