From: "Wenxing Hou"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Yi Li, Xiaoyu Lu, Guomin Jiang
Subject: [edk2-devel] [PATCH v2 02/10] CryptoPkg: Add mbedtls_config and MbedTlsLib.inf
Date: Sat, 2 Sep 2023 22:16:19 +0800
Message-Id: <20230902141627.3178-3-wenxing.hou@intel.com>
In-Reply-To: <20230902141627.3178-1-wenxing.hou@intel.com>
References: <20230902141627.3178-1-wenxing.hou@intel.com>
MIME-Version: 1.0
Reply-To: devel@edk2.groups.io,wenxing.hou@intel.com
Content-Transfer-Encoding: quoted-printable

Add MbedTlsLib support.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Cc: Jiewen Yao
Cc: Yi Li
Cc: Xiaoyu Lu
Cc: Guomin Jiang
Signed-off-by: Wenxing Hou
---
 CryptoPkg/Library/MbedTlsLib/CrtWrapper.c     |   96 +
 CryptoPkg/Library/MbedTlsLib/EcSm2Null.c      |  495 +++
 .../Include/mbedtls/mbedtls_config.h          | 3823 +++++++++++++++++
 CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf   |  173 +
 .../Library/MbedTlsLib/MbedTlsLibFull.inf     |  177 +
 5 files changed, 4764 insertions(+)
 create mode 100644 CryptoPkg/Library/MbedTlsLib/CrtWrapper.c
 create mode 100644 CryptoPkg/Library/MbedTlsLib/EcSm2Null.c
 create mode 100644 CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h
 create mode 100644 CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf
 create mode 100644 CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.inf

diff --git a/CryptoPkg/Library/MbedTlsLib/CrtWrapper.c b/CryptoPkg/Library/= MbedTlsLib/CrtWrapper.c new file mode 100644 index 0000000000..04d2877e7d --- /dev/null +++ b/CryptoPkg/Library/MbedTlsLib/CrtWrapper.c @@ -0,0 +1,96 @@ +/** @file=0D + C Run-Time Libraries (CRT) Wrapper Implementation for MbedTLS-based=0D + Cryptographic Library.=0D +=0D +Copyright (c) 2023, Intel Corporation. All rights reserved.
=0D +SPDX-License-Identifier: BSD-2-Clause-Patent=0D +=0D +**/=0D +=0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +=0D +#include =0D +=0D +int=0D +my_snprintf (=0D + char *str,=0D + size_t size,=0D + const char *format,=0D + ...=0D + )=0D +{=0D + return 0;=0D +}=0D +=0D +//=0D +// Extra header to record the memory buffer size from malloc routine.=0D +//=0D +#define CRYPTMEM_HEAD_SIGNATURE SIGNATURE_32('c','m','h','d')=0D +typedef struct {=0D + UINT32 Signature;=0D + UINT32 Reserved;=0D + UINTN Size;=0D +} CRYPTMEM_HEAD;=0D +=0D +#define CRYPTMEM_OVERHEAD sizeof(CRYPTMEM_HEAD)=0D +=0D +//=0D +// -- Memory-Allocation Routines --=0D +//=0D +=0D +/* Allocates memory blocks */=0D +void *=0D +mbedtls_calloc (=0D + size_t num,=0D + size_t size=0D + )=0D +{=0D + CRYPTMEM_HEAD *PoolHdr;=0D + UINTN NewSize;=0D + VOID *Data;=0D +=0D + //=0D + // Adjust the size by the buffer header overhead=0D + //=0D + NewSize =3D (UINTN)(size * num) + CRYPTMEM_OVERHEAD;=0D +=0D + Data =3D AllocateZeroPool (NewSize);=0D + if (Data !=3D NULL) {=0D + PoolHdr =3D (CRYPTMEM_HEAD *)Data;=0D + //=0D + // Record the memory brief information=0D + //=0D + PoolHdr->Signature =3D CRYPTMEM_HEAD_SIGNATURE;=0D + PoolHdr->Size =3D size;=0D +=0D + return (VOID *)(PoolHdr + 1);=0D + } else {=0D + //=0D + // The buffer allocation failed.=0D + //=0D + return NULL;=0D + }=0D +}=0D +=0D +/* De-allocates or frees a memory block */=0D +void=0D +mbedtls_free (=0D + void *ptr=0D + )=0D +{=0D + CRYPTMEM_HEAD *PoolHdr;=0D +=0D + //=0D + // In Standard C, free() handles a null pointer argument transparently. = This=0D + // is not true of FreePool() below, so protect it.=0D + //=0D + if (ptr !=3D NULL) {=0D + PoolHdr =3D (CRYPTMEM_HEAD *)ptr - 1;=0D + ASSERT (PoolHdr->Signature =3D=3D CRYPTMEM_HEAD_SIGNATURE);=0D + FreePool (PoolHdr);=0D + }=0D +}=0D 
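
Review bot: In mbedtls_calloc, `NewSize = (UINTN)(size * num) + CRYPTMEM_OVERHEAD;` has no overflow check on either the multiplication or the addition, so a large num/size pair can wrap and AllocateZeroPool then returns a buffer smaller than the caller asked for. Suggest returning NULL when num is nonzero and size > (MAX_UINTN - CRYPTMEM_OVERHEAD) / num, before NewSize is computed. The header also records `PoolHdr->Size = size;`, which is the element size rather than the size * num that was allocated; the comment above CRYPTMEM_HEAD says the header records the memory buffer size, so the product should be stored. Separately, my_snprintf returns 0 without writing to str, which leaves the caller's buffer untouched; a comment stating that this is an intentional stub, or writing a terminator when size > 0, would make the behaviour explicit.
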
diff --git a/CryptoPkg/Library/MbedTlsLib/EcSm2Null.c b/CryptoPkg/Library/M= bedTlsLib/EcSm2Null.c new file mode 100644 index 0000000000..c7d5c393a1 --- /dev/null +++ b/CryptoPkg/Library/MbedTlsLib/EcSm2Null.c @@ -0,0 +1,495 @@ +/** @file=0D + Null implementation of EC and SM2 functions called by BaseCryptLib.=0D +=0D + Copyright (c) 2023, Intel Corporation. All rights reserved.
=0D + SPDX-License-Identifier: BSD-2-Clause-Patent=0D +=0D +**/=0D +=0D +#include =0D +=0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +=0D +/*=0D + * Get the curve info for the internal identifier=0D + */=0D +const mbedtls_ecp_curve_info *=0D +mbedtls_ecp_curve_info_from_grp_id (=0D + mbedtls_ecp_group_id grp_id=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return (NULL);=0D +}=0D +=0D +void=0D +mbedtls_ecdh_init (=0D + mbedtls_ecdh_context *ctx=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +/*=0D + * Free context=0D + */=0D +void=0D +mbedtls_ecdh_free (=0D + mbedtls_ecdh_context *ctx=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +int=0D +mbedtls_ecdh_calc_secret (=0D + mbedtls_ecdh_context *ctx,=0D + size_t *olen,=0D + unsigned char *buf,=0D + size_t blen,=0D + int ( *f_rng )(void *, unsigned char *, size_t),=0D + void *p_rng=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +void=0D +mbedtls_ecp_keypair_init (=0D + mbedtls_ecp_keypair *key=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +void=0D +mbedtls_ecp_keypair_free (=0D + mbedtls_ecp_keypair *key=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +int=0D +mbedtls_ecp_check_pub_priv (=0D + const mbedtls_ecp_keypair *pub,=0D + const mbedtls_ecp_keypair *prv,=0D + int ( *f_rng )(void *, unsigned char *, size_t),=0D + void *p_rng=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdsa_write_signature (=0D + mbedtls_ecdsa_context *ctx,=0D + mbedtls_md_type_t md_alg,=0D + const unsigned char *hash,=0D + size_t hlen,=0D + unsigned char *sig,=0D + size_t sig_size,=0D + size_t *slen,=0D + int ( *f_rng )(void *, unsigned char *, size_t),=0D + void *p_rng=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdsa_write_signature_restartable (=0D + mbedtls_ecdsa_context *ctx,=0D + mbedtls_md_type_t md_alg,=0D + const unsigned char *hash,=0D + size_t hlen,=0D + unsigned char *sig,=0D + size_t sig_size,=0D + size_t *slen,=0D + 
int ( *f_rng )(void *, unsigned char *, size_t),=0D + void *p_rng,=0D + mbedtls_ecdsa_restart_ctx *rs_ctx=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdsa_read_signature (=0D + mbedtls_ecdsa_context *ctx,=0D + const unsigned char *hash,=0D + size_t hlen,=0D + const unsigned char *sig,=0D + size_t slen=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdsa_read_signature_restartable (=0D + mbedtls_ecdsa_context *ctx,=0D + const unsigned char *hash,=0D + size_t hlen,=0D + const unsigned char *sig,=0D + size_t slen,=0D + mbedtls_ecdsa_restart_ctx *rs_ctx=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdsa_from_keypair (=0D + mbedtls_ecdsa_context *ctx,=0D + const mbedtls_ecp_keypair *key=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +void=0D +mbedtls_ecdsa_init (=0D + mbedtls_ecdsa_context *ctx=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +void=0D +mbedtls_ecdsa_free (=0D + mbedtls_ecdsa_context *ctx=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +void=0D +mbedtls_ecdsa_restart_init (=0D + mbedtls_ecdsa_restart_ctx *ctx=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +void=0D +mbedtls_ecdsa_restart_free (=0D + mbedtls_ecdsa_restart_ctx *ctx=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +int=0D +mbedtls_ecp_point_write_binary (=0D + const mbedtls_ecp_group *grp,=0D + const mbedtls_ecp_point *P,=0D + int format,=0D + size_t *olen,=0D + unsigned char *buf,=0D + size_t buflen=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecp_point_read_binary (=0D + const mbedtls_ecp_group *grp,=0D + mbedtls_ecp_point *P,=0D + const unsigned char *buf,=0D + size_t ilen=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecp_write_key (=0D + mbedtls_ecp_keypair *key,=0D + unsigned char *buf,=0D + size_t buflen=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D 
+mbedtls_ecp_group_load (=0D + mbedtls_ecp_group *grp,=0D + mbedtls_ecp_group_id id=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecp_mul (=0D + mbedtls_ecp_group *grp,=0D + mbedtls_ecp_point *R,=0D + const mbedtls_mpi *m,=0D + const mbedtls_ecp_point *P,=0D + int ( *f_rng )(void *, unsigned char *, size_t),=0D + void *p_rng=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecp_check_pubkey (=0D + const mbedtls_ecp_group *grp,=0D + const mbedtls_ecp_point *pt=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecp_check_privkey (=0D + const mbedtls_ecp_group *grp,=0D + const mbedtls_mpi *d=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecp_restart_is_enabled (=0D + void=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +const mbedtls_ecp_curve_info *=0D +mbedtls_ecp_curve_info_from_tls_id (=0D + uint16_t tls_id=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return (NULL);=0D +}=0D +=0D +int=0D +mbedtls_ecdh_setup (=0D + mbedtls_ecdh_context *ctx,=0D + mbedtls_ecp_group_id grp_id=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdh_make_params (=0D + mbedtls_ecdh_context *ctx,=0D + size_t *olen,=0D + unsigned char *buf,=0D + size_t blen,=0D + int ( *f_rng )(void *, unsigned char *, size_t),=0D + void *p_rng=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdh_get_params (=0D + mbedtls_ecdh_context *ctx,=0D + const mbedtls_ecp_keypair *key,=0D + mbedtls_ecdh_side side=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdh_read_public (=0D + mbedtls_ecdh_context *ctx,=0D + const unsigned char *buf,=0D + size_t blen=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdh_read_params (=0D + mbedtls_ecdh_context *ctx,=0D + const unsigned char **buf,=0D + const unsigned char *end=0D + )=0D +{=0D + ASSERT 
(FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdh_make_public (=0D + mbedtls_ecdh_context *ctx,=0D + size_t *olen,=0D + unsigned char *buf,=0D + size_t blen,=0D + int ( *f_rng )(void *, unsigned char *, size_t),=0D + void *p_rng=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +void=0D +mbedtls_ecdh_enable_restart (=0D + mbedtls_ecdh_context *ctx=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +void=0D +mbedtls_ecp_point_init (=0D + mbedtls_ecp_point *pt=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +void=0D +mbedtls_ecp_group_init (=0D + mbedtls_ecp_group *grp=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +void=0D +mbedtls_ecp_point_free (=0D + mbedtls_ecp_point *pt=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +void=0D +mbedtls_ecp_group_free (=0D + mbedtls_ecp_group *grp=0D + )=0D +{=0D + ASSERT (FALSE);=0D +}=0D +=0D +int=0D +mbedtls_ecp_is_zero (=0D + mbedtls_ecp_point *pt=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecp_point_cmp (=0D + const mbedtls_ecp_point *P,=0D + const mbedtls_ecp_point *Q=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecp_muladd (=0D + mbedtls_ecp_group *grp,=0D + mbedtls_ecp_point *R,=0D + const mbedtls_mpi *m,=0D + const mbedtls_ecp_point *P,=0D + const mbedtls_mpi *n,=0D + const mbedtls_ecp_point *Q=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdh_gen_public (=0D + mbedtls_ecp_group *grp,=0D + mbedtls_mpi *d,=0D + mbedtls_ecp_point *Q,=0D + int ( *f_rng )(void *, unsigned char *, size_t),=0D + void *p_rng=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdh_compute_shared (=0D + mbedtls_ecp_group *grp,=0D + mbedtls_mpi *z,=0D + const mbedtls_ecp_point *Q,=0D + const mbedtls_mpi *d,=0D + int ( *f_rng )(void *, unsigned char *, size_t),=0D + void *p_rng=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +int=0D +mbedtls_ecdsa_verify (=0D + 
mbedtls_ecp_group *grp,=0D + const unsigned char *buf,=0D + size_t blen,=0D + const mbedtls_ecp_point *Q,=0D + const mbedtls_mpi *r,=0D + const mbedtls_mpi *s=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D +=0D +/*=0D + * Compute ECDSA signature of a hashed message=0D + */=0D +int=0D +mbedtls_ecdsa_sign (=0D + mbedtls_ecp_group *grp,=0D + mbedtls_mpi *r,=0D + mbedtls_mpi *s,=0D + const mbedtls_mpi *d,=0D + const unsigned char *buf,=0D + size_t blen,=0D + int ( *f_rng )(void *, unsigned char *, size_t),=0D + void *p_rng=0D + )=0D +{=0D + ASSERT (FALSE);=0D + return -1;=0D +}=0D diff --git a/CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h = b/CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h new file mode 100644 index 0000000000..ae9ef3a1b3 --- /dev/null +++ b/CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h @@ -0,0 +1,3823 @@ +/** @file=0D + mbedtls_config.h Configuration options (set of defines).=0D +=0D + Copyright (c) 2023, Intel Corporation. All rights reserved.
=0D + SPDX-License-Identifier: BSD-2-Clause-Patent=0D +=0D +**/=0D +=0D +/**=0D + * This is an optional version symbol that enables compatibility handling = of=0D + * config files.=0D + *=0D + * It is equal to the #MBEDTLS_VERSION_NUMBER of the Mbed TLS version that= =0D + * introduced the config format we want to be compatible with.=0D + */=0D +// #define MBEDTLS_CONFIG_VERSION 0x03000000=0D +=0D +/**=0D + * \name SECTION: System support=0D + *=0D + * This section sets system specific settings.=0D + * \{=0D + */=0D +=0D +/**=0D + * \def MBEDTLS_HAVE_ASM=0D + *=0D + * The compiler has support for asm().=0D + *=0D + * Requires support for asm() in compiler.=0D + *=0D + * Used in:=0D + * library/aria.c=0D + * library/bn_mul.h=0D + *=0D + * Required by:=0D + * MBEDTLS_AESNI_C=0D + * MBEDTLS_PADLOCK_C=0D + *=0D + * Comment to disable the use of assembly code.=0D + */=0D +#define MBEDTLS_HAVE_ASM=0D +=0D +/**=0D + * \def MBEDTLS_NO_UDBL_DIVISION=0D + *=0D + * The platform lacks support for double-width integer division (64-bit=0D + * division on a 32-bit platform, 128-bit division on a 64-bit platform).= =0D + *=0D + * Used in:=0D + * include/mbedtls/bignum.h=0D + * library/bignum.c=0D + *=0D + * The bignum code uses double-width division to speed up some operations.= =0D + * Double-width division is often implemented in software that needs to=0D + * be linked with the program. 
The presence of a double-width integer=0D + * type is usually detected automatically through preprocessor macros,=0D + * but the automatic detection cannot know whether the code needs to=0D + * and can be linked with an implementation of division for that type.=0D + * By default division is assumed to be usable if the type is present.=0D + * Uncomment this option to prevent the use of double-width division.=0D + *=0D + * Note that division for the native integer type is always required.=0D + * Furthermore, a 64-bit type is always required even on a 32-bit=0D + * platform, but it need not support multiplication or division. In some=0D + * cases it is also desirable to disable some double-width operations. For= =0D + * example, if double-width division is implemented in software, disabling= =0D + * it can reduce code size in some embedded targets.=0D + */=0D +// #define MBEDTLS_NO_UDBL_DIVISION=0D +=0D +/**=0D + * \def MBEDTLS_NO_64BIT_MULTIPLICATION=0D + *=0D + * The platform lacks support for 32x32 -> 64-bit multiplication.=0D + *=0D + * Used in:=0D + * library/poly1305.c=0D + *=0D + * Some parts of the library may use multiplication of two unsigned 32-bit= =0D + * operands with a 64-bit result in order to speed up computations. On som= e=0D + * platforms, this is not available in hardware and has to be implemented = in=0D + * software, usually in a library provided by the toolchain.=0D + *=0D + * Sometimes it is not desirable to have to link to that library. 
This opt= ion=0D + * removes the dependency of that library on platforms that lack a hardwar= e=0D + * 64-bit multiplier by embedding a software implementation in Mbed TLS.=0D + *=0D + * Note that depending on the compiler, this may decrease performance comp= ared=0D + * to using the library function provided by the toolchain.=0D + */=0D +// #define MBEDTLS_NO_64BIT_MULTIPLICATION=0D +=0D +/**=0D + * \def MBEDTLS_HAVE_SSE2=0D + *=0D + * CPU supports SSE2 instruction set.=0D + *=0D + * Uncomment if the CPU supports SSE2 (IA-32 specific).=0D + */=0D +// #define MBEDTLS_HAVE_SSE2=0D +=0D +/**=0D + * \def MBEDTLS_HAVE_TIME=0D + *=0D + * System has time.h and time().=0D + * The time does not need to be correct, only time differences are used,=0D + * by contrast with MBEDTLS_HAVE_TIME_DATE=0D + *=0D + * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_= ALT,=0D + * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and=0D + * MBEDTLS_PLATFORM_STD_TIME.=0D + *=0D + * Comment if your system does not support time functions.=0D + *=0D + * \note If MBEDTLS_TIMING_C is set - to enable the semi-portable timing=0D + * interface - timing.c will include time.h on suitable platforms=0D + * regardless of the setting of MBEDTLS_HAVE_TIME, unless=0D + * MBEDTLS_TIMING_ALT is used. See timing.c for more information.=0D + */=0D +#define MBEDTLS_HAVE_TIME=0D +=0D +/**=0D + * \def MBEDTLS_HAVE_TIME_DATE=0D + *=0D + * System has time.h, time(), and an implementation for=0D + * mbedtls_platform_gmtime_r() (see below).=0D + * The time needs to be correct (not necessarily very accurate, but at lea= st=0D + * the date should be correct). This is used to verify the validity period= of=0D + * X.509 certificates.=0D + *=0D + * Comment if your system does not have a correct clock.=0D + *=0D + * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h = that=0D + * behaves similarly to the gmtime_r() function from the C standard. 
Refer= to=0D + * the documentation for mbedtls_platform_gmtime_r() for more information.= =0D + *=0D + * \note It is possible to configure an implementation for=0D + * mbedtls_platform_gmtime_r() at compile-time by using the macro=0D + * MBEDTLS_PLATFORM_GMTIME_R_ALT.=0D + */=0D +// #define MBEDTLS_HAVE_TIME_DATE=0D +=0D +/**=0D + * \def MBEDTLS_PLATFORM_MEMORY=0D + *=0D + * Enable the memory allocation layer.=0D + *=0D + * By default mbed TLS uses the system-provided calloc() and free().=0D + * This allows different allocators (self-implemented or provided) to be=0D + * provided to the platform abstraction layer.=0D + *=0D + * Enabling MBEDTLS_PLATFORM_MEMORY without the=0D + * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide=0D + * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative= calloc() and=0D + * free() function pointer at runtime.=0D + *=0D + * Enabling MBEDTLS_PLATFORM_MEMORY and specifying=0D + * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the=0D + * alternate function at compile time.=0D + *=0D + * Requires: MBEDTLS_PLATFORM_C=0D + *=0D + * Enable this layer to allow use of alternative memory allocators.=0D + */=0D +#define MBEDTLS_PLATFORM_MEMORY=0D +=0D +/**=0D + * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS=0D + *=0D + * Do not assign standard functions in the platform layer (e.g. calloc() t= o=0D + * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF= )=0D + *=0D + * This makes sure there are no linking errors on platforms that do not su= pport=0D + * these functions. 
You will HAVE to provide alternatives, either at runti= me=0D + * via the platform_set_xxx() functions or at compile time by setting=0D + * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a=0D + * MBEDTLS_PLATFORM_XXX_MACRO.=0D + *=0D + * Requires: MBEDTLS_PLATFORM_C=0D + *=0D + * Uncomment to prevent default assignment of standard functions in the=0D + * platform layer.=0D + */=0D +#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS=0D +=0D +/**=0D + * \def MBEDTLS_PLATFORM_EXIT_ALT=0D + *=0D + * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the= =0D + * function in the platform abstraction layer.=0D + *=0D + * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS wi= ll=0D + * provide a function "mbedtls_platform_set_printf()" that allows you to s= et an=0D + * alternative printf function pointer.=0D + *=0D + * All these define require MBEDTLS_PLATFORM_C to be defined!=0D + *=0D + * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;=0D + * it will be enabled automatically by check_config.h=0D + *=0D + * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as= =0D + * MBEDTLS_PLATFORM_XXX_MACRO!=0D + *=0D + * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME=0D + *=0D + * Uncomment a macro to enable alternate implementation of specific base=0D + * platform function=0D + */=0D +// #define MBEDTLS_PLATFORM_SETBUF_ALT=0D +// #define MBEDTLS_PLATFORM_EXIT_ALT=0D +// #define MBEDTLS_PLATFORM_TIME_ALT=0D +#define MBEDTLS_PLATFORM_FPRINTF_ALT=0D +// #define MBEDTLS_PLATFORM_PRINTF_ALT=0D +// #define MBEDTLS_PLATFORM_SNPRINTF_ALT=0D +// #define MBEDTLS_PLATFORM_VSNPRINTF_ALT=0D +// #define MBEDTLS_PLATFORM_NV_SEED_ALT=0D +// #define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT=0D +=0D +/**=0D + * \def MBEDTLS_DEPRECATED_WARNING=0D + *=0D + * Mark deprecated functions and features so that they generate a warning = if=0D + * used. 
Functionality deprecated in one version will usually be removed i= n the=0D + * next version. You can enable this to help you prepare the transition to= a=0D + * new major version by making sure your code is not using this functional= ity.=0D + *=0D + * This only works with GCC and Clang. With other compilers, you may want = to=0D + * use MBEDTLS_DEPRECATED_REMOVED=0D + *=0D + * Uncomment to get warnings on using deprecated functions and features.=0D + */=0D +// #define MBEDTLS_DEPRECATED_WARNING=0D +=0D +/**=0D + * \def MBEDTLS_DEPRECATED_REMOVED=0D + *=0D + * Remove deprecated functions and features so that they generate an error= if=0D + * used. Functionality deprecated in one version will usually be removed i= n the=0D + * next version. You can enable this to help you prepare the transition to= a=0D + * new major version by making sure your code is not using this functional= ity.=0D + *=0D + * Uncomment to get errors on using deprecated functions and features.=0D + */=0D +// #define MBEDTLS_DEPRECATED_REMOVED=0D +=0D +/** \} name SECTION: System support */=0D +=0D +/**=0D + * \name SECTION: mbed TLS feature support=0D + *=0D + * This section sets support for features that are or are not needed=0D + * within the modules that are enabled.=0D + * \{=0D + */=0D +=0D +/**=0D + * \def MBEDTLS_TIMING_ALT=0D + *=0D + * Uncomment to provide your own alternate implementation for=0D + * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay(= )=0D + *=0D + * Only works if you have MBEDTLS_TIMING_C enabled.=0D + *=0D + * You will need to provide a header "timing_alt.h" and an implementation = at=0D + * compile time.=0D + */=0D +// #define MBEDTLS_TIMING_ALT=0D +=0D +/**=0D + * \def MBEDTLS_AES_ALT=0D + *=0D + * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your=0D + * alternate core implementation of a symmetric crypto, an arithmetic or h= ash=0D + * module (e.g. platform specific assembly optimized implementations). 
Kee= p=0D + * in mind that the function prototypes should remain the same.=0D + *=0D + * This replaces the whole module. If you only want to replace one of the= =0D + * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.=0D + *=0D + * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer= =0D + * provide the "struct mbedtls_aes_context" definition and omit the base=0D + * function declarations and implementations. "aes_alt.h" will be included= from=0D + * "aes.h" to include the new function definitions.=0D + *=0D + * Uncomment a macro to enable alternate implementation of the correspondi= ng=0D + * module.=0D + *=0D + * \warning MD5, DES and SHA-1 are considered weak and their=0D + * use constitutes a security risk. If possible, we recommend=0D + * avoiding dependencies on them, and considering stronger mess= age=0D + * digests and ciphers instead.=0D + *=0D + */=0D +// #define MBEDTLS_AES_ALT=0D +// #define MBEDTLS_ARIA_ALT=0D +// #define MBEDTLS_CAMELLIA_ALT=0D +// #define MBEDTLS_CCM_ALT=0D +// #define MBEDTLS_CHACHA20_ALT=0D +// #define MBEDTLS_CHACHAPOLY_ALT=0D +// #define MBEDTLS_CMAC_ALT=0D +// #define MBEDTLS_DES_ALT=0D +// #define MBEDTLS_DHM_ALT=0D +// #define MBEDTLS_ECJPAKE_ALT=0D +// #define MBEDTLS_GCM_ALT=0D +// #define MBEDTLS_NIST_KW_ALT=0D +// #define MBEDTLS_MD5_ALT=0D +// #define MBEDTLS_POLY1305_ALT=0D +// #define MBEDTLS_RIPEMD160_ALT=0D +// #define MBEDTLS_RSA_ALT=0D +// #define MBEDTLS_SHA1_ALT=0D +// #define MBEDTLS_SHA256_ALT=0D +// #define MBEDTLS_SHA512_ALT=0D +=0D +/*=0D + * When replacing the elliptic curve module, please consider, that it is=0D + * implemented with two .c files:=0D + * - ecp.c=0D + * - ecp_curves.c=0D + * You can replace them very much like all the other MBEDTLS__MODULE_NAME_= _ALT=0D + * macros as described above. 
The only difference is that you have to make= sure=0D + * that you provide functionality for both .c files.=0D + */=0D +// #define MBEDTLS_ECP_ALT=0D +=0D +/**=0D + * \def MBEDTLS_SHA256_PROCESS_ALT=0D + *=0D + * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you= =0D + * alternate core implementation of symmetric crypto or hash function. Kee= p in=0D + * mind that function prototypes should remain the same.=0D + *=0D + * This replaces only one function. The header file from mbed TLS is still= =0D + * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.=0D + *=0D + * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS wil= l=0D + * no longer provide the mbedtls_sha1_process() function, but it will stil= l provide=0D + * the other function (using your mbedtls_sha1_process() function) and the= definition=0D + * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process= must be compatible=0D + * with this definition.=0D + *=0D + * \note If you use the AES_xxx_ALT macros, then it is recommended to also= set=0D + * MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collec= t the AES=0D + * tables.=0D + *=0D + * Uncomment a macro to enable alternate implementation of the correspondi= ng=0D + * function.=0D + *=0D + * \warning MD5, DES and SHA-1 are considered weak and their use=0D + * constitutes a security risk. If possible, we recommend avoid= ing=0D + * dependencies on them, and considering stronger message diges= ts=0D + * and ciphers instead.=0D + *=0D + * \warning If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINIST= IC are=0D + * enabled, then the deterministic ECDH signature functions pas= s the=0D + * the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefo= re=0D + * alternative implementations should use the RNG only for gene= rating=0D + * the ephemeral key and nothing else. 
If this is not possible,= then=0D + * MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an altern= ative=0D + * implementation should be provided for mbedtls_ecdsa_sign_det= _ext().=0D + *=0D + */=0D +// #define MBEDTLS_MD5_PROCESS_ALT=0D +// #define MBEDTLS_RIPEMD160_PROCESS_ALT=0D +// #define MBEDTLS_SHA1_PROCESS_ALT=0D +// #define MBEDTLS_SHA256_PROCESS_ALT=0D +// #define MBEDTLS_SHA512_PROCESS_ALT=0D +// #define MBEDTLS_DES_SETKEY_ALT=0D +// #define MBEDTLS_DES_CRYPT_ECB_ALT=0D +// #define MBEDTLS_DES3_CRYPT_ECB_ALT=0D +// #define MBEDTLS_AES_SETKEY_ENC_ALT=0D +// #define MBEDTLS_AES_SETKEY_DEC_ALT=0D +// #define MBEDTLS_AES_ENCRYPT_ALT=0D +// #define MBEDTLS_AES_DECRYPT_ALT=0D +// #define MBEDTLS_ECDH_GEN_PUBLIC_ALT=0D +// #define MBEDTLS_ECDH_COMPUTE_SHARED_ALT=0D +// #define MBEDTLS_ECDSA_VERIFY_ALT=0D +// #define MBEDTLS_ECDSA_SIGN_ALT=0D +// #define MBEDTLS_ECDSA_GENKEY_ALT=0D +=0D +/**=0D + * \def MBEDTLS_ECP_INTERNAL_ALT=0D + *=0D + * Expose a part of the internal interface of the Elliptic Curve Point mod= ule.=0D + *=0D + * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use = your=0D + * alternative core implementation of elliptic curve arithmetic. Keep in m= ind=0D + * that function prototypes should remain the same.=0D + *=0D + * This partially replaces one function. The header file from mbed TLS is = still=0D + * used, in contrast to the MBEDTLS_ECP_ALT flag. 
The original implementat= ion=0D + * is still present and it is used for group structures not supported by t= he=0D + * alternative.=0D + *=0D + * The original implementation can in addition be removed by setting the=0D + * MBEDTLS_ECP_NO_FALLBACK option, in which case any function for which th= e=0D + * corresponding MBEDTLS_ECP__FUNCTION_NAME__ALT macro is defined will not= be=0D + * able to fallback to curves not supported by the alternative implementat= ion.=0D + *=0D + * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_= ALT=0D + * and implementing the following functions:=0D + * unsigned char mbedtls_internal_ecp_grp_capable(=0D + * const mbedtls_ecp_group *grp )=0D + * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )=0D + * void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp )=0D + * The mbedtls_internal_ecp_grp_capable function should return 1 if the=0D + * replacement functions implement arithmetic for the given group and 0=0D + * otherwise.=0D + * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free a= re=0D + * called before and after each point operation and provide an opportunity= to=0D + * implement optimized set up and tear down instructions.=0D + *=0D + * Example: In case you set MBEDTLS_ECP_INTERNAL_ALT and=0D + * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_= jac()=0D + * function, but will use your mbedtls_internal_ecp_double_jac() if the gr= oup=0D + * for the operation is supported by your implementation (i.e. your=0D + * mbedtls_internal_ecp_grp_capable() function returns 1 for this group). 
= If the=0D + * group is not supported by your implementation, then the original mbed T= LS=0D + * implementation of ecp_double_jac() is used instead, unless this fallbac= k=0D + * behaviour is disabled by setting MBEDTLS_ECP_NO_FALLBACK (in which case= =0D + * ecp_double_jac() will return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE).=0D + *=0D + * The function prototypes and the definition of mbedtls_ecp_group and=0D + * mbedtls_ecp_point will not change based on MBEDTLS_ECP_INTERNAL_ALT, so= your=0D + * implementation of mbedtls_internal_ecp__function_name__ must be compati= ble=0D + * with their definitions.=0D + *=0D + * Uncomment a macro to enable alternate implementation of the correspondi= ng=0D + * function.=0D + */=0D +/* Required for all the functions in this section */=0D +// #define MBEDTLS_ECP_INTERNAL_ALT=0D +/* Turn off software fallback for curves not supported in hardware */=0D +// #define MBEDTLS_ECP_NO_FALLBACK=0D +/* Support for Weierstrass curves with Jacobi representation */=0D +// #define MBEDTLS_ECP_RANDOMIZE_JAC_ALT=0D +// #define MBEDTLS_ECP_ADD_MIXED_ALT=0D +// #define MBEDTLS_ECP_DOUBLE_JAC_ALT=0D +// #define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT=0D +// #define MBEDTLS_ECP_NORMALIZE_JAC_ALT=0D +/* Support for curves with Montgomery arithmetic */=0D +// #define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT=0D +// #define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT=0D +// #define MBEDTLS_ECP_NORMALIZE_MXZ_ALT=0D +=0D +/**=0D + * \def MBEDTLS_ENTROPY_HARDWARE_ALT=0D + *=0D + * Uncomment this macro to let mbed TLS use your own implementation of a=0D + * hardware entropy collector.=0D + *=0D + * Your function must be called \c mbedtls_hardware_poll(), have the same= =0D + * prototype as declared in library/entropy_poll.h, and accept NULL as fir= st=0D + * argument.=0D + *=0D + * Uncomment to use your own hardware entropy collector.=0D + */=0D +// #define MBEDTLS_ENTROPY_HARDWARE_ALT=0D +=0D +/**=0D + * \def MBEDTLS_AES_ROM_TABLES=0D + *=0D + * Use precomputed AES tables stored in 
ROM.=0D + *=0D + * Uncomment this macro to use precomputed AES tables stored in ROM.=0D + * Comment this macro to generate AES tables in RAM at runtime.=0D + *=0D + * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb=0D + * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the=0D + * initialization time before the first AES operation can be performed.=0D + * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c=0D + * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded=0D + * performance if ROM access is slower than RAM access.=0D + *=0D + * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.=0D + *=0D + */=0D +// #define MBEDTLS_AES_ROM_TABLES=0D +=0D +/**=0D + * \def MBEDTLS_AES_FEWER_TABLES=0D + *=0D + * Use less ROM/RAM for AES tables.=0D + *=0D + * Uncommenting this macro omits 75% of the AES tables from=0D + * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)=0D + * by computing their values on the fly during operations=0D + * (the tables are entry-wise rotations of one another).=0D + *=0D + * Tradeoff: Uncommenting this reduces the RAM / ROM footprint=0D + * by ~6kb but at the cost of more arithmetic operations during=0D + * runtime. Specifically, one has to compare 4 accesses within=0D + * different tables to 4 accesses with additional arithmetic=0D + * operations within the same table. 
The performance gain/loss=0D + * depends on the system and memory details.=0D + *=0D + * This option is independent of \c MBEDTLS_AES_ROM_TABLES.=0D + *=0D + */=0D +// #define MBEDTLS_AES_FEWER_TABLES=0D +=0D +/**=0D + * \def MBEDTLS_CAMELLIA_SMALL_MEMORY=0D + *=0D + * Use less ROM for the Camellia implementation (saves about 768 bytes).=0D + *=0D + * Uncomment this macro to use less memory for Camellia.=0D + */=0D +// #define MBEDTLS_CAMELLIA_SMALL_MEMORY=0D +=0D +/**=0D + * \def MBEDTLS_CHECK_RETURN_WARNING=0D + *=0D + * If this macro is defined, emit a compile-time warning if application co= de=0D + * calls a function without checking its return value, but the return valu= e=0D + * should generally be checked in portable applications.=0D + *=0D + * This is only supported on platforms where #MBEDTLS_CHECK_RETURN is=0D + * implemented. Otherwise this option has no effect.=0D + *=0D + * Uncomment to get warnings on using fallible functions without checking= =0D + * their return value.=0D + *=0D + * \note This feature is a work in progress.=0D + * Warnings will be added to more functions in the future.=0D + *=0D + * \note A few functions are considered critical, and ignoring the return= =0D + * value of these functions will trigger a warning even if this=0D + * macro is not defined. 
To completely disable return value check=0D + * warnings, define #MBEDTLS_CHECK_RETURN with an empty expansion.= =0D + */=0D +// #define MBEDTLS_CHECK_RETURN_WARNING=0D +=0D +/**=0D + * \def MBEDTLS_CIPHER_MODE_CBC=0D + *=0D + * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.=0D + */=0D +#define MBEDTLS_CIPHER_MODE_CBC=0D +=0D +/**=0D + * \def MBEDTLS_CIPHER_MODE_CFB=0D + *=0D + * Enable Cipher Feedback mode (CFB) for symmetric ciphers.=0D + */=0D +// #define MBEDTLS_CIPHER_MODE_CFB=0D +=0D +/**=0D + * \def MBEDTLS_CIPHER_MODE_CTR=0D + *=0D + * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.=0D + */=0D +// #define MBEDTLS_CIPHER_MODE_CTR=0D +=0D +/**=0D + * \def MBEDTLS_CIPHER_MODE_OFB=0D + *=0D + * Enable Output Feedback mode (OFB) for symmetric ciphers.=0D + */=0D +// #define MBEDTLS_CIPHER_MODE_OFB=0D +=0D +/**=0D + * \def MBEDTLS_CIPHER_MODE_XTS=0D + *=0D + * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.=0D + */=0D +// #define MBEDTLS_CIPHER_MODE_XTS=0D +=0D +/**=0D + * \def MBEDTLS_CIPHER_NULL_CIPHER=0D + *=0D + * Enable NULL cipher.=0D + * Warning: Only do so when you know what you are doing. 
This allows for=0D + * encryption or channels without any security!=0D + *=0D + * To enable the following ciphersuites:=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA=0D + * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384=0D + * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256=0D + * MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA=0D + * MBEDTLS_TLS_RSA_WITH_NULL_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_NULL_SHA=0D + * MBEDTLS_TLS_RSA_WITH_NULL_MD5=0D + * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384=0D + * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256=0D + * MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA=0D + * MBEDTLS_TLS_PSK_WITH_NULL_SHA384=0D + * MBEDTLS_TLS_PSK_WITH_NULL_SHA256=0D + * MBEDTLS_TLS_PSK_WITH_NULL_SHA=0D + *=0D + * Uncomment this macro to enable the NULL cipher and ciphersuites=0D + */=0D +// #define MBEDTLS_CIPHER_NULL_CIPHER=0D +=0D +/**=0D + * \def MBEDTLS_CIPHER_PADDING_PKCS7=0D + *=0D + * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support = for=0D + * specific padding modes in the cipher layer with cipher modes that suppo= rt=0D + * padding (e.g. 
CBC)=0D + *=0D + * If you disable all padding modes, only full blocks can be used with CBC= .=0D + *=0D + * Enable padding modes in the cipher layer.=0D + */=0D +// #define MBEDTLS_CIPHER_PADDING_PKCS7=0D +// #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS=0D +// #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=0D +// #define MBEDTLS_CIPHER_PADDING_ZEROS=0D +=0D +/** \def MBEDTLS_CTR_DRBG_USE_128_BIT_KEY=0D + *=0D + * Uncomment this macro to use a 128-bit key in the CTR_DRBG module.=0D + * By default, CTR_DRBG uses a 256-bit key.=0D + */=0D +// #define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY=0D +=0D +/**=0D + * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED=0D + *=0D + * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic C= urve=0D + * module. By default all supported curves are enabled.=0D + *=0D + * Comment macros to disable the curve and functions for it=0D + */=0D +/* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */=0D +// #define MBEDTLS_ECP_DP_SECP192R1_ENABLED=0D +// #define MBEDTLS_ECP_DP_SECP224R1_ENABLED=0D +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED=0D +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED=0D +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED=0D +// #define MBEDTLS_ECP_DP_SECP192K1_ENABLED=0D +// #define MBEDTLS_ECP_DP_SECP224K1_ENABLED=0D +// #define MBEDTLS_ECP_DP_SECP256K1_ENABLED=0D +// #define MBEDTLS_ECP_DP_BP256R1_ENABLED=0D +// #define MBEDTLS_ECP_DP_BP384R1_ENABLED=0D +// #define MBEDTLS_ECP_DP_BP512R1_ENABLED=0D +/* Montgomery curves (supporting ECP) */=0D +#define MBEDTLS_ECP_DP_CURVE25519_ENABLED=0D +#define MBEDTLS_ECP_DP_CURVE448_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_ECP_NIST_OPTIM=0D + *=0D + * Enable specific 'modulo p' routines for each NIST prime.=0D + * Depending on the prime and architecture, makes operations 4 to 8 times= =0D + * faster on the corresponding curve.=0D + *=0D + * Comment this macro to disable NIST curves optimisation.=0D + */=0D +#define MBEDTLS_ECP_NIST_OPTIM=0D +=0D +/**=0D + * \def MBEDTLS_ECP_RESTARTABLE=0D + *=0D 
+ * Enable "non-blocking" ECC operations that can return early and be resum= ed.=0D + *=0D + * This allows various functions to pause by returning=0D + * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module,=0D + * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in= =0D + * order to further progress and eventually complete their operation. This= is=0D + * controlled through mbedtls_ecp_set_max_ops() which limits the maximum=0D + * number of ECC operations a function may perform before pausing; see=0D + * mbedtls_ecp_set_max_ops() for more information.=0D + *=0D + * This is useful in non-threaded environments if you want to avoid blocki= ng=0D + * for too long on ECC (and, hence, X.509 or SSL/TLS) operations.=0D + *=0D + * Uncomment this macro to enable restartable ECC computations.=0D + *=0D + * \note This option only works with the default software implementation = of=0D + * elliptic curve functionality. It is incompatible with=0D + * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT.=0D + */=0D +#define MBEDTLS_ECP_RESTARTABLE=0D +=0D +/**=0D + * \def MBEDTLS_ECDSA_DETERMINISTIC=0D + *=0D + * Enable deterministic ECDSA (RFC 6979).=0D + * Standard ECDSA is "fragile" in the sense that lack of entropy when sign= ing=0D + * may result in a compromise of the long-term signing key. 
This is avoide= d by=0D + * the deterministic variant.=0D + *=0D + * Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C=0D + *=0D + * Comment this macro to disable deterministic ECDSA.=0D + */=0D +// #define MBEDTLS_ECDSA_DETERMINISTIC=0D +=0D +/**=0D + * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=0D + *=0D + * Enable the PSK based ciphersuite modes in SSL / TLS.=0D + *=0D + * This enables the following ciphersuites (if other requisites are=0D + * enabled as well):=0D + * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256=0D + */=0D +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED=0D + *=0D + * Enable the DHE-PSK based ciphersuite modes in SSL / TLS.=0D + *=0D + * Requires: MBEDTLS_DHM_C=0D + *=0D + * This enables the following ciphersuites (if other requisites are=0D + * enabled as well):=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256=0D + *=0D + * \warning Using DHE constitutes a security risk as it=0D + * is not possible to validate custom DH parameters.=0D + * If possible, it is recommended users should consider=0D + * preferring 
other methods of key exchange.=0D + * See dhm.h for more details.=0D + *=0D + */=0D +#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED=0D + *=0D + * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.=0D + *=0D + * Requires: MBEDTLS_ECDH_C=0D + *=0D + * This enables the following ciphersuites (if other requisites are=0D + * enabled as well):=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256=0D + */=0D +#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED=0D + *=0D + * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.=0D + *=0D + * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,=0D + * MBEDTLS_X509_CRT_PARSE_C=0D + *=0D + * This enables the following ciphersuites (if other requisites are=0D + * enabled as well):=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256=0D + */=0D +#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=0D + *=0D + * Enable the RSA-only based ciphersuite modes in SSL / TLS.=0D + *=0D + * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,=0D + * MBEDTLS_X509_CRT_PARSE_C=0D + *=0D + * This enables the following ciphersuites (if other requisites 
are=0D + * enabled as well):=0D + * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA=0D + * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA=0D + */=0D +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=0D + *=0D + * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.=0D + *=0D + * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,=0D + * MBEDTLS_X509_CRT_PARSE_C=0D + *=0D + * This enables the following ciphersuites (if other requisites are=0D + * enabled as well):=0D + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA=0D + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA=0D + *=0D + * \warning Using DHE constitutes a security risk as it=0D + * is not possible to validate custom DH parameters.=0D + * If possible, it is recommended users should consider=0D + * preferring other methods of key exchange.=0D + * See dhm.h for more details.=0D + *=0D + */=0D +#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=0D +=0D +/**=0D + * \def 
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=0D + *=0D + * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.=0D + *=0D + * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,=0D + * MBEDTLS_X509_CRT_PARSE_C=0D + *=0D + * This enables the following ciphersuites (if other requisites are=0D + * enabled as well):=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256=0D + */=0D +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=0D + *=0D + * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.=0D + *=0D + * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,=0D + *=0D + * This enables the following ciphersuites (if other requisites are=0D + * enabled as well):=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256=0D + */=0D +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=0D + *=0D + * Enable the ECDH-ECDSA based ciphersuite 
modes in SSL / TLS.=0D + *=0D + * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C=0D + *=0D + * This enables the following ciphersuites (if other requisites are=0D + * enabled as well):=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384=0D + */=0D +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=0D + *=0D + * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.=0D + *=0D + * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_X509_CRT_PARSE_C=0D + *=0D + * This enables the following ciphersuites (if other requisites are=0D + * enabled as well):=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384=0D + */=0D +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED=0D + *=0D + * Enable the ECJPAKE based ciphersuite modes in SSL / TLS.=0D + *=0D + * \warning This is currently experimental. 
EC J-PAKE support is based on = the=0D + * Thread v1.0.0 specification; incompatible changes to the specification= =0D + * might still happen. For this reason, this is disabled by default.=0D + *=0D + * Requires: MBEDTLS_ECJPAKE_C=0D + * SHA-256 (via MD if present, or via PSA, see MBEDTLS_ECJPAKE_C= )=0D + * MBEDTLS_ECP_DP_SECP256R1_ENABLED=0D + *=0D + * This enables the following ciphersuites (if other requisites are=0D + * enabled as well):=0D + * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8=0D + */=0D +// #define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_PK_PARSE_EC_EXTENDED=0D + *=0D + * Enhance support for reading EC keys using variants of SEC1 not allowed = by=0D + * RFC 5915 and RFC 5480.=0D + *=0D + * Currently this means parsing the SpecifiedECDomain choice of EC=0D + * parameters (only known groups are supported, not arbitrary domains, to= =0D + * avoid validation issues).=0D + *=0D + * Disable if you only need to support RFC 5915 + 5480 key formats.=0D + */=0D +// #define MBEDTLS_PK_PARSE_EC_EXTENDED=0D +=0D +/**=0D + * \def MBEDTLS_ERROR_STRERROR_DUMMY=0D + *=0D + * Enable a dummy error function to make use of mbedtls_strerror() in=0D + * third party libraries easier when MBEDTLS_ERROR_C is disabled=0D + * (no effect when MBEDTLS_ERROR_C is enabled).=0D + *=0D + * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're= =0D + * not using mbedtls_strerror() or error_strerror() in your application.=0D + *=0D + * Disable if you run into name conflicts and want to really remove the=0D + * mbedtls_strerror()=0D + */=0D +#define MBEDTLS_ERROR_STRERROR_DUMMY=0D +=0D +/**=0D + * \def MBEDTLS_GENPRIME=0D + *=0D + * Enable the prime-number generation code.=0D + *=0D + * Requires: MBEDTLS_BIGNUM_C=0D + */=0D +#define MBEDTLS_GENPRIME=0D +=0D +/**=0D + * \def MBEDTLS_FS_IO=0D + *=0D + * Enable functions that use the filesystem.=0D + */=0D +// #define MBEDTLS_FS_IO=0D +=0D +/**=0D + * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES=0D + 
*=0D + * Do not add default entropy sources in mbedtls_entropy_init().=0D + *=0D + * This is useful to have more control over the added entropy sources in a= n=0D + * application.=0D + *=0D + * Uncomment this macro to prevent loading of default entropy functions.=0D + */=0D +// #define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES=0D +=0D +/**=0D + * \def MBEDTLS_NO_PLATFORM_ENTROPY=0D + *=0D + * Do not use built-in platform entropy functions.=0D + * This is useful if your platform does not support=0D + * standards like the /dev/urandom or Windows CryptoAPI.=0D + *=0D + * Uncomment this macro to disable the built-in platform entropy functions= .=0D + */=0D +// #define MBEDTLS_NO_PLATFORM_ENTROPY=0D +=0D +/**=0D + * \def MBEDTLS_ENTROPY_FORCE_SHA256=0D + *=0D + * Force the entropy accumulator to use a SHA-256 accumulator instead of t= he=0D + * default SHA-512 based one (if both are available).=0D + *=0D + * Requires: MBEDTLS_SHA256_C=0D + *=0D + * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this opt= ion=0D + * if you have performance concerns.=0D + *=0D + * This option is only useful if both MBEDTLS_SHA256_C and=0D + * MBEDTLS_SHA512_C are defined. 
Otherwise the available hash module is us= ed.=0D + */=0D +// #define MBEDTLS_ENTROPY_FORCE_SHA256=0D +=0D +/**=0D + * \def MBEDTLS_ENTROPY_NV_SEED=0D + *=0D + * Enable the non-volatile (NV) seed file-based entropy source.=0D + * (Also enables the NV seed read/write functions in the platform layer)=0D + *=0D + * This is crucial (if not required) on systems that do not have a=0D + * cryptographic entropy source (in hardware or kernel) available.=0D + *=0D + * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C=0D + *=0D + * \note The read/write functions that are used by the entropy source are= =0D + * determined in the platform layer, and can be modified at runtime = and/or=0D + * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) = used.=0D + *=0D + * \note If you use the default implementation functions that read a seedf= ile=0D + * with regular fopen(), please make sure you make a seedfile with t= he=0D + * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at= =0D + * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read f= rom=0D + * and written to or you will get an entropy source error! 
The defau= lt=0D + * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE= =0D + * bytes from the file.=0D + *=0D + * \note The entropy collector will write to the seed file before entropy = is=0D + * given to an external source, to update it.=0D + */=0D +// #define MBEDTLS_ENTROPY_NV_SEED=0D +=0D +/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER=0D + *=0D + * Enable key identifiers that encode a key owner identifier.=0D + *=0D + * The owner of a key is identified by a value of type ::mbedtls_key_owner= _id_t=0D + * which is currently hard-coded to be int32_t.=0D + *=0D + * Note that this option is meant for internal use only and may be removed= =0D + * without notice.=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER=0D +=0D +/**=0D + * \def MBEDTLS_MEMORY_DEBUG=0D + *=0D + * Enable debugging of buffer allocator memory issues. Automatically print= s=0D + * (to stderr) all (fatal) messages on memory allocation issues. Enables=0D + * function for 'debug output' of allocated memory.=0D + *=0D + * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C=0D + *=0D + * Uncomment this macro to let the buffer allocator print out error messag= es.=0D + */=0D +// #define MBEDTLS_MEMORY_DEBUG=0D +=0D +/**=0D + * \def MBEDTLS_MEMORY_BACKTRACE=0D + *=0D + * Include backtrace information with each allocated block.=0D + *=0D + * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C=0D + * GLIBC-compatible backtrace() and backtrace_symbols() support= =0D + *=0D + * Uncomment this macro to include backtrace information=0D + */=0D +// #define MBEDTLS_MEMORY_BACKTRACE=0D +=0D +/**=0D + * \def MBEDTLS_PK_RSA_ALT_SUPPORT=0D + *=0D + * Support external private RSA keys (eg from a HSM) in the PK layer.=0D + *=0D + * Comment this macro to disable support for external private RSA keys.=0D + */=0D +// #define MBEDTLS_PK_RSA_ALT_SUPPORT=0D +=0D +/**=0D + * \def MBEDTLS_PKCS1_V15=0D + *=0D + * Enable support for PKCS#1 v1.5 encoding.=0D + *=0D + * Requires: MBEDTLS_RSA_C=0D + *=0D + * This enables 
support for PKCS#1 v1.5 operations.=0D + */=0D +#define MBEDTLS_PKCS1_V15=0D +=0D +/**=0D + * \def MBEDTLS_PKCS1_V21=0D + *=0D + * Enable support for PKCS#1 v2.1 encoding.=0D + *=0D + * Requires: MBEDTLS_RSA_C and (MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C).=0D + *=0D + * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_ini= t()=0D + * before doing any PKCS#1 v2.1 operation.=0D + *=0D + * \warning When building with MBEDTLS_MD_C, all hashes used with this=0D + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256= _C,=0D + * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used= by=0D + * this module in builds where MBEDTLS_MD_C is disabled.=0D + *=0D + * This enables support for RSAES-OAEP and RSASSA-PSS operations.=0D + */=0D +#define MBEDTLS_PKCS1_V21=0D +=0D +/** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS=0D + *=0D + * Enable support for platform built-in keys. If you enable this feature,= =0D + * you must implement the function mbedtls_psa_platform_get_builtin_key().= =0D + * See the documentation of that function for more information.=0D + *=0D + * Built-in keys are typically derived from a hardware unique key or=0D + * stored in a secure element.=0D + *=0D + * Requires: MBEDTLS_PSA_CRYPTO_C.=0D + *=0D + * \warning This interface is experimental and may change or be removed=0D + * without notice.=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS=0D +=0D +/** \def MBEDTLS_PSA_CRYPTO_CLIENT=0D + *=0D + * Enable support for PSA crypto client.=0D + *=0D + * \note This option allows to include the code necessary for a PSA=0D + * crypto client when the PSA crypto implementation is not included = in=0D + * the library (MBEDTLS_PSA_CRYPTO_C disabled). 
The code included is= the=0D + * code to set and get PSA key attributes.=0D + * The development of PSA drivers partially relying on the library t= o=0D + * fulfill the hardware gaps is another possible usage of this optio= n.=0D + *=0D + * \warning This interface is experimental and may change or be removed=0D + * without notice.=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_CLIENT=0D +=0D +/** \def MBEDTLS_PSA_CRYPTO_DRIVERS=0D + *=0D + * Enable support for the experimental PSA crypto driver interface.=0D + *=0D + * Requires: MBEDTLS_PSA_CRYPTO_C=0D + *=0D + * \warning This interface is experimental. We intend to maintain backward= =0D + * compatibility with application code that relies on drivers,=0D + * but the driver interfaces may change without notice.=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_DRIVERS=0D +=0D +/** \def MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=0D + *=0D + * Make the PSA Crypto module use an external random generator provided=0D + * by a driver, instead of Mbed TLS's entropy and DRBG modules.=0D + *=0D + * \note This random generator must deliver random numbers with cryptograp= hic=0D + * quality and high performance. It must supply unpredictable number= s=0D + * with a uniform distribution. The implementation of this function= =0D + * is responsible for ensuring that the random generator is seeded=0D + * with sufficient entropy. 
If you have a hardware TRNG which is slo= w=0D + * or delivers non-uniform output, declare it as an entropy source=0D + * with mbedtls_entropy_add_source() instead of enabling this option= .=0D + *=0D + * If you enable this option, you must configure the type=0D + * ::mbedtls_psa_external_random_context_t in psa/crypto_platform.h=0D + * and define a function called mbedtls_psa_external_get_random()=0D + * with the following prototype:=0D + * ```=0D + * psa_status_t mbedtls_psa_external_get_random(=0D + * mbedtls_psa_external_random_context_t *context,=0D + * uint8_t *output, size_t output_size, size_t *output_length);=0D + * );=0D + * ```=0D + * The \c context value is initialized to 0 before the first call.=0D + * The function must fill the \c output buffer with \p output_size bytes=0D + * of random data and set \c *output_length to \p output_size.=0D + *=0D + * Requires: MBEDTLS_PSA_CRYPTO_C=0D + *=0D + * \warning If you enable this option, code that uses the PSA cryptography= =0D + * interface will not use any of the entropy sources set up for=0D + * the entropy module, nor the NV seed that MBEDTLS_ENTROPY_NV_SE= ED=0D + * enables.=0D + *=0D + * \note This option is experimental and may be removed without notice.=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=0D +=0D +/**=0D + * \def MBEDTLS_PSA_CRYPTO_SPM=0D + *=0D + * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secu= re=0D + * Partition Manager) integration which separates the code into two parts:= a=0D + * NSPE (Non-Secure Process Environment) and an SPE (Secure Process=0D + * Environment).=0D + *=0D + * Module: library/psa_crypto.c=0D + * Requires: MBEDTLS_PSA_CRYPTO_C=0D + *=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_SPM=0D +=0D +/**=0D + * \def MBEDTLS_PSA_INJECT_ENTROPY=0D + *=0D + * Enable support for entropy injection at first boot. 
This feature is=0D + * required on systems that do not have a built-in entropy source (TRNG).= =0D + * This feature is currently not supported on systems that have a built-in= =0D + * entropy source.=0D + *=0D + * Requires: MBEDTLS_PSA_CRYPTO_STORAGE_C, MBEDTLS_ENTROPY_NV_SEED=0D + *=0D + */=0D +// #define MBEDTLS_PSA_INJECT_ENTROPY=0D +=0D +/**=0D + * \def MBEDTLS_RSA_NO_CRT=0D + *=0D + * Do not use the Chinese Remainder Theorem=0D + * for the RSA private operation.=0D + *=0D + * Uncomment this macro to disable the use of CRT in RSA.=0D + *=0D + */=0D +// #define MBEDTLS_RSA_NO_CRT=0D +=0D +/**=0D + * \def MBEDTLS_SELF_TEST=0D + *=0D + * Enable the checkup functions (*_self_test).=0D + */=0D +// #define MBEDTLS_SELF_TEST=0D +=0D +/**=0D + * \def MBEDTLS_SHA256_SMALLER=0D + *=0D + * Enable an implementation of SHA-256 that has lower ROM footprint but al= so=0D + * lower performance.=0D + *=0D + * The default implementation is meant to be a reasonable compromise betwe= en=0D + * performance and size. This version optimizes more aggressively for size= at=0D + * the expense of performance. 
Eg on Cortex-M4 it reduces the size of=0D + * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of a= bout=0D + * 30%.=0D + *=0D + * Uncomment to enable the smaller implementation of SHA256.=0D + */=0D +#define MBEDTLS_SHA256_SMALLER=0D +=0D +/**=0D + * \def MBEDTLS_SHA512_SMALLER=0D + *=0D + * Enable an implementation of SHA-512 that has lower ROM footprint but al= so=0D + * lower performance.=0D + *=0D + * Uncomment to enable the smaller implementation of SHA512.=0D + */=0D +#define MBEDTLS_SHA512_SMALLER=0D +=0D +/**=0D + * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES=0D + *=0D + * Enable sending of alert messages in case of encountered errors as per R= FC.=0D + * If you choose not to send the alert messages, mbed TLS can still commun= icate=0D + * with other servers, only debugging of failures is harder.=0D + *=0D + * The advantage of not sending alert messages, is that no information is = given=0D + * about reasons for failures thus preventing adversaries of gaining intel= .=0D + *=0D + * Enable sending of all alert messages=0D + */=0D +#define MBEDTLS_SSL_ALL_ALERT_MESSAGES=0D +=0D +/**=0D + * \def MBEDTLS_SSL_DTLS_CONNECTION_ID=0D + *=0D + * Enable support for the DTLS Connection ID (CID) extension,=0D + * which allows to identify DTLS connections across changes=0D + * in the underlying transport. The CID functionality is described=0D + * in RFC 9146.=0D + *=0D + * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,=0D + * mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and=0D + * `mbedtls_ssl_conf_cid()`. 
See the corresponding documentation for=0D + * more information.=0D + *=0D + * The maximum lengths of outgoing and incoming CIDs can be configured=0D + * through the options=0D + * - MBEDTLS_SSL_CID_OUT_LEN_MAX=0D + * - MBEDTLS_SSL_CID_IN_LEN_MAX.=0D + *=0D + * Requires: MBEDTLS_SSL_PROTO_DTLS=0D + *=0D + * Uncomment to enable the Connection ID extension.=0D + */=0D +#define MBEDTLS_SSL_DTLS_CONNECTION_ID=0D +=0D +/**=0D + * \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT=0D + *=0D + * Defines whether RFC 9146 (default) or the legacy version=0D + * (version draft-ietf-tls-dtls-connection-id-05,=0D + * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)=0D + * is used.=0D + *=0D + * Set the value to 0 for the standard version, and=0D + * 1 for the legacy draft version.=0D + *=0D + * \deprecated Support for the legacy version of the DTLS=0D + * Connection ID feature is deprecated. Please=0D + * switch to the standardized version defined=0D + * in RFC 9146 enabled by utilizing=0D + * MBEDTLS_SSL_DTLS_CONNECTION_ID without use=0D + * of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT.=0D + *=0D + * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID=0D + */=0D +#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0=0D +=0D +/**=0D + * \def MBEDTLS_SSL_ASYNC_PRIVATE=0D + *=0D + * Enable asynchronous external private key operations in SSL. 
This allows= =0D + * you to configure an SSL connection to call an external cryptographic=0D + * module to perform private key operations instead of performing the=0D + * operation inside the library.=0D + *=0D + */=0D +// #define MBEDTLS_SSL_ASYNC_PRIVATE=0D +=0D +/**=0D + * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION=0D + *=0D + * Enable serialization of the TLS context structures, through use of the= =0D + * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load().=0D + *=0D + * This pair of functions allows one side of a connection to serialize the= =0D + * context associated with the connection, then free or re-use that contex= t=0D + * while the serialized state is persisted elsewhere, and finally deserial= ize=0D + * that state to a live context for resuming read/write operations on the= =0D + * connection. From a protocol perspective, the state of the connection is= =0D + * unaffected, in particular this is entirely transparent to the peer.=0D + *=0D + * Note: this is distinct from TLS session resumption, which is part of th= e=0D + * protocol and fully visible by the peer. 
TLS session resumption enables= =0D + * establishing new connections associated to a saved session with shorter= ,=0D + * lighter handshakes, while context serialization is a local optimization= in=0D + * handling a single, potentially long-lived connection.=0D + *=0D + * Enabling these APIs makes some SSL structures larger, as 64 extra bytes= are=0D + * saved after the handshake to allow for more efficient serialization, so= if=0D + * you don't need this feature you'll save RAM by disabling it.=0D + *=0D + * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C=0D + *=0D + * Comment to disable the context serialization APIs.=0D + */=0D +#define MBEDTLS_SSL_CONTEXT_SERIALIZATION=0D +=0D +/**=0D + * \def MBEDTLS_SSL_DEBUG_ALL=0D + *=0D + * Enable the debug messages in SSL module for all issues.=0D + * Debug messages have been disabled in some places to prevent timing=0D + * attacks due to (unbalanced) debugging function calls.=0D + *=0D + * If you need all error reporting you should enable this during debugging= ,=0D + * but remove this for production servers that should log as well.=0D + *=0D + * Uncomment this macro to report all debug messages on errors introducing= =0D + * a timing side-channel.=0D + *=0D + */=0D +// #define MBEDTLS_SSL_DEBUG_ALL=0D +=0D +/** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC=0D + *=0D + * Enable support for Encrypt-then-MAC, RFC 7366.=0D + *=0D + * This allows peers that both support it to use a more robust protection = for=0D + * ciphersuites using CBC, providing deep resistance against timing attack= s=0D + * on the padding or underlying cipher.=0D + *=0D + * This only affects CBC ciphersuites, and is useless if none is defined.= =0D + *=0D + * Requires: MBEDTLS_SSL_PROTO_TLS1_2=0D + *=0D + * Comment this macro to disable support for Encrypt-then-MAC=0D + */=0D +#define MBEDTLS_SSL_ENCRYPT_THEN_MAC=0D +=0D +/** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET=0D + *=0D + * Enable support for RFC 7627: Session Hash and Extended Master 
Secret=0D + * Extension.=0D + *=0D + * This was introduced as "the proper fix" to the Triple Handshake family = of=0D + * attacks, but it is recommended to always use it (even if you disable=0D + * renegotiation), since it actually fixes a more fundamental issue in the= =0D + * original SSL/TLS design, and has implications beyond Triple Handshake.= =0D + *=0D + * Requires: MBEDTLS_SSL_PROTO_TLS1_2=0D + *=0D + * Comment this macro to disable support for Extended Master Secret.=0D + */=0D +#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET=0D +=0D +/**=0D + * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=0D + *=0D + * This option controls the availability of the API mbedtls_ssl_get_peer_c= ert()=0D + * giving access to the peer's certificate after completion of the handsha= ke.=0D + *=0D + * Unless you need mbedtls_ssl_peer_cert() in your application, it is=0D + * recommended to disable this option for reduced RAM usage.=0D + *=0D + * \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still= =0D + * defined, but always returns \c NULL.=0D + *=0D + * \note This option has no influence on the protection against the=0D + * triple handshake attack. 
Even if it is disabled, Mbed TLS will=0D + * still ensure that certificates do not change during renegotiation= ,=0D + * for example by keeping a hash of the peer's certificate.=0D + *=0D + * \note This option is required if MBEDTLS_SSL_PROTO_TLS1_3 is set.=0D + *=0D + * Comment this macro to disable storing the peer's certificate=0D + * after the handshake.=0D + */=0D +#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=0D +=0D +/**=0D + * \def MBEDTLS_SSL_RENEGOTIATION=0D + *=0D + * Enable support for TLS renegotiation.=0D + *=0D + * The two main uses of renegotiation are (1) refresh keys on long-lived=0D + * connections and (2) client authentication after the initial handshake.= =0D + * If you don't need renegotiation, it's probably better to disable it, si= nce=0D + * it has been associated with security issues in the past and is easy to= =0D + * misuse/misunderstand.=0D + *=0D + * Comment this to disable support for renegotiation.=0D + *=0D + * \note Even if this option is disabled, both client and server are awa= re=0D + * of the Renegotiation Indication Extension (RFC 5746) used to=0D + * prevent the SSL renegotiation attack (see RFC 5746 Sect. 
1).=0D + * (See \c mbedtls_ssl_conf_legacy_renegotiation for the=0D + * configuration of this extension).=0D + *=0D + */=0D +#define MBEDTLS_SSL_RENEGOTIATION=0D +=0D +/**=0D + * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH=0D + *=0D + * Enable support for RFC 6066 max_fragment_length extension in SSL.=0D + *=0D + * Comment this macro to disable support for the max_fragment_length exten= sion=0D + */=0D +#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH=0D +=0D +/**=0D + * \def MBEDTLS_SSL_PROTO_TLS1_2=0D + *=0D + * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).=0D + *=0D + * Requires: Without MBEDTLS_USE_PSA_CRYPTO: MBEDTLS_MD_C and=0D + * (MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C)=0D + * With MBEDTLS_USE_PSA_CRYPTO:=0D + * PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or=0D + * PSA_WANT_ALG_SHA_512=0D + *=0D + * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call=0D + * psa_crypto_init() before doing any TLS operations.=0D + *=0D + * Comment this macro to disable support for TLS 1.2 / DTLS 1.2=0D + */=0D +#define MBEDTLS_SSL_PROTO_TLS1_2=0D +=0D +/**=0D + * \def MBEDTLS_SSL_PROTO_TLS1_3=0D + *=0D + * Enable support for TLS 1.3.=0D + *=0D + * \note The support for TLS 1.3 is not comprehensive yet, in particular=0D + * pre-shared keys are not supported.=0D + * See docs/architecture/tls13-support.md for a description of the T= LS=0D + * 1.3 support that this option enables.=0D + *=0D + * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=0D + * Requires: MBEDTLS_PSA_CRYPTO_C=0D + *=0D + * Note: even though TLS 1.3 depends on PSA Crypto, and uses it unconditio= nally=0D + * for most operations, if you want it to only use PSA for all crypto=0D + * operations, you need to also enable MBEDTLS_USE_PSA_CRYPTO; otherwise X= .509=0D + * operations, and functions that are common with TLS 1.2 (record protecti= on,=0D + * running handshake hash) will still use non-PSA crypto.=0D + *=0D + * Uncomment this macro to enable the support for TLS 1.3.=0D + */=0D +// 
#define MBEDTLS_SSL_PROTO_TLS1_3=0D +=0D +/**=0D + * \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE=0D + *=0D + * Enable TLS 1.3 middlebox compatibility mode.=0D + *=0D + * As specified in Section D.4 of RFC 8446, TLS 1.3 offers a compatibility= =0D + * mode to make a TLS 1.3 connection more likely to pass through middle bo= xes=0D + * expecting TLS 1.2 traffic.=0D + *=0D + * Turning on the compatibility mode comes at the cost of a few added byte= s=0D + * on the wire, but it doesn't affect compatibility with TLS 1.3 implement= ations=0D + * that don't use it. Therefore, unless transmission bandwidth is critical= and=0D + * you know that middlebox compatibility issues won't occur, it is therefo= re=0D + * recommended to set this option.=0D + *=0D + * Comment to disable compatibility mode for TLS 1.3. If=0D + * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any= =0D + * effect on the build.=0D + *=0D + */=0D +// #define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE=0D +=0D +/**=0D + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED=0D + *=0D + * Enable TLS 1.3 PSK key exchange mode.=0D + *=0D + * Comment to disable support for the PSK key exchange mode in TLS 1.3. 
If= =0D + * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any= =0D + * effect on the build.=0D + *=0D + */=0D +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED=0D + *=0D + * Enable TLS 1.3 ephemeral key exchange mode.=0D + *=0D + * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C, MBEDTLS_ECDSA_C or= =0D + * MBEDTLS_PKCS1_V21=0D + *=0D + * Comment to disable support for the ephemeral key exchange mode in TLS 1= .3.=0D + * If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have a= ny=0D + * effect on the build.=0D + *=0D + */=0D +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED=0D + *=0D + * Enable TLS 1.3 PSK ephemeral key exchange mode.=0D + *=0D + * Requires: MBEDTLS_ECDH_C=0D + *=0D + * Comment to disable support for the PSK ephemeral key exchange mode in=0D + * TLS 1.3. 
If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does n= ot=0D + * have any effect on the build.=0D + *=0D + */=0D +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED=0D +=0D +/**=0D + * \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE=0D + *=0D + * Maximum time difference in milliseconds tolerated between the age of a= =0D + * ticket from the server and client point of view.=0D + * From the client point of view, the age of a ticket is the time differen= ce=0D + * between the time when the client proposes to the server to use the tick= et=0D + * (time of writing of the Pre-Shared Key Extension including the ticket) = and=0D + * the time the client received the ticket from the server.=0D + * From the server point of view, the age of a ticket is the time differen= ce=0D + * between the time when the server receives a proposition from the client= =0D + * to use the ticket and the time when the ticket was created by the serve= r.=0D + * The server age is expected to be always greater than the client one and= =0D + * MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE defines the=0D + * maximum difference tolerated for the server to accept the ticket.=0D + * This is not used in TLS 1.2.=0D + *=0D + */=0D +#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000=0D +=0D +/**=0D + * \def MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH=0D + *=0D + * Size in bytes of a ticket nonce. This is not used in TLS 1.2.=0D + *=0D + * This must be less than 256.=0D + */=0D +#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32=0D +=0D +/**=0D + * \def MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS=0D + *=0D + * Default number of NewSessionTicket messages to be sent by a TLS 1.3 ser= ver=0D + * after handshake completion. 
This is not used in TLS 1.2 and relevant on= ly if=0D + * the MBEDTLS_SSL_SESSION_TICKETS option is enabled.=0D + *=0D + */=0D +#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1=0D +=0D +/**=0D +* \def MBEDTLS_SSL_EARLY_DATA=0D +*=0D +* Enable support for RFC 8446 TLS 1.3 early data.=0D +*=0D +* Requires: MBEDTLS_SSL_SESSION_TICKETS and either=0D +* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or=0D +* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED=0D +*=0D +* Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS= 1_3=0D +* is not enabled, this option does not have any effect on the build.=0D +*=0D +* This feature is experimental, not completed and thus not ready for=0D +* production.=0D +*=0D +*/=0D +// #define MBEDTLS_SSL_EARLY_DATA=0D +=0D +/**=0D + * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE=0D + *=0D + * The default maximum amount of 0-RTT data. See the documentation of=0D + * \c mbedtls_ssl_tls13_conf_max_early_data_size() for more information.=0D + *=0D + * It must be positive and smaller than UINT32_MAX.=0D + *=0D + * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not=0D + * have any impact on the build.=0D + *=0D + * This feature is experimental, not completed and thus not ready for=0D + * production.=0D + *=0D + */=0D +#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024=0D +=0D +/**=0D + * \def MBEDTLS_SSL_PROTO_DTLS=0D + *=0D + * Enable support for DTLS (all available versions).=0D + *=0D + * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.=0D + *=0D + * Requires: MBEDTLS_SSL_PROTO_TLS1_2=0D + *=0D + * Comment this macro to disable support for DTLS=0D + */=0D +#define MBEDTLS_SSL_PROTO_DTLS=0D +=0D +/**=0D + * \def MBEDTLS_SSL_ALPN=0D + *=0D + * Enable support for RFC 7301 Application Layer Protocol Negotiation.=0D + *=0D + * Comment this macro to disable support for ALPN.=0D + */=0D +#define MBEDTLS_SSL_ALPN=0D +=0D +/**=0D + * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY=0D + *=0D + * Enable support for 
the anti-replay mechanism in DTLS.=0D + *=0D + * Requires: MBEDTLS_SSL_TLS_C=0D + * MBEDTLS_SSL_PROTO_DTLS=0D + *=0D + * \warning Disabling this is often a security risk!=0D + * See mbedtls_ssl_conf_dtls_anti_replay() for details.=0D + *=0D + * Comment this to disable anti-replay in DTLS.=0D + */=0D +// #define MBEDTLS_SSL_DTLS_ANTI_REPLAY=0D +=0D +/**=0D + * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY=0D + *=0D + * Enable support for HelloVerifyRequest on DTLS servers.=0D + *=0D + * This feature is highly recommended to prevent DTLS servers being used a= s=0D + * amplifiers in DoS attacks against other hosts. It should always be enab= led=0D + * unless you know for sure amplification cannot be a problem in the=0D + * environment in which your server operates.=0D + *=0D + * \warning Disabling this can be a security risk! (see above)=0D + *=0D + * Requires: MBEDTLS_SSL_PROTO_DTLS=0D + *=0D + * Comment this to disable support for HelloVerifyRequest.=0D + */=0D +// #define MBEDTLS_SSL_DTLS_HELLO_VERIFY=0D +=0D +/**=0D + * \def MBEDTLS_SSL_DTLS_SRTP=0D + *=0D + * Enable support for negotiation of DTLS-SRTP (RFC 5764)=0D + * through the use_srtp extension.=0D + *=0D + * \note This feature provides the minimum functionality required=0D + * to negotiate the use of DTLS-SRTP and to allow the derivation of=0D + * the associated SRTP packet protection key material.=0D + * In particular, the SRTP packet protection itself, as well as the=0D + * demultiplexing of RTP and DTLS packets at the datagram layer=0D + * (see Section 5 of RFC 5764), are not handled by this feature.=0D + * Instead, after successful completion of a handshake negotiating=0D + * the use of DTLS-SRTP, the extended key exporter API=0D + * mbedtls_ssl_conf_export_keys_cb() should be used to implement=0D + * the key exporter described in Section 4.2 of RFC 5764 and RFC 5705=0D + * (this is implemented in the SSL example programs).=0D + * The resulting key should then be passed to an SRTP stack.=0D + *=0D + * Setting 
this option enables the runtime API=0D + * mbedtls_ssl_conf_dtls_srtp_protection_profiles()=0D + * through which the supported DTLS-SRTP protection=0D + * profiles can be configured. You must call this API at=0D + * runtime if you wish to negotiate the use of DTLS-SRTP.=0D + *=0D + * Requires: MBEDTLS_SSL_PROTO_DTLS=0D + *=0D + * Uncomment this to enable support for use_srtp extension.=0D + */=0D +// #define MBEDTLS_SSL_DTLS_SRTP=0D +=0D +/**=0D + * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE=0D + *=0D + * Enable server-side support for clients that reconnect from the same por= t.=0D + *=0D + * Some clients unexpectedly close the connection and try to reconnect usi= ng the=0D + * same source port. This needs special support from the server to handle = the=0D + * new connection securely, as described in section 4.2.8 of RFC 6347. Thi= s=0D + * flag enables that support.=0D + *=0D + * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY=0D + *=0D + * Comment this to disable support for clients reusing the source port.=0D + */=0D +// #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE=0D +=0D +/**=0D + * \def MBEDTLS_SSL_SESSION_TICKETS=0D + *=0D + * Enable support for RFC 5077 session tickets in SSL.=0D + * Client-side, provides full support for session tickets (maintenance of = a=0D + * session store remains the responsibility of the application, though).=0D + * Server-side, you also need to provide callbacks for writing and parsing= =0D + * tickets, including authenticated encryption and key management. 
Example= =0D + * callbacks are provided by MBEDTLS_SSL_TICKET_C.=0D + *=0D + * Comment this macro to disable support for SSL session tickets=0D + */=0D +#define MBEDTLS_SSL_SESSION_TICKETS=0D +=0D +/**=0D + * \def MBEDTLS_SSL_SERVER_NAME_INDICATION=0D + *=0D + * Enable support for RFC 6066 server name indication (SNI) in SSL.=0D + *=0D + * Requires: MBEDTLS_X509_CRT_PARSE_C=0D + *=0D + * Comment this macro to disable support for server name indication in SSL= =0D + */=0D +#define MBEDTLS_SSL_SERVER_NAME_INDICATION=0D +=0D +/**=0D + * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH=0D + *=0D + * When this option is enabled, the SSL buffer will be resized automatical= ly=0D + * based on the negotiated maximum fragment length in each direction.=0D + *=0D + * Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH=0D + */=0D +// #define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH=0D +=0D +/**=0D + * \def MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN=0D + *=0D + * Enable testing of the constant-flow nature of some sensitive functions = with=0D + * clang's MemorySanitizer. This causes some existing tests to also test=0D + * this non-functional property of the code under test.=0D + *=0D + * This setting requires compiling with clang -fsanitize=3Dmemory. The tes= t=0D + * suites can then be run normally.=0D + *=0D + * \warning This macro is only used for extended testing; it is not consid= ered=0D + * part of the library's API, so it may change or disappear at any time.=0D + *=0D + * Uncomment to enable testing of the constant-flow nature of selected cod= e.=0D + */=0D +// #define MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN=0D +=0D +/**=0D + * \def MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND=0D + *=0D + * Enable testing of the constant-flow nature of some sensitive functions = with=0D + * valgrind's memcheck tool. 
This causes some existing tests to also test= =0D + * this non-functional property of the code under test.=0D + *=0D + * This setting requires valgrind headers for building, and is only useful= for=0D + * testing if the tests suites are run with valgrind's memcheck. This can = be=0D + * done for an individual test suite with 'valgrind ./test_suite_xxx', or = when=0D + * using CMake, this can be done for all test suites with 'make memcheck'.= =0D + *=0D + * \warning This macro is only used for extended testing; it is not consid= ered=0D + * part of the library's API, so it may change or disappear at any time.=0D + *=0D + * Uncomment to enable testing of the constant-flow nature of selected cod= e.=0D + */=0D +// #define MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND=0D +=0D +/**=0D + * \def MBEDTLS_TEST_HOOKS=0D + *=0D + * Enable features for invasive testing such as introspection functions an= d=0D + * hooks for fault injection. This enables additional unit tests.=0D + *=0D + * Merely enabling this feature should not change the behavior of the prod= uct.=0D + * It only adds new code, and new branching points where the default behav= ior=0D + * is the same as when this feature is disabled.=0D + * However, this feature increases the attack surface: there is an added=0D + * risk of vulnerabilities, and more gadgets that can make exploits easier= .=0D + * Therefore this feature must never be enabled in production.=0D + *=0D + * See `docs/architecture/testing/mbed-crypto-invasive-testing.md` for mor= e=0D + * information.=0D + *=0D + * Uncomment to enable invasive tests.=0D + */=0D +// #define MBEDTLS_TEST_HOOKS=0D +=0D +/**=0D + * \def MBEDTLS_THREADING_ALT=0D + *=0D + * Provide your own alternate threading implementation.=0D + *=0D + * Requires: MBEDTLS_THREADING_C=0D + *=0D + * Uncomment this to allow your own alternate threading implementation.=0D + */=0D +// #define MBEDTLS_THREADING_ALT=0D +=0D +/**=0D + * \def MBEDTLS_THREADING_PTHREAD=0D + *=0D + * Enable the pthread 
wrapper layer for the threading layer.=0D + *=0D + * Requires: MBEDTLS_THREADING_C=0D + *=0D + * Uncomment this to enable pthread mutexes.=0D + */=0D +// #define MBEDTLS_THREADING_PTHREAD=0D +=0D +/**=0D + * \def MBEDTLS_USE_PSA_CRYPTO=0D + *=0D + * Make the X.509 and TLS library use PSA for cryptographic operations, an= d=0D + * enable new APIs for using keys handled by PSA Crypto.=0D + *=0D + * \note Development of this option is currently in progress, and parts of= Mbed=0D + * TLS's X.509 and TLS modules are not ported to PSA yet. However, these p= arts=0D + * will still continue to work as usual, so enabling this option should no= t=0D + * break backwards compatibility.=0D + *=0D + * \note See docs/use-psa-crypto.md for a complete description of what thi= s=0D + * option currently does, and of parts that are not affected by it so far.= =0D + *=0D + * \warning If you enable this option, you need to call `psa_crypto_init()= `=0D + * before calling any function from the SSL/TLS, X.509 or PK modules.=0D + *=0D + * Requires: MBEDTLS_PSA_CRYPTO_C.=0D + * Conflicts with: MBEDTLS_ECP_RESTARTABLE=0D + *=0D + * Uncomment this to enable internal use of PSA Crypto and new associated = APIs.=0D + */=0D +// #define MBEDTLS_USE_PSA_CRYPTO=0D +=0D +/**=0D + * \def MBEDTLS_PSA_CRYPTO_CONFIG=0D + *=0D + * This setting allows support for cryptographic mechanisms through the PS= A=0D + * API to be configured separately from support through the mbedtls API.=0D + *=0D + * When this option is disabled, the PSA API exposes the cryptographic=0D + * mechanisms that can be implemented on top of the `mbedtls_xxx` API=0D + * configured with `MBEDTLS_XXX` symbols.=0D + *=0D + * When this option is enabled, the PSA API exposes the cryptographic=0D + * mechanisms requested by the `PSA_WANT_XXX` symbols defined in=0D + * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings a= re=0D + * automatically enabled if required (i.e. if no PSA driver provides the=0D + * mechanism). 
You may still freely enable additional `MBEDTLS_XXX` symbol= s=0D + * in mbedtls_config.h.=0D + *=0D + * If the symbol #MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined, it specifies= =0D + * an alternative header to include instead of include/psa/crypto_config.h= .=0D + *=0D + * This feature is still experimental and is not ready for production sinc= e=0D + * it is not completed.=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_CONFIG=0D +=0D +/**=0D + * \def MBEDTLS_VERSION_FEATURES=0D + *=0D + * Allow run-time checking of compile-time enabled features. Thus allowing= users=0D + * to check at run-time if the library is for instance compiled with threa= ding=0D + * support via mbedtls_version_check_feature().=0D + *=0D + * Requires: MBEDTLS_VERSION_C=0D + *=0D + * Comment this to disable run-time checking and save ROM space=0D + */=0D +// #define MBEDTLS_VERSION_FEATURES=0D +=0D +/**=0D + * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK=0D + *=0D + * If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb(= )`=0D + * and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configu= re=0D + * the set of trusted certificates through a callback instead of a linked= =0D + * list.=0D + *=0D + * This is useful for example in environments where a large number of trus= ted=0D + * certificates is present and storing them in a linked list isn't efficie= nt=0D + * enough, or when the set of trusted certificates changes frequently.=0D + *=0D + * See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and=0D + * `mbedtls_ssl_conf_ca_cb()` for more information.=0D + *=0D + * Uncomment to enable trusted certificate callbacks.=0D + */=0D +// #define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK=0D +=0D +/**=0D + * \def MBEDTLS_X509_REMOVE_INFO=0D + *=0D + * Disable mbedtls_x509_*_info() and related APIs.=0D + *=0D + * Uncomment to omit mbedtls_x509_*_info(), as well as mbedtls_debug_print= _crt()=0D + * and other functions/constants only used by these functions, thus 
reduci= ng=0D + * the code footprint by several KB.=0D + */=0D +// #define MBEDTLS_X509_REMOVE_INFO=0D +=0D +/**=0D + * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT=0D + *=0D + * Enable parsing and verification of X.509 certificates, CRLs and CSRS=0D + * signed with RSASSA-PSS (aka PKCS#1 v2.1).=0D + *=0D + * Comment this macro to disallow using RSASSA-PSS in certificates.=0D + */=0D +#define MBEDTLS_X509_RSASSA_PSS_SUPPORT=0D +/** \} name SECTION: mbed TLS feature support */=0D +=0D +/**=0D + * \name SECTION: mbed TLS modules=0D + *=0D + * This section enables or disables entire modules in mbed TLS=0D + * \{=0D + */=0D +=0D +/**=0D + * \def MBEDTLS_AESNI_C=0D + *=0D + * Enable AES-NI support on x86-64.=0D + *=0D + * Module: library/aesni.c=0D + * Caller: library/aes.c=0D + *=0D + * Requires: MBEDTLS_HAVE_ASM=0D + *=0D + * This modules adds support for the AES-NI instructions on x86-64=0D + */=0D +// #define MBEDTLS_AESNI_C=0D +=0D +/**=0D + * \def MBEDTLS_AES_C=0D + *=0D + * Enable the AES block cipher.=0D + *=0D + * Module: library/aes.c=0D + * Caller: library/cipher.c=0D + * library/pem.c=0D + * library/ctr_drbg.c=0D + *=0D + * This module enables the following ciphersuites (if other requisites are= =0D + * enabled as well):=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384=0D + * 
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA=0D + * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384=0D + * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384=0D 
+ * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA=0D + * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256=0D + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256=0D + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA=0D + *=0D + * PEM_PARSE uses AES for decrypting encrypted keys.=0D + */=0D +#define MBEDTLS_AES_C=0D +=0D +/**=0D + * \def MBEDTLS_ASN1_PARSE_C=0D + *=0D + * Enable the generic ASN1 parser.=0D + *=0D + * Module: library/asn1.c=0D + * Caller: library/x509.c=0D + * library/dhm.c=0D + * library/pkcs12.c=0D + * library/pkcs5.c=0D + * library/pkparse.c=0D + */=0D +#define MBEDTLS_ASN1_PARSE_C=0D +=0D +/**=0D + * \def MBEDTLS_ASN1_WRITE_C=0D + *=0D + * Enable the generic ASN1 writer.=0D + *=0D + * Module: library/asn1write.c=0D + * Caller: library/ecdsa.c=0D + * library/pkwrite.c=0D + * library/x509_create.c=0D + * library/x509write_crt.c=0D + * library/x509write_csr.c=0D + */=0D +#define MBEDTLS_ASN1_WRITE_C=0D +=0D +/**=0D + * \def MBEDTLS_BASE64_C=0D + *=0D + * Enable the Base64 module.=0D + *=0D + * Module: library/base64.c=0D + * Caller: library/pem.c=0D + *=0D + * This module is required for PEM support (required by X.509).=0D + */=0D +#define MBEDTLS_BASE64_C=0D +=0D +/**=0D + * \def MBEDTLS_BIGNUM_C=0D + *=0D + * Enable the multi-precision integer library.=0D + *=0D + * Module: library/bignum.c=0D + * library/bignum_core.c=0D + * library/bignum_mod.c=0D + * library/bignum_mod_raw.c=0D + * Caller: library/dhm.c=0D + * library/ecp.c=0D + * library/ecdsa.c=0D + * library/rsa.c=0D + * library/rsa_alt_helpers.c=0D + * library/ssl_tls.c=0D + *=0D + * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.=0D + */=0D +#define MBEDTLS_BIGNUM_C=0D +=0D +/**=0D + * \def MBEDTLS_CAMELLIA_C=0D + *=0D + * Enable the Camellia block cipher.=0D + *=0D + * Module: library/camellia.c=0D + * Caller: library/cipher.c=0D + *=0D + * This module enables the following ciphersuites (if other requisites are= =0D + * enabled as well):=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256=0D + * 
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA=0D + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA=0D + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384=0D + * 
MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256=0D + */=0D +// #define MBEDTLS_CAMELLIA_C=0D +=0D +/**=0D + * \def MBEDTLS_ARIA_C=0D + *=0D + * Enable the ARIA block cipher.=0D + *=0D + * Module: library/aria.c=0D + * Caller: library/cipher.c=0D + *=0D + * This module enables the following ciphersuites (if other requisites are= =0D + * enabled as well):=0D + *=0D + * MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384=0D 
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384=0D + * MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256=0D + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256=0D + * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384=0D + */=0D +// #define MBEDTLS_ARIA_C=0D +=0D +/**=0D + * \def MBEDTLS_CCM_C=0D + *=0D + * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.=0D + *=0D + * Module: library/ccm.c=0D + *=0D + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or=0D + * MBEDTLS_ARIA_C=0D + *=0D + * This module enables the AES-CCM ciphersuites, if other requisites are=0D + * enabled as well.=0D + */=0D +// #define MBEDTLS_CCM_C=0D +=0D +/**=0D + * \def MBEDTLS_CHACHA20_C=0D + *=0D + * Enable the ChaCha20 stream cipher.=0D + *=0D + * Module: library/chacha20.c=0D + */=0D +#define MBEDTLS_CHACHA20_C=0D +=0D +/**=0D + * \def MBEDTLS_CHACHAPOLY_C=0D + *=0D + * Enable the ChaCha20-Poly1305 AEAD algorithm.=0D + *=0D + * Module: library/chachapoly.c=0D + *=0D + * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C=0D + */=0D +#define MBEDTLS_CHACHAPOLY_C=0D +=0D +/**=0D + * \def MBEDTLS_CIPHER_C=0D + *=0D + * Enable the generic cipher layer.=0D + *=0D + * Module: library/cipher.c=0D + * Caller: library/ccm.c=0D + * library/cmac.c=0D + * library/gcm.c=0D + * library/nist_kw.c=0D + * library/pkcs12.c=0D + * library/pkcs5.c=0D + * library/psa_crypto_aead.c=0D + * library/psa_crypto_mac.c=0D + * library/ssl_ciphersuites.c=0D + * library/ssl_msg.c=0D + * library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled= )=0D + *=0D + * Uncomment to 
enable generic cipher wrappers.=0D + */=0D +#define MBEDTLS_CIPHER_C=0D +=0D +/**=0D + * \def MBEDTLS_CMAC_C=0D + *=0D + * Enable the CMAC (Cipher-based Message Authentication Code) mode for blo= ck=0D + * ciphers.=0D + *=0D + * \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying=0D + * implementation of the CMAC algorithm is provided by an alternate= =0D + * implementation, that alternate implementation may opt to not supp= ort=0D + * AES-192 or 3DES as underlying block ciphers for the CMAC operatio= n.=0D + *=0D + * Module: library/cmac.c=0D + *=0D + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C=0D + *=0D + */=0D +// #define MBEDTLS_CMAC_C=0D +=0D +/**=0D + * \def MBEDTLS_CTR_DRBG_C=0D + *=0D + * Enable the CTR_DRBG AES-based random generator.=0D + * The CTR_DRBG generator uses AES-256 by default.=0D + * To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY abov= e.=0D + *=0D + * \note To achieve a 256-bit security strength with CTR_DRBG,=0D + * you must use AES-256 *and* use sufficient entropy.=0D + * See ctr_drbg.h for more details.=0D + *=0D + * Module: library/ctr_drbg.c=0D + * Caller:=0D + *=0D + * Requires: MBEDTLS_AES_C=0D + *=0D + * This module provides the CTR_DRBG AES random number generator.=0D + */=0D +#define MBEDTLS_CTR_DRBG_C=0D +=0D +/**=0D + * \def MBEDTLS_DEBUG_C=0D + *=0D + * Enable the debug functions.=0D + *=0D + * Module: library/debug.c=0D + * Caller: library/ssl_msg.c=0D + * library/ssl_tls.c=0D + * library/ssl_tls12_*.c=0D + * library/ssl_tls13_*.c=0D + *=0D + * This module provides debugging functions.=0D + */=0D +// #define MBEDTLS_DEBUG_C=0D +=0D +/**=0D + * \def MBEDTLS_DES_C=0D + *=0D + * Enable the DES block cipher.=0D + *=0D + * Module: library/des.c=0D + * Caller: library/pem.c=0D + * library/cipher.c=0D + *=0D + * PEM_PARSE uses DES/3DES for decrypting encrypted keys.=0D + *=0D + * \warning DES is considered a weak cipher and its use constitutes a=0D + * security risk. 
We recommend considering stronger ciphers ins= tead.=0D + */=0D +// #define MBEDTLS_DES_C=0D +=0D +/**=0D + * \def MBEDTLS_DHM_C=0D + *=0D + * Enable the Diffie-Hellman-Merkle module.=0D + *=0D + * Module: library/dhm.c=0D + * Caller: library/ssl_tls.c=0D + * library/ssl*_client.c=0D + * library/ssl*_server.c=0D + *=0D + * This module is used by the following key exchanges:=0D + * DHE-RSA, DHE-PSK=0D + *=0D + * \warning Using DHE constitutes a security risk as it=0D + * is not possible to validate custom DH parameters.=0D + * If possible, it is recommended users should consider=0D + * preferring other methods of key exchange.=0D + * See dhm.h for more details.=0D + *=0D + */=0D +#define MBEDTLS_DHM_C=0D +=0D +/**=0D + * \def MBEDTLS_ECDH_C=0D + *=0D + * Enable the elliptic curve Diffie-Hellman library.=0D + *=0D + * Module: library/ecdh.c=0D + * Caller: library/psa_crypto.c=0D + * library/ssl_tls.c=0D + * library/ssl*_client.c=0D + * library/ssl*_server.c=0D + *=0D + * This module is used by the following key exchanges:=0D + * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK=0D + *=0D + * Requires: MBEDTLS_ECP_C=0D + */=0D +#define MBEDTLS_ECDH_C=0D +=0D +/**=0D + * \def MBEDTLS_ECDSA_C=0D + *=0D + * Enable the elliptic curve DSA library.=0D + *=0D + * Module: library/ecdsa.c=0D + * Caller:=0D + *=0D + * This module is used by the following key exchanges:=0D + * ECDHE-ECDSA=0D + *=0D + * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C,=0D + * and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a=0D + * short Weierstrass curve.=0D + */=0D +#define MBEDTLS_ECDSA_C=0D +=0D +/**=0D + * \def MBEDTLS_ECJPAKE_C=0D + *=0D + * Enable the elliptic curve J-PAKE library.=0D + *=0D + * \note EC J-PAKE support is based on the Thread v1.0.0 specification.=0D + * It has not been reviewed for compliance with newer standards such= as=0D + * Thread v1.1 or RFC 8236.=0D + *=0D + * Module: library/ecjpake.c=0D + * Caller:=0D + *=0D + * This module is used by the following key 
exchanges:=0D + * ECJPAKE=0D + *=0D + * Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C= =0D + *=0D + * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_ini= t()=0D + * before doing any EC J-PAKE operations.=0D + *=0D + * \warning When building with MBEDTLS_MD_C, all hashes used with this=0D + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256= _C,=0D + * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used= by=0D + * this module in builds where MBEDTLS_MD_C is disabled.=0D + */=0D +// #define MBEDTLS_ECJPAKE_C=0D +=0D +/**=0D + * \def MBEDTLS_ECP_C=0D + *=0D + * Enable the elliptic curve over GF(p) library.=0D + *=0D + * Module: library/ecp.c=0D + * Caller: library/ecdh.c=0D + * library/ecdsa.c=0D + * library/ecjpake.c=0D + *=0D + * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED= =0D + */=0D +#define MBEDTLS_ECP_C=0D +=0D +/**=0D + * \def MBEDTLS_ENTROPY_C=0D + *=0D + * Enable the platform-specific entropy code.=0D + *=0D + * Module: library/entropy.c=0D + * Caller:=0D + *=0D + * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C=0D + *=0D + * This module provides a generic entropy pool=0D + */=0D +#define MBEDTLS_ENTROPY_C=0D +=0D +/**=0D + * \def MBEDTLS_ERROR_C=0D + *=0D + * Enable error code to error string conversion.=0D + *=0D + * Module: library/error.c=0D + * Caller:=0D + *=0D + * This module enables mbedtls_strerror().=0D + */=0D +#define MBEDTLS_ERROR_C=0D +=0D +/**=0D + * \def MBEDTLS_GCM_C=0D + *=0D + * Enable the Galois/Counter Mode (GCM).=0D + *=0D + * Module: library/gcm.c=0D + *=0D + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or=0D + * MBEDTLS_ARIA_C=0D + *=0D + * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other= =0D + * requisites are enabled as well.=0D + */=0D +#define MBEDTLS_GCM_C=0D +=0D +/**=0D + * \def MBEDTLS_HKDF_C=0D + *=0D + * Enable the HKDF algorithm (RFC 5869).=0D + *=0D + * Module: 
library/hkdf.c=0D + * Caller:=0D + *=0D + * Requires: MBEDTLS_MD_C=0D + *=0D + * This module adds support for the Hashed Message Authentication Code=0D + * (HMAC)-based key derivation function (HKDF).=0D + */=0D +#define MBEDTLS_HKDF_C=0D +=0D +/**=0D + * \def MBEDTLS_HMAC_DRBG_C=0D + *=0D + * Enable the HMAC_DRBG random generator.=0D + *=0D + * Module: library/hmac_drbg.c=0D + * Caller:=0D + *=0D + * Requires: MBEDTLS_MD_C=0D + *=0D + * Uncomment to enable the HMAC_DRBG random number generator.=0D + */=0D +#define MBEDTLS_HMAC_DRBG_C=0D +=0D +/**=0D + * \def MBEDTLS_LMS_C=0D + *=0D + * Enable the LMS stateful-hash asymmetric signature algorithm.=0D + *=0D + * Module: library/lms.c=0D + * Caller:=0D + *=0D + * Requires: MBEDTLS_PSA_CRYPTO_C=0D + *=0D + * Uncomment to enable the LMS verification algorithm and public key opera= tions.=0D + */=0D +// #define MBEDTLS_LMS_C=0D +=0D +/**=0D + * \def MBEDTLS_LMS_PRIVATE=0D + *=0D + * Enable LMS private-key operations and signing code. Functions enabled b= y this=0D + * option are experimental, and should not be used in production.=0D + *=0D + * Requires: MBEDTLS_LMS_C=0D + *=0D + * Uncomment to enable the LMS signature algorithm and private key operati= ons.=0D + */=0D +// #define MBEDTLS_LMS_PRIVATE=0D +=0D +/**=0D + * \def MBEDTLS_NIST_KW_C=0D + *=0D + * Enable the Key Wrapping mode for 128-bit block ciphers,=0D + * as defined in NIST SP 800-38F. Only KW and KWP modes=0D + * are supported. 
At the moment, only AES is approved by NIST.=0D + *=0D + * Module: library/nist_kw.c=0D + *=0D + * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C=0D + */=0D +// #define MBEDTLS_NIST_KW_C=0D +=0D +/**=0D + * \def MBEDTLS_MD_C=0D + *=0D + * Enable the generic message digest layer.=0D + *=0D + * Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C,=0D + * MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C,= =0D + * MBEDTLS_SHA512_C.=0D + * Module: library/md.c=0D + * Caller: library/constant_time.c=0D + * library/ecdsa.c=0D + * library/ecjpake.c=0D + * library/hkdf.c=0D + * library/hmac_drbg.c=0D + * library/pk.c=0D + * library/pkcs5.c=0D + * library/pkcs12.c=0D + * library/psa_crypto_ecp.c=0D + * library/psa_crypto_rsa.c=0D + * library/rsa.c=0D + * library/ssl_cookie.c=0D + * library/ssl_msg.c=0D + * library/ssl_tls.c=0D + * library/x509.c=0D + * library/x509_crt.c=0D + * library/x509write_crt.c=0D + * library/x509write_csr.c=0D + *=0D + * Uncomment to enable generic message digest wrappers.=0D + */=0D +#define MBEDTLS_MD_C=0D +=0D +/**=0D + * \def MBEDTLS_MD5_C=0D + *=0D + * Enable the MD5 hash algorithm.=0D + *=0D + * Module: library/md5.c=0D + * Caller: library/md.c=0D + * library/pem.c=0D + * library/ssl_tls.c=0D + *=0D + * This module is required for TLS 1.2 depending on the handshake paramete= rs.=0D + * Further, it is used for checking MD5-signed certificates, and for PBKDF= 1=0D + * when decrypting PEM-encoded encrypted keys.=0D + *=0D + * \warning MD5 is considered a weak message digest and its use constitu= tes a=0D + * security risk. If possible, we recommend avoiding dependenci= es on=0D + * it, and considering stronger message digests instead.=0D + *=0D + */=0D +#define MBEDTLS_MD5_C=0D +=0D +/**=0D + * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C=0D + *=0D + * Enable the buffer allocator implementation that makes use of a (stack)= =0D + * based buffer to 'allocate' dynamic memory. 
(replaces calloc() and free(= )=0D + * calls)=0D + *=0D + * Module: library/memory_buffer_alloc.c=0D + *=0D + * Requires: MBEDTLS_PLATFORM_C=0D + * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)=0D + *=0D + * Enable this module to enable the buffer memory allocator.=0D + */=0D +// #define MBEDTLS_MEMORY_BUFFER_ALLOC_C=0D +=0D +/**=0D + * \def MBEDTLS_NET_C=0D + *=0D + * Enable the TCP and UDP over IPv6/IPv4 networking routines.=0D + *=0D + * \note This module only works on POSIX/Unix (including Linux, BSD and OS= X)=0D + * and Windows. For other platforms, you'll want to disable it, and write = your=0D + * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().=0D + *=0D + * \note See also our Knowledge Base article about porting to a new=0D + * environment:=0D + * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-= tls-to-a-new-environment-OS=0D + *=0D + * Module: library/net_sockets.c=0D + *=0D + * This module provides networking routines.=0D + */=0D +#define MBEDTLS_NET_C=0D +=0D +/**=0D + * \def MBEDTLS_OID_C=0D + *=0D + * Enable the OID database.=0D + *=0D + * Module: library/oid.c=0D + * Caller: library/asn1write.c=0D + * library/pkcs5.c=0D + * library/pkparse.c=0D + * library/pkwrite.c=0D + * library/rsa.c=0D + * library/x509.c=0D + * library/x509_create.c=0D + * library/x509_crl.c=0D + * library/x509_crt.c=0D + * library/x509_csr.c=0D + * library/x509write_crt.c=0D + * library/x509write_csr.c=0D + *=0D + * This modules translates between OIDs and internal values.=0D + */=0D +#define MBEDTLS_OID_C=0D +=0D +/**=0D + * \def MBEDTLS_PADLOCK_C=0D + *=0D + * Enable VIA Padlock support on x86.=0D + *=0D + * Module: library/padlock.c=0D + * Caller: library/aes.c=0D + *=0D + * Requires: MBEDTLS_HAVE_ASM=0D + *=0D + * This modules adds support for the VIA PadLock on x86.=0D + */=0D +// #define MBEDTLS_PADLOCK_C=0D +=0D +/**=0D + * \def MBEDTLS_PEM_PARSE_C=0D + *=0D + * Enable PEM decoding / parsing.=0D + *=0D + * Module: 
library/pem.c=0D + * Caller: library/dhm.c=0D + * library/pkparse.c=0D + * library/x509_crl.c=0D + * library/x509_crt.c=0D + * library/x509_csr.c=0D + *=0D + * Requires: MBEDTLS_BASE64_C=0D + *=0D + * This modules adds support for decoding / parsing PEM files.=0D + */=0D +#define MBEDTLS_PEM_PARSE_C=0D +=0D +/**=0D + * \def MBEDTLS_PEM_WRITE_C=0D + *=0D + * Enable PEM encoding / writing.=0D + *=0D + * Module: library/pem.c=0D + * Caller: library/pkwrite.c=0D + * library/x509write_crt.c=0D + * library/x509write_csr.c=0D + *=0D + * Requires: MBEDTLS_BASE64_C=0D + *=0D + * This modules adds support for encoding / writing PEM files.=0D + */=0D +#define MBEDTLS_PEM_WRITE_C=0D +=0D +/**=0D + * \def MBEDTLS_PK_C=0D + *=0D + * Enable the generic public (asymmetric) key layer.=0D + *=0D + * Module: library/pk.c=0D + * Caller: library/psa_crypto_rsa.c=0D + * library/ssl_tls.c=0D + * library/ssl*_client.c=0D + * library/ssl*_server.c=0D + * library/x509.c=0D + *=0D + * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C=0D + *=0D + * Uncomment to enable generic public key wrappers.=0D + */=0D +#define MBEDTLS_PK_C=0D +=0D +/**=0D + * \def MBEDTLS_PK_PARSE_C=0D + *=0D + * Enable the generic public (asymmetric) key parser.=0D + *=0D + * Module: library/pkparse.c=0D + * Caller: library/x509_crt.c=0D + * library/x509_csr.c=0D + *=0D + * Requires: MBEDTLS_PK_C=0D + *=0D + * Uncomment to enable generic public key parse functions.=0D + */=0D +#define MBEDTLS_PK_PARSE_C=0D +=0D +/**=0D + * \def MBEDTLS_PK_WRITE_C=0D + *=0D + * Enable the generic public (asymmetric) key writer.=0D + *=0D + * Module: library/pkwrite.c=0D + * Caller: library/x509write.c=0D + *=0D + * Requires: MBEDTLS_PK_C=0D + *=0D + * Uncomment to enable generic public key write functions.=0D + */=0D +#define MBEDTLS_PK_WRITE_C=0D +=0D +/**=0D + * \def MBEDTLS_PKCS5_C=0D + *=0D + * Enable PKCS#5 functions.=0D + *=0D + * Module: library/pkcs5.c=0D + *=0D + * Requires: MBEDTLS_CIPHER_C and either MBEDTLS_MD_C or 
MBEDTLS_PSA_CRYPT= O_C.=0D + *=0D + * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_ini= t()=0D + * before doing any PKCS5 operation.=0D + *=0D + * \warning When building with MBEDTLS_MD_C, all hashes used with this=0D + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256= _C,=0D + * etc.) as opposed to just PSA drivers. So far, PSA drivers are only used= by=0D + * this module in builds where MBEDTLS_MD_C is disabled.=0D + *=0D + * This module adds support for the PKCS#5 functions.=0D + */=0D +#define MBEDTLS_PKCS5_C=0D +=0D +/**=0D + * \def MBEDTLS_PKCS7_C=0D + *=0D + * This feature is a work in progress and not ready for production. Testin= g and=0D + * validation is incomplete, and handling of malformed inputs may not be r= obust.=0D + * The API may change.=0D + *=0D + * Enable PKCS7 core for using PKCS7 formatted signatures.=0D + * RFC Link - https://tools.ietf.org/html/rfc2315=0D + *=0D + * Module: library/pkcs7.c=0D + *=0D + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,=0D + * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C,=0D + * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C=0D + *=0D + * This module is required for the PKCS7 parsing modules.=0D + */=0D +#define MBEDTLS_PKCS7_C=0D +=0D +/**=0D + * \def MBEDTLS_PKCS12_C=0D + *=0D + * Enable PKCS#12 PBE functions.=0D + * Adds algorithms for parsing PKCS#8 encrypted private keys=0D + *=0D + * Module: library/pkcs12.c=0D + * Caller: library/pkparse.c=0D + *=0D + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C and either=0D + * MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C.=0D + *=0D + * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_ini= t()=0D + * before doing any PKCS12 operation.=0D + *=0D + * \warning When building with MBEDTLS_MD_C, all hashes used with this=0D + * need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256= _C,=0D + * etc.) as opposed to just PSA drivers. 
So far, PSA drivers are only used= by=0D + * this module in builds where MBEDTLS_MD_C is disabled.=0D + *=0D + * This module enables PKCS#12 functions.=0D + */=0D +// #define MBEDTLS_PKCS12_C=0D +=0D +/**=0D + * \def MBEDTLS_PLATFORM_C=0D + *=0D + * Enable the platform abstraction layer that allows you to re-assign=0D + * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(= ).=0D + *=0D + * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT= =0D + * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentio= ned=0D + * above to be specified at runtime or compile time respectively.=0D + *=0D + * \note This abstraction layer must be enabled on Windows (including MSYS= 2)=0D + * as other modules rely on it for a fixed snprintf implementation.=0D + *=0D + * Module: library/platform.c=0D + * Caller: Most other .c files=0D + *=0D + * This module enables abstraction of common (libc) functions.=0D + */=0D +#define MBEDTLS_PLATFORM_C=0D +=0D +/**=0D + * \def MBEDTLS_POLY1305_C=0D + *=0D + * Enable the Poly1305 MAC algorithm.=0D + *=0D + * Module: library/poly1305.c=0D + * Caller: library/chachapoly.c=0D + */=0D +#define MBEDTLS_POLY1305_C=0D +=0D +/**=0D + * \def MBEDTLS_PSA_CRYPTO_C=0D + *=0D + * Enable the Platform Security Architecture cryptography API.=0D + *=0D + * Module: library/psa_crypto.c=0D + *=0D + * Requires: MBEDTLS_CIPHER_C,=0D + * either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,=0D + * or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C,=0D + * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.=0D + *=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_C=0D +=0D +/**=0D + * \def MBEDTLS_PSA_CRYPTO_SE_C=0D + *=0D + * Enable dynamic secure element support in the Platform Security Architec= ture=0D + * cryptography API.=0D + *=0D + * \deprecated This feature is deprecated. 
Please switch to the driver=0D + * interface enabled by #MBEDTLS_PSA_CRYPTO_DRIVERS.=0D + *=0D + * Module: library/psa_crypto_se.c=0D + *=0D + * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_C=0D + *=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_SE_C=0D +=0D +/**=0D + * \def MBEDTLS_PSA_CRYPTO_STORAGE_C=0D + *=0D + * Enable the Platform Security Architecture persistent key storage.=0D + *=0D + * Module: library/psa_crypto_storage.c=0D + *=0D + * Requires: MBEDTLS_PSA_CRYPTO_C,=0D + * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of=0D + * the PSA ITS interface=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_STORAGE_C=0D +=0D +/**=0D + * \def MBEDTLS_PSA_ITS_FILE_C=0D + *=0D + * Enable the emulation of the Platform Security Architecture=0D + * Internal Trusted Storage (PSA ITS) over files.=0D + *=0D + * Module: library/psa_its_file.c=0D + *=0D + * Requires: MBEDTLS_FS_IO=0D + */=0D +// #define MBEDTLS_PSA_ITS_FILE_C=0D +=0D +/**=0D + * \def MBEDTLS_RIPEMD160_C=0D + *=0D + * Enable the RIPEMD-160 hash algorithm.=0D + *=0D + * Module: library/ripemd160.c=0D + * Caller: library/md.c=0D + *=0D + */=0D +// #define MBEDTLS_RIPEMD160_C=0D +=0D +/**=0D + * \def MBEDTLS_RSA_C=0D + *=0D + * Enable the RSA public-key cryptosystem.=0D + *=0D + * Module: library/rsa.c=0D + * library/rsa_alt_helpers.c=0D + * Caller: library/pk.c=0D + * library/psa_crypto.c=0D + * library/ssl_tls.c=0D + * library/ssl*_client.c=0D + * library/ssl*_server.c=0D + *=0D + * This module is used by the following key exchanges:=0D + * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK=0D + *=0D + * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C=0D + */=0D +#define MBEDTLS_RSA_C=0D +=0D +/**=0D + * \def MBEDTLS_SHA1_C=0D + *=0D + * Enable the SHA1 cryptographic hash algorithm.=0D + *=0D + * Module: library/sha1.c=0D + * Caller: library/md.c=0D + * library/psa_crypto_hash.c=0D + *=0D + * This module is required for TLS 1.2 depending on the handshake paramete= rs,=0D + * and for SHA1-signed certificates.=0D + *=0D + 
* \warning SHA-1 is considered a weak message digest and its use consti= tutes=0D + * a security risk. If possible, we recommend avoiding dependen= cies=0D + * on it, and considering stronger message digests instead.=0D + *=0D + */=0D +#define MBEDTLS_SHA1_C=0D +=0D +/**=0D + * \def MBEDTLS_SHA224_C=0D + *=0D + * Enable the SHA-224 cryptographic hash algorithm.=0D + *=0D + * Requires: MBEDTLS_SHA256_C. The library does not currently support enab= ling=0D + * SHA-224 without SHA-256.=0D + *=0D + * Module: library/sha256.c=0D + * Caller: library/md.c=0D + * library/ssl_cookie.c=0D + *=0D + * This module adds support for SHA-224.=0D + */=0D +#define MBEDTLS_SHA224_C=0D +=0D +/**=0D + * \def MBEDTLS_SHA256_C=0D + *=0D + * Enable the SHA-256 cryptographic hash algorithm.=0D + *=0D + * Requires: MBEDTLS_SHA224_C. The library does not currently support enab= ling=0D + * SHA-256 without SHA-224.=0D + *=0D + * Module: library/sha256.c=0D + * Caller: library/entropy.c=0D + * library/md.c=0D + * library/ssl_tls.c=0D + * library/ssl*_client.c=0D + * library/ssl*_server.c=0D + *=0D + * This module adds support for SHA-256.=0D + * This module is required for the SSL/TLS 1.2 PRF function.=0D + */=0D +#define MBEDTLS_SHA256_C=0D +=0D +/**=0D + * \def MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT=0D + *=0D + * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algor= ithms=0D + * with the ARMv8 cryptographic extensions if they are available at runtim= e.=0D + * If not, the library will fall back to the C implementation.=0D + *=0D + * \note If MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT is defined when build= ing=0D + * for a non-Aarch64 build it will be silently ignored.=0D + *=0D + * \note The code uses Neon intrinsics, so \c CFLAGS must be set to a mini= mum=0D + * of \c -march=3Darmv8-a+crypto.=0D + *=0D + * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT cannot be defined at = the=0D + * same time as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY.=0D + *=0D + * Requires: 
MBEDTLS_SHA256_C.=0D + *=0D + * Module: library/sha256.c=0D + *=0D + * Uncomment to have the library check for the A64 SHA-256 crypto extensio= ns=0D + * and use them if available.=0D + */=0D +// #define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT=0D +=0D +/**=0D + * \def MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY=0D + *=0D + * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algor= ithms=0D + * with the ARMv8 cryptographic extensions, which must be available at run= time=0D + * or else an illegal instruction fault will occur.=0D + *=0D + * \note This allows builds with a smaller code size than with=0D + * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT=0D + *=0D + * \note The code uses Neon intrinsics, so \c CFLAGS must be set to a mini= mum=0D + * of \c -march=3Darmv8-a+crypto.=0D + *=0D + * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY cannot be defined at the sa= me=0D + * time as MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT.=0D + *=0D + * Requires: MBEDTLS_SHA256_C.=0D + *=0D + * Module: library/sha256.c=0D + *=0D + * Uncomment to have the library use the A64 SHA-256 crypto extensions=0D + * unconditionally.=0D + */=0D +// #define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY=0D +=0D +/**=0D + * \def MBEDTLS_SHA384_C=0D + *=0D + * Enable the SHA-384 cryptographic hash algorithm.=0D + *=0D + * Requires: MBEDTLS_SHA512_C=0D + *=0D + * Module: library/sha512.c=0D + * Caller: library/md.c=0D + * library/psa_crypto_hash.c=0D + * library/ssl_tls.c=0D + * library/ssl*_client.c=0D + * library/ssl*_server.c=0D + *=0D + * Comment to disable SHA-384=0D + */=0D +#define MBEDTLS_SHA384_C=0D +=0D +/**=0D + * \def MBEDTLS_SHA512_C=0D + *=0D + * Enable SHA-512 cryptographic hash algorithms.=0D + *=0D + * Module: library/sha512.c=0D + * Caller: library/entropy.c=0D + * library/md.c=0D + * library/ssl_tls.c=0D + * library/ssl_cookie.c=0D + *=0D + * This module adds support for SHA-512.=0D + */=0D +#define MBEDTLS_SHA512_C=0D +=0D +/**=0D + * \def MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT=0D + 
*=0D + * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algor= ithms=0D + * with the ARMv8 cryptographic extensions if they are available at runtim= e.=0D + * If not, the library will fall back to the C implementation.=0D + *=0D + * \note If MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT is defined when build= ing=0D + * for a non-Aarch64 build it will be silently ignored.=0D + *=0D + * \note The code uses the SHA-512 Neon intrinsics, so requires GCC >=3D 8= or=0D + * Clang >=3D 7, and \c CFLAGS must be set to a minimum of=0D + * \c -march=3Darmv8.2-a+sha3. An optimisation level of \c -O3 generates t= he=0D + * fastest code.=0D + *=0D + * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT cannot be defined at = the=0D + * same time as MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY.=0D + *=0D + * Requires: MBEDTLS_SHA512_C.=0D + *=0D + * Module: library/sha512.c=0D + *=0D + * Uncomment to have the library check for the A64 SHA-512 crypto extensio= ns=0D + * and use them if available.=0D + */=0D +// #define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT=0D +=0D +/**=0D + * \def MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY=0D + *=0D + * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algor= ithms=0D + * with the ARMv8 cryptographic extensions, which must be available at run= time=0D + * or else an illegal instruction fault will occur.=0D + *=0D + * \note This allows builds with a smaller code size than with=0D + * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT=0D + *=0D + * \note The code uses the SHA-512 Neon intrinsics, so requires GCC >=3D 8= or=0D + * Clang >=3D 7, and \c CFLAGS must be set to a minimum of=0D + * \c -march=3Darmv8.2-a+sha3. 
An optimisation level of \c -O3 generates t= he=0D + * fastest code.=0D + *=0D + * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY cannot be defined at the sa= me=0D + * time as MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT.=0D + *=0D + * Requires: MBEDTLS_SHA512_C.=0D + *=0D + * Module: library/sha512.c=0D + *=0D + * Uncomment to have the library use the A64 SHA-512 crypto extensions=0D + * unconditionally.=0D + */=0D +// #define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY=0D +=0D +/**=0D + * \def MBEDTLS_SSL_CACHE_C=0D + *=0D + * Enable simple SSL cache implementation.=0D + *=0D + * Module: library/ssl_cache.c=0D + * Caller:=0D + *=0D + * Requires: MBEDTLS_SSL_CACHE_C=0D + */=0D +#define MBEDTLS_SSL_CACHE_C=0D +=0D +/**=0D + * \def MBEDTLS_SSL_COOKIE_C=0D + *=0D + * Enable basic implementation of DTLS cookies for hello verification.=0D + *=0D + * Module: library/ssl_cookie.c=0D + * Caller:=0D + */=0D +#define MBEDTLS_SSL_COOKIE_C=0D +=0D +/**=0D + * \def MBEDTLS_SSL_TICKET_C=0D + *=0D + * Enable an implementation of TLS server-side callbacks for session ticke= ts.=0D + *=0D + * Module: library/ssl_ticket.c=0D + * Caller:=0D + *=0D + * Requires: (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) &&=0D + * (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)=0D + */=0D +#define MBEDTLS_SSL_TICKET_C=0D +=0D +/**=0D + * \def MBEDTLS_SSL_CLI_C=0D + *=0D + * Enable the SSL/TLS client code.=0D + *=0D + * Module: library/ssl*_client.c=0D + * Caller:=0D + *=0D + * Requires: MBEDTLS_SSL_TLS_C=0D + *=0D + * This module is required for SSL/TLS client support.=0D + */=0D +#define MBEDTLS_SSL_CLI_C=0D +=0D +/**=0D + * \def MBEDTLS_SSL_SRV_C=0D + *=0D + * Enable the SSL/TLS server code.=0D + *=0D + * Module: library/ssl*_server.c=0D + * Caller:=0D + *=0D + * Requires: MBEDTLS_SSL_TLS_C=0D + *=0D + * This module is required for SSL/TLS server support.=0D + */=0D +#define MBEDTLS_SSL_SRV_C=0D +=0D +/**=0D + * \def MBEDTLS_SSL_TLS_C=0D + *=0D + * Enable the generic SSL/TLS code.=0D + *=0D + * Module: 
library/ssl_tls.c=0D + * Caller: library/ssl*_client.c=0D + * library/ssl*_server.c=0D + *=0D + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C=0D + * and at least one of the MBEDTLS_SSL_PROTO_XXX defines=0D + *=0D + * This module is required for SSL/TLS.=0D + */=0D +#define MBEDTLS_SSL_TLS_C=0D +=0D +/**=0D + * \def MBEDTLS_THREADING_C=0D + *=0D + * Enable the threading abstraction layer.=0D + * By default mbed TLS assumes it is used in a non-threaded environment or= that=0D + * contexts are not shared between threads. If you do intend to use contex= ts=0D + * between threads, you will need to enable this layer to prevent race=0D + * conditions. See also our Knowledge Base article about threading:=0D + * https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-= and-multi-threading=0D + *=0D + * Module: library/threading.c=0D + *=0D + * This allows different threading implementations (self-implemented or=0D + * provided).=0D + *=0D + * You will have to enable either MBEDTLS_THREADING_ALT or=0D + * MBEDTLS_THREADING_PTHREAD.=0D + *=0D + * Enable this layer to allow use of mutexes within mbed TLS=0D + */=0D +// #define MBEDTLS_THREADING_C=0D +=0D +/**=0D + * \def MBEDTLS_TIMING_C=0D + *=0D + * Enable the semi-portable timing interface.=0D + *=0D + * \note The provided implementation only works on POSIX/Unix (including L= inux,=0D + * BSD and OS X) and Windows. On other platforms, you can either disable t= hat=0D + * module and provide your own implementations of the callbacks needed by= =0D + * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide= =0D + * your own implementation of the whole module by setting=0D + * \c MBEDTLS_TIMING_ALT in the current file.=0D + *=0D + * \note The timing module will include time.h on suitable platforms=0D + * regardless of the setting of MBEDTLS_HAVE_TIME, unless=0D + * MBEDTLS_TIMING_ALT is used. 
See timing.c for more information.=0D + *=0D + * \note See also our Knowledge Base article about porting to a new=0D + * environment:=0D + * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-= tls-to-a-new-environment-OS=0D + *=0D + * Module: library/timing.c=0D + */=0D +// #define MBEDTLS_TIMING_C=0D +=0D +/**=0D + * \def MBEDTLS_VERSION_C=0D + *=0D + * Enable run-time version information.=0D + *=0D + * Module: library/version.c=0D + *=0D + * This module provides run-time version information.=0D + */=0D +#define MBEDTLS_VERSION_C=0D +=0D +/**=0D + * \def MBEDTLS_X509_USE_C=0D + *=0D + * Enable X.509 core for using certificates.=0D + *=0D + * Module: library/x509.c=0D + * Caller: library/x509_crl.c=0D + * library/x509_crt.c=0D + * library/x509_csr.c=0D + *=0D + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTL= S_PK_PARSE_C,=0D + * (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)=0D + *=0D + * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call=0D + * psa_crypto_init() before doing any X.509 operation.=0D + *=0D + * This module is required for the X.509 parsing modules.=0D + */=0D +#define MBEDTLS_X509_USE_C=0D +=0D +/**=0D + * \def MBEDTLS_X509_CRT_PARSE_C=0D + *=0D + * Enable X.509 certificate parsing.=0D + *=0D + * Module: library/x509_crt.c=0D + * Caller: library/ssl_tls.c=0D + * library/ssl*_client.c=0D + * library/ssl*_server.c=0D + *=0D + * Requires: MBEDTLS_X509_USE_C=0D + *=0D + * This module is required for X.509 certificate parsing.=0D + */=0D +#define MBEDTLS_X509_CRT_PARSE_C=0D +=0D +/**=0D + * \def MBEDTLS_X509_CRL_PARSE_C=0D + *=0D + * Enable X.509 CRL parsing.=0D + *=0D + * Module: library/x509_crl.c=0D + * Caller: library/x509_crt.c=0D + *=0D + * Requires: MBEDTLS_X509_USE_C=0D + *=0D + * This module is required for X.509 CRL parsing.=0D + */=0D +#define MBEDTLS_X509_CRL_PARSE_C=0D +=0D +/**=0D + * \def MBEDTLS_X509_CSR_PARSE_C=0D + *=0D + * Enable X.509 Certificate Signing Request (CSR) parsing.=0D 
+ *=0D + * Module: library/x509_csr.c=0D + * Caller: library/x509_crt_write.c=0D + *=0D + * Requires: MBEDTLS_X509_USE_C=0D + *=0D + * This module is used for reading X.509 certificate request.=0D + */=0D +#define MBEDTLS_X509_CSR_PARSE_C=0D +=0D +/**=0D + * \def MBEDTLS_X509_CREATE_C=0D + *=0D + * Enable X.509 core for creating certificates.=0D + *=0D + * Module: library/x509_create.c=0D + *=0D + * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,=0D + * (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)=0D + *=0D + * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call=0D + * psa_crypto_init() before doing any X.509 create operation.=0D + *=0D + * This module is the basis for creating X.509 certificates and CSRs.=0D + */=0D +#define MBEDTLS_X509_CREATE_C=0D +=0D +/**=0D + * \def MBEDTLS_X509_CRT_WRITE_C=0D + *=0D + * Enable creating X.509 certificates.=0D + *=0D + * Module: library/x509_crt_write.c=0D + *=0D + * Requires: MBEDTLS_X509_CREATE_C=0D + *=0D + * This module is required for X.509 certificate creation.=0D + */=0D +#define MBEDTLS_X509_CRT_WRITE_C=0D +=0D +/**=0D + * \def MBEDTLS_X509_CSR_WRITE_C=0D + *=0D + * Enable creating X.509 Certificate Signing Requests (CSR).=0D + *=0D + * Module: library/x509_csr_write.c=0D + *=0D + * Requires: MBEDTLS_X509_CREATE_C=0D + *=0D + * This module is required for X.509 certificate request writing.=0D + */=0D +#define MBEDTLS_X509_CSR_WRITE_C=0D +=0D +/** \} name SECTION: mbed TLS modules */=0D +=0D +/**=0D + * \name SECTION: General configuration options=0D + *=0D + * This section contains Mbed TLS build settings that are not associated=0D + * with a particular module.=0D + *=0D + * \{=0D + */=0D +=0D +/**=0D + * \def MBEDTLS_CONFIG_FILE=0D + *=0D + * If defined, this is a header which will be included instead of=0D + * `"mbedtls/mbedtls_config.h"`.=0D + * This header file specifies the compile-time configuration of Mbed TLS.= =0D + * Unlike other configuration options, this one must be defined on the=0D 
+ * compiler command line: a definition in `mbedtls_config.h` would have=0D + * no effect.=0D + *=0D + * This macro is expanded after an \#include directive. This is a= popular but=0D + * non-standard feature of the C language, so this feature is only availab= le=0D + * with compilers that perform macro expansion on an \#include li= ne.=0D + *=0D + * The value of this symbol is typically a path in double quotes, either=0D + * absolute or relative to a directory on the include search path.=0D + */=0D +// #define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"=0D +=0D +/**=0D + * \def MBEDTLS_USER_CONFIG_FILE=0D + *=0D + * If defined, this is a header which will be included after=0D + * `"mbedtls/mbedtls_config.h"` or #MBEDTLS_CONFIG_FILE.=0D + * This allows you to modify the default configuration, including the abil= ity=0D + * to undefine options that are enabled by default.=0D + *=0D + * This macro is expanded after an \#include directive. This is a= popular but=0D + * non-standard feature of the C language, so this feature is only availab= le=0D + * with compilers that perform macro expansion on an \#include li= ne.=0D + *=0D + * The value of this symbol is typically a path in double quotes, either=0D + * absolute or relative to a directory on the include search path.=0D + */=0D +// #define MBEDTLS_USER_CONFIG_FILE "/dev/null"=0D +=0D +/**=0D + * \def MBEDTLS_PSA_CRYPTO_CONFIG_FILE=0D + *=0D + * If defined, this is a header which will be included instead of=0D + * `"psa/crypto_config.h"`.=0D + * This header file specifies which cryptographic mechanisms are available= =0D + * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and=0D + * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled.=0D + *=0D + * This macro is expanded after an \#include directive. 
This is a= popular but=0D + * non-standard feature of the C language, so this feature is only availab= le=0D + * with compilers that perform macro expansion on an \#include li= ne.=0D + *=0D + * The value of this symbol is typically a path in double quotes, either=0D + * absolute or relative to a directory on the include search path.=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h"=0D +=0D +/**=0D + * \def MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE=0D + *=0D + * If defined, this is a header which will be included after=0D + * `"psa/crypto_config.h"` or #MBEDTLS_PSA_CRYPTO_CONFIG_FILE.=0D + * This allows you to modify the default configuration, including the abil= ity=0D + * to undefine options that are enabled by default.=0D + *=0D + * This macro is expanded after an \#include directive. This is a= popular but=0D + * non-standard feature of the C language, so this feature is only availab= le=0D + * with compilers that perform macro expansion on an \#include li= ne.=0D + *=0D + * The value of this symbol is typically a path in double quotes, either=0D + * absolute or relative to a directory on the include search path.=0D + */=0D +// #define MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null"=0D +=0D +/** \} name SECTION: General configuration options */=0D +=0D +/**=0D + * \name SECTION: Module configuration options=0D + *=0D + * This section allows for the setting of module specific sizes and=0D + * configuration options. The default values are already present in the=0D + * relevant header files and should suffice for the regular use cases.=0D + *=0D + * Our advice is to enable options and change their values here=0D + * only if you have a good reason and know the consequences.=0D + * \{=0D + */=0D +/* The Doxygen documentation here is used when a user comments out a=0D + * setting and runs doxygen themselves. 
On the other hand, when we typeset= =0D + * the full documentation including disabled settings, the documentation=0D + * in specific modules' header files is used if present. When editing this= =0D + * file, make sure that each option is documented in exactly one place,=0D + * plus optionally a same-line Doxygen comment here if there is a Doxygen= =0D + * comment in the specific module. */=0D +=0D +/* MPI / BIGNUM options */=0D +// #define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size u= sed. */=0D +// #define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of byt= es for usable MPIs. */=0D +=0D +/* CTR_DRBG options */=0D +// #define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of en= tropy used per seed by default (48 with SHA-512, 32 with SHA-256) */=0D +// #define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval bef= ore reseed is performed by default */=0D +// #define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum numb= er of additional input bytes */=0D +// #define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum numb= er of requested bytes per call */=0D +// #define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size= of (re)seed buffer */=0D +=0D +/* HMAC_DRBG options */=0D +// #define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL 10000 /**< Interval before = reseed is performed by default */=0D +// #define MBEDTLS_HMAC_DRBG_MAX_INPUT 256 /**< Maximum number o= f additional input bytes */=0D +// #define MBEDTLS_HMAC_DRBG_MAX_REQUEST 1024 /**< Maximum number o= f requested bytes per call */=0D +// #define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of = (re)seed buffer */=0D +=0D +/* ECP options */=0D +// #define MBEDTLS_ECP_WINDOW_SIZE 4 /**< Maximum window size u= sed */=0D +// #define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point sp= eed-up */=0D +=0D +/* Entropy options */=0D +// #define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum numb= er of sources supported */=0D +// #define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amou= nt requested 
from entropy sources */=0D +// #define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default mini= mum number of bytes required for the hardware entropy source mbedtls_hardwa= re_poll() before entropy is released */=0D +=0D +/* Memory buffer allocator options */=0D +// #define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of= this value */=0D +=0D +/* Platform options */=0D +// #define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to includ= e if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no heade= r is needed. */=0D +// #define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocato= r to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to = use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to = use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to = use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to = use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */=0D +// #define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf = to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf t= o use, can be undefined */=0D +/* Note: your snprintf must correctly zero-terminate the buffer! 
*/=0D +// #define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf= to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit val= ue to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit val= ue to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_see= d_read /**< Default nv_seed_read function to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_see= d_write /**< Default nv_seed_write function to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to= read/write with default implementation */=0D +=0D +/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */=0D +/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be = defined */=0D +// #define MBEDTLS_PLATFORM_CALLOC_MACRO calloc /**< Default alloca= tor macro to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_FREE_MACRO free /**< Default free m= acro to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_EXIT_MACRO exit /**< Default exit m= acro to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_SETBUF_MACRO setbuf /**< Default setbuf m= acro to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_TIME_MACRO time /**< Default time m= acro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */=0D +// #define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time= macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */=0D +// #define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprint= f macro to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf= macro to use, can be undefined */=0D +/* Note: your snprintf must correctly zero-terminate the buffer! 
*/=0D +// #define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprin= tf macro to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf /**< Default vsnp= rintf macro to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_s= eed_read /**< Default nv_seed_read function to use, can be undefined */=0D +// #define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_s= eed_write /**< Default nv_seed_write function to use, can be undefined */=0D +=0D +extern int=0D +my_printf (=0D + const char *fmt,=0D + ...=0D + );=0D +=0D +#define MBEDTLS_PLATFORM_PRINTF_MACRO my_printf=0D +=0D +extern int=0D +my_snprintf (=0D + char *str,=0D + long long size,=0D + const char *format,=0D + ...=0D + );=0D +=0D +#define MBEDTLS_PLATFORM_SNPRINTF_MACRO my_snprintf=0D +=0D +#define MBEDTLS_PLATFORM_MEMORY=0D +#include =0D +extern void *=0D +mbedtls_calloc (=0D + size_t n,=0D + size_t size=0D + );=0D +=0D +extern void=0D +mbedtls_free (=0D + void *ptr=0D + );=0D +=0D +#define MBEDTLS_PLATFORM_CALLOC_MACRO mbedtls_calloc=0D +#define MBEDTLS_PLATFORM_FREE_MACRO mbedtls_free=0D +=0D +/** \def MBEDTLS_CHECK_RETURN=0D + *=0D + * This macro is used at the beginning of the declaration of a function=0D + * to indicate that its return value should be checked. 
It should=0D + * instruct the compiler to emit a warning or an error if the function=0D + * is called without checking its return value.=0D + *=0D + * There is a default implementation for popular compilers in platform_uti= l.h.=0D + * You can override the default implementation by defining your own here.= =0D + *=0D + * If the implementation here is empty, this will effectively disable the= =0D + * checking of functions' return values.=0D + */=0D +// #define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__))=0D +=0D +/** \def MBEDTLS_IGNORE_RETURN=0D + *=0D + * This macro requires one argument, which should be a C function call.=0D + * If that function call would cause a #MBEDTLS_CHECK_RETURN warning, this= =0D + * warning is suppressed.=0D + */=0D +// #define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result))=0D +=0D +/* PSA options */=0D +=0D +/**=0D + * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the=0D + * PSA crypto subsystem.=0D + *=0D + * If this option is unset:=0D + * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_= DRBG.=0D + * - Otherwise, the PSA subsystem uses HMAC_DRBG with either=0D + * #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and=0D + * on unspecified heuristics.=0D + */=0D +// #define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256=0D +=0D +/** \def MBEDTLS_PSA_KEY_SLOT_COUNT=0D + * Restrict the PSA library to supporting a maximum amount of simultaneous= ly=0D + * loaded keys. 
A loaded key is a key stored by the PSA Crypto core as a=0D + * volatile key, or a persistent key which is loaded temporarily by the=0D + * library as part of a crypto operation in flight.=0D + *=0D + * If this option is unset, the library will fall back to a default value = of=0D + * 32 keys.=0D + */=0D +// #define MBEDTLS_PSA_KEY_SLOT_COUNT 32=0D +=0D +/* SSL Cache options */=0D +// #define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */=0D +// #define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entr= ies in cache */=0D +=0D +/* SSL options */=0D +=0D +/** \def MBEDTLS_SSL_IN_CONTENT_LEN=0D + *=0D + * Maximum length (in bytes) of incoming plaintext fragments.=0D + *=0D + * This determines the size of the incoming TLS I/O buffer in such a way=0D + * that it is capable of holding the specified amount of plaintext data,=0D + * regardless of the protection mechanism used.=0D + *=0D + * \note When using a value less than the default of 16KB on the client, i= t is=0D + * recommended to use the Maximum Fragment Length (MFL) extension to= =0D + * inform the server about this limitation. 
On the server, there=0D + * is no supported, standardized way of informing the client about=0D + * restriction on the maximum size of incoming messages, and unless= =0D + * the limitation has been communicated by other means, it is recomm= ended=0D + * to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_= LEN=0D + * while keeping the default value of 16KB for the incoming buffer.= =0D + *=0D + * Uncomment to set the maximum plaintext size of the incoming I/O buffer.= =0D + */=0D +// #define MBEDTLS_SSL_IN_CONTENT_LEN 16384=0D +=0D +/** \def MBEDTLS_SSL_CID_IN_LEN_MAX=0D + *=0D + * The maximum length of CIDs used for incoming DTLS messages.=0D + *=0D + */=0D +// #define MBEDTLS_SSL_CID_IN_LEN_MAX 32=0D +=0D +/** \def MBEDTLS_SSL_CID_OUT_LEN_MAX=0D + *=0D + * The maximum length of CIDs used for outgoing DTLS messages.=0D + *=0D + */=0D +// #define MBEDTLS_SSL_CID_OUT_LEN_MAX 32=0D +=0D +/** \def MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY=0D + *=0D + * This option controls the use of record plaintext padding=0D + * in TLS 1.3 and when using the Connection ID extension in DTLS 1.2.=0D + *=0D + * The padding will always be chosen so that the length of the=0D + * padded plaintext is a multiple of the value of this option.=0D + *=0D + * Note: A value of \c 1 means that no padding will be used=0D + * for outgoing records.=0D + *=0D + * Note: On systems lacking division instructions,=0D + * a power of two should be preferred.=0D + */=0D +// #define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16=0D +=0D +/** \def MBEDTLS_SSL_OUT_CONTENT_LEN=0D + *=0D + * Maximum length (in bytes) of outgoing plaintext fragments.=0D + *=0D + * This determines the size of the outgoing TLS I/O buffer in such a way=0D + * that it is capable of holding the specified amount of plaintext data,=0D + * regardless of the protection mechanism used.=0D + *=0D + * It is possible to save RAM by setting a smaller outward buffer, while k= eeping=0D + * the default inward 16384 byte buffer to 
conform to the TLS specificatio= n.=0D + *=0D + * The minimum required outward buffer size is determined by the handshake= =0D + * protocol's usage. Handshaking will fail if the outward buffer is too sm= all.=0D + * The specific size requirement depends on the configured ciphers and any= =0D + * certificate data which is sent during the handshake.=0D + *=0D + * Uncomment to set the maximum plaintext size of the outgoing I/O buffer.= =0D + */=0D +// #define MBEDTLS_SSL_OUT_CONTENT_LEN 16384=0D +=0D +/** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING=0D + *=0D + * Maximum number of heap-allocated bytes for the purpose of=0D + * DTLS handshake message reassembly and future message buffering.=0D + *=0D + * This should be at least 9/8 * MBEDTLS_SSL_IN_CONTENT_LEN=0D + * to account for a reassembled handshake message of maximum size,=0D + * together with its reassembly bitmap.=0D + *=0D + * A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default)=0D + * should be sufficient for all practical situations as it allows=0D + * to reassembly a large handshake message (such as a certificate)=0D + * while buffering multiple smaller handshake messages.=0D + *=0D + */=0D +// #define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768=0D +=0D +// #define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-s= hared keys, in bytes (default 256 bits) */=0D +// #define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration de= lay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issue= d */=0D +=0D +/**=0D + * Complete list of ciphersuites to use, in order of preference.=0D + *=0D + * \warning No dependency checking is done on that field! This option can = only=0D + * be used to restrict the set of available ciphersuites. 
It is your=0D + * responsibility to make sure the needed modules are active.=0D + *=0D + * Use this to save a few hundred bytes of ROM (default ordering of all=0D + * available ciphersuites) and a few to a few hundred bytes of RAM.=0D + *=0D + * The value below is only an example, not the default.=0D + */=0D +// #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_G= CM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256=0D +=0D +/* X509 options */=0D +// #define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of i= ntermediate CAs in a verification chain. */=0D +// #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 /**< Maximum length of a= path/filename string in bytes including the null terminator character ('\0= '). */=0D +=0D +/**=0D + * Uncomment the macro to let mbed TLS use your alternate implementation o= f=0D + * mbedtls_platform_zeroize(). This replaces the default implementation in= =0D + * platform_util.c.=0D + *=0D + * mbedtls_platform_zeroize() is a widely used function across the library= to=0D + * zero a block of memory. The implementation is expected to be secure in = the=0D + * sense that it has been written to prevent the compiler from removing ca= lls=0D + * to mbedtls_platform_zeroize() as part of redundant code elimination=0D + * optimizations. However, it is difficult to guarantee that calls to=0D + * mbedtls_platform_zeroize() will not be optimized by the compiler as old= er=0D + * versions of the C language standards do not provide a secure implementa= tion=0D + * of memset(). 
Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to=0D + * configure their own implementation of mbedtls_platform_zeroize(), for=0D + * example by using directives specific to their compiler, features from n= ewer=0D + * C standards (e.g using memset_s() in C11) or calling a secure memset() = from=0D + * their system (e.g explicit_bzero() in BSD).=0D + */=0D +// #define MBEDTLS_PLATFORM_ZEROIZE_ALT=0D +=0D +/**=0D + * Uncomment the macro to let Mbed TLS use your alternate implementation o= f=0D + * mbedtls_platform_gmtime_r(). This replaces the default implementation i= n=0D + * platform_util.c.=0D + *=0D + * gmtime() is not a thread-safe function as defined in the C standard. Th= e=0D + * library will try to use safer implementations of this function, such as= =0D + * gmtime_r() when available. However, if Mbed TLS cannot identify the tar= get=0D + * system, the implementation of mbedtls_platform_gmtime_r() will default = to=0D + * using the standard gmtime(). In this case, calls from the library to=0D + * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_m= utex=0D + * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside= the=0D + * library are also guarded with this mutex to avoid race conditions. Howe= ver,=0D + * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will=0D + * unconditionally use the implementation for mbedtls_platform_gmtime_r()= =0D + * supplied at compile time.=0D + */=0D +// #define MBEDTLS_PLATFORM_GMTIME_R_ALT=0D +=0D +/**=0D + * Enable the verified implementations of ECDH primitives from Project Eve= rest=0D + * (currently only Curve25519). This feature changes the layout of ECDH=0D + * contexts and therefore is a compatibility break for applications that a= ccess=0D + * fields of a mbedtls_ecdh_context structure directly. 
See also=0D + * MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h.=0D + */=0D +// #define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED=0D +=0D +/** \} name SECTION: Module configuration options */=0D +=0D +#define MBEDTLS_ALLOW_PRIVATE_ACCESS=0D diff --git a/CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf b/CryptoPkg/Librar= y/MbedTlsLib/MbedTlsLib.inf new file mode 100644 index 0000000000..465bc38364 --- /dev/null +++ b/CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf @@ -0,0 +1,173 @@ +## @file=0D +# library for the MbedTls.=0D +#=0D +# Copyright (c) 2023, Intel Corporation. All rights reserved.
=0D +# SPDX-License-Identifier: BSD-2-Clause-Patent=0D +#=0D +##=0D +=0D +[Defines]=0D + INF_VERSION =3D 0x00010005=0D + BASE_NAME =3D MbedTlsLib=0D + FILE_GUID =3D BB8E7D92-3E14-4907-A890-B28C7A0A1931= =0D + MODULE_TYPE =3D BASE=0D + VERSION_STRING =3D 1.0=0D + LIBRARY_CLASS =3D MbedTlsLib=0D +=0D +#=0D +# The following information is for reference only and not required by the = build tools.=0D +#=0D +# VALID_ARCHITECTURES =3D IA32 X64 ARM AARCH64=0D +#=0D +=0D +[Sources]=0D + Include/mbedtls/mbedtls_config.h=0D + mbedtls/library/aes.c=0D + mbedtls/library/asn1parse.c=0D + mbedtls/library/asn1write.c=0D + mbedtls/library/base64.c=0D + mbedtls/library/bignum.c=0D + mbedtls/library/ccm.c=0D + mbedtls/library/chacha20.c=0D + mbedtls/library/chachapoly.c=0D + mbedtls/library/cipher.c=0D + mbedtls/library/cipher_wrap.c=0D + mbedtls/library/cmac.c=0D + mbedtls/library/ctr_drbg.c=0D + mbedtls/library/debug.c=0D + mbedtls/library/des.c=0D + mbedtls/library/dhm.c=0D + EcSm2Null.c=0D + mbedtls/library/error.c=0D + mbedtls/library/gcm.c=0D + mbedtls/library/hkdf.c=0D + mbedtls/library/hmac_drbg.c=0D + mbedtls/library/md.c=0D + mbedtls/library/md5.c=0D + mbedtls/library/ssl_msg.c=0D + mbedtls/library/ssl_tls12_client.c=0D + mbedtls/library/ssl_tls12_server.c=0D + mbedtls/library/ssl_client.c=0D + mbedtls/library/ssl_debug_helpers_generated.c=0D + mbedtls/library/rsa_alt_helpers.c=0D + mbedtls/library/hash_info.c=0D + mbedtls/library/bignum_core.c=0D + mbedtls/library/constant_time.c=0D + mbedtls/library/memory_buffer_alloc.c=0D + mbedtls/library/nist_kw.c=0D + mbedtls/library/oid.c=0D + mbedtls/library/padlock.c=0D + mbedtls/library/pem.c=0D + mbedtls/library/pk.c=0D + mbedtls/library/pkcs12.c=0D + mbedtls/library/pkcs5.c=0D + mbedtls/library/pkparse.c=0D + mbedtls/library/pkwrite.c=0D + mbedtls/library/pk_wrap.c=0D + mbedtls/library/poly1305.c=0D + mbedtls/library/ripemd160.c=0D + mbedtls/library/rsa.c=0D + mbedtls/library/sha1.c=0D + mbedtls/library/sha256.c=0D + 
mbedtls/library/sha512.c=0D + mbedtls/library/ssl_cache.c=0D + mbedtls/library/ssl_ciphersuites.c=0D + mbedtls/library/ssl_cookie.c=0D + mbedtls/library/ssl_ticket.c=0D + mbedtls/library/ssl_tls.c=0D + mbedtls/library/threading.c=0D + mbedtls/library/version.c=0D + mbedtls/library/version_features.c=0D + mbedtls/library/x509.c=0D + mbedtls/library/x509write_crt.c=0D + mbedtls/library/x509write_csr.c=0D + mbedtls/library/x509_create.c=0D + mbedtls/library/x509_crl.c=0D + mbedtls/library/x509_crt.c=0D + mbedtls/library/x509_csr.c=0D + mbedtls/library/pkcs7.c=0D + mbedtls/library/platform_util.c=0D + CrtWrapper.c=0D +=0D +[Packages]=0D + MdePkg/MdePkg.dec=0D + CryptoPkg/CryptoPkg.dec=0D +=0D +[LibraryClasses]=0D + BaseLib=0D + BaseMemoryLib=0D + DebugLib=0D + MemoryAllocationLib=0D +=0D +[BuildOptions]=0D + #=0D + # Disables the following Visual Studio compiler warnings brought by Mbed= tls source,=0D + # warning C4244: '=3D': conversion from 'int' to 'unsigned char', possib= le loss of data=0D + # warning C4132: 'S': const object should be initialized=0D + # warning C4245: '=3D': conversion from 'int' to 'mbedtls_mpi_uint', sig= ned/unsigned mismatch=0D + # warning C4310: cast truncates constant value=0D + # warning C4204: nonstandard extension used=0D + #=0D + MSFT:*_*_IA32_CC_FLAGS =3D /DEFI32 /wd4244 /wd4132 /wd4245 /wd4310 /w= d4204=0D + MSFT:*_*_X64_CC_FLAGS =3D /DEFI32 /wd4244 /wd4132 /wd4245 /wd4310 /wd= 4204=0D +=0D + #=0D + # Disable following Visual Studio 2015 compiler warnings brought by open= ssl source,=0D + # so we do not break the build with /WX option:=0D + # C4718: recursive call has no side effects, deleting=0D + #=0D + MSFT:*_VS2015x86_IA32_CC_FLAGS =3D /wd4718=0D + MSFT:*_VS2015x86_X64_CC_FLAGS =3D /wd4718=0D +=0D + INTEL:*_*_IA32_CC_FLAGS =3D -U_WIN32 -U_WIN64 /w=0D + INTEL:*_*_X64_CC_FLAGS =3D -U_WIN32 -U_WIN64 /w=0D +=0D + #=0D + # Suppress the following build warnings in openssl so we don't break the= build with -Werror=0D + # 
-Werror=3Dmaybe-uninitialized: there exist some other paths for whic= h the variable is not initialized.=0D + # -Werror=3Dformat: Check calls to printf and scanf, etc., to make sur= e that the arguments supplied have=0D + # types appropriate to the format string specified.=0D + # -Werror=3Dunused-but-set-variable: Warn whenever a local variable is= assigned to, but otherwise unused (aside from its declaration).=0D + #=0D + GCC:*_*_IA32_CC_FLAGS =3D -U_WIN32 -U_WIN64 -Wno-error=3Dmaybe-uninit= ialized -Wno-error=3Dunused-but-set-variable=0D + GCC:*_*_X64_CC_FLAGS =3D -U_WIN32 -U_WIN64 -Wno-error=3Dmaybe-uninit= ialized -Wno-error=3Dformat -Wno-format -Wno-error=3Dunused-but-set-variabl= e -DNO_MSABI_VA_FUNCS=0D + GCC:*_*_ARM_CC_FLAGS =3D -Wno-error=3Dmaybe-uninitialized -Wno-erro= r=3Dunused-but-set-variable=0D + GCC:*_*_AARCH64_CC_FLAGS =3D -Wno-error=3Dmaybe-uninitialized -Wno-form= at -Wno-error=3Dunused-but-set-variable -Wno-error=3Dformat=0D + GCC:*_*_RISCV64_CC_FLAGS =3D -Wno-error=3Dmaybe-uninitialized -Wno-form= at -Wno-error=3Dunused-but-set-variable=0D + GCC:*_*_LOONGARCH64_CC_FLAGS =3D -Wno-error=3Dmaybe-uninitialized -Wno-= format -Wno-error=3Dunused-but-set-variable=0D + GCC:*_CLANG35_*_CC_FLAGS =3D -std=3Dc99 -Wno-error=3Duninitialized=0D + GCC:*_CLANG38_*_CC_FLAGS =3D -std=3Dc99 -Wno-error=3Duninitialized=0D + GCC:*_CLANGPDB_*_CC_FLAGS =3D -std=3Dc99 -Wno-error=3Duninitialized -Wno= -error=3Dincompatible-pointer-types -Wno-error=3Dpointer-sign -Wno-error=3D= implicit-function-declaration -Wno-error=3Dignored-pragma-optimize=0D +=0D + # suppress the following warnings in openssl so we don't break the build= with warnings-as-errors:=0D + # 1295: Deprecated declaration - give arg types=0D + # 550: was set but never used=0D + # 1293: assignment in condition=0D + # 111: statement is unreachable (invariably "break;" after "return X;" = in case statement)=0D + # 68: integer conversion resulted in a change of sign ("if (Status =3D= =3D -1)")=0D + # 177: was 
declared but never referenced=0D + # 223: function declared implicitly=0D + # 144: a value of type cannot be used to initialize an entity of= type =0D + # 513: a value of type cannot be assigned to an entity of type <= type>=0D + # 188: enumerated type mixed with another type (i.e. passing an integer= as an enum without a cast)=0D + # 1296: Extended constant initialiser used=0D + # 128: loop is not reachable - may be emitted inappropriately if code f= ollows a conditional return=0D + # from the function that evaluates to true at compile time=0D + # 546: transfer of control bypasses initialization - may be emitted ina= ppropriately if the uninitialized=0D + # variable is never referenced after the jump=0D + # 1: ignore "#1-D: last line of file ends without a newline"=0D + # 3017: may be used before being set (NOTE: This was fixed in O= penSSL 1.1 HEAD with=0D + # commit d9b8b89bec4480de3a10bdaf9425db371c19145b, and can be drop= ped then.)=0D + XCODE:*_*_IA32_CC_FLAGS =3D -mmmx -msse -U_WIN32 -U_WIN64 -w -std=3D= c99 -Wno-error=3Duninitialized=0D + XCODE:*_*_X64_CC_FLAGS =3D -mmmx -msse -U_WIN32 -U_WIN64 -w -std=3D= c99 -Wno-error=3Duninitialized=0D +=0D + #=0D + # AARCH64 uses strict alignment and avoids SIMD registers for code that = may execute=0D + # with the MMU off. This involves SEC, PEI_CORE and PEIM modules as well= as BASE=0D + # libraries, given that they may be included into such modules.=0D + # This library, even though of the BASE type, is never used in such case= s, and=0D + # avoiding the SIMD register file (which is shared with the FPU) prevent= s the=0D + # compiler from successfully building some of the OpenSSL source files t= hat=0D + # use floating point types, so clear the flags here.=0D + #=0D + GCC:*_*_AARCH64_CC_XIPFLAGS =3D=3D=0D diff --git a/CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.inf b/CryptoPkg/Li= brary/MbedTlsLib/MbedTlsLibFull.inf new file mode 100644 index 0000000000..f6e7247dba --- /dev/null 
+++ b/CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.inf @@ -0,0 +1,177 @@ +## @file=0D +# library for the MbedTls.=0D +#=0D +# Copyright (c) 2023, Intel Corporation. All rights reserved.
=0D +# SPDX-License-Identifier: BSD-2-Clause-Patent=0D +#=0D +##=0D +=0D +[Defines]=0D + INF_VERSION =3D 0x00010005=0D + BASE_NAME =3D MbedTlsLibFull=0D + FILE_GUID =3D BE9B7BBC-F003-4D88-A7E3-EB73E951F5BF= =0D + MODULE_TYPE =3D BASE=0D + VERSION_STRING =3D 1.0=0D + LIBRARY_CLASS =3D MbedTlsLib=0D +=0D +#=0D +# The following information is for reference only and not required by the = build tools.=0D +#=0D +# VALID_ARCHITECTURES =3D IA32 X64 ARM AARCH64=0D +#=0D +=0D +[Sources]=0D + Include/mbedtls/mbedtls_config.h=0D + mbedtls/library/aes.c=0D + mbedtls/library/asn1parse.c=0D + mbedtls/library/asn1write.c=0D + mbedtls/library/base64.c=0D + mbedtls/library/bignum.c=0D + mbedtls/library/ccm.c=0D + mbedtls/library/chacha20.c=0D + mbedtls/library/chachapoly.c=0D + mbedtls/library/cipher.c=0D + mbedtls/library/cipher_wrap.c=0D + mbedtls/library/cmac.c=0D + mbedtls/library/ctr_drbg.c=0D + mbedtls/library/debug.c=0D + mbedtls/library/des.c=0D + mbedtls/library/dhm.c=0D + mbedtls/library/ecdh.c=0D + mbedtls/library/ecdsa.c=0D + mbedtls/library/ecjpake.c=0D + mbedtls/library/ecp.c=0D + mbedtls/library/ecp_curves.c=0D + mbedtls/library/error.c=0D + mbedtls/library/gcm.c=0D + mbedtls/library/hkdf.c=0D + mbedtls/library/hmac_drbg.c=0D + mbedtls/library/md.c=0D + mbedtls/library/md5.c=0D + mbedtls/library/ssl_msg.c=0D + mbedtls/library/ssl_tls12_client.c=0D + mbedtls/library/ssl_tls12_server.c=0D + mbedtls/library/ssl_client.c=0D + mbedtls/library/ssl_debug_helpers_generated.c=0D + mbedtls/library/rsa_alt_helpers.c=0D + mbedtls/library/hash_info.c=0D + mbedtls/library/bignum_core.c=0D + mbedtls/library/constant_time.c=0D + mbedtls/library/memory_buffer_alloc.c=0D + mbedtls/library/nist_kw.c=0D + mbedtls/library/oid.c=0D + mbedtls/library/padlock.c=0D + mbedtls/library/pem.c=0D + mbedtls/library/pk.c=0D + mbedtls/library/pkcs12.c=0D + mbedtls/library/pkcs5.c=0D + mbedtls/library/pkparse.c=0D + mbedtls/library/pkwrite.c=0D + mbedtls/library/pk_wrap.c=0D + 
mbedtls/library/poly1305.c=0D + mbedtls/library/ripemd160.c=0D + mbedtls/library/rsa.c=0D + mbedtls/library/sha1.c=0D + mbedtls/library/sha256.c=0D + mbedtls/library/sha512.c=0D + mbedtls/library/ssl_cache.c=0D + mbedtls/library/ssl_ciphersuites.c=0D + mbedtls/library/ssl_cookie.c=0D + mbedtls/library/ssl_ticket.c=0D + mbedtls/library/ssl_tls.c=0D + mbedtls/library/threading.c=0D + mbedtls/library/version.c=0D + mbedtls/library/version_features.c=0D + mbedtls/library/x509.c=0D + mbedtls/library/x509write_crt.c=0D + mbedtls/library/x509write_csr.c=0D + mbedtls/library/x509_create.c=0D + mbedtls/library/x509_crl.c=0D + mbedtls/library/x509_crt.c=0D + mbedtls/library/x509_csr.c=0D + mbedtls/library/pkcs7.c=0D + mbedtls/library/platform_util.c=0D + CrtWrapper.c=0D +=0D +[Packages]=0D + MdePkg/MdePkg.dec=0D + CryptoPkg/CryptoPkg.dec=0D +=0D +[LibraryClasses]=0D + BaseLib=0D + BaseMemoryLib=0D + DebugLib=0D + MemoryAllocationLib=0D +=0D +[BuildOptions]=0D + #=0D + # Disables the following Visual Studio compiler warnings brought by Mbed= tls source,=0D + # warning C4244: '=3D': conversion from 'int' to 'unsigned char', possib= le loss of data=0D + # warning C4132: 'S': const object should be initialized=0D + # warning C4245: '=3D': conversion from 'int' to 'mbedtls_mpi_uint', sig= ned/unsigned mismatch=0D + # warning C4310: cast truncates constant value=0D + # warning C4204: nonstandard extension used=0D + #=0D + MSFT:*_*_IA32_CC_FLAGS =3D /DEFI32 /wd4244 /wd4132 /wd4245 /wd4310 /w= d4204=0D + MSFT:*_*_X64_CC_FLAGS =3D /DEFI32 /wd4244 /wd4132 /wd4245 /wd4310 /wd= 4204=0D +=0D + #=0D + # Disable following Visual Studio 2015 compiler warnings brought by open= ssl source,=0D + # so we do not break the build with /WX option:=0D + # C4718: recursive call has no side effects, deleting=0D + #=0D + MSFT:*_VS2015x86_IA32_CC_FLAGS =3D /wd4718=0D + MSFT:*_VS2015x86_X64_CC_FLAGS =3D /wd4718=0D +=0D + INTEL:*_*_IA32_CC_FLAGS =3D -U_WIN32 -U_WIN64 /w=0D + INTEL:*_*_X64_CC_FLAGS =3D 
-U_WIN32 -U_WIN64 /w=0D +=0D + #=0D + # Suppress the following build warnings in openssl so we don't break the= build with -Werror=0D + # -Werror=3Dmaybe-uninitialized: there exist some other paths for whic= h the variable is not initialized.=0D + # -Werror=3Dformat: Check calls to printf and scanf, etc., to make sur= e that the arguments supplied have=0D + # types appropriate to the format string specified.=0D + # -Werror=3Dunused-but-set-variable: Warn whenever a local variable is= assigned to, but otherwise unused (aside from its declaration).=0D + #=0D + GCC:*_*_IA32_CC_FLAGS =3D -U_WIN32 -U_WIN64 -Wno-error=3Dmaybe-uninit= ialized -Wno-error=3Dunused-but-set-variable=0D + GCC:*_*_X64_CC_FLAGS =3D -U_WIN32 -U_WIN64 -Wno-error=3Dmaybe-uninit= ialized -Wno-error=3Dformat -Wno-format -Wno-error=3Dunused-but-set-variabl= e -DNO_MSABI_VA_FUNCS=0D + GCC:*_*_ARM_CC_FLAGS =3D -Wno-error=3Dmaybe-uninitialized -Wno-erro= r=3Dunused-but-set-variable=0D + GCC:*_*_AARCH64_CC_FLAGS =3D -Wno-error=3Dmaybe-uninitialized -Wno-form= at -Wno-error=3Dunused-but-set-variable -Wno-error=3Dformat=0D + GCC:*_*_RISCV64_CC_FLAGS =3D -Wno-error=3Dmaybe-uninitialized -Wno-form= at -Wno-error=3Dunused-but-set-variable=0D + GCC:*_*_LOONGARCH64_CC_FLAGS =3D -Wno-error=3Dmaybe-uninitialized -Wno-= format -Wno-error=3Dunused-but-set-variable=0D + GCC:*_CLANG35_*_CC_FLAGS =3D -std=3Dc99 -Wno-error=3Duninitialized=0D + GCC:*_CLANG38_*_CC_FLAGS =3D -std=3Dc99 -Wno-error=3Duninitialized=0D + GCC:*_CLANGPDB_*_CC_FLAGS =3D -std=3Dc99 -Wno-error=3Duninitialized -Wno= -error=3Dincompatible-pointer-types -Wno-error=3Dpointer-sign -Wno-error=3D= implicit-function-declaration -Wno-error=3Dignored-pragma-optimize=0D +=0D + # suppress the following warnings in openssl so we don't break the build= with warnings-as-errors:=0D + # 1295: Deprecated declaration - give arg types=0D + # 550: was set but never used=0D + # 1293: assignment in condition=0D + # 111: statement is unreachable (invariably "break;" after 
"return X;" = in case statement)=0D + # 68: integer conversion resulted in a change of sign ("if (Status =3D= =3D -1)")=0D + # 177: was declared but never referenced=0D + # 223: function declared implicitly=0D + # 144: a value of type cannot be used to initialize an entity of= type =0D + # 513: a value of type cannot be assigned to an entity of type <= type>=0D + # 188: enumerated type mixed with another type (i.e. passing an integer= as an enum without a cast)=0D + # 1296: Extended constant initialiser used=0D + # 128: loop is not reachable - may be emitted inappropriately if code f= ollows a conditional return=0D + # from the function that evaluates to true at compile time=0D + # 546: transfer of control bypasses initialization - may be emitted ina= ppropriately if the uninitialized=0D + # variable is never referenced after the jump=0D + # 1: ignore "#1-D: last line of file ends without a newline"=0D + # 3017: may be used before being set (NOTE: This was fixed in O= penSSL 1.1 HEAD with=0D + # commit d9b8b89bec4480de3a10bdaf9425db371c19145b, and can be drop= ped then.)=0D + XCODE:*_*_IA32_CC_FLAGS =3D -mmmx -msse -U_WIN32 -U_WIN64 -w -std=3D= c99 -Wno-error=3Duninitialized=0D + XCODE:*_*_X64_CC_FLAGS =3D -mmmx -msse -U_WIN32 -U_WIN64 -w -std=3D= c99 -Wno-error=3Duninitialized=0D +=0D + #=0D + # AARCH64 uses strict alignment and avoids SIMD registers for code that = may execute=0D + # with the MMU off. 
This involves SEC, PEI_CORE and PEIM modules as well= as BASE=0D + # libraries, given that they may be included into such modules.=0D + # This library, even though of the BASE type, is never used in such case= s, and=0D + # avoiding the SIMD register file (which is shared with the FPU) prevent= s the=0D + # compiler from successfully building some of the OpenSSL source files t= hat=0D + # use floating point types, so clear the flags here.=0D + #=0D + GCC:*_*_AARCH64_CC_XIPFLAGS =3D=3D=0D --=20 2.26.2.windows.1
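Review bot: In the [BuildOptions] section of MbedTlsLib.inf the suppression comments still justify every flag by "openssl source", up to the note about OpenSSL 1.1 commit d9b8b89bec4480de3a10bdaf9425db371c19145b and the "OpenSSL source files that use floating point types" rationale for clearing GCC:*_*_AARCH64_CC_XIPFLAGS, so nothing in the file records which of these warnings the Mbed TLS sources actually trigger. Please rebuild with the suppressions removed and keep only those Mbed TLS needs, with comments that name Mbed TLS. The ones that deserve the closest look are the blanket "/w" on the INTEL lines, "-w" on the XCODE lines, and "-Wno-error=implicit-function-declaration" and "-Wno-error=incompatible-pointer-types" on GCC:*_CLANGPDB_*_CC_FLAGS: in a crypto library built together with CrtWrapper.c these are the diagnostics that would catch a missing prototype or a mismatched pointer type. Separately, MSFT:*_*_X64_CC_FLAGS defines /DEFI32 exactly as the IA32 line does; if that is intentional a one-line comment saying why would help, otherwise it looks like a copy error.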
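Review bot: The file header of MbedTlsLibFull.inf says only "library for the MbedTls." and does not state how this module differs from MbedTlsLib.inf, while both declare LIBRARY_CLASS MbedTlsLib and the visible tail of [Sources] plus the whole of [Packages], [LibraryClasses] and [BuildOptions] are identical between the two files. Please describe in the "@file" comment what "Full" adds and when a platform should pick it, so that a DSC author can choose the smaller crypto surface deliberately. The duplicated [BuildOptions] block also means any later tightening of the warning suppressions has to be made twice, and the same remarks about the OpenSSL-derived comments and flags apply here. Finally, the "VALID_ARCHITECTURES = IA32 X64 ARM AARCH64" comment does not match [BuildOptions], which carries GCC flags for RISCV64 and LOONGARCH64; one of the two should be updated.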