ReactOS 0.4.15-dev-7931-gfd331f1
config.h File Reference

Configuration options (set of defines) More...

#include "check_config.h"
Include dependency graph for config.h:

Go to the source code of this file.

Macros

SECTION: System support

This section sets system specific settings.

#define MBEDTLS_HAVE_ASM
 
SECTION: mbed TLS feature support

This section sets support for features that are or are not needed within the modules that are enabled.

#define MBEDTLS_CIPHER_MODE_CBC
 
#define MBEDTLS_CIPHER_MODE_CFB
 
#define MBEDTLS_CIPHER_MODE_CTR
 
#define MBEDTLS_CIPHER_MODE_OFB
 
#define MBEDTLS_CIPHER_MODE_XTS
 
#define MBEDTLS_CIPHER_PADDING_PKCS7
 
#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
 
#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
 
#define MBEDTLS_CIPHER_PADDING_ZEROS
 
#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
 
#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
 
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
 
#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
 
#define MBEDTLS_ECP_DP_BP256R1_ENABLED
 
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
 
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
 
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
 
#define MBEDTLS_ECP_DP_CURVE448_ENABLED
 
#define MBEDTLS_ECP_NIST_OPTIM
 
#define MBEDTLS_ECDSA_DETERMINISTIC
 
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 
#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
 
#define MBEDTLS_PK_PARSE_EC_EXTENDED
 
#define MBEDTLS_ERROR_STRERROR_DUMMY
 
#define MBEDTLS_GENPRIME
 
#define MBEDTLS_ENTROPY_FORCE_SHA256   /* swyter: ReactOS is primarily 32-bit only, this speeds it up notably */
 
#define MBEDTLS_PK_RSA_ALT_SUPPORT
 
#define MBEDTLS_PKCS1_V15
 
#define MBEDTLS_PKCS1_V21
 
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
 
#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
 
#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 
#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
 
#define MBEDTLS_SSL_RENEGOTIATION
 
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 
#define MBEDTLS_SSL_PROTO_TLS1
 
#define MBEDTLS_SSL_PROTO_TLS1_1
 
#define MBEDTLS_SSL_PROTO_TLS1_2
 
#define MBEDTLS_SSL_ALPN
 
#define MBEDTLS_SSL_SESSION_TICKETS
 
#define MBEDTLS_SSL_SERVER_NAME_INDICATION
 
#define MBEDTLS_SSL_TRUNCATED_HMAC
 
#define MBEDTLS_X509_CHECK_KEY_USAGE
 
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
 
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
 
SECTION: mbed TLS modules

This section enables or disables entire modules in mbed TLS

#define MBEDTLS_AESNI_C   /* swyter: looks like these AMD64 improvements are behind an arch macro, better perf is always good */
 
#define MBEDTLS_AES_C
 
#define MBEDTLS_ARC4_C
 
#define MBEDTLS_ASN1_PARSE_C
 
#define MBEDTLS_ASN1_WRITE_C
 
#define MBEDTLS_BIGNUM_C
 
#define MBEDTLS_BLOWFISH_C
 
#define MBEDTLS_CAMELLIA_C
 
#define MBEDTLS_CCM_C
 
#define MBEDTLS_CIPHER_C
 
#define MBEDTLS_CTR_DRBG_C
 
#define MBEDTLS_DES_C
 
#define MBEDTLS_DHM_C
 
#define MBEDTLS_ECDH_C
 
#define MBEDTLS_ECDSA_C
 
#define MBEDTLS_ECP_C
 
#define MBEDTLS_ENTROPY_C
 
#define MBEDTLS_GCM_C
 
#define MBEDTLS_HMAC_DRBG_C
 
#define MBEDTLS_MD_C
 
#define MBEDTLS_MD5_C
 
#define MBEDTLS_OID_C
 
#define MBEDTLS_PADLOCK_C
 
#define MBEDTLS_PK_C
 
#define MBEDTLS_PK_PARSE_C
 
#define MBEDTLS_PKCS5_C
 
#define MBEDTLS_PKCS12_C
 
#define MBEDTLS_PLATFORM_C
 
#define MBEDTLS_RIPEMD160_C
 
#define MBEDTLS_RSA_C
 
#define MBEDTLS_SHA1_C
 
#define MBEDTLS_SHA256_C
 
#define MBEDTLS_SHA512_C
 
#define MBEDTLS_SSL_TICKET_C
 
#define MBEDTLS_SSL_CLI_C
 
#define MBEDTLS_SSL_TLS_C
 
#define MBEDTLS_TIMING_C
 
#define MBEDTLS_X509_USE_C
 
#define MBEDTLS_X509_CRT_PARSE_C
 
#define MBEDTLS_XTEA_C
 
SECTION: Module configuration options

This section allows for the setting of module specific sizes and configuration options. The default values are already present in the relevant header files and should suffice for the regular use cases.

