From f7be43c83ddda62d73038f55f0555dc36f130d64 Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Thu, 24 Apr 2025 10:00:17 +0800 Subject: [PATCH] feat(mbedtls): adds more configuration options --- components/mbedtls/Kconfig | 472 +++++++++++++++++- .../mbedtls/port/include/mbedtls/esp_config.h | 453 ++++++++++++++++- 2 files changed, 899 insertions(+), 26 deletions(-) diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 366b06fdf8..903a1dd8d7 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -97,6 +97,13 @@ menu "mbedTLS" This defines maximum outgoing fragment length, overriding default maximum content length (MBEDTLS_SSL_MAX_CONTENT_LEN). + config MBEDTLS_SSL_SERVER_NAME_INDICATION + bool "Enable server name indication" + default y + depends on MBEDTLS_X509_CRT_PARSE_C + help + Enable support for RFC 6066 server name indication (SNI). + config MBEDTLS_DYNAMIC_BUFFER bool "Using dynamic TX/RX buffer" default n @@ -135,6 +142,19 @@ menu "mbedTLS" This option will decrease the heap footprint for the TLS handshake, but may lead to a problem: If the respective ssl object needs to perform the TLS handshake again, the CA certificate should once again be registered to the ssl object. + config MBEDTLS_VERSION_FEATURES + bool "Enable mbedTLS version features" + default n + help + Enable mbedTLS version features. + This option allows Allow run-time checking of compile-time enabled features. + Disabling this option will save some code size. + + config MBEDTLS_X509_USE_C + bool "Enable X.509 certificate support" + default y + help + Enable X.509 certificate support. config MBEDTLS_DEBUG bool "Enable mbedTLS debugging" @@ -198,6 +218,14 @@ menu "mbedTLS" bool "TLS 1.3 PSK ephemeral key exchange mode" default y + config MBEDTLS_SSL_EARLY_DATA + bool "TLS 1.3 early data" + default n + depends on MBEDTLS_CLIENT_SSL_SESSION_TICKETS && \ + (MBEDTLS_SSL_TLS1_3_KEXM_PSK || MBEDTLS_SSL_TLS1_3_KEXM_EPHEMER) + help + Enable support for TLS 1.3 early data (0-RTT). + endmenu config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH @@ -234,7 +262,7 @@ menu "mbedTLS" This is a local optimization in handling a single, potentially long-lived connection. See mbedTLS documentation for required API and more details. - Disabling this option will save some code size. + Disabling this option will save some code and RAM size. config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE bool "Keep peer certificate after handshake completion" @@ -257,10 +285,25 @@ menu "mbedTLS" config MBEDTLS_PKCS7_C bool "Enable PKCS number 7" default y - depends on MBEDTLS_X509_CRL_PARSE_C + depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_OID_C && MBEDTLS_PK_PARSE_C && \ + MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_X509_CRL_PARSE_C && MBEDTLS_BIGNUM_C && MBEDTLS_MD_C help Enable PKCS number 7 core for using PKCS number 7-formatted signatures. + config MBEDTLS_PKCS12_C + bool "Enable PKCS number 12" + default y + depends on MBEDTLS_ASN1_PARSE_C && (MBEDTLS_MD_C) + help + Enable PKCS number 12 core for using PKCS number 12-formatted signatures. + + config MBEDTLS_PKCS5_C + bool "Enable PKCS#5 functions" + default y + select MBEDTLS_MD_C + help + Enable support for PKCS#5 functions. + config MBEDTLS_SSL_CID_PADDING_GRANULARITY int "Record plaintext padding" default 16 @@ -389,6 +432,32 @@ menu "mbedTLS" endmenu + config MBEDTLS_SELF_TEST + bool "Enable mbedTLS self-test" + default y + help + Enable mbedTLS self-test functions. + + config MBEDTLS_PKCS1_V15 + bool "Enable PKCS#1 v1.5 padding" + default y + depends on MBEDTLS_RSA_C + help + Enable support for PKCS#1 v1.5 operations. + + config MBEDTLS_PKCS1_V21 + bool "Enable PKCS#1 v2.1 padding" + default y + depends on MBEDTLS_RSA_C && MBEDTLS_MD_C + help + Enable support for PKCS#1 v2.1 operations. + + config MBEDTLS_PK_RSA_ALT_SUPPORT + bool "Enable RSA alt support" + default y + help + Support external private RSA keys (eg from a HSM) int the PK layer. + config MBEDTLS_ECP_RESTARTABLE bool "Enable mbedTLS ecp restartable" select MBEDTLS_ECDH_LEGACY_CONTEXT @@ -397,10 +466,34 @@ menu "mbedTLS" help Enable "non-blocking" ECC operations that can return early and be resumed. + config MBEDTLS_AES_ROM_TABLES + bool "Store AES tables in ROM" + default y + help + Store the AES tables in ROM instead of generating them at runtime. + Using precomputed ROM tables reduces RAM usage, but increases + flash usage. + + config MBEDTLS_AES_FEWER_TABLES + bool "Use fewer AES tables" + default n + help + Use fewer AES tables to reduce ROM/RAM usage. + Using fewer tables increases the time taken to generate the tables + at runtime, but reduces ROM/RAM usage. + + config MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + bool "Only support 128-bit AES keys" + default n + help + Only support 128-bit AES keys. + This reduces code size, but disables support for 192-bit and + 256-bit AES keys. + config MBEDTLS_CMAC_C bool "Enable CMAC mode for block ciphers" default n - depends on MBEDTLS_AES_C || MBEDTLS_DES_C + depends on (MBEDTLS_AES_C || MBEDTLS_DES_C) && MBEDTLS_CIPHER_C help Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers. @@ -507,10 +600,21 @@ menu "mbedTLS" operations using a non-AES cipher, you can safely disable this config, leading to reduction in binary size footprint. + config MBEDTLS_BIGNUM_C + bool "Enable multiple precision integer (bignum) support" + default y + help + Enable support for multiple precision integer (bignum) operations. + + This is required for RSA, DSA, DHM, ECDH and ECDSA. + + If you don't need any of these algorithms, you can disable this option + to save code size. + config MBEDTLS_HARDWARE_MPI bool "Enable hardware MPI (bignum) acceleration" default y - depends on !SPIRAM_CACHE_WORKAROUND_STRATEGY_DUPLDST && SOC_MPI_SUPPORTED + depends on !SPIRAM_CACHE_WORKAROUND_STRATEGY_DUPLDST && SOC_MPI_SUPPORTED && MBEDTLS_BIGNUM_C help Enable hardware accelerated multiple precision integer operations. @@ -519,6 +623,13 @@ menu "mbedTLS" These operations are used by RSA. + config MBEDTLS_GENPRIME + bool "Enable hardware prime number generation" + default y + depends on MBEDTLS_BIGNUM_C + help + Enable prime number generation. + config MBEDTLS_LARGE_KEY_SOFTWARE_MPI bool "Fallback to software implementation for larger MPI values" depends on MBEDTLS_HARDWARE_MPI @@ -567,6 +678,22 @@ menu "mbedTLS" SHA hardware acceleration is faster than software in some situations but slower in others. You should benchmark to find the best setting for you. + config MBEDTLS_SHA256_SMALLER + bool "Enable SHA-256 smaller implementation" + default n + depends on !MBEDTLS_HARDWARE_SHA && MBEDTLS_SHA256_C + help + Enable a smaller implementation of SHA-256 that has lower ROM footprint + but is slower than the default implementation. + + config MBEDTLS_SHA512_SMALLER + bool "Enable SHA-512 smaller implementation" + default n + depends on !MBEDTLS_HARDWARE_SHA && MBEDTLS_SHA512_C + help + Enable a smaller implementation of SHA-512 that has lower ROM footprint + but is slower than the default implementation. + config MBEDTLS_HARDWARE_ECC bool "Enable hardware ECC acceleration" default y @@ -631,7 +758,7 @@ menu "mbedTLS" default y help This option adds a delay after the actual ECDSA signature operation - so that the entire operation appears to be constant time for the software. + so that the entire operation appears to be constant  time for the software. This fix helps in protecting the device only in case of remote timing attack on the ECDSA private key. For e.g., When an interface is exposed by the device to perform ECDSA signature of an arbitrary message. @@ -718,11 +845,69 @@ menu "mbedTLS" config MBEDTLS_ECDSA_DETERMINISTIC bool "Enable deterministic ECDSA" - default y + default n help Standard ECDSA is "fragile" in the sense that lack of entropy when signing may result in a compromise of the long-term signing key. + config MBEDTLS_ENTROPY_C + bool "Enable entropy support" + default y + depends on MBEDTLS_SHA256_C || MBEDTLS_SHA512_C + help + Enable support for entropy sources and provides a generic + entropy pool. + + config MBEDTLS_ENTROPY_FORCE_SHA256 + bool "Force SHA-256 for entropy" + default n + depends on MBEDTLS_SHA256_C && MBEDTLS_SHA512_C + help + Force SHA-256 to be used for the entropy pool if both SHA-256 and SHA-512 are + enabled. On 32-bit architectures, SHA-256 can be faster than SHA-512 + + config MBEDTLS_CTR_DRBG_C + bool "Enable CTR_DRBG" + default y + depends on MBEDTLS_AES_C + help + Enable CTR_DRBG (CTR mode Deterministic Random Bit Generator). + The CTR_DRBG generator uses AES-256 by default. + + config MBEDTLS_HMAC_DRBG_C + bool "Enable HMAC_DRBG" + default n + depends on MBEDTLS_MD_C + help + Enable HMAC_DRBG (HMAC mode Deterministic Random Bit Generator). + + config MBEDTLS_OID_C + bool "Enable OID support" + default y + help + Enable support for Object Identifier (OID) parsing and printing. + This is used by X.509 and PKCS#11. + + config MBEDTLS_MD_C + bool "Enable message digest support" + default y + depends on MBEDTLS_MD5_C || MBEDTLS_RIPEMD160_C || MBEDTLS_SHA1_C || \ + MBEDTLS_SHA224_C || MBEDTLS_SHA256_C || MBEDTLS_SHA384_C || MBEDTLS_SHA512_C + help + Enable generic layer for message digest algorithms. + + config MBEDTLS_MD5_C + bool "Enable the MD5 cryptographic hash algorithm" + default y + help + Enables support for MD5. + This module is required for TLS 1.2 depending on the handshake parameters. + Further, it is used for checking MD5-signed certificates, and for PBKDF1 + when decrypting PEM-encoded encrypted keys. + MD5 is considered a weak message digest and its use constitutes + a security risk. If possible, consider stronger message digests + such as SHA-256 (part of the SHA-2 family). + config MBEDTLS_SHA1_C bool "Enable the SHA-1 cryptographic hash algorithm" default y @@ -738,20 +923,50 @@ menu "mbedTLS" please consider testing the changes in a controlled environment for individual features