diff --git a/crypto/mbedtls/Kconfig b/crypto/mbedtls/Kconfig index 3a80b57d1..71c716d3f 100644 --- a/crypto/mbedtls/Kconfig +++ b/crypto/mbedtls/Kconfig @@ -41,6 +41,7 @@ config MBEDTLS_SSL_SRV_C config MBEDTLS_PLATFORM_MEMORY bool "Enable the memory allocation layer." + depends on MBEDTLS_PLATFORM_C default n config MBEDTLS_ENTROPY_HARDWARE_ALT @@ -59,6 +60,7 @@ config MBEDTLS_NO_PLATFORM_ENTROPY config MBEDTLS_ECP_RESTARTABLE bool "Enable the restartable ECC." + depends on MBEDTLS_ECP_C default n config MBEDTLS_SELF_TEST @@ -67,6 +69,7 @@ config MBEDTLS_SELF_TEST config MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE bool "Enable server-side support for clients that reconnect from the same port." + depends on MBEDTLS_SSL_DTLS_HELLO_VERIFY default n config MBEDTLS_BLOWFISH_C @@ -185,6 +188,383 @@ config MBEDTLS_X509_CRT_POOL bool "Enable the X509 Certificate Pool" default n +config MBEDTLS_HAVE_ASM + bool "Enable compiler support for asm." + default n + +config MBEDTLS_HAVE_TIME_DATE + bool "Enable to verify the validity period of X.509 certificates when system have correct clock." + default n + +config MBEDTLS_CIPHER_MODE_CFB + bool "Enable Cipher Feedback mode (CFB) for symmetric ciphers." + default n + +config MBEDTLS_CIPHER_MODE_CTR + bool "Enable Counter Block Cipher mode (CTR) for symmetric ciphers." + default n + +config MBEDTLS_CIPHER_MODE_OFB + bool "Enable Output Feedback mode (OFB) for symmetric ciphers." + default n + +config MBEDTLS_CIPHER_MODE_XTS + bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES." + default n + +config MBEDTLS_CIPHER_PADDING_PKCS7 + bool "Enable PKCS7 padding mode in the cipher layer." + default n + +config MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS + bool "Enable bit padding mode in the cipher layer." + default n + +config MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN + bool "Enable zero and length padding mode in the cipher layer." + default n + +config MBEDTLS_CIPHER_PADDING_ZEROS + bool "Enable zeros padding mode in the cipher layer." + default n + +config MBEDTLS_ECP_DP_SECP192R1_ENABLED + bool "Enables SECP192R1 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_DP_SECP224R1_ENABLED + bool "Enables SECP224R1 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_DP_SECP384R1_ENABLED + bool "Enables SECP384R1 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_DP_SECP521R1_ENABLED + bool "Enables SECP521R1 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_DP_SECP192K1_ENABLED + bool "Enables SECP192K1 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_DP_SECP224K1_ENABLED + bool "Enables SECP224K1 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_DP_SECP256K1_ENABLED + bool "Enables SECP256K1 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_DP_BP256R1_ENABLED + bool "Enables BP256R1 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_DP_BP384R1_ENABLED + bool "Enables BP384R1 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_DP_BP512R1_ENABLED + bool "Enables BP512R1 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_DP_CURVE25519_ENABLED + bool "Enables CURVE25519 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_DP_CURVE448_ENABLED + bool "Enables CURVE448 curve within the Elliptic Curve module." + default n + +config MBEDTLS_ECP_NIST_OPTIM + bool "Enable specific 'modulo p' routines for each NIST prime." + default n + +config MBEDTLS_ECDSA_DETERMINISTIC + bool "Enable deterministic ECDSA (RFC 6979)." + depends on MBEDTLS_HMAC_DRBG_C && MBEDTLS_ECDSA_C + default n + +config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED + bool "Enable the PSK based ciphersuite modes in SSL / TLS." + default n + +config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + bool "Enable the DHE-PSK based ciphersuite modes in SSL / TLS." + depends on MBEDTLS_DHM_C + default n + +config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + bool "Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS." + depends on MBEDTLS_ECDH_C + default n + +config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + bool "Enable the RSA-PSK based ciphersuite modes in SSL / TLS." + default n + +config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + bool "Enable the DHE-RSA based ciphersuite modes in SSL / TLS." + depends on MBEDTLS_DHM_C + default n + +config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + bool "Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS." + depends on MBEDTLS_ECDH_C + default n + +config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + bool "Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS." + depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C + default n + +config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + bool "Enable the ECDH-RSA based ciphersuite modes in SSL / TLS." + depends on MBEDTLS_ECDH_C + default n + +config MBEDTLS_PK_PARSE_EC_EXTENDED + bool "Enhance support for reading EC keys using variants of SEC1 not allowed by RFC 5915 and RFC 5480." + default n + +config MBEDTLS_ERROR_STRERROR_DUMMY + bool "Enable a dummy error function to make use of mbedtls_strerror()." + default n + +config MBEDTLS_GENPRIME + bool "Enable the prime-number generation code." + default n + +config MBEDTLS_PK_RSA_ALT_SUPPORT + bool "Support external private RSA keys (eg from a HSM) in the PK layer." + default n + +config MBEDTLS_SSL_CONTEXT_SERIALIZATION + bool "Enable serialization of the TLS context structures." + depends on MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C + default n + +config MBEDTLS_SSL_ENCRYPT_THEN_MAC + bool "Enable support for Encrypt-then-MAC, RFC 7366." + default n + +config MBEDTLS_SSL_EXTENDED_MASTER_SECRET + bool "Enable Session Hash and Extended Master Secret Extension." + default n + +config MBEDTLS_SSL_RENEGOTIATION + bool "Enable support for TLS renegotiation." + default n + +config MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + bool "Enable support for RFC 6066 max_fragment_length extension in SSL." + default n + +config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + bool "Enable TLS 1.3 PSK key exchange mode." + default n + +config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + bool "Enable TLS 1.3 ephemeral key exchange mode." + depends on MBEDTLS_ECDH_C + default n + +config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + bool "Enable TLS 1.3 PSK ephemeral key exchange mode." + depends on MBEDTLS_ECDH_C + default n + +config CONFIG_MBEDTLS_SSL_MAX_EARLY_DATA_SIZE + int "The default maximum amount of 0-RTT data." + default 1024 + +config MBEDTLS_SSL_SESSION_TICKETS + bool "Enable support for RFC 5077 session tickets in SSL." + default n + +config MBEDTLS_SSL_SERVER_NAME_INDICATION + bool "Enable support for RFC 6066 server name indication (SNI) in SSL." + default n + +config MBEDTLS_THREADING_PTHREAD + bool "Enable the pthread wrapper layer for the threading layer." + depends on MBEDTLS_THREADING_C + default n + +config MBEDTLS_VERSION_FEATURES + bool "Allow run-time checking of compile-time enabled features." + depends on MBEDTLS_VERSION_C + default n + +config MBEDTLS_X509_RSASSA_PSS_SUPPORT + bool "Enable parsing and verification of X.509 certificates, CRLs and CSRS signed with RSASSA-PSS." + default n + +config MBEDTLS_AESCE_C + bool "Enable AES cryptographic extension support on 64-bit Arm." + depends on MBEDTLS_HAVE_ASM + default n + +config MBEDTLS_ARC4_C + bool "Enable the ARCFOUR stream cipher." + default n + +config MBEDTLS_ARIA_C + bool "Enable the ARIA block cipher." + default n + +config MBEDTLS_CCM_C + bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher." + default n + +config MBEDTLS_CHACHA20_C + bool "Enable the ChaCha20 stream cipher." + default n + +config MBEDTLS_CHACHAPOLY_C + bool "Enable the ChaCha20-Poly1305 AEAD algorithm." + depends on MBEDTLS_CHACHA20_C && MBEDTLS_POLY1305_C + default n + +config MBEDTLS_DHM_C + bool "Enable the Diffie-Hellman-Merkle module." + default n + +config MBEDTLS_ECDH_C + bool "Enable the elliptic curve Diffie-Hellman library." + depends on MBEDTLS_ECP_C + default n + +config MBEDTLS_ECDSA_C + bool "Enable the elliptic curve DSA library." + depends on MBEDTLS_ECP_C + default n + +config MBEDTLS_ECJPAKE_C + bool "Enable the elliptic curve J-PAKE library." + depends on MBEDTLS_ECP_C + default n + +config MBEDTLS_ECP_C + bool "Enable the elliptic curve over GF(p) library." + depends on MBEDTLS_ECP_DP_SECP256R1_ENABLED || MBEDTLS_ECP_DP_SECP192R1_ENABLED \ + || MBEDTLS_ECP_DP_SECP224R1_ENABLED || MBEDTLS_ECP_DP_SECP384R1_ENABLED \ + || MBEDTLS_ECP_DP_SECP521R1_ENABLED || MBEDTLS_ECP_DP_SECP192K1_ENABLED \ + || MBEDTLS_ECP_DP_SECP224K1_ENABLED || MBEDTLS_ECP_DP_SECP256K1_ENABLED \ + || MBEDTLS_ECP_DP_BP256R1_ENABLED || MBEDTLS_ECP_DP_BP384R1_ENABLED \ + || MBEDTLS_ECP_DP_BP512R1_ENABLED || MBEDTLS_ECP_DP_CURVE25519_ENABLED \ + || MBEDTLS_ECP_DP_CURVE448_ENABLED + default n + +config MBEDTLS_ERROR_C + bool "Enable error code to error string conversion." + default n + +config MBEDTLS_GCM_C + bool "Enable the Galois/Counter Mode (GCM)." + default n + +config MBEDTLS_HKDF_C + bool "Enable the HKDF algorithm (RFC 5869)." + default n + +config MBEDTLS_HMAC_DRBG_C + bool "Enable the HMAC_DRBG random generator." + default n + +config MBEDTLS_LMS_C + bool "Enable the LMS stateful-hash asymmetric signature algorithm." + depends on MBEDTLS_PSA_CRYPTO_C + default n + +config MBEDTLS_NIST_KW_C + bool "Enable the Key Wrapping mode for 128-bit block ciphers." + default n + +config MBEDTLS_PKCS5_C + bool "Enable PKCS#5 functions." + default n + +config MBEDTLS_PKCS7_C + bool "Enable PKCS #7 core for using PKCS #7-formatted signatures." + depends on MBEDTLS_X509_CRL_PARSE_C + default n + +config MBEDTLS_PKCS12_C + bool "Enable PKCS#12 PBE functions." + default n + +config MBEDTLS_PLATFORM_C + bool "Enable the platform abstraction layer." + default n + +config MBEDTLS_POLY1305_C + bool "Enable the Poly1305 MAC algorithm." + default n + +config MBEDTLS_PSA_CRYPTO_C + bool "Enable the Platform Security Architecture cryptography API." + default n + +config MBEDTLS_PSA_CRYPTO_STORAGE_C + bool "Enable the Platform Security Architecture persistent key storage." + depends on MBEDTLS_PSA_CRYPTO_C + default n + +config MBEDTLS_PSA_ITS_FILE_C + bool "Enable the emulation of the Platform Security Architecture Internal Trusted Storage (PSA ITS) over files." + default n + +config MBEDTLS_RIPEMD160_C + bool "Enable the RIPEMD-160 hash algorithm." + default n + +config MBEDTLS_SHA384_C + bool "Enable the SHA-384 cryptographic hash algorithm." + default n + +config MBEDTLS_SHA512_C + bool "Enable SHA-512 cryptographic hash algorithms." + default n + +config MBEDTLS_SSL_CACHE_C + bool "Enable simple SSL cache implementation." + default n + +config MBEDTLS_SSL_TICKET_C + bool "Enable an implementation of TLS server-side callbacks for session tickets." + depends on (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) && \ + (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C) + default n + +config MBEDTLS_THREADING_C + bool "Enable the threading abstraction layer." + default n + +config MBEDTLS_VERSION_C + bool "Enable run-time version information." + default n + +config MBEDTLS_X509_CRL_PARSE_C + bool "Enable X.509 CRL parsing." + default n + +config MBEDTLS_XTEA_C + bool "Enable the XTEA block cipher." + default n + +config MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE + int "Maximum time difference in milliseconds tolerated between the age of a ticket from the server and client point of view." + default 6000 + +config MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH + int "Size in bytes of a ticket nonce." + default 32 + +config MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH + int "Default number of NewSessionTicket messages to be sent by a TLS 1.3 server after handshake completion." + default 1 + if CRYPTO_CRYPTODEV config MBEDTLS_ALT diff --git a/crypto/mbedtls/include/mbedtls/mbedtls_config.h b/crypto/mbedtls/include/mbedtls/mbedtls_config.h index 3e810a482..c12e1e7c9 100644 --- a/crypto/mbedtls/include/mbedtls/mbedtls_config.h +++ b/crypto/mbedtls/include/mbedtls/mbedtls_config.h @@ -1919,7 +1919,7 @@ * */ #ifdef CONFIG_MBEDTLS_SSL_MAX_EARLY_DATA_SIZE -#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 +#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE CONFIG_MBEDTLS_SSL_MAX_EARLY_DATA_SIZE #endif /** @@ -4506,7 +4506,7 @@ * */ #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE -#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 +#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE CONFIG_MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE #endif /** @@ -4517,7 +4517,7 @@ * This must be less than 256. */ #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH -#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 +#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH CONFIG_MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH #endif /** @@ -4530,7 +4530,7 @@ * */ #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS -#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 +#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS CONFIG_MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS #endif /* X509 options */