- Generated on Fri Nov 15 2024 18:01:28 for TianoCore EDK2 by
1.9.6
|
TianoCore EDK2 master
|
#include <stddef.h>Go to the source code of this file.
SECTION: Module configuration options | |
This section allows for the setting of module specific sizes and configuration options. The default values are already present in the relevant header files and should suffice for the regular use cases. Our advice is to enable options and change their values here only if you have a good reason and know the consequences. | |
| #define | MBEDTLS_PLATFORM_MEMORY |
| #define | MBEDTLS_PLATFORM_PRINTF_MACRO my_printf |
| #define | MBEDTLS_PLATFORM_SNPRINTF_MACRO my_snprintf |
| #define | MBEDTLS_PLATFORM_MEMORY |
| #define | MBEDTLS_PLATFORM_CALLOC_MACRO mbedtls_calloc |
| #define | MBEDTLS_PLATFORM_FREE_MACRO mbedtls_free |
| int | my_printf (const char *fmt,...) |
| int | my_snprintf (char *str, long long size, const char *format,...) |
| void * | mbedtls_calloc (size_t n, size_t size) |
| void | mbedtls_free (void *ptr) |
mbedtls_config.h Configuration options (set of defines).
Copyright (c) 2023, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
Definition in file mbedtls_config.h.
| #define MBEDTLS_AES_C |
Enable the AES block cipher.
Module: library/aes.c Caller: library/cipher.c library/pem.c library/ctr_drbg.c
This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
PEM_PARSE uses AES for decrypting encrypted keys.
Definition at line 2086 of file mbedtls_config.h.
| #define MBEDTLS_ALLOW_PRIVATE_ACCESS |
Complete list of ciphersuites to use, in order of preference.
Use this to save a few hundred bytes of ROM (default ordering of all available ciphersuites) and a few to a few hundred bytes of RAM.
The value below is only an example, not the default. Uncomment the macro to let mbed TLS use your alternate implementation of mbedtls_platform_zeroize(). This replaces the default implementation in platform_util.c.
mbedtls_platform_zeroize() is a widely used function across the library to zero a block of memory. The implementation is expected to be secure in the sense that it has been written to prevent the compiler from removing calls to mbedtls_platform_zeroize() as part of redundant code elimination optimizations. However, it is difficult to guarantee that calls to mbedtls_platform_zeroize() will not be optimized by the compiler as older versions of the C language standards do not provide a secure implementation of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to configure their own implementation of mbedtls_platform_zeroize(), for example by using directives specific to their compiler, features from newer C standards (e.g using memset_s() in C11) or calling a secure memset() from their system (e.g explicit_bzero() in BSD). Uncomment the macro to let Mbed TLS use your alternate implementation of mbedtls_platform_gmtime_r(). This replaces the default implementation in platform_util.c.
gmtime() is not a thread-safe function as defined in the C standard. The library will try to use safer implementations of this function, such as gmtime_r() when available. However, if Mbed TLS cannot identify the target system, the implementation of mbedtls_platform_gmtime_r() will default to using the standard gmtime(). In this case, calls from the library to gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the library are also guarded with this mutex to avoid race conditions. However, if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will unconditionally use the implementation for mbedtls_platform_gmtime_r() supplied at compile time. Enable the verified implementations of ECDH primitives from Project Everest (currently only Curve25519). This feature changes the layout of ECDH contexts and therefore is a compatibility break for applications that access fields of a mbedtls_ecdh_context structure directly. See also MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h.
Definition at line 3823 of file mbedtls_config.h.
| #define MBEDTLS_ASN1_PARSE_C |
Enable the generic ASN1 parser.
Module: library/asn1.c Caller: library/x509.c library/dhm.c library/pkcs12.c library/pkcs5.c library/pkparse.c
Definition at line 2100 of file mbedtls_config.h.
| #define MBEDTLS_ASN1_WRITE_C |
Enable the generic ASN1 writer.
Module: library/asn1write.c Caller: library/ecdsa.c library/pkwrite.c library/x509_create.c library/x509write_crt.c library/x509write_csr.c
Definition at line 2114 of file mbedtls_config.h.
| #define MBEDTLS_BASE64_C |
Enable the Base64 module.
Module: library/base64.c Caller: library/pem.c
This module is required for PEM support (required by X.509).
Definition at line 2126 of file mbedtls_config.h.
| #define MBEDTLS_BIGNUM_C |
Enable the multi-precision integer library.
