takashi kadono
/
Nucleo_446
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
config.h
00001 /** 00002 * \file config.h 00003 * 00004 * \brief Configuration options (set of defines) 00005 * 00006 * This set of compile-time options may be used to enable 00007 * or disable features selectively, and reduce the global 00008 * memory footprint. 00009 */ 00010 /* 00011 * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved 00012 * SPDX-License-Identifier: Apache-2.0 00013 * 00014 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00015 * not use this file except in compliance with the License. 00016 * You may obtain a copy of the License at 00017 * 00018 * http://www.apache.org/licenses/LICENSE-2.0 00019 * 00020 * Unless required by applicable law or agreed to in writing, software 00021 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00022 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00023 * See the License for the specific language governing permissions and 00024 * limitations under the License. 00025 * 00026 * This file is part of mbed TLS (https://tls.mbed.org) 00027 */ 00028 00029 #ifndef MBEDTLS_CONFIG_H 00030 00031 #include "platform/inc/platform_mbed.h" 00032 00033 /* 00034 * Only use features that do not require an entropy source when 00035 * DEVICE_ENTROPY_SOURCE is not defined in mbed OS. 00036 */ 00037 #if !defined(MBEDTLS_ENTROPY_HARDWARE_ALT) && !defined(MBEDTLS_TEST_NULL_ENTROPY) 00038 #include "mbedtls/config-no-entropy.h" 00039 00040 #if defined(MBEDTLS_USER_CONFIG_FILE) 00041 #include MBEDTLS_USER_CONFIG_FILE 00042 #endif 00043 00044 #else 00045 #define MBEDTLS_CONFIG_H 00046 00047 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) 00048 #define _CRT_SECURE_NO_DEPRECATE 1 00049 #endif 00050 00051 /** 00052 * \name SECTION: System support 00053 * 00054 * This section sets system specific settings. 00055 * \{ 00056 */ 00057 00058 /** 00059 * \def MBEDTLS_HAVE_ASM 00060 * 00061 * The compiler has support for asm(). 00062 * 00063 * Requires support for asm() in compiler. 00064 * 00065 * Used in: 00066 * library/aria.c 00067 * library/timing.c 00068 * include/mbedtls/bn_mul.h 00069 * 00070 * Required by: 00071 * MBEDTLS_AESNI_C 00072 * MBEDTLS_PADLOCK_C 00073 * 00074 * Comment to disable the use of assembly code. 00075 */ 00076 #define MBEDTLS_HAVE_ASM 00077 00078 /** 00079 * \def MBEDTLS_NO_UDBL_DIVISION 00080 * 00081 * The platform lacks support for double-width integer division (64-bit 00082 * division on a 32-bit platform, 128-bit division on a 64-bit platform). 00083 * 00084 * Used in: 00085 * include/mbedtls/bignum.h 00086 * library/bignum.c 00087 * 00088 * The bignum code uses double-width division to speed up some operations. 00089 * Double-width division is often implemented in software that needs to 00090 * be linked with the program. The presence of a double-width integer 00091 * type is usually detected automatically through preprocessor macros, 00092 * but the automatic detection cannot know whether the code needs to 00093 * and can be linked with an implementation of division for that type. 00094 * By default division is assumed to be usable if the type is present. 00095 * Uncomment this option to prevent the use of double-width division. 00096 * 00097 * Note that division for the native integer type is always required. 00098 * Furthermore, a 64-bit type is always required even on a 32-bit 00099 * platform, but it need not support multiplication or division. In some 00100 * cases it is also desirable to disable some double-width operations. For 00101 * example, if double-width division is implemented in software, disabling 00102 * it can reduce code size in some embedded targets. 00103 */ 00104 //#define MBEDTLS_NO_UDBL_DIVISION 00105 00106 /** 00107 * \def MBEDTLS_NO_64BIT_MULTIPLICATION 00108 * 00109 * The platform lacks support for 32x32 -> 64-bit multiplication. 00110 * 00111 * Used in: 00112 * library/poly1305.c 00113 * 00114 * Some parts of the library may use multiplication of two unsigned 32-bit 00115 * operands with a 64-bit result in order to speed up computations. On some 00116 * platforms, this is not available in hardware and has to be implemented in 00117 * software, usually in a library provided by the toolchain. 00118 * 00119 * Sometimes it is not desirable to have to link to that library. This option 00120 * removes the dependency of that library on platforms that lack a hardware 00121 * 64-bit multiplier by embedding a software implementation in Mbed TLS. 00122 * 00123 * Note that depending on the compiler, this may decrease performance compared 00124 * to using the library function provided by the toolchain. 00125 */ 00126 //#define MBEDTLS_NO_64BIT_MULTIPLICATION 00127 00128 /** 00129 * \def MBEDTLS_HAVE_SSE2 00130 * 00131 * CPU supports SSE2 instruction set. 00132 * 00133 * Uncomment if the CPU supports SSE2 (IA-32 specific). 00134 */ 00135 //#define MBEDTLS_HAVE_SSE2 00136 00137 /** 00138 * \def MBEDTLS_HAVE_TIME 00139 * 00140 * System has time.h and time(). 00141 * The time does not need to be correct, only time differences are used, 00142 * by contrast with MBEDTLS_HAVE_TIME_DATE 00143 * 00144 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, 00145 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and 00146 * MBEDTLS_PLATFORM_STD_TIME. 00147 * 00148 * Comment if your system does not support time functions 00149 */ 00150 #define MBEDTLS_HAVE_TIME 00151 00152 /** 00153 * \def MBEDTLS_HAVE_TIME_DATE 00154 * 00155 * System has time.h, time(), and an implementation for 00156 * mbedtls_platform_gmtime_r() (see below). 00157 * The time needs to be correct (not necesarily very accurate, but at least 00158 * the date should be correct). This is used to verify the validity period of 00159 * X.509 certificates. 00160 * 00161 * Comment if your system does not have a correct clock. 00162 * 00163 * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that 00164 * behaves similarly to the gmtime_r() function from the C standard. Refer to 00165 * the documentation for mbedtls_platform_gmtime_r() for more information. 00166 * 00167 * \note It is possible to configure an implementation for 00168 * mbedtls_platform_gmtime_r() at compile-time by using the macro 00169 * MBEDTLS_PLATFORM_GMTIME_R_ALT. 00170 */ 00171 //#define MBEDTLS_HAVE_TIME_DATE 00172 00173 /** 00174 * \def MBEDTLS_PLATFORM_MEMORY 00175 * 00176 * Enable the memory allocation layer. 00177 * 00178 * By default mbed TLS uses the system-provided calloc() and free(). 00179 * This allows different allocators (self-implemented or provided) to be 00180 * provided to the platform abstraction layer. 00181 * 00182 * Enabling MBEDTLS_PLATFORM_MEMORY without the 00183 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide 00184 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and 00185 * free() function pointer at runtime. 00186 * 00187 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying 00188 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 00189 * alternate function at compile time. 00190 * 00191 * Requires: MBEDTLS_PLATFORM_C 00192 * 00193 * Enable this layer to allow use of alternative memory allocators. 00194 */ 00195 //#define MBEDTLS_PLATFORM_MEMORY 00196 00197 /** 00198 * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 00199 * 00200 * Do not assign standard functions in the platform layer (e.g. calloc() to 00201 * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF) 00202 * 00203 * This makes sure there are no linking errors on platforms that do not support 00204 * these functions. You will HAVE to provide alternatives, either at runtime 00205 * via the platform_set_xxx() functions or at compile time by setting 00206 * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a 00207 * MBEDTLS_PLATFORM_XXX_MACRO. 00208 * 00209 * Requires: MBEDTLS_PLATFORM_C 00210 * 00211 * Uncomment to prevent default assignment of standard functions in the 00212 * platform layer. 00213 */ 00214 //#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS 00215 00216 /** 00217 * \def MBEDTLS_PLATFORM_EXIT_ALT 00218 * 00219 * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the 00220 * function in the platform abstraction layer. 00221 * 00222 * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will 00223 * provide a function "mbedtls_platform_set_printf()" that allows you to set an 00224 * alternative printf function pointer. 00225 * 00226 * All these define require MBEDTLS_PLATFORM_C to be defined! 00227 * 00228 * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows; 00229 * it will be enabled automatically by check_config.h 00230 * 00231 * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as 00232 * MBEDTLS_PLATFORM_XXX_MACRO! 00233 * 00234 * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME 00235 * 00236 * Uncomment a macro to enable alternate implementation of specific base 00237 * platform function 00238 */ 00239 //#define MBEDTLS_PLATFORM_EXIT_ALT 00240 //#define MBEDTLS_PLATFORM_TIME_ALT 00241 //#define MBEDTLS_PLATFORM_FPRINTF_ALT 00242 //#define MBEDTLS_PLATFORM_PRINTF_ALT 00243 //#define MBEDTLS_PLATFORM_SNPRINTF_ALT 00244 //#define MBEDTLS_PLATFORM_NV_SEED_ALT 00245 //#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT 00246 00247 /** 00248 * \def MBEDTLS_DEPRECATED_WARNING 00249 * 00250 * Mark deprecated functions so that they generate a warning if used. 00251 * Functions deprecated in one version will usually be removed in the next 00252 * version. You can enable this to help you prepare the transition to a new 00253 * major version by making sure your code is not using these functions. 00254 * 00255 * This only works with GCC and Clang. With other compilers, you may want to 00256 * use MBEDTLS_DEPRECATED_REMOVED 00257 * 00258 * Uncomment to get warnings on using deprecated functions. 00259 */ 00260 //#define MBEDTLS_DEPRECATED_WARNING 00261 00262 /** 00263 * \def MBEDTLS_DEPRECATED_REMOVED 00264 * 00265 * Remove deprecated functions so that they generate an error if used. 00266 * Functions deprecated in one version will usually be removed in the next 00267 * version. You can enable this to help you prepare the transition to a new 00268 * major version by making sure your code is not using these functions. 00269 * 00270 * Uncomment to get errors on using deprecated functions. 00271 */ 00272 //#define MBEDTLS_DEPRECATED_REMOVED 00273 00274 /* \} name SECTION: System support */ 00275 00276 /** 00277 * \name SECTION: mbed TLS feature support 00278 * 00279 * This section sets support for features that are or are not needed 00280 * within the modules that are enabled. 00281 * \{ 00282 */ 00283 00284 /** 00285 * \def MBEDTLS_TIMING_ALT 00286 * 00287 * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(), 00288 * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay() 00289 * 00290 * Only works if you have MBEDTLS_TIMING_C enabled. 00291 * 00292 * You will need to provide a header "timing_alt.h" and an implementation at 00293 * compile time. 00294 */ 00295 //#define MBEDTLS_TIMING_ALT 00296 00297 /** 00298 * \def MBEDTLS_AES_ALT 00299 * 00300 * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your 00301 * alternate core implementation of a symmetric crypto, an arithmetic or hash 00302 * module (e.g. platform specific assembly optimized implementations). Keep 00303 * in mind that the function prototypes should remain the same. 00304 * 00305 * This replaces the whole module. If you only want to replace one of the 00306 * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags. 00307 * 00308 * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer 00309 * provide the "struct mbedtls_aes_context" definition and omit the base 00310 * function declarations and implementations. "aes_alt.h" will be included from 00311 * "aes.h" to include the new function definitions. 00312 * 00313 * Uncomment a macro to enable alternate implementation of the corresponding 00314 * module. 00315 * 00316 * \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their 00317 * use constitutes a security risk. If possible, we recommend 00318 * avoiding dependencies on them, and considering stronger message 00319 * digests and ciphers instead. 00320 * 00321 */ 00322 //#define MBEDTLS_AES_ALT 00323 //#define MBEDTLS_ARC4_ALT 00324 //#define MBEDTLS_ARIA_ALT 00325 //#define MBEDTLS_BLOWFISH_ALT 00326 //#define MBEDTLS_CAMELLIA_ALT 00327 //#define MBEDTLS_CCM_ALT 00328 //#define MBEDTLS_CHACHA20_ALT 00329 //#define MBEDTLS_CHACHAPOLY_ALT 00330 //#define MBEDTLS_CMAC_ALT 00331 //#define MBEDTLS_DES_ALT 00332 //#define MBEDTLS_DHM_ALT 00333 //#define MBEDTLS_ECJPAKE_ALT 00334 //#define MBEDTLS_GCM_ALT 00335 //#define MBEDTLS_NIST_KW_ALT 00336 //#define MBEDTLS_MD2_ALT 00337 //#define MBEDTLS_MD4_ALT 00338 //#define MBEDTLS_MD5_ALT 00339 //#define MBEDTLS_POLY1305_ALT 00340 //#define MBEDTLS_RIPEMD160_ALT 00341 //#define MBEDTLS_RSA_ALT 00342 //#define MBEDTLS_SHA1_ALT 00343 //#define MBEDTLS_SHA256_ALT 00344 //#define MBEDTLS_SHA512_ALT 00345 //#define MBEDTLS_XTEA_ALT 00346 00347 /* 00348 * When replacing the elliptic curve module, pleace consider, that it is 00349 * implemented with two .c files: 00350 * - ecp.c 00351 * - ecp_curves.c 00352 * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT 00353 * macros as described above. The only difference is that you have to make sure 00354 * that you provide functionality for both .c files. 00355 */ 00356 //#define MBEDTLS_ECP_ALT 00357 00358 /** 00359 * \def MBEDTLS_MD2_PROCESS_ALT 00360 * 00361 * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you 00362 * alternate core implementation of symmetric crypto or hash function. Keep in 00363 * mind that function prototypes should remain the same. 00364 * 00365 * This replaces only one function. The header file from mbed TLS is still 00366 * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags. 00367 * 00368 * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will 00369 * no longer provide the mbedtls_sha1_process() function, but it will still provide 00370 * the other function (using your mbedtls_sha1_process() function) and the definition 00371 * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible 00372 * with this definition. 00373 * 00374 * \note Because of a signature change, the core AES encryption and decryption routines are 00375 * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt, 00376 * respectively. When setting up alternative implementations, these functions should 00377 * be overriden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt 00378 * must stay untouched. 