1 /** 2 * 3 * \brief Default mbedTLS configuration options for ESP-IDF 4 * 5 * This set of compile-time options may be used to enable 6 * or disable features selectively, and reduce the global 7 * memory footprint. 8 */ 9 /* 10 * Copyright The Mbed TLS Contributors 11 * SPDX-License-Identifier: Apache-2.0 12 * 13 * This set of compile-time options may be used to enable 14 * or disable features selectively, and reduce the global 15 * memory footprint. 16 * 17 * SPDX-FileCopyrightText: The Mbed TLS Contributors 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 */ 25 #ifndef ESP_CONFIG_H 26 #define ESP_CONFIG_H 27 28 #include "sdkconfig.h" 29 #include "mbedtls/mbedtls_config.h" 30 #include "soc/soc_caps.h" 31 32 /** 33 * \name SECTION: System support 34 * 35 * This section sets system specific settings. 36 * \{ 37 */ 38 39 /** 40 * \def MBEDTLS_HAVE_TIME 41 * 42 * System has time.h and time(). 43 * The time does not need to be correct, only time differences are used, 44 * by contrast with MBEDTLS_HAVE_TIME_DATE 45 * 46 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, 47 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and 48 * MBEDTLS_PLATFORM_STD_TIME. 49 * 50 * Comment if your system does not support time functions. 51 * 52 * \note If MBEDTLS_TIMING_C is set - to enable the semi-portable timing 53 * interface - timing.c will include time.h on suitable platforms 54 * regardless of the setting of MBEDTLS_HAVE_TIME, unless 55 * MBEDTLS_TIMING_ALT is used. See timing.c for more information. 56 */ 57 #ifdef CONFIG_MBEDTLS_HAVE_TIME 58 #define MBEDTLS_HAVE_TIME 59 #else 60 #undef MBEDTLS_HAVE_TIME 61 #endif 62 63 /** 64 * \def MBEDTLS_HAVE_TIME_DATE 65 * 66 * System has time.h and time(), gmtime() and the clock is correct. 67 * The time needs to be correct (not necesarily very accurate, but at least 68 * the date should be correct). This is used to verify the validity period of 69 * X.509 certificates. 70 * 71 * Comment if your system does not have a correct clock. 72 */ 73 #ifdef CONFIG_MBEDTLS_HAVE_TIME_DATE 74 #define MBEDTLS_HAVE_TIME_DATE 75 #else 76 #undef MBEDTLS_HAVE_TIME_DATE 77 #endif 78 79 80 /** 81 * \def MBEDTLS_PLATFORM_TIME_ALT 82 * 83 * mbed TLS will provide a function "mbedtls_platform_set_time()" 84 * that allows you to set an alternative time function pointer. 85 * 86 * All these define require MBEDTLS_PLATFORM_C to be defined! 87 * 88 * \warning MBEDTLS_PLATFORM_TIME_ALT cannot be defined at the same time as 89 * MBEDTLS_PLATFORM_TIME_MACRO! 90 * 91 * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME 92 */ 93 #ifdef CONFIG_MBEDTLS_PLATFORM_TIME_ALT 94 #define MBEDTLS_PLATFORM_TIME_ALT 95 #else 96 #undef MBEDTLS_PLATFORM_TIME_ALT 97 #endif 98 99 /** 100 * \def MBEDTLS_PLATFORM_MEMORY 101 * 102 * Enable the memory allocation layer. 103 * 104 * By default mbed TLS uses the system-provided calloc() and free(). 105 * This allows different allocators (self-implemented or provided) to be 106 * provided to the platform abstraction layer. 107 * 108 * Enabling MBEDTLS_PLATFORM_MEMORY without the 109 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 110 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 111 * free() function pointer at runtime. 112 * 113 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 114 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 115 * alternate function at compile time. 116 * 117 * Requires: MBEDTLS_PLATFORM_C 118 * 119 * Enable this layer to allow use of alternative memory allocators. 120 */ 121 #define MBEDTLS_PLATFORM_MEMORY 122 123 /** Override calloc(), free() except for case where memory allocation scheme is not set to custom */ 124 #ifndef CONFIG_MBEDTLS_CUSTOM_MEM_ALLOC 125 #include "esp_mem.h" 126 #define MBEDTLS_PLATFORM_STD_CALLOC esp_mbedtls_mem_calloc 127 #define MBEDTLS_PLATFORM_STD_FREE esp_mbedtls_mem_free 128 #endif 129 130 /* \} name SECTION: System support */ 131 132 /** 133 * \name SECTION: mbed TLS feature support 134 * 135 * This section sets support for features that are or are not needed 136 * within the modules that are enabled. 137 * \{ 138 */ 139 140 /* The following units have ESP32 hardware support, 141 uncommenting each _ALT macro will use the 142 hardware-accelerated implementation. */ 143 #ifdef CONFIG_MBEDTLS_HARDWARE_AES 144 #define MBEDTLS_AES_ALT 145 #else 146 #undef MBEDTLS_AES_ALT 147 #endif 148 149 #ifdef CONFIG_MBEDTLS_HARDWARE_AES 150 #define MBEDTLS_GCM_ALT 151 #endif 152 153 /* MBEDTLS_SHAxx_ALT to enable hardware SHA support 154 with software fallback. 155 */ 156 #ifdef CONFIG_MBEDTLS_HARDWARE_SHA 157 #define MBEDTLS_SHA1_ALT 158 #define MBEDTLS_SHA256_ALT 159 160 #if SOC_SHA_SUPPORT_SHA512 161 #define MBEDTLS_SHA512_ALT 162 #else 163 #undef MBEDTLS_SHA512_ALT 164 #endif 165 166 #else 167 #undef MBEDTLS_SHA1_ALT 168 #undef MBEDTLS_SHA256_ALT 169 #undef MBEDTLS_SHA512_ALT 170 #endif 171 172 /* MBEDTLS_MDx_ALT to enable ROM MD support 173 with software fallback. 174 */ 175 #ifdef CONFIG_MBEDTLS_ROM_MD5 176 #define MBEDTLS_MD5_ALT 177 #else 178 #undef MBEDTLS_MD5_ALT 179 #endif 180 181 /* The following MPI (bignum) functions have hardware support. 182 * Uncommenting these macros will use the hardware-accelerated 183 * implementations. 184 */ 185 #ifdef CONFIG_MBEDTLS_HARDWARE_MPI 186 #ifdef CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI 187 /* Prefer hardware and fallback to software */ 188 #define MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK 189 #else 190 /* Hardware only mode */ 191 #define MBEDTLS_MPI_EXP_MOD_ALT 192 #endif 193 #define MBEDTLS_MPI_MUL_MPI_ALT 194 #else 195 #undef MBEDTLS_MPI_EXP_MOD_ALT_FALLBACK 196 #undef MBEDTLS_MPI_EXP_MOD_ALT 197 #undef MBEDTLS_MPI_MUL_MPI_ALT 198 #endif 199 200 #ifdef CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN 201 #define MBEDTLS_ECDSA_SIGN_ALT 202 #endif 203 204 #ifdef CONFIG_MBEDTLS_ATCA_HW_ECDSA_VERIFY 205 #define MBEDTLS_ECDSA_VERIFY_ALT 206 #endif 207 208 #ifdef CONFIG_MBEDTLS_HARDWARE_ECC 209 #ifdef CONFIG_MBEDTLS_ECC_OTHER_CURVES_SOFT_FALLBACK 210 /* Use hardware accelerator for SECP192R1 and SECP256R1 curves, 211 * software implementation for rest of the curves 212 */ 213 #define MBEDTLS_ECP_MUL_ALT_SOFT_FALLBACK 214 #define MBEDTLS_ECP_VERIFY_ALT_SOFT_FALLBACK 215 #else 216 /* Only hardware accelerator support */ 217 #define MBEDTLS_ECP_MUL_ALT 218 #define MBEDTLS_ECP_VERIFY_ALT 219 #endif 220 221 #else 222 #undef MBEDTLS_ECP_MUL_ALT 223 #undef MBEDTLS_ECP_MUL_ALT_SOFT_FALLBACK 224 #undef MBEDTLS_ECP_VERIFY_ALT 225 #undef MBEDTLS_ECP_VERIFY_ALT_SOFT_FALLBACK 226 #endif 227 228 /** 229 * \def MBEDTLS_ENTROPY_HARDWARE_ALT 230 * 231 * Uncomment this macro to let mbed TLS use your own implementation of a 232 * hardware entropy collector. 233 * 234 * Your function must be called \c mbedtls_hardware_poll(), have the same 235 * prototype as declared in entropy_poll.h, and accept NULL as first argument. 236 * 237 * Uncomment to use your own hardware entropy collector. 238 */ 239 #define MBEDTLS_ENTROPY_HARDWARE_ALT 240 241 /** 242 * \def MBEDTLS_AES_ROM_TABLES 243 * 244 * Store the AES tables in ROM. 245 * 246 * Uncomment this macro to store the AES tables in ROM. 247 */ 248 #define MBEDTLS_AES_ROM_TABLES 249 250 /** 251 * \def MBEDTLS_CIPHER_MODE_CBC 252 * 253 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. 254 */ 255 #define MBEDTLS_CIPHER_MODE_CBC 256 257 /** 258 * \def MBEDTLS_CIPHER_MODE_CFB 259 * 260 * Enable Cipher Feedback mode (CFB) for symmetric ciphers. 261 */ 262 #define MBEDTLS_CIPHER_MODE_CFB 263 264 /** 265 * \def MBEDTLS_CIPHER_MODE_CTR 266 * 267 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. 268 */ 269 #define MBEDTLS_CIPHER_MODE_CTR 270 271 /** 272 * \def MBEDTLS_CIPHER_MODE_OFB 273 * 274 * Enable Output Feedback mode (OFB) for symmetric ciphers. 275 */ 276 #define MBEDTLS_CIPHER_MODE_OFB 277 278 /** 279 * \def MBEDTLS_CIPHER_MODE_XTS 280 * 281 * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. 282 */ 283 #define MBEDTLS_CIPHER_MODE_XTS 284 285 /** 286 * \def MBEDTLS_CIPHER_PADDING_PKCS7 287 * 288 * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for 289 * specific padding modes in the cipher layer with cipher modes that support 290 * padding (e.g. CBC) 291 * 292 * If you disable all padding modes, only full blocks can be used with CBC. 293 * 294 * Enable padding modes in the cipher layer. 295 */ 296 #define MBEDTLS_CIPHER_PADDING_PKCS7 297 #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS 298 #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN 299 #define MBEDTLS_CIPHER_PADDING_ZEROS 300 301 /** 302 * \def MBEDTLS_ECP_RESTARTABLE 303 * 304 * Enable "non-blocking" ECC operations that can return early and be resumed. 305 * 306 * This allows various functions to pause by returning 307 * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module, 308 * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in 309 * order to further progress and eventually complete their operation. This is 310 * controlled through mbedtls_ecp_set_max_ops() which limits the maximum 311 * number of ECC operations a function may perform before pausing; see 312 * mbedtls_ecp_set_max_ops() for more information. 313 * 314 * This is useful in non-threaded environments if you want to avoid blocking 315 * for too long on ECC (and, hence, X.509 or SSL/TLS) operations. 316 * 317 * This option: 318 * - Adds xxx_restartable() variants of existing operations in the 319 * following modules, with corresponding restart context types: 320 * - ECP (for Short Weierstrass curves only): scalar multiplication (mul), 321 * linear combination (muladd); 322 * - ECDSA: signature generation & verification; 323 * - PK: signature generation & verification; 324 * - X509: certificate chain verification. 325 * - Adds mbedtls_ecdh_enable_restart() in the ECDH module. 326 * - Changes the behaviour of TLS 1.2 clients (not servers) when using the 327 * ECDHE-ECDSA key exchange (not other key exchanges) to make all ECC 328 * computations restartable: 329 * - ECDH operations from the key exchange, only for Short Weierstrass 330 * curves, only when MBEDTLS_USE_PSA_CRYPTO is not enabled. 331 * - verification of the server's key exchange signature; 332 * - verification of the server's certificate chain; 333 * - generation of the client's signature if client authentication is used, 334 * with an ECC key/certificate. 335 * 336 * \note In the cases above, the usual SSL/TLS functions, such as 337 * mbedtls_ssl_handshake(), can now return 338 * MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS. 339 * 340 * \note This option only works with the default software implementation of 341 * elliptic curve functionality. It is incompatible with 342 * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT. 343 * 344 * Requires: MBEDTLS_ECP_C 345 * 346 * Uncomment this macro to enable restartable ECC computations. 347 */ 348 #ifdef CONFIG_MBEDTLS_ECP_RESTARTABLE 349 #define MBEDTLS_ECP_RESTARTABLE 350 #endif 351 352 /** 353 * \def MBEDTLS_ECDH_LEGACY_CONTEXT 354 * 355 * Use a backward compatible ECDH context. 356 * 357 * Mbed TLS supports two formats for ECDH contexts (#mbedtls_ecdh_context 358 * defined in `ecdh.h`). For most applications, the choice of format makes 359 * no difference, since all library functions can work with either format, 360 * except that the new format is incompatible with MBEDTLS_ECP_RESTARTABLE. 361 362 * The new format used when this option is disabled is smaller 363 * (56 bytes on a 32-bit platform). In future versions of the library, it 364 * will support alternative implementations of ECDH operations. 365 * The new format is incompatible with applications that access 366 * context fields directly and with restartable ECP operations. 367 * 368 * Define this macro if you enable MBEDTLS_ECP_RESTARTABLE or if you 369 * want to access ECDH context fields directly. Otherwise you should 370 * comment out this macro definition. 371 * 372 * This option has no effect if #MBEDTLS_ECDH_C is not enabled. 373 * 374 * \note This configuration option is experimental. Future versions of the 375 * library may modify the way the ECDH context layout is configured 376 * and may modify the layout of the new context type. 377 */ 378 #ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT 379 #define MBEDTLS_ECDH_LEGACY_CONTEXT 380 #endif 381 382 /** 383 * \def MBEDTLS_CMAC_C 384 * 385 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block 386 * ciphers. 