mbedtls: set most of the functions of mbedtls to be configurable

(1)reduce size and improve compilation efficiency
(2)provide more options for greater flexibility
Signed-off-by: makejian <makejian@xiaomi.com>
This commit is contained in:
makejian 2023-08-29 17:58:43 +08:00 committed by Xiang Xiao
parent 4981dbe32b
commit 53878a53db
2 changed files with 384 additions and 4 deletions

View File

@ -41,6 +41,7 @@ config MBEDTLS_SSL_SRV_C
config MBEDTLS_PLATFORM_MEMORY config MBEDTLS_PLATFORM_MEMORY
bool "Enable the memory allocation layer." bool "Enable the memory allocation layer."
depends on MBEDTLS_PLATFORM_C
default n default n
config MBEDTLS_ENTROPY_HARDWARE_ALT config MBEDTLS_ENTROPY_HARDWARE_ALT
@ -59,6 +60,7 @@ config MBEDTLS_NO_PLATFORM_ENTROPY
config MBEDTLS_ECP_RESTARTABLE config MBEDTLS_ECP_RESTARTABLE
bool "Enable the restartable ECC." bool "Enable the restartable ECC."
depends on MBEDTLS_ECP_C
default n default n
config MBEDTLS_SELF_TEST config MBEDTLS_SELF_TEST
@ -67,6 +69,7 @@ config MBEDTLS_SELF_TEST
config MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE config MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
bool "Enable server-side support for clients that reconnect from the same port." bool "Enable server-side support for clients that reconnect from the same port."
depends on MBEDTLS_SSL_DTLS_HELLO_VERIFY
default n default n
config MBEDTLS_BLOWFISH_C config MBEDTLS_BLOWFISH_C
@ -185,6 +188,383 @@ config MBEDTLS_X509_CRT_POOL
bool "Enable the X509 Certificate Pool" bool "Enable the X509 Certificate Pool"
default n default n
config MBEDTLS_HAVE_ASM
bool "Enable compiler support for asm."
default n
config MBEDTLS_HAVE_TIME_DATE
bool "Enable to verify the validity period of X.509 certificates when system have correct clock."
default n
config MBEDTLS_CIPHER_MODE_CFB
bool "Enable Cipher Feedback mode (CFB) for symmetric ciphers."
default n
config MBEDTLS_CIPHER_MODE_CTR
bool "Enable Counter Block Cipher mode (CTR) for symmetric ciphers."
default n
config MBEDTLS_CIPHER_MODE_OFB
bool "Enable Output Feedback mode (OFB) for symmetric ciphers."
default n
config MBEDTLS_CIPHER_MODE_XTS
bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES."
default n
config MBEDTLS_CIPHER_PADDING_PKCS7
bool "Enable PKCS7 padding mode in the cipher layer."
default n
config MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
bool "Enable bit padding mode in the cipher layer."
default n
config MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
bool "Enable zero and length padding mode in the cipher layer."
default n
config MBEDTLS_CIPHER_PADDING_ZEROS
bool "Enable zeros padding mode in the cipher layer."
default n
config MBEDTLS_ECP_DP_SECP192R1_ENABLED
bool "Enables SECP192R1 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_DP_SECP224R1_ENABLED
bool "Enables SECP224R1 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_DP_SECP384R1_ENABLED
bool "Enables SECP384R1 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_DP_SECP521R1_ENABLED
bool "Enables SECP521R1 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_DP_SECP192K1_ENABLED
bool "Enables SECP192K1 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_DP_SECP224K1_ENABLED
bool "Enables SECP224K1 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_DP_SECP256K1_ENABLED
bool "Enables SECP256K1 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_DP_BP256R1_ENABLED
bool "Enables BP256R1 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_DP_BP384R1_ENABLED
bool "Enables BP384R1 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_DP_BP512R1_ENABLED
bool "Enables BP512R1 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_DP_CURVE25519_ENABLED
bool "Enables CURVE25519 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_DP_CURVE448_ENABLED
bool "Enables CURVE448 curve within the Elliptic Curve module."
default n
config MBEDTLS_ECP_NIST_OPTIM
bool "Enable specific 'modulo p' routines for each NIST prime."
default n
config MBEDTLS_ECDSA_DETERMINISTIC
bool "Enable deterministic ECDSA (RFC 6979)."
depends on MBEDTLS_HMAC_DRBG_C && MBEDTLS_ECDSA_C
default n
config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
bool "Enable the PSK based ciphersuite modes in SSL / TLS."
default n
config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
bool "Enable the DHE-PSK based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_DHM_C
default n
