|
|
|
@ -3,6 +3,10 @@
|
|
|
|
|
*
|
|
|
|
|
* \brief Configuration options (set of defines)
|
|
|
|
|
*
|
|
|
|
|
* This set of compile-time options may be used to enable
|
|
|
|
|
* or disable features selectively, and reduce the global
|
|
|
|
|
* memory footprint.
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
|
|
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
*
|
|
|
|
@ -21,11 +25,6 @@
|
|
|
|
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* This set of compile-time options may be used to enable
|
|
|
|
|
* or disable features selectively, and reduce the global
|
|
|
|
|
* memory footprint.
|
|
|
|
|
*/
|
|
|
|
|
#ifndef MBEDTLS_CONFIG_H
|
|
|
|
|
#define MBEDTLS_CONFIG_H
|
|
|
|
|
|
|
|
|
@ -72,6 +71,10 @@
|
|
|
|
|
* The time does not need to be correct, only time differences are used,
|
|
|
|
|
* by contrast with MBEDTLS_HAVE_TIME_DATE
|
|
|
|
|
*
|
|
|
|
|
* Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
|
|
|
|
|
* MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
|
|
|
|
|
* MBEDTLS_PLATFORM_STD_TIME.
|
|
|
|
|
*
|
|
|
|
|
* Comment if your system does not support time functions
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_HAVE_TIME
|
|
|
|
@ -132,10 +135,10 @@
|
|
|
|
|
//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_PLATFORM_XXX_ALT
|
|
|
|
|
* \def MBEDTLS_PLATFORM_EXIT_ALT
|
|
|
|
|
*
|
|
|
|
|
* Uncomment a macro to let mbed TLS support the function in the platform
|
|
|
|
|
* abstraction layer.
|
|
|
|
|
* MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
|
|
|
|
|
* function in the platform abstraction layer.
|
|
|
|
|
*
|
|
|
|
|
* Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
|
|
|
|
|
* provide a function "mbedtls_platform_set_printf()" that allows you to set an
|
|
|
|
@ -149,13 +152,17 @@
|
|
|
|
|
* \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
|
|
|
|
|
* MBEDTLS_PLATFORM_XXX_MACRO!
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
|
|
|
|
|
*
|
|
|
|
|
* Uncomment a macro to enable alternate implementation of specific base
|
|
|
|
|
* platform function
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_PLATFORM_EXIT_ALT
|
|
|
|
|
//#define MBEDTLS_PLATFORM_TIME_ALT
|
|
|
|
|
//#define MBEDTLS_PLATFORM_FPRINTF_ALT
|
|
|
|
|
//#define MBEDTLS_PLATFORM_PRINTF_ALT
|
|
|
|
|
//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
|
|
|
|
|
//#define MBEDTLS_PLATFORM_NV_SEED_ALT
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_DEPRECATED_WARNING
|
|
|
|
@ -208,19 +215,19 @@
|
|
|
|
|
//#define MBEDTLS_TIMING_ALT
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS__MODULE_NAME__ALT
|
|
|
|
|
* \def MBEDTLS_AES_ALT
|
|
|
|
|
*
|
|
|
|
|
* Uncomment a macro to let mbed TLS use your alternate core implementation of
|
|
|
|
|
* a symmetric crypto or hash module (e.g. platform specific assembly
|
|
|
|
|
* optimized implementations). Keep in mind that the function prototypes
|
|
|
|
|
* should remain the same.
|
|
|
|
|
* MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
|
|
|
|
|
* alternate core implementation of a symmetric crypto, an arithmetic or hash
|
|
|
|
|
* module (e.g. platform specific assembly optimized implementations). Keep
|
|
|
|
|
* in mind that the function prototypes should remain the same.
|
|
|
|
|
*
|
|
|
|
|
* This replaces the whole module. If you only want to replace one of the
|
|
|
|
|
* functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
|
|
|
|
|
*
|
|
|
|
|
* Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer
|
|
|
|
|
* provide the "struct mbedtls_aes_context" definition and omit the base function
|
|
|
|
|
* declarations and implementations. "aes_alt.h" will be included from
|
|
|
|
|
* provide the "struct mbedtls_aes_context" definition and omit the base
|
|
|
|
|
* function declarations and implementations. "aes_alt.h" will be included from
|
|
|
|
|
* "aes.h" to include the new function definitions.
|
|
|
|
|
*
|
|
|
|
|
* Uncomment a macro to enable alternate implementation of the corresponding
|
|
|
|
@ -239,13 +246,23 @@
|
|
|
|
|
//#define MBEDTLS_SHA1_ALT
|
|
|
|
|
//#define MBEDTLS_SHA256_ALT
|
|
|
|
|
//#define MBEDTLS_SHA512_ALT
|
|
|
|
|
/*
|
|
|
|
|
* When replacing the elliptic curve module, pleace consider, that it is
|
|
|
|
|
* implemented with two .c files:
|
|
|
|
|
* - ecp.c
|
|
|
|
|
* - ecp_curves.c
|
|
|
|
|
* You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
|
|
|
|
|
* macros as described above. The only difference is that you have to make sure
|
|
|
|
|
* that you provide functionality for both .c files.
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_ECP_ALT
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS__FUNCTION_NAME__ALT
|
|
|
|
|
* \def MBEDTLS_MD2_PROCESS_ALT
|
|
|
|
|
*
|
|
|
|
|
* Uncomment a macro to let mbed TLS use you alternate core implementation of
|
|
|
|
|
* symmetric crypto or hash function. Keep in mind that function prototypes
|
|
|
|
|
* should remain the same.
|
|
|
|
|
* MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
|
|
|
|
|
* alternate core implementation of symmetric crypto or hash function. Keep in
|
|
|
|
|
* mind that function prototypes should remain the same.
|
|
|
|
|
*
|
|
|
|
|
* This replaces only one function. The header file from mbed TLS is still
|
|
|
|
|
* used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
|
|
|
|
@ -278,6 +295,76 @@
|
|
|
|
|
//#define MBEDTLS_AES_ENCRYPT_ALT
|
|
|
|
|
//#define MBEDTLS_AES_DECRYPT_ALT
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_ECP_INTERNAL_ALT
|
|
|
|
|
*
|
|
|
|
|
* Expose a part of the internal interface of the Elliptic Curve Point module.
|
|
|
|
|
*
|
|
|
|
|
* MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
|
|
|
|
|
* alternative core implementation of elliptic curve arithmetic. Keep in mind
|
|
|
|
|
* that function prototypes should remain the same.
|
|
|
|
|
*
|
|
|
|
|
* This partially replaces one function. The header file from mbed TLS is still
|
|
|
|
|
* used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
|
|
|
|
|
* is still present and it is used for group structures not supported by the
|
|
|
|
|
* alternative.
|
|
|
|
|
*
|
|
|
|
|
* Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
|
|
|
|
|
* and implementing the following functions:
|
|
|
|
|
* unsigned char mbedtls_internal_ecp_grp_capable(
|
|
|
|
|
* const mbedtls_ecp_group *grp )
|
|
|
|
|
* int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
|
|
|
|
|
* void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
|
|
|
|
|
* The mbedtls_internal_ecp_grp_capable function should return 1 if the
|
|
|
|
|
* replacement functions implement arithmetic for the given group and 0
|
|
|
|
|
* otherwise.
|
|
|
|
|
* The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
|
|
|
|
|
* called before and after each point operation and provide an opportunity to
|
|
|
|
|
* implement optimized set up and tear down instructions.
|
|
|
|
|
*
|
|
|
|
|
* Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and
|
|
|
|
|
* MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac
|
|
|
|
|
* function, but will use your mbedtls_internal_ecp_double_jac if the group is
|
|
|
|
|
* supported (your mbedtls_internal_ecp_grp_capable function returns 1 when
|
|
|
|
|
* receives it as an argument). If the group is not supported then the original
|
|
|
|
|
* implementation is used. The other functions and the definition of
|
|
|
|
|
* mbedtls_ecp_group and mbedtls_ecp_point will not change, so your
|
|
|
|
|
* implementation of mbedtls_internal_ecp_double_jac and
|
|
|
|
|
* mbedtls_internal_ecp_grp_capable must be compatible with this definition.
|
|
|
|
|
*
|
|
|
|
|
* Uncomment a macro to enable alternate implementation of the corresponding
|
|
|
|
|
* function.
|
|
|
|
|
*/
|
|
|
|
|
/* Required for all the functions in this section */
|
|
|
|
|
//#define MBEDTLS_ECP_INTERNAL_ALT
|
|
|
|
|
/* Support for Weierstrass curves with Jacobi representation */
|
|
|
|
|
//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
|
|
|
|
|
//#define MBEDTLS_ECP_ADD_MIXED_ALT
|
|
|
|
|
//#define MBEDTLS_ECP_DOUBLE_JAC_ALT
|
|
|
|
|
//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
|
|
|
|
|
//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
|
|
|
|
|
/* Support for curves with Montgomery arithmetic */
|
|
|
|
|
//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
|
|
|
|
|
//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
|
|
|
|
|
//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_TEST_NULL_ENTROPY
|
|
|
|
|
*
|
|
|
|
|
* Enables testing and use of mbed TLS without any configured entropy sources.
|
|
|
|
|
* This permits use of the library on platforms before an entropy source has
|
|
|
|
|
* been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
|
|
|
|
|
* MBEDTLS_ENTROPY_NV_SEED switches).
|
|
|
|
|
*
|
|
|
|
|
* WARNING! This switch MUST be disabled in production builds, and is suitable
|
|
|
|
|
* only for development.
|
|
|
|
|
* Enabling the switch negates any security provided by the library.
|
|
|
|
|
*
|
|
|
|
|
* Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_TEST_NULL_ENTROPY
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_ENTROPY_HARDWARE_ALT
|
|
|
|
|
*
|
|
|
|
@ -365,10 +452,11 @@
|
|
|
|
|
//#define MBEDTLS_CIPHER_NULL_CIPHER
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_CIPHER_PADDING_XXX
|
|
|
|
|
* \def MBEDTLS_CIPHER_PADDING_PKCS7
|
|
|
|
|
*
|
|
|
|
|
* Uncomment or comment macros to add support for specific padding modes
|
|
|
|
|
* in the cipher layer with cipher modes that support padding (e.g. CBC)
|
|
|
|
|
* MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
|
|
|
|
|
* specific padding modes in the cipher layer with cipher modes that support
|
|
|
|
|
* padding (e.g. CBC)
|
|
|
|
|
*
|
|
|
|
|
* If you disable all padding modes, only full blocks can be used with CBC.
|
|
|
|
|
*
|
|
|
|
@ -408,10 +496,10 @@
|
|
|
|
|
#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_ECP_XXXX_ENABLED
|
|
|
|
|
* \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
|
|
|
|
*
|
|
|
|
|
* Enables specific curves within the Elliptic Curve module.
|
|
|
|
|
* By default all supported curves are enabled.
|
|
|
|
|
* MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
|
|
|
|
|
* module. By default all supported curves are enabled.
|
|
|
|
|
*
|
|
|
|
|
* Comment macros to disable the curve and functions for it
|
|
|
|
|
*/
|
|
|
|
@ -695,6 +783,25 @@
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
|
|
|
|
|
*
|
|
|
|
|
* Enable the ECJPAKE based ciphersuite modes in SSL / TLS.
|
|
|
|
|
*
|
|
|
|
|
* \warning This is currently experimental. EC J-PAKE support is based on the
|
|
|
|
|
* Thread v1.0.0 specification; incompatible changes to the specification
|
|
|
|
|
* might still happen. For this reason, this is disabled by default.
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_ECJPAKE_C
|
|
|
|
|
* MBEDTLS_SHA256_C
|
|
|
|
|
* MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
|
|
|
|
*
|
|
|
|
|
* This enables the following ciphersuites (if other requisites are
|
|
|
|
|
* enabled as well):
|
|
|
|
|
* MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_PK_PARSE_EC_EXTENDED
|
|
|
|
|
*
|
|
|
|
@ -780,6 +887,34 @@
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_ENTROPY_FORCE_SHA256
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_ENTROPY_NV_SEED
|
|
|
|
|
*
|
|
|
|
|
* Enable the non-volatile (NV) seed file-based entropy source.
|
|
|
|
|
* (Also enables the NV seed read/write functions in the platform layer)
|
|
|
|
|
*
|
|
|
|
|
* This is crucial (if not required) on systems that do not have a
|
|
|
|
|
* cryptographic entropy source (in hardware or kernel) available.
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
|
|
|
|
|
*
|
|
|
|
|
* \note The read/write functions that are used by the entropy source are
|
|
|
|
|
* determined in the platform layer, and can be modified at runtime and/or
|
|
|
|
|
* compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
|
|
|
|
|
*
|
|
|
|
|
* \note If you use the default implementation functions that read a seedfile
|
|
|
|
|
* with regular fopen(), please make sure you make a seedfile with the
|
|
|
|
|
* proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
|
|
|
|
|
* least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
|
|
|
|
|
* and written to or you will get an entropy source error! The default
|
|
|
|
|
* implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
|
|
|
|
|
* bytes from the file.
|
|
|
|
|
*
|
|
|
|
|
* \note The entropy collector will write to the seed file before entropy is
|
|
|
|
|
* given to an external source, to update it.
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_ENTROPY_NV_SEED
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_MEMORY_DEBUG
|
|
|
|
|
*
|
|
|
|
@ -869,18 +1004,6 @@
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SHA256_SMALLER
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_AEAD_RANDOM_IV
|
|
|
|
|
*
|
|
|
|
|
* Generate a random IV rather than using the record sequence number as a
|
|
|
|
|
* nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
|
|
|
|
|
*
|
|
|
|
|
* Using the sequence number is generally recommended.
|
|
|
|
|
*
|
|
|
|
|
* Uncomment this macro to always use random IVs with AEAD ciphersuites.
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_SSL_AEAD_RANDOM_IV
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
|
|
|
|
|
*
|
|
|
|
@ -1040,7 +1163,7 @@
|
|
|
|
|
*
|
|
|
|
|
* Comment this macro to disable support for SSL 3.0
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SSL_PROTO_SSL3
|
|
|
|
|
//#define MBEDTLS_SSL_PROTO_SSL3
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_PROTO_TLS1
|
|
|
|
@ -1135,6 +1258,22 @@
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
|
|
|
|
|
*
|
|
|
|
|
* Enable server-side support for clients that reconnect from the same port.
|
|
|
|
|
*
|
|
|
|
|
* Some clients unexpectedly close the connection and try to reconnect using the
|
|
|
|
|
* same source port. This needs special support from the server to handle the
|
|
|
|
|
* new connection securely, as described in section 4.2.8 of RFC 6347. This
|
|
|
|
|
* flag enables that support.
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
|
|
|
|
|
*
|
|
|
|
|
* Comment this to disable support for clients reusing the source port.
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
|
|
|
|
|
*
|
|
|
|
@ -1160,6 +1299,16 @@
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SSL_SESSION_TICKETS
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_EXPORT_KEYS
|
|
|
|
|
*
|
|
|
|
|
* Enable support for exporting key block and master secret.
|
|
|
|
|
* This is required for certain users of TLS, e.g. EAP-TLS.
|
|
|
|
|
*
|
|
|
|
|
* Comment this macro to disable support for key export
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SSL_EXPORT_KEYS
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_SERVER_NAME_INDICATION
|
|
|
|
|
*
|
|
|
|
@ -1231,6 +1380,8 @@
|
|
|
|
|
* If set, the X509 parser will not break-off when parsing an X509 certificate
|
|
|
|
|
* and encountering an unknown critical extension.
|
|
|
|
|
*
|
|
|
|
|
* \warning Depending on your PKI use, enabling this can be a security risk!
|
|
|
|
|
*
|
|
|
|
|
* Uncomment to prevent an error.
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
|
|
|
@ -1438,7 +1589,7 @@
|
|
|
|
|
* library/pkwrite.c
|
|
|
|
|
* library/x509_create.c
|
|
|
|
|
* library/x509write_crt.c
|
|
|
|
|
* library/mbedtls_x509write_csr.c
|
|
|
|
|
* library/x509write_csr.c
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_ASN1_WRITE_C
|
|
|
|
|
|
|
|
|
@ -1572,6 +1723,19 @@
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_CIPHER_C
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_CMAC_C
|
|
|
|
|
*
|
|
|
|
|
* Enable the CMAC (Cipher-based Message Authentication Code) mode for block
|
|
|
|
|
* ciphers.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/cmac.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_CMAC_C
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_CTR_DRBG_C
|
|
|
|
|
*
|
|
|
|
@ -1671,6 +1835,25 @@
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_ECDSA_C
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_ECJPAKE_C
|
|
|
|
|
*
|
|
|
|
|
* Enable the elliptic curve J-PAKE library.
|
|
|
|
|
*
|
|
|
|
|
* \warning This is currently experimental. EC J-PAKE support is based on the
|
|
|
|
|
* Thread v1.0.0 specification; incompatible changes to the specification
|
|
|
|
|
* might still happen. For this reason, this is disabled by default.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/ecjpake.c
|
|
|
|
|
* Caller:
|
|
|
|
|
*
|
|
|
|
|
* This module is used by the following key exchanges:
|
|
|
|
|
* ECJPAKE
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_ECJPAKE_C
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_ECP_C
|
|
|
|
|
*
|
|
|
|
@ -1679,6 +1862,7 @@
|
|
|
|
|
* Module: library/ecp.c
|
|
|
|
|
* Caller: library/ecdh.c
|
|
|
|
|
* library/ecdsa.c
|
|
|
|
|
* library/ecjpake.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
|
|
|
|
|
*/
|
|
|
|
@ -1766,7 +1950,7 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the generic message digest layer.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_md.c
|
|
|
|
|
* Module: library/md.c
|
|
|
|
|
* Caller:
|
|
|
|
|
*
|
|
|
|
|
* Uncomment to enable generic message digest wrappers.
|
|
|
|
@ -1778,7 +1962,7 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the MD2 hash algorithm.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_md2.c
|
|
|
|
|
* Module: library/md2.c
|
|
|
|
|
* Caller:
|
|
|
|
|
*
|
|
|
|
|
* Uncomment to enable support for (rare) MD2-signed X.509 certs.
|
|
|
|
@ -1790,7 +1974,7 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the MD4 hash algorithm.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_md4.c
|
|
|
|
|
* Module: library/md4.c
|
|
|
|
|
* Caller:
|
|
|
|
|
*
|
|
|
|
|
* Uncomment to enable support for (rare) MD4-signed X.509 certs.
|
|
|
|
@ -1802,8 +1986,8 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the MD5 hash algorithm.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_md5.c
|
|
|
|
|
* Caller: library/mbedtls_md.c
|
|
|
|
|
* Module: library/md5.c
|
|
|
|
|
* Caller: library/md.c
|
|
|
|
|
* library/pem.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
*
|
|
|
|
@ -1831,11 +2015,19 @@
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_NET_C
|
|
|
|
|
*
|
|
|
|
|
* Enable the TCP/IP networking routines.
|
|
|
|
|
* Enable the TCP and UDP over IPv6/IPv4 networking routines.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/net.c
|
|
|
|
|
* \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
|
|
|
|
|
* and Windows. For other platforms, you'll want to disable it, and write your
|
|
|
|
|
* own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
|
|
|
|
|
*
|
|
|
|
|
* This module provides TCP/IP networking routines.
|
|
|
|
|
* \note See also our Knowledge Base article about porting to a new
|
|
|
|
|
* environment:
|
|
|
|
|
* https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
|
|
|
|
|
*
|
|
|
|
|
* Module: library/net_sockets.c
|
|
|
|
|
*
|
|
|
|
|
* This module provides networking routines.
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_NET_C
|
|
|
|
|
|
|
|
|
@ -1852,11 +2044,11 @@
|
|
|
|
|
* library/rsa.c
|
|
|
|
|
* library/x509.c
|
|
|
|
|
* library/x509_create.c
|
|
|
|
|
* library/mbedtls_x509_crl.c
|
|
|
|
|
* library/mbedtls_x509_crt.c
|
|
|
|
|
* library/mbedtls_x509_csr.c
|
|
|
|
|
* library/x509_crl.c
|
|
|
|
|
* library/x509_crt.c
|
|
|
|
|
* library/x509_csr.c
|
|
|
|
|
* library/x509write_crt.c
|
|
|
|
|
* library/mbedtls_x509write_csr.c
|
|
|
|
|
* library/x509write_csr.c
|
|
|
|
|
*
|
|
|
|
|
* This modules translates between OIDs and internal values.
|
|
|
|
|
*/
|
|
|
|
@ -1884,9 +2076,9 @@
|
|
|
|
|
* Module: library/pem.c
|
|
|
|
|
* Caller: library/dhm.c
|
|
|
|
|
* library/pkparse.c
|
|
|
|
|
* library/mbedtls_x509_crl.c
|
|
|
|
|
* library/mbedtls_x509_crt.c
|
|
|
|
|
* library/mbedtls_x509_csr.c
|
|
|
|
|
* library/x509_crl.c
|
|
|
|
|
* library/x509_crt.c
|
|
|
|
|
* library/x509_csr.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_BASE64_C
|
|
|
|
|
*
|
|
|
|
@ -1902,7 +2094,7 @@
|
|
|
|
|
* Module: library/pem.c
|
|
|
|
|
* Caller: library/pkwrite.c
|
|
|
|
|
* library/x509write_crt.c
|
|
|
|
|
* library/mbedtls_x509write_csr.c
|
|
|
|
|
* library/x509write_csr.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_BASE64_C
|
|
|
|
|
*
|
|
|
|
@ -1932,8 +2124,8 @@
|
|
|
|
|
* Enable the generic public (asymetric) key parser.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/pkparse.c
|
|
|
|
|
* Caller: library/mbedtls_x509_crt.c
|
|
|
|
|
* library/mbedtls_x509_csr.c
|
|
|
|
|
* Caller: library/x509_crt.c
|
|
|
|
|
* library/x509_csr.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_PK_C
|
|
|
|
|
*
|
|
|
|
@ -2024,8 +2216,8 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the RIPEMD-160 hash algorithm.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_ripemd160.c
|
|
|
|
|
* Caller: library/mbedtls_md.c
|
|
|
|
|
* Module: library/ripemd160.c
|
|
|
|
|
* Caller: library/md.c
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_RIPEMD160_C
|
|
|
|
@ -2053,14 +2245,15 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the SHA1 cryptographic hash algorithm.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_sha1.c
|
|
|
|
|
* Caller: library/mbedtls_md.c
|
|
|
|
|
* Module: library/sha1.c
|
|
|
|
|
* Caller: library/md.c
|
|
|
|
|
* library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
* library/x509write_crt.c
|
|
|
|
|
*
|
|
|
|
|
* This module is required for SSL/TLS and SHA1-signed certificates.
|
|
|
|
|
* This module is required for SSL/TLS up to version 1.1, for TLS 1.2
|
|
|
|
|
* depending on the handshake parameters, and for SHA1-signed certificates.
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SHA1_C
|
|
|
|
|
|
|
|
|
@ -2069,9 +2262,9 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_sha256.c
|
|
|
|
|
* Module: library/sha256.c
|
|
|
|
|
* Caller: library/entropy.c
|
|
|
|
|
* library/mbedtls_md.c
|
|
|
|
|
* library/md.c
|
|
|
|
|
* library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
@ -2086,9 +2279,9 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_sha512.c
|
|
|
|
|
* Module: library/sha512.c
|
|
|
|
|
* Caller: library/entropy.c
|
|
|
|
|
* library/mbedtls_md.c
|
|
|
|
|
* library/md.c
|
|
|
|
|
* library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
*
|
|
|
|
@ -2181,7 +2374,8 @@
|
|
|
|
|
* By default mbed TLS assumes it is used in a non-threaded environment or that
|
|
|
|
|
* contexts are not shared between threads. If you do intend to use contexts
|
|
|
|
|
* between threads, you will need to enable this layer to prevent race
|
|
|
|
|
* conditions.
|
|
|
|
|
* conditions. See also our Knowledge Base article about threading:
|
|
|
|
|
* https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
|
|
|
|
|
*
|
|
|
|
|
* Module: library/threading.c
|
|
|
|
|
*
|
|
|
|
@ -2198,7 +2392,18 @@
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_TIMING_C
|
|
|
|
|
*
|
|
|
|
|
* Enable the portable timing interface.
|
|
|
|
|
* Enable the semi-portable timing interface.
|
|
|
|
|
*
|
|
|
|
|
* \note The provided implementation only works on POSIX/Unix (including Linux,
|
|
|
|
|
* BSD and OS X) and Windows. On other platforms, you can either disable that
|
|
|
|
|
* module and provide your own implementations of the callbacks needed by
|
|
|
|
|
* \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
|
|
|
|
|
* your own implementation of the whole module by setting
|
|
|
|
|
* \c MBEDTLS_TIMING_ALT in the current file.
|
|
|
|
|
*
|
|
|
|
|
* \note See also our Knowledge Base article about porting to a new
|
|
|
|
|
* environment:
|
|
|
|
|
* https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
|
|
|
|
|
*
|
|
|
|
|
* Module: library/timing.c
|
|
|
|
|
* Caller: library/havege.c
|
|
|
|
@ -2224,9 +2429,9 @@
|
|
|
|
|
* Enable X.509 core for using certificates.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/x509.c
|
|
|
|
|
* Caller: library/mbedtls_x509_crl.c
|
|
|
|
|
* library/mbedtls_x509_crt.c
|
|
|
|
|
* library/mbedtls_x509_csr.c
|
|
|
|
|
* Caller: library/x509_crl.c
|
|
|
|
|
* library/x509_crt.c
|
|
|
|
|
* library/x509_csr.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
|
|
|
|
|
* MBEDTLS_PK_PARSE_C
|
|
|
|
@ -2240,7 +2445,7 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable X.509 certificate parsing.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_x509_crt.c
|
|
|
|
|
* Module: library/x509_crt.c
|
|
|
|
|
* Caller: library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
@ -2256,8 +2461,8 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable X.509 CRL parsing.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_x509_crl.c
|
|
|
|
|
* Caller: library/mbedtls_x509_crt.c
|
|
|
|
|
* Module: library/x509_crl.c
|
|
|
|
|
* Caller: library/x509_crt.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_X509_USE_C
|
|
|
|
|
*
|
|
|
|
@ -2270,7 +2475,7 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable X.509 Certificate Signing Request (CSR) parsing.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_x509_csr.c
|
|
|
|
|
* Module: library/x509_csr.c
|
|
|
|
|
* Caller: library/x509_crt_write.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_X509_USE_C
|
|
|
|
@ -2371,6 +2576,7 @@
|
|
|
|
|
/* Entropy options */
|
|
|
|
|
//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
|
|
|
|
|
//#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
|
|
|
|
|
//#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
|
|
|
|
|
|
|
|
|
|
/* Memory buffer allocator options */
|
|
|
|
|
//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */
|
|
|
|
@ -2380,20 +2586,30 @@
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
|
|
|
|
|
/* Note: your snprintf must correclty zero-terminate the buffer! */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */
|
|
|
|
|
|
|
|
|
|
/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */
|
|
|
|
|
/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
|
|
|
|
|
/* Note: your snprintf must correclty zero-terminate the buffer! */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
|
|
|
|
|
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
|
|
|
|
|
|
|
|
|
|
/* SSL Cache options */
|
|
|
|
|
//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
|
|
|
|
@ -2421,11 +2637,35 @@
|
|
|
|
|
|
|
|
|
|
/* X509 options */
|
|
|
|
|
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
|
|
|
|
|
//#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
|
|
|
|
|
|
|
|
|
|
/* \} name SECTION: Module configuration options */
|
|
|
|
|
/**
|
|
|
|
|
* Allow SHA-1 in the default TLS configuration for certificate signing.
|
|
|
|
|
* Without this build-time option, SHA-1 support must be activated explicitly
|
|
|
|
|
* through mbedtls_ssl_conf_cert_profile. Turning on this option is not
|
|
|
|
|
* recommended because of it is possible to generte SHA-1 collisions, however
|
|
|
|
|
* this may be safe for legacy infrastructure where additional controls apply.
|
|
|
|
|
*/
|
|
|
|
|
// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
|
|
|
|
|
|
|
|
|
|
#if defined(TARGET_LIKE_MBED)
|
|
|
|
|
#include "mbedtls/target_config.h"
|
|
|
|
|
/**
|
|
|
|
|
* Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
|
|
|
|
|
* signature and ciphersuite selection. Without this build-time option, SHA-1
|
|
|
|
|
* support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
|
|
|
|
|
* The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
|
|
|
|
|
* default. At the time of writing, there is no practical attack on the use
|
|
|
|
|
* of SHA-1 in handshake signatures, hence this option is turned on by default
|
|
|
|
|
* for compatibility with existing peers.
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
|
|
|
|
|
|
|
|
|
|
/* \} name SECTION: Customisation configuration options */
|
|
|
|
|
|
|
|
|
|
/* Target and application specific configurations */
|
|
|
|
|
//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h"
|
|
|
|
|
|
|
|
|
|
#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
|
|
|
|
|
#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
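Review bot: The comment on `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE` in the last hunk should say how to turn the option off, because it is left defined while its sibling `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` is commented out, so a default build accepts SHA-1 in TLS 1.2 handshake signatures. Both blocks also lack the `\def` tag that the other options in this file carry; I would open them with `\def MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE` (and the `_IN_CERTIFICATES` equivalent) and close the key-exchange one with `Comment this macro to require an explicit mbedtls_ssl_conf_sig_hashes() call before SHA-1 is accepted in handshake signatures.` The certificate comment also has a wording slip: `because of it is possible to generte SHA-1 collisions` should read `because it is possible to generate SHA-1 collisions`. The page has lost its +/- markers, so which of these lines are new is inferred from the hunk header counts rather than read off the page.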