dfe9a91da2
Before mbedTLS 3.0 there was just SHA512 option, which enabled both SHA384 and SHA512 support. mbedTLS 3.0 introduced SHA384 specific option, which means that SHA384 got unsupported after merging commit4e6cfb67f9("modules: mbedTLS: Bump mbedTLS to 3.0"). Introduce SHA384 Kconfig options, so that support for it can be selected in project configuration if needed. Since SHA384 still depends on SHA512 to be selected, add such dependency in Kconfig. Select SHA384 support in non-generic (not configured by Kconfig) mbedTLS config headers, so that previous (before mbedTLS 3.0 was merged) behavior is regained. Fixes:4e6cfb67f9("modules: mbedTLS: Bump mbedTLS to 3.0") Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
434 lines
12 KiB
Plaintext
434 lines
12 KiB
Plaintext
# TLS/DTLS related options
|
|
|
|
# Copyright (c) 2018 Intel Corporation
|
|
# Copyright (c) 2018 Nordic Semiconductor ASA
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
menu "TLS configuration"
|
|
depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"
|
|
|
|
menu "Supported TLS version"
|
|
|
|
config MBEDTLS_TLS_VERSION_1_0
|
|
bool "Support for TLS 1.0"
|
|
select MBEDTLS_CIPHER
|
|
select MBEDTLS_MAC_MD5_ENABLED
|
|
select MBEDTLS_MAC_SHA1_ENABLED
|
|
select MBEDTLS_MD
|
|
|
|
config MBEDTLS_TLS_VERSION_1_1
|
|
bool "Support for TLS 1.1 (DTLS 1.0)"
|
|
select MBEDTLS_CIPHER
|
|
select MBEDTLS_MAC_MD5_ENABLED
|
|
select MBEDTLS_MAC_SHA1_ENABLED
|
|
select MBEDTLS_MD
|
|
|
|
config MBEDTLS_TLS_VERSION_1_2
|
|
bool "Support for TLS 1.2 (DTLS 1.2)"
|
|
default y if !NET_L2_OPENTHREAD
|
|
select MBEDTLS_CIPHER
|
|
select MBEDTLS_MD
|
|
|
|
config MBEDTLS_DTLS
|
|
bool "Support for DTLS"
|
|
depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
|
|
|
|
config MBEDTLS_SSL_EXPORT_KEYS
|
|
bool "Support for exporting SSL key block and master secret"
|
|
depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
|
|
|
|
config MBEDTLS_SSL_ALPN
|
|
bool "Support for setting the supported Application Layer Protocols"
|
|
depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
|
|
|
|
endmenu
|
|
|
|
menu "Ciphersuite configuration"
|
|
|
|
comment "Supported key exchange modes"
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
|
|
bool "All available ciphersuite modes"
|
|
select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
|
select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
|
bool "PSK based ciphersuite modes"
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
|
|
bool "DHE-PSK based ciphersuite modes"
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
|
bool "ECDHE-PSK based ciphersuite modes"
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
|
bool "RSA-PSK based ciphersuite modes"
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
|
|
bool
|
|
default y if MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || \
|
|
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || \
|
|
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
|
|
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
|
|
|
config MBEDTLS_PSK_MAX_LEN
|
|
int "Max size of TLS pre-shared keys"
|
|
default 32
|
|
depends on MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
|
|
help
|
|
Max size of TLS pre-shared keys, in bytes.
