1 /**
2  * \file config.h
3  *
4  * \brief Configuration options (set of defines)
5  *
6  *  This set of compile-time options may be used to enable
7  *  or disable features selectively, and reduce the global
8  *  memory footprint.
9  */
10 /*
11  *  Copyright (C) 2006-2022, ARM Limited, All Rights Reserved
12  *  SPDX-License-Identifier: Apache-2.0
13  *
14  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
15  *  not use this file except in compliance with the License.
16  *  You may obtain a copy of the License at
17  *
18  *  http://www.apache.org/licenses/LICENSE-2.0
19  *
20  *  Unless required by applicable law or agreed to in writing, software
21  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23  *  See the License for the specific language governing permissions and
24  *  limitations under the License.
25  *
26  *  This file is part of mbed TLS (https://tls.mbed.org)
27  */
28 
29 #ifndef MBEDTLS_CONFIG_H
30 #define MBEDTLS_CONFIG_H
31 
32 #include "config_crypto.h"
33 
34 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
35 #define _CRT_SECURE_NO_DEPRECATE 1
36 #endif
37 
38 /**
39  * \name SECTION: System support
40  *
41  * This section sets system specific settings.
42  * \{
43  */
44 
45 /**
46  * \def MBEDTLS_HAVE_ASM
47  *
48  * The compiler has support for asm().
49  *
50  * Requires support for asm() in compiler.
51  *
52  * Used in:
53  *      library/aria.c
54  *      library/timing.c
55  *      include/mbedtls/bn_mul.h
56  *
57  * Required by:
58  *      MBEDTLS_AESNI_C
59  *      MBEDTLS_PADLOCK_C
60  *
61  * Comment to disable the use of assembly code.
62  */
63 
64 /* Due to an outstanding bug with mbedtls and arm compiler 6, this feature is
65  * disabled temporarily on cortex-m0 and m0-plus.
66  * https://github.com/ARMmbed/mbedtls/issues/1077
67  */
68 #define MBEDTLS_HAVE_ASM
69 
70 /**
71  * \def MBEDTLS_HAVE_TIME
72  *
73  * System has time.h and time().
74  * The time does not need to be correct, only time differences are used,
75  * by contrast with MBEDTLS_HAVE_TIME_DATE
76  *
77  * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
78  * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
79  * MBEDTLS_PLATFORM_STD_TIME.
80  *
81  * Comment if your system does not support time functions
82  */
83 //#define MBEDTLS_HAVE_TIME
84 
85 /**
86  * \def MBEDTLS_HAVE_TIME_DATE
87  *
88  * System has time.h, time(), and an implementation for
89  * mbedtls_platform_gmtime_r() (see below).
90  * The time needs to be correct (not necessarily very accurate, but at least
91  * the date should be correct). This is used to verify the validity period of
92  * X.509 certificates.
93  *
94  * Comment if your system does not have a correct clock.
95  *
96  * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
97  * behaves similarly to the gmtime_r() function from the C standard. Refer to
98  * the documentation for mbedtls_platform_gmtime_r() for more information.
99  *
100  * \note It is possible to configure an implementation for
101  * mbedtls_platform_gmtime_r() at compile-time by using the macro
102  * MBEDTLS_PLATFORM_GMTIME_R_ALT.
103  */
104 //#define MBEDTLS_HAVE_TIME_DATE
105 
106 /**
107  * \def MBEDTLS_PLATFORM_MEMORY
108  *
109  * Enable the memory allocation layer.
110  *
111  * By default mbed TLS uses the system-provided calloc() and free().
112  * This allows different allocators (self-implemented or provided) to be
113  * provided to the platform abstraction layer.
114  *
115  * Enabling MBEDTLS_PLATFORM_MEMORY without the
116  * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
117  * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
118  * free() function pointer at runtime.
119  *
120  * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
121  * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
122  * alternate function at compile time.
123  *
124  * Requires: MBEDTLS_PLATFORM_C
125  *
126  * Enable this layer to allow use of alternative memory allocators.
127  */
128 #define MBEDTLS_PLATFORM_MEMORY
129 
130 /* \} name SECTION: System support */
131 
132 /**
133  * \name SECTION: mbed TLS feature support
134  *
135  * This section sets support for features that are or are not needed
136  * within the modules that are enabled.
