Symbols
loading...
Files
loading...
SourceVuSTM32 Libraries and SamplesSSL_Server

SSL_Server sample

SSL_Server is a sample project defining the following symbols:

Most used functions

Name
Location
Summary
This function handles NMI exception.
This function handles Hard Fault exception.
This function handles Debug Monitor exception.
This function handles Memory Manage exception.
This function handles Bus Fault exception.
This function handles Usage Fault exception.
This function handles SysTick Handler.
This function handles TIM interrupt request.
Should be called at the beginning of the program to set up the network interface. It calls the function low_level_init() to do the actual setup of the hardware. This function should be passed as a parameter to netif_add().
This function is the ethernetif_input task, it is processed when a packet is ready to be read from the interface. It uses the function low_level_input() that should handle the actual reception of bytes from the network interface. Then the type of the received packet is determined and the appropriate input function is called.
This function handles External lines 9_5 interrupt request.
This function handles ethernet DMA interrupt request.
This function notify user about link status changement.
This function sets the netif link status.
Link callback function, this function is called on change of link status to update low level driver configuration.
Start Thread
LL Driver Interface ( LwIP stack --> ETH) In this function, the hardware should be initialized. Called from ethernetif_init().
This function should do the actual transmission of the packet. The packet is contained in the pbuf that is passed to the function. This pbuf might be chained.
Should allocate a pbuf and transfer the bytes of the incoming packet from the interface into the pbuf.

Other commonly used symbols

Name
Location
Summary
Internal High Speed oscillator (HSI) value. This value is used by the RCC HAL module to compute the system frequency (when HSI is used as system clock source, directly or through the PLL). Value of the Internal oscillator in Hz
Adjust the value of External High Speed oscillator (HSE) used in your application. This value is used by the RCC HAL module to compute the system frequency (when HSE is used as system clock source, directly or through the PLL). Value of the External oscillator in Hz
Miscellaneous Configuration *********************** Vector Table base offset field. This value must be a multiple of 0x200.
@file main.h @author MCD Application Team main application header file. @attention Copyright (c) 2017 STMicroelectronics. All rights reserved. This software is licensed under terms that can be found in the LICENSE file in the root directory of this software component. If no LICENSE file comes with this software, it is provided AS-IS.
@file stm32f4xx_it.h @author MCD Application Team This file contains the headers of the interrupt handlers. @attention Copyright (c) 2017 STMicroelectronics. All rights reserved. This software is licensed under terms that can be found in the LICENSE file in the root directory of this software component. If no LICENSE file comes with this software, it is provided AS-IS.
External clock source for I2S peripheral This value is used by the I2S HAL module to compute the I2S clock source frequency, this source is inserted directly through I2S_CKIN pad. Value of the External oscillator in Hz
tick interrupt priority
Internal Low Speed oscillator (LSI) value.
External Low Speed oscillator (LSE) value. Value of the External Low Speed oscillator in Hz
Time out for HSE start up, in ms
Time out for LSE start up, in ms
@file stm32f4xx_hal_conf.h @author MCD Application Team HAL configuration file. @attention Copyright (c) 2017 STMicroelectronics. All rights reserved. This software is licensed under terms that can be found in the LICENSE file in the root directory of this software component. If no LICENSE file comes with this software, it is provided AS-IS.
This is the list of modules to be used in the HAL driver
This is the HAL system configuration section Value of VDD in mv
Transceiver Basic Control Register
Auto-Negotiation process completed
PHY status register Offset
Transceiver Basic Status Register
PHY Speed mask
Enable auto-negotiation function
PHY Duplex mask
Select the power down mode
Valid link established
PHY Reset
Select loop-back mode
Set the full-duplex mode at 100 Mb/s
Set the half-duplex mode at 100 Mb/s
Set the full-duplex mode at 10 Mb/s
Set the half-duplex mode at 10 Mb/s
Restart auto-negotiation function
Isolate PHY from MII
Jabber condition detected
Uncomment the line below to expanse the "assert_param" macro in the HAL drivers code
MII Interrupt Status and Misc. Control Register
MII Interrupt Control Register
PHY Link mask
PHY Enable interrupts
PHY Enable output interrupt events
Enable Interrupt on change of link status
PHY link status interrupt mask
Portions COPYRIGHT 2016 STMicroelectronics FreeRTOS V9.0.0 - Copyright (C) 2016 Real Time Engineers Ltd. All rights reserved @file FreeRTOSConfig.h @author MCD Application Team the FreeRTOS config header file. @attention Copyright (c) 2017 STMicroelectronics. All rights reserved. This software is licensed under terms that can be found in the LICENSE file in the root directory of this software component. If no LICENSE file comes with this software, it is provided AS-IS.
@file lcd_log_conf.h @author MCD Application Team LCD Log configuration file. @attention Copyright (c) 2017 STMicroelectronics. All rights reserved. This software is licensed under terms that can be found in the LICENSE file in the root directory of this software component. If no LICENSE file comes with this software, it is provided AS-IS.
\def MBEDTLS_ECDSA_C Enable the elliptic curve DSA library. Module: library/ecdsa.c Caller: This module is used by the following key exchanges: ECDHE-ECDSA Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
\def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH Enable support for RFC 6066 max_fragment_length extension in SSL. Comment this macro to disable support for the max_fragment_length extension \def MBEDTLS_SSL_PROTO_SSL3 Enable support for SSL 3.0. Requires: MBEDTLS_MD5_C MBEDTLS_SHA1_C Comment this macro to disable support for SSL 3.0 \def MBEDTLS_SSL_PROTO_TLS1 Enable support for TLS 1.0. Requires: MBEDTLS_MD5_C MBEDTLS_SHA1_C Comment this macro to disable support for TLS 1.0 \def MBEDTLS_SSL_PROTO_TLS1_1 Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). Requires: MBEDTLS_MD5_C MBEDTLS_SHA1_C Comment this macro to disable support for TLS 1.1 / DTLS 1.0 \def MBEDTLS_SSL_PROTO_TLS1_2 Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C (Depends on ciphersuites) Comment this macro to disable support for TLS 1.2 / DTLS 1.2
NO_SYS==1: Provides VERY minimal functionality. Otherwise, use lwIP facilities.
