1 /**
2  * @file
3  * Application layered TCP/TLS connection API (to be used from TCPIP thread)
4  *
5  * This file contains options for an mbedtls port of the TLS layer.
6  */
7 
8 /*
9  * Copyright (c) 2017 Simon Goldschmidt
10  * All rights reserved.
11  *
12  * Redistribution and use in source and binary forms, with or without modification,
13  * are permitted provided that the following conditions are met:
14  *
15  * 1. Redistributions of source code must retain the above copyright notice,
16  *    this list of conditions and the following disclaimer.
17  * 2. Redistributions in binary form must reproduce the above copyright notice,
18  *    this list of conditions and the following disclaimer in the documentation
19  *    and/or other materials provided with the distribution.
20  * 3. The name of the author may not be used to endorse or promote products
21  *    derived from this software without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
24  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
25  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
26  * SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
27  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
28  * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
29  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
30  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
31  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
32  * OF SUCH DAMAGE.
33  *
34  * This file is part of the lwIP TCP/IP stack.
35  *
36  * Author: Simon Goldschmidt <goldsimon@gmx.de>
37  *
38  */
#ifndef LWIP_HDR_ALTCP_TLS_OPTS_H
#define LWIP_HDR_ALTCP_TLS_OPTS_H

#include "lwip/opt.h"

#if LWIP_ALTCP /* don't build if not configured for use in lwipopts.h */

/** LWIP_ALTCP_TLS_MBEDTLS==1: use mbedTLS for TLS support for altcp API
 * mbedtls include directory must be reachable via include search path.
 * Every option below is a default that lwipopts.h may override.
 */
#ifndef LWIP_ALTCP_TLS_MBEDTLS
#define LWIP_ALTCP_TLS_MBEDTLS                        0
#endif

/** Configure debug level of this file (one of the lwIP LWIP_DBG_* levels) */
#ifndef ALTCP_MBEDTLS_DEBUG
#define ALTCP_MBEDTLS_DEBUG                           LWIP_DBG_OFF
#endif

/** Configure lwIP debug level of the mbedTLS library.
 * NOTE: at its higher verbosity levels the mbedTLS debug callback can dump
 * handshake and record buffer contents; keep this off in production builds
 * so that connection-specific material does not reach the log output.
 */
#ifndef ALTCP_MBEDTLS_LIB_DEBUG
#define ALTCP_MBEDTLS_LIB_DEBUG                       LWIP_DBG_OFF
#endif

/** Configure minimum internal debug level of the mbedTLS library
 * (0 = no messages, higher values are more verbose in mbedTLS terms).
 * NOTE(review): presumably acts as the threshold below which mbedTLS
 * messages are dropped by the port's debug callback - confirm against
 * the callback implementation in the mbedTLS altcp port.
 */
#ifndef ALTCP_MBEDTLS_LIB_DEBUG_LEVEL_MIN
#define ALTCP_MBEDTLS_LIB_DEBUG_LEVEL_MIN             0
#endif

/** Enable the basic session cache
 * ATTENTION: Using a session cache can lower security by reusing keys!
 * A resumed session skips the full handshake and reuses the cached
 * session's master secret for the whole cache lifetime; size that
 * lifetime (ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS) accordingly.
 */
#ifndef ALTCP_MBEDTLS_USE_SESSION_CACHE
#define ALTCP_MBEDTLS_USE_SESSION_CACHE               0
#endif

/** Maximum cache size of the basic session cache
 * (number of cached sessions; each entry holds a session's secret in RAM)
 */
#ifndef ALTCP_MBEDTLS_SESSION_CACHE_SIZE
#define ALTCP_MBEDTLS_SESSION_CACHE_SIZE              30
#endif

/** Set a session timeout in seconds for the basic session cache
 * (default: one hour; bounds how long a cached session stays resumable)
 */
#ifndef ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS
#define ALTCP_MBEDTLS_SESSION_CACHE_TIMEOUT_SECONDS   (60 * 60)
#endif

/** Use session tickets to speed up connection setup (needs
 * MBEDTLS_SSL_SESSION_TICKETS enabled in mbedTLS config).
 * ATTENTION: Using session tickets can lower security by reusing keys!
 * Tickets carry the session state encrypted under a server-held ticket
 * key, so anyone holding that key can resume any ticketed session for
 * as long as ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS allows.
 */
#ifndef ALTCP_MBEDTLS_USE_SESSION_TICKETS
#define ALTCP_MBEDTLS_USE_SESSION_TICKETS             0
#endif

/** Session ticket cipher (mbedtls_cipher_type_t value used to protect
 * the ticket contents). Keep this an AEAD cipher (GCM or CCM mode) so
 * that tickets stay both confidential and integrity-protected.
 */
#ifndef ALTCP_MBEDTLS_SESSION_TICKET_CIPHER
#define ALTCP_MBEDTLS_SESSION_TICKET_CIPHER           MBEDTLS_CIPHER_AES_256_GCM
#endif

/** Maximum timeout for session tickets (default: 24 hours).
 * NOTE(review): presumably passed as the ticket lifetime to
 * mbedtls_ssl_ticket_setup(), which also drives ticket-key rotation -
 * confirm in the mbedTLS altcp port.
 */
#ifndef ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS
#define ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS  (60 * 60 * 24)
#endif

/** Certificate verification mode: MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL (default),
 * MBEDTLS_SSL_VERIFY_REQUIRED (recommended).
 * - VERIFY_NONE: the peer certificate is not checked at all; the peer is unauthenticated.
 * - VERIFY_OPTIONAL: the handshake completes even if verification of the peer
 *   certificate fails. The application must then inspect the result via
 *   mbedtls_ssl_get_verify_result() and close the connection itself on failure;
 *   a client that does not do this accepts any certificate. For servers this is
 *   the usual way to request, but not require, a client certificate.
 * - VERIFY_REQUIRED: the handshake is aborted on any verification failure; use
 *   this for clients that need an authenticated server.
 */
#ifndef ALTCP_MBEDTLS_AUTHMODE
#define ALTCP_MBEDTLS_AUTHMODE                        MBEDTLS_SSL_VERIFY_OPTIONAL
#endif

#endif /* LWIP_ALTCP */

#endif /* LWIP_HDR_ALTCP_TLS_OPTS_H */
112