00379 * 00380 * \note If you use the AES_xxx_ALT macros, then is is recommended to also set 00381 * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES 00382 * tables. 00383 * 00384 * Uncomment a macro to enable alternate implementation of the corresponding 00385 * function. 00386 * 00387 * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use 00388 * constitutes a security risk. If possible, we recommend avoiding 00389 * dependencies on them, and considering stronger message digests 00390 * and ciphers instead. 00391 * 00392 */ 00393 //#define MBEDTLS_MD2_PROCESS_ALT 00394 //#define MBEDTLS_MD4_PROCESS_ALT 00395 //#define MBEDTLS_MD5_PROCESS_ALT 00396 //#define MBEDTLS_RIPEMD160_PROCESS_ALT 00397 //#define MBEDTLS_SHA1_PROCESS_ALT 00398 //#define MBEDTLS_SHA256_PROCESS_ALT 00399 //#define MBEDTLS_SHA512_PROCESS_ALT 00400 //#define MBEDTLS_DES_SETKEY_ALT 00401 //#define MBEDTLS_DES_CRYPT_ECB_ALT 00402 //#define MBEDTLS_DES3_CRYPT_ECB_ALT 00403 //#define MBEDTLS_AES_SETKEY_ENC_ALT 00404 //#define MBEDTLS_AES_SETKEY_DEC_ALT 00405 //#define MBEDTLS_AES_ENCRYPT_ALT 00406 //#define MBEDTLS_AES_DECRYPT_ALT 00407 //#define MBEDTLS_ECDH_GEN_PUBLIC_ALT 00408 //#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT 00409 //#define MBEDTLS_ECDSA_VERIFY_ALT 00410 //#define MBEDTLS_ECDSA_SIGN_ALT 00411 //#define MBEDTLS_ECDSA_GENKEY_ALT 00412 00413 /** 00414 * \def MBEDTLS_ECP_INTERNAL_ALT 00415 * 00416 * Expose a part of the internal interface of the Elliptic Curve Point module. 00417 * 00418 * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your 00419 * alternative core implementation of elliptic curve arithmetic. Keep in mind 00420 * that function prototypes should remain the same. 00421 * 00422 * This partially replaces one function. The header file from mbed TLS is still 00423 * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation 00424 * is still present and it is used for group structures not supported by the 00425 * alternative. 00426 * 00427 * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT 00428 * and implementing the following functions: 00429 * unsigned char mbedtls_internal_ecp_grp_capable( 00430 * const mbedtls_ecp_group *grp ) 00431 * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ) 00432 * void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp ) 00433 * The mbedtls_internal_ecp_grp_capable function should return 1 if the 00434 * replacement functions implement arithmetic for the given group and 0 00435 * otherwise. 00436 * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are 00437 * called before and after each point operation and provide an opportunity to 00438 * implement optimized set up and tear down instructions. 00439 * 00440 * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and 00441 * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac 00442 * function, but will use your mbedtls_internal_ecp_double_jac if the group is 00443 * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when 00444 * receives it as an argument). If the group is not supported then the original 00445 * implementation is used. The other functions and the definition of 00446 * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your 00447 * implementation of mbedtls_internal_ecp_double_jac and 00448 * mbedtls_internal_ecp_grp_capable must be compatible with this definition. 00449 * 00450 * Uncomment a macro to enable alternate implementation of the corresponding 00451 * function. 00452 */ 00453 /* Required for all the functions in this section */ 00454 //#define MBEDTLS_ECP_INTERNAL_ALT 00455 /* Support for Weierstrass curves with Jacobi representation */ 00456 //#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT 00457 //#define MBEDTLS_ECP_ADD_MIXED_ALT 00458 //#define MBEDTLS_ECP_DOUBLE_JAC_ALT 00459 //#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT 00460 //#define MBEDTLS_ECP_NORMALIZE_JAC_ALT 00461 /* Support for curves with Montgomery arithmetic */ 00462 //#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT 00463 //#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT 00464 //#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT 00465 00466 /** 00467 * \def MBEDTLS_TEST_NULL_ENTROPY 00468 * 00469 * Enables testing and use of mbed TLS without any configured entropy sources. 00470 * This permits use of the library on platforms before an entropy source has 00471 * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the 00472 * MBEDTLS_ENTROPY_NV_SEED switches). 00473 * 00474 * WARNING! This switch MUST be disabled in production builds, and is suitable 00475 * only for development. 00476 * Enabling the switch negates any security provided by the library. 00477 * 00478 * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 00479 * 00480 */ 00481 //#define MBEDTLS_TEST_NULL_ENTROPY 00482 00483 /** 00484 * \def MBEDTLS_ENTROPY_HARDWARE_ALT 00485 * 00486 * Uncomment this macro to let mbed TLS use your own implementation of a 00487 * hardware entropy collector. 00488 * 00489 * Your function must be called \c mbedtls_hardware_poll(), have the same 00490 * prototype as declared in entropy_poll.h, and accept NULL as first argument. 00491 * 00492 * Uncomment to use your own hardware entropy collector. 00493 */ 00494 //#define MBEDTLS_ENTROPY_HARDWARE_ALT 00495 00496 /** 00497 * \def MBEDTLS_AES_ROM_TABLES 00498 * 00499 * Use precomputed AES tables stored in ROM. 00500 * 00501 * Uncomment this macro to use precomputed AES tables stored in ROM. 00502 * Comment this macro to generate AES tables in RAM at runtime. 00503 * 00504 * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb 00505 * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the 00506 * initialization time before the first AES operation can be performed. 00507 * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c 00508 * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded 00509 * performance if ROM access is slower than RAM access. 00510 * 00511 * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. 00512 * 00513 */ 00514 #define MBEDTLS_AES_ROM_TABLES 00515 00516 /** 00517 * \def MBEDTLS_AES_FEWER_TABLES 00518 * 00519 * Use less ROM/RAM for AES tables. 00520 * 00521 * Uncommenting this macro omits 75% of the AES tables from 00522 * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) 00523 * by computing their values on the fly during operations 00524 * (the tables are entry-wise rotations of one another). 00525 * 00526 * Tradeoff: Uncommenting this reduces the RAM / ROM footprint 00527 * by ~6kb but at the cost of more arithmetic operations during 00528 * runtime. Specifically, one has to compare 4 accesses within 00529 * different tables to 4 accesses with additional arithmetic 00530 * operations within the same table. The performance gain/loss 00531 * depends on the system and memory details. 00532 * 00533 * This option is independent of \c MBEDTLS_AES_ROM_TABLES. 00534 * 00535 */ 00536 //#define MBEDTLS_AES_FEWER_TABLES 00537 00538 /** 00539 * \def MBEDTLS_CAMELLIA_SMALL_MEMORY 00540 * 00541 * Use less ROM for the Camellia implementation (saves about 768 bytes). 00542 * 00543 * Uncomment this macro to use less memory for Camellia. 00544 */ 00545 //#define MBEDTLS_CAMELLIA_SMALL_MEMORY 00546 00547 /** 00548 * \def MBEDTLS_CIPHER_MODE_CBC 00549 * 00550 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. 00551 */ 00552 #define MBEDTLS_CIPHER_MODE_CBC 00553 00554 /** 00555 * \def MBEDTLS_CIPHER_MODE_CFB 00556 * 00557 * Enable Cipher Feedback mode (CFB) for symmetric ciphers. 00558 */ 00559 //#define MBEDTLS_CIPHER_MODE_CFB 00560 00561 /** 00562 * \def MBEDTLS_CIPHER_MODE_CTR 00563 * 00564 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. 00565 */ 00566 //#define MBEDTLS_CIPHER_MODE_CTR 00567 00568 /** 00569 * \def MBEDTLS_CIPHER_MODE_OFB 00570 * 00571 * Enable Output Feedback mode (OFB) for symmetric ciphers. 00572 */ 00573 //#define MBEDTLS_CIPHER_MODE_OFB 00574 00575 /** 00576 * \def MBEDTLS_CIPHER_MODE_XTS 00577 * 00578 * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. 00579 */ 00580 //#define MBEDTLS_CIPHER_MODE_XTS 00581 00582 /** 00583 * \def MBEDTLS_CIPHER_NULL_CIPHER 00584 * 00585 * Enable NULL cipher. 00586 * Warning: Only do so when you know what you are doing. This allows for 00587 * encryption or channels without any security! 00588 * 00589 * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable 00590 * the following ciphersuites: 00591 * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA 00592 * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA 00593 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA 00594 * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA 00595 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 00596 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 00597 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA 00598 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384 00599 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256 00600 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA 00601 * MBEDTLS_TLS_RSA_WITH_NULL_SHA256 00602 * MBEDTLS_TLS_RSA_WITH_NULL_SHA 00603 * MBEDTLS_TLS_RSA_WITH_NULL_MD5 00604 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384 00605 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256 00606 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA 00607 * MBEDTLS_TLS_PSK_WITH_NULL_SHA384 00608 * MBEDTLS_TLS_PSK_WITH_NULL_SHA256 00609 * MBEDTLS_TLS_PSK_WITH_NULL_SHA 00610 * 00611 * Uncomment this macro to enable the NULL cipher and ciphersuites 00612 */ 00613 //#define MBEDTLS_CIPHER_NULL_CIPHER 00614 00615 /** 00616 * \def MBEDTLS_CIPHER_PADDING_PKCS7 00617 * 00618 * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for 00619 * specific padding modes in the cipher layer with cipher modes that support 00620 * padding (e.g. CBC) 00621 * 00622 * If you disable all padding modes, only full blocks can be used with CBC. 00623 * 00624 * Enable padding modes in the cipher layer. 00625 */ 00626 #define MBEDTLS_CIPHER_PADDING_PKCS7 00627 //#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS 00628 //#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN 00629 //#define MBEDTLS_CIPHER_PADDING_ZEROS 00630 00631 /** 00632 * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES 00633 * 00634 * Enable weak ciphersuites in SSL / TLS. 00635 * Warning: Only do so when you know what you are doing. This allows for 00636 * channels with virtually no security at all! 00637 * 00638 * This enables the following ciphersuites: 00639 * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA 00640 * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA 00641 * 00642 * Uncomment this macro to enable weak ciphersuites 00643 * 00644 * \warning DES is considered a weak cipher and its use constitutes a 00645 * security risk. We recommend considering stronger ciphers instead. 00646 */ 00647 //#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES 00648 00649 /** 00650 * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES 00651 * 00652 * Remove RC4 ciphersuites by default in SSL / TLS. 00653 * This flag removes the ciphersuites based on RC4 from the default list as 00654 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to 00655 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them 00656 * explicitly. 00657 * 00658 * Uncomment this macro to remove RC4 ciphersuites by default. 00659 */ 00660 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES 00661 00662 /** 00663 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED 00664 * 00665 * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve 00666 * module. By default all supported curves are enabled. 00667 * 00668 * Comment macros to disable the curve and functions for it 00669 */ 00670 //#define MBEDTLS_ECP_DP_SECP192R1_ENABLED 00671 //#define MBEDTLS_ECP_DP_SECP224R1_ENABLED 00672 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED 00673 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED 00674 //#define MBEDTLS_ECP_DP_SECP521R1_ENABLED 00675 //#define MBEDTLS_ECP_DP_SECP192K1_ENABLED 00676 //#define MBEDTLS_ECP_DP_SECP224K1_ENABLED 00677 //#define MBEDTLS_ECP_DP_SECP256K1_ENABLED 00678 //#define MBEDTLS_ECP_DP_BP256R1_ENABLED 00679 //#define MBEDTLS_ECP_DP_BP384R1_ENABLED 00680 //#define MBEDTLS_ECP_DP_BP512R1_ENABLED 00681 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED 00682 #define MBEDTLS_ECP_DP_CURVE448_ENABLED 00683 00684 /** 00685 * \def MBEDTLS_ECP_NIST_OPTIM 00686 * 00687 * Enable specific 'modulo p' routines for each NIST prime. 00688 * Depending on the prime and architecture, makes operations 4 to 8 times 00689 * faster on the corresponding curve. 00690 * 00691 * Comment this macro to disable NIST curves optimisation. 00692 */ 00693 #define MBEDTLS_ECP_NIST_OPTIM 00694 00695 /** 00696 * \def MBEDTLS_ECDSA_DETERMINISTIC 00697 * 00698 * Enable deterministic ECDSA (RFC 6979). 00699 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing 00700 * may result in a compromise of the long-term signing key. This is avoided by 00701 * the deterministic variant. 00702 * 00703 * Requires: MBEDTLS_HMAC_DRBG_C 00704 * 00705 * Comment this macro to disable deterministic ECDSA. 00706 */ 00707 #define MBEDTLS_ECDSA_DETERMINISTIC 00708 00709 /** 00710 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 00711 * 00712 * Enable the PSK based ciphersuite modes in SSL / TLS. 00713 * 00714 * This enables the following ciphersuites (if other requisites are 00715 * enabled as well): 00716 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 00717 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 00718 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 00719 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 00720 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 00721 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 00722 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 00723 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 00724 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 00725 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 00726 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 00727 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA 00728 */ 00729 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 00730 00731 /** 00732 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 00733 * 00734 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS. 00735 * 00736 * Requires: MBEDTLS_DHM_C 00737 * 00738 * This enables the following ciphersuites (if other requisites are 00739 * enabled as well): 00740 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 00741 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 00742 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 00743 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 00744 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 00745 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 00746 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 00747 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 00748 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 00749 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 00750 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 00751 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA 00752 * 00753 * \warning Using DHE constitutes a security risk as it 00754 * is not possible to validate custom DH parameters. 