123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364 |
- # TLS/DTLS related options
- # Copyright (c) 2018 Intel Corporation
- # Copyright (c) 2018 Nordic Semiconductor ASA
- # SPDX-License-Identifier: Apache-2.0
- menu "TLS configuration"
- depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"
- menu "Supported TLS version"
- config MBEDTLS_TLS_VERSION_1_0
- bool "Enable support for TLS 1.0"
- select MBEDTLS_CIPHER
- select MBEDTLS_MAC_MD5_ENABLED
- select MBEDTLS_MAC_SHA1_ENABLED
- select MBEDTLS_MD
- config MBEDTLS_TLS_VERSION_1_1
- bool "Enable support for TLS 1.1 (DTLS 1.0)"
- select MBEDTLS_CIPHER
- select MBEDTLS_MAC_MD5_ENABLED
- select MBEDTLS_MAC_SHA1_ENABLED
- select MBEDTLS_MD
- config MBEDTLS_TLS_VERSION_1_2
- bool "Enable support for TLS 1.2 (DTLS 1.2)"
- default y if !NET_L2_OPENTHREAD
- select MBEDTLS_CIPHER
- select MBEDTLS_MD
- config MBEDTLS_DTLS
- bool "Enable support for DTLS"
- depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
- config MBEDTLS_SSL_EXPORT_KEYS
- bool "Enable support for exporting SSL key block and master secret"
- depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
- config MBEDTLS_SSL_ALPN
- bool "Enable support for setting the supported Application Layer Protocols"
- depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
- endmenu
- menu "Ciphersuite configuration"
- comment "Supported key exchange modes"
- config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
- bool "Enable all available ciphersuite modes"
- select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
- select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
- select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
- select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
- select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
- select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
- select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
- select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
- select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
- select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
- select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
- config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
- bool "Enable the PSK based ciphersuite modes"
- config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
- bool "Enable the DHE-PSK based ciphersuite modes"
- config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
- bool "Enable the ECDHE-PSK based ciphersuite modes"
- config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
- bool "Enable the RSA-PSK based ciphersuite modes"
- config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
- bool "Enable the RSA-only based ciphersuite modes"
- default y if !NET_L2_OPENTHREAD
- config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
- bool "Enable the DHE-RSA based ciphersuite modes"
- config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
- bool "Enable the ECDHE-RSA based ciphersuite modes"
- config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
- bool "Enable the ECDHE-ECDSA based ciphersuite modes"
- config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
- bool "Enable the ECDH-ECDSA based ciphersuite modes"
- config MBEDTLS_ECDSA_DETERMINISTIC
- bool "Enable deterministic ECDSA (RFC 6979)"
- config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
- bool "Enable the ECDH-RSA based ciphersuite modes"
- config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
- bool "Enable the ECJPAKE based ciphersuite modes"
- if MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
- MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || \
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || \
- MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \
- MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
