Update config-default.h to the latest from Mbed TLS
config-default.h should always be a verbatim copy of the default configuration (include/mbedtls/config.h) from Mbed TLS.
parent
67ea2c5e6d
commit
e8206622ad
1 changed files with 230 additions and 24 deletions
|
@ -139,7 +139,7 @@
|
|||
*
|
||||
* System has time.h, time(), and an implementation for
|
||||
* mbedtls_platform_gmtime_r() (see below).
|
||||
* The time needs to be correct (not necesarily very accurate, but at least
|
||||
* The time needs to be correct (not necessarily very accurate, but at least
|
||||
* the date should be correct). This is used to verify the validity period of
|
||||
* X.509 certificates.
|
||||
*
|
||||
|
@ -226,6 +226,7 @@
|
|||
//#define MBEDTLS_PLATFORM_FPRINTF_ALT
|
||||
//#define MBEDTLS_PLATFORM_PRINTF_ALT
|
||||
//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
|
||||
//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
|
||||
//#define MBEDTLS_PLATFORM_NV_SEED_ALT
|
||||
//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
|
||||
|
||||
|
@ -256,6 +257,48 @@
|
|||
*/
|
||||
//#define MBEDTLS_DEPRECATED_REMOVED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CHECK_PARAMS
|
||||
*
|
||||
* This configuration option controls whether the library validates more of
|
||||
* the parameters passed to it.
|
||||
*
|
||||
* When this flag is not defined, the library only attempts to validate an
|
||||
* input parameter if: (1) they may come from the outside world (such as the
|
||||
* network, the filesystem, etc.) or (2) not validating them could result in
|
||||
* internal memory errors such as overflowing a buffer controlled by the
|
||||
* library. On the other hand, it doesn't attempt to validate parameters whose
|
||||
* values are fully controlled by the application (such as pointers).
|
||||
*
|
||||
* When this flag is defined, the library additionally attempts to validate
|
||||
* parameters that are fully controlled by the application, and should always
|
||||
* be valid if the application code is fully correct and trusted.
|
||||
*
|
||||
* For example, when a function accepts as input a pointer to a buffer that may
|
||||
* contain untrusted data, and its documentation mentions that this pointer
|
||||
* must not be NULL:
|
||||
* - the pointer is checked to be non-NULL only if this option is enabled
|
||||
* - the content of the buffer is always validated
|
||||
*
|
||||
* When this flag is defined, if a library function receives a parameter that
|
||||
* is invalid, it will:
|
||||
* - invoke the macro MBEDTLS_PARAM_FAILED() which by default expands to a
|
||||
* call to the function mbedtls_param_failed()
|
||||
* - immediately return (with a specific error code unless the function
|
||||
* returns void and can't communicate an error).
|
||||
*
|
||||
* When defining this flag, you also need to:
|
||||
* - either provide a definition of the function mbedtls_param_failed() in
|
||||
* your application (see platform_util.h for its prototype) as the library
|
||||
* calls that function, but does not provide a default definition for it,
|
||||
* - or provide a different definition of the macro MBEDTLS_PARAM_FAILED()
|
||||
* below if the above mechanism is not flexible enough to suit your needs.
|
||||
* See the documentation of this macro later in this file.
|
||||
*
|
||||
* Uncomment to enable validation of application-controlled parameters.
|
||||
*/
|
||||
//#define MBEDTLS_CHECK_PARAMS
|
||||
|
||||
/* \} name SECTION: System support */
|
||||
|
||||
/**
|
||||
|
@ -359,7 +402,7 @@
|
|||
* \note Because of a signature change, the core AES encryption and decryption routines are
|
||||
* currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
|
||||
* respectively. When setting up alternative implementations, these functions should
|
||||
* be overriden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
|
||||
* be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
|
||||
* must stay untouched.
|
||||
*
|
||||
* \note If you use the AES_xxx_ALT macros, then is is recommended to also set
|
||||
|
@ -414,11 +457,11 @@
|
|||
* unsigned char mbedtls_internal_ecp_grp_capable(
|
||||
* const mbedtls_ecp_group *grp )
|
||||
* int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
|
||||
* void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp )
|
||||
* void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp )
|
||||
* The mbedtls_internal_ecp_grp_capable function should return 1 if the
|
||||
* replacement functions implement arithmetic for the given group and 0
|
||||
* otherwise.
|
||||
* The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are
|
||||
* The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are
|
||||
* called before and after each point operation and provide an opportunity to
|
||||
* implement optimized set up and tear down instructions.
|
||||
*
|
||||
|
@ -1159,6 +1202,30 @@
|
|||
*/
|
||||
#define MBEDTLS_PKCS1_V21
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_SPM
|
||||
*
|
||||
* When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
|
||||
* Partition Manager) integration which separates the code into two parts: a
|
||||
* NSPE (Non-Secure Process Environment) and an SPE (Secure Process
|
||||
* Environment).
|
||||
*
|
||||
* Module: library/psa_crypto.c
|
||||
* Requires: MBEDTLS_PSA_CRYPTO_C
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_PSA_CRYPTO_SPM
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_HAS_ITS_IO
|
||||
*
|
||||
* Enable the non-volatile secure storage usage.
|
||||
*
|
||||
* This is crucial on systems that do not have a HW TRNG support.
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_PSA_HAS_ITS_IO
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RSA_NO_CRT
|
||||
*
|
||||
|
@ -1496,7 +1563,7 @@
|
|||
* \def MBEDTLS_SSL_SESSION_TICKETS
|
||||
*
|
||||
* Enable support for RFC 5077 session tickets in SSL.
|
||||
* Client-side, provides full support for session tickets (maintainance of a
|
||||
* Client-side, provides full support for session tickets (maintenance of a
|
||||
* session store remains the responsibility of the application, though).
|
||||
* Server-side, you also need to provide callbacks for writing and parsing
|
||||
* tickets, including authenticated encryption and key management. Example
|
||||
|
@ -1582,6 +1649,24 @@
|
|||
*/
|
||||
//#define MBEDTLS_THREADING_PTHREAD
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_USE_PSA_CRYPTO
|
||||
*
|
||||
* Make the X.509 and TLS library use PSA for cryptographic operations, see
|
||||
* #MBEDTLS_PSA_CRYPTO_C.
|
||||
*
|
||||
* Note: this option is still in progress, the full X.509 and TLS modules are
|
||||
* not covered yet, but parts that are not ported to PSA yet will still work
|
||||
* as usual, so enabling this option should not break backwards compatibility.
|
||||
*
|
||||
* \warning Support for PSA is still an experimental feature.
|
||||
* Any public API that depends on this option may change
|
||||
* at any time until this warning is removed.
|
||||
*
|
||||
* Requires: MBEDTLS_PSA_CRYPTO_C.
|
||||
*/
|
||||
//#define MBEDTLS_USE_PSA_CRYPTO
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_VERSION_FEATURES
|
||||
*
|
||||
|
@ -1662,7 +1747,7 @@
|
|||
*
|
||||
* \warning TLS-level compression MAY REDUCE SECURITY! See for example the
|
||||
* CRIME attack. Before enabling this option, you should examine with care if
|
||||
* CRIME or similar exploits may be a applicable to your use case.
|
||||
* CRIME or similar exploits may be applicable to your use case.
|
||||
*
|
||||
* \note Currently compression can't be used with DTLS.
|
||||
*
|
||||
|
@ -2590,6 +2675,65 @@
|
|||
*/
|
||||
#define MBEDTLS_POLY1305_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_C
|
||||
*
|
||||
* Enable the Platform Security Architecture cryptography API.
|
||||
*
|
||||
* \note This option only has an effect when the build option
|
||||
* USE_CRYPTO_SUBMODULE is also in use.
|
||||
*
|
||||
* \warning This feature is experimental and available on an opt-in basis only.
|
||||
* PSA APIs are subject to change at any time. The implementation comes with
|
||||
* less assurance and support than the rest of Mbed TLS.
|
||||
*
|
||||
* Module: crypto/library/psa_crypto.c
|
||||
*
|
||||
* Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_PSA_CRYPTO_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_STORAGE_C
|
||||
*
|
||||
* Enable the Platform Security Architecture persistent key storage.
|
||||
*
|
||||
* Module: library/psa_crypto_storage.c
|
||||
*
|
||||
* Requires: MBEDTLS_PSA_CRYPTO_C and one of either
|
||||
* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C or MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
|
||||
* (but not both)
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_PSA_CRYPTO_STORAGE_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
|
||||
*
|
||||
* Enable persistent key storage over files for the
|
||||
* Platform Security Architecture cryptography API.
|
||||
*
|
||||
* Module: library/psa_crypto_storage_file.c
|
||||
*
|
||||
* Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_FS_IO
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
|
||||
*
|
||||
* Enable persistent key storage over PSA ITS for the
|
||||
* Platform Security Architecture cryptography API.
|
||||
*
|
||||
* Module: library/psa_crypto_storage_its.c
|
||||
*
|
||||
* Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_HAS_ITS_IO
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RIPEMD160_C
|
||||
*
|
||||
|
@ -2974,7 +3118,7 @@
|
|||
//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
|
||||
//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
|
||||
//#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
|
||||
/* Note: your snprintf must correclty zero-terminate the buffer! */
|
||||
/* Note: your snprintf must correctly zero-terminate the buffer! */
|
||||
//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
|
||||
//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
|
||||
//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
|
||||
|
@ -2991,11 +3135,42 @@
|
|||
//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
|
||||
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
|
||||
//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
|
||||
/* Note: your snprintf must correclty zero-terminate the buffer! */
|
||||
/* Note: your snprintf must correctly zero-terminate the buffer! */
|
||||
//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
|
||||
//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf /**< Default vsnprintf macro to use, can be undefined */
|
||||
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
|
||||
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
|
||||
|
||||
/**
|
||||
* \brief This macro is invoked by the library when an invalid parameter
|
||||
* is detected that is only checked with MBEDTLS_CHECK_PARAMS
|
||||
* (see the documentation of that option for context).
|
||||
*
|
||||
* When you leave this undefined here, a default definition is
|
||||
* provided that invokes the function mbedtls_param_failed(),
|
||||
* which is declared in platform_util.h for the benefit of the
|
||||
* library, but that you need to define in your application.
|
||||
*
|
||||
* When you define this here, this replaces the default
|
||||
* definition in platform_util.h (which no longer declares the
|
||||
* function mbedtls_param_failed()) and it is your responsibility
|
||||
* to make sure this macro expands to something suitable (in
|
||||
* particular, that all the necessary declarations are visible
|
||||
* from within the library - you can ensure that by providing
|
||||
* them in this file next to the macro definition).
|
||||
*
|
||||
* Note that you may define this macro to expand to nothing, in
|
||||
* which case you don't have to worry about declarations or
|
||||
* definitions. However, you will then be notified about invalid
|
||||
* parameters only in non-void functions, and void function will
|
||||
* just silently return early on invalid parameters, which
|
||||
* partially negates the benefits of enabling
|
||||
* #MBEDTLS_CHECK_PARAMS in the first place, so is discouraged.
|
||||
*
|
||||
* \param cond The expression that should evaluate to true, but doesn't.
|
||||
*/
|
||||
//#define MBEDTLS_PARAM_FAILED( cond ) assert( cond )
|
||||
|
||||
/* SSL Cache options */
|
||||
//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
|
||||
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
|
||||
|
@ -3004,31 +3179,65 @@
|
|||
|
||||
/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
*
|
||||
* Maximum fragment length in bytes.
|
||||
* Maximum length (in bytes) of incoming and outgoing plaintext fragments.
|
||||
*
|
||||
* Determines the size of both the incoming and outgoing TLS I/O buffers.
|
||||
* This determines the size of both the incoming and outgoing TLS I/O buffers
|
||||
* in such a way that both are capable of holding the specified amount of
|
||||
* plaintext data, regardless of the protection mechanism used.
|
||||
*
|
||||
* Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
* will override this length by setting maximum incoming and/or outgoing
|
||||
* fragment length, respectively.
|
||||
* To configure incoming and outgoing I/O buffers separately, use
|
||||
* #MBEDTLS_SSL_IN_CONTENT_LEN and #MBEDTLS_SSL_OUT_CONTENT_LEN,
|
||||
* which overwrite the value set by this option.
|
||||
*
|
||||
* \note When using a value less than the default of 16KB on the client, it is
|
||||
* recommended to use the Maximum Fragment Length (MFL) extension to
|
||||
* inform the server about this limitation. On the server, there
|
||||
* is no supported, standardized way of informing the client about
|
||||
* restriction on the maximum size of incoming messages, and unless
|
||||
* the limitation has been communicated by other means, it is recommended
|
||||
* to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
* while keeping the default value of 16KB for the incoming buffer.
|
||||
*
|
||||
* Uncomment to set the maximum plaintext size of both
|
||||
* incoming and outgoing I/O buffers.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384
|
||||
|
||||
/** \def MBEDTLS_SSL_IN_CONTENT_LEN
|
||||
*
|
||||
* Maximum incoming fragment length in bytes.
|
||||
* Maximum length (in bytes) of incoming plaintext fragments.
|
||||
*
|
||||
* Uncomment to set the size of the inward TLS buffer independently of the
|
||||
* outward buffer.
|
||||
* This determines the size of the incoming TLS I/O buffer in such a way
|
||||
* that it is capable of holding the specified amount of plaintext data,
|
||||
* regardless of the protection mechanism used.
|
||||
*
|
||||
* If this option is undefined, it inherits its value from
|
||||
* #MBEDTLS_SSL_MAX_CONTENT_LEN.
|
||||
*
|
||||
* \note When using a value less than the default of 16KB on the client, it is
|
||||
* recommended to use the Maximum Fragment Length (MFL) extension to
|
||||
* inform the server about this limitation. On the server, there
|
||||
* is no supported, standardized way of informing the client about
|
||||
* restriction on the maximum size of incoming messages, and unless
|
||||
* the limitation has been communicated by other means, it is recommended
|
||||
* to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
* while keeping the default value of 16KB for the incoming buffer.
|
||||
*
|
||||
* Uncomment to set the maximum plaintext size of the incoming I/O buffer
|
||||
* independently of the outgoing I/O buffer.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
|
||||
|
||||
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
*
|
||||
* Maximum outgoing fragment length in bytes.
|
||||
* Maximum length (in bytes) of outgoing plaintext fragments.
|
||||
*
|
||||
* Uncomment to set the size of the outward TLS buffer independently of the
|
||||
* inward buffer.
|
||||
* This determines the size of the outgoing TLS I/O buffer in such a way
|
||||
* that it is capable of holding the specified amount of plaintext data,
|
||||
* regardless of the protection mechanism used.
|
||||
*
|
||||
* If this option undefined, it inherits its value from
|
||||
* #MBEDTLS_SSL_MAX_CONTENT_LEN.
|
||||
*
|
||||
* It is possible to save RAM by setting a smaller outward buffer, while keeping
|
||||
* the default inward 16384 byte buffer to conform to the TLS specification.
|
||||
|
@ -3038,11 +3247,8 @@
|
|||
* The specific size requirement depends on the configured ciphers and any
|
||||
* certificate data which is sent during the handshake.
|
||||
*
|
||||
* For absolute minimum RAM usage, it's best to enable
|
||||
* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This
|
||||
* reduces both incoming and outgoing buffer sizes. However this is only
|
||||
* guaranteed if the other end of the connection also supports the TLS
|
||||
* max_fragment_len extension. Otherwise the connection may fail.
|
||||
* Uncomment to set the maximum plaintext size of the outgoing I/O buffer
|
||||
* independently of the incoming I/O buffer.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
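Review bot: The commented-out example `//#define MBEDTLS_PARAM_FAILED( cond ) assert( cond )` in the hunk at -2991 leaves out two things that anyone uncommenting it needs to know. `<assert.h>` has to be included in this file, and in a build with `NDEBUG` defined `assert()` expands to nothing, which is the empty-macro case the preceding comment discourages because void functions then return early without any report. I would add a line to that doc comment such as `* \note The assert() example needs <assert.h> included here and reports nothing when NDEBUG is defined.` Since the commit message says this file must stay a verbatim copy of the Mbed TLS default configuration, the wording would have to be proposed upstream and picked up by the next sync rather than edited locally. The same goes for the small slips in the added text, `If this option undefined` under MBEDTLS_SSL_OUT_CONTENT_LEN and `void function will` in the MBEDTLS_PARAM_FAILED comment.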
|
||||
|
||||
|
|