4 * \brief Configuration options (set of defines)
6 * This set of compile-time options may be used to enable
7 * or disable features selectively, and reduce the global
10 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
11 * SPDX-License-Identifier: GPL-2.0
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License along
24 * with this program; if not, write to the Free Software Foundation, Inc.,
25 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 * This file is part of mbed TLS (https://tls.mbed.org)
30 #ifndef MBEDTLS_CONFIG_H
31 #define MBEDTLS_CONFIG_H
33 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
34 //#define _CRT_SECURE_NO_DEPRECATE 1
38 * \name SECTION: System support
40 * This section sets system specific settings.
45 * \def MBEDTLS_HAVE_ASM
47 * The compiler has support for asm().
49 * Requires support for asm() in compiler.
54 * include/mbedtls/bn_mul.h
56 * Comment to disable the use of assembly code.
58 #define MBEDTLS_HAVE_ASM
61 * \def MBEDTLS_NO_UDBL_DIVISION
63 * The platform lacks support for double-width integer division (64-bit
64 * division on a 32-bit platform, 128-bit division on a 64-bit platform).
67 * include/mbedtls/bignum.h
70 * The bignum code uses double-width division to speed up some operations.
71 * Double-width division is often implemented in software that needs to
72 * be linked with the program. The presence of a double-width integer
73 * type is usually detected automatically through preprocessor macros,
74 * but the automatic detection cannot know whether the code needs to
75 * and can be linked with an implementation of division for that type.
76 * By default division is assumed to be usable if the type is present.
77 * Uncomment this option to prevent the use of double-width division.
79 * Note that division for the native integer type is always required.
80 * Furthermore, a 64-bit type is always required even on a 32-bit
81 * platform, but it need not support multiplication or division. In some
82 * cases it is also desirable to disable some double-width operations. For
83 * example, if double-width division is implemented in software, disabling
84 * it can reduce code size in some embedded targets.
86 //#define MBEDTLS_NO_UDBL_DIVISION
89 * \def MBEDTLS_HAVE_SSE2
91 * CPU supports SSE2 instruction set.
93 * Uncomment if the CPU supports SSE2 (IA-32 specific).
95 //#define MBEDTLS_HAVE_SSE2 /* We want to run on older hardware. TODO: This should be checked at runtime. */
98 * \def MBEDTLS_HAVE_TIME
100 * System has time.h and time().
101 * The time does not need to be correct, only time differences are used,
102 * by contrast with MBEDTLS_HAVE_TIME_DATE
104 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
105 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
106 * MBEDTLS_PLATFORM_STD_TIME.
108 * Comment if your system does not support time functions
110 //#define MBEDTLS_HAVE_TIME
113 * \def MBEDTLS_HAVE_TIME_DATE
115 * System has time.h and time(), gmtime() and the clock is correct.
116 * The time needs to be correct (not necesarily very accurate, but at least
117 * the date should be correct). This is used to verify the validity period of
118 * X.509 certificates.
120 * Comment if your system does not have a correct clock.
122 //#define MBEDTLS_HAVE_TIME_DATE
125 * \def MBEDTLS_PLATFORM_MEMORY
127 * Enable the memory allocation layer.
129 * By default mbed TLS uses the system-provided calloc() and free().
130 * This allows different allocators (self-implemented or provided) to be
131 * provided to the platform abstraction layer.
133 * Enabling MBEDTLS_PLATFORM_MEMORY without the
134 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
135 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
136 * free() function pointer at runtime.
138 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
139 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
140 * alternate function at compile time.
142 * Requires: MBEDTLS_PLATFORM_C
144 * Enable this layer to allow use of alternative memory allocators.
146 //#define MBEDTLS_PLATFORM_MEMORY
149 * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
151 * Do not assign standard functions in the platform layer (e.g. calloc() to
152 * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
154 * This makes sure there are no linking errors on platforms that do not support
155 * these functions. You will HAVE to provide alternatives, either at runtime
156 * via the platform_set_xxx() functions or at compile time by setting
157 * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
158 * MBEDTLS_PLATFORM_XXX_MACRO.
160 * Requires: MBEDTLS_PLATFORM_C
162 * Uncomment to prevent default assignment of standard functions in the
165 //#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
168 * \def MBEDTLS_PLATFORM_EXIT_ALT
170 * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
171 * function in the platform abstraction layer.
173 * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
174 * provide a function "mbedtls_platform_set_printf()" that allows you to set an
175 * alternative printf function pointer.
177 * All these define require MBEDTLS_PLATFORM_C to be defined!
179 * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;
180 * it will be enabled automatically by check_config.h
182 * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
183 * MBEDTLS_PLATFORM_XXX_MACRO!
185 * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
187 * Uncomment a macro to enable alternate implementation of specific base
190 //#define MBEDTLS_PLATFORM_EXIT_ALT
191 //#define MBEDTLS_PLATFORM_TIME_ALT
192 //#define MBEDTLS_PLATFORM_FPRINTF_ALT
193 //#define MBEDTLS_PLATFORM_PRINTF_ALT
194 //#define MBEDTLS_PLATFORM_SNPRINTF_ALT
195 //#define MBEDTLS_PLATFORM_NV_SEED_ALT
196 //#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
199 * \def MBEDTLS_DEPRECATED_WARNING
201 * Mark deprecated functions so that they generate a warning if used.
202 * Functions deprecated in one version will usually be removed in the next
203 * version. You can enable this to help you prepare the transition to a new
204 * major version by making sure your code is not using these functions.
206 * This only works with GCC and Clang. With other compilers, you may want to
207 * use MBEDTLS_DEPRECATED_REMOVED
209 * Uncomment to get warnings on using deprecated functions.
211 //#define MBEDTLS_DEPRECATED_WARNING
214 * \def MBEDTLS_DEPRECATED_REMOVED
216 * Remove deprecated functions so that they generate an error if used.
217 * Functions deprecated in one version will usually be removed in the next
218 * version. You can enable this to help you prepare the transition to a new
219 * major version by making sure your code is not using these functions.
221 * Uncomment to get errors on using deprecated functions.
223 #define MBEDTLS_DEPRECATED_REMOVED /* swyter: we are explictily using the new API set */
225 /* \} name SECTION: System support */
228 * \name SECTION: mbed TLS feature support
230 * This section sets support for features that are or are not needed
231 * within the modules that are enabled.
236 * \def MBEDTLS_TIMING_ALT
238 * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(),
239 * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay()
241 * Only works if you have MBEDTLS_TIMING_C enabled.
243 * You will need to provide a header "timing_alt.h" and an implementation at
246 //#define MBEDTLS_TIMING_ALT
249 * \def MBEDTLS_AES_ALT
251 * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
252 * alternate core implementation of a symmetric crypto, an arithmetic or hash
253 * module (e.g. platform specific assembly optimized implementations). Keep
254 * in mind that the function prototypes should remain the same.
256 * This replaces the whole module. If you only want to replace one of the
257 * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
259 * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer
260 * provide the "struct mbedtls_aes_context" definition and omit the base
261 * function declarations and implementations. "aes_alt.h" will be included from
262 * "aes.h" to include the new function definitions.
264 * Uncomment a macro to enable alternate implementation of the corresponding
267 //#define MBEDTLS_AES_ALT
268 //#define MBEDTLS_ARC4_ALT
269 //#define MBEDTLS_BLOWFISH_ALT
270 //#define MBEDTLS_CAMELLIA_ALT
271 //#define MBEDTLS_DES_ALT
272 //#define MBEDTLS_XTEA_ALT
273 //#define MBEDTLS_MD2_ALT
274 //#define MBEDTLS_MD4_ALT
275 //#define MBEDTLS_MD5_ALT
276 //#define MBEDTLS_RIPEMD160_ALT
277 //#define MBEDTLS_SHA1_ALT
278 //#define MBEDTLS_SHA256_ALT
279 //#define MBEDTLS_SHA512_ALT
281 * When replacing the elliptic curve module, pleace consider, that it is
282 * implemented with two .c files:
285 * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
286 * macros as described above. The only difference is that you have to make sure
287 * that you provide functionality for both .c files.
289 //#define MBEDTLS_ECP_ALT
292 * \def MBEDTLS_MD2_PROCESS_ALT
294 * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
295 * alternate core implementation of symmetric crypto or hash function. Keep in
296 * mind that function prototypes should remain the same.