137  * \{
138  */
139 
140 /**
141  * \def MBEDTLS_ECP_NIST_OPTIM
142  *
143  * Enable specific 'modulo p' routines for each NIST prime.
144  * Depending on the prime and architecture, makes operations 4 to 8 times
145  * faster on the corresponding curve.
146  *
147  * Comment this macro to disable NIST curves optimisation.
148  */
149 #define MBEDTLS_ECP_NIST_OPTIM
150 
151 /**
152  * \def MBEDTLS_PK_PARSE_EC_EXTENDED
153  *
154  * Enhance support for reading EC keys using variants of SEC1 not allowed by
155  * RFC 5915 and RFC 5480.
156  *
157  * Currently this means parsing the SpecifiedECDomain choice of EC
158  * parameters (only known groups are supported, not arbitrary domains, to
159  * avoid validation issues).
160  *
161  * Disable if you only need to support RFC 5915 + 5480 key formats.
162  */
163 #define MBEDTLS_PK_PARSE_EC_EXTENDED
164 
165 /**
166  * \def MBEDTLS_ERROR_STRERROR_DUMMY
167  *
168  * Enable a dummy error function to make use of mbedtls_strerror() in
169  * third party libraries easier when MBEDTLS_ERROR_C is disabled
170  * (no effect when MBEDTLS_ERROR_C is enabled).
171  *
172  * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
173  * not using mbedtls_strerror() or error_strerror() in your application.
174  *
175  * Disable if you run into name conflicts and want to really remove the
176  * mbedtls_strerror()
177  */
178 #define MBEDTLS_ERROR_STRERROR_DUMMY
179 
180 /**
181  * \def MBEDTLS_NO_PLATFORM_ENTROPY
182  *
183  * Do not use built-in platform entropy functions.
184  * This is useful if your platform does not support
185  * standards like the /dev/urandom or Windows CryptoAPI.
186  *
187  * Uncomment this macro to disable the built-in platform entropy functions.
188  */
189 #define MBEDTLS_NO_PLATFORM_ENTROPY
190 
191 /**
192  * \def MBEDTLS_ENTROPY_NV_SEED
193  *
194  * Enable the non-volatile (NV) seed file-based entropy source.
195  * (Also enables the NV seed read/write functions in the platform layer)
196  *
197  * This is crucial (if not required) on systems that do not have a
198  * cryptographic entropy source (in hardware or kernel) available.
199  *
200  * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
201  *
202  * \note The read/write functions that are used by the entropy source are
203  *       determined in the platform layer, and can be modified at runtime and/or
204  *       compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
205  *
206  * \note If you use the default implementation functions that read a seedfile
207  *       with regular fopen(), please make sure you make a seedfile with the
208  *       proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
209  *       least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
210  *       and written to or you will get an entropy source error! The default
211  *       implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
212  *       bytes from the file.
213  *
214  * \note The entropy collector will write to the seed file before entropy is
215  *       given to an external source, to update it.
216  */
217 #define MBEDTLS_ENTROPY_NV_SEED
218 
219 /**
220  * \def MBEDTLS_PK_RSA_ALT_SUPPORT
221  *
222  * Support external private RSA keys (eg from a HSM) in the PK layer.
223  *
224  * Comment this macro to disable support for external private RSA keys.
225  */
226 #define MBEDTLS_PK_RSA_ALT_SUPPORT
227 
228 /**
229  * \def MBEDTLS_PSA_CRYPTO_SPM
230  *
231  * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
232  * Partition Manager) integration which separates the code into two parts: a
233  * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
234  * Environment).
235  *
236  * Module:  library/psa_crypto.c
237  * Requires: MBEDTLS_PSA_CRYPTO_C
238  *
239  */
240 #define MBEDTLS_PSA_CRYPTO_SPM
241 
242 /**
243  * \def MBEDTLS_PSA_CRYPTO_CONFIG
244  *
245  * This setting allows support for cryptographic mechanisms through the PSA
246  * API to be configured separately from support through the mbedtls API.
247  *
248  * When this option is disabled, the PSA API exposes the cryptographic
249  * mechanisms that can be implemented on top of the `mbedtls_xxx` API
250  * configured with `MBEDTLS_XXX` symbols.
251  *
252  * When this option is enabled, the PSA API exposes the cryptographic
253  * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
254  * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
255  * automatically enabled if required (i.e. if no PSA driver provides the
256  * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
257  * in mbedtls_config.h.
