blob: 3369620fbb382a1790f98fbc334f4716c562fed4 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/**
2 * \file config.h
3 *
Paul Bakker37ca75d2011-01-06 12:28:03 +00004 * \brief Configuration options (set of defines)
5 *
Simon Butcher5b331b92016-01-03 16:14:14 +00006 * This set of compile-time options may be used to enable
7 * or disable features selectively, and reduce the global
8 * memory footprint.
Darryl Greena40a1012018-01-05 15:33:17 +00009 */
10/*
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +020011 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +020012 * SPDX-License-Identifier: Apache-2.0
13 *
14 * Licensed under the Apache License, Version 2.0 (the "License"); you may
15 * not use this file except in compliance with the License.
16 * You may obtain a copy of the License at
17 *
18 * http://www.apache.org/licenses/LICENSE-2.0
19 *
20 * Unless required by applicable law or agreed to in writing, software
21 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23 * See the License for the specific language governing permissions and
24 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +000025 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +000026 * This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnarde2b0efe2015-08-11 10:38:37 +020027 */
28
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020029#ifndef MBEDTLS_CONFIG_H
30#define MBEDTLS_CONFIG_H
Paul Bakker5121ce52009-01-03 21:22:43 +000031
Paul Bakkercce9d772011-11-18 14:26:47 +000032#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
Paul Bakker5121ce52009-01-03 21:22:43 +000033#define _CRT_SECURE_NO_DEPRECATE 1
34#endif
35
Paul Bakkerf3b86c12011-01-27 15:24:17 +000036/**
Paul Bakker0a62cd12011-01-21 11:00:08 +000037 * \name SECTION: System support
38 *
39 * This section sets system specific settings.
40 * \{
41 */
42
Paul Bakkerf3b86c12011-01-27 15:24:17 +000043/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020044 * \def MBEDTLS_HAVE_ASM
Paul Bakkerf3b86c12011-01-27 15:24:17 +000045 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +020046 * The compiler has support for asm().
Paul Bakker68041ec2009-04-19 21:17:55 +000047 *
48 * Requires support for asm() in compiler.
49 *
50 * Used in:
51 * library/timing.c
52 * library/padlock.c
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +000053 * include/mbedtls/bn_mul.h
Paul Bakker68041ec2009-04-19 21:17:55 +000054 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +020055 * Comment to disable the use of assembly code.
Paul Bakker5121ce52009-01-03 21:22:43 +000056 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020057#define MBEDTLS_HAVE_ASM
Paul Bakker5121ce52009-01-03 21:22:43 +000058
Paul Bakkerf3b86c12011-01-27 15:24:17 +000059/**
Gilles Peskineb1a977f2017-06-08 15:19:20 +020060 * \def MBEDTLS_NO_UDBL_DIVISION
61 *
62 * The platform lacks support for double-width integer division (64-bit
63 * division on a 32-bit platform, 128-bit division on a 64-bit platform).
64 *
65 * Used in:
66 * include/mbedtls/bignum.h
67 * library/bignum.c
68 *
69 * The bignum code uses double-width division to speed up some operations.
70 * Double-width division is often implemented in software that needs to
71 * be linked with the program. The presence of a double-width integer
72 * type is usually detected automatically through preprocessor macros,
73 * but the automatic detection cannot know whether the code needs to
74 * and can be linked with an implementation of division for that type.
75 * By default division is assumed to be usable if the type is present.
76 * Uncomment this option to prevent the use of double-width division.
77 *
78 * Note that division for the native integer type is always required.
79 * Furthermore, a 64-bit type is always required even on a 32-bit
Andres Amaya Garciac630ce62017-07-21 10:56:22 +010080 * platform, but it need not support multiplication or division. In some
81 * cases it is also desirable to disable some double-width operations. For
82 * example, if double-width division is implemented in software, disabling
83 * it can reduce code size in some embedded targets.
Gilles Peskineb1a977f2017-06-08 15:19:20 +020084 */
85//#define MBEDTLS_NO_UDBL_DIVISION
86
87/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020088 * \def MBEDTLS_HAVE_SSE2
Paul Bakkerf3b86c12011-01-27 15:24:17 +000089 *
Paul Bakkere23c3152012-10-01 14:42:47 +000090 * CPU supports SSE2 instruction set.
Paul Bakkerf3b86c12011-01-27 15:24:17 +000091 *
Paul Bakker5121ce52009-01-03 21:22:43 +000092 * Uncomment if the CPU supports SSE2 (IA-32 specific).
Paul Bakker5121ce52009-01-03 21:22:43 +000093 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020094//#define MBEDTLS_HAVE_SSE2
Paul Bakkerfa9b1002013-07-03 15:31:03 +020095
96/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020097 * \def MBEDTLS_HAVE_TIME
Paul Bakkerfa9b1002013-07-03 15:31:03 +020098 *
Manuel Pégourié-Gonnard60c793b2015-06-18 20:52:58 +020099 * System has time.h and time().
100 * The time does not need to be correct, only time differences are used,
101 * by contrast with MBEDTLS_HAVE_TIME_DATE
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200102 *
Andres Amaya Garcia1e4ec662016-07-20 10:16:25 +0100103 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
104 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
105 * MBEDTLS_PLATFORM_STD_TIME.
106 *
Paul Bakkerfa9b1002013-07-03 15:31:03 +0200107 * Comment if your system does not support time functions
108 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200109#define MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnard10934de2013-12-13 12:54:09 +0100110
111/**
Manuel Pégourié-Gonnard60c793b2015-06-18 20:52:58 +0200112 * \def MBEDTLS_HAVE_TIME_DATE
113 *
114 * System has time.h and time(), gmtime() and the clock is correct.
115 * The time needs to be correct (not necesarily very accurate, but at least
116 * the date should be correct). This is used to verify the validity period of
117 * X.509 certificates.
118 *
119 * Comment if your system does not have a correct clock.
120 */
121#define MBEDTLS_HAVE_TIME_DATE
122
123/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200124 * \def MBEDTLS_PLATFORM_MEMORY
Paul Bakkerdefc0ca2014-02-04 17:30:24 +0100125 *
126 * Enable the memory allocation layer.
127 *
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +0200128 * By default mbed TLS uses the system-provided calloc() and free().
Paul Bakkerdefc0ca2014-02-04 17:30:24 +0100129 * This allows different allocators (self-implemented or provided) to be
130 * provided to the platform abstraction layer.
131 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200132 * Enabling MBEDTLS_PLATFORM_MEMORY without the
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +0200133 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
134 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
Rich Evans16f8cd82015-02-06 16:14:34 +0000135 * free() function pointer at runtime.
136 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200137 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +0200138 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
Rich Evans16f8cd82015-02-06 16:14:34 +0000139 * alternate function at compile time.
Paul Bakkerdefc0ca2014-02-04 17:30:24 +0100140 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200141 * Requires: MBEDTLS_PLATFORM_C
Paul Bakkerdefc0ca2014-02-04 17:30:24 +0100142 *
143 * Enable this layer to allow use of alternative memory allocators.
144 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200145//#define MBEDTLS_PLATFORM_MEMORY
Paul Bakkerdefc0ca2014-02-04 17:30:24 +0100146
147/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200148 * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
Paul Bakker088c5c52014-04-25 11:11:10 +0200149 *
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +0200150 * Do not assign standard functions in the platform layer (e.g. calloc() to
151 * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
Paul Bakker088c5c52014-04-25 11:11:10 +0200152 *
153 * This makes sure there are no linking errors on platforms that do not support
154 * these functions. You will HAVE to provide alternatives, either at runtime
155 * via the platform_set_xxx() functions or at compile time by setting
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200156 * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
157 * MBEDTLS_PLATFORM_XXX_MACRO.
Paul Bakker088c5c52014-04-25 11:11:10 +0200158 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200159 * Requires: MBEDTLS_PLATFORM_C
Paul Bakker088c5c52014-04-25 11:11:10 +0200160 *
161 * Uncomment to prevent default assignment of standard functions in the
162 * platform layer.
163 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200164//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
Paul Bakker088c5c52014-04-25 11:11:10 +0200165
166/**
Janos Follathc351d182016-03-21 08:43:59 +0000167 * \def MBEDTLS_PLATFORM_EXIT_ALT
Paul Bakker747a83a2014-02-01 22:50:07 +0100168 *
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100169 * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
170 * function in the platform abstraction layer.
Paul Bakker747a83a2014-02-01 22:50:07 +0100171 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200172 * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
173 * provide a function "mbedtls_platform_set_printf()" that allows you to set an
Paul Bakker747a83a2014-02-01 22:50:07 +0100174 * alternative printf function pointer.
175 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200176 * All these define require MBEDTLS_PLATFORM_C to be defined!
Paul Bakker747a83a2014-02-01 22:50:07 +0100177 *
Manuel Pégourié-Gonnard9db28872015-06-26 10:52:01 +0200178 * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;
179 * it will be enabled automatically by check_config.h
180 *
Manuel Pégourié-Gonnard6c0c8e02015-06-22 10:23:34 +0200181 * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200182 * MBEDTLS_PLATFORM_XXX_MACRO!
Rich Evans16f8cd82015-02-06 16:14:34 +0000183 *
Andres Amaya Garcia1e4ec662016-07-20 10:16:25 +0100184 * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
185 *
Paul Bakker747a83a2014-02-01 22:50:07 +0100186 * Uncomment a macro to enable alternate implementation of specific base
187 * platform function
188 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200189//#define MBEDTLS_PLATFORM_EXIT_ALT
SimonBd5800b72016-04-26 07:43:27 +0100190//#define MBEDTLS_PLATFORM_TIME_ALT
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200191//#define MBEDTLS_PLATFORM_FPRINTF_ALT
192//#define MBEDTLS_PLATFORM_PRINTF_ALT
193//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
Paul Bakkercf0a9f92016-06-01 11:25:44 +0100194//#define MBEDTLS_PLATFORM_NV_SEED_ALT
Andres Amaya Garciad91f99f2017-07-18 10:23:04 +0100195//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100196
197/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200198 * \def MBEDTLS_DEPRECATED_WARNING
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100199 *
200 * Mark deprecated functions so that they generate a warning if used.
201 * Functions deprecated in one version will usually be removed in the next
202 * version. You can enable this to help you prepare the transition to a new
203 * major version by making sure your code is not using these functions.
204 *
205 * This only works with GCC and Clang. With other compilers, you may want to
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200206 * use MBEDTLS_DEPRECATED_REMOVED
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100207 *
208 * Uncomment to get warnings on using deprecated functions.
209 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200210//#define MBEDTLS_DEPRECATED_WARNING
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100211
212/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200213 * \def MBEDTLS_DEPRECATED_REMOVED
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100214 *
215 * Remove deprecated functions so that they generate an error if used.
216 * Functions deprecated in one version will usually be removed in the next
217 * version. You can enable this to help you prepare the transition to a new
218 * major version by making sure your code is not using these functions.
219 *
220 * Uncomment to get errors on using deprecated functions.
221 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200222//#define MBEDTLS_DEPRECATED_REMOVED
Manuel Pégourié-Gonnardc70581c2015-03-23 13:58:27 +0100223
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200224/* \} name SECTION: System support */
Paul Bakker0a62cd12011-01-21 11:00:08 +0000225
Paul Bakkerf3b86c12011-01-27 15:24:17 +0000226/**
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +0000227 * \name SECTION: mbed TLS feature support
Paul Bakker0a62cd12011-01-21 11:00:08 +0000228 *
229 * This section sets support for features that are or are not needed
230 * within the modules that are enabled.
231 * \{
232 */
Paul Bakker5121ce52009-01-03 21:22:43 +0000233
Paul Bakkerf3b86c12011-01-27 15:24:17 +0000234/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200235 * \def MBEDTLS_TIMING_ALT
Paul Bakkerf2561b32014-02-06 15:11:55 +0100236 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200237 * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(),
Manuel Pégourié-Gonnarda63bc942015-05-14 18:22:47 +0200238 * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay()
Paul Bakkerf2561b32014-02-06 15:11:55 +0100239 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200240 * Only works if you have MBEDTLS_TIMING_C enabled.
Paul Bakkerf2561b32014-02-06 15:11:55 +0100241 *
242 * You will need to provide a header "timing_alt.h" and an implementation at
243 * compile time.
244 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200245//#define MBEDTLS_TIMING_ALT
Paul Bakkerf2561b32014-02-06 15:11:55 +0100246
247/**
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100248 * \def MBEDTLS_AES_ALT
Paul Bakker90995b52013-06-24 19:20:35 +0200249 *
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100250 * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
Janos Follathb0697532016-08-18 12:38:46 +0100251 * alternate core implementation of a symmetric crypto, an arithmetic or hash
252 * module (e.g. platform specific assembly optimized implementations). Keep
253 * in mind that the function prototypes should remain the same.
Paul Bakker90995b52013-06-24 19:20:35 +0200254 *
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200255 * This replaces the whole module. If you only want to replace one of the
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200256 * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200257 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200258 * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer
Janos Follathee782bc2016-11-07 15:41:26 +0000259 * provide the "struct mbedtls_aes_context" definition and omit the base
260 * function declarations and implementations. "aes_alt.h" will be included from
Paul Bakker90995b52013-06-24 19:20:35 +0200261 * "aes.h" to include the new function definitions.
262 *
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200263 * Uncomment a macro to enable alternate implementation of the corresponding
264 * module.
Hanno Beckerbbca8c52017-09-25 14:53:51 +0100265 *
266 * \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their
267 * use constitutes a security risk. If possible, we recommend
268 * avoiding dependencies on them, and considering stronger message
269 * digests and ciphers instead.
270 *
Paul Bakker90995b52013-06-24 19:20:35 +0200271 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200272//#define MBEDTLS_AES_ALT
273//#define MBEDTLS_ARC4_ALT
Markku-Juhani O. Saarinen0fb47fe2017-12-01 15:41:38 +0000274//#define MBEDTLS_ARIA_ALT
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200275//#define MBEDTLS_BLOWFISH_ALT
276//#define MBEDTLS_CAMELLIA_ALT
Steven Cooreman222e2ff2017-04-04 11:37:15 +0200277//#define MBEDTLS_CCM_ALT
Steven Cooreman63342772017-04-04 11:47:16 +0200278//#define MBEDTLS_CMAC_ALT
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200279//#define MBEDTLS_DES_ALT
nirekh01d569ecf2018-01-09 16:43:21 +0000280//#define MBEDTLS_DHM_ALT
Hanno Becker616d1ca2018-01-24 10:25:05 +0000281//#define MBEDTLS_ECJPAKE_ALT
Jaeden Amero15263302017-09-21 12:53:48 +0100282//#define MBEDTLS_GCM_ALT
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200283//#define MBEDTLS_MD2_ALT
284//#define MBEDTLS_MD4_ALT
285//#define MBEDTLS_MD5_ALT
286//#define MBEDTLS_RIPEMD160_ALT
Hanno Becker88683b22018-01-04 18:26:54 +0000287//#define MBEDTLS_RSA_ALT
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200288//#define MBEDTLS_SHA1_ALT
289//#define MBEDTLS_SHA256_ALT
290//#define MBEDTLS_SHA512_ALT
Hanno Becker88683b22018-01-04 18:26:54 +0000291//#define MBEDTLS_XTEA_ALT
Markku-Juhani O. Saarinen0fb47fe2017-12-01 15:41:38 +0000292
Janos Follathb0697532016-08-18 12:38:46 +0100293/*
294 * When replacing the elliptic curve module, pleace consider, that it is
295 * implemented with two .c files:
296 * - ecp.c
297 * - ecp_curves.c
Janos Follathee782bc2016-11-07 15:41:26 +0000298 * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
299 * macros as described above. The only difference is that you have to make sure
300 * that you provide functionality for both .c files.
