# TLS/DTLS related options # Copyright (c) 2018 Intel Corporation # Copyright (c) 2018 Nordic Semiconductor ASA # SPDX-License-Identifier: Apache-2.0 menu "TLS configuration" depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" menu "Supported TLS version" config MBEDTLS_TLS_VERSION_1_0 bool "Enable support for TLS 1.0" select MBEDTLS_CIPHER select MBEDTLS_MAC_MD5_ENABLED select MBEDTLS_MAC_SHA1_ENABLED select MBEDTLS_MD config MBEDTLS_TLS_VERSION_1_1 bool "Enable support for TLS 1.1 (DTLS 1.0)" select MBEDTLS_CIPHER select MBEDTLS_MAC_MD5_ENABLED select MBEDTLS_MAC_SHA1_ENABLED select MBEDTLS_MD config MBEDTLS_TLS_VERSION_1_2 bool "Enable support for TLS 1.2 (DTLS 1.2)" default y if !NET_L2_OPENTHREAD select MBEDTLS_CIPHER select MBEDTLS_MD config MBEDTLS_DTLS bool "Enable support for DTLS" depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 config MBEDTLS_SSL_EXPORT_KEYS bool "Enable support for exporting SSL key block and master secret" depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 config MBEDTLS_SSL_ALPN bool "Enable support for setting the supported Application Layer Protocols" depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 endmenu menu "Ciphersuite configuration" comment "Supported key exchange modes" config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED bool "Enable all available ciphersuite modes" select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED bool "Enable the PSK based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED bool "Enable the DHE-PSK based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED bool "Enable the ECDHE-PSK based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED bool "Enable the RSA-PSK based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED bool default y if MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || \ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || \ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED config MBEDTLS_PSK_MAX_LEN int "Max size of TLS pre-shared keys" default 32 depends on MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED help Max size of TLS pre-shared keys, in bytes. config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED bool "Enable the RSA-only based ciphersuite modes" default y if !NET_L2_OPENTHREAD config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED bool "Enable the DHE-RSA based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED bool "Enable the ECDHE-RSA based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED bool "Enable the ECDHE-ECDSA based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED bool "Enable the ECDH-ECDSA based ciphersuite modes" config MBEDTLS_ECDSA_DETERMINISTIC bool "Enable deterministic ECDSA (RFC 6979)" config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED bool "Enable the ECDH-RSA based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED bool "Enable the ECJPAKE based ciphersuite modes" if MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || \ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || \ MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \ MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED comment "Supported elliptic curves" config MBEDTLS_ECP_ALL_ENABLED bool "Enable all available elliptic curves" select MBEDTLS_ECP_DP_SECP192R1_ENABLED select MBEDTLS_ECP_DP_SECP192R1_ENABLED select MBEDTLS_ECP_DP_SECP224R1_ENABLED select MBEDTLS_ECP_DP_SECP256R1_ENABLED select MBEDTLS_ECP_DP_SECP384R1_ENABLED select MBEDTLS_ECP_DP_SECP521R1_ENABLED select MBEDTLS_ECP_DP_SECP192K1_ENABLED select MBEDTLS_ECP_DP_SECP224K1_ENABLED select MBEDTLS_ECP_DP_SECP256K1_ENABLED