25'ten fazla konu seçemezsiniz Konular bir harf veya rakamla başlamalı, kısa çizgiler ('-') içerebilir ve en fazla 35 karakter uzunluğunda olabilir.
 
 
 
 
 

2880 satır
90 KiB

  1. /**
  2. * \file config.h
  3. *
  4. * \brief Configuration options (set of defines)
  5. *
  6. * This set of compile-time options may be used to enable
  7. * or disable features selectively, and reduce the global
  8. * memory footprint.
  9. */
  10. /*
  11. * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  12. * SPDX-License-Identifier: Apache-2.0
  13. *
  14. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  15. * not use this file except in compliance with the License.
  16. * You may obtain a copy of the License at
  17. *
  18. * http://www.apache.org/licenses/LICENSE-2.0
  19. *
  20. * Unless required by applicable law or agreed to in writing, software
  21. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  22. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  23. * See the License for the specific language governing permissions and
  24. * limitations under the License.
  25. *
  26. * This file is part of mbed TLS (https://tls.mbed.org)
  27. */
  28. #ifndef MBEDTLS_CONFIG_H
  29. #define MBEDTLS_CONFIG_H
  30. #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
  31. #define _CRT_SECURE_NO_DEPRECATE 1
  32. #endif
  33. /**
  34. * \name SECTION: System support
  35. *
  36. * This section sets system specific settings.
  37. * \{
  38. */
  39. /**
  40. * \def MBEDTLS_HAVE_ASM
  41. *
  42. * The compiler has support for asm().
  43. *
  44. * Requires support for asm() in compiler.
  45. *
  46. * Used in:
  47. * library/timing.c
  48. * library/padlock.c
  49. * include/mbedtls/bn_mul.h
  50. *
  51. * Comment to disable the use of assembly code.
  52. */
  53. #define MBEDTLS_HAVE_ASM
  54. /**
  55. * \def MBEDTLS_NO_UDBL_DIVISION
  56. *
  57. * The platform lacks support for double-width integer division (64-bit
  58. * division on a 32-bit platform, 128-bit division on a 64-bit platform).
  59. *
  60. * Used in:
  61. * include/mbedtls/bignum.h
  62. * library/bignum.c
  63. *
  64. * The bignum code uses double-width division to speed up some operations.
  65. * Double-width division is often implemented in software that needs to
  66. * be linked with the program. The presence of a double-width integer
  67. * type is usually detected automatically through preprocessor macros,
  68. * but the automatic detection cannot know whether the code needs to
  69. * and can be linked with an implementation of division for that type.
  70. * By default division is assumed to be usable if the type is present.
  71. * Uncomment this option to prevent the use of double-width division.
  72. *
  73. * Note that division for the native integer type is always required.
  74. * Furthermore, a 64-bit type is always required even on a 32-bit
  75. * platform, but it need not support multiplication or division. In some
  76. * cases it is also desirable to disable some double-width operations. For
  77. * example, if double-width division is implemented in software, disabling
  78. * it can reduce code size in some embedded targets.
  79. */
  80. //#define MBEDTLS_NO_UDBL_DIVISION
  81. /**
  82. * \def MBEDTLS_HAVE_SSE2
  83. *
  84. * CPU supports SSE2 instruction set.
  85. *
  86. * Uncomment if the CPU supports SSE2 (IA-32 specific).
  87. */
  88. //#define MBEDTLS_HAVE_SSE2
  89. /**
  90. * \def MBEDTLS_HAVE_TIME
  91. *
  92. * System has time.h and time().
  93. * The time does not need to be correct, only time differences are used,
  94. * by contrast with MBEDTLS_HAVE_TIME_DATE
  95. *
  96. * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
  97. * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
  98. * MBEDTLS_PLATFORM_STD_TIME.
  99. *
  100. * Comment if your system does not support time functions
  101. */
  102. #define MBEDTLS_HAVE_TIME
  103. /**
  104. * \def MBEDTLS_HAVE_TIME_DATE
  105. *
  106. * System has time.h and time(), gmtime() and the clock is correct.
  107. * The time needs to be correct (not necesarily very accurate, but at least
  108. * the date should be correct). This is used to verify the validity period of
  109. * X.509 certificates.
  110. *
  111. * Comment if your system does not have a correct clock.
  112. */
  113. #define MBEDTLS_HAVE_TIME_DATE
  114. /**
  115. * \def MBEDTLS_PLATFORM_MEMORY
  116. *
  117. * Enable the memory allocation layer.
  118. *
  119. * By default mbed TLS uses the system-provided calloc() and free().
  120. * This allows different allocators (self-implemented or provided) to be
  121. * provided to the platform abstraction layer.
  122. *
  123. * Enabling MBEDTLS_PLATFORM_MEMORY without the
  124. * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
  125. * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
  126. * free() function pointer at runtime.
  127. *
  128. * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
  129. * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
  130. * alternate function at compile time.
  131. *
  132. * Requires: MBEDTLS_PLATFORM_C
  133. *
  134. * Enable this layer to allow use of alternative memory allocators.
  135. */
  136. //#define MBEDTLS_PLATFORM_MEMORY
  137. /**
  138. * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
  139. *
  140. * Do not assign standard functions in the platform layer (e.g. calloc() to
  141. * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
  142. *
  143. * This makes sure there are no linking errors on platforms that do not support
  144. * these functions. You will HAVE to provide alternatives, either at runtime
  145. * via the platform_set_xxx() functions or at compile time by setting
  146. * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
  147. * MBEDTLS_PLATFORM_XXX_MACRO.
  148. *
  149. * Requires: MBEDTLS_PLATFORM_C
  150. *
  151. * Uncomment to prevent default assignment of standard functions in the
  152. * platform layer.
  153. */
  154. //#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
  155. /**
  156. * \def MBEDTLS_PLATFORM_EXIT_ALT
  157. *
  158. * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
  159. * function in the platform abstraction layer.
  160. *
  161. * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
  162. * provide a function "mbedtls_platform_set_printf()" that allows you to set an
  163. * alternative printf function pointer.
  164. *
  165. * All these define require MBEDTLS_PLATFORM_C to be defined!
  166. *
  167. * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;
  168. * it will be enabled automatically by check_config.h
  169. *
  170. * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
  171. * MBEDTLS_PLATFORM_XXX_MACRO!
  172. *
  173. * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
  174. *
  175. * Uncomment a macro to enable alternate implementation of specific base
  176. * platform function
  177. */
  178. //#define MBEDTLS_PLATFORM_EXIT_ALT
  179. //#define MBEDTLS_PLATFORM_TIME_ALT
  180. //#define MBEDTLS_PLATFORM_FPRINTF_ALT
  181. //#define MBEDTLS_PLATFORM_PRINTF_ALT
  182. //#define MBEDTLS_PLATFORM_SNPRINTF_ALT
  183. //#define MBEDTLS_PLATFORM_NV_SEED_ALT
  184. //#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
  185. /**
  186. * \def MBEDTLS_DEPRECATED_WARNING
  187. *
  188. * Mark deprecated functions so that they generate a warning if used.
  189. * Functions deprecated in one version will usually be removed in the next
  190. * version. You can enable this to help you prepare the transition to a new
  191. * major version by making sure your code is not using these functions.
  192. *
  193. * This only works with GCC and Clang. With other compilers, you may want to
  194. * use MBEDTLS_DEPRECATED_REMOVED
  195. *
  196. * Uncomment to get warnings on using deprecated functions.
  197. */
  198. //#define MBEDTLS_DEPRECATED_WARNING
  199. /**
  200. * \def MBEDTLS_DEPRECATED_REMOVED
  201. *
  202. * Remove deprecated functions so that they generate an error if used.
  203. * Functions deprecated in one version will usually be removed in the next
  204. * version. You can enable this to help you prepare the transition to a new
  205. * major version by making sure your code is not using these functions.
  206. *
  207. * Uncomment to get errors on using deprecated functions.
  208. */
  209. #define MBEDTLS_DEPRECATED_REMOVED
  210. /* \} name SECTION: System support */
  211. /**
  212. * \name SECTION: mbed TLS feature support
  213. *
  214. * This section sets support for features that are or are not needed
  215. * within the modules that are enabled.
  216. * \{
  217. */
  218. /**
  219. * \def MBEDTLS_TIMING_ALT
  220. *
  221. * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(),
  222. * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay()
  223. *
  224. * Only works if you have MBEDTLS_TIMING_C enabled.
  225. *
  226. * You will need to provide a header "timing_alt.h" and an implementation at
  227. * compile time.
  228. */
  229. //#define MBEDTLS_TIMING_ALT
  230. /**
  231. * \def MBEDTLS_AES_ALT
  232. *
  233. * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
  234. * alternate core implementation of a symmetric crypto, an arithmetic or hash
  235. * module (e.g. platform specific assembly optimized implementations). Keep
  236. * in mind that the function prototypes should remain the same.
  237. *
  238. * This replaces the whole module. If you only want to replace one of the
  239. * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
  240. *
  241. * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer
  242. * provide the "struct mbedtls_aes_context" definition and omit the base
  243. * function declarations and implementations. "aes_alt.h" will be included from
  244. * "aes.h" to include the new function definitions.
  245. *
  246. * Uncomment a macro to enable alternate implementation of the corresponding
  247. * module.
  248. *
  249. * \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their
  250. * use constitutes a security risk. If possible, we recommend
  251. * avoiding dependencies on them, and considering stronger message
  252. * digests and ciphers instead.
  253. *
  254. */
  255. //#define MBEDTLS_AES_ALT
  256. //#define MBEDTLS_ARC4_ALT
  257. //#define MBEDTLS_BLOWFISH_ALT
  258. //#define MBEDTLS_CAMELLIA_ALT
  259. //#define MBEDTLS_CCM_ALT
  260. //#define MBEDTLS_CMAC_ALT
  261. //#define MBEDTLS_DES_ALT
  262. //#define MBEDTLS_DHM_ALT
  263. //#define MBEDTLS_ECJPAKE_ALT
  264. //#define MBEDTLS_GCM_ALT
  265. //#define MBEDTLS_MD2_ALT
  266. //#define MBEDTLS_MD4_ALT
  267. //#define MBEDTLS_MD5_ALT
  268. //#define MBEDTLS_RIPEMD160_ALT
  269. //#define MBEDTLS_RSA_ALT
  270. //#define MBEDTLS_SHA1_ALT
  271. //#define MBEDTLS_SHA256_ALT
  272. //#define MBEDTLS_SHA512_ALT
  273. //#define MBEDTLS_XTEA_ALT
  274. /*
  275. * When replacing the elliptic curve module, pleace consider, that it is
  276. * implemented with two .c files:
  277. * - ecp.c
  278. * - ecp_curves.c
  279. * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
  280. * macros as described above. The only difference is that you have to make sure
  281. * that you provide functionality for both .c files.
  282. */
  283. //#define MBEDTLS_ECP_ALT
  284. /**
  285. * \def MBEDTLS_MD2_PROCESS_ALT
  286. *
  287. * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
  288. * alternate core implementation of symmetric crypto or hash function. Keep in
  289. * mind that function prototypes should remain the same.
  290. *
  291. * This replaces only one function. The header file from mbed TLS is still
  292. * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
  293. *
  294. * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
  295. * no longer provide the mbedtls_sha1_process() function, but it will still provide
  296. * the other function (using your mbedtls_sha1_process() function) and the definition
  297. * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
  298. * with this definition.
