1 /** 2 * \file mbedtls_config.h 3 * 4 * \brief Configuration options (set of defines) 5 * 6 * This set of compile-time options may be used to enable 7 * or disable features selectively, and reduce the global 8 * memory footprint. 9 */ 10 /* 11 * Copyright The Mbed TLS Contributors 12 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 13 */ 14 15 /** 16 * This is an optional version symbol that enables compatibility handling of 17 * config files. 18 * 19 * It is equal to the #MBEDTLS_VERSION_NUMBER of the Mbed TLS version that 20 * introduced the config format we want to be compatible with. 21 */ 22 //#define MBEDTLS_CONFIG_VERSION 0x03000000 23 24 /** 25 * \name SECTION: Platform abstraction layer 26 * 27 * This section sets platform specific settings. 28 * \{ 29 */ 30 31 /** 32 * \def MBEDTLS_NET_C 33 * 34 * Enable the TCP and UDP over IPv6/IPv4 networking routines. 35 * 36 * \note This module only works on POSIX/Unix (including Linux, BSD and OS X) 37 * and Windows. For other platforms, you'll want to disable it, and write your 38 * own networking callbacks to be passed to \c mbedtls_ssl_set_bio(). 39 * 40 * \note See also our Knowledge Base article about porting to a new 41 * environment: 42 * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 43 * 44 * Module: library/net_sockets.c 45 * 46 * This module provides networking routines. 47 */ 48 #define MBEDTLS_NET_C 49 50 /** 51 * \def MBEDTLS_TIMING_ALT 52 * 53 * Uncomment to provide your own alternate implementation for 54 * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay() 55 * 56 * Only works if you have MBEDTLS_TIMING_C enabled. 57 * 58 * You will need to provide a header "timing_alt.h" and an implementation at 59 * compile time. 60 */ 61 //#define MBEDTLS_TIMING_ALT 62 63 /** 64 * \def MBEDTLS_TIMING_C 65 * 66 * Enable the semi-portable timing interface. 67 * 68 * \note The provided implementation only works on POSIX/Unix (including Linux, 69 * BSD and OS X) and Windows. On other platforms, you can either disable that 70 * module and provide your own implementations of the callbacks needed by 71 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide 72 * your own implementation of the whole module by setting 73 * \c MBEDTLS_TIMING_ALT in the current file. 74 * 75 * \note The timing module will include time.h on suitable platforms 76 * regardless of the setting of MBEDTLS_HAVE_TIME, unless 77 * MBEDTLS_TIMING_ALT is used. See timing.c for more information. 78 * 79 * \note See also our Knowledge Base article about porting to a new 80 * environment: 81 * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 82 * 83 * Module: library/timing.c 84 */ 85 #define MBEDTLS_TIMING_C 86 87 /** \} name SECTION: Platform abstraction layer */ 88 89 /** 90 * \name SECTION: General configuration options 91 * 92 * This section contains Mbed TLS build settings that are not associated 93 * with a particular module. 94 * \{ 95 */ 96 97 /** 98 * \def MBEDTLS_ERROR_C 99 * 100 * Enable error code to error string conversion. 101 * 102 * Module: library/error.c 103 * Caller: 104 * 105 * This module enables mbedtls_strerror(). 106 */ 107 #define MBEDTLS_ERROR_C 108 109 /** 110 * \def MBEDTLS_ERROR_STRERROR_DUMMY 111 * 112 * Enable a dummy error function to make use of mbedtls_strerror() in 113 * third party libraries easier when MBEDTLS_ERROR_C is disabled 114 * (no effect when MBEDTLS_ERROR_C is enabled). 115 * 116 * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're 117 * not using mbedtls_strerror() or error_strerror() in your application. 118 * 119 * Disable if you run into name conflicts and want to really remove the 120 * mbedtls_strerror() 121 */ 122 #define MBEDTLS_ERROR_STRERROR_DUMMY 123 124 /** 125 * \def MBEDTLS_VERSION_C 126 * 127 * Enable run-time version information. 128 * 129 * Module: library/version.c 130 * 131 * This module provides run-time version information. 132 */ 133 #define MBEDTLS_VERSION_C 134 135 /** 136 * \def MBEDTLS_VERSION_FEATURES 137 * 138 * Allow run-time checking of compile-time enabled features. Thus allowing users 139 * to check at run-time if the library is for instance compiled with threading 140 * support via mbedtls_version_check_feature(). 141 * 142 * Requires: MBEDTLS_VERSION_C 143 * 144 * Comment this to disable run-time checking and save ROM space 145 */ 146 #define MBEDTLS_VERSION_FEATURES 147 148 /** 149 * \def MBEDTLS_CONFIG_FILE 150 * 151 * If defined, this is a header which will be included instead of 152 * `"mbedtls/mbedtls_config.h"`. 153 * This header file specifies the compile-time configuration of Mbed TLS. 154 * Unlike other configuration options, this one must be defined on the 155 * compiler command line: a definition in `mbedtls_config.h` would have 156 * no effect. 157 * 158 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 159 * non-standard feature of the C language, so this feature is only available 160 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 161 * 162 * The value of this symbol is typically a path in double quotes, either 163 * absolute or relative to a directory on the include search path. 164 */ 165 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" 166 167 /** 168 * \def MBEDTLS_USER_CONFIG_FILE 169 * 170 * If defined, this is a header which will be included after 171 * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE. 172 * This allows you to modify the default configuration, including the ability 173 * to undefine options that are enabled by default. 