- --
- -- Copyright (C) 2014 by Ole Reinhardt <ole.reinhardt@embedded-it.de>
- -- All rights reserved.
- --
- -- Redistribution and use in source and binary forms, with or without
- -- modification, are permitted provided that the following conditions
- -- are met:
- --
- -- 1. Redistributions of source code must retain the above copyright
- -- notice, this list of conditions and the following disclaimer.
- -- 2. Redistributions in binary form must reproduce the above copyright
- -- notice, this list of conditions and the following disclaimer in the
- -- documentation and/or other materials provided with the distribution.
- -- 3. Neither the name of the copyright holders nor the names of
- -- contributors may be used to endorse or promote products derived
- -- from this software without specific prior written permission.
- --
- -- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- -- ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- -- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- -- FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- -- COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
- -- INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
- -- BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
- -- OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
- -- AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- -- OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
- -- THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- -- SUCH DAMAGE.
- --
- -- For additional information see http://www.ethernut.de/
- --
- -- TLS client and server library
- --
- --
- tls_mode = {
- "TLS_SSL_SERVER_ONLY",
- "TLS_SSL_CERT_VERIFICATION",
- "TLS_SSL_ENABLE_CLIENT",
- "TLS_SSL_FULL_MODE"
- }
- tls_protocol_preference = {
- "TLS_SSL_PROT_LOW",
- "TLS_SSL_PROT_MEDIUM",
- "TLS_SSL_PROT_HIGH"
- }
- nuttls =
- {
- {
- name = "nuttls_tls1",
- brief = "SSL/TLSv1 client / server",
- description = "SSL/TLSv1 client and server implementation",
- requires = { "CRYPTO_AES", "CRYPTO_MD2", "CRYPTO_MD5", "CRYPTO_SHA1", "CRYPTO_RSA" },
- provides = { "TLS_TLS1" },
- sources =
- {
- "tls_misc.c", "asn1.c", "tls1.c", "tls1_clnt.c", "tls1_svr.c"
- },
- options =
- {
- --
- -- TLS Mode settings (client / server)
- --
- {
- macro = "TLS_SSL_SERVER_ONLY",
- brief = "Server only - no verification",
- description = "Enable server functionality (no client functionality).\n\n"..
- "This mode still supports sessions and chaining (which can be turned "..
- "off in configuration).\n\n"..
- "This is the most space efficient of the modes with the library "..
- "about 45kB in size on ARM. Use this mode if you are doing standard SSL server "..
- "work.",
- flavor = "boolean",
- exclusivity = tls_mode,
- file = "include/cfg/tls.h",
- },
- {
- macro = "TLS_SSL_CERT_VERIFICATION",
- brief = "Server only - with verification",
- description = "Enable server functionality with client authentication (no client functionality).\n\n"..
- "This mode produces a library about 49kB in size. Use this mode if you "..
- "have an SSL server which requires client authentication (which is "..
- "uncommon in browser applications).",
- flavor = "boolean",
- exclusivity = tls_mode,
- file = "include/cfg/tls.h",
- },
- {
- macro = "TLS_SSL_ENABLE_CLIENT",
- brief = "Client & Server enabled",
- description = "Enable client/server functionality (including peer authentication)\n\n"..
- "This mode produces a library about 51kB in size. Use this mode if you "..
- "require axTLS to use SSL client functionality (the SSL server code "..
- "is always enabled).",
- flavor = "boolean",
- exclusivity = tls_mode,
- file = "include/cfg/tls.h",
- },
- {
- macro = "TLS_SSL_FULL_MODE",
- brief = "Client/Server enabled with diagnostics",
- description = "Enable client/server functionality including diagnostics. "..
- "Most of the extra size in this mode is due to the storage "..
- "of various strings that are used.\n\n"..
- "This mode produces a library about 58kB in size. It is suggested that "..
- "this mode is used only during development, or systems that have more "..
- "generous memory limits.\n",
- flavor = "boolean",
- exclusivity = tls_mode,
- file = "include/cfg/tls.h",
- },
- {
- macro = "TLS_SSL_CTX_MUTEXING",
- brief = "Enable SSL_CTX mutexing",
- description = "Normally mutexing is not required - each SSL_CTX object can deal with "..
- "many SSL objects (as long as each SSL_CTX object is using a single "..
- "thread).\n\n"..
- "If the SSL_CTX object is not thread safe e.g. the case where a "..
- "new thread is created for each SSL object, then mutexing is required.\n\n"..
- "Select y when a mutex on the SSL_CTX object is required.",
- flavor = "boolean",
- file = "include/cfg/tls.h",
- },
- },
- },
- {
- name = "nuttls_protocol",
- brief = "SSL/TLSv1 protocol settings",
- description = "SSL/TLSv1 protocol settings",
- requires = { "TLS_TLS1"},
- provides = { "TLS_TLS1_PROTOCOL" },
- options =
- {
- --
- -- TLS protocol security preferences
- --
- {
- macro = "TLS_SSL_PROT_LOW",
- brief = "Low security mode",
- description = "Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA.\n\n"..
