1 /** 2 * 3 * \brief Default mbedTLS configuration options for ESP-IDF 4 * 5 * This set of compile-time options may be used to enable 6 * or disable features selectively, and reduce the global 7 * memory footprint. 8 */ 9 /* 10 * Copyright The Mbed TLS Contributors 11 * SPDX-License-Identifier: Apache-2.0 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 */ 25 26 #ifndef ESP_CONFIG_H 27 #define ESP_CONFIG_H 28 29 #include "sdkconfig.h" 30 #include "mbedtls/config.h" 31 #include "soc/soc_caps.h" 32 33 /** 34 * \name SECTION: System support 35 * 36 * This section sets system specific settings. 37 * \{ 38 */ 39 40 /** 41 * \def MBEDTLS_HAVE_TIME 42 * 43 * System has time.h and time(). 44 * The time does not need to be correct, only time differences are used, 45 * by contrast with MBEDTLS_HAVE_TIME_DATE 46 * 47 * Comment if your system does not support time functions 48 */ 49 #ifdef CONFIG_MBEDTLS_HAVE_TIME 50 #define MBEDTLS_HAVE_TIME 51 #else 52 #undef MBEDTLS_HAVE_TIME 53 #endif 54 55 /** 56 * \def MBEDTLS_HAVE_TIME_DATE 57 * 58 * System has time.h and time(), gmtime() and the clock is correct. 59 * The time needs to be correct (not necesarily very accurate, but at least 60 * the date should be correct). This is used to verify the validity period of 61 * X.509 certificates. 62 * 63 * Comment if your system does not have a correct clock. 64 */ 65 #ifdef CONFIG_MBEDTLS_HAVE_TIME_DATE 66 #define MBEDTLS_HAVE_TIME_DATE 67 #else 68 #undef MBEDTLS_HAVE_TIME_DATE 69 #endif 70 71 /** 72 * \def MBEDTLS_PLATFORM_MEMORY 73 * 74 * Enable the memory allocation layer. 75 * 76 * By default mbed TLS uses the system-provided calloc() and free(). 77 * This allows different allocators (self-implemented or provided) to be 78 * provided to the platform abstraction layer. 79 * 80 * Enabling MBEDTLS_PLATFORM_MEMORY without the 81 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 82 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 83 * free() function pointer at runtime. 84 * 85 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 86 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 87 * alternate function at compile time. 88 * 89 * Requires: MBEDTLS_PLATFORM_C 90 * 91 * Enable this layer to allow use of alternative memory allocators. 92 */ 93 #define MBEDTLS_PLATFORM_MEMORY 94 95 /** Override calloc(), free() except for case where memory allocation scheme is not set to custom */ 96 #ifndef CONFIG_MBEDTLS_CUSTOM_MEM_ALLOC 97 #include "esp_mem.h" 98 #define MBEDTLS_PLATFORM_STD_CALLOC esp_mbedtls_mem_calloc 99 #define MBEDTLS_PLATFORM_STD_FREE esp_mbedtls_mem_free 100 #endif 101 102 /* \} name SECTION: System support */ 103 104 /** 105 * \name SECTION: mbed TLS feature support 106 * 107 * This section sets support for features that are or are not needed 108 * within the modules that are enabled. 109 * \{ 110 */ 111 112 /* The following units have ESP32 hardware support, 113 uncommenting each _ALT macro will use the 114 hardware-accelerated implementation. */ 115 #ifdef CONFIG_MBEDTLS_HARDWARE_AES 116 #define MBEDTLS_AES_ALT 117 #else 118 #undef MBEDTLS_AES_ALT 119 #endif 120 121 #ifdef CONFIG_MBEDTLS_HARDWARE_GCM 122 #define MBEDTLS_GCM_ALT 123 #else 124 #undef MBEDTLS_GCM_ALT 125 #endif 126 127 /* MBEDTLS_SHAxx_ALT to enable hardware SHA support 128 with software fallback. 129 */ 130 #ifdef CONFIG_MBEDTLS_HARDWARE_SHA 131 #define MBEDTLS_SHA1_ALT 132 #define MBEDTLS_SHA256_ALT 133 134 #if SOC_SHA_SUPPORT_SHA512 135 #define MBEDTLS_SHA512_ALT 136 #else 137 #undef MBEDTLS_SHA512_ALT 138 #endif 139 140 #else 141 #undef MBEDTLS_SHA1_ALT 142 #undef MBEDTLS_SHA256_ALT 143 #undef MBEDTLS_SHA512_ALT 144 #endif 145 146 /* MBEDTLS_MDx_ALT to enable ROM MD support 147 with software fallback. 148 */ 149 #ifdef CONFIG_MBEDTLS_ROM_MD5 150 #define MBEDTLS_MD5_ALT 151 #else 152 #undef MBEDTLS_MD5_ALT 153 #endif 154 155 /* The following MPI (bignum) functions have hardware support. 156 * Uncommenting these macros will use the hardware-accelerated 157 * implementations. 158 */ 159 #ifdef CONFIG_MBEDTLS_HARDWARE_MPI 160 #ifdef CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI 161 /* Prefer hardware and fallback to software */ 162 #define MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK 163 #else 164 /* Hardware only mode */ 165 #define MBEDTLS_MPI_EXP_MOD_ALT 166 #endif 167 #define MBEDTLS_MPI_MUL_MPI_ALT 168 #else 169 #undef MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK 170 #undef MBEDTLS_MPI_EXP_MOD_ALT 171 #undef MBEDTLS_MPI_MUL_MPI_ALT 172 #endif 173 174 #ifdef CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN 175 #define MBEDTLS_ECDSA_SIGN_ALT 176 #endif 177 178 #ifdef CONFIG_MBEDTLS_ATCA_HW_ECDSA_VERIFY 179 #define MBEDTLS_ECDSA_VERIFY_ALT 180 #endif 181 182 /** 183 * \def MBEDTLS_ENTROPY_HARDWARE_ALT 184 * 185 * Uncomment this macro to let mbed TLS use your own implementation of a 186 * hardware entropy collector. 187 * 188 * Your function must be called \c mbedtls_hardware_poll(), have the same 189 * prototype as declared in entropy_poll.h, and accept NULL as first argument. 190 * 191 * Uncomment to use your own hardware entropy collector. 192 */ 193 #define MBEDTLS_ENTROPY_HARDWARE_ALT 194 195 /** 196 * \def MBEDTLS_AES_ROM_TABLES 197 * 198 * Store the AES tables in ROM. 199 * 200 * Uncomment this macro to store the AES tables in ROM. 201 */ 202 #define MBEDTLS_AES_ROM_TABLES 203 204 /** 205 * \def MBEDTLS_CIPHER_MODE_CBC 206 * 207 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. 208 */ 209 #define MBEDTLS_CIPHER_MODE_CBC 210 211 /** 212 * \def MBEDTLS_CIPHER_MODE_CFB 213 * 214 * Enable Cipher Feedback mode (CFB) for symmetric ciphers. 215 */ 216 #define MBEDTLS_CIPHER_MODE_CFB 217 218 /** 219 * \def MBEDTLS_CIPHER_MODE_CTR 220 * 221 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. 222 */ 223 #define MBEDTLS_CIPHER_MODE_CTR 224 225 /** 226 * \def MBEDTLS_CIPHER_MODE_OFB 227 * 228 * Enable Output Feedback mode (OFB) for symmetric ciphers. 229 */ 230 #define MBEDTLS_CIPHER_MODE_OFB 231 232 /** 233 * \def MBEDTLS_CIPHER_MODE_XTS 234 * 235 * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. 236 */ 237 #define MBEDTLS_CIPHER_MODE_XTS 238 239 /** 240 * \def MBEDTLS_CIPHER_PADDING_PKCS7 241 * 242 * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for 243 * specific padding modes in the cipher layer with cipher modes that support 244 * padding (e.g. CBC) 245 * 246 * If you disable all padding modes, only full blocks can be used with CBC. 247 * 248 * Enable padding modes in the cipher layer. 249 */ 250 #define MBEDTLS_CIPHER_PADDING_PKCS7 251 #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS 252 #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN 253 #define MBEDTLS_CIPHER_PADDING_ZEROS 254 255 /** 256 * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES & MBEDTLS_ARC4_C 257 * 258 * MBEDTLS_ARC4_C 259 * Enable the ARCFOUR stream cipher. 260 * 261 * This module enables/disables the following ciphersuites 262 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 263 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA 264 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 265 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA 266 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 267 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA 268 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA 269 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 270 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA 271 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA 272 * 273 * MBEDTLS_REMOVE_ARC4_CIPHERSUITES 274 * This flag removes the ciphersuites based on RC4 from the default list as 275 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to 276 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them 277 * explicitly. 278 * 279 * Uncomment this macro to remove RC4 ciphersuites by default. 280 */ 281 #ifdef CONFIG_MBEDTLS_RC4_ENABLED 282 #define MBEDTLS_ARC4_C 283 #undef MBEDTLS_REMOVE_ARC4_CIPHERSUITES 284 #elif defined CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT 285 #define MBEDTLS_ARC4_C 286 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES 287 #else 288 #undef MBEDTLS_ARC4_C 289 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES 290 #endif 291 292 /** 293 * \def MBEDTLS_ECP_RESTARTABLE 294 * 295 * Enable "non-blocking" ECC operations that can return early and be resumed. 296 * 297 * This allows various functions to pause by returning 298 * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module, 299 * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in 300 * order to further progress and eventually complete their operation. This is 301 * controlled through mbedtls_ecp_set_max_ops() which limits the maximum 302 * number of ECC operations a function may perform before pausing; see 303 * mbedtls_ecp_set_max_ops() for more information. 304 * 305 * This is useful in non-threaded environments if you want to avoid blocking 306 * for too long on ECC (and, hence, X.509 or SSL/TLS) operations. 307 * 308 * Uncomment this macro to enable restartable ECC computations. 309 * 310 * \note This option only works with the default software implementation of 311 * elliptic curve functionality. It is incompatible with 312 * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT 313 * and MBEDTLS_ECDH_LEGACY_CONTEXT. 314 */ 315 #ifdef CONFIG_MBEDTLS_ECP_RESTARTABLE 316 #define MBEDTLS_ECP_RESTARTABLE 317 #endif 318 319 /** 320 * \def MBEDTLS_ECDH_LEGACY_CONTEXT 321 * 322 * Use a backward compatible ECDH context. 323 * 324 * Mbed TLS supports two formats for ECDH contexts (#mbedtls_ecdh_context 325 * defined in `ecdh.h`). For most applications, the choice of format makes 326 * no difference, since all library functions can work with either format, 327 * except that the new format is incompatible with MBEDTLS_ECP_RESTARTABLE. 328 329 * The new format used when this option is disabled is smaller 330 * (56 bytes on a 32-bit platform). In future versions of the library, it 331 * will support alternative implementations of ECDH operations. 332 * The new format is incompatible with applications that access 333 * context fields directly and with restartable ECP operations. 334 * 335 * Define this macro if you enable MBEDTLS_ECP_RESTARTABLE or if you 336 * want to access ECDH context fields directly. Otherwise you should 337 * comment out this macro definition. 338 * 339 * This option has no effect if #MBEDTLS_ECDH_C is not enabled. 340 * 341 * \note This configuration option is experimental. Future versions of the 342 * library may modify the way the ECDH context layout is configured 343 * and may modify the layout of the new context type. 344 */ 345 #ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT 346 #define MBEDTLS_ECDH_LEGACY_CONTEXT 347 #endif 348 349 /** 350 * \def MBEDTLS_CMAC_C 351 * 352 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block 353 * ciphers. 354 * 355 * \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying 356 * implementation of the CMAC algorithm is provided by an alternate 357 * implementation, that alternate implementation may opt to not support 358 * AES-192 or 3DES as underlying block ciphers for the CMAC operation. 