blob: 255323272ad4aba3c40785492ea8f85339ce22cd [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/**
2 * \file config.h
3 *
Paul Bakker37ca75d2011-01-06 12:28:03 +00004 * \brief Configuration options (set of defines)
5 *
Simon Butcher5b331b92016-01-03 16:14:14 +00006 * This set of compile-time options may be used to enable
7 * or disable features selectively, and reduce the global
8 * memory footprint.
Darryl Greena40a1012018-01-05 15:33:17 +00009 */
10/*
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +020011 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Bence Szépkúti4e9f7122020-06-05 13:02:18 +020012 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
13 *
14 * This file is provided under the Apache License 2.0, or the
15 * GNU General Public License v2.0 or later.
16 *
17 * **********
18 * Apache License 2.0:
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +020019 *
20 * Licensed under the Apache License, Version 2.0 (the "License"); you may
21 * not use this file except in compliance with the License.
22 * You may obtain a copy of the License at
23 *
24 * http://www.apache.org/licenses/LICENSE-2.0
25 *
26 * Unless required by applicable law or agreed to in writing, software
27 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
28 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
29 * See the License for the specific language governing permissions and
30 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +000031 *
Bence Szépkúti4e9f7122020-06-05 13:02:18 +020032 * **********
33 *
34 * **********
35 * GNU General Public License v2.0 or later:
36 *
37 * This program is free software; you can redistribute it and/or modify
38 * it under the terms of the GNU General Public License as published by
39 * the Free Software Foundation; either version 2 of the License, or
40 * (at your option) any later version.
41 *
42 * This program is distributed in the hope that it will be useful,
43 * but WITHOUT ANY WARRANTY; without even the implied warranty of
44 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
45 * GNU General Public License for more details.
46 *
47 * You should have received a copy of the GNU General Public License along
48 * with this program; if not, write to the Free Software Foundation, Inc.,
49 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
50 *
51 * **********
52 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +000053 * This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnarde2b0efe2015-08-11 10:38:37 +020054 */
55
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020056#ifndef MBEDTLS_CONFIG_H
57#define MBEDTLS_CONFIG_H
Paul Bakker5121ce52009-01-03 21:22:43 +000058
Paul Bakkercce9d772011-11-18 14:26:47 +000059#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
Paul Bakker5121ce52009-01-03 21:22:43 +000060#define _CRT_SECURE_NO_DEPRECATE 1
61#endif
62
Paul Bakkerf3b86c12011-01-27 15:24:17 +000063/**
Paul Bakker0a62cd12011-01-21 11:00:08 +000064 * \name SECTION: System support
65 *
66 * This section sets system specific settings.
67 * \{
68 */
69
Paul Bakkerf3b86c12011-01-27 15:24:17 +000070/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020071 * \def MBEDTLS_HAVE_ASM
Paul Bakkerf3b86c12011-01-27 15:24:17 +000072 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +020073 * The compiler has support for asm().
Paul Bakker68041ec2009-04-19 21:17:55 +000074 *
75 * Requires support for asm() in compiler.
76 *
77 * Used in:
78 * library/timing.c
79 * library/padlock.c
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000080 * include/mbedtls/bn_mul.h
Paul Bakker68041ec2009-04-19 21:17:55 +000081 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +020082 * Comment to disable the use of assembly code.
Paul Bakker5121ce52009-01-03 21:22:43 +000083 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020084#define MBEDTLS_HAVE_ASM
Paul Bakker5121ce52009-01-03 21:22:43 +000085
Paul Bakkerf3b86c12011-01-27 15:24:17 +000086/**
Gilles Peskineb1a977f2017-06-08 15:19:20 +020087 * \def MBEDTLS_NO_UDBL_DIVISION
88 *
89 * The platform lacks support for double-width integer division (64-bit
90 * division on a 32-bit platform, 128-bit division on a 64-bit platform).
91 *
92 * Used in:
93 * include/mbedtls/bignum.h
94 * library/bignum.c
95 *
96 * The bignum code uses double-width division to speed up some operations.
97 * Double-width division is often implemented in software that needs to
98 * be linked with the program. The presence of a double-width integer
99 * type is usually detected automatically through preprocessor macros,
100 * but the automatic detection cannot know whether the code needs to
101 * and can be linked with an implementation of division for that type.
102 * By default division is assumed to be usable if the type is present.
103 * Uncomment this option to prevent the use of double-width division.
104 *
105 * Note that division for the native integer type is always required.
106 * Furthermore, a 64-bit type is always required even on a 32-bit
Andres Amaya Garciac630ce62017-07-21 10:56:22 +0100107 * platform, but it need not support multiplication or division. In some
108 * cases it is also desirable to disable some double-width operations. For
109 * example, if double-width division is implemented in software, disabling
110 * it can reduce code size in some embedded targets.
Gilles Peskineb1a977f2017-06-08 15:19:20 +0200111 */
112//#define MBEDTLS_NO_UDBL_DIVISION
113
114/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200115 * \def MBEDTLS_HAVE_SSE2
Paul Bakkerf3b86c12011-01-27 15:24:17 +0000116 *
Paul Bakkere23c3152012-10-01 14:42:47 +0000117 * CPU supports SSE2 instruction set.
Paul Bakkerf3b86c12011-01-27 15:24:17 +0000118 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000119 * Uncomment if the CPU supports SSE2 (IA-32 specific).
Paul Bakker5121ce52009-01-03 21:22:43 +0000120 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200121//#define MBEDTLS_HAVE_SSE2
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200122
123/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200124 * \def MBEDTLS_HAVE_TIME
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200125 *
Manuel Pégourié-Gonnard60c793b2015-06-18 20:52:58 +0200126 * System has time.h and time().
127 * The time does not need to be correct, only time differences are used,
128 * by contrast with MBEDTLS_HAVE_TIME_DATE
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200129 *
Andres Amaya Garcia1e4ec662016-07-20 10:16:25 +0100130 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
131 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
132 * MBEDTLS_PLATFORM_STD_TIME.
133 *
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200134 * Comment if your system does not support time functions
135 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200136#define MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnard10934de2013-12-13 12:54:09 +0100137
138/**
Manuel Pégourié-Gonnard60c793b2015-06-18 20:52:58 +0200139 * \def MBEDTLS_HAVE_TIME_DATE
140 *
141 * System has time.h and time(), gmtime() and the clock is correct.
Antonin Décimo8fd91562019-01-23 15:24:37 +0100142 * The time needs to be correct (not necessarily very accurate, but at least
Manuel Pégourié-Gonnard60c793b2015-06-18 20:52:58 +0200143 * the date should be correct). This is used to verify the validity period of
144 * X.509 certificates.
145 *
146 * Comment if your system does not have a correct clock.
147 */
148#define MBEDTLS_HAVE_TIME_DATE
149
150/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200151 * \def MBEDTLS_PLATFORM_MEMORY
Paul Bakkerdefc0ca2014-02-04 17:30:24 +0100152 *
153 * Enable the memory allocation layer.
154 *
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +0200155 * By default mbed TLS uses the system-provided calloc() and free().
Paul Bakkerdefc0ca2014-02-04 17:30:24 +0100156 * This allows different allocators (self-implemented or provided) to be
157 * provided to the platform abstraction layer.
158 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200159 * Enabling MBEDTLS_PLATFORM_MEMORY without the
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +0200160 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
161 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
Rich Evans16f8cd82015-02-06 16:14:34 +0000162 * free() function pointer at runtime.
163 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200164 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +0200165 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
Rich Evans16f8cd82015-02-06 16:14:34 +0000166 * alternate function at compile time.
Paul Bakkerdefc0ca2014-02-04 17:30:24 +0100167 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200168 * Requires: MBEDTLS_PLATFORM_C
Paul Bakkerdefc0ca2014-02-04 17:30:24 +0100169 *
170 * Enable this layer to allow use of alternative memory allocators.
171 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200172//#define MBEDTLS_PLATFORM_MEMORY
Paul Bakkerdefc0ca2014-02-04 17:30:24 +0100173
174/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200175 * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
Paul Bakker088c5c52014-04-25 11:11:10 +0200176 *
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +0200177 * Do not assign standard functions in the platform layer (e.g. calloc() to
178 * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
Paul Bakker088c5c52014-04-25 11:11:10 +0200179 *
180 * This makes sure there are no linking errors on platforms that do not support
181 * these functions. You will HAVE to provide alternatives, either at runtime
182 * via the platform_set_xxx() functions or at compile time by setting
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200183 * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
184 * MBEDTLS_PLATFORM_XXX_MACRO.
Paul Bakker088c5c52014-04-25 11:11:10 +0200185 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200186 * Requires: MBEDTLS_PLATFORM_C
Paul Bakker088c5c52014-04-25 11:11:10 +0200187 *
188 * Uncomment to prevent default assignment of standard functions in the
189 * platform layer.
190 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200191//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
Paul Bakker088c5c52014-04-25 11:11:10 +0200192
193/**
Janos Follathc351d182016-03-21 08:43:59 +0000194 * \def MBEDTLS_PLATFORM_EXIT_ALT
Paul Bakker747a83a2014-02-01 22:50:07 +0100195 *
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100196 * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
197 * function in the platform abstraction layer.
Paul Bakker747a83a2014-02-01 22:50:07 +0100198 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200199 * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
200 * provide a function "mbedtls_platform_set_printf()" that allows you to set an
Paul Bakker747a83a2014-02-01 22:50:07 +0100201 * alternative printf function pointer.
202 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200203 * All these define require MBEDTLS_PLATFORM_C to be defined!
Paul Bakker747a83a2014-02-01 22:50:07 +0100204 *
Manuel Pégourié-Gonnard9db28872015-06-26 10:52:01 +0200205 * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;
206 * it will be enabled automatically by check_config.h
207 *
Manuel Pégourié-Gonnard6c0c8e02015-06-22 10:23:34 +0200208 * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200209 * MBEDTLS_PLATFORM_XXX_MACRO!
Rich Evans16f8cd82015-02-06 16:14:34 +0000210 *
Andres Amaya Garcia1e4ec662016-07-20 10:16:25 +0100211 * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
212 *
Paul Bakker747a83a2014-02-01 22:50:07 +0100213 * Uncomment a macro to enable alternate implementation of specific base
214 * platform function
215 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200216//#define MBEDTLS_PLATFORM_EXIT_ALT
SimonBd5800b72016-04-26 07:43:27 +0100217//#define MBEDTLS_PLATFORM_TIME_ALT
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200218//#define MBEDTLS_PLATFORM_FPRINTF_ALT
219//#define MBEDTLS_PLATFORM_PRINTF_ALT
220//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
Paul Bakkercf0a9f92016-06-01 11:25:44 +0100221//#define MBEDTLS_PLATFORM_NV_SEED_ALT
Andres Amaya Garciad91f99f2017-07-18 10:23:04 +0100222//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100223
224/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200225 * \def MBEDTLS_DEPRECATED_WARNING
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100226 *
227 * Mark deprecated functions so that they generate a warning if used.
228 * Functions deprecated in one version will usually be removed in the next
229 * version. You can enable this to help you prepare the transition to a new
230 * major version by making sure your code is not using these functions.
231 *
232 * This only works with GCC and Clang. With other compilers, you may want to
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200233 * use MBEDTLS_DEPRECATED_REMOVED
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100234 *
235 * Uncomment to get warnings on using deprecated functions.
236 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200237//#define MBEDTLS_DEPRECATED_WARNING
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100238
239/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200240 * \def MBEDTLS_DEPRECATED_REMOVED
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100241 *
242 * Remove deprecated functions so that they generate an error if used.
243 * Functions deprecated in one version will usually be removed in the next
244 * version. You can enable this to help you prepare the transition to a new
245 * major version by making sure your code is not using these functions.
246 *
247 * Uncomment to get errors on using deprecated functions.
248 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200249//#define MBEDTLS_DEPRECATED_REMOVED
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100250
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200251/* \} name SECTION: System support */
Paul Bakker0a62cd12011-01-21 11:00:08 +0000252
Paul Bakkerf3b86c12011-01-27 15:24:17 +0000253/**
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +0000254 * \name SECTION: mbed TLS feature support
Paul Bakker0a62cd12011-01-21 11:00:08 +0000255 *
256 * This section sets support for features that are or are not needed
257 * within the modules that are enabled.
258 * \{
259 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000260
Paul Bakkerf3b86c12011-01-27 15:24:17 +0000261/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200262 * \def MBEDTLS_TIMING_ALT
Paul Bakkerf2561b32014-02-06 15:11:55 +0100263 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200264 * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(),
Manuel Pégourié-Gonnarda63bc942015-05-14 18:22:47 +0200265 * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay()
Paul Bakkerf2561b32014-02-06 15:11:55 +0100266 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200267 * Only works if you have MBEDTLS_TIMING_C enabled.
Paul Bakkerf2561b32014-02-06 15:11:55 +0100268 *
269 * You will need to provide a header "timing_alt.h" and an implementation at
270 * compile time.
271 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200272//#define MBEDTLS_TIMING_ALT
Paul Bakkerf2561b32014-02-06 15:11:55 +0100273
274/**
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100275 * \def MBEDTLS_AES_ALT
Paul Bakker90995b52013-06-24 19:20:35 +0200276 *
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100277 * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
Janos Follathb0697532016-08-18 12:38:46 +0100278 * alternate core implementation of a symmetric crypto, an arithmetic or hash
279 * module (e.g. platform specific assembly optimized implementations). Keep
280 * in mind that the function prototypes should remain the same.
Paul Bakker90995b52013-06-24 19:20:35 +0200281 *
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200282 * This replaces the whole module. If you only want to replace one of the
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200283 * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200284 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200285 * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer
Janos Follathee782bc2016-11-07 15:41:26 +0000286 * provide the "struct mbedtls_aes_context" definition and omit the base
287 * function declarations and implementations. "aes_alt.h" will be included from
Paul Bakker90995b52013-06-24 19:20:35 +0200288 * "aes.h" to include the new function definitions.
289 *
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200290 * Uncomment a macro to enable alternate implementation of the corresponding
291 * module.
Hanno Beckerbbca8c52017-09-25 14:53:51 +0100292 *
293 * \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their
294 * use constitutes a security risk. If possible, we recommend
295 * avoiding dependencies on them, and considering stronger message
296 * digests and ciphers instead.
297 *
Paul Bakker90995b52013-06-24 19:20:35 +0200298 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200299//#define MBEDTLS_AES_ALT
300//#define MBEDTLS_ARC4_ALT
301//#define MBEDTLS_BLOWFISH_ALT
302//#define MBEDTLS_CAMELLIA_ALT
Steven Cooreman222e2ff2017-04-04 11:37:15 +0200303//#define MBEDTLS_CCM_ALT
Steven Cooreman63342772017-04-04 11:47:16 +0200304//#define MBEDTLS_CMAC_ALT
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200305//#define MBEDTLS_DES_ALT
nirekh01d569ecf2018-01-09 16:43:21 +0000306//#define MBEDTLS_DHM_ALT
Hanno Becker616d1ca2018-01-24 10:25:05 +0000307//#define MBEDTLS_ECJPAKE_ALT
Jaeden Amero15263302017-09-21 12:53:48 +0100308//#define MBEDTLS_GCM_ALT
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200309//#define MBEDTLS_MD2_ALT
310//#define MBEDTLS_MD4_ALT
311//#define MBEDTLS_MD5_ALT
312//#define MBEDTLS_RIPEMD160_ALT
Hanno Becker88683b22018-01-04 18:26:54 +0000313//#define MBEDTLS_RSA_ALT
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200314//#define MBEDTLS_SHA1_ALT
315//#define MBEDTLS_SHA256_ALT
316//#define MBEDTLS_SHA512_ALT
Hanno Becker88683b22018-01-04 18:26:54 +0000317//#define MBEDTLS_XTEA_ALT
Janos Follathb0697532016-08-18 12:38:46 +0100318/*
319 * When replacing the elliptic curve module, pleace consider, that it is
320 * implemented with two .c files:
321 * - ecp.c
322 * - ecp_curves.c
Janos Follathee782bc2016-11-07 15:41:26 +0000323 * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
324 * macros as described above. The only difference is that you have to make sure
325 * that you provide functionality for both .c files.
