1 /** 2 * 3 * \brief Default mbedTLS configuration options for ESP-IDF 4 * 5 * This set of compile-time options may be used to enable 6 * or disable features selectively, and reduce the global 7 * memory footprint. 8 */ 9 /* 10 * Copyright The Mbed TLS Contributors 11 * SPDX-License-Identifier: Apache-2.0 12 * 13 * This set of compile-time options may be used to enable 14 * or disable features selectively, and reduce the global 15 * memory footprint. 16 * 17 * SPDX-FileCopyrightText: The Mbed TLS Contributors 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 */ 25 #ifndef ESP_CONFIG_H 26 #define ESP_CONFIG_H 27 28 #include "sdkconfig.h" 29 #include "mbedtls/mbedtls_config.h" 30 #include "soc/soc_caps.h" 31 32 /** 33 * \name SECTION: System support 34 * 35 * This section sets system specific settings. 36 * \{ 37 */ 38 39 /** 40 * \def MBEDTLS_HAVE_TIME 41 * 42 * System has time.h and time(). 43 * The time does not need to be correct, only time differences are used, 44 * by contrast with MBEDTLS_HAVE_TIME_DATE 45 * 46 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, 47 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and 48 * MBEDTLS_PLATFORM_STD_TIME. 49 * 50 * Comment if your system does not support time functions. 51 * 52 * \note If MBEDTLS_TIMING_C is set - to enable the semi-portable timing 53 * interface - timing.c will include time.h on suitable platforms 54 * regardless of the setting of MBEDTLS_HAVE_TIME, unless 55 * MBEDTLS_TIMING_ALT is used. See timing.c for more information. 56 */ 57 #ifdef CONFIG_MBEDTLS_HAVE_TIME 58 #define MBEDTLS_HAVE_TIME 59 /** 60 * \def MBEDTLS_PLATFORM_MS_TIME_ALT 61 * 62 * Define platform specific function to get time since bootup in milliseconds. 63 */ 64 #define MBEDTLS_PLATFORM_MS_TIME_ALT 65 #else 66 #undef MBEDTLS_HAVE_TIME 67 #undef MBEDTLS_PLATFORM_MS_TIME_ALT 68 #endif 69 70 /** 71 * \def MBEDTLS_HAVE_TIME_DATE 72 * 73 * System has time.h and time(), gmtime() and the clock is correct. 74 * The time needs to be correct (not necessarily very accurate, but at least 75 * the date should be correct). This is used to verify the validity period of 76 * X.509 certificates. 77 * 78 * Comment if your system does not have a correct clock. 79 */ 80 #ifdef CONFIG_MBEDTLS_HAVE_TIME_DATE 81 #define MBEDTLS_HAVE_TIME_DATE 82 #else 83 #undef MBEDTLS_HAVE_TIME_DATE 84 #endif 85 86 87 /** 88 * \def MBEDTLS_PLATFORM_TIME_ALT 89 * 90 * mbed TLS will provide a function "mbedtls_platform_set_time()" 91 * that allows you to set an alternative time function pointer. 92 * 93 * All these define require MBEDTLS_PLATFORM_C to be defined! 94 * 95 * \warning MBEDTLS_PLATFORM_TIME_ALT cannot be defined at the same time as 96 * MBEDTLS_PLATFORM_TIME_MACRO! 97 * 98 * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME 99 */ 100 #ifdef CONFIG_MBEDTLS_PLATFORM_TIME_ALT 101 #define MBEDTLS_PLATFORM_TIME_ALT 102 #else 103 #undef MBEDTLS_PLATFORM_TIME_ALT 104 #endif 105 106 /** 107 * \def MBEDTLS_PLATFORM_MEMORY 108 * 109 * Enable the memory allocation layer. 110 * 111 * By default mbed TLS uses the system-provided calloc() and free(). 112 * This allows different allocators (self-implemented or provided) to be 113 * provided to the platform abstraction layer. 114 * 115 * Enabling MBEDTLS_PLATFORM_MEMORY without the 116 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 117 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 118 * free() function pointer at runtime. 119 * 120 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 121 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 122 * alternate function at compile time. 123 * 124 * Requires: MBEDTLS_PLATFORM_C 125 * 126 * Enable this layer to allow use of alternative memory allocators. 127 */ 128 #define MBEDTLS_PLATFORM_MEMORY 129 130 /** Override calloc(), free() except for case where memory allocation scheme is not set to custom */ 131 #ifndef CONFIG_MBEDTLS_CUSTOM_MEM_ALLOC 132 #include "esp_mem.h" 133 #define MBEDTLS_PLATFORM_STD_CALLOC esp_mbedtls_mem_calloc 134 #define MBEDTLS_PLATFORM_STD_FREE esp_mbedtls_mem_free 135 #endif 136 137 /* \} name SECTION: System support */ 138 139 /** 140 * \name SECTION: mbed TLS feature support 141 * 142 * This section sets support for features that are or are not needed 143 * within the modules that are enabled. 144 * \{ 145 */ 146 147 /* The following units have ESP32 hardware support, 148 uncommenting each _ALT macro will use the 149 hardware-accelerated implementation. */ 150 #ifdef CONFIG_MBEDTLS_HARDWARE_AES 151 #define MBEDTLS_AES_ALT 152 #else 153 #undef MBEDTLS_AES_ALT 154 #endif 155 156 #ifdef CONFIG_MBEDTLS_HARDWARE_AES 157 #define MBEDTLS_GCM_ALT 158 #ifdef CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER 159 /* Prefer hardware and fallback to software */ 160 #define MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK 161 #else 162 #undef MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK 163 #endif 164 #endif 165 166 /* MBEDTLS_SHAxx_ALT to enable hardware SHA support 167 with software fallback. 168 */ 169 #ifdef CONFIG_MBEDTLS_HARDWARE_SHA 170 #define MBEDTLS_SHA1_ALT 171 #define MBEDTLS_SHA256_ALT 172 173 #if SOC_SHA_SUPPORT_SHA512 174 #define MBEDTLS_SHA512_ALT 175 #else 176 #undef MBEDTLS_SHA512_ALT 177 #endif 178 179 #else 180 #undef MBEDTLS_SHA1_ALT 181 #undef MBEDTLS_SHA256_ALT 182 #undef MBEDTLS_SHA512_ALT 183 #endif 184 185 /* MBEDTLS_MDx_ALT to enable ROM MD support 186 with software fallback. 187 */ 188 #ifdef CONFIG_MBEDTLS_ROM_MD5 189 #define MBEDTLS_MD5_ALT 190 #else 191 #undef MBEDTLS_MD5_ALT 192 #endif 193 194 /* The following MPI (bignum) functions have hardware support. 195 * Uncommenting these macros will use the hardware-accelerated 196 * implementations. 197 */ 198 #ifdef CONFIG_MBEDTLS_HARDWARE_MPI 199 #ifdef CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI 200 /* Prefer hardware and fallback to software */ 201 #define MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK 202 #else 203 /* Hardware only mode */ 204 #define MBEDTLS_MPI_EXP_MOD_ALT 205 #endif 206 #define MBEDTLS_MPI_MUL_MPI_ALT 207 #else 208 #undef MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK 209 #undef MBEDTLS_MPI_EXP_MOD_ALT 210 #undef MBEDTLS_MPI_MUL_MPI_ALT 211 #endif 212 213 #ifdef CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN 214 #define MBEDTLS_ECDSA_SIGN_ALT 215 #endif 216 217 #ifdef CONFIG_MBEDTLS_ATCA_HW_ECDSA_VERIFY 218 #define MBEDTLS_ECDSA_VERIFY_ALT 219 #endif 220 221 #ifdef CONFIG_MBEDTLS_HARDWARE_ECC 222 #ifdef CONFIG_MBEDTLS_ECC_OTHER_CURVES_SOFT_FALLBACK 223 /* Use hardware accelerator for SECP192R1 and SECP256R1 curves, 224 * software implementation for rest of the curves 225 */ 226 #define MBEDTLS_ECP_MUL_ALT_SOFT_FALLBACK 227 #define MBEDTLS_ECP_VERIFY_ALT_SOFT_FALLBACK 228 #else 229 /* Only hardware accelerator support */ 230 #define MBEDTLS_ECP_MUL_ALT 231 #define MBEDTLS_ECP_VERIFY_ALT 232 #endif 233 234 #else 235 #undef MBEDTLS_ECP_MUL_ALT 236 #undef MBEDTLS_ECP_MUL_ALT_SOFT_FALLBACK 237 #undef MBEDTLS_ECP_VERIFY_ALT 238 #undef MBEDTLS_ECP_VERIFY_ALT_SOFT_FALLBACK 239 #endif 240 241 /** 242 * \def MBEDTLS_ENTROPY_HARDWARE_ALT 243 * 244 * Uncomment this macro to let mbed TLS use your own implementation of a 245 * hardware entropy collector. 246 * 247 * Your function must be called \c mbedtls_hardware_poll(), have the same 248 * prototype as declared in entropy_poll.h, and accept NULL as first argument. 249 * 250 * Uncomment to use your own hardware entropy collector. 251 */ 252 #define MBEDTLS_ENTROPY_HARDWARE_ALT 253 254 /** 255 * \def MBEDTLS_AES_ROM_TABLES 256 * 257 * Store the AES tables in ROM. 258 * 259 * Uncomment this macro to store the AES tables in ROM. 260 */ 261 #define MBEDTLS_AES_ROM_TABLES 262 263 /** 264 * \def MBEDTLS_CIPHER_MODE_CBC 265 * 266 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. 267 */ 268 #define MBEDTLS_CIPHER_MODE_CBC 269 270 /** 271 * \def MBEDTLS_CIPHER_MODE_CFB 272 * 273 * Enable Cipher Feedback mode (CFB) for symmetric ciphers. 274 */ 275 #define MBEDTLS_CIPHER_MODE_CFB 276 277 /** 278 * \def MBEDTLS_CIPHER_MODE_CTR 279 * 280 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. 281 */ 282 #define MBEDTLS_CIPHER_MODE_CTR 283 284 /** 285 * \def MBEDTLS_CIPHER_MODE_OFB 286 * 287 * Enable Output Feedback mode (OFB) for symmetric ciphers. 288 */ 289 #define MBEDTLS_CIPHER_MODE_OFB 290 291 /** 292 * \def MBEDTLS_CIPHER_MODE_XTS 293 * 294 * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. 295 */ 296 #define MBEDTLS_CIPHER_MODE_XTS 297 298 /** 299 * \def MBEDTLS_CIPHER_PADDING_PKCS7 300 * 301 * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for 302 * specific padding modes in the cipher layer with cipher modes that support 303 * padding (e.g. CBC) 304 * 305 * If you disable all padding modes, only full blocks can be used with CBC. 306 * 307 * Enable padding modes in the cipher layer. 308 */ 309 #define MBEDTLS_CIPHER_PADDING_PKCS7 310 #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS 311 #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN 312 #define MBEDTLS_CIPHER_PADDING_ZEROS 313 314 /** 315 * \def MBEDTLS_ECP_RESTARTABLE 316 * 317 * Enable "non-blocking" ECC operations that can return early and be resumed. 318 * 319 * This allows various functions to pause by returning 320 * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module, 321 * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in 322 * order to further progress and eventually complete their operation. This is 323 * controlled through mbedtls_ecp_set_max_ops() which limits the maximum 324 * number of ECC operations a function may perform before pausing; see 325 * mbedtls_ecp_set_max_ops() for more information. 326 * 327 * This is useful in non-threaded environments if you want to avoid blocking 328 * for too long on ECC (and, hence, X.509 or SSL/TLS) operations. 329 * 330 * This option: 331 * - Adds xxx_restartable() variants of existing operations in the 332 * following modules, with corresponding restart context types: 333 * - ECP (for Short Weierstrass curves only): scalar multiplication (mul), 334 * linear combination (muladd); 335 * - ECDSA: signature generation & verification; 336 * - PK: signature generation & verification; 337 * - X509: certificate chain verification. 338 * - Adds mbedtls_ecdh_enable_restart() in the ECDH module. 339 * - Changes the behaviour of TLS 1.2 clients (not servers) when using the 340 * ECDHE-ECDSA key exchange (not other key exchanges) to make all ECC 341 * computations restartable: 342 * - ECDH operations from the key exchange, only for Short Weierstrass 343 * curves, only when MBEDTLS_USE_PSA_CRYPTO is not enabled. 344 * - verification of the server's key exchange signature; 345 * - verification of the server's certificate chain; 346 * - generation of the client's signature if client authentication is used, 347 * with an ECC key/certificate. 348 * 349 * \note In the cases above, the usual SSL/TLS functions, such as 350 * mbedtls_ssl_handshake(), can now return 351 * MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS. 352 * 353 * \note This option only works with the default software implementation of 354 * elliptic curve functionality. It is incompatible with 355 * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT. 356 * 357 * Requires: MBEDTLS_ECP_C 358 * 359 * Uncomment this macro to enable restartable ECC computations. 360 */ 361 #ifdef CONFIG_MBEDTLS_ECP_RESTARTABLE 362 #define MBEDTLS_ECP_RESTARTABLE 363 #endif 364 365 /** 366 * \def MBEDTLS_ECDH_LEGACY_CONTEXT 367 * 368 * Use a backward compatible ECDH context. 369 * 370 * Mbed TLS supports two formats for ECDH contexts (#mbedtls_ecdh_context 371 * defined in `ecdh.h`). For most applications, the choice of format makes 372 * no difference, since all library functions can work with either format, 373 * except that the new format is incompatible with MBEDTLS_ECP_RESTARTABLE. 374 375 * The new format used when this option is disabled is smaller 376 * (56 bytes on a 32-bit platform). In future versions of the library, it 377 * will support alternative implementations of ECDH operations. 378 * The new format is incompatible with applications that access 379 * context fields directly and with restartable ECP operations. 380 * 381 * Define this macro if you enable MBEDTLS_ECP_RESTARTABLE or if you 382 * want to access ECDH context fields directly. Otherwise you should 383 * comment out this macro definition. 