359 * 360 * Module: library/cmac.c 361 * 362 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C 363 * 364 */ 365 #ifdef CONFIG_MBEDTLS_CMAC_C 366 #define MBEDTLS_CMAC_C 367 #endif 368 369 /** 370 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED 371 * 372 * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve 373 * module. By default all supported curves are enabled. 374 * 375 * Comment macros to disable the curve and functions for it 376 */ 377 /* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */ 378 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED 379 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED 380 #else 381 #undef MBEDTLS_ECP_DP_SECP192R1_ENABLED 382 #endif 383 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED 384 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED 385 #else 386 #undef MBEDTLS_ECP_DP_SECP224R1_ENABLED 387 #endif 388 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED 389 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED 390 #else 391 #undef MBEDTLS_ECP_DP_SECP256R1_ENABLED 392 #endif 393 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED 394 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED 395 #else 396 #undef MBEDTLS_ECP_DP_SECP384R1_ENABLED 397 #endif 398 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED 399 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED 400 #else 401 #undef MBEDTLS_ECP_DP_SECP521R1_ENABLED 402 #endif 403 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED 404 #define MBEDTLS_ECP_DP_SECP192K1_ENABLED 405 #else 406 #undef MBEDTLS_ECP_DP_SECP192K1_ENABLED 407 #endif 408 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED 409 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED 410 #else 411 #undef MBEDTLS_ECP_DP_SECP224K1_ENABLED 412 #endif 413 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED 414 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED 415 #else 416 #undef MBEDTLS_ECP_DP_SECP256K1_ENABLED 417 #endif 418 #ifdef CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED 419 #define MBEDTLS_ECP_DP_BP256R1_ENABLED 420 #else 421 #undef MBEDTLS_ECP_DP_BP256R1_ENABLED 422 #endif 423 #ifdef CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED 424 #define MBEDTLS_ECP_DP_BP384R1_ENABLED 425 #else 426 #undef MBEDTLS_ECP_DP_BP384R1_ENABLED 427 #endif 428 #ifdef CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED 429 #define MBEDTLS_ECP_DP_BP512R1_ENABLED 430 #else 431 #undef MBEDTLS_ECP_DP_BP512R1_ENABLED 432 #endif 433 /* Montgomery curves (supporting ECP) */ 434 #ifdef CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED 435 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED 436 #else 437 #undef MBEDTLS_ECP_DP_CURVE25519_ENABLED 438 #endif 439 #ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED 440 #undef MBEDTLS_ECP_DP_CURVE448_ENABLED 441 #endif 442 443 /** 444 * \def MBEDTLS_ECP_NIST_OPTIM 445 * 446 * Enable specific 'modulo p' routines for each NIST prime. 447 * Depending on the prime and architecture, makes operations 4 to 8 times 448 * faster on the corresponding curve. 449 * 450 * Comment this macro to disable NIST curves optimisation. 451 */ 452 #ifdef CONFIG_MBEDTLS_ECP_NIST_OPTIM 453 #define MBEDTLS_ECP_NIST_OPTIM 454 #else 455 #undef MBEDTLS_ECP_NIST_OPTIM 456 #endif 457 458 /** 459 * \def MBEDTLS_ECDSA_DETERMINISTIC 460 * 461 * Enable deterministic ECDSA (RFC 6979). 462 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing 463 * may result in a compromise of the long-term signing key. This is avoided by 464 * the deterministic variant. 465 * 466 * Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C 467 * 468 * Comment this macro to disable deterministic ECDSA. 469 */ 470 #ifdef CONFIG_MBEDTLS_ECDSA_DETERMINISTIC 471 #define MBEDTLS_ECDSA_DETERMINISTIC 472 #else 473 #undef MBEDTLS_ECDSA_DETERMINISTIC 474 #endif 475 476 /** 477 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 478 * 479 * Enable the PSK based ciphersuite modes in SSL / TLS. 480 * 481 * This enables the following ciphersuites (if other requisites are 482 * enabled as well): 483 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 484 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 485 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 486 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 487 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 488 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 489 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 490 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 491 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 492 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 493 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 494 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA 495 */ 496 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_PSK 497 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 498 #else 499 #undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 500 #endif 501 502 /** 503 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 504 * 505 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS. 506 * 507 * Requires: MBEDTLS_DHM_C 508 * 509 * This enables the following ciphersuites (if other requisites are 510 * enabled as well): 511 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 512 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 513 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 514 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 515 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 516 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 517 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 518 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 519 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 520 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 521 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 522 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA 523 */ 524 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK 525 #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 526 #else 527 #undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 528 #endif 529 530 /** 531 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 532 * 533 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. 534 * 535 * Requires: MBEDTLS_ECDH_C 536 * 537 * This enables the following ciphersuites (if other requisites are 538 * enabled as well): 539 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 540 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 541 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 542 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 543 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 544 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 545 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 546 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 547 */ 548 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK 549 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 550 #else 551 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 552 #endif 553 554 /** 555 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 556 * 557 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS. 558 * 559 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 560 * MBEDTLS_X509_CRT_PARSE_C 561 * 562 * This enables the following ciphersuites (if other requisites are 563 * enabled as well): 564 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 565 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 566 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 567 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 568 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 569 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 570 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 571 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 572 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 573 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 574 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 575 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA 576 */ 577 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK 578 #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 579 #else 580 #undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 581 #endif 582 583 /** 584 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 585 * 586 * Enable the RSA-only based ciphersuite modes in SSL / TLS. 587 * 588 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 589 * MBEDTLS_X509_CRT_PARSE_C 590 * 591 * This enables the following ciphersuites (if other requisites are 592 * enabled as well): 593 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 594 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 595 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 596 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 597 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 598 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 599 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 600 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 601 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 602 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 603 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 604 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 605 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 606 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA 607 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 608 */ 609 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA 610 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 611 #else 612 #undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 613 #endif 614 615 /** 616 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 617 * 618 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS. 619 * 620 * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 621 * MBEDTLS_X509_CRT_PARSE_C 622 * 623 * This enables the following ciphersuites (if other requisites are 624 * enabled as well): 625 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 626 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 627 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 628 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 629 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 630 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 631 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 632 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 633 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 634 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 635 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 636 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 637 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 638 */ 639 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA 640 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 641 #else 642 #undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 643 #endif 644 645 /** 646 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 647 * 648 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. 