Mbed TLS and TF-PSA-Crypto configuration
========================================

## Objectives

The objective of the repository split is to reach the point where, in Mbed TLS,
all the cryptography code and its tests are located in a tf-psa-crypto
directory that just contains the TF-PSA-Crypto repository as a submodule.
The cryptography APIs exposed by Mbed TLS are just the TF-PSA-Crypto ones.
Mbed TLS relies solely on the TF-PSA-Crypto build system to build its
cryptography library and its tests.

The TF-PSA-Crypto configuration file tf_psa_crypto_config.h entirely
configures the cryptography interface exposed by Mbed TLS through
TF-PSA-Crypto. Mbed TLS is configured with two files: mbedtls_config.h for TLS
and x509, and tf_psa_crypto_config.h.

The platform abstraction layer and its configuration are the same in Mbed TLS
and TF-PSA-Crypto because:
* we want a user of Mbed TLS to set up only one platform abstraction layer for
  both the TLS/x509 part of Mbed TLS and its cryptography part
  (TF-PSA-Crypto);
* we want to avoid an interface adaptation.

## Requirements on tf_psa_crypto_config.h

* It configures the PSA APIs, their implementations, the implementation of the
  builtin drivers and the platform abstraction layer.
* It does not contain the legacy cryptography configuration options that are
  superseded by the PSA cryptography configuration scheme (PSA_WANT_ and
  MBEDTLS_PSA_ACCEL_ macros), for example MBEDTLS_CCM_C or
  MBEDTLS_CHACHAPOLY_ALT.
* Apart from the legacy cryptography configuration options mentioned in the
  previous point and the cryptography configuration options that are planned
  to be removed for 4.0, tf_psa_crypto_config.h inherits all the
  cryptography configuration options of mbedtls_config.h.
* Apart from the PSA cryptography API configuration options that are prefixed
  by PSA_WANT_, the tf_psa_crypto_config.h configuration options are prefixed
  by TF_PSA_CRYPTO_.

## Comments about objectives and requirements

Given the objectives and requirements on tf_psa_crypto_config.h above, the
Mbed TLS configuration with mbedtls_config.h and tf_psa_crypto_config.h can be
seen as an extension of the so-called PSA cryptographic configuration scheme
based on mbedtls_config.h and crypto_config.h. The configuration file
crypto_config.h is extended to become the TF-PSA-Crypto configuration file,
and mbedtls_config.h mainly becomes the configuration file for the TLS and x509
libraries.

Regarding the platform abstraction layer configuration options, we do not
want to use the TF-PSA-Crypto ones in TLS and x509 code, thus each of them has
an equivalent one in mbedtls_config.h prefixed by MBEDTLS_ instead of
TF_PSA_CRYPTO_ that just expands to the TF_PSA_CRYPTO_ one:

```c
#define MBEDTLS_xyz TF_PSA_CRYPTO_xyz
```
55
## Sections in tf_psa_crypto_config.h

The tf_psa_crypto_config.h configuration file is organized into seven sections.

The pre-split mbedtls_config.h configuration file contains configuration
options that apply to the whole code base (TLS, x509, crypto and tests), mostly
related to the platform abstraction layer and testing. In tf_psa_crypto_config.h
these configuration options are organized into two sections, one for the
platform abstraction layer options and one for the others, respectively named
"Platform abstraction layer configuration options" and
"General and test configuration options".

Then, the "PSA cryptography API configuration options" section is the
equivalent of the pre-split crypto_config.h configuration file containing the
PSA_WANT_ prefixed macros.

Compared to Mbed TLS, the cryptography code in TF-PSA-Crypto is not located
in a single directory but split between the PSA core (core directory) and the
PSA builtin drivers (drivers/builtin/src directory). This is reflected in
tf_psa_crypto_config.h with two sections named "PSA core configuration options"
and "Builtin drivers configuration options".

The last two sections contain the configuration options for the cryptography
mechanisms that are not yet part of the PSA cryptography API (like LMS) and
for cryptography utilities (like the base64 or ASN.1 APIs) that facilitate the
usage of the PSA cryptography API in other cryptography projects. They are
respectively named "Beyond the current PSA cryptography API configuration
options" and "Cryptography utilities configuration options".