298 * This replaces only one function. The header file from mbed TLS is still
299 * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
301 * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
302 * no longer provide the mbedtls_sha1_process() function, but it will still provide
303 * the other function (using your mbedtls_sha1_process() function) and the definition
304 * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
305 * with this definition.
307 * \note Because of a signature change, the core AES encryption and decryption routines are
308 * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
309 * respectively. When setting up alternative implementations, these functions should
310 * be overriden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
311 * must stay untouched.
313 * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
314 * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
317 * Uncomment a macro to enable alternate implementation of the corresponding
320 //#define MBEDTLS_MD2_PROCESS_ALT
321 //#define MBEDTLS_MD4_PROCESS_ALT
322 //#define MBEDTLS_MD5_PROCESS_ALT
323 //#define MBEDTLS_RIPEMD160_PROCESS_ALT
324 //#define MBEDTLS_SHA1_PROCESS_ALT
325 //#define MBEDTLS_SHA256_PROCESS_ALT
326 //#define MBEDTLS_SHA512_PROCESS_ALT
327 //#define MBEDTLS_DES_SETKEY_ALT
328 //#define MBEDTLS_DES_CRYPT_ECB_ALT
329 //#define MBEDTLS_DES3_CRYPT_ECB_ALT
330 //#define MBEDTLS_AES_SETKEY_ENC_ALT
331 //#define MBEDTLS_AES_SETKEY_DEC_ALT
332 //#define MBEDTLS_AES_ENCRYPT_ALT
333 //#define MBEDTLS_AES_DECRYPT_ALT
336 * \def MBEDTLS_ECP_INTERNAL_ALT
338 * Expose a part of the internal interface of the Elliptic Curve Point module.
340 * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
341 * alternative core implementation of elliptic curve arithmetic. Keep in mind
342 * that function prototypes should remain the same.
344 * This partially replaces one function. The header file from mbed TLS is still
345 * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
346 * is still present and it is used for group structures not supported by the
349 * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
350 * and implementing the following functions:
351 * unsigned char mbedtls_internal_ecp_grp_capable(
352 * const mbedtls_ecp_group *grp )
353 * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
354 * void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
355 * The mbedtls_internal_ecp_grp_capable function should return 1 if the
356 * replacement functions implement arithmetic for the given group and 0
358 * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
359 * called before and after each point operation and provide an opportunity to
360 * implement optimized set up and tear down instructions.
362 * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and
363 * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac
364 * function, but will use your mbedtls_internal_ecp_double_jac if the group is
365 * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when
366 * receives it as an argument). If the group is not supported then the original
367 * implementation is used. The other functions and the definition of
368 * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your
369 * implementation of mbedtls_internal_ecp_double_jac and
370 * mbedtls_internal_ecp_grp_capable must be compatible with this definition.
372 * Uncomment a macro to enable alternate implementation of the corresponding
375 /* Required for all the functions in this section */
376 //#define MBEDTLS_ECP_INTERNAL_ALT
377 /* Support for Weierstrass curves with Jacobi representation */
378 //#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
379 //#define MBEDTLS_ECP_ADD_MIXED_ALT
380 //#define MBEDTLS_ECP_DOUBLE_JAC_ALT
381 //#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
382 //#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
383 /* Support for curves with Montgomery arithmetic */
384 //#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
385 //#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
386 //#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
389 * \def MBEDTLS_TEST_NULL_ENTROPY
391 * Enables testing and use of mbed TLS without any configured entropy sources.
392 * This permits use of the library on platforms before an entropy source has
393 * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
394 * MBEDTLS_ENTROPY_NV_SEED switches).
396 * WARNING! This switch MUST be disabled in production builds, and is suitable
397 * only for development.
398 * Enabling the switch negates any security provided by the library.
400 * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
403 //#define MBEDTLS_TEST_NULL_ENTROPY
406 * \def MBEDTLS_ENTROPY_HARDWARE_ALT
408 * Uncomment this macro to let mbed TLS use your own implementation of a
409 * hardware entropy collector.
411 * Your function must be called \c mbedtls_hardware_poll(), have the same
412 * prototype as declared in entropy_poll.h, and accept NULL as first argument.
414 * Uncomment to use your own hardware entropy collector.
416 //#define MBEDTLS_ENTROPY_HARDWARE_ALT
419 * \def MBEDTLS_AES_ROM_TABLES
421 * Store the AES tables in ROM.
423 * Uncomment this macro to store the AES tables in ROM.
425 //#define MBEDTLS_AES_ROM_TABLES
428 * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
430 * Use less ROM for the Camellia implementation (saves about 768 bytes).
432 * Uncomment this macro to use less memory for Camellia.
434 //#define MBEDTLS_CAMELLIA_SMALL_MEMORY
437 * \def MBEDTLS_CIPHER_MODE_CBC
439 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
441 #define MBEDTLS_CIPHER_MODE_CBC
444 * \def MBEDTLS_CIPHER_MODE_CFB
446 * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
448 #define MBEDTLS_CIPHER_MODE_CFB
451 * \def MBEDTLS_CIPHER_MODE_CTR
453 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
455 #define MBEDTLS_CIPHER_MODE_CTR
458 * \def MBEDTLS_CIPHER_NULL_CIPHER
460 * Enable NULL cipher.
461 * Warning: Only do so when you know what you are doing. This allows for
462 * encryption or channels without any security!
464 * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
465 * the following ciphersuites:
466 * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
467 * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
468 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
469 * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
470 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
471 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
472 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
473 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
474 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
475 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
476 * MBEDTLS_TLS_RSA_WITH_NULL_SHA256
477 * MBEDTLS_TLS_RSA_WITH_NULL_SHA
478 * MBEDTLS_TLS_RSA_WITH_NULL_MD5
479 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
480 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
481 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
482 * MBEDTLS_TLS_PSK_WITH_NULL_SHA384
483 * MBEDTLS_TLS_PSK_WITH_NULL_SHA256
484 * MBEDTLS_TLS_PSK_WITH_NULL_SHA
486 * Uncomment this macro to enable the NULL cipher and ciphersuites
488 //#define MBEDTLS_CIPHER_NULL_CIPHER
491 * \def MBEDTLS_CIPHER_PADDING_PKCS7
493 * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
494 * specific padding modes in the cipher layer with cipher modes that support
497 * If you disable all padding modes, only full blocks can be used with CBC.
499 * Enable padding modes in the cipher layer.
501 #define MBEDTLS_CIPHER_PADDING_PKCS7
502 #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
503 #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
504 #define MBEDTLS_CIPHER_PADDING_ZEROS
507 * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
509 * Enable weak ciphersuites in SSL / TLS.
510 * Warning: Only do so when you know what you are doing. This allows for
511 * channels with virtually no security at all!
513 * This enables the following ciphersuites:
514 * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
515 * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
517 * Uncomment this macro to enable weak ciphersuites
519 //#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
522 * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES
524 * Remove RC4 ciphersuites by default in SSL / TLS.
525 * This flag removes the ciphersuites based on RC4 from the default list as
526 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
527 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
530 * Uncomment this macro to remove RC4 ciphersuites by default.
532 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
535 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
537 * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
538 * module. By default all supported curves are enabled.
540 * Comment macros to disable the curve and functions for it
542 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED
543 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED
544 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
545 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
546 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED
547 #define MBEDTLS_ECP_DP_SECP192K1_ENABLED
548 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED
549 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
550 #define MBEDTLS_ECP_DP_BP256R1_ENABLED
551 #define MBEDTLS_ECP_DP_BP384R1_ENABLED
552 #define MBEDTLS_ECP_DP_BP512R1_ENABLED
553 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
556 * \def MBEDTLS_ECP_NIST_OPTIM
558 * Enable specific 'modulo p' routines for each NIST prime.
559 * Depending on the prime and architecture, makes operations 4 to 8 times
560 * faster on the corresponding curve.
562 * Comment this macro to disable NIST curves optimisation.
564 #define MBEDTLS_ECP_NIST_OPTIM
567 * \def MBEDTLS_ECDSA_DETERMINISTIC
569 * Enable deterministic ECDSA (RFC 6979).
570 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing
571 * may result in a compromise of the long-term signing key. This is avoided by
572 * the deterministic variant.
574 * Requires: MBEDTLS_HMAC_DRBG_C
576 * Comment this macro to disable deterministic ECDSA.
