Configuration file split
========================

## Why split the configuration file?

The objective of the repository split is to reach the point where in Mbed TLS
all the cryptography code and its tests are located in a tf-psa-crypto
directory that just contains the TF-PSA-Crypto repository as a submodule.
The cryptography APIs exposed by Mbed TLS are just the TF-PSA-Crypto ones.
Mbed TLS relies solely on the TF-PSA-Crypto build system to build its
cryptography library and its tests.

The TF-PSA-Crypto configuration file tf_psa_crypto_config.h entirely configures
the cryptography interface exposed by Mbed TLS through TF-PSA-Crypto.
The Mbed TLS configuration is split into two files: mbedtls_config.h for TLS and
x509, tf_psa_crypto_config.h for the cryptography.

## How do we split the configuration file?

We extend the so-called PSA cryptographic configuration scheme based on
mbedtls_config.h and crypto_config.h. The configuration file crypto_config.h is
extended to become the TF-PSA-Crypto configuration file, and mbedtls_config.h
becomes the configuration file for the TLS and x509 libraries. All the options
that select the cryptographic mechanisms and configure their implementation
are moved from mbedtls_config.h to (tf_psa_)crypto_config.h.

The configuration options that are relevant to both Mbed TLS and TF-PSA-Crypto,
like platform or system ones, are moved to (tf_psa_)crypto_config.h. That way
they are available in both repositories (as Mbed TLS includes
tf_psa_crypto_config.h) without duplication. Later, we may duplicate or create
aliases for some of them to align with the naming conventions of the
repositories.

The layout of options into sections in mbedtls_config.h does not suit
TF-PSA-Crypto well, so the configuration options in tf_psa_crypto_config.h are
organized into different sections (see below).

## Configuration files and config.py

Each repository contains a config.py script to create and modify configurations.

In Mbed TLS, config.py handles both mbedtls_config.h and
tf_psa_crypto_config.h. It can set or unset TLS, x509 and cryptographic
configuration options without having to specify the configuration file the
options belong to. Commands like full and baremetal affect both configuration
files.

In TF-PSA-Crypto, config.py addresses only tf_psa_crypto_config.h.
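The following is an added illustration, not the project's config.py, of the two properties the split relies on: options are declared in exactly one of the two headers (no duplication), and a set/unset command can locate an option by itself. It parses the `#define` / `//#define` line format used in the listings of this document; the file names and the header excerpts are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the option lines used in this document's listings, e.g.
#   #define MBEDTLS_FS_IO                  (enabled, boolean)
#   //#define MBEDTLS_PSA_KEY_SLOT_COUNT 32  (disabled, non-boolean)
OPTION_RE = re.compile(
    r"^(?P<off>//)?#define\s+(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?:\s+(?P<value>.*\S))?\s*$"
)

# Constructed excerpts of the two post-split headers (not the real files).
MBEDTLS_CONFIG = """\
/* SECTION "Mbed TLS feature support" (constructed excerpt) */
#define MBEDTLS_SSL_PROTO_TLS1_3
//#define MBEDTLS_SSL_EARLY_DATA
#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
"""
TF_PSA_CRYPTO_CONFIG = """\
/* SECTION "PSA core" (constructed excerpt) */
#define MBEDTLS_PSA_CRYPTO_C
//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
#define MBEDTLS_ENTROPY_C
"""


def parse_options(text: str) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map option name -> (enabled, value) for every #define line of a header."""
    options: Dict[str, Tuple[bool, Optional[str]]] = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line.strip())
        if m:
            options[m.group("name")] = (m.group("off") is None, m.group("value"))
    return options


def find_duplicates(mbedtls_cfg: str, crypto_cfg: str) -> List[str]:
    """Options declared in both headers; the split intends this to be empty."""
    return sorted(set(parse_options(mbedtls_cfg)) & set(parse_options(crypto_cfg)))


def set_option(files: Dict[str, str], name: str, enable: bool) -> Tuple[str, Dict[str, str]]:
    """Enable or disable `name` in whichever header declares it, so the caller
    does not have to say which file it lives in. Returns (modified file, all files)."""
    owners = [path for path, text in files.items() if name in parse_options(text)]
    if not owners:
        raise KeyError(f"{name} is not declared in any configuration file")
    if len(owners) > 1:
        raise ValueError(f"{name} is declared in several files: {owners}")
    path = owners[0]
    new_lines = []
    for line in files[path].splitlines():
        m = OPTION_RE.match(line.strip())
        if m and m.group("name") == name:
            indent = line[: len(line) - len(line.lstrip())]
            value = f" {m.group('value')}" if m.group("value") else ""
            line = f"{indent}{'' if enable else '//'}#define {name}{value}"
        new_lines.append(line)
    updated = dict(files)
    updated[path] = "\n".join(new_lines) + "\n"
    return path, updated
```

An option found in both headers is reported as an error rather than silently edited in one of them, which is the case the "without duplication" rule above is meant to prevent.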

## Sections in tf_psa_crypto_config.h

The tf_psa_crypto_config.h configuration file is organized into eight sections.

The pre-split mbedtls_config.h configuration file contains configuration
options that apply to the whole code base (TLS, x509, crypto and tests), mostly
related to the platform abstraction layer and testing. In tf_psa_crypto_config.h
these configuration options are organized into two sections, one for the
platform abstraction layer options and one for the others, respectively named
"Platform abstraction layer" and "General and test configuration options".

Then, the "Cryptographic mechanism selection (PSA API)" section is the
equivalent of the pre-split crypto_config.h configuration file containing the
PSA_WANT_ prefixed macros.

The following section, named "Cryptographic mechanism selection (extended API)",
contains the configuration options for the cryptography mechanisms that are not
yet part of the PSA cryptography API (like LMS or PK).

It is followed by the "Data format support" section that contains configuration
options of utilities related to various data formats (like base64 or ASN1 APIs).
These utilities aim to facilitate the usage of the PSA cryptography API in other
cryptography projects.

Compared to Mbed TLS, the cryptography code in TF-PSA-Crypto is not located
in a single directory but split between the PSA core (core directory) and the
PSA builtin drivers (drivers/builtin/src directory). This is reflected in
tf_psa_crypto_config.h with two sections respectively named "PSA core" and
"Builtin drivers".

Finally, the last section, named "Legacy cryptography", contains the configuration
options that will eventually be removed as duplicates of PSA_WANT_\* and
MBEDTLS_PSA_ACCEL_\* configuration options.

Unlike mbedtls_config.h, tf_psa_crypto_config.h does not contain a
section like the "Module configuration options" one containing non-boolean
configuration options. The configuration options that are not boolean are
located in the same section as the boolean option they are associated with.

Open question: do we group them into a subsection?

## Repartition of the configuration options

### In tf_psa_crypto_config.h, we have:
* SECTION "Platform abstraction layer"
#define MBEDTLS_HAVE_TIME
#define MBEDTLS_HAVE_TIME_DATE
//#define MBEDTLS_PLATFORM_MEMORY
//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
//#define MBEDTLS_PLATFORM_SETBUF_ALT
//#define MBEDTLS_PLATFORM_EXIT_ALT
//#define MBEDTLS_PLATFORM_TIME_ALT
//#define MBEDTLS_PLATFORM_FPRINTF_ALT
//#define MBEDTLS_PLATFORM_PRINTF_ALT
//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
//#define MBEDTLS_PLATFORM_NV_SEED_ALT
//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
//#define MBEDTLS_PLATFORM_MS_TIME_ALT
//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
#define MBEDTLS_FS_IO
//#define MBEDTLS_MEMORY_DEBUG
//#define MBEDTLS_MEMORY_BACKTRACE
//#define MBEDTLS_THREADING_ALT
//#define MBEDTLS_THREADING_PTHREAD
#define MBEDTLS_PLATFORM_C
//#define MBEDTLS_THREADING_C
#define MBEDTLS_TIMING_C
//#define MBEDTLS_TIMING_ALT
//#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
//#define MBEDTLS_PLATFORM_STD_CALLOC calloc
//#define MBEDTLS_PLATFORM_STD_FREE free
//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf
//#define MBEDTLS_PLATFORM_STD_EXIT exit
//#define MBEDTLS_PLATFORM_STD_TIME time
//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf
//#define MBEDTLS_PLATFORM_STD_PRINTF printf
//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf
//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0
//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1
//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read
//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write
//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile"
//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc
//#define MBEDTLS_PLATFORM_FREE_MACRO free
//#define MBEDTLS_PLATFORM_EXIT_MACRO exit
//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf
//#define MBEDTLS_PLATFORM_TIME_MACRO time
//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf
//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf
//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write
//#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t
//#define MBEDTLS_PRINTF_MS_TIME PRId64
//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4

* SECTION "General and test configuration options"
//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
//#define MBEDTLS_DEPRECATED_WARNING
//#define MBEDTLS_DEPRECATED_REMOVED
//#define MBEDTLS_CHECK_RETURN_WARNING
#define MBEDTLS_SELF_TEST
//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
//#define MBEDTLS_TEST_HOOKS

//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__))
//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result))

* SECTION "Cryptographic mechanism selection (PSA API)"
PSA_WANT_\* macros as in current crypto_config.h.

* SECTION "Cryptographic mechanism selection (extended API)"
#define MBEDTLS_CIPHER_C
//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_LMS_C
//#define MBEDTLS_LMS_PRIVATE
#define MBEDTLS_MD_C
#define MBEDTLS_NIST_KW_C
#define MBEDTLS_PK_PARSE_EC_EXTENDED
#define MBEDTLS_PK_PARSE_EC_COMPRESSED
#define MBEDTLS_PK_RSA_ALT_SUPPORT
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_WRITE_C
#define MBEDTLS_PKCS5_C
#define MBEDTLS_PKCS12_C

//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48
//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000
//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256
//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024
//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384
//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000
//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256
//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024
//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384

* SECTION "Data format support"
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_BASE64_C
#define MBEDTLS_OID_C
#define MBEDTLS_PEM_PARSE_C
#define MBEDTLS_PEM_WRITE_C

* SECTION "PSA core"
//#define MBEDTLS_ENTROPY_HARDWARE_ALT
//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
//#define MBEDTLS_NO_PLATFORM_ENTROPY
//#define MBEDTLS_ENTROPY_FORCE_SHA256
//#define MBEDTLS_ENTROPY_NV_SEED
//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
#define MBEDTLS_PSA_CRYPTO_C
//#define MBEDTLS_PSA_CRYPTO_CLIENT
//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
//#define MBEDTLS_PSA_CRYPTO_SPM
//#define MBEDTLS_PSA_INJECT_ENTROPY
//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
#define MBEDTLS_PSA_ITS_FILE_C
//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h"
//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h"
//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
//#define MBEDTLS_ENTROPY_MAX_SOURCES 20
//#define MBEDTLS_ENTROPY_MAX_GATHER 128
//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32

* SECTION "Builtin drivers"
#define MBEDTLS_HAVE_ASM
//#define MBEDTLS_NO_UDBL_DIVISION
//#define MBEDTLS_NO_64BIT_MULTIPLICATION
//#define MBEDTLS_HAVE_SSE2
#define MBEDTLS_AESNI_C
#define MBEDTLS_AESCE_C
//#define MBEDTLS_AES_ROM_TABLES
//#define MBEDTLS_AES_FEWER_TABLES
//#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
//#define MBEDTLS_AES_USE_HARDWARE_ONLY
//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
#define MBEDTLS_ECP_NIST_OPTIM
//#define MBEDTLS_ECP_RESTARTABLE
//#define MBEDTLS_ECP_WITH_MPI_UINT
//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
//#define MBEDTLS_SHA256_SMALLER
//#define MBEDTLS_SHA512_SMALLER
//#define MBEDTLS_RSA_NO_CRT
//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
//#define MBEDTLS_GCM_LARGE_TABLE
//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
//#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
//#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
//#define MBEDTLS_MPI_WINDOW_SIZE 2
//#define MBEDTLS_MPI_MAX_SIZE 1024
//#define MBEDTLS_ECP_WINDOW_SIZE 4
//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1
//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024

* SECTION "Legacy cryptography"
#define MBEDTLS_CIPHER_MODE_CBC
#define MBEDTLS_CIPHER_MODE_CFB
#define MBEDTLS_CIPHER_MODE_CTR
#define MBEDTLS_CIPHER_MODE_OFB
#define MBEDTLS_CIPHER_MODE_XTS
#define MBEDTLS_CIPHER_PADDING_PKCS7
#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
#define MBEDTLS_CIPHER_PADDING_ZEROS
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
#define MBEDTLS_ECP_DP_BP256R1_ENABLED
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
#define MBEDTLS_ECP_DP_CURVE448_ENABLED
#define MBEDTLS_ECDSA_DETERMINISTIC
#define MBEDTLS_GENPRIME
#define MBEDTLS_PKCS1_V15
#define MBEDTLS_PKCS1_V21
//#define MBEDTLS_PSA_CRYPTO_CONFIG
#define MBEDTLS_AES_C
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_CAMELLIA_C
#define MBEDTLS_ARIA_C
#define MBEDTLS_CCM_C
#define MBEDTLS_CHACHA20_C
#define MBEDTLS_CHACHAPOLY_C
#define MBEDTLS_CMAC_C
#define MBEDTLS_DES_C
#define MBEDTLS_DHM_C
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECJPAKE_C
#define MBEDTLS_ECP_C
#define MBEDTLS_GCM_C
#define MBEDTLS_HKDF_C
#define MBEDTLS_MD5_C
#define MBEDTLS_PADLOCK_C
#define MBEDTLS_POLY1305_C
//#define MBEDTLS_PSA_CRYPTO_SE_C
#define MBEDTLS_RIPEMD160_C
#define MBEDTLS_RSA_C
#define MBEDTLS_SHA1_C
#define MBEDTLS_SHA224_C
#define MBEDTLS_SHA256_C
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#define MBEDTLS_SHA3_C

### In mbedtls_config.h, we have:
* SECTION "Platform abstraction layer"
#define MBEDTLS_NET_C

* SECTION "Mbed TLS feature support"
//#define MBEDTLS_CIPHER_NULL_CIPHER
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#define MBEDTLS_ERROR_STRERROR_DUMMY
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
//#define MBEDTLS_SSL_ASYNC_PRIVATE
#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
//#define MBEDTLS_SSL_DEBUG_ALL
#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
#define MBEDTLS_SSL_RENEGOTIATION
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
#define MBEDTLS_SSL_PROTO_TLS1_2
#define MBEDTLS_SSL_PROTO_TLS1_3
#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
//#define MBEDTLS_SSL_EARLY_DATA
#define MBEDTLS_SSL_PROTO_DTLS
#define MBEDTLS_SSL_ALPN
#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
//#define MBEDTLS_SSL_DTLS_SRTP
#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
#define MBEDTLS_SSL_SESSION_TICKETS
#define MBEDTLS_SSL_SERVER_NAME_INDICATION
//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
//#define MBEDTLS_USE_PSA_CRYPTO
#define MBEDTLS_VERSION_C
#define MBEDTLS_VERSION_FEATURES
//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
//#define MBEDTLS_X509_REMOVE_INFO
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT

* SECTION "Mbed TLS modules"
#define MBEDTLS_DEBUG_C
#define MBEDTLS_ERROR_C
#define MBEDTLS_PKCS7_C
#define MBEDTLS_SSL_CACHE_C
#define MBEDTLS_SSL_COOKIE_C
#define MBEDTLS_SSL_TICKET_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_TLS_C
#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_X509_CRL_PARSE_C
#define MBEDTLS_X509_CSR_PARSE_C
#define MBEDTLS_X509_CREATE_C
#define MBEDTLS_X509_CRT_WRITE_C
#define MBEDTLS_X509_CSR_WRITE_C

* SECTION "General configuration options"
//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"

* SECTION "Module configuration options"
//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50
//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
//#define MBEDTLS_SSL_CID_IN_LEN_MAX 32
//#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32
//#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16
//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
//#define MBEDTLS_PSK_MAX_LEN 32
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60
//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024
//#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
//#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512