1# TLS/DTLS related options 2 3# Copyright (c) 2018 Intel Corporation 4# Copyright (c) 2018 Nordic Semiconductor ASA 5# SPDX-License-Identifier: Apache-2.0 6 7menu "TLS configuration" 8 depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" 9 10menu "Supported TLS version" 11 12config MBEDTLS_TLS_VERSION_1_0 13 bool "Support for TLS 1.0" 14 select MBEDTLS_CIPHER 15 select MBEDTLS_MD5 16 select MBEDTLS_SHA1 17 select MBEDTLS_MD 18 19config MBEDTLS_TLS_VERSION_1_1 20 bool "Support for TLS 1.1 (DTLS 1.0)" 21 select MBEDTLS_CIPHER 22 select MBEDTLS_MD5 23 select MBEDTLS_SHA1 24 select MBEDTLS_MD 25 26config MBEDTLS_TLS_VERSION_1_2 27 bool "Support for TLS 1.2 (DTLS 1.2)" 28 select MBEDTLS_CIPHER 29 select MBEDTLS_MD 30 31config MBEDTLS_DTLS 32 bool "Support for DTLS" 33 depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 34 35config MBEDTLS_SSL_EXPORT_KEYS 36 bool "Support for exporting SSL key block and master secret" 37 depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 38 39config MBEDTLS_SSL_ALPN 40 bool "Support for setting the supported Application Layer Protocols" 41 depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 42 43endmenu 44 45menu "Ciphersuite configuration" 46 47comment "Supported key exchange modes" 48 49config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED 50 bool "All available ciphersuite modes" 51 select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 52 select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 53 select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 54 select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 55 select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 56 select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 57 select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 58 select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 59 select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 60 select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 61 select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 62 63config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 64 bool "PSK based ciphersuite modes" 65 66config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 67 bool "DHE-PSK based ciphersuite modes" 68 69config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 70 bool "ECDHE-PSK based ciphersuite modes" 71 depends on MBEDTLS_ECDH_C 72 73config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 74 bool "RSA-PSK based ciphersuite modes" 75 76config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED 77 bool 78 default y 79 depends on \ 80 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || \ 81 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || \ 82 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ 83 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 84 85config MBEDTLS_PSK_MAX_LEN 86 int "Max size of TLS pre-shared keys" 87 default 32 88 depends on MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED 89 help 90 Max size of TLS pre-shared keys, in bytes. 