Mbed TLS v3.6.3
|
Configuration options (set of defines) More...
Go to the source code of this file.
Configuration options (set of defines)
This set of compile-time options may be used to enable or disable features selectively, and reduce the global memory footprint.
Definition in file mbedtls_config.h.
#define MBEDTLS_AES_ALT |
MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let Mbed TLS use your alternate core implementation of a symmetric crypto, an arithmetic or hash module (e.g. platform specific assembly optimized implementations). Keep in mind that the function prototypes should remain the same.
This replaces the whole module. If you only want to replace one of the functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
Example: In case you uncomment MBEDTLS_AES_ALT, Mbed TLS will no longer provide the "struct mbedtls_aes_context" definition and omit the base function declarations and implementations. "aes_alt.h" will be included from "aes.h" to include the new function definitions.
Uncomment a macro to enable alternate implementation of the corresponding module.
Definition at line 380 of file mbedtls_config.h.
#define MBEDTLS_AES_C |
Enable the AES block cipher.
Module: library/aes.c Caller: library/cipher.c library/pem.c library/ctr_drbg.c
This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
PEM_PARSE uses AES for decrypting encrypted keys.
Definition at line 2420 of file mbedtls_config.h.
#define MBEDTLS_AES_DECRYPT_ALT |
Definition at line 459 of file mbedtls_config.h.
#define MBEDTLS_AES_ENCRYPT_ALT |
Definition at line 458 of file mbedtls_config.h.
#define MBEDTLS_AES_FEWER_TABLES |
Use less ROM/RAM for AES tables.
Uncommenting this macro omits 75% of the AES tables from ROM / RAM (depending on the value of MBEDTLS_AES_ROM_TABLES
) by computing their values on the fly during operations (the tables are entry-wise rotations of one another).
Tradeoff: Uncommenting this reduces the RAM / ROM footprint by ~6kb but at the cost of more arithmetic operations during runtime. Specifically, one has to compare 4 accesses within different tables to 4 accesses with additional arithmetic operations within the same table. The performance gain/loss depends on the system and memory details.
This option is independent of MBEDTLS_AES_ROM_TABLES
.
Definition at line 583 of file mbedtls_config.h.
#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH |
Use only 128-bit keys in AES operations to save ROM.
Uncomment this macro to remove support for AES operations that use 192- or 256-bit keys.
Uncommenting this macro reduces the size of AES code by ~300 bytes on v8-M/Thumb2.
Module: library/aes.c
Requires: MBEDTLS_AES_C
Definition at line 600 of file mbedtls_config.h.
#define MBEDTLS_AES_ROM_TABLES |
Use precomputed AES tables stored in ROM.
Uncomment this macro to use precomputed AES tables stored in ROM. Comment this macro to generate AES tables in RAM at runtime.
Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb (or ~2kb if MBEDTLS_AES_FEWER_TABLES
is used) and reduces the initialization time before the first AES operation can be performed. It comes at the cost of additional ~8kb ROM use (resp. ~2kb if MBEDTLS_AES_FEWER_TABLES
below is used), and potentially degraded performance if ROM access is slower than RAM access.
This option is independent of MBEDTLS_AES_FEWER_TABLES
.
Definition at line 562 of file mbedtls_config.h.
#define MBEDTLS_AES_SETKEY_DEC_ALT |
Definition at line 457 of file mbedtls_config.h.
#define MBEDTLS_AES_SETKEY_ENC_ALT |
Definition at line 456 of file mbedtls_config.h.
#define MBEDTLS_AES_USE_HARDWARE_ONLY |
Definition at line 614 of file mbedtls_config.h.
#define MBEDTLS_AESCE_C |
Enable AES cryptographic extension support on Armv8.
Module: library/aesce.c Caller: library/aes.c
Requires: MBEDTLS_AES_C
CFLAGS
must be set to a minimum of -march=armv8-a+crypto
for armclang <= 6.9This module adds support for the AES Armv8-A Cryptographic Extensions on Armv8 systems.
Definition at line 2345 of file mbedtls_config.h.
#define MBEDTLS_AESNI_C |
Enable AES-NI support on x86-64 or x86-32.
library/aesni.c
and library/aes.c
with machine options to enable SSE2 and AESNI instructions: gcc -msse2 -maes -mpclmul
or clang -maes -mpclmul
.Module: library/aesni.c Caller: library/aes.c
Requires: MBEDTLS_HAVE_ASM (on some platforms, see note)
This modules adds support for the AES-NI instructions on x86.
Definition at line 2319 of file mbedtls_config.h.
#define MBEDTLS_ARIA_ALT |
Definition at line 381 of file mbedtls_config.h.
#define MBEDTLS_ARIA_C |
Enable the ARIA block cipher.
Module: library/aria.c Caller: library/cipher.c
This module enables the following ciphersuites (if other requisites are enabled as well):
MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
Definition at line 2609 of file mbedtls_config.h.
#define MBEDTLS_ASN1_PARSE_C |
Enable the generic ASN1 parser.
Module: library/asn1.c Caller: library/x509.c library/dhm.c library/pkcs12.c library/pkcs5.c library/pkparse.c
Definition at line 2434 of file mbedtls_config.h.
#define MBEDTLS_ASN1_WRITE_C |
Enable the generic ASN1 writer.
Module: library/asn1write.c Caller: library/ecdsa.c library/pkwrite.c library/x509_create.c library/x509write_crt.c library/x509write_csr.c
Definition at line 2448 of file mbedtls_config.h.
#define MBEDTLS_BASE64_C |
Enable the Base64 module.
Module: library/base64.c Caller: library/pem.c
This module is required for PEM support (required by X.509).
Definition at line 2460 of file mbedtls_config.h.
#define MBEDTLS_BIGNUM_C |
Enable the multi-precision integer library.
Module: library/bignum.c library/bignum_core.c library/bignum_mod.c library/bignum_mod_raw.c Caller: library/dhm.c library/ecp.c library/ecdsa.c library/rsa.c library/rsa_alt_helpers.c library/ssl_tls.c
This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
Definition at line 2502 of file mbedtls_config.h.
#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT |
Remove decryption operation for AES, ARIA and Camellia block cipher.
Module: library/aes.c library/aesce.c library/aesni.c library/aria.c library/camellia.c library/cipher.c
Definition at line 2482 of file mbedtls_config.h.
#define MBEDTLS_CAMELLIA_ALT |
Definition at line 382 of file mbedtls_config.h.
#define MBEDTLS_CAMELLIA_C |
Enable the Camellia block cipher.
Module: library/camellia.c Caller: library/cipher.c
This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 2557 of file mbedtls_config.h.
#define MBEDTLS_CAMELLIA_SMALL_MEMORY |
Use less ROM for the Camellia implementation (saves about 768 bytes).
Uncomment this macro to use less memory for Camellia.
Definition at line 623 of file mbedtls_config.h.
#define MBEDTLS_CCM_ALT |
Definition at line 383 of file mbedtls_config.h.
#define MBEDTLS_CCM_C |
Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
Module: library/ccm.c
Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C
This module enables the AES-CCM ciphersuites, if other requisites are enabled as well.
Definition at line 2624 of file mbedtls_config.h.
#define MBEDTLS_CHACHA20_ALT |
Definition at line 384 of file mbedtls_config.h.
#define MBEDTLS_CHACHA20_C |
Enable the ChaCha20 stream cipher.
Module: library/chacha20.c
Definition at line 2633 of file mbedtls_config.h.
#define MBEDTLS_CHACHAPOLY_ALT |
Definition at line 385 of file mbedtls_config.h.
#define MBEDTLS_CHACHAPOLY_C |
Enable the ChaCha20-Poly1305 AEAD algorithm.
Module: library/chachapoly.c
This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
Definition at line 2644 of file mbedtls_config.h.
#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) |
This macro is used at the beginning of the declaration of a function to indicate that its return value should be checked. It should instruct the compiler to emit a warning or an error if the function is called without checking its return value.
There is a default implementation for popular compilers in platform_util.h. You can override the default implementation by defining your own here.
If the implementation here is empty, this will effectively disable the checking of functions' return values.
Definition at line 4130 of file mbedtls_config.h.
#define MBEDTLS_CHECK_RETURN_WARNING |
If this macro is defined, emit a compile-time warning if application code calls a function without checking its return value, but the return value should generally be checked in portable applications.
This is only supported on platforms where MBEDTLS_CHECK_RETURN is implemented. Otherwise this option has no effect.
Uncomment to get warnings on using fallible functions without checking their return value.
Definition at line 646 of file mbedtls_config.h.
#define MBEDTLS_CIPHER_C |
Enable the generic cipher layer.
Module: library/cipher.c Caller: library/ccm.c library/cmac.c library/gcm.c library/nist_kw.c library/pkcs12.c library/pkcs5.c library/psa_crypto_aead.c library/psa_crypto_mac.c library/ssl_ciphersuites.c library/ssl_msg.c library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled) Auto-enabled by: MBEDTLS_PSA_CRYPTO_C depending on which ciphers are enabled (see the documentation of that option for details).
Uncomment to enable generic cipher wrappers.
Definition at line 2668 of file mbedtls_config.h.
#define MBEDTLS_CIPHER_MODE_CBC |
Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
Definition at line 653 of file mbedtls_config.h.
#define MBEDTLS_CIPHER_MODE_CFB |
Enable Cipher Feedback mode (CFB) for symmetric ciphers.
Definition at line 660 of file mbedtls_config.h.
#define MBEDTLS_CIPHER_MODE_CTR |
Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
Definition at line 667 of file mbedtls_config.h.
#define MBEDTLS_CIPHER_MODE_OFB |
Enable Output Feedback mode (OFB) for symmetric ciphers.
Definition at line 674 of file mbedtls_config.h.
#define MBEDTLS_CIPHER_MODE_XTS |
Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
Definition at line 681 of file mbedtls_config.h.
#define MBEDTLS_CIPHER_NULL_CIPHER |
Enable NULL cipher. Warning: Only do so when you know what you are doing. This allows for encryption or channels without any security!
To enable the following ciphersuites: MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_RSA_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_WITH_NULL_SHA MBEDTLS_TLS_RSA_WITH_NULL_MD5 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA MBEDTLS_TLS_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_PSK_WITH_NULL_SHA
Uncomment this macro to enable the NULL cipher and ciphersuites
Definition at line 713 of file mbedtls_config.h.
#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS |
Definition at line 727 of file mbedtls_config.h.
#define MBEDTLS_CIPHER_PADDING_PKCS7 |
MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for specific padding modes in the cipher layer with cipher modes that support padding (e.g. CBC)
If you disable all padding modes, only full blocks can be used with CBC.
Enable padding modes in the cipher layer.
Definition at line 726 of file mbedtls_config.h.
#define MBEDTLS_CIPHER_PADDING_ZEROS |
Definition at line 729 of file mbedtls_config.h.
#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN |
Definition at line 728 of file mbedtls_config.h.
#define MBEDTLS_CMAC_ALT |
Definition at line 386 of file mbedtls_config.h.
#define MBEDTLS_CMAC_C |
Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers.
Module: library/cmac.c
Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C
Definition at line 2686 of file mbedtls_config.h.
#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h" |
If defined, this is a header which will be included instead of "mbedtls/mbedtls_config.h"
. This header file specifies the compile-time configuration of Mbed TLS. Unlike other configuration options, this one must be defined on the compiler command line: a definition in mbedtls_config.h
would have no effect.
This macro is expanded after an #include
directive. This is a popular but non-standard feature of the C language, so this feature is only available with compilers that perform macro expansion on an #include
line.
