# TLS/DTLS related options # Copyright (c) 2018 Intel Corporation # Copyright (c) 2018 Nordic Semiconductor ASA # SPDX-License-Identifier: Apache-2.0 menu "TLS configuration" depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" menu "Supported TLS version" config MBEDTLS_TLS_VERSION_1_0 bool "Support for TLS 1.0" select MBEDTLS_CIPHER select MBEDTLS_MAC_MD5_ENABLED select MBEDTLS_MAC_SHA1_ENABLED select MBEDTLS_MD config MBEDTLS_TLS_VERSION_1_1 bool "Support for TLS 1.1 (DTLS 1.0)" select MBEDTLS_CIPHER select MBEDTLS_MAC_MD5_ENABLED select MBEDTLS_MAC_SHA1_ENABLED select MBEDTLS_MD config MBEDTLS_TLS_VERSION_1_2 bool "Support for TLS 1.2 (DTLS 1.2)" default y if !NET_L2_OPENTHREAD select MBEDTLS_CIPHER select MBEDTLS_MD config MBEDTLS_DTLS bool "Support for DTLS" depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 config MBEDTLS_SSL_EXPORT_KEYS bool "Support for exporting SSL key block and master secret" depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 config MBEDTLS_SSL_ALPN bool "Support for setting the supported Application Layer Protocols" depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2 endmenu menu "Ciphersuite configuration" comment "Supported key exchange modes" config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED bool "All available ciphersuite modes" select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED select MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED select MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED select MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED select MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED bool "PSK based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED bool "DHE-PSK based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED bool "ECDHE-PSK based ciphersuite modes" select MBEDTLS_ECDH_C config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED bool "RSA-PSK based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED bool default y if MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || \ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || \ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED config MBEDTLS_PSK_MAX_LEN int "Max size of TLS pre-shared keys" default 32 depends on MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED help Max size of TLS pre-shared keys, in bytes. config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED bool "RSA-only based ciphersuite modes" default y if !NET_L2_OPENTHREAD config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED bool "DHE-RSA based ciphersuite modes" config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED bool "ECDHE-RSA based ciphersuite modes" select MBEDTLS_ECDH_C config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED bool "ECDHE-ECDSA based ciphersuite modes" select MBEDTLS_ECDH_C select MBEDTLS_ECDSA_C config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED bool "ECDH-ECDSA based ciphersuite modes" select MBEDTLS_ECDH_C select MBEDTLS_ECDSA_C config MBEDTLS_ECDSA_DETERMINISTIC bool "Deterministic ECDSA (RFC 6979)" config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED bool "ECDH-RSA based ciphersuite modes" select MBEDTLS_ECDH_C config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED bool "ECJPAKE based ciphersuite modes" select MBEDTLS_ECJPAKE_C comment "Elliptic curve libraries" config MBEDTLS_ECDH_C bool "Elliptic curve Diffie-Hellman library" select MBEDTLS_ECP_C config MBEDTLS_ECDSA_C bool "Elliptic curve DSA library" select MBEDTLS_ECP_C config MBEDTLS_ECJPAKE_C bool "Elliptic curve J-PAKE library" select MBEDTLS_ECP_C config MBEDTLS_ECP_C bool "Elliptic curve over GF(p) library" default y if UOSCORE || UEDHOC if MBEDTLS_ECP_C comment "Supported elliptic curves" config MBEDTLS_ECP_ALL_ENABLED bool "All available elliptic curves" select MBEDTLS_ECP_DP_SECP192R1_ENABLED select MBEDTLS_ECP_DP_SECP192R1_ENABLED select MBEDTLS_ECP_DP_SECP224R1_ENABLED select MBEDTLS_ECP_DP_SECP256R1_ENABLED select MBEDTLS_ECP_DP_SECP384R1_ENABLED select MBEDTLS_ECP_DP_SECP521R1_ENABLED select MBEDTLS_ECP_DP_SECP192K1_ENABLED select MBEDTLS_ECP_DP_SECP224K1_ENABLED select MBEDTLS_ECP_DP_SECP256K1_ENABLED select MBEDTLS_ECP_DP_BP256R1_ENABLED select