NCBI C++ ToolKit
mbedtls_config.h File Reference

Configuration options (set of defines) More...

#include <ncbiconf.h>
#include "ncbicxx_rename_mbedtls.h"
+ Include dependency graph for mbedtls_config.h:
+ This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Go to the SVN repository for this file.

Macros

SECTION: System support

This is an optional version symbol that enables compatibility handling of config files.

It is equal to the MBEDTLS_VERSION_NUMBER of the Mbed TLS version that introduced the config format we want to be compatible with.

This section sets system specific settings.

#define MBEDTLS_HAVE_ASM
 The compiler has support for asm(). More...
 
#define MBEDTLS_HAVE_TIME
 System has time.h and time(). More...
 
#define MBEDTLS_HAVE_TIME_DATE
 System has time.h, time(), and an implementation for mbedtls_platform_gmtime_r() (see below). More...
 
#define MBEDTLS_DEPRECATED_WARNING
 Uncomment the macro to let Mbed TLS use your alternate implementation of mbedtls_platform_gmtime_r(). More...
 
SECTION: Mbed TLS feature support

This section sets support for features that are or are not needed within the modules that are enabled.

#define MBEDTLS_CIPHER_MODE_CBC
 Enable Cipher Block Chaining mode (CBC) for symmetric ciphers. More...
 
#define MBEDTLS_CIPHER_MODE_CFB
 Enable Cipher Feedback mode (CFB) for symmetric ciphers. More...
 
#define MBEDTLS_CIPHER_MODE_CTR
 Enable Counter Block Cipher mode (CTR) for symmetric ciphers. More...
 
#define MBEDTLS_CIPHER_MODE_OFB
 Enable Output Feedback mode (OFB) for symmetric ciphers. More...
 
#define MBEDTLS_CIPHER_MODE_XTS
 Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. More...
 
#define MBEDTLS_CIPHER_PADDING_PKCS7
 MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for specific padding modes in the cipher layer with cipher modes that support padding (e.g. More...
 
#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
 
#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
 
#define MBEDTLS_CIPHER_PADDING_ZEROS
 
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
 Enable the verified implementations of ECDH primitives from Project Everest (currently only Curve25519). More...
 
#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
 
#define MBEDTLS_ECP_DP_BP256R1_ENABLED
 
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
 
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
 
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
 
#define MBEDTLS_ECP_DP_CURVE448_ENABLED
 
#define MBEDTLS_ECP_NIST_OPTIM
 Enable specific 'modulo p' routines for each NIST prime. More...
 
#define MBEDTLS_ECDSA_DETERMINISTIC
 Uncomment to enable using new bignum code in the ECC modules. More...
 
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 Enable the PSK based ciphersuite modes in SSL / TLS. More...
 
#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
 Enable the DHE-PSK based ciphersuite modes in SSL / TLS. More...
 
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS. More...
 
#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
 Enable the RSA-PSK based ciphersuite modes in SSL / TLS. More...
 
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 Enable the RSA-only based ciphersuite modes in SSL / TLS. More...
 
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 Enable the DHE-RSA based ciphersuite modes in SSL / TLS. More...
 
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. More...
 
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. More...
 
#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. More...
 
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
 Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. More...
 
#define MBEDTLS_PK_PARSE_EC_EXTENDED
 Enhance support for reading EC keys using variants of SEC1 not allowed by RFC 5915 and RFC 5480. More...
 
#define MBEDTLS_PK_PARSE_EC_COMPRESSED
 Enable the support for parsing public keys of type Short Weierstrass (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX) which are using the compressed point format. More...
 
#define MBEDTLS_ERROR_STRERROR_DUMMY
 Enable a dummy error function to make use of mbedtls_strerror() in third party libraries easier when MBEDTLS_ERROR_C is disabled (no effect when MBEDTLS_ERROR_C is enabled). More...
 
#define MBEDTLS_GENPRIME
 Enable the prime-number generation code. More...
 
#define MBEDTLS_FS_IO
 Enable functions that use the filesystem. More...
 
#define MBEDTLS_PK_RSA_ALT_SUPPORT
 Support external private RSA keys (eg from a HSM) in the PK layer. More...
 
#define MBEDTLS_PKCS1_V15
 Enable support for PKCS#1 v1.5 encoding. More...
 
#define MBEDTLS_PKCS1_V21
 Enable support for PKCS#1 v2.1 encoding. More...
 
#define MBEDTLS_PSA_KEY_STORE_DYNAMIC
 Dynamically resize the PSA key store to accommodate any number of volatile keys (until the heap memory is exhausted). More...
 
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
 Enable sending of alert messages in case of encountered errors as per RFC. More...
 
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
 Enable support for the DTLS Connection ID (CID) extension, which allows to identify DTLS connections across changes in the underlying transport. More...
 
#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT   0
 Defines whether RFC 9146 (default) or the legacy version (version draft-ietf-tls-dtls-connection-id-05, https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) is used. More...
 
#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
 Enable serialization of the TLS context structures, through use of the functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load(). More...
 
#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
 Enable support for Encrypt-then-MAC, RFC 7366. More...
 
#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 Enable support for RFC 7627: Session Hash and Extended Master Secret Extension. More...
 
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 This option controls the availability of the API mbedtls_ssl_get_peer_cert() giving access to the peer's certificate after completion of the handshake. More...
 
#define MBEDTLS_SSL_RENEGOTIATION
 Enable support for TLS renegotiation. More...
 
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 Enable support for RFC 6066 max_fragment_length extension in SSL. More...
 
#define MBEDTLS_SSL_PROTO_TLS1_2
 Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). More...
 
#define MBEDTLS_SSL_PROTO_TLS1_3
 Enable support for TLS 1.3. More...
 
#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 Enable TLS 1.3 middlebox compatibility mode. More...
 
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 Enable TLS 1.3 PSK key exchange mode. More...
 
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 Enable TLS 1.3 ephemeral key exchange mode. More...
 
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 Enable TLS 1.3 PSK ephemeral key exchange mode. More...
 
#define MBEDTLS_SSL_PROTO_DTLS
 Enable support for DTLS (all available versions). More...
 
#define MBEDTLS_SSL_ALPN
 Enable support for RFC 7301 Application Layer Protocol Negotiation. More...
 
#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
 Enable support for the anti-replay mechanism in DTLS. More...
 
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
 Enable support for HelloVerifyRequest on DTLS servers. More...
 
#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
 Enable server-side support for clients that reconnect from the same port. More...
 
#define MBEDTLS_SSL_SESSION_TICKETS
 Enable support for RFC 5077 session tickets in SSL. More...
 
#define MBEDTLS_SSL_SERVER_NAME_INDICATION
 Enable support for RFC 6066 server name indication (SNI) in SSL. More...
 
#define MBEDTLS_THREADING_ALT
 Provide your own alternate threading implementation. More...
 
#define MBEDTLS_VERSION_FEATURES
 Allow run-time checking of compile-time enabled features. More...
 
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
 Enable parsing and verification of X.509 certificates, CRLs and CSRS signed with RSASSA-PSS (aka PKCS#1 v2.1). More...
 
SECTION: Mbed TLS modules

This section enables or disables entire modules in Mbed TLS

#define MBEDTLS_AESNI_C
 Enable AES-NI support on x86-64 or x86-32. More...
 
#define MBEDTLS_AESCE_C
 Enable AES cryptographic extension support on Armv8. More...
 
#define MBEDTLS_AES_C
 Enable the AES block cipher. More...
 
#define MBEDTLS_ASN1_PARSE_C
 Enable the generic ASN1 parser. More...
 
#define MBEDTLS_ASN1_WRITE_C
 Enable the generic ASN1 writer. More...
 
#define MBEDTLS_BASE64_C
 Enable the Base64 module. More...
 
#define MBEDTLS_BIGNUM_C
 Enable the multi-precision integer library. More...
 
#define MBEDTLS_CAMELLIA_C
 Enable the Camellia block cipher. More...
 
#define MBEDTLS_ARIA_C
 Enable the ARIA block cipher. More...
 
#define MBEDTLS_CCM_C
 Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher. More...
 
#define MBEDTLS_CHACHA20_C
 Enable the ChaCha20 stream cipher. More...
 
#define MBEDTLS_CHACHAPOLY_C
 Enable the ChaCha20-Poly1305 AEAD algorithm. More...
 
#define MBEDTLS_CIPHER_C
 Enable the generic cipher layer. More...
 
#define MBEDTLS_CMAC_C
 Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers. More...
 
#define MBEDTLS_CTR_DRBG_C
 Enable the CTR_DRBG AES-based random generator. More...
 
#define MBEDTLS_DEBUG_C
 Enable the debug functions. More...
 
#define MBEDTLS_DES_C
 Enable the DES block cipher. More...
 
#define MBEDTLS_DHM_C
 Enable the Diffie-Hellman-Merkle module. More...
 
#define MBEDTLS_ECDH_C
 Enable the elliptic curve Diffie-Hellman library. More...
 