91 92config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 93 bool "RSA-only based ciphersuite modes" 94 default y if UOSCORE || UEDHOC 95 select MBEDTLS_MD 96 select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY if PSA_CRYPTO_CLIENT 97 select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC if PSA_CRYPTO_CLIENT 98 select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT if PSA_CRYPTO_CLIENT 99 100config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 101 bool "DHE-RSA based ciphersuite modes" 102 103config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 104 bool "ECDHE-RSA based ciphersuite modes" 105 depends on MBEDTLS_ECDH_C 106 107config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 108 bool "ECDHE-ECDSA based ciphersuite modes" 109 depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C 110 111config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 112 bool "ECDH-ECDSA based ciphersuite modes" 113 depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA) 114 115config MBEDTLS_ECDSA_DETERMINISTIC 116 bool "Deterministic ECDSA (RFC 6979)" 117 118config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 119 bool "ECDH-RSA based ciphersuite modes" 120 depends on MBEDTLS_ECDH_C 121 122config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 123 bool "ECJPAKE based ciphersuite modes" 124 depends on MBEDTLS_ECJPAKE_C 125 126config MBEDTLS_HKDF_C 127 bool "HMAC-based Extract-and-Expand Key Derivation Function" 128 129comment "Elliptic curve libraries" 130 131config MBEDTLS_ECDH_C 132 bool "Elliptic curve Diffie-Hellman library" 133 depends on MBEDTLS_ECP_C 134 135config MBEDTLS_ECDSA_C 136 bool "Elliptic curve DSA library" 137 depends on MBEDTLS_ECP_C 138 139config MBEDTLS_ECJPAKE_C 140 bool "Elliptic curve J-PAKE library" 141 depends on MBEDTLS_ECP_C 142 143config MBEDTLS_ECP_C 144 bool "Elliptic curve over GF(p) library" 145 default y if UOSCORE || UEDHOC 146 147if MBEDTLS_ECP_C 148 149comment "Supported elliptic curves" 150 151config MBEDTLS_ECP_ALL_ENABLED 152 bool "All available elliptic curves" 153 select MBEDTLS_ECP_DP_SECP192R1_ENABLED 154 select MBEDTLS_ECP_DP_SECP192R1_ENABLED 155 select MBEDTLS_ECP_DP_SECP224R1_ENABLED 156 select MBEDTLS_ECP_DP_SECP256R1_ENABLED 157 select MBEDTLS_ECP_DP_SECP384R1_ENABLED 158 select MBEDTLS_ECP_DP_SECP521R1_ENABLED 159 select MBEDTLS_ECP_DP_SECP192K1_ENABLED 160 select MBEDTLS_ECP_DP_SECP224K1_ENABLED 161 select MBEDTLS_ECP_DP_SECP256K1_ENABLED 162 select MBEDTLS_ECP_DP_BP256R1_ENABLED 163 select MBEDTLS_ECP_DP_BP384R1_ENABLED 164 select MBEDTLS_ECP_DP_BP512R1_ENABLED 165 select MBEDTLS_ECP_DP_CURVE25519_ENABLED 166 select MBEDTLS_ECP_DP_CURVE448_ENABLED 167 select MBEDTLS_ECP_NIST_OPTIM 168 169config MBEDTLS_ECP_DP_SECP192R1_ENABLED 170 bool "SECP192R1 elliptic curve" 171 172config MBEDTLS_ECP_DP_SECP224R1_ENABLED 173 bool "SECP224R1 elliptic curve" 174 175config MBEDTLS_ECP_DP_SECP256R1_ENABLED 176 bool "SECP256R1 elliptic curve" 177 default y if UOSCORE || UEDHOC 178 179config MBEDTLS_ECP_DP_SECP384R1_ENABLED 180 bool "SECP384R1 elliptic curve" 181 182config MBEDTLS_ECP_DP_SECP521R1_ENABLED 183 bool "SECP521R1 elliptic curve" 184 185config MBEDTLS_ECP_DP_SECP192K1_ENABLED 186 bool "SECP192K1 elliptic curve" 187 188config MBEDTLS_ECP_DP_SECP224K1_ENABLED 189 bool "SECP224K1 elliptic curve" 190 191config MBEDTLS_ECP_DP_SECP256K1_ENABLED 192 bool "SECP256K1 elliptic curve" 193 194config MBEDTLS_ECP_DP_BP256R1_ENABLED 195 bool "BP256R1 elliptic curve" 196 197config MBEDTLS_ECP_DP_BP384R1_ENABLED 198 bool "BP384R1 elliptic curve" 199 200config MBEDTLS_ECP_DP_BP512R1_ENABLED 201 bool "BP512R1 elliptic curve" 202 203config MBEDTLS_ECP_DP_CURVE25519_ENABLED 204 bool "CURVE25519 elliptic curve" 205 206config MBEDTLS_ECP_DP_CURVE448_ENABLED 207 bool "CURVE448 elliptic curve" 208 209config MBEDTLS_ECP_NIST_OPTIM 210 bool "NSIT curves optimization" 211 212endif 213 214comment "Supported ciphers and cipher modes" 215 216config MBEDTLS_CIPHER_ALL_ENABLED 217 bool "All available ciphers and modes" 218 select