- comment "Supported elliptic curves"
- config MBEDTLS_ECP_ALL_ENABLED
- bool "Enable all available elliptic curves"
- select MBEDTLS_ECP_DP_SECP192R1_ENABLED
- select MBEDTLS_ECP_DP_SECP192R1_ENABLED
- select MBEDTLS_ECP_DP_SECP224R1_ENABLED
- select MBEDTLS_ECP_DP_SECP256R1_ENABLED
- select MBEDTLS_ECP_DP_SECP384R1_ENABLED
- select MBEDTLS_ECP_DP_SECP521R1_ENABLED
- select MBEDTLS_ECP_DP_SECP192K1_ENABLED
- select MBEDTLS_ECP_DP_SECP224K1_ENABLED
- select MBEDTLS_ECP_DP_SECP256K1_ENABLED
- select MBEDTLS_ECP_DP_BP256R1_ENABLED
- select MBEDTLS_ECP_DP_BP384R1_ENABLED
- select MBEDTLS_ECP_DP_BP512R1_ENABLED
- select MBEDTLS_ECP_DP_CURVE25519_ENABLED
- select MBEDTLS_ECP_DP_CURVE448_ENABLED
- select MBEDTLS_ECP_NIST_OPTIM
- config MBEDTLS_ECP_DP_SECP192R1_ENABLED
- bool "Enable SECP192R1 elliptic curve"
- config MBEDTLS_ECP_DP_SECP224R1_ENABLED
- bool "Enable SECP224R1 elliptic curve"
- config MBEDTLS_ECP_DP_SECP256R1_ENABLED
- bool "Enable SECP256R1 elliptic curve"
- config MBEDTLS_ECP_DP_SECP384R1_ENABLED
- bool "Enable SECP384R1 elliptic curve"
- config MBEDTLS_ECP_DP_SECP521R1_ENABLED
- bool "Enable SECP521R1 elliptic curve"
- config MBEDTLS_ECP_DP_SECP192K1_ENABLED
- bool "Enable SECP192K1 elliptic curve"
- config MBEDTLS_ECP_DP_SECP224K1_ENABLED
- bool "Enable SECP224K1 elliptic curve"
- config MBEDTLS_ECP_DP_SECP256K1_ENABLED
- bool "Enable SECP256K1 elliptic curve"
- config MBEDTLS_ECP_DP_BP256R1_ENABLED
- bool "Enable BP256R1 elliptic curve"
- config MBEDTLS_ECP_DP_BP384R1_ENABLED
- bool "Enable BP384R1 elliptic curve"
- config MBEDTLS_ECP_DP_BP512R1_ENABLED
- bool "Enable BP512R1 elliptic curve"
- config MBEDTLS_ECP_DP_CURVE25519_ENABLED
- bool "Enable CURVE25519 elliptic curve"
- config MBEDTLS_ECP_DP_CURVE448_ENABLED
- bool "Enable CURVE448 elliptic curve"
- config MBEDTLS_ECP_NIST_OPTIM
- bool "Enable NSIT curves optimization"
- endif
- comment "Supported cipher modes"
- config MBEDTLS_CIPHER_ALL_ENABLED
- bool "Enable all available ciphers"
- select MBEDTLS_CIPHER_AES_ENABLED
- select MBEDTLS_CIPHER_CAMELLIA_ENABLED
- select MBEDTLS_CIPHER_DES_ENABLED
- select MBEDTLS_CIPHER_ARC4_ENABLED
- select MBEDTLS_CIPHER_CHACHA20_ENABLED
- select MBEDTLS_CIPHER_BLOWFISH_ENABLED
- select MBEDTLS_CIPHER_CCM_ENABLED
- select MBEDTLS_CIPHER_GCM_ENABLED
- select MBEDTLS_CIPHER_MODE_XTS_ENABLED
- select MBEDTLS_CIPHER_MODE_CBC_ENABLED
- select MBEDTLS_CIPHER_MODE_CTR_ENABLED
- select MBEDTLS_CHACHAPOLY_AEAD_ENABLED
- config MBEDTLS_CIPHER_AES_ENABLED
- bool "Enable the AES block cipher"
- default y
- config MBEDTLS_AES_ROM_TABLES
- depends on MBEDTLS_CIPHER_AES_ENABLED
- bool "Use precomputed AES tables stored in ROM."
- default y
- config MBEDTLS_CIPHER_CAMELLIA_ENABLED
- bool "Enable the Camellia block cipher"
- config MBEDTLS_CIPHER_DES_ENABLED
- bool "Enable the DES block cipher"
- default y if !NET_L2_OPENTHREAD
- config MBEDTLS_CIPHER_ARC4_ENABLED
- bool "Enable the ARC4 stream cipher"
- config MBEDTLS_CIPHER_CHACHA20_ENABLED
- bool "Enable the ChaCha20 stream cipher"
- config MBEDTLS_CIPHER_BLOWFISH_ENABLED
- bool "Enable the Blowfish block cipher"
- config MBEDTLS_CIPHER_CCM_ENABLED
- bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
- depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
- config MBEDTLS_CIPHER_GCM_ENABLED
- bool "Enable the Galois/Counter Mode (GCM) for AES"
- depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
- config MBEDTLS_CIPHER_MODE_XTS_ENABLED
- bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
- depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
- config MBEDTLS_CIPHER_MODE_CBC_ENABLED
- bool "Enable Cipher Block Chaining mode (CBC) for symmetric ciphers"
- default y if !NET_L2_OPENTHREAD
- config MBEDTLS_CIPHER_MODE_CTR_ENABLED
- bool "Enable Counter Block Cipher mode (CTR) for symmetric ciphers."