649 * 650 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 651 * MBEDTLS_X509_CRT_PARSE_C 652 * 653 * This enables the following ciphersuites (if other requisites are 654 * enabled as well): 655 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 656 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 657 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 658 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 659 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 660 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 661 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 662 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 663 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 664 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 665 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 666 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA 667 */ 668 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA 669 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 670 #else 671 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 672 #endif 673 674 /** 675 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 676 * 677 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. 678 * 679 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C, 680 * 681 * This enables the following ciphersuites (if other requisites are 682 * enabled as well): 683 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 684 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 685 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 686 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 687 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 688 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 689 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 690 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 691 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 692 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 693 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 694 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 695 */ 696 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA 697 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 698 #else 699 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 700 #endif 701 702 /** 703 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 704 * 705 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. 706 * 707 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C 708 * 709 * This enables the following ciphersuites (if other requisites are 710 * enabled as well): 711 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 712 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 713 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 714 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 715 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 716 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 717 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 718 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 719 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 720 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 721 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 722 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 723 */ 724 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA 725 #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 726 #else 727 #undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 728 #endif 729 730 /** 731 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 732 * 733 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. 734 * 735 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_X509_CRT_PARSE_C 736 * 737 * This enables the following ciphersuites (if other requisites are 738 * enabled as well): 739 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA 740 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 741 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 742 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 743 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 744 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 745 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 746 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 747 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 748 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 749 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 750 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 751 */ 752 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA 753 #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 754 #else 755 #undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 756 #endif 757 758 /** 759 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 760 * 761 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. 762 * 763 * \warning This is currently experimental. EC J-PAKE support is based on the 764 * Thread v1.0.0 specification; incompatible changes to the specification 765 * might still happen. For this reason, this is disabled by default. 766 * 767 * Requires: MBEDTLS_ECJPAKE_C 768 * MBEDTLS_SHA256_C 769 * MBEDTLS_ECP_DP_SECP256R1_ENABLED 770 * 771 * This enables the following ciphersuites (if other requisites are 772 * enabled as well): 773 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 774 */ 775 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE 776 #define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 777 #else 778 #undef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 779 #endif 780 781 /** 782 * \def MBEDTLS_PK_PARSE_EC_EXTENDED 783 * 784 * Enhance support for reading EC keys using variants of SEC1 not allowed by 785 * RFC 5915 and RFC 5480. 786 * 787 * Currently this means parsing the SpecifiedECDomain choice of EC 788 * parameters (only known groups are supported, not arbitrary domains, to 789 * avoid validation issues). 790 * 791 * Disable if you only need to support RFC 5915 + 5480 key formats. 792 */ 793 #define MBEDTLS_PK_PARSE_EC_EXTENDED 794 795 /** 796 * \def MBEDTLS_ERROR_STRERROR_DUMMY 797 * 798 * Enable a dummy error function to make use of mbedtls_strerror() in 799 * third party libraries easier when MBEDTLS_ERROR_C is disabled 800 * (no effect when MBEDTLS_ERROR_C is enabled). 801 * 802 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're 803 * not using mbedtls_strerror() or error_strerror() in your application. 804 * 805 * Disable if you run into name conflicts and want to really remove the 806 * mbedtls_strerror() 807 */ 808 #define MBEDTLS_ERROR_STRERROR_DUMMY 809 810 /** 811 * \def MBEDTLS_GENPRIME 812 * 813 * Enable the prime-number generation code. 814 * 815 * Requires: MBEDTLS_BIGNUM_C 816 */ 817 #define MBEDTLS_GENPRIME 818 819 /** 820 * \def MBEDTLS_FS_IO 821 * 822 * Enable functions that use the filesystem. 823 */ 824 #define MBEDTLS_FS_IO 825 826 /** 827 * \def MBEDTLS_NO_PLATFORM_ENTROPY 828 * 829 * Do not use built-in platform entropy functions. 830 * This is useful if your platform does not support 831 * standards like the /dev/urandom or Windows CryptoAPI. 832 * 833 * Uncomment this macro to disable the built-in platform entropy functions. 834 */ 835 #define MBEDTLS_NO_PLATFORM_ENTROPY 836 837 /** 838 * \def MBEDTLS_PK_RSA_ALT_SUPPORT 839 * 840 * Support external private RSA keys (eg from a HSM) in the PK layer. 841 * 842 * Comment this macro to disable support for external private RSA keys. 843 */ 844 #define MBEDTLS_PK_RSA_ALT_SUPPORT 845 846 /** 847 * \def MBEDTLS_PKCS1_V15 848 * 849 * Enable support for PKCS#1 v1.5 encoding. 850 * 851 * Requires: MBEDTLS_RSA_C 852 * 853 * This enables support for PKCS#1 v1.5 operations. 854 */ 855 #define MBEDTLS_PKCS1_V15 856 857 /** 858 * \def MBEDTLS_PKCS1_V21 859 * 860 * Enable support for PKCS#1 v2.1 encoding. 861 * 862 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C 863 * 864 * This enables support for RSAES-OAEP and RSASSA-PSS operations. 865 */ 866 #define MBEDTLS_PKCS1_V21 867 868 /** 869 * \def MBEDTLS_SELF_TEST 870 * 871 * Enable the checkup functions (*_self_test). 872 */ 873 #define MBEDTLS_SELF_TEST 874 875 /** 876 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES 877 * 878 * Enable sending of alert messages in case of encountered errors as per RFC. 879 * If you choose not to send the alert messages, mbed TLS can still communicate 880 * with other servers, only debugging of failures is harder. 881 * 882 * The advantage of not sending alert messages, is that no information is given 883 * about reasons for failures thus preventing adversaries of gaining intel. 884 * 885 * Enable sending of all alert messages 886 */ 887 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES 888 889 /** 890 * \def MBEDTLS_SSL_DTLS_CONNECTION_ID 891 * 892 * Enable support for the DTLS Connection ID extension 893 * (version draft-ietf-tls-dtls-connection-id-05, 894 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) 895 * which allows to identify DTLS connections across changes 896 * in the underlying transport. 897 * 898 * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, 899 * `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`. 900 * See the corresponding documentation for more information. 901 * 902 * \warning The Connection ID extension is still in draft state. 903 * We make no stability promises for the availability 904 * or the shape of the API controlled by this option. 905 * 906 * The maximum lengths of outgoing and incoming CIDs can be configured 907 * through the options 908 * - MBEDTLS_SSL_CID_OUT_LEN_MAX 909 * - MBEDTLS_SSL_CID_IN_LEN_MAX. 910 * 911 * Requires: MBEDTLS_SSL_PROTO_DTLS 912 * 913 * Uncomment to enable the Connection ID extension. 914 */ 915 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID 916 #define MBEDTLS_SSL_DTLS_CONNECTION_ID 917 #else 918 #undef MBEDTLS_SSL_DTLS_CONNECTION_ID 919 #endif 920 921 /** 922 * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION 923 * 924 * Enable serialization of the TLS context structures, through use of the 925 * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load(). 926 * 927 * This pair of functions allows one side of a connection to serialize the 928 * context associated with the connection, then free or re-use that context 929 * while the serialized state is persisted elsewhere, and finally deserialize 930 * that state to a live context for resuming read/write operations on the 931 * connection. From a protocol perspective, the state of the connection is 932 * unaffected, in particular this is entirely transparent to the peer. 933 * 934 * Note: this is distinct from TLS session resumption, which is part of the 935 * protocol and fully visible by the peer. TLS session resumption enables 936 * establishing new connections associated to a saved session with shorter, 937 * lighter handshakes, while context serialization is a local optimization in 938 * handling a single, potentially long-lived connection. 