1 /**
2  * \file config.h
3  *
4  * \brief Configuration options (set of defines)
5  *
6  *  This set of compile-time options may be used to enable
7  *  or disable features selectively, and reduce the global
8  *  memory footprint.
9  */
10 /*
11  *  Copyright (C) 2006-2022, ARM Limited, All Rights Reserved
12  *  SPDX-License-Identifier: Apache-2.0
13  *
14  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
15  *  not use this file except in compliance with the License.
16  *  You may obtain a copy of the License at
17  *
18  *  http://www.apache.org/licenses/LICENSE-2.0
19  *
20  *  Unless required by applicable law or agreed to in writing, software
21  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23  *  See the License for the specific language governing permissions and
24  *  limitations under the License.
25  *
26  *  This file is part of mbed TLS (https://tls.mbed.org)
27  */
28 
29 #ifndef MBEDTLS_CONFIG_H
30 #define MBEDTLS_CONFIG_H
31 
32 #include "config_tfm.h"
33 
34 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
35 #define _CRT_SECURE_NO_DEPRECATE 1
36 #endif
37 
38 /**
39  * \name SECTION: System support
40  *
41  * This section sets system specific settings.
42  * \{
43  */
44 
45 /**
46  * \def MBEDTLS_HAVE_ASM
47  *
48  * The compiler has support for asm().
49  *
50  * Requires support for asm() in compiler.
51  *
52  * Used in:
53  *      library/aria.c
54  *      library/timing.c
55  *      include/mbedtls/bn_mul.h
56  *
57  * Required by:
58  *      MBEDTLS_AESNI_C
59  *      MBEDTLS_PADLOCK_C
60  *
61  * Comment to disable the use of assembly code.
62  */
63 
64 /* Due to an outstanding bug with mbedtls and arm compiler 6, this feature is
65  * disabled temporarily on cortex-m0 and m0-plus.
66  * https://github.com/ARMmbed/mbedtls/issues/1077
67  */
68 #define MBEDTLS_HAVE_ASM
69 
70 /**
71  * \def MBEDTLS_HAVE_TIME
72  *
73  * System has time.h and time().
74  * The time does not need to be correct, only time differences are used,
75  * by contrast with MBEDTLS_HAVE_TIME_DATE
76  *
77  * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
78  * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
79  * MBEDTLS_PLATFORM_STD_TIME.
80  *
81  * Comment if your system does not support time functions
82  */
83 //#define MBEDTLS_HAVE_TIME
84 
85 /**
86  * \def MBEDTLS_HAVE_TIME_DATE
87  *
88  * System has time.h, time(), and an implementation for
89  * mbedtls_platform_gmtime_r() (see below).
90  * The time needs to be correct (not necessarily very accurate, but at least
91  * the date should be correct). This is used to verify the validity period of
92  * X.509 certificates.
93  *
94  * Comment if your system does not have a correct clock.
95  *
96  * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
97  * behaves similarly to the gmtime_r() function from the C standard. Refer to
98  * the documentation for mbedtls_platform_gmtime_r() for more information.
99  *
100  * \note It is possible to configure an implementation for
101  * mbedtls_platform_gmtime_r() at compile-time by using the macro
102  * MBEDTLS_PLATFORM_GMTIME_R_ALT.
103  */
104 //#define MBEDTLS_HAVE_TIME_DATE
105 
106 /**
107  * \def MBEDTLS_PLATFORM_MEMORY
108  *
109  * Enable the memory allocation layer.
110  *
111  * By default mbed TLS uses the system-provided calloc() and free().
112  * This allows different allocators (self-implemented or provided) to be
113  * provided to the platform abstraction layer.
114  *
115  * Enabling MBEDTLS_PLATFORM_MEMORY without the
116  * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
117  * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
118  * free() function pointer at runtime.
119  *
120  * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
121  * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
122  * alternate function at compile time.
123  *
124  * Requires: MBEDTLS_PLATFORM_C
125  *
126  * Enable this layer to allow use of alternative memory allocators.
