diff --git a/ext/lib/crypto/mbedtls/Kconfig b/ext/lib/crypto/mbedtls/Kconfig
index 74a04a51f4e86..974ab71441727 100644
--- a/ext/lib/crypto/mbedtls/Kconfig
+++ b/ext/lib/crypto/mbedtls/Kconfig
@@ -44,12 +44,18 @@ endchoice
 config MBEDTLS_CFG_FILE
 string "mbed TLS configuration file"
 depends on MBEDTLS_BUILTIN
- default "config-mini-tls1_2.h"
+ default "config-tls-generic.h"
 help
- Use a specific mbed TLS configuration file. The default is suitable to
- communicate with majority of HTTPS servers on the Internet, but has
- relatively many features enabled. To optimize resources for special
- TLS usage, an alternative config may be selected.
+ Use a specific mbed TLS configuration file. The default config file
+ file can be tweaked with Kconfig. The default configuration is
+ suitable to communicate with majority of HTTPS servers on the Internet,
+ but has relatively many features enabled. To optimize resources for
+ special TLS usage, use available Kconfig options, or select an
+ alternative config.
+
+if MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"
+source "ext/lib/crypto/mbedtls/Kconfig.tls-generic"
+endif
 config MBEDTLS_SSL_MAX_CONTENT_LEN
 int "Max payload size for TLS protocol message"
diff --git a/ext/lib/crypto/mbedtls/Kconfig.tls-generic b/ext/lib/crypto/mbedtls/Kconfig.tls-generic
new file mode 100644
index 0000000000000..5e9b79823b901
--- /dev/null
+++ b/ext/lib/crypto/mbedtls/Kconfig.tls-generic
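Review bot: The new help text repeats a word across its first two lines ("The default config file" / "file can be tweaked with Kconfig"); the second line should start `can be tweaked with Kconfig.`. Since this hunk also changes the default of `MBEDTLS_CFG_FILE`, the help would be clearer if it said that the `TLS_*` options are only offered while the value is `config-tls-generic.h`, as the `if MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"` guard below it enforces.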
@@ -0,0 +1,217 @@
+# Kconfig.tls - TLS/DTLS related options
+
+#
+# Copyright (c) 2018 Intel Corporation
+# Copyright (c) 2018 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+menu "TLS configuration"
+
+menu "Supported TLS version"
+
+config TLS_VERSION_1_0
+ bool "Enable support for TLS 1.0"
+ select TLS_MAC_MD5_ENABLED
+ select TLS_MAC_SHA1_ENABLED
+ default n
+
+config TLS_VERSION_1_1
+ bool "Enable support for TLS 1.1 (DTLS 1.0)"
+ select TLS_MAC_MD5_ENABLED
+ select TLS_MAC_SHA1_ENABLED
+ default n
+
+config TLS_VERSION_1_2
+ bool "Enable support for TLS 1.2 (DTLS 1.2)"
+ default y
+
+config TLS_DTLS
+ bool "Enable support for DTLS"
+ depends on TLS_VERSION_1_1 || TLS_VERSION_1_2
+ default n
+
+endmenu
+
+menu "Ciphersuite configuration"
+
+comment "Supported key exchange modes"
+
+config TLS_KEY_EXCHANGE_PSK_ENABLED
+ bool "Enable the PSK based ciphersuite modes"
+ default n
+
+config TLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+ bool "Enable the DHE-PSK based ciphersuite modes"
+ default n
+
+config TLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+ bool "Enable the ECDHE-PSK based ciphersuite modes"
+ default n
+
+config TLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+ bool "Enable the RSA-PSK based ciphersuite modes"
+ default n
+
+config TLS_KEY_EXCHANGE_RSA_ENABLED
+ bool "Enable the RSA-only based ciphersuite modes"
+ default y
+
+config TLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+ bool "Enable the DHE-RSA based ciphersuite modes"
+ default n
+
+config TLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+ bool "Enable the ECDHE-RSA based ciphersuite modes"
+ default n
+
+config TLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ bool "Enable the ECDHE-ECDSA based ciphersuite modes"
+ default n
+
+config TLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+ bool "Enable the ECDH-ECDSA based ciphersuite modes"
+ default n
+
+config TLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+ bool "Enable the ECDH-RSA based ciphersuite modes"
+ default n
+
+config TLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+ bool "Enable the ECJPAKE based ciphersuite modes"
+ default n
+
+if TLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
+ TLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
+ TLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || \
+ TLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || \
+ TLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \
+ TLS_KEY_EXCHANGE_ECJPAKE_ENABLED \
+
+comment "Supported elliptic curves"
+
+config TLS_ECP_DP_SECP192R1_ENABLED
+ bool "Enable SECP192R1 elliptic curve"
+ default n
+
+config TLS_ECP_DP_SECP224R1_ENABLED
+ bool "Enable SECP224R1 elliptic curve"
+ default n
+
+config TLS_ECP_DP_SECP256R1_ENABLED
+ bool "Enable SECP256R1 elliptic curve"
+ default n
+
+config TLS_ECP_DP_SECP384R1_ENABLED
+ bool "Enable SECP384R1 elliptic curve"
+ default n
+
+config TLS_ECP_DP_SECP521R1_ENABLED
+ bool "Enable SECP521R1 elliptic curve"
+ default n
+
+config TLS_ECP_DP_SECP192K1_ENABLED
+ bool "Enable SECP192K1 elliptic curve"
+ default n
+
+config TLS_ECP_DP_SECP224K1_ENABLED
+ bool "Enable SECP224K1 elliptic curve"
+ default n
+
+config TLS_ECP_DP_SECP256K1_ENABLED
+ bool "Enable SECP256K1 elliptic curve"
+ default n
+
+config TLS_ECP_DP_BP256R1_ENABLED
+ bool "Enable BP256R1 elliptic curve"
+ default n
+
+config TLS_ECP_DP_BP384R1_ENABLED
+ bool "Enable BP384R1 elliptic curve"
+ default n
+
+config TLS_ECP_DP_BP512R1_ENABLED
+ bool "Enable BP512R1 elliptic curve"
+ default n
+
+config TLS_ECP_DP_CURVE25519_ENABLED
+ bool "Enable CURVE25519 elliptic curve"
+ default n
+
+config TLS_ECP_DP_CURVE448_ENABLED
+ bool "Enable CURVE448 elliptic curve"
+ default n
+
+config TLS_ECP_NIST_OPTIM
+ bool "Enable NSIT curves optimization"
+ default n
+
+endif
+
+comment "Supported cipher modes"
+
+config TLS_CIPHER_AES_ENABLED
+ bool "Enable the AES block cipher"
+ default y
+
+config TLS_CIPHER_CAMELLIA_ENABLED
+ bool "Enable the Camellia block cipher"
+ default n
+
+config TLS_CIPHER_DES_ENABLED
+ bool "Enable the DES block cipher"
+ default y
+
+config TLS_CIPHER_CCM_ENABLED
+ bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
+ default n
+ depends on TLS_CIPHER_AES_ENABLED || TLS_CIPHER_CAMELLIA_ENABLED
+
+config TLS_CIPHER_CBC_ENABLED
+ bool "Enable Cipher Block Chaining mode (CBC) for symmetric ciphers"
+ default y
+
+comment "Supported message authentication methods"
+
+config TLS_MAC_MD5_ENABLED
+ bool "Enable the MD5 hash algorithm"
+ default y
+
+config TLS_MAC_SHA1_ENABLED
+ bool "Enable the SHA1 hash algorithm"
+ default y
+
+config TLS_MAC_SHA256_ENABLED
+ bool "Enable the SHA-224 and SHA-256 hash algorithms"
+ default y
+
+config TLS_MAC_SHA512_ENABLED
+ bool "Enable the SHA-384 and SHA-512 hash algorithms"
+ default n
+
+endmenu
+
+config TLS_PEM_CERTIFICATE_FORMAT
+ bool "Enable support for PEM certificate format"
+ default n
+ help
+ By default only DER (binary) format of certificates is supported. Enable
+ this option to enable support for PEM format.
+
+config TLS_USER_CONFIG_ENABLE
+ bool "Enable user mbedTLS config file"
+ default n
+ help
+ Enable user mbedTLS config file that will be included at the end of
+ the generic config file.
+
+config TLS_USER_CONFIG_FILE
+ string "User configuration file for mbedTLS"
+ depends on TLS_USER_CONFIG_ENABLE
+ default ""
+ help
+ User config file that can contain mbedTLS configs that were not
+ covered by the generic config file.
+
+endmenu
diff --git a/ext/lib/crypto/mbedtls/configs/config-tls-generic.h b/ext/lib/crypto/mbedtls/configs/config-tls-generic.h
new file mode 100644
index 0000000000000..64a79abe49e17
--- /dev/null
+++ b/ext/lib/crypto/mbedtls/configs/config-tls-generic.h
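Review bot: `TLS_CIPHER_DES_ENABLED` and `TLS_MAC_MD5_ENABLED` default to `y` in this new file, so the generic configuration that now becomes the default builds DES and MD5 in even though only `TLS_VERSION_1_2` is on by default. `TLS_VERSION_1_0` and `TLS_VERSION_1_1` already `select TLS_MAC_MD5_ENABLED` and `TLS_MAC_SHA1_ENABLED`, so both symbols could be `default n` and still be pulled in when a legacy version is chosen; the same may hold for `TLS_MAC_SHA1_ENABLED`, unless peers' certificate chains are expected to need SHA-1 (to be confirmed). The only key exchange enabled by default is `TLS_KEY_EXCHANGE_RSA_ENABLED`, which provides no forward secrecy, and a `help` text on that symbol saying so would let integrators make an informed choice. The prompt of `TLS_ECP_NIST_OPTIM` also has a typo and should read `bool "Enable NIST curves optimization"`.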
@@ -0,0 +1,337 @@
+/*
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright (c) 2017 Intel Corporation.
+ * Copyright (c) 2018 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Generic configuration for TLS, manageable by Kconfig.
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+/* System support */
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define MBEDTLS_PLATFORM_EXIT_ALT
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#define MBEDTLS_PLATFORM_PRINTF_ALT
+
+#if !defined(CONFIG_ARM)
+#define MBEDTLS_HAVE_ASM
+#endif
+
+#if defined(CONFIG_MBEDTLS_TEST)
+#define MBEDTLS_SELF_TEST
+#define MBEDTLS_DEBUG_C
+#endif
+
+/* mbedTLS feature support */
+
+/* Supported TLS versions */
+#if defined(CONFIG_TLS_VERSION_1_0)
+#define MBEDTLS_SSL_PROTO_TLS1
+#endif
+
+#if defined(CONFIG_TLS_VERSION_1_1)
+#define MBEDTLS_SSL_PROTO_TLS1_1
+#endif
+
+#if defined(CONFIG_TLS_VERSION_1_2)
+#define MBEDTLS_SSL_PROTO_TLS1_2
+#endif
+
+
+#if defined(CONFIG_TLS_VERSION_1_0) || \
+ defined(CONFIG_TLS_VERSION_1_1) || \
+ defined(CONFIG_TLS_VERSION_1_2)
+
+/* Modules required for TLS */
+#define MBEDTLS_SSL_TLS_C
+#define MBEDTLS_SSL_SRV_C
+#define MBEDTLS_SSL_CLI_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+
+#endif
+
+#if defined(CONFIG_TLS_DTLS)
+#define MBEDTLS_SSL_PROTO_DTLS
+#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#define MBEDTLS_SSL_COOKIE_C
+#endif
+
+/* Supported key exchange methods */
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_RSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+#endif
+
+/* Supported cipher modes */
+
+#if defined(CONFIG_TLS_CIPHER_AES_ENABLED)
+#define MBEDTLS_AES_C
+#endif
+
+#if defined(CONFIG_TLS_CIPHER_CAMELLIA_ENABLED)
+#define MBEDTLS_CAMELLIA_C
+#endif
+
+#if defined(CONFIG_TLS_CIPHER_DES_ENABLED)
+#define MBEDTLS_DES_C
+#endif
+
+#if defined(CONFIG_TLS_CIPHER_CCM_ENABLED)
+#define MBEDTLS_CCM_C
+#endif
+
+#if defined(CONFIG_TLS_CIPHER_CBC_ENABLED)
+#define MBEDTLS_CIPHER_MODE_CBC
+#endif
+
+/* Supported elliptic curves */
+
+#if defined(CONFIG_TLS_ECP_DP_SECP192R1_ENABLED)
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_SECP224R1_ENABLED)
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_SECP256R1_ENABLED)
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_SECP384R1_ENABLED)
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_SECP521R1_ENABLED)
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_SECP192K1_ENABLED)
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_SECP224K1_ENABLED)
+#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_SECP256K1_ENABLED)
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_BP256R1_ENABLED)
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_BP384R1_ENABLED)
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_BP512R1_ENABLED)
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_CURVE25519_ENABLED)
+#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_DP_CURVE448_ENABLED)
+#define MBEDTLS_ECP_DP_CURVE448_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_ECP_NIST_OPTIM)
+#define MBEDTLS_ECP_NIST_OPTIM
+#endif
+
+/* Supported message authentication methods */
+
+#if defined(CONFIG_TLS_MAC_MD5_ENABLED)
+#define MBEDTLS_MD5_C
+#endif
+
+#if defined(CONFIG_TLS_MAC_SHA1_ENABLED)
+#define MBEDTLS_SHA1_C
+#endif
+
+#if defined(CONFIG_TLS_MAC_SHA256_ENABLED)
+#define MBEDTLS_SHA256_C
+#endif
+
+#if defined(CONFIG_TLS_MAC_SHA512_ENABLED)
+#define MBEDTLS_SHA512_C
+#endif
+
+/* Automatic dependencies */
+
+#if defined (MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#define MBEDTLS_DHM_C
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+#define MBEDTLS_ECDH_C
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+#define MBEDTLS_RSA_C
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+#define MBEDTLS_PKCS1_V15
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+#define MBEDTLS_X509_CRT_PARSE_C
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_ECDSA_C
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#define MBEDTLS_ECJPAKE_C
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || \
+ defined(MBEDTLS_ECDSA_C) || \
+ defined(MBEDTLS_ECJPAKE_C)
+#define MBEDTLS_ECP_C
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#define MBEDTLS_X509_USE_C
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || \
+ defined(MBEDTLS_ECDSA_C)
+#define MBEDTLS_ASN1_PARSE_C
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+#define MBEDTLS_ASN1_WRITE_C
+#endif
+
+#if defined(MBEDTLS_DHM_C) || \
+ defined(MBEDTLS_ECP_C) || \
+ defined(MBEDTLS_RSA_C) || \
+ defined(MBEDTLS_X509_USE_C)
+#define MBEDTLS_BIGNUM_C
+#endif
+
+#if defined(MBEDTLS_RSA_C) || \
+ defined(MBEDTLS_X509_USE_C)
+#define MBEDTLS_OID_C
+#endif
+
+#if defined(MBEDTLS_X509_USE_C)
+#define MBEDTLS_PK_PARSE_C
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C)
+#define MBEDTLS_PK_C
+#endif
+
+/* mbedTLS modules */
+#if defined (CONFIG_TLS_PEM_CERTIFICATE_FORMAT) && \
+ defined(MBEDTLS_X509_CRT_PARSE_C)
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_BASE64_C
+#endif
+
+#if defined(MBEDTLS_AES_C)
+#define MBEDTLS_CTR_DRBG_C
+#endif
+
+#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_ENTROPY_C
+#endif
+
+/* For test certificates */
+#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
+#define MBEDTLS_CERTS_C
+#endif
+
+#if defined(CONFIG_MBEDTLS_DEBUG)
+#define MBEDTLS_ERROR_C
+#define MBEDTLS_DEBUG_C
+#define MBEDTLS_SSL_DEBUG_ALL
+#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
+#endif
+
+#define MBEDTLS_SSL_MAX_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN
+
+/* User config file */
+
+#if defined(CONFIG_TLS_USER_CONFIG_ENABLE)
+#include CONFIG_TLS_USER_CONFIG_FILE
+#endif
+
+#include "mbedtls/check_config.h"
+
+#endif /* MBEDTLS_CONFIG_H */
diff --git a/samples/net/echo_client/prj_qemu_x86_tls.conf b/samples/net/echo_client/prj_qemu_x86_tls.conf
index 76895c3380e4f..24abc49d9ede4 100644
--- a/samples/net/echo_client/prj_qemu_x86_tls.conf
+++ b/samples/net/echo_client/prj_qemu_x86_tls.conf
@@ -40,7 +40,6 @@ CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=30000
-CONFIG_MBEDTLS_CFG_FILE="config-mini-tls1_2.h"
 CONFIG_NET_DEBUG_NET_PKT=y
diff --git a/samples/net/echo_server/prj_qemu_x86_tls.conf b/samples/net/echo_server/prj_qemu_x86_tls.conf
index 1c5f9edd58413..fec57bc8fc31c 100644
--- a/samples/net/echo_server/prj_qemu_x86_tls.conf
+++ b/samples/net/echo_server/prj_qemu_x86_tls.conf
@@ -26,7 +26,6 @@ CONFIG_NET_SHELL=y
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_BUILTIN=y
-CONFIG_MBEDTLS_CFG_FILE="config-mini-tls1_2.h"
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=30000
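Review bot: `MBEDTLS_CERTS_C` is defined whenever `MBEDTLS_RSA_C` or `MBEDTLS_ECDSA_C` is set, and its own comment says it is for test certificates, so with the default RSA key exchange every build of the default configuration compiles them in. Gating it on the test option already used near the top of this file would keep them out of product images: `#if defined(CONFIG_MBEDTLS_TEST) && (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C))`; whether any sample relies on them cannot be seen from this diff. Separately, `MBEDTLS_CTR_DRBG_C` is tied to `MBEDTLS_AES_C` and `MBEDTLS_ENTROPY_C` to SHA-256/512, so a configuration that disables those ends up with no DRBG or entropy module and nothing here reports it; an `#error` or a Kconfig dependency would make that visible. `#include CONFIG_TLS_USER_CONFIG_FILE` also expands to `#include ""` when the option is enabled with its default empty string, which a one-line comment at the include could point out.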