# Kconfig template
#
# Copyright (C) 2006-2024 wolfSSL Inc.  All rights reserved.
#
# This file is part of wolfSSL.
#
# wolfSSL is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# wolfSSL is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
#

# Kconfig File Version 5.7.2.001 for esp-idf integration

# Kconfig Format Rules
#
# See:
#  https://docs.espressif.com/projects/esp-idf/en/stable/esp32/api-reference/kconfig.html
#
# Format rules for Kconfig files are as follows:
#
# Option names in any menus should have consistent prefixes. The prefix
# currently should have at least 3 characters.
#
# The unit of indentation should be 4 spaces. All sub-items belonging to a
# parent item are indented by one level deeper. For example, menu is indented
# by 0 spaces, config menu by 4 spaces, help in config by 8 spaces, and the
# text under help by 12 spaces.
#
# No trailing spaces are allowed at the end of the lines.
#
# The maximum length of options is NOT 50 characters as documented.
#   kconfcheck will complain that options should be 40 at most.
#
# Fix option lengths first. Superfluous errors on other lines may occur.
#
# The maximum length of lines is 120 characters.
#
# python -m kconfcheck <path_to_kconfig_file>
#
# ---------------------------------------------------------------------------------------------------------------------
# Begin main wolfSSL configuration menu
# ---------------------------------------------------------------------------------------------------------------------
#   See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL

menu "wolfSSL"

    menu "Hardening"
        config ESP_WOLFSSL_WC_NO_HARDEN
            bool "Disable wolfSSL hardening"
            default n
            help
                Sets WC_NO_HARDEN

        config ESP_WOLFSSL_TFM_TIMING_RESISTANT
            bool "Enable TFM Timing Resistant Code"
            default n
            help
                Sets TFM_TIMING_RESISTANT.

    endmenu # Hardening

    config ESP_WOLFSSL_ENABLE_BENCHMARK
        bool "Enable wolfSSL Benchmark Library"
        default n
        help
            Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK.


    menu "Benchmark Debug"
        config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING
            bool "Enable benchmark timing debug"
            depends on ESP_WOLFSSL_ENABLE_BENCHMARK
            default n
            help
                Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc).

        config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG
            bool "Enable benchmark timer debug"
            depends on ESP_WOLFSSL_ENABLE_BENCHMARK
            default n
            help
                Turn on timer debugging (used when CPU cycles not available)

    endmenu # Benchmark Debug

    # -----------------------------------------------------------------------------------------------------------------
    # wolfCrypt Test
    # -----------------------------------------------------------------------------------------------------------------
    config ESP_WOLFSSL_ENABLE_TEST
        bool "Enable wolfCrypt Test Library"
        default n
        help
            Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST.

    menu "wolfCrypt tests"
        config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS
            bool "Enable wolfCrypt Test Options"
            depends on ESP_WOLFSSL_ENABLE_TEST
            default n
            help
                Enables HAVE_WOLFCRYPT_TEST_OPTIONS

        config TEST_ESPIDF_ALL_WOLFSSL
            bool "Enable all features to use in tests"
            depends on ESP_WOLFSSL_ENABLE_TEST
            default n
            help
                Enables TEST_ESPIDF_ALL_WOLFSSL

    endmenu # wolfCrypt tests

    # -----------------------------------------------------------------------------------------------------------------
    # Apple HomeKit Options
    # -----------------------------------------------------------------------------------------------------------------
    menu "Apple HomeKit"
        config WOLFSSL_APPLE_HOMEKIT
            bool "Enable Apple HomeKit options"
            default n
            help
                Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit.
    endmenu # Apple HomeKit
    # -----------------------------------------------------------------------------------------------------------------

    config ESP_WOLFSSL_DISABLE_MY_ECC
        bool "Disable ECC in my project"
        default "n"
        help
            ECC is enabled by default. Select this option to disable.

    config ESP_WOLFSSL_ENABLE_MY_USE_RSA
        bool "Enable RSA in my project"
        default "n"
        help
            RSA is disabled by default. Select this option to enable.

    config ESP_WOLFSSL_BENCHMARK
        bool "Enable wolfSSL Benchmark"
        default n
        help
            Enables user settings relevant to benchmark code

    config ESP_TLS_USING_WOLFSSL_SPECIFIED
        bool "Use the specified wolfssl for ESP-TLS"
        default Y
        help
            Includes wolfSSL from specified directory (not using esp-wolfssl).

