1# TLS/DTLS related options
2
3# Copyright (c) 2018 Intel Corporation
4# Copyright (c) 2018 Nordic Semiconductor ASA
5# SPDX-License-Identifier: Apache-2.0
6
7menu "TLS configuration"
8	depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"
9
10menu "Supported TLS version"
11
12config MBEDTLS_TLS_VERSION_1_0
13	bool "Support for TLS 1.0"
14	select MBEDTLS_CIPHER
15	select MBEDTLS_MAC_MD5_ENABLED
16	select MBEDTLS_MAC_SHA1_ENABLED
17	select MBEDTLS_MD
18
19config MBEDTLS_TLS_VERSION_1_1
20	bool "Support for TLS 1.1 (DTLS 1.0)"
21	select MBEDTLS_CIPHER
22	select MBEDTLS_MAC_MD5_ENABLED
23	select MBEDTLS_MAC_SHA1_ENABLED
24	select MBEDTLS_MD
25
26config MBEDTLS_TLS_VERSION_1_2
27	bool "Support for TLS 1.2 (DTLS 1.2)"
28	default y if !NET_L2_OPENTHREAD
29	select MBEDTLS_CIPHER
30	select MBEDTLS_MD
31
32config MBEDTLS_DTLS
33	bool "Support for DTLS"
34	depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
35
36config MBEDTLS_SSL_EXPORT_KEYS
37	bool "Support for exporting SSL key block and master secret"
38	depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
39
40config MBEDTLS_SSL_ALPN
41	bool "Support for setting the supported Application Layer Protocols"
42	depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
43
44endmenu
45
46menu "Ciphersuite configuration"
47
48comment "Supported key exchange modes"
49
50config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
51	bool "All available ciphersuite modes"
52	select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
53	select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
54	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
55	select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
56	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
57	select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
58	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
59	select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
60	select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
61	select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
62	select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
63
64config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
65	bool "PSK based ciphersuite modes"
66
67config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
68	bool "DHE-PSK based ciphersuite modes"
69
70config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
71	bool "ECDHE-PSK based ciphersuite modes"
72	depends on MBEDTLS_ECDH_C
73
74config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
75	bool "RSA-PSK based ciphersuite modes"
76
77config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
78	bool
79	default y if MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || \
80		MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || \
81		MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
82		MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
83
84config MBEDTLS_PSK_MAX_LEN
85	int "Max size of TLS pre-shared keys"
86	default 32
87	depends on MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
88	help
89	  Max size of TLS pre-shared keys, in bytes.
90
91config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
92	bool "RSA-only based ciphersuite modes"
93	default y if !NET_L2_OPENTHREAD
94
95config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
96	bool "DHE-RSA based ciphersuite modes"
97
98config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
99	bool "ECDHE-RSA based ciphersuite modes"
100	depends on MBEDTLS_ECDH_C
101
102config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
103	bool "ECDHE-ECDSA based ciphersuite modes"
104	depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
105
106config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
107	bool "ECDH-ECDSA based ciphersuite modes"
108	depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
109
110config MBEDTLS_ECDSA_DETERMINISTIC
111	bool "Deterministic ECDSA (RFC 6979)"
112
113config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
114	bool "ECDH-RSA based ciphersuite modes"
