1menu "mbedTLS" 2 3 choice MBEDTLS_MEM_ALLOC_MODE 4 prompt "Memory allocation strategy" 5 default MBEDTLS_INTERNAL_MEM_ALLOC 6 help 7 Allocation strategy for mbedTLS, essentially provides ability to 8 allocate all required dynamic allocations from, 9 10 - Internal DRAM memory only 11 - External SPIRAM memory only 12 - Either internal or external memory based on default malloc() 13 behavior in ESP-IDF 14 - Custom allocation mode, by overwriting calloc()/free() using 15 mbedtls_platform_set_calloc_free() function 16 - Internal IRAM memory wherever applicable else internal DRAM 17 18 Recommended mode here is always internal, since that is most preferred 19 from security perspective. But if application requirement does not 20 allow sufficient free internal memory then alternate mode can be 21 selected. 22 23 config MBEDTLS_INTERNAL_MEM_ALLOC 24 bool "Internal memory" 25 26 config MBEDTLS_EXTERNAL_MEM_ALLOC 27 bool "External SPIRAM" 28 depends on ESP32_SPIRAM_SUPPORT 29 30 config MBEDTLS_DEFAULT_MEM_ALLOC 31 bool "Default alloc mode" 32 33 config MBEDTLS_CUSTOM_MEM_ALLOC 34 bool "Custom alloc mode" 35 36 config MBEDTLS_IRAM_8BIT_MEM_ALLOC 37 bool "Internal IRAM" 38 depends on ESP32_IRAM_AS_8BIT_ACCESSIBLE_MEMORY 39 help 40 Allows to use IRAM memory region as 8bit accessible region. 41 42 TLS input and output buffers will be allocated in IRAM section which is 32bit aligned 43 memory. Every unaligned (8bit or 16bit) access will result in an exception 44 and incur penalty of certain clock cycles per unaligned read/write. 45 46 endchoice #MBEDTLS_MEM_ALLOC_MODE 47 48 config MBEDTLS_SSL_MAX_CONTENT_LEN 49 int "TLS maximum message content length" 50 default 16384 51 range 512 16384 52 depends on !MBEDTLS_ASYMMETRIC_CONTENT_LEN 53 help 54 Maximum TLS message length (in bytes) supported by mbedTLS. 55 56 16384 is the default and this value is required to comply 57 fully with TLS standards. 58 59 However you can set a lower value in order to save RAM. This 60 is safe if the other end of the connection supports Maximum 61 Fragment Length Negotiation Extension (max_fragment_length, 62 see RFC6066) or you know for certain that it will never send a 63 message longer than a certain number of bytes. 64 65 If the value is set too low, symptoms are a failed TLS 66 handshake or a return value of MBEDTLS_ERR_SSL_INVALID_RECORD 67 (-0x7200). 68 69 config MBEDTLS_ASYMMETRIC_CONTENT_LEN 70 bool "Asymmetric in/out fragment length" 71 default y 72 help 73 If enabled, this option allows customizing TLS in/out fragment length 74 in asymmetric way. Please note that enabling this with default values 75 saves 12KB of dynamic memory per TLS connection. 76 77 config MBEDTLS_SSL_IN_CONTENT_LEN 78 int "TLS maximum incoming fragment length" 79 default 16384 80 range 512 16384 81 depends on MBEDTLS_ASYMMETRIC_CONTENT_LEN 82 help 83 This defines maximum incoming fragment length, overriding default 84 maximum content length (MBEDTLS_SSL_MAX_CONTENT_LEN). 85 86 config MBEDTLS_SSL_OUT_CONTENT_LEN 87 int "TLS maximum outgoing fragment length" 88 default 4096 89 range 512 16384 90 depends on MBEDTLS_ASYMMETRIC_CONTENT_LEN 91 help 92 This defines maximum outgoing fragment length, overriding default 93 maximum content length (MBEDTLS_SSL_MAX_CONTENT_LEN). 94 95 config MBEDTLS_DYNAMIC_BUFFER 96 bool "Using dynamic TX/RX buffer" 97 default n 98 select MBEDTLS_ASYMMETRIC_CONTENT_LEN 99 help 100 Using dynamic TX/RX buffer. After enabling this option, mbedTLS will 101 allocate TX buffer when need to send data and then free it if all data 102 is sent, allocate RX buffer when need to receive data and then free it 103 when all data is used or read by upper layer. 