In contrast to mbedtls_config.h, tf_psa_crypto_config.h does not contain a
section like the "Module configuration options" one containing non-boolean
configuration options. The configuration options that are not boolean are
located in the same section as the boolean option they are associated with.

Open question: do we group them into a subsection?
91
## Repartition of the configuration options

Starting from mbedtls_config.h as in c085cc767d, we remove the following
configuration options as duplicates of PSA_WANT_ and MBEDTLS_PSA_ACCEL_
options or obsolete options:

```c
//#define MBEDTLS_AES_ALT
//#define MBEDTLS_ARIA_ALT
//#define MBEDTLS_CAMELLIA_ALT
//#define MBEDTLS_CCM_ALT
//#define MBEDTLS_CHACHA20_ALT
//#define MBEDTLS_CHACHAPOLY_ALT
//#define MBEDTLS_CMAC_ALT
//#define MBEDTLS_DES_ALT
//#define MBEDTLS_DHM_ALT
//#define MBEDTLS_ECJPAKE_ALT
//#define MBEDTLS_GCM_ALT
//#define MBEDTLS_NIST_KW_ALT
//#define MBEDTLS_MD5_ALT
//#define MBEDTLS_POLY1305_ALT
//#define MBEDTLS_RIPEMD160_ALT
//#define MBEDTLS_RSA_ALT
//#define MBEDTLS_SHA1_ALT
//#define MBEDTLS_SHA256_ALT
//#define MBEDTLS_SHA512_ALT
//#define MBEDTLS_ECP_ALT
//#define MBEDTLS_MD5_PROCESS_ALT
//#define MBEDTLS_RIPEMD160_PROCESS_ALT
//#define MBEDTLS_SHA1_PROCESS_ALT
//#define MBEDTLS_SHA256_PROCESS_ALT
//#define MBEDTLS_SHA512_PROCESS_ALT
//#define MBEDTLS_DES_SETKEY_ALT
//#define MBEDTLS_DES_CRYPT_ECB_ALT
//#define MBEDTLS_DES3_CRYPT_ECB_ALT
//#define MBEDTLS_AES_SETKEY_ENC_ALT
//#define MBEDTLS_AES_SETKEY_DEC_ALT
//#define MBEDTLS_AES_ENCRYPT_ALT
//#define MBEDTLS_AES_DECRYPT_ALT
//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
//#define MBEDTLS_ECDSA_VERIFY_ALT
//#define MBEDTLS_ECDSA_SIGN_ALT
//#define MBEDTLS_ECDSA_GENKEY_ALT
//#define MBEDTLS_ECP_INTERNAL_ALT
//#define MBEDTLS_ECP_NO_FALLBACK
//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
//#define MBEDTLS_ECP_ADD_MIXED_ALT
//#define MBEDTLS_ECP_DOUBLE_JAC_ALT
//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
#define MBEDTLS_CIPHER_MODE_CBC
#define MBEDTLS_CIPHER_MODE_CFB
#define MBEDTLS_CIPHER_MODE_CTR
#define MBEDTLS_CIPHER_MODE_OFB
#define MBEDTLS_CIPHER_MODE_XTS
#define MBEDTLS_CIPHER_PADDING_PKCS7
#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
#define MBEDTLS_CIPHER_PADDING_ZEROS
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
#define MBEDTLS_ECP_DP_BP256R1_ENABLED
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
#define MBEDTLS_ECP_DP_CURVE448_ENABLED
#define MBEDTLS_ECDSA_DETERMINISTIC
#define MBEDTLS_GENPRIME
#define MBEDTLS_PKCS1_V15
#define MBEDTLS_PKCS1_V21
//#define MBEDTLS_PSA_CRYPTO_CONFIG
#define MBEDTLS_AES_C
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_CAMELLIA_C
#define MBEDTLS_ARIA_C
#define MBEDTLS_CCM_C
#define MBEDTLS_CHACHA20_C
#define MBEDTLS_CHACHAPOLY_C
#define MBEDTLS_CMAC_C
#define MBEDTLS_DES_C
#define MBEDTLS_DHM_C
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECJPAKE_C
#define MBEDTLS_ECP_C
#define MBEDTLS_GCM_C
#define MBEDTLS_HKDF_C
#define MBEDTLS_MD5_C
#define MBEDTLS_PADLOCK_C
#define MBEDTLS_POLY1305_C
//#define MBEDTLS_PSA_CRYPTO_SE_C
#define MBEDTLS_RIPEMD160_C
#define MBEDTLS_RSA_C
#define MBEDTLS_SHA1_C
#define MBEDTLS_SHA224_C
#define MBEDTLS_SHA256_C
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#define MBEDTLS_SHA3_C
```

