Knight KE
/
Game_Master
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
config.h
00001 /** 00002 * \file config.h 00003 * 00004 * \brief Configuration options (set of defines) 00005 * 00006 * This set of compile-time options may be used to enable 00007 * or disable features selectively, and reduce the global 00008 * memory footprint. 00009 */ 00010 /* 00011 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00012 * SPDX-License-Identifier: Apache-2.0 00013 * 00014 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00015 * not use this file except in compliance with the License. 00016 * You may obtain a copy of the License at 00017 * 00018 * http://www.apache.org/licenses/LICENSE-2.0 00019 * 00020 * Unless required by applicable law or agreed to in writing, software 00021 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00022 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00023 * See the License for the specific language governing permissions and 00024 * limitations under the License. 00025 * 00026 * This file is part of mbed TLS (https://tls.mbed.org) 00027 */ 00028 00029 #ifndef MBEDTLS_CONFIG_H 00030 00031 #include "platform/inc/platform_mbed.h" 00032 00033 /* 00034 * Only use features that do not require an entropy source when 00035 * DEVICE_ENTROPY_SOURCE is not defined in mbed OS. 00036 */ 00037 #if !defined(MBEDTLS_ENTROPY_HARDWARE_ALT) && !defined(MBEDTLS_TEST_NULL_ENTROPY) 00038 #include "mbedtls/config-no-entropy.h" 00039 00040 #if defined(MBEDTLS_USER_CONFIG_FILE) 00041 #include MBEDTLS_USER_CONFIG_FILE 00042 #endif 00043 00044 #else 00045 #define MBEDTLS_CONFIG_H 00046 00047 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) 00048 #define _CRT_SECURE_NO_DEPRECATE 1 00049 #endif 00050 00051 /** 00052 * \name SECTION: System support 00053 * 00054 * This section sets system specific settings. 00055 * \{ 00056 */ 00057 00058 /** 00059 * \def MBEDTLS_HAVE_ASM 00060 * 00061 * The compiler has support for asm(). 00062 * 00063 * Requires support for asm() in compiler. 00064 * 00065 * Used in: 00066 * library/aria.c 00067 * library/timing.c 00068 * include/mbedtls/bn_mul.h 00069 * 00070 * Required by: 00071 * MBEDTLS_AESNI_C 00072 * MBEDTLS_PADLOCK_C 00073 * 00074 * Comment to disable the use of assembly code. 00075 */ 00076 #define MBEDTLS_HAVE_ASM 00077 00078 /** 00079 * \def MBEDTLS_NO_UDBL_DIVISION 00080 * 00081 * The platform lacks support for double-width integer division (64-bit 00082 * division on a 32-bit platform, 128-bit division on a 64-bit platform). 00083 * 00084 * Used in: 00085 * include/mbedtls/bignum.h 00086 * library/bignum.c 00087 * 00088 * The bignum code uses double-width division to speed up some operations. 00089 * Double-width division is often implemented in software that needs to 00090 * be linked with the program. The presence of a double-width integer 00091 * type is usually detected automatically through preprocessor macros, 00092 * but the automatic detection cannot know whether the code needs to 00093 * and can be linked with an implementation of division for that type. 00094 * By default division is assumed to be usable if the type is present. 00095 * Uncomment this option to prevent the use of double-width division. 00096 * 00097 * Note that division for the native integer type is always required. 00098 * Furthermore, a 64-bit type is always required even on a 32-bit 00099 * platform, but it need not support multiplication or division. In some 00100 * cases it is also desirable to disable some double-width operations. For 00101 * example, if double-width division is implemented in software, disabling 00102 * it can reduce code size in some embedded targets. 00103 */ 00104 //#define MBEDTLS_NO_UDBL_DIVISION 00105 00106 /** 00107 * \def MBEDTLS_HAVE_SSE2 00108 * 00109 * CPU supports SSE2 instruction set. 00110 * 00111 * Uncomment if the CPU supports SSE2 (IA-32 specific). 00112 */ 00113 //#define MBEDTLS_HAVE_SSE2 00114 00115 /** 00116 * \def MBEDTLS_HAVE_TIME 00117 * 00118 * System has time.h and time(). 00119 * The time does not need to be correct, only time differences are used, 00120 * by contrast with MBEDTLS_HAVE_TIME_DATE 00121 * 00122 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, 00123 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and 00124 * MBEDTLS_PLATFORM_STD_TIME. 00125 * 00126 * Comment if your system does not support time functions 00127 */ 00128 #define MBEDTLS_HAVE_TIME 00129 00130 /** 00131 * \def MBEDTLS_HAVE_TIME_DATE 00132 * 00133 * System has time.h and time(), gmtime() and the clock is correct. 00134 * The time needs to be correct (not necesarily very accurate, but at least 00135 * the date should be correct). This is used to verify the validity period of 00136 * X.509 certificates. 00137 * 00138 * Comment if your system does not have a correct clock. 00139 */ 00140 //#define MBEDTLS_HAVE_TIME_DATE 00141 00142 /** 00143 * \def MBEDTLS_PLATFORM_MEMORY 00144 * 00145 * Enable the memory allocation layer. 00146 * 00147 * By default mbed TLS uses the system-provided calloc() and free(). 00148 * This allows different allocators (self-implemented or provided) to be 00149 * provided to the platform abstraction layer. 00150 * 00151 * Enabling MBEDTLS_PLATFORM_MEMORY without the 00152 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 00153 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 00154 * free() function pointer at runtime. 00155 * 00156 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 00157 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 00158 * alternate function at compile time. 00159 * 00160 * Requires: MBEDTLS_PLATFORM_C 00161 * 00162 * Enable this layer to allow use of alternative memory allocators. 00163 */ 00164 //#define MBEDTLS_PLATFORM_MEMORY 00165 00166 /** 00167 * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 00168 * 00169 * Do not assign standard functions in the platform layer (e.g. calloc() to 00170 * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF) 00171 * 00172 * This makes sure there are no linking errors on platforms that do not support 00173 * these functions. You will HAVE to provide alternatives, either at runtime 00174 * via the platform_set_xxx() functions or at compile time by setting 00175 * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a 00176 * MBEDTLS_PLATFORM_XXX_MACRO. 00177 * 00178 * Requires: MBEDTLS_PLATFORM_C 00179 * 00180 * Uncomment to prevent default assignment of standard functions in the 00181 * platform layer. 00182 */ 00183 //#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 00184 00185 /** 00186 * \def MBEDTLS_PLATFORM_EXIT_ALT 00187 * 00188 * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the 00189 * function in the platform abstraction layer. 00190 * 00191 * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will 00192 * provide a function "mbedtls_platform_set_printf()" that allows you to set an 00193 * alternative printf function pointer. 00194 * 00195 * All these define require MBEDTLS_PLATFORM_C to be defined! 00196 * 00197 * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows; 00198 * it will be enabled automatically by check_config.h 00199 * 00200 * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as 00201 * MBEDTLS_PLATFORM_XXX_MACRO! 00202 * 00203 * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME 00204 * 00205 * Uncomment a macro to enable alternate implementation of specific base 00206 * platform function 00207 */ 00208 //#define MBEDTLS_PLATFORM_EXIT_ALT 00209 //#define MBEDTLS_PLATFORM_TIME_ALT 00210 //#define MBEDTLS_PLATFORM_FPRINTF_ALT 00211 //#define MBEDTLS_PLATFORM_PRINTF_ALT 00212 //#define MBEDTLS_PLATFORM_SNPRINTF_ALT 00213 //#define MBEDTLS_PLATFORM_NV_SEED_ALT 00214 //#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT 00215 00216 /** 00217 * \def MBEDTLS_DEPRECATED_WARNING 00218 * 00219 * Mark deprecated functions so that they generate a warning if used. 00220 * Functions deprecated in one version will usually be removed in the next 00221 * version. You can enable this to help you prepare the transition to a new 00222 * major version by making sure your code is not using these functions. 00223 * 00224 * This only works with GCC and Clang. With other compilers, you may want to 00225 * use MBEDTLS_DEPRECATED_REMOVED 00226 * 00227 * Uncomment to get warnings on using deprecated functions. 00228 */ 00229 //#define MBEDTLS_DEPRECATED_WARNING 00230 00231 /** 00232 * \def MBEDTLS_DEPRECATED_REMOVED 00233 * 00234 * Remove deprecated functions so that they generate an error if used. 00235 * Functions deprecated in one version will usually be removed in the next 00236 * version. You can enable this to help you prepare the transition to a new 00237 * major version by making sure your code is not using these functions. 00238 * 00239 * Uncomment to get errors on using deprecated functions. 00240 */ 00241 //#define MBEDTLS_DEPRECATED_REMOVED 00242 00243 /* \} name SECTION: System support */ 00244 00245 /** 00246 * \name SECTION: mbed TLS feature support 00247 * 00248 * This section sets support for features that are or are not needed 00249 * within the modules that are enabled. 00250 * \{ 00251 */ 00252 00253 /** 00254 * \def MBEDTLS_TIMING_ALT 00255 * 00256 * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(), 00257 * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay() 00258 * 00259 * Only works if you have MBEDTLS_TIMING_C enabled. 00260 * 00261 * You will need to provide a header "timing_alt.h" and an implementation at 00262 * compile time. 00263 */ 00264 //#define MBEDTLS_TIMING_ALT 00265 00266 /** 00267 * \def MBEDTLS_AES_ALT 00268 * 00269 * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your 00270 * alternate core implementation of a symmetric crypto, an arithmetic or hash 00271 * module (e.g. platform specific assembly optimized implementations). Keep 00272 * in mind that the function prototypes should remain the same. 00273 * 00274 * This replaces the whole module. If you only want to replace one of the 00275 * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags. 00276 * 00277 * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer 00278 * provide the "struct mbedtls_aes_context" definition and omit the base 00279 * function declarations and implementations. "aes_alt.h" will be included from 00280 * "aes.h" to include the new function definitions. 00281 * 00282 * Uncomment a macro to enable alternate implementation of the corresponding 00283 * module. 00284 * 00285 * \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their 00286 * use constitutes a security risk. If possible, we recommend 00287 * avoiding dependencies on them, and considering stronger message 00288 * digests and ciphers instead. 00289 * 00290 */ 00291 //#define MBEDTLS_AES_ALT 00292 //#define MBEDTLS_ARC4_ALT 00293 //#define MBEDTLS_ARIA_ALT 00294 //#define MBEDTLS_BLOWFISH_ALT 00295 //#define MBEDTLS_CAMELLIA_ALT 00296 //#define MBEDTLS_CCM_ALT 00297 //#define MBEDTLS_CMAC_ALT 00298 //#define MBEDTLS_DES_ALT 00299 //#define MBEDTLS_DHM_ALT 00300 //#define MBEDTLS_ECJPAKE_ALT 00301 //#define MBEDTLS_GCM_ALT 00302 //#define MBEDTLS_MD2_ALT 00303 //#define MBEDTLS_MD4_ALT 00304 //#define MBEDTLS_MD5_ALT 00305 //#define MBEDTLS_RIPEMD160_ALT 00306 //#define MBEDTLS_RSA_ALT 00307 //#define MBEDTLS_SHA1_ALT 00308 //#define MBEDTLS_SHA256_ALT 00309 //#define MBEDTLS_SHA512_ALT 00310 //#define MBEDTLS_XTEA_ALT 00311 00312 /* 00313 * When replacing the elliptic curve module, pleace consider, that it is 00314 * implemented with two .c files: 00315 * - ecp.c 00316 * - ecp_curves.c 00317 * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT 00318 * macros as described above. The only difference is that you have to make sure 00319 * that you provide functionality for both .c files. 00320 */ 00321 //#define MBEDTLS_ECP_ALT 00322 00323 /** 00324 * \def MBEDTLS_MD2_PROCESS_ALT 00325 * 00326 * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you 00327 * alternate core implementation of symmetric crypto or hash function. Keep in 00328 * mind that function prototypes should remain the same. 00329 * 00330 * This replaces only one function. The header file from mbed TLS is still 00331 * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags. 00332 * 00333 * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will 00334 * no longer provide the mbedtls_sha1_process() function, but it will still provide 00335 * the other function (using your mbedtls_sha1_process() function) and the definition 00336 * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible 00337 * with this definition. 00338 * 00339 * \note Because of a signature change, the core AES encryption and decryption routines are 00340 * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt, 00341 * respectively. When setting up alternative implementations, these functions should 00342 * be overriden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt 00343 * must stay untouched. 00344 * 00345 * \note If you use the AES_xxx_ALT macros, then is is recommended to also set 00346 * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES 00347 * tables. 00348 * 00349 * Uncomment a macro to enable alternate implementation of the corresponding 00350 * function. 00351 * 00352 * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use 00353 * constitutes a security risk. If possible, we recommend avoiding 00354 * dependencies on them, and considering stronger message digests 00355 * and ciphers instead. 