104 105 By default, when SSL is initialized, mbedTLS also allocate TX and 106 RX buffer with the default value of "MBEDTLS_SSL_OUT_CONTENT_LEN" or 107 "MBEDTLS_SSL_IN_CONTENT_LEN", so to save more heap, users can set 108 the options to be an appropriate value. 109 110 config MBEDTLS_DYNAMIC_FREE_PEER_CERT 111 bool "Free SSL peer certificate after its usage" 112 default n 113 depends on MBEDTLS_DYNAMIC_BUFFER 114 help 115 Free peer certificate after its usage in handshake process. 116 117 config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA 118 bool "Free private key and DHM data after its usage" 119 default n 120 depends on MBEDTLS_DYNAMIC_BUFFER 121 help 122 Free private key and DHM data after its usage in handshake process. 123 124 The option will decrease heap cost when handshake, but also lead to problem: 125 126 Becasue all certificate, private key and DHM data are freed so users should register 127 certificate and private key to ssl config object again. 128 129 config MBEDTLS_DYNAMIC_FREE_CA_CERT 130 bool "Free SSL ca certificate after its usage" 131 default y 132 depends on MBEDTLS_DYNAMIC_FREE_CONFIG_DATA 133 help 134 Free ca certificate after its usage in the handshake process. 135 This option will decrease the heap footprint for the TLS handshake, but may lead to a problem: 136 If the respective ssl object needs to perform the TLS handshake again, 137 the ca certificate should once again be registered to the ssl object. 138 139 config MBEDTLS_DEBUG 140 bool "Enable mbedTLS debugging" 141 default n 142 help 143 Enable mbedTLS debugging functions at compile time. 144 145 If this option is enabled, you can include 146 "mbedtls/esp_debug.h" and call mbedtls_esp_enable_debug_log() 147 at runtime in order to enable mbedTLS debug output via the ESP 148 log mechanism. 149 150 choice MBEDTLS_DEBUG_LEVEL 151 bool "Set mbedTLS debugging level" 152 depends on MBEDTLS_DEBUG 153 default MBEDTLS_DEBUG_LEVEL_VERBOSE 154 help 155 Set mbedTLS debugging level 156 157 config MBEDTLS_DEBUG_LEVEL_WARN 158 bool "Warning" 159 config MBEDTLS_DEBUG_LEVEL_INFO 160 bool "Info" 161 config MBEDTLS_DEBUG_LEVEL_DEBUG 162 bool "Debug" 163 config MBEDTLS_DEBUG_LEVEL_VERBOSE 164 bool "Verbose" 165 endchoice 166 167 config MBEDTLS_DEBUG_LEVEL 168 int 169 default 1 if MBEDTLS_DEBUG_LEVEL_WARN 170 default 2 if MBEDTLS_DEBUG_LEVEL_INFO 171 default 3 if MBEDTLS_DEBUG_LEVEL_DEBUG 172 default 4 if MBEDTLS_DEBUG_LEVEL_VERBOSE 173 174 175 menu "Certificate Bundle" 176 177 config MBEDTLS_CERTIFICATE_BUNDLE 178 bool "Enable trusted root certificate bundle" 179 default y 180 help 181 Enable support for large number of default root certificates 182 183 When enabled this option allows user to store default as well 184 as customer specific root certificates in compressed format rather 185 than storing full certificate. For the root certificates the public key and the subject name 186 will be stored. 187 188 choice MBEDTLS_DEFAULT_CERTIFICATE_BUNDLE 189 bool "Default certificate bundle options" 190 depends on MBEDTLS_CERTIFICATE_BUNDLE 191 default MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL 192 193 config MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL 194 bool "Use the full default certificate bundle" 195 config MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN 196 bool "Use only the most common certificates from the default bundles" 197 help 198 Use only the most common certificates from the default bundles, reducing the size with 50%, 199 while still having around 99% coverage. 