384 * 385 * This option has no effect if #MBEDTLS_ECDH_C is not enabled. 386 * 387 * \note This configuration option is experimental. Future versions of the 388 * library may modify the way the ECDH context layout is configured 389 * and may modify the layout of the new context type. 390 */ 391 #ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT 392 #define MBEDTLS_ECDH_LEGACY_CONTEXT 393 #endif 394 395 /** 396 * \def MBEDTLS_CMAC_C 397 * 398 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block 399 * ciphers. 400 * 401 * \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying 402 * implementation of the CMAC algorithm is provided by an alternate 403 * implementation, that alternate implementation may opt to not support 404 * AES-192 or 3DES as underlying block ciphers for the CMAC operation. 405 * 406 * Module: library/cmac.c 407 * 408 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C 409 * 410 */ 411 #ifdef CONFIG_MBEDTLS_CMAC_C 412 #define MBEDTLS_CMAC_C 413 #endif 414 415 /** 416 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED 417 * 418 * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve 419 * module. By default all supported curves are enabled. 420 * 421 * Comment macros to disable the curve and functions for it 422 */ 423 /* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */ 424 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED 425 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED 426 #else 427 #undef MBEDTLS_ECP_DP_SECP192R1_ENABLED 428 #endif 429 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED 430 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED 431 #else 432 #undef MBEDTLS_ECP_DP_SECP224R1_ENABLED 433 #endif 434 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED 435 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED 436 #else 437 #undef MBEDTLS_ECP_DP_SECP256R1_ENABLED 438 #endif 439 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED 440 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED 441 #else 442 #undef MBEDTLS_ECP_DP_SECP384R1_ENABLED 443 #endif 444 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED 445 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED 446 #else 447 #undef MBEDTLS_ECP_DP_SECP521R1_ENABLED 448 #endif 449 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED 450 #define MBEDTLS_ECP_DP_SECP192K1_ENABLED 451 #else 452 #undef MBEDTLS_ECP_DP_SECP192K1_ENABLED 453 #endif 454 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED 455 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED 456 #else 457 #undef MBEDTLS_ECP_DP_SECP224K1_ENABLED 458 #endif 459 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED 460 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED 461 #else 462 #undef MBEDTLS_ECP_DP_SECP256K1_ENABLED 463 #endif 464 #ifdef CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED 465 #define MBEDTLS_ECP_DP_BP256R1_ENABLED 466 #else 467 #undef MBEDTLS_ECP_DP_BP256R1_ENABLED 468 #endif 469 #ifdef CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED 470 #define MBEDTLS_ECP_DP_BP384R1_ENABLED 471 #else 472 #undef MBEDTLS_ECP_DP_BP384R1_ENABLED 473 #endif 474 #ifdef CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED 475 #define MBEDTLS_ECP_DP_BP512R1_ENABLED 476 #else 477 #undef MBEDTLS_ECP_DP_BP512R1_ENABLED 478 #endif 479 /* Montgomery curves (supporting ECP) */ 480 #ifdef CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED 481 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED 482 #else 483 #undef MBEDTLS_ECP_DP_CURVE25519_ENABLED 484 #endif 485 #ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED 486 #undef MBEDTLS_ECP_DP_CURVE448_ENABLED 487 #endif 488 489 /** 490 * \def MBEDTLS_ECP_NIST_OPTIM 491 * 492 * Enable specific 'modulo p' routines for each NIST prime. 493 * Depending on the prime and architecture, makes operations 4 to 8 times 494 * faster on the corresponding curve. 495 * 496 * Comment this macro to disable NIST curves optimisation. 497 */ 498 #ifdef CONFIG_MBEDTLS_ECP_NIST_OPTIM 499 #define MBEDTLS_ECP_NIST_OPTIM 500 #else 501 #undef MBEDTLS_ECP_NIST_OPTIM 502 #endif 503 504 /** 505 * \def MBEDTLS_ECP_FIXED_POINT_OPTIM 506 * 507 * Enable speed up fixed-point multiplication. 508 * 509 * Comment this macro to disable FIXED POINT curves optimisation. 510 */ 511 #ifdef CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM 512 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 513 #else 514 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 515 #endif 516 517 /** 518 * \def MBEDTLS_ECDSA_DETERMINISTIC 519 * 520 * Enable deterministic ECDSA (RFC 6979). 521 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing 522 * may result in a compromise of the long-term signing key. This is avoided by 523 * the deterministic variant. 524 * 525 * Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C 526 * 527 * Comment this macro to disable deterministic ECDSA. 528 */ 529 #ifdef CONFIG_MBEDTLS_ECDSA_DETERMINISTIC 530 #define MBEDTLS_ECDSA_DETERMINISTIC 531 #else 532 #undef MBEDTLS_ECDSA_DETERMINISTIC 533 #endif 534 535 /** 536 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 537 * 538 * Enable the PSK based ciphersuite modes in SSL / TLS. 539 * 540 * This enables the following ciphersuites (if other requisites are 541 * enabled as well): 542 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 543 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 544 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 545 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 546 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 547 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 548 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 549 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 550 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 551 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 552 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 553 */ 554 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_PSK 555 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 556 #else 557 #undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 558 #endif 559 560 /** 561 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 562 * 563 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS. 564 * 565 * Requires: MBEDTLS_DHM_C 566 * 567 * This enables the following ciphersuites (if other requisites are 568 * enabled as well): 569 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 570 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 571 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 572 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 573 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 574 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 575 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 576 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 577 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 578 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 579 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 580 */ 581 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK 582 #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 583 #else 584 #undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 585 #endif 586 587 /** 588 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 589 * 590 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. 591 * 592 * Requires: MBEDTLS_ECDH_C 593 * 594 * This enables the following ciphersuites (if other requisites are 595 * enabled as well): 596 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 597 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 598 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 599 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 600 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 601 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 602 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 603 */ 604 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK 605 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 606 #else 607 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 608 #endif 609 610 /** 611 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 612 * 613 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS. 614 * 615 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 616 * MBEDTLS_X509_CRT_PARSE_C 617 * 618 * This enables the following ciphersuites (if other requisites are 619 * enabled as well): 620 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 621 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 622 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 623 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 624 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 625 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 626 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 627 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 628 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 629 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 630 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 631 */ 632 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK 633 #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 634 #else 635 #undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 636 #endif 637 638 /** 639 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 640 * 641 * Enable the RSA-only based ciphersuite modes in SSL / TLS. 642 * 643 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 644 * MBEDTLS_X509_CRT_PARSE_C 645 * 646 * This enables the following ciphersuites (if other requisites are 647 * enabled as well): 648 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 649 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 650 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 651 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 652 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 653 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 654 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 655 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 656 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 657 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 658 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 659 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 660 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 661 */ 662 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA 663 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 664 #else 665 #undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 666 #endif 667 668 /** 669 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 670 * 671 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS. 672 * 673 * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 674 * MBEDTLS_X509_CRT_PARSE_C 675 * 676 * This enables the following ciphersuites (if other requisites are 677 * enabled as well): 678 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 679 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 680 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 681 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 682 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 683 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 684 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 685 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 686 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 687 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 688 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 689 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 690 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 691 */ 692 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA 693 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 694 #else 695 #undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 696 #endif 697 698 /** 699 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 700 * 701 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. 