MBEDTLS_ECP_DP_BP384R1_ENABLED select MBEDTLS_ECP_DP_BP512R1_ENABLED select MBEDTLS_ECP_DP_CURVE25519_ENABLED select MBEDTLS_ECP_DP_CURVE448_ENABLED select MBEDTLS_ECP_NIST_OPTIM config MBEDTLS_ECP_DP_SECP192R1_ENABLED bool "SECP192R1 elliptic curve" config MBEDTLS_ECP_DP_SECP224R1_ENABLED bool "SECP224R1 elliptic curve" config MBEDTLS_ECP_DP_SECP256R1_ENABLED bool "SECP256R1 elliptic curve" default y if UOSCORE || UEDHOC config MBEDTLS_ECP_DP_SECP384R1_ENABLED bool "SECP384R1 elliptic curve" config MBEDTLS_ECP_DP_SECP521R1_ENABLED bool "SECP521R1 elliptic curve" config MBEDTLS_ECP_DP_SECP192K1_ENABLED bool "SECP192K1 elliptic curve" config MBEDTLS_ECP_DP_SECP224K1_ENABLED bool "SECP224K1 elliptic curve" config MBEDTLS_ECP_DP_SECP256K1_ENABLED bool "SECP256K1 elliptic curve" config MBEDTLS_ECP_DP_BP256R1_ENABLED bool "BP256R1 elliptic curve" config MBEDTLS_ECP_DP_BP384R1_ENABLED bool "BP384R1 elliptic curve" config MBEDTLS_ECP_DP_BP512R1_ENABLED bool "BP512R1 elliptic curve" config MBEDTLS_ECP_DP_CURVE25519_ENABLED bool "CURVE25519 elliptic curve" config MBEDTLS_ECP_DP_CURVE448_ENABLED bool "CURVE448 elliptic curve" config MBEDTLS_ECP_NIST_OPTIM bool "NSIT curves optimization" endif comment "Supported hash" config MBEDTLS_HASH_ALL_ENABLED bool "All available hashes" select MBEDTLS_HASH_SHA256_ENABLED select MBEDTLS_HASH_SHA384_ENABLED select MBEDTLS_HASH_SHA512_ENABLED config MBEDTLS_HASH_SHA256_ENABLED bool "SHA256 hash" default y if !NET_L2_OPENTHREAD config MBEDTLS_HASH_SHA384_ENABLED bool "SHA384 hash" default y if !NET_L2_OPENTHREAD select MBEDTLS_HASH_SHA512_ENABLED config MBEDTLS_HASH_SHA512_ENABLED bool "SHA512 hash" default y if !NET_L2_OPENTHREAD comment "Supported cipher modes" config MBEDTLS_CIPHER_ALL_ENABLED bool "All available ciphers" select MBEDTLS_CIPHER_AES_ENABLED select MBEDTLS_CIPHER_CAMELLIA_ENABLED select MBEDTLS_CIPHER_DES_ENABLED select MBEDTLS_CIPHER_ARC4_ENABLED select MBEDTLS_CIPHER_CHACHA20_ENABLED select MBEDTLS_CIPHER_BLOWFISH_ENABLED select MBEDTLS_CIPHER_CCM_ENABLED select MBEDTLS_CIPHER_GCM_ENABLED select MBEDTLS_CIPHER_MODE_XTS_ENABLED select MBEDTLS_CIPHER_MODE_CBC_ENABLED select MBEDTLS_CIPHER_MODE_CTR_ENABLED select MBEDTLS_CHACHAPOLY_AEAD_ENABLED config MBEDTLS_CIPHER_AES_ENABLED bool "AES block cipher" default y config MBEDTLS_AES_ROM_TABLES depends on MBEDTLS_CIPHER_AES_ENABLED bool "Use precomputed AES tables stored in ROM." default y config MBEDTLS_CIPHER_CAMELLIA_ENABLED bool "Camellia block cipher" config MBEDTLS_CIPHER_DES_ENABLED bool "DES block cipher" default y if !NET_L2_OPENTHREAD config MBEDTLS_CIPHER_ARC4_ENABLED bool "ARC4 stream cipher" config MBEDTLS_CIPHER_CHACHA20_ENABLED bool "ChaCha20 stream cipher" config MBEDTLS_CIPHER_BLOWFISH_ENABLED bool "Blowfish block cipher" config MBEDTLS_CIPHER_CCM_ENABLED bool "Counter with CBC-MAC (CCM) mode for 128-bit block cipher" depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED default y if UOSCORE || UEDHOC config MBEDTLS_CIPHER_GCM_ENABLED bool "Galois/Counter Mode (GCM) for AES" depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED config MBEDTLS_CIPHER_MODE_XTS_ENABLED bool "Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES" depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED config MBEDTLS_CIPHER_MODE_CBC_ENABLED bool "Cipher Block Chaining mode (CBC) for symmetric ciphers" default y if !NET_L2_OPENTHREAD config MBEDTLS_CIPHER_MODE_CTR_ENABLED bool "Counter Block Cipher mode (CTR) for symmetric ciphers." config MBEDTLS_CHACHAPOLY_AEAD_ENABLED bool "ChaCha20-Poly1305 AEAD algorithm" depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED comment "Supported message authentication methods" config MBEDTLS_MAC_ALL_ENABLED bool "All available MAC methods" select MBEDTLS_MAC_MD4_ENABLED select MBEDTLS_MAC_MD5_ENABLED select MBEDTLS_MAC_SHA1_ENABLED select MBEDTLS_MAC_SHA256_ENABLED select MBEDTLS_MAC_SHA384_ENABLED select MBEDTLS_MAC_SHA512_ENABLED select MBEDTLS_MAC_POLY1305_ENABLED select MBEDTLS_MAC_CMAC_ENABLED config MBEDTLS_MAC_MD4_ENABLED bool "MD4 hash algorithm" config MBEDTLS_MAC_MD5_ENABLED bool "MD5 hash algorithm" default y if !NET_L2_OPENTHREAD config MBEDTLS_MAC_SHA1_ENABLED bool "SHA1 hash algorithm" default y if !NET_L2_OPENTHREAD