3c0ef48bc8
The ARIA block cipher is pretty uncommon in TLS, deactivate it for now. This saves some space and reduces the possible variations and attack vectors of mbedtls. ARIA support was deactivated in OpenWrt 23.05 by default. Link: https://github.com/openwrt/openwrt/pull/17342 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
if PACKAGE_libmbedtls

comment "Option details in source code: include/mbedtls/mbedtls_config.h"

# Every symbol in this menu is named after the mbedtls_config.h macro it
# controls (see the comment above). A "default n" module is compiled out of
# the library entirely, which both shrinks the binary and removes that code
# from what a remote peer can exercise.

comment "Ciphers - unselect old or less-used ciphers to reduce binary size"

config MBEDTLS_AES_C
	bool "MBEDTLS_AES_C"
	default y

# ARIA is rarely negotiated in TLS; it is off by default to save space and to
# reduce the number of cipher implementations reachable from the wire.
config MBEDTLS_ARIA_C
	bool "MBEDTLS_ARIA_C"
	default n

config MBEDTLS_CAMELLIA_C
	bool "MBEDTLS_CAMELLIA_C"
	default n

config MBEDTLS_CCM_C
	bool "MBEDTLS_CCM_C"
	default n

# CMAC, DES and NIST key wrap are kept on despite their age because the prompt
# text names hostapd as a consumer; presumably turning them off breaks that
# package's build — verify against the hostapd package before changing.
config MBEDTLS_CMAC_C
	bool "MBEDTLS_CMAC_C (old but used by hostapd)"
	default y

config MBEDTLS_DES_C
	bool "MBEDTLS_DES_C (old but used by hostapd)"
	default y

config MBEDTLS_GCM_C
	bool "MBEDTLS_GCM_C"
	default y

config MBEDTLS_NIST_KW_C
	bool "MBEDTLS_NIST_KW_C (old but used by hostapd)"
	default y

config MBEDTLS_RIPEMD160_C
	bool "MBEDTLS_RIPEMD160_C"
	default n

# Per mbedtls_config.h this disables the CRT optimisation of the RSA private
# operation (a size/speed trade-off, not a cipher on/off switch).
config MBEDTLS_RSA_NO_CRT
	bool "MBEDTLS_RSA_NO_CRT"
	default y

# TLS 1.2 key exchanges. Of the PSK family only plain PSK and ECDHE-PSK are on
# by default; the finite-field DHE and RSA-PSK variants stay off.
config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
	bool "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED"
	default y

config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
	bool "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED"
	default n

config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
	bool "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED"
	default y

config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
	bool "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED"
	default n

# Certificate-based key exchanges: only the ephemeral-ECDH forms (ECDHE-RSA,
# ECDHE-ECDSA), which provide forward secrecy, default to y. Static RSA,
# finite-field DHE-RSA and static ECDH stay off.
config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
	bool "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED"
	default n

config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
	bool "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED"
	default n

config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
	bool "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED"
	default y

config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
	bool "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
	default y

config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
	bool "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
	default n

config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
	bool "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED"
	default n

comment "Curves - unselect old or less-used curves to reduce binary size"

# Enabled by default: the NIST P-256/P-384/P-521 curves, secp256k1 and
# Curve25519. The 192/224-bit curves, the Brainpool curves and Curve448 are
# off; each curve that stays off is one less point-arithmetic path reachable
# from a peer's key share.
config MBEDTLS_ECP_DP_SECP192R1_ENABLED
	bool "MBEDTLS_ECP_DP_SECP192R1_ENABLED"
	default n

config MBEDTLS_ECP_DP_SECP224R1_ENABLED
	bool "MBEDTLS_ECP_DP_SECP224R1_ENABLED"
	default n

config MBEDTLS_ECP_DP_SECP256R1_ENABLED
	bool "MBEDTLS_ECP_DP_SECP256R1_ENABLED"
	default y

config MBEDTLS_ECP_DP_SECP384R1_ENABLED
	bool "MBEDTLS_ECP_DP_SECP384R1_ENABLED"
	default y

config MBEDTLS_ECP_DP_SECP521R1_ENABLED
	bool "MBEDTLS_ECP_DP_SECP521R1_ENABLED"
	default y

config MBEDTLS_ECP_DP_SECP192K1_ENABLED
	bool "MBEDTLS_ECP_DP_SECP192K1_ENABLED"
	default n

config MBEDTLS_ECP_DP_SECP224K1_ENABLED
	bool "MBEDTLS_ECP_DP_SECP224K1_ENABLED"
	default n