578 #define MBEDTLS_ECDSA_DETERMINISTIC
581 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
583 * Enable the PSK based ciphersuite modes in SSL / TLS.
585 * This enables the following ciphersuites (if other requisites are
587 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
588 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
589 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
590 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
591 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
592 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
593 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
594 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
595 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
596 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
597 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
598 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
600 //#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED /* swyter: we don't need PSK-based ciphers for schannel */
603 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
605 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
607 * Requires: MBEDTLS_DHM_C
609 * This enables the following ciphersuites (if other requisites are
611 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
612 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
613 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
614 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
615 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
616 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
617 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
618 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
619 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
620 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
621 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
622 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
624 //#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED /* swyter: we don't need PSK-based ciphers for schannel */
627 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
629 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
631 * Requires: MBEDTLS_ECDH_C
633 * This enables the following ciphersuites (if other requisites are
635 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
636 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
637 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
638 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
639 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
640 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
641 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
642 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
644 //#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED /* swyter: we don't need PSK-based ciphers for schannel */
647 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
649 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
651 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
652 * MBEDTLS_X509_CRT_PARSE_C
654 * This enables the following ciphersuites (if other requisites are
656 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
657 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
658 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
659 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
660 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
661 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
662 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
663 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
664 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
665 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
666 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
667 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
669 //#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED /* swyter: we don't need PSK-based ciphers for schannel */
672 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
674 * Enable the RSA-only based ciphersuite modes in SSL / TLS.
676 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
677 * MBEDTLS_X509_CRT_PARSE_C
679 * This enables the following ciphersuites (if other requisites are
681 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
682 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
683 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
684 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
685 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
686 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
687 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
688 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
689 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
690 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
691 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
692 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
693 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
694 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
695 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
697 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
700 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
702 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
704 * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
705 * MBEDTLS_X509_CRT_PARSE_C
707 * This enables the following ciphersuites (if other requisites are
709 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
710 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
711 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
712 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
713 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
714 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
715 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
716 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
717 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
718 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
719 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
720 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
721 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
723 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
726 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
728 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
730 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
731 * MBEDTLS_X509_CRT_PARSE_C
733 * This enables the following ciphersuites (if other requisites are
735 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
736 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
737 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
738 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
739 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
740 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
741 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
742 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
743 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
744 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
745 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
746 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
748 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
751 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
753 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
755 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
757 * This enables the following ciphersuites (if other requisites are
759 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
760 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
761 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
762 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
763 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
764 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
765 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
766 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
767 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
768 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
769 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
770 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
772 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
775 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
777 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
779 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
781 * This enables the following ciphersuites (if other requisites are
783 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
784 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
785 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
786 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
787 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
788 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
789 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
790 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
791 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
792 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
793 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
794 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
796 #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
799 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
801 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
803 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
805 * This enables the following ciphersuites (if other requisites are
807 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
808 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
809 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
810 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
811 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
812 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
813 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
814 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
815 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
816 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
817 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
818 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
820 #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
823 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
825 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS.
827 * \warning This is currently experimental. EC J-PAKE support is based on the
828 * Thread v1.0.0 specification; incompatible changes to the specification
829 * might still happen. For this reason, this is disabled by default.
831 * Requires: MBEDTLS_ECJPAKE_C
833 * MBEDTLS_ECP_DP_SECP256R1_ENABLED
835 * This enables the following ciphersuites (if other requisites are
837 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
839 //#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
842 * \def MBEDTLS_PK_PARSE_EC_EXTENDED
844 * Enhance support for reading EC keys using variants of SEC1 not allowed by
845 * RFC 5915 and RFC 5480.
847 * Currently this means parsing the SpecifiedECDomain choice of EC
848 * parameters (only known groups are supported, not arbitrary domains, to
849 * avoid validation issues).
851 * Disable if you only need to support RFC 5915 + 5480 key formats.
853 #define MBEDTLS_PK_PARSE_EC_EXTENDED
856 * \def MBEDTLS_ERROR_STRERROR_DUMMY
858 * Enable a dummy error function to make use of mbedtls_strerror() in
859 * third party libraries easier when MBEDTLS_ERROR_C is disabled
860 * (no effect when MBEDTLS_ERROR_C is enabled).
862 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
863 * not using mbedtls_strerror() or error_strerror() in your application.
865 * Disable if you run into name conflicts and want to really remove the
868 #define MBEDTLS_ERROR_STRERROR_DUMMY
871 * \def MBEDTLS_GENPRIME
873 * Enable the prime-number generation code.
875 * Requires: MBEDTLS_BIGNUM_C
877 #define MBEDTLS_GENPRIME
882 * Enable functions that use the filesystem.
884 //#define MBEDTLS_FS_IO /* swyter: we don't have to access the filesystem directly in schannel */
887 * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
889 * Do not add default entropy sources. These are the platform specific,
890 * mbedtls_timing_hardclock and HAVEGE based poll functions.
892 * This is useful to have more control over the added entropy sources in an
895 * Uncomment this macro to prevent loading of default entropy functions.
897 //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
900 * \def MBEDTLS_NO_PLATFORM_ENTROPY
902 * Do not use built-in platform entropy functions.
903 * This is useful if your platform does not support
904 * standards like the /dev/urandom or Windows CryptoAPI.
906 * Uncomment this macro to disable the built-in platform entropy functions.
908 //#define MBEDTLS_NO_PLATFORM_ENTROPY
911 * \def MBEDTLS_ENTROPY_FORCE_SHA256
913 * Force the entropy accumulator to use a SHA-256 accumulator instead of the
914 * default SHA-512 based one (if both are available).
916 * Requires: MBEDTLS_SHA256_C
918 * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
919 * if you have performance concerns.
921 * This option is only useful if both MBEDTLS_SHA256_C and
922 * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
924 #define MBEDTLS_ENTROPY_FORCE_SHA256 /* swyter: ReactOS is primarily 32-bit only, this speeds it up notably */
927 * \def MBEDTLS_ENTROPY_NV_SEED
929 * Enable the non-volatile (NV) seed file-based entropy source.
930 * (Also enables the NV seed read/write functions in the platform layer)
932 * This is crucial (if not required) on systems that do not have a
933 * cryptographic entropy source (in hardware or kernel) available.
935 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
937 * \note The read/write functions that are used by the entropy source are
938 * determined in the platform layer, and can be modified at runtime and/or
939 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
941 * \note If you use the default implementation functions that read a seedfile
942 * with regular fopen(), please make sure you make a seedfile with the
943 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
944 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
945 * and written to or you will get an entropy source error! The default
946 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
947 * bytes from the file.
949 * \note The entropy collector will write to the seed file before entropy is
950 * given to an external source, to update it.
952 //#define MBEDTLS_ENTROPY_NV_SEED
955 * \def MBEDTLS_MEMORY_DEBUG
957 * Enable debugging of buffer allocator memory issues. Automatically prints
958 * (to stderr) all (fatal) messages on memory allocation issues. Enables
959 * function for 'debug output' of allocated memory.
961 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
963 * Uncomment this macro to let the buffer allocator print out error messages.
965 //#define MBEDTLS_MEMORY_DEBUG
968 * \def MBEDTLS_MEMORY_BACKTRACE
970 * Include backtrace information with each allocated block.
972 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
973 * GLIBC-compatible backtrace() an backtrace_symbols() support
975 * Uncomment this macro to include backtrace information
977 //#define MBEDTLS_MEMORY_BACKTRACE
980 * \def MBEDTLS_PK_RSA_ALT_SUPPORT
982 * Support external private RSA keys (eg from a HSM) in the PK layer.
984 * Comment this macro to disable support for external private RSA keys.
986 #define MBEDTLS_PK_RSA_ALT_SUPPORT
989 * \def MBEDTLS_PKCS1_V15
991 * Enable support for PKCS#1 v1.5 encoding.
993 * Requires: MBEDTLS_RSA_C
995 * This enables support for PKCS#1 v1.5 operations.
997 #define MBEDTLS_PKCS1_V15
1000 * \def MBEDTLS_PKCS1_V21
1002 * Enable support for PKCS#1 v2.1 encoding.
1004 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C
1006 * This enables support for RSAES-OAEP and RSASSA-PSS operations.
1008 #define MBEDTLS_PKCS1_V21
1011 * \def MBEDTLS_RSA_NO_CRT
1013 * Do not use the Chinese Remainder Theorem for the RSA private operation.
1015 * Uncomment this macro to disable the use of CRT in RSA.