702 * 703 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 704 * MBEDTLS_X509_CRT_PARSE_C 705 * 706 * This enables the following ciphersuites (if other requisites are 707 * enabled as well): 708 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 709 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 710 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 711 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 712 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 713 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 714 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 715 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 716 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 717 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 718 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 719 */ 720 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA 721 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 722 #else 723 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 724 #endif 725 726 /** 727 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 728 * 729 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. 730 * 731 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C, 732 * 733 * This enables the following ciphersuites (if other requisites are 734 * enabled as well): 735 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 736 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 737 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 738 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 739 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 740 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 741 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 742 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 743 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 744 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 745 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 746 */ 747 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA 748 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 749 #else 750 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 751 #endif 752 753 /** 754 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 755 * 756 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. 757 * 758 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C 759 * 760 * This enables the following ciphersuites (if other requisites are 761 * enabled as well): 762 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 763 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 764 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 765 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 766 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 767 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 768 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 769 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 770 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 771 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 772 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 773 */ 774 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA 775 #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 776 #else 777 #undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 778 #endif 779 780 /** 781 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 782 * 783 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. 784 * 785 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_X509_CRT_PARSE_C 786 * 787 * This enables the following ciphersuites (if other requisites are 788 * enabled as well): 789 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 790 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 791 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 792 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 793 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 794 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 795 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 796 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 797 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 798 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 799 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 800 */ 801 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA 802 #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 803 #else 804 #undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 805 #endif 806 807 /** 808 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 809 * 810 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. 811 * 812 * \warning This is currently experimental. EC J-PAKE support is based on the 813 * Thread v1.0.0 specification; incompatible changes to the specification 814 * might still happen. For this reason, this is disabled by default. 815 * 816 * Requires: MBEDTLS_ECJPAKE_C 817 * MBEDTLS_SHA256_C 818 * MBEDTLS_ECP_DP_SECP256R1_ENABLED 819 * 820 * This enables the following ciphersuites (if other requisites are 821 * enabled as well): 822 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 823 */ 824 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE 825 #define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 826 #else 827 #undef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 828 #endif 829 830 /** 831 * \def MBEDTLS_PK_PARSE_EC_EXTENDED 832 * 833 * Enhance support for reading EC keys using variants of SEC1 not allowed by 834 * RFC 5915 and RFC 5480. 835 * 836 * Currently this means parsing the SpecifiedECDomain choice of EC 837 * parameters (only known groups are supported, not arbitrary domains, to 838 * avoid validation issues). 839 * 840 * Disable if you only need to support RFC 5915 + 5480 key formats. 841 */ 842 #define MBEDTLS_PK_PARSE_EC_EXTENDED 843 844 /** 845 * \def MBEDTLS_ERROR_STRERROR_DUMMY 846 * 847 * Enable a dummy error function to make use of mbedtls_strerror() in 848 * third party libraries easier when MBEDTLS_ERROR_C is disabled 849 * (no effect when MBEDTLS_ERROR_C is enabled). 850 * 851 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're 852 * not using mbedtls_strerror() or error_strerror() in your application. 853 * 854 * Disable if you run into name conflicts and want to really remove the 855 * mbedtls_strerror() 856 */ 857 #define MBEDTLS_ERROR_STRERROR_DUMMY 858 859 /** 860 * \def MBEDTLS_GENPRIME 861 * 862 * Enable the prime-number generation code. 863 * 864 * Requires: MBEDTLS_BIGNUM_C 865 */ 866 #define MBEDTLS_GENPRIME 867 868 /** 869 * \def MBEDTLS_FS_IO 870 * 871 * Enable functions that use the filesystem. 872 */ 873 #define MBEDTLS_FS_IO 874 875 /** 876 * \def MBEDTLS_NO_PLATFORM_ENTROPY 877 * 878 * Do not use built-in platform entropy functions. 879 * This is useful if your platform does not support 880 * standards like the /dev/urandom or Windows CryptoAPI. 881 * 882 * Uncomment this macro to disable the built-in platform entropy functions. 883 */ 884 #define MBEDTLS_NO_PLATFORM_ENTROPY 885 886 /** 887 * \def MBEDTLS_PK_RSA_ALT_SUPPORT 888 * 889 * Support external private RSA keys (eg from a HSM) in the PK layer. 890 * 891 * Comment this macro to disable support for external private RSA keys. 892 */ 893 #define MBEDTLS_PK_RSA_ALT_SUPPORT 894 895 /** 896 * \def MBEDTLS_PKCS1_V15 897 * 898 * Enable support for PKCS#1 v1.5 encoding. 899 * 900 * Requires: MBEDTLS_RSA_C 901 * 902 * This enables support for PKCS#1 v1.5 operations. 903 */ 904 #define MBEDTLS_PKCS1_V15 905 906 /** 907 * \def MBEDTLS_PKCS1_V21 908 * 909 * Enable support for PKCS#1 v2.1 encoding. 910 * 911 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C 912 * 913 * This enables support for RSAES-OAEP and RSASSA-PSS operations. 914 */ 915 #define MBEDTLS_PKCS1_V21 916 917 /** 918 * \def MBEDTLS_SELF_TEST 919 * 920 * Enable the checkup functions (*_self_test). 921 */ 922 #define MBEDTLS_SELF_TEST 923 924 /** 925 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES 926 * 927 * Enable sending of alert messages in case of encountered errors as per RFC. 928 * If you choose not to send the alert messages, mbed TLS can still communicate 929 * with other servers, only debugging of failures is harder. 930 * 931 * The advantage of not sending alert messages, is that no information is given 932 * about reasons for failures thus preventing adversaries of gaining intel. 933 * 934 * Enable sending of all alert messages 935 */ 936 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES 937 938 /** 939 * \def MBEDTLS_SSL_DTLS_CONNECTION_ID 940 * 941 * Enable support for the DTLS Connection ID (CID) extension, 942 * which allows to identify DTLS connections across changes 943 * in the underlying transport. The CID functionality is described 944 * in RFC 9146. 945 * 946 * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, 947 * mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and 948 * `mbedtls_ssl_conf_cid()`. See the corresponding documentation for 949 * more information. 950 * 951 * The maximum lengths of outgoing and incoming CIDs can be configured 952 * through the options 953 * - MBEDTLS_SSL_CID_OUT_LEN_MAX 954 * - MBEDTLS_SSL_CID_IN_LEN_MAX. 955 * 956 * Requires: MBEDTLS_SSL_PROTO_DTLS 957 * 958 * Uncomment to enable the Connection ID extension. 959 */ 960 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID 961 #define MBEDTLS_SSL_DTLS_CONNECTION_ID 962 #else 963 #undef MBEDTLS_SSL_DTLS_CONNECTION_ID 964 #endif 965 966 /** 967 * \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 968 * 969 * Defines whether RFC 9146 (default) or the legacy version 970 * (version draft-ietf-tls-dtls-connection-id-05, 971 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) 972 * is used. 973 * 974 * Set the value to 0 for the standard version, and 975 * 1 for the legacy draft version. 976 * 977 * \deprecated Support for the legacy version of the DTLS 978 * Connection ID feature is deprecated. Please 979 * switch to the standardized version defined 980 * in RFC 9146 enabled by utilizing 981 * MBEDTLS_SSL_DTLS_CONNECTION_ID without use 982 * of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT. 983 * 984 * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID 985 */ 986 #undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 987 988 /** 989 * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION 990 * 991 * Enable serialization of the TLS context structures, through use of the 992 * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load(). 993 * 994 * This pair of functions allows one side of a connection to serialize the 995 * context associated with the connection, then free or reuse that context 996 * while the serialized state is persisted elsewhere, and finally deserialize 997 * that state to a live context for resuming read/write operations on the 998 * connection. From a protocol perspective, the state of the connection is 999 * unaffected, in particular this is entirely transparent to the peer. 1000 * 1001 * Note: this is distinct from TLS session resumption, which is part of the 1002 * protocol and fully visible by the peer. TLS session resumption enables 1003 * establishing new connections associated to a saved session with shorter, 1004 * lighter handshakes, while context serialization is a local optimization in 1005 * handling a single, potentially long-lived connection. 1006 * 1007 * Enabling these APIs makes some SSL structures larger, as 64 extra bytes are 1008 * saved after the handshake to allow for more efficient serialization, so if 1009 * you don't need this feature you'll save RAM by disabling it. 1010 * 1011 * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C 1012 * 1013 * Comment to disable the context serialization APIs. 1014 */ 1015 #ifdef CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION 1016 #define MBEDTLS_SSL_CONTEXT_SERIALIZATION 1017 #else 1018 #undef MBEDTLS_SSL_CONTEXT_SERIALIZATION 1019 #endif 1020 1021 /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC 1022 * 1023 * Enable support for Encrypt-then-MAC, RFC 7366. 1024 * 1025 * This allows peers that both support it to use a more robust protection for 1026 * ciphersuites using CBC, providing deep resistance against timing attacks 1027 * on the padding or underlying cipher. 1028 * 1029 * This only affects CBC ciphersuites, and is useless if none is defined. 1030 * 1031 * Requires: MBEDTLS_SSL_PROTO_TLS1_2 1032 * 1033 * Comment this macro to disable support for Encrypt-then-MAC 1034 */ 1035 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 1036 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC 1037 #else 1038 #undef MBEDTLS_SSL_ENCRYPT_THEN_MAC 1039 #endif 1040 1041 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET 1042 * 1043 * Enable support for RFC 7627: Session Hash and Extended Master Secret 1044 * Extension. 