LWIP_NETCONN==1: Enable Netconn API (require to use api_lib.c)
LWIP_SOCKET==1: Enable Socket API (require to use sockets.c)
\def MBEDTLS_ECJPAKE_C Enable the elliptic curve J-PAKE library. \warning This is currently experimental. EC J-PAKE support is based on the Thread v1.0.0 specification; incompatible changes to the specification might still happen. For this reason, this is disabled by default. Module: library/ecjpake.c Caller: This module is used by the following key exchanges: ECJPAKE Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C \def MBEDTLS_ECP_C Enable the elliptic curve over GF(p) library. Module: library/ecp.c Caller: library/ecdh.c library/ecdsa.c library/ecjpake.c Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
\def MBEDTLS_X509_CRT_PARSE_C Enable X.509 certificate parsing. Module: library/x509_crt.c Caller: library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c Requires: MBEDTLS_X509_USE_C This module is required for X.509 certificate parsing.
\def MBEDTLS_PK_WRITE_C Enable the generic public (asymmetric) key writer. Module: library/pkwrite.c Caller: library/x509write.c Requires: MBEDTLS_PK_C Uncomment to enable generic public key write functions. \def MBEDTLS_PKCS5_C Enable PKCS#5 functions. Module: library/pkcs5.c Requires: MBEDTLS_MD_C This module adds support for the PKCS#5 functions. \def MBEDTLS_PKCS11_C Enable wrapper for PKCS#11 smartcard support. Module: library/pkcs11.c Caller: library/pk.c Requires: MBEDTLS_PK_C This module enables SSL/TLS PKCS #11 smartcard support. Requires the presence of the PKCS#11 helper library (libpkcs11-helper) \def MBEDTLS_PKCS12_C Enable PKCS#12 PBE functions. Adds algorithms for parsing PKCS#8 encrypted private keys Module: library/pkcs12.c Caller: library/pkparse.c Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C Can use: MBEDTLS_ARC4_C This module enables PKCS#12 functions. \def MBEDTLS_PLATFORM_C Enable the platform abstraction layer that allows you to re-assign functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned above to be specified at runtime or compile time respectively. Module: library/platform.c Caller: Most other .c files This module enables abstraction of common (libc) functions. \def MBEDTLS_POLY1305_C Enable the Poly1305 MAC algorithm. Module: library/poly1305.c Caller: library/chachapoly.c \def MBEDTLS_RIPEMD160_C Enable the RIPEMD-160 hash algorithm. Module: library/ripemd160.c Caller: library/md.c \def MBEDTLS_RSA_C Enable the RSA public-key cryptosystem. Module: library/rsa.c library/rsa_internal.c Caller: library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c library/x509.c This module is used by the following key exchanges: RSA, DHE-RSA, ECDHE-RSA, RSA-PSK Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C \def MBEDTLS_SHA1_C Enable the SHA1 cryptographic hash algorithm. Module: library/sha1.c Caller: library/md.c library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c library/x509write_crt.c This module is required for SSL/TLS up to version 1.1, for TLS 1.2 depending on the handshake parameters, and for SHA1-signed certificates. \warning SHA-1 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead. \def MBEDTLS_SHA256_C Enable the SHA-224 and SHA-256 cryptographic hash algorithms. Module: library/sha256.c Caller: library/entropy.c library/md.c library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c This module adds support for SHA-224 and SHA-256. This module is required for the SSL/TLS 1.2 PRF function.
\def MBEDTLS_SHA512_C Enable the SHA-384 and SHA-512 cryptographic hash algorithms. Module: library/sha512.c Caller: library/entropy.c library/md.c library/ssl_cli.c library/ssl_srv.c This module adds support for SHA-384 and SHA-512.
\def MBEDTLS_SSL_SRV_C Enable the SSL/TLS server code. Module: library/ssl_srv.c Caller: Requires: MBEDTLS_SSL_TLS_C This module is required for SSL/TLS server support.
\def MBEDTLS_SSL_CACHE_C Enable simple SSL cache implementation. Module: library/ssl_cache.c Caller: Requires: MBEDTLS_SSL_CACHE_C \def MBEDTLS_SSL_COOKIE_C Enable basic implementation of DTLS cookies for hello verification. Module: library/ssl_cookie.c Caller: \def MBEDTLS_SSL_TICKET_C Enable an implementation of TLS server-side callbacks for session tickets. Module: library/ssl_ticket.c Caller: Requires: MBEDTLS_CIPHER_C \def MBEDTLS_SSL_CLI_C Enable the SSL/TLS client code. Module: library/ssl_cli.c Caller: Requires: MBEDTLS_SSL_TLS_C This module is required for SSL/TLS client support.
@file ethernetif.h @author MCD Application Team Ethernet interface header file. @attention Copyright (c) 2017 STMicroelectronics. All rights reserved. This software is licensed under terms that can be found in the LICENSE file in the root directory of this software component. If no LICENSE file comes with this software, it is provided AS-IS.
@file lwipopts.h @author MCD Application Team lwIP Options Configuration. @attention Copyright (c) 2017 STMicroelectronics. All rights reserved. This software is licensed under terms that can be found in the LICENSE file in the root directory of this software component. If no LICENSE file comes with this software, it is provided AS-IS.
