blob: 3f48996fcd59769538d8f9332cebe935a1586869 [file] [log] [blame]
# TLS/DTLS related options
# Copyright (c) 2018 Intel Corporation
# Copyright (c) 2018 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0
menu "TLS configuration"
depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"
menu "Supported TLS version"
config MBEDTLS_TLS_VERSION_1_0
bool "Support for TLS 1.0"
select MBEDTLS_CIPHER
select MBEDTLS_MAC_MD5_ENABLED
select MBEDTLS_MAC_SHA1_ENABLED
select MBEDTLS_MD
config MBEDTLS_TLS_VERSION_1_1
bool "Support for TLS 1.1 (DTLS 1.0)"
select MBEDTLS_CIPHER
select MBEDTLS_MAC_MD5_ENABLED
select MBEDTLS_MAC_SHA1_ENABLED
select MBEDTLS_MD
config MBEDTLS_TLS_VERSION_1_2
bool "Support for TLS 1.2 (DTLS 1.2)"
default y if !NET_L2_OPENTHREAD
select MBEDTLS_CIPHER
select MBEDTLS_MD
config MBEDTLS_DTLS
bool "Support for DTLS"
depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
config MBEDTLS_SSL_EXPORT_KEYS
bool "Support for exporting SSL key block and master secret"
depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
config MBEDTLS_SSL_ALPN
bool "Support for setting the supported Application Layer Protocols"
depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
endmenu
menu "Ciphersuite configuration"
comment "Supported key exchange modes"
config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
bool "All available ciphersuite modes"
select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
bool "PSK based ciphersuite modes"
config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
bool "DHE-PSK based ciphersuite modes"
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
bool "ECDHE-PSK based ciphersuite modes"
depends on MBEDTLS_ECDH_C
config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
bool "RSA-PSK based ciphersuite modes"
config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
bool
default y if MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || \
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || \
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
config MBEDTLS_PSK_MAX_LEN
int "Max size of TLS pre-shared keys"
default 32
depends on MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
help
Max size of TLS pre-shared keys, in bytes.
config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
bool "RSA-only based ciphersuite modes"
default y if !NET_L2_OPENTHREAD
config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
bool "DHE-RSA based ciphersuite modes"
config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
bool "ECDHE-RSA based ciphersuite modes"
depends on MBEDTLS_ECDH_C
config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
bool "ECDHE-ECDSA based ciphersuite modes"
depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
bool "ECDH-ECDSA based ciphersuite modes"
depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
config MBEDTLS_ECDSA_DETERMINISTIC
bool "Deterministic ECDSA (RFC 6979)"
config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
bool "ECDH-RSA based ciphersuite modes"
depends on MBEDTLS_ECDH_C
config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
bool "ECJPAKE based ciphersuite modes"
depends on MBEDTLS_ECJPAKE_C
config MBEDTLS_HKDF_C
bool "HMAC-based Extract-and-Expand Key Derivation Function"
comment "Elliptic curve libraries"