00755 * If possible, it is recommended users should consider 00756 * preferring other methods of key exchange. 00757 * See dhm.h for more details. 00758 * 00759 */ 00760 //#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED 00761 00762 /** 00763 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 00764 * 00765 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. 00766 * 00767 * Requires: MBEDTLS_ECDH_C 00768 * 00769 * This enables the following ciphersuites (if other requisites are 00770 * enabled as well): 00771 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 00772 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 00773 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 00774 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 00775 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 00776 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 00777 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 00778 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 00779 */ 00780 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 00781 00782 /** 00783 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 00784 * 00785 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS. 00786 * 00787 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00788 * MBEDTLS_X509_CRT_PARSE_C 00789 * 00790 * This enables the following ciphersuites (if other requisites are 00791 * enabled as well): 00792 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 00793 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 00794 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 00795 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 00796 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 00797 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 00798 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 00799 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 00800 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 00801 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 00802 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 00803 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA 00804 */ 00805 //#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 00806 00807 /** 00808 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 00809 * 00810 * Enable the RSA-only based ciphersuite modes in SSL / TLS. 00811 * 00812 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00813 * MBEDTLS_X509_CRT_PARSE_C 00814 * 00815 * This enables the following ciphersuites (if other requisites are 00816 * enabled as well): 00817 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 00818 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 00819 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 00820 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 00821 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 00822 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 00823 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 00824 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 00825 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 00826 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 00827 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 00828 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 00829 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 00830 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA 00831 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 00832 */ 00833 //#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED 00834 00835 /** 00836 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 00837 * 00838 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS. 00839 * 00840 * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00841 * MBEDTLS_X509_CRT_PARSE_C 00842 * 00843 * This enables the following ciphersuites (if other requisites are 00844 * enabled as well): 00845 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 00846 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 00847 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 00848 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 00849 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 00850 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 00851 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 00852 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 00853 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 00854 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 00855 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 00856 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 00857 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 00858 * 00859 * \warning Using DHE constitutes a security risk as it 00860 * is not possible to validate custom DH parameters. 00861 * If possible, it is recommended users should consider 00862 * preferring other methods of key exchange. 00863 * See dhm.h for more details. 00864 * 00865 */ 00866 //#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 00867 00868 /** 00869 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 00870 * 00871 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. 00872 * 00873 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, 00874 * MBEDTLS_X509_CRT_PARSE_C 00875 * 00876 * This enables the following ciphersuites (if other requisites are 00877 * enabled as well): 00878 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 00879 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 00880 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 00881 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 00882 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 00883 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 00884 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 00885 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 00886 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 00887 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 00888 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 00889 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA 00890 */ 00891 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 00892 00893 /** 00894 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 00895 * 00896 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. 00897 * 00898 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C, 00899 * 00900 * This enables the following ciphersuites (if other requisites are 00901 * enabled as well): 00902 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 00903 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 00904 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 00905 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 00906 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 00907 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 00908 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 00909 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 00910 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 00911 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 00912 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 00913 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 00914 */ 00915 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 00916 00917 /** 00918 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 00919 * 00920 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. 00921 * 00922 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C 00923 * 00924 * This enables the following ciphersuites (if other requisites are 00925 * enabled as well): 00926 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 00927 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 00928 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 00929 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 00930 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 00931 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 00932 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 00933 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 00934 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 00935 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 00936 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 00937 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 00938 */ 00939 //#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 00940 00941 /** 00942 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 00943 * 00944 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. 00945 * 00946 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C 00947 * 00948 * This enables the following ciphersuites (if other requisites are 00949 * enabled as well): 00950 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA 00951 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 00952 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 00953 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 00954 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 00955 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 00956 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 00957 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 00958 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 00959 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 00960 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 00961 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 00962 */ 00963 //#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 00964 00965 /** 00966 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 00967 * 00968 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. 00969 * 00970 * \warning This is currently experimental. EC J-PAKE support is based on the 00971 * Thread v1.0.0 specification; incompatible changes to the specification 00972 * might still happen. For this reason, this is disabled by default. 00973 * 00974 * Requires: MBEDTLS_ECJPAKE_C 00975 * MBEDTLS_SHA256_C 00976 * MBEDTLS_ECP_DP_SECP256R1_ENABLED 00977 * 00978 * This enables the following ciphersuites (if other requisites are 00979 * enabled as well): 00980 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 00981 */ 00982 //#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 00983 00984 /** 00985 * \def MBEDTLS_PK_PARSE_EC_EXTENDED 00986 * 00987 * Enhance support for reading EC keys using variants of SEC1 not allowed by 00988 * RFC 5915 and RFC 5480. 00989 * 00990 * Currently this means parsing the SpecifiedECDomain choice of EC 00991 * parameters (only known groups are supported, not arbitrary domains, to 00992 * avoid validation issues). 00993 * 00994 * Disable if you only need to support RFC 5915 + 5480 key formats. 00995 */ 00996 //#define MBEDTLS_PK_PARSE_EC_EXTENDED 00997 00998 /** 00999 * \def MBEDTLS_ERROR_STRERROR_DUMMY 01000 * 01001 * Enable a dummy error function to make use of mbedtls_strerror() in 01002 * third party libraries easier when MBEDTLS_ERROR_C is disabled 01003 * (no effect when MBEDTLS_ERROR_C is enabled). 01004 * 01005 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're 01006 * not using mbedtls_strerror() or error_strerror() in your application. 01007 * 01008 * Disable if you run into name conflicts and want to really remove the 01009 * mbedtls_strerror() 01010 */ 01011 #define MBEDTLS_ERROR_STRERROR_DUMMY 01012 01013 /** 01014 * \def MBEDTLS_GENPRIME 01015 * 01016 * Enable the prime-number generation code. 01017 * 01018 * Requires: MBEDTLS_BIGNUM_C 01019 */ 01020 //#define MBEDTLS_GENPRIME 01021 01022 /** 01023 * \def MBEDTLS_FS_IO 01024 * 01025 * Enable functions that use the filesystem. 01026 */ 01027 //#define MBEDTLS_FS_IO 01028 01029 /** 01030 * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 01031 * 01032 * Do not add default entropy sources. These are the platform specific, 01033 * mbedtls_timing_hardclock and HAVEGE based poll functions. 01034 * 01035 * This is useful to have more control over the added entropy sources in an 01036 * application. 01037 * 01038 * Uncomment this macro to prevent loading of default entropy functions. 01039 */ 01040 //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 01041 01042 /** 01043 * \def MBEDTLS_NO_PLATFORM_ENTROPY 01044 * 01045 * Do not use built-in platform entropy functions. 01046 * This is useful if your platform does not support 01047 * standards like the /dev/urandom or Windows CryptoAPI. 01048 * 01049 * Uncomment this macro to disable the built-in platform entropy functions. 01050 */ 01051 #define MBEDTLS_NO_PLATFORM_ENTROPY 01052 01053 /** 01054 * \def MBEDTLS_ENTROPY_FORCE_SHA256 01055 * 01056 * Force the entropy accumulator to use a SHA-256 accumulator instead of the 01057 * default SHA-512 based one (if both are available). 01058 * 01059 * Requires: MBEDTLS_SHA256_C 01060 * 01061 * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option 01062 * if you have performance concerns. 01063 * 01064 * This option is only useful if both MBEDTLS_SHA256_C and 01065 * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. 01066 */ 01067 //#define MBEDTLS_ENTROPY_FORCE_SHA256 01068 01069 /** 01070 * \def MBEDTLS_ENTROPY_NV_SEED 01071 * 01072 * Enable the non-volatile (NV) seed file-based entropy source. 01073 * (Also enables the NV seed read/write functions in the platform layer) 01074 * 01075 * This is crucial (if not required) on systems that do not have a 01076 * cryptographic entropy source (in hardware or kernel) available. 