# TLS/DTLS related options
# Copyright (c) 2018 Intel Corporation
# Copyright (c) 2018 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0
menu "TLS configuration"
depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"
menu "Supported TLS version"
config MBEDTLS_TLS_VERSION_1_0
bool "Support for TLS 1.0"
select MBEDTLS_CIPHER
select MBEDTLS_MD5
select MBEDTLS_SHA1
select MBEDTLS_MD
config MBEDTLS_TLS_VERSION_1_1
bool "Support for TLS 1.1 (DTLS 1.0)"
select MBEDTLS_CIPHER
select MBEDTLS_MD5
select MBEDTLS_SHA1
select MBEDTLS_MD
config MBEDTLS_TLS_VERSION_1_2
bool "Support for TLS 1.2 (DTLS 1.2)"
default y if !NET_L2_OPENTHREAD
select MBEDTLS_CIPHER
select MBEDTLS_MD
config MBEDTLS_DTLS
bool "Support for DTLS"
depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
config MBEDTLS_SSL_EXPORT_KEYS
bool "Support for exporting SSL key block and master secret"
depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
config MBEDTLS_SSL_ALPN
bool "Support for setting the supported Application Layer Protocols"
depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
endmenu
menu "Ciphersuite configuration"
comment "Supported key exchange modes"
config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
bool "All available ciphersuite modes"
select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
bool "PSK based ciphersuite modes"
config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
bool "DHE-PSK based ciphersuite modes"
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
bool "ECDHE-PSK based ciphersuite modes"
depends on MBEDTLS_ECDH_C
config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
bool "RSA-PSK based ciphersuite modes"
config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
bool
default y if MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || \
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || \
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
config MBEDTLS_PSK_MAX_LEN
int "Max size of TLS pre-shared keys"
default 32
depends on MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
help
Max size of TLS pre-shared keys, in bytes.
config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
bool "RSA-only based ciphersuite modes"
default y if !NET_L2_OPENTHREAD
config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
bool "DHE-RSA based ciphersuite modes"
config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
bool "ECDHE-RSA based ciphersuite modes"
depends on MBEDTLS_ECDH_C
config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
bool "ECDHE-ECDSA based ciphersuite modes"
depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
bool "ECDH-ECDSA based ciphersuite modes"
depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
config MBEDTLS_ECDSA_DETERMINISTIC
bool "Deterministic ECDSA (RFC 6979)"
config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
bool "ECDH-RSA based ciphersuite modes"
depends on MBEDTLS_ECDH_C
config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
bool "ECJPAKE based ciphersuite modes"
depends on MBEDTLS_ECJPAKE_C
config MBEDTLS_HKDF_C
bool "HMAC-based Extract-and-Expand Key Derivation Function"
comment "Elliptic curve libraries"