00356 * 00357 */ 00358 //#define MBEDTLS_MD2_PROCESS_ALT 00359 //#define MBEDTLS_MD4_PROCESS_ALT 00360 //#define MBEDTLS_MD5_PROCESS_ALT 00361 //#define MBEDTLS_RIPEMD160_PROCESS_ALT 00362 //#define MBEDTLS_SHA1_PROCESS_ALT 00363 //#define MBEDTLS_SHA256_PROCESS_ALT 00364 //#define MBEDTLS_SHA512_PROCESS_ALT 00365 //#define MBEDTLS_DES_SETKEY_ALT 00366 //#define MBEDTLS_DES_CRYPT_ECB_ALT 00367 //#define MBEDTLS_DES3_CRYPT_ECB_ALT 00368 //#define MBEDTLS_AES_SETKEY_ENC_ALT 00369 //#define MBEDTLS_AES_SETKEY_DEC_ALT 00370 //#define MBEDTLS_AES_ENCRYPT_ALT 00371 //#define MBEDTLS_AES_DECRYPT_ALT 00372 //#define MBEDTLS_ECDH_GEN_PUBLIC_ALT 00373 //#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT 00374 //#define MBEDTLS_ECDSA_VERIFY_ALT 00375 //#define MBEDTLS_ECDSA_SIGN_ALT 00376 //#define MBEDTLS_ECDSA_GENKEY_ALT 00377 00378 /** 00379 * \def MBEDTLS_ECP_INTERNAL_ALT 00380 * 00381 * Expose a part of the internal interface of the Elliptic Curve Point module. 00382 * 00383 * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your 00384 * alternative core implementation of elliptic curve arithmetic. Keep in mind 00385 * that function prototypes should remain the same. 00386 * 00387 * This partially replaces one function. The header file from mbed TLS is still 00388 * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation 00389 * is still present and it is used for group structures not supported by the 00390 * alternative. 00391 * 00392 * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT 00393 * and implementing the following functions: 00394 * unsigned char mbedtls_internal_ecp_grp_capable( 00395 * const mbedtls_ecp_group *grp ) 00396 * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ) 00397 * void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp ) 00398 * The mbedtls_internal_ecp_grp_capable function should return 1 if the 00399 * replacement functions implement arithmetic for the given group and 0 00400 * otherwise. 00401 * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are 00402 * called before and after each point operation and provide an opportunity to 00403 * implement optimized set up and tear down instructions. 00404 * 00405 * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and 00406 * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac 00407 * function, but will use your mbedtls_internal_ecp_double_jac if the group is 00408 * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when 00409 * receives it as an argument). If the group is not supported then the original 00410 * implementation is used. The other functions and the definition of 00411 * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your 00412 * implementation of mbedtls_internal_ecp_double_jac and 00413 * mbedtls_internal_ecp_grp_capable must be compatible with this definition. 00414 * 00415 * Uncomment a macro to enable alternate implementation of the corresponding 00416 * function. 00417 */ 00418 /* Required for all the functions in this section */ 00419 //#define MBEDTLS_ECP_INTERNAL_ALT 00420 /* Support for Weierstrass curves with Jacobi representation */ 00421 //#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT 00422 //#define MBEDTLS_ECP_ADD_MIXED_ALT 00423 //#define MBEDTLS_ECP_DOUBLE_JAC_ALT 00424 //#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT 00425 //#define MBEDTLS_ECP_NORMALIZE_JAC_ALT 00426 /* Support for curves with Montgomery arithmetic */ 00427 //#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT 00428 //#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT 00429 //#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT 00430 00431 /** 00432 * \def MBEDTLS_TEST_NULL_ENTROPY 00433 * 00434 * Enables testing and use of mbed TLS without any configured entropy sources. 00435 * This permits use of the library on platforms before an entropy source has 00436 * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the 00437 * MBEDTLS_ENTROPY_NV_SEED switches). 00438 * 00439 * WARNING! This switch MUST be disabled in production builds, and is suitable 00440 * only for development. 00441 * Enabling the switch negates any security provided by the library. 00442 * 00443 * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 00444 * 00445 */ 00446 //#define MBEDTLS_TEST_NULL_ENTROPY 00447 00448 /** 00449 * \def MBEDTLS_ENTROPY_HARDWARE_ALT 00450 * 00451 * Uncomment this macro to let mbed TLS use your own implementation of a 00452 * hardware entropy collector. 00453 * 00454 * Your function must be called \c mbedtls_hardware_poll(), have the same 00455 * prototype as declared in entropy_poll.h, and accept NULL as first argument. 00456 * 00457 * Uncomment to use your own hardware entropy collector. 00458 */ 00459 //#define MBEDTLS_ENTROPY_HARDWARE_ALT 00460 00461 /** 00462 * \def MBEDTLS_AES_ROM_TABLES 00463 * 00464 * Use precomputed AES tables stored in ROM. 00465 * 00466 * Uncomment this macro to use precomputed AES tables stored in ROM. 00467 * Comment this macro to generate AES tables in RAM at runtime. 00468 * 00469 * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb 00470 * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the 00471 * initialization time before the first AES operation can be performed. 00472 * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c 00473 * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded 00474 * performance if ROM access is slower than RAM access. 00475 * 00476 * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. 00477 * 00478 */ 00479 #define MBEDTLS_AES_ROM_TABLES 00480 00481 /** 00482 * \def MBEDTLS_AES_FEWER_TABLES 00483 * 00484 * Use less ROM/RAM for AES tables. 00485 * 00486 * Uncommenting this macro omits 75% of the AES tables from 00487 * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) 00488 * by computing their values on the fly during operations 00489 * (the tables are entry-wise rotations of one another). 00490 * 00491 * Tradeoff: Uncommenting this reduces the RAM / ROM footprint 00492 * by ~6kb but at the cost of more arithmetic operations during 00493 * runtime. Specifically, one has to compare 4 accesses within 00494 * different tables to 4 accesses with additional arithmetic 00495 * operations within the same table. The performance gain/loss 00496 * depends on the system and memory details. 00497 * 00498 * This option is independent of \c MBEDTLS_AES_ROM_TABLES. 00499 * 00500 */ 00501 //#define MBEDTLS_AES_FEWER_TABLES 00502 00503 /** 00504 * \def MBEDTLS_CAMELLIA_SMALL_MEMORY 00505 * 00506 * Use less ROM for the Camellia implementation (saves about 768 bytes). 00507 * 00508 * Uncomment this macro to use less memory for Camellia. 00509 */ 00510 //#define MBEDTLS_CAMELLIA_SMALL_MEMORY 00511 00512 /** 00513 * \def MBEDTLS_CIPHER_MODE_CBC 00514 * 00515 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. 00516 */ 00517 #define MBEDTLS_CIPHER_MODE_CBC 00518 00519 /** 00520 * \def MBEDTLS_CIPHER_MODE_CFB 00521 * 00522 * Enable Cipher Feedback mode (CFB) for symmetric ciphers. 00523 */ 00524 //#define MBEDTLS_CIPHER_MODE_CFB 00525 00526 /** 00527 * \def MBEDTLS_CIPHER_MODE_CTR 00528 * 00529 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. 00530 */ 00531 //#define MBEDTLS_CIPHER_MODE_CTR 00532 00533 /** 00534 * \def MBEDTLS_CIPHER_NULL_CIPHER 00535 * 00536 * Enable NULL cipher. 00537 * Warning: Only do so when you know what you are doing. This allows for 00538 * encryption or channels without any security! 00539 * 00540 * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable 00541 * the following ciphersuites: 00542 * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA 00543 * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA 00544 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA 00545 * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA 00546 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 00547 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 00548 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA 00549 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384 00550 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256 00551 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA 00552 * MBEDTLS_TLS_RSA_WITH_NULL_SHA256 00553 * MBEDTLS_TLS_RSA_WITH_NULL_SHA 00554 * MBEDTLS_TLS_RSA_WITH_NULL_MD5 00555 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384 00556 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256 00557 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA 00558 * MBEDTLS_TLS_PSK_WITH_NULL_SHA384 00559 * MBEDTLS_TLS_PSK_WITH_NULL_SHA256 00560 * MBEDTLS_TLS_PSK_WITH_NULL_SHA 00561 * 00562 * Uncomment this macro to enable the NULL cipher and ciphersuites 00563 */ 00564 //#define MBEDTLS_CIPHER_NULL_CIPHER 00565 00566 /** 00567 * \def MBEDTLS_CIPHER_PADDING_PKCS7 00568 * 00569 * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for 00570 * specific padding modes in the cipher layer with cipher modes that support 00571 * padding (e.g. CBC) 00572 * 00573 * If you disable all padding modes, only full blocks can be used with CBC. 00574 * 00575 * Enable padding modes in the cipher layer. 00576 */ 00577 #define MBEDTLS_CIPHER_PADDING_PKCS7 00578 //#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS 00579 //#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN 00580 //#define MBEDTLS_CIPHER_PADDING_ZEROS 00581 00582 /** 00583 * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES 00584 * 00585 * Enable weak ciphersuites in SSL / TLS. 00586 * Warning: Only do so when you know what you are doing. This allows for 00587 * channels with virtually no security at all! 00588 * 00589 * This enables the following ciphersuites: 00590 * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA 00591 * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA 00592 * 00593 * Uncomment this macro to enable weak ciphersuites 00594 * 00595 * \warning DES is considered a weak cipher and its use constitutes a 00596 * security risk. We recommend considering stronger ciphers instead. 00597 */ 00598 //#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES 00599 00600 /** 00601 * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES 00602 * 00603 * Remove RC4 ciphersuites by default in SSL / TLS. 00604 * This flag removes the ciphersuites based on RC4 from the default list as 00605 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to 00606 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them 00607 * explicitly. 00608 * 00609 * Uncomment this macro to remove RC4 ciphersuites by default. 00610 */ 00611 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES 00612 00613 /** 00614 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED 00615 * 00616 * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve 00617 * module. By default all supported curves are enabled. 00618 * 00619 * Comment macros to disable the curve and functions for it 00620 */ 00621 //#define MBEDTLS_ECP_DP_SECP192R1_ENABLED 00622 //#define MBEDTLS_ECP_DP_SECP224R1_ENABLED 00623 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED 00624 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED 00625 //#define MBEDTLS_ECP_DP_SECP521R1_ENABLED 00626 //#define MBEDTLS_ECP_DP_SECP192K1_ENABLED 00627 //#define MBEDTLS_ECP_DP_SECP224K1_ENABLED 00628 //#define MBEDTLS_ECP_DP_SECP256K1_ENABLED 00629 //#define MBEDTLS_ECP_DP_BP256R1_ENABLED 00630 //#define MBEDTLS_ECP_DP_BP384R1_ENABLED 00631 //#define MBEDTLS_ECP_DP_BP512R1_ENABLED 00632 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED 00633 #define MBEDTLS_ECP_DP_CURVE448_ENABLED 00634 00635 /** 00636 * \def MBEDTLS_ECP_NIST_OPTIM 00637 * 00638 * Enable specific 'modulo p' routines for each NIST prime. 00639 * Depending on the prime and architecture, makes operations 4 to 8 times 00640 * faster on the corresponding curve. 00641 * 00642 * Comment this macro to disable NIST curves optimisation. 00643 */ 00644 #define MBEDTLS_ECP_NIST_OPTIM 00645 00646 /** 00647 * \def MBEDTLS_ECDSA_DETERMINISTIC 00648 * 00649 * Enable deterministic ECDSA (RFC 6979). 00650 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing 00651 * may result in a compromise of the long-term signing key. This is avoided by 00652 * the deterministic variant. 00653 * 00654 * Requires: MBEDTLS_HMAC_DRBG_C 00655 * 00656 * Comment this macro to disable deterministic ECDSA. 00657 */ 00658 #define MBEDTLS_ECDSA_DETERMINISTIC 00659 00660 /** 00661 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 00662 * 00663 * Enable the PSK based ciphersuite modes in SSL / TLS. 00664 * 00665 * This enables the following ciphersuites (if other requisites are 00666 * enabled as well): 00667 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 00668 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 00669 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 00670 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 00671 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 00672 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 00673 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 00674 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 00675 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 00676 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 00677 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 00678 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA 00679 */ 00680 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 00681 00682 /** 00683 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 00684 * 00685 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS. 00686 * 00687 * Requires: MBEDTLS_DHM_C 00688 * 00689 * This enables the following ciphersuites (if other requisites are 00690 * enabled as well): 00691 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 00692 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 00693 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 00694 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 00695 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 00696 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 00697 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 00698 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 00699 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 00700 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 00701 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 00702 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA 00703 * 00704 * \warning Using DHE constitutes a security risk as it 00705 * is not possible to validate custom DH parameters. 