939 * 940 * Enabling these APIs makes some SSL structures larger, as 64 extra bytes are 941 * saved after the handshake to allow for more efficient serialization, so if 942 * you don't need this feature you'll save RAM by disabling it. 943 * 944 * Comment to disable the context serialization APIs. 945 */ 946 #ifdef CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION 947 #define MBEDTLS_SSL_CONTEXT_SERIALIZATION 948 #else 949 #undef MBEDTLS_SSL_CONTEXT_SERIALIZATION 950 #endif 951 952 /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC 953 * 954 * Enable support for Encrypt-then-MAC, RFC 7366. 955 * 956 * This allows peers that both support it to use a more robust protection for 957 * ciphersuites using CBC, providing deep resistance against timing attacks 958 * on the padding or underlying cipher. 959 * 960 * This only affects CBC ciphersuites, and is useless if none is defined. 961 * 962 * Requires: MBEDTLS_SSL_PROTO_TLS1 or 963 * MBEDTLS_SSL_PROTO_TLS1_1 or 964 * MBEDTLS_SSL_PROTO_TLS1_2 965 * 966 * Comment this macro to disable support for Encrypt-then-MAC 967 */ 968 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 969 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC 970 #else 971 #undef MBEDTLS_SSL_ENCRYPT_THEN_MAC 972 #endif 973 974 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET 975 * 976 * Enable support for RFC 7627: Session Hash and Extended Master Secret 977 * Extension. 978 * 979 * This was introduced as "the proper fix" to the Triple Handshake familiy of 980 * attacks, but it is recommended to always use it (even if you disable 981 * renegotiation), since it actually fixes a more fundamental issue in the 982 * original SSL/TLS design, and has implications beyond Triple Handshake. 983 * 984 * Requires: MBEDTLS_SSL_PROTO_TLS1 or 985 * MBEDTLS_SSL_PROTO_TLS1_1 or 986 * MBEDTLS_SSL_PROTO_TLS1_2 987 * 988 * Comment this macro to disable support for Extended Master Secret. 989 */ 990 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 991 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET 992 #else 993 #undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET 994 #endif 995 996 /** 997 * \def MBEDTLS_SSL_FALLBACK_SCSV 998 * 999 * Enable support for RFC 7507: Fallback Signaling Cipher Suite Value (SCSV) 1000 * for Preventing Protocol Downgrade Attacks. 1001 * 1002 * For servers, it is recommended to always enable this, unless you support 1003 * only one version of TLS, or know for sure that none of your clients 1004 * implements a fallback strategy. 1005 * 1006 * For clients, you only need this if you're using a fallback strategy, which 1007 * is not recommended in the first place, unless you absolutely need it to 1008 * interoperate with buggy (version-intolerant) servers. 1009 * 1010 * Comment this macro to disable support for FALLBACK_SCSV 1011 */ 1012 #define MBEDTLS_SSL_FALLBACK_SCSV 1013 1014 /** 1015 * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1016 * 1017 * This option controls the availability of the API mbedtls_ssl_get_peer_cert() 1018 * giving access to the peer's certificate after completion of the handshake. 1019 * 1020 * Unless you need mbedtls_ssl_peer_cert() in your application, it is 1021 * recommended to disable this option for reduced RAM usage. 1022 * 1023 * \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still 1024 * defined, but always returns \c NULL. 1025 * 1026 * \note This option has no influence on the protection against the 1027 * triple handshake attack. Even if it is disabled, Mbed TLS will 1028 * still ensure that certificates do not change during renegotiation, 1029 * for exaple by keeping a hash of the peer's certificate. 1030 * 1031 * Comment this macro to disable storing the peer's certificate 1032 * after the handshake. 1033 */ 1034 #ifdef CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1035 #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1036 #else 1037 #undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1038 #endif 1039 1040 /** 1041 * \def MBEDTLS_SSL_PROTO_TLS1 1042 * 1043 * Enable support for TLS 1.0. 1044 * 1045 * Requires: MBEDTLS_MD5_C 1046 * MBEDTLS_SHA1_C 1047 * 1048 * Comment this macro to disable support for TLS 1.0 1049 */ 1050 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1 1051 #define MBEDTLS_SSL_PROTO_TLS1 1052 #else 1053 #undef MBEDTLS_SSL_PROTO_TLS1 1054 #endif 1055 1056 /** 1057 * \def MBEDTLS_SSL_PROTO_SSL3 1058 * 1059 * Enable support for SSL 3.0. 1060 * 1061 * Requires: MBEDTLS_MD5_C 1062 * MBEDTLS_SHA1_C 1063 * 1064 * \deprecated This option is deprecated and will be removed in a future 1065 * version of Mbed TLS. 1066 * 1067 * Comment this macro to disable support for SSL 3.0 1068 */ 1069 #ifdef CONFIG_MBEDTLS_SSL_PROTO_SSL3 1070 #define MBEDTLS_SSL_PROTO_SSL3 1071 #else 1072 #undef MBEDTLS_SSL_PROTO_SSL3 1073 #endif 1074 1075 /** 1076 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING 1077 * 1078 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0. 1079 * 1080 * This is a countermeasure to the BEAST attack, which also minimizes the risk 1081 * of interoperability issues compared to sending 0-length records. 1082 * 1083 * Comment this macro to disable 1/n-1 record splitting. 1084 */ 1085 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 1086 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING 1087 #else 1088 #undef MBEDTLS_SSL_CBC_RECORD_SPLITTING 1089 #endif 1090 1091 /** 1092 * \def MBEDTLS_SSL_RENEGOTIATION 1093 * 1094 * Disable support for TLS renegotiation. 1095 * 1096 * The two main uses of renegotiation are (1) refresh keys on long-lived 1097 * connections and (2) client authentication after the initial handshake. 1098 * If you don't need renegotiation, it's probably better to disable it, since 1099 * it has been associated with security issues in the past and is easy to 1100 * misuse/misunderstand. 1101 * 1102 * Comment this to disable support for renegotiation. 1103 */ 1104 #ifdef CONFIG_MBEDTLS_SSL_RENEGOTIATION 1105 #define MBEDTLS_SSL_RENEGOTIATION 1106 #else 1107 #undef MBEDTLS_SSL_RENEGOTIATION 1108 #endif 1109 1110 /** 1111 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 1112 * 1113 * Enable support for RFC 6066 max_fragment_length extension in SSL. 1114 * 1115 * Comment this macro to disable support for the max_fragment_length extension 1116 */ 1117 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 1118 1119 /** 1120 * \def MBEDTLS_SSL_PROTO_TLS1_1 1121 * 1122 * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). 1123 * 1124 * Requires: MBEDTLS_MD5_C 1125 * MBEDTLS_SHA1_C 1126 * 1127 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0 1128 */ 1129 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_1 1130 #define MBEDTLS_SSL_PROTO_TLS1_1 1131 #else 1132 #undef MBEDTLS_SSL_PROTO_TLS1_1 1133 #endif 1134 1135 /** 1136 * \def MBEDTLS_SSL_PROTO_TLS1_2 1137 * 1138 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). 1139 * 1140 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C 1141 * (Depends on ciphersuites) 1142 * 1143 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 1144 */ 1145 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 1146 #define MBEDTLS_SSL_PROTO_TLS1_2 1147 #else 1148 #undef MBEDTLS_SSL_PROTO_TLS1_2 1149 #endif 1150 1151 /** 1152 * \def MBEDTLS_SSL_PROTO_DTLS 1153 * 1154 * Enable support for DTLS (all available versions). 1155 * 1156 * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, 1157 * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. 1158 * 1159 * Requires: MBEDTLS_SSL_PROTO_TLS1_1 1160 * or MBEDTLS_SSL_PROTO_TLS1_2 1161 * 1162 * Comment this macro to disable support for DTLS 1163 */ 1164 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1165 #define MBEDTLS_SSL_PROTO_DTLS 1166 #else 1167 #undef MBEDTLS_SSL_PROTO_DTLS 1168 #endif 1169 1170 /** 1171 * \def MBEDTLS_SSL_ALPN 1172 * 1173 * Enable support for RFC 7301 Application Layer Protocol Negotiation. 1174 * 1175 * Comment this macro to disable support for ALPN. 1176 */ 1177 #ifdef CONFIG_MBEDTLS_SSL_ALPN 1178 #define MBEDTLS_SSL_ALPN 1179 #else 1180 #undef MBEDTLS_SSL_ALPN 1181 #endif 1182 1183 /** 1184 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY 1185 * 1186 * Enable support for the anti-replay mechanism in DTLS. 1187 * 1188 * Requires: MBEDTLS_SSL_TLS_C 1189 * MBEDTLS_SSL_PROTO_DTLS 1190 * 1191 * \warning Disabling this is often a security risk! 1192 * See mbedtls_ssl_conf_dtls_anti_replay() for details. 1193 * 1194 * Comment this to disable anti-replay in DTLS. 1195 */ 1196 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1197 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY 1198 #else 1199 #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY 1200 #endif 1201 1202 /** 1203 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY 1204 * 1205 * Enable support for HelloVerifyRequest on DTLS servers. 1206 * 1207 * This feature is highly recommended to prevent DTLS servers being used as 1208 * amplifiers in DoS attacks against other hosts. It should always be enabled 1209 * unless you know for sure amplification cannot be a problem in the 1210 * environment in which your server operates. 1211 * 1212 * \warning Disabling this can ba a security risk! (see above) 1213 * 1214 * Requires: MBEDTLS_SSL_PROTO_DTLS 1215 * 1216 * Comment this to disable support for HelloVerifyRequest. 1217 */ 1218 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1219 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY 1220 #else 1221 #undef MBEDTLS_SSL_DTLS_HELLO_VERIFY 1222 #endif 1223 1224 /** 1225 * \def MBEDTLS_SSL_DTLS_SRTP 1226 * 1227 * Enable support for negotiation of DTLS-SRTP (RFC 5764) 1228 * through the use_srtp extension. 1229 * 1230 * \note This feature provides the minimum functionality required 1231 * to negotiate the use of DTLS-SRTP and to allow the derivation of 1232 * the associated SRTP packet protection key material. 1233 * In particular, the SRTP packet protection itself, as well as the 1234 * demultiplexing of RTP and DTLS packets at the datagram layer 1235 * (see Section 5 of RFC 5764), are not handled by this feature. 1236 * Instead, after successful completion of a handshake negotiating 1237 * the use of DTLS-SRTP, the extended key exporter API 1238 * mbedtls_ssl_conf_export_keys_ext_cb() should be used to implement 1239 * the key exporter described in Section 4.2 of RFC 5764 and RFC 5705 1240 * (this is implemented in the SSL example programs). 1241 * The resulting key should then be passed to an SRTP stack. 1242 * 1243 * Setting this option enables the runtime API 1244 * mbedtls_ssl_conf_dtls_srtp_protection_profiles() 1245 * through which the supported DTLS-SRTP protection 1246 * profiles can be configured. You must call this API at 1247 * runtime if you wish to negotiate the use of DTLS-SRTP. 1248 * 1249 * Requires: MBEDTLS_SSL_PROTO_DTLS 1250 * 1251 * Uncomment this to enable support for use_srtp extension. 