1 /* 2 * Copyright (C) 2015-2018 Alibaba Group Holding Limited 3 */ 4 5 #ifndef INFRA_AES_CONFIG_H 6 #define INFRA_AES_CONFIG_H 7 8 #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) 9 #define _CRT_SECURE_NO_DEPRECATE 1 10 #endif 11 12 /** 13 * \name SECTION: System support 14 * 15 * This section sets system specific settings. 16 * \{ 17 */ 18 19 /** 20 * \def INFRA_HAVE_ASM 21 * 22 * The compiler has support for asm(). 23 * 24 * Requires support for asm() in compiler. 25 * 26 * Used in: 27 * library/timing.c 28 * library/padlock.c 29 * include/mbedtls/bn_mul.h 30 * 31 * Comment to disable the use of assembly code. 32 */ 33 34 /** 35 * \def INFRA_HAVE_SSE2 36 * 37 * CPU supports SSE2 instruction set. 38 * 39 * Uncomment if the CPU supports SSE2 (IA-32 specific). 40 */ 41 42 /** 43 * \def INFRA_HAVE_TIME 44 * 45 * System has time.h and time(). 46 * The time does not need to be correct, only time differences are used, 47 * by contrast with INFRA_HAVE_TIME_DATE 48 * 49 * Defining INFRA_HAVE_TIME allows you to specify INFRA_PLATFORM_TIME_ALT, 50 * INFRA_PLATFORM_TIME_MACRO, INFRA_PLATFORM_TIME_TYPE_MACRO and 51 * INFRA_PLATFORM_STD_TIME. 52 * 53 * Comment if your system does not support time functions 54 */ 55 56 /** 57 * \def INFRA_HAVE_TIME_DATE 58 * 59 * System has time.h and time(), gmtime() and the clock is correct. 60 * The time needs to be correct (not necesarily very accurate, but at least 61 * the date should be correct). This is used to verify the validity period of 62 * X.509 certificates. 63 * 64 * Comment if your system does not have a correct clock. 65 */ 66 67 /** 68 * \def INFRA_PLATFORM_MEMORY 69 * 70 * Enable the memory allocation layer. 71 * 72 * By default mbed TLS uses the system-provided calloc() and free(). 73 * This allows different allocators (self-implemented or provided) to be 74 * provided to the platform abstraction layer. 75 * 76 * Enabling INFRA_PLATFORM_MEMORY without the 77 * INFRA_PLATFORM_{FREE,CALLOC}_MACROs will provide 78 * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative 79 * calloc() and free() function pointer at runtime. 80 * 81 * Enabling INFRA_PLATFORM_MEMORY and specifying 82 * INFRA_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the 83 * alternate function at compile time. 84 * 85 * Requires: INFRA_PLATFORM_C 86 * 87 * Enable this layer to allow use of alternative memory allocators. 88 */ 89 #define INFRA_PLATFORM_MEMORY 90 91 /** 92 * \def INFRA_PLATFORM_NO_STD_FUNCTIONS 93 * 94 * Do not assign standard functions in the platform layer (e.g. calloc() to 95 * INFRA_PLATFORM_STD_CALLOC and printf() to INFRA_PLATFORM_STD_PRINTF) 96 * 97 * This makes sure there are no linking errors on platforms that do not support 98 * these functions. You will HAVE to provide alternatives, either at runtime 99 * via the platform_set_xxx() functions or at compile time by setting 100 * the INFRA_PLATFORM_STD_XXX defines, or enabling a 101 * INFRA_PLATFORM_XXX_MACRO. 102 * 103 * Requires: INFRA_PLATFORM_C 104 * 105 * Uncomment to prevent default assignment of standard functions in the 106 * platform layer. 107 */ 108 109 /** 110 * \def INFRA_PLATFORM_EXIT_ALT 111 * 112 * INFRA_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the 113 * function in the platform abstraction layer. 114 * 115 * Example: In case you uncomment INFRA_PLATFORM_PRINTF_ALT, mbed TLS will 116 * provide a function "mbedtls_platform_set_printf()" that allows you to set an 117 * alternative printf function pointer. 118 * 119 * All these define require INFRA_PLATFORM_C to be defined! 120 * 121 * \note INFRA_PLATFORM_SNPRINTF_ALT is required on Windows; 122 * it will be enabled automatically by check_config.h 123 * 124 * \warning INFRA_PLATFORM_XXX_ALT cannot be defined at the same time as 125 * INFRA_PLATFORM_XXX_MACRO! 126 * 127 * Requires: INFRA_PLATFORM_TIME_ALT requires INFRA_HAVE_TIME 128 * 129 * Uncomment a macro to enable alternate implementation of specific base 130 * platform function 131 */ 132 133 /** 134 * \def INFRA_DEPRECATED_WARNING 135 * 136 * Mark deprecated functions so that they generate a warning if used. 137 * Functions deprecated in one version will usually be removed in the next 138 * version. You can enable this to help you prepare the transition to a new 139 * major version by making sure your code is not using these functions. 140 * 141 * This only works with GCC and Clang. With other compilers, you may want to 142 * use INFRA_DEPRECATED_REMOVED 143 * 144 * Uncomment to get warnings on using deprecated functions. 145 */ 146 147 /** 148 * \def INFRA_DEPRECATED_REMOVED 149 * 150 * Remove deprecated functions so that they generate an error if used. 151 * Functions deprecated in one version will usually be removed in the next 152 * version. You can enable this to help you prepare the transition to a new 153 * major version by making sure your code is not using these functions. 154 * 155 * Uncomment to get errors on using deprecated functions. 156 */ 157 158 /* \} name SECTION: System support */ 159 160 /** 161 * \name SECTION: mbed TLS feature support 162 * 163 * This section sets support for features that are or are not needed 164 * within the modules that are enabled. 165 * \{ 166 */ 167 168 /** 169 * \def INFRA_TIMING_ALT 170 * 171 * Uncomment to provide your own alternate implementation for 172 * mbedtls_timing_hardclock(), mbedtls_timing_get_timer(), mbedtls_set_alarm(), 173 * mbedtls_set/get_delay() 174 * 175 * Only works if you have INFRA_TIMING_C enabled. 176 * 177 * You will need to provide a header "timing_alt.h" and an implementation at 178 * compile time. 179 */ 180 181 /** 182 * \def INFRA_AES_ALT 183 * 184 * INFRA__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your 185 * alternate core implementation of a symmetric crypto, an arithmetic or hash 186 * module (e.g. platform specific assembly optimized implementations). Keep 187 * in mind that the function prototypes should remain the same. 188 * 189 * This replaces the whole module. If you only want to replace one of the 190 * functions, use one of the INFRA__FUNCTION_NAME__ALT flags. 191 * 192 * Example: In case you uncomment INFRA_AES_ALT, mbed TLS will no longer 193 * provide the "struct mbedtls_aes_context" definition and omit the base 194 * function declarations and implementations. "aes_alt.h" will be included from 195 * "aes.h" to include the new function definitions. 196 * 197 * Uncomment a macro to enable alternate implementation of the corresponding 198 * module. 199 */ 200 /* 201 * When replacing the elliptic curve module, pleace consider, that it is 202 * implemented with two .c files: 203 * - ecp.c 204 * - ecp_curves.c 205 * You can replace them very much like all the other INFRA__MODULE_NAME__ALT 206 * macros as described above. The only difference is that you have to make sure 207 * that you provide functionality for both .c files. 208 */ 209 210 /** 211 * \def INFRA_MD2_PROCESS_ALT 212 * 213 * INFRA__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you 214 * alternate core implementation of symmetric crypto or hash function. Keep in 215 * mind that function prototypes should remain the same. 216 * 217 * This replaces only one function. The header file from mbed TLS is still 218 * used, in contrast to the INFRA__MODULE_NAME__ALT flags. 219 * 220 * Example: In case you uncomment INFRA_SHA256_PROCESS_ALT, mbed TLS will 221 * no longer provide the mbedtls_sha1_process() function, but it will still 222 * provide the other function (using your mbedtls_sha1_process() function) and 223 * the definition of mbedtls_sha1_context, so your implementation of 224 * mbedtls_sha1_process must be compatible with this definition. 225 * 226 * Note: if you use the AES_xxx_ALT macros, then is is recommended to also set 227 * INFRA_AES_ROM_TABLES in order to help the linker garbage-collect the AES 228 * tables. 229 * 230 * Uncomment a macro to enable alternate implementation of the corresponding 231 * function. 232 */ 233 234 /** 235 * \def INFRA_ECP_INTERNAL_ALT 236 * 237 * Expose a part of the internal interface of the Elliptic Curve Point module. 238 * 239 * INFRA_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your 240 * alternative core implementation of elliptic curve arithmetic. Keep in mind 241 * that function prototypes should remain the same. 242 * 243 * This partially replaces one function. The header file from mbed TLS is still 244 * used, in contrast to the INFRA_ECP_ALT flag. The original implementation 245 * is still present and it is used for group structures not supported by the 246 * alternative. 247 * 248 * Any of these options become available by defining INFRA_ECP_INTERNAL_ALT 249 * and implementing the following functions: 250 * unsigned char mbedtls_internal_ecp_grp_capable( 251 * const mbedtls_ecp_group *grp ) 252 * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ) 253 * void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp ) 254 * The mbedtls_internal_ecp_grp_capable function should return 1 if the 255 * replacement functions implement arithmetic for the given group and 0 256 * otherwise. 257 * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are 258 * called before and after each point operation and provide an opportunity to 259 * implement optimized set up and tear down instructions. 260 * 261 * Example: In case you uncomment INFRA_ECP_INTERNAL_ALT and 262 * INFRA_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac 263 * function, but will use your mbedtls_internal_ecp_double_jac if the group is 264 * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when 265 * receives it as an argument). If the group is not supported then the original 266 * implementation is used. The other functions and the definition of 267 * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your 268 * implementation of mbedtls_internal_ecp_double_jac and 269 * mbedtls_internal_ecp_grp_capable must be compatible with this definition. 