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
bool "Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_ECDH_C
default n
config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
bool "Enable the RSA-PSK based ciphersuite modes in SSL / TLS."
default n
config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
bool "Enable the DHE-RSA based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_DHM_C
default n
config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
bool "Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_ECDH_C
default n
config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
bool "Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
default n
config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
bool "Enable the ECDH-RSA based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_ECDH_C
default n
config MBEDTLS_PK_PARSE_EC_EXTENDED
bool "Enhance support for reading EC keys using variants of SEC1 not allowed by RFC 5915 and RFC 5480."
default n
config MBEDTLS_ERROR_STRERROR_DUMMY
bool "Enable a dummy error function to make use of mbedtls_strerror()."
default n
config MBEDTLS_GENPRIME
bool "Enable the prime-number generation code."
default n
config MBEDTLS_PK_RSA_ALT_SUPPORT
bool "Support external private RSA keys (eg from a HSM) in the PK layer."
default n
config MBEDTLS_SSL_CONTEXT_SERIALIZATION
bool "Enable serialization of the TLS context structures."
depends on MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C
default n
config MBEDTLS_SSL_ENCRYPT_THEN_MAC
bool "Enable support for Encrypt-then-MAC, RFC 7366."
default n
config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
bool "Enable Session Hash and Extended Master Secret Extension."
default n
config MBEDTLS_SSL_RENEGOTIATION
bool "Enable support for TLS renegotiation."
default n
config MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
bool "Enable support for RFC 6066 max_fragment_length extension in SSL."
default n
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
bool "Enable TLS 1.3 PSK key exchange mode."
default n
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
bool "Enable TLS 1.3 ephemeral key exchange mode."
depends on MBEDTLS_ECDH_C
default n
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
bool "Enable TLS 1.3 PSK ephemeral key exchange mode."
depends on MBEDTLS_ECDH_C
default n
config CONFIG_MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
int "The default maximum amount of 0-RTT data."
default 1024
config MBEDTLS_SSL_SESSION_TICKETS
bool "Enable support for RFC 5077 session tickets in SSL."
default n
config MBEDTLS_SSL_SERVER_NAME_INDICATION
bool "Enable support for RFC 6066 server name indication (SNI) in SSL."
default n
config MBEDTLS_THREADING_PTHREAD
bool "Enable the pthread wrapper layer for the threading layer."
depends on MBEDTLS_THREADING_C
default n
config MBEDTLS_VERSION_FEATURES
bool "Allow run-time checking of compile-time enabled features."
depends on MBEDTLS_VERSION_C
default n
config MBEDTLS_X509_RSASSA_PSS_SUPPORT
bool "Enable parsing and verification of X.509 certificates, CRLs and CSRS signed with RSASSA-PSS."
default n
config MBEDTLS_AESCE_C
bool "Enable AES cryptographic extension support on 64-bit Arm."
depends on MBEDTLS_HAVE_ASM
default n
config MBEDTLS_ARC4_C
bool "Enable the ARCFOUR stream cipher."
default n
config MBEDTLS_ARIA_C
bool "Enable the ARIA block cipher."
default n
config MBEDTLS_CCM_C
bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher."
default n
config MBEDTLS_CHACHA20_C
bool "Enable the ChaCha20 stream cipher."
default n
config MBEDTLS_CHACHAPOLY_C
bool "Enable the ChaCha20-Poly1305 AEAD algorithm."
depends on MBEDTLS_CHACHA20_C && MBEDTLS_POLY1305_C
default n
config MBEDTLS_DHM_C
bool "Enable the Diffie-Hellman-Merkle module."
default n
config MBEDTLS_ECDH_C
bool "Enable the elliptic curve Diffie-Hellman library."
depends on MBEDTLS_ECP_C
default n
config MBEDTLS_ECDSA_C
bool "Enable the elliptic curve DSA library."
depends on MBEDTLS_ECP_C
default n
config MBEDTLS_ECJPAKE_C
bool "Enable the elliptic curve J-PAKE library."
depends on MBEDTLS_ECP_C
default n
config MBEDTLS_ECP_C
bool "Enable the elliptic curve over GF(p) library."
depends on MBEDTLS_ECP_DP_SECP256R1_ENABLED || MBEDTLS_ECP_DP_SECP192R1_ENABLED \
|| MBEDTLS_ECP_DP_SECP224R1_ENABLED || MBEDTLS_ECP_DP_SECP384R1_ENABLED \
|| MBEDTLS_ECP_DP_SECP521R1_ENABLED || MBEDTLS_ECP_DP_SECP192K1_ENABLED \
