1 /**
2  * \file config.h
3  *
4  * \brief Configuration options (set of defines)
5  *
6  *  This set of compile-time options may be used to enable
7  *  or disable features selectively, and reduce the global
8  *  memory footprint.
9  */
10 /*
11  *  Copyright (C) 2006-2022, ARM Limited, All Rights Reserved
12  *  SPDX-License-Identifier: Apache-2.0
13  *
14  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
15  *  not use this file except in compliance with the License.
16  *  You may obtain a copy of the License at
17  *
18  *  http://www.apache.org/licenses/LICENSE-2.0
19  *
20  *  Unless required by applicable law or agreed to in writing, software
21  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23  *  See the License for the specific language governing permissions and
24  *  limitations under the License.
25  *
26  *  This file is part of mbed TLS (https://tls.mbed.org)
27  */
28 
29 #ifndef PROFILE_S_MBEDTLS_CONFIG_H
30 #define PROFILE_S_MBEDTLS_CONFIG_H
31 
32 #include "config_crypto.h"
33 
34 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
35 #define _CRT_SECURE_NO_DEPRECATE 1
36 #endif
37 
38 /**
39  * \name SECTION: System support
40  *
41  * This section sets system specific settings.
42  * \{
43  */
44 
45 /**
46  * \def MBEDTLS_HAVE_ASM
47  *
48  * The compiler has support for asm().
49  *
50  * Requires support for asm() in compiler.
51  *
52  * Used in:
53  *      library/aria.c
54  *      library/timing.c
55  *      include/mbedtls/bn_mul.h
56  *
57  * Required by:
58  *      MBEDTLS_AESNI_C
59  *      MBEDTLS_PADLOCK_C
60  *
61  * Comment to disable the use of assembly code.
62  */
63 #define MBEDTLS_HAVE_ASM
64 
65 /**
66  * \def MBEDTLS_PLATFORM_MEMORY
67  *
68  * Enable the memory allocation layer.
69  *
70  * By default mbed TLS uses the system-provided calloc() and free().
71  * This allows different allocators (self-implemented or provided) to be
72  * provided to the platform abstraction layer.
73  *
74  * Enabling MBEDTLS_PLATFORM_MEMORY without the
75  * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
76  * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
77  * free() function pointer at runtime.
78  *
79  * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
80  * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
81  * alternate function at compile time.
82  *
83  * Requires: MBEDTLS_PLATFORM_C
84  *
85  * Enable this layer to allow use of alternative memory allocators.
86  */
87 #define MBEDTLS_PLATFORM_MEMORY
88 
89 /* \} name SECTION: System support */
90 
91 /**
92  * \name SECTION: mbed TLS feature support
93  *
94  * This section sets support for features that are or are not needed
95  * within the modules that are enabled.
96  * \{
97  */
98 
99 /**
100  * \def MBEDTLS_MD2_PROCESS_ALT
101  *
102  * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
103  * alternate core implementation of symmetric crypto or hash function. Keep in
104  * mind that function prototypes should remain the same.
105  *
106  * This replaces only one function. The header file from mbed TLS is still
107  * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
108  *
109  * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
110  * no longer provide the mbedtls_sha1_process() function, but it will still provide
111  * the other function (using your mbedtls_sha1_process() function) and the definition
112  * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
113  * with this definition.
114  *
115  * \note Because of a signature change, the core AES encryption and decryption routines are
116  *       currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
117  *       respectively. When setting up alternative implementations, these functions should
118  *       be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
119  *       must stay untouched.
120  *
121  * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
122  *       MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
123  *       tables.
124  *
125  * Uncomment a macro to enable alternate implementation of the corresponding
126  * function.
127  *
128  * \warning   MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
129  *            constitutes a security risk. If possible, we recommend avoiding
130  *            dependencies on them, and considering stronger message digests
131  *            and ciphers instead.
132  *
133  */
134 #define MBEDTLS_AES_SETKEY_DEC_ALT
135 #define MBEDTLS_AES_DECRYPT_ALT
136 
137 /**
138  * \def MBEDTLS_AES_ROM_TABLES
139  *
140  * Use precomputed AES tables stored in ROM.
141  *
142  * Uncomment this macro to use precomputed AES tables stored in ROM.
143  * Comment this macro to generate AES tables in RAM at runtime.