00706 * If possible, it is recommended users should consider 00707 * preferring other methods of key exchange. 00708 * See dhm.h for more details. 00709 * 00710 */ 00711 //#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 00712 00713 /** 00714 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 00715 * 00716 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. 00717 * 00718 * Requires: MBEDTLS_ECDH_C 00719 * 00720 * This enables the following ciphersuites (if other requisites are 00721 * enabled as well): 00722 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 00723 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 00724 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 00725 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 00726 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 00727 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 00728 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 00729 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 00730 */ 00731 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 00732 00733 /** 00734 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 00735 * 00736 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS. 00737 * 00738 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00739 * MBEDTLS_X509_CRT_PARSE_C 00740 * 00741 * This enables the following ciphersuites (if other requisites are 00742 * enabled as well): 00743 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 00744 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 00745 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 00746 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 00747 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 00748 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 00749 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 00750 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 00751 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 00752 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 00753 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 00754 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA 00755 */ 00756 //#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 00757 00758 /** 00759 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 00760 * 00761 * Enable the RSA-only based ciphersuite modes in SSL / TLS. 00762 * 00763 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00764 * MBEDTLS_X509_CRT_PARSE_C 00765 * 00766 * This enables the following ciphersuites (if other requisites are 00767 * enabled as well): 00768 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 00769 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 00770 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 00771 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 00772 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 00773 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 00774 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 00775 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 00776 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 00777 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 00778 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 00779 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 00780 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 00781 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA 00782 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 00783 */ 00784 //#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 00785 00786 /** 00787 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 00788 * 00789 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS. 00790 * 00791 * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00792 * MBEDTLS_X509_CRT_PARSE_C 00793 * 00794 * This enables the following ciphersuites (if other requisites are 00795 * enabled as well): 00796 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 00797 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 00798 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 00799 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 00800 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 00801 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 00802 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 00803 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 00804 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 00805 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 00806 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 00807 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 00808 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 00809 * 00810 * \warning Using DHE constitutes a security risk as it 00811 * is not possible to validate custom DH parameters. 00812 * If possible, it is recommended users should consider 00813 * preferring other methods of key exchange. 00814 * See dhm.h for more details. 00815 * 00816 */ 00817 //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 00818 00819 /** 00820 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 00821 * 00822 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. 00823 * 00824 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00825 * MBEDTLS_X509_CRT_PARSE_C 00826 * 00827 * This enables the following ciphersuites (if other requisites are 00828 * enabled as well): 00829 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 00830 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 00831 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 00832 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 00833 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 00834 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 00835 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 00836 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 00837 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 00838 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 00839 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 00840 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA 00841 */ 00842 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 00843 00844 /** 00845 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 00846 * 00847 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. 00848 * 00849 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C, 00850 * 00851 * This enables the following ciphersuites (if other requisites are 00852 * enabled as well): 00853 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 00854 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 00855 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 00856 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 00857 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 00858 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 00859 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 00860 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 00861 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 00862 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 00863 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 00864 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 00865 */ 00866 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 00867 00868 /** 00869 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 00870 * 00871 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. 00872 * 00873 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C 00874 * 00875 * This enables the following ciphersuites (if other requisites are 00876 * enabled as well): 00877 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 00878 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 00879 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 00880 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 00881 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 00882 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 00883 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 00884 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 00885 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 00886 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 00887 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 00888 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 00889 */ 00890 //#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 00891 00892 /** 00893 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 00894 * 00895 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. 00896 * 00897 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C 00898 * 00899 * This enables the following ciphersuites (if other requisites are 00900 * enabled as well): 00901 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA 00902 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 00903 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 00904 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 00905 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 00906 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 00907 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 00908 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 00909 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 00910 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 00911 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 00912 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 00913 */ 00914 //#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 00915 00916 /** 00917 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 00918 * 00919 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. 00920 * 00921 * \warning This is currently experimental. EC J-PAKE support is based on the 00922 * Thread v1.0.0 specification; incompatible changes to the specification 00923 * might still happen. For this reason, this is disabled by default. 00924 * 00925 * Requires: MBEDTLS_ECJPAKE_C 00926 * MBEDTLS_SHA256_C 00927 * MBEDTLS_ECP_DP_SECP256R1_ENABLED 00928 * 00929 * This enables the following ciphersuites (if other requisites are 00930 * enabled as well): 00931 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 00932 */ 00933 //#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 00934 00935 /** 00936 * \def MBEDTLS_PK_PARSE_EC_EXTENDED 00937 * 00938 * Enhance support for reading EC keys using variants of SEC1 not allowed by 00939 * RFC 5915 and RFC 5480. 00940 * 00941 * Currently this means parsing the SpecifiedECDomain choice of EC 00942 * parameters (only known groups are supported, not arbitrary domains, to 00943 * avoid validation issues). 00944 * 00945 * Disable if you only need to support RFC 5915 + 5480 key formats. 00946 */ 00947 //#define MBEDTLS_PK_PARSE_EC_EXTENDED 00948 00949 /** 00950 * \def MBEDTLS_ERROR_STRERROR_DUMMY 00951 * 00952 * Enable a dummy error function to make use of mbedtls_strerror() in 00953 * third party libraries easier when MBEDTLS_ERROR_C is disabled 00954 * (no effect when MBEDTLS_ERROR_C is enabled). 00955 * 00956 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're 00957 * not using mbedtls_strerror() or error_strerror() in your application. 00958 * 00959 * Disable if you run into name conflicts and want to really remove the 00960 * mbedtls_strerror() 00961 */ 00962 #define MBEDTLS_ERROR_STRERROR_DUMMY 00963 00964 /** 00965 * \def MBEDTLS_GENPRIME 00966 * 00967 * Enable the prime-number generation code. 00968 * 00969 * Requires: MBEDTLS_BIGNUM_C 00970 */ 00971 //#define MBEDTLS_GENPRIME 00972 00973 /** 00974 * \def MBEDTLS_FS_IO 00975 * 00976 * Enable functions that use the filesystem. 00977 */ 00978 //#define MBEDTLS_FS_IO 00979 00980 /** 00981 * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 00982 * 00983 * Do not add default entropy sources. These are the platform specific, 00984 * mbedtls_timing_hardclock and HAVEGE based poll functions. 00985 * 00986 * This is useful to have more control over the added entropy sources in an 00987 * application. 00988 * 00989 * Uncomment this macro to prevent loading of default entropy functions. 00990 */ 00991 //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 00992 00993 /** 00994 * \def MBEDTLS_NO_PLATFORM_ENTROPY 00995 * 00996 * Do not use built-in platform entropy functions. 00997 * This is useful if your platform does not support 00998 * standards like the /dev/urandom or Windows CryptoAPI. 00999 * 01000 * Uncomment this macro to disable the built-in platform entropy functions. 