like OTA updates, cloud connectivity, secure local control, etc. + config MBEDTLS_SHA224_C + bool "Enable the SHA-224 cryptographic hash algorithm" + default n + help + Enable MBEDTLS_SHA224_C adds support for SHA-224. + + config MBEDTLS_SHA256_C + bool "Enable the SHA-256 cryptographic hash algorithm" + default y + help + Enable MBEDTLS_SHA256_C adds support for SHA-256. + + config MBEDTLS_SHA384_C + bool "Enable the SHA-384 cryptographic hash algorithm" + default y + help + Enable MBEDTLS_SHA384_C adds support for SHA-384. + config MBEDTLS_SHA512_C bool "Enable the SHA-384 and SHA-512 cryptographic hash algorithms" default y help - Enable MBEDTLS_SHA512_C adds support for SHA-384 and SHA-512. + Enable MBEDTLS_SHA512_C adds support for SHA-512. config MBEDTLS_SHA3_C bool "Enable the SHA3 cryptographic hash algorithm" - default n + default y help Enabling MBEDTLS_SHA3_C adds support for SHA3. Enabling this configuration option increases the flash footprint by almost 4KB. + config MBEDTLS_SSL_CACHE_C + bool "Enable SSL session cache" + default y + help + Enable simple SSL session cache implementation. + + config MBEDTLS_SSL_COOKIE_C + bool "Enable SSL session cookie" + default n + help + Enable basic DTLS cookie implementation for hello verification. + choice MBEDTLS_TLS_MODE bool "TLS Protocol Role" default MBEDTLS_TLS_SERVER_AND_CLIENT @@ -885,6 +1100,29 @@ menu "mbedTLS" endmenu # TLS key exchange modes + config MBEDTLS_SSL_RECORD_SIZE_LIMIT + bool "Enable support for record size limit" + default y + depends on MBEDTLS_SSL_PROTO_TLS1_3 + help + Enable support for record size limit in TLS 1.3. + + + config MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + bool "Enable support for TLS max fragment length extension" + default y + help + Enable support for the TLS max fragment length extension. + + config MBEDTLS_SSL_ALL_ALERT_MESSAGES + bool "Enable all TLS alert messages" + default y + help + Enable all TLS alert messages in case of encountered errors as per RFC. + If disabled, Mbed TLS can still communicate with other servers, only debugging of failures is harder. + The advantage of not sending alert messages, is that no information is given about reasons for failures + thus preventing adversaries of gaining intel. + config MBEDTLS_SSL_RENEGOTIATION bool "Support TLS renegotiation" depends on MBEDTLS_TLS_ENABLED && MBEDTLS_SSL_PROTO_TLS1_2 @@ -937,6 +1175,24 @@ menu "mbedTLS" Server support for RFC 5077 session tickets. See mbedTLS documentation for more details. Disabling this option will save some code size. + config MBEDTLS_BASE64_C + bool "Enable Base64 encoding/decoding" + default y + help + Enable Base64 encoding and decoding functions. This is required for PEM support. + + config MBEDTLS_ASN1_PARSE_C + bool "Enable ASN.1 parsing" + default y + help + Enable ASN.1 parsing functions. + + config MBEDTLS_ASN1_WRITE_C + bool "Enable ASN.1 writing" + default y + help + Enable ASN.1 writing functions. + menu "Symmetric Ciphers" config MBEDTLS_AES_C @@ -947,6 +1203,17 @@ menu "mbedTLS" bool "Camellia block cipher" default n + config MBEDTLS_ARIA_C + bool "ARIA block cipher" + default n + + config MBEDTLS_CAMELLIA_SMALL_MEMORY + bool "Use small memory implementation of Camellia" + default n + depends on MBEDTLS_CAMELLIA_C + help + Reduces ROM usage of the Camellia implementation + config MBEDTLS_DES_C bool "DES block cipher (legacy, insecure)" default n @@ -982,10 +1249,46 @@ menu "mbedTLS" Disabling this option saves some code size. + config MBEDTLS_CIPHER_MODE_CBC + bool "CBC (Cipher Block Chaining) block cipher modes" + default y + depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C + help + Enable Cipher Block Chaining (CBC) modes for AES and/or Camellia ciphers. + + config MBEDTLS_CIPHER_MODE_CFB + bool "CFB (Cipher Feedback) block cipher modes" + default y + depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C + help + Enable Cipher Feedback (CFB) modes for AES and/or Camellia ciphers. + + config MBEDTLS_CIPHER_MODE_CTR + bool "CTR (Counter) block cipher modes" + default y + depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C + help + Enable Counter (CTR) modes for AES and/or Camellia ciphers. + + config MBEDTLS_CIPHER_MODE_OFB + bool "OFB (Output Feedback) block cipher modes" + default y + depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C + help + Enable Output Feedback (OFB) modes for AES and/or Camellia ciphers. + + config MBEDTLS_CIPHER_MODE_XTS + bool "XTS (XEX Tweakable Block Cipher with Ciphertext Stealing) block cipher modes" + default y + depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C + help + Enable XEX Tweakable Block Cipher with Ciphertext Stealing (XTS) modes + for AES and/or Camellia ciphers. + config MBEDTLS_GCM_C bool "GCM (Galois/Counter) block cipher modes" default y - depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C + depends on (MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C) && MBEDTLS_CIPHER_C help