200 config MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE 201 bool "Do not use the default certificate bundle" 202 endchoice 203 204 config MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE 205 depends on MBEDTLS_CERTIFICATE_BUNDLE 206 default n 207 bool "Add custom certificates to the default bundle" 208 config MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE_PATH 209 depends on MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE 210 string "Custom certificate bundle path" 211 help 212 Name of the custom certificate directory or file. This path is evaluated 213 relative to the project root directory. 214 endmenu 215 216 217 218 219 220 config MBEDTLS_ECP_RESTARTABLE 221 bool "Enable mbedTLS ecp restartable" 222 default n 223 help 224 Enable "non-blocking" ECC operations that can return early and be resumed. 225 226 config MBEDTLS_CMAC_C 227 bool "Enable CMAC mode for block ciphers" 228 default n 229 help 230 Enable the CMAC (Cipher-based Message Authentication Code) mode for 231 block ciphers. 232 233 config MBEDTLS_HARDWARE_AES 234 bool "Enable hardware AES acceleration" 235 default n if IDF_TARGET_ESP32S3 236 default y 237 depends on !SPIRAM_CACHE_WORKAROUND_STRATEGY_DUPLDST 238 help 239 Enable hardware accelerated AES encryption & decryption. 240 241 Note that if the ESP32 CPU is running at 240MHz, hardware AES does not 242 offer any speed boost over software AES. 243 244 config MBEDTLS_AES_USE_INTERRUPT 245 bool "Use interrupt for long AES operations" 246 depends on IDF_TARGET_ESP32S2 && MBEDTLS_HARDWARE_AES 247 default y 248 help 249 Use an interrupt to coordinate long AES operations. 250 251 This allows other code to run on the CPU while an AES operation is pending. 252 Otherwise the CPU busy-waits. 253 254 config MBEDTLS_HARDWARE_GCM 255 bool "Enable partially hardware accelerated GCM" 256 depends on IDF_TARGET_ESP32S2 && MBEDTLS_HARDWARE_AES 257 default y 258 help 259 Enable partially hardware accelerated GCM. GHASH calculation is still done 260 in software. 261 262 If MBEDTLS_HARDWARE_GCM is disabled and MBEDTLS_HARDWARE_AES is enabled then 263 mbedTLS will still use the hardware accelerated AES block operation, but 264 on a single block at a time. 265 266 config MBEDTLS_HARDWARE_MPI 267 bool "Enable hardware MPI (bignum) acceleration" 268 default n if IDF_TARGET_ESP32S3 269 default y 270 depends on !SPIRAM_CACHE_WORKAROUND_STRATEGY_DUPLDST 271 help 272 Enable hardware accelerated multiple precision integer operations. 273 274 Hardware accelerated multiplication, modulo multiplication, 275 and modular exponentiation for up to 4096 bit results. 276 277 These operations are used by RSA. 278 279 config MBEDTLS_HARDWARE_SHA 280 bool "Enable hardware SHA acceleration" 281 default n if IDF_TARGET_ESP32S3 282 default y 283 depends on !SPIRAM_CACHE_WORKAROUND_STRATEGY_DUPLDST 284 help 285 Enable hardware accelerated SHA1, SHA256, SHA384 & SHA512 in mbedTLS. 286 287 Due to a hardware limitation, on the ESP32 hardware acceleration is only 288 guaranteed if SHA digests are calculated one at a time. If more 289 than one SHA digest is calculated at the same time, one will 290 be calculated fully in hardware and the rest will be calculated 291 (at least partially calculated) in software. This happens automatically. 292 293 SHA hardware acceleration is faster than software in some situations but 294 slower in others. You should benchmark to find the best setting for you. 295 296 config MBEDTLS_ROM_MD5 297 bool "Use MD5 implementation in ROM" 298 default y 299 help 300 Use ROM MD5 in mbedTLS. 