270 * 271 * Uncomment a macro to enable alternate implementation of the corresponding 272 * function. 273 */ 274 /* Required for all the functions in this section */ 275 /* Support for Weierstrass curves with Jacobi representation */ 276 /* Support for curves with Montgomery arithmetic */ 277 278 /** 279 * \def INFRA_TEST_NULL_ENTROPY 280 * 281 * Enables testing and use of mbed TLS without any configured entropy sources. 282 * This permits use of the library on platforms before an entropy source has 283 * been integrated (see for example the INFRA_ENTROPY_HARDWARE_ALT or the 284 * INFRA_ENTROPY_NV_SEED switches). 285 * 286 * WARNING! This switch MUST be disabled in production builds, and is suitable 287 * only for development. 288 * Enabling the switch negates any security provided by the library. 289 * 290 * Requires INFRA_ENTROPY_C, INFRA_NO_DEFAULT_ENTROPY_SOURCES 291 * 292 */ 293 294 /** 295 * \def INFRA_ENTROPY_HARDWARE_ALT 296 * 297 * Uncomment this macro to let mbed TLS use your own implementation of a 298 * hardware entropy collector. 299 * 300 * Your function must be called \c mbedtls_hardware_poll(), have the same 301 * prototype as declared in entropy_poll.h, and accept NULL as first argument. 302 * 303 * Uncomment to use your own hardware entropy collector. 304 */ 305 306 /** 307 * \def INFRA_AES_ROM_TABLES 308 * 309 * Store the AES tables in ROM. 310 * 311 * Uncomment this macro to store the AES tables in ROM. 312 */ 313 314 /** 315 * \def INFRA_CAMELLIA_SMALL_MEMORY 316 * 317 * Use less ROM for the Camellia implementation (saves about 768 bytes). 318 * 319 * Uncomment this macro to use less memory for Camellia. 320 */ 321 322 /** 323 * \def INFRA_CIPHER_MODE_CBC 324 * 325 * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. 326 */ 327 #define INFRA_CIPHER_MODE_CBC 328 329 /** 330 * \def INFRA_CIPHER_MODE_CFB 331 * 332 * Enable Cipher Feedback mode (CFB) for symmetric ciphers. 333 */ 334 #define INFRA_CIPHER_MODE_CFB 335 336 /** 337 * \def INFRA_CIPHER_MODE_CTR 338 * 339 * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. 340 */ 341 342 /** 343 * \def INFRA_CIPHER_NULL_CIPHER 344 * 345 * Enable NULL cipher. 346 * Warning: Only do so when you know what you are doing. This allows for 347 * encryption or channels without any security! 348 * 349 * Requires INFRA_ENABLE_WEAK_CIPHERSUITES as well to enable 350 * the following ciphersuites: 351 * INFRA_TLS_ECDH_ECDSA_WITH_NULL_SHA 352 * INFRA_TLS_ECDH_RSA_WITH_NULL_SHA 353 * INFRA_TLS_ECDHE_ECDSA_WITH_NULL_SHA 354 * INFRA_TLS_ECDHE_RSA_WITH_NULL_SHA 355 * INFRA_TLS_ECDHE_PSK_WITH_NULL_SHA384 356 * INFRA_TLS_ECDHE_PSK_WITH_NULL_SHA256 357 * INFRA_TLS_ECDHE_PSK_WITH_NULL_SHA 358 * INFRA_TLS_DHE_PSK_WITH_NULL_SHA384 359 * INFRA_TLS_DHE_PSK_WITH_NULL_SHA256 360 * INFRA_TLS_DHE_PSK_WITH_NULL_SHA 361 * INFRA_TLS_RSA_WITH_NULL_SHA256 362 * INFRA_TLS_RSA_WITH_NULL_SHA 363 * INFRA_TLS_RSA_WITH_NULL_MD5 364 * INFRA_TLS_RSA_PSK_WITH_NULL_SHA384 365 * INFRA_TLS_RSA_PSK_WITH_NULL_SHA256 366 * INFRA_TLS_RSA_PSK_WITH_NULL_SHA 367 * INFRA_TLS_PSK_WITH_NULL_SHA384 368 * INFRA_TLS_PSK_WITH_NULL_SHA256 369 * INFRA_TLS_PSK_WITH_NULL_SHA 370 * 371 * Uncomment this macro to enable the NULL cipher and ciphersuites 372 */ 373 374 /** 375 * \def INFRA_CIPHER_PADDING_PKCS7 376 * 377 * INFRA_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for 378 * specific padding modes in the cipher layer with cipher modes that support 379 * padding (e.g. CBC) 380 * 381 * If you disable all padding modes, only full blocks can be used with CBC. 382 * 383 * Enable padding modes in the cipher layer. 384 */ 385 #define INFRA_CIPHER_PADDING_PKCS7 386 #define INFRA_CIPHER_PADDING_ZEROS 387 388 /** 389 * \def INFRA_ENABLE_WEAK_CIPHERSUITES 390 * 391 * Enable weak ciphersuites in SSL / TLS. 392 * Warning: Only do so when you know what you are doing. This allows for 393 * channels with virtually no security at all! 394 * 395 * This enables the following ciphersuites: 396 * INFRA_TLS_RSA_WITH_DES_CBC_SHA 397 * INFRA_TLS_DHE_RSA_WITH_DES_CBC_SHA 398 * 399 * Uncomment this macro to enable weak ciphersuites 400 */ 401 402 /** 403 * \def INFRA_REMOVE_ARC4_CIPHERSUITES 404 * 405 * Remove RC4 ciphersuites by default in SSL / TLS. 406 * This flag removes the ciphersuites based on RC4 from the default list as 407 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to 408 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them 409 * explicitly. 410 * 411 * Uncomment this macro to remove RC4 ciphersuites by default. 412 */ 413 #define INFRA_REMOVE_ARC4_CIPHERSUITES 414 415 /** 416 * \def INFRA_ECP_DP_SECP192R1_ENABLED 417 * 418 * INFRA_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve 419 * module. By default all supported curves are enabled. 420 * 421 * Comment macros to disable the curve and functions for it 422 */ 423 424 /** 425 * \def INFRA_ECP_NIST_OPTIM 426 * 427 * Enable specific 'modulo p' routines for each NIST prime. 428 * Depending on the prime and architecture, makes operations 4 to 8 times 429 * faster on the corresponding curve. 430 * 431 * Comment this macro to disable NIST curves optimisation. 432 */ 433 434 /** 435 * \def INFRA_ECDSA_DETERMINISTIC 436 * 437 * Enable deterministic ECDSA (RFC 6979). 438 * Standard ECDSA is "fragile" in the sense that lack of entropy when signing 439 * may result in a compromise of the long-term signing key. This is avoided by 440 * the deterministic variant. 441 * 442 * Requires: INFRA_HMAC_DRBG_C 443 * 444 * Comment this macro to disable deterministic ECDSA. 445 */ 446 447 /** 448 * \def INFRA_KEY_EXCHANGE_PSK_ENABLED 449 * 450 * Enable the PSK based ciphersuite modes in SSL / TLS. 451 * 452 * This enables the following ciphersuites (if other requisites are 453 * enabled as well): 454 * INFRA_TLS_PSK_WITH_AES_256_GCM_SHA384 455 * INFRA_TLS_PSK_WITH_AES_256_CBC_SHA384 456 * INFRA_TLS_PSK_WITH_AES_256_CBC_SHA 457 * INFRA_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 458 * INFRA_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 459 * INFRA_TLS_PSK_WITH_AES_128_GCM_SHA256 460 * INFRA_TLS_PSK_WITH_AES_128_CBC_SHA256 461 * INFRA_TLS_PSK_WITH_AES_128_CBC_SHA 462 * INFRA_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 463 * INFRA_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 464 * INFRA_TLS_PSK_WITH_3DES_EDE_CBC_SHA 465 * INFRA_TLS_PSK_WITH_RC4_128_SHA 466 */ 467 #define INFRA_KEY_EXCHANGE_PSK_ENABLED 468 469 /** 470 * \def INFRA_KEY_EXCHANGE_DHE_PSK_ENABLED 471 * 472 * Enable the DHE-PSK based ciphersuite modes in SSL / TLS. 473 * 474 * Requires: INFRA_DHM_C 475 * 476 * This enables the following ciphersuites (if other requisites are 477 * enabled as well): 478 * INFRA_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 479 * INFRA_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 480 * INFRA_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 481 * INFRA_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 482 * INFRA_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 483 * INFRA_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 484 * INFRA_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 485 * INFRA_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 486 * INFRA_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 487 * INFRA_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 488 * INFRA_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 489 * INFRA_TLS_DHE_PSK_WITH_RC4_128_SHA 490 */ 491 492 /** 493 * \def INFRA_KEY_EXCHANGE_ECDHE_PSK_ENABLED 494 * 495 * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. 496 * 497 * Requires: INFRA_ECDH_C 498 * 499 * This enables the following ciphersuites (if other requisites are 500 * enabled as well): 501 * INFRA_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 502 * INFRA_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 503 * INFRA_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 504 * INFRA_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 505 * INFRA_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 506 * INFRA_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 507 * INFRA_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 508 * INFRA_TLS_ECDHE_PSK_WITH_RC4_128_SHA 509 */ 510 511 /** 512 * \def INFRA_KEY_EXCHANGE_RSA_PSK_ENABLED 513 * 514 * Enable the RSA-PSK based ciphersuite modes in SSL / TLS. 515 * 516 * Requires: INFRA_RSA_C, INFRA_PKCS1_V15, 517 * INFRA_X509_CRT_PARSE_C 518 * 519 * This enables the following ciphersuites (if other requisites are 520 * enabled as well): 521 * INFRA_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 522 * INFRA_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 523 * INFRA_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 524 * INFRA_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 525 * INFRA_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 526 * INFRA_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 527 * INFRA_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 528 * INFRA_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 529 * INFRA_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 530 * INFRA_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 531 * INFRA_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 532 * INFRA_TLS_RSA_PSK_WITH_RC4_128_SHA 533 */ 534 #define INFRA_KEY_EXCHANGE_RSA_PSK_ENABLED 535 536 /** 537 * \def INFRA_KEY_EXCHANGE_RSA_ENABLED 538 * 539 * Enable the RSA-only based ciphersuite modes in SSL / TLS. 540 * 541 * Requires: INFRA_RSA_C, INFRA_PKCS1_V15, 542 * INFRA_X509_CRT_PARSE_C 543 * 544 * This enables the following