Janos Follathb0697532016-08-18 12:38:46 +0100301 */
302//#define MBEDTLS_ECP_ALT
Paul Bakker90995b52013-06-24 19:20:35 +0200303
304/**
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100305 * \def MBEDTLS_MD2_PROCESS_ALT
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200306 *
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100307 * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
308 * alternate core implementation of symmetric crypto or hash function. Keep in
309 * mind that function prototypes should remain the same.
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200310 *
311 * This replaces only one function. The header file from mbed TLS is still
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200312 * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200313 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200314 * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
315 * no longer provide the mbedtls_sha1_process() function, but it will still provide
316 * the other function (using your mbedtls_sha1_process() function) and the definition
317 * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200318 * with this definition.
319 *
Hanno Becker6d84ae72017-06-26 12:46:19 +0100320 * \note Because of a signature change, the core AES encryption and decryption routines are
321 * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
322 * respectively. When setting up alternative implementations, these functions should
323 * be overriden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
Hanno Beckerca1cdb22017-07-20 09:50:59 +0100324 * must stay untouched.
Hanno Becker6d84ae72017-06-26 12:46:19 +0100325 *
326 * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
327 * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
328 * tables.
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200329 *
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200330 * Uncomment a macro to enable alternate implementation of the corresponding
331 * function.
Hanno Beckerbbca8c52017-09-25 14:53:51 +0100332 *
333 * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
334 * constitutes a security risk. If possible, we recommend avoiding
335 * dependencies on them, and considering stronger message digests
336 * and ciphers instead.
337 *
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200338 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200339//#define MBEDTLS_MD2_PROCESS_ALT
340//#define MBEDTLS_MD4_PROCESS_ALT
341//#define MBEDTLS_MD5_PROCESS_ALT
342//#define MBEDTLS_RIPEMD160_PROCESS_ALT
343//#define MBEDTLS_SHA1_PROCESS_ALT
344//#define MBEDTLS_SHA256_PROCESS_ALT
345//#define MBEDTLS_SHA512_PROCESS_ALT
Manuel Pégourié-Gonnard70a50102015-05-12 15:02:45 +0200346//#define MBEDTLS_DES_SETKEY_ALT
347//#define MBEDTLS_DES_CRYPT_ECB_ALT
348//#define MBEDTLS_DES3_CRYPT_ECB_ALT
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200349//#define MBEDTLS_AES_SETKEY_ENC_ALT
350//#define MBEDTLS_AES_SETKEY_DEC_ALT
351//#define MBEDTLS_AES_ENCRYPT_ALT
352//#define MBEDTLS_AES_DECRYPT_ALT
Ron Eldora84c1cb2017-10-10 19:04:27 +0300353//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
Ron Eldor3226d362017-10-12 14:17:48 +0300354//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
Ron Eldor314adb62017-10-10 18:28:25 +0300355//#define MBEDTLS_ECDSA_VERIFY_ALT
356//#define MBEDTLS_ECDSA_SIGN_ALT
357//#define MBEDTLS_ECDSA_GENKEY_ALT
Manuel Pégourié-Gonnard427b6722015-03-31 18:32:50 +0200358
359/**
Janos Follathc44ab972016-11-18 16:38:23 +0000360 * \def MBEDTLS_ECP_INTERNAL_ALT
361 *
362 * Expose a part of the internal interface of the Elliptic Curve Point module.
Janos Follathb0697532016-08-18 12:38:46 +0100363 *
364 * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
Janos Follath372697b2016-10-28 16:53:11 +0100365 * alternative core implementation of elliptic curve arithmetic. Keep in mind
366 * that function prototypes should remain the same.
Janos Follathb0697532016-08-18 12:38:46 +0100367 *
368 * This partially replaces one function. The header file from mbed TLS is still
369 * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
370 * is still present and it is used for group structures not supported by the
371 * alternative.
372 *
Janos Follathc44ab972016-11-18 16:38:23 +0000373 * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
374 * and implementing the following functions:
375 * unsigned char mbedtls_internal_ecp_grp_capable(
376 * const mbedtls_ecp_group *grp )
377 * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
378 * void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
379 * The mbedtls_internal_ecp_grp_capable function should return 1 if the
380 * replacement functions implement arithmetic for the given group and 0
381 * otherwise.
382 * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
383 * called before and after each point operation and provide an opportunity to
384 * implement optimized set up and tear down instructions.
Janos Follathb0697532016-08-18 12:38:46 +0100385 *
Janos Follathc44ab972016-11-18 16:38:23 +0000386 * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and
Janos Follath4d9c69d2016-11-01 13:27:03 +0000387 * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac
Janos Follathc44ab972016-11-18 16:38:23 +0000388 * function, but will use your mbedtls_internal_ecp_double_jac if the group is
389 * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when
390 * receives it as an argument). If the group is not supported then the original
Janos Follathee782bc2016-11-07 15:41:26 +0000391 * implementation is used. The other functions and the definition of
392 * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your
Janos Follathc44ab972016-11-18 16:38:23 +0000393 * implementation of mbedtls_internal_ecp_double_jac and
394 * mbedtls_internal_ecp_grp_capable must be compatible with this definition.
Janos Follathb0697532016-08-18 12:38:46 +0100395 *
396 * Uncomment a macro to enable alternate implementation of the corresponding
397 * function.
398 */
399/* Required for all the functions in this section */
Janos Follathc44ab972016-11-18 16:38:23 +0000400//#define MBEDTLS_ECP_INTERNAL_ALT
Janos Follathb0697532016-08-18 12:38:46 +0100401/* Support for Weierstrass curves with Jacobi representation */
402//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
403//#define MBEDTLS_ECP_ADD_MIXED_ALT
404//#define MBEDTLS_ECP_DOUBLE_JAC_ALT
405//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
406//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
407/* Support for curves with Montgomery arithmetic */
408//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
409//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
410//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
411
412/**
Simon Butcherab5df402016-06-11 02:31:21 +0100413 * \def MBEDTLS_TEST_NULL_ENTROPY
Janos Follath53de7842016-06-08 15:29:18 +0100414 *
Simon Butcherab5df402016-06-11 02:31:21 +0100415 * Enables testing and use of mbed TLS without any configured entropy sources.
416 * This permits use of the library on platforms before an entropy source has
417 * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
418 * MBEDTLS_ENTROPY_NV_SEED switches).
419 *
420 * WARNING! This switch MUST be disabled in production builds, and is suitable
421 * only for development.
422 * Enabling the switch negates any security provided by the library.
Janos Follath53de7842016-06-08 15:29:18 +0100423 *
Janos Follathf93b8bc2016-06-09 13:54:15 +0100424 * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
425 *
Janos Follath53de7842016-06-08 15:29:18 +0100426 */
Simon Butcherab5df402016-06-11 02:31:21 +0100427//#define MBEDTLS_TEST_NULL_ENTROPY
Janos Follath53de7842016-06-08 15:29:18 +0100428
429/**
Manuel Pégourié-Gonnard8ba88f02015-06-22 12:14:20 +0200430 * \def MBEDTLS_ENTROPY_HARDWARE_ALT
Manuel Pégourié-Gonnard3f77dfb2015-06-19 10:06:21 +0200431 *
432 * Uncomment this macro to let mbed TLS use your own implementation of a
433 * hardware entropy collector.
434 *
435 * Your function must be called \c mbedtls_hardware_poll(), have the same
436 * prototype as declared in entropy_poll.h, and accept NULL as first argument.
437 *
438 * Uncomment to use your own hardware entropy collector.
439 */
440//#define MBEDTLS_ENTROPY_HARDWARE_ALT
441
442/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200443 * \def MBEDTLS_AES_ROM_TABLES
Paul Bakker15566e42011-04-24 21:19:15 +0000444 *
445 * Store the AES tables in ROM.
446 *
447 * Uncomment this macro to store the AES tables in ROM.
Paul Bakker15566e42011-04-24 21:19:15 +0000448 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200449//#define MBEDTLS_AES_ROM_TABLES
Paul Bakker15566e42011-04-24 21:19:15 +0000450
451/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200452 * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
Manuel Pégourié-Gonnard62edcc82015-04-03 16:28:19 +0200453 *
454 * Use less ROM for the Camellia implementation (saves about 768 bytes).
455 *
456 * Uncomment this macro to use less memory for Camellia.
457 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200458//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
Manuel Pégourié-Gonnard62edcc82015-04-03 16:28:19 +0200459
460/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200461 * \def MBEDTLS_CIPHER_MODE_CBC
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200462 *
463 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
464 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200465#define MBEDTLS_CIPHER_MODE_CBC
Manuel Pégourié-Gonnardf7dc3782013-09-13 14:10:44 +0200466
467/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200468 * \def MBEDTLS_CIPHER_MODE_CFB
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000469 *
470 * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
471 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200472#define MBEDTLS_CIPHER_MODE_CFB
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000473
474/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200475 * \def MBEDTLS_CIPHER_MODE_CTR
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000476 *
477 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
478 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200479#define MBEDTLS_CIPHER_MODE_CTR
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000480
481/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200482 * \def MBEDTLS_CIPHER_NULL_CIPHER
Paul Bakkerfab5c822012-02-06 16:45:10 +0000483 *
484 * Enable NULL cipher.
485 * Warning: Only do so when you know what you are doing. This allows for
486 * encryption or channels without any security!
487 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200488 * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
Paul Bakkerfab5c822012-02-06 16:45:10 +0000489 * the following ciphersuites:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200490 * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
491 * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
492 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
493 * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
494 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
495 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
496 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
497 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
498 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
499 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
500 * MBEDTLS_TLS_RSA_WITH_NULL_SHA256
501 * MBEDTLS_TLS_RSA_WITH_NULL_SHA
502 * MBEDTLS_TLS_RSA_WITH_NULL_MD5
503 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
504 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
505 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
506 * MBEDTLS_TLS_PSK_WITH_NULL_SHA384
507 * MBEDTLS_TLS_PSK_WITH_NULL_SHA256
508 * MBEDTLS_TLS_PSK_WITH_NULL_SHA
Paul Bakkerfab5c822012-02-06 16:45:10 +0000509 *
510 * Uncomment this macro to enable the NULL cipher and ciphersuites
Paul Bakkerfab5c822012-02-06 16:45:10 +0000511 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200512//#define MBEDTLS_CIPHER_NULL_CIPHER
Paul Bakkerfab5c822012-02-06 16:45:10 +0000513
514/**
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100515 * \def MBEDTLS_CIPHER_PADDING_PKCS7
Paul Bakker48e93c82013-08-14 12:21:18 +0200516 *
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100517 * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
518 * specific padding modes in the cipher layer with cipher modes that support
519 * padding (e.g. CBC)
Paul Bakker48e93c82013-08-14 12:21:18 +0200520 *
521 * If you disable all padding modes, only full blocks can be used with CBC.
522 *
523 * Enable padding modes in the cipher layer.
524 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200525#define MBEDTLS_CIPHER_PADDING_PKCS7
526#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
527#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
528#define MBEDTLS_CIPHER_PADDING_ZEROS
Paul Bakker48e93c82013-08-14 12:21:18 +0200529
530/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200531 * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
Paul Bakkerfab5c822012-02-06 16:45:10 +0000532 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200533 * Enable weak ciphersuites in SSL / TLS.
Paul Bakkerfab5c822012-02-06 16:45:10 +0000534 * Warning: Only do so when you know what you are doing. This allows for
Paul Bakker9a736322012-11-14 12:39:52 +0000535 * channels with virtually no security at all!
Paul Bakkerfab5c822012-02-06 16:45:10 +0000536 *
537 * This enables the following ciphersuites:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200538 * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
539 * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
Paul Bakkerfab5c822012-02-06 16:45:10 +0000540 *
541 * Uncomment this macro to enable weak ciphersuites
Hanno Beckerbbca8c52017-09-25 14:53:51 +0100542 *
543 * \warning DES is considered a weak cipher and its use constitutes a
544 * security risk. We recommend considering stronger ciphers instead.
Paul Bakkerfab5c822012-02-06 16:45:10 +0000545 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200546//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
Paul Bakkerfab5c822012-02-06 16:45:10 +0000547
548/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200549 * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnard01edb102014-06-24 22:42:34 +0200550 *
551 * Remove RC4 ciphersuites by default in SSL / TLS.
552 * This flag removes the ciphersuites based on RC4 from the default list as
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200553 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +0200554 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
Manuel Pégourié-Gonnard01edb102014-06-24 22:42:34 +0200555 * explicitly.
556 *
557 * Uncomment this macro to remove RC4 ciphersuites by default.
558 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200559#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnard01edb102014-06-24 22:42:34 +0200560
561/**
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100562 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200563 *
Manuel Pégourié-Gonnard76da60c2016-01-04 13:51:01 +0100564 * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
565 * module. By default all supported curves are enabled.
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200566 *
567 * Comment macros to disable the curve and functions for it
568 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200569#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
570#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
571#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
572#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
573#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
574#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
575#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
576#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
577#define MBEDTLS_ECP_DP_BP256R1_ENABLED
578#define MBEDTLS_ECP_DP_BP384R1_ENABLED
579#define MBEDTLS_ECP_DP_BP512R1_ENABLED
Manuel Pégourié-Gonnard07894332015-06-23 00:18:41 +0200580#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
Paul Bakker5dc6b5f2013-06-29 23:26:34 +0200581
582/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200583 * \def MBEDTLS_ECP_NIST_OPTIM
Manuel Pégourié-Gonnardc04c5302013-10-23 16:11:52 +0200584 *
585 * Enable specific 'modulo p' routines for each NIST prime.
586 * Depending on the prime and architecture, makes operations 4 to 8 times
587 * faster on the corresponding curve.
588 *
589 * Comment this macro to disable NIST curves optimisation.
590 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200591#define MBEDTLS_ECP_NIST_OPTIM
Manuel Pégourié-Gonnardc04c5302013-10-23 16:11:52 +0200592
593/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200594 * \def MBEDTLS_ECDSA_DETERMINISTIC
Manuel Pégourié-Gonnard461d4162014-01-06 10:16:28 +0100595 *
596 * Enable deterministic ECDSA (RFC 6979).
597 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing
598 * may result in a compromise of the long-term signing key. This is avoided by
599 * the deterministic variant.
600 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200601 * Requires: MBEDTLS_HMAC_DRBG_C
Manuel Pégourié-Gonnard5b1a5732014-01-07 16:46:17 +0100602 *
Manuel Pégourié-Gonnard461d4162014-01-06 10:16:28 +0100603 * Comment this macro to disable deterministic ECDSA.
604 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200605#define MBEDTLS_ECDSA_DETERMINISTIC
Manuel Pégourié-Gonnard461d4162014-01-06 10:16:28 +0100606
607/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200608 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200609 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200610 * Enable the PSK based ciphersuite modes in SSL / TLS.