MBEDTLS_CIPHER_AES_ENABLED 219 select MBEDTLS_CIPHER_CAMELLIA_ENABLED 220 select MBEDTLS_CIPHER_DES_ENABLED 221 select MBEDTLS_CIPHER_CHACHA20_ENABLED 222 select MBEDTLS_CIPHER_CCM_ENABLED 223 select MBEDTLS_CIPHER_GCM_ENABLED 224 select MBEDTLS_CIPHER_MODE_XTS_ENABLED 225 select MBEDTLS_CIPHER_MODE_CBC_ENABLED 226 select MBEDTLS_CIPHER_MODE_CTR_ENABLED 227 select MBEDTLS_CHACHAPOLY_AEAD_ENABLED 228 229config MBEDTLS_SOME_AEAD_CIPHER_ENABLED 230 bool 231 default y 232 depends on \ 233 MBEDTLS_CIPHER_AES_ENABLED || \ 234 MBEDTLS_CIPHER_CAMELLIA_ENABLED 235 236config MBEDTLS_SOME_CIPHER_ENABLED 237 bool 238 default y 239 depends on \ 240 MBEDTLS_SOME_AEAD_CIPHER_ENABLED || \ 241 MBEDTLS_CIPHER_DES_ENABLED || \ 242 MBEDTLS_CIPHER_CHACHA20_ENABLED 243 244config MBEDTLS_CIPHER_AES_ENABLED 245 bool "AES block cipher" 246 247if MBEDTLS_CIPHER_AES_ENABLED 248 249config MBEDTLS_AES_ROM_TABLES 250 bool "Use precomputed AES tables stored in ROM." 251 252config MBEDTLS_AES_FEWER_TABLES 253 bool "Reduce the size of precomputed AES tables by ~6kB" 254 default y 255 depends on MBEDTLS_AES_ROM_TABLES 256 help 257 Reduce the size of the AES tables at a tradeoff of more 258 arithmetic operations at runtime. Specifically 4 table 259 lookups are converted to 1 table lookup, 3 additions 260 and 6 bit shifts. 261 262config MBEDTLS_CIPHER_MODE_XTS_ENABLED 263 bool "Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES" 264 265endif # MBEDTLS_CIPHER_AES_ENABLED 266 267config MBEDTLS_CIPHER_CAMELLIA_ENABLED 268 bool "Camellia block cipher" 269 270config MBEDTLS_CIPHER_DES_ENABLED 271 bool "DES block cipher" 272 273config MBEDTLS_CIPHER_CHACHA20_ENABLED 274 bool "ChaCha20 stream cipher" 275 276if MBEDTLS_SOME_AEAD_CIPHER_ENABLED 277 278config MBEDTLS_CIPHER_CCM_ENABLED 279 bool "Counter with CBC-MAC (CCM) mode for 128-bit block cipher" 280 default y if UOSCORE || UEDHOC 281 282config MBEDTLS_CIPHER_GCM_ENABLED 283 bool "Galois/Counter Mode (GCM) for symmetric ciphers" 284 285endif # MBEDTLS_SOME_AEAD_CIPHER_ENABLED 286 287if MBEDTLS_SOME_CIPHER_ENABLED 288 289config MBEDTLS_CIPHER_MODE_CBC_ENABLED 290 bool "Cipher Block Chaining mode (CBC) for symmetric ciphers" 291 default y if !NET_L2_OPENTHREAD 292 293config MBEDTLS_CIPHER_MODE_CTR_ENABLED 294 bool "Counter Block Cipher mode (CTR) for symmetric ciphers" 295 296endif # MBEDTLS_SOME_CIPHER_ENABLED 297 298config MBEDTLS_CHACHAPOLY_AEAD_ENABLED 299 bool "ChaCha20-Poly1305 AEAD algorithm" 300 depends on MBEDTLS_CIPHER_CHACHA20_ENABLED && MBEDTLS_POLY1305 301 302config MBEDTLS_CMAC 303 bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers." 304 depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED 305 306comment "Supported hash algorithms" 307 308config MBEDTLS_HASH_ALL_ENABLED 309 bool "All available MAC methods" 310 select MBEDTLS_MD5 311 select MBEDTLS_SHA1 312 select MBEDTLS_SHA224 313 select MBEDTLS_SHA256 314 select MBEDTLS_SHA384 315 select MBEDTLS_SHA512 316 select MBEDTLS_POLY1305 317 318config MBEDTLS_MD5 319 bool "MD5 hash algorithm" 320 321config MBEDTLS_SHA1 322 bool "SHA-1 hash algorithm" 323 324config MBEDTLS_SHA224 325 bool "SHA-224 hash algorithm" 326 327config MBEDTLS_SHA256 328 bool "SHA-256 hash algorithm" 329 default y 330 331config MBEDTLS_SHA256_SMALLER 332 bool "Smaller SHA-256 implementation" 333 depends on MBEDTLS_SHA256 334 default y 335 help 336 Enable an implementation of SHA-256 that has a 337 smaller ROM footprint but also lower performance. 