#define MBEDTLS_ECDSA_C
 Enable the elliptic curve DSA library. More...
 
#define MBEDTLS_ECJPAKE_C
 Enable the elliptic curve J-PAKE library. More...
 
#define MBEDTLS_ECP_C
 Enable the elliptic curve over GF(p) library. More...
 
#define MBEDTLS_ENTROPY_C
 Enable the platform-specific entropy code. More...
 
#define MBEDTLS_ERROR_C
 Enable error code to error string conversion. More...
 
#define MBEDTLS_GCM_C
 Enable the Galois/Counter Mode (GCM). More...
 
#define MBEDTLS_HKDF_C
 Enable the HKDF algorithm (RFC 5869). More...
 
#define MBEDTLS_HMAC_DRBG_C
 Enable the HMAC_DRBG random generator. More...
 
#define MBEDTLS_LMS_C
 Enable the LMS stateful-hash asymmetric signature algorithm. More...
 
#define MBEDTLS_NIST_KW_C
 Enable the Key Wrapping mode for 128-bit block ciphers, as defined in NIST SP 800-38F. More...
 
#define MBEDTLS_MD_C
 Enable the generic layer for message digest (hashing) and HMAC. More...
 
#define MBEDTLS_MD5_C
 Enable the MD5 hash algorithm. More...
 
#define MBEDTLS_NET_C
 Enable the TCP and UDP over IPv6/IPv4 networking routines. More...
 
#define MBEDTLS_OID_C
 Enable the OID database. More...
 
#define MBEDTLS_PADLOCK_C
 Enable VIA Padlock support on x86. More...
 
#define MBEDTLS_PEM_PARSE_C
 Enable PEM decoding / parsing. More...
 
#define MBEDTLS_PEM_WRITE_C
 Enable PEM encoding / writing. More...
 
#define MBEDTLS_PK_C
 Enable the generic public (asymmetric) key layer. More...
 
#define MBEDTLS_PK_PARSE_C
 Enable the generic public (asymmetric) key parser. More...
 
#define MBEDTLS_PK_WRITE_C
 Enable the generic public (asymmetric) key writer. More...
 
#define MBEDTLS_PKCS5_C
 Enable PKCS#5 functions. More...
 
#define MBEDTLS_PKCS7_C
 Enable PKCS #7 core for using PKCS #7-formatted signatures. More...
 
#define MBEDTLS_PKCS12_C
 Enable PKCS#12 PBE functions. More...
 
#define MBEDTLS_PLATFORM_C
 Enable the platform abstraction layer that allows you to re-assign functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). More...
 
#define MBEDTLS_POLY1305_C
 Enable the Poly1305 MAC algorithm. More...
 
#define MBEDTLS_PSA_CRYPTO_C
 Enable the Platform Security Architecture cryptography API. More...
 
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
 Enable the Platform Security Architecture persistent key storage. More...
 
#define MBEDTLS_PSA_ITS_FILE_C
 Enable the emulation of the Platform Security Architecture Internal Trusted Storage (PSA ITS) over files. More...
 
#define MBEDTLS_RIPEMD160_C
 Enable the RIPEMD-160 hash algorithm. More...
 
#define MBEDTLS_RSA_C
 Enable the RSA public-key cryptosystem. More...
 
#define MBEDTLS_SHA1_C
 Enable the SHA1 cryptographic hash algorithm. More...
 
#define MBEDTLS_SHA224_C
 Enable the SHA-224 cryptographic hash algorithm. More...
 
#define MBEDTLS_SHA256_C
 Enable the SHA-256 cryptographic hash algorithm. More...
 
#define MBEDTLS_SHA384_C
 Enable the SHA-384 cryptographic hash algorithm. More...
 
#define MBEDTLS_SHA512_C
 Enable SHA-512 cryptographic hash algorithms. More...
 
#define MBEDTLS_SHA3_C
 Enable the SHA3 cryptographic hash algorithm. More...
 
#define MBEDTLS_SSL_CACHE_C
 Enable simple SSL cache implementation. More...
 
#define MBEDTLS_SSL_COOKIE_C
 Enable basic implementation of DTLS cookies for hello verification. More...
 
#define MBEDTLS_SSL_TICKET_C
 Enable an implementation of TLS server-side callbacks for session tickets. More...
 
#define MBEDTLS_SSL_CLI_C
 Enable the SSL/TLS client code. More...
 
#define MBEDTLS_SSL_SRV_C
 Enable the SSL/TLS server code. More...
 
#define MBEDTLS_SSL_TLS_C
 Enable the generic SSL/TLS code. More...
 
#define MBEDTLS_THREADING_C
 Enable the threading abstraction layer. More...
 
#define MBEDTLS_TIMING_C
 Enable the semi-portable timing interface. More...
 
#define MBEDTLS_VERSION_C
 Enable run-time version information. More...
 
#define MBEDTLS_X509_USE_C
 Enable X.509 core for using certificates. More...
 
#define MBEDTLS_X509_CRT_PARSE_C
 Enable X.509 certificate parsing. More...
 
#define MBEDTLS_X509_CRL_PARSE_C
 Enable X.509 CRL parsing. More...
 
#define MBEDTLS_X509_CSR_PARSE_C
 Enable X.509 Certificate Signing Request (CSR) parsing. More...
 
#define MBEDTLS_X509_CREATE_C
 Enable X.509 core for creating certificates. More...
 
#define MBEDTLS_X509_CRT_WRITE_C
 Enable creating X.509 certificates. More...
 
#define MBEDTLS_X509_CSR_WRITE_C
 Enable creating X.509 Certificate Signing Requests (CSR). More...
 

Detailed Description

Configuration options (set of defines)

This set of compile-time options may be used to enable or disable features selectively, and reduce the global memory footprint.

Definition in file mbedtls_config.h.

Macro Definition Documentation

◆ MBEDTLS_AES_C

#define MBEDTLS_AES_C

Enable the AES block cipher.

Module: library/aes.c Caller: library/cipher.c library/pem.c library/ctr_drbg.c

This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA

PEM_PARSE uses AES for decrypting encrypted keys.

Definition at line 2368 of file mbedtls_config.h.

◆ MBEDTLS_AESCE_C

#define MBEDTLS_AESCE_C

Enable AES cryptographic extension support on Armv8.

Module: library/aesce.c Caller: library/aes.c

Requires: MBEDTLS_AES_C

Warning
Runtime detection only works on Linux. For non-Linux operating system, Armv8-A Cryptographic Extensions must be supported by the CPU when this option is enabled.
Note
Minimum compiler versions for this feature when targeting aarch64 are Clang 4.0; armclang 6.6; GCC 6.0; or MSVC 2019 version 16.11.2. Minimum compiler versions for this feature when targeting 32-bit Arm or Thumb are Clang 11.0; armclang 6.20; or GCC 6.0.
CFLAGS must be set to a minimum of -march=armv8-a+crypto for armclang <= 6.9

This module adds support for the AES Armv8-A Cryptographic Extensions on Armv8 systems.

Definition at line 2293 of file mbedtls_config.h.

◆ MBEDTLS_AESNI_C

#define MBEDTLS_AESNI_C

Enable AES-NI support on x86-64 or x86-32.

Note
AESNI is only supported with certain compilers and target options:
  • Visual Studio: supported
  • GCC, x86-64, target not explicitly supporting AESNI: requires MBEDTLS_HAVE_ASM.
  • GCC, x86-32, target not explicitly supporting AESNI: not supported.
  • GCC, x86-64 or x86-32, target supporting AESNI: supported. For this assembly-less implementation, you must currently compile `library/aesni.c` and `library/aes.c` with machine options to enable SSE2 and AESNI instructions: `gcc -msse2 -maes -mpclmul` or `clang -maes -mpclmul`.
  • Non-x86 targets: this option is silently ignored.
  • Other compilers: this option is silently ignored.
Above, "GCC" includes compatible compilers such as Clang. The limitations on target support are likely to be relaxed in the future.

Module: library/aesni.c Caller: library/aes.c

Requires: MBEDTLS_HAVE_ASM (on some platforms, see note)

This modules adds support for the AES-NI instructions on x86.

Definition at line 2267 of file mbedtls_config.h.

◆ MBEDTLS_ARIA_C

#define MBEDTLS_ARIA_C

Enable the ARIA block cipher.

Module: library/aria.c Caller: library/cipher.c

This module enables the following ciphersuites (if other requisites are enabled as well):

MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384

Definition at line 2557 of file mbedtls_config.h.

◆ MBEDTLS_ASN1_PARSE_C

#define MBEDTLS_ASN1_PARSE_C

Enable the generic ASN1 parser.

Module: library/asn1.c Caller: library/x509.c library/dhm.c library/pkcs12.c library/pkcs5.c library/pkparse.c

Definition at line 2382 of file mbedtls_config.h.

◆ MBEDTLS_ASN1_WRITE_C

#define MBEDTLS_ASN1_WRITE_C

Enable the generic ASN1 writer.