01077 * 01078 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C 01079 * 01080 * \note The read/write functions that are used by the entropy source are 01081 * determined in the platform layer, and can be modified at runtime and/or 01082 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. 01083 * 01084 * \note If you use the default implementation functions that read a seedfile 01085 * with regular fopen(), please make sure you make a seedfile with the 01086 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at 01087 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from 01088 * and written to or you will get an entropy source error! The default 01089 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE 01090 * bytes from the file. 01091 * 01092 * \note The entropy collector will write to the seed file before entropy is 01093 * given to an external source, to update it. 01094 */ 01095 //#define MBEDTLS_ENTROPY_NV_SEED 01096 01097 /** 01098 * \def MBEDTLS_MEMORY_DEBUG 01099 * 01100 * Enable debugging of buffer allocator memory issues. Automatically prints 01101 * (to stderr) all (fatal) messages on memory allocation issues. Enables 01102 * function for 'debug output' of allocated memory. 01103 * 01104 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C 01105 * 01106 * Uncomment this macro to let the buffer allocator print out error messages. 01107 */ 01108 //#define MBEDTLS_MEMORY_DEBUG 01109 01110 /** 01111 * \def MBEDTLS_MEMORY_BACKTRACE 01112 * 01113 * Include backtrace information with each allocated block. 01114 * 01115 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C 01116 * GLIBC-compatible backtrace() an backtrace_symbols() support 01117 * 01118 * Uncomment this macro to include backtrace information 01119 */ 01120 //#define MBEDTLS_MEMORY_BACKTRACE 01121 01122 /** 01123 * \def MBEDTLS_PK_RSA_ALT_SUPPORT 01124 * 01125 * Support external private RSA keys (eg from a HSM) in the PK layer. 01126 * 01127 * Comment this macro to disable support for external private RSA keys. 01128 */ 01129 #define MBEDTLS_PK_RSA_ALT_SUPPORT 01130 01131 /** 01132 * \def MBEDTLS_PKCS1_V15 01133 * 01134 * Enable support for PKCS#1 v1.5 encoding. 01135 * 01136 * Requires: MBEDTLS_RSA_C 01137 * 01138 * This enables support for PKCS#1 v1.5 operations. 01139 */ 01140 #define MBEDTLS_PKCS1_V15 01141 01142 /** 01143 * \def MBEDTLS_PKCS1_V21 01144 * 01145 * Enable support for PKCS#1 v2.1 encoding. 01146 * 01147 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C 01148 * 01149 * This enables support for RSAES-OAEP and RSASSA-PSS operations. 01150 */ 01151 #define MBEDTLS_PKCS1_V21 01152 01153 /** 01154 * \def MBEDTLS_RSA_NO_CRT 01155 * 01156 * Do not use the Chinese Remainder Theorem 01157 * for the RSA private operation. 01158 * 01159 * Uncomment this macro to disable the use of CRT in RSA. 01160 * 01161 */ 01162 //#define MBEDTLS_RSA_NO_CRT 01163 01164 /** 01165 * \def MBEDTLS_SELF_TEST 01166 * 01167 * Enable the checkup functions (*_self_test). 01168 */ 01169 #define MBEDTLS_SELF_TEST 01170 01171 /** 01172 * \def MBEDTLS_SHA256_SMALLER 01173 * 01174 * Enable an implementation of SHA-256 that has lower ROM footprint but also 01175 * lower performance. 01176 * 01177 * The default implementation is meant to be a reasonnable compromise between 01178 * performance and size. This version optimizes more aggressively for size at 01179 * the expense of performance. Eg on Cortex-M4 it reduces the size of 01180 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about 01181 * 30%. 01182 * 01183 * Uncomment to enable the smaller implementation of SHA256. 01184 */ 01185 //#define MBEDTLS_SHA256_SMALLER 01186 01187 /** 01188 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES 01189 * 01190 * Enable sending of alert messages in case of encountered errors as per RFC. 01191 * If you choose not to send the alert messages, mbed TLS can still communicate 01192 * with other servers, only debugging of failures is harder. 01193 * 01194 * The advantage of not sending alert messages, is that no information is given 01195 * about reasons for failures thus preventing adversaries of gaining intel. 01196 * 01197 * Enable sending of all alert messages 01198 */ 01199 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES 01200 01201 /** 01202 * \def MBEDTLS_SSL_ASYNC_PRIVATE 01203 * 01204 * Enable asynchronous external private key operations in SSL. This allows 01205 * you to configure an SSL connection to call an external cryptographic 01206 * module to perform private key operations instead of performing the 01207 * operation inside the library. 01208 * 01209 */ 01210 //#define MBEDTLS_SSL_ASYNC_PRIVATE 01211 01212 /** 01213 * \def MBEDTLS_SSL_DEBUG_ALL 01214 * 01215 * Enable the debug messages in SSL module for all issues. 01216 * Debug messages have been disabled in some places to prevent timing 01217 * attacks due to (unbalanced) debugging function calls. 01218 * 01219 * If you need all error reporting you should enable this during debugging, 01220 * but remove this for production servers that should log as well. 01221 * 01222 * Uncomment this macro to report all debug messages on errors introducing 01223 * a timing side-channel. 01224 * 01225 */ 01226 //#define MBEDTLS_SSL_DEBUG_ALL 01227 01228 /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC 01229 * 01230 * Enable support for Encrypt-then-MAC, RFC 7366. 01231 * 01232 * This allows peers that both support it to use a more robust protection for 01233 * ciphersuites using CBC, providing deep resistance against timing attacks 01234 * on the padding or underlying cipher. 01235 * 01236 * This only affects CBC ciphersuites, and is useless if none is defined. 01237 * 01238 * Requires: MBEDTLS_SSL_PROTO_TLS1 or 01239 * MBEDTLS_SSL_PROTO_TLS1_1 or 01240 * MBEDTLS_SSL_PROTO_TLS1_2 01241 * 01242 * Comment this macro to disable support for Encrypt-then-MAC 01243 */ 01244 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC 01245 01246 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET 01247 * 01248 * Enable support for Extended Master Secret, aka Session Hash 01249 * (draft-ietf-tls-session-hash-02). 01250 * 01251 * This was introduced as "the proper fix" to the Triple Handshake familiy of 01252 * attacks, but it is recommended to always use it (even if you disable 01253 * renegotiation), since it actually fixes a more fundamental issue in the 01254 * original SSL/TLS design, and has implications beyond Triple Handshake. 01255 * 01256 * Requires: MBEDTLS_SSL_PROTO_TLS1 or 01257 * MBEDTLS_SSL_PROTO_TLS1_1 or 01258 * MBEDTLS_SSL_PROTO_TLS1_2 01259 * 01260 * Comment this macro to disable support for Extended Master Secret. 01261 */ 01262 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET 01263 01264 /** 01265 * \def MBEDTLS_SSL_FALLBACK_SCSV 01266 * 01267 * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00). 01268 * 01269 * For servers, it is recommended to always enable this, unless you support 01270 * only one version of TLS, or know for sure that none of your clients 01271 * implements a fallback strategy. 01272 * 01273 * For clients, you only need this if you're using a fallback strategy, which 01274 * is not recommended in the first place, unless you absolutely need it to 01275 * interoperate with buggy (version-intolerant) servers. 01276 * 01277 * Comment this macro to disable support for FALLBACK_SCSV 01278 */ 01279 //#define MBEDTLS_SSL_FALLBACK_SCSV 01280 01281 /** 01282 * \def MBEDTLS_SSL_HW_RECORD_ACCEL 01283 * 01284 * Enable hooking functions in SSL module for hardware acceleration of 01285 * individual records. 01286 * 01287 * Uncomment this macro to enable hooking functions. 01288 */ 01289 //#define MBEDTLS_SSL_HW_RECORD_ACCEL 01290 01291 /** 01292 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING 01293 * 01294 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0. 01295 * 01296 * This is a countermeasure to the BEAST attack, which also minimizes the risk 01297 * of interoperability issues compared to sending 0-length records. 01298 * 01299 * Comment this macro to disable 1/n-1 record splitting. 01300 */ 01301 //#define MBEDTLS_SSL_CBC_RECORD_SPLITTING 01302 01303 /** 01304 * \def MBEDTLS_SSL_RENEGOTIATION 01305 * 01306 * Disable support for TLS renegotiation. 01307 * 01308 * The two main uses of renegotiation are (1) refresh keys on long-lived 01309 * connections and (2) client authentication after the initial handshake. 01310 * If you don't need renegotiation, it's probably better to disable it, since 01311 * it has been associated with security issues in the past and is easy to 01312 * misuse/misunderstand. 01313 * 01314 * Comment this to disable support for renegotiation. 01315 * 01316 * \note Even if this option is disabled, both client and server are aware 01317 * of the Renegotiation Indication Extension (RFC 5746) used to 01318 * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1). 01319 * (See \c mbedtls_ssl_conf_legacy_renegotiation for the 01320 * configuration of this extension). 01321 * 01322 */ 01323 #define MBEDTLS_SSL_RENEGOTIATION 01324 01325 /** 01326 * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO 01327 * 01328 * Enable support for receiving and parsing SSLv2 Client Hello messages for the 01329 * SSL Server module (MBEDTLS_SSL_SRV_C). 01330 * 01331 * Uncomment this macro to enable support for SSLv2 Client Hello messages. 01332 */ 01333 //#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO 01334 01335 /** 01336 * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE 01337 * 01338 * Pick the ciphersuite according to the client's preferences rather than ours 01339 * in the SSL Server module (MBEDTLS_SSL_SRV_C). 01340 * 01341 * Uncomment this macro to respect client's ciphersuite order 01342 */ 01343 //#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE 01344 01345 /** 01346 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 01347 * 01348 * Enable support for RFC 6066 max_fragment_length extension in SSL. 01349 * 01350 * Comment this macro to disable support for the max_fragment_length extension 01351 */ 01352 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 01353 01354 /** 01355 * \def MBEDTLS_SSL_PROTO_SSL3 01356 * 01357 * Enable support for SSL 3.0. 01358 * 01359 * Requires: MBEDTLS_MD5_C 01360 * MBEDTLS_SHA1_C 01361 * 01362 * Comment this macro to disable support for SSL 3.0 01363 */ 01364 //#define MBEDTLS_SSL_PROTO_SSL3 01365 01366 /** 01367 * \def MBEDTLS_SSL_PROTO_TLS1 01368 * 01369 * Enable support for TLS 1.0. 01370 * 01371 * Requires: MBEDTLS_MD5_C 01372 * MBEDTLS_SHA1_C 01373 * 01374 * Comment this macro to disable support for TLS 1.0 01375 */ 01376 //#define MBEDTLS_SSL_PROTO_TLS1 01377 01378 /** 01379 * \def MBEDTLS_SSL_PROTO_TLS1_1 01380 * 01381 * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). 01382 * 01383 * Requires: MBEDTLS_MD5_C 01384 * MBEDTLS_SHA1_C 01385 * 01386 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0 01387 */ 01388 //#define MBEDTLS_SSL_PROTO_TLS1_1 01389 01390 /** 01391 * \def MBEDTLS_SSL_PROTO_TLS1_2 01392 * 01393 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). 01394 * 01395 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C 01396 * (Depends on ciphersuites) 01397 * 01398 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 01399 */ 01400 #define MBEDTLS_SSL_PROTO_TLS1_2 01401 01402 /** 01403 * \def MBEDTLS_SSL_PROTO_DTLS 01404 * 01405 * Enable support for DTLS (all available versions). 01406 * 01407 * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, 01408 * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. 01409 * 01410 * Requires: MBEDTLS_SSL_PROTO_TLS1_1 01411 * or MBEDTLS_SSL_PROTO_TLS1_2 01412 * 01413 * Comment this macro to disable support for DTLS 01414 */ 01415 #define MBEDTLS_SSL_PROTO_DTLS 01416 01417 /** 01418 * \def MBEDTLS_SSL_ALPN 01419 * 01420 * Enable support for RFC 7301 Application Layer Protocol Negotiation. 01421 * 01422 * Comment this macro to disable support for ALPN. 01423 */ 01424 #define MBEDTLS_SSL_ALPN 01425 01426 /** 01427 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY 01428 * 01429 * Enable support for the anti-replay mechanism in DTLS. 01430 * 01431 * Requires: MBEDTLS_SSL_TLS_C 01432 * MBEDTLS_SSL_PROTO_DTLS 01433 * 01434 * \warning Disabling this is often a security risk! 01435 * See mbedtls_ssl_conf_dtls_anti_replay() for details. 01436 * 01437 * Comment this to disable anti-replay in DTLS. 01438 */ 01439 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY 01440 01441 /** 01442 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY 01443 * 01444 * Enable support for HelloVerifyRequest on DTLS servers. 01445 * 01446 * This feature is highly recommended to prevent DTLS servers being used as 01447 * amplifiers in DoS attacks against other hosts. It should always be enabled 01448 * unless you know for sure amplification cannot be a problem in the 01449 * environment in which your server operates. 01450 * 01451 * \warning Disabling this can ba a security risk! (see above) 01452 * 01453 * Requires: MBEDTLS_SSL_PROTO_DTLS 01454 * 01455 * Comment this to disable support for HelloVerifyRequest. 01456 */ 01457 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY 01458 01459 /** 01460 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 01461 * 01462 * Enable server-side support for clients that reconnect from the same port. 01463 * 01464 * Some clients unexpectedly close the connection and try to reconnect using the 01465 * same source port. This needs special support from the server to handle the 01466 * new connection securely, as described in section 4.2.8 of RFC 6347. This 01467 * flag enables that support. 01468 * 01469 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY 01470 * 01471 * Comment this to disable support for clients reusing the source port. 01472 */ 01473 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 01474 01475 /** 01476 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT 01477 * 01478 * Enable support for a limit of records with bad MAC. 01479 * 01480 * See mbedtls_ssl_conf_dtls_badmac_limit(). 01481 * 01482 * Requires: MBEDTLS_SSL_PROTO_DTLS 01483 */ 01484 #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT 01485 01486 /** 01487 * \def MBEDTLS_SSL_SESSION_TICKETS 01488 * 01489 * Enable support for RFC 5077 session tickets in SSL. 01490 * Client-side, provides full support for session tickets (maintainance of a 01491 * session store remains the responsibility of the application, though). 