01001 */ 01002 #define MBEDTLS_NO_PLATFORM_ENTROPY 01003 01004 /** 01005 * \def MBEDTLS_ENTROPY_FORCE_SHA256 01006 * 01007 * Force the entropy accumulator to use a SHA-256 accumulator instead of the 01008 * default SHA-512 based one (if both are available). 01009 * 01010 * Requires: MBEDTLS_SHA256_C 01011 * 01012 * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option 01013 * if you have performance concerns. 01014 * 01015 * This option is only useful if both MBEDTLS_SHA256_C and 01016 * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. 01017 */ 01018 //#define MBEDTLS_ENTROPY_FORCE_SHA256 01019 01020 /** 01021 * \def MBEDTLS_ENTROPY_NV_SEED 01022 * 01023 * Enable the non-volatile (NV) seed file-based entropy source. 01024 * (Also enables the NV seed read/write functions in the platform layer) 01025 * 01026 * This is crucial (if not required) on systems that do not have a 01027 * cryptographic entropy source (in hardware or kernel) available. 01028 * 01029 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C 01030 * 01031 * \note The read/write functions that are used by the entropy source are 01032 * determined in the platform layer, and can be modified at runtime and/or 01033 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. 01034 * 01035 * \note If you use the default implementation functions that read a seedfile 01036 * with regular fopen(), please make sure you make a seedfile with the 01037 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at 01038 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from 01039 * and written to or you will get an entropy source error! The default 01040 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE 01041 * bytes from the file. 01042 * 01043 * \note The entropy collector will write to the seed file before entropy is 01044 * given to an external source, to update it. 01045 */ 01046 //#define MBEDTLS_ENTROPY_NV_SEED 01047 01048 /** 01049 * \def MBEDTLS_MEMORY_DEBUG 01050 * 01051 * Enable debugging of buffer allocator memory issues. Automatically prints 01052 * (to stderr) all (fatal) messages on memory allocation issues. Enables 01053 * function for 'debug output' of allocated memory. 01054 * 01055 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C 01056 * 01057 * Uncomment this macro to let the buffer allocator print out error messages. 01058 */ 01059 //#define MBEDTLS_MEMORY_DEBUG 01060 01061 /** 01062 * \def MBEDTLS_MEMORY_BACKTRACE 01063 * 01064 * Include backtrace information with each allocated block. 01065 * 01066 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C 01067 * GLIBC-compatible backtrace() an backtrace_symbols() support 01068 * 01069 * Uncomment this macro to include backtrace information 01070 */ 01071 //#define MBEDTLS_MEMORY_BACKTRACE 01072 01073 /** 01074 * \def MBEDTLS_PK_RSA_ALT_SUPPORT 01075 * 01076 * Support external private RSA keys (eg from a HSM) in the PK layer. 01077 * 01078 * Comment this macro to disable support for external private RSA keys. 01079 */ 01080 #define MBEDTLS_PK_RSA_ALT_SUPPORT 01081 01082 /** 01083 * \def MBEDTLS_PKCS1_V15 01084 * 01085 * Enable support for PKCS#1 v1.5 encoding. 01086 * 01087 * Requires: MBEDTLS_RSA_C 01088 * 01089 * This enables support for PKCS#1 v1.5 operations. 01090 */ 01091 #define MBEDTLS_PKCS1_V15 01092 01093 /** 01094 * \def MBEDTLS_PKCS1_V21 01095 * 01096 * Enable support for PKCS#1 v2.1 encoding. 01097 * 01098 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C 01099 * 01100 * This enables support for RSAES-OAEP and RSASSA-PSS operations. 01101 */ 01102 #define MBEDTLS_PKCS1_V21 01103 01104 /** 01105 * \def MBEDTLS_RSA_NO_CRT 01106 * 01107 * Do not use the Chinese Remainder Theorem 01108 * for the RSA private operation. 01109 * 01110 * Uncomment this macro to disable the use of CRT in RSA. 01111 * 01112 */ 01113 //#define MBEDTLS_RSA_NO_CRT 01114 01115 /** 01116 * \def MBEDTLS_SELF_TEST 01117 * 01118 * Enable the checkup functions (*_self_test). 01119 */ 01120 #define MBEDTLS_SELF_TEST 01121 01122 /** 01123 * \def MBEDTLS_SHA256_SMALLER 01124 * 01125 * Enable an implementation of SHA-256 that has lower ROM footprint but also 01126 * lower performance. 01127 * 01128 * The default implementation is meant to be a reasonnable compromise between 01129 * performance and size. This version optimizes more aggressively for size at 01130 * the expense of performance. Eg on Cortex-M4 it reduces the size of 01131 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about 01132 * 30%. 01133 * 01134 * Uncomment to enable the smaller implementation of SHA256. 01135 */ 01136 //#define MBEDTLS_SHA256_SMALLER 01137 01138 /** 01139 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES 01140 * 01141 * Enable sending of alert messages in case of encountered errors as per RFC. 01142 * If you choose not to send the alert messages, mbed TLS can still communicate 01143 * with other servers, only debugging of failures is harder. 01144 * 01145 * The advantage of not sending alert messages, is that no information is given 01146 * about reasons for failures thus preventing adversaries of gaining intel. 01147 * 01148 * Enable sending of all alert messages 01149 */ 01150 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES 01151 01152 /** 01153 * \def MBEDTLS_SSL_DEBUG_ALL 01154 * 01155 * Enable the debug messages in SSL module for all issues. 01156 * Debug messages have been disabled in some places to prevent timing 01157 * attacks due to (unbalanced) debugging function calls. 01158 * 01159 * If you need all error reporting you should enable this during debugging, 01160 * but remove this for production servers that should log as well. 01161 * 01162 * Uncomment this macro to report all debug messages on errors introducing 01163 * a timing side-channel. 01164 * 01165 */ 01166 //#define MBEDTLS_SSL_DEBUG_ALL 01167 01168 /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC 01169 * 01170 * Enable support for Encrypt-then-MAC, RFC 7366. 01171 * 01172 * This allows peers that both support it to use a more robust protection for 01173 * ciphersuites using CBC, providing deep resistance against timing attacks 01174 * on the padding or underlying cipher. 01175 * 01176 * This only affects CBC ciphersuites, and is useless if none is defined. 01177 * 01178 * Requires: MBEDTLS_SSL_PROTO_TLS1 or 01179 * MBEDTLS_SSL_PROTO_TLS1_1 or 01180 * MBEDTLS_SSL_PROTO_TLS1_2 01181 * 01182 * Comment this macro to disable support for Encrypt-then-MAC 01183 */ 01184 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC 01185 01186 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET 01187 * 01188 * Enable support for Extended Master Secret, aka Session Hash 01189 * (draft-ietf-tls-session-hash-02). 01190 * 01191 * This was introduced as "the proper fix" to the Triple Handshake familiy of 01192 * attacks, but it is recommended to always use it (even if you disable 01193 * renegotiation), since it actually fixes a more fundamental issue in the 01194 * original SSL/TLS design, and has implications beyond Triple Handshake. 01195 * 01196 * Requires: MBEDTLS_SSL_PROTO_TLS1 or 01197 * MBEDTLS_SSL_PROTO_TLS1_1 or 01198 * MBEDTLS_SSL_PROTO_TLS1_2 01199 * 01200 * Comment this macro to disable support for Extended Master Secret. 01201 */ 01202 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET 01203 01204 /** 01205 * \def MBEDTLS_SSL_FALLBACK_SCSV 01206 * 01207 * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00). 01208 * 01209 * For servers, it is recommended to always enable this, unless you support 01210 * only one version of TLS, or know for sure that none of your clients 01211 * implements a fallback strategy. 01212 * 01213 * For clients, you only need this if you're using a fallback strategy, which 01214 * is not recommended in the first place, unless you absolutely need it to 01215 * interoperate with buggy (version-intolerant) servers. 01216 * 01217 * Comment this macro to disable support for FALLBACK_SCSV 01218 */ 01219 //#define MBEDTLS_SSL_FALLBACK_SCSV 01220 01221 /** 01222 * \def MBEDTLS_SSL_HW_RECORD_ACCEL 01223 * 01224 * Enable hooking functions in SSL module for hardware acceleration of 01225 * individual records. 01226 * 01227 * Uncomment this macro to enable hooking functions. 01228 */ 01229 //#define MBEDTLS_SSL_HW_RECORD_ACCEL 01230 01231 /** 01232 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING 01233 * 01234 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0. 01235 * 01236 * This is a countermeasure to the BEAST attack, which also minimizes the risk 01237 * of interoperability issues compared to sending 0-length records. 01238 * 01239 * Comment this macro to disable 1/n-1 record splitting. 01240 */ 01241 //#define MBEDTLS_SSL_CBC_RECORD_SPLITTING 01242 01243 /** 01244 * \def MBEDTLS_SSL_RENEGOTIATION 01245 * 01246 * Disable support for TLS renegotiation. 01247 * 01248 * The two main uses of renegotiation are (1) refresh keys on long-lived 01249 * connections and (2) client authentication after the initial handshake. 01250 * If you don't need renegotiation, it's probably better to disable it, since 01251 * it has been associated with security issues in the past and is easy to 01252 * misuse/misunderstand. 01253 * 01254 * Comment this to disable support for renegotiation. 01255 * 01256 * \note Even if this option is disabled, both client and server are aware 01257 * of the Renegotiation Indication Extension (RFC 5746) used to 01258 * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1). 01259 * (See \c mbedtls_ssl_conf_legacy_renegotiation for the 01260 * configuration of this extension). 01261 * 01262 */ 01263 #define MBEDTLS_SSL_RENEGOTIATION 01264 01265 /** 01266 * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO 01267 * 01268 * Enable support for receiving and parsing SSLv2 Client Hello messages for the 01269 * SSL Server module (MBEDTLS_SSL_SRV_C). 01270 * 01271 * Uncomment this macro to enable support for SSLv2 Client Hello messages. 01272 */ 01273 //#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO 01274 01275 /** 01276 * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE 01277 * 01278 * Pick the ciphersuite according to the client's preferences rather than ours 01279 * in the SSL Server module (MBEDTLS_SSL_SRV_C). 01280 * 01281 * Uncomment this macro to respect client's ciphersuite order 01282 */ 01283 //#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE 01284 01285 /** 01286 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 01287 * 01288 * Enable support for RFC 6066 max_fragment_length extension in SSL. 01289 * 01290 * Comment this macro to disable support for the max_fragment_length extension 01291 */ 01292 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 01293 01294 /** 01295 * \def MBEDTLS_SSL_PROTO_SSL3 01296 * 01297 * Enable support for SSL 3.0. 01298 * 01299 * Requires: MBEDTLS_MD5_C 01300 * MBEDTLS_SHA1_C 01301 * 01302 * Comment this macro to disable support for SSL 3.0 01303 */ 01304 //#define MBEDTLS_SSL_PROTO_SSL3 01305 01306 /** 01307 * \def MBEDTLS_SSL_PROTO_TLS1 01308 * 01309 * Enable support for TLS 1.0. 01310 * 01311 * Requires: MBEDTLS_MD5_C 01312 * MBEDTLS_SHA1_C 01313 * 01314 * Comment this macro to disable support for TLS 1.0 01315 */ 01316 //#define MBEDTLS_SSL_PROTO_TLS1 01317 01318 /** 01319 * \def MBEDTLS_SSL_PROTO_TLS1_1 01320 * 01321 * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). 01322 * 01323 * Requires: MBEDTLS_MD5_C 01324 * MBEDTLS_SHA1_C 01325 * 01326 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0 01327 */ 01328 //#define MBEDTLS_SSL_PROTO_TLS1_1 01329 01330 /** 01331 * \def MBEDTLS_SSL_PROTO_TLS1_2 01332 * 01333 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). 01334 * 01335 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C 01336 * (Depends on ciphersuites) 01337 * 01338 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 01339 */ 01340 #define MBEDTLS_SSL_PROTO_TLS1_2 01341 01342 /** 01343 * \def MBEDTLS_SSL_PROTO_DTLS 01344 * 01345 * Enable support for DTLS (all available versions). 01346 * 01347 * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, 01348 * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. 01349 * 01350 * Requires: MBEDTLS_SSL_PROTO_TLS1_1 01351 * or MBEDTLS_SSL_PROTO_TLS1_2 01352 * 01353 * Comment this macro to disable support for DTLS 01354 */ 01355 #define MBEDTLS_SSL_PROTO_DTLS 01356 01357 /** 01358 * \def MBEDTLS_SSL_ALPN 01359 * 01360 * Enable support for RFC 7301 Application Layer Protocol Negotiation. 01361 * 01362 * Comment this macro to disable support for ALPN. 01363 */ 01364 #define MBEDTLS_SSL_ALPN 01365 01366 /** 01367 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY 01368 * 01369 * Enable support for the anti-replay mechanism in DTLS. 01370 * 01371 * Requires: MBEDTLS_SSL_TLS_C 01372 * MBEDTLS_SSL_PROTO_DTLS 01373 * 01374 * \warning Disabling this is often a security risk! 01375 * See mbedtls_ssl_conf_dtls_anti_replay() for details. 01376 * 01377 * Comment this to disable anti-replay in DTLS. 01378 */ 01379 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY 01380 01381 /** 01382 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY 01383 * 01384 * Enable support for HelloVerifyRequest on DTLS servers. 01385 * 01386 * This feature is highly recommended to prevent DTLS servers being used as 01387 * amplifiers in DoS attacks against other hosts. It should always be enabled 01388 * unless you know for sure amplification cannot be a problem in the 01389 * environment in which your server operates. 