- "This will use the fastest cipher(s) but at the expense of security. ",
- flavor = "boolean",
- exclusivity = tls_protocol_preference,
- file = "include/cfg/tls.h",
- },
- {
- macro = "TLS_SSL_PROT_MEDIUM",
- brief = "Medium security mode",
- description = "Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA.\n\n"..
- "This mode is a balance between speed and security and is the default. ",
- flavor = "boolean",
- exclusivity = tls_protocol_preference,
- file = "include/cfg/tls.h",
- },
- {
- macro = "TLS_SSL_PROT_HIGH",
- brief = "High security mode",
- description = "Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA.\n\n"..
- "This will use the strongest cipher(s) at the cost of speed. ",
- flavor = "boolean",
- exclusivity = tls_protocol_preference,
- file = "include/cfg/tls.h",
- },
- {
- macro = "TLS_SSL_ENABLE_V23_HANDSHAKE",
- brief = "Enable v23 Handshake",
- description = "Some browsers use the v23 handshake client hello message "..
- "(an SSL2 format message which all SSL servers can understand). "..
- "It may be used if SSL2 is enabled in the browser.\n\n"..
- "Since this feature takes a kB or so, this feature may be disabled - at "..
- "the risk of making it incompatible with some browsers (IE6 is ok, "..
- "Firefox 1.5 and below use it).\n\n"..
- "Disable if backwards compatibility is not an issue (i.e. the client is "..
- "always using TLS1.0)",
- flavor = "boolean",
- file = "include/cfg/tls.h",
- },
- },
- },
- {
- name = "nuttls_certificates",
- brief = "Certificate handling",
- description = "Certificate handling",
- requires = { "TLS_TLS1" },
- provides = { "TLS_TLS1_CERTIFICATES" },
- sources =
- {
- "gen_cert.c", "loader.c", "p12.c", "x509.c"
- },
- options =
- {
- --
- -- Certificate settings
- --
- {
- macro = "TLS_SSL_HAS_PEM",
- brief = "Enable PEM",
- description = "Enable the use of PEM format for certificates and private keys.\n\n"..
- "PEM is not normally needed - PEM files can be converted into DER files "..
- "quite easily. However they have the convenience of allowing multiple "..
- "certificates/keys in the same file.\n\n"..
- "This feature will add a couple of kB to the library.\n\n"..
- "Disable if PEM is not used (which will be in most cases).",
- flavor = "boolean",
- file = "include/cfg/tls.h",
- },
- {
- macro = "TLS_SSL_USE_PKCS12",
- brief = "Use PKCS8/PKCS12",
- description = "PKCS#12 certificates combine private keys and certificates "..
- "together in one file.\n\n"..
- "PKCS#8 private keys are also suppported (as it is a subset of PKCS#12).\n\n"..
- "The decryption of these certificates uses RC4-128 (and these "..
- "certificates must be encrypted using this cipher). The actual "..
- "algorithm is 'PBE-SHA1-RC4-128'.\n\n"..
- "Disable if PKCS#12 is not used (which will be in most cases).",
- flavor = "boolean",
- file = "include/cfg/tls.h",
- },
- {
- macro = "TLS_SSL_EXPIRY_TIME",
- brief = "Session expiry time (in hours)",
- description = "The time (in hours) before a session expires.\n\n"..
- "A longer time means that the expensive parts of a handshake don't "..
- "need to be run when a client reconnects later.\n\n"..
- "The default is 1 day.",
- default = 24,
- flavor = "integer",
- file = "include/cfg/tls.h",
- },
- {
- macro = "TLS_X509_MAX_CA_CERTS",
- brief = "Maximum number of certificate authorites",
- description = "Determines the number of CA's allowed.\n\n"..
- "Increase this figure if more trusted sites are allowed. Each "..
- "certificate adds about 300 bytes (when added).\n\n"..
- "The default is to allow the Debian cert bundle to be parsed.",
- default = 150,
- flavor = "integer",
- file = "include/cfg/tls.h",
- },
- {
- macro = "TLS_SSL_MAX_CERTS",
- brief = "Maximum number of chained certificates",
- description = "Determines the number of certificates used in a certificate "..
- "chain. The chain length must be at least 1.\n\n"..
- "Increase this figure if more certificates are to be added to the "..
- "chain. Each certificate adds about 300 bytes (when added).\n\n"..
- "The default is to allow one certificate + 2 certificates in the chain.",
- default = 3,
- flavor = "integer",
- file = "include/cfg/tls.h",
- },
- },
- },
- }