115	depends on MBEDTLS_ECDH_C
116
117config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
118	bool "ECJPAKE based ciphersuite modes"
119	depends on MBEDTLS_ECJPAKE_C
120
121comment "Elliptic curve libraries"
122
123config MBEDTLS_ECDH_C
124	bool "Elliptic curve Diffie-Hellman library"
125	depends on MBEDTLS_ECP_C
126
127config MBEDTLS_ECDSA_C
128	bool "Elliptic curve DSA library"
129	depends on MBEDTLS_ECP_C
130
131config MBEDTLS_ECJPAKE_C
132	bool "Elliptic curve J-PAKE library"
133	depends on MBEDTLS_ECP_C
134
135config MBEDTLS_ECP_C
136	bool "Elliptic curve over GF(p) library"
137	default y if UOSCORE || UEDHOC
138
139if MBEDTLS_ECP_C
140
141comment "Supported elliptic curves"
142
143config MBEDTLS_ECP_ALL_ENABLED
144	bool "All available elliptic curves"
145	select MBEDTLS_ECP_DP_SECP192R1_ENABLED
146	select MBEDTLS_ECP_DP_SECP192R1_ENABLED
147	select MBEDTLS_ECP_DP_SECP224R1_ENABLED
148	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
149	select MBEDTLS_ECP_DP_SECP384R1_ENABLED
150	select MBEDTLS_ECP_DP_SECP521R1_ENABLED
151	select MBEDTLS_ECP_DP_SECP192K1_ENABLED
152	select MBEDTLS_ECP_DP_SECP224K1_ENABLED
153	select MBEDTLS_ECP_DP_SECP256K1_ENABLED
154	select MBEDTLS_ECP_DP_BP256R1_ENABLED
155	select MBEDTLS_ECP_DP_BP384R1_ENABLED
156	select MBEDTLS_ECP_DP_BP512R1_ENABLED
157	select MBEDTLS_ECP_DP_CURVE25519_ENABLED
158	select MBEDTLS_ECP_DP_CURVE448_ENABLED
159	select MBEDTLS_ECP_NIST_OPTIM
160
161config MBEDTLS_ECP_DP_SECP192R1_ENABLED
162	bool "SECP192R1 elliptic curve"
163
164config MBEDTLS_ECP_DP_SECP224R1_ENABLED
165	bool "SECP224R1 elliptic curve"
166
167config MBEDTLS_ECP_DP_SECP256R1_ENABLED
168	bool "SECP256R1 elliptic curve"
169	default y if UOSCORE || UEDHOC
170
171config MBEDTLS_ECP_DP_SECP384R1_ENABLED
172	bool "SECP384R1 elliptic curve"
173
174config MBEDTLS_ECP_DP_SECP521R1_ENABLED
175	bool "SECP521R1 elliptic curve"
176
177config MBEDTLS_ECP_DP_SECP192K1_ENABLED
178	bool "SECP192K1 elliptic curve"
179
180config MBEDTLS_ECP_DP_SECP224K1_ENABLED
181	bool "SECP224K1 elliptic curve"
182
183config MBEDTLS_ECP_DP_SECP256K1_ENABLED
184	bool "SECP256K1 elliptic curve"
185
186config MBEDTLS_ECP_DP_BP256R1_ENABLED
187	bool "BP256R1 elliptic curve"
188
189config MBEDTLS_ECP_DP_BP384R1_ENABLED
190	bool "BP384R1 elliptic curve"
191
192config MBEDTLS_ECP_DP_BP512R1_ENABLED
193	bool "BP512R1 elliptic curve"
194
195config MBEDTLS_ECP_DP_CURVE25519_ENABLED
196	bool "CURVE25519 elliptic curve"
197
198config MBEDTLS_ECP_DP_CURVE448_ENABLED
199	bool "CURVE448 elliptic curve"
200
201config MBEDTLS_ECP_NIST_OPTIM
202	bool "NSIT curves optimization"
203
204endif
205
206comment "Supported hash"
207
208config MBEDTLS_HASH_ALL_ENABLED
209	bool "All available hashes"
210	select MBEDTLS_HASH_SHA256_ENABLED
211	select MBEDTLS_HASH_SHA384_ENABLED
212	select MBEDTLS_HASH_SHA512_ENABLED
213
214config MBEDTLS_HASH_SHA256_ENABLED
215	bool "SHA256 hash"
216	default y if !NET_L2_OPENTHREAD
217
218config MBEDTLS_HASH_SHA384_ENABLED
219	bool "SHA384 hash"
220	default y if !NET_L2_OPENTHREAD
221	select MBEDTLS_HASH_SHA512_ENABLED
222
223config MBEDTLS_HASH_SHA512_ENABLED
224	bool "SHA512 hash"
225	default y if !NET_L2_OPENTHREAD
226
227comment "Supported cipher modes"
228
229config MBEDTLS_CIPHER_ALL_ENABLED
230	bool "All available ciphers"
231	select MBEDTLS_CIPHER_AES_ENABLED
232	select MBEDTLS_CIPHER_CAMELLIA_ENABLED
233	select MBEDTLS_CIPHER_DES_ENABLED
234	select MBEDTLS_CIPHER_ARC4_ENABLED
235	select MBEDTLS_CIPHER_CHACHA20_ENABLED
236	select MBEDTLS_CIPHER_BLOWFISH_ENABLED
237	select MBEDTLS_CIPHER_CCM_ENABLED
238	select MBEDTLS_CIPHER_GCM_ENABLED
239	select MBEDTLS_CIPHER_MODE_XTS_ENABLED
240	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
241	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
242	select MBEDTLS_CHACHAPOLY_AEAD_ENABLED
243
244config MBEDTLS_CIPHER_AES_ENABLED
245	bool "AES block cipher"
246	default y
247
248config MBEDTLS_AES_ROM_TABLES
249	depends on MBEDTLS_CIPHER_AES_ENABLED
250	bool "Use precomputed AES tables stored in ROM."