1018 //#define MBEDTLS_RSA_NO_CRT
1021 * \def MBEDTLS_SELF_TEST
1023 * Enable the checkup functions (*_self_test).
1025 //#define MBEDTLS_SELF_TEST /* swyter: we don't need this, adds quite a bit of bloat */
1028 * \def MBEDTLS_SHA256_SMALLER
1030 * Enable an implementation of SHA-256 that has lower ROM footprint but also
1031 * lower performance.
1033 * The default implementation is meant to be a reasonnable compromise between
1034 * performance and size. This version optimizes more aggressively for size at
1035 * the expense of performance. Eg on Cortex-M4 it reduces the size of
1036 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
1039 * Uncomment to enable the smaller implementation of SHA256.
1041 //#define MBEDTLS_SHA256_SMALLER
1044 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
1046 * Enable sending of alert messages in case of encountered errors as per RFC.
1047 * If you choose not to send the alert messages, mbed TLS can still communicate
1048 * with other servers, only debugging of failures is harder.
1050 * The advantage of not sending alert messages, is that no information is given
1051 * about reasons for failures thus preventing adversaries of gaining intel.
1053 * Enable sending of all alert messages
1055 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
1058 * \def MBEDTLS_SSL_DEBUG_ALL
1060 * Enable the debug messages in SSL module for all issues.
1061 * Debug messages have been disabled in some places to prevent timing
1062 * attacks due to (unbalanced) debugging function calls.
1064 * If you need all error reporting you should enable this during debugging,
1065 * but remove this for production servers that should log as well.
1067 * Uncomment this macro to report all debug messages on errors introducing
1068 * a timing side-channel.
1071 //#define MBEDTLS_SSL_DEBUG_ALL /* swyter: we don't need that much verboseness that clogges up the dll with strings */
1073 /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
1075 * Enable support for Encrypt-then-MAC, RFC 7366.
1077 * This allows peers that both support it to use a more robust protection for
1078 * ciphersuites using CBC, providing deep resistance against timing attacks
1079 * on the padding or underlying cipher.
1081 * This only affects CBC ciphersuites, and is useless if none is defined.
1083 * Requires: MBEDTLS_SSL_PROTO_TLS1 or
1084 * MBEDTLS_SSL_PROTO_TLS1_1 or
1085 * MBEDTLS_SSL_PROTO_TLS1_2
1087 * Comment this macro to disable support for Encrypt-then-MAC
1089 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC
1091 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
1093 * Enable support for Extended Master Secret, aka Session Hash
1094 * (draft-ietf-tls-session-hash-02).
1096 * This was introduced as "the proper fix" to the Triple Handshake familiy of
1097 * attacks, but it is recommended to always use it (even if you disable
1098 * renegotiation), since it actually fixes a more fundamental issue in the
1099 * original SSL/TLS design, and has implications beyond Triple Handshake.
1101 * Requires: MBEDTLS_SSL_PROTO_TLS1 or
1102 * MBEDTLS_SSL_PROTO_TLS1_1 or
1103 * MBEDTLS_SSL_PROTO_TLS1_2
1105 * Comment this macro to disable support for Extended Master Secret.
1107 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
1110 * \def MBEDTLS_SSL_FALLBACK_SCSV
1112 * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
1114 * For servers, it is recommended to always enable this, unless you support
1115 * only one version of TLS, or know for sure that none of your clients
1116 * implements a fallback strategy.
1118 * For clients, you only need this if you're using a fallback strategy, which
1119 * is not recommended in the first place, unless you absolutely need it to
1120 * interoperate with buggy (version-intolerant) servers.
1122 * Comment this macro to disable support for FALLBACK_SCSV
1124 //#define MBEDTLS_SSL_FALLBACK_SCSV /* swyter: as the description says, we don't need this for clients */
1127 * \def MBEDTLS_SSL_HW_RECORD_ACCEL
1129 * Enable hooking functions in SSL module for hardware acceleration of
1130 * individual records.
1132 * Uncomment this macro to enable hooking functions.
1134 //#define MBEDTLS_SSL_HW_RECORD_ACCEL
1137 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
1139 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
1141 * This is a countermeasure to the BEAST attack, which also minimizes the risk
1142 * of interoperability issues compared to sending 0-length records.
1144 * Comment this macro to disable 1/n-1 record splitting.
1146 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING
1149 * \def MBEDTLS_SSL_RENEGOTIATION
1151 * Disable support for TLS renegotiation.
1153 * The two main uses of renegotiation are (1) refresh keys on long-lived
1154 * connections and (2) client authentication after the initial handshake.
1155 * If you don't need renegotiation, it's probably better to disable it, since
1156 * it has been associated with security issues in the past and is easy to
1157 * misuse/misunderstand.
1159 * Comment this to disable support for renegotiation.
1161 #define MBEDTLS_SSL_RENEGOTIATION
1164 * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
1166 * Enable support for receiving and parsing SSLv2 Client Hello messages for the
1167 * SSL Server module (MBEDTLS_SSL_SRV_C).
1169 * Uncomment this macro to enable support for SSLv2 Client Hello messages.
1171 //#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO /* swyter: we don't need anything server-related */
1174 * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
1176 * Pick the ciphersuite according to the client's preferences rather than ours
1177 * in the SSL Server module (MBEDTLS_SSL_SRV_C).
1179 * Uncomment this macro to respect client's ciphersuite order
1181 //#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE /* swyter: we don't need anything server-related */
1184 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1186 * Enable support for RFC 6066 max_fragment_length extension in SSL.
1188 * Comment this macro to disable support for the max_fragment_length extension
1190 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1193 * \def MBEDTLS_SSL_PROTO_SSL3
1195 * Enable support for SSL 3.0.
1197 * Requires: MBEDTLS_MD5_C
1200 * Comment this macro to disable support for SSL 3.0
1202 //#define MBEDTLS_SSL_PROTO_SSL3 /* swyter: this is potentially insecure and should remain ethernaly disabled */
1205 * \def MBEDTLS_SSL_PROTO_TLS1
1207 * Enable support for TLS 1.0.
1209 * Requires: MBEDTLS_MD5_C
1212 * Comment this macro to disable support for TLS 1.0
1214 #define MBEDTLS_SSL_PROTO_TLS1
1217 * \def MBEDTLS_SSL_PROTO_TLS1_1
1219 * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
1221 * Requires: MBEDTLS_MD5_C
1224 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
1226 #define MBEDTLS_SSL_PROTO_TLS1_1
1229 * \def MBEDTLS_SSL_PROTO_TLS1_2
1231 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
1233 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
1234 * (Depends on ciphersuites)
1236 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
1238 #define MBEDTLS_SSL_PROTO_TLS1_2
1241 * \def MBEDTLS_SSL_PROTO_DTLS
1243 * Enable support for DTLS (all available versions).
1245 * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0,
1246 * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
1248 * Requires: MBEDTLS_SSL_PROTO_TLS1_1
1249 * or MBEDTLS_SSL_PROTO_TLS1_2
1251 * Comment this macro to disable support for DTLS
1253 //#define MBEDTLS_SSL_PROTO_DTLS /* swyter: schannel does not support UDP sockets, DTLS is useless */
1256 * \def MBEDTLS_SSL_ALPN
1258 * Enable support for RFC 7301 Application Layer Protocol Negotiation.
1260 * Comment this macro to disable support for ALPN.
1262 #define MBEDTLS_SSL_ALPN
1265 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
1267 * Enable support for the anti-replay mechanism in DTLS.
1269 * Requires: MBEDTLS_SSL_TLS_C
1270 * MBEDTLS_SSL_PROTO_DTLS
1272 * \warning Disabling this is often a security risk!
1273 * See mbedtls_ssl_conf_dtls_anti_replay() for details.
1275 * Comment this to disable anti-replay in DTLS.
1277 //#define MBEDTLS_SSL_DTLS_ANTI_REPLAY /* swyter: schannel does not support UDP sockets, DTLS is useless */
1280 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
1282 * Enable support for HelloVerifyRequest on DTLS servers.
1284 * This feature is highly recommended to prevent DTLS servers being used as
1285 * amplifiers in DoS attacks against other hosts. It should always be enabled
1286 * unless you know for sure amplification cannot be a problem in the
1287 * environment in which your server operates.
