1 /** 2 * \file config.h 3 * 4 * \brief Configuration options (set of defines) 5 * 6 * This set of compile-time options may be used to enable 7 * or disable features selectively, and reduce the global 8 * memory footprint. 9 */ 10 /* 11 * Copyright (C) 2006-2022, ARM Limited, All Rights Reserved 12 * SPDX-License-Identifier: Apache-2.0 13 * 14 * Licensed under the Apache License, Version 2.0 (the "License"); you may 15 * not use this file except in compliance with the License. 16 * You may obtain a copy of the License at 17 * 18 * http://www.apache.org/licenses/LICENSE-2.0 19 * 20 * Unless required by applicable law or agreed to in writing, software 21 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 22 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 23 * See the License for the specific language governing permissions and 24 * limitations under the License. 25 * 26 * This file is part of mbed TLS (https://tls.mbed.org) 27 */ 28 29 #ifndef MBEDTLS_CONFIG_H 30 #define MBEDTLS_CONFIG_H 31 32 #include "config_crypto.h" 33 34 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) 35 #define _CRT_SECURE_NO_DEPRECATE 1 36 #endif 37 38 /** 39 * \name SECTION: System support 40 * 41 * This section sets system specific settings. 42 * \{ 43 */ 44 45 /** 46 * \def MBEDTLS_HAVE_ASM 47 * 48 * The compiler has support for asm(). 49 * 50 * Requires support for asm() in compiler. 51 * 52 * Used in: 53 * library/aria.c 54 * library/timing.c 55 * include/mbedtls/bn_mul.h 56 * 57 * Required by: 58 * MBEDTLS_AESNI_C 59 * MBEDTLS_PADLOCK_C 60 * 61 * Comment to disable the use of assembly code. 62 */ 63 64 /* Due to an outstanding bug with mbedtls and arm compiler 6, this feature is 65 * disabled temporarily on cortex-m0 and m0-plus. 66 * https://github.com/ARMmbed/mbedtls/issues/1077 67 */ 68 #define MBEDTLS_HAVE_ASM 69 70 /** 71 * \def MBEDTLS_HAVE_TIME 72 * 73 * System has time.h and time(). 74 * The time does not need to be correct, only time differences are used, 75 * by contrast with MBEDTLS_HAVE_TIME_DATE 76 * 77 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, 78 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and 79 * MBEDTLS_PLATFORM_STD_TIME. 80 * 81 * Comment if your system does not support time functions 82 */ 83 //#define MBEDTLS_HAVE_TIME 84 85 /** 86 * \def MBEDTLS_HAVE_TIME_DATE 87 * 88 * System has time.h, time(), and an implementation for 89 * mbedtls_platform_gmtime_r() (see below). 90 * The time needs to be correct (not necessarily very accurate, but at least 91 * the date should be correct). This is used to verify the validity period of 92 * X.509 certificates. 93 * 94 * Comment if your system does not have a correct clock. 95 * 96 * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that 97 * behaves similarly to the gmtime_r() function from the C standard. Refer to 98 * the documentation for mbedtls_platform_gmtime_r() for more information. 99 * 100 * \note It is possible to configure an implementation for 101 * mbedtls_platform_gmtime_r() at compile-time by using the macro 102 * MBEDTLS_PLATFORM_GMTIME_R_ALT. 103 */ 104 //#define MBEDTLS_HAVE_TIME_DATE 105 106 /** 107 * \def MBEDTLS_PLATFORM_MEMORY 108 * 109 * Enable the memory allocation layer. 110 * 111 * By default mbed TLS uses the system-provided calloc() and free(). 112 * This allows different allocators (self-implemented or provided) to be 113 * provided to the platform abstraction layer. 114 * 115 * Enabling MBEDTLS_PLATFORM_MEMORY without the 116 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 117 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 118 * free() function pointer at runtime. 119 * 120 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 121 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 122 * alternate function at compile time. 123 * 124 * Requires: MBEDTLS_PLATFORM_C 125 * 126 * Enable this layer to allow use of alternative memory allocators. 127 */ 128 #define MBEDTLS_PLATFORM_MEMORY 129 130 /* \} name SECTION: System support */ 131 132 /** 133 * \name SECTION: mbed TLS feature support 134 * 135 * This section sets support for features that are or are not needed 136 * within the modules that are enabled. 137 * \{ 138 */ 139 140 /** 141 * \def MBEDTLS_ECP_NIST_OPTIM 142 * 143 * Enable specific 'modulo p' routines for each NIST prime. 144 * Depending on the prime and architecture, makes operations 4 to 8 times 145 * faster on the corresponding curve. 