Module: library/bignum.c library/bignum_core.c library/bignum_mod.c library/bignum_mod_raw.c Caller: library/dhm.c library/ecp.c library/ecdsa.c library/rsa.c library/rsa_alt_helpers.c library/ssl_tls.c
This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
Definition at line 2146 of file mbedtls_config.h.
| #define MBEDTLS_CHACHA20_C |
Enable the ChaCha20 stream cipher.
Module: library/chacha20.c
Definition at line 2277 of file mbedtls_config.h.
| #define MBEDTLS_CHACHAPOLY_C |
Enable the ChaCha20-Poly1305 AEAD algorithm.
Module: library/chachapoly.c
This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
Definition at line 2288 of file mbedtls_config.h.
| #define MBEDTLS_CIPHER_C |
Enable the generic cipher layer.
Module: library/cipher.c Caller: library/ccm.c library/cmac.c library/gcm.c library/nist_kw.c library/pkcs12.c library/pkcs5.c library/psa_crypto_aead.c library/psa_crypto_mac.c library/ssl_ciphersuites.c library/ssl_msg.c library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled)
Uncomment to enable generic cipher wrappers.
Definition at line 2310 of file mbedtls_config.h.
| #define MBEDTLS_CIPHER_MODE_CBC |
Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
Definition at line 539 of file mbedtls_config.h.
| #define MBEDTLS_CTR_DRBG_C |
Enable the CTR_DRBG AES-based random generator. The CTR_DRBG generator uses AES-256 by default. To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
Module: library/ctr_drbg.c Caller:
Requires: MBEDTLS_AES_C
This module provides the CTR_DRBG AES random number generator.
Definition at line 2348 of file mbedtls_config.h.
| #define MBEDTLS_DHM_C |
Enable the Diffie-Hellman-Merkle module.
Module: library/dhm.c Caller: library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
This module is used by the following key exchanges: DHE-RSA, DHE-PSK
Definition at line 2401 of file mbedtls_config.h.
| #define MBEDTLS_ECDH_C |
Enable the elliptic curve Diffie-Hellman library.
Module: library/ecdh.c Caller: library/psa_crypto.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
This module is used by the following key exchanges: ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
Requires: MBEDTLS_ECP_C
Definition at line 2419 of file mbedtls_config.h.
| #define MBEDTLS_ECDSA_C |
Enable the elliptic curve DSA library.
Module: library/ecdsa.c Caller:
This module is used by the following key exchanges: ECDHE-ECDSA
Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C, and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a short Weierstrass curve.
Definition at line 2436 of file mbedtls_config.h.
| #define MBEDTLS_ECP_C |
Enable the elliptic curve over GF(p) library.
Module: library/ecp.c Caller: library/ecdh.c library/ecdsa.c library/ecjpake.c
Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
Definition at line 2477 of file mbedtls_config.h.
| #define MBEDTLS_ECP_DP_CURVE25519_ENABLED |
Definition at line 645 of file mbedtls_config.h.
| #define MBEDTLS_ECP_DP_CURVE448_ENABLED |
Definition at line 646 of file mbedtls_config.h.
| #define MBEDTLS_ECP_DP_SECP256R1_ENABLED |
Definition at line 635 of file mbedtls_config.h.
| #define MBEDTLS_ECP_DP_SECP384R1_ENABLED |
Definition at line 636 of file mbedtls_config.h.
| #define MBEDTLS_ECP_DP_SECP521R1_ENABLED |
Definition at line 637 of file mbedtls_config.h.
| #define MBEDTLS_ECP_NIST_OPTIM |
Enable specific 'modulo p' routines for each NIST prime. Depending on the prime and architecture, makes operations 4 to 8 times faster on the corresponding curve.
Comment this macro to disable NIST curves optimisation.
Definition at line 657 of file mbedtls_config.h.
| #define MBEDTLS_ECP_RESTARTABLE |
Enable "non-blocking" ECC operations that can return early and be resumed.
This allows various functions to pause by returning #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module, #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in order to further progress and eventually complete their operation. This is controlled through mbedtls_ecp_set_max_ops() which limits the maximum number of ECC operations a function may perform before pausing; see mbedtls_ecp_set_max_ops() for more information.
This is useful in non-threaded environments if you want to avoid blocking for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
Uncomment this macro to enable restartable ECC computations.
Definition at line 681 of file mbedtls_config.h.
| #define MBEDTLS_ENTROPY_C |
Enable the platform-specific entropy code.
Module: library/entropy.c Caller:
Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
This module provides a generic entropy pool
Definition at line 2491 of file mbedtls_config.h.
| #define MBEDTLS_ERROR_C |
Enable error code to error string conversion.
