This is an automated email from the ASF dual-hosted git repository.
xiaoxiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx-apps.git
The following commit(s) were added to refs/heads/master by this push:
new 8c95ab94d crypto/mbedtls: Unified configuration with mbedtls default
configuration
8c95ab94d is described below
commit 8c95ab94d339bbd87ab3590f93198101955558df
Author: makejian <makej...@xiaomi.com>
AuthorDate: Sun Sep 24 17:36:25 2023 +0800
crypto/mbedtls: Unified configuration with mbedtls default configuration
The configuration of Kconfig used by the nuttx before is not consistent
with the mbedtls default configuration. This patch update configuration is
consistent with the default configuration.
Signed-off-by: makejian <makej...@xiaomi.com>
---
crypto/mbedtls/Kconfig | 230 +++++++++++-------------
crypto/mbedtls/include/mbedtls/mbedtls_config.h | 2 +-
2 files changed, 108 insertions(+), 124 deletions(-)
diff --git a/crypto/mbedtls/Kconfig b/crypto/mbedtls/Kconfig
index c5e938d98..d61e6b3f5 100644
--- a/crypto/mbedtls/Kconfig
+++ b/crypto/mbedtls/Kconfig
@@ -17,7 +17,7 @@ config MBEDTLS_VERSION
config MBEDTLS_DEBUG_C
bool "This module provides debugging functions."
- default n
+ default DEBUG_FEATURES
---help---
This module provides debugging functions.
@@ -70,19 +70,15 @@ config MBEDTLS_SELF_TEST
config MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
bool "Enable server-side support for clients that reconnect from the
same port."
depends on MBEDTLS_SSL_DTLS_HELLO_VERIFY
- default n
-
-config MBEDTLS_BLOWFISH_C
- bool "Enable the Blowfish block cipher."
- default n
+ default y
config MBEDTLS_CAMELLIA_C
bool "Enable the Camellia block cipher."
- default n
+ default y
config MBEDTLS_PADLOCK_C
bool "Enable VIA Padlock support on x86."
- default n
+ default !MBEDTLS_AES_ALT
config MBEDTLS_TIMING_C
bool "Enable the semi-portable timing interface."
@@ -90,44 +86,41 @@ config MBEDTLS_TIMING_C
config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
bool "Enable the availability of the API mbedtls_ssl_get_peer_cert()
giving access to the peer's certificate after completion of the handshake."
- default n
+ default y
config MBEDTLS_SSL_PROTO_DTLS
bool "Enable support for DTLS (all available versions)."
- default n
+ default y
if MBEDTLS_SSL_PROTO_DTLS
config MBEDTLS_SSL_DTLS_ANTI_REPLAY
bool "Enable support for the anti-replay mechanism in DTLS."
- default n
+ default y
config MBEDTLS_SSL_DTLS_HELLO_VERIFY
bool "Enable support for HelloVerifyRequest on DTLS servers."
- default n
-
-config MBEDTLS_SSL_DTLS_BADMAC_LIMIT
- bool "Enable support for a limit of records with bad MAC."
- default n
+ default y
config MBEDTLS_SSL_DTLS_CONNECTION_ID
bool "Enable the Connection ID extension."
- default n
+ default y
config MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
- bool "Enable the standard version of DTLS Connection ID feature."
+ int "Enable the standard version of DTLS Connection ID feature."
depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
- default n
+ default 0
endif # MBEDTLS_SSL_PROTO_DTLS
config MBEDTLS_SSL_ALPN
bool "Enable support for RFC 7301 Application Layer Protocol
Negotiation."
- default n
+ default y
config MBEDTLS_AESNI_C
bool "Enable AES-NI support on x86-64."
- default n
+ depends on ARCH_X86_64
+ default !MBEDTLS_AES_ALT
config MBEDTLS_ECP_WINDOW_SIZE
int "Maximum window size used"
@@ -139,50 +132,49 @@ config MBEDTLS_ECP_FIXED_POINT_OPTIM
config MBEDTLS_CMAC_C
bool "Enable the CMAC (Cipher-based Message Authentication Code) mode
for block"
- default n
+ default y
config MBEDTLS_NET_C
bool "Enable the TCP and UDP over IPv6/IPv4 networking routines"
- default y if LIBC_NETDB
- default n if !LIBC_NETDB
+ default LIBC_NETDB
config MBEDTLS_ECDSA_C
bool "Enable the elliptic curve DSA library."
- default n
+ default y
config MBEDTLS_ECP_C
bool "Enable the elliptic curve over GF(p) library."