1289 * \warning Disabling this can ba a security risk! (see above)
1291 * Requires: MBEDTLS_SSL_PROTO_DTLS
1293 * Comment this to disable support for HelloVerifyRequest.
1295 //#define MBEDTLS_SSL_DTLS_HELLO_VERIFY /* swyter: schannel does not support UDP sockets, DTLS is useless */
1298 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
1300 * Enable server-side support for clients that reconnect from the same port.
1302 * Some clients unexpectedly close the connection and try to reconnect using the
1303 * same source port. This needs special support from the server to handle the
1304 * new connection securely, as described in section 4.2.8 of RFC 6347. This
1305 * flag enables that support.
1307 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
1309 * Comment this to disable support for clients reusing the source port.
1311 //#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE /* swyter: schannel does not support UDP sockets, DTLS is useless */
1314 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
1316 * Enable support for a limit of records with bad MAC.
1318 * See mbedtls_ssl_conf_dtls_badmac_limit().
1320 * Requires: MBEDTLS_SSL_PROTO_DTLS
1322 //#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT /* swyter: schannel does not support UDP sockets, DTLS is useless */
1325 * \def MBEDTLS_SSL_SESSION_TICKETS
1327 * Enable support for RFC 5077 session tickets in SSL.
1328 * Client-side, provides full support for session tickets (maintainance of a
1329 * session store remains the responsibility of the application, though).
1330 * Server-side, you also need to provide callbacks for writing and parsing
1331 * tickets, including authenticated encryption and key management. Example
1332 * callbacks are provided by MBEDTLS_SSL_TICKET_C.
1334 * Comment this macro to disable support for SSL session tickets
1336 #define MBEDTLS_SSL_SESSION_TICKETS
1339 * \def MBEDTLS_SSL_EXPORT_KEYS
1341 * Enable support for exporting key block and master secret.
1342 * This is required for certain users of TLS, e.g. EAP-TLS.
1344 * Comment this macro to disable support for key export
1346 //#define MBEDTLS_SSL_EXPORT_KEYS
1349 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
1351 * Enable support for RFC 6066 server name indication (SNI) in SSL.
1353 * Requires: MBEDTLS_X509_CRT_PARSE_C
1355 * Comment this macro to disable support for server name indication in SSL
1357 #define MBEDTLS_SSL_SERVER_NAME_INDICATION
1360 * \def MBEDTLS_SSL_TRUNCATED_HMAC
1362 * Enable support for RFC 6066 truncated HMAC in SSL.
1364 * Comment this macro to disable support for truncated HMAC in SSL
1366 #define MBEDTLS_SSL_TRUNCATED_HMAC
1369 * \def MBEDTLS_THREADING_ALT
1371 * Provide your own alternate threading implementation.
1373 * Requires: MBEDTLS_THREADING_C
1375 * Uncomment this to allow your own alternate threading implementation.
1377 //#define MBEDTLS_THREADING_ALT
1380 * \def MBEDTLS_THREADING_PTHREAD
1382 * Enable the pthread wrapper layer for the threading layer.
1384 * Requires: MBEDTLS_THREADING_C
1386 * Uncomment this to enable pthread mutexes.
1388 //#define MBEDTLS_THREADING_PTHREAD
1391 * \def MBEDTLS_VERSION_FEATURES
1393 * Allow run-time checking of compile-time enabled features. Thus allowing users
1394 * to check at run-time if the library is for instance compiled with threading
1395 * support via mbedtls_version_check_feature().
1397 * Requires: MBEDTLS_VERSION_C
1399 * Comment this to disable run-time checking and save ROM space
1401 //#define MBEDTLS_VERSION_FEATURES
1404 * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
1406 * If set, the X509 parser will not break-off when parsing an X509 certificate
1407 * and encountering an extension in a v1 or v2 certificate.
1409 * Uncomment to prevent an error.
1411 //#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
1414 * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
1416 * If set, the X509 parser will not break-off when parsing an X509 certificate
1417 * and encountering an unknown critical extension.
1419 * \warning Depending on your PKI use, enabling this can be a security risk!
1421 * Uncomment to prevent an error.
1423 //#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
1426 * \def MBEDTLS_X509_CHECK_KEY_USAGE
1428 * Enable verification of the keyUsage extension (CA and leaf certificates).
1430 * Disabling this avoids problems with mis-issued and/or misused
1431 * (intermediate) CA and leaf certificates.
1433 * \warning Depending on your PKI use, disabling this can be a security risk!
1435 * Comment to skip keyUsage checking for both CA and leaf certificates.
1437 #define MBEDTLS_X509_CHECK_KEY_USAGE
1440 * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
1442 * Enable verification of the extendedKeyUsage extension (leaf certificates).
1444 * Disabling this avoids problems with mis-issued and/or misused certificates.
1446 * \warning Depending on your PKI use, disabling this can be a security risk!
1448 * Comment to skip extendedKeyUsage checking for certificates.
1450 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
1453 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
1455 * Enable parsing and verification of X.509 certificates, CRLs and CSRS
1456 * signed with RSASSA-PSS (aka PKCS#1 v2.1).
1458 * Comment this macro to disallow using RSASSA-PSS in certificates.
1460 #define MBEDTLS_X509_RSASSA_PSS_SUPPORT
1463 * \def MBEDTLS_ZLIB_SUPPORT
1465 * If set, the SSL/TLS module uses ZLIB to support compression and
1466 * decompression of packet data.
1468 * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
1469 * CRIME attack. Before enabling this option, you should examine with care if
1470 * CRIME or similar exploits may be a applicable to your use case.
1472 * \note Currently compression can't be used with DTLS.
1474 * Used in: library/ssl_tls.c
1478 * This feature requires zlib library and headers to be present.
1480 * Uncomment to enable use of ZLIB
1482 //#define MBEDTLS_ZLIB_SUPPORT
1483 /* \} name SECTION: mbed TLS feature support */
1486 * \name SECTION: mbed TLS modules
1488 * This section enables or disables entire modules in mbed TLS
1493 * \def MBEDTLS_AESNI_C
1495 * Enable AES-NI support on x86-64.
1497 * Module: library/aesni.c
1498 * Caller: library/aes.c
1500 * Requires: MBEDTLS_HAVE_ASM
1502 * This modules adds support for the AES-NI instructions on x86-64
1504 #define MBEDTLS_AESNI_C /* swyter: looks like these AMD64 improvements are behind an arch macro, better perf is always good */
1507 * \def MBEDTLS_AES_C
1509 * Enable the AES block cipher.
1511 * Module: library/aes.c
1512 * Caller: library/ssl_tls.c
1514 * library/ctr_drbg.c
1516 * This module enables the following ciphersuites (if other requisites are
1518 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
1519 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
1520 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
1521 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
1522 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
1523 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
1524 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
1525 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
1526 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
1527 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
1528 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
1529 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
1530 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
1531 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
1532 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
1533 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
1534 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
1535 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
1536 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
1537 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
1538 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
1539 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
1540 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
1541 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
1542 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
1543 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
1544 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
1545 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
1546 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
1547 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
1548 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
1549 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
1550 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
1551 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
1552 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
1553 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
1554 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
1555 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
1556 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
1557 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
1558 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
1559 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
1560 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
1561 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
1562 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
1563 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
1564 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
1565 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
1566 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
1567 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
1568 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
1569 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
1570 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
1571 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
1572 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
1573 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
1574 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
1575 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
1577 * PEM_PARSE uses AES for decrypting encrypted keys.
1579 #define MBEDTLS_AES_C
1582 * \def MBEDTLS_ARC4_C
1584 * Enable the ARCFOUR stream cipher.
1586 * Module: library/arc4.c
1587 * Caller: library/ssl_tls.c
1589 * This module enables the following ciphersuites (if other requisites are
1591 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
1592 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
1593 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
1594 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
1595 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
1596 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
1597 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
1598 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
1599 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
1600 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
1602 #define MBEDTLS_ARC4_C
1605 * \def MBEDTLS_ASN1_PARSE_C
1607 * Enable the generic ASN1 parser.
1609 * Module: library/asn1.c
1610 * Caller: library/x509.c
1616 #define MBEDTLS_ASN1_PARSE_C
1619 * \def MBEDTLS_ASN1_WRITE_C
1621 * Enable the generic ASN1 writer.
1623 * Module: library/asn1write.c
1624 * Caller: library/ecdsa.c
1626 * library/x509_create.c
1627 * library/x509write_crt.c
1628 * library/x509write_csr.c
1630 #define MBEDTLS_ASN1_WRITE_C
1633 * \def MBEDTLS_BASE64_C
1635 * Enable the Base64 module.