1252 */ 1253 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1254 #define MBEDTLS_SSL_DTLS_SRTP 1255 #else 1256 #undef MBEDTLS_SSL_DTLS_SRTP 1257 #endif 1258 1259 /** 1260 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1261 * 1262 * Enable server-side support for clients that reconnect from the same port. 1263 * 1264 * Some clients unexpectedly close the connection and try to reconnect using the 1265 * same source port. This needs special support from the server to handle the 1266 * new connection securely, as described in section 4.2.8 of RFC 6347. This 1267 * flag enables that support. 1268 * 1269 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY 1270 * 1271 * Comment this to disable support for clients reusing the source port. 1272 */ 1273 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1274 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1275 #else 1276 #undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1277 #endif 1278 1279 /** 1280 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT 1281 * 1282 * Enable support for a limit of records with bad MAC. 1283 * 1284 * See mbedtls_ssl_conf_dtls_badmac_limit(). 1285 * 1286 * Requires: MBEDTLS_SSL_PROTO_DTLS 1287 */ 1288 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1289 #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT 1290 #else 1291 #undef MBEDTLS_SSL_DTLS_BADMAC_LIMIT 1292 #endif 1293 1294 /** 1295 * \def MBEDTLS_SSL_SESSION_TICKETS 1296 * 1297 * Enable support for RFC 5077 session tickets in SSL. 1298 * Client-side, provides full support for session tickets (maintainance of a 1299 * session store remains the responsibility of the application, though). 1300 * Server-side, you also need to provide callbacks for writing and parsing 1301 * tickets, including authenticated encryption and key management. Example 1302 * callbacks are provided by MBEDTLS_SSL_TICKET_C. 1303 * 1304 * Comment this macro to disable support for SSL session tickets 1305 */ 1306 #ifdef CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS 1307 #define MBEDTLS_SSL_SESSION_TICKETS 1308 #else 1309 #undef MBEDTLS_SSL_SESSION_TICKETS 1310 #endif 1311 1312 /** 1313 * \def MBEDTLS_SSL_EXPORT_KEYS 1314 * 1315 * Enable support for exporting key block and master secret. 1316 * This is required for certain users of TLS, e.g. EAP-TLS. 1317 * 1318 * Comment this macro to disable support for key export 1319 */ 1320 #define MBEDTLS_SSL_EXPORT_KEYS 1321 1322 /** 1323 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION 1324 * 1325 * Enable support for RFC 6066 server name indication (SNI) in SSL. 1326 * 1327 * Requires: MBEDTLS_X509_CRT_PARSE_C 1328 * 1329 * Comment this macro to disable support for server name indication in SSL 1330 */ 1331 #define MBEDTLS_SSL_SERVER_NAME_INDICATION 1332 1333 /** 1334 * \def MBEDTLS_SSL_TRUNCATED_HMAC 1335 * 1336 * Enable support for RFC 6066 truncated HMAC in SSL. 1337 * 1338 * Comment this macro to disable support for truncated HMAC in SSL 1339 */ 1340 #define MBEDTLS_SSL_TRUNCATED_HMAC 1341 1342 /** 1343 * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1344 * 1345 * When this option is enabled, the SSL buffer will be resized automatically 1346 * based on the negotiated maximum fragment length in each direction. 1347 * 1348 * Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 1349 */ 1350 #if defined MBEDTLS_SSL_MAX_FRAGMENT_LENGTH && CONFIG_MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1351 #define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1352 #else 1353 #undef MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1354 #endif 1355 1356 /** 1357 * 1358 * \def MBEDTLS_VERSION_FEATURES 1359 * 1360 * Allow run-time checking of compile-time enabled features. Thus allowing users 1361 * to check at run-time if the library is for instance compiled with threading 1362 * support via mbedtls_version_check_feature(). 1363 * 1364 * Requires: MBEDTLS_VERSION_C 1365 * 1366 * Comment this to disable run-time checking and save ROM space 1367 */ 1368 #define MBEDTLS_VERSION_FEATURES 1369 1370 /** 1371 * \def MBEDTLS_X509_CHECK_KEY_USAGE 1372 * 1373 * Enable verification of the keyUsage extension (CA and leaf certificates). 1374 * 1375 * Disabling this avoids problems with mis-issued and/or misused 1376 * (intermediate) CA and leaf certificates. 1377 * 1378 * \warning Depending on your PKI use, disabling this can be a security risk! 1379 * 1380 * Comment to skip keyUsage checking for both CA and leaf certificates. 1381 */ 1382 #ifdef CONFIG_MBEDTLS_X509_CHECK_KEY_USAGE 1383 #define MBEDTLS_X509_CHECK_KEY_USAGE 1384 #else 1385 #undef MBEDTLS_X509_CHECK_KEY_USAGE 1386 #endif 1387 1388 /** 1389 * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 1390 * 1391 * Enable verification of the extendedKeyUsage extension (leaf certificates). 1392 * 1393 * Disabling this avoids problems with mis-issued and/or misused certificates. 1394 * 1395 * \warning Depending on your PKI use, disabling this can be a security risk! 1396 * 1397 * Comment to skip extendedKeyUsage checking for certificates. 1398 */ 1399 #ifdef CONFIG_MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 1400 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 1401 #else 1402 #undef MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 1403 #endif 1404 1405 /** 1406 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT 1407 * 1408 * Enable parsing and verification of X.509 certificates, CRLs and CSRS 1409 * signed with RSASSA-PSS (aka PKCS#1 v2.1). 1410 * 1411 * Comment this macro to disallow using RSASSA-PSS in certificates. 1412 */ 1413 #define MBEDTLS_X509_RSASSA_PSS_SUPPORT 1414 1415 1416 /* \} name SECTION: mbed TLS feature support */ 1417 1418 /** 1419 * \name SECTION: mbed TLS modules 1420 * 1421 * This section enables or disables entire modules in mbed TLS 1422 * \{ 1423 */ 1424 1425 /** 1426 * \def MBEDTLS_AESNI_C 1427 * 1428 * Enable AES-NI support on x86-64. 1429 * 1430 * Module: library/aesni.c 1431 * Caller: library/aes.c 1432 * 1433 * Requires: MBEDTLS_HAVE_ASM 1434 * 1435 * This modules adds support for the AES-NI instructions on x86-64 1436 */ 1437 #define MBEDTLS_AESNI_C 1438 1439 /** 1440 * \def MBEDTLS_AES_C 1441 * 1442 * Enable the AES block cipher. 1443 * 1444 * Module: library/aes.c 1445 * Caller: library/ssl_tls.c 1446 * library/pem.c 1447 * library/ctr_drbg.c 1448 * 1449 * This module enables the following ciphersuites (if other requisites are 1450 * enabled as well): 1451 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 1452 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 1453 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 1454 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 1455 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 1456 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 1457 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 1458 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 1459 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 1460 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 1461 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 1462 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 1463 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 1464 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 1465 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 1466 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 1467 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 1468 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 1469 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 1470 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 1471 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 1472 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 1473 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 1474 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 1475 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 1476 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 1477 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 1478 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 1479 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 1480 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 1481 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 1482 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 1483 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 1484 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 1485 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 1486 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 1487 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 1488 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 1489 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 1490 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 1491 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 1492 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 1493 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 1494 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 1495 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 1496 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 1497 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 1498 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 1499 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 1500 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 1501 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 1502 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 1503 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 1504 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 1505 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 1506 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 1507 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 1508 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 1509 * 1510 * PEM_PARSE uses AES for decrypting encrypted keys. 1511 */ 1512 #ifdef CONFIG_MBEDTLS_AES_C 1513 #define MBEDTLS_AES_C 1514 #else 1515 #undef MBEDTLS_AES_C 1516 #endif 1517 1518 /** 1519 * \def MBEDTLS_ASN1_PARSE_C 1520 * 1521 * Enable the generic ASN1 parser. 1522 * 1523 * Module: library/asn1.c 1524 * Caller: library/x509.c 1525 * library/dhm.c 1526 * library/pkcs12.c 1527 * library/pkcs5.c 1528 * library/pkparse.c 1529 */ 1530 #define MBEDTLS_ASN1_PARSE_C 1531 1532 /** 1533 * \def MBEDTLS_ASN1_WRITE_C 1534 * 1535 * Enable the generic ASN1 writer. 1536 * 1537 * Module: library/asn1write.c 1538 * Caller: library/ecdsa.c 1539 * library/pkwrite.c 1540 * library/x509_create.c 1541 * library/x509write_crt.c 1542 * library/mbedtls_x509write_csr.c 1543 */ 1544 #define MBEDTLS_ASN1_WRITE_C 1545 1546 /** 1547 * \def MBEDTLS_BASE64_C 1548 * 1549 * Enable the Base64 module. 1550 * 1551 * Module: library/base64.c 1552 * Caller: library/pem.c 1553 * 1554 * This module is required for PEM support (required by X.509). 1555 */ 1556 #define MBEDTLS_BASE64_C 1557 1558 /** 1559 * \def MBEDTLS_BIGNUM_C 1560 * 1561 * Enable the multi-precision integer library. 1562 * 1563 * Module: library/bignum.c 1564 * Caller: library/dhm.c 1565 * library/ecp.c 1566 * library/ecdsa.c 1567 * library/rsa.c 1568 * library/ssl_tls.c 1569 * 1570 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. 1571 */ 1572 #define MBEDTLS_BIGNUM_C 1573 1574 /** 1575 * \def MBEDTLS_BLOWFISH_C 1576 * 1577 * Enable the Blowfish block cipher. 