|
|
|
|
@ -43,7 +43,16 @@
|
|
|
|
|
* The time does not need to be correct, only time differences are used,
|
|
|
|
|
* by contrast with MBEDTLS_HAVE_TIME_DATE
|
|
|
|
|
*
|
|
|
|
|
* Comment if your system does not support time functions
|
|
|
|
|
* Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
|
|
|
|
|
* MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
|
|
|
|
|
* MBEDTLS_PLATFORM_STD_TIME.
|
|
|
|
|
*
|
|
|
|
|
* Comment if your system does not support time functions.
|
|
|
|
|
*
|
|
|
|
|
* \note If MBEDTLS_TIMING_C is set - to enable the semi-portable timing
|
|
|
|
|
* interface - timing.c will include time.h on suitable platforms
|
|
|
|
|
* regardless of the setting of MBEDTLS_HAVE_TIME, unless
|
|
|
|
|
* MBEDTLS_TIMING_ALT is used. See timing.c for more information.
|
|
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_MBEDTLS_HAVE_TIME
|
|
|
|
|
#define MBEDTLS_HAVE_TIME
|
|
|
|
|
@ -358,7 +367,7 @@
|
|
|
|
|
*
|
|
|
|
|
* Module: library/cmac.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
|
|
|
|
|
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_MBEDTLS_CMAC_C
|
|
|
|
|
@ -878,19 +887,15 @@
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID
|
|
|
|
|
*
|
|
|
|
|
* Enable support for the DTLS Connection ID extension
|
|
|
|
|
* (version draft-ietf-tls-dtls-connection-id-05,
|
|
|
|
|
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
|
|
|
|
|
* Enable support for the DTLS Connection ID (CID) extension,
|
|
|
|
|
* which allows to identify DTLS connections across changes
|
|
|
|
|
* in the underlying transport.
|
|
|
|
|
* in the underlying transport. The CID functionality is described
|
|
|
|
|
* in RFC 9146.
|
|
|
|
|
*
|
|
|
|
|
* Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
|
|
|
|
|
* `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`.
|
|
|
|
|
* See the corresponding documentation for more information.
|
|
|
|
|
*
|
|
|
|
|
* \warning The Connection ID extension is still in draft state.
|
|
|
|
|
* We make no stability promises for the availability
|
|
|
|
|
* or the shape of the API controlled by this option.
|
|
|
|
|
* mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and
|
|
|
|
|
* `mbedtls_ssl_conf_cid()`. See the corresponding documentation for
|
|
|
|
|
* more information.
|
|
|
|
|
*
|
|
|
|
|
* The maximum lengths of outgoing and incoming CIDs can be configured
|
|
|
|
|
* through the options
|
|
|
|
|
@ -907,6 +912,28 @@
|
|
|
|
|
#undef MBEDTLS_SSL_DTLS_CONNECTION_ID
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
|
|
|
|
|
*
|
|
|
|
|
* Defines whether RFC 9146 (default) or the legacy version
|
|
|
|
|
* (version draft-ietf-tls-dtls-connection-id-05,
|
|
|
|
|
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
|
|
|
|
|
* is used.
|
|
|
|
|
*
|
|
|
|
|
* Set the value to 0 for the standard version, and
|
|
|
|
|
* 1 for the legacy draft version.
|
|
|
|
|
*
|
|
|
|
|
* \deprecated Support for the legacy version of the DTLS
|
|
|
|
|
* Connection ID feature is deprecated. Please
|
|
|
|
|
* switch to the standardized version defined
|
|
|
|
|
* in RFC 9146 enabled by utilizing
|
|
|
|
|
* MBEDTLS_SSL_DTLS_CONNECTION_ID without use
|
|
|
|
|
* of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT.
