diff --git a/crypto/mbedtls/Kconfig b/crypto/mbedtls/Kconfig
index b4b7da68bcc..af1fa986045 100644
--- a/crypto/mbedtls/Kconfig
+++ b/crypto/mbedtls/Kconfig
@@ -21,15 +21,21 @@ config MBEDTLS_DEBUG_C
 ---help---
 This module provides debugging functions.
-config MBEDTLS_SSL_MAX_CONTENT_LEN
- int "Maximum length (in bytes) of incoming and outgoing plaintext fragments."
+config MBEDTLS_SSL_IN_CONTENT_LEN
+ int "Maximum length (in bytes) of incoming plaintext fragments."
 default 16384
 ---help---
- Maximum length (in bytes) of incoming and outgoing plaintext fragments.
+ Maximum length (in bytes) of incoming plaintext fragments.
+
+config MBEDTLS_SSL_OUT_CONTENT_LEN
+ int "Maximum length (in bytes) of outgoing plaintext fragments."
+ default 16384
+ ---help---
+ Maximum length (in bytes) of outgoing plaintext fragments.
 config MBEDTLS_SSL_SRV_C
 bool "This module is required for SSL/TLS server support."
- default y
+ default n
 ---help---
 This module is required for SSL/TLS server support.
@@ -47,10 +53,6 @@ config MBEDTLS_AES_ROM_TABLES
 bool "Store the AES tables in ROM."
 default n
-config MBEDTLS_REMOVE_ARC4_CIPHERSUITES
- bool "Remove RC4 ciphersuites by default in SSL / TLS."
- default n
-
 config MBEDTLS_NO_PLATFORM_ENTROPY
 bool "Do not use built-in platform entropy functions."
 default n
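Review bot: The rename from MBEDTLS_SSL_MAX_CONTENT_LEN to MBEDTLS_SSL_IN_CONTENT_LEN and MBEDTLS_SSL_OUT_CONTENT_LEN removes the old symbol with no migration path, so a defconfig that tuned CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN to shrink the TLS buffers silently reverts to 16384 in both directions; the two mbedtls_config.h hunks mirror the rename and likewise honour only the new names. Neither new int has a `range`, so a typo can request a buffer larger than the 16384-byte TLS plaintext record limit or smaller than a handshake flight needs, and that only surfaces at runtime; `range <MIN_PLACEHOLDER> 16384` on both entries would fail at configuration time instead. The help text could also carry upstream's caveat that reducing either buffer below 16384 is only safe when you control both peers or all of them use the Max Fragment Length extension. Flipping MBEDTLS_SSL_SRV_C to `default n` in the same hunk drops server support from every build that relied on the old default, which deserves a mention in the commit message.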
@@ -61,27 +63,23 @@ config MBEDTLS_ECP_RESTARTABLE
 config MBEDTLS_SELF_TEST
 bool "Enable the checkup functions (*_self_test)."
- default y
+ default n
 config MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
 bool "Enable server-side support for clients that reconnect from the same port."
- default n
+ default y
 config MBEDTLS_BLOWFISH_C
 bool "Enable the Blowfish block cipher."
- default n
+ default y
 config MBEDTLS_CAMELLIA_C
 bool "Enable the Camellia block cipher."
- default n
-
-config MBEDTLS_CERTS_C
- bool "Enable the test certificates."
- default n
+ default y
 config MBEDTLS_PADLOCK_C
 bool "Enable VIA Padlock support on x86."
- default n
+ default y if !MBEDTLS_AES_ALT
 config MBEDTLS_TIMING_C
 bool "Enable the semi-portable timing interface."
@@ -89,40 +87,40 @@ config MBEDTLS_TIMING_C
 config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 bool "Enable the availability of the API mbedtls_ssl_get_peer_cert() giving access to the peer's certificate after completion of the handshake."
- default n
+ default y
 config MBEDTLS_SSL_PROTO_DTLS
 bool "Enable support for DTLS (all available versions)."
- default n
+ default y
 if MBEDTLS_SSL_PROTO_DTLS
 config MBEDTLS_SSL_DTLS_ANTI_REPLAY
 bool "Enable support for the anti-replay mechanism in DTLS."
- default n
+ default y
 config MBEDTLS_SSL_DTLS_HELLO_VERIFY
 bool "Enable support for HelloVerifyRequest on DTLS servers."
- default n
+ default y
 config MBEDTLS_SSL_DTLS_BADMAC_LIMIT
 bool "Enable support for a limit of records with bad MAC."
- default n
+ default y
 config MBEDTLS_SSL_DTLS_CONNECTION_ID
 bool "Enable the Connection ID extension."
- default n
+ default y
 config MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
 bool "Enable the standard version of DTLS Connection ID feature."
 depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
- default n
+ default y
 endif # MBEDTLS_SSL_PROTO_DTLS
 config MBEDTLS_SSL_ALPN
 bool "Enable support for RFC 7301 Application Layer Protocol Negotiation."
- default n
+ default y
 config MBEDTLS_AESNI_C
 bool "Enable AES-NI support on x86-64."
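Review bot: MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE now defaults to y, yet it sits before the `if MBEDTLS_SSL_PROTO_DTLS` block with no `depends on`, so it is enabled even in builds without DTLS; upstream mbed TLS documents it as requiring MBEDTLS_SSL_DTLS_HELLO_VERIFY and, as far as I can see, check_config.h rejects the combination, which will bite as soon as the CONFIG_ symbol is mapped into mbedtls_config.h the way the content-length ones are. Adding `depends on MBEDTLS_SSL_DTLS_HELLO_VERIFY`, or moving the entry inside the DTLS block, keeps the menu from offering an inconsistent set. Turning on MBEDTLS_BLOWFISH_C and MBEDTLS_CAMELLIA_C by default enlarges both the image and the set of ciphers an application can end up selecting; Blowfish in particular is a legacy 64-bit-block cipher whose block size bounds how much data one key can safely protect, so leaving it opt-in is the conservative default. MBEDTLS_SELF_TEST going to n also silently removes the *_self_test functions from builds that never set it explicitly.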
@@ -134,7 +132,7 @@ config MBEDTLS_ECP_WINDOW_SIZE
 config MBEDTLS_ECP_FIXED_POINT_OPTIM
 bool "Enable fixed-point speed-up"
- default n
+ default y
 config MBEDTLS_CMAC_C
 bool "Enable the CMAC (Cipher-based Message Authentication Code) mode for block"
@@ -183,6 +181,10 @@ config MBEDTLS_X509_CSR_PARSE_C
 bool "Enable X.509 Certificate Signing Request (CSR) parsing."
 default n
+config MBEDTLS_X509_CRT_POOL
+ bool "Enable the X509 Certificate Pool"
+ default n
+
 if CRYPTO_CRYPTODEV
 config MBEDTLS_ALT
diff --git a/crypto/mbedtls/include/mbedtls/mbedtls_config.h b/crypto/mbedtls/include/mbedtls/mbedtls_config.h
index 77e4d666b3d..3e810a48204 100644
--- a/crypto/mbedtls/include/mbedtls/mbedtls_config.h
+++ b/crypto/mbedtls/include/mbedtls/mbedtls_config.h
@@ -4381,8 +4381,8 @@
 *
 * Uncomment to set the maximum plaintext size of the incoming I/O buffer.
 */
-#ifdef CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN
-#define MBEDTLS_SSL_IN_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN
+#ifdef CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN
+#define MBEDTLS_SSL_IN_CONTENT_LEN CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN
 #endif
 /** \def MBEDTLS_SSL_CID_IN_LEN_MAX
@@ -4437,8 +4437,8 @@
 *
 * Uncomment to set the maximum plaintext size of the outgoing I/O buffer.
 */
-#ifdef CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN
-#define MBEDTLS_SSL_OUT_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN
+#ifdef CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN
+#define MBEDTLS_SSL_OUT_CONTENT_LEN CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN
 #endif
 /** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING
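Review bot: The new MBEDTLS_X509_CRT_POOL entry added after MBEDTLS_X509_CSR_PARSE_C carries no `---help---` text, unlike every neighbouring symbol, so menuconfig gives no hint what the pool holds, what it costs in RAM, or which code reads CONFIG_MBEDTLS_X509_CRT_POOL; a short help block stating the pool's purpose, its memory footprint and the consumer of the option would fix that. A pool of parsed certificates presumably only makes sense when certificate parsing is compiled in, so a `depends on` the corresponding X.509 certificate-parsing symbol, if this Kconfig defines one, would keep it from being offered in builds that cannot use it — worth confirming against the code that consumes the option.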