@ -128,7 +128,12 @@
* MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
* MBEDTLS_PLATFORM_STD_TIME.
*
* Comment if your system does not support time functions
* Comment if your system does not support time functions.
*
* \note If MBEDTLS_TIMING_C is set - to enable the semi-portable timing
* interface - timing.c will include time.h on suitable platforms
* regardless of the setting of MBEDTLS_HAVE_TIME, unless
* MBEDTLS_TIMING_ALT is used. See timing.c for more information.
*/
#define MBEDTLS_HAVE_TIME
@ -321,7 +326,7 @@
*/
//#define MBEDTLS_CHECK_PARAMS_ASSERT
/* \} name SECTION: System support */
/** \} name SECTION: System support */
/**
* \name SECTION: mbed TLS feature support
@ -395,7 +400,7 @@
//#define MBEDTLS_XTEA_ALT
/*
* When replacing the elliptic curve module, pleace consider, that it is
* When replacing the elliptic curve module, please consider, that it is
* implemented with two .c files:
* - ecp.c
* - ecp_curves.c
@ -1493,7 +1498,7 @@
* Enable an implementation of SHA-256 that has lower ROM footprint but also
* lower performance.
*
* The default implementation is meant to be a reasonnable compromise between
* The default implementation is meant to be a reasonable compromise between
* performance and size. This version optimizes more aggressively for size at
* the expense of performance. Eg on Cortex-M4 it reduces the size of
* mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
@ -1658,7 +1663,7 @@
* Enable support for RFC 7627: Session Hash and Extended Master Secret
* Extension.
*
* This was introduced as "the proper fix" to the Triple Handshake familiy of
* This was introduced as "the proper fix" to the Triple Handshake family of
* attacks, but it is recommended to always use it (even if you disable
* renegotiation), since it actually fixes a more fundamental issue in the
* original SSL/TLS design, and has implications beyond Triple Handshake.
@ -1704,7 +1709,7 @@
* \note This option has no influence on the protection against the
* triple handshake attack. Even if it is disabled, Mbed TLS will
* still ensure that certificates do not change during renegotiation,
* for exaple by keeping a hash of the peer's certificate.
* for example by keeping a hash of the peer's certificate.
*
* Comment this macro to disable storing the peer's certificate
* after the handshake.
@ -1909,7 +1914,7 @@
* unless you know for sure amplification cannot be a problem in the
* environment in which your server operates.
*
* \warning Disabling this can ba a security risk! (see above)
* \warning Disabling this can be a security risk! (see above)
*
* Requires: MBEDTLS_SSL_PROTO_DTLS
*
@ -2162,8 +2167,19 @@
* This setting allows support for cryptographic mechanisms through the PSA
* API to be configured separately from support through the mbedtls API.
*
* Uncomment this to enable use of PSA Crypto configuration settings which
* can be found in include/psa/crypto_config.h.
* When this option is disabled, the PSA API exposes the cryptographic
* mechanisms that can be implemented on top of the `mbedtls_xxx` API
* configured with `MBEDTLS_XXX` symbols.
*
* When this option is enabled, the PSA API exposes the cryptographic
* mechanisms requested by the `PSA_WANT_XXX` symbols defined in
* include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are
* automatically enabled if required (i.e. if no PSA driver provides the
* mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols
* in config.h.
*
* If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies
* an alternative header to include instead of include/psa/crypto_config.h.
*
* If you enable this option and write your own configuration file, you must
* include mbedtls/config_psa.h in your configuration file. The default
@ -2289,7 +2305,7 @@
* Uncomment to enable use of ZLIB
*/
//#define MBEDTLS_ZLIB_SUPPORT
/* \} name SECTION: mbed TLS feature support */
/** \} name SECTION: mbed TLS feature support */
/**
* \name SECTION: mbed TLS modules
@ -2902,7 +2918,7 @@
*
* Requires: MBEDTLS_MD_C
*
* Uncomment to enable the HMAC_DRBG random number geerator.
* Uncomment to enable the HMAC_DRBG random number generator.
*/
#define MBEDTLS_HMAC_DRBG_C
@ -3096,7 +3112,7 @@
/**
* \def MBEDTLS_PK_C
*
* Enable the generic public (asymetric) key layer.
* Enable the generic public (asymmetric) key layer.