    config ESP_WOLFSSL_NO_USE_FAST_MATH
        bool "Disable FAST_MATH library and all ESP32 Hardware Acceleration"
        select ESP_WOLFSSL_NO_HW
        select ESP_WOLFSSL_NO_HW_AES
        select ESP_WOLFSSL_NO_HW_HASH
        select ESP_WOLFSSL_NO_HW_RSA_PRI
        select ESP_WOLFSSL_NO_HW_RSA_PRI_MP_MUL
        select ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD
        select ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD
        default n
        help
            When disabling all hardware acceleration for smaller memory footprint,
            disabling TFM fast math provides faster wolfSSL software algorithms in an
            even smaller flash memory footprint.

    menu "Protocol Config"
        config WOLFSSL_HAVE_ALPN
            bool "Enable ALPN (Application Layer Protocol Negotiation) in wolfSSL"
            default y

        config WOLFSSL_ALLOW_TLS13
            bool "Allow TLS 1.3"
            default y
            help
                Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2.
                When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted.

        config WOLFSSL_ALLOW_TLS12
            bool "Allow TLS 1.2"
            default n
            help
                Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2.
                When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted.

        config WOLFSSL_HAVE_TLS_EXTENSIONS
            bool "Enable TLS Extensions"
            default y
            help
                Sets HAVE_TLS_EXTENSIONS which is needed for TLS 1.3, SNI, ALPN, and more.

        config WOLFSSL_ALT_CERT_CHAINS
            bool "Enable Alternate Certificate Chains"
            default n
            help
                The option relaxes the default strict wolfSSL certificate chain processing. This
                will typically need to be enabled when loading only a CA file. Typically solves
                the -188 ASN_NO_SIGNER_E error. Use with caution.

        config WOLFSSL_HAVE_OCSP
            bool "Enable OCSP (Online Certificate Status Protocol) in wolfSSL"
            default n
            help
                Sets HAVE_OCSP

    endmenu # Protocol Config
    # -----------------------------------------------------------------------------------------------------------------

    # -----------------------------------------------------------------------------------------------------------------
    config TLS_STACK_WOLFSSL
        # Invisible option that locks TLS_STACK_WOLFSSL to ESP_TLS_USING_WOLFSSL
        bool
        default n
        select FREERTOS_ENABLE_BACKWARD_COMPATIBILITY
        help
            Includes wolfSSL in ESP-TLS so that it can be compiled with wolfSSL as its SSL/TLS library.
            Enabled when wolfSSL is selected in ESP_TLS_LIBRARY_CHOOSE.

    menu "wolfSSL ESP-TLS"
        depends on ESP_TLS_USING_WOLFSSL

        menu "Certificate Bundle"
            depends on ESP_TLS_USING_WOLFSSL

            config WOLFSSL_CERTIFICATE_BUNDLE
                bool "Enable trusted root certificate bundle"
                default y if ESP_TLS_USING_WOLFSSL
                default n
                depends on ESP_TLS_USING_WOLFSSL
                help
                    Enable support for large number of default root certificates

                    When enabled this option allows user to store default as well
                    as customer specific root certificates in compressed format rather
                    than storing full certificate. For the root certificates the public key and the subject name
                    will be stored.

            config WOLFSSL_NO_ASN_STRICT
                bool "Relax Certificate ASN Strict Checks"
                default n
                depends on ESP_TLS_USING_WOLFSSL
                help
                    Allows sub-optimal certificate ASN checks. Unless using a bundle with known issues,
                    it is recommended to NOT enable this.

            config WOLFSSL_ASN_ALLOW_0_SERIAL
                bool "Allow cert missing an ASN Serial Number"
                default y
                depends on ESP_TLS_USING_WOLFSSL
                help
                    Although not recommended, there may be certificates in the bundle that are missing
                    a serial number. This option allows the missing value without having to fully
                    disable strict ASN checking with WOLFSSL_NO_ASN_STRICT.

            choice WOLFSSL_DEFAULT_CERTIFICATE_BUNDLE
                bool "Default certificate bundle options"
                depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL
                default WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_FULL

                config WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_FULL
                    bool "Use the full default certificate bundle"
                config WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_CMN
                    bool "Use only the most common certificates from the default bundles"
                    help
                        Use only the most common certificates from the default bundles, reducing the size with 50%,
                        while still having around 99% coverage.
                config WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE
                    bool "Do not use the default certificate bundle"
            endchoice

            config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE
                depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL
                default n
                bool "Add custom certificates to the default bundle"
            config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH
                depends on WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL
                string "Custom certificate bundle path"
                help
                    Name of the custom certificate directory or file. This path is evaluated
                    relative to the project root directory.