Module: library/asn1write.c Caller: library/ecdsa.c library/pkwrite.c library/x509_create.c library/x509write_crt.c library/x509write_csr.c

Definition at line 2396 of file mbedtls_config.h.

◆ MBEDTLS_BASE64_C

#define MBEDTLS_BASE64_C

Enable the Base64 module.

Module: library/base64.c Caller: library/pem.c

This module is required for PEM support (required by X.509).

Definition at line 2408 of file mbedtls_config.h.

◆ MBEDTLS_BIGNUM_C

#define MBEDTLS_BIGNUM_C

Enable the multi-precision integer library.

Module: library/bignum.c library/bignum_core.c library/bignum_mod.c library/bignum_mod_raw.c Caller: library/dhm.c library/ecp.c library/ecdsa.c library/rsa.c library/rsa_alt_helpers.c library/ssl_tls.c

This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.

Definition at line 2450 of file mbedtls_config.h.

◆ MBEDTLS_CAMELLIA_C

#define MBEDTLS_CAMELLIA_C

Enable the Camellia block cipher.

Module: library/camellia.c Caller: library/cipher.c

This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256

Definition at line 2505 of file mbedtls_config.h.

◆ MBEDTLS_CCM_C

#define MBEDTLS_CCM_C

Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.

Module: library/ccm.c

Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C

This module enables the AES-CCM ciphersuites, if other requisites are enabled as well.

Definition at line 2572 of file mbedtls_config.h.

◆ MBEDTLS_CHACHA20_C

#define MBEDTLS_CHACHA20_C

Enable the ChaCha20 stream cipher.

Module: library/chacha20.c

Definition at line 2581 of file mbedtls_config.h.

◆ MBEDTLS_CHACHAPOLY_C

#define MBEDTLS_CHACHAPOLY_C

Enable the ChaCha20-Poly1305 AEAD algorithm.

Module: library/chachapoly.c

This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C

Definition at line 2592 of file mbedtls_config.h.

◆ MBEDTLS_CIPHER_C

#define MBEDTLS_CIPHER_C

Enable the generic cipher layer.

Module: library/cipher.c Caller: library/ccm.c library/cmac.c library/gcm.c library/nist_kw.c library/pkcs12.c library/pkcs5.c library/psa_crypto_aead.c library/psa_crypto_mac.c library/ssl_ciphersuites.c library/ssl_msg.c library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled) Auto-enabled by: MBEDTLS_PSA_CRYPTO_C depending on which ciphers are enabled (see the documentation of that option for details).

Uncomment to enable generic cipher wrappers.

Definition at line 2616 of file mbedtls_config.h.

◆ MBEDTLS_CIPHER_MODE_CBC

#define MBEDTLS_CIPHER_MODE_CBC

Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.

Definition at line 660 of file mbedtls_config.h.

◆ MBEDTLS_CIPHER_MODE_CFB

#define MBEDTLS_CIPHER_MODE_CFB

Enable Cipher Feedback mode (CFB) for symmetric ciphers.

Definition at line 667 of file mbedtls_config.h.

◆ MBEDTLS_CIPHER_MODE_CTR

#define MBEDTLS_CIPHER_MODE_CTR

Enable Counter Block Cipher mode (CTR) for symmetric ciphers.

Definition at line 674 of file mbedtls_config.h.

◆ MBEDTLS_CIPHER_MODE_OFB

#define MBEDTLS_CIPHER_MODE_OFB

Enable Output Feedback mode (OFB) for symmetric ciphers.

Definition at line 681 of file mbedtls_config.h.

◆ MBEDTLS_CIPHER_MODE_XTS

#define MBEDTLS_CIPHER_MODE_XTS

Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.

Definition at line 688 of file mbedtls_config.h.

◆ MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS

#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS

Definition at line 734 of file mbedtls_config.h.

◆ MBEDTLS_CIPHER_PADDING_PKCS7

#define MBEDTLS_CIPHER_PADDING_PKCS7

MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for specific padding modes in the cipher layer with cipher modes that support padding (e.g.

CBC)

If you disable all padding modes, only full blocks can be used with CBC.

Enable padding modes in the cipher layer.

Definition at line 733 of file mbedtls_config.h.

◆ MBEDTLS_CIPHER_PADDING_ZEROS

#define MBEDTLS_CIPHER_PADDING_ZEROS

Definition at line 736 of file mbedtls_config.h.

◆ MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN

#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN

Definition at line 735 of file mbedtls_config.h.

◆ MBEDTLS_CMAC_C

#define MBEDTLS_CMAC_C

Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers.

Note
When #MBEDTLS_CMAC_ALT is active, meaning that the underlying implementation of the CMAC algorithm is provided by an alternate implementation, that alternate implementation may opt to not support AES-192 or 3DES as underlying block ciphers for the CMAC operation.

Module: library/cmac.c

Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C

Definition at line 2634 of file mbedtls_config.h.

◆ MBEDTLS_CTR_DRBG_C

#define MBEDTLS_CTR_DRBG_C

Enable the CTR_DRBG AES-based random generator.

The CTR_DRBG generator uses AES-256 by default. To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.

AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA. Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA is used.

Warning
When using PSA, the user should call `psa_crypto_init()` before using any CTR_DRBG operation (except `mbedtls_ctr_drbg_init()`).
Note
AES-128 will be used if MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set.
To achieve a 256-bit security strength with CTR_DRBG, you must use AES-256 *and* use sufficient entropy. See ctr_drbg.h for more details.

Module: library/ctr_drbg.c Caller:

Requires: MBEDTLS_AES_C or (PSA_WANT_KEY_TYPE_AES and PSA_WANT_ALG_ECB_NO_PADDING and MBEDTLS_PSA_CRYPTO_C)

This module provides the CTR_DRBG AES random number generator.

Definition at line 2665 of file mbedtls_config.h.

◆ MBEDTLS_DEBUG_C

#define MBEDTLS_DEBUG_C

Enable the debug functions.

Module: library/debug.c Caller: library/ssl_msg.c library/ssl_tls.c library/ssl_tls12_*.c library/ssl_tls13_*.c

This module provides debugging functions.

Definition at line 2680 of file mbedtls_config.h.

◆ MBEDTLS_DEPRECATED_WARNING

#define MBEDTLS_DEPRECATED_WARNING

Uncomment the macro to let Mbed TLS use your alternate implementation of mbedtls_platform_gmtime_r().

This replaces the default implementation in platform_util.c.

gmtime() is not a thread-safe function as defined in the C standard. The library will try to use safer implementations of this function, such as gmtime_r() when available. However, if Mbed TLS cannot identify the target system, the implementation of mbedtls_platform_gmtime_r() will default to using the standard gmtime(). In this case, calls from the library to gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the library are also guarded with this mutex to avoid race conditions. However, if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will unconditionally use the implementation for mbedtls_platform_gmtime_r() supplied at compile time.

Uncomment the macro to let Mbed TLS use your alternate implementation of mbedtls_platform_zeroize(), to wipe sensitive data in memory. This replaces the default implementation in platform_util.c.

By default, the library uses a system function such as memset_s() (optional feature of C11), explicit_bzero() (BSD and compatible), or SecureZeroMemory (Windows). If no such function is detected, the library falls back to a plain C implementation. Compilers are technically permitted to optimize this implementation out, meaning that the memory is not actually wiped. The library tries to prevent that, but the C language makes it impossible to guarantee that the memory will always be wiped.

If your platform provides a guaranteed method to wipe memory which `platform_util.c` does not detect, define this macro to the name of a function that takes two arguments, a `void *` pointer and a length, and wipes that many bytes starting at the specified address. For example, if your platform has explicit_bzero() but `platform_util.c` does not detect its presence, define `MBEDTLS_PLATFORM_ZEROIZE_ALT` to be `explicit_bzero` to use that function as mbedtls_platform_zeroize().

Mark deprecated functions and features so that they generate a warning if used. Functionality deprecated in one version will usually be removed in the next version. You can enable this to help you prepare the transition to a new major version by making sure your code is not using this functionality.

This only works with GCC and Clang. With other compilers, you may want to use MBEDTLS_DEPRECATED_REMOVED

Uncomment to get warnings on using deprecated functions and features.

Definition at line 324 of file mbedtls_config.h.

◆ MBEDTLS_DES_C

#define MBEDTLS_DES_C

Enable the DES block cipher.

Module: library/des.c Caller: library/pem.c library/cipher.c

PEM_PARSE uses DES/3DES for decrypting encrypted keys.

Warning
DES/3DES are considered weak ciphers and their use constitutes a security risk. We recommend considering stronger ciphers instead.

Definition at line 2696 of file mbedtls_config.h.

◆ MBEDTLS_DHM_C

#define MBEDTLS_DHM_C

Enable the Diffie-Hellman-Merkle module.

