Merge pull request #9818 from yanesca/remove_USE_PSA_from_standalone_doc_9632
Remove discussions of MBEDTLS_USE_PSA_CRYPTO in standalone documentation
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 19fa7e9..9f23c3b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -351,7 +351,7 @@
endif()
if (NOT EXISTS "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt")
- if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/.git/")
+ if (EXISTS "${MBEDTLS_DIR}/.git")
message(FATAL_ERROR "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt not found (and does appear to be a git checkout). Run `git submodule update --init` from the source tree to fetch the submodule contents.")
else ()
message(FATAL_ERROR "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt not found (and does not appear to be a git checkout). Please ensure you have downloaded the right archive from the release page on GitHub.")
diff --git a/Makefile b/Makefile
index 20580bf..c9f5750 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,7 @@
ifeq (,$(wildcard framework/exported.make))
# Use the define keyword to get a multi-line message.
# GNU make appends ". Stop.", so tweak the ending of our message accordingly.
- ifeq (,$(wildcard .git))
+ ifneq (,$(wildcard .git))
define error_message
${MBEDTLS_PATH}/framework/exported.make not found (and does appear to be a git checkout). Run `git submodule update --init` from the source tree to fetch the submodule contents.
This is a fatal error
diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md
index 409141a..1baab35 100644
--- a/docs/proposed/config-split.md
+++ b/docs/proposed/config-split.md
@@ -397,7 +397,6 @@
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
#define MBEDTLS_SSL_ALPN
//#define MBEDTLS_SSL_ASYNC_PRIVATE
diff --git a/framework b/framework
index ff4c336..2db6804 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit ff4c33600afc0def98d190f7d10210370f47bd9f
+Subproject commit 2db68049e1ba586407a1db6a37e94a1f9836142f
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index e5c6ee6..64bf7ee 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -22,14 +22,32 @@
//#define MBEDTLS_CONFIG_VERSION 0x03000000
/**
- * \name SECTION: Mbed TLS feature support
+ * \name SECTION: Platform abstraction layer
*
- * This section sets support for features that are or are not needed
- * within the modules that are enabled.
+ * This section sets platform specific settings.
* \{
*/
/**
+ * \def MBEDTLS_NET_C
+ *
+ * Enable the TCP and UDP over IPv6/IPv4 networking routines.
+ *
+ * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
+ * and Windows. For other platforms, you'll want to disable it, and write your
+ * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module: library/net_sockets.c
+ *
+ * This module provides networking routines.
+ */
+#define MBEDTLS_NET_C
+
+/**
* \def MBEDTLS_TIMING_ALT
*
* Uncomment to provide your own alternate implementation for
@@ -43,24 +61,150 @@
//#define MBEDTLS_TIMING_ALT
/**
- * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+ * \def MBEDTLS_TIMING_C
*
- * Enable the PSK based ciphersuite modes in SSL / TLS.
+ * Enable the semi-portable timing interface.
*
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ * \note The provided implementation only works on POSIX/Unix (including Linux,
+ * BSD and OS X) and Windows. On other platforms, you can either disable that
+ * module and provide your own implementations of the callbacks needed by
+ * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
+ * your own implementation of the whole module by setting
+ * \c MBEDTLS_TIMING_ALT in the current file.
+ *
+ * \note The timing module will include time.h on suitable platforms
+ * regardless of the setting of MBEDTLS_HAVE_TIME, unless
+ * MBEDTLS_TIMING_ALT is used. See timing.c for more information.
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module: library/timing.c
*/
-#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#define MBEDTLS_TIMING_C
+
+/** \} name SECTION: Platform abstraction layer */
+
+/**
+ * \name SECTION: General configuration options
+ *
+ * This section contains Mbed TLS build settings that are not associated
+ * with a particular module.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_ERROR_C
+ *
+ * Enable error code to error string conversion.
+ *
+ * Module: library/error.c
+ * Caller:
+ *
+ * This module enables mbedtls_strerror().
+ */
+#define MBEDTLS_ERROR_C
+
+/**
+ * \def MBEDTLS_ERROR_STRERROR_DUMMY
+ *
+ * Enable a dummy error function to make use of mbedtls_strerror() in
+ * third party libraries easier when MBEDTLS_ERROR_C is disabled
+ * (no effect when MBEDTLS_ERROR_C is enabled).
+ *
+ * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
+ * not using mbedtls_strerror() or error_strerror() in your application.
+ *
+ * Disable if you run into name conflicts and want to really remove the
+ * mbedtls_strerror()
+ */
+#define MBEDTLS_ERROR_STRERROR_DUMMY
+
+/**
+ * \def MBEDTLS_VERSION_C
+ *
+ * Enable run-time version information.
+ *
+ * Module: library/version.c
+ *
+ * This module provides run-time version information.
+ */
+#define MBEDTLS_VERSION_C
+
+/**
+ * \def MBEDTLS_VERSION_FEATURES
+ *
+ * Allow run-time checking of compile-time enabled features. Thus allowing users
+ * to check at run-time if the library is for instance compiled with threading
+ * support via mbedtls_version_check_feature().
+ *
+ * Requires: MBEDTLS_VERSION_C
+ *
+ * Comment this to disable run-time checking and save ROM space
+ */
+#define MBEDTLS_VERSION_FEATURES
+
+/**
+ * \def MBEDTLS_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included instead of
+ * `"mbedtls/mbedtls_config.h"`.
+ * This header file specifies the compile-time configuration of Mbed TLS.
+ * Unlike other configuration options, this one must be defined on the
+ * compiler command line: a definition in `mbedtls_config.h` would have
+ * no effect.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
+
+/**
+ * \def MBEDTLS_USER_CONFIG_FILE
+ *
+ * If defined, this is a header which will be included after
+ * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
+ * This allows you to modify the default configuration, including the ability
+ * to undefine options that are enabled by default.
+ *
+ * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
+ * non-standard feature of the C language, so this feature is only available
+ * with compilers that perform macro expansion on an <tt>\#include</tt> line.
+ *
+ * The value of this symbol is typically a path in double quotes, either
+ * absolute or relative to a directory on the include search path.
+ */
+//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
+
+/** \} name SECTION: General configuration options */
+
+/**
+ * \name SECTION: TLS feature selection
+ *
+ * This section sets support for features that are or are not needed
+ * within the modules that are enabled.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_DEBUG_C
+ *
+ * Enable the debug functions.
+ *
+ * Module: library/debug.c
+ * Caller: library/ssl_msg.c
+ * library/ssl_tls.c
+ * library/ssl_tls12_*.c
+ * library/ssl_tls13_*.c
+ *
+ * This module provides debugging functions.
+ */
+#define MBEDTLS_DEBUG_C
/**
* \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
@@ -91,48 +235,6 @@
*/
#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
-/**
- * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
- *
- * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
- */
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-
-/**
- * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
- *
- * Enable the RSA-only based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
- * MBEDTLS_X509_CRT_PARSE_C
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- */
-#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
@@ -167,6 +269,48 @@
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ *
+ * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
+ * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA
+ * MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+ *
+ * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+
+/**
* \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
*
* Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
@@ -192,30 +336,6 @@
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
/**
- * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
- *
- * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
- * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA
- * MBEDTLS_X509_CRT_PARSE_C
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
- */
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-
-/**
* \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
*
* Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
@@ -283,19 +403,49 @@
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
/**
- * \def MBEDTLS_ERROR_STRERROR_DUMMY
+ * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
*
- * Enable a dummy error function to make use of mbedtls_strerror() in
- * third party libraries easier when MBEDTLS_ERROR_C is disabled
- * (no effect when MBEDTLS_ERROR_C is enabled).
+ * Enable the PSK based ciphersuite modes in SSL / TLS.
*
- * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
- * not using mbedtls_strerror() or error_strerror() in your application.
- *
- * Disable if you run into name conflicts and want to really remove the
- * mbedtls_strerror()
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
*/
-#define MBEDTLS_ERROR_STRERROR_DUMMY
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+ *
+ * Enable the RSA-only based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ * MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
/**
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
@@ -312,51 +462,13 @@
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
/**
- * \def MBEDTLS_SSL_DTLS_CONNECTION_ID
+ * \def MBEDTLS_SSL_ALPN
*
- * Enable support for the DTLS Connection ID (CID) extension,
- * which allows to identify DTLS connections across changes
- * in the underlying transport. The CID functionality is described
- * in RFC 9146.
+ * Enable support for RFC 7301 Application Layer Protocol Negotiation.
*
- * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
- * mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and
- * `mbedtls_ssl_conf_cid()`. See the corresponding documentation for
- * more information.
- *
- * The maximum lengths of outgoing and incoming CIDs can be configured
- * through the options
- * - MBEDTLS_SSL_CID_OUT_LEN_MAX
- * - MBEDTLS_SSL_CID_IN_LEN_MAX.
- *
- * Requires: MBEDTLS_SSL_PROTO_DTLS
- *
- * Uncomment to enable the Connection ID extension.
+ * Comment this macro to disable support for ALPN.
*/
-#define MBEDTLS_SSL_DTLS_CONNECTION_ID
-
-
-/**
- * \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
- *
- * Defines whether RFC 9146 (default) or the legacy version
- * (version draft-ietf-tls-dtls-connection-id-05,
- * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
- * is used.
- *
- * Set the value to 0 for the standard version, and
- * 1 for the legacy draft version.
- *
- * \deprecated Support for the legacy version of the DTLS
- * Connection ID feature is deprecated. Please
- * switch to the standardized version defined
- * in RFC 9146 enabled by utilizing
- * MBEDTLS_SSL_DTLS_CONNECTION_ID without use
- * of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT.
- *
- * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID
- */
-#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
+#define MBEDTLS_SSL_ALPN
/**
* \def MBEDTLS_SSL_ASYNC_PRIVATE
@@ -371,6 +483,34 @@
//#define MBEDTLS_SSL_ASYNC_PRIVATE
/**
+ * \def MBEDTLS_SSL_CACHE_C
+ *
+ * Enable simple SSL cache implementation.
+ *
+ * Module: library/ssl_cache.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_CACHE_C
+ */
+#define MBEDTLS_SSL_CACHE_C
+
+/**
+ * \def MBEDTLS_SSL_CLI_C
+ *
+ * Enable the SSL/TLS client code.