387 * 388 * \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying 389 * implementation of the CMAC algorithm is provided by an alternate 390 * implementation, that alternate implementation may opt to not support 391 * AES-192 or 3DES as underlying block ciphers for the CMAC operation. 392 * 393 * Module: library/cmac.c 394 * 395 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C 396 * 397 */ 398 #ifdef CONFIG_MBEDTLS_CMAC_C 399 #define MBEDTLS_CMAC_C 400 #endif 401 402 /** 403 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED 404 * 405 * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve 406 * module. By default all supported curves are enabled. 407 * 408 * Comment macros to disable the curve and functions for it 409 */ 410 /* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */ 411 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED 412 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED 413 #else 414 #undef MBEDTLS_ECP_DP_SECP192R1_ENABLED 415 #endif 416 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED 417 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED 418 #else 419 #undef MBEDTLS_ECP_DP_SECP224R1_ENABLED 420 #endif 421 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED 422 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED 423 #else 424 #undef MBEDTLS_ECP_DP_SECP256R1_ENABLED 425 #endif 426 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED 427 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED 428 #else 429 #undef MBEDTLS_ECP_DP_SECP384R1_ENABLED 430 #endif 431 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED 432 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED 433 #else 434 #undef MBEDTLS_ECP_DP_SECP521R1_ENABLED 435 #endif 436 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED 437 #define MBEDTLS_ECP_DP_SECP192K1_ENABLED 438 #else 439 #undef MBEDTLS_ECP_DP_SECP192K1_ENABLED 440 #endif 441 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED 442 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED 443 #else 444 #undef MBEDTLS_ECP_DP_SECP224K1_ENABLED 445 #endif 446 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED 447 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED 448 #else 449 #undef MBEDTLS_ECP_DP_SECP256K1_ENABLED 450 #endif 451 #ifdef CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED 452 #define MBEDTLS_ECP_DP_BP256R1_ENABLED 453 #else 454 #undef MBEDTLS_ECP_DP_BP256R1_ENABLED 455 #endif 456 #ifdef CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED 457 #define MBEDTLS_ECP_DP_BP384R1_ENABLED 458 #else 459 #undef MBEDTLS_ECP_DP_BP384R1_ENABLED 460 #endif 461 #ifdef CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED 462 #define MBEDTLS_ECP_DP_BP512R1_ENABLED 463 #else 464 #undef MBEDTLS_ECP_DP_BP512R1_ENABLED 465 #endif 466 /* Montgomery curves (supporting ECP) */ 467 #ifdef CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED 468 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED 469 #else 470 #undef MBEDTLS_ECP_DP_CURVE25519_ENABLED 471 #endif 472 #ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED 473 #undef MBEDTLS_ECP_DP_CURVE448_ENABLED 474 #endif 475 476 /** 477 * \def MBEDTLS_ECP_NIST_OPTIM 478 * 479 * Enable specific 'modulo p' routines for each NIST prime. 480 * Depending on the prime and architecture, makes operations 4 to 8 times 481 * faster on the corresponding curve. 482 * 483 * Comment this macro to disable NIST curves optimisation. 484 */ 485 #ifdef CONFIG_MBEDTLS_ECP_NIST_OPTIM 486 #define MBEDTLS_ECP_NIST_OPTIM 487 #else 488 #undef MBEDTLS_ECP_NIST_OPTIM 489 #endif 490 491 /** 492 * \def MBEDTLS_ECDSA_DETERMINISTIC 493 * 494 * Enable deterministic ECDSA (RFC 6979). 495 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing 496 * may result in a compromise of the long-term signing key. This is avoided by 497 * the deterministic variant. 498 * 499 * Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C 500 * 501 * Comment this macro to disable deterministic ECDSA. 502 */ 503 #ifdef CONFIG_MBEDTLS_ECDSA_DETERMINISTIC 504 #define MBEDTLS_ECDSA_DETERMINISTIC 505 #else 506 #undef MBEDTLS_ECDSA_DETERMINISTIC 507 #endif 508 509 /** 510 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 511 * 512 * Enable the PSK based ciphersuite modes in SSL / TLS. 513 * 514 * This enables the following ciphersuites (if other requisites are 515 * enabled as well): 516 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 517 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 518 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 519 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 520 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 521 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 522 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 523 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 524 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 525 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 526 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 527 */ 528 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_PSK 529 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 530 #else 531 #undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 532 #endif 533 534 /** 535 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 536 * 537 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS. 538 * 539 * Requires: MBEDTLS_DHM_C 540 * 541 * This enables the following ciphersuites (if other requisites are 542 * enabled as well): 543 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 544 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 545 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 546 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 547 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 548 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 549 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 550 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 551 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 552 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 553 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 554 */ 555 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK 556 #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 557 #else 558 #undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 559 #endif 560 561 /** 562 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 563 * 564 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. 565 * 566 * Requires: MBEDTLS_ECDH_C 567 * 568 * This enables the following ciphersuites (if other requisites are 569 * enabled as well): 570 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 571 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 572 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 573 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 574 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 575 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 576 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 577 */ 578 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK 579 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 580 #else 581 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 582 #endif 583 584 /** 585 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 586 * 587 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS. 588 * 589 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 590 * MBEDTLS_X509_CRT_PARSE_C 591 * 592 * This enables the following ciphersuites (if other requisites are 593 * enabled as well): 594 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 595 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 596 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 597 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 598 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 599 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 600 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 601 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 602 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 603 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 604 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 605 */ 606 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK 607 #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 608 #else 609 #undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 610 #endif 611 612 /** 613 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 614 * 615 * Enable the RSA-only based ciphersuite modes in SSL / TLS. 616 * 617 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 618 * MBEDTLS_X509_CRT_PARSE_C 619 * 620 * This enables the following ciphersuites (if other requisites are 621 * enabled as well): 622 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 623 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 624 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 625 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 626 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 627 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 628 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 629 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 630 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 631 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 632 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 633 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 634 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 635 */ 636 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA 637 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 638 #else 639 #undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 640 #endif 641 642 /** 643 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 644 * 645 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS. 646 * 647 * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 648 * MBEDTLS_X509_CRT_PARSE_C 649 * 650 * This enables the following ciphersuites (if other requisites are 651 * enabled as well): 652 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 653 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 654 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 655 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 656 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 657 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 658 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 659 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 660 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 661 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 662 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 663 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 664 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 665 */ 666 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA 667 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 668 #else 669 #undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 670 #endif 671 672 /** 673 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 674 * 675 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. 676 * 677 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 678 * MBEDTLS_X509_CRT_PARSE_C 679 * 680 * This enables the following ciphersuites (if other requisites are 681 * enabled as well): 682 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 683 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 684 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 685 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 686 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 687 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 688 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 689 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 690 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 691 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 692 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 693 */ 694 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA 695 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 696 #else 697 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 698 #endif 699 700 /** 701 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 702 * 703 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. 