338 339config MBEDTLS_SHA384 340 bool "SHA-384 hash algorithm" 341 342config MBEDTLS_SHA512 343 bool "SHA-512 hash algorithm" 344 345config MBEDTLS_POLY1305 346 bool "Poly1305 hash family" 347 348endmenu 349 350comment "Random number generators" 351 352config MBEDTLS_CTR_DRBG_ENABLED 353 bool "CTR_DRBG AES-256-based random generator" 354 depends on MBEDTLS_CIPHER_AES_ENABLED 355 default y 356 357config MBEDTLS_HMAC_DRBG_ENABLED 358 bool "HMAC_DRBG random generator" 359 select MBEDTLS_MD 360 361comment "Other configurations" 362 363config MBEDTLS_CIPHER 364 bool "generic cipher layer." 365 default y if PSA_WANT_ALG_CMAC 366 367config MBEDTLS_MD 368 bool "generic message digest layer." 369 370config MBEDTLS_GENPRIME_ENABLED 371 bool "prime-number generation code." 372 373config MBEDTLS_PEM_CERTIFICATE_FORMAT 374 bool "Support for PEM certificate format" 375 help 376 By default only DER (binary) format of certificates is supported. Enable 377 this option to enable support for PEM format. 378 379config MBEDTLS_HAVE_ASM 380 bool "Use of assembly code" 381 default y if !ARM 382 help 383 Enable use of assembly code in mbedTLS. This improves the performances 384 of asymmetric cryptography, however this might have an impact on the 385 code size. 386 387config MBEDTLS_ENTROPY_ENABLED 388 bool "MbedTLS generic entropy pool" 389 depends on MBEDTLS_SHA256 || MBEDTLS_SHA384 || MBEDTLS_SHA512 390 default y if MBEDTLS_ZEPHYR_ENTROPY 391 392config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED 393 bool "MbedTLS optimizations for OpenThread" 394 depends on NET_L2_OPENTHREAD 395 default y if !NET_SOCKETS_SOCKOPT_TLS 396 help 397 Enable some OpenThread specific mbedTLS optimizations that allows to 398 save some RAM/ROM when OpenThread is used. Note, that when application 399 aims to use other mbedTLS services on top of OpenThread (e.g. secure 400 sockets), it's advised to disable this option. 401 402config MBEDTLS_USER_CONFIG_ENABLE 403 bool "User mbedTLS config file" 404 help 405 Enable user mbedTLS config file that will be included at the end of 406 the generic config file. 407 408config MBEDTLS_USER_CONFIG_FILE 409 string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE 410 help 411 User config file that can contain mbedTLS configs that were not 412 covered by the generic config file. 413 414config MBEDTLS_SERVER_NAME_INDICATION 415 bool "Support for RFC 6066 server name indication (SNI) in SSL" 416 help 417 Enable this to support RFC 6066 server name indication (SNI) in SSL. 418 This requires that MBEDTLS_X509_CRT_PARSE_C is also set. 419 420config MBEDTLS_PK_WRITE_C 421 bool "The generic public (asymmetric) key writer" 422 help 423 Enable generic public key write functions. 424 425config MBEDTLS_HAVE_TIME_DATE 426 bool "Date/time validation in mbed TLS" 427 help 428 System has time.h, time(), and an implementation for gmtime_r(). 429 There also need to be a valid time source in the system, as mbedTLS 430 expects a valid date/time for certificate validation." 431 432config MBEDTLS_PKCS5_C 433 bool "Password-based encryption functions" 434 select MBEDTLS_MD 435 help 436 Enable PKCS5 functions 437 438config MBEDTLS_SSL_CACHE_C 439 bool "SSL session cache support" 440 help 441 "This option enables simple SSL cache implementation (server side)." 442 443if MBEDTLS_SSL_CACHE_C 444 445config MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 446 int "Default timeout for SSL cache entires" 447 default 86400 448 449config MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 450 int "Maximum number of SSL cache entires" 451 default 5 452 453endif # MBEDTLS_SSL_CACHE_C 454 455config MBEDTLS_SSL_EXTENDED_MASTER_SECRET 456 bool "(D)TLS Extended Master Secret extension" 457 depends on MBEDTLS_TLS_VERSION_1_2 458 help 459 Enable support for the (D)TLS Extended Master Secret extension 460 which ensures that master secrets are different for every 461 connection and every session. 