From c0f65f668077b4279e90c751fc777ddc19808e8e Mon Sep 17 00:00:00 2001 From: Angus Gratton Date: Thu, 17 Aug 2017 17:15:04 +1000 Subject: [PATCH] mbedtls: Expose compile-time config, disable some things by default * Disables 3DES, Camellia, Blowfish, RC4, RIPEMD160, SSLv3, TLS-PSK modes, DTLS by default * Saves about 40KB from the default TLS client code size * Defaults no longer get "Bad" howsmyssl.com rating (no more vulnerable 3DES) (ping https://github.com/espressif/arduino-esp32/issues/575 ) * Allows up to another 20-30KB code size to be trimmed without security implications if using DER formatted certificates, RSA ciphersuites only, etc. * Can save up to another 8KB by setting the TLS Role to Server or Client only. --- components/mbedtls/Kconfig | 312 +++++++++++++++++- .../mbedtls/port/include/mbedtls/esp_config.h | 84 +++++ 2 files changed, 394 insertions(+), 2 deletions(-) diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 57a73584f3..cecf6b8033 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -15,7 +15,7 @@ config MBEDTLS_SSL_MAX_CONTENT_LEN Fragment Length Negotiation Extension (max_fragment_length, see RFC6066) or you know for certain that it will never send a message longer than a certain number of bytes. - + If the value is set too low, symptoms are a failed TLS handshake or a return value of MBEDTLS_ERR_SSL_INVALID_RECORD (-0x7200). @@ -102,4 +102,312 @@ config MBEDTLS_HAVE_TIME_DATE It is suggested that you should get the real time by "SNTP". -endmenu +choice MBEDTLS_TLS_MODE + bool "TLS Protocol Role" + default MBEDTLS_TLS_SERVER_AND_CLIENT + help + mbedTLS can be compiled with protocol support for the TLS + server, TLS client, or both server and client. + + Reducing the number of TLS roles supported saves code size. + +config MBEDTLS_TLS_SERVER_AND_CLIENT + bool "Server & Client" + select MBEDTLS_TLS_SERVER + select MBEDTLS_TLS_CLIENT +config MBEDTLS_TLS_SERVER_ONLY + bool "Server" + select MBEDTLS_TLS_SERVER +config MBEDTLS_TLS_CLIENT_ONLY + bool "Client" + select MBEDTLS_TLS_CLIENT +config MBEDTLS_TLS_DISABLED + bool "None" + +endchoice + +config MBEDTLS_TLS_SERVER + bool + select MBEDTLS_TLS_ENABLED +config MBEDTLS_TLS_CLIENT + bool + select MBEDTLS_TLS_ENABLED +config MBEDTLS_TLS_ENABLED + bool + +menu "TLS Key Exchange Methods" + depends on MBEDTLS_TLS_ENABLED + +config MBEDTLS_PSK_MODES + bool "Enable pre-shared-key ciphersuites" + default n + help + Enable to show configuration for different types of pre-shared-key TLS authentatication methods. + + Leaving this options disabled will save code size if they are not used. + +config MBEDTLS_KEY_EXCHANGE_PSK + bool "Enable PSK based ciphersuite modes" + depends on MBEDTLS_PSK_MODES + default n + help + Enable to support symmetric key PSK (pre-shared-key) TLS key exchange modes. + +config MBEDTLS_KEY_EXCHANGE_DHE_PSK + bool "Enable DHE-PSK based ciphersuite modes" + depends on MBEDTLS_PSK_MODES + default y + help + Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes. + +config MBEDTLS_KEY_EXCHANGE_DHE_PSK + bool "Enable DHE-PSK based ciphersuite modes" + depends on MBEDTLS_PSK_MODES + default y + help + Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes. + +config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK + bool "Enable ECDHE-PSK based ciphersuite modes" + depends on MBEDTLS_PSK_MODES + default y + help + Enable to support Elliptic-Curve-Diffie-Hellman PSK (pre-shared-key) TLS authentication modes. + +config MBEDTLS_KEY_EXCHANGE_RSA_PSK + bool "Enable RSA-PSK based ciphersuite modes" + depends on MBEDTLS_PSK_MODES + default y + help + Enable to support RSA PSK (pre-shared-key) TLS authentication modes. + +config MBEDTLS_KEY_EXCHANGE_RSA + bool "Enable RSA-only based ciphersuite modes" + default