144  *
145  * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
146  * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
147  * initialization time before the first AES operation can be performed.
148  * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
149  * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
150  * performance if ROM access is slower than RAM access.
151  *
152  * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
153  *
154  */
155 #define MBEDTLS_AES_ROM_TABLES
156 
157 /**
158  * \def MBEDTLS_AES_FEWER_TABLES
159  *
160  * Use less ROM/RAM for AES tables.
161  *
162  * Uncommenting this macro omits 75% of the AES tables from
163  * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
164  * by computing their values on the fly during operations
165  * (the tables are entry-wise rotations of one another).
166  *
167  * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
168  * by ~6kb but at the cost of more arithmetic operations during
169  * runtime. Specifically, one has to compare 4 accesses within
170  * different tables to 4 accesses with additional arithmetic
171  * operations within the same table. The performance gain/loss
172  * depends on the system and memory details.
173  *
174  * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
175  *
176  */
177 #define MBEDTLS_AES_FEWER_TABLES
178 
179 /**
180  * \def MBEDTLS_ERROR_STRERROR_DUMMY
181  *
182  * Enable a dummy error function to make use of mbedtls_strerror() in
183  * third party libraries easier when MBEDTLS_ERROR_C is disabled
184  * (no effect when MBEDTLS_ERROR_C is enabled).
185  *
186  * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
187  * not using mbedtls_strerror() or error_strerror() in your application.
188  *
189  * Disable if you run into name conflicts and want to really remove the
190  * mbedtls_strerror()
191  */
192 #define MBEDTLS_ERROR_STRERROR_DUMMY
193 
194 /**
195  * \def MBEDTLS_NO_PLATFORM_ENTROPY
196  *
197  * Do not use built-in platform entropy functions.
198  * This is useful if your platform does not support
199  * standards like the /dev/urandom or Windows CryptoAPI.
200  *
201  * Uncomment this macro to disable the built-in platform entropy functions.
202  */
203 #define MBEDTLS_NO_PLATFORM_ENTROPY
204 
205 /**
206  * \def MBEDTLS_ENTROPY_NV_SEED
207  *
208  * Enable the non-volatile (NV) seed file-based entropy source.
209  * (Also enables the NV seed read/write functions in the platform layer)
210  *
211  * This is crucial (if not required) on systems that do not have a
212  * cryptographic entropy source (in hardware or kernel) available.
213  *
214  * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
215  *
216  * \note The read/write functions that are used by the entropy source are
217  *       determined in the platform layer, and can be modified at runtime and/or
218  *       compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
219  *
220  * \note If you use the default implementation functions that read a seedfile
221  *       with regular fopen(), please make sure you make a seedfile with the
222  *       proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
223  *       least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
224  *       and written to or you will get an entropy source error! The default
225  *       implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
226  *       bytes from the file.
227  *
228  * \note The entropy collector will write to the seed file before entropy is
229  *       given to an external source, to update it.
230  */
231 #define MBEDTLS_ENTROPY_NV_SEED
232 
233 /**
234  * \def MBEDTLS_PSA_CRYPTO_SPM
235  *
236  * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
237  * Partition Manager) integration which separates the code into two parts: a
238  * NSPE (Non-Secure Process Environment) and an SPE (Secure Process
239  * Environment).
240  *
241  * Module:  library/psa_crypto.c
242  * Requires: MBEDTLS_PSA_CRYPTO_C
243  *
244  */
245 #define MBEDTLS_PSA_CRYPTO_SPM
246 
247 /**
248  * \def MBEDTLS_SHA256_SMALLER
249  *
250  * Enable an implementation of SHA-256 that has lower ROM footprint but also
251  * lower performance.
252  *
253  * The default implementation is meant to be a reasonnable compromise between
254  * performance and size. This version optimizes more aggressively for size at
255  * the expense of performance. Eg on Cortex-M4 it reduces the size of
256  * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
257  * 30%.
258  *
259  * Uncomment to enable the smaller implementation of SHA256.
260  */
261 #define MBEDTLS_SHA256_SMALLER
262 
263 /**
264  * \def MBEDTLS_PSA_CRYPTO_CONFIG
265  *
266  * This setting allows support for cryptographic mechanisms through the PSA
267  * API to be configured separately from support through the mbedtls API.
