Embed:
(wiki syntax)
Show/hide line numbers
config.h
00001 /** 00002 * \file config.h 00003 * 00004 * \brief Configuration options (set of defines) 00005 * 00006 * This set of compile-time options may be used to enable 00007 * or disable features selectively, and reduce the global 00008 * memory footprint. 00009 */ 00010 /* 00011 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00012 * SPDX-License-Identifier: Apache-2.0 00013 * 00014 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00015 * not use this file except in compliance with the License. 00016 * You may obtain a copy of the License at 00017 * 00018 * http://www.apache.org/licenses/LICENSE-2.0 00019 * 00020 * Unless required by applicable law or agreed to in writing, software 00021 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00022 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00023 * See the License for the specific language governing permissions and 00024 * limitations under the License. 00025 * 00026 * This file is part of mbed TLS (https://tls.mbed.org) 00027 */ 00028 00029 #ifndef MBEDTLS_CONFIG_H 00030 00031 #include "platform/inc/platform_mbed.h" 00032 00033 /* 00034 * Only use features that do not require an entropy source when 00035 * DEVICE_ENTROPY_SOURCE is not defined in mbed OS. 00036 */ 00037 #if !defined(MBEDTLS_ENTROPY_HARDWARE_ALT) && !defined(MBEDTLS_TEST_NULL_ENTROPY) 00038 #include "mbedtls/config-no-entropy.h" 00039 00040 #if defined(MBEDTLS_USER_CONFIG_FILE) 00041 #include MBEDTLS_USER_CONFIG_FILE 00042 #endif 00043 00044 #else 00045 #define MBEDTLS_CONFIG_H 00046 00047 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) 00048 #define _CRT_SECURE_NO_DEPRECATE 1 00049 #endif 00050 00051 /** 00052 * \name SECTION: System support 00053 * 00054 * This section sets system specific settings. 00055 * \{ 00056 */ 00057 00058 /** 00059 * \def MBEDTLS_HAVE_ASM 00060 * 00061 * The compiler has support for asm(). 00062 * 00063 * Requires support for asm() in compiler. 00064 * 00065 * Used in: 00066 * library/timing.c 00067 * library/padlock.c 00068 * include/mbedtls/bn_mul.h 00069 * 00070 * Comment to disable the use of assembly code. 00071 */ 00072 #define MBEDTLS_HAVE_ASM 00073 00074 /** 00075 * \def MBEDTLS_NO_UDBL_DIVISION 00076 * 00077 * The platform lacks support for double-width integer division (64-bit 00078 * division on a 32-bit platform, 128-bit division on a 64-bit platform). 00079 * 00080 * Used in: 00081 * include/mbedtls/bignum.h 00082 * library/bignum.c 00083 * 00084 * The bignum code uses double-width division to speed up some operations. 00085 * Double-width division is often implemented in software that needs to 00086 * be linked with the program. The presence of a double-width integer 00087 * type is usually detected automatically through preprocessor macros, 00088 * but the automatic detection cannot know whether the code needs to 00089 * and can be linked with an implementation of division for that type. 00090 * By default division is assumed to be usable if the type is present. 00091 * Uncomment this option to prevent the use of double-width division. 00092 * 00093 * Note that division for the native integer type is always required. 00094 * Furthermore, a 64-bit type is always required even on a 32-bit 00095 * platform, but it need not support multiplication or division. In some 00096 * cases it is also desirable to disable some double-width operations. For 00097 * example, if double-width division is implemented in software, disabling 00098 * it can reduce code size in some embedded targets. 00099 */ 00100 //#define MBEDTLS_NO_UDBL_DIVISION 00101 00102 /** 00103 * \def MBEDTLS_HAVE_SSE2 00104 * 00105 * CPU supports SSE2 instruction set. 00106 * 00107 * Uncomment if the CPU supports SSE2 (IA-32 specific). 00108 */ 00109 //#define MBEDTLS_HAVE_SSE2 00110 00111 /** 00112 * \def MBEDTLS_HAVE_TIME 00113 * 00114 * System has time.h and time(). 00115 * The time does not need to be correct, only time differences are used, 00116 * by contrast with MBEDTLS_HAVE_TIME_DATE 00117 * 00118 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, 00119 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and 00120 * MBEDTLS_PLATFORM_STD_TIME. 00121 * 00122 * Comment if your system does not support time functions 00123 */ 00124 #define MBEDTLS_HAVE_TIME 00125 00126 /** 00127 * \def MBEDTLS_HAVE_TIME_DATE 00128 * 00129 * System has time.h and time(), gmtime() and the clock is correct. 00130 * The time needs to be correct (not necesarily very accurate, but at least 00131 * the date should be correct). This is used to verify the validity period of 00132 * X.509 certificates. 00133 * 00134 * Comment if your system does not have a correct clock. 00135 */ 00136 //#define MBEDTLS_HAVE_TIME_DATE 00137 00138 /** 00139 * \def MBEDTLS_PLATFORM_MEMORY 00140 * 00141 * Enable the memory allocation layer. 00142 * 00143 * By default mbed TLS uses the system-provided calloc() and free(). 00144 * This allows different allocators (self-implemented or provided) to be 00145 * provided to the platform abstraction layer. 00146 * 00147 * Enabling MBEDTLS_PLATFORM_MEMORY without the 00148 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 00149 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 00150 * free() function pointer at runtime. 00151 * 00152 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 00153 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 00154 * alternate function at compile time. 00155 * 00156 * Requires: MBEDTLS_PLATFORM_C 00157 * 00158 * Enable this layer to allow use of alternative memory allocators. 00159 */ 00160 //#define MBEDTLS_PLATFORM_MEMORY 00161 00162 /** 00163 * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 00164 * 00165 * Do not assign standard functions in the platform layer (e.g. calloc() to 00166 * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF) 00167 * 00168 * This makes sure there are no linking errors on platforms that do not support 00169 * these functions. You will HAVE to provide alternatives, either at runtime 00170 * via the platform_set_xxx() functions or at compile time by setting 00171 * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a 00172 * MBEDTLS_PLATFORM_XXX_MACRO. 00173 * 00174 * Requires: MBEDTLS_PLATFORM_C 00175 * 00176 * Uncomment to prevent default assignment of standard functions in the 00177 * platform layer. 00178 */ 00179 //#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 00180 00181 /** 00182 * \def MBEDTLS_PLATFORM_EXIT_ALT 00183 * 00184 * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the 00185 * function in the platform abstraction layer. 00186 * 00187 * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will 00188 * provide a function "mbedtls_platform_set_printf()" that allows you to set an 00189 * alternative printf function pointer. 00190 * 00191 * All these define require MBEDTLS_PLATFORM_C to be defined! 00192 * 00193 * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows; 00194 * it will be enabled automatically by check_config.h 00195 * 00196 * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as 00197 * MBEDTLS_PLATFORM_XXX_MACRO! 00198 * 00199 * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME 00200 * 00201 * Uncomment a macro to enable alternate implementation of specific base 00202 * platform function 00203 */ 00204 //#define MBEDTLS_PLATFORM_EXIT_ALT 00205 //#define MBEDTLS_PLATFORM_TIME_ALT 00206 //#define MBEDTLS_PLATFORM_FPRINTF_ALT 00207 //#define MBEDTLS_PLATFORM_PRINTF_ALT 00208 //#define MBEDTLS_PLATFORM_SNPRINTF_ALT 00209 //#define MBEDTLS_PLATFORM_NV_SEED_ALT 00210 //#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT 00211 00212 /** 00213 * \def MBEDTLS_DEPRECATED_WARNING 00214 * 00215 * Mark deprecated functions so that they generate a warning if used. 00216 * Functions deprecated in one version will usually be removed in the next 00217 * version. You can enable this to help you prepare the transition to a new 00218 * major version by making sure your code is not using these functions. 00219 * 00220 * This only works with GCC and Clang. With other compilers, you may want to 00221 * use MBEDTLS_DEPRECATED_REMOVED 00222 * 00223 * Uncomment to get warnings on using deprecated functions. 00224 */ 00225 //#define MBEDTLS_DEPRECATED_WARNING 00226 00227 /** 00228 * \def MBEDTLS_DEPRECATED_REMOVED 00229 * 00230 * Remove deprecated functions so that they generate an error if used. 00231 * Functions deprecated in one version will usually be removed in the next 00232 * version. You can enable this to help you prepare the transition to a new 00233 * major version by making sure your code is not using these functions. 00234 * 00235 * Uncomment to get errors on using deprecated functions. 00236 */ 00237 //#define MBEDTLS_DEPRECATED_REMOVED 00238 00239 /* \} name SECTION: System support */ 00240 00241 /** 00242 * \name SECTION: mbed TLS feature support 00243 * 00244 * This section sets support for features that are or are not needed 00245 * within the modules that are enabled. 00246 * \{ 00247 */ 00248 00249 /** 00250 * \def MBEDTLS_TIMING_ALT 00251 * 00252 * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(), 00253 * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay() 00254 * 00255 * Only works if you have MBEDTLS_TIMING_C enabled. 00256 * 00257 * You will need to provide a header "timing_alt.h" and an implementation at 00258 * compile time. 00259 */ 00260 //#define MBEDTLS_TIMING_ALT 00261 00262 /** 00263 * \def MBEDTLS_AES_ALT 00264 * 00265 * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your 00266 * alternate core implementation of a symmetric crypto, an arithmetic or hash 00267 * module (e.g. platform specific assembly optimized implementations). Keep 00268 * in mind that the function prototypes should remain the same. 00269 * 00270 * This replaces the whole module. If you only want to replace one of the 00271 * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags. 00272 * 00273 * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer 00274 * provide the "struct mbedtls_aes_context" definition and omit the base 00275 * function declarations and implementations. "aes_alt.h" will be included from 00276 * "aes.h" to include the new function definitions. 00277 * 00278 * Uncomment a macro to enable alternate implementation of the corresponding 00279 * module. 00280 * 00281 * \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their 00282 * use constitutes a security risk. If possible, we recommend 00283 * avoiding dependencies on them, and considering stronger message 00284 * digests and ciphers instead. 00285 * 00286 */ 00287 //#define MBEDTLS_AES_ALT 00288 //#define MBEDTLS_ARC4_ALT 00289 //#define MBEDTLS_BLOWFISH_ALT 00290 //#define MBEDTLS_CAMELLIA_ALT 00291 //#define MBEDTLS_CCM_ALT 00292 //#define MBEDTLS_CMAC_ALT 00293 //#define MBEDTLS_DES_ALT 00294 //#define MBEDTLS_DHM_ALT 00295 //#define MBEDTLS_ECJPAKE_ALT 00296 //#define MBEDTLS_GCM_ALT 00297 //#define MBEDTLS_MD2_ALT 00298 //#define MBEDTLS_MD4_ALT 00299 //#define MBEDTLS_MD5_ALT 00300 //#define MBEDTLS_RIPEMD160_ALT 00301 //#define MBEDTLS_RSA_ALT 00302 //#define MBEDTLS_SHA1_ALT 00303 //#define MBEDTLS_SHA256_ALT 00304 //#define MBEDTLS_SHA512_ALT 00305 //#define MBEDTLS_XTEA_ALT 00306 /* 00307 * When replacing the elliptic curve module, pleace consider, that it is 00308 * implemented with two .c files: 00309 * - ecp.c 00310 * - ecp_curves.c 00311 * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT 00312 * macros as described above. The only difference is that you have to make sure 00313 * that you provide functionality for both .c files. 00314 */ 00315 //#define MBEDTLS_ECP_ALT 00316 00317 /** 00318 * \def MBEDTLS_MD2_PROCESS_ALT 00319 * 00320 * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you 00321 * alternate core implementation of symmetric crypto or hash function. Keep in 00322 * mind that function prototypes should remain the same. 00323 * 00324 * This replaces only one function. The header file from mbed TLS is still 00325 * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags. 00326 * 00327 * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will 00328 * no longer provide the mbedtls_sha1_process() function, but it will still provide 00329 * the other function (using your mbedtls_sha1_process() function) and the definition 00330 * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible 00331 * with this definition. 00332 * 00333 * \note Because of a signature change, the core AES encryption and decryption routines are 00334 * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt, 00335 * respectively. When setting up alternative implementations, these functions should 00336 * be overriden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt 00337 * must stay untouched. 