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200611 *
Paul Bakkere07f41d2013-04-19 09:08:57 +0200612 * This enables the following ciphersuites (if other requisites are
613 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200614 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
615 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
616 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
617 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
618 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
619 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
620 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
621 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
622 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
623 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
624 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
625 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200626 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200627#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
Paul Bakkerd4a56ec2013-04-16 18:05:29 +0200628
629/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200630 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200631 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200632 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
Paul Bakkere07f41d2013-04-19 09:08:57 +0200633 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200634 * Requires: MBEDTLS_DHM_C
Paul Bakkere07f41d2013-04-19 09:08:57 +0200635 *
636 * This enables the following ciphersuites (if other requisites are
637 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200638 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
639 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
640 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
641 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
642 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
643 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
644 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
645 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
646 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
647 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
648 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
649 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
Hanno Beckera2f6b722017-09-28 10:33:29 +0100650 *
Hanno Beckerf9734b32017-10-03 12:09:22 +0100651 * \warning Using DHE constitutes a security risk as it
652 * is not possible to validate custom DH parameters.
653 * If possible, it is recommended users should consider
654 * preferring other methods of key exchange.
655 * See dhm.h for more details.
Hanno Beckera2f6b722017-09-28 10:33:29 +0100656 *
Paul Bakkere07f41d2013-04-19 09:08:57 +0200657 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200658#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200659
660/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200661 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200662 *
663 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
664 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200665 * Requires: MBEDTLS_ECDH_C
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200666 *
667 * This enables the following ciphersuites (if other requisites are
668 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200669 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
670 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
671 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
672 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
673 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
674 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
675 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
676 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200677 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200678#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
Manuel Pégourié-Gonnard3ce3bbd2013-10-11 16:53:50 +0200679
680/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200681 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200682 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200683 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
Manuel Pégourié-Gonnard0fae60b2013-10-14 17:39:48 +0200684 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200685 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
686 * MBEDTLS_X509_CRT_PARSE_C
Paul Bakkere07f41d2013-04-19 09:08:57 +0200687 *
688 * This enables the following ciphersuites (if other requisites are
689 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200690 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
691 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
692 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
693 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
694 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
695 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
696 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
697 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
698 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
699 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
700 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
701 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
Paul Bakkere07f41d2013-04-19 09:08:57 +0200702 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200703#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200704
705/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200706 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200707 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200708 * Enable the RSA-only based ciphersuite modes in SSL / TLS.
Paul Bakkere07f41d2013-04-19 09:08:57 +0200709 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200710 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
711 * MBEDTLS_X509_CRT_PARSE_C
Paul Bakkere07f41d2013-04-19 09:08:57 +0200712 *
713 * This enables the following ciphersuites (if other requisites are
714 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200715 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
716 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
717 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
718 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
719 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
720 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
721 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
722 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
723 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
724 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
725 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
726 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
727 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
728 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
729 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
Paul Bakkere07f41d2013-04-19 09:08:57 +0200730 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200731#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200732
733/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200734 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200735 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200736 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
Paul Bakkere07f41d2013-04-19 09:08:57 +0200737 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200738 * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
739 * MBEDTLS_X509_CRT_PARSE_C
Paul Bakkere07f41d2013-04-19 09:08:57 +0200740 *
741 * This enables the following ciphersuites (if other requisites are
742 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200743 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
744 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
745 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
746 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
747 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
748 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
749 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
750 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
751 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
752 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
753 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
754 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
755 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Hanno Beckera2f6b722017-09-28 10:33:29 +0100756 *
Hanno Beckerf9734b32017-10-03 12:09:22 +0100757 * \warning Using DHE constitutes a security risk as it
758 * is not possible to validate custom DH parameters.
759 * If possible, it is recommended users should consider
760 * preferring other methods of key exchange.
761 * See dhm.h for more details.
Hanno Beckera2f6b722017-09-28 10:33:29 +0100762 *
Paul Bakkere07f41d2013-04-19 09:08:57 +0200763 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200764#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200765
766/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200767 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200768 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200769 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
Paul Bakkere07f41d2013-04-19 09:08:57 +0200770 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200771 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
772 * MBEDTLS_X509_CRT_PARSE_C
Paul Bakkere07f41d2013-04-19 09:08:57 +0200773 *
774 * This enables the following ciphersuites (if other requisites are
775 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200776 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
777 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
778 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
779 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
780 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
781 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
782 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
783 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
784 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
785 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
786 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
787 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
Paul Bakkere07f41d2013-04-19 09:08:57 +0200788 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200789#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
Paul Bakkere07f41d2013-04-19 09:08:57 +0200790
791/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200792 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200793 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200794 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200795 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200796 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200797 *
798 * This enables the following ciphersuites (if other requisites are
799 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200800 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
801 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
802 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
803 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
804 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
805 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
806 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
807 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
808 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
809 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
810 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
811 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200812 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200813#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard32ea60a2013-08-17 17:39:04 +0200814
815/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200816 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100817 *
818 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
819 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200820 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100821 *
822 * This enables the following ciphersuites (if other requisites are
823 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200824 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
825 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
826 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
827 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
828 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
829 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
830 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
831 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
832 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
833 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
834 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
835 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100836 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200837#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100838
839/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200840 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100841 *
842 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
843 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200844 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100845 *
846 * This enables the following ciphersuites (if other requisites are
847 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200848 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
849 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
850 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
851 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
852 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
853 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
854 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
855 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
856 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
857 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
858 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
859 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100860 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200861#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
Manuel Pégourié-Gonnard25781b22013-12-11 16:17:10 +0100862
863/**
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +0200864 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
865 *
866 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS.
867 *
Manuel Pégourié-Gonnard75df9022015-09-16 23:21:01 +0200868 * \warning This is currently experimental. EC J-PAKE support is based on the
869 * Thread v1.0.0 specification; incompatible changes to the specification
870 * might still happen. For this reason, this is disabled by default.
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +0200871 *
872 * Requires: MBEDTLS_ECJPAKE_C
873 * MBEDTLS_SHA256_C
874 * MBEDTLS_ECP_DP_SECP256R1_ENABLED
875 *
876 * This enables the following ciphersuites (if other requisites are
877 * enabled as well):
878 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
879 */
Manuel Pégourié-Gonnardcf828932015-10-20 14:57:00 +0200880//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnard557535d2015-09-15 17:53:32 +0200881
882/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200883 * \def MBEDTLS_PK_PARSE_EC_EXTENDED
Manuel Pégourié-Gonnard6fac3512014-03-19 16:39:52 +0100884 *
885 * Enhance support for reading EC keys using variants of SEC1 not allowed by
886 * RFC 5915 and RFC 5480.
887 *
888 * Currently this means parsing the SpecifiedECDomain choice of EC
889 * parameters (only known groups are supported, not arbitrary domains, to
890 * avoid validation issues).
891 *
892 * Disable if you only need to support RFC 5915 + 5480 key formats.
893 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200894#define MBEDTLS_PK_PARSE_EC_EXTENDED
Manuel Pégourié-Gonnard6fac3512014-03-19 16:39:52 +0100895
896/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200897 * \def MBEDTLS_ERROR_STRERROR_DUMMY
Paul Bakker8fe40dc2013-02-02 12:43:08 +0100898 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200899 * Enable a dummy error function to make use of mbedtls_strerror() in
900 * third party libraries easier when MBEDTLS_ERROR_C is disabled
901 * (no effect when MBEDTLS_ERROR_C is enabled).
Manuel Pégourié-Gonnarddc16aa72014-06-25 12:55:12 +0200902 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200903 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
904 * not using mbedtls_strerror() or error_strerror() in your application.
Paul Bakker8fe40dc2013-02-02 12:43:08 +0100905 *
906 * Disable if you run into name conflicts and want to really remove the
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200907 * mbedtls_strerror()
Paul Bakker8fe40dc2013-02-02 12:43:08 +0100908 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200909#define MBEDTLS_ERROR_STRERROR_DUMMY
Paul Bakker8fe40dc2013-02-02 12:43:08 +0100910
911/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200912 * \def MBEDTLS_GENPRIME
Paul Bakkerf3b86c12011-01-27 15:24:17 +0000913 *
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +0200914 * Enable the prime-number generation code.
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +0200915 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200916 * Requires: MBEDTLS_BIGNUM_C
Paul Bakker5121ce52009-01-03 21:22:43 +0000917 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200918#define MBEDTLS_GENPRIME
Paul Bakker5121ce52009-01-03 21:22:43 +0000919
Paul Bakkerf3b86c12011-01-27 15:24:17 +0000920/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200921 * \def MBEDTLS_FS_IO
Paul Bakker335db3f2011-04-25 15:28:35 +0000922 *
923 * Enable functions that use the filesystem.
924 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200925#define MBEDTLS_FS_IO
Paul Bakker335db3f2011-04-25 15:28:35 +0000926
927/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200928 * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
Paul Bakker43655f42011-12-15 20:11:16 +0000929 *
930 * Do not add default entropy sources. These are the platform specific,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200931 * mbedtls_timing_hardclock and HAVEGE based poll functions.
Paul Bakker43655f42011-12-15 20:11:16 +0000932 *
Shuo Chen95a0d112014-04-04 21:04:40 -0700933 * This is useful to have more control over the added entropy sources in an
Paul Bakker43655f42011-12-15 20:11:16 +0000934 * application.
935 *
936 * Uncomment this macro to prevent loading of default entropy functions.
Paul Bakker43655f42011-12-15 20:11:16 +0000937 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200938//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
Paul Bakker43655f42011-12-15 20:11:16 +0000939
940/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200941 * \def MBEDTLS_NO_PLATFORM_ENTROPY
Paul Bakker6083fd22011-12-03 21:45:14 +0000942 *
943 * Do not use built-in platform entropy functions.
944 * This is useful if your platform does not support
945 * standards like the /dev/urandom or Windows CryptoAPI.
946 *
947 * Uncomment this macro to disable the built-in platform entropy functions.
Paul Bakker6083fd22011-12-03 21:45:14 +0000948 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200949//#define MBEDTLS_NO_PLATFORM_ENTROPY
Paul Bakker6083fd22011-12-03 21:45:14 +0000950
951/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200952 * \def MBEDTLS_ENTROPY_FORCE_SHA256
Paul Bakker2ceda572014-02-06 15:55:25 +0100953 *
954 * Force the entropy accumulator to use a SHA-256 accumulator instead of the
955 * default SHA-512 based one (if both are available).
956 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200957 * Requires: MBEDTLS_SHA256_C
Paul Bakker2ceda572014-02-06 15:55:25 +0100958 *
959 * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
960 * if you have performance concerns.
961 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200962 * This option is only useful if both MBEDTLS_SHA256_C and
963 * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
Paul Bakker2ceda572014-02-06 15:55:25 +0100964 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200965//#define MBEDTLS_ENTROPY_FORCE_SHA256
Paul Bakker2ceda572014-02-06 15:55:25 +0100966
967/**
Paul Bakkercf0a9f92016-06-01 11:25:44 +0100968 * \def MBEDTLS_ENTROPY_NV_SEED
969 *
970 * Enable the non-volatile (NV) seed file-based entropy source.
971 * (Also enables the NV seed read/write functions in the platform layer)
972 *
973 * This is crucial (if not required) on systems that do not have a
974 * cryptographic entropy source (in hardware or kernel) available.
975 *
976 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
977 *
Paul Bakker71a597a2016-06-07 10:59:03 +0100978 * \note The read/write functions that are used by the entropy source are
979 * determined in the platform layer, and can be modified at runtime and/or
980 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
981 *
982 * \note If you use the default implementation functions that read a seedfile
Paul Bakkercf0a9f92016-06-01 11:25:44 +0100983 * with regular fopen(), please make sure you make a seedfile with the
984 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
985 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
Paul Bakker71a597a2016-06-07 10:59:03 +0100986 * and written to or you will get an entropy source error! The default
987 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
988 * bytes from the file.
989 *
990 * \note The entropy collector will write to the seed file before entropy is
991 * given to an external source, to update it.
Paul Bakkercf0a9f92016-06-01 11:25:44 +0100992 */
993//#define MBEDTLS_ENTROPY_NV_SEED
994
995/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200996 * \def MBEDTLS_MEMORY_DEBUG
Paul Bakker6e339b52013-07-03 13:37:05 +0200997 *
998 * Enable debugging of buffer allocator memory issues. Automatically prints
999 * (to stderr) all (fatal) messages on memory allocation issues. Enables
1000 * function for 'debug output' of allocated memory.
1001 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001002 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
Paul Bakker6e339b52013-07-03 13:37:05 +02001003 *
1004 * Uncomment this macro to let the buffer allocator print out error messages.
Paul Bakkera7ea6a52013-10-15 11:55:10 +02001005 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001006//#define MBEDTLS_MEMORY_DEBUG
Paul Bakker6e339b52013-07-03 13:37:05 +02001007
1008/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001009 * \def MBEDTLS_MEMORY_BACKTRACE
Paul Bakker6e339b52013-07-03 13:37:05 +02001010 *
1011 * Include backtrace information with each allocated block.
1012 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001013 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
Paul Bakker6e339b52013-07-03 13:37:05 +02001014 * GLIBC-compatible backtrace() an backtrace_symbols() support
1015 *
1016 * Uncomment this macro to include backtrace information
Paul Bakker6e339b52013-07-03 13:37:05 +02001017 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001018//#define MBEDTLS_MEMORY_BACKTRACE
Paul Bakker6e339b52013-07-03 13:37:05 +02001019
1020/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001021 * \def MBEDTLS_PK_RSA_ALT_SUPPORT
Manuel Pégourié-Gonnard348bcb32015-03-31 14:01:33 +02001022 *
1023 * Support external private RSA keys (eg from a HSM) in the PK layer.
1024 *
1025 * Comment this macro to disable support for external private RSA keys.
1026 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001027#define MBEDTLS_PK_RSA_ALT_SUPPORT
Manuel Pégourié-Gonnard348bcb32015-03-31 14:01:33 +02001028
1029/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001030 * \def MBEDTLS_PKCS1_V15
Paul Bakker48377d92013-08-30 12:06:24 +02001031 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001032 * Enable support for PKCS#1 v1.5 encoding.
1033 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001034 * Requires: MBEDTLS_RSA_C
Paul Bakker48377d92013-08-30 12:06:24 +02001035 *
Paul Bakker48377d92013-08-30 12:06:24 +02001036 * This enables support for PKCS#1 v1.5 operations.
1037 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001038#define MBEDTLS_PKCS1_V15
Paul Bakker48377d92013-08-30 12:06:24 +02001039
1040/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001041 * \def MBEDTLS_PKCS1_V21
Paul Bakker9dcc3222011-03-08 14:16:06 +00001042 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001043 * Enable support for PKCS#1 v2.1 encoding.
1044 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001045 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C
Paul Bakker5690efc2011-05-26 13:16:06 +00001046 *
Paul Bakker9dcc3222011-03-08 14:16:06 +00001047 * This enables support for RSAES-OAEP and RSASSA-PSS operations.
1048 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001049#define MBEDTLS_PKCS1_V21
Paul Bakker9dcc3222011-03-08 14:16:06 +00001050
1051/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001052 * \def MBEDTLS_RSA_NO_CRT
Paul Bakker0216cc12011-03-26 13:40:23 +00001053 *
1054 * Do not use the Chinese Remainder Theorem for the RSA private operation.
1055 *
1056 * Uncomment this macro to disable the use of CRT in RSA.
1057 *
Paul Bakker0216cc12011-03-26 13:40:23 +00001058 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001059//#define MBEDTLS_RSA_NO_CRT
Paul Bakker15566e42011-04-24 21:19:15 +00001060
1061/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001062 * \def MBEDTLS_SELF_TEST
Paul Bakker15566e42011-04-24 21:19:15 +00001063 *
1064 * Enable the checkup functions (*_self_test).