Our advice is to enable options and change their values here only if you have a good reason and know the consequences.

Please check the respective header file for documentation on these parameters (to prevent duplicate documentation).

#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 

Detailed Description

Configuration options (set of defines)

This set of compile-time options may be used to enable or disable features selectively, and reduce the global memory footprint.

Definition in file config.h.

Macro Definition Documentation

◆ MBEDTLS_AES_C

#define MBEDTLS_AES_C

Enable the AES block cipher.

Module: library/aes.c Caller: library/cipher.c library/pem.c library/ctr_drbg.c

This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA

PEM_PARSE uses AES for decrypting encrypted keys.

Definition at line 1980 of file config.h.

◆ MBEDTLS_AESNI_C

#define MBEDTLS_AESNI_C   /* swyter: looks like these AMD64 improvements are behind an arch macro, better perf is always good */

Enable AES-NI support on x86-64.

Module: library/aesni.c Caller: library/aes.c

Requires: MBEDTLS_HAVE_ASM

This modules adds support for the AES-NI instructions on x86-64

Definition at line 1905 of file config.h.

◆ MBEDTLS_ARC4_C

#define MBEDTLS_ARC4_C

Enable the ARCFOUR stream cipher.

Module: library/arc4.c Caller: library/cipher.c

This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_PSK_WITH_RC4_128_SHA

Warning
ARC4 is considered a weak cipher and its use constitutes a security risk. If possible, we recommend avoidng dependencies on it, and considering stronger ciphers instead.

Definition at line 2008 of file config.h.

◆ MBEDTLS_ASN1_PARSE_C

#define MBEDTLS_ASN1_PARSE_C

Enable the generic ASN1 parser.

Module: library/asn1.c Caller: library/x509.c library/dhm.c library/pkcs12.c library/pkcs5.c library/pkparse.c

Definition at line 2022 of file config.h.

◆ MBEDTLS_ASN1_WRITE_C

#define MBEDTLS_ASN1_WRITE_C

Enable the generic ASN1 writer.

Module: library/asn1write.c Caller: library/ecdsa.c library/pkwrite.c library/x509_create.c library/x509write_crt.c library/x509write_csr.c

Definition at line 2036 of file config.h.

◆ MBEDTLS_BIGNUM_C

#define MBEDTLS_BIGNUM_C

Enable the multi-precision integer library.

Module: library/bignum.c Caller: library/dhm.c library/ecp.c library/ecdsa.c library/rsa.c library/rsa_internal.c library/ssl_tls.c

This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.

Definition at line 2065 of file config.h.

◆ MBEDTLS_BLOWFISH_C

#define MBEDTLS_BLOWFISH_C

Enable the Blowfish block cipher.

Module: library/blowfish.c

Definition at line 2074 of file config.h.

◆ MBEDTLS_CAMELLIA_C

#define MBEDTLS_CAMELLIA_C

Enable the Camellia block cipher.

Module: library/camellia.c Caller: library/cipher.c

This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256

Definition at line 2129 of file config.h.

◆ MBEDTLS_CCM_C

#define MBEDTLS_CCM_C

Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.

Module: library/ccm.c

Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C

This module enables the AES-CCM ciphersuites, if other requisites are enabled as well.

Definition at line 2195 of file config.h.

◆ MBEDTLS_CIPHER_C

#define MBEDTLS_CIPHER_C

Enable the generic cipher layer.

Module: library/cipher.c Caller: library/ssl_tls.c

Uncomment to enable generic cipher wrappers.

Definition at line 2239 of file config.h.

◆ MBEDTLS_CIPHER_MODE_CBC

#define MBEDTLS_CIPHER_MODE_CBC

Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.

Definition at line 674 of file config.h.

◆ MBEDTLS_CIPHER_MODE_CFB

#define MBEDTLS_CIPHER_MODE_CFB

Enable Cipher Feedback mode (CFB) for symmetric ciphers.

Definition at line 681 of file config.h.

◆ MBEDTLS_CIPHER_MODE_CTR

#define MBEDTLS_CIPHER_MODE_CTR

Enable Counter Block Cipher mode (CTR) for symmetric ciphers.

Definition at line 688 of file config.h.

◆ MBEDTLS_CIPHER_MODE_OFB

#define MBEDTLS_CIPHER_MODE_OFB

Enable Output Feedback mode (OFB) for symmetric ciphers.

Definition at line 695 of file config.h.

◆ MBEDTLS_CIPHER_MODE_XTS

#define MBEDTLS_CIPHER_MODE_XTS

Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.