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID
|
|
|
|
|
*/
|
|
|
|
|
#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_CONTEXT_SERIALIZATION
|
|
|
|
|
*
|
|
|
|
|
@ -930,6 +957,8 @@
|
|
|
|
|
* saved after the handshake to allow for more efficient serialization, so if
|
|
|
|
|
* you don't need this feature you'll save RAM by disabling it.
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C
|
|
|
|
|
*
|
|
|
|
|
* Comment to disable the context serialization APIs.
|
|
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION
|
|
|
|
|
@ -963,7 +992,7 @@
|
|
|
|
|
* Enable support for RFC 7627: Session Hash and Extended Master Secret
|
|
|
|
|
* Extension.
|
|
|
|
|
*
|
|
|
|
|
* This was introduced as "the proper fix" to the Triple Handshake familiy of
|
|
|
|
|
* This was introduced as "the proper fix" to the Triple Handshake family of
|
|
|
|
|
* attacks, but it is recommended to always use it (even if you disable
|
|
|
|
|
* renegotiation), since it actually fixes a more fundamental issue in the
|
|
|
|
|
* original SSL/TLS design, and has implications beyond Triple Handshake.
|
|
|
|
|
@ -1011,7 +1040,9 @@
|
|
|
|
|
* \note This option has no influence on the protection against the
|
|
|
|
|
* triple handshake attack. Even if it is disabled, Mbed TLS will
|
|
|
|
|
* still ensure that certificates do not change during renegotiation,
|
|
|
|
|
* for exaple by keeping a hash of the peer's certificate.
|
|
|
|
|
* for example by keeping a hash of the peer's certificate.
|
|
|
|
|
*
|
|
|
|
|
* \note This option is required if MBEDTLS_SSL_PROTO_TLS1_3 is set.
|
|
|
|
|
*
|
|
|
|
|
* Comment this macro to disable storing the peer's certificate
|
|
|
|
|
* after the handshake.
|
|
|
|
|
@ -1100,6 +1131,8 @@
|
|
|
|
|
* See docs/architecture/tls13-support.md for a description of the TLS
|
|
|
|
|
* 1.3 support that this option enables.
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
|
|
|
|
*
|
|
|
|
|
* Uncomment this macro to enable the support for TLS 1.3.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
@ -1135,6 +1168,134 @@
|
|
|
|
|
#undef MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
|
|
|
|
*
|
|
|
|
|
* Enable TLS 1.3 PSK key exchange mode.
|
|
|
|
|
*
|
|
|
|
|
* Comment to disable support for the PSK key exchange mode in TLS 1.3. If
|
|
|
|
|
* MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
|
|
|
|
|
* effect on the build.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_PSK
|
|
|
|
|
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
|
|
|
|
#else
|
|
|
|
|
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
|
|
|
|
*
|
|
|
|
|
* Enable TLS 1.3 ephemeral key exchange mode.
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C, MBEDTLS_ECDSA_C or
|
|
|
|
|
* MBEDTLS_PKCS1_V21
|
|
|
|
|
*
|
|
|
|
|
* Comment to disable support for the ephemeral key exchange mode in TLS 1.3.
|
|
|
|
|
* If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
|
|
|
|
|
* effect on the build.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_EPHEMERAL
|
|
|
|
|
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
|
|
|
|
#else
|
|
|
|
|
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
|
|
|
|
*
|
|
|
|
|
* Enable TLS 1.3 PSK ephemeral key exchange mode.