Janos Follathb0697532016-08-18 12:38:46 +0100326 */
327//#define MBEDTLS_ECP_ALT
Paul Bakker90995b52013-06-24 19:20:35 +0200328
329/**
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100330 * \def MBEDTLS_MD2_PROCESS_ALT
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200331 *
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100332 * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
333 * alternate core implementation of symmetric crypto or hash function. Keep in
334 * mind that function prototypes should remain the same.
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200335 *
336 * This replaces only one function. The header file from mbed TLS is still
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200337 * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200338 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200339 * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
340 * no longer provide the mbedtls_sha1_process() function, but it will still provide
341 * the other function (using your mbedtls_sha1_process() function) and the definition
342 * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200343 * with this definition.
344 *
Hanno Becker6d84ae72017-06-26 12:46:19 +0100345 * \note Because of a signature change, the core AES encryption and decryption routines are
346 * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
347 * respectively. When setting up alternative implementations, these functions should
Antonin Décimo8fd91562019-01-23 15:24:37 +0100348 * be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
Hanno Beckerca1cdb22017-07-20 09:50:59 +0100349 * must stay untouched.
Hanno Becker6d84ae72017-06-26 12:46:19 +0100350 *
351 * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
352 * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
353 * tables.
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200354 *
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200355 * Uncomment a macro to enable alternate implementation of the corresponding
356 * function.
Hanno Beckerbbca8c52017-09-25 14:53:51 +0100357 *
358 * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
359 * constitutes a security risk. If possible, we recommend avoiding
360 * dependencies on them, and considering stronger message digests
361 * and ciphers instead.
362 *
Janos Follathba66faf2019-01-07 15:01:32 +0000363 * \warning If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINISTIC are
364 * enabled, then the deterministic ECDH signature functions pass the
365 * the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefore
366 * alternative implementations should use the RNG only for generating
367 * the ephemeral key and nothing else. If this is not possible, then
368 * MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
369 * implementation should be provided for mbedtls_ecdsa_sign_det_ext()
370 * (and for mbedtls_ecdsa_sign_det() too if backward compatibility is
371 * desirable).
372 *
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200373 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200374//#define MBEDTLS_MD2_PROCESS_ALT
375//#define MBEDTLS_MD4_PROCESS_ALT
376//#define MBEDTLS_MD5_PROCESS_ALT
377//#define MBEDTLS_RIPEMD160_PROCESS_ALT
378//#define MBEDTLS_SHA1_PROCESS_ALT
379//#define MBEDTLS_SHA256_PROCESS_ALT
380//#define MBEDTLS_SHA512_PROCESS_ALT
Manuel Pégourié-Gonnard70a50102015-05-12 15:02:45 +0200381//#define MBEDTLS_DES_SETKEY_ALT
382//#define MBEDTLS_DES_CRYPT_ECB_ALT
383//#define MBEDTLS_DES3_CRYPT_ECB_ALT
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200384//#define MBEDTLS_AES_SETKEY_ENC_ALT
385//#define MBEDTLS_AES_SETKEY_DEC_ALT
386//#define MBEDTLS_AES_ENCRYPT_ALT
387//#define MBEDTLS_AES_DECRYPT_ALT
Ron Eldora84c1cb2017-10-10 19:04:27 +0300388//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
Ron Eldor3226d362017-10-12 14:17:48 +0300389//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
Ron Eldor314adb62017-10-10 18:28:25 +0300390//#define MBEDTLS_ECDSA_VERIFY_ALT
391//#define MBEDTLS_ECDSA_SIGN_ALT
392//#define MBEDTLS_ECDSA_GENKEY_ALT
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200393
394/**
Janos Follathc44ab972016-11-18 16:38:23 +0000395 * \def MBEDTLS_ECP_INTERNAL_ALT
396 *
397 * Expose a part of the internal interface of the Elliptic Curve Point module.
Janos Follathb0697532016-08-18 12:38:46 +0100398 *
399 * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
Janos Follath372697b2016-10-28 16:53:11 +0100400 * alternative core implementation of elliptic curve arithmetic. Keep in mind
401 * that function prototypes should remain the same.
Janos Follathb0697532016-08-18 12:38:46 +0100402 *
403 * This partially replaces one function. The header file from mbed TLS is still
404 * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
405 * is still present and it is used for group structures not supported by the
406 * alternative.
407 *
Janos Follathc44ab972016-11-18 16:38:23 +0000408 * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
409 * and implementing the following functions:
410 * unsigned char mbedtls_internal_ecp_grp_capable(
411 * const mbedtls_ecp_group *grp )
412 * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
413 * void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
414 * The mbedtls_internal_ecp_grp_capable function should return 1 if the
415 * replacement functions implement arithmetic for the given group and 0
416 * otherwise.
417 * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
418 * called before and after each point operation and provide an opportunity to
419 * implement optimized set up and tear down instructions.
Janos Follathb0697532016-08-18 12:38:46 +0100420 *
Janos Follathc44ab972016-11-18 16:38:23 +0000421 * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and
Janos Follath4d9c69d2016-11-01 13:27:03 +0000422 * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac
Janos Follathc44ab972016-11-18 16:38:23 +0000423 * function, but will use your mbedtls_internal_ecp_double_jac if the group is
424 * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when
425 * receives it as an argument). If the group is not supported then the original
Janos Follathee782bc2016-11-07 15:41:26 +0000426 * implementation is used. The other functions and the definition of
427 * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your
Janos Follathc44ab972016-11-18 16:38:23 +0000428 * implementation of mbedtls_internal_ecp_double_jac and
429 * mbedtls_internal_ecp_grp_capable must be compatible with this definition.
Janos Follathb0697532016-08-18 12:38:46 +0100430 *
431 * Uncomment a macro to enable alternate implementation of the corresponding
432 * function.
433 */
434/* Required for all the functions in this section */
Janos Follathc44ab972016-11-18 16:38:23 +0000435//#define MBEDTLS_ECP_INTERNAL_ALT
Janos Follathb0697532016-08-18 12:38:46 +0100436/* Support for Weierstrass curves with Jacobi representation */
437//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
438//#define MBEDTLS_ECP_ADD_MIXED_ALT
439//#define MBEDTLS_ECP_DOUBLE_JAC_ALT
440//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
441//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
442/* Support for curves with Montgomery arithmetic */
443//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
444//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
445//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
446
447/**
Simon Butcherab5df402016-06-11 02:31:21 +0100448 * \def MBEDTLS_TEST_NULL_ENTROPY
Janos Follath53de7842016-06-08 15:29:18 +0100449 *
Simon Butcherab5df402016-06-11 02:31:21 +0100450 * Enables testing and use of mbed TLS without any configured entropy sources.
451 * This permits use of the library on platforms before an entropy source has
452 * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
453 * MBEDTLS_ENTROPY_NV_SEED switches).
454 *
455 * WARNING! This switch MUST be disabled in production builds, and is suitable
456 * only for development.
457 * Enabling the switch negates any security provided by the library.
Janos Follath53de7842016-06-08 15:29:18 +0100458 *
Janos Follathf93b8bc2016-06-09 13:54:15 +0100459 * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
460 *
Janos Follath53de7842016-06-08 15:29:18 +0100461 */
Simon Butcherab5df402016-06-11 02:31:21 +0100462//#define MBEDTLS_TEST_NULL_ENTROPY
Janos Follath53de7842016-06-08 15:29:18 +0100463
464/**
Manuel Pégourié-Gonnard8ba88f02015-06-22 12:14:20 +0200465 * \def MBEDTLS_ENTROPY_HARDWARE_ALT
Manuel Pégourié-Gonnard3f77dfb2015-06-19 10:06:21 +0200466 *
467 * Uncomment this macro to let mbed TLS use your own implementation of a
468 * hardware entropy collector.
469 *
470 * Your function must be called \c mbedtls_hardware_poll(), have the same
471 * prototype as declared in entropy_poll.h, and accept NULL as first argument.
472 *
473 * Uncomment to use your own hardware entropy collector.
474 */
475//#define MBEDTLS_ENTROPY_HARDWARE_ALT
476
477/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200478 * \def MBEDTLS_AES_ROM_TABLES
Paul Bakker15566e42011-04-24 21:19:15 +0000479 *
480 * Store the AES tables in ROM.
481 *
482 * Uncomment this macro to store the AES tables in ROM.
Paul Bakker15566e42011-04-24 21:19:15 +0000483 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200484//#define MBEDTLS_AES_ROM_TABLES
Paul Bakker15566e42011-04-24 21:19:15 +0000485
486/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200487 * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
Manuel Pégourié-Gonnard62edcc82015-04-03 16:28:19 +0200488 *
489 * Use less ROM for the Camellia implementation (saves about 768 bytes).
490 *
491 * Uncomment this macro to use less memory for Camellia.
492 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200493//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
Manuel Pégourié-Gonnard62edcc82015-04-03 16:28:19 +0200494
495/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200496 * \def MBEDTLS_CIPHER_MODE_CBC
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200497 *
498 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
499 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200500#define MBEDTLS_CIPHER_MODE_CBC
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200501
502/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200503 * \def MBEDTLS_CIPHER_MODE_CFB
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000504 *
505 * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
506 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200507#define MBEDTLS_CIPHER_MODE_CFB
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000508
509/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200510 * \def MBEDTLS_CIPHER_MODE_CTR
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000511 *
512 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
513 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200514#define MBEDTLS_CIPHER_MODE_CTR
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000515
516/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200517 * \def MBEDTLS_CIPHER_NULL_CIPHER
Paul Bakkerfab5c822012-02-06 16:45:10 +0000518 *
519 * Enable NULL cipher.
520 * Warning: Only do so when you know what you are doing. This allows for
521 * encryption or channels without any security!
522 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200523 * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
Paul Bakkerfab5c822012-02-06 16:45:10 +0000524 * the following ciphersuites:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200525 * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
526 * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
527 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
528 * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
529 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
530 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
531 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
532 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
533 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
534 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
535 * MBEDTLS_TLS_RSA_WITH_NULL_SHA256
536 * MBEDTLS_TLS_RSA_WITH_NULL_SHA
537 * MBEDTLS_TLS_RSA_WITH_NULL_MD5
538 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
539 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
540 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
541 * MBEDTLS_TLS_PSK_WITH_NULL_SHA384
542 * MBEDTLS_TLS_PSK_WITH_NULL_SHA256
543 * MBEDTLS_TLS_PSK_WITH_NULL_SHA
Paul Bakkerfab5c822012-02-06 16:45:10 +0000544 *
545 * Uncomment this macro to enable the NULL cipher and ciphersuites
Paul Bakkerfab5c822012-02-06 16:45:10 +0000546 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200547//#define MBEDTLS_CIPHER_NULL_CIPHER
Paul Bakkerfab5c822012-02-06 16:45:10 +0000548
549/**
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100550 * \def MBEDTLS_CIPHER_PADDING_PKCS7
Paul Bakker48e93c82013-08-14 12:21:18 +0200551 *
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100552 * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
553 * specific padding modes in the cipher layer with cipher modes that support
554 * padding (e.g. CBC)
Paul Bakker48e93c82013-08-14 12:21:18 +0200555 *
556 * If you disable all padding modes, only full blocks can be used with CBC.
557 *
558 * Enable padding modes in the cipher layer.
559 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200560#define MBEDTLS_CIPHER_PADDING_PKCS7
561#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
562#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
563#define MBEDTLS_CIPHER_PADDING_ZEROS
Paul Bakker48e93c82013-08-14 12:21:18 +0200564
565/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200566 * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
Paul Bakkerfab5c822012-02-06 16:45:10 +0000567 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200568 * Enable weak ciphersuites in SSL / TLS.
Paul Bakkerfab5c822012-02-06 16:45:10 +0000569 * Warning: Only do so when you know what you are doing. This allows for
Paul Bakker9a736322012-11-14 12:39:52 +0000570 * channels with virtually no security at all!
Paul Bakkerfab5c822012-02-06 16:45:10 +0000571 *
572 * This enables the following ciphersuites:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200573 * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
574 * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
Paul Bakkerfab5c822012-02-06 16:45:10 +0000575 *
576 * Uncomment this macro to enable weak ciphersuites
Hanno Beckerbbca8c52017-09-25 14:53:51 +0100577 *
578 * \warning DES is considered a weak cipher and its use constitutes a
579 * security risk. We recommend considering stronger ciphers instead.
Paul Bakkerfab5c822012-02-06 16:45:10 +0000580 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200581//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
Paul Bakkerfab5c822012-02-06 16:45:10 +0000582
583/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200584 * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnard01edb102014-06-24 22:42:34 +0200585 *
586 * Remove RC4 ciphersuites by default in SSL / TLS.
587 * This flag removes the ciphersuites based on RC4 from the default list as
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200588 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200589 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
Manuel Pégourié-Gonnard01edb102014-06-24 22:42:34 +0200590 * explicitly.
591 *
592 * Uncomment this macro to remove RC4 ciphersuites by default.
593 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200594#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnard01edb102014-06-24 22:42:34 +0200595
596/**
Andres Amaya Garcia21ade062018-10-30 18:21:41 +0000597 * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
598 *
599 * Remove 3DES ciphersuites by default in SSL / TLS.
600 * This flag removes the ciphersuites based on 3DES from the default list as
601 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
602 * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
603 * them explicitly.
604 *
Andres Amaya Garciab7c22ec2019-02-11 21:47:30 +0000605 * A man-in-the-browser attacker can recover authentication tokens sent through
Andres Amaya Garciaf9b2ed02018-11-26 20:57:49 +0000606 * a TLS connection using a 3DES based cipher suite (see "On the Practical
607 * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
608 * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
609 * in your threat model or you are unsure, then you should keep this option
610 * enabled to remove 3DES based cipher suites.
611 *
Andres Amaya Garcia21ade062018-10-30 18:21:41 +0000612 * Comment this macro to keep 3DES in the default ciphersuite list.
613 */
614#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
615
616/**
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100617 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200618 *
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100619 * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
620 * module. By default all supported curves are enabled.