1578 * 1579 * Module: library/blowfish.c 1580 */ 1581 #ifdef CONFIG_MBEDTLS_BLOWFISH_C 1582 #define MBEDTLS_BLOWFISH_C 1583 #else 1584 #undef MBEDTLS_BLOWFISH_C 1585 #endif 1586 1587 /** 1588 * \def MBEDTLS_CAMELLIA_C 1589 * 1590 * Enable the Camellia block cipher. 1591 * 1592 * Module: library/camellia.c 1593 * Caller: library/ssl_tls.c 1594 * 1595 * This module enables the following ciphersuites (if other requisites are 1596 * enabled as well): 1597 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 1598 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 1599 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 1600 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 1601 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 1602 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 1603 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 1604 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 1605 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 1606 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 1607 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 1608 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 1609 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 1610 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 1611 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 1612 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 1613 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 1614 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 1615 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 1616 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 1617 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 1618 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 1619 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 1620 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 1621 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 1622 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 1623 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 1624 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 1625 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 1626 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 1627 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 1628 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 1629 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 1630 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 1631 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 1632 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 1633 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 1634 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 1635 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 1636 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 1637 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 1638 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 1639 */ 1640 #ifdef CONFIG_MBEDTLS_CAMELLIA_C 1641 #define MBEDTLS_CAMELLIA_C 1642 #else 1643 #undef MBEDTLS_CAMELLIA_C 1644 #endif 1645 1646 /** 1647 * \def MBEDTLS_CCM_C 1648 * 1649 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. 1650 * 1651 * Module: library/ccm.c 1652 * 1653 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C 1654 * 1655 * This module enables the AES-CCM ciphersuites, if other requisites are 1656 * enabled as well. 1657 */ 1658 #ifdef CONFIG_MBEDTLS_CCM_C 1659 #define MBEDTLS_CCM_C 1660 #else 1661 #undef MBEDTLS_CCM_C 1662 #endif 1663 1664 /** 1665 * \def MBEDTLS_CERTS_C 1666 * 1667 * Enable the test certificates. 1668 * 1669 * Module: library/certs.c 1670 * Caller: 1671 * 1672 * This module is used for testing (ssl_client/server). 1673 */ 1674 #define MBEDTLS_CERTS_C 1675 1676 /** 1677 * \def MBEDTLS_CHACHA20_C 1678 * 1679 * Enable the ChaCha20 stream cipher. 1680 * 1681 * Module: library/chacha20.c 1682 */ 1683 #ifdef CONFIG_MBEDTLS_CHACHA20_C 1684 #define MBEDTLS_CHACHA20_C 1685 #else 1686 #undef MBEDTLS_CHACHA20_C 1687 #endif 1688 1689 /** 1690 * \def MBEDTLS_CHACHAPOLY_C 1691 * 1692 * Enable the ChaCha20-Poly1305 AEAD algorithm. 1693 * 1694 * Module: library/chachapoly.c 1695 * 1696 * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C 1697 */ 1698 #ifdef CONFIG_MBEDTLS_CHACHAPOLY_C 1699 #define MBEDTLS_CHACHAPOLY_C 1700 #else 1701 #undef MBEDTLS_CHACHAPOLY_C 1702 #endif 1703 1704 /** 1705 * \def MBEDTLS_CIPHER_C 1706 * 1707 * Enable the generic cipher layer. 1708 * 1709 * Module: library/cipher.c 1710 * Caller: library/ssl_tls.c 1711 * 1712 * Uncomment to enable generic cipher wrappers. 1713 */ 1714 #define MBEDTLS_CIPHER_C 1715 1716 /** 1717 * \def MBEDTLS_CTR_DRBG_C 1718 * 1719 * Enable the CTR_DRBG AES-256-based random generator. 1720 * 1721 * Module: library/ctr_drbg.c 1722 * Caller: 1723 * 1724 * Requires: MBEDTLS_AES_C 1725 * 1726 * This module provides the CTR_DRBG AES-256 random number generator. 1727 */ 1728 #define MBEDTLS_CTR_DRBG_C 1729 1730 /** 1731 * \def MBEDTLS_DEBUG_C 1732 * 1733 * Enable the debug functions. 1734 * 1735 * Module: library/debug.c 1736 * Caller: library/ssl_cli.c 1737 * library/ssl_srv.c 1738 * library/ssl_tls.c 1739 * 1740 * This module provides debugging functions. 1741 */ 1742 #if CONFIG_MBEDTLS_DEBUG 1743 #define MBEDTLS_DEBUG_C 1744 #else 1745 #undef MBEDTLS_DEBUG_C 1746 #endif 1747 1748 /** 1749 * \def MBEDTLS_DES_C 1750 * 1751 * Enable the DES block cipher. 1752 * 1753 * Module: library/des.c 1754 * Caller: library/pem.c 1755 * library/ssl_tls.c 1756 * 1757 * This module enables the following ciphersuites (if other requisites are 1758 * enabled as well): 1759 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 1760 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 1761 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 1762 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 1763 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 1764 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 1765 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 1766 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 1767 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 1768 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 1769 * 1770 * PEM_PARSE uses DES/3DES for decrypting encrypted keys. 1771 */ 1772 #ifdef CONFIG_MBEDTLS_DES_C 1773 #define MBEDTLS_DES_C 1774 #else 1775 #undef MBEDTLS_DES_C 1776 #endif 1777 1778 /** 1779 * \def MBEDTLS_DHM_C 1780 * 1781 * Enable the Diffie-Hellman-Merkle module. 1782 * 1783 * Module: library/dhm.c 1784 * Caller: library/ssl_cli.c 1785 * library/ssl_srv.c 1786 * 1787 * This module is used by the following key exchanges: 1788 * DHE-RSA, DHE-PSK 1789 */ 1790 #define MBEDTLS_DHM_C 1791 1792 /** 1793 * \def MBEDTLS_ECDH_C 1794 * 1795 * Enable the elliptic curve Diffie-Hellman library. 1796 * 1797 * Module: library/ecdh.c 1798 * Caller: library/ssl_cli.c 1799 * library/ssl_srv.c 1800 * 1801 * This module is used by the following key exchanges: 1802 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK 1803 * 1804 * Requires: MBEDTLS_ECP_C 1805 */ 1806 #ifdef CONFIG_MBEDTLS_ECDH_C 1807 #define MBEDTLS_ECDH_C 1808 #else 1809 #undef MBEDTLS_ECDH_C 1810 #endif 1811 1812 /** 1813 * \def MBEDTLS_ECDSA_C 1814 * 1815 * Enable the elliptic curve DSA library. 1816 * 1817 * Module: library/ecdsa.c 1818 * Caller: 1819 * 1820 * This module is used by the following key exchanges: 1821 * ECDHE-ECDSA 1822 * 1823 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C, 1824 * and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a 1825 * short Weierstrass curve. 1826 */ 1827 #ifdef CONFIG_MBEDTLS_ECDSA_C 1828 #define MBEDTLS_ECDSA_C 1829 #else 1830 #undef MBEDTLS_ECDSA_C 1831 #endif 1832 1833 /** 1834 * \def MBEDTLS_ECJPAKE_C 1835 * 1836 * Enable the elliptic curve J-PAKE library. 1837 * 1838 * \warning This is currently experimental. EC J-PAKE support is based on the 1839 * Thread v1.0.0 specification; incompatible changes to the specification 1840 * might still happen. For this reason, this is disabled by default. 1841 * 1842 * Module: library/ecjpake.c 1843 * Caller: 1844 * 1845 * This module is used by the following key exchanges: 1846 * ECJPAKE 1847 * 1848 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C 1849 */ 1850 #ifdef CONFIG_MBEDTLS_ECJPAKE_C 1851 #define MBEDTLS_ECJPAKE_C 1852 #else 1853 #undef MBEDTLS_ECJPAKE_C 1854 #endif 1855 1856 /** 1857 * \def MBEDTLS_ECP_C 1858 * 1859 * Enable the elliptic curve over GF(p) library. 1860 * 1861 * Module: library/ecp.c 1862 * Caller: library/ecdh.c 1863 * library/ecdsa.c 1864 * library/ecjpake.c 1865 * 1866 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED 1867 */ 1868 #ifdef CONFIG_MBEDTLS_ECP_C 1869 #define MBEDTLS_ECP_C 1870 #else 1871 #undef MBEDTLS_ECP_C 1872 #endif 1873 1874 /** 1875 * \def MBEDTLS_ENTROPY_C 1876 * 1877 * Enable the platform-specific entropy code. 1878 * 1879 * Module: library/entropy.c 1880 * Caller: 1881 * 1882 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 1883 * 1884 * This module provides a generic entropy pool 1885 */ 1886 #define MBEDTLS_ENTROPY_C 1887 1888 /** 1889 * \def MBEDTLS_ERROR_C 1890 * 1891 * Enable error code to error string conversion. 1892 * 1893 * Module: library/error.c 1894 * Caller: 1895 * 1896 * This module enables mbedtls_strerror(). 1897 */ 1898 #define MBEDTLS_ERROR_C 1899 1900 /** 1901 * \def MBEDTLS_GCM_C 1902 * 1903 * Enable the Galois/Counter Mode (GCM). 1904 * 1905 * Module: library/gcm.c 1906 * 1907 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C 1908 * 1909 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other 1910 * requisites are enabled as well. 1911 */ 1912 #ifdef CONFIG_MBEDTLS_GCM_C 1913 #define MBEDTLS_GCM_C 1914 #else 1915 #undef MBEDTLS_GCM_C 1916 #endif 1917 1918 /** 1919 * \def MBEDTLS_HKDF_C 1920 * 1921 * Enable the HKDF algorithm (RFC 5869). 1922 * 1923 * Module: library/hkdf.c 1924 * Caller: 1925 * 1926 * Requires: MBEDTLS_MD_C 1927 * 1928 * This module enables support for the Hashed Message Authentication Code 1929 * (HMAC)-based key derivation function (HKDF). 1930 */ 1931 #ifdef CONFIG_MBEDTLS_HKDF_C 1932 #define MBEDTLS_HKDF_C 1933 #else 1934 #undef MBEDTLS_HKDF_C 1935 #endif 1936 1937 /** 1938 * \def MBEDTLS_HMAC_DRBG_C 1939 * 1940 * Enable the HMAC_DRBG random generator. 1941 * 1942 * Module: library/hmac_drbg.c 1943 * Caller: 1944 * 1945 * Requires: MBEDTLS_MD_C 1946 * 1947 * Uncomment to enable the HMAC_DRBG random number geerator. 1948 */ 1949 #define MBEDTLS_HMAC_DRBG_C 1950 1951 /** 1952 * \def MBEDTLS_MD_C 1953 * 1954 * Enable the generic message digest layer. 1955 * 1956 * Module: library/mbedtls_md.c 1957 * Caller: 1958 * 1959 * Uncomment to enable generic message digest wrappers. 1960 */ 1961 #define MBEDTLS_MD_C 1962 1963 /** 1964 * \def MBEDTLS_MD5_C 1965 * 1966 * Enable the MD5 hash algorithm. 1967 * 1968 * Module: library/mbedtls_md5.c 1969 * Caller: library/mbedtls_md.c 1970 * library/pem.c 1971 * library/ssl_tls.c 1972 * 1973 * This module is required for SSL/TLS and X.509. 1974 * PEM_PARSE uses MD5 for decrypting encrypted keys. 1975 */ 1976 #define MBEDTLS_MD5_C 1977 1978 /** 1979 * \def MBEDTLS_NET_C 1980 * 1981 * Enable the TCP/IP networking routines. 