diff --git a/docs/proposed/config-split.md b/docs/proposed/config-split.md
index 148b6a6050..c81b3b2fb2 100644
--- a/docs/proposed/config-split.md
+++ b/docs/proposed/config-split.md
@@ -97,12 +97,12 @@ of PSA_WANT_\* and MBEDTLS_PSA_ACCEL_\* configuration options.
 
 The sections in `mbedtls_config.h` are reorganized to be better aligned with the ones in `tf_psa_crypto_config.h`. The main change is the reorganization
-of the "Mbed TLS modules" and "Module configuration options" sections into
-the ["TLS feature selection"](#section-tls-feature-selection) and
+of the "Mbed TLS modules", "Mbed TLS feature support" and
+"Module configuration options" sections into the
+["TLS feature selection"](#section-tls-feature-selection) and
 ["X.509 feature selection"](#section-x.509-feature-selection) sections. That
-way both configuration files do not have a section dedicated to non boolean
-configuration options. The non boolean configuration options are located in the
-same section as the boolean option they are associated to.
+way all TLS/x509 options are grouped into one section and there is no
+section dedicated to non boolean configuration options anymore.
 
 ## Repartition of the configuration options
 
@@ -371,6 +371,10 @@ PSA_WANT_\* macros as in current `crypto_config.h`.
 #### SECTION General configuration options
 ```
 #define MBEDTLS_ERROR_C
+#define MBEDTLS_ERROR_STRERROR_DUMMY
+#define MBEDTLS_VERSION_C
+#define MBEDTLS_VERSION_FEATURES
+
 //#define MBEDTLS_CONFIG_FILE "mbedtls/mbedtls_config.h"
 //#define MBEDTLS_USER_CONFIG_FILE "/dev/null"
 ```
@@ -378,13 +382,53 @@ PSA_WANT_\* macros as in current `crypto_config.h`.
 
 #### SECTION TLS feature selection
 ```
+//#define MBEDTLS_CIPHER_NULL_CIPHER
 #define MBEDTLS_DEBUG_C
+#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
+#define MBEDTLS_SSL_ALPN
+//#define MBEDTLS_SSL_ASYNC_PRIVATE
 #define MBEDTLS_SSL_CACHE_C
 #define MBEDTLS_SSL_CLI_C
+#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
 #define MBEDTLS_SSL_COOKIE_C
+//#define MBEDTLS_SSL_DEBUG_ALL
+#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+#define MBEDTLS_SSL_DTLS_CONNECTION_ID
+#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
+#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
+//#define MBEDTLS_SSL_DTLS_SRTP
+//#define MBEDTLS_SSL_EARLY_DATA
+#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+#define MBEDTLS_SSL_PROTO_DTLS
+#define MBEDTLS_SSL_PROTO_TLS1_2
+#define MBEDTLS_SSL_PROTO_TLS1_3
+//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
+#define MBEDTLS_SSL_RENEGOTIATION
+#define MBEDTLS_SSL_SERVER_NAME_INDICATION
+#define MBEDTLS_SSL_SESSION_TICKETS
 #define MBEDTLS_SSL_SRV_C
 #define MBEDTLS_SSL_TICKET_C
+#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 #define MBEDTLS_SSL_TLS_C
+//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
 
 //#define MBEDTLS_PSK_MAX_LEN 32
 //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50
@@ -413,59 +457,11 @@ PSA_WANT_\* macros as in current `crypto_config.h`.
 #define MBEDTLS_X509_CRT_WRITE_C
 #define MBEDTLS_X509_CSR_PARSE_C
 #define MBEDTLS_X509_CSR_WRITE_C
+//#define MBEDTLS_X509_REMOVE_INFO
+#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
+//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
 #define MBEDTLS_X509_USE_C
 
 //#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8
 ```
-
-
#### SECTION Mbed TLS feature support
```
-//#define MBEDTLS_CIPHER_NULL_CIPHER
-#define MBEDTLS_ERROR_STRERROR_DUMMY
-#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
-#define MBEDTLS_SSL_ALPN
-//#define MBEDTLS_SSL_ASYNC_PRIVATE
-#define MBEDTLS_SSL_CONTEXT_SERIALIZATION
-//#define MBEDTLS_SSL_DEBUG_ALL
-#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
-#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
-#define MBEDTLS_SSL_DTLS_CONNECTION_ID
-#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
-#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
-//#define MBEDTLS_SSL_DTLS_SRTP
-//#define MBEDTLS_SSL_EARLY_DATA
-#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
-#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
-#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
-#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-#define MBEDTLS_SSL_PROTO_DTLS
-#define MBEDTLS_SSL_PROTO_TLS1_2
-#define MBEDTLS_SSL_PROTO_TLS1_3
-//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
-#define MBEDTLS_SSL_RENEGOTIATION
-#define MBEDTLS_SSL_SERVER_NAME_INDICATION
-#define MBEDTLS_SSL_SESSION_TICKETS
-#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
-#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
-#define MBEDTLS_VERSION_C
-#define MBEDTLS_VERSION_FEATURES
-//#define MBEDTLS_X509_REMOVE_INFO
-#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
-//#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
-```