
  1. # TLS/DTLS related options
  2. # Copyright (c) 2018 Intel Corporation
  3. # Copyright (c) 2018 Nordic Semiconductor ASA
  4. # SPDX-License-Identifier: Apache-2.0
  5. menu "TLS configuration"
  6. depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"
  7. menu "Supported TLS version"
  8. config MBEDTLS_TLS_VERSION_1_0
  9. bool "Enable support for TLS 1.0"
  10. select MBEDTLS_CIPHER
  11. select MBEDTLS_MAC_MD5_ENABLED
  12. select MBEDTLS_MAC_SHA1_ENABLED
  13. select MBEDTLS_MD
  14. config MBEDTLS_TLS_VERSION_1_1
  15. bool "Enable support for TLS 1.1 (DTLS 1.0)"
  16. select MBEDTLS_CIPHER
  17. select MBEDTLS_MAC_MD5_ENABLED
  18. select MBEDTLS_MAC_SHA1_ENABLED
  19. select MBEDTLS_MD
  20. config MBEDTLS_TLS_VERSION_1_2
  21. bool "Enable support for TLS 1.2 (DTLS 1.2)"
  22. default y if !NET_L2_OPENTHREAD
  23. select MBEDTLS_CIPHER
  24. select MBEDTLS_MD
  25. config MBEDTLS_DTLS
  26. bool "Enable support for DTLS"
  27. depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
  28. config MBEDTLS_SSL_EXPORT_KEYS
  29. bool "Enable support for exporting SSL key block and master secret"
  30. depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
  31. config MBEDTLS_SSL_ALPN
  32. bool "Enable support for setting the supported Application Layer Protocols"
  33. depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
  34. endmenu
  35. menu "Ciphersuite configuration"
  36. comment "Supported key exchange modes"
  37. config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
  38. bool "Enable all available ciphersuite modes"
  39. select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
  40. select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
  41. select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
  42. select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
  43. select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
  44. select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
  45. select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
  46. select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
  47. select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
  48. select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
  49. select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
  50. config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
  51. bool "Enable the PSK based ciphersuite modes"
  52. config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
  53. bool "Enable the DHE-PSK based ciphersuite modes"
  54. config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
  55. bool "Enable the ECDHE-PSK based ciphersuite modes"
  56. config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
  57. bool "Enable the RSA-PSK based ciphersuite modes"
  58. config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
  59. bool "Enable the RSA-only based ciphersuite modes"
  60. default y if !NET_L2_OPENTHREAD
  61. config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
  62. bool "Enable the DHE-RSA based ciphersuite modes"
  63. config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
  64. bool "Enable the ECDHE-RSA based ciphersuite modes"
  65. config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
  66. bool "Enable the ECDHE-ECDSA based ciphersuite modes"
  67. config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
  68. bool "Enable the ECDH-ECDSA based ciphersuite modes"
  69. config MBEDTLS_ECDSA_DETERMINISTIC
  70. bool "Enable deterministic ECDSA (RFC 6979)"
  71. config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
  72. bool "Enable the ECDH-RSA based ciphersuite modes"
  73. config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
  74. bool "Enable the ECJPAKE based ciphersuite modes"
  75. if MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
  76. MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
  77. MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || \
  78. MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || \
  79. MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \
  80. MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
  81. comment "Supported elliptic curves"