select MBEDTLS_ECP_DP_BP256R1_ENABLED select MBEDTLS_ECP_DP_BP384R1_ENABLED select MBEDTLS_ECP_DP_BP512R1_ENABLED select MBEDTLS_ECP_DP_CURVE25519_ENABLED select MBEDTLS_ECP_DP_CURVE448_ENABLED select MBEDTLS_ECP_NIST_OPTIM config MBEDTLS_ECP_DP_SECP192R1_ENABLED bool "Enable SECP192R1 elliptic curve" config MBEDTLS_ECP_DP_SECP224R1_ENABLED bool "Enable SECP224R1 elliptic curve" config MBEDTLS_ECP_DP_SECP256R1_ENABLED bool "Enable SECP256R1 elliptic curve" config MBEDTLS_ECP_DP_SECP384R1_ENABLED bool "Enable SECP384R1 elliptic curve" config MBEDTLS_ECP_DP_SECP521R1_ENABLED bool "Enable SECP521R1 elliptic curve" config MBEDTLS_ECP_DP_SECP192K1_ENABLED bool "Enable SECP192K1 elliptic curve" config MBEDTLS_ECP_DP_SECP224K1_ENABLED bool "Enable SECP224K1 elliptic curve" config MBEDTLS_ECP_DP_SECP256K1_ENABLED bool "Enable SECP256K1 elliptic curve" config MBEDTLS_ECP_DP_BP256R1_ENABLED bool "Enable BP256R1 elliptic curve" config MBEDTLS_ECP_DP_BP384R1_ENABLED bool "Enable BP384R1 elliptic curve" config MBEDTLS_ECP_DP_BP512R1_ENABLED bool "Enable BP512R1 elliptic curve" config MBEDTLS_ECP_DP_CURVE25519_ENABLED bool "Enable CURVE25519 elliptic curve" config MBEDTLS_ECP_DP_CURVE448_ENABLED bool "Enable CURVE448 elliptic curve" config MBEDTLS_ECP_NIST_OPTIM bool "Enable NSIT curves optimization" endif comment "Supported cipher modes" config MBEDTLS_CIPHER_ALL_ENABLED bool "Enable all available ciphers" select MBEDTLS_CIPHER_AES_ENABLED select MBEDTLS_CIPHER_CAMELLIA_ENABLED select MBEDTLS_CIPHER_DES_ENABLED select MBEDTLS_CIPHER_ARC4_ENABLED select MBEDTLS_CIPHER_CHACHA20_ENABLED select MBEDTLS_CIPHER_BLOWFISH_ENABLED select MBEDTLS_CIPHER_CCM_ENABLED select MBEDTLS_CIPHER_GCM_ENABLED select MBEDTLS_CIPHER_MODE_XTS_ENABLED select MBEDTLS_CIPHER_MODE_CBC_ENABLED select MBEDTLS_CIPHER_MODE_CTR_ENABLED select MBEDTLS_CHACHAPOLY_AEAD_ENABLED config MBEDTLS_CIPHER_AES_ENABLED bool "Enable the AES block cipher" default y config MBEDTLS_AES_ROM_TABLES depends on MBEDTLS_CIPHER_AES_ENABLED bool "Use precomputed AES tables stored in ROM." default y config MBEDTLS_CIPHER_CAMELLIA_ENABLED bool "Enable the Camellia block cipher" config MBEDTLS_CIPHER_DES_ENABLED bool "Enable the DES block cipher" default y if !NET_L2_OPENTHREAD config MBEDTLS_CIPHER_ARC4_ENABLED bool "Enable the ARC4 stream cipher" config MBEDTLS_CIPHER_CHACHA20_ENABLED bool "Enable the ChaCha20 stream cipher" config MBEDTLS_CIPHER_BLOWFISH_ENABLED bool "Enable the Blowfish block cipher" config MBEDTLS_CIPHER_CCM_ENABLED bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher" depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED config MBEDTLS_CIPHER_GCM_ENABLED bool "Enable the Galois/Counter Mode (GCM) for AES" depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED config MBEDTLS_CIPHER_MODE_XTS_ENABLED bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES" depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED config MBEDTLS_CIPHER_MODE_CBC_ENABLED bool "Enable Cipher Block Chaining mode (CBC) for symmetric ciphers" default y if !NET_L2_OPENTHREAD config MBEDTLS_CIPHER_MODE_CTR_ENABLED bool "Enable Counter Block Cipher mode (CTR) for symmetric ciphers." config MBEDTLS_CHACHAPOLY_AEAD_ENABLED bool "Enable the ChaCha20-Poly1305 AEAD algorithm" depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED comment "Supported message authentication methods" config MBEDTLS_MAC_ALL_ENABLED bool "Enable all available MAC methods" select MBEDTLS_MAC_MD4_ENABLED select MBEDTLS_MAC_MD5_ENABLED select MBEDTLS_MAC_SHA1_ENABLED select MBEDTLS_MAC_SHA256_ENABLED select MBEDTLS_MAC_SHA512_ENABLED select