Definition at line 702 of file config.h.

◆ MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS

#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS

Definition at line 749 of file config.h.

◆ MBEDTLS_CIPHER_PADDING_PKCS7

#define MBEDTLS_CIPHER_PADDING_PKCS7

MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for specific padding modes in the cipher layer with cipher modes that support padding (e.g. CBC)

If you disable all padding modes, only full blocks can be used with CBC.

Enable padding modes in the cipher layer.

Definition at line 748 of file config.h.

◆ MBEDTLS_CIPHER_PADDING_ZEROS

#define MBEDTLS_CIPHER_PADDING_ZEROS

Definition at line 751 of file config.h.

◆ MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN

#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN

Definition at line 750 of file config.h.

◆ MBEDTLS_CTR_DRBG_C

#define MBEDTLS_CTR_DRBG_C

Enable the CTR_DRBG AES-based random generator. The CTR_DRBG generator uses AES-256 by default. To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.

Note
To achieve a 256-bit security strength with CTR_DRBG, you must use AES-256 and use sufficient entropy. See ctr_drbg.h for more details.

Module: library/ctr_drbg.c Caller:

Requires: MBEDTLS_AES_C

This module provides the CTR_DRBG AES random number generator.

Definition at line 2272 of file config.h.

◆ MBEDTLS_DES_C

#define MBEDTLS_DES_C

Enable the DES block cipher.

Module: library/des.c Caller: library/pem.c library/cipher.c

This module enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA

PEM_PARSE uses DES/3DES for decrypting encrypted keys.

Warning
DES is considered a weak cipher and its use constitutes a security risk. We recommend considering stronger ciphers instead.

Definition at line 2315 of file config.h.

◆ MBEDTLS_DHM_C

#define MBEDTLS_DHM_C

Enable the Diffie-Hellman-Merkle module.

Module: library/dhm.c Caller: library/ssl_cli.c library/ssl_srv.c

This module is used by the following key exchanges: DHE-RSA, DHE-PSK

Warning
Using DHE constitutes a security risk as it is not possible to validate custom DH parameters. If possible, it is recommended users should consider preferring other methods of key exchange. See dhm.h for more details.

Definition at line 2336 of file config.h.

◆ MBEDTLS_ECDH_C

#define MBEDTLS_ECDH_C

Enable the elliptic curve Diffie-Hellman library.

Module: library/ecdh.c Caller: library/ssl_cli.c library/ssl_srv.c

This module is used by the following key exchanges: ECDHE-ECDSA, ECDHE-RSA, DHE-PSK

Requires: MBEDTLS_ECP_C

Definition at line 2352 of file config.h.

◆ MBEDTLS_ECDSA_C

#define MBEDTLS_ECDSA_C

Enable the elliptic curve DSA library.

Module: library/ecdsa.c Caller:

This module is used by the following key exchanges: ECDHE-ECDSA

Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C

Definition at line 2367 of file config.h.

◆ MBEDTLS_ECDSA_DETERMINISTIC

#define MBEDTLS_ECDSA_DETERMINISTIC

Enable deterministic ECDSA (RFC 6979). Standard ECDSA is "fragile" in the sense that lack of entropy when signing may result in a compromise of the long-term signing key. This is avoided by the deterministic variant.

Requires: MBEDTLS_HMAC_DRBG_C

Comment this macro to disable deterministic ECDSA.

Definition at line 902 of file config.h.

◆ MBEDTLS_ECP_C

#define MBEDTLS_ECP_C

Enable the elliptic curve over GF(p) library.

Module: library/ecp.c Caller: library/ecdh.c library/ecdsa.c library/ecjpake.c

Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED

Definition at line 2400 of file config.h.

◆ MBEDTLS_ECP_DP_BP256R1_ENABLED

#define MBEDTLS_ECP_DP_BP256R1_ENABLED

Definition at line 827 of file config.h.

◆ MBEDTLS_ECP_DP_BP384R1_ENABLED

#define MBEDTLS_ECP_DP_BP384R1_ENABLED

Definition at line 828 of file config.h.

◆ MBEDTLS_ECP_DP_BP512R1_ENABLED

#define MBEDTLS_ECP_DP_BP512R1_ENABLED

Definition at line 829 of file config.h.

◆ MBEDTLS_ECP_DP_CURVE25519_ENABLED

#define MBEDTLS_ECP_DP_CURVE25519_ENABLED

Definition at line 830 of file config.h.

◆ MBEDTLS_ECP_DP_CURVE448_ENABLED

#define MBEDTLS_ECP_DP_CURVE448_ENABLED

Definition at line 831 of file config.h.