127  */
128 #define MBEDTLS_PLATFORM_MEMORY
129 
130 /* \} name SECTION: System support */
131 
132 /**
133  * \name SECTION: mbed TLS feature support
134  *
135  * This section sets support for features that are or are not needed
136  * within the modules that are enabled.
137  * \{
138  */
139 
140 /**
141  * \def MBEDTLS_ECP_NIST_OPTIM
142  *
143  * Enable specific 'modulo p' routines for each NIST prime.
144  * Depending on the prime and architecture, makes operations 4 to 8 times
145  * faster on the corresponding curve.
146  *
147  * Comment this macro to disable NIST curves optimisation.
148  */
149 #define MBEDTLS_ECP_NIST_OPTIM
150 
151 /**
152  * \def MBEDTLS_PK_PARSE_EC_EXTENDED
153  *
154  * Enhance support for reading EC keys using variants of SEC1 not allowed by
155  * RFC 5915 and RFC 5480.
156  *
157  * Currently this means parsing the SpecifiedECDomain choice of EC
158  * parameters (only known groups are supported, not arbitrary domains, to
159  * avoid validation issues).
160  *
161  * Disable if you only need to support RFC 5915 + 5480 key formats.
162  */
163 #define MBEDTLS_PK_PARSE_EC_EXTENDED
164 
165 /**
166  * \def MBEDTLS_NO_PLATFORM_ENTROPY
167  *
168  * Do not use built-in platform entropy functions.
169  * This is useful if your platform does not support
170  * standards like the /dev/urandom or Windows CryptoAPI.
171  *
172  * Uncomment this macro to disable the built-in platform entropy functions.
173  */
174 #define MBEDTLS_NO_PLATFORM_ENTROPY
175 
176 /**
177  * \def MBEDTLS_ENTROPY_NV_SEED
178  *
179  * Enable the non-volatile (NV) seed file-based entropy source.
180  * (Also enables the NV seed read/write functions in the platform layer)
181  *
182  * This is crucial (if not required) on systems that do not have a
183  * cryptographic entropy source (in hardware or kernel) available.
184  *
185  * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
186  *
187  * \note The read/write functions that are used by the entropy source are
188  *       determined in the platform layer, and can be modified at runtime and/or
189  *       compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
190  *
191  * \note If you use the default implementation functions that read a seedfile
192  *       with regular fopen(), please make sure you make a seedfile with the
193  *       proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
194  *       least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
195  *       and written to or you will get an entropy source error! The default
196  *       implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
197  *       bytes from the file.
198  *
199  * \note The entropy collector will write to the seed file before entropy is
200  *       given to an external source, to update it.
201  */
202 #define MBEDTLS_ENTROPY_NV_SEED
203 
204 /**
205  * \def MBEDTLS_PK_RSA_ALT_SUPPORT
206  *
207  * Support external private RSA keys (eg from a HSM) in the PK layer.
208  *
209  * Comment this macro to disable support for external private RSA keys.
210  */
211 #define MBEDTLS_PK_RSA_ALT_SUPPORT
212 
213 /**
214  * \def MBEDTLS_PSA_CRYPTO_SPM
215  *
216  * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
217  * Partition Manager) integration which separates the code into two parts: a
218  * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
219  * Environment).
220  *
221  * Module:  library/psa_crypto.c
222  * Requires: MBEDTLS_PSA_CRYPTO_C
223  *
224  */
225 #define MBEDTLS_PSA_CRYPTO_SPM
226 
227 /**
228  * \def MBEDTLS_PSA_CRYPTO_CONFIG
229  *
230  * This setting allows support for cryptographic mechanisms through the PSA
231  * API to be configured separately from support through the mbedtls API.
232  *
233  * When this option is disabled, the PSA API exposes the cryptographic
234  * mechanisms that can be implemented on top of the `mbedtls_xxx` API
235  * configured with `MBEDTLS_XXX` symbols.
236  *
237  * When this option is enabled, the PSA API exposes the cryptographic
238  * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
239  * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
240  * automatically enabled if required (i.e. if no PSA driver provides the
241  * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
242  * in mbedtls_config.h.
243  *
244  * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
245  * an alternative header to include instead of include/psa/crypto_config.h.