config MBEDTLS_MAC_SHA256_ENABLED bool "SHA-224 and SHA-256 hash algorithms" default y config MBEDTLS_SHA256_SMALLER bool "Smaller SHA-256 implementation" depends on MBEDTLS_MAC_SHA256_ENABLED default y help Enable an implementation of SHA-256 that has lower ROM footprint but also lower performance config MBEDTLS_MAC_SHA384_ENABLED bool "SHA-384 hash algorithm" select MBEDTLS_MAC_SHA512_ENABLED config MBEDTLS_MAC_SHA512_ENABLED bool "SHA-512 hash algorithm" config MBEDTLS_MAC_POLY1305_ENABLED bool "Poly1305 MAC algorithm" config MBEDTLS_MAC_CMAC_ENABLED bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers." depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED endmenu comment "Random number generators" config MBEDTLS_CTR_DRBG_ENABLED bool "CTR_DRBG AES-256-based random generator" depends on MBEDTLS_CIPHER_AES_ENABLED default y config MBEDTLS_HMAC_DRBG_ENABLED bool "HMAC_DRBG random generator" select MBEDTLS_MD comment "Other configurations" config MBEDTLS_CIPHER bool "generic cipher layer." config MBEDTLS_MD bool "generic message digest layer." config MBEDTLS_GENPRIME_ENABLED bool "prime-number generation code." config MBEDTLS_PEM_CERTIFICATE_FORMAT bool "Support for PEM certificate format" help By default only DER (binary) format of certificates is supported. Enable this option to enable support for PEM format. config MBEDTLS_HAVE_ASM bool "Use of assembly code" default y if !ARM help Enable use of assembly code in mbedTLS. This improves the performances of asymmetric cryptography, however this might have an impact on the code size. config MBEDTLS_ENTROPY_ENABLED bool "MbedTLS generic entropy pool" depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA384_ENABLED || MBEDTLS_MAC_SHA512_ENABLED default y if MBEDTLS_ZEPHYR_ENTROPY config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED bool "MbedTLS optimizations for OpenThread" depends on NET_L2_OPENTHREAD default y if !NET_SOCKETS_SOCKOPT_TLS help Enable some OpenThread specific mbedTLS optimizations that allows to save some RAM/ROM when OpenThread is used. Note, that when application aims to use other mbedTLS services on top of OpenThread (e.g. secure sockets), it's advised to disable this option. config MBEDTLS_USER_CONFIG_ENABLE bool "User mbedTLS config file" help Enable user mbedTLS config file that will be included at the end of the generic config file. config MBEDTLS_USER_CONFIG_FILE string "User configuration file for mbed TLS" if MBEDTLS_USER_CONFIG_ENABLE help User config file that can contain mbedTLS configs that were not covered by the generic config file. config MBEDTLS_SERVER_NAME_INDICATION bool "Support for RFC 6066 server name indication (SNI) in SSL" help Enable this to support RFC 6066 server name indication (SNI) in SSL. This requires that MBEDTLS_X509_CRT_PARSE_C is also set. config MBEDTLS_PK_WRITE_C bool "The generic public (asymmetric) key writer" help Enable generic public key write functions. config MBEDTLS_HAVE_TIME_DATE bool "Date/time validation in mbed TLS" help System has time.h, time(), and an implementation for gmtime_r(). There also need to be a valid time source in the system, as mbedTLS expects a valid date/time for certificate validation." config MBEDTLS_PKCS5_C bool "Password-based encryption functions" select MBEDTLS_MD help Enable PKCS5 functions config MBEDTLS_SSL_CACHE_C bool "SSL session cache support" help "This option enables simple SSL cache implementation (server side)." config MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT int "Default timeout for SSL cache entires" depends on MBEDTLS_SSL_CACHE_C default 86400 config MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES int "Maximum number of SSL cache entires" depends on MBEDTLS_SSL_CACHE_C default 5 config MBEDTLS_SSL_EXTENDED_MASTER_SECRET bool "(D)TLS Extended Master Secret extension" depends on MBEDTLS_TLS_VERSION_1_2 help Enable support for the (D)TLS Extended Master Secret extension which ensures that master secrets are different for every connection and every session. config MBEDTLS_PSA_CRYPTO_C bool "Platform Security Architecture cryptography API" depends on MBEDTLS_ENTROPY_ENABLED depends on MBEDTLS_CTR_DRBG_ENABLED || MBEDTLS_HMAC_DRBG_ENABLED default y if UOSCORE || UEDHOC endmenu