258  *
259  * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
260  * an alternative header to include instead of include/psa/crypto_config.h.
261  *
262  * This feature is still experimental and is not ready for production since
263  * it is not completed.
264  */
265 #define MBEDTLS_PSA_CRYPTO_CONFIG
266 
267 /* \} name SECTION: mbed TLS feature support */
268 
269 /**
270  * \name SECTION: mbed TLS modules
271  *
272  * This section enables or disables entire modules in mbed TLS
273  * \{
274  */
275 
276 /**
277  * \def MBEDTLS_AES_C
278  *
279  * Enable the AES block cipher.
280  *
281  * Module:  library/aes.c
282  * Caller:  library/cipher.c
283  *          library/pem.c
284  *          library/ctr_drbg.c
285  *
286  * This module is required to support the TLS ciphersuites that use the AES
287  * cipher.
288  *
289  * PEM_PARSE uses AES for decrypting encrypted keys.
290  */
291 #define MBEDTLS_AES_C
292 
293 /**
294  * \def MBEDTLS_CIPHER_C
295  *
296  * Enable the generic cipher layer.
297  *
298  * Module:  library/cipher.c
299  *
300  * Uncomment to enable generic cipher wrappers.
301  */
302 #define MBEDTLS_CIPHER_C
303 
304 /**
305  * \def MBEDTLS_CTR_DRBG_C
306  *
307  * Enable the CTR_DRBG AES-based random generator.
308  * The CTR_DRBG generator uses AES-256 by default.
309  * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
310  *
311  * Module:  library/ctr_drbg.c
312  * Caller:
313  *
314  * Requires: MBEDTLS_AES_C
315  *
316  * This module provides the CTR_DRBG AES random number generator.
317  */
318 #define MBEDTLS_CTR_DRBG_C
319 
320 /**
321  * \def MBEDTLS_ENTROPY_C
322  *
323  * Enable the platform-specific entropy code.
324  *
325  * Module:  library/entropy.c
326  * Caller:
327  *
328  * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
329  *
330  * This module provides a generic entropy pool
331  */
332 #define MBEDTLS_ENTROPY_C
333 
334 /**
335  * \def MBEDTLS_ERROR_C
336  *
337  * Enable error code to error string conversion.
338  *
339  * Module:  library/error.c
340  * Caller:
341  *
342  * This module enables mbedtls_strerror().
343  */
344 #define MBEDTLS_ERROR_C
345 
346 /**
347  * \def MBEDTLS_HKDF_C
348  *
349  * Enable the HKDF algorithm (RFC 5869).
350  *
351  * Module:  library/hkdf.c
352  * Caller:
353  *
354  * Requires: MBEDTLS_MD_C
355  *
356  * This module adds support for the Hashed Message Authentication Code
357  * (HMAC)-based key derivation function (HKDF).
358  */
359 #define MBEDTLS_HKDF_C /* Used for HUK deriviation */
360 
361 /**
362  * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
363  *
364  * Enable the buffer allocator implementation that makes use of a (stack)
365  * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
366  * calls)
367  *
368  * Module:  library/memory_buffer_alloc.c
369  *
370  * Requires: MBEDTLS_PLATFORM_C
371  *           MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
372  *
373  * Enable this module to enable the buffer memory allocator.
374  */
375 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C
376 
377 /**
378  * \def MBEDTLS_PLATFORM_C
379  *
380  * Enable the platform abstraction layer that allows you to re-assign
381  * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
382  *
383  * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
384  * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
385  * above to be specified at runtime or compile time respectively.
386  *
387  * \note This abstraction layer must be enabled on Windows (including MSYS2)
388  * as other module rely on it for a fixed snprintf implementation.
389  *
390  * Module:  library/platform.c
391  * Caller:  Most other .c files
392  *
393  * This module enables abstraction of common (libc) functions.
394  */
395 #define MBEDTLS_PLATFORM_C
396 
397 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
398 #define MBEDTLS_PLATFORM_STD_MEM_HDR   <stdlib.h>
399 
400 #include <stdio.h>
401 
402 #define MBEDTLS_PLATFORM_SNPRINTF_MACRO      snprintf
403 #define MBEDTLS_PLATFORM_PRINTF_ALT
404 #define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS  EXIT_SUCCESS
405 #define MBEDTLS_PLATFORM_STD_EXIT_FAILURE  EXIT_FAILURE
406 
407 /**
408  * \def MBEDTLS_PSA_CRYPTO_C
409  *
410  * Enable the Platform Security Architecture cryptography API.
