From 1a3db6b667de29c0ade3dec2a4e52bc4b9a1a14f Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 16 Feb 2023 23:25:37 +0100 Subject: [PATCH] Update mbedtls_config.h. Signed-off-by: Pol Henarejos --- config/mbedtls_config.h | 506 ++++++++++++++++++++++++++++++---------- 1 file changed, 383 insertions(+), 123 deletions(-) diff --git a/config/mbedtls_config.h b/config/mbedtls_config.h index ada3aca..57c6272 100644 --- a/config/mbedtls_config.h +++ b/config/mbedtls_config.h @@ -25,7 +25,7 @@ */ /** - * This is an optional version symbol that enables comatibility handling of + * This is an optional version symbol that enables compatibility handling of * config files. * * It is equal to the #MBEDTLS_VERSION_NUMBER of the Mbed TLS version that @@ -129,9 +129,14 @@ * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and * MBEDTLS_PLATFORM_STD_TIME. * - * Comment if your system does not support time functions + * Comment if your system does not support time functions. + * + * \note If MBEDTLS_TIMING_C is set - to enable the semi-portable timing + * interface - timing.c will include time.h on suitable platforms + * regardless of the setting of MBEDTLS_HAVE_TIME, unless + * MBEDTLS_TIMING_ALT is used. See timing.c for more information. */ -#define MBEDTLS_HAVE_TIME +//#define MBEDTLS_HAVE_TIME /** * \def MBEDTLS_HAVE_TIME_DATE @@ -152,7 +157,7 @@ * mbedtls_platform_gmtime_r() at compile-time by using the macro * MBEDTLS_PLATFORM_GMTIME_R_ALT. */ -#define MBEDTLS_HAVE_TIME_DATE +//#define MBEDTLS_HAVE_TIME_DATE /** * \def MBEDTLS_PLATFORM_MEMORY @@ -220,6 +225,7 @@ * Uncomment a macro to enable alternate implementation of specific base * platform function */ +//#define MBEDTLS_PLATFORM_SETBUF_ALT //#define MBEDTLS_PLATFORM_EXIT_ALT //#define MBEDTLS_PLATFORM_TIME_ALT //#define MBEDTLS_PLATFORM_FPRINTF_ALT @@ -242,7 +248,7 @@ * * Uncomment to get warnings on using deprecated functions and features. */ -//#define MBEDTLS_DEPRECATED_WARNING +#define MBEDTLS_DEPRECATED_WARNING /** * \def MBEDTLS_DEPRECATED_REMOVED @@ -254,9 +260,9 @@ * * Uncomment to get errors on using deprecated functions and features. */ -//#define MBEDTLS_DEPRECATED_REMOVED +#define MBEDTLS_DEPRECATED_REMOVED -/* \} name SECTION: System support */ +/** \} name SECTION: System support */ /** * \name SECTION: mbed TLS feature support @@ -325,7 +331,7 @@ //#define MBEDTLS_SHA512_ALT /* - * When replacing the elliptic curve module, pleace consider, that it is + * When replacing the elliptic curve module, please consider, that it is * implemented with two .c files: * - ecp.c * - ecp_curves.c @@ -724,7 +730,7 @@ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */ -#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +//#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED @@ -753,7 +759,7 @@ * See dhm.h for more details. * */ -#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED +//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED @@ -771,7 +777,7 @@ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */ -#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED @@ -794,7 +800,7 @@ * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */ -#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED +//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED @@ -851,7 +857,7 @@ * See dhm.h for more details. * */ -#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED @@ -874,7 +880,7 @@ * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */ -#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +//#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED @@ -896,7 +902,7 @@ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */ -#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +//#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED @@ -973,7 +979,7 @@ * * Disable if you only need to support RFC 5915 + 5480 key formats. */ -#define MBEDTLS_PK_PARSE_EC_EXTENDED +//#define MBEDTLS_PK_PARSE_EC_EXTENDED /** * \def MBEDTLS_ERROR_STRERROR_DUMMY @@ -988,7 +994,7 @@ * Disable if you run into name conflicts and want to really remove the * mbedtls_strerror() */ -#define MBEDTLS_ERROR_STRERROR_DUMMY +//#define MBEDTLS_ERROR_STRERROR_DUMMY /** * \def MBEDTLS_GENPRIME @@ -1081,7 +1087,7 @@ * which is currently hard-coded to be int32_t. * * Note that this option is meant for internal use only and may be removed - * without notice. It is incompatible with MBEDTLS_USE_PSA_CRYPTO. + * without notice. */ //#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER @@ -1117,14 +1123,14 @@ * * Comment this macro to disable support for external private RSA keys. */ -#define MBEDTLS_PK_RSA_ALT_SUPPORT +//#define MBEDTLS_PK_RSA_ALT_SUPPORT /** * \def MBEDTLS_PKCS1_V15 * * Enable support for PKCS#1 v1.5 encoding. * - * Requires: MBEDTLS_RSA_C + * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C * * This enables support for PKCS#1 v1.5 operations. */ @@ -1179,8 +1185,9 @@ * * Requires: MBEDTLS_PSA_CRYPTO_C * - * \warning This interface is experimental and may change or be removed - * without notice. + * \warning This interface is experimental. We intend to maintain backward + * compatibility with application code that relies on drivers, + * but the driver interfaces may change without notice. */ //#define MBEDTLS_PSA_CRYPTO_DRIVERS @@ -1273,7 +1280,7 @@ * Enable an implementation of SHA-256 that has lower ROM footprint but also * lower performance. * - * The default implementation is meant to be a reasonnable compromise between + * The default implementation is meant to be a reasonable compromise between * performance and size. This version optimizes more aggressively for size at * the expense of performance. Eg on Cortex-M4 it reduces the size of * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about @@ -1305,7 +1312,7 @@ * * Enable sending of all alert messages */ -#define MBEDTLS_SSL_ALL_ALERT_MESSAGES +//#define MBEDTLS_SSL_ALL_ALERT_MESSAGES /** * \def MBEDTLS_SSL_DTLS_CONNECTION_ID @@ -1317,8 +1324,9 @@ * in the underlying transport. * * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, - * `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`. - * See the corresponding documentation for more information. + * mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and + * `mbedtls_ssl_conf_cid()`. See the corresponding documentation for + * more information. * * \warning The Connection ID extension is still in draft state. * We make no stability promises for the availability @@ -1371,7 +1379,7 @@ * * Comment to disable the context serialization APIs. */ -#define MBEDTLS_SSL_CONTEXT_SERIALIZATION +//#define MBEDTLS_SSL_CONTEXT_SERIALIZATION /** * \def MBEDTLS_SSL_DEBUG_ALL @@ -1403,14 +1411,14 @@ * * Comment this macro to disable support for Encrypt-then-MAC */ -#define MBEDTLS_SSL_ENCRYPT_THEN_MAC +//#define MBEDTLS_SSL_ENCRYPT_THEN_MAC /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET * * Enable support for RFC 7627: Session Hash and Extended Master Secret * Extension. * - * This was introduced as "the proper fix" to the Triple Handshake familiy of + * This was introduced as "the proper fix" to the Triple Handshake family of * attacks, but it is recommended to always use it (even if you disable * renegotiation), since it actually fixes a more fundamental issue in the * original SSL/TLS design, and has implications beyond Triple Handshake. @@ -1419,7 +1427,7 @@ * * Comment this macro to disable support for Extended Master Secret. */ -#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET +//#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET /** * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE @@ -1436,12 +1444,14 @@ * \note This option has no influence on the protection against the * triple handshake attack. Even if it is disabled, Mbed TLS will * still ensure that certificates do not change during renegotiation, - * for exaple by keeping a hash of the peer's certificate. + * for example by keeping a hash of the peer's certificate. + * + * \note This option is required if MBEDTLS_SSL_PROTO_TLS1_3 is set. * * Comment this macro to disable storing the peer's certificate * after the handshake. */ -#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE +//#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE /** * \def MBEDTLS_SSL_RENEGOTIATION @@ -1463,7 +1473,7 @@ * configuration of this extension). * */ -#define MBEDTLS_SSL_RENEGOTIATION +//#define MBEDTLS_SSL_RENEGOTIATION /** * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH @@ -1472,7 +1482,7 @@ * * Comment this macro to disable support for the max_fragment_length extension */ -#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +//#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH /** * \def MBEDTLS_SSL_PROTO_TLS1_2 @@ -1484,7 +1494,7 @@ * * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 */ -#define MBEDTLS_SSL_PROTO_TLS1_2 +//#define MBEDTLS_SSL_PROTO_TLS1_2 /** * \def MBEDTLS_SSL_PROTO_TLS1_3 @@ -1496,8 +1506,16 @@ * See docs/architecture/tls13-support.md for a description of the TLS * 1.3 support that this option enables. * - * Uncomment this macro to enable the support for TLS 1.3. + * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + * Requires: MBEDTLS_PSA_CRYPTO_C * + * Note: even though TLS 1.3 depends on PSA Crypto, if you want it to only use + * PSA for all crypto operations, you need to also enable + * MBEDTLS_USE_PSA_CRYPTO; otherwise X.509 operations, and functions that are + * common with TLS 1.2 (record protection, running handshake hash) will still + * use non-PSA crypto. + * + * Uncomment this macro to enable the support for TLS 1.3. */ //#define MBEDTLS_SSL_PROTO_TLS1_3 @@ -1534,7 +1552,7 @@ * * Comment this macro to disable support for DTLS */ -#define MBEDTLS_SSL_PROTO_DTLS +//#define MBEDTLS_SSL_PROTO_DTLS /** * \def MBEDTLS_SSL_ALPN @@ -1543,7 +1561,7 @@ * * Comment this macro to disable support for ALPN. */ -#define MBEDTLS_SSL_ALPN +//#define MBEDTLS_SSL_ALPN /** * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY @@ -1558,7 +1576,7 @@ * * Comment this to disable anti-replay in DTLS. */ -#define MBEDTLS_SSL_DTLS_ANTI_REPLAY +//#define MBEDTLS_SSL_DTLS_ANTI_REPLAY /** * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY @@ -1570,13 +1588,13 @@ * unless you know for sure amplification cannot be a problem in the * environment in which your server operates. * - * \warning Disabling this can ba a security risk! (see above) + * \warning Disabling this can be a security risk! (see above) * * Requires: MBEDTLS_SSL_PROTO_DTLS * * Comment this to disable support for HelloVerifyRequest. */ -#define MBEDTLS_SSL_DTLS_HELLO_VERIFY +//#define MBEDTLS_SSL_DTLS_HELLO_VERIFY /** * \def MBEDTLS_SSL_DTLS_SRTP @@ -1623,7 +1641,7 @@ * * Comment this to disable support for clients reusing the source port. */ -#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE +//#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE /** * \def MBEDTLS_SSL_SESSION_TICKETS @@ -1637,7 +1655,7 @@ * * Comment this macro to disable support for SSL session tickets */ -#define MBEDTLS_SSL_SESSION_TICKETS +//#define MBEDTLS_SSL_SESSION_TICKETS /** * \def MBEDTLS_SSL_SERVER_NAME_INDICATION @@ -1648,7 +1666,7 @@ * * Comment this macro to disable support for server name indication in SSL */ -#define MBEDTLS_SSL_SERVER_NAME_INDICATION +//#define MBEDTLS_SSL_SERVER_NAME_INDICATION /** * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH @@ -1752,12 +1770,11 @@ * \note See docs/use-psa-crypto.md for a complete description of what this * option currently does, and of parts that are not affected by it so far. * - * \warning This option enables new Mbed TLS APIs which are currently - * considered experimental and may change in incompatible ways at any time. - * That is, the APIs enabled by this option are not covered by the usual - * promises of API stability. + * \warning If you enable this option, you need to call `psa_crypto_init()` + * before calling any function from the SSL/TLS, X.509 or PK modules. * * Requires: MBEDTLS_PSA_CRYPTO_C. + * Conflicts with: MBEDTLS_ECP_RESTARTABLE * * Uncomment this to enable internal use of PSA Crypto and new associated APIs. */ @@ -1769,8 +1786,19 @@ * This setting allows support for cryptographic mechanisms through the PSA * API to be configured separately from support through the mbedtls API. * - * Uncomment this to enable use of PSA Crypto configuration settings which - * can be found in include/psa/crypto_config.h. + * When this option is disabled, the PSA API exposes the cryptographic + * mechanisms that can be implemented on top of the `mbedtls_xxx` API + * configured with `MBEDTLS_XXX` symbols. + * + * When