config MBEDTLS_ECDH_C
bool "Elliptic curve Diffie-Hellman library"
depends on MBEDTLS_ECP_C
config MBEDTLS_ECDSA_C
bool "Elliptic curve DSA library"
depends on MBEDTLS_ECP_C
config MBEDTLS_ECJPAKE_C
bool "Elliptic curve J-PAKE library"
depends on MBEDTLS_ECP_C
config MBEDTLS_ECP_C
bool "Elliptic curve over GF(p) library"
default y if UOSCORE || UEDHOC
if MBEDTLS_ECP_C
comment "Supported elliptic curves"
config MBEDTLS_ECP_ALL_ENABLED
bool "All available elliptic curves"
select MBEDTLS_ECP_DP_SECP192R1_ENABLED
select MBEDTLS_ECP_DP_SECP192R1_ENABLED
select MBEDTLS_ECP_DP_SECP224R1_ENABLED
select MBEDTLS_ECP_DP_SECP256R1_ENABLED
select MBEDTLS_ECP_DP_SECP384R1_ENABLED
select MBEDTLS_ECP_DP_SECP521R1_ENABLED
select MBEDTLS_ECP_DP_SECP192K1_ENABLED
select MBEDTLS_ECP_DP_SECP224K1_ENABLED
select MBEDTLS_ECP_DP_SECP256K1_ENABLED
select MBEDTLS_ECP_DP_BP256R1_ENABLED
select MBEDTLS_ECP_DP_BP384R1_ENABLED
select MBEDTLS_ECP_DP_BP512R1_ENABLED
select MBEDTLS_ECP_DP_CURVE25519_ENABLED
select MBEDTLS_ECP_DP_CURVE448_ENABLED
select MBEDTLS_ECP_NIST_OPTIM
config MBEDTLS_ECP_DP_SECP192R1_ENABLED
bool "SECP192R1 elliptic curve"
config MBEDTLS_ECP_DP_SECP224R1_ENABLED
bool "SECP224R1 elliptic curve"
config MBEDTLS_ECP_DP_SECP256R1_ENABLED
bool "SECP256R1 elliptic curve"
default y if UOSCORE || UEDHOC
config MBEDTLS_ECP_DP_SECP384R1_ENABLED
bool "SECP384R1 elliptic curve"
config MBEDTLS_ECP_DP_SECP521R1_ENABLED
bool "SECP521R1 elliptic curve"
config MBEDTLS_ECP_DP_SECP192K1_ENABLED
bool "SECP192K1 elliptic curve"
config MBEDTLS_ECP_DP_SECP224K1_ENABLED
bool "SECP224K1 elliptic curve"
config MBEDTLS_ECP_DP_SECP256K1_ENABLED
bool "SECP256K1 elliptic curve"
config MBEDTLS_ECP_DP_BP256R1_ENABLED
bool "BP256R1 elliptic curve"
config MBEDTLS_ECP_DP_BP384R1_ENABLED
bool "BP384R1 elliptic curve"
config MBEDTLS_ECP_DP_BP512R1_ENABLED
bool "BP512R1 elliptic curve"
config MBEDTLS_ECP_DP_CURVE25519_ENABLED
bool "CURVE25519 elliptic curve"
config MBEDTLS_ECP_DP_CURVE448_ENABLED
bool "CURVE448 elliptic curve"
config MBEDTLS_ECP_NIST_OPTIM
bool "NSIT curves optimization"
endif
comment "Supported hash"
config MBEDTLS_HASH_ALL_ENABLED
bool "All available hashes"
select MBEDTLS_HASH_SHA256_ENABLED
select MBEDTLS_HASH_SHA384_ENABLED
select MBEDTLS_HASH_SHA512_ENABLED
config MBEDTLS_HASH_SHA256_ENABLED
bool "SHA256 hash"
default y if !NET_L2_OPENTHREAD
config MBEDTLS_HASH_SHA384_ENABLED
bool "SHA384 hash"
default y if !NET_L2_OPENTHREAD
select MBEDTLS_HASH_SHA512_ENABLED
config MBEDTLS_HASH_SHA512_ENABLED
bool "SHA512 hash"
default y if !NET_L2_OPENTHREAD
comment "Supported cipher modes"
config MBEDTLS_CIPHER_ALL_ENABLED
bool "All available ciphers"
select MBEDTLS_CIPHER_AES_ENABLED
select MBEDTLS_CIPHER_CAMELLIA_ENABLED
select MBEDTLS_CIPHER_DES_ENABLED
select MBEDTLS_CIPHER_ARC4_ENABLED
select MBEDTLS_CIPHER_CHACHA20_ENABLED
select MBEDTLS_CIPHER_BLOWFISH_ENABLED
select MBEDTLS_CIPHER_CCM_ENABLED
select MBEDTLS_CIPHER_GCM_ENABLED
select MBEDTLS_CIPHER_MODE_XTS_ENABLED
select MBEDTLS_CIPHER_MODE_CBC_ENABLED
select MBEDTLS_CIPHER_MODE_CTR_ENABLED
select MBEDTLS_CHACHAPOLY_AEAD_ENABLED
config MBEDTLS_CIPHER_AES_ENABLED
bool "AES block cipher"
default y
config MBEDTLS_AES_ROM_TABLES
depends on MBEDTLS_CIPHER_AES_ENABLED
bool "Use precomputed AES tables stored in ROM."