1065 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001066#define MBEDTLS_SELF_TEST
Paul Bakker5c721f92011-07-27 16:51:09 +00001067
1068/**
Manuel Pégourié-Gonnardeb0d8702015-05-28 12:54:04 +02001069 * \def MBEDTLS_SHA256_SMALLER
1070 *
1071 * Enable an implementation of SHA-256 that has lower ROM footprint but also
1072 * lower performance.
1073 *
1074 * The default implementation is meant to be a reasonnable compromise between
1075 * performance and size. This version optimizes more aggressively for size at
1076 * the expense of performance. Eg on Cortex-M4 it reduces the size of
1077 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
1078 * 30%.
1079 *
1080 * Uncomment to enable the smaller implementation of SHA256.
1081 */
1082//#define MBEDTLS_SHA256_SMALLER
1083
1084/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001085 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
Paul Bakker40865c82013-01-31 17:13:13 +01001086 *
1087 * Enable sending of alert messages in case of encountered errors as per RFC.
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00001088 * If you choose not to send the alert messages, mbed TLS can still communicate
Paul Bakker40865c82013-01-31 17:13:13 +01001089 * with other servers, only debugging of failures is harder.
1090 *
1091 * The advantage of not sending alert messages, is that no information is given
1092 * about reasons for failures thus preventing adversaries of gaining intel.
1093 *
1094 * Enable sending of all alert messages
1095 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001096#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
Paul Bakker40865c82013-01-31 17:13:13 +01001097
1098/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001099 * \def MBEDTLS_SSL_DEBUG_ALL
Paul Bakkerd66f0702013-01-31 16:57:45 +01001100 *
1101 * Enable the debug messages in SSL module for all issues.
1102 * Debug messages have been disabled in some places to prevent timing
1103 * attacks due to (unbalanced) debugging function calls.
1104 *
1105 * If you need all error reporting you should enable this during debugging,
1106 * but remove this for production servers that should log as well.
1107 *
1108 * Uncomment this macro to report all debug messages on errors introducing
1109 * a timing side-channel.
1110 *
Paul Bakkerd66f0702013-01-31 16:57:45 +01001111 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001112//#define MBEDTLS_SSL_DEBUG_ALL
Paul Bakkerd66f0702013-01-31 16:57:45 +01001113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001114/** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001115 *
1116 * Enable support for Encrypt-then-MAC, RFC 7366.
1117 *
1118 * This allows peers that both support it to use a more robust protection for
1119 * ciphersuites using CBC, providing deep resistance against timing attacks
1120 * on the padding or underlying cipher.
1121 *
1122 * This only affects CBC ciphersuites, and is useless if none is defined.
1123 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001124 * Requires: MBEDTLS_SSL_PROTO_TLS1 or
1125 * MBEDTLS_SSL_PROTO_TLS1_1 or
1126 * MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001127 *
1128 * Comment this macro to disable support for Encrypt-then-MAC
1129 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001130#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001131
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001132/** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001133 *
1134 * Enable support for Extended Master Secret, aka Session Hash
1135 * (draft-ietf-tls-session-hash-02).
1136 *
1137 * This was introduced as "the proper fix" to the Triple Handshake familiy of
1138 * attacks, but it is recommended to always use it (even if you disable
1139 * renegotiation), since it actually fixes a more fundamental issue in the
1140 * original SSL/TLS design, and has implications beyond Triple Handshake.
1141 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001142 * Requires: MBEDTLS_SSL_PROTO_TLS1 or
1143 * MBEDTLS_SSL_PROTO_TLS1_1 or
1144 * MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard769c6b62014-10-28 14:13:55 +01001145 *
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001146 * Comment this macro to disable support for Extended Master Secret.
1147 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001148#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001149
Paul Bakkerd66f0702013-01-31 16:57:45 +01001150/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001151 * \def MBEDTLS_SSL_FALLBACK_SCSV
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001152 *
1153 * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
1154 *
1155 * For servers, it is recommended to always enable this, unless you support
1156 * only one version of TLS, or know for sure that none of your clients
1157 * implements a fallback strategy.
1158 *
1159 * For clients, you only need this if you're using a fallback strategy, which
1160 * is not recommended in the first place, unless you absolutely need it to
1161 * interoperate with buggy (version-intolerant) servers.
1162 *
1163 * Comment this macro to disable support for FALLBACK_SCSV
1164 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001165#define MBEDTLS_SSL_FALLBACK_SCSV
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001166
1167/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001168 * \def MBEDTLS_SSL_HW_RECORD_ACCEL
Paul Bakker05ef8352012-05-08 09:17:57 +00001169 *
1170 * Enable hooking functions in SSL module for hardware acceleration of
1171 * individual records.
1172 *
1173 * Uncomment this macro to enable hooking functions.
Paul Bakker05ef8352012-05-08 09:17:57 +00001174 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001175//#define MBEDTLS_SSL_HW_RECORD_ACCEL
Paul Bakker05ef8352012-05-08 09:17:57 +00001176
1177/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001178 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01001179 *
1180 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
1181 *
1182 * This is a countermeasure to the BEAST attack, which also minimizes the risk
1183 * of interoperability issues compared to sending 0-length records.
1184 *
1185 * Comment this macro to disable 1/n-1 record splitting.
1186 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001187#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
Manuel Pégourié-Gonnardd76314c2015-01-07 12:39:44 +01001188
1189/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001190 * \def MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001191 *
Manuel Pégourié-Gonnard03717042014-11-04 19:52:10 +01001192 * Disable support for TLS renegotiation.
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001193 *
1194 * The two main uses of renegotiation are (1) refresh keys on long-lived
1195 * connections and (2) client authentication after the initial handshake.
1196 * If you don't need renegotiation, it's probably better to disable it, since
1197 * it has been associated with security issues in the past and is easy to
1198 * misuse/misunderstand.
Manuel Pégourié-Gonnard03717042014-11-04 19:52:10 +01001199 *
Manuel Pégourié-Gonnard55f968b2015-03-09 16:23:15 +00001200 * Comment this to disable support for renegotiation.
Hanno Becker6851b102017-10-12 14:57:48 +01001201 *
1202 * \note Even if this option is disabled, both client and server are aware
1203 * of the Renegotiation Indication Extension (RFC 5746) used to
1204 * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
1205 * (See \c mbedtls_ssl_conf_legacy_renegotiation for the
1206 * configuration of this extension).
1207 *
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001208 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001209#define MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard615e6772014-11-03 08:23:14 +01001210
1211/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001212 * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
Paul Bakker78a8c712013-03-06 17:01:52 +01001213 *
1214 * Enable support for receiving and parsing SSLv2 Client Hello messages for the
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001215 * SSL Server module (MBEDTLS_SSL_SRV_C).
Paul Bakker78a8c712013-03-06 17:01:52 +01001216 *
Manuel Pégourié-Gonnard265dd5c2015-03-10 13:48:34 +00001217 * Uncomment this macro to enable support for SSLv2 Client Hello messages.
Paul Bakker78a8c712013-03-06 17:01:52 +01001218 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001219//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
Paul Bakker78a8c712013-03-06 17:01:52 +01001220
1221/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001222 * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +01001223 *
1224 * Pick the ciphersuite according to the client's preferences rather than ours
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001225 * in the SSL Server module (MBEDTLS_SSL_SRV_C).
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +01001226 *
1227 * Uncomment this macro to respect client's ciphersuite order
1228 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001229//#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
Manuel Pégourié-Gonnard1a9f2c72013-11-30 18:30:06 +01001230
1231/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001232 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Paul Bakker05decb22013-08-15 13:33:48 +02001233 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001234 * Enable support for RFC 6066 max_fragment_length extension in SSL.
Paul Bakker05decb22013-08-15 13:33:48 +02001235 *
1236 * Comment this macro to disable support for the max_fragment_length extension
1237 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001238#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Paul Bakker05decb22013-08-15 13:33:48 +02001239
1240/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001241 * \def MBEDTLS_SSL_PROTO_SSL3
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001242 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001243 * Enable support for SSL 3.0.
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001244 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001245 * Requires: MBEDTLS_MD5_C
1246 * MBEDTLS_SHA1_C
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001247 *
1248 * Comment this macro to disable support for SSL 3.0
1249 */
Janos Follathe2681a42016-03-07 15:57:05 +00001250//#define MBEDTLS_SSL_PROTO_SSL3
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001251
1252/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001253 * \def MBEDTLS_SSL_PROTO_TLS1
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001254 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001255 * Enable support for TLS 1.0.
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001256 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001257 * Requires: MBEDTLS_MD5_C
1258 * MBEDTLS_SHA1_C
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001259 *
1260 * Comment this macro to disable support for TLS 1.0
1261 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001262#define MBEDTLS_SSL_PROTO_TLS1
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001263
1264/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001265 * \def MBEDTLS_SSL_PROTO_TLS1_1
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001266 *
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001267 * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001268 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001269 * Requires: MBEDTLS_MD5_C
1270 * MBEDTLS_SHA1_C
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001271 *
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001272 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001273 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001274#define MBEDTLS_SSL_PROTO_TLS1_1
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001275
1276/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001277 * \def MBEDTLS_SSL_PROTO_TLS1_2
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001278 *
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001279 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001280 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001281 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001282 * (Depends on ciphersuites)
1283 *
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001284 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001285 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001286#define MBEDTLS_SSL_PROTO_TLS1_2
Paul Bakkerd2f068e2013-08-27 21:19:20 +02001287
1288/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001289 * \def MBEDTLS_SSL_PROTO_DTLS
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001290 *
1291 * Enable support for DTLS (all available versions).
1292 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001293 * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0,
1294 * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001295 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001296 * Requires: MBEDTLS_SSL_PROTO_TLS1_1
1297 * or MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001298 *
1299 * Comment this macro to disable support for DTLS
1300 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001301#define MBEDTLS_SSL_PROTO_DTLS
Manuel Pégourié-Gonnard0b1ff292014-02-06 13:04:16 +01001302
1303/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001304 * \def MBEDTLS_SSL_ALPN
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02001305 *
Manuel Pégourié-Gonnard6b298e62014-11-20 18:28:50 +01001306 * Enable support for RFC 7301 Application Layer Protocol Negotiation.
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02001307 *
Paul Bakker27e36d32014-04-08 12:33:37 +02001308 * Comment this macro to disable support for ALPN.
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02001309 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001310#define MBEDTLS_SSL_ALPN
Manuel Pégourié-Gonnard7e250d42014-04-04 16:08:41 +02001311
1312/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001313 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
Manuel Pégourié-Gonnard8464a462014-09-24 14:05:32 +02001314 *
1315 * Enable support for the anti-replay mechanism in DTLS.
1316 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001317 * Requires: MBEDTLS_SSL_TLS_C
1318 * MBEDTLS_SSL_PROTO_DTLS
Manuel Pégourié-Gonnard8464a462014-09-24 14:05:32 +02001319 *
Manuel Pégourié-Gonnarda6fcffe2014-10-13 18:15:52 +02001320 * \warning Disabling this is often a security risk!
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02001321 * See mbedtls_ssl_conf_dtls_anti_replay() for details.
Manuel Pégourié-Gonnarda6fcffe2014-10-13 18:15:52 +02001322 *
Manuel Pégourié-Gonnard8464a462014-09-24 14:05:32 +02001323 * Comment this to disable anti-replay in DTLS.
1324 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001325#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
Manuel Pégourié-Gonnard8464a462014-09-24 14:05:32 +02001326
1327/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001328 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
Manuel Pégourié-Gonnard82202f02014-07-23 00:28:58 +02001329 *
1330 * Enable support for HelloVerifyRequest on DTLS servers.
1331 *
1332 * This feature is highly recommended to prevent DTLS servers being used as
1333 * amplifiers in DoS attacks against other hosts. It should always be enabled
1334 * unless you know for sure amplification cannot be a problem in the
1335 * environment in which your server operates.
1336 *
Manuel Pégourié-Gonnarda6fcffe2014-10-13 18:15:52 +02001337 * \warning Disabling this can ba a security risk! (see above)
1338 *
Manuel Pégourié-Gonnarde057d3b2015-05-20 10:59:43 +02001339 * Requires: MBEDTLS_SSL_PROTO_DTLS
Manuel Pégourié-Gonnard82202f02014-07-23 00:28:58 +02001340 *
1341 * Comment this to disable support for HelloVerifyRequest.
1342 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001343#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
Manuel Pégourié-Gonnard82202f02014-07-23 00:28:58 +02001344
1345/**
Manuel Pégourié-Gonnard26d227d2015-09-04 10:53:25 +02001346 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
1347 *
1348 * Enable server-side support for clients that reconnect from the same port.
1349 *
1350 * Some clients unexpectedly close the connection and try to reconnect using the
1351 * same source port. This needs special support from the server to handle the
Simon Butcher4f6882a2015-09-11 17:12:46 +01001352 * new connection securely, as described in section 4.2.8 of RFC 6347. This
Manuel Pégourié-Gonnard26d227d2015-09-04 10:53:25 +02001353 * flag enables that support.
1354 *
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02001355 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
Manuel Pégourié-Gonnard62c74bb2015-09-08 17:50:29 +02001356 *
Manuel Pégourié-Gonnard26d227d2015-09-04 10:53:25 +02001357 * Comment this to disable support for clients reusing the source port.
1358 */
1359#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
1360
1361/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001362 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001363 *
1364 * Enable support for a limit of records with bad MAC.
1365 *
Manuel Pégourié-Gonnard6729e792015-05-11 09:50:24 +02001366 * See mbedtls_ssl_conf_dtls_badmac_limit().
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001367 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001368 * Requires: MBEDTLS_SSL_PROTO_DTLS
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001369 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001370#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
Manuel Pégourié-Gonnardb0643d12014-10-14 18:30:36 +02001371
1372/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001373 * \def MBEDTLS_SSL_SESSION_TICKETS
Paul Bakkera503a632013-08-14 13:48:06 +02001374 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001375 * Enable support for RFC 5077 session tickets in SSL.
Manuel Pégourié-Gonnard0c0f11f2015-05-20 09:55:50 +02001376 * Client-side, provides full support for session tickets (maintainance of a
1377 * session store remains the responsibility of the application, though).
1378 * Server-side, you also need to provide callbacks for writing and parsing
1379 * tickets, including authenticated encryption and key management. Example
1380 * callbacks are provided by MBEDTLS_SSL_TICKET_C.
Paul Bakkera503a632013-08-14 13:48:06 +02001381 *
1382 * Comment this macro to disable support for SSL session tickets
1383 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001384#define MBEDTLS_SSL_SESSION_TICKETS
Paul Bakkera503a632013-08-14 13:48:06 +02001385
1386/**
Robert Cragie4feb7ae2015-10-02 13:33:37 +01001387 * \def MBEDTLS_SSL_EXPORT_KEYS
1388 *
Manuel Pégourié-Gonnard024b6df2015-10-19 13:52:53 +02001389 * Enable support for exporting key block and master secret.
Robert Cragie4feb7ae2015-10-02 13:33:37 +01001390 * This is required for certain users of TLS, e.g. EAP-TLS.
1391 *
1392 * Comment this macro to disable support for key export
1393 */
1394#define MBEDTLS_SSL_EXPORT_KEYS
1395
1396/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001397 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
Paul Bakker0be444a2013-08-27 21:55:01 +02001398 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001399 * Enable support for RFC 6066 server name indication (SNI) in SSL.
