| # TLS/DTLS related options |
| |
| # Copyright (c) 2018 Intel Corporation |
| # Copyright (c) 2018 Nordic Semiconductor ASA |
| # SPDX-License-Identifier: Apache-2.0 |
| |
| menu "TLS configuration" |
| depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" |
| |
| menu "Supported TLS version" |
| |
| config MBEDTLS_TLS_VERSION_1_0 |
| bool "Support for TLS 1.0" |
| select MBEDTLS_CIPHER |
| select MBEDTLS_MAC_MD5_ENABLED |
| select MBEDTLS_MAC_SHA1_ENABLED |
| select MBEDTLS_MD |
| |
| config MBEDTLS_TLS_VERSION_1_1 |
| bool "Support for TLS 1.1 (DTLS 1.0)" |
| select MBEDTLS_CIPHER |
| select MBEDTLS_MAC_MD5_ENABLED |
| select MBEDTLS_MAC_SHA1_ENABLED |
| select MBEDTLS_MD |
| |
| config MBEDTLS_TLS_VERSION_1_2 |
| bool "Support for TLS 1.2 (DTLS 1.2)" |
| default y if !NET_L2_OPENTHREAD |
| select MBEDTLS_CIPHER |
| select MBEDTLS_MD |
| |
| config MBEDTLS_DTLS |
| bool "Support for DTLS" |
| depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 |
| |
| config MBEDTLS_SSL_EXPORT_KEYS |
| bool "Support for exporting SSL key block and master secret" |
| depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 |
| |
| config MBEDTLS_SSL_ALPN |
| bool "Support for setting the supported Application Layer Protocols" |
| depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 |
| |
| endmenu |
| |
| menu "Ciphersuite configuration" |
| |
| comment "Supported key exchange modes" |
| |
| config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED |
| bool "All available ciphersuite modes" |
| select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED |
| select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED |
| select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED |
| select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED |
| select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED |
| select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED |
| select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED |
| select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED |
| select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED |
| select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED |
| select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED |
| |
| config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED |
| bool "PSK based ciphersuite modes" |
| |
| config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED |
| bool "DHE-PSK based ciphersuite modes" |
| |
| config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED |
| bool "ECDHE-PSK based ciphersuite modes" |
| depends on MBEDTLS_ECDH_C |
| |
| config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED |
| bool "RSA-PSK based ciphersuite modes" |
| |
| config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED |
| bool |
| default y if MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || \ |
| MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || \ |
| MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ |
| MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED |
| |
| config MBEDTLS_PSK_MAX_LEN |
| int "Max size of TLS pre-shared keys" |
| default 32 |
| depends on MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED |
| help |
| Max size of TLS pre-shared keys, in bytes. |
| |
| config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED |
| bool "RSA-only based ciphersuite modes" |
| default y if !NET_L2_OPENTHREAD |
| |
| config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED |
| bool "DHE-RSA based ciphersuite modes" |
| |
| config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED |
| bool "ECDHE-RSA based ciphersuite modes" |
| depends on MBEDTLS_ECDH_C |
| |
| config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED |
| bool "ECDHE-ECDSA based ciphersuite modes" |
| depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C |
| |
| config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED |
| bool "ECDH-ECDSA based ciphersuite modes" |
| depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C |
| |
| config MBEDTLS_ECDSA_DETERMINISTIC |
| bool "Deterministic ECDSA (RFC 6979)" |
| |
| config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED |
| bool "ECDH-RSA based ciphersuite modes" |
| depends on MBEDTLS_ECDH_C |
| |
| config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED |
| bool "ECJPAKE based ciphersuite modes" |
| depends on MBEDTLS_ECJPAKE_C |
| |
| config MBEDTLS_HKDF_C |
| bool "HMAC-based Extract-and-Expand Key Derivation Function" |
| |
| comment "Elliptic curve libraries" |
| |
| config MBEDTLS_ECDH_C |
| bool "Elliptic curve Diffie-Hellman library" |
| depends on MBEDTLS_ECP_C |
| |
| config MBEDTLS_ECDSA_C |
| bool "Elliptic curve DSA library" |
| depends on MBEDTLS_ECP_C |
| |
| config MBEDTLS_ECJPAKE_C |
| bool "Elliptic curve J-PAKE library" |
| depends on MBEDTLS_ECP_C |
| |
| config MBEDTLS_ECP_C |
| bool "Elliptic curve over GF(p) library" |
| default y if UOSCORE || UEDHOC |
| |
| if MBEDTLS_ECP_C |
| |
| comment "Supported elliptic curves" |
| |
| config MBEDTLS_ECP_ALL_ENABLED |
| bool "All available elliptic curves" |
| select MBEDTLS_ECP_DP_SECP192R1_ENABLED |
| select MBEDTLS_ECP_DP_SECP192R1_ENABLED |
| select MBEDTLS_ECP_DP_SECP224R1_ENABLED |
| select MBEDTLS_ECP_DP_SECP256R1_ENABLED |
| select MBEDTLS_ECP_DP_SECP384R1_ENABLED |
| select MBEDTLS_ECP_DP_SECP521R1_ENABLED |
| select MBEDTLS_ECP_DP_SECP192K1_ENABLED |
| select MBEDTLS_ECP_DP_SECP224K1_ENABLED |
| select MBEDTLS_ECP_DP_SECP256K1_ENABLED |
| select MBEDTLS_ECP_DP_BP256R1_ENABLED |
| select MBEDTLS_ECP_DP_BP384R1_ENABLED |
| select MBEDTLS_ECP_DP_BP512R1_ENABLED |
| select MBEDTLS_ECP_DP_CURVE25519_ENABLED |
| select MBEDTLS_ECP_DP_CURVE448_ENABLED |
| select MBEDTLS_ECP_NIST_OPTIM |
| |
| config MBEDTLS_ECP_DP_SECP192R1_ENABLED |
| bool "SECP192R1 elliptic curve" |
| |
| config MBEDTLS_ECP_DP_SECP224R1_ENABLED |
| bool "SECP224R1 elliptic curve" |
| |
| config MBEDTLS_ECP_DP_SECP256R1_ENABLED |
| bool "SECP256R1 elliptic curve" |
| default y if UOSCORE || UEDHOC |
| |
| config MBEDTLS_ECP_DP_SECP384R1_ENABLED |
| bool "SECP384R1 elliptic curve" |
| |
| config MBEDTLS_ECP_DP_SECP521R1_ENABLED |
| bool "SECP521R1 elliptic curve" |
| |
| config MBEDTLS_ECP_DP_SECP192K1_ENABLED |
| bool "SECP192K1 elliptic curve" |
| |
| config MBEDTLS_ECP_DP_SECP224K1_ENABLED |
| bool "SECP224K1 elliptic curve" |
| |
| config MBEDTLS_ECP_DP_SECP256K1_ENABLED |