\def MBEDTLS_DEBUG_C Enable the debug functions. Module: library/debug.c Caller: library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c This module provides debugging functions. \def MBEDTLS_DES_C Enable the DES block cipher. Module: library/des.c Caller: library/pem.c library/cipher.c This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA PEM_PARSE uses DES/3DES for decrypting encrypted keys. \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead. \def MBEDTLS_DHM_C Enable the Diffie-Hellman-Merkle module. Module: library/dhm.c Caller: library/ssl_cli.c library/ssl_srv.c This module is used by the following key exchanges: DHE-RSA, DHE-PSK \warning Using DHE constitutes a security risk as it is not possible to validate custom DH parameters. If possible, it is recommended users should consider preferring other methods of key exchange. See dhm.h for more details. \def MBEDTLS_ECDH_C Enable the elliptic curve Diffie-Hellman library. Module: library/ecdh.c Caller: library/ssl_cli.c library/ssl_srv.c This module is used by the following key exchanges: ECDHE-ECDSA, ECDHE-RSA, DHE-PSK Requires: MBEDTLS_ECP_C
\def MBEDTLS_ERROR_C Enable error code to error string conversion. Module: library/error.c Caller: This module enables mbedtls_strerror(). \def MBEDTLS_GCM_C Enable the Galois/Counter Mode (GCM) for AES. Module: library/gcm.c Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other requisites are enabled as well.
SYS_LIGHTWEIGHT_PROT==1: if you want inter-task protection for certain critical regions during buffer allocation, deallocation and memory allocation and deallocation.
\def MBEDTLS_PADLOCK_C Enable VIA Padlock support on x86. Module: library/padlock.c Caller: library/aes.c Requires: MBEDTLS_HAVE_ASM This modules adds support for the VIA PadLock on x86. \def MBEDTLS_PEM_PARSE_C Enable PEM decoding / parsing. Module: library/pem.c Caller: library/dhm.c library/pkparse.c library/x509_crl.c library/x509_crt.c library/x509_csr.c Requires: MBEDTLS_BASE64_C This modules adds support for decoding / parsing PEM files.
\def MBEDTLS_ECP_RESTARTABLE Enable "non-blocking" ECC operations that can return early and be resumed. This allows various functions to pause by returning #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module, #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in order to further progress and eventually complete their operation. This is controlled through mbedtls_ecp_set_max_ops() which limits the maximum number of ECC operations a function may perform before pausing; see mbedtls_ecp_set_max_ops() for more information. This is useful in non-threaded environments if you want to avoid blocking for too long on ECC (and, hence, X.509 or SSL/TLS) operations. Uncomment this macro to enable restartable ECC computations. \def MBEDTLS_ECDSA_DETERMINISTIC Enable deterministic ECDSA (RFC 6979). Standard ECDSA is "fragile" in the sense that lack of entropy when signing may result in a compromise of the long-term signing key. This is avoided by the deterministic variant. Requires: MBEDTLS_HMAC_DRBG_C Comment this macro to disable deterministic ECDSA. \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED Enable the PSK based ciphersuite modes in SSL / TLS. This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_PSK_WITH_RC4_128_SHA \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED Enable the DHE-PSK based ciphersuite modes in SSL / TLS. Requires: MBEDTLS_DHM_C This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA \warning Using DHE constitutes a security risk as it is not possible to validate custom DH parameters. If possible, it is recommended users should consider preferring other methods of key exchange. See dhm.h for more details. \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. Requires: MBEDTLS_ECDH_C This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED Enable the RSA-PSK based ciphersuite modes in SSL / TLS. Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED Enable the RSA-only based ciphersuite modes in SSL / TLS. Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED Enable the DHE-RSA based ciphersuite modes in SSL / TLS. Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA \warning Using DHE constitutes a security risk as it is not possible to validate custom DH parameters. If possible, it is recommended users should consider preferring other methods of key exchange. See dhm.h for more details. \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C, This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
\def MBEDTLS_AESNI_C Enable AES-NI support on x86-64. Module: library/aesni.c Caller: library/aes.c Requires: MBEDTLS_HAVE_ASM This modules adds support for the AES-NI instructions on x86-64 \def MBEDTLS_AES_C Enable the AES block cipher. Module: library/aes.c Caller: library/cipher.c library/pem.c library/ctr_drbg.c This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA PEM_PARSE uses AES for decrypting encrypted keys.
\def MBEDTLS_BIGNUM_C Enable the multi-precision integer library. Module: library/bignum.c Caller: library/dhm.c library/ecp.c library/ecdsa.c library/rsa.c library/rsa_internal.c library/ssl_tls.c This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
\def MBEDTLS_SSL_TLS_C Enable the generic SSL/TLS code. Module: library/ssl_tls.c Caller: library/ssl_cli.c library/ssl_srv.c Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C and at least one of the MBEDTLS_SSL_PROTO_XXX defines This module is required for SSL/TLS.
\def MBEDTLS_ENTROPY_C Enable the platform-specific entropy code. Module: library/entropy.c Caller: Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C This module provides a generic entropy pool
\def MBEDTLS_MD2_C Enable the MD2 hash algorithm. Module: library/md2.c Caller: Uncomment to enable support for (rare) MD2-signed X.509 certs. \warning MD2 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead. \def MBEDTLS_MD4_C Enable the MD4 hash algorithm. Module: library/md4.c Caller: Uncomment to enable support for (rare) MD4-signed X.509 certs. \warning MD4 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead. \def MBEDTLS_MD5_C Enable the MD5 hash algorithm. Module: library/md5.c Caller: library/md.c library/pem.c library/ssl_tls.c This module is required for SSL/TLS up to version 1.1, and for TLS 1.2 depending on the handshake parameters. Further, it is used for checking MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded encrypted keys. \warning MD5 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead. \def MBEDTLS_MEMORY_BUFFER_ALLOC_C Enable the buffer allocator implementation that makes use of a (stack) based buffer to 'allocate' dynamic memory. (replaces calloc() and free() calls) Module: library/memory_buffer_alloc.c Requires: MBEDTLS_PLATFORM_C MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) Enable this module to enable the buffer memory allocator. \def MBEDTLS_NET_C Enable the TCP and UDP over IPv6/IPv4 networking routines. Module: library/net_sockets.c This module provides networking routines.