### In tf_psa_crypto_config.h, we have:

* SECTION "Platform abstraction layer configuration options"

```c
#define MBEDTLS_HAVE_TIME
#define MBEDTLS_HAVE_TIME_DATE
//#define MBEDTLS_PLATFORM_MEMORY
//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
//#define MBEDTLS_PLATFORM_SETBUF_ALT
//#define MBEDTLS_PLATFORM_EXIT_ALT
//#define MBEDTLS_PLATFORM_TIME_ALT
//#define MBEDTLS_PLATFORM_FPRINTF_ALT
//#define MBEDTLS_PLATFORM_PRINTF_ALT
//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
//#define MBEDTLS_PLATFORM_NV_SEED_ALT
//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
//#define MBEDTLS_PLATFORM_MS_TIME_ALT
//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
#define MBEDTLS_FS_IO
//#define MBEDTLS_MEMORY_DEBUG
//#define MBEDTLS_MEMORY_BACKTRACE
//#define MBEDTLS_THREADING_ALT ???
//#define MBEDTLS_THREADING_PTHREAD
#define MBEDTLS_PLATFORM_C
//#define MBEDTLS_THREADING_C
#define MBEDTLS_TIMING_C
//#define MBEDTLS_TIMING_ALT ???
//#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
//#define MBEDTLS_PLATFORM_STD_CALLOC calloc
//#define MBEDTLS_PLATFORM_STD_FREE free
//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf
//#define MBEDTLS_PLATFORM_STD_EXIT exit
//#define MBEDTLS_PLATFORM_STD_TIME time
//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf
//#define MBEDTLS_PLATFORM_STD_PRINTF printf
//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf
//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0
//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1
//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read
//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write
//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile"
//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc
//#define MBEDTLS_PLATFORM_FREE_MACRO free
//#define MBEDTLS_PLATFORM_EXIT_MACRO exit
//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf
//#define MBEDTLS_PLATFORM_TIME_MACRO time
//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf
//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf
//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write
//#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t
//#define MBEDTLS_PRINTF_MS_TIME PRId64
//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4
//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__))
//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result))
```

* SECTION "General and test configuration options"

```c
//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
//#define MBEDTLS_DEPRECATED_WARNING
//#define MBEDTLS_DEPRECATED_REMOVED
//#define MBEDTLS_CHECK_RETURN_WARNING
//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
//#define MBEDTLS_TEST_HOOKS
#define MBEDTLS_VERSION_C
#define MBEDTLS_VERSION_FEATURES
```

* SECTION "PSA cryptography API configuration options"

The content of include/psa/crypto_config.h.

* SECTION "PSA core configuration options"

```c
//#define MBEDTLS_ENTROPY_HARDWARE_ALT
//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
//#define MBEDTLS_NO_PLATFORM_ENTROPY
//#define MBEDTLS_ENTROPY_FORCE_SHA256
//#define MBEDTLS_ENTROPY_NV_SEED ???
//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
#define MBEDTLS_PSA_CRYPTO_C
//#define MBEDTLS_PSA_CRYPTO_CLIENT
//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
//#define MBEDTLS_PSA_CRYPTO_SPM
//#define MBEDTLS_PSA_INJECT_ENTROPY
//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
#define MBEDTLS_PSA_ITS_FILE_C
//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h"
//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h"
//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48
//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000
//#define MBEDTLS_CTR_DRBG_MAX_INPUT 256
//#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024
//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384
//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000
//#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256
//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024
//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384
//#define MBEDTLS_ENTROPY_MAX_SOURCES 20
//#define MBEDTLS_ENTROPY_MAX_GATHER 128
//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32
```