146 * 147 * Comment this macro to disable NIST curves optimisation. 148 */ 149 #define MBEDTLS_ECP_NIST_OPTIM 150 151 /** 152 * \def MBEDTLS_PK_PARSE_EC_EXTENDED 153 * 154 * Enhance support for reading EC keys using variants of SEC1 not allowed by 155 * RFC 5915 and RFC 5480. 156 * 157 * Currently this means parsing the SpecifiedECDomain choice of EC 158 * parameters (only known groups are supported, not arbitrary domains, to 159 * avoid validation issues). 160 * 161 * Disable if you only need to support RFC 5915 + 5480 key formats. 162 */ 163 #define MBEDTLS_PK_PARSE_EC_EXTENDED 164 165 /** 166 * \def MBEDTLS_ERROR_STRERROR_DUMMY 167 * 168 * Enable a dummy error function to make use of mbedtls_strerror() in 169 * third party libraries easier when MBEDTLS_ERROR_C is disabled 170 * (no effect when MBEDTLS_ERROR_C is enabled). 171 * 172 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're 173 * not using mbedtls_strerror() or error_strerror() in your application. 174 * 175 * Disable if you run into name conflicts and want to really remove the 176 * mbedtls_strerror() 177 */ 178 #define MBEDTLS_ERROR_STRERROR_DUMMY 179 180 /** 181 * \def MBEDTLS_NO_PLATFORM_ENTROPY 182 * 183 * Do not use built-in platform entropy functions. 184 * This is useful if your platform does not support 185 * standards like the /dev/urandom or Windows CryptoAPI. 186 * 187 * Uncomment this macro to disable the built-in platform entropy functions. 188 */ 189 #define MBEDTLS_NO_PLATFORM_ENTROPY 190 191 /** 192 * \def MBEDTLS_ENTROPY_NV_SEED 193 * 194 * Enable the non-volatile (NV) seed file-based entropy source. 195 * (Also enables the NV seed read/write functions in the platform layer) 196 * 197 * This is crucial (if not required) on systems that do not have a 198 * cryptographic entropy source (in hardware or kernel) available. 199 * 200 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C 201 * 202 * \note The read/write functions that are used by the entropy source are 203 * determined in the platform layer, and can be modified at runtime and/or 204 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. 205 * 206 * \note If you use the default implementation functions that read a seedfile 207 * with regular fopen(), please make sure you make a seedfile with the 208 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at 209 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from 210 * and written to or you will get an entropy source error! The default 211 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE 212 * bytes from the file. 213 * 214 * \note The entropy collector will write to the seed file before entropy is 215 * given to an external source, to update it. 216 */ 217 #define MBEDTLS_ENTROPY_NV_SEED 218 219 /** 220 * \def MBEDTLS_PK_RSA_ALT_SUPPORT 221 * 222 * Support external private RSA keys (eg from a HSM) in the PK layer. 223 * 224 * Comment this macro to disable support for external private RSA keys. 225 */ 226 #define MBEDTLS_PK_RSA_ALT_SUPPORT 227 228 /** 229 * \def MBEDTLS_PSA_CRYPTO_SPM 230 * 231 * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure 232 * Partition Manager) integration which separates the code into two parts: a 233 * NSPE (Non-Secure Process Environment) and an SPE (Secure Process 234 * Environment). 235 * 236 * Module: library/psa_crypto.c 237 * Requires: MBEDTLS_PSA_CRYPTO_C 238 * 239 */ 240 #define MBEDTLS_PSA_CRYPTO_SPM 241 242 /** 243 * \def MBEDTLS_PSA_CRYPTO_CONFIG 244 * 245 * This setting allows support for cryptographic mechanisms through the PSA 246 * API to be configured separately from support through the mbedtls API. 247 * 248 * When this option is disabled, the PSA API exposes the cryptographic 249 * mechanisms that can be implemented on top of the `mbedtls_xxx` API 250 * configured with `MBEDTLS_XXX` symbols. 251 * 252 * When this option is enabled, the PSA API exposes the cryptographic 253 * mechanisms requested by the `PSA_WANT_XXX` symbols defined in 254 * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are 255 * automatically enabled if required (i.e. if no PSA driver provides the 256 * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols 257 * in mbedtls_config.h. 258 * 259 * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies 260 * an alternative header to include instead of include/psa/crypto_config.h. 261 * 262 * This feature is still experimental and is not ready for production since 263 * it is not completed. 