174 * 175 * This macro is expanded after an <tt>\#include</tt> directive. This is a popular but 176 * non-standard feature of the C language, so this feature is only available 177 * with compilers that perform macro expansion on an <tt>\#include</tt> line. 178 * 179 * The value of this symbol is typically a path in double quotes, either 180 * absolute or relative to a directory on the include search path. 181 */ 182 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" 183 184 /** \} name SECTION: General configuration options */ 185 186 /** 187 * \name SECTION: TLS feature selection 188 * 189 * This section sets support for features that are or are not needed 190 * within the modules that are enabled. 191 * \{ 192 */ 193 194 /** 195 * \def MBEDTLS_DEBUG_C 196 * 197 * Enable the debug functions. 198 * 199 * Module: library/debug.c 200 * Caller: library/ssl_msg.c 201 * library/ssl_tls.c 202 * library/ssl_tls12_*.c 203 * library/ssl_tls13_*.c 204 * 205 * This module provides debugging functions. 206 */ 207 #define MBEDTLS_DEBUG_C 208 209 /** 210 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 211 * 212 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. 213 * 214 * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH 215 * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA 216 * MBEDTLS_X509_CRT_PARSE_C 217 * 218 * This enables the following ciphersuites (if other requisites are 219 * enabled as well): 220 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 221 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 222 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 223 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 224 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 225 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 226 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 227 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 228 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 229 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 230 */ 231 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 232 233 /** 234 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 235 * 236 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. 237 * 238 * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH 239 * 240 * This enables the following ciphersuites (if other requisites are 241 * enabled as well): 242 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 243 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 244 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 245 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 246 * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 247 * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 248 */ 249 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED 250 251 /** 252 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 253 * 254 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. 255 * 256 * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH 257 * MBEDTLS_RSA_C 258 * PSA_WANT_ALG_RSA_PKCS1V15_SIGN 259 * MBEDTLS_X509_CRT_PARSE_C 260 * 261 * This enables the following ciphersuites (if other requisites are 262 * enabled as well): 263 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 264 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 265 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 266 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 267 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 268 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 269 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 270 * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 271 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 272 * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 273 */ 274 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 275 276 /** 277 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 278 * 279 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. 280 * 281 * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH 282 * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA 283 * MBEDTLS_X509_CRT_PARSE_C 284 * 285 * This enables the following ciphersuites (if other requisites are 286 * enabled as well): 287 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 288 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 289 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 290 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 291 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 292 * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 293 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 294 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 295 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 296 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 297 */ 298 #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 299 300 /** 301 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 302 * 303 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. 