+ *
+ * Module: library/ssl*_client.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ *
+ * \warning You must call psa_crypto_init() before doing any TLS operations.
+ *
+ * This module is required for SSL/TLS client support.
+ */
+#define MBEDTLS_SSL_CLI_C
+
+/**
* \def MBEDTLS_SSL_CONTEXT_SERIALIZATION
*
* Enable serialization of the TLS context structures, through use of the
@@ -400,6 +540,16 @@
#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
/**
+ * \def MBEDTLS_SSL_COOKIE_C
+ *
+ * Enable basic implementation of DTLS cookies for hello verification.
+ *
+ * Module: library/ssl_cookie.c
+ * Caller:
+ */
+#define MBEDTLS_SSL_COOKIE_C
+
+/**
* \def MBEDTLS_SSL_DEBUG_ALL
*
* Enable the debug messages in SSL module for all issues.
@@ -415,6 +565,150 @@
*/
//#define MBEDTLS_SSL_DEBUG_ALL
+/**
+ * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
+ *
+ * Enable support for the anti-replay mechanism in DTLS.
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ * MBEDTLS_SSL_PROTO_DTLS
+ *
+ * \warning Disabling this is often a security risk!
+ * See mbedtls_ssl_conf_dtls_anti_replay() for details.
+ *
+ * Comment this to disable anti-replay in DTLS.
+ */
+#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
+
+/**
+ * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+ *
+ * Enable server-side support for clients that reconnect from the same port.
+ *
+ * Some clients unexpectedly close the connection and try to reconnect using the
+ * same source port. This needs special support from the server to handle the
+ * new connection securely, as described in section 4.2.8 of RFC 6347. This
+ * flag enables that support.
+ *
+ * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
+ *
+ * Comment this to disable support for clients reusing the source port.
+ */
+#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+
+/**
+ * \def MBEDTLS_SSL_DTLS_CONNECTION_ID
+ *
+ * Enable support for the DTLS Connection ID (CID) extension,
+ * which allows to identify DTLS connections across changes
+ * in the underlying transport. The CID functionality is described
+ * in RFC 9146.
+ *
+ * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
+ * mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and
+ * `mbedtls_ssl_conf_cid()`. See the corresponding documentation for
+ * more information.
+ *
+ * The maximum lengths of outgoing and incoming CIDs can be configured
+ * through the options
+ * - MBEDTLS_SSL_CID_OUT_LEN_MAX
+ * - MBEDTLS_SSL_CID_IN_LEN_MAX.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Uncomment to enable the Connection ID extension.
+ */
+#define MBEDTLS_SSL_DTLS_CONNECTION_ID
+
+/**
+ * \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
+ *
+ * Defines whether RFC 9146 (default) or the legacy version
+ * (version draft-ietf-tls-dtls-connection-id-05,
+ * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
+ * is used.
+ *
+ * Set the value to 0 for the standard version, and
+ * 1 for the legacy draft version.
+ *
+ * \deprecated Support for the legacy version of the DTLS
+ * Connection ID feature is deprecated. Please
+ * switch to the standardized version defined
+ * in RFC 9146 enabled by utilizing
+ * MBEDTLS_SSL_DTLS_CONNECTION_ID without use
+ * of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT.
+ *
+ * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID
+ */
+#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
+
+/**
+ * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
+ *
+ * Enable support for HelloVerifyRequest on DTLS servers.
+ *
+ * This feature is highly recommended to prevent DTLS servers being used as
+ * amplifiers in DoS attacks against other hosts. It should always be enabled
+ * unless you know for sure amplification cannot be a problem in the
+ * environment in which your server operates.
+ *
+ * \warning Disabling this can be a security risk! (see above)
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Comment this to disable support for HelloVerifyRequest.
+ */
+#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
+
+/**
+ * \def MBEDTLS_SSL_DTLS_SRTP
+ *
+ * Enable support for negotiation of DTLS-SRTP (RFC 5764)
+ * through the use_srtp extension.
+ *
+ * \note This feature provides the minimum functionality required
+ * to negotiate the use of DTLS-SRTP and to allow the derivation of
+ * the associated SRTP packet protection key material.
+ * In particular, the SRTP packet protection itself, as well as the
+ * demultiplexing of RTP and DTLS packets at the datagram layer
+ * (see Section 5 of RFC 5764), are not handled by this feature.
+ * Instead, after successful completion of a handshake negotiating
+ * the use of DTLS-SRTP, the extended key exporter API
+ * mbedtls_ssl_conf_export_keys_cb() should be used to implement
+ * the key exporter described in Section 4.2 of RFC 5764 and RFC 5705
+ * (this is implemented in the SSL example programs).
+ * The resulting key should then be passed to an SRTP stack.
+ *
+ * Setting this option enables the runtime API
+ * mbedtls_ssl_conf_dtls_srtp_protection_profiles()
+ * through which the supported DTLS-SRTP protection
+ * profiles can be configured. You must call this API at
+ * runtime if you wish to negotiate the use of DTLS-SRTP.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Uncomment this to enable support for use_srtp extension.
+ */
+//#define MBEDTLS_SSL_DTLS_SRTP
+
+/**
+ * \def MBEDTLS_SSL_EARLY_DATA
+ *
+ * Enable support for RFC 8446 TLS 1.3 early data.
+ *
+ * Requires: MBEDTLS_SSL_SESSION_TICKETS and either
+ * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
+ * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+ *
+ * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
+ * is not enabled, this option does not have any effect on the build.
+ *
+ * \note The maximum amount of early data can be set with
+ * MBEDTLS_SSL_MAX_EARLY_DATA_SIZE.
+ *
+ */
+//#define MBEDTLS_SSL_EARLY_DATA
+
/** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
*
* Enable support for Encrypt-then-MAC, RFC 7366.
@@ -472,30 +766,6 @@
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
/**
- * \def MBEDTLS_SSL_RENEGOTIATION
- *
- * Enable support for TLS renegotiation.
- *
- * The two main uses of renegotiation are (1) refresh keys on long-lived
- * connections and (2) client authentication after the initial handshake.
- * If you don't need renegotiation, it's probably better to disable it, since
- * it has been associated with security issues in the past and is easy to
- * misuse/misunderstand.
- *
- * Requires: MBEDTLS_SSL_PROTO_TLS1_2
- *
- * Comment this to disable support for renegotiation.
- *
- * \note Even if this option is disabled, both client and server are aware
- * of the Renegotiation Indication Extension (RFC 5746) used to
- * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
- * (See \c mbedtls_ssl_conf_legacy_renegotiation for the
- * configuration of this extension).
- *
- */
-#define MBEDTLS_SSL_RENEGOTIATION
-
-/**
* \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
*
* Enable support for RFC 6066 max_fragment_length extension in SSL.
@@ -505,15 +775,17 @@
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
/**
- * \def MBEDTLS_SSL_RECORD_SIZE_LIMIT
+ * \def MBEDTLS_SSL_PROTO_DTLS
*
- * Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only).
+ * Enable support for DTLS (all available versions).
*
- * Requires: MBEDTLS_SSL_PROTO_TLS1_3
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
*
- * Uncomment this macro to enable support for the record_size_limit extension
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for DTLS
*/
-//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
+#define MBEDTLS_SSL_PROTO_DTLS
/**
* \def MBEDTLS_SSL_PROTO_TLS1_2
@@ -542,6 +814,95 @@
#define MBEDTLS_SSL_PROTO_TLS1_3
/**
+ * \def MBEDTLS_SSL_RECORD_SIZE_LIMIT
+ *
+ * Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only).
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_3
+ *
+ * Uncomment this macro to enable support for the record_size_limit extension
+ */
+//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
+
+/**
+ * \def MBEDTLS_SSL_RENEGOTIATION
+ *
+ * Enable support for TLS renegotiation.
+ *
+ * The two main uses of renegotiation are (1) refresh keys on long-lived
+ * connections and (2) client authentication after the initial handshake.
+ * If you don't need renegotiation, it's probably better to disable it, since
+ * it has been associated with security issues in the past and is easy to
+ * misuse/misunderstand.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this to disable support for renegotiation.
+ *
+ * \note Even if this option is disabled, both client and server are aware
+ * of the Renegotiation Indication Extension (RFC 5746) used to
+ * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
+ * (See \c mbedtls_ssl_conf_legacy_renegotiation for the
+ * configuration of this extension).
+ *
+ */
+#define MBEDTLS_SSL_RENEGOTIATION
+
+/**
+ * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
+ *
+ * Enable support for RFC 6066 server name indication (SNI) in SSL.
+ *
+ * Requires: MBEDTLS_X509_CRT_PARSE_C
+ *
+ * Comment this macro to disable support for server name indication in SSL
+ */
+#define MBEDTLS_SSL_SERVER_NAME_INDICATION
+
+/**
+ * \def MBEDTLS_SSL_SESSION_TICKETS
+ *
+ * Enable support for RFC 5077 session tickets in SSL.
+ * Client-side, provides full support for session tickets (maintenance of a
+ * session store remains the responsibility of the application, though).
+ * Server-side, you also need to provide callbacks for writing and parsing
+ * tickets, including authenticated encryption and key management. Example
+ * callbacks are provided by MBEDTLS_SSL_TICKET_C.
+ *
+ * Comment this macro to disable support for SSL session tickets
+ */
+#define MBEDTLS_SSL_SESSION_TICKETS
+
+/**
+ * \def MBEDTLS_SSL_SRV_C
+ *
+ * Enable the SSL/TLS server code.
+ *
+ * Module: library/ssl*_server.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ *
+ * \warning You must call psa_crypto_init() before doing any TLS operations.
+ *
+ * This module is required for SSL/TLS server support.
+ */
+#define MBEDTLS_SSL_SRV_C
+
+/**
+ * \def MBEDTLS_SSL_TICKET_C
+ *
+ * Enable an implementation of TLS server-side callbacks for session tickets.
+ *
+ * Module: library/ssl_ticket.c
+ * Caller:
+ *
+ * Requires: (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) &&
+ * (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)
+ */
+#define MBEDTLS_SSL_TICKET_C
+
+/**
* \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
*
* Enable TLS 1.3 middlebox compatibility mode.
