1#
2# For a description of the syntax of this configuration file,
3# see scripts/config/Kconfig-language.txt
4#
5
6menu "SSL Library"
7
8choice
9    prompt "Mode"
10    default CONFIG_SSL_FULL_MODE
11
12config CONFIG_SSL_SERVER_ONLY
13    bool "Server only - no verification"
14    help
15        Enable server functionality (no client functionality).
16        This mode still supports sessions and chaining (which can be turned
17        off in configuration).
18
19        The axssl sample runs with the minimum of features.
20
21        This is the most space efficient of the modes with the library
22        about 45kB in size. Use this mode if you are doing standard SSL server
23        work.
24
25config CONFIG_SSL_CERT_VERIFICATION
26    bool "Server only - with verification"
27    help
28        Enable server functionality with client authentication (no client
29        functionality).
30
31        The axssl sample runs with the "-verify" and "-CAfile" options.
32
33        This mode produces a library about 49kB in size. Use this mode if you
34        have an SSL server which requires client authentication (which is
35        uncommon in browser applications).
36
37
38config CONFIG_SSL_FULL_MODE
39    bool "Client/Server enabled with diagnostics"
40    help
41        Enable client/server functionality including diagnostics. Most of the
42        extra size in this mode is due to the storage of various strings that
43        are used.
44
45        The axssl sample has 3 more options, "-debug", "-state" and "-show-rsa"
46
47        This mode produces a library about 58kB in size. It is suggested that
48        this mode is used only during development, or on systems that have more
49        generous memory limits.
50
51        It is the default to demonstrate the features of axTLS.
52
53config CONFIG_SSL_SKELETON_MODE
54    bool "Skeleton mode - the smallest server mode"
55    help
56        This is an experiment to build the smallest library at the expense of
57        features and speed.
58
59        * Server mode only.
60        * The AES cipher is disabled.
61        * No session resumption.
62        * No external keys/certificates are supported.
63        * The bigint library has most of the performance features disabled.
64        * Some other features/API calls may not work.
65
66        This mode produces a library about 37kB in size. The main
67        disadvantage of this mode is speed - it will be much slower than the
68        other build modes.
69
70endchoice
71
72config CONFIG_SSL_ENABLE_SERVER
73    bool "Server enabled"
74    help
75        Enable server functionality.
76
77config CONFIG_SSL_ENABLE_CLIENT
78    bool "Client enabled"
79    help
80        Enable client functionality.
81
82        The axssl sample runs with the "s_client" option enabled.
83
84        This mode produces a library about 51kB in size. Use this mode if you
85        require axTLS to use SSL client functionality (the SSL server code
86        is always enabled).
87
88config CONFIG_SSL_DIAGNOSTICS
89    bool "Diagnostic messages"
90    help
91        Enable support for diagnostics of connection progress and state.
92
93choice
94    prompt "Protocol Preference"
95#    depends on !CONFIG_SSL_SKELETON_MODE
96    default CONFIG_SSL_PROT_MEDIUM
97
98config CONFIG_SSL_PROT_LOW
99    bool "Low"
100    help
101        Chooses the cipher in the order of AES128-SHA, AES128-SHA256,
102        AES256-SHA256.
103
104        This will use the fastest cipher(s) but at the expense of security.
105
106config CONFIG_SSL_PROT_MEDIUM
107    bool "Medium"
108    help
109        Chooses the cipher in the order of AES128-SHA256, AES256-SHA256,
110        AES128-SHA.
111
112        This mode is a balance between speed and security and is the default.
113
114config CONFIG_SSL_PROT_HIGH
115    bool "High"
116    help
117        Chooses the cipher in the order of AES256-SHA256, AES128-SHA256,
118        AES128-SHA.
119
120        This will use the strongest cipher(s) at the cost of speed.
121
122endchoice
123
124config CONFIG_SSL_AES
125    bool "Enable AES cipher"
126    default y
127    help
128        Enable/disable AES support.
129
130config CONFIG_SSL_USE_DEFAULT_KEY
131    bool "Enable default key"
132#    depends on !CONFIG_SSL_SKELETON_MODE
133    default y
134    help
135        Some applications will not require the default private key/certificate
136        that is built in. This is one way to save on a couple of kB's if an
137        external private key/certificate is used.