◆ MBEDTLS_ECP_DP_SECP192K1_ENABLED

#define MBEDTLS_ECP_DP_SECP192K1_ENABLED

Definition at line 824 of file config.h.

◆ MBEDTLS_ECP_DP_SECP192R1_ENABLED

#define MBEDTLS_ECP_DP_SECP192R1_ENABLED

MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve module. By default all supported curves are enabled.

Comment macros to disable the curve and functions for it

Definition at line 819 of file config.h.

◆ MBEDTLS_ECP_DP_SECP224K1_ENABLED

#define MBEDTLS_ECP_DP_SECP224K1_ENABLED

Definition at line 825 of file config.h.

◆ MBEDTLS_ECP_DP_SECP224R1_ENABLED

#define MBEDTLS_ECP_DP_SECP224R1_ENABLED

Definition at line 820 of file config.h.

◆ MBEDTLS_ECP_DP_SECP256K1_ENABLED

#define MBEDTLS_ECP_DP_SECP256K1_ENABLED

Definition at line 826 of file config.h.

◆ MBEDTLS_ECP_DP_SECP256R1_ENABLED

#define MBEDTLS_ECP_DP_SECP256R1_ENABLED

Definition at line 821 of file config.h.

◆ MBEDTLS_ECP_DP_SECP384R1_ENABLED

#define MBEDTLS_ECP_DP_SECP384R1_ENABLED

Definition at line 822 of file config.h.

◆ MBEDTLS_ECP_DP_SECP521R1_ENABLED

#define MBEDTLS_ECP_DP_SECP521R1_ENABLED

Definition at line 823 of file config.h.

◆ MBEDTLS_ECP_NIST_OPTIM

#define MBEDTLS_ECP_NIST_OPTIM

Enable specific 'modulo p' routines for each NIST prime. Depending on the prime and architecture, makes operations 4 to 8 times faster on the corresponding curve.

Comment this macro to disable NIST curves optimisation.

Definition at line 842 of file config.h.

◆ MBEDTLS_ENTROPY_C

#define MBEDTLS_ENTROPY_C

Enable the platform-specific entropy code.

Module: library/entropy.c Caller:

Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C

This module provides a generic entropy pool

Definition at line 2414 of file config.h.

◆ MBEDTLS_ENTROPY_FORCE_SHA256

#define MBEDTLS_ENTROPY_FORCE_SHA256   /* swyter: ReactOS is primarily 32-bit only, this speeds it up notably */

Force the entropy accumulator to use a SHA-256 accumulator instead of the default SHA-512 based one (if both are available).

Requires: MBEDTLS_SHA256_C

On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option if you have performance concerns.

This option is only useful if both MBEDTLS_SHA256_C and MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.

Definition at line 1262 of file config.h.

◆ MBEDTLS_ERROR_STRERROR_DUMMY

#define MBEDTLS_ERROR_STRERROR_DUMMY

Enable a dummy error function to make use of mbedtls_strerror() in third party libraries easier when MBEDTLS_ERROR_C is disabled (no effect when MBEDTLS_ERROR_C is enabled).

You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're not using mbedtls_strerror() or error_strerror() in your application.

Disable if you run into name conflicts and want to really remove the mbedtls_strerror()

Definition at line 1206 of file config.h.

◆ MBEDTLS_GCM_C

#define MBEDTLS_GCM_C

Enable the Galois/Counter Mode (GCM) for AES.

Module: library/gcm.c

Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C

This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other requisites are enabled as well.

Definition at line 2440 of file config.h.

◆ MBEDTLS_GENPRIME

#define MBEDTLS_GENPRIME

Enable the prime-number generation code.

Requires: MBEDTLS_BIGNUM_C

Definition at line 1215 of file config.h.

◆ MBEDTLS_HAVE_ASM

#define MBEDTLS_HAVE_ASM

The compiler has support for asm().

Requires support for asm() in compiler.

Used in: library/aria.c library/timing.c include/mbedtls/bn_mul.h

Required by: MBEDTLS_AESNI_C MBEDTLS_PADLOCK_C

Comment to disable the use of assembly code.

Definition at line 86 of file config.h.

◆ MBEDTLS_HMAC_DRBG_C

#define MBEDTLS_HMAC_DRBG_C

Enable the HMAC_DRBG random generator.

Module: library/hmac_drbg.c Caller:

Requires: MBEDTLS_MD_C

Uncomment to enable the HMAC_DRBG random number geerator.

Definition at line 2492 of file config.h.

◆ MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED

Enable the DHE-RSA based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

Warning
Using DHE constitutes a security risk as it is not possible to validate custom DH parameters. If possible, it is recommended users should consider preferring other methods of key exchange. See dhm.h for more details.