The value of this symbol is typically a path in double quotes, either absolute or relative to a directory on the include search path.
Definition at line 3910 of file mbedtls_config.h.
#define MBEDTLS_CONFIG_VERSION 0x03000000 |
This is an optional version symbol that enables compatibility handling of config files.
It is equal to the MBEDTLS_VERSION_NUMBER of the Mbed TLS version that introduced the config format we want to be compatible with.
Definition at line 22 of file mbedtls_config.h.
#define MBEDTLS_CTR_DRBG_C |
Enable the CTR_DRBG AES-based random generator. The CTR_DRBG generator uses AES-256 by default. To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
above.
AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA. Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA is used.
psa_crypto_init()
before using any CTR_DRBG operation (except mbedtls_ctr_drbg_init()
).MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
is set.Module: library/ctr_drbg.c Caller:
Requires: MBEDTLS_AES_C or (PSA_WANT_KEY_TYPE_AES and PSA_WANT_ALG_ECB_NO_PADDING and MBEDTLS_PSA_CRYPTO_C)
This module provides the CTR_DRBG AES random number generator.
Definition at line 2717 of file mbedtls_config.h.
#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 |
The amount of entropy used per seed by default, in bytes.
Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256)
Definition at line 4037 of file mbedtls_config.h.
#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 |
Maximum number of additional input bytes
Definition at line 4039 of file mbedtls_config.h.
#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 |
Maximum number of requested bytes per call
Definition at line 4040 of file mbedtls_config.h.
#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 |
Maximum size of (re)seed buffer
Definition at line 4041 of file mbedtls_config.h.
#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 |
Interval before reseed is performed by default
Definition at line 4038 of file mbedtls_config.h.
#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY |
Uncomment this macro to use a 128-bit key in the CTR_DRBG module. Without this, CTR_DRBG uses a 256-bit key unless MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
is set.
Definition at line 737 of file mbedtls_config.h.
#define MBEDTLS_DEBUG_C |
Enable the debug functions.
Module: library/debug.c Caller: library/ssl_msg.c library/ssl_tls.c library/ssl_tls12_*.c library/ssl_tls13_*.c
This module provides debugging functions.
Definition at line 2732 of file mbedtls_config.h.
#define MBEDTLS_DEPRECATED_REMOVED |
Remove deprecated functions and features so that they generate an error if used. Functionality deprecated in one version will usually be removed in the next version. You can enable this to help you prepare the transition to a new major version by making sure your code is not using this functionality.
Uncomment to get errors on using deprecated functions and features.
Definition at line 330 of file mbedtls_config.h.
#define MBEDTLS_DEPRECATED_WARNING |
Mark deprecated functions and features so that they generate a warning if used. Functionality deprecated in one version will usually be removed in the next version. You can enable this to help you prepare the transition to a new major version by making sure your code is not using this functionality.
This only works with GCC and Clang. With other compilers, you may want to use MBEDTLS_DEPRECATED_REMOVED
Uncomment to get warnings on using deprecated functions and features.
Definition at line 318 of file mbedtls_config.h.
#define MBEDTLS_DES3_CRYPT_ECB_ALT |
Definition at line 455 of file mbedtls_config.h.
#define MBEDTLS_DES_ALT |
Definition at line 387 of file mbedtls_config.h.
#define MBEDTLS_DES_C |
Enable the DES block cipher.
Module: library/des.c Caller: library/pem.c library/cipher.c
PEM_PARSE uses DES/3DES for decrypting encrypted keys.
Definition at line 2748 of file mbedtls_config.h.
#define MBEDTLS_DES_CRYPT_ECB_ALT |
Definition at line 454 of file mbedtls_config.h.
#define MBEDTLS_DES_SETKEY_ALT |
Definition at line 453 of file mbedtls_config.h.
#define MBEDTLS_DHM_ALT |
Definition at line 388 of file mbedtls_config.h.
#define MBEDTLS_DHM_C |
Enable the Diffie-Hellman-Merkle module.
Module: library/dhm.c Caller: library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
This module is used by the following key exchanges: DHE-RSA, DHE-PSK
Definition at line 2770 of file mbedtls_config.h.
#define MBEDTLS_ECDH_C |
Enable the elliptic curve Diffie-Hellman library.
Module: library/ecdh.c Caller: library/psa_crypto.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
This module is used by the following key exchanges: ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
Requires: MBEDTLS_ECP_C
Definition at line 2788 of file mbedtls_config.h.
#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT |
Definition at line 461 of file mbedtls_config.h.
#define MBEDTLS_ECDH_GEN_PUBLIC_ALT |
Definition at line 460 of file mbedtls_config.h.
#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED |
Enable the verified implementations of ECDH primitives from Project Everest (currently only Curve25519). This feature changes the layout of ECDH contexts and therefore is a compatibility break for applications that access fields of a mbedtls_ecdh_context structure directly. See also MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h.
The Everest code is provided under the Apache 2.0 license only; therefore enabling this option is not compatible with taking the library under the GPL v2.0-or-later license.
Definition at line 749 of file mbedtls_config.h.
#define MBEDTLS_ECDSA_C |
Enable the elliptic curve DSA library.
Module: library/ecdsa.c Caller:
This module is used by the following key exchanges: ECDHE-ECDSA
Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C, and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a short Weierstrass curve.
Definition at line 2805 of file mbedtls_config.h.
#define MBEDTLS_ECDSA_DETERMINISTIC |
Enable deterministic ECDSA (RFC 6979). Standard ECDSA is "fragile" in the sense that lack of entropy when signing may result in a compromise of the long-term signing key. This is avoided by the deterministic variant.
Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C
Comment this macro to disable deterministic ECDSA.
Definition at line 861 of file mbedtls_config.h.
#define MBEDTLS_ECDSA_GENKEY_ALT |
Definition at line 464 of file mbedtls_config.h.
#define MBEDTLS_ECDSA_SIGN_ALT |
Definition at line 463 of file mbedtls_config.h.
#define MBEDTLS_ECDSA_VERIFY_ALT |
Definition at line 462 of file mbedtls_config.h.
#define MBEDTLS_ECJPAKE_ALT |
Definition at line 389 of file mbedtls_config.h.
#define MBEDTLS_ECJPAKE_C |
Enable the elliptic curve J-PAKE library.
Module: library/ecjpake.c Caller:
This module is used by the following key exchanges: ECJPAKE
Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C
Definition at line 2827 of file mbedtls_config.h.
#define MBEDTLS_ECP_ADD_MIXED_ALT |
Definition at line 522 of file mbedtls_config.h.
#define MBEDTLS_ECP_ALT |
Definition at line 409 of file mbedtls_config.h.
#define MBEDTLS_ECP_C |
Enable the elliptic curve over GF(p) library.
Module: library/ecp.c Caller: library/ecdh.c library/ecdsa.c library/ecjpake.c
Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
Definition at line 2841 of file mbedtls_config.h.
#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT |
Definition at line 527 of file mbedtls_config.h.
#define MBEDTLS_ECP_DOUBLE_JAC_ALT |
Definition at line 523 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_BP256R1_ENABLED |
Definition at line 768 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_BP384R1_ENABLED |
Definition at line 769 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_BP512R1_ENABLED |
Definition at line 770 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED |
Definition at line 772 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_CURVE448_ENABLED |
Definition at line 773 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_SECP192K1_ENABLED |
Definition at line 765 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED |
MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve module. By default all supported curves are enabled.
Comment macros to disable the curve and functions for it
Definition at line 760 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_SECP224K1_ENABLED |
Definition at line 766 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_SECP224R1_ENABLED |
Definition at line 761 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_SECP256K1_ENABLED |
Definition at line 767 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED |
Definition at line 762 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED |
Definition at line 763 of file mbedtls_config.h.
#define MBEDTLS_ECP_DP_SECP521R1_ENABLED |
Definition at line 764 of file mbedtls_config.h.
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 |
Enable fixed-point speed-up
Definition at line 4051 of file mbedtls_config.h.
#define MBEDTLS_ECP_INTERNAL_ALT |
Expose a part of the internal interface of the Elliptic Curve Point module.
MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let Mbed TLS use your alternative core implementation of elliptic curve arithmetic. Keep in mind that function prototypes should remain the same.
This partially replaces one function. The header file from Mbed TLS is still used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation is still present and it is used for group structures not supported by the alternative.
The original implementation can in addition be removed by setting the MBEDTLS_ECP_NO_FALLBACK option, in which case any function for which the corresponding MBEDTLS_ECP__FUNCTION_NAME__ALT macro is defined will not be able to fallback to curves not supported by the alternative implementation.
Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT and implementing the following functions: unsigned char mbedtls_internal_ecp_grp_capable( const mbedtls_ecp_group *grp ) int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ) void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp ) The mbedtls_internal_ecp_grp_capable function should return 1 if the replacement functions implement arithmetic for the given group and 0 otherwise. The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are called before and after each point operation and provide an opportunity to implement optimized set up and tear down instructions.
Example: In case you set MBEDTLS_ECP_INTERNAL_ALT and MBEDTLS_ECP_DOUBLE_JAC_ALT, Mbed TLS will still provide the ecp_double_jac() function, but will use your mbedtls_internal_ecp_double_jac() if the group for the operation is supported by your implementation (i.e. your mbedtls_internal_ecp_grp_capable() function returns 1 for this group). If the group is not supported by your implementation, then the original Mbed TLS implementation of ecp_double_jac() is used instead, unless this fallback behaviour is disabled by setting MBEDTLS_ECP_NO_FALLBACK (in which case ecp_double_jac() will return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE).
The function prototypes and the definition of mbedtls_ecp_group and mbedtls_ecp_point will not change based on MBEDTLS_ECP_INTERNAL_ALT, so your implementation of mbedtls_internal_ecp__function_name__ must be compatible with their definitions.
Uncomment a macro to enable alternate implementation of the corresponding function.
Definition at line 517 of file mbedtls_config.h.
#define MBEDTLS_ECP_NIST_OPTIM |
Enable specific 'modulo p' routines for each NIST prime. Depending on the prime and architecture, makes operations 4 to 8 times faster on the corresponding curve.
Comment this macro to disable NIST curves optimisation.
Definition at line 784 of file mbedtls_config.h.
#define MBEDTLS_ECP_NO_FALLBACK |
Definition at line 519 of file mbedtls_config.h.
#define MBEDTLS_ECP_NORMALIZE_JAC_ALT |
Definition at line 525 of file mbedtls_config.h.
#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT |
Definition at line 524 of file mbedtls_config.h.
#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT |
Definition at line 529 of file mbedtls_config.h.
#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT |
Definition at line 521 of file mbedtls_config.h.
#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT |
Definition at line 528 of file mbedtls_config.h.
#define MBEDTLS_ECP_RESTARTABLE |
Enable "non-blocking" ECC operations that can return early and be resumed.
This allows various functions to pause by returning MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module, MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in order to further progress and eventually complete their operation. This is controlled through mbedtls_ecp_set_max_ops() which limits the maximum number of ECC operations a function may perform before pausing; see mbedtls_ecp_set_max_ops() for more information.
This is useful in non-threaded environments if you want to avoid blocking for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
This option:
Requires: MBEDTLS_ECP_C
Uncomment this macro to enable restartable ECC computations.
Definition at line 839 of file mbedtls_config.h.
#define MBEDTLS_ECP_WINDOW_SIZE 4 |
Maximum window size used
Definition at line 4050 of file mbedtls_config.h.
#define MBEDTLS_ECP_WITH_MPI_UINT |
Uncomment to enable using new bignum code in the ECC modules.