304 * 305 * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH 306 * MBEDTLS_RSA_C 307 * MBEDTLS_X509_CRT_PARSE_C 308 * 309 * This enables the following ciphersuites (if other requisites are 310 * enabled as well): 311 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 312 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 313 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 314 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 315 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 316 * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 317 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 318 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 319 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 320 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 321 */ 322 #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED 323 324 /** 325 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 326 * 327 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. 328 * 329 * \warning This is currently experimental. EC J-PAKE support is based on the 330 * Thread v1.0.0 specification; incompatible changes to the specification 331 * might still happen. For this reason, this is disabled by default. 332 * 333 * Requires: MBEDTLS_ECJPAKE_C or PSA_WANT_ALG_JPAKE 334 * PSA_WANT_ALG_SHA_256 335 * MBEDTLS_ECP_DP_SECP256R1_ENABLED 336 * 337 * This enables the following ciphersuites (if other requisites are 338 * enabled as well): 339 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 340 */ 341 //#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED 342 343 /** 344 * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 345 * 346 * Enable the PSK based ciphersuite modes in SSL / TLS. 347 * 348 * This enables the following ciphersuites (if other requisites are 349 * enabled as well): 350 * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 351 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 352 * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 353 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 354 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 355 * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 356 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 357 * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 358 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 359 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 360 */ 361 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 362 363 /** 364 * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES 365 * 366 * Enable sending of alert messages in case of encountered errors as per RFC. 367 * If you choose not to send the alert messages, Mbed TLS can still communicate 368 * with other servers, only debugging of failures is harder. 369 * 370 * The advantage of not sending alert messages, is that no information is given 371 * about reasons for failures thus preventing adversaries of gaining intel. 372 * 373 * Enable sending of all alert messages 374 */ 375 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES 376 377 /** 378 * \def MBEDTLS_SSL_ALPN 379 * 380 * Enable support for RFC 7301 Application Layer Protocol Negotiation. 381 * 382 * Comment this macro to disable support for ALPN. 383 */ 384 #define MBEDTLS_SSL_ALPN 385 386 /** 387 * \def MBEDTLS_SSL_ASYNC_PRIVATE 388 * 389 * Enable asynchronous external private key operations in SSL. This allows 390 * you to configure an SSL connection to call an external cryptographic 391 * module to perform private key operations instead of performing the 392 * operation inside the library. 393 * 394 * Requires: MBEDTLS_X509_CRT_PARSE_C 395 */ 396 //#define MBEDTLS_SSL_ASYNC_PRIVATE 397 398 /** 399 * \def MBEDTLS_SSL_CACHE_C 400 * 401 * Enable simple SSL cache implementation. 402 * 403 * Module: library/ssl_cache.c 404 * Caller: 405 * 406 * Requires: MBEDTLS_SSL_CACHE_C 407 */ 408 #define MBEDTLS_SSL_CACHE_C 409 410 /** 411 * \def MBEDTLS_SSL_CLI_C 412 * 413 * Enable the SSL/TLS client code. 414 * 415 * Module: library/ssl*_client.c 416 * Caller: 417 * 418 * Requires: MBEDTLS_SSL_TLS_C 419 * 420 * \warning You must call psa_crypto_init() before doing any TLS operations. 421 * 422 * This module is required for SSL/TLS client support. 423 */ 424 #define MBEDTLS_SSL_CLI_C 425 426 /** 427 * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION 428 * 429 * Enable serialization of the TLS context structures, through use of the 430 * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load(). 431 * 432 * This pair of functions allows one side of a connection to serialize the 433 * context associated with the connection, then free or re-use that context 434 * while the serialized state is persisted elsewhere, and finally deserialize 435 * that state to a live context for resuming read/write operations on the 436 * connection. From a protocol perspective, the state of the connection is 437 * unaffected, in particular this is entirely transparent to the peer. 438 * 439 * Note: this is distinct from TLS session resumption, which is part of the 440 * protocol and fully visible by the peer. TLS session resumption enables 441 * establishing new connections associated to a saved session with shorter, 442 * lighter handshakes, while context serialization is a local optimization in 443 * handling a single, potentially long-lived connection. 444 * 445 * Enabling these APIs makes some SSL structures larger, as 64 extra bytes are 446 * saved after the handshake to allow for more efficient serialization, so if 447 * you don't need this feature you'll save RAM by disabling it. 448 * 449 * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305 450 * 451 * Comment to disable the context serialization APIs. 452 */ 453 #define MBEDTLS_SSL_CONTEXT_SERIALIZATION 454 455 /** 456 * \def MBEDTLS_SSL_COOKIE_C 457 * 458 * Enable basic implementation of DTLS cookies for hello verification. 