1045 * 1046 * This was introduced as "the proper fix" to the Triple Handshake family of 1047 * attacks, but it is recommended to always use it (even if you disable 1048 * renegotiation), since it actually fixes a more fundamental issue in the 1049 * original SSL/TLS design, and has implications beyond Triple Handshake. 1050 * 1051 * Requires: MBEDTLS_SSL_PROTO_TLS1_2 1052 * 1053 * Comment this macro to disable support for Extended Master Secret. 1054 */ 1055 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 1056 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET 1057 #else 1058 #undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET 1059 #endif 1060 1061 /** 1062 * \def MBEDTLS_SSL_FALLBACK_SCSV 1063 * 1064 * Enable support for RFC 7507: Fallback Signaling Cipher Suite Value (SCSV) 1065 * for Preventing Protocol Downgrade Attacks. 1066 * 1067 * For servers, it is recommended to always enable this, unless you support 1068 * only one version of TLS, or know for sure that none of your clients 1069 * implements a fallback strategy. 1070 * 1071 * For clients, you only need this if you're using a fallback strategy, which 1072 * is not recommended in the first place, unless you absolutely need it to 1073 * interoperate with buggy (version-intolerant) servers. 1074 * 1075 * Comment this macro to disable support for FALLBACK_SCSV 1076 */ 1077 #define MBEDTLS_SSL_FALLBACK_SCSV 1078 1079 /** 1080 * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1081 * 1082 * This option controls the availability of the API mbedtls_ssl_get_peer_cert() 1083 * giving access to the peer's certificate after completion of the handshake. 1084 * 1085 * Unless you need mbedtls_ssl_peer_cert() in your application, it is 1086 * recommended to disable this option for reduced RAM usage. 1087 * 1088 * \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still 1089 * defined, but always returns \c NULL. 1090 * 1091 * \note This option has no influence on the protection against the 1092 * triple handshake attack. Even if it is disabled, Mbed TLS will 1093 * still ensure that certificates do not change during renegotiation, 1094 * for example by keeping a hash of the peer's certificate. 1095 * 1096 * \note This option is required if MBEDTLS_SSL_PROTO_TLS1_3 is set. 1097 * 1098 * Comment this macro to disable storing the peer's certificate 1099 * after the handshake. 1100 */ 1101 #ifdef CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1102 #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1103 #else 1104 #undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1105 #endif 1106 1107 /** 1108 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING 1109 * 1110 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0. 1111 * 1112 * This is a countermeasure to the BEAST attack, which also minimizes the risk 1113 * of interoperability issues compared to sending 0-length records. 1114 * 1115 * Comment this macro to disable 1/n-1 record splitting. 1116 */ 1117 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 1118 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING 1119 #else 1120 #undef MBEDTLS_SSL_CBC_RECORD_SPLITTING 1121 #endif 1122 1123 /** 1124 * \def MBEDTLS_SSL_RENEGOTIATION 1125 * 1126 * Enable support for TLS renegotiation. 1127 * 1128 * The two main uses of renegotiation are (1) refresh keys on long-lived 1129 * connections and (2) client authentication after the initial handshake. 1130 * If you don't need renegotiation, it's probably better to disable it, since 1131 * it has been associated with security issues in the past and is easy to 1132 * misuse/misunderstand. 1133 * 1134 * Comment this to disable support for renegotiation. 1135 * 1136 * \note Even if this option is disabled, both client and server are aware 1137 * of the Renegotiation Indication Extension (RFC 5746) used to 1138 * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1). 1139 * (See \c mbedtls_ssl_conf_legacy_renegotiation for the 1140 * configuration of this extension). 1141 * 1142 */ 1143 #ifdef CONFIG_MBEDTLS_SSL_RENEGOTIATION 1144 #define MBEDTLS_SSL_RENEGOTIATION 1145 #else 1146 #undef MBEDTLS_SSL_RENEGOTIATION 1147 #endif 1148 1149 /** 1150 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 1151 * 1152 * Enable support for RFC 6066 max_fragment_length extension in SSL. 1153 * 1154 * Comment this macro to disable support for the max_fragment_length extension 1155 */ 1156 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 1157 1158 /** 1159 * \def MBEDTLS_SSL_RECORD_SIZE_LIMIT 1160 * 1161 * Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only). 1162 * 1163 * \warning This extension is currently in development and must NOT be used except 1164 * for testing purposes. 1165 * 1166 * Requires: MBEDTLS_SSL_PROTO_TLS1_3 1167 * 1168 * Uncomment this macro to enable support for the record_size_limit extension 1169 */ 1170 //#define MBEDTLS_SSL_RECORD_SIZE_LIMIT 1171 1172 /** 1173 * \def MBEDTLS_SSL_PROTO_TLS1_2 1174 * 1175 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). 1176 * 1177 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C 1178 * (Depends on ciphersuites) 1179 * 1180 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 1181 */ 1182 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 1183 #define MBEDTLS_SSL_PROTO_TLS1_2 1184 #else 1185 #undef MBEDTLS_SSL_PROTO_TLS1_2 1186 #endif 1187 1188 /** 1189 * \def MBEDTLS_SSL_PROTO_TLS1_3 1190 * 1191 * Enable support for TLS 1.3. 1192 * 1193 * \note The support for TLS 1.3 is not comprehensive yet, in particular 1194 * pre-shared keys are not supported. 1195 * See docs/architecture/tls13-support.md for a description of the TLS 1196 * 1.3 support that this option enables. 1197 * 1198 * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1199 * 1200 * Uncomment this macro to enable the support for TLS 1.3. 1201 * 1202 */ 1203 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 1204 #define MBEDTLS_SSL_PROTO_TLS1_3 1205 #else 1206 #undef MBEDTLS_SSL_PROTO_TLS1_3 1207 #endif 1208 1209 /** 1210 * \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 1211 * 1212 * Enable TLS 1.3 middlebox compatibility mode. 1213 * 1214 * As specified in Section D.4 of RFC 8446, TLS 1.3 offers a compatibility 1215 * mode to make a TLS 1.3 connection more likely to pass through middle boxes 1216 * expecting TLS 1.2 traffic. 1217 * 1218 * Turning on the compatibility mode comes at the cost of a few added bytes 1219 * on the wire, but it doesn't affect compatibility with TLS 1.3 implementations 1220 * that don't use it. Therefore, unless transmission bandwidth is critical and 1221 * you know that middlebox compatibility issues won't occur, it is therefore 1222 * recommended to set this option. 1223 * 1224 * Comment to disable compatibility mode for TLS 1.3. If 1225 * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any 1226 * effect on the build. 1227 * 1228 */ 1229 #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 1230 #define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 1231 #else 1232 #undef MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 1233 #endif 1234 1235 /** 1236 * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 1237 * 1238 * Enable TLS 1.3 PSK key exchange mode. 1239 * 1240 * Comment to disable support for the PSK key exchange mode in TLS 1.3. If 1241 * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any 1242 * effect on the build. 1243 * 1244 */ 1245 #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_PSK 1246 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 1247 #else 1248 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 1249 #endif 1250 1251 /** 1252 * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 1253 * 1254 * Enable TLS 1.3 ephemeral key exchange mode. 1255 * 1256 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C, MBEDTLS_ECDSA_C or 1257 * MBEDTLS_PKCS1_V21 1258 * 1259 * Comment to disable support for the ephemeral key exchange mode in TLS 1.3. 1260 * If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any 1261 * effect on the build. 1262 * 1263 */ 1264 #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_EPHEMERAL 1265 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 1266 #else 1267 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 1268 #endif 1269 1270 /** 1271 * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 1272 * 1273 * Enable TLS 1.3 PSK ephemeral key exchange mode. 1274 * 1275 * Requires: MBEDTLS_ECDH_C 1276 * 1277 * Comment to disable support for the PSK ephemeral key exchange mode in 1278 * TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not 1279 * have any effect on the build. 1280 * 1281 */ 1282 #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_PSK_EPHEMERAL 1283 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 1284 #else 1285 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 1286 #endif 1287 1288 /** 1289 * \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 1290 * 1291 * Maximum time difference in milliseconds tolerated between the age of a 1292 * ticket from the server and client point of view. 1293 * From the client point of view, the age of a ticket is the time difference 1294 * between the time when the client proposes to the server to use the ticket 1295 * (time of writing of the Pre-Shared Key Extension including the ticket) and 1296 * the time the client received the ticket from the server. 1297 * From the server point of view, the age of a ticket is the time difference 1298 * between the time when the server receives a proposition from the client 1299 * to use the ticket and the time when the ticket was created by the server. 1300 * The server age is expected to be always greater than the client one and 1301 * MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE defines the 1302 * maximum difference tolerated for the server to accept the ticket. 1303 * This is not used in TLS 1.2. 1304 * 1305 */ 1306 #define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 1307 1308 /** 1309 * \def MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 1310 * 1311 * Size in bytes of a ticket nonce. This is not used in TLS 1.2. 1312 * 1313 * This must be less than 256. 1314 */ 1315 #define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 1316 1317 /** 1318 * \def MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1319 * 1320 * Default number of NewSessionTicket messages to be sent by a TLS 1.3 server 1321 * after handshake completion. This is not used in TLS 1.2 and relevant only if 1322 * the MBEDTLS_SSL_SESSION_TICKETS option is enabled. 1323 * 1324 */ 1325 #define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 1326 1327 /** 1328 * \def MBEDTLS_SSL_EARLY_DATA 1329 * 1330 * Enable support for RFC 8446 TLS 1.3 early data. 1331 * 1332 * Requires: MBEDTLS_SSL_SESSION_TICKETS and either 1333 * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or 1334 * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 1335 * 1336 * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3 1337 * is not enabled, this option does not have any effect on the build. 1338 * 1339 * This feature is experimental, not completed and thus not ready for 1340 * production. 1341 * 1342 */ 1343 //#define MBEDTLS_SSL_EARLY_DATA 1344 1345 /** 1346 * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1347 * 1348 * The default maximum amount of 0-RTT data. See the documentation of 1349 * \c mbedtls_ssl_tls13_conf_max_early_data_size() for more information. 1350 * 1351 * It must be positive and smaller than UINT32_MAX. 1352 * 1353 * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not 1354 * have any impact on the build. 1355 * 1356 * This feature is experimental, not completed and thus not ready for 1357 * production. 1358 * 1359 */ 1360 #define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 1361 1362 1363 /** 1364 * \def MBEDTLS_SSL_PROTO_DTLS 1365 * 1366 * Enable support for DTLS (all available versions). 1367 * 1368 * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. 1369 * 1370 * Requires: MBEDTLS_SSL_PROTO_TLS1_2 1371 * 1372 * Comment this macro to disable support for DTLS 1373 */ 1374 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1375 #define MBEDTLS_SSL_PROTO_DTLS 1376 #else 1377 #undef MBEDTLS_SSL_PROTO_DTLS 1378 #endif 1379 1380 /** 1381 * \def MBEDTLS_SSL_ALPN 1382 * 1383 * Enable support for RFC 7301 Application Layer Protocol Negotiation. 