  299. *
  300. * \note Because of a signature change, the core AES encryption and decryption routines are
  301. * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
  302. * respectively. When setting up alternative implementations, these functions should
  303. * be overriden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
  304. * must stay untouched.
  305. *
  306. * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
  307. * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
  308. * tables.
  309. *
  310. * Uncomment a macro to enable alternate implementation of the corresponding
  311. * function.
  312. *
  313. * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
  314. * constitutes a security risk. If possible, we recommend avoiding
  315. * dependencies on them, and considering stronger message digests
  316. * and ciphers instead.
  317. *
  318. */
  319. //#define MBEDTLS_MD2_PROCESS_ALT
  320. //#define MBEDTLS_MD4_PROCESS_ALT
  321. //#define MBEDTLS_MD5_PROCESS_ALT
  322. //#define MBEDTLS_RIPEMD160_PROCESS_ALT
  323. //#define MBEDTLS_SHA1_PROCESS_ALT
  324. //#define MBEDTLS_SHA256_PROCESS_ALT
  325. //#define MBEDTLS_SHA512_PROCESS_ALT
  326. //#define MBEDTLS_DES_SETKEY_ALT
  327. //#define MBEDTLS_DES_CRYPT_ECB_ALT
  328. //#define MBEDTLS_DES3_CRYPT_ECB_ALT
  329. //#define MBEDTLS_AES_SETKEY_ENC_ALT
  330. //#define MBEDTLS_AES_SETKEY_DEC_ALT
  331. //#define MBEDTLS_AES_ENCRYPT_ALT
  332. //#define MBEDTLS_AES_DECRYPT_ALT
  333. //#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
  334. //#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
  335. //#define MBEDTLS_ECDSA_VERIFY_ALT
  336. //#define MBEDTLS_ECDSA_SIGN_ALT
  337. //#define MBEDTLS_ECDSA_GENKEY_ALT
  338. /**
  339. * \def MBEDTLS_ECP_INTERNAL_ALT
  340. *
  341. * Expose a part of the internal interface of the Elliptic Curve Point module.
  342. *
  343. * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
  344. * alternative core implementation of elliptic curve arithmetic. Keep in mind
  345. * that function prototypes should remain the same.
  346. *
  347. * This partially replaces one function. The header file from mbed TLS is still
  348. * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
  349. * is still present and it is used for group structures not supported by the
  350. * alternative.
  351. *
  352. * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
  353. * and implementing the following functions:
  354. * unsigned char mbedtls_internal_ecp_grp_capable(
  355. * const mbedtls_ecp_group *grp )
  356. * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
  357. * void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
  358. * The mbedtls_internal_ecp_grp_capable function should return 1 if the
  359. * replacement functions implement arithmetic for the given group and 0
  360. * otherwise.
  361. * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
  362. * called before and after each point operation and provide an opportunity to
  363. * implement optimized set up and tear down instructions.
  364. *
  365. * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and
  366. * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac
  367. * function, but will use your mbedtls_internal_ecp_double_jac if the group is
  368. * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when
  369. * receives it as an argument). If the group is not supported then the original
  370. * implementation is used. The other functions and the definition of
  371. * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your
  372. * implementation of mbedtls_internal_ecp_double_jac and
  373. * mbedtls_internal_ecp_grp_capable must be compatible with this definition.
  374. *
  375. * Uncomment a macro to enable alternate implementation of the corresponding
  376. * function.
  377. */
  378. /* Required for all the functions in this section */
  379. //#define MBEDTLS_ECP_INTERNAL_ALT
  380. /* Support for Weierstrass curves with Jacobi representation */
  381. //#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
  382. //#define MBEDTLS_ECP_ADD_MIXED_ALT
  383. //#define MBEDTLS_ECP_DOUBLE_JAC_ALT
  384. //#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
  385. //#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
  386. /* Support for curves with Montgomery arithmetic */
  387. //#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
  388. //#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
  389. //#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
  390. /**
  391. * \def MBEDTLS_TEST_NULL_ENTROPY
  392. *
  393. * Enables testing and use of mbed TLS without any configured entropy sources.
  394. * This permits use of the library on platforms before an entropy source has
  395. * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
  396. * MBEDTLS_ENTROPY_NV_SEED switches).
  397. *
  398. * WARNING! This switch MUST be disabled in production builds, and is suitable
  399. * only for development.
  400. * Enabling the switch negates any security provided by the library.
  401. *
  402. * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
  403. *
  404. */
  405. //#define MBEDTLS_TEST_NULL_ENTROPY
  406. /**
  407. * \def MBEDTLS_ENTROPY_HARDWARE_ALT
  408. *
  409. * Uncomment this macro to let mbed TLS use your own implementation of a
  410. * hardware entropy collector.
  411. *
  412. * Your function must be called \c mbedtls_hardware_poll(), have the same
  413. * prototype as declared in entropy_poll.h, and accept NULL as first argument.
  414. *
  415. * Uncomment to use your own hardware entropy collector.
  416. */
  417. //#define MBEDTLS_ENTROPY_HARDWARE_ALT
  418. /**
  419. * \def MBEDTLS_AES_ROM_TABLES
  420. *
  421. * Use precomputed AES tables stored in ROM.
  422. *
  423. * Uncomment this macro to use precomputed AES tables stored in ROM.
  424. * Comment this macro to generate AES tables in RAM at runtime.
  425. *
  426. * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
  427. * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
  428. * initialization time before the first AES operation can be performed.
  429. * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
  430. * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
  431. * performance if ROM access is slower than RAM access.
  432. *
  433. * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
  434. *
  435. */
  436. //#define MBEDTLS_AES_ROM_TABLES
  437. /**
  438. * \def MBEDTLS_AES_FEWER_TABLES
  439. *
  440. * Use less ROM/RAM for AES tables.
  441. *
  442. * Uncommenting this macro omits 75% of the AES tables from
  443. * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
  444. * by computing their values on the fly during operations
  445. * (the tables are entry-wise rotations of one another).
  446. *
  447. * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
  448. * by ~6kb but at the cost of more arithmetic operations during
  449. * runtime. Specifically, one has to compare 4 accesses within
  450. * different tables to 4 accesses with additional arithmetic
  451. * operations within the same table. The performance gain/loss
  452. * depends on the system and memory details.
  453. *
  454. * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
  455. *
  456. */
  457. //#define MBEDTLS_AES_FEWER_TABLES
  458. /**
  459. * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
  460. *
  461. * Use less ROM for the Camellia implementation (saves about 768 bytes).
  462. *
  463. * Uncomment this macro to use less memory for Camellia.
  464. */
  465. //#define MBEDTLS_CAMELLIA_SMALL_MEMORY
  466. /**
  467. * \def MBEDTLS_CIPHER_MODE_CBC
  468. *
  469. * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
  470. */
  471. //#define MBEDTLS_CIPHER_MODE_CBC
  472. /**
  473. * \def MBEDTLS_CIPHER_MODE_CFB
  474. *
  475. * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
  476. */
  477. //#define MBEDTLS_CIPHER_MODE_CFB
  478. /**
  479. * \def MBEDTLS_CIPHER_MODE_CTR
  480. *
  481. * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
  482. */
  483. //#define MBEDTLS_CIPHER_MODE_CTR
  484. /**
  485. * \def MBEDTLS_CIPHER_NULL_CIPHER
  486. *
  487. * Enable NULL cipher.
  488. * Warning: Only do so when you know what you are doing. This allows for
  489. * encryption or channels without any security!
  490. *
  491. * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
  492. * the following ciphersuites:
  493. * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
  494. * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
  495. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
  496. * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
  497. * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
  498. * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
  499. * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
  500. * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
  501. * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
  502. * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
  503. * MBEDTLS_TLS_RSA_WITH_NULL_SHA256
  504. * MBEDTLS_TLS_RSA_WITH_NULL_SHA
  505. * MBEDTLS_TLS_RSA_WITH_NULL_MD5
  506. * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
  507. * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
  508. * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
  509. * MBEDTLS_TLS_PSK_WITH_NULL_SHA384
  510. * MBEDTLS_TLS_PSK_WITH_NULL_SHA256
  511. * MBEDTLS_TLS_PSK_WITH_NULL_SHA
  512. *
  513. * Uncomment this macro to enable the NULL cipher and ciphersuites
  514. */
  515. //#define MBEDTLS_CIPHER_NULL_CIPHER
  516. /**
  517. * \def MBEDTLS_CIPHER_PADDING_PKCS7
  518. *
  519. * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
  520. * specific padding modes in the cipher layer with cipher modes that support
  521. * padding (e.g. CBC)
  522. *
  523. * If you disable all padding modes, only full blocks can be used with CBC.
  524. *
  525. * Enable padding modes in the cipher layer.
  526. */
  527. #define MBEDTLS_CIPHER_PADDING_PKCS7
  528. //#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
  529. //#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
  530. //#define MBEDTLS_CIPHER_PADDING_ZEROS
  531. /**
  532. * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
  533. *
  534. * Enable weak ciphersuites in SSL / TLS.
  535. * Warning: Only do so when you know what you are doing. This allows for
  536. * channels with virtually no security at all!
  537. *
  538. * This enables the following ciphersuites:
  539. * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
  540. * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
  541. *
  542. * Uncomment this macro to enable weak ciphersuites
  543. *
  544. * \warning DES is considered a weak cipher and its use constitutes a
  545. * security risk. We recommend considering stronger ciphers instead.
  546. */
  547. //#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
  548. /**
  549. * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES
  550. *
  551. * Remove RC4 ciphersuites by default in SSL / TLS.
  552. * This flag removes the ciphersuites based on RC4 from the default list as
  553. * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
  554. * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
  555. * explicitly.
  556. *
  557. * Uncomment this macro to remove RC4 ciphersuites by default.
  558. */
  559. #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
  560. /**
  561. * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
  562. *
  563. * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
  564. * module. By default all supported curves are enabled.
  565. *
  566. * Comment macros to disable the curve and functions for it
  567. */
  568. //#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
  569. //#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
  570. #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
  571. //#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
  572. //#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
  573. //#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
  574. //#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
  575. //#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
  576. //#define MBEDTLS_ECP_DP_BP256R1_ENABLED
  577. //#define MBEDTLS_ECP_DP_BP384R1_ENABLED
  578. //#define MBEDTLS_ECP_DP_BP512R1_ENABLED
  579. #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
  580. #define MBEDTLS_ECP_DP_CURVE448_ENABLED
  581. /**
  582. * \def MBEDTLS_ECP_NIST_OPTIM
  583. *
  584. * Enable specific 'modulo p' routines for each NIST prime.
  585. * Depending on the prime and architecture, makes operations 4 to 8 times
  586. * faster on the corresponding curve.
  587. *
  588. * Comment this macro to disable NIST curves optimisation.
  589. */
  590. #define MBEDTLS_ECP_NIST_OPTIM
  591. /**
  592. * \def MBEDTLS_ECDSA_DETERMINISTIC
  593. *
  594. * Enable deterministic ECDSA (RFC 6979).
  595. * Standard ECDSA is "fragile" in the sense that lack of entropy when signing
  596. * may result in a compromise of the long-term signing key. This is avoided by
  597. * the deterministic variant.
  598. *
  599. * Requires: MBEDTLS_HMAC_DRBG_C
  600. *
  601. * Comment this macro to disable deterministic ECDSA.
  602. */
  603. #define MBEDTLS_ECDSA_DETERMINISTIC
  604. /**
  605. * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
  606. *
  607. * Enable the PSK based ciphersuite modes in SSL / TLS.