ciphersuites (if other requisites are 545 * enabled as well): 546 * INFRA_TLS_RSA_WITH_AES_256_GCM_SHA384 547 * INFRA_TLS_RSA_WITH_AES_256_CBC_SHA256 548 * INFRA_TLS_RSA_WITH_AES_256_CBC_SHA 549 * INFRA_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 550 * INFRA_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 551 * INFRA_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 552 * INFRA_TLS_RSA_WITH_AES_128_GCM_SHA256 553 * INFRA_TLS_RSA_WITH_AES_128_CBC_SHA256 554 * INFRA_TLS_RSA_WITH_AES_128_CBC_SHA 555 * INFRA_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 556 * INFRA_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 557 * INFRA_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 558 * INFRA_TLS_RSA_WITH_3DES_EDE_CBC_SHA 559 * INFRA_TLS_RSA_WITH_RC4_128_SHA 560 * INFRA_TLS_RSA_WITH_RC4_128_MD5 561 */ 562 #define INFRA_KEY_EXCHANGE_RSA_ENABLED 563 564 /** 565 * \def INFRA_KEY_EXCHANGE_DHE_RSA_ENABLED 566 * 567 * Enable the DHE-RSA based ciphersuite modes in SSL / TLS. 568 * 569 * Requires: INFRA_DHM_C, INFRA_RSA_C, INFRA_PKCS1_V15, 570 * INFRA_X509_CRT_PARSE_C 571 * 572 * This enables the following ciphersuites (if other requisites are 573 * enabled as well): 574 * INFRA_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 575 * INFRA_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 576 * INFRA_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 577 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 578 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 579 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 580 * INFRA_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 581 * INFRA_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 582 * INFRA_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 583 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 584 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 585 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 586 * INFRA_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 587 */ 588 589 /** 590 * \def INFRA_KEY_EXCHANGE_ECDHE_RSA_ENABLED 591 * 592 * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. 593 * 594 * Requires: INFRA_ECDH_C, INFRA_RSA_C, INFRA_PKCS1_V15, 595 * INFRA_X509_CRT_PARSE_C 596 * 597 * This enables the following ciphersuites (if other requisites are 598 * enabled as well): 599 * INFRA_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 600 * INFRA_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 601 * INFRA_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 602 * INFRA_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 603 * INFRA_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 604 * INFRA_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 605 * INFRA_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 606 * INFRA_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 607 * INFRA_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 608 * INFRA_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 609 * INFRA_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 610 * INFRA_TLS_ECDHE_RSA_WITH_RC4_128_SHA 611 */ 612 613 /** 614 * \def INFRA_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 615 * 616 * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. 617 * 618 * Requires: INFRA_ECDH_C, INFRA_ECDSA_C, INFRA_X509_CRT_PARSE_C, 619 * 620 * This enables the following ciphersuites (if other requisites are 621 * enabled as well): 622 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 623 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 624 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 625 * INFRA_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 626 * INFRA_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 627 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 628 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 629 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 630 * INFRA_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 631 * INFRA_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 632 * INFRA_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 633 * INFRA_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 634 */ 635 636 /** 637 * \def INFRA_KEY_EXCHANGE_ECDH_ECDSA_ENABLED 638 * 639 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. 640 * 641 * Requires: INFRA_ECDH_C, INFRA_X509_CRT_PARSE_C 642 * 643 * This enables the following ciphersuites (if other requisites are 644 * enabled as well): 645 * INFRA_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 646 * INFRA_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 647 * INFRA_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 648 * INFRA_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 649 * INFRA_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 650 * INFRA_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 651 * INFRA_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 652 * INFRA_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 653 * INFRA_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 654 * INFRA_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 655 * INFRA_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 656 * INFRA_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 657 */ 658 659 /** 660 * \def INFRA_KEY_EXCHANGE_ECDH_RSA_ENABLED 661 * 662 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. 663 * 664 * Requires: INFRA_ECDH_C, INFRA_X509_CRT_PARSE_C 665 * 666 * This enables the following ciphersuites (if other requisites are 667 * enabled as well): 668 * INFRA_TLS_ECDH_RSA_WITH_RC4_128_SHA 669 * INFRA_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 670 * INFRA_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 671 * INFRA_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 672 * INFRA_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 673 * INFRA_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 674 * INFRA_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 675 * INFRA_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 676 * INFRA_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 677 * INFRA_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 678 * INFRA_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 679 * INFRA_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 680 */ 681 682 /** 683 * \def INFRA_KEY_EXCHANGE_ECJPAKE_ENABLED 684 * 685 * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. 686 * 687 * \warning This is currently experimental. EC J-PAKE support is based on the 688 * Thread v1.0.0 specification; incompatible changes to the specification 689 * might still happen. For this reason, this is disabled by default. 690 * 691 * Requires: INFRA_ECJPAKE_C 692 * INFRA_SHA256_C 693 * INFRA_ECP_DP_SECP256R1_ENABLED 694 * 695 * This enables the following ciphersuites (if other requisites are 696 * enabled as well): 697 * INFRA_TLS_ECJPAKE_WITH_AES_128_CCM_8 698 */ 699 700 /** 701 * \def INFRA_PK_PARSE_EC_EXTENDED 702 * 703 * Enhance support for reading EC keys using variants of SEC1 not allowed by 704 * RFC 5915 and RFC 5480. 705 * 706 * Currently this means parsing the SpecifiedECDomain choice of EC 707 * parameters (only known groups are supported, not arbitrary domains, to 708 * avoid validation issues). 709 * 710 * Disable if you only need to support RFC 5915 + 5480 key formats. 711 */ 712 713 /** 714 * \def INFRA_ERROR_STRERROR_DUMMY 715 * 716 * Enable a dummy error function to make use of mbedtls_strerror() in 717 * third party libraries easier when INFRA_ERROR_C is disabled 718 * (no effect when INFRA_ERROR_C is enabled). 719 * 720 * You can safely disable this if INFRA_ERROR_C is enabled, or if you're 721 * not using mbedtls_strerror() or error_strerror() in your application. 722 * 723 * Disable if you run into name conflicts and want to really remove the 724 * mbedtls_strerror() 725 */ 726 #define INFRA_ERROR_STRERROR_DUMMY 727 728 /** 729 * \def INFRA_GENPRIME 730 * 731 * Enable the prime-number generation code. 732 * 733 * Requires: INFRA_BIGNUM_C 734 */ 735 #define INFRA_GENPRIME 736 737 /** 738 * \def INFRA_FS_IO 739 * 740 * Enable functions that use the filesystem. 741 */ 742 743 /** 744 * \def INFRA_NO_DEFAULT_ENTROPY_SOURCES 745 * 746 * Do not add default entropy sources. These are the platform specific, 747 * mbedtls_timing_hardclock and HAVEGE based poll functions. 748 * 749 * This is useful to have more control over the added entropy sources in an 750 * application. 751 * 752 * Uncomment this macro to prevent loading of default entropy functions. 753 */ 754 755 /** 756 * \def INFRA_NO_PLATFORM_ENTROPY 757 * 758 * Do not use built-in platform entropy functions. 759 * This is useful if your platform does not support 760 * standards like the /dev/urandom or Windows CryptoAPI. 761 * 762 * Uncomment this macro to disable the built-in platform entropy functions. 763 */ 764 765 /** 766 * \def INFRA_ENTROPY_FORCE_SHA256 767 * 768 * Force the entropy accumulator to use a SHA-256 accumulator instead of the 769 * default SHA-512 based one (if both are available). 770 * 771 * Requires: INFRA_SHA256_C 772 * 773 * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option 774 * if you have performance concerns. 775 * 776 * This option is only useful if both INFRA_SHA256_C and 777 * INFRA_SHA512_C are defined. Otherwise the available hash module is used. 778 */ 779 780 /** 781 * \def INFRA_ENTROPY_NV_SEED 782 * 783 * Enable the non-volatile (NV) seed file-based entropy source. 784 * (Also enables the NV seed read/write functions in the platform layer) 785 * 786 * This is crucial (if not required) on systems that do not have a 787 * cryptographic entropy source (in hardware or kernel) available. 