Module: library/error.c Caller:
This module enables mbedtls_strerror().
Definition at line 2503 of file mbedtls_config.h.
| #define MBEDTLS_ERROR_STRERROR_DUMMY |
Enable a dummy error function to make use of mbedtls_strerror() in third party libraries easier when MBEDTLS_ERROR_C is disabled (no effect when MBEDTLS_ERROR_C is enabled).
You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're not using mbedtls_strerror() or error_strerror() in your application.
Disable if you run into name conflicts and want to really remove the mbedtls_strerror()
Definition at line 979 of file mbedtls_config.h.
| #define MBEDTLS_GCM_C |
Enable the Galois/Counter Mode (GCM).
Module: library/gcm.c
Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C
This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other requisites are enabled as well.
Definition at line 2518 of file mbedtls_config.h.
| #define MBEDTLS_GENPRIME |
Enable the prime-number generation code.
Requires: MBEDTLS_BIGNUM_C
Definition at line 988 of file mbedtls_config.h.
| #define MBEDTLS_HAVE_ASM |
The compiler has support for asm().
Requires support for asm() in compiler.
Used in: library/aria.c library/bn_mul.h
Required by: MBEDTLS_AESNI_C MBEDTLS_PADLOCK_C
Comment to disable the use of assembly code.
Definition at line 42 of file mbedtls_config.h.
| #define MBEDTLS_HAVE_TIME |
System has time.h and time(). The time does not need to be correct, only time differences are used, by contrast with MBEDTLS_HAVE_TIME_DATE
Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and MBEDTLS_PLATFORM_STD_TIME.
Comment if your system does not support time functions.
Definition at line 121 of file mbedtls_config.h.
| #define MBEDTLS_HKDF_C |
Enable the HKDF algorithm (RFC 5869).
Module: library/hkdf.c Caller:
Requires: MBEDTLS_MD_C
This module adds support for the Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF).
Definition at line 2533 of file mbedtls_config.h.
| #define MBEDTLS_HMAC_DRBG_C |
Enable the HMAC_DRBG random generator.
Module: library/hmac_drbg.c Caller:
Requires: MBEDTLS_MD_C
Uncomment to enable the HMAC_DRBG random number generator.
Definition at line 2547 of file mbedtls_config.h.
| #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED |
Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_DHM_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 744 of file mbedtls_config.h.
| #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED |
Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
Definition at line 842 of file mbedtls_config.h.
| #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED |
Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
Definition at line 909 of file mbedtls_config.h.
| #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED |
Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
Definition at line 931 of file mbedtls_config.h.
| #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED |
Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 887 of file mbedtls_config.h.
| #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED |
Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 762 of file mbedtls_config.h.
| #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED |
Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 865 of file mbedtls_config.h.
| #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED |
Enable the PSK based ciphersuite modes in SSL / TLS.
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 715 of file mbedtls_config.h.
| #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED |
Enable the RSA-only based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
Definition at line 810 of file mbedtls_config.h.
| #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED |
Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 785 of file mbedtls_config.h.
| #define MBEDTLS_MD5_C |
Enable the MD5 hash algorithm.
Module: library/md5.c Caller: library/md.c library/pem.c library/ssl_tls.c
This module is required for TLS 1.2 depending on the handshake parameters. Further, it is used for checking MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded encrypted keys.
Definition at line 2639 of file mbedtls_config.h.
| #define MBEDTLS_MD_C |
Enable the generic message digest layer.
Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C, MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C, MBEDTLS_SHA512_C. Module: library/md.c Caller: library/constant_time.c library/ecdsa.c library/ecjpake.c library/hkdf.c library/hmac_drbg.c library/pk.c library/pkcs5.c library/pkcs12.c library/psa_crypto_ecp.c library/psa_crypto_rsa.c library/rsa.c library/ssl_cookie.c library/ssl_msg.c library/ssl_tls.c library/x509.c library/x509_crt.c library/x509write_crt.c library/x509write_csr.c
Uncomment to enable generic message digest wrappers.
Definition at line 2618 of file mbedtls_config.h.
| #define MBEDTLS_NET_C |
Enable the TCP and UDP over IPv6/IPv4 networking routines.
mbedtls_ssl_set_bio().Module: library/net_sockets.c
This module provides networking routines.
Definition at line 2674 of file mbedtls_config.h.
| #define MBEDTLS_NO_UDBL_DIVISION |
The platform lacks support for double-width integer division (64-bit division on a 32-bit platform, 128-bit division on a 64-bit platform).