459 * 460 * Module: library/ssl_cookie.c 461 * Caller: 462 */ 463 #define MBEDTLS_SSL_COOKIE_C 464 465 /** 466 * \def MBEDTLS_SSL_DEBUG_ALL 467 * 468 * Enable the debug messages in SSL module for all issues. 469 * Debug messages have been disabled in some places to prevent timing 470 * attacks due to (unbalanced) debugging function calls. 471 * 472 * If you need all error reporting you should enable this during debugging, 473 * but remove this for production servers that should log as well. 474 * 475 * Uncomment this macro to report all debug messages on errors introducing 476 * a timing side-channel. 477 * 478 */ 479 //#define MBEDTLS_SSL_DEBUG_ALL 480 481 /** 482 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY 483 * 484 * Enable support for the anti-replay mechanism in DTLS. 485 * 486 * Requires: MBEDTLS_SSL_TLS_C 487 * MBEDTLS_SSL_PROTO_DTLS 488 * 489 * \warning Disabling this is often a security risk! 490 * See mbedtls_ssl_conf_dtls_anti_replay() for details. 491 * 492 * Comment this to disable anti-replay in DTLS. 493 */ 494 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY 495 496 /** 497 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 498 * 499 * Enable server-side support for clients that reconnect from the same port. 500 * 501 * Some clients unexpectedly close the connection and try to reconnect using the 502 * same source port. This needs special support from the server to handle the 503 * new connection securely, as described in section 4.2.8 of RFC 6347. This 504 * flag enables that support. 505 * 506 * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY 507 * 508 * Comment this to disable support for clients reusing the source port. 509 */ 510 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 511 512 /** 513 * \def MBEDTLS_SSL_DTLS_CONNECTION_ID 514 * 515 * Enable support for the DTLS Connection ID (CID) extension, 516 * which allows to identify DTLS connections across changes 517 * in the underlying transport. The CID functionality is described 518 * in RFC 9146. 519 * 520 * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, 521 * mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and 522 * `mbedtls_ssl_conf_cid()`. See the corresponding documentation for 523 * more information. 524 * 525 * The maximum lengths of outgoing and incoming CIDs can be configured 526 * through the options 527 * - MBEDTLS_SSL_CID_OUT_LEN_MAX 528 * - MBEDTLS_SSL_CID_IN_LEN_MAX. 529 * 530 * Requires: MBEDTLS_SSL_PROTO_DTLS 531 * 532 * Uncomment to enable the Connection ID extension. 533 */ 534 #define MBEDTLS_SSL_DTLS_CONNECTION_ID 535 536 /** 537 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY 538 * 539 * Enable support for HelloVerifyRequest on DTLS servers. 540 * 541 * This feature is highly recommended to prevent DTLS servers being used as 542 * amplifiers in DoS attacks against other hosts. It should always be enabled 543 * unless you know for sure amplification cannot be a problem in the 544 * environment in which your server operates. 545 * 546 * \warning Disabling this can be a security risk! (see above) 547 * 548 * Requires: MBEDTLS_SSL_PROTO_DTLS 549 * 550 * Comment this to disable support for HelloVerifyRequest. 551 */ 552 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY 553 554 /** 555 * \def MBEDTLS_SSL_DTLS_SRTP 556 * 557 * Enable support for negotiation of DTLS-SRTP (RFC 5764) 558 * through the use_srtp extension. 559 * 560 * \note This feature provides the minimum functionality required 561 * to negotiate the use of DTLS-SRTP and to allow the derivation of 562 * the associated SRTP packet protection key material. 563 * In particular, the SRTP packet protection itself, as well as the 564 * demultiplexing of RTP and DTLS packets at the datagram layer 565 * (see Section 5 of RFC 5764), are not handled by this feature. 566 * Instead, after successful completion of a handshake negotiating 567 * the use of DTLS-SRTP, the extended key exporter API 568 * mbedtls_ssl_conf_export_keys_cb() should be used to implement 569 * the key exporter described in Section 4.2 of RFC 5764 and RFC 5705 570 * (this is implemented in the SSL example programs). 571 * The resulting key should then be passed to an SRTP stack. 572 * 573 * Setting this option enables the runtime API 574 * mbedtls_ssl_conf_dtls_srtp_protection_profiles() 575 * through which the supported DTLS-SRTP protection 576 * profiles can be configured. You must call this API at 577 * runtime if you wish to negotiate the use of DTLS-SRTP. 578 * 579 * Requires: MBEDTLS_SSL_PROTO_DTLS 580 * 581 * Uncomment this to enable support for use_srtp extension. 582 */ 583 //#define MBEDTLS_SSL_DTLS_SRTP 584 585 /** 586 * \def MBEDTLS_SSL_EARLY_DATA 587 * 588 * Enable support for RFC 8446 TLS 1.3 early data. 589 * 590 * Requires: MBEDTLS_SSL_SESSION_TICKETS and either 591 * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or 592 * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 593 * 594 * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3 595 * is not enabled, this option does not have any effect on the build. 596 * 597 * \note The maximum amount of early data can be set with 598 * MBEDTLS_SSL_MAX_EARLY_DATA_SIZE. 599 * 600 */ 601 //#define MBEDTLS_SSL_EARLY_DATA 602 603 /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC 604 * 605 * Enable support for Encrypt-then-MAC, RFC 7366. 606 * 607 * This allows peers that both support it to use a more robust protection for 608 * ciphersuites using CBC, providing deep resistance against timing attacks 609 * on the padding or underlying cipher. 