  608. *
  609. * This enables the following ciphersuites (if other requisites are
  610. * enabled as well):
  611. * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
  612. * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
  613. * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
  614. * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
  615. * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
  616. * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
  617. * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
  618. * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
  619. * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
  620. * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
  621. * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
  622. * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
  623. */
  624. //#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
  625. /**
  626. * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
  627. *
  628. * Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
  629. *
  630. * Requires: MBEDTLS_DHM_C
  631. *
  632. * This enables the following ciphersuites (if other requisites are
  633. * enabled as well):
  634. * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
  635. * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
  636. * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
  637. * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
  638. * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
  639. * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
  640. * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
  641. * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
  642. * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
  643. * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
  644. * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
  645. * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
  646. *
  647. * \warning Using DHE constitutes a security risk as it
  648. * is not possible to validate custom DH parameters.
  649. * If possible, it is recommended users should consider
  650. * preferring other methods of key exchange.
  651. * See dhm.h for more details.
  652. *
  653. */
  654. //#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
  655. /**
  656. * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
  657. *
  658. * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
  659. *
  660. * Requires: MBEDTLS_ECDH_C
  661. *
  662. * This enables the following ciphersuites (if other requisites are
  663. * enabled as well):
  664. * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
  665. * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
  666. * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
  667. * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
  668. * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
  669. * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
  670. * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
  671. * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
  672. */
  673. //#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
  674. /**
  675. * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
  676. *
  677. * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
  678. *
  679. * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
  680. * MBEDTLS_X509_CRT_PARSE_C
  681. *
  682. * This enables the following ciphersuites (if other requisites are
  683. * enabled as well):
  684. * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
  685. * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
  686. * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
  687. * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
  688. * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
  689. * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
  690. * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
  691. * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
  692. * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
  693. * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
  694. * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
  695. * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
  696. */
  697. //#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
  698. /**
  699. * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
  700. *
  701. * Enable the RSA-only based ciphersuite modes in SSL / TLS.
  702. *
  703. * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
  704. * MBEDTLS_X509_CRT_PARSE_C
  705. *
  706. * This enables the following ciphersuites (if other requisites are
  707. * enabled as well):
  708. * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
  709. * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
  710. * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
  711. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
  712. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
  713. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  714. * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
  715. * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
  716. * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
  717. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
  718. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
  719. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  720. * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
  721. * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
  722. * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
  723. */
  724. //#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
  725. /**
  726. * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
  727. *
  728. * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
  729. *
  730. * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
  731. * MBEDTLS_X509_CRT_PARSE_C
  732. *
  733. * This enables the following ciphersuites (if other requisites are
  734. * enabled as well):
  735. * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  736. * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  737. * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  738. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
  739. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
  740. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
  741. * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  742. * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  743. * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  744. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
  745. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  746. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  747. * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  748. *
  749. * \warning Using DHE constitutes a security risk as it
  750. * is not possible to validate custom DH parameters.
  751. * If possible, it is recommended users should consider
  752. * preferring other methods of key exchange.
  753. * See dhm.h for more details.
  754. *
  755. */
  756. //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
  757. /**
  758. * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
  759. *
  760. * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
  761. *
  762. * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
  763. * MBEDTLS_X509_CRT_PARSE_C
  764. *
  765. * This enables the following ciphersuites (if other requisites are
  766. * enabled as well):
  767. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  768. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  769. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  770. * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
  771. * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
  772. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  773. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  774. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  775. * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
  776. * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  777. * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  778. * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
  779. */
  780. // #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
  781. /**
  782. * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
  783. *
  784. * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
  785. *
  786. * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
  787. *
  788. * This enables the following ciphersuites (if other requisites are
  789. * enabled as well):
  790. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  791. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  792. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  793. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
  794. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
  795. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  796. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  797. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  798. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  799. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
  800. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  801. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  802. */
  803. #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
  804. /**
  805. * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
  806. *
  807. * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
  808. *
  809. * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
  810. *
  811. * This enables the following ciphersuites (if other requisites are
  812. * enabled as well):
  813. * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  814. * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  815. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  816. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  817. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  818. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  819. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  820. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  821. * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
  822. * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
  823. * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  824. * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
  825. */
  826. #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
  827. /**
  828. * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
  829. *
  830. * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
  831. *
  832. * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
  833. *
  834. * This enables the following ciphersuites (if other requisites are
  835. * enabled as well):
  836. * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
  837. * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  838. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  839. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  840. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  841. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  842. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  843. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  844. * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
  845. * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
  846. * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
  847. * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
  848. */
  849. //#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
  850. /**
  851. * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
  852. *
  853. * Enable the ECJPAKE based ciphersuite modes in SSL / TLS.
  854. *
  855. * \warning This is currently experimental. EC J-PAKE support is based on the
  856. * Thread v1.0.0 specification; incompatible changes to the specification
  857. * might still happen. For this reason, this is disabled by default.
  858. *
  859. * Requires: MBEDTLS_ECJPAKE_C
  860. * MBEDTLS_SHA256_C
  861. * MBEDTLS_ECP_DP_SECP256R1_ENABLED
  862. *
  863. * This enables the following ciphersuites (if other requisites are
  864. * enabled as well):
  865. * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
  866. */
  867. //#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
  868. /**
  869. * \def MBEDTLS_PK_PARSE_EC_EXTENDED
  870. *
  871. * Enhance support for reading EC keys using variants of SEC1 not allowed by
  872. * RFC 5915 and RFC 5480.
  873. *
  874. * Currently this means parsing the SpecifiedECDomain choice of EC
  875. * parameters (only known groups are supported, not arbitrary domains, to
  876. * avoid validation issues).
  877. *
  878. * Disable if you only need to support RFC 5915 + 5480 key formats.
  879. */
  880. #define MBEDTLS_PK_PARSE_EC_EXTENDED
  881. /**
  882. * \def MBEDTLS_ERROR_STRERROR_DUMMY
  883. *
  884. * Enable a dummy error function to make use of mbedtls_strerror() in
  885. * third party libraries easier when MBEDTLS_ERROR_C is disabled
  886. * (no effect when MBEDTLS_ERROR_C is enabled).
  887. *
  888. * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
  889. * not using mbedtls_strerror() or error_strerror() in your application.
  890. *
  891. * Disable if you run into name conflicts and want to really remove the
  892. * mbedtls_strerror()
  893. */
  894. //#define MBEDTLS_ERROR_STRERROR_DUMMY
  895. /**
  896. * \def MBEDTLS_GENPRIME
  897. *
  898. * Enable the prime-number generation code.
  899. *
  900. * Requires: MBEDTLS_BIGNUM_C
  901. */
  902. #define MBEDTLS_GENPRIME
  903. /**
  904. * \def MBEDTLS_FS_IO
  905. *
  906. * Enable functions that use the filesystem.
  907. */
  908. #define MBEDTLS_FS_IO
  909. /**
  910. * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
  911. *
  912. * Do not add default entropy sources. These are the platform specific,
  913. * mbedtls_timing_hardclock and HAVEGE based poll functions.
  914. *
  915. * This is useful to have more control over the added entropy sources in an
  916. * application.
  917. *
  918. * Uncomment this macro to prevent loading of default entropy functions.
  919. */
  920. //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
  921. /**
  922. * \def MBEDTLS_NO_PLATFORM_ENTROPY
  923. *
  924. * Do not use built-in platform entropy functions.
  925. * This is useful if your platform does not support
  926. * standards like the /dev/urandom or Windows CryptoAPI.
  927. *
  928. * Uncomment this macro to disable the built-in platform entropy functions.
  929. */
  930. //#define MBEDTLS_NO_PLATFORM_ENTROPY
  931. /**
  932. * \def MBEDTLS_ENTROPY_FORCE_SHA256
  933. *
  934. * Force the entropy accumulator to use a SHA-256 accumulator instead of the
  935. * default SHA-512 based one (if both are available).
  936. *
  937. * Requires: MBEDTLS_SHA256_C
  938. *
  939. * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
  940. * if you have performance concerns.
  941. *
  942. * This option is only useful if both MBEDTLS_SHA256_C and
  943. * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
  944. */
  945. //#define MBEDTLS_ENTROPY_FORCE_SHA256
  946. /**
  947. * \def MBEDTLS_ENTROPY_NV_SEED
  948. *
  949. * Enable the non-volatile (NV) seed file-based entropy source.
  950. * (Also enables the NV seed read/write functions in the platform layer)
  951. *
  952. * This is crucial (if not required) on systems that do not have a
  953. * cryptographic entropy source (in hardware or kernel) available.
  954. *
  955. * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
  956. *
  957. * \note The read/write functions that are used by the entropy source are
  958. * determined in the platform layer, and can be modified at runtime and/or
  959. * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
  960. *
  961. * \note If you use the default implementation functions that read a seedfile
  962. * with regular fopen(), please make sure you make a seedfile with the
  963. * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
  964. * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
  965. * and written to or you will get an entropy source error! The default
  966. * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
  967. * bytes from the file.
  968. *
  969. * \note The entropy collector will write to the seed file before entropy is
  970. * given to an external source, to update it.
  971. */
  972. //#define MBEDTLS_ENTROPY_NV_SEED
  973. /**
  974. * \def MBEDTLS_MEMORY_DEBUG
  975. *
  976. * Enable debugging of buffer allocator memory issues. Automatically prints
  977. * (to stderr) all (fatal) messages on memory allocation issues. Enables
  978. * function for 'debug output' of allocated memory.
  979. *
  980. * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
  981. *
  982. * Uncomment this macro to let the buffer allocator print out error messages.
  983. */
  984. //#define MBEDTLS_MEMORY_DEBUG
  985. /**
  986. * \def MBEDTLS_MEMORY_BACKTRACE
  987. *
  988. * Include backtrace information with each allocated block.
  989. *
  990. * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
  991. * GLIBC-compatible backtrace() an backtrace_symbols() support
  992. *
  993. * Uncomment this macro to include backtrace information
  994. */
  995. //#define MBEDTLS_MEMORY_BACKTRACE
  996. /**
  997. * \def MBEDTLS_PK_RSA_ALT_SUPPORT
  998. *
  999. * Support external private RSA keys (eg from a HSM) in the PK layer.
  1000. *
  1001. * Comment this macro to disable support for external private RSA keys.
  1002. */
  1003. //#define MBEDTLS_PK_RSA_ALT_SUPPORT
  1004. /**
  1005. * \def MBEDTLS_PKCS1_V15
  1006. *
  1007. * Enable support for PKCS#1 v1.5 encoding.
  1008. *
  1009. * Requires: MBEDTLS_RSA_C
  1010. *
  1011. * This enables support for PKCS#1 v1.5 operations.
  1012. */
  1013. #define MBEDTLS_PKCS1_V15
  1014. /**
  1015. * \def MBEDTLS_PKCS1_V21
  1016. *
  1017. * Enable support for PKCS#1 v2.1 encoding.
  1018. *
  1019. * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C
  1020. *
  1021. * This enables support for RSAES-OAEP and RSASSA-PSS operations.
  1022. */
  1023. #define MBEDTLS_PKCS1_V21
  1024. /**
  1025. * \def MBEDTLS_RSA_NO_CRT
  1026. *
  1027. * Do not use the Chinese Remainder Theorem
  1028. * for the RSA private operation.
  1029. *
  1030. * Uncomment this macro to disable the use of CRT in RSA.