Definition at line 847 of file mbedtls_config.h.
#define MBEDTLS_ENTROPY_C |
Enable the platform-specific entropy code.
Module: library/entropy.c Caller:
Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
This module provides a generic entropy pool
Definition at line 2855 of file mbedtls_config.h.
#define MBEDTLS_ENTROPY_FORCE_SHA256 |
Force the entropy accumulator to use a SHA-256 accumulator instead of the default SHA-512 based one (if both are available).
Requires: MBEDTLS_SHA256_C
On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option if you have performance concerns.
This option is only useful if both MBEDTLS_SHA256_C and MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
Definition at line 1225 of file mbedtls_config.h.
#define MBEDTLS_ENTROPY_HARDWARE_ALT |
Uncomment this macro to let Mbed TLS use your own implementation of a hardware entropy collector.
Your function must be called mbedtls_hardware_poll()
, have the same prototype as declared in library/entropy_poll.h, and accept NULL as first argument.
Uncomment to use your own hardware entropy collector.
Definition at line 543 of file mbedtls_config.h.
#define MBEDTLS_ENTROPY_MAX_GATHER 128 |
Maximum amount requested from entropy sources
Definition at line 4055 of file mbedtls_config.h.
#define MBEDTLS_ENTROPY_MAX_SOURCES 20 |
Maximum number of sources supported
Definition at line 4054 of file mbedtls_config.h.
#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 |
Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released
Definition at line 4056 of file mbedtls_config.h.
#define MBEDTLS_ENTROPY_NV_SEED |
Enable the non-volatile (NV) seed file-based entropy source. (Also enables the NV seed read/write functions in the platform layer)
This is crucial (if not required) on systems that do not have a cryptographic entropy source (in hardware or kernel) available.
Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
Definition at line 1253 of file mbedtls_config.h.
#define MBEDTLS_ERROR_C |
Enable error code to error string conversion.
Module: library/error.c Caller:
This module enables mbedtls_strerror().
Definition at line 2867 of file mbedtls_config.h.
#define MBEDTLS_ERROR_STRERROR_DUMMY |
Enable a dummy error function to make use of mbedtls_strerror() in third party libraries easier when MBEDTLS_ERROR_C is disabled (no effect when MBEDTLS_ERROR_C is enabled).
You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're not using mbedtls_strerror() or error_strerror() in your application.
Disable if you run into name conflicts and want to really remove the mbedtls_strerror()
Definition at line 1170 of file mbedtls_config.h.
#define MBEDTLS_FS_IO |
Enable functions that use the filesystem.
Definition at line 1186 of file mbedtls_config.h.
#define MBEDTLS_GCM_ALT |
Definition at line 390 of file mbedtls_config.h.
#define MBEDTLS_GCM_C |
Enable the Galois/Counter Mode (GCM).
Module: library/gcm.c
Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C
This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other requisites are enabled as well.
Definition at line 2882 of file mbedtls_config.h.
#define MBEDTLS_GCM_LARGE_TABLE |
Enable large pre-computed tables for Galois/Counter Mode (GCM). Can significantly increase throughput on systems without GCM hardware acceleration (e.g., AESNI, AESCE).
The mbedtls_gcm_context size will increase by 3840 bytes. The code size will increase by roughly 344 bytes.
Module: library/gcm.c
Requires: MBEDTLS_GCM_C
Definition at line 2898 of file mbedtls_config.h.
#define MBEDTLS_GENPRIME |
Enable the prime-number generation code.
Requires: MBEDTLS_BIGNUM_C
Definition at line 1179 of file mbedtls_config.h.
#define MBEDTLS_HAVE_ASM |
The compiler has support for asm().
Requires support for asm() in compiler.
Used in: library/aesni.h library/aria.c library/bn_mul.h library/constant_time.c library/padlock.h
Required by: MBEDTLS_AESCE_C MBEDTLS_AESNI_C (on some platforms) MBEDTLS_PADLOCK_C
Comment to disable the use of assembly code.
Definition at line 52 of file mbedtls_config.h.
#define MBEDTLS_HAVE_SSE2 |
CPU supports SSE2 instruction set.
Uncomment if the CPU supports SSE2 (IA-32 specific).
Definition at line 111 of file mbedtls_config.h.
#define MBEDTLS_HAVE_TIME |
System has time.h and time(). The time does not need to be correct, only time differences are used, by contrast with MBEDTLS_HAVE_TIME_DATE
Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and MBEDTLS_PLATFORM_STD_TIME.
Comment if your system does not support time functions.
Definition at line 131 of file mbedtls_config.h.
#define MBEDTLS_HAVE_TIME_DATE |
System has time.h, time(), and an implementation for mbedtls_platform_gmtime_r() (see below). The time needs to be correct (not necessarily very accurate, but at least the date should be correct). This is used to verify the validity period of X.509 certificates.
Comment if your system does not have a correct clock.
Definition at line 152 of file mbedtls_config.h.
#define MBEDTLS_HKDF_C |
Enable the HKDF algorithm (RFC 5869).
Module: library/hkdf.c Caller:
Requires: MBEDTLS_MD_C
This module adds support for the Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF).
Definition at line 2913 of file mbedtls_config.h.
#define MBEDTLS_HMAC_DRBG_C |
Enable the HMAC_DRBG random generator.
Module: library/hmac_drbg.c Caller:
Requires: MBEDTLS_MD_C
Uncomment to enable the HMAC_DRBG random number generator.
Definition at line 2927 of file mbedtls_config.h.
#define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 |
Maximum number of additional input bytes
Definition at line 4045 of file mbedtls_config.h.
#define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 |
Maximum number of requested bytes per call
Definition at line 4046 of file mbedtls_config.h.
#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 |
Maximum size of (re)seed buffer
Definition at line 4047 of file mbedtls_config.h.
#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 |
Interval before reseed is performed by default
Definition at line 4044 of file mbedtls_config.h.
#define MBEDTLS_IGNORE_RETURN | ( | result | ) | ((void) !(result)) |
This macro requires one argument, which should be a C function call. If that function call would cause a MBEDTLS_CHECK_RETURN warning, this warning is suppressed.
Call this macro with one argument, a function call, to suppress a warning from MBEDTLS_CHECK_RETURN due to that function call.
#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED |
Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_DHM_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 910 of file mbedtls_config.h.
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED |
Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
Definition at line 1008 of file mbedtls_config.h.
#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED |
Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA) MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
Definition at line 1081 of file mbedtls_config.h.
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED |
Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) MBEDTLS_RSA_C MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
Definition at line 1105 of file mbedtls_config.h.
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED |
Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA) MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 1057 of file mbedtls_config.h.
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED |
Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH)
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 928 of file mbedtls_config.h.
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED |
Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) MBEDTLS_RSA_C MBEDTLS_PKCS1_V15 MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 1033 of file mbedtls_config.h.
#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED |
Enable the ECJPAKE based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_ECJPAKE_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_JPAKE) SHA-256 (via MBEDTLS_SHA256_C or a PSA driver) MBEDTLS_ECP_DP_SECP256R1_ENABLED
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
Definition at line 1128 of file mbedtls_config.h.
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED |
Enable the PSK based ciphersuite modes in SSL / TLS.
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 881 of file mbedtls_config.h.
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED |
Enable the RSA-only based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
Definition at line 976 of file mbedtls_config.h.
#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED |
Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C
This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
Definition at line 951 of file mbedtls_config.h.
#define MBEDTLS_LMS_C |
Enable the LMS stateful-hash asymmetric signature algorithm.
Module: library/lms.c Caller:
Requires: MBEDTLS_PSA_CRYPTO_C
Uncomment to enable the LMS verification algorithm and public key operations.
Definition at line 2941 of file mbedtls_config.h.
#define MBEDTLS_LMS_PRIVATE |
Enable LMS private-key operations and signing code. Functions enabled by this option are experimental, and should not be used in production.
Requires: MBEDTLS_LMS_C
Uncomment to enable the LMS signature algorithm and private key operations.
Definition at line 2953 of file mbedtls_config.h.
#define MBEDTLS_MD5_ALT |
Definition at line 392 of file mbedtls_config.h.
#define MBEDTLS_MD5_C |
Enable the MD5 hash algorithm.
Module: library/md5.c Caller: library/md.c library/pem.c library/ssl_tls.c
This module is required for TLS 1.2 depending on the handshake parameters. Further, it is used for checking MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded encrypted keys.
Definition at line 3020 of file mbedtls_config.h.
#define MBEDTLS_MD5_PROCESS_ALT |
Definition at line 448 of file mbedtls_config.h.
#define MBEDTLS_MD_C |
Enable the generic layer for message digest (hashing) and HMAC.
Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C, MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C, MBEDTLS_SHA512_C, or MBEDTLS_PSA_CRYPTO_C with at least one hash. Module: library/md.c Caller: library/constant_time.c library/ecdsa.c library/ecjpake.c library/hkdf.c library/hmac_drbg.c library/pk.c library/pkcs5.c library/pkcs12.c library/psa_crypto_ecp.c library/psa_crypto_rsa.c library/rsa.c library/ssl_cookie.c library/ssl_msg.c library/ssl_tls.c library/x509.c library/x509_crt.c library/x509write_crt.c library/x509write_csr.c
Uncomment to enable generic message digest wrappers.
Definition at line 2999 of file mbedtls_config.h.
#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 |
Align on multiples of this value
Definition at line 4059 of file mbedtls_config.h.
#define MBEDTLS_MEMORY_BACKTRACE |
Include backtrace information with each allocated block.
Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C GLIBC-compatible backtrace() and backtrace_symbols() support
Uncomment this macro to include backtrace information
Definition at line 1290 of file mbedtls_config.h.
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C |
Enable the buffer allocator implementation that makes use of a (stack) based buffer to 'allocate' dynamic memory. (replaces calloc() and free() calls)
Module: library/memory_buffer_alloc.c
Requires: MBEDTLS_PLATFORM_C MBEDTLS_PLATFORM_MEMORY (to use it within Mbed TLS)
Enable this module to enable the buffer memory allocator.
Definition at line 3036 of file mbedtls_config.h.
#define MBEDTLS_MEMORY_DEBUG |
Enable debugging of buffer allocator memory issues. Automatically prints (to stderr) all (fatal) messages on memory allocation issues. Enables function for 'debug output' of allocated memory.
Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
Uncomment this macro to let the buffer allocator print out error messages.
Definition at line 1278 of file mbedtls_config.h.
#define MBEDTLS_MPI_MAX_SIZE 1024 |
Maximum number of bytes for usable MPIs.
Definition at line 4034 of file mbedtls_config.h.
#define MBEDTLS_MPI_WINDOW_SIZE 2 |
Maximum window size used.
Definition at line 4033 of file mbedtls_config.h.
#define MBEDTLS_NET_C |
Enable the TCP and UDP over IPv6/IPv4 networking routines.
mbedtls_ssl_set_bio()
.Module: library/net_sockets.c
This module provides networking routines.
Definition at line 3055 of file mbedtls_config.h.
#define MBEDTLS_NIST_KW_ALT |
Definition at line 391 of file mbedtls_config.h.
#define MBEDTLS_NIST_KW_C |
Enable the Key Wrapping mode for 128-bit block ciphers, as defined in NIST SP 800-38F. Only KW and KWP modes are supported. At the moment, only AES is approved by NIST.
Module: library/nist_kw.c
Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
Definition at line 2966 of file mbedtls_config.h.
#define MBEDTLS_NO_64BIT_MULTIPLICATION |
The platform lacks support for 32x32 -> 64-bit multiplication.