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
|
bool "RSA-only based ciphersuite modes"
|
|
default y if !NET_L2_OPENTHREAD
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
|
|
bool "DHE-RSA based ciphersuite modes"
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
|
bool "ECDHE-RSA based ciphersuite modes"
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
|
bool "ECDHE-ECDSA based ciphersuite modes"
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
|
|
bool "ECDH-ECDSA based ciphersuite modes"
|
|
|
|
config MBEDTLS_ECDSA_DETERMINISTIC
|
|
bool "Deterministic ECDSA (RFC 6979)"
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
|
bool "ECDH-RSA based ciphersuite modes"
|
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
|
|
bool "ECJPAKE based ciphersuite modes"
|
|
|
|
if MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
|
|
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
|
|
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || \
|
|
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || \
|
|
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \
|
|
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
|
|
|
|
comment "Supported elliptic curves"
|
|
|
|
config MBEDTLS_ECP_ALL_ENABLED
|
|
bool "All available elliptic curves"
|
|
select MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
|
select MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
|
select MBEDTLS_ECP_DP_SECP224R1_ENABLED
|
|
select MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
|
select MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
|
select MBEDTLS_ECP_DP_SECP521R1_ENABLED
|
|
select MBEDTLS_ECP_DP_SECP192K1_ENABLED
|
|
select MBEDTLS_ECP_DP_SECP224K1_ENABLED
|
|
select MBEDTLS_ECP_DP_SECP256K1_ENABLED
|
|
select MBEDTLS_ECP_DP_BP256R1_ENABLED
|
|
select MBEDTLS_ECP_DP_BP384R1_ENABLED
|
|
select MBEDTLS_ECP_DP_BP512R1_ENABLED
|
|
select MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
|
select MBEDTLS_ECP_DP_CURVE448_ENABLED
|
|
select MBEDTLS_ECP_NIST_OPTIM
|
|
|
|
config MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
|
bool "SECP192R1 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_SECP224R1_ENABLED
|
|
bool "SECP224R1 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
|
bool "SECP256R1 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
|
bool "SECP384R1 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_SECP521R1_ENABLED
|
|
bool "SECP521R1 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_SECP192K1_ENABLED
|
|
bool "SECP192K1 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_SECP224K1_ENABLED
|
|
bool "SECP224K1 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_SECP256K1_ENABLED
|
|
bool "SECP256K1 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_BP256R1_ENABLED
|
|
bool "BP256R1 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_BP384R1_ENABLED
|
|
bool "BP384R1 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_BP512R1_ENABLED
|
|
bool "BP512R1 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
|
bool "CURVE25519 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_DP_CURVE448_ENABLED
|
|
bool "CURVE448 elliptic curve"
|
|
|
|
config MBEDTLS_ECP_NIST_OPTIM
|
|
bool "NSIT curves optimization"
|
|
|
|
endif
|
|
|
|
comment "Supported hash"
|
|
|
|
config MBEDTLS_HASH_ALL_ENABLED
|
|
bool "All available hashes"
|
|
select MBEDTLS_HASH_SHA256_ENABLED
|
|
select MBEDTLS_HASH_SHA384_ENABLED
|
|
select MBEDTLS_HASH_SHA512_ENABLED
|
|
|
|
config MBEDTLS_HASH_SHA256_ENABLED
|
|
bool "SHA256 hash"
|
|
default y if !NET_L2_OPENTHREAD
|
|
|
|
config MBEDTLS_HASH_SHA384_ENABLED
|
|
bool "SHA384 hash"
|
|
default y if !NET_L2_OPENTHREAD
|
|
select MBEDTLS_HASH_SHA512_ENABLED
|
|
|
|
config MBEDTLS_HASH_SHA512_ENABLED
|
|
bool "SHA512 hash"
|
|
default y if !NET_L2_OPENTHREAD
|
|
|
|
comment "Supported cipher modes"
|
|
|
|
config MBEDTLS_CIPHER_ALL_ENABLED
|
|
bool "All available ciphers"
|
|
select MBEDTLS_CIPHER_AES_ENABLED
|
|
select MBEDTLS_CIPHER_CAMELLIA_ENABLED
|
|
select MBEDTLS_CIPHER_DES_ENABLED
|
|
select MBEDTLS_CIPHER_ARC4_ENABLED
|
|
select MBEDTLS_CIPHER_CHACHA20_ENABLED
|
|
select MBEDTLS_CIPHER_BLOWFISH_ENABLED
|
|
select MBEDTLS_CIPHER_CCM_ENABLED
|
|
select MBEDTLS_CIPHER_GCM_ENABLED
|
|
select MBEDTLS_CIPHER_MODE_XTS_ENABLED
|
|
select MBEDTLS_CIPHER_MODE_CBC_ENABLED
|
|
select MBEDTLS_CIPHER_MODE_CTR_ENABLED
|
|
select MBEDTLS_CHACHAPOLY_AEAD_ENABLED
|
|
|
|
config MBEDTLS_CIPHER_AES_ENABLED
|
|
bool "AES block cipher"
|
|
default y
|
|
|
|
config MBEDTLS_AES_ROM_TABLES
|
|
depends on MBEDTLS_CIPHER_AES_ENABLED
|
|
bool "Use precomputed AES tables stored in ROM."