Definition at line 1061 of file config.h.

◆ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED

Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384

Definition at line 1134 of file config.h.

◆ MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED

Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384

Definition at line 1158 of file config.h.

◆ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED

Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

Definition at line 1110 of file config.h.

◆ MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED

Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA

Definition at line 1086 of file config.h.

◆ MBEDTLS_KEY_EXCHANGE_RSA_ENABLED

#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED

Enable the RSA-only based ciphersuite modes in SSL / TLS.

Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, MBEDTLS_X509_CRT_PARSE_C

This enables the following ciphersuites (if other requisites are enabled as well): MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_MD5

Definition at line 1028 of file config.h.

◆ MBEDTLS_MD5_C

#define MBEDTLS_MD5_C

Enable the MD5 hash algorithm.

Module: library/md5.c Caller: library/md.c library/pem.c library/ssl_tls.c

This module is required for SSL/TLS up to version 1.1, and for TLS 1.2 depending on the handshake parameters. Further, it is used for checking MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded encrypted keys.

Warning
MD5 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead.

Definition at line 2573 of file config.h.

◆ MBEDTLS_MD_C

#define MBEDTLS_MD_C

Enable the generic message digest layer.

Module: library/md.c Caller:

Uncomment to enable generic message digest wrappers.

Definition at line 2517 of file config.h.

◆ MBEDTLS_OID_C

#define MBEDTLS_OID_C

Enable the OID database.

Module: library/oid.c Caller: library/asn1write.c library/pkcs5.c library/pkparse.c library/pkwrite.c library/rsa.c library/x509.c library/x509_create.c library/x509_crl.c library/x509_crt.c library/x509_csr.c library/x509write_crt.c library/x509write_csr.c

This modules translates between OIDs and internal values.

Definition at line 2631 of file config.h.

◆ MBEDTLS_PADLOCK_C

#define MBEDTLS_PADLOCK_C

Enable VIA Padlock support on x86.

Module: library/padlock.c Caller: library/aes.c

Requires: MBEDTLS_HAVE_ASM

This modules adds support for the VIA PadLock on x86.

Definition at line 2645 of file config.h.

◆ MBEDTLS_PK_C

#define MBEDTLS_PK_C

Enable the generic public (asymetric) key layer.

Module: library/pk.c Caller: library/ssl_tls.c library/ssl_cli.c library/ssl_srv.c

Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C

Uncomment to enable generic public key wrappers.

Definition at line 2695 of file config.h.

◆ MBEDTLS_PK_PARSE_C

#define MBEDTLS_PK_PARSE_C

Enable the generic public (asymetric) key parser.

Module: library/pkparse.c Caller: library/x509_crt.c library/x509_csr.c

Requires: MBEDTLS_PK_C

Uncomment to enable generic public key parse functions.

Definition at line 2710 of file config.h.

◆ MBEDTLS_PK_PARSE_EC_EXTENDED

#define MBEDTLS_PK_PARSE_EC_EXTENDED

Enhance support for reading EC keys using variants of SEC1 not allowed by RFC 5915 and RFC 5480.

Currently this means parsing the SpecifiedECDomain choice of EC parameters (only known groups are supported, not arbitrary domains, to avoid validation issues).

Disable if you only need to support RFC 5915 + 5480 key formats.

Definition at line 1191 of file config.h.

◆ MBEDTLS_PK_RSA_ALT_SUPPORT

#define MBEDTLS_PK_RSA_ALT_SUPPORT

Support external private RSA keys (eg from a HSM) in the PK layer.

Comment this macro to disable support for external private RSA keys.

Definition at line 1324 of file config.h.

◆ MBEDTLS_PKCS12_C

#define MBEDTLS_PKCS12_C

Enable PKCS#12 PBE functions. Adds algorithms for parsing PKCS#8 encrypted private keys

Module: library/pkcs12.c Caller: library/pkparse.c

Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C Can use: MBEDTLS_ARC4_C

This module enables PKCS#12 functions.

Definition at line 2768 of file config.h.

◆ MBEDTLS_PKCS1_V15

#define MBEDTLS_PKCS1_V15

Enable support for PKCS#1 v1.5 encoding.

Requires: MBEDTLS_RSA_C

This enables support for PKCS#1 v1.5 operations.

Definition at line 1335 of file config.h.

◆ MBEDTLS_PKCS1_V21

#define MBEDTLS_PKCS1_V21

Enable support for PKCS#1 v2.1 encoding.

Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C

This enables support for RSAES-OAEP and RSASSA-PSS operations.

Definition at line 1346 of file config.h.

◆ MBEDTLS_PKCS5_C

#define MBEDTLS_PKCS5_C

Enable PKCS#5 functions.

