1 /** 2 * 3 * \brief Default mbedTLS configuration options for esp-idf 4 * 5 * This set of compile-time options may be used to enable 6 * or disable features selectively, and reduce the global 7 * memory footprint. 8 * 9 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 10 * SPDX-License-Identifier: Apache-2.0 11 * 12 * Licensed under the Apache License, Version 2.0 (the "License"); you may 13 * not use this file except in compliance with the License. 14 * You may obtain a copy of the License at 15 * 16 * http://www.apache.org/licenses/LICENSE-2.0 17 * 18 * Unless required by applicable law or agreed to in writing, software 19 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 20 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 21 * See the License for the specific language governing permissions and 22 * limitations under the License. 23 * 24 * This file is part of mbed TLS (https://tls.mbed.org) 25 */ 26 27 #ifndef ESP_CONFIG_H 28 #define ESP_CONFIG_H 29 30 #include "sdkconfig.h" 31 #include "mbedtls/config.h" 32 #include "soc/soc_caps.h" 33 34 /** 35 * \name SECTION: System support 36 * 37 * This section sets system specific settings. 38 * \{ 39 */ 40 41 /** 42 * \def MBEDTLS_HAVE_TIME 43 * 44 * System has time.h and time(). 45 * The time does not need to be correct, only time differences are used, 46 * by contrast with MBEDTLS_HAVE_TIME_DATE 47 * 48 * Comment if your system does not support time functions 49 */ 50 #ifdef CONFIG_MBEDTLS_HAVE_TIME 51 #define MBEDTLS_HAVE_TIME 52 #else 53 #undef MBEDTLS_HAVE_TIME 54 #endif 55 56 /** 57 * \def MBEDTLS_HAVE_TIME_DATE 58 * 59 * System has time.h and time(), gmtime() and the clock is correct. 60 * The time needs to be correct (not necesarily very accurate, but at least 61 * the date should be correct). This is used to verify the validity period of 62 * X.509 certificates. 63 * 64 * Comment if your system does not have a correct clock. 65 */ 66 #ifdef CONFIG_MBEDTLS_HAVE_TIME_DATE 67 #define MBEDTLS_HAVE_TIME_DATE 68 #else 69 #undef MBEDTLS_HAVE_TIME_DATE 70 #endif 71 72 /** 73 * \def MBEDTLS_PLATFORM_MEMORY 74 * 75 * Enable the memory allocation layer. 76 * 77 * By default mbed TLS uses the system-provided calloc() and free(). 78 * This allows different allocators (self-implemented or provided) to be 79 * provided to the platform abstraction layer. 80 * 81 * Enabling MBEDTLS_PLATFORM_MEMORY without the 82 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 83 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 84 * free() function pointer at runtime. 85 * 86 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 87 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 88 * alternate function at compile time. 89 * 90 * Requires: MBEDTLS_PLATFORM_C 91 * 92 * Enable this layer to allow use of alternative memory allocators. 93 */ 94 #define MBEDTLS_PLATFORM_MEMORY 95 96 /** Override calloc(), free() except for case where memory allocation scheme is not set to custom */ 97 #ifndef CONFIG_MBEDTLS_CUSTOM_MEM_ALLOC 98 #include "esp_mem.h" 99 #define MBEDTLS_PLATFORM_STD_CALLOC esp_mbedtls_mem_calloc 100 #define MBEDTLS_PLATFORM_STD_FREE esp_mbedtls_mem_free 101 #endif 102 103 /* \} name SECTION: System support */ 104 105 /** 106 * \name SECTION: mbed TLS feature support 107 * 108 * This section sets support for features that are or are not needed 109 * within the modules that are enabled. 110 * \{ 111 */ 112 113 /* The following units have ESP32 hardware support, 114 uncommenting each _ALT macro will use the 115 hardware-accelerated implementation. */ 116 #ifdef CONFIG_MBEDTLS_HARDWARE_AES 117 #define MBEDTLS_AES_ALT 118 #else 119 #undef MBEDTLS_AES_ALT 120 #endif 121 122 #ifdef CONFIG_MBEDTLS_HARDWARE_GCM 123 #define MBEDTLS_GCM_ALT 124 #else 125 #undef MBEDTLS_GCM_ALT 126 #endif 127 128 /* MBEDTLS_SHAxx_ALT to enable hardware SHA support 129 with software fallback. 130 */ 131 #ifdef CONFIG_MBEDTLS_HARDWARE_SHA 132 #define MBEDTLS_SHA1_ALT 133 #define MBEDTLS_SHA256_ALT 134 135 #if SOC_SHA_SUPPORT_SHA512 136 #define MBEDTLS_SHA512_ALT 137 #else 138 #undef MBEDTLS_SHA512_ALT 139 #endif 140 141 #else 142 #undef MBEDTLS_SHA1_ALT 143 #undef MBEDTLS_SHA256_ALT 144 #undef MBEDTLS_SHA512_ALT 145 #endif 146 147 /* MBEDTLS_MDx_ALT to enable ROM MD support 148 with software fallback. 149 */ 150 #ifdef CONFIG_MBEDTLS_ROM_MD5 151 #define MBEDTLS_MD5_ALT 152 #else 153 #undef MBEDTLS_MD5_ALT 154 #endif 155 156 /* The following MPI (bignum) functions have ESP32 hardware support. 157 For exponential mod, both software and hardware implementation 158 will be compiled. If CONFIG_MBEDTLS_HARDWARE_MPI is enabled, mod APIs 159 will be wrapped to use hardware implementation. 160 */ 161 #undef MBEDTLS_MPI_EXP_MOD_ALT 162 #ifdef CONFIG_MBEDTLS_HARDWARE_MPI 163 #define MBEDTLS_MPI_MUL_MPI_ALT 164 #else 165 #undef MBEDTLS_MPI_MUL_MPI_ALT 166 #endif 167 168 #ifdef CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN 169 #define MBEDTLS_ECDSA_SIGN_ALT 170 #endif 171 172 #ifdef CONFIG_MBEDTLS_ATCA_HW_ECDSA_VERIFY 173 #define MBEDTLS_ECDSA_VERIFY_ALT 174 #endif 175 176 /** 177 * \def MBEDTLS_ENTROPY_HARDWARE_ALT 178 * 179 * Uncomment this macro to let mbed TLS use your own implementation of a 180 * hardware entropy collector. 181 * 182 * Your function must be called \c mbedtls_hardware_poll(), have the same 183 * prototype as declared in entropy_poll.h, and accept NULL as first argument. 184 * 185 * Uncomment to use your own hardware entropy collector. 186 */ 187 #define MBEDTLS_ENTROPY_HARDWARE_ALT 188 189 /** 190 * \def MBEDTLS_AES_ROM_TABLES 191 * 192 * Store the AES tables in ROM. 193 * 194 * Uncomment this macro to store the AES tables in ROM. 195 */ 196 #define MBEDTLS_AES_ROM_TABLES 197 198 /** 199 * \def MBEDTLS_CIPHER_MODE_CBC 200 * 201 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. 202 */ 203 #define MBEDTLS_CIPHER_MODE_CBC 204 205 /** 206 * \def MBEDTLS_CIPHER_MODE_CFB 207 * 208 * Enable Cipher Feedback mode (CFB) for symmetric ciphers. 209 */ 210 #define MBEDTLS_CIPHER_MODE_CFB 211 212 /** 213 * \def MBEDTLS_CIPHER_MODE_CTR 214 * 215 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. 216 */ 217 #define MBEDTLS_CIPHER_MODE_CTR 218 219 /** 220 * \def MBEDTLS_CIPHER_MODE_OFB 221 * 222 * Enable Output Feedback mode (OFB) for symmetric ciphers. 223 */ 224 #define MBEDTLS_CIPHER_MODE_OFB 225 226 /** 227 * \def MBEDTLS_CIPHER_MODE_XTS 228 * 229 * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. 230 */ 231 #define MBEDTLS_CIPHER_MODE_XTS 232 233 /** 234 * \def MBEDTLS_CIPHER_PADDING_PKCS7 235 * 236 * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for 237 * specific padding modes in the cipher layer with cipher modes that support 238 * padding (e.g. CBC) 239 * 240 * If you disable all padding modes, only full blocks can be used with CBC. 241 * 242 * Enable padding modes in the cipher layer. 243 */ 244 #define MBEDTLS_CIPHER_PADDING_PKCS7 245 #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS 246 #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN 247 #define MBEDTLS_CIPHER_PADDING_ZEROS 248 249 /** 250 * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES & MBEDTLS_ARC4_C 251 * 252 * MBEDTLS_ARC4_C 253 * Enable the ARCFOUR stream cipher. 254 * 255 * This module enables/disables the following ciphersuites 256 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 257 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA 258 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 259 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA 260 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 261 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA 262 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA 263 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 264 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA 265 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA 266 * 267 * MBEDTLS_REMOVE_ARC4_CIPHERSUITES 268 * This flag removes the ciphersuites based on RC4 from the default list as 269 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to 270 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them 271 * explicitly. 272 * 273 * Uncomment this macro to remove RC4 ciphersuites by default. 274 */ 275 #ifdef CONFIG_MBEDTLS_RC4_ENABLED 276 #define MBEDTLS_ARC4_C 277 #undef MBEDTLS_REMOVE_ARC4_CIPHERSUITES 278 #elif defined CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT 279 #define MBEDTLS_ARC4_C 280 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES 281 #else 282 #undef MBEDTLS_ARC4_C 283 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES 284 #endif 285 286 /** 287 * \def MBEDTLS_ECP_RESTARTABLE 288 * 289 * Enable "non-blocking" ECC operations that can return early and be resumed. 290 * 291 * This allows various functions to pause by returning 292 * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module, 293 * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in 294 * order to further progress and eventually complete their operation. This is 295 * controlled through mbedtls_ecp_set_max_ops() which limits the maximum 296 * number of ECC operations a function may perform before pausing; see 297 * mbedtls_ecp_set_max_ops() for more information. 298 * 299 * This is useful in non-threaded environments if you want to avoid blocking 300 * for too long on ECC (and, hence, X.509 or SSL/TLS) operations. 301 * 302 * Uncomment this macro to enable restartable ECC computations. 303 * 304 * \note This option only works with the default software implementation of 305 * elliptic curve functionality. It is incompatible with 306 * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT and MBEDTLS_ECDSA_XXX_ALT. 307 */ 308 #ifdef CONFIG_MBEDTLS_ECP_RESTARTABLE 309 #define MBEDTLS_ECP_RESTARTABLE 310 #endif 311 312 /** 313 * \def MBEDTLS_CMAC_C 314 * 315 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block 316 * ciphers. 