704 * 705 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C, 706 * 707 * This enables the following ciphersuites (if other requisites are 708 * enabled as well): 709 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 710 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 711 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 712 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 713 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 714 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 715 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 716 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 717 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 718 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 719 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 720 */ 721 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA 722 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 723 #else 724 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 725 #endif 726 727 /** 728 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 729 * 730 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. 731 * 732 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C 733 * 734 * This enables the following ciphersuites (if other requisites are 735 * enabled as well): 736 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 737 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 738 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 739 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 740 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 741 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 742 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 743 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 744 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 745 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 746 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 747 */ 748 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA 749 #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 750 #else 751 #undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 752 #endif 753 754 /** 755 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 756 * 757 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. 758 * 759 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_X509_CRT_PARSE_C 760 * 761 * This enables the following ciphersuites (if other requisites are 762 * enabled as well): 763 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 764 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 765 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 766 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 767 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 768 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 769 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 770 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 771 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 772 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 773 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 774 */ 775 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA 776 #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 777 #else 778 #undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 779 #endif 780 781 /** 782 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 783 * 784 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. 785 * 786 * \warning This is currently experimental. EC J-PAKE support is based on the 787 * Thread v1.0.0 specification; incompatible changes to the specification 788 * might still happen. For this reason, this is disabled by default. 789 * 790 * Requires: MBEDTLS_ECJPAKE_C 791 * MBEDTLS_SHA256_C 792 * MBEDTLS_ECP_DP_SECP256R1_ENABLED 793 * 794 * This enables the following ciphersuites (if other requisites are 795 * enabled as well): 796 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 797 */ 798 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE 799 #define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 800 #else 801 #undef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 802 #endif 803 804 /** 805 * \def MBEDTLS_PK_PARSE_EC_EXTENDED 806 * 807 * Enhance support for reading EC keys using variants of SEC1 not allowed by 808 * RFC 5915 and RFC 5480. 809 * 810 * Currently this means parsing the SpecifiedECDomain choice of EC 811 * parameters (only known groups are supported, not arbitrary domains, to 812 * avoid validation issues). 813 * 814 * Disable if you only need to support RFC 5915 + 5480 key formats. 815 */ 816 #define MBEDTLS_PK_PARSE_EC_EXTENDED 817 818 /** 819 * \def MBEDTLS_ERROR_STRERROR_DUMMY 820 * 821 * Enable a dummy error function to make use of mbedtls_strerror() in 822 * third party libraries easier when MBEDTLS_ERROR_C is disabled 823 * (no effect when MBEDTLS_ERROR_C is enabled). 824 * 825 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're 826 * not using mbedtls_strerror() or error_strerror() in your application. 827 * 828 * Disable if you run into name conflicts and want to really remove the 829 * mbedtls_strerror() 830 */ 831 #define MBEDTLS_ERROR_STRERROR_DUMMY 832 833 /** 834 * \def MBEDTLS_GENPRIME 835 * 836 * Enable the prime-number generation code. 837 * 838 * Requires: MBEDTLS_BIGNUM_C 839 */ 840 #define MBEDTLS_GENPRIME 841 842 /** 843 * \def MBEDTLS_FS_IO 844 * 845 * Enable functions that use the filesystem. 846 */ 847 #define MBEDTLS_FS_IO 848 849 /** 850 * \def MBEDTLS_NO_PLATFORM_ENTROPY 851 * 852 * Do not use built-in platform entropy functions. 853 * This is useful if your platform does not support 854 * standards like the /dev/urandom or Windows CryptoAPI. 855 * 856 * Uncomment this macro to disable the built-in platform entropy functions. 857 */ 858 #define MBEDTLS_NO_PLATFORM_ENTROPY 859 860 /** 861 * \def MBEDTLS_PK_RSA_ALT_SUPPORT 862 * 863 * Support external private RSA keys (eg from a HSM) in the PK layer. 864 * 865 * Comment this macro to disable support for external private RSA keys. 866 */ 867 #define MBEDTLS_PK_RSA_ALT_SUPPORT 868 869 /** 870 * \def MBEDTLS_PKCS1_V15 871 * 872 * Enable support for PKCS#1 v1.5 encoding. 873 * 874 * Requires: MBEDTLS_RSA_C 875 * 876 * This enables support for PKCS#1 v1.5 operations. 877 */ 878 #define MBEDTLS_PKCS1_V15 879 880 /** 881 * \def MBEDTLS_PKCS1_V21 882 * 883 * Enable support for PKCS#1 v2.1 encoding. 884 * 885 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C 886 * 887 * This enables support for RSAES-OAEP and RSASSA-PSS operations. 888 */ 889 #define MBEDTLS_PKCS1_V21 890 891 /** 892 * \def MBEDTLS_SELF_TEST 893 * 894 * Enable the checkup functions (*_self_test). 895 */ 896 #define MBEDTLS_SELF_TEST 897 898 /** 899 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES 900 * 901 * Enable sending of alert messages in case of encountered errors as per RFC. 902 * If you choose not to send the alert messages, mbed TLS can still communicate 903 * with other servers, only debugging of failures is harder. 904 * 905 * The advantage of not sending alert messages, is that no information is given 906 * about reasons for failures thus preventing adversaries of gaining intel. 907 * 908 * Enable sending of all alert messages 909 */ 910 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES 911 912 /** 913 * \def MBEDTLS_SSL_DTLS_CONNECTION_ID 914 * 915 * Enable support for the DTLS Connection ID (CID) extension, 916 * which allows to identify DTLS connections across changes 917 * in the underlying transport. The CID functionality is described 918 * in RFC 9146. 919 * 920 * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, 921 * mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and 922 * `mbedtls_ssl_conf_cid()`. See the corresponding documentation for 923 * more information. 924 * 925 * The maximum lengths of outgoing and incoming CIDs can be configured 926 * through the options 927 * - MBEDTLS_SSL_CID_OUT_LEN_MAX 928 * - MBEDTLS_SSL_CID_IN_LEN_MAX. 929 * 930 * Requires: MBEDTLS_SSL_PROTO_DTLS 931 * 932 * Uncomment to enable the Connection ID extension. 933 */ 934 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID 935 #define MBEDTLS_SSL_DTLS_CONNECTION_ID 936 #else 937 #undef MBEDTLS_SSL_DTLS_CONNECTION_ID 938 #endif 939 940 /** 941 * \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 942 * 943 * Defines whether RFC 9146 (default) or the legacy version 944 * (version draft-ietf-tls-dtls-connection-id-05, 945 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) 946 * is used. 947 * 948 * Set the value to 0 for the standard version, and 949 * 1 for the legacy draft version. 950 * 951 * \deprecated Support for the legacy version of the DTLS 952 * Connection ID feature is deprecated. Please 953 * switch to the standardized version defined 954 * in RFC 9146 enabled by utilizing 955 * MBEDTLS_SSL_DTLS_CONNECTION_ID without use 956 * of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT. 957 * 958 * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID 959 */ 960 #undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 961 962 /** 963 * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION 964 * 965 * Enable serialization of the TLS context structures, through use of the 966 * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load(). 967 * 968 * This pair of functions allows one side of a connection to serialize the 969 * context associated with the connection, then free or re-use that context 970 * while the serialized state is persisted elsewhere, and finally deserialize 971 * that state to a live context for resuming read/write operations on the 972 * connection. From a protocol perspective, the state of the connection is 973 * unaffected, in particular this is entirely transparent to the peer. 974 * 975 * Note: this is distinct from TLS session resumption, which is part of the 976 * protocol and fully visible by the peer. TLS session resumption enables 977 * establishing new connections associated to a saved session with shorter, 978 * lighter handshakes, while context serialization is a local optimization in 979 * handling a single, potentially long-lived connection. 980 * 981 * Enabling these APIs makes some SSL structures larger, as 64 extra bytes are 982 * saved after the handshake to allow for more efficient serialization, so if 983 * you don't need this feature you'll save RAM by disabling it. 984 * 985 * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C 986 * 987 * Comment to disable the context serialization APIs. 988 */ 989 #ifdef CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION 990 #define MBEDTLS_SSL_CONTEXT_SERIALIZATION 991 #else 992 #undef MBEDTLS_SSL_CONTEXT_SERIALIZATION 993 #endif 994 995 /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC 996 * 997 * Enable support for Encrypt-then-MAC, RFC 7366. 998 * 999 * This allows peers that both support it to use a more robust protection for 1000 * ciphersuites using CBC, providing deep resistance against timing attacks 1001 * on the padding or underlying cipher. 1002 * 1003 * This only affects CBC ciphersuites, and is useless if none is defined. 1004 * 1005 * Requires: MBEDTLS_SSL_PROTO_TLS1_2 1006 * 1007 * Comment this macro to disable support for Encrypt-then-MAC 1008 */ 1009 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 1010 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC 1011 #else 1012 #undef MBEDTLS_SSL_ENCRYPT_THEN_MAC 1013 #endif 1014 1015 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET 1016 * 1017 * Enable support for RFC 7627: Session Hash and Extended Master Secret 1018 * Extension. 1019 * 1020 * This was introduced as "the proper fix" to the Triple Handshake family of 1021 * attacks, but it is recommended to always use it (even if you disable 1022 * renegotiation), since it actually fixes a more fundamental issue in the 1023 * original SSL/TLS design, and has implications beyond Triple Handshake. 1024 * 1025 * Requires: MBEDTLS_SSL_PROTO_TLS1_2 1026 * 1027 * Comment this macro to disable support for Extended Master Secret. 