246  *
247  * This feature is still experimental and is not ready for production since
248  * it is not completed.
249  */
250 #define MBEDTLS_PSA_CRYPTO_CONFIG
251 
252 /* \} name SECTION: mbed TLS feature support */
253 
254 /**
255  * \name SECTION: mbed TLS modules
256  *
257  * This section enables or disables entire modules in mbed TLS
258  * \{
259  */
260 
261 /**
262  * \def MBEDTLS_AES_C
263  *
264  * Enable the AES block cipher.
265  *
266  * Module:  library/aes.c
267  * Caller:  library/cipher.c
268  *          library/pem.c
269  *          library/ctr_drbg.c
270  *
271  * This module is required to support the TLS ciphersuites that use the AES
272  * cipher.
273  *
274  * PEM_PARSE uses AES for decrypting encrypted keys.
275  */
276 #define MBEDTLS_AES_C
277 
278 /**
279  * \def MBEDTLS_CIPHER_C
280  *
281  * Enable the generic cipher layer.
282  *
283  * Module:  library/cipher.c
284  *
285  * Uncomment to enable generic cipher wrappers.
286  */
287 #define MBEDTLS_CIPHER_C
288 
289 /**
290  * \def MBEDTLS_CTR_DRBG_C
291  *
292  * Enable the CTR_DRBG AES-based random generator.
293  * The CTR_DRBG generator uses AES-256 by default.
294  * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
295  *
296  * Module:  library/ctr_drbg.c
297  * Caller:
298  *
299  * Requires: MBEDTLS_AES_C
300  *
301  * This module provides the CTR_DRBG AES random number generator.
302  */
303 //#define MBEDTLS_CTR_DRBG_C
304 
305 /**
306  * \def MBEDTLS_ENTROPY_C
307  *
308  * Enable the platform-specific entropy code.
309  *
310  * Module:  library/entropy.c
311  * Caller:
312  *
313  * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
314  *
315  * This module provides a generic entropy pool
316  */
317 #define MBEDTLS_ENTROPY_C
318 
319 /**
320  * \def MBEDTLS_HKDF_C
321  *
322  * Enable the HKDF algorithm (RFC 5869).
323  *
324  * Module:  library/hkdf.c
325  * Caller:
326  *
327  * Requires: MBEDTLS_MD_C
328  *
329  * This module adds support for the Hashed Message Authentication Code
330  * (HMAC)-based key derivation function (HKDF).
331  */
332 //#define MBEDTLS_HKDF_C /* Used for HUK deriviation */
333 
334 /**
335  * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
336  *
337  * Enable the buffer allocator implementation that makes use of a (stack)
338  * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
339  * calls)
340  *
341  * Module:  library/memory_buffer_alloc.c
342  *
343  * Requires: MBEDTLS_PLATFORM_C
344  *           MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
345  *
346  * Enable this module to enable the buffer memory allocator.
347  */
348 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C
349 
350 /**
351  * \def MBEDTLS_PLATFORM_C
352  *
353  * Enable the platform abstraction layer that allows you to re-assign
354  * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
355  *
356  * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
357  * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
358  * above to be specified at runtime or compile time respectively.
359  *
360  * \note This abstraction layer must be enabled on Windows (including MSYS2)
361  * as other module rely on it for a fixed snprintf implementation.
362  *
363  * Module:  library/platform.c
364  * Caller:  Most other .c files
365  *
366  * This module enables abstraction of common (libc) functions.
367  */
368 #define MBEDTLS_PLATFORM_C
369 
370 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
371 #define MBEDTLS_PLATFORM_STD_MEM_HDR   <stdlib.h>
372 
373 #include <stdio.h>
374 
375 #define MBEDTLS_PLATFORM_SNPRINTF_MACRO      snprintf
376 #define MBEDTLS_PLATFORM_PRINTF_ALT
377 #define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS  EXIT_SUCCESS
378 #define MBEDTLS_PLATFORM_STD_EXIT_FAILURE  EXIT_FAILURE
379 
380 /**
381  * \def MBEDTLS_PSA_CRYPTO_C
382  *
383  * Enable the Platform Security Architecture cryptography API.