462 463choice MBEDTLS_PSA_CRYPTO_RNG_SOURCE 464 prompt "Select random source for built-in PSA crypto" 465 depends on MBEDTLS_PSA_CRYPTO_C 466 default MBEDTLS_PSA_CRYPTO_LEGACY_RNG 467 468config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 469 bool "Use a cryptographically secure driver as random source" 470 depends on CSPRNG_ENABLED 471 help 472 Use cryptographically secure random generator to provide random data 473 instead of legacy MbedTLS modules (ENTROPY + CTR_DRBG/HMAC_DRBG). 474 475config MBEDTLS_PSA_CRYPTO_LEGACY_RNG 476 bool "Use legacy modules to generate random data" 477 select MBEDTLS_ENTROPY_ENABLED 478 select MBEDTLS_HMAC_DRBG_ENABLED if !MBEDTLS_CTR_DRBG_ENABLED 479 help 480 Use legacy MbedTLS modules (ENTROPY + CTR_DRBG/HMAC_DRBG) as random 481 source generators. 482 483endchoice 484 485config MBEDTLS_PSA_CRYPTO_C 486 bool "Platform Security Architecture cryptography API" 487 depends on !BUILD_WITH_TFM 488 default y if UOSCORE || UEDHOC 489 490config MBEDTLS_USE_PSA_CRYPTO 491 bool "Use PSA APIs instead of legacy MbedTLS when possible" 492 default y if MBEDTLS_PSA_CRYPTO_CLIENT 493 help 494 Use PSA APIs instead of legacy MbedTLS functions in TLS/DTLS and other 495 "intermediate" modules such as PK, MD and Cipher. 496 497config MBEDTLS_PSA_CRYPTO_CLIENT 498 bool 499 default y 500 depends on BUILD_WITH_TFM || MBEDTLS_PSA_CRYPTO_C 501 select PSA_CRYPTO_CLIENT 502 503config MBEDTLS_LMS 504 bool "Support LMS signature schemes" 505 depends on MBEDTLS_PSA_CRYPTO_CLIENT 506 depends on MBEDTLS_SHA256 507 select PSA_WANT_ALG_SHA_256 508 509config MBEDTLS_PSA_P256M_DRIVER_ENABLED 510 bool "P256-M driver" 511 depends on MBEDTLS_PSA_CRYPTO_C 512 imply PSA_WANT_ALG_SHA_256 513 help 514 Enable support for the optimized sofware implementation of the secp256r1 515 curve through the standard PSA API. 516 517config MBEDTLS_PSA_P256M_DRIVER_RAW 518 bool "Access p256-m driver directly (without PSA interface)" 519 depends on MBEDTLS_PSA_P256M_DRIVER_ENABLED 520 help 521 Allow direct access to the p256-m driver interface. 522 Warning: Usage of this Kconfig option is prohibited in Zephyr's codebase. 523 Users can enable it in case of very memory-constrained devices, but be aware that the p256-m interface is absolutely not guaranted to remain stable over time. 524 525config MBEDTLS_SSL_DTLS_CONNECTION_ID 526 bool "DTLS Connection ID extension" 527 depends on MBEDTLS_DTLS 528 help 529 Enable support for the DTLS Connection ID extension 530 which allows to identify DTLS connections across changes 531 in the underlying transport. 532 533 534config MBEDTLS_NIST_KW_C 535 bool "NIST key wrap" 536 depends on MBEDTLS_CIPHER_AES_ENABLED 537 help 538 Key Wrapping mode for 128-bit block ciphers, 539 as defined in NIST SP 800-38F. 540 541config MBEDTLS_DHM_C 542 bool "Diffie-Hellman-Merkle mode" 543 help 544 Used by the following key exchanges, 545 DHE-RSA, DHE-PSK 546 547config MBEDTLS_X509_CRL_PARSE_C 548 bool "X509 CRL parsing" 549 help 550 Used by X509 CRL parsing 551 552config MBEDTLS_X509_CSR_WRITE_C 553 bool "X509 Certificate Signing Requests writing" 554 help 555 For X.509 certificate request writing. 556 557config MBEDTLS_X509_CSR_PARSE_C 558 bool "X509 Certificate Signing Request parsing" 559 help 560 For reading X.509 certificate request. 561endmenu 562