317 * 318 * Module: library/cmac.c 319 * 320 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C 321 * 322 */ 323 #ifdef CONFIG_MBEDTLS_CMAC_C 324 #define MBEDTLS_CMAC_C 325 #endif 326 327 /** 328 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED 329 * 330 * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve 331 * module. By default all supported curves are enabled. 332 * 333 * Comment macros to disable the curve and functions for it 334 */ 335 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED 336 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED 337 #else 338 #undef MBEDTLS_ECP_DP_SECP192R1_ENABLED 339 #endif 340 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED 341 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED 342 #else 343 #undef MBEDTLS_ECP_DP_SECP224R1_ENABLED 344 #endif 345 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED 346 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED 347 #else 348 #undef MBEDTLS_ECP_DP_SECP256R1_ENABLED 349 #endif 350 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED 351 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED 352 #else 353 #undef MBEDTLS_ECP_DP_SECP384R1_ENABLED 354 #endif 355 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED 356 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED 357 #else 358 #undef MBEDTLS_ECP_DP_SECP521R1_ENABLED 359 #endif 360 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED 361 #define MBEDTLS_ECP_DP_SECP192K1_ENABLED 362 #else 363 #undef MBEDTLS_ECP_DP_SECP192K1_ENABLED 364 #endif 365 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED 366 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED 367 #else 368 #undef MBEDTLS_ECP_DP_SECP224K1_ENABLED 369 #endif 370 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED 371 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED 372 #else 373 #undef MBEDTLS_ECP_DP_SECP256K1_ENABLED 374 #endif 375 #ifdef CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED 376 #define MBEDTLS_ECP_DP_BP256R1_ENABLED 377 #else 378 #undef MBEDTLS_ECP_DP_BP256R1_ENABLED 379 #endif 380 #ifdef CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED 381 #define MBEDTLS_ECP_DP_BP384R1_ENABLED 382 #else 383 #undef MBEDTLS_ECP_DP_BP384R1_ENABLED 384 #endif 385 #ifdef CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED 386 #define MBEDTLS_ECP_DP_BP512R1_ENABLED 387 #else 388 #undef MBEDTLS_ECP_DP_BP512R1_ENABLED 389 #endif 390 #ifdef CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED 391 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED 392 #else 393 #undef MBEDTLS_ECP_DP_CURVE25519_ENABLED 394 #endif 395 396 #ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED 397 #undef MBEDTLS_ECP_DP_CURVE448_ENABLED 398 #endif 399 400 /** 401 * \def MBEDTLS_ECP_NIST_OPTIM 402 * 403 * Enable specific 'modulo p' routines for each NIST prime. 404 * Depending on the prime and architecture, makes operations 4 to 8 times 405 * faster on the corresponding curve. 406 * 407 * Comment this macro to disable NIST curves optimisation. 408 */ 409 #ifdef CONFIG_MBEDTLS_ECP_NIST_OPTIM 410 #define MBEDTLS_ECP_NIST_OPTIM 411 #else 412 #undef MBEDTLS_ECP_NIST_OPTIM 413 #endif 414 415 /** 416 * \def MBEDTLS_ECDSA_DETERMINISTIC 417 * 418 * Enable deterministic ECDSA (RFC 6979). 419 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing 420 * may result in a compromise of the long-term signing key. This is avoided by 421 * the deterministic variant. 422 * 423 * Requires: MBEDTLS_HMAC_DRBG_C 424 * 425 * Comment this macro to disable deterministic ECDSA. 426 */ 427 #ifdef CONFIG_MBEDTLS_ECDSA_DETERMINISTIC 428 #define MBEDTLS_ECDSA_DETERMINISTIC 429 #else 430 #undef MBEDTLS_ECDSA_DETERMINISTIC 431 #endif 432 433 /** 434 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 435 * 436 * Enable the PSK based ciphersuite modes in SSL / TLS. 437 * 438 * This enables the following ciphersuites (if other requisites are 439 * enabled as well): 440 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 441 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 442 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 443 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 444 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 445 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 446 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 447 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 448 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 449 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 450 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 451 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA 452 */ 453 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_PSK 454 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 455 #else 456 #undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 457 #endif 458 459 /** 460 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 461 * 462 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS. 463 * 464 * Requires: MBEDTLS_DHM_C 465 * 466 * This enables the following ciphersuites (if other requisites are 467 * enabled as well): 468 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 469 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 470 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 471 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 472 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 473 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 474 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 475 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 476 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 477 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 478 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 479 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA 480 */ 481 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK 482 #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 483 #else 484 #undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 485 #endif 486 487 /** 488 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 489 * 490 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. 491 * 492 * Requires: MBEDTLS_ECDH_C 493 * 494 * This enables the following ciphersuites (if other requisites are 495 * enabled as well): 496 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 497 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 498 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 499 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 500 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 501 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 502 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 503 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 504 */ 505 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK 506 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 507 #else 508 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 509 #endif 510 511 /** 512 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 513 * 514 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS. 515 * 516 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 517 * MBEDTLS_X509_CRT_PARSE_C 518 * 519 * This enables the following ciphersuites (if other requisites are 520 * enabled as well): 521 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 522 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 523 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 524 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 525 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 526 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 527 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 528 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 529 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 530 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 531 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 532 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA 533 */ 534 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK 535 #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 536 #else 537 #undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 538 #endif 539 540 /** 541 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 542 * 543 * Enable the RSA-only based ciphersuite modes in SSL / TLS. 544 * 545 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 546 * MBEDTLS_X509_CRT_PARSE_C 547 * 548 * This enables the following ciphersuites (if other requisites are 549 * enabled as well): 550 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 551 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 552 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 553 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 554 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 555 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 556 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 557 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 558 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 559 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 560 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 561 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 562 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 563 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA 564 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 565 */ 566 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA 567 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 568 #else 569 #undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 570 #endif 571 572 /** 573 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 574 * 575 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS. 576 * 577 * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 578 * MBEDTLS_X509_CRT_PARSE_C 579 * 580 * This enables the following ciphersuites (if other requisites are 581 * enabled as well): 582 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 583 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 584 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 585 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 586 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 587 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 588 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 589 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 590 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 591 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 592 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 593 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 594 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 595 */ 596 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA 597 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 598 #else 599 #undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 600 #endif 601 602 /** 603 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 604 * 605 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. 