00338 * 00339 * \note If you use the AES_xxx_ALT macros, then is is recommended to also set 00340 * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES 00341 * tables. 00342 * 00343 * Uncomment a macro to enable alternate implementation of the corresponding 00344 * function. 00345 * 00346 * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use 00347 * constitutes a security risk. If possible, we recommend avoiding 00348 * dependencies on them, and considering stronger message digests 00349 * and ciphers instead. 00350 * 00351 */ 00352 //#define MBEDTLS_MD2_PROCESS_ALT 00353 //#define MBEDTLS_MD4_PROCESS_ALT 00354 //#define MBEDTLS_MD5_PROCESS_ALT 00355 //#define MBEDTLS_RIPEMD160_PROCESS_ALT 00356 //#define MBEDTLS_SHA1_PROCESS_ALT 00357 //#define MBEDTLS_SHA256_PROCESS_ALT 00358 //#define MBEDTLS_SHA512_PROCESS_ALT 00359 //#define MBEDTLS_DES_SETKEY_ALT 00360 //#define MBEDTLS_DES_CRYPT_ECB_ALT 00361 //#define MBEDTLS_DES3_CRYPT_ECB_ALT 00362 //#define MBEDTLS_AES_SETKEY_ENC_ALT 00363 //#define MBEDTLS_AES_SETKEY_DEC_ALT 00364 //#define MBEDTLS_AES_ENCRYPT_ALT 00365 //#define MBEDTLS_AES_DECRYPT_ALT 00366 //#define MBEDTLS_ECDH_GEN_PUBLIC_ALT 00367 //#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT 00368 //#define MBEDTLS_ECDSA_VERIFY_ALT 00369 //#define MBEDTLS_ECDSA_SIGN_ALT 00370 //#define MBEDTLS_ECDSA_GENKEY_ALT 00371 00372 /** 00373 * \def MBEDTLS_ECP_INTERNAL_ALT 00374 * 00375 * Expose a part of the internal interface of the Elliptic Curve Point module. 00376 * 00377 * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your 00378 * alternative core implementation of elliptic curve arithmetic. Keep in mind 00379 * that function prototypes should remain the same. 00380 * 00381 * This partially replaces one function. The header file from mbed TLS is still 00382 * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation 00383 * is still present and it is used for group structures not supported by the 00384 * alternative. 00385 * 00386 * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT 00387 * and implementing the following functions: 00388 * unsigned char mbedtls_internal_ecp_grp_capable( 00389 * const mbedtls_ecp_group *grp ) 00390 * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ) 00391 * void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp ) 00392 * The mbedtls_internal_ecp_grp_capable function should return 1 if the 00393 * replacement functions implement arithmetic for the given group and 0 00394 * otherwise. 00395 * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are 00396 * called before and after each point operation and provide an opportunity to 00397 * implement optimized set up and tear down instructions. 00398 * 00399 * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and 00400 * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac 00401 * function, but will use your mbedtls_internal_ecp_double_jac if the group is 00402 * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when 00403 * receives it as an argument). If the group is not supported then the original 00404 * implementation is used. The other functions and the definition of 00405 * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your 00406 * implementation of mbedtls_internal_ecp_double_jac and 00407 * mbedtls_internal_ecp_grp_capable must be compatible with this definition. 00408 * 00409 * Uncomment a macro to enable alternate implementation of the corresponding 00410 * function. 00411 */ 00412 /* Required for all the functions in this section */ 00413 //#define MBEDTLS_ECP_INTERNAL_ALT 00414 /* Support for Weierstrass curves with Jacobi representation */ 00415 //#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT 00416 //#define MBEDTLS_ECP_ADD_MIXED_ALT 00417 //#define MBEDTLS_ECP_DOUBLE_JAC_ALT 00418 //#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT 00419 //#define MBEDTLS_ECP_NORMALIZE_JAC_ALT 00420 /* Support for curves with Montgomery arithmetic */ 00421 //#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT 00422 //#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT 00423 //#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT 00424 00425 /** 00426 * \def MBEDTLS_TEST_NULL_ENTROPY 00427 * 00428 * Enables testing and use of mbed TLS without any configured entropy sources. 00429 * This permits use of the library on platforms before an entropy source has 00430 * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the 00431 * MBEDTLS_ENTROPY_NV_SEED switches). 00432 * 00433 * WARNING! This switch MUST be disabled in production builds, and is suitable 00434 * only for development. 00435 * Enabling the switch negates any security provided by the library. 00436 * 00437 * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 00438 * 00439 */ 00440 //#define MBEDTLS_TEST_NULL_ENTROPY 00441 00442 /** 00443 * \def MBEDTLS_ENTROPY_HARDWARE_ALT 00444 * 00445 * Uncomment this macro to let mbed TLS use your own implementation of a 00446 * hardware entropy collector. 00447 * 00448 * Your function must be called \c mbedtls_hardware_poll(), have the same 00449 * prototype as declared in entropy_poll.h, and accept NULL as first argument. 00450 * 00451 * Uncomment to use your own hardware entropy collector. 00452 */ 00453 //#define MBEDTLS_ENTROPY_HARDWARE_ALT 00454 00455 /** 00456 * \def MBEDTLS_AES_ROM_TABLES 00457 * 00458 * Store the AES tables in ROM. 00459 * 00460 * Uncomment this macro to store the AES tables in ROM. 00461 */ 00462 #define MBEDTLS_AES_ROM_TABLES 00463 00464 /** 00465 * \def MBEDTLS_CAMELLIA_SMALL_MEMORY 00466 * 00467 * Use less ROM for the Camellia implementation (saves about 768 bytes). 00468 * 00469 * Uncomment this macro to use less memory for Camellia. 00470 */ 00471 //#define MBEDTLS_CAMELLIA_SMALL_MEMORY 00472 00473 /** 00474 * \def MBEDTLS_CIPHER_MODE_CBC 00475 * 00476 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. 00477 */ 00478 #define MBEDTLS_CIPHER_MODE_CBC 00479 00480 /** 00481 * \def MBEDTLS_CIPHER_MODE_CFB 00482 * 00483 * Enable Cipher Feedback mode (CFB) for symmetric ciphers. 00484 */ 00485 //#define MBEDTLS_CIPHER_MODE_CFB 00486 00487 /** 00488 * \def MBEDTLS_CIPHER_MODE_CTR 00489 * 00490 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. 00491 */ 00492 //#define MBEDTLS_CIPHER_MODE_CTR 00493 00494 /** 00495 * \def MBEDTLS_CIPHER_NULL_CIPHER 00496 * 00497 * Enable NULL cipher. 00498 * Warning: Only do so when you know what you are doing. This allows for 00499 * encryption or channels without any security! 00500 * 00501 * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable 00502 * the following ciphersuites: 00503 * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA 00504 * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA 00505 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA 00506 * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA 00507 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 00508 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 00509 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA 00510 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384 00511 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256 00512 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA 00513 * MBEDTLS_TLS_RSA_WITH_NULL_SHA256 00514 * MBEDTLS_TLS_RSA_WITH_NULL_SHA 00515 * MBEDTLS_TLS_RSA_WITH_NULL_MD5 00516 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384 00517 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256 00518 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA 00519 * MBEDTLS_TLS_PSK_WITH_NULL_SHA384 00520 * MBEDTLS_TLS_PSK_WITH_NULL_SHA256 00521 * MBEDTLS_TLS_PSK_WITH_NULL_SHA 00522 * 00523 * Uncomment this macro to enable the NULL cipher and ciphersuites 00524 */ 00525 //#define MBEDTLS_CIPHER_NULL_CIPHER 00526 00527 /** 00528 * \def MBEDTLS_CIPHER_PADDING_PKCS7 00529 * 00530 * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for 00531 * specific padding modes in the cipher layer with cipher modes that support 00532 * padding (e.g. CBC) 00533 * 00534 * If you disable all padding modes, only full blocks can be used with CBC. 00535 * 00536 * Enable padding modes in the cipher layer. 00537 */ 00538 #define MBEDTLS_CIPHER_PADDING_PKCS7 00539 //#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS 00540 //#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN 00541 //#define MBEDTLS_CIPHER_PADDING_ZEROS 00542 00543 /** 00544 * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES 00545 * 00546 * Enable weak ciphersuites in SSL / TLS. 00547 * Warning: Only do so when you know what you are doing. This allows for 00548 * channels with virtually no security at all! 00549 * 00550 * This enables the following ciphersuites: 00551 * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA 00552 * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA 00553 * 00554 * Uncomment this macro to enable weak ciphersuites 00555 * 00556 * \warning DES is considered a weak cipher and its use constitutes a 00557 * security risk. We recommend considering stronger ciphers instead. 00558 */ 00559 //#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES 00560 00561 /** 00562 * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES 00563 * 00564 * Remove RC4 ciphersuites by default in SSL / TLS. 00565 * This flag removes the ciphersuites based on RC4 from the default list as 00566 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to 00567 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them 00568 * explicitly. 00569 * 00570 * Uncomment this macro to remove RC4 ciphersuites by default. 00571 */ 00572 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES 00573 00574 /** 00575 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED 00576 * 00577 * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve 00578 * module. By default all supported curves are enabled. 00579 * 00580 * Comment macros to disable the curve and functions for it 00581 */ 00582 //#define MBEDTLS_ECP_DP_SECP192R1_ENABLED 00583 //#define MBEDTLS_ECP_DP_SECP224R1_ENABLED 00584 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED 00585 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED 00586 //#define MBEDTLS_ECP_DP_SECP521R1_ENABLED 00587 //#define MBEDTLS_ECP_DP_SECP192K1_ENABLED 00588 //#define MBEDTLS_ECP_DP_SECP224K1_ENABLED 00589 //#define MBEDTLS_ECP_DP_SECP256K1_ENABLED 00590 //#define MBEDTLS_ECP_DP_BP256R1_ENABLED 00591 //#define MBEDTLS_ECP_DP_BP384R1_ENABLED 00592 //#define MBEDTLS_ECP_DP_BP512R1_ENABLED 00593 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED 00594 00595 /** 00596 * \def MBEDTLS_ECP_NIST_OPTIM 00597 * 00598 * Enable specific 'modulo p' routines for each NIST prime. 00599 * Depending on the prime and architecture, makes operations 4 to 8 times 00600 * faster on the corresponding curve. 00601 * 00602 * Comment this macro to disable NIST curves optimisation. 00603 */ 00604 #define MBEDTLS_ECP_NIST_OPTIM 00605 00606 /** 00607 * \def MBEDTLS_ECDSA_DETERMINISTIC 00608 * 00609 * Enable deterministic ECDSA (RFC 6979). 00610 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing 00611 * may result in a compromise of the long-term signing key. This is avoided by 00612 * the deterministic variant. 00613 * 00614 * Requires: MBEDTLS_HMAC_DRBG_C 00615 * 00616 * Comment this macro to disable deterministic ECDSA. 00617 */ 00618 #define MBEDTLS_ECDSA_DETERMINISTIC 00619 00620 /** 00621 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 00622 * 00623 * Enable the PSK based ciphersuite modes in SSL / TLS. 00624 * 00625 * This enables the following ciphersuites (if other requisites are 00626 * enabled as well): 00627 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 00628 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 00629 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 00630 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 00631 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 00632 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 00633 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 00634 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 00635 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 00636 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 00637 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 00638 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA 00639 */ 00640 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 00641 00642 /** 00643 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 00644 * 00645 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS. 00646 * 00647 * Requires: MBEDTLS_DHM_C 00648 * 00649 * This enables the following ciphersuites (if other requisites are 00650 * enabled as well): 00651 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 00652 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 00653 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 00654 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 00655 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 00656 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 00657 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 00658 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 00659 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 00660 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 00661 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 00662 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA 00663 * 00664 * \warning Using DHE constitutes a security risk as it 00665 * is not possible to validate custom DH parameters. 