788 * 789 * Requires: INFRA_ENTROPY_C, INFRA_PLATFORM_C 790 * 791 * \note The read/write functions that are used by the entropy source are 792 * determined in the platform layer, and can be modified at runtime and/or 793 * compile-time depending on the flags (INFRA_PLATFORM_NV_SEED_*) used. 794 * 795 * \note If you use the default implementation functions that read a seedfile 796 * with regular fopen(), please make sure you make a seedfile with the 797 * proper name (defined in INFRA_PLATFORM_STD_NV_SEED_FILE) and at 798 * least INFRA_ENTROPY_BLOCK_SIZE bytes in size that can be read from 799 * and written to or you will get an entropy source error! The default 800 * implementation will only use the first INFRA_ENTROPY_BLOCK_SIZE 801 * bytes from the file. 802 * 803 * \note The entropy collector will write to the seed file before entropy is 804 * given to an external source, to update it. 805 */ 806 807 /** 808 * \def INFRA_MEMORY_DEBUG 809 * 810 * Enable debugging of buffer allocator memory issues. Automatically prints 811 * (to stderr) all (fatal) messages on memory allocation issues. Enables 812 * function for 'debug output' of allocated memory. 813 * 814 * Requires: INFRA_MEMORY_BUFFER_ALLOC_C 815 * 816 * Uncomment this macro to let the buffer allocator print out error messages. 817 */ 818 819 /** 820 * \def INFRA_MEMORY_BACKTRACE 821 * 822 * Include backtrace information with each allocated block. 823 * 824 * Requires: INFRA_MEMORY_BUFFER_ALLOC_C 825 * GLIBC-compatible backtrace() an backtrace_symbols() support 826 * 827 * Uncomment this macro to include backtrace information 828 */ 829 830 /** 831 * \def INFRA_PK_RSA_ALT_SUPPORT 832 * 833 * Support external private RSA keys (eg from a HSM) in the PK layer. 834 * 835 * Comment this macro to disable support for external private RSA keys. 836 */ 837 838 /** 839 * \def INFRA_PKCS1_V15 840 * 841 * Enable support for PKCS#1 v1.5 encoding. 842 * 843 * Requires: INFRA_RSA_C 844 * 845 * This enables support for PKCS#1 v1.5 operations. 846 */ 847 #define INFRA_PKCS1_V15 848 849 /** 850 * \def INFRA_PKCS1_V21 851 * 852 * Enable support for PKCS#1 v2.1 encoding. 853 * 854 * Requires: INFRA_MD_C, INFRA_RSA_C 855 * 856 * This enables support for RSAES-OAEP and RSASSA-PSS operations. 857 */ 858 #define INFRA_PKCS1_V21 859 860 /** 861 * \def INFRA_RSA_NO_CRT 862 * 863 * Do not use the Chinese Remainder Theorem for the RSA private operation. 864 * 865 * Uncomment this macro to disable the use of CRT in RSA. 866 * 867 */ 868 869 /** 870 * \def INFRA_SELF_TEST 871 * 872 * Enable the checkup functions (*_self_test). 873 */ 874 875 /** 876 * \def INFRA_SHA256_SMALLER 877 * 878 * Enable an implementation of SHA-256 that has lower ROM footprint but also 879 * lower performance. 880 * 881 * The default implementation is meant to be a reasonnable compromise between 882 * performance and size. This version optimizes more aggressively for size at 883 * the expense of performance. Eg on Cortex-M4 it reduces the size of 884 * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about 885 * 30%. 886 * 887 * Uncomment to enable the smaller implementation of SHA256. 888 */ 889 890 /** 891 * \def INFRA_SSL_ALL_ALERT_MESSAGES 892 * 893 * Enable sending of alert messages in case of encountered errors as per RFC. 894 * If you choose not to send the alert messages, mbed TLS can still communicate 895 * with other servers, only debugging of failures is harder. 896 * 897 * The advantage of not sending alert messages, is that no information is given 898 * about reasons for failures thus preventing adversaries of gaining intel. 899 * 900 * Enable sending of all alert messages 901 */ 902 #define INFRA_SSL_ALL_ALERT_MESSAGES 903 904 /** 905 * \def INFRA_SSL_DEBUG_ALL 906 * 907 * Enable the debug messages in SSL module for all issues. 908 * Debug messages have been disabled in some places to prevent timing 909 * attacks due to (unbalanced) debugging function calls. 910 * 911 * If you need all error reporting you should enable this during debugging, 912 * but remove this for production servers that should log as well. 913 * 914 * Uncomment this macro to report all debug messages on errors introducing 915 * a timing side-channel. 916 * 917 */ 918 919 /** \def INFRA_SSL_ENCRYPT_THEN_MAC 920 * 921 * Enable support for Encrypt-then-MAC, RFC 7366. 922 * 923 * This allows peers that both support it to use a more robust protection for 924 * ciphersuites using CBC, providing deep resistance against timing attacks 925 * on the padding or underlying cipher. 926 * 927 * This only affects CBC ciphersuites, and is useless if none is defined. 928 * 929 * Requires: INFRA_SSL_PROTO_TLS1 or 930 * INFRA_SSL_PROTO_TLS1_1 or 931 * INFRA_SSL_PROTO_TLS1_2 932 * 933 * Comment this macro to disable support for Encrypt-then-MAC 934 */ 935 936 /** \def INFRA_SSL_EXTENDED_MASTER_SECRET 937 * 938 * Enable support for Extended Master Secret, aka Session Hash 939 * (draft-ietf-tls-session-hash-02). 940 * 941 * This was introduced as "the proper fix" to the Triple Handshake familiy of 942 * attacks, but it is recommended to always use it (even if you disable 943 * renegotiation), since it actually fixes a more fundamental issue in the 944 * original SSL/TLS design, and has implications beyond Triple Handshake. 945 * 946 * Requires: INFRA_SSL_PROTO_TLS1 or 947 * INFRA_SSL_PROTO_TLS1_1 or 948 * INFRA_SSL_PROTO_TLS1_2 949 * 950 * Comment this macro to disable support for Extended Master Secret. 951 */ 952 953 /** 954 * \def INFRA_SSL_FALLBACK_SCSV 955 * 956 * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00). 957 * 958 * For servers, it is recommended to always enable this, unless you support 959 * only one version of TLS, or know for sure that none of your clients 960 * implements a fallback strategy. 961 * 962 * For clients, you only need this if you're using a fallback strategy, which 963 * is not recommended in the first place, unless you absolutely need it to 964 * interoperate with buggy (version-intolerant) servers. 965 * 966 * Comment this macro to disable support for FALLBACK_SCSV 967 */ 968 969 /** 970 * \def INFRA_SSL_HW_RECORD_ACCEL 971 * 972 * Enable hooking functions in SSL module for hardware acceleration of 973 * individual records. 974 * 975 * Uncomment this macro to enable hooking functions. 976 */ 977 978 /** 979 * \def INFRA_SSL_CBC_RECORD_SPLITTING 980 * 981 * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0. 982 * 983 * This is a countermeasure to the BEAST attack, which also minimizes the risk 984 * of interoperability issues compared to sending 0-length records. 985 * 986 * Comment this macro to disable 1/n-1 record splitting. 987 */ 988 989 /** 990 * \def INFRA_SSL_RENEGOTIATION 991 * 992 * Disable support for TLS renegotiation. 993 * 994 * The two main uses of renegotiation are (1) refresh keys on long-lived 995 * connections and (2) client authentication after the initial handshake. 996 * If you don't need renegotiation, it's probably better to disable it, since 997 * it has been associated with security issues in the past and is easy to 998 * misuse/misunderstand. 999 * 1000 * Comment this to disable support for renegotiation. 1001 */ 1002 1003 /** 1004 * \def INFRA_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO 1005 * 1006 * Enable support for receiving and parsing SSLv2 Client Hello messages for the 1007 * SSL Server module (INFRA_SSL_SRV_C). 1008 * 1009 * Uncomment this macro to enable support for SSLv2 Client Hello messages. 1010 */ 1011 1012 /** 1013 * \def INFRA_SSL_SRV_RESPECT_CLIENT_PREFERENCE 1014 * 1015 * Pick the ciphersuite according to the client's preferences rather than ours 1016 * in the SSL Server module (INFRA_SSL_SRV_C). 1017 * 1018 * Uncomment this macro to respect client's ciphersuite order 1019 */ 1020 1021 /** 1022 * \def INFRA_SSL_MAX_FRAGMENT_LENGTH 1023 * 1024 * Enable support for RFC 6066 max_fragment_length extension in SSL. 1025 * 1026 * Comment this macro to disable support for the max_fragment_length extension 1027 */ 1028 #define INFRA_SSL_MAX_FRAGMENT_LENGTH 1029 1030 /** 1031 * \def INFRA_SSL_PROTO_SSL3 1032 * 1033 * Enable support for SSL 3.0. 1034 * 1035 * Requires: INFRA_MD5_C 1036 * INFRA_SHA1_C 1037 * 1038 * Comment this macro to disable support for SSL 3.0 1039 */ 1040 1041 /** 1042 * \def INFRA_SSL_PROTO_TLS1 1043 * 1044 * Enable support for TLS 1.0. 1045 * 1046 * Requires: INFRA_MD5_C 1047 * INFRA_SHA1_C 1048 * 1049 * Comment this macro to disable support for TLS 1.0 1050 */ 1051 1052 /** 1053 * \def INFRA_SSL_PROTO_TLS1_1 1054 * 1055 * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). 1056 * 1057 * Requires: INFRA_MD5_C 1058 * INFRA_SHA1_C 1059 * 1060 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0 1061 */ 1062 1063 /** 1064 * \def INFRA_SSL_PROTO_TLS1_2 1065 * 1066 * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). 1067 * 1068 * Requires: INFRA_SHA1_C or INFRA_SHA256_C or INFRA_SHA512_C 1069 * (Depends on ciphersuites) 1070 * 1071 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 1072 */ 1073 #define INFRA_SSL_PROTO_TLS1_2 1074 1075 /** 1076 * \def INFRA_SSL_PROTO_DTLS 1077 * 1078 * Enable support for DTLS (all available versions). 1079 * 1080 * Enable this and INFRA_SSL_PROTO_TLS1_1 to enable DTLS 1.0, 1081 * and/or this and INFRA_SSL_PROTO_TLS1_2 to enable DTLS 1.2. 1082 * 1083 * Requires: INFRA_SSL_PROTO_TLS1_1 1084 * or INFRA_SSL_PROTO_TLS1_2 1085 * 1086 * Comment this macro to disable support for DTLS 1087 */ 1088 #define INFRA_SSL_PROTO_DTLS 1089 1090 /** 1091 * \def INFRA_SSL_ALPN 1092 * 1093 * Enable support for RFC 7301 Application Layer Protocol Negotiation. 