| bool "SECP256K1 elliptic curve" |
| |
| config MBEDTLS_ECP_DP_BP256R1_ENABLED |
| bool "BP256R1 elliptic curve" |
| |
| config MBEDTLS_ECP_DP_BP384R1_ENABLED |
| bool "BP384R1 elliptic curve" |
| |
| config MBEDTLS_ECP_DP_BP512R1_ENABLED |
| bool "BP512R1 elliptic curve" |
| |
| config MBEDTLS_ECP_DP_CURVE25519_ENABLED |
| bool "CURVE25519 elliptic curve" |
| |
| config MBEDTLS_ECP_DP_CURVE448_ENABLED |
| bool "CURVE448 elliptic curve" |
| |
| config MBEDTLS_ECP_NIST_OPTIM |
| bool "NSIT curves optimization" |
| |
| endif |
| |
| comment "Supported hash" |
| |
| config MBEDTLS_HASH_ALL_ENABLED |
| bool "All available hashes" |
| select MBEDTLS_HASH_SHA256_ENABLED |
| select MBEDTLS_HASH_SHA384_ENABLED |
| select MBEDTLS_HASH_SHA512_ENABLED |
| |
| config MBEDTLS_HASH_SHA256_ENABLED |
| bool "SHA256 hash" |
| default y if !NET_L2_OPENTHREAD |
| |
| config MBEDTLS_HASH_SHA384_ENABLED |
| bool "SHA384 hash" |
| default y if !NET_L2_OPENTHREAD |
| select MBEDTLS_HASH_SHA512_ENABLED |
| |
| config MBEDTLS_HASH_SHA512_ENABLED |
| bool "SHA512 hash" |
| default y if !NET_L2_OPENTHREAD |
| |
| comment "Supported cipher modes" |
| |
| config MBEDTLS_CIPHER_ALL_ENABLED |
| bool "All available ciphers" |
| select MBEDTLS_CIPHER_AES_ENABLED |
| select MBEDTLS_CIPHER_CAMELLIA_ENABLED |
| select MBEDTLS_CIPHER_DES_ENABLED |
| select MBEDTLS_CIPHER_ARC4_ENABLED |
| select MBEDTLS_CIPHER_CHACHA20_ENABLED |
| select MBEDTLS_CIPHER_BLOWFISH_ENABLED |
| select MBEDTLS_CIPHER_CCM_ENABLED |
| select MBEDTLS_CIPHER_GCM_ENABLED |
| select MBEDTLS_CIPHER_MODE_XTS_ENABLED |
| select MBEDTLS_CIPHER_MODE_CBC_ENABLED |
| select MBEDTLS_CIPHER_MODE_CTR_ENABLED |
| select MBEDTLS_CHACHAPOLY_AEAD_ENABLED |
| |
| config MBEDTLS_CIPHER_AES_ENABLED |
| bool "AES block cipher" |
| default y |
| |
| config MBEDTLS_AES_ROM_TABLES |
| depends on MBEDTLS_CIPHER_AES_ENABLED |
| bool "Use precomputed AES tables stored in ROM." |
| default y |
| |
| config MBEDTLS_AES_FEWER_TABLES |
| depends on MBEDTLS_CIPHER_AES_ENABLED |
| bool "Reduce the size of precomputed AES tables by ~6kB" |
| help |
| Reduce the size of the AES tables at a tradeoff of more |
| arithmetic operations at runtime. Specifically 4 table |
| lookups are converted to 1 table lookup, 3 additions |
| and 6 bit shifts. |
| |
| config MBEDTLS_CIPHER_CAMELLIA_ENABLED |
| bool "Camellia block cipher" |
| |
| config MBEDTLS_CIPHER_DES_ENABLED |
| bool "DES block cipher" |
| default y if !NET_L2_OPENTHREAD |
| |
| config MBEDTLS_CIPHER_ARC4_ENABLED |
| bool "ARC4 stream cipher" |
| |
| config MBEDTLS_CIPHER_CHACHA20_ENABLED |
| bool "ChaCha20 stream cipher" |
| |
| config MBEDTLS_CIPHER_BLOWFISH_ENABLED |
| bool "Blowfish block cipher" |
| |
| config MBEDTLS_CIPHER_CCM_ENABLED |
| bool "Counter with CBC-MAC (CCM) mode for 128-bit block cipher" |
| depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED |
| default y if UOSCORE || UEDHOC |
| |
| config MBEDTLS_CIPHER_GCM_ENABLED |
| bool "Galois/Counter Mode (GCM) for AES" |
| depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED |
| |
| config MBEDTLS_CIPHER_MODE_XTS_ENABLED |
| bool "Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES" |
| depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED |
| |
| config MBEDTLS_CIPHER_MODE_CBC_ENABLED |
| bool "Cipher Block Chaining mode (CBC) for symmetric ciphers" |
| default y if !NET_L2_OPENTHREAD |
| |
| config MBEDTLS_CIPHER_MODE_CTR_ENABLED |
| bool "Counter Block Cipher mode (CTR) for symmetric ciphers." |
| |
| config MBEDTLS_CHACHAPOLY_AEAD_ENABLED |
| bool "ChaCha20-Poly1305 AEAD algorithm" |
| depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED |
| |
| comment "Supported message authentication methods" |
| |
| config MBEDTLS_MAC_ALL_ENABLED |
| bool "All available MAC methods" |
| select MBEDTLS_MAC_MD4_ENABLED |
| select MBEDTLS_MAC_MD5_ENABLED |
| select MBEDTLS_MAC_SHA1_ENABLED |
| select MBEDTLS_MAC_SHA256_ENABLED |
| select MBEDTLS_MAC_SHA384_ENABLED |
| select MBEDTLS_MAC_SHA512_ENABLED |
| select MBEDTLS_MAC_POLY1305_ENABLED |
| select MBEDTLS_MAC_CMAC_ENABLED |
| |
| config MBEDTLS_MAC_MD4_ENABLED |
| bool "MD4 hash algorithm" |
| |
| config MBEDTLS_MAC_MD5_ENABLED |
| bool "MD5 hash algorithm" |
| default y if !NET_L2_OPENTHREAD |
| |
| config MBEDTLS_MAC_SHA1_ENABLED |
| bool "SHA1 hash algorithm" |
| default y if !NET_L2_OPENTHREAD |
| |
| config MBEDTLS_MAC_SHA256_ENABLED |
| bool "SHA-224 and SHA-256 hash algorithms" |
| default y |
| |
| config MBEDTLS_SHA256_SMALLER |
| bool "Smaller SHA-256 implementation" |
| depends on MBEDTLS_MAC_SHA256_ENABLED |
| default y |
| help |
| Enable an implementation of SHA-256 that has lower ROM footprint but also |
| lower performance |
| |
| config MBEDTLS_MAC_SHA384_ENABLED |
| bool "SHA-384 hash algorithm" |
| select MBEDTLS_MAC_SHA512_ENABLED |
| |
| config MBEDTLS_MAC_SHA512_ENABLED |
| bool "SHA-512 hash algorithm" |
| |
| config MBEDTLS_MAC_POLY1305_ENABLED |
| bool "Poly1305 MAC algorithm" |
| |
| config MBEDTLS_MAC_CMAC_ENABLED |
| bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers." |
| depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED |
| |
| endmenu |
| |
| comment "Random number generators" |
| |
| config MBEDTLS_CTR_DRBG_ENABLED |
| bool "CTR_DRBG AES-256-based random generator" |
| depends on MBEDTLS_CIPHER_AES_ENABLED |
| default y |
| |
| config MBEDTLS_HMAC_DRBG_ENABLED |
| bool "HMAC_DRBG random generator" |
| select MBEDTLS_MD |
| |
| comment "Other configurations" |
| |
| config MBEDTLS_CIPHER |
| bool "generic cipher layer." |
| |
| config MBEDTLS_MD |
| bool "generic message digest layer." |
| |
| config MBEDTLS_GENPRIME_ENABLED |
| bool "prime-number generation code." |
| |
| config MBEDTLS_PEM_CERTIFICATE_FORMAT |
| bool "Support for PEM certificate format" |
| help |
| By default only DER (binary) format of certificates is supported. Enable |
| this option to enable support for PEM format. |
| |
| config MBEDTLS_HAVE_ASM |
| bool "Use of assembly code" |
| default y if !ARM |
| help |
| Enable use of assembly code in mbedTLS. This improves the performances |
| of asymmetric cryptography, however this might have an impact on the |
| code size. |
| |
| config MBEDTLS_ENTROPY_ENABLED |
| bool "MbedTLS generic entropy pool" |
| depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA384_ENABLED || MBEDTLS_MAC_SHA512_ENABLED |
| default y if MBEDTLS_ZEPHYR_ENTROPY |
| |