  1031. *
  1032. */
  1033. //#define MBEDTLS_RSA_NO_CRT
  1034. /**
  1035. * \def MBEDTLS_SELF_TEST
  1036. *
  1037. * Enable the checkup functions (*_self_test).
  1038. */
  1039. //#define MBEDTLS_SELF_TEST
  1040. /**
  1041. * \def MBEDTLS_SHA256_SMALLER
  1042. *
  1043. * Enable an implementation of SHA-256 that has lower ROM footprint but also
  1044. * lower performance.
  1045. *
  1046. * The default implementation is meant to be a reasonnable compromise between
  1047. * performance and size. This version optimizes more aggressively for size at
  1048. * the expense of performance. Eg on Cortex-M4 it reduces the size of
  1049. * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
  1050. * 30%.
  1051. *
  1052. * Uncomment to enable the smaller implementation of SHA256.
  1053. */
  1054. //#define MBEDTLS_SHA256_SMALLER
  1055. /**
  1056. * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
  1057. *
  1058. * Enable sending of alert messages in case of encountered errors as per RFC.
  1059. * If you choose not to send the alert messages, mbed TLS can still communicate
  1060. * with other servers, only debugging of failures is harder.
  1061. *
  1062. * The advantage of not sending alert messages, is that no information is given
  1063. * about reasons for failures thus preventing adversaries of gaining intel.
  1064. *
  1065. * Enable sending of all alert messages
  1066. */
  1067. #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
  1068. /**
  1069. * \def MBEDTLS_SSL_DEBUG_ALL
  1070. *
  1071. * Enable the debug messages in SSL module for all issues.
  1072. * Debug messages have been disabled in some places to prevent timing
  1073. * attacks due to (unbalanced) debugging function calls.
  1074. *
  1075. * If you need all error reporting you should enable this during debugging,
  1076. * but remove this for production servers that should log as well.
  1077. *
  1078. * Uncomment this macro to report all debug messages on errors introducing
  1079. * a timing side-channel.
  1080. *
  1081. */
  1082. //#define MBEDTLS_SSL_DEBUG_ALL
  1083. /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
  1084. *
  1085. * Enable support for Encrypt-then-MAC, RFC 7366.
  1086. *
  1087. * This allows peers that both support it to use a more robust protection for
  1088. * ciphersuites using CBC, providing deep resistance against timing attacks
  1089. * on the padding or underlying cipher.
  1090. *
  1091. * This only affects CBC ciphersuites, and is useless if none is defined.
  1092. *
  1093. * Requires: MBEDTLS_SSL_PROTO_TLS1 or
  1094. * MBEDTLS_SSL_PROTO_TLS1_1 or
  1095. * MBEDTLS_SSL_PROTO_TLS1_2
  1096. *
  1097. * Comment this macro to disable support for Encrypt-then-MAC
  1098. */
  1099. #define MBEDTLS_SSL_ENCRYPT_THEN_MAC
  1100. /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
  1101. *
  1102. * Enable support for Extended Master Secret, aka Session Hash
  1103. * (draft-ietf-tls-session-hash-02).
  1104. *
  1105. * This was introduced as "the proper fix" to the Triple Handshake familiy of
  1106. * attacks, but it is recommended to always use it (even if you disable
  1107. * renegotiation), since it actually fixes a more fundamental issue in the
  1108. * original SSL/TLS design, and has implications beyond Triple Handshake.
  1109. *
  1110. * Requires: MBEDTLS_SSL_PROTO_TLS1 or
  1111. * MBEDTLS_SSL_PROTO_TLS1_1 or
  1112. * MBEDTLS_SSL_PROTO_TLS1_2
  1113. *
  1114. * Comment this macro to disable support for Extended Master Secret.
  1115. */
  1116. #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
  1117. /**
  1118. * \def MBEDTLS_SSL_FALLBACK_SCSV
  1119. *
  1120. * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
  1121. *
  1122. * For servers, it is recommended to always enable this, unless you support
  1123. * only one version of TLS, or know for sure that none of your clients
  1124. * implements a fallback strategy.
  1125. *
  1126. * For clients, you only need this if you're using a fallback strategy, which
  1127. * is not recommended in the first place, unless you absolutely need it to
  1128. * interoperate with buggy (version-intolerant) servers.
  1129. *
  1130. * Comment this macro to disable support for FALLBACK_SCSV
  1131. */
  1132. #define MBEDTLS_SSL_FALLBACK_SCSV
  1133. /**
  1134. * \def MBEDTLS_SSL_HW_RECORD_ACCEL
  1135. *
  1136. * Enable hooking functions in SSL module for hardware acceleration of
  1137. * individual records.
  1138. *
  1139. * Uncomment this macro to enable hooking functions.
  1140. */
  1141. //#define MBEDTLS_SSL_HW_RECORD_ACCEL
  1142. /**
  1143. * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
  1144. *
  1145. * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
  1146. *
  1147. * This is a countermeasure to the BEAST attack, which also minimizes the risk
  1148. * of interoperability issues compared to sending 0-length records.
  1149. *
  1150. * Comment this macro to disable 1/n-1 record splitting.
  1151. */
  1152. //#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
  1153. /**
  1154. * \def MBEDTLS_SSL_RENEGOTIATION
  1155. *
  1156. * Disable support for TLS renegotiation.
  1157. *
  1158. * The two main uses of renegotiation are (1) refresh keys on long-lived
  1159. * connections and (2) client authentication after the initial handshake.
  1160. * If you don't need renegotiation, it's probably better to disable it, since
  1161. * it has been associated with security issues in the past and is easy to
  1162. * misuse/misunderstand.
  1163. *
  1164. * Comment this to disable support for renegotiation.
  1165. *
  1166. * \note Even if this option is disabled, both client and server are aware
  1167. * of the Renegotiation Indication Extension (RFC 5746) used to
  1168. * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
  1169. * (See \c mbedtls_ssl_conf_legacy_renegotiation for the
  1170. * configuration of this extension).
  1171. *
  1172. */
  1173. #define MBEDTLS_SSL_RENEGOTIATION
  1174. /**
  1175. * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
  1176. *
  1177. * Enable support for receiving and parsing SSLv2 Client Hello messages for the
  1178. * SSL Server module (MBEDTLS_SSL_SRV_C).
  1179. *
  1180. * Uncomment this macro to enable support for SSLv2 Client Hello messages.
  1181. */
  1182. //#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
  1183. /**
  1184. * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
  1185. *
  1186. * Pick the ciphersuite according to the client's preferences rather than ours
  1187. * in the SSL Server module (MBEDTLS_SSL_SRV_C).
  1188. *
  1189. * Uncomment this macro to respect client's ciphersuite order
  1190. */
  1191. //#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
  1192. /**
  1193. * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
  1194. *
  1195. * Enable support for RFC 6066 max_fragment_length extension in SSL.
  1196. *
  1197. * Comment this macro to disable support for the max_fragment_length extension
  1198. */
  1199. #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
  1200. /**
  1201. * \def MBEDTLS_SSL_PROTO_SSL3
  1202. *
  1203. * Enable support for SSL 3.0.
  1204. *
  1205. * Requires: MBEDTLS_MD5_C
  1206. * MBEDTLS_SHA1_C
  1207. *
  1208. * Comment this macro to disable support for SSL 3.0
  1209. */
  1210. //#define MBEDTLS_SSL_PROTO_SSL3
  1211. /**
  1212. * \def MBEDTLS_SSL_PROTO_TLS1
  1213. *
  1214. * Enable support for TLS 1.0.
  1215. *
  1216. * Requires: MBEDTLS_MD5_C
  1217. * MBEDTLS_SHA1_C
  1218. *
  1219. * Comment this macro to disable support for TLS 1.0
  1220. */
  1221. //#define MBEDTLS_SSL_PROTO_TLS1
  1222. /**
  1223. * \def MBEDTLS_SSL_PROTO_TLS1_1
  1224. *
  1225. * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
  1226. *
  1227. * Requires: MBEDTLS_MD5_C
  1228. * MBEDTLS_SHA1_C
  1229. *
  1230. * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
  1231. */
  1232. //#define MBEDTLS_SSL_PROTO_TLS1_1
  1233. /**
  1234. * \def MBEDTLS_SSL_PROTO_TLS1_2
  1235. *
  1236. * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
  1237. *
  1238. * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
  1239. * (Depends on ciphersuites)
  1240. *
  1241. * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
  1242. */
  1243. #define MBEDTLS_SSL_PROTO_TLS1_2
  1244. /**
  1245. * \def MBEDTLS_SSL_PROTO_DTLS
  1246. *
  1247. * Enable support for DTLS (all available versions).
  1248. *
  1249. * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0,
  1250. * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
  1251. *
  1252. * Requires: MBEDTLS_SSL_PROTO_TLS1_1
  1253. * or MBEDTLS_SSL_PROTO_TLS1_2
  1254. *
  1255. * Comment this macro to disable support for DTLS
  1256. */
  1257. //#define MBEDTLS_SSL_PROTO_DTLS
  1258. /**
  1259. * \def MBEDTLS_SSL_ALPN
  1260. *
  1261. * Enable support for RFC 7301 Application Layer Protocol Negotiation.
  1262. *
  1263. * Comment this macro to disable support for ALPN.
  1264. */
  1265. #define MBEDTLS_SSL_ALPN
  1266. /**
  1267. * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
  1268. *
  1269. * Enable support for the anti-replay mechanism in DTLS.
  1270. *
  1271. * Requires: MBEDTLS_SSL_TLS_C
  1272. * MBEDTLS_SSL_PROTO_DTLS
  1273. *
  1274. * \warning Disabling this is often a security risk!
  1275. * See mbedtls_ssl_conf_dtls_anti_replay() for details.
  1276. *
  1277. * Comment this to disable anti-replay in DTLS.
  1278. */
  1279. //#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
  1280. /**
  1281. * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
  1282. *
  1283. * Enable support for HelloVerifyRequest on DTLS servers.
  1284. *
  1285. * This feature is highly recommended to prevent DTLS servers being used as
  1286. * amplifiers in DoS attacks against other hosts. It should always be enabled
  1287. * unless you know for sure amplification cannot be a problem in the
  1288. * environment in which your server operates.
  1289. *
  1290. * \warning Disabling this can ba a security risk! (see above)
  1291. *
  1292. * Requires: MBEDTLS_SSL_PROTO_DTLS
  1293. *
  1294. * Comment this to disable support for HelloVerifyRequest.
  1295. */
  1296. //#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
  1297. /**
  1298. * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
  1299. *
  1300. * Enable server-side support for clients that reconnect from the same port.
  1301. *
  1302. * Some clients unexpectedly close the connection and try to reconnect using the
  1303. * same source port. This needs special support from the server to handle the
  1304. * new connection securely, as described in section 4.2.8 of RFC 6347. This
  1305. * flag enables that support.
  1306. *
  1307. * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
  1308. *
  1309. * Comment this to disable support for clients reusing the source port.
  1310. */
  1311. //#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
  1312. /**
  1313. * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
  1314. *
  1315. * Enable support for a limit of records with bad MAC.
  1316. *
  1317. * See mbedtls_ssl_conf_dtls_badmac_limit().
  1318. *
  1319. * Requires: MBEDTLS_SSL_PROTO_DTLS
  1320. */
  1321. //#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
  1322. /**
  1323. * \def MBEDTLS_SSL_SESSION_TICKETS
  1324. *
  1325. * Enable support for RFC 5077 session tickets in SSL.
  1326. * Client-side, provides full support for session tickets (maintainance of a
  1327. * session store remains the responsibility of the application, though).