Used in: include/mbedtls/bignum.h library/bignum.c
The bignum code uses double-width division to speed up some operations. Double-width division is often implemented in software that needs to be linked with the program. The presence of a double-width integer type is usually detected automatically through preprocessor macros, but the automatic detection cannot know whether the code needs to and can be linked with an implementation of division for that type. By default division is assumed to be usable if the type is present. Uncomment this option to prevent the use of double-width division.
Note that division for the native integer type is always required. Furthermore, a 64-bit type is always required even on a 32-bit platform, but it need not support multiplication or division. In some cases it is also desirable to disable some double-width operations. For example, if double-width division is implemented in software, disabling it can reduce code size in some embedded targets.
Definition at line 70 of file mbedtls_config.h.
| #define MBEDTLS_OID_C |
Enable the OID database.
Module: library/oid.c Caller: library/asn1write.c library/pkcs5.c library/pkparse.c library/pkwrite.c library/rsa.c library/x509.c library/x509_create.c library/x509_crl.c library/x509_crt.c library/x509_csr.c library/x509write_crt.c library/x509write_csr.c
This modules translates between OIDs and internal values.
Definition at line 2697 of file mbedtls_config.h.
| #define MBEDTLS_PEM_PARSE_C |
Enable PEM decoding / parsing.
Module: library/pem.c Caller: library/dhm.c library/pkparse.c library/x509_crl.c library/x509_crt.c library/x509_csr.c
Requires: MBEDTLS_BASE64_C
This modules adds support for decoding / parsing PEM files.
Definition at line 2729 of file mbedtls_config.h.
| #define MBEDTLS_PEM_WRITE_C |
Enable PEM encoding / writing.
Module: library/pem.c Caller: library/pkwrite.c library/x509write_crt.c library/x509write_csr.c
Requires: MBEDTLS_BASE64_C
This modules adds support for encoding / writing PEM files.
Definition at line 2745 of file mbedtls_config.h.
| #define MBEDTLS_PK_C |
Enable the generic public (asymmetric) key layer.
Module: library/pk.c Caller: library/psa_crypto_rsa.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c library/x509.c
Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C
Uncomment to enable generic public key wrappers.
Definition at line 2763 of file mbedtls_config.h.
| #define MBEDTLS_PK_PARSE_C |
Enable the generic public (asymmetric) key parser.
Module: library/pkparse.c Caller: library/x509_crt.c library/x509_csr.c
Requires: MBEDTLS_PK_C
Uncomment to enable generic public key parse functions.
Definition at line 2778 of file mbedtls_config.h.
| #define MBEDTLS_PK_WRITE_C |
Enable the generic public (asymmetric) key writer.
Module: library/pkwrite.c Caller: library/x509write.c
Requires: MBEDTLS_PK_C
Uncomment to enable generic public key write functions.
Definition at line 2792 of file mbedtls_config.h.
| #define MBEDTLS_PKCS1_V15 |
Enable support for PKCS#1 v1.5 encoding.
Requires: MBEDTLS_RSA_C
This enables support for PKCS#1 v1.5 operations.
Definition at line 1119 of file mbedtls_config.h.
| #define MBEDTLS_PKCS1_V21 |
Enable support for PKCS#1 v2.1 encoding.
Requires: MBEDTLS_RSA_C and (MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C).
This enables support for RSAES-OAEP and RSASSA-PSS operations.
Definition at line 1138 of file mbedtls_config.h.
| #define MBEDTLS_PKCS5_C |
Enable PKCS#5 functions.
Module: library/pkcs5.c
Requires: MBEDTLS_CIPHER_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C.
This module adds support for the PKCS#5 functions.
Definition at line 2813 of file mbedtls_config.h.
| #define MBEDTLS_PKCS7_C |
This feature is a work in progress and not ready for production. Testing and validation is incomplete, and handling of malformed inputs may not be robust. The API may change.
Enable PKCS7 core for using PKCS7 formatted signatures. RFC Link - https://tools.ietf.org/html/rfc2315
Module: library/pkcs7.c
Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_MD_C
This module is required for the PKCS7 parsing modules.
Definition at line 2833 of file mbedtls_config.h.
| #define MBEDTLS_PLATFORM_C |
Enable the platform abstraction layer that allows you to re-assign functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned above to be specified at runtime or compile time respectively.
Module: library/platform.c Caller: Most other .c files
This module enables abstraction of common (libc) functions.