Module: library/dhm.c Caller: library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c

This module is used by the following key exchanges: DHE-RSA, DHE-PSK

Warning
Using DHE constitutes a security risk as it is not possible to validate custom DH parameters. If possible, it is recommended users should consider preferring other methods of key exchange. See dhm.h for more details.

Definition at line 2718 of file mbedtls_config.h.

◆ MBEDTLS_ECDH_C

#define MBEDTLS_ECDH_C

Enable the elliptic curve Diffie-Hellman library.

Module: library/ecdh.c Caller: library/psa_crypto.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c

This module is used by the following key exchanges: ECDHE-ECDSA, ECDHE-RSA, DHE-PSK

Requires: MBEDTLS_ECP_C

Definition at line 2736 of file mbedtls_config.h.

◆ MBEDTLS_ECDSA_C

#define MBEDTLS_ECDSA_C

Enable the elliptic curve DSA library.

Module: library/ecdsa.c Caller:

This module is used by the following key exchanges: ECDHE-ECDSA

Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C, and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a short Weierstrass curve.

Definition at line 2753 of file mbedtls_config.h.

◆ MBEDTLS_ECDSA_DETERMINISTIC

#define MBEDTLS_ECDSA_DETERMINISTIC

Uncomment to enable using new bignum code in the ECC modules.

Warning
This is currently experimental, incomplete and therefore should not be used in production.

Enable deterministic ECDSA (RFC 6979). Standard ECDSA is "fragile" in the sense that lack of entropy when signing may result in a compromise of the long-term signing key. This is avoided by the deterministic variant.

Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C

Comment this macro to disable deterministic ECDSA.

Definition at line 868 of file mbedtls_config.h.

◆ MBEDTLS_ECJPAKE_C

#define MBEDTLS_ECJPAKE_C

Enable the elliptic curve J-PAKE library.

Note
EC J-PAKE support is based on the Thread v1.0.0 specification. It has not been reviewed for compliance with newer standards such as Thread v1.1 or RFC 8236.

Module: library/ecjpake.c Caller:

This module is used by the following key exchanges: ECJPAKE

Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C

Warning
If using a hash that is only provided by PSA drivers, you must call psa_crypto_init() before doing any EC J-PAKE operations.

Definition at line 2775 of file mbedtls_config.h.

◆ MBEDTLS_ECP_C

#define MBEDTLS_ECP_C

Enable the elliptic curve over GF(p) library.

Module: library/ecp.c Caller: library/ecdh.c library/ecdsa.c library/ecjpake.c

Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED

Definition at line 2789 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_BP256R1_ENABLED

#define MBEDTLS_ECP_DP_BP256R1_ENABLED

Definition at line 775 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_BP384R1_ENABLED

#define MBEDTLS_ECP_DP_BP384R1_ENABLED

Definition at line 776 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_BP512R1_ENABLED

#define MBEDTLS_ECP_DP_BP512R1_ENABLED

Definition at line 777 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_CURVE25519_ENABLED

#define MBEDTLS_ECP_DP_CURVE25519_ENABLED

Definition at line 779 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_CURVE448_ENABLED

#define MBEDTLS_ECP_DP_CURVE448_ENABLED

Definition at line 780 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_SECP192K1_ENABLED

#define MBEDTLS_ECP_DP_SECP192K1_ENABLED

Definition at line 772 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_SECP192R1_ENABLED

#define MBEDTLS_ECP_DP_SECP192R1_ENABLED

Enable the verified implementations of ECDH primitives from Project Everest (currently only Curve25519).

This feature changes the layout of ECDH contexts and therefore is a compatibility break for applications that access fields of a mbedtls_ecdh_context structure directly. See also MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h.

The Everest code is provided under the Apache 2.0 license only; therefore enabling this option is not compatible with taking the library under the GPL v2.0-or-later license.

MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve module. By default all supported curves are enabled.

Comment macros to disable the curve and functions for it

Definition at line 767 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_SECP224K1_ENABLED

#define MBEDTLS_ECP_DP_SECP224K1_ENABLED

Definition at line 773 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_SECP224R1_ENABLED

#define MBEDTLS_ECP_DP_SECP224R1_ENABLED

Definition at line 768 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_SECP256K1_ENABLED

#define MBEDTLS_ECP_DP_SECP256K1_ENABLED

Definition at line 774 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_SECP256R1_ENABLED

#define MBEDTLS_ECP_DP_SECP256R1_ENABLED

Definition at line 769 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_SECP384R1_ENABLED

#define MBEDTLS_ECP_DP_SECP384R1_ENABLED

Definition at line 770 of file mbedtls_config.h.

◆ MBEDTLS_ECP_DP_SECP521R1_ENABLED

#define MBEDTLS_ECP_DP_SECP521R1_ENABLED

Definition at line 771 of file mbedtls_config.h.

◆ MBEDTLS_ECP_NIST_OPTIM

#define MBEDTLS_ECP_NIST_OPTIM

Enable specific 'modulo p' routines for each NIST prime.

Depending on the prime and architecture, makes operations 4 to 8 times faster on the corresponding curve.

Comment this macro to disable NIST curves optimisation.

Definition at line 791 of file mbedtls_config.h.

◆ MBEDTLS_ENTROPY_C

#define MBEDTLS_ENTROPY_C

Enable the platform-specific entropy code.

Module: library/entropy.c Caller:

Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C

This module provides a generic entropy pool

Definition at line 2803 of file mbedtls_config.h.

◆ MBEDTLS_ERROR_C

#define MBEDTLS_ERROR_C

Enable error code to error string conversion.

Module: library/error.c Caller:

This module enables mbedtls_strerror().

Definition at line 2815 of file mbedtls_config.h.

◆ MBEDTLS_ERROR_STRERROR_DUMMY

#define MBEDTLS_ERROR_STRERROR_DUMMY

Enable a dummy error function to make use of mbedtls_strerror() in third party libraries easier when MBEDTLS_ERROR_C is disabled (no effect when MBEDTLS_ERROR_C is enabled).

You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're not using mbedtls_strerror() or error_strerror() in your application.

Disable if you run into name conflicts and want to really remove the mbedtls_strerror()

Definition at line 1177 of file mbedtls_config.h.

◆ MBEDTLS_FS_IO

#define MBEDTLS_FS_IO

Enable functions that use the filesystem.

Definition at line 1193 of file mbedtls_config.h.

◆ MBEDTLS_GCM_C

#define MBEDTLS_GCM_C

Enable the Galois/Counter Mode (GCM).

Module: library/gcm.c

Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C

This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other requisites are enabled as well.

Definition at line 2830 of file mbedtls_config.h.

◆ MBEDTLS_GENPRIME

#define MBEDTLS_GENPRIME

Enable the prime-number generation code.

Requires: MBEDTLS_BIGNUM_C

Definition at line 1186 of file mbedtls_config.h.

◆ MBEDTLS_HAVE_ASM

#define MBEDTLS_HAVE_ASM

The compiler has support for asm().

Requires support for asm() in compiler.

Used in: library/aesni.h library/aria.c library/bn_mul.h library/constant_time.c library/padlock.h

Required by: MBEDTLS_AESCE_C MBEDTLS_AESNI_C (on some platforms) MBEDTLS_PADLOCK_C

Comment to disable the use of assembly code.

Definition at line 54 of file mbedtls_config.h.

◆ MBEDTLS_HAVE_TIME

#define MBEDTLS_HAVE_TIME

System has time.h and time().

The time does not need to be correct, only time differences are used, by contrast with MBEDTLS_HAVE_TIME_DATE

Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT, MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and MBEDTLS_PLATFORM_STD_TIME.

Comment if your system does not support time functions.

Note
If MBEDTLS_TIMING_C is set - to enable the semi-portable timing interface - timing.c will include time.h on suitable platforms regardless of the setting of MBEDTLS_HAVE_TIME, unless MBEDTLS_TIMING_ALT is used. See timing.c for more information.

Definition at line 135 of file mbedtls_config.h.

◆ MBEDTLS_HAVE_TIME_DATE

#define MBEDTLS_HAVE_TIME_DATE

System has time.h, time(), and an implementation for mbedtls_platform_gmtime_r() (see below).

The time needs to be correct (not necessarily very accurate, but at least the date should be correct). This is used to verify the validity period of X.509 certificates.

Comment if your system does not have a correct clock.

Note
mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that behaves similarly to the gmtime_r() function from the C standard. Refer to the documentation for mbedtls_platform_gmtime_r() for more information.
It is possible to configure an implementation for mbedtls_platform_gmtime_r() at compile-time by using the macro MBEDTLS_PLATFORM_GMTIME_R_ALT.

Definition at line 156 of file mbedtls_config.h.

◆ MBEDTLS_HKDF_C

#define MBEDTLS_HKDF_C

Enable the HKDF algorithm (RFC 5869).

Module: library/hkdf.c Caller:

Requires: MBEDTLS_MD_C

This module adds support for the Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF).

Definition at line 2861 of file mbedtls_config.h.