@@ -564,18 +925,6 @@
#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
/**
- * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
- *
- * Enable TLS 1.3 PSK key exchange mode.
- *
- * Comment to disable support for the PSK key exchange mode in TLS 1.3. If
- * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
- * effect on the build.
- *
- */
-#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-
-/**
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
*
* Enable TLS 1.3 ephemeral key exchange mode.
@@ -594,6 +943,18 @@
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
/**
+ * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+ *
+ * Enable TLS 1.3 PSK key exchange mode.
+ *
+ * Comment to disable support for the PSK key exchange mode in TLS 1.3. If
+ * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
+ * effect on the build.
+ *
+ */
+#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+
+/**
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
*
* Enable TLS 1.3 PSK ephemeral key exchange mode.
@@ -608,355 +969,6 @@
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
/**
- * \def MBEDTLS_SSL_EARLY_DATA
- *
- * Enable support for RFC 8446 TLS 1.3 early data.
- *
- * Requires: MBEDTLS_SSL_SESSION_TICKETS and either
- * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
- * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
- *
- * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
- * is not enabled, this option does not have any effect on the build.
- *
- * \note The maximum amount of early data can be set with
- * MBEDTLS_SSL_MAX_EARLY_DATA_SIZE.
- *
- */
-//#define MBEDTLS_SSL_EARLY_DATA
-
-/**
- * \def MBEDTLS_SSL_PROTO_DTLS
- *
- * Enable support for DTLS (all available versions).
- *
- * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
- *
- * Requires: MBEDTLS_SSL_PROTO_TLS1_2
- *
- * Comment this macro to disable support for DTLS
- */
-#define MBEDTLS_SSL_PROTO_DTLS
-
-/**
- * \def MBEDTLS_SSL_ALPN
- *
- * Enable support for RFC 7301 Application Layer Protocol Negotiation.
- *
- * Comment this macro to disable support for ALPN.
- */
-#define MBEDTLS_SSL_ALPN
-
-/**
- * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
- *
- * Enable support for the anti-replay mechanism in DTLS.
- *
- * Requires: MBEDTLS_SSL_TLS_C
- * MBEDTLS_SSL_PROTO_DTLS
- *
- * \warning Disabling this is often a security risk!
- * See mbedtls_ssl_conf_dtls_anti_replay() for details.
- *
- * Comment this to disable anti-replay in DTLS.
- */
-#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
-
-/**
- * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
- *
- * Enable support for HelloVerifyRequest on DTLS servers.
- *
- * This feature is highly recommended to prevent DTLS servers being used as
- * amplifiers in DoS attacks against other hosts. It should always be enabled
- * unless you know for sure amplification cannot be a problem in the
- * environment in which your server operates.
- *
- * \warning Disabling this can be a security risk! (see above)
- *
- * Requires: MBEDTLS_SSL_PROTO_DTLS
- *
- * Comment this to disable support for HelloVerifyRequest.
- */
-#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
-
-/**
- * \def MBEDTLS_SSL_DTLS_SRTP
- *
- * Enable support for negotiation of DTLS-SRTP (RFC 5764)
- * through the use_srtp extension.
- *
- * \note This feature provides the minimum functionality required
- * to negotiate the use of DTLS-SRTP and to allow the derivation of
- * the associated SRTP packet protection key material.
- * In particular, the SRTP packet protection itself, as well as the
- * demultiplexing of RTP and DTLS packets at the datagram layer
- * (see Section 5 of RFC 5764), are not handled by this feature.
- * Instead, after successful completion of a handshake negotiating
- * the use of DTLS-SRTP, the extended key exporter API
- * mbedtls_ssl_conf_export_keys_cb() should be used to implement
- * the key exporter described in Section 4.2 of RFC 5764 and RFC 5705
- * (this is implemented in the SSL example programs).
- * The resulting key should then be passed to an SRTP stack.
- *
- * Setting this option enables the runtime API
- * mbedtls_ssl_conf_dtls_srtp_protection_profiles()
- * through which the supported DTLS-SRTP protection
- * profiles can be configured. You must call this API at
- * runtime if you wish to negotiate the use of DTLS-SRTP.
- *
- * Requires: MBEDTLS_SSL_PROTO_DTLS
- *
- * Uncomment this to enable support for use_srtp extension.
- */
-//#define MBEDTLS_SSL_DTLS_SRTP
-
-/**
- * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
- *
- * Enable server-side support for clients that reconnect from the same port.
- *
- * Some clients unexpectedly close the connection and try to reconnect using the
- * same source port. This needs special support from the server to handle the
- * new connection securely, as described in section 4.2.8 of RFC 6347. This
- * flag enables that support.
- *
- * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
- *
- * Comment this to disable support for clients reusing the source port.
- */
-#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
-
-/**
- * \def MBEDTLS_SSL_SESSION_TICKETS
- *
- * Enable support for RFC 5077 session tickets in SSL.
- * Client-side, provides full support for session tickets (maintenance of a
- * session store remains the responsibility of the application, though).
- * Server-side, you also need to provide callbacks for writing and parsing
- * tickets, including authenticated encryption and key management. Example
- * callbacks are provided by MBEDTLS_SSL_TICKET_C.
- *
- * Comment this macro to disable support for SSL session tickets
- */
-#define MBEDTLS_SSL_SESSION_TICKETS
-
-/**
- * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
- *
- * Enable support for RFC 6066 server name indication (SNI) in SSL.
- *
- * Requires: MBEDTLS_X509_CRT_PARSE_C
- *
- * Comment this macro to disable support for server name indication in SSL
- */
-#define MBEDTLS_SSL_SERVER_NAME_INDICATION
-
-/**
- * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
- *
- * When this option is enabled, the SSL buffer will be resized automatically
- * based on the negotiated maximum fragment length in each direction.
- *
- * Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
- */
-//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
-
-/**
- * \def MBEDTLS_VERSION_FEATURES
- *
- * Allow run-time checking of compile-time enabled features. Thus allowing users
- * to check at run-time if the library is for instance compiled with threading
- * support via mbedtls_version_check_feature().
- *
- * Requires: MBEDTLS_VERSION_C
- *
- * Comment this to disable run-time checking and save ROM space
- */
-#define MBEDTLS_VERSION_FEATURES
-
-/**
- * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
- *
- * If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()`
- * and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure
- * the set of trusted certificates through a callback instead of a linked
- * list.
- *
- * This is useful for example in environments where a large number of trusted
- * certificates is present and storing them in a linked list isn't efficient
- * enough, or when the set of trusted certificates changes frequently.
- *
- * See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and
- * `mbedtls_ssl_conf_ca_cb()` for more information.
- *
- * Requires: MBEDTLS_X509_CRT_PARSE_C
- *
- * Uncomment to enable trusted certificate callbacks.
- */
-//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
-
-/**
- * \def MBEDTLS_X509_REMOVE_INFO
- *
- * Disable mbedtls_x509_*_info() and related APIs.
- *
- * Uncomment to omit mbedtls_x509_*_info(), as well as mbedtls_debug_print_crt()
- * and other functions/constants only used by these functions, thus reducing
- * the code footprint by several KB.
- */
-//#define MBEDTLS_X509_REMOVE_INFO
-
-/**
- * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
- *
- * Enable parsing and verification of X.509 certificates, CRLs and CSRS
- * signed with RSASSA-PSS (aka PKCS#1 v2.1).
- *
- * Requires: MBEDTLS_PKCS1_V21
- *
- * Comment this macro to disallow using RSASSA-PSS in certificates.
- */
-#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
-/** \} name SECTION: Mbed TLS feature support */
-
-/**
- * \name SECTION: Mbed TLS modules
- *
- * This section enables or disables entire modules in Mbed TLS
- * \{
- */
-
-/**
- * \def MBEDTLS_DEBUG_C
- *
- * Enable the debug functions.
- *
- * Module: library/debug.c
- * Caller: library/ssl_msg.c
- * library/ssl_tls.c
- * library/ssl_tls12_*.c
- * library/ssl_tls13_*.c
- *
- * This module provides debugging functions.
- */
-#define MBEDTLS_DEBUG_C
-
-/**
- * \def MBEDTLS_ERROR_C
- *
- * Enable error code to error string conversion.
- *
- * Module: library/error.c
- * Caller:
- *
- * This module enables mbedtls_strerror().
- */
-#define MBEDTLS_ERROR_C
-
-/**
- * \def MBEDTLS_NET_C
- *
- * Enable the TCP and UDP over IPv6/IPv4 networking routines.
- *
- * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
- * and Windows. For other platforms, you'll want to disable it, and write your
- * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
- *
- * \note See also our Knowledge Base article about porting to a new
- * environment:
- * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
- *
- * Module: library/net_sockets.c
- *
- * This module provides networking routines.
- */
-#define MBEDTLS_NET_C
-
-/**
- * \def MBEDTLS_PKCS7_C
- *
- * Enable PKCS #7 core for using PKCS #7-formatted signatures.
- * RFC Link - https://tools.ietf.org/html/rfc2315
- *
- * Module: library/pkcs7.c
- *
- * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
- * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C,
- * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C
- *
- * This module is required for the PKCS #7 parsing modules.
- */
-#define MBEDTLS_PKCS7_C
-
-/**
- * \def MBEDTLS_SSL_CACHE_C
- *
- * Enable simple SSL cache implementation.
- *
- * Module: library/ssl_cache.c
- * Caller:
- *
- * Requires: MBEDTLS_SSL_CACHE_C
- */
-#define MBEDTLS_SSL_CACHE_C
-
-/**
- * \def MBEDTLS_SSL_COOKIE_C
- *
- * Enable basic implementation of DTLS cookies for hello verification.
- *
- * Module: library/ssl_cookie.c
- * Caller:
- */
-#define MBEDTLS_SSL_COOKIE_C
-
-/**
- * \def MBEDTLS_SSL_TICKET_C
- *
- * Enable an implementation of TLS server-side callbacks for session tickets.
- *
- * Module: library/ssl_ticket.c
- * Caller:
- *
- * Requires: (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) &&
- * (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)
- */
-#define MBEDTLS_SSL_TICKET_C
-
-/**
- * \def MBEDTLS_SSL_CLI_C
- *
- * Enable the SSL/TLS client code.