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200621 *
622 * Comment macros to disable the curve and functions for it
623 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200624#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
625#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
626#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
627#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
628#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
629#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
630#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
631#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
632#define MBEDTLS_ECP_DP_BP256R1_ENABLED
633#define MBEDTLS_ECP_DP_BP384R1_ENABLED
634#define MBEDTLS_ECP_DP_BP512R1_ENABLED
Manuel Pégourié-Gonnard07894332015-06-23 00:18:41 +0200635#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200636
637/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200638 * \def MBEDTLS_ECP_NIST_OPTIM
Manuel Pégourié-Gonnardc04c5302013-10-23 16:11:52 +0200639 *
640 * Enable specific 'modulo p' routines for each NIST prime.
641 * Depending on the prime and architecture, makes operations 4 to 8 times
642 * faster on the corresponding curve.
643 *
644 * Comment this macro to disable NIST curves optimisation.
645 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200646#define MBEDTLS_ECP_NIST_OPTIM
Manuel Pégourié-Gonnardc04c5302013-10-23 16:11:52 +0200647
648/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200649 * \def MBEDTLS_ECDSA_DETERMINISTIC
Manuel Pégourié-Gonnard461d4162014-01-06 10:16:28 +0100650 *
651 * Enable deterministic ECDSA (RFC 6979).
652 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing
653 * may result in a compromise of the long-term signing key. This is avoided by
654 * the deterministic variant.
655 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200656 * Requires: MBEDTLS_HMAC_DRBG_C
Manuel Pégourié-Gonnard5b1a5732014-01-07 16:46:17 +0100657 *
Manuel Pégourié-Gonnard461d4162014-01-06 10:16:28 +0100658 * Comment this macro to disable deterministic ECDSA.
659 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200660#define MBEDTLS_ECDSA_DETERMINISTIC
Manuel Pégourié-Gonnard461d4162014-01-06 10:16:28 +0100661
662/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200663 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200664 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200665 * Enable the PSK based ciphersuite modes in SSL / TLS.
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200666 *
Paul Bakkere07f41d2013-04-19 09:08:57 +0200667 * This enables the following ciphersuites (if other requisites are
668 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200669 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
670 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
671 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
672 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
673 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
674 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
675 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
676 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
677 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
678 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
679 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
680 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200681 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200682#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200683
684/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200685 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200686 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200687 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
Paul Bakkere07f41d2013-04-19 09:08:57 +0200688 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200689 * Requires: MBEDTLS_DHM_C
Paul Bakkere07f41d2013-04-19 09:08:57 +0200690 *
691 * This enables the following ciphersuites (if other requisites are
692 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200693 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
694 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
695 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
696 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
697 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
698 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
699 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
700 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
701 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
702 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
703 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
704 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
Hanno Beckera2f6b722017-09-28 10:33:29 +0100705 *
Hanno Beckerf9734b32017-10-03 12:09:22 +0100706 * \warning Using DHE constitutes a security risk as it
707 * is not possible to validate custom DH parameters.
708 * If possible, it is recommended users should consider
709 * preferring other methods of key exchange.
710 * See dhm.h for more details.
Hanno Beckera2f6b722017-09-28 10:33:29 +0100711 *
Paul Bakkere07f41d2013-04-19 09:08:57 +0200712 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200713#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200714
715/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200716 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200717 *
718 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
719 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200720 * Requires: MBEDTLS_ECDH_C
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200721 *
722 * This enables the following ciphersuites (if other requisites are
723 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200724 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
725 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
726 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
727 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
728 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
729 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
730 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
731 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200732 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200733#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200734
735/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200736 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200737 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200738 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200739 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200740 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
741 * MBEDTLS_X509_CRT_PARSE_C
Paul Bakkere07f41d2013-04-19 09:08:57 +0200742 *
743 * This enables the following ciphersuites (if other requisites are
744 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200745 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
746 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
747 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
748 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
749 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
750 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
751 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
752 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
753 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
754 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
755 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
756 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
Paul Bakkere07f41d2013-04-19 09:08:57 +0200757 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200758#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200759
760/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200761 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200762 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200763 * Enable the RSA-only based ciphersuite modes in SSL / TLS.
Paul Bakkere07f41d2013-04-19 09:08:57 +0200764 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200765 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
766 * MBEDTLS_X509_CRT_PARSE_C
Paul Bakkere07f41d2013-04-19 09:08:57 +0200767 *
768 * This enables the following ciphersuites (if other requisites are
769 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200770 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
771 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
772 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
773 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
774 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
775 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
776 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
777 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
778 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
779 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
780 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
781 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
782 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
783 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
784 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
Paul Bakkere07f41d2013-04-19 09:08:57 +0200785 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200786#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200787
788/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200789 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200790 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200791 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
Paul Bakkere07f41d2013-04-19 09:08:57 +0200792 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200793 * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
794 * MBEDTLS_X509_CRT_PARSE_C
Paul Bakkere07f41d2013-04-19 09:08:57 +0200795 *
796 * This enables the following ciphersuites (if other requisites are
797 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200798 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
799 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
800 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
801 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
802 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
803 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
804 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
805 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
806 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
807 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
808 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
809 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
810 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Hanno Beckera2f6b722017-09-28 10:33:29 +0100811 *
Hanno Beckerf9734b32017-10-03 12:09:22 +0100812 * \warning Using DHE constitutes a security risk as it
813 * is not possible to validate custom DH parameters.
814 * If possible, it is recommended users should consider
815 * preferring other methods of key exchange.
816 * See dhm.h for more details.
Hanno Beckera2f6b722017-09-28 10:33:29 +0100817 *
Paul Bakkere07f41d2013-04-19 09:08:57 +0200818 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200819#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200820
821/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200822 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200823 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200824 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
Paul Bakkere07f41d2013-04-19 09:08:57 +0200825 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200826 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
827 * MBEDTLS_X509_CRT_PARSE_C
Paul Bakkere07f41d2013-04-19 09:08:57 +0200828 *
829 * This enables the following ciphersuites (if other requisites are
830 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200831 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
832 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
833 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
834 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
835 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
836 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
837 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
838 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
839 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
840 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
841 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
842 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
Paul Bakkere07f41d2013-04-19 09:08:57 +0200843 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200844#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200845
846/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200847 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200848 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200849 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200850 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200851 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200852 *
853 * This enables the following ciphersuites (if other requisites are
854 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200855 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
856 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
857 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
858 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
859 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
860 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
861 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
862 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
863 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
864 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
865 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
866 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200867 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200868#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200869
870/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200871 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100872 *
873 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
874 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200875 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100876 *
877 * This enables the following ciphersuites (if other requisites are
878 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200879 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
880 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
881 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
882 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
883 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
884 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
885 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
886 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
887 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
888 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
889 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
890 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100891 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200892#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100893
894/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200895 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100896 *
897 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
898 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200899 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100900 *
901 * This enables the following ciphersuites (if other requisites are
902 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200903 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
904 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
905 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
906 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
907 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
908 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
909 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
910 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
911 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
912 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
913 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
914 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100915 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200916#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100917
918/**
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +0200919 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
920 *
921 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS.
922 *
Manuel Pégourié-Gonnard75df9022015-09-16 23:21:01 +0200923 * \warning This is currently experimental. EC J-PAKE support is based on the
924 * Thread v1.0.0 specification; incompatible changes to the specification
925 * might still happen. For this reason, this is disabled by default.
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +0200926 *
927 * Requires: MBEDTLS_ECJPAKE_C
928 * MBEDTLS_SHA256_C
929 * MBEDTLS_ECP_DP_SECP256R1_ENABLED
930 *
931 * This enables the following ciphersuites (if other requisites are
932 * enabled as well):
933 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
934 */
Manuel Pégourié-Gonnardcf828932015-10-20 14:57:00 +0200935//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +0200936
937/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200938 * \def MBEDTLS_PK_PARSE_EC_EXTENDED
Manuel Pégourié-Gonnard6fac3512014-03-19 16:39:52 +0100939 *
940 * Enhance support for reading EC keys using variants of SEC1 not allowed by
941 * RFC 5915 and RFC 5480.
942 *
943 * Currently this means parsing the SpecifiedECDomain choice of EC
944 * parameters (only known groups are supported, not arbitrary domains, to
945 * avoid validation issues).
946 *
947 * Disable if you only need to support RFC 5915 + 5480 key formats.
948 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200949#define MBEDTLS_PK_PARSE_EC_EXTENDED
Manuel Pégourié-Gonnard6fac3512014-03-19 16:39:52 +0100950
951/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200952 * \def MBEDTLS_ERROR_STRERROR_DUMMY
Paul Bakker8fe40dc2013-02-02 12:43:08 +0100953 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200954 * Enable a dummy error function to make use of mbedtls_strerror() in
955 * third party libraries easier when MBEDTLS_ERROR_C is disabled
956 * (no effect when MBEDTLS_ERROR_C is enabled).
Manuel Pégourié-Gonnarddc16aa72014-06-25 12:55:12 +0200957 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200958 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
959 * not using mbedtls_strerror() or error_strerror() in your application.
Paul Bakker8fe40dc2013-02-02 12:43:08 +0100960 *
961 * Disable if you run into name conflicts and want to really remove the
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200962 * mbedtls_strerror()
Paul Bakker8fe40dc2013-02-02 12:43:08 +0100963 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200964#define MBEDTLS_ERROR_STRERROR_DUMMY
Paul Bakker8fe40dc2013-02-02 12:43:08 +0100965
966/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200967 * \def MBEDTLS_GENPRIME
Paul Bakkerf3b86c12011-01-27 15:24:17 +0000968 *
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +0200969 * Enable the prime-number generation code.
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200970 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200971 * Requires: MBEDTLS_BIGNUM_C
Paul Bakker5121ce52009-01-03 21:22:43 +0000972 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200973#define MBEDTLS_GENPRIME
Paul Bakker5121ce52009-01-03 21:22:43 +0000974
Paul Bakkerf3b86c12011-01-27 15:24:17 +0000975/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200976 * \def MBEDTLS_FS_IO
Paul Bakker335db3f2011-04-25 15:28:35 +0000977 *
978 * Enable functions that use the filesystem.
979 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200980#define MBEDTLS_FS_IO
Paul Bakker335db3f2011-04-25 15:28:35 +0000981
982/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200983 * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
Paul Bakker43655f42011-12-15 20:11:16 +0000984 *
985 * Do not add default entropy sources. These are the platform specific,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200986 * mbedtls_timing_hardclock and HAVEGE based poll functions.
Paul Bakker43655f42011-12-15 20:11:16 +0000987 *
Shuo Chen95a0d112014-04-04 21:04:40 -0700988 * This is useful to have more control over the added entropy sources in an
Paul Bakker43655f42011-12-15 20:11:16 +0000989 * application.
990 *
991 * Uncomment this macro to prevent loading of default entropy functions.
Paul Bakker43655f42011-12-15 20:11:16 +0000992 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200993//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
Paul Bakker43655f42011-12-15 20:11:16 +0000994
995/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200996 * \def MBEDTLS_NO_PLATFORM_ENTROPY
Paul Bakker6083fd22011-12-03 21:45:14 +0000997 *
998 * Do not use built-in platform entropy functions.
999 * This is useful if your platform does not support
1000 * standards like the /dev/urandom or Windows CryptoAPI.
1001 *
1002 * Uncomment this macro to disable the built-in platform entropy functions.
Paul Bakker6083fd22011-12-03 21:45:14 +00001003 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001004//#define MBEDTLS_NO_PLATFORM_ENTROPY
Paul Bakker6083fd22011-12-03 21:45:14 +00001005
1006/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001007 * \def MBEDTLS_ENTROPY_FORCE_SHA256
Paul Bakker2ceda572014-02-06 15:55:25 +01001008 *
1009 * Force the entropy accumulator to use a SHA-256 accumulator instead of the
1010 * default SHA-512 based one (if both are available).
1011 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001012 * Requires: MBEDTLS_SHA256_C
Paul Bakker2ceda572014-02-06 15:55:25 +01001013 *
1014 * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
1015 * if you have performance concerns.
1016 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001017 * This option is only useful if both MBEDTLS_SHA256_C and
1018 * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
Paul Bakker2ceda572014-02-06 15:55:25 +01001019 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001020//#define MBEDTLS_ENTROPY_FORCE_SHA256
Paul Bakker2ceda572014-02-06 15:55:25 +01001021
1022/**
Paul Bakkercf0a9f92016-06-01 11:25:44 +01001023 * \def MBEDTLS_ENTROPY_NV_SEED
1024 *
1025 * Enable the non-volatile (NV) seed file-based entropy source.
1026 * (Also enables the NV seed read/write functions in the platform layer)
1027 *
1028 * This is crucial (if not required) on systems that do not have a
1029 * cryptographic entropy source (in hardware or kernel) available.
1030 *
1031 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
1032 *
Paul Bakker71a597a2016-06-07 10:59:03 +01001033 * \note The read/write functions that are used by the entropy source are
1034 * determined in the platform layer, and can be modified at runtime and/or
1035 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
1036 *
1037 * \note If you use the default implementation functions that read a seedfile
Paul Bakkercf0a9f92016-06-01 11:25:44 +01001038 * with regular fopen(), please make sure you make a seedfile with the
1039 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
1040 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
Paul Bakker71a597a2016-06-07 10:59:03 +01001041 * and written to or you will get an entropy source error! The default
1042 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
1043 * bytes from the file.
1044 *
1045 * \note The entropy collector will write to the seed file before entropy is
1046 * given to an external source, to update it.
Paul Bakkercf0a9f92016-06-01 11:25:44 +01001047 */
1048//#define MBEDTLS_ENTROPY_NV_SEED
1049
1050/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001051 * \def MBEDTLS_MEMORY_DEBUG
Paul Bakker6e339b52013-07-03 13:37:05 +02001052 *
1053 * Enable debugging of buffer allocator memory issues. Automatically prints
1054 * (to stderr) all (fatal) messages on memory allocation issues. Enables
1055 * function for 'debug output' of allocated memory.
1056 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001057 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
Paul Bakker6e339b52013-07-03 13:37:05 +02001058 *
1059 * Uncomment this macro to let the buffer allocator print out error messages.
Paul Bakkera7ea6a52013-10-15 11:55:10 +02001060 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001061//#define MBEDTLS_MEMORY_DEBUG
Paul Bakker6e339b52013-07-03 13:37:05 +02001062
1063/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001064 * \def MBEDTLS_MEMORY_BACKTRACE
Paul Bakker6e339b52013-07-03 13:37:05 +02001065 *
1066 * Include backtrace information with each allocated block.
1067 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001068 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
Paul Bakker6e339b52013-07-03 13:37:05 +02001069 * GLIBC-compatible backtrace() an backtrace_symbols() support
1070 *
1071 * Uncomment this macro to include backtrace information
Paul Bakker6e339b52013-07-03 13:37:05 +02001072 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001073//#define MBEDTLS_MEMORY_BACKTRACE
Paul Bakker6e339b52013-07-03 13:37:05 +02001074
1075/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001076 * \def MBEDTLS_PK_RSA_ALT_SUPPORT
Manuel Pégourié-Gonnard348bcb32015-03-31 14:01:33 +02001077 *
1078 * Support external private RSA keys (eg from a HSM) in the PK layer.
1079 *
1080 * Comment this macro to disable support for external private RSA keys.
1081 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001082#define MBEDTLS_PK_RSA_ALT_SUPPORT
Manuel Pégourié-Gonnard348bcb32015-03-31 14:01:33 +02001083
1084/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001085 * \def MBEDTLS_PKCS1_V15
Paul Bakker48377d92013-08-30 12:06:24 +02001086 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001087 * Enable support for PKCS#1 v1.5 encoding.