  82. config MBEDTLS_ECP_ALL_ENABLED
  83. bool "Enable all available elliptic curves"
  84. select MBEDTLS_ECP_DP_SECP192R1_ENABLED
  86. select MBEDTLS_ECP_DP_SECP224R1_ENABLED
  87. select MBEDTLS_ECP_DP_SECP256R1_ENABLED
  88. select MBEDTLS_ECP_DP_SECP384R1_ENABLED
  89. select MBEDTLS_ECP_DP_SECP521R1_ENABLED
  90. select MBEDTLS_ECP_DP_SECP192K1_ENABLED
  91. select MBEDTLS_ECP_DP_SECP224K1_ENABLED
  92. select MBEDTLS_ECP_DP_SECP256K1_ENABLED
  93. select MBEDTLS_ECP_DP_BP256R1_ENABLED
  94. select MBEDTLS_ECP_DP_BP384R1_ENABLED
  95. select MBEDTLS_ECP_DP_BP512R1_ENABLED
  96. select MBEDTLS_ECP_DP_CURVE25519_ENABLED
  97. select MBEDTLS_ECP_DP_CURVE448_ENABLED
  98. select MBEDTLS_ECP_NIST_OPTIM
  99. config MBEDTLS_ECP_DP_SECP192R1_ENABLED
  100. bool "Enable SECP192R1 elliptic curve"
  101. config MBEDTLS_ECP_DP_SECP224R1_ENABLED
  102. bool "Enable SECP224R1 elliptic curve"
  103. config MBEDTLS_ECP_DP_SECP256R1_ENABLED
  104. bool "Enable SECP256R1 elliptic curve"
  105. config MBEDTLS_ECP_DP_SECP384R1_ENABLED
  106. bool "Enable SECP384R1 elliptic curve"
  107. config MBEDTLS_ECP_DP_SECP521R1_ENABLED
  108. bool "Enable SECP521R1 elliptic curve"
  109. config MBEDTLS_ECP_DP_SECP192K1_ENABLED
  110. bool "Enable SECP192K1 elliptic curve"
  111. config MBEDTLS_ECP_DP_SECP224K1_ENABLED
  112. bool "Enable SECP224K1 elliptic curve"
  113. config MBEDTLS_ECP_DP_SECP256K1_ENABLED
  114. bool "Enable SECP256K1 elliptic curve"
  115. config MBEDTLS_ECP_DP_BP256R1_ENABLED
  116. bool "Enable BP256R1 elliptic curve"
  117. config MBEDTLS_ECP_DP_BP384R1_ENABLED
  118. bool "Enable BP384R1 elliptic curve"
  119. config MBEDTLS_ECP_DP_BP512R1_ENABLED
  120. bool "Enable BP512R1 elliptic curve"
  121. config MBEDTLS_ECP_DP_CURVE25519_ENABLED
  122. bool "Enable CURVE25519 elliptic curve"
  123. config MBEDTLS_ECP_DP_CURVE448_ENABLED
  124. bool "Enable CURVE448 elliptic curve"
  125. config MBEDTLS_ECP_NIST_OPTIM
  126. bool "Enable NIST curves optimization"
  127. endif
  128. comment "Supported cipher modes"
  129. config MBEDTLS_CIPHER_ALL_ENABLED
  130. bool "Enable all available ciphers"
  131. select MBEDTLS_CIPHER_AES_ENABLED
  132. select MBEDTLS_CIPHER_CAMELLIA_ENABLED
  133. select MBEDTLS_CIPHER_DES_ENABLED
  134. select MBEDTLS_CIPHER_ARC4_ENABLED
  135. select MBEDTLS_CIPHER_CHACHA20_ENABLED
  136. select MBEDTLS_CIPHER_BLOWFISH_ENABLED
  137. select MBEDTLS_CIPHER_CCM_ENABLED
  138. select MBEDTLS_CIPHER_GCM_ENABLED
  139. select MBEDTLS_CIPHER_MODE_XTS_ENABLED
  140. select MBEDTLS_CIPHER_MODE_CBC_ENABLED
  141. select MBEDTLS_CIPHER_MODE_CTR_ENABLED
  142. select MBEDTLS_CHACHAPOLY_AEAD_ENABLED
  143. config MBEDTLS_CIPHER_AES_ENABLED
  144. bool "Enable the AES block cipher"
  145. default y
  146. config MBEDTLS_AES_ROM_TABLES
  147. depends on MBEDTLS_CIPHER_AES_ENABLED
  148. bool "Use precomputed AES tables stored in ROM."
  149. default y
  150. config MBEDTLS_CIPHER_CAMELLIA_ENABLED
  151. bool "Enable the Camellia block cipher"
  152. config MBEDTLS_CIPHER_DES_ENABLED
  153. bool "Enable the DES block cipher"
  154. default y if !NET_L2_OPENTHREAD
  155. config MBEDTLS_CIPHER_ARC4_ENABLED
  156. bool "Enable the ARC4 stream cipher"
  157. config MBEDTLS_CIPHER_CHACHA20_ENABLED
  158. bool "Enable the ChaCha20 stream cipher"
  159. config MBEDTLS_CIPHER_BLOWFISH_ENABLED
  160. bool "Enable the Blowfish block cipher"
  161. config MBEDTLS_CIPHER_CCM_ENABLED
  162. bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
  163. depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
  164. config MBEDTLS_CIPHER_GCM_ENABLED
  165. bool "Enable the Galois/Counter Mode (GCM) for AES"
  166. depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
  167. config MBEDTLS_CIPHER_MODE_XTS_ENABLED
  168. bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
  169. depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
  170. config MBEDTLS_CIPHER_MODE_CBC_ENABLED
  171. bool "Enable Cipher Block Chaining mode (CBC) for symmetric ciphers"
  172. default y if !NET_L2_OPENTHREAD
  173. config MBEDTLS_CIPHER_MODE_CTR_ENABLED
  174. bool "Enable Counter Block Cipher mode (CTR) for symmetric ciphers."