Enable Galois/Counter Mode for AES and/or Camellia ciphers. @@ -994,10 +1297,53 @@ menu "mbedTLS" config MBEDTLS_NIST_KW_C bool "NIST key wrapping (KW) and KW padding (KWP)" default n - depends on MBEDTLS_AES_C + depends on MBEDTLS_AES_C && MBEDTLS_CIPHER_C help Enable NIST key wrapping and key wrapping padding. + config MBEDTLS_CIPHER_PADDING + bool "Cipher padding" + default y + depends on MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB + help + Enable padding for block ciphers. + + Padding is only used for block ciphers in CBC, CFB, CTR and OFB modes. + If you are using a stream cipher or a block cipher in ECB mode, you can + disable this option to save code size. + + config MBEDTLS_CIPHER_PADDING_PKCS7 + bool "PKCS#7 padding" + default y + depends on MBEDTLS_CIPHER_PADDING && \ + (MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB) + help + Enable PKCS#7 padding for block ciphers. + + config MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS + bool "One and zeros padding" + default y + depends on MBEDTLS_CIPHER_PADDING && \ + (MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB) + help + Enable one and zeros padding for block ciphers. + + config MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN + bool "Zeros and length padding" + default y + depends on MBEDTLS_CIPHER_PADDING && \ + (MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB) + help + Enable zeros and length padding for block ciphers. + + config MBEDTLS_CIPHER_PADDING_ZEROS + bool "Zeros padding" + default y + depends on MBEDTLS_CIPHER_PADDING && \ + (MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB) + help + Enable zeros padding for block ciphers. + endmenu # Symmetric Ciphers config MBEDTLS_RIPEMD160_C @@ -1026,17 +1372,83 @@ menu "mbedTLS" If writing certificate data only in DER format, disabling this option will save some code size. + config MBEDTLS_PK_C + bool "Enable generic public key layer" + default y + depends on MBEDTLS_MD_C && (MBEDTLS_RSA_C || MBEDTLS_ECP_C) + help + Enable support for generic public key layer. + + config MBEDTLS_PK_PARSE_C + bool "Enables generic public key parsing functions" + default y + depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_PK_C && MBEDTLS_OID_C + help + Enable generic public key parsing functions. + + config MBEDTLS_PK_WRITE_C + bool "Enables generic public key writing functions" + default y + depends on MBEDTLS_PK_C && MBEDTLS_OID_C && MBEDTLS_ASN1_WRITE_C + help + Enable generic public key writing functions. + + config MBEDTLS_X509_REMOVE_INFO + bool "Remove X.509 debug info" + default n + help + Removes mbedtls_x509_*_info(), as well as mbedtls_debug_print_crt() and other + functions/constants only used by these functions. + This will save some code size. + config MBEDTLS_X509_CRL_PARSE_C bool "X.509 CRL parsing" default y help Support for parsing X.509 Certificate Revocation Lists. + config MBEDTLS_X509_CRT_PARSE_C + bool "Enable X.509 certificate parsing" + default y + depends on MBEDTLS_X509_USE_C + help + Enable X.509 certificate parsing. + This is required for TLS and DTLS. + config MBEDTLS_X509_CSR_PARSE_C bool "X.509 CSR parsing" default y help Support for parsing X.509 Certificate Signing Requests + config MBEDTLS_X509_CREATE_C + bool "X.509 certificate creation" + default y + depends on MBEDTLS_BIGNUM_C && MBEDTLS_OID_C && \ + MBEDTLS_PK_WRITE_C && MBEDTLS_MD_C + help + Support for creating X.509 certificates and CSRs. + + config MBEDTLS_X509_CRT_WRITE_C + bool "X.509 certificate writing" + default y + depends on MBEDTLS_X509_CREATE_C + help + Support for writing X.509 certificates + + config MBEDTLS_X509_CSR_WRITE_C + bool "X.509 CSR writing" + default y + depends on MBEDTLS_X509_CREATE_C + help + Support for writing X.509 CSRs + + config MBEDTLS_X509_RSASSA_PSS_SUPPORT + bool "X.509 PSS support" + default y + select MBEDTLS_PKCS1_V21 + depends on MBEDTLS_X509_CRL_PARSE_C || MBEDTLS_X509_CSR_PARSE_C || MBEDTLS_X509_CRT_PARSE_C + help + Support for parsing X.509 certificates with RSASSA-PSS signatures. endmenu # Certificates @@ -1064,6 +1476,8 @@ menu "mbedTLS" config MBEDTLS_DHM_C bool "Diffie-Hellman-Merkle key exchange (DHM)" default n + select MBEDTLS_BIGNUM_C + depends on MBEDTLS_ECP_C help Enable DHM. Needed to use DHE-xxx TLS ciphersuites. @@ -1071,6 +1485,14 @@ menu "mbedTLS" a suitable prime being used for the exchange. Please see detailed warning text about this in file `mbedtls/dhm.h` file. + config MBEDTLS_RSA_C + bool "RSA public key cryptosystem" + default y + select MBEDTLS_BIGNUM_C + select MBEDTLS_OID_C + help + Enable RSA. Needed to use RSA-xxx TLS ciphersuites. + config MBEDTLS_ECDH_C bool "Elliptic Curve Diffie-Hellman (ECDH)" depends on MBEDTLS_ECP_C @@ -1080,7 +1502,9 @@ menu "mbedTLS" config MBEDTLS_ECDSA_C bool "Elliptic Curve DSA" - depends on MBEDTLS_ECDH_C + depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_C + select MBEDTLS_ASN1_WRITE_C + select MBEDTLS_ASN1_PARSE_C default y