606 * 607 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 608 * MBEDTLS_X509_CRT_PARSE_C 609 * 610 * This enables the following ciphersuites (if other requisites are 611 * enabled as well): 612 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 613 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 614 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 615 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 616 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 617 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 618 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 619 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 620 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 621 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 622 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 623 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA 624 */ 625 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA 626 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 627 #else 628 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 629 #endif 630 631 /** 632 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 633 * 634 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. 635 * 636 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C, 637 * 638 * This enables the following ciphersuites (if other requisites are 639 * enabled as well): 640 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 641 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 642 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 643 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 644 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 645 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 646 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 647 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 648 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 649 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 650 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 651 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 652 */ 653 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA 654 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 655 #else 656 #undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 657 #endif 658 659 /** 660 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 661 * 662 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. 663 * 664 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C 665 * 666 * This enables the following ciphersuites (if other requisites are 667 * enabled as well): 668 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 669 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 670 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 671 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 672 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 673 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 674 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 675 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 676 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 677 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 678 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 679 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 680 */ 681 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA 682 #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 683 #else 684 #undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 685 #endif 686 687 /** 688 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 689 * 690 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. 691 * 692 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C 693 * 694 * This enables the following ciphersuites (if other requisites are 695 * enabled as well): 696 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA 697 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 698 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 699 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 700 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 701 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 702 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 703 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 704 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 705 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 706 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 707 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 708 */ 709 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA 710 #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 711 #else 712 #undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 713 #endif 714 715 /** 716 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 717 * 718 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. 719 * 720 * \warning This is currently experimental. EC J-PAKE support is based on the 721 * Thread v1.0.0 specification; incompatible changes to the specification 722 * might still happen. For this reason, this is disabled by default. 723 * 724 * Requires: MBEDTLS_ECJPAKE_C 725 * MBEDTLS_SHA256_C 726 * MBEDTLS_ECP_DP_SECP256R1_ENABLED 727 * 728 * This enables the following ciphersuites (if other requisites are 729 * enabled as well): 730 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 731 */ 732 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE 733 #define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 734 #else 735 #undef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 736 #endif 737 738 /** 739 * \def MBEDTLS_PK_PARSE_EC_EXTENDED 740 * 741 * Enhance support for reading EC keys using variants of SEC1 not allowed by 742 * RFC 5915 and RFC 5480. 743 * 744 * Currently this means parsing the SpecifiedECDomain choice of EC 745 * parameters (only known groups are supported, not arbitrary domains, to 746 * avoid validation issues). 747 * 748 * Disable if you only need to support RFC 5915 + 5480 key formats. 749 */ 750 #define MBEDTLS_PK_PARSE_EC_EXTENDED 751 752 /** 753 * \def MBEDTLS_ERROR_STRERROR_DUMMY 754 * 755 * Enable a dummy error function to make use of mbedtls_strerror() in 756 * third party libraries easier when MBEDTLS_ERROR_C is disabled 757 * (no effect when MBEDTLS_ERROR_C is enabled). 758 * 759 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're 760 * not using mbedtls_strerror() or error_strerror() in your application. 761 * 762 * Disable if you run into name conflicts and want to really remove the 763 * mbedtls_strerror() 764 */ 765 #define MBEDTLS_ERROR_STRERROR_DUMMY 766 767 /** 768 * \def MBEDTLS_GENPRIME 769 * 770 * Enable the prime-number generation code. 771 * 772 * Requires: MBEDTLS_BIGNUM_C 773 */ 774 #define MBEDTLS_GENPRIME 775 776 /** 777 * \def MBEDTLS_FS_IO 778 * 779 * Enable functions that use the filesystem. 780 */ 781 #define MBEDTLS_FS_IO 782 783 /** 784 * \def MBEDTLS_NO_PLATFORM_ENTROPY 785 * 786 * Do not use built-in platform entropy functions. 787 * This is useful if your platform does not support 788 * standards like the /dev/urandom or Windows CryptoAPI. 789 * 790 * Uncomment this macro to disable the built-in platform entropy functions. 791 */ 792 #define MBEDTLS_NO_PLATFORM_ENTROPY 793 794 /** 795 * \def MBEDTLS_PK_RSA_ALT_SUPPORT 796 * 797 * Support external private RSA keys (eg from a HSM) in the PK layer. 798 * 799 * Comment this macro to disable support for external private RSA keys. 800 */ 801 #define MBEDTLS_PK_RSA_ALT_SUPPORT 802 803 /** 804 * \def MBEDTLS_PKCS1_V15 805 * 806 * Enable support for PKCS#1 v1.5 encoding. 807 * 808 * Requires: MBEDTLS_RSA_C 809 * 810 * This enables support for PKCS#1 v1.5 operations. 811 */ 812 #define MBEDTLS_PKCS1_V15 813 814 /** 815 * \def MBEDTLS_PKCS1_V21 816 * 817 * Enable support for PKCS#1 v2.1 encoding. 818 * 819 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C 820 * 821 * This enables support for RSAES-OAEP and RSASSA-PSS operations. 822 */ 823 #define MBEDTLS_PKCS1_V21 824 825 /** 826 * \def MBEDTLS_SELF_TEST 827 * 828 * Enable the checkup functions (*_self_test). 829 */ 830 #define MBEDTLS_SELF_TEST 831 832 /** 833 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES 834 * 835 * Enable sending of alert messages in case of encountered errors as per RFC. 836 * If you choose not to send the alert messages, mbed TLS can still communicate 837 * with other servers, only debugging of failures is harder. 