251	default y
252
253config MBEDTLS_AES_FEWER_TABLES
254	depends on MBEDTLS_CIPHER_AES_ENABLED
255	bool "Reduce the size of precomputed AES tables by ~6kB"
256	help
257	  Reduce the size of the AES tables at a tradeoff of more
258	  arithmetic operations at runtime. Specifically 4 table
259	  lookups are converted to 1 table lookup, 3 additions
260	  and 6 bit shifts.
261
262config MBEDTLS_CIPHER_CAMELLIA_ENABLED
263	bool "Camellia block cipher"
264
265config MBEDTLS_CIPHER_DES_ENABLED
266	bool "DES block cipher"
267	default y if !NET_L2_OPENTHREAD
268
269config MBEDTLS_CIPHER_ARC4_ENABLED
270	bool "ARC4 stream cipher"
271
272config MBEDTLS_CIPHER_CHACHA20_ENABLED
273	bool "ChaCha20 stream cipher"
274
275config MBEDTLS_CIPHER_BLOWFISH_ENABLED
276	bool "Blowfish block cipher"
277
278config MBEDTLS_CIPHER_CCM_ENABLED
279	bool "Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
280	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
281	default y if UOSCORE || UEDHOC
282
283config MBEDTLS_CIPHER_GCM_ENABLED
284	bool "Galois/Counter Mode (GCM) for AES"
285	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
286
287config MBEDTLS_CIPHER_MODE_XTS_ENABLED
288	bool "Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
289	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
290
291config MBEDTLS_CIPHER_MODE_CBC_ENABLED
292	bool "Cipher Block Chaining mode (CBC) for symmetric ciphers"
293	default y if !NET_L2_OPENTHREAD
294
295config MBEDTLS_CIPHER_MODE_CTR_ENABLED
296	bool "Counter Block Cipher mode (CTR) for symmetric ciphers."
297
298config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
299	bool "ChaCha20-Poly1305 AEAD algorithm"
300	depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED
301
302comment "Supported message authentication methods"
303
304config MBEDTLS_MAC_ALL_ENABLED
305	bool "All available MAC methods"
306	select MBEDTLS_MAC_MD4_ENABLED
307	select MBEDTLS_MAC_MD5_ENABLED
308	select MBEDTLS_MAC_SHA1_ENABLED
309	select MBEDTLS_MAC_SHA256_ENABLED
310	select MBEDTLS_MAC_SHA384_ENABLED
311	select MBEDTLS_MAC_SHA512_ENABLED
312	select MBEDTLS_MAC_POLY1305_ENABLED
313	select MBEDTLS_MAC_CMAC_ENABLED
314
315config MBEDTLS_MAC_MD4_ENABLED
316	bool "MD4 hash algorithm"
317
318config MBEDTLS_MAC_MD5_ENABLED
319	bool "MD5 hash algorithm"
320	default y if !NET_L2_OPENTHREAD
321
322config MBEDTLS_MAC_SHA1_ENABLED
323	bool "SHA1 hash algorithm"
324	default y if !NET_L2_OPENTHREAD
325
326config MBEDTLS_MAC_SHA256_ENABLED
327	bool "SHA-224 and SHA-256 hash algorithms"
328	default y
329
330config MBEDTLS_SHA256_SMALLER
331	bool "Smaller SHA-256 implementation"
332	depends on MBEDTLS_MAC_SHA256_ENABLED
333	default y
334	help
335	  Enable an implementation of SHA-256 that has lower ROM footprint but also
336	  lower performance
337
338config MBEDTLS_MAC_SHA384_ENABLED
339	bool "SHA-384 hash algorithm"
340	select MBEDTLS_MAC_SHA512_ENABLED
341
342config MBEDTLS_MAC_SHA512_ENABLED
343	bool "SHA-512 hash algorithm"
344
345config MBEDTLS_MAC_POLY1305_ENABLED
346	bool "Poly1305 MAC algorithm"
347
348config MBEDTLS_MAC_CMAC_ENABLED
349	bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
350	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
351
352endmenu
353
354comment "Random number generators"
355
356config MBEDTLS_CTR_DRBG_ENABLED
357	bool "CTR_DRBG AES-256-based random generator"
358	depends on MBEDTLS_CIPHER_AES_ENABLED
359	default y
360
361config MBEDTLS_HMAC_DRBG_ENABLED
362	bool "HMAC_DRBG random generator"
363	select MBEDTLS_MD
364
365comment "Other configurations"
366
367config MBEDTLS_CIPHER
368	bool "generic cipher layer."