1028 */ 1029 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 1030 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET 1031 #else 1032 #undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET 1033 #endif 1034 1035 /** 1036 * \def MBEDTLS_SSL_FALLBACK_SCSV 1037 * 1038 * Enable support for RFC 7507: Fallback Signaling Cipher Suite Value (SCSV) 1039 * for Preventing Protocol Downgrade Attacks. 1040 * 1041 * For servers, it is recommended to always enable this, unless you support 1042 * only one version of TLS, or know for sure that none of your clients 1043 * implements a fallback strategy. 1044 * 1045 * For clients, you only need this if you're using a fallback strategy, which 1046 * is not recommended in the first place, unless you absolutely need it to 1047 * interoperate with buggy (version-intolerant) servers. 1048 * 1049 * Comment this macro to disable support for FALLBACK_SCSV 1050 */ 1051 #define MBEDTLS_SSL_FALLBACK_SCSV 1052 1053 /** 1054 * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1055 * 1056 * This option controls the availability of the API mbedtls_ssl_get_peer_cert() 1057 * giving access to the peer's certificate after completion of the handshake. 1058 * 1059 * Unless you need mbedtls_ssl_peer_cert() in your application, it is 1060 * recommended to disable this option for reduced RAM usage. 1061 * 1062 * \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still 1063 * defined, but always returns \c NULL. 1064 * 1065 * \note This option has no influence on the protection against the 1066 * triple handshake attack. Even if it is disabled, Mbed TLS will 1067 * still ensure that certificates do not change during renegotiation, 1068 * for example by keeping a hash of the peer's certificate. 1069 * 1070 * \note This option is required if MBEDTLS_SSL_PROTO_TLS1_3 is set. 1071 * 1072 * Comment this macro to disable storing the peer's certificate 1073 * after the handshake. 1074 */ 1075 #ifdef CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1076 #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1077 #else 1078 #undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1079 #endif 1080 1081 /** 1082 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING 1083 * 1084 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0. 1085 * 1086 * This is a countermeasure to the BEAST attack, which also minimizes the risk 1087 * of interoperability issues compared to sending 0-length records. 1088 * 1089 * Comment this macro to disable 1/n-1 record splitting. 1090 */ 1091 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 1092 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING 1093 #else 1094 #undef MBEDTLS_SSL_CBC_RECORD_SPLITTING 1095 #endif 1096 1097 /** 1098 * \def MBEDTLS_SSL_RENEGOTIATION 1099 * 1100 * Enable support for TLS renegotiation. 1101 * 1102 * The two main uses of renegotiation are (1) refresh keys on long-lived 1103 * connections and (2) client authentication after the initial handshake. 1104 * If you don't need renegotiation, it's probably better to disable it, since 1105 * it has been associated with security issues in the past and is easy to 1106 * misuse/misunderstand. 1107 * 1108 * Comment this to disable support for renegotiation. 1109 * 1110 * \note Even if this option is disabled, both client and server are aware 1111 * of the Renegotiation Indication Extension (RFC 5746) used to 1112 * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1). 1113 * (See \c mbedtls_ssl_conf_legacy_renegotiation for the 1114 * configuration of this extension). 1115 * 1116 */ 1117 #ifdef CONFIG_MBEDTLS_SSL_RENEGOTIATION 1118 #define MBEDTLS_SSL_RENEGOTIATION 1119 #else 1120 #undef MBEDTLS_SSL_RENEGOTIATION 1121 #endif 1122 1123 /** 1124 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 1125 * 1126 * Enable support for RFC 6066 max_fragment_length extension in SSL. 1127 * 1128 * Comment this macro to disable support for the max_fragment_length extension 1129 */ 1130 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 1131 1132 /** 1133 * \def MBEDTLS_SSL_RECORD_SIZE_LIMIT 1134 * 1135 * Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only). 1136 * 1137 * \warning This extension is currently in development and must NOT be used except 1138 * for testing purposes. 1139 * 1140 * Requires: MBEDTLS_SSL_PROTO_TLS1_3 1141 * 1142 * Uncomment this macro to enable support for the record_size_limit extension 1143 */ 1144 //#define MBEDTLS_SSL_RECORD_SIZE_LIMIT 1145 1146 /** 1147 * \def MBEDTLS_SSL_PROTO_TLS1_2 1148 * 1149 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). 1150 * 1151 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C 1152 * (Depends on ciphersuites) 1153 * 1154 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 1155 */ 1156 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 1157 #define MBEDTLS_SSL_PROTO_TLS1_2 1158 #else 1159 #undef MBEDTLS_SSL_PROTO_TLS1_2 1160 #endif 1161 1162 /** 1163 * \def MBEDTLS_SSL_PROTO_TLS1_3 1164 * 1165 * Enable support for TLS 1.3. 1166 * 1167 * \note The support for TLS 1.3 is not comprehensive yet, in particular 1168 * pre-shared keys are not supported. 1169 * See docs/architecture/tls13-support.md for a description of the TLS 1170 * 1.3 support that this option enables. 1171 * 1172 * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 1173 * 1174 * Uncomment this macro to enable the support for TLS 1.3. 1175 * 1176 */ 1177 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 1178 #define MBEDTLS_SSL_PROTO_TLS1_3 1179 #else 1180 #undef MBEDTLS_SSL_PROTO_TLS1_3 1181 #endif 1182 1183 /** 1184 * \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 1185 * 1186 * Enable TLS 1.3 middlebox compatibility mode. 1187 * 1188 * As specified in Section D.4 of RFC 8446, TLS 1.3 offers a compatibility 1189 * mode to make a TLS 1.3 connection more likely to pass through middle boxes 1190 * expecting TLS 1.2 traffic. 1191 * 1192 * Turning on the compatibility mode comes at the cost of a few added bytes 1193 * on the wire, but it doesn't affect compatibility with TLS 1.3 implementations 1194 * that don't use it. Therefore, unless transmission bandwidth is critical and 1195 * you know that middlebox compatibility issues won't occur, it is therefore 1196 * recommended to set this option. 1197 * 1198 * Comment to disable compatibility mode for TLS 1.3. If 1199 * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any 1200 * effect on the build. 1201 * 1202 */ 1203 #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 1204 #define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 1205 #else 1206 #undef MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 1207 #endif 1208 1209 /** 1210 * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 1211 * 1212 * Enable TLS 1.3 PSK key exchange mode. 1213 * 1214 * Comment to disable support for the PSK key exchange mode in TLS 1.3. If 1215 * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any 1216 * effect on the build. 1217 * 1218 */ 1219 #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_PSK 1220 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 1221 #else 1222 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 1223 #endif 1224 1225 /** 1226 * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 1227 * 1228 * Enable TLS 1.3 ephemeral key exchange mode. 1229 * 1230 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C, MBEDTLS_ECDSA_C or 1231 * MBEDTLS_PKCS1_V21 1232 * 1233 * Comment to disable support for the ephemeral key exchange mode in TLS 1.3. 1234 * If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any 1235 * effect on the build. 1236 * 1237 */ 1238 #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_EPHEMERAL 1239 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 1240 #else 1241 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 1242 #endif 1243 1244 /** 1245 * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 1246 * 1247 * Enable TLS 1.3 PSK ephemeral key exchange mode. 1248 * 1249 * Requires: MBEDTLS_ECDH_C 1250 * 1251 * Comment to disable support for the PSK ephemeral key exchange mode in 1252 * TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not 1253 * have any effect on the build. 1254 * 1255 */ 1256 #ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_PSK_EPHEMERAL 1257 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 1258 #else 1259 #undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 1260 #endif 1261 1262 /** 1263 * \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 1264 * 1265 * Maximum time difference in milliseconds tolerated between the age of a 1266 * ticket from the server and client point of view. 1267 * From the client point of view, the age of a ticket is the time difference 1268 * between the time when the client proposes to the server to use the ticket 1269 * (time of writing of the Pre-Shared Key Extension including the ticket) and 1270 * the time the client received the ticket from the server. 1271 * From the server point of view, the age of a ticket is the time difference 1272 * between the time when the server receives a proposition from the client 1273 * to use the ticket and the time when the ticket was created by the server. 1274 * The server age is expected to be always greater than the client one and 1275 * MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE defines the 1276 * maximum difference tolerated for the server to accept the ticket. 1277 * This is not used in TLS 1.2. 1278 * 1279 */ 1280 #define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 1281 1282 /** 1283 * \def MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 1284 * 1285 * Size in bytes of a ticket nonce. This is not used in TLS 1.2. 1286 * 1287 * This must be less than 256. 1288 */ 1289 #define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 1290 1291 /** 1292 * \def MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1293 * 1294 * Default number of NewSessionTicket messages to be sent by a TLS 1.3 server 1295 * after handshake completion. This is not used in TLS 1.2 and relevant only if 1296 * the MBEDTLS_SSL_SESSION_TICKETS option is enabled. 1297 * 1298 */ 1299 #define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 1300 1301 /** 1302 * \def MBEDTLS_SSL_EARLY_DATA 1303 * 1304 * Enable support for RFC 8446 TLS 1.3 early data. 1305 * 1306 * Requires: MBEDTLS_SSL_SESSION_TICKETS and either 1307 * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or 1308 * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 1309 * 1310 * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3 1311 * is not enabled, this option does not have any effect on the build. 1312 * 1313 * This feature is experimental, not completed and thus not ready for 1314 * production. 1315 * 1316 */ 1317 //#define MBEDTLS_SSL_EARLY_DATA 1318 1319 /** 1320 * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1321 * 1322 * The default maximum amount of 0-RTT data. See the documentation of 1323 * \c mbedtls_ssl_tls13_conf_max_early_data_size() for more information. 1324 * 1325 * It must be positive and smaller than UINT32_MAX. 1326 * 1327 * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not 1328 * have any impact on the build. 1329 * 1330 * This feature is experimental, not completed and thus not ready for 1331 * production. 1332 * 1333 */ 1334 #define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 1335 1336 1337 /** 1338 * \def MBEDTLS_SSL_PROTO_DTLS 1339 * 1340 * Enable support for DTLS (all available versions). 1341 * 1342 * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. 1343 * 1344 * Requires: MBEDTLS_SSL_PROTO_TLS1_2 1345 * 1346 * Comment this macro to disable support for DTLS 1347 */ 1348 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1349 #define MBEDTLS_SSL_PROTO_DTLS 1350 #else 1351 #undef MBEDTLS_SSL_PROTO_DTLS 1352 #endif 1353 1354 /** 1355 * \def MBEDTLS_SSL_ALPN 1356 * 1357 * Enable support for RFC 7301 Application Layer Protocol Negotiation. 1358 * 1359 * Comment this macro to disable support for ALPN. 1360 */ 1361 #ifdef CONFIG_MBEDTLS_SSL_ALPN 1362 #define MBEDTLS_SSL_ALPN 1363 #else 1364 #undef MBEDTLS_SSL_ALPN 1365 #endif 1366 1367 /** 1368 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY 1369 * 1370 * Enable support for the anti-replay mechanism in DTLS. 1371 * 1372 * Requires: MBEDTLS_SSL_TLS_C 1373 * MBEDTLS_SSL_PROTO_DTLS 1374 * 1375 * \warning Disabling this is often a security risk! 1376 * See mbedtls_ssl_conf_dtls_anti_replay() for details. 