Used in: library/poly1305.c
Some parts of the library may use multiplication of two unsigned 32-bit operands with a 64-bit result in order to speed up computations. On some platforms, this is not available in hardware and has to be implemented in software, usually in a library provided by the toolchain.
Sometimes it is not desirable to have to link to that library. This option removes the dependency of that library on platforms that lack a hardware 64-bit multiplier by embedding a software implementation in Mbed TLS.
Note that depending on the compiler, this may decrease performance compared to using the library function provided by the toolchain.
Definition at line 102 of file mbedtls_config.h.
#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES |
Do not add default entropy sources in mbedtls_entropy_init().
This is useful to have more control over the added entropy sources in an application.
Uncomment this macro to prevent loading of default entropy functions.
Definition at line 1198 of file mbedtls_config.h.
#define MBEDTLS_NO_PLATFORM_ENTROPY |
Do not use built-in platform entropy functions. This is useful if your platform does not support standards like the /dev/urandom or Windows CryptoAPI.
Uncomment this macro to disable the built-in platform entropy functions.
Definition at line 1209 of file mbedtls_config.h.
#define MBEDTLS_NO_UDBL_DIVISION |
The platform lacks support for double-width integer division (64-bit division on a 32-bit platform, 128-bit division on a 64-bit platform).
Used in: include/mbedtls/bignum.h library/bignum.c
The bignum code uses double-width division to speed up some operations. Double-width division is often implemented in software that needs to be linked with the program. The presence of a double-width integer type is usually detected automatically through preprocessor macros, but the automatic detection cannot know whether the code needs to and can be linked with an implementation of division for that type. By default division is assumed to be usable if the type is present. Uncomment this option to prevent the use of double-width division.
Note that division for the native integer type is always required. Furthermore, a 64-bit type is always required even on a 32-bit platform, but it need not support multiplication or division. In some cases it is also desirable to disable some double-width operations. For example, if double-width division is implemented in software, disabling it can reduce code size in some embedded targets.
Definition at line 80 of file mbedtls_config.h.
#define MBEDTLS_OID_C |
Enable the OID database.
Module: library/oid.c Caller: library/asn1write.c library/pkcs5.c library/pkparse.c library/pkwrite.c library/rsa.c library/x509.c library/x509_create.c library/x509_crl.c library/x509_crt.c library/x509_csr.c library/x509write_crt.c library/x509write_csr.c
This modules translates between OIDs and internal values.
Definition at line 3078 of file mbedtls_config.h.
#define MBEDTLS_PADLOCK_C |
Enable VIA Padlock support on x86.
Module: library/padlock.c Caller: library/aes.c
Requires: MBEDTLS_HAVE_ASM
This modules adds support for the VIA PadLock on x86.
Definition at line 3092 of file mbedtls_config.h.
#define MBEDTLS_PEM_PARSE_C |
Enable PEM decoding / parsing.
Module: library/pem.c Caller: library/dhm.c library/pkparse.c library/x509_crl.c library/x509_crt.c library/x509_csr.c
Requires: MBEDTLS_BASE64_C optionally MBEDTLS_MD5_C, or PSA Crypto with MD5 (see below)
This modules adds support for decoding / parsing PEM files.
Definition at line 3114 of file mbedtls_config.h.
#define MBEDTLS_PEM_WRITE_C |
Enable PEM encoding / writing.
Module: library/pem.c Caller: library/pkwrite.c library/x509write_crt.c library/x509write_csr.c
Requires: MBEDTLS_BASE64_C
This modules adds support for encoding / writing PEM files.
Definition at line 3130 of file mbedtls_config.h.
#define MBEDTLS_PK_C |
Enable the generic public (asymmetric) key layer.
Module: library/pk.c Caller: library/psa_crypto_rsa.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c library/x509.c
Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C
Uncomment to enable generic public key wrappers.
Definition at line 3148 of file mbedtls_config.h.
#define MBEDTLS_PK_PARSE_C |
Enable the generic public (asymmetric) key parser.
Module: library/pkparse.c Caller: library/x509_crt.c library/x509_csr.c
Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_C
Uncomment to enable generic public key parse functions.
Definition at line 3163 of file mbedtls_config.h.
#define MBEDTLS_PK_PARSE_EC_COMPRESSED |
Enable the support for parsing public keys of type Short Weierstrass (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX) which are using the compressed point format. This parsing is done through ECP module's functions.
Definition at line 1155 of file mbedtls_config.h.
#define MBEDTLS_PK_PARSE_EC_EXTENDED |
Enhance support for reading EC keys using variants of SEC1 not allowed by RFC 5915 and RFC 5480.
Currently this means parsing the SpecifiedECDomain choice of EC parameters (only known groups are supported, not arbitrary domains, to avoid validation issues).
Disable if you only need to support RFC 5915 + 5480 key formats.
Definition at line 1142 of file mbedtls_config.h.
#define MBEDTLS_PK_RSA_ALT_SUPPORT |
Support external private RSA keys (eg from a HSM) in the PK layer.
Comment this macro to disable support for external private RSA keys.
Definition at line 1299 of file mbedtls_config.h.
#define MBEDTLS_PK_WRITE_C |
Enable the generic public (asymmetric) key writer.
Module: library/pkwrite.c Caller: library/x509write.c
Requires: MBEDTLS_ASN1_WRITE_C, MBEDTLS_OID_C, MBEDTLS_PK_C
Uncomment to enable generic public key write functions.
Definition at line 3177 of file mbedtls_config.h.
#define MBEDTLS_PKCS12_C |
Enable PKCS#12 PBE functions. Adds algorithms for parsing PKCS#8 encrypted private keys
Module: library/pkcs12.c Caller: library/pkparse.c
Requires: MBEDTLS_ASN1_PARSE_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C.
This module enables PKCS#12 functions.
Definition at line 3228 of file mbedtls_config.h.
#define MBEDTLS_PKCS1_V15 |
Enable support for PKCS#1 v1.5 encoding.
Requires: MBEDTLS_RSA_C
This enables support for PKCS#1 v1.5 operations.
Definition at line 1310 of file mbedtls_config.h.
#define MBEDTLS_PKCS1_V21 |
Enable support for PKCS#1 v2.1 encoding.
Requires: MBEDTLS_RSA_C
This enables support for RSAES-OAEP and RSASSA-PSS operations.
Definition at line 1324 of file mbedtls_config.h.
#define MBEDTLS_PKCS5_C |
Enable PKCS#5 functions.
Module: library/pkcs5.c
Auto-enables: MBEDTLS_MD_C
This module adds support for the PKCS#5 functions.
Definition at line 3193 of file mbedtls_config.h.
#define MBEDTLS_PKCS7_C |
Enable PKCS #7 core for using PKCS #7-formatted signatures. RFC Link - https://tools.ietf.org/html/rfc2315
Module: library/pkcs7.c
Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_MD_C
This module is required for the PKCS #7 parsing modules.
Definition at line 3209 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_C |
Enable the platform abstraction layer that allows you to re-assign functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned above to be specified at runtime or compile time respectively.
Module: library/platform.c Caller: Most other .c files
This module enables abstraction of common (libc) functions.
Definition at line 3248 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_CALLOC_MACRO calloc |
Default allocator macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_CALLOC for requirements.
Definition at line 4101 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_EXIT_ALT |
MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let Mbed TLS support the function in the platform abstraction layer.
Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, Mbed TLS will provide a function "mbedtls_platform_set_printf()" that allows you to set an alternative printf function pointer.
All these define require MBEDTLS_PLATFORM_C to be defined!
Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
Uncomment a macro to enable alternate implementation of specific base platform function
Definition at line 253 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_EXIT_MACRO exit |
Default exit macro to use, can be undefined
Definition at line 4103 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_FPRINTF_ALT |
Definition at line 255 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf |
Default fprintf macro to use, can be undefined
Definition at line 4107 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_FREE_MACRO free |
Default free macro to use, can be undefined. See MBEDTLS_PLATFORM_STD_FREE for requirements.
Definition at line 4102 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_GMTIME_R_ALT |
Uncomment the macro to let Mbed TLS use your alternate implementation of mbedtls_platform_gmtime_r(). This replaces the default implementation in platform_util.c.
gmtime() is not a thread-safe function as defined in the C standard. The library will try to use safer implementations of this function, such as gmtime_r() when available. However, if Mbed TLS cannot identify the target system, the implementation of mbedtls_platform_gmtime_r() will default to using the standard gmtime(). In this case, calls from the library to gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the library are also guarded with this mutex to avoid race conditions. However, if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will unconditionally use the implementation for mbedtls_platform_gmtime_r() supplied at compile time.
Definition at line 280 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_MEMORY |
Enable the memory allocation layer.
By default Mbed TLS uses the system-provided calloc() and free(). This allows different allocators (self-implemented or provided) to be provided to the platform abstraction layer.
Enabling MBEDTLS_PLATFORM_MEMORY without the MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and free() function pointer at runtime.
Enabling MBEDTLS_PLATFORM_MEMORY and specifying MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the alternate function at compile time.
An overview of how the value of mbedtls_calloc is determined:
Defining MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible. MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time. MBEDTLS_PLATFORM_STD_CALLOC and MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used, dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases. An uninitialized MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer. An uninitialized MBEDTLS_PLATFORM_STD_FREE does not do anything.
Requires: MBEDTLS_PLATFORM_C
Enable this layer to allow use of alternative memory allocators.
Definition at line 208 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_MS_TIME_ALT |
Definition at line 261 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO int64_t |
Definition at line 4114 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS |
Do not assign standard functions in the platform layer (e.g. calloc() to MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
This makes sure there are no linking errors on platforms that do not support these functions. You will HAVE to provide alternatives, either at runtime via the platform_set_xxx() functions or at compile time by setting the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a MBEDTLS_PLATFORM_XXX_MACRO.
Requires: MBEDTLS_PLATFORM_C
Uncomment to prevent default assignment of standard functions in the platform layer.
Definition at line 227 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_NV_SEED_ALT |
Definition at line 259 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read |
Default nv_seed_read function to use, can be undefined
Definition at line 4112 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write |
Default nv_seed_write function to use, can be undefined
Definition at line 4113 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_PRINTF_ALT |
Definition at line 256 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_PRINTF_MACRO printf |
Default printf macro to use, can be undefined
Definition at line 4108 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_SETBUF_ALT |
Definition at line 252 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf |
Default setbuf macro to use, can be undefined
Definition at line 4104 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT |
Definition at line 260 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_SNPRINTF_ALT |
Definition at line 257 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf |
Default snprintf macro to use, can be undefined
Definition at line 4110 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_CALLOC calloc |
Default allocator to use, can be undefined. It must initialize the allocated buffer memory to zeroes. The size of the buffer is the product of the two parameters. The calloc function returns either a null pointer or a pointer to the allocated space. If the product is 0, the function may either return NULL or a valid pointer to an array of size 0 which is a valid input to the deallocation function. An uninitialized MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer. See the description of MBEDTLS_PLATFORM_MEMORY for more details. The corresponding deallocation function is MBEDTLS_PLATFORM_STD_FREE.
Definition at line 4075 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_EXIT exit |
Default exit to use, can be undefined
Definition at line 4087 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 |
Default exit value to use, can be undefined
Definition at line 4094 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 |
Default exit value to use, can be undefined
Definition at line 4093 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf |
Default fprintf to use, can be undefined
Definition at line 4089 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_FREE free |
Default free to use, can be undefined. NULL is a valid parameter, and the function must do nothing. A non-null parameter will always be a pointer previously returned by MBEDTLS_PLATFORM_STD_CALLOC and not yet freed. An uninitialized MBEDTLS_PLATFORM_STD_FREE does not do anything. See the description of MBEDTLS_PLATFORM_MEMORY for more details (same principles as for MBEDTLS_PLATFORM_STD_CALLOC apply).