369
370config MBEDTLS_MD
371	bool "generic message digest layer."
372
373config MBEDTLS_GENPRIME_ENABLED
374	bool "prime-number generation code."
375
376config MBEDTLS_PEM_CERTIFICATE_FORMAT
377	bool "Support for PEM certificate format"
378	help
379	  By default only DER (binary) format of certificates is supported. Enable
380	  this option to enable support for PEM format.
381
382config MBEDTLS_HAVE_ASM
383	bool "Use of assembly code"
384	default y if !ARM
385	help
386	  Enable use of assembly code in mbedTLS. This improves the performances
387	  of asymmetric cryptography, however this might have an impact on the
388	  code size.
389
390config MBEDTLS_ENTROPY_ENABLED
391	bool "MbedTLS generic entropy pool"
392	depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA384_ENABLED || MBEDTLS_MAC_SHA512_ENABLED
393	default y if MBEDTLS_ZEPHYR_ENTROPY
394
395config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
396	bool "MbedTLS optimizations for OpenThread"
397	depends on NET_L2_OPENTHREAD
398	default y if !NET_SOCKETS_SOCKOPT_TLS
399	help
400	  Enable some OpenThread specific mbedTLS optimizations that allows to
401	  save some RAM/ROM when OpenThread is used. Note, that when application
402	  aims to use other mbedTLS services on top of OpenThread (e.g. secure
403	  sockets), it's advised to disable this option.
404
405config MBEDTLS_USER_CONFIG_ENABLE
406	bool "User mbedTLS config file"
407	help
408	  Enable user mbedTLS config file that will be included at the end of
409	  the generic config file.
410
411config MBEDTLS_USER_CONFIG_FILE
412	string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE
413	help
414	  User config file that can contain mbedTLS configs that were not
415	  covered by the generic config file.
416
417config MBEDTLS_SERVER_NAME_INDICATION
418	bool "Support for RFC 6066 server name indication (SNI) in SSL"
419	help
420	  Enable this to support RFC 6066 server name indication (SNI) in SSL.
421	  This requires that MBEDTLS_X509_CRT_PARSE_C is also set.
422
423config MBEDTLS_PK_WRITE_C
424	bool "The generic public (asymmetric) key writer"
425	default y if MBEDTLS_PSA_CRYPTO_C
426	help
427	  Enable generic public key write functions.
428
429config MBEDTLS_HAVE_TIME_DATE
430	bool "Date/time validation in mbed TLS"
431	help
432	  System has time.h, time(), and an implementation for gmtime_r().
433	  There also need to be a valid time source in the system, as mbedTLS
434	  expects a valid date/time for certificate validation."
435
436config MBEDTLS_PKCS5_C
437	bool "Password-based encryption functions"
438	select MBEDTLS_MD
439	help
440	  Enable PKCS5 functions
441
442config MBEDTLS_SSL_CACHE_C
443	bool "SSL session cache support"
444	help
445	  "This option enables simple SSL cache implementation (server side)."
446
447config MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
448	int "Default timeout for SSL cache entires"
449	depends on MBEDTLS_SSL_CACHE_C
450	default 86400
451
452config MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
453	int "Maximum number of SSL cache entires"
454	depends on MBEDTLS_SSL_CACHE_C
455	default 5
456
457config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
458	bool "(D)TLS Extended Master Secret extension"
459	depends on MBEDTLS_TLS_VERSION_1_2
460	help
461	  Enable support for the (D)TLS Extended Master Secret extension
462	  which ensures that master secrets are different for every
463	  connection and every session.
464
465config MBEDTLS_PSA_CRYPTO_C
466	bool "Platform Security Architecture cryptography API"
467	depends on MBEDTLS_ENTROPY_ENABLED
468	depends on MBEDTLS_CTR_DRBG_ENABLED || MBEDTLS_HMAC_DRBG_ENABLED
469	default y if UOSCORE || UEDHOC
470
471config MBEDTLS_LMS
472	bool "Support LMS signature schemes"
473	depends on MBEDTLS_PSA_CRYPTO_C
474	depends on MBEDTLS_HASH_SHA256_ENABLED
475
476config MBEDTLS_SSL_DTLS_CONNECTION_ID
477	bool "DTLS Connection ID extension"
478	depends on MBEDTLS_DTLS
479	help
480	  Enable support for the DTLS Connection ID extension
481	  which allows to identify DTLS connections across changes
482	  in the underlying transport.
483
484endmenu
485