01390 * 01391 * \warning Disabling this can ba a security risk! (see above) 01392 * 01393 * Requires: MBEDTLS_SSL_PROTO_DTLS 01394 * 01395 * Comment this to disable support for HelloVerifyRequest. 01396 */ 01397 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY 01398 01399 /** 01400 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 01401 * 01402 * Enable server-side support for clients that reconnect from the same port. 01403 * 01404 * Some clients unexpectedly close the connection and try to reconnect using the 01405 * same source port. This needs special support from the server to handle the 01406 * new connection securely, as described in section 4.2.8 of RFC 6347. This 01407 * flag enables that support. 01408 * 01409 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY 01410 * 01411 * Comment this to disable support for clients reusing the source port. 01412 */ 01413 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 01414 01415 /** 01416 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT 01417 * 01418 * Enable support for a limit of records with bad MAC. 01419 * 01420 * See mbedtls_ssl_conf_dtls_badmac_limit(). 01421 * 01422 * Requires: MBEDTLS_SSL_PROTO_DTLS 01423 */ 01424 #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT 01425 01426 /** 01427 * \def MBEDTLS_SSL_SESSION_TICKETS 01428 * 01429 * Enable support for RFC 5077 session tickets in SSL. 01430 * Client-side, provides full support for session tickets (maintainance of a 01431 * session store remains the responsibility of the application, though). 01432 * Server-side, you also need to provide callbacks for writing and parsing 01433 * tickets, including authenticated encryption and key management. Example 01434 * callbacks are provided by MBEDTLS_SSL_TICKET_C. 01435 * 01436 * Comment this macro to disable support for SSL session tickets 01437 */ 01438 #define MBEDTLS_SSL_SESSION_TICKETS 01439 01440 /** 01441 * \def MBEDTLS_SSL_EXPORT_KEYS 01442 * 01443 * Enable support for exporting key block and master secret. 01444 * This is required for certain users of TLS, e.g. EAP-TLS. 01445 * 01446 * Comment this macro to disable support for key export 01447 */ 01448 #define MBEDTLS_SSL_EXPORT_KEYS 01449 01450 /** 01451 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION 01452 * 01453 * Enable support for RFC 6066 server name indication (SNI) in SSL. 01454 * 01455 * Requires: MBEDTLS_X509_CRT_PARSE_C 01456 * 01457 * Comment this macro to disable support for server name indication in SSL 01458 */ 01459 #define MBEDTLS_SSL_SERVER_NAME_INDICATION 01460 01461 /** 01462 * \def MBEDTLS_SSL_TRUNCATED_HMAC 01463 * 01464 * Enable support for RFC 6066 truncated HMAC in SSL. 01465 * 01466 * Comment this macro to disable support for truncated HMAC in SSL 01467 */ 01468 //#define MBEDTLS_SSL_TRUNCATED_HMAC 01469 01470 /** 01471 * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 01472 * 01473 * Fallback to old (pre-2.7), non-conforming implementation of the truncated 01474 * HMAC extension which also truncates the HMAC key. Note that this option is 01475 * only meant for a transitory upgrade period and is likely to be removed in 01476 * a future version of the library. 01477 * 01478 * \warning The old implementation is non-compliant and has a security weakness 01479 * (2^80 brute force attack on the HMAC key used for a single, 01480 * uninterrupted connection). This should only be enabled temporarily 01481 * when (1) the use of truncated HMAC is essential in order to save 01482 * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use 01483 * the fixed implementation yet (pre-2.7). 01484 * 01485 * \deprecated This option is deprecated and will likely be removed in a 01486 * future version of Mbed TLS. 01487 * 01488 * Uncomment to fallback to old, non-compliant truncated HMAC implementation. 01489 * 01490 * Requires: MBEDTLS_SSL_TRUNCATED_HMAC 01491 */ 01492 //#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 01493 01494 /** 01495 * \def MBEDTLS_THREADING_ALT 01496 * 01497 * Provide your own alternate threading implementation. 01498 * 01499 * Requires: MBEDTLS_THREADING_C 01500 * 01501 * Uncomment this to allow your own alternate threading implementation. 01502 */ 01503 //#define MBEDTLS_THREADING_ALT 01504 01505 /** 01506 * \def MBEDTLS_THREADING_PTHREAD 01507 * 01508 * Enable the pthread wrapper layer for the threading layer. 01509 * 01510 * Requires: MBEDTLS_THREADING_C 01511 * 01512 * Uncomment this to enable pthread mutexes. 01513 */ 01514 //#define MBEDTLS_THREADING_PTHREAD 01515 01516 /** 01517 * \def MBEDTLS_VERSION_FEATURES 01518 * 01519 * Allow run-time checking of compile-time enabled features. Thus allowing users 01520 * to check at run-time if the library is for instance compiled with threading 01521 * support via mbedtls_version_check_feature(). 01522 * 01523 * Requires: MBEDTLS_VERSION_C 01524 * 01525 * Comment this to disable run-time checking and save ROM space 01526 */ 01527 #define MBEDTLS_VERSION_FEATURES 01528 01529 /** 01530 * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 01531 * 01532 * If set, the X509 parser will not break-off when parsing an X509 certificate 01533 * and encountering an extension in a v1 or v2 certificate. 01534 * 01535 * Uncomment to prevent an error. 01536 */ 01537 //#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 01538 01539 /** 01540 * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 01541 * 01542 * If set, the X509 parser will not break-off when parsing an X509 certificate 01543 * and encountering an unknown critical extension. 01544 * 01545 * \warning Depending on your PKI use, enabling this can be a security risk! 01546 * 01547 * Uncomment to prevent an error. 01548 */ 01549 //#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 01550 01551 /** 01552 * \def MBEDTLS_X509_CHECK_KEY_USAGE 01553 * 01554 * Enable verification of the keyUsage extension (CA and leaf certificates). 01555 * 01556 * Disabling this avoids problems with mis-issued and/or misused 01557 * (intermediate) CA and leaf certificates. 01558 * 01559 * \warning Depending on your PKI use, disabling this can be a security risk! 01560 * 01561 * Comment to skip keyUsage checking for both CA and leaf certificates. 01562 */ 01563 #define MBEDTLS_X509_CHECK_KEY_USAGE 01564 01565 /** 01566 * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 01567 * 01568 * Enable verification of the extendedKeyUsage extension (leaf certificates). 01569 * 01570 * Disabling this avoids problems with mis-issued and/or misused certificates. 01571 * 01572 * \warning Depending on your PKI use, disabling this can be a security risk! 01573 * 01574 * Comment to skip extendedKeyUsage checking for certificates. 01575 */ 01576 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 01577 01578 /** 01579 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT 01580 * 01581 * Enable parsing and verification of X.509 certificates, CRLs and CSRS 01582 * signed with RSASSA-PSS (aka PKCS#1 v2.1). 01583 * 01584 * Comment this macro to disallow using RSASSA-PSS in certificates. 01585 */ 01586 //#define MBEDTLS_X509_RSASSA_PSS_SUPPORT 01587 01588 /** 01589 * \def MBEDTLS_ZLIB_SUPPORT 01590 * 01591 * If set, the SSL/TLS module uses ZLIB to support compression and 01592 * decompression of packet data. 01593 * 01594 * \warning TLS-level compression MAY REDUCE SECURITY! See for example the 01595 * CRIME attack. Before enabling this option, you should examine with care if 01596 * CRIME or similar exploits may be a applicable to your use case. 01597 * 01598 * \note Currently compression can't be used with DTLS. 01599 * 01600 * \deprecated This feature is deprecated and will be removed 01601 * in the next major revision of the library. 01602 * 01603 * Used in: library/ssl_tls.c 01604 * library/ssl_cli.c 01605 * library/ssl_srv.c 01606 * 01607 * This feature requires zlib library and headers to be present. 01608 * 01609 * Uncomment to enable use of ZLIB 01610 */ 01611 //#define MBEDTLS_ZLIB_SUPPORT 01612 /* \} name SECTION: mbed TLS feature support */ 01613 01614 /** 01615 * \name SECTION: mbed TLS modules 01616 * 01617 * This section enables or disables entire modules in mbed TLS 01618 * \{ 01619 */ 01620 01621 /** 01622 * \def MBEDTLS_AESNI_C 01623 * 01624 * Enable AES-NI support on x86-64. 01625 * 01626 * Module: library/aesni.c 01627 * Caller: library/aes.c 01628 * 01629 * Requires: MBEDTLS_HAVE_ASM 01630 * 01631 * This modules adds support for the AES-NI instructions on x86-64 01632 */ 01633 //#define MBEDTLS_AESNI_C 01634 01635 /** 01636 * \def MBEDTLS_AES_C 01637 * 01638 * Enable the AES block cipher. 01639 * 01640 * Module: library/aes.c 01641 * Caller: library/cipher.c 01642 * library/pem.c 01643 * library/ctr_drbg.c 01644 * 01645 * This module enables the following ciphersuites (if other requisites are 01646 * enabled as well): 01647 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 01648 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 01649 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 01650 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 01651 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 01652 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 01653 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 01654 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 01655 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 01656 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 01657 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 01658 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 01659 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 01660 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 01661 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 01662 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 01663 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 01664 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 01665 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 01666 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 01667 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 01668 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 01669 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 01670 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 01671 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 01672 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 01673 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 01674 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 01675 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 01676 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 01677 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 01678 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 01679 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 01680 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 01681 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 01682 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 01683 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 01684 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 01685 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 01686 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 01687 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 01688 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 01689 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 01690 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 01691 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 01692 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 01693 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 01694 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 01695 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 01696 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 01697 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 01698 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 01699 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 01700 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 01701 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 01702 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 01703 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 01704 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 01705 * 01706 * PEM_PARSE uses AES for decrypting encrypted keys. 01707 */ 01708 #define MBEDTLS_AES_C 01709 01710 /** 01711 * \def MBEDTLS_ARC4_C 01712 * 01713 * Enable the ARCFOUR stream cipher. 01714 * 01715 * Module: library/arc4.c 01716 * Caller: library/cipher.c 01717 * 01718 * This module enables the following ciphersuites (if other requisites are 01719 * enabled as well): 01720 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 01721 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA 01722 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 01723 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA 01724 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 01725 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA 01726 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA 01727 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 01728 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA 01729 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA 01730 * 01731 * \warning ARC4 is considered a weak cipher and its use constitutes a 01732 * security risk. If possible, we recommend avoidng dependencies on 01733 * it, and considering stronger ciphers instead. 