4e78b52b6df27b56adb8a1b8f1c838d25f0500cd
4 * \brief Configuration options (set of defines)
6 * This set of compile-time options may be used to enable
7 * or disable features selectively, and reduce the global
11 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
12 * SPDX-License-Identifier: GPL-2.0
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License along
25 * with this program; if not, write to the Free Software Foundation, Inc.,
26 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 * This file is part of mbed TLS (https://tls.mbed.org)
31 #ifndef MBEDTLS_CONFIG_H
32 #define MBEDTLS_CONFIG_H
34 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
35 //#define _CRT_SECURE_NO_DEPRECATE 1
39 * \name SECTION: System support
41 * This section sets system specific settings.
46 * \def MBEDTLS_HAVE_ASM
48 * The compiler has support for asm().
50 * Requires support for asm() in compiler.
55 * include/mbedtls/bn_mul.h
57 * Comment to disable the use of assembly code.
59 #define MBEDTLS_HAVE_ASM
62 * \def MBEDTLS_NO_UDBL_DIVISION
64 * The platform lacks support for double-width integer division (64-bit
65 * division on a 32-bit platform, 128-bit division on a 64-bit platform).
68 * include/mbedtls/bignum.h
71 * The bignum code uses double-width division to speed up some operations.
72 * Double-width division is often implemented in software that needs to
73 * be linked with the program. The presence of a double-width integer
74 * type is usually detected automatically through preprocessor macros,
75 * but the automatic detection cannot know whether the code needs to
76 * and can be linked with an implementation of division for that type.
77 * By default division is assumed to be usable if the type is present.
78 * Uncomment this option to prevent the use of double-width division.
80 * Note that division for the native integer type is always required.
81 * Furthermore, a 64-bit type is always required even on a 32-bit
82 * platform, but it need not support multiplication or division. In some
83 * cases it is also desirable to disable some double-width operations. For
84 * example, if double-width division is implemented in software, disabling
85 * it can reduce code size in some embedded targets.
87 //#define MBEDTLS_NO_UDBL_DIVISION
90 * \def MBEDTLS_HAVE_SSE2
92 * CPU supports SSE2 instruction set.
94 * Uncomment if the CPU supports SSE2 (IA-32 specific).
96 //#define MBEDTLS_HAVE_SSE2 /* We want to run on older hardware. TODO: This should be checked at runtime. */
99 * \def MBEDTLS_HAVE_TIME
101 * System has time.h and time().
102 * The time does not need to be correct, only time differences are used,
103 * by contrast with MBEDTLS_HAVE_TIME_DATE
105 * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
106 * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
107 * MBEDTLS_PLATFORM_STD_TIME.
109 * Comment if your system does not support time functions
111 //#define MBEDTLS_HAVE_TIME
114 * \def MBEDTLS_HAVE_TIME_DATE
116 * System has time.h and time(), gmtime() and the clock is correct.
117 * The time needs to be correct (not necessarily very accurate, but at least
118 * the date should be correct). This is used to verify the validity period of
119 * X.509 certificates.
121 * Comment if your system does not have a correct clock.
123 //#define MBEDTLS_HAVE_TIME_DATE /* NOTE(review): left disabled, so the X.509 validity-period check described above has no trusted date to work with; confirm the caller enforces certificate expiry itself */
126 * \def MBEDTLS_PLATFORM_MEMORY
128 * Enable the memory allocation layer.
130 * By default mbed TLS uses the system-provided calloc() and free().
131 * This allows different allocators (self-implemented or provided) to be
132 * provided to the platform abstraction layer.
134 * Enabling MBEDTLS_PLATFORM_MEMORY without the
135 * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
136 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
137 * free() function pointer at runtime.
139 * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
140 * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
141 * alternate function at compile time.
143 * Requires: MBEDTLS_PLATFORM_C
145 * Enable this layer to allow use of alternative memory allocators.
147 //#define MBEDTLS_PLATFORM_MEMORY
150 * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
152 * Do not assign standard functions in the platform layer (e.g. calloc() to
153 * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
155 * This makes sure there are no linking errors on platforms that do not support
156 * these functions. You will HAVE to provide alternatives, either at runtime
157 * via the platform_set_xxx() functions or at compile time by setting
158 * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
159 * MBEDTLS_PLATFORM_XXX_MACRO.
161 * Requires: MBEDTLS_PLATFORM_C
163 * Uncomment to prevent default assignment of standard functions in the
166 //#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
169 * \def MBEDTLS_PLATFORM_EXIT_ALT
171 * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
172 * function in the platform abstraction layer.
174 * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
175 * provide a function "mbedtls_platform_set_printf()" that allows you to set an
176 * alternative printf function pointer.
178 * All these defines require MBEDTLS_PLATFORM_C to be defined!
180 * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;
181 * it will be enabled automatically by check_config.h
183 * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
184 * MBEDTLS_PLATFORM_XXX_MACRO!
186 * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
188 * Uncomment a macro to enable alternate implementation of specific base
191 //#define MBEDTLS_PLATFORM_EXIT_ALT
192 //#define MBEDTLS_PLATFORM_TIME_ALT
193 //#define MBEDTLS_PLATFORM_FPRINTF_ALT
194 //#define MBEDTLS_PLATFORM_PRINTF_ALT
195 //#define MBEDTLS_PLATFORM_SNPRINTF_ALT
196 //#define MBEDTLS_PLATFORM_NV_SEED_ALT
197 //#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
200 * \def MBEDTLS_DEPRECATED_WARNING
202 * Mark deprecated functions so that they generate a warning if used.
203 * Functions deprecated in one version will usually be removed in the next
204 * version. You can enable this to help you prepare the transition to a new
205 * major version by making sure your code is not using these functions.
207 * This only works with GCC and Clang. With other compilers, you may want to
208 * use MBEDTLS_DEPRECATED_REMOVED
210 * Uncomment to get warnings on using deprecated functions.
212 //#define MBEDTLS_DEPRECATED_WARNING
215 * \def MBEDTLS_DEPRECATED_REMOVED
217 * Remove deprecated functions so that they generate an error if used.
218 * Functions deprecated in one version will usually be removed in the next
219 * version. You can enable this to help you prepare the transition to a new
220 * major version by making sure your code is not using these functions.
222 * Uncomment to get errors on using deprecated functions.
224 //#define MBEDTLS_DEPRECATED_REMOVED /* ThFabba: we need md5/sha functions for bcrypt */
226 /* \} name SECTION: System support */
229 * \name SECTION: mbed TLS feature support
231 * This section sets support for features that are or are not needed
232 * within the modules that are enabled.
237 * \def MBEDTLS_TIMING_ALT
239 * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(),
240 * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay()
242 * Only works if you have MBEDTLS_TIMING_C enabled.
244 * You will need to provide a header "timing_alt.h" and an implementation at
247 //#define MBEDTLS_TIMING_ALT
250 * \def MBEDTLS_AES_ALT
252 * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
253 * alternate core implementation of a symmetric crypto, an arithmetic or hash
254 * module (e.g. platform specific assembly optimized implementations). Keep
255 * in mind that the function prototypes should remain the same.
257 * This replaces the whole module. If you only want to replace one of the
258 * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
260 * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer
261 * provide the "struct mbedtls_aes_context" definition and omit the base
262 * function declarations and implementations. "aes_alt.h" will be included from
263 * "aes.h" to include the new function definitions.
265 * Uncomment a macro to enable alternate implementation of the corresponding
268 * \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their
269 * use constitutes a security risk. If possible, we recommend
270 * avoiding dependencies on them, and considering stronger message
271 * digests and ciphers instead.
274 //#define MBEDTLS_AES_ALT
275 //#define MBEDTLS_ARC4_ALT
276 //#define MBEDTLS_BLOWFISH_ALT
277 //#define MBEDTLS_CAMELLIA_ALT
278 //#define MBEDTLS_CCM_ALT
279 //#define MBEDTLS_CMAC_ALT
280 //#define MBEDTLS_DES_ALT
281 //#define MBEDTLS_DHM_ALT
282 //#define MBEDTLS_ECJPAKE_ALT
283 //#define MBEDTLS_GCM_ALT
284 //#define MBEDTLS_MD2_ALT
285 //#define MBEDTLS_MD4_ALT
286 //#define MBEDTLS_MD5_ALT
287 //#define MBEDTLS_RIPEMD160_ALT
288 //#define MBEDTLS_RSA_ALT
289 //#define MBEDTLS_SHA1_ALT
290 //#define MBEDTLS_SHA256_ALT
291 //#define MBEDTLS_SHA512_ALT
292 //#define MBEDTLS_XTEA_ALT
294 * When replacing the elliptic curve module, please consider that it is
295 * implemented with two .c files:
298 * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
299 * macros as described above. The only difference is that you have to make sure
300 * that you provide functionality for both .c files.
302 //#define MBEDTLS_ECP_ALT
305 * \def MBEDTLS_MD2_PROCESS_ALT
307 * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
308 * alternate core implementation of symmetric crypto or hash function. Keep in
309 * mind that function prototypes should remain the same.
311 * This replaces only one function. The header file from mbed TLS is still
312 * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
314 * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
315 * no longer provide the mbedtls_sha1_process() function, but it will still provide
316 * the other function (using your mbedtls_sha1_process() function) and the definition
317 * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
318 * with this definition.
320 * \note Because of a signature change, the core AES encryption and decryption routines are
321 * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
322 * respectively. When setting up alternative implementations, these functions should
323 * be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
324 * must stay untouched.
326 * \note If you use the AES_xxx_ALT macros, then it is recommended to also set
327 * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
330 * Uncomment a macro to enable alternate implementation of the corresponding
333 * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
334 * constitutes a security risk. If possible, we recommend avoiding
335 * dependencies on them, and considering stronger message digests
336 * and ciphers instead.
339 //#define MBEDTLS_MD2_PROCESS_ALT
340 //#define MBEDTLS_MD4_PROCESS_ALT
341 //#define MBEDTLS_MD5_PROCESS_ALT
342 //#define MBEDTLS_RIPEMD160_PROCESS_ALT
343 //#define MBEDTLS_SHA1_PROCESS_ALT
344 //#define MBEDTLS_SHA256_PROCESS_ALT
345 //#define MBEDTLS_SHA512_PROCESS_ALT
346 //#define MBEDTLS_DES_SETKEY_ALT
347 //#define MBEDTLS_DES_CRYPT_ECB_ALT
348 //#define MBEDTLS_DES3_CRYPT_ECB_ALT
349 //#define MBEDTLS_AES_SETKEY_ENC_ALT
350 //#define MBEDTLS_AES_SETKEY_DEC_ALT
351 //#define MBEDTLS_AES_ENCRYPT_ALT
352 //#define MBEDTLS_AES_DECRYPT_ALT
353 //#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
354 //#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
355 //#define MBEDTLS_ECDSA_VERIFY_ALT
356 //#define MBEDTLS_ECDSA_SIGN_ALT
357 //#define MBEDTLS_ECDSA_GENKEY_ALT
360 * \def MBEDTLS_ECP_INTERNAL_ALT
362 * Expose a part of the internal interface of the Elliptic Curve Point module.
364 * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
365 * alternative core implementation of elliptic curve arithmetic. Keep in mind
366 * that function prototypes should remain the same.
368 * This partially replaces one function. The header file from mbed TLS is still
369 * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
370 * is still present and it is used for group structures not supported by the
373 * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
374 * and implementing the following functions:
375 * unsigned char mbedtls_internal_ecp_grp_capable(
376 * const mbedtls_ecp_group *grp )
377 * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
378 * void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
379 * The mbedtls_internal_ecp_grp_capable function should return 1 if the
380 * replacement functions implement arithmetic for the given group and 0
382 * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
383 * called before and after each point operation and provide an opportunity to
384 * implement optimized set up and tear down instructions.
386 * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and
387 * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac
388 * function, but will use your mbedtls_internal_ecp_double_jac if the group is
389 * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when
390 * it receives the group as an argument). If the group is not supported then the original
391 * implementation is used. The other functions and the definition of
392 * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your
393 * implementation of mbedtls_internal_ecp_double_jac and
394 * mbedtls_internal_ecp_grp_capable must be compatible with this definition.
396 * Uncomment a macro to enable alternate implementation of the corresponding
399 /* Required for all the functions in this section */
400 //#define MBEDTLS_ECP_INTERNAL_ALT
401 /* Support for Weierstrass curves with Jacobi representation */
402 //#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
403 //#define MBEDTLS_ECP_ADD_MIXED_ALT
404 //#define MBEDTLS_ECP_DOUBLE_JAC_ALT
405 //#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
406 //#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
407 /* Support for curves with Montgomery arithmetic */
408 //#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
409 //#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
410 //#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
413 * \def MBEDTLS_TEST_NULL_ENTROPY
415 * Enables testing and use of mbed TLS without any configured entropy sources.
416 * This permits use of the library on platforms before an entropy source has
417 * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
418 * MBEDTLS_ENTROPY_NV_SEED switches).
420 * WARNING! This switch MUST be disabled in production builds, and is suitable
421 * only for development.
422 * Enabling the switch negates any security provided by the library.
424 * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
427 //#define MBEDTLS_TEST_NULL_ENTROPY
430 * \def MBEDTLS_ENTROPY_HARDWARE_ALT
432 * Uncomment this macro to let mbed TLS use your own implementation of a
433 * hardware entropy collector.
435 * Your function must be called \c mbedtls_hardware_poll(), have the same
436 * prototype as declared in entropy_poll.h, and accept NULL as first argument.
438 * Uncomment to use your own hardware entropy collector.
440 //#define MBEDTLS_ENTROPY_HARDWARE_ALT
443 * \def MBEDTLS_AES_ROM_TABLES
445 * Store the AES tables in ROM.
447 * Uncomment this macro to store the AES tables in ROM.
449 //#define MBEDTLS_AES_ROM_TABLES
452 * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
454 * Use less ROM for the Camellia implementation (saves about 768 bytes).
456 * Uncomment this macro to use less memory for Camellia.
458 //#define MBEDTLS_CAMELLIA_SMALL_MEMORY
461 * \def MBEDTLS_CIPHER_MODE_CBC
463 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
465 #define MBEDTLS_CIPHER_MODE_CBC
468 * \def MBEDTLS_CIPHER_MODE_CFB
470 * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
472 #define MBEDTLS_CIPHER_MODE_CFB
475 * \def MBEDTLS_CIPHER_MODE_CTR
477 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
479 #define MBEDTLS_CIPHER_MODE_CTR
482 * \def MBEDTLS_CIPHER_NULL_CIPHER
484 * Enable NULL cipher.
485 * Warning: Only do so when you know what you are doing. This allows for
486 * encryption or channels without any security!
488 * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
489 * the following ciphersuites:
490 * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
491 * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
492 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
493 * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
494 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
495 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
496 * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
497 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
498 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
499 * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
500 * MBEDTLS_TLS_RSA_WITH_NULL_SHA256
501 * MBEDTLS_TLS_RSA_WITH_NULL_SHA
502 * MBEDTLS_TLS_RSA_WITH_NULL_MD5
503 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
504 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
505 * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
506 * MBEDTLS_TLS_PSK_WITH_NULL_SHA384
507 * MBEDTLS_TLS_PSK_WITH_NULL_SHA256
508 * MBEDTLS_TLS_PSK_WITH_NULL_SHA
510 * Uncomment this macro to enable the NULL cipher and ciphersuites
512 //#define MBEDTLS_CIPHER_NULL_CIPHER
515 * \def MBEDTLS_CIPHER_PADDING_PKCS7
517 * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
518 * specific padding modes in the cipher layer with cipher modes that support
521 * If you disable all padding modes, only full blocks can be used with CBC.
523 * Enable padding modes in the cipher layer.
525 #define MBEDTLS_CIPHER_PADDING_PKCS7
526 #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
527 #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
528 #define MBEDTLS_CIPHER_PADDING_ZEROS
531 * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
533 * Enable weak ciphersuites in SSL / TLS.
534 * Warning: Only do so when you know what you are doing. This allows for
535 * channels with virtually no security at all!
537 * This enables the following ciphersuites:
538 * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
539 * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
541 * Uncomment this macro to enable weak ciphersuites
543 * \warning DES is considered a weak cipher and its use constitutes a
544 * security risk. We recommend considering stronger ciphers instead.
546 //#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
549 * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES
551 * Remove RC4 ciphersuites by default in SSL / TLS.
552 * This flag removes the ciphersuites based on RC4 from the default list as
553 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
554 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
557 * Uncomment this macro to remove RC4 ciphersuites by default.
559 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
562 * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
564 * Remove 3DES ciphersuites by default in SSL / TLS.
565 * This flag removes the ciphersuites based on 3DES from the default list as
566 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
567 * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
570 * A man-in-the-browser attacker can recover authentication tokens sent through
571 * a TLS connection using a 3DES based cipher suite (see "On the Practical
572 * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
573 * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
574 * in your threat model or you are unsure, then you should keep this option
575 * enabled to remove 3DES based cipher suites.
577 * Comment this macro to keep 3DES in the default ciphersuite list.
579 #define MBEDTLS_REMOVE_3DES_CIPHERSUITES
582 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
584 * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
585 * module. By default all supported curves are enabled.
587 * Comment macros to disable the curve and functions for it
589 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED /* NOTE(review): 192-bit curve, roughly 96-bit security; confirm it is still needed for interoperability */
590 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED
591 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
592 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
593 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED
594 #define MBEDTLS_ECP_DP_SECP192K1_ENABLED /* NOTE(review): 192-bit curve, roughly 96-bit security; confirm it is still needed for interoperability */
595 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED
596 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
597 #define MBEDTLS_ECP_DP_BP256R1_ENABLED
598 #define MBEDTLS_ECP_DP_BP384R1_ENABLED
599 #define MBEDTLS_ECP_DP_BP512R1_ENABLED
600 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
603 * \def MBEDTLS_ECP_NIST_OPTIM
605 * Enable specific 'modulo p' routines for each NIST prime.
606 * Depending on the prime and architecture, makes operations 4 to 8 times
607 * faster on the corresponding curve.
609 * Comment this macro to disable NIST curves optimisation.
611 #define MBEDTLS_ECP_NIST_OPTIM
614 * \def MBEDTLS_ECDSA_DETERMINISTIC
616 * Enable deterministic ECDSA (RFC 6979).
617 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing
618 * may result in a compromise of the long-term signing key. This is avoided by
619 * the deterministic variant.
621 * Requires: MBEDTLS_HMAC_DRBG_C
623 * Comment this macro to disable deterministic ECDSA.
625 #define MBEDTLS_ECDSA_DETERMINISTIC
628 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
630 * Enable the PSK based ciphersuite modes in SSL / TLS.
632 * This enables the following ciphersuites (if other requisites are
634 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
635 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
636 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
637 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
638 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
639 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
640 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
641 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
642 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
643 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
644 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
645 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
647 //#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED /* swyter: we don't need PSK-based ciphers for schannel */
650 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
652 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
654 * Requires: MBEDTLS_DHM_C
656 * This enables the following ciphersuites (if other requisites are
658 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
659 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
660 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
661 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
662 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
663 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
664 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
665 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
666 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
667 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
668 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
669 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
671 * \warning Using DHE constitutes a security risk as it
672 * is not possible to validate custom DH parameters.
673 * If possible, it is recommended users should consider
674 * preferring other methods of key exchange.
675 * See dhm.h for more details.
678 //#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED /* swyter: we don't need PSK-based ciphers for schannel */
681 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
683 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
685 * Requires: MBEDTLS_ECDH_C
687 * This enables the following ciphersuites (if other requisites are
689 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
690 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
691 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
692 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
693 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
694 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
695 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
696 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
698 //#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED /* swyter: we don't need PSK-based ciphers for schannel */
701 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
703 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
705 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
706 * MBEDTLS_X509_CRT_PARSE_C
708 * This enables the following ciphersuites (if other requisites are
710 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
711 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
712 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
713 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
714 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
715 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
716 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
717 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
718 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
719 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
720 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
721 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
723 //#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED /* swyter: we don't need PSK-based ciphers for schannel */
726 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
728 * Enable the RSA-only based ciphersuite modes in SSL / TLS.
730 * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
731 * MBEDTLS_X509_CRT_PARSE_C
733 * This enables the following ciphersuites (if other requisites are
735 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
736 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
737 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
738 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
739 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
740 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
741 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
742 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
743 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
744 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
745 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
746 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
747 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
748 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
749 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
751 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED /* NOTE(review): RSA-only key exchange provides no forward secrecy; keep it enabled only if peers without (EC)DHE support must be served */
754 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
756 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
758 * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
759 * MBEDTLS_X509_CRT_PARSE_C
761 * This enables the following ciphersuites (if other requisites are
763 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
764 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
765 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
766 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
767 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
768 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
769 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
770 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
771 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
772 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
773 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
774 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
775 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
777 * \warning Using DHE constitutes a security risk as it
778 * is not possible to validate custom DH parameters.
779 * If possible, it is recommended users should consider
780 * preferring other methods of key exchange.
781 * See dhm.h for more details.
784 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED /* NOTE(review): enabled despite the DHE warning above; confirm DHE-RSA suites are required, otherwise prefer the ECDHE suites */
787 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
789 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
791 * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
792 * MBEDTLS_X509_CRT_PARSE_C
794 * This enables the following ciphersuites (if other requisites are
796 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
797 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
798 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
799 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
800 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
801 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
802 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
803 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
804 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
805 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
806 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
807 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
809 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
812 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
814 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
816 * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
818 * This enables the following ciphersuites (if other requisites are
820 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
821 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
822 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
823 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
824 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
825 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
826 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
827 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
828 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
829 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
830 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
831 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
833 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
836 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
838 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
840 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
842 * This enables the following ciphersuites (if other requisites are
844 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
845 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
846 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
847 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
848 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
849 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
850 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
851 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
852 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
853 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
854 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
855 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
857 #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
860 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
862 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
864 * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
866 * This enables the following ciphersuites (if other requisites are
868 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
869 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
870 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
871 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
872 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
873 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
874 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
875 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
876 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
877 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
878 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
879 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
881 #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
884 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
886 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS.
888 * \warning This is currently experimental. EC J-PAKE support is based on the
889 * Thread v1.0.0 specification; incompatible changes to the specification
890 * might still happen. For this reason, this is disabled by default.
892 * Requires: MBEDTLS_ECJPAKE_C
894 * MBEDTLS_ECP_DP_SECP256R1_ENABLED
896 * This enables the following ciphersuites (if other requisites are
898 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
900 //#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
903 * \def MBEDTLS_PK_PARSE_EC_EXTENDED
905 * Enhance support for reading EC keys using variants of SEC1 not allowed by
906 * RFC 5915 and RFC 5480.
908 * Currently this means parsing the SpecifiedECDomain choice of EC
909 * parameters (only known groups are supported, not arbitrary domains, to
910 * avoid validation issues).
912 * Disable if you only need to support RFC 5915 + 5480 key formats.
914 #define MBEDTLS_PK_PARSE_EC_EXTENDED
917 * \def MBEDTLS_ERROR_STRERROR_DUMMY
919 * Enable a dummy error function to make use of mbedtls_strerror() in
920 * third party libraries easier when MBEDTLS_ERROR_C is disabled
921 * (no effect when MBEDTLS_ERROR_C is enabled).
923 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
924 * not using mbedtls_strerror() or error_strerror() in your application.
926 * Disable if you run into name conflicts and want to really remove the
929 #define MBEDTLS_ERROR_STRERROR_DUMMY
932 * \def MBEDTLS_GENPRIME
934 * Enable the prime-number generation code.
936 * Requires: MBEDTLS_BIGNUM_C
938 #define MBEDTLS_GENPRIME
943 * Enable functions that use the filesystem.
945 //#define MBEDTLS_FS_IO /* swyter: we don't have to access the filesystem directly in schannel */
948 * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
950 * Do not add default entropy sources. These are the platform specific,
951 * mbedtls_timing_hardclock and HAVEGE based poll functions.
953 * This is useful to have more control over the added entropy sources in an
956 * Uncomment this macro to prevent loading of default entropy functions.
958 //#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
961 * \def MBEDTLS_NO_PLATFORM_ENTROPY
963 * Do not use built-in platform entropy functions.
964 * This is useful if your platform does not support
965 * standards like the /dev/urandom or Windows CryptoAPI.
967 * Uncomment this macro to disable the built-in platform entropy functions.
969 //#define MBEDTLS_NO_PLATFORM_ENTROPY
972 * \def MBEDTLS_ENTROPY_FORCE_SHA256
974 * Force the entropy accumulator to use a SHA-256 accumulator instead of the
975 * default SHA-512 based one (if both are available).
977 * Requires: MBEDTLS_SHA256_C
979 * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
980 * if you have performance concerns.
982 * This option is only useful if both MBEDTLS_SHA256_C and
983 * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
985 #define MBEDTLS_ENTROPY_FORCE_SHA256 /* swyter: ReactOS is primarily 32-bit only, this speeds it up notably */
988 * \def MBEDTLS_ENTROPY_NV_SEED
990 * Enable the non-volatile (NV) seed file-based entropy source.
991 * (Also enables the NV seed read/write functions in the platform layer)
993 * This is crucial (if not required) on systems that do not have a
994 * cryptographic entropy source (in hardware or kernel) available.
996 * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
998 * \note The read/write functions that are used by the entropy source are
999 * determined in the platform layer, and can be modified at runtime and/or
1000 * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
1002 * \note If you use the default implementation functions that read a seedfile
1003 * with regular fopen(), please make sure you make a seedfile with the
1004 * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
1005 * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
1006 * and written to or you will get an entropy source error! The default
1007 * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
1008 * bytes from the file.
1010 * \note The entropy collector will write to the seed file before entropy is
1011 * given to an external source, to update it.
1013 //#define MBEDTLS_ENTROPY_NV_SEED
1016 * \def MBEDTLS_MEMORY_DEBUG
1018 * Enable debugging of buffer allocator memory issues. Automatically prints
1019 * (to stderr) all (fatal) messages on memory allocation issues. Enables
1020 * function for 'debug output' of allocated memory.
1022 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
1024 * Uncomment this macro to let the buffer allocator print out error messages.
1026 //#define MBEDTLS_MEMORY_DEBUG
1029 * \def MBEDTLS_MEMORY_BACKTRACE
1031 * Include backtrace information with each allocated block.
1033 * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
1034 * GLIBC-compatible backtrace() and backtrace_symbols() support
1036 * Uncomment this macro to include backtrace information
1038 //#define MBEDTLS_MEMORY_BACKTRACE
1041 * \def MBEDTLS_PK_RSA_ALT_SUPPORT
1043 * Support external private RSA keys (eg from a HSM) in the PK layer.
1045 * Comment this macro to disable support for external private RSA keys.
1047 #define MBEDTLS_PK_RSA_ALT_SUPPORT
1050 * \def MBEDTLS_PKCS1_V15
1052 * Enable support for PKCS#1 v1.5 encoding.
1054 * Requires: MBEDTLS_RSA_C
1056 * This enables support for PKCS#1 v1.5 operations.
1058 #define MBEDTLS_PKCS1_V15
1061 * \def MBEDTLS_PKCS1_V21
1063 * Enable support for PKCS#1 v2.1 encoding.
1065 * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C
1067 * This enables support for RSAES-OAEP and RSASSA-PSS operations.
1069 #define MBEDTLS_PKCS1_V21
1072 * \def MBEDTLS_RSA_NO_CRT
1074 * Do not use the Chinese Remainder Theorem
1075 * for the RSA private operation.
1077 * Uncomment this macro to disable the use of CRT in RSA.
1080 //#define MBEDTLS_RSA_NO_CRT
1083 * \def MBEDTLS_SELF_TEST
1085 * Enable the checkup functions (*_self_test).
1087 //#define MBEDTLS_SELF_TEST /* swyter: we don't need this, adds quite a bit of bloat */
1090 * \def MBEDTLS_SHA256_SMALLER
1092 * Enable an implementation of SHA-256 that has lower ROM footprint but also
1093 * lower performance.
1095 * The default implementation is meant to be a reasonable compromise between
1096 * performance and size. This version optimizes more aggressively for size at
1097 * the expense of performance. Eg on Cortex-M4 it reduces the size of
1098 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
1101 * Uncomment to enable the smaller implementation of SHA256.
1103 //#define MBEDTLS_SHA256_SMALLER
1106 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
1108 * Enable sending of alert messages in case of encountered errors as per RFC.
1109 * If you choose not to send the alert messages, mbed TLS can still communicate
1110 * with other servers, only debugging of failures is harder.
1112 * The advantage of not sending alert messages is that no information is given
1113 * about reasons for failures, thus preventing adversaries from gaining intel.
1115 * Enable sending of all alert messages
1117 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
1120 * \def MBEDTLS_SSL_DEBUG_ALL
1122 * Enable the debug messages in SSL module for all issues.
1123 * Debug messages have been disabled in some places to prevent timing
1124 * attacks due to (unbalanced) debugging function calls.
1126 * If you need all error reporting you should enable this during debugging,
1127 * but remove this for production servers that should log as well.
1129 * Uncomment this macro to report all debug messages on errors introducing
1130 * a timing side-channel.
1133 //#define MBEDTLS_SSL_DEBUG_ALL /* swyter: we don't need that much verboseness that clogges up the dll with strings */
1135 /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
1137 * Enable support for Encrypt-then-MAC, RFC 7366.
1139 * This allows peers that both support it to use a more robust protection for
1140 * ciphersuites using CBC, providing deep resistance against timing attacks
1141 * on the padding or underlying cipher.
1143 * This only affects CBC ciphersuites, and is useless if none is defined.
1145 * Requires: MBEDTLS_SSL_PROTO_TLS1 or
1146 * MBEDTLS_SSL_PROTO_TLS1_1 or
1147 * MBEDTLS_SSL_PROTO_TLS1_2
1149 * Comment this macro to disable support for Encrypt-then-MAC
1151 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC
1153 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
1155 * Enable support for Extended Master Secret, aka Session Hash
1156 * (draft-ietf-tls-session-hash-02).
1158 * This was introduced as "the proper fix" to the Triple Handshake family of
1159 * attacks, but it is recommended to always use it (even if you disable
1160 * renegotiation), since it actually fixes a more fundamental issue in the
1161 * original SSL/TLS design, and has implications beyond Triple Handshake.
1163 * Requires: MBEDTLS_SSL_PROTO_TLS1 or
1164 * MBEDTLS_SSL_PROTO_TLS1_1 or
1165 * MBEDTLS_SSL_PROTO_TLS1_2
1167 * Comment this macro to disable support for Extended Master Secret.
1169 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
1172 * \def MBEDTLS_SSL_FALLBACK_SCSV
1174 * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
1176 * For servers, it is recommended to always enable this, unless you support
1177 * only one version of TLS, or know for sure that none of your clients
1178 * implements a fallback strategy.
1180 * For clients, you only need this if you're using a fallback strategy, which
1181 * is not recommended in the first place, unless you absolutely need it to
1182 * interoperate with buggy (version-intolerant) servers.
1184 * Comment this macro to disable support for FALLBACK_SCSV
1186 //#define MBEDTLS_SSL_FALLBACK_SCSV /* swyter: as the description says, we don't need this for clients */
1189 * \def MBEDTLS_SSL_HW_RECORD_ACCEL
1191 * Enable hooking functions in SSL module for hardware acceleration of
1192 * individual records.
1194 * Uncomment this macro to enable hooking functions.
1196 //#define MBEDTLS_SSL_HW_RECORD_ACCEL
1199 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
1201 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
1203 * This is a countermeasure to the BEAST attack, which also minimizes the risk
1204 * of interoperability issues compared to sending 0-length records.
1206 * Comment this macro to disable 1/n-1 record splitting.
1208 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING
1211 * \def MBEDTLS_SSL_RENEGOTIATION
1213 * Enable support for TLS renegotiation.
1215 * The two main uses of renegotiation are (1) refresh keys on long-lived
1216 * connections and (2) client authentication after the initial handshake.
1217 * If you don't need renegotiation, it's probably better to disable it, since
1218 * it has been associated with security issues in the past and is easy to
1219 * misuse/misunderstand.
1221 * Comment this to disable support for renegotiation.
1223 * \note Even if this option is disabled, both client and server are aware
1224 * of the Renegotiation Indication Extension (RFC 5746) used to
1225 * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
1226 * (See \c mbedtls_ssl_conf_legacy_renegotiation for the
1227 * configuration of this extension).
1230 #define MBEDTLS_SSL_RENEGOTIATION /* NOTE(review): left enabled; the description above advises disabling renegotiation when it is not needed, so confirm that this build actually uses it. */
1233 * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
1235 * Enable support for receiving and parsing SSLv2 Client Hello messages for the
1236 * SSL Server module (MBEDTLS_SSL_SRV_C).
1238 * Uncomment this macro to enable support for SSLv2 Client Hello messages.
1240 //#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO /* swyter: we don't need anything server-related */
1243 * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
1245 * Pick the ciphersuite according to the client's preferences rather than ours
1246 * in the SSL Server module (MBEDTLS_SSL_SRV_C).
1248 * Uncomment this macro to respect client's ciphersuite order
1250 //#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE /* swyter: we don't need anything server-related */
1253 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1255 * Enable support for RFC 6066 max_fragment_length extension in SSL.
1257 * Comment this macro to disable support for the max_fragment_length extension
1259 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1262 * \def MBEDTLS_SSL_PROTO_SSL3
1264 * Enable support for SSL 3.0.
1266 * Requires: MBEDTLS_MD5_C
1269 * Comment this macro to disable support for SSL 3.0
1271 //#define MBEDTLS_SSL_PROTO_SSL3 /* swyter: this is potentially insecure and should remain eternally disabled */
1274 * \def MBEDTLS_SSL_PROTO_TLS1
1276 * Enable support for TLS 1.0.
1278 * Requires: MBEDTLS_MD5_C
1281 * Comment this macro to disable support for TLS 1.0
1283 #define MBEDTLS_SSL_PROTO_TLS1 /* NOTE(review): TLS 1.0 is deprecated (RFC 8996); keep it only if legacy peers require it, and consider raising the runtime floor with mbedtls_ssl_conf_min_version(). */
1286 * \def MBEDTLS_SSL_PROTO_TLS1_1
1288 * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
1290 * Requires: MBEDTLS_MD5_C
1293 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
1295 #define MBEDTLS_SSL_PROTO_TLS1_1 /* NOTE(review): TLS 1.1 is deprecated (RFC 8996); keep it only if legacy peers require it, and consider raising the runtime floor with mbedtls_ssl_conf_min_version(). */
1298 * \def MBEDTLS_SSL_PROTO_TLS1_2
1300 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
1302 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
1303 * (Depends on ciphersuites)
1305 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
1307 #define MBEDTLS_SSL_PROTO_TLS1_2
1310 * \def MBEDTLS_SSL_PROTO_DTLS
1312 * Enable support for DTLS (all available versions).
1314 * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0,
1315 * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
1317 * Requires: MBEDTLS_SSL_PROTO_TLS1_1
1318 * or MBEDTLS_SSL_PROTO_TLS1_2
1320 * Comment this macro to disable support for DTLS
1322 //#define MBEDTLS_SSL_PROTO_DTLS /* swyter: schannel does not support UDP sockets, DTLS is useless */
1325 * \def MBEDTLS_SSL_ALPN
1327 * Enable support for RFC 7301 Application Layer Protocol Negotiation.
1329 * Comment this macro to disable support for ALPN.
1331 #define MBEDTLS_SSL_ALPN
1334 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
1336 * Enable support for the anti-replay mechanism in DTLS.
1338 * Requires: MBEDTLS_SSL_TLS_C
1339 * MBEDTLS_SSL_PROTO_DTLS
1341 * \warning Disabling this is often a security risk!
1342 * See mbedtls_ssl_conf_dtls_anti_replay() for details.
1344 * Comment this to disable anti-replay in DTLS.
1346 //#define MBEDTLS_SSL_DTLS_ANTI_REPLAY /* swyter: schannel does not support UDP sockets, DTLS is useless */
1349 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
1351 * Enable support for HelloVerifyRequest on DTLS servers.
1353 * This feature is highly recommended to prevent DTLS servers being used as
1354 * amplifiers in DoS attacks against other hosts. It should always be enabled
1355 * unless you know for sure amplification cannot be a problem in the
1356 * environment in which your server operates.
1358 * \warning Disabling this can be a security risk! (see above)
1360 * Requires: MBEDTLS_SSL_PROTO_DTLS
1362 * Comment this to disable support for HelloVerifyRequest.
1364 //#define MBEDTLS_SSL_DTLS_HELLO_VERIFY /* swyter: schannel does not support UDP sockets, DTLS is useless */
1367 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
1369 * Enable server-side support for clients that reconnect from the same port.
1371 * Some clients unexpectedly close the connection and try to reconnect using the
1372 * same source port. This needs special support from the server to handle the
1373 * new connection securely, as described in section 4.2.8 of RFC 6347. This
1374 * flag enables that support.
1376 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
1378 * Comment this to disable support for clients reusing the source port.
1380 //#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE /* swyter: schannel does not support UDP sockets, DTLS is useless */
1383 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
1385 * Enable support for a limit of records with bad MAC.
1387 * See mbedtls_ssl_conf_dtls_badmac_limit().
1389 * Requires: MBEDTLS_SSL_PROTO_DTLS
1391 //#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT /* swyter: schannel does not support UDP sockets, DTLS is useless */
1394 * \def MBEDTLS_SSL_SESSION_TICKETS
1396 * Enable support for RFC 5077 session tickets in SSL.
1397 * Client-side, provides full support for session tickets (maintenance of a
1398 * session store remains the responsibility of the application, though).
1399 * Server-side, you also need to provide callbacks for writing and parsing
1400 * tickets, including authenticated encryption and key management. Example
1401 * callbacks are provided by MBEDTLS_SSL_TICKET_C.
1403 * Comment this macro to disable support for SSL session tickets
1405 #define MBEDTLS_SSL_SESSION_TICKETS
1408 * \def MBEDTLS_SSL_EXPORT_KEYS
1410 * Enable support for exporting key block and master secret.
1411 * This is required for certain users of TLS, e.g. EAP-TLS.
1413 * Comment this macro to disable support for key export
1415 //#define MBEDTLS_SSL_EXPORT_KEYS
1418 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
1420 * Enable support for RFC 6066 server name indication (SNI) in SSL.
1422 * Requires: MBEDTLS_X509_CRT_PARSE_C
1424 * Comment this macro to disable support for server name indication in SSL
1426 #define MBEDTLS_SSL_SERVER_NAME_INDICATION
1429 * \def MBEDTLS_SSL_TRUNCATED_HMAC
1431 * Enable support for RFC 6066 truncated HMAC in SSL.
1433 * Comment this macro to disable support for truncated HMAC in SSL
1435 #define MBEDTLS_SSL_TRUNCATED_HMAC /* NOTE(review): RFC 6066 truncated HMAC shortens the record MAC to 80 bits purely to save bandwidth; confirm this build needs it, otherwise comment it out. */
1438 * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
1440 * Fallback to old (pre-2.7), non-conforming implementation of the truncated
1441 * HMAC extension which also truncates the HMAC key. Note that this option is
1442 * only meant for a transitory upgrade period and is likely to be removed in
1443 * a future version of the library.
1445 * \warning The old implementation is non-compliant and has a security weakness
1446 * (2^80 brute force attack on the HMAC key used for a single,
1447 * uninterrupted connection). This should only be enabled temporarily
1448 * when (1) the use of truncated HMAC is essential in order to save
1449 * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
1450 * the fixed implementation yet (pre-2.7).
1452 * \deprecated This option is deprecated and will likely be removed in a
1453 * future version of Mbed TLS.
1455 * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
1457 * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
1459 //#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
1462 * \def MBEDTLS_THREADING_ALT
1464 * Provide your own alternate threading implementation.
1466 * Requires: MBEDTLS_THREADING_C
1468 * Uncomment this to allow your own alternate threading implementation.
1470 //#define MBEDTLS_THREADING_ALT
1473 * \def MBEDTLS_THREADING_PTHREAD
1475 * Enable the pthread wrapper layer for the threading layer.
1477 * Requires: MBEDTLS_THREADING_C
1479 * Uncomment this to enable pthread mutexes.
1481 //#define MBEDTLS_THREADING_PTHREAD
1484 * \def MBEDTLS_VERSION_FEATURES
1486 * Allow run-time checking of compile-time enabled features. Thus allowing users
1487 * to check at run-time if the library is for instance compiled with threading
1488 * support via mbedtls_version_check_feature().
1490 * Requires: MBEDTLS_VERSION_C
1492 * Comment this to disable run-time checking and save ROM space
1494 //#define MBEDTLS_VERSION_FEATURES
1497 * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
1499 * If set, the X509 parser will not break-off when parsing an X509 certificate
1500 * and encountering an extension in a v1 or v2 certificate.
1502 * Uncomment to prevent an error.
1504 //#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
1507 * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
1509 * If set, the X509 parser will not break-off when parsing an X509 certificate
1510 * and encountering an unknown critical extension.
1512 * \warning Depending on your PKI use, enabling this can be a security risk!
1514 * Uncomment to prevent an error.
1516 //#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
1519 * \def MBEDTLS_X509_CHECK_KEY_USAGE
1521 * Enable verification of the keyUsage extension (CA and leaf certificates).
1523 * Disabling this works around interoperability problems with mis-issued and/or
1524 * misused (intermediate) CA and leaf certificates, but such certificates are then accepted.
1526 * \warning Depending on your PKI use, disabling this can be a security risk!
1528 * Comment to skip keyUsage checking for both CA and leaf certificates.
1530 #define MBEDTLS_X509_CHECK_KEY_USAGE
1533 * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
1535 * Enable verification of the extendedKeyUsage extension (leaf certificates).
1537 * Disabling this works around interoperability problems with mis-issued and/or misused certificates, but such certificates are then accepted.
1539 * \warning Depending on your PKI use, disabling this can be a security risk!
1541 * Comment to skip extendedKeyUsage checking for certificates.
1543 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
1546 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
1548 * Enable parsing and verification of X.509 certificates, CRLs and CSRs
1549 * signed with RSASSA-PSS (aka PKCS#1 v2.1).
1551 * Comment this macro to disallow using RSASSA-PSS in certificates.
1553 #define MBEDTLS_X509_RSASSA_PSS_SUPPORT
1556 * \def MBEDTLS_ZLIB_SUPPORT
1558 * If set, the SSL/TLS module uses ZLIB to support compression and
1559 * decompression of packet data.
1561 * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
1562 * CRIME attack. Before enabling this option, you should examine with care if
1563 * CRIME or similar exploits may be applicable to your use case.
1565 * \note Currently compression can't be used with DTLS.
1567 * Used in: library/ssl_tls.c
1571 * This feature requires zlib library and headers to be present.
1573 * Uncomment to enable use of ZLIB
1575 //#define MBEDTLS_ZLIB_SUPPORT
1576 /* \} name SECTION: mbed TLS feature support */
1579 * \name SECTION: mbed TLS modules
1581 * This section enables or disables entire modules in mbed TLS
1586 * \def MBEDTLS_AESNI_C
1588 * Enable AES-NI support on x86-64.
1590 * Module: library/aesni.c
1591 * Caller: library/aes.c
1593 * Requires: MBEDTLS_HAVE_ASM
1595 * This module adds support for the AES-NI instructions on x86-64
1597 #define MBEDTLS_AESNI_C /* swyter: looks like these AMD64 improvements are behind an arch macro, better perf is always good */
1600 * \def MBEDTLS_AES_C
1602 * Enable the AES block cipher.
1604 * Module: library/aes.c
1605 * Caller: library/ssl_tls.c
1607 * library/ctr_drbg.c
1609 * This module enables the following ciphersuites (if other requisites are
1611 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
1612 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
1613 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
1614 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
1615 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
1616 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
1617 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
1618 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
1619 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
1620 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
1621 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
1622 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
1623 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
1624 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
1625 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
1626 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
1627 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
1628 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
1629 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
1630 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
1631 * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
1632 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
1633 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
1634 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
1635 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
1636 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
1637 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
1638 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
1639 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
1640 * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
1641 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
1642 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
1643 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
1644 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
1645 * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
1646 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
1647 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
1648 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
1649 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
1650 * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
1651 * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
1652 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
1653 * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
1654 * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
1655 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
1656 * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
1657 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
1658 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
1659 * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
1660 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
1661 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
1662 * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
1663 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
1664 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
1665 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
1666 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
1667 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
1668 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
1670 * PEM_PARSE uses AES for decrypting encrypted keys.
1672 #define MBEDTLS_AES_C
1675 * \def MBEDTLS_ARC4_C
1677 * Enable the ARCFOUR stream cipher.
1679 * Module: library/arc4.c
1680 * Caller: library/ssl_tls.c
1682 * This module enables the following ciphersuites (if other requisites are
1684 * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
1685 * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
1686 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
1687 * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
1688 * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
1689 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
1690 * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
1691 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
1692 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
1693 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
1695 * \warning ARC4 is considered a weak cipher and its use constitutes a
1696 * security risk. If possible, we recommend avoiding dependencies on
1697 * it, and considering stronger ciphers instead.
1700 #define MBEDTLS_ARC4_C /* NOTE(review): left enabled despite the weak-cipher warning above; confirm that MBEDTLS_REMOVE_ARC4_CIPHERSUITES is defined elsewhere in this file so the RC4 suites stay out of the default TLS list, or comment this out if nothing needs RC4. */
1703 * \def MBEDTLS_ASN1_PARSE_C
1705 * Enable the generic ASN1 parser.
1707 * Module: library/asn1.c
1708 * Caller: library/x509.c
1714 #define MBEDTLS_ASN1_PARSE_C
1717 * \def MBEDTLS_ASN1_WRITE_C
1719 * Enable the generic ASN1 writer.
1721 * Module: library/asn1write.c
1722 * Caller: library/ecdsa.c
1724 * library/x509_create.c
1725 * library/x509write_crt.c
1726 * library/x509write_csr.c
1728 #define MBEDTLS_ASN1_WRITE_C
1731 * \def MBEDTLS_BASE64_C
1733 * Enable the Base64 module.
1735 * Module: library/base64.c
1736 * Caller: library/pem.c
1738 * This module is required for PEM support (required by X.509).
1740 //#define MBEDTLS_BASE64_C /* NOTE(review): disabled, and the description above says PEM support requires this module; confirm the PEM modules are disabled elsewhere in this file too, i.e. that certificates and keys are only ever supplied as DER. */
1743 * \def MBEDTLS_BIGNUM_C
1745 * Enable the multi-precision integer library.
1747 * Module: library/bignum.c
1748 * Caller: library/dhm.c
1752 * library/rsa_internal.c
1755 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
1757 #define MBEDTLS_BIGNUM_C
1760 * \def MBEDTLS_BLOWFISH_C
1762 * Enable the Blowfish block cipher.
1764 * Module: library/blowfish.c
1766 #define MBEDTLS_BLOWFISH_C
1769 * \def MBEDTLS_CAMELLIA_C
1771 * Enable the Camellia block cipher.
1773 * Module: library/camellia.c
1774 * Caller: library/ssl_tls.c
1776 * This module enables the following ciphersuites (if other requisites are
1778 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
1779 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
1780 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
1781 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
1782 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
1783 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
1784 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
1785 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
1786 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
1787 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
1788 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
1789 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
1790 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
1791 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
1792 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
1793 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
1794 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
1795 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
1796 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
1797 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
1798 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
1799 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
1800 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
1801 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
1802 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
1803 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
1804 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
1805 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
1806 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
1807 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
1808 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
1809 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
1810 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
1811 * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
1812 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
1813 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
1814 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
1815 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
1816 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
1817 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
1818 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
1819 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
1821 #define MBEDTLS_CAMELLIA_C
1824 * \def MBEDTLS_CCM_C
1826 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
1828 * Module: library/ccm.c
1830 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
1832 * This module enables the AES-CCM ciphersuites, if other requisites are
1835 #define MBEDTLS_CCM_C
1838 * \def MBEDTLS_CERTS_C
1840 * Enable the test certificates.
1842 * Module: library/certs.c
1845 * This module is used for testing (ssl_client/server).
1847 //#define MBEDTLS_CERTS_C /* swyter: these test certs are completely useless */
1850 * \def MBEDTLS_CIPHER_C
1852 * Enable the generic cipher layer.
1854 * Module: library/cipher.c
1855 * Caller: library/ssl_tls.c
1857 * Uncomment to enable generic cipher wrappers.
1859 #define MBEDTLS_CIPHER_C
1862 * \def MBEDTLS_CMAC_C
1864 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
1867 * Module: library/cmac.c
1869 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
1872 //#define MBEDTLS_CMAC_C
1875 * \def MBEDTLS_CTR_DRBG_C
1877 * Enable the CTR_DRBG AES-256-based random generator.
1879 * Module: library/ctr_drbg.c
1882 * Requires: MBEDTLS_AES_C
1884 * This module provides the CTR_DRBG AES-256 random number generator.
1886 #define MBEDTLS_CTR_DRBG_C
1889 * \def MBEDTLS_DEBUG_C
1891 * Enable the debug functions.
1893 * Module: library/debug.c
1894 * Caller: library/ssl_cli.c
1898 * This module provides debugging functions.
1901 #define MBEDTLS_DEBUG_C /* swyter: we don't even need this level of verboseness, useful only when developing. NOTE(review): the macro is still defined here although this remark reads as if it was meant to be commented out; confirm whether release builds should ship the debug module. */
1905 * \def MBEDTLS_DES_C
1907 * Enable the DES block cipher.
1909 * Module: library/des.c
1910 * Caller: library/pem.c
1913 * This module enables the following ciphersuites (if other requisites are
1915 * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
1916 * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
1917 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
1918 * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
1919 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
1920 * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
1921 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
1922 * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
1923 * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
1924 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
1926 * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
1928 * \warning DES is considered a weak cipher and its use constitutes a
1929 * security risk. We recommend considering stronger ciphers instead.
1931 #define MBEDTLS_DES_C /* NOTE(review): MBEDTLS_PEM_PARSE_C is commented out further down in this file, so the PEM use described above does not apply to this build. The reason left on this page is the 3DES ciphersuites listed above, which the warning advises against; other enabled modules may also depend on DES -- verify before deciding whether to keep this on. */
1934 * \def MBEDTLS_DHM_C
1936 * Enable the Diffie-Hellman-Merkle module.
1938 * Module: library/dhm.c
1939 * Caller: library/ssl_cli.c
1942 * This module is used by the following key exchanges:
1945 * \warning Using DHE constitutes a security risk as it
1946 * is not possible to validate custom DH parameters.
1947 * If possible, it is recommended users should consider
1948 * preferring other methods of key exchange.
1949 * See dhm.h for more details.
1952 #define MBEDTLS_DHM_C
1955 * \def MBEDTLS_ECDH_C
1957 * Enable the elliptic curve Diffie-Hellman library.
1959 * Module: library/ecdh.c
1960 * Caller: library/ssl_cli.c
1963 * This module is used by the following key exchanges:
1964 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
1966 * Requires: MBEDTLS_ECP_C
1968 #define MBEDTLS_ECDH_C
1971 * \def MBEDTLS_ECDSA_C
1973 * Enable the elliptic curve DSA library.
1975 * Module: library/ecdsa.c
1978 * This module is used by the following key exchanges:
1981 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
1983 #define MBEDTLS_ECDSA_C
1986 * \def MBEDTLS_ECJPAKE_C
1988 * Enable the elliptic curve J-PAKE library.
1990 * \warning This is currently experimental. EC J-PAKE support is based on the
1991 * Thread v1.0.0 specification; incompatible changes to the specification
1992 * might still happen. For this reason, this is disabled by default.
1994 * Module: library/ecjpake.c
1997 * This module is used by the following key exchanges:
2000 * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
2002 //#define MBEDTLS_ECJPAKE_C
2005 * \def MBEDTLS_ECP_C
2007 * Enable the elliptic curve over GF(p) library.
2009 * Module: library/ecp.c
2010 * Caller: library/ecdh.c
2014 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
2016 #define MBEDTLS_ECP_C
2019 * \def MBEDTLS_ENTROPY_C
2021 * Enable the platform-specific entropy code.
2023 * Module: library/entropy.c
2026 * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
2028 * This module provides a generic entropy pool
2030 #define MBEDTLS_ENTROPY_C
2033 * \def MBEDTLS_ERROR_C
2035 * Enable error code to error string conversion.
2037 * Module: library/error.c
2040 * This module enables mbedtls_strerror().
2042 //#define MBEDTLS_ERROR_C /* swyter: we don't print user errors, so this trims some fat */
2045 * \def MBEDTLS_GCM_C
2047 * Enable the Galois/Counter Mode (GCM) for AES.
2049 * Module: library/gcm.c
2051 * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
2053 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
2054 * requisites are enabled as well.
2056 #define MBEDTLS_GCM_C
2059 * \def MBEDTLS_HAVEGE_C
2061 * Enable the HAVEGE random generator.
2063 * Warning: the HAVEGE random generator is not suitable for virtualized
2066 * Warning: the HAVEGE random generator is dependent on timing and specific
2067 * processor traits. It is therefore not advised to use HAVEGE as
2068 * your application's primary random generator or primary entropy pool
2069 * input. As a secondary input to your entropy pool, it IS able to add
2070 * the (limited) extra entropy it provides.
2072 * Module: library/havege.c
2075 * Requires: MBEDTLS_TIMING_C
2077 * Uncomment to enable the HAVEGE random generator.
2079 //#define MBEDTLS_HAVEGE_C
2082 * \def MBEDTLS_HMAC_DRBG_C
2084 * Enable the HMAC_DRBG random generator.
2086 * Module: library/hmac_drbg.c
2089 * Requires: MBEDTLS_MD_C
2091 * Uncomment to enable the HMAC_DRBG random number generator.
2093 #define MBEDTLS_HMAC_DRBG_C
2098 * Enable the generic message digest layer.
2100 * Module: library/md.c
2103 * Uncomment to enable generic message digest wrappers.
2105 #define MBEDTLS_MD_C
2108 * \def MBEDTLS_MD2_C
2110 * Enable the MD2 hash algorithm.
2112 * Module: library/md2.c
2115 * Uncomment to enable support for (rare) MD2-signed X.509 certs.
2117 * \warning MD2 is considered a weak message digest and its use constitutes a
2118 * security risk. If possible, we recommend avoiding dependencies on
2119 * it, and considering stronger message digests instead.
2122 //#define MBEDTLS_MD2_C
2125 * \def MBEDTLS_MD4_C
2127 * Enable the MD4 hash algorithm.
2129 * Module: library/md4.c
2132 * Uncomment to enable support for (rare) MD4-signed X.509 certs.
2134 * \warning MD4 is considered a weak message digest and its use constitutes a
2135 * security risk. If possible, we recommend avoiding dependencies on
2136 * it, and considering stronger message digests instead.
2139 //#define MBEDTLS_MD4_C
2142 * \def MBEDTLS_MD5_C
2144 * Enable the MD5 hash algorithm.
2146 * Module: library/md5.c
2147 * Caller: library/md.c
2151 * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2
2152 * depending on the handshake parameters. Further, it is used for checking
2153 * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded
2156 * \warning MD5 is considered a weak message digest and its use constitutes a
2157 * security risk. If possible, we recommend avoiding dependencies on
2158 * it, and considering stronger message digests instead.
2161 #define MBEDTLS_MD5_C
2164 * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
2166 * Enable the buffer allocator implementation that makes use of a (stack)
2167 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
2170 * Module: library/memory_buffer_alloc.c
2172 * Requires: MBEDTLS_PLATFORM_C
2173 * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
2175 * Enable this module to enable the buffer memory allocator.
2177 //#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
2180 * \def MBEDTLS_NET_C
2182 * Enable the TCP and UDP over IPv6/IPv4 networking routines.
2184 * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
2185 * and Windows. For other platforms, you'll want to disable it, and write your
2186 * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
2188 * \note See also our Knowledge Base article about porting to a new
2190 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
2192 * Module: library/net_sockets.c
2194 * This module provides networking routines.
2196 //#define MBEDTLS_NET_C /* swyter: we don't use the network routines, in fact in schannel we replace them with our own shim to forward the managed network buffers */
2199 * \def MBEDTLS_OID_C
2201 * Enable the OID database.
2203 * Module: library/oid.c
2204 * Caller: library/asn1write.c
2210 * library/x509_create.c
2211 * library/x509_crl.c
2212 * library/x509_crt.c
2213 * library/x509_csr.c
2214 * library/x509write_crt.c
2215 * library/x509write_csr.c
2217 * This module translates between OIDs and internal values.
2219 #define MBEDTLS_OID_C
2222 * \def MBEDTLS_PADLOCK_C
2224 * Enable VIA Padlock support on x86.
2226 * Module: library/padlock.c
2227 * Caller: library/aes.c
2229 * Requires: MBEDTLS_HAVE_ASM
2231 * This module adds support for the VIA PadLock on x86.
2233 #define MBEDTLS_PADLOCK_C
2236 * \def MBEDTLS_PEM_PARSE_C
2238 * Enable PEM decoding / parsing.
2240 * Module: library/pem.c
2241 * Caller: library/dhm.c
2243 * library/x509_crl.c
2244 * library/x509_crt.c
2245 * library/x509_csr.c
2247 * Requires: MBEDTLS_BASE64_C
2249 * This module adds support for decoding / parsing PEM files.
2251 //#define MBEDTLS_PEM_PARSE_C /* swyter: we don't do any PEM decoding */
2254 * \def MBEDTLS_PEM_WRITE_C
2256 * Enable PEM encoding / writing.
2258 * Module: library/pem.c
2259 * Caller: library/pkwrite.c
2260 * library/x509write_crt.c
2261 * library/x509write_csr.c
2263 * Requires: MBEDTLS_BASE64_C
2265 * This module adds support for encoding / writing PEM files.
2267 //#define MBEDTLS_PEM_WRITE_C /* swyter: we don't do any PEM encoding / writing */
2272 * Enable the generic public (asymmetric) key layer.
2274 * Module: library/pk.c
2275 * Caller: library/ssl_tls.c
2279 * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
2281 * Uncomment to enable generic public key wrappers.
2283 #define MBEDTLS_PK_C
2286 * \def MBEDTLS_PK_PARSE_C
2288 * Enable the generic public (asymmetric) key parser.
2290 * Module: library/pkparse.c
2291 * Caller: library/x509_crt.c
2292 * library/x509_csr.c
2294 * Requires: MBEDTLS_PK_C
2296 * Uncomment to enable generic public key parse functions.
2298 #define MBEDTLS_PK_PARSE_C
2301 * \def MBEDTLS_PK_WRITE_C
2303 * Enable the generic public (asymmetric) key writer.
2305 * Module: library/pkwrite.c
2306 * Caller: library/x509write.c
2308 * Requires: MBEDTLS_PK_C
2310 * Uncomment to enable generic public key write functions.
2312 //#define MBEDTLS_PK_WRITE_C /* swyter: we don't write any PK */
2315 * \def MBEDTLS_PKCS5_C
2317 * Enable PKCS#5 functions.
2319 * Module: library/pkcs5.c
2321 * Requires: MBEDTLS_MD_C
2323 * This module adds support for the PKCS#5 functions.
2325 #define MBEDTLS_PKCS5_C
2328 * \def MBEDTLS_PKCS11_C
2330 * Enable wrapper for PKCS#11 smartcard support.
2332 * Module: library/pkcs11.c
2333 * Caller: library/pk.c
2335 * Requires: MBEDTLS_PK_C
2337 * This module enables SSL/TLS PKCS #11 smartcard support.
2338 * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
2340 //#define MBEDTLS_PKCS11_C
2343 * \def MBEDTLS_PKCS12_C
2345 * Enable PKCS#12 PBE functions.
2346 * Adds algorithms for parsing PKCS#8 encrypted private keys
2348 * Module: library/pkcs12.c
2349 * Caller: library/pkparse.c
2351 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C
2352 * Can use: MBEDTLS_ARC4_C
2354 * This module enables PKCS#12 functions.
2356 #define MBEDTLS_PKCS12_C
2359 * \def MBEDTLS_PLATFORM_C
2361 * Enable the platform abstraction layer that allows you to re-assign
2362 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
2364 * Enabling MBEDTLS_PLATFORM_C enables the use of MBEDTLS_PLATFORM_XXX_ALT
2365 * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
2366 * above to be specified at runtime or compile time respectively.
2368 * \note This abstraction layer must be enabled on Windows (including MSYS2)
2369 * as other modules rely on it for a fixed snprintf implementation.
2371 * Module: library/platform.c
2372 * Caller: Most other .c files
2374 * This module enables abstraction of common (libc) functions.
2376 #define MBEDTLS_PLATFORM_C
2379 * \def MBEDTLS_RIPEMD160_C
2381 * Enable the RIPEMD-160 hash algorithm.
2383 * Module: library/ripemd160.c
2384 * Caller: library/md.c
2387 #define MBEDTLS_RIPEMD160_C
2390 * \def MBEDTLS_RSA_C
2392 * Enable the RSA public-key cryptosystem.
2394 * Module: library/rsa.c
2395 * library/rsa_internal.c
2396 * Caller: library/ssl_cli.c
2401 * This module is used by the following key exchanges:
2402 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
2404 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
2406 #define MBEDTLS_RSA_C
2409 * \def MBEDTLS_SHA1_C
2411 * Enable the SHA1 cryptographic hash algorithm.
2413 * Module: library/sha1.c
2414 * Caller: library/md.c
2418 * library/x509write_crt.c
2420 * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
2421 * depending on the handshake parameters, and for SHA1-signed certificates.
2423 * \warning SHA-1 is considered a weak message digest and its use constitutes
2424 * a security risk. If possible, we recommend avoiding dependencies
2425 * on it, and considering stronger message digests instead.
2428 #define MBEDTLS_SHA1_C
2431 * \def MBEDTLS_SHA256_C
2433 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
2435 * Module: library/sha256.c
2436 * Caller: library/entropy.c
2442 * This module adds support for SHA-224 and SHA-256.
2443 * This module is required for the SSL/TLS 1.2 PRF function.
2445 #define MBEDTLS_SHA256_C
2448 * \def MBEDTLS_SHA512_C
2450 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
2452 * Module: library/sha512.c
2453 * Caller: library/entropy.c
2458 * This module adds support for SHA-384 and SHA-512.
2460 #define MBEDTLS_SHA512_C
2463 * \def MBEDTLS_SSL_CACHE_C
2465 * Enable simple SSL cache implementation.
2467 * Module: library/ssl_cache.c
2470 * Requires: MBEDTLS_SSL_CACHE_C
2472 //#define MBEDTLS_SSL_CACHE_C /* swyter: we don't make use of this caching mechanism, as the WINE schannel API does not expose it */
2475 * \def MBEDTLS_SSL_COOKIE_C
2477 * Enable basic implementation of DTLS cookies for hello verification.
2479 * Module: library/ssl_cookie.c
2482 //#define MBEDTLS_SSL_COOKIE_C /* swyter: schannel does not support UDP sockets, DTLS is useless */
2485 * \def MBEDTLS_SSL_TICKET_C
2487 * Enable an implementation of TLS server-side callbacks for session tickets.
2489 * Module: library/ssl_ticket.c
2492 * Requires: MBEDTLS_CIPHER_C
2494 #define MBEDTLS_SSL_TICKET_C /* NOTE(review): described above as server-side callbacks for session tickets, yet MBEDTLS_SSL_SRV_C is commented out further down as not needed; this looks like a candidate for disabling as well -- confirm nothing on the client path references it. */
2497 * \def MBEDTLS_SSL_CLI_C
2499 * Enable the SSL/TLS client code.
2501 * Module: library/ssl_cli.c
2504 * Requires: MBEDTLS_SSL_TLS_C
2506 * This module is required for SSL/TLS client support.
2508 #define MBEDTLS_SSL_CLI_C
2511 * \def MBEDTLS_SSL_SRV_C
2513 * Enable the SSL/TLS server code.
2515 * Module: library/ssl_srv.c
2518 * Requires: MBEDTLS_SSL_TLS_C
2520 * This module is required for SSL/TLS server support.
2522 //#define MBEDTLS_SSL_SRV_C /* swyter: we don't need anything server-related */
2525 * \def MBEDTLS_SSL_TLS_C
2527 * Enable the generic SSL/TLS code.
2529 * Module: library/ssl_tls.c
2530 * Caller: library/ssl_cli.c
2533 * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
2534 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines
2536 * This module is required for SSL/TLS.
2538 #define MBEDTLS_SSL_TLS_C
2541 * \def MBEDTLS_THREADING_C
2543 * Enable the threading abstraction layer.
2544 * By default mbed TLS assumes it is used in a non-threaded environment or that
2545 * contexts are not shared between threads. If you do intend to use contexts
2546 * between threads, you will need to enable this layer to prevent race
2547 * conditions. See also our Knowledge Base article about threading:
2548 * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
2550 * Module: library/threading.c
2552 * This allows different threading implementations (self-implemented or
2555 * You will have to enable either MBEDTLS_THREADING_ALT or
2556 * MBEDTLS_THREADING_PTHREAD.
2558 * Enable this layer to allow use of mutexes within mbed TLS
2560 //#define MBEDTLS_THREADING_C
2563 * \def MBEDTLS_TIMING_C
2565 * Enable the semi-portable timing interface.
2567 * \note The provided implementation only works on POSIX/Unix (including Linux,
2568 * BSD and OS X) and Windows. On other platforms, you can either disable that
2569 * module and provide your own implementations of the callbacks needed by
2570 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
2571 * your own implementation of the whole module by setting
2572 * \c MBEDTLS_TIMING_ALT in the current file.
2574 * \note See also our Knowledge Base article about porting to a new
2576 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
2578 * Module: library/timing.c
2579 * Caller: library/havege.c
2581 * This module is used by the HAVEGE random number generator.
2583 #define MBEDTLS_TIMING_C
2586 * \def MBEDTLS_VERSION_C
2588 * Enable run-time version information.
2590 * Module: library/version.c
2592 * This module provides run-time version information.
2594 //#define MBEDTLS_VERSION_C /* swyter: we don't use these functions, so it's a waste of space */
2597 * \def MBEDTLS_X509_USE_C
2599 * Enable X.509 core for using certificates.
2601 * Module: library/x509.c
2602 * Caller: library/x509_crl.c
2603 * library/x509_crt.c
2604 * library/x509_csr.c
2606 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
2607 * MBEDTLS_PK_PARSE_C
2609 * This module is required for the X.509 parsing modules.
2611 #define MBEDTLS_X509_USE_C
2614 * \def MBEDTLS_X509_CRT_PARSE_C
2616 * Enable X.509 certificate parsing.
2618 * Module: library/x509_crt.c
2619 * Caller: library/ssl_cli.c
2623 * Requires: MBEDTLS_X509_USE_C
2625 * This module is required for X.509 certificate parsing.
2627 #define MBEDTLS_X509_CRT_PARSE_C
2630 * \def MBEDTLS_X509_CRL_PARSE_C
2632 * Enable X.509 CRL parsing.
2634 * Module: library/x509_crl.c
2635 * Caller: library/x509_crt.c
2637 * Requires: MBEDTLS_X509_USE_C
2639 * This module is required for X.509 CRL parsing.
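2641 //#define MBEDTLS_X509_CRL_PARSE_C /* swyter: we don't verify certs directly. NOTE(review): with CRL parsing off, mbed TLS itself cannot consult CRLs, so any revocation checking has to be done by the component that does verify the certificate chain -- confirm that it does. */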
2644 * \def MBEDTLS_X509_CSR_PARSE_C
2646 * Enable X.509 Certificate Signing Request (CSR) parsing.
2648 * Module: library/x509_csr.c
2649 * Caller: library/x509_crt_write.c
2651 * Requires: MBEDTLS_X509_USE_C
2653 * This module is used for reading X.509 certificate request.
2655 //#define MBEDTLS_X509_CSR_PARSE_C /* swyter: we don't verify certs directly */
2658 * \def MBEDTLS_X509_CREATE_C
2660 * Enable X.509 core for creating certificates.
2662 * Module: library/x509_create.c
2664 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
2666 * This module is the basis for creating X.509 certificates and CSRs.
2668 //#define MBEDTLS_X509_CREATE_C /* swyter: we don't create certs in schannel */
2671 * \def MBEDTLS_X509_CRT_WRITE_C
2673 * Enable creating X.509 certificates.
2675 * Module: library/x509_crt_write.c
2677 * Requires: MBEDTLS_X509_CREATE_C
2679 * This module is required for X.509 certificate creation.
2681 //#define MBEDTLS_X509_CRT_WRITE_C /* swyter: we don't create certs in schannel */
2684 * \def MBEDTLS_X509_CSR_WRITE_C
2686 * Enable creating X.509 Certificate Signing Requests (CSR).
2688 * Module: library/x509_csr_write.c
2690 * Requires: MBEDTLS_X509_CREATE_C
2692 * This module is required for X.509 certificate request writing.
2694 //#define MBEDTLS_X509_CSR_WRITE_C /* swyter: we don't create certs in schannel, this is for servers */
2697 * \def MBEDTLS_XTEA_C
2699 * Enable the XTEA block cipher.
2701 * Module: library/xtea.c
2704 #define MBEDTLS_XTEA_C
2706 /* \} name SECTION: mbed TLS modules */
2709 * \name SECTION: Module configuration options
2711 * This section allows for the setting of module specific sizes and
2712 * configuration options. The default values are already present in the
2713 * relevant header files and should suffice for the regular use cases.
2715 * Our advice is to enable options and change their values here
2716 * only if you have a good reason and know the consequences.
2718 * Please check the respective header file for documentation on these
2719 * parameters (to prevent duplicate documentation).
2723 /* MPI / BIGNUM options */
2724 //#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */
2725 //#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */
2727 /* CTR_DRBG options */
2728 //#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
2729 //#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
2730 //#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
2731 //#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
2732 //#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
2734 /* HMAC_DRBG options */
2735 //#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */
2736 //#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */
2737 //#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */
2738 //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */
2741 //#define MBEDTLS_ECP_MAX_BITS 521 /**< Maximum bit size of groups */
2742 //#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */
2743 //#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */
2745 /* Entropy options */
2746 //#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
2747 //#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */
2748 //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
2750 /* Memory buffer allocator options */
2751 //#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */
2753 /* Platform options */
2754 //#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
2755 //#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */
2756 //#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */
2757 //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */
2758 //#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
2759 //#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
2760 //#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
2761 /* Note: your snprintf must correctly zero-terminate the buffer! */
2762 //#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
2763 //#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
2764 //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
2765 //#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
2766 //#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
2767 //#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */
2769 /* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */
2770 /* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
2771 //#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */
2772 //#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */
2773 //#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */
2774 //#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
2775 //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
2776 //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
2777 //#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
2778 /* Note: your snprintf must correctly zero-terminate the buffer! */
2779 //#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
2780 //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
2781 //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
2783 /* SSL Cache options */
2784 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
2785 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
2788 //#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maximum fragment length in bytes, determines the size of each of the two internal I/O buffers */
2789 //#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
2790 //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
2791 //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
2794 * Complete list of ciphersuites to use, in order of preference.
2796 * \warning No dependency checking is done on that field! This option can only
2797 * be used to restrict the set of available ciphersuites. It is your
2798 * responsibility to make sure the needed modules are active.
2800 * Use this to save a few hundred bytes of ROM (default ordering of all
2801 * available ciphersuites) and a few to a few hundred bytes of RAM.
2803 * The value below is only an example, not the default.
2805 //#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
2808 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
2809 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
2812 * Allow SHA-1 in the default TLS configuration for certificate signing.
2813 * Without this build-time option, SHA-1 support must be activated explicitly
2814 * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
2815 * recommended because it is possible to generate SHA-1 collisions, however
2816 * this may be safe for legacy infrastructure where additional controls apply.
2818 * \warning SHA-1 is considered a weak message digest and its use constitutes
2819 * a security risk. If possible, we recommend avoiding dependencies
2820 * on it, and considering stronger message digests instead.
2823 // #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
2826 * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
2827 * signature and ciphersuite selection. Without this build-time option, SHA-1
2828 * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
2829 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
2830 * default. At the time of writing, there is no practical attack on the use
2831 * of SHA-1 in handshake signatures, hence this option is turned on by default
2832 * to preserve compatibility with existing peers, but the general
2833 * warning applies nonetheless:
2835 * \warning SHA-1 is considered a weak message digest and its use constitutes
2836 * a security risk. If possible, we recommend avoiding dependencies
2837 * on it, and considering stronger message digests instead.
2840 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
2842 /* \} name SECTION: Customisation configuration options */
2844 /* Target and application specific configurations */
2845 //#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h"
2847 #if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
2848 #include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
2852 * Allow user to override any previous default.
2854 * Use two macro names for that, as:
2855 * - with yotta the prefix YOTTA_CFG_ is forced
2856 * - without yotta it looks weird to have a YOTTA prefix.
2858 #if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
2859 #include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
2860 #elif defined(MBEDTLS_USER_CONFIG_FILE)
2861 #include MBEDTLS_USER_CONFIG_FILE
2864 #include "check_config.h"
2866 #endif /* MBEDTLS_CONFIG_H */