- default n
+ default y
config MBEDTLS_ECP_DP_SECP256R1_ENABLED
bool "Enables specific curves within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_PEM_WRITE_C
bool "Enable PEM encoding / writing."
- default n
+ default y
config MBEDTLS_PK_WRITE_C
bool "Enable the generic public (asymmetric) key writer."
- default n
+ default y
config MBEDTLS_X509_CREATE_C
bool "Enable X.509 core for creating certificates."
- default n
+ default y
config MBEDTLS_X509_CRT_WRITE_C
bool "Enable creating X.509 certificates."
- select MBEDTLS_X509_CREATE_C
- default n
+ depends on MBEDTLS_X509_CREATE_C
+ default y
config MBEDTLS_X509_CSR_WRITE_C
bool "Enable creating X.509 Certificate Signing Requests (CSR)."
- select MBEDTLS_X509_CREATE_C
- default n
+ depends on MBEDTLS_X509_CREATE_C
+ default y
config MBEDTLS_X509_CSR_PARSE_C
bool "Enable X.509 Certificate Signing Request (CSR) parsing."
- default n
+ default y
config MBEDTLS_X509_CRT_POOL
bool "Enable the X509 Certificate Pool"
@@ -190,189 +182,189 @@ config MBEDTLS_X509_CRT_POOL
config MBEDTLS_HAVE_ASM
bool "Enable compiler support for asm."
- default n
+ default y
config MBEDTLS_HAVE_TIME_DATE
bool "Enable to verify the validity period of X.509 certificates when
system have correct clock."
- default n
+ default y
config MBEDTLS_CIPHER_MODE_CFB
bool "Enable Cipher Feedback mode (CFB) for symmetric ciphers."
- default n
+ default y
config MBEDTLS_CIPHER_MODE_CTR
bool "Enable Counter Block Cipher mode (CTR) for symmetric ciphers."
- default n
+ default y
config MBEDTLS_CIPHER_MODE_OFB
bool "Enable Output Feedback mode (OFB) for symmetric ciphers."
- default n
+ default y
config MBEDTLS_CIPHER_MODE_XTS
bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for
AES."
- default n
+ default y
config MBEDTLS_CIPHER_PADDING_PKCS7
bool "Enable PKCS7 padding mode in the cipher layer."
- default n
+ default y
config MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
bool "Enable bit padding mode in the cipher layer."
- default n
+ default y
config MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
bool "Enable zero and length padding mode in the cipher layer."
- default n
+ default y
config MBEDTLS_CIPHER_PADDING_ZEROS
bool "Enable zeros padding mode in the cipher layer."
- default n
+ default y
config MBEDTLS_ECP_DP_SECP192R1_ENABLED
bool "Enables SECP192R1 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_DP_SECP224R1_ENABLED
bool "Enables SECP224R1 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_DP_SECP384R1_ENABLED
bool "Enables SECP384R1 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_DP_SECP521R1_ENABLED
bool "Enables SECP521R1 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_DP_SECP192K1_ENABLED
bool "Enables SECP192K1 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_DP_SECP224K1_ENABLED
bool "Enables SECP224K1 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_DP_SECP256K1_ENABLED
bool "Enables SECP256K1 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_DP_BP256R1_ENABLED
bool "Enables BP256R1 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_DP_BP384R1_ENABLED
bool "Enables BP384R1 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_DP_BP512R1_ENABLED
bool "Enables BP512R1 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_DP_CURVE25519_ENABLED
bool "Enables CURVE25519 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_DP_CURVE448_ENABLED
bool "Enables CURVE448 curve within the Elliptic Curve module."
- default n
+ default y
config MBEDTLS_ECP_NIST_OPTIM
bool "Enable specific 'modulo p' routines for each NIST prime."
- default n
+ default y
config MBEDTLS_ECDSA_DETERMINISTIC
bool "Enable deterministic ECDSA (RFC 6979)."
depends on MBEDTLS_HMAC_DRBG_C && MBEDTLS_ECDSA_C
- default n
+ default y
config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
bool "Enable the PSK based ciphersuite modes in SSL / TLS."
- default n
+ default y
config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
bool "Enable the DHE-PSK based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_DHM_C
- default n
+ default y
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
bool "Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_ECDH_C
- default n
+ default y
config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
bool "Enable the RSA-PSK based ciphersuite modes in SSL / TLS."