◆ MBEDTLS_HMAC_DRBG_C

#define MBEDTLS_HMAC_DRBG_C

Enable the HMAC_DRBG random generator.

Module: library/hmac_drbg.c Caller:

Requires: MBEDTLS_MD_C

Uncomment to enable the HMAC_DRBG random number generator.

Definition at line 2875 of file mbedtls_config.h.

◆ MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED

#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED

Enable the DHE-PSK based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_DHM_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256

Warning
Using DHE constitutes a security risk as it is not possible to validate custom DH parameters. If possible, it is recommended users should consider preferring other methods of key exchange. See dhm.h for more details.

Definition at line 917 of file mbedtls_config.h.

◆ MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED

Enable the DHE-RSA based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

Warning
Using DHE constitutes a security risk as it is not possible to validate custom DH parameters. If possible, it is recommended users should consider preferring other methods of key exchange. See dhm.h for more details.

Definition at line 1015 of file mbedtls_config.h.

◆ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED

Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA) MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384

Definition at line 1088 of file mbedtls_config.h.

◆ MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED

Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) MBEDTLS_RSA_C MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384

Definition at line 1112 of file mbedtls_config.h.

◆ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED

Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA) MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256

Definition at line 1064 of file mbedtls_config.h.

◆ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED

#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED

Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH)

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256

Definition at line 935 of file mbedtls_config.h.

◆ MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED

Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_ECDH_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDH) MBEDTLS_RSA_C MBEDTLS_PKCS1_V15 MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256

Definition at line 1040 of file mbedtls_config.h.

◆ MBEDTLS_KEY_EXCHANGE_PSK_ENABLED

#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED

Enable the PSK based ciphersuite modes in SSL / TLS.

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256

Definition at line 888 of file mbedtls_config.h.

◆ MBEDTLS_KEY_EXCHANGE_RSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED

Enable the RSA-only based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

Definition at line 983 of file mbedtls_config.h.

◆ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED

#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED

Enable the RSA-PSK based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256

Definition at line 958 of file mbedtls_config.h.

◆ MBEDTLS_LMS_C

#define MBEDTLS_LMS_C

Enable the LMS stateful-hash asymmetric signature algorithm.

Module: library/lms.c Caller:

Requires: MBEDTLS_PSA_CRYPTO_C

Uncomment to enable the LMS verification algorithm and public key operations.

Definition at line 2889 of file mbedtls_config.h.

◆ MBEDTLS_MD5_C

#define MBEDTLS_MD5_C

Enable the MD5 hash algorithm.

Module: library/md5.c Caller: library/md.c library/pem.c library/ssl_tls.c

This module is required for TLS 1.2 depending on the handshake parameters. Further, it is used for checking MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded encrypted keys.

Warning
MD5 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead.

Definition at line 2968 of file mbedtls_config.h.

◆ MBEDTLS_MD_C

#define MBEDTLS_MD_C

Enable the generic layer for message digest (hashing) and HMAC.

Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C, MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C, MBEDTLS_SHA512_C, or MBEDTLS_PSA_CRYPTO_C with at least one hash. Module: library/md.c Caller: library/constant_time.c library/ecdsa.c library/ecjpake.c library/hkdf.c library/hmac_drbg.c library/pk.c library/pkcs5.c library/pkcs12.c library/psa_crypto_ecp.c library/psa_crypto_rsa.c library/rsa.c library/ssl_cookie.c library/ssl_msg.c library/ssl_tls.c library/x509.c library/x509_crt.c library/x509write_crt.c library/x509write_csr.c

Uncomment to enable generic message digest wrappers.

Definition at line 2947 of file mbedtls_config.h.

◆ MBEDTLS_NET_C

#define MBEDTLS_NET_C

Enable the TCP and UDP over IPv6/IPv4 networking routines.

Note
This module only works on POSIX/Unix (including Linux, BSD and OS X) and Windows. For other platforms, you'll want to disable it, and write your own networking callbacks to be passed to mbedtls_ssl_set_bio().
See also our Knowledge Base article about porting to a new environment: https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS

Module: library/net_sockets.c

This module provides networking routines.

Definition at line 3003 of file mbedtls_config.h.

◆ MBEDTLS_NIST_KW_C

#define MBEDTLS_NIST_KW_C

Enable the Key Wrapping mode for 128-bit block ciphers, as defined in NIST SP 800-38F.

Only KW and KWP modes are supported. At the moment, only AES is approved by NIST.

Module: library/nist_kw.c

Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C

Definition at line 2914 of file mbedtls_config.h.

◆ MBEDTLS_OID_C

#define MBEDTLS_OID_C

Enable the OID database.

Module: library/oid.c Caller: library/asn1write.c library/pkcs5.c library/pkparse.c library/pkwrite.c library/rsa.c library/x509.c library/x509_create.c library/x509_crl.c library/x509_crt.c library/x509_csr.c library/x509write_crt.c library/x509write_csr.c

This modules translates between OIDs and internal values.

Definition at line 3026 of file mbedtls_config.h.

◆ MBEDTLS_PADLOCK_C

#define MBEDTLS_PADLOCK_C

Enable VIA Padlock support on x86.

Module: library/padlock.c Caller: library/aes.c

Requires: MBEDTLS_HAVE_ASM

This modules adds support for the VIA PadLock on x86.

Definition at line 3040 of file mbedtls_config.h.

◆ MBEDTLS_PEM_PARSE_C

#define MBEDTLS_PEM_PARSE_C

Enable PEM decoding / parsing.

Module: library/pem.c Caller: library/dhm.c library/pkparse.c library/x509_crl.c library/x509_crt.c library/x509_csr.c

Requires: MBEDTLS_BASE64_C optionally MBEDTLS_MD5_C, or PSA Crypto with MD5 (see below)

Warning
When parsing password-protected files, if MD5 is provided only by a PSA driver, you must call psa_crypto_init() before the first file.

This modules adds support for decoding / parsing PEM files.

Definition at line 3062 of file mbedtls_config.h.

◆ MBEDTLS_PEM_WRITE_C

#define MBEDTLS_PEM_WRITE_C

Enable PEM encoding / writing.

Module: library/pem.c Caller: library/pkwrite.c library/x509write_crt.c library/x509write_csr.c

Requires: MBEDTLS_BASE64_C

This modules adds support for encoding / writing PEM files.

Definition at line 3078 of file mbedtls_config.h.

◆ MBEDTLS_PK_C

#define MBEDTLS_PK_C

Enable the generic public (asymmetric) key layer.

Module: library/pk.c Caller: library/psa_crypto_rsa.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c library/x509.c

Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C

Uncomment to enable generic public key wrappers.

Definition at line 3096 of file mbedtls_config.h.

◆ MBEDTLS_PK_PARSE_C

#define MBEDTLS_PK_PARSE_C

Enable the generic public (asymmetric) key parser.

Module: library/pkparse.c Caller: library/x509_crt.c library/x509_csr.c

Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_C

Uncomment to enable generic public key parse functions.

Definition at line 3111 of file mbedtls_config.h.

◆ MBEDTLS_PK_PARSE_EC_COMPRESSED

#define MBEDTLS_PK_PARSE_EC_COMPRESSED

Enable the support for parsing public keys of type Short Weierstrass (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX) which are using the compressed point format.

This parsing is done through ECP module's functions.

Note
As explained in the description of MBEDTLS_ECP_PF_COMPRESSED (in ecp.h) the only unsupported curves are MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1.

Definition at line 1162 of file mbedtls_config.h.

◆ MBEDTLS_PK_PARSE_EC_EXTENDED

#define MBEDTLS_PK_PARSE_EC_EXTENDED

Enhance support for reading EC keys using variants of SEC1 not allowed by RFC 5915 and RFC 5480.

Currently this means parsing the SpecifiedECDomain choice of EC parameters (only known groups are supported, not arbitrary domains, to avoid validation issues).

Disable if you only need to support RFC 5915 + 5480 key formats.

Definition at line 1149 of file mbedtls_config.h.

◆ MBEDTLS_PK_RSA_ALT_SUPPORT

#define MBEDTLS_PK_RSA_ALT_SUPPORT

Support external private RSA keys (eg from a HSM) in the PK layer.

Comment this macro to disable support for external private RSA keys.

Definition at line 1306 of file mbedtls_config.h.

◆ MBEDTLS_PK_WRITE_C

#define MBEDTLS_PK_WRITE_C

Enable the generic public (asymmetric) key writer.

Module: library/pkwrite.c Caller: library/x509write.c

Requires: MBEDTLS_ASN1_WRITE_C, MBEDTLS_OID_C, MBEDTLS_PK_C

Uncomment to enable generic public key write functions.

Definition at line 3125 of file mbedtls_config.h.

◆ MBEDTLS_PKCS12_C

#define MBEDTLS_PKCS12_C

Enable PKCS#12 PBE functions.

Adds algorithms for parsing PKCS#8 encrypted private keys

Module: library/pkcs12.c Caller: library/pkparse.c

Requires: MBEDTLS_ASN1_PARSE_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C.