            config WOLFSSL_CERTIFICATE_BUNDLE_DEPRECATED_LIST
                bool "Add deprecated root certificates"
                depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL && !WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE
                help
                    Include the deprecated list of root certificates in the bundle.
                    This list gets updated when a certificate is removed from the Mozilla's
                    NSS root certificate store. This config can be enabled if you would like
                    to ensure that none of the certificates that were deployed in the product
                    are affected because of the update to bundle. In turn, enabling this
                    config keeps expired, retracted certificates in the bundle and it may
                    pose a security risk.

                    - Deprecated cert list may grow based based on sync with upstream bundle
                    - Deprecated certs would be be removed in ESP-IDF (next) major release

            config WOLFSSL_CERTIFICATE_BUNDLE_MAX_CERTS
                int "Maximum no of certificates allowed in certificate bundle"
                default 200
                depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL

        endmenu
    endmenu # wolfSSL ESP-TLS
    # -----------------------------------------------------------------------------------------------------------------

    # -----------------------------------------------------------------------------------------------------------------
    config ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
        bool "Modify default hardware acceleration settings"
        default n
        help
            When disabling all hardware acceleration for smaller memory footprint,
            disabling TFM fast math provides faster wolfSSL software algorithms in an
            even smaller flash memory footprint.
            Typically used for debugging, analysis, or optimizations. The default
            hardware acceleration features can be each manually adjusted.

    menu "wolfSSL Hardware Acceleration"

        config ESP_WOLFSSL_NO_ESP32_CRYPT
            bool "Disable all ESP32 Hardware Acceleration"
            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
            default n
            select ESP_WOLFSSL_NO_HW_AES
            select ESP_WOLFSSL_NO_HW_HASH
            select ESP_WOLFSSL_NO_HW_RSA_PRI
            select ESP_WOLFSSL_NO_HW_RSA_PRI_MP_MUL
            select ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD
            select ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD
            help
                Hardware acceleration enabled by default. When selected defines: NO_ESP32_CRYPT.
                Consider disabling FASTMATH (other libraries are faster in software and smaller)

        config ESP_WOLFSSL_NO_HW_AES
            bool "Disable all ESP32 AES Hardware Acceleration"
            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
            default n
            help
                Hardware acceleration enabled by default.When selected defines: NO_HW_AES

        config ESP_WOLFSSL_NO_HW_HASH
            bool "Disable all ESP32 SHA Hash Hardware Acceleration"
            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
            default n
            help
                Hardware acceleration enabled by default. When selected defines: NO_HW_HASH

        config ESP_WOLFSSL_NO_HW_RSA_PRI
            bool "Disable all ESP32 RSA Hardware Acceleration"
            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
            default n
            select ESP_WOLFSSL_NO_HW_PRI_MP_MUL
            select ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD
            select ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD
            help
                Hardware acceleration enabled by default. When selected defines: NO_HW_RSA_PRI

        config ESP_WOLFSSL_NO_HW_RSA_PRI_MP_MUL
            bool "Disable all ESP32 Multiplication Hardware Acceleration"
            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
            default n
            help
                Hardware acceleration enabled by default. When selected defines: NO_HW_RSA_PRI_MP_MUL

        config ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD
            bool "Disable all ESP32 Modular Multiplication Hardware Acceleration"
            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
            default n
            help
                Hardware acceleration enabled by default. When selected defines: NO_HW_RSA_PRI_MULMOD

        config ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD
            bool "Disable all ESP32 RSA Exponential Math Hardware Acceleration"
            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
            default n
            help
                Hardware acceleration enabled by default.
                Select this option to force disable: NO_HW_RSA_PRI_EXPTMOD

        config ESP_WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
            bool "Enable debugging of RSA Multiplication operand length"
            default n
            help
                Prints an esp log warning to the default console UART when one of the
                multiplication operands exceeds the maximum size supported by hardware,
                requiring fallback to software. This can be helpful to pick key sizes
                when performance is critical. See also metrics for counting instances.

        config ESP_WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
            bool "Enable debugging of RSA Modular operand length"
            default n
            help
                Prints an esp log warning to the default console UART when one of the
                modular math operands exceeds the maximum size supported by hardware,
                requiring fallback to software. This can be helpful to pick key sizes
                when performance is critical. See also metrics for counting instances.