264 */ 265 #define MBEDTLS_PSA_CRYPTO_CONFIG 266 267 /* \} name SECTION: mbed TLS feature support */ 268 269 /** 270 * \name SECTION: mbed TLS modules 271 * 272 * This section enables or disables entire modules in mbed TLS 273 * \{ 274 */ 275 276 /** 277 * \def MBEDTLS_AES_C 278 * 279 * Enable the AES block cipher. 280 * 281 * Module: library/aes.c 282 * Caller: library/cipher.c 283 * library/pem.c 284 * library/ctr_drbg.c 285 * 286 * This module is required to support the TLS ciphersuites that use the AES 287 * cipher. 288 * 289 * PEM_PARSE uses AES for decrypting encrypted keys. 290 */ 291 #define MBEDTLS_AES_C 292 293 /** 294 * \def MBEDTLS_CIPHER_C 295 * 296 * Enable the generic cipher layer. 297 * 298 * Module: library/cipher.c 299 * 300 * Uncomment to enable generic cipher wrappers. 301 */ 302 #define MBEDTLS_CIPHER_C 303 304 /** 305 * \def MBEDTLS_CTR_DRBG_C 306 * 307 * Enable the CTR_DRBG AES-based random generator. 308 * The CTR_DRBG generator uses AES-256 by default. 309 * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below. 310 * 311 * Module: library/ctr_drbg.c 312 * Caller: 313 * 314 * Requires: MBEDTLS_AES_C 315 * 316 * This module provides the CTR_DRBG AES random number generator. 317 */ 318 #define MBEDTLS_CTR_DRBG_C 319 320 /** 321 * \def MBEDTLS_ENTROPY_C 322 * 323 * Enable the platform-specific entropy code. 324 * 325 * Module: library/entropy.c 326 * Caller: 327 * 328 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 329 * 330 * This module provides a generic entropy pool 331 */ 332 #define MBEDTLS_ENTROPY_C 333 334 /** 335 * \def MBEDTLS_ERROR_C 336 * 337 * Enable error code to error string conversion. 338 * 339 * Module: library/error.c 340 * Caller: 341 * 342 * This module enables mbedtls_strerror(). 343 */ 344 #define MBEDTLS_ERROR_C 345 346 /** 347 * \def MBEDTLS_HKDF_C 348 * 349 * Enable the HKDF algorithm (RFC 5869). 350 * 351 * Module: library/hkdf.c 352 * Caller: 353 * 354 * Requires: MBEDTLS_MD_C 355 * 356 * This module adds support for the Hashed Message Authentication Code 357 * (HMAC)-based key derivation function (HKDF). 358 */ 359 #define MBEDTLS_HKDF_C /* Used for HUK deriviation */ 360 361 /** 362 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C 363 * 364 * Enable the buffer allocator implementation that makes use of a (stack) 365 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() 366 * calls) 367 * 368 * Module: library/memory_buffer_alloc.c 369 * 370 * Requires: MBEDTLS_PLATFORM_C 371 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) 372 * 373 * Enable this module to enable the buffer memory allocator. 374 */ 375 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C 376 377 /** 378 * \def MBEDTLS_PLATFORM_C 379 * 380 * Enable the platform abstraction layer that allows you to re-assign 381 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 382 * 383 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 384 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 385 * above to be specified at runtime or compile time respectively. 386 * 387 * \note This abstraction layer must be enabled on Windows (including MSYS2) 388 * as other module rely on it for a fixed snprintf implementation. 389 * 390 * Module: library/platform.c 391 * Caller: Most other .c files 392 * 393 * This module enables abstraction of common (libc) functions. 394 */ 395 #define MBEDTLS_PLATFORM_C 396 397 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 398 #define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> 399 400 #include <stdio.h> 401 402 #define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf 403 #define MBEDTLS_PLATFORM_PRINTF_ALT 404 #define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS 405 #define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE 406 407 /** 408 * \def MBEDTLS_PSA_CRYPTO_C 409 * 410 * Enable the Platform Security Architecture cryptography API. 411 * 412 * Module: library/psa_crypto.c 413 * 414 * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C 415 * 416 */ 417 #define MBEDTLS_PSA_CRYPTO_C 418 419 /** 420 * \def MBEDTLS_PSA_CRYPTO_STORAGE_C 421 * 422 * Enable the Platform Security Architecture persistent key storage. 423 * 424 * Module: library/psa_crypto_storage.c 425 * 426 * Requires: MBEDTLS_PSA_CRYPTO_C, 427 * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of 428 * the PSA ITS interface 429 */ 430 #define MBEDTLS_PSA_CRYPTO_STORAGE_C 431 432 /* \} name SECTION: mbed TLS modules */ 433 434 /** 435 * \name SECTION: General configuration options 436 * 437 * This section contains Mbed TLS build settings that are not associated 438 * with a particular module. 