Update config-default.h to the latest from Mbed TLS

config-default.h should always be a verbatim copy of the default
configuration (include/mbedtls/config.h) from Mbed TLS.
This commit is contained in:
Jaeden Amero 2019-02-08 16:07:34 +00:00
parent 67ea2c5e6d
commit e8206622ad

View file

@ -139,7 +139,7 @@
* *
* System has time.h, time(), and an implementation for * System has time.h, time(), and an implementation for
* mbedtls_platform_gmtime_r() (see below). * mbedtls_platform_gmtime_r() (see below).
* The time needs to be correct (not necesarily very accurate, but at least * The time needs to be correct (not necessarily very accurate, but at least
* the date should be correct). This is used to verify the validity period of * the date should be correct). This is used to verify the validity period of
* X.509 certificates. * X.509 certificates.
* *
@ -226,6 +226,7 @@
//#define MBEDTLS_PLATFORM_FPRINTF_ALT //#define MBEDTLS_PLATFORM_FPRINTF_ALT
//#define MBEDTLS_PLATFORM_PRINTF_ALT //#define MBEDTLS_PLATFORM_PRINTF_ALT
//#define MBEDTLS_PLATFORM_SNPRINTF_ALT //#define MBEDTLS_PLATFORM_SNPRINTF_ALT
//#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
//#define MBEDTLS_PLATFORM_NV_SEED_ALT //#define MBEDTLS_PLATFORM_NV_SEED_ALT
//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT //#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
@ -256,6 +257,48 @@
*/ */
//#define MBEDTLS_DEPRECATED_REMOVED //#define MBEDTLS_DEPRECATED_REMOVED
/**
* \def MBEDTLS_CHECK_PARAMS
*
* This configuration option controls whether the library validates more of
* the parameters passed to it.
*
* When this flag is not defined, the library only attempts to validate an
* input parameter if: (1) they may come from the outside world (such as the
* network, the filesystem, etc.) or (2) not validating them could result in
* internal memory errors such as overflowing a buffer controlled by the
* library. On the other hand, it doesn't attempt to validate parameters whose
* values are fully controlled by the application (such as pointers).
*
* When this flag is defined, the library additionally attempts to validate
* parameters that are fully controlled by the application, and should always
* be valid if the application code is fully correct and trusted.
*
* For example, when a function accepts as input a pointer to a buffer that may
* contain untrusted data, and its documentation mentions that this pointer
* must not be NULL:
* - the pointer is checked to be non-NULL only if this option is enabled
* - the content of the buffer is always validated
*
* When this flag is defined, if a library function receives a parameter that
* is invalid, it will:
* - invoke the macro MBEDTLS_PARAM_FAILED() which by default expands to a
* call to the function mbedtls_param_failed()
* - immediately return (with a specific error code unless the function
* returns void and can't communicate an error).
*
* When defining this flag, you also need to:
* - either provide a definition of the function mbedtls_param_failed() in
* your application (see platform_util.h for its prototype) as the library
* calls that function, but does not provide a default definition for it,
* - or provide a different definition of the macro MBEDTLS_PARAM_FAILED()
* below if the above mechanism is not flexible enough to suit your needs.
* See the documentation of this macro later in this file.
*
* Uncomment to enable validation of application-controlled parameters.
*/
//#define MBEDTLS_CHECK_PARAMS
/* \} name SECTION: System support */ /* \} name SECTION: System support */
/** /**
@ -359,7 +402,7 @@
* \note Because of a signature change, the core AES encryption and decryption routines are * \note Because of a signature change, the core AES encryption and decryption routines are
* currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt, * currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
* respectively. When setting up alternative implementations, these functions should * respectively. When setting up alternative implementations, these functions should
* be overriden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt * be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
* must stay untouched. * must stay untouched.
* *
* \note If you use the AES_xxx_ALT macros, then is is recommended to also set * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
@ -414,11 +457,11 @@
* unsigned char mbedtls_internal_ecp_grp_capable( * unsigned char mbedtls_internal_ecp_grp_capable(
* const mbedtls_ecp_group *grp ) * const mbedtls_ecp_group *grp )
* int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ) * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
* void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp ) * void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp )
* The mbedtls_internal_ecp_grp_capable function should return 1 if the * The mbedtls_internal_ecp_grp_capable function should return 1 if the
* replacement functions implement arithmetic for the given group and 0 * replacement functions implement arithmetic for the given group and 0
* otherwise. * otherwise.
* The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are
* called before and after each point operation and provide an opportunity to * called before and after each point operation and provide an opportunity to
* implement optimized set up and tear down instructions. * implement optimized set up and tear down instructions.
* *
@ -1159,6 +1202,30 @@
*/ */
#define MBEDTLS_PKCS1_V21 #define MBEDTLS_PKCS1_V21
/**
* \def MBEDTLS_PSA_CRYPTO_SPM
*
* When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
* Partition Manager) integration which separates the code into two parts: a
* NSPE (Non-Secure Process Environment) and an SPE (Secure Process
* Environment).