1384 * 1385 * Comment this macro to disable support for ALPN. 1386 */ 1387 #ifdef CONFIG_MBEDTLS_SSL_ALPN 1388 #define MBEDTLS_SSL_ALPN 1389 #else 1390 #undef MBEDTLS_SSL_ALPN 1391 #endif 1392 1393 /** 1394 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY 1395 * 1396 * Enable support for the anti-replay mechanism in DTLS. 1397 * 1398 * Requires: MBEDTLS_SSL_TLS_C 1399 * MBEDTLS_SSL_PROTO_DTLS 1400 * 1401 * \warning Disabling this is often a security risk! 1402 * See mbedtls_ssl_conf_dtls_anti_replay() for details. 1403 * 1404 * Comment this to disable anti-replay in DTLS. 1405 */ 1406 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1407 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY 1408 #else 1409 #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY 1410 #endif 1411 1412 /** 1413 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY 1414 * 1415 * Enable support for HelloVerifyRequest on DTLS servers. 1416 * 1417 * This feature is highly recommended to prevent DTLS servers being used as 1418 * amplifiers in DoS attacks against other hosts. It should always be enabled 1419 * unless you know for sure amplification cannot be a problem in the 1420 * environment in which your server operates. 1421 * 1422 * \warning Disabling this can ba a security risk! (see above) 1423 * 1424 * Requires: MBEDTLS_SSL_PROTO_DTLS 1425 * 1426 * Comment this to disable support for HelloVerifyRequest. 1427 */ 1428 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1429 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY 1430 #else 1431 #undef MBEDTLS_SSL_DTLS_HELLO_VERIFY 1432 #endif 1433 1434 /** 1435 * \def MBEDTLS_SSL_DTLS_SRTP 1436 * 1437 * Enable support for negotiation of DTLS-SRTP (RFC 5764) 1438 * through the use_srtp extension. 1439 * 1440 * \note This feature provides the minimum functionality required 1441 * to negotiate the use of DTLS-SRTP and to allow the derivation of 1442 * the associated SRTP packet protection key material. 1443 * In particular, the SRTP packet protection itself, as well as the 1444 * demultiplexing of RTP and DTLS packets at the datagram layer 1445 * (see Section 5 of RFC 5764), are not handled by this feature. 1446 * Instead, after successful completion of a handshake negotiating 1447 * the use of DTLS-SRTP, the extended key exporter API 1448 * mbedtls_ssl_conf_export_keys_ext_cb() should be used to implement 1449 * the key exporter described in Section 4.2 of RFC 5764 and RFC 5705 1450 * (this is implemented in the SSL example programs). 1451 * The resulting key should then be passed to an SRTP stack. 1452 * 1453 * Setting this option enables the runtime API 1454 * mbedtls_ssl_conf_dtls_srtp_protection_profiles() 1455 * through which the supported DTLS-SRTP protection 1456 * profiles can be configured. You must call this API at 1457 * runtime if you wish to negotiate the use of DTLS-SRTP. 1458 * 1459 * Requires: MBEDTLS_SSL_PROTO_DTLS 1460 * 1461 * Uncomment this to enable support for use_srtp extension. 1462 */ 1463 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1464 #define MBEDTLS_SSL_DTLS_SRTP 1465 #else 1466 #undef MBEDTLS_SSL_DTLS_SRTP 1467 #endif 1468 1469 /** 1470 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1471 * 1472 * Enable server-side support for clients that reconnect from the same port. 1473 * 1474 * Some clients unexpectedly close the connection and try to reconnect using the 1475 * same source port. This needs special support from the server to handle the 1476 * new connection securely, as described in section 4.2.8 of RFC 6347. This 1477 * flag enables that support. 1478 * 1479 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY 1480 * 1481 * Comment this to disable support for clients reusing the source port. 1482 */ 1483 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1484 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1485 #else 1486 #undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1487 #endif 1488 1489 /** 1490 * \def MBEDTLS_SSL_SESSION_TICKETS 1491 * 1492 * Enable support for RFC 5077 session tickets in SSL. 1493 * Client-side, provides full support for session tickets (maintenance of a 1494 * session store remains the responsibility of the application, though). 1495 * Server-side, you also need to provide callbacks for writing and parsing 1496 * tickets, including authenticated encryption and key management. Example 1497 * callbacks are provided by MBEDTLS_SSL_TICKET_C. 1498 * 1499 * Comment this macro to disable support for SSL session tickets 1500 */ 1501 #ifdef CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS 1502 #define MBEDTLS_SSL_SESSION_TICKETS 1503 #else 1504 #undef MBEDTLS_SSL_SESSION_TICKETS 1505 #endif 1506 1507 /** 1508 * \def MBEDTLS_SSL_EXPORT_KEYS 1509 * 1510 * Enable support for exporting key block and master secret. 1511 * This is required for certain users of TLS, e.g. EAP-TLS. 1512 * 1513 * Comment this macro to disable support for key export 1514 */ 1515 #define MBEDTLS_SSL_EXPORT_KEYS 1516 1517 /** 1518 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION 1519 * 1520 * Enable support for RFC 6066 server name indication (SNI) in SSL. 1521 * 1522 * Requires: MBEDTLS_X509_CRT_PARSE_C 1523 * 1524 * Comment this macro to disable support for server name indication in SSL 1525 */ 1526 #define MBEDTLS_SSL_SERVER_NAME_INDICATION 1527 1528 1529 /** 1530 * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1531 * 1532 * When this option is enabled, the SSL buffer will be resized automatically 1533 * based on the negotiated maximum fragment length in each direction. 1534 * 1535 * Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 1536 */ 1537 #ifdef CONFIG_MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1538 #define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1539 #else 1540 #undef MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1541 #endif 1542 1543 /** 1544 * 1545 * \def MBEDTLS_VERSION_FEATURES 1546 * 1547 * Allow run-time checking of compile-time enabled features. Thus allowing users 1548 * to check at run-time if the library is for instance compiled with threading 1549 * support via mbedtls_version_check_feature(). 1550 * 1551 * Requires: MBEDTLS_VERSION_C 1552 * 1553 * Comment this to disable run-time checking and save ROM space 1554 */ 1555 #define MBEDTLS_VERSION_FEATURES 1556 1557 1558 /** 1559 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT 1560 * 1561 * Enable parsing and verification of X.509 certificates, CRLs and CSRS 1562 * signed with RSASSA-PSS (aka PKCS#1 v2.1). 1563 * 1564 * Comment this macro to disallow using RSASSA-PSS in certificates. 1565 */ 1566 #define MBEDTLS_X509_RSASSA_PSS_SUPPORT 1567 1568 1569 /* \} name SECTION: mbed TLS feature support */ 1570 1571 /** 1572 * \name SECTION: mbed TLS modules 1573 * 1574 * This section enables or disables entire modules in mbed TLS 1575 * \{ 1576 */ 1577 1578 /** 1579 * \def MBEDTLS_AESNI_C 1580 * 1581 * Enable AES-NI support on x86-64. 1582 * 1583 * Module: library/aesni.c 1584 * Caller: library/aes.c 1585 * 1586 * Requires: MBEDTLS_HAVE_ASM 1587 * 1588 * This modules adds support for the AES-NI instructions on x86-64 1589 */ 1590 #define MBEDTLS_AESNI_C 1591 1592 /** 1593 * \def MBEDTLS_AES_C 1594 * 1595 * Enable the AES block cipher. 1596 * 1597 * Module: library/aes.c 1598 * Caller: library/ssl_tls.c 1599 * library/pem.c 1600 * library/ctr_drbg.c 1601 * 1602 * This module enables the following ciphersuites (if other requisites are 1603 * enabled as well): 1604 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 1605 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 1606 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 1607 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 1608 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 1609 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 1610 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 1611 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 1612 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 1613 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 1614 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 1615 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 1616 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 1617 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 1618 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 1619 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 1620 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 1621 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 1622 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 1623 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 1624 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 1625 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 1626 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 1627 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 1628 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 1629 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 1630 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 1631 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 1632 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 1633 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 1634 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 1635 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 1636 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 1637 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 1638 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 1639 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 1640 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 1641 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 1642 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 1643 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 1644 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 1645 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 1646 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 1647 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 1648 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 1649 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 1650 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 1651 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 1652 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 1653 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 1654 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 1655 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 1656 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 1657 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 1658 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 1659 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 1660 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 1661 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 1662 * 1663 * PEM_PARSE uses AES for decrypting encrypted keys. 1664 */ 1665 #ifdef CONFIG_MBEDTLS_AES_C 1666 #define MBEDTLS_AES_C 1667 #else 1668 #undef MBEDTLS_AES_C 1669 #endif 1670 1671 /** 1672 * \def MBEDTLS_ASN1_PARSE_C 1673 * 1674 * Enable the generic ASN1 parser. 1675 * 1676 * Module: library/asn1.c 1677 * Caller: library/x509.c 1678 * library/dhm.c 1679 * library/pkcs12.c 1680 * library/pkcs5.c 1681 * library/pkparse.c 1682 */ 1683 #define MBEDTLS_ASN1_PARSE_C 1684 1685 /** 1686 * \def MBEDTLS_ASN1_WRITE_C 1687 * 1688 * Enable the generic ASN1 writer. 1689 * 1690 * Module: library/asn1write.c 1691 * Caller: library/ecdsa.c 1692 * library/pkwrite.c 1693 * library/x509_create.c 1694 * library/x509write_crt.c 1695 * library/mbedtls_x509write_csr.c 1696 */ 1697 #define MBEDTLS_ASN1_WRITE_C 1698 1699 /** 1700 * \def MBEDTLS_BASE64_C 1701 * 1702 * Enable the Base64 module. 1703 * 1704 * Module: library/base64.c 1705 * Caller: library/pem.c 1706 * 1707 * This module is required for PEM support (required by X.509). 1708 */ 1709 #define MBEDTLS_BASE64_C 1710 1711 /** 1712 * \def MBEDTLS_BIGNUM_C 1713 * 1714 * Enable the multi-precision integer library. 