You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
707 lines
22 KiB
707 lines
22 KiB
# TLS/DTLS related options |
|
|
|
# Copyright (c) 2018 Intel Corporation |
|
# Copyright (c) 2018 Nordic Semiconductor ASA |
|
# SPDX-License-Identifier: Apache-2.0 |
|
|
|
menu "Mbed TLS configuration" |
|
depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-mbedtls.h" |
|
|
|
menu "TLS" |
|
|
|
config MBEDTLS_TLS_VERSION_1_2 |
|
bool "Support for TLS 1.2 (DTLS 1.2)" |
|
select MBEDTLS_CIPHER |
|
select MBEDTLS_MD |
|
|
|
if MBEDTLS_TLS_VERSION_1_2 |
|
|
|
config MBEDTLS_DTLS |
|
bool "Support for DTLS" |
|
|
|
endif # MBEDTLS_TLS_VERSION_1_2 |
|
|
|
config MBEDTLS_TLS_VERSION_1_3 |
|
bool "Support for TLS 1.3" |
|
|
|
if MBEDTLS_TLS_VERSION_1_3 |
|
|
|
config MBEDTLS_TLS_SESSION_TICKETS |
|
bool "Support for RFC 5077 session tickets in TLS 1.3" |
|
|
|
endif # MBEDTLS_TLS_VERSION_1_3 |
|
|
|
if MBEDTLS_TLS_VERSION_1_2 || MBEDTLS_TLS_VERSION_1_3 |
|
|
|
config MBEDTLS_SSL_ALPN |
|
bool "Support for setting the supported Application Layer Protocols" |
|
|
|
endif # MBEDTLS_TLS_VERSION_1_2 || MBEDTLS_TLS_VERSION_1_3 |
|
|
|
endmenu # TLS |
|
|
|
menu "Ciphersuite configuration" |
|
|
|
comment "Supported key exchange modes" |
|
|
|
config MBEDTLS_RSA_C |
|
bool "RSA base support" |
|
default y if UOSCORE || UEDHOC |
|
|
|
if MBEDTLS_RSA_C |
|
|
|
config MBEDTLS_PKCS1_V15 |
|
bool "RSA PKCS1 v1.5" |
|
default y if UOSCORE || UEDHOC |
|
|
|
config MBEDTLS_PKCS1_V21 |
|
bool "RSA PKCS1 v2.1" |
|
default y if UOSCORE || UEDHOC |
|
|
|
config MBEDTLS_GENPRIME_ENABLED |
|
bool "Prime number generation code" |
|
|
|
endif # MBEDTLS_RSA_C |
|
|
|
config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED |
|
bool "All available ciphersuite modes" |
|
select MBEDTLS_MD |
|
select MBEDTLS_RSA_C |
|
select MBEDTLS_PKCS1_V15 |
|
select MBEDTLS_PKCS1_V21 |
|
select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED |
|
select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED |
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED |
|
select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED |
|
select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED |
|
select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED |
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED |
|
select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED |
|
select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED |
|
select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED |
|
select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED |
|
|
|
config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED |
|
bool "PSK based ciphersuite modes" |
|
|
|
config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED |
|
bool "DHE-PSK based ciphersuite modes" |
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED |
|
bool "ECDHE-PSK based ciphersuite modes" |
|
depends on MBEDTLS_ECDH_C |
|
|
|
config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED |
|
bool "RSA-PSK based ciphersuite modes" |
|
depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21 |
|
|
|
config MBEDTLS_PSK_MAX_LEN |
|
int "Max size of TLS pre-shared keys" |
|
default 32 |
|
help |
|
Max size of TLS pre-shared keys, in bytes. It has no effect if no |
|
PSK key exchange is used. |
|
|
|
config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED |
|
bool "RSA-only based ciphersuite modes" |
|
default y if UOSCORE || UEDHOC |
|
depends on MBEDTLS_MD |
|