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_ECDH_C
|
|
|
|
|
*
|
|
|
|
|
* Comment to disable support for the PSK ephemeral key exchange mode in
|
|
|
|
|
* TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not
|
|
|
|
|
* have any effect on the build.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_PSK_EPHEMERAL
|
|
|
|
|
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
|
|
|
|
#else
|
|
|
|
|
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE
|
|
|
|
|
*
|
|
|
|
|
* Maximum time difference in milliseconds tolerated between the age of a
|
|
|
|
|
* ticket from the server and client point of view.
|
|
|
|
|
* From the client point of view, the age of a ticket is the time difference
|
|
|
|
|
* between the time when the client proposes to the server to use the ticket
|
|
|
|
|
* (time of writing of the Pre-Shared Key Extension including the ticket) and
|
|
|
|
|
* the time the client received the ticket from the server.
|
|
|
|
|
* From the server point of view, the age of a ticket is the time difference
|
|
|
|
|
* between the time when the server receives a proposition from the client
|
|
|
|
|
* to use the ticket and the time when the ticket was created by the server.
|
|
|
|
|
* The server age is expected to be always greater than the client one and
|
|
|
|
|
* MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE defines the
|
|
|
|
|
* maximum difference tolerated for the server to accept the ticket.
|
|
|
|
|
* This is not used in TLS 1.2.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH
|
|
|
|
|
*
|
|
|
|
|
* Size in bytes of a ticket nonce. This is not used in TLS 1.2.
|
|
|
|
|
*
|
|
|
|
|
* This must be less than 256.
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS
|
|
|
|
|
*
|
|
|
|
|
* Default number of NewSessionTicket messages to be sent by a TLS 1.3 server
|
|
|
|
|
* after handshake completion. This is not used in TLS 1.2 and relevant only if
|
|
|
|
|
* the MBEDTLS_SSL_SESSION_TICKETS option is enabled.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_EARLY_DATA
|
|
|
|
|
*
|
|
|
|
|
* Enable support for RFC 8446 TLS 1.3 early data.
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_SSL_SESSION_TICKETS and either
|
|
|
|
|
* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
|
|
|
|
|
* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
|
|
|
|
*
|
|
|
|
|
* Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
|
|
|
|
|
* is not enabled, this option does not have any effect on the build.
|
|
|
|
|
*
|
|
|
|
|
* This feature is experimental, not completed and thus not ready for
|
|
|
|
|
* production.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_SSL_EARLY_DATA
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
|
|
|
|
|
*
|
|
|
|
|
* The default maximum amount of 0-RTT data. See the documentation of
|
|
|
|
|
* \c mbedtls_ssl_tls13_conf_max_early_data_size() for more information.
|
|
|
|
|
*
|
|
|
|
|
* It must be positive and smaller than UINT32_MAX.
|
|
|
|
|
*
|
|
|
|
|
* If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not
|
|
|
|
|
* have any impact on the build.
|
|
|
|
|
*
|
|
|
|
|
* This feature is experimental, not completed and thus not ready for
|
|
|
|
|
* production.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SSL_PROTO_DTLS
|
|
|
|
|
*
|
|
|
|
|
@ -1489,10 +1650,14 @@
|
|
|
|
|
* Enable the multi-precision integer library.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/bignum.c
|
|
|
|
|
* library/bignum_core.c
|
|
|
|
|
* library/bignum_mod.c
|
|
|
|
|
* library/bignum_mod_raw.c
|
|
|
|
|
* Caller: library/dhm.c
|
|
|
|
|
* library/ecp.c
|
|
|
|
|
* library/ecdsa.c
|
|
|
|
|
* library/rsa.c
|
|
|
|
|
* library/rsa_alt_helpers.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
*
|
|
|
|
|
* This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
|
|
|
|
|
@ -1578,7 +1743,8 @@
|
|
|
|
|
*
|
|
|
|
|
* Module: library/ccm.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
|
|
|
|
|
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or
|
|
|
|
|
* MBEDTLS_ARIA_C
|
|
|
|
|
*
|
|
|
|
|
* This module enables the AES-CCM ciphersuites, if other requisites are
|
|
|
|
|
* enabled as well.