1637 * Module: library/base64.c
1638 * Caller: library/pem.c
1640 * This module is required for PEM support (required by X.509).
1642 //#define MBEDTLS_BASE64_C
1645 * \def MBEDTLS_BIGNUM_C
1647 * Enable the multi-precision integer library.
1649 * Module: library/bignum.c
1650 * Caller: library/dhm.c
1656 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
1658 #define MBEDTLS_BIGNUM_C
1661 * \def MBEDTLS_BLOWFISH_C
1663 * Enable the Blowfish block cipher.
1665 * Module: library/blowfish.c
1667 #define MBEDTLS_BLOWFISH_C
1670 * \def MBEDTLS_CAMELLIA_C
1672 * Enable the Camellia block cipher.
1674 * Module: library/camellia.c
1675 * Caller: library/ssl_tls.c
1677 * This module enables the following ciphersuites (if other requisites are
1679 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
1680 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
1681 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
1682 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
1683 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
1684 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
1685 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
1686 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
1687 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
1688 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
1689 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
1690 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
1691 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
1692 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
1693 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
1694 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
1695 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
1696 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
1697 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
1698 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
1699 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
1700 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
1701 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
1702 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
1703 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
1704 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
1705 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
1706 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
1707 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
1708 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
1709 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
1710 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
1711 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
1712 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
1713 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
1714 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
1715 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
1716 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
1717 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
1718 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
1719 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
1720 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
1722 #define MBEDTLS_CAMELLIA_C
1725 * \def MBEDTLS_CCM_C
1727 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
1729 * Module: library/ccm.c
1731 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
1733 * This module enables the AES-CCM ciphersuites, if other requisites are
1736 #define MBEDTLS_CCM_C
1739 * \def MBEDTLS_CERTS_C
1741 * Enable the test certificates.
1743 * Module: library/certs.c
1746 * This module is used for testing (ssl_client/server).
1748 //#define MBEDTLS_CERTS_C /* swyter: these test certs are completely useless */
1751 * \def MBEDTLS_CIPHER_C
1753 * Enable the generic cipher layer.
1755 * Module: library/cipher.c
1756 * Caller: library/ssl_tls.c
1758 * Uncomment to enable generic cipher wrappers.
1760 #define MBEDTLS_CIPHER_C
1763 * \def MBEDTLS_CMAC_C
1765 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
1768 * Module: library/cmac.c
1770 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
1773 //#define MBEDTLS_CMAC_C
1776 * \def MBEDTLS_CTR_DRBG_C
1778 * Enable the CTR_DRBG AES-256-based random generator.
1780 * Module: library/ctr_drbg.c
1783 * Requires: MBEDTLS_AES_C
1785 * This module provides the CTR_DRBG AES-256 random number generator.
1787 #define MBEDTLS_CTR_DRBG_C
1790 * \def MBEDTLS_DEBUG_C
1792 * Enable the debug functions.
1794 * Module: library/debug.c
1795 * Caller: library/ssl_cli.c
1799 * This module provides debugging functions.
1802 #define MBEDTLS_DEBUG_C /* swyter: we don't even need this level of verboseness, useful only when developing */
1806 * \def MBEDTLS_DES_C
1808 * Enable the DES block cipher.
1810 * Module: library/des.c
1811 * Caller: library/pem.c
1814 * This module enables the following ciphersuites (if other requisites are
1816 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
1817 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
1818 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
1819 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
1820 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
1821 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
1822 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
1823 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
1824 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
1825 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
1827 * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
1829 #define MBEDTLS_DES_C
1832 * \def MBEDTLS_DHM_C
1834 * Enable the Diffie-Hellman-Merkle module.
1836 * Module: library/dhm.c
1837 * Caller: library/ssl_cli.c
1840 * This module is used by the following key exchanges:
1843 #define MBEDTLS_DHM_C
1846 * \def MBEDTLS_ECDH_C
1848 * Enable the elliptic curve Diffie-Hellman library.
1850 * Module: library/ecdh.c
1851 * Caller: library/ssl_cli.c
1854 * This module is used by the following key exchanges:
1855 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
1857 * Requires: MBEDTLS_ECP_C
1859 #define MBEDTLS_ECDH_C
1862 * \def MBEDTLS_ECDSA_C
1864 * Enable the elliptic curve DSA library.
1866 * Module: library/ecdsa.c
1869 * This module is used by the following key exchanges:
1872 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
1874 #define MBEDTLS_ECDSA_C
1877 * \def MBEDTLS_ECJPAKE_C
1879 * Enable the elliptic curve J-PAKE library.
1881 * \warning This is currently experimental. EC J-PAKE support is based on the
1882 * Thread v1.0.0 specification; incompatible changes to the specification
1883 * might still happen. For this reason, this is disabled by default.
1885 * Module: library/ecjpake.c
1888 * This module is used by the following key exchanges:
1891 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
1893 //#define MBEDTLS_ECJPAKE_C
1896 * \def MBEDTLS_ECP_C
1898 * Enable the elliptic curve over GF(p) library.
1900 * Module: library/ecp.c
1901 * Caller: library/ecdh.c
1905 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
1907 #define MBEDTLS_ECP_C
1910 * \def MBEDTLS_ENTROPY_C
1912 * Enable the platform-specific entropy code.
1914 * Module: library/entropy.c
1917 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
1919 * This module provides a generic entropy pool
1921 #define MBEDTLS_ENTROPY_C
1924 * \def MBEDTLS_ERROR_C
1926 * Enable error code to error string conversion.
1928 * Module: library/error.c
1931 * This module enables mbedtls_strerror().
1933 //#define MBEDTLS_ERROR_C /* swyter: we don't print user errors, so this trims some fat */
1936 * \def MBEDTLS_GCM_C
1938 * Enable the Galois/Counter Mode (GCM) for AES.
1940 * Module: library/gcm.c
1942 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
1944 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
1945 * requisites are enabled as well.
1947 #define MBEDTLS_GCM_C
1950 * \def MBEDTLS_HAVEGE_C
1952 * Enable the HAVEGE random generator.
1954 * Warning: the HAVEGE random generator is not suitable for virtualized
1957 * Warning: the HAVEGE random generator is dependent on timing and specific
1958 * processor traits. It is therefore not advised to use HAVEGE as
1959 * your applications primary random generator or primary entropy pool
1960 * input. As a secondary input to your entropy pool, it IS able add
1961 * the (limited) extra entropy it provides.
1963 * Module: library/havege.c
1966 * Requires: MBEDTLS_TIMING_C
1968 * Uncomment to enable the HAVEGE random generator.
1970 //#define MBEDTLS_HAVEGE_C
1973 * \def MBEDTLS_HMAC_DRBG_C
1975 * Enable the HMAC_DRBG random generator.
1977 * Module: library/hmac_drbg.c
1980 * Requires: MBEDTLS_MD_C
1982 * Uncomment to enable the HMAC_DRBG random number geerator.
1984 #define MBEDTLS_HMAC_DRBG_C
1989 * Enable the generic message digest layer.
1991 * Module: library/md.c
1994 * Uncomment to enable generic message digest wrappers.
1996 #define MBEDTLS_MD_C
1999 * \def MBEDTLS_MD2_C
2001 * Enable the MD2 hash algorithm.
2003 * Module: library/md2.c
2006 * Uncomment to enable support for (rare) MD2-signed X.509 certs.
2008 //#define MBEDTLS_MD2_C
2011 * \def MBEDTLS_MD4_C
2013 * Enable the MD4 hash algorithm.
2015 * Module: library/md4.c
2018 * Uncomment to enable support for (rare) MD4-signed X.509 certs.
2020 //#define MBEDTLS_MD4_C
2023 * \def MBEDTLS_MD5_C
2025 * Enable the MD5 hash algorithm.
2027 * Module: library/md5.c
2028 * Caller: library/md.c
2032 * This module is required for SSL/TLS and X.509.
2033 * PEM_PARSE uses MD5 for decrypting encrypted keys.
2035 #define MBEDTLS_MD5_C
2038 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
2040 * Enable the buffer allocator implementation that makes use of a (stack)
2041 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
2044 * Module: library/memory_buffer_alloc.c
2046 * Requires: MBEDTLS_PLATFORM_C
2047 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
2049 * Enable this module to enable the buffer memory allocator.