01492 * Server-side, you also need to provide callbacks for writing and parsing 01493 * tickets, including authenticated encryption and key management. Example 01494 * callbacks are provided by MBEDTLS_SSL_TICKET_C. 01495 * 01496 * Comment this macro to disable support for SSL session tickets 01497 */ 01498 #define MBEDTLS_SSL_SESSION_TICKETS 01499 01500 /** 01501 * \def MBEDTLS_SSL_EXPORT_KEYS 01502 * 01503 * Enable support for exporting key block and master secret. 01504 * This is required for certain users of TLS, e.g. EAP-TLS. 01505 * 01506 * Comment this macro to disable support for key export 01507 */ 01508 #define MBEDTLS_SSL_EXPORT_KEYS 01509 01510 /** 01511 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION 01512 * 01513 * Enable support for RFC 6066 server name indication (SNI) in SSL. 01514 * 01515 * Requires: MBEDTLS_X509_CRT_PARSE_C 01516 * 01517 * Comment this macro to disable support for server name indication in SSL 01518 */ 01519 #define MBEDTLS_SSL_SERVER_NAME_INDICATION 01520 01521 /** 01522 * \def MBEDTLS_SSL_TRUNCATED_HMAC 01523 * 01524 * Enable support for RFC 6066 truncated HMAC in SSL. 01525 * 01526 * Comment this macro to disable support for truncated HMAC in SSL 01527 */ 01528 //#define MBEDTLS_SSL_TRUNCATED_HMAC 01529 01530 /** 01531 * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 01532 * 01533 * Fallback to old (pre-2.7), non-conforming implementation of the truncated 01534 * HMAC extension which also truncates the HMAC key. Note that this option is 01535 * only meant for a transitory upgrade period and is likely to be removed in 01536 * a future version of the library. 01537 * 01538 * \warning The old implementation is non-compliant and has a security weakness 01539 * (2^80 brute force attack on the HMAC key used for a single, 01540 * uninterrupted connection). This should only be enabled temporarily 01541 * when (1) the use of truncated HMAC is essential in order to save 01542 * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use 01543 * the fixed implementation yet (pre-2.7). 01544 * 01545 * \deprecated This option is deprecated and will likely be removed in a 01546 * future version of Mbed TLS. 01547 * 01548 * Uncomment to fallback to old, non-compliant truncated HMAC implementation. 01549 * 01550 * Requires: MBEDTLS_SSL_TRUNCATED_HMAC 01551 */ 01552 //#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT 01553 01554 /** 01555 * \def MBEDTLS_THREADING_ALT 01556 * 01557 * Provide your own alternate threading implementation. 01558 * 01559 * Requires: MBEDTLS_THREADING_C 01560 * 01561 * Uncomment this to allow your own alternate threading implementation. 01562 */ 01563 //#define MBEDTLS_THREADING_ALT 01564 01565 /** 01566 * \def MBEDTLS_THREADING_PTHREAD 01567 * 01568 * Enable the pthread wrapper layer for the threading layer. 01569 * 01570 * Requires: MBEDTLS_THREADING_C 01571 * 01572 * Uncomment this to enable pthread mutexes. 01573 */ 01574 //#define MBEDTLS_THREADING_PTHREAD 01575 01576 /** 01577 * \def MBEDTLS_VERSION_FEATURES 01578 * 01579 * Allow run-time checking of compile-time enabled features. Thus allowing users 01580 * to check at run-time if the library is for instance compiled with threading 01581 * support via mbedtls_version_check_feature(). 01582 * 01583 * Requires: MBEDTLS_VERSION_C 01584 * 01585 * Comment this to disable run-time checking and save ROM space 01586 */ 01587 #define MBEDTLS_VERSION_FEATURES 01588 01589 /** 01590 * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 01591 * 01592 * If set, the X509 parser will not break-off when parsing an X509 certificate 01593 * and encountering an extension in a v1 or v2 certificate. 01594 * 01595 * Uncomment to prevent an error. 01596 */ 01597 //#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 01598 01599 /** 01600 * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 01601 * 01602 * If set, the X509 parser will not break-off when parsing an X509 certificate 01603 * and encountering an unknown critical extension. 01604 * 01605 * \warning Depending on your PKI use, enabling this can be a security risk! 01606 * 01607 * Uncomment to prevent an error. 01608 */ 01609 //#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 01610 01611 /** 01612 * \def MBEDTLS_X509_CHECK_KEY_USAGE 01613 * 01614 * Enable verification of the keyUsage extension (CA and leaf certificates). 01615 * 01616 * Disabling this avoids problems with mis-issued and/or misused 01617 * (intermediate) CA and leaf certificates. 01618 * 01619 * \warning Depending on your PKI use, disabling this can be a security risk! 01620 * 01621 * Comment to skip keyUsage checking for both CA and leaf certificates. 01622 */ 01623 #define MBEDTLS_X509_CHECK_KEY_USAGE 01624 01625 /** 01626 * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 01627 * 01628 * Enable verification of the extendedKeyUsage extension (leaf certificates). 01629 * 01630 * Disabling this avoids problems with mis-issued and/or misused certificates. 01631 * 01632 * \warning Depending on your PKI use, disabling this can be a security risk! 01633 * 01634 * Comment to skip extendedKeyUsage checking for certificates. 01635 */ 01636 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE 01637 01638 /** 01639 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT 01640 * 01641 * Enable parsing and verification of X.509 certificates, CRLs and CSRS 01642 * signed with RSASSA-PSS (aka PKCS#1 v2.1). 01643 * 01644 * Comment this macro to disallow using RSASSA-PSS in certificates. 01645 */ 01646 //#define MBEDTLS_X509_RSASSA_PSS_SUPPORT 01647 01648 /** 01649 * \def MBEDTLS_ZLIB_SUPPORT 01650 * 01651 * If set, the SSL/TLS module uses ZLIB to support compression and 01652 * decompression of packet data. 01653 * 01654 * \warning TLS-level compression MAY REDUCE SECURITY! See for example the 01655 * CRIME attack. Before enabling this option, you should examine with care if 01656 * CRIME or similar exploits may be a applicable to your use case. 01657 * 01658 * \note Currently compression can't be used with DTLS. 01659 * 01660 * \deprecated This feature is deprecated and will be removed 01661 * in the next major revision of the library. 01662 * 01663 * Used in: library/ssl_tls.c 01664 * library/ssl_cli.c 01665 * library/ssl_srv.c 01666 * 01667 * This feature requires zlib library and headers to be present. 01668 * 01669 * Uncomment to enable use of ZLIB 01670 */ 01671 //#define MBEDTLS_ZLIB_SUPPORT 01672 /* \} name SECTION: mbed TLS feature support */ 01673 01674 /** 01675 * \name SECTION: mbed TLS modules 01676 * 01677 * This section enables or disables entire modules in mbed TLS 01678 * \{ 01679 */ 01680 01681 /** 01682 * \def MBEDTLS_AESNI_C 01683 * 01684 * Enable AES-NI support on x86-64. 01685 * 01686 * Module: library/aesni.c 01687 * Caller: library/aes.c 01688 * 01689 * Requires: MBEDTLS_HAVE_ASM 01690 * 01691 * This modules adds support for the AES-NI instructions on x86-64 01692 */ 01693 //#define MBEDTLS_AESNI_C 01694 01695 /** 01696 * \def MBEDTLS_AES_C 01697 * 01698 * Enable the AES block cipher. 01699 * 01700 * Module: library/aes.c 01701 * Caller: library/cipher.c 01702 * library/pem.c 01703 * library/ctr_drbg.c 01704 * 01705 * This module enables the following ciphersuites (if other requisites are 01706 * enabled as well): 01707 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 01708 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 01709 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 01710 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 01711 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 01712 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 01713 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 01714 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 01715 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 01716 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 01717 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 01718 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 01719 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 01720 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 01721 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 01722 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 01723 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 01724 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 01725 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 01726 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 01727 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 01728 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 01729 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 01730 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 01731 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 01732 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 01733 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 01734 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 01735 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 01736 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 01737 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 01738 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 01739 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 01740 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 01741 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 01742 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 01743 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 01744 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 01745 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 01746 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 01747 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 01748 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 01749 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 01750 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 01751 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 01752 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 01753 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 01754 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 01755 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 01756 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 01757 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 01758 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 01759 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 01760 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 01761 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 01762 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 01763 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 01764 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 01765 * 01766 * PEM_PARSE uses AES for decrypting encrypted keys. 01767 */ 01768 #define MBEDTLS_AES_C 01769 01770 /** 01771 * \def MBEDTLS_ARC4_C 01772 * 01773 * Enable the ARCFOUR stream cipher. 01774 * 01775 * Module: library/arc4.c 01776 * Caller: library/cipher.c 01777 * 01778 * This module enables the following ciphersuites (if other requisites are 01779 * enabled as well): 01780 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 01781 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA 01782 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 01783 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA 01784 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 01785 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA 01786 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA 01787 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 01788 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA 01789 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA 01790 * 01791 * \warning ARC4 is considered a weak cipher and its use constitutes a 01792 * security risk. If possible, we recommend avoidng dependencies on 01793 * it, and considering stronger ciphers instead. 01794 * 01795 */ 01796 //#define MBEDTLS_ARC4_C 01797 01798 /** 01799 * \def MBEDTLS_ASN1_PARSE_C 01800 * 01801 * Enable the generic ASN1 parser. 01802 * 01803 * Module: library/asn1.c 01804 * Caller: library/x509.c 01805 * library/dhm.c 01806 * library/pkcs12.c 01807 * library/pkcs5.c 01808 * library/pkparse.c 01809 */ 01810 #define MBEDTLS_ASN1_PARSE_C 01811 01812 /** 01813 * \def MBEDTLS_ASN1_WRITE_C 01814 * 01815 * Enable the generic ASN1 writer. 01816 * 01817 * Module: library/asn1write.c 01818 * Caller: library/ecdsa.c 01819 * library/pkwrite.c 01820 * library/x509_create.c 01821 * library/x509write_crt.c 01822 * library/x509write_csr.c 01823 */ 01824 #define MBEDTLS_ASN1_WRITE_C 01825 01826 /** 01827 * \def MBEDTLS_BASE64_C 01828 * 01829 * Enable the Base64 module. 01830 * 01831 * Module: library/base64.c 01832 * Caller: library/pem.c 01833 * 01834 * This module is required for PEM support (required by X.509). 01835 */ 01836 #define MBEDTLS_BASE64_C 01837 01838 /** 01839 * \def MBEDTLS_BIGNUM_C 01840 * 01841 * Enable the multi-precision integer library. 01842 * 01843 * Module: library/bignum.c 01844 * Caller: library/dhm.c 01845 * library/ecp.c 01846 * library/ecdsa.c 01847 * library/rsa.c 01848 * library/rsa_internal.c 01849 * library/ssl_tls.c 01850 * 01851 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. 01852 */ 01853 #define MBEDTLS_BIGNUM_C 01854 01855 /** 01856 * \def MBEDTLS_BLOWFISH_C 01857 * 01858 * Enable the Blowfish block cipher. 01859 * 01860 * Module: library/blowfish.c 01861 */ 01862 //#define MBEDTLS_BLOWFISH_C 01863 01864 /** 01865 * \def MBEDTLS_CAMELLIA_C 01866 * 01867 * Enable the Camellia block cipher. 