1088 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001089 * Requires: MBEDTLS_RSA_C
Paul Bakker48377d92013-08-30 12:06:24 +02001090 *
Paul Bakker48377d92013-08-30 12:06:24 +02001091 * This enables support for PKCS#1 v1.5 operations.
1092 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001093#define MBEDTLS_PKCS1_V15
Paul Bakker48377d92013-08-30 12:06:24 +02001094
1095/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001096 * \def MBEDTLS_PKCS1_V21
Paul Bakker9dcc3222011-03-08 14:16:06 +00001097 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001098 * Enable support for PKCS#1 v2.1 encoding.
1099 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001100 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C
Paul Bakker5690efc2011-05-26 13:16:06 +00001101 *
Paul Bakker9dcc3222011-03-08 14:16:06 +00001102 * This enables support for RSAES-OAEP and RSASSA-PSS operations.
1103 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001104#define MBEDTLS_PKCS1_V21
Paul Bakker9dcc3222011-03-08 14:16:06 +00001105
1106/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001107 * \def MBEDTLS_RSA_NO_CRT
Paul Bakker0216cc12011-03-26 13:40:23 +00001108 *
Hanno Becker930ec7d2018-03-09 10:48:00 +00001109 * Do not use the Chinese Remainder Theorem
1110 * for the RSA private operation.
Paul Bakker0216cc12011-03-26 13:40:23 +00001111 *
1112 * Uncomment this macro to disable the use of CRT in RSA.
1113 *
Paul Bakker0216cc12011-03-26 13:40:23 +00001114 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001115//#define MBEDTLS_RSA_NO_CRT
Paul Bakker15566e42011-04-24 21:19:15 +00001116
1117/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001118 * \def MBEDTLS_SELF_TEST
Paul Bakker15566e42011-04-24 21:19:15 +00001119 *
1120 * Enable the checkup functions (*_self_test).
1121 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001122#define MBEDTLS_SELF_TEST
Paul Bakker5c721f92011-07-27 16:51:09 +00001123
1124/**
Manuel Pégourié-Gonnardeb0d8702015-05-28 12:54:04 +02001125 * \def MBEDTLS_SHA256_SMALLER
1126 *
1127 * Enable an implementation of SHA-256 that has lower ROM footprint but also
1128 * lower performance.
1129 *
1130 * The default implementation is meant to be a reasonnable compromise between
1131 * performance and size. This version optimizes more aggressively for size at
1132 * the expense of performance. Eg on Cortex-M4 it reduces the size of
1133 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
1134 * 30%.
1135 *
1136 * Uncomment to enable the smaller implementation of SHA256.
1137 */
1138//#define MBEDTLS_SHA256_SMALLER
1139
1140/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001141 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
Paul Bakker40865c82013-01-31 17:13:13 +01001142 *
1143 * Enable sending of alert messages in case of encountered errors as per RFC.
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00001144 * If you choose not to send the alert messages, mbed TLS can still communicate
Paul Bakker40865c82013-01-31 17:13:13 +01001145 * with other servers, only debugging of failures is harder.
1146 *
1147 * The advantage of not sending alert messages, is that no information is given
1148 * about reasons for failures thus preventing adversaries of gaining intel.
1149 *
1150 * Enable sending of all alert messages
1151 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001152#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
Paul Bakker40865c82013-01-31 17:13:13 +01001153
1154/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001155 * \def MBEDTLS_SSL_DEBUG_ALL
Paul Bakkerd66f0702013-01-31 16:57:45 +01001156 *
1157 * Enable the debug messages in SSL module for all issues.
1158 * Debug messages have been disabled in some places to prevent timing
1159 * attacks due to (unbalanced) debugging function calls.
1160 *
1161 * If you need all error reporting you should enable this during debugging,
1162 * but remove this for production servers that should log as well.
1163 *
1164 * Uncomment this macro to report all debug messages on errors introducing
1165 * a timing side-channel.
1166 *
Paul Bakkerd66f0702013-01-31 16:57:45 +01001167 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001168//#define MBEDTLS_SSL_DEBUG_ALL
Paul Bakkerd66f0702013-01-31 16:57:45 +01001169
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001170/** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001171 *
1172 * Enable support for Encrypt-then-MAC, RFC 7366.
1173 *
1174 * This allows peers that both support it to use a more robust protection for
1175 * ciphersuites using CBC, providing deep resistance against timing attacks
1176 * on the padding or underlying cipher.
1177 *
1178 * This only affects CBC ciphersuites, and is useless if none is defined.
1179 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001180 * Requires: MBEDTLS_SSL_PROTO_TLS1 or
1181 * MBEDTLS_SSL_PROTO_TLS1_1 or
1182 * MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001183 *
1184 * Comment this macro to disable support for Encrypt-then-MAC
1185 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001186#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001187
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001188/** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001189 *
1190 * Enable support for Extended Master Secret, aka Session Hash
1191 * (draft-ietf-tls-session-hash-02).
1192 *
1193 * This was introduced as "the proper fix" to the Triple Handshake familiy of
1194 * attacks, but it is recommended to always use it (even if you disable
1195 * renegotiation), since it actually fixes a more fundamental issue in the
1196 * original SSL/TLS design, and has implications beyond Triple Handshake.
1197 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001198 * Requires: MBEDTLS_SSL_PROTO_TLS1 or
1199 * MBEDTLS_SSL_PROTO_TLS1_1 or
1200 * MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard769c6b62014-10-28 14:13:55 +01001201 *
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001202 * Comment this macro to disable support for Extended Master Secret.
1203 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001204#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001205
Paul Bakkerd66f0702013-01-31 16:57:45 +01001206/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001207 * \def MBEDTLS_SSL_FALLBACK_SCSV
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001208 *
1209 * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
1210 *
1211 * For servers, it is recommended to always enable this, unless you support
1212 * only one version of TLS, or know for sure that none of your clients
1213 * implements a fallback strategy.
1214 *
1215 * For clients, you only need this if you're using a fallback strategy, which
1216 * is not recommended in the first place, unless you absolutely need it to
1217 * interoperate with buggy (version-intolerant) servers.
1218 *
1219 * Comment this macro to disable support for FALLBACK_SCSV
1220 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001221#define MBEDTLS_SSL_FALLBACK_SCSV
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001222
1223/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001224 * \def MBEDTLS_SSL_HW_RECORD_ACCEL
Paul Bakker05ef8352012-05-08 09:17:57 +00001225 *
1226 * Enable hooking functions in SSL module for hardware acceleration of
1227 * individual records.
1228 *
1229 * Uncomment this macro to enable hooking functions.
Paul Bakker05ef8352012-05-08 09:17:57 +00001230 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001231//#define MBEDTLS_SSL_HW_RECORD_ACCEL
Paul Bakker05ef8352012-05-08 09:17:57 +00001232
1233/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001234 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01001235 *
1236 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
1237 *
1238 * This is a countermeasure to the BEAST attack, which also minimizes the risk
1239 * of interoperability issues compared to sending 0-length records.
1240 *
1241 * Comment this macro to disable 1/n-1 record splitting.
1242 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001243#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01001244
1245/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001246 * \def MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001247 *
Hanno Becker3ddf1012018-10-26 09:53:16 +01001248 * Enable support for TLS renegotiation.
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001249 *
1250 * The two main uses of renegotiation are (1) refresh keys on long-lived
1251 * connections and (2) client authentication after the initial handshake.
1252 * If you don't need renegotiation, it's probably better to disable it, since
1253 * it has been associated with security issues in the past and is easy to
1254 * misuse/misunderstand.
Manuel Pégourié-Gonnard03717042014-11-04 19:52:10 +01001255 *
Manuel Pégourié-Gonnard55f968b2015-03-09 16:23:15 +00001256 * Comment this to disable support for renegotiation.
Hanno Becker6851b102017-10-12 14:57:48 +01001257 *
1258 * \note Even if this option is disabled, both client and server are aware
1259 * of the Renegotiation Indication Extension (RFC 5746) used to
1260 * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
1261 * (See \c mbedtls_ssl_conf_legacy_renegotiation for the
1262 * configuration of this extension).
1263 *
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001264 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001265#define MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001266
1267/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001268 * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
Paul Bakker78a8c712013-03-06 17:01:52 +01001269 *
1270 * Enable support for receiving and parsing SSLv2 Client Hello messages for the
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001271 * SSL Server module (MBEDTLS_SSL_SRV_C).
Paul Bakker78a8c712013-03-06 17:01:52 +01001272 *
Manuel Pégourié-Gonnard265dd5c2015-03-10 13:48:34 +00001273 * Uncomment this macro to enable support for SSLv2 Client Hello messages.
Paul Bakker78a8c712013-03-06 17:01:52 +01001274 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001275//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
Paul Bakker78a8c712013-03-06 17:01:52 +01001276
1277/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001278 * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +01001279 *
1280 * Pick the ciphersuite according to the client's preferences rather than ours
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001281 * in the SSL Server module (MBEDTLS_SSL_SRV_C).
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +01001282 *
1283 * Uncomment this macro to respect client's ciphersuite order
1284 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001285//#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +01001286
1287/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001288 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Paul Bakker05decb22013-08-15 13:33:48 +02001289 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001290 * Enable support for RFC 6066 max_fragment_length extension in SSL.
Paul Bakker05decb22013-08-15 13:33:48 +02001291 *
1292 * Comment this macro to disable support for the max_fragment_length extension
1293 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001294#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Paul Bakker05decb22013-08-15 13:33:48 +02001295
1296/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001297 * \def MBEDTLS_SSL_PROTO_SSL3
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001298 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001299 * Enable support for SSL 3.0.
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001300 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001301 * Requires: MBEDTLS_MD5_C
1302 * MBEDTLS_SHA1_C
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001303 *
1304 * Comment this macro to disable support for SSL 3.0
1305 */
Janos Follathe2681a42016-03-07 15:57:05 +00001306//#define MBEDTLS_SSL_PROTO_SSL3
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001307
1308/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001309 * \def MBEDTLS_SSL_PROTO_TLS1
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001310 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001311 * Enable support for TLS 1.0.
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001312 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001313 * Requires: MBEDTLS_MD5_C
1314 * MBEDTLS_SHA1_C
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001315 *
1316 * Comment this macro to disable support for TLS 1.0
1317 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001318#define MBEDTLS_SSL_PROTO_TLS1
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001319
1320/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001321 * \def MBEDTLS_SSL_PROTO_TLS1_1
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001322 *
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001323 * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001324 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001325 * Requires: MBEDTLS_MD5_C
1326 * MBEDTLS_SHA1_C
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001327 *
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001328 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001329 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001330#define MBEDTLS_SSL_PROTO_TLS1_1
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001331
1332/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001333 * \def MBEDTLS_SSL_PROTO_TLS1_2
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001334 *
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001335 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001336 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001337 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001338 * (Depends on ciphersuites)
1339 *
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001340 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001341 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001342#define MBEDTLS_SSL_PROTO_TLS1_2
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001343
1344/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001345 * \def MBEDTLS_SSL_PROTO_DTLS
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001346 *
1347 * Enable support for DTLS (all available versions).
1348 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001349 * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0,
1350 * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001351 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001352 * Requires: MBEDTLS_SSL_PROTO_TLS1_1
1353 * or MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001354 *
1355 * Comment this macro to disable support for DTLS
1356 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001357#define MBEDTLS_SSL_PROTO_DTLS
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001358
1359/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001360 * \def MBEDTLS_SSL_ALPN
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02001361 *
Manuel Pégourié-Gonnard6b298e62014-11-20 18:28:50 +01001362 * Enable support for RFC 7301 Application Layer Protocol Negotiation.
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02001363 *
Paul Bakker27e36d32014-04-08 12:33:37 +02001364 * Comment this macro to disable support for ALPN.
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02001365 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001366#define MBEDTLS_SSL_ALPN
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02001367
1368/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001369 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
Manuel Pégourié-Gonnard8464a462014-09-24 14:05:32 +02001370 *
1371 * Enable support for the anti-replay mechanism in DTLS.
1372 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001373 * Requires: MBEDTLS_SSL_TLS_C
1374 * MBEDTLS_SSL_PROTO_DTLS
Manuel Pégourié-Gonnard8464a462014-09-24 14:05:32 +02001375 *
Manuel Pégourié-Gonnarda6fcffe2014-10-13 18:15:52 +02001376 * \warning Disabling this is often a security risk!
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02001377 * See mbedtls_ssl_conf_dtls_anti_replay() for details.
Manuel Pégourié-Gonnarda6fcffe2014-10-13 18:15:52 +02001378 *
Manuel Pégourié-Gonnard8464a462014-09-24 14:05:32 +02001379 * Comment this to disable anti-replay in DTLS.
1380 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001381#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
Manuel Pégourié-Gonnard8464a462014-09-24 14:05:32 +02001382
1383/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001384 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
Manuel Pégourié-Gonnard82202f02014-07-23 00:28:58 +02001385 *
1386 * Enable support for HelloVerifyRequest on DTLS servers.
1387 *
1388 * This feature is highly recommended to prevent DTLS servers being used as
1389 * amplifiers in DoS attacks against other hosts. It should always be enabled
1390 * unless you know for sure amplification cannot be a problem in the
1391 * environment in which your server operates.
1392 *
Manuel Pégourié-Gonnarda6fcffe2014-10-13 18:15:52 +02001393 * \warning Disabling this can ba a security risk! (see above)
1394 *
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02001395 * Requires: MBEDTLS_SSL_PROTO_DTLS
Manuel Pégourié-Gonnard82202f02014-07-23 00:28:58 +02001396 *
1397 * Comment this to disable support for HelloVerifyRequest.
1398 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001399#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
Manuel Pégourié-Gonnard82202f02014-07-23 00:28:58 +02001400
1401/**
Manuel Pégourié-Gonnard26d227d2015-09-04 10:53:25 +02001402 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
1403 *
1404 * Enable server-side support for clients that reconnect from the same port.
1405 *
1406 * Some clients unexpectedly close the connection and try to reconnect using the
1407 * same source port. This needs special support from the server to handle the
Simon Butcher4f6882a2015-09-11 17:12:46 +01001408 * new connection securely, as described in section 4.2.8 of RFC 6347. This
Manuel Pégourié-Gonnard26d227d2015-09-04 10:53:25 +02001409 * flag enables that support.
1410 *
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02001411 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02001412 *
Manuel Pégourié-Gonnard26d227d2015-09-04 10:53:25 +02001413 * Comment this to disable support for clients reusing the source port.
1414 */
1415#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
1416
1417/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001418 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001419 *
1420 * Enable support for a limit of records with bad MAC.
1421 *
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02001422 * See mbedtls_ssl_conf_dtls_badmac_limit().
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001423 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001424 * Requires: MBEDTLS_SSL_PROTO_DTLS
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001425 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001426#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001427
1428/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001429 * \def MBEDTLS_SSL_SESSION_TICKETS
Paul Bakkera503a632013-08-14 13:48:06 +02001430 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001431 * Enable support for RFC 5077 session tickets in SSL.