  175. config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
  176. bool "Enable the ChaCha20-Poly1305 AEAD algorithm"
  177. depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED
  178. comment "Supported message authentication methods"
  179. config MBEDTLS_MAC_ALL_ENABLED
  180. bool "Enable all available MAC methods"
  181. select MBEDTLS_MAC_MD4_ENABLED
  182. select MBEDTLS_MAC_MD5_ENABLED
  183. select MBEDTLS_MAC_SHA1_ENABLED
  184. select MBEDTLS_MAC_SHA256_ENABLED
  185. select MBEDTLS_MAC_SHA512_ENABLED
  186. select MBEDTLS_MAC_POLY1305_ENABLED
  187. select MBEDTLS_MAC_CMAC_ENABLED
  188. config MBEDTLS_MAC_MD4_ENABLED
  189. bool "Enable the MD4 hash algorithm"
  190. config MBEDTLS_MAC_MD5_ENABLED
  191. bool "Enable the MD5 hash algorithm"
  192. default y if !NET_L2_OPENTHREAD
  193. config MBEDTLS_MAC_SHA1_ENABLED
  194. bool "Enable the SHA1 hash algorithm"
  195. default y if !NET_L2_OPENTHREAD
  196. config MBEDTLS_MAC_SHA256_ENABLED
  197. bool "Enable the SHA-224 and SHA-256 hash algorithms"
  198. default y
  199. config MBEDTLS_SHA256_SMALLER
  200. bool "Enable smaller SHA-256 implementation"
  201. depends on MBEDTLS_MAC_SHA256_ENABLED
  202. default y
  203. help
  204. Enable an implementation of SHA-256 that has a lower ROM footprint but also
  205. lower performance.
  206. config MBEDTLS_MAC_SHA512_ENABLED
  207. bool "Enable the SHA-384 and SHA-512 hash algorithms"
  208. config MBEDTLS_MAC_POLY1305_ENABLED
  209. bool "Enable the Poly1305 MAC algorithm"
  210. config MBEDTLS_MAC_CMAC_ENABLED
  211. bool "Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
  212. depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
  213. endmenu
  214. comment "Random number generators"
  215. config MBEDTLS_CTR_DRBG_ENABLED
  216. bool "Enable the CTR_DRBG AES-256-based random generator"
  217. depends on MBEDTLS_CIPHER_AES_ENABLED
  218. default y
  219. config MBEDTLS_HMAC_DRBG_ENABLED
  220. bool "Enable the HMAC_DRBG random generator"
  221. select MBEDTLS_MD
  222. comment "Other configurations"
  223. config MBEDTLS_CIPHER
  224. bool "Enable the generic cipher layer."
  225. config MBEDTLS_MD
  226. bool "Enable the generic message digest layer."
  227. config MBEDTLS_GENPRIME_ENABLED
  228. bool "Enable the prime-number generation code."
  229. config MBEDTLS_PEM_CERTIFICATE_FORMAT
  230. bool "Enable support for PEM certificate format"
  231. help
  232. By default only DER (binary) format of certificates is supported. Enable
  233. this option to enable support for PEM format.
  234. config MBEDTLS_HAVE_ASM
  235. bool "Enable use of assembly code"
  236. default y if !ARM
  237. help
  238. Enable use of assembly code in mbedTLS. This improves the performance
  239. of asymmetric cryptography; however, it might increase the
  240. code size.
  241. config MBEDTLS_ENTROPY_ENABLED
  242. bool "Enable mbedTLS generic entropy pool"
  243. depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA512_ENABLED
  244. config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
  245. bool "Enable mbedTLS optimizations for OpenThread"
  246. depends on NET_L2_OPENTHREAD
  247. default y if !NET_SOCKETS_SOCKOPT_TLS
  248. help
  249. Enable some OpenThread specific mbedTLS optimizations that allow saving
  250. some RAM/ROM when OpenThread is used. Note that when the application
  251. aims to use other mbedTLS services on top of OpenThread (e.g. secure
  252. sockets), it is advised to disable this option.
  253. config MBEDTLS_USER_CONFIG_ENABLE
  254. bool "Enable user mbedTLS config file"
  255. help
  256. Enable user mbedTLS config file that will be included at the end of
  257. the generic config file.
  258. config MBEDTLS_USER_CONFIG_FILE
  259. string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE
  260. help
  261. User config file that can contain mbedTLS configs that were not
  262. covered by the generic config file.
  263. config MBEDTLS_SERVER_NAME_INDICATION
  264. bool "Enable support for RFC 6066 server name indication (SNI) in SSL"
  265. help
  266. Enable this to support RFC 6066 server name indication (SNI) in SSL.
  267. This requires that MBEDTLS_X509_CRT_PARSE_C is also set.
  268. config MBEDTLS_PK_WRITE_C
  269. bool "Enable the generic public (asymmetric) key writer"
  270. help
  271. Enable generic public key write functions.
  272. config MBEDTLS_HAVE_TIME_DATE
  273. bool "Enable date/time validation in mbed TLS"
  274. help
  275. System has time.h, time(), and an implementation for gmtime_r().
  276. There also needs to be a valid time source in the system, as mbedTLS
  277. expects a valid date/time for certificate validation.
  278. endmenu