1094 * 1095 * Comment this macro to disable support for ALPN. 1096 */ 1097 1098 /** 1099 * \def INFRA_SSL_DTLS_ANTI_REPLAY 1100 * 1101 * Enable support for the anti-replay mechanism in DTLS. 1102 * 1103 * Requires: INFRA_SSL_TLS_C 1104 * INFRA_SSL_PROTO_DTLS 1105 * 1106 * \warning Disabling this is often a security risk! 1107 * See mbedtls_ssl_conf_dtls_anti_replay() for details. 1108 * 1109 * Comment this to disable anti-replay in DTLS. 1110 */ 1111 1112 /** 1113 * \def INFRA_SSL_DTLS_HELLO_VERIFY 1114 * 1115 * Enable support for HelloVerifyRequest on DTLS servers. 1116 * 1117 * This feature is highly recommended to prevent DTLS servers being used as 1118 * amplifiers in DoS attacks against other hosts. It should always be enabled 1119 * unless you know for sure amplification cannot be a problem in the 1120 * environment in which your server operates. 1121 * 1122 * \warning Disabling this can ba a security risk! (see above) 1123 * 1124 * Requires: INFRA_SSL_PROTO_DTLS 1125 * 1126 * Comment this to disable support for HelloVerifyRequest. 1127 */ 1128 #define INFRA_SSL_DTLS_HELLO_VERIFY 1129 1130 /** 1131 * \def INFRA_SSL_DTLS_CLIENT_PORT_REUSE 1132 * 1133 * Enable server-side support for clients that reconnect from the same port. 1134 * 1135 * Some clients unexpectedly close the connection and try to reconnect using the 1136 * same source port. This needs special support from the server to handle the 1137 * new connection securely, as described in section 4.2.8 of RFC 6347. This 1138 * flag enables that support. 1139 * 1140 * Requires: INFRA_SSL_DTLS_HELLO_VERIFY 1141 * 1142 * Comment this to disable support for clients reusing the source port. 1143 */ 1144 #define INFRA_SSL_DTLS_CLIENT_PORT_REUSE 1145 1146 /** 1147 * \def INFRA_SSL_DTLS_BADMAC_LIMIT 1148 * 1149 * Enable support for a limit of records with bad MAC. 1150 * 1151 * See mbedtls_ssl_conf_dtls_badmac_limit(). 1152 * 1153 * Requires: INFRA_SSL_PROTO_DTLS 1154 */ 1155 1156 /** 1157 * \def INFRA_SSL_SESSION_TICKETS 1158 * 1159 * Enable support for RFC 5077 session tickets in SSL. 1160 * Client-side, provides full support for session tickets (maintainance of a 1161 * session store remains the responsibility of the application, though). 1162 * Server-side, you also need to provide callbacks for writing and parsing 1163 * tickets, including authenticated encryption and key management. Example 1164 * callbacks are provided by INFRA_SSL_TICKET_C. 1165 * 1166 * Comment this macro to disable support for SSL session tickets 1167 */ 1168 #define INFRA_SSL_SESSION_TICKETS 1169 1170 /** 1171 * \def INFRA_SSL_EXPORT_KEYS 1172 * 1173 * Enable support for exporting key block and master secret. 1174 * This is required for certain users of TLS, e.g. EAP-TLS. 1175 * 1176 * Comment this macro to disable support for key export 1177 */ 1178 1179 /** 1180 * \def INFRA_SSL_SERVER_NAME_INDICATION 1181 * 1182 * Enable support for RFC 6066 server name indication (SNI) in SSL. 1183 * 1184 * Requires: INFRA_X509_CRT_PARSE_C 1185 * 1186 * Comment this macro to disable support for server name indication in SSL 1187 */ 1188 1189 /** 1190 * \def INFRA_SSL_TRUNCATED_HMAC 1191 * 1192 * Enable support for RFC 6066 truncated HMAC in SSL. 1193 * 1194 * Comment this macro to disable support for truncated HMAC in SSL 1195 */ 1196 1197 /** 1198 * \def INFRA_THREADING_ALT 1199 * 1200 * Provide your own alternate threading implementation. 1201 * 1202 * Requires: INFRA_THREADING_C 1203 * 1204 * Uncomment this to allow your own alternate threading implementation. 1205 */ 1206 1207 /** 1208 * \def INFRA_THREADING_PTHREAD 1209 * 1210 * Enable the pthread wrapper layer for the threading layer. 1211 * 1212 * Requires: INFRA_THREADING_C 1213 * 1214 * Uncomment this to enable pthread mutexes. 1215 */ 1216 1217 /** 1218 * \def INFRA_VERSION_FEATURES 1219 * 1220 * Allow run-time checking of compile-time enabled features. Thus allowing users 1221 * to check at run-time if the library is for instance compiled with threading 1222 * support via mbedtls_version_check_feature(). 1223 * 1224 * Requires: INFRA_VERSION_C 1225 * 1226 * Comment this to disable run-time checking and save ROM space 1227 */ 1228 1229 /** 1230 * \def INFRA_X509_ALLOW_EXTENSIONS_NON_V3 1231 * 1232 * If set, the X509 parser will not break-off when parsing an X509 certificate 1233 * and encountering an extension in a v1 or v2 certificate. 1234 * 1235 * Uncomment to prevent an error. 1236 */ 1237 1238 /** 1239 * \def INFRA_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION 1240 * 1241 * If set, the X509 parser will not break-off when parsing an X509 certificate 1242 * and encountering an unknown critical extension. 1243 * 1244 * \warning Depending on your PKI use, enabling this can be a security risk! 1245 * 1246 * Uncomment to prevent an error. 1247 */ 1248 1249 /** 1250 * \def INFRA_X509_CHECK_KEY_USAGE 1251 * 1252 * Enable verification of the keyUsage extension (CA and leaf certificates). 1253 * 1254 * Disabling this avoids problems with mis-issued and/or misused 1255 * (intermediate) CA and leaf certificates. 1256 * 1257 * \warning Depending on your PKI use, disabling this can be a security risk! 1258 * 1259 * Comment to skip keyUsage checking for both CA and leaf certificates. 1260 */ 1261 #define INFRA_X509_CHECK_KEY_USAGE 1262 1263 /** 1264 * \def INFRA_X509_CHECK_EXTENDED_KEY_USAGE 1265 * 1266 * Enable verification of the extendedKeyUsage extension (leaf certificates). 1267 * 1268 * Disabling this avoids problems with mis-issued and/or misused certificates. 1269 * 1270 * \warning Depending on your PKI use, disabling this can be a security risk! 1271 * 1272 * Comment to skip extendedKeyUsage checking for certificates. 1273 */ 1274 #define INFRA_X509_CHECK_EXTENDED_KEY_USAGE 1275 1276 /** 1277 * \def INFRA_X509_RSASSA_PSS_SUPPORT 1278 * 1279 * Enable parsing and verification of X.509 certificates, CRLs and CSRS 1280 * signed with RSASSA-PSS (aka PKCS#1 v2.1). 1281 * 1282 * Comment this macro to disallow using RSASSA-PSS in certificates. 1283 */ 1284 1285 /** 1286 * \def INFRA_ZLIB_SUPPORT 1287 * 1288 * If set, the SSL/TLS module uses ZLIB to support compression and 1289 * decompression of packet data. 1290 * 1291 * \warning TLS-level compression MAY REDUCE SECURITY! See for example the 1292 * CRIME attack. Before enabling this option, you should examine with care if 1293 * CRIME or similar exploits may be a applicable to your use case. 1294 * 1295 * \note Currently compression can't be used with DTLS. 1296 * 1297 * Used in: library/ssl_tls.c 1298 * library/ssl_cli.c 1299 * library/ssl_srv.c 1300 * 1301 * This feature requires zlib library and headers to be present. 1302 * 1303 * Uncomment to enable use of ZLIB 1304 */ 1305 /* \} name SECTION: mbed TLS feature support */ 1306 1307 /** 1308 * \name SECTION: mbed TLS modules 1309 * 1310 * This section enables or disables entire modules in mbed TLS 1311 * \{ 1312 */ 1313 1314 /** 1315 * \def INFRA_AESNI_C 1316 * 1317 * Enable AES-NI support on x86-64. 1318 * 1319 * Module: library/aesni.c 1320 * Caller: library/aes.c 1321 * 1322 * Requires: INFRA_HAVE_ASM 1323 * 1324 * This modules adds support for the AES-NI instructions on x86-64 1325 */ 1326 1327 /** 1328 * \def INFRA_AES_C 1329 * 1330 * Enable the AES block cipher. 1331 * 1332 * Module: library/aes.c 1333 * Caller: library/ssl_tls.c 1334 * library/pem.c 1335 * library/ctr_drbg.c 1336 * 1337 * This module enables the following ciphersuites (if other requisites are 1338 * enabled as well): 1339 * INFRA_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 1340 * INFRA_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 1341 * INFRA_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 1342 * INFRA_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 1343 * INFRA_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 1344 * INFRA_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 1345 * INFRA_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 1346 * INFRA_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 1347 * INFRA_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 1348 * INFRA_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 1349 * INFRA_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 1350 * INFRA_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 1351 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 1352 * INFRA_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 1353 * INFRA_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 1354 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 1355 * INFRA_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 1356 * INFRA_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 1357 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 1358 * INFRA_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 1359 * INFRA_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 1360 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 1361 * INFRA_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 1362 * INFRA_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 1363 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 1364 * INFRA_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 1365 * INFRA_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 1366 * INFRA_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 1367 * INFRA_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 1368 * INFRA_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 1369 * INFRA_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 1370 * INFRA_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 1371 * INFRA_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 1372 * INFRA_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 1373 * INFRA_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 1374 * INFRA_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 1375 * INFRA_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 1376 * INFRA_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 1377 * INFRA_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 1378 * INFRA_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 1379 * INFRA_TLS_RSA_WITH_AES_256_GCM_SHA384 1380 * INFRA_TLS_RSA_WITH_AES_256_CBC_SHA256 1381 * INFRA_TLS_RSA_WITH_AES_256_CBC_SHA 1382 * INFRA_TLS_RSA_WITH_AES_128_GCM_SHA256 1383 * INFRA_TLS_RSA_WITH_AES_128_CBC_SHA256 1384 * INFRA_TLS_RSA_WITH_AES_128_CBC_SHA 1385 * INFRA_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 1386 * INFRA_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 1387 * INFRA_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 1388 * INFRA_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 1389 * INFRA_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 1390 * INFRA_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 1391 * INFRA_TLS_PSK_WITH_AES_256_GCM_SHA384 1392 * INFRA_TLS_PSK_WITH_AES_256_CBC_SHA384 1393 * INFRA_TLS_PSK_WITH_AES_256_CBC_SHA 1394 * INFRA_TLS_PSK_WITH_AES_128_GCM_SHA256 1395 * INFRA_TLS_PSK_WITH_AES_128_CBC_SHA256 1396 * INFRA_TLS_PSK_WITH_AES_128_CBC_SHA 1397 * 1398 * PEM_PARSE uses AES for decrypting encrypted keys. 1399 */ 1400 #define INFRA_AES_C 1401 1402 /** 1403 * \def INFRA_ARC4_C 1404 * 1405 * Enable the ARCFOUR stream cipher. 