Module: library/pkcs5.c

Requires: MBEDTLS_MD_C

This module adds support for the PKCS#5 functions.

Definition at line 2737 of file config.h.

◆ MBEDTLS_PLATFORM_C

#define MBEDTLS_PLATFORM_C

Enable the platform abstraction layer that allows you to re-assign functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().

Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned above to be specified at runtime or compile time respectively.

Note
This abstraction layer must be enabled on Windows (including MSYS2) as other module rely on it for a fixed snprintf implementation.

Module: library/platform.c Caller: Most other .c files

This module enables abstraction of common (libc) functions.

Definition at line 2788 of file config.h.

◆ MBEDTLS_REMOVE_3DES_CIPHERSUITES

#define MBEDTLS_REMOVE_3DES_CIPHERSUITES

Remove 3DES ciphersuites by default in SSL / TLS. This flag removes the ciphersuites based on 3DES from the default list as returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them explicitly.

A man-in-the-browser attacker can recover authentication tokens sent through a TLS connection using a 3DES based cipher suite (see "On the Practical (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaƫtan Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls in your threat model or you are unsure, then you should keep this option enabled to remove 3DES based cipher suites.

Comment this macro to keep 3DES in the default ciphersuite list.

Definition at line 809 of file config.h.

◆ MBEDTLS_REMOVE_ARC4_CIPHERSUITES

#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES

Remove RC4 ciphersuites by default in SSL / TLS. This flag removes the ciphersuites based on RC4 from the default list as returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them explicitly.

Uncomment this macro to remove RC4 ciphersuites by default.

Definition at line 789 of file config.h.

◆ MBEDTLS_RIPEMD160_C

#define MBEDTLS_RIPEMD160_C

Enable the RIPEMD-160 hash algorithm.

Module: library/ripemd160.c Caller: library/md.c

Definition at line 2809 of file config.h.

◆ MBEDTLS_RSA_C

#define MBEDTLS_RSA_C

Enable the RSA public-key cryptosystem.

Module: library/rsa.c library/rsa_internal.c Caller: library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c library/x509.c

This module is used by the following key exchanges: RSA, DHE-RSA, ECDHE-RSA, RSA-PSK

Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C

Definition at line 2828 of file config.h.

◆ MBEDTLS_SHA1_C

#define MBEDTLS_SHA1_C

Enable the SHA1 cryptographic hash algorithm.

Module: library/sha1.c Caller: library/md.c library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c library/x509write_crt.c

This module is required for SSL/TLS up to version 1.1, for TLS 1.2 depending on the handshake parameters, and for SHA1-signed certificates.

Warning
SHA-1 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead.

Definition at line 2850 of file config.h.

◆ MBEDTLS_SHA256_C

#define MBEDTLS_SHA256_C

Enable the SHA-224 and SHA-256 cryptographic hash algorithms.

Module: library/sha256.c Caller: library/entropy.c library/md.c library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c

This module adds support for SHA-224 and SHA-256. This module is required for the SSL/TLS 1.2 PRF function.

Definition at line 2867 of file config.h.

◆ MBEDTLS_SHA512_C

#define MBEDTLS_SHA512_C

Enable the SHA-384 and SHA-512 cryptographic hash algorithms.

Module: library/sha512.c Caller: library/entropy.c library/md.c library/ssl_cli.c library/ssl_srv.c

This module adds support for SHA-384 and SHA-512.

Definition at line 2882 of file config.h.

◆ MBEDTLS_SSL_ALL_ALERT_MESSAGES

#define MBEDTLS_SSL_ALL_ALERT_MESSAGES

Enable sending of alert messages in case of encountered errors as per RFC. If you choose not to send the alert messages, mbed TLS can still communicate with other servers, only debugging of failures is harder.

The advantage of not sending alert messages, is that no information is given about reasons for failures thus preventing adversaries of gaining intel.

Enable sending of all alert messages

Definition at line 1394 of file config.h.

◆ MBEDTLS_SSL_ALPN

#define MBEDTLS_SSL_ALPN

Enable support for RFC 7301 Application Layer Protocol Negotiation.

Comment this macro to disable support for ALPN.

Definition at line 1619 of file config.h.

◆ MBEDTLS_SSL_CBC_RECORD_SPLITTING

#define MBEDTLS_SSL_CBC_RECORD_SPLITTING

Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.

This is a countermeasure to the BEAST attack, which also minimizes the risk of interoperability issues compared to sending 0-length records.

Comment this macro to disable 1/n-1 record splitting.

Definition at line 1496 of file config.h.

◆ MBEDTLS_SSL_CLI_C

#define MBEDTLS_SSL_CLI_C

Enable the SSL/TLS client code.