default y
config MBEDTLS_AES_FEWER_TABLES
depends on MBEDTLS_CIPHER_AES_ENABLED
bool "Reduce the size of precomputed AES tables by ~6kB"
help
Reduce the size of the AES tables at a tradeoff of more
arithmetic operations at runtime. Specifically 4 table
lookups are converted to 1 table lookup, 3 additions
and 6 bit shifts.
config MBEDTLS_CIPHER_CAMELLIA_ENABLED
bool "Camellia block cipher"
config MBEDTLS_CIPHER_DES_ENABLED
bool "DES block cipher"
default y if !NET_L2_OPENTHREAD
config MBEDTLS_CIPHER_ARC4_ENABLED
bool "ARC4 stream cipher"
config MBEDTLS_CIPHER_CHACHA20_ENABLED
bool "ChaCha20 stream cipher"
config MBEDTLS_CIPHER_BLOWFISH_ENABLED
bool "Blowfish block cipher"
config MBEDTLS_CIPHER_CCM_ENABLED
bool "Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
default y if UOSCORE || UEDHOC
config MBEDTLS_CIPHER_GCM_ENABLED
bool "Galois/Counter Mode (GCM) for AES"
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
config MBEDTLS_CIPHER_MODE_XTS_ENABLED
bool "Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
config MBEDTLS_CIPHER_MODE_CBC_ENABLED
bool "Cipher Block Chaining mode (CBC) for symmetric ciphers"
default y if !NET_L2_OPENTHREAD
config MBEDTLS_CIPHER_MODE_CTR_ENABLED
bool "Counter Block Cipher mode (CTR) for symmetric ciphers."
config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
bool "ChaCha20-Poly1305 AEAD algorithm"
depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED
comment "Supported message authentication methods"
config MBEDTLS_MAC_ALL_ENABLED
bool "All available MAC methods"
select MBEDTLS_MAC_MD4_ENABLED
select MBEDTLS_MAC_MD5_ENABLED
select MBEDTLS_MAC_SHA1_ENABLED
select MBEDTLS_MAC_SHA256_ENABLED
select MBEDTLS_MAC_SHA384_ENABLED
select MBEDTLS_MAC_SHA512_ENABLED
select MBEDTLS_MAC_POLY1305_ENABLED
select MBEDTLS_MAC_CMAC_ENABLED
config MBEDTLS_MAC_MD4_ENABLED
bool "MD4 hash algorithm"
config MBEDTLS_MAC_MD5_ENABLED
bool "MD5 hash algorithm"
default y if !NET_L2_OPENTHREAD
config MBEDTLS_MAC_SHA1_ENABLED
bool "SHA1 hash algorithm"
default y if !NET_L2_OPENTHREAD
config MBEDTLS_MAC_SHA256_ENABLED
bool "SHA-224 and SHA-256 hash algorithms"
default y
config MBEDTLS_SHA256_SMALLER
bool "Smaller SHA-256 implementation"
depends on MBEDTLS_MAC_SHA256_ENABLED
default y
help
Enable an implementation of SHA-256 that has lower ROM footprint but also
lower performance
config MBEDTLS_MAC_SHA384_ENABLED
bool "SHA-384 hash algorithm"
select MBEDTLS_MAC_SHA512_ENABLED
config MBEDTLS_MAC_SHA512_ENABLED
bool "SHA-512 hash algorithm"
config MBEDTLS_MAC_POLY1305_ENABLED
bool "Poly1305 MAC algorithm"
config MBEDTLS_MAC_CMAC_ENABLED
bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
endmenu
comment "Random number generators"
config MBEDTLS_CTR_DRBG_ENABLED
bool "CTR_DRBG AES-256-based random generator"
depends on MBEDTLS_CIPHER_AES_ENABLED
default y
config MBEDTLS_HMAC_DRBG_ENABLED
bool "HMAC_DRBG random generator"
select MBEDTLS_MD
comment "Other configurations"
config MBEDTLS_CIPHER
bool "generic cipher layer."