config MBEDTLS_ECP_DP_SECP256K1_ENABLED
	bool "MBEDTLS_ECP_DP_SECP256K1_ENABLED"
	default y

config MBEDTLS_ECP_DP_BP256R1_ENABLED
	bool "MBEDTLS_ECP_DP_BP256R1_ENABLED"
	default n

config MBEDTLS_ECP_DP_BP384R1_ENABLED
	bool "MBEDTLS_ECP_DP_BP384R1_ENABLED"
	default n

config MBEDTLS_ECP_DP_BP512R1_ENABLED
	bool "MBEDTLS_ECP_DP_BP512R1_ENABLED"
	default n

config MBEDTLS_ECP_DP_CURVE25519_ENABLED
	bool "MBEDTLS_ECP_DP_CURVE25519_ENABLED"
	default y

config MBEDTLS_ECP_DP_CURVE448_ENABLED
	bool "MBEDTLS_ECP_DP_CURVE448_ENABLED"
	default n

comment "Build Options - unselect features to reduce binary size"

config MBEDTLS_CIPHER_MODE_OFB
	bool "MBEDTLS_CIPHER_MODE_OFB"
	default n

config MBEDTLS_CIPHER_MODE_XTS
	bool "MBEDTLS_CIPHER_MODE_XTS"
	default n

# Debug output is compiled out by default; enabling it adds code and makes the
# library log handshake internals, so keep it a deliberate opt-in.
config MBEDTLS_DEBUG_C
	bool "MBEDTLS_DEBUG_C"
	default n

# "default n" here is only the standalone default: MBEDTLS_SSL_PROTO_TLS1_3
# below selects this symbol, so HKDF is effectively built whenever TLS 1.3 is.
config MBEDTLS_HKDF_C
	bool "MBEDTLS_HKDF_C"
	default n

config MBEDTLS_PLATFORM_C
	bool "MBEDTLS_PLATFORM_C"
	default n

config MBEDTLS_SELF_TEST
	bool "MBEDTLS_SELF_TEST"
	default n

config MBEDTLS_THREADING_C
	bool "MBEDTLS_THREADING_C"
	default y

# No prompt: the pthread backend simply follows MBEDTLS_THREADING_C.
config MBEDTLS_THREADING_PTHREAD
	def_bool MBEDTLS_THREADING_C

config MBEDTLS_VERSION_C
	bool "MBEDTLS_VERSION_C"
	default n

config MBEDTLS_VERSION_FEATURES
	bool "MBEDTLS_VERSION_FEATURES"
	default n

# No default line: this is n unless something selects it, which
# MBEDTLS_SSL_PROTO_TLS1_3 below does.
config MBEDTLS_PSA_CRYPTO_CLIENT
	bool "MBEDTLS_PSA_CRYPTO_CLIENT"

config MBEDTLS_DEPRECATED_WARNING
	bool "MBEDTLS_DEPRECATED_WARNING"
	default n

# Both protocol versions are on by default. TLS 1.3 pulls in the PSA client
# and HKDF modules it needs via "select", so they cannot be unset while it is
# enabled.
config MBEDTLS_SSL_PROTO_TLS1_2
	bool "MBEDTLS_SSL_PROTO_TLS1_2"
	default y

config MBEDTLS_SSL_PROTO_TLS1_3
	bool "MBEDTLS_SSL_PROTO_TLS1_3"
	select MBEDTLS_PSA_CRYPTO_CLIENT
	select MBEDTLS_HKDF_C
	default y

# TLS 1.3 sub-options; all are hidden when TLS 1.3 is off and all default to y
# when it is on (PSK, ephemeral and PSK+ephemeral key exchange modes).
config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
	bool "MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE"
	depends on MBEDTLS_SSL_PROTO_TLS1_3
	default y

config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
	bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED"
	depends on MBEDTLS_SSL_PROTO_TLS1_3
	default y

config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
	bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED"
	depends on MBEDTLS_SSL_PROTO_TLS1_3
	default y

config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
	bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED"
	depends on MBEDTLS_SSL_PROTO_TLS1_3
	default y

comment "Build Options"

config MBEDTLS_ENTROPY_FORCE_SHA256
	bool "MBEDTLS_ENTROPY_FORCE_SHA256"
	default y

# Renegotiation only exists in TLS 1.2 (hence the dependency) and is off by
# default, which keeps the renegotiation state machine out of the code a peer
# can drive. Enable only for a consumer that genuinely needs it.
config MBEDTLS_SSL_RENEGOTIATION
	bool "MBEDTLS_SSL_RENEGOTIATION"
	depends on MBEDTLS_SSL_PROTO_TLS1_2
	default n

endif