138
139        The private key is in ssl/private_key.h and the certificate is in
140        ssl/cert.h.
141
142        The advantage of a built-in private key/certificate is that no file
143        system is required for access. Both the certificate and the private
144        key will be automatically loaded on a ssl_ctx_new().
145
146        However this private key/certificate can never be changed (without a
147        code update), and because it is part of the source tree it is not secret.
148
149        This mode is enabled by default. It is suitable for testing only; disable
150        it and supply your own key/certificate for any real deployment.
151
152config CONFIG_SSL_PRIVATE_KEY_LOCATION
153    string "Private key file location"
154    depends on !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
155    help
156        The file location of the private key which will be automatically
157        loaded on a ssl_ctx_new().
158
159config CONFIG_SSL_PRIVATE_KEY_PASSWORD
160    string "Private key password"
161    depends on !CONFIG_SSL_USE_DEFAULT_KEY && CONFIG_SSL_HAS_PEM
162    help
163        The password required to decrypt a PEM-encoded private key file. Note that this value is stored in plain text in the generated build configuration.
164
165config CONFIG_SSL_X509_CERT_LOCATION
166    string "X.509 certificate file location"
167    depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE
168    help
169        The file location of the X.509 certificate which will be automatically
170        loaded on a ssl_ctx_new().
171
172config CONFIG_SSL_GENERATE_X509_CERT
173    bool "Generate X.509 Certificate"
174    default n
175    help
176        An X.509 certificate can be automatically generated on a
177        ssl_ctx_new(). A private key still needs to be provided (the private
178        key in ssl/private_key.h will be used unless
179        CONFIG_SSL_PRIVATE_KEY_LOCATION is set).
180
181        The certificate is generated on the fly, and so a minor start-up time
182        penalty is to be expected. This feature adds around 5kB to the
183        library.
184
185        This feature is disabled by default.
186
187config CONFIG_SSL_X509_COMMON_NAME
188    string "X.509 Common Name"
189    depends on CONFIG_SSL_GENERATE_X509_CERT
190    help
191        The common name for the X.509 certificate. This should be the fully
192        qualified domain name (FQDN), e.g. www.foo.com.
193
194        If this is blank, then the value from gethostname() and
195        getdomainname() will be used.
196
197config CONFIG_SSL_X509_ORGANIZATION_NAME
198    string "X.509 Organization Name"
199    depends on CONFIG_SSL_GENERATE_X509_CERT
200    help
201        The organization name for the generated X.509 certificate.
202
203        This field is optional.
204
205config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME
206    string "X.509 Organization Unit Name"
207    depends on CONFIG_SSL_GENERATE_X509_CERT
208    help
209        The organization unit name for the generated X.509 certificate.
210
211        This field is optional.
212
213config CONFIG_SSL_HAS_PEM
214    bool "Enable PEM"
215    default n if !CONFIG_SSL_FULL_MODE
216    default y if CONFIG_SSL_FULL_MODE
217    depends on !CONFIG_SSL_SKELETON_MODE
218    help
219        Enable the use of PEM format for certificates and private keys.
220
221        PEM is not normally needed - PEM files can be converted into DER files
222        quite easily. However they have the convenience of allowing multiple
223        certificates/keys in the same file.
224
225        This feature will add a couple of kB to the library.
226
227        Disable if PEM is not used (which will be in most cases).
228
229config CONFIG_SSL_USE_PKCS12
230    bool "Use PKCS8/PKCS12"
231    default n if !CONFIG_SSL_FULL_MODE
232    default y if CONFIG_SSL_FULL_MODE
233    depends on !CONFIG_SSL_SKELETON_MODE
234    help
235        PKCS#12 certificates combine private keys and certificates together in
236        one file.