| config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED |
| bool "MbedTLS optimizations for OpenThread" |
| depends on NET_L2_OPENTHREAD |
| default y if !NET_SOCKETS_SOCKOPT_TLS |
| help |
| Enable some OpenThread specific mbedTLS optimizations that allows to |
| save some RAM/ROM when OpenThread is used. Note, that when application |
| aims to use other mbedTLS services on top of OpenThread (e.g. secure |
| sockets), it's advised to disable this option. |
| |
| config MBEDTLS_USER_CONFIG_ENABLE |
| bool "User mbedTLS config file" |
| help |
| Enable user mbedTLS config file that will be included at the end of |
| the generic config file. |
| |
| config MBEDTLS_USER_CONFIG_FILE |
| string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE |
| help |
| User config file that can contain mbedTLS configs that were not |
| covered by the generic config file. |
| |
| config MBEDTLS_SERVER_NAME_INDICATION |
| bool "Support for RFC 6066 server name indication (SNI) in SSL" |
| help |
| Enable this to support RFC 6066 server name indication (SNI) in SSL. |
| This requires that MBEDTLS_X509_CRT_PARSE_C is also set. |
| |
| config MBEDTLS_PK_WRITE_C |
| bool "The generic public (asymmetric) key writer" |
| default y if MBEDTLS_PSA_CRYPTO_C |
| help |
| Enable generic public key write functions. |
| |
| config MBEDTLS_HAVE_TIME_DATE |
| bool "Date/time validation in mbed TLS" |
| help |
| System has time.h, time(), and an implementation for gmtime_r(). |
| There also need to be a valid time source in the system, as mbedTLS |
| expects a valid date/time for certificate validation." |
| |
| config MBEDTLS_PKCS5_C |
| bool "Password-based encryption functions" |
| select MBEDTLS_MD |
| help |
| Enable PKCS5 functions |
| |
| config MBEDTLS_SSL_CACHE_C |
| bool "SSL session cache support" |
| help |
| "This option enables simple SSL cache implementation (server side)." |
| |
| config MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT |
| int "Default timeout for SSL cache entires" |
| depends on MBEDTLS_SSL_CACHE_C |
| default 86400 |
| |
| config MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES |
| int "Maximum number of SSL cache entires" |
| depends on MBEDTLS_SSL_CACHE_C |
| default 5 |
| |
| config MBEDTLS_SSL_EXTENDED_MASTER_SECRET |
| bool "(D)TLS Extended Master Secret extension" |
| depends on MBEDTLS_TLS_VERSION_1_2 |
| help |
| Enable support for the (D)TLS Extended Master Secret extension |
| which ensures that master secrets are different for every |
| connection and every session. |
| |
| config MBEDTLS_PSA_CRYPTO_C |
| bool "Platform Security Architecture cryptography API" |
| depends on MBEDTLS_ENTROPY_ENABLED |
| depends on MBEDTLS_CTR_DRBG_ENABLED || MBEDTLS_HMAC_DRBG_ENABLED |
| default y if UOSCORE || UEDHOC |
| |
| config MBEDTLS_LMS |
| bool "Support LMS signature schemes" |
| depends on MBEDTLS_PSA_CRYPTO_C |
| depends on MBEDTLS_HASH_SHA256_ENABLED |
| |
| config MBEDTLS_SSL_DTLS_CONNECTION_ID |
| bool "DTLS Connection ID extension" |
| depends on MBEDTLS_DTLS |
| help |
| Enable support for the DTLS Connection ID extension |
| which allows to identify DTLS connections across changes |
| in the underlying transport. |
| |
| endmenu |