00666 * If possible, it is recommended users should consider 00667 * preferring other methods of key exchange. 00668 * See dhm.h for more details. 00669 * 00670 */ 00671 //#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 00672 00673 /** 00674 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 00675 * 00676 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. 00677 * 00678 * Requires: MBEDTLS_ECDH_C 00679 * 00680 * This enables the following ciphersuites (if other requisites are 00681 * enabled as well): 00682 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 00683 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 00684 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 00685 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 00686 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 00687 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 00688 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 00689 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 00690 */ 00691 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 00692 00693 /** 00694 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 00695 * 00696 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS. 00697 * 00698 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00699 * MBEDTLS_X509_CRT_PARSE_C 00700 * 00701 * This enables the following ciphersuites (if other requisites are 00702 * enabled as well): 00703 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 00704 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 00705 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 00706 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 00707 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 00708 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 00709 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 00710 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 00711 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 00712 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 00713 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 00714 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA 00715 */ 00716 //#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 00717 00718 /** 00719 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 00720 * 00721 * Enable the RSA-only based ciphersuite modes in SSL / TLS. 00722 * 00723 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00724 * MBEDTLS_X509_CRT_PARSE_C 00725 * 00726 * This enables the following ciphersuites (if other requisites are 00727 * enabled as well): 00728 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 00729 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 00730 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 00731 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 00732 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 00733 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 00734 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 00735 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 00736 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 00737 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 00738 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 00739 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 00740 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 00741 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA 00742 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 00743 */ 00744 //#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 00745 00746 /** 00747 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 00748 * 00749 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS. 00750 * 00751 * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00752 * MBEDTLS_X509_CRT_PARSE_C 00753 * 00754 * This enables the following ciphersuites (if other requisites are 00755 * enabled as well): 00756 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 00757 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 00758 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 00759 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 00760 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 00761 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 00762 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 00763 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 00764 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 00765 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 00766 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 00767 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 00768 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 00769 * 00770 * \warning Using DHE constitutes a security risk as it 00771 * is not possible to validate custom DH parameters. 00772 * If possible, it is recommended users should consider 00773 * preferring other methods of key exchange. 00774 * See dhm.h for more details. 00775 * 00776 */ 00777 //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 00778 00779 /** 00780 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 00781 * 00782 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. 00783 * 00784 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00785 * MBEDTLS_X509_CRT_PARSE_C 00786 * 00787 * This enables the following ciphersuites (if other requisites are 00788 * enabled as well): 00789 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 00790 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 00791 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 00792 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 00793 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 00794 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 00795 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 00796 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 00797 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 00798 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 00799 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 00800 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA 00801 */ 00802 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 00803 00804 /** 00805 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 00806 * 00807 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. 00808 * 00809 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C, 00810 * 00811 * This enables the following ciphersuites (if other requisites are 00812 * enabled as well): 00813 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 00814 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 00815 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 00816 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 00817 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 00818 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 00819 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 00820 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 00821 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 00822 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 00823 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 00824 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 00825 */ 00826 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 00827 00828 /** 00829 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 00830 * 00831 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. 00832 * 00833 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C 00834 * 00835 * This enables the following ciphersuites (if other requisites are 00836 * enabled as well): 00837 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 00838 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 00839 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 00840 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 00841 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 00842 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 00843 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 00844 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 00845 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 00846 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 00847 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 00848 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 00849 */ 00850 //#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 00851 00852 /** 00853 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 00854 * 00855 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. 00856 * 00857 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C 00858 * 00859 * This enables the following ciphersuites (if other requisites are 00860 * enabled as well): 00861 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA 00862 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 00863 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 00864 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 00865 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 00866 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 00867 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 00868 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 00869 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 00870 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 00871 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 00872 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 00873 */ 00874 //#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 00875 00876 /** 00877 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 00878 * 00879 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. 00880 * 00881 * \warning This is currently experimental. EC J-PAKE support is based on the 00882 * Thread v1.0.0 specification; incompatible changes to the specification 00883 * might still happen. For this reason, this is disabled by default. 00884 * 00885 * Requires: MBEDTLS_ECJPAKE_C 00886 * MBEDTLS_SHA256_C 00887 * MBEDTLS_ECP_DP_SECP256R1_ENABLED 00888 * 00889 * This enables the following ciphersuites (if other requisites are 00890 * enabled as well): 00891 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 00892 */ 00893 //#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 00894 00895 /** 00896 * \def MBEDTLS_PK_PARSE_EC_EXTENDED 00897 * 00898 * Enhance support for reading EC keys using variants of SEC1 not allowed by 00899 * RFC 5915 and RFC 5480. 00900 * 00901 * Currently this means parsing the SpecifiedECDomain choice of EC 00902 * parameters (only known groups are supported, not arbitrary domains, to 00903 * avoid validation issues). 00904 * 00905 * Disable if you only need to support RFC 5915 + 5480 key formats. 00906 */ 00907 //#define MBEDTLS_PK_PARSE_EC_EXTENDED 00908 00909 /** 00910 * \def MBEDTLS_ERROR_STRERROR_DUMMY 00911 * 00912 * Enable a dummy error function to make use of mbedtls_strerror() in 00913 * third party libraries easier when MBEDTLS_ERROR_C is disabled 00914 * (no effect when MBEDTLS_ERROR_C is enabled). 00915 * 00916 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're 00917 * not using mbedtls_strerror() or error_strerror() in your application. 00918 * 00919 * Disable if you run into name conflicts and want to really remove the 00920 * mbedtls_strerror() 00921 */ 00922 #define MBEDTLS_ERROR_STRERROR_DUMMY 00923 00924 /** 00925 * \def MBEDTLS_GENPRIME 00926 * 00927 * Enable the prime-number generation code. 00928 * 00929 * Requires: MBEDTLS_BIGNUM_C 00930 */ 00931 //#define MBEDTLS_GENPRIME 00932 00933 /** 00934 * \def MBEDTLS_FS_IO 00935 * 00936 * Enable functions that use the filesystem. 00937 */ 00938 //#define MBEDTLS_FS_IO 00939 00940 /** 00941 * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 00942 * 00943 * Do not add default entropy sources. These are the platform specific, 00944 * mbedtls_timing_hardclock and HAVEGE based poll functions. 00945 * 00946 * This is useful to have more control over the added entropy sources in an 00947 * application. 