\def MBEDTLS_ECP_DP_SECP192R1_ENABLED MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve module. By default all supported curves are enabled. Comment macros to disable the curve and functions for it
\def MBEDTLS_HAVEGE_C Enable the HAVEGE random generator. Warning: the HAVEGE random generator is not suitable for virtualized environments Warning: the HAVEGE random generator is dependent on timing and specific processor traits. It is therefore not advised to use HAVEGE as your applications primary random generator or primary entropy pool input. As a secondary input to your entropy pool, it IS able add the (limited) extra entropy it provides. Module: library/havege.c Caller: Requires: MBEDTLS_TIMING_C Uncomment to enable the HAVEGE random generator. \def MBEDTLS_HKDF_C Enable the HKDF algorithm (RFC 5869). Module: library/hkdf.c Caller: Requires: MBEDTLS_MD_C This module adds support for the Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF). \def MBEDTLS_HMAC_DRBG_C Enable the HMAC_DRBG random generator. Module: library/hmac_drbg.c Caller: Requires: MBEDTLS_MD_C Uncomment to enable the HMAC_DRBG random number geerator. \def MBEDTLS_NIST_KW_C Enable the Key Wrapping mode for 128-bit block ciphers, as defined in NIST SP 800-38F. Only KW and KWP modes are supported. At the moment, only AES is approved by NIST. Module: library/nist_kw.c Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C \def MBEDTLS_MD_C Enable the generic message digest layer. Module: library/md.c Caller: Uncomment to enable generic message digest wrappers.
\def MBEDTLS_PEM_WRITE_C Enable PEM encoding / writing. Module: library/pem.c Caller: library/pkwrite.c library/x509write_crt.c library/x509write_csr.c Requires: MBEDTLS_BASE64_C This modules adds support for encoding / writing PEM files. \def MBEDTLS_PK_C Enable the generic public (asymmetric) key layer. Module: library/pk.c Caller: library/ssl_tls.c library/ssl_cli.c library/ssl_srv.c Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C Uncomment to enable generic public key wrappers.
\def MBEDTLS_TIMING_ALT Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(), mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay() Only works if you have MBEDTLS_TIMING_C enabled. You will need to provide a header "timing_alt.h" and an implementation at compile time. \def MBEDTLS_AES_ALT MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your alternate core implementation of a symmetric crypto, an arithmetic or hash module (e.g. platform specific assembly optimized implementations). Keep in mind that the function prototypes should remain the same. This replaces the whole module. If you only want to replace one of the functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags. Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer provide the "struct mbedtls_aes_context" definition and omit the base function declarations and implementations. "aes_alt.h" will be included from "aes.h" to include the new function definitions. Uncomment a macro to enable alternate implementation of the corresponding module. \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their use constitutes a security risk. If possible, we recommend avoiding dependencies on them, and considering stronger message digests and ciphers instead. \def MBEDTLS_MD2_PROCESS_ALT MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you alternate core implementation of symmetric crypto or hash function. Keep in mind that function prototypes should remain the same. This replaces only one function. The header file from mbed TLS is still used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags. Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will no longer provide the mbedtls_sha1_process() function, but it will still provide the other function (using your mbedtls_sha1_process() function) and the definition of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible with this definition. Uncomment a macro to enable alternate implementation of the corresponding function. \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use constitutes a security risk. If possible, we recommend avoiding dependencies on them, and considering stronger message digests and ciphers instead. \def MBEDTLS_ECP_INTERNAL_ALT Expose a part of the internal interface of the Elliptic Curve Point module. MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your alternative core implementation of elliptic curve arithmetic. Keep in mind that function prototypes should remain the same. This partially replaces one function. The header file from mbed TLS is still used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation is still present and it is used for group structures not supported by the alternative. Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT and implementing the following functions: unsigned char mbedtls_internal_ecp_grp_capable( const mbedtls_ecp_group *grp ) int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ) void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp ) The mbedtls_internal_ecp_grp_capable function should return 1 if the replacement functions implement arithmetic for the given group and 0 otherwise. The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are called before and after each point operation and provide an opportunity to implement optimized set up and tear down instructions. Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac function, but will use your mbedtls_internal_ecp_double_jac if the group is supported (your mbedtls_internal_ecp_grp_capable function returns 1 when receives it as an argument). If the group is not supported then the original implementation is used. The other functions and the definition of mbedtls_ecp_group and mbedtls_ecp_point will not change, so your implementation of mbedtls_internal_ecp_double_jac and mbedtls_internal_ecp_grp_capable must be compatible with this definition. Uncomment a macro to enable alternate implementation of the corresponding function. \def MBEDTLS_TEST_NULL_ENTROPY Enables testing and use of mbed TLS without any configured entropy sources. This permits use of the library on platforms before an entropy source has been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the MBEDTLS_ENTROPY_NV_SEED switches). WARNING! This switch MUST be disabled in production builds, and is suitable only for development. Enabling the switch negates any security provided by the library. Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES \def MBEDTLS_ENTROPY_HARDWARE_ALT Uncomment this macro to let mbed TLS use your own implementation of a hardware entropy collector. Your function must be called \c mbedtls_hardware_poll(), have the same prototype as declared in entropy_poll.h, and accept NULL as first argument. Uncomment to use your own hardware entropy collector.