Definition at line 2877 of file mbedtls_config.h.
| #define MBEDTLS_PLATFORM_CALLOC_MACRO mbedtls_calloc |
Definition at line 3607 of file mbedtls_config.h.
| #define MBEDTLS_PLATFORM_FPRINTF_ALT |
Definition at line 213 of file mbedtls_config.h.
| #define MBEDTLS_PLATFORM_FREE_MACRO mbedtls_free |
Definition at line 3608 of file mbedtls_config.h.
| #define MBEDTLS_PLATFORM_MEMORY |
Enable the memory allocation layer.
By default mbed TLS uses the system-provided calloc() and free(). This allows different allocators (self-implemented or provided) to be provided to the platform abstraction layer.
Enabling MBEDTLS_PLATFORM_MEMORY without the MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and free() function pointer at runtime.
Enabling MBEDTLS_PLATFORM_MEMORY and specifying MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the alternate function at compile time.
Requires: MBEDTLS_PLATFORM_C
Enable this layer to allow use of alternative memory allocators.
Definition at line 3594 of file mbedtls_config.h.
| #define MBEDTLS_PLATFORM_MEMORY |
Enable the memory allocation layer.
By default mbed TLS uses the system-provided calloc() and free(). This allows different allocators (self-implemented or provided) to be provided to the platform abstraction layer.
Enabling MBEDTLS_PLATFORM_MEMORY without the MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and free() function pointer at runtime.
Enabling MBEDTLS_PLATFORM_MEMORY and specifying MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the alternate function at compile time.
Requires: MBEDTLS_PLATFORM_C
Enable this layer to allow use of alternative memory allocators.
Definition at line 3594 of file mbedtls_config.h.
| #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS |
Do not assign standard functions in the platform layer (e.g. calloc() to MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
This makes sure there are no linking errors on platforms that do not support these functions. You will HAVE to provide alternatives, either at runtime via the platform_set_xxx() functions or at compile time by setting the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a MBEDTLS_PLATFORM_XXX_MACRO.
Requires: MBEDTLS_PLATFORM_C
Uncomment to prevent default assignment of standard functions in the platform layer.
Definition at line 185 of file mbedtls_config.h.
| #define MBEDTLS_PLATFORM_PRINTF_MACRO my_printf |
Definition at line 3582 of file mbedtls_config.h.
| #define MBEDTLS_PLATFORM_SNPRINTF_MACRO my_snprintf |
Definition at line 3592 of file mbedtls_config.h.
| #define MBEDTLS_POLY1305_C |
Enable the Poly1305 MAC algorithm.
Module: library/poly1305.c Caller: library/chachapoly.c
Definition at line 2887 of file mbedtls_config.h.
| #define MBEDTLS_RSA_C |
Enable the RSA public-key cryptosystem.
Module: library/rsa.c library/rsa_alt_helpers.c Caller: library/pk.c library/psa_crypto.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
This module is used by the following key exchanges: RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
Definition at line 2974 of file mbedtls_config.h.
| #define MBEDTLS_SHA1_C |
Enable the SHA1 cryptographic hash algorithm.
Module: library/sha1.c Caller: library/md.c library/psa_crypto_hash.c
This module is required for TLS 1.2 depending on the handshake parameters, and for SHA1-signed certificates.
Definition at line 2993 of file mbedtls_config.h.
| #define MBEDTLS_SHA224_C |
Enable the SHA-224 cryptographic hash algorithm.
Requires: MBEDTLS_SHA256_C. The library does not currently support enabling SHA-224 without SHA-256.
Module: library/sha256.c Caller: library/md.c library/ssl_cookie.c
This module adds support for SHA-224.
Definition at line 3009 of file mbedtls_config.h.
| #define MBEDTLS_SHA256_C |
Enable the SHA-256 cryptographic hash algorithm.
Requires: MBEDTLS_SHA224_C. The library does not currently support enabling SHA-256 without SHA-224.
Module: library/sha256.c Caller: library/entropy.c library/md.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
This module adds support for SHA-256. This module is required for the SSL/TLS 1.2 PRF function.
Definition at line 3029 of file mbedtls_config.h.
| #define MBEDTLS_SHA256_SMALLER |
Enable an implementation of SHA-256 that has lower ROM footprint but also lower performance.
The default implementation is meant to be a reasonable compromise between performance and size. This version optimizes more aggressively for size at the expense of performance. Eg on Cortex-M4 it reduces the size of mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about 30%.
Uncomment to enable the smaller implementation of SHA256.
Definition at line 1281 of file mbedtls_config.h.
| #define MBEDTLS_SHA384_C |
Enable the SHA-384 cryptographic hash algorithm.