1377 * 1378 * Comment this to disable anti-replay in DTLS. 1379 */ 1380 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1381 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY 1382 #else 1383 #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY 1384 #endif 1385 1386 /** 1387 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY 1388 * 1389 * Enable support for HelloVerifyRequest on DTLS servers. 1390 * 1391 * This feature is highly recommended to prevent DTLS servers being used as 1392 * amplifiers in DoS attacks against other hosts. It should always be enabled 1393 * unless you know for sure amplification cannot be a problem in the 1394 * environment in which your server operates. 1395 * 1396 * \warning Disabling this can ba a security risk! (see above) 1397 * 1398 * Requires: MBEDTLS_SSL_PROTO_DTLS 1399 * 1400 * Comment this to disable support for HelloVerifyRequest. 1401 */ 1402 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1403 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY 1404 #else 1405 #undef MBEDTLS_SSL_DTLS_HELLO_VERIFY 1406 #endif 1407 1408 /** 1409 * \def MBEDTLS_SSL_DTLS_SRTP 1410 * 1411 * Enable support for negotiation of DTLS-SRTP (RFC 5764) 1412 * through the use_srtp extension. 1413 * 1414 * \note This feature provides the minimum functionality required 1415 * to negotiate the use of DTLS-SRTP and to allow the derivation of 1416 * the associated SRTP packet protection key material. 1417 * In particular, the SRTP packet protection itself, as well as the 1418 * demultiplexing of RTP and DTLS packets at the datagram layer 1419 * (see Section 5 of RFC 5764), are not handled by this feature. 1420 * Instead, after successful completion of a handshake negotiating 1421 * the use of DTLS-SRTP, the extended key exporter API 1422 * mbedtls_ssl_conf_export_keys_ext_cb() should be used to implement 1423 * the key exporter described in Section 4.2 of RFC 5764 and RFC 5705 1424 * (this is implemented in the SSL example programs). 1425 * The resulting key should then be passed to an SRTP stack. 1426 * 1427 * Setting this option enables the runtime API 1428 * mbedtls_ssl_conf_dtls_srtp_protection_profiles() 1429 * through which the supported DTLS-SRTP protection 1430 * profiles can be configured. You must call this API at 1431 * runtime if you wish to negotiate the use of DTLS-SRTP. 1432 * 1433 * Requires: MBEDTLS_SSL_PROTO_DTLS 1434 * 1435 * Uncomment this to enable support for use_srtp extension. 1436 */ 1437 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1438 #define MBEDTLS_SSL_DTLS_SRTP 1439 #else 1440 #undef MBEDTLS_SSL_DTLS_SRTP 1441 #endif 1442 1443 /** 1444 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1445 * 1446 * Enable server-side support for clients that reconnect from the same port. 1447 * 1448 * Some clients unexpectedly close the connection and try to reconnect using the 1449 * same source port. This needs special support from the server to handle the 1450 * new connection securely, as described in section 4.2.8 of RFC 6347. This 1451 * flag enables that support. 1452 * 1453 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY 1454 * 1455 * Comment this to disable support for clients reusing the source port. 1456 */ 1457 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1458 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1459 #else 1460 #undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1461 #endif 1462 1463 /** 1464 * \def MBEDTLS_SSL_SESSION_TICKETS 1465 * 1466 * Enable support for RFC 5077 session tickets in SSL. 1467 * Client-side, provides full support for session tickets (maintainance of a 1468 * session store remains the responsibility of the application, though). 1469 * Server-side, you also need to provide callbacks for writing and parsing 1470 * tickets, including authenticated encryption and key management. Example 1471 * callbacks are provided by MBEDTLS_SSL_TICKET_C. 1472 * 1473 * Comment this macro to disable support for SSL session tickets 1474 */ 1475 #ifdef CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS 1476 #define MBEDTLS_SSL_SESSION_TICKETS 1477 #else 1478 #undef MBEDTLS_SSL_SESSION_TICKETS 1479 #endif 1480 1481 /** 1482 * \def MBEDTLS_SSL_EXPORT_KEYS 1483 * 1484 * Enable support for exporting key block and master secret. 1485 * This is required for certain users of TLS, e.g. EAP-TLS. 1486 * 1487 * Comment this macro to disable support for key export 1488 */ 1489 #define MBEDTLS_SSL_EXPORT_KEYS 1490 1491 /** 1492 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION 1493 * 1494 * Enable support for RFC 6066 server name indication (SNI) in SSL. 1495 * 1496 * Requires: MBEDTLS_X509_CRT_PARSE_C 1497 * 1498 * Comment this macro to disable support for server name indication in SSL 1499 */ 1500 #define MBEDTLS_SSL_SERVER_NAME_INDICATION 1501 1502 1503 /** 1504 * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1505 * 1506 * When this option is enabled, the SSL buffer will be resized automatically 1507 * based on the negotiated maximum fragment length in each direction. 1508 * 1509 * Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 1510 */ 1511 #ifdef CONFIG_MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1512 #define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1513 #else 1514 #undef MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 1515 #endif 1516 1517 /** 1518 * 1519 * \def MBEDTLS_VERSION_FEATURES 1520 * 1521 * Allow run-time checking of compile-time enabled features. Thus allowing users 1522 * to check at run-time if the library is for instance compiled with threading 1523 * support via mbedtls_version_check_feature(). 1524 * 1525 * Requires: MBEDTLS_VERSION_C 1526 * 1527 * Comment this to disable run-time checking and save ROM space 1528 */ 1529 #define MBEDTLS_VERSION_FEATURES 1530 1531 1532 /** 1533 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT 1534 * 1535 * Enable parsing and verification of X.509 certificates, CRLs and CSRS 1536 * signed with RSASSA-PSS (aka PKCS#1 v2.1). 1537 * 1538 * Comment this macro to disallow using RSASSA-PSS in certificates. 1539 */ 1540 #define MBEDTLS_X509_RSASSA_PSS_SUPPORT 1541 1542 1543 /* \} name SECTION: mbed TLS feature support */ 1544 1545 /** 1546 * \name SECTION: mbed TLS modules 1547 * 1548 * This section enables or disables entire modules in mbed TLS 1549 * \{ 1550 */ 1551 1552 /** 1553 * \def MBEDTLS_AESNI_C 1554 * 1555 * Enable AES-NI support on x86-64. 1556 * 1557 * Module: library/aesni.c 1558 * Caller: library/aes.c 1559 * 1560 * Requires: MBEDTLS_HAVE_ASM 1561 * 1562 * This modules adds support for the AES-NI instructions on x86-64 1563 */ 1564 #define MBEDTLS_AESNI_C 1565 1566 /** 1567 * \def MBEDTLS_AES_C 1568 * 1569 * Enable the AES block cipher. 1570 * 1571 * Module: library/aes.c 1572 * Caller: library/ssl_tls.c 1573 * library/pem.c 1574 * library/ctr_drbg.c 1575 * 1576 * This module enables the following ciphersuites (if other requisites are 1577 * enabled as well): 1578 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 1579 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 1580 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 1581 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 1582 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 1583 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 1584 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 1585 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 1586 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 1587 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 1588 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 1589 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 1590 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 1591 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 1592 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 1593 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 1594 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 1595 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 1596 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 1597 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 1598 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 1599 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 1600 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 1601 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 1602 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 1603 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 1604 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 1605 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 1606 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 1607 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 1608 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 1609 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 1610 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 1611 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 1612 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 1613 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 1614 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 1615 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 1616 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 1617 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 1618 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 1619 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 1620 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 1621 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 1622 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 1623 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 1624 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 1625 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 1626 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 1627 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 1628 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 1629 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 1630 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 1631 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 1632 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 1633 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 1634 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 1635 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 1636 * 1637 * PEM_PARSE uses AES for decrypting encrypted keys. 1638 */ 1639 #ifdef CONFIG_MBEDTLS_AES_C 1640 #define MBEDTLS_AES_C 1641 #else 1642 #undef MBEDTLS_AES_C 1643 #endif 1644 1645 /** 1646 * \def MBEDTLS_ASN1_PARSE_C 1647 * 1648 * Enable the generic ASN1 parser. 1649 * 1650 * Module: library/asn1.c 1651 * Caller: library/x509.c 1652 * library/dhm.c 1653 * library/pkcs12.c 1654 * library/pkcs5.c 1655 * library/pkparse.c 1656 */ 1657 #define MBEDTLS_ASN1_PARSE_C 1658 1659 /** 1660 * \def MBEDTLS_ASN1_WRITE_C 1661 * 1662 * Enable the generic ASN1 writer. 1663 * 1664 * Module: library/asn1write.c 1665 * Caller: library/ecdsa.c 1666 * library/pkwrite.c 1667 * library/x509_create.c 1668 * library/x509write_crt.c 1669 * library/mbedtls_x509write_csr.c 1670 */ 1671 #define MBEDTLS_ASN1_WRITE_C 1672 1673 /** 1674 * \def MBEDTLS_BASE64_C 1675 * 1676 * Enable the Base64 module. 1677 * 1678 * Module: library/base64.c 1679 * Caller: library/pem.c 1680 * 1681 * This module is required for PEM support (required by X.509). 1682 */ 1683 #define MBEDTLS_BASE64_C 1684 1685 /** 1686 * \def MBEDTLS_BIGNUM_C 1687 * 1688 * Enable the multi-precision integer library. 1689 * 1690 * Module: library/bignum.c 1691 * library/bignum_core.c 1692 * library/bignum_mod.c 1693 * library/bignum_mod_raw.c 1694 * Caller: library/dhm.c 1695 * library/ecp.c 1696 * library/ecdsa.c 1697 * library/rsa.c 1698 * library/rsa_alt_helpers.c 1699 * library/ssl_tls.c 1700 * 1701 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. 1702 */ 1703 #define MBEDTLS_BIGNUM_C 1704 1705 /** 1706 * \def MBEDTLS_BLOWFISH_C 1707 * 1708 * Enable the Blowfish block cipher. 