mirror of
https://github.com/espressif/esp-idf.git
synced 2024-09-20 00:36:01 -04:00
mbedtls: Added config options for v2.28.0 upgrade
This commit is contained in:
parent
0fdc5f7490
commit
76658d5066
@ -97,6 +97,13 @@ menu "mbedTLS"
|
||||
This defines maximum outgoing fragment length, overriding default
|
||||
maximum content length (MBEDTLS_SSL_MAX_CONTENT_LEN).
|
||||
|
||||
config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
|
||||
bool "Variable SSL buffer length"
|
||||
default n
|
||||
help
|
||||
This enables the SSL buffer to be resized automatically
|
||||
based on the negotiated maximum fragment length in each direction.
|
||||
|
||||
config MBEDTLS_DYNAMIC_BUFFER
|
||||
bool "Using dynamic TX/RX buffer"
|
||||
default n
|
||||
@ -220,16 +227,21 @@ menu "mbedTLS"
|
||||
relative to the project root directory.
|
||||
endmenu
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
config MBEDTLS_ECP_RESTARTABLE
|
||||
bool "Enable mbedTLS ecp restartable"
|
||||
default n
|
||||
help
|
||||
Enable "non-blocking" ECC operations that can return early and be resumed.
|
||||
|
||||
config MBEDTLS_ECDH_LEGACY_CONTEXT
|
||||
bool "Use a backward compatible ECDH context (Experimental)"
|
||||
default y
|
||||
depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_RESTARTABLE
|
||||
help
|
||||
Use the legacy ECDH context format.
|
||||
Define this option only if you enable MBEDTLS_ECP_RESTARTABLE or if you
|
||||
want to access ECDH context fields directly.
|
||||
|
||||
config MBEDTLS_CMAC_C
|
||||
bool "Enable CMAC mode for block ciphers"
|
||||
default n
|
||||
@ -712,8 +724,94 @@ menu "mbedTLS"
|
||||
help
|
||||
Support for parsing X.509 Certifificate Signing Requests
|
||||
|
||||
config MBEDTLS_X509_TRUSTED_CERT_CALLBACK
|
||||
bool "Enable trusted certificate callbacks"
|
||||
default n
|
||||
help
|
||||
Enables users to configure the set of trusted certificates
|
||||
through a callback instead of a linked list.
|
||||
|
||||
See mbedTLS documentation for required API and more details.
|
||||
|
||||
endmenu # Certificates
|
||||
|
||||
|
||||
menu "DTLS-based configurations"
|
||||
visible if MBEDTLS_SSL_PROTO_DTLS
|
||||
|
||||
config MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
bool "Support for the DTLS Connection ID extension"
|
||||
depends on MBEDTLS_SSL_PROTO_DTLS
|
||||
default n
|
||||
help
|
||||
Enable support for the DTLS Connection ID extension which allows to
|
||||
identify DTLS connections across changes in the underlying transport.
|
||||
The Connection ID extension is still in draft state.
|
||||
Refer: version draft-ietf-tls-dtls-connection-id-05
|
||||
|
||||
config MBEDTLS_SSL_CID_IN_LEN_MAX
|
||||
int "Maximum length of CIDs used for incoming DTLS messages"
|
||||
default 32
|
||||
range 0 32
|
||||
depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
help
|
||||
Maximum length of CIDs used for incoming DTLS messages
|
||||
|
||||
config MBEDTLS_SSL_CID_OUT_LEN_MAX
|
||||
int "Maximum length of CIDs used for outgoing DTLS messages"
|
||||
default 32
|
||||
range 0 32
|
||||
depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
help
|
||||
Maximum length of CIDs used for outgoing DTLS messages
|
||||
|
||||
config MBEDTLS_SSL_CID_PADDING_GRANULARITY
|
||||
int "Record plaintext padding (for DTLS 1.2)"
|
||||
default 16
|
||||
range 0 32
|
||||
depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
help
|
||||
Controls the use of record plaintext padding when
|
||||
using the Connection ID extension in DTLS 1.2.
|
||||
|
||||
The padding will always be chosen so that the length of the
|
||||
padded plaintext is a multiple of the value of this option.
|
||||
|
||||
Notes:
|
||||
A value of 1 means that no padding will be used for outgoing records.
|
||||
On systems lacking division instructions, a power of two should be preferred.