y + help + Enable to support ciphersuites with prefix TLS-RSA-WITH- + +config MBEDTLS_KEY_EXCHANGE_DHE_RSA + bool "Enable DHE-RSA based ciphersuite modes" + default y + help + Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH- + +config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE + bool "Support Elliptic Curve based ciphersuites" + default y + help + Enable to show Elliptic Curve based ciphersuite mode options. + + Disabling all Elliptic Curve ciphersuites saves code size and + can give slightly faster TLS handshakes, provided the server supports + RSA-only ciphersuite modes. + +config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA + bool "Enable ECDHE-RSA based ciphersuite modes" + depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE + default y + help + Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- + +config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA + bool "Enable ECDHE-ECDSA based ciphersuite modes" + depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE + default y + help + Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- + +config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA + bool "Enable ECDHE-ECDSA based ciphersuite modes" + depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE + default y + help + Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- + +config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA + bool "Enable ECDH-ECDSA based ciphersuite modes" + depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE + default y + help + Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- + +config MBEDTLS_KEY_EXCHANGE_ECDH_RSA + bool "Enable ECDH-RSA based ciphersuite modes" + depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE + default y + help + Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- + +endmenu # TLS key exchange modes + +config MBEDTLS_SSL_RENEGOTIATION + bool "Support TLS renegotiation" + depends on MBEDTLS_TLS_ENABLED + default y + help + The two main uses of renegotiation are (1) refresh keys on long-lived + connections and (2) client authentication after the initial handshake. + If you don't need renegotiation, disabling it will save code size and + reduce the possibility of abuse/vulnerability. + +config MBEDTLS_SSL_PROTO_SSL3 + bool "Legacy SSL 3.0 support" + depends on MBEDTLS_TLS_ENABLED + default n + help + Support the legacy SSL 3.0 protocol. Most servers will speak a newer + TLS protocol these days. + +config MBEDTLS_SSL_PROTO_TLS1 + bool "Support TLS 1.0 protocol" + depends on MBEDTLS_TLS_ENABLED + default y + +config MBEDTLS_SSL_PROTO_TLS1_1 + bool "Support TLS 1.1 protocol" + depends on MBEDTLS_TLS_ENABLED + default y + +config MBEDTLS_SSL_PROTO_TLS1_2 + bool "Support TLS 1.2 protocol" + depends on MBEDTLS_TLS_ENABLED + default y + +config MBEDTLS_SSL_PROTO_DTLS + bool "Support DTLS protocol (all versions)" + default n + depends on MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 + help + Requires TLS 1.1 to be enabled for DTLS 1.0 + Requires TLS 1.2 to be enabled for DTLS 1.2 + +config MBEDTLS_SSL_ALPN + bool "Support ALPN (Application Layer Protocol Negotiation)" + depends on MBEDTLS_TLS_ENABLED + default y + help + Disabling this option will save some code size if it is not needed. + +config MBEDTLS_SSL_SESSION_TICKETS + bool "TLS: Support RFC 5077 SSL session tickets" + default y + depends on MBEDTLS_TLS_ENABLED + help + Support RFC 5077 session tickets. See mbedTLS documentation for more details. + + Disabling this option will save some code size. + +menu "Symmetric Ciphers" + +config MBEDTLS_AES_C + bool "AES block cipher" + default y + +config MBEDTLS_CAMELLIA_C + bool "Camellia block cipher" + default n + +config MBEDTLS_DES_C + bool "DES block