config MBEDTLS_ECDH_C
bool "Elliptic curve Diffie-Hellman library"
depends on MBEDTLS_ECP_C
config MBEDTLS_ECDSA_C
bool "Elliptic curve DSA library"
depends on MBEDTLS_ECP_C
config MBEDTLS_ECJPAKE_C
bool "Elliptic curve J-PAKE library"
depends on MBEDTLS_ECP_C
config MBEDTLS_ECP_C
bool "Elliptic curve over GF(p) library"
default y if UOSCORE || UEDHOC
if MBEDTLS_ECP_C
comment "Supported elliptic curves"
config MBEDTLS_ECP_ALL_ENABLED
bool "All available elliptic curves"
select MBEDTLS_ECP_DP_SECP192R1_ENABLED
select MBEDTLS_ECP_DP_SECP192R1_ENABLED
select MBEDTLS_ECP_DP_SECP224R1_ENABLED
select MBEDTLS_ECP_DP_SECP256R1_ENABLED
select MBEDTLS_ECP_DP_SECP384R1_ENABLED
select MBEDTLS_ECP_DP_SECP521R1_ENABLED
select MBEDTLS_ECP_DP_SECP192K1_ENABLED
select MBEDTLS_ECP_DP_SECP224K1_ENABLED
select MBEDTLS_ECP_DP_SECP256K1_ENABLED
select MBEDTLS_ECP_DP_BP256R1_ENABLED
select MBEDTLS_ECP_DP_BP384R1_ENABLED
select MBEDTLS_ECP_DP_BP512R1_ENABLED
select MBEDTLS_ECP_DP_CURVE25519_ENABLED
select MBEDTLS_ECP_DP_CURVE448_ENABLED
select MBEDTLS_ECP_NIST_OPTIM
config MBEDTLS_ECP_DP_SECP192R1_ENABLED
bool "SECP192R1 elliptic curve"
config MBEDTLS_ECP_DP_SECP224R1_ENABLED
bool "SECP224R1 elliptic curve"
config MBEDTLS_ECP_DP_SECP256R1_ENABLED
bool "SECP256R1 elliptic curve"
default y if UOSCORE || UEDHOC
config MBEDTLS_ECP_DP_SECP384R1_ENABLED
bool "SECP384R1 elliptic curve"
config MBEDTLS_ECP_DP_SECP521R1_ENABLED
bool "SECP521R1 elliptic curve"
config MBEDTLS_ECP_DP_SECP192K1_ENABLED
bool "SECP192K1 elliptic curve"
config MBEDTLS_ECP_DP_SECP224K1_ENABLED
bool "SECP224K1 elliptic curve"
config MBEDTLS_ECP_DP_SECP256K1_ENABLED
bool "SECP256K1 elliptic curve"
config MBEDTLS_ECP_DP_BP256R1_ENABLED
bool "BP256R1 elliptic curve"
config MBEDTLS_ECP_DP_BP384R1_ENABLED
bool "BP384R1 elliptic curve"
config MBEDTLS_ECP_DP_BP512R1_ENABLED
bool "BP512R1 elliptic curve"
config MBEDTLS_ECP_DP_CURVE25519_ENABLED
bool "CURVE25519 elliptic curve"
config MBEDTLS_ECP_DP_CURVE448_ENABLED
bool "CURVE448 elliptic curve"
config MBEDTLS_ECP_NIST_OPTIM
bool "NIST curves optimization"
endif
comment "Supported ciphers and cipher modes"
config MBEDTLS_CIPHER_ALL_ENABLED
bool "All available ciphers"
select MBEDTLS_CIPHER_AES_ENABLED
select MBEDTLS_CIPHER_CAMELLIA_ENABLED
select MBEDTLS_CIPHER_DES_ENABLED
select MBEDTLS_CIPHER_ARC4_ENABLED
select MBEDTLS_CIPHER_CHACHA20_ENABLED
select MBEDTLS_CIPHER_BLOWFISH_ENABLED
select MBEDTLS_CIPHER_CCM_ENABLED
select MBEDTLS_CIPHER_GCM_ENABLED
select MBEDTLS_CIPHER_MODE_XTS_ENABLED
select MBEDTLS_CIPHER_MODE_CBC_ENABLED
select MBEDTLS_CIPHER_MODE_CTR_ENABLED
select MBEDTLS_CHACHAPOLY_AEAD_ENABLED
config MBEDTLS_CIPHER_AES_ENABLED
bool "AES block cipher"
default y
config MBEDTLS_AES_ROM_TABLES
depends on MBEDTLS_CIPHER_AES_ENABLED
bool "Use precomputed AES tables stored in ROM."
default y
config MBEDTLS_AES_FEWER_TABLES
depends on MBEDTLS_CIPHER_AES_ENABLED
bool "Reduce the size of precomputed AES tables by ~6kB"
help
Reduce the size of the AES tables at a tradeoff of more
arithmetic operations at runtime. Specifically 4 table
lookups are converted to 1 table lookup, 3 additions
and 6 bit shifts.