838 * 839 * The advantage of not sending alert messages, is that no information is given 840 * about reasons for failures thus preventing adversaries of gaining intel. 841 * 842 * Enable sending of all alert messages 843 */ 844 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES 845 846 /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC 847 * 848 * Enable support for Encrypt-then-MAC, RFC 7366. 849 * 850 * This allows peers that both support it to use a more robust protection for 851 * ciphersuites using CBC, providing deep resistance against timing attacks 852 * on the padding or underlying cipher. 853 * 854 * This only affects CBC ciphersuites, and is useless if none is defined. 855 * 856 * Requires: MBEDTLS_SSL_PROTO_TLS1 or 857 * MBEDTLS_SSL_PROTO_TLS1_1 or 858 * MBEDTLS_SSL_PROTO_TLS1_2 859 * 860 * Comment this macro to disable support for Encrypt-then-MAC 861 */ 862 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 863 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC 864 #else 865 #undef MBEDTLS_SSL_ENCRYPT_THEN_MAC 866 #endif 867 868 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET 869 * 870 * Enable support for Extended Master Secret, aka Session Hash 871 * (draft-ietf-tls-session-hash-02). 872 * 873 * This was introduced as "the proper fix" to the Triple Handshake familiy of 874 * attacks, but it is recommended to always use it (even if you disable 875 * renegotiation), since it actually fixes a more fundamental issue in the 876 * original SSL/TLS design, and has implications beyond Triple Handshake. 877 * 878 * Requires: MBEDTLS_SSL_PROTO_TLS1 or 879 * MBEDTLS_SSL_PROTO_TLS1_1 or 880 * MBEDTLS_SSL_PROTO_TLS1_2 881 * 882 * Comment this macro to disable support for Extended Master Secret. 883 */ 884 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 885 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET 886 #else 887 #undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET 888 #endif 889 890 /** 891 * \def MBEDTLS_SSL_FALLBACK_SCSV 892 * 893 * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00). 894 * 895 * For servers, it is recommended to always enable this, unless you support 896 * only one version of TLS, or know for sure that none of your clients 897 * implements a fallback strategy. 898 * 899 * For clients, you only need this if you're using a fallback strategy, which 900 * is not recommended in the first place, unless you absolutely need it to 901 * interoperate with buggy (version-intolerant) servers. 902 * 903 * Comment this macro to disable support for FALLBACK_SCSV 904 */ 905 #define MBEDTLS_SSL_FALLBACK_SCSV 906 907 /** 908 * \def MBEDTLS_SSL_PROTO_TLS1 909 * 910 * Enable support for TLS 1.0. 911 * 912 * Requires: MBEDTLS_MD5_C 913 * MBEDTLS_SHA1_C 914 * 915 * Comment this macro to disable support for TLS 1.0 916 */ 917 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1 918 #define MBEDTLS_SSL_PROTO_TLS1 919 #else 920 #undef MBEDTLS_SSL_PROTO_TLS1 921 #endif 922 923 /** 924 * \def MBEDTLS_SSL_PROTO_SSL3 925 * 926 * Enable support for SSL 3.0. 927 * 928 * Requires: MBEDTLS_MD5_C 929 * MBEDTLS_SHA1_C 930 * 931 * Comment this macro to disable support for SSL 3.0 932 */ 933 #ifdef CONFIG_MBEDTLS_SSL_PROTO_SSL3 934 #define MBEDTLS_SSL_PROTO_SSL3 935 #else 936 #undef MBEDTLS_SSL_PROTO_SSL3 937 #endif 938 939 /** 940 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING 941 * 942 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0. 943 * 944 * This is a countermeasure to the BEAST attack, which also minimizes the risk 945 * of interoperability issues compared to sending 0-length records. 946 * 947 * Comment this macro to disable 1/n-1 record splitting. 948 */ 949 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 950 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING 951 #else 952 #undef MBEDTLS_SSL_CBC_RECORD_SPLITTING 953 #endif 954 955 /** 956 * \def MBEDTLS_SSL_RENEGOTIATION 957 * 958 * Disable support for TLS renegotiation. 959 * 960 * The two main uses of renegotiation are (1) refresh keys on long-lived 961 * connections and (2) client authentication after the initial handshake. 962 * If you don't need renegotiation, it's probably better to disable it, since 963 * it has been associated with security issues in the past and is easy to 964 * misuse/misunderstand. 965 * 966 * Comment this to disable support for renegotiation. 967 */ 968 #ifdef CONFIG_MBEDTLS_SSL_RENEGOTIATION 969 #define MBEDTLS_SSL_RENEGOTIATION 970 #else 971 #undef MBEDTLS_SSL_RENEGOTIATION 972 #endif 973 974 /** 975 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 976 * 977 * Enable support for RFC 6066 max_fragment_length extension in SSL. 978 * 979 * Comment this macro to disable support for the max_fragment_length extension 980 */ 981 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 982 983 /** 984 * \def MBEDTLS_SSL_PROTO_TLS1_1 985 * 986 * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). 987 * 988 * Requires: MBEDTLS_MD5_C 989 * MBEDTLS_SHA1_C 990 * 991 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0 992 */ 993 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_1 994 #define MBEDTLS_SSL_PROTO_TLS1_1 995 #else 996 #undef MBEDTLS_SSL_PROTO_TLS1_1 997 #endif 998 999 /** 1000 * \def MBEDTLS_SSL_PROTO_TLS1_2 1001 * 1002 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). 1003 * 1004 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C 1005 * (Depends on ciphersuites) 1006 * 1007 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 1008 */ 1009 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 1010 #define MBEDTLS_SSL_PROTO_TLS1_2 1011 #else 1012 #undef MBEDTLS_SSL_PROTO_TLS1_2 1013 #endif 1014 1015 /** 1016 * \def MBEDTLS_SSL_PROTO_DTLS 1017 * 1018 * Enable support for DTLS (all available versions). 1019 * 1020 * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, 1021 * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. 1022 * 1023 * Requires: MBEDTLS_SSL_PROTO_TLS1_1 1024 * or MBEDTLS_SSL_PROTO_TLS1_2 1025 * 1026 * Comment this macro to disable support for DTLS 1027 */ 1028 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1029 #define MBEDTLS_SSL_PROTO_DTLS 1030 #else 1031 #undef MBEDTLS_SSL_PROTO_DTLS 1032 #endif 1033 1034 /** 1035 * \def MBEDTLS_SSL_ALPN 1036 * 1037 * Enable support for RFC 7301 Application Layer Protocol Negotiation. 1038 * 1039 * Comment this macro to disable support for ALPN. 1040 */ 1041 #ifdef CONFIG_MBEDTLS_SSL_ALPN 1042 #define MBEDTLS_SSL_ALPN 1043 #else 1044 #undef MBEDTLS_SSL_ALPN 1045 #endif 1046 1047 /** 1048 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY 1049 * 1050 * Enable support for the anti-replay mechanism in DTLS. 1051 * 1052 * Requires: MBEDTLS_SSL_TLS_C 1053 * MBEDTLS_SSL_PROTO_DTLS 1054 * 1055 * \warning Disabling this is often a security risk! 1056 * See mbedtls_ssl_conf_dtls_anti_replay() for details. 1057 * 1058 * Comment this to disable anti-replay in DTLS. 1059 */ 1060 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1061 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY 1062 #else 1063 #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY 1064 #endif 1065 1066 /** 1067 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY 1068 * 1069 * Enable support for HelloVerifyRequest on DTLS servers. 1070 * 1071 * This feature is highly recommended to prevent DTLS servers being used as 1072 * amplifiers in DoS attacks against other hosts. It should always be enabled 1073 * unless you know for sure amplification cannot be a problem in the 1074 * environment in which your server operates. 1075 * 1076 * \warning Disabling this can ba a security risk! (see above) 1077 * 1078 * Requires: MBEDTLS_SSL_PROTO_DTLS 1079 * 1080 * Comment this to disable support for HelloVerifyRequest. 1081 */ 1082 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1083 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY 1084 #else 1085 #undef MBEDTLS_SSL_DTLS_HELLO_VERIFY 1086 #endif 1087 1088 /** 1089 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1090 * 1091 * Enable server-side support for clients that reconnect from the same port. 1092 * 1093 * Some clients unexpectedly close the connection and try to reconnect using the 1094 * same source port. This needs special support from the server to handle the 1095 * new connection securely, as described in section 4.2.8 of RFC 6347. This 1096 * flag enables that support. 1097 * 1098 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY 1099 * 1100 * Comment this to disable support for clients reusing the source port. 1101 */ 1102 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1103 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1104 #else 1105 #undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 1106 #endif 1107 1108 /** 1109 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT 1110 * 1111 * Enable support for a limit of records with bad MAC. 1112 * 1113 * See mbedtls_ssl_conf_dtls_badmac_limit(). 1114 * 1115 * Requires: MBEDTLS_SSL_PROTO_DTLS 1116 */ 1117 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS 1118 #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT 1119 #else 1120 #undef MBEDTLS_SSL_DTLS_BADMAC_LIMIT 1121 #endif 1122 1123 /** 1124 * \def MBEDTLS_SSL_SESSION_TICKETS 1125 * 1126 * Enable support for RFC 5077 session tickets in SSL. 1127 * Client-side, provides full support for session tickets (maintainance of a 1128 * session store remains the responsibility of the application, though). 