610 * 611 * This only affects CBC ciphersuites, and is useless if none is defined. 612 * 613 * Requires: MBEDTLS_SSL_PROTO_TLS1_2 614 * 615 * Comment this macro to disable support for Encrypt-then-MAC 616 */ 617 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC 618 619 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET 620 * 621 * Enable support for RFC 7627: Session Hash and Extended Master Secret 622 * Extension. 623 * 624 * This was introduced as "the proper fix" to the Triple Handshake family of 625 * attacks, but it is recommended to always use it (even if you disable 626 * renegotiation), since it actually fixes a more fundamental issue in the 627 * original SSL/TLS design, and has implications beyond Triple Handshake. 628 * 629 * Requires: MBEDTLS_SSL_PROTO_TLS1_2 630 * 631 * Comment this macro to disable support for Extended Master Secret. 632 */ 633 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET 634 635 /** 636 * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 637 * 638 * This option controls the availability of the API mbedtls_ssl_get_peer_cert() 639 * giving access to the peer's certificate after completion of the handshake. 640 * 641 * Unless you need mbedtls_ssl_peer_cert() in your application, it is 642 * recommended to disable this option for reduced RAM usage. 643 * 644 * \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still 645 * defined, but always returns \c NULL. 646 * 647 * \note This option has no influence on the protection against the 648 * triple handshake attack. Even if it is disabled, Mbed TLS will 649 * still ensure that certificates do not change during renegotiation, 650 * for example by keeping a hash of the peer's certificate. 651 * 652 * \note This option is required if MBEDTLS_SSL_PROTO_TLS1_3 is set. 653 * 654 * Comment this macro to disable storing the peer's certificate 655 * after the handshake. 656 */ 657 #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 658 659 /** 660 * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 661 * 662 * Enable support for RFC 6066 max_fragment_length extension in SSL. 663 * 664 * Comment this macro to disable support for the max_fragment_length extension 665 */ 666 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 667 668 /** 669 * \def MBEDTLS_SSL_PROTO_DTLS 670 * 671 * Enable support for DTLS (all available versions). 672 * 673 * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. 674 * 675 * Requires: MBEDTLS_SSL_PROTO_TLS1_2 676 * 677 * Comment this macro to disable support for DTLS 678 */ 679 #define MBEDTLS_SSL_PROTO_DTLS 680 681 /** 682 * \def MBEDTLS_SSL_PROTO_TLS1_2 683 * 684 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). 685 * 686 * Requires: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384 687 * 688 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 689 */ 690 #define MBEDTLS_SSL_PROTO_TLS1_2 691 692 /** 693 * \def MBEDTLS_SSL_PROTO_TLS1_3 694 * 695 * Enable support for TLS 1.3. 696 * 697 * \note See docs/architecture/tls13-support.md for a description of the TLS 698 * 1.3 support that this option enables. 699 * 700 * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 701 * Requires: MBEDTLS_PSA_CRYPTO_C 702 * 703 * Uncomment this macro to enable the support for TLS 1.3. 704 */ 705 #define MBEDTLS_SSL_PROTO_TLS1_3 706 707 /** 708 * \def MBEDTLS_SSL_RECORD_SIZE_LIMIT 709 * 710 * Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only). 711 * 712 * Requires: MBEDTLS_SSL_PROTO_TLS1_3 713 * 714 * Uncomment this macro to enable support for the record_size_limit extension 715 */ 716 //#define MBEDTLS_SSL_RECORD_SIZE_LIMIT 717 718 /** 719 * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT 720 * 721 * When this option is enabled, the client and server can extract additional 722 * shared symmetric keys after an SSL handshake using the function 723 * mbedtls_ssl_export_keying_material(). 724 * 725 * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and 726 * in RFC 8446, Section 7.5, for TLS 1.3. 727 * 728 * Comment this macro to disable mbedtls_ssl_export_keying_material(). 729 */ 730 #define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT 731 732 /** 733 * \def MBEDTLS_SSL_RENEGOTIATION 734 * 735 * Enable support for TLS renegotiation. 736 * 737 * The two main uses of renegotiation are (1) refresh keys on long-lived 738 * connections and (2) client authentication after the initial handshake. 739 * If you don't need renegotiation, it's probably better to disable it, since 740 * it has been associated with security issues in the past and is easy to 741 * misuse/misunderstand. 742 * 743 * Requires: MBEDTLS_SSL_PROTO_TLS1_2 744 * 745 * Comment this to disable support for renegotiation. 746 * 747 * \note Even if this option is disabled, both client and server are aware 748 * of the Renegotiation Indication Extension (RFC 5746) used to 749 * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1). 750 * (See \c mbedtls_ssl_conf_legacy_renegotiation for the 751 * configuration of this extension). 752 * 753 */ 754 #define MBEDTLS_SSL_RENEGOTIATION 755 756 /** 757 * \def MBEDTLS_SSL_SERVER_NAME_INDICATION 758 * 759 * Enable support for RFC 6066 server name indication (SNI) in SSL. 760 * 761 * Requires: MBEDTLS_X509_CRT_PARSE_C 762 * 763 * Comment this macro to disable support for server name indication in SSL 764 */ 765 #define MBEDTLS_SSL_SERVER_NAME_INDICATION 766 767 /** 768 * \def MBEDTLS_SSL_SESSION_TICKETS 769 * 770 * Enable support for RFC 5077 session tickets in SSL. 771 * Client-side, provides full support for session tickets (maintenance of a 772 * session store remains the responsibility of the application, though). 