- *
- * Module: library/ssl*_client.c
- * Caller:
- *
- * Requires: MBEDTLS_SSL_TLS_C
- *
- * \warning You must call psa_crypto_init() before doing any TLS operations.
- *
- * This module is required for SSL/TLS client support.
- */
-#define MBEDTLS_SSL_CLI_C
-
-/**
- * \def MBEDTLS_SSL_SRV_C
- *
- * Enable the SSL/TLS server code.
- *
- * Module: library/ssl*_server.c
- * Caller:
- *
- * Requires: MBEDTLS_SSL_TLS_C
- *
- * \warning You must call psa_crypto_init() before doing any TLS operations.
- *
- * This module is required for SSL/TLS server support.
- */
-#define MBEDTLS_SSL_SRV_C
-
-/**
* \def MBEDTLS_SSL_TLS_C
*
* Enable the generic SSL/TLS code.
@@ -973,237 +985,18 @@
#define MBEDTLS_SSL_TLS_C
/**
- * \def MBEDTLS_TIMING_C
+ * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
*
- * Enable the semi-portable timing interface.
+ * When this option is enabled, the SSL buffer will be resized automatically
+ * based on the negotiated maximum fragment length in each direction.
*
- * \note The provided implementation only works on POSIX/Unix (including Linux,
- * BSD and OS X) and Windows. On other platforms, you can either disable that
- * module and provide your own implementations of the callbacks needed by
- * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
- * your own implementation of the whole module by setting
- * \c MBEDTLS_TIMING_ALT in the current file.
- *
- * \note The timing module will include time.h on suitable platforms
- * regardless of the setting of MBEDTLS_HAVE_TIME, unless
- * MBEDTLS_TIMING_ALT is used. See timing.c for more information.
- *
- * \note See also our Knowledge Base article about porting to a new
- * environment:
- * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
- *
- * Module: library/timing.c
+ * Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
*/
-#define MBEDTLS_TIMING_C
+//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
-/**
- * \def MBEDTLS_VERSION_C
- *
- * Enable run-time version information.
- *
- * Module: library/version.c
- *
- * This module provides run-time version information.
- */
-#define MBEDTLS_VERSION_C
-
-/**
- * \def MBEDTLS_X509_USE_C
- *
- * Enable X.509 core for using certificates.
- *
- * Module: library/x509.c
- * Caller: library/x509_crl.c
- * library/x509_crt.c
- * library/x509_csr.c
- *
- * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C
- *
- * \warning You must call psa_crypto_init() before doing any X.509 operation.
- *
- * This module is required for the X.509 parsing modules.
- */
-#define MBEDTLS_X509_USE_C
-
-/**
- * \def MBEDTLS_X509_CRT_PARSE_C
- *
- * Enable X.509 certificate parsing.
- *
- * Module: library/x509_crt.c
- * Caller: library/ssl_tls.c
- * library/ssl*_client.c
- * library/ssl*_server.c
- *
- * Requires: MBEDTLS_X509_USE_C
- *
- * This module is required for X.509 certificate parsing.
- */
-#define MBEDTLS_X509_CRT_PARSE_C
-
-/**
- * \def MBEDTLS_X509_CRL_PARSE_C
- *
- * Enable X.509 CRL parsing.
- *
- * Module: library/x509_crl.c
- * Caller: library/x509_crt.c
- *
- * Requires: MBEDTLS_X509_USE_C
- *
- * This module is required for X.509 CRL parsing.
- */
-#define MBEDTLS_X509_CRL_PARSE_C
-
-/**
- * \def MBEDTLS_X509_CSR_PARSE_C
- *
- * Enable X.509 Certificate Signing Request (CSR) parsing.
- *
- * Module: library/x509_csr.c
- * Caller: library/x509_crt_write.c
- *
- * Requires: MBEDTLS_X509_USE_C
- *
- * This module is used for reading X.509 certificate request.
- */
-#define MBEDTLS_X509_CSR_PARSE_C
-
-/**
- * \def MBEDTLS_X509_CREATE_C
- *
- * Enable X.509 core for creating certificates.
- *
- * Module: library/x509_create.c
- *
- * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
- *
- * \warning You must call psa_crypto_init() before doing any X.509 operation.
- *
- * This module is the basis for creating X.509 certificates and CSRs.
- */
-#define MBEDTLS_X509_CREATE_C
-
-/**
- * \def MBEDTLS_X509_CRT_WRITE_C
- *
- * Enable creating X.509 certificates.
- *
- * Module: library/x509_crt_write.c
- *
- * Requires: MBEDTLS_X509_CREATE_C
- *
- * This module is required for X.509 certificate creation.
- */
-#define MBEDTLS_X509_CRT_WRITE_C
-
-/**
- * \def MBEDTLS_X509_CSR_WRITE_C
- *
- * Enable creating X.509 Certificate Signing Requests (CSR).
- *
- * Module: library/x509_csr_write.c
- *
- * Requires: MBEDTLS_X509_CREATE_C
- *
- * This module is required for X.509 certificate request writing.
- */
-#define MBEDTLS_X509_CSR_WRITE_C
-
-/** \} name SECTION: Mbed TLS modules */
-
-/**
- * \name SECTION: General configuration options
- *
- * This section contains Mbed TLS build settings that are not associated
- * with a particular module.
- *
- * \{
- */
-
-/**
- * \def MBEDTLS_CONFIG_FILE
- *
- * If defined, this is a header which will be included instead of
- * `"mbedtls/mbedtls_config.h"`.
- * This header file specifies the compile-time configuration of Mbed TLS.
- * Unlike other configuration options, this one must be defined on the
- * compiler command line: a definition in `mbedtls_config.h` would have
- * no effect.
- *
- * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
- * non-standard feature of the C language, so this feature is only available
- * with compilers that perform macro expansion on an <tt>\#include</tt> line.
- *
- * The value of this symbol is typically a path in double quotes, either
- * absolute or relative to a directory on the include search path.
- */
-//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
-
-/**
- * \def MBEDTLS_USER_CONFIG_FILE
- *
- * If defined, this is a header which will be included after
- * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.
- * This allows you to modify the default configuration, including the ability
- * to undefine options that are enabled by default.
- *
- * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
- * non-standard feature of the C language, so this feature is only available
- * with compilers that perform macro expansion on an <tt>\#include</tt> line.
- *
- * The value of this symbol is typically a path in double quotes, either
- * absolute or relative to a directory on the include search path.
- */
-//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
-
-/** \} name SECTION: General configuration options */
-
-/**
- * \name SECTION: Module configuration options
- *
- * This section allows for the setting of module specific sizes and
- * configuration options. The default values are already present in the
- * relevant header files and should suffice for the regular use cases.
- *
- * Our advice is to enable options and change their values here
- * only if you have a good reason and know the consequences.
- * \{
- */
-/* The Doxygen documentation here is used when a user comments out a
- * setting and runs doxygen themselves. On the other hand, when we typeset
- * the full documentation including disabled settings, the documentation
- * in specific modules' header files is used if present. When editing this
- * file, make sure that each option is documented in exactly one place,
- * plus optionally a same-line Doxygen comment here if there is a Doxygen
- * comment in the specific module. */
-
-/* SSL Cache options */
-//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
+//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 or 384 bits) */
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
-
-/* SSL options */
-
-/** \def MBEDTLS_SSL_IN_CONTENT_LEN
- *
- * Maximum length (in bytes) of incoming plaintext fragments.
- *
- * This determines the size of the incoming TLS I/O buffer in such a way
- * that it is capable of holding the specified amount of plaintext data,
- * regardless of the protection mechanism used.
- *
- * \note When using a value less than the default of 16KB on the client, it is
- * recommended to use the Maximum Fragment Length (MFL) extension to
- * inform the server about this limitation. On the server, there
- * is no supported, standardized way of informing the client about
- * restriction on the maximum size of incoming messages, and unless
- * the limitation has been communicated by other means, it is recommended
- * to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
- * while keeping the default value of 16KB for the incoming buffer.
- *
- * Uncomment to set the maximum plaintext size of the incoming I/O buffer.
- */
-//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
+//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
/** \def MBEDTLS_SSL_CID_IN_LEN_MAX
*
@@ -1235,6 +1028,73 @@
*/
//#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16
+/**
+ * Complete list of ciphersuites to use, in order of preference.
+ *
+ * \warning No dependency checking is done on that field! This option can only
+ * be used to restrict the set of available ciphersuites. It is your
+ * responsibility to make sure the needed modules are active.
+ *
+ * Use this to save a few hundred bytes of ROM (default ordering of all
+ * available ciphersuites) and a few to a few hundred bytes of RAM.
+ *
+ * The value below is only an example, not the default.
+ */
+//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+
+//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
+
+/** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING
+ *
+ * Maximum number of heap-allocated bytes for the purpose of
+ * DTLS handshake message reassembly and future message buffering.
+ *
+ * This should be at least 9/8 * MBEDTLS_SSL_IN_CONTENT_LEN
+ * to account for a reassembled handshake message of maximum size,
+ * together with its reassembly bitmap.
+ *
+ * A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default)
+ * should be sufficient for all practical situations as it allows
+ * to reassembly a large handshake message (such as a certificate)
+ * while buffering multiple smaller handshake messages.
+ *
+ */
+//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
+
+/** \def MBEDTLS_SSL_IN_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of incoming plaintext fragments.
+ *
+ * This determines the size of the incoming TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ * recommended to use the Maximum Fragment Length (MFL) extension to
+ * inform the server about this limitation. On the server, there
+ * is no supported, standardized way of informing the client about
+ * restriction on the maximum size of incoming messages, and unless
+ * the limitation has been communicated by other means, it is recommended
+ * to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ * while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of the incoming I/O buffer.
+ */
+//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
+
+/**
+ * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
+ *
+ * The default maximum amount of 0-RTT data. See the documentation of
+ * \c mbedtls_ssl_conf_max_early_data_size() for more information.
+ *
+ * It must be positive and smaller than UINT32_MAX.
+ *
+ * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not
+ * have any impact on the build.
+ */
+//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024
+
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
*
* Maximum length (in bytes) of outgoing plaintext fragments.