1406 * 1407 * Module: library/arc4.c 1408 * Caller: library/ssl_tls.c 1409 * 1410 * This module enables the following ciphersuites (if other requisites are 1411 * enabled as well): 1412 * INFRA_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 1413 * INFRA_TLS_ECDH_RSA_WITH_RC4_128_SHA 1414 * INFRA_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 1415 * INFRA_TLS_ECDHE_RSA_WITH_RC4_128_SHA 1416 * INFRA_TLS_ECDHE_PSK_WITH_RC4_128_SHA 1417 * INFRA_TLS_DHE_PSK_WITH_RC4_128_SHA 1418 * INFRA_TLS_RSA_WITH_RC4_128_SHA 1419 * INFRA_TLS_RSA_WITH_RC4_128_MD5 1420 * INFRA_TLS_RSA_PSK_WITH_RC4_128_SHA 1421 * INFRA_TLS_PSK_WITH_RC4_128_SHA 1422 */ 1423 1424 /** 1425 * \def INFRA_ASN1_PARSE_C 1426 * 1427 * Enable the generic ASN1 parser. 1428 * 1429 * Module: library/asn1.c 1430 * Caller: library/x509.c 1431 * library/dhm.c 1432 * library/pkcs12.c 1433 * library/pkcs5.c 1434 * library/pkparse.c 1435 */ 1436 #define INFRA_ASN1_PARSE_C 1437 1438 /** 1439 * \def INFRA_ASN1_WRITE_C 1440 * 1441 * Enable the generic ASN1 writer. 1442 * 1443 * Module: library/asn1write.c 1444 * Caller: library/ecdsa.c 1445 * library/pkwrite.c 1446 * library/x509_create.c 1447 * library/x509write_crt.c 1448 * library/x509write_csr.c 1449 */ 1450 1451 /** 1452 * \def INFRA_BASE64_C 1453 * 1454 * Enable the Base64 module. 1455 * 1456 * Module: library/base64.c 1457 * Caller: library/pem.c 1458 * 1459 * This module is required for PEM support (required by X.509). 1460 */ 1461 #define INFRA_BASE64_C 1462 1463 /** 1464 * \def INFRA_BIGNUM_C 1465 * 1466 * Enable the multi-precision integer library. 1467 * 1468 * Module: library/bignum.c 1469 * Caller: library/dhm.c 1470 * library/ecp.c 1471 * library/ecdsa.c 1472 * library/rsa.c 1473 * library/ssl_tls.c 1474 * 1475 * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. 1476 */ 1477 #define INFRA_BIGNUM_C 1478 1479 /** 1480 * \def INFRA_BLOWFISH_C 1481 * 1482 * Enable the Blowfish block cipher. 1483 * 1484 * Module: library/blowfish.c 1485 */ 1486 1487 /** 1488 * \def INFRA_CAMELLIA_C 1489 * 1490 * Enable the Camellia block cipher. 1491 * 1492 * Module: library/camellia.c 1493 * Caller: library/ssl_tls.c 1494 * 1495 * This module enables the following ciphersuites (if other requisites are 1496 * enabled as well): 1497 * INFRA_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 1498 * INFRA_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 1499 * INFRA_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 1500 * INFRA_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 1501 * INFRA_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 1502 * INFRA_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 1503 * INFRA_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 1504 * INFRA_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 1505 * INFRA_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 1506 * INFRA_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 1507 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 1508 * INFRA_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 1509 * INFRA_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 1510 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 1511 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 1512 * INFRA_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 1513 * INFRA_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 1514 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 1515 * INFRA_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 1516 * INFRA_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 1517 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 1518 * INFRA_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 1519 * INFRA_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 1520 * INFRA_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 1521 * INFRA_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 1522 * INFRA_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 1523 * INFRA_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 1524 * INFRA_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 1525 * INFRA_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 1526 * INFRA_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 1527 * INFRA_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 1528 * INFRA_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 1529 * INFRA_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 1530 * INFRA_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 1531 * INFRA_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 1532 * INFRA_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 1533 * INFRA_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 1534 * INFRA_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 1535 * INFRA_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 1536 * INFRA_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 1537 * INFRA_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 1538 * INFRA_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 1539 */ 1540 1541 /** 1542 * \def INFRA_CCM_C 1543 * 1544 * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. 1545 * 1546 * Module: library/ccm.c 1547 * 1548 * Requires: INFRA_AES_C or INFRA_CAMELLIA_C 1549 * 1550 * This module enables the AES-CCM ciphersuites, if other requisites are 1551 * enabled as well. 1552 */ 1553 1554 /** 1555 * \def INFRA_CERTS_C 1556 * 1557 * Enable the test certificates. 1558 * 1559 * Module: library/certs.c 1560 * Caller: 1561 * 1562 * This module is used for testing (ssl_client/server). 1563 */ 1564 #define INFRA_CERTS_C 1565 1566 /** 1567 * \def INFRA_CIPHER_C 1568 * 1569 * Enable the generic cipher layer. 1570 * 1571 * Module: library/cipher.c 1572 * Caller: library/ssl_tls.c 1573 * 1574 * Uncomment to enable generic cipher wrappers. 1575 */ 1576 #define INFRA_CIPHER_C 1577 1578 /** 1579 * \def INFRA_CMAC_C 1580 * 1581 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block 1582 * ciphers. 1583 * 1584 * Module: library/cmac.c 1585 * 1586 * Requires: INFRA_AES_C or INFRA_DES_C 1587 * 1588 */ 1589 1590 /** 1591 * \def INFRA_CTR_DRBG_C 1592 * 1593 * Enable the CTR_DRBG AES-256-based random generator. 1594 * 1595 * Module: library/ctr_drbg.c 1596 * Caller: 1597 * 1598 * Requires: INFRA_AES_C 1599 * 1600 * This module provides the CTR_DRBG AES-256 random number generator. 1601 */ 1602 #define INFRA_CTR_DRBG_C 1603 1604 /** 1605 * \def INFRA_DEBUG_C 1606 * 1607 * Enable the debug functions. 1608 * 1609 * Module: library/debug.c 1610 * Caller: library/ssl_cli.c 1611 * library/ssl_srv.c 1612 * library/ssl_tls.c 1613 * 1614 * This module provides debugging functions. 1615 */ 1616 #define INFRA_DEBUG_C 1617 1618 /** 1619 * \def INFRA_DES_C 1620 * 1621 * Enable the DES block cipher. 1622 * 1623 * Module: library/des.c 1624 * Caller: library/pem.c 1625 * library/ssl_tls.c 1626 * 1627 * This module enables the following ciphersuites (if other requisites are 1628 * enabled as well): 1629 * INFRA_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 1630 * INFRA_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 1631 * INFRA_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 1632 * INFRA_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 1633 * INFRA_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 1634 * INFRA_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 1635 * INFRA_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 1636 * INFRA_TLS_RSA_WITH_3DES_EDE_CBC_SHA 1637 * INFRA_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 1638 * INFRA_TLS_PSK_WITH_3DES_EDE_CBC_SHA 1639 * 1640 * PEM_PARSE uses DES/3DES for decrypting encrypted keys. 1641 */ 1642 1643 /** 1644 * \def INFRA_DHM_C 1645 * 1646 * Enable the Diffie-Hellman-Merkle module. 1647 * 1648 * Module: library/dhm.c 1649 * Caller: library/ssl_cli.c 1650 * library/ssl_srv.c 1651 * 1652 * This module is used by the following key exchanges: 1653 * DHE-RSA, DHE-PSK 1654 */ 1655 1656 /** 1657 * \def INFRA_ECDH_C 1658 * 1659 * Enable the elliptic curve Diffie-Hellman library. 1660 * 1661 * Module: library/ecdh.c 1662 * Caller: library/ssl_cli.c 1663 * library/ssl_srv.c 1664 * 1665 * This module is used by the following key exchanges: 1666 * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK 1667 * 1668 * Requires: INFRA_ECP_C 1669 */ 1670 1671 /** 1672 * \def INFRA_ECDSA_C 1673 * 1674 * Enable the elliptic curve DSA library. 