|| MBEDTLS_ECP_DP_SECP224K1_ENABLED || MBEDTLS_ECP_DP_SECP256K1_ENABLED \
|| MBEDTLS_ECP_DP_BP256R1_ENABLED || MBEDTLS_ECP_DP_BP384R1_ENABLED \
|| MBEDTLS_ECP_DP_BP512R1_ENABLED || MBEDTLS_ECP_DP_CURVE25519_ENABLED \
|| MBEDTLS_ECP_DP_CURVE448_ENABLED
default n
config MBEDTLS_ERROR_C
bool "Enable error code to error string conversion."
default n
config MBEDTLS_GCM_C
bool "Enable the Galois/Counter Mode (GCM)."
default n
config MBEDTLS_HKDF_C
bool "Enable the HKDF algorithm (RFC 5869)."
default n
config MBEDTLS_HMAC_DRBG_C
bool "Enable the HMAC_DRBG random generator."
default n
config MBEDTLS_LMS_C
bool "Enable the LMS stateful-hash asymmetric signature algorithm."
depends on MBEDTLS_PSA_CRYPTO_C
default n
config MBEDTLS_NIST_KW_C
bool "Enable the Key Wrapping mode for 128-bit block ciphers."
default n
config MBEDTLS_PKCS5_C
bool "Enable PKCS#5 functions."
default n
config MBEDTLS_PKCS7_C
bool "Enable PKCS #7 core for using PKCS #7-formatted signatures."
depends on MBEDTLS_X509_CRL_PARSE_C
default n
config MBEDTLS_PKCS12_C
bool "Enable PKCS#12 PBE functions."
default n
config MBEDTLS_PLATFORM_C
bool "Enable the platform abstraction layer."
default n
config MBEDTLS_POLY1305_C
bool "Enable the Poly1305 MAC algorithm."
default n
config MBEDTLS_PSA_CRYPTO_C
bool "Enable the Platform Security Architecture cryptography API."
default n
config MBEDTLS_PSA_CRYPTO_STORAGE_C
bool "Enable the Platform Security Architecture persistent key storage."
depends on MBEDTLS_PSA_CRYPTO_C
default n
config MBEDTLS_PSA_ITS_FILE_C
bool "Enable the emulation of the Platform Security Architecture Internal Trusted Storage (PSA ITS) over files."
default n
config MBEDTLS_RIPEMD160_C
bool "Enable the RIPEMD-160 hash algorithm."
default n
config MBEDTLS_SHA384_C
bool "Enable the SHA-384 cryptographic hash algorithm."
default n
config MBEDTLS_SHA512_C
bool "Enable SHA-512 cryptographic hash algorithms."
default n
config MBEDTLS_SSL_CACHE_C
bool "Enable simple SSL cache implementation."
default n
config MBEDTLS_SSL_TICKET_C
bool "Enable an implementation of TLS server-side callbacks for session tickets."
depends on (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) && \
(MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)
default n
config MBEDTLS_THREADING_C
bool "Enable the threading abstraction layer."
default n
config MBEDTLS_VERSION_C
bool "Enable run-time version information."
default n
config MBEDTLS_X509_CRL_PARSE_C
bool "Enable X.509 CRL parsing."
default n
config MBEDTLS_XTEA_C
bool "Enable the XTEA block cipher."
default n
config MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE
int "Maximum time difference in milliseconds tolerated between the age of a ticket from the server and client point of view."
default 6000
config MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH
int "Size in bytes of a ticket nonce."
default 32
config MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH
int "Default number of NewSessionTicket messages to be sent by a TLS 1.3 server after handshake completion."
default 1
if CRYPTO_CRYPTODEV if CRYPTO_CRYPTODEV
config MBEDTLS_ALT config MBEDTLS_ALT

View File

@ -1919,7 +1919,7 @@
* *
*/ */
#ifdef CONFIG_MBEDTLS_SSL_MAX_EARLY_DATA_SIZE #ifdef CONFIG_MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 #define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE CONFIG_MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
#endif #endif
/** /**
@ -4506,7 +4506,7 @@
* *
*/ */
#ifdef CONFIG_MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE
#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 #define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE CONFIG_MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE
#endif #endif
/** /**
@ -4517,7 +4517,7 @@
* This must be less than 256. * This must be less than 256.
*/ */
#ifdef CONFIG_MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH
#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 #define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH CONFIG_MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH
#endif #endif
/** /**
@ -4530,7 +4530,7 @@
* *
*/ */
#ifdef CONFIG_MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS
#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 #define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS CONFIG_MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS
#endif #endif
/* X509 options */ /* X509 options */