Definition at line 4085 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h> |
Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed.
Definition at line 4062 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" |
Seed file to read/write with default implementation
Definition at line 4097 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read |
Default nv_seed_read function to use, can be undefined
Definition at line 4095 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write |
Default nv_seed_write function to use, can be undefined
Definition at line 4096 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_PRINTF printf |
Default printf to use, can be undefined
Definition at line 4090 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_SETBUF setbuf |
Default setbuf to use, can be undefined
Definition at line 4086 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf |
Default snprintf to use, can be undefined
Definition at line 4092 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_STD_TIME time |
Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled
Definition at line 4088 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_TIME_ALT |
Definition at line 254 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_TIME_MACRO time |
Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled
Definition at line 4105 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t |
Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled
Definition at line 4106 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_VSNPRINTF_ALT |
Definition at line 258 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf |
Default vsnprintf macro to use, can be undefined
Definition at line 4111 of file mbedtls_config.h.
#define MBEDTLS_PLATFORM_ZEROIZE_ALT |
Uncomment the macro to let Mbed TLS use your alternate implementation of mbedtls_platform_zeroize(), to wipe sensitive data in memory. This replaces the default implementation in platform_util.c.
By default, the library uses a system function such as memset_s() (optional feature of C11), explicit_bzero() (BSD and compatible), or SecureZeroMemory (Windows). If no such function is detected, the library falls back to a plain C implementation. Compilers are technically permitted to optimize this implementation out, meaning that the memory is not actually wiped. The library tries to prevent that, but the C language makes it impossible to guarantee that the memory will always be wiped.
If your platform provides a guaranteed method to wipe memory which platform_util.c
does not detect, define this macro to the name of a function that takes two arguments, a void *
pointer and a length, and wipes that many bytes starting at the specified address. For example, if your platform has explicit_bzero() but platform_util.c
does not detect its presence, define MBEDTLS_PLATFORM_ZEROIZE_ALT
to be explicit_bzero
to use that function as mbedtls_platform_zeroize().
Definition at line 303 of file mbedtls_config.h.
#define MBEDTLS_POLY1305_ALT |
Definition at line 393 of file mbedtls_config.h.
#define MBEDTLS_POLY1305_C |
Enable the Poly1305 MAC algorithm.
Module: library/poly1305.c Caller: library/chachapoly.c
Definition at line 3258 of file mbedtls_config.h.
#define MBEDTLS_PRINTF_MS_TIME PRId64 |
Default fmt for printf. That's avoid compiler warning if mbedtls_ms_time_t is redefined
Definition at line 4115 of file mbedtls_config.h.
#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS |
Assume all buffers passed to PSA functions are owned exclusively by the PSA function and are not stored in shared memory.
This option may be enabled if all buffers passed to any PSA function reside in memory that is accessible only to the PSA function during its execution.
This option MUST be disabled whenever buffer arguments are in memory shared with an untrusted party, for example where arguments to PSA calls are passed across a trust boundary.
Definition at line 1506 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS |
Enable support for platform built-in keys. If you enable this feature, you must implement the function mbedtls_psa_platform_get_builtin_key(). See the documentation of that function for more information.
Built-in keys are typically derived from a hardware unique key or stored in a secure element.
Requires: MBEDTLS_PSA_CRYPTO_C.
Definition at line 1340 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_C |
Enable the Platform Security Architecture (PSA) cryptography API.
psa_xxx()
functions. That includes indirect calls, such as:Module: library/psa_crypto.c
Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C, or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. Auto-enables: MBEDTLS_CIPHER_C if any unauthenticated (ie, non-AEAD) cipher is enabled in PSA (unless it's fully accelerated, see docs/driver-only-builds.md about that).
Definition at line 3285 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_CLIENT |
Enable support for PSA crypto client.
Definition at line 1356 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_CONFIG |
This setting allows support for cryptographic mechanisms through the PSA API to be configured separately from support through the mbedtls API.
When this option is disabled, the PSA API exposes the cryptographic mechanisms that can be implemented on top of the mbedtls_xxx
API configured with MBEDTLS_XXX
symbols.
When this option is enabled, the PSA API exposes the cryptographic mechanisms requested by the PSA_WANT_XXX
symbols defined in include/psa/crypto_config.h. The corresponding MBEDTLS_XXX
settings are automatically enabled if required (i.e. if no PSA driver provides the mechanism). You may still freely enable additional MBEDTLS_XXX
symbols in mbedtls_config.h.
If the symbol MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies an alternative header to include instead of include/psa/crypto_config.h.
PSA_WANT_XXX
symbols is not completely finalized yet, and the configuration tooling is not ideally adapted to having two separate configuration files. Future minor releases of Mbed TLS may make minor changes to those symbols, but we will endeavor to provide a transition path. Nonetheless, this option is considered mature enough to use in production, as long as you accept that you may need to make minor changes to psa/crypto_config.h when upgrading Mbed TLS. Definition at line 2222 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" |
If defined, this is a header which will be included instead of "psa/crypto_config.h"
. This header file specifies which cryptographic mechanisms are available through the PSA API when MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and is not used when MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
This macro is expanded after an #include
directive. This is a popular but non-standard feature of the C language, so this feature is only available with compilers that perform macro expansion on an #include
line.
The value of this symbol is typically a path in double quotes, either absolute or relative to a directory on the include search path.
Definition at line 3945 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG |
Make the PSA Crypto module use an external random generator provided by a driver, instead of Mbed TLS's entropy and DRBG modules.
If you enable this option, you must configure the type mbedtls_psa_external_random_context_t in psa/crypto_platform.h and define a function called mbedtls_psa_external_get_random() with the following prototype: ``` psa_status_t mbedtls_psa_external_get_random( mbedtls_psa_external_random_context_t *context, uint8_t *output, size_t output_size, size_t *output_length); ); ``` The context
value is initialized to 0 before the first call. The function must fill the output
buffer with output_size
bytes of random data and set *output_length
to output_size
.
Requires: MBEDTLS_PSA_CRYPTO_C
Definition at line 1394 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER |
Definition at line 1265 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_PLATFORM_FILE "psa/crypto_platform_alt.h" |
If defined, this is a header which will be included instead of "psa/crypto_platform.h"
. This file should declare the same identifiers as the one in Mbed TLS, but with definitions adapted to the platform on which the library code will run.
This macro is expanded after an #include
directive. This is a popular but non-standard feature of the C language, so this feature is only available with compilers that perform macro expansion on an #include
line.
The value of this symbol is typically a path in double quotes, either absolute or relative to a directory on the include search path.
Definition at line 3984 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_SE_C |
Enable dynamic secure element support in the Platform Security Architecture cryptography API.
Module: library/psa_crypto_se.c
Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_C
Definition at line 3304 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_SPM |
When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure Partition Manager) integration which separates the code into two parts: a NSPE (Non-Secure Process Environment) and an SPE (Secure Process Environment).
If you enable this option, your build environment must include a header file "crypto_spe.h"
(either in the psa
subdirectory of the Mbed TLS header files, or in another directory on the compiler's include search path). Alternatively, your platform may customize the header psa/crypto_platform.h
, in which case it can skip or replace the inclusion of "crypto_spe.h"
.
Module: library/psa_crypto.c Requires: MBEDTLS_PSA_CRYPTO_C
Definition at line 1415 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_STORAGE_C |
Enable the Platform Security Architecture persistent key storage.
Module: library/psa_crypto_storage.c
Requires: MBEDTLS_PSA_CRYPTO_C, either MBEDTLS_PSA_ITS_FILE_C or a native implementation of the PSA ITS interface
Definition at line 3317 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_STRUCT_FILE "psa/crypto_struct_alt.h" |
If defined, this is a header which will be included instead of "psa/crypto_struct.h"
. This file should declare the same identifiers as the one in Mbed TLS, but with definitions adapted to the environment in which the library code will run. The typical use for this feature is to provide alternative type definitions on the client side in client-server integrations of PSA crypto, where operation structures contain handles instead of cryptographic data.
This macro is expanded after an #include
directive. This is a popular but non-standard feature of the C language, so this feature is only available with compilers that perform macro expansion on an #include
line.
The value of this symbol is typically a path in double quotes, either absolute or relative to a directory on the include search path.
Definition at line 4009 of file mbedtls_config.h.
#define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" |
If defined, this is a header which will be included after "psa/crypto_config.h"
or MBEDTLS_PSA_CRYPTO_CONFIG_FILE. This allows you to modify the default configuration, including the ability to undefine options that are enabled by default.
This macro is expanded after an #include
directive. This is a popular but non-standard feature of the C language, so this feature is only available with compilers that perform macro expansion on an #include
line.
The value of this symbol is typically a path in double quotes, either absolute or relative to a directory on the include search path.
Definition at line 3962 of file mbedtls_config.h.
#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 |
Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the PSA crypto subsystem.
If this option is unset, the library chooses a hash (currently between MBEDTLS_MD_SHA512 and MBEDTLS_MD_SHA256) based on availability and unspecified heuristics.
A future version may reevaluate the prioritization of DRBG mechanisms.
Definition at line 4158 of file mbedtls_config.h.
#define MBEDTLS_PSA_INJECT_ENTROPY |
Enable support for entropy injection at first boot. This feature is required on systems that do not have a built-in entropy source (TRNG). This feature is currently not supported on systems that have a built-in entropy source.
Requires: MBEDTLS_PSA_CRYPTO_STORAGE_C, MBEDTLS_ENTROPY_NV_SEED
Definition at line 1486 of file mbedtls_config.h.
#define MBEDTLS_PSA_ITS_FILE_C |
Enable the emulation of the Platform Security Architecture Internal Trusted Storage (PSA ITS) over files.
Module: library/psa_its_file.c
Requires: MBEDTLS_FS_IO
Definition at line 3329 of file mbedtls_config.h.
#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 |
When MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled, the maximum amount of PSA keys simultaneously in memory. This counts all volatile keys, plus loaded persistent keys.
When MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, the maximum number of loaded persistent keys.
Currently, persistent keys do not need to be loaded all the time while a multipart operation is in progress, only while the operation is being set up. This may change in future versions of the library.
Currently, the library traverses of the whole table on each access to a persistent key. Therefore large values may cause poor performance.
This option has no effect when MBEDTLS_PSA_CRYPTO_C is disabled.
Definition at line 4178 of file mbedtls_config.h.
#define MBEDTLS_PSA_KEY_STORE_DYNAMIC |
Dynamically resize the PSA key store to accommodate any number of volatile keys (until the heap memory is exhausted).
If this option is disabled, the key store has a fixed size MBEDTLS_PSA_KEY_SLOT_COUNT for volatile keys and loaded persistent keys together.
This option has no effect when MBEDTLS_PSA_CRYPTO_C is disabled.
Module: library/psa_crypto.c Requires: MBEDTLS_PSA_CRYPTO_C
Definition at line 1432 of file mbedtls_config.h.
#define MBEDTLS_PSA_P256M_DRIVER_ENABLED |
Uncomment to enable p256-m. This is an alternative implementation of key generation, ECDH and (randomized) ECDSA on the curve SECP256R1. Compared to the default implementation:
We recommend enabling this option if your application uses the PSA API and the only elliptic curve support it needs is ECDH and ECDSA over SECP256R1.