\def MBEDTLS_ECP_DP_SECP192R1_ENABLED MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve module. By default all supported curves are enabled. Comment macros to disable the curve and functions for it
\def MBEDTLS_BLOWFISH_C Enable the Blowfish block cipher. Module: library/blowfish.c \def MBEDTLS_CAMELLIA_C Enable the Camellia block cipher. Module: library/camellia.c Caller: library/cipher.c This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
\def MBEDTLS_THREADING_C Enable the threading abstraction layer. By default mbed TLS assumes it is used in a non-threaded environment or that contexts are not shared between threads. If you do intend to use contexts between threads, you will need to enable this layer to prevent race conditions. See also our Knowledge Base article about threading: https://tls.mbed.org/kb/development/thread-safety-and-multi-threading Module: library/threading.c This allows different threading implementations (self-implemented or provided). You will have to enable either MBEDTLS_THREADING_ALT or MBEDTLS_THREADING_PTHREAD. Enable this layer to allow use of mutexes within mbed TLS \def MBEDTLS_TIMING_C Enable the semi-portable timing interface. Module: library/timing.c Caller: library/havege.c This module is used by the HAVEGE random number generator. \def MBEDTLS_VERSION_C Enable run-time version information. Module: library/version.c This module provides run-time version information. \def MBEDTLS_X509_USE_C Enable X.509 core for using certificates. Module: library/x509.c Caller: library/x509_crl.c library/x509_crt.c library/x509_csr.c Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C This module is required for the X.509 parsing modules.
\def MBEDTLS_CHACHA20_C Enable the ChaCha20 stream cipher. Module: library/chacha20.c \def MBEDTLS_CHACHAPOLY_C Enable the ChaCha20-Poly1305 AEAD algorithm. Module: library/chachapoly.c This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C \def MBEDTLS_CIPHER_C Enable the generic cipher layer. Module: library/cipher.c Caller: library/ssl_tls.c Uncomment to enable generic cipher wrappers.
\def MBEDTLS_PK_PARSE_C Enable the generic public (asymmetric) key parser. Module: library/pkparse.c Caller: library/x509_crt.c library/x509_csr.c Requires: MBEDTLS_PK_C Uncomment to enable generic public key parse functions.
\def MBEDTLS_CMAC_C Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers. Module: library/cmac.c Requires: MBEDTLS_AES_C or MBEDTLS_DES_C \def MBEDTLS_CTR_DRBG_C Enable the CTR_DRBG AES-based random generator. The CTR_DRBG generator uses AES-256 by default. To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below. Module: library/ctr_drbg.c Caller: Requires: MBEDTLS_AES_C This module provides the CTR_DRBG AES random number generator.
\def MBEDTLS_HAVE_ASM The compiler has support for asm(). Requires support for asm() in compiler. Used in: library/aria.c library/timing.c include/mbedtls/bn_mul.h Required by: MBEDTLS_AESNI_C MBEDTLS_PADLOCK_C Comment to disable the use of assembly code.
\def MBEDTLS_ARC4_C Enable the ARCFOUR stream cipher. Module: library/arc4.c Caller: library/cipher.c This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_PSK_WITH_RC4_128_SHA \warning ARC4 is considered a weak cipher and its use constitutes a security risk. If possible, we recommend avoidng dependencies on it, and considering stronger ciphers instead. \def MBEDTLS_ASN1_PARSE_C Enable the generic ASN1 parser. Module: library/asn1.c Caller: library/x509.c library/dhm.c library/pkcs12.c library/pkcs5.c library/pkparse.c
\def MBEDTLS_ARIA_C Enable the ARIA block cipher. Module: library/aria.c Caller: library/cipher.c This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 \def MBEDTLS_CCM_C Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. Module: library/ccm.c Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C This module enables the AES-CCM ciphersuites, if other requisites are enabled as well. \def MBEDTLS_CERTS_C Enable the test certificates. Module: library/certs.c Caller: This module is used for testing (ssl_client/server).
\def MBEDTLS_OID_C Enable the OID database. Module: library/oid.c Caller: library/asn1write.c library/pkcs5.c library/pkparse.c library/pkwrite.c library/rsa.c library/x509.c library/x509_create.c library/x509_crl.c library/x509_crt.c library/x509_csr.c library/x509write_crt.c library/x509write_csr.c This modules translates between OIDs and internal values.
\def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED Enable the ECJPAKE based ciphersuite modes in SSL / TLS. \warning This is currently experimental. EC J-PAKE support is based on the Thread v1.0.0 specification; incompatible changes to the specification might still happen. For this reason, this is disabled by default. Requires: MBEDTLS_ECJPAKE_C MBEDTLS_SHA256_C MBEDTLS_ECP_DP_SECP256R1_ENABLED This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 \def MBEDTLS_PK_PARSE_EC_EXTENDED Enhance support for reading EC keys using variants of SEC1 not allowed by RFC 5915 and RFC 5480. Currently this means parsing the SpecifiedECDomain choice of EC parameters (only known groups are supported, not arbitrary domains, to avoid validation issues). Disable if you only need to support RFC 5915 + 5480 key formats. \def MBEDTLS_ERROR_STRERROR_DUMMY Enable a dummy error function to make use of mbedtls_strerror() in third party libraries easier when MBEDTLS_ERROR_C is disabled (no effect when MBEDTLS_ERROR_C is enabled). You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're not using mbedtls_strerror() or error_strerror() in your application. Disable if you run into name conflicts and want to really remove the mbedtls_strerror() \def MBEDTLS_GENPRIME Enable the prime-number generation code. Requires: MBEDTLS_BIGNUM_C \def MBEDTLS_FS_IO Enable functions that use the filesystem. \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES Do not add default entropy sources. These are the platform specific, mbedtls_timing_hardclock and HAVEGE based poll functions. This is useful to have more control over the added entropy sources in an application. Uncomment this macro to prevent loading of default entropy functions. \def MBEDTLS_NO_PLATFORM_ENTROPY Do not use built-in platform entropy functions. This is useful if your platform does not support standards like the /dev/urandom or Windows CryptoAPI. Uncomment this macro to disable the built-in platform entropy functions.