help Enable ECDSA. Needed to use ECDSA-xxx TLS ciphersuites. @@ -1216,9 +1640,19 @@ menu "mbedTLS" help Enable support for ChaCha20-Poly1305 AEAD algorithm. + config MBEDTLS_CIPHER_C + bool "Cipher abstraction layer" + default y + help + Enable the cipher abstraction layer. This enables generic cipher wrappers + for the block ciphers and stream ciphers. + If you are not using the cipher abstraction layer, you can disable this + option to save some code size. + config MBEDTLS_HKDF_C bool "HKDF algorithm (RFC 5869)" default n + depends on MBEDTLS_MD_C help Enable support for the Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF). @@ -1230,6 +1664,12 @@ menu "mbedTLS" If you do intend to use contexts between threads, you will need to enable this layer to prevent race conditions. + config MBEDTLS_VERSION_C + bool "Enable version information" + default y + help + Enable version information functions. + config MBEDTLS_THREADING_ALT bool "Enable threading alternate implementation" depends on MBEDTLS_THREADING_C @@ -1252,6 +1692,16 @@ menu "mbedTLS" Disabling this config can save some code/rodata size as the error string conversion implementation is replaced with an empty stub. + config MBEDTLS_ERROR_STRERROR_DUMMY + bool "Enable a dummy error function to make use of mbedtls_strerror()" + default n + depends on !MBEDTLS_ERROR_STRINGS + help + This option enables a dummy error function to make use of mbedtls_strerror() + when MBEDTLS_ERROR_STRINGS is disabled. This is useful for applications + that use mbedtls_strerror() but do not need the actual error strings. + This option can be used to save code size when MBEDTLS_ERROR_STRINGS is disabled. + config MBEDTLS_USE_CRYPTO_ROM_IMPL_BOOTLOADER bool "Use ROM implementation of the crypto algorithm in the bootloader" depends on ESP_ROM_HAS_MBEDTLS_CRYPTO_LIB diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 54f49bdc14..611d0878a8 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -260,42 +260,107 @@ * * Uncomment this macro to store the AES tables in ROM. */ +#ifdef CONFIG_MBEDTLS_AES_ROM_TABLES #define MBEDTLS_AES_ROM_TABLES +#else +#undef MBEDTLS_AES_ROM_TABLES +#endif + +/** + * \def MBEDTLS_AES_FEWER_TABLES + * + * Use fewer tables for AES. + * + * Uncomment this macro to store fewer tables for AES + * in ROM or RAM. The values are computed at runtime. + * + */ + +#ifdef CONFIG_MBEDTLS_AES_FEWER_TABLES +#define MBEDTLS_AES_FEWER_TABLES +#else +#undef MBEDTLS_AES_FEWER_TABLES +#endif + +/** + * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + * + * Enable support for AES with only 128-bit key length. This disables + * support for 192-bit and 256-bit key lengths. + * + * Uncommenting this macro reduces the size of AES code + */ + +#ifdef CONFIG_MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +#else +#undef MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +#endif + +/** + * \def MBEDTLS_CAMELLIA_SMALL_MEMORY + * + * Enable small memory usage for Camellia cipher. + */ +#ifdef CONFIG_MBEDTLS_CAMELLIA_SMALL_MEMORY +#define MBEDTLS_CAMELLIA_SMALL_MEMORY +#else +#undef MBEDTLS_CAMELLIA_SMALL_MEMORY +#endif /** * \def MBEDTLS_CIPHER_MODE_CBC * * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. */ +#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CBC #define MBEDTLS_CIPHER_MODE_CBC +#else +#undef MBEDTLS_CIPHER_MODE_CBC +#endif /** * \def MBEDTLS_CIPHER_MODE_CFB * * Enable Cipher Feedback mode (CFB) for symmetric ciphers. */ +#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CFB #define MBEDTLS_CIPHER_MODE_CFB +#else +#undef MBEDTLS_CIPHER_MODE_CFB +#endif /** * \def MBEDTLS_CIPHER_MODE_CTR * * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. */ +#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CTR #define MBEDTLS_CIPHER_MODE_CTR - +#else +#undef MBEDTLS_CIPHER_MODE_CTR +#endif /** * \def MBEDTLS_CIPHER_MODE_OFB * * Enable Output Feedback mode (OFB) for symmetric ciphers. */ +#ifdef CONFIG_MBEDTLS_CIPHER_MODE_OFB #define MBEDTLS_CIPHER_MODE_OFB +#else +#undef MBEDTLS_CIPHER_MODE_OFB +#endif /** * \def MBEDTLS_CIPHER_MODE_XTS * * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. */ +#ifdef CONFIG_MBEDTLS_CIPHER_MODE_XTS #define MBEDTLS_CIPHER_MODE_XTS +#else +#undef MBEDTLS_CIPHER_MODE_XTS +#endif /** * \def MBEDTLS_CIPHER_PADDING_PKCS7 @@ -308,10 +373,29 @@ * * Enable padding modes in the cipher layer. */ +#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7 #define MBEDTLS_CIPHER_PADDING_PKCS7 +#else +#undef MBEDTLS_CIPHER_PADDING_PKCS7 +#endif + +#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +#else +#undef MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +#endif + +#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN +#else +#undef MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN +#endif + +#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS #define MBEDTLS_CIPHER_PADDING_ZEROS +#else +#undef MBEDTLS_CIPHER_PADDING_ZEROS +#endif /** * \def MBEDTLS_ECP_RESTARTABLE @@ -362,6 +446,8 @@ */ #ifdef CONFIG_MBEDTLS_ECP_RESTARTABLE #define MBEDTLS_ECP_RESTARTABLE +#else +#undef MBEDTLS_ECP_RESTARTABLE #endif /** @@ -885,7 +971,11 @@ * Disable if you run into name conflicts and want to really remove the * mbedtls_strerror() */ +#ifdef CONFIG_MBEDTLS_ERROR_STRERROR_DUMMY #define MBEDTLS_ERROR_STRERROR_DUMMY +#else +#undef MBEDTLS_ERROR_STRERROR_DUMMY +#endif /** * \def MBEDTLS_GENPRIME @@ -894,7 +984,11 @@ * * Requires: MBEDTLS_BIGNUM_C */ +#ifdef CONFIG_MBEDTLS_GENPRIME #define MBEDTLS_GENPRIME +#else +#undef MBEDTLS_GENPRIME +#endif /** * \def MBEDTLS_FS_IO @@ -922,6 +1016,26 @@ #define MBEDTLS_NO_PLATFORM_ENTROPY #endif // !CONFIG_IDF_TARGET_LINUX +/** + * \def MBEDTLS_ENTROPY_FORCE_SHA256 + * + * Force the entropy accumulator to use a SHA-256 accumulator instead of the + * default SHA-512 based one (if both are available). + * + * Requires: MBEDTLS_SHA256_C + * + * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option + * if you have performance concerns. + * + * This option is only useful if both MBEDTLS_SHA256_C and + * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. + */ +#ifdef CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256 +#define MBEDTLS_ENTROPY_FORCE_SHA256 +#else +#undef MBEDTLS_ENTROPY_FORCE_SHA256 +#endif + /** * \def MBEDTLS_PK_RSA_ALT_SUPPORT * @@ -929,7 +1043,11 @@ * * Comment this macro to disable support for external private RSA keys. */ +#ifdef CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT #define MBEDTLS_PK_RSA_ALT_SUPPORT +#else +#undef MBEDTLS_PK_RSA_ALT_SUPPORT +#endif /** * \def MBEDTLS_PKCS1_V15 @@ -940,7 +1058,11 @@ * * This enables support for PKCS#1 v1.5 operations. */ +#ifdef CONFIG_MBEDTLS_PKCS1_V15 #define MBEDTLS_PKCS1_V15 +#else +#undef MBEDTLS_PKCS1_V15 +#endif /** * \def MBEDTLS_PKCS1_V21 @@ -951,14 +1073,55 @@ * * This enables support for RSAES-OAEP and RSASSA-PSS operations. */ +#ifdef CONFIG_MBEDTLS_PKCS1_V21 #define MBEDTLS_PKCS1_V21 +#else +#undef MBEDTLS_PKCS1_V21 +#endif /** * \def MBEDTLS_SELF_TEST * * Enable the checkup functions (*_self_test). */ +#ifdef CONFIG_MBEDTLS_SELF_TEST #define MBEDTLS_SELF_TEST +#else +#undef MBEDTLS_SELF_TEST +#endif + +/** + * \def MBEDTLS_SHA256_SMALLER + * + * Enable an implementation of SHA-256 that has lower ROM footprint but also + * lower performance. + * + * The default implementation is meant to be a reasonable compromise between + * performance and size. This version optimizes more aggressively for size at + * the expense of performance. Eg on Cortex-M4 it reduces the size of + * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about + * 30%. + * + * Uncomment to enable the smaller implementation of SHA256. + */ +#ifdef CONFIG_MBEDTLS_SHA256_SMALLER +#define MBEDTLS_SHA256_SMALLER +#else +#undef MBEDTLS_SHA256_SMALLER +#endif + +/** + * \def MBEDTLS_SHA512_SMALLER + * Enable an implementation of SHA-512 that has lower ROM footprint but also + * lower performance. + * + * Uncomment to enable the smaller implementation of SHA512. + */ +#ifdef CONFIG_MBEDTLS_SHA512_SMALLER +#define MBEDTLS_SHA512_SMALLER +#else +#undef MBEDTLS_SHA512_SMALLER +#endif /** * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES @@ -972,7 +1135,11 @@ * * Enable sending of all alert messages */ +#ifdef CONFIG_MBEDTLS_SSL_ALL_ALERT_MESSAGES #define MBEDTLS_SSL_ALL_ALERT_MESSAGES +#else +#undef MBEDTLS_SSL_ALL_ALERT_MESSAGES +#endif /** * \def MBEDTLS_SSL_DTLS_CONNECTION_ID @@ -1210,21 +1377,26 @@ * * Comment this macro to disable support for the max_fragment_length extension */ +#ifdef CONFIG_MBEDTLS_SSL_MAX_FRAGMENT_LENGTH #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +#else +#undef MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +#endif /** * \def MBEDTLS_SSL_RECORD_SIZE_LIMIT * * Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only). * - * \warning This extension is currently in development and must NOT be used except - * for testing purposes. - * * Requires: MBEDTLS_SSL_PROTO_TLS1_3 * * Uncomment this macro to enable support for the record_size_limit extension */ -//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT +#ifdef CONFIG_MBEDTLS_SSL_RECORD_SIZE_LIMIT +#define MBEDTLS_SSL_RECORD_SIZE_LIMIT +#else +#undef MBEDTLS_SSL_RECORD_SIZE_LIMIT +#endif /** * \def MBEDTLS_SSL_PROTO_TLS1_2 @@ -1393,11 +1565,12 @@ * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3 * is not enabled, this option does not have any effect on the build. * - * This feature is experimental, not completed and thus not ready for - * production. - * */ -//#define MBEDTLS_SSL_EARLY_DATA +#ifdef CONFIG_MBEDTLS_SSL_EARLY_DATA +#define MBEDTLS_SSL_EARLY_DATA +#else +#undef MBEDTLS_SSL_EARLY_DATA +#endif /** * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE @@ -1517,7 +1690,7 @@ * * Uncomment this to enable support for use_srtp extension. */ -#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS +#ifdef CONFIG_MBEDTLS_SSL_DTLS_SRTP #define MBEDTLS_SSL_DTLS_SRTP #else #undef MBEDTLS_SSL_DTLS_SRTP @@ -1580,8 +1753,11 @@ * * Comment this macro to disable support for server name indication in SSL */ +#ifdef CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION #define MBEDTLS_SSL_SERVER_NAME_INDICATION - +#else +#undef MBEDTLS_SSL_SERVER_NAME_INDICATION +#endif /** * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH @@ -1609,7 +1785,11 @@ * * Comment this to disable run-time checking and save ROM space */ +#ifdef CONFIG_MBEDTLS_VERSION_FEATURES #define MBEDTLS_VERSION_FEATURES +#else +#undef MBEDTLS_VERSION_FEATURES +#endif /** @@ -1620,7 +1800,11 @@ * * Comment this macro to disallow using RSASSA-PSS in certificates. */ +#ifdef CONFIG_MBEDTLS_X509_RSASSA_PSS_SUPPORT #define MBEDTLS_X509_RSASSA_PSS_SUPPORT +#else +#undef MBEDTLS_X509_RSASSA_PSS_SUPPORT +#endif /* \} name SECTION: mbed TLS feature support */ @@ -1644,7 +1828,33 @@ * * This modules adds support for the AES-NI instructions on x86-64 */ -#define MBEDTLS_AESNI_C +#undef MBEDTLS_AESNI_C + +/** + * \def MBEDTLS_AESCE_C + * + * Enable AES cryptographic extension support on Armv8. + * + * Module: library/aesce.c + * Caller: library/aes.c + * + * Requires: MBEDTLS_AES_C + * + * \warning Runtime detection only works on Linux. For non-Linux operating + * system, Armv8-A Cryptographic Extensions must be supported by + * the CPU when this option is enabled. + * + * \note Minimum compiler versions for this feature when targeting aarch64 + * are Clang 4.0; armclang 6.6; GCC 6.0; or MSVC 2019 version 16.11.2. + * Minimum compiler versions for this feature when targeting 32-bit + * Arm or Thumb are Clang 11.0; armclang 6.20; or GCC 6.0. + * + * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for + * armclang <= 6.9 + * + * This module adds support for the AES Armv8-A Cryptographic Extensions on Armv8 systems. + */ +#undef MBEDTLS_AESCE_C /** * \def MBEDTLS_AES_C @@ -1737,7 +1947,11 @@ * library/pkcs5.c * library/pkparse.c */ +#ifdef CONFIG_MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_PARSE_C +#else +#undef MBEDTLS_ASN1_PARSE_C +#endif /** * \def MBEDTLS_ASN1_WRITE_C @@ -1751,7 +1965,11 @@ * library/x509write_crt.c * library/mbedtls_x509write_csr.c */ +#ifdef CONFIG_MBEDTLS_ASN1_WRITE_C #define MBEDTLS_ASN1_WRITE_C +#else +#undef MBEDTLS_ASN1_WRITE_C +#endif /** * \def MBEDTLS_BASE64_C @@ -1763,7 +1981,11 @@ * * This module is required for PEM support (required by X.509). */ +#ifdef CONFIG_MBEDTLS_BASE64_C #define MBEDTLS_BASE64_C +#else +#undef MBEDTLS_BASE64_C +#endif /** * \def MBEDTLS_BIGNUM_C @@ -1783,7 +2005,11 @@ * * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. */ +#ifdef CONFIG_MBEDTLS_BIGNUM_C #define MBEDTLS_BIGNUM_C +#else +#undef MBEDTLS_BIGNUM_C +#endif /** * \def MBEDTLS_BLOWFISH_C @@ -1857,6 +2083,62 @@ #undef MBEDTLS_CAMELLIA_C #endif +/** + * \def MBEDTLS_ARIA_C + * + * Enable the ARIA block cipher. + * + * Module: library/aria.c + * Caller: library/cipher.c + * + * This module enables the following ciphersuites (if other requisites are + * enabled as well): + * + * MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 + */ +#ifdef CONFIG_MBEDTLS_ARIA_C +#define MBEDTLS_ARIA_C +#else +#undef MBEDTLS_ARIA_C +#endif + /** * \def MBEDTLS_CCM_C * @@ -1936,7 +2218,11 @@ * * Uncomment to enable generic cipher wrappers. */ +#ifdef CONFIG_MBEDTLS_CIPHER_C #define MBEDTLS_CIPHER_C +#else +#undef MBEDTLS_CIPHER_C +#endif /** * \def MBEDTLS_CTR_DRBG_C @@ -1950,7 +2236,11 @@ * * This module provides the CTR_DRBG AES-256 random number generator. */ +#ifdef CONFIG_MBEDTLS_CTR_DRBG_C #define MBEDTLS_CTR_DRBG_C +#else +#undef MBEDTLS_CTR_DRBG_C +#endif /** * \def MBEDTLS_DEBUG_C @@ -2117,7 +2407,11 @@ * * This module provides a generic entropy pool */ +#ifdef CONFIG_MBEDTLS_ENTROPY_C #define MBEDTLS_ENTROPY_C +#else +#undef MBEDTLS_ENTROPY_C +#endif /** * \def MBEDTLS_ERROR_C @@ -2200,7 +2494,27 @@ * * Uncomment to enable the HMAC_DRBG random number generator. */ +#ifdef CONFIG_MBEDTLS_HMAC_DRBG_C #define MBEDTLS_HMAC_DRBG_C +#else +#undef MBEDTLS_HMAC_DRBG_C +#endif + +/** + * \def MBEDTLS_LMS_C + * + * Enable the LMS stateful-hash asymmetric signature algorithm. + * + * Module: library/lms.c + * Caller: + * + * Requires: MBEDTLS_PSA_CRYPTO_C + * + * Uncomment to enable the LMS verification algorithm and public key operations. + * + * This is disable by now. When we shift to PSA, we will enable it. + */ +#undef MBEDTLS_LMS_C /** * \def MBEDTLS_MD_C @@ -2233,7 +2547,11 @@ * * Uncomment to enable generic message digest wrappers. */ +#ifdef CONFIG_MBEDTLS_MD_C #define MBEDTLS_MD_C +#else +#undef MBEDTLS_MD_C +#endif /** * \def MBEDTLS_MD5_C @@ -2248,7 +2566,11 @@ * This module is required for SSL/TLS and X.509. * PEM_PARSE uses MD5 for decrypting encrypted keys. */ +#ifdef CONFIG_MBEDTLS_MD5_C #define MBEDTLS_MD5_C +#else +#undef MBEDTLS_MD5_C +#endif /** * \def MBEDTLS_NET_C @@ -2292,7 +2614,11 @@ * * This modules translates between OIDs and internal values. */ +#ifdef CONFIG_MBEDTLS_OID_C #define MBEDTLS_OID_C +#else +#undef MBEDTLS_OID_C +#endif /** * \def MBEDTLS_PADLOCK_C @@ -2306,7 +2632,7 @@ * * This modules adds support for the VIA PadLock on x86. */ -#define MBEDTLS_PADLOCK_C +#undef MBEDTLS_PADLOCK_C /** * \def MBEDTLS_PEM_PARSE_C @@ -2368,7 +2694,11 @@ * * Uncomment to enable generic public key wrappers. */ +#ifdef CONFIG_MBEDTLS_PK_C #define MBEDTLS_PK_C +#else +#undef MBEDTLS_PK_C +#endif /** * \def MBEDTLS_PK_PARSE_C @@ -2383,7 +2713,11 @@ * * Uncomment to enable generic public key parse functions. */ +#ifdef CONFIG_MBEDTLS_PK_PARSE_C #define MBEDTLS_PK_PARSE_C +#else +#undef MBEDTLS_PK_PARSE_C +#endif /** * \def MBEDTLS_PK_WRITE_C @@ -2397,7 +2731,11 @@ * * Uncomment to enable generic public key write functions. */ +#ifdef CONFIG_MBEDTLS_PK_WRITE_C #define MBEDTLS_PK_WRITE_C +#else +#undef MBEDTLS_PK_WRITE_C +#endif /** * \def MBEDTLS_PKCS5_C @@ -2410,7 +2748,11 @@ * * This module adds support for the PKCS#5 functions. */ +#ifdef CONFIG_MBEDTLS_PKCS5_C #define MBEDTLS_PKCS5_C +#else +#undef MBEDTLS_PKCS5_C +#endif /** * \def MBEDTLS_PKCS7_C @@ -2449,7 +2791,11 @@ * * This module enables PKCS#12 functions. */ +#ifdef CONFIG_MBEDTLS_PKCS12_C #define MBEDTLS_PKCS12_C +#else +#undef MBEDTLS_PKCS12_C +#endif /** * \def MBEDTLS_PLATFORM_C @@ -2518,7 +2864,11 @@ * * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C */ +#ifdef CONFIG_MBEDTLS_RSA_C #define MBEDTLS_RSA_C +#else +#undef MBEDTLS_RSA_C +#endif /** * \def MBEDTLS_SHA1_C @@ -2556,7 +2906,11 @@ * * This module adds support for SHA-224. */ +#ifdef CONFIG_MBEDTLS_SHA224_C #define MBEDTLS_SHA224_C +#else +#undef MBEDTLS_SHA224_C +#endif /** * \def MBEDTLS_SHA256_C @@ -2573,7 +2927,31 @@ * This module adds support for SHA-224 and SHA-256. * This module is required for the SSL/TLS 1.2 PRF function. */ +#ifdef CONFIG_MBEDTLS_SHA256_C #define MBEDTLS_SHA256_C +#else +#undef MBEDTLS_SHA256_C +#endif + +/** + * \def MBEDTLS_SHA384_C + * + * Enable the SHA-384 cryptographic hash algorithm. + * + * Module: library/sha512.c + * Caller: library/md.c + * library/psa_crypto_hash.c + * library/ssl_tls.c + * library/ssl*_client.c + * library/ssl*_server.c + * + * Comment to disable SHA-384 + */ +#ifdef CONFIG_MBEDTLS_SHA384_C +#define MBEDTLS_SHA384_C +#else +#undef MBEDTLS_SHA384_C +#endif /** * \def MBEDTLS_SHA512_C @@ -2589,10 +2967,8 @@ * This module adds support for SHA-384 and SHA-512. */ #ifdef CONFIG_MBEDTLS_SHA512_C -#define MBEDTLS_SHA384_C #define MBEDTLS_SHA512_C #else -#undef MBEDTLS_SHA384_C #undef MBEDTLS_SHA512_C #endif @@ -2621,7 +2997,11 @@ * * Requires: MBEDTLS_SSL_CACHE_C */ +#ifdef CONFIG_MBEDTLS_SSL_CACHE_C #define MBEDTLS_SSL_CACHE_C +#else +#undef MBEDTLS_SSL_CACHE_C +#endif /** * \def MBEDTLS_SSL_COOKIE_C @@ -2631,7 +3011,11 @@ * Module: library/ssl_cookie.c * Caller: */ +#ifdef CONFIG_MBEDTLS_SSL_COOKIE_C #define MBEDTLS_SSL_COOKIE_C +#else +#undef MBEDTLS_SSL_COOKIE_C +#endif /** * \def MBEDTLS_SSL_TICKET_C @@ -2740,7 +3124,11 @@ * * This module provides run-time version information. */ +#ifdef CONFIG_MBEDTLS_VERSION_C #define MBEDTLS_VERSION_C +#else +#undef MBEDTLS_VERSION_C +#endif /** * \def MBEDTLS_X509_USE_C @@ -2757,7 +3145,11 @@ * * This module is required for the X.509 parsing modules. */ +#ifdef CONFIG_MBEDTLS_X509_USE_C #define MBEDTLS_X509_USE_C +#else +#undef MBEDTLS_X509_USE_C +#endif /** * \def MBEDTLS_X509_CRT_PARSE_C @@ -2773,7 +3165,11 @@ * * This module is required for X.509 certificate parsing. */ +#ifdef CONFIG_MBEDTLS_X509_CRT_PARSE_C #define MBEDTLS_X509_CRT_PARSE_C +#else +#undef MBEDTLS_X509_CRT_PARSE_C +#endif /** * \def MBEDTLS_X509_CRL_PARSE_C @@ -2823,7 +3219,11 @@ * * This module is the basis for creating X.509 certificates and CSRs. */ +#ifdef CONFIG_MBEDTLS_X509_CREATE_C #define MBEDTLS_X509_CREATE_C +#else +#undef MBEDTLS_X509_CREATE_C +#endif /** * \def MBEDTLS_X509_CRT_WRITE_C @@ -2836,7 +3236,11 @@ * * This module is required for X.509 certificate creation. */ +#ifdef CONFIG_MBEDTLS_X509_CRT_WRITE_C #define MBEDTLS_X509_CRT_WRITE_C +#else +#undef MBEDTLS_X509_CRT_WRITE_C +#endif /** * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK @@ -2861,6 +3265,21 @@ #undef MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK #endif +/** + * \def MBEDTLS_X509_REMOVE_INFO + * + * Disable mbedtls_x509_*_info() and related APIs. + * + * Uncomment to omit mbedtls_x509_*_info(), as well as mbedtls_debug_print_crt() + * and other functions/constants only used by these functions, thus reducing + * the code footprint by several KB. + */ +#ifdef CONFIG_MBEDTLS_X509_REMOVE_INFO +#define MBEDTLS_X509_REMOVE_INFO +#else +#undef MBEDTLS_X509_REMOVE_INFO +#endif + /** * \def MBEDTLS_X509_CSR_WRITE_C * @@ -2872,7 +3291,11 @@ * * This module is required for X.509 certificate request writing. */ +#ifdef CONFIG_MBEDTLS_X509_CSR_WRITE_C #define MBEDTLS_X509_CSR_WRITE_C +#else +#undef MBEDTLS_X509_CSR_WRITE_C +#endif /** * \def MBEDTLS_XTEA_C