|
||||
|
||||
config MBEDTLS_SSL_DTLS_SRTP
|
||||
bool "Enable support for negotiation of DTLS-SRTP (RFC 5764)"
|
||||
depends on MBEDTLS_SSL_PROTO_DTLS
|
||||
default n
|
||||
help
|
||||
Enable support for negotiation of DTLS-SRTP (RFC 5764) through the use_srtp extension.
|
||||
|
||||
See mbedTLS documentation for required API and more details.
|
||||
Disabling this option will save some code size.
|
||||
|
||||
endmenu
|
||||
|
||||
config MBEDTLS_SSL_CONTEXT_SERIALIZATION
|
||||
bool "Enable serialization of the TLS context structures"
|
||||
default n
|
||||
help
|
||||
Enable serialization of the TLS context structures
|
||||
This is a local optimization in handling a single, potentially long-lived connection.
|
||||
|
||||
See mbedTLS documentation for required API and more details.
|
||||
Disabling this option will save some code size.
|
||||
|
||||
config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
||||
bool "Keep peer certificate after handshake completion"
|
||||
default y
|
||||
help
|
||||
Keep the peer's certificate after completion of the handshake.
|
||||
Disabling this option will save about 4kB of heap and some code size.
|
||||
|
||||
See mbedTLS documentation for required API and more details.
|
||||
|
||||
menuconfig MBEDTLS_ECP_C
|
||||
bool "Elliptic Curve Ciphers"
|
||||
default y
|
||||
|
@ -1,12 +1,13 @@
|
||||
/**
|
||||
*
|
||||
* \brief Default mbedTLS configuration options for esp-idf
|
||||
* \brief Default mbedTLS configuration options for ESP-IDF
|
||||
*
|
||||
* This set of compile-time options may be used to enable
|
||||
* or disable features selectively, and reduce the global
|
||||
* memory footprint.
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
@ -20,8 +21,6 @@
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#ifndef ESP_CONFIG_H
|
||||
@ -310,18 +309,54 @@
|
||||
*
|
||||
* \note This option only works with the default software implementation of
|
||||
* elliptic curve functionality. It is incompatible with
|
||||
* MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT and MBEDTLS_ECDSA_XXX_ALT.
|
||||
* MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT
|
||||
* and MBEDTLS_ECDH_LEGACY_CONTEXT.
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_ECP_RESTARTABLE
|
||||
#define MBEDTLS_ECP_RESTARTABLE
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECDH_LEGACY_CONTEXT
|
||||
*
|
||||
* Use a backward compatible ECDH context.
|
||||
*
|
||||
* Mbed TLS supports two formats for ECDH contexts (#mbedtls_ecdh_context
|
||||
* defined in `ecdh.h`). For most applications, the choice of format makes
|
||||
* no difference, since all library functions can work with either format,
|
||||
* except that the new format is incompatible with MBEDTLS_ECP_RESTARTABLE.
|
||||
|
||||
* The new format used when this option is disabled is smaller
|
||||
* (56 bytes on a 32-bit platform). In future versions of the library, it
|
||||
* will support alternative implementations of ECDH operations.
|
||||
* The new format is incompatible with applications that access
|
||||
* context fields directly and with restartable ECP operations.
|
||||
*
|
||||
* Define this macro if you enable MBEDTLS_ECP_RESTARTABLE or if you
|
||||
* want to access ECDH context fields directly. Otherwise you should
|
||||
* comment out this macro definition.
|
||||
*
|
||||
* This option has no effect if #MBEDTLS_ECDH_C is not enabled.
|
||||
*
|
||||
* \note This configuration option is experimental. Future versions of the
|
||||
* library may modify the way the ECDH context layout is configured
|
||||
* and may modify the layout of the new context type.
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
|
||||
#define MBEDTLS_ECDH_LEGACY_CONTEXT
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CMAC_C
|
||||
*
|
||||
* Enable the CMAC (Cipher-based Message Authentication Code) mode for block
|
||||
* ciphers.
|
||||
*
|
||||
* \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying
|
||||
* implementation of the CMAC algorithm is provided by an alternate
|
||||
* implementation, that alternate implementation may opt to not support
|
||||
* AES-192 or 3DES as underlying block ciphers for the CMAC operation.