config MBEDTLS_MD
bool "generic message digest layer."
config MBEDTLS_GENPRIME_ENABLED
bool "prime-number generation code."
config MBEDTLS_PEM_CERTIFICATE_FORMAT
bool "Support for PEM certificate format"
help
By default only DER (binary) format of certificates is supported. Enable
this option to enable support for PEM format.
config MBEDTLS_HAVE_ASM
bool "Use of assembly code"
default y if !ARM
help
Enable use of assembly code in mbedTLS. This improves the performances
of asymmetric cryptography, however this might have an impact on the
code size.
config MBEDTLS_ENTROPY_ENABLED
bool "MbedTLS generic entropy pool"
depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA384_ENABLED || MBEDTLS_MAC_SHA512_ENABLED
default y if MBEDTLS_ZEPHYR_ENTROPY
config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
bool "MbedTLS optimizations for OpenThread"
depends on NET_L2_OPENTHREAD
default y if !NET_SOCKETS_SOCKOPT_TLS
help
Enable some OpenThread specific mbedTLS optimizations that allows to
save some RAM/ROM when OpenThread is used. Note, that when application
aims to use other mbedTLS services on top of OpenThread (e.g. secure
sockets), it's advised to disable this option.
config MBEDTLS_USER_CONFIG_ENABLE
bool "User mbedTLS config file"
help
Enable user mbedTLS config file that will be included at the end of
the generic config file.
config MBEDTLS_USER_CONFIG_FILE
string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE
help
User config file that can contain mbedTLS configs that were not
covered by the generic config file.
config MBEDTLS_SERVER_NAME_INDICATION
bool "Support for RFC 6066 server name indication (SNI) in SSL"
help
Enable this to support RFC 6066 server name indication (SNI) in SSL.
This requires that MBEDTLS_X509_CRT_PARSE_C is also set.
config MBEDTLS_PK_WRITE_C
bool "The generic public (asymmetric) key writer"
default y if MBEDTLS_PSA_CRYPTO_C
help
Enable generic public key write functions.
config MBEDTLS_HAVE_TIME_DATE
bool "Date/time validation in mbed TLS"
help
System has time.h, time(), and an implementation for gmtime_r().
There also need to be a valid time source in the system, as mbedTLS
expects a valid date/time for certificate validation."
config MBEDTLS_PKCS5_C
bool "Password-based encryption functions"
select MBEDTLS_MD
help
Enable PKCS5 functions
config MBEDTLS_SSL_CACHE_C
bool "SSL session cache support"
help
"This option enables simple SSL cache implementation (server side)."
config MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
int "Default timeout for SSL cache entires"
depends on MBEDTLS_SSL_CACHE_C
default 86400
config MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
int "Maximum number of SSL cache entires"
depends on MBEDTLS_SSL_CACHE_C
default 5
config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
bool "(D)TLS Extended Master Secret extension"
depends on MBEDTLS_TLS_VERSION_1_2
help
Enable support for the (D)TLS Extended Master Secret extension
which ensures that master secrets are different for every
connection and every session.
config MBEDTLS_PSA_CRYPTO_C
bool "Platform Security Architecture cryptography API"
depends on MBEDTLS_ENTROPY_ENABLED
depends on MBEDTLS_CTR_DRBG_ENABLED || MBEDTLS_HMAC_DRBG_ENABLED
default y if UOSCORE || UEDHOC
config MBEDTLS_LMS
bool "Support LMS signature schemes"
depends on MBEDTLS_PSA_CRYPTO_C
depends on MBEDTLS_HASH_SHA256_ENABLED
config MBEDTLS_SSL_DTLS_CONNECTION_ID
bool "DTLS Connection ID extension"
depends on MBEDTLS_DTLS
help
Enable support for the DTLS Connection ID extension
which allows to identify DTLS connections across changes
in the underlying transport.
endmenu