00948 * 00949 * Uncomment this macro to prevent loading of default entropy functions. 00950 */ 00951 //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 00952 00953 /** 00954 * \def MBEDTLS_NO_PLATFORM_ENTROPY 00955 * 00956 * Do not use built-in platform entropy functions. 00957 * This is useful if your platform does not support 00958 * standards like the /dev/urandom or Windows CryptoAPI. 00959 * 00960 * Uncomment this macro to disable the built-in platform entropy functions. 00961 */ 00962 #define MBEDTLS_NO_PLATFORM_ENTROPY 00963 00964 /** 00965 * \def MBEDTLS_ENTROPY_FORCE_SHA256 00966 * 00967 * Force the entropy accumulator to use a SHA-256 accumulator instead of the 00968 * default SHA-512 based one (if both are available). 00969 * 00970 * Requires: MBEDTLS_SHA256_C 00971 * 00972 * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option 00973 * if you have performance concerns. 00974 * 00975 * This option is only useful if both MBEDTLS_SHA256_C and 00976 * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. 00977 */ 00978 //#define MBEDTLS_ENTROPY_FORCE_SHA256 00979 00980 /** 00981 * \def MBEDTLS_ENTROPY_NV_SEED 00982 * 00983 * Enable the non-volatile (NV) seed file-based entropy source. 00984 * (Also enables the NV seed read/write functions in the platform layer) 00985 * 00986 * This is crucial (if not required) on systems that do not have a 00987 * cryptographic entropy source (in hardware or kernel) available. 00988 * 00989 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C 00990 * 00991 * \note The read/write functions that are used by the entropy source are 00992 * determined in the platform layer, and can be modified at runtime and/or 00993 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. 00994 * 00995 * \note If you use the default implementation functions that read a seedfile 00996 * with regular fopen(), please make sure you make a seedfile with the 00997 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at 00998 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from 00999 * and written to or you will get an entropy source error! The default 01000 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE 01001 * bytes from the file. 01002 * 01003 * \note The entropy collector will write to the seed file before entropy is 01004 * given to an external source, to update it. 01005 */ 01006 //#define MBEDTLS_ENTROPY_NV_SEED 01007 01008 /** 01009 * \def MBEDTLS_MEMORY_DEBUG 01010 * 01011 * Enable debugging of buffer allocator memory issues. Automatically prints 01012 * (to stderr) all (fatal) messages on memory allocation issues. Enables 01013 * function for 'debug output' of allocated memory. 01014 * 01015 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C 01016 * 01017 * Uncomment this macro to let the buffer allocator print out error messages. 01018 */ 01019 //#define MBEDTLS_MEMORY_DEBUG 01020 01021 /** 01022 * \def MBEDTLS_MEMORY_BACKTRACE 01023 * 01024 * Include backtrace information with each allocated block. 01025 * 01026 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C 01027 * GLIBC-compatible backtrace() an backtrace_symbols() support 01028 * 01029 * Uncomment this macro to include backtrace information 01030 */ 01031 //#define MBEDTLS_MEMORY_BACKTRACE 01032 01033 /** 01034 * \def MBEDTLS_PK_RSA_ALT_SUPPORT 01035 * 01036 * Support external private RSA keys (eg from a HSM) in the PK layer. 01037 * 01038 * Comment this macro to disable support for external private RSA keys. 01039 */ 01040 #define MBEDTLS_PK_RSA_ALT_SUPPORT 01041 01042 /** 01043 * \def MBEDTLS_PKCS1_V15 01044 * 01045 * Enable support for PKCS#1 v1.5 encoding. 01046 * 01047 * Requires: MBEDTLS_RSA_C 01048 * 01049 * This enables support for PKCS#1 v1.5 operations. 01050 */ 01051 #define MBEDTLS_PKCS1_V15 01052 01053 /** 01054 * \def MBEDTLS_PKCS1_V21 01055 * 01056 * Enable support for PKCS#1 v2.1 encoding. 01057 * 01058 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C 01059 * 01060 * This enables support for RSAES-OAEP and RSASSA-PSS operations. 01061 */ 01062 #define MBEDTLS_PKCS1_V21 01063 01064 /** 01065 * \def MBEDTLS_RSA_NO_CRT 01066 * 01067 * Do not use the Chinese Remainder Theorem for the RSA private operation. 01068 * 01069 * Uncomment this macro to disable the use of CRT in RSA. 01070 * 01071 */ 01072 //#define MBEDTLS_RSA_NO_CRT 01073 01074 /** 01075 * \def MBEDTLS_SELF_TEST 01076 * 01077 * Enable the checkup functions (*_self_test). 01078 */ 01079 #define MBEDTLS_SELF_TEST 01080 01081 /** 01082 * \def MBEDTLS_SHA256_SMALLER 01083 * 01084 * Enable an implementation of SHA-256 that has lower ROM footprint but also 01085 * lower performance. 01086 * 01087 * The default implementation is meant to be a reasonnable compromise between 01088 * performance and size. This version optimizes more aggressively for size at 01089 * the expense of performance. Eg on Cortex-M4 it reduces the size of 01090 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about 01091 * 30%. 01092 * 01093 * Uncomment to enable the smaller implementation of SHA256. 01094 */ 01095 //#define MBEDTLS_SHA256_SMALLER 01096 01097 /** 01098 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES 01099 * 01100 * Enable sending of alert messages in case of encountered errors as per RFC. 01101 * If you choose not to send the alert messages, mbed TLS can still communicate 01102 * with other servers, only debugging of failures is harder. 01103 * 01104 * The advantage of not sending alert messages, is that no information is given 01105 * about reasons for failures thus preventing adversaries of gaining intel. 01106 * 01107 * Enable sending of all alert messages 01108 */ 01109 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES 01110 01111 /** 01112 * \def MBEDTLS_SSL_DEBUG_ALL 01113 * 01114 * Enable the debug messages in SSL module for all issues. 01115 * Debug messages have been disabled in some places to prevent timing 01116 * attacks due to (unbalanced) debugging function calls. 01117 * 01118 * If you need all error reporting you should enable this during debugging, 01119 * but remove this for production servers that should log as well. 01120 * 01121 * Uncomment this macro to report all debug messages on errors introducing 01122 * a timing side-channel. 01123 * 01124 */ 01125 //#define MBEDTLS_SSL_DEBUG_ALL 01126 01127 /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC 01128 * 01129 * Enable support for Encrypt-then-MAC, RFC 7366. 01130 * 01131 * This allows peers that both support it to use a more robust protection for 01132 * ciphersuites using CBC, providing deep resistance against timing attacks 01133 * on the padding or underlying cipher. 01134 * 01135 * This only affects CBC ciphersuites, and is useless if none is defined. 01136 * 01137 * Requires: MBEDTLS_SSL_PROTO_TLS1 or 01138 * MBEDTLS_SSL_PROTO_TLS1_1 or 01139 * MBEDTLS_SSL_PROTO_TLS1_2 01140 * 01141 * Comment this macro to disable support for Encrypt-then-MAC 01142 */ 01143 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC 01144 01145 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET 01146 * 01147 * Enable support for Extended Master Secret, aka Session Hash 01148 * (draft-ietf-tls-session-hash-02). 01149 * 01150 * This was introduced as "the proper fix" to the Triple Handshake familiy of 01151 * attacks, but it is recommended to always use it (even if you disable 01152 * renegotiation), since it actually fixes a more fundamental issue in the 01153 * original SSL/TLS design, and has implications beyond Triple Handshake. 01154 * 01155 * Requires: MBEDTLS_SSL_PROTO_TLS1 or 01156 * MBEDTLS_SSL_PROTO_TLS1_1 or 01157 * MBEDTLS_SSL_PROTO_TLS1_2 01158 * 01159 * Comment this macro to disable support for Extended Master Secret. 01160 */ 01161 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET 01162 01163 /** 01164 * \def MBEDTLS_SSL_FALLBACK_SCSV 01165 * 01166 * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00). 01167 * 01168 * For servers, it is recommended to always enable this, unless you support 01169 * only one version of TLS, or know for sure that none of your clients 01170 * implements a fallback strategy. 01171 * 01172 * For clients, you only need this if you're using a fallback strategy, which 01173 * is not recommended in the first place, unless you absolutely need it to 01174 * interoperate with buggy (version-intolerant) servers. 01175 * 01176 * Comment this macro to disable support for FALLBACK_SCSV 01177 */ 01178 //#define MBEDTLS_SSL_FALLBACK_SCSV 01179 01180 /** 01181 * \def MBEDTLS_SSL_HW_RECORD_ACCEL 01182 * 01183 * Enable hooking functions in SSL module for hardware acceleration of 01184 * individual records. 01185 * 01186 * Uncomment this macro to enable hooking functions. 01187 */ 01188 //#define MBEDTLS_SSL_HW_RECORD_ACCEL 01189 01190 /** 01191 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING 01192 * 01193 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0. 01194 * 01195 * This is a countermeasure to the BEAST attack, which also minimizes the risk 01196 * of interoperability issues compared to sending 0-length records. 01197 * 01198 * Comment this macro to disable 1/n-1 record splitting. 01199 */ 01200 //#define MBEDTLS_SSL_CBC_RECORD_SPLITTING 01201 01202 /** 01203 * \def MBEDTLS_SSL_RENEGOTIATION 01204 * 01205 * Disable support for TLS renegotiation. 01206 * 01207 * The two main uses of renegotiation are (1) refresh keys on long-lived 01208 * connections and (2) client authentication after the initial handshake. 01209 * If you don't need renegotiation, it's probably better to disable it, since 01210 * it has been associated with security issues in the past and is easy to 01211 * misuse/misunderstand. 01212 * 01213 * Comment this to disable support for renegotiation. 01214 * 01215 * \note Even if this option is disabled, both client and server are aware 01216 * of the Renegotiation Indication Extension (RFC 5746) used to 01217 * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1). 01218 * (See \c mbedtls_ssl_conf_legacy_renegotiation for the 01219 * configuration of this extension). 01220 * 01221 */ 01222 #define MBEDTLS_SSL_RENEGOTIATION 01223 01224 /** 01225 * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO 01226 * 01227 * Enable support for receiving and parsing SSLv2 Client Hello messages for the 01228 * SSL Server module (MBEDTLS_SSL_SRV_C). 01229 * 01230 * Uncomment this macro to enable support for SSLv2 Client Hello messages. 01231 */ 01232 //#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO 01233 01234 /** 01235 * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE 01236 * 01237 * Pick the ciphersuite according to the client's preferences rather than ours 01238 * in the SSL Server module (MBEDTLS_SSL_SRV_C). 01239 * 01240 * Uncomment this macro to respect client's ciphersuite order 01241 */ 01242 //#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE 01243 01244 /** 01245 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 01246 * 01247 * Enable support for RFC 6066 max_fragment_length extension in SSL. 01248 * 01249 * Comment this macro to disable support for the max_fragment_length extension 01250 */ 01251 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 01252 01253 /** 01254 * \def MBEDTLS_SSL_PROTO_SSL3 01255 * 01256 * Enable support for SSL 3.0. 01257 * 01258 * Requires: MBEDTLS_MD5_C 01259 * MBEDTLS_SHA1_C 01260 * 01261 * Comment this macro to disable support for SSL 3.0 01262 */ 01263 //#define MBEDTLS_SSL_PROTO_SSL3 01264 01265 /** 01266 * \def MBEDTLS_SSL_PROTO_TLS1 01267 * 01268 * Enable support for TLS 1.0. 01269 * 01270 * Requires: MBEDTLS_MD5_C 01271 * MBEDTLS_SHA1_C 01272 * 01273 * Comment this macro to disable support for TLS 1.0 01274 */ 01275 //#define MBEDTLS_SSL_PROTO_TLS1 01276 01277 /** 01278 * \def MBEDTLS_SSL_PROTO_TLS1_1 01279 * 01280 * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). 01281 * 01282 * Requires: MBEDTLS_MD5_C 01283 * MBEDTLS_SHA1_C 01284 * 01285 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0 01286 */ 01287 //#define MBEDTLS_SSL_PROTO_TLS1_1 01288 01289 /** 01290 * \def MBEDTLS_SSL_PROTO_TLS1_2 01291 * 01292 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). 01293 * 01294 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C 01295 * (Depends on ciphersuites) 01296 * 01297 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 01298 */ 01299 #define MBEDTLS_SSL_PROTO_TLS1_2 01300 01301 /** 01302 * \def MBEDTLS_SSL_PROTO_DTLS 01303 * 01304 * Enable support for DTLS (all available versions). 01305 * 01306 * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, 01307 * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. 01308 * 01309 * Requires: MBEDTLS_SSL_PROTO_TLS1_1 01310 * or MBEDTLS_SSL_PROTO_TLS1_2 01311 * 01312 * Comment this macro to disable support for DTLS 01313 */ 01314 #define MBEDTLS_SSL_PROTO_DTLS 01315 01316 /** 01317 * \def MBEDTLS_SSL_ALPN 01318 * 01319 * Enable support for RFC 7301 Application Layer Protocol Negotiation. 