|
|
|
|
|
@ -1635,7 +1801,17 @@
|
|
|
|
|
* Enable the generic cipher layer.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/cipher.c
|
|
|
|
|
* Caller: library/ssl_tls.c
|
|
|
|
|
* Caller: library/ccm.c
|
|
|
|
|
* library/cmac.c
|
|
|
|
|
* library/gcm.c
|
|
|
|
|
* library/nist_kw.c
|
|
|
|
|
* library/pkcs12.c
|
|
|
|
|
* library/pkcs5.c
|
|
|
|
|
* library/psa_crypto_aead.c
|
|
|
|
|
* library/psa_crypto_mac.c
|
|
|
|
|
* library/ssl_ciphersuites.c
|
|
|
|
|
* library/ssl_msg.c
|
|
|
|
|
* library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled)
|
|
|
|
|
*
|
|
|
|
|
* Uncomment to enable generic cipher wrappers.
|
|
|
|
|
*/
|
|
|
|
|
@ -1661,9 +1837,10 @@
|
|
|
|
|
* Enable the debug functions.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/debug.c
|
|
|
|
|
* Caller: library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* Caller: library/ssl_msg.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
* library/ssl_tls12_*.c
|
|
|
|
|
* library/ssl_tls13_*.c
|
|
|
|
|
*
|
|
|
|
|
* This module provides debugging functions.
|
|
|
|
|
*/
|
|
|
|
|
@ -1709,8 +1886,9 @@
|
|
|
|
|
* Enable the Diffie-Hellman-Merkle module.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/dhm.c
|
|
|
|
|
* Caller: library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* Caller: library/ssl_tls.c
|
|
|
|
|
* library/ssl*_client.c
|
|
|
|
|
* library/ssl*_server.c
|
|
|
|
|
*
|
|
|
|
|
* This module is used by the following key exchanges:
|
|
|
|
|
* DHE-RSA, DHE-PSK
|
|
|
|
|
@ -1727,8 +1905,10 @@
|
|
|
|
|
* Enable the elliptic curve Diffie-Hellman library.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/ecdh.c
|
|
|
|
|
* Caller: library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* Caller: library/psa_crypto.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
* library/ssl*_client.c
|
|
|
|
|
* library/ssl*_server.c
|
|
|
|
|
*
|
|
|
|
|
* This module is used by the following key exchanges:
|
|
|
|
|
* ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
|
|
|
|
|
@ -1777,7 +1957,8 @@
|
|
|
|
|
* This module is used by the following key exchanges:
|
|
|
|
|
* ECJPAKE
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
|
|
|
|
|
* Requires: MBEDTLS_ECP_C and MBEDTLS_MD_C
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_MBEDTLS_ECJPAKE_C
|
|
|
|
|
#define MBEDTLS_ECJPAKE_C
|
|
|
|
|
@ -1836,7 +2017,8 @@
|
|
|
|
|
*
|
|
|
|
|
* Module: library/gcm.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C
|
|
|
|
|
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or
|
|
|
|
|
* MBEDTLS_ARIA_C
|
|
|
|
|
*
|
|
|
|
|
* This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
|
|
|
|
|
* requisites are enabled as well.
|
|
|
|
|
@ -1885,8 +2067,29 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the generic message digest layer.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_md.c
|
|
|
|
|
* Caller:
|
|
|
|
|
* Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C,
|
|
|
|
|
* MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C,
|
|
|
|
|
* MBEDTLS_SHA512_C.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/md.c
|
|
|
|
|
* Caller: library/constant_time.c
|
|
|
|
|
* library/ecdsa.c
|
|
|
|
|
* library/ecjpake.c
|
|
|
|
|
* library/hkdf.c
|
|
|
|
|
* library/hmac_drbg.c
|
|
|
|
|
* library/pk.c
|
|
|
|
|
* library/pkcs5.c
|
|
|
|
|
* library/pkcs12.c
|
|
|
|
|
* library/psa_crypto_ecp.c
|
|
|
|
|
* library/psa_crypto_rsa.c
|
|
|
|
|
* library/rsa.c
|
|
|
|
|
* library/ssl_cookie.c
|
|
|
|
|
* library/ssl_msg.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
* library/x509.c
|
|
|
|
|
* library/x509_crt.c
|
|
|
|
|
* library/x509write_crt.c
|
|
|
|
|
* library/x509write_csr.c
|
|
|
|
|
*
|
|
|
|
|
* Uncomment to enable generic message digest wrappers.