1675 * 1676 * Module: library/ecdsa.c 1677 * Caller: 1678 * 1679 * This module is used by the following key exchanges: 1680 * ECDHE-ECDSA 1681 * 1682 * Requires: INFRA_ECP_C, INFRA_ASN1_WRITE_C, INFRA_ASN1_PARSE_C 1683 */ 1684 1685 /** 1686 * \def INFRA_ECJPAKE_C 1687 * 1688 * Enable the elliptic curve J-PAKE library. 1689 * 1690 * \warning This is currently experimental. EC J-PAKE support is based on the 1691 * Thread v1.0.0 specification; incompatible changes to the specification 1692 * might still happen. For this reason, this is disabled by default. 1693 * 1694 * Module: library/ecjpake.c 1695 * Caller: 1696 * 1697 * This module is used by the following key exchanges: 1698 * ECJPAKE 1699 * 1700 * Requires: INFRA_ECP_C, INFRA_MD_C 1701 */ 1702 1703 /** 1704 * \def INFRA_ECP_C 1705 * 1706 * Enable the elliptic curve over GF(p) library. 1707 * 1708 * Module: library/ecp.c 1709 * Caller: library/ecdh.c 1710 * library/ecdsa.c 1711 * library/ecjpake.c 1712 * 1713 * Requires: INFRA_BIGNUM_C and at least one INFRA_ECP_DP_XXX_ENABLED 1714 */ 1715 1716 /** 1717 * \def INFRA_ENTROPY_C 1718 * 1719 * Enable the platform-specific entropy code. 1720 * 1721 * Module: library/entropy.c 1722 * Caller: 1723 * 1724 * Requires: INFRA_SHA512_C or INFRA_SHA256_C 1725 * 1726 * This module provides a generic entropy pool 1727 */ 1728 #define INFRA_ENTROPY_C 1729 1730 /** 1731 * \def INFRA_ERROR_C 1732 * 1733 * Enable error code to error string conversion. 1734 * 1735 * Module: library/error.c 1736 * Caller: 1737 * 1738 * This module enables mbedtls_strerror(). 1739 */ 1740 #define INFRA_ERROR_C 1741 1742 /** 1743 * \def INFRA_GCM_C 1744 * 1745 * Enable the Galois/Counter Mode (GCM) for AES. 1746 * 1747 * Module: library/gcm.c 1748 * 1749 * Requires: INFRA_AES_C or INFRA_CAMELLIA_C 1750 * 1751 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other 1752 * requisites are enabled as well. 1753 */ 1754 1755 /** 1756 * \def INFRA_HAVEGE_C 1757 * 1758 * Enable the HAVEGE random generator. 1759 * 1760 * Warning: the HAVEGE random generator is not suitable for virtualized 1761 * environments 1762 * 1763 * Warning: the HAVEGE random generator is dependent on timing and specific 1764 * processor traits. It is therefore not advised to use HAVEGE as 1765 * your applications primary random generator or primary entropy pool 1766 * input. As a secondary input to your entropy pool, it IS able add 1767 * the (limited) extra entropy it provides. 1768 * 1769 * Module: library/havege.c 1770 * Caller: 1771 * 1772 * Requires: INFRA_TIMING_C 1773 * 1774 * Uncomment to enable the HAVEGE random generator. 1775 */ 1776 1777 /** 1778 * \def INFRA_HMAC_DRBG_C 1779 * 1780 * Enable the HMAC_DRBG random generator. 1781 * 1782 * Module: library/hmac_drbg.c 1783 * Caller: 1784 * 1785 * Requires: INFRA_MD_C 1786 * 1787 * Uncomment to enable the HMAC_DRBG random number geerator. 1788 */ 1789 1790 /** 1791 * \def INFRA_MD_C 1792 * 1793 * Enable the generic message digest layer. 1794 * 1795 * Module: library/md.c 1796 * Caller: 1797 * 1798 * Uncomment to enable generic message digest wrappers. 1799 */ 1800 #define INFRA_MD_C 1801 1802 /** 1803 * \def INFRA_MD2_C 1804 * 1805 * Enable the MD2 hash algorithm. 1806 * 1807 * Module: library/md2.c 1808 * Caller: 1809 * 1810 * Uncomment to enable support for (rare) MD2-signed X.509 certs. 1811 */ 1812 1813 /** 1814 * \def INFRA_MD4_C 1815 * 1816 * Enable the MD4 hash algorithm. 1817 * 1818 * Module: library/md4.c 1819 * Caller: 1820 * 1821 * Uncomment to enable support for (rare) MD4-signed X.509 certs. 1822 */ 1823 1824 /** 1825 * \def INFRA_MD5_C 1826 * 1827 * Enable the MD5 hash algorithm. 1828 * 1829 * Module: library/md5.c 1830 * Caller: library/md.c 1831 * library/pem.c 1832 * library/ssl_tls.c 1833 * 1834 * This module is required for SSL/TLS and X.509. 1835 * PEM_PARSE uses MD5 for decrypting encrypted keys. 1836 */ 1837 1838 /** 1839 * \def INFRA_MEMORY_BUFFER_ALLOC_C 1840 * 1841 * Enable the buffer allocator implementation that makes use of a (stack) 1842 * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() 1843 * calls) 1844 * 1845 * Module: library/memory_buffer_alloc.c 1846 * 1847 * Requires: INFRA_PLATFORM_C 1848 * INFRA_PLATFORM_MEMORY (to use it within mbed TLS) 1849 * 1850 * Enable this module to enable the buffer memory allocator. 1851 */ 1852 1853 /** 1854 * \def INFRA_NET_C 1855 * 1856 * Enable the TCP and UDP over IPv6/IPv4 networking routines. 1857 * 1858 * \note This module only works on POSIX/Unix (including Linux, BSD and OS X) 1859 * and Windows. For other platforms, you'll want to disable it, and write your 1860 * own networking callbacks to be passed to \c mbedtls_ssl_set_bio(). 1861 * 1862 * \note See also our Knowledge Base article about porting to a new 1863 * environment: 1864 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 1865 * 1866 * Module: library/net_sockets.c 1867 * 1868 * This module provides networking routines. 1869 */ 1870 #define INFRA_NET_C 1871 1872 /** 1873 * \def INFRA_OID_C 1874 * 1875 * Enable the OID database. 1876 * 1877 * Module: library/oid.c 1878 * Caller: library/asn1write.c 1879 * library/pkcs5.c 1880 * library/pkparse.c 1881 * library/pkwrite.c 1882 * library/rsa.c 1883 * library/x509.c 1884 * library/x509_create.c 1885 * library/x509_crl.c 1886 * library/x509_crt.c 1887 * library/x509_csr.c 1888 * library/x509write_crt.c 1889 * library/x509write_csr.c 1890 * 1891 * This modules translates between OIDs and internal values. 1892 */ 1893 #define INFRA_OID_C 1894 1895 /** 1896 * \def INFRA_PADLOCK_C 1897 * 1898 * Enable VIA Padlock support on x86. 1899 * 1900 * Module: library/padlock.c 1901 * Caller: library/aes.c 1902 * 1903 * Requires: INFRA_HAVE_ASM 1904 * 1905 * This modules adds support for the VIA PadLock on x86. 1906 */ 1907 1908 /** 1909 * \def INFRA_PEM_PARSE_C 1910 * 1911 * Enable PEM decoding / parsing. 1912 * 1913 * Module: library/pem.c 1914 * Caller: library/dhm.c 1915 * library/pkparse.c 1916 * library/x509_crl.c 1917 * library/x509_crt.c 1918 * library/x509_csr.c 1919 * 1920 * Requires: INFRA_BASE64_C 1921 * 1922 * This modules adds support for decoding / parsing PEM files. 1923 */ 1924 #define INFRA_PEM_PARSE_C 1925 1926 /** 1927 * \def INFRA_PEM_WRITE_C 1928 * 1929 * Enable PEM encoding / writing. 1930 * 1931 * Module: library/pem.c 1932 * Caller: library/pkwrite.c 1933 * library/x509write_crt.c 1934 * library/x509write_csr.c 1935 * 1936 * Requires: INFRA_BASE64_C 1937 * 1938 * This modules adds support for encoding / writing PEM files. 1939 */ 1940 1941 /** 1942 * \def INFRA_PK_C 1943 * 1944 * Enable the generic public (asymetric) key layer. 1945 * 1946 * Module: library/pk.c 1947 * Caller: library/ssl_tls.c 1948 * library/ssl_cli.c 1949 * library/ssl_srv.c 1950 * 1951 * Requires: INFRA_RSA_C or INFRA_ECP_C 1952 * 1953 * Uncomment to enable generic public key wrappers. 1954 */ 1955 #define INFRA_PK_C 1956 1957 /** 1958 * \def INFRA_PK_PARSE_C 1959 * 1960 * Enable the generic public (asymetric) key parser. 1961 * 1962 * Module: library/pkparse.c 1963 * Caller: library/x509_crt.c 1964 * library/x509_csr.c 1965 * 1966 * Requires: INFRA_PK_C 1967 * 1968 * Uncomment to enable generic public key parse functions. 1969 */ 1970 #define INFRA_PK_PARSE_C 1971 1972 /** 1973 * \def INFRA_PK_WRITE_C 1974 * 1975 * Enable the generic public (asymetric) key writer. 1976 * 1977 * Module: library/pkwrite.c 1978 * Caller: library/x509write.c 1979 * 1980 * Requires: INFRA_PK_C 1981 * 1982 * Uncomment to enable generic public key write functions. 1983 */ 1984 1985 /** 1986 * \def INFRA_PKCS5_C 1987 * 1988 * Enable PKCS#5 functions. 1989 * 1990 * Module: library/pkcs5.c 1991 * 1992 * Requires: INFRA_MD_C 1993 * 1994 * This module adds support for the PKCS#5 functions. 1995 */ 1996 1997 /** 1998 * \def INFRA_PKCS11_C 1999 * 2000 * Enable wrapper for PKCS#11 smartcard support. 2001 * 2002 * Module: library/pkcs11.c 2003 * Caller: library/pk.c 2004 * 2005 * Requires: INFRA_PK_C 2006 * 2007 * This module enables SSL/TLS PKCS #11 smartcard support. 2008 * Requires the presence of the PKCS#11 helper library (libpkcs11-helper) 2009 */ 2010 2011 /** 2012 * \def INFRA_PKCS12_C 2013 * 2014 * Enable PKCS#12 PBE functions. 2015 * Adds algorithms for parsing PKCS#8 encrypted private keys 2016 * 2017 * Module: library/pkcs12.c 2018 * Caller: library/pkparse.c 2019 * 2020 * Requires: INFRA_ASN1_PARSE_C, INFRA_CIPHER_C, INFRA_MD_C 2021 * Can use: INFRA_ARC4_C 2022 * 2023 * This module enables PKCS#12 functions. 2024 */ 2025 2026 /** 2027 * \def INFRA_PLATFORM_C 2028 * 2029 * Enable the platform abstraction layer that allows you to re-assign 2030 * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). 2031 * 2032 * Enabling INFRA_PLATFORM_C enables to use of INFRA_PLATFORM_XXX_ALT 2033 * or INFRA_PLATFORM_XXX_MACRO directives, allowing the functions mentioned 2034 * above to be specified at runtime or compile time respectively. 2035 * 2036 * \note This abstraction layer must be enabled on Windows (including MSYS2) 2037 * as other module rely on it for a fixed snprintf implementation. 2038 * 2039 * Module: library/platform.c 2040 * Caller: Most other .c files 2041 * 2042 * This module enables abstraction of common (libc) functions. 2043 */ 2044 #define INFRA_PLATFORM_C 2045 2046 /** 2047 * \def INFRA_RIPEMD160_C 2048 * 2049 * Enable the RIPEMD-160 hash algorithm. 2050 * 2051 * Module: library/ripemd160.c 2052 * Caller: library/md.c 2053 * 2054 */ 2055 2056 /** 2057 * \def INFRA_RSA_C 2058 * 2059 * Enable the RSA public-key cryptosystem. 