@@ -1255,52 +1115,15 @@
*/
//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
-/** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING
- *
- * Maximum number of heap-allocated bytes for the purpose of
- * DTLS handshake message reassembly and future message buffering.
- *
- * This should be at least 9/8 * MBEDTLS_SSL_IN_CONTENT_LEN
- * to account for a reassembled handshake message of maximum size,
- * together with its reassembly bitmap.
- *
- * A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default)
- * should be sufficient for all practical situations as it allows
- * to reassembly a large handshake message (such as a certificate)
- * while buffering multiple smaller handshake messages.
- *
- */
-//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
-
-//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 or 384 bits) */
-//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
-
/**
- * Complete list of ciphersuites to use, in order of preference.
+ * \def MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS
*
- * \warning No dependency checking is done on that field! This option can only
- * be used to restrict the set of available ciphersuites. It is your
- * responsibility to make sure the needed modules are active.
+ * Default number of NewSessionTicket messages to be sent by a TLS 1.3 server
+ * after handshake completion. This is not used in TLS 1.2 and relevant only if
+ * the MBEDTLS_SSL_SESSION_TICKETS option is enabled.
*
- * Use this to save a few hundred bytes of ROM (default ordering of all
- * available ciphersuites) and a few to a few hundred bytes of RAM.
- *
- * The value below is only an example, not the default.
*/
-//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-
-/**
- * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
- *
- * The default maximum amount of 0-RTT data. See the documentation of
- * \c mbedtls_ssl_conf_max_early_data_size() for more information.
- *
- * It must be positive and smaller than UINT32_MAX.
- *
- * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not
- * have any impact on the build.
- */
-//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024
+//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
/**
* \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE
@@ -1334,18 +1157,179 @@
*/
//#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
+/** \} name SECTION: TLS feature selection */
+
/**
- * \def MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS
+ * \name SECTION: X.509 feature selection
*
- * Default number of NewSessionTicket messages to be sent by a TLS 1.3 server
- * after handshake completion. This is not used in TLS 1.2 and relevant only if
- * the MBEDTLS_SSL_SESSION_TICKETS option is enabled.
- *
+ * This section sets Certificate related options.
+ * \{
*/
-//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
-/* X509 options */
-//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
+/**
+ * \def MBEDTLS_PKCS7_C
+ *
+ * Enable PKCS #7 core for using PKCS #7-formatted signatures.
+ * RFC Link - https://tools.ietf.org/html/rfc2315
+ *
+ * Module: library/pkcs7.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
+ * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C,
+ * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C
+ *
+ * This module is required for the PKCS #7 parsing modules.
+ */
+#define MBEDTLS_PKCS7_C
+
+/**
+ * \def MBEDTLS_X509_CREATE_C
+ *
+ * Enable X.509 core for creating certificates.
+ *
+ * Module: library/x509_create.c
+ *
+ * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
+ *
+ * \warning You must call psa_crypto_init() before doing any X.509 operation.
+ *
+ * This module is the basis for creating X.509 certificates and CSRs.
+ */
+#define MBEDTLS_X509_CREATE_C
+
+/**
+ * \def MBEDTLS_X509_CRL_PARSE_C
+ *
+ * Enable X.509 CRL parsing.
+ *
+ * Module: library/x509_crl.c
+ * Caller: library/x509_crt.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is required for X.509 CRL parsing.
+ */
+#define MBEDTLS_X509_CRL_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CRT_PARSE_C
+ *
+ * Enable X.509 certificate parsing.
+ *
+ * Module: library/x509_crt.c
+ * Caller: library/ssl_tls.c
+ * library/ssl*_client.c
+ * library/ssl*_server.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is required for X.509 certificate parsing.
+ */
+#define MBEDTLS_X509_CRT_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CRT_WRITE_C
+ *
+ * Enable creating X.509 certificates.
+ *
+ * Module: library/x509_crt_write.c
+ *
+ * Requires: MBEDTLS_X509_CREATE_C
+ *
+ * This module is required for X.509 certificate creation.
+ */
+#define MBEDTLS_X509_CRT_WRITE_C
+
+/**
+ * \def MBEDTLS_X509_CSR_PARSE_C
+ *
+ * Enable X.509 Certificate Signing Request (CSR) parsing.
+ *
+ * Module: library/x509_csr.c
+ * Caller: library/x509_crt_write.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is used for reading X.509 certificate request.
+ */
+#define MBEDTLS_X509_CSR_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CSR_WRITE_C
+ *
+ * Enable creating X.509 Certificate Signing Requests (CSR).
+ *
+ * Module: library/x509_csr_write.c
+ *
+ * Requires: MBEDTLS_X509_CREATE_C
+ *
+ * This module is required for X.509 certificate request writing.
+ */
+#define MBEDTLS_X509_CSR_WRITE_C
+
+/**
+ * \def MBEDTLS_X509_REMOVE_INFO
+ *
+ * Disable mbedtls_x509_*_info() and related APIs.
+ *
+ * Uncomment to omit mbedtls_x509_*_info(), as well as mbedtls_debug_print_crt()
+ * and other functions/constants only used by these functions, thus reducing
+ * the code footprint by several KB.
+ */
+//#define MBEDTLS_X509_REMOVE_INFO
+
+/**
+ * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ *
+ * Enable parsing and verification of X.509 certificates, CRLs and CSRS
+ * signed with RSASSA-PSS (aka PKCS#1 v2.1).
+ *
+ * Requires: MBEDTLS_PKCS1_V21
+ *
+ * Comment this macro to disallow using RSASSA-PSS in certificates.
+ */
+#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
+
+/**
+ * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
+ *
+ * If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()`
+ * and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure
+ * the set of trusted certificates through a callback instead of a linked
+ * list.
+ *
+ * This is useful for example in environments where a large number of trusted
+ * certificates is present and storing them in a linked list isn't efficient
+ * enough, or when the set of trusted certificates changes frequently.
+ *
+ * See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and
+ * `mbedtls_ssl_conf_ca_cb()` for more information.
+ *
+ * Requires: MBEDTLS_X509_CRT_PARSE_C
+ *
+ * Uncomment to enable trusted certificate callbacks.
+ */
+//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
+
+/**
+ * \def MBEDTLS_X509_USE_C
+ *
+ * Enable X.509 core for using certificates.
+ *
+ * Module: library/x509.c
+ * Caller: library/x509_crl.c
+ * library/x509_crt.c
+ * library/x509_csr.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C
+ *
+ * \warning You must call psa_crypto_init() before doing any X.509 operation.
+ *
+ * This module is required for the X.509 parsing modules.
+ */
+#define MBEDTLS_X509_USE_C
+
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
+//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
-/** \} name SECTION: Module configuration options */
+/** \} name SECTION: X.509 feature selection */
diff --git a/scripts/code_style.py b/scripts/code_style.py
deleted file mode 100755
index 26b691c..0000000
--- a/scripts/code_style.py
+++ /dev/null
@@ -1,279 +0,0 @@
-#!/usr/bin/env python3
-"""Check or fix the code style by running Uncrustify.
-
-This script must be run from the root of a Git work tree containing Mbed TLS.
-"""
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-import argparse
-import os
-import re
-import subprocess
-import sys
-from typing import FrozenSet, List, Optional
-
-UNCRUSTIFY_SUPPORTED_VERSION = "0.75.1"
-CONFIG_FILE = ".uncrustify.cfg"
-UNCRUSTIFY_EXE = "uncrustify"
-UNCRUSTIFY_ARGS = ["-c", CONFIG_FILE]
-CHECK_GENERATED_FILES = "tests/scripts/check-generated-files.sh"
-
-def print_err(*args):
- print("Error: ", *args, file=sys.stderr)
-
-# Print the file names that will be skipped and the help message
-def print_skip(files_to_skip):
- print()
- print(*files_to_skip, sep=", SKIP\n", end=", SKIP\n")
- print("Warning: The listed files will be skipped because\n"
- "they are not known to git.")
- print()
-
-# Match FILENAME(s) in "check SCRIPT (FILENAME...)"
-CHECK_CALL_RE = re.compile(r"\n\s*check\s+[^\s#$&*?;|]+([^\n#$&*?;|]+)",
- re.ASCII)
-def list_generated_files() -> FrozenSet[str]:
- """Return the names of generated files.
-
- We don't reformat generated files, since the result might be different
- from the output of the generator. Ideally the result of the generator
- would conform to the code style, but this would be difficult, especially
- with respect to the placement of line breaks in long logical lines.
- """
- # Parse check-generated-files.sh to get an up-to-date list of
- # generated files. Read the file rather than calling it so that
- # this script only depends on Git, Python and uncrustify, and not other
- # tools such as sh or grep which might not be available on Windows.
- # This introduces a limitation: check-generated-files.sh must have
- # the expected format and must list the files explicitly, not through
- # wildcards or command substitution.
- content = open(CHECK_GENERATED_FILES, encoding="utf-8").read()
- checks = re.findall(CHECK_CALL_RE, content)
- return frozenset(word for s in checks for word in s.split())
-
-# Check for comment string indicating an auto-generated file
-AUTOGEN_RE = re.compile(r"Warning[ :-]+This file is (now )?auto[ -]?generated",
- re.ASCII | re.IGNORECASE)
-def is_file_autogenerated(filename):
- content = open(filename, encoding="utf-8").read()
- return AUTOGEN_RE.search(content) is not None
-
-def get_src_files(since: Optional[str]) -> List[str]:
- """
- Use git to get a list of the source files.
-
- The optional argument since is a commit, indicating to only list files
- that have changed since that commit. Without this argument, list all
- files known to git.
-
- Only C files are included, and certain files (generated, or third party)
- are excluded.
- """
- file_patterns = ["*.[hc]",
- "tests/suites/*.function",
- "tf-psa-crypto/tests/suites/*.function",
- "scripts/data_files/*.fmt"]
- output = subprocess.check_output(["git", "ls-files"] + file_patterns,
- universal_newlines=True)
- src_files = output.split()
-
- # When this script is called from a git hook, some environment variables
- # are set by default which force all git commands to use the main repository
- # (i.e. prevent us from performing commands on the framework repo).
- # Create an environment without these variables for running commands on the
- # framework repo.