depends on PSA_CRYPTO_CLIENT || MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21 |
|
select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY if PSA_CRYPTO_CLIENT |
|
select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT if PSA_CRYPTO_CLIENT |
|
select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT if PSA_CRYPTO_CLIENT |
|
select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE if PSA_CRYPTO_CLIENT |
|
|
|
config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED |
|
bool "DHE-RSA based ciphersuite modes" |
|
depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21 |
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED |
|
bool "ECDHE-RSA based ciphersuite modes" |
|
depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21 |
|
depends on MBEDTLS_ECDH_C |
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED |
|
bool "ECDHE-ECDSA based ciphersuite modes" |
|
depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA) |
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED |
|
bool "ECDH-ECDSA based ciphersuite modes" |
|
depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA) |
|
|
|
config MBEDTLS_ECDSA_DETERMINISTIC |
|
bool "Deterministic ECDSA (RFC 6979)" |
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED |
|
bool "ECDH-RSA based ciphersuite modes" |
|
depends on MBEDTLS_ECDH_C |
|
|
|
config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED |
|
bool "ECJPAKE based ciphersuite modes" |
|
depends on MBEDTLS_ECJPAKE_C |
|
|
|
if MBEDTLS_TLS_VERSION_1_3 |
|
|
|
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED |
|
bool "TLS 1.3 PSK key exchange mode" |
|
|
|
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED |
|
bool "TLS 1.3 ephemeral key exchange mode" |
|
|
|
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED |
|
bool "TLS 1.3 PSK ephemeral key exchange mode" |
|
|
|
endif # MBEDTLS_TLS_VERSION_1_3 |
|
|
|
config MBEDTLS_HKDF_C |
|
bool "HMAC-based Extract-and-Expand Key Derivation Function" |
|
|
|
comment "Elliptic curve libraries" |
|
|
|
config MBEDTLS_ECDH_C |
|
bool "Elliptic curve Diffie-Hellman library" |
|
depends on MBEDTLS_ECP_C |
|
|
|
config MBEDTLS_ECDSA_C |
|
bool "Elliptic curve DSA library" |
|
depends on MBEDTLS_ECP_C |
|
select MBEDTLS_ASN1_PARSE_C |
|
|
|
config MBEDTLS_ECJPAKE_C |
|
bool "Elliptic curve J-PAKE library" |
|
depends on MBEDTLS_ECP_C |
|
|
|
config MBEDTLS_ECP_C |
|
bool "Elliptic curve over GF(p) library" |
|
default y if UOSCORE || UEDHOC |
|
|
|
if MBEDTLS_ECP_C |
|
|
|
comment "Supported elliptic curves" |
|
|
|
config MBEDTLS_ECP_ALL_ENABLED |
|
bool "All available elliptic curves" |
|
select MBEDTLS_ECP_DP_SECP192R1_ENABLED |
|
select MBEDTLS_ECP_DP_SECP192R1_ENABLED |
|
select MBEDTLS_ECP_DP_SECP224R1_ENABLED |
|
select MBEDTLS_ECP_DP_SECP256R1_ENABLED |
|
select MBEDTLS_ECP_DP_SECP384R1_ENABLED |
|
select MBEDTLS_ECP_DP_SECP521R1_ENABLED |
|
select MBEDTLS_ECP_DP_SECP192K1_ENABLED |
|
select MBEDTLS_ECP_DP_SECP224K1_ENABLED |
|
select MBEDTLS_ECP_DP_SECP256K1_ENABLED |
|
select MBEDTLS_ECP_DP_BP256R1_ENABLED |
|
select MBEDTLS_ECP_DP_BP384R1_ENABLED |
|
select MBEDTLS_ECP_DP_BP512R1_ENABLED |
|
select MBEDTLS_ECP_DP_CURVE25519_ENABLED |
|
select MBEDTLS_ECP_DP_CURVE448_ENABLED |
|
select MBEDTLS_ECP_NIST_OPTIM |
|
|
|
config MBEDTLS_ECP_DP_SECP192R1_ENABLED |
|
bool "SECP192R1 elliptic curve" |
|
|
|
config MBEDTLS_ECP_DP_SECP224R1_ENABLED |
|
bool "SECP224R1 elliptic curve" |
|
|
|
config MBEDTLS_ECP_DP_SECP256R1_ENABLED |
|
bool "SECP256R1 elliptic curve" |
|
default y if UOSCORE || UEDHOC |
|