|
||||
*
|
||||
* Module: library/cmac.c
|
||||
*
|
||||
* Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
|
||||
@ -339,6 +374,7 @@
|
||||
*
|
||||
* Comment macros to disable the curve and functions for it
|
||||
*/
|
||||
/* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */
|
||||
#ifdef CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
#else
|
||||
@ -394,12 +430,12 @@
|
||||
#else
|
||||
#undef MBEDTLS_ECP_DP_BP512R1_ENABLED
|
||||
#endif
|
||||
/* Montgomery curves (supporting ECP) */
|
||||
#ifdef CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||
#else
|
||||
#undef MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||
#endif
|
||||
|
||||
#ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||
#undef MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||
#endif
|
||||
@ -427,7 +463,7 @@
|
||||
* may result in a compromise of the long-term signing key. This is avoided by
|
||||
* the deterministic variant.
|
||||
*
|
||||
* Requires: MBEDTLS_HMAC_DRBG_C
|
||||
* Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C
|
||||
*
|
||||
* Comment this macro to disable deterministic ECDSA.
|
||||
*/
|
||||
@ -668,7 +704,7 @@
|
||||
*
|
||||
* Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
|
||||
*
|
||||
* Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
|
||||
* Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C
|
||||
*
|
||||
* This enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
@ -696,7 +732,7 @@
|
||||
*
|
||||
* Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
|
||||
*
|
||||
* Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
|
||||
* Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_X509_CRT_PARSE_C
|
||||
*
|
||||
* This enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
@ -850,6 +886,69 @@
|
||||
*/
|
||||
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
*
|
||||
* Enable support for the DTLS Connection ID extension
|
||||
* (version draft-ietf-tls-dtls-connection-id-05,
|
||||
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
|
||||
* which allows to identify DTLS connections across changes
|
||||
* in the underlying transport.
|
||||
*
|
||||
* Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
|
||||
* `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`.
|
||||
* See the corresponding documentation for more information.
|
||||
*
|
||||
* \warning The Connection ID extension is still in draft state.
|
||||
* We make no stability promises for the availability
|
||||
* or the shape of the API controlled by this option.
|
||||
*
|
||||
* The maximum lengths of outgoing and incoming CIDs can be configured
|
||||
* through the options
|
||||
* - MBEDTLS_SSL_CID_OUT_LEN_MAX
|
||||
* - MBEDTLS_SSL_CID_IN_LEN_MAX.
|
||||
*
|
||||
* Requires: MBEDTLS_SSL_PROTO_DTLS
|
||||
*
|
||||
* Uncomment to enable the Connection ID extension.
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
#else
|
||||
#undef MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_CONTEXT_SERIALIZATION
|
||||
*
|
||||
* Enable serialization of the TLS context structures, through use of the
|
||||
* functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load().
|
||||
*
|
||||
* This pair of functions allows one side of a connection to serialize the
|
||||
* context associated with the connection, then free or re-use that context
|
||||
* while the serialized state is persisted elsewhere, and finally deserialize
|
||||
* that state to a live context for resuming read/write operations on the
|
||||
* connection. From a protocol perspective, the state of the connection is
|
||||
* unaffected, in particular this is entirely transparent to the peer.
|
||||
*
|
||||
* Note: this is distinct from TLS session resumption, which is part of the
|
||||
* protocol and fully visible by the peer. TLS session resumption enables
|
||||
* establishing new connections associated to a saved session with shorter,
|
||||
* lighter handshakes, while context serialization is a local optimization in
|
||||
* handling a single, potentially long-lived connection.
|
||||
*
|
||||
* Enabling these APIs makes some SSL structures larger, as 64 extra bytes are
|
||||
* saved after the handshake to allow for more efficient serialization, so if
|
||||
* you don't need this feature you'll save RAM by disabling it.
|
||||
*
|
||||
* Comment to disable the context serialization APIs.
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION
|
||||
#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
|
||||
#else
|
||||
#undef MBEDTLS_SSL_CONTEXT_SERIALIZATION
|
||||
#endif
|
||||
|
||||
/** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
|
||||
*
|
||||
* Enable support for Encrypt-then-MAC, RFC 7366.
|
||||
@ -874,8 +973,8 @@
|
||||
|
||||
/** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
|
||||
*
|
||||
* Enable support for Extended Master Secret, aka Session Hash
|
||||
* (draft-ietf-tls-session-hash-02).
|
||||
* Enable support for RFC 7627: Session Hash and Extended Master Secret
|
||||
* Extension.
|
||||
*
|
||||
* This was introduced as "the proper fix" to the Triple Handshake familiy of
|
||||
* attacks, but it is recommended to always use it (even if you disable
|
||||
@ -897,7 +996,8 @@
|
||||
/**
|
||||
* \def MBEDTLS_SSL_FALLBACK_SCSV
|
||||
*
|
||||
* Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
|
||||
* Enable support for RFC 7507: Fallback Signaling Cipher Suite Value (SCSV)
|
||||
* for Preventing Protocol Downgrade Attacks.