  1328. * Server-side, you also need to provide callbacks for writing and parsing
  1329. * tickets, including authenticated encryption and key management. Example
  1330. * callbacks are provided by MBEDTLS_SSL_TICKET_C.
  1331. *
  1332. * Comment this macro to disable support for SSL session tickets
  1333. */
  1334. #define MBEDTLS_SSL_SESSION_TICKETS
  1335. /**
  1336. * \def MBEDTLS_SSL_EXPORT_KEYS
  1337. *
  1338. * Enable support for exporting key block and master secret.
  1339. * This is required for certain users of TLS, e.g. EAP-TLS.
  1340. *
  1341. * Comment this macro to disable support for key export
  1342. */
  1343. #define MBEDTLS_SSL_EXPORT_KEYS
  1344. /**
  1345. * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
  1346. *
  1347. * Enable support for RFC 6066 server name indication (SNI) in SSL.
  1348. *
  1349. * Requires: MBEDTLS_X509_CRT_PARSE_C
  1350. *
  1351. * Comment this macro to disable support for server name indication in SSL
  1352. */
  1353. #define MBEDTLS_SSL_SERVER_NAME_INDICATION
  1354. /**
  1355. * \def MBEDTLS_SSL_TRUNCATED_HMAC
  1356. *
  1357. * Enable support for RFC 6066 truncated HMAC in SSL.
  1358. *
  1359. * Comment this macro to disable support for truncated HMAC in SSL
  1360. */
  1361. #define MBEDTLS_SSL_TRUNCATED_HMAC
  1362. /**
  1363. * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
  1364. *
  1365. * Fallback to old (pre-2.7), non-conforming implementation of the truncated
  1366. * HMAC extension which also truncates the HMAC key. Note that this option is
  1367. * only meant for a transitory upgrade period and is likely to be removed in
  1368. * a future version of the library.
  1369. *
  1370. * \warning The old implementation is non-compliant and has a security weakness
  1371. * (2^80 brute force attack on the HMAC key used for a single,
  1372. * uninterrupted connection). This should only be enabled temporarily
  1373. * when (1) the use of truncated HMAC is essential in order to save
  1374. * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
  1375. * the fixed implementation yet (pre-2.7).
  1376. *
  1377. * \deprecated This option is deprecated and will likely be removed in a
  1378. * future version of Mbed TLS.
  1379. *
  1380. * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
  1381. *
  1382. * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
  1383. */
  1384. //#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
  1385. /**
  1386. * \def MBEDTLS_THREADING_ALT
  1387. *
  1388. * Provide your own alternate threading implementation.
  1389. *
  1390. * Requires: MBEDTLS_THREADING_C
  1391. *
  1392. * Uncomment this to allow your own alternate threading implementation.
  1393. */
  1394. //#define MBEDTLS_THREADING_ALT
  1395. /**
  1396. * \def MBEDTLS_THREADING_PTHREAD
  1397. *
  1398. * Enable the pthread wrapper layer for the threading layer.
  1399. *
  1400. * Requires: MBEDTLS_THREADING_C
  1401. *
  1402. * Uncomment this to enable pthread mutexes.
  1403. */
  1404. //#define MBEDTLS_THREADING_PTHREAD
  1405. /**
  1406. * \def MBEDTLS_VERSION_FEATURES
  1407. *
  1408. * Allow run-time checking of compile-time enabled features. Thus allowing users
  1409. * to check at run-time if the library is for instance compiled with threading
  1410. * support via mbedtls_version_check_feature().
  1411. *
  1412. * Requires: MBEDTLS_VERSION_C
  1413. *
  1414. * Comment this to disable run-time checking and save ROM space
  1415. */
  1416. #define MBEDTLS_VERSION_FEATURES
  1417. /**
  1418. * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
  1419. *
  1420. * If set, the X509 parser will not break-off when parsing an X509 certificate
  1421. * and encountering an extension in a v1 or v2 certificate.
  1422. *
  1423. * Uncomment to prevent an error.
  1424. */
  1425. //#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
  1426. /**
  1427. * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
  1428. *
  1429. * If set, the X509 parser will not break-off when parsing an X509 certificate
  1430. * and encountering an unknown critical extension.
  1431. *
  1432. * \warning Depending on your PKI use, enabling this can be a security risk!
  1433. *
  1434. * Uncomment to prevent an error.
  1435. */
  1436. //#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
  1437. /**
  1438. * \def MBEDTLS_X509_CHECK_KEY_USAGE
  1439. *
  1440. * Enable verification of the keyUsage extension (CA and leaf certificates).
  1441. *
  1442. * Disabling this avoids problems with mis-issued and/or misused
  1443. * (intermediate) CA and leaf certificates.
  1444. *
  1445. * \warning Depending on your PKI use, disabling this can be a security risk!
  1446. *
  1447. * Comment to skip keyUsage checking for both CA and leaf certificates.
  1448. */
  1449. #define MBEDTLS_X509_CHECK_KEY_USAGE
  1450. /**
  1451. * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
  1452. *
  1453. * Enable verification of the extendedKeyUsage extension (leaf certificates).
  1454. *
  1455. * Disabling this avoids problems with mis-issued and/or misused certificates.
  1456. *
  1457. * \warning Depending on your PKI use, disabling this can be a security risk!
  1458. *
  1459. * Comment to skip extendedKeyUsage checking for certificates.
  1460. */
  1461. #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
  1462. /**
  1463. * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
  1464. *
  1465. * Enable parsing and verification of X.509 certificates, CRLs and CSRS
  1466. * signed with RSASSA-PSS (aka PKCS#1 v2.1).
  1467. *
  1468. * Comment this macro to disallow using RSASSA-PSS in certificates.
  1469. */
  1470. // #define MBEDTLS_X509_RSASSA_PSS_SUPPORT
  1471. /**
  1472. * \def MBEDTLS_ZLIB_SUPPORT
  1473. *
  1474. * If set, the SSL/TLS module uses ZLIB to support compression and
  1475. * decompression of packet data.
  1476. *
  1477. * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
  1478. * CRIME attack. Before enabling this option, you should examine with care if
  1479. * CRIME or similar exploits may be a applicable to your use case.
  1480. *
  1481. * \note Currently compression can't be used with DTLS.
  1482. *
  1483. * \deprecated This feature is deprecated and will be removed
  1484. * in the next major revision of the library.
  1485. *
  1486. * Used in: library/ssl_tls.c
  1487. * library/ssl_cli.c
  1488. * library/ssl_srv.c
  1489. *
  1490. * This feature requires zlib library and headers to be present.
  1491. *
  1492. * Uncomment to enable use of ZLIB
  1493. */
  1494. //#define MBEDTLS_ZLIB_SUPPORT
  1495. /* \} name SECTION: mbed TLS feature support */
  1496. /**
  1497. * \name SECTION: mbed TLS modules
  1498. *
  1499. * This section enables or disables entire modules in mbed TLS
  1500. * \{
  1501. */
  1502. /**
  1503. * \def MBEDTLS_AESNI_C
  1504. *
  1505. * Enable AES-NI support on x86-64.
  1506. *
  1507. * Module: library/aesni.c
  1508. * Caller: library/aes.c
  1509. *
  1510. * Requires: MBEDTLS_HAVE_ASM
  1511. *
  1512. * This modules adds support for the AES-NI instructions on x86-64
  1513. */
  1514. //#define MBEDTLS_AESNI_C
  1515. /**
  1516. * \def MBEDTLS_AES_C
  1517. *
  1518. * Enable the AES block cipher.
  1519. *
  1520. * Module: library/aes.c
  1521. * Caller: library/ssl_tls.c
  1522. * library/pem.c
  1523. * library/ctr_drbg.c
  1524. *
  1525. * This module enables the following ciphersuites (if other requisites are
  1526. * enabled as well):
  1527. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  1528. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  1529. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  1530. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  1531. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  1532. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  1533. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  1534. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  1535. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  1536. * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  1537. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  1538. * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  1539. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  1540. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  1541. * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  1542. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  1543. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  1544. * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  1545. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  1546. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  1547. * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  1548. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  1549. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  1550. * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  1551. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  1552. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  1553. * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  1554. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  1555. * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  1556. * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  1557. * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
  1558. * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
  1559. * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
  1560. * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
  1561. * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
  1562. * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
  1563. * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
  1564. * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
  1565. * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
  1566. * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
  1567. * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
  1568. * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
  1569. * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
  1570. * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
  1571. * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
  1572. * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
  1573. * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
  1574. * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
  1575. * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
  1576. * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
  1577. * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
  1578. * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
  1579. * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
  1580. * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
  1581. * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
  1582. * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
  1583. * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
  1584. * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
  1585. *
  1586. * PEM_PARSE uses AES for decrypting encrypted keys.
  1587. */
  1588. #define MBEDTLS_AES_C
  1589. /**
  1590. * \def MBEDTLS_ARC4_C
  1591. *
  1592. * Enable the ARCFOUR stream cipher.
  1593. *
  1594. * Module: library/arc4.c
  1595. * Caller: library/ssl_tls.c
  1596. *
  1597. * This module enables the following ciphersuites (if other requisites are
  1598. * enabled as well):
  1599. * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  1600. * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
  1601. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  1602. * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
  1603. * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
  1604. * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
  1605. * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
  1606. * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
  1607. * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
  1608. * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
  1609. *
  1610. * \warning ARC4 is considered a weak cipher and its use constitutes a
  1611. * security risk. If possible, we recommend avoidng dependencies on
  1612. * it, and considering stronger ciphers instead.
  1613. *
  1614. */
  1615. //#define MBEDTLS_ARC4_C
  1616. /**
  1617. * \def MBEDTLS_ASN1_PARSE_C
  1618. *
  1619. * Enable the generic ASN1 parser.
  1620. *
  1621. * Module: library/asn1.c
  1622. * Caller: library/x509.c
  1623. * library/dhm.c
  1624. * library/pkcs12.c
  1625. * library/pkcs5.c
  1626. * library/pkparse.c
  1627. */
  1628. #define MBEDTLS_ASN1_PARSE_C
  1629. /**
  1630. * \def MBEDTLS_ASN1_WRITE_C
  1631. *
  1632. * Enable the generic ASN1 writer.
  1633. *
  1634. * Module: library/asn1write.c
  1635. * Caller: library/ecdsa.c
  1636. * library/pkwrite.c
  1637. * library/x509_create.c
  1638. * library/x509write_crt.c
  1639. * library/x509write_csr.c
  1640. */
  1641. #define MBEDTLS_ASN1_WRITE_C
  1642. /**
  1643. * \def MBEDTLS_BASE64_C
  1644. *
  1645. * Enable the Base64 module.
  1646. *
  1647. * Module: library/base64.c
  1648. * Caller: library/pem.c
  1649. *
  1650. * This module is required for PEM support (required by X.509).
  1651. */
  1652. #define MBEDTLS_BASE64_C
  1653. /**
  1654. * \def MBEDTLS_BIGNUM_C
  1655. *
  1656. * Enable the multi-precision integer library.
  1657. *
  1658. * Module: library/bignum.c
  1659. * Caller: library/dhm.c
  1660. * library/ecp.c
  1661. * library/ecdsa.c
  1662. * library/rsa.c
  1663. * library/rsa_internal.c
  1664. * library/ssl_tls.c
  1665. *
  1666. * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
  1667. */
  1668. #define MBEDTLS_BIGNUM_C
  1669. /**
  1670. * \def MBEDTLS_BLOWFISH_C
  1671. *
  1672. * Enable the Blowfish block cipher.