Warning
If using a hash that is only provided by PSA drivers, you must call psa_crypto_init() before doing any PKCS12 operations.

This module enables PKCS#12 functions.

Definition at line 3176 of file mbedtls_config.h.

◆ MBEDTLS_PKCS1_V15

#define MBEDTLS_PKCS1_V15

Enable support for PKCS#1 v1.5 encoding.

Requires: MBEDTLS_RSA_C

This enables support for PKCS#1 v1.5 operations.

Definition at line 1317 of file mbedtls_config.h.

◆ MBEDTLS_PKCS1_V21

#define MBEDTLS_PKCS1_V21

Enable support for PKCS#1 v2.1 encoding.

Requires: MBEDTLS_RSA_C

Warning
If using a hash that is only provided by PSA drivers, you must call psa_crypto_init() before doing any PKCS#1 v2.1 operation.

This enables support for RSAES-OAEP and RSASSA-PSS operations.

Definition at line 1331 of file mbedtls_config.h.

◆ MBEDTLS_PKCS5_C

#define MBEDTLS_PKCS5_C

Enable PKCS#5 functions.

Module: library/pkcs5.c

Auto-enables: MBEDTLS_MD_C

Warning
If using a hash that is only provided by PSA drivers, you must call psa_crypto_init() before doing any PKCS5 operations.

This module adds support for the PKCS#5 functions.

Definition at line 3141 of file mbedtls_config.h.

◆ MBEDTLS_PKCS7_C

#define MBEDTLS_PKCS7_C

Enable PKCS #7 core for using PKCS #7-formatted signatures.

RFC Link - https://tools.ietf.org/html/rfc2315

Module: library/pkcs7.c

Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_MD_C

This module is required for the PKCS #7 parsing modules.

Definition at line 3157 of file mbedtls_config.h.

◆ MBEDTLS_PLATFORM_C

#define MBEDTLS_PLATFORM_C

Enable the platform abstraction layer that allows you to re-assign functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().

Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned above to be specified at runtime or compile time respectively.

Note
This abstraction layer must be enabled on Windows (including MSYS2) as other modules rely on it for a fixed snprintf implementation.

Module: library/platform.c Caller: Most other .c files

This module enables abstraction of common (libc) functions.

Definition at line 3196 of file mbedtls_config.h.

◆ MBEDTLS_POLY1305_C

#define MBEDTLS_POLY1305_C

Enable the Poly1305 MAC algorithm.

Module: library/poly1305.c Caller: library/chachapoly.c

Definition at line 3206 of file mbedtls_config.h.

◆ MBEDTLS_PSA_CRYPTO_C

#define MBEDTLS_PSA_CRYPTO_C

Enable the Platform Security Architecture cryptography API.

Module: library/psa_crypto.c

Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C, or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. Auto-enables: MBEDTLS_CIPHER_C if any unauthenticated (ie, non-AEAD) cipher is enabled in PSA (unless it's fully accelerated, see docs/driver-only-builds.md about that).

Definition at line 3222 of file mbedtls_config.h.

◆ MBEDTLS_PSA_CRYPTO_STORAGE_C

#define MBEDTLS_PSA_CRYPTO_STORAGE_C

Enable the Platform Security Architecture persistent key storage.

Module: library/psa_crypto_storage.c

Requires: MBEDTLS_PSA_CRYPTO_C, either MBEDTLS_PSA_ITS_FILE_C or a native implementation of the PSA ITS interface

Definition at line 3254 of file mbedtls_config.h.

◆ MBEDTLS_PSA_ITS_FILE_C

#define MBEDTLS_PSA_ITS_FILE_C

Enable the emulation of the Platform Security Architecture Internal Trusted Storage (PSA ITS) over files.

Module: library/psa_its_file.c

Requires: MBEDTLS_FS_IO

Definition at line 3266 of file mbedtls_config.h.

◆ MBEDTLS_PSA_KEY_STORE_DYNAMIC

#define MBEDTLS_PSA_KEY_STORE_DYNAMIC

Dynamically resize the PSA key store to accommodate any number of volatile keys (until the heap memory is exhausted).

If this option is disabled, the key store has a fixed size MBEDTLS_PSA_KEY_SLOT_COUNT for volatile keys and loaded persistent keys together.

This option has no effect when MBEDTLS_PSA_CRYPTO_C is disabled.

Module: library/psa_crypto.c Requires: MBEDTLS_PSA_CRYPTO_C

Definition at line 1439 of file mbedtls_config.h.

◆ MBEDTLS_RIPEMD160_C

#define MBEDTLS_RIPEMD160_C

Enable the RIPEMD-160 hash algorithm.

Module: library/ripemd160.c Caller: library/md.c

Definition at line 3277 of file mbedtls_config.h.

◆ MBEDTLS_RSA_C

#define MBEDTLS_RSA_C

Enable the RSA public-key cryptosystem.

Module: library/rsa.c library/rsa_alt_helpers.c Caller: library/pk.c library/psa_crypto.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c

This module is used by the following key exchanges: RSA, DHE-RSA, ECDHE-RSA, RSA-PSK

Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C

Definition at line 3297 of file mbedtls_config.h.

◆ MBEDTLS_SHA1_C

#define MBEDTLS_SHA1_C

Enable the SHA1 cryptographic hash algorithm.

Module: library/sha1.c Caller: library/md.c library/psa_crypto_hash.c

This module is required for TLS 1.2 depending on the handshake parameters, and for SHA1-signed certificates.

Warning
SHA-1 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead.

Definition at line 3316 of file mbedtls_config.h.

◆ MBEDTLS_SHA224_C

#define MBEDTLS_SHA224_C

Enable the SHA-224 cryptographic hash algorithm.

Module: library/sha256.c Caller: library/md.c library/ssl_cookie.c

This module adds support for SHA-224.

Definition at line 3329 of file mbedtls_config.h.

◆ MBEDTLS_SHA256_C

#define MBEDTLS_SHA256_C

Enable the SHA-256 cryptographic hash algorithm.

Module: library/sha256.c Caller: library/entropy.c library/md.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c

This module adds support for SHA-256. This module is required for the SSL/TLS 1.2 PRF function.

Definition at line 3346 of file mbedtls_config.h.

◆ MBEDTLS_SHA384_C

#define MBEDTLS_SHA384_C

Enable the SHA-384 cryptographic hash algorithm.

Module: library/sha512.c Caller: library/md.c library/psa_crypto_hash.c library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c

Comment to disable SHA-384

Definition at line 3444 of file mbedtls_config.h.

◆ MBEDTLS_SHA3_C

#define MBEDTLS_SHA3_C

Enable the SHA3 cryptographic hash algorithm.

Module: library/sha3.c

This module adds support for SHA3.

Definition at line 3470 of file mbedtls_config.h.

◆ MBEDTLS_SHA512_C

#define MBEDTLS_SHA512_C

Enable SHA-512 cryptographic hash algorithms.

Module: library/sha512.c Caller: library/entropy.c library/md.c library/ssl_tls.c library/ssl_cookie.c

This module adds support for SHA-512.

Definition at line 3459 of file mbedtls_config.h.

◆ MBEDTLS_SSL_ALL_ALERT_MESSAGES

#define MBEDTLS_SSL_ALL_ALERT_MESSAGES

Enable sending of alert messages in case of encountered errors as per RFC.

If you choose not to send the alert messages, Mbed TLS can still communicate with other servers, only debugging of failures is harder.

The advantage of not sending alert messages, is that no information is given about reasons for failures thus preventing adversaries of gaining intel.

Enable sending of all alert messages

Definition at line 1561 of file mbedtls_config.h.

◆ MBEDTLS_SSL_ALPN

#define MBEDTLS_SSL_ALPN

Enable support for RFC 7301 Application Layer Protocol Negotiation.

Comment this macro to disable support for ALPN.

Definition at line 1915 of file mbedtls_config.h.

◆ MBEDTLS_SSL_CACHE_C

#define MBEDTLS_SSL_CACHE_C

Enable simple SSL cache implementation.

Module: library/ssl_cache.c Caller:

Requires: MBEDTLS_SSL_CACHE_C

Definition at line 3538 of file mbedtls_config.h.

◆ MBEDTLS_SSL_CLI_C

#define MBEDTLS_SSL_CLI_C

Enable the SSL/TLS client code.

Module: library/ssl*_client.c Caller:

Requires: MBEDTLS_SSL_TLS_C

This module is required for SSL/TLS client support.

Definition at line 3575 of file mbedtls_config.h.

◆ MBEDTLS_SSL_CONTEXT_SERIALIZATION

#define MBEDTLS_SSL_CONTEXT_SERIALIZATION

Enable serialization of the TLS context structures, through use of the functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load().

This pair of functions allows one side of a connection to serialize the context associated with the connection, then free or re-use that context while the serialized state is persisted elsewhere, and finally deserialize that state to a live context for resuming read/write operations on the connection. From a protocol perspective, the state of the connection is unaffected, in particular this is entirely transparent to the peer.