1982 * 1983 * Module: library/net.c 1984 * 1985 * This module provides TCP/IP networking routines. 1986 */ 1987 #ifdef MBEDTLS_NET_C 1988 #undef MBEDTLS_NET_C 1989 #endif 1990 1991 /** 1992 * \def MBEDTLS_OID_C 1993 * 1994 * Enable the OID database. 1995 * 1996 * Module: library/oid.c 1997 * Caller: library/asn1write.c 1998 * library/pkcs5.c 1999 * library/pkparse.c 2000 * library/pkwrite.c 2001 * library/rsa.c 2002 * library/x509.c 2003 * library/x509_create.c 2004 * library/mbedtls_x509_crl.c 2005 * library/mbedtls_x509_crt.c 2006 * library/mbedtls_x509_csr.c 2007 * library/x509write_crt.c 2008 * library/mbedtls_x509write_csr.c 2009 * 2010 * This modules translates between OIDs and internal values. 2011 */ 2012 #define MBEDTLS_OID_C 2013 2014 /** 2015 * \def MBEDTLS_PADLOCK_C 2016 * 2017 * Enable VIA Padlock support on x86. 2018 * 2019 * Module: library/padlock.c 2020 * Caller: library/aes.c 2021 * 2022 * Requires: MBEDTLS_HAVE_ASM 2023 * 2024 * This modules adds support for the VIA PadLock on x86. 2025 */ 2026 #define MBEDTLS_PADLOCK_C 2027 2028 /** 2029 * \def MBEDTLS_PEM_PARSE_C 2030 * 2031 * Enable PEM decoding / parsing. 2032 * 2033 * Module: library/pem.c 2034 * Caller: library/dhm.c 2035 * library/pkparse.c 2036 * library/mbedtls_x509_crl.c 2037 * library/mbedtls_x509_crt.c 2038 * library/mbedtls_x509_csr.c 2039 * 2040 * Requires: MBEDTLS_BASE64_C 2041 * 2042 * This modules adds support for decoding / parsing PEM files. 2043 */ 2044 #ifdef CONFIG_MBEDTLS_PEM_PARSE_C 2045 #define MBEDTLS_PEM_PARSE_C 2046 #else 2047 #undef MBEDTLS_PEM_PARSE_C 2048 #endif 2049 2050 /** 2051 * \def MBEDTLS_PEM_WRITE_C 2052 * 2053 * Enable PEM encoding / writing. 2054 * 2055 * Module: library/pem.c 2056 * Caller: library/pkwrite.c 2057 * library/x509write_crt.c 2058 * library/mbedtls_x509write_csr.c 2059 * 2060 * Requires: MBEDTLS_BASE64_C 2061 * 2062 * This modules adds support for encoding / writing PEM files. 2063 */ 2064 #ifdef CONFIG_MBEDTLS_PEM_WRITE_C 2065 #define MBEDTLS_PEM_WRITE_C 2066 #else 2067 #undef MBEDTLS_PEM_WRITE_C 2068 #endif 2069 2070 /** 2071 * \def MBEDTLS_PK_C 2072 * 2073 * Enable the generic public (asymetric) key layer. 2074 * 2075 * Module: library/pk.c 2076 * Caller: library/ssl_tls.c 2077 * library/ssl_cli.c 2078 * library/ssl_srv.c 2079 * 2080 * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C 2081 * 2082 * Uncomment to enable generic public key wrappers. 2083 */ 2084 #define MBEDTLS_PK_C 2085 2086 /** 2087 * \def MBEDTLS_PK_PARSE_C 2088 * 2089 * Enable the generic public (asymetric) key parser. 2090 * 2091 * Module: library/pkparse.c 2092 * Caller: library/mbedtls_x509_crt.c 2093 * library/mbedtls_x509_csr.c 2094 * 2095 * Requires: MBEDTLS_PK_C 2096 * 2097 * Uncomment to enable generic public key parse functions. 2098 */ 2099 #define MBEDTLS_PK_PARSE_C 2100 2101 /** 2102 * \def MBEDTLS_PK_WRITE_C 2103 * 2104 * Enable the generic public (asymetric) key writer. 2105 * 2106 * Module: library/pkwrite.c 2107 * Caller: library/x509write.c 2108 * 2109 * Requires: MBEDTLS_PK_C 2110 * 2111 * Uncomment to enable generic public key write functions. 2112 */ 2113 #define MBEDTLS_PK_WRITE_C 2114 2115 /** 2116 * \def MBEDTLS_PKCS5_C 2117 * 2118 * Enable PKCS#5 functions. 2119 * 2120 * Module: library/pkcs5.c 2121 * 2122 * Requires: MBEDTLS_MD_C 2123 * 2124 * This module adds support for the PKCS#5 functions. 2125 */ 2126 #define MBEDTLS_PKCS5_C 2127 2128 /** 2129 * \def MBEDTLS_PKCS12_C 2130 * 2131 * Enable PKCS#12 PBE functions. 2132 * Adds algorithms for parsing PKCS#8 encrypted private keys 2133 * 2134 * Module: library/pkcs12.c 2135 * Caller: library/pkparse.c 2136 * 2137 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C 2138 * Can use: MBEDTLS_ARC4_C 2139 * 2140 * This module enables PKCS#12 functions. 2141 */ 2142 #define MBEDTLS_PKCS12_C 2143 2144 /** 2145 * \def MBEDTLS_PLATFORM_C 2146 * 2147 * Enable the platform abstraction layer that allows you to re-assign 2148 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 2149 * 2150 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 2151 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 2152 * above to be specified at runtime or compile time respectively. 2153 * 2154 * \note This abstraction layer must be enabled on Windows (including MSYS2) 2155 * as other module rely on it for a fixed snprintf implementation. 2156 * 2157 * Module: library/platform.c 2158 * Caller: Most other .c files 2159 * 2160 * This module enables abstraction of common (libc) functions. 2161 */ 2162 #define MBEDTLS_PLATFORM_C 2163 2164 /** 2165 * \def MBEDTLS_POLY1305_C 2166 * 2167 * Enable the Poly1305 MAC algorithm. 2168 * 2169 * Module: library/poly1305.c 2170 * Caller: library/chachapoly.c 2171 */ 2172 #ifdef CONFIG_MBEDTLS_POLY1305_C 2173 #define MBEDTLS_POLY1305_C 2174 #else 2175 #undef MBEDTLS_POLY1305_C 2176 #endif 2177 2178 /** 2179 * \def MBEDTLS_RIPEMD160_C 2180 * 2181 * Enable the RIPEMD-160 hash algorithm. 2182 * 2183 * Module: library/mbedtls_ripemd160.c 2184 * Caller: library/mbedtls_md.c 2185 * 2186 */ 2187 #ifdef CONFIG_MBEDTLS_RIPEMD160_C 2188 #define MBEDTLS_RIPEMD160_C 2189 #else 2190 #undef MBEDTLS_RIPEMD160_C 2191 #endif 2192 2193 /** 2194 * \def MBEDTLS_RSA_C 2195 * 2196 * Enable the RSA public-key cryptosystem. 2197 * 2198 * Module: library/rsa.c 2199 * Caller: library/ssl_cli.c 2200 * library/ssl_srv.c 2201 * library/ssl_tls.c 2202 * library/x509.c 2203 * 2204 * This module is used by the following key exchanges: 2205 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK 2206 * 2207 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C 2208 */ 2209 #define MBEDTLS_RSA_C 2210 2211 /** 2212 * \def MBEDTLS_SHA1_C 2213 * 2214 * Enable the SHA1 cryptographic hash algorithm. 2215 * 2216 * Module: library/mbedtls_sha1.c 2217 * Caller: library/mbedtls_md.c 2218 * library/ssl_cli.c 2219 * library/ssl_srv.c 2220 * library/ssl_tls.c 2221 * library/x509write_crt.c 2222 * 2223 * This module is required for SSL/TLS and SHA1-signed certificates. 2224 */ 2225 #define MBEDTLS_SHA1_C 2226 2227 /** 2228 * \def MBEDTLS_SHA256_C 2229 * 2230 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms. 2231 * 2232 * Module: library/mbedtls_sha256.c 2233 * Caller: library/entropy.c 2234 * library/mbedtls_md.c 2235 * library/ssl_cli.c 2236 * library/ssl_srv.c 2237 * library/ssl_tls.c 2238 * 2239 * This module adds support for SHA-224 and SHA-256. 2240 * This module is required for the SSL/TLS 1.2 PRF function. 2241 */ 2242 #define MBEDTLS_SHA256_C 2243 2244 /** 2245 * \def MBEDTLS_SHA512_C 2246 * 2247 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms. 2248 * 2249 * Module: library/mbedtls_sha512.c 2250 * Caller: library/entropy.c 2251 * library/mbedtls_md.c 2252 * library/ssl_cli.c 2253 * library/ssl_srv.c 2254 * 2255 * This module adds support for SHA-384 and SHA-512. 2256 */ 2257 #ifdef CONFIG_MBEDTLS_SHA512_C 2258 #define MBEDTLS_SHA512_C 2259 #else 2260 #undef MBEDTLS_SHA512_C 2261 #endif 2262 2263 /** 2264 * \def MBEDTLS_SSL_CACHE_C 2265 * 2266 * Enable simple SSL cache implementation. 2267 * 2268 * Module: library/ssl_cache.c 2269 * Caller: 2270 * 2271 * Requires: MBEDTLS_SSL_CACHE_C 2272 */ 2273 #define MBEDTLS_SSL_CACHE_C 2274 2275 /** 2276 * \def MBEDTLS_SSL_COOKIE_C 2277 * 2278 * Enable basic implementation of DTLS cookies for hello verification. 2279 * 2280 * Module: library/ssl_cookie.c 2281 * Caller: 2282 */ 2283 #define MBEDTLS_SSL_COOKIE_C 2284 2285 /** 2286 * \def MBEDTLS_SSL_TICKET_C 2287 * 2288 * Enable an implementation of TLS server-side callbacks for session tickets. 2289 * 2290 * Module: library/ssl_ticket.c 2291 * Caller: 2292 * 2293 * Requires: MBEDTLS_CIPHER_C 2294 */ 2295 #ifdef CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS 2296 #define MBEDTLS_SSL_TICKET_C 2297 #else 2298 #undef MBEDTLS_SSL_TICKET_C 2299 #endif 2300 2301 /** 2302 * \def MBEDTLS_SSL_CLI_C 2303 * 2304 * Enable the SSL/TLS client code. 2305 * 2306 * Module: library/ssl_cli.c 2307 * Caller: 2308 * 2309 * Requires: MBEDTLS_SSL_TLS_C 2310 * 2311 * This module is required for SSL/TLS client support. 2312 */ 2313 #ifdef CONFIG_MBEDTLS_TLS_CLIENT 2314 #define MBEDTLS_SSL_CLI_C 2315 #else 2316 #undef MBEDTLS_SSL_CLI_C 2317 #endif 2318 2319 /** 2320 * \def MBEDTLS_SSL_SRV_C 2321 * 2322 * Enable the SSL/TLS server code. 2323 * 2324 * Module: library/ssl_srv.c 2325 * Caller: 2326 * 2327 * Requires: MBEDTLS_SSL_TLS_C 2328 * 2329 * This module is required for SSL/TLS server support. 2330 */ 2331 #ifdef CONFIG_MBEDTLS_TLS_SERVER 2332 #define MBEDTLS_SSL_SRV_C 2333 #else 2334 #undef MBEDTLS_SSL_SRV_C 2335 #endif 2336 2337 /** 2338 * \def MBEDTLS_SSL_TLS_C 2339 * 2340 * Enable the generic SSL/TLS code. 2341 * 2342 * Module: library/ssl_tls.c 2343 * Caller: library/ssl_cli.c 2344 * library/ssl_srv.c 2345 * 2346 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C 2347 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines 2348 * 2349 * This module is required for SSL/TLS. 2350 */ 2351 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 2352 #define MBEDTLS_SSL_TLS_C 2353 #else 2354 #undef MBEDTLS_SSL_TLS_C 2355 #endif 2356 2357 /** 2358 * \def MBEDTLS_TIMING_C 2359 * 2360 * Enable the semi-portable timing interface. 2361 * 2362 * \note The provided implementation only works on POSIX/Unix (including Linux, 2363 * BSD and OS X) and Windows. On other platforms, you can either disable that 2364 * module and provide your own implementations of the callbacks needed by 2365 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide 2366 * your own implementation of the whole module by setting 2367 * \c MBEDTLS_TIMING_ALT in the current file. 2368 * 2369 * \note See also our Knowledge Base article about porting to a new 2370 * environment: 2371 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 2372 * 2373 * Module: library/timing.c 2374 * Caller: library/havege.c 2375 * 2376 * This module is used by the HAVEGE random number generator. 2377 */ 2378 #ifdef MBEDTLS_TIMING_C 2379 #undef MBEDTLS_TIMING_C 2380 #endif 2381 2382 /** 2383 * \def MBEDTLS_VERSION_C 2384 * 2385 * Enable run-time version information. 2386 * 2387 * Module: library/version.c 2388 * 2389 * This module provides run-time version information. 2390 */ 2391 #define MBEDTLS_VERSION_C 2392 2393 /** 2394 * \def MBEDTLS_X509_USE_C 2395 * 2396 * Enable X.509 core for using certificates. 2397 * 2398 * Module: library/x509.c 2399 * Caller: library/mbedtls_x509_crl.c 2400 * library/mbedtls_x509_crt.c 2401 * library/mbedtls_x509_csr.c 2402 * 2403 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, 2404 * MBEDTLS_PK_PARSE_C 2405 * 2406 * This module is required for the X.509 parsing modules. 2407 */ 2408 #define MBEDTLS_X509_USE_C 2409 2410 /** 2411 * \def MBEDTLS_X509_CRT_PARSE_C 2412 * 2413 * Enable X.509 certificate parsing. 2414 * 2415 * Module: library/mbedtls_x509_crt.c 2416 * Caller: library/ssl_cli.c 2417 * library/ssl_srv.c 2418 * library/ssl_tls.c 2419 * 2420 * Requires: MBEDTLS_X509_USE_C 2421 * 2422 * This module is required for X.509 certificate parsing. 