  1673. *
  1674. * Module: library/blowfish.c
  1675. */
  1676. //#define MBEDTLS_BLOWFISH_C
  1677. /**
  1678. * \def MBEDTLS_CAMELLIA_C
  1679. *
  1680. * Enable the Camellia block cipher.
  1681. *
  1682. * Module: library/camellia.c
  1683. * Caller: library/ssl_tls.c
  1684. *
  1685. * This module enables the following ciphersuites (if other requisites are
  1686. * enabled as well):
  1687. * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
  1688. * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
  1689. * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
  1690. * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
  1691. * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  1692. * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
  1693. * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
  1694. * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
  1695. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
  1696. * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
  1697. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
  1698. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
  1699. * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
  1700. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
  1701. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
  1702. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  1703. * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
  1704. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
  1705. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
  1706. * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  1707. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  1708. * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  1709. * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
  1710. * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
  1711. * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
  1712. * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
  1713. * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
  1714. * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
  1715. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
  1716. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
  1717. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  1718. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
  1719. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
  1720. * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  1721. * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
  1722. * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
  1723. * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
  1724. * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
  1725. * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
  1726. * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
  1727. * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
  1728. * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
  1729. */
  1730. //#define MBEDTLS_CAMELLIA_C
  1731. /**
  1732. * \def MBEDTLS_CCM_C
  1733. *
  1734. * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
  1735. *
  1736. * Module: library/ccm.c
  1737. *
  1738. * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
  1739. *
  1740. * This module enables the AES-CCM ciphersuites, if other requisites are
  1741. * enabled as well.
  1742. */
  1743. //#define MBEDTLS_CCM_C
  1744. /**
  1745. * \def MBEDTLS_CERTS_C
  1746. *
  1747. * Enable the test certificates.
  1748. *
  1749. * Module: library/certs.c
  1750. * Caller:
  1751. *
  1752. * This module is used for testing (ssl_client/server).
  1753. */
  1754. #define MBEDTLS_CERTS_C
  1755. /**
  1756. * \def MBEDTLS_CIPHER_C
  1757. *
  1758. * Enable the generic cipher layer.
  1759. *
  1760. * Module: library/cipher.c
  1761. * Caller: library/ssl_tls.c
  1762. *
  1763. * Uncomment to enable generic cipher wrappers.
  1764. */
  1765. #define MBEDTLS_CIPHER_C
  1766. /**
  1767. * \def MBEDTLS_CMAC_C
  1768. *
  1769. * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
  1770. * ciphers.
  1771. *
  1772. * Module: library/cmac.c
  1773. *
  1774. * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
  1775. *
  1776. */
  1777. //#define MBEDTLS_CMAC_C
  1778. /**
  1779. * \def MBEDTLS_CTR_DRBG_C
  1780. *
  1781. * Enable the CTR_DRBG AES-256-based random generator.
  1782. *
  1783. * Module: library/ctr_drbg.c
  1784. * Caller:
  1785. *
  1786. * Requires: MBEDTLS_AES_C
  1787. *
  1788. * This module provides the CTR_DRBG AES-256 random number generator.
  1789. */
  1790. #define MBEDTLS_CTR_DRBG_C
  1791. /**
  1792. * \def MBEDTLS_DEBUG_C
  1793. *
  1794. * Enable the debug functions.
  1795. *
  1796. * Module: library/debug.c
  1797. * Caller: library/ssl_cli.c
  1798. * library/ssl_srv.c
  1799. * library/ssl_tls.c
  1800. *
  1801. * This module provides debugging functions.
  1802. */
  1803. //#define MBEDTLS_DEBUG_C
  1804. /**
  1805. * \def MBEDTLS_DES_C
  1806. *
  1807. * Enable the DES block cipher.
  1808. *
  1809. * Module: library/des.c
  1810. * Caller: library/pem.c
  1811. * library/ssl_tls.c
  1812. *
  1813. * This module enables the following ciphersuites (if other requisites are
  1814. * enabled as well):
  1815. * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  1816. * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  1817. * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  1818. * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  1819. * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  1820. * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
  1821. * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
  1822. * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
  1823. * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
  1824. * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
  1825. *
  1826. * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
  1827. *
  1828. * \warning DES is considered a weak cipher and its use constitutes a
  1829. * security risk. We recommend considering stronger ciphers instead.
  1830. */
  1831. //#define MBEDTLS_DES_C
  1832. /**
  1833. * \def MBEDTLS_DHM_C
  1834. *
  1835. * Enable the Diffie-Hellman-Merkle module.
  1836. *
  1837. * Module: library/dhm.c
  1838. * Caller: library/ssl_cli.c
  1839. * library/ssl_srv.c
  1840. *
  1841. * This module is used by the following key exchanges:
  1842. * DHE-RSA, DHE-PSK
  1843. *
  1844. * \warning Using DHE constitutes a security risk as it
  1845. * is not possible to validate custom DH parameters.
  1846. * If possible, it is recommended users should consider
  1847. * preferring other methods of key exchange.
  1848. * See dhm.h for more details.
  1849. *
  1850. */
  1851. // #define MBEDTLS_DHM_C
  1852. /**
  1853. * \def MBEDTLS_ECDH_C
  1854. *
  1855. * Enable the elliptic curve Diffie-Hellman library.
  1856. *
  1857. * Module: library/ecdh.c
  1858. * Caller: library/ssl_cli.c
  1859. * library/ssl_srv.c
  1860. *
  1861. * This module is used by the following key exchanges:
  1862. * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
  1863. *
  1864. * Requires: MBEDTLS_ECP_C
  1865. */
  1866. #define MBEDTLS_ECDH_C
  1867. /**
  1868. * \def MBEDTLS_ECDSA_C
  1869. *
  1870. * Enable the elliptic curve DSA library.
  1871. *
  1872. * Module: library/ecdsa.c
  1873. * Caller:
  1874. *
  1875. * This module is used by the following key exchanges:
  1876. * ECDHE-ECDSA
  1877. *
  1878. * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
  1879. */
  1880. #define MBEDTLS_ECDSA_C
  1881. /**
  1882. * \def MBEDTLS_ECJPAKE_C
  1883. *
  1884. * Enable the elliptic curve J-PAKE library.
  1885. *
  1886. * \warning This is currently experimental. EC J-PAKE support is based on the
  1887. * Thread v1.0.0 specification; incompatible changes to the specification
  1888. * might still happen. For this reason, this is disabled by default.
  1889. *
  1890. * Module: library/ecjpake.c
  1891. * Caller:
  1892. *
  1893. * This module is used by the following key exchanges:
  1894. * ECJPAKE
  1895. *
  1896. * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
  1897. */
  1898. //#define MBEDTLS_ECJPAKE_C
  1899. /**
  1900. * \def MBEDTLS_ECP_C
  1901. *
  1902. * Enable the elliptic curve over GF(p) library.
  1903. *
  1904. * Module: library/ecp.c
  1905. * Caller: library/ecdh.c
  1906. * library/ecdsa.c
  1907. * library/ecjpake.c
  1908. *
  1909. * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
  1910. */
  1911. #define MBEDTLS_ECP_C
  1912. /**
  1913. * \def MBEDTLS_ENTROPY_C
  1914. *
  1915. * Enable the platform-specific entropy code.
  1916. *
  1917. * Module: library/entropy.c
  1918. * Caller:
  1919. *
  1920. * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
  1921. *
  1922. * This module provides a generic entropy pool
  1923. */
  1924. #define MBEDTLS_ENTROPY_C
  1925. /**
  1926. * \def MBEDTLS_ERROR_C
  1927. *
  1928. * Enable error code to error string conversion.
  1929. *
  1930. * Module: library/error.c
  1931. * Caller:
  1932. *
  1933. * This module enables mbedtls_strerror().
  1934. */
  1935. #define MBEDTLS_ERROR_C
  1936. /**
  1937. * \def MBEDTLS_GCM_C
  1938. *
  1939. * Enable the Galois/Counter Mode (GCM) for AES.
  1940. *
  1941. * Module: library/gcm.c
  1942. *
  1943. * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
  1944. *
  1945. * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
  1946. * requisites are enabled as well.
  1947. */
  1948. #define MBEDTLS_GCM_C
  1949. /**
  1950. * \def MBEDTLS_HAVEGE_C
  1951. *
  1952. * Enable the HAVEGE random generator.
  1953. *
  1954. * Warning: the HAVEGE random generator is not suitable for virtualized
  1955. * environments
  1956. *
  1957. * Warning: the HAVEGE random generator is dependent on timing and specific
  1958. * processor traits. It is therefore not advised to use HAVEGE as
  1959. * your applications primary random generator or primary entropy pool
  1960. * input. As a secondary input to your entropy pool, it IS able add
  1961. * the (limited) extra entropy it provides.
  1962. *
  1963. * Module: library/havege.c
  1964. * Caller:
  1965. *
  1966. * Requires: MBEDTLS_TIMING_C
  1967. *
  1968. * Uncomment to enable the HAVEGE random generator.
  1969. */
  1970. //#define MBEDTLS_HAVEGE_C
  1971. /**
  1972. * \def MBEDTLS_HMAC_DRBG_C
  1973. *
  1974. * Enable the HMAC_DRBG random generator.
  1975. *
  1976. * Module: library/hmac_drbg.c
  1977. * Caller:
  1978. *
  1979. * Requires: MBEDTLS_MD_C
  1980. *
  1981. * Uncomment to enable the HMAC_DRBG random number geerator.
  1982. */
  1983. #define MBEDTLS_HMAC_DRBG_C
  1984. /**
  1985. * \def MBEDTLS_MD_C
  1986. *
  1987. * Enable the generic message digest layer.
  1988. *
  1989. * Module: library/md.c
  1990. * Caller:
  1991. *
  1992. * Uncomment to enable generic message digest wrappers.
  1993. */
  1994. #define MBEDTLS_MD_C
  1995. /**
  1996. * \def MBEDTLS_MD2_C
  1997. *
  1998. * Enable the MD2 hash algorithm.
  1999. *
  2000. * Module: library/md2.c
  2001. * Caller:
  2002. *
  2003. * Uncomment to enable support for (rare) MD2-signed X.509 certs.
  2004. *
  2005. * \warning MD2 is considered a weak message digest and its use constitutes a
  2006. * security risk. If possible, we recommend avoiding dependencies on
  2007. * it, and considering stronger message digests instead.
  2008. *
  2009. */
  2010. //#define MBEDTLS_MD2_C
  2011. /**
  2012. * \def MBEDTLS_MD4_C
  2013. *
  2014. * Enable the MD4 hash algorithm.
  2015. *
  2016. * Module: library/md4.c
  2017. * Caller:
  2018. *
  2019. * Uncomment to enable support for (rare) MD4-signed X.509 certs.
  2020. *
  2021. * \warning MD4 is considered a weak message digest and its use constitutes a
  2022. * security risk. If possible, we recommend avoiding dependencies on
  2023. * it, and considering stronger message digests instead.
  2024. *
  2025. */
  2026. //#define MBEDTLS_MD4_C
  2027. /**
  2028. * \def MBEDTLS_MD5_C
  2029. *
  2030. * Enable the MD5 hash algorithm.
  2031. *
  2032. * Module: library/md5.c
  2033. * Caller: library/md.c
  2034. * library/pem.c
  2035. * library/ssl_tls.c
  2036. *
  2037. * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2
  2038. * depending on the handshake parameters. Further, it is used for checking
  2039. * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded
  2040. * encrypted keys.