|
|
|
|
|
*/
|
|
|
|
|
@ -1910,11 +2113,19 @@
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_NET_C
|
|
|
|
|
*
|
|
|
|
|
* Enable the TCP/IP networking routines.
|
|
|
|
|
* Enable the TCP and UDP over IPv6/IPv4 networking routines.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/net.c
|
|
|
|
|
* \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
|
|
|
|
|
* and Windows. For other platforms, you'll want to disable it, and write your
|
|
|
|
|
* own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
|
|
|
|
|
*
|
|
|
|
|
* This module provides TCP/IP networking routines.
|
|
|
|
|
* \note See also our Knowledge Base article about porting to a new
|
|
|
|
|
* environment:
|
|
|
|
|
* https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
|
|
|
|
|
*
|
|
|
|
|
* Module: library/net_sockets.c
|
|
|
|
|
*
|
|
|
|
|
* This module provides networking routines.
|
|
|
|
|
*/
|
|
|
|
|
#ifdef MBEDTLS_NET_C
|
|
|
|
|
#undef MBEDTLS_NET_C
|
|
|
|
|
@ -2002,12 +2213,16 @@
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_PK_C
|
|
|
|
|
*
|
|
|
|
|
* Enable the generic public (asymetric) key layer.
|
|
|
|
|
* Enable the generic public (asymmetric) key layer.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/pk.c
|
|
|
|
|
* Caller: library/ssl_tls.c
|
|
|
|
|
* library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* Caller: library/psa_crypto_rsa.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
* library/ssl*_client.c
|
|
|
|
|
* library/ssl*_server.c
|
|
|
|
|
* library/x509.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
|
|
|
|
|
*
|
|
|
|
|
@ -2018,7 +2233,7 @@
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_PK_PARSE_C
|
|
|
|
|
*
|
|
|
|
|
* Enable the generic public (asymetric) key parser.
|
|
|
|
|
* Enable the generic public (asymmetric) key parser.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/pkparse.c
|
|
|
|
|
* Caller: library/mbedtls_x509_crt.c
|
|
|
|
|
@ -2033,7 +2248,7 @@
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_PK_WRITE_C
|
|
|
|
|
*
|
|
|
|
|
* Enable the generic public (asymetric) key writer.
|
|
|
|
|
* Enable the generic public (asymmetric) key writer.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/pkwrite.c
|
|
|
|
|
* Caller: library/x509write.c
|
|
|
|
|
@ -2051,12 +2266,32 @@
|
|
|
|
|
*
|
|
|
|
|
* Module: library/pkcs5.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_MD_C
|
|
|
|
|
* Requires: MBEDTLS_CIPHER_C and MBEDTLS_MD_C
|
|
|
|
|
*
|
|
|
|
|
* This module adds support for the PKCS#5 functions.
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_PKCS5_C
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_PKCS7_C
|
|
|
|
|
*
|
|
|
|
|
* This feature is a work in progress and not ready for production. Testing and
|
|
|
|
|
* validation is incomplete, and handling of malformed inputs may not be robust.
|
|
|
|
|
* The API may change.
|
|
|
|
|
*
|
|
|
|
|
* Enable PKCS7 core for using PKCS7 formatted signatures.
|
|
|
|
|
* RFC Link - https://tools.ietf.org/html/rfc2315
|
|
|
|
|
*
|
|
|
|
|
* Module: library/pkcs7.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
|
|
|
|
|
* MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C,
|
|
|
|
|
* MBEDTLS_BIGNUM_C, MBEDTLS_MD_C
|
|
|
|
|
*
|
|
|
|
|
* This module is required for the PKCS7 parsing modules.