301 302 config MBEDTLS_ATCA_HW_ECDSA_SIGN 303 bool "Enable hardware ECDSA sign acceleration when using ATECC608A" 304 default n 305 help 306 This option enables hardware acceleration for ECDSA sign function, only 307 when using ATECC608A cryptoauth chip (integrated with ESP32-WROOM-32SE) 308 309 config MBEDTLS_ATCA_HW_ECDSA_VERIFY 310 bool "Enable hardware ECDSA verify acceleration when using ATECC608A" 311 default n 312 help 313 This option enables hardware acceleration for ECDSA sign function, only 314 when using ATECC608A cryptoauth chip (integrated with ESP32-WROOM-32SE) 315 316 config MBEDTLS_HAVE_TIME 317 bool "Enable mbedtls time support" 318 depends on !ESP_TIME_FUNCS_USE_NONE 319 default y 320 help 321 Enable use of time.h functions (time() and gmtime()) by mbedTLS. 322 323 This option doesn't require the system time to be correct, but enables 324 functionality that requires relative timekeeping - for example periodic 325 expiry of TLS session tickets or session cache entries. 326 327 Disabling this option will save some firmware size, particularly if 328 the rest of the firmware doesn't call any standard timekeeeping 329 functions. 330 331 config MBEDTLS_HAVE_TIME_DATE 332 bool "Enable mbedtls certificate expiry check" 333 depends on MBEDTLS_HAVE_TIME 334 default n 335 help 336 Enables X.509 certificate expiry checks in mbedTLS. 337 338 If this option is disabled (default) then X.509 certificate 339 "valid from" and "valid to" timestamp fields are ignored. 340 341 If this option is enabled, these fields are compared with the 342 current system date and time. The time is retrieved using the 343 standard time() and gmtime() functions. If the certificate is not 344 valid for the current system time then verification will fail with 345 code MBEDTLS_X509_BADCERT_FUTURE or MBEDTLS_X509_BADCERT_EXPIRED. 346 347 Enabling this option requires adding functionality in the firmware 348 to set the system clock to a valid timestamp before using TLS. The 349 recommended way to do this is via ESP-IDF's SNTP functionality, but 350 any method can be used. 351 352 In the case where only a small number of certificates are trusted by 353 the device, please carefully consider the tradeoffs of enabling this 354 option. There may be undesired consequences, for example if all 355 trusted certificates expire while the device is offline and a TLS 356 connection is required to update. Or if an issue with the SNTP 357 server means that the system time is invalid for an extended period 358 after a reset. 359 360 config MBEDTLS_ECDSA_DETERMINISTIC 361 bool "Enable deterministic ECDSA" 362 default y 363 help 364 Standard ECDSA is "fragile" in the sense that lack of entropy when signing 365 may result in a compromise of the long-term signing key. 366 367 config MBEDTLS_SHA512_C 368 bool "Enable the SHA-384 and SHA-512 cryptographic hash algorithms" 369 default y 370 help 371 Enable MBEDTLS_SHA512_C adds support for SHA-384 and SHA-512. 372 373 choice MBEDTLS_TLS_MODE 374 bool "TLS Protocol Role" 375 default MBEDTLS_TLS_SERVER_AND_CLIENT 376 help 377 mbedTLS can be compiled with protocol support for the TLS 378 server, TLS client, or both server and client. 379 380 Reducing the number of TLS roles supported saves code size. 381 382 config MBEDTLS_TLS_SERVER_AND_CLIENT 383 bool "Server & Client" 384 select MBEDTLS_TLS_SERVER 385 select MBEDTLS_TLS_CLIENT 386 config MBEDTLS_TLS_SERVER_ONLY 387 bool "Server" 388 select MBEDTLS_TLS_SERVER 389 config MBEDTLS_TLS_CLIENT_ONLY 390 bool "Client" 391 select MBEDTLS_TLS_CLIENT 392 config MBEDTLS_TLS_DISABLED 393 bool "None" 394 395 endchoice 396 397 config MBEDTLS_TLS_SERVER 398 bool 399 select MBEDTLS_TLS_ENABLED 400 config MBEDTLS_TLS_CLIENT 401 bool 402 select MBEDTLS_TLS_ENABLED 403 config MBEDTLS_TLS_ENABLED 404 bool 405 406 menu "TLS Key Exchange Methods" 407 depends on MBEDTLS_TLS_ENABLED 408 409 config MBEDTLS_PSK_MODES 410 bool "Enable pre-shared-key ciphersuites" 411 default n 412 help 413 Enable to show configuration for different types of pre-shared-key TLS authentatication methods. 