- config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
- bool "Enable the ChaCha20-Poly1305 AEAD algorithm"
- depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED
- comment "Supported message authentication methods"
- config MBEDTLS_MAC_ALL_ENABLED
- bool "Enable all available MAC methods"
- select MBEDTLS_MAC_MD4_ENABLED
- select MBEDTLS_MAC_MD5_ENABLED
- select MBEDTLS_MAC_SHA1_ENABLED
- select MBEDTLS_MAC_SHA256_ENABLED
- select MBEDTLS_MAC_SHA512_ENABLED
- select MBEDTLS_MAC_POLY1305_ENABLED
- select MBEDTLS_MAC_CMAC_ENABLED
- config MBEDTLS_MAC_MD4_ENABLED
- bool "Enable the MD4 hash algorithm"
- config MBEDTLS_MAC_MD5_ENABLED
- bool "Enable the MD5 hash algorithm"
- default y if !NET_L2_OPENTHREAD
- config MBEDTLS_MAC_SHA1_ENABLED
- bool "Enable the SHA1 hash algorithm"
- default y if !NET_L2_OPENTHREAD
- config MBEDTLS_MAC_SHA256_ENABLED
- bool "Enable the SHA-224 and SHA-256 hash algorithms"
- default y
- config MBEDTLS_SHA256_SMALLER
- bool "Enable smaller SHA-256 implementation"
- depends on MBEDTLS_MAC_SHA256_ENABLED
- default y
- help
- Enable an implementation of SHA-256 that has lower ROM footprint but also
- lower performance
- config MBEDTLS_MAC_SHA512_ENABLED
- bool "Enable the SHA-384 and SHA-512 hash algorithms"
- config MBEDTLS_MAC_POLY1305_ENABLED
- bool "Enable the Poly1305 MAC algorithm"
- config MBEDTLS_MAC_CMAC_ENABLED
- bool "Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
- depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
- endmenu
- comment "Random number generators"
- config MBEDTLS_CTR_DRBG_ENABLED
- bool "Enable the CTR_DRBG AES-256-based random generator"
- depends on MBEDTLS_CIPHER_AES_ENABLED
- default y
- config MBEDTLS_HMAC_DRBG_ENABLED
- bool "Enable the HMAC_DRBG random generator"
- select MBEDTLS_MD
- comment "Other configurations"
- config MBEDTLS_CIPHER
- bool "Enable the generic cipher layer."
- config MBEDTLS_MD
- bool "Enable the generic message digest layer."
- config MBEDTLS_GENPRIME_ENABLED
- bool "Enable the prime-number generation code."
- config MBEDTLS_PEM_CERTIFICATE_FORMAT
- bool "Enable support for PEM certificate format"
- help
- By default only DER (binary) format of certificates is supported. Enable
- this option to enable support for PEM format.
- config MBEDTLS_HAVE_ASM
- bool "Enable use of assembly code"
- default y if !ARM
- help
- Enable use of assembly code in mbedTLS. This improves the performances
- of asymmetric cryptography, however this might have an impact on the
- code size.
- config MBEDTLS_ENTROPY_ENABLED
- bool "Enable mbedTLS generic entropy pool"
- depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA512_ENABLED
- config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
- bool "Enable mbedTLS optimizations for OpenThread"
- depends on NET_L2_OPENTHREAD
- default y if !NET_SOCKETS_SOCKOPT_TLS
- help
- Enable some OpenThread specific mbedTLS optimizations that allows to
- save some RAM/ROM when OpenThread is used. Note, that when application
- aims to use other mbedTLS services on top of OpenThread (e.g. secure
- sockets), it's advised to disable this option.
- config MBEDTLS_USER_CONFIG_ENABLE
- bool "Enable user mbedTLS config file"
- help
- Enable user mbedTLS config file that will be included at the end of
- the generic config file.
- config MBEDTLS_USER_CONFIG_FILE
- string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE
- help
- User config file that can contain mbedTLS configs that were not
- covered by the generic config file.
- config MBEDTLS_SERVER_NAME_INDICATION
- bool "Enable support for RFC 6066 server name indication (SNI) in SSL"
- help
- Enable this to support RFC 6066 server name indication (SNI) in SSL.
- This requires that MBEDTLS_X509_CRT_PARSE_C is also set.
- config MBEDTLS_PK_WRITE_C
- bool "Enable the generic public (asymetric) key writer"
- help
- Enable generic public key write functions.
- config MBEDTLS_HAVE_TIME_DATE
- bool "Enable date/time validation in mbed TLS"
- help
- System has time.h, time(), and an implementation for gmtime_r().
- There also need to be a valid time source in the system, as mbedTLS
- expects a valid date/time for certificate validation."
- endmenu
|