|
|
|
|
|
*/
|
|
|
|
|
//#define MBEDTLS_PKCS7_C
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_PKCS12_C
|
|
|
|
|
*
|
|
|
|
|
@ -2083,7 +2318,7 @@
|
|
|
|
|
* above to be specified at runtime or compile time respectively.
|
|
|
|
|
*
|
|
|
|
|
* \note This abstraction layer must be enabled on Windows (including MSYS2)
|
|
|
|
|
* as other module rely on it for a fixed snprintf implementation.
|
|
|
|
|
* as other modules rely on it for a fixed snprintf implementation.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/platform.c
|
|
|
|
|
* Caller: Most other .c files
|
|
|
|
|
@ -2127,10 +2362,12 @@
|
|
|
|
|
* Enable the RSA public-key cryptosystem.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/rsa.c
|
|
|
|
|
* Caller: library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* library/rsa_alt_helpers.c
|
|
|
|
|
* Caller: library/pk.c
|
|
|
|
|
* library/psa_crypto.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
* library/x509.c
|
|
|
|
|
* library/ssl*_client.c
|
|
|
|
|
* library/ssl*_server.c
|
|
|
|
|
*
|
|
|
|
|
* This module is used by the following key exchanges:
|
|
|
|
|
* RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
|
|
|
|
|
@ -2144,17 +2381,36 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the SHA1 cryptographic hash algorithm.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_sha1.c
|
|
|
|
|
* Caller: library/mbedtls_md.c
|
|
|
|
|
* library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
* library/x509write_crt.c
|
|
|
|
|
* Module: library/sha1.c
|
|
|
|
|
* Caller: library/md.c
|
|
|
|
|
* library/psa_crypto_hash.c
|
|
|
|
|
*
|
|
|
|
|
* This module is required for TLS 1.2 depending on the handshake parameters,
|
|
|
|
|
* and for SHA1-signed certificates.
|
|
|
|
|
*
|
|
|
|
|
* \warning SHA-1 is considered a weak message digest and its use constitutes
|
|
|
|
|
* a security risk. If possible, we recommend avoiding dependencies
|
|
|
|
|
* on it, and considering stronger message digests instead.
|
|
|
|
|
*
|
|
|
|
|
* This module is required for SSL/TLS and SHA1-signed certificates.
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SHA1_C
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SHA224_C
|
|
|
|
|
*
|
|
|
|
|
* Enable the SHA-224 cryptographic hash algorithm.
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_SHA256_C. The library does not currently support enabling
|
|
|
|
|
* SHA-224 without SHA-256.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/sha256.c
|
|
|
|
|
* Caller: library/md.c
|
|
|
|
|
* library/ssl_cookie.c
|
|
|
|
|
*
|
|
|
|
|
* This module adds support for SHA-224.
|
|
|
|
|
*/
|
|
|
|
|
#define MBEDTLS_SHA224_C
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \def MBEDTLS_SHA256_C
|
|
|
|
|
*
|
|
|
|
|
@ -2163,9 +2419,9 @@
|
|
|
|
|
* Module: library/mbedtls_sha256.c
|
|
|
|
|
* Caller: library/entropy.c
|
|
|
|
|
* library/mbedtls_md.c
|
|
|
|
|
* library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
* library/ssl*_client.c
|
|
|
|
|
* library/ssl*_server.c=
|
|
|
|
|
*
|
|
|
|
|
* This module adds support for SHA-224 and SHA-256.
|
|
|
|
|
* This module is required for the SSL/TLS 1.2 PRF function.
|
|
|
|
|
@ -2177,11 +2433,11 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_sha512.c
|
|
|
|
|
* Module: library/sha512.c
|
|
|
|
|
* Caller: library/entropy.c
|
|
|
|
|
* library/mbedtls_md.c
|
|
|
|
|
* library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* library/md.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
* library/ssl_cookie.c
|
|
|
|
|
*
|
|
|
|
|
* This module adds support for SHA-384 and SHA-512.