384  *
385  * Module:  library/psa_crypto.c
386  *
387  * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
388  *
389  */
390 #define MBEDTLS_PSA_CRYPTO_C
391 
392 /**
393  * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
394  *
395  * Enable the Platform Security Architecture persistent key storage.
396  *
397  * Module:  library/psa_crypto_storage.c
398  *
399  * Requires: MBEDTLS_PSA_CRYPTO_C,
400  *           either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
401  *           the PSA ITS interface
402  */
403 #define MBEDTLS_PSA_CRYPTO_STORAGE_C
404 
405 /* \} name SECTION: mbed TLS modules */
406 
407 /**
408  * \name SECTION: General configuration options
409  *
410  * This section contains Mbed TLS build settings that are not associated
411  * with a particular module.
412  *
413  * \{
414  */
415 
416 /**
417  * \def MBEDTLS_CONFIG_FILE
418  *
419  * If defined, this is a header which will be included instead of
420  * `"mbedtls/mbedtls_config.h"`.
421  * This header file specifies the compile-time configuration of Mbed TLS.
422  * Unlike other configuration options, this one must be defined on the
423  * compiler command line: a definition in `mbedtls_config.h` would have
424  * no effect.
425  *
426  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
427  * non-standard feature of the C language, so this feature is only available
428  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
429  *
430  * The value of this symbol is typically a path in double quotes, either
431  * absolute or relative to a directory on the include search path.
432  */
433 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
434 
435 /**
436  * \def MBEDTLS_USER_CONFIG_FILE
437  *
438  * If defined, this is a header which will be included after
439  * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
440  * This allows you to modify the default configuration, including the ability
441  * to undefine options that are enabled by default.
442  *
443  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
444  * non-standard feature of the C language, so this feature is only available
445  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
446  *
447  * The value of this symbol is typically a path in double quotes, either
448  * absolute or relative to a directory on the include search path.
449  */
450 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
451 
452 /**
453  * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
454  *
455  * If defined, this is a header which will be included instead of
456  * `"psa/crypto_config.h"`.
457  * This header file specifies which cryptographic mechanisms are available
458  * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
459  * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
460  *
461  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
462  * non-standard feature of the C language, so this feature is only available
463  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
464  *
465  * The value of this symbol is typically a path in double quotes, either
466  * absolute or relative to a directory on the include search path.
467  */
468 //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
469 
470 /**
471  * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
472  *
473  * If defined, this is a header which will be included after
474  * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
475  * This allows you to modify the default configuration, including the ability
476  * to undefine options that are enabled by default.
477  *
478  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
479  * non-standard feature of the C language, so this feature is only available
480  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
481  *
482  * The value of this symbol is typically a path in double quotes, either
483  * absolute or relative to a directory on the include search path.
484  */
485 //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
486 
487 /** \} name SECTION: General configuration options */
488 
489 /**
490  * \name SECTION: Module configuration options
491  *
492  * This section allows for the setting of module specific sizes and
493  * configuration options. The default values are already present in the
494  * relevant header files and should suffice for the regular use cases.
495  *
496  * Our advice is to enable options and change their values here
497  * only if you have a good reason and know the consequences.
498  *
499  * Please check the respective header file for documentation on these
500  * parameters (to prevent duplicate documentation).
501  * \{
502  */
503 
504 /* ECP options */
505 #define MBEDTLS_ECP_FIXED_POINT_OPTIM        0 /**< Disable fixed-point speed-up */
506 
507 /* \} name SECTION: Customisation configuration options */
508 
509 #if CRYPTO_NV_SEED
510 #include "tfm_mbedcrypto_config_extra_nv_seed.h"
511 #endif /* CRYPTO_NV_SEED */
512 
513 #if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
514 #include "mbedtls_entropy_nv_seed_config.h"
515 #endif
516 
517 #ifdef CRYPTO_HW_ACCELERATOR
518 #include "mbedtls_accelerator_config.h"
519 #endif
520 
521 #endif /* MBEDTLS_CONFIG_H */
522