Requires: MBEDTLS_SHA512_C
Module: library/sha512.c Caller: library/md.c library/psa_crypto_hash.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
Comment to disable SHA-384
Definition at line 3097 of file mbedtls_config.h.
| #define MBEDTLS_SHA512_C |
Enable SHA-512 cryptographic hash algorithms.
Module: library/sha512.c Caller: library/entropy.c library/md.c library/ssl_tls.c library/ssl_cookie.c
This module adds support for SHA-512.
Definition at line 3112 of file mbedtls_config.h.
| #define MBEDTLS_SHA512_SMALLER |
Enable an implementation of SHA-512 that has lower ROM footprint but also lower performance.
Uncomment to enable the smaller implementation of SHA512.
Definition at line 1291 of file mbedtls_config.h.
| #define MBEDTLS_SSL_ALL_ALERT_MESSAGES |
Enable sending of alert messages in case of encountered errors as per RFC. If you choose not to send the alert messages, mbed TLS can still communicate with other servers, only debugging of failures is harder.
The advantage of not sending alert messages, is that no information is given about reasons for failures thus preventing adversaries of gaining intel.
Enable sending of all alert messages
Definition at line 1305 of file mbedtls_config.h.
| #define MBEDTLS_SSL_ALPN |
Enable support for RFC 7301 Application Layer Protocol Negotiation.
Comment this macro to disable support for ALPN.
Definition at line 1694 of file mbedtls_config.h.
| #define MBEDTLS_SSL_CACHE_C |
Enable simple SSL cache implementation.
Module: library/ssl_cache.c Caller:
Requires: MBEDTLS_SSL_CACHE_C
Definition at line 3178 of file mbedtls_config.h.
| #define MBEDTLS_SSL_CLI_C |
Enable the SSL/TLS client code.
Module: library/ssl*_client.c Caller:
Requires: MBEDTLS_SSL_TLS_C
This module is required for SSL/TLS client support.
Definition at line 3215 of file mbedtls_config.h.
| #define MBEDTLS_SSL_CONTEXT_SERIALIZATION |
Enable serialization of the TLS context structures, through use of the functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load().
This pair of functions allows one side of a connection to serialize the context associated with the connection, then free or re-use that context while the serialized state is persisted elsewhere, and finally deserialize that state to a live context for resuming read/write operations on the connection. From a protocol perspective, the state of the connection is unaffected, in particular this is entirely transparent to the peer.
Note: this is distinct from TLS session resumption, which is part of the protocol and fully visible by the peer. TLS session resumption enables establishing new connections associated to a saved session with shorter, lighter handshakes, while context serialization is a local optimization in handling a single, potentially long-lived connection.
Enabling these APIs makes some SSL structures larger, as 64 extra bytes are saved after the handshake to allow for more efficient serialization, so if you don't need this feature you'll save RAM by disabling it.
Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C
Comment to disable the context serialization APIs.
Definition at line 1391 of file mbedtls_config.h.
| #define MBEDTLS_SSL_COOKIE_C |
Enable basic implementation of DTLS cookies for hello verification.
Module: library/ssl_cookie.c Caller:
Definition at line 3188 of file mbedtls_config.h.
| #define MBEDTLS_SSL_DTLS_CONNECTION_ID |
Enable support for the DTLS Connection ID (CID) extension, which allows to identify DTLS connections across changes in the underlying transport. The CID functionality is described in RFC 9146.
Setting this option enables the SSL APIs mbedtls_ssl_set_cid(), mbedtls_ssl_get_own_cid(),mbedtls_ssl_get_peer_cid()and mbedtls_ssl_conf_cid()`. See the corresponding documentation for more information.
The maximum lengths of outgoing and incoming CIDs can be configured through the options
Requires: MBEDTLS_SSL_PROTO_DTLS
Uncomment to enable the Connection ID extension.
Definition at line 1329 of file mbedtls_config.h.
| #define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 |
Defines whether RFC 9146 (default) or the legacy version (version draft-ietf-tls-dtls-connection-id-05, https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) is used.
Set the value to 0 for the standard version, and 1 for the legacy draft version.
Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID
Definition at line 1351 of file mbedtls_config.h.
| #define MBEDTLS_SSL_ENCRYPT_THEN_MAC |
Enable support for Encrypt-then-MAC, RFC 7366.
This allows peers that both support it to use a more robust protection for ciphersuites using CBC, providing deep resistance against timing attacks on the padding or underlying cipher.
This only affects CBC ciphersuites, and is useless if none is defined.