411  *
412  * Module:  library/psa_crypto.c
413  *
414  * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
415  *
416  */
417 #define MBEDTLS_PSA_CRYPTO_C
418 
419 /**
420  * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
421  *
422  * Enable the Platform Security Architecture persistent key storage.
423  *
424  * Module:  library/psa_crypto_storage.c
425  *
426  * Requires: MBEDTLS_PSA_CRYPTO_C,
427  *           either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
428  *           the PSA ITS interface
429  */
430 #define MBEDTLS_PSA_CRYPTO_STORAGE_C
431 
432 /* \} name SECTION: mbed TLS modules */
433 
434 /**
435  * \name SECTION: General configuration options
436  *
437  * This section contains Mbed TLS build settings that are not associated
438  * with a particular module.
439  *
440  * \{
441  */
442 
443 /**
444  * \def MBEDTLS_CONFIG_FILE
445  *
446  * If defined, this is a header which will be included instead of
447  * `"mbedtls/mbedtls_config.h"`.
448  * This header file specifies the compile-time configuration of Mbed TLS.
449  * Unlike other configuration options, this one must be defined on the
450  * compiler command line: a definition in `mbedtls_config.h` would have
451  * no effect.
452  *
453  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
454  * non-standard feature of the C language, so this feature is only available
455  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
456  *
457  * The value of this symbol is typically a path in double quotes, either
458  * absolute or relative to a directory on the include search path.
459  */
460 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
461 
462 /**
463  * \def MBEDTLS_USER_CONFIG_FILE
464  *
465  * If defined, this is a header which will be included after
466  * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
467  * This allows you to modify the default configuration, including the ability
468  * to undefine options that are enabled by default.
469  *
470  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
471  * non-standard feature of the C language, so this feature is only available
472  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
473  *
474  * The value of this symbol is typically a path in double quotes, either
475  * absolute or relative to a directory on the include search path.
476  */
477 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
478 
479 /**
480  * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
481  *
482  * If defined, this is a header which will be included instead of
483  * `"psa/crypto_config.h"`.
484  * This header file specifies which cryptographic mechanisms are available
485  * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
486  * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
487  *
488  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
489  * non-standard feature of the C language, so this feature is only available
490  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
491  *
492  * The value of this symbol is typically a path in double quotes, either
493  * absolute or relative to a directory on the include search path.
494  */
495 //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
496 
497 /**
498  * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
499  *
500  * If defined, this is a header which will be included after
501  * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
502  * This allows you to modify the default configuration, including the ability
503  * to undefine options that are enabled by default.
504  *
505  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
506  * non-standard feature of the C language, so this feature is only available
507  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
508  *
509  * The value of this symbol is typically a path in double quotes, either
510  * absolute or relative to a directory on the include search path.
511  */
512 //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
513 
514 /** \} name SECTION: General configuration options */
515 
516 /**
517  * \name SECTION: Module configuration options
518  *
519  * This section allows for the setting of module specific sizes and
520  * configuration options. The default values are already present in the
521  * relevant header files and should suffice for the regular use cases.
522  *
523  * Our advice is to enable options and change their values here
524  * only if you have a good reason and know the consequences.
525  *
526  * Please check the respective header file for documentation on these
527  * parameters (to prevent duplicate documentation).
528  * \{
529  */
530 
531 /* ECP options */
532 #define MBEDTLS_ECP_FIXED_POINT_OPTIM        0 /**< Disable fixed-point speed-up */
533 
534 /* \} name SECTION: Customisation configuration options */
535 
536 #if CRYPTO_NV_SEED
537 #include "tfm_mbedcrypto_config_extra_nv_seed.h"
538 #endif /* CRYPTO_NV_SEED */
539 
540 #if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
541 #include "mbedtls_entropy_nv_seed_config.h"
542 #endif
543 
544 #ifdef CRYPTO_HW_ACCELERATOR
545 #include "mbedtls_accelerator_config.h"
546 #endif
547 
548 #endif /* MBEDTLS_CONFIG_H */
549