1715 * 1716 * Module: library/bignum.c 1717 * library/bignum_core.c 1718 * library/bignum_mod.c 1719 * library/bignum_mod_raw.c 1720 * Caller: library/dhm.c 1721 * library/ecp.c 1722 * library/ecdsa.c 1723 * library/rsa.c 1724 * library/rsa_alt_helpers.c 1725 * library/ssl_tls.c 1726 * 1727 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. 1728 */ 1729 #define MBEDTLS_BIGNUM_C 1730 1731 /** 1732 * \def MBEDTLS_BLOWFISH_C 1733 * 1734 * Enable the Blowfish block cipher. 1735 * 1736 * Module: library/blowfish.c 1737 */ 1738 #ifdef CONFIG_MBEDTLS_BLOWFISH_C 1739 #define MBEDTLS_BLOWFISH_C 1740 #else 1741 #undef MBEDTLS_BLOWFISH_C 1742 #endif 1743 1744 /** 1745 * \def MBEDTLS_CAMELLIA_C 1746 * 1747 * Enable the Camellia block cipher. 1748 * 1749 * Module: library/camellia.c 1750 * Caller: library/ssl_tls.c 1751 * 1752 * This module enables the following ciphersuites (if other requisites are 1753 * enabled as well): 1754 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 1755 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 1756 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 1757 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 1758 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 1759 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 1760 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 1761 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 1762 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 1763 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 1764 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 1765 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 1766 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 1767 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 1768 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 1769 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 1770 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 1771 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 1772 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 1773 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 1774 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 1775 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 1776 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 1777 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 1778 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 1779 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 1780 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 1781 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 1782 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 1783 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 1784 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 1785 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 1786 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 1787 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 1788 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 1789 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 1790 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 1791 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 1792 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 1793 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 1794 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 1795 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 1796 */ 1797 #ifdef CONFIG_MBEDTLS_CAMELLIA_C 1798 #define MBEDTLS_CAMELLIA_C 1799 #else 1800 #undef MBEDTLS_CAMELLIA_C 1801 #endif 1802 1803 /** 1804 * \def MBEDTLS_CCM_C 1805 * 1806 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. 1807 * 1808 * Module: library/ccm.c 1809 * 1810 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or 1811 * MBEDTLS_ARIA_C 1812 * 1813 * This module enables the AES-CCM ciphersuites, if other requisites are 1814 * enabled as well. 1815 */ 1816 #ifdef CONFIG_MBEDTLS_CCM_C 1817 #define MBEDTLS_CCM_C 1818 #else 1819 #undef MBEDTLS_CCM_C 1820 #endif 1821 1822 /** 1823 * \def MBEDTLS_CERTS_C 1824 * 1825 * Enable the test certificates. 1826 * 1827 * Module: library/certs.c 1828 * Caller: 1829 * 1830 * This module is used for testing (ssl_client/server). 1831 */ 1832 #define MBEDTLS_CERTS_C 1833 1834 /** 1835 * \def MBEDTLS_CHACHA20_C 1836 * 1837 * Enable the ChaCha20 stream cipher. 1838 * 1839 * Module: library/chacha20.c 1840 */ 1841 #ifdef CONFIG_MBEDTLS_CHACHA20_C 1842 #define MBEDTLS_CHACHA20_C 1843 #else 1844 #undef MBEDTLS_CHACHA20_C 1845 #endif 1846 1847 /** 1848 * \def MBEDTLS_CHACHAPOLY_C 1849 * 1850 * Enable the ChaCha20-Poly1305 AEAD algorithm. 1851 * 1852 * Module: library/chachapoly.c 1853 * 1854 * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C 1855 */ 1856 #ifdef CONFIG_MBEDTLS_CHACHAPOLY_C 1857 #define MBEDTLS_CHACHAPOLY_C 1858 #else 1859 #undef MBEDTLS_CHACHAPOLY_C 1860 #endif 1861 1862 /** 1863 * \def MBEDTLS_CIPHER_C 1864 * 1865 * Enable the generic cipher layer. 1866 * 1867 * Module: library/cipher.c 1868 * Caller: library/ccm.c 1869 * library/cmac.c 1870 * library/gcm.c 1871 * library/nist_kw.c 1872 * library/pkcs12.c 1873 * library/pkcs5.c 1874 * library/psa_crypto_aead.c 1875 * library/psa_crypto_mac.c 1876 * library/ssl_ciphersuites.c 1877 * library/ssl_msg.c 1878 * library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled) 1879 * 1880 * Uncomment to enable generic cipher wrappers. 1881 */ 1882 #define MBEDTLS_CIPHER_C 1883 1884 /** 1885 * \def MBEDTLS_CTR_DRBG_C 1886 * 1887 * Enable the CTR_DRBG AES-256-based random generator. 1888 * 1889 * Module: library/ctr_drbg.c 1890 * Caller: 1891 * 1892 * Requires: MBEDTLS_AES_C 1893 * 1894 * This module provides the CTR_DRBG AES-256 random number generator. 1895 */ 1896 #define MBEDTLS_CTR_DRBG_C 1897 1898 /** 1899 * \def MBEDTLS_DEBUG_C 1900 * 1901 * Enable the debug functions. 1902 * 1903 * Module: library/debug.c 1904 * Caller: library/ssl_msg.c 1905 * library/ssl_tls.c 1906 * library/ssl_tls12_*.c 1907 * library/ssl_tls13_*.c 1908 * 1909 * This module provides debugging functions. 1910 */ 1911 #if CONFIG_MBEDTLS_DEBUG 1912 #define MBEDTLS_DEBUG_C 1913 #else 1914 #undef MBEDTLS_DEBUG_C 1915 #endif 1916 1917 /** 1918 * \def MBEDTLS_DES_C 1919 * 1920 * Enable the DES block cipher. 1921 * 1922 * Module: library/des.c 1923 * Caller: library/pem.c 1924 * library/ssl_tls.c 1925 * 1926 * This module enables the following ciphersuites (if other requisites are 1927 * enabled as well): 1928 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 1929 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 1930 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 1931 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 1932 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 1933 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 1934 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 1935 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 1936 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 1937 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 1938 * 1939 * PEM_PARSE uses DES/3DES for decrypting encrypted keys. 1940 */ 1941 #ifdef CONFIG_MBEDTLS_DES_C 1942 #define MBEDTLS_DES_C 1943 #else 1944 #undef MBEDTLS_DES_C 1945 #endif 1946 1947 /** 1948 * \def MBEDTLS_DHM_C 1949 * 1950 * Enable the Diffie-Hellman-Merkle module. 1951 * 1952 * Module: library/dhm.c 1953 * Caller: library/ssl_tls.c 1954 * library/ssl*_client.c 1955 * library/ssl*_server.c 1956 * 1957 * This module is used by the following key exchanges: 1958 * DHE-RSA, DHE-PSK 1959 */ 1960 #ifdef CONFIG_MBEDTLS_DHM_C 1961 #define MBEDTLS_DHM_C 1962 #else 1963 #undef MBEDTLS_DHM_C 1964 #endif 1965 1966 /** 1967 * \def MBEDTLS_ECDH_C 1968 * 1969 * Enable the elliptic curve Diffie-Hellman library. 1970 * 1971 * Module: library/ecdh.c 1972 * Caller: library/psa_crypto.c 1973 * library/ssl_tls.c 1974 * library/ssl*_client.c 1975 * library/ssl*_server.c 1976 * 1977 * This module is used by the following key exchanges: 1978 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK 1979 * 1980 * Requires: MBEDTLS_ECP_C 1981 */ 1982 #ifdef CONFIG_MBEDTLS_ECDH_C 1983 #define MBEDTLS_ECDH_C 1984 #else 1985 #undef MBEDTLS_ECDH_C 1986 #endif 1987 1988 /** 1989 * \def MBEDTLS_ECDSA_C 1990 * 1991 * Enable the elliptic curve DSA library. 1992 * 1993 * Module: library/ecdsa.c 1994 * Caller: 1995 * 1996 * This module is used by the following key exchanges: 1997 * ECDHE-ECDSA 1998 * 1999 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C, 2000 * and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a 2001 * short Weierstrass curve. 2002 */ 2003 #ifdef CONFIG_MBEDTLS_ECDSA_C 2004 #define MBEDTLS_ECDSA_C 2005 #else 2006 #undef MBEDTLS_ECDSA_C 2007 #endif 2008 2009 /** 2010 * \def MBEDTLS_ECJPAKE_C 2011 * 2012 * Enable the elliptic curve J-PAKE library. 2013 * 2014 * \warning This is currently experimental. EC J-PAKE support is based on the 2015 * Thread v1.0.0 specification; incompatible changes to the specification 2016 * might still happen. For this reason, this is disabled by default. 2017 * 2018 * Module: library/ecjpake.c 2019 * Caller: 2020 * 2021 * This module is used by the following key exchanges: 2022 * ECJPAKE 2023 * 2024 * Requires: MBEDTLS_ECP_C and MBEDTLS_MD_C 2025 * 2026 */ 2027 #ifdef CONFIG_MBEDTLS_ECJPAKE_C 2028 #define MBEDTLS_ECJPAKE_C 2029 #else 2030 #undef MBEDTLS_ECJPAKE_C 2031 #endif 2032 2033 /** 2034 * \def MBEDTLS_ECP_C 2035 * 2036 * Enable the elliptic curve over GF(p) library. 2037 * 2038 * Module: library/ecp.c 2039 * Caller: library/ecdh.c 2040 * library/ecdsa.c 2041 * library/ecjpake.c 2042 * 2043 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED 2044 */ 2045 #ifdef CONFIG_MBEDTLS_ECP_C 2046 #define MBEDTLS_ECP_C 2047 #else 2048 #undef MBEDTLS_ECP_C 2049 #endif 2050 2051 /** 2052 * \def MBEDTLS_ENTROPY_C 2053 * 2054 * Enable the platform-specific entropy code. 2055 * 2056 * Module: library/entropy.c 2057 * Caller: 2058 * 2059 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 2060 * 2061 * This module provides a generic entropy pool 2062 */ 2063 #define MBEDTLS_ENTROPY_C 2064 2065 /** 2066 * \def MBEDTLS_ERROR_C 2067 * 2068 * Enable error code to error string conversion. 2069 * 2070 * Module: library/error.c 2071 * Caller: 2072 * 2073 * This module enables mbedtls_strerror(). 2074 */ 2075 #if CONFIG_MBEDTLS_ERROR_STRINGS 2076 #define MBEDTLS_ERROR_C 2077 #else 2078 #undef MBEDTLS_ERROR_C 2079 #endif 2080 2081 /** 2082 * \def MBEDTLS_GCM_C 2083 * 2084 * Enable the Galois/Counter Mode (GCM). 2085 * 2086 * Module: library/gcm.c 2087 * 2088 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or 2089 * MBEDTLS_ARIA_C 2090 * 2091 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other 2092 * requisites are enabled as well. 2093 */ 2094 #ifdef CONFIG_MBEDTLS_GCM_C 2095 #define MBEDTLS_GCM_C 2096 #else 2097 #undef MBEDTLS_GCM_C 2098 #endif 2099 2100 /** 2101 * \def MBEDTLS_HKDF_C 2102 * 2103 * Enable the HKDF algorithm (RFC 5869). 2104 * 2105 * Module: library/hkdf.c 2106 * Caller: 2107 * 2108 * Requires: MBEDTLS_MD_C 2109 * 2110 * This module enables support for the Hashed Message Authentication Code 2111 * (HMAC)-based key derivation function (HKDF). 2112 */ 2113 #ifdef CONFIG_MBEDTLS_HKDF_C 2114 #define MBEDTLS_HKDF_C 2115 #else 2116 #undef MBEDTLS_HKDF_C 2117 #endif 2118 2119 /** 2120 * \def MBEDTLS_HMAC_DRBG_C 2121 * 2122 * Enable the HMAC_DRBG random generator. 2123 * 2124 * Module: library/hmac_drbg.c 2125 * Caller: 2126 * 2127 * Requires: MBEDTLS_MD_C 2128 * 2129 * Uncomment to enable the HMAC_DRBG random number generator. 2130 */ 2131 #define MBEDTLS_HMAC_DRBG_C 2132 2133 /** 2134 * \def MBEDTLS_MD_C 2135 * 2136 * Enable the generic message digest layer. 2137 * 2138 * Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C, 2139 * MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C, 2140 * MBEDTLS_SHA512_C. 2141 * 2142 * Module: library/md.c 2143 * Caller: library/constant_time.c 2144 * library/ecdsa.c 2145 * library/ecjpake.c 2146 * library/hkdf.c 2147 * library/hmac_drbg.c 2148 * library/pk.c 2149 * library/pkcs5.c 2150 * library/pkcs12.c 2151 * library/psa_crypto_ecp.c 2152 * library/psa_crypto_rsa.c 2153 * library/rsa.c 2154 * library/ssl_cookie.c 2155 * library/ssl_msg.c 2156 * library/ssl_tls.c 2157 * library/x509.c 2158 * library/x509_crt.c 2159 * library/x509write_crt.c 2160 * library/x509write_csr.c 2161 * 2162 * Uncomment to enable generic message digest wrappers. 