01320 * 01321 * Comment this macro to disable support for ALPN. 01322 */ 01323 #define MBEDTLS_SSL_ALPN 01324 01325 /** 01326 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY 01327 * 01328 * Enable support for the anti-replay mechanism in DTLS. 01329 * 01330 * Requires: MBEDTLS_SSL_TLS_C 01331 * MBEDTLS_SSL_PROTO_DTLS 01332 * 01333 * \warning Disabling this is often a security risk! 01334 * See mbedtls_ssl_conf_dtls_anti_replay() for details. 01335 * 01336 * Comment this to disable anti-replay in DTLS. 01337 */ 01338 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY 01339 01340 /** 01341 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY 01342 * 01343 * Enable support for HelloVerifyRequest on DTLS servers. 01344 * 01345 * This feature is highly recommended to prevent DTLS servers being used as 01346 * amplifiers in DoS attacks against other hosts. It should always be enabled 01347 * unless you know for sure amplification cannot be a problem in the 01348 * environment in which your server operates. 01349 * 01350 * \warning Disabling this can ba a security risk! (see above) 01351 * 01352 * Requires: MBEDTLS_SSL_PROTO_DTLS 01353 * 01354 * Comment this to disable support for HelloVerifyRequest. 01355 */ 01356 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY 01357 01358 /** 01359 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 01360 * 01361 * Enable server-side support for clients that reconnect from the same port. 01362 * 01363 * Some clients unexpectedly close the connection and try to reconnect using the 01364 * same source port. This needs special support from the server to handle the 01365 * new connection securely, as described in section 4.2.8 of RFC 6347. This 01366 * flag enables that support. 01367 * 01368 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY 01369 * 01370 * Comment this to disable support for clients reusing the source port. 01371 */ 01372 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 01373 01374 /** 01375 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT 01376 * 01377 * Enable support for a limit of records with bad MAC. 01378 * 01379 * See mbedtls_ssl_conf_dtls_badmac_limit(). 01380 * 01381 * Requires: MBEDTLS_SSL_PROTO_DTLS 01382 */ 01383 #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT 01384 01385 /** 01386 * \def MBEDTLS_SSL_SESSION_TICKETS 01387 * 01388 * Enable support for RFC 5077 session tickets in SSL. 01389 * Client-side, provides full support for session tickets (maintainance of a 01390 * session store remains the responsibility of the application, though). 01391 * Server-side, you also need to provide callbacks for writing and parsing 01392 * tickets, including authenticated encryption and key management. Example 01393 * callbacks are provided by MBEDTLS_SSL_TICKET_C. 01394 * 01395 * Comment this macro to disable support for SSL session tickets 01396 */ 01397 #define MBEDTLS_SSL_SESSION_TICKETS 01398 01399 /** 01400 * \def MBEDTLS_SSL_EXPORT_KEYS 01401 * 01402 * Enable support for exporting key block and master secret. 01403 * This is required for certain users of TLS, e.g. EAP-TLS. 01404 * 01405 * Comment this macro to disable support for key export 01406 */ 01407 #define MBEDTLS_SSL_EXPORT_KEYS 01408 01409 /** 01410 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION 01411 * 01412 * Enable support for RFC 6066 server name indication (SNI) in SSL. 01413 * 01414 * Requires: MBEDTLS_X509_CRT_PARSE_C 01415 * 01416 * Comment this macro to disable support for server name indication in SSL 01417 */ 01418 #define MBEDTLS_SSL_SERVER_NAME_INDICATION 01419 01420 /** 01421 * \def MBEDTLS_SSL_TRUNCATED_HMAC 01422 * 01423 * Enable support for RFC 6066 truncated HMAC in SSL. 01424 * 01425 * Comment this macro to disable support for truncated HMAC in SSL 01426 */ 01427 //#define MBEDTLS_SSL_TRUNCATED_HMAC 01428 01429 /** 01430 * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 01431 * 01432 * Fallback to old (pre-2.7), non-conforming implementation of the truncated 01433 * HMAC extension which also truncates the HMAC key. Note that this option is 01434 * only meant for a transitory upgrade period and is likely to be removed in 01435 * a future version of the library. 01436 * 01437 * \warning The old implementation is non-compliant and has a security weakness 01438 * (2^80 brute force attack on the HMAC key used for a single, 01439 * uninterrupted connection). This should only be enabled temporarily 01440 * when (1) the use of truncated HMAC is essential in order to save 01441 * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use 01442 * the fixed implementation yet (pre-2.7). 01443 * 01444 * \deprecated This option is deprecated and will likely be removed in a 01445 * future version of Mbed TLS. 01446 * 01447 * Uncomment to fallback to old, non-compliant truncated HMAC implementation. 01448 * 01449 * Requires: MBEDTLS_SSL_TRUNCATED_HMAC 01450 */ 01451 //#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 01452 01453 /** 01454 * \def MBEDTLS_THREADING_ALT 01455 * 01456 * Provide your own alternate threading implementation. 01457 * 01458 * Requires: MBEDTLS_THREADING_C 01459 * 01460 * Uncomment this to allow your own alternate threading implementation. 01461 */ 01462 //#define MBEDTLS_THREADING_ALT 01463 01464 /** 01465 * \def MBEDTLS_THREADING_PTHREAD 01466 * 01467 * Enable the pthread wrapper layer for the threading layer. 01468 * 01469 * Requires: MBEDTLS_THREADING_C 01470 * 01471 * Uncomment this to enable pthread mutexes. 01472 */ 01473 //#define MBEDTLS_THREADING_PTHREAD 01474 01475 /** 01476 * \def MBEDTLS_VERSION_FEATURES 01477 * 01478 * Allow run-time checking of compile-time enabled features. Thus allowing users 01479 * to check at run-time if the library is for instance compiled with threading 01480 * support via mbedtls_version_check_feature(). 01481 * 01482 * Requires: MBEDTLS_VERSION_C 01483 * 01484 * Comment this to disable run-time checking and save ROM space 01485 */ 01486 #define MBEDTLS_VERSION_FEATURES 01487 01488 /** 01489 * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 01490 * 01491 * If set, the X509 parser will not break-off when parsing an X509 certificate 01492 * and encountering an extension in a v1 or v2 certificate. 01493 * 01494 * Uncomment to prevent an error. 01495 */ 01496 //#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 01497 01498 /** 01499 * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 01500 * 01501 * If set, the X509 parser will not break-off when parsing an X509 certificate 01502 * and encountering an unknown critical extension. 01503 * 01504 * \warning Depending on your PKI use, enabling this can be a security risk! 01505 * 01506 * Uncomment to prevent an error. 01507 */ 01508 //#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 01509 01510 /** 01511 * \def MBEDTLS_X509_CHECK_KEY_USAGE 01512 * 01513 * Enable verification of the keyUsage extension (CA and leaf certificates). 01514 * 01515 * Disabling this avoids problems with mis-issued and/or misused 01516 * (intermediate) CA and leaf certificates. 01517 * 01518 * \warning Depending on your PKI use, disabling this can be a security risk! 01519 * 01520 * Comment to skip keyUsage checking for both CA and leaf certificates. 01521 */ 01522 #define MBEDTLS_X509_CHECK_KEY_USAGE 01523 01524 /** 01525 * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 01526 * 01527 * Enable verification of the extendedKeyUsage extension (leaf certificates). 01528 * 01529 * Disabling this avoids problems with mis-issued and/or misused certificates. 01530 * 01531 * \warning Depending on your PKI use, disabling this can be a security risk! 01532 * 01533 * Comment to skip extendedKeyUsage checking for certificates. 01534 */ 01535 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 01536 01537 /** 01538 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT 01539 * 01540 * Enable parsing and verification of X.509 certificates, CRLs and CSRS 01541 * signed with RSASSA-PSS (aka PKCS#1 v2.1). 01542 * 01543 * Comment this macro to disallow using RSASSA-PSS in certificates. 01544 */ 01545 //#define MBEDTLS_X509_RSASSA_PSS_SUPPORT 01546 01547 /** 01548 * \def MBEDTLS_ZLIB_SUPPORT 01549 * 01550 * If set, the SSL/TLS module uses ZLIB to support compression and 01551 * decompression of packet data. 01552 * 01553 * \warning TLS-level compression MAY REDUCE SECURITY! See for example the 01554 * CRIME attack. Before enabling this option, you should examine with care if 01555 * CRIME or similar exploits may be a applicable to your use case. 01556 * 01557 * \note Currently compression can't be used with DTLS. 01558 * 01559 * Used in: library/ssl_tls.c 01560 * library/ssl_cli.c 01561 * library/ssl_srv.c 01562 * 01563 * This feature requires zlib library and headers to be present. 01564 * 01565 * Uncomment to enable use of ZLIB 01566 */ 01567 //#define MBEDTLS_ZLIB_SUPPORT 01568 /* \} name SECTION: mbed TLS feature support */ 01569 01570 /** 01571 * \name SECTION: mbed TLS modules 01572 * 01573 * This section enables or disables entire modules in mbed TLS 01574 * \{ 01575 */ 01576 01577 /** 01578 * \def MBEDTLS_AESNI_C 01579 * 01580 * Enable AES-NI support on x86-64. 01581 * 01582 * Module: library/aesni.c 01583 * Caller: library/aes.c 01584 * 01585 * Requires: MBEDTLS_HAVE_ASM 01586 * 01587 * This modules adds support for the AES-NI instructions on x86-64 01588 */ 01589 //#define MBEDTLS_AESNI_C 01590 01591 /** 01592 * \def MBEDTLS_AES_C 01593 * 01594 * Enable the AES block cipher. 01595 * 01596 * Module: library/aes.c 01597 * Caller: library/ssl_tls.c 01598 * library/pem.c 01599 * library/ctr_drbg.c 01600 * 01601 * This module enables the following ciphersuites (if other requisites are 01602 * enabled as well): 01603 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 01604 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 01605 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 01606 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 01607 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 01608 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 01609 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 01610 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 01611 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 01612 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 01613 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 01614 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 01615 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 01616 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 01617 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 01618 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 01619 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 01620 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 01621 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 01622 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 01623 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 01624 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 01625 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 01626 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 01627 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 01628 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 01629 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 01630 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 01631 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 01632 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 01633 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 01634 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 01635 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 01636 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 01637 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 01638 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 01639 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 01640 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 01641 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 01642 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 01643 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 01644 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 01645 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 01646 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 01647 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 01648 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 01649 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 01650 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 01651 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 01652 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 01653 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 01654 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 01655 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 01656 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 01657 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 01658 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 01659 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 01660 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 01661 * 01662 * PEM_PARSE uses AES for decrypting encrypted keys. 01663 */ 01664 #define MBEDTLS_AES_C 01665 01666 /** 01667 * \def MBEDTLS_ARC4_C 01668 * 01669 * Enable the ARCFOUR stream cipher. 