237
238        PKCS#8 private keys are also supported (as it is a subset of PKCS#12).
239
240        The decryption of these certificates uses RC4-128 (and these certificates
241        must be encrypted using this cipher). The actual algorithm is
242        "PBE-SHA1-RC4-128"; RC4 is a weak cipher, so this gives the stored key file only limited protection.
243
244        Disable if PKCS#12 is not used (which will be in most cases).
245
246config CONFIG_SSL_EXPIRY_TIME
247    int "Session expiry time (in hours)"
248    depends on !CONFIG_SSL_SKELETON_MODE
249    default 24
250    help
251        The time (in hours) before a session expires.
252
253        A longer time means that the expensive parts of a handshake don't
254        need to be run when a client reconnects later.
255
256        The default is 1 day.
257
258config CONFIG_X509_MAX_CA_CERTS
259    int "Maximum number of certificate authorities"
260    default 150
261#    depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
262    help
263        Determines the maximum number of CA certificates allowed.
264
265        Increase this figure if more trusted CA certificates are needed. Each
266        certificate adds about 300 bytes (when added).
267
268        The default is to allow the Debian cert bundle to be parsed.
269
270config CONFIG_SSL_MAX_CERTS
271    int "Maximum number of chained certificates"
272    default 3
273    help
274        Determines the number of certificates used in a certificate
275        chain. The chain length must be at least 1.
276
277        Increase this figure if more certificates are to be added to the
278        chain. Each certificate adds about 300 bytes (when added).
279
280        The default is to allow one certificate + 2 certificates in the chain.
281
282config CONFIG_SSL_CTX_MUTEXING
283    bool "Enable SSL_CTX mutexing"
284    default n
285    help
286        Normally mutexing is not required - each SSL_CTX object can deal with
287        many SSL objects (as long as each SSL_CTX object is using a single
288        thread).
289
290        If the SSL_CTX object is shared between threads, e.g. the case where a
291        new thread is created for each SSL object, then mutexing is required.
292
293        Select y when a mutex on the SSL_CTX object is required.
294
295config CONFIG_USE_DEV_URANDOM
296    bool "Use /dev/urandom"
297    default y
298    depends on !CONFIG_PLATFORM_WIN32
299    help
300        Use /dev/urandom. Otherwise a custom RNG is used. Keep this enabled wherever /dev/urandom exists; review the custom RNG before relying on it for key or session material.
301
302        This will be the default on most Linux systems.
303
304config CONFIG_WIN32_USE_CRYPTO_LIB
305    bool "Use Win32 Crypto Library"
306    depends on CONFIG_PLATFORM_WIN32
307    help
308        Microsoft produce a Crypto API which requires the Platform SDK to be
309        installed. It's used for the RNG.
310
311        This will be the default on most Win32 systems.
312
313config CONFIG_OPENSSL_COMPATIBLE
314    bool "Enable openssl API compatibility"
315    default n
316    help
317        To ease the porting of openssl applications, a subset of the openssl
318        API is wrapped around the axTLS API.
319
320        Note: not all the API is implemented, so parts may still break. And
321        it's definitely not 100% compatible.
322
323config CONFIG_PERFORMANCE_TESTING
324    bool "Build the bigint performance test tool"
325    default n
326    depends on CONFIG_SSL_CERT_VERIFICATION
327    help
328        Used for performance testing of bigint.
329
330        This is a testing tool and is normally disabled.
331
332config CONFIG_SSL_TEST
333    bool "Build the SSL testing tool"
334    default n
335    depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT
336    help
337        Used for sanity checking the SSL handshaking.
338
339        This is a testing tool and is normally disabled.
340
341endmenu
342