2163 */ 2164 #define MBEDTLS_MD_C 2165 2166 /** 2167 * \def MBEDTLS_MD5_C 2168 * 2169 * Enable the MD5 hash algorithm. 2170 * 2171 * Module: library/mbedtls_md5.c 2172 * Caller: library/mbedtls_md.c 2173 * library/pem.c 2174 * library/ssl_tls.c 2175 * 2176 * This module is required for SSL/TLS and X.509. 2177 * PEM_PARSE uses MD5 for decrypting encrypted keys. 2178 */ 2179 #define MBEDTLS_MD5_C 2180 2181 /** 2182 * \def MBEDTLS_NET_C 2183 * 2184 * Enable the TCP and UDP over IPv6/IPv4 networking routines. 2185 * 2186 * \note This module only works on POSIX/Unix (including Linux, BSD and OS X) 2187 * and Windows. For other platforms, you'll want to disable it, and write your 2188 * own networking callbacks to be passed to \c mbedtls_ssl_set_bio(). 2189 * 2190 * \note See also our Knowledge Base article about porting to a new 2191 * environment: 2192 * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 2193 * 2194 * Module: library/net_sockets.c 2195 * 2196 * This module provides networking routines. 2197 */ 2198 #ifdef MBEDTLS_NET_C 2199 #undef MBEDTLS_NET_C 2200 #endif 2201 2202 /** 2203 * \def MBEDTLS_OID_C 2204 * 2205 * Enable the OID database. 2206 * 2207 * Module: library/oid.c 2208 * Caller: library/asn1write.c 2209 * library/pkcs5.c 2210 * library/pkparse.c 2211 * library/pkwrite.c 2212 * library/rsa.c 2213 * library/x509.c 2214 * library/x509_create.c 2215 * library/mbedtls_x509_crl.c 2216 * library/mbedtls_x509_crt.c 2217 * library/mbedtls_x509_csr.c 2218 * library/x509write_crt.c 2219 * library/mbedtls_x509write_csr.c 2220 * 2221 * This modules translates between OIDs and internal values. 2222 */ 2223 #define MBEDTLS_OID_C 2224 2225 /** 2226 * \def MBEDTLS_PADLOCK_C 2227 * 2228 * Enable VIA Padlock support on x86. 2229 * 2230 * Module: library/padlock.c 2231 * Caller: library/aes.c 2232 * 2233 * Requires: MBEDTLS_HAVE_ASM 2234 * 2235 * This modules adds support for the VIA PadLock on x86. 2236 */ 2237 #define MBEDTLS_PADLOCK_C 2238 2239 /** 2240 * \def MBEDTLS_PEM_PARSE_C 2241 * 2242 * Enable PEM decoding / parsing. 2243 * 2244 * Module: library/pem.c 2245 * Caller: library/dhm.c 2246 * library/pkparse.c 2247 * library/mbedtls_x509_crl.c 2248 * library/mbedtls_x509_crt.c 2249 * library/mbedtls_x509_csr.c 2250 * 2251 * Requires: MBEDTLS_BASE64_C 2252 * 2253 * This modules adds support for decoding / parsing PEM files. 2254 */ 2255 #ifdef CONFIG_MBEDTLS_PEM_PARSE_C 2256 #define MBEDTLS_PEM_PARSE_C 2257 #else 2258 #undef MBEDTLS_PEM_PARSE_C 2259 #endif 2260 2261 /** 2262 * \def MBEDTLS_PEM_WRITE_C 2263 * 2264 * Enable PEM encoding / writing. 2265 * 2266 * Module: library/pem.c 2267 * Caller: library/pkwrite.c 2268 * library/x509write_crt.c 2269 * library/mbedtls_x509write_csr.c 2270 * 2271 * Requires: MBEDTLS_BASE64_C 2272 * 2273 * This modules adds support for encoding / writing PEM files. 2274 */ 2275 #ifdef CONFIG_MBEDTLS_PEM_WRITE_C 2276 #define MBEDTLS_PEM_WRITE_C 2277 #else 2278 #undef MBEDTLS_PEM_WRITE_C 2279 #endif 2280 2281 /** 2282 * \def MBEDTLS_PK_C 2283 * 2284 * Enable the generic public (asymmetric) key layer. 2285 * 2286 * Module: library/pk.c 2287 * Caller: library/psa_crypto_rsa.c 2288 * library/ssl_tls.c 2289 * library/ssl*_client.c 2290 * library/ssl*_server.c 2291 * library/x509.c 2292 * 2293 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C 2294 * 2295 * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C 2296 * 2297 * Uncomment to enable generic public key wrappers. 2298 */ 2299 #define MBEDTLS_PK_C 2300 2301 /** 2302 * \def MBEDTLS_PK_PARSE_C 2303 * 2304 * Enable the generic public (asymmetric) key parser. 2305 * 2306 * Module: library/pkparse.c 2307 * Caller: library/mbedtls_x509_crt.c 2308 * library/mbedtls_x509_csr.c 2309 * 2310 * Requires: MBEDTLS_PK_C 2311 * 2312 * Uncomment to enable generic public key parse functions. 2313 */ 2314 #define MBEDTLS_PK_PARSE_C 2315 2316 /** 2317 * \def MBEDTLS_PK_WRITE_C 2318 * 2319 * Enable the generic public (asymmetric) key writer. 2320 * 2321 * Module: library/pkwrite.c 2322 * Caller: library/x509write.c 2323 * 2324 * Requires: MBEDTLS_PK_C 2325 * 2326 * Uncomment to enable generic public key write functions. 2327 */ 2328 #define MBEDTLS_PK_WRITE_C 2329 2330 /** 2331 * \def MBEDTLS_PKCS5_C 2332 * 2333 * Enable PKCS#5 functions. 2334 * 2335 * Module: library/pkcs5.c 2336 * 2337 * Requires: MBEDTLS_CIPHER_C and MBEDTLS_MD_C 2338 * 2339 * This module adds support for the PKCS#5 functions. 2340 */ 2341 #define MBEDTLS_PKCS5_C 2342 2343 /** 2344 * \def MBEDTLS_PKCS7_C 2345 * 2346 * This feature is a work in progress and not ready for production. Testing and 2347 * validation is incomplete, and handling of malformed inputs may not be robust. 2348 * The API may change. 2349 * 2350 * Enable PKCS7 core for using PKCS7 formatted signatures. 2351 * RFC Link - https://tools.ietf.org/html/rfc2315 2352 * 2353 * Module: library/pkcs7.c 2354 * 2355 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, 2356 * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, 2357 * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C 2358 * 2359 * This module is required for the PKCS #7 parsing modules. 2360 */ 2361 #ifdef CONFIG_MBEDTLS_PKCS7_C 2362 #define MBEDTLS_PKCS7_C 2363 #else 2364 #undef MBEDTLS_PKCS7_C 2365 #endif 2366 2367 /** 2368 * \def MBEDTLS_PKCS12_C 2369 * 2370 * Enable PKCS#12 PBE functions. 2371 * Adds algorithms for parsing PKCS#8 encrypted private keys 2372 * 2373 * Module: library/pkcs12.c 2374 * Caller: library/pkparse.c 2375 * 2376 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C 2377 * 2378 * This module enables PKCS#12 functions. 2379 */ 2380 #define MBEDTLS_PKCS12_C 2381 2382 /** 2383 * \def MBEDTLS_PLATFORM_C 2384 * 2385 * Enable the platform abstraction layer that allows you to re-assign 2386 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 2387 * 2388 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 2389 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 2390 * above to be specified at runtime or compile time respectively. 2391 * 2392 * \note This abstraction layer must be enabled on Windows (including MSYS2) 2393 * as other modules rely on it for a fixed snprintf implementation. 2394 * 2395 * Module: library/platform.c 2396 * Caller: Most other .c files 2397 * 2398 * This module enables abstraction of common (libc) functions. 2399 */ 2400 #define MBEDTLS_PLATFORM_C 2401 2402 /** 2403 * \def MBEDTLS_POLY1305_C 2404 * 2405 * Enable the Poly1305 MAC algorithm. 2406 * 2407 * Module: library/poly1305.c 2408 * Caller: library/chachapoly.c 2409 */ 2410 #ifdef CONFIG_MBEDTLS_POLY1305_C 2411 #define MBEDTLS_POLY1305_C 2412 #else 2413 #undef MBEDTLS_POLY1305_C 2414 #endif 2415 2416 /** 2417 * \def MBEDTLS_RIPEMD160_C 2418 * 2419 * Enable the RIPEMD-160 hash algorithm. 2420 * 2421 * Module: library/mbedtls_ripemd160.c 2422 * Caller: library/mbedtls_md.c 2423 * 2424 */ 2425 #ifdef CONFIG_MBEDTLS_RIPEMD160_C 2426 #define MBEDTLS_RIPEMD160_C 2427 #else 2428 #undef MBEDTLS_RIPEMD160_C 2429 #endif 2430 2431 /** 2432 * \def MBEDTLS_RSA_C 2433 * 2434 * Enable the RSA public-key cryptosystem. 2435 * 2436 * Module: library/rsa.c 2437 * library/rsa_alt_helpers.c 2438 * Caller: library/pk.c 2439 * library/psa_crypto.c 2440 * library/ssl_tls.c 2441 * library/ssl*_client.c 2442 * library/ssl*_server.c 2443 * 2444 * This module is used by the following key exchanges: 2445 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK 2446 * 2447 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C 2448 */ 2449 #define MBEDTLS_RSA_C 2450 2451 /** 2452 * \def MBEDTLS_SHA1_C 2453 * 2454 * Enable the SHA1 cryptographic hash algorithm. 2455 * 2456 * Module: library/sha1.c 2457 * Caller: library/md.c 2458 * library/psa_crypto_hash.c 2459 * 2460 * This module is required for TLS 1.2 depending on the handshake parameters, 2461 * and for SHA1-signed certificates. 2462 * 2463 * \warning SHA-1 is considered a weak message digest and its use constitutes 2464 * a security risk. If possible, we recommend avoiding dependencies 2465 * on it, and considering stronger message digests instead. 2466 * 2467 */ 2468 #define MBEDTLS_SHA1_C 2469 2470 /** 2471 * \def MBEDTLS_SHA224_C 2472 * 2473 * Enable the SHA-224 cryptographic hash algorithm. 2474 * 2475 * Requires: MBEDTLS_SHA256_C. The library does not currently support enabling 2476 * SHA-224 without SHA-256. 2477 * 2478 * Module: library/sha256.c 2479 * Caller: library/md.c 2480 * library/ssl_cookie.c 2481 * 2482 * This module adds support for SHA-224. 2483 */ 2484 #define MBEDTLS_SHA224_C 2485 2486 /** 2487 * \def MBEDTLS_SHA256_C 2488 * 2489 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms. 2490 * 2491 * Module: library/mbedtls_sha256.c 2492 * Caller: library/entropy.c 2493 * library/mbedtls_md.c 2494 * library/ssl_tls.c 2495 * library/ssl*_client.c 2496 * library/ssl*_server.c= 2497 * 2498 * This module adds support for SHA-224 and SHA-256. 2499 * This module is required for the SSL/TLS 1.2 PRF function. 2500 */ 2501 #define MBEDTLS_SHA256_C 2502 2503 /** 2504 * \def MBEDTLS_SHA512_C 2505 * 2506 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms. 2507 * 2508 * Module: library/sha512.c 2509 * Caller: library/entropy.c 2510 * library/md.c 2511 * library/ssl_tls.c 2512 * library/ssl_cookie.c 2513 * 2514 * This module adds support for SHA-384 and SHA-512. 2515 */ 2516 #ifdef CONFIG_MBEDTLS_SHA512_C 2517 #define MBEDTLS_SHA384_C 2518 #define MBEDTLS_SHA512_C 2519 #else 2520 #undef MBEDTLS_SHA384_C 2521 #undef MBEDTLS_SHA512_C 2522 #endif 2523 2524 /** 2525 * \def MBEDTLS_SHA3_C 2526 * 2527 * Enable the SHA3 cryptographic hash algorithm. 2528 * 2529 * Module: library/sha3.c 2530 * 2531 * This module adds support for SHA3. 2532 */ 2533 #ifdef CONFIG_MBEDTLS_SHA3_C 2534 #define MBEDTLS_SHA3_C 2535 #else 2536 #undef MBEDTLS_SHA3_C 2537 #endif 2538 2539 /** 2540 * \def MBEDTLS_SSL_CACHE_C 2541 * 2542 * Enable simple SSL cache implementation. 2543 * 2544 * Module: library/ssl_cache.c 2545 * Caller: 2546 * 2547 * Requires: MBEDTLS_SSL_CACHE_C 2548 */ 2549 #define MBEDTLS_SSL_CACHE_C 2550 2551 /** 2552 * \def MBEDTLS_SSL_COOKIE_C 2553 * 2554 * Enable basic implementation of DTLS cookies for hello verification. 2555 * 2556 * Module: library/ssl_cookie.c 2557 * Caller: 2558 */ 2559 #define MBEDTLS_SSL_COOKIE_C 2560 2561 /** 2562 * \def MBEDTLS_SSL_TICKET_C 2563 * 2564 * Enable an implementation of TLS server-side callbacks for session tickets. 2565 * 2566 * Module: library/ssl_ticket.c 2567 * Caller: 2568 * 2569 * Requires: (MBEDTLS_CIPHER_C) && 2570 * (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C) 2571 */ 2572 #ifdef CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS 2573 #define MBEDTLS_SSL_TICKET_C 2574 #else 2575 #undef MBEDTLS_SSL_TICKET_C 2576 #endif 2577 2578 /** 2579 * \def MBEDTLS_SSL_CLI_C 2580 * 2581 * Enable the SSL/TLS client code. 2582 * 2583 * Module: library/ssl*_client.c 2584 * Caller: 2585 * 2586 * Requires: MBEDTLS_SSL_TLS_C 2587 * 2588 * This module is required for SSL/TLS client support. 2589 */ 2590 #ifdef CONFIG_MBEDTLS_TLS_CLIENT 2591 #define MBEDTLS_SSL_CLI_C 2592 #else 2593 #undef MBEDTLS_SSL_CLI_C 2594 #endif 2595 2596 /** 2597 * \def MBEDTLS_SSL_SRV_C 2598 * 2599 * Enable the SSL/TLS server code. 2600 * 2601 * Module: library/ssl_srv.c 2602 * Caller: 2603 * 2604 * Requires: MBEDTLS_SSL_TLS_C 2605 * 2606 * This module is required for SSL/TLS server support. 2607 */ 2608 #ifdef CONFIG_MBEDTLS_TLS_SERVER 2609 #define MBEDTLS_SSL_SRV_C 2610 #else 2611 #undef MBEDTLS_SSL_SRV_C 2612 #endif 2613 2614 /** 2615 * \def MBEDTLS_SSL_TLS_C 2616 * 2617 * Enable the generic SSL/TLS code. 2618 * 2619 * Module: library/ssl_tls.c 2620 * Caller: library/ssl*_client.c 2621 * library/ssl*_server.c 2622 * 2623 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C 2624 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines 2625 * 2626 * This module is required for SSL/TLS. 2627 */ 2628 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 2629 #define MBEDTLS_SSL_TLS_C 2630 #else 2631 #undef MBEDTLS_SSL_TLS_C 2632 #endif 2633 2634 /** 2635 * \def MBEDTLS_TIMING_C 2636 * 2637 * Enable the semi-portable timing interface. 