773 * Server-side, you also need to provide callbacks for writing and parsing 774 * tickets, including authenticated encryption and key management. Example 775 * callbacks are provided by MBEDTLS_SSL_TICKET_C. 776 * 777 * Comment this macro to disable support for SSL session tickets 778 */ 779 #define MBEDTLS_SSL_SESSION_TICKETS 780 781 /** 782 * \def MBEDTLS_SSL_SRV_C 783 * 784 * Enable the SSL/TLS server code. 785 * 786 * Module: library/ssl*_server.c 787 * Caller: 788 * 789 * Requires: MBEDTLS_SSL_TLS_C 790 * 791 * \warning You must call psa_crypto_init() before doing any TLS operations. 792 * 793 * This module is required for SSL/TLS server support. 794 */ 795 #define MBEDTLS_SSL_SRV_C 796 797 /** 798 * \def MBEDTLS_SSL_TICKET_C 799 * 800 * Enable an implementation of TLS server-side callbacks for session tickets. 801 * 802 * Module: library/ssl_ticket.c 803 * Caller: 804 * 805 * Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305 806 */ 807 #define MBEDTLS_SSL_TICKET_C 808 809 /** 810 * \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 811 * 812 * Enable TLS 1.3 middlebox compatibility mode. 813 * 814 * As specified in Section D.4 of RFC 8446, TLS 1.3 offers a compatibility 815 * mode to make a TLS 1.3 connection more likely to pass through middle boxes 816 * expecting TLS 1.2 traffic. 817 * 818 * Turning on the compatibility mode comes at the cost of a few added bytes 819 * on the wire, but it doesn't affect compatibility with TLS 1.3 implementations 820 * that don't use it. Therefore, unless transmission bandwidth is critical and 821 * you know that middlebox compatibility issues won't occur, it is therefore 822 * recommended to set this option. 823 * 824 * Comment to disable compatibility mode for TLS 1.3. If 825 * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any 826 * effect on the build. 827 * 828 */ 829 #define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 830 831 /** 832 * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 833 * 834 * Enable TLS 1.3 ephemeral key exchange mode. 835 * 836 * Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH 837 * MBEDTLS_X509_CRT_PARSE_C 838 * and at least one of: 839 * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA 840 * PSA_WANT_ALG_RSA_PSS 841 * 842 * Comment to disable support for the ephemeral key exchange mode in TLS 1.3. 843 * If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any 844 * effect on the build. 845 * 846 */ 847 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED 848 849 /** 850 * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 851 * 852 * Enable TLS 1.3 PSK key exchange mode. 853 * 854 * Comment to disable support for the PSK key exchange mode in TLS 1.3. If 855 * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any 856 * effect on the build. 857 * 858 */ 859 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED 860 861 /** 862 * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 863 * 864 * Enable TLS 1.3 PSK ephemeral key exchange mode. 865 * 866 * Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH 867 * 868 * Comment to disable support for the PSK ephemeral key exchange mode in 869 * TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not 870 * have any effect on the build. 871 * 872 */ 873 #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED 874 875 /** 876 * \def MBEDTLS_SSL_TLS_C 877 * 878 * Enable the generic SSL/TLS code. 879 * 880 * Module: library/ssl_tls.c 881 * Caller: library/ssl*_client.c 882 * library/ssl*_server.c 883 * 884 * Requires: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384 885 * and at least one of the MBEDTLS_SSL_PROTO_XXX defines 886 * 887 * This module is required for SSL/TLS. 888 */ 889 #define MBEDTLS_SSL_TLS_C 890 891 /** 892 * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 893 * 894 * When this option is enabled, the SSL buffer will be resized automatically 895 * based on the negotiated maximum fragment length in each direction. 896 * 897 * Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 898 */ 899 //#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH 900 901 //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 or 384 bits) */ 902 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */ 903 //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */ 904 905 /** \def MBEDTLS_SSL_CID_IN_LEN_MAX 906 * 907 * The maximum length of CIDs used for incoming DTLS messages. 908 * 909 */ 910 //#define MBEDTLS_SSL_CID_IN_LEN_MAX 32 911 912 /** \def MBEDTLS_SSL_CID_OUT_LEN_MAX 913 * 914 * The maximum length of CIDs used for outgoing DTLS messages. 915 * 916 */ 917 //#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 918 919 /** \def MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 920 * 921 * This option controls the use of record plaintext padding 922 * in TLS 1.3 and when using the Connection ID extension in DTLS 1.2. 923 * 924 * The padding will always be chosen so that the length of the 925 * padded plaintext is a multiple of the value of this option. 926 * 927 * Note: A value of \c 1 means that no padding will be used 928 * for outgoing records. 929 * 930 * Note: On systems lacking division instructions, 931 * a power of two should be preferred. 