01670 * 01671 * Module: library/arc4.c 01672 * Caller: library/ssl_tls.c 01673 * 01674 * This module enables the following ciphersuites (if other requisites are 01675 * enabled as well): 01676 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 01677 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA 01678 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 01679 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA 01680 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 01681 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA 01682 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA 01683 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 01684 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA 01685 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA 01686 * 01687 * \warning ARC4 is considered a weak cipher and its use constitutes a 01688 * security risk. If possible, we recommend avoidng dependencies on 01689 * it, and considering stronger ciphers instead. 01690 * 01691 */ 01692 //#define MBEDTLS_ARC4_C 01693 01694 /** 01695 * \def MBEDTLS_ASN1_PARSE_C 01696 * 01697 * Enable the generic ASN1 parser. 01698 * 01699 * Module: library/asn1.c 01700 * Caller: library/x509.c 01701 * library/dhm.c 01702 * library/pkcs12.c 01703 * library/pkcs5.c 01704 * library/pkparse.c 01705 */ 01706 #define MBEDTLS_ASN1_PARSE_C 01707 01708 /** 01709 * \def MBEDTLS_ASN1_WRITE_C 01710 * 01711 * Enable the generic ASN1 writer. 01712 * 01713 * Module: library/asn1write.c 01714 * Caller: library/ecdsa.c 01715 * library/pkwrite.c 01716 * library/x509_create.c 01717 * library/x509write_crt.c 01718 * library/x509write_csr.c 01719 */ 01720 #define MBEDTLS_ASN1_WRITE_C 01721 01722 /** 01723 * \def MBEDTLS_BASE64_C 01724 * 01725 * Enable the Base64 module. 01726 * 01727 * Module: library/base64.c 01728 * Caller: library/pem.c 01729 * 01730 * This module is required for PEM support (required by X.509). 01731 */ 01732 #define MBEDTLS_BASE64_C 01733 01734 /** 01735 * \def MBEDTLS_BIGNUM_C 01736 * 01737 * Enable the multi-precision integer library. 01738 * 01739 * Module: library/bignum.c 01740 * Caller: library/dhm.c 01741 * library/ecp.c 01742 * library/ecdsa.c 01743 * library/rsa.c 01744 * library/rsa_internal.c 01745 * library/ssl_tls.c 01746 * 01747 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. 01748 */ 01749 #define MBEDTLS_BIGNUM_C 01750 01751 /** 01752 * \def MBEDTLS_BLOWFISH_C 01753 * 01754 * Enable the Blowfish block cipher. 01755 * 01756 * Module: library/blowfish.c 01757 */ 01758 //#define MBEDTLS_BLOWFISH_C 01759 01760 /** 01761 * \def MBEDTLS_CAMELLIA_C 01762 * 01763 * Enable the Camellia block cipher. 01764 * 01765 * Module: library/camellia.c 01766 * Caller: library/ssl_tls.c 01767 * 01768 * This module enables the following ciphersuites (if other requisites are 01769 * enabled as well): 01770 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 01771 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 01772 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 01773 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 01774 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 01775 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 01776 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 01777 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 01778 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 01779 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 01780 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 01781 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 01782 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 01783 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 01784 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 01785 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 01786 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 01787 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 01788 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 01789 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 01790 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 01791 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 01792 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 01793 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 01794 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 01795 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 01796 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 01797 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 01798 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 01799 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 01800 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 01801 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 01802 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 01803 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 01804 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 01805 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 01806 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 01807 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 01808 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 01809 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 01810 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 01811 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 01812 */ 01813 //#define MBEDTLS_CAMELLIA_C 01814 01815 /** 01816 * \def MBEDTLS_CCM_C 01817 * 01818 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. 01819 * 01820 * Module: library/ccm.c 01821 * 01822 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C 01823 * 01824 * This module enables the AES-CCM ciphersuites, if other requisites are 01825 * enabled as well. 01826 */ 01827 #define MBEDTLS_CCM_C 01828 01829 /** 01830 * \def MBEDTLS_CERTS_C 01831 * 01832 * Enable the test certificates. 01833 * 01834 * Module: library/certs.c 01835 * Caller: 01836 * 01837 * This module is used for testing (ssl_client/server). 01838 */ 01839 #define MBEDTLS_CERTS_C 01840 01841 /** 01842 * \def MBEDTLS_CIPHER_C 01843 * 01844 * Enable the generic cipher layer. 01845 * 01846 * Module: library/cipher.c 01847 * Caller: library/ssl_tls.c 01848 * 01849 * Uncomment to enable generic cipher wrappers. 01850 */ 01851 #define MBEDTLS_CIPHER_C 01852 01853 /** 01854 * \def MBEDTLS_CMAC_C 01855 * 01856 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block 01857 * ciphers. 01858 * 01859 * Module: library/cmac.c 01860 * 01861 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C 01862 * 01863 */ 01864 //#define MBEDTLS_CMAC_C 01865 01866 /** 01867 * \def MBEDTLS_CTR_DRBG_C 01868 * 01869 * Enable the CTR_DRBG AES-256-based random generator. 01870 * 01871 * Module: library/ctr_drbg.c 01872 * Caller: 01873 * 01874 * Requires: MBEDTLS_AES_C 01875 * 01876 * This module provides the CTR_DRBG AES-256 random number generator. 01877 */ 01878 #define MBEDTLS_CTR_DRBG_C 01879 01880 /** 01881 * \def MBEDTLS_DEBUG_C 01882 * 01883 * Enable the debug functions. 01884 * 01885 * Module: library/debug.c 01886 * Caller: library/ssl_cli.c 01887 * library/ssl_srv.c 01888 * library/ssl_tls.c 01889 * 01890 * This module provides debugging functions. 01891 */ 01892 #define MBEDTLS_DEBUG_C 01893 01894 /** 01895 * \def MBEDTLS_DES_C 01896 * 01897 * Enable the DES block cipher. 01898 * 01899 * Module: library/des.c 01900 * Caller: library/pem.c 01901 * library/ssl_tls.c 01902 * 01903 * This module enables the following ciphersuites (if other requisites are 01904 * enabled as well): 01905 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 01906 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 01907 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 01908 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 01909 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 01910 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 01911 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 01912 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 01913 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 01914 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 01915 * 01916 * PEM_PARSE uses DES/3DES for decrypting encrypted keys. 01917 * 01918 * \warning DES is considered a weak cipher and its use constitutes a 01919 * security risk. We recommend considering stronger ciphers instead. 01920 */ 01921 //#define MBEDTLS_DES_C 01922 01923 /** 01924 * \def MBEDTLS_DHM_C 01925 * 01926 * Enable the Diffie-Hellman-Merkle module. 01927 * 01928 * Module: library/dhm.c 01929 * Caller: library/ssl_cli.c 01930 * library/ssl_srv.c 01931 * 01932 * This module is used by the following key exchanges: 01933 * DHE-RSA, DHE-PSK 01934 * 01935 * \warning Using DHE constitutes a security risk as it 01936 * is not possible to validate custom DH parameters. 01937 * If possible, it is recommended users should consider 01938 * preferring other methods of key exchange. 01939 * See dhm.h for more details. 01940 * 01941 */ 01942 //#define MBEDTLS_DHM_C 01943 01944 /** 01945 * \def MBEDTLS_ECDH_C 01946 * 01947 * Enable the elliptic curve Diffie-Hellman library. 01948 * 01949 * Module: library/ecdh.c 01950 * Caller: library/ssl_cli.c 01951 * library/ssl_srv.c 01952 * 01953 * This module is used by the following key exchanges: 01954 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK 01955 * 01956 * Requires: MBEDTLS_ECP_C 01957 */ 01958 #define MBEDTLS_ECDH_C 01959 01960 /** 01961 * \def MBEDTLS_ECDSA_C 01962 * 01963 * Enable the elliptic curve DSA library. 01964 * 01965 * Module: library/ecdsa.c 01966 * Caller: 01967 * 01968 * This module is used by the following key exchanges: 01969 * ECDHE-ECDSA 01970 * 01971 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C 01972 */ 01973 #define MBEDTLS_ECDSA_C 01974 01975 /** 01976 * \def MBEDTLS_ECJPAKE_C 01977 * 01978 * Enable the elliptic curve J-PAKE library. 01979 * 01980 * \warning This is currently experimental. EC J-PAKE support is based on the 01981 * Thread v1.0.0 specification; incompatible changes to the specification 01982 * might still happen. For this reason, this is disabled by default. 01983 * 01984 * Module: library/ecjpake.c 01985 * Caller: 01986 * 01987 * This module is used by the following key exchanges: 01988 * ECJPAKE 01989 * 01990 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C 01991 */ 01992 //#define MBEDTLS_ECJPAKE_C 01993 01994 /** 01995 * \def MBEDTLS_ECP_C 01996 * 01997 * Enable the elliptic curve over GF(p) library. 01998 * 01999 * Module: library/ecp.c 02000 * Caller: library/ecdh.c 02001 * library/ecdsa.c 02002 * library/ecjpake.c 02003 * 02004 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED 02005 */ 02006 #define MBEDTLS_ECP_C 02007 02008 /** 02009 * \def MBEDTLS_ENTROPY_C 02010 * 02011 * Enable the platform-specific entropy code. 02012 * 02013 * Module: library/entropy.c 02014 * Caller: 02015 * 02016 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 02017 * 02018 * This module provides a generic entropy pool 02019 */ 02020 #define MBEDTLS_ENTROPY_C 02021 02022 /** 02023 * \def MBEDTLS_ERROR_C 02024 * 02025 * Enable error code to error string conversion. 02026 * 02027 * Module: library/error.c 02028 * Caller: 02029 * 02030 * This module enables mbedtls_strerror(). 02031 */ 02032 #define MBEDTLS_ERROR_C 02033 02034 /** 02035 * \def MBEDTLS_GCM_C 02036 * 02037 * Enable the Galois/Counter Mode (GCM) for AES. 02038 * 02039 * Module: library/gcm.c 02040 * 02041 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C 02042 * 02043 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other 02044 * requisites are enabled as well. 02045 */ 02046 #define MBEDTLS_GCM_C 02047 02048 /** 02049 * \def MBEDTLS_HAVEGE_C 02050 * 02051 * Enable the HAVEGE random generator. 02052 * 02053 * Warning: the HAVEGE random generator is not suitable for virtualized 02054 * environments 02055 * 02056 * Warning: the HAVEGE random generator is dependent on timing and specific 02057 * processor traits. It is therefore not advised to use HAVEGE as 02058 * your applications primary random generator or primary entropy pool 02059 * input. As a secondary input to your entropy pool, it IS able add 02060 * the (limited) extra entropy it provides. 