this option is enabled, the PSA API exposes the cryptographic + * mechanisms requested by the `PSA_WANT_XXX` symbols defined in + * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are + * automatically enabled if required (i.e. if no PSA driver provides the + * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols + * in mbedtls_config.h. + * + * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies + * an alternative header to include instead of include/psa/crypto_config.h. * * This feature is still experimental and is not ready for production since * it is not completed. @@ -1788,7 +1816,7 @@ * * Comment this to disable run-time checking and save ROM space */ -#define MBEDTLS_VERSION_FEATURES +//#define MBEDTLS_VERSION_FEATURES /** * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK @@ -1829,7 +1857,7 @@ * Comment this macro to disallow using RSASSA-PSS in certificates. */ #define MBEDTLS_X509_RSASSA_PSS_SUPPORT -/* \} name SECTION: mbed TLS feature support */ +/** \} name SECTION: mbed TLS feature support */ /** * \name SECTION: mbed TLS modules @@ -1850,7 +1878,7 @@ * * This modules adds support for the AES-NI instructions on x86-64 */ -#define MBEDTLS_AESNI_C +//#define MBEDTLS_AESNI_C /** * \def MBEDTLS_AES_C @@ -2098,12 +2126,13 @@ * * Module: library/ccm.c * - * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or + * MBEDTLS_ARIA_C * * This module enables the AES-CCM ciphersuites, if other requisites are * enabled as well. */ -//#define MBEDTLS_CCM_C +#define MBEDTLS_CCM_C /** * \def MBEDTLS_CHACHA20_C @@ -2131,7 +2160,17 @@ * Enable the generic cipher layer. * * Module: library/cipher.c - * Caller: library/ssl_tls.c + * Caller: library/ccm.c + * library/cmac.c + * library/gcm.c + * library/nist_kw.c + * library/pkcs12.c + * library/pkcs5.c + * library/psa_crypto_aead.c + * library/psa_crypto_mac.c + * library/ssl_ciphersuites.c + * library/ssl_msg.c + * library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled) * * Uncomment to enable generic cipher wrappers. */ @@ -2150,7 +2189,7 @@ * * Module: library/cmac.c * - * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C * */ #define MBEDTLS_CMAC_C @@ -2173,7 +2212,7 @@ * * This module provides the CTR_DRBG AES random number generator. */ -#define MBEDTLS_CTR_DRBG_C +//#define MBEDTLS_CTR_DRBG_C /** * \def MBEDTLS_DEBUG_C @@ -2181,13 +2220,14 @@ * Enable the debug functions. * * Module: library/debug.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c + * Caller: library/ssl_msg.c * library/ssl_tls.c + * library/ssl_tls12_*.c + * library/ssl_tls13_*.c * * This module provides debugging functions. */ -#define MBEDTLS_DEBUG_C +//#define MBEDTLS_DEBUG_C /** * \def MBEDTLS_DES_C @@ -2211,8 +2251,9 @@ * Enable the Diffie-Hellman-Merkle module. * * Module: library/dhm.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c + * Caller: library/ssl_tls.c + * library/ssl*_client.c + * library/ssl*_server.c * * This module is used by the following key exchanges: * DHE-RSA, DHE-PSK @@ -2224,7 +2265,7 @@ * See dhm.h for more details. * */ -#define MBEDTLS_DHM_C +//#define MBEDTLS_DHM_C /** * \def MBEDTLS_ECDH_C @@ -2232,8 +2273,10 @@ * Enable the elliptic curve Diffie-Hellman library. * * Module: library/ecdh.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c + * Caller: library/psa_crypto.c + * library/ssl_tls.c + * library/ssl*_client.c + * library/ssl*_server.c * * This module is used by the following key exchanges: * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK @@ -2276,7 +2319,7 @@ * * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C */ -#define MBEDTLS_ECJPAKE_C +//#define MBEDTLS_ECJPAKE_C /** * \def MBEDTLS_ECP_C @@ -2304,7 +2347,7 @@ * * This module provides a generic entropy pool */ -#define MBEDTLS_ENTROPY_C +//#define MBEDTLS_ENTROPY_C /** * \def MBEDTLS_ERROR_C @@ -2316,7 +2359,7 @@ * * This module enables mbedtls_strerror(). */ -#define MBEDTLS_ERROR_C +//#define MBEDTLS_ERROR_C /** * \def MBEDTLS_GCM_C @@ -2325,12 +2368,13 @@ * * Module: library/gcm.c * - * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or + * MBEDTLS_ARIA_C * * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other * requisites are enabled as