Module: library/ssl_cli.c Caller:

Requires: MBEDTLS_SSL_TLS_C

This module is required for SSL/TLS client support.

Definition at line 2930 of file config.h.

◆ MBEDTLS_SSL_ENCRYPT_THEN_MAC

#define MBEDTLS_SSL_ENCRYPT_THEN_MAC

Enable support for Encrypt-then-MAC, RFC 7366.

This allows peers that both support it to use a more robust protection for ciphersuites using CBC, providing deep resistance against timing attacks on the padding or underlying cipher.

This only affects CBC ciphersuites, and is useless if none is defined.

Requires: MBEDTLS_SSL_PROTO_TLS1 or MBEDTLS_SSL_PROTO_TLS1_1 or MBEDTLS_SSL_PROTO_TLS1_2

Comment this macro to disable support for Encrypt-then-MAC

Definition at line 1439 of file config.h.

◆ MBEDTLS_SSL_EXTENDED_MASTER_SECRET

#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET

Enable support for Extended Master Secret, aka Session Hash (draft-ietf-tls-session-hash-02).

This was introduced as "the proper fix" to the Triple Handshake familiy of attacks, but it is recommended to always use it (even if you disable renegotiation), since it actually fixes a more fundamental issue in the original SSL/TLS design, and has implications beyond Triple Handshake.

Requires: MBEDTLS_SSL_PROTO_TLS1 or MBEDTLS_SSL_PROTO_TLS1_1 or MBEDTLS_SSL_PROTO_TLS1_2

Comment this macro to disable support for Extended Master Secret.

Definition at line 1457 of file config.h.

◆ MBEDTLS_SSL_MAX_FRAGMENT_LENGTH

#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH

Enable support for RFC 6066 max_fragment_length extension in SSL.

Comment this macro to disable support for the max_fragment_length extension

Definition at line 1547 of file config.h.

◆ MBEDTLS_SSL_PROTO_TLS1

#define MBEDTLS_SSL_PROTO_TLS1

Enable support for TLS 1.0.

Requires: MBEDTLS_MD5_C MBEDTLS_SHA1_C

Comment this macro to disable support for TLS 1.0

Definition at line 1571 of file config.h.

◆ MBEDTLS_SSL_PROTO_TLS1_1

#define MBEDTLS_SSL_PROTO_TLS1_1

Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).

Requires: MBEDTLS_MD5_C MBEDTLS_SHA1_C

Comment this macro to disable support for TLS 1.1 / DTLS 1.0

Definition at line 1583 of file config.h.

◆ MBEDTLS_SSL_PROTO_TLS1_2

#define MBEDTLS_SSL_PROTO_TLS1_2

Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).

Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C (Depends on ciphersuites)

Comment this macro to disable support for TLS 1.2 / DTLS 1.2

Definition at line 1595 of file config.h.

◆ MBEDTLS_SSL_RENEGOTIATION

#define MBEDTLS_SSL_RENEGOTIATION

Enable support for TLS renegotiation.

The two main uses of renegotiation are (1) refresh keys on long-lived connections and (2) client authentication after the initial handshake. If you don't need renegotiation, it's probably better to disable it, since it has been associated with security issues in the past and is easy to misuse/misunderstand.

Comment this to disable support for renegotiation.

Note
Even if this option is disabled, both client and server are aware of the Renegotiation Indication Extension (RFC 5746) used to prevent the SSL renegotiation attack (see RFC 5746 Sect. 1). (See mbedtls_ssl_conf_legacy_renegotiation for the configuration of this extension).

Definition at line 1518 of file config.h.

◆ MBEDTLS_SSL_SERVER_NAME_INDICATION

#define MBEDTLS_SSL_SERVER_NAME_INDICATION

Enable support for RFC 6066 server name indication (SNI) in SSL.

Requires: MBEDTLS_X509_CRT_PARSE_C

Comment this macro to disable support for server name indication in SSL

Definition at line 1714 of file config.h.

◆ MBEDTLS_SSL_SESSION_TICKETS

#define MBEDTLS_SSL_SESSION_TICKETS

Enable support for RFC 5077 session tickets in SSL. Client-side, provides full support for session tickets (maintenance of a session store remains the responsibility of the application, though). Server-side, you also need to provide callbacks for writing and parsing tickets, including authenticated encryption and key management. Example callbacks are provided by MBEDTLS_SSL_TICKET_C.

Comment this macro to disable support for SSL session tickets

Definition at line 1693 of file config.h.

◆ MBEDTLS_SSL_TICKET_C

#define MBEDTLS_SSL_TICKET_C

Enable an implementation of TLS server-side callbacks for session tickets.