2423 */ 2424 #define MBEDTLS_X509_CRT_PARSE_C 2425 2426 /** 2427 * \def MBEDTLS_X509_CRL_PARSE_C 2428 * 2429 * Enable X.509 CRL parsing. 2430 * 2431 * Module: library/mbedtls_x509_crl.c 2432 * Caller: library/mbedtls_x509_crt.c 2433 * 2434 * Requires: MBEDTLS_X509_USE_C 2435 * 2436 * This module is required for X.509 CRL parsing. 2437 */ 2438 #ifdef CONFIG_MBEDTLS_X509_CRL_PARSE_C 2439 #define MBEDTLS_X509_CRL_PARSE_C 2440 #else 2441 #undef MBEDTLS_X509_CRL_PARSE_C 2442 #endif 2443 2444 /** 2445 * \def MBEDTLS_X509_CSR_PARSE_C 2446 * 2447 * Enable X.509 Certificate Signing Request (CSR) parsing. 2448 * 2449 * Module: library/mbedtls_x509_csr.c 2450 * Caller: library/x509_crt_write.c 2451 * 2452 * Requires: MBEDTLS_X509_USE_C 2453 * 2454 * This module is used for reading X.509 certificate request. 2455 */ 2456 #ifdef CONFIG_MBEDTLS_X509_CSR_PARSE_C 2457 #define MBEDTLS_X509_CSR_PARSE_C 2458 #else 2459 #undef MBEDTLS_X509_CSR_PARSE_C 2460 #endif 2461 2462 /** 2463 * \def MBEDTLS_X509_CREATE_C 2464 * 2465 * Enable X.509 core for creating certificates. 2466 * 2467 * Module: library/x509_create.c 2468 * 2469 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C 2470 * 2471 * This module is the basis for creating X.509 certificates and CSRs. 2472 */ 2473 #define MBEDTLS_X509_CREATE_C 2474 2475 /** 2476 * \def MBEDTLS_X509_CRT_WRITE_C 2477 * 2478 * Enable creating X.509 certificates. 2479 * 2480 * Module: library/x509_crt_write.c 2481 * 2482 * Requires: MBEDTLS_X509_CREATE_C 2483 * 2484 * This module is required for X.509 certificate creation. 2485 */ 2486 #define MBEDTLS_X509_CRT_WRITE_C 2487 2488 /** 2489 * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 2490 * 2491 * Alow the X509 parser to not break-off when parsing an X509 certificate 2492 * and encountering an unknown critical extension. 2493 * 2494 * Module: library/x509_crt.c 2495 * 2496 * Requires: MBEDTLS_X509_CRT_PARSE_C 2497 * 2498 * This module is supports loading of certificates with extensions that 2499 * may not be supported by mbedtls. 2500 */ 2501 #ifdef CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT 2502 #define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 2503 #else 2504 #undef MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 2505 #endif 2506 2507 /** 2508 * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 2509 * 2510 * If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()` 2511 * and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure 2512 * the set of trusted certificates through a callback instead of a linked 2513 * list. 2514 * 2515 * This is useful for example in environments where a large number of trusted 2516 * certificates is present and storing them in a linked list isn't efficient 2517 * enough, or when the set of trusted certificates changes frequently. 2518 * 2519 * See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and 2520 * `mbedtls_ssl_conf_ca_cb()` for more information. 2521 * 2522 * Uncomment to enable trusted certificate callbacks. 2523 */ 2524 #ifdef CONFIG_MBEDTLS_X509_TRUSTED_CERT_CALLBACK 2525 #define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 2526 #else 2527 #undef MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 2528 #endif 2529 2530 /** 2531 * \def MBEDTLS_X509_CSR_WRITE_C 2532 * 2533 * Enable creating X.509 Certificate Signing Requests (CSR). 2534 * 2535 * Module: library/x509_csr_write.c 2536 * 2537 * Requires: MBEDTLS_X509_CREATE_C 2538 * 2539 * This module is required for X.509 certificate request writing. 2540 */ 2541 #define MBEDTLS_X509_CSR_WRITE_C 2542 2543 /** 2544 * \def MBEDTLS_XTEA_C 2545 * 2546 * Enable the XTEA block cipher. 2547 * 2548 * Module: library/xtea.c 2549 * Caller: 2550 */ 2551 #ifdef CONFIG_MBEDTLS_XTEA_C 2552 #define MBEDTLS_XTEA_C 2553 #else 2554 #undef MBEDTLS_XTEA_C 2555 #endif 2556 2557 /* \} name SECTION: mbed TLS modules */ 2558 2559 /** 2560 * \name SECTION: Module configuration options 2561 * 2562 * This section allows for the setting of module specific sizes and 2563 * configuration options. The default values are already present in the 2564 * relevant header files and should suffice for the regular use cases. 2565 * 2566 * Our advice is to enable options and change their values here 2567 * only if you have a good reason and know the consequences. 2568 * 2569 * Please check the respective header file for documentation on these 2570 * parameters (to prevent duplicate documentation). 2571 * \{ 2572 */ 2573 2574 /* SSL options */ 2575 #ifndef CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN 2576 2577 #define MBEDTLS_SSL_MAX_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ 2578 2579 #else 2580 2581 /** \def MBEDTLS_SSL_IN_CONTENT_LEN 2582 * 2583 * Maximum incoming fragment length in bytes. 2584 * 2585 * Uncomment to set the size of the inward TLS buffer independently of the 2586 * outward buffer. 2587 */ 2588 #define MBEDTLS_SSL_IN_CONTENT_LEN CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN 2589 2590 /** \def MBEDTLS_SSL_CID_IN_LEN_MAX 2591 * 2592 * The maximum length of CIDs used for incoming DTLS messages. 2593 * 2594 */ 2595 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID 2596 #define MBEDTLS_SSL_CID_IN_LEN_MAX CONFIG_MBEDTLS_SSL_CID_IN_LEN_MAX 2597 #else 2598 #undef MBEDTLS_SSL_CID_IN_LEN_MAX 2599 #endif 2600 2601 2602 /** \def MBEDTLS_SSL_CID_OUT_LEN_MAX 2603 * 2604 * The maximum length of CIDs used for outgoing DTLS messages. 2605 * 2606 */ 2607 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID 2608 #define MBEDTLS_SSL_CID_OUT_LEN_MAX CONFIG_MBEDTLS_SSL_CID_OUT_LEN_MAX 2609 #else 2610 #undef MBEDTLS_SSL_CID_OUT_LEN_MAX 2611 #endif 2612 2613 /** \def MBEDTLS_SSL_CID_PADDING_GRANULARITY 2614 * 2615 * This option controls the use of record plaintext padding 2616 * when using the Connection ID extension in DTLS 1.2. 2617 * 2618 * The padding will always be chosen so that the length of the 2619 * padded plaintext is a multiple of the value of this option. 2620 * 2621 * Note: A value of \c 1 means that no padding will be used 2622 * for outgoing records. 2623 * 2624 * Note: On systems lacking division instructions, 2625 * a power of two should be preferred. 2626 * 2627 */ 2628 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID 2629 #define MBEDTLS_SSL_CID_PADDING_GRANULARITY CONFIG_MBEDTLS_SSL_CID_PADDING_GRANULARITY 2630 #else 2631 #undef MBEDTLS_SSL_CID_PADDING_GRANULARITY 2632 #endif 2633 2634 2635 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN 2636 * 2637 * Maximum outgoing fragment length in bytes. 2638 * 2639 * Uncomment to set the size of the outward TLS buffer independently of the 2640 * inward buffer. 2641 * 2642 * It is possible to save RAM by setting a smaller outward buffer, while keeping 2643 * the default inward 16384 byte buffer to conform to the TLS specification. 2644 * 2645 * The minimum required outward buffer size is determined by the handshake 2646 * protocol's usage. Handshaking will fail if the outward buffer is too small. 2647 * The specific size requirement depends on the configured ciphers and any 2648 * certificate data which is sent during the handshake. 2649 * 2650 * For absolute minimum RAM usage, it's best to enable 2651 * MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This 2652 * reduces both incoming and outgoing buffer sizes. However this is only 2653 * guaranteed if the other end of the connection also supports the TLS 2654 * max_fragment_len extension. Otherwise the connection may fail. 2655 */ 2656 #define MBEDTLS_SSL_OUT_CONTENT_LEN CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN 2657 2658 #endif /* !CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN */ 2659 2660 /** 2661 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake 2662 * signature and ciphersuite selection. Without this build-time option, SHA-1 2663 * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes. 2664 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by 2665 * default. At the time of writing, there is no practical attack on the use 2666 * of SHA-1 in handshake signatures, hence this option is turned on by default 2667 * for compatibility with existing peers. 2668 * 2669 * \warning SHA-1 is considered a weak message digest and its use constitutes 2670 * a security risk. If possible, we recommend avoiding dependencies 2671 * on it, and considering stronger message digests instead. 2672 */ 2673 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE 2674 2675 /** 2676 * \def MBEDTLS_THREADING_C 2677 * 2678 * Enable the threading abstraction layer. 2679 * By default mbed TLS assumes it is used in a non-threaded environment or that 2680 * contexts are not shared between threads. If you do intend to use contexts 2681 * between threads, you will need to enable this layer to prevent race 2682 * conditions. See also our Knowledge Base article about threading: 2683 * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading 2684 * 2685 * Module: library/threading.c 2686 * 2687 * This allows different threading implementations (self-implemented or 2688 * provided). 2689 * 2690 * You will have to enable either MBEDTLS_THREADING_ALT or 2691 * MBEDTLS_THREADING_PTHREAD. 2692 * 2693 * Enable this layer to allow use of mutexes within mbed TLS 2694 */ 2695 #ifdef CONFIG_MBEDTLS_THREADING_C 2696 #define MBEDTLS_THREADING_C 2697 #else 2698 #undef MBEDTLS_THREADING_C 2699 #endif 2700 2701 /** 2702 * \def MBEDTLS_THREADING_ALT 2703 * 2704 * Provide your own alternate threading implementation. 2705 * 2706 * Requires: MBEDTLS_THREADING_C 2707 * 2708 * Uncomment this to allow your own alternate threading implementation. 2709 */ 2710 #ifdef CONFIG_MBEDTLS_THREADING_ALT 2711 #define MBEDTLS_THREADING_ALT 2712 #else 2713 #undef MBEDTLS_THREADING_ALT 2714 #endif 2715 2716 /** 2717 * \def MBEDTLS_THREADING_PTHREAD 2718 * 2719 * Enable the pthread wrapper layer for the threading layer. 2720 * 2721 * Requires: MBEDTLS_THREADING_C 2722 * 2723 * Uncomment this to enable pthread mutexes. 2724 */ 2725 #ifdef CONFIG_MBEDTLS_THREADING_PTHREAD 2726 #define MBEDTLS_THREADING_PTHREAD 2727 #else 2728 #undef MBEDTLS_THREADING_PTHREAD 2729 #endif 2730 2731 /** 2732 * \def MBEDTLS_NIST_KW_C 2733 * 2734 * Enable AES key wrapping as per NIST 2735 * 2736 * Requires: MBEDTLS_AES_C 2737 * 2738 * Uncomment this to enable aes key wrap. 2739 */ 2740 #ifdef CONFIG_MBEDTLS_NIST_KW_C 2741 #define MBEDTLS_NIST_KW_C 2742 #else 2743 #undef MBEDTLS_NIST_KW_C 2744 #endif 2745 2746 /* \} name SECTION: Module configuration options */ 2747 2748 #if defined(TARGET_LIKE_MBED) 2749 #include "mbedtls/target_config.h" 2750 #endif 2751 2752 /* 2753 * Allow user to override any previous default. 2754 * 2755 * Use two macro names for that, as: 2756 * - with yotta the prefix YOTTA_CFG_ is forced 2757 * - without yotta is looks weird to have a YOTTA prefix. 2758 */ 2759 #if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE) 2760 #include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE 2761 #elif defined(MBEDTLS_USER_CONFIG_FILE) 2762 #include MBEDTLS_USER_CONFIG_FILE 2763 #endif 2764 2765 #include "mbedtls/check_config.h" 2766 2767 #endif /* MBEDTLS_CONFIG_H */ 2768