- framework_env = os.environ.copy()
- # Get a list of environment vars that git sets
- git_env_vars = subprocess.check_output(["git", "rev-parse", "--local-env-vars"],
- universal_newlines=True)
- # Remove the vars from the environment
- for var in git_env_vars.split():
- framework_env.pop(var, None)
-
- output = subprocess.check_output(["git", "-C", "framework", "ls-files"]
- + file_patterns,
- universal_newlines=True,
- env=framework_env)
- framework_src_files = output.split()
-
- if since:
- # get all files changed in commits since the starting point in ...
- # ... the main repository
- cmd = ["git", "log", since + "..HEAD", "--ignore-submodules",
- "--name-only", "--pretty=", "--"] + src_files
- output = subprocess.check_output(cmd, universal_newlines=True)
- committed_changed_files = output.split()
-
- # ... the framework submodule
- framework_since = get_submodule_hash(since, "framework")
- cmd = ["git", "-C", "framework", "log", framework_since + "..HEAD",
- "--name-only", "--pretty=", "--"] + framework_src_files
- output = subprocess.check_output(cmd, universal_newlines=True,
- env=framework_env)
- committed_changed_files += ["framework/" + s for s in output.split()]
-
- # and also get all files with uncommitted changes in ...
- # ... the main repository
- cmd = ["git", "diff", "--name-only", "--"] + src_files
- output = subprocess.check_output(cmd, universal_newlines=True)
- uncommitted_changed_files = output.split()
- # ... the framework submodule
- cmd = ["git", "-C", "framework", "diff", "--name-only", "--"] + \
- framework_src_files
- output = subprocess.check_output(cmd, universal_newlines=True,
- env=framework_env)
- uncommitted_changed_files += ["framework/" + s for s in output.split()]
-
- src_files = committed_changed_files + uncommitted_changed_files
- else:
- src_files += ["framework/" + s for s in framework_src_files]
-
- generated_files = list_generated_files()
- # Don't correct style for third-party files (and, for simplicity,
- # companion files in the same subtree), or for automatically
- # generated files (we're correcting the templates instead).
- src_files = [filename for filename in src_files
- if not (filename.startswith("tf-psa-crypto/drivers/everest/") or
- filename.startswith("tf-psa-crypto/drivers/p256-m/") or
- filename in generated_files or
- is_file_autogenerated(filename))]
- return src_files
-
-def get_submodule_hash(commit: str, submodule: str) -> str:
- """Get the commit hash of a submodule at a given commit in the Git repository."""
- cmd = ["git", "ls-tree", commit, submodule]
- output = subprocess.check_output(cmd, universal_newlines=True)
- return output.split()[2]
-
-def get_uncrustify_version() -> str:
- """
- Get the version string from Uncrustify
- """
- result = subprocess.run([UNCRUSTIFY_EXE, "--version"],
- stdout=subprocess.PIPE, stderr=subprocess.PIPE,
- check=False)
- if result.returncode != 0:
- print_err("Could not get Uncrustify version:", str(result.stderr, "utf-8"))
- return ""
- else:
- return str(result.stdout, "utf-8")
-
-def check_style_is_correct(src_file_list: List[str]) -> bool:
- """
- Check the code style and output a diff for each file whose style is
- incorrect.
- """
- style_correct = True
- for src_file in src_file_list:
- uncrustify_cmd = [UNCRUSTIFY_EXE] + UNCRUSTIFY_ARGS + [src_file]
- result = subprocess.run(uncrustify_cmd, stdout=subprocess.PIPE,
- stderr=subprocess.PIPE, check=False)
- if result.returncode != 0:
- print_err("Uncrustify returned " + str(result.returncode) +
- " correcting file " + src_file)
- return False
-
- # Uncrustify makes changes to the code and places the result in a new
- # file with the extension ".uncrustify". To get the changes (if any)
- # simply diff the 2 files.
- diff_cmd = ["diff", "-u", src_file, src_file + ".uncrustify"]
- cp = subprocess.run(diff_cmd, check=False)
-
- if cp.returncode == 1:
- print(src_file + " changed - code style is incorrect.")
- style_correct = False
- elif cp.returncode != 0:
- raise subprocess.CalledProcessError(cp.returncode, cp.args,
- cp.stdout, cp.stderr)
-
- # Tidy up artifact
- os.remove(src_file + ".uncrustify")
-
- return style_correct
-
-def fix_style_single_pass(src_file_list: List[str]) -> bool:
- """
- Run Uncrustify once over the source files.
- """
- code_change_args = UNCRUSTIFY_ARGS + ["--no-backup"]
- for src_file in src_file_list:
- uncrustify_cmd = [UNCRUSTIFY_EXE] + code_change_args + [src_file]
- result = subprocess.run(uncrustify_cmd, check=False)
- if result.returncode != 0:
- print_err("Uncrustify with file returned: " +
- str(result.returncode) + " correcting file " +
- src_file)
- return False
- return True
-
-def fix_style(src_file_list: List[str]) -> int:
- """
- Fix the code style. This takes 2 passes of Uncrustify.
- """
- if not fix_style_single_pass(src_file_list):
- return 1
- if not fix_style_single_pass(src_file_list):
- return 1
-
- # Guard against future changes that cause the codebase to require
- # more passes.
- if not check_style_is_correct(src_file_list):
- print_err("Code style still incorrect after second run of Uncrustify.")
- return 1
- else:
- return 0
-
-def main() -> int:
- """
- Main with command line arguments.
- """
- uncrustify_version = get_uncrustify_version().strip()
- if UNCRUSTIFY_SUPPORTED_VERSION not in uncrustify_version:
- print("Warning: Using unsupported Uncrustify version '" +
- uncrustify_version + "'")
- print("Note: The only supported version is " +
- UNCRUSTIFY_SUPPORTED_VERSION)
-
- parser = argparse.ArgumentParser()
- parser.add_argument('-f', '--fix', action='store_true',
- help=('modify source files to fix the code style '
- '(default: print diff, do not modify files)'))
- parser.add_argument('-s', '--since', metavar='COMMIT', const='development', nargs='?',
- help=('only check files modified since the specified commit'
- ' (e.g. --since=HEAD~3 or --since=development). If no'
- ' commit is specified, default to development.'))
- # --subset is almost useless: it only matters if there are no files
- # ('code_style.py' without arguments checks all files known to Git,
- # 'code_style.py --subset' does nothing). In particular,
- # 'code_style.py --fix --subset ...' is intended as a stable ("porcelain")
- # way to restyle a possibly empty set of files.
- parser.add_argument('--subset', action='store_true',
- help='only check the specified files (default with non-option arguments)')
- parser.add_argument('operands', nargs='*', metavar='FILE',
- help='files to check (files MUST be known to git, if none: check all)')
-
- args = parser.parse_args()
-
- covered = frozenset(get_src_files(args.since))
- # We only check files that are known to git
- if args.subset or args.operands:
- src_files = [f for f in args.operands if f in covered]
- skip_src_files = [f for f in args.operands if f not in covered]
- if skip_src_files:
- print_skip(skip_src_files)
- else:
- src_files = list(covered)
-
- if args.fix:
- # Fix mode
- return fix_style(src_files)
- else:
- # Check mode
- if check_style_is_correct(src_files):
- print("Checked {} files, style ok.".format(len(src_files)))
- return 0
- else:
- return 1
-
-if __name__ == '__main__':
- sys.exit(main())
diff --git a/scripts/generate_features.pl b/scripts/generate_features.pl
index cea8c11..5e50ca6 100755
--- a/scripts/generate_features.pl
+++ b/scripts/generate_features.pl
@@ -27,8 +27,8 @@
my $feature_format_file = $data_dir.'/version_features.fmt';
-my @sections = ( "System support", "Mbed TLS modules",
- "Mbed TLS feature support" );
+my @sections = ( "Platform abstraction layer", "General configuration options",
+ "TLS feature selection", "X.509 feature selection" );
my $line_separator = $/;
undef $/;
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index 3b186d6..8cc341d 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -125,7 +125,7 @@
}
# Note: if the format of calls to the "check" function changes, update
-# scripts/code_style.py accordingly. For generated C source files (*.h or *.c),
+# framework/scripts/code_style.py accordingly. For generated C source files (*.h or *.c),
# the format must be "check SCRIPT FILENAME...". For other source files,
# any shell syntax is permitted (including e.g. command substitution).
diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py
deleted file mode 100755
index d3fbe85..0000000
--- a/tests/scripts/check_files.py
+++ /dev/null
@@ -1,567 +0,0 @@
-#!/usr/bin/env python3
-
-# Copyright The Mbed TLS Contributors
-# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
-
-"""
-This script checks the current state of the source code for minor issues,
-including incorrect file permissions, presence of tabs, non-Unix line endings,
-trailing whitespace, and presence of UTF-8 BOM.
-Note: requires python 3, must be run from Mbed TLS root.
-"""
-
-import argparse
-import codecs
-import inspect
-import logging
-import os
-import re
-import subprocess
-import sys
-try:
- from typing import FrozenSet, Optional, Pattern # pylint: disable=unused-import
-except ImportError:
- pass
-
-import scripts_path # pylint: disable=unused-import
-from mbedtls_framework import build_tree
-
-
-class FileIssueTracker:
- """Base class for file-wide issue tracking.
-
- To implement a checker that processes a file as a whole, inherit from
- this class and implement `check_file_for_issue` and define ``heading``.
-
- ``suffix_exemptions``: files whose name ends with a string in this set
- will not be checked.
-
- ``path_exemptions``: files whose path (relative to the root of the source
- tree) matches this regular expression will not be checked. This can be
- ``None`` to match no path. Paths are normalized and converted to ``/``
- separators before matching.
-
- ``heading``: human-readable description of the issue
- """
-
- suffix_exemptions = frozenset() #type: FrozenSet[str]
- path_exemptions = None #type: Optional[Pattern[str]]
- # heading must be defined in derived classes.
- # pylint: disable=no-member
-
- def __init__(self):
- self.files_with_issues = {}
-
- @staticmethod
- def normalize_path(filepath):
- """Normalize ``filepath`` with / as the directory separator."""
- filepath = os.path.normpath(filepath)
- # On Windows, we may have backslashes to separate directories.