2051 //#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
2054 * \def MBEDTLS_NET_C
2056 * Enable the TCP and UDP over IPv6/IPv4 networking routines.
2058 * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
2059 * and Windows. For other platforms, you'll want to disable it, and write your
2060 * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
2062 * \note See also our Knowledge Base article about porting to a new
2064 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
2066 * Module: library/net_sockets.c
2068 * This module provides networking routines.
2070 //#define MBEDTLS_NET_C /* swyter: we don't use the network routines, in fact in schannel we replace them with our own shim to forward the managed network buffers */
2073 * \def MBEDTLS_OID_C
2075 * Enable the OID database.
2077 * Module: library/oid.c
2078 * Caller: library/asn1write.c
2084 * library/x509_create.c
2085 * library/x509_crl.c
2086 * library/x509_crt.c
2087 * library/x509_csr.c
2088 * library/x509write_crt.c
2089 * library/x509write_csr.c
2091 * This modules translates between OIDs and internal values.
2093 #define MBEDTLS_OID_C
2096 * \def MBEDTLS_PADLOCK_C
2098 * Enable VIA Padlock support on x86.
2100 * Module: library/padlock.c
2101 * Caller: library/aes.c
2103 * Requires: MBEDTLS_HAVE_ASM
2105 * This modules adds support for the VIA PadLock on x86.
2107 #define MBEDTLS_PADLOCK_C
2110 * \def MBEDTLS_PEM_PARSE_C
2112 * Enable PEM decoding / parsing.
2114 * Module: library/pem.c
2115 * Caller: library/dhm.c
2117 * library/x509_crl.c
2118 * library/x509_crt.c
2119 * library/x509_csr.c
2121 * Requires: MBEDTLS_BASE64_C
2123 * This modules adds support for decoding / parsing PEM files.
2125 //#define MBEDTLS_PEM_PARSE_C /* swyter: we don't do any PEM decoding */
2128 * \def MBEDTLS_PEM_WRITE_C
2130 * Enable PEM encoding / writing.
2132 * Module: library/pem.c
2133 * Caller: library/pkwrite.c
2134 * library/x509write_crt.c
2135 * library/x509write_csr.c
2137 * Requires: MBEDTLS_BASE64_C
2139 * This modules adds support for encoding / writing PEM files.
2141 //#define MBEDTLS_PEM_WRITE_C /* swyter: we don't do any PEM decoding */
2146 * Enable the generic public (asymetric) key layer.
2148 * Module: library/pk.c
2149 * Caller: library/ssl_tls.c
2153 * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
2155 * Uncomment to enable generic public key wrappers.
2157 #define MBEDTLS_PK_C
2160 * \def MBEDTLS_PK_PARSE_C
2162 * Enable the generic public (asymetric) key parser.
2164 * Module: library/pkparse.c
2165 * Caller: library/x509_crt.c
2166 * library/x509_csr.c
2168 * Requires: MBEDTLS_PK_C
2170 * Uncomment to enable generic public key parse functions.
2172 #define MBEDTLS_PK_PARSE_C
2175 * \def MBEDTLS_PK_WRITE_C
2177 * Enable the generic public (asymetric) key writer.
2179 * Module: library/pkwrite.c
2180 * Caller: library/x509write.c
2182 * Requires: MBEDTLS_PK_C
2184 * Uncomment to enable generic public key write functions.
2186 //#define MBEDTLS_PK_WRITE_C /* swyter: we don't write any PK */
2189 * \def MBEDTLS_PKCS5_C
2191 * Enable PKCS#5 functions.
2193 * Module: library/pkcs5.c
2195 * Requires: MBEDTLS_MD_C
2197 * This module adds support for the PKCS#5 functions.
2199 #define MBEDTLS_PKCS5_C
2202 * \def MBEDTLS_PKCS11_C
2204 * Enable wrapper for PKCS#11 smartcard support.
2206 * Module: library/pkcs11.c
2207 * Caller: library/pk.c
2209 * Requires: MBEDTLS_PK_C
2211 * This module enables SSL/TLS PKCS #11 smartcard support.
2212 * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
2214 //#define MBEDTLS_PKCS11_C
2217 * \def MBEDTLS_PKCS12_C
2219 * Enable PKCS#12 PBE functions.
2220 * Adds algorithms for parsing PKCS#8 encrypted private keys
2222 * Module: library/pkcs12.c
2223 * Caller: library/pkparse.c
2225 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C
2226 * Can use: MBEDTLS_ARC4_C
2228 * This module enables PKCS#12 functions.
2230 #define MBEDTLS_PKCS12_C
2233 * \def MBEDTLS_PLATFORM_C
2235 * Enable the platform abstraction layer that allows you to re-assign
2236 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
2238 * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
2239 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
2240 * above to be specified at runtime or compile time respectively.
2242 * \note This abstraction layer must be enabled on Windows (including MSYS2)
2243 * as other module rely on it for a fixed snprintf implementation.
2245 * Module: library/platform.c
2246 * Caller: Most other .c files
2248 * This module enables abstraction of common (libc) functions.
2250 #define MBEDTLS_PLATFORM_C
2253 * \def MBEDTLS_RIPEMD160_C
2255 * Enable the RIPEMD-160 hash algorithm.
2257 * Module: library/ripemd160.c
2258 * Caller: library/md.c
2261 #define MBEDTLS_RIPEMD160_C
2264 * \def MBEDTLS_RSA_C
2266 * Enable the RSA public-key cryptosystem.
2268 * Module: library/rsa.c
2269 * Caller: library/ssl_cli.c
2274 * This module is used by the following key exchanges:
2275 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
2277 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
2279 #define MBEDTLS_RSA_C
2282 * \def MBEDTLS_SHA1_C
2284 * Enable the SHA1 cryptographic hash algorithm.
2286 * Module: library/sha1.c
2287 * Caller: library/md.c
2291 * library/x509write_crt.c
2293 * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
2294 * depending on the handshake parameters, and for SHA1-signed certificates.
2296 #define MBEDTLS_SHA1_C
2299 * \def MBEDTLS_SHA256_C
2301 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
2303 * Module: library/sha256.c
2304 * Caller: library/entropy.c
2310 * This module adds support for SHA-224 and SHA-256.
2311 * This module is required for the SSL/TLS 1.2 PRF function.
2313 #define MBEDTLS_SHA256_C
2316 * \def MBEDTLS_SHA512_C
2318 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
2320 * Module: library/sha512.c
2321 * Caller: library/entropy.c
2326 * This module adds support for SHA-384 and SHA-512.
2328 #define MBEDTLS_SHA512_C
2331 * \def MBEDTLS_SSL_CACHE_C
2333 * Enable simple SSL cache implementation.
2335 * Module: library/ssl_cache.c
2338 * Requires: MBEDTLS_SSL_CACHE_C
2340 //#define MBEDTLS_SSL_CACHE_C /* swyter: we don't make use of this caching mechanism, as the WINE schannel API does not expose it */
2343 * \def MBEDTLS_SSL_COOKIE_C
2345 * Enable basic implementation of DTLS cookies for hello verification.
2347 * Module: library/ssl_cookie.c
2350 //#define MBEDTLS_SSL_COOKIE_C /* swyter: schannel does not support UDP sockets, DTLS is useless */
2353 * \def MBEDTLS_SSL_TICKET_C
2355 * Enable an implementation of TLS server-side callbacks for session tickets.
2357 * Module: library/ssl_ticket.c
2360 * Requires: MBEDTLS_CIPHER_C
2362 #define MBEDTLS_SSL_TICKET_C
2365 * \def MBEDTLS_SSL_CLI_C
2367 * Enable the SSL/TLS client code.
2369 * Module: library/ssl_cli.c
2372 * Requires: MBEDTLS_SSL_TLS_C
2374 * This module is required for SSL/TLS client support.
2376 #define MBEDTLS_SSL_CLI_C
2379 * \def MBEDTLS_SSL_SRV_C
2381 * Enable the SSL/TLS server code.
2383 * Module: library/ssl_srv.c
2386 * Requires: MBEDTLS_SSL_TLS_C
2388 * This module is required for SSL/TLS server support.
2390 //#define MBEDTLS_SSL_SRV_C /* swyter: we don't need anything server-related */
2393 * \def MBEDTLS_SSL_TLS_C
2395 * Enable the generic SSL/TLS code.