* SECTION "Builtin drivers configuration options"

```c
#define MBEDTLS_HAVE_ASM
//#define MBEDTLS_NO_UDBL_DIVISION
//#define MBEDTLS_NO_64BIT_MULTIPLICATION
//#define MBEDTLS_HAVE_SSE2
#define MBEDTLS_AESNI_C
#define MBEDTLS_AESCE_C
//#define MBEDTLS_AES_ROM_TABLES
//#define MBEDTLS_AES_FEWER_TABLES
//#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
//#define MBEDTLS_AES_USE_HARDWARE_ONLY
//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
#define MBEDTLS_ECP_NIST_OPTIM
//#define MBEDTLS_ECP_RESTARTABLE ???
//#define MBEDTLS_ECP_WITH_MPI_UINT
//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
//#define MBEDTLS_SHA256_SMALLER
//#define MBEDTLS_SHA512_SMALLER
//#define MBEDTLS_RSA_NO_CRT
#define MBEDTLS_SELF_TEST
//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
//#define MBEDTLS_GCM_LARGE_TABLE
//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
//#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
//#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
//#define MBEDTLS_MPI_WINDOW_SIZE 2
//#define MBEDTLS_MPI_MAX_SIZE 1024
//#define MBEDTLS_ECP_WINDOW_SIZE 4
//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1
//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024
```

* SECTION "Beyond the current PSA cryptography API configuration options"

```c
#define MBEDTLS_CIPHER_C
#define MBEDTLS_LMS_C
//#define MBEDTLS_LMS_PRIVATE
#define MBEDTLS_MD_C
#define MBEDTLS_NIST_KW_C
#define MBEDTLS_PK_PARSE_EC_EXTENDED
#define MBEDTLS_PK_PARSE_EC_COMPRESSED
#define MBEDTLS_PK_RSA_ALT_SUPPORT
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_WRITE_C
#define MBEDTLS_PKCS5_C
#define MBEDTLS_PKCS12_C
```

* SECTION "Cryptography utilities configuration options"

```c
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_BASE64_C
#define MBEDTLS_OID_C
#define MBEDTLS_PEM_PARSE_C
#define MBEDTLS_PEM_WRITE_C
```

### In mbedtls_config.h, we have:

* SECTION "System support"

Empty

* SECTION "Mbed TLS feature support"

```c
//#define MBEDTLS_CIPHER_NULL_CIPHER
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#define MBEDTLS_ERROR_STRERROR_DUMMY
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
//#define MBEDTLS_SSL_ASYNC_PRIVATE
#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
//#define MBEDTLS_SSL_DEBUG_ALL
#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
#define MBEDTLS_SSL_RENEGOTIATION
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
#define MBEDTLS_SSL_PROTO_TLS1_2
#define MBEDTLS_SSL_PROTO_TLS1_3
#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
//#define MBEDTLS_SSL_EARLY_DATA
#define MBEDTLS_SSL_PROTO_DTLS
#define MBEDTLS_SSL_ALPN
#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
//#define MBEDTLS_SSL_DTLS_SRTP
#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
#define MBEDTLS_SSL_SESSION_TICKETS
#define MBEDTLS_SSL_SERVER_NAME_INDICATION
//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
//#define MBEDTLS_USE_PSA_CRYPTO
//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
//#define MBEDTLS_X509_REMOVE_INFO
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
```

* SECTION "Mbed TLS modules"

```c
#define MBEDTLS_DEBUG_C
#define MBEDTLS_ERROR_C
#define MBEDTLS_NET_C
#define MBEDTLS_PKCS7_C
#define MBEDTLS_SSL_CACHE_C
#define MBEDTLS_SSL_COOKIE_C
#define MBEDTLS_SSL_TICKET_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_TLS_C
#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_X509_CRL_PARSE_C
#define MBEDTLS_X509_CSR_PARSE_C
#define MBEDTLS_X509_CREATE_C
#define MBEDTLS_X509_CRT_WRITE_C
#define MBEDTLS_X509_CSR_WRITE_C
```

* SECTION "General configuration options"

```c
//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
```

* SECTION "Module configuration options"

```c
//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50
//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
//#define MBEDTLS_SSL_CID_IN_LEN_MAX 32
//#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32
//#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16
//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
//#define MBEDTLS_PSK_MAX_LEN 32
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60
//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024
//#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
//#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
```