|
|
config MBEDTLS_ECP_DP_SECP384R1_ENABLED |
|
bool "SECP384R1 elliptic curve" |
|
|
|
config MBEDTLS_ECP_DP_SECP521R1_ENABLED |
|
bool "SECP521R1 elliptic curve" |
|
|
|
config MBEDTLS_ECP_DP_SECP192K1_ENABLED |
|
bool "SECP192K1 elliptic curve" |
|
|
|
config MBEDTLS_ECP_DP_SECP224K1_ENABLED |
|
bool "SECP224K1 elliptic curve" |
|
|
|
config MBEDTLS_ECP_DP_SECP256K1_ENABLED |
|
bool "SECP256K1 elliptic curve" |
|
|
|
config MBEDTLS_ECP_DP_BP256R1_ENABLED |
|
bool "BP256R1 elliptic curve" |
|
|
|
config MBEDTLS_ECP_DP_BP384R1_ENABLED |
|
bool "BP384R1 elliptic curve" |
|
|
|
config MBEDTLS_ECP_DP_BP512R1_ENABLED |
|
bool "BP512R1 elliptic curve" |
|
|
|
config MBEDTLS_ECP_DP_CURVE25519_ENABLED |
|
bool "CURVE25519 elliptic curve" |
|
|
|
config MBEDTLS_ECP_DP_CURVE448_ENABLED |
|
bool "CURVE448 elliptic curve" |
|
|
|
config MBEDTLS_ECP_NIST_OPTIM |
|
bool "NSIT curves optimization" |
|
|
|
endif |
|
|
|
comment "Supported ciphers and cipher modes" |
|
|
|
config MBEDTLS_CIPHER_ALL_ENABLED |
|
bool "All available ciphers and modes" |
|
select MBEDTLS_CIPHER_AES_ENABLED |
|
select MBEDTLS_CIPHER_CAMELLIA_ENABLED |
|
select MBEDTLS_CIPHER_DES_ENABLED |
|
select MBEDTLS_CIPHER_CHACHA20_ENABLED |
|
select MBEDTLS_CIPHER_CCM_ENABLED |
|
select MBEDTLS_CIPHER_GCM_ENABLED |
|
select MBEDTLS_CIPHER_MODE_XTS_ENABLED |
|
select MBEDTLS_CIPHER_MODE_CBC_ENABLED |
|
select MBEDTLS_CIPHER_MODE_CTR_ENABLED |
|
select MBEDTLS_CHACHAPOLY_AEAD_ENABLED |
|
|
|
config MBEDTLS_SOME_AEAD_CIPHER_ENABLED |
|
bool |
|
default y |
|
depends on \ |
|
MBEDTLS_CIPHER_AES_ENABLED || \ |
|
MBEDTLS_CIPHER_CAMELLIA_ENABLED |
|
|
|
config MBEDTLS_SOME_CIPHER_ENABLED |
|
bool |
|
default y |
|
depends on \ |
|
MBEDTLS_SOME_AEAD_CIPHER_ENABLED || \ |
|
MBEDTLS_CIPHER_DES_ENABLED || \ |
|
MBEDTLS_CIPHER_CHACHA20_ENABLED |
|
|
|
config MBEDTLS_CIPHER_AES_ENABLED |
|
bool "AES block cipher" |
|
default y if PSA_WANT_KEY_TYPE_AES && MBEDTLS_PSA_CRYPTO_C |
|
|
|
if MBEDTLS_CIPHER_AES_ENABLED |
|
|
|
config MBEDTLS_AES_ROM_TABLES |
|
bool "Use precomputed AES tables stored in ROM." |
|
|
|
config MBEDTLS_AES_FEWER_TABLES |
|
bool "Reduce the size of precomputed AES tables by ~6kB" |
|
default y |
|
depends on MBEDTLS_AES_ROM_TABLES |
|
help |
|
Reduce the size of the AES tables at a tradeoff of more |
|
arithmetic operations at runtime. Specifically 4 table |
|
lookups are converted to 1 table lookup, 3 additions |
|
and 6 bit shifts. |
|
|
|
config MBEDTLS_CIPHER_MODE_XTS_ENABLED |
|
bool "Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES" |
|
|
|
endif # MBEDTLS_CIPHER_AES_ENABLED |
|
|
|
config MBEDTLS_CIPHER_CAMELLIA_ENABLED |
|
bool "Camellia block cipher" |
|
|
|
config MBEDTLS_CIPHER_DES_ENABLED |
|
bool "DES block cipher" |
|
|
|
config MBEDTLS_CIPHER_CHACHA20_ENABLED |
|
bool "ChaCha20 stream cipher" |
|
|
|
if MBEDTLS_SOME_AEAD_CIPHER_ENABLED |
|
|
|
config MBEDTLS_CIPHER_CCM_ENABLED |
|
bool "Counter with CBC-MAC (CCM) mode for 128-bit block cipher" |
|
default y if UOSCORE || UEDHOC |
|
|
|
config MBEDTLS_CIPHER_GCM_ENABLED |
|
bool "Galois/Counter Mode (GCM) for symmetric ciphers" |
|
|
|
endif # MBEDTLS_SOME_AEAD_CIPHER_ENABLED |
|
|
|
if MBEDTLS_SOME_CIPHER_ENABLED |
|
|
|
config MBEDTLS_CIPHER_MODE_CBC_ENABLED |
|
bool "Cipher Block Chaining mode (CBC) for symmetric ciphers" |
|
default y if !NET_L2_OPENTHREAD |
|
|
|
config MBEDTLS_CIPHER_MODE_CTR_ENABLED |
|
bool "Counter Block Cipher mode (CTR) for symmetric ciphers" |
|
|
|
endif # MBEDTLS_SOME_CIPHER_ENABLED |
|
|
|