- default n
+ default y
config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
bool "Enable the DHE-RSA based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_DHM_C
- default n
+ default y
config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
bool "Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_ECDH_C
- default n
+ default y
config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
bool "Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
- default n
+ default y
config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
bool "Enable the ECDH-RSA based ciphersuite modes in SSL / TLS."
depends on MBEDTLS_ECDH_C
- default n
+ default y
config MBEDTLS_PK_PARSE_EC_EXTENDED
bool "Enhance support for reading EC keys using variants of SEC1 not
allowed by RFC 5915 and RFC 5480."
- default n
+ default y
config MBEDTLS_ERROR_STRERROR_DUMMY
bool "Enable a dummy error function to make use of mbedtls_strerror()."
- default n
+ default y
config MBEDTLS_GENPRIME
bool "Enable the prime-number generation code."
- default n
+ default y
config MBEDTLS_PK_RSA_ALT_SUPPORT
bool "Support external private RSA keys (eg from a HSM) in the PK
layer."
- default n
+ default y
config MBEDTLS_SSL_CONTEXT_SERIALIZATION
bool "Enable serialization of the TLS context structures."
depends on MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C
- default n
+ default y
config MBEDTLS_SSL_ENCRYPT_THEN_MAC
bool "Enable support for Encrypt-then-MAC, RFC 7366."
- default n
+ default y
config MBEDTLS_SSL_EXTENDED_MASTER_SECRET
bool "Enable Session Hash and Extended Master Secret Extension."
- default n
+ default y
config MBEDTLS_SSL_RENEGOTIATION
bool "Enable support for TLS renegotiation."
- default n
+ default y
config MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
bool "Enable support for RFC 6066 max_fragment_length extension in SSL."
- default n
+ default y
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
bool "Enable TLS 1.3 PSK key exchange mode."
- default n
+ default y
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
bool "Enable TLS 1.3 ephemeral key exchange mode."
depends on MBEDTLS_ECDH_C
- default n
+ default y
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
bool "Enable TLS 1.3 PSK ephemeral key exchange mode."
depends on MBEDTLS_ECDH_C
- default n
+ default y
config MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
int "The default maximum amount of 0-RTT data."
@@ -380,11 +372,11 @@ config MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
config MBEDTLS_SSL_SESSION_TICKETS
bool "Enable support for RFC 5077 session tickets in SSL."
- default n
+ default y
config MBEDTLS_SSL_SERVER_NAME_INDICATION
bool "Enable support for RFC 6066 server name indication (SNI) in SSL."
- default n
+ default y
config MBEDTLS_THREADING_PTHREAD
bool "Enable the pthread wrapper layer for the threading layer."
@@ -394,56 +386,52 @@ config MBEDTLS_THREADING_PTHREAD
config MBEDTLS_VERSION_FEATURES
bool "Allow run-time checking of compile-time enabled features."
depends on MBEDTLS_VERSION_C
- default n
+ default y
config MBEDTLS_X509_RSASSA_PSS_SUPPORT
bool "Enable parsing and verification of X.509 certificates, CRLs and
CSRS signed with RSASSA-PSS."
- default n
+ default y
config MBEDTLS_AESCE_C
bool "Enable AES cryptographic extension support on 64-bit Arm."
depends on MBEDTLS_HAVE_ASM
- default n
-
-config MBEDTLS_ARC4_C
- bool "Enable the ARCFOUR stream cipher."
- default n
+ default y
config MBEDTLS_ARIA_C
bool "Enable the ARIA block cipher."
- default n
+ default y
config MBEDTLS_CCM_C
bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block
cipher."
- default n
+ default y
config MBEDTLS_CHACHA20_C
bool "Enable the ChaCha20 stream cipher."
- default n
+ default y
config MBEDTLS_CHACHAPOLY_C
bool "Enable the ChaCha20-Poly1305 AEAD algorithm."
depends on MBEDTLS_CHACHA20_C && MBEDTLS_POLY1305_C
- default n
+ default y
config MBEDTLS_DHM_C
bool "Enable the Diffie-Hellman-Merkle module."
- default n
+ default y
config MBEDTLS_ECDH_C
bool "Enable the elliptic curve Diffie-Hellman library."
depends on MBEDTLS_ECP_C
- default n
+ default y
config MBEDTLS_ECDSA_C
bool "Enable the elliptic curve DSA library."
depends on MBEDTLS_ECP_C
- default n
+ default y
config MBEDTLS_ECJPAKE_C
bool "Enable the elliptic curve J-PAKE library."
depends on MBEDTLS_ECP_C
- default n
+ default y
config MBEDTLS_ECP_C
bool "Enable the elliptic curve over GF(p) library."