MBEDTLS_MAC_POLY1305_ENABLED select MBEDTLS_MAC_CMAC_ENABLED config MBEDTLS_MAC_MD4_ENABLED bool "Enable the MD4 hash algorithm" config MBEDTLS_MAC_MD5_ENABLED bool "Enable the MD5 hash algorithm" default y if !NET_L2_OPENTHREAD config MBEDTLS_MAC_SHA1_ENABLED bool "Enable the SHA1 hash algorithm" default y if !NET_L2_OPENTHREAD config MBEDTLS_MAC_SHA256_ENABLED bool "Enable the SHA-224 and SHA-256 hash algorithms" default y config MBEDTLS_SHA256_SMALLER bool "Enable smaller SHA-256 implementation" depends on MBEDTLS_MAC_SHA256_ENABLED default y help Enable an implementation of SHA-256 that has lower ROM footprint but also lower performance config MBEDTLS_MAC_SHA512_ENABLED bool "Enable the SHA-384 and SHA-512 hash algorithms" config MBEDTLS_MAC_POLY1305_ENABLED bool "Enable the Poly1305 MAC algorithm" config MBEDTLS_MAC_CMAC_ENABLED bool "Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers." depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED endmenu comment "Random number generators" config MBEDTLS_CTR_DRBG_ENABLED bool "Enable the CTR_DRBG AES-256-based random generator" depends on MBEDTLS_CIPHER_AES_ENABLED default y config MBEDTLS_HMAC_DRBG_ENABLED bool "Enable the HMAC_DRBG random generator" select MBEDTLS_MD comment "Other configurations" config MBEDTLS_CIPHER bool "Enable the generic cipher layer." config MBEDTLS_MD bool "Enable the generic message digest layer." config MBEDTLS_GENPRIME_ENABLED bool "Enable the prime-number generation code." config MBEDTLS_PEM_CERTIFICATE_FORMAT bool "Enable support for PEM certificate format" help By default only DER (binary) format of certificates is supported. Enable this option to enable support for PEM format. config MBEDTLS_HAVE_ASM bool "Enable use of assembly code" default y if !ARM help Enable use of assembly code in mbedTLS. This improves the performances of asymmetric cryptography, however this might have an impact on the code size. config MBEDTLS_ENTROPY_ENABLED bool "Enable mbedTLS generic entropy pool" depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA512_ENABLED config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED bool "Enable mbedTLS optimizations for OpenThread" depends on NET_L2_OPENTHREAD default y if !NET_SOCKETS_SOCKOPT_TLS help Enable some OpenThread specific mbedTLS optimizations that allows to save some RAM/ROM when OpenThread is used. Note, that when application aims to use other mbedTLS services on top of OpenThread (e.g. secure sockets), it's advised to disable this option. config MBEDTLS_USER_CONFIG_ENABLE bool "Enable user mbedTLS config file" help Enable user mbedTLS config file that will be included at the end of the generic config file. config MBEDTLS_USER_CONFIG_FILE string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE help User config file that can contain mbedTLS configs that were not covered by the generic config file. config MBEDTLS_SERVER_NAME_INDICATION bool "Enable support for RFC 6066 server name indication (SNI) in SSL" help Enable this to support RFC 6066 server name indication (SNI) in SSL. This requires that MBEDTLS_X509_CRT_PARSE_C is also set. config MBEDTLS_PK_WRITE_C bool "Enable the generic public (asymetric) key writer" help Enable generic public key write functions. config MBEDTLS_HAVE_TIME_DATE bool "Enable date/time validation in mbed TLS" help System has time.h, time(), and an implementation for gmtime_r(). There also need to be a valid time source in the system, as mbedTLS expects a valid date/time for certificate validation." config MBEDTLS_PKCS5_C bool "Enable password-based encryption functions" select MBEDTLS_MD help Enable PKCS5 functions endmenu