\def MBEDTLS_ASN1_WRITE_C Enable the generic ASN1 writer. Module: library/asn1write.c Caller: library/ecdsa.c library/pkwrite.c library/x509_create.c library/x509write_crt.c library/x509write_csr.c
\def MBEDTLS_BASE64_C Enable the Base64 module. Module: library/base64.c Caller: library/pem.c This module is required for PEM support (required by X.509).
This macro is invoked by the library when an invalid parameter is detected that is only checked with MBEDTLS_CHECK_PARAMS (see the documentation of that option for context). When you leave this undefined here, a default definition is provided that invokes the function mbedtls_param_failed(), which is declared in platform_util.h for the benefit of the library, but that you need to define in your application. When you define this here, this replaces the default definition in platform_util.h (which no longer declares the function mbedtls_param_failed()) and it is your responsibility to make sure this macro expands to something suitable (in particular, that all the necessary declarations are visible from within the library - you can ensure that by providing them in this file next to the macro definition). Note that you may define this macro to expand to nothing, in which case you don't have to worry about declarations or definitions. However, you will then be notified about invalid parameters only in non-void functions, and void function will just silently return early on invalid parameters, which partially negates the benefits of enabling #MBEDTLS_CHECK_PARAMS in the first place, so is discouraged. \def MBEDTLS_SSL_MAX_CONTENT_LEN Maximum length (in bytes) of incoming and outgoing plaintext fragments. This determines the size of both the incoming and outgoing TLS I/O buffers in such a way that both are capable of holding the specified amount of plaintext data, regardless of the protection mechanism used. To configure incoming and outgoing I/O buffers separately, use #MBEDTLS_SSL_IN_CONTENT_LEN and #MBEDTLS_SSL_OUT_CONTENT_LEN, which overwrite the value set by this option. Uncomment to set the maximum plaintext size of both incoming and outgoing I/O buffers. \def MBEDTLS_SSL_IN_CONTENT_LEN Maximum length (in bytes) of incoming plaintext fragments. This determines the size of the incoming TLS I/O buffer in such a way that it is capable of holding the specified amount of plaintext data, regardless of the protection mechanism used. If this option is undefined, it inherits its value from #MBEDTLS_SSL_MAX_CONTENT_LEN. Uncomment to set the maximum plaintext size of the incoming I/O buffer independently of the outgoing I/O buffer. \def MBEDTLS_SSL_OUT_CONTENT_LEN Maximum length (in bytes) of outgoing plaintext fragments. This determines the size of the outgoing TLS I/O buffer in such a way that it is capable of holding the specified amount of plaintext data, regardless of the protection mechanism used. If this option undefined, it inherits its value from #MBEDTLS_SSL_MAX_CONTENT_LEN. It is possible to save RAM by setting a smaller outward buffer, while keeping the default inward 16384 byte buffer to conform to the TLS specification. The minimum required outward buffer size is determined by the handshake protocol's usage. Handshaking will fail if the outward buffer is too small. The specific size requirement depends on the configured ciphers and any certificate data which is sent during the handshake. Uncomment to set the maximum plaintext size of the outgoing I/O buffer independently of the incoming I/O buffer. \def MBEDTLS_SSL_DTLS_MAX_BUFFERING Maximum number of heap-allocated bytes for the purpose of DTLS handshake message reassembly and future message buffering. This should be at least 9/8 * MBEDTLSSL_IN_CONTENT_LEN to account for a reassembled handshake message of maximum size, together with its reassembly bitmap. A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default) should be sufficient for all practical situations as it allows to reassembly a large handshake message (such as a certificate) while buffering multiple smaller handshake messages. Complete list of ciphersuites to use, in order of preference. \warning No dependency checking is done on that field! This option can only be used to restrict the set of available ciphersuites. It is your responsibility to make sure the needed modules are active. Use this to save a few hundred bytes of ROM (default ordering of all available ciphersuites) and a few to a few hundred bytes of RAM. The value below is only an example, not the default. Allow SHA-1 in the default TLS configuration for certificate signing. Without this build-time option, SHA-1 support must be activated explicitly through mbedtls_ssl_conf_cert_profile. Turning on this option is not recommended because of it is possible to generate SHA-1 collisions, however this may be safe for legacy infrastructure where additional controls apply. \warning SHA-1 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead. Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake signature and ciphersuite selection. Without this build-time option, SHA-1 support must be activated explicitly through mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by default. At the time of writing, there is no practical attack on the use of SHA-1 in handshake signatures, hence this option is turned on by default to preserve compatibility with existing peers, but the general warning applies nonetheless: \warning SHA-1 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead. Uncomment the macro to let mbed TLS use your alternate implementation of mbedtls_platform_zeroize(). This replaces the default implementation in platform_util.c. mbedtls_platform_zeroize() is a widely used function across the library to zero a block of memory. The implementation is expected to be secure in the sense that it has been written to prevent the compiler from removing calls to mbedtls_platform_zeroize() as part of redundant code elimination optimizations. However, it is difficult to guarantee that calls to mbedtls_platform_zeroize() will not be optimized by the compiler as older versions of the C language standards do not provide a secure implementation of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to configure their own implementation of mbedtls_platform_zeroize(), for example by using directives specific to their compiler, features from newer C standards (e.g using memset_s() in C11) or calling a secure memset() from their system (e.g explicit_bzero() in BSD). Uncomment the macro to let Mbed TLS use your alternate implementation of mbedtls_platform_gmtime_r(). This replaces the default implementation in platform_util.c. gmtime() is not a thread-safe function as defined in the C standard. The library will try to use safer implementations of this function, such as gmtime_r() when available. However, if Mbed TLS cannot identify the target system, the implementation of mbedtls_platform_gmtime_r() will default to using the standard gmtime(). In this case, calls from the library to gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the library are also guarded with this mutex to avoid race conditions. However, if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will unconditionally use the implementation for mbedtls_platform_gmtime_r() supplied at compile time.