- # We need slashes to match exemption lists.
- seps = os.path.sep
- if os.path.altsep is not None:
- seps += os.path.altsep
- return '/'.join(filepath.split(seps))
-
- def should_check_file(self, filepath):
- """Whether the given file name should be checked.
-
- Files whose name ends with a string listed in ``self.suffix_exemptions``
- or whose path matches ``self.path_exemptions`` will not be checked.
- """
- for files_exemption in self.suffix_exemptions:
- if filepath.endswith(files_exemption):
- return False
- if self.path_exemptions and \
- re.match(self.path_exemptions, self.normalize_path(filepath)):
- return False
- return True
-
- def check_file_for_issue(self, filepath):
- """Check the specified file for the issue that this class is for.
-
- Subclasses must implement this method.
- """
- raise NotImplementedError
-
- def record_issue(self, filepath, line_number):
- """Record that an issue was found at the specified location."""
- if filepath not in self.files_with_issues.keys():
- self.files_with_issues[filepath] = []
- self.files_with_issues[filepath].append(line_number)
-
- def output_file_issues(self, logger):
- """Log all the locations where the issue was found."""
- if self.files_with_issues.values():
- logger.info(self.heading)
- for filename, lines in sorted(self.files_with_issues.items()):
- if lines:
- logger.info("{}: {}".format(
- filename, ", ".join(str(x) for x in lines)
- ))
- else:
- logger.info(filename)
- logger.info("")
-
-BINARY_FILE_PATH_RE_LIST = [
- r'docs/.*\.pdf\Z',
- r'docs/.*\.png\Z',
- r'tf-psa-crypto/docs/.*\.pdf\Z',
- r'tf-psa-crypto/docs/.*\.png\Z',
- r'programs/fuzz/corpuses/[^.]+\Z',
- r'framework/data_files/[^.]+\Z',
- r'framework/data_files/.*\.(crt|csr|db|der|key|pubkey)\Z',
- r'framework/data_files/.*\.req\.[^/]+\Z',
- r'framework/data_files/.*malformed[^/]+\Z',
- r'framework/data_files/format_pkcs12\.fmt\Z',
- r'framework/data_files/.*\.bin\Z',
-]
-BINARY_FILE_PATH_RE = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST))
-
-class LineIssueTracker(FileIssueTracker):
- """Base class for line-by-line issue tracking.
-
- To implement a checker that processes files line by line, inherit from
- this class and implement `line_with_issue`.
- """
-
- # Exclude binary files.
- path_exemptions = BINARY_FILE_PATH_RE
-
- def issue_with_line(self, line, filepath, line_number):
- """Check the specified line for the issue that this class is for.
-
- Subclasses must implement this method.
- """
- raise NotImplementedError
-
- def check_file_line(self, filepath, line, line_number):
- if self.issue_with_line(line, filepath, line_number):
- self.record_issue(filepath, line_number)
-
- def check_file_for_issue(self, filepath):
- """Check the lines of the specified file.
-
- Subclasses must implement the ``issue_with_line`` method.
- """
- with open(filepath, "rb") as f:
- for i, line in enumerate(iter(f.readline, b"")):
- self.check_file_line(filepath, line, i + 1)
-
-
-def is_windows_file(filepath):
- _root, ext = os.path.splitext(filepath)
- return ext in ('.bat', '.dsp', '.dsw', '.sln', '.vcxproj')
-
-
-class ShebangIssueTracker(FileIssueTracker):
- """Track files with a bad, missing or extraneous shebang line.
-
- Executable scripts must start with a valid shebang (#!) line.
- """
-
- heading = "Invalid shebang line:"
-
- # Allow either /bin/sh, /bin/bash, or /usr/bin/env.
- # Allow at most one argument (this is a Linux limitation).
- # For sh and bash, the argument if present must be options.
- # For env, the argument must be the base name of the interpreter.
- _shebang_re = re.compile(rb'^#! ?(?:/bin/(bash|sh)(?: -[^\n ]*)?'
- rb'|/usr/bin/env ([^\n /]+))$')
- _extensions = {
- b'bash': 'sh',
- b'perl': 'pl',
- b'python3': 'py',
- b'sh': 'sh',
- }
-
- path_exemptions = re.compile(r'framework/scripts/quiet/.*')
-
- def is_valid_shebang(self, first_line, filepath):
- m = re.match(self._shebang_re, first_line)
- if not m:
- return False
- interpreter = m.group(1) or m.group(2)
- if interpreter not in self._extensions:
- return False
- if not filepath.endswith('.' + self._extensions[interpreter]):
- return False
- return True
-
- def check_file_for_issue(self, filepath):
- is_executable = os.access(filepath, os.X_OK)
- with open(filepath, "rb") as f:
- first_line = f.readline()
- if first_line.startswith(b'#!'):
- if not is_executable:
- # Shebang on a non-executable file
- self.files_with_issues[filepath] = None
- elif not self.is_valid_shebang(first_line, filepath):
- self.files_with_issues[filepath] = [1]
- elif is_executable:
- # Executable without a shebang
- self.files_with_issues[filepath] = None
-
-
-class EndOfFileNewlineIssueTracker(FileIssueTracker):
- """Track files that end with an incomplete line
- (no newline character at the end of the last line)."""
-
- heading = "Missing newline at end of file:"
-
- path_exemptions = BINARY_FILE_PATH_RE
-
- def check_file_for_issue(self, filepath):
- with open(filepath, "rb") as f:
- try:
- f.seek(-1, 2)
- except OSError:
- # This script only works on regular files. If we can't seek
- # 1 before the end, it means that this position is before
- # the beginning of the file, i.e. that the file is empty.
- return
- if f.read(1) != b"\n":
- self.files_with_issues[filepath] = None
-
-
-class Utf8BomIssueTracker(FileIssueTracker):
- """Track files that start with a UTF-8 BOM.
- Files should be ASCII or UTF-8. Valid UTF-8 does not start with a BOM."""
-
- heading = "UTF-8 BOM present:"
-
- suffix_exemptions = frozenset([".vcxproj", ".sln"])
- path_exemptions = BINARY_FILE_PATH_RE
-
- def check_file_for_issue(self, filepath):
- with open(filepath, "rb") as f:
- if f.read().startswith(codecs.BOM_UTF8):
- self.files_with_issues[filepath] = None
-
-
-class UnicodeIssueTracker(LineIssueTracker):
- """Track lines with invalid characters or invalid text encoding."""
-
- heading = "Invalid UTF-8 or forbidden character:"
-
- # Only allow valid UTF-8, and only other explicitly allowed characters.
- # We deliberately exclude all characters that aren't a simple non-blank,
- # non-zero-width glyph, apart from a very small set (tab, ordinary space,
- # line breaks, "basic" no-break space and soft hyphen). In particular,
- # non-ASCII control characters, combinig characters, and Unicode state
- # changes (e.g. right-to-left text) are forbidden.
- # Note that we do allow some characters with a risk of visual confusion,
- # for example '-' (U+002D HYPHEN-MINUS) vs '' (U+00AD SOFT HYPHEN) vs
- # '‐' (U+2010 HYPHEN), or 'A' (U+0041 LATIN CAPITAL LETTER A) vs
- # 'Α' (U+0391 GREEK CAPITAL LETTER ALPHA).
- GOOD_CHARACTERS = ''.join([
- '\t\n\r -~', # ASCII (tabs and line endings are checked separately)
- '\u00A0-\u00FF', # Latin-1 Supplement (for NO-BREAK SPACE and punctuation)
- '\u2010-\u2027\u2030-\u205E', # General Punctuation (printable)
- '\u2070\u2071\u2074-\u208E\u2090-\u209C', # Superscripts and Subscripts
- '\u2190-\u21FF', # Arrows
- '\u2200-\u22FF', # Mathematical Symbols
- '\u2500-\u257F' # Box Drawings characters used in markdown trees
- ])
- # Allow any of the characters and ranges above, and anything classified
- # as a word constituent.
- GOOD_CHARACTERS_RE = re.compile(r'[\w{}]+\Z'.format(GOOD_CHARACTERS))
-
- def issue_with_line(self, line, _filepath, line_number):
- try:
- text = line.decode('utf-8')
- except UnicodeDecodeError:
- return True
- if line_number == 1 and text.startswith('\uFEFF'):
- # Strip BOM (U+FEFF ZERO WIDTH NO-BREAK SPACE) at the beginning.
- # Which files are allowed to have a BOM is handled in
- # Utf8BomIssueTracker.
- text = text[1:]
- return not self.GOOD_CHARACTERS_RE.match(text)
-
-class UnixLineEndingIssueTracker(LineIssueTracker):
- """Track files with non-Unix line endings (i.e. files with CR)."""
-
- heading = "Non-Unix line endings:"
-
- def should_check_file(self, filepath):
- if not super().should_check_file(filepath):
- return False
- return not is_windows_file(filepath)
-
- def issue_with_line(self, line, _filepath, _line_number):
- return b"\r" in line
-
-
-class WindowsLineEndingIssueTracker(LineIssueTracker):
- """Track files with non-Windows line endings (i.e. CR or LF not in CRLF)."""
-
- heading = "Non-Windows line endings:"
-
- def should_check_file(self, filepath):
- if not super().should_check_file(filepath):
- return False
- return is_windows_file(filepath)
-
- def issue_with_line(self, line, _filepath, _line_number):
- return not line.endswith(b"\r\n") or b"\r" in line[:-2]
-
-
-class TrailingWhitespaceIssueTracker(LineIssueTracker):
- """Track lines with trailing whitespace."""
-
- heading = "Trailing whitespace:"
- suffix_exemptions = frozenset([".dsp", ".md"])
-
- def issue_with_line(self, line, _filepath, _line_number):
- return line.rstrip(b"\r\n") != line.rstrip()
-
-
-class TabIssueTracker(LineIssueTracker):
- """Track lines with tabs."""
-
- heading = "Tabs present:"
- suffix_exemptions = frozenset([
- ".make",
- ".pem", # some openssl dumps have tabs
- ".sln",
- "/.gitmodules",
- "/Makefile",
- "/Makefile.inc",
- "/generate_visualc_files.pl",
- ])
-
- def issue_with_line(self, line, _filepath, _line_number):
- return b"\t" in line
-
-
-class MergeArtifactIssueTracker(LineIssueTracker):
- """Track lines with merge artifacts.