cipher (legacy, insecure)" + default n + help + Enables the DES block cipher to support 3DES-based TLS ciphersuites. + + 3DES is vulnerable to the Sweet32 attack and should only be enabled + if absolutely necessary. + +choice MBEDTLS_RC4_MODE + prompt "RC4 Stream Cipher (legacy, insecure)" + default MBEDTLS_RC4_DISABLED + help + ARCFOUR (RC4) stream cipher can be disabled entirely, enabled but not + added to default ciphersuites, or enabled completely. + + Please consider the security implications before enabling RC4. + +config MBEDTLS_RC4_DISABLED + bool "Disabled" +config MBEDTLS_RC4_ENABLED_NO_DEFAULT + bool "Enabled, not in default ciphersuites" +config MBEDTLS_RC4_ENABLED + bool "Enabled" +endchoice + +config MBEDTLS_BLOWFISH_C + bool "Blowfish block cipher (read help)" + default n + help + Enables the Blowfish block cipher (not used for TLS sessions.) + + The Blowfish cipher is not used for mbedTLS TLS sessions but can be + used for other purposes. Read up on the limitations of Blowfish (including + Sweet32) before enabling. + +config MBEDTLS_XTEA_C + bool "XTEA block cipher" + default n + help + Enables the XTEA block cipher. + + +config MBEDTLS_CCM_C + bool "CCM (Counter with CBC-MAC) block cipher modes" + default y + depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C + help + Enable Counter with CBC-MAC (CCM) modes for AES and/or Camellia ciphers. + + Disabling this option saves some code size. + +config MBEDTLS_GCM_C + bool "GCM (Galois/Counter) block cipher modes" + default y + depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C + help + Enable Galois/Counter Mode for AES and/or Camellia ciphers. + + This option is generally faster than CCM. + +endmenu # Symmetric Ciphers + +config MBEDTLS_RIPEMD160_C + bool "Enable RIPEMD-160 hash algorithm" + default n + help + Enable the RIPEMD-160 hash algorithm. + +menu "Certificates" + +config MBEDTLS_PEM_PARSE_C + bool "Read & Parse PEM formatted certificates" + default y + help + Enable decoding/parsing of PEM formatted certificates. + + If your certificates are all in the simpler DER format, disabling + this option will save some code size. + +config MBEDTLS_PEM_WRITE_C + bool "Write PEM formatted certificates" + default y + help + Enable writing of PEM formatted certificates. + + If writing certificate data only in DER format, disabling this + option will save some code size. + +config MBEDTLS_X509_CRL_PARSE_C + bool "X.509 CRL parsing" + default y + help + Support for parsing X.509 Certifificate Revocation Lists. + +config MBEDTLS_X509_CSR_PARSE_C + bool "X.509 CSR parsing" + default y + help + Support for parsing X.509 Certifificate Signing Requests + +endmenu # Certificates + +endmenu # mbedTLS diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 447fc302bd..daa7bdcfe5 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -430,7 +430,9 @@ * * Uncomment this macro to remove RC4 ciphersuites by default. */ +#ifdef CONFIG_MBEDTLS_RC4_ENABLED #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES +#endif /** * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED @@ -498,7 +500,9 @@ * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA */ +#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_PSK #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +#endif /** * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED @@ -522,7 +526,9 @@ * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA */ +#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED +#endif /** * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED @@ -542,7 +548,9 @@ * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA */ +#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +#endif /** * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED @@ -567,7 +575,9 @@ * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA */ +#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED +#endif /** * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED @@ -595,7 +605,9 @@ * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 */ +#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +#endif /** * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED @@ -621,7 +633,9 @@ * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ +#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +#endif /** * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED @@ -646,7 +660,9 @@ * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA */ +#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +#endif /** * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED @@ -670,7 +686,9 @@ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */ +#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#endif /** * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED @@ -694,7 +712,9 @@ * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */ +#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +#endif /** * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED @@ -718,7 +738,9 @@ * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */ +#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +#endif /** * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED @@ -971,7 +993,9 @@ * * Comment this macro to disable support for Encrypt-then-MAC */ +#ifdef CONFIG_MBEDTLS_TLS_ENABLED #define MBEDTLS_SSL_ENCRYPT_THEN_MAC +#endif /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET * @@ -989,7 +1013,9 @@ * * Comment this macro to disable support for Extended Master Secret. */ +#ifdef CONFIG_MBEDTLS_TLS_ENABLED #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET +#endif /** * \def MBEDTLS_SSL_FALLBACK_SCSV @@ -1028,7 +1054,9 @@ * * Comment this macro to disable 1/n-1 record splitting. */ +#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) #define MBEDTLS_SSL_CBC_RECORD_SPLITTING +#endif /** * \def MBEDTLS_SSL_RENEGOTIATION @@ -1043,7 +1071,9 @@ * * Comment this to disable support for renegotiation. */ +#ifdef CONFIG_MBEDTLS_SSL_RENEGOTIATION #define MBEDTLS_SSL_RENEGOTIATION +#endif /** * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO @@ -1084,7 +1114,9 @@ * * Comment this macro to disable support for SSL 3.0 */ +#ifdef CONFIG_MBEDTLS_SSL_PROTO_SSL3 #define MBEDTLS_SSL_PROTO_SSL3 +#endif /** * \def MBEDTLS_SSL_PROTO_TLS1 @@ -1096,7 +1128,9 @@ * * Comment this macro to disable support for TLS 1.0 */ +#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1 #define MBEDTLS_SSL_PROTO_TLS1 +#endif /** * \def MBEDTLS_SSL_PROTO_TLS1_1 @@ -1108,7 +1142,9 @@ * * Comment this macro to disable support for TLS 1.1 / DTLS 1.0 */ +#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_1 #define MBEDTLS_SSL_PROTO_TLS1_1 +#endif /** * \def MBEDTLS_SSL_PROTO_TLS1_2 @@ -1120,7 +1156,9 @@ * * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 */ +#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 #define MBEDTLS_SSL_PROTO_TLS1_2 +#endif /** * \def MBEDTLS_SSL_PROTO_DTLS @@ -1135,7 +1173,9 @@ * * Comment this macro to disable support for DTLS */ +#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_PROTO_DTLS +#endif /** * \def MBEDTLS_SSL_ALPN @@ -1144,7 +1184,9 @@ * * Comment this macro to disable support for ALPN. */ +#ifdef CONFIG_MBEDTLS_SSL_ALPN #define MBEDTLS_SSL_ALPN +#endif /** * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY @@ -1159,7 +1201,9 @@ * * Comment this to disable anti-replay in DTLS. */ +#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_DTLS_ANTI_REPLAY +#endif /** * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY @@ -1177,7 +1221,9 @@ * * Comment this to disable support for HelloVerifyRequest. */ +#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_DTLS_HELLO_VERIFY +#endif /** * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE @@ -1193,7 +1239,9 @@ * * Comment this to disable support for clients reusing the source port. */ +#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE +#endif /** * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT @@ -1204,7 +1252,9 @@ * * Requires: MBEDTLS_SSL_PROTO_DTLS */ +#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT +#endif /** * \def MBEDTLS_SSL_SESSION_TICKETS @@ -1218,7 +1268,9 @@ * * Comment this macro to disable support for SSL session tickets */ +#ifdef CONFIG_MBEDTLS_SSL_SESSION_TICKETS #define MBEDTLS_SSL_SESSION_TICKETS +#endif /** * \def MBEDTLS_SSL_EXPORT_KEYS @@ -1461,7 +1513,9 @@ * * PEM_PARSE uses AES for decrypting encrypted keys. */ +#ifdef CONFIG_MBEDTLS_AES_C #define MBEDTLS_AES_C +#endif /** * \def MBEDTLS_ARC4_C @@ -1484,7 +1538,9 @@ * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA */ +#if defined(CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT) || defined(CONFIG_MBEDTLS_RC4_ENABLED) #define MBEDTLS_ARC4_C +#endif /** * \def MBEDTLS_ASN1_PARSE_C @@ -1549,7 +1605,9 @@ * * Module: library/blowfish.c */ +#ifdef CONFIG_MBEDTLS_BLOWFISH_C #define MBEDTLS_BLOWFISH_C +#endif /** * \def MBEDTLS_CAMELLIA_C @@ -1604,7 +1662,9 @@ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */ +#ifdef CONFIG_MBEDTLS_CAMELLIA_C #define MBEDTLS_CAMELLIA_C +#endif /** * \def MBEDTLS_CCM_C @@ -1618,7 +1678,9 @@ * This module enables the AES-CCM ciphersuites, if other requisites are * enabled as well. */ +#ifdef CONFIG_MBEDTLS_CCM_C #define MBEDTLS_CCM_C +#endif /** * \def MBEDTLS_CERTS_C @@ -1698,7 +1760,9 @@ * * PEM_PARSE uses DES/3DES for decrypting encrypted keys. */ +#ifdef CONFIG_MBEDTLS_DES_C #define MBEDTLS_DES_C +#endif /** * \def MBEDTLS_DHM_C @@ -1816,7 +1880,9 @@ * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other * requisites are enabled as well. */ +#ifdef CONFIG_MBEDTLS_GCM_C #define MBEDTLS_GCM_C +#endif /** * \def MBEDTLS_HAVEGE_C @@ -1986,7 +2052,9 @@ * * This modules adds support for decoding / parsing PEM files. */ +#ifdef CONFIG_MBEDTLS_PEM_PARSE_C #define MBEDTLS_PEM_PARSE_C +#endif /** * \def MBEDTLS_PEM_WRITE_C @@ -2002,7 +2070,9 @@ * * This modules adds support for encoding / writing PEM files. */ +#ifdef CONFIG_MBEDTLS_PEM_WRITE_C #define MBEDTLS_PEM_WRITE_C +#endif /** * \def MBEDTLS_PK_C @@ -2122,7 +2192,9 @@ * Caller: library/mbedtls_md.c * */ +#ifdef CONFIG_MBEDTLS_RIPEMD160_C #define MBEDTLS_RIPEMD160_C +#endif /** * \def MBEDTLS_RSA_C @@ -2236,7 +2308,9 @@ * * This module is required for SSL/TLS client support. */ +#ifdef CONFIG_MBEDTLS_TLS_CLIENT #define MBEDTLS_SSL_CLI_C +#endif /** * \def MBEDTLS_SSL_SRV_C @@ -2250,7 +2324,9 @@ * * This module is required for SSL/TLS server support. */ +#ifdef CONFIG_MBEDTLS_TLS_SERVER #define MBEDTLS_SSL_SRV_C +#endif /** * \def MBEDTLS_SSL_TLS_C @@ -2266,7 +2342,9 @@ * * This module is required for SSL/TLS. */ +#ifdef CONFIG_MBEDTLS_TLS_ENABLED #define MBEDTLS_SSL_TLS_C +#endif /** * \def MBEDTLS_THREADING_C @@ -2357,7 +2435,9 @@ * * This module is required for X.509 CRL parsing. */ +#ifdef CONFIG_MBEDTLS_X509_CRL_PARSE_C #define MBEDTLS_X509_CRL_PARSE_C +#endif /** * \def MBEDTLS_X509_CSR_PARSE_C @@ -2371,7 +2451,9 @@ * * This module is used for reading X.509 certificate request. */ +#ifdef CONFIG_MBEDTLS_X509_CSR_PARSE_C #define MBEDTLS_X509_CSR_PARSE_C +#endif /** * \def MBEDTLS_X509_CREATE_C @@ -2420,7 +2502,9 @@ * Module: library/xtea.c * Caller: */ +#ifdef CONFIG_MBEDTLS_XTEA_C #define MBEDTLS_XTEA_C +#endif /* \} name SECTION: mbed TLS modules */