Paul Bakker0be444a2013-08-27 21:55:01 +02001400 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001401 * Requires: MBEDTLS_X509_CRT_PARSE_C
Manuel Pégourié-Gonnardbbbb3cf2015-01-28 16:44:37 +00001402 *
Paul Bakker0be444a2013-08-27 21:55:01 +02001403 * Comment this macro to disable support for server name indication in SSL
1404 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001405#define MBEDTLS_SSL_SERVER_NAME_INDICATION
Paul Bakker0be444a2013-08-27 21:55:01 +02001406
1407/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001408 * \def MBEDTLS_SSL_TRUNCATED_HMAC
Paul Bakker1f2bc622013-08-15 13:45:55 +02001409 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001410 * Enable support for RFC 6066 truncated HMAC in SSL.
Paul Bakker1f2bc622013-08-15 13:45:55 +02001411 *
1412 * Comment this macro to disable support for truncated HMAC in SSL
1413 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001414#define MBEDTLS_SSL_TRUNCATED_HMAC
Paul Bakker1f2bc622013-08-15 13:45:55 +02001415
1416/**
Hanno Beckere89353a2017-11-20 16:36:41 +00001417 * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
1418 *
Hanno Becker702dfbc2017-11-29 16:35:46 +00001419 * Fallback to old (pre-2.7), non-conforming implementation of the truncated
1420 * HMAC extension which also truncates the HMAC key. Note that this option is
1421 * only meant for a transitory upgrade period and is likely to be removed in
1422 * a future version of the library.
Hanno Beckere89353a2017-11-20 16:36:41 +00001423 *
Hanno Becker702dfbc2017-11-29 16:35:46 +00001424 * \warning The old implementation is non-compliant and has a security weakness
1425 * (2^80 brute force attack on the HMAC key used for a single,
1426 * uninterrupted connection). This should only be enabled temporarily
1427 * when (1) the use of truncated HMAC is essential in order to save
1428 * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
1429 * the fixed implementation yet (pre-2.7).
Hanno Beckere89353a2017-11-20 16:36:41 +00001430 *
Hanno Becker4c2ac7e2017-11-21 18:22:53 +00001431 * \deprecated This option is deprecated and will likely be removed in a
1432 * future version of Mbed TLS.
1433 *
Hanno Beckere89353a2017-11-20 16:36:41 +00001434 * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
1435 *
1436 * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
1437 */
1438//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
1439
1440/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001441 * \def MBEDTLS_THREADING_ALT
Paul Bakker2466d932013-09-28 14:40:38 +02001442 *
1443 * Provide your own alternate threading implementation.
1444 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001445 * Requires: MBEDTLS_THREADING_C
Paul Bakker2466d932013-09-28 14:40:38 +02001446 *
1447 * Uncomment this to allow your own alternate threading implementation.
Paul Bakker2466d932013-09-28 14:40:38 +02001448 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001449//#define MBEDTLS_THREADING_ALT
Paul Bakker2466d932013-09-28 14:40:38 +02001450
1451/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001452 * \def MBEDTLS_THREADING_PTHREAD
Paul Bakker2466d932013-09-28 14:40:38 +02001453 *
1454 * Enable the pthread wrapper layer for the threading layer.
1455 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001456 * Requires: MBEDTLS_THREADING_C
Paul Bakker2466d932013-09-28 14:40:38 +02001457 *
1458 * Uncomment this to enable pthread mutexes.
Paul Bakker2466d932013-09-28 14:40:38 +02001459 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001460//#define MBEDTLS_THREADING_PTHREAD
Paul Bakker2466d932013-09-28 14:40:38 +02001461
1462/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001463 * \def MBEDTLS_VERSION_FEATURES
Paul Bakker0f90d7d2014-04-30 11:49:44 +02001464 *
1465 * Allow run-time checking of compile-time enabled features. Thus allowing users
1466 * to check at run-time if the library is for instance compiled with threading
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001467 * support via mbedtls_version_check_feature().
Paul Bakker0f90d7d2014-04-30 11:49:44 +02001468 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001469 * Requires: MBEDTLS_VERSION_C
Paul Bakker0f90d7d2014-04-30 11:49:44 +02001470 *
1471 * Comment this to disable run-time checking and save ROM space
1472 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001473#define MBEDTLS_VERSION_FEATURES
Paul Bakker0f90d7d2014-04-30 11:49:44 +02001474
1475/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001476 * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
Paul Bakkerc27c4e22013-09-23 15:01:36 +02001477 *
1478 * If set, the X509 parser will not break-off when parsing an X509 certificate
1479 * and encountering an extension in a v1 or v2 certificate.
1480 *
1481 * Uncomment to prevent an error.
Paul Bakkerc27c4e22013-09-23 15:01:36 +02001482 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001483//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
Paul Bakkerc27c4e22013-09-23 15:01:36 +02001484
1485/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001486 * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
Paul Bakker5c721f92011-07-27 16:51:09 +00001487 *
1488 * If set, the X509 parser will not break-off when parsing an X509 certificate
1489 * and encountering an unknown critical extension.
1490 *
Manuel Pégourié-Gonnardcb6af002015-10-05 12:12:39 +01001491 * \warning Depending on your PKI use, enabling this can be a security risk!
1492 *
Paul Bakker5c721f92011-07-27 16:51:09 +00001493 * Uncomment to prevent an error.
Paul Bakker5c721f92011-07-27 16:51:09 +00001494 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001495//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
Paul Bakker2770fbd2012-07-03 13:30:23 +00001496
1497/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001498 * \def MBEDTLS_X509_CHECK_KEY_USAGE
Manuel Pégourié-Gonnard603116c2014-04-09 09:50:03 +02001499 *
1500 * Enable verification of the keyUsage extension (CA and leaf certificates).
1501 *
1502 * Disabling this avoids problems with mis-issued and/or misused
1503 * (intermediate) CA and leaf certificates.
1504 *
1505 * \warning Depending on your PKI use, disabling this can be a security risk!
1506 *
1507 * Comment to skip keyUsage checking for both CA and leaf certificates.
1508 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001509#define MBEDTLS_X509_CHECK_KEY_USAGE
Manuel Pégourié-Gonnard603116c2014-04-09 09:50:03 +02001510
1511/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001512 * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
Manuel Pégourié-Gonnard7afb8a02014-04-10 17:53:56 +02001513 *
1514 * Enable verification of the extendedKeyUsage extension (leaf certificates).
1515 *
1516 * Disabling this avoids problems with mis-issued and/or misused certificates.
1517 *
1518 * \warning Depending on your PKI use, disabling this can be a security risk!
1519 *
1520 * Comment to skip extendedKeyUsage checking for certificates.
1521 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001522#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
Manuel Pégourié-Gonnard7afb8a02014-04-10 17:53:56 +02001523
1524/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001525 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +02001526 *
1527 * Enable parsing and verification of X.509 certificates, CRLs and CSRS
1528 * signed with RSASSA-PSS (aka PKCS#1 v2.1).
1529 *
1530 * Comment this macro to disallow using RSASSA-PSS in certificates.
1531 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001532#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
Manuel Pégourié-Gonnardd1539b12014-06-06 16:42:37 +02001533
1534/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001535 * \def MBEDTLS_ZLIB_SUPPORT
Paul Bakker2770fbd2012-07-03 13:30:23 +00001536 *
1537 * If set, the SSL/TLS module uses ZLIB to support compression and
1538 * decompression of packet data.
1539 *
Manuel Pégourié-Gonnardbb4dd372014-03-11 10:30:38 +01001540 * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
1541 * CRIME attack. Before enabling this option, you should examine with care if
1542 * CRIME or similar exploits may be a applicable to your use case.
1543 *
Manuel Pégourié-Gonnard7c3b4ab2015-07-02 17:59:52 +02001544 * \note Currently compression can't be used with DTLS.
Manuel Pégourié-Gonnarda0e16322014-07-14 17:38:41 +02001545 *
Paul Bakker2770fbd2012-07-03 13:30:23 +00001546 * Used in: library/ssl_tls.c
1547 * library/ssl_cli.c
1548 * library/ssl_srv.c
1549 *
1550 * This feature requires zlib library and headers to be present.
1551 *
1552 * Uncomment to enable use of ZLIB
Paul Bakker2770fbd2012-07-03 13:30:23 +00001553 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001554//#define MBEDTLS_ZLIB_SUPPORT
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00001555/* \} name SECTION: mbed TLS feature support */
Paul Bakker0a62cd12011-01-21 11:00:08 +00001556
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001557/**
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00001558 * \name SECTION: mbed TLS modules
Paul Bakker0a62cd12011-01-21 11:00:08 +00001559 *
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00001560 * This section enables or disables entire modules in mbed TLS
Paul Bakker0a62cd12011-01-21 11:00:08 +00001561 * \{
1562 */
Paul Bakker5121ce52009-01-03 21:22:43 +00001563
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001564/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001565 * \def MBEDTLS_AESNI_C
Manuel Pégourié-Gonnard92ac76f2013-12-16 17:12:53 +01001566 *
1567 * Enable AES-NI support on x86-64.
1568 *
1569 * Module: library/aesni.c
1570 * Caller: library/aes.c
1571 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001572 * Requires: MBEDTLS_HAVE_ASM
Manuel Pégourié-Gonnard92ac76f2013-12-16 17:12:53 +01001573 *
1574 * This modules adds support for the AES-NI instructions on x86-64
1575 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001576#define MBEDTLS_AESNI_C
Manuel Pégourié-Gonnard92ac76f2013-12-16 17:12:53 +01001577
1578/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001579 * \def MBEDTLS_AES_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001580 *
1581 * Enable the AES block cipher.
1582 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001583 * Module: library/aes.c
1584 * Caller: library/ssl_tls.c
Paul Bakker96743fc2011-02-12 14:30:57 +00001585 * library/pem.c
Paul Bakker6083fd22011-12-03 21:45:14 +00001586 * library/ctr_drbg.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001587 *
Paul Bakker645ce3a2012-10-31 12:32:41 +00001588 * This module enables the following ciphersuites (if other requisites are
1589 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001590 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
1591 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
1592 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
1593 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
1594 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
1595 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
1596 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
1597 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
1598 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
1599 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
1600 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
1601 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
1602 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
1603 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
1604 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
1605 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
1606 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
1607 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
1608 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
1609 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
1610 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
1611 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
1612 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
1613 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
1614 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
1615 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
1616 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
1617 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
1618 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
1619 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
1620 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
1621 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
1622 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
1623 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
1624 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
1625 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
1626 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
1627 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
1628 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
1629 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
1630 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
1631 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
1632 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
1633 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
1634 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
1635 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
1636 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
1637 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
1638 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
1639 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
1640 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
1641 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
1642 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
1643 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
1644 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
1645 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
1646 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
1647 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
Paul Bakker6deb37e2013-02-19 13:17:08 +01001648 *
Paul Bakkercff68422013-09-15 20:43:33 +02001649 * PEM_PARSE uses AES for decrypting encrypted keys.
Paul Bakker5121ce52009-01-03 21:22:43 +00001650 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001651#define MBEDTLS_AES_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001652
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001653/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001654 * \def MBEDTLS_ARC4_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001655 *
1656 * Enable the ARCFOUR stream cipher.
1657 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001658 * Module: library/arc4.c
1659 * Caller: library/ssl_tls.c
1660 *
Paul Bakker41c83d32013-03-20 14:39:14 +01001661 * This module enables the following ciphersuites (if other requisites are
1662 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001663 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
1664 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
1665 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
1666 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
1667 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
1668 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
1669 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
1670 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
1671 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
1672 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
Hanno Beckerbbca8c52017-09-25 14:53:51 +01001673 *
1674 * \warning ARC4 is considered a weak cipher and its use constitutes a
1675 * security risk. If possible, we recommend avoidng dependencies on
1676 * it, and considering stronger ciphers instead.
1677 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001678 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001679#define MBEDTLS_ARC4_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001680
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001681/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001682 * \def MBEDTLS_ASN1_PARSE_C
Paul Bakkerefc30292011-11-10 14:43:23 +00001683 *
1684 * Enable the generic ASN1 parser.
1685 *
1686 * Module: library/asn1.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02001687 * Caller: library/x509.c
1688 * library/dhm.c
1689 * library/pkcs12.c
1690 * library/pkcs5.c
1691 * library/pkparse.c
Paul Bakkerefc30292011-11-10 14:43:23 +00001692 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001693#define MBEDTLS_ASN1_PARSE_C
Paul Bakkerefc30292011-11-10 14:43:23 +00001694
1695/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001696 * \def MBEDTLS_ASN1_WRITE_C
Paul Bakkerbdb912d2012-02-13 23:11:30 +00001697 *
1698 * Enable the generic ASN1 writer.
1699 *
1700 * Module: library/asn1write.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02001701 * Caller: library/ecdsa.c
1702 * library/pkwrite.c
1703 * library/x509_create.c
1704 * library/x509write_crt.c
Simon Butcher2cb47392016-11-04 12:23:11 +00001705 * library/x509write_csr.c
Paul Bakkerbdb912d2012-02-13 23:11:30 +00001706 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001707#define MBEDTLS_ASN1_WRITE_C
Paul Bakkerbdb912d2012-02-13 23:11:30 +00001708
1709/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001710 * \def MBEDTLS_BASE64_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001711 *
1712 * Enable the Base64 module.
1713 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001714 * Module: library/base64.c
Paul Bakker5690efc2011-05-26 13:16:06 +00001715 * Caller: library/pem.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001716 *
Paul Bakker5690efc2011-05-26 13:16:06 +00001717 * This module is required for PEM support (required by X.509).
Paul Bakker5121ce52009-01-03 21:22:43 +00001718 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001719#define MBEDTLS_BASE64_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001720
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001721/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001722 * \def MBEDTLS_BIGNUM_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001723 *
Paul Bakker9a736322012-11-14 12:39:52 +00001724 * Enable the multi-precision integer library.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001725 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001726 * Module: library/bignum.c
1727 * Caller: library/dhm.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02001728 * library/ecp.c
Manuel Pégourié-Gonnardbf319772014-06-25 13:00:17 +02001729 * library/ecdsa.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001730 * library/rsa.c
Hanno Beckera565f542017-10-11 11:00:19 +01001731 * library/rsa_internal.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001732 * library/ssl_tls.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001733 *
Manuel Pégourié-Gonnardbf319772014-06-25 13:00:17 +02001734 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
Paul Bakker5121ce52009-01-03 21:22:43 +00001735 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001736#define MBEDTLS_BIGNUM_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001737
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001738/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001739 * \def MBEDTLS_BLOWFISH_C
Paul Bakkera9379c02012-07-04 11:02:11 +00001740 *
1741 * Enable the Blowfish block cipher.
1742 *
1743 * Module: library/blowfish.c
1744 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001745#define MBEDTLS_BLOWFISH_C
Paul Bakkera9379c02012-07-04 11:02:11 +00001746
1747/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001748 * \def MBEDTLS_CAMELLIA_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001749 *
1750 * Enable the Camellia block cipher.