268  *
269  * When this option is disabled, the PSA API exposes the cryptographic
270  * mechanisms that can be implemented on top of the `mbedtls_xxx` API
271  * configured with `MBEDTLS_XXX` symbols.
272  *
273  * When this option is enabled, the PSA API exposes the cryptographic
274  * mechanisms requested by the `PSA_WANT_XXX` symbols defined in
275  * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
276  * automatically enabled if required (i.e. if no PSA driver provides the
277  * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
278  * in mbedtls_config.h.
279  *
280  * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
281  * an alternative header to include instead of include/psa/crypto_config.h.
282  *
283  * This feature is still experimental and is not ready for production since
284  * it is not completed.
285  */
286 #define MBEDTLS_PSA_CRYPTO_CONFIG
287 
288 /* \} name SECTION: mbed TLS feature support */
289 
290 /**
291  * \name SECTION: mbed TLS modules
292  *
293  * This section enables or disables entire modules in mbed TLS
294  * \{
295  */
296 
297 /**
298  * \def MBEDTLS_AES_C
299  *
300  * Enable the AES block cipher.
301  *
302  * Module:  library/aes.c
303  * Caller:  library/cipher.c
304  *          library/pem.c
305  *          library/ctr_drbg.c
306  *
307  * This module is required to support the TLS ciphersuites that use the AES
308  * cipher.
309  *
310  * PEM_PARSE uses AES for decrypting encrypted keys.
311  */
312 #define MBEDTLS_AES_C
313 
314 /**
315  * \def MBEDTLS_CIPHER_C
316  *
317  * Enable the generic cipher layer.
318  *
319  * Module:  library/cipher.c
320  *
321  * Uncomment to enable generic cipher wrappers.
322  */
323 #define MBEDTLS_CIPHER_C
324 
325 /**
326  * \def MBEDTLS_CTR_DRBG_C
327  *
328  * Enable the CTR_DRBG AES-based random generator.
329  * The CTR_DRBG generator uses AES-256 by default.
330  * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below.
331  *
332  * Module:  library/ctr_drbg.c
333  * Caller:
334  *
335  * Requires: MBEDTLS_AES_C
336  *
337  * This module provides the CTR_DRBG AES random number generator.
338  */
339 #define MBEDTLS_CTR_DRBG_C
340 
341 /**
342  * \def MBEDTLS_ENTROPY_C
343  *
344  * Enable the platform-specific entropy code.
345  *
346  * Module:  library/entropy.c
347  * Caller:
348  *
349  * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
350  *
351  * This module provides a generic entropy pool
352  */
353 #define MBEDTLS_ENTROPY_C
354 
355 /**
356  * \def MBEDTLS_ERROR_C
357  *
358  * Enable error code to error string conversion.
359  *
360  * Module:  library/error.c
361  * Caller:
362  *
363  * This module enables mbedtls_strerror().
364  */
365 #define MBEDTLS_ERROR_C
366 
367 /**
368  * \def MBEDTLS_HKDF_C
369  *
370  * Enable the HKDF algorithm (RFC 5869).
371  *
372  * Module:  library/hkdf.c
373  * Caller:
374  *
375  * Requires: MBEDTLS_MD_C
376  *
377  * This module adds support for the Hashed Message Authentication Code
378  * (HMAC)-based key derivation function (HKDF).
379  */
380 #define MBEDTLS_HKDF_C /* Used for HUK deriviation */
381 
382 /**
383  * \def MBEDTLS_MD_C
384  *
385  * Enable the generic message digest layer.
386  *
387  * Module:  library/md.c
388  * Caller:
389  *
390  * Uncomment to enable generic message digest wrappers.
391  */
392 #define MBEDTLS_MD_C
393 
394 /**
395  * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
396  *
397  * Enable the buffer allocator implementation that makes use of a (stack)
398  * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
399  * calls)
400  *
401  * Module:  library/memory_buffer_alloc.c
402  *
403  * Requires: MBEDTLS_PLATFORM_C
404  *           MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
405  *
406  * Enable this module to enable the buffer memory allocator.
407  */
408 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C
409 
410 /**
411  * \def MBEDTLS_PLATFORM_C
412  *
413  * Enable the platform abstraction layer that allows you to re-assign
414  * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
415  *
416  * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
417  * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
418  * above to be specified at runtime or compile time respectively.
419  *
420  * \note This abstraction layer must be enabled on Windows (including MSYS2)
421  * as other module rely on it for a fixed snprintf implementation.
