/** * \file config.h * * \brief Configuration options (set of defines) * * This set of compile-time options may be used to enable * or disable features selectively, and reduce the global * memory footprint. */ /* * Copyright (C) 2006-2022, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * * This file is part of mbed TLS (https://tls.mbed.org) */ #ifndef MBEDTLS_CONFIG_H #define MBEDTLS_CONFIG_H #include "config_crypto.h" #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) #define _CRT_SECURE_NO_DEPRECATE 1 #endif /** * \name SECTION: System support * * This section sets system specific settings. * \{ */ /** * \def MBEDTLS_HAVE_ASM * * The compiler has support for asm(). * * Requires support for asm() in compiler. * * Used in: * library/aria.c * library/timing.c * include/mbedtls/bn_mul.h * * Required by: * MBEDTLS_AESNI_C * MBEDTLS_PADLOCK_C * * Comment to disable the use of assembly code. */ /* Due to an outstanding bug with mbedtls and arm compiler 6, this feature is * disabled temporarily on cortex-m0 and m0-plus. * https://github.com/ARMmbed/mbedtls/issues/1077 */ #define MBEDTLS_HAVE_ASM /** * \def MBEDTLS_HAVE_TIME * * System has time.h and time(). * The time does not need to be correct, only time differences are used, * by contrast with MBEDTLS_HAVE_TIME_DATE * * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and * MBEDTLS_PLATFORM_STD_TIME. * * Comment if your system does not support time functions */ //#define MBEDTLS_HAVE_TIME /** * \def MBEDTLS_HAVE_TIME_DATE * * System has time.h, time(), and an implementation for * mbedtls_platform_gmtime_r() (see below). * The time needs to be correct (not necessarily very accurate, but at least * the date should be correct). This is used to verify the validity period of * X.509 certificates. * * Comment if your system does not have a correct clock. * * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that * behaves similarly to the gmtime_r() function from the C standard. Refer to * the documentation for mbedtls_platform_gmtime_r() for more information. * * \note It is possible to configure an implementation for * mbedtls_platform_gmtime_r() at compile-time by using the macro * MBEDTLS_PLATFORM_GMTIME_R_ALT. */ //#define MBEDTLS_HAVE_TIME_DATE /** * \def MBEDTLS_PLATFORM_MEMORY * * Enable the memory allocation layer. * * By default mbed TLS uses the system-provided calloc() and free(). * This allows different allocators (self-implemented or provided) to be * provided to the platform abstraction layer. * * Enabling MBEDTLS_PLATFORM_MEMORY without the * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and * free() function pointer at runtime. * * Enabling MBEDTLS_PLATFORM_MEMORY and specifying * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the * alternate function at compile time. * * Requires: MBEDTLS_PLATFORM_C * * Enable this layer to allow use of alternative memory allocators. */ #define MBEDTLS_PLATFORM_MEMORY /* \} name SECTION: System support */ /** * \name SECTION: mbed TLS feature support * * This section sets support for features that are or are not needed * within the modules that are enabled. * \{ */ /** * \def MBEDTLS_ECP_NIST_OPTIM * * Enable specific 'modulo p' routines for each NIST prime. * Depending on the prime and architecture, makes operations 4 to 8 times * faster on the corresponding curve. * * Comment this macro to disable NIST curves optimisation. */ #define MBEDTLS_ECP_NIST_OPTIM /** * \def MBEDTLS_PK_PARSE_EC_EXTENDED * * Enhance support for reading EC keys using variants of SEC1 not allowed by * RFC 5915 and RFC 5480. * * Currently this means parsing the SpecifiedECDomain choice of EC * parameters (only known groups are supported, not arbitrary domains, to * avoid validation issues). * * Disable if you only need to support RFC 5915 + 5480 key formats. */ #define MBEDTLS_PK_PARSE_EC_EXTENDED /** * \def MBEDTLS_ERROR_STRERROR_DUMMY * * Enable a dummy error function to make use of mbedtls_strerror() in * third party libraries easier when MBEDTLS_ERROR_C is disabled * (no effect when MBEDTLS_ERROR_C is enabled). * * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're * not using mbedtls_strerror() or error_strerror() in your application. * * Disable if you run into name conflicts and want to really remove the * mbedtls_strerror() */ #define MBEDTLS_ERROR_STRERROR_DUMMY /** * \def MBEDTLS_NO_PLATFORM_ENTROPY * * Do not use built-in platform entropy functions. * This is useful if your platform does not support * standards like the /dev/urandom or Windows CryptoAPI. * * Uncomment this macro to disable the built-in platform entropy functions. */ #define MBEDTLS_NO_PLATFORM_ENTROPY /** * \def MBEDTLS_ENTROPY_NV_SEED * * Enable the non-volatile (NV) seed file-based entropy source. * (Also enables the NV seed read/write functions in the platform layer) * * This is crucial (if not required) on systems that do not have a * cryptographic entropy source (in hardware or kernel) available. * * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C * * \note The read/write functions that are used by the entropy source are * determined in the platform layer, and can be modified at runtime and/or * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. * * \note If you use the default implementation functions that read a seedfile * with regular fopen(), please make sure you make a seedfile with the * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from * and written to or you will get an entropy source error! The default * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE * bytes from the file. * * \note The entropy collector will write to the seed file before entropy is * given to an external source, to update it. */ #define MBEDTLS_ENTROPY_NV_SEED /** * \def MBEDTLS_PK_RSA_ALT_SUPPORT * * Support external private RSA keys (eg from a HSM) in the PK layer. * * Comment this macro to disable support for external private RSA keys. */ #define MBEDTLS_PK_RSA_ALT_SUPPORT /** * \def MBEDTLS_PSA_CRYPTO_SPM * * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure * Partition Manager) integration which separates the code into two parts: a * NSPE (Non-Secure Process Environment) and an SPE (Secure Process * Environment). * * Module: library/psa_crypto.c * Requires: MBEDTLS_PSA_CRYPTO_C * */ #define MBEDTLS_PSA_CRYPTO_SPM /** * \def MBEDTLS_PSA_CRYPTO_CONFIG * * This setting allows support for cryptographic mechanisms through the PSA * API to be configured separately from support through the mbedtls API. * * When this option is disabled, the PSA API exposes the cryptographic * mechanisms that can be implemented on top of the `mbedtls_xxx` API * configured with `MBEDTLS_XXX` symbols. * * When this option is enabled, the PSA API exposes the cryptographic * mechanisms requested by the `PSA_WANT_XXX` symbols defined in * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are * automatically enabled if required (i.e. if no PSA driver provides the * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols * in mbedtls_config.h. * * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies * an alternative header to include instead of include/psa/crypto_config.h. * * This feature is still experimental and is not ready for production since * it is not completed. */ #define MBEDTLS_PSA_CRYPTO_CONFIG /* \} name SECTION: mbed TLS feature support */ /** * \name SECTION: mbed TLS modules * * This section enables or disables entire modules in mbed TLS * \{ */ /** * \def MBEDTLS_AES_C * * Enable the AES block cipher. * * Module: library/aes.c * Caller: library/cipher.c * library/pem.c * library/ctr_drbg.c * * This module is required to support the TLS ciphersuites that use the AES * cipher. * * PEM_PARSE uses AES for decrypting encrypted keys. */ #define MBEDTLS_AES_C /** * \def MBEDTLS_CIPHER_C * * Enable the generic cipher layer. * * Module: library/cipher.c * * Uncomment to enable generic cipher wrappers. */ #define MBEDTLS_CIPHER_C /** * \def MBEDTLS_CTR_DRBG_C * * Enable the CTR_DRBG AES-based random generator. * The CTR_DRBG generator uses AES-256 by default. * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below. * * Module: library/ctr_drbg.c * Caller: * * Requires: MBEDTLS_AES_C * * This module provides the CTR_DRBG AES random number generator. */ #define MBEDTLS_CTR_DRBG_C /** * \def MBEDTLS_ENTROPY_C * * Enable the platform-specific entropy code. * * Module: library/entropy.c * Caller: * * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C * * This module provides a generic entropy pool */ #define MBEDTLS_ENTROPY_C /** * \def MBEDTLS_ERROR_C * * Enable error code to error string conversion. * * Module: library/error.c * Caller: * * This module enables mbedtls_strerror(). */ #define MBEDTLS_ERROR_C /** * \def MBEDTLS_HKDF_C * * Enable the HKDF algorithm (RFC 5869). * * Module: library/hkdf.c * Caller: * * Requires: MBEDTLS_MD_C * * This module adds support for the Hashed Message Authentication Code * (HMAC)-based key derivation function (HKDF). */ #define MBEDTLS_HKDF_C /* Used for HUK deriviation */ /** * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C * * Enable the buffer allocator implementation that makes use of a (stack) * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() * calls) * * Module: library/memory_buffer_alloc.c * * Requires: MBEDTLS_PLATFORM_C * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) * * Enable this module to enable the buffer memory allocator. */ #define MBEDTLS_MEMORY_BUFFER_ALLOC_C /** * \def MBEDTLS_PLATFORM_C * * Enable the platform abstraction layer that allows you to re-assign * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). * * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned * above to be specified at runtime or compile time respectively. * * \note This abstraction layer must be enabled on Windows (including MSYS2) * as other module rely on it for a fixed snprintf implementation. * * Module: library/platform.c * Caller: Most other .c files * * This module enables abstraction of common (libc) functions. */ #define MBEDTLS_PLATFORM_C #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS #define MBEDTLS_PLATFORM_STD_MEM_HDR #include #define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf #define MBEDTLS_PLATFORM_PRINTF_ALT #define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS #define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE /** * \def MBEDTLS_PSA_CRYPTO_C * * Enable the Platform Security Architecture cryptography API. * * Module: library/psa_crypto.c * * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C * */ #define MBEDTLS_PSA_CRYPTO_C /** * \def MBEDTLS_PSA_CRYPTO_STORAGE_C * * Enable the Platform Security Architecture persistent key storage. * * Module: library/psa_crypto_storage.c * * Requires: MBEDTLS_PSA_CRYPTO_C, * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of * the PSA ITS interface */ #define MBEDTLS_PSA_CRYPTO_STORAGE_C /* \} name SECTION: mbed TLS modules */ /** * \name SECTION: General configuration options * * This section contains Mbed TLS build settings that are not associated * with a particular module. * * \{ */ /** * \def MBEDTLS_CONFIG_FILE * * If defined, this is a header which will be included instead of * `"mbedtls/mbedtls_config.h"`. * This header file specifies the compile-time configuration of Mbed TLS. * Unlike other configuration options, this one must be defined on the * compiler command line: a definition in `mbedtls_config.h` would have * no effect. * * This macro is expanded after an \#include directive. This is a popular but * non-standard feature of the C language, so this feature is only available * with compilers that perform macro expansion on an \#include line. * * The value of this symbol is typically a path in double quotes, either * absolute or relative to a directory on the include search path. */ //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" /** * \def MBEDTLS_USER_CONFIG_FILE * * If defined, this is a header which will be included after * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE. * This allows you to modify the default configuration, including the ability * to undefine options that are enabled by default. * * This macro is expanded after an \#include directive. This is a popular but * non-standard feature of the C language, so this feature is only available * with compilers that perform macro expansion on an \#include line. * * The value of this symbol is typically a path in double quotes, either * absolute or relative to a directory on the include search path. */ //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" /** * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE * * If defined, this is a header which will be included instead of * `"psa/crypto_config.h"`. * This header file specifies which cryptographic mechanisms are available * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled. * * This macro is expanded after an \#include directive. This is a popular but * non-standard feature of the C language, so this feature is only available * with compilers that perform macro expansion on an \#include line. * * The value of this symbol is typically a path in double quotes, either * absolute or relative to a directory on the include search path. */ //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" /** * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE * * If defined, this is a header which will be included after * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE. * This allows you to modify the default configuration, including the ability * to undefine options that are enabled by default. * * This macro is expanded after an \#include directive. This is a popular but * non-standard feature of the C language, so this feature is only available * with compilers that perform macro expansion on an \#include line. * * The value of this symbol is typically a path in double quotes, either * absolute or relative to a directory on the include search path. */ //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" /** \} name SECTION: General configuration options */ /** * \name SECTION: Module configuration options * * This section allows for the setting of module specific sizes and * configuration options. The default values are already present in the * relevant header files and should suffice for the regular use cases. * * Our advice is to enable options and change their values here * only if you have a good reason and know the consequences. * * Please check the respective header file for documentation on these * parameters (to prevent duplicate documentation). * \{ */ /* ECP options */ #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */ /* \} name SECTION: Customisation configuration options */ #if CRYPTO_NV_SEED #include "tfm_mbedcrypto_config_extra_nv_seed.h" #endif /* CRYPTO_NV_SEED */ #if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED) #include "mbedtls_entropy_nv_seed_config.h" #endif #ifdef CRYPTO_HW_ACCELERATOR #include "mbedtls_accelerator_config.h" #endif #endif /* MBEDTLS_CONFIG_H */