1751 *
Paul Bakker38119b12009-01-10 23:31:23 +00001752 * Module: library/camellia.c
Paul Bakker13e2dfe2009-07-28 07:18:38 +00001753 * Caller: library/ssl_tls.c
Paul Bakker38119b12009-01-10 23:31:23 +00001754 *
Paul Bakker645ce3a2012-10-31 12:32:41 +00001755 * This module enables the following ciphersuites (if other requisites are
1756 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001757 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
1758 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
1759 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
1760 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
1761 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
1762 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
1763 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
1764 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
1765 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
1766 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
1767 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
1768 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
1769 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
1770 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
1771 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
1772 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
1773 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
1774 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
1775 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
1776 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
1777 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
1778 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
1779 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
1780 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
1781 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
1782 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
1783 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
1784 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
1785 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
1786 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
1787 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
1788 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
1789 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
1790 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
1791 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
1792 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
1793 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
1794 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
1795 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
1796 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
1797 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
1798 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
Paul Bakker38119b12009-01-10 23:31:23 +00001799 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001800#define MBEDTLS_CAMELLIA_C
Paul Bakker38119b12009-01-10 23:31:23 +00001801
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001802/**
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +00001803 * \def MBEDTLS_ARIA_C
1804 *
1805 * Enable the ARIA block cipher.
1806 *
1807 * Module: library/aria.c
1808 */
1809#define MBEDTLS_ARIA_C
1810
1811/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001812 * \def MBEDTLS_CCM_C
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +02001813 *
1814 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
1815 *
1816 * Module: library/ccm.c
1817 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001818 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +02001819 *
1820 * This module enables the AES-CCM ciphersuites, if other requisites are
1821 * enabled as well.
1822 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001823#define MBEDTLS_CCM_C
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +02001824
1825/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001826 * \def MBEDTLS_CERTS_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001827 *
1828 * Enable the test certificates.
1829 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001830 * Module: library/certs.c
1831 * Caller:
1832 *
1833 * This module is used for testing (ssl_client/server).
1834 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001835#define MBEDTLS_CERTS_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001836
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001837/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001838 * \def MBEDTLS_CIPHER_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001839 *
1840 * Enable the generic cipher layer.
1841 *
Paul Bakker8123e9d2011-01-06 15:37:30 +00001842 * Module: library/cipher.c
Paul Bakker04784f52013-08-19 13:30:57 +02001843 * Caller: library/ssl_tls.c
Paul Bakker8123e9d2011-01-06 15:37:30 +00001844 *
1845 * Uncomment to enable generic cipher wrappers.
1846 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001847#define MBEDTLS_CIPHER_C
Paul Bakker8123e9d2011-01-06 15:37:30 +00001848
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001849/**
Robert Cragiedc5c7b92015-12-11 15:49:45 +00001850 * \def MBEDTLS_CMAC_C
1851 *
Simon Butcher327398a2016-10-05 14:09:11 +01001852 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
1853 * ciphers.
Robert Cragiedc5c7b92015-12-11 15:49:45 +00001854 *
1855 * Module: library/cmac.c
1856 *
Simon Butcher69283e52016-10-06 12:49:58 +01001857 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
Robert Cragiedc5c7b92015-12-11 15:49:45 +00001858 *
1859 */
Brian Murray53e23b62016-09-13 14:00:15 -07001860//#define MBEDTLS_CMAC_C
Robert Cragiedc5c7b92015-12-11 15:49:45 +00001861
1862/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001863 * \def MBEDTLS_CTR_DRBG_C
Paul Bakker0e04d0e2011-11-27 14:46:59 +00001864 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02001865 * Enable the CTR_DRBG AES-256-based random generator.
Paul Bakker0e04d0e2011-11-27 14:46:59 +00001866 *
1867 * Module: library/ctr_drbg.c
1868 * Caller:
1869 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001870 * Requires: MBEDTLS_AES_C
Paul Bakker6083fd22011-12-03 21:45:14 +00001871 *
Paul Bakker0e04d0e2011-11-27 14:46:59 +00001872 * This module provides the CTR_DRBG AES-256 random number generator.
1873 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001874#define MBEDTLS_CTR_DRBG_C
Paul Bakker0e04d0e2011-11-27 14:46:59 +00001875
1876/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001877 * \def MBEDTLS_DEBUG_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001878 *
1879 * Enable the debug functions.
1880 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001881 * Module: library/debug.c
1882 * Caller: library/ssl_cli.c
1883 * library/ssl_srv.c
1884 * library/ssl_tls.c
1885 *
1886 * This module provides debugging functions.
1887 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001888#define MBEDTLS_DEBUG_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001889
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001890/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001891 * \def MBEDTLS_DES_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001892 *
1893 * Enable the DES block cipher.
1894 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001895 * Module: library/des.c
Paul Bakker6deb37e2013-02-19 13:17:08 +01001896 * Caller: library/pem.c
1897 * library/ssl_tls.c
Paul Bakker5121ce52009-01-03 21:22:43 +00001898 *
Paul Bakker645ce3a2012-10-31 12:32:41 +00001899 * This module enables the following ciphersuites (if other requisites are
1900 * enabled as well):
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001901 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
1902 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
1903 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
1904 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
1905 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
1906 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
1907 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
1908 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
1909 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
1910 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
Paul Bakker6deb37e2013-02-19 13:17:08 +01001911 *
Paul Bakkercff68422013-09-15 20:43:33 +02001912 * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
Hanno Beckerbbca8c52017-09-25 14:53:51 +01001913 *
1914 * \warning DES is considered a weak cipher and its use constitutes a
1915 * security risk. We recommend considering stronger ciphers instead.
Paul Bakker5121ce52009-01-03 21:22:43 +00001916 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001917#define MBEDTLS_DES_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001918
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001919/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001920 * \def MBEDTLS_DHM_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001921 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02001922 * Enable the Diffie-Hellman-Merkle module.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001923 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001924 * Module: library/dhm.c
1925 * Caller: library/ssl_cli.c
1926 * library/ssl_srv.c
1927 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02001928 * This module is used by the following key exchanges:
1929 * DHE-RSA, DHE-PSK
Hanno Beckera2f6b722017-09-28 10:33:29 +01001930 *
Hanno Beckerf9734b32017-10-03 12:09:22 +01001931 * \warning Using DHE constitutes a security risk as it
1932 * is not possible to validate custom DH parameters.
1933 * If possible, it is recommended users should consider
1934 * preferring other methods of key exchange.
1935 * See dhm.h for more details.
Hanno Beckera2f6b722017-09-28 10:33:29 +01001936 *
Paul Bakker5121ce52009-01-03 21:22:43 +00001937 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001938#define MBEDTLS_DHM_C
Paul Bakker5121ce52009-01-03 21:22:43 +00001939
Paul Bakkerf3b86c12011-01-27 15:24:17 +00001940/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001941 * \def MBEDTLS_ECDH_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01001942 *
1943 * Enable the elliptic curve Diffie-Hellman library.
1944 *
1945 * Module: library/ecdh.c
Paul Bakker41c83d32013-03-20 14:39:14 +01001946 * Caller: library/ssl_cli.c
1947 * library/ssl_srv.c
1948 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02001949 * This module is used by the following key exchanges:
1950 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
Paul Bakkerd589a0d2013-03-13 16:30:17 +01001951 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001952 * Requires: MBEDTLS_ECP_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01001953 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001954#define MBEDTLS_ECDH_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01001955
1956/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001957 * \def MBEDTLS_ECDSA_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01001958 *
1959 * Enable the elliptic curve DSA library.
1960 *
1961 * Module: library/ecdsa.c
1962 * Caller:
1963 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02001964 * This module is used by the following key exchanges:
1965 * ECDHE-ECDSA
1966 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001967 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01001968 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001969#define MBEDTLS_ECDSA_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01001970
1971/**
Manuel Pégourié-Gonnard4d8685b2015-08-05 15:44:42 +02001972 * \def MBEDTLS_ECJPAKE_C
1973 *
1974 * Enable the elliptic curve J-PAKE library.
1975 *
Manuel Pégourié-Gonnard75df9022015-09-16 23:21:01 +02001976 * \warning This is currently experimental. EC J-PAKE support is based on the
1977 * Thread v1.0.0 specification; incompatible changes to the specification
1978 * might still happen. For this reason, this is disabled by default.
1979 *
Manuel Pégourié-Gonnard4d8685b2015-08-05 15:44:42 +02001980 * Module: library/ecjpake.c
1981 * Caller:
1982 *
1983 * This module is used by the following key exchanges:
1984 * ECJPAKE
1985 *
1986 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
1987 */
Manuel Pégourié-Gonnardcf828932015-10-20 14:57:00 +02001988//#define MBEDTLS_ECJPAKE_C
Manuel Pégourié-Gonnard4d8685b2015-08-05 15:44:42 +02001989
1990/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001991 * \def MBEDTLS_ECP_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01001992 *
1993 * Enable the elliptic curve over GF(p) library.
1994 *
1995 * Module: library/ecp.c
1996 * Caller: library/ecdh.c
1997 * library/ecdsa.c
Manuel Pégourié-Gonnard4d8685b2015-08-05 15:44:42 +02001998 * library/ecjpake.c
Paul Bakkerd589a0d2013-03-13 16:30:17 +01001999 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002000 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002001 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002002#define MBEDTLS_ECP_C
Paul Bakkerd589a0d2013-03-13 16:30:17 +01002003
2004/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002005 * \def MBEDTLS_ENTROPY_C
Paul Bakker6083fd22011-12-03 21:45:14 +00002006 *
2007 * Enable the platform-specific entropy code.
2008 *
2009 * Module: library/entropy.c
2010 * Caller:
2011 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002012 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
Paul Bakker6083fd22011-12-03 21:45:14 +00002013 *
2014 * This module provides a generic entropy pool
2015 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002016#define MBEDTLS_ENTROPY_C
Paul Bakker6083fd22011-12-03 21:45:14 +00002017
2018/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002019 * \def MBEDTLS_ERROR_C
Paul Bakker9d781402011-05-09 16:17:09 +00002020 *
2021 * Enable error code to error string conversion.
2022 *
2023 * Module: library/error.c
2024 * Caller:
2025 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002026 * This module enables mbedtls_strerror().
Paul Bakker9d781402011-05-09 16:17:09 +00002027 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002028#define MBEDTLS_ERROR_C
Paul Bakker9d781402011-05-09 16:17:09 +00002029
2030/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002031 * \def MBEDTLS_GCM_C
Paul Bakker89e80c92012-03-20 13:50:09 +00002032 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002033 * Enable the Galois/Counter Mode (GCM) for AES.
Paul Bakker89e80c92012-03-20 13:50:09 +00002034 *
2035 * Module: library/gcm.c
2036 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002037 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
Paul Bakker645ce3a2012-10-31 12:32:41 +00002038 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02002039 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
2040 * requisites are enabled as well.
Paul Bakker89e80c92012-03-20 13:50:09 +00002041 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002042#define MBEDTLS_GCM_C
Paul Bakker89e80c92012-03-20 13:50:09 +00002043
2044/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002045 * \def MBEDTLS_HAVEGE_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002046 *
2047 * Enable the HAVEGE random generator.
2048 *
Paul Bakker2a844242013-06-24 13:01:53 +02002049 * Warning: the HAVEGE random generator is not suitable for virtualized
2050 * environments
2051 *
2052 * Warning: the HAVEGE random generator is dependent on timing and specific
2053 * processor traits. It is therefore not advised to use HAVEGE as
2054 * your applications primary random generator or primary entropy pool
2055 * input. As a secondary input to your entropy pool, it IS able add
2056 * the (limited) extra entropy it provides.
2057 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002058 * Module: library/havege.c
2059 * Caller:
2060 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002061 * Requires: MBEDTLS_TIMING_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002062 *
Paul Bakker2a844242013-06-24 13:01:53 +02002063 * Uncomment to enable the HAVEGE random generator.
Paul Bakker2a844242013-06-24 13:01:53 +02002064 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002065//#define MBEDTLS_HAVEGE_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002066
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002067/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002068 * \def MBEDTLS_HMAC_DRBG_C
Manuel Pégourié-Gonnard490bdf32014-01-27 14:03:10 +01002069 *
2070 * Enable the HMAC_DRBG random generator.
2071 *
2072 * Module: library/hmac_drbg.c
2073 * Caller:
2074 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002075 * Requires: MBEDTLS_MD_C
Manuel Pégourié-Gonnard490bdf32014-01-27 14:03:10 +01002076 *
2077 * Uncomment to enable the HMAC_DRBG random number geerator.
2078 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002079#define MBEDTLS_HMAC_DRBG_C
Manuel Pégourié-Gonnard490bdf32014-01-27 14:03:10 +01002080
2081/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002082 * \def MBEDTLS_MD_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002083 *
2084 * Enable the generic message digest layer.
2085 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002086 * Module: library/md.c
Paul Bakker17373852011-01-06 14:20:01 +00002087 * Caller:
2088 *
2089 * Uncomment to enable generic message digest wrappers.
2090 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002091#define MBEDTLS_MD_C
Paul Bakker17373852011-01-06 14:20:01 +00002092
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002093/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002094 * \def MBEDTLS_MD2_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002095 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002096 * Enable the MD2 hash algorithm.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002097 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002098 * Module: library/md2.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002099 * Caller:
Paul Bakker5121ce52009-01-03 21:22:43 +00002100 *
2101 * Uncomment to enable support for (rare) MD2-signed X.509 certs.
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002102 *
2103 * \warning MD2 is considered a weak message digest and its use constitutes a
2104 * security risk. If possible, we recommend avoiding dependencies on
2105 * it, and considering stronger message digests instead.
2106 *
Paul Bakker6506aff2009-07-28 20:52:02 +00002107 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002108//#define MBEDTLS_MD2_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002109
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002110/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002111 * \def MBEDTLS_MD4_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002112 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002113 * Enable the MD4 hash algorithm.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002114 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002115 * Module: library/md4.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002116 * Caller:
Paul Bakker5121ce52009-01-03 21:22:43 +00002117 *
2118 * Uncomment to enable support for (rare) MD4-signed X.509 certs.
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002119 *
2120 * \warning MD4 is considered a weak message digest and its use constitutes a
2121 * security risk. If possible, we recommend avoiding dependencies on
2122 * it, and considering stronger message digests instead.
2123 *
Paul Bakker6506aff2009-07-28 20:52:02 +00002124 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002125//#define MBEDTLS_MD4_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002126
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002127/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002128 * \def MBEDTLS_MD5_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002129 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002130 * Enable the MD5 hash algorithm.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002131 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002132 * Module: library/md5.c
2133 * Caller: library/md.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002134 * library/pem.c
Paul Bakker6deb37e2013-02-19 13:17:08 +01002135 * library/ssl_tls.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002136 *
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002137 * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2
2138 * depending on the handshake parameters. Further, it is used for checking
2139 * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded
2140 * encrypted keys.
2141 *
2142 * \warning MD5 is considered a weak message digest and its use constitutes a
2143 * security risk. If possible, we recommend avoiding dependencies on
2144 * it, and considering stronger message digests instead.
2145 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002146 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002147#define MBEDTLS_MD5_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002148
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002149/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002150 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002151 *
2152 * Enable the buffer allocator implementation that makes use of a (stack)
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +02002153 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002154 * calls)
Paul Bakker6e339b52013-07-03 13:37:05 +02002155 *
2156 * Module: library/memory_buffer_alloc.c
2157 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002158 * Requires: MBEDTLS_PLATFORM_C
2159 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
Paul Bakker6e339b52013-07-03 13:37:05 +02002160 *
2161 * Enable this module to enable the buffer memory allocator.