01868 * 01869 * Module: library/camellia.c 01870 * Caller: library/cipher.c 01871 * 01872 * This module enables the following ciphersuites (if other requisites are 01873 * enabled as well): 01874 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 01875 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 01876 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 01877 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 01878 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 01879 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 01880 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 01881 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 01882 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 01883 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 01884 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 01885 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 01886 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 01887 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 01888 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 01889 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 01890 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 01891 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 01892 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 01893 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 01894 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 01895 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 01896 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 01897 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 01898 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 01899 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 01900 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 01901 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 01902 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 01903 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 01904 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 01905 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 01906 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 01907 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 01908 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 01909 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 01910 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 01911 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 01912 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 01913 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 01914 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 01915 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 01916 */ 01917 //#define MBEDTLS_CAMELLIA_C 01918 01919 /** 01920 * \def MBEDTLS_ARIA_C 01921 * 01922 * Enable the ARIA block cipher. 01923 * 01924 * Module: library/aria.c 01925 * Caller: library/cipher.c 01926 * 01927 * This module enables the following ciphersuites (if other requisites are 01928 * enabled as well): 01929 * 01930 * MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 01931 * MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 01932 * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 01933 * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 01934 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 01935 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 01936 * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 01937 * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 01938 * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 01939 * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 01940 * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 01941 * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 01942 * MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 01943 * MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 01944 * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 01945 * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 01946 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 01947 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 01948 * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 01949 * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 01950 * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 01951 * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 01952 * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 01953 * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 01954 * MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 01955 * MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 01956 * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 01957 * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 01958 * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 01959 * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 01960 * MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 01961 * MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 01962 * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 01963 * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 01964 * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 01965 * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 01966 * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 01967 * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 01968 */ 01969 //#define MBEDTLS_ARIA_C 01970 01971 /** 01972 * \def MBEDTLS_CCM_C 01973 * 01974 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. 01975 * 01976 * Module: library/ccm.c 01977 * 01978 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C 01979 * 01980 * This module enables the AES-CCM ciphersuites, if other requisites are 01981 * enabled as well. 01982 */ 01983 #define MBEDTLS_CCM_C 01984 01985 /** 01986 * \def MBEDTLS_CERTS_C 01987 * 01988 * Enable the test certificates. 01989 * 01990 * Module: library/certs.c 01991 * Caller: 01992 * 01993 * This module is used for testing (ssl_client/server). 01994 */ 01995 #define MBEDTLS_CERTS_C 01996 01997 /** 01998 * \def MBEDTLS_CHACHA20_C 01999 * 02000 * Enable the ChaCha20 stream cipher. 02001 * 02002 * Module: library/chacha20.c 02003 */ 02004 #define MBEDTLS_CHACHA20_C 02005 02006 /** 02007 * \def MBEDTLS_CHACHAPOLY_C 02008 * 02009 * Enable the ChaCha20-Poly1305 AEAD algorithm. 02010 * 02011 * Module: library/chachapoly.c 02012 * 02013 * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C 02014 */ 02015 #define MBEDTLS_CHACHAPOLY_C 02016 02017 /** 02018 * \def MBEDTLS_CIPHER_C 02019 * 02020 * Enable the generic cipher layer. 02021 * 02022 * Module: library/cipher.c 02023 * Caller: library/ssl_tls.c 02024 * 02025 * Uncomment to enable generic cipher wrappers. 02026 */ 02027 #define MBEDTLS_CIPHER_C 02028 02029 /** 02030 * \def MBEDTLS_CMAC_C 02031 * 02032 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block 02033 * ciphers. 02034 * 02035 * Module: library/cmac.c 02036 * 02037 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C 02038 * 02039 */ 02040 #define MBEDTLS_CMAC_C 02041 02042 /** 02043 * \def MBEDTLS_CTR_DRBG_C 02044 * 02045 * Enable the CTR_DRBG AES-256-based random generator. 02046 * 02047 * Module: library/ctr_drbg.c 02048 * Caller: 02049 * 02050 * Requires: MBEDTLS_AES_C 02051 * 02052 * This module provides the CTR_DRBG AES-256 random number generator. 02053 */ 02054 #define MBEDTLS_CTR_DRBG_C 02055 02056 /** 02057 * \def MBEDTLS_DEBUG_C 02058 * 02059 * Enable the debug functions. 02060 * 02061 * Module: library/debug.c 02062 * Caller: library/ssl_cli.c 02063 * library/ssl_srv.c 02064 * library/ssl_tls.c 02065 * 02066 * This module provides debugging functions. 02067 */ 02068 #define MBEDTLS_DEBUG_C 02069 02070 /** 02071 * \def MBEDTLS_DES_C 02072 * 02073 * Enable the DES block cipher. 02074 * 02075 * Module: library/des.c 02076 * Caller: library/pem.c 02077 * library/cipher.c 02078 * 02079 * This module enables the following ciphersuites (if other requisites are 02080 * enabled as well): 02081 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 02082 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 02083 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 02084 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 02085 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 02086 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 02087 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 02088 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 02089 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 02090 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 02091 * 02092 * PEM_PARSE uses DES/3DES for decrypting encrypted keys. 02093 * 02094 * \warning DES is considered a weak cipher and its use constitutes a 02095 * security risk. We recommend considering stronger ciphers instead. 02096 */ 02097 //#define MBEDTLS_DES_C 02098 02099 /** 02100 * \def MBEDTLS_DHM_C 02101 * 02102 * Enable the Diffie-Hellman-Merkle module. 02103 * 02104 * Module: library/dhm.c 02105 * Caller: library/ssl_cli.c 02106 * library/ssl_srv.c 02107 * 02108 * This module is used by the following key exchanges: 02109 * DHE-RSA, DHE-PSK 02110 * 02111 * \warning Using DHE constitutes a security risk as it 02112 * is not possible to validate custom DH parameters. 02113 * If possible, it is recommended users should consider 02114 * preferring other methods of key exchange. 02115 * See dhm.h for more details. 02116 * 02117 */ 02118 //#define MBEDTLS_DHM_C 02119 02120 /** 02121 * \def MBEDTLS_ECDH_C 02122 * 02123 * Enable the elliptic curve Diffie-Hellman library. 02124 * 02125 * Module: library/ecdh.c 02126 * Caller: library/ssl_cli.c 02127 * library/ssl_srv.c 02128 * 02129 * This module is used by the following key exchanges: 02130 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK 02131 * 02132 * Requires: MBEDTLS_ECP_C 02133 */ 02134 #define MBEDTLS_ECDH_C 02135 02136 /** 02137 * \def MBEDTLS_ECDSA_C 02138 * 02139 * Enable the elliptic curve DSA library. 02140 * 02141 * Module: library/ecdsa.c 02142 * Caller: 02143 * 02144 * This module is used by the following key exchanges: 02145 * ECDHE-ECDSA 02146 * 02147 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C 02148 */ 02149 #define MBEDTLS_ECDSA_C 02150 02151 /** 02152 * \def MBEDTLS_ECJPAKE_C 02153 * 02154 * Enable the elliptic curve J-PAKE library. 02155 * 02156 * \warning This is currently experimental. EC J-PAKE support is based on the 02157 * Thread v1.0.0 specification; incompatible changes to the specification 02158 * might still happen. For this reason, this is disabled by default. 02159 * 02160 * Module: library/ecjpake.c 02161 * Caller: 02162 * 02163 * This module is used by the following key exchanges: 02164 * ECJPAKE 02165 * 02166 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C 02167 */ 02168 //#define MBEDTLS_ECJPAKE_C 02169 02170 /** 02171 * \def MBEDTLS_ECP_C 02172 * 02173 * Enable the elliptic curve over GF(p) library. 02174 * 02175 * Module: library/ecp.c 02176 * Caller: library/ecdh.c 02177 * library/ecdsa.c 02178 * library/ecjpake.c 02179 * 02180 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED 02181 */ 02182 #define MBEDTLS_ECP_C 02183 02184 /** 02185 * \def MBEDTLS_ENTROPY_C 02186 * 02187 * Enable the platform-specific entropy code. 02188 * 02189 * Module: library/entropy.c 02190 * Caller: 02191 * 02192 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C 02193 * 02194 * This module provides a generic entropy pool 02195 */ 02196 #define MBEDTLS_ENTROPY_C 02197 02198 /** 02199 * \def MBEDTLS_ERROR_C 02200 * 02201 * Enable error code to error string conversion. 02202 * 02203 * Module: library/error.c 02204 * Caller: 02205 * 02206 * This module enables mbedtls_strerror(). 02207 */ 02208 #define MBEDTLS_ERROR_C 02209 02210 /** 02211 * \def MBEDTLS_GCM_C 02212 * 02213 * Enable the Galois/Counter Mode (GCM) for AES. 02214 * 02215 * Module: library/gcm.c 02216 * 02217 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C 02218 * 02219 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other 02220 * requisites are enabled as well. 02221 */ 02222 #define MBEDTLS_GCM_C 02223 02224 /** 02225 * \def MBEDTLS_HAVEGE_C 02226 * 02227 * Enable the HAVEGE random generator. 02228 * 02229 * Warning: the HAVEGE random generator is not suitable for virtualized 02230 * environments 02231 * 02232 * Warning: the HAVEGE random generator is dependent on timing and specific 02233 * processor traits. It is therefore not advised to use HAVEGE as 02234 * your applications primary random generator or primary entropy pool 02235 * input. As a secondary input to your entropy pool, it IS able add 02236 * the (limited) extra entropy it provides. 02237 * 02238 * Module: library/havege.c 02239 * Caller: 02240 * 02241 * Requires: MBEDTLS_TIMING_C 02242 * 02243 * Uncomment to enable the HAVEGE random generator. 02244 */ 02245 //#define MBEDTLS_HAVEGE_C 02246 02247 /** 02248 * \def MBEDTLS_HKDF_C 02249 * 02250 * Enable the HKDF algorithm (RFC 5869). 02251 * 02252 * Module: library/hkdf.c 02253 * Caller: 02254 * 02255 * Requires: MBEDTLS_MD_C 02256 * 02257 * This module adds support for the Hashed Message Authentication Code 02258 * (HMAC)-based key derivation function (HKDF). 02259 */ 02260 #define MBEDTLS_HKDF_C 02261 02262 /** 02263 * \def MBEDTLS_HMAC_DRBG_C 02264 * 02265 * Enable the HMAC_DRBG random generator. 02266 * 02267 * Module: library/hmac_drbg.c 02268 * Caller: 02269 * 02270 * Requires: MBEDTLS_MD_C 02271 * 02272 * Uncomment to enable the HMAC_DRBG random number geerator. 02273 */ 02274 #define MBEDTLS_HMAC_DRBG_C 02275 02276 /** 02277 * \def MBEDTLS_NIST_KW_C 02278 * 02279 * Enable the Key Wrapping mode for 128-bit block ciphers, 02280 * as defined in NIST SP 800-38F. Only KW and KWP modes 02281 * are supported. At the moment, only AES is approved by NIST. 02282 * 02283 * Module: library/nist_kw.c 02284 * 02285 * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C 02286 */ 02287 //#define MBEDTLS_NIST_KW_C 02288 02289 /** 02290 * \def MBEDTLS_MD_C 02291 * 02292 * Enable the generic message digest layer. 02293 * 02294 * Module: library/md.c 02295 * Caller: 02296 * 02297 * Uncomment to enable generic message digest wrappers. 02298 */ 02299 #define MBEDTLS_MD_C 02300 02301 /** 02302 * \def MBEDTLS_MD2_C 02303 * 02304 * Enable the MD2 hash algorithm. 02305 * 02306 * Module: library/md2.c 02307 * Caller: 02308 * 02309 * Uncomment to enable support for (rare) MD2-signed X.509 certs. 02310 * 02311 * \warning MD2 is considered a weak message digest and its use constitutes a 02312 * security risk. If possible, we recommend avoiding dependencies on 02313 * it, and considering stronger message digests instead. 02314 * 02315 */ 02316 //#define MBEDTLS_MD2_C 02317 02318 /** 02319 * \def MBEDTLS_MD4_C 02320 * 02321 * Enable the MD4 hash algorithm. 02322 * 02323 * Module: library/md4.c 02324 * Caller: 02325 * 02326 * Uncomment to enable support for (rare) MD4-signed X.509 certs. 02327 * 02328 * \warning MD4 is considered a weak message digest and its use constitutes a 02329 * security risk. If possible, we recommend avoiding dependencies on 02330 * it, and considering stronger message digests instead. 