# TLS/DTLS related options
# Copyright (c) 2018 Intel Corporation
# Copyright (c) 2018 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0
menu "TLS configuration"
depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"
menu "Supported TLS version"
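config MBEDTLS_TLS_VERSION_1_0
	bool "Enable support for TLS 1.0"
	select MBEDTLS_CIPHER
	select MBEDTLS_MAC_MD5_ENABLED
	select MBEDTLS_MAC_SHA1_ENABLED
	select MBEDTLS_MD
	help
	  TLS 1.0 is deprecated (RFC 8996). Its PRF is built on MD5 and SHA-1,
	  which is why both hashes are selected here. Leave this disabled unless
	  a legacy peer cannot do better; enabling it widens the set of protocol
	  versions a peer can negotiate with this device.

config MBEDTLS_TLS_VERSION_1_1
	bool "Enable support for TLS 1.1 (DTLS 1.0)"
	select MBEDTLS_CIPHER
	select MBEDTLS_MAC_MD5_ENABLED
	select MBEDTLS_MAC_SHA1_ENABLED
	select MBEDTLS_MD
	help
	  TLS 1.1 (and DTLS 1.0, which is derived from it) is deprecated
	  (RFC 8996) and has the same MD5/SHA-1 PRF dependency as TLS 1.0.
	  Only needed for legacy peers; prefer TLS/DTLS 1.2.

config MBEDTLS_TLS_VERSION_1_2
	bool "Enable support for TLS 1.2 (DTLS 1.2)"
	default y if !NET_L2_OPENTHREAD
	select MBEDTLS_CIPHER
	select MBEDTLS_MD
	help
	  The protocol version to use. TLS 1.2 takes its PRF hash from the
	  negotiated ciphersuite, so it does not pull in MD5/SHA-1; the common
	  suites use SHA-256, which is enabled by default. Not enabled by
	  default for OpenThread builds.

config MBEDTLS_DTLS
	bool "Enable support for DTLS"
	depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
	help
	  Datagram TLS (over UDP). The DTLS version follows the TLS version
	  enabled above: DTLS 1.0 pairs with TLS 1.1, DTLS 1.2 with TLS 1.2.

config MBEDTLS_SSL_EXPORT_KEYS
	bool "Enable support for exporting SSL key block and master secret"
	depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
	help
	  Lets the application register a callback that receives the master
	  secret and key block of each handshake. Anyone holding that material
	  can decrypt the session, so enable this only when a protocol genuinely
	  needs keys derived from the TLS session (EAP-TLS style key export) or
	  in debugging builds, and keep the exported material out of logs and
	  persistent storage.

config MBEDTLS_SSL_ALPN
	bool "Enable support for setting the supported Application Layer Protocols"
	depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
	help
	  Application-Layer Protocol Negotiation (RFC 7301): the application
	  supplies the list of protocols it is willing to speak and the
	  selected one is agreed during the handshake.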
endmenu
menu "Ciphersuite configuration"
comment "Supported key exchange modes"
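config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
	bool "Enable all available ciphersuite modes"
	select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
	select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
	help
	  Convenience switch for test builds. It also turns on the modes without
	  forward secrecy (PSK, RSA-PSK, RSA, ECDH-ECDSA, ECDH-RSA); production
	  images should select only the modes their peers actually need.

config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
	bool "Enable the PSK based ciphersuite modes"
	help
	  Pre-shared key only, no public-key operations. There is no forward
	  secrecy: whoever learns the PSK can decrypt recorded sessions, so the
	  key must be long, random and kept in protected storage.

config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
	bool "Enable the DHE-PSK based ciphersuite modes"
	help
	  PSK authentication combined with an ephemeral finite-field
	  Diffie-Hellman exchange: forward secrecy, at the cost of large
	  modular exponentiations.

config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
	bool "Enable the ECDHE-PSK based ciphersuite modes"
	help
	  PSK authentication combined with an ephemeral elliptic-curve
	  exchange: forward secrecy, and far cheaper than DHE-PSK on
	  constrained devices.

config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
	bool "Enable the RSA-PSK based ciphersuite modes"
	help
	  PSK combined with an RSA-encrypted premaster secret. No forward
	  secrecy; rarely needed in practice.

config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
	bool "Enable the RSA-only based ciphersuite modes"
	default y if !NET_L2_OPENTHREAD
	help
	  Static RSA key transport: the client encrypts the premaster secret to
	  the server's RSA key. No forward secrecy, so a later compromise of the
	  server key decrypts every recorded session. Enabled by default for
	  compatibility; prefer the ECDHE modes whenever the peer supports them.

config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
	bool "Enable the DHE-RSA based ciphersuite modes"
	help
	  RSA-signed ephemeral finite-field Diffie-Hellman. Forward secrecy,
	  but slow on MCUs, and the DH group size is chosen by the server.

config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
	bool "Enable the ECDHE-RSA based ciphersuite modes"
	help
	  RSA-signed ephemeral ECDH. Forward secrecy with an RSA certificate;
	  a good default when talking to servers that hold RSA certificates.

config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
	bool "Enable the ECDHE-ECDSA based ciphersuite modes"
	help
	  ECDSA-signed ephemeral ECDH. Forward secrecy with small keys and
	  certificates; the usual choice for constrained devices. Consider
	  MBEDTLS_ECDSA_DETERMINISTIC when this is enabled.

config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
	bool "Enable the ECDH-ECDSA based ciphersuite modes"
	help
	  Static ECDH using the server's certified ECDH key. No forward
	  secrecy; mostly for legacy interoperability.

config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
	bool "Enable the ECDH-RSA based ciphersuite modes"
	help
	  Static ECDH with an RSA-signed certificate. No forward secrecy.

config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
	bool "Enable the ECJPAKE based ciphersuite modes"
	help
	  Password-authenticated key exchange (EC-JPAKE), as used for Thread
	  commissioning. Security rests on the shared password, so it needs
	  enough entropy to resist online guessing.

config MBEDTLS_ECDSA_DETERMINISTIC
	bool "Enable deterministic ECDSA (RFC 6979)"
	# mbedTLS derives the RFC 6979 nonce with HMAC_DRBG, and its
	# check_config.h rejects ECDSA_DETERMINISTIC without HMAC_DRBG_C.
	select MBEDTLS_HMAC_DRBG_ENABLED
	help
	  Derive the ECDSA per-signature nonce deterministically from the
	  private key and message (RFC 6979) instead of from the RNG. A biased
	  or repeated nonce leaks the private key, so this removes the signing
	  path's dependence on RNG quality. Recommended whenever ECDSA is used
	  on a device without a trusted entropy source.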
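if MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
   MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
   MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || \
   MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || \
   MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \
   MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED

comment "Supported elliptic curves"

config MBEDTLS_ECP_ALL_ENABLED
	bool "Enable all available elliptic curves"
	# One select per curve (SECP192R1 used to be listed twice).
	select MBEDTLS_ECP_DP_SECP192R1_ENABLED
	select MBEDTLS_ECP_DP_SECP224R1_ENABLED
	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
	select MBEDTLS_ECP_DP_SECP384R1_ENABLED
	select MBEDTLS_ECP_DP_SECP521R1_ENABLED
	select MBEDTLS_ECP_DP_SECP192K1_ENABLED
	select MBEDTLS_ECP_DP_SECP224K1_ENABLED
	select MBEDTLS_ECP_DP_SECP256K1_ENABLED
	select MBEDTLS_ECP_DP_BP256R1_ENABLED
	select MBEDTLS_ECP_DP_BP384R1_ENABLED
	select MBEDTLS_ECP_DP_BP512R1_ENABLED
	select MBEDTLS_ECP_DP_CURVE25519_ENABLED
	select MBEDTLS_ECP_DP_CURVE448_ENABLED
	select MBEDTLS_ECP_NIST_OPTIM
	help
	  Test/convenience switch. It includes curves below the 128-bit
	  security level (SECP192R1, SECP192K1, SECP224R1, SECP224K1).
	  Production builds should enable only the curves their peers need;
	  that also keeps the handshake's supported-groups list short.

config MBEDTLS_ECP_DP_SECP192R1_ENABLED
	bool "Enable SECP192R1 elliptic curve"
	help
	  NIST P-192: roughly 96 bits of security, below today's minimum
	  recommendations. Legacy interoperability only.

config MBEDTLS_ECP_DP_SECP224R1_ENABLED
	bool "Enable SECP224R1 elliptic curve"
	help
	  NIST P-224: roughly 112 bits of security. Acceptable floor; prefer
	  P-256.

config MBEDTLS_ECP_DP_SECP256R1_ENABLED
	bool "Enable SECP256R1 elliptic curve"
	help
	  NIST P-256: roughly 128 bits of security and supported by virtually
	  every TLS peer. The sensible default curve.

config MBEDTLS_ECP_DP_SECP384R1_ENABLED
	bool "Enable SECP384R1 elliptic curve"
	help
	  NIST P-384: roughly 192 bits of security; slower, used where policy
	  requires it.

config MBEDTLS_ECP_DP_SECP521R1_ENABLED
	bool "Enable SECP521R1 elliptic curve"
	help
	  NIST P-521: the largest and slowest of the NIST curves.

config MBEDTLS_ECP_DP_SECP192K1_ENABLED
	bool "Enable SECP192K1 elliptic curve"
	help
	  192-bit Koblitz curve: roughly 96 bits of security and uncommon in
	  TLS. Legacy only.

config MBEDTLS_ECP_DP_SECP224K1_ENABLED
	bool "Enable SECP224K1 elliptic curve"
	help
	  224-bit Koblitz curve: roughly 112 bits of security, uncommon in TLS.

config MBEDTLS_ECP_DP_SECP256K1_ENABLED
	bool "Enable SECP256K1 elliptic curve"
	help
	  256-bit Koblitz curve, best known from cryptocurrency use. Rarely
	  negotiated by TLS peers; prefer SECP256R1 for TLS.

config MBEDTLS_ECP_DP_BP256R1_ENABLED
	bool "Enable BP256R1 elliptic curve"
	help
	  Brainpool P-256 (RFC 5639); usable in TLS per RFC 7027. Mostly seen
	  in regulatory profiles that mandate Brainpool curves.

config MBEDTLS_ECP_DP_BP384R1_ENABLED
	bool "Enable BP384R1 elliptic curve"
	help
	  Brainpool P-384 (RFC 5639); usable in TLS per RFC 7027.

config MBEDTLS_ECP_DP_BP512R1_ENABLED
	bool "Enable BP512R1 elliptic curve"
	help
	  Brainpool P-512 (RFC 5639); usable in TLS per RFC 7027.

config MBEDTLS_ECP_DP_CURVE25519_ENABLED
	bool "Enable CURVE25519 elliptic curve"
	help
	  X25519 (RFC 7748): fast and designed for constant-time
	  implementation. In mbedTLS this Montgomery curve is used for ECDH key
	  agreement only, not for ECDSA signatures.

config MBEDTLS_ECP_DP_CURVE448_ENABLED
	bool "Enable CURVE448 elliptic curve"
	help
	  X448 (RFC 7748). Like Curve25519, ECDH key agreement only.

config MBEDTLS_ECP_NIST_OPTIM
	bool "Enable NIST curves optimization"
	help
	  Use per-prime fast modular reduction for the NIST SECP*R1 curves.
	  Point arithmetic on those curves becomes several times faster at the
	  cost of some extra code.

endif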
comment "Supported cipher modes"
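config MBEDTLS_CIPHER_ALL_ENABLED
	bool "Enable all available ciphers"
	select MBEDTLS_CIPHER_AES_ENABLED
	select MBEDTLS_CIPHER_CAMELLIA_ENABLED
	select MBEDTLS_CIPHER_DES_ENABLED
	select MBEDTLS_CIPHER_ARC4_ENABLED
	select MBEDTLS_CIPHER_CHACHA20_ENABLED
	select MBEDTLS_CIPHER_BLOWFISH_ENABLED
	select MBEDTLS_CIPHER_CCM_ENABLED
	select MBEDTLS_CIPHER_GCM_ENABLED
	select MBEDTLS_CIPHER_MODE_XTS_ENABLED
	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
	select MBEDTLS_CHACHAPOLY_AEAD_ENABLED
	help
	  Test/convenience switch. It also enables DES, ARC4 and Blowfish,
	  which are not acceptable for new designs; production builds should
	  select ciphers individually.

config MBEDTLS_CIPHER_AES_ENABLED
	bool "Enable the AES block cipher"
	default y
	help
	  AES with 128/192/256-bit keys. Required for the AEAD modes below and
	  for CTR_DRBG.

config MBEDTLS_AES_ROM_TABLES
	depends on MBEDTLS_CIPHER_AES_ENABLED
	bool "Use precomputed AES tables stored in ROM."
	default y
	help
	  Keep the AES lookup tables in ROM instead of generating them into
	  RAM at start-up. Saves RAM and start-up time at the cost of ROM.

config MBEDTLS_CIPHER_CAMELLIA_ENABLED
	bool "Enable the Camellia block cipher"
	help
	  128-bit block cipher (RFC 3713) used by a small set of ciphersuites.
	  Rarely negotiated in practice; not needed for general TLS
	  interoperability.

config MBEDTLS_CIPHER_DES_ENABLED
	bool "Enable the DES block cipher"
	default y if !NET_L2_OPENTHREAD
	help
	  DES and 3DES. The 64-bit block size exposes long sessions to
	  birthday-bound attacks (Sweet32), and single DES has only a 56-bit
	  key. Enabled by default purely for compatibility; disable it unless a
	  peer offers nothing better.

config MBEDTLS_CIPHER_ARC4_ENABLED
	bool "Enable the ARC4 stream cipher"
	help
	  RC4. Its keystream biases are exploitable and RFC 7465 forbids RC4
	  in TLS. Keep disabled.

config MBEDTLS_CIPHER_CHACHA20_ENABLED
	bool "Enable the ChaCha20 stream cipher"
	help
	  ChaCha20 (RFC 8439). On its own it provides confidentiality only;
	  TLS uses it together with Poly1305, see
	  MBEDTLS_CHACHAPOLY_AEAD_ENABLED.

config MBEDTLS_CIPHER_BLOWFISH_ENABLED
	bool "Enable the Blowfish block cipher"
	help
	  64-bit block cipher, not used by any TLS ciphersuite. Only enable it
	  for a non-TLS consumer that requires it; avoid it for new designs.

config MBEDTLS_CIPHER_CCM_ENABLED
	bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
	help
	  AEAD mode that needs only the block cipher core, which is why it is
	  popular on constrained devices. A nonce must never be reused under
	  the same key.

config MBEDTLS_CIPHER_GCM_ENABLED
	bool "Enable the Galois/Counter Mode (GCM) for AES"
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
	help
	  AEAD mode and the most widely supported TLS 1.2 AEAD. Nonce reuse
	  under one key is catastrophic: it leaks the authentication key.

config MBEDTLS_CIPHER_MODE_XTS_ENABLED
	bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
	help
	  Storage-encryption mode. Not used by any TLS ciphersuite and provides
	  no integrity protection; enable only for a storage consumer of
	  mbedTLS.

config MBEDTLS_CIPHER_MODE_CBC_ENABLED
	bool "Enable Cipher Block Chaining mode (CBC) for symmetric ciphers"
	default y if !NET_L2_OPENTHREAD
	help
	  Needed by the classic MAC-then-encrypt TLS ciphersuites and by
	  TLS 1.0/1.1. CBC suites have a long history of padding-oracle and
	  timing attacks; prefer an AEAD mode (CCM, GCM, ChaCha20-Poly1305)
	  whenever the peer allows it.

config MBEDTLS_CIPHER_MODE_CTR_ENABLED
	bool "Enable Counter Block Cipher mode (CTR) for symmetric ciphers."
	help
	  Plain counter mode. Provides no integrity by itself and is not used
	  directly by TLS ciphersuites; the AEAD modes carry their own counter
	  handling.

config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
	bool "Enable the ChaCha20-Poly1305 AEAD algorithm"
	# Both primitives are required: mbedTLS's check_config.h rejects
	# CHACHAPOLY_C when either CHACHA20_C or POLY1305_C is missing, so the
	# previous "||" let Kconfig accept a configuration that fails to build.
	depends on MBEDTLS_CIPHER_CHACHA20_ENABLED && MBEDTLS_MAC_POLY1305_ENABLED
	help
	  ChaCha20-Poly1305 AEAD (RFC 8439), the usual choice on devices
	  without AES hardware. Needs both the ChaCha20 cipher and the
	  Poly1305 MAC enabled.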
comment "Supported message authentication methods"
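config MBEDTLS_MAC_ALL_ENABLED
	bool "Enable all available MAC methods"
	select MBEDTLS_MAC_MD4_ENABLED
	select MBEDTLS_MAC_MD5_ENABLED
	select MBEDTLS_MAC_SHA1_ENABLED
	select MBEDTLS_MAC_SHA256_ENABLED
	select MBEDTLS_MAC_SHA512_ENABLED
	select MBEDTLS_MAC_POLY1305_ENABLED
	select MBEDTLS_MAC_CMAC_ENABLED
	help
	  Test/convenience switch; note that it includes the broken MD4 and
	  MD5 hashes.

config MBEDTLS_MAC_MD4_ENABLED
	bool "Enable the MD4 hash algorithm"
	help
	  MD4 is thoroughly broken (practical collisions) and is not used by
	  TLS. Only for legacy protocols that hard-require it.

config MBEDTLS_MAC_MD5_ENABLED
	bool "Enable the MD5 hash algorithm"
	default y if !NET_L2_OPENTHREAD
	help
	  Collision-broken; must not be used for signatures. It is still part
	  of the TLS 1.0/1.1 PRF (those options select it), which is why it
	  defaults on. A TLS 1.2-only build may be able to disable it.

config MBEDTLS_MAC_SHA1_ENABLED
	bool "Enable the SHA1 hash algorithm"
	default y if !NET_L2_OPENTHREAD
	help
	  Collision attacks on SHA-1 are practical and modern deployments
	  reject SHA-1 certificate signatures. It is still used by the
	  TLS 1.0/1.1 PRF and by the HMAC-SHA1 ciphersuites, hence the default.

config MBEDTLS_MAC_SHA256_ENABLED
	bool "Enable the SHA-224 and SHA-256 hash algorithms"
	default y
	help
	  The workhorse hash for TLS 1.2 ciphersuites, certificate signatures
	  and the entropy accumulator. Leave enabled.

config MBEDTLS_SHA256_SMALLER
	bool "Enable smaller SHA-256 implementation"
	depends on MBEDTLS_MAC_SHA256_ENABLED
	default y
	help
	  Use the SHA-256 implementation with the lower ROM footprint. It is
	  also slower, so disable it on builds where hashing throughput matters
	  more than code size.

config MBEDTLS_MAC_SHA512_ENABLED
	bool "Enable the SHA-384 and SHA-512 hash algorithms"
	help
	  Needed for the SHA-384 ciphersuites (typically paired with AES-256
	  or P-384) and for certificates signed with SHA-384/SHA-512.

config MBEDTLS_MAC_POLY1305_ENABLED
	bool "Enable the Poly1305 MAC algorithm"
	help
	  One-time authenticator (RFC 8439). Only meaningful together with
	  ChaCha20; see MBEDTLS_CHACHAPOLY_AEAD_ENABLED.

config MBEDTLS_MAC_CMAC_ENABLED
	bool "Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
	help
	  Block-cipher based MAC (RFC 4493). Not used by TLS itself; provided
	  for applications and other protocols. Prefer AES-CMAC over a
	  64-bit-block DES-based variant.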
endmenu
comment "Random number generators"
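config MBEDTLS_CTR_DRBG_ENABLED
	bool "Enable the CTR_DRBG AES-256-based random generator"
	depends on MBEDTLS_CIPHER_AES_ENABLED
	default y
	help
	  NIST SP 800-90A CTR_DRBG built on AES-256. A DRBG is only as strong
	  as its seed: it must be seeded from a real entropy source (see
	  MBEDTLS_ENTROPY_ENABLED and the platform's entropy driver), never
	  from a constant or a clock value.

config MBEDTLS_HMAC_DRBG_ENABLED
	bool "Enable the HMAC_DRBG random generator"
	select MBEDTLS_MD
	help
	  NIST SP 800-90A HMAC_DRBG. An alternative to CTR_DRBG when AES is
	  not available, and the mechanism mbedTLS uses for deterministic
	  ECDSA (MBEDTLS_ECDSA_DETERMINISTIC). Same seeding caveat as
	  CTR_DRBG.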
comment "Other configurations"
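config MBEDTLS_CIPHER
	bool "Enable the generic cipher layer."
	help
	  The cipher abstraction layer (mbedtls_cipher_*) that the TLS code is
	  built on. Selected automatically by the TLS version options.

config MBEDTLS_MD
	bool "Enable the generic message digest layer."
	help
	  The message-digest abstraction layer (mbedtls_md_*). Selected by the
	  TLS version options and by HMAC_DRBG.

config MBEDTLS_GENPRIME_ENABLED
	bool "Enable the prime-number generation code."
	help
	  Needed only to generate RSA or DH keys on the device. Key generation
	  is very slow on MCUs and its security depends entirely on the RNG
	  seed; keys are usually provisioned at manufacturing instead.

config MBEDTLS_PEM_CERTIFICATE_FORMAT
	bool "Enable support for PEM certificate format"
	help
	  By default only DER (binary) format of certificates is supported.
	  Enable this option to enable support for PEM format. PEM parsing adds
	  base64 decoding code; DER is smaller in both code and storage.

config MBEDTLS_HAVE_ASM
	bool "Enable use of assembly code"
	default y if !ARM
	help
	  Enable use of assembly code in mbedTLS. This improves the performance
	  of asymmetric cryptography, however it might have an impact on the
	  code size. Off by default on ARM targets.

config MBEDTLS_ENTROPY_ENABLED
	bool "Enable mbedTLS generic entropy pool"
	depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA512_ENABLED
	help
	  The mbedTLS entropy accumulator (hashed with SHA-256 or SHA-512,
	  hence the dependency) that gathers input from registered sources to
	  seed the DRBGs. The pool produces no entropy by itself: at least one
	  real hardware or platform source must be registered, or the DRBG
	  seed is predictable.

config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
	bool "Enable mbedTLS optimizations for OpenThread"
	depends on NET_L2_OPENTHREAD
	default y if !NET_SOCKETS_SOCKOPT_TLS
	help
	  Enable some OpenThread specific mbedTLS optimizations that allow
	  saving some RAM/ROM when OpenThread is used. Note that when the
	  application aims to use other mbedTLS services on top of OpenThread
	  (e.g. secure sockets), it is advised to disable this option.

config MBEDTLS_USER_CONFIG_ENABLE
	bool "Enable user mbedTLS config file"
	help
	  Enable a user mbedTLS config file that will be included at the end
	  of the generic config file.

config MBEDTLS_USER_CONFIG_FILE
	string "User configuration file for mbedTLS"
	depends on MBEDTLS_USER_CONFIG_ENABLE
	help
	  User config file that can contain mbedTLS configs that were not
	  covered by the generic config file. Because it is included last, it
	  can also re-enable algorithms this menu leaves off (or undefine ones
	  it turns on), so review it with the same care as the Kconfig choices
	  above.

config MBEDTLS_SERVER_NAME_INDICATION
	bool "Enable support for RFC 6066 server name indication (SNI) in SSL"
	help
	  Enable this to support RFC 6066 server name indication (SNI) in SSL.
	  This requires that MBEDTLS_X509_CRT_PARSE_C is also set. A client
	  sends the intended host name so the server can present the matching
	  certificate; note that the name travels in clear text in the
	  ClientHello.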
endmenu