Paul Bakker6e339b52013-07-03 13:37:05 +02002162 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002163//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
Paul Bakker6e339b52013-07-03 13:37:05 +02002164
2165/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002166 * \def MBEDTLS_NET_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002167 *
Manuel Pégourié-Gonnard325ce092016-02-22 10:33:34 +01002168 * Enable the TCP and UDP over IPv6/IPv4 networking routines.
2169 *
Simon Butcherd567a232016-03-09 20:19:21 +00002170 * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
2171 * and Windows. For other platforms, you'll want to disable it, and write your
Manuel Pégourié-Gonnard325ce092016-02-22 10:33:34 +01002172 * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002173 *
Manuel Pégourié-Gonnard02049dc2016-02-22 16:42:51 +00002174 * \note See also our Knowledge Base article about porting to a new
2175 * environment:
2176 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
2177 *
Andres AG788aa4a2016-09-14 14:32:09 +01002178 * Module: library/net_sockets.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002179 *
Manuel Pégourié-Gonnard325ce092016-02-22 10:33:34 +01002180 * This module provides networking routines.
Paul Bakker5121ce52009-01-03 21:22:43 +00002181 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002182#define MBEDTLS_NET_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002183
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002184/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002185 * \def MBEDTLS_OID_C
Paul Bakkerc70b9822013-04-07 22:00:46 +02002186 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002187 * Enable the OID database.
Paul Bakkerc70b9822013-04-07 22:00:46 +02002188 *
2189 * Module: library/oid.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002190 * Caller: library/asn1write.c
2191 * library/pkcs5.c
2192 * library/pkparse.c
2193 * library/pkwrite.c
2194 * library/rsa.c
2195 * library/x509.c
2196 * library/x509_create.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002197 * library/x509_crl.c
2198 * library/x509_crt.c
2199 * library/x509_csr.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002200 * library/x509write_crt.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002201 * library/x509write_csr.c
Paul Bakkerc70b9822013-04-07 22:00:46 +02002202 *
2203 * This modules translates between OIDs and internal values.
2204 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002205#define MBEDTLS_OID_C
Paul Bakkerc70b9822013-04-07 22:00:46 +02002206
2207/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002208 * \def MBEDTLS_PADLOCK_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002209 *
2210 * Enable VIA Padlock support on x86.
2211 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002212 * Module: library/padlock.c
2213 * Caller: library/aes.c
2214 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002215 * Requires: MBEDTLS_HAVE_ASM
Manuel Pégourié-Gonnard92ac76f2013-12-16 17:12:53 +01002216 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002217 * This modules adds support for the VIA PadLock on x86.
2218 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002219#define MBEDTLS_PADLOCK_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002220
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002221/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002222 * \def MBEDTLS_PEM_PARSE_C
Paul Bakker96743fc2011-02-12 14:30:57 +00002223 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002224 * Enable PEM decoding / parsing.
Paul Bakker96743fc2011-02-12 14:30:57 +00002225 *
2226 * Module: library/pem.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002227 * Caller: library/dhm.c
Paul Bakkercff68422013-09-15 20:43:33 +02002228 * library/pkparse.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002229 * library/x509_crl.c
2230 * library/x509_crt.c
2231 * library/x509_csr.c
Paul Bakker96743fc2011-02-12 14:30:57 +00002232 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002233 * Requires: MBEDTLS_BASE64_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002234 *
Paul Bakkercff68422013-09-15 20:43:33 +02002235 * This modules adds support for decoding / parsing PEM files.
Paul Bakker96743fc2011-02-12 14:30:57 +00002236 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002237#define MBEDTLS_PEM_PARSE_C
Paul Bakkercff68422013-09-15 20:43:33 +02002238
2239/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002240 * \def MBEDTLS_PEM_WRITE_C
Paul Bakkercff68422013-09-15 20:43:33 +02002241 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002242 * Enable PEM encoding / writing.
Paul Bakkercff68422013-09-15 20:43:33 +02002243 *
2244 * Module: library/pem.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002245 * Caller: library/pkwrite.c
2246 * library/x509write_crt.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002247 * library/x509write_csr.c
Paul Bakkercff68422013-09-15 20:43:33 +02002248 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002249 * Requires: MBEDTLS_BASE64_C
Paul Bakkercff68422013-09-15 20:43:33 +02002250 *
2251 * This modules adds support for encoding / writing PEM files.
2252 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002253#define MBEDTLS_PEM_WRITE_C
Paul Bakker96743fc2011-02-12 14:30:57 +00002254
2255/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002256 * \def MBEDTLS_PK_C
Manuel Pégourié-Gonnardc40b4c32013-08-22 13:29:31 +02002257 *
2258 * Enable the generic public (asymetric) key layer.
2259 *
2260 * Module: library/pk.c
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02002261 * Caller: library/ssl_tls.c
Manuel Pégourié-Gonnardc40b4c32013-08-22 13:29:31 +02002262 * library/ssl_cli.c
2263 * library/ssl_srv.c
2264 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002265 * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
Manuel Pégourié-Gonnard1a483832013-09-20 12:29:15 +02002266 *
Manuel Pégourié-Gonnardc40b4c32013-08-22 13:29:31 +02002267 * Uncomment to enable generic public key wrappers.
2268 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002269#define MBEDTLS_PK_C
Manuel Pégourié-Gonnardc40b4c32013-08-22 13:29:31 +02002270
2271/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002272 * \def MBEDTLS_PK_PARSE_C
Paul Bakker4606c732013-09-15 17:04:23 +02002273 *
2274 * Enable the generic public (asymetric) key parser.
2275 *
2276 * Module: library/pkparse.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002277 * Caller: library/x509_crt.c
2278 * library/x509_csr.c
Paul Bakker4606c732013-09-15 17:04:23 +02002279 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002280 * Requires: MBEDTLS_PK_C
Paul Bakker4606c732013-09-15 17:04:23 +02002281 *
2282 * Uncomment to enable generic public key parse functions.
2283 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002284#define MBEDTLS_PK_PARSE_C
Paul Bakker4606c732013-09-15 17:04:23 +02002285
2286/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002287 * \def MBEDTLS_PK_WRITE_C
Paul Bakker4606c732013-09-15 17:04:23 +02002288 *
Paul Bakkerf20ba4b2013-09-16 22:46:20 +02002289 * Enable the generic public (asymetric) key writer.
Paul Bakker4606c732013-09-15 17:04:23 +02002290 *
2291 * Module: library/pkwrite.c
2292 * Caller: library/x509write.c
2293 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002294 * Requires: MBEDTLS_PK_C
Paul Bakker4606c732013-09-15 17:04:23 +02002295 *
2296 * Uncomment to enable generic public key write functions.
2297 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002298#define MBEDTLS_PK_WRITE_C
Paul Bakker4606c732013-09-15 17:04:23 +02002299
2300/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002301 * \def MBEDTLS_PKCS5_C
Paul Bakkerb0c19a42013-06-24 19:26:38 +02002302 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002303 * Enable PKCS#5 functions.
Paul Bakkerb0c19a42013-06-24 19:26:38 +02002304 *
2305 * Module: library/pkcs5.c
2306 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002307 * Requires: MBEDTLS_MD_C
Paul Bakkerb0c19a42013-06-24 19:26:38 +02002308 *
2309 * This module adds support for the PKCS#5 functions.
2310 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002311#define MBEDTLS_PKCS5_C
Paul Bakkerb0c19a42013-06-24 19:26:38 +02002312
2313/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002314 * \def MBEDTLS_PKCS11_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002315 *
Paul Bakkereb2c6582012-09-27 19:15:01 +00002316 * Enable wrapper for PKCS#11 smartcard support.
Paul Bakker5690efc2011-05-26 13:16:06 +00002317 *
Manuel Pégourié-Gonnard51be5592013-08-22 13:35:53 +02002318 * Module: library/pkcs11.c
2319 * Caller: library/pk.c
Paul Bakker5690efc2011-05-26 13:16:06 +00002320 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002321 * Requires: MBEDTLS_PK_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002322 *
Paul Bakkereb2c6582012-09-27 19:15:01 +00002323 * This module enables SSL/TLS PKCS #11 smartcard support.
Paul Bakker5690efc2011-05-26 13:16:06 +00002324 * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
Paul Bakker5690efc2011-05-26 13:16:06 +00002325 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002326//#define MBEDTLS_PKCS11_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002327
2328/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002329 * \def MBEDTLS_PKCS12_C
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02002330 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002331 * Enable PKCS#12 PBE functions.
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02002332 * Adds algorithms for parsing PKCS#8 encrypted private keys
2333 *
2334 * Module: library/pkcs12.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002335 * Caller: library/pkparse.c
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02002336 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002337 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C
2338 * Can use: MBEDTLS_ARC4_C
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02002339 *
2340 * This module enables PKCS#12 functions.
2341 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002342#define MBEDTLS_PKCS12_C
Paul Bakkerf1f21fe2013-06-24 19:17:19 +02002343
2344/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002345 * \def MBEDTLS_PLATFORM_C
Paul Bakker747a83a2014-02-01 22:50:07 +01002346 *
2347 * Enable the platform abstraction layer that allows you to re-assign
Manuel Pégourié-Gonnard6c0c8e02015-06-22 10:23:34 +02002348 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
Paul Bakker747a83a2014-02-01 22:50:07 +01002349 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002350 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
2351 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
Rich Evans16f8cd82015-02-06 16:14:34 +00002352 * above to be specified at runtime or compile time respectively.
Paul Bakker747a83a2014-02-01 22:50:07 +01002353 *
Manuel Pégourié-Gonnard6c0c8e02015-06-22 10:23:34 +02002354 * \note This abstraction layer must be enabled on Windows (including MSYS2)
2355 * as other module rely on it for a fixed snprintf implementation.
2356 *
Paul Bakker747a83a2014-02-01 22:50:07 +01002357 * Module: library/platform.c
2358 * Caller: Most other .c files
2359 *
2360 * This module enables abstraction of common (libc) functions.
2361 */
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +02002362#define MBEDTLS_PLATFORM_C
Paul Bakker747a83a2014-02-01 22:50:07 +01002363
2364/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002365 * \def MBEDTLS_RIPEMD160_C
Manuel Pégourié-Gonnardcab4a882014-01-17 12:42:35 +01002366 *
2367 * Enable the RIPEMD-160 hash algorithm.
2368 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002369 * Module: library/ripemd160.c
2370 * Caller: library/md.c
Manuel Pégourié-Gonnardcab4a882014-01-17 12:42:35 +01002371 *
2372 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002373#define MBEDTLS_RIPEMD160_C
Manuel Pégourié-Gonnardcab4a882014-01-17 12:42:35 +01002374
2375/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002376 * \def MBEDTLS_RSA_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002377 *
2378 * Enable the RSA public-key cryptosystem.
2379 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002380 * Module: library/rsa.c
Hanno Beckera565f542017-10-11 11:00:19 +01002381 * library/rsa_internal.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002382 * Caller: library/ssl_cli.c
2383 * library/ssl_srv.c
2384 * library/ssl_tls.c
2385 * library/x509.c
2386 *
Manuel Pégourié-Gonnard9d703732013-10-25 18:01:50 +02002387 * This module is used by the following key exchanges:
2388 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
Paul Bakker5690efc2011-05-26 13:16:06 +00002389 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002390 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002391 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002392#define MBEDTLS_RSA_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002393
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002394/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002395 * \def MBEDTLS_SHA1_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002396 *
2397 * Enable the SHA1 cryptographic hash algorithm.
2398 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002399 * Module: library/sha1.c
2400 * Caller: library/md.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002401 * library/ssl_cli.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002402 * library/ssl_srv.c
2403 * library/ssl_tls.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002404 * library/x509write_crt.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002405 *
Gilles Peskine5e79cb32017-05-04 16:17:21 +02002406 * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
2407 * depending on the handshake parameters, and for SHA1-signed certificates.
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002408 *
2409 * \warning SHA-1 is considered a weak message digest and its use constitutes
2410 * a security risk. If possible, we recommend avoiding dependencies
2411 * on it, and considering stronger message digests instead.
2412 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002413 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002414#define MBEDTLS_SHA1_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002415
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002416/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002417 * \def MBEDTLS_SHA256_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002418 *
2419 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
2420 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002421 * Module: library/sha256.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002422 * Caller: library/entropy.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002423 * library/md.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002424 * library/ssl_cli.c
2425 * library/ssl_srv.c
2426 * library/ssl_tls.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002427 *
2428 * This module adds support for SHA-224 and SHA-256.
Paul Bakker769075d2012-11-24 11:26:46 +01002429 * This module is required for the SSL/TLS 1.2 PRF function.
Paul Bakker5121ce52009-01-03 21:22:43 +00002430 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002431#define MBEDTLS_SHA256_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002432
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002433/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002434 * \def MBEDTLS_SHA512_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002435 *
2436 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
2437 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002438 * Module: library/sha512.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002439 * Caller: library/entropy.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002440 * library/md.c
Manuel Pégourié-Gonnardfe286462013-09-20 14:10:14 +02002441 * library/ssl_cli.c
2442 * library/ssl_srv.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002443 *
2444 * This module adds support for SHA-384 and SHA-512.
2445 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002446#define MBEDTLS_SHA512_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002447
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002448/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002449 * \def MBEDTLS_SSL_CACHE_C
Paul Bakker0a597072012-09-25 21:55:46 +00002450 *
2451 * Enable simple SSL cache implementation.
2452 *
2453 * Module: library/ssl_cache.c
2454 * Caller:
2455 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002456 * Requires: MBEDTLS_SSL_CACHE_C
Paul Bakker0a597072012-09-25 21:55:46 +00002457 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002458#define MBEDTLS_SSL_CACHE_C
Paul Bakker0a597072012-09-25 21:55:46 +00002459
2460/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002461 * \def MBEDTLS_SSL_COOKIE_C
Manuel Pégourié-Gonnarda64acd42014-07-23 18:30:45 +02002462 *
2463 * Enable basic implementation of DTLS cookies for hello verification.
2464 *
2465 * Module: library/ssl_cookie.c
2466 * Caller:
Manuel Pégourié-Gonnarda64acd42014-07-23 18:30:45 +02002467 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002468#define MBEDTLS_SSL_COOKIE_C
Manuel Pégourié-Gonnarda64acd42014-07-23 18:30:45 +02002469
2470/**
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +02002471 * \def MBEDTLS_SSL_TICKET_C
2472 *
2473 * Enable an implementation of TLS server-side callbacks for session tickets.
2474 *
2475 * Module: library/ssl_ticket.c
2476 * Caller:
Manuel Pégourié-Gonnard0c0f11f2015-05-20 09:55:50 +02002477 *
Manuel Pégourié-Gonnard4214e3a2015-05-25 19:34:49 +02002478 * Requires: MBEDTLS_CIPHER_C
Manuel Pégourié-Gonnardfd6d8972015-05-15 12:09:00 +02002479 */
2480#define MBEDTLS_SSL_TICKET_C
2481
2482/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002483 * \def MBEDTLS_SSL_CLI_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002484 *
2485 * Enable the SSL/TLS client code.
2486 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002487 * Module: library/ssl_cli.c
2488 * Caller:
2489 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002490 * Requires: MBEDTLS_SSL_TLS_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002491 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002492 * This module is required for SSL/TLS client support.
2493 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002494#define MBEDTLS_SSL_CLI_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002495
Paul Bakker9a736322012-11-14 12:39:52 +00002496/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002497 * \def MBEDTLS_SSL_SRV_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002498 *
2499 * Enable the SSL/TLS server code.