    endmenu # wolfSSL Hardware Acceleration
    # -----------------------------------------------------------------------------------------------------------------

    # -----------------------------------------------------------------------------------------------------------------
    menu "wolfSSL Experimental Options"

        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
            bool "Enable wolfSSL Experimental Settings"
            default n
            help
                Enables experimental settings for wolfSSL. See documentation.

        config ESP_WOLFSSL_ENABLE_KYBER
            bool "Enable wolfSSL Kyber"
            default n
            help
                Enable debugging messages for wolfSSL. See user_settings.h for additional debug options.

    endmenu # wolfSSL Experimental Options
    # -----------------------------------------------------------------------------------------------------------------

    # -----------------------------------------------------------------------------------------------------------------
    menu "wolfSSL Debug Options"
        config ESP_WOLFSSL_DEBUG_WOLFSSL
            bool "Enable wolfSSL Debugging"
            default n
            help
                Enable debugging messages for wolfSSL. See user_settings.h for additional debug options.

        config ESP_WOLFSSL_TEST_LOOP
            bool "Run test apps in a loop until failure"
            default y
            help
                Enable a loop wrapper for benchmark, http_client, and wolfssl test apps.

    endmenu # wolfSSL Debug Options
    # -----------------------------------------------------------------------------------------------------------------

    # -----------------------------------------------------------------------------------------------------------------
    menu "wolfSSL Customization"
        config CUSTOM_SETTING_WOLFSSL_ROOT
            string "Enter a path for wolfSSL source code"
            default "~/workspace/wolfssl"
            help
                This option lets you specify a directory for the wolfSSL source code (typically a git clone).
                Enter the path using forward slashes (e.g., C:/myfolder/mysubfolder) or double backslashes
                (e.g., C:\\myfolder\\mysubfolder).

    endmenu # wolfSSL Customization
    # -----------------------------------------------------------------------------------------------------------------

    # -----------------------------------------------------------------------------------------------------------------
    menu "Component Config"
        config IGNORE_ESP_IDF_WOLFSSL_COMPONENT
            bool "Ignore the ESP-IDF component of wolfSSL (if present)"
            default n
            help
                Ignores wolfSSL present in the esp-idf/components directory. Requires wolfssl as a local component.

        config IGNORE_LOCAL_WOLFSSL_COMPONENT
            bool "Ignore the local component of wolfSSL (if present)"
            default n
            help
                Ignores wolfSSL present in the local project components directory.
                Requires wolfssl as a ESP-IDF component.

    endmenu # Component Config
    # -----------------------------------------------------------------------------------------------------------------

    # -----------------------------------------------------------------------------------------------------------------
    menu "Utility Config"
        config USE_WOLFSSL_ESP_SDK_TIME
            bool "Enable wolfSSL time helper functions"
            default n
            help
                Enables use of various time and date setting functions found in the esp-sdk-lib.h file.

        config USE_WOLFSSL_ESP_SDK_WIFI
            bool "Enable wolfSSL WiFi helper functions"
            default n
            help
                Enables use of various time and date setting functions found in the esp-sdk-lib.h file.

    endmenu # Utility Config
endmenu # wolfSSL
# ---------------------------------------------------------------------------------------------------------------------


# ---------------------------------------------------------------------------------------------------------------------
menu "wolfSSH"
    config ESP_ENABLE_WOLFSSH
        bool "Enable wolfSSH options"
        default n
        help
            Enables WOLFSSH_TERM, WOLFSSL_KEY_GEN, WOLFSSL_PTHREADS, WOLFSSH_TEST_SERVER, WOLFSSH_TEST_THREADING

    config ESP_WOLFSSL_DEBUG_WOLFSSH
        bool "Enable wolfSSH debugging"
        default n
        help
            Enable wolfSSH debugging macro. See user_settings.h

endmenu # wolfSSH
# ---------------------------------------------------------------------------------------------------------------------

# ---------------------------------------------------------------------------------------------------------------------
menu "wolfMQTT"
    config ESP_ENABLE_WOLFMQTT
        bool "Enable wolfMQTT options"
        default n
        help
            Enables WOLFMQTT

    config ESP_WOLFSSL_DEBUG_WOLFMQTT
        bool "Enable wolfMQTT debugging"
        default n
        help
            Enable wolfMQTT debugging macro. See user_settings.h

endmenu # wolfMQTT
# ---------------------------------------------------------------------------------------------------------------------