1129 * Server-side, you also need to provide callbacks for writing and parsing 1130 * tickets, including authenticated encryption and key management. Example 1131 * callbacks are provided by MBEDTLS_SSL_TICKET_C. 1132 * 1133 * Comment this macro to disable support for SSL session tickets 1134 */ 1135 #ifdef CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS 1136 #define MBEDTLS_SSL_SESSION_TICKETS 1137 #else 1138 #undef MBEDTLS_SSL_SESSION_TICKETS 1139 #endif 1140 1141 /** 1142 * \def MBEDTLS_SSL_EXPORT_KEYS 1143 * 1144 * Enable support for exporting key block and master secret. 1145 * This is required for certain users of TLS, e.g. EAP-TLS. 1146 * 1147 * Comment this macro to disable support for key export 1148 */ 1149 #define MBEDTLS_SSL_EXPORT_KEYS 1150 1151 /** 1152 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION 1153 * 1154 * Enable support for RFC 6066 server name indication (SNI) in SSL. 1155 * 1156 * Requires: MBEDTLS_X509_CRT_PARSE_C 1157 * 1158 * Comment this macro to disable support for server name indication in SSL 1159 */ 1160 #define MBEDTLS_SSL_SERVER_NAME_INDICATION 1161 1162 /** 1163 * \def MBEDTLS_SSL_TRUNCATED_HMAC 1164 * 1165 * Enable support for RFC 6066 truncated HMAC in SSL. 1166 * 1167 * Comment this macro to disable support for truncated HMAC in SSL 1168 */ 1169 #define MBEDTLS_SSL_TRUNCATED_HMAC 1170 1171 /** 1172 * \def MBEDTLS_VERSION_FEATURES 1173 * 1174 * Allow run-time checking of compile-time enabled features. Thus allowing users 1175 * to check at run-time if the library is for instance compiled with threading 1176 * support via mbedtls_version_check_feature(). 1177 * 1178 * Requires: MBEDTLS_VERSION_C 1179 * 1180 * Comment this to disable run-time checking and save ROM space 1181 */ 1182 #define MBEDTLS_VERSION_FEATURES 1183 1184 /** 1185 * \def MBEDTLS_X509_CHECK_KEY_USAGE 1186 * 1187 * Enable verification of the keyUsage extension (CA and leaf certificates). 1188 * 1189 * Disabling this avoids problems with mis-issued and/or misused 1190 * (intermediate) CA and leaf certificates. 1191 * 1192 * \warning Depending on your PKI use, disabling this can be a security risk! 1193 * 1194 * Comment to skip keyUsage checking for both CA and leaf certificates. 1195 */ 1196 #define MBEDTLS_X509_CHECK_KEY_USAGE 1197 1198 /** 1199 * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 1200 * 1201 * Enable verification of the extendedKeyUsage extension (leaf certificates). 1202 * 1203 * Disabling this avoids problems with mis-issued and/or misused certificates. 1204 * 1205 * \warning Depending on your PKI use, disabling this can be a security risk! 1206 * 1207 * Comment to skip extendedKeyUsage checking for certificates. 1208 */ 1209 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 1210 1211 /** 1212 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT 1213 * 1214 * Enable parsing and verification of X.509 certificates, CRLs and CSRS 1215 * signed with RSASSA-PSS (aka PKCS#1 v2.1). 1216 * 1217 * Comment this macro to disallow using RSASSA-PSS in certificates. 1218 */ 1219 #define MBEDTLS_X509_RSASSA_PSS_SUPPORT 1220 1221 1222 /* \} name SECTION: mbed TLS feature support */ 1223 1224 /** 1225 * \name SECTION: mbed TLS modules 1226 * 1227 * This section enables or disables entire modules in mbed TLS 1228 * \{ 1229 */ 1230 1231 /** 1232 * \def MBEDTLS_AESNI_C 1233 * 1234 * Enable AES-NI support on x86-64. 1235 * 1236 * Module: library/aesni.c 1237 * Caller: library/aes.c 1238 * 1239 * Requires: MBEDTLS_HAVE_ASM 1240 * 1241 * This modules adds support for the AES-NI instructions on x86-64 1242 */ 1243 #define MBEDTLS_AESNI_C 1244 1245 /** 1246 * \def MBEDTLS_AES_C 1247 * 1248 * Enable the AES block cipher. 1249 * 1250 * Module: library/aes.c 1251 * Caller: library/ssl_tls.c 1252 * library/pem.c 1253 * library/ctr_drbg.c 1254 * 1255 * This module enables the following ciphersuites (if other requisites are 1256 * enabled as well): 1257 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 1258 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 1259 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 1260 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 1261 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 1262 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 1263 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 1264 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 1265 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 1266 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 1267 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 1268 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 1269 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 1270 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 1271 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 1272 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 1273 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 1274 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 1275 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 1276 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 1277 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 1278 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 1279 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 1280 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 1281 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 1282 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 1283 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 1284 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 1285 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 1286 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 1287 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 1288 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 1289 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 1290 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 1291 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 1292 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 1293 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 1294 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 1295 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 1296 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 1297 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 1298 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 1299 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 1300 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 1301 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 1302 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 1303 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 1304 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 1305 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 1306 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 1307 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 1308 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 1309 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 1310 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 1311 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 1312 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 1313 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 1314 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 1315 * 1316 * PEM_PARSE uses AES for decrypting encrypted keys. 1317 */ 1318 #ifdef CONFIG_MBEDTLS_AES_C 1319 #define MBEDTLS_AES_C 1320 #else 1321 #undef MBEDTLS_AES_C 1322 #endif 1323 1324 /** 1325 * \def MBEDTLS_ASN1_PARSE_C 1326 * 1327 * Enable the generic ASN1 parser. 1328 * 1329 * Module: library/asn1.c 1330 * Caller: library/x509.c 1331 * library/dhm.c 1332 * library/pkcs12.c 1333 * library/pkcs5.c 1334 * library/pkparse.c 1335 */ 1336 #define MBEDTLS_ASN1_PARSE_C 1337 1338 /** 1339 * \def MBEDTLS_ASN1_WRITE_C 1340 * 1341 * Enable the generic ASN1 writer. 1342 * 1343 * Module: library/asn1write.c 1344 * Caller: library/ecdsa.c 1345 * library/pkwrite.c 1346 * library/x509_create.c 1347 * library/x509write_crt.c 1348 * library/mbedtls_x509write_csr.c 1349 */ 1350 #define MBEDTLS_ASN1_WRITE_C 1351 1352 /** 1353 * \def MBEDTLS_BASE64_C 1354 * 1355 * Enable the Base64 module. 1356 * 1357 * Module: library/base64.c 1358 * Caller: library/pem.c 1359 * 1360 * This module is required for PEM support (required by X.509). 1361 */ 1362 #define MBEDTLS_BASE64_C 1363 1364 /** 1365 * \def MBEDTLS_BIGNUM_C 1366 * 1367 * Enable the multi-precision integer library. 1368 * 1369 * Module: library/bignum.c 1370 * Caller: library/dhm.c 1371 * library/ecp.c 1372 * library/ecdsa.c 1373 * library/rsa.c 1374 * library/ssl_tls.c 1375 * 1376 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. 1377 */ 1378 #define MBEDTLS_BIGNUM_C 1379 1380 /** 1381 * \def MBEDTLS_BLOWFISH_C 1382 * 1383 * Enable the Blowfish block cipher. 1384 * 1385 * Module: library/blowfish.c 1386 */ 1387 #ifdef CONFIG_MBEDTLS_BLOWFISH_C 1388 #define MBEDTLS_BLOWFISH_C 1389 #else 1390 #undef MBEDTLS_BLOWFISH_C 1391 #endif 1392 1393 /** 1394 * \def MBEDTLS_CAMELLIA_C 1395 * 1396 * Enable the Camellia block cipher. 