config MBEDTLS_CHACHAPOLY_AEAD_ENABLED |
|
bool "ChaCha20-Poly1305 AEAD algorithm" |
|
depends on MBEDTLS_CIPHER_CHACHA20_ENABLED && MBEDTLS_POLY1305 |
|
|
|
config MBEDTLS_CMAC |
|
bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers." |
|
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED |
|
|
|
comment "Supported hash algorithms" |
|
|
|
config MBEDTLS_HASH_ALL_ENABLED |
|
bool "All available MAC methods" |
|
select MBEDTLS_MD5 |
|
select MBEDTLS_SHA1 |
|
select MBEDTLS_SHA224 |
|
select MBEDTLS_SHA256 |
|
select MBEDTLS_SHA384 |
|
select MBEDTLS_SHA512 |
|
select MBEDTLS_POLY1305 |
|
|
|
config MBEDTLS_MD5 |
|
bool "MD5 hash algorithm" |
|
|
|
config MBEDTLS_SHA1 |
|
bool "SHA-1 hash algorithm" |
|
|
|
config MBEDTLS_SHA224 |
|
bool "SHA-224 hash algorithm" |
|
|
|
config MBEDTLS_SHA256 |
|
bool "SHA-256 hash algorithm" |
|
default y |
|
|
|
config MBEDTLS_SHA256_SMALLER |
|
bool "Smaller SHA-256 implementation" |
|
depends on MBEDTLS_SHA256 |
|
default y |
|
help |
|
Enable an implementation of SHA-256 that has a |
|
smaller ROM footprint but also lower performance. |
|
|
|
config MBEDTLS_SHA384 |
|
bool "SHA-384 hash algorithm" |
|
|
|
config MBEDTLS_SHA512 |
|
bool "SHA-512 hash algorithm" |
|
|
|
config MBEDTLS_POLY1305 |
|
bool "Poly1305 hash family" |
|
|
|
endmenu |
|
|
|
comment "Random number generators" |
|
|
|
config MBEDTLS_CTR_DRBG_ENABLED |
|
bool "CTR_DRBG AES-256-based random generator" |
|
depends on MBEDTLS_CIPHER_AES_ENABLED |
|
default y |
|
|
|
config MBEDTLS_HMAC_DRBG_ENABLED |
|
bool "HMAC_DRBG random generator" |
|
select MBEDTLS_MD |
|
|
|
comment "Other configurations" |
|
|
|
config MBEDTLS_CIPHER |
|
bool "generic cipher layer." |
|
default y if PSA_WANT_ALG_CMAC |
|
|
|
config MBEDTLS_MD |
|
bool "generic message digest layer." |
|
default y if UOSCORE || UEDHOC |
|
|
|
config MBEDTLS_ASN1_PARSE_C |
|
bool "Support for ASN1 parser functions" |
|
|
|
config MBEDTLS_PLATFORM_NO_STD_FUNCTIONS |
|
bool "Remove usage of standard libc functions" |
|
help |
|
This prevents Mbed TLS from linking against the following standard functions |
|
from libc: `snprintf`, `vsnprintf`, `printf`, `fprintf`, `calloc`, `free`, `setbuf`, `exit` |
|
and `time`. By default Mbed TLS will use stub functions for all these functions. |
|
These stubs are just meant to return successfully, but they don't implement |
|
the required functionality. |
|
Users can individually override each of these stubs by calling |
|
`mbedtls_platform_set_xxx()` to set the their implementation of `xxx()` function |
|
at runtime. |
|
|
|
if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS |
|
|
|
config MBEDTLS_PLATFORM_SNPRINTF_ALT |
|
bool "Allow setting custom snprintf at run-time" |
|
help |
|
Allow setting a custom `snprintf()` function with `mbedtls_platform_set_snprintf()`. |
|
Include `mbedtls/platform.h` for the prototype of this function. |
|
|
|
endif # MBEDTLS_PLATFORM_NO_STD_FUNCTIONS |
|
|
|
config MBEDTLS_PEM_CERTIFICATE_FORMAT |
|
bool "Support for PEM certificate format" |
|
help |
|
By default only DER (binary) format of certificates is supported. Enable |
|
this option to enable support for PEM format. |
|
|
|
config MBEDTLS_HAVE_ASM |
|
bool "Use of assembly code" |
|
default y if !ARM |
|
help |
|
Enable use of assembly code in mbedTLS. This improves the performances |
|
of asymmetric cryptography, however this might have an impact on the |
|
code size. |
|
|
|
config MBEDTLS_ENTROPY_C |
|
bool "Mbed TLS entropy accumulator" |
|
depends on MBEDTLS_SHA256 || MBEDTLS_SHA384 || MBEDTLS_SHA512 |