Antonin Décimo8fd91562019-01-23 15:24:37 +01001432 * Client-side, provides full support for session tickets (maintenance of a
Manuel Pégourié-Gonnard0c0f11f2015-05-20 09:55:50 +02001433 * session store remains the responsibility of the application, though).
1434 * Server-side, you also need to provide callbacks for writing and parsing
1435 * tickets, including authenticated encryption and key management. Example
1436 * callbacks are provided by MBEDTLS_SSL_TICKET_C.
Paul Bakkera503a632013-08-14 13:48:06 +02001437 *
1438 * Comment this macro to disable support for SSL session tickets
1439 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001440#define MBEDTLS_SSL_SESSION_TICKETS
Paul Bakkera503a632013-08-14 13:48:06 +02001441
1442/**
Robert Cragie4feb7ae2015-10-02 13:33:37 +01001443 * \def MBEDTLS_SSL_EXPORT_KEYS
1444 *
Manuel Pégourié-Gonnard024b6df2015-10-19 13:52:53 +02001445 * Enable support for exporting key block and master secret.
Robert Cragie4feb7ae2015-10-02 13:33:37 +01001446 * This is required for certain users of TLS, e.g. EAP-TLS.
1447 *
1448 * Comment this macro to disable support for key export
1449 */
1450#define MBEDTLS_SSL_EXPORT_KEYS
1451
1452/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001453 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
Paul Bakker0be444a2013-08-27 21:55:01 +02001454 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001455 * Enable support for RFC 6066 server name indication (SNI) in SSL.
Paul Bakker0be444a2013-08-27 21:55:01 +02001456 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001457 * Requires: MBEDTLS_X509_CRT_PARSE_C
Manuel Pégourié-Gonnardbbbb3cf2015-01-28 16:44:37 +00001458 *
Paul Bakker0be444a2013-08-27 21:55:01 +02001459 * Comment this macro to disable support for server name indication in SSL
1460 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001461#define MBEDTLS_SSL_SERVER_NAME_INDICATION
Paul Bakker0be444a2013-08-27 21:55:01 +02001462
1463/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001464 * \def MBEDTLS_SSL_TRUNCATED_HMAC
Paul Bakker1f2bc622013-08-15 13:45:55 +02001465 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001466 * Enable support for RFC 6066 truncated HMAC in SSL.
Paul Bakker1f2bc622013-08-15 13:45:55 +02001467 *
1468 * Comment this macro to disable support for truncated HMAC in SSL
1469 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001470#define MBEDTLS_SSL_TRUNCATED_HMAC
Paul Bakker1f2bc622013-08-15 13:45:55 +02001471
1472/**
Hanno Beckere89353a2017-11-20 16:36:41 +00001473 * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
1474 *
Hanno Becker702dfbc2017-11-29 16:35:46 +00001475 * Fallback to old (pre-2.7), non-conforming implementation of the truncated
1476 * HMAC extension which also truncates the HMAC key. Note that this option is
1477 * only meant for a transitory upgrade period and is likely to be removed in
1478 * a future version of the library.
Hanno Beckere89353a2017-11-20 16:36:41 +00001479 *
Hanno Becker702dfbc2017-11-29 16:35:46 +00001480 * \warning The old implementation is non-compliant and has a security weakness
1481 * (2^80 brute force attack on the HMAC key used for a single,
1482 * uninterrupted connection). This should only be enabled temporarily
1483 * when (1) the use of truncated HMAC is essential in order to save
1484 * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
1485 * the fixed implementation yet (pre-2.7).
Hanno Beckere89353a2017-11-20 16:36:41 +00001486 *
Hanno Becker4c2ac7e2017-11-21 18:22:53 +00001487 * \deprecated This option is deprecated and will likely be removed in a
1488 * future version of Mbed TLS.
1489 *
Hanno Beckere89353a2017-11-20 16:36:41 +00001490 * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
1491 *
1492 * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
1493 */
1494//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
1495
1496/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001497 * \def MBEDTLS_THREADING_ALT
Paul Bakker2466d932013-09-28 14:40:38 +02001498 *
1499 * Provide your own alternate threading implementation.
1500 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001501 * Requires: MBEDTLS_THREADING_C
Paul Bakker2466d932013-09-28 14:40:38 +02001502 *
1503 * Uncomment this to allow your own alternate threading implementation.
Paul Bakker2466d932013-09-28 14:40:38 +02001504 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001505//#define MBEDTLS_THREADING_ALT
Paul Bakker2466d932013-09-28 14:40:38 +02001506
1507/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001508 * \def MBEDTLS_THREADING_PTHREAD
Paul Bakker2466d932013-09-28 14:40:38 +02001509 *
1510 * Enable the pthread wrapper layer for the threading layer.
1511 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001512 * Requires: MBEDTLS_THREADING_C
Paul Bakker2466d932013-09-28 14:40:38 +02001513 *
1514 * Uncomment this to enable pthread mutexes.
Paul Bakker2466d932013-09-28 14:40:38 +02001515 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001516//#define MBEDTLS_THREADING_PTHREAD
Paul Bakker2466d932013-09-28 14:40:38 +02001517
1518/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001519 * \def MBEDTLS_VERSION_FEATURES
Paul Bakker0f90d7d2014-04-30 11:49:44 +02001520 *
1521 * Allow run-time checking of compile-time enabled features. Thus allowing users
1522 * to check at run-time if the library is for instance compiled with threading
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001523 * support via mbedtls_version_check_feature().
Paul Bakker0f90d7d2014-04-30 11:49:44 +02001524 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001525 * Requires: MBEDTLS_VERSION_C
Paul Bakker0f90d7d2014-04-30 11:49:44 +02001526 *
1527 * Comment this to disable run-time checking and save ROM space
1528 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001529#define MBEDTLS_VERSION_FEATURES
Paul Bakker0f90d7d2014-04-30 11:49:44 +02001530
1531/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001532 * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
Paul Bakkerc27c4e22013-09-23 15:01:36 +02001533 *
1534 * If set, the X509 parser will not break-off when parsing an X509 certificate
1535 * and encountering an extension in a v1 or v2 certificate.
1536 *
1537 * Uncomment to prevent an error.
Paul Bakkerc27c4e22013-09-23 15:01:36 +02001538 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001539//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
Paul Bakkerc27c4e22013-09-23 15:01:36 +02001540
1541/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001542 * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
Paul Bakker5c721f92011-07-27 16:51:09 +00001543 *
1544 * If set, the X509 parser will not break-off when parsing an X509 certificate
1545 * and encountering an unknown critical extension.
1546 *
Manuel Pégourié-Gonnardcb6af002015-10-05 12:12:39 +01001547 * \warning Depending on your PKI use, enabling this can be a security risk!
1548 *
Paul Bakker5c721f92011-07-27 16:51:09 +00001549 * Uncomment to prevent an error.
Paul Bakker5c721f92011-07-27 16:51:09 +00001550 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001551//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
Paul Bakker2770fbd2012-07-03 13:30:23 +00001552
1553/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001554 * \def MBEDTLS_X509_CHECK_KEY_USAGE
Manuel Pégourié-Gonnard603116c2014-04-09 09:50:03 +02001555 *
1556 * Enable verification of the keyUsage extension (CA and leaf certificates).
1557 *
1558 * Disabling this avoids problems with mis-issued and/or misused
1559 * (intermediate) CA and leaf certificates.
1560 *
1561 * \warning Depending on your PKI use, disabling this can be a security risk!
1562 *
1563 * Comment to skip keyUsage checking for both CA and leaf certificates.
1564 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001565#define MBEDTLS_X509_CHECK_KEY_USAGE
Manuel Pégourié-Gonnard603116c2014-04-09 09:50:03 +02001566
1567/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001568 * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
Manuel Pégourié-Gonnard7afb8a02014-04-10 17:53:56 +02001569 *
1570 * Enable verification of the extendedKeyUsage extension (leaf certificates).
1571 *
1572 * Disabling this avoids problems with mis-issued and/or misused certificates.
1573 *
1574 * \warning Depending on your PKI use, disabling this can be a security risk!
1575 *
1576 * Comment to skip extendedKeyUsage checking for certificates.
1577 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001578#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
Manuel Pégourié-Gonnard7afb8a02014-04-10 17:53:56 +02001579
1580/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001581 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +02001582 *
1583 * Enable parsing and verification of X.509 certificates, CRLs and CSRS
1584 * signed with RSASSA-PSS (aka PKCS#1 v2.1).
1585 *
1586 * Comment this macro to disallow using RSASSA-PSS in certificates.
1587 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001588#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +02001589
1590/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001591 * \def MBEDTLS_ZLIB_SUPPORT
Paul Bakker2770fbd2012-07-03 13:30:23 +00001592 *
1593 * If set, the SSL/TLS module uses ZLIB to support compression and
1594 * decompression of packet data.
1595 *
Manuel Pégourié-Gonnardbb4dd372014-03-11 10:30:38 +01001596 * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
1597 * CRIME attack. Before enabling this option, you should examine with care if
Antonin Décimo8fd91562019-01-23 15:24:37 +01001598 * CRIME or similar exploits may be applicable to your use case.
Manuel Pégourié-Gonnardbb4dd372014-03-11 10:30:38 +01001599 *
Manuel Pégourié-Gonnard7c3b4ab2015-07-02 17:59:52 +02001600 * \note Currently compression can't be used with DTLS.
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001601 *
Paul Bakker2770fbd2012-07-03 13:30:23 +00001602 * Used in: library/ssl_tls.c
1603 * library/ssl_cli.c
1604 * library/ssl_srv.c
1605 *
1606 * This feature requires zlib library and headers to be present.
1607 *
1608 * Uncomment to enable use of ZLIB
Paul Bakker2770fbd2012-07-03 13:30:23 +00001609 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001610//#define MBEDTLS_ZLIB_SUPPORT
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00001611/* \} name SECTION: mbed TLS feature support */
Paul Bakker0a62cd12011-01-21 11:00:08 +00001612
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001613/**
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00001614 * \name SECTION: mbed TLS modules
Paul Bakker0a62cd12011-01-21 11:00:08 +00001615 *
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00001616 * This section enables or disables entire modules in mbed TLS
Paul Bakker0a62cd12011-01-21 11:00:08 +00001617 * \{
1618 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001619
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001620/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001621 * \def MBEDTLS_AESNI_C
Manuel Pégourié-Gonnard92ac76f2013-12-16 17:12:53 +01001622 *
1623 * Enable AES-NI support on x86-64.
1624 *
1625 * Module: library/aesni.c
1626 * Caller: library/aes.c
1627 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001628 * Requires: MBEDTLS_HAVE_ASM
Manuel Pégourié-Gonnard92ac76f2013-12-16 17:12:53 +01001629 *
1630 * This modules adds support for the AES-NI instructions on x86-64
1631 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001632#define MBEDTLS_AESNI_C
Manuel Pégourié-Gonnard92ac76f2013-12-16 17:12:53 +01001633
1634/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001635 * \def MBEDTLS_AES_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001636 *
1637 * Enable the AES block cipher.
1638 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001639 * Module: library/aes.c
1640 * Caller: library/ssl_tls.c
Paul Bakker96743fc2011-02-12 14:30:57 +00001641 * library/pem.c
Paul Bakker6083fd22011-12-03 21:45:14 +00001642 * library/ctr_drbg.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001643 *
Paul Bakker645ce3a2012-10-31 12:32:41 +00001644 * This module enables the following ciphersuites (if other requisites are
1645 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001646 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
1647 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
1648 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
1649 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
1650 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
1651 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
1652 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
1653 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
1654 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
1655 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
1656 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
1657 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
1658 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
1659 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
1660 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
1661 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
1662 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
1663 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
1664 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
1665 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
1666 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
1667 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
1668 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
1669 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
1670 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
1671 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
1672 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
1673 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
1674 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
1675 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
1676 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
1677 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
1678 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
1679 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
1680 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
1681 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
1682 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
1683 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
1684 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
1685 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
1686 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
1687 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
1688 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
1689 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
1690 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
1691 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
1692 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
1693 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
1694 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
1695 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
1696 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
1697 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
1698 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
1699 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
1700 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
1701 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
1702 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
1703 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
Paul Bakker6deb37e2013-02-19 13:17:08 +01001704 *
Paul Bakkercff68422013-09-15 20:43:33 +02001705 * PEM_PARSE uses AES for decrypting encrypted keys.
Paul Bakker5121ce52009-01-03 21:22:43 +00001706 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001707#define MBEDTLS_AES_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001708
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001709/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001710 * \def MBEDTLS_ARC4_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001711 *
1712 * Enable the ARCFOUR stream cipher.
1713 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001714 * Module: library/arc4.c
1715 * Caller: library/ssl_tls.c
1716 *
Paul Bakker41c83d32013-03-20 14:39:14 +01001717 * This module enables the following ciphersuites (if other requisites are
1718 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001719 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
1720 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
1721 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
1722 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
1723 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
1724 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
1725 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
1726 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
1727 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
1728 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
Hanno Beckerbbca8c52017-09-25 14:53:51 +01001729 *
1730 * \warning ARC4 is considered a weak cipher and its use constitutes a
1731 * security risk. If possible, we recommend avoidng dependencies on
1732 * it, and considering stronger ciphers instead.
1733 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001734 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001735#define MBEDTLS_ARC4_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001736
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001737/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001738 * \def MBEDTLS_ASN1_PARSE_C
Paul Bakkerefc30292011-11-10 14:43:23 +00001739 *
1740 * Enable the generic ASN1 parser.
1741 *
1742 * Module: library/asn1.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02001743 * Caller: library/x509.c
1744 * library/dhm.c
1745 * library/pkcs12.c
1746 * library/pkcs5.c
1747 * library/pkparse.c
Paul Bakkerefc30292011-11-10 14:43:23 +00001748 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001749#define MBEDTLS_ASN1_PARSE_C
Paul Bakkerefc30292011-11-10 14:43:23 +00001750
1751/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001752 * \def MBEDTLS_ASN1_WRITE_C
Paul Bakkerbdb912d2012-02-13 23:11:30 +00001753 *
1754 * Enable the generic ASN1 writer.
1755 *
1756 * Module: library/asn1write.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02001757 * Caller: library/ecdsa.c
1758 * library/pkwrite.c
1759 * library/x509_create.c
1760 * library/x509write_crt.c
Simon Butcher2cb47392016-11-04 12:23:11 +00001761 * library/x509write_csr.c
Paul Bakkerbdb912d2012-02-13 23:11:30 +00001762 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001763#define MBEDTLS_ASN1_WRITE_C
Paul Bakkerbdb912d2012-02-13 23:11:30 +00001764
1765/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001766 * \def MBEDTLS_BASE64_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001767 *
1768 * Enable the Base64 module.
1769 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001770 * Module: library/base64.c
Paul Bakker5690efc2011-05-26 13:16:06 +00001771 * Caller: library/pem.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001772 *
Paul Bakker5690efc2011-05-26 13:16:06 +00001773 * This module is required for PEM support (required by X.509).