Requires: MBEDTLS_SSL_PROTO_TLS1_2
Comment this macro to disable support for Encrypt-then-MAC
Definition at line 1423 of file mbedtls_config.h.
| #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET |
Enable support for RFC 7627: Session Hash and Extended Master Secret Extension.
This was introduced as "the proper fix" to the Triple Handshake family of attacks, but it is recommended to always use it (even if you disable renegotiation), since it actually fixes a more fundamental issue in the original SSL/TLS design, and has implications beyond Triple Handshake.
Requires: MBEDTLS_SSL_PROTO_TLS1_2
Comment this macro to disable support for Extended Master Secret.
Definition at line 1439 of file mbedtls_config.h.
| #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE |
This option controls the availability of the API mbedtls_ssl_get_peer_cert() giving access to the peer's certificate after completion of the handshake.
Unless you need mbedtls_ssl_peer_cert() in your application, it is recommended to disable this option for reduced RAM usage.
NULL.Comment this macro to disable storing the peer's certificate after the handshake.
Definition at line 1463 of file mbedtls_config.h.
| #define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 |
The default maximum amount of 0-RTT data. See the documentation of mbedtls_ssl_tls13_conf_max_early_data_size() for more information.
It must be positive and smaller than UINT32_MAX.
If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not have any impact on the build.
This feature is experimental, not completed and thus not ready for production.
Definition at line 1672 of file mbedtls_config.h.
| #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH |
Enable support for RFC 6066 max_fragment_length extension in SSL.
Comment this macro to disable support for the max_fragment_length extension
Definition at line 1494 of file mbedtls_config.h.
| #define MBEDTLS_SSL_PROTO_DTLS |
Enable support for DTLS (all available versions).
Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
Requires: MBEDTLS_SSL_PROTO_TLS1_2
Comment this macro to disable support for DTLS
Definition at line 1685 of file mbedtls_config.h.
| #define MBEDTLS_SSL_PROTO_TLS1_2 |
Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
Requires: Without MBEDTLS_USE_PSA_CRYPTO: MBEDTLS_MD_C and (MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C) With MBEDTLS_USE_PSA_CRYPTO: PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_512
Comment this macro to disable support for TLS 1.2 / DTLS 1.2
Definition at line 1512 of file mbedtls_config.h.
| #define MBEDTLS_SSL_RENEGOTIATION |
Enable support for TLS renegotiation.
The two main uses of renegotiation are (1) refresh keys on long-lived connections and (2) client authentication after the initial handshake. If you don't need renegotiation, it's probably better to disable it, since it has been associated with security issues in the past and is easy to misuse/misunderstand.
Comment this to disable support for renegotiation.
mbedtls_ssl_conf_legacy_renegotiation for the configuration of this extension). Definition at line 1485 of file mbedtls_config.h.
| #define MBEDTLS_SSL_SERVER_NAME_INDICATION |
Enable support for RFC 6066 server name indication (SNI) in SSL.
Requires: MBEDTLS_X509_CRT_PARSE_C
Comment this macro to disable support for server name indication in SSL
Definition at line 1799 of file mbedtls_config.h.
| #define MBEDTLS_SSL_SESSION_TICKETS |
Enable support for RFC 5077 session tickets in SSL. Client-side, provides full support for session tickets (maintenance of a session store remains the responsibility of the application, though). Server-side, you also need to provide callbacks for writing and parsing tickets, including authenticated encryption and key management. Example callbacks are provided by MBEDTLS_SSL_TICKET_C.
Comment this macro to disable support for SSL session tickets
Definition at line 1788 of file mbedtls_config.h.
| #define MBEDTLS_SSL_SRV_C |
Enable the SSL/TLS server code.
Module: library/ssl*_server.c Caller:
Requires: MBEDTLS_SSL_TLS_C
This module is required for SSL/TLS server support.
Definition at line 3229 of file mbedtls_config.h.
| #define MBEDTLS_SSL_TICKET_C |
Enable an implementation of TLS server-side callbacks for session tickets.
Module: library/ssl_ticket.c Caller:
Requires: (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) && (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)
Definition at line 3201 of file mbedtls_config.h.
| #define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 |
Default number of NewSessionTicket messages to be sent by a TLS 1.3 server after handshake completion. This is not used in TLS 1.2 and relevant only if the MBEDTLS_SSL_SESSION_TICKETS option is enabled.
Definition at line 1637 of file mbedtls_config.h.
| #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED |
Enable TLS 1.3 ephemeral key exchange mode.
Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C, MBEDTLS_ECDSA_C or MBEDTLS_PKCS1_V21
Comment to disable support for the ephemeral key exchange mode in TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.