414 415 Leaving this options disabled will save code size if they are not used. 416 417 config MBEDTLS_KEY_EXCHANGE_PSK 418 bool "Enable PSK based ciphersuite modes" 419 depends on MBEDTLS_PSK_MODES 420 default n 421 help 422 Enable to support symmetric key PSK (pre-shared-key) TLS key exchange modes. 423 424 config MBEDTLS_KEY_EXCHANGE_DHE_PSK 425 bool "Enable DHE-PSK based ciphersuite modes" 426 depends on MBEDTLS_PSK_MODES 427 default y 428 help 429 Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes. 430 431 config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK 432 bool "Enable ECDHE-PSK based ciphersuite modes" 433 depends on MBEDTLS_PSK_MODES && MBEDTLS_ECDH_C 434 default y 435 help 436 Enable to support Elliptic-Curve-Diffie-Hellman PSK (pre-shared-key) TLS authentication modes. 437 438 config MBEDTLS_KEY_EXCHANGE_RSA_PSK 439 bool "Enable RSA-PSK based ciphersuite modes" 440 depends on MBEDTLS_PSK_MODES 441 default y 442 help 443 Enable to support RSA PSK (pre-shared-key) TLS authentication modes. 444 445 config MBEDTLS_KEY_EXCHANGE_RSA 446 bool "Enable RSA-only based ciphersuite modes" 447 default y 448 help 449 Enable to support ciphersuites with prefix TLS-RSA-WITH- 450 451 config MBEDTLS_KEY_EXCHANGE_DHE_RSA 452 bool "Enable DHE-RSA based ciphersuite modes" 453 default y 454 help 455 Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH- 456 457 config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE 458 bool "Support Elliptic Curve based ciphersuites" 459 depends on MBEDTLS_ECP_C 460 default y 461 help 462 Enable to show Elliptic Curve based ciphersuite mode options. 463 464 Disabling all Elliptic Curve ciphersuites saves code size and 465 can give slightly faster TLS handshakes, provided the server supports 466 RSA-only ciphersuite modes. 467 468 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA 469 bool "Enable ECDHE-RSA based ciphersuite modes" 470 depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C 471 default y 472 help 473 Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- 474 475 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA 476 bool "Enable ECDHE-ECDSA based ciphersuite modes" 477 depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C 478 default y 479 help 480 Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- 481 482 config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA 483 bool "Enable ECDH-ECDSA based ciphersuite modes" 484 depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C 485 default y 486 help 487 Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- 488 489 config MBEDTLS_KEY_EXCHANGE_ECDH_RSA 490 bool "Enable ECDH-RSA based ciphersuite modes" 491 depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C 492 default y 493 help 494 Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- 495 496 config MBEDTLS_KEY_EXCHANGE_ECJPAKE 497 bool "Enable ECJPAKE based ciphersuite modes" 498 depends on MBEDTLS_ECJPAKE_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED 499 default n 500 help 501 Enable to support ciphersuites with prefix TLS-ECJPAKE-WITH- 502 503 endmenu # TLS key exchange modes 504 505 config MBEDTLS_SSL_RENEGOTIATION 506 bool "Support TLS renegotiation" 507 depends on MBEDTLS_TLS_ENABLED 508 default y 509 help 510 The two main uses of renegotiation are (1) refresh keys on long-lived 511 connections and (2) client authentication after the initial handshake. 