01734 * 01735 */ 01736 //#define MBEDTLS_ARC4_C 01737 01738 /** 01739 * \def MBEDTLS_ASN1_PARSE_C 01740 * 01741 * Enable the generic ASN1 parser. 01742 * 01743 * Module: library/asn1.c 01744 * Caller: library/x509.c 01745 * library/dhm.c 01746 * library/pkcs12.c 01747 * library/pkcs5.c 01748 * library/pkparse.c 01749 */ 01750 #define MBEDTLS_ASN1_PARSE_C 01751 01752 /** 01753 * \def MBEDTLS_ASN1_WRITE_C 01754 * 01755 * Enable the generic ASN1 writer. 01756 * 01757 * Module: library/asn1write.c 01758 * Caller: library/ecdsa.c 01759 * library/pkwrite.c 01760 * library/x509_create.c 01761 * library/x509write_crt.c 01762 * library/x509write_csr.c 01763 */ 01764 #define MBEDTLS_ASN1_WRITE_C 01765 01766 /** 01767 * \def MBEDTLS_BASE64_C 01768 * 01769 * Enable the Base64 module. 01770 * 01771 * Module: library/base64.c 01772 * Caller: library/pem.c 01773 * 01774 * This module is required for PEM support (required by X.509). 01775 */ 01776 #define MBEDTLS_BASE64_C 01777 01778 /** 01779 * \def MBEDTLS_BIGNUM_C 01780 * 01781 * Enable the multi-precision integer library. 01782 * 01783 * Module: library/bignum.c 01784 * Caller: library/dhm.c 01785 * library/ecp.c 01786 * library/ecdsa.c 01787 * library/rsa.c 01788 * library/rsa_internal.c 01789 * library/ssl_tls.c 01790 * 01791 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. 01792 */ 01793 #define MBEDTLS_BIGNUM_C 01794 01795 /** 01796 * \def MBEDTLS_BLOWFISH_C 01797 * 01798 * Enable the Blowfish block cipher. 01799 * 01800 * Module: library/blowfish.c 01801 */ 01802 //#define MBEDTLS_BLOWFISH_C 01803 01804 /** 01805 * \def MBEDTLS_CAMELLIA_C 01806 * 01807 * Enable the Camellia block cipher. 01808 * 01809 * Module: library/camellia.c 01810 * Caller: library/cipher.c 01811 * 01812 * This module enables the following ciphersuites (if other requisites are 01813 * enabled as well): 01814 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 01815 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 01816 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 01817 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 01818 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 01819 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 01820 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 01821 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 01822 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 01823 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 01824 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 01825 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 01826 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 01827 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 01828 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 01829 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 01830 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 01831 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 01832 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 01833 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 01834 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 01835 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 01836 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 01837 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 01838 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 01839 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 01840 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 01841 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 01842 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 01843 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 01844 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 01845 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 01846 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 01847 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 01848 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 01849 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 01850 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 01851 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 01852 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 01853 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 01854 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 01855 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 01856 */ 01857 //#define MBEDTLS_CAMELLIA_C 01858 01859 /** 01860 * \def MBEDTLS_ARIA_C 01861 * 01862 * Enable the ARIA block cipher. 01863 * 01864 * Module: library/aria.c 01865 * Caller: library/cipher.c 01866 * 01867 * This module enables the following ciphersuites (if other requisites are 01868 * enabled as well): 01869 * 01870 * MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 01871 * MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 01872 * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 01873 * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 01874 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 01875 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 01876 * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 01877 * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 01878 * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 01879 * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 01880 * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 01881 * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 01882 * MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 01883 * MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 01884 * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 01885 * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 01886 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 01887 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 01888 * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 01889 * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 01890 * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 01891 * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 01892 * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 01893 * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 01894 * MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 01895 * MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 01896 * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 01897 * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 01898 * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 01899 * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 01900 * MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 01901 * MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 01902 * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 01903 * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 01904 * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 01905 * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 01906 * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 01907 * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 01908 */ 01909 //#define MBEDTLS_ARIA_C 01910 01911 /** 01912 * \def MBEDTLS_CCM_C 01913 * 01914 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. 01915 * 01916 * Module: library/ccm.c 01917 * 01918 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C 01919 * 01920 * This module enables the AES-CCM ciphersuites, if other requisites are 01921 * enabled as well. 01922 */ 01923 #define MBEDTLS_CCM_C 01924 01925 /** 01926 * \def MBEDTLS_CERTS_C 01927 * 01928 * Enable the test certificates. 01929 * 01930 * Module: library/certs.c 01931 * Caller: 01932 * 01933 * This module is used for testing (ssl_client/server). 01934 */ 01935 #define MBEDTLS_CERTS_C 01936 01937 /** 01938 * \def MBEDTLS_CIPHER_C 01939 * 01940 * Enable the generic cipher layer. 01941 * 01942 * Module: library/cipher.c 01943 * Caller: library/ssl_tls.c 01944 * 01945 * Uncomment to enable generic cipher wrappers. 01946 */ 01947 #define MBEDTLS_CIPHER_C 01948 01949 /** 01950 * \def MBEDTLS_CMAC_C 01951 * 01952 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block 01953 * ciphers. 01954 * 01955 * Module: library/cmac.c 01956 * 01957 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C 01958 * 01959 */ 01960 #define MBEDTLS_CMAC_C 01961 01962 /** 01963 * \def MBEDTLS_CTR_DRBG_C 01964 * 01965 * Enable the CTR_DRBG AES-256-based random generator. 01966 * 01967 * Module: library/ctr_drbg.c 01968 * Caller: 01969 * 01970 * Requires: MBEDTLS_AES_C 01971 * 01972 * This module provides the CTR_DRBG AES-256 random number generator. 01973 */ 01974 #define MBEDTLS_CTR_DRBG_C 01975 01976 /** 01977 * \def MBEDTLS_DEBUG_C 01978 * 01979 * Enable the debug functions. 01980 * 01981 * Module: library/debug.c 01982 * Caller: library/ssl_cli.c 01983 * library/ssl_srv.c 01984 * library/ssl_tls.c 01985 * 01986 * This module provides debugging functions. 01987 */ 01988 #define MBEDTLS_DEBUG_C 01989 01990 /** 01991 * \def MBEDTLS_DES_C 01992 * 01993 * Enable the DES block cipher. 01994 * 01995 * Module: library/des.c 01996 * Caller: library/pem.c 01997 * library/cipher.c 01998 * 01999 * This module enables the following ciphersuites (if other requisites are 02000 * enabled as well): 02001 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 02002 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 02003 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 02004 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 02005 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 02006 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 02007 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 02008 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 02009 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 02010 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 02011 * 02012 * PEM_PARSE uses DES/3DES for decrypting encrypted keys. 02013 * 02014 * \warning DES is considered a weak cipher and its use constitutes a 02015 * security risk. We recommend considering stronger ciphers instead. 02016 */ 02017 //#define MBEDTLS_DES_C 02018 02019 /** 02020 * \def MBEDTLS_DHM_C 02021 * 02022 * Enable the Diffie-Hellman-Merkle module. 02023 * 02024 * Module: library/dhm.c 02025 * Caller: library/ssl_cli.c 02026 * library/ssl_srv.c 02027 * 02028 * This module is used by the following key exchanges: 02029 * DHE-RSA, DHE-PSK 02030 * 02031 * \warning Using DHE constitutes a security risk as it 02032 * is not possible to validate custom DH parameters. 02033 * If possible, it is recommended users should consider 02034 * preferring other methods of key exchange. 02035 * See dhm.h for more details. 02036 * 02037 */ 02038 //#define MBEDTLS_DHM_C 02039 02040 /** 02041 * \def MBEDTLS_ECDH_C 02042 * 02043 * Enable the elliptic curve Diffie-Hellman library. 02044 * 02045 * Module: library/ecdh.c 02046 * Caller: library/ssl_cli.c 02047 * library/ssl_srv.c 02048 * 02049 * This module is used by the following key exchanges: 02050 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK 02051 * 02052 * Requires: MBEDTLS_ECP_C 02053 */ 02054 #define MBEDTLS_ECDH_C 02055 02056 /** 02057 * \def MBEDTLS_ECDSA_C 02058 * 02059 * Enable the elliptic curve DSA library. 02060 * 02061 * Module: library/ecdsa.c 02062 * Caller: 02063 * 02064 * This module is used by the following key exchanges: 02065 * ECDHE-ECDSA 02066 * 02067 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C 02068 */ 02069 #define MBEDTLS_ECDSA_C 02070 02071 /** 02072 * \def MBEDTLS_ECJPAKE_C 02073 * 02074 * Enable the elliptic curve J-PAKE library. 02075 * 02076 * \warning This is currently experimental. EC J-PAKE support is based on the 02077 * Thread v1.0.0 specification; incompatible changes to the specification 02078 * might still happen. For this reason, this is disabled by default. 02079 * 02080 * Module: library/ecjpake.c 02081 * Caller: 02082 * 02083 * This module is used by the following key exchanges: 02084 * ECJPAKE 02085 * 02086 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C 02087 */ 02088 //#define MBEDTLS_ECJPAKE_C 02089 02090 /** 02091 * \def MBEDTLS_ECP_C 02092 * 02093 * Enable the elliptic curve over GF(p) library. 02094 * 02095 * Module: library/ecp.c 02096 * Caller: library/ecdh.c 02097 * library/ecdsa.c 02098 * library/ecjpake.c 02099 * 02100 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED 02101 */ 02102 #define MBEDTLS_ECP_C 02103 02104 /** 02105 * \def MBEDTLS_ENTROPY_C 02106 * 02107 * Enable the platform-specific entropy code. 02108 * 02109 * Module: library/entropy.c 02110 * Caller: 02111 * 02112 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 02113 * 02114 * This module provides a generic entropy pool 02115 */ 02116 #define MBEDTLS_ENTROPY_C 02117 02118 /** 02119 * \def MBEDTLS_ERROR_C 02120 * 02121 * Enable error code to error string conversion. 02122 * 02123 * Module: library/error.c 02124 * Caller: 02125 * 02126 * This module enables mbedtls_strerror(). 02127 */ 02128 #define MBEDTLS_ERROR_C 02129 02130 /** 02131 * \def MBEDTLS_GCM_C 02132 * 02133 * Enable the Galois/Counter Mode (GCM) for AES. 02134 * 02135 * Module: library/gcm.c 02136 * 02137 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C 02138 * 02139 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other 02140 * requisites are enabled as well. 02141 */ 02142 #define MBEDTLS_GCM_C 02143 02144 /** 02145 * \def MBEDTLS_HAVEGE_C 02146 * 02147 * Enable the HAVEGE random generator. 