Module: library/ssl_ticket.c Caller:

Requires: MBEDTLS_CIPHER_C

Definition at line 2916 of file config.h.

◆ MBEDTLS_SSL_TLS_C

#define MBEDTLS_SSL_TLS_C

Enable the generic SSL/TLS code.

Module: library/ssl_tls.c Caller: library/ssl_cli.c library/ssl_srv.c

Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C and at least one of the MBEDTLS_SSL_PROTO_XXX defines

This module is required for SSL/TLS.

Definition at line 2960 of file config.h.

◆ MBEDTLS_SSL_TRUNCATED_HMAC

#define MBEDTLS_SSL_TRUNCATED_HMAC

Enable support for RFC 6066 truncated HMAC in SSL.

Comment this macro to disable support for truncated HMAC in SSL

Definition at line 1723 of file config.h.

◆ MBEDTLS_TIMING_C

#define MBEDTLS_TIMING_C

Enable the semi-portable timing interface.

Note
The provided implementation only works on POSIX/Unix (including Linux, BSD and OS X) and Windows. On other platforms, you can either disable that module and provide your own implementations of the callbacks needed by mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide your own implementation of the whole module by setting MBEDTLS_TIMING_ALT in the current file.
See also our Knowledge Base article about porting to a new environment: https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS

Module: library/timing.c Caller: library/havege.c

This module is used by the HAVEGE random number generator.

Definition at line 3005 of file config.h.

◆ MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE

#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE

Complete list of ciphersuites to use, in order of preference.

Warning
No dependency checking is done on that field! This option can only be used to restrict the set of available ciphersuites. It is your responsibility to make sure the needed modules are active.

Use this to save a few hundred bytes of ROM (default ordering of all available ciphersuites) and a few to a few hundred bytes of RAM.

The value below is only an example, not the default. Allow SHA-1 in the default TLS configuration for certificate signing. Without this build-time option, SHA-1 support must be activated explicitly through mbedtls_ssl_conf_cert_profile. Turning on this option is not recommended because of it is possible to generate SHA-1 collisions, however this may be safe for legacy infrastructure where additional controls apply.

Warning
SHA-1 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead. Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake signature and ciphersuite selection. Without this build-time option, SHA-1 support must be activated explicitly through mbedtls_ssl_conf_sig_hashes. The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by default. At the time of writing, there is no practical attack on the use of SHA-1 in handshake signatures, hence this option is turned on by default to preserve compatibility with existing peers, but the general warning applies nonetheless:
SHA-1 is considered a weak message digest and its use constitutes a security risk. If possible, we recommend avoiding dependencies on it, and considering stronger message digests instead.

Definition at line 3390 of file config.h.

◆ MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE

#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE

Enable verification of the extendedKeyUsage extension (leaf certificates).

Disabling this avoids problems with mis-issued and/or misused certificates.

Warning
Depending on your PKI use, disabling this can be a security risk!

Comment to skip extendedKeyUsage checking for certificates.

Definition at line 1848 of file config.h.

◆ MBEDTLS_X509_CHECK_KEY_USAGE

#define MBEDTLS_X509_CHECK_KEY_USAGE

Enable verification of the keyUsage extension (CA and leaf certificates).

Disabling this avoids problems with mis-issued and/or misused (intermediate) CA and leaf certificates.

Warning
Depending on your PKI use, disabling this can be a security risk!

Comment to skip keyUsage checking for both CA and leaf certificates.

Definition at line 1835 of file config.h.

◆ MBEDTLS_X509_CRT_PARSE_C

#define MBEDTLS_X509_CRT_PARSE_C

Enable X.509 certificate parsing.

Module: library/x509_crt.c Caller: library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c

Requires: MBEDTLS_X509_USE_C

This module is required for X.509 certificate parsing.

Definition at line 3049 of file config.h.

◆ MBEDTLS_X509_RSASSA_PSS_SUPPORT

#define MBEDTLS_X509_RSASSA_PSS_SUPPORT

Enable parsing and verification of X.509 certificates, CRLs and CSRS signed with RSASSA-PSS (aka PKCS#1 v2.1).

Comment this macro to disallow using RSASSA-PSS in certificates.

Definition at line 1858 of file config.h.

◆ MBEDTLS_X509_USE_C

#define MBEDTLS_X509_USE_C

Enable X.509 core for using certificates.

Module: library/x509.c Caller: library/x509_crl.c library/x509_crt.c library/x509_csr.c

Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C

This module is required for the X.509 parsing modules.

Definition at line 3033 of file config.h.

◆ MBEDTLS_XTEA_C

#define MBEDTLS_XTEA_C

Enable the XTEA block cipher.

Module: library/xtea.c Caller:

Definition at line 3126 of file config.h.