932 */ 933 //#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 934 935 /** 936 * Complete list of ciphersuites to use, in order of preference. 937 * 938 * \warning No dependency checking is done on that field! This option can only 939 * be used to restrict the set of available ciphersuites. It is your 940 * responsibility to make sure the needed modules are active. 941 * 942 * Use this to save a few hundred bytes of ROM (default ordering of all 943 * available ciphersuites) and a few to a few hundred bytes of RAM. 944 * 945 * The value below is only an example, not the default. 946 */ 947 //#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 948 949 //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ 950 951 /** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING 952 * 953 * Maximum number of heap-allocated bytes for the purpose of 954 * DTLS handshake message reassembly and future message buffering. 955 * 956 * This should be at least 9/8 * MBEDTLS_SSL_IN_CONTENT_LEN 957 * to account for a reassembled handshake message of maximum size, 958 * together with its reassembly bitmap. 959 * 960 * A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default) 961 * should be sufficient for all practical situations as it allows 962 * to reassembly a large handshake message (such as a certificate) 963 * while buffering multiple smaller handshake messages. 964 * 965 */ 966 //#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 967 968 /** \def MBEDTLS_SSL_IN_CONTENT_LEN 969 * 970 * Maximum length (in bytes) of incoming plaintext fragments. 971 * 972 * This determines the size of the incoming TLS I/O buffer in such a way 973 * that it is capable of holding the specified amount of plaintext data, 974 * regardless of the protection mechanism used. 975 * 976 * \note When using a value less than the default of 16KB on the client, it is 977 * recommended to use the Maximum Fragment Length (MFL) extension to 978 * inform the server about this limitation. On the server, there 979 * is no supported, standardized way of informing the client about 980 * restriction on the maximum size of incoming messages, and unless 981 * the limitation has been communicated by other means, it is recommended 982 * to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN 983 * while keeping the default value of 16KB for the incoming buffer. 984 * 985 * Uncomment to set the maximum plaintext size of the incoming I/O buffer. 986 */ 987 //#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 988 989 /** 990 * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 991 * 992 * The default maximum amount of 0-RTT data. See the documentation of 993 * \c mbedtls_ssl_conf_max_early_data_size() for more information. 994 * 995 * It must be positive and smaller than UINT32_MAX. 996 * 997 * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not 998 * have any impact on the build. 999 */ 1000 //#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 1001 1002 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN 1003 * 1004 * Maximum length (in bytes) of outgoing plaintext fragments. 1005 * 1006 * This determines the size of the outgoing TLS I/O buffer in such a way 1007 * that it is capable of holding the specified amount of plaintext data, 1008 * regardless of the protection mechanism used. 1009 * 1010 * It is possible to save RAM by setting a smaller outward buffer, while keeping 1011 * the default inward 16384 byte buffer to conform to the TLS specification. 1012 * 1013 * The minimum required outward buffer size is determined by the handshake 1014 * protocol's usage. Handshaking will fail if the outward buffer is too small. 1015 * The specific size requirement depends on the configured ciphers and any 1016 * certificate data which is sent during the handshake. 1017 * 1018 * Uncomment to set the maximum plaintext size of the outgoing I/O buffer. 1019 */ 1020 //#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 1021 1022 /** 1023 * \def MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1024 * 1025 * Default number of NewSessionTicket messages to be sent by a TLS 1.3 server 1026 * after handshake completion. This is not used in TLS 1.2 and relevant only if 1027 * the MBEDTLS_SSL_SESSION_TICKETS option is enabled. 1028 * 1029 */ 1030 //#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 1031 1032 /** 1033 * \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 1034 * 1035 * Maximum allowed ticket age difference in milliseconds tolerated between 1036 * server and client. Default value is 6000. This is not used in TLS 1.2. 1037 * 1038 * - The client ticket age is the time difference between the time when the 1039 * client proposes to the server to use the ticket and the time the client 1040 * received the ticket from the server. 1041 * - The server ticket age is the time difference between the time when the 1042 * server receives a proposition from the client to use the ticket and the 1043 * time when the ticket was created by the server. 1044 * 1045 * The ages might be different due to the client and server clocks not running 1046 * at the same pace. The typical accuracy of an RTC crystal is ±100 to ±20 parts 1047 * per million (360 to 72 milliseconds per hour). Default tolerance window is 1048 * 6s, thus in the worst case clients and servers must sync up their system time 1049 * every 6000/360/2~=8 hours. 1050 * 1051 * See section 8.3 of the TLS 1.3 specification(RFC 8446) for more information. 