16 changes: 11 additions & 5 deletions ext/lib/crypto/mbedtls/Kconfig
Expand Up @@ -44,12 +44,18 @@ endchoice
config MBEDTLS_CFG_FILE
string "mbed TLS configuration file"
depends on MBEDTLS_BUILTIN
default "config-mini-tls1_2.h"
default "config-tls-generic.h"
help
Use a specific mbed TLS configuration file. The default is suitable to
communicate with majority of HTTPS servers on the Internet, but has
relatively many features enabled. To optimize resources for special
TLS usage, an alternative config may be selected.
Use a specific mbed TLS configuration file. The default config file
file can be tweaked with Kconfig. The default configuration is
suitable to communicate with majority of HTTPS servers on the Internet,
but has relatively many features enabled. To optimize resources for
special TLS usage, use available Kconfig options, or select an
alternative config.

if MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"
source "ext/lib/crypto/mbedtls/Kconfig.tls-generic"
endif

config MBEDTLS_SSL_MAX_CONTENT_LEN
int "Max payload size for TLS protocol message"
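Review bot: The rewritten `help` text of MBEDTLS_CFG_FILE contains a doubled word across the line break, `The default config file` / `file can be tweaked with Kconfig`; it should read `The default config file can be tweaked with Kconfig.` It would also help users to say explicitly that the tweak options disappear as soon as a different file is chosen, since the new `if MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h"` guard only sources Kconfig.tls-generic for the default; a closing sentence such as `The Kconfig options are only available when the default config file is used.` would make that visible from the prompt. The MBEDTLS_CFG_FILE symbol is complete within the hunk, but the preceding choice block and the following MBEDTLS_SSL_MAX_CONTENT_LEN entry continue outside it.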
217 changes: 217 additions & 0 deletions ext/lib/crypto/mbedtls/Kconfig.tls-generic
@@ -0,0 +1,217 @@
# Kconfig.tls - TLS/DTLS related options

#
# Copyright (c) 2018 Intel Corporation
# Copyright (c) 2018 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: Apache-2.0
#

menu "TLS configuration"

menu "Supported TLS version"

config TLS_VERSION_1_0
bool "Enable support for TLS 1.0"
select TLS_MAC_MD5_ENABLED
select TLS_MAC_SHA1_ENABLED
default n

config TLS_VERSION_1_1
bool "Enable support for TLS 1.1 (DTLS 1.0)"
select TLS_MAC_MD5_ENABLED
select TLS_MAC_SHA1_ENABLED
default n

config TLS_VERSION_1_2
bool "Enable support for TLS 1.2 (DTLS 1.2)"
default y

config TLS_DTLS
bool "Enable support for DTLS"
depends on TLS_VERSION_1_1 || TLS_VERSION_1_2
default n

endmenu

menu "Ciphersuite configuration"

comment "Supported key exchange modes"

config TLS_KEY_EXCHANGE_PSK_ENABLED
bool "Enable the PSK based ciphersuite modes"
default n

config TLS_KEY_EXCHANGE_DHE_PSK_ENABLED
bool "Enable the DHE-PSK based ciphersuite modes"
default n

config TLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
bool "Enable the ECDHE-PSK based ciphersuite modes"
default n

config TLS_KEY_EXCHANGE_RSA_PSK_ENABLED
bool "Enable the RSA-PSK based ciphersuite modes"
default n

config TLS_KEY_EXCHANGE_RSA_ENABLED
bool "Enable the RSA-only based ciphersuite modes"
default y

config TLS_KEY_EXCHANGE_DHE_RSA_ENABLED
bool "Enable the DHE-RSA based ciphersuite modes"
default n

config TLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
bool "Enable the ECDHE-RSA based ciphersuite modes"
default n

config TLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
bool "Enable the ECDHE-ECDSA based ciphersuite modes"
default n

config TLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
bool "Enable the ECDH-ECDSA based ciphersuite modes"
default n

config TLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
bool "Enable the ECDH-RSA based ciphersuite modes"
default n

config TLS_KEY_EXCHANGE_ECJPAKE_ENABLED
bool "Enable the ECJPAKE based ciphersuite modes"
default n

if TLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
TLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
TLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || \
TLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || \
TLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \
TLS_KEY_EXCHANGE_ECJPAKE_ENABLED \

comment "Supported elliptic curves"

config TLS_ECP_DP_SECP192R1_ENABLED
bool "Enable SECP192R1 elliptic curve"
default n

config TLS_ECP_DP_SECP224R1_ENABLED
bool "Enable SECP224R1 elliptic curve"
default n

config TLS_ECP_DP_SECP256R1_ENABLED
bool "Enable SECP256R1 elliptic curve"
default n

config TLS_ECP_DP_SECP384R1_ENABLED
bool "Enable SECP384R1 elliptic curve"
default n

config TLS_ECP_DP_SECP521R1_ENABLED
bool "Enable SECP521R1 elliptic curve"
default n

config TLS_ECP_DP_SECP192K1_ENABLED
bool "Enable SECP192K1 elliptic curve"
default n

config TLS_ECP_DP_SECP224K1_ENABLED
bool "Enable SECP224K1 elliptic curve"
default n

config TLS_ECP_DP_SECP256K1_ENABLED
bool "Enable SECP256K1 elliptic curve"
default n

config TLS_ECP_DP_BP256R1_ENABLED
bool "Enable BP256R1 elliptic curve"
default n

config TLS_ECP_DP_BP384R1_ENABLED
bool "Enable BP384R1 elliptic curve"
default n

config TLS_ECP_DP_BP512R1_ENABLED
bool "Enable BP512R1 elliptic curve"
default n

config TLS_ECP_DP_CURVE25519_ENABLED
bool "Enable CURVE25519 elliptic curve"
default n

config TLS_ECP_DP_CURVE448_ENABLED
bool "Enable CURVE448 elliptic curve"
default n

config TLS_ECP_NIST_OPTIM
bool "Enable NSIT curves optimization"
default n

endif

comment "Supported cipher modes"

config TLS_CIPHER_AES_ENABLED
bool "Enable the AES block cipher"
default y

config TLS_CIPHER_CAMELLIA_ENABLED
bool "Enable the Camellia block cipher"
default n

config TLS_CIPHER_DES_ENABLED
bool "Enable the DES block cipher"
default y

config TLS_CIPHER_CCM_ENABLED
bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
default n
depends on TLS_CIPHER_AES_ENABLED || TLS_CIPHER_CAMELLIA_ENABLED

config TLS_CIPHER_CBC_ENABLED
bool "Enable Cipher Block Chaining mode (CBC) for symmetric ciphers"
default y

comment "Supported message authentication methods"

config TLS_MAC_MD5_ENABLED
bool "Enable the MD5 hash algorithm"
default y

config TLS_MAC_SHA1_ENABLED
bool "Enable the SHA1 hash algorithm"
default y

config TLS_MAC_SHA256_ENABLED
bool "Enable the SHA-224 and SHA-256 hash algorithms"
default y

config TLS_MAC_SHA512_ENABLED
bool "Enable the SHA-384 and SHA-512 hash algorithms"
default n

endmenu

config TLS_PEM_CERTIFICATE_FORMAT
bool "Enable support for PEM certificate format"
default n
help
By default only DER (binary) format of certificates is supported. Enable
this option to enable support for PEM format.

config TLS_USER_CONFIG_ENABLE

Did you consider having just a single Kconfig option for this? E.g. if TLS_USER_CONFIG_FILE is defined to a non-empty value, #include it?


Yes, that was my initial thought, but that would require to check for an empty string in preprocessor, and I didn't find an easy way to do that. Any suggestions on this?


Yeah, I never thought about what #if "" would evaluate to, but it's actually an error to use strings in #if at all:

a.c:1:11: error: token ""foo"" is not valid in preprocessor expressions
 #define a "foo"
           ^
a.c:3:5: note: in expansion of macro ‘a’
 #if a
     ^

So, nevermind.

bool "Enable user mbedTLS config file"
default n
help
Enable user mbedTLS config file that will be included at the end of
the generic config file.

config TLS_USER_CONFIG_FILE
string "User configuration file for mbedTLS"
depends on TLS_USER_CONFIG_ENABLE
default ""
help
User config file that can contain mbedTLS configs that were not
covered by the generic config file.

endmenu
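Review bot: The defaults under `Supported cipher modes` and `Supported message authentication methods` turn on legacy primitives — `TLS_CIPHER_DES_ENABLED`, `TLS_MAC_MD5_ENABLED` and `TLS_MAC_SHA1_ENABLED` are all `default y` — even though the only versions that `select` MD5/SHA1 here (TLS 1.0/1.1) default to n, and the only key exchange on by default is `TLS_KEY_EXCHANGE_RSA_ENABLED`, which provides no forward secrecy. If those defaults are deliberate for interoperability with the previous config-mini-tls1_2.h, a `help` entry on each should say so; otherwise `default n` for DES and MD5 would keep the generic configuration from carrying algorithms a default build does not use. None of the ECDH/ECDHE key exchange options appear to require any `TLS_ECP_DP_*` curve to be enabled, so a configuration that enables ECDHE with every curve left at `default n` seems possible — worth a `depends on` or at least a note in the curves menu. Two smaller points: the `if` guarding the elliptic-curve options ends with a trailing backslash on the `TLS_KEY_EXCHANGE_ECJPAKE_ENABLED \` line followed by an empty line, which should be removed, and the `TLS_ECP_NIST_OPTIM` prompt reads `Enable NSIT curves optimization` where `NIST` is meant.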