config MBEDTLS_CIPHER_CAMELLIA_ENABLED
bool "Camellia block cipher"
config MBEDTLS_CIPHER_DES_ENABLED
bool "DES block cipher"
default y if !NET_L2_OPENTHREAD
config MBEDTLS_CIPHER_ARC4_ENABLED
bool "ARC4 stream cipher"
config MBEDTLS_CIPHER_CHACHA20_ENABLED
bool "ChaCha20 stream cipher"
config MBEDTLS_CIPHER_BLOWFISH_ENABLED
bool "Blowfish block cipher"
config MBEDTLS_CIPHER_CCM_ENABLED
bool "Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
default y if UOSCORE || UEDHOC
config MBEDTLS_CIPHER_GCM_ENABLED
bool "Galois/Counter Mode (GCM) for AES"
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
config MBEDTLS_CIPHER_MODE_XTS_ENABLED
bool "Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
config MBEDTLS_CIPHER_MODE_CBC_ENABLED
bool "Cipher Block Chaining mode (CBC) for symmetric ciphers"
default y if !NET_L2_OPENTHREAD
config MBEDTLS_CIPHER_MODE_CTR_ENABLED
bool "Counter Block Cipher mode (CTR) for symmetric ciphers."
config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
bool "ChaCha20-Poly1305 AEAD algorithm"
depends on MBEDTLS_CIPHER_CHACHA20_ENABLED && MBEDTLS_POLY1305
config MBEDTLS_CMAC
bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
comment "Supported hash algorithms"
config MBEDTLS_HASH_ALL_ENABLED
bool "All available MAC methods"
select MBEDTLS_MD4
select MBEDTLS_MD5
select MBEDTLS_SHA1
select MBEDTLS_SHA224
select MBEDTLS_SHA256
select MBEDTLS_SHA384
select MBEDTLS_SHA512
select MBEDTLS_POLY1305
config MBEDTLS_MD4
bool "MD4 hash algorithm"
config MBEDTLS_MD5
bool "MD5 hash algorithm"
config MBEDTLS_SHA1
bool "SHA-1 hash algorithm"
config MBEDTLS_SHA224
bool "SHA-224 hash algorithm"
config MBEDTLS_SHA256
bool "SHA-256 hash algorithm"
default y
config MBEDTLS_SHA256_SMALLER
bool "Smaller SHA-256 implementation"
depends on MBEDTLS_SHA256
default y
help
Enable an implementation of SHA-256 that has a
smaller ROM footprint but also lower performance.
config MBEDTLS_SHA384
bool "SHA-384 hash algorithm"
config MBEDTLS_SHA512
bool "SHA-512 hash algorithm"
config MBEDTLS_POLY1305
bool "Poly1305 hash family"
endmenu
comment "Random number generators"
config MBEDTLS_CTR_DRBG_ENABLED
bool "CTR_DRBG AES-256-based random generator"
depends on MBEDTLS_CIPHER_AES_ENABLED
default y
config MBEDTLS_HMAC_DRBG_ENABLED
bool "HMAC_DRBG random generator"
select MBEDTLS_MD
comment "Other configurations"
config MBEDTLS_CIPHER
bool "generic cipher layer."
config MBEDTLS_MD
bool "generic message digest layer."
config MBEDTLS_GENPRIME_ENABLED
bool "prime-number generation code."
config MBEDTLS_PEM_CERTIFICATE_FORMAT
bool "Support for PEM certificate format"
help
By default only DER (binary) format of certificates is supported. Enable
this option to enable support for PEM format.
config MBEDTLS_HAVE_ASM
bool "Use of assembly code"
default y if !ARM
help
Enable use of assembly code in mbedTLS. This improves the performance
of asymmetric cryptography, however this might have an impact on the
code size.
config MBEDTLS_ENTROPY_ENABLED
bool "MbedTLS generic entropy pool"
depends on MBEDTLS_SHA256 || MBEDTLS_SHA384 || MBEDTLS_SHA512
default y if MBEDTLS_ZEPHYR_ENTROPY
config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
bool "MbedTLS optimizations for OpenThread"
depends on NET_L2_OPENTHREAD
default y if !NET_SOCKETS_SOCKOPT_TLS
help
Enable some OpenThread-specific mbedTLS optimizations that allow you to
save some RAM/ROM when OpenThread is used. Note that when the application
aims to use other mbedTLS services on top of OpenThread (e.g. secure
sockets), it's advised to disable this option.
config MBEDTLS_USER_CONFIG_ENABLE
bool "User mbedTLS config file"
help
Enable user mbedTLS config file that will be included at the end of
the generic config file.
config MBEDTLS_USER_CONFIG_FILE
string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE
help
User config file that can contain mbedTLS configs that were not
covered by the generic config file.
config MBEDTLS_SERVER_NAME_INDICATION
bool "Support for RFC 6066 server name indication (SNI) in SSL"
help
Enable this to support RFC 6066 server name indication (SNI) in SSL.