2500 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002501 * Module: library/ssl_srv.c
2502 * Caller:
2503 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002504 * Requires: MBEDTLS_SSL_TLS_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002505 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002506 * This module is required for SSL/TLS server support.
2507 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002508#define MBEDTLS_SSL_SRV_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002509
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002510/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002511 * \def MBEDTLS_SSL_TLS_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002512 *
Paul Bakkere29ab062011-05-18 13:26:54 +00002513 * Enable the generic SSL/TLS code.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002514 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002515 * Module: library/ssl_tls.c
2516 * Caller: library/ssl_cli.c
2517 * library/ssl_srv.c
2518 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002519 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
2520 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines
Paul Bakker5690efc2011-05-26 13:16:06 +00002521 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002522 * This module is required for SSL/TLS.
2523 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002524#define MBEDTLS_SSL_TLS_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002525
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002526/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002527 * \def MBEDTLS_THREADING_C
Paul Bakker2466d932013-09-28 14:40:38 +02002528 *
2529 * Enable the threading abstraction layer.
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00002530 * By default mbed TLS assumes it is used in a non-threaded environment or that
Paul Bakker2466d932013-09-28 14:40:38 +02002531 * contexts are not shared between threads. If you do intend to use contexts
2532 * between threads, you will need to enable this layer to prevent race
Manuel Pégourié-Gonnard02049dc2016-02-22 16:42:51 +00002533 * conditions. See also our Knowledge Base article about threading:
2534 * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
Paul Bakker2466d932013-09-28 14:40:38 +02002535 *
2536 * Module: library/threading.c
2537 *
2538 * This allows different threading implementations (self-implemented or
2539 * provided).
2540 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002541 * You will have to enable either MBEDTLS_THREADING_ALT or
2542 * MBEDTLS_THREADING_PTHREAD.
Paul Bakker2466d932013-09-28 14:40:38 +02002543 *
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00002544 * Enable this layer to allow use of mutexes within mbed TLS
Paul Bakker2466d932013-09-28 14:40:38 +02002545 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002546//#define MBEDTLS_THREADING_C
Paul Bakker2466d932013-09-28 14:40:38 +02002547
2548/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002549 * \def MBEDTLS_TIMING_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002550 *
Manuel Pégourié-Gonnard325ce092016-02-22 10:33:34 +01002551 * Enable the semi-portable timing interface.
2552 *
Simon Butcherd567a232016-03-09 20:19:21 +00002553 * \note The provided implementation only works on POSIX/Unix (including Linux,
2554 * BSD and OS X) and Windows. On other platforms, you can either disable that
Manuel Pégourié-Gonnard325ce092016-02-22 10:33:34 +01002555 * module and provide your own implementations of the callbacks needed by
2556 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
2557 * your own implementation of the whole module by setting
2558 * \c MBEDTLS_TIMING_ALT in the current file.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002559 *
Manuel Pégourié-Gonnard02049dc2016-02-22 16:42:51 +00002560 * \note See also our Knowledge Base article about porting to a new
2561 * environment:
2562 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
2563 *
Paul Bakker5121ce52009-01-03 21:22:43 +00002564 * Module: library/timing.c
2565 * Caller: library/havege.c
2566 *
2567 * This module is used by the HAVEGE random number generator.
Paul Bakkerecd54fb2013-07-03 14:48:29 +02002568 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002569#define MBEDTLS_TIMING_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002570
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002571/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002572 * \def MBEDTLS_VERSION_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002573 *
2574 * Enable run-time version information.
2575 *
Paul Bakker0a62cd12011-01-21 11:00:08 +00002576 * Module: library/version.c
2577 *
2578 * This module provides run-time version information.
2579 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002580#define MBEDTLS_VERSION_C
Paul Bakker0a62cd12011-01-21 11:00:08 +00002581
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002582/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002583 * \def MBEDTLS_X509_USE_C
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002584 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002585 * Enable X.509 core for using certificates.
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002586 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002587 * Module: library/x509.c
Simon Butcher2cb47392016-11-04 12:23:11 +00002588 * Caller: library/x509_crl.c
2589 * library/x509_crt.c
2590 * library/x509_csr.c
Paul Bakker5121ce52009-01-03 21:22:43 +00002591 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002592 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
2593 * MBEDTLS_PK_PARSE_C
Paul Bakker5690efc2011-05-26 13:16:06 +00002594 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002595 * This module is required for the X.509 parsing modules.
Paul Bakker5121ce52009-01-03 21:22:43 +00002596 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002597#define MBEDTLS_X509_USE_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002598
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002599/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002600 * \def MBEDTLS_X509_CRT_PARSE_C
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002601 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002602 * Enable X.509 certificate parsing.
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002603 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002604 * Module: library/x509_crt.c
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002605 * Caller: library/ssl_cli.c
2606 * library/ssl_srv.c
2607 * library/ssl_tls.c
2608 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002609 * Requires: MBEDTLS_X509_USE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002610 *
2611 * This module is required for X.509 certificate parsing.
2612 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002613#define MBEDTLS_X509_CRT_PARSE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002614
2615/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002616 * \def MBEDTLS_X509_CRL_PARSE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002617 *
2618 * Enable X.509 CRL parsing.
2619 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002620 * Module: library/x509_crl.c
2621 * Caller: library/x509_crt.c
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002622 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002623 * Requires: MBEDTLS_X509_USE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002624 *
2625 * This module is required for X.509 CRL parsing.
2626 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002627#define MBEDTLS_X509_CRL_PARSE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002628
2629/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002630 * \def MBEDTLS_X509_CSR_PARSE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002631 *
2632 * Enable X.509 Certificate Signing Request (CSR) parsing.
2633 *
Simon Butcher2cb47392016-11-04 12:23:11 +00002634 * Module: library/x509_csr.c
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002635 * Caller: library/x509_crt_write.c
2636 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002637 * Requires: MBEDTLS_X509_USE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002638 *
2639 * This module is used for reading X.509 certificate request.
2640 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002641#define MBEDTLS_X509_CSR_PARSE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002642
2643/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002644 * \def MBEDTLS_X509_CREATE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002645 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002646 * Enable X.509 core for creating certificates.
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002647 *
2648 * Module: library/x509_create.c
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002649 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002650 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002651 *
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002652 * This module is the basis for creating X.509 certificates and CSRs.
2653 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002654#define MBEDTLS_X509_CREATE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002655
2656/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002657 * \def MBEDTLS_X509_CRT_WRITE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002658 *
2659 * Enable creating X.509 certificates.
2660 *
2661 * Module: library/x509_crt_write.c
2662 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002663 * Requires: MBEDTLS_X509_CREATE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002664 *
2665 * This module is required for X.509 certificate creation.
2666 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002667#define MBEDTLS_X509_CRT_WRITE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002668
2669/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002670 * \def MBEDTLS_X509_CSR_WRITE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002671 *
Manuel Pégourié-Gonnard09fff7e2013-09-20 13:45:36 +02002672 * Enable creating X.509 Certificate Signing Requests (CSR).
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002673 *
2674 * Module: library/x509_csr_write.c
2675 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002676 * Requires: MBEDTLS_X509_CREATE_C
Paul Bakker7c6b2c32013-09-16 13:49:26 +02002677 *
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002678 * This module is required for X.509 certificate request writing.
2679 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002680#define MBEDTLS_X509_CSR_WRITE_C
Paul Bakkerbdb912d2012-02-13 23:11:30 +00002681
2682/**
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002683 * \def MBEDTLS_XTEA_C
Paul Bakker5121ce52009-01-03 21:22:43 +00002684 *
Paul Bakkerf3b86c12011-01-27 15:24:17 +00002685 * Enable the XTEA block cipher.
2686 *
Paul Bakker7a7c78f2009-01-04 18:15:48 +00002687 * Module: library/xtea.c
2688 * Caller:
2689 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002690#define MBEDTLS_XTEA_C
Manuel Pégourié-Gonnard39d2adb2012-10-31 09:26:55 +01002691
Manuel Pégourié-Gonnardb4fe3cb2015-01-22 16:11:05 +00002692/* \} name SECTION: mbed TLS modules */
Paul Bakker7a7c78f2009-01-04 18:15:48 +00002693
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002694/**
2695 * \name SECTION: Module configuration options
2696 *
2697 * This section allows for the setting of module specific sizes and
2698 * configuration options. The default values are already present in the
2699 * relevant header files and should suffice for the regular use cases.
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002700 *
Paul Bakker088c5c52014-04-25 11:11:10 +02002701 * Our advice is to enable options and change their values here
2702 * only if you have a good reason and know the consequences.
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002703 *
2704 * Please check the respective header file for documentation on these
2705 * parameters (to prevent duplicate documentation).
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002706 * \{
2707 */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002708
Paul Bakker088c5c52014-04-25 11:11:10 +02002709/* MPI / BIGNUM options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002710//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */
2711//#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002712
Paul Bakker088c5c52014-04-25 11:11:10 +02002713/* CTR_DRBG options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002714//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
2715//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
2716//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
2717//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
2718//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002719
Paul Bakker088c5c52014-04-25 11:11:10 +02002720/* HMAC_DRBG options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002721//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
2722//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
2723//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
2724//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002725
Paul Bakker088c5c52014-04-25 11:11:10 +02002726/* ECP options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002727//#define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */
2728//#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */
2729//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */
Manuel Pégourié-Gonnard0520b602014-01-30 19:43:46 +01002730
Paul Bakker088c5c52014-04-25 11:11:10 +02002731/* Entropy options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002732//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
2733//#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
Andres AG7abc9742016-09-23 17:58:49 +01002734//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
Paul Bakkere1b665e2013-12-11 16:02:58 +01002735
Paul Bakker088c5c52014-04-25 11:11:10 +02002736/* Memory buffer allocator options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002737//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002738
Paul Bakker088c5c52014-04-25 11:11:10 +02002739/* Platform options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002740//#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +02002741//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002742//#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */
2743//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */
Andres Amaya Garcia1e4ec662016-07-20 10:16:25 +01002744//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002745//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
2746//#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
Manuel Pégourié-Gonnard6c0c8e02015-06-22 10:23:34 +02002747/* Note: your snprintf must correclty zero-terminate the buffer! */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002748//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
Janos Follath91947442016-03-18 13:49:27 +00002749//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
2750//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
Paul Bakkercf0a9f92016-06-01 11:25:44 +01002751//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
2752//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
2753//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */
Paul Bakker6e339b52013-07-03 13:37:05 +02002754
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002755/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */
2756/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
Manuel Pégourié-Gonnardb9ef1182015-05-26 16:15:20 +02002757//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002758//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */
2759//#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */
Andres Amaya Garcia1e4ec662016-07-20 10:16:25 +01002760//#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
2761//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002762//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
2763//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
Manuel Pégourié-Gonnard6c0c8e02015-06-22 10:23:34 +02002764/* Note: your snprintf must correclty zero-terminate the buffer! */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002765//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
Paul Bakkercf0a9f92016-06-01 11:25:44 +01002766//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
2767//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002768
Paul Bakker088c5c52014-04-25 11:11:10 +02002769/* SSL Cache options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002770//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
2771//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002772
Paul Bakker088c5c52014-04-25 11:11:10 +02002773/* SSL options */
Manuel Pégourié-Gonnardbb838442015-08-31 12:46:01 +02002774//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002775//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
2776//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
2777//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
Paul Bakker9bcf16c2013-06-24 19:31:17 +02002778
Manuel Pégourié-Gonnarddfc7df02014-06-30 17:59:55 +02002779/**
2780 * Complete list of ciphersuites to use, in order of preference.
2781 *
2782 * \warning No dependency checking is done on that field! This option can only
2783 * be used to restrict the set of available ciphersuites. It is your
2784 * responsibility to make sure the needed modules are active.
2785 *
2786 * Use this to save a few hundred bytes of ROM (default ordering of all
2787 * available ciphersuites) and a few to a few hundred bytes of RAM.
2788 *
2789 * The value below is only an example, not the default.
2790 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002791//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Manuel Pégourié-Gonnarddfc7df02014-06-30 17:59:55 +02002792
Manuel Pégourié-Gonnardfd6c85c2014-11-20 16:34:20 +01002793/* X509 options */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002794//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
Andres AGf9113192016-09-02 14:06:04 +01002795//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
Manuel Pégourié-Gonnardfd6c85c2014-11-20 16:34:20 +01002796
Gilles Peskine5e79cb32017-05-04 16:17:21 +02002797/**
Gilles Peskine5d2511c2017-05-12 13:16:40 +02002798 * Allow SHA-1 in the default TLS configuration for certificate signing.
2799 * Without this build-time option, SHA-1 support must be activated explicitly
2800 * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002801 * recommended because of it is possible to generate SHA-1 collisions, however
Gilles Peskine5d2511c2017-05-12 13:16:40 +02002802 * this may be safe for legacy infrastructure where additional controls apply.
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002803 *
2804 * \warning SHA-1 is considered a weak message digest and its use constitutes
2805 * a security risk. If possible, we recommend avoiding dependencies
2806 * on it, and considering stronger message digests instead.
2807 *
Gilles Peskine5e79cb32017-05-04 16:17:21 +02002808 */
Gilles Peskine5d2511c2017-05-12 13:16:40 +02002809// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
2810
2811/**
2812 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
2813 * signature and ciphersuite selection. Without this build-time option, SHA-1
2814 * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
2815 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
2816 * default. At the time of writing, there is no practical attack on the use
2817 * of SHA-1 in handshake signatures, hence this option is turned on by default
Hanno Beckerbbca8c52017-09-25 14:53:51 +01002818 * to preserve compatibility with existing peers, but the general
2819 * warning applies nonetheless:
2820 *
2821 * \warning SHA-1 is considered a weak message digest and its use constitutes
2822 * a security risk. If possible, we recommend avoiding dependencies
2823 * on it, and considering stronger message digests instead.
2824 *
Gilles Peskine5d2511c2017-05-12 13:16:40 +02002825 */
2826#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
Gilles Peskine5e79cb32017-05-04 16:17:21 +02002827
Simon Butcher30b5f972016-06-08 19:00:23 +01002828/* \} name SECTION: Customisation configuration options */
Manuel Pégourié-Gonnard43569a92015-07-31 15:37:29 +02002829
Simon Butcherb2c81b12016-06-23 13:56:06 +01002830/* Target and application specific configurations */
Simon Butcher1d46a2d2016-07-11 10:17:03 +01002831//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h"
2832
2833#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
2834#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
2835#endif
Simon Butcherb2c81b12016-06-23 13:56:06 +01002836
Manuel Pégourié-Gonnard32da9f62015-07-31 15:52:30 +02002837/*
2838 * Allow user to override any previous default.
2839 *
2840 * Use two macro names for that, as:
2841 * - with yotta the prefix YOTTA_CFG_ is forced
2842 * - without yotta is looks weird to have a YOTTA prefix.
2843 */
2844#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
2845#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
2846#elif defined(MBEDTLS_USER_CONFIG_FILE)
2847#include MBEDTLS_USER_CONFIG_FILE
2848#endif
2849
Manuel Pégourié-Gonnard14d55952014-04-30 12:35:08 +02002850#include "check_config.h"
Manuel Pégourié-Gonnard92ac76f2013-12-16 17:12:53 +01002851
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002852#endif /* MBEDTLS_CONFIG_H */