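# TLS/DTLS related options

# Copyright (c) 2018 Intel Corporation
# Copyright (c) 2018 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0

menu "TLS configuration"
	depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"

menu "Supported TLS version"

config MBEDTLS_TLS_VERSION_1_0
	bool "Enable support for TLS 1.0"
	select MBEDTLS_CIPHER
	select MBEDTLS_MAC_MD5_ENABLED
	select MBEDTLS_MAC_SHA1_ENABLED
	select MBEDTLS_MD
	help
	  TLS 1.0 is deprecated (RFC 8996) and its PRF is built on MD5 and
	  SHA-1, which is why both are selected here. Enable only for
	  interoperability with legacy peers.

config MBEDTLS_TLS_VERSION_1_1
	bool "Enable support for TLS 1.1 (DTLS 1.0)"
	select MBEDTLS_CIPHER
	select MBEDTLS_MAC_MD5_ENABLED
	select MBEDTLS_MAC_SHA1_ENABLED
	select MBEDTLS_MD
	help
	  TLS 1.1 and DTLS 1.0 are deprecated (RFC 8996) and share the
	  MD5/SHA-1 based PRF of TLS 1.0. Enable only for interoperability
	  with legacy peers.

config MBEDTLS_TLS_VERSION_1_2
	bool "Enable support for TLS 1.2 (DTLS 1.2)"
	default y if !NET_L2_OPENTHREAD
	select MBEDTLS_CIPHER
	select MBEDTLS_MD
	help
	  Recommended protocol version; the only one offered here that is
	  not deprecated.

config MBEDTLS_DTLS
	bool "Enable support for DTLS"
	depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2

config MBEDTLS_SSL_EXPORT_KEYS
	bool "Enable support for exporting SSL key block and master secret"
	depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
	help
	  Exposes the negotiated key block and master secret to application
	  code (e.g. for key logging while debugging). Anything able to read
	  them can decrypt the session, so keep this disabled in production
	  builds.

config MBEDTLS_SSL_ALPN
	bool "Enable support for setting the supported Application Layer Protocols"
	depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2

endmenu

menu "Ciphersuite configuration"

comment "Supported key exchange modes"

config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
	bool "Enable all available ciphersuite modes"
	select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
	help
	  Convenience switch for test builds. It also pulls in the
	  non-forward-secret modes (RSA, RSA-PSK, static ECDH), so a
	  production configuration should select only the modes it needs.

config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
	bool "Enable the PSK based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
	bool "Enable the DHE-PSK based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
	bool "Enable the ECDHE-PSK based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
	bool "Enable the RSA-PSK based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
	bool "Enable the RSA-only based ciphersuite modes"
	default y if !NET_L2_OPENTHREAD
	help
	  RSA key transport provides no forward secrecy: a compromised
	  server key decrypts recorded past sessions. Prefer the (EC)DHE
	  modes where the peer supports them.

config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
	bool "Enable the DHE-RSA based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
	bool "Enable the ECDHE-RSA based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
	bool "Enable the ECDHE-ECDSA based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
	bool "Enable the ECDH-ECDSA based ciphersuite modes"

config MBEDTLS_ECDSA_DETERMINISTIC
	bool "Enable deterministic ECDSA (RFC 6979)"
	help
	  Derives the per-signature nonce from the key and message instead
	  of the RNG, so a weak or repeating random source cannot leak the
	  private key through reused nonces.

config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
	bool "Enable the ECDH-RSA based ciphersuite modes"

config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
	bool "Enable the ECJPAKE based ciphersuite modes"

if MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
	MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
	MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || \
	MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || \
	MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \
	MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED

comment "Supported elliptic curves"

config MBEDTLS_ECP_ALL_ENABLED
	bool "Enable all available elliptic curves"
	select MBEDTLS_ECP_DP_SECP192R1_ENABLED
	select MBEDTLS_ECP_DP_SECP224R1_ENABLED
	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
	select MBEDTLS_ECP_DP_SECP384R1_ENABLED
	select MBEDTLS_ECP_DP_SECP521R1_ENABLED
	select MBEDTLS_ECP_DP_SECP192K1_ENABLED
	select MBEDTLS_ECP_DP_SECP224K1_ENABLED
	select MBEDTLS_ECP_DP_SECP256K1_ENABLED
	select MBEDTLS_ECP_DP_BP256R1_ENABLED
	select MBEDTLS_ECP_DP_BP384R1_ENABLED
	select MBEDTLS_ECP_DP_BP512R1_ENABLED
	select MBEDTLS_ECP_DP_CURVE25519_ENABLED
	select MBEDTLS_ECP_DP_CURVE448_ENABLED
	select MBEDTLS_ECP_NIST_OPTIM
	help
	  Convenience switch; also enables the 192-bit curves, which fall
	  below the commonly recommended 112-bit security level.

config MBEDTLS_ECP_DP_SECP192R1_ENABLED
	bool "Enable SECP192R1 elliptic curve"
	help
	  Roughly 96-bit security level; enable only for legacy
	  interoperability.

config MBEDTLS_ECP_DP_SECP224R1_ENABLED
	bool "Enable SECP224R1 elliptic curve"

config MBEDTLS_ECP_DP_SECP256R1_ENABLED
	bool "Enable SECP256R1 elliptic curve"

config MBEDTLS_ECP_DP_SECP384R1_ENABLED
	bool "Enable SECP384R1 elliptic curve"

config MBEDTLS_ECP_DP_SECP521R1_ENABLED
	bool "Enable SECP521R1 elliptic curve"

config MBEDTLS_ECP_DP_SECP192K1_ENABLED
	bool "Enable SECP192K1 elliptic curve"
	help
	  Roughly 96-bit security level; enable only for legacy
	  interoperability.

config MBEDTLS_ECP_DP_SECP224K1_ENABLED
	bool "Enable SECP224K1 elliptic curve"

config MBEDTLS_ECP_DP_SECP256K1_ENABLED
	bool "Enable SECP256K1 elliptic curve"

config MBEDTLS_ECP_DP_BP256R1_ENABLED
	bool "Enable BP256R1 elliptic curve"

config MBEDTLS_ECP_DP_BP384R1_ENABLED
	bool "Enable BP384R1 elliptic curve"

config MBEDTLS_ECP_DP_BP512R1_ENABLED
	bool "Enable BP512R1 elliptic curve"

config MBEDTLS_ECP_DP_CURVE25519_ENABLED
	bool "Enable CURVE25519 elliptic curve"

config MBEDTLS_ECP_DP_CURVE448_ENABLED
	bool "Enable CURVE448 elliptic curve"

config MBEDTLS_ECP_NIST_OPTIM
	bool "Enable NIST curves optimization"
	help
	  Use the faster modular-reduction routines specialised for the
	  NIST (SECP*R1) prime moduli.

endif

comment "Supported cipher modes"

config MBEDTLS_CIPHER_ALL_ENABLED
	bool "Enable all available ciphers"
	select MBEDTLS_CIPHER_AES_ENABLED
	select MBEDTLS_CIPHER_CAMELLIA_ENABLED
	select MBEDTLS_CIPHER_DES_ENABLED
	select MBEDTLS_CIPHER_ARC4_ENABLED
	select MBEDTLS_CIPHER_CHACHA20_ENABLED
	select MBEDTLS_CIPHER_BLOWFISH_ENABLED
	select MBEDTLS_CIPHER_CCM_ENABLED
	select MBEDTLS_CIPHER_GCM_ENABLED
	select MBEDTLS_CIPHER_MODE_XTS_ENABLED
	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
	select MBEDTLS_CHACHAPOLY_AEAD_ENABLED
	help
	  Convenience switch for test builds; it also enables the legacy
	  DES, ARC4 and Blowfish ciphers. A production configuration should
	  select only the ciphers it needs.

config MBEDTLS_CIPHER_AES_ENABLED
	bool "Enable the AES block cipher"
	default y

config MBEDTLS_AES_ROM_TABLES
	depends on MBEDTLS_CIPHER_AES_ENABLED
	bool "Use precomputed AES tables stored in ROM."
	default y
	help
	  Trades ROM for RAM: the S-box and round tables are stored as
	  constants instead of being generated at run time.

config MBEDTLS_CIPHER_CAMELLIA_ENABLED
	bool "Enable the Camellia block cipher"

config MBEDTLS_CIPHER_DES_ENABLED
	bool "Enable the DES block cipher"
	default y if !NET_L2_OPENTHREAD
	help
	  Single DES has a 56-bit key and is brute-forceable; 3DES has a
	  64-bit block size. Both are legacy algorithms kept for
	  interoperability only.

config MBEDTLS_CIPHER_ARC4_ENABLED
	bool "Enable the ARC4 stream cipher"
	help
	  RC4 is prohibited in TLS (RFC 7465) because of known keystream
	  biases. Enable only for non-TLS legacy protocols.

config MBEDTLS_CIPHER_CHACHA20_ENABLED
	bool "Enable the ChaCha20 stream cipher"

config MBEDTLS_CIPHER_BLOWFISH_ENABLED
	bool "Enable the Blowfish block cipher"
	help
	  64-bit block size; birthday-bound attacks become practical on
	  long sessions. Legacy algorithm, not used by TLS ciphersuites.

config MBEDTLS_CIPHER_CCM_ENABLED
	bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED

config MBEDTLS_CIPHER_GCM_ENABLED
	bool "Enable the Galois/Counter Mode (GCM) for AES"
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED

config MBEDTLS_CIPHER_MODE_XTS_ENABLED
	bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
	help
	  XTS is a storage-encryption mode and is not used by any TLS
	  ciphersuite; enable it only if the application needs it directly.

config MBEDTLS_CIPHER_MODE_CBC_ENABLED
	bool "Enable Cipher Block Chaining mode (CBC) for symmetric ciphers"
	default y if !NET_L2_OPENTHREAD
	help
	  Required by the non-AEAD TLS ciphersuites. Prefer the AEAD modes
	  (GCM, CCM, ChaCha20-Poly1305) where the peer supports them.

config MBEDTLS_CIPHER_MODE_CTR_ENABLED
	bool "Enable Counter Block Cipher mode (CTR) for symmetric ciphers."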
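
config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
	bool "Enable the ChaCha20-Poly1305 AEAD algorithm"
	# NOTE(review): the AEAD construction uses both ChaCha20 and Poly1305;
	# the "||" below mirrors the library's own prerequisite check but looks
	# like it should require both - confirm against config-tls-generic.h.
	depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED

comment "Supported message authentication methods"

config MBEDTLS_MAC_ALL_ENABLED
	bool "Enable all available MAC methods"
	select MBEDTLS_MAC_MD4_ENABLED
	select MBEDTLS_MAC_MD5_ENABLED
	select MBEDTLS_MAC_SHA1_ENABLED
	select MBEDTLS_MAC_SHA256_ENABLED
	select MBEDTLS_MAC_SHA512_ENABLED
	select MBEDTLS_MAC_POLY1305_ENABLED
	select MBEDTLS_MAC_CMAC_ENABLED
	help
	  Convenience switch for test builds; it also enables the broken
	  MD4 and MD5 digests. A production configuration should select
	  only the algorithms it needs.

config MBEDTLS_MAC_MD4_ENABLED
	bool "Enable the MD4 hash algorithm"
	help
	  Cryptographically broken; enable only for legacy protocol
	  compatibility.

config MBEDTLS_MAC_MD5_ENABLED
	bool "Enable the MD5 hash algorithm"
	default y if !NET_L2_OPENTHREAD
	help
	  Collision attacks are practical; not acceptable for signatures.
	  Still required by the TLS 1.0/1.1 PRF.

config MBEDTLS_MAC_SHA1_ENABLED
	bool "Enable the SHA1 hash algorithm"
	default y if !NET_L2_OPENTHREAD
	help
	  Collisions have been demonstrated; avoid for certificate and
	  handshake signatures. Still required by the TLS 1.0/1.1 PRF.

config MBEDTLS_MAC_SHA256_ENABLED
	bool "Enable the SHA-224 and SHA-256 hash algorithms"
	default y

config MBEDTLS_SHA256_SMALLER
	bool "Enable smaller SHA-256 implementation"
	depends on MBEDTLS_MAC_SHA256_ENABLED
	default y
	help
	  Enable an implementation of SHA-256 that has a lower ROM footprint
	  but also lower performance.

config MBEDTLS_MAC_SHA512_ENABLED
	bool "Enable the SHA-384 and SHA-512 hash algorithms"

config MBEDTLS_MAC_POLY1305_ENABLED
	bool "Enable the Poly1305 MAC algorithm"

config MBEDTLS_MAC_CMAC_ENABLED
	bool "Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED

endmenu

comment "Random number generators"

config MBEDTLS_CTR_DRBG_ENABLED
	bool "Enable the CTR_DRBG AES-256-based random generator"
	depends on MBEDTLS_CIPHER_AES_ENABLED
	default y
	help
	  Deterministic generator; its output is only as unpredictable as
	  the entropy it is seeded with.

config MBEDTLS_HMAC_DRBG_ENABLED
	bool "Enable the HMAC_DRBG random generator"
	select MBEDTLS_MD

comment "Other configurations"

config MBEDTLS_CIPHER
	bool "Enable the generic cipher layer."

config MBEDTLS_MD
	bool "Enable the generic message digest layer."

config MBEDTLS_GENPRIME_ENABLED
	bool "Enable the prime-number generation code."
	help
	  Needed only to generate RSA/DH parameters on the device; key
	  generation is slow on constrained targets.

config MBEDTLS_PEM_CERTIFICATE_FORMAT
	bool "Enable support for PEM certificate format"
	help
	  By default only the DER (binary) format of certificates is
	  supported. Enable this option to add support for the PEM format.

config MBEDTLS_HAVE_ASM
	bool "Enable use of assembly code"
	default y if !ARM
	help
	  Enable use of assembly code in mbedTLS. This improves the
	  performance of asymmetric cryptography, but it may increase the
	  code size.

config MBEDTLS_ENTROPY_ENABLED
	bool "Enable mbedTLS generic entropy pool"
	depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA512_ENABLED
	help
	  The entropy accumulator hashes its sources with SHA-512 or
	  SHA-256, hence the dependency above.

config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
	bool "Enable mbedTLS optimizations for OpenThread"
	depends on NET_L2_OPENTHREAD
	default y if !NET_SOCKETS_SOCKOPT_TLS
	help
	  Enable some OpenThread-specific mbedTLS optimizations that allow
	  saving some RAM/ROM when OpenThread is used. Note that when the
	  application aims to use other mbedTLS services on top of
	  OpenThread (e.g. secure sockets), it is advised to disable this
	  option.

config MBEDTLS_USER_CONFIG_ENABLE
	bool "Enable user mbedTLS config file"
	help
	  Enable a user mbedTLS config file that will be included at the
	  end of the generic config file.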
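
config MBEDTLS_USER_CONFIG_FILE
	string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE
	help
	  User config file that can contain mbedTLS configs that were not
	  covered by the generic config file. It is included after the
	  generic file, so it can override options defined there.

config MBEDTLS_SERVER_NAME_INDICATION
	bool "Enable support for RFC 6066 server name indication (SNI) in SSL"
	help
	  Enable this to support RFC 6066 server name indication (SNI) in SSL.
	  This requires that MBEDTLS_X509_CRT_PARSE_C is also set.

config MBEDTLS_PK_WRITE_C
	bool "Enable the generic public (asymmetric) key writer"
	help
	  Enable generic public key write functions.

config MBEDTLS_HAVE_TIME_DATE
	bool "Enable date/time validation in mbed TLS"
	help
	  System has time.h, time(), and an implementation for gmtime_r().
	  There also needs to be a valid time source in the system, as mbedTLS
	  expects a valid date/time for certificate validation. Without this
	  option the certificate validity period (notBefore/notAfter) is not
	  checked, so expired certificates are accepted.

endmenu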