This requires that MBEDTLS_X509_CRT_PARSE_C is also set.
config MBEDTLS_PK_WRITE_C
bool "The generic public (asymmetric) key writer"
default y if MBEDTLS_PSA_CRYPTO_C
help
Enable generic public key write functions.
config MBEDTLS_HAVE_TIME_DATE
bool "Date/time validation in mbed TLS"
help
System has time.h, time(), and an implementation for gmtime_r().
There also needs to be a valid time source in the system, as mbedTLS
expects a valid date/time for certificate validation.
config MBEDTLS_PKCS5_C
bool "Password-based encryption functions"
select MBEDTLS_MD
help
Enable PKCS5 functions
config MBEDTLS_SSL_CACHE_C
bool "SSL session cache support"
help
This option enables a simple SSL cache implementation (server side).
config MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
int "Default timeout for SSL cache entries"
depends on MBEDTLS_SSL_CACHE_C
default 86400
config MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
int "Maximum number of SSL cache entries"
depends on MBEDTLS_SSL_CACHE_C
default 5
config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
bool "(D)TLS Extended Master Secret extension"
depends on MBEDTLS_TLS_VERSION_1_2
help
Enable support for the (D)TLS Extended Master Secret extension
which ensures that master secrets are different for every
connection and every session.
choice MBEDTLS_PSA_CRYPTO_RND_SOURCE
prompt "Select random source for built-in PSA crypto"
depends on MBEDTLS_PSA_CRYPTO_C
default MBEDTLS_PSA_CRYPTO_LEGACY_RNG
config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
bool "Use a cryptographically secure driver as random source"
depends on CSPRNG_ENABLED
help
Use a cryptographically secure random generator to provide random data
instead of legacy MbedTLS modules (ENTROPY + CTR_DRBG/HMAC_DRBG).
config MBEDTLS_PSA_CRYPTO_LEGACY_RNG
bool "Use legacy modules to generate random data"
select MBEDTLS_ENTROPY_ENABLED
select MBEDTLS_CTR_DRBG_ENABLED if !MBEDTLS_HMAC_DRBG_ENABLED
help
Use legacy MbedTLS modules (ENTROPY + CTR_DRBG/HMAC_DRBG) as random
source generators.
endchoice
config MBEDTLS_PSA_CRYPTO_C
bool "Platform Security Architecture cryptography API"
default y if UOSCORE || UEDHOC
config MBEDTLS_USE_PSA_CRYPTO
bool "Use PSA APIs instead of legacy MbedTLS when possible"
default y if MBEDTLS_PSA_CRYPTO_CLIENT
help
Use PSA APIs instead of legacy MbedTLS functions in TLS/DTLS and other
"intermediate" modules such as PK, MD and Cipher.
config MBEDTLS_PSA_CRYPTO_CLIENT
bool
default y
depends on BUILD_WITH_TFM || MBEDTLS_PSA_CRYPTO_C
select PSA_CRYPTO_CLIENT
config MBEDTLS_LMS
bool "Support LMS signature schemes"
depends on MBEDTLS_PSA_CRYPTO_CLIENT
depends on MBEDTLS_SHA256
select PSA_WANT_ALG_SHA_256
config MBEDTLS_SSL_DTLS_CONNECTION_ID
bool "DTLS Connection ID extension"
depends on MBEDTLS_DTLS
help
Enable support for the DTLS Connection ID extension
which allows DTLS connections to be identified across changes
in the underlying transport.
endmenu