02148 * 02149 * Warning: the HAVEGE random generator is not suitable for virtualized 02150 * environments 02151 * 02152 * Warning: the HAVEGE random generator is dependent on timing and specific 02153 * processor traits. It is therefore not advised to use HAVEGE as 02154 * your applications primary random generator or primary entropy pool 02155 * input. As a secondary input to your entropy pool, it IS able add 02156 * the (limited) extra entropy it provides. 02157 * 02158 * Module: library/havege.c 02159 * Caller: 02160 * 02161 * Requires: MBEDTLS_TIMING_C 02162 * 02163 * Uncomment to enable the HAVEGE random generator. 02164 */ 02165 //#define MBEDTLS_HAVEGE_C 02166 02167 /** 02168 * \def MBEDTLS_HMAC_DRBG_C 02169 * 02170 * Enable the HMAC_DRBG random generator. 02171 * 02172 * Module: library/hmac_drbg.c 02173 * Caller: 02174 * 02175 * Requires: MBEDTLS_MD_C 02176 * 02177 * Uncomment to enable the HMAC_DRBG random number geerator. 02178 */ 02179 #define MBEDTLS_HMAC_DRBG_C 02180 02181 /** 02182 * \def MBEDTLS_MD_C 02183 * 02184 * Enable the generic message digest layer. 02185 * 02186 * Module: library/md.c 02187 * Caller: 02188 * 02189 * Uncomment to enable generic message digest wrappers. 02190 */ 02191 #define MBEDTLS_MD_C 02192 02193 /** 02194 * \def MBEDTLS_MD2_C 02195 * 02196 * Enable the MD2 hash algorithm. 02197 * 02198 * Module: library/md2.c 02199 * Caller: 02200 * 02201 * Uncomment to enable support for (rare) MD2-signed X.509 certs. 02202 * 02203 * \warning MD2 is considered a weak message digest and its use constitutes a 02204 * security risk. If possible, we recommend avoiding dependencies on 02205 * it, and considering stronger message digests instead. 02206 * 02207 */ 02208 //#define MBEDTLS_MD2_C 02209 02210 /** 02211 * \def MBEDTLS_MD4_C 02212 * 02213 * Enable the MD4 hash algorithm. 02214 * 02215 * Module: library/md4.c 02216 * Caller: 02217 * 02218 * Uncomment to enable support for (rare) MD4-signed X.509 certs. 02219 * 02220 * \warning MD4 is considered a weak message digest and its use constitutes a 02221 * security risk. If possible, we recommend avoiding dependencies on 02222 * it, and considering stronger message digests instead. 02223 * 02224 */ 02225 //#define MBEDTLS_MD4_C 02226 02227 /** 02228 * \def MBEDTLS_MD5_C 02229 * 02230 * Enable the MD5 hash algorithm. 02231 * 02232 * Module: library/md5.c 02233 * Caller: library/md.c 02234 * library/pem.c 02235 * library/ssl_tls.c 02236 * 02237 * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2 02238 * depending on the handshake parameters. Further, it is used for checking 02239 * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded 02240 * encrypted keys. 02241 * 02242 * \warning MD5 is considered a weak message digest and its use constitutes a 02243 * security risk. If possible, we recommend avoiding dependencies on 02244 * it, and considering stronger message digests instead. 02245 * 02246 */ 02247 //#define MBEDTLS_MD5_C 02248 02249 /** 02250 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C 02251 * 02252 * Enable the buffer allocator implementation that makes use of a (stack) 02253 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() 02254 * calls) 02255 * 02256 * Module: library/memory_buffer_alloc.c 02257 * 02258 * Requires: MBEDTLS_PLATFORM_C 02259 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) 02260 * 02261 * Enable this module to enable the buffer memory allocator. 02262 */ 02263 //#define MBEDTLS_MEMORY_BUFFER_ALLOC_C 02264 02265 /** 02266 * \def MBEDTLS_NET_C 02267 * 02268 * Enable the TCP and UDP over IPv6/IPv4 networking routines. 02269 * 02270 * \note This module only works on POSIX/Unix (including Linux, BSD and OS X) 02271 * and Windows. For other platforms, you'll want to disable it, and write your 02272 * own networking callbacks to be passed to \c mbedtls_ssl_set_bio(). 02273 * 02274 * \note See also our Knowledge Base article about porting to a new 02275 * environment: 02276 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 02277 * 02278 * Module: library/net_sockets.c 02279 * 02280 * This module provides networking routines. 02281 */ 02282 //#define MBEDTLS_NET_C 02283 02284 /** 02285 * \def MBEDTLS_OID_C 02286 * 02287 * Enable the OID database. 02288 * 02289 * Module: library/oid.c 02290 * Caller: library/asn1write.c 02291 * library/pkcs5.c 02292 * library/pkparse.c 02293 * library/pkwrite.c 02294 * library/rsa.c 02295 * library/x509.c 02296 * library/x509_create.c 02297 * library/x509_crl.c 02298 * library/x509_crt.c 02299 * library/x509_csr.c 02300 * library/x509write_crt.c 02301 * library/x509write_csr.c 02302 * 02303 * This modules translates between OIDs and internal values. 02304 */ 02305 #define MBEDTLS_OID_C 02306 02307 /** 02308 * \def MBEDTLS_PADLOCK_C 02309 * 02310 * Enable VIA Padlock support on x86. 02311 * 02312 * Module: library/padlock.c 02313 * Caller: library/aes.c 02314 * 02315 * Requires: MBEDTLS_HAVE_ASM 02316 * 02317 * This modules adds support for the VIA PadLock on x86. 02318 */ 02319 //#define MBEDTLS_PADLOCK_C 02320 02321 /** 02322 * \def MBEDTLS_PEM_PARSE_C 02323 * 02324 * Enable PEM decoding / parsing. 02325 * 02326 * Module: library/pem.c 02327 * Caller: library/dhm.c 02328 * library/pkparse.c 02329 * library/x509_crl.c 02330 * library/x509_crt.c 02331 * library/x509_csr.c 02332 * 02333 * Requires: MBEDTLS_BASE64_C 02334 * 02335 * This modules adds support for decoding / parsing PEM files. 02336 */ 02337 #define MBEDTLS_PEM_PARSE_C 02338 02339 /** 02340 * \def MBEDTLS_PEM_WRITE_C 02341 * 02342 * Enable PEM encoding / writing. 02343 * 02344 * Module: library/pem.c 02345 * Caller: library/pkwrite.c 02346 * library/x509write_crt.c 02347 * library/x509write_csr.c 02348 * 02349 * Requires: MBEDTLS_BASE64_C 02350 * 02351 * This modules adds support for encoding / writing PEM files. 02352 */ 02353 //#define MBEDTLS_PEM_WRITE_C 02354 02355 /** 02356 * \def MBEDTLS_PK_C 02357 * 02358 * Enable the generic public (asymetric) key layer. 02359 * 02360 * Module: library/pk.c 02361 * Caller: library/ssl_tls.c 02362 * library/ssl_cli.c 02363 * library/ssl_srv.c 02364 * 02365 * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C 02366 * 02367 * Uncomment to enable generic public key wrappers. 02368 */ 02369 #define MBEDTLS_PK_C 02370 02371 /** 02372 * \def MBEDTLS_PK_PARSE_C 02373 * 02374 * Enable the generic public (asymetric) key parser. 02375 * 02376 * Module: library/pkparse.c 02377 * Caller: library/x509_crt.c 02378 * library/x509_csr.c 02379 * 02380 * Requires: MBEDTLS_PK_C 02381 * 02382 * Uncomment to enable generic public key parse functions. 02383 */ 02384 #define MBEDTLS_PK_PARSE_C 02385 02386 /** 02387 * \def MBEDTLS_PK_WRITE_C 02388 * 02389 * Enable the generic public (asymetric) key writer. 02390 * 02391 * Module: library/pkwrite.c 02392 * Caller: library/x509write.c 02393 * 02394 * Requires: MBEDTLS_PK_C 02395 * 02396 * Uncomment to enable generic public key write functions. 02397 */ 02398 #define MBEDTLS_PK_WRITE_C 02399 02400 /** 02401 * \def MBEDTLS_PKCS5_C 02402 * 02403 * Enable PKCS#5 functions. 02404 * 02405 * Module: library/pkcs5.c 02406 * 02407 * Requires: MBEDTLS_MD_C 02408 * 02409 * This module adds support for the PKCS#5 functions. 02410 */ 02411 //#define MBEDTLS_PKCS5_C 02412 02413 /** 02414 * \def MBEDTLS_PKCS11_C 02415 * 02416 * Enable wrapper for PKCS#11 smartcard support. 02417 * 02418 * Module: library/pkcs11.c 02419 * Caller: library/pk.c 02420 * 02421 * Requires: MBEDTLS_PK_C 02422 * 02423 * This module enables SSL/TLS PKCS #11 smartcard support. 02424 * Requires the presence of the PKCS#11 helper library (libpkcs11-helper) 02425 */ 02426 //#define MBEDTLS_PKCS11_C 02427 02428 /** 02429 * \def MBEDTLS_PKCS12_C 02430 * 02431 * Enable PKCS#12 PBE functions. 02432 * Adds algorithms for parsing PKCS#8 encrypted private keys 02433 * 02434 * Module: library/pkcs12.c 02435 * Caller: library/pkparse.c 02436 * 02437 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C 02438 * Can use: MBEDTLS_ARC4_C 02439 * 02440 * This module enables PKCS#12 functions. 02441 */ 02442 //#define MBEDTLS_PKCS12_C 02443 02444 /** 02445 * \def MBEDTLS_PLATFORM_C 02446 * 02447 * Enable the platform abstraction layer that allows you to re-assign 02448 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 02449 * 02450 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 02451 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 02452 * above to be specified at runtime or compile time respectively. 02453 * 02454 * \note This abstraction layer must be enabled on Windows (including MSYS2) 02455 * as other module rely on it for a fixed snprintf implementation. 02456 * 02457 * Module: library/platform.c 02458 * Caller: Most other .c files 02459 * 02460 * This module enables abstraction of common (libc) functions. 02461 */ 02462 #define MBEDTLS_PLATFORM_C 02463 02464 /** 02465 * \def MBEDTLS_RIPEMD160_C 02466 * 02467 * Enable the RIPEMD-160 hash algorithm. 02468 * 02469 * Module: library/ripemd160.c 02470 * Caller: library/md.c 02471 * 02472 */ 02473 //#define MBEDTLS_RIPEMD160_C 02474 02475 /** 02476 * \def MBEDTLS_RSA_C 02477 * 02478 * Enable the RSA public-key cryptosystem. 02479 * 02480 * Module: library/rsa.c 02481 * library/rsa_internal.c 02482 * Caller: library/ssl_cli.c 02483 * library/ssl_srv.c 02484 * library/ssl_tls.c 02485 * library/x509.c 02486 * 02487 * This module is used by the following key exchanges: 02488 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK 02489 * 02490 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C 02491 */ 02492 #define MBEDTLS_RSA_C 02493 02494 /** 02495 * \def MBEDTLS_SHA1_C 02496 * 02497 * Enable the SHA1 cryptographic hash algorithm. 02498 * 02499 * Module: library/sha1.c 02500 * Caller: library/md.c 02501 * library/ssl_cli.c 02502 * library/ssl_srv.c 02503 * library/ssl_tls.c 02504 * library/x509write_crt.c 02505 * 02506 * This module is required for SSL/TLS up to version 1.1, for TLS 1.2 02507 * depending on the handshake parameters, and for SHA1-signed certificates. 02508 * 02509 * \warning SHA-1 is considered a weak message digest and its use constitutes 02510 * a security risk. If possible, we recommend avoiding dependencies 02511 * on it, and considering stronger message digests instead. 02512 * 02513 */ 02514 //#define MBEDTLS_SHA1_C 02515 02516 /** 02517 * \def MBEDTLS_SHA256_C 02518 * 02519 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms. 02520 * 02521 * Module: library/sha256.c 02522 * Caller: library/entropy.c 02523 * library/md.c 02524 * library/ssl_cli.c 02525 * library/ssl_srv.c 02526 * library/ssl_tls.c 02527 * 02528 * This module adds support for SHA-224 and SHA-256. 02529 * This module is required for the SSL/TLS 1.2 PRF function. 02530 */ 02531 #define MBEDTLS_SHA256_C 02532 02533 /** 02534 * \def MBEDTLS_SHA512_C 02535 * 02536 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms. 02537 * 02538 * Module: library/sha512.c 02539 * Caller: library/entropy.c 02540 * library/md.c 02541 * library/ssl_cli.c 02542 * library/ssl_srv.c 02543 * 02544 * This module adds support for SHA-384 and SHA-512. 02545 */ 02546 #define MBEDTLS_SHA512_C 02547 02548 /** 02549 * \def MBEDTLS_SSL_CACHE_C 02550 * 02551 * Enable simple SSL cache implementation. 02552 * 02553 * Module: library/ssl_cache.c 02554 * Caller: 02555 * 02556 * Requires: MBEDTLS_SSL_CACHE_C 02557 */ 02558 #define MBEDTLS_SSL_CACHE_C 02559 02560 /** 02561 * \def MBEDTLS_SSL_COOKIE_C 02562 * 02563 * Enable basic implementation of DTLS cookies for hello verification. 02564 * 02565 * Module: library/ssl_cookie.c 02566 * Caller: 02567 */ 02568 #define MBEDTLS_SSL_COOKIE_C 02569 02570 /** 02571 * \def MBEDTLS_SSL_TICKET_C 02572 * 02573 * Enable an implementation of TLS server-side callbacks for session tickets. 02574 * 02575 * Module: library/ssl_ticket.c 02576 * Caller: 02577 * 02578 * Requires: MBEDTLS_CIPHER_C 02579 */ 02580 #define MBEDTLS_SSL_TICKET_C 02581 02582 /** 02583 * \def MBEDTLS_SSL_CLI_C 02584 * 02585 * Enable the SSL/TLS client code. 02586 * 02587 * Module: library/ssl_cli.c 02588 * Caller: 02589 * 02590 * Requires: MBEDTLS_SSL_TLS_C 02591 * 02592 * This module is required for SSL/TLS client support. 02593 */ 02594 #define MBEDTLS_SSL_CLI_C 02595 02596 /** 02597 * \def MBEDTLS_SSL_SRV_C 02598 * 02599 * Enable the SSL/TLS server code. 02600 * 02601 * Module: library/ssl_srv.c 02602 * Caller: 02603 * 02604 * Requires: MBEDTLS_SSL_TLS_C 02605 * 02606 * This module is required for SSL/TLS server support. 02607 */ 02608 #define MBEDTLS_SSL_SRV_C 02609 02610 /** 02611 * \def MBEDTLS_SSL_TLS_C 02612 * 02613 * Enable the generic SSL/TLS code. 02614 * 02615 * Module: library/ssl_tls.c 02616 * Caller: library/ssl_cli.c 02617 * library/ssl_srv.c 02618 * 02619 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C 02620 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines 02621 * 02622 * This module is required for SSL/TLS. 02623 */ 02624 #define MBEDTLS_SSL_TLS_C 02625 02626 /** 02627 * \def MBEDTLS_THREADING_C 02628 * 02629 * Enable the threading abstraction layer. 02630 * By default mbed TLS assumes it is used in a non-threaded environment or that 02631 * contexts are not shared between threads. If you do intend to use contexts 02632 * between threads, you will need to enable this layer to prevent race 02633 * conditions. See also our Knowledge Base article about threading: 02634 * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading 02635 * 02636 * Module: library/threading.c 02637 * 02638 * This allows different threading implementations (self-implemented or 02639 * provided). 