\def MBEDTLS_AES_ROM_TABLES Use precomputed AES tables stored in ROM. Uncomment this macro to use precomputed AES tables stored in ROM. Comment this macro to generate AES tables in RAM at runtime. Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the initialization time before the first AES operation can be performed. It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded performance if ROM access is slower than RAM access. This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
\def MBEDTLS_ECP_NIST_OPTIM Enable specific 'modulo p' routines for each NIST prime. Depending on the prime and architecture, makes operations 4 to 8 times faster on the corresponding curve. Comment this macro to disable NIST curves optimisation.
\def MBEDTLS_NO_UDBL_DIVISION The platform lacks support for double-width integer division (64-bit division on a 32-bit platform, 128-bit division on a 64-bit platform). Used in: include/mbedtls/bignum.h library/bignum.c The bignum code uses double-width division to speed up some operations. Double-width division is often implemented in software that needs to be linked with the program. The presence of a double-width integer type is usually detected automatically through preprocessor macros, but the automatic detection cannot know whether the code needs to and can be linked with an implementation of division for that type. By default division is assumed to be usable if the type is present. Uncomment this option to prevent the use of double-width division. Note that division for the native integer type is always required. Furthermore, a 64-bit type is always required even on a 32-bit platform, but it need not support multiplication or division. In some cases it is also desirable to disable some double-width operations. For example, if double-width division is implemented in software, disabling it can reduce code size in some embedded targets.
\def MBEDTLS_ENTROPY_FORCE_SHA256 Force the entropy accumulator to use a SHA-256 accumulator instead of the default SHA-512 based one (if both are available). Requires: MBEDTLS_SHA256_C On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option if you have performance concerns. This option is only useful if both MBEDTLS_SHA256_C and MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. \def MBEDTLS_ENTROPY_NV_SEED Enable the non-volatile (NV) seed file-based entropy source. (Also enables the NV seed read/write functions in the platform layer) This is crucial (if not required) on systems that do not have a cryptographic entropy source (in hardware or kernel) available. Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C \def MBEDTLS_MEMORY_DEBUG Enable debugging of buffer allocator memory issues. Automatically prints (to stderr) all (fatal) messages on memory allocation issues. Enables function for 'debug output' of allocated memory. Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C Uncomment this macro to let the buffer allocator print out error messages. \def MBEDTLS_MEMORY_BACKTRACE Include backtrace information with each allocated block. Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C GLIBC-compatible backtrace() an backtrace_symbols() support Uncomment this macro to include backtrace information \def MBEDTLS_PK_RSA_ALT_SUPPORT Support external private RSA keys (eg from a HSM) in the PK layer. Comment this macro to disable support for external private RSA keys. \def MBEDTLS_PKCS1_V15 Enable support for PKCS#1 v1.5 encoding. Requires: MBEDTLS_RSA_C This enables support for PKCS#1 v1.5 operations. \def MBEDTLS_PKCS1_V21 Enable support for PKCS#1 v2.1 encoding. Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C This enables support for RSAES-OAEP and RSASSA-PSS operations. \def MBEDTLS_RSA_NO_CRT Do not use the Chinese Remainder Theorem for the RSA private operation. Uncomment this macro to disable the use of CRT in RSA. \def MBEDTLS_SELF_TEST Enable the checkup functions (*_self_test). \def MBEDTLS_SHA256_SMALLER Enable an implementation of SHA-256 that has lower ROM footprint but also lower performance. The default implementation is meant to be a reasonable compromise between performance and size. This version optimizes more aggressively for size at the expense of performance. Eg on Cortex-M4 it reduces the size of mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about 30%. Uncomment to enable the smaller implementation of SHA256. \def MBEDTLS_SSL_ALL_ALERT_MESSAGES Enable sending of alert messages in case of encountered errors as per RFC. If you choose not to send the alert messages, mbed TLS can still communicate with other servers, only debugging of failures is harder. The advantage of not sending alert messages, is that no information is given about reasons for failures thus preventing adversaries of gaining intel. Enable sending of all alert messages \def MBEDTLS_SSL_ASYNC_PRIVATE Enable asynchronous external private key operations in SSL. This allows you to configure an SSL connection to call an external cryptographic module to perform private key operations instead of performing the operation inside the library. \def MBEDTLS_SSL_DEBUG_ALL Enable the debug messages in SSL module for all issues. Debug messages have been disabled in some places to prevent timing attacks due to (unbalanced) debugging function calls. If you need all error reporting you should enable this during debugging, but remove this for production servers that should log as well. Uncomment this macro to report all debug messages on errors introducing a timing side-channel. \def MBEDTLS_SSL_ENCRYPT_THEN_MAC Enable support for Encrypt-then-MAC, RFC 7366. This allows peers that both support it to use a more robust protection for ciphersuites using CBC, providing deep resistance against timing attacks on the padding or underlying cipher. This only affects CBC ciphersuites, and is useless if none is defined. Requires: MBEDTLS_SSL_PROTO_TLS1 or MBEDTLS_SSL_PROTO_TLS1_1 or MBEDTLS_SSL_PROTO_TLS1_2 Comment this macro to disable support for Encrypt-then-MAC \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET Enable support for Extended Master Secret, aka Session Hash (draft-ietf-tls-session-hash-02). This was introduced as "the proper fix" to the Triple Handshake family of attacks, but it is recommended to always