feat(mbedtls): adds more configuration options

This commit is contained in:
Ashish Sharma
2025-04-24 10:00:17 +08:00
parent 65cf3d0a20
commit f7be43c83d
2 changed files with 899 additions and 26 deletions


@@ -97,6 +97,13 @@ menu "mbedTLS"
This defines maximum outgoing fragment length, overriding default
maximum content length (MBEDTLS_SSL_MAX_CONTENT_LEN).
config MBEDTLS_SSL_SERVER_NAME_INDICATION
bool "Enable server name indication"
default y
depends on MBEDTLS_X509_CRT_PARSE_C
help
Enable support for RFC 6066 server name indication (SNI).
config MBEDTLS_DYNAMIC_BUFFER
bool "Using dynamic TX/RX buffer"
default n
@@ -135,6 +142,19 @@ menu "mbedTLS"
This option will decrease the heap footprint for the TLS handshake, but may lead to a problem:
If the respective ssl object needs to perform the TLS handshake again,
the CA certificate should once again be registered to the ssl object.
config MBEDTLS_VERSION_FEATURES
bool "Enable mbedTLS version features"
default n
help
Enable mbedTLS version features.
This option allows Allow run-time checking of compile-time enabled features.
Disabling this option will save some code size.
config MBEDTLS_X509_USE_C
bool "Enable X.509 certificate support"
default y
help
Enable X.509 certificate support.
config MBEDTLS_DEBUG
bool "Enable mbedTLS debugging"
@@ -198,6 +218,14 @@ menu "mbedTLS"
bool "TLS 1.3 PSK ephemeral key exchange mode"
default y
config MBEDTLS_SSL_EARLY_DATA
bool "TLS 1.3 early data"
default n
depends on MBEDTLS_CLIENT_SSL_SESSION_TICKETS && \
(MBEDTLS_SSL_TLS1_3_KEXM_PSK || MBEDTLS_SSL_TLS1_3_KEXM_EPHEMER)
help
Enable support for TLS 1.3 early data (0-RTT).
endmenu
config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
@@ -234,7 +262,7 @@ menu "mbedTLS"
This is a local optimization in handling a single, potentially long-lived connection.
See mbedTLS documentation for required API and more details.
Disabling this option will save some code size.
Disabling this option will save some code and RAM size.
config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
bool "Keep peer certificate after handshake completion"
@@ -257,10 +285,25 @@ menu "mbedTLS"
config MBEDTLS_PKCS7_C
bool "Enable PKCS number 7"
default y
depends on MBEDTLS_X509_CRL_PARSE_C
depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_OID_C && MBEDTLS_PK_PARSE_C && \
MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_X509_CRL_PARSE_C && MBEDTLS_BIGNUM_C && MBEDTLS_MD_C
help
Enable PKCS number 7 core for using PKCS number 7-formatted signatures.
config MBEDTLS_PKCS12_C
bool "Enable PKCS number 12"
default y
depends on MBEDTLS_ASN1_PARSE_C && (MBEDTLS_MD_C)
help
Enable PKCS number 12 core for using PKCS number 12-formatted signatures.
config MBEDTLS_PKCS5_C
bool "Enable PKCS#5 functions"
default y
select MBEDTLS_MD_C
help
Enable support for PKCS#5 functions.
config MBEDTLS_SSL_CID_PADDING_GRANULARITY
int "Record plaintext padding"
default 16
@@ -389,6 +432,32 @@ menu "mbedTLS"
endmenu
config MBEDTLS_SELF_TEST
bool "Enable mbedTLS self-test"
default y
help
Enable mbedTLS self-test functions.
config MBEDTLS_PKCS1_V15
bool "Enable PKCS#1 v1.5 padding"
default y
depends on MBEDTLS_RSA_C
help
Enable support for PKCS#1 v1.5 operations.
config MBEDTLS_PKCS1_V21
bool "Enable PKCS#1 v2.1 padding"
default y
depends on MBEDTLS_RSA_C && MBEDTLS_MD_C
help
Enable support for PKCS#1 v2.1 operations.
config MBEDTLS_PK_RSA_ALT_SUPPORT
bool "Enable RSA alt support"
default y
help
Support external private RSA keys (eg from a HSM) int the PK layer.
config MBEDTLS_ECP_RESTARTABLE
bool "Enable mbedTLS ecp restartable"
select MBEDTLS_ECDH_LEGACY_CONTEXT
@@ -397,10 +466,34 @@ menu "mbedTLS"
help
Enable "non-blocking" ECC operations that can return early and be resumed.
config MBEDTLS_AES_ROM_TABLES
bool "Store AES tables in ROM"
default y
help
Store the AES tables in ROM instead of generating them at runtime.
Using precomputed ROM tables reduces RAM usage, but increases
flash usage.
config MBEDTLS_AES_FEWER_TABLES
bool "Use fewer AES tables"
default n
help
Use fewer AES tables to reduce ROM/RAM usage.
Using fewer tables increases the time taken to generate the tables
at runtime, but reduces ROM/RAM usage.
config MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
bool "Only support 128-bit AES keys"
default n
help
Only support 128-bit AES keys.
This reduces code size, but disables support for 192-bit and
256-bit AES keys.
config MBEDTLS_CMAC_C
bool "Enable CMAC mode for block ciphers"
default n
depends on MBEDTLS_AES_C || MBEDTLS_DES_C
depends on (MBEDTLS_AES_C || MBEDTLS_DES_C) && MBEDTLS_CIPHER_C
help
Enable the CMAC (Cipher-based Message Authentication Code) mode for
block ciphers.
@@ -507,10 +600,21 @@ menu "mbedTLS"
operations using a non-AES cipher, you can safely disable this config,
leading to reduction in binary size footprint.
config MBEDTLS_BIGNUM_C
bool "Enable multiple precision integer (bignum) support"
default y
help
Enable support for multiple precision integer (bignum) operations.
This is required for RSA, DSA, DHM, ECDH and ECDSA.
If you don't need any of these algorithms, you can disable this option
to save code size.
config MBEDTLS_HARDWARE_MPI
bool "Enable hardware MPI (bignum) acceleration"
default y
depends on !SPIRAM_CACHE_WORKAROUND_STRATEGY_DUPLDST && SOC_MPI_SUPPORTED
depends on !SPIRAM_CACHE_WORKAROUND_STRATEGY_DUPLDST && SOC_MPI_SUPPORTED && MBEDTLS_BIGNUM_C
help
Enable hardware accelerated multiple precision integer operations.
@@ -519,6 +623,13 @@ menu "mbedTLS"
These operations are used by RSA.
config MBEDTLS_GENPRIME
bool "Enable hardware prime number generation"
default y
depends on MBEDTLS_BIGNUM_C
help
Enable prime number generation.
config MBEDTLS_LARGE_KEY_SOFTWARE_MPI
bool "Fallback to software implementation for larger MPI values"
depends on MBEDTLS_HARDWARE_MPI
@@ -567,6 +678,22 @@ menu "mbedTLS"
SHA hardware acceleration is faster than software in some situations but
slower in others. You should benchmark to find the best setting for you.
config MBEDTLS_SHA256_SMALLER
bool "Enable SHA-256 smaller implementation"
default n
depends on !MBEDTLS_HARDWARE_SHA && MBEDTLS_SHA256_C
help
Enable a smaller implementation of SHA-256 that has lower ROM footprint
but is slower than the default implementation.
config MBEDTLS_SHA512_SMALLER
bool "Enable SHA-512 smaller implementation"
default n
depends on !MBEDTLS_HARDWARE_SHA && MBEDTLS_SHA512_C
help
Enable a smaller implementation of SHA-512 that has lower ROM footprint
but is slower than the default implementation.
config MBEDTLS_HARDWARE_ECC
bool "Enable hardware ECC acceleration"
default y
@@ -631,7 +758,7 @@ menu "mbedTLS"
default y
help
This option adds a delay after the actual ECDSA signature operation
so that the entire operation appears to be constant time for the software.
so that the entire operation appears to be constant  time for the software.
This fix helps in protecting the device only in case of remote timing attack on the ECDSA private key.
For e.g., When an interface is exposed by the device to perform ECDSA signature
of an arbitrary message.
@@ -718,11 +845,69 @@ menu "mbedTLS"
config MBEDTLS_ECDSA_DETERMINISTIC
bool "Enable deterministic ECDSA"
default y
default n
help
Standard ECDSA is "fragile" in the sense that lack of entropy when signing
may result in a compromise of the long-term signing key.
config MBEDTLS_ENTROPY_C
bool "Enable entropy support"
default y
depends on MBEDTLS_SHA256_C || MBEDTLS_SHA512_C
help
Enable support for entropy sources and provides a generic
entropy pool.
config MBEDTLS_ENTROPY_FORCE_SHA256
bool "Force SHA-256 for entropy"
default n
depends on MBEDTLS_SHA256_C && MBEDTLS_SHA512_C
help
Force SHA-256 to be used for the entropy pool if both SHA-256 and SHA-512 are
enabled. On 32-bit architectures, SHA-256 can be faster than SHA-512
config MBEDTLS_CTR_DRBG_C
bool "Enable CTR_DRBG"
default y
depends on MBEDTLS_AES_C
help
Enable CTR_DRBG (CTR mode Deterministic Random Bit Generator).
The CTR_DRBG generator uses AES-256 by default.
config MBEDTLS_HMAC_DRBG_C
bool "Enable HMAC_DRBG"
default n
depends on MBEDTLS_MD_C
help
Enable HMAC_DRBG (HMAC mode Deterministic Random Bit Generator).
config MBEDTLS_OID_C
bool "Enable OID support"
default y
help
Enable support for Object Identifier (OID) parsing and printing.
This is used by X.509 and PKCS#11.
config MBEDTLS_MD_C
bool "Enable message digest support"
default y
depends on MBEDTLS_MD5_C || MBEDTLS_RIPEMD160_C || MBEDTLS_SHA1_C || \
MBEDTLS_SHA224_C || MBEDTLS_SHA256_C || MBEDTLS_SHA384_C || MBEDTLS_SHA512_C
help
Enable generic layer for message digest algorithms.
config MBEDTLS_MD5_C
bool "Enable the MD5 cryptographic hash algorithm"
default y
help
Enables support for MD5.
This module is required for TLS 1.2 depending on the handshake parameters.
Further, it is used for checking MD5-signed certificates, and for PBKDF1
when decrypting PEM-encoded encrypted keys.
MD5 is considered a weak message digest and its use constitutes
a security risk. If possible, consider stronger message digests
such as SHA-256 (part of the SHA-2 family).
config MBEDTLS_SHA1_C
bool "Enable the SHA-1 cryptographic hash algorithm"
default y
@@ -738,20 +923,50 @@ menu "mbedTLS"
please consider testing the changes in a controlled environment for individual features
like OTA updates, cloud connectivity, secure local control, etc.
config MBEDTLS_SHA224_C
bool "Enable the SHA-224 cryptographic hash algorithm"
default n
help
Enable MBEDTLS_SHA224_C adds support for SHA-224.
config MBEDTLS_SHA256_C
bool "Enable the SHA-256 cryptographic hash algorithm"
default y
help
Enable MBEDTLS_SHA256_C adds support for SHA-256.
config MBEDTLS_SHA384_C
bool "Enable the SHA-384 cryptographic hash algorithm"
default y
help
Enable MBEDTLS_SHA384_C adds support for SHA-384.
config MBEDTLS_SHA512_C
bool "Enable the SHA-384 and SHA-512 cryptographic hash algorithms"
default y
help
Enable MBEDTLS_SHA512_C adds support for SHA-384 and SHA-512.
Enable MBEDTLS_SHA512_C adds support for SHA-512.
config MBEDTLS_SHA3_C
bool "Enable the SHA3 cryptographic hash algorithm"
default n
default y
help
Enabling MBEDTLS_SHA3_C adds support for SHA3.
Enabling this configuration option increases the flash footprint
by almost 4KB.
config MBEDTLS_SSL_CACHE_C
bool "Enable SSL session cache"
default y
help
Enable simple SSL session cache implementation.
config MBEDTLS_SSL_COOKIE_C
bool "Enable SSL session cookie"
default n
help
Enable basic DTLS cookie implementation for hello verification.
choice MBEDTLS_TLS_MODE
bool "TLS Protocol Role"
default MBEDTLS_TLS_SERVER_AND_CLIENT
@@ -885,6 +1100,29 @@ menu "mbedTLS"
endmenu # TLS key exchange modes
config MBEDTLS_SSL_RECORD_SIZE_LIMIT
bool "Enable support for record size limit"
default y
depends on MBEDTLS_SSL_PROTO_TLS1_3
help
Enable support for record size limit in TLS 1.3.
config MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
bool "Enable support for TLS max fragment length extension"
default y
help
Enable support for the TLS max fragment length extension.
config MBEDTLS_SSL_ALL_ALERT_MESSAGES
bool "Enable all TLS alert messages"
default y
help
Enable all TLS alert messages in case of encountered errors as per RFC.
If disabled, Mbed TLS can still communicate with other servers, only debugging of failures is harder.
The advantage of not sending alert messages, is that no information is given about reasons for failures
thus preventing adversaries of gaining intel.
config MBEDTLS_SSL_RENEGOTIATION
bool "Support TLS renegotiation"
depends on MBEDTLS_TLS_ENABLED && MBEDTLS_SSL_PROTO_TLS1_2
@@ -937,6 +1175,24 @@ menu "mbedTLS"
Server support for RFC 5077 session tickets. See mbedTLS documentation for more details.
Disabling this option will save some code size.
config MBEDTLS_BASE64_C
bool "Enable Base64 encoding/decoding"
default y
help
Enable Base64 encoding and decoding functions. This is required for PEM support.
config MBEDTLS_ASN1_PARSE_C
bool "Enable ASN.1 parsing"
default y
help
Enable ASN.1 parsing functions.
config MBEDTLS_ASN1_WRITE_C
bool "Enable ASN.1 writing"
default y
help
Enable ASN.1 writing functions.
menu "Symmetric Ciphers"
config MBEDTLS_AES_C
@@ -947,6 +1203,17 @@ menu "mbedTLS"
bool "Camellia block cipher"
default n
config MBEDTLS_ARIA_C
bool "ARIA block cipher"
default n
config MBEDTLS_CAMELLIA_SMALL_MEMORY
bool "Use small memory implementation of Camellia"
default n
depends on MBEDTLS_CAMELLIA_C
help
Reduces ROM usage of the Camellia implementation
config MBEDTLS_DES_C
bool "DES block cipher (legacy, insecure)"
default n
@@ -982,10 +1249,46 @@ menu "mbedTLS"
Disabling this option saves some code size.
config MBEDTLS_CIPHER_MODE_CBC
bool "CBC (Cipher Block Chaining) block cipher modes"
default y
depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
help
Enable Cipher Block Chaining (CBC) modes for AES and/or Camellia ciphers.
config MBEDTLS_CIPHER_MODE_CFB
bool "CFB (Cipher Feedback) block cipher modes"
default y
depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
help
Enable Cipher Feedback (CFB) modes for AES and/or Camellia ciphers.
config MBEDTLS_CIPHER_MODE_CTR
bool "CTR (Counter) block cipher modes"
default y
depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
help
Enable Counter (CTR) modes for AES and/or Camellia ciphers.
config MBEDTLS_CIPHER_MODE_OFB
bool "OFB (Output Feedback) block cipher modes"
default y
depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
help
Enable Output Feedback (OFB) modes for AES and/or Camellia ciphers.
config MBEDTLS_CIPHER_MODE_XTS
bool "XTS (XEX Tweakable Block Cipher with Ciphertext Stealing) block cipher modes"
default y
depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
help
Enable XEX Tweakable Block Cipher with Ciphertext Stealing (XTS) modes
for AES and/or Camellia ciphers.
config MBEDTLS_GCM_C
bool "GCM (Galois/Counter) block cipher modes"
default y
depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
depends on (MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C) && MBEDTLS_CIPHER_C
help
Enable Galois/Counter Mode for AES and/or Camellia ciphers.
@@ -994,10 +1297,53 @@ menu "mbedTLS"
config MBEDTLS_NIST_KW_C
bool "NIST key wrapping (KW) and KW padding (KWP)"
default n
depends on MBEDTLS_AES_C
depends on MBEDTLS_AES_C && MBEDTLS_CIPHER_C
help
Enable NIST key wrapping and key wrapping padding.
config MBEDTLS_CIPHER_PADDING
bool "Cipher padding"
default y
depends on MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB
help
Enable padding for block ciphers.
Padding is only used for block ciphers in CBC, CFB, CTR and OFB modes.
If you are using a stream cipher or a block cipher in ECB mode, you can
disable this option to save code size.
config MBEDTLS_CIPHER_PADDING_PKCS7
bool "PKCS#7 padding"
default y
depends on MBEDTLS_CIPHER_PADDING && \
(MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB)
help
Enable PKCS#7 padding for block ciphers.
config MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
bool "One and zeros padding"
default y
depends on MBEDTLS_CIPHER_PADDING && \
(MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB)
help
Enable one and zeros padding for block ciphers.
config MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
bool "Zeros and length padding"
default y
depends on MBEDTLS_CIPHER_PADDING && \
(MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB)
help
Enable zeros and length padding for block ciphers.
config MBEDTLS_CIPHER_PADDING_ZEROS
bool "Zeros padding"
default y
depends on MBEDTLS_CIPHER_PADDING && \
(MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB)
help
Enable zeros padding for block ciphers.
endmenu # Symmetric Ciphers
config MBEDTLS_RIPEMD160_C
@@ -1026,17 +1372,83 @@ menu "mbedTLS"
If writing certificate data only in DER format, disabling this
option will save some code size.
config MBEDTLS_PK_C
bool "Enable generic public key layer"
default y
depends on MBEDTLS_MD_C && (MBEDTLS_RSA_C || MBEDTLS_ECP_C)
help
Enable support for generic public key layer.
config MBEDTLS_PK_PARSE_C
bool "Enables generic public key parsing functions"
default y
depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_PK_C && MBEDTLS_OID_C
help
Enable generic public key parsing functions.
config MBEDTLS_PK_WRITE_C
bool "Enables generic public key writing functions"
default y
depends on MBEDTLS_PK_C && MBEDTLS_OID_C && MBEDTLS_ASN1_WRITE_C
help
Enable generic public key writing functions.
config MBEDTLS_X509_REMOVE_INFO
bool "Remove X.509 debug info"
default n
help
Removes mbedtls_x509_*_info(), as well as mbedtls_debug_print_crt() and other
functions/constants only used by these functions.
This will save some code size.
config MBEDTLS_X509_CRL_PARSE_C
bool "X.509 CRL parsing"
default y
help
Support for parsing X.509 Certificate Revocation Lists.
config MBEDTLS_X509_CRT_PARSE_C
bool "Enable X.509 certificate parsing"
default y
depends on MBEDTLS_X509_USE_C
help
Enable X.509 certificate parsing.
This is required for TLS and DTLS.
config MBEDTLS_X509_CSR_PARSE_C
bool "X.509 CSR parsing"
default y
help
Support for parsing X.509 Certificate Signing Requests
config MBEDTLS_X509_CREATE_C
bool "X.509 certificate creation"
default y
depends on MBEDTLS_BIGNUM_C && MBEDTLS_OID_C && \
MBEDTLS_PK_WRITE_C && MBEDTLS_MD_C
help
Support for creating X.509 certificates and CSRs.
config MBEDTLS_X509_CRT_WRITE_C
bool "X.509 certificate writing"
default y
depends on MBEDTLS_X509_CREATE_C
help
Support for writing X.509 certificates
config MBEDTLS_X509_CSR_WRITE_C
bool "X.509 CSR writing"
default y
depends on MBEDTLS_X509_CREATE_C
help
Support for writing X.509 CSRs
config MBEDTLS_X509_RSASSA_PSS_SUPPORT
bool "X.509 PSS support"
default y
select MBEDTLS_PKCS1_V21
depends on MBEDTLS_X509_CRL_PARSE_C || MBEDTLS_X509_CSR_PARSE_C || MBEDTLS_X509_CRT_PARSE_C
help
Support for parsing X.509 certificates with RSASSA-PSS signatures.
endmenu # Certificates
@@ -1064,6 +1476,8 @@ menu "mbedTLS"
config MBEDTLS_DHM_C
bool "Diffie-Hellman-Merkle key exchange (DHM)"
default n
select MBEDTLS_BIGNUM_C
depends on MBEDTLS_ECP_C
help
Enable DHM. Needed to use DHE-xxx TLS ciphersuites.
@@ -1071,6 +1485,14 @@ menu "mbedTLS"
a suitable prime being used for the exchange. Please see detailed
warning text about this in file `mbedtls/dhm.h` file.
config MBEDTLS_RSA_C
bool "RSA public key cryptosystem"
default y
select MBEDTLS_BIGNUM_C
select MBEDTLS_OID_C
help
Enable RSA. Needed to use RSA-xxx TLS ciphersuites.
config MBEDTLS_ECDH_C
bool "Elliptic Curve Diffie-Hellman (ECDH)"
depends on MBEDTLS_ECP_C
@@ -1080,7 +1502,9 @@ menu "mbedTLS"
config MBEDTLS_ECDSA_C
bool "Elliptic Curve DSA"
depends on MBEDTLS_ECDH_C
depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_C
select MBEDTLS_ASN1_WRITE_C
select MBEDTLS_ASN1_PARSE_C
default y
help
Enable ECDSA. Needed to use ECDSA-xxx TLS ciphersuites.
@@ -1216,9 +1640,19 @@ menu "mbedTLS"
help
Enable support for ChaCha20-Poly1305 AEAD algorithm.
config MBEDTLS_CIPHER_C
bool "Cipher abstraction layer"
default y
help
Enable the cipher abstraction layer. This enables generic cipher wrappers
for the block ciphers and stream ciphers.
If you are not using the cipher abstraction layer, you can disable this
option to save some code size.
config MBEDTLS_HKDF_C
bool "HKDF algorithm (RFC 5869)"
default n
depends on MBEDTLS_MD_C
help
Enable support for the Hashed Message Authentication Code
(HMAC)-based key derivation function (HKDF).
@@ -1230,6 +1664,12 @@ menu "mbedTLS"
If you do intend to use contexts between threads, you will need to enable
this layer to prevent race conditions.
config MBEDTLS_VERSION_C
bool "Enable version information"
default y
help
Enable version information functions.
config MBEDTLS_THREADING_ALT
bool "Enable threading alternate implementation"
depends on MBEDTLS_THREADING_C
@@ -1252,6 +1692,16 @@ menu "mbedTLS"
Disabling this config can save some code/rodata size as the error
string conversion implementation is replaced with an empty stub.
config MBEDTLS_ERROR_STRERROR_DUMMY
bool "Enable a dummy error function to make use of mbedtls_strerror()"
default n
depends on !MBEDTLS_ERROR_STRINGS
help
This option enables a dummy error function to make use of mbedtls_strerror()
when MBEDTLS_ERROR_STRINGS is disabled. This is useful for applications
that use mbedtls_strerror() but do not need the actual error strings.
This option can be used to save code size when MBEDTLS_ERROR_STRINGS is disabled.
config MBEDTLS_USE_CRYPTO_ROM_IMPL_BOOTLOADER
bool "Use ROM implementation of the crypto algorithm in the bootloader"
depends on ESP_ROM_HAS_MBEDTLS_CRYPTO_LIB
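Review bot: `MBEDTLS_ECDSA_DETERMINISTIC` in hunk `@@ -718,11 +845,69 @@` appears to flip from `default y` to `default n` (if the old-then-new print order holds), yet neither version carries a dependency on `MBEDTLS_HMAC_DRBG_C`, which the same hunk introduces with `default n`; mbedTLS's check_config rejects deterministic ECDSA without HMAC_DRBG, so a user who re-enables it in menuconfig gets a build error instead of a Kconfig constraint. Add `depends on MBEDTLS_HMAC_DRBG_C` under that bool, and have the help text say that with the new default the per-signature nonce comes from the runtime RNG, since the existing help explains exactly why that is "fragile". The same kind of gap appears at `MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH` in `@@ -397,10 +466,34 @@`: the new `MBEDTLS_CTR_DRBG_C` help states the generator uses AES-256 by default, so enabling 128-bit-only AES alongside CTR_DRBG needs either `depends on !MBEDTLS_CTR_DRBG_C` or a matching `MBEDTLS_CTR_DRBG_USE_128_BIT_KEY` selection — confirm against the bundled mbedTLS check_config.h. Separately, `MBEDTLS_DHM_C` in `@@ -1064,6 +1476,8 @@` gains `depends on MBEDTLS_ECP_C`, which finite-field DHM does not use; presumably only the `select MBEDTLS_BIGNUM_C` line was intended.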


@@ -260,42 +260,107 @@
*
* Uncomment this macro to store the AES tables in ROM.
*/
#ifdef CONFIG_MBEDTLS_AES_ROM_TABLES
#define MBEDTLS_AES_ROM_TABLES
#else
#undef MBEDTLS_AES_ROM_TABLES
#endif
/**
* \def MBEDTLS_AES_FEWER_TABLES
*
* Use fewer tables for AES.
*
* Uncomment this macro to store fewer tables for AES
* in ROM or RAM. The values are computed at runtime.
*
*/
#ifdef CONFIG_MBEDTLS_AES_FEWER_TABLES
#define MBEDTLS_AES_FEWER_TABLES
#else
#undef MBEDTLS_AES_FEWER_TABLES
#endif
/**
* \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
*
* Enable support for AES with only 128-bit key length. This disables
* support for 192-bit and 256-bit key lengths.
*
* Uncommenting this macro reduces the size of AES code
*/
#ifdef CONFIG_MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
#else
#undef MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
#endif
/**
* \def MBEDTLS_CAMELLIA_SMALL_MEMORY
*
* Enable small memory usage for Camellia cipher.
*/
#ifdef CONFIG_MBEDTLS_CAMELLIA_SMALL_MEMORY
#define MBEDTLS_CAMELLIA_SMALL_MEMORY
#else
#undef MBEDTLS_CAMELLIA_SMALL_MEMORY
#endif
/**
* \def MBEDTLS_CIPHER_MODE_CBC
*
* Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CBC
#define MBEDTLS_CIPHER_MODE_CBC
#else
#undef MBEDTLS_CIPHER_MODE_CBC
#endif
/**
* \def MBEDTLS_CIPHER_MODE_CFB
*
* Enable Cipher Feedback mode (CFB) for symmetric ciphers.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CFB
#define MBEDTLS_CIPHER_MODE_CFB
#else
#undef MBEDTLS_CIPHER_MODE_CFB
#endif
/**
* \def MBEDTLS_CIPHER_MODE_CTR
*
* Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CTR
#define MBEDTLS_CIPHER_MODE_CTR
#else
#undef MBEDTLS_CIPHER_MODE_CTR
#endif
/**
* \def MBEDTLS_CIPHER_MODE_OFB
*
* Enable Output Feedback mode (OFB) for symmetric ciphers.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_OFB
#define MBEDTLS_CIPHER_MODE_OFB
#else
#undef MBEDTLS_CIPHER_MODE_OFB
#endif
/**
* \def MBEDTLS_CIPHER_MODE_XTS
*
* Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_XTS
#define MBEDTLS_CIPHER_MODE_XTS
#else
#undef MBEDTLS_CIPHER_MODE_XTS
#endif
/**
* \def MBEDTLS_CIPHER_PADDING_PKCS7
@@ -308,10 +373,29 @@
*
* Enable padding modes in the cipher layer.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7
#define MBEDTLS_CIPHER_PADDING_PKCS7
#else
#undef MBEDTLS_CIPHER_PADDING_PKCS7
#endif
#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#else
#undef MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#endif
#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
#else
#undef MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
#endif
#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS
#define MBEDTLS_CIPHER_PADDING_ZEROS
#else
#undef MBEDTLS_CIPHER_PADDING_ZEROS
#endif
/**
* \def MBEDTLS_ECP_RESTARTABLE
@@ -362,6 +446,8 @@
*/
#ifdef CONFIG_MBEDTLS_ECP_RESTARTABLE
#define MBEDTLS_ECP_RESTARTABLE
#else
#undef MBEDTLS_ECP_RESTARTABLE
#endif
/**
@@ -885,7 +971,11 @@
* Disable if you run into name conflicts and want to really remove the
* mbedtls_strerror()
*/
#ifdef CONFIG_MBEDTLS_ERROR_STRERROR_DUMMY
#define MBEDTLS_ERROR_STRERROR_DUMMY
#else
#undef MBEDTLS_ERROR_STRERROR_DUMMY
#endif
/**
* \def MBEDTLS_GENPRIME
@@ -894,7 +984,11 @@
*
* Requires: MBEDTLS_BIGNUM_C
*/
#ifdef CONFIG_MBEDTLS_GENPRIME
#define MBEDTLS_GENPRIME
#else
#undef MBEDTLS_GENPRIME
#endif
/**
* \def MBEDTLS_FS_IO
@@ -922,6 +1016,26 @@
#define MBEDTLS_NO_PLATFORM_ENTROPY
#endif // !CONFIG_IDF_TARGET_LINUX
/**
* \def MBEDTLS_ENTROPY_FORCE_SHA256
*
* Force the entropy accumulator to use a SHA-256 accumulator instead of the
* default SHA-512 based one (if both are available).
*
* Requires: MBEDTLS_SHA256_C
*
* On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
* if you have performance concerns.
*
* This option is only useful if both MBEDTLS_SHA256_C and
* MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
*/
#ifdef CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256
#define MBEDTLS_ENTROPY_FORCE_SHA256
#else
#undef MBEDTLS_ENTROPY_FORCE_SHA256
#endif
/**
* \def MBEDTLS_PK_RSA_ALT_SUPPORT
*
@@ -929,7 +1043,11 @@
*
* Comment this macro to disable support for external private RSA keys.
*/
#ifdef CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT
#define MBEDTLS_PK_RSA_ALT_SUPPORT
#else
#undef MBEDTLS_PK_RSA_ALT_SUPPORT
#endif
/**
* \def MBEDTLS_PKCS1_V15
@@ -940,7 +1058,11 @@
*
* This enables support for PKCS#1 v1.5 operations.
*/
#ifdef CONFIG_MBEDTLS_PKCS1_V15
#define MBEDTLS_PKCS1_V15
#else
#undef MBEDTLS_PKCS1_V15
#endif
/**
* \def MBEDTLS_PKCS1_V21
@@ -951,14 +1073,55 @@
*
* This enables support for RSAES-OAEP and RSASSA-PSS operations.
*/
#ifdef CONFIG_MBEDTLS_PKCS1_V21
#define MBEDTLS_PKCS1_V21
#else
#undef MBEDTLS_PKCS1_V21
#endif
/**
* \def MBEDTLS_SELF_TEST
*
* Enable the checkup functions (*_self_test).
*/
#ifdef CONFIG_MBEDTLS_SELF_TEST
#define MBEDTLS_SELF_TEST
#else
#undef MBEDTLS_SELF_TEST
#endif
/**
* \def MBEDTLS_SHA256_SMALLER
*
* Enable an implementation of SHA-256 that has lower ROM footprint but also
* lower performance.
*
* The default implementation is meant to be a reasonable compromise between
* performance and size. This version optimizes more aggressively for size at
* the expense of performance. Eg on Cortex-M4 it reduces the size of
* mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
* 30%.
*
* Uncomment to enable the smaller implementation of SHA256.
*/
#ifdef CONFIG_MBEDTLS_SHA256_SMALLER
#define MBEDTLS_SHA256_SMALLER
#else
#undef MBEDTLS_SHA256_SMALLER
#endif
/**
* \def MBEDTLS_SHA512_SMALLER
* Enable an implementation of SHA-512 that has lower ROM footprint but also
* lower performance.
*
* Uncomment to enable the smaller implementation of SHA512.
*/
#ifdef CONFIG_MBEDTLS_SHA512_SMALLER
#define MBEDTLS_SHA512_SMALLER
#else
#undef MBEDTLS_SHA512_SMALLER
#endif
/**
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
@@ -972,7 +1135,11 @@
*
* Enable sending of all alert messages
*/
#ifdef CONFIG_MBEDTLS_SSL_ALL_ALERT_MESSAGES
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
#else
#undef MBEDTLS_SSL_ALL_ALERT_MESSAGES
#endif
/**
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID
@@ -1210,21 +1377,26 @@
*
* Comment this macro to disable support for the max_fragment_length extension
*/
#ifdef CONFIG_MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
#else
#undef MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
#endif
/**
* \def MBEDTLS_SSL_RECORD_SIZE_LIMIT
*
* Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only).
*
* \warning This extension is currently in development and must NOT be used except
* for testing purposes.
*
* Requires: MBEDTLS_SSL_PROTO_TLS1_3
*
* Uncomment this macro to enable support for the record_size_limit extension
*/
//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
#ifdef CONFIG_MBEDTLS_SSL_RECORD_SIZE_LIMIT
#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
#else
#undef MBEDTLS_SSL_RECORD_SIZE_LIMIT
#endif
/**
* \def MBEDTLS_SSL_PROTO_TLS1_2
@@ -1393,11 +1565,12 @@
* Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
* is not enabled, this option does not have any effect on the build.
*
* This feature is experimental, not completed and thus not ready for
* production.
*
*/
//#define MBEDTLS_SSL_EARLY_DATA
#ifdef CONFIG_MBEDTLS_SSL_EARLY_DATA
#define MBEDTLS_SSL_EARLY_DATA
#else
#undef MBEDTLS_SSL_EARLY_DATA
#endif
/**
* \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
@@ -1517,7 +1690,7 @@
*
* Uncomment this to enable support for use_srtp extension.
*/
#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
#ifdef CONFIG_MBEDTLS_SSL_DTLS_SRTP
#define MBEDTLS_SSL_DTLS_SRTP
#else
#undef MBEDTLS_SSL_DTLS_SRTP
@@ -1580,8 +1753,11 @@
*
* Comment this macro to disable support for server name indication in SSL
*/
#ifdef CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION
#define MBEDTLS_SSL_SERVER_NAME_INDICATION
#else
#undef MBEDTLS_SSL_SERVER_NAME_INDICATION
#endif
/**
* \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
@@ -1609,7 +1785,11 @@
*
* Comment this to disable run-time checking and save ROM space
*/
#ifdef CONFIG_MBEDTLS_VERSION_FEATURES
#define MBEDTLS_VERSION_FEATURES
#else
#undef MBEDTLS_VERSION_FEATURES
#endif
/**
@@ -1620,7 +1800,11 @@
*
* Comment this macro to disallow using RSASSA-PSS in certificates.
*/
#ifdef CONFIG_MBEDTLS_X509_RSASSA_PSS_SUPPORT
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#else
#undef MBEDTLS_X509_RSASSA_PSS_SUPPORT
#endif
/* \} name SECTION: mbed TLS feature support */
@@ -1644,7 +1828,33 @@
*
* This modules adds support for the AES-NI instructions on x86-64
*/
#define MBEDTLS_AESNI_C
#undef MBEDTLS_AESNI_C
/**
* \def MBEDTLS_AESCE_C
*
* Enable AES cryptographic extension support on Armv8.
*
* Module: library/aesce.c
* Caller: library/aes.c
*
* Requires: MBEDTLS_AES_C
*
* \warning Runtime detection only works on Linux. For non-Linux operating
* system, Armv8-A Cryptographic Extensions must be supported by
* the CPU when this option is enabled.
*
* \note Minimum compiler versions for this feature when targeting aarch64
* are Clang 4.0; armclang 6.6; GCC 6.0; or MSVC 2019 version 16.11.2.
* Minimum compiler versions for this feature when targeting 32-bit
* Arm or Thumb are Clang 11.0; armclang 6.20; or GCC 6.0.
*
* \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for
* armclang <= 6.9
*
* This module adds support for the AES Armv8-A Cryptographic Extensions on Armv8 systems.
*/
#undef MBEDTLS_AESCE_C
/**
* \def MBEDTLS_AES_C
@@ -1737,7 +1947,11 @@
* library/pkcs5.c
* library/pkparse.c
*/
#ifdef CONFIG_MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_PARSE_C
#else
#undef MBEDTLS_ASN1_PARSE_C
#endif
/**
* \def MBEDTLS_ASN1_WRITE_C
@@ -1751,7 +1965,11 @@
* library/x509write_crt.c
* library/mbedtls_x509write_csr.c
*/
#ifdef CONFIG_MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_ASN1_WRITE_C
#else
#undef MBEDTLS_ASN1_WRITE_C
#endif
/**
* \def MBEDTLS_BASE64_C
@@ -1763,7 +1981,11 @@
*
* This module is required for PEM support (required by X.509).
*/
#ifdef CONFIG_MBEDTLS_BASE64_C
#define MBEDTLS_BASE64_C
#else
#undef MBEDTLS_BASE64_C
#endif
/**
* \def MBEDTLS_BIGNUM_C
@@ -1783,7 +2005,11 @@
*
* This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
*/
#ifdef CONFIG_MBEDTLS_BIGNUM_C
#define MBEDTLS_BIGNUM_C
#else
#undef MBEDTLS_BIGNUM_C
#endif
/**
* \def MBEDTLS_BLOWFISH_C
@@ -1857,6 +2083,62 @@
#undef MBEDTLS_CAMELLIA_C
#endif
/**
* \def MBEDTLS_ARIA_C
*
* Enable the ARIA block cipher.
*
* Module: library/aria.c
* Caller: library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
*
* MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
*/
#ifdef CONFIG_MBEDTLS_ARIA_C
#define MBEDTLS_ARIA_C
#else
#undef MBEDTLS_ARIA_C
#endif
/**
* \def MBEDTLS_CCM_C
*
@@ -1936,7 +2218,11 @@
*
* Uncomment to enable generic cipher wrappers.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_C
#define MBEDTLS_CIPHER_C
#else
#undef MBEDTLS_CIPHER_C
#endif
/**
* \def MBEDTLS_CTR_DRBG_C
@@ -1950,7 +2236,11 @@
*
* This module provides the CTR_DRBG AES-256 random number generator.
*/
#ifdef CONFIG_MBEDTLS_CTR_DRBG_C
#define MBEDTLS_CTR_DRBG_C
#else
#undef MBEDTLS_CTR_DRBG_C
#endif
/**
* \def MBEDTLS_DEBUG_C
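Review bot: With MBEDTLS_CTR_DRBG_C now switchable, the Kconfig side has to guarantee that a TLS-enabled build still has an entropy source and a DRBG, because mbedTLS does not fall back silently: a handshake on a configuration with no RNG installed fails with MBEDTLS_ERR_SSL_NO_RNG, and check_config.h rejects MBEDTLS_ENTROPY_C without SHA-256/SHA-512 and MBEDTLS_PSA_CRYPTO_C without a DRBG plus entropy (or an external RNG). The same concern applies to the MBEDTLS_ENTROPY_C and MBEDTLS_HMAC_DRBG_C hunks below. If the port's TLS glue still calls mbedtls_ctr_drbg_*/mbedtls_entropy_* unconditionally (not visible here), the corresponding Kconfig entries should express that, e.g. `select MBEDTLS_SHA256_C` under the entropy option and `depends on MBEDTLS_ENTROPY_C` under the DRBG options, rather than leaving the error to check_config.h.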
@@ -2117,7 +2407,11 @@
*
* This module provides a generic entropy pool
*/
#ifdef CONFIG_MBEDTLS_ENTROPY_C
#define MBEDTLS_ENTROPY_C
#else
#undef MBEDTLS_ENTROPY_C
#endif
/**
* \def MBEDTLS_ERROR_C
@@ -2200,7 +2494,27 @@
*
* Uncomment to enable the HMAC_DRBG random number generator.
*/
#ifdef CONFIG_MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_HMAC_DRBG_C
#else
#undef MBEDTLS_HMAC_DRBG_C
#endif
/**
* \def MBEDTLS_LMS_C
*
* Enable the LMS stateful-hash asymmetric signature algorithm.
*
* Module: library/lms.c
* Caller:
*
* Requires: MBEDTLS_PSA_CRYPTO_C
*
* Uncomment to enable the LMS verification algorithm and public key operations.
*
* This is disable by now. When we shift to PSA, we will enable it.
*/
#undef MBEDTLS_LMS_C
/**
* \def MBEDTLS_MD_C
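Review bot: The new comment above `#undef MBEDTLS_LMS_C` reads `This is disable by now.`, which is ungrammatical and ambiguous (it can be read as "disabled by this point"); suggest `This is deliberately left disabled for now; it will be enabled once the port moves to PSA crypto.` It would also help to state that, unlike the surrounding modules, this one intentionally has no CONFIG_ knob, so that nobody adds one without the MBEDTLS_PSA_CRYPTO_C prerequisite named in the `Requires:` line.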
@@ -2233,7 +2547,11 @@
*
* Uncomment to enable generic message digest wrappers.
*/
#ifdef CONFIG_MBEDTLS_MD_C
#define MBEDTLS_MD_C
#else
#undef MBEDTLS_MD_C
#endif
/**
* \def MBEDTLS_MD5_C
@@ -2248,7 +2566,11 @@
* This module is required for SSL/TLS and X.509.
* PEM_PARSE uses MD5 for decrypting encrypted keys.
*/
#ifdef CONFIG_MBEDTLS_MD5_C
#define MBEDTLS_MD5_C
#else
#undef MBEDTLS_MD5_C
#endif
/**
* \def MBEDTLS_NET_C
@@ -2292,7 +2614,11 @@
*
* This modules translates between OIDs and internal values.
*/
#ifdef CONFIG_MBEDTLS_OID_C
#define MBEDTLS_OID_C
#else
#undef MBEDTLS_OID_C
#endif
/**
* \def MBEDTLS_PADLOCK_C
@@ -2306,7 +2632,7 @@
*
* This modules adds support for the VIA PadLock on x86.
*/
#define MBEDTLS_PADLOCK_C
#undef MBEDTLS_PADLOCK_C
/**
* \def MBEDTLS_PEM_PARSE_C
@@ -2368,7 +2694,11 @@
*
* Uncomment to enable generic public key wrappers.
*/
#ifdef CONFIG_MBEDTLS_PK_C
#define MBEDTLS_PK_C
#else
#undef MBEDTLS_PK_C
#endif
/**
* \def MBEDTLS_PK_PARSE_C
@@ -2383,7 +2713,11 @@
*
* Uncomment to enable generic public key parse functions.
*/
#ifdef CONFIG_MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_PARSE_C
#else
#undef MBEDTLS_PK_PARSE_C
#endif
/**
* \def MBEDTLS_PK_WRITE_C
@@ -2397,7 +2731,11 @@
*
* Uncomment to enable generic public key write functions.
*/
#ifdef CONFIG_MBEDTLS_PK_WRITE_C
#define MBEDTLS_PK_WRITE_C
#else
#undef MBEDTLS_PK_WRITE_C
#endif
/**
* \def MBEDTLS_PKCS5_C
@@ -2410,7 +2748,11 @@
*
* This module adds support for the PKCS#5 functions.
*/
#ifdef CONFIG_MBEDTLS_PKCS5_C
#define MBEDTLS_PKCS5_C
#else
#undef MBEDTLS_PKCS5_C
#endif
/**
* \def MBEDTLS_PKCS7_C
@@ -2449,7 +2791,11 @@
*
* This module enables PKCS#12 functions.
*/
#ifdef CONFIG_MBEDTLS_PKCS12_C
#define MBEDTLS_PKCS12_C
#else
#undef MBEDTLS_PKCS12_C
#endif
/**
* \def MBEDTLS_PLATFORM_C
@@ -2518,7 +2864,11 @@
*
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
*/
#ifdef CONFIG_MBEDTLS_RSA_C
#define MBEDTLS_RSA_C
#else
#undef MBEDTLS_RSA_C
#endif
/**
* \def MBEDTLS_SHA1_C
@@ -2556,7 +2906,11 @@
*
* This module adds support for SHA-224.
*/
#ifdef CONFIG_MBEDTLS_SHA224_C
#define MBEDTLS_SHA224_C
#else
#undef MBEDTLS_SHA224_C
#endif
/**
* \def MBEDTLS_SHA256_C
@@ -2573,7 +2927,31 @@
* This module adds support for SHA-224 and SHA-256.
* This module is required for the SSL/TLS 1.2 PRF function.
*/
#ifdef CONFIG_MBEDTLS_SHA256_C
#define MBEDTLS_SHA256_C
#else
#undef MBEDTLS_SHA256_C
#endif
/**
* \def MBEDTLS_SHA384_C
*
* Enable the SHA-384 cryptographic hash algorithm.
*
* Module: library/sha512.c
* Caller: library/md.c
* library/psa_crypto_hash.c
* library/ssl_tls.c
* library/ssl*_client.c
* library/ssl*_server.c
*
* Comment to disable SHA-384
*/
#ifdef CONFIG_MBEDTLS_SHA384_C
#define MBEDTLS_SHA384_C
#else
#undef MBEDTLS_SHA384_C
#endif
/**
* \def MBEDTLS_SHA512_C
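Review bot: Splitting MBEDTLS_SHA384_C out of the SHA-512 block (this hunk, and the MBEDTLS_SHA512_C hunk that follows where the paired define/undef was removed) makes it possible to select SHA-384 without SHA-512, which check_config.h rejects: SHA-384 is implemented in library/sha512.c, as the `Module:` line above says, and MBEDTLS_SHA384_C requires MBEDTLS_SHA512_C. The Kconfig entry for SHA-384 should therefore carry `depends on MBEDTLS_SHA512_C` (or `select MBEDTLS_SHA512_C`), with a default that keeps existing builds unchanged. The Kconfig hunk is not visible here, so this may already be handled.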
@@ -2589,10 +2967,8 @@
* This module adds support for SHA-384 and SHA-512.
*/
#ifdef CONFIG_MBEDTLS_SHA512_C
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#else
#undef MBEDTLS_SHA384_C
#undef MBEDTLS_SHA512_C
#endif
@@ -2621,7 +2997,11 @@
*
* Requires: MBEDTLS_SSL_CACHE_C
*/
#ifdef CONFIG_MBEDTLS_SSL_CACHE_C
#define MBEDTLS_SSL_CACHE_C
#else
#undef MBEDTLS_SSL_CACHE_C
#endif
/**
* \def MBEDTLS_SSL_COOKIE_C
@@ -2631,7 +3011,11 @@
* Module: library/ssl_cookie.c
* Caller:
*/
#ifdef CONFIG_MBEDTLS_SSL_COOKIE_C
#define MBEDTLS_SSL_COOKIE_C
#else
#undef MBEDTLS_SSL_COOKIE_C
#endif
/**
* \def MBEDTLS_SSL_TICKET_C
@@ -2740,7 +3124,11 @@
*
* This module provides run-time version information.
*/
#ifdef CONFIG_MBEDTLS_VERSION_C
#define MBEDTLS_VERSION_C
#else
#undef MBEDTLS_VERSION_C
#endif
/**
* \def MBEDTLS_X509_USE_C
@@ -2757,7 +3145,11 @@
*
* This module is required for the X.509 parsing modules.
*/
#ifdef CONFIG_MBEDTLS_X509_USE_C
#define MBEDTLS_X509_USE_C
#else
#undef MBEDTLS_X509_USE_C
#endif
/**
* \def MBEDTLS_X509_CRT_PARSE_C
@@ -2773,7 +3165,11 @@
*
* This module is required for X.509 certificate parsing.
*/
#ifdef CONFIG_MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_X509_CRT_PARSE_C
#else
#undef MBEDTLS_X509_CRT_PARSE_C
#endif
/**
* \def MBEDTLS_X509_CRL_PARSE_C
@@ -2823,7 +3219,11 @@
*
* This module is the basis for creating X.509 certificates and CSRs.
*/
#ifdef CONFIG_MBEDTLS_X509_CREATE_C
#define MBEDTLS_X509_CREATE_C
#else
#undef MBEDTLS_X509_CREATE_C
#endif
/**
* \def MBEDTLS_X509_CRT_WRITE_C
@@ -2836,7 +3236,11 @@
*
* This module is required for X.509 certificate creation.
*/
#ifdef CONFIG_MBEDTLS_X509_CRT_WRITE_C
#define MBEDTLS_X509_CRT_WRITE_C
#else
#undef MBEDTLS_X509_CRT_WRITE_C
#endif
/**
* \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
@@ -2861,6 +3265,21 @@
#undef MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
#endif
/**
* \def MBEDTLS_X509_REMOVE_INFO
*
* Disable mbedtls_x509_*_info() and related APIs.
*
* Uncomment to omit mbedtls_x509_*_info(), as well as mbedtls_debug_print_crt()
* and other functions/constants only used by these functions, thus reducing
* the code footprint by several KB.
*/
#ifdef CONFIG_MBEDTLS_X509_REMOVE_INFO
#define MBEDTLS_X509_REMOVE_INFO
#else
#undef MBEDTLS_X509_REMOVE_INFO
#endif
/**
* \def MBEDTLS_X509_CSR_WRITE_C
*
@@ -2872,7 +3291,11 @@
*
* This module is required for X.509 certificate request writing.
*/
#ifdef CONFIG_MBEDTLS_X509_CSR_WRITE_C
#define MBEDTLS_X509_CSR_WRITE_C
#else
#undef MBEDTLS_X509_CSR_WRITE_C
#endif
/**
* \def MBEDTLS_XTEA_C