1397 * 1398 * Module: library/camellia.c 1399 * Caller: library/ssl_tls.c 1400 * 1401 * This module enables the following ciphersuites (if other requisites are 1402 * enabled as well): 1403 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 1404 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 1405 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 1406 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 1407 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 1408 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 1409 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 1410 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 1411 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 1412 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 1413 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 1414 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 1415 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 1416 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 1417 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 1418 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 1419 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 1420 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 1421 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 1422 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 1423 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 1424 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 1425 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 1426 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 1427 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 1428 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 1429 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 1430 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 1431 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 1432 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 1433 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 1434 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 1435 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 1436 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 1437 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 1438 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 1439 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 1440 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 1441 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 1442 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 1443 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 1444 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 1445 */ 1446 #ifdef CONFIG_MBEDTLS_CAMELLIA_C 1447 #define MBEDTLS_CAMELLIA_C 1448 #else 1449 #undef MBEDTLS_CAMELLIA_C 1450 #endif 1451 1452 /** 1453 * \def MBEDTLS_CCM_C 1454 * 1455 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. 1456 * 1457 * Module: library/ccm.c 1458 * 1459 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C 1460 * 1461 * This module enables the AES-CCM ciphersuites, if other requisites are 1462 * enabled as well. 1463 */ 1464 #ifdef CONFIG_MBEDTLS_CCM_C 1465 #define MBEDTLS_CCM_C 1466 #else 1467 #undef MBEDTLS_CCM_C 1468 #endif 1469 1470 /** 1471 * \def MBEDTLS_CERTS_C 1472 * 1473 * Enable the test certificates. 1474 * 1475 * Module: library/certs.c 1476 * Caller: 1477 * 1478 * This module is used for testing (ssl_client/server). 1479 */ 1480 #define MBEDTLS_CERTS_C 1481 1482 /** 1483 * \def MBEDTLS_CHACHA20_C 1484 * 1485 * Enable the ChaCha20 stream cipher. 1486 * 1487 * Module: library/chacha20.c 1488 */ 1489 #ifdef CONFIG_MBEDTLS_CHACHA20_C 1490 #define MBEDTLS_CHACHA20_C 1491 #else 1492 #undef MBEDTLS_CHACHA20_C 1493 #endif 1494 1495 /** 1496 * \def MBEDTLS_CHACHAPOLY_C 1497 * 1498 * Enable the ChaCha20-Poly1305 AEAD algorithm. 1499 * 1500 * Module: library/chachapoly.c 1501 * 1502 * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C 1503 */ 1504 #ifdef CONFIG_MBEDTLS_CHACHAPOLY_C 1505 #define MBEDTLS_CHACHAPOLY_C 1506 #else 1507 #undef MBEDTLS_CHACHAPOLY_C 1508 #endif 1509 1510 /** 1511 * \def MBEDTLS_CIPHER_C 1512 * 1513 * Enable the generic cipher layer. 1514 * 1515 * Module: library/cipher.c 1516 * Caller: library/ssl_tls.c 1517 * 1518 * Uncomment to enable generic cipher wrappers. 1519 */ 1520 #define MBEDTLS_CIPHER_C 1521 1522 /** 1523 * \def MBEDTLS_CTR_DRBG_C 1524 * 1525 * Enable the CTR_DRBG AES-256-based random generator. 1526 * 1527 * Module: library/ctr_drbg.c 1528 * Caller: 1529 * 1530 * Requires: MBEDTLS_AES_C 1531 * 1532 * This module provides the CTR_DRBG AES-256 random number generator. 1533 */ 1534 #define MBEDTLS_CTR_DRBG_C 1535 1536 /** 1537 * \def MBEDTLS_DEBUG_C 1538 * 1539 * Enable the debug functions. 1540 * 1541 * Module: library/debug.c 1542 * Caller: library/ssl_cli.c 1543 * library/ssl_srv.c 1544 * library/ssl_tls.c 1545 * 1546 * This module provides debugging functions. 1547 */ 1548 #if CONFIG_MBEDTLS_DEBUG 1549 #define MBEDTLS_DEBUG_C 1550 #else 1551 #undef MBEDTLS_DEBUG_C 1552 #endif 1553 1554 /** 1555 * \def MBEDTLS_DES_C 1556 * 1557 * Enable the DES block cipher. 1558 * 1559 * Module: library/des.c 1560 * Caller: library/pem.c 1561 * library/ssl_tls.c 1562 * 1563 * This module enables the following ciphersuites (if other requisites are 1564 * enabled as well): 1565 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 1566 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 1567 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 1568 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 1569 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 1570 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 1571 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 1572 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 1573 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 1574 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 1575 * 1576 * PEM_PARSE uses DES/3DES for decrypting encrypted keys. 1577 */ 1578 #ifdef CONFIG_MBEDTLS_DES_C 1579 #define MBEDTLS_DES_C 1580 #else 1581 #undef MBEDTLS_DES_C 1582 #endif 1583 1584 /** 1585 * \def MBEDTLS_DHM_C 1586 * 1587 * Enable the Diffie-Hellman-Merkle module. 1588 * 1589 * Module: library/dhm.c 1590 * Caller: library/ssl_cli.c 1591 * library/ssl_srv.c 1592 * 1593 * This module is used by the following key exchanges: 1594 * DHE-RSA, DHE-PSK 1595 */ 1596 #define MBEDTLS_DHM_C 1597 1598 /** 1599 * \def MBEDTLS_ECDH_C 1600 * 1601 * Enable the elliptic curve Diffie-Hellman library. 1602 * 1603 * Module: library/ecdh.c 1604 * Caller: library/ssl_cli.c 1605 * library/ssl_srv.c 1606 * 1607 * This module is used by the following key exchanges: 1608 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK 1609 * 1610 * Requires: MBEDTLS_ECP_C 1611 */ 1612 #ifdef CONFIG_MBEDTLS_ECDH_C 1613 #define MBEDTLS_ECDH_C 1614 #else 1615 #undef MBEDTLS_ECDH_C 1616 #endif 1617 1618 /** 1619 * \def MBEDTLS_ECDSA_C 1620 * 1621 * Enable the elliptic curve DSA library. 1622 * 1623 * Module: library/ecdsa.c 1624 * Caller: 1625 * 1626 * This module is used by the following key exchanges: 1627 * ECDHE-ECDSA 1628 * 1629 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C 1630 */ 1631 #ifdef CONFIG_MBEDTLS_ECDSA_C 1632 #define MBEDTLS_ECDSA_C 1633 #else 1634 #undef MBEDTLS_ECDSA_C 1635 #endif 1636 1637 /** 1638 * \def MBEDTLS_ECJPAKE_C 1639 * 1640 * Enable the elliptic curve J-PAKE library. 1641 * 1642 * \warning This is currently experimental. EC J-PAKE support is based on the 1643 * Thread v1.0.0 specification; incompatible changes to the specification 1644 * might still happen. For this reason, this is disabled by default. 1645 * 1646 * Module: library/ecjpake.c 1647 * Caller: 1648 * 1649 * This module is used by the following key exchanges: 1650 * ECJPAKE 1651 * 1652 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C 1653 */ 1654 #ifdef CONFIG_MBEDTLS_ECJPAKE_C 1655 #define MBEDTLS_ECJPAKE_C 1656 #else 1657 #undef MBEDTLS_ECJPAKE_C 1658 #endif 1659 1660 /** 1661 * \def MBEDTLS_ECP_C 1662 * 1663 * Enable the elliptic curve over GF(p) library. 1664 * 1665 * Module: library/ecp.c 1666 * Caller: library/ecdh.c 1667 * library/ecdsa.c 1668 * library/ecjpake.c 1669 * 1670 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED 1671 */ 1672 #ifdef CONFIG_MBEDTLS_ECP_C 1673 #define MBEDTLS_ECP_C 1674 #else 1675 #undef MBEDTLS_ECP_C 1676 #endif 1677 1678 /** 1679 * \def MBEDTLS_ENTROPY_C 1680 * 1681 * Enable the platform-specific entropy code. 1682 * 1683 * Module: library/entropy.c 1684 * Caller: 1685 * 1686 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 1687 * 1688 * This module provides a generic entropy pool 1689 */ 1690 #define MBEDTLS_ENTROPY_C 1691 1692 /** 1693 * \def MBEDTLS_ERROR_C 1694 * 1695 * Enable error code to error string conversion. 1696 * 1697 * Module: library/error.c 1698 * Caller: 1699 * 1700 * This module enables mbedtls_strerror(). 1701 */ 1702 #define MBEDTLS_ERROR_C 1703 1704 /** 1705 * \def MBEDTLS_GCM_C 1706 * 1707 * Enable the Galois/Counter Mode (GCM) for AES. 1708 * 1709 * Module: library/gcm.c 1710 * 1711 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C 1712 * 1713 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other 1714 * requisites are enabled as well. 1715 */ 1716 #ifdef CONFIG_MBEDTLS_GCM_C 1717 #define MBEDTLS_GCM_C 1718 #else 1719 #undef MBEDTLS_GCM_C 1720 #endif 1721 1722 /** 1723 * \def MBEDTLS_HKDF_C 1724 * 1725 * Enable the HKDF algorithm (RFC 5869). 1726 * 1727 * Module: library/hkdf.c 1728 * Caller: 1729 * 1730 * Requires: MBEDTLS_MD_C 1731 * 1732 * This module enables support for the Hashed Message Authentication Code 1733 * (HMAC)-based key derivation function (HKDF). 1734 */ 1735 #ifdef CONFIG_MBEDTLS_HKDF_C 1736 #define MBEDTLS_HKDF_C 1737 #else 1738 #undef MBEDTLS_HKDF_C 1739 #endif 1740 1741 /** 1742 * \def MBEDTLS_HMAC_DRBG_C 1743 * 1744 * Enable the HMAC_DRBG random generator. 1745 * 1746 * Module: library/hmac_drbg.c 1747 * Caller: 1748 * 1749 * Requires: MBEDTLS_MD_C 1750 * 1751 * Uncomment to enable the HMAC_DRBG random number geerator. 1752 */ 1753 #define MBEDTLS_HMAC_DRBG_C 1754 1755 /** 1756 * \def MBEDTLS_MD_C 1757 * 1758 * Enable the generic message digest layer. 1759 * 1760 * Module: library/mbedtls_md.c 1761 * Caller: 1762 * 1763 * Uncomment to enable generic message digest wrappers. 1764 */ 1765 #define MBEDTLS_MD_C 1766 1767 /** 1768 * \def MBEDTLS_MD5_C 1769 * 1770 * Enable the MD5 hash algorithm. 1771 * 1772 * Module: library/mbedtls_md5.c 1773 * Caller: library/mbedtls_md.c 1774 * library/pem.c 1775 * library/ssl_tls.c 1776 * 1777 * This module is required for SSL/TLS and X.509. 