02640 * 02641 * You will have to enable either MBEDTLS_THREADING_ALT or 02642 * MBEDTLS_THREADING_PTHREAD. 02643 * 02644 * Enable this layer to allow use of mutexes within mbed TLS 02645 */ 02646 //#define MBEDTLS_THREADING_C 02647 02648 /** 02649 * \def MBEDTLS_TIMING_C 02650 * 02651 * Enable the semi-portable timing interface. 02652 * 02653 * \note The provided implementation only works on POSIX/Unix (including Linux, 02654 * BSD and OS X) and Windows. On other platforms, you can either disable that 02655 * module and provide your own implementations of the callbacks needed by 02656 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide 02657 * your own implementation of the whole module by setting 02658 * \c MBEDTLS_TIMING_ALT in the current file. 02659 * 02660 * \note See also our Knowledge Base article about porting to a new 02661 * environment: 02662 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 02663 * 02664 * Module: library/timing.c 02665 * Caller: library/havege.c 02666 * 02667 * This module is used by the HAVEGE random number generator. 02668 */ 02669 //#define MBEDTLS_TIMING_C 02670 02671 /** 02672 * \def MBEDTLS_VERSION_C 02673 * 02674 * Enable run-time version information. 02675 * 02676 * Module: library/version.c 02677 * 02678 * This module provides run-time version information. 02679 */ 02680 #define MBEDTLS_VERSION_C 02681 02682 /** 02683 * \def MBEDTLS_X509_USE_C 02684 * 02685 * Enable X.509 core for using certificates. 02686 * 02687 * Module: library/x509.c 02688 * Caller: library/x509_crl.c 02689 * library/x509_crt.c 02690 * library/x509_csr.c 02691 * 02692 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, 02693 * MBEDTLS_PK_PARSE_C 02694 * 02695 * This module is required for the X.509 parsing modules. 02696 */ 02697 #define MBEDTLS_X509_USE_C 02698 02699 /** 02700 * \def MBEDTLS_X509_CRT_PARSE_C 02701 * 02702 * Enable X.509 certificate parsing. 02703 * 02704 * Module: library/x509_crt.c 02705 * Caller: library/ssl_cli.c 02706 * library/ssl_srv.c 02707 * library/ssl_tls.c 02708 * 02709 * Requires: MBEDTLS_X509_USE_C 02710 * 02711 * This module is required for X.509 certificate parsing. 02712 */ 02713 #define MBEDTLS_X509_CRT_PARSE_C 02714 02715 /** 02716 * \def MBEDTLS_X509_CRL_PARSE_C 02717 * 02718 * Enable X.509 CRL parsing. 02719 * 02720 * Module: library/x509_crl.c 02721 * Caller: library/x509_crt.c 02722 * 02723 * Requires: MBEDTLS_X509_USE_C 02724 * 02725 * This module is required for X.509 CRL parsing. 02726 */ 02727 #define MBEDTLS_X509_CRL_PARSE_C 02728 02729 /** 02730 * \def MBEDTLS_X509_CSR_PARSE_C 02731 * 02732 * Enable X.509 Certificate Signing Request (CSR) parsing. 02733 * 02734 * Module: library/x509_csr.c 02735 * Caller: library/x509_crt_write.c 02736 * 02737 * Requires: MBEDTLS_X509_USE_C 02738 * 02739 * This module is used for reading X.509 certificate request. 02740 */ 02741 //#define MBEDTLS_X509_CSR_PARSE_C 02742 02743 /** 02744 * \def MBEDTLS_X509_CREATE_C 02745 * 02746 * Enable X.509 core for creating certificates. 02747 * 02748 * Module: library/x509_create.c 02749 * 02750 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C 02751 * 02752 * This module is the basis for creating X.509 certificates and CSRs. 02753 */ 02754 //#define MBEDTLS_X509_CREATE_C 02755 02756 /** 02757 * \def MBEDTLS_X509_CRT_WRITE_C 02758 * 02759 * Enable creating X.509 certificates. 02760 * 02761 * Module: library/x509_crt_write.c 02762 * 02763 * Requires: MBEDTLS_X509_CREATE_C 02764 * 02765 * This module is required for X.509 certificate creation. 02766 */ 02767 //#define MBEDTLS_X509_CRT_WRITE_C 02768 02769 /** 02770 * \def MBEDTLS_X509_CSR_WRITE_C 02771 * 02772 * Enable creating X.509 Certificate Signing Requests (CSR). 02773 * 02774 * Module: library/x509_csr_write.c 02775 * 02776 * Requires: MBEDTLS_X509_CREATE_C 02777 * 02778 * This module is required for X.509 certificate request writing. 02779 */ 02780 //#define MBEDTLS_X509_CSR_WRITE_C 02781 02782 /** 02783 * \def MBEDTLS_XTEA_C 02784 * 02785 * Enable the XTEA block cipher. 02786 * 02787 * Module: library/xtea.c 02788 * Caller: 02789 */ 02790 //#define MBEDTLS_XTEA_C 02791 02792 /* \} name SECTION: mbed TLS modules */ 02793 02794 /** 02795 * \name SECTION: Module configuration options 02796 * 02797 * This section allows for the setting of module specific sizes and 02798 * configuration options. The default values are already present in the 02799 * relevant header files and should suffice for the regular use cases. 02800 * 02801 * Our advice is to enable options and change their values here 02802 * only if you have a good reason and know the consequences. 02803 * 02804 * Please check the respective header file for documentation on these 02805 * parameters (to prevent duplicate documentation). 02806 * \{ 02807 */ 02808 02809 /* MPI / BIGNUM options */ 02810 //#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */ 02811 //#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */ 02812 02813 /* CTR_DRBG options */ 02814 //#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */ 02815 //#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ 02816 //#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ 02817 //#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ 02818 //#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ 02819 02820 /* HMAC_DRBG options */ 02821 //#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ 02822 //#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ 02823 //#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ 02824 //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ 02825 02826 /* ECP options */ 02827 //#define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */ 02828 //#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */ 02829 //#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ 02830 02831 /* Entropy options */ 02832 //#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */ 02833 //#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */ 02834 //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */ 02835 02836 /* Memory buffer allocator options */ 02837 //#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */ 02838 02839 /* Platform options */ 02840 //#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ 02841 //#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */ 02842 //#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */ 02843 //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ 02844 //#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ 02845 //#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */ 02846 //#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */ 02847 /* Note: your snprintf must correclty zero-terminate the buffer! */ 02848 //#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */ 02849 //#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */ 02850 //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */ 02851 //#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ 02852 //#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ 02853 //#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */ 02854 02855 /* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */ 02856 /* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ 02857 //#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */ 02858 //#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */ 02859 //#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */ 02860 //#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ 02861 //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ 02862 //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */ 02863 //#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */ 02864 /* Note: your snprintf must correclty zero-terminate the buffer! */ 02865 //#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */ 02866 //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ 02867 //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ 02868 02869 /* SSL Cache options */ 02870 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */ 02871 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */ 02872 02873 /* SSL options */ 02874 //#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ 02875 //#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */ 02876 //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ 02877 //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ 02878 02879 /** 02880 * Complete list of ciphersuites to use, in order of preference. 02881 * 02882 * \warning No dependency checking is done on that field! This option can only 02883 * be used to restrict the set of available ciphersuites. It is your 02884 * responsibility to make sure the needed modules are active. 02885 * 02886 * Use this to save a few hundred bytes of ROM (default ordering of all 02887 * available ciphersuites) and a few to a few hundred bytes of RAM. 02888 * 02889 * The value below is only an example, not the default. 02890 */ 02891 //#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 02892 02893 /* X509 options */ 02894 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */ 02895 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */ 02896 02897 /** 02898 * Allow SHA-1 in the default TLS configuration for certificate signing. 02899 * Without this build-time option, SHA-1 support must be activated explicitly 02900 * through mbedtls_ssl_conf_cert_profile. Turning on this option is not 02901 * recommended because of it is possible to generate SHA-1 collisions, however 02902 * this may be safe for legacy infrastructure where additional controls apply. 02903 * 02904 * \warning SHA-1 is considered a weak message digest and its use constitutes 02905 * a security risk. If possible, we recommend avoiding dependencies 02906 * on it, and considering stronger message digests instead. 02907 * 02908 */ 02909 // #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES 02910 02911 /** 02912 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake 02913 * signature and ciphersuite selection. Without this build-time option, SHA-1 02914 * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes. 02915 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by 02916 * default. At the time of writing, there is no practical attack on the use 02917 * of SHA-1 in handshake signatures, hence this option is turned on by default 02918 * to preserve compatibility with existing peers, but the general 02919 * warning applies nonetheless: 02920 * 02921 * \warning SHA-1 is considered a weak message digest and its use constitutes 02922 * a security risk. If possible, we recommend avoiding dependencies 02923 * on it, and considering stronger message digests instead. 02924 * 02925 */ 02926 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE 02927 02928 /** 02929 * Uncomment the macro to let mbed TLS use your alternate implementation of 02930 * mbedtls_platform_zeroize(). This replaces the default implementation in 02931 * platform_util.c. 02932 * 02933 * mbedtls_platform_zeroize() is a widely used function across the library to 02934 * zero a block of memory. The implementation is expected to be secure in the 02935 * sense that it has been written to prevent the compiler from removing calls 02936 * to mbedtls_platform_zeroize() as part of redundant code elimination 02937 * optimizations. However, it is difficult to guarantee that calls to 02938 * mbedtls_platform_zeroize() will not be optimized by the compiler as older 02939 * versions of the C language standards do not provide a secure implementation 02940 * of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to 02941 * configure their own implementation of mbedtls_platform_zeroize(), for 02942 * example by using directives specific to their compiler, features from newer 02943 * C standards (e.g using memset_s() in C11) or calling a secure memset() from 02944 * their system (e.g explicit_bzero() in BSD). 02945 */ 02946 //#define MBEDTLS_PLATFORM_ZEROIZE_ALT 02947 02948 /* \} name SECTION: Customisation configuration options */ 02949 02950 /* Target and application specific configurations */ 02951 //#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h" 02952 02953 #if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE) 02954 #include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE 02955 #endif 02956 02957 /* 02958 * Allow user to override any previous default. 02959 * 02960 * Use two macro names for that, as: 02961 * - with yotta the prefix YOTTA_CFG_ is forced 02962 * - without yotta is looks weird to have a YOTTA prefix. 02963 */ 02964 #if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE) 02965 #include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE 02966 #elif defined(MBEDTLS_USER_CONFIG_FILE) 02967 #include MBEDTLS_USER_CONFIG_FILE 02968 #endif 02969 02970 #include "check_config.h" 02971 02972 #endif /* !MBEDTLS_ENTROPY_HARDWARE_ALT && !MBEDTLS_TEST_NULL_ENTROPY */ 02973 02974 #if defined(MBEDTLS_TEST_NULL_ENTROPY) 02975 #warning "MBEDTLS_TEST_NULL_ENTROPY has been enabled. This " \ 02976 "configuration is not secure and is not suitable for production use" 02977 #endif 02978 02979 #if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_TEST_NULL_ENTROPY) && \ 02980 !defined(MBEDTLS_ENTROPY_HARDWARE_ALT) && !defined(MBEDTLS_ENTROPY_NV_SEED) 02981 #error "No entropy source was found at build time, so TLS " \ 02982 "functionality is not available" 02983 #endif 02984 02985 #endif /* MBEDTLS_CONFIG_H */
Generated on Tue Jul 12 2022 12:43:41 by
1.7.2