*
* Module: library/psa_crypto.c
* Requires: MBEDTLS_PSA_CRYPTO_C
*
*/
//#define MBEDTLS_PSA_CRYPTO_SPM
/**
* \def MBEDTLS_PSA_HAS_ITS_IO
*
* Enable the non-volatile secure storage usage.
*
* This is crucial on systems that do not have a HW TRNG support.
*
*/
//#define MBEDTLS_PSA_HAS_ITS_IO
/** /**
* \def MBEDTLS_RSA_NO_CRT * \def MBEDTLS_RSA_NO_CRT
* *
@ -1496,7 +1563,7 @@
* \def MBEDTLS_SSL_SESSION_TICKETS * \def MBEDTLS_SSL_SESSION_TICKETS
* *
* Enable support for RFC 5077 session tickets in SSL. * Enable support for RFC 5077 session tickets in SSL.
* Client-side, provides full support for session tickets (maintainance of a * Client-side, provides full support for session tickets (maintenance of a
* session store remains the responsibility of the application, though). * session store remains the responsibility of the application, though).
* Server-side, you also need to provide callbacks for writing and parsing * Server-side, you also need to provide callbacks for writing and parsing
* tickets, including authenticated encryption and key management. Example * tickets, including authenticated encryption and key management. Example
@ -1582,6 +1649,24 @@
*/ */
//#define MBEDTLS_THREADING_PTHREAD //#define MBEDTLS_THREADING_PTHREAD
/**
* \def MBEDTLS_USE_PSA_CRYPTO
*
* Make the X.509 and TLS library use PSA for cryptographic operations, see
* #MBEDTLS_PSA_CRYPTO_C.
*
* Note: this option is still in progress, the full X.509 and TLS modules are
* not covered yet, but parts that are not ported to PSA yet will still work
* as usual, so enabling this option should not break backwards compatibility.
*
* \warning Support for PSA is still an experimental feature.
* Any public API that depends on this option may change
* at any time until this warning is removed.
*
* Requires: MBEDTLS_PSA_CRYPTO_C.
*/
//#define MBEDTLS_USE_PSA_CRYPTO
/** /**
* \def MBEDTLS_VERSION_FEATURES * \def MBEDTLS_VERSION_FEATURES
* *
@ -1662,7 +1747,7 @@
* *
* \warning TLS-level compression MAY REDUCE SECURITY! See for example the * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
* CRIME attack. Before enabling this option, you should examine with care if * CRIME attack. Before enabling this option, you should examine with care if
* CRIME or similar exploits may be a applicable to your use case. * CRIME or similar exploits may be applicable to your use case.
* *
* \note Currently compression can't be used with DTLS. * \note Currently compression can't be used with DTLS.
* *
@ -2590,6 +2675,65 @@
*/ */
#define MBEDTLS_POLY1305_C #define MBEDTLS_POLY1305_C
/**
* \def MBEDTLS_PSA_CRYPTO_C
*
* Enable the Platform Security Architecture cryptography API.
*
* \note This option only has an effect when the build option
* USE_CRYPTO_SUBMODULE is also in use.
*
* \warning This feature is experimental and available on an opt-in basis only.
* PSA APIs are subject to change at any time. The implementation comes with
* less assurance and support than the rest of Mbed TLS.
*
* Module: crypto/library/psa_crypto.c
*
* Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
*
*/
//#define MBEDTLS_PSA_CRYPTO_C
/**
* \def MBEDTLS_PSA_CRYPTO_STORAGE_C
*
* Enable the Platform Security Architecture persistent key storage.
*
* Module: library/psa_crypto_storage.c
*
* Requires: MBEDTLS_PSA_CRYPTO_C and one of either
* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C or MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
* (but not both)
*
*/
//#define MBEDTLS_PSA_CRYPTO_STORAGE_C
/**
* \def MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
*
* Enable persistent key storage over files for the
* Platform Security Architecture cryptography API.
*
* Module: library/psa_crypto_storage_file.c
*
* Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_FS_IO
*
*/
//#define MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
/**
* \def MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
*
* Enable persistent key storage over PSA ITS for the
* Platform Security Architecture cryptography API.
*
* Module: library/psa_crypto_storage_its.c
*
* Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_HAS_ITS_IO
*
*/
//#define MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
/** /**
* \def MBEDTLS_RIPEMD160_C * \def MBEDTLS_RIPEMD160_C
* *
@ -2974,7 +3118,7 @@
//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ //#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
//#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */
/* Note: your snprintf must correclty zero-terminate the buffer! */ /* Note: your snprintf must correctly zero-terminate the buffer! */
//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */
//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */ //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */
@ -2991,11 +3135,42 @@
//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ //#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
/* Note: your snprintf must correclty zero-terminate the buffer! */ /* Note: your snprintf must correctly zero-terminate the buffer! */
//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_VSNPRINTF_MACRO vsnprintf /**< Default vsnprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
/**
* \brief This macro is invoked by the library when an invalid parameter
* is detected that is only checked with MBEDTLS_CHECK_PARAMS
* (see the documentation of that option for context).