|
help |
|
This module gathers entropy data from enabled entropy sources. It's |
|
mostly used in conjunction with CTR_DRBG or HMAC_DRBG to create |
|
a deterministic random number generator. |
|
|
|
config MBEDTLS_ENTROPY_POLL_ZEPHYR |
|
bool "Provide entropy data to Mbed TLS through entropy driver or random generator" |
|
default y |
|
depends on MBEDTLS_ENTROPY_C |
|
help |
|
Provide entropy data to the Mbed TLS's entropy module through either |
|
an entropy driver (if available in the system) or a generic random |
|
number generator. |
|
Warning: the latter choice is potentially non secure because it might |
|
end up using weaker/test-only sources (ex: random number generator |
|
built on system timer). |
|
|
|
config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED |
|
bool "MbedTLS optimizations for OpenThread" |
|
depends on NET_L2_OPENTHREAD |
|
default y if !NET_SOCKETS_SOCKOPT_TLS |
|
help |
|
Enable some OpenThread specific mbedTLS optimizations that allows to |
|
save some RAM/ROM when OpenThread is used. Note, that when application |
|
aims to use other mbedTLS services on top of OpenThread (e.g. secure |
|
sockets), it's advised to disable this option. |
|
|
|
config MBEDTLS_USER_CONFIG_ENABLE |
|
bool "User mbedTLS config file" |
|
help |
|
Enable user mbedTLS config file that will be included at the end of |
|
the generic config file. |
|
|
|
config MBEDTLS_USER_CONFIG_FILE |
|
string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE |
|
help |
|
User config file that can contain mbedTLS configs that were not |
|
covered by the generic config file. |
|
|
|
config MBEDTLS_SERVER_NAME_INDICATION |
|
bool "Support for RFC 6066 server name indication (SNI) in SSL" |
|
help |
|
Enable this to support RFC 6066 server name indication (SNI) in SSL. |
|
This requires that MBEDTLS_X509_CRT_PARSE_C is also set. |
|
|
|
config MBEDTLS_PK_WRITE_C |
|
bool "The generic public (asymmetric) key writer" |
|
help |
|
Enable generic public key write functions. |
|
|
|
config MBEDTLS_HAVE_TIME_DATE |
|
bool "Date/time validation in mbed TLS" |
|
help |
|
System has time.h, time(), and an implementation for gmtime_r(). |
|
There also need to be a valid time source in the system, as mbedTLS |
|
expects a valid date/time for certificate validation." |
|
|
|
config MBEDTLS_PKCS5_C |
|
bool "Password-based encryption functions" |
|
select MBEDTLS_MD |
|
help |
|
Enable PKCS5 functions |
|
|
|
config MBEDTLS_SSL_CACHE_C |
|
bool "SSL session cache support" |
|
help |
|
"This option enables simple SSL cache implementation (server side)." |
|
|
|
if MBEDTLS_SSL_CACHE_C |
|
|
|
config MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT |
|
int "Default timeout for SSL cache entires" |
|
default 86400 |
|
|
|
config MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES |
|
int "Maximum number of SSL cache entires" |
|
default 5 |
|
|
|
endif # MBEDTLS_SSL_CACHE_C |
|
|
|
config MBEDTLS_SSL_EXTENDED_MASTER_SECRET |
|
bool "(D)TLS Extended Master Secret extension" |
|
depends on MBEDTLS_TLS_VERSION_1_2 |
|
help |
|
Enable support for the (D)TLS Extended Master Secret extension |
|
which ensures that master secrets are different for every |
|
connection and every session. |
|
|
|
choice MBEDTLS_PSA_CRYPTO_RNG_SOURCE |
|
prompt "Select random source for built-in PSA crypto" |
|
depends on MBEDTLS_PSA_CRYPTO_C |
|
# The only way to check if there is any entropy driver available on the |
|
# platform is to check if the "zephyr,entropy" chosen property exists. |
|