422  *
423  * Module:  library/platform.c
424  * Caller:  Most other .c files
425  *
426  * This module enables abstraction of common (libc) functions.
427  */
428 #define MBEDTLS_PLATFORM_C
429 
430 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
431 #define MBEDTLS_PLATFORM_STD_MEM_HDR   <stdlib.h>
432 
433 #include <stdio.h>
434 
435 #define MBEDTLS_PLATFORM_SNPRINTF_MACRO      snprintf
436 #define MBEDTLS_PLATFORM_PRINTF_ALT
437 #define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS  EXIT_SUCCESS
438 #define MBEDTLS_PLATFORM_STD_EXIT_FAILURE  EXIT_FAILURE
439 
440 /**
441  * \def MBEDTLS_PSA_CRYPTO_C
442  *
443  * Enable the Platform Security Architecture cryptography API.
444  *
445  * Module:  library/psa_crypto.c
446  *
447  * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
448  *
449  */
450 #define MBEDTLS_PSA_CRYPTO_C
451 
452 /**
453  * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
454  *
455  * Enable the Platform Security Architecture persistent key storage.
456  *
457  * Module:  library/psa_crypto_storage.c
458  *
459  * Requires: MBEDTLS_PSA_CRYPTO_C,
460  *           either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
461  *           the PSA ITS interface
462  */
463 #define MBEDTLS_PSA_CRYPTO_STORAGE_C
464 
465 /* \} name SECTION: mbed TLS modules */
466 
467 /**
468  * \name SECTION: General configuration options
469  *
470  * This section contains Mbed TLS build settings that are not associated
471  * with a particular module.
472  *
473  * \{
474  */
475 
476 /**
477  * \def MBEDTLS_CONFIG_FILE
478  *
479  * If defined, this is a header which will be included instead of
480  * `"mbedtls/mbedtls_config.h"`.
481  * This header file specifies the compile-time configuration of Mbed TLS.
482  * Unlike other configuration options, this one must be defined on the
483  * compiler command line: a definition in `mbedtls_config.h` would have
484  * no effect.
485  *
486  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
487  * non-standard feature of the C language, so this feature is only available
488  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
489  *
490  * The value of this symbol is typically a path in double quotes, either
491  * absolute or relative to a directory on the include search path.
492  */
493 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
494 
495 /**
496  * \def MBEDTLS_USER_CONFIG_FILE
497  *
498  * If defined, this is a header which will be included after
499  * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
500  * This allows you to modify the default configuration, including the ability
501  * to undefine options that are enabled by default.
502  *
503  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
504  * non-standard feature of the C language, so this feature is only available
505  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
506  *
507  * The value of this symbol is typically a path in double quotes, either
508  * absolute or relative to a directory on the include search path.
509  */
510 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
511 
512 /**
513  * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
514  *
515  * If defined, this is a header which will be included instead of
516  * `"psa/crypto_config.h"`.
517  * This header file specifies which cryptographic mechanisms are available
518  * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
519  * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
520  *
521  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
522  * non-standard feature of the C language, so this feature is only available
523  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
524  *
525  * The value of this symbol is typically a path in double quotes, either
526  * absolute or relative to a directory on the include search path.
527  */
528 //#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
529 
530 /**
531  * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
532  *
533  * If defined, this is a header which will be included after
534  * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
535  * This allows you to modify the default configuration, including the ability
536  * to undefine options that are enabled by default.
537  *
538  * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
539  * non-standard feature of the C language, so this feature is only available
540  * with compilers that perform macro expansion on an <tt>\#include</tt> line.
541  *
542  * The value of this symbol is typically a path in double quotes, either
543  * absolute or relative to a directory on the include search path.
544  */
545 //#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
546 
547 /** \} name SECTION: General configuration options */
548 
549 #if CRYPTO_NV_SEED
550 #include "tfm_mbedcrypto_config_extra_nv_seed.h"
551 #endif /* CRYPTO_NV_SEED */
552 
553 #if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
554 #include "mbedtls_entropy_nv_seed_config.h"
555 #endif
556 
557 #ifdef CRYPTO_HW_ACCELERATOR
558 #include "mbedtls_accelerator_config.h"
559 #endif
560 
561 #endif /* PROFILE_S_MBEDTLS_CONFIG_H */
562