If you enable this option, you do not need to enable any ECC-related MBEDTLS_xxx option. You do need to separately request support for the cryptographic mechanisms through the PSA API:
Definition at line 1473 of file mbedtls_config.h.
#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 256 |
Define the size (in bytes) of each static key buffer when MBEDTLS_PSA_STATIC_KEY_SLOTS is set. If not explicitly defined then it's automatically guessed from available PSA keys enabled in the build through PSA_WANT_xxx symbols. If required by the application this parameter can be set to higher values in order to store larger objects (ex: raw keys), but please note that this will increase RAM usage.
Definition at line 4191 of file mbedtls_config.h.
#define MBEDTLS_PSA_STATIC_KEY_SLOTS |
Statically preallocate memory to store keys' material in PSA instead of allocating it dynamically when required. This allows builds without a heap, if none of the enabled cryptographic implementations or other features require it. This feature affects both volatile and persistent keys which means that it's not possible to persistently store a key which is larger than MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE.
Requires: MBEDTLS_PSA_CRYPTO_C
Definition at line 3349 of file mbedtls_config.h.
#define MBEDTLS_PSK_MAX_LEN 32 |
Max size of TLS pre-shared keys, in bytes (default 256 or 384 bits)
Definition at line 4290 of file mbedtls_config.h.
#define MBEDTLS_RIPEMD160_ALT |
Definition at line 394 of file mbedtls_config.h.
#define MBEDTLS_RIPEMD160_C |
Enable the RIPEMD-160 hash algorithm.
Module: library/ripemd160.c Caller: library/md.c
Definition at line 3360 of file mbedtls_config.h.
#define MBEDTLS_RIPEMD160_PROCESS_ALT |
Definition at line 449 of file mbedtls_config.h.
#define MBEDTLS_RSA_ALT |
Definition at line 395 of file mbedtls_config.h.
#define MBEDTLS_RSA_C |
Enable the RSA public-key cryptosystem.
Module: library/rsa.c library/rsa_alt_helpers.c Caller: library/pk.c library/psa_crypto.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
This module is used by the following key exchanges: RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
Definition at line 3380 of file mbedtls_config.h.
#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024 |
Minimum RSA key size that can be generated in bits (Minimum possible value is 128 bits)
Definition at line 4194 of file mbedtls_config.h.
#define MBEDTLS_RSA_NO_CRT |
Do not use the Chinese Remainder Theorem for the RSA private operation.
Uncomment this macro to disable the use of CRT in RSA.
Definition at line 1517 of file mbedtls_config.h.
#define MBEDTLS_SELF_TEST |
Enable the checkup functions (*_self_test).
Definition at line 1524 of file mbedtls_config.h.
#define MBEDTLS_SHA1_ALT |
Definition at line 396 of file mbedtls_config.h.
#define MBEDTLS_SHA1_C |
Enable the SHA1 cryptographic hash algorithm.
Module: library/sha1.c Caller: library/md.c library/psa_crypto_hash.c
This module is required for TLS 1.2 depending on the handshake parameters, and for SHA1-signed certificates.
Definition at line 3399 of file mbedtls_config.h.
#define MBEDTLS_SHA1_PROCESS_ALT |
Definition at line 450 of file mbedtls_config.h.
#define MBEDTLS_SHA224_C |
Enable the SHA-224 cryptographic hash algorithm.
Module: library/sha256.c Caller: library/md.c library/ssl_cookie.c
This module adds support for SHA-224.
Definition at line 3412 of file mbedtls_config.h.
#define MBEDTLS_SHA256_ALT |
Definition at line 397 of file mbedtls_config.h.
#define MBEDTLS_SHA256_C |
Enable the SHA-256 cryptographic hash algorithm.
Module: library/sha256.c Caller: library/entropy.c library/md.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
This module adds support for SHA-256. This module is required for the SSL/TLS 1.2 PRF function.
Definition at line 3429 of file mbedtls_config.h.
#define MBEDTLS_SHA256_PROCESS_ALT |
MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let Mbed TLS use you alternate core implementation of symmetric crypto or hash function. Keep in mind that function prototypes should remain the same.
This replaces only one function. The header file from Mbed TLS is still used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, Mbed TLS will no longer provide the mbedtls_sha1_process() function, but it will still provide the other function (using your mbedtls_sha1_process() function) and the definition of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible with this definition.
Uncomment a macro to enable alternate implementation of the corresponding function.
Definition at line 451 of file mbedtls_config.h.
#define MBEDTLS_SHA256_SMALLER |
Enable an implementation of SHA-256 that has lower ROM footprint but also lower performance.
The default implementation is meant to be a reasonable compromise between performance and size. This version optimizes more aggressively for size at the expense of performance. Eg on Cortex-M4 it reduces the size of mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about 30%.
Uncomment to enable the smaller implementation of SHA256.
Definition at line 1540 of file mbedtls_config.h.
#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT |
Definition at line 3470 of file mbedtls_config.h.
#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY |
Definition at line 3511 of file mbedtls_config.h.
#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT |
Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms with the ARMv8 cryptographic extensions if they are available at runtime. If not, the library will fall back to the C implementation.
CFLAGS
must be set to a minimum of -march=armv8-a+crypto
for armclang <= 6.9Requires: MBEDTLS_SHA256_C.
Module: library/sha256.c
Uncomment to have the library check for the Armv8-A SHA-256 crypto extensions and use them if available.
Definition at line 3461 of file mbedtls_config.h.
#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY |
Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms with the ARMv8 cryptographic extensions, which must be available at runtime or else an illegal instruction fault will occur.
CFLAGS
must be set to a minimum of -march=armv8-a+crypto
for armclang <= 6.9Requires: MBEDTLS_SHA256_C.
Module: library/sha256.c
Uncomment to have the library use the Armv8-A SHA-256 crypto extensions unconditionally.
Definition at line 3502 of file mbedtls_config.h.
#define MBEDTLS_SHA384_C |
Enable the SHA-384 cryptographic hash algorithm.
Module: library/sha512.c Caller: library/md.c library/psa_crypto_hash.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
Comment to disable SHA-384
Definition at line 3527 of file mbedtls_config.h.
#define MBEDTLS_SHA3_C |
Enable the SHA3 cryptographic hash algorithm.
Module: library/sha3.c
This module adds support for SHA3.
Definition at line 3553 of file mbedtls_config.h.
#define MBEDTLS_SHA512_ALT |
Definition at line 398 of file mbedtls_config.h.
#define MBEDTLS_SHA512_C |
Enable SHA-512 cryptographic hash algorithms.
Module: library/sha512.c Caller: library/entropy.c library/md.c library/ssl_tls.c library/ssl_cookie.c
This module adds support for SHA-512.
Definition at line 3542 of file mbedtls_config.h.
#define MBEDTLS_SHA512_PROCESS_ALT |
Definition at line 452 of file mbedtls_config.h.
#define MBEDTLS_SHA512_SMALLER |
Enable an implementation of SHA-512 that has lower ROM footprint but also lower performance.
Uncomment to enable the smaller implementation of SHA512.
Definition at line 1550 of file mbedtls_config.h.
#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT |
Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms with the ARMv8 cryptographic extensions if they are available at runtime. If not, the library will fall back to the C implementation.
CFLAGS
must be set to a minimum of -march=armv8.2-a+sha3
for armclang 6.9Requires: MBEDTLS_SHA512_C.
Module: library/sha512.c
Uncomment to have the library check for the A64 SHA-512 crypto extensions and use them if available.
Definition at line 3581 of file mbedtls_config.h.
#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY |
Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms with the ARMv8 cryptographic extensions, which must be available at runtime or else an illegal instruction fault will occur.
CFLAGS
must be set to a minimum of -march=armv8.2-a+sha3
for armclang 6.9Requires: MBEDTLS_SHA512_C.
Module: library/sha512.c
Uncomment to have the library use the A64 SHA-512 crypto extensions unconditionally.
Definition at line 3609 of file mbedtls_config.h.
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES |
Enable sending of alert messages in case of encountered errors as per RFC. If you choose not to send the alert messages, Mbed TLS can still communicate with other servers, only debugging of failures is harder.
The advantage of not sending alert messages, is that no information is given about reasons for failures thus preventing adversaries of gaining intel.
Enable sending of all alert messages
Definition at line 1564 of file mbedtls_config.h.
#define MBEDTLS_SSL_ALPN |
Enable support for RFC 7301 Application Layer Protocol Negotiation.
Comment this macro to disable support for ALPN.
Definition at line 1963 of file mbedtls_config.h.
#define MBEDTLS_SSL_ASYNC_PRIVATE |
Enable asynchronous external private key operations in SSL. This allows you to configure an SSL connection to call an external cryptographic module to perform private key operations instead of performing the operation inside the library.
Requires: MBEDTLS_X509_CRT_PARSE_C
Definition at line 1623 of file mbedtls_config.h.
#define MBEDTLS_SSL_CACHE_C |
Enable simple SSL cache implementation.
Module: library/ssl_cache.c Caller:
Requires: MBEDTLS_SSL_CACHE_C
Definition at line 3621 of file mbedtls_config.h.
#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 |
Maximum entries in cache
Definition at line 4198 of file mbedtls_config.h.
#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 |
1 day
Definition at line 4197 of file mbedtls_config.h.
#define MBEDTLS_SSL_CID_IN_LEN_MAX 32 |
The maximum length of CIDs used for incoming DTLS messages.
Definition at line 4228 of file mbedtls_config.h.
#define MBEDTLS_SSL_CID_OUT_LEN_MAX 32 |
The maximum length of CIDs used for outgoing DTLS messages.
Definition at line 4235 of file mbedtls_config.h.
#define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16 |
This option controls the use of record plaintext padding in TLS 1.3 and when using the Connection ID extension in DTLS 1.2.
The padding will always be chosen so that the length of the padded plaintext is a multiple of the value of this option.
Note: A value of 1
means that no padding will be used for outgoing records.
Note: On systems lacking division instructions, a power of two should be preferred.
Definition at line 4251 of file mbedtls_config.h.
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
Complete list of ciphersuites to use, in order of preference.
Use this to save a few hundred bytes of ROM (default ordering of all available ciphersuites) and a few to a few hundred bytes of RAM.
The value below is only an example, not the default.
Definition at line 4305 of file mbedtls_config.h.
#define MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME |
In TLS clients, when a client authenticates a server through its certificate, the client normally checks three things:
Omitting any of these checks is generally insecure, and can allow a malicious server to impersonate a legitimate server.
The third check may be safely skipped in some unusual scenarios, such as networks where eavesdropping is a risk but not active attacks, or a private PKI where the client equally trusts all servers that are accredited by the root CA.
You should call mbedtls_ssl_set_hostname() with the expected server name before starting a TLS handshake on a client (unless the client is set up to only use PSK-based authentication, which does not rely on the host name). This configuration option controls what happens if a TLS client is configured with the authentication mode MBEDTLS_SSL_VERIFY_REQUIRED (default), certificate authentication is enabled and the client does not call mbedtls_ssl_set_hostname():
Enable this option for strict backward compatibility if you have determined that it is secure in the scenario where you are using Mbed TLS.
Definition at line 1663 of file mbedtls_config.h.
#define MBEDTLS_SSL_CLI_C |
Enable the SSL/TLS client code.
Module: library/ssl*_client.c Caller:
Requires: MBEDTLS_SSL_TLS_C
This module is required for SSL/TLS client support.
Definition at line 3658 of file mbedtls_config.h.
#define MBEDTLS_SSL_CONTEXT_SERIALIZATION |
Enable serialization of the TLS context structures, through use of the functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load().