512 If you don't need renegotiation, disabling it will save code size and 513 reduce the possibility of abuse/vulnerability. 514 515 config MBEDTLS_SSL_PROTO_SSL3 516 bool "Legacy SSL 3.0 support" 517 depends on MBEDTLS_TLS_ENABLED 518 default n 519 help 520 Support the legacy SSL 3.0 protocol. Most servers will speak a newer 521 TLS protocol these days. 522 523 config MBEDTLS_SSL_PROTO_TLS1 524 bool "Support TLS 1.0 protocol" 525 depends on MBEDTLS_TLS_ENABLED 526 default y 527 528 config MBEDTLS_SSL_PROTO_TLS1_1 529 bool "Support TLS 1.1 protocol" 530 depends on MBEDTLS_TLS_ENABLED 531 default y 532 533 config MBEDTLS_SSL_PROTO_TLS1_2 534 bool "Support TLS 1.2 protocol" 535 depends on MBEDTLS_TLS_ENABLED 536 default y 537 538 config MBEDTLS_SSL_PROTO_DTLS 539 bool "Support DTLS protocol (all versions)" 540 default n 541 depends on MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 542 help 543 Requires TLS 1.1 to be enabled for DTLS 1.0 544 Requires TLS 1.2 to be enabled for DTLS 1.2 545 546 config MBEDTLS_SSL_ALPN 547 bool "Support ALPN (Application Layer Protocol Negotiation)" 548 depends on MBEDTLS_TLS_ENABLED 549 default y 550 help 551 Disabling this option will save some code size if it is not needed. 552 553 config MBEDTLS_CLIENT_SSL_SESSION_TICKETS 554 bool "TLS: Client Support for RFC 5077 SSL session tickets" 555 default y 556 depends on MBEDTLS_TLS_ENABLED 557 help 558 Client support for RFC 5077 session tickets. See mbedTLS documentation for more details. 559 Disabling this option will save some code size. 560 561 config MBEDTLS_SERVER_SSL_SESSION_TICKETS 562 bool "TLS: Server Support for RFC 5077 SSL session tickets" 563 default y 564 depends on MBEDTLS_TLS_ENABLED 565 help 566 Server support for RFC 5077 session tickets. See mbedTLS documentation for more details. 567 Disabling this option will save some code size. 568 569 menu "Symmetric Ciphers" 570 571 config MBEDTLS_AES_C 572 bool "AES block cipher" 573 default y 574 575 config MBEDTLS_CAMELLIA_C 576 bool "Camellia block cipher" 577 default n 578 579 config MBEDTLS_DES_C 580 bool "DES block cipher (legacy, insecure)" 581 default n 582 help 583 Enables the DES block cipher to support 3DES-based TLS ciphersuites. 584 585 3DES is vulnerable to the Sweet32 attack and should only be enabled 586 if absolutely necessary. 587 588 choice MBEDTLS_RC4_MODE 589 prompt "RC4 Stream Cipher (legacy, insecure)" 590 default MBEDTLS_RC4_DISABLED 591 help 592 ARCFOUR (RC4) stream cipher can be disabled entirely, enabled but not 593 added to default ciphersuites, or enabled completely. 594 595 Please consider the security implications before enabling RC4. 596 597 config MBEDTLS_RC4_DISABLED 598 bool "Disabled" 599 config MBEDTLS_RC4_ENABLED_NO_DEFAULT 600 bool "Enabled, not in default ciphersuites" 601 config MBEDTLS_RC4_ENABLED 602 bool "Enabled" 603 endchoice 604 605 config MBEDTLS_BLOWFISH_C 606 bool "Blowfish block cipher (read help)" 607 default n 608 help 609 Enables the Blowfish block cipher (not used for TLS sessions.) 610 611 The Blowfish cipher is not used for mbedTLS TLS sessions but can be 612 used for other purposes. Read up on the limitations of Blowfish (including 613 Sweet32) before enabling. 614 615 config MBEDTLS_XTEA_C 616 bool "XTEA block cipher" 617 default n 618 help 619 Enables the XTEA block cipher. 620 621 622 config MBEDTLS_CCM_C 623 bool "CCM (Counter with CBC-MAC) block cipher modes" 624 default y 625 depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C 626 help 627 Enable Counter with CBC-MAC (CCM) modes for AES and/or Camellia ciphers. 