use it (even if you disable renegotiation), since it actually fixes a more fundamental issue in the original SSL/TLS design, and has implications beyond Triple Handshake. Requires: MBEDTLS_SSL_PROTO_TLS1 or MBEDTLS_SSL_PROTO_TLS1_1 or MBEDTLS_SSL_PROTO_TLS1_2 Comment this macro to disable support for Extended Master Secret. \def MBEDTLS_SSL_FALLBACK_SCSV Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00). For servers, it is recommended to always enable this, unless you support only one version of TLS, or know for sure that none of your clients implements a fallback strategy. For clients, you only need this if you're using a fallback strategy, which is not recommended in the first place, unless you absolutely need it to interoperate with buggy (version-intolerant) servers. Comment this macro to disable support for FALLBACK_SCSV \def MBEDTLS_SSL_HW_RECORD_ACCEL Enable hooking functions in SSL module for hardware acceleration of individual records. Uncomment this macro to enable hooking functions. \def MBEDTLS_SSL_CBC_RECORD_SPLITTING Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0. This is a countermeasure to the BEAST attack, which also minimizes the risk of interoperability issues compared to sending 0-length records. Comment this macro to disable 1/n-1 record splitting. \def MBEDTLS_SSL_RENEGOTIATION Enable support for TLS renegotiation. The two main uses of renegotiation are (1) refresh keys on long-lived connections and (2) client authentication after the initial handshake. If you don't need renegotiation, it's probably better to disable it, since it has been associated with security issues in the past and is easy to misuse/misunderstand. Comment this to disable support for renegotiation. \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO Enable support for receiving and parsing SSLv2 Client Hello messages for the SSL Server module (MBEDTLS_SSL_SRV_C). Uncomment this macro to enable support for SSLv2 Client Hello messages. \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE Pick the ciphersuite according to the client's preferences rather than ours in the SSL Server module (MBEDTLS_SSL_SRV_C). Uncomment this macro to respect client's ciphersuite order
Portions COPYRIGHT 2016 STMicroelectronics Copyright (C) 2006-2015, ARM Limited, All Rights Reserved @file mbedtls_config.h @author MCD Application Team the mbedtls custom config header file. @attention Copyright (c) 2017 STMicroelectronics. All rights reserved. This software is licensed under terms that can be found in the LICENSE file in the root directory of this software component. If no LICENSE file comes with this software, it is provided AS-IS.
\def MBEDTLS_AES_FEWER_TABLES Use less ROM/RAM for AES tables. Uncommenting this macro omits 75% of the AES tables from ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) by computing their values on the fly during operations (the tables are entry-wise rotations of one another). Tradeoff: Uncommenting this reduces the RAM / ROM footprint by ~6kb but at the cost of more arithmetic operations during runtime. Specifically, one has to compare 4 accesses within different tables to 4 accesses with additional arithmetic operations within the same table. The performance gain/loss depends on the system and memory details. This option is independent of \c MBEDTLS_AES_ROM_TABLES. \def MBEDTLS_CAMELLIA_SMALL_MEMORY Use less ROM for the Camellia implementation (saves about 768 bytes). Uncomment this macro to use less memory for Camellia. \def MBEDTLS_CIPHER_MODE_CBC Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. \def MBEDTLS_CIPHER_MODE_CFB Enable Cipher Feedback mode (CFB) for symmetric ciphers. \def MBEDTLS_CIPHER_MODE_CTR Enable Counter Block Cipher mode (CTR) for symmetric ciphers. \def MBEDTLS_CIPHER_MODE_OFB Enable Output Feedback mode (OFB) for symmetric ciphers. \def MBEDTLS_CIPHER_MODE_XTS Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. \def MBEDTLS_CIPHER_NULL_CIPHER Enable NULL cipher. Warning: Only do so when you know what you are doing. This allows for encryption or channels without any security! Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable the following ciphersuites: MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_RSA_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_WITH_NULL_SHA MBEDTLS_TLS_RSA_WITH_NULL_MD5 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA MBEDTLS_TLS_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_PSK_WITH_NULL_SHA Uncomment this macro to enable the NULL cipher and ciphersuites \def MBEDTLS_CIPHER_PADDING_PKCS7 MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for specific padding modes in the cipher layer with cipher modes that support padding (e.g. CBC) If you disable all padding modes, only full blocks can be used with CBC. Enable padding modes in the cipher layer. \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES Enable weak ciphersuites in SSL / TLS. Warning: Only do so when you know what you are doing. This allows for channels with virtually no security at all! This enables the following ciphersuites: MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA Uncomment this macro to enable weak ciphersuites \warning DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead. \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES Remove RC4 ciphersuites by default in SSL / TLS. This flag removes the ciphersuites based on RC4 from the default list as returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them explicitly. Uncomment this macro to remove RC4 ciphersuites by default. \def MBEDTLS_REMOVE_3DES_CIPHERSUITES Remove 3DES ciphersuites by default in SSL / TLS. This flag removes the ciphersuites based on 3DES from the default list as returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them explicitly. A man-in-the-browser attacker can recover authentication tokens sent through a TLS connection using a 3DES based cipher suite (see "On the Practical (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Ga�tan Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls in your threat model or you are unsure, then you should keep this option enabled to remove 3DES based cipher suites. Comment this macro to keep 3DES in the default ciphersuite list.

Dependencies