This pair of functions allows one side of a connection to serialize the context associated with the connection, then free or re-use that context while the serialized state is persisted elsewhere, and finally deserialize that state to a live context for resuming read/write operations on the connection. From a protocol perspective, the state of the connection is unaffected, in particular this is entirely transparent to the peer.
Note: this is distinct from TLS session resumption, which is part of the protocol and fully visible by the peer. TLS session resumption enables establishing new connections associated to a saved session with shorter, lighter handshakes, while context serialization is a local optimization in handling a single, potentially long-lived connection.
Enabling these APIs makes some SSL structures larger, as 64 extra bytes are saved after the handshake to allow for more efficient serialization, so if you don't need this feature you'll save RAM by disabling it.
Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C
Comment to disable the context serialization APIs.
Definition at line 1692 of file mbedtls_config.h.
#define MBEDTLS_SSL_COOKIE_C |
Enable basic implementation of DTLS cookies for hello verification.
Module: library/ssl_cookie.c Caller:
Definition at line 3631 of file mbedtls_config.h.
#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 |
Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued
Definition at line 4291 of file mbedtls_config.h.
#define MBEDTLS_SSL_DEBUG_ALL |
Enable the debug messages in SSL module for all issues. Debug messages have been disabled in some places to prevent timing attacks due to (unbalanced) debugging function calls.
If you need all error reporting you should enable this during debugging, but remove this for production servers that should log as well.
Uncomment this macro to report all debug messages on errors introducing a timing side-channel.
Definition at line 1708 of file mbedtls_config.h.
#define MBEDTLS_SSL_DTLS_ANTI_REPLAY |
Enable support for the anti-replay mechanism in DTLS.
Requires: MBEDTLS_SSL_TLS_C MBEDTLS_SSL_PROTO_DTLS
Comment this to disable anti-replay in DTLS.
Definition at line 1978 of file mbedtls_config.h.
#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE |
Enable server-side support for clients that reconnect from the same port.
Some clients unexpectedly close the connection and try to reconnect using the same source port. This needs special support from the server to handle the new connection securely, as described in section 4.2.8 of RFC 6347. This flag enables that support.
Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
Comment this to disable support for clients reusing the source port.
Definition at line 2043 of file mbedtls_config.h.
#define MBEDTLS_SSL_DTLS_CONNECTION_ID |
Enable support for the DTLS Connection ID (CID) extension, which allows to identify DTLS connections across changes in the underlying transport. The CID functionality is described in RFC 9146.
Setting this option enables the SSL APIs mbedtls_ssl_set_cid()
, mbedtls_ssl_get_own_cid(),
mbedtls_ssl_get_peer_cid()and
mbedtls_ssl_conf_cid()`. See the corresponding documentation for more information.
The maximum lengths of outgoing and incoming CIDs can be configured through the options
Requires: MBEDTLS_SSL_PROTO_DTLS
Uncomment to enable the Connection ID extension.
Definition at line 1588 of file mbedtls_config.h.
#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 |
Defines whether RFC 9146 (default) or the legacy version (version draft-ietf-tls-dtls-connection-id-05, https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) is used.
Set the value to 0 for the standard version, and 1 for the legacy draft version.
Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID
Definition at line 1611 of file mbedtls_config.h.
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY |
Enable support for HelloVerifyRequest on DTLS servers.
This feature is highly recommended to prevent DTLS servers being used as amplifiers in DoS attacks against other hosts. It should always be enabled unless you know for sure amplification cannot be a problem in the environment in which your server operates.
Requires: MBEDTLS_SSL_PROTO_DTLS
Comment this to disable support for HelloVerifyRequest.
Definition at line 1996 of file mbedtls_config.h.
#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 |
Maximum number of heap-allocated bytes for the purpose of DTLS handshake message reassembly and future message buffering.
This should be at least 9/8 * MBEDTLS_SSL_IN_CONTENT_LEN to account for a reassembled handshake message of maximum size, together with its reassembly bitmap.
A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default) should be sufficient for all practical situations as it allows to reassembly a large handshake message (such as a certificate) while buffering multiple smaller handshake messages.
Definition at line 4288 of file mbedtls_config.h.
#define MBEDTLS_SSL_DTLS_SRTP |
Enable support for negotiation of DTLS-SRTP (RFC 5764) through the use_srtp extension.
Setting this option enables the runtime API mbedtls_ssl_conf_dtls_srtp_protection_profiles() through which the supported DTLS-SRTP protection profiles can be configured. You must call this API at runtime if you wish to negotiate the use of DTLS-SRTP.
Requires: MBEDTLS_SSL_PROTO_DTLS
Uncomment this to enable support for use_srtp extension.
Definition at line 2027 of file mbedtls_config.h.
#define MBEDTLS_SSL_EARLY_DATA |
Enable support for RFC 8446 TLS 1.3 early data.
Requires: MBEDTLS_SSL_SESSION_TICKETS and either MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.
Definition at line 1941 of file mbedtls_config.h.
#define MBEDTLS_SSL_ENCRYPT_THEN_MAC |
Enable support for Encrypt-then-MAC, RFC 7366.
This allows peers that both support it to use a more robust protection for ciphersuites using CBC, providing deep resistance against timing attacks on the padding or underlying cipher.
This only affects CBC ciphersuites, and is useless if none is defined.
Requires: MBEDTLS_SSL_PROTO_TLS1_2
Comment this macro to disable support for Encrypt-then-MAC
Definition at line 1724 of file mbedtls_config.h.
#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET |
Enable support for RFC 7627: Session Hash and Extended Master Secret Extension.
This was introduced as "the proper fix" to the Triple Handshake family of attacks, but it is recommended to always use it (even if you disable renegotiation), since it actually fixes a more fundamental issue in the original SSL/TLS design, and has implications beyond Triple Handshake.
Requires: MBEDTLS_SSL_PROTO_TLS1_2
Comment this macro to disable support for Extended Master Secret.
Definition at line 1740 of file mbedtls_config.h.
#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 |
Maximum length (in bytes) of incoming plaintext fragments.
This determines the size of the incoming TLS I/O buffer in such a way that it is capable of holding the specified amount of plaintext data, regardless of the protection mechanism used.
Uncomment to set the maximum plaintext size of the incoming I/O buffer.
Definition at line 4221 of file mbedtls_config.h.
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE |
This option controls the availability of the API mbedtls_ssl_get_peer_cert() giving access to the peer's certificate after completion of the handshake.
Unless you need mbedtls_ssl_peer_cert() in your application, it is recommended to disable this option for reduced RAM usage.
NULL
.Comment this macro to disable storing the peer's certificate after the handshake.
Definition at line 1764 of file mbedtls_config.h.
#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024 |
The default maximum amount of 0-RTT data. See the documentation of mbedtls_ssl_conf_max_early_data_size()
for more information.
It must be positive and smaller than UINT32_MAX.
If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not have any impact on the build.
Definition at line 4318 of file mbedtls_config.h.
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH |
Enable support for RFC 6066 max_fragment_length extension in SSL.
Comment this macro to disable support for the max_fragment_length extension
Definition at line 1797 of file mbedtls_config.h.
#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 |
Maximum length (in bytes) of outgoing plaintext fragments.
This determines the size of the outgoing TLS I/O buffer in such a way that it is capable of holding the specified amount of plaintext data, regardless of the protection mechanism used.
It is possible to save RAM by setting a smaller outward buffer, while keeping the default inward 16384 byte buffer to conform to the TLS specification.
The minimum required outward buffer size is determined by the handshake protocol's usage. Handshaking will fail if the outward buffer is too small. The specific size requirement depends on the configured ciphers and any certificate data which is sent during the handshake.
Uncomment to set the maximum plaintext size of the outgoing I/O buffer.
Definition at line 4271 of file mbedtls_config.h.
#define MBEDTLS_SSL_PROTO_DTLS |
Enable support for DTLS (all available versions).
Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
Requires: MBEDTLS_SSL_PROTO_TLS1_2
Comment this macro to disable support for DTLS
Definition at line 1954 of file mbedtls_config.h.
#define MBEDTLS_SSL_PROTO_TLS1_2 |
Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
Requires: Without MBEDTLS_USE_PSA_CRYPTO: MBEDTLS_MD_C and (MBEDTLS_SHA256_C or MBEDTLS_SHA384_C or SHA-256 or SHA-512 provided by a PSA driver) With MBEDTLS_USE_PSA_CRYPTO: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384
Comment this macro to disable support for TLS 1.2 / DTLS 1.2
Definition at line 1827 of file mbedtls_config.h.
#define MBEDTLS_SSL_PROTO_TLS1_3 |
Enable support for TLS 1.3.
Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE Requires: MBEDTLS_PSA_CRYPTO_C
Uncomment this macro to enable the support for TLS 1.3.
Definition at line 1857 of file mbedtls_config.h.
#define MBEDTLS_SSL_RECORD_SIZE_LIMIT |
Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only).
Requires: MBEDTLS_SSL_PROTO_TLS1_3
Uncomment this macro to enable support for the record_size_limit extension
Definition at line 1808 of file mbedtls_config.h.
#define MBEDTLS_SSL_RENEGOTIATION |
Enable support for TLS renegotiation.
The two main uses of renegotiation are (1) refresh keys on long-lived connections and (2) client authentication after the initial handshake. If you don't need renegotiation, it's probably better to disable it, since it has been associated with security issues in the past and is easy to misuse/misunderstand.
Requires: MBEDTLS_SSL_PROTO_TLS1_2
Comment this to disable support for renegotiation.
mbedtls_ssl_conf_legacy_renegotiation
for the configuration of this extension). Definition at line 1788 of file mbedtls_config.h.
#define MBEDTLS_SSL_SERVER_NAME_INDICATION |
Enable support for RFC 6066 server name indication (SNI) in SSL.
Requires: MBEDTLS_X509_CRT_PARSE_C
Comment this macro to disable support for server name indication in SSL
Definition at line 2068 of file mbedtls_config.h.
#define MBEDTLS_SSL_SESSION_TICKETS |
Enable support for RFC 5077 session tickets in SSL. Client-side, provides full support for session tickets (maintenance of a session store remains the responsibility of the application, though). Server-side, you also need to provide callbacks for writing and parsing tickets, including authenticated encryption and key management. Example callbacks are provided by MBEDTLS_SSL_TICKET_C.
Comment this macro to disable support for SSL session tickets
Definition at line 2057 of file mbedtls_config.h.
#define MBEDTLS_SSL_SRV_C |
Enable the SSL/TLS server code.
Module: library/ssl*_server.c Caller:
Requires: MBEDTLS_SSL_TLS_C
This module is required for SSL/TLS server support.
Definition at line 3672 of file mbedtls_config.h.
#define MBEDTLS_SSL_TICKET_C |
Enable an implementation of TLS server-side callbacks for session tickets.
Module: library/ssl_ticket.c Caller:
Requires: (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) && (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)
Definition at line 3644 of file mbedtls_config.h.
#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE |
Enable TLS 1.3 middlebox compatibility mode.
As specified in Section D.4 of RFC 8446, TLS 1.3 offers a compatibility mode to make a TLS 1.3 connection more likely to pass through middle boxes expecting TLS 1.2 traffic.
Turning on the compatibility mode comes at the cost of a few added bytes on the wire, but it doesn't affect compatibility with TLS 1.3 implementations that don't use it. Therefore, unless transmission bandwidth is critical and you know that middlebox compatibility issues won't occur, it is therefore recommended to set this option.
Comment to disable compatibility mode for TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.
Definition at line 1879 of file mbedtls_config.h.