well. */ -//#define MBEDTLS_GCM_C +#define MBEDTLS_GCM_C /** * \def MBEDTLS_HKDF_C @@ -2357,7 +2401,7 @@ * * Requires: MBEDTLS_MD_C * - * Uncomment to enable the HMAC_DRBG random number geerator. + * Uncomment to enable the HMAC_DRBG random number generator. */ //#define MBEDTLS_HMAC_DRBG_C @@ -2380,7 +2424,24 @@ * Enable the generic message digest layer. * * Module: library/md.c - * Caller: + * Caller: library/constant_time.c + * library/ecdsa.c + * library/ecjpake.c + * library/hkdf.c + * library/hmac_drbg.c + * library/pk.c + * library/pkcs5.c + * library/pkcs12.c + * library/psa_crypto_ecp.c + * library/psa_crypto_rsa.c + * library/rsa.c + * library/ssl_cookie.c + * library/ssl_msg.c + * library/ssl_tls.c + * library/x509.c + * library/x509_crt.c + * library/x509write_crt.c + * library/x509write_csr.c * * Uncomment to enable generic message digest wrappers. */ @@ -2440,7 +2501,7 @@ * * This module provides networking routines. */ -#define MBEDTLS_NET_C +//#define MBEDTLS_NET_C /** * \def MBEDTLS_OID_C @@ -2516,14 +2577,16 @@ /** * \def MBEDTLS_PK_C * - * Enable the generic public (asymetric) key layer. + * Enable the generic public (asymmetric) key layer. * * Module: library/pk.c - * Caller: library/ssl_tls.c - * library/ssl_cli.c - * library/ssl_srv.c + * Caller: library/psa_crypto_rsa.c + * library/ssl_tls.c + * library/ssl*_client.c + * library/ssl*_server.c + * library/x509.c * - * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C + * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C * * Uncomment to enable generic public key wrappers. */ @@ -2532,7 +2595,7 @@ /** * \def MBEDTLS_PK_PARSE_C * - * Enable the generic public (asymetric) key parser. + * Enable the generic public (asymmetric) key parser. * * Module: library/pkparse.c * Caller: library/x509_crt.c @@ -2547,7 +2610,7 @@ /** * \def MBEDTLS_PK_WRITE_C * - * Enable the generic public (asymetric) key writer. + * Enable the generic public (asymmetric) key writer. * * Module: library/pkwrite.c * Caller: library/x509write.c @@ -2565,7 +2628,7 @@ * * Module: library/pkcs5.c * - * Requires: MBEDTLS_MD_C + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C * * This module adds support for the PKCS#5 functions. */ @@ -2623,21 +2686,22 @@ * * Module: library/psa_crypto.c * - * Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, + * Requires: MBEDTLS_CIPHER_C, + * either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, * or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C, * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. * */ -#define MBEDTLS_PSA_CRYPTO_C +//#define MBEDTLS_PSA_CRYPTO_C /** * \def MBEDTLS_PSA_CRYPTO_SE_C * - * Enable secure element support in the Platform Security Architecture + * Enable dynamic secure element support in the Platform Security Architecture * cryptography API. * - * \warning This feature is not yet suitable for production. It is provided - * for API evaluation and testing purposes only. + * \deprecated This feature is deprecated. Please switch to the driver + * interface enabled by #MBEDTLS_PSA_CRYPTO_DRIVERS. * * Module: library/psa_crypto_se.c * @@ -2680,7 +2744,7 @@ * Caller: library/md.c * */ -#define MBEDTLS_RIPEMD160_C +//#define MBEDTLS_RIPEMD160_C /** * \def MBEDTLS_RSA_C @@ -2689,10 +2753,11 @@ * * Module: library/rsa.c * library/rsa_alt_helpers.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c + * Caller: library/pk.c + * library/psa_crypto.c * library/ssl_tls.c - * library/x509.c + * library/ssl*_client.c + * library/ssl*_server.c * * This module is used by the following key exchanges: * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK @@ -2708,10 +2773,7 @@ * * Module: library/sha1.c * Caller: library/md.c - * library/ssl_cli.c - * library/ssl_srv.c - * library/ssl_tls.c - * library/x509write_crt.c + * library/psa_crypto_hash.c * * This module is required for TLS 1.2 depending on the handshake parameters, * and for SHA1-signed certificates. @@ -2750,15 +2812,65 @@ * Module: library/sha256.c * Caller: library/entropy.c * library/md.c - * library/ssl_cli.c - * library/ssl_srv.c * library/ssl_tls.c + * library/ssl*_client.c + * library/ssl*_server.c * * This module adds support for SHA-256. * This module