Paul Bakker5121ce52009-01-03 21:22:43 +00001774 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001775#define MBEDTLS_BASE64_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001776
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001777/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001778 * \def MBEDTLS_BIGNUM_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001779 *
Paul Bakker9a736322012-11-14 12:39:52 +00001780 * Enable the multi-precision integer library.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001781 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001782 * Module: library/bignum.c
1783 * Caller: library/dhm.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02001784 * library/ecp.c
Manuel Pégourié-Gonnardbf319772014-06-25 13:00:17 +02001785 * library/ecdsa.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001786 * library/rsa.c
Hanno Beckera565f542017-10-11 11:00:19 +01001787 * library/rsa_internal.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001788 * library/ssl_tls.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001789 *
Manuel Pégourié-Gonnardbf319772014-06-25 13:00:17 +02001790 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
Paul Bakker5121ce52009-01-03 21:22:43 +00001791 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001792#define MBEDTLS_BIGNUM_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001793
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001794/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001795 * \def MBEDTLS_BLOWFISH_C
Paul Bakkera9379c02012-07-04 11:02:11 +00001796 *
1797 * Enable the Blowfish block cipher.
1798 *
1799 * Module: library/blowfish.c
1800 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001801#define MBEDTLS_BLOWFISH_C
Paul Bakkera9379c02012-07-04 11:02:11 +00001802
1803/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001804 * \def MBEDTLS_CAMELLIA_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001805 *
1806 * Enable the Camellia block cipher.
1807 *
Paul Bakker38119b12009-01-10 23:31:23 +00001808 * Module: library/camellia.c
Paul Bakker13e2dfe2009-07-28 07:18:38 +00001809 * Caller: library/ssl_tls.c
Paul Bakker38119b12009-01-10 23:31:23 +00001810 *
Paul Bakker645ce3a2012-10-31 12:32:41 +00001811 * This module enables the following ciphersuites (if other requisites are
1812 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001813 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
1814 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
1815 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
1816 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
1817 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
1818 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
1819 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
1820 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
1821 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
1822 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
1823 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
1824 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
1825 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
1826 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
1827 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
1828 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
1829 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
1830 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
1831 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
1832 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
1833 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
1834 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
1835 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
1836 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
1837 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
1838 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
1839 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
1840 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
1841 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
1842 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
1843 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
1844 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
1845 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
1846 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
1847 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
1848 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
1849 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
1850 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
1851 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
1852 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
1853 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
1854 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
Paul Bakker38119b12009-01-10 23:31:23 +00001855 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001856#define MBEDTLS_CAMELLIA_C
Paul Bakker38119b12009-01-10 23:31:23 +00001857
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001858/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001859 * \def MBEDTLS_CCM_C
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +02001860 *
1861 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
1862 *
1863 * Module: library/ccm.c
1864 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001865 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +02001866 *
1867 * This module enables the AES-CCM ciphersuites, if other requisites are
1868 * enabled as well.
1869 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001870#define MBEDTLS_CCM_C
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +02001871
1872/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001873 * \def MBEDTLS_CERTS_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001874 *
1875 * Enable the test certificates.
1876 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001877 * Module: library/certs.c
1878 * Caller:
1879 *
1880 * This module is used for testing (ssl_client/server).
1881 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001882#define MBEDTLS_CERTS_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001883
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001884/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001885 * \def MBEDTLS_CIPHER_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001886 *
1887 * Enable the generic cipher layer.
1888 *
Paul Bakker8123e9d2011-01-06 15:37:30 +00001889 * Module: library/cipher.c
Paul Bakker04784f52013-08-19 13:30:57 +02001890 * Caller: library/ssl_tls.c
Paul Bakker8123e9d2011-01-06 15:37:30 +00001891 *
1892 * Uncomment to enable generic cipher wrappers.
1893 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001894#define MBEDTLS_CIPHER_C
Paul Bakker8123e9d2011-01-06 15:37:30 +00001895
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001896/**
Robert Cragiedc5c7b92015-12-11 15:49:45 +00001897 * \def MBEDTLS_CMAC_C
1898 *
Simon Butcher327398a2016-10-05 14:09:11 +01001899 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
1900 * ciphers.
Robert Cragiedc5c7b92015-12-11 15:49:45 +00001901 *
1902 * Module: library/cmac.c
1903 *
Simon Butcher69283e52016-10-06 12:49:58 +01001904 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
Robert Cragiedc5c7b92015-12-11 15:49:45 +00001905 *
1906 */
Brian Murray53e23b62016-09-13 14:00:15 -07001907//#define MBEDTLS_CMAC_C
Robert Cragiedc5c7b92015-12-11 15:49:45 +00001908
1909/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001910 * \def MBEDTLS_CTR_DRBG_C
Paul Bakker0e04d0e2011-11-27 14:46:59 +00001911 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001912 * Enable the CTR_DRBG AES-256-based random generator.
Paul Bakker0e04d0e2011-11-27 14:46:59 +00001913 *
Gilles Peskine406d2582019-10-03 14:31:22 +02001914 * \note This module only achieves a 256-bit security strength if
1915 * the generator is seeded with sufficient entropy.
1916 * See ctr_drbg.h for more details.
1917 *
Paul Bakker0e04d0e2011-11-27 14:46:59 +00001918 * Module: library/ctr_drbg.c
1919 * Caller:
1920 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001921 * Requires: MBEDTLS_AES_C
Paul Bakker6083fd22011-12-03 21:45:14 +00001922 *
Paul Bakker0e04d0e2011-11-27 14:46:59 +00001923 * This module provides the CTR_DRBG AES-256 random number generator.
1924 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001925#define MBEDTLS_CTR_DRBG_C
Paul Bakker0e04d0e2011-11-27 14:46:59 +00001926
1927/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001928 * \def MBEDTLS_DEBUG_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001929 *
1930 * Enable the debug functions.
1931 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001932 * Module: library/debug.c
1933 * Caller: library/ssl_cli.c
1934 * library/ssl_srv.c
1935 * library/ssl_tls.c
1936 *
1937 * This module provides debugging functions.
1938 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001939#define MBEDTLS_DEBUG_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001940
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001941/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001942 * \def MBEDTLS_DES_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001943 *
1944 * Enable the DES block cipher.
1945 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001946 * Module: library/des.c
Paul Bakker6deb37e2013-02-19 13:17:08 +01001947 * Caller: library/pem.c
1948 * library/ssl_tls.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001949 *
Paul Bakker645ce3a2012-10-31 12:32:41 +00001950 * This module enables the following ciphersuites (if other requisites are
1951 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001952 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
1953 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
1954 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
1955 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
1956 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
1957 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
1958 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
1959 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
1960 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
1961 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
Paul Bakker6deb37e2013-02-19 13:17:08 +01001962 *
Paul Bakkercff68422013-09-15 20:43:33 +02001963 * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
Hanno Beckerbbca8c52017-09-25 14:53:51 +01001964 *
1965 * \warning DES is considered a weak cipher and its use constitutes a
1966 * security risk. We recommend considering stronger ciphers instead.
Paul Bakker5121ce52009-01-03 21:22:43 +00001967 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001968#define MBEDTLS_DES_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001969
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001970/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001971 * \def MBEDTLS_DHM_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001972 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02001973 * Enable the Diffie-Hellman-Merkle module.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001974 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001975 * Module: library/dhm.c
1976 * Caller: library/ssl_cli.c
1977 * library/ssl_srv.c
1978 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02001979 * This module is used by the following key exchanges:
1980 * DHE-RSA, DHE-PSK
Hanno Beckera2f6b722017-09-28 10:33:29 +01001981 *
Hanno Beckerf9734b32017-10-03 12:09:22 +01001982 * \warning Using DHE constitutes a security risk as it
1983 * is not possible to validate custom DH parameters.
1984 * If possible, it is recommended users should consider
1985 * preferring other methods of key exchange.
1986 * See dhm.h for more details.
Hanno Beckera2f6b722017-09-28 10:33:29 +01001987 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001988 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001989#define MBEDTLS_DHM_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001990
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001991/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001992 * \def MBEDTLS_ECDH_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01001993 *
1994 * Enable the elliptic curve Diffie-Hellman library.
1995 *
1996 * Module: library/ecdh.c
Paul Bakker41c83d32013-03-20 14:39:14 +01001997 * Caller: library/ssl_cli.c
1998 * library/ssl_srv.c
1999 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02002000 * This module is used by the following key exchanges:
2001 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002002 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002003 * Requires: MBEDTLS_ECP_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002004 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002005#define MBEDTLS_ECDH_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002006
2007/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002008 * \def MBEDTLS_ECDSA_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002009 *
2010 * Enable the elliptic curve DSA library.
2011 *
2012 * Module: library/ecdsa.c
2013 * Caller:
2014 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02002015 * This module is used by the following key exchanges:
2016 * ECDHE-ECDSA
2017 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002018 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002019 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002020#define MBEDTLS_ECDSA_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002021
2022/**
Manuel Pégourié-Gonnard4d8685b2015-08-05 15:44:42 +02002023 * \def MBEDTLS_ECJPAKE_C
2024 *
2025 * Enable the elliptic curve J-PAKE library.
2026 *
Manuel Pégourié-Gonnard75df9022015-09-16 23:21:01 +02002027 * \warning This is currently experimental. EC J-PAKE support is based on the
2028 * Thread v1.0.0 specification; incompatible changes to the specification
2029 * might still happen. For this reason, this is disabled by default.
2030 *
Manuel Pégourié-Gonnard4d8685b2015-08-05 15:44:42 +02002031 * Module: library/ecjpake.c
2032 * Caller:
2033 *
2034 * This module is used by the following key exchanges:
2035 * ECJPAKE
2036 *
2037 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
2038 */
Manuel Pégourié-Gonnardcf828932015-10-20 14:57:00 +02002039//#define MBEDTLS_ECJPAKE_C
Manuel Pégourié-Gonnard4d8685b2015-08-05 15:44:42 +02002040
2041/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002042 * \def MBEDTLS_ECP_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002043 *
2044 * Enable the elliptic curve over GF(p) library.
2045 *
2046 * Module: library/ecp.c
2047 * Caller: library/ecdh.c
2048 * library/ecdsa.c
Manuel Pégourié-Gonnard4d8685b2015-08-05 15:44:42 +02002049 * library/ecjpake.c
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002050 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002051 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002052 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002053#define MBEDTLS_ECP_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002054
2055/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002056 * \def MBEDTLS_ENTROPY_C
Paul Bakker6083fd22011-12-03 21:45:14 +00002057 *
2058 * Enable the platform-specific entropy code.
2059 *
2060 * Module: library/entropy.c
2061 * Caller:
2062 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002063 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
Paul Bakker6083fd22011-12-03 21:45:14 +00002064 *
2065 * This module provides a generic entropy pool
2066 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002067#define MBEDTLS_ENTROPY_C
Paul Bakker6083fd22011-12-03 21:45:14 +00002068
2069/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002070 * \def MBEDTLS_ERROR_C
Paul Bakker9d781402011-05-09 16:17:09 +00002071 *
2072 * Enable error code to error string conversion.
2073 *
2074 * Module: library/error.c
2075 * Caller:
2076 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002077 * This module enables mbedtls_strerror().
Paul Bakker9d781402011-05-09 16:17:09 +00002078 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002079#define MBEDTLS_ERROR_C
Paul Bakker9d781402011-05-09 16:17:09 +00002080
2081/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002082 * \def MBEDTLS_GCM_C
Paul Bakker89e80c92012-03-20 13:50:09 +00002083 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002084 * Enable the Galois/Counter Mode (GCM) for AES.
Paul Bakker89e80c92012-03-20 13:50:09 +00002085 *
2086 * Module: library/gcm.c
2087 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002088 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
Paul Bakker645ce3a2012-10-31 12:32:41 +00002089 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02002090 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
2091 * requisites are enabled as well.
Paul Bakker89e80c92012-03-20 13:50:09 +00002092 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002093#define MBEDTLS_GCM_C
Paul Bakker89e80c92012-03-20 13:50:09 +00002094
2095/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002096 * \def MBEDTLS_HAVEGE_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002097 *
2098 * Enable the HAVEGE random generator.
2099 *
Paul Bakker2a844242013-06-24 13:01:53 +02002100 * Warning: the HAVEGE random generator is not suitable for virtualized
2101 * environments
2102 *
2103 * Warning: the HAVEGE random generator is dependent on timing and specific
2104 * processor traits. It is therefore not advised to use HAVEGE as
2105 * your applications primary random generator or primary entropy pool
2106 * input. As a secondary input to your entropy pool, it IS able add
2107 * the (limited) extra entropy it provides.
2108 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002109 * Module: library/havege.c
2110 * Caller:
2111 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002112 * Requires: MBEDTLS_TIMING_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002113 *
Paul Bakker2a844242013-06-24 13:01:53 +02002114 * Uncomment to enable the HAVEGE random generator.
Paul Bakker2a844242013-06-24 13:01:53 +02002115 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002116//#define MBEDTLS_HAVEGE_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002117
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002118/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002119 * \def MBEDTLS_HMAC_DRBG_C
Manuel Pégourié-Gonnard490bdf32014-01-27 14:03:10 +01002120 *
2121 * Enable the HMAC_DRBG random generator.
2122 *
2123 * Module: library/hmac_drbg.c
2124 * Caller:
2125 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002126 * Requires: MBEDTLS_MD_C
Manuel Pégourié-Gonnard490bdf32014-01-27 14:03:10 +01002127 *
2128 * Uncomment to enable the HMAC_DRBG random number geerator.
2129 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002130#define MBEDTLS_HMAC_DRBG_C
Manuel Pégourié-Gonnard490bdf32014-01-27 14:03:10 +01002131
2132/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002133 * \def MBEDTLS_MD_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002134 *
2135 * Enable the generic message digest layer.
2136 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002137 * Module: library/md.c
Paul Bakker17373852011-01-06 14:20:01 +00002138 * Caller:
2139 *
2140 * Uncomment to enable generic message digest wrappers.
2141 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002142#define MBEDTLS_MD_C
Paul Bakker17373852011-01-06 14:20:01 +00002143
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002144/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002145 * \def MBEDTLS_MD2_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002146 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002147 * Enable the MD2 hash algorithm.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002148 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002149 * Module: library/md2.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002150 * Caller:
Paul Bakker5121ce52009-01-03 21:22:43 +00002151 *
2152 * Uncomment to enable support for (rare) MD2-signed X.509 certs.
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002153 *
2154 * \warning MD2 is considered a weak message digest and its use constitutes a
2155 * security risk. If possible, we recommend avoiding dependencies on
2156 * it, and considering stronger message digests instead.
2157 *
Paul Bakker6506aff2009-07-28 20:52:02 +00002158 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002159//#define MBEDTLS_MD2_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002160
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002161/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002162 * \def MBEDTLS_MD4_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002163 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002164 * Enable the MD4 hash algorithm.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002165 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002166 * Module: library/md4.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002167 * Caller:
Paul Bakker5121ce52009-01-03 21:22:43 +00002168 *
2169 * Uncomment to enable support for (rare) MD4-signed X.509 certs.
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002170 *
2171 * \warning MD4 is considered a weak message digest and its use constitutes a
2172 * security risk. If possible, we recommend avoiding dependencies on
2173 * it, and considering stronger message digests instead.
2174 *
Paul Bakker6506aff2009-07-28 20:52:02 +00002175 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002176//#define MBEDTLS_MD4_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002177
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002178/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002179 * \def MBEDTLS_MD5_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002180 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002181 * Enable the MD5 hash algorithm.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002182 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002183 * Module: library/md5.c
2184 * Caller: library/md.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002185 * library/pem.c
Paul Bakker6deb37e2013-02-19 13:17:08 +01002186 * library/ssl_tls.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002187 *
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002188 * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2
2189 * depending on the handshake parameters. Further, it is used for checking
2190 * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded
2191 * encrypted keys.