*
* Module: library/pk.c
* Caller: library/ssl_tls.c
@ -3112,7 +3128,7 @@
/**
* \def MBEDTLS_PK_PARSE_C
*
* Enable the generic public (asymetric) key parser.
* Enable the generic public (asymmetric) key parser.
*
* Module: library/pkparse.c
* Caller: library/x509_crt.c
@ -3127,7 +3143,7 @@
/**
* \def MBEDTLS_PK_WRITE_C
*
* Enable the generic public (asymetric) key writer.
* Enable the generic public (asymmetric) key writer.
*
* Module: library/pkwrite.c
* Caller: library/x509write.c
@ -3466,6 +3482,10 @@
* your own implementation of the whole module by setting
* \c MBEDTLS_TIMING_ALT in the current file.
*
* \note The timing module will include time.h on suitable platforms
* regardless of the setting of MBEDTLS_HAVE_TIME, unless
* MBEDTLS_TIMING_ALT is used. See timing.c for more information.
*
* \note See also our Knowledge Base article about porting to a new
* environment:
* https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
@ -3598,7 +3618,88 @@
*/
#define MBEDTLS_XTEA_C
/* \} name SECTION: mbed TLS modules */
/** \} name SECTION: mbed TLS modules */
/**
* \name SECTION: General configuration options
*
* This section contains Mbed TLS build settings that are not associated
* with a particular module.
*
* \{
*/
/**
* \def MBEDTLS_CONFIG_FILE
*
* If defined, this is a header which will be included instead of
* `"mbedtls/config.h"`.
* This header file specifies the compile-time configuration of Mbed TLS.
* Unlike other configuration options, this one must be defined on the
* compiler command line: a definition in `config.h` would have no effect.
*
* This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
* non-standard feature of the C language, so this feature is only available
* with compilers that perform macro expansion on an <tt>\#include</tt> line.
*
* The value of this symbol is typically a path in double quotes, either
* absolute or relative to a directory on the include search path.
*/
//#define MBEDTLS_CONFIG_FILE "mbedtls/config.h"
/**
* \def MBEDTLS_USER_CONFIG_FILE
*
* If defined, this is a header which will be included after
* `"mbedtls/config.h"` or #MBEDTLS_CONFIG_FILE.
* This allows you to modify the default configuration, including the ability
* to undefine options that are enabled by default.
*
* This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
* non-standard feature of the C language, so this feature is only available
* with compilers that perform macro expansion on an <tt>\#include</tt> line.
*
* The value of this symbol is typically a path in double quotes, either
* absolute or relative to a directory on the include search path.
*/
//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
/**
* \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE
*
* If defined, this is a header which will be included instead of
* `"psa/crypto_config.h"`.
* This header file specifies which cryptographic mechanisms are available
* through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and
* is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
*
* This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
* non-standard feature of the C language, so this feature is only available
* with compilers that perform macro expansion on an <tt>\#include</tt> line.
*
* The value of this symbol is typically a path in double quotes, either
* absolute or relative to a directory on the include search path.
*/
//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"
/**
* \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
*
* If defined, this is a header which will be included after
* `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.
* This allows you to modify the default configuration, including the ability
* to undefine options that are enabled by default.
*
* This macro is expanded after an <tt>\#include</tt> directive. This is a popular but
* non-standard feature of the C language, so this feature is only available
* with compilers that perform macro expansion on an <tt>\#include</tt> line.
*
* The value of this symbol is typically a path in double quotes, either
* absolute or relative to a directory on the include search path.
*/
//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
/** \} name SECTION: General configuration options */
/**
* \name SECTION: Module configuration options
@ -3609,11 +3710,15 @@
*
* Our advice is to enable options and change their values here
* only if you have a good reason and know the consequences.
*
* Please check the respective header file for documentation on these
* parameters (to prevent duplicate documentation).
* \{
*/
/* The Doxygen documentation here is used when a user comments out a
* setting and runs doxygen themselves. On the other hand, when we typeset
* the full documentation including disabled settings, the documentation
* in specific modules' header files is used if present. When editing this
* file, make sure that each option is documented in exactly one place,
* plus optionally a same-line Doxygen comment here if there is a Doxygen
* comment in the specific module. */
/* MPI / BIGNUM options */
//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size used. */
@ -4002,7 +4107,7 @@
*/
//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
/* \} name SECTION: Customisation configuration options */
/** \} name SECTION: Module configuration options */
/* Target and application specific configurations
*