02061 * 02062 * Module: library/havege.c 02063 * Caller: 02064 * 02065 * Requires: MBEDTLS_TIMING_C 02066 * 02067 * Uncomment to enable the HAVEGE random generator. 02068 */ 02069 //#define MBEDTLS_HAVEGE_C 02070 02071 /** 02072 * \def MBEDTLS_HMAC_DRBG_C 02073 * 02074 * Enable the HMAC_DRBG random generator. 02075 * 02076 * Module: library/hmac_drbg.c 02077 * Caller: 02078 * 02079 * Requires: MBEDTLS_MD_C 02080 * 02081 * Uncomment to enable the HMAC_DRBG random number geerator. 02082 */ 02083 #define MBEDTLS_HMAC_DRBG_C 02084 02085 /** 02086 * \def MBEDTLS_MD_C 02087 * 02088 * Enable the generic message digest layer. 02089 * 02090 * Module: library/md.c 02091 * Caller: 02092 * 02093 * Uncomment to enable generic message digest wrappers. 02094 */ 02095 #define MBEDTLS_MD_C 02096 02097 /** 02098 * \def MBEDTLS_MD2_C 02099 * 02100 * Enable the MD2 hash algorithm. 02101 * 02102 * Module: library/md2.c 02103 * Caller: 02104 * 02105 * Uncomment to enable support for (rare) MD2-signed X.509 certs. 02106 * 02107 * \warning MD2 is considered a weak message digest and its use constitutes a 02108 * security risk. If possible, we recommend avoiding dependencies on 02109 * it, and considering stronger message digests instead. 02110 * 02111 */ 02112 //#define MBEDTLS_MD2_C 02113 02114 /** 02115 * \def MBEDTLS_MD4_C 02116 * 02117 * Enable the MD4 hash algorithm. 02118 * 02119 * Module: library/md4.c 02120 * Caller: 02121 * 02122 * Uncomment to enable support for (rare) MD4-signed X.509 certs. 02123 * 02124 * \warning MD4 is considered a weak message digest and its use constitutes a 02125 * security risk. If possible, we recommend avoiding dependencies on 02126 * it, and considering stronger message digests instead. 02127 * 02128 */ 02129 //#define MBEDTLS_MD4_C 02130 02131 /** 02132 * \def MBEDTLS_MD5_C 02133 * 02134 * Enable the MD5 hash algorithm. 02135 * 02136 * Module: library/md5.c 02137 * Caller: library/md.c 02138 * library/pem.c 02139 * library/ssl_tls.c 02140 * 02141 * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2 02142 * depending on the handshake parameters. Further, it is used for checking 02143 * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded 02144 * encrypted keys. 02145 * 02146 * \warning MD5 is considered a weak message digest and its use constitutes a 02147 * security risk. If possible, we recommend avoiding dependencies on 02148 * it, and considering stronger message digests instead. 02149 * 02150 */ 02151 //#define MBEDTLS_MD5_C 02152 02153 /** 02154 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C 02155 * 02156 * Enable the buffer allocator implementation that makes use of a (stack) 02157 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() 02158 * calls) 02159 * 02160 * Module: library/memory_buffer_alloc.c 02161 * 02162 * Requires: MBEDTLS_PLATFORM_C 02163 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) 02164 * 02165 * Enable this module to enable the buffer memory allocator. 02166 */ 02167 //#define MBEDTLS_MEMORY_BUFFER_ALLOC_C 02168 02169 /** 02170 * \def MBEDTLS_NET_C 02171 * 02172 * Enable the TCP and UDP over IPv6/IPv4 networking routines. 02173 * 02174 * \note This module only works on POSIX/Unix (including Linux, BSD and OS X) 02175 * and Windows. For other platforms, you'll want to disable it, and write your 02176 * own networking callbacks to be passed to \c mbedtls_ssl_set_bio(). 02177 * 02178 * \note See also our Knowledge Base article about porting to a new 02179 * environment: 02180 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 02181 * 02182 * Module: library/net_sockets.c 02183 * 02184 * This module provides networking routines. 02185 */ 02186 //#define MBEDTLS_NET_C 02187 02188 /** 02189 * \def MBEDTLS_OID_C 02190 * 02191 * Enable the OID database. 02192 * 02193 * Module: library/oid.c 02194 * Caller: library/asn1write.c 02195 * library/pkcs5.c 02196 * library/pkparse.c 02197 * library/pkwrite.c 02198 * library/rsa.c 02199 * library/x509.c 02200 * library/x509_create.c 02201 * library/x509_crl.c 02202 * library/x509_crt.c 02203 * library/x509_csr.c 02204 * library/x509write_crt.c 02205 * library/x509write_csr.c 02206 * 02207 * This modules translates between OIDs and internal values. 02208 */ 02209 #define MBEDTLS_OID_C 02210 02211 /** 02212 * \def MBEDTLS_PADLOCK_C 02213 * 02214 * Enable VIA Padlock support on x86. 02215 * 02216 * Module: library/padlock.c 02217 * Caller: library/aes.c 02218 * 02219 * Requires: MBEDTLS_HAVE_ASM 02220 * 02221 * This modules adds support for the VIA PadLock on x86. 02222 */ 02223 //#define MBEDTLS_PADLOCK_C 02224 02225 /** 02226 * \def MBEDTLS_PEM_PARSE_C 02227 * 02228 * Enable PEM decoding / parsing. 02229 * 02230 * Module: library/pem.c 02231 * Caller: library/dhm.c 02232 * library/pkparse.c 02233 * library/x509_crl.c 02234 * library/x509_crt.c 02235 * library/x509_csr.c 02236 * 02237 * Requires: MBEDTLS_BASE64_C 02238 * 02239 * This modules adds support for decoding / parsing PEM files. 02240 */ 02241 #define MBEDTLS_PEM_PARSE_C 02242 02243 /** 02244 * \def MBEDTLS_PEM_WRITE_C 02245 * 02246 * Enable PEM encoding / writing. 02247 * 02248 * Module: library/pem.c 02249 * Caller: library/pkwrite.c 02250 * library/x509write_crt.c 02251 * library/x509write_csr.c 02252 * 02253 * Requires: MBEDTLS_BASE64_C 02254 * 02255 * This modules adds support for encoding / writing PEM files. 02256 */ 02257 //#define MBEDTLS_PEM_WRITE_C 02258 02259 /** 02260 * \def MBEDTLS_PK_C 02261 * 02262 * Enable the generic public (asymetric) key layer. 02263 * 02264 * Module: library/pk.c 02265 * Caller: library/ssl_tls.c 02266 * library/ssl_cli.c 02267 * library/ssl_srv.c 02268 * 02269 * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C 02270 * 02271 * Uncomment to enable generic public key wrappers. 02272 */ 02273 #define MBEDTLS_PK_C 02274 02275 /** 02276 * \def MBEDTLS_PK_PARSE_C 02277 * 02278 * Enable the generic public (asymetric) key parser. 02279 * 02280 * Module: library/pkparse.c 02281 * Caller: library/x509_crt.c 02282 * library/x509_csr.c 02283 * 02284 * Requires: MBEDTLS_PK_C 02285 * 02286 * Uncomment to enable generic public key parse functions. 02287 */ 02288 #define MBEDTLS_PK_PARSE_C 02289 02290 /** 02291 * \def MBEDTLS_PK_WRITE_C 02292 * 02293 * Enable the generic public (asymetric) key writer. 02294 * 02295 * Module: library/pkwrite.c 02296 * Caller: library/x509write.c 02297 * 02298 * Requires: MBEDTLS_PK_C 02299 * 02300 * Uncomment to enable generic public key write functions. 02301 */ 02302 #define MBEDTLS_PK_WRITE_C 02303 02304 /** 02305 * \def MBEDTLS_PKCS5_C 02306 * 02307 * Enable PKCS#5 functions. 02308 * 02309 * Module: library/pkcs5.c 02310 * 02311 * Requires: MBEDTLS_MD_C 02312 * 02313 * This module adds support for the PKCS#5 functions. 02314 */ 02315 //#define MBEDTLS_PKCS5_C 02316 02317 /** 02318 * \def MBEDTLS_PKCS11_C 02319 * 02320 * Enable wrapper for PKCS#11 smartcard support. 02321 * 02322 * Module: library/pkcs11.c 02323 * Caller: library/pk.c 02324 * 02325 * Requires: MBEDTLS_PK_C 02326 * 02327 * This module enables SSL/TLS PKCS #11 smartcard support. 02328 * Requires the presence of the PKCS#11 helper library (libpkcs11-helper) 02329 */ 02330 //#define MBEDTLS_PKCS11_C 02331 02332 /** 02333 * \def MBEDTLS_PKCS12_C 02334 * 02335 * Enable PKCS#12 PBE functions. 02336 * Adds algorithms for parsing PKCS#8 encrypted private keys 02337 * 02338 * Module: library/pkcs12.c 02339 * Caller: library/pkparse.c 02340 * 02341 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C 02342 * Can use: MBEDTLS_ARC4_C 02343 * 02344 * This module enables PKCS#12 functions. 02345 */ 02346 //#define MBEDTLS_PKCS12_C 02347 02348 /** 02349 * \def MBEDTLS_PLATFORM_C 02350 * 02351 * Enable the platform abstraction layer that allows you to re-assign 02352 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 02353 * 02354 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 02355 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 02356 * above to be specified at runtime or compile time respectively. 02357 * 02358 * \note This abstraction layer must be enabled on Windows (including MSYS2) 02359 * as other module rely on it for a fixed snprintf implementation. 02360 * 02361 * Module: library/platform.c 02362 * Caller: Most other .c files 02363 * 02364 * This module enables abstraction of common (libc) functions. 02365 */ 02366 #define MBEDTLS_PLATFORM_C 02367 02368 /** 02369 * \def MBEDTLS_RIPEMD160_C 02370 * 02371 * Enable the RIPEMD-160 hash algorithm. 02372 * 02373 * Module: library/ripemd160.c 02374 * Caller: library/md.c 02375 * 02376 */ 02377 //#define MBEDTLS_RIPEMD160_C 02378 02379 /** 02380 * \def MBEDTLS_RSA_C 02381 * 02382 * Enable the RSA public-key cryptosystem. 02383 * 02384 * Module: library/rsa.c 02385 * library/rsa_internal.c 02386 * Caller: library/ssl_cli.c 02387 * library/ssl_srv.c 02388 * library/ssl_tls.c 02389 * library/x509.c 02390 * 02391 * This module is used by the following key exchanges: 02392 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK 02393 * 02394 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C 02395 */ 02396 #define MBEDTLS_RSA_C 02397 02398 /** 02399 * \def MBEDTLS_SHA1_C 02400 * 02401 * Enable the SHA1 cryptographic hash algorithm. 02402 * 02403 * Module: library/sha1.c 02404 * Caller: library/md.c 02405 * library/ssl_cli.c 02406 * library/ssl_srv.c 02407 * library/ssl_tls.c 02408 * library/x509write_crt.c 02409 * 02410 * This module is required for SSL/TLS up to version 1.1, for TLS 1.2 02411 * depending on the handshake parameters, and for SHA1-signed certificates. 02412 * 02413 * \warning SHA-1 is considered a weak message digest and its use constitutes 02414 * a security risk. If possible, we recommend avoiding dependencies 02415 * on it, and considering stronger message digests instead. 02416 * 02417 */ 02418 //#define MBEDTLS_SHA1_C 02419 02420 /** 02421 * \def MBEDTLS_SHA256_C 02422 * 02423 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms. 02424 * 02425 * Module: library/sha256.c 02426 * Caller: library/entropy.c 02427 * library/md.c 02428 * library/ssl_cli.c 02429 * library/ssl_srv.c 02430 * library/ssl_tls.c 02431 * 02432 * This module adds support for SHA-224 and SHA-256. 02433 * This module is required for the SSL/TLS 1.2 PRF function. 02434 */ 02435 #define MBEDTLS_SHA256_C 02436 02437 /** 02438 * \def MBEDTLS_SHA512_C 02439 * 02440 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms. 02441 * 02442 * Module: library/sha512.c 02443 * Caller: library/entropy.c 02444 * library/md.c 02445 * library/ssl_cli.c 02446 * library/ssl_srv.c 02447 * 02448 * This module adds support for SHA-384 and SHA-512. 02449 */ 02450 #define MBEDTLS_SHA512_C 02451 02452 /** 02453 * \def MBEDTLS_SSL_CACHE_C 02454 * 02455 * Enable simple SSL cache implementation. 02456 * 02457 * Module: library/ssl_cache.c 02458 * Caller: 02459 * 02460 * Requires: MBEDTLS_SSL_CACHE_C 02461 */ 02462 #define MBEDTLS_SSL_CACHE_C 02463 02464 /** 02465 * \def MBEDTLS_SSL_COOKIE_C 02466 * 02467 * Enable basic implementation of DTLS cookies for hello verification. 02468 * 02469 * Module: library/ssl_cookie.c 02470 * Caller: 02471 */ 02472 #define MBEDTLS_SSL_COOKIE_C 02473 02474 /** 02475 * \def MBEDTLS_SSL_TICKET_C 02476 * 02477 * Enable an implementation of TLS server-side callbacks for session tickets. 02478 * 02479 * Module: library/ssl_ticket.c 02480 * Caller: 02481 * 02482 * Requires: MBEDTLS_CIPHER_C 02483 */ 02484 #define MBEDTLS_SSL_TICKET_C 02485 02486 /** 02487 * \def MBEDTLS_SSL_CLI_C 02488 * 02489 * Enable the SSL/TLS client code. 02490 * 02491 * Module: library/ssl_cli.c 02492 * Caller: 02493 * 02494 * Requires: MBEDTLS_SSL_TLS_C 02495 * 02496 * This module is required for SSL/TLS client support. 02497 */ 02498 #define MBEDTLS_SSL_CLI_C 02499 02500 /** 02501 * \def MBEDTLS_SSL_SRV_C 02502 * 02503 * Enable the SSL/TLS server code. 02504 * 02505 * Module: library/ssl_srv.c 02506 * Caller: 02507 * 02508 * Requires: MBEDTLS_SSL_TLS_C 02509 * 02510 * This module is required for SSL/TLS server support. 02511 */ 02512 #define MBEDTLS_SSL_SRV_C 02513 02514 /** 02515 * \def MBEDTLS_SSL_TLS_C 02516 * 02517 * Enable the generic SSL/TLS code. 02518 * 02519 * Module: library/ssl_tls.c 02520 * Caller: library/ssl_cli.c 02521 * library/ssl_srv.c 02522 * 02523 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C 02524 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines 02525 * 02526 * This module is required for SSL/TLS. 02527 */ 02528 #define MBEDTLS_SSL_TLS_C 02529 02530 /** 02531 * \def MBEDTLS_THREADING_C 02532 * 02533 * Enable the threading abstraction layer. 