628 629 Disabling this option saves some code size. 630 631 config MBEDTLS_GCM_C 632 bool "GCM (Galois/Counter) block cipher modes" 633 default y 634 depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C 635 help 636 Enable Galois/Counter Mode for AES and/or Camellia ciphers. 637 638 This option is generally faster than CCM. 639 640 endmenu # Symmetric Ciphers 641 642 config MBEDTLS_RIPEMD160_C 643 bool "Enable RIPEMD-160 hash algorithm" 644 default n 645 help 646 Enable the RIPEMD-160 hash algorithm. 647 648 menu "Certificates" 649 650 config MBEDTLS_PEM_PARSE_C 651 bool "Read & Parse PEM formatted certificates" 652 default y 653 help 654 Enable decoding/parsing of PEM formatted certificates. 655 656 If your certificates are all in the simpler DER format, disabling 657 this option will save some code size. 658 659 config MBEDTLS_PEM_WRITE_C 660 bool "Write PEM formatted certificates" 661 default y 662 help 663 Enable writing of PEM formatted certificates. 664 665 If writing certificate data only in DER format, disabling this 666 option will save some code size. 667 668 config MBEDTLS_X509_CRL_PARSE_C 669 bool "X.509 CRL parsing" 670 default y 671 help 672 Support for parsing X.509 Certifificate Revocation Lists. 673 674 config MBEDTLS_X509_CSR_PARSE_C 675 bool "X.509 CSR parsing" 676 default y 677 help 678 Support for parsing X.509 Certifificate Signing Requests 679 680 endmenu # Certificates 681 682 menuconfig MBEDTLS_ECP_C 683 bool "Elliptic Curve Ciphers" 684 default y 685 686 config MBEDTLS_ECDH_C 687 bool "Elliptic Curve Diffie-Hellman (ECDH)" 688 depends on MBEDTLS_ECP_C 689 default y 690 help 691 Enable ECDH. Needed to use ECDHE-xxx TLS ciphersuites. 692 693 config MBEDTLS_ECDSA_C 694 bool "Elliptic Curve DSA" 695 depends on MBEDTLS_ECDH_C 696 default y 697 help 698 Enable ECDSA. Needed to use ECDSA-xxx TLS ciphersuites. 699 700 config MBEDTLS_ECJPAKE_C 701 bool "Elliptic curve J-PAKE" 702 depends on MBEDTLS_ECP_C 703 default n 704 help 705 Enable ECJPAKE. Needed to use ECJPAKE-xxx TLS ciphersuites. 706 707 config MBEDTLS_ECP_DP_SECP192R1_ENABLED 708 bool "Enable SECP192R1 curve" 709 depends on MBEDTLS_ECP_C 710 default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) 711 help 712 Enable support for SECP192R1 Elliptic Curve. 713 714 config MBEDTLS_ECP_DP_SECP224R1_ENABLED 715 bool "Enable SECP224R1 curve" 716 depends on MBEDTLS_ECP_C 717 default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) 718 help 719 Enable support for SECP224R1 Elliptic Curve. 720 721 config MBEDTLS_ECP_DP_SECP256R1_ENABLED 722 bool "Enable SECP256R1 curve" 723 depends on MBEDTLS_ECP_C 724 default y 725 help 726 Enable support for SECP256R1 Elliptic Curve. 727 728 config MBEDTLS_ECP_DP_SECP384R1_ENABLED 729 bool "Enable SECP384R1 curve" 730 depends on MBEDTLS_ECP_C 731 default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) 732 help 733 Enable support for SECP384R1 Elliptic Curve. 734 735 config MBEDTLS_ECP_DP_SECP521R1_ENABLED 736 bool "Enable SECP521R1 curve" 737 depends on MBEDTLS_ECP_C 738 default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) 739 help 740 Enable support for SECP521R1 Elliptic Curve. 741 742 config MBEDTLS_ECP_DP_SECP192K1_ENABLED 743 bool "Enable SECP192K1 curve" 744 depends on MBEDTLS_ECP_C 745 default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) 746 help 747 Enable support for SECP192K1 Elliptic Curve. 748 749 config MBEDTLS_ECP_DP_SECP224K1_ENABLED 750 bool "Enable SECP224K1 curve" 751 depends on MBEDTLS_ECP_C 752 default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) 753 help 754 Enable support for SECP224K1 Elliptic Curve. 