|
|
default y
|
|
|
|
config MBEDTLS_CIPHER_CAMELLIA_ENABLED
|
|
bool "Camellia block cipher"
|
|
|
|
config MBEDTLS_CIPHER_DES_ENABLED
|
|
bool "DES block cipher"
|
|
default y if !NET_L2_OPENTHREAD
|
|
|
|
config MBEDTLS_CIPHER_ARC4_ENABLED
|
|
bool "ARC4 stream cipher"
|
|
|
|
config MBEDTLS_CIPHER_CHACHA20_ENABLED
|
|
bool "ChaCha20 stream cipher"
|
|
|
|
config MBEDTLS_CIPHER_BLOWFISH_ENABLED
|
|
bool "Blowfish block cipher"
|
|
|
|
config MBEDTLS_CIPHER_CCM_ENABLED
|
|
bool "Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
|
|
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
|
|
|
|
config MBEDTLS_CIPHER_GCM_ENABLED
|
|
bool "Galois/Counter Mode (GCM) for AES"
|
|
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
|
|
|
|
config MBEDTLS_CIPHER_MODE_XTS_ENABLED
|
|
bool "Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
|
|
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
|
|
|
|
config MBEDTLS_CIPHER_MODE_CBC_ENABLED
|
|
bool "Cipher Block Chaining mode (CBC) for symmetric ciphers"
|
|
default y if !NET_L2_OPENTHREAD
|
|
|
|
config MBEDTLS_CIPHER_MODE_CTR_ENABLED
|
|
bool "Counter Block Cipher mode (CTR) for symmetric ciphers."
|
|
|
|
config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
|
|
bool "ChaCha20-Poly1305 AEAD algorithm"
|
|
depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED
|
|
|
|
comment "Supported message authentication methods"
|
|
|
|
config MBEDTLS_MAC_ALL_ENABLED
|
|
bool "All available MAC methods"
|
|
select MBEDTLS_MAC_MD4_ENABLED
|
|
select MBEDTLS_MAC_MD5_ENABLED
|
|
select MBEDTLS_MAC_SHA1_ENABLED
|
|
select MBEDTLS_MAC_SHA256_ENABLED
|
|
select MBEDTLS_MAC_SHA384_ENABLED
|
|
select MBEDTLS_MAC_SHA512_ENABLED
|
|
select MBEDTLS_MAC_POLY1305_ENABLED
|
|
select MBEDTLS_MAC_CMAC_ENABLED
|
|
|
|
config MBEDTLS_MAC_MD4_ENABLED
|
|
bool "MD4 hash algorithm"
|
|
|
|
config MBEDTLS_MAC_MD5_ENABLED
|
|
bool "MD5 hash algorithm"
|
|
default y if !NET_L2_OPENTHREAD
|
|
|
|
config MBEDTLS_MAC_SHA1_ENABLED
|
|
bool "SHA1 hash algorithm"
|
|
default y if !NET_L2_OPENTHREAD
|
|
|
|
config MBEDTLS_MAC_SHA256_ENABLED
|
|
bool "SHA-224 and SHA-256 hash algorithms"
|
|
default y
|
|
|
|
config MBEDTLS_SHA256_SMALLER
|
|
bool "Smaller SHA-256 implementation"
|
|
depends on MBEDTLS_MAC_SHA256_ENABLED
|
|
default y
|
|
help
|
|
Enable an implementation of SHA-256 that has lower ROM footprint but also
|
|
lower performance
|
|
|
|
config MBEDTLS_MAC_SHA384_ENABLED
|
|
bool "SHA-384 hash algorithm"
|
|
select MBEDTLS_MAC_SHA512_ENABLED
|
|
|
|
config MBEDTLS_MAC_SHA512_ENABLED
|
|
bool "SHA-512 hash algorithm"
|
|
|
|
config MBEDTLS_MAC_POLY1305_ENABLED
|
|
bool "Poly1305 MAC algorithm"
|
|
|
|
config MBEDTLS_MAC_CMAC_ENABLED
|
|
bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
|
|
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
|
|
|
|
endmenu
|
|
|
|
comment "Random number generators"
|
|
|
|
config MBEDTLS_CTR_DRBG_ENABLED
|
|
bool "CTR_DRBG AES-256-based random generator"
|
|
depends on MBEDTLS_CIPHER_AES_ENABLED
|
|
default y
|
|
|
|
config MBEDTLS_HMAC_DRBG_ENABLED
|
|
bool "HMAC_DRBG random generator"
|
|
select MBEDTLS_MD
|
|
|
|
comment "Other configurations"
|
|
|
|
config MBEDTLS_CIPHER
|
|
bool "generic cipher layer."