02534 * By default mbed TLS assumes it is used in a non-threaded environment or that 02535 * contexts are not shared between threads. If you do intend to use contexts 02536 * between threads, you will need to enable this layer to prevent race 02537 * conditions. See also our Knowledge Base article about threading: 02538 * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading 02539 * 02540 * Module: library/threading.c 02541 * 02542 * This allows different threading implementations (self-implemented or 02543 * provided). 02544 * 02545 * You will have to enable either MBEDTLS_THREADING_ALT or 02546 * MBEDTLS_THREADING_PTHREAD. 02547 * 02548 * Enable this layer to allow use of mutexes within mbed TLS 02549 */ 02550 //#define MBEDTLS_THREADING_C 02551 02552 /** 02553 * \def MBEDTLS_TIMING_C 02554 * 02555 * Enable the semi-portable timing interface. 02556 * 02557 * \note The provided implementation only works on POSIX/Unix (including Linux, 02558 * BSD and OS X) and Windows. On other platforms, you can either disable that 02559 * module and provide your own implementations of the callbacks needed by 02560 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide 02561 * your own implementation of the whole module by setting 02562 * \c MBEDTLS_TIMING_ALT in the current file. 02563 * 02564 * \note See also our Knowledge Base article about porting to a new 02565 * environment: 02566 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 02567 * 02568 * Module: library/timing.c 02569 * Caller: library/havege.c 02570 * 02571 * This module is used by the HAVEGE random number generator. 02572 */ 02573 //#define MBEDTLS_TIMING_C 02574 02575 /** 02576 * \def MBEDTLS_VERSION_C 02577 * 02578 * Enable run-time version information. 02579 * 02580 * Module: library/version.c 02581 * 02582 * This module provides run-time version information. 02583 */ 02584 #define MBEDTLS_VERSION_C 02585 02586 /** 02587 * \def MBEDTLS_X509_USE_C 02588 * 02589 * Enable X.509 core for using certificates. 02590 * 02591 * Module: library/x509.c 02592 * Caller: library/x509_crl.c 02593 * library/x509_crt.c 02594 * library/x509_csr.c 02595 * 02596 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, 02597 * MBEDTLS_PK_PARSE_C 02598 * 02599 * This module is required for the X.509 parsing modules. 02600 */ 02601 #define MBEDTLS_X509_USE_C 02602 02603 /** 02604 * \def MBEDTLS_X509_CRT_PARSE_C 02605 * 02606 * Enable X.509 certificate parsing. 02607 * 02608 * Module: library/x509_crt.c 02609 * Caller: library/ssl_cli.c 02610 * library/ssl_srv.c 02611 * library/ssl_tls.c 02612 * 02613 * Requires: MBEDTLS_X509_USE_C 02614 * 02615 * This module is required for X.509 certificate parsing. 02616 */ 02617 #define MBEDTLS_X509_CRT_PARSE_C 02618 02619 /** 02620 * \def MBEDTLS_X509_CRL_PARSE_C 02621 * 02622 * Enable X.509 CRL parsing. 02623 * 02624 * Module: library/x509_crl.c 02625 * Caller: library/x509_crt.c 02626 * 02627 * Requires: MBEDTLS_X509_USE_C 02628 * 02629 * This module is required for X.509 CRL parsing. 02630 */ 02631 #define MBEDTLS_X509_CRL_PARSE_C 02632 02633 /** 02634 * \def MBEDTLS_X509_CSR_PARSE_C 02635 * 02636 * Enable X.509 Certificate Signing Request (CSR) parsing. 02637 * 02638 * Module: library/x509_csr.c 02639 * Caller: library/x509_crt_write.c 02640 * 02641 * Requires: MBEDTLS_X509_USE_C 02642 * 02643 * This module is used for reading X.509 certificate request. 02644 */ 02645 //#define MBEDTLS_X509_CSR_PARSE_C 02646 02647 /** 02648 * \def MBEDTLS_X509_CREATE_C 02649 * 02650 * Enable X.509 core for creating certificates. 02651 * 02652 * Module: library/x509_create.c 02653 * 02654 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C 02655 * 02656 * This module is the basis for creating X.509 certificates and CSRs. 02657 */ 02658 //#define MBEDTLS_X509_CREATE_C 02659 02660 /** 02661 * \def MBEDTLS_X509_CRT_WRITE_C 02662 * 02663 * Enable creating X.509 certificates. 02664 * 02665 * Module: library/x509_crt_write.c 02666 * 02667 * Requires: MBEDTLS_X509_CREATE_C 02668 * 02669 * This module is required for X.509 certificate creation. 02670 */ 02671 //#define MBEDTLS_X509_CRT_WRITE_C 02672 02673 /** 02674 * \def MBEDTLS_X509_CSR_WRITE_C 02675 * 02676 * Enable creating X.509 Certificate Signing Requests (CSR). 02677 * 02678 * Module: library/x509_csr_write.c 02679 * 02680 * Requires: MBEDTLS_X509_CREATE_C 02681 * 02682 * This module is required for X.509 certificate request writing. 02683 */ 02684 //#define MBEDTLS_X509_CSR_WRITE_C 02685 02686 /** 02687 * \def MBEDTLS_XTEA_C 02688 * 02689 * Enable the XTEA block cipher. 02690 * 02691 * Module: library/xtea.c 02692 * Caller: 02693 */ 02694 //#define MBEDTLS_XTEA_C 02695 02696 /* \} name SECTION: mbed TLS modules */ 02697 02698 /** 02699 * \name SECTION: Module configuration options 02700 * 02701 * This section allows for the setting of module specific sizes and 02702 * configuration options. The default values are already present in the 02703 * relevant header files and should suffice for the regular use cases. 02704 * 02705 * Our advice is to enable options and change their values here 02706 * only if you have a good reason and know the consequences. 02707 * 02708 * Please check the respective header file for documentation on these 02709 * parameters (to prevent duplicate documentation). 02710 * \{ 02711 */ 02712 02713 /* MPI / BIGNUM options */ 02714 //#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */ 02715 //#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */ 02716 02717 /* CTR_DRBG options */ 02718 //#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */ 02719 //#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ 02720 //#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ 02721 //#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ 02722 //#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ 02723 02724 /* HMAC_DRBG options */ 02725 //#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ 02726 //#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ 02727 //#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ 02728 //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ 02729 02730 /* ECP options */ 02731 //#define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */ 02732 //#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */ 02733 //#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ 02734 02735 /* Entropy options */ 02736 //#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */ 02737 //#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */ 02738 //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */ 02739 02740 /* Memory buffer allocator options */ 02741 //#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */ 02742 02743 /* Platform options */ 02744 //#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ 02745 //#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */ 02746 //#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */ 02747 //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ 02748 //#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ 02749 //#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */ 02750 //#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */ 02751 /* Note: your snprintf must correclty zero-terminate the buffer! */ 02752 //#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */ 02753 //#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */ 02754 //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */ 02755 //#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ 02756 //#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ 02757 //#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */ 02758 02759 /* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */ 02760 /* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ 02761 //#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */ 02762 //#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */ 02763 //#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */ 02764 //#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ 02765 //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ 02766 //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */ 02767 //#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */ 02768 /* Note: your snprintf must correclty zero-terminate the buffer! */ 02769 //#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */ 02770 //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ 02771 //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ 02772 02773 /* SSL Cache options */ 02774 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */ 02775 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */ 02776 02777 /* SSL options */ 02778 //#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ 02779 //#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */ 02780 //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ 02781 //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ 02782 02783 /** 02784 * Complete list of ciphersuites to use, in order of preference. 02785 * 02786 * \warning No dependency checking is done on that field! This option can only 02787 * be used to restrict the set of available ciphersuites. It is your 02788 * responsibility to make sure the needed modules are active. 02789 * 02790 * Use this to save a few hundred bytes of ROM (default ordering of all 02791 * available ciphersuites) and a few to a few hundred bytes of RAM. 02792 * 02793 * The value below is only an example, not the default. 02794 */ 02795 //#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 02796 02797 /* X509 options */ 02798 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */ 02799 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */ 02800 02801 /** 02802 * Allow SHA-1 in the default TLS configuration for certificate signing. 02803 * Without this build-time option, SHA-1 support must be activated explicitly 02804 * through mbedtls_ssl_conf_cert_profile. Turning on this option is not 02805 * recommended because of it is possible to generate SHA-1 collisions, however 02806 * this may be safe for legacy infrastructure where additional controls apply. 02807 * 02808 * \warning SHA-1 is considered a weak message digest and its use constitutes 02809 * a security risk. If possible, we recommend avoiding dependencies 02810 * on it, and considering stronger message digests instead. 02811 * 02812 */ 02813 // #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES 02814 02815 /** 02816 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake 02817 * signature and ciphersuite selection. Without this build-time option, SHA-1 02818 * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes. 02819 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by 02820 * default. At the time of writing, there is no practical attack on the use 02821 * of SHA-1 in handshake signatures, hence this option is turned on by default 02822 * to preserve compatibility with existing peers, but the general 02823 * warning applies nonetheless: 02824 * 02825 * \warning SHA-1 is considered a weak message digest and its use constitutes 02826 * a security risk. If possible, we recommend avoiding dependencies 02827 * on it, and considering stronger message digests instead. 02828 * 02829 */ 02830 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE 02831 02832 /* \} name SECTION: Customisation configuration options */ 02833 02834 /* Target and application specific configurations */ 02835 //#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h" 02836 02837 #if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE) 02838 #include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE 02839 #endif 02840 02841 /* 02842 * Allow user to override any previous default. 02843 * 02844 * Use two macro names for that, as: 02845 * - with yotta the prefix YOTTA_CFG_ is forced 02846 * - without yotta is looks weird to have a YOTTA prefix. 02847 */ 02848 #if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE) 02849 #include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE 02850 #elif defined(MBEDTLS_USER_CONFIG_FILE) 02851 #include MBEDTLS_USER_CONFIG_FILE 02852 #endif 02853 02854 #include "check_config.h" 02855 02856 #endif /* !MBEDTLS_ENTROPY_HARDWARE_ALT && !MBEDTLS_TEST_NULL_ENTROPY */ 02857 02858 #if defined(MBEDTLS_TEST_NULL_ENTROPY) 02859 #warning "MBEDTLS_TEST_NULL_ENTROPY has been enabled. This " \ 02860 "configuration is not secure and is not suitable for production use" 02861 #endif 02862 02863 #if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_TEST_NULL_ENTROPY) && \ 02864 !defined(MBEDTLS_ENTROPY_HARDWARE_ALT) 02865 #error "No entropy source was found at build time, so TLS " \ 02866 "functionality is not available" 02867 #endif 02868 02869 #endif /* MBEDTLS_CONFIG_H */
Generated on Tue Jul 12 2022 12:21:47 by
1.7.2