@@ -454,88 +442,88 @@ config MBEDTLS_ECP_C
|| MBEDTLS_ECP_DP_BP256R1_ENABLED ||
MBEDTLS_ECP_DP_BP384R1_ENABLED \
|| MBEDTLS_ECP_DP_BP512R1_ENABLED ||
MBEDTLS_ECP_DP_CURVE25519_ENABLED \
|| MBEDTLS_ECP_DP_CURVE448_ENABLED
- default n
+ default y
config MBEDTLS_ERROR_C
bool "Enable error code to error string conversion."
- default n
+ default y
config MBEDTLS_GCM_C
bool "Enable the Galois/Counter Mode (GCM)."
- default n
+ default y
config MBEDTLS_HKDF_C
bool "Enable the HKDF algorithm (RFC 5869)."
- default n
+ default y
config MBEDTLS_HMAC_DRBG_C
bool "Enable the HMAC_DRBG random generator."
- default n
+ default y
config MBEDTLS_LMS_C
bool "Enable the LMS stateful-hash asymmetric signature algorithm."
depends on MBEDTLS_PSA_CRYPTO_C
- default n
+ default y
config MBEDTLS_NIST_KW_C
bool "Enable the Key Wrapping mode for 128-bit block ciphers."
- default n
+ default y
config MBEDTLS_PKCS5_C
bool "Enable PKCS#5 functions."
- default n
+ default y
config MBEDTLS_PKCS7_C
bool "Enable PKCS #7 core for using PKCS #7-formatted signatures."
depends on MBEDTLS_X509_CRL_PARSE_C
- default n
+ default y
config MBEDTLS_PKCS12_C
bool "Enable PKCS#12 PBE functions."
- default n
+ default y
config MBEDTLS_PLATFORM_C
bool "Enable the platform abstraction layer."
- default n
+ default y
config MBEDTLS_POLY1305_C
bool "Enable the Poly1305 MAC algorithm."
- default n
+ default y
config MBEDTLS_PSA_CRYPTO_C
bool "Enable the Platform Security Architecture cryptography API."
- default n
+ default y
config MBEDTLS_PSA_CRYPTO_STORAGE_C
bool "Enable the Platform Security Architecture persistent key storage."
depends on MBEDTLS_PSA_CRYPTO_C
- default n
+ default y
config MBEDTLS_PSA_ITS_FILE_C
bool "Enable the emulation of the Platform Security Architecture
Internal Trusted Storage (PSA ITS) over files."
- default n
+ default y
config MBEDTLS_RIPEMD160_C
bool "Enable the RIPEMD-160 hash algorithm."
- default n
+ default y
config MBEDTLS_SHA384_C
bool "Enable the SHA-384 cryptographic hash algorithm."
- default n
+ default y
config MBEDTLS_SHA512_C
bool "Enable SHA-512 cryptographic hash algorithms."
- default n
+ default y
config MBEDTLS_SSL_CACHE_C
bool "Enable simple SSL cache implementation."
- default n
+ default y
config MBEDTLS_SSL_TICKET_C
bool "Enable an implementation of TLS server-side callbacks for session
tickets."
depends on (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) && \
(MBEDTLS_GCM_C || MBEDTLS_CCM_C ||
MBEDTLS_CHACHAPOLY_C)
- default n
+ default y
config MBEDTLS_THREADING_C
bool "Enable the threading abstraction layer."
@@ -543,15 +531,11 @@ config MBEDTLS_THREADING_C
config MBEDTLS_VERSION_C
bool "Enable run-time version information."
- default n
+ default y
config MBEDTLS_X509_CRL_PARSE_C
bool "Enable X.509 CRL parsing."
- default n
-
-config MBEDTLS_XTEA_C
- bool "Enable the XTEA block cipher."
- default n
+ default y
config MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE
int "Maximum time difference in milliseconds tolerated between the age
of a ticket from the server and client point of view."
@@ -561,7 +545,7 @@ config MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH
int "Size in bytes of a ticket nonce."
default 32
-config MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH
+config MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS
int "Default number of NewSessionTicket messages to be sent by a TLS
1.3 server after handshake completion."
default 1
diff --git a/crypto/mbedtls/include/mbedtls/mbedtls_config.h
b/crypto/mbedtls/include/mbedtls/mbedtls_config.h
index bb70253fd..9f7c3bb5f 100644
--- a/crypto/mbedtls/include/mbedtls/mbedtls_config.h
+++ b/crypto/mbedtls/include/mbedtls/mbedtls_config.h
@@ -1605,7 +1605,7 @@
* Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID
*/
#ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
-#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
+#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
#endif
/**