02331 * 02332 */ 02333 //#define MBEDTLS_MD4_C 02334 02335 /** 02336 * \def MBEDTLS_MD5_C 02337 * 02338 * Enable the MD5 hash algorithm. 02339 * 02340 * Module: library/md5.c 02341 * Caller: library/md.c 02342 * library/pem.c 02343 * library/ssl_tls.c 02344 * 02345 * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2 02346 * depending on the handshake parameters. Further, it is used for checking 02347 * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded 02348 * encrypted keys. 02349 * 02350 * \warning MD5 is considered a weak message digest and its use constitutes a 02351 * security risk. If possible, we recommend avoiding dependencies on 02352 * it, and considering stronger message digests instead. 02353 * 02354 */ 02355 //#define MBEDTLS_MD5_C 02356 02357 /** 02358 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C 02359 * 02360 * Enable the buffer allocator implementation that makes use of a (stack) 02361 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() 02362 * calls) 02363 * 02364 * Module: library/memory_buffer_alloc.c 02365 * 02366 * Requires: MBEDTLS_PLATFORM_C 02367 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) 02368 * 02369 * Enable this module to enable the buffer memory allocator. 02370 */ 02371 //#define MBEDTLS_MEMORY_BUFFER_ALLOC_C 02372 02373 /** 02374 * \def MBEDTLS_NET_C 02375 * 02376 * Enable the TCP and UDP over IPv6/IPv4 networking routines. 02377 * 02378 * \note This module only works on POSIX/Unix (including Linux, BSD and OS X) 02379 * and Windows. For other platforms, you'll want to disable it, and write your 02380 * own networking callbacks to be passed to \c mbedtls_ssl_set_bio(). 02381 * 02382 * \note See also our Knowledge Base article about porting to a new 02383 * environment: 02384 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 02385 * 02386 * Module: library/net_sockets.c 02387 * 02388 * This module provides networking routines. 02389 */ 02390 //#define MBEDTLS_NET_C 02391 02392 /** 02393 * \def MBEDTLS_OID_C 02394 * 02395 * Enable the OID database. 02396 * 02397 * Module: library/oid.c 02398 * Caller: library/asn1write.c 02399 * library/pkcs5.c 02400 * library/pkparse.c 02401 * library/pkwrite.c 02402 * library/rsa.c 02403 * library/x509.c 02404 * library/x509_create.c 02405 * library/x509_crl.c 02406 * library/x509_crt.c 02407 * library/x509_csr.c 02408 * library/x509write_crt.c 02409 * library/x509write_csr.c 02410 * 02411 * This modules translates between OIDs and internal values. 02412 */ 02413 #define MBEDTLS_OID_C 02414 02415 /** 02416 * \def MBEDTLS_PADLOCK_C 02417 * 02418 * Enable VIA Padlock support on x86. 02419 * 02420 * Module: library/padlock.c 02421 * Caller: library/aes.c 02422 * 02423 * Requires: MBEDTLS_HAVE_ASM 02424 * 02425 * This modules adds support for the VIA PadLock on x86. 02426 */ 02427 //#define MBEDTLS_PADLOCK_C 02428 02429 /** 02430 * \def MBEDTLS_PEM_PARSE_C 02431 * 02432 * Enable PEM decoding / parsing. 02433 * 02434 * Module: library/pem.c 02435 * Caller: library/dhm.c 02436 * library/pkparse.c 02437 * library/x509_crl.c 02438 * library/x509_crt.c 02439 * library/x509_csr.c 02440 * 02441 * Requires: MBEDTLS_BASE64_C 02442 * 02443 * This modules adds support for decoding / parsing PEM files. 02444 */ 02445 #define MBEDTLS_PEM_PARSE_C 02446 02447 /** 02448 * \def MBEDTLS_PEM_WRITE_C 02449 * 02450 * Enable PEM encoding / writing. 02451 * 02452 * Module: library/pem.c 02453 * Caller: library/pkwrite.c 02454 * library/x509write_crt.c 02455 * library/x509write_csr.c 02456 * 02457 * Requires: MBEDTLS_BASE64_C 02458 * 02459 * This modules adds support for encoding / writing PEM files. 02460 */ 02461 //#define MBEDTLS_PEM_WRITE_C 02462 02463 /** 02464 * \def MBEDTLS_PK_C 02465 * 02466 * Enable the generic public (asymetric) key layer. 02467 * 02468 * Module: library/pk.c 02469 * Caller: library/ssl_tls.c 02470 * library/ssl_cli.c 02471 * library/ssl_srv.c 02472 * 02473 * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C 02474 * 02475 * Uncomment to enable generic public key wrappers. 02476 */ 02477 #define MBEDTLS_PK_C 02478 02479 /** 02480 * \def MBEDTLS_PK_PARSE_C 02481 * 02482 * Enable the generic public (asymetric) key parser. 02483 * 02484 * Module: library/pkparse.c 02485 * Caller: library/x509_crt.c 02486 * library/x509_csr.c 02487 * 02488 * Requires: MBEDTLS_PK_C 02489 * 02490 * Uncomment to enable generic public key parse functions. 02491 */ 02492 #define MBEDTLS_PK_PARSE_C 02493 02494 /** 02495 * \def MBEDTLS_PK_WRITE_C 02496 * 02497 * Enable the generic public (asymetric) key writer. 02498 * 02499 * Module: library/pkwrite.c 02500 * Caller: library/x509write.c 02501 * 02502 * Requires: MBEDTLS_PK_C 02503 * 02504 * Uncomment to enable generic public key write functions. 02505 */ 02506 #define MBEDTLS_PK_WRITE_C 02507 02508 /** 02509 * \def MBEDTLS_PKCS5_C 02510 * 02511 * Enable PKCS#5 functions. 02512 * 02513 * Module: library/pkcs5.c 02514 * 02515 * Requires: MBEDTLS_MD_C 02516 * 02517 * This module adds support for the PKCS#5 functions. 02518 */ 02519 //#define MBEDTLS_PKCS5_C 02520 02521 /** 02522 * \def MBEDTLS_PKCS11_C 02523 * 02524 * Enable wrapper for PKCS#11 smartcard support. 02525 * 02526 * Module: library/pkcs11.c 02527 * Caller: library/pk.c 02528 * 02529 * Requires: MBEDTLS_PK_C 02530 * 02531 * This module enables SSL/TLS PKCS #11 smartcard support. 02532 * Requires the presence of the PKCS#11 helper library (libpkcs11-helper) 02533 */ 02534 //#define MBEDTLS_PKCS11_C 02535 02536 /** 02537 * \def MBEDTLS_PKCS12_C 02538 * 02539 * Enable PKCS#12 PBE functions. 02540 * Adds algorithms for parsing PKCS#8 encrypted private keys 02541 * 02542 * Module: library/pkcs12.c 02543 * Caller: library/pkparse.c 02544 * 02545 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C 02546 * Can use: MBEDTLS_ARC4_C 02547 * 02548 * This module enables PKCS#12 functions. 02549 */ 02550 //#define MBEDTLS_PKCS12_C 02551 02552 /** 02553 * \def MBEDTLS_PLATFORM_C 02554 * 02555 * Enable the platform abstraction layer that allows you to re-assign 02556 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 02557 * 02558 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT 02559 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 02560 * above to be specified at runtime or compile time respectively. 02561 * 02562 * \note This abstraction layer must be enabled on Windows (including MSYS2) 02563 * as other module rely on it for a fixed snprintf implementation. 02564 * 02565 * Module: library/platform.c 02566 * Caller: Most other .c files 02567 * 02568 * This module enables abstraction of common (libc) functions. 02569 */ 02570 #define MBEDTLS_PLATFORM_C 02571 02572 /** 02573 * \def MBEDTLS_POLY1305_C 02574 * 02575 * Enable the Poly1305 MAC algorithm. 02576 * 02577 * Module: library/poly1305.c 02578 * Caller: library/chachapoly.c 02579 */ 02580 #define MBEDTLS_POLY1305_C 02581 02582 /** 02583 * \def MBEDTLS_RIPEMD160_C 02584 * 02585 * Enable the RIPEMD-160 hash algorithm. 02586 * 02587 * Module: library/ripemd160.c 02588 * Caller: library/md.c 02589 * 02590 */ 02591 //#define MBEDTLS_RIPEMD160_C 02592 02593 /** 02594 * \def MBEDTLS_RSA_C 02595 * 02596 * Enable the RSA public-key cryptosystem. 02597 * 02598 * Module: library/rsa.c 02599 * library/rsa_internal.c 02600 * Caller: library/ssl_cli.c 02601 * library/ssl_srv.c 02602 * library/ssl_tls.c 02603 * library/x509.c 02604 * 02605 * This module is used by the following key exchanges: 02606 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK 02607 * 02608 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C 02609 */ 02610 #define MBEDTLS_RSA_C 02611 02612 /** 02613 * \def MBEDTLS_SHA1_C 02614 * 02615 * Enable the SHA1 cryptographic hash algorithm. 02616 * 02617 * Module: library/sha1.c 02618 * Caller: library/md.c 02619 * library/ssl_cli.c 02620 * library/ssl_srv.c 02621 * library/ssl_tls.c 02622 * library/x509write_crt.c 02623 * 02624 * This module is required for SSL/TLS up to version 1.1, for TLS 1.2 02625 * depending on the handshake parameters, and for SHA1-signed certificates. 02626 * 02627 * \warning SHA-1 is considered a weak message digest and its use constitutes 02628 * a security risk. If possible, we recommend avoiding dependencies 02629 * on it, and considering stronger message digests instead. 02630 * 02631 */ 02632 //#define MBEDTLS_SHA1_C 02633 02634 /** 02635 * \def MBEDTLS_SHA256_C 02636 * 02637 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms. 02638 * 02639 * Module: library/sha256.c 02640 * Caller: library/entropy.c 02641 * library/md.c 02642 * library/ssl_cli.c 02643 * library/ssl_srv.c 02644 * library/ssl_tls.c 02645 * 02646 * This module adds support for SHA-224 and SHA-256. 02647 * This module is required for the SSL/TLS 1.2 PRF function. 02648 */ 02649 #define MBEDTLS_SHA256_C 02650 02651 /** 02652 * \def MBEDTLS_SHA512_C 02653 * 02654 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms. 02655 * 02656 * Module: library/sha512.c 02657 * Caller: library/entropy.c 02658 * library/md.c 02659 * library/ssl_cli.c 02660 * library/ssl_srv.c 02661 * 02662 * This module adds support for SHA-384 and SHA-512. 02663 */ 02664 #define MBEDTLS_SHA512_C 02665 02666 /** 02667 * \def MBEDTLS_SSL_CACHE_C 02668 * 02669 * Enable simple SSL cache implementation. 02670 * 02671 * Module: library/ssl_cache.c 02672 * Caller: 02673 * 02674 * Requires: MBEDTLS_SSL_CACHE_C 02675 */ 02676 #define MBEDTLS_SSL_CACHE_C 02677 02678 /** 02679 * \def MBEDTLS_SSL_COOKIE_C 02680 * 02681 * Enable basic implementation of DTLS cookies for hello verification. 02682 * 02683 * Module: library/ssl_cookie.c 02684 * Caller: 02685 */ 02686 #define MBEDTLS_SSL_COOKIE_C 02687 02688 /** 02689 * \def MBEDTLS_SSL_TICKET_C 02690 * 02691 * Enable an implementation of TLS server-side callbacks for session tickets. 02692 * 02693 * Module: library/ssl_ticket.c 02694 * Caller: 02695 * 02696 * Requires: MBEDTLS_CIPHER_C 02697 */ 02698 #define MBEDTLS_SSL_TICKET_C 02699 02700 /** 02701 * \def MBEDTLS_SSL_CLI_C 02702 * 02703 * Enable the SSL/TLS client code. 02704 * 02705 * Module: library/ssl_cli.c 02706 * Caller: 02707 * 02708 * Requires: MBEDTLS_SSL_TLS_C 02709 * 02710 * This module is required for SSL/TLS client support. 02711 */ 02712 #define MBEDTLS_SSL_CLI_C 02713 02714 /** 02715 * \def MBEDTLS_SSL_SRV_C 02716 * 02717 * Enable the SSL/TLS server code. 02718 * 02719 * Module: library/ssl_srv.c 02720 * Caller: 02721 * 02722 * Requires: MBEDTLS_SSL_TLS_C 02723 * 02724 * This module is required for SSL/TLS server support. 02725 */ 02726 #define MBEDTLS_SSL_SRV_C 02727 02728 /** 02729 * \def MBEDTLS_SSL_TLS_C 02730 * 02731 * Enable the generic SSL/TLS code. 02732 * 02733 * Module: library/ssl_tls.c 02734 * Caller: library/ssl_cli.c 02735 * library/ssl_srv.c 02736 * 02737 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C 02738 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines 02739 * 02740 * This module is required for SSL/TLS. 02741 */ 02742 #define MBEDTLS_SSL_TLS_C 02743 02744 /** 02745 * \def MBEDTLS_THREADING_C 02746 * 02747 * Enable the threading abstraction layer. 02748 * By default mbed TLS assumes it is used in a non-threaded environment or that 02749 * contexts are not shared between threads. If you do intend to use contexts 02750 * between threads, you will need to enable this layer to prevent race 02751 * conditions. See also our Knowledge Base article about threading: 02752 * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading 02753 * 02754 * Module: library/threading.c 02755 * 02756 * This allows different threading implementations (self-implemented or 02757 * provided). 02758 * 02759 * You will have to enable either MBEDTLS_THREADING_ALT or 02760 * MBEDTLS_THREADING_PTHREAD. 02761 * 02762 * Enable this layer to allow use of mutexes within mbed TLS 02763 */ 02764 //#define MBEDTLS_THREADING_C 02765 02766 /** 02767 * \def MBEDTLS_TIMING_C 02768 * 02769 * Enable the semi-portable timing interface. 02770 * 02771 * \note The provided implementation only works on POSIX/Unix (including Linux, 02772 * BSD and OS X) and Windows. On other platforms, you can either disable that 02773 * module and provide your own implementations of the callbacks needed by 02774 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide 02775 * your own implementation of the whole module by setting 02776 * \c MBEDTLS_TIMING_ALT in the current file. 02777 * 02778 * \note See also our Knowledge Base article about porting to a new 02779 * environment: 02780 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 02781 * 02782 * Module: library/timing.c 02783 * Caller: library/havege.c 02784 * 02785 * This module is used by the HAVEGE random number generator. 02786 */ 02787 //#define MBEDTLS_TIMING_C 02788 02789 /** 02790 * \def MBEDTLS_VERSION_C 02791 * 02792 * Enable run-time version information. 02793 * 02794 * Module: library/version.c 02795 * 02796 * This module provides run-time version information. 02797 */ 02798 #define MBEDTLS_VERSION_C 02799 02800 /** 02801 * \def MBEDTLS_X509_USE_C 02802 * 02803 * Enable X.509 core for using certificates. 02804 * 02805 * Module: library/x509.c 02806 * Caller: library/x509_crl.c 02807 * library/x509_crt.c 02808 * library/x509_csr.c 02809 * 02810 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, 02811 * MBEDTLS_PK_PARSE_C 02812 * 02813 * This module is required for the X.509 parsing modules. 02814 */ 02815 #define MBEDTLS_X509_USE_C 02816 02817 /** 02818 * \def MBEDTLS_X509_CRT_PARSE_C 02819 * 02820 * Enable X.509 certificate parsing. 02821 * 02822 * Module: library/x509_crt.c 02823 * Caller: library/ssl_cli.c 02824 * library/ssl_srv.c 02825 * library/ssl_tls.c 02826 * 02827 * Requires: MBEDTLS_X509_USE_C 02828 * 02829 * This module is required for X.509 certificate parsing. 02830 */ 02831 #define MBEDTLS_X509_CRT_PARSE_C 02832 02833 /** 02834 * \def MBEDTLS_X509_CRL_PARSE_C 02835 * 02836 * Enable X.509 CRL parsing. 02837 * 02838 * Module: library/x509_crl.c 02839 * Caller: library/x509_crt.c 02840 * 02841 * Requires: MBEDTLS_X509_USE_C 02842 * 02843 * This module is required for X.509 CRL parsing. 02844 */ 02845 #define MBEDTLS_X509_CRL_PARSE_C 02846 02847 /** 02848 * \def MBEDTLS_X509_CSR_PARSE_C 02849 * 02850 * Enable X.509 Certificate Signing Request (CSR) parsing. 