1778 * PEM_PARSE uses MD5 for decrypting encrypted keys. 1779 */ 1780 #define MBEDTLS_MD5_C 1781 1782 /** 1783 * \def MBEDTLS_NET_C 1784 * 1785 * Enable the TCP/IP networking routines. 1786 * 1787 * Module: library/net.c 1788 * 1789 * This module provides TCP/IP networking routines. 1790 */ 1791 #ifdef MBEDTLS_NET_C 1792 #undef MBEDTLS_NET_C 1793 #endif 1794 1795 /** 1796 * \def MBEDTLS_OID_C 1797 * 1798 * Enable the OID database. 1799 * 1800 * Module: library/oid.c 1801 * Caller: library/asn1write.c 1802 * library/pkcs5.c 1803 * library/pkparse.c 1804 * library/pkwrite.c 1805 * library/rsa.c 1806 * library/x509.c 1807 * library/x509_create.c 1808 * library/mbedtls_x509_crl.c 1809 * library/mbedtls_x509_crt.c 1810 * library/mbedtls_x509_csr.c 1811 * library/x509write_crt.c 1812 * library/mbedtls_x509write_csr.c 1813 * 1814 * This modules translates between OIDs and internal values. 1815 */ 1816 #define MBEDTLS_OID_C 1817 1818 /** 1819 * \def MBEDTLS_PADLOCK_C 1820 * 1821 * Enable VIA Padlock support on x86. 1822 * 1823 * Module: library/padlock.c 1824 * Caller: library/aes.c 1825 * 1826 * Requires: MBEDTLS_HAVE_ASM 1827 * 1828 * This modules adds support for the VIA PadLock on x86. 1829 */ 1830 #define MBEDTLS_PADLOCK_C 1831 1832 /** 1833 * \def MBEDTLS_PEM_PARSE_C 1834 * 1835 * Enable PEM decoding / parsing. 1836 * 1837 * Module: library/pem.c 1838 * Caller: library/dhm.c 1839 * library/pkparse.c 1840 * library/mbedtls_x509_crl.c 1841 * library/mbedtls_x509_crt.c 1842 * library/mbedtls_x509_csr.c 1843 * 1844 * Requires: MBEDTLS_BASE64_C 1845 * 1846 * This modules adds support for decoding / parsing PEM files. 1847 */ 1848 #ifdef CONFIG_MBEDTLS_PEM_PARSE_C 1849 #define MBEDTLS_PEM_PARSE_C 1850 #else 1851 #undef MBEDTLS_PEM_PARSE_C 1852 #endif 1853 1854 /** 1855 * \def MBEDTLS_PEM_WRITE_C 1856 * 1857 * Enable PEM encoding / writing. 1858 * 1859 * Module: library/pem.c 1860 * Caller: library/pkwrite.c 1861 * library/x509write_crt.c 1862 * library/mbedtls_x509write_csr.c 1863 * 1864 * Requires: MBEDTLS_BASE64_C 1865 * 1866 * This modules adds support for encoding / writing PEM files. 1867 */ 1868 #ifdef CONFIG_MBEDTLS_PEM_WRITE_C 1869 #define MBEDTLS_PEM_WRITE_C 1870 #else 1871 #undef MBEDTLS_PEM_WRITE_C 1872 #endif 1873 1874 /** 1875 * \def MBEDTLS_PK_C 1876 * 1877 * Enable the generic public (asymetric) key layer. 1878 * 1879 * Module: library/pk.c 1880 * Caller: library/ssl_tls.c 1881 * library/ssl_cli.c 1882 * library/ssl_srv.c 1883 * 1884 * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C 1885 * 1886 * Uncomment to enable generic public key wrappers. 1887 */ 1888 #define MBEDTLS_PK_C 1889 1890 /** 1891 * \def MBEDTLS_PK_PARSE_C 1892 * 1893 * Enable the generic public (asymetric) key parser. 1894 * 1895 * Module: library/pkparse.c 1896 * Caller: library/mbedtls_x509_crt.c 1897 * library/mbedtls_x509_csr.c 1898 * 1899 * Requires: MBEDTLS_PK_C 1900 * 1901 * Uncomment to enable generic public key parse functions. 1902 */ 1903 #define MBEDTLS_PK_PARSE_C 1904 1905 /** 1906 * \def MBEDTLS_PK_WRITE_C 1907 * 1908 * Enable the generic public (asymetric) key writer. 1909 * 1910 * Module: library/pkwrite.c 1911 * Caller: library/x509write.c 1912 * 1913 * Requires: MBEDTLS_PK_C 1914 * 1915 * Uncomment to enable generic public key write functions. 1916 */ 1917 #define MBEDTLS_PK_WRITE_C 1918 1919 /** 1920 * \def MBEDTLS_PKCS5_C 1921 * 1922 * Enable PKCS#5 functions. 1923 * 1924 * Module: library/pkcs5.c 1925 * 1926 * Requires: MBEDTLS_MD_C 1927 * 1928 * This module adds support for the PKCS#5 functions. 1929 */ 1930 #define MBEDTLS_PKCS5_C 1931 1932 /** 1933 * \def MBEDTLS_PKCS12_C 1934 * 1935 * Enable PKCS#12 PBE functions. 1936 * Adds algorithms for parsing PKCS#8 encrypted private keys 1937 * 1938 * Module: library/pkcs12.c 1939 * Caller: library/pkparse.c 1940 * 1941 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C 1942 * Can use: MBEDTLS_ARC4_C 1943 * 1944 * This module enables PKCS#12 functions. 1945 */ 1946 #define MBEDTLS_PKCS12_C 1947 1948 /** 1949 * \def MBEDTLS_PLATFORM_C 1950 * 1951 * Enable the platform abstraction layer that allows you to re-assign 1952 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 1953 * 1954 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 1955 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 1956 * above to be specified at runtime or compile time respectively. 1957 * 1958 * \note This abstraction layer must be enabled on Windows (including MSYS2) 1959 * as other module rely on it for a fixed snprintf implementation. 1960 * 1961 * Module: library/platform.c 1962 * Caller: Most other .c files 1963 * 1964 * This module enables abstraction of common (libc) functions. 1965 */ 1966 #define MBEDTLS_PLATFORM_C 1967 1968 /** 1969 * \def MBEDTLS_POLY1305_C 1970 * 1971 * Enable the Poly1305 MAC algorithm. 1972 * 1973 * Module: library/poly1305.c 1974 * Caller: library/chachapoly.c 1975 */ 1976 #ifdef CONFIG_MBEDTLS_POLY1305_C 1977 #define MBEDTLS_POLY1305_C 1978 #else 1979 #undef MBEDTLS_POLY1305_C 1980 #endif 1981 1982 /** 1983 * \def MBEDTLS_RIPEMD160_C 1984 * 1985 * Enable the RIPEMD-160 hash algorithm. 1986 * 1987 * Module: library/mbedtls_ripemd160.c 1988 * Caller: library/mbedtls_md.c 1989 * 1990 */ 1991 #ifdef CONFIG_MBEDTLS_RIPEMD160_C 1992 #define MBEDTLS_RIPEMD160_C 1993 #else 1994 #undef MBEDTLS_RIPEMD160_C 1995 #endif 1996 1997 /** 1998 * \def MBEDTLS_RSA_C 1999 * 2000 * Enable the RSA public-key cryptosystem. 2001 * 2002 * Module: library/rsa.c 2003 * Caller: library/ssl_cli.c 2004 * library/ssl_srv.c 2005 * library/ssl_tls.c 2006 * library/x509.c 2007 * 2008 * This module is used by the following key exchanges: 2009 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK 2010 * 2011 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C 2012 */ 2013 #define MBEDTLS_RSA_C 2014 2015 /** 2016 * \def MBEDTLS_SHA1_C 2017 * 2018 * Enable the SHA1 cryptographic hash algorithm. 2019 * 2020 * Module: library/mbedtls_sha1.c 2021 * Caller: library/mbedtls_md.c 2022 * library/ssl_cli.c 2023 * library/ssl_srv.c 2024 * library/ssl_tls.c 2025 * library/x509write_crt.c 2026 * 2027 * This module is required for SSL/TLS and SHA1-signed certificates. 2028 */ 2029 #define MBEDTLS_SHA1_C 2030 2031 /** 2032 * \def MBEDTLS_SHA256_C 2033 * 2034 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms. 2035 * 2036 * Module: library/mbedtls_sha256.c 2037 * Caller: library/entropy.c 2038 * library/mbedtls_md.c 2039 * library/ssl_cli.c 2040 * library/ssl_srv.c 2041 * library/ssl_tls.c 2042 * 2043 * This module adds support for SHA-224 and SHA-256. 2044 * This module is required for the SSL/TLS 1.2 PRF function. 2045 */ 2046 #define MBEDTLS_SHA256_C 2047 2048 /** 2049 * \def MBEDTLS_SHA512_C 2050 * 2051 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms. 2052 * 2053 * Module: library/mbedtls_sha512.c 2054 * Caller: library/entropy.c 2055 * library/mbedtls_md.c 2056 * library/ssl_cli.c 2057 * library/ssl_srv.c 2058 * 2059 * This module adds support for SHA-384 and SHA-512. 2060 */ 2061 #ifdef CONFIG_MBEDTLS_SHA512_C 2062 #define MBEDTLS_SHA512_C 2063 #else 2064 #undef MBEDTLS_SHA512_C 2065 #endif 2066 2067 /** 2068 * \def MBEDTLS_SSL_CACHE_C 2069 * 2070 * Enable simple SSL cache implementation. 2071 * 2072 * Module: library/ssl_cache.c 2073 * Caller: 2074 * 2075 * Requires: MBEDTLS_SSL_CACHE_C 2076 */ 2077 #define MBEDTLS_SSL_CACHE_C 2078 2079 /** 2080 * \def MBEDTLS_SSL_COOKIE_C 2081 * 2082 * Enable basic implementation of DTLS cookies for hello verification. 2083 * 2084 * Module: library/ssl_cookie.c 2085 * Caller: 2086 */ 2087 #define MBEDTLS_SSL_COOKIE_C 2088 2089 /** 2090 * \def MBEDTLS_SSL_TICKET_C 2091 * 2092 * Enable an implementation of TLS server-side callbacks for session tickets. 2093 * 2094 * Module: library/ssl_ticket.c 2095 * Caller: 2096 * 2097 * Requires: MBEDTLS_CIPHER_C 2098 */ 2099 #ifdef CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS 2100 #define MBEDTLS_SSL_TICKET_C 2101 #else 2102 #undef MBEDTLS_SSL_TICKET_C 2103 #endif 2104 2105 /** 2106 * \def MBEDTLS_SSL_CLI_C 2107 * 2108 * Enable the SSL/TLS client code. 2109 * 2110 * Module: library/ssl_cli.c 2111 * Caller: 2112 * 2113 * Requires: MBEDTLS_SSL_TLS_C 2114 * 2115 * This module is required for SSL/TLS client support. 2116 */ 2117 #ifdef CONFIG_MBEDTLS_TLS_CLIENT 2118 #define MBEDTLS_SSL_CLI_C 2119 #else 2120 #undef MBEDTLS_SSL_CLI_C 2121 #endif 2122 2123 /** 2124 * \def MBEDTLS_SSL_SRV_C 2125 * 2126 * Enable the SSL/TLS server code. 2127 * 2128 * Module: library/ssl_srv.c 2129 * Caller: 2130 * 2131 * Requires: MBEDTLS_SSL_TLS_C 2132 * 2133 * This module is required for SSL/TLS server support. 2134 */ 2135 #ifdef CONFIG_MBEDTLS_TLS_SERVER 2136 #define MBEDTLS_SSL_SRV_C 2137 #else 2138 #undef MBEDTLS_SSL_SRV_C 2139 #endif 2140 2141 /** 2142 * \def MBEDTLS_SSL_TLS_C 2143 * 2144 * Enable the generic SSL/TLS code. 2145 * 2146 * Module: library/ssl_tls.c 2147 * Caller: library/ssl_cli.c 2148 * library/ssl_srv.c 2149 * 2150 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C 2151 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines 2152 * 2153 * This module is required for SSL/TLS. 2154 */ 2155 #ifdef CONFIG_MBEDTLS_TLS_ENABLED 2156 #define MBEDTLS_SSL_TLS_C 2157 #else 2158 #undef MBEDTLS_SSL_TLS_C 2159 #endif 2160 2161 /** 2162 * \def MBEDTLS_TIMING_C 2163 * 2164 * Enable the semi-portable timing interface. 