439 * 440 * \{ 441 */ 442 443 /** 444 * \def MBEDTLS_CONFIG_FILE 445 * 446 * If defined, this is a header which will be included instead of 447 * `"mbedtls/mbedtls_config.h"`. 448 * This header file specifies the compile-time configuration of Mbed TLS. 449 * Unlike other configuration options, this one must be defined on the 450 * compiler command line: a definition in `mbedtls_config.h` would have 451 * no effect. 452 * 453 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 454 * non-standard feature of the C language, so this feature is only available 455 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 456 * 457 * The value of this symbol is typically a path in double quotes, either 458 * absolute or relative to a directory on the include search path. 459 */ 460 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" 461 462 /** 463 * \def MBEDTLS_USER_CONFIG_FILE 464 * 465 * If defined, this is a header which will be included after 466 * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE. 467 * This allows you to modify the default configuration, including the ability 468 * to undefine options that are enabled by default. 469 * 470 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 471 * non-standard feature of the C language, so this feature is only available 472 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 473 * 474 * The value of this symbol is typically a path in double quotes, either 475 * absolute or relative to a directory on the include search path. 476 */ 477 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" 478 479 /** 480 * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE 481 * 482 * If defined, this is a header which will be included instead of 483 * `"psa/crypto_config.h"`. 484 * This header file specifies which cryptographic mechanisms are available 485 * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and 486 * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled. 487 * 488 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 489 * non-standard feature of the C language, so this feature is only available 490 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 491 * 492 * The value of this symbol is typically a path in double quotes, either 493 * absolute or relative to a directory on the include search path. 494 */ 495 //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" 496 497 /** 498 * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE 499 * 500 * If defined, this is a header which will be included after 501 * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE. 502 * This allows you to modify the default configuration, including the ability 503 * to undefine options that are enabled by default. 504 * 505 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 506 * non-standard feature of the C language, so this feature is only available 507 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 508 * 509 * The value of this symbol is typically a path in double quotes, either 510 * absolute or relative to a directory on the include search path. 511 */ 512 //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" 513 514 /** \} name SECTION: General configuration options */ 515 516 /** 517 * \name SECTION: Module configuration options 518 * 519 * This section allows for the setting of module specific sizes and 520 * configuration options. The default values are already present in the 521 * relevant header files and should suffice for the regular use cases. 522 * 523 * Our advice is to enable options and change their values here 524 * only if you have a good reason and know the consequences. 525 * 526 * Please check the respective header file for documentation on these 527 * parameters (to prevent duplicate documentation). 528 * \{ 529 */ 530 531 /* ECP options */ 532 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */ 533 534 /* \} name SECTION: Customisation configuration options */ 535 536 #if CRYPTO_NV_SEED 537 #include "tfm_mbedcrypto_config_extra_nv_seed.h" 538 #endif /* CRYPTO_NV_SEED */ 539 540 #if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED) 541 #include "mbedtls_entropy_nv_seed_config.h" 542 #endif 543 544 #ifdef CRYPTO_HW_ACCELERATOR 545 #include "mbedtls_accelerator_config.h" 546 #endif 547 548 #endif /* MBEDTLS_CONFIG_H */ 549