|
||||
*
|
||||
* For servers, it is recommended to always enable this, unless you support
|
||||
* only one version of TLS, or know for sure that none of your clients
|
||||
@ -911,6 +1011,32 @@
|
||||
*/
|
||||
#define MBEDTLS_SSL_FALLBACK_SCSV
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
||||
*
|
||||
* This option controls the availability of the API mbedtls_ssl_get_peer_cert()
|
||||
* giving access to the peer's certificate after completion of the handshake.
|
||||
*
|
||||
* Unless you need mbedtls_ssl_peer_cert() in your application, it is
|
||||
* recommended to disable this option for reduced RAM usage.
|
||||
*
|
||||
* \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still
|
||||
* defined, but always returns \c NULL.
|
||||
*
|
||||
* \note This option has no influence on the protection against the
|
||||
* triple handshake attack. Even if it is disabled, Mbed TLS will
|
||||
* still ensure that certificates do not change during renegotiation,
|
||||
* for exaple by keeping a hash of the peer's certificate.
|
||||
*
|
||||
* Comment this macro to disable storing the peer's certificate
|
||||
* after the handshake.
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
||||
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
||||
#else
|
||||
#undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_PROTO_TLS1
|
||||
*
|
||||
@ -935,6 +1061,9 @@
|
||||
* Requires: MBEDTLS_MD5_C
|
||||
* MBEDTLS_SHA1_C
|
||||
*
|
||||
* \deprecated This option is deprecated and will be removed in a future
|
||||
* version of Mbed TLS.
|
||||
*
|
||||
* Comment this macro to disable support for SSL 3.0
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_SSL3
|
||||
@ -1092,6 +1221,41 @@
|
||||
#undef MBEDTLS_SSL_DTLS_HELLO_VERIFY
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_DTLS_SRTP
|
||||
*
|
||||
* Enable support for negotiation of DTLS-SRTP (RFC 5764)
|
||||
* through the use_srtp extension.
|
||||
*
|
||||
* \note This feature provides the minimum functionality required
|
||||
* to negotiate the use of DTLS-SRTP and to allow the derivation of
|
||||
* the associated SRTP packet protection key material.
|
||||
* In particular, the SRTP packet protection itself, as well as the
|
||||
* demultiplexing of RTP and DTLS packets at the datagram layer
|
||||
* (see Section 5 of RFC 5764), are not handled by this feature.
|
||||
* Instead, after successful completion of a handshake negotiating
|
||||
* the use of DTLS-SRTP, the extended key exporter API
|
||||
* mbedtls_ssl_conf_export_keys_ext_cb() should be used to implement
|
||||
* the key exporter described in Section 4.2 of RFC 5764 and RFC 5705
|
||||
* (this is implemented in the SSL example programs).
|
||||
* The resulting key should then be passed to an SRTP stack.
|
||||
*
|
||||
* Setting this option enables the runtime API
|
||||
* mbedtls_ssl_conf_dtls_srtp_protection_profiles()
|
||||
* through which the supported DTLS-SRTP protection
|
||||
* profiles can be configured. You must call this API at
|
||||
* runtime if you wish to negotiate the use of DTLS-SRTP.
|
||||
*
|
||||
* Requires: MBEDTLS_SSL_PROTO_DTLS
|
||||
*
|
||||
* Uncomment this to enable support for use_srtp extension.
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
|
||||
#define MBEDTLS_SSL_DTLS_SRTP
|
||||
#else
|
||||
#undef MBEDTLS_SSL_DTLS_SRTP
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
|
||||
*
|
||||
@ -1176,6 +1340,21 @@
|
||||
#define MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
|
||||
*
|
||||
* When this option is enabled, the SSL buffer will be resized automatically
|
||||
* based on the negotiated maximum fragment length in each direction.
|
||||
*
|
||||
* Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
||||
*/
|
||||
#if defined MBEDTLS_SSL_MAX_FRAGMENT_LENGTH && CONFIG_MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
|
||||
#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
|
||||
#else
|
||||
#undef MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
|
||||
#endif
|
||||
|
||||
/**
|
||||
*
|
||||
* \def MBEDTLS_VERSION_FEATURES
|
||||
*
|
||||
* Allow run-time checking of compile-time enabled features. Thus allowing users
|
||||
@ -1641,7 +1820,9 @@
|
||||
* This module is used by the following key exchanges:
|
||||
* ECDHE-ECDSA
|
||||
*
|
||||
* Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
|
||||
* Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C,
|
||||
* and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a
|
||||
* short Weierstrass curve.