02851 * 02852 * Module: library/x509_csr.c 02853 * Caller: library/x509_crt_write.c 02854 * 02855 * Requires: MBEDTLS_X509_USE_C 02856 * 02857 * This module is used for reading X.509 certificate request. 02858 */ 02859 //#define MBEDTLS_X509_CSR_PARSE_C 02860 02861 /** 02862 * \def MBEDTLS_X509_CREATE_C 02863 * 02864 * Enable X.509 core for creating certificates. 02865 * 02866 * Module: library/x509_create.c 02867 * 02868 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C 02869 * 02870 * This module is the basis for creating X.509 certificates and CSRs. 02871 */ 02872 //#define MBEDTLS_X509_CREATE_C 02873 02874 /** 02875 * \def MBEDTLS_X509_CRT_WRITE_C 02876 * 02877 * Enable creating X.509 certificates. 02878 * 02879 * Module: library/x509_crt_write.c 02880 * 02881 * Requires: MBEDTLS_X509_CREATE_C 02882 * 02883 * This module is required for X.509 certificate creation. 02884 */ 02885 //#define MBEDTLS_X509_CRT_WRITE_C 02886 02887 /** 02888 * \def MBEDTLS_X509_CSR_WRITE_C 02889 * 02890 * Enable creating X.509 Certificate Signing Requests (CSR). 02891 * 02892 * Module: library/x509_csr_write.c 02893 * 02894 * Requires: MBEDTLS_X509_CREATE_C 02895 * 02896 * This module is required for X.509 certificate request writing. 02897 */ 02898 //#define MBEDTLS_X509_CSR_WRITE_C 02899 02900 /** 02901 * \def MBEDTLS_XTEA_C 02902 * 02903 * Enable the XTEA block cipher. 02904 * 02905 * Module: library/xtea.c 02906 * Caller: 02907 */ 02908 //#define MBEDTLS_XTEA_C 02909 02910 /* \} name SECTION: mbed TLS modules */ 02911 02912 /** 02913 * \name SECTION: Module configuration options 02914 * 02915 * This section allows for the setting of module specific sizes and 02916 * configuration options. The default values are already present in the 02917 * relevant header files and should suffice for the regular use cases. 02918 * 02919 * Our advice is to enable options and change their values here 02920 * only if you have a good reason and know the consequences. 02921 * 02922 * Please check the respective header file for documentation on these 02923 * parameters (to prevent duplicate documentation). 02924 * \{ 02925 */ 02926 02927 /* MPI / BIGNUM options */ 02928 //#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */ 02929 //#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */ 02930 02931 /* CTR_DRBG options */ 02932 //#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */ 02933 //#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ 02934 //#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ 02935 //#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ 02936 //#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ 02937 02938 /* HMAC_DRBG options */ 02939 //#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ 02940 //#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ 02941 //#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ 02942 //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ 02943 02944 /* ECP options */ 02945 //#define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */ 02946 //#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */ 02947 //#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ 02948 02949 /* Entropy options */ 02950 //#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */ 02951 //#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */ 02952 //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */ 02953 02954 /* Memory buffer allocator options */ 02955 //#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */ 02956 02957 /* Platform options */ 02958 //#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ 02959 //#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */ 02960 //#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */ 02961 //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ 02962 //#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ 02963 //#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */ 02964 //#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */ 02965 /* Note: your snprintf must correclty zero-terminate the buffer! */ 02966 //#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */ 02967 //#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */ 02968 //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */ 02969 //#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ 02970 //#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ 02971 //#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */ 02972 02973 /* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */ 02974 /* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ 02975 //#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */ 02976 //#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */ 02977 //#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */ 02978 //#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ 02979 //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ 02980 //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */ 02981 //#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */ 02982 /* Note: your snprintf must correclty zero-terminate the buffer! */ 02983 //#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */ 02984 //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ 02985 //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ 02986 02987 /* SSL Cache options */ 02988 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */ 02989 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */ 02990 02991 /* SSL options */ 02992 02993 /** \def MBEDTLS_SSL_MAX_CONTENT_LEN 02994 * 02995 * Maximum fragment length in bytes. 02996 * 02997 * Determines the size of both the incoming and outgoing TLS I/O buffers. 02998 * 02999 * Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN 03000 * will override this length by setting maximum incoming and/or outgoing 03001 * fragment length, respectively. 03002 */ 03003 //#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 03004 03005 /** \def MBEDTLS_SSL_IN_CONTENT_LEN 03006 * 03007 * Maximum incoming fragment length in bytes. 03008 * 03009 * Uncomment to set the size of the inward TLS buffer independently of the 03010 * outward buffer. 03011 */ 03012 //#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 03013 03014 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN 03015 * 03016 * Maximum outgoing fragment length in bytes. 03017 * 03018 * Uncomment to set the size of the outward TLS buffer independently of the 03019 * inward buffer. 03020 * 03021 * It is possible to save RAM by setting a smaller outward buffer, while keeping 03022 * the default inward 16384 byte buffer to conform to the TLS specification. 03023 * 03024 * The minimum required outward buffer size is determined by the handshake 03025 * protocol's usage. Handshaking will fail if the outward buffer is too small. 03026 * The specific size requirement depends on the configured ciphers and any 03027 * certificate data which is sent during the handshake. 03028 * 03029 * For absolute minimum RAM usage, it's best to enable 03030 * MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This 03031 * reduces both incoming and outgoing buffer sizes. However this is only 03032 * guaranteed if the other end of the connection also supports the TLS 03033 * max_fragment_len extension. Otherwise the connection may fail. 03034 */ 03035 //#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 03036 03037 /** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING 03038 * 03039 * Maximum number of heap-allocated bytes for the purpose of 03040 * DTLS handshake message reassembly and future message buffering. 03041 * 03042 * This should be at least 9/8 * MBEDTLSSL_IN_CONTENT_LEN 03043 * to account for a reassembled handshake message of maximum size, 03044 * together with its reassembly bitmap. 03045 * 03046 * A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default) 03047 * should be sufficient for all practical situations as it allows 03048 * to reassembly a large handshake message (such as a certificate) 03049 * while buffering multiple smaller handshake messages. 03050 * 03051 */ 03052 //#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 03053 03054 //#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */ 03055 //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ 03056 //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ 03057 03058 /** 03059 * Complete list of ciphersuites to use, in order of preference. 03060 * 03061 * \warning No dependency checking is done on that field! This option can only 03062 * be used to restrict the set of available ciphersuites. It is your 03063 * responsibility to make sure the needed modules are active. 03064 * 03065 * Use this to save a few hundred bytes of ROM (default ordering of all 03066 * available ciphersuites) and a few to a few hundred bytes of RAM. 03067 * 03068 * The value below is only an example, not the default. 03069 */ 03070 //#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 03071 03072 /* X509 options */ 03073 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */ 03074 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */ 03075 03076 /** 03077 * Allow SHA-1 in the default TLS configuration for certificate signing. 03078 * Without this build-time option, SHA-1 support must be activated explicitly 03079 * through mbedtls_ssl_conf_cert_profile. Turning on this option is not 03080 * recommended because of it is possible to generate SHA-1 collisions, however 03081 * this may be safe for legacy infrastructure where additional controls apply. 03082 * 03083 * \warning SHA-1 is considered a weak message digest and its use constitutes 03084 * a security risk. If possible, we recommend avoiding dependencies 03085 * on it, and considering stronger message digests instead. 03086 * 03087 */ 03088 // #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES 03089 03090 /** 03091 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake 03092 * signature and ciphersuite selection. Without this build-time option, SHA-1 03093 * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes. 03094 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by 03095 * default. At the time of writing, there is no practical attack on the use 03096 * of SHA-1 in handshake signatures, hence this option is turned on by default 03097 * to preserve compatibility with existing peers, but the general 03098 * warning applies nonetheless: 03099 * 03100 * \warning SHA-1 is considered a weak message digest and its use constitutes 03101 * a security risk. If possible, we recommend avoiding dependencies 03102 * on it, and considering stronger message digests instead. 03103 * 03104 */ 03105 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE 03106 03107 /** 03108 * Uncomment the macro to let mbed TLS use your alternate implementation of 03109 * mbedtls_platform_zeroize(). This replaces the default implementation in 03110 * platform_util.c. 03111 * 03112 * mbedtls_platform_zeroize() is a widely used function across the library to 03113 * zero a block of memory. The implementation is expected to be secure in the 03114 * sense that it has been written to prevent the compiler from removing calls 03115 * to mbedtls_platform_zeroize() as part of redundant code elimination 03116 * optimizations. However, it is difficult to guarantee that calls to 03117 * mbedtls_platform_zeroize() will not be optimized by the compiler as older 03118 * versions of the C language standards do not provide a secure implementation 03119 * of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to 03120 * configure their own implementation of mbedtls_platform_zeroize(), for 03121 * example by using directives specific to their compiler, features from newer 03122 * C standards (e.g using memset_s() in C11) or calling a secure memset() from 03123 * their system (e.g explicit_bzero() in BSD). 03124 */ 03125 //#define MBEDTLS_PLATFORM_ZEROIZE_ALT 03126 03127 /** 03128 * Uncomment the macro to let Mbed TLS use your alternate implementation of 03129 * mbedtls_platform_gmtime_r(). This replaces the default implementation in 03130 * platform_util.c. 03131 * 03132 * gmtime() is not a thread-safe function as defined in the C standard. The 03133 * library will try to use safer implementations of this function, such as 03134 * gmtime_r() when available. However, if Mbed TLS cannot identify the target 03135 * system, the implementation of mbedtls_platform_gmtime_r() will default to 03136 * using the standard gmtime(). In this case, calls from the library to 03137 * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex 03138 * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the 03139 * library are also guarded with this mutex to avoid race conditions. However, 03140 * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will 03141 * unconditionally use the implementation for mbedtls_platform_gmtime_r() 03142 * supplied at compile time. 03143 */ 03144 //#define MBEDTLS_PLATFORM_GMTIME_R_ALT 03145 03146 /* \} name SECTION: Customisation configuration options */ 03147 03148 /* Target and application specific configurations */ 03149 //#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h" 03150 03151 #if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE) 03152 #include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE 03153 #endif 03154 03155 /* 03156 * Allow user to override any previous default. 03157 * 03158 * Use two macro names for that, as: 03159 * - with yotta the prefix YOTTA_CFG_ is forced 03160 * - without yotta is looks weird to have a YOTTA prefix. 03161 */ 03162 #if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE) 03163 #include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE 03164 #elif defined(MBEDTLS_USER_CONFIG_FILE) 03165 #include MBEDTLS_USER_CONFIG_FILE 03166 #endif 03167 03168 #include "check_config.h" 03169 03170 #endif /* !MBEDTLS_ENTROPY_HARDWARE_ALT && !MBEDTLS_TEST_NULL_ENTROPY */ 03171 03172 #if defined(MBEDTLS_TEST_NULL_ENTROPY) 03173 #warning "MBEDTLS_TEST_NULL_ENTROPY has been enabled. This " \ 03174 "configuration is not secure and is not suitable for production use" 03175 #endif 03176 03177 #if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_TEST_NULL_ENTROPY) && \ 03178 !defined(MBEDTLS_ENTROPY_HARDWARE_ALT) && !defined(MBEDTLS_ENTROPY_NV_SEED) 03179 #error "No entropy source was found at build time, so TLS " \ 03180 "functionality is not available" 03181 #endif 03182 03183 #endif /* MBEDTLS_CONFIG_H */
Generated on Tue Aug 9 2022 00:37:04 by
1.7.2