|
|
|
|
|
*/
|
|
|
|
|
@ -2223,7 +2479,8 @@
|
|
|
|
|
* Module: library/ssl_ticket.c
|
|
|
|
|
* Caller:
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_CIPHER_C
|
|
|
|
|
* Requires: (MBEDTLS_CIPHER_C) &&
|
|
|
|
|
* (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)
|
|
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS
|
|
|
|
|
#define MBEDTLS_SSL_TICKET_C
|
|
|
|
|
@ -2236,7 +2493,7 @@
|
|
|
|
|
*
|
|
|
|
|
* Enable the SSL/TLS client code.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/ssl_cli.c
|
|
|
|
|
* Module: library/ssl*_client.c
|
|
|
|
|
* Caller:
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_SSL_TLS_C
|
|
|
|
|
@ -2273,8 +2530,8 @@
|
|
|
|
|
* Enable the generic SSL/TLS code.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/ssl_tls.c
|
|
|
|
|
* Caller: library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* Caller: library/ssl*_client.c
|
|
|
|
|
* library/ssl*_server.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
|
|
|
|
|
* and at least one of the MBEDTLS_SSL_PROTO_XXX defines
|
|
|
|
|
@ -2301,7 +2558,7 @@
|
|
|
|
|
*
|
|
|
|
|
* \note See also our Knowledge Base article about porting to a new
|
|
|
|
|
* environment:
|
|
|
|
|
* https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
|
|
|
|
|
* https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
|
|
|
|
|
*
|
|
|
|
|
* Module: library/timing.c
|
|
|
|
|
* Caller: library/havege.c
|
|
|
|
|
@ -2334,7 +2591,7 @@
|
|
|
|
|
* library/mbedtls_x509_csr.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
|
|
|
|
|
* MBEDTLS_PK_PARSE_C
|
|
|
|
|
* MBEDTLS_PK_PARSE_C, MBEDTLS_MD_C
|
|
|
|
|
*
|
|
|
|
|
* This module is required for the X.509 parsing modules.
|
|
|
|
|
*/
|
|
|
|
|
@ -2346,9 +2603,9 @@
|
|
|
|
|
* Enable X.509 certificate parsing.
|
|
|
|
|
*
|
|
|
|
|
* Module: library/mbedtls_x509_crt.c
|
|
|
|
|
* Caller: library/ssl_cli.c
|
|
|
|
|
* library/ssl_srv.c
|
|
|
|
|
* library/ssl_tls.c
|
|
|
|
|
* Caller: library/ssl_tls.c
|
|
|
|
|
* library/ssl*_client.c
|
|
|
|
|
* library/ssl*_server.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_X509_USE_C
|
|
|
|
|
*
|
|
|
|
|
@ -2399,7 +2656,8 @@
|
|
|
|
|
*
|
|
|
|
|
* Module: library/x509_create.c
|
|
|
|
|
*
|
|
|
|
|
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
|
|
|
|
|
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C,
|
|
|
|
|
* MBEDTLS_MD_C
|
|
|
|
|
*
|
|
|
|
|
* This module is the basis for creating X.509 certificates and CSRs.
|
|
|
|
|
*/
|
|
|
|
|
@ -2613,7 +2871,7 @@
|
|
|
|
|
* contexts are not shared between threads. If you do intend to use contexts
|
|
|
|
|
* between threads, you will need to enable this layer to prevent race
|
|
|
|
|
* conditions. See also our Knowledge Base article about threading:
|
|
|
|
|
* https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
|
|
|
|
|
* https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
|
|
|
|
|
*
|
|
|
|
|
* Module: library/threading.c
|
|
|
|
|
*
|
|
|
|
|
|
Laukik Hase