2060 * 2061 * Module: library/rsa.c 2062 * Caller: library/ssl_cli.c 2063 * library/ssl_srv.c 2064 * library/ssl_tls.c 2065 * library/x509.c 2066 * 2067 * This module is used by the following key exchanges: 2068 * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK 2069 * 2070 * Requires: INFRA_BIGNUM_C, INFRA_OID_C 2071 */ 2072 #define INFRA_RSA_C 2073 2074 /** 2075 * \def INFRA_SHA1_C 2076 * 2077 * Enable the SHA1 cryptographic hash algorithm. 2078 * 2079 * Module: library/sha1.c 2080 * Caller: library/md.c 2081 * library/ssl_cli.c 2082 * library/ssl_srv.c 2083 * library/ssl_tls.c 2084 * library/x509write_crt.c 2085 * 2086 * This module is required for SSL/TLS and SHA1-signed certificates. 2087 */ 2088 #define INFRA_SHA1_C 2089 2090 /** 2091 * \def INFRA_SHA256_C 2092 * 2093 * Enable the SHA-224 and SHA-256 cryptographic hash algorithms. 2094 * 2095 * Module: library/sha256.c 2096 * Caller: library/entropy.c 2097 * library/md.c 2098 * library/ssl_cli.c 2099 * library/ssl_srv.c 2100 * library/ssl_tls.c 2101 * 2102 * This module adds support for SHA-224 and SHA-256. 2103 * This module is required for the SSL/TLS 1.2 PRF function. 2104 */ 2105 #define INFRA_SHA256_C 2106 2107 /** 2108 * \def INFRA_SHA512_C 2109 * 2110 * Enable the SHA-384 and SHA-512 cryptographic hash algorithms. 2111 * 2112 * Module: library/sha512.c 2113 * Caller: library/entropy.c 2114 * library/md.c 2115 * library/ssl_cli.c 2116 * library/ssl_srv.c 2117 * 2118 * This module adds support for SHA-384 and SHA-512. 2119 */ 2120 2121 /** 2122 * \def INFRA_SSL_CACHE_C 2123 * 2124 * Enable simple SSL cache implementation. 2125 * 2126 * Module: library/ssl_cache.c 2127 * Caller: 2128 * 2129 * Requires: INFRA_SSL_CACHE_C 2130 */ 2131 #define INFRA_SSL_CACHE_C 2132 2133 /** 2134 * \def INFRA_SSL_COOKIE_C 2135 * 2136 * Enable basic implementation of DTLS cookies for hello verification. 2137 * 2138 * Module: library/ssl_cookie.c 2139 * Caller: 2140 */ 2141 #define INFRA_SSL_COOKIE_C 2142 2143 /** 2144 * \def INFRA_SSL_TICKET_C 2145 * 2146 * Enable an implementation of TLS server-side callbacks for session tickets. 2147 * 2148 * Module: library/ssl_ticket.c 2149 * Caller: 2150 * 2151 * Requires: INFRA_CIPHER_C 2152 */ 2153 #define INFRA_SSL_TICKET_C 2154 2155 /** 2156 * \def INFRA_SSL_CLI_C 2157 * 2158 * Enable the SSL/TLS client code. 2159 * 2160 * Module: library/ssl_cli.c 2161 * Caller: 2162 * 2163 * Requires: INFRA_SSL_TLS_C 2164 * 2165 * This module is required for SSL/TLS client support. 2166 */ 2167 #define INFRA_SSL_CLI_C 2168 2169 /** 2170 * \def INFRA_SSL_SRV_C 2171 * 2172 * Enable the SSL/TLS server code. 2173 * 2174 * Module: library/ssl_srv.c 2175 * Caller: 2176 * 2177 * Requires: INFRA_SSL_TLS_C 2178 * 2179 * This module is required for SSL/TLS server support. 2180 */ 2181 2182 /** 2183 * \def INFRA_SSL_TLS_C 2184 * 2185 * Enable the generic SSL/TLS code. 2186 * 2187 * Module: library/ssl_tls.c 2188 * Caller: library/ssl_cli.c 2189 * library/ssl_srv.c 2190 * 2191 * Requires: INFRA_CIPHER_C, INFRA_MD_C 2192 * and at least one of the INFRA_SSL_PROTO_XXX defines 2193 * 2194 * This module is required for SSL/TLS. 2195 */ 2196 #define INFRA_SSL_TLS_C 2197 2198 /** 2199 * \def INFRA_THREADING_C 2200 * 2201 * Enable the threading abstraction layer. 2202 * By default mbed TLS assumes it is used in a non-threaded environment or that 2203 * contexts are not shared between threads. If you do intend to use contexts 2204 * between threads, you will need to enable this layer to prevent race 2205 * conditions. See also our Knowledge Base article about threading: 2206 * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading 2207 * 2208 * Module: library/threading.c 2209 * 2210 * This allows different threading implementations (self-implemented or 2211 * provided). 2212 * 2213 * You will have to enable either INFRA_THREADING_ALT or 2214 * INFRA_THREADING_PTHREAD. 2215 * 2216 * Enable this layer to allow use of mutexes within mbed TLS 2217 */ 2218 2219 /** 2220 * \def INFRA_TIMING_C 2221 * 2222 * Enable the semi-portable timing interface. 2223 * 2224 * \note The provided implementation only works on POSIX/Unix (including Linux, 2225 * BSD and OS X) and Windows. On other platforms, you can either disable that 2226 * module and provide your own implementations of the callbacks needed by 2227 * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide 2228 * your own implementation of the whole module by setting 2229 * \c INFRA_TIMING_ALT in the current file. 2230 * 2231 * \note See also our Knowledge Base article about porting to a new 2232 * environment: 2233 * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS 2234 * 2235 * Module: library/timing.c 2236 * Caller: library/havege.c 2237 * 2238 * This module is used by the HAVEGE random number generator. 2239 */ 2240 #define INFRA_TIMING_C 2241 2242 /** 2243 * \def INFRA_VERSION_C 2244 * 2245 * Enable run-time version information. 2246 * 2247 * Module: library/version.c 2248 * 2249 * This module provides run-time version information. 2250 */ 2251 2252 /** 2253 * \def INFRA_X509_USE_C 2254 * 2255 * Enable X.509 core for using certificates. 2256 * 2257 * Module: library/x509.c 2258 * Caller: library/x509_crl.c 2259 * library/x509_crt.c 2260 * library/x509_csr.c 2261 * 2262 * Requires: INFRA_ASN1_PARSE_C, INFRA_BIGNUM_C, INFRA_OID_C, 2263 * INFRA_PK_PARSE_C 2264 * 2265 * This module is required for the X.509 parsing modules. 2266 */ 2267 #define INFRA_X509_USE_C 2268 2269 /** 2270 * \def INFRA_X509_CRT_PARSE_C 2271 * 2272 * Enable X.509 certificate parsing. 2273 * 2274 * Module: library/x509_crt.c 2275 * Caller: library/ssl_cli.c 2276 * library/ssl_srv.c 2277 * library/ssl_tls.c 2278 * 2279 * Requires: INFRA_X509_USE_C 2280 * 2281 * This module is required for X.509 certificate parsing. 2282 */ 2283 #define INFRA_X509_CRT_PARSE_C 2284 2285 /** 2286 * \def INFRA_X509_CRL_PARSE_C 2287 * 2288 * Enable X.509 CRL parsing. 2289 * 2290 * Module: library/x509_crl.c 2291 * Caller: library/x509_crt.c 2292 * 2293 * Requires: INFRA_X509_USE_C 2294 * 2295 * This module is required for X.509 CRL parsing. 2296 */ 2297 2298 /** 2299 * \def INFRA_X509_CSR_PARSE_C 2300 * 2301 * Enable X.509 Certificate Signing Request (CSR) parsing. 2302 * 2303 * Module: library/x509_csr.c 2304 * Caller: library/x509_crt_write.c 2305 * 2306 * Requires: INFRA_X509_USE_C 2307 * 2308 * This module is used for reading X.509 certificate request. 2309 */ 2310 2311 /** 2312 * \def INFRA_X509_CREATE_C 2313 * 2314 * Enable X.509 core for creating certificates. 2315 * 2316 * Module: library/x509_create.c 2317 * 2318 * Requires: INFRA_BIGNUM_C, INFRA_OID_C, INFRA_PK_WRITE_C 2319 * 2320 * This module is the basis for creating X.509 certificates and CSRs. 2321 */ 2322 2323 /** 2324 * \def INFRA_X509_CRT_WRITE_C 2325 * 2326 * Enable creating X.509 certificates. 2327 * 2328 * Module: library/x509_crt_write.c 2329 * 2330 * Requires: INFRA_X509_CREATE_C 2331 * 2332 * This module is required for X.509 certificate creation. 2333 */ 2334 2335 /** 2336 * \def INFRA_X509_CSR_WRITE_C 2337 * 2338 * Enable creating X.509 Certificate Signing Requests (CSR). 2339 * 2340 * Module: library/x509_csr_write.c 2341 * 2342 * Requires: INFRA_X509_CREATE_C 2343 * 2344 * This module is required for X.509 certificate request writing. 2345 */ 2346 2347 /** 2348 * \def INFRA_XTEA_C 2349 * 2350 * Enable the XTEA block cipher. 2351 * 2352 * Module: library/xtea.c 2353 * Caller: 2354 */ 2355 2356 /* \} name SECTION: mbed TLS modules */ 2357 2358 /** 2359 * \name SECTION: Module configuration options 2360 * 2361 * This section allows for the setting of module specific sizes and 2362 * configuration options. The default values are already present in the 2363 * relevant header files and should suffice for the regular use cases. 2364 * 2365 * Our advice is to enable options and change their values here 2366 * only if you have a good reason and know the consequences. 2367 * 2368 * Please check the respective header file for documentation on these 2369 * parameters (to prevent duplicate documentation). 2370 * \{ 2371 */ 2372 2373 /* MPI / BIGNUM options */ 2374 2375 /* CTR_DRBG options */ 2376 2377 /* HMAC_DRBG options */ 2378 2379 /* ECP options */ 2380 2381 /* Entropy options */ 2382 2383 /* Memory buffer allocator options */ 2384 2385 /* Platform options */ 2386 /* Note: your snprintf must correclty zero-terminate the buffer! */ 2387 2388 /* To Use Function Macros INFRA_PLATFORM_C must be enabled */ 2389 /* INFRA_PLATFORM_XXX_MACRO and INFRA_PLATFORM_XXX_ALT cannot both be defined */ 2390 2391 /* SSL Cache options */ 2392 2393 /* SSL options */ 2394 2395 /** 2396 * Complete list of ciphersuites to use, in order of preference. 2397 * 2398 * \warning No dependency checking is done on that field! This option can only 2399 * be used to restrict the set of available ciphersuites. It is your 2400 * responsibility to make sure the needed modules are active. 2401 * 2402 * Use this to save a few hundred bytes of ROM (default ordering of all 2403 * available ciphersuites) and a few to a few hundred bytes of RAM. 2404 * 2405 * The value below is only an example, not the default. 2406 */ 2407 2408 /* X509 options */ 2409 2410 /* \} name SECTION: Customisation configuration options */ 2411 2412 /* Target and application specific configurations */ 2413 2414 #if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_INFRA_TARGET_CONFIG_FILE) 2415 #include YOTTA_CFG_INFRA_TARGET_CONFIG_FILE 2416 #endif 2417 2418 /* 2419 * Allow user to override any previous default. 2420 * 2421 * Use two macro names for that, as: 2422 * - with yotta the prefix YOTTA_CFG_ is forced 2423 * - without yotta is looks weird to have a YOTTA prefix. 2424 */ 2425 #if defined(YOTTA_CFG_INFRA_USER_CONFIG_FILE) 2426 #include YOTTA_CFG_INFRA_USER_CONFIG_FILE 2427 #elif defined(INFRA_USER_CONFIG_FILE) 2428 #include INFRA_USER_CONFIG_FILE 2429 #endif 2430 2431 #endif /* INFRA_AES_CONFIG_H */ 2432