# CONFIG_CSPRNG_ENABLED cannot be used for this because it gets enabled by |
|
# entropy drivers but these are gated by CONFIG_ENTROPY_GENERATOR which |
|
# is disabled by default. |
|
default MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if CSPRNG_AVAILABLE |
|
default MBEDTLS_PSA_CRYPTO_LEGACY_RNG |
|
|
|
config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG |
|
bool "Use a cryptographically secure driver as random source" |
|
select ENTROPY_GENERATOR |
|
help |
|
Use a cryptographically secure random generator to provide random data |
|
instead of legacy Mbed TLS modules. This has a smaller footprint |
|
than its legacy counterpart MBEDTLS_PSA_CRYPTO_LEGACY_RNG, but it |
|
requires a cryptographically secure random number generator (CSPRNG) |
|
to be available in the system. If no CSPRNG is available: |
|
- there is no fallback to weak entropy random generators. |
|
- the initialization of PSA crypto will fail and none of its API |
|
will be available. |
|
|
|
config MBEDTLS_PSA_CRYPTO_LEGACY_RNG |
|
bool "Use legacy modules to generate random data" |
|
select MBEDTLS_ENTROPY_C |
|
select MBEDTLS_HMAC_DRBG_ENABLED if !MBEDTLS_CTR_DRBG_ENABLED |
|
# If there is any entropy driver in the system, then the choice would be |
|
# CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. If we fall here, then the only |
|
# way to get some random data is to enable CONFIG_TEST_RANDOM_GENERATOR. |
|
select TEST_RANDOM_GENERATOR |
|
help |
|
Use legacy Mbed TLS modules to generate random data. In this |
|
configuration the entropy module is used to gather some data and then |
|
either ctr_drbg or hmac_drbg are applied on top of it to improve |
|
the randomness. |
|
Security level in this case really depends on the type of entropy |
|
sources which are enabled in the system: if weak entropy sources are |
|
used, then the generated data will only be pseudo random. Strong |
|
entropy sources are strongly recommended (if possible) to have real |
|
random data. |
|
Another difference betwen this implementation and the |
|
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG counterpart is the memory footprint: |
|
this implementation brings in legacy modules which are not required |
|
in the "external" version, so the footprint is larger. |
|
|
|
endchoice |
|
|
|
config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG_ALLOW_NON_CSPRNG |
|
bool "Allow non cryptographically secure random sources (for test only!)" |
|
depends on MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG |
|
help |
|
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is by default limited to rely only |
|
on cryptographically secure random number generators. However, only |
|
for test purposes, it might be useful to enable external random |
|
number generation, but have it using weak random sources (non |
|
cryptographically secure). |
|
Warning: this is meant to be enabled only for tests, not in production |
|
as the generated values are not cryptographically secure! |
|
|
|
config MBEDTLS_PSA_CRYPTO_C |
|
bool "Platform Security Architecture cryptography API" |
|
depends on !BUILD_WITH_TFM |
|
default y if UOSCORE || UEDHOC |
|
|
|
config MBEDTLS_USE_PSA_CRYPTO |
|
bool "Use PSA APIs instead of legacy MbedTLS when possible" |
|
default y if MBEDTLS_PSA_CRYPTO_CLIENT |
|
help |
|
Use PSA APIs instead of legacy MbedTLS functions in TLS/DTLS and other |
|
"intermediate" modules such as PK, MD and Cipher. |
|
|
|
config MBEDTLS_PSA_CRYPTO_CLIENT |
|
bool |
|
default y |
|
