Configuration file split
========================

## Why split the configuration file?

The objective of the repository split is to reach the point where, in Mbed TLS,
all the cryptography code and its tests are located in a `tf-psa-crypto`
directory that just contains the TF-PSA-Crypto repository as a submodule.
The cryptography APIs exposed by Mbed TLS are just the TF-PSA-Crypto ones.
Mbed TLS relies solely on the TF-PSA-Crypto build system to build its
cryptography library and its tests.

The TF-PSA-Crypto configuration file `tf_psa_crypto_config.h` entirely
configures the cryptography interface exposed by Mbed TLS through TF-PSA-Crypto.
The Mbed TLS configuration is split into two files: `mbedtls_config.h` for TLS
and x509, `tf_psa_crypto_config.h` for the cryptography.

## How do we split the configuration file?

We extend the so-called PSA cryptographic configuration scheme based on
`mbedtls_config.h` and `crypto_config.h`. The configuration file `crypto_config.h`
is extended to become the TF-PSA-Crypto configuration file, and `mbedtls_config.h`
becomes the configuration file for the TLS and x509 libraries. All the options
that select the cryptographic mechanisms and configure their implementation
are moved from `mbedtls_config.h` to `(tf_psa_)crypto_config.h`.

The configuration options that are relevant to both Mbed TLS and TF-PSA-Crypto,
such as platform or system options, are moved to `(tf_psa_)crypto_config.h`.
That way they are available in both repositories (as Mbed TLS includes
`tf_psa_crypto_config.h`) without duplication. Later, we may duplicate or
create aliases for some of them to align with the naming conventions of the
repositories.

The cryptographic configuration options in `tf_psa_crypto_config.h` are
organized into sections that differ from the ones in the pre-split
`mbedtls_config.h` (see below). This is firstly to take into account the
specifics of TF-PSA-Crypto, for example a dedicated section for the
configuration of builtin drivers. We also get rid of the grouping of
non-boolean options into a dedicated section: related boolean and non-boolean
configuration options are instead grouped together in the same section.

Finally, for consistency, the sections in `mbedtls_config.h` are reorganized
to be better aligned with the `tf_psa_crypto_config.h` ones.

## Configuration files and `config.py`

Each repository contains a `config.py` script to create and modify
configurations.

In Mbed TLS, `config.py` handles both `mbedtls_config.h` and
`tf_psa_crypto_config.h`. It can set or unset TLS, x509 and cryptographic
configuration options without having to specify the configuration file the
options belong to. Commands like `full` and `baremetal` affect both
configuration files.

In TF-PSA-Crypto, `config.py` addresses only `tf_psa_crypto_config.h`.
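The following added Python example (not the project's own `config.py`) shows the behaviour described above: an option is located in whichever of the two files defines it and is set or unset there, so the caller never names the file. The file contents are constructed excerpts and the function names (`find_option`, `set_option`, `unset_option`, `get_value`) are this example's own.

```python
import re

# Matches an active "#define NAME [value]" line or a commented-out "//#define" one.
DEFINE_RE = re.compile(r"^(?P<off>//)?#define\s+(?P<name>\w+)(?:\s+(?P<value>.*?))?\s*$")

# Constructed excerpts standing in for the two real files (sample input only).
CONFIG_FILES = {
    "mbedtls_config.h": "\n".join([
        "#define MBEDTLS_SSL_TLS_C",
        "//#define MBEDTLS_SSL_EARLY_DATA",
        "//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE        1024",
    ]),
    "tf_psa_crypto_config.h": "\n".join([
        "#define MBEDTLS_PSA_CRYPTO_C",
        "//#define MBEDTLS_PSA_STATIC_KEY_SLOTS",
        "//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32",
    ]),
}

def find_option(configs, name):
    """Return (file name, line index) of `name`, whichever file holds it."""
    for fname, text in configs.items():
        for idx, line in enumerate(text.splitlines()):
            m = DEFINE_RE.match(line)
            if m and m.group("name") == name:
                return fname, idx
    return None

def _edit(configs, name, make_line):
    """Rewrite the line defining `name` in place; return the file that held it."""
    loc = find_option(configs, name)
    if loc is None:
        raise KeyError(f"{name} is not an option in any configuration file")
    fname, idx = loc
    lines = configs[fname].splitlines()
    lines[idx] = make_line(DEFINE_RE.match(lines[idx]))
    configs[fname] = "\n".join(lines)
    return fname

def set_option(configs, name, value=None):
    """Activate `name`, keeping its current value unless a new one is given."""
    def make(m):
        v = value if value is not None else m.group("value")
        return f"#define {name}" + (f" {v}" if v else "")
    return _edit(configs, name, make)

def unset_option(configs, name):
    """Comment `name` out, keeping its value so it can be restored later."""
    return _edit(configs, name, lambda m: "//" + m.group(0).lstrip("/"))

def get_value(configs, name):
    """Return (is_set, value) for `name`, or None if no file defines it."""
    loc = find_option(configs, name)
    if loc is None:
        return None
    m = DEFINE_RE.match(configs[loc[0]].splitlines()[loc[1]])
    return m.group("off") is None, m.group("value")
```

The real `config.py` works on files on disk; here the two files are in-memory strings so the example runs offline.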

## Sections in `tf_psa_crypto_config.h`

The `tf_psa_crypto_config.h` configuration file is organized into eight
sections.

The pre-split `mbedtls_config.h` configuration file contains configuration
options that apply to the whole code base (TLS, x509, crypto and tests), mostly
related to the platform abstraction layer and testing. In
`tf_psa_crypto_config.h` these configuration options are organized into two
sections, one for the platform abstraction layer options and one for the others,
respectively named ["Platform abstraction layer"](#section-platform-abstraction-layer)
and ["General and test configuration options"](#section-general-and-test-configuration-options).

Then, the ["Cryptographic mechanism selection (PSA API)"](#section-cryptographic-mechanism-selection-PSA-API)
section is the equivalent of the pre-split `crypto_config.h` configuration file
containing the PSA_WANT_ prefixed macros.

The following section, named
["Cryptographic mechanism selection (extended API)"](#section-cryptographic-mechanism-selection-extended-API),
contains the configuration options for the cryptography mechanisms that are not
yet part of the PSA cryptography API (like LMS or PK).

It is followed by the ["Data format support"](#section-data-format-support)
section that contains configuration options of utilities related to various data
formats (like the Base64 or ASN.1 APIs). These utilities aim to facilitate the
usage of the PSA cryptography API in other cryptography projects.

Compared to Mbed TLS, the cryptography code in TF-PSA-Crypto is not located
in a single directory but split between the PSA core (the `core` directory) and
the PSA builtin drivers (the `drivers/builtin/src` directory). This is reflected
in `tf_psa_crypto_config.h` with two sections respectively named ["PSA core"](#section-psa-core)
and ["Builtin drivers"](#section-builtin-drivers).

Finally, the last section, named ["Legacy cryptography"](#section-legacy-cryptography),
contains the configuration options that will eventually be removed as duplicates
of PSA_WANT_\* and MBEDTLS_PSA_ACCEL_\* configuration options.

## Sections in `mbedtls_config.h`

The sections in `mbedtls_config.h` are reorganized to be better aligned with
the ones in `tf_psa_crypto_config.h`. The main change is the reorganization
of the "Mbed TLS modules", "Mbed TLS feature support" and
"Module configuration options" sections into the
["TLS feature selection"](#section-tls-feature-selection) and
["X.509 feature selection"](#section-x-509-feature-selection) sections. That
way all TLS/x509 options are grouped into one section and there is no
section dedicated to non-boolean configuration options anymore.


## Repartition of the configuration options

### In `tf_psa_crypto_config.h`, we have:
#### SECTION Platform abstraction layer
```
#define MBEDTLS_FS_IO
#define MBEDTLS_HAVE_TIME
#define MBEDTLS_HAVE_TIME_DATE
//#define MBEDTLS_MEMORY_BACKTRACE
//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
//#define MBEDTLS_MEMORY_DEBUG
#define MBEDTLS_PLATFORM_C
//#define MBEDTLS_PLATFORM_EXIT_ALT
//#define MBEDTLS_PLATFORM_FPRINTF_ALT
//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
//#define MBEDTLS_PLATFORM_MEMORY
//#define MBEDTLS_PLATFORM_MS_TIME_ALT
//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
//#define MBEDTLS_PLATFORM_NV_SEED_ALT
//#define MBEDTLS_PLATFORM_PRINTF_ALT
//#define MBEDTLS_PLATFORM_SETBUF_ALT
//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
//#define MBEDTLS_PLATFORM_TIME_ALT
//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
//#define MBEDTLS_THREADING_ALT
//#define MBEDTLS_THREADING_C
//#define MBEDTLS_THREADING_PTHREAD

//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE      4
//#define MBEDTLS_PLATFORM_CALLOC_MACRO        calloc
//#define MBEDTLS_PLATFORM_EXIT_MACRO            exit
//#define MBEDTLS_PLATFORM_FREE_MACRO            free
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO      fprintf
//#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO   int64_t
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO   mbedtls_platform_std_nv_seed_read
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO  mbedtls_platform_std_nv_seed_write
//#define MBEDTLS_PLATFORM_PRINTF_MACRO        printf
//#define MBEDTLS_PLATFORM_SETBUF_MACRO      setbuf
//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO    snprintf
//#define MBEDTLS_PLATFORM_STD_CALLOC        calloc
//#define MBEDTLS_PLATFORM_STD_EXIT            exit
//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE       1
//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS       0
//#define MBEDTLS_PLATFORM_STD_FPRINTF      fprintf
//#define MBEDTLS_PLATFORM_STD_FREE            free
//#define MBEDTLS_PLATFORM_STD_MEM_HDR   <stdlib.h>
//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE  "seedfile"
//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ   mbedtls_platform_std_nv_seed_read
//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE  mbedtls_platform_std_nv_seed_write
//#define MBEDTLS_PLATFORM_STD_PRINTF        printf
//#define MBEDTLS_PLATFORM_STD_SETBUF      setbuf
//#define MBEDTLS_PLATFORM_STD_SNPRINTF    snprintf
//#define MBEDTLS_PLATFORM_STD_TIME            time
//#define MBEDTLS_PLATFORM_TIME_MACRO            time
//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO       time_t
//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO    vsnprintf
//#define MBEDTLS_PRINTF_MS_TIME    PRId64
```

#### SECTION General and test configuration options
Note: for consistency with the configuration file name change from
`crypto_config.h` to `tf_psa_crypto_config.h`, the configuration options
`MBEDTLS_PSA_CRYPTO_CONFIG_FILE` and `MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE` are
respectively renamed `TF_PSA_CRYPTO_CONFIG_FILE` and
`TF_PSA_CRYPTO_USER_CONFIG_FILE`. These are the only configuration options
renamed by this document.
```
//#define MBEDTLS_CHECK_RETURN_WARNING
//#define MBEDTLS_DEPRECATED_REMOVED
//#define MBEDTLS_DEPRECATED_WARNING
#define MBEDTLS_SELF_TEST
//#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
//#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
//#define MBEDTLS_TEST_HOOKS

//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__))
//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result))
//#define TF_PSA_CRYPTO_CONFIG_FILE "psa/tf_psa_crypto_config.h"
//#define TF_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"
```

#### SECTION Cryptographic mechanism selection (PSA API)
PSA_WANT_\* macros as in the current `crypto_config.h`.


#### SECTION Cryptographic mechanism selection (extended API)
```
#define MBEDTLS_LMS_C
//#define MBEDTLS_LMS_PRIVATE
#define MBEDTLS_MD_C
#define MBEDTLS_NIST_KW_C
#define MBEDTLS_PKCS5_C
#define MBEDTLS_PKCS12_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_PARSE_EC_COMPRESSED
#define MBEDTLS_PK_PARSE_EC_EXTENDED
#define MBEDTLS_PK_RSA_ALT_SUPPORT
#define MBEDTLS_PK_WRITE_C

//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN               48
//#define MBEDTLS_CTR_DRBG_MAX_INPUT                256
//#define MBEDTLS_CTR_DRBG_MAX_REQUEST             1024
//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT           384
//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL        10000
//#define MBEDTLS_HMAC_DRBG_MAX_INPUT           256
//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST        1024
//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT      384
//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000
//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
```


#### SECTION Data format support
```
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_BASE64_C
#define MBEDTLS_OID_C
#define MBEDTLS_PEM_PARSE_C
#define MBEDTLS_PEM_WRITE_C
```


#### SECTION PSA core
```
#define MBEDTLS_ENTROPY_C
//#define MBEDTLS_ENTROPY_FORCE_SHA256
//#define MBEDTLS_ENTROPY_HARDWARE_ALT
//#define MBEDTLS_ENTROPY_NV_SEED
//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
//#define MBEDTLS_NO_PLATFORM_ENTROPY
//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
#define MBEDTLS_PSA_CRYPTO_C
//#define MBEDTLS_PSA_CRYPTO_CLIENT
//#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
//#define MBEDTLS_PSA_CRYPTO_SPM
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
//#define MBEDTLS_PSA_INJECT_ENTROPY
#define MBEDTLS_PSA_ITS_FILE_C
#define MBEDTLS_PSA_KEY_STORE_DYNAMIC
//#define MBEDTLS_PSA_STATIC_KEY_SLOTS

//#define MBEDTLS_ENTROPY_MAX_GATHER                128
//#define MBEDTLS_ENTROPY_MAX_SOURCES                20
//#define MBEDTLS_ENTROPY_MIN_HARDWARE               32
//#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h"
//#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h"
//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
//#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE       256
```

#### SECTION Builtin drivers
```
#define MBEDTLS_AESCE_C
#define MBEDTLS_AESNI_C
//#define MBEDTLS_AES_FEWER_TABLES
//#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
//#define MBEDTLS_AES_ROM_TABLES
//#define MBEDTLS_AES_USE_HARDWARE_ONLY
//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
#define MBEDTLS_ECP_NIST_OPTIM
//#define MBEDTLS_ECP_RESTARTABLE
//#define MBEDTLS_ECP_WITH_MPI_UINT
//#define MBEDTLS_GCM_LARGE_TABLE
#define MBEDTLS_HAVE_ASM
//#define MBEDTLS_HAVE_SSE2
//#define MBEDTLS_NO_UDBL_DIVISION
//#define MBEDTLS_NO_64BIT_MULTIPLICATION
//#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
//#define MBEDTLS_RSA_NO_CRT
//#define MBEDTLS_SHA256_SMALLER
//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
//#define MBEDTLS_SHA512_SMALLER
//#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
//#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY

//#define MBEDTLS_ECP_FIXED_POINT_OPTIM      1
//#define MBEDTLS_ECP_WINDOW_SIZE            4
//#define MBEDTLS_MPI_MAX_SIZE            1024
//#define MBEDTLS_MPI_WINDOW_SIZE            2
//#define MBEDTLS_RSA_GEN_KEY_MIN_BITS            1024
```


#### SECTION Legacy cryptography
```
#define MBEDTLS_AES_C
#define MBEDTLS_ARIA_C
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_CAMELLIA_C
#define MBEDTLS_CCM_C
#define MBEDTLS_CHACHA20_C
#define MBEDTLS_CHACHAPOLY_C
#define MBEDTLS_CIPHER_C
#define MBEDTLS_CIPHER_MODE_CBC
#define MBEDTLS_CIPHER_MODE_CFB
#define MBEDTLS_CIPHER_MODE_CTR
#define MBEDTLS_CIPHER_MODE_OFB
#define MBEDTLS_CIPHER_MODE_XTS
//#define MBEDTLS_CIPHER_NULL_CIPHER
#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#define MBEDTLS_CIPHER_PADDING_PKCS7
#define MBEDTLS_CIPHER_PADDING_ZEROS
#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
#define MBEDTLS_CMAC_C
#define MBEDTLS_CTR_DRBG_C
//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
#define MBEDTLS_DES_C
#define MBEDTLS_DHM_C
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ECP_DP_BP256R1_ENABLED
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
#define MBEDTLS_ECP_DP_CURVE448_ENABLED
#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECDSA_DETERMINISTIC
#define MBEDTLS_ECJPAKE_C
#define MBEDTLS_GCM_C
#define MBEDTLS_GENPRIME
#define MBEDTLS_HKDF_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_MD5_C
#define MBEDTLS_PADLOCK_C
#define MBEDTLS_PKCS1_V15
#define MBEDTLS_PKCS1_V21
#define MBEDTLS_POLY1305_C
//#define MBEDTLS_PSA_CRYPTO_SE_C
#define MBEDTLS_RIPEMD160_C
#define MBEDTLS_RSA_C
#define MBEDTLS_SHA1_C
#define MBEDTLS_SHA224_C
#define MBEDTLS_SHA256_C
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA3_C
#define MBEDTLS_SHA512_C
```


### In `mbedtls_config.h`, we have:
#### SECTION Platform abstraction layer
```
#define MBEDTLS_NET_C
//#define MBEDTLS_TIMING_ALT
#define MBEDTLS_TIMING_C
```


#### SECTION General configuration options
```
#define MBEDTLS_ERROR_C
#define MBEDTLS_ERROR_STRERROR_DUMMY
#define MBEDTLS_VERSION_C
#define MBEDTLS_VERSION_FEATURES

//#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
//#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
```


#### SECTION TLS feature selection
```
#define MBEDTLS_DEBUG_C
#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
#define MBEDTLS_SSL_ALPN
//#define MBEDTLS_SSL_ASYNC_PRIVATE
#define MBEDTLS_SSL_CACHE_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
#define MBEDTLS_SSL_COOKIE_C
//#define MBEDTLS_SSL_DEBUG_ALL
#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
//#define MBEDTLS_SSL_DTLS_SRTP
//#define MBEDTLS_SSL_EARLY_DATA
#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
#define MBEDTLS_SSL_PROTO_DTLS
#define MBEDTLS_SSL_PROTO_TLS1_2
#define MBEDTLS_SSL_PROTO_TLS1_3
//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
#define MBEDTLS_SSL_RENEGOTIATION
#define MBEDTLS_SSL_SERVER_NAME_INDICATION
#define MBEDTLS_SSL_SESSION_TICKETS
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_TICKET_C
#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
#define MBEDTLS_SSL_TLS_C
//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH

//#define MBEDTLS_PSK_MAX_LEN               32
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50
//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400
//#define MBEDTLS_SSL_CID_IN_LEN_MAX 32
//#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32
//#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16
//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
//#define MBEDTLS_SSL_COOKIE_TIMEOUT        60
//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING             32768
//#define MBEDTLS_SSL_IN_CONTENT_LEN              16384
//#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE        1024
//#define MBEDTLS_SSL_OUT_CONTENT_LEN             16384
//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
//#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
//#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
```


#### SECTION X.509 feature selection
```
#define MBEDTLS_PKCS7_C
#define MBEDTLS_X509_CREATE_C
#define MBEDTLS_X509_CRL_PARSE_C
#define MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_X509_CRT_WRITE_C
#define MBEDTLS_X509_CSR_PARSE_C
#define MBEDTLS_X509_CSR_WRITE_C
//#define MBEDTLS_X509_REMOVE_INFO
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
#define MBEDTLS_X509_USE_C

//#define MBEDTLS_X509_MAX_FILE_PATH_LEN     512
//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8
```