- These are leftovers from a ``git merge`` that wasn't fully edited."""
-
- heading = "Merge artifact:"
-
- def issue_with_line(self, line, _filepath, _line_number):
- # Detect leftover git conflict markers.
- if line.startswith(b'<<<<<<< ') or line.startswith(b'>>>>>>> '):
- return True
- if line.startswith(b'||||||| '): # from merge.conflictStyle=diff3
- return True
- if line.rstrip(b'\r\n') == b'=======' and \
- not _filepath.endswith('.md'):
- return True
- return False
-
-
-def this_location():
- frame = inspect.currentframe()
- assert frame is not None
- info = inspect.getframeinfo(frame)
- return os.path.basename(info.filename), info.lineno
-THIS_FILE_BASE_NAME, LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER = this_location()
-
-class LicenseIssueTracker(LineIssueTracker):
- """Check copyright statements and license indications.
-
- This class only checks that statements are correct if present. It does
- not enforce the presence of statements in each file.
- """
-
- heading = "License issue:"
-
- LICENSE_EXEMPTION_RE_LIST = [
- # Exempt third-party drivers which may be under a different license
- r'tf-psa-crypto/drivers/(?=(everest)/.*)',
- # Documentation explaining the license may have accidental
- # false positives.
- r'(ChangeLog|LICENSE|framework\/LICENSE|[-0-9A-Z_a-z]+\.md)\Z',
- # Files imported from TF-M, and not used except in test builds,
- # may be under a different license.
- r'configs/ext/crypto_config_profile_medium\.h\Z',
- r'configs/ext/tfm_mbedcrypto_config_profile_medium\.h\Z',
- r'configs/ext/README\.md\Z',
- # Third-party file.
- r'dco\.txt\Z',
- r'framework\/dco\.txt\Z',
- ]
- path_exemptions = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST +
- LICENSE_EXEMPTION_RE_LIST))
-
- COPYRIGHT_HOLDER = rb'The Mbed TLS Contributors'
- # Catch "Copyright foo", "Copyright (C) foo", "Copyright © foo", etc.
- COPYRIGHT_RE = re.compile(rb'.*\bcopyright\s+((?:\w|\s|[()]|[^ -~])*\w)', re.I)
-
- SPDX_HEADER_KEY = b'SPDX-License-Identifier'
- LICENSE_IDENTIFIER = b'Apache-2.0 OR GPL-2.0-or-later'
- SPDX_RE = re.compile(br'.*?(' +
- re.escape(SPDX_HEADER_KEY) +
- br')(:\s*(.*?)\W*\Z|.*)', re.I)
-
- LICENSE_MENTION_RE = re.compile(rb'.*(?:' + rb'|'.join([
- rb'Apache License',
- rb'General Public License',
- ]) + rb')', re.I)
-
- def __init__(self):
- super().__init__()
- # Record what problem was caused. We can't easily report it due to
- # the structure of the script. To be fixed after
- # https://github.com/Mbed-TLS/mbedtls/pull/2506
- self.problem = None
-
- def issue_with_line(self, line, filepath, line_number):
- #pylint: disable=too-many-return-statements
-
- # Use endswith() rather than the more correct os.path.basename()
- # because experimentally, it makes a significant difference to
- # the running time.
- if filepath.endswith(THIS_FILE_BASE_NAME) and \
- line_number > LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER:
- # Avoid false positives from the code in this class.
- # Also skip the rest of this file, which is highly unlikely to
- # contain any problematic statements since we put those near the
- # top of files.
- return False
-
- m = self.COPYRIGHT_RE.match(line)
- if m and m.group(1) != self.COPYRIGHT_HOLDER:
- self.problem = 'Invalid copyright line'
- return True
-
- m = self.SPDX_RE.match(line)
- if m:
- if m.group(1) != self.SPDX_HEADER_KEY:
- self.problem = 'Misspelled ' + self.SPDX_HEADER_KEY.decode()
- return True
- if not m.group(3):
- self.problem = 'Improperly formatted SPDX license identifier'
- return True
- if m.group(3) != self.LICENSE_IDENTIFIER:
- self.problem = 'Wrong SPDX license identifier'
- return True
-
- m = self.LICENSE_MENTION_RE.match(line)
- if m:
- self.problem = 'Suspicious license mention'
- return True
-
- return False
-
-
-class ErrorAddIssueTracker(LineIssueTracker):
- """Signal direct additions of error codes.
-
- Adding a low-level error code with a high-level error code is deprecated
- and should use MBEDTLS_ERROR_ADD.
- """
-
- heading = "Direct addition of error codes"
-
- _ERR_PLUS_RE = re.compile(br'MBEDTLS_ERR_\w+ *\+|'
- br'\+ *MBEDTLS_ERR_')
- _EXCLUDE_RE = re.compile(br' *case ')
-
- def issue_with_line(self, line, filepath, line_number):
- if self._ERR_PLUS_RE.search(line) and not self._EXCLUDE_RE.match(line):
- return True
- return False
-
-
-class IntegrityChecker:
- """Sanity-check files under the current directory."""
-
- def __init__(self, log_file):
- """Instantiate the sanity checker.
- Check files under the current directory.
- Write a report of issues to log_file."""
- build_tree.check_repo_path()
- self.logger = None
- self.setup_logger(log_file)
- self.issues_to_check = [
- ShebangIssueTracker(),
- EndOfFileNewlineIssueTracker(),
- Utf8BomIssueTracker(),
- UnicodeIssueTracker(),
- UnixLineEndingIssueTracker(),
- WindowsLineEndingIssueTracker(),
- TrailingWhitespaceIssueTracker(),
- TabIssueTracker(),
- MergeArtifactIssueTracker(),
- LicenseIssueTracker(),
- ErrorAddIssueTracker(),
- ]
-
- def setup_logger(self, log_file, level=logging.INFO):
- """Log to log_file if provided, or to stderr if None."""
- self.logger = logging.getLogger()
- self.logger.setLevel(level)
- if log_file:
- handler = logging.FileHandler(log_file)
- self.logger.addHandler(handler)
- else:
- console = logging.StreamHandler()
- self.logger.addHandler(console)
-
- @staticmethod
- def collect_files():
- """Return the list of files to check.
-
- These are the regular files commited into Git.
- """
- bytes_output = subprocess.check_output(['git', '-C', 'framework',
- 'ls-files', '-z'])
- bytes_framework_filepaths = bytes_output.split(b'\0')[:-1]
- bytes_framework_filepaths = ["framework/".encode() + filepath
- for filepath in bytes_framework_filepaths]
-
- bytes_output = subprocess.check_output(['git', 'ls-files', '-z'])
- bytes_filepaths = bytes_output.split(b'\0')[:-1] + \
- bytes_framework_filepaths
- ascii_filepaths = map(lambda fp: fp.decode('ascii'), bytes_filepaths)
-
- # Filter out directories. Normally Git doesn't list directories
- # (it only knows about the files inside them), but there is
- # at least one case where 'git ls-files' includes a directory:
- # submodules. Just skip submodules (and any other directories).
- ascii_filepaths = [fp for fp in ascii_filepaths
- if os.path.isfile(fp)]
- # Prepend './' to files in the top-level directory so that
- # something like `'/Makefile' in fp` matches in the top-level
- # directory as well as in subdirectories.
- return [fp if os.path.dirname(fp) else os.path.join(os.curdir, fp)
- for fp in ascii_filepaths]
-
- def check_files(self):
- """Check all files for all issues."""
- for issue_to_check in self.issues_to_check:
- for filepath in self.collect_files():
- if issue_to_check.should_check_file(filepath):
- issue_to_check.check_file_for_issue(filepath)
-
- def output_issues(self):
- """Log the issues found and their locations.
-
- Return 1 if there were issues, 0 otherwise.
- """
- integrity_return_code = 0
- for issue_to_check in self.issues_to_check:
- if issue_to_check.files_with_issues:
- integrity_return_code = 1
- issue_to_check.output_file_issues(self.logger)
- return integrity_return_code
-
-
-def run_main():
- parser = argparse.ArgumentParser(description=__doc__)
- parser.add_argument(
- "-l", "--log_file", type=str, help="path to optional output log",
- )
- check_args = parser.parse_args()
- integrity_check = IntegrityChecker(check_args.log_file)
- integrity_check.check_files()
- return_code = integrity_check.output_issues()
- sys.exit(return_code)
-
-
-if __name__ == "__main__":
- run_main()
diff --git a/tests/scripts/components-basic-checks.sh b/tests/scripts/components-basic-checks.sh
index e9bfe5c..99fd0d7 100644
--- a/tests/scripts/components-basic-checks.sh
+++ b/tests/scripts/components-basic-checks.sh
@@ -43,7 +43,7 @@
component_check_files () {
msg "Check: file sanity checks (permissions, encodings)" # < 1s
- tests/scripts/check_files.py
+ framework/scripts/check_files.py
}
component_check_changelog () {
@@ -140,7 +140,7 @@
component_check_code_style () {
msg "Check C code style"
- ./scripts/code_style.py
+ ./framework/scripts/code_style.py
}
support_check_code_style () {
diff --git a/tests/scripts/components-sanitizers.sh b/tests/scripts/components-sanitizers.sh
index 2496c3d..454d140 100644
--- a/tests/scripts/components-sanitizers.sh
+++ b/tests/scripts/components-sanitizers.sh
@@ -111,6 +111,8 @@
scripts/config.py set MBEDTLS_THREADING_PTHREAD
# Self-tests do not currently use multiple threads.
scripts/config.py unset MBEDTLS_SELF_TEST
+ # Interruptible ECC tests are not thread safe
+ scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
# The deprecated MBEDTLS_PSA_CRYPTO_SE_C interface is not thread safe.
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
diff --git a/tf-psa-crypto b/tf-psa-crypto
index 26bc88c..9e4ac37 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit 26bc88ccd708e8f5748b5aa90691980d5bb111c0
+Subproject commit 9e4ac374e2be67892e70b9c653c6872ba8a2031b