755 756 config MBEDTLS_ECP_DP_SECP256K1_ENABLED 757 bool "Enable SECP256K1 curve" 758 depends on MBEDTLS_ECP_C 759 default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) 760 help 761 Enable support for SECP256K1 Elliptic Curve. 762 763 config MBEDTLS_ECP_DP_BP256R1_ENABLED 764 bool "Enable BP256R1 curve" 765 depends on MBEDTLS_ECP_C 766 default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) 767 help 768 support for DP Elliptic Curve. 769 770 config MBEDTLS_ECP_DP_BP384R1_ENABLED 771 bool "Enable BP384R1 curve" 772 depends on MBEDTLS_ECP_C 773 default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) 774 help 775 support for DP Elliptic Curve. 776 777 config MBEDTLS_ECP_DP_BP512R1_ENABLED 778 bool "Enable BP512R1 curve" 779 depends on MBEDTLS_ECP_C 780 default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) 781 help 782 support for DP Elliptic Curve. 783 784 config MBEDTLS_ECP_DP_CURVE25519_ENABLED 785 bool "Enable CURVE25519 curve" 786 depends on MBEDTLS_ECP_C 787 default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) 788 help 789 Enable support for CURVE25519 Elliptic Curve. 790 791 config MBEDTLS_ECP_NIST_OPTIM 792 bool "NIST 'modulo p' optimisations" 793 depends on MBEDTLS_ECP_C 794 default y 795 help 796 NIST 'modulo p' optimisations increase Elliptic Curve operation performance. 797 798 Disabling this option saves some code size. 799 800 # end of Elliptic Curve options 801 802 config MBEDTLS_POLY1305_C 803 bool "Poly1305 MAC algorithm" 804 default n 805 help 806 Enable support for Poly1305 MAC algorithm. 807 808 config MBEDTLS_CHACHA20_C 809 bool "Chacha20 stream cipher" 810 default n 811 help 812 Enable support for Chacha20 stream cipher. 813 814 config MBEDTLS_CHACHAPOLY_C 815 bool "ChaCha20-Poly1305 AEAD algorithm" 816 default n 817 depends on MBEDTLS_CHACHA20_C && MBEDTLS_POLY1305_C 818 help 819 Enable support for ChaCha20-Poly1305 AEAD algorithm. 820 821 config MBEDTLS_HKDF_C 822 bool "HKDF algorithm (RFC 5869)" 823 default n 824 help 825 Enable support for the Hashed Message Authentication Code 826 (HMAC)-based key derivation function (HKDF). 827 828 config MBEDTLS_THREADING_C 829 bool "Enable the threading abstraction layer" 830 default n 831 help 832 If you do intend to use contexts between threads, you will need to enable 833 this layer to prevent race conditions. 834 835 config MBEDTLS_THREADING_ALT 836 bool "Enable threading alternate implementation" 837 depends on MBEDTLS_THREADING_C 838 default y 839 help 840 Enable threading alt to allow your own alternate threading implementation. 841 842 config MBEDTLS_THREADING_PTHREAD 843 bool "Enable threading pthread implementation" 844 depends on MBEDTLS_THREADING_C 845 default n 846 help 847 Enable the pthread wrapper layer for the threading layer. 848 849 config MBEDTLS_LARGE_KEY_SOFTWARE_MPI 850 bool "Fallback to software implementation for larger MPI values" 851 depends on MBEDTLS_HARDWARE_MPI 852 default y if IDF_TARGET_ESP32C3 # HW max 3072 bits 853 default n 854 help 855 Fallback to software implementation for RSA key lengths 856 larger than SOC_RSA_MAX_BIT_LEN. If this is not active 857 then the ESP will be unable to process keys greater 858 than SOC_RSA_MAX_BIT_LEN. 859 860 menuconfig MBEDTLS_SECURITY_RISKS 861 bool "Show configurations with potential security risks" 862 default n 863 864 config MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT 865 bool "X.509 CRT parsing with unsupported critical extensions" 866 depends on MBEDTLS_SECURITY_RISKS 867 default n 868 help 869 Allow the X.509 certificate parser to load certificates 870 with unsupported critical extensions 871 872endmenu # mbedTLS 873