2192 *
2193 * \warning MD5 is considered a weak message digest and its use constitutes a
2194 * security risk. If possible, we recommend avoiding dependencies on
2195 * it, and considering stronger message digests instead.
2196 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002197 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002198#define MBEDTLS_MD5_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002199
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002200/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002201 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002202 *
2203 * Enable the buffer allocator implementation that makes use of a (stack)
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +02002204 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002205 * calls)
Paul Bakker6e339b52013-07-03 13:37:05 +02002206 *
2207 * Module: library/memory_buffer_alloc.c
2208 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002209 * Requires: MBEDTLS_PLATFORM_C
2210 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
Paul Bakker6e339b52013-07-03 13:37:05 +02002211 *
2212 * Enable this module to enable the buffer memory allocator.
Paul Bakker6e339b52013-07-03 13:37:05 +02002213 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002214//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
Paul Bakker6e339b52013-07-03 13:37:05 +02002215
2216/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002217 * \def MBEDTLS_NET_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002218 *
Manuel Pégourié-Gonnard325ce092016-02-22 10:33:34 +01002219 * Enable the TCP and UDP over IPv6/IPv4 networking routines.
2220 *
Simon Butcherd567a232016-03-09 20:19:21 +00002221 * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
2222 * and Windows. For other platforms, you'll want to disable it, and write your
Manuel Pégourié-Gonnard325ce092016-02-22 10:33:34 +01002223 * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002224 *
Manuel Pégourié-Gonnard02049dc2016-02-22 16:42:51 +00002225 * \note See also our Knowledge Base article about porting to a new
2226 * environment:
2227 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
2228 *
Andres AG788aa4a2016-09-14 14:32:09 +01002229 * Module: library/net_sockets.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002230 *
Manuel Pégourié-Gonnard325ce092016-02-22 10:33:34 +01002231 * This module provides networking routines.
Paul Bakker5121ce52009-01-03 21:22:43 +00002232 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002233#define MBEDTLS_NET_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002234
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002235/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002236 * \def MBEDTLS_OID_C
Paul Bakkerc70b9822013-04-07 22:00:46 +02002237 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002238 * Enable the OID database.
Paul Bakkerc70b9822013-04-07 22:00:46 +02002239 *
2240 * Module: library/oid.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002241 * Caller: library/asn1write.c
2242 * library/pkcs5.c
2243 * library/pkparse.c
2244 * library/pkwrite.c
2245 * library/rsa.c
2246 * library/x509.c
2247 * library/x509_create.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002248 * library/x509_crl.c
2249 * library/x509_crt.c
2250 * library/x509_csr.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002251 * library/x509write_crt.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002252 * library/x509write_csr.c
Paul Bakkerc70b9822013-04-07 22:00:46 +02002253 *
2254 * This modules translates between OIDs and internal values.
2255 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002256#define MBEDTLS_OID_C
Paul Bakkerc70b9822013-04-07 22:00:46 +02002257
2258/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002259 * \def MBEDTLS_PADLOCK_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002260 *
2261 * Enable VIA Padlock support on x86.
2262 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002263 * Module: library/padlock.c
2264 * Caller: library/aes.c
2265 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002266 * Requires: MBEDTLS_HAVE_ASM
Manuel Pégourié-Gonnard92ac76f2013-12-16 17:12:53 +01002267 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002268 * This modules adds support for the VIA PadLock on x86.
2269 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002270#define MBEDTLS_PADLOCK_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002271
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002272/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002273 * \def MBEDTLS_PEM_PARSE_C
Paul Bakker96743fc2011-02-12 14:30:57 +00002274 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002275 * Enable PEM decoding / parsing.
Paul Bakker96743fc2011-02-12 14:30:57 +00002276 *
2277 * Module: library/pem.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002278 * Caller: library/dhm.c
Paul Bakkercff68422013-09-15 20:43:33 +02002279 * library/pkparse.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002280 * library/x509_crl.c
2281 * library/x509_crt.c
2282 * library/x509_csr.c
Paul Bakker96743fc2011-02-12 14:30:57 +00002283 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002284 * Requires: MBEDTLS_BASE64_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002285 *
Paul Bakkercff68422013-09-15 20:43:33 +02002286 * This modules adds support for decoding / parsing PEM files.
Paul Bakker96743fc2011-02-12 14:30:57 +00002287 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002288#define MBEDTLS_PEM_PARSE_C
Paul Bakkercff68422013-09-15 20:43:33 +02002289
2290/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002291 * \def MBEDTLS_PEM_WRITE_C
Paul Bakkercff68422013-09-15 20:43:33 +02002292 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002293 * Enable PEM encoding / writing.
Paul Bakkercff68422013-09-15 20:43:33 +02002294 *
2295 * Module: library/pem.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002296 * Caller: library/pkwrite.c
2297 * library/x509write_crt.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002298 * library/x509write_csr.c
Paul Bakkercff68422013-09-15 20:43:33 +02002299 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002300 * Requires: MBEDTLS_BASE64_C
Paul Bakkercff68422013-09-15 20:43:33 +02002301 *
2302 * This modules adds support for encoding / writing PEM files.
2303 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002304#define MBEDTLS_PEM_WRITE_C
Paul Bakker96743fc2011-02-12 14:30:57 +00002305
2306/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002307 * \def MBEDTLS_PK_C
Manuel Pégourié-Gonnardc40b4c32013-08-22 13:29:31 +02002308 *
2309 * Enable the generic public (asymetric) key layer.
2310 *
2311 * Module: library/pk.c
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02002312 * Caller: library/ssl_tls.c
Manuel Pégourié-Gonnardc40b4c32013-08-22 13:29:31 +02002313 * library/ssl_cli.c
2314 * library/ssl_srv.c
2315 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002316 * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02002317 *
Manuel Pégourié-Gonnardc40b4c32013-08-22 13:29:31 +02002318 * Uncomment to enable generic public key wrappers.
2319 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002320#define MBEDTLS_PK_C
Manuel Pégourié-Gonnardc40b4c32013-08-22 13:29:31 +02002321
2322/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002323 * \def MBEDTLS_PK_PARSE_C
Paul Bakker4606c732013-09-15 17:04:23 +02002324 *
2325 * Enable the generic public (asymetric) key parser.
2326 *
2327 * Module: library/pkparse.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002328 * Caller: library/x509_crt.c
2329 * library/x509_csr.c
Paul Bakker4606c732013-09-15 17:04:23 +02002330 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002331 * Requires: MBEDTLS_PK_C
Paul Bakker4606c732013-09-15 17:04:23 +02002332 *
2333 * Uncomment to enable generic public key parse functions.
2334 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002335#define MBEDTLS_PK_PARSE_C
Paul Bakker4606c732013-09-15 17:04:23 +02002336
2337/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002338 * \def MBEDTLS_PK_WRITE_C
Paul Bakker4606c732013-09-15 17:04:23 +02002339 *
Paul Bakkerf20ba4b2013-09-16 22:46:20 +02002340 * Enable the generic public (asymetric) key writer.
Paul Bakker4606c732013-09-15 17:04:23 +02002341 *
2342 * Module: library/pkwrite.c
2343 * Caller: library/x509write.c
2344 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002345 * Requires: MBEDTLS_PK_C
Paul Bakker4606c732013-09-15 17:04:23 +02002346 *
2347 * Uncomment to enable generic public key write functions.
2348 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002349#define MBEDTLS_PK_WRITE_C
Paul Bakker4606c732013-09-15 17:04:23 +02002350
2351/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002352 * \def MBEDTLS_PKCS5_C
Paul Bakkerb0c19a42013-06-24 19:26:38 +02002353 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002354 * Enable PKCS#5 functions.
Paul Bakkerb0c19a42013-06-24 19:26:38 +02002355 *
2356 * Module: library/pkcs5.c
2357 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002358 * Requires: MBEDTLS_MD_C
Paul Bakkerb0c19a42013-06-24 19:26:38 +02002359 *
2360 * This module adds support for the PKCS#5 functions.
2361 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002362#define MBEDTLS_PKCS5_C
Paul Bakkerb0c19a42013-06-24 19:26:38 +02002363
2364/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002365 * \def MBEDTLS_PKCS11_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002366 *
Paul Bakkereb2c6582012-09-27 19:15:01 +00002367 * Enable wrapper for PKCS#11 smartcard support.
Paul Bakker5690efc2011-05-26 13:16:06 +00002368 *
Manuel Pégourié-Gonnard51be5592013-08-22 13:35:53 +02002369 * Module: library/pkcs11.c
2370 * Caller: library/pk.c
Paul Bakker5690efc2011-05-26 13:16:06 +00002371 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002372 * Requires: MBEDTLS_PK_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002373 *
Paul Bakkereb2c6582012-09-27 19:15:01 +00002374 * This module enables SSL/TLS PKCS #11 smartcard support.
Paul Bakker5690efc2011-05-26 13:16:06 +00002375 * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
Paul Bakker5690efc2011-05-26 13:16:06 +00002376 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002377//#define MBEDTLS_PKCS11_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002378
2379/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002380 * \def MBEDTLS_PKCS12_C
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02002381 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002382 * Enable PKCS#12 PBE functions.
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02002383 * Adds algorithms for parsing PKCS#8 encrypted private keys
2384 *
2385 * Module: library/pkcs12.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002386 * Caller: library/pkparse.c
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02002387 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002388 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C
2389 * Can use: MBEDTLS_ARC4_C
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02002390 *
2391 * This module enables PKCS#12 functions.
2392 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002393#define MBEDTLS_PKCS12_C
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02002394
2395/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002396 * \def MBEDTLS_PLATFORM_C
Paul Bakker747a83a2014-02-01 22:50:07 +01002397 *
2398 * Enable the platform abstraction layer that allows you to re-assign
Manuel Pégourié-Gonnard6c0c8e02015-06-22 10:23:34 +02002399 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
Paul Bakker747a83a2014-02-01 22:50:07 +01002400 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002401 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
2402 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
Rich Evans16f8cd82015-02-06 16:14:34 +00002403 * above to be specified at runtime or compile time respectively.
Paul Bakker747a83a2014-02-01 22:50:07 +01002404 *
Manuel Pégourié-Gonnard6c0c8e02015-06-22 10:23:34 +02002405 * \note This abstraction layer must be enabled on Windows (including MSYS2)
2406 * as other module rely on it for a fixed snprintf implementation.
2407 *
Paul Bakker747a83a2014-02-01 22:50:07 +01002408 * Module: library/platform.c
2409 * Caller: Most other .c files
2410 *
2411 * This module enables abstraction of common (libc) functions.
2412 */
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +02002413#define MBEDTLS_PLATFORM_C
Paul Bakker747a83a2014-02-01 22:50:07 +01002414
2415/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002416 * \def MBEDTLS_RIPEMD160_C
Manuel Pégourié-Gonnardcab4a882014-01-17 12:42:35 +01002417 *
2418 * Enable the RIPEMD-160 hash algorithm.
2419 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002420 * Module: library/ripemd160.c
2421 * Caller: library/md.c
Manuel Pégourié-Gonnardcab4a882014-01-17 12:42:35 +01002422 *
2423 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002424#define MBEDTLS_RIPEMD160_C
Manuel Pégourié-Gonnardcab4a882014-01-17 12:42:35 +01002425
2426/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002427 * \def MBEDTLS_RSA_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002428 *
2429 * Enable the RSA public-key cryptosystem.
2430 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002431 * Module: library/rsa.c
Hanno Beckera565f542017-10-11 11:00:19 +01002432 * library/rsa_internal.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002433 * Caller: library/ssl_cli.c
2434 * library/ssl_srv.c
2435 * library/ssl_tls.c
2436 * library/x509.c
2437 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02002438 * This module is used by the following key exchanges:
2439 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
Paul Bakker5690efc2011-05-26 13:16:06 +00002440 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002441 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002442 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002443#define MBEDTLS_RSA_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002444
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002445/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002446 * \def MBEDTLS_SHA1_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002447 *
2448 * Enable the SHA1 cryptographic hash algorithm.
2449 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002450 * Module: library/sha1.c
2451 * Caller: library/md.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002452 * library/ssl_cli.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002453 * library/ssl_srv.c
2454 * library/ssl_tls.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002455 * library/x509write_crt.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002456 *
Gilles Peskine5e79cb32017-05-04 16:17:21 +02002457 * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
2458 * depending on the handshake parameters, and for SHA1-signed certificates.
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002459 *
2460 * \warning SHA-1 is considered a weak message digest and its use constitutes
2461 * a security risk. If possible, we recommend avoiding dependencies
2462 * on it, and considering stronger message digests instead.
2463 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002464 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002465#define MBEDTLS_SHA1_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002466
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002467/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002468 * \def MBEDTLS_SHA256_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002469 *
2470 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
2471 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002472 * Module: library/sha256.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002473 * Caller: library/entropy.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002474 * library/md.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002475 * library/ssl_cli.c
2476 * library/ssl_srv.c
2477 * library/ssl_tls.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002478 *
2479 * This module adds support for SHA-224 and SHA-256.
Paul Bakker769075d2012-11-24 11:26:46 +01002480 * This module is required for the SSL/TLS 1.2 PRF function.
Paul Bakker5121ce52009-01-03 21:22:43 +00002481 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002482#define MBEDTLS_SHA256_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002483
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002484/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002485 * \def MBEDTLS_SHA512_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002486 *
2487 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
2488 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002489 * Module: library/sha512.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002490 * Caller: library/entropy.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002491 * library/md.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002492 * library/ssl_cli.c
2493 * library/ssl_srv.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002494 *
2495 * This module adds support for SHA-384 and SHA-512.
2496 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002497#define MBEDTLS_SHA512_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002498
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002499/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002500 * \def MBEDTLS_SSL_CACHE_C
Paul Bakker0a597072012-09-25 21:55:46 +00002501 *
2502 * Enable simple SSL cache implementation.
2503 *
2504 * Module: library/ssl_cache.c
2505 * Caller:
2506 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002507 * Requires: MBEDTLS_SSL_CACHE_C
Paul Bakker0a597072012-09-25 21:55:46 +00002508 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002509#define MBEDTLS_SSL_CACHE_C
Paul Bakker0a597072012-09-25 21:55:46 +00002510
2511/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002512 * \def MBEDTLS_SSL_COOKIE_C
Manuel Pégourié-Gonnarda64acd42014-07-23 18:30:45 +02002513 *
2514 * Enable basic implementation of DTLS cookies for hello verification.
2515 *
2516 * Module: library/ssl_cookie.c
2517 * Caller:
Manuel Pégourié-Gonnarda64acd42014-07-23 18:30:45 +02002518 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002519#define MBEDTLS_SSL_COOKIE_C
Manuel Pégourié-Gonnarda64acd42014-07-23 18:30:45 +02002520
2521/**
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +02002522 * \def MBEDTLS_SSL_TICKET_C
2523 *
2524 * Enable an implementation of TLS server-side callbacks for session tickets.