Note: this is distinct from TLS session resumption, which is part of the protocol and fully visible by the peer. TLS session resumption enables establishing new connections associated to a saved session with shorter, lighter handshakes, while context serialization is a local optimization in handling a single, potentially long-lived connection.

Enabling these APIs makes some SSL structures larger, as 64 extra bytes are saved after the handshake to allow for more efficient serialization, so if you don't need this feature you'll save RAM by disabling it.

Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C

Comment to disable the context serialization APIs.

Definition at line 1649 of file mbedtls_config.h.

◆ MBEDTLS_SSL_COOKIE_C

#define MBEDTLS_SSL_COOKIE_C

Enable basic implementation of DTLS cookies for hello verification.

Module: library/ssl_cookie.c Caller:

Definition at line 3548 of file mbedtls_config.h.

◆ MBEDTLS_SSL_DTLS_ANTI_REPLAY

#define MBEDTLS_SSL_DTLS_ANTI_REPLAY

Enable support for the anti-replay mechanism in DTLS.

Requires: MBEDTLS_SSL_TLS_C MBEDTLS_SSL_PROTO_DTLS

Warning
Disabling this is often a security risk! See mbedtls_ssl_conf_dtls_anti_replay() for details.

Comment this to disable anti-replay in DTLS.

Definition at line 1930 of file mbedtls_config.h.

◆ MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE

#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE

Enable server-side support for clients that reconnect from the same port.

Some clients unexpectedly close the connection and try to reconnect using the same source port. This needs special support from the server to handle the new connection securely, as described in section 4.2.8 of RFC 6347. This flag enables that support.

Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY

Comment this to disable support for clients reusing the source port.

Definition at line 1995 of file mbedtls_config.h.

◆ MBEDTLS_SSL_DTLS_CONNECTION_ID

#define MBEDTLS_SSL_DTLS_CONNECTION_ID

Enable support for the DTLS Connection ID (CID) extension, which allows to identify DTLS connections across changes in the underlying transport.

The CID functionality is described in RFC 9146.

Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`. See the corresponding documentation for more information.

The maximum lengths of outgoing and incoming CIDs can be configured through the options

  • MBEDTLS_SSL_CID_OUT_LEN_MAX
  • MBEDTLS_SSL_CID_IN_LEN_MAX.

Requires: MBEDTLS_SSL_PROTO_DTLS

Uncomment to enable the Connection ID extension.

Definition at line 1585 of file mbedtls_config.h.

◆ MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT

#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT   0

Defines whether RFC 9146 (default) or the legacy version (version draft-ietf-tls-dtls-connection-id-05, https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) is used.

Set the value to 0 for the standard version, and 1 for the legacy draft version.

Deprecated:
Support for the legacy version of the DTLS Connection ID feature is deprecated. Please switch to the standardized version defined in RFC 9146 enabled by utilizing MBEDTLS_SSL_DTLS_CONNECTION_ID without use of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT.

Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID

Definition at line 1608 of file mbedtls_config.h.

◆ MBEDTLS_SSL_DTLS_HELLO_VERIFY

#define MBEDTLS_SSL_DTLS_HELLO_VERIFY

Enable support for HelloVerifyRequest on DTLS servers.

This feature is highly recommended to prevent DTLS servers being used as amplifiers in DoS attacks against other hosts. It should always be enabled unless you know for sure amplification cannot be a problem in the environment in which your server operates.

Warning
Disabling this can be a security risk! (see above)

Requires: MBEDTLS_SSL_PROTO_DTLS

Comment this to disable support for HelloVerifyRequest.

Definition at line 1948 of file mbedtls_config.h.

◆ MBEDTLS_SSL_ENCRYPT_THEN_MAC

#define MBEDTLS_SSL_ENCRYPT_THEN_MAC

Enable support for Encrypt-then-MAC, RFC 7366.

This allows peers that both support it to use a more robust protection for ciphersuites using CBC, providing deep resistance against timing attacks on the padding or underlying cipher.

This only affects CBC ciphersuites, and is useless if none is defined.

Requires: MBEDTLS_SSL_PROTO_TLS1_2

Comment this macro to disable support for Encrypt-then-MAC

Definition at line 1681 of file mbedtls_config.h.

◆ MBEDTLS_SSL_EXTENDED_MASTER_SECRET

#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET

Enable support for RFC 7627: Session Hash and Extended Master Secret Extension.

This was introduced as "the proper fix" to the Triple Handshake family of attacks, but it is recommended to always use it (even if you disable renegotiation), since it actually fixes a more fundamental issue in the original SSL/TLS design, and has implications beyond Triple Handshake.

Requires: MBEDTLS_SSL_PROTO_TLS1_2

Comment this macro to disable support for Extended Master Secret.

Definition at line 1697 of file mbedtls_config.h.

◆ MBEDTLS_SSL_KEEP_PEER_CERTIFICATE

#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE

This option controls the availability of the API mbedtls_ssl_get_peer_cert() giving access to the peer's certificate after completion of the handshake.

Unless you need mbedtls_ssl_peer_cert() in your application, it is recommended to disable this option for reduced RAM usage.

Note
If this option is disabled, mbedtls_ssl_get_peer_cert() is still defined, but always returns NULL.
This option has no influence on the protection against the triple handshake attack. Even if it is disabled, Mbed TLS will still ensure that certificates do not change during renegotiation, for example by keeping a hash of the peer's certificate.
This option is required if MBEDTLS_SSL_PROTO_TLS1_3 is set.

Comment this macro to disable storing the peer's certificate after the handshake.

Definition at line 1721 of file mbedtls_config.h.

◆ MBEDTLS_SSL_MAX_FRAGMENT_LENGTH

#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH

Enable support for RFC 6066 max_fragment_length extension in SSL.

Comment this macro to disable support for the max_fragment_length extension

Definition at line 1754 of file mbedtls_config.h.

◆ MBEDTLS_SSL_PROTO_DTLS

#define MBEDTLS_SSL_PROTO_DTLS

Enable support for DTLS (all available versions).

Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.

Requires: MBEDTLS_SSL_PROTO_TLS1_2

Comment this macro to disable support for DTLS

Definition at line 1906 of file mbedtls_config.h.

◆ MBEDTLS_SSL_PROTO_TLS1_2

#define MBEDTLS_SSL_PROTO_TLS1_2

Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).

Requires: Without MBEDTLS_USE_PSA_CRYPTO: MBEDTLS_MD_C and (MBEDTLS_SHA256_C or MBEDTLS_SHA384_C or SHA-256 or SHA-512 provided by a PSA driver) With MBEDTLS_USE_PSA_CRYPTO: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384

Warning
If building with MBEDTLS_USE_PSA_CRYPTO, or if the hash(es) used are only provided by PSA drivers, you must call psa_crypto_init() before doing any TLS operations.

Comment this macro to disable support for TLS 1.2 / DTLS 1.2

Definition at line 1784 of file mbedtls_config.h.

◆ MBEDTLS_SSL_PROTO_TLS1_3

#define MBEDTLS_SSL_PROTO_TLS1_3

Enable support for TLS 1.3.

Note
See docs/architecture/tls13-support.md for a description of the TLS 1.3 support that this option enables.

Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE Requires: MBEDTLS_PSA_CRYPTO_C

Note
TLS 1.3 uses PSA crypto for cryptographic operations that are directly performed by TLS 1.3 code. As a consequence, when TLS 1.3 is enabled, a TLS handshake may call psa_crypto_init(), even if it ends up negotiating a different TLS version.
Cryptographic operations performed indirectly via another module (X.509, PK) or by code shared with TLS 1.2 (record protection, running handshake hash) only use PSA crypto if #MBEDTLS_USE_PSA_CRYPTO is enabled.

Uncomment this macro to enable the support for TLS 1.3.

Definition at line 1809 of file mbedtls_config.h.

◆ MBEDTLS_SSL_RENEGOTIATION

#define MBEDTLS_SSL_RENEGOTIATION

Enable support for TLS renegotiation.

The two main uses of renegotiation are (1) refresh keys on long-lived connections and (2) client authentication after the initial handshake. If you don't need renegotiation, it's probably better to disable it, since it has been associated with security issues in the past and is easy to misuse/misunderstand.

Requires: MBEDTLS_SSL_PROTO_TLS1_2

Comment this to disable support for renegotiation.

Note
Even if this option is disabled, both client and server are aware of the Renegotiation Indication Extension (RFC 5746) used to prevent the SSL renegotiation attack (see RFC 5746 Sect. 1). (See mbedtls_ssl_conf_legacy_renegotiation for the configuration of this extension).

Definition at line 1745 of file mbedtls_config.h.

◆ MBEDTLS_SSL_SERVER_NAME_INDICATION

#define MBEDTLS_SSL_SERVER_NAME_INDICATION

Enable support for RFC 6066 server name indication (SNI) in SSL.