2397 * Module: library/ssl_tls.c
2398 * Caller: library/ssl_cli.c
2401 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
2402 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines
2404 * This module is required for SSL/TLS.
2406 #define MBEDTLS_SSL_TLS_C
2409 * \def MBEDTLS_THREADING_C
2411 * Enable the threading abstraction layer.
2412 * By default mbed TLS assumes it is used in a non-threaded environment or that
2413 * contexts are not shared between threads. If you do intend to use contexts
2414 * between threads, you will need to enable this layer to prevent race
2415 * conditions. See also our Knowledge Base article about threading:
2416 * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
2418 * Module: library/threading.c
2420 * This allows different threading implementations (self-implemented or
2423 * You will have to enable either MBEDTLS_THREADING_ALT or
2424 * MBEDTLS_THREADING_PTHREAD.
2426 * Enable this layer to allow use of mutexes within mbed TLS
2428 //#define MBEDTLS_THREADING_C
2431 * \def MBEDTLS_TIMING_C
2433 * Enable the semi-portable timing interface.
2435 * \note The provided implementation only works on POSIX/Unix (including Linux,
2436 * BSD and OS X) and Windows. On other platforms, you can either disable that
2437 * module and provide your own implementations of the callbacks needed by
2438 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
2439 * your own implementation of the whole module by setting
2440 * \c MBEDTLS_TIMING_ALT in the current file.
2442 * \note See also our Knowledge Base article about porting to a new
2444 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
2446 * Module: library/timing.c
2447 * Caller: library/havege.c
2449 * This module is used by the HAVEGE random number generator.
2451 #define MBEDTLS_TIMING_C
2454 * \def MBEDTLS_VERSION_C
2456 * Enable run-time version information.
2458 * Module: library/version.c
2460 * This module provides run-time version information.
2462 //#define MBEDTLS_VERSION_C /* swyter: we don't use these functions, so it's a waste of space */
2465 * \def MBEDTLS_X509_USE_C
2467 * Enable X.509 core for using certificates.
2469 * Module: library/x509.c
2470 * Caller: library/x509_crl.c
2471 * library/x509_crt.c
2472 * library/x509_csr.c
2474 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
2475 * MBEDTLS_PK_PARSE_C
2477 * This module is required for the X.509 parsing modules.
2479 #define MBEDTLS_X509_USE_C
2482 * \def MBEDTLS_X509_CRT_PARSE_C
2484 * Enable X.509 certificate parsing.
2486 * Module: library/x509_crt.c
2487 * Caller: library/ssl_cli.c
2491 * Requires: MBEDTLS_X509_USE_C
2493 * This module is required for X.509 certificate parsing.
2495 #define MBEDTLS_X509_CRT_PARSE_C
2498 * \def MBEDTLS_X509_CRL_PARSE_C
2500 * Enable X.509 CRL parsing.
2502 * Module: library/x509_crl.c
2503 * Caller: library/x509_crt.c
2505 * Requires: MBEDTLS_X509_USE_C
2507 * This module is required for X.509 CRL parsing.
2509 //#define MBEDTLS_X509_CRL_PARSE_C /* swyter: we don't verify certs directly */
2512 * \def MBEDTLS_X509_CSR_PARSE_C
2514 * Enable X.509 Certificate Signing Request (CSR) parsing.
2516 * Module: library/x509_csr.c
2517 * Caller: library/x509_crt_write.c
2519 * Requires: MBEDTLS_X509_USE_C
2521 * This module is used for reading X.509 certificate request.
2523 //#define MBEDTLS_X509_CSR_PARSE_C /* swyter: we don't verify certs directly */
2526 * \def MBEDTLS_X509_CREATE_C
2528 * Enable X.509 core for creating certificates.
2530 * Module: library/x509_create.c
2532 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
2534 * This module is the basis for creating X.509 certificates and CSRs.
2536 //#define MBEDTLS_X509_CREATE_C /* swyter: we don't create certs in schannel */
2539 * \def MBEDTLS_X509_CRT_WRITE_C
2541 * Enable creating X.509 certificates.
2543 * Module: library/x509_crt_write.c
2545 * Requires: MBEDTLS_X509_CREATE_C
2547 * This module is required for X.509 certificate creation.
2549 //#define MBEDTLS_X509_CRT_WRITE_C /* swyter: we don't create certs in schannel */
2552 * \def MBEDTLS_X509_CSR_WRITE_C
2554 * Enable creating X.509 Certificate Signing Requests (CSR).
2556 * Module: library/x509_csr_write.c
2558 * Requires: MBEDTLS_X509_CREATE_C
2560 * This module is required for X.509 certificate request writing.
2562 //#define MBEDTLS_X509_CSR_WRITE_C /* swyter: we don't create certs in schannel, this is for servers */
2565 * \def MBEDTLS_XTEA_C
2567 * Enable the XTEA block cipher.
2569 * Module: library/xtea.c
2572 #define MBEDTLS_XTEA_C
2574 /* \} name SECTION: mbed TLS modules */
2577 * \name SECTION: Module configuration options
2579 * This section allows for the setting of module specific sizes and
2580 * configuration options. The default values are already present in the
2581 * relevant header files and should suffice for the regular use cases.
2583 * Our advice is to enable options and change their values here
2584 * only if you have a good reason and know the consequences.
2586 * Please check the respective header file for documentation on these
2587 * parameters (to prevent duplicate documentation).
2591 /* MPI / BIGNUM options */
2592 //#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */
2593 //#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */
2595 /* CTR_DRBG options */
2596 //#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
2597 //#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
2598 //#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
2599 //#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
2600 //#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
2602 /* HMAC_DRBG options */
2603 //#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
2604 //#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
2605 //#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
2606 //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
2609 //#define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */
2610 //#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */
2611 //#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */
2613 /* Entropy options */
2614 //#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
2615 //#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
2616 //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
2618 /* Memory buffer allocator options */
2619 //#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */
2621 /* Platform options */
2622 //#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
2623 //#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */
2624 //#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */
2625 //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */
2626 //#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
2627 //#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
2628 //#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
2629 /* Note: your snprintf must correclty zero-terminate the buffer! */
2630 //#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
2631 //#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
2632 //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
2633 //#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
2634 //#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
2635 //#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */
2637 /* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */
2638 /* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
2639 //#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */
2640 //#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */
2641 //#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */
2642 //#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
2643 //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
2644 //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
2645 //#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
2646 /* Note: your snprintf must correclty zero-terminate the buffer! */
2647 //#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
2648 //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
2649 //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
2651 /* SSL Cache options */
2652 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
2653 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
2656 //#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
2657 //#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
2658 //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
2659 //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
2662 * Complete list of ciphersuites to use, in order of preference.
2664 * \warning No dependency checking is done on that field! This option can only
2665 * be used to restrict the set of available ciphersuites. It is your
2666 * responsibility to make sure the needed modules are active.
2668 * Use this to save a few hundred bytes of ROM (default ordering of all
2669 * available ciphersuites) and a few to a few hundred bytes of RAM.
2671 * The value below is only an example, not the default.
2673 //#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
2676 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
2677 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
2680 * Allow SHA-1 in the default TLS configuration for certificate signing.
2681 * Without this build-time option, SHA-1 support must be activated explicitly
2682 * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
2683 * recommended because of it is possible to generte SHA-1 collisions, however
2684 * this may be safe for legacy infrastructure where additional controls apply.
2686 // #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
2689 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
2690 * signature and ciphersuite selection. Without this build-time option, SHA-1
2691 * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
2692 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
2693 * default. At the time of writing, there is no practical attack on the use
2694 * of SHA-1 in handshake signatures, hence this option is turned on by default
2695 * for compatibility with existing peers.
2697 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
2699 /* \} name SECTION: Customisation configuration options */
2701 /* Target and application specific configurations */
2702 //#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h"
2704 #if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
2705 #include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
2709 * Allow user to override any previous default.
2711 * Use two macro names for that, as:
2712 * - with yotta the prefix YOTTA_CFG_ is forced
2713 * - without yotta is looks weird to have a YOTTA prefix.
2715 #if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
2716 #include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
2717 #elif defined(MBEDTLS_USER_CONFIG_FILE)
2718 #include MBEDTLS_USER_CONFIG_FILE
2721 #include "check_config.h"
2723 #endif /* MBEDTLS_CONFIG_H */