2165 * 2166 * \note The provided implementation only works on POSIX/Unix (including Linux, 2167 * BSD and OS X) and Windows. On other platforms, you can either disable that 2168 * module and provide your own implementations of the callbacks needed by 2169 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide 2170 * your own implementation of the whole module by setting 2171 * \c MBEDTLS_TIMING_ALT in the current file. 2172 * 2173 * \note See also our Knowledge Base article about porting to a new 2174 * environment: 2175 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 2176 * 2177 * Module: library/timing.c 2178 * Caller: library/havege.c 2179 * 2180 * This module is used by the HAVEGE random number generator. 2181 */ 2182 #ifdef MBEDTLS_TIMING_C 2183 #undef MBEDTLS_TIMING_C 2184 #endif 2185 2186 /** 2187 * \def MBEDTLS_VERSION_C 2188 * 2189 * Enable run-time version information. 2190 * 2191 * Module: library/version.c 2192 * 2193 * This module provides run-time version information. 2194 */ 2195 #define MBEDTLS_VERSION_C 2196 2197 /** 2198 * \def MBEDTLS_X509_USE_C 2199 * 2200 * Enable X.509 core for using certificates. 2201 * 2202 * Module: library/x509.c 2203 * Caller: library/mbedtls_x509_crl.c 2204 * library/mbedtls_x509_crt.c 2205 * library/mbedtls_x509_csr.c 2206 * 2207 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, 2208 * MBEDTLS_PK_PARSE_C 2209 * 2210 * This module is required for the X.509 parsing modules. 2211 */ 2212 #define MBEDTLS_X509_USE_C 2213 2214 /** 2215 * \def MBEDTLS_X509_CRT_PARSE_C 2216 * 2217 * Enable X.509 certificate parsing. 2218 * 2219 * Module: library/mbedtls_x509_crt.c 2220 * Caller: library/ssl_cli.c 2221 * library/ssl_srv.c 2222 * library/ssl_tls.c 2223 * 2224 * Requires: MBEDTLS_X509_USE_C 2225 * 2226 * This module is required for X.509 certificate parsing. 2227 */ 2228 #define MBEDTLS_X509_CRT_PARSE_C 2229 2230 /** 2231 * \def MBEDTLS_X509_CRL_PARSE_C 2232 * 2233 * Enable X.509 CRL parsing. 2234 * 2235 * Module: library/mbedtls_x509_crl.c 2236 * Caller: library/mbedtls_x509_crt.c 2237 * 2238 * Requires: MBEDTLS_X509_USE_C 2239 * 2240 * This module is required for X.509 CRL parsing. 2241 */ 2242 #ifdef CONFIG_MBEDTLS_X509_CRL_PARSE_C 2243 #define MBEDTLS_X509_CRL_PARSE_C 2244 #else 2245 #undef MBEDTLS_X509_CRL_PARSE_C 2246 #endif 2247 2248 /** 2249 * \def MBEDTLS_X509_CSR_PARSE_C 2250 * 2251 * Enable X.509 Certificate Signing Request (CSR) parsing. 2252 * 2253 * Module: library/mbedtls_x509_csr.c 2254 * Caller: library/x509_crt_write.c 2255 * 2256 * Requires: MBEDTLS_X509_USE_C 2257 * 2258 * This module is used for reading X.509 certificate request. 2259 */ 2260 #ifdef CONFIG_MBEDTLS_X509_CSR_PARSE_C 2261 #define MBEDTLS_X509_CSR_PARSE_C 2262 #else 2263 #undef MBEDTLS_X509_CSR_PARSE_C 2264 #endif 2265 2266 /** 2267 * \def MBEDTLS_X509_CREATE_C 2268 * 2269 * Enable X.509 core for creating certificates. 2270 * 2271 * Module: library/x509_create.c 2272 * 2273 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C 2274 * 2275 * This module is the basis for creating X.509 certificates and CSRs. 2276 */ 2277 #define MBEDTLS_X509_CREATE_C 2278 2279 /** 2280 * \def MBEDTLS_X509_CRT_WRITE_C 2281 * 2282 * Enable creating X.509 certificates. 2283 * 2284 * Module: library/x509_crt_write.c 2285 * 2286 * Requires: MBEDTLS_X509_CREATE_C 2287 * 2288 * This module is required for X.509 certificate creation. 2289 */ 2290 #define MBEDTLS_X509_CRT_WRITE_C 2291 2292 /** 2293 * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 2294 * 2295 * Alow the X509 parser to not break-off when parsing an X509 certificate 2296 * and encountering an unknown critical extension. 2297 * 2298 * Module: library/x509_crt.c 2299 * 2300 * Requires: MBEDTLS_X509_CRT_PARSE_C 2301 * 2302 * This module is supports loading of certificates with extensions that 2303 * may not be supported by mbedtls. 2304 */ 2305 #ifdef CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT 2306 #define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 2307 #else 2308 #undef MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 2309 #endif 2310 2311 /** 2312 * \def MBEDTLS_X509_CSR_WRITE_C 2313 * 2314 * Enable creating X.509 Certificate Signing Requests (CSR). 2315 * 2316 * Module: library/x509_csr_write.c 2317 * 2318 * Requires: MBEDTLS_X509_CREATE_C 2319 * 2320 * This module is required for X.509 certificate request writing. 2321 */ 2322 #define MBEDTLS_X509_CSR_WRITE_C 2323 2324 /** 2325 * \def MBEDTLS_XTEA_C 2326 * 2327 * Enable the XTEA block cipher. 2328 * 2329 * Module: library/xtea.c 2330 * Caller: 2331 */ 2332 #ifdef CONFIG_MBEDTLS_XTEA_C 2333 #define MBEDTLS_XTEA_C 2334 #else 2335 #undef MBEDTLS_XTEA_C 2336 #endif 2337 2338 /* \} name SECTION: mbed TLS modules */ 2339 2340 /** 2341 * \name SECTION: Module configuration options 2342 * 2343 * This section allows for the setting of module specific sizes and 2344 * configuration options. The default values are already present in the 2345 * relevant header files and should suffice for the regular use cases. 2346 * 2347 * Our advice is to enable options and change their values here 2348 * only if you have a good reason and know the consequences. 2349 * 2350 * Please check the respective header file for documentation on these 2351 * parameters (to prevent duplicate documentation). 2352 * \{ 2353 */ 2354 2355 /* SSL options */ 2356 #ifndef CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN 2357 2358 #define MBEDTLS_SSL_MAX_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ 2359 2360 #else 2361 2362 /** \def MBEDTLS_SSL_IN_CONTENT_LEN 2363 * 2364 * Maximum incoming fragment length in bytes. 2365 * 2366 * Uncomment to set the size of the inward TLS buffer independently of the 2367 * outward buffer. 2368 */ 2369 #define MBEDTLS_SSL_IN_CONTENT_LEN CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN 2370 2371 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN 2372 * 2373 * Maximum outgoing fragment length in bytes. 2374 * 2375 * Uncomment to set the size of the outward TLS buffer independently of the 2376 * inward buffer. 2377 * 2378 * It is possible to save RAM by setting a smaller outward buffer, while keeping 2379 * the default inward 16384 byte buffer to conform to the TLS specification. 2380 * 2381 * The minimum required outward buffer size is determined by the handshake 2382 * protocol's usage. Handshaking will fail if the outward buffer is too small. 2383 * The specific size requirement depends on the configured ciphers and any 2384 * certificate data which is sent during the handshake. 2385 * 2386 * For absolute minimum RAM usage, it's best to enable 2387 * MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This 2388 * reduces both incoming and outgoing buffer sizes. However this is only 2389 * guaranteed if the other end of the connection also supports the TLS 2390 * max_fragment_len extension. Otherwise the connection may fail. 2391 */ 2392 #define MBEDTLS_SSL_OUT_CONTENT_LEN CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN 2393 2394 #endif /* !CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN */ 2395 2396 /** 2397 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake 2398 * signature and ciphersuite selection. Without this build-time option, SHA-1 2399 * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes. 2400 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by 2401 * default. At the time of writing, there is no practical attack on the use 2402 * of SHA-1 in handshake signatures, hence this option is turned on by default 2403 * for compatibility with existing peers. 2404 */ 2405 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE 2406 2407 /** 2408 * \def MBEDTLS_THREADING_C 2409 * 2410 * Enable the threading abstraction layer. 2411 * By default mbed TLS assumes it is used in a non-threaded environment or that 2412 * contexts are not shared between threads. If you do intend to use contexts 2413 * between threads, you will need to enable this layer to prevent race 2414 * conditions. See also our Knowledge Base article about threading: 2415 * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading 2416 * 2417 * Module: library/threading.c 2418 * 2419 * This allows different threading implementations (self-implemented or 2420 * provided). 2421 * 2422 * You will have to enable either MBEDTLS_THREADING_ALT or 2423 * MBEDTLS_THREADING_PTHREAD. 2424 * 2425 * Enable this layer to allow use of mutexes within mbed TLS 2426 */ 2427 #ifdef CONFIG_MBEDTLS_THREADING_C 2428 #define MBEDTLS_THREADING_C 2429 #else 2430 #undef MBEDTLS_THREADING_C 2431 #endif 2432 2433 /** 2434 * \def MBEDTLS_THREADING_ALT 2435 * 2436 * Provide your own alternate threading implementation. 2437 * 2438 * Requires: MBEDTLS_THREADING_C 2439 * 2440 * Uncomment this to allow your own alternate threading implementation. 2441 */ 2442 #ifdef CONFIG_MBEDTLS_THREADING_ALT 2443 #define MBEDTLS_THREADING_ALT 2444 #else 2445 #undef MBEDTLS_THREADING_ALT 2446 #endif 2447 2448 /** 2449 * \def MBEDTLS_THREADING_PTHREAD 2450 * 2451 * Enable the pthread wrapper layer for the threading layer. 2452 * 2453 * Requires: MBEDTLS_THREADING_C 2454 * 2455 * Uncomment this to enable pthread mutexes. 2456 */ 2457 #ifdef CONFIG_MBEDTLS_THREADING_PTHREAD 2458 #define MBEDTLS_THREADING_PTHREAD 2459 #else 2460 #undef MBEDTLS_THREADING_PTHREAD 2461 #endif 2462 2463 /* \} name SECTION: Module configuration options */ 2464 2465 #if defined(TARGET_LIKE_MBED) 2466 #include "mbedtls/target_config.h" 2467 #endif 2468 2469 /* 2470 * Allow user to override any previous default. 2471 * 2472 * Use two macro names for that, as: 2473 * - with yotta the prefix YOTTA_CFG_ is forced 2474 * - without yotta is looks weird to have a YOTTA prefix. 2475 */ 2476 #if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE) 2477 #include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE 2478 #elif defined(MBEDTLS_USER_CONFIG_FILE) 2479 #include MBEDTLS_USER_CONFIG_FILE 2480 #endif 2481 2482 #include "mbedtls/check_config.h" 2483 2484 #endif /* MBEDTLS_CONFIG_H */ 2485