#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1 |
Default number of NewSessionTicket messages to be sent by a TLS 1.3 server after handshake completion. This is not used in TLS 1.2 and relevant only if the MBEDTLS_SSL_SESSION_TICKETS option is enabled.
Definition at line 4360 of file mbedtls_config.h.
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED |
Enable TLS 1.3 ephemeral key exchange mode.
Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH MBEDTLS_X509_CRT_PARSE_C and at least one of: MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA) MBEDTLS_PKCS1_V21
Comment to disable support for the ephemeral key exchange mode in TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.
Definition at line 1909 of file mbedtls_config.h.
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED |
Enable TLS 1.3 PSK key exchange mode.
Comment to disable support for the PSK key exchange mode in TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.
Definition at line 1891 of file mbedtls_config.h.
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED |
Enable TLS 1.3 PSK ephemeral key exchange mode.
Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH
Comment to disable support for the PSK ephemeral key exchange mode in TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.
Definition at line 1923 of file mbedtls_config.h.
#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000 |
Maximum allowed ticket age difference in milliseconds tolerated between server and client. Default value is 6000. This is not used in TLS 1.2.
The ages might be different due to the client and server clocks not running at the same pace. The typical accuracy of an RTC crystal is ±100 to ±20 parts per million (360 to 72 milliseconds per hour). Default tolerance window is 6s, thus in the worst case clients and servers must sync up their system time every 6000/360/2~=8 hours.
See section 8.3 of the TLS 1.3 specification(RFC 8446) for more information.
Definition at line 4341 of file mbedtls_config.h.
#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32 |
Size in bytes of a ticket nonce. This is not used in TLS 1.2.
This must be less than 256.
Definition at line 4350 of file mbedtls_config.h.
#define MBEDTLS_SSL_TLS_C |
Enable the generic SSL/TLS code.
Module: library/ssl_tls.c Caller: library/ssl*_client.c library/ssl*_server.c
Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C and at least one of the MBEDTLS_SSL_PROTO_XXX defines
This module is required for SSL/TLS.
Definition at line 3688 of file mbedtls_config.h.
#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH |
When this option is enabled, the SSL buffer will be resized automatically based on the negotiated maximum fragment length in each direction.
Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Definition at line 2078 of file mbedtls_config.h.
#define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN |
Enable testing of the constant-flow nature of some sensitive functions with clang's MemorySanitizer. This causes some existing tests to also test this non-functional property of the code under test.
This setting requires compiling with clang -fsanitize=memory. The test suites can then be run normally.
Uncomment to enable testing of the constant-flow nature of selected code.
Definition at line 2095 of file mbedtls_config.h.
#define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND |
Enable testing of the constant-flow nature of some sensitive functions with valgrind's memcheck tool. This causes some existing tests to also test this non-functional property of the code under test.
This setting requires valgrind headers for building, and is only useful for testing if the tests suites are run with valgrind's memcheck. This can be done for an individual test suite with 'valgrind ./test_suite_xxx', or when using CMake, this can be done for all test suites with 'make memcheck'.
Uncomment to enable testing of the constant-flow nature of selected code.
Definition at line 2114 of file mbedtls_config.h.
#define MBEDTLS_TEST_HOOKS |
Enable features for invasive testing such as introspection functions and hooks for fault injection. This enables additional unit tests.
Merely enabling this feature should not change the behavior of the product. It only adds new code, and new branching points where the default behavior is the same as when this feature is disabled. However, this feature increases the attack surface: there is an added risk of vulnerabilities, and more gadgets that can make exploits easier. Therefore this feature must never be enabled in production.
See docs/architecture/testing/mbed-crypto-invasive-testing.md
for more information.
Uncomment to enable invasive tests.
Definition at line 2134 of file mbedtls_config.h.
#define MBEDTLS_THREADING_ALT |
Provide your own alternate threading implementation.
Requires: MBEDTLS_THREADING_C
Uncomment this to allow your own alternate threading implementation.
Definition at line 2145 of file mbedtls_config.h.
#define MBEDTLS_THREADING_C |
Enable the threading abstraction layer.
Traditionally, Mbed TLS assumes it is used in a non-threaded environment or that contexts are not shared between threads. If you do intend to use contexts between threads, you will need to enable this layer to prevent race conditions.
The PSA subsystem has an implicit shared context. Therefore, you must enable this option if more than one thread may use any part of Mbed TLS that is implemented on top of the PSA subsystem.
You must enable this option in multithreaded applications where more than one thread performs any of the following operations:
psa_xxx()
).mbedtls_ssl_xxx()
, mbedtls_x509_xxx()
, mbedtls_pkcs7_xxx()
, mbedtls_pk_xxx()
) if MBEDTLS_USE_PSA_CRYPTO
is enabled (regardless of whether individual TLS, X.509 or PK contexts are shared between threads).MBEDTLS_MD_C
is disabled. As an exception, algorithm-specific low-level modules do not require threading protection unless the contexts are shared between threads.MBEDTLS_CIPHER_C
is disabled. As an exception, algorithm-specific low-level modules do not require threading protection unless the contexts are shared between threads.See also our Knowledge Base article about threading: https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
Module: library/threading.c
This allows different threading implementations (self-implemented or provided).
You will have to enable either MBEDTLS_THREADING_ALT or MBEDTLS_THREADING_PTHREAD.
Enable this layer to allow use of mutexes within Mbed TLS
Definition at line 3738 of file mbedtls_config.h.
#define MBEDTLS_THREADING_PTHREAD |
Enable the pthread wrapper layer for the threading layer.
Requires: MBEDTLS_THREADING_C
Uncomment this to enable pthread mutexes.
Definition at line 2156 of file mbedtls_config.h.
#define MBEDTLS_TIMING_ALT |
Uncomment to provide your own alternate implementation for mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay()
Only works if you have MBEDTLS_TIMING_C enabled.
You will need to provide a header "timing_alt.h" and an implementation at compile time.
Definition at line 353 of file mbedtls_config.h.
#define MBEDTLS_TIMING_C |
Enable the semi-portable timing interface.
mbedtls_ssl_set_timer_cb()
for DTLS, or leave it enabled and provide your own implementation of the whole module by setting MBEDTLS_TIMING_ALT
in the current file.Module: library/timing.c
Definition at line 3762 of file mbedtls_config.h.
#define MBEDTLS_USE_PSA_CRYPTO |
Make the X.509 and TLS libraries use PSA for cryptographic operations as much as possible, and enable new APIs for using keys handled by PSA Crypto.
psa_crypto_init()
before calling any function from the SSL/TLS, X.509 or PK modules, except for the various mbedtls_xxx_init() functions which can be called at any time.psa_xxx()
), including indirect calls through SSL/TLS, X.509 or PK.Requires: MBEDTLS_PSA_CRYPTO_C.
Uncomment this to enable internal use of PSA Crypto and new associated APIs.
Definition at line 2190 of file mbedtls_config.h.
#define MBEDTLS_USER_CONFIG_FILE "/dev/null" |
If defined, this is a header which will be included after "mbedtls/mbedtls_config.h"
or MBEDTLS_CONFIG_FILE. This allows you to modify the default configuration, including the ability to undefine options that are enabled by default.
This macro is expanded after an #include
directive. This is a popular but non-standard feature of the C language, so this feature is only available with compilers that perform macro expansion on an #include
line.
The value of this symbol is typically a path in double quotes, either absolute or relative to a directory on the include search path.
Definition at line 3927 of file mbedtls_config.h.
#define MBEDTLS_VERSION_C |
Enable run-time version information.
Module: library/version.c
This module provides run-time version information.
Definition at line 3773 of file mbedtls_config.h.
#define MBEDTLS_VERSION_FEATURES |
Allow run-time checking of compile-time enabled features. Thus allowing users to check at run-time if the library is for instance compiled with threading support via mbedtls_version_check_feature().
Requires: MBEDTLS_VERSION_C
Comment this to disable run-time checking and save ROM space
Definition at line 2235 of file mbedtls_config.h.
#define MBEDTLS_X509_CREATE_C |
Enable X.509 core for creating certificates.
Module: library/x509_create.c
Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
This module is the basis for creating X.509 certificates and CSRs.
Definition at line 3854 of file mbedtls_config.h.
#define MBEDTLS_X509_CRL_PARSE_C |
Enable X.509 CRL parsing.
Module: library/x509_crl.c Caller: library/x509_crt.c
Requires: MBEDTLS_X509_USE_C
This module is required for X.509 CRL parsing.
Definition at line 3823 of file mbedtls_config.h.
#define MBEDTLS_X509_CRT_PARSE_C |
Enable X.509 certificate parsing.
Module: library/x509_crt.c Caller: library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c
Requires: MBEDTLS_X509_USE_C
This module is required for X.509 certificate parsing.
Definition at line 3809 of file mbedtls_config.h.
#define MBEDTLS_X509_CRT_WRITE_C |
Enable creating X.509 certificates.
Module: library/x509_crt_write.c
Requires: MBEDTLS_X509_CREATE_C
This module is required for X.509 certificate creation.
Definition at line 3867 of file mbedtls_config.h.
#define MBEDTLS_X509_CSR_PARSE_C |
Enable X.509 Certificate Signing Request (CSR) parsing.
Module: library/x509_csr.c Caller: library/x509_crt_write.c
Requires: MBEDTLS_X509_USE_C
This module is used for reading X.509 certificate request.
Definition at line 3837 of file mbedtls_config.h.
#define MBEDTLS_X509_CSR_WRITE_C |
Enable creating X.509 Certificate Signing Requests (CSR).
Module: library/x509_csr_write.c
Requires: MBEDTLS_X509_CREATE_C
This module is required for X.509 certificate request writing.
Definition at line 3880 of file mbedtls_config.h.
#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 |
Maximum length of a path/filename string in bytes including the null terminator character ('\0').
Definition at line 4364 of file mbedtls_config.h.
#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 |
Maximum number of intermediate CAs in a verification chain.
Definition at line 4363 of file mbedtls_config.h.
#define MBEDTLS_X509_REMOVE_INFO |
Disable mbedtls_x509_*_info() and related APIs.
Uncomment to omit mbedtls_x509_*_info(), as well as mbedtls_debug_print_crt() and other functions/constants only used by these functions, thus reducing the code footprint by several KB.
Definition at line 2267 of file mbedtls_config.h.
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT |
Enable parsing and verification of X.509 certificates, CRLs and CSRS signed with RSASSA-PSS (aka PKCS#1 v2.1).
Requires: MBEDTLS_PKCS1_V21
Comment this macro to disallow using RSASSA-PSS in certificates.
Definition at line 2279 of file mbedtls_config.h.
#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK |
If set, this enables the X.509 API mbedtls_x509_crt_verify_with_ca_cb()
and the SSL API mbedtls_ssl_conf_ca_cb()
which allow users to configure the set of trusted certificates through a callback instead of a linked list.
This is useful for example in environments where a large number of trusted certificates is present and storing them in a linked list isn't efficient enough, or when the set of trusted certificates changes frequently.
See the documentation of mbedtls_x509_crt_verify_with_ca_cb()
and mbedtls_ssl_conf_ca_cb()
for more information.
Requires: MBEDTLS_X509_CRT_PARSE_C
Uncomment to enable trusted certificate callbacks.
Definition at line 2256 of file mbedtls_config.h.
#define MBEDTLS_X509_USE_C |
Enable X.509 core for using certificates.
Module: library/x509.c Caller: library/x509_crl.c library/x509_crt.c library/x509_csr.c
Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
This module is required for the X.509 parsing modules.
Definition at line 3793 of file mbedtls_config.h.