is required for the SSL/TLS 1.2 PRF function. */ #define MBEDTLS_SHA256_C +/** + * \def MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + * + * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms + * with the ARMv8 cryptographic extensions if they are available at runtime. + * If not, the library will fall back to the C implementation. + * + * \note If MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT is defined when building + * for a non-Aarch64 build it will be silently ignored. + * + * \note The code uses Neon intrinsics, so \c CFLAGS must be set to a minimum + * of \c -march=armv8-a+crypto. + * + * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the + * same time as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY. + * + * Requires: MBEDTLS_SHA256_C. + * + * Module: library/sha256.c + * + * Uncomment to have the library check for the A64 SHA-256 crypto extensions + * and use them if available. + */ +//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + +/** + * \def MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + * + * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms + * with the ARMv8 cryptographic extensions, which must be available at runtime + * or else an illegal instruction fault will occur. + * + * \note This allows builds with a smaller code size than with + * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + * + * \note The code uses Neon intrinsics, so \c CFLAGS must be set to a minimum + * of \c -march=armv8-a+crypto. + * + * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY cannot be defined at the same + * time as MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT. + * + * Requires: MBEDTLS_SHA256_C. + * + * Module: library/sha256.c + * + * Uncomment to have the library use the A64 SHA-256 crypto extensions + * unconditionally. + */ +//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + /** * \def MBEDTLS_SHA384_C * @@ -2768,8 +2880,10 @@ * * Module: library/sha512.c * Caller: library/md.c - * library/ssl_cli.c - * library/ssl_srv.c + * library/psa_crypto_hash.c + * library/ssl_tls.c + * library/ssl*_client.c + * library/ssl*_server.c * * Comment to disable SHA-384 */ @@ -2790,6 +2904,60 @@ */ #define MBEDTLS_SHA512_C +/** + * \def MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + * + * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms + * with the ARMv8 cryptographic extensions if they are available at runtime. + * If not, the library will fall back to the C implementation. + * + * \note If MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT is defined when building + * for a non-Aarch64 build it will be silently ignored. + * + * \note The code uses the SHA-512 Neon intrinsics, so requires GCC >= 8 or + * Clang >= 7, and \c CFLAGS must be set to a minimum of + * \c -march=armv8.2-a+sha3. An optimisation level of \c -O3 generates the + * fastest code. + * + * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the + * same time as MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY. + * + * Requires: MBEDTLS_SHA512_C. + * + * Module: library/sha512.c + * + * Uncomment to have the library check for the A64 SHA-512 crypto extensions + * and use them if available. + */ +//#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + +/** + * \def MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY + * + * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms + * with the ARMv8 cryptographic extensions, which must be available at runtime + * or else an illegal instruction fault will occur. + * + * \note This allows builds with a smaller code size than with + * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + * + * \note The code uses the SHA-512 Neon intrinsics, so requires GCC >= 8 or + * Clang >= 7, and \c CFLAGS must be set to a minimum of + * \c -march=armv8.2-a+sha3. An optimisation level of \c -O3 generates the + * fastest code. + * + * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY cannot be defined at the same + * time as MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT. + * + * Requires: MBEDTLS_SHA512_C. + * + * Module: library/sha512.c + * + * Uncomment to have the library use the A64 SHA-512 crypto extensions + * unconditionally. + */ +//#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY + /** * \def MBEDTLS_SSL_CACHE_C * @@ -2800,7 +2968,7 @@ * * Requires: MBEDTLS_SSL_CACHE_C */ -#define MBEDTLS_SSL_CACHE_C +//#define MBEDTLS_SSL_CACHE_C /** * \def MBEDTLS_SSL_COOKIE_C @@ -2810,7 +2978,7 @@ * Module: library/ssl_cookie.c * Caller: */ -#define MBEDTLS_SSL_COOKIE_C +//#define MBEDTLS_SSL_COOKIE_C /** * \def MBEDTLS_SSL_TICKET_C @@ -2820,37 +2988,37 @@ * Module: library/ssl_ticket.c * Caller: * - * Requires: MBEDTLS_CIPHER_C + * Requires: MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO */ -#define MBEDTLS_SSL_TICKET_C +//#define MBEDTLS_SSL_TICKET_C /** * \def MBEDTLS_SSL_CLI_C * * Enable the SSL/TLS client code. * - * Module: library/ssl_cli.c + * Module: library/ssl*_client.c * Caller: * * Requires: MBEDTLS_SSL_TLS_C * * This module is required for SSL/TLS client support. */ -#define MBEDTLS_SSL_CLI_C +//#define MBEDTLS_SSL_CLI_C /** * \def MBEDTLS_SSL_SRV_C * * Enable the SSL/TLS server code. * - * Module: library/ssl_srv.c + * Module: library/ssl*_server.c * Caller: * * Requires: MBEDTLS_SSL_TLS_C * * This module is required for SSL/TLS server support. */ -#define MBEDTLS_SSL_SRV_C +//#define MBEDTLS_SSL_SRV_C /** * \def MBEDTLS_SSL_TLS_C @@ -2858,15 +3026,15 @@ * Enable the generic SSL/TLS code. * * Module: library/ssl_tls.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c + * Caller: library/ssl*_client.c + * library/ssl*_server.c * * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C * and at least one of the MBEDTLS_SSL_PROTO_XXX defines * * This module is required for SSL/TLS. */ -#define MBEDTLS_SSL_TLS_C +//#define MBEDTLS_SSL_TLS_C /** * \def MBEDTLS_THREADING_C @@ -2902,13 +3070,17 @@ * your own implementation of the whole module by setting * \c MBEDTLS_TIMING_ALT in the current file. * + * \note The timing module will include time.h on suitable platforms + * regardless of the setting of MBEDTLS_HAVE_TIME, unless + * MBEDTLS_TIMING_ALT is used. See timing.c for more information. + * * \note See also our Knowledge Base article about porting to a new * environment: * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS * * Module: library/timing.c */ -#define MBEDTLS_TIMING_C +//#define MBEDTLS_TIMING_C /** * \def MBEDTLS_VERSION_C @@ -2919,7 +3091,7 @@ * * This module provides run-time version information. */ -#define MBEDTLS_VERSION_C +//#define MBEDTLS_VERSION_C /** * \def MBEDTLS_X509_USE_C @@ -2944,9 +3116,9 @@ * Enable X.509 certificate parsing. * * Module: library/x509_crt.c - * Caller: library/ssl_cli.c - * library/ssl_srv.c - * library/ssl_tls.c + * Caller: library/ssl_tls.c + * library/ssl*_client.c + * library/ssl*_server.c * * Requires: MBEDTLS_X509_USE_C * @@ -2966,7 +3138,7 @@ * * This module is required for X.509 CRL parsing. */ -#define MBEDTLS_X509_CRL_PARSE_C +//#define MBEDTLS_X509_CRL_PARSE_C /** * \def MBEDTLS_X509_CSR_PARSE_C @@ -2980,7 +3152,7 @@ * * This module is used for reading X.509 certificate request. */ -#define MBEDTLS_X509_CSR_PARSE_C +//#define MBEDTLS_X509_CSR_PARSE_C /** * \def MBEDTLS_X509_CREATE_C @@ -3019,9 +3191,91 @@ * * This module is required for X.509 certificate request writing. */ -#define MBEDTLS_X509_CSR_WRITE_C +//#define MBEDTLS_X509_CSR_WRITE_C -/* \} name SECTION: mbed TLS modules */ +/** \} name SECTION: mbed TLS modules */ + +/** + * \name SECTION: General configuration options + * + * This section contains Mbed TLS build settings that are not associated + * with a particular module. + * + * \{ + */ + +/** + * \def MBEDTLS_CONFIG_FILE + * + * If defined, this is a header which will be included instead of + * `"mbedtls/mbedtls_config.h"`. + * This header file specifies the compile-time configuration of Mbed TLS. + * Unlike other configuration options, this one must be defined on the + * compiler command line: a definition in `mbedtls_config.h` would have + * no effect. + * + * This macro is expanded after an \#include directive. This is a popular but + * non-standard feature of the C language, so this feature is only available + * with compilers that perform macro expansion on an \#include line. + * + * The value of this symbol is typically a path in double