1052 */ 1053 //#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 1054 1055 /** 1056 * \def MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 1057 * 1058 * Size in bytes of a ticket nonce. This is not used in TLS 1.2. 1059 * 1060 * This must be less than 256. 1061 */ 1062 //#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 1063 1064 /** \} name SECTION: TLS feature selection */ 1065 1066 /** 1067 * \name SECTION: X.509 feature selection 1068 * 1069 * This section sets Certificate related options. 1070 * \{ 1071 */ 1072 1073 /** 1074 * \def MBEDTLS_PKCS7_C 1075 * 1076 * Enable PKCS #7 core for using PKCS #7-formatted signatures. 1077 * RFC Link - https://tools.ietf.org/html/rfc2315 1078 * 1079 * Module: library/pkcs7.c 1080 * 1081 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_PK_PARSE_C, 1082 * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, 1083 * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C 1084 * 1085 * This module is required for the PKCS #7 parsing modules. 1086 */ 1087 #define MBEDTLS_PKCS7_C 1088 1089 /** 1090 * \def MBEDTLS_X509_CREATE_C 1091 * 1092 * Enable X.509 core for creating certificates. 1093 * 1094 * Module: library/x509_create.c 1095 * 1096 * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_PK_PARSE_C, 1097 * 1098 * \warning You must call psa_crypto_init() before doing any X.509 operation. 1099 * 1100 * This module is the basis for creating X.509 certificates and CSRs. 1101 */ 1102 #define MBEDTLS_X509_CREATE_C 1103 1104 /** 1105 * \def MBEDTLS_X509_CRL_PARSE_C 1106 * 1107 * Enable X.509 CRL parsing. 1108 * 1109 * Module: library/x509_crl.c 1110 * Caller: library/x509_crt.c 1111 * 1112 * Requires: MBEDTLS_X509_USE_C 1113 * 1114 * This module is required for X.509 CRL parsing. 1115 */ 1116 #define MBEDTLS_X509_CRL_PARSE_C 1117 1118 /** 1119 * \def MBEDTLS_X509_CRT_PARSE_C 1120 * 1121 * Enable X.509 certificate parsing. 1122 * 1123 * Module: library/x509_crt.c 1124 * Caller: library/ssl_tls.c 1125 * library/ssl*_client.c 1126 * library/ssl*_server.c 1127 * 1128 * Requires: MBEDTLS_X509_USE_C 1129 * 1130 * This module is required for X.509 certificate parsing. 1131 */ 1132 #define MBEDTLS_X509_CRT_PARSE_C 1133 1134 /** 1135 * \def MBEDTLS_X509_CRT_WRITE_C 1136 * 1137 * Enable creating X.509 certificates. 1138 * 1139 * Module: library/x509_crt_write.c 1140 * 1141 * Requires: MBEDTLS_X509_CREATE_C 1142 * 1143 * This module is required for X.509 certificate creation. 1144 */ 1145 #define MBEDTLS_X509_CRT_WRITE_C 1146 1147 /** 1148 * \def MBEDTLS_X509_CSR_PARSE_C 1149 * 1150 * Enable X.509 Certificate Signing Request (CSR) parsing. 1151 * 1152 * Module: library/x509_csr.c 1153 * Caller: library/x509_crt_write.c 1154 * 1155 * Requires: MBEDTLS_X509_USE_C 1156 * 1157 * This module is used for reading X.509 certificate request. 1158 */ 1159 #define MBEDTLS_X509_CSR_PARSE_C 1160 1161 /** 1162 * \def MBEDTLS_X509_CSR_WRITE_C 1163 * 1164 * Enable creating X.509 Certificate Signing Requests (CSR). 1165 * 1166 * Module: library/x509_csr_write.c 1167 * 1168 * Requires: MBEDTLS_X509_CREATE_C 1169 * 1170 * This module is required for X.509 certificate request writing. 1171 */ 1172 #define MBEDTLS_X509_CSR_WRITE_C 1173 1174 /** 1175 * \def MBEDTLS_X509_REMOVE_INFO 1176 * 1177 * Disable mbedtls_x509_*_info() and related APIs. 1178 * 1179 * Uncomment to omit mbedtls_x509_*_info(), as well as mbedtls_debug_print_crt() 1180 * and other functions/constants only used by these functions, thus reducing 1181 * the code footprint by several KB. 1182 */ 1183 //#define MBEDTLS_X509_REMOVE_INFO 1184 1185 /** 1186 * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT 1187 * 1188 * Enable parsing and verification of X.509 certificates, CRLs and CSRS 1189 * signed with RSASSA-PSS (aka PKCS#1 v2.1). 1190 * 1191 * Requires: PSA_WANT_ALG_RSA_PSS 1192 * 1193 * Comment this macro to disallow using RSASSA-PSS in certificates. 1194 */ 1195 #define MBEDTLS_X509_RSASSA_PSS_SUPPORT 1196 1197 /** 1198 * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 1199 * 1200 * If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()` 1201 * and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure 1202 * the set of trusted certificates through a callback instead of a linked 1203 * list. 1204 * 1205 * This is useful for example in environments where a large number of trusted 1206 * certificates is present and storing them in a linked list isn't efficient 1207 * enough, or when the set of trusted certificates changes frequently. 1208 * 1209 * See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and 1210 * `mbedtls_ssl_conf_ca_cb()` for more information. 1211 * 1212 * Requires: MBEDTLS_X509_CRT_PARSE_C 1213 * 1214 * Uncomment to enable trusted certificate callbacks. 1215 */ 1216 //#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK 1217 1218 /** 1219 * \def MBEDTLS_X509_USE_C 1220 * 1221 * Enable X.509 core for using certificates. 1222 * 1223 * Module: library/x509.c 1224 * Caller: library/x509_crl.c 1225 * library/x509_crt.c 1226 * library/x509_csr.c 1227 * 1228 * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_PK_PARSE_C 1229 * 1230 * \warning You must call psa_crypto_init() before doing any X.509 operation. 1231 * 1232 * This module is required for the X.509 parsing modules. 1233 */ 1234 #define MBEDTLS_X509_USE_C 1235 1236 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */ 1237 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */ 1238 1239 /** \} name SECTION: X.509 feature selection */ 1240