2525 *
2526 * Module: library/ssl_ticket.c
2527 * Caller:
Manuel Pégourié-Gonnard0c0f11f2015-05-20 09:55:50 +02002528 *
Manuel Pégourié-Gonnard4214e3a2015-05-25 19:34:49 +02002529 * Requires: MBEDTLS_CIPHER_C
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +02002530 */
2531#define MBEDTLS_SSL_TICKET_C
2532
2533/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002534 * \def MBEDTLS_SSL_CLI_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002535 *
2536 * Enable the SSL/TLS client code.
2537 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002538 * Module: library/ssl_cli.c
2539 * Caller:
2540 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002541 * Requires: MBEDTLS_SSL_TLS_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002542 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002543 * This module is required for SSL/TLS client support.
2544 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002545#define MBEDTLS_SSL_CLI_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002546
Paul Bakker9a736322012-11-14 12:39:52 +00002547/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002548 * \def MBEDTLS_SSL_SRV_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002549 *
2550 * Enable the SSL/TLS server code.
2551 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002552 * Module: library/ssl_srv.c
2553 * Caller:
2554 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002555 * Requires: MBEDTLS_SSL_TLS_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002556 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002557 * This module is required for SSL/TLS server support.
2558 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002559#define MBEDTLS_SSL_SRV_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002560
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002561/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002562 * \def MBEDTLS_SSL_TLS_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002563 *
Paul Bakkere29ab062011-05-18 13:26:54 +00002564 * Enable the generic SSL/TLS code.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002565 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002566 * Module: library/ssl_tls.c
2567 * Caller: library/ssl_cli.c
2568 * library/ssl_srv.c
2569 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002570 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
2571 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines
Paul Bakker5690efc2011-05-26 13:16:06 +00002572 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002573 * This module is required for SSL/TLS.
2574 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002575#define MBEDTLS_SSL_TLS_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002576
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002577/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002578 * \def MBEDTLS_THREADING_C
Paul Bakker2466d932013-09-28 14:40:38 +02002579 *
2580 * Enable the threading abstraction layer.
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00002581 * By default mbed TLS assumes it is used in a non-threaded environment or that
Paul Bakker2466d932013-09-28 14:40:38 +02002582 * contexts are not shared between threads. If you do intend to use contexts
2583 * between threads, you will need to enable this layer to prevent race
Manuel Pégourié-Gonnard02049dc2016-02-22 16:42:51 +00002584 * conditions. See also our Knowledge Base article about threading:
2585 * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
Paul Bakker2466d932013-09-28 14:40:38 +02002586 *
2587 * Module: library/threading.c
2588 *
2589 * This allows different threading implementations (self-implemented or
2590 * provided).
2591 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002592 * You will have to enable either MBEDTLS_THREADING_ALT or
2593 * MBEDTLS_THREADING_PTHREAD.
Paul Bakker2466d932013-09-28 14:40:38 +02002594 *
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00002595 * Enable this layer to allow use of mutexes within mbed TLS
Paul Bakker2466d932013-09-28 14:40:38 +02002596 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002597//#define MBEDTLS_THREADING_C
Paul Bakker2466d932013-09-28 14:40:38 +02002598
2599/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002600 * \def MBEDTLS_TIMING_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002601 *
Manuel Pégourié-Gonnard325ce092016-02-22 10:33:34 +01002602 * Enable the semi-portable timing interface.
2603 *
Simon Butcherd567a232016-03-09 20:19:21 +00002604 * \note The provided implementation only works on POSIX/Unix (including Linux,
2605 * BSD and OS X) and Windows. On other platforms, you can either disable that
Manuel Pégourié-Gonnard325ce092016-02-22 10:33:34 +01002606 * module and provide your own implementations of the callbacks needed by
2607 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
2608 * your own implementation of the whole module by setting
2609 * \c MBEDTLS_TIMING_ALT in the current file.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002610 *
Manuel Pégourié-Gonnard02049dc2016-02-22 16:42:51 +00002611 * \note See also our Knowledge Base article about porting to a new
2612 * environment:
2613 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
2614 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002615 * Module: library/timing.c
2616 * Caller: library/havege.c
2617 *
2618 * This module is used by the HAVEGE random number generator.
Paul Bakkerecd54fb2013-07-03 14:48:29 +02002619 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002620#define MBEDTLS_TIMING_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002621
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002622/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002623 * \def MBEDTLS_VERSION_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002624 *
2625 * Enable run-time version information.
2626 *
Paul Bakker0a62cd12011-01-21 11:00:08 +00002627 * Module: library/version.c
2628 *
2629 * This module provides run-time version information.
2630 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002631#define MBEDTLS_VERSION_C
Paul Bakker0a62cd12011-01-21 11:00:08 +00002632
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002633/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002634 * \def MBEDTLS_X509_USE_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002635 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002636 * Enable X.509 core for using certificates.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002637 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002638 * Module: library/x509.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002639 * Caller: library/x509_crl.c
2640 * library/x509_crt.c
2641 * library/x509_csr.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002642 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002643 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
2644 * MBEDTLS_PK_PARSE_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002645 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002646 * This module is required for the X.509 parsing modules.
Paul Bakker5121ce52009-01-03 21:22:43 +00002647 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002648#define MBEDTLS_X509_USE_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002649
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002650/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002651 * \def MBEDTLS_X509_CRT_PARSE_C
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002652 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002653 * Enable X.509 certificate parsing.
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002654 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002655 * Module: library/x509_crt.c
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002656 * Caller: library/ssl_cli.c
2657 * library/ssl_srv.c
2658 * library/ssl_tls.c
2659 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002660 * Requires: MBEDTLS_X509_USE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002661 *
2662 * This module is required for X.509 certificate parsing.
2663 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002664#define MBEDTLS_X509_CRT_PARSE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002665
2666/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002667 * \def MBEDTLS_X509_CRL_PARSE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002668 *
2669 * Enable X.509 CRL parsing.
2670 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002671 * Module: library/x509_crl.c
2672 * Caller: library/x509_crt.c
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002673 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002674 * Requires: MBEDTLS_X509_USE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002675 *
2676 * This module is required for X.509 CRL parsing.
2677 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002678#define MBEDTLS_X509_CRL_PARSE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002679
2680/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002681 * \def MBEDTLS_X509_CSR_PARSE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002682 *
2683 * Enable X.509 Certificate Signing Request (CSR) parsing.
2684 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002685 * Module: library/x509_csr.c
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002686 * Caller: library/x509_crt_write.c
2687 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002688 * Requires: MBEDTLS_X509_USE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002689 *
2690 * This module is used for reading X.509 certificate request.
2691 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002692#define MBEDTLS_X509_CSR_PARSE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002693
2694/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002695 * \def MBEDTLS_X509_CREATE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002696 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002697 * Enable X.509 core for creating certificates.
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002698 *
2699 * Module: library/x509_create.c
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002700 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002701 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002702 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002703 * This module is the basis for creating X.509 certificates and CSRs.
2704 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002705#define MBEDTLS_X509_CREATE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002706
2707/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002708 * \def MBEDTLS_X509_CRT_WRITE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002709 *
2710 * Enable creating X.509 certificates.
2711 *
2712 * Module: library/x509_crt_write.c
2713 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002714 * Requires: MBEDTLS_X509_CREATE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002715 *
2716 * This module is required for X.509 certificate creation.
2717 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002718#define MBEDTLS_X509_CRT_WRITE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002719
2720/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002721 * \def MBEDTLS_X509_CSR_WRITE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002722 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002723 * Enable creating X.509 Certificate Signing Requests (CSR).
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002724 *
2725 * Module: library/x509_csr_write.c
2726 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002727 * Requires: MBEDTLS_X509_CREATE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002728 *
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002729 * This module is required for X.509 certificate request writing.
2730 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002731#define MBEDTLS_X509_CSR_WRITE_C
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002732
2733/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002734 * \def MBEDTLS_XTEA_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002735 *
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002736 * Enable the XTEA block cipher.
2737 *
Paul Bakker7a7c78f2009-01-04 18:15:48 +00002738 * Module: library/xtea.c
2739 * Caller:
2740 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002741#define MBEDTLS_XTEA_C
Manuel Pégourié-Gonnard39d2adb2012-10-31 09:26:55 +01002742
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00002743/* \} name SECTION: mbed TLS modules */
Paul Bakker7a7c78f2009-01-04 18:15:48 +00002744
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002745/**
2746 * \name SECTION: Module configuration options
2747 *
2748 * This section allows for the setting of module specific sizes and
2749 * configuration options. The default values are already present in the
2750 * relevant header files and should suffice for the regular use cases.
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002751 *
Paul Bakker088c5c52014-04-25 11:11:10 +02002752 * Our advice is to enable options and change their values here
2753 * only if you have a good reason and know the consequences.
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002754 *
2755 * Please check the respective header file for documentation on these
2756 * parameters (to prevent duplicate documentation).
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002757 * \{
2758 */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002759
Paul Bakker088c5c52014-04-25 11:11:10 +02002760/* MPI / BIGNUM options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002761//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */
2762//#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002763
Paul Bakker088c5c52014-04-25 11:11:10 +02002764/* CTR_DRBG options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002765//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
2766//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
2767//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
2768//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
2769//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002770
Paul Bakker088c5c52014-04-25 11:11:10 +02002771/* HMAC_DRBG options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002772//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
2773//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
2774//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
2775//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002776
Paul Bakker088c5c52014-04-25 11:11:10 +02002777/* ECP options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002778//#define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */
2779//#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */
2780//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */
Manuel Pégourié-Gonnard0520b602014-01-30 19:43:46 +01002781
Paul Bakker088c5c52014-04-25 11:11:10 +02002782/* Entropy options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002783//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
2784//#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
Andres AG7abc9742016-09-23 17:58:49 +01002785//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
Paul Bakkere1b665e2013-12-11 16:02:58 +01002786
Paul Bakker088c5c52014-04-25 11:11:10 +02002787/* Memory buffer allocator options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002788//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002789
Paul Bakker088c5c52014-04-25 11:11:10 +02002790/* Platform options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002791//#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +02002792//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002793//#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */
2794//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */
Andres Amaya Garcia1e4ec662016-07-20 10:16:25 +01002795//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002796//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
2797//#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
Antonin Décimo8fd91562019-01-23 15:24:37 +01002798/* Note: your snprintf must correctly zero-terminate the buffer! */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002799//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
Janos Follath91947442016-03-18 13:49:27 +00002800//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
2801//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
Paul Bakkercf0a9f92016-06-01 11:25:44 +01002802//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
2803//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
2804//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */
Paul Bakker6e339b52013-07-03 13:37:05 +02002805
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002806/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */
2807/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +02002808//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002809//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */
2810//#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */
Andres Amaya Garcia1e4ec662016-07-20 10:16:25 +01002811//#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
2812//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002813//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
2814//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
Antonin Décimo8fd91562019-01-23 15:24:37 +01002815/* Note: your snprintf must correctly zero-terminate the buffer! */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002816//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
Paul Bakkercf0a9f92016-06-01 11:25:44 +01002817//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
2818//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002819
Paul Bakker088c5c52014-04-25 11:11:10 +02002820/* SSL Cache options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002821//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
2822//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002823
Paul Bakker088c5c52014-04-25 11:11:10 +02002824/* SSL options */
Manuel Pégourié-Gonnardbb838442015-08-31 12:46:01 +02002825//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002826//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
2827//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
2828//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002829
Manuel Pégourié-Gonnarddfc7df02014-06-30 17:59:55 +02002830/**
2831 * Complete list of ciphersuites to use, in order of preference.
2832 *
2833 * \warning No dependency checking is done on that field! This option can only
2834 * be used to restrict the set of available ciphersuites. It is your
2835 * responsibility to make sure the needed modules are active.
2836 *
2837 * Use this to save a few hundred bytes of ROM (default ordering of all
2838 * available ciphersuites) and a few to a few hundred bytes of RAM.
2839 *
2840 * The value below is only an example, not the default.
2841 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002842//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Manuel Pégourié-Gonnarddfc7df02014-06-30 17:59:55 +02002843
Manuel Pégourié-Gonnardfd6c85c2014-11-20 16:34:20 +01002844/* X509 options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002845//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
Andres AGf9113192016-09-02 14:06:04 +01002846//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
Manuel Pégourié-Gonnardfd6c85c2014-11-20 16:34:20 +01002847
Gilles Peskine5e79cb32017-05-04 16:17:21 +02002848/**
Gilles Peskine5d2511c2017-05-12 13:16:40 +02002849 * Allow SHA-1 in the default TLS configuration for certificate signing.
2850 * Without this build-time option, SHA-1 support must be activated explicitly
2851 * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002852 * recommended because of it is possible to generate SHA-1 collisions, however
Gilles Peskine5d2511c2017-05-12 13:16:40 +02002853 * this may be safe for legacy infrastructure where additional controls apply.
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002854 *
2855 * \warning SHA-1 is considered a weak message digest and its use constitutes
2856 * a security risk. If possible, we recommend avoiding dependencies
2857 * on it, and considering stronger message digests instead.
2858 *
Gilles Peskine5e79cb32017-05-04 16:17:21 +02002859 */
Gilles Peskine5d2511c2017-05-12 13:16:40 +02002860// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
2861
2862/**
2863 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
2864 * signature and ciphersuite selection. Without this build-time option, SHA-1
2865 * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
2866 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
2867 * default. At the time of writing, there is no practical attack on the use
2868 * of SHA-1 in handshake signatures, hence this option is turned on by default
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002869 * to preserve compatibility with existing peers, but the general
2870 * warning applies nonetheless:
2871 *
2872 * \warning SHA-1 is considered a weak message digest and its use constitutes
2873 * a security risk. If possible, we recommend avoiding dependencies
2874 * on it, and considering stronger message digests instead.
2875 *
Gilles Peskine5d2511c2017-05-12 13:16:40 +02002876 */
2877#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
Gilles Peskine5e79cb32017-05-04 16:17:21 +02002878
Simon Butcher30b5f972016-06-08 19:00:23 +01002879/* \} name SECTION: Customisation configuration options */
Manuel Pégourié-Gonnard43569a92015-07-31 15:37:29 +02002880
Simon Butcherb2c81b12016-06-23 13:56:06 +01002881/* Target and application specific configurations */
Ron Eldordf9b93e2017-05-14 16:17:33 +03002882//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h"
Simon Butcher1d46a2d2016-07-11 10:17:03 +01002883
2884#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
2885#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
2886#endif
Simon Butcherb2c81b12016-06-23 13:56:06 +01002887
Manuel Pégourié-Gonnard32da9f62015-07-31 15:52:30 +02002888/*
2889 * Allow user to override any previous default.
2890 *
2891 * Use two macro names for that, as:
2892 * - with yotta the prefix YOTTA_CFG_ is forced
2893 * - without yotta is looks weird to have a YOTTA prefix.
2894 */
2895#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
2896#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
2897#elif defined(MBEDTLS_USER_CONFIG_FILE)
2898#include MBEDTLS_USER_CONFIG_FILE
2899#endif
2900
Manuel Pégourié-Gonnard14d55952014-04-30 12:35:08 +02002901#include "check_config.h"
Manuel Pégourié-Gonnard92ac76f2013-12-16 17:12:53 +01002902
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002903#endif /* MBEDTLS_CONFIG_H */