1709 * 1710 * Module: library/blowfish.c 1711 */ 1712 #ifdef CONFIG_MBEDTLS_BLOWFISH_C 1713 #define MBEDTLS_BLOWFISH_C 1714 #else 1715 #undef MBEDTLS_BLOWFISH_C 1716 #endif 1717 1718 /** 1719 * \def MBEDTLS_CAMELLIA_C 1720 * 1721 * Enable the Camellia block cipher. 1722 * 1723 * Module: library/camellia.c 1724 * Caller: library/ssl_tls.c 1725 * 1726 * This module enables the following ciphersuites (if other requisites are 1727 * enabled as well): 1728 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 1729 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 1730 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 1731 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 1732 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 1733 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 1734 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 1735 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 1736 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 1737 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 1738 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 1739 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 1740 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 1741 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 1742 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 1743 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 1744 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 1745 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 1746 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 1747 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 1748 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 1749 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 1750 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 1751 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 1752 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 1753 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 1754 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 1755 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 1756 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 1757 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 1758 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 1759 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 1760 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 1761 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 1762 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 1763 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 1764 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 1765 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 1766 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 1767 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 1768 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 1769 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 1770 */ 1771 #ifdef CONFIG_MBEDTLS_CAMELLIA_C 1772 #define MBEDTLS_CAMELLIA_C 1773 #else 1774 #undef MBEDTLS_CAMELLIA_C 1775 #endif 1776 1777 /** 1778 * \def MBEDTLS_CCM_C 1779 * 1780 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. 1781 * 1782 * Module: library/ccm.c 1783 * 1784 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or 1785 * MBEDTLS_ARIA_C 1786 * 1787 * This module enables the AES-CCM ciphersuites, if other requisites are 1788 * enabled as well. 1789 */ 1790 #ifdef CONFIG_MBEDTLS_CCM_C 1791 #define MBEDTLS_CCM_C 1792 #else 1793 #undef MBEDTLS_CCM_C 1794 #endif 1795 1796 /** 1797 * \def MBEDTLS_CERTS_C 1798 * 1799 * Enable the test certificates. 1800 * 1801 * Module: library/certs.c 1802 * Caller: 1803 * 1804 * This module is used for testing (ssl_client/server). 1805 */ 1806 #define MBEDTLS_CERTS_C 1807 1808 /** 1809 * \def MBEDTLS_CHACHA20_C 1810 * 1811 * Enable the ChaCha20 stream cipher. 1812 * 1813 * Module: library/chacha20.c 1814 */ 1815 #ifdef CONFIG_MBEDTLS_CHACHA20_C 1816 #define MBEDTLS_CHACHA20_C 1817 #else 1818 #undef MBEDTLS_CHACHA20_C 1819 #endif 1820 1821 /** 1822 * \def MBEDTLS_CHACHAPOLY_C 1823 * 1824 * Enable the ChaCha20-Poly1305 AEAD algorithm. 1825 * 1826 * Module: library/chachapoly.c 1827 * 1828 * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C 1829 */ 1830 #ifdef CONFIG_MBEDTLS_CHACHAPOLY_C 1831 #define MBEDTLS_CHACHAPOLY_C 1832 #else 1833 #undef MBEDTLS_CHACHAPOLY_C 1834 #endif 1835 1836 /** 1837 * \def MBEDTLS_CIPHER_C 1838 * 1839 * Enable the generic cipher layer. 1840 * 1841 * Module: library/cipher.c 1842 * Caller: library/ccm.c 1843 * library/cmac.c 1844 * library/gcm.c 1845 * library/nist_kw.c 1846 * library/pkcs12.c 1847 * library/pkcs5.c 1848 * library/psa_crypto_aead.c 1849 * library/psa_crypto_mac.c 1850 * library/ssl_ciphersuites.c 1851 * library/ssl_msg.c 1852 * library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled) 1853 * 1854 * Uncomment to enable generic cipher wrappers. 1855 */ 1856 #define MBEDTLS_CIPHER_C 1857 1858 /** 1859 * \def MBEDTLS_CTR_DRBG_C 1860 * 1861 * Enable the CTR_DRBG AES-256-based random generator. 1862 * 1863 * Module: library/ctr_drbg.c 1864 * Caller: 1865 * 1866 * Requires: MBEDTLS_AES_C 1867 * 1868 * This module provides the CTR_DRBG AES-256 random number generator. 1869 */ 1870 #define MBEDTLS_CTR_DRBG_C 1871 1872 /** 1873 * \def MBEDTLS_DEBUG_C 1874 * 1875 * Enable the debug functions. 1876 * 1877 * Module: library/debug.c 1878 * Caller: library/ssl_msg.c 1879 * library/ssl_tls.c 1880 * library/ssl_tls12_*.c 1881 * library/ssl_tls13_*.c 1882 * 1883 * This module provides debugging functions. 1884 */ 1885 #if CONFIG_MBEDTLS_DEBUG 1886 #define MBEDTLS_DEBUG_C 1887 #else 1888 #undef MBEDTLS_DEBUG_C 1889 #endif 1890 1891 /** 1892 * \def MBEDTLS_DES_C 1893 * 1894 * Enable the DES block cipher. 1895 * 1896 * Module: library/des.c 1897 * Caller: library/pem.c 1898 * library/ssl_tls.c 1899 * 1900 * This module enables the following ciphersuites (if other requisites are 1901 * enabled as well): 1902 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 1903 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 1904 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 1905 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 1906 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 1907 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 1908 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 1909 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 1910 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 1911 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 1912 * 1913 * PEM_PARSE uses DES/3DES for decrypting encrypted keys. 1914 */ 1915 #ifdef CONFIG_MBEDTLS_DES_C 1916 #define MBEDTLS_DES_C 1917 #else 1918 #undef MBEDTLS_DES_C 1919 #endif 1920 1921 /** 1922 * \def MBEDTLS_DHM_C 1923 * 1924 * Enable the Diffie-Hellman-Merkle module. 1925 * 1926 * Module: library/dhm.c 1927 * Caller: library/ssl_tls.c 1928 * library/ssl*_client.c 1929 * library/ssl*_server.c 1930 * 1931 * This module is used by the following key exchanges: 1932 * DHE-RSA, DHE-PSK 1933 */ 1934 #ifdef CONFIG_MBEDTLS_DHM_C 1935 #define MBEDTLS_DHM_C 1936 #else 1937 #undef MBEDTLS_DHM_C 1938 #endif 1939 1940 /** 1941 * \def MBEDTLS_ECDH_C 1942 * 1943 * Enable the elliptic curve Diffie-Hellman library. 1944 * 1945 * Module: library/ecdh.c 1946 * Caller: library/psa_crypto.c 1947 * library/ssl_tls.c 1948 * library/ssl*_client.c 1949 * library/ssl*_server.c 1950 * 1951 * This module is used by the following key exchanges: 1952 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK 1953 * 1954 * Requires: MBEDTLS_ECP_C 1955 */ 1956 #ifdef CONFIG_MBEDTLS_ECDH_C 1957 #define MBEDTLS_ECDH_C 1958 #else 1959 #undef MBEDTLS_ECDH_C 1960 #endif 1961 1962 /** 1963 * \def MBEDTLS_ECDSA_C 1964 * 1965 * Enable the elliptic curve DSA library. 1966 * 1967 * Module: library/ecdsa.c 1968 * Caller: 1969 * 1970 * This module is used by the following key exchanges: 1971 * ECDHE-ECDSA 1972 * 1973 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C, 1974 * and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a 1975 * short Weierstrass curve. 1976 */ 1977 #ifdef CONFIG_MBEDTLS_ECDSA_C 1978 #define MBEDTLS_ECDSA_C 1979 #else 1980 #undef MBEDTLS_ECDSA_C 1981 #endif 1982 1983 /** 1984 * \def MBEDTLS_ECJPAKE_C 1985 * 1986 * Enable the elliptic curve J-PAKE library. 1987 * 1988 * \warning This is currently experimental. EC J-PAKE support is based on the 1989 * Thread v1.0.0 specification; incompatible changes to the specification 1990 * might still happen. For this reason, this is disabled by default. 1991 * 1992 * Module: library/ecjpake.c 1993 * Caller: 1994 * 1995 * This module is used by the following key exchanges: 1996 * ECJPAKE 1997 * 1998 * Requires: MBEDTLS_ECP_C and MBEDTLS_MD_C 1999 * 2000 */ 2001 #ifdef CONFIG_MBEDTLS_ECJPAKE_C 2002 #define MBEDTLS_ECJPAKE_C 2003 #else 2004 #undef MBEDTLS_ECJPAKE_C 2005 #endif 2006 2007 /** 2008 * \def MBEDTLS_ECP_C 2009 * 2010 * Enable the elliptic curve over GF(p) library. 2011 * 2012 * Module: library/ecp.c 2013 * Caller: library/ecdh.c 2014 * library/ecdsa.c 2015 * library/ecjpake.c 2016 * 2017 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED 2018 */ 2019 #ifdef CONFIG_MBEDTLS_ECP_C 2020 #define MBEDTLS_ECP_C 2021 #else 2022 #undef MBEDTLS_ECP_C 2023 #endif 2024 2025 /** 2026 * \def MBEDTLS_ENTROPY_C 2027 * 2028 * Enable the platform-specific entropy code. 2029 * 2030 * Module: library/entropy.c 2031 * Caller: 2032 * 2033 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 2034 * 2035 * This module provides a generic entropy pool 2036 */ 2037 #define MBEDTLS_ENTROPY_C 2038 2039 /** 2040 * \def MBEDTLS_ERROR_C 2041 * 2042 * Enable error code to error string conversion. 2043 * 2044 * Module: library/error.c 2045 * Caller: 2046 * 2047 * This module enables mbedtls_strerror(). 2048 */ 2049 #define MBEDTLS_ERROR_C 2050 2051 /** 2052 * \def MBEDTLS_GCM_C 2053 * 2054 * Enable the Galois/Counter Mode (GCM). 2055 * 2056 * Module: library/gcm.c 2057 * 2058 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or 2059 * MBEDTLS_ARIA_C 2060 * 2061 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other 2062 * requisites are enabled as well. 2063 */ 2064 #ifdef CONFIG_MBEDTLS_GCM_C 2065 #define MBEDTLS_GCM_C 2066 #else 2067 #undef MBEDTLS_GCM_C 2068 #endif 2069 2070 /** 2071 * \def MBEDTLS_HKDF_C 2072 * 2073 * Enable the HKDF algorithm (RFC 5869). 2074 * 2075 * Module: library/hkdf.c 2076 * Caller: 2077 * 2078 * Requires: MBEDTLS_MD_C 2079 * 2080 * This module enables support for the Hashed Message Authentication Code 2081 * (HMAC)-based key derivation function (HKDF). 2082 */ 2083 #ifdef CONFIG_MBEDTLS_HKDF_C 2084 #define MBEDTLS_HKDF_C 2085 #else 2086 #undef MBEDTLS_HKDF_C 2087 #endif 2088 2089 /** 2090 * \def MBEDTLS_HMAC_DRBG_C 2091 * 2092 * Enable the HMAC_DRBG random generator. 2093 * 2094 * Module: library/hmac_drbg.c 2095 * Caller: 2096 * 2097 * Requires: MBEDTLS_MD_C 2098 * 2099 * Uncomment to enable the HMAC_DRBG random number geerator. 2100 */ 2101 #define MBEDTLS_HMAC_DRBG_C 2102 2103 /** 2104 * \def MBEDTLS_MD_C 2105 * 2106 * Enable the generic message digest layer. 2107 * 2108 * Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C, 2109 * MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C, 2110 * MBEDTLS_SHA512_C. 2111 * 2112 * Module: library/md.c 2113 * Caller: library/constant_time.c 2114 * library/ecdsa.c 2115 * library/ecjpake.c 2116 * library/hkdf.c 2117 * library/hmac_drbg.c 2118 * library/pk.c 2119 * library/pkcs5.c 2120 * library/pkcs12.c 2121 * library/psa_crypto_ecp.c 2122 * library/psa_crypto_rsa.c 2123 * library/rsa.c 2124 * library/ssl_cookie.c 2125 * library/ssl_msg.c 2126 * library/ssl_tls.c 2127 * library/x509.c 2128 * library/x509_crt.c 2129 * library/x509write_crt.c 2130 * library/x509write_csr.c 2131 * 2132 * Uncomment to enable generic message digest wrappers. 2133 */ 2134 #define MBEDTLS_MD_C 2135 2136 /** 2137 * \def MBEDTLS_MD5_C 2138 * 2139 * Enable the MD5 hash algorithm. 2140 * 2141 * Module: library/mbedtls_md5.c 2142 * Caller: library/mbedtls_md.c 2143 * library/pem.c 2144 * library/ssl_tls.c 2145 * 2146 * This module is required for SSL/TLS and X.509. 2147 * PEM_PARSE uses MD5 for decrypting encrypted keys. 2148 */ 2149 #define MBEDTLS_MD5_C 2150 2151 /** 2152 * \def MBEDTLS_NET_C 2153 * 2154 * Enable the TCP and UDP over IPv6/IPv4 networking routines. 