*
* When you leave this undefined here, a default definition is
* provided that invokes the function mbedtls_param_failed(),
* which is declared in platform_util.h for the benefit of the
* library, but that you need to define in your application.
*
* When you define this here, this replaces the default
* definition in platform_util.h (which no longer declares the
* function mbedtls_param_failed()) and it is your responsibility
* to make sure this macro expands to something suitable (in
* particular, that all the necessary declarations are visible
* from within the library - you can ensure that by providing
* them in this file next to the macro definition).
*
* Note that you may define this macro to expand to nothing, in
* which case you don't have to worry about declarations or
* definitions. However, you will then be notified about invalid
* parameters only in non-void functions, and void function will
* just silently return early on invalid parameters, which
* partially negates the benefits of enabling
* #MBEDTLS_CHECK_PARAMS in the first place, so is discouraged.
*
* \param cond The expression that should evaluate to true, but doesn't.
*/
//#define MBEDTLS_PARAM_FAILED( cond ) assert( cond )
/* SSL Cache options */ /* SSL Cache options */
//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */ //#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /**< 1 day */
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */ //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
@ -3004,31 +3179,65 @@
/** \def MBEDTLS_SSL_MAX_CONTENT_LEN /** \def MBEDTLS_SSL_MAX_CONTENT_LEN
* *
* Maximum fragment length in bytes. * Maximum length (in bytes) of incoming and outgoing plaintext fragments.
* *
* Determines the size of both the incoming and outgoing TLS I/O buffers. * This determines the size of both the incoming and outgoing TLS I/O buffers
* in such a way that both are capable of holding the specified amount of
* plaintext data, regardless of the protection mechanism used.
* *
* Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN * To configure incoming and outgoing I/O buffers separately, use
* will override this length by setting maximum incoming and/or outgoing * #MBEDTLS_SSL_IN_CONTENT_LEN and #MBEDTLS_SSL_OUT_CONTENT_LEN,
* fragment length, respectively. * which overwrite the value set by this option.
*
* \note When using a value less than the default of 16KB on the client, it is
* recommended to use the Maximum Fragment Length (MFL) extension to
* inform the server about this limitation. On the server, there
* is no supported, standardized way of informing the client about
* restriction on the maximum size of incoming messages, and unless
* the limitation has been communicated by other means, it is recommended
* to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
* while keeping the default value of 16KB for the incoming buffer.
*
* Uncomment to set the maximum plaintext size of both
* incoming and outgoing I/O buffers.
*/ */
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 //#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384
/** \def MBEDTLS_SSL_IN_CONTENT_LEN /** \def MBEDTLS_SSL_IN_CONTENT_LEN
* *
* Maximum incoming fragment length in bytes. * Maximum length (in bytes) of incoming plaintext fragments.
* *
* Uncomment to set the size of the inward TLS buffer independently of the * This determines the size of the incoming TLS I/O buffer in such a way
* outward buffer. * that it is capable of holding the specified amount of plaintext data,
* regardless of the protection mechanism used.
*
* If this option is undefined, it inherits its value from
* #MBEDTLS_SSL_MAX_CONTENT_LEN.
*
* \note When using a value less than the default of 16KB on the client, it is
* recommended to use the Maximum Fragment Length (MFL) extension to
* inform the server about this limitation. On the server, there
* is no supported, standardized way of informing the client about
* restriction on the maximum size of incoming messages, and unless
* the limitation has been communicated by other means, it is recommended
* to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
* while keeping the default value of 16KB for the incoming buffer.
*
* Uncomment to set the maximum plaintext size of the incoming I/O buffer
* independently of the outgoing I/O buffer.
*/ */
//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 //#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN /** \def MBEDTLS_SSL_OUT_CONTENT_LEN
* *
* Maximum outgoing fragment length in bytes. * Maximum length (in bytes) of outgoing plaintext fragments.
* *
* Uncomment to set the size of the outward TLS buffer independently of the * This determines the size of the outgoing TLS I/O buffer in such a way
* inward buffer. * that it is capable of holding the specified amount of plaintext data,
* regardless of the protection mechanism used.
*
* If this option undefined, it inherits its value from
* #MBEDTLS_SSL_MAX_CONTENT_LEN.
* *
* It is possible to save RAM by setting a smaller outward buffer, while keeping * It is possible to save RAM by setting a smaller outward buffer, while keeping
* the default inward 16384 byte buffer to conform to the TLS specification. * the default inward 16384 byte buffer to conform to the TLS specification.
@ -3038,11 +3247,8 @@
* The specific size requirement depends on the configured ciphers and any * The specific size requirement depends on the configured ciphers and any
* certificate data which is sent during the handshake. * certificate data which is sent during the handshake.
* *
* For absolute minimum RAM usage, it's best to enable * Uncomment to set the maximum plaintext size of the outgoing I/O buffer
* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This * independently of the incoming I/O buffer.
* reduces both incoming and outgoing buffer sizes. However this is only
* guaranteed if the other end of the connection also supports the TLS
* max_fragment_len extension. Otherwise the connection may fail.
*/ */
//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 //#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384