Requires: MBEDTLS_X509_CRT_PARSE_C

Comment this macro to disable support for server name indication in SSL

Definition at line 2020 of file mbedtls_config.h.

◆ MBEDTLS_SSL_SESSION_TICKETS

#define MBEDTLS_SSL_SESSION_TICKETS

Enable support for RFC 5077 session tickets in SSL.

Client-side, provides full support for session tickets (maintenance of a session store remains the responsibility of the application, though). Server-side, you also need to provide callbacks for writing and parsing tickets, including authenticated encryption and key management. Example callbacks are provided by MBEDTLS_SSL_TICKET_C.

Comment this macro to disable support for SSL session tickets

Definition at line 2009 of file mbedtls_config.h.

◆ MBEDTLS_SSL_SRV_C

#define MBEDTLS_SSL_SRV_C

Enable the SSL/TLS server code.

Module: library/ssl*_server.c Caller:

Requires: MBEDTLS_SSL_TLS_C

This module is required for SSL/TLS server support.

Definition at line 3589 of file mbedtls_config.h.

◆ MBEDTLS_SSL_TICKET_C

#define MBEDTLS_SSL_TICKET_C

Enable an implementation of TLS server-side callbacks for session tickets.

Module: library/ssl_ticket.c Caller:

Requires: (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) && (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)

Definition at line 3561 of file mbedtls_config.h.

◆ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE

#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE

Enable TLS 1.3 middlebox compatibility mode.

As specified in Section D.4 of RFC 8446, TLS 1.3 offers a compatibility mode to make a TLS 1.3 connection more likely to pass through middle boxes expecting TLS 1.2 traffic.

Turning on the compatibility mode comes at the cost of a few added bytes on the wire, but it doesn't affect compatibility with TLS 1.3 implementations that don't use it. Therefore, unless transmission bandwidth is critical and you know that middlebox compatibility issues won't occur, it is therefore recommended to set this option.

Comment to disable compatibility mode for TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.

Definition at line 1831 of file mbedtls_config.h.

◆ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED

#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED

Enable TLS 1.3 ephemeral key exchange mode.

Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH MBEDTLS_X509_CRT_PARSE_C and at least one of: MBEDTLS_ECDSA_C or (MBEDTLS_USE_PSA_CRYPTO and PSA_WANT_ALG_ECDSA) MBEDTLS_PKCS1_V21

Comment to disable support for the ephemeral key exchange mode in TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.

Definition at line 1861 of file mbedtls_config.h.

◆ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED

#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED

Enable TLS 1.3 PSK key exchange mode.

Comment to disable support for the PSK key exchange mode in TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.

Definition at line 1843 of file mbedtls_config.h.

◆ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED

#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED

Enable TLS 1.3 PSK ephemeral key exchange mode.

Requires: PSA_WANT_ALG_ECDH or PSA_WANT_ALG_FFDH

Comment to disable support for the PSK ephemeral key exchange mode in TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any effect on the build.

Definition at line 1875 of file mbedtls_config.h.

◆ MBEDTLS_SSL_TLS_C

#define MBEDTLS_SSL_TLS_C

Enable the generic SSL/TLS code.

Module: library/ssl_tls.c Caller: library/ssl*_client.c library/ssl*_server.c

Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C and at least one of the MBEDTLS_SSL_PROTO_XXX defines

This module is required for SSL/TLS.

Definition at line 3605 of file mbedtls_config.h.

◆ MBEDTLS_THREADING_ALT

#define MBEDTLS_THREADING_ALT

Provide your own alternate threading implementation.

Requires: MBEDTLS_THREADING_C

Uncomment this to allow your own alternate threading implementation.

Definition at line 2097 of file mbedtls_config.h.

◆ MBEDTLS_THREADING_C

#define MBEDTLS_THREADING_C

Enable the threading abstraction layer.

By default Mbed TLS assumes it is used in a non-threaded environment or that contexts are not shared between threads. If you do intend to use contexts between threads, you will need to enable this layer to prevent race conditions. See also our Knowledge Base article about threading: https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading

Module: library/threading.c

This allows different threading implementations (self-implemented or provided).

You will have to enable either MBEDTLS_THREADING_ALT or MBEDTLS_THREADING_PTHREAD.

Enable this layer to allow use of mutexes within Mbed TLS

Definition at line 3627 of file mbedtls_config.h.

◆ MBEDTLS_TIMING_C

#define MBEDTLS_TIMING_C

Enable the semi-portable timing interface.

Note
The provided implementation only works on POSIX/Unix (including Linux, BSD and OS X) and Windows. On other platforms, you can either disable that module and provide your own implementations of the callbacks needed by mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide your own implementation of the whole module by setting MBEDTLS_TIMING_ALT in the current file.
The timing module will include time.h on suitable platforms regardless of the setting of MBEDTLS_HAVE_TIME, unless MBEDTLS_TIMING_ALT is used. See timing.c for more information.
See also our Knowledge Base article about porting to a new environment: https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS

Module: library/timing.c

Definition at line 3651 of file mbedtls_config.h.

◆ MBEDTLS_VERSION_C

#define MBEDTLS_VERSION_C

Enable run-time version information.

Module: library/version.c

This module provides run-time version information.

Definition at line 3662 of file mbedtls_config.h.

◆ MBEDTLS_VERSION_FEATURES

#define MBEDTLS_VERSION_FEATURES

Allow run-time checking of compile-time enabled features.

Thus allowing users to check at run-time if the library is for instance compiled with threading support via mbedtls_version_check_feature().

Requires: MBEDTLS_VERSION_C

Comment this to disable run-time checking and save ROM space

Definition at line 2183 of file mbedtls_config.h.

◆ MBEDTLS_X509_CREATE_C

#define MBEDTLS_X509_CREATE_C

Enable X.509 core for creating certificates.

Module: library/x509_create.c

Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)

Warning
If building with MBEDTLS_USE_PSA_CRYPTO, you must call psa_crypto_init() before doing any X.509 create operation.

This module is the basis for creating X.509 certificates and CSRs.

Definition at line 3743 of file mbedtls_config.h.

◆ MBEDTLS_X509_CRL_PARSE_C

#define MBEDTLS_X509_CRL_PARSE_C

Enable X.509 CRL parsing.

Module: library/x509_crl.c Caller: library/x509_crt.c

Requires: MBEDTLS_X509_USE_C

This module is required for X.509 CRL parsing.

Definition at line 3712 of file mbedtls_config.h.

◆ MBEDTLS_X509_CRT_PARSE_C

#define MBEDTLS_X509_CRT_PARSE_C

Enable X.509 certificate parsing.

Module: library/x509_crt.c Caller: library/ssl_tls.c library/ssl*_client.c library/ssl*_server.c

Requires: MBEDTLS_X509_USE_C

This module is required for X.509 certificate parsing.

Definition at line 3698 of file mbedtls_config.h.

◆ MBEDTLS_X509_CRT_WRITE_C

#define MBEDTLS_X509_CRT_WRITE_C

Enable creating X.509 certificates.

Module: library/x509_crt_write.c

Requires: MBEDTLS_X509_CREATE_C

This module is required for X.509 certificate creation.

Definition at line 3756 of file mbedtls_config.h.

◆ MBEDTLS_X509_CSR_PARSE_C

#define MBEDTLS_X509_CSR_PARSE_C

Enable X.509 Certificate Signing Request (CSR) parsing.

Module: library/x509_csr.c Caller: library/x509_crt_write.c

Requires: MBEDTLS_X509_USE_C

This module is used for reading X.509 certificate request.

Definition at line 3726 of file mbedtls_config.h.

◆ MBEDTLS_X509_CSR_WRITE_C

#define MBEDTLS_X509_CSR_WRITE_C

Enable creating X.509 Certificate Signing Requests (CSR).

Module: library/x509_csr_write.c

Requires: MBEDTLS_X509_CREATE_C

This module is required for X.509 certificate request writing.

Definition at line 3769 of file mbedtls_config.h.

◆ MBEDTLS_X509_RSASSA_PSS_SUPPORT

#define MBEDTLS_X509_RSASSA_PSS_SUPPORT

Enable parsing and verification of X.509 certificates, CRLs and CSRS signed with RSASSA-PSS (aka PKCS#1 v2.1).

Requires: MBEDTLS_PKCS1_V21

Comment this macro to disallow using RSASSA-PSS in certificates.

Definition at line 2227 of file mbedtls_config.h.

◆ MBEDTLS_X509_USE_C

#define MBEDTLS_X509_USE_C

Enable X.509 core for using certificates.

Module: library/x509.c Caller: library/x509_crl.c library/x509_crt.c library/x509_csr.c

Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)

Warning
If building with MBEDTLS_USE_PSA_CRYPTO, you must call psa_crypto_init() before doing any X.509 operation.

This module is required for the X.509 parsing modules.

Definition at line 3682 of file mbedtls_config.h.

Modified on Fri Sep 20 14:57:57 2024 by modify_doxy.py rev. 669887