|
|
|
|
config MBEDTLS_MD
|
|
bool "generic message digest layer."
|
|
|
|
config MBEDTLS_GENPRIME_ENABLED
|
|
bool "prime-number generation code."
|
|
|
|
config MBEDTLS_PEM_CERTIFICATE_FORMAT
|
|
bool "Support for PEM certificate format"
|
|
help
|
|
By default only DER (binary) format of certificates is supported. Enable
|
|
this option to enable support for PEM format.
|
|
|
|
config MBEDTLS_HAVE_ASM
|
|
bool "Use of assembly code"
|
|
default y if !ARM
|
|
help
|
|
Enable use of assembly code in mbedTLS. This improves the performances
|
|
of asymmetric cryptography, however this might have an impact on the
|
|
code size.
|
|
|
|
config MBEDTLS_ENTROPY_ENABLED
|
|
bool "MbedTLS generic entropy pool"
|
|
depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA384_ENABLED || MBEDTLS_MAC_SHA512_ENABLED
|
|
|
|
config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
|
|
bool "MbedTLS optimizations for OpenThread"
|
|
depends on NET_L2_OPENTHREAD
|
|
default y if !NET_SOCKETS_SOCKOPT_TLS
|
|
help
|
|
Enable some OpenThread specific mbedTLS optimizations that allows to
|
|
save some RAM/ROM when OpenThread is used. Note, that when application
|
|
aims to use other mbedTLS services on top of OpenThread (e.g. secure
|
|
sockets), it's advised to disable this option.
|
|
|
|
config MBEDTLS_USER_CONFIG_ENABLE
|
|
bool "User mbedTLS config file"
|
|
help
|
|
Enable user mbedTLS config file that will be included at the end of
|
|
the generic config file.
|
|
|
|
config MBEDTLS_USER_CONFIG_FILE
|
|
string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE
|
|
help
|
|
User config file that can contain mbedTLS configs that were not
|
|
covered by the generic config file.
|
|
|
|
config MBEDTLS_SERVER_NAME_INDICATION
|
|
bool "Support for RFC 6066 server name indication (SNI) in SSL"
|
|
help
|
|
Enable this to support RFC 6066 server name indication (SNI) in SSL.
|
|
This requires that MBEDTLS_X509_CRT_PARSE_C is also set.
|
|
|
|
config MBEDTLS_PK_WRITE_C
|
|
bool "The generic public (asymmetric) key writer"
|
|
help
|
|
Enable generic public key write functions.
|
|
|
|
config MBEDTLS_HAVE_TIME_DATE
|
|
bool "Date/time validation in mbed TLS"
|
|
help
|
|
System has time.h, time(), and an implementation for gmtime_r().
|
|
There also need to be a valid time source in the system, as mbedTLS
|
|
expects a valid date/time for certificate validation."
|
|
|
|
config MBEDTLS_PKCS5_C
|
|
bool "Password-based encryption functions"
|
|
select MBEDTLS_MD
|
|
help
|
|
Enable PKCS5 functions
|
|
|
|
config MBEDTLS_SSL_CACHE_C
|
|
bool "SSL session cache support"
|
|
help
|
|
"This option enables simple SSL cache implementation (server side)."
|
|
|
|
config MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
|
|
int "Default timeout for SSL cache entires"
|
|
depends on MBEDTLS_SSL_CACHE_C
|
|
default 86400
|
|
|
|
config MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
|
|
int "Maximum number of SSL cache entires"
|
|
depends on MBEDTLS_SSL_CACHE_C
|
|
default 5
|
|
|
|
config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
|
|
bool "(D)TLS Extended Master Secret extension"
|
|
depends on MBEDTLS_TLS_VERSION_1_2
|
|
help
|
|
Enable support for the (D)TLS Extended Master Secret extension
|
|
which ensures that master secrets are different for every
|
|
connection and every session.
|
|
|
|
endmenu
|