Definition at line 1584 of file mbedtls_config.h.
| #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED |
Enable TLS 1.3 PSK key exchange mode.
Comment to disable support for the PSK key exchange mode in TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.
Definition at line 1569 of file mbedtls_config.h.
| #define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED |
Enable TLS 1.3 PSK ephemeral key exchange mode.
Requires: MBEDTLS_ECDH_C
Comment to disable support for the PSK ephemeral key exchange mode in TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.
Definition at line 1598 of file mbedtls_config.h.
| #define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 |
Maximum time difference in milliseconds tolerated between the age of a ticket from the server and client point of view. From the client point of view, the age of a ticket is the time difference between the time when the client proposes to the server to use the ticket (time of writing of the Pre-Shared Key Extension including the ticket) and the time the client received the ticket from the server. From the server point of view, the age of a ticket is the time difference between the time when the server receives a proposition from the client to use the ticket and the time when the ticket was created by the server. The server age is expected to be always greater than the client one and MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE defines the maximum difference tolerated for the server to accept the ticket. This is not used in TLS 1.2.
Definition at line 1618 of file mbedtls_config.h.
| #define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 |
Size in bytes of a ticket nonce. This is not used in TLS 1.2.
This must be less than 256.
Definition at line 1627 of file mbedtls_config.h.
| #define MBEDTLS_SSL_TLS_C |
Enable the generic SSL/TLS code.
Module: library/ssl_tls.c Caller: library/ssl*_client.c library/ssl*_server.c
Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C and at least one of the MBEDTLS_SSL_PROTO_XXX defines
This module is required for SSL/TLS.
Definition at line 3245 of file mbedtls_config.h.
| #define MBEDTLS_VERSION_C |
Enable run-time version information.
Module: library/version.c
This module provides run-time version information.
Definition at line 3302 of file mbedtls_config.h.
| #define MBEDTLS_X509_CREATE_C |
Enable X.509 core for creating certificates.
Module: library/x509_create.c
Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
This module is the basis for creating X.509 certificates and CSRs.
Definition at line 3383 of file mbedtls_config.h.
| #define MBEDTLS_X509_CRL_PARSE_C |
Enable X.509 CRL parsing.
Module: library/x509_crl.c Caller: library/x509_crt.c
Requires: MBEDTLS_X509_USE_C
This module is required for X.509 CRL parsing.
Definition at line 3352 of file mbedtls_config.h.
| #define MBEDTLS_X509_CRT_PARSE_C |
Enable X.509 certificate parsing.
Module: library/x509_crt.c Caller: library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
Requires: MBEDTLS_X509_USE_C
This module is required for X.509 certificate parsing.
Definition at line 3338 of file mbedtls_config.h.
| #define MBEDTLS_X509_CRT_WRITE_C |
Enable creating X.509 certificates.
Module: library/x509_crt_write.c
Requires: MBEDTLS_X509_CREATE_C
This module is required for X.509 certificate creation.
Definition at line 3396 of file mbedtls_config.h.
| #define MBEDTLS_X509_CSR_PARSE_C |
Enable X.509 Certificate Signing Request (CSR) parsing.
Module: library/x509_csr.c Caller: library/x509_crt_write.c
Requires: MBEDTLS_X509_USE_C
This module is used for reading X.509 certificate request.
Definition at line 3366 of file mbedtls_config.h.
| #define MBEDTLS_X509_CSR_WRITE_C |
Enable creating X.509 Certificate Signing Requests (CSR).
Module: library/x509_csr_write.c
Requires: MBEDTLS_X509_CREATE_C
This module is required for X.509 certificate request writing.
Definition at line 3409 of file mbedtls_config.h.
| #define MBEDTLS_X509_RSASSA_PSS_SUPPORT |
Enable parsing and verification of X.509 certificates, CRLs and CSRS signed with RSASSA-PSS (aka PKCS#1 v2.1).
Comment this macro to disallow using RSASSA-PSS in certificates.
Definition at line 1989 of file mbedtls_config.h.
| #define MBEDTLS_X509_USE_C |
Enable X.509 core for using certificates.
Module: library/x509.c Caller: library/x509_crl.c library/x509_crt.c library/x509_csr.c
Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
This module is required for the X.509 parsing modules.
Definition at line 3322 of file mbedtls_config.h.
| void * mbedtls_calloc | ( | size_t | n, |
| size_t | size | ||
| ) |
Definition at line 47 of file CrtWrapper.c.
| void mbedtls_free | ( | void * | ptr | ) |
Definition at line 81 of file CrtWrapper.c.
1.9.6