depends on BUILD_WITH_TFM || MBEDTLS_PSA_CRYPTO_C |
|
select PSA_CRYPTO_CLIENT |
|
|
|
config MBEDTLS_LMS |
|
bool "Support LMS signature schemes" |
|
depends on MBEDTLS_PSA_CRYPTO_CLIENT |
|
depends on MBEDTLS_SHA256 |
|
select PSA_WANT_ALG_SHA_256 |
|
|
|
if MBEDTLS_PSA_CRYPTO_C |
|
|
|
config MBEDTLS_PSA_P256M_DRIVER_ENABLED |
|
bool "P256-M driver" |
|
imply PSA_WANT_ALG_SHA_256 |
|
help |
|
Enable support for the optimized sofware implementation of the secp256r1 |
|
curve through the standard PSA API. |
|
|
|
config MBEDTLS_PSA_P256M_DRIVER_RAW |
|
bool "Access p256-m driver directly (without PSA interface)" |
|
depends on MBEDTLS_PSA_P256M_DRIVER_ENABLED |
|
help |
|
Allow direct access to the p256-m driver interface. |
|
Warning: Usage of this Kconfig option is prohibited in Zephyr's codebase. |
|
Users can enable it in case of very memory-constrained devices, but be aware that the p256-m interface is absolutely not guaranted to remain stable over time. |
|
|
|
config MBEDTLS_PSA_CRYPTO_STORAGE_C |
|
bool |
|
|
|
config MBEDTLS_PSA_STATIC_KEY_SLOTS |
|
bool "Use statically allocated key buffers to store key material" |
|
default y if !MBEDTLS_ENABLE_HEAP |
|
help |
|
By default Mbed TLS's PSA Crypto core uses heap memory to store the |
|
key material for each key slot. This might impose an undesired |
|
requirement to support heap memory and its management code, affecting |
|
RAM and ROM footprints at the same time. |
|
Enabling this symbol causes Mbed TLS to pre-allocate all the key slot |
|
buffers that are used to store the key material at build time, thus |
|
removing the need for heap memory. Each buffer will be sized to |
|
contain the largest asymmetric/symmetric key type enabled in the build |
|
through PSA_WANT symbols. |
|
|
|
config MBEDTLS_PSA_KEY_SLOT_COUNT |
|
int "Number of key slots in PSA Crypto core" |
|
default 16 |
|
help |
|
Set the number of key slots that are available in the PSA Crypto core. |
|
Be aware that each slot, even if unused, increases RAM consumption |
|
by ~40 bytes plus: |
|
* the length of the largest asymmetric/symmetric key type enabled in |
|
the build through PSA_WANT symbols, if MBEDTLS_PSA_STATIC_KEY_SLOTS |
|
is set. (This is all defined statically at build time). |
|
* the heap-allocated memory to store the key material of a given slot, |
|
if it is used and MBEDTLS_PSA_STATIC_KEY_SLOTS is not set. |
|
|
|
endif # MBEDTLS_PSA_CRYPTO_C |
|
|
|
config MBEDTLS_SSL_DTLS_CONNECTION_ID |
|
bool "DTLS Connection ID extension" |
|
depends on MBEDTLS_DTLS |
|
help |
|
Enable support for the DTLS Connection ID extension |
|
which allows to identify DTLS connections across changes |
|
in the underlying transport. |
|
|
|
|
|
config MBEDTLS_NIST_KW_C |
|
bool "NIST key wrap" |
|
depends on MBEDTLS_CIPHER_AES_ENABLED |
|
help |
|
Key Wrapping mode for 128-bit block ciphers, |
|
as defined in NIST SP 800-38F. |
|
|
|
config MBEDTLS_DHM_C |
|
bool "Diffie-Hellman-Merkle mode" |
|
help |
|
Used by the following key exchanges, |
|
DHE-RSA, DHE-PSK |
|
|
|
config MBEDTLS_X509_CRL_PARSE_C |
|
bool "X.509 CRL parsing" |
|
help |
|
Used by X.509 CRL parsing |
|
|
|
config MBEDTLS_X509_CSR_WRITE_C |
|
bool "X.509 Certificate Signing Requests writing" |
|
help |
|
For X.509 certificate request writing. |
|
|
|
config MBEDTLS_X509_CSR_PARSE_C |
|
bool "X.509 Certificate Signing Request parsing" |
|
help |
|
For reading X.509 certificate request. |
|
|
|
config MBEDTLS_X509_CRT_WRITE_C |
|
bool "X.509 certificate creation" |
|
|
|
endmenu
|
|
|