diff --git a/modules/mbedtls/Kconfig.crypto b/modules/mbedtls/Kconfig.crypto
index 78ba12aae3625b4..5bb4774ee24e959 100644
--- a/modules/mbedtls/Kconfig.crypto
+++ b/modules/mbedtls/Kconfig.crypto
@@ -380,12 +380,6 @@ endmenu # PSA crypto core
 config MBEDTLS_HKDF_C
 	bool "HMAC-based Extract-and-Expand Key Derivation Function"
 
-config MBEDTLS_PEM_CERTIFICATE_FORMAT
-	bool "Support for PEM certificate format"
-	help
-	  By default only DER (binary) format of certificates is supported. Enable
-	  this option to enable support for PEM format.
-
 config MBEDTLS_HAVE_ASM
 	bool "Use of assembly code"
 	default y if !ARM
diff --git a/modules/mbedtls/Kconfig.tls b/modules/mbedtls/Kconfig.tls
index 3ddb4bf51cf0a27..271ca7713886f96 100644
--- a/modules/mbedtls/Kconfig.tls
+++ b/modules/mbedtls/Kconfig.tls
@@ -62,6 +62,7 @@ config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 
 config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
 	bool "RSA-PSK based ciphersuite modes"
+	select MBEDTLS_X509_CRT_PARSE_C
 	imply MBEDTLS_RSA_C if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V15 if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V21 if !PSA_CRYPTO_CLIENT
@@ -77,6 +78,7 @@ config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 	bool "RSA-only based ciphersuite modes"
 	default y if UOSCORE || UEDHOC
 	select MBEDTLS_MD
+	select MBEDTLS_X509_CRT_PARSE_C
 	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT if PSA_CRYPTO_CLIENT
@@ -87,6 +89,7 @@ config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 
 config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 	bool "DHE-RSA based ciphersuite modes"
+	select MBEDTLS_X509_CRT_PARSE_C
 	imply MBEDTLS_RSA_C if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V15 if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V21 if !PSA_CRYPTO_CLIENT
@@ -94,16 +97,19 @@ config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 	bool "ECDHE-RSA based ciphersuite modes"
 	depends on MBEDTLS_ECDH_C
+	select MBEDTLS_X509_CRT_PARSE_C
 	imply MBEDTLS_RSA_C if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V15 if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V21 if !PSA_CRYPTO_CLIENT
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 	bool "ECDHE-ECDSA based ciphersuite modes"
+	select MBEDTLS_X509_CRT_PARSE_C
 	depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
 
 config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 	bool "ECDH-ECDSA based ciphersuite modes"
+	select MBEDTLS_X509_CRT_PARSE_C
 	depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
 
 config MBEDTLS_ECDSA_DETERMINISTIC
@@ -111,6 +117,7 @@ config MBEDTLS_ECDSA_DETERMINISTIC
 
 config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
 	bool "ECDH-RSA based ciphersuite modes"
+	select MBEDTLS_X509_CRT_PARSE_C
 	depends on MBEDTLS_ECDH_C
 
 config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
@@ -124,19 +131,20 @@ config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 
 config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 	bool "TLS 1.3 ephemeral key exchange mode"
+	select MBEDTLS_X509_CRT_PARSE_C
 
 config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 	bool "TLS 1.3 PSK ephemeral key exchange mode"
 
 endif # MBEDTLS_TLS_VERSION_1_3
 
-endmenu # Key exchanges
+endmenu # Ciphersuites
 
 config MBEDTLS_SERVER_NAME_INDICATION
 	bool "Support for RFC 6066 server name indication (SNI) in SSL"
+	depends on MBEDTLS_X509_CRT_PARSE_C
 	help
 	  Enable this to support RFC 6066 server name indication (SNI) in SSL.
-	  This requires that MBEDTLS_X509_CRT_PARSE_C is also set.
 
 config MBEDTLS_SSL_CACHE_C
 	bool "SSL session cache support"
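Review bot: The placement of the new `select MBEDTLS_X509_CRT_PARSE_C` line is inconsistent within this hunk: under MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED it comes after `depends on`, while under MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED and MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED it is inserted before `depends on`; the same applies to MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED in the next hunk. Keeping `depends on` first and `select` after it, as the ECDHE-RSA entry already does, reads more consistently across the menu. Note that `select` forces the target on regardless of the target's own dependencies; that is harmless here only as long as MBEDTLS_X509_CRT_PARSE_C, as defined in the X.509 menu, keeps no `depends on` of its own.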
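Review bot: The closing comment is renamed from `endmenu # Key exchanges` to `endmenu # Ciphersuites`, but the matching `menu` line is outside this hunk, so it is not visible here whether its title was renamed to match; if the menu still opens as "Key exchanges", the comment now disagrees with it. Replacing the help sentence on MBEDTLS_SERVER_NAME_INDICATION with `depends on MBEDTLS_X509_CRT_PARSE_C` is a better approach than prose, since the requirement is enforced instead of merely described; consider keeping a one-line help note such as `Requires X.509 certificate parsing (MBEDTLS_X509_CRT_PARSE_C).` so a user who finds the option greyed out knows what to enable.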
@@ -190,21 +198,25 @@ endmenu # TLS
 menu "X.509"
 
 config MBEDTLS_X509_CRL_PARSE_C
-	bool "X.509 CRL parsing"
-	help
-	  Used by X.509 CRL parsing
+	bool "X.509 Certificate Revocation List parsing"
 
 config MBEDTLS_X509_CSR_WRITE_C
 	bool "X.509 Certificate Signing Requests writing"
-	help
-	  For X.509 certificate request writing.
 
 config MBEDTLS_X509_CSR_PARSE_C
 	bool "X.509 Certificate Signing Request parsing"
-	help
-	  For reading X.509 certificate request.
+
+config MBEDTLS_X509_CRT_PARSE_C
+	bool "X.509 certificate parsing"
 
 config MBEDTLS_X509_CRT_WRITE_C
 	bool "X.509 certificate creation"
 
+config MBEDTLS_PEM_CERTIFICATE_FORMAT
+	bool "Support for PEM certificate format"
+	depends on MBEDTLS_X509_CRT_PARSE_C
+	help
+	  By default only DER (binary) format of certificates is supported. Enable
+	  this option to enable support for PEM format.
+
 endmenu # X.509
diff --git a/modules/mbedtls/configs/config-mbedtls.h b/modules/mbedtls/configs/config-mbedtls.h
index d762486cd081429..0029e47ffe1f445 100644
--- a/modules/mbedtls/configs/config-mbedtls.h
+++ b/modules/mbedtls/configs/config-mbedtls.h
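Review bot: The new MBEDTLS_X509_CRT_PARSE_C symbol has no help text, and this hunk also removes the help text of the CRL and CSR symbols, so nothing in the menu tells a user that this option gates the certificate parser, PEM support and SNI. Suggest a help block under the new `bool "X.509 certificate parsing"` saying that it enables parsing of X.509 certificates, that it is selected automatically by the certificate-based TLS key exchanges, and that PEM certificate format and SNI depend on it. Separately, config-mbedtls.h now defines MBEDTLS_X509_USE_C only under CONFIG_MBEDTLS_X509_CRT_PARSE_C; if the CRL and CSR parsers require MBEDTLS_X509_USE_C, as I believe Mbed TLS's configuration checks do, then MBEDTLS_X509_CRL_PARSE_C and MBEDTLS_X509_CSR_PARSE_C should also carry `depends on MBEDTLS_X509_CRT_PARSE_C`, otherwise a build that enables only one of them fails at compile time instead of in Kconfig.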
@@ -456,27 +456,11 @@
 #define MBEDTLS_PKCS1_V21
 #endif
 
-/* Automatic dependencies */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
-#define MBEDTLS_DHM_C
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
-	defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+#if defined(CONFIG_MBEDTLS_X509_CRT_PARSE_C)
 #define MBEDTLS_X509_CRT_PARSE_C
 #define MBEDTLS_X509_USE_C
 #endif
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-
 #if defined(CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT)
 #define MBEDTLS_PEM_PARSE_C
 #define MBEDTLS_PEM_WRITE_C
@@ -487,7 +471,12 @@
 #define MBEDTLS_SSL_SERVER_NAME_INDICATION
 #endif
 
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+/* Automatic dependencies */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
+	defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#define MBEDTLS_DHM_C
+#endif
 
 #if defined(MBEDTLS_DHM_C) || \
 	defined(MBEDTLS_ECP_C) || \
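Review bot: The PEM block `#if defined(CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT)` (and the SNI block that follows it, whose opening `#if` is outside this hunk) is no longer wrapped in `#if defined(MBEDTLS_X509_CRT_PARSE_C)` in this file, so its correctness now rests solely on the Kconfig `depends on MBEDTLS_X509_CRT_PARSE_C` of both symbols, and nothing in the header says so. A reader checking this header against Mbed TLS's own prerequisites will otherwise assume the guard was dropped by mistake. Suggest a comment before the PEM block: `/* PEM parsing and SNI require MBEDTLS_X509_CRT_PARSE_C; Kconfig enforces this via "depends on", so no extra guard is needed here. */`.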