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_ECDSA_C
|
||||
#define MBEDTLS_ECDSA_C
|
||||
@ -1719,11 +1900,11 @@
|
||||
/**
|
||||
* \def MBEDTLS_GCM_C
|
||||
*
|
||||
* Enable the Galois/Counter Mode (GCM) for AES.
|
||||
* Enable the Galois/Counter Mode (GCM).
|
||||
*
|
||||
* Module: library/gcm.c
|
||||
*
|
||||
* Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
|
||||
* Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C
|
||||
*
|
||||
* This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
|
||||
* requisites are enabled as well.
|
||||
@ -2323,6 +2504,29 @@
|
||||
#undef MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
*
|
||||
* If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()`
|
||||
* and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure
|
||||
* the set of trusted certificates through a callback instead of a linked
|
||||
* list.
|
||||
*
|
||||
* This is useful for example in environments where a large number of trusted
|
||||
* certificates is present and storing them in a linked list isn't efficient
|
||||
* enough, or when the set of trusted certificates changes frequently.
|
||||
*
|
||||
* See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and
|
||||
* `mbedtls_ssl_conf_ca_cb()` for more information.
|
||||
*
|
||||
* Uncomment to enable trusted certificate callbacks.
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_X509_TRUSTED_CERT_CALLBACK
|
||||
#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
#else
|
||||
#undef MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_X509_CSR_WRITE_C
|
||||
*
|
||||
@ -2383,6 +2587,51 @@
|
||||
*/
|
||||
#define MBEDTLS_SSL_IN_CONTENT_LEN CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN
|
||||
|
||||
/** \def MBEDTLS_SSL_CID_IN_LEN_MAX
|
||||
*
|
||||
* The maximum length of CIDs used for incoming DTLS messages.
|
||||
*
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
#define MBEDTLS_SSL_CID_IN_LEN_MAX CONFIG_MBEDTLS_SSL_CID_IN_LEN_MAX
|
||||
#else
|
||||
#undef MBEDTLS_SSL_CID_IN_LEN_MAX
|
||||
#endif
|
||||
|
||||
|
||||
/** \def MBEDTLS_SSL_CID_OUT_LEN_MAX
|
||||
*
|
||||
* The maximum length of CIDs used for outgoing DTLS messages.
|
||||
*
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
#define MBEDTLS_SSL_CID_OUT_LEN_MAX CONFIG_MBEDTLS_SSL_CID_OUT_LEN_MAX
|
||||
#else
|
||||
#undef MBEDTLS_SSL_CID_OUT_LEN_MAX
|
||||
#endif
|
||||
|
||||
/** \def MBEDTLS_SSL_CID_PADDING_GRANULARITY
|
||||
*
|
||||
* This option controls the use of record plaintext padding
|
||||
* when using the Connection ID extension in DTLS 1.2.
|
||||
*
|
||||
* The padding will always be chosen so that the length of the
|
||||
* padded plaintext is a multiple of the value of this option.
|
||||
*
|
||||
* Note: A value of \c 1 means that no padding will be used
|
||||
* for outgoing records.
|
||||
*
|
||||
* Note: On systems lacking division instructions,
|
||||
* a power of two should be preferred.
|
||||
*
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
#define MBEDTLS_SSL_CID_PADDING_GRANULARITY CONFIG_MBEDTLS_SSL_CID_PADDING_GRANULARITY
|
||||
#else
|
||||
#undef MBEDTLS_SSL_CID_PADDING_GRANULARITY
|
||||
#endif
|
||||
|
||||
|
||||
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
*
|
||||
* Maximum outgoing fragment length in bytes.
|
||||
@ -2416,6 +2665,10 @@
|
||||
* default. At the time of writing, there is no practical attack on the use
|
||||
* of SHA-1 in handshake signatures, hence this option is turned on by default
|
||||
* for compatibility with existing peers.
|
||||
*
|
||||
* \warning SHA-1 is considered a weak message digest and its use constitutes
|
||||
* a security risk. If possible, we recommend avoiding dependencies
|
||||
* on it, and considering stronger message digests instead.
|
||||
*/
|
||||
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user