2155 * 2156 * \note This module only works on POSIX/Unix (including Linux, BSD and OS X) 2157 * and Windows. For other platforms, you'll want to disable it, and write your 2158 * own networking callbacks to be passed to \c mbedtls_ssl_set_bio(). 2159 * 2160 * \note See also our Knowledge Base article about porting to a new 2161 * environment: 2162 * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 2163 * 2164 * Module: library/net_sockets.c 2165 * 2166 * This module provides networking routines. 2167 */ 2168 #ifdef MBEDTLS_NET_C 2169 #undef MBEDTLS_NET_C 2170 #endif 2171 2172 /** 2173 * \def MBEDTLS_OID_C 2174 * 2175 * Enable the OID database. 2176 * 2177 * Module: library/oid.c 2178 * Caller: library/asn1write.c 2179 * library/pkcs5.c 2180 * library/pkparse.c 2181 * library/pkwrite.c 2182 * library/rsa.c 2183 * library/x509.c 2184 * library/x509_create.c 2185 * library/mbedtls_x509_crl.c 2186 * library/mbedtls_x509_crt.c 2187 * library/mbedtls_x509_csr.c 2188 * library/x509write_crt.c 2189 * library/mbedtls_x509write_csr.c 2190 * 2191 * This modules translates between OIDs and internal values. 2192 */ 2193 #define MBEDTLS_OID_C 2194 2195 /** 2196 * \def MBEDTLS_PADLOCK_C 2197 * 2198 * Enable VIA Padlock support on x86. 2199 * 2200 * Module: library/padlock.c 2201 * Caller: library/aes.c 2202 * 2203 * Requires: MBEDTLS_HAVE_ASM 2204 * 2205 * This modules adds support for the VIA PadLock on x86. 2206 */ 2207 #define MBEDTLS_PADLOCK_C 2208 2209 /** 2210 * \def MBEDTLS_PEM_PARSE_C 2211 * 2212 * Enable PEM decoding / parsing. 2213 * 2214 * Module: library/pem.c 2215 * Caller: library/dhm.c 2216 * library/pkparse.c 2217 * library/mbedtls_x509_crl.c 2218 * library/mbedtls_x509_crt.c 2219 * library/mbedtls_x509_csr.c 2220 * 2221 * Requires: MBEDTLS_BASE64_C 2222 * 2223 * This modules adds support for decoding / parsing PEM files. 2224 */ 2225 #ifdef CONFIG_MBEDTLS_PEM_PARSE_C 2226 #define MBEDTLS_PEM_PARSE_C 2227 #else 2228 #undef MBEDTLS_PEM_PARSE_C 2229 #endif 2230 2231 /** 2232 * \def MBEDTLS_PEM_WRITE_C 2233 * 2234 * Enable PEM encoding / writing. 2235 * 2236 * Module: library/pem.c 2237 * Caller: library/pkwrite.c 2238 * library/x509write_crt.c 2239 * library/mbedtls_x509write_csr.c 2240 * 2241 * Requires: MBEDTLS_BASE64_C 2242 * 2243 * This modules adds support for encoding / writing PEM files. 2244 */ 2245 #ifdef CONFIG_MBEDTLS_PEM_WRITE_C 2246 #define MBEDTLS_PEM_WRITE_C 2247 #else 2248 #undef MBEDTLS_PEM_WRITE_C 2249 #endif 2250 2251 /** 2252 * \def MBEDTLS_PK_C 2253 * 2254 * Enable the generic public (asymmetric) key layer. 2255 * 2256 * Module: library/pk.c 2257 * Caller: library/psa_crypto_rsa.c 2258 * library/ssl_tls.c 2259 * library/ssl*_client.c 2260 * library/ssl*_server.c 2261 * library/x509.c 2262 * 2263 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C 2264 * 2265 * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C 2266 * 2267 * Uncomment to enable generic public key wrappers. 2268 */ 2269 #define MBEDTLS_PK_C 2270 2271 /** 2272 * \def MBEDTLS_PK_PARSE_C 2273 * 2274 * Enable the generic public (asymmetric) key parser. 2275 * 2276 * Module: library/pkparse.c 2277 * Caller: library/mbedtls_x509_crt.c 2278 * library/mbedtls_x509_csr.c 2279 * 2280 * Requires: MBEDTLS_PK_C 2281 * 2282 * Uncomment to enable generic public key parse functions. 2283 */ 2284 #define MBEDTLS_PK_PARSE_C 2285 2286 /** 2287 * \def MBEDTLS_PK_WRITE_C 2288 * 2289 * Enable the generic public (asymmetric) key writer. 2290 * 2291 * Module: library/pkwrite.c 2292 * Caller: library/x509write.c 2293 * 2294 * Requires: MBEDTLS_PK_C 2295 * 2296 * Uncomment to enable generic public key write functions. 2297 */ 2298 #define MBEDTLS_PK_WRITE_C 2299 2300 /** 2301 * \def MBEDTLS_PKCS5_C 2302 * 2303 * Enable PKCS#5 functions. 2304 * 2305 * Module: library/pkcs5.c 2306 * 2307 * Requires: MBEDTLS_CIPHER_C and MBEDTLS_MD_C 2308 * 2309 * This module adds support for the PKCS#5 functions. 2310 */ 2311 #define MBEDTLS_PKCS5_C 2312 2313 /** 2314 * \def MBEDTLS_PKCS7_C 2315 * 2316 * This feature is a work in progress and not ready for production. Testing and 2317 * validation is incomplete, and handling of malformed inputs may not be robust. 2318 * The API may change. 2319 * 2320 * Enable PKCS7 core for using PKCS7 formatted signatures. 2321 * RFC Link - https://tools.ietf.org/html/rfc2315 2322 * 2323 * Module: library/pkcs7.c 2324 * 2325 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, 2326 * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, 2327 * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C 2328 * 2329 * This module is required for the PKCS #7 parsing modules. 2330 */ 2331 #ifdef CONFIG_MBEDTLS_PKCS7_C 2332 #define MBEDTLS_PKCS7_C 2333 #else 2334 #undef MBEDTLS_PKCS7_C 2335 #endif 2336 2337 /** 2338 * \def MBEDTLS_PKCS12_C 2339 * 2340 * Enable PKCS#12 PBE functions. 2341 * Adds algorithms for parsing PKCS#8 encrypted private keys 2342 * 2343 * Module: library/pkcs12.c 2344 * Caller: library/pkparse.c 2345 * 2346 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C 2347 * 2348 * This module enables PKCS#12 functions. 2349 */ 2350 #define MBEDTLS_PKCS12_C 2351 2352 /** 2353 * \def MBEDTLS_PLATFORM_C 2354 * 2355 * Enable the platform abstraction layer that allows you to re-assign 2356 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 2357 * 2358 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 2359 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 2360 * above to be specified at runtime or compile time respectively. 2361 * 2362 * \note This abstraction layer must be enabled on Windows (including MSYS2) 2363 * as other modules rely on it for a fixed snprintf implementation. 2364 * 2365 * Module: library/platform.c 2366 * Caller: Most other .c files 2367 * 2368 * This module enables abstraction of common (libc) functions. 2369 */ 2370 #define MBEDTLS_PLATFORM_C 2371 2372 /** 2373 * \def MBEDTLS_POLY1305_C 2374 * 2375 * Enable the Poly1305 MAC algorithm. 2376 * 2377 * Module: library/poly1305.c 2378 * Caller: library/chachapoly.c 2379 */ 2380 #ifdef CONFIG_MBEDTLS_POLY1305_C 2381 #define MBEDTLS_POLY1305_C 2382 #else 2383 #undef MBEDTLS_POLY1305_C 2384 #endif 2385 2386 /** 2387 * \def MBEDTLS_RIPEMD160_C 2388 * 2389 * Enable the RIPEMD-160 hash algorithm. 2390 * 2391 * Module: library/mbedtls_ripemd160.c 2392 * Caller: library/mbedtls_md.c 2393 * 2394 */ 2395 #ifdef CONFIG_MBEDTLS_RIPEMD160_C 2396 #define MBEDTLS_RIPEMD160_C 2397 #else 2398 #undef MBEDTLS_RIPEMD160_C 2399 #endif 2400 2401 /** 2402 * \def MBEDTLS_RSA_C 2403 * 2404 * Enable the RSA public-key cryptosystem. 2405 * 2406 * Module: library/rsa.c 2407 * library/rsa_alt_helpers.c 2408 * Caller: library/pk.c 2409 * library/psa_crypto.c 2410 * library/ssl_tls.c 2411 * library/ssl*_client.c 2412 * library/ssl*_server.c 2413 * 2414 * This module is used by the following key exchanges: 2415 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK 2416 * 2417 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C 2418 */ 2419 #define MBEDTLS_RSA_C 2420 2421 /** 2422 * \def MBEDTLS_SHA1_C 2423 * 2424 * Enable the SHA1 cryptographic hash algorithm. 2425 * 2426 * Module: library/sha1.c 2427 * Caller: library/md.c 2428 * library/psa_crypto_hash.c 2429 * 2430 * This module is required for TLS 1.2 depending on the handshake parameters, 2431 * and for SHA1-signed certificates. 2432 * 2433 * \warning SHA-1 is considered a weak message digest and its use constitutes 2434 * a security risk. If possible, we recommend avoiding dependencies 2435 * on it, and considering stronger message digests instead. 2436 * 2437 */ 2438 #define MBEDTLS_SHA1_C 2439 2440 /** 2441 * \def MBEDTLS_SHA224_C 2442 * 2443 * Enable the SHA-224 cryptographic hash algorithm. 2444 * 2445 * Requires: MBEDTLS_SHA256_C. The library does not currently support enabling 2446 * SHA-224 without SHA-256. 2447 * 2448 * Module: library/sha256.c 2449 * Caller: library/md.c 2450 * library/ssl_cookie.c 2451 * 2452 * This module adds support for SHA-224. 2453 */ 2454 #define MBEDTLS_SHA224_C 2455 2456 /** 2457 * \def MBEDTLS_SHA256_C 2458 * 2459 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms. 2460 * 2461 * Module: library/mbedtls_sha256.c 2462 * Caller: library/entropy.c 2463 * library/mbedtls_md.c 2464 * library/ssl_tls.c 2465 * library/ssl*_client.c 2466 * library/ssl*_server.c= 2467 * 2468 * This module adds support for SHA-224 and SHA-256. 2469 * This module is required for the SSL/TLS 1.2 PRF function. 2470 */ 2471 #define MBEDTLS_SHA256_C 2472 2473 /** 2474 * \def MBEDTLS_SHA512_C 2475 * 2476 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms. 2477 * 2478 * Module: library/sha512.c 2479 * Caller: library/entropy.c 2480 * library/md.c 2481 * library/ssl_tls.c 2482 * library/ssl_cookie.c 2483 * 2484 * This module adds support for SHA-384 and SHA-512. 2485 */ 2486 #ifdef CONFIG_MBEDTLS_SHA512_C 2487 #define MBEDTLS_SHA384_C 2488 #define MBEDTLS_SHA512_C 2489 #else 2490 #undef MBEDTLS_SHA384_C 2491 #undef MBEDTLS_SHA512_C 2492 #endif 2493 2494 /** 2495 * \def MBEDTLS_SSL_CACHE_C 2496 * 2497 * Enable simple SSL cache implementation. 2498 * 2499 * Module: library/ssl_cache.c 2500 * Caller: 2501 * 2502 * Requires: MBEDTLS_SSL_CACHE_C 2503 */ 2504 #define MBEDTLS_SSL_CACHE_C 2505 2506 /** 2507 * \def MBEDTLS_SSL_COOKIE_C 2508 * 2509 * Enable basic implementation of DTLS cookies for hello verification. 2510 * 2511 * Module: library/ssl_cookie.c 2512 * Caller: 2513 */ 2514 #define MBEDTLS_SSL_COOKIE_C 2515 2516 /** 2517 * \def MBEDTLS_SSL_TICKET_C 2518 * 2519 * Enable an implementation of TLS server-side callbacks for session tickets. 2520 * 2521 * Module: library/ssl_ticket.c 2522 * Caller: 2523 * 2524 * Requires: (MBEDTLS_CIPHER_C) && 2525 * (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C) 2526 */ 2527 #ifdef CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS 2528 #define MBEDTLS_SSL_TICKET_C 2529 #else 2530 #undef MBEDTLS_SSL_TICKET_C 2531 #endif 2532 2533 /** 2534 * \def MBEDTLS_SSL_CLI_C 2535 * 2536 * Enable the SSL/TLS client code. 2537 * 2538 * Module: library/ssl*_client.c 2539 * Caller: 2540 * 2541 * Requires: MBEDTLS_SSL_TLS_C 2542 * 2543 * This module is required for SSL/TLS client support. 2544 */ 2545 #ifdef CONFIG_MBEDTLS_TLS_CLIENT 2546 #define MBEDTLS_SSL_CLI_C 2547 #else 2548 #undef MBEDTLS_SSL_CLI_C 2549 #endif 2550 2551 /** 2552 * \def MBEDTLS_SSL_SRV_C 2553 * 2554 * Enable the SSL/TLS server code. 2555 * 2556 * Module: library/ssl_srv.c 2557 * Caller: 2558 * 2559 * Requires: MBEDTLS_SSL_TLS_C 2560 * 2561 * This module is required for SSL/TLS server support. 2562 */ 2563 #ifdef CONFIG_MBEDTLS_TLS_SERVER 2564 #define MBEDTLS_SSL_SRV_C 2565 #else 2566 #undef MBEDTLS_SSL_SRV_C 2567 #endif 2568 2569 /** 2570 * \def MBEDTLS_SSL_TLS_C 2571 * 2572 * Enable the generic SSL/TLS code. 2573 * 2574 * Module: library/ssl_tls.c 2575 * Caller: library/ssl*_client.c 2576 * library/ssl*_server.c 2577 * 2578 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C 2579 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines 2580 * 2581 * This module is required for SSL/TLS. 2582 */ 2583 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 2584 #define MBEDTLS_SSL_TLS_C 2585 #else 2586 #undef MBEDTLS_SSL_TLS_C 2587 #endif 2588 2589 /** 2590 * \def MBEDTLS_TIMING_C 2591 * 2592 * Enable the semi-portable timing interface. 2593 * 2594 * \note The provided implementation only works on POSIX/Unix (including Linux, 2595 * BSD and OS X) and Windows. On other platforms, you can either disable that 2596 * module and provide your own implementations of the callbacks needed by 2597 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide 2598 * your own implementation of the whole module by setting 2599 * \c MBEDTLS_TIMING_ALT in the current file. 2600 * 2601 * \note See also our Knowledge Base article about porting to a new 2602 * environment: 2603 * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 2604 * 2605 * Module: library/timing.c 2606 * Caller: library/havege.c 2607 * 2608 * This module is used by the HAVEGE random number generator. 2609 */ 2610 #ifdef MBEDTLS_TIMING_C 2611 #undef MBEDTLS_TIMING_C 2612 #endif 2613 2614 /** 2615 * \def MBEDTLS_VERSION_C 2616 * 2617 * Enable run-time version information. 