  2041. *
  2042. * \warning MD5 is considered a weak message digest and its use constitutes a
  2043. * security risk. If possible, we recommend avoiding dependencies on
  2044. * it, and considering stronger message digests instead.
  2045. *
  2046. */
  2047. //#define MBEDTLS_MD5_C
  2048. /**
  2049. * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
  2050. *
  2051. * Enable the buffer allocator implementation that makes use of a (stack)
  2052. * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
  2053. * calls)
  2054. *
  2055. * Module: library/memory_buffer_alloc.c
  2056. *
  2057. * Requires: MBEDTLS_PLATFORM_C
  2058. * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
  2059. *
  2060. * Enable this module to enable the buffer memory allocator.
  2061. */
  2062. //#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
  2063. /**
  2064. * \def MBEDTLS_NET_C
  2065. *
  2066. * Enable the TCP and UDP over IPv6/IPv4 networking routines.
  2067. *
  2068. * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
  2069. * and Windows. For other platforms, you'll want to disable it, and write your
  2070. * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
  2071. *
  2072. * \note See also our Knowledge Base article about porting to a new
  2073. * environment:
  2074. * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
  2075. *
  2076. * Module: library/net_sockets.c
  2077. *
  2078. * This module provides networking routines.
  2079. */
  2080. #define MBEDTLS_NET_C
  2081. /**
  2082. * \def MBEDTLS_OID_C
  2083. *
  2084. * Enable the OID database.
  2085. *
  2086. * Module: library/oid.c
  2087. * Caller: library/asn1write.c
  2088. * library/pkcs5.c
  2089. * library/pkparse.c
  2090. * library/pkwrite.c
  2091. * library/rsa.c
  2092. * library/x509.c
  2093. * library/x509_create.c
  2094. * library/x509_crl.c
  2095. * library/x509_crt.c
  2096. * library/x509_csr.c
  2097. * library/x509write_crt.c
  2098. * library/x509write_csr.c
  2099. *
  2100. * This modules translates between OIDs and internal values.
  2101. */
  2102. #define MBEDTLS_OID_C
  2103. /**
  2104. * \def MBEDTLS_PADLOCK_C
  2105. *
  2106. * Enable VIA Padlock support on x86.
  2107. *
  2108. * Module: library/padlock.c
  2109. * Caller: library/aes.c
  2110. *
  2111. * Requires: MBEDTLS_HAVE_ASM
  2112. *
  2113. * This modules adds support for the VIA PadLock on x86.
  2114. */
  2115. //#define MBEDTLS_PADLOCK_C
  2116. /**
  2117. * \def MBEDTLS_PEM_PARSE_C
  2118. *
  2119. * Enable PEM decoding / parsing.
  2120. *
  2121. * Module: library/pem.c
  2122. * Caller: library/dhm.c
  2123. * library/pkparse.c
  2124. * library/x509_crl.c
  2125. * library/x509_crt.c
  2126. * library/x509_csr.c
  2127. *
  2128. * Requires: MBEDTLS_BASE64_C
  2129. *
  2130. * This modules adds support for decoding / parsing PEM files.
  2131. */
  2132. #define MBEDTLS_PEM_PARSE_C
  2133. /**
  2134. * \def MBEDTLS_PEM_WRITE_C
  2135. *
  2136. * Enable PEM encoding / writing.
  2137. *
  2138. * Module: library/pem.c
  2139. * Caller: library/pkwrite.c
  2140. * library/x509write_crt.c
  2141. * library/x509write_csr.c
  2142. *
  2143. * Requires: MBEDTLS_BASE64_C
  2144. *
  2145. * This modules adds support for encoding / writing PEM files.
  2146. */
  2147. #define MBEDTLS_PEM_WRITE_C
  2148. /**
  2149. * \def MBEDTLS_PK_C
  2150. *
  2151. * Enable the generic public (asymetric) key layer.
  2152. *
  2153. * Module: library/pk.c
  2154. * Caller: library/ssl_tls.c
  2155. * library/ssl_cli.c
  2156. * library/ssl_srv.c
  2157. *
  2158. * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
  2159. *
  2160. * Uncomment to enable generic public key wrappers.
  2161. */
  2162. #define MBEDTLS_PK_C
  2163. /**
  2164. * \def MBEDTLS_PK_PARSE_C
  2165. *
  2166. * Enable the generic public (asymetric) key parser.
  2167. *
  2168. * Module: library/pkparse.c
  2169. * Caller: library/x509_crt.c
  2170. * library/x509_csr.c
  2171. *
  2172. * Requires: MBEDTLS_PK_C
  2173. *
  2174. * Uncomment to enable generic public key parse functions.
  2175. */
  2176. #define MBEDTLS_PK_PARSE_C
  2177. /**
  2178. * \def MBEDTLS_PK_WRITE_C
  2179. *
  2180. * Enable the generic public (asymetric) key writer.
  2181. *
  2182. * Module: library/pkwrite.c
  2183. * Caller: library/x509write.c
  2184. *
  2185. * Requires: MBEDTLS_PK_C
  2186. *
  2187. * Uncomment to enable generic public key write functions.
  2188. */
  2189. #define MBEDTLS_PK_WRITE_C
  2190. /**
  2191. * \def MBEDTLS_PKCS5_C
  2192. *
  2193. * Enable PKCS#5 functions.
  2194. *
  2195. * Module: library/pkcs5.c
  2196. *
  2197. * Requires: MBEDTLS_MD_C
  2198. *
  2199. * This module adds support for the PKCS#5 functions.
  2200. */
  2201. #define MBEDTLS_PKCS5_C
  2202. /**
  2203. * \def MBEDTLS_PKCS11_C
  2204. *
  2205. * Enable wrapper for PKCS#11 smartcard support.
  2206. *
  2207. * Module: library/pkcs11.c
  2208. * Caller: library/pk.c
  2209. *
  2210. * Requires: MBEDTLS_PK_C
  2211. *
  2212. * This module enables SSL/TLS PKCS #11 smartcard support.
  2213. * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
  2214. */
  2215. //#define MBEDTLS_PKCS11_C
  2216. /**
  2217. * \def MBEDTLS_PKCS12_C
  2218. *
  2219. * Enable PKCS#12 PBE functions.
  2220. * Adds algorithms for parsing PKCS#8 encrypted private keys
  2221. *
  2222. * Module: library/pkcs12.c
  2223. * Caller: library/pkparse.c
  2224. *
  2225. * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C
  2226. * Can use: MBEDTLS_ARC4_C
  2227. *
  2228. * This module enables PKCS#12 functions.
  2229. */
  2230. #define MBEDTLS_PKCS12_C
  2231. /**
  2232. * \def MBEDTLS_PLATFORM_C
  2233. *
  2234. * Enable the platform abstraction layer that allows you to re-assign
  2235. * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
  2236. *
  2237. * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
  2238. * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
  2239. * above to be specified at runtime or compile time respectively.
  2240. *
  2241. * \note This abstraction layer must be enabled on Windows (including MSYS2)
  2242. * as other module rely on it for a fixed snprintf implementation.
  2243. *
  2244. * Module: library/platform.c
  2245. * Caller: Most other .c files
  2246. *
  2247. * This module enables abstraction of common (libc) functions.
  2248. */
  2249. #define MBEDTLS_PLATFORM_C
  2250. /**
  2251. * \def MBEDTLS_RIPEMD160_C
  2252. *
  2253. * Enable the RIPEMD-160 hash algorithm.
  2254. *
  2255. * Module: library/ripemd160.c
  2256. * Caller: library/md.c
  2257. *
  2258. */
  2259. //#define MBEDTLS_RIPEMD160_C
  2260. /**
  2261. * \def MBEDTLS_RSA_C
  2262. *
  2263. * Enable the RSA public-key cryptosystem.
  2264. *
  2265. * Module: library/rsa.c
  2266. * library/rsa_internal.c
  2267. * Caller: library/ssl_cli.c
  2268. * library/ssl_srv.c
  2269. * library/ssl_tls.c
  2270. * library/x509.c
  2271. *
  2272. * This module is used by the following key exchanges:
  2273. * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
  2274. *
  2275. * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
  2276. */
  2277. //#define MBEDTLS_RSA_C
  2278. /**
  2279. * \def MBEDTLS_SHA1_C
  2280. *
  2281. * Enable the SHA1 cryptographic hash algorithm.
  2282. *
  2283. * Module: library/sha1.c
  2284. * Caller: library/md.c
  2285. * library/ssl_cli.c
  2286. * library/ssl_srv.c
  2287. * library/ssl_tls.c
  2288. * library/x509write_crt.c
  2289. *
  2290. * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
  2291. * depending on the handshake parameters, and for SHA1-signed certificates.
  2292. *
  2293. * \warning SHA-1 is considered a weak message digest and its use constitutes
  2294. * a security risk. If possible, we recommend avoiding dependencies
  2295. * on it, and considering stronger message digests instead.
  2296. *
  2297. */
  2298. //#define MBEDTLS_SHA1_C
  2299. /**
  2300. * \def MBEDTLS_SHA256_C
  2301. *
  2302. * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
  2303. *
  2304. * Module: library/sha256.c
  2305. * Caller: library/entropy.c
  2306. * library/md.c
  2307. * library/ssl_cli.c
  2308. * library/ssl_srv.c
  2309. * library/ssl_tls.c
  2310. *
  2311. * This module adds support for SHA-224 and SHA-256.
  2312. * This module is required for the SSL/TLS 1.2 PRF function.
  2313. */
  2314. #define MBEDTLS_SHA256_C
  2315. /**
  2316. * \def MBEDTLS_SHA512_C
  2317. *
  2318. * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
  2319. *
  2320. * Module: library/sha512.c
  2321. * Caller: library/entropy.c
  2322. * library/md.c
  2323. * library/ssl_cli.c
  2324. * library/ssl_srv.c
  2325. *
  2326. * This module adds support for SHA-384 and SHA-512.
  2327. */
  2328. #define MBEDTLS_SHA512_C
  2329. /**
  2330. * \def MBEDTLS_SSL_CACHE_C
  2331. *
  2332. * Enable simple SSL cache implementation.
  2333. *
  2334. * Module: library/ssl_cache.c
  2335. * Caller:
  2336. *
  2337. * Requires: MBEDTLS_SSL_CACHE_C
  2338. */
  2339. #define MBEDTLS_SSL_CACHE_C
  2340. /**
  2341. * \def MBEDTLS_SSL_COOKIE_C
  2342. *
  2343. * Enable basic implementation of DTLS cookies for hello verification.
  2344. *
  2345. * Module: library/ssl_cookie.c
  2346. * Caller:
  2347. */
  2348. #define MBEDTLS_SSL_COOKIE_C
  2349. /**
  2350. * \def MBEDTLS_SSL_TICKET_C
  2351. *
  2352. * Enable an implementation of TLS server-side callbacks for session tickets.
  2353. *
  2354. * Module: library/ssl_ticket.c
  2355. * Caller:
  2356. *
  2357. * Requires: MBEDTLS_CIPHER_C
  2358. */
  2359. #define MBEDTLS_SSL_TICKET_C
  2360. /**
  2361. * \def MBEDTLS_SSL_CLI_C
  2362. *
  2363. * Enable the SSL/TLS client code.
  2364. *
  2365. * Module: library/ssl_cli.c
  2366. * Caller:
  2367. *
  2368. * Requires: MBEDTLS_SSL_TLS_C
  2369. *
  2370. * This module is required for SSL/TLS client support.