quotes, either + * absolute or relative to a directory on the include search path. + */ +//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" + +/** + * \def MBEDTLS_USER_CONFIG_FILE + * + * If defined, this is a header which will be included after + * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE. + * This allows you to modify the default configuration, including the ability + * to undefine options that are enabled by default. + * + * This macro is expanded after an \#include directive. This is a popular but + * non-standard feature of the C language, so this feature is only available + * with compilers that perform macro expansion on an \#include line. + * + * The value of this symbol is typically a path in double quotes, either + * absolute or relative to a directory on the include search path. + */ +//#define MBEDTLS_USER_CONFIG_FILE "/dev/null" + +/** + * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE + * + * If defined, this is a header which will be included instead of + * `"psa/crypto_config.h"`. + * This header file specifies which cryptographic mechanisms are available + * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and + * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled. + * + * This macro is expanded after an \#include directive. This is a popular but + * non-standard feature of the C language, so this feature is only available + * with compilers that perform macro expansion on an \#include line. + * + * The value of this symbol is typically a path in double quotes, either + * absolute or relative to a directory on the include search path. + */ +//#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" + +/** + * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE + * + * If defined, this is a header which will be included after + * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE. + * This allows you to modify the default configuration, including the ability + * to undefine options that are enabled by default. + * + * This macro is expanded after an \#include directive. This is a popular but + * non-standard feature of the C language, so this feature is only available + * with compilers that perform macro expansion on an \#include line. + * + * The value of this symbol is typically a path in double quotes, either + * absolute or relative to a directory on the include search path. + */ +//#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" + +/** \} name SECTION: General configuration options */ /** * \name SECTION: Module configuration options @@ -3032,11 +3286,15 @@ * * Our advice is to enable options and change their values here * only if you have a good reason and know the consequences. - * - * Please check the respective header file for documentation on these - * parameters (to prevent duplicate documentation). * \{ */ +/* The Doxygen documentation here is used when a user comments out a + * setting and runs doxygen themselves. On the other hand, when we typeset + * the full documentation including disabled settings, the documentation + * in specific modules' header files is used if present. When editing this + * file, make sure that each option is documented in exactly one place, + * plus optionally a same-line Doxygen comment here if there is a Doxygen + * comment in the specific module. */ /* MPI / BIGNUM options */ //#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size used. */ @@ -3071,6 +3329,7 @@ //#define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ //#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use, can be undefined */ +//#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ //#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */ @@ -3088,6 +3347,7 @@ //#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default allocator macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit macro to use, can be undefined */ +//#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf /**< Default setbuf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */ @@ -3319,4 +3579,4 @@ */ //#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED -/* \} name SECTION: Customisation configuration options */ +/** \} name SECTION: Module configuration options */