2638 * 2639 * \note The provided implementation only works on POSIX/Unix (including Linux, 2640 * BSD and OS X) and Windows. On other platforms, you can either disable that 2641 * module and provide your own implementations of the callbacks needed by 2642 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide 2643 * your own implementation of the whole module by setting 2644 * \c MBEDTLS_TIMING_ALT in the current file. 2645 * 2646 * \note See also our Knowledge Base article about porting to a new 2647 * environment: 2648 * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 2649 * 2650 * Module: library/timing.c 2651 * Caller: library/havege.c 2652 * 2653 * This module is used by the HAVEGE random number generator. 2654 */ 2655 #ifdef MBEDTLS_TIMING_C 2656 #undef MBEDTLS_TIMING_C 2657 #endif 2658 2659 /** 2660 * \def MBEDTLS_VERSION_C 2661 * 2662 * Enable run-time version information. 2663 * 2664 * Module: library/version.c 2665 * 2666 * This module provides run-time version information. 2667 */ 2668 #define MBEDTLS_VERSION_C 2669 2670 /** 2671 * \def MBEDTLS_X509_USE_C 2672 * 2673 * Enable X.509 core for using certificates. 2674 * 2675 * Module: library/x509.c 2676 * Caller: library/mbedtls_x509_crl.c 2677 * library/mbedtls_x509_crt.c 2678 * library/mbedtls_x509_csr.c 2679 * 2680 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, 2681 * MBEDTLS_PK_PARSE_C, MBEDTLS_MD_C 2682 * 2683 * This module is required for the X.509 parsing modules. 2684 */ 2685 #define MBEDTLS_X509_USE_C 2686 2687 /** 2688 * \def MBEDTLS_X509_CRT_PARSE_C 2689 * 2690 * Enable X.509 certificate parsing. 2691 * 2692 * Module: library/mbedtls_x509_crt.c 2693 * Caller: library/ssl_tls.c 2694 * library/ssl*_client.c 2695 * library/ssl*_server.c 2696 * 2697 * Requires: MBEDTLS_X509_USE_C 2698 * 2699 * This module is required for X.509 certificate parsing. 2700 */ 2701 #define MBEDTLS_X509_CRT_PARSE_C 2702 2703 /** 2704 * \def MBEDTLS_X509_CRL_PARSE_C 2705 * 2706 * Enable X.509 CRL parsing. 2707 * 2708 * Module: library/mbedtls_x509_crl.c 2709 * Caller: library/mbedtls_x509_crt.c 2710 * 2711 * Requires: MBEDTLS_X509_USE_C 2712 * 2713 * This module is required for X.509 CRL parsing. 2714 */ 2715 #ifdef CONFIG_MBEDTLS_X509_CRL_PARSE_C 2716 #define MBEDTLS_X509_CRL_PARSE_C 2717 #else 2718 #undef MBEDTLS_X509_CRL_PARSE_C 2719 #endif 2720 2721 /** 2722 * \def MBEDTLS_X509_CSR_PARSE_C 2723 * 2724 * Enable X.509 Certificate Signing Request (CSR) parsing. 2725 * 2726 * Module: library/mbedtls_x509_csr.c 2727 * Caller: library/x509_crt_write.c 2728 * 2729 * Requires: MBEDTLS_X509_USE_C 2730 * 2731 * This module is used for reading X.509 certificate request. 2732 */ 2733 #ifdef CONFIG_MBEDTLS_X509_CSR_PARSE_C 2734 #define MBEDTLS_X509_CSR_PARSE_C 2735 #else 2736 #undef MBEDTLS_X509_CSR_PARSE_C 2737 #endif 2738 2739 /** 2740 * \def MBEDTLS_X509_CREATE_C 2741 * 2742 * Enable X.509 core for creating certificates. 2743 * 2744 * Module: library/x509_create.c 2745 * 2746 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C, 2747 * MBEDTLS_MD_C 2748 * 2749 * This module is the basis for creating X.509 certificates and CSRs. 2750 */ 2751 #define MBEDTLS_X509_CREATE_C 2752 2753 /** 2754 * \def MBEDTLS_X509_CRT_WRITE_C 2755 * 2756 * Enable creating X.509 certificates. 2757 * 2758 * Module: library/x509_crt_write.c 2759 * 2760 * Requires: MBEDTLS_X509_CREATE_C 2761 * 2762 * This module is required for X.509 certificate creation. 2763 */ 2764 #define MBEDTLS_X509_CRT_WRITE_C 2765 2766 /** 2767 * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 2768 * 2769 * If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()` 2770 * and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure 2771 * the set of trusted certificates through a callback instead of a linked 2772 * list. 2773 * 2774 * This is useful for example in environments where a large number of trusted 2775 * certificates is present and storing them in a linked list isn't efficient 2776 * enough, or when the set of trusted certificates changes frequently. 2777 * 2778 * See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and 2779 * `mbedtls_ssl_conf_ca_cb()` for more information. 2780 * 2781 * Uncomment to enable trusted certificate callbacks. 2782 */ 2783 #ifdef CONFIG_MBEDTLS_X509_TRUSTED_CERT_CALLBACK 2784 #define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 2785 #else 2786 #undef MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 2787 #endif 2788 2789 /** 2790 * \def MBEDTLS_X509_CSR_WRITE_C 2791 * 2792 * Enable creating X.509 Certificate Signing Requests (CSR). 2793 * 2794 * Module: library/x509_csr_write.c 2795 * 2796 * Requires: MBEDTLS_X509_CREATE_C 2797 * 2798 * This module is required for X.509 certificate request writing. 2799 */ 2800 #define MBEDTLS_X509_CSR_WRITE_C 2801 2802 /** 2803 * \def MBEDTLS_XTEA_C 2804 * 2805 * Enable the XTEA block cipher. 2806 * 2807 * Module: library/xtea.c 2808 * Caller: 2809 */ 2810 #ifdef CONFIG_MBEDTLS_XTEA_C 2811 #define MBEDTLS_XTEA_C 2812 #else 2813 #undef MBEDTLS_XTEA_C 2814 #endif 2815 2816 /* \} name SECTION: mbed TLS modules */ 2817 2818 /** 2819 * \name SECTION: Module configuration options 2820 * 2821 * This section allows for the setting of module specific sizes and 2822 * configuration options. The default values are already present in the 2823 * relevant header files and should suffice for the regular use cases. 2824 * 2825 * Our advice is to enable options and change their values here 2826 * only if you have a good reason and know the consequences. 2827 * 2828 * Please check the respective header file for documentation on these 2829 * parameters (to prevent duplicate documentation). 2830 * \{ 2831 */ 2832 2833 /* SSL options */ 2834 #ifndef CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN 2835 2836 #define MBEDTLS_SSL_MAX_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maximum fragment length in bytes, determines the size of each of the two internal I/O buffers */ 2837 2838 #else 2839 2840 /** \def MBEDTLS_SSL_IN_CONTENT_LEN 2841 * 2842 * Maximum incoming fragment length in bytes. 2843 * 2844 * Uncomment to set the size of the inward TLS buffer independently of the 2845 * outward buffer. 2846 */ 2847 #define MBEDTLS_SSL_IN_CONTENT_LEN CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN 2848 2849 /** \def MBEDTLS_SSL_CID_IN_LEN_MAX 2850 * 2851 * The maximum length of CIDs used for incoming DTLS messages. 2852 * 2853 */ 2854 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID 2855 #define MBEDTLS_SSL_CID_IN_LEN_MAX CONFIG_MBEDTLS_SSL_CID_IN_LEN_MAX 2856 #else 2857 #undef MBEDTLS_SSL_CID_IN_LEN_MAX 2858 #endif 2859 2860 2861 /** \def MBEDTLS_SSL_CID_OUT_LEN_MAX 2862 * 2863 * The maximum length of CIDs used for outgoing DTLS messages. 2864 * 2865 */ 2866 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID 2867 #define MBEDTLS_SSL_CID_OUT_LEN_MAX CONFIG_MBEDTLS_SSL_CID_OUT_LEN_MAX 2868 #else 2869 #undef MBEDTLS_SSL_CID_OUT_LEN_MAX 2870 #endif 2871 2872 /** \def MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 2873 * 2874 * This option controls the use of record plaintext padding 2875 * in TLS 1.3 and when using the Connection ID extension in DTLS 1.2. 2876 * 2877 * The padding will always be chosen so that the length of the 2878 * padded plaintext is a multiple of the value of this option. 2879 * 2880 * Note: A value of \c 1 means that no padding will be used 2881 * for outgoing records. 2882 * 2883 * Note: On systems lacking division instructions, 2884 * a power of two should be preferred. 2885 * 2886 */ 2887 #ifdef CONFIG_MBEDTLS_SSL_CID_PADDING_GRANULARITY 2888 #define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY CONFIG_MBEDTLS_SSL_CID_PADDING_GRANULARITY 2889 #else 2890 #undef MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 2891 #endif 2892 2893 2894 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN 2895 * 2896 * Maximum outgoing fragment length in bytes. 2897 * 2898 * Uncomment to set the size of the outward TLS buffer independently of the 2899 * inward buffer. 2900 * 2901 * It is possible to save RAM by setting a smaller outward buffer, while keeping 2902 * the default inward 16384 byte buffer to conform to the TLS specification. 2903 * 2904 * The minimum required outward buffer size is determined by the handshake 2905 * protocol's usage. Handshaking will fail if the outward buffer is too small. 2906 * The specific size requirement depends on the configured ciphers and any 2907 * certificate data which is sent during the handshake. 2908 * 2909 * For absolute minimum RAM usage, it's best to enable 2910 * MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This 2911 * reduces both incoming and outgoing buffer sizes. However this is only 2912 * guaranteed if the other end of the connection also supports the TLS 2913 * max_fragment_len extension. Otherwise the connection may fail. 2914 */ 2915 #define MBEDTLS_SSL_OUT_CONTENT_LEN CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN 2916 2917 #endif /* !CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN */ 2918 2919 /** 2920 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake 2921 * signature and ciphersuite selection. Without this build-time option, SHA-1 2922 * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes. 2923 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by 2924 * default. At the time of writing, there is no practical attack on the use 2925 * of SHA-1 in handshake signatures, hence this option is turned on by default 2926 * for compatibility with existing peers. 2927 * 2928 * \warning SHA-1 is considered a weak message digest and its use constitutes 2929 * a security risk. If possible, we recommend avoiding dependencies 2930 * on it, and considering stronger message digests instead. 2931 */ 2932 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE 2933 2934 /** 2935 * \def MBEDTLS_THREADING_C 2936 * 2937 * Enable the threading abstraction layer. 2938 * By default mbed TLS assumes it is used in a non-threaded environment or that 2939 * contexts are not shared between threads. If you do intend to use contexts 2940 * between threads, you will need to enable this layer to prevent race 2941 * conditions. See also our Knowledge Base article about threading: 2942 * https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading 2943 * 2944 * Module: library/threading.c 2945 * 2946 * This allows different threading implementations (self-implemented or 2947 * provided). 2948 * 2949 * You will have to enable either MBEDTLS_THREADING_ALT or 2950 * MBEDTLS_THREADING_PTHREAD. 2951 * 2952 * Enable this layer to allow use of mutexes within mbed TLS 2953 */ 2954 #ifdef CONFIG_MBEDTLS_THREADING_C 2955 #define MBEDTLS_THREADING_C 2956 #else 2957 #undef MBEDTLS_THREADING_C 2958 #endif 2959 2960 /** 2961 * \def MBEDTLS_THREADING_ALT 2962 * 2963 * Provide your own alternate threading implementation. 2964 * 2965 * Requires: MBEDTLS_THREADING_C 2966 * 2967 * Uncomment this to allow your own alternate threading implementation. 2968 */ 2969 #ifdef CONFIG_MBEDTLS_THREADING_ALT 2970 #define MBEDTLS_THREADING_ALT 2971 #else 2972 #undef MBEDTLS_THREADING_ALT 2973 #endif 2974 2975 /** 2976 * \def MBEDTLS_THREADING_PTHREAD 2977 * 2978 * Enable the pthread wrapper layer for the threading layer. 2979 * 2980 * Requires: MBEDTLS_THREADING_C 2981 * 2982 * Uncomment this to enable pthread mutexes. 2983 */ 2984 #ifdef CONFIG_MBEDTLS_THREADING_PTHREAD 2985 #define MBEDTLS_THREADING_PTHREAD 2986 #else 2987 #undef MBEDTLS_THREADING_PTHREAD 2988 #endif 2989 2990 /** 2991 * \def MBEDTLS_NIST_KW_C 2992 * 2993 * Enable AES key wrapping as per NIST 2994 * 2995 * Requires: MBEDTLS_AES_C 2996 * 2997 * Uncomment this to enable aes key wrap. 2998 */ 2999 #ifdef CONFIG_MBEDTLS_NIST_KW_C 3000 #define MBEDTLS_NIST_KW_C 3001 #else 3002 #undef MBEDTLS_NIST_KW_C 3003 #endif 3004 3005 /* \} name SECTION: Module configuration options */ 3006 3007 #if defined(TARGET_LIKE_MBED) 3008 #include "mbedtls/target_config.h" 3009 #endif 3010 3011 /* 3012 * Allow user to override any previous default. 3013 * 3014 * Use two macro names for that, as: 3015 * - with yotta the prefix YOTTA_CFG_ is forced 3016 * - without yotta is looks weird to have a YOTTA prefix. 3017 */ 3018 #if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE) 3019 #include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE 3020 #elif defined(MBEDTLS_USER_CONFIG_FILE) 3021 #include MBEDTLS_USER_CONFIG_FILE 3022 #endif 3023 3024 /* This flag makes sure that we are not using 3025 * any functino that is deprecated by mbedtls */ 3026 #define MBEDTLS_DEPRECATED_REMOVED 3027 3028 #endif /* ESP_CONFIG_H */ 3029