  2371. */
  2372. #define MBEDTLS_SSL_CLI_C
  2373. /**
  2374. * \def MBEDTLS_SSL_SRV_C
  2375. *
  2376. * Enable the SSL/TLS server code.
  2377. *
  2378. * Module: library/ssl_srv.c
  2379. * Caller:
  2380. *
  2381. * Requires: MBEDTLS_SSL_TLS_C
  2382. *
  2383. * This module is required for SSL/TLS server support.
  2384. */
  2385. //#define MBEDTLS_SSL_SRV_C
  2386. /**
  2387. * \def MBEDTLS_SSL_TLS_C
  2388. *
  2389. * Enable the generic SSL/TLS code.
  2390. *
  2391. * Module: library/ssl_tls.c
  2392. * Caller: library/ssl_cli.c
  2393. * library/ssl_srv.c
  2394. *
  2395. * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
  2396. * and at least one of the MBEDTLS_SSL_PROTO_XXX defines
  2397. *
  2398. * This module is required for SSL/TLS.
  2399. */
  2400. #define MBEDTLS_SSL_TLS_C
  2401. /**
  2402. * \def MBEDTLS_THREADING_C
  2403. *
  2404. * Enable the threading abstraction layer.
  2405. * By default mbed TLS assumes it is used in a non-threaded environment or that
  2406. * contexts are not shared between threads. If you do intend to use contexts
  2407. * between threads, you will need to enable this layer to prevent race
  2408. * conditions. See also our Knowledge Base article about threading:
  2409. * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
  2410. *
  2411. * Module: library/threading.c
  2412. *
  2413. * This allows different threading implementations (self-implemented or
  2414. * provided).
  2415. *
  2416. * You will have to enable either MBEDTLS_THREADING_ALT or
  2417. * MBEDTLS_THREADING_PTHREAD.
  2418. *
  2419. * Enable this layer to allow use of mutexes within mbed TLS
  2420. */
  2421. //#define MBEDTLS_THREADING_C
  2422. /**
  2423. * \def MBEDTLS_TIMING_C
  2424. *
  2425. * Enable the semi-portable timing interface.
  2426. *
  2427. * \note The provided implementation only works on POSIX/Unix (including Linux,
  2428. * BSD and OS X) and Windows. On other platforms, you can either disable that
  2429. * module and provide your own implementations of the callbacks needed by
  2430. * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
  2431. * your own implementation of the whole module by setting
  2432. * \c MBEDTLS_TIMING_ALT in the current file.
  2433. *
  2434. * \note See also our Knowledge Base article about porting to a new
  2435. * environment:
  2436. * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
  2437. *
  2438. * Module: library/timing.c
  2439. * Caller: library/havege.c
  2440. *
  2441. * This module is used by the HAVEGE random number generator.
  2442. */
  2443. #define MBEDTLS_TIMING_C
  2444. /**
  2445. * \def MBEDTLS_VERSION_C
  2446. *
  2447. * Enable run-time version information.
  2448. *
  2449. * Module: library/version.c
  2450. *
  2451. * This module provides run-time version information.
  2452. */
  2453. #define MBEDTLS_VERSION_C
  2454. /**
  2455. * \def MBEDTLS_X509_USE_C
  2456. *
  2457. * Enable X.509 core for using certificates.
  2458. *
  2459. * Module: library/x509.c
  2460. * Caller: library/x509_crl.c
  2461. * library/x509_crt.c
  2462. * library/x509_csr.c
  2463. *
  2464. * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
  2465. * MBEDTLS_PK_PARSE_C
  2466. *
  2467. * This module is required for the X.509 parsing modules.
  2468. */
  2469. #define MBEDTLS_X509_USE_C
  2470. /**
  2471. * \def MBEDTLS_X509_CRT_PARSE_C
  2472. *
  2473. * Enable X.509 certificate parsing.
  2474. *
  2475. * Module: library/x509_crt.c
  2476. * Caller: library/ssl_cli.c
  2477. * library/ssl_srv.c
  2478. * library/ssl_tls.c
  2479. *
  2480. * Requires: MBEDTLS_X509_USE_C
  2481. *
  2482. * This module is required for X.509 certificate parsing.
  2483. */
  2484. #define MBEDTLS_X509_CRT_PARSE_C
  2485. /**
  2486. * \def MBEDTLS_X509_CRL_PARSE_C
  2487. *
  2488. * Enable X.509 CRL parsing.
  2489. *
  2490. * Module: library/x509_crl.c
  2491. * Caller: library/x509_crt.c
  2492. *
  2493. * Requires: MBEDTLS_X509_USE_C
  2494. *
  2495. * This module is required for X.509 CRL parsing.
  2496. */
  2497. #define MBEDTLS_X509_CRL_PARSE_C
  2498. /**
  2499. * \def MBEDTLS_X509_CSR_PARSE_C
  2500. *
  2501. * Enable X.509 Certificate Signing Request (CSR) parsing.
  2502. *
  2503. * Module: library/x509_csr.c
  2504. * Caller: library/x509_crt_write.c
  2505. *
  2506. * Requires: MBEDTLS_X509_USE_C
  2507. *
  2508. * This module is used for reading X.509 certificate request.
  2509. */
  2510. #define MBEDTLS_X509_CSR_PARSE_C
  2511. /**
  2512. * \def MBEDTLS_X509_CREATE_C
  2513. *
  2514. * Enable X.509 core for creating certificates.
  2515. *
  2516. * Module: library/x509_create.c
  2517. *
  2518. * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
  2519. *
  2520. * This module is the basis for creating X.509 certificates and CSRs.
  2521. */
  2522. //#define MBEDTLS_X509_CREATE_C
  2523. /**
  2524. * \def MBEDTLS_X509_CRT_WRITE_C
  2525. *
  2526. * Enable creating X.509 certificates.
  2527. *
  2528. * Module: library/x509_crt_write.c
  2529. *
  2530. * Requires: MBEDTLS_X509_CREATE_C
  2531. *
  2532. * This module is required for X.509 certificate creation.
  2533. */
  2534. //#define MBEDTLS_X509_CRT_WRITE_C
  2535. /**
  2536. * \def MBEDTLS_X509_CSR_WRITE_C
  2537. *
  2538. * Enable creating X.509 Certificate Signing Requests (CSR).
  2539. *
  2540. * Module: library/x509_csr_write.c
  2541. *
  2542. * Requires: MBEDTLS_X509_CREATE_C
  2543. *
  2544. * This module is required for X.509 certificate request writing.
  2545. */
  2546. //#define MBEDTLS_X509_CSR_WRITE_C
  2547. /**
  2548. * \def MBEDTLS_XTEA_C
  2549. *
  2550. * Enable the XTEA block cipher.
  2551. *
  2552. * Module: library/xtea.c
  2553. * Caller:
  2554. */
  2555. //#define MBEDTLS_XTEA_C
  2556. /* \} name SECTION: mbed TLS modules */
  2557. /**
  2558. * \name SECTION: Module configuration options
  2559. *
  2560. * This section allows for the setting of module specific sizes and
  2561. * configuration options. The default values are already present in the
  2562. * relevant header files and should suffice for the regular use cases.
  2563. *
  2564. * Our advice is to enable options and change their values here
  2565. * only if you have a good reason and know the consequences.
  2566. *
  2567. * Please check the respective header file for documentation on these
  2568. * parameters (to prevent duplicate documentation).
  2569. * \{
  2570. */
  2571. /* MPI / BIGNUM options */
  2572. //#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */
  2573. //#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */
  2574. /* CTR_DRBG options */
  2575. //#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
  2576. //#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
  2577. //#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
  2578. //#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
  2579. //#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
  2580. /* HMAC_DRBG options */
  2581. //#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
  2582. //#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
  2583. //#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
  2584. //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
  2585. /* ECP options */
  2586. //#define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */
  2587. //#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */
  2588. //#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */
  2589. /* Entropy options */
  2590. //#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
  2591. //#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
  2592. //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
  2593. /* Memory buffer allocator options */
  2594. //#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */
  2595. /* Platform options */
  2596. //#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
  2597. //#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */
  2598. //#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */
  2599. //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */
  2600. //#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
  2601. //#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
  2602. //#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
  2603. /* Note: your snprintf must correclty zero-terminate the buffer! */
  2604. //#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
  2605. //#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
  2606. //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
  2607. //#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
  2608. //#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
  2609. //#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */
  2610. /* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */
  2611. /* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
  2612. //#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */
  2613. //#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */
  2614. //#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */
  2615. //#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
  2616. //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
  2617. //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
  2618. //#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
  2619. /* Note: your snprintf must correclty zero-terminate the buffer! */
  2620. //#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
  2621. //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
  2622. //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
  2623. /* SSL Cache options */
  2624. //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
  2625. //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
  2626. /* SSL options */
  2627. //#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
  2628. //#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
  2629. //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
  2630. //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
  2631. /**
  2632. * Complete list of ciphersuites to use, in order of preference.
  2633. *
  2634. * \warning No dependency checking is done on that field! This option can only
  2635. * be used to restrict the set of available ciphersuites. It is your
  2636. * responsibility to make sure the needed modules are active.
  2637. *
  2638. * Use this to save a few hundred bytes of ROM (default ordering of all
  2639. * available ciphersuites) and a few to a few hundred bytes of RAM.
  2640. *
  2641. * The value below is only an example, not the default.
  2642. */
  2643. //#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  2644. /* X509 options */
  2645. //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
  2646. //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
  2647. /**
  2648. * Allow SHA-1 in the default TLS configuration for certificate signing.
  2649. * Without this build-time option, SHA-1 support must be activated explicitly
  2650. * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
  2651. * recommended because of it is possible to generate SHA-1 collisions, however
  2652. * this may be safe for legacy infrastructure where additional controls apply.
  2653. *
  2654. * \warning SHA-1 is considered a weak message digest and its use constitutes
  2655. * a security risk. If possible, we recommend avoiding dependencies
  2656. * on it, and considering stronger message digests instead.
  2657. *
  2658. */
  2659. // #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
  2660. /**
  2661. * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
  2662. * signature and ciphersuite selection. Without this build-time option, SHA-1
  2663. * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
  2664. * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
  2665. * default. At the time of writing, there is no practical attack on the use
  2666. * of SHA-1 in handshake signatures, hence this option is turned on by default
  2667. * to preserve compatibility with existing peers, but the general
  2668. * warning applies nonetheless:
  2669. *
  2670. * \warning SHA-1 is considered a weak message digest and its use constitutes
  2671. * a security risk. If possible, we recommend avoiding dependencies
  2672. * on it, and considering stronger message digests instead.
  2673. *
  2674. */
  2675. //#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
  2676. /* \} name SECTION: Customisation configuration options */
  2677. /* Target and application specific configurations */
  2678. //#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h"
  2679. #if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
  2680. #include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
  2681. #endif
  2682. /*
  2683. * Allow user to override any previous default.
  2684. *
  2685. * Use two macro names for that, as:
  2686. * - with yotta the prefix YOTTA_CFG_ is forced
  2687. * - without yotta is looks weird to have a YOTTA prefix.
  2688. */
  2689. #if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
  2690. #include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
  2691. #elif defined(MBEDTLS_USER_CONFIG_FILE)
  2692. #include MBEDTLS_USER_CONFIG_FILE
  2693. #endif
  2694. #include "check_config.h"
  2695. #endif /* MBEDTLS_CONFIG_H */