2618 * 2619 * Module: library/version.c 2620 * 2621 * This module provides run-time version information. 2622 */ 2623 #define MBEDTLS_VERSION_C 2624 2625 /** 2626 * \def MBEDTLS_X509_USE_C 2627 * 2628 * Enable X.509 core for using certificates. 2629 * 2630 * Module: library/x509.c 2631 * Caller: library/mbedtls_x509_crl.c 2632 * library/mbedtls_x509_crt.c 2633 * library/mbedtls_x509_csr.c 2634 * 2635 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, 2636 * MBEDTLS_PK_PARSE_C, MBEDTLS_MD_C 2637 * 2638 * This module is required for the X.509 parsing modules. 2639 */ 2640 #define MBEDTLS_X509_USE_C 2641 2642 /** 2643 * \def MBEDTLS_X509_CRT_PARSE_C 2644 * 2645 * Enable X.509 certificate parsing. 2646 * 2647 * Module: library/mbedtls_x509_crt.c 2648 * Caller: library/ssl_tls.c 2649 * library/ssl*_client.c 2650 * library/ssl*_server.c 2651 * 2652 * Requires: MBEDTLS_X509_USE_C 2653 * 2654 * This module is required for X.509 certificate parsing. 2655 */ 2656 #define MBEDTLS_X509_CRT_PARSE_C 2657 2658 /** 2659 * \def MBEDTLS_X509_CRL_PARSE_C 2660 * 2661 * Enable X.509 CRL parsing. 2662 * 2663 * Module: library/mbedtls_x509_crl.c 2664 * Caller: library/mbedtls_x509_crt.c 2665 * 2666 * Requires: MBEDTLS_X509_USE_C 2667 * 2668 * This module is required for X.509 CRL parsing. 2669 */ 2670 #ifdef CONFIG_MBEDTLS_X509_CRL_PARSE_C 2671 #define MBEDTLS_X509_CRL_PARSE_C 2672 #else 2673 #undef MBEDTLS_X509_CRL_PARSE_C 2674 #endif 2675 2676 /** 2677 * \def MBEDTLS_X509_CSR_PARSE_C 2678 * 2679 * Enable X.509 Certificate Signing Request (CSR) parsing. 2680 * 2681 * Module: library/mbedtls_x509_csr.c 2682 * Caller: library/x509_crt_write.c 2683 * 2684 * Requires: MBEDTLS_X509_USE_C 2685 * 2686 * This module is used for reading X.509 certificate request. 2687 */ 2688 #ifdef CONFIG_MBEDTLS_X509_CSR_PARSE_C 2689 #define MBEDTLS_X509_CSR_PARSE_C 2690 #else 2691 #undef MBEDTLS_X509_CSR_PARSE_C 2692 #endif 2693 2694 /** 2695 * \def MBEDTLS_X509_CREATE_C 2696 * 2697 * Enable X.509 core for creating certificates. 2698 * 2699 * Module: library/x509_create.c 2700 * 2701 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C, 2702 * MBEDTLS_MD_C 2703 * 2704 * This module is the basis for creating X.509 certificates and CSRs. 2705 */ 2706 #define MBEDTLS_X509_CREATE_C 2707 2708 /** 2709 * \def MBEDTLS_X509_CRT_WRITE_C 2710 * 2711 * Enable creating X.509 certificates. 2712 * 2713 * Module: library/x509_crt_write.c 2714 * 2715 * Requires: MBEDTLS_X509_CREATE_C 2716 * 2717 * This module is required for X.509 certificate creation. 2718 */ 2719 #define MBEDTLS_X509_CRT_WRITE_C 2720 2721 /** 2722 * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 2723 * 2724 * Alow the X509 parser to not break-off when parsing an X509 certificate 2725 * and encountering an unknown critical extension. 2726 * 2727 * Module: library/x509_crt.c 2728 * 2729 * Requires: MBEDTLS_X509_CRT_PARSE_C 2730 * 2731 * This module is supports loading of certificates with extensions that 2732 * may not be supported by mbedtls. 2733 */ 2734 #ifdef CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT 2735 #define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 2736 #else 2737 #undef MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 2738 #endif 2739 2740 /** 2741 * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 2742 * 2743 * If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()` 2744 * and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure 2745 * the set of trusted certificates through a callback instead of a linked 2746 * list. 2747 * 2748 * This is useful for example in environments where a large number of trusted 2749 * certificates is present and storing them in a linked list isn't efficient 2750 * enough, or when the set of trusted certificates changes frequently. 2751 * 2752 * See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and 2753 * `mbedtls_ssl_conf_ca_cb()` for more information. 2754 * 2755 * Uncomment to enable trusted certificate callbacks. 2756 */ 2757 #ifdef CONFIG_MBEDTLS_X509_TRUSTED_CERT_CALLBACK 2758 #define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 2759 #else 2760 #undef MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 2761 #endif 2762 2763 /** 2764 * \def MBEDTLS_X509_CSR_WRITE_C 2765 * 2766 * Enable creating X.509 Certificate Signing Requests (CSR). 2767 * 2768 * Module: library/x509_csr_write.c 2769 * 2770 * Requires: MBEDTLS_X509_CREATE_C 2771 * 2772 * This module is required for X.509 certificate request writing. 2773 */ 2774 #define MBEDTLS_X509_CSR_WRITE_C 2775 2776 /** 2777 * \def MBEDTLS_XTEA_C 2778 * 2779 * Enable the XTEA block cipher. 2780 * 2781 * Module: library/xtea.c 2782 * Caller: 2783 */ 2784 #ifdef CONFIG_MBEDTLS_XTEA_C 2785 #define MBEDTLS_XTEA_C 2786 #else 2787 #undef MBEDTLS_XTEA_C 2788 #endif 2789 2790 /* \} name SECTION: mbed TLS modules */ 2791 2792 /** 2793 * \name SECTION: Module configuration options 2794 * 2795 * This section allows for the setting of module specific sizes and 2796 * configuration options. The default values are already present in the 2797 * relevant header files and should suffice for the regular use cases. 2798 * 2799 * Our advice is to enable options and change their values here 2800 * only if you have a good reason and know the consequences. 2801 * 2802 * Please check the respective header file for documentation on these 2803 * parameters (to prevent duplicate documentation). 2804 * \{ 2805 */ 2806 2807 /* SSL options */ 2808 #ifndef CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN 2809 2810 #define MBEDTLS_SSL_MAX_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ 2811 2812 #else 2813 2814 /** \def MBEDTLS_SSL_IN_CONTENT_LEN 2815 * 2816 * Maximum incoming fragment length in bytes. 2817 * 2818 * Uncomment to set the size of the inward TLS buffer independently of the 2819 * outward buffer. 2820 */ 2821 #define MBEDTLS_SSL_IN_CONTENT_LEN CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN 2822 2823 /** \def MBEDTLS_SSL_CID_IN_LEN_MAX 2824 * 2825 * The maximum length of CIDs used for incoming DTLS messages. 2826 * 2827 */ 2828 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID 2829 #define MBEDTLS_SSL_CID_IN_LEN_MAX CONFIG_MBEDTLS_SSL_CID_IN_LEN_MAX 2830 #else 2831 #undef MBEDTLS_SSL_CID_IN_LEN_MAX 2832 #endif 2833 2834 2835 /** \def MBEDTLS_SSL_CID_OUT_LEN_MAX 2836 * 2837 * The maximum length of CIDs used for outgoing DTLS messages. 2838 * 2839 */ 2840 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID 2841 #define MBEDTLS_SSL_CID_OUT_LEN_MAX CONFIG_MBEDTLS_SSL_CID_OUT_LEN_MAX 2842 #else 2843 #undef MBEDTLS_SSL_CID_OUT_LEN_MAX 2844 #endif 2845 2846 /** \def MBEDTLS_SSL_CID_PADDING_GRANULARITY 2847 * 2848 * This option controls the use of record plaintext padding 2849 * when using the Connection ID extension in DTLS 1.2. 2850 * 2851 * The padding will always be chosen so that the length of the 2852 * padded plaintext is a multiple of the value of this option. 2853 * 2854 * Note: A value of \c 1 means that no padding will be used 2855 * for outgoing records. 2856 * 2857 * Note: On systems lacking division instructions, 2858 * a power of two should be preferred. 2859 * 2860 */ 2861 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID 2862 #define MBEDTLS_SSL_CID_PADDING_GRANULARITY CONFIG_MBEDTLS_SSL_CID_PADDING_GRANULARITY 2863 #else 2864 #undef MBEDTLS_SSL_CID_PADDING_GRANULARITY 2865 #endif 2866 2867 2868 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN 2869 * 2870 * Maximum outgoing fragment length in bytes. 2871 * 2872 * Uncomment to set the size of the outward TLS buffer independently of the 2873 * inward buffer. 2874 * 2875 * It is possible to save RAM by setting a smaller outward buffer, while keeping 2876 * the default inward 16384 byte buffer to conform to the TLS specification. 2877 * 2878 * The minimum required outward buffer size is determined by the handshake 2879 * protocol's usage. Handshaking will fail if the outward buffer is too small. 2880 * The specific size requirement depends on the configured ciphers and any 2881 * certificate data which is sent during the handshake. 2882 * 2883 * For absolute minimum RAM usage, it's best to enable 2884 * MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This 2885 * reduces both incoming and outgoing buffer sizes. However this is only 2886 * guaranteed if the other end of the connection also supports the TLS 2887 * max_fragment_len extension. Otherwise the connection may fail. 2888 */ 2889 #define MBEDTLS_SSL_OUT_CONTENT_LEN CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN 2890 2891 #endif /* !CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN */ 2892 2893 /** 2894 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake 2895 * signature and ciphersuite selection. Without this build-time option, SHA-1 2896 * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes. 2897 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by 2898 * default. At the time of writing, there is no practical attack on the use 2899 * of SHA-1 in handshake signatures, hence this option is turned on by default 2900 * for compatibility with existing peers. 2901 * 2902 * \warning SHA-1 is considered a weak message digest and its use constitutes 2903 * a security risk. If possible, we recommend avoiding dependencies 2904 * on it, and considering stronger message digests instead. 2905 */ 2906 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE 2907 2908 /** 2909 * \def MBEDTLS_THREADING_C 2910 * 2911 * Enable the threading abstraction layer. 2912 * By default mbed TLS assumes it is used in a non-threaded environment or that 2913 * contexts are not shared between threads. If you do intend to use contexts 2914 * between threads, you will need to enable this layer to prevent race 2915 * conditions. See also our Knowledge Base article about threading: 2916 * https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading 2917 * 2918 * Module: library/threading.c 2919 * 2920 * This allows different threading implementations (self-implemented or 2921 * provided). 2922 * 2923 * You will have to enable either MBEDTLS_THREADING_ALT or 2924 * MBEDTLS_THREADING_PTHREAD. 2925 * 2926 * Enable this layer to allow use of mutexes within mbed TLS 2927 */ 2928 #ifdef CONFIG_MBEDTLS_THREADING_C 2929 #define MBEDTLS_THREADING_C 2930 #else 2931 #undef MBEDTLS_THREADING_C 2932 #endif 2933 2934 /** 2935 * \def MBEDTLS_THREADING_ALT 2936 * 2937 * Provide your own alternate threading implementation. 2938 * 2939 * Requires: MBEDTLS_THREADING_C 2940 * 2941 * Uncomment this to allow your own alternate threading implementation. 2942 */ 2943 #ifdef CONFIG_MBEDTLS_THREADING_ALT 2944 #define MBEDTLS_THREADING_ALT 2945 #else 2946 #undef MBEDTLS_THREADING_ALT 2947 #endif 2948 2949 /** 2950 * \def MBEDTLS_THREADING_PTHREAD 2951 * 2952 * Enable the pthread wrapper layer for the threading layer. 2953 * 2954 * Requires: MBEDTLS_THREADING_C 2955 * 2956 * Uncomment this to enable pthread mutexes. 2957 */ 2958 #ifdef CONFIG_MBEDTLS_THREADING_PTHREAD 2959 #define MBEDTLS_THREADING_PTHREAD 2960 #else 2961 #undef MBEDTLS_THREADING_PTHREAD 2962 #endif 2963 2964 /** 2965 * \def MBEDTLS_NIST_KW_C 2966 * 2967 * Enable AES key wrapping as per NIST 2968 * 2969 * Requires: MBEDTLS_AES_C 2970 * 2971 * Uncomment this to enable aes key wrap. 2972 */ 2973 #ifdef CONFIG_MBEDTLS_NIST_KW_C 2974 #define MBEDTLS_NIST_KW_C 2975 #else 2976 #undef MBEDTLS_NIST_KW_C 2977 #endif 2978 2979 /* \} name SECTION: Module configuration options */ 2980 2981 #if defined(TARGET_LIKE_MBED) 2982 #include "mbedtls/target_config.h" 2983 #endif 2984 2985 /* 2986 * Allow user to override any previous default. 2987 * 2988 * Use two macro names for that, as: 2989 * - with yotta the prefix YOTTA_CFG_ is forced 2990 * - without yotta is looks weird to have a YOTTA prefix. 2991 */ 2992 #if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE) 2993 #include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE 2994 #elif defined(MBEDTLS_USER_CONFIG_FILE) 2995 #include MBEDTLS_USER_CONFIG_FILE 2996 #endif 2997 2998 /* This flag makes sure that we are not using 2999 * any functino that is deprecated by mbedtls */ 3000 #define MBEDTLS_DEPRECATED_REMOVED 3001 3002 #endif /* ESP_CONFIG_H */ 3003
