ESP32: Use mbedtls component in IDF (#26608)
* ESP32: use mbedtls config in IDF
* esp32: remove esp32_mbedtls component
diff --git a/config/esp32/components/chip/CMakeLists.txt b/config/esp32/components/chip/CMakeLists.txt
index 6f30e30..b064a89 100644
--- a/config/esp32/components/chip/CMakeLists.txt
+++ b/config/esp32/components/chip/CMakeLists.txt
@@ -332,22 +332,17 @@
"${CHIP_ROOT}/config/esp32/${CONFIG_CHIP_EXTERNAL_PLATFORM_DIR}/../../"
)
-idf_component_get_property(esp32_mbedtls_lib esp32_mbedtls COMPONENT_LIB)
+idf_component_get_property(mbedtls_lib mbedtls COMPONENT_LIB)
+
+idf_build_get_property(idf_target IDF_TARGET)
+set(target_name "${idf_target}")
if(CONFIG_BT_ENABLED)
idf_component_get_property(bt_lib bt COMPONENT_LIB)
- if("${CONFIG_IDF_TARGET}" STREQUAL "esp32h2")
+ if((target_name STREQUAL "esp32h2") OR (target_name STREQUAL "esp32c2") OR (target_name STREQUAL "esp32c6"))
idf_component_get_property(bt_dir bt COMPONENT_DIR)
list(APPEND chip_libraries $<TARGET_FILE:${bt_lib}>)
- list(APPEND chip_libraries ${bt_dir}/controller/lib_esp32h2/esp32h2-bt-lib/libble_app.a)
- elseif("${CONFIG_IDF_TARGET}" STREQUAL "esp32c2")
- idf_component_get_property(bt_dir bt COMPONENT_DIR)
- list(APPEND chip_libraries $<TARGET_FILE:${bt_lib}>)
- list(APPEND chip_libraries ${bt_dir}/controller/lib_esp32c2/esp32c2-bt-lib/libble_app.a)
- elseif("${CONFIG_IDF_TARGET}" STREQUAL "esp32c6")
- idf_component_get_property(bt_dir bt COMPONENT_DIR)
- list(APPEND chip_libraries $<TARGET_FILE:${bt_lib}>)
- list(APPEND chip_libraries ${bt_dir}/controller/lib_esp32c6/esp32c6-bt-lib/libble_app.a)
+ list(APPEND chip_libraries "${bt_dir}/controller/lib_${target_name}/${target_name}-bt-lib/libble_app.a")
else()
list(APPEND chip_libraries $<TARGET_FILE:${bt_lib}> -lbtdm_app)
endif()
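Review bot: The `libble_app.a` path in the `esp32h2`/`esp32c2`/`esp32c6` branch is now assembled from `target_name` and appended to `chip_libraries` without checking that the file exists. If an IDF release lays out the controller blobs differently, or a new target is added to the condition, the problem only appears as a link error. The next hunk repeats the pattern for the `esp_wifi` blobs (`lib${blob}.a`) and the `esp_phy` blobs (`lib${phy_blob}.a`). A configure-time guard before each append would make the failure explicit, for example `if(NOT EXISTS "${bt_dir}/controller/lib_${target_name}/${target_name}-bt-lib/libble_app.a")`, `message(FATAL_ERROR "BLE controller blob not found for ${target_name}")`, `endif()`. The enclosing `if(CONFIG_BT_ENABLED)` block closes outside this hunk.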
@@ -383,9 +378,65 @@
list(APPEND chip_libraries $<TARGET_FILE:${esp32_secure_cert_mgr_lib}>)
endif()
+idf_component_get_property(lwip_lib lwip COMPONENT_LIB)
+list(APPEND chip_libraries $<TARGET_FILE:${lwip_lib}>)
+
+
+if (CONFIG_ESP_WIFI_ENABLED)
+ idf_component_get_property(esp_wifi_lib esp_wifi COMPONENT_LIB)
+ idf_component_get_property(esp_wifi_dir esp_wifi COMPONENT_DIR)
+ list(APPEND chip_libraries $<TARGET_FILE:${esp_wifi_lib}>)
+ if (CONFIG_IDF_TARGET_ESP32C2)
+ set(blobs core net80211 pp)
+ else()
+ set(blobs core mesh net80211 pp)
+ endif()
+
+ foreach(blob ${blobs})
+ list(APPEND chip_libraries "${esp_wifi_dir}/lib/${target_name}/lib${blob}.a")
+ endforeach()
+endif()
+
+idf_component_get_property(esp_netif_lib esp_netif COMPONENT_LIB)
+list(APPEND chip_libraries $<TARGET_FILE:${esp_netif_lib}>)
+
+idf_component_get_property(esp_hw_support_lib esp_hw_support COMPONENT_LIB)
+list(APPEND chip_libraries $<TARGET_FILE:${esp_hw_support_lib}>)
+
+idf_component_get_property(esp_phy_lib esp_phy COMPONENT_LIB)
+idf_component_get_property(esp_phy_dir esp_phy COMPONENT_DIR)
+list(APPEND chip_libraries $<TARGET_FILE:${esp_phy_lib}>)
+
+if (CONFIG_IDF_TARGET_ESP32)
+ set(phy_blobs phy rtc)
+elseif (CONFIG_IDF_TARGET_ESP32S2)
+ set(phy_blobs phy)
+else()
+ set(phy_blobs phy btbb)
+endif()
+foreach(phy_blob ${phy_blobs})
+ list(APPEND chip_libraries "${esp_phy_dir}/lib/${target_name}/lib${phy_blob}.a")
+endforeach()
+
+idf_component_get_property(esp_event_lib esp_event COMPONENT_LIB)
+list(APPEND chip_libraries $<TARGET_FILE:${esp_event_lib}>)
+
+idf_component_get_property(hal_lib hal COMPONENT_LIB)
+list(APPEND chip_libraries $<TARGET_FILE:${hal_lib}>)
+
+idf_component_get_property(esp_system_lib esp_system COMPONENT_LIB)
+list(APPEND chip_libraries $<TARGET_FILE:${esp_system_lib}>)
+
+idf_component_get_property(soc_lib soc COMPONENT_LIB)
+list(APPEND chip_libraries $<TARGET_FILE:${soc_lib}>)
+
+idf_component_get_property(efuse_lib efuse COMPONENT_LIB)
+list(APPEND chip_libraries $<TARGET_FILE:${efuse_lib}>)
+
target_link_libraries(${COMPONENT_LIB} INTERFACE -Wl,--start-group
${chip_libraries}
- $<TARGET_FILE:mbedcrypto> $<TARGET_FILE:${esp32_mbedtls_lib}>
+ $<TARGET_FILE:mbedcrypto> $<TARGET_FILE:mbedx509>
+ $<TARGET_FILE:${mbedtls_lib}>
-Wl,--end-group)
# Make the component dependent on our CHIP build
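Review bot: Nothing at the `target_link_libraries` call checks that the IDF `mbedtls` component is configured with the crypto features the CHIP build relies on. This commit deletes the project-owned `hkdf.c` and the `esp_config.h` that unconditionally defined options such as `MBEDTLS_ECDSA_DETERMINISTIC`. From here on, `mbedtls_hkdf*` and those feature macros come from whatever the IDF Kconfig selects; the sdkconfig defaults that would guarantee them are not visible in this diff. A missing HKDF would show up as an undefined symbol at link time, but a different ECDSA or ciphersuite configuration would build silently. Consider a guard before the link line, `if(NOT CONFIG_MBEDTLS_HKDF_C)`, `message(FATAL_ERROR "CHIP requires CONFIG_MBEDTLS_HKDF_C in the IDF mbedtls config")`, `endif()`, and a comment listing the other mbedtls options the removed header used to enforce.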
diff --git a/config/esp32/components/esp32_mbedtls/CMakeLists.txt b/config/esp32/components/esp32_mbedtls/CMakeLists.txt
deleted file mode 100644
index 1e5382b..0000000
--- a/config/esp32/components/esp32_mbedtls/CMakeLists.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-idf_component_register(SRCS hkdf.c
- INCLUDE_DIRS .
- PRIV_REQUIRES mbedtls)
diff --git a/config/esp32/components/esp32_mbedtls/hkdf.c b/config/esp32/components/esp32_mbedtls/hkdf.c
deleted file mode 100644
index c480bbf..0000000
--- a/config/esp32/components/esp32_mbedtls/hkdf.c
+++ /dev/null
@@ -1,191 +0,0 @@
-/**
- *
- * Copyright (c) 2020 Project CHIP Authors
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-/*
- * HKDF implementation -- RFC 5869
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
- */
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#if defined(MBEDTLS_HKDF_C)
-
-#include "mbedtls/hkdf.h"
-#include "mbedtls/platform_util.h"
-#include <string.h>
-
-int mbedtls_hkdf(const mbedtls_md_info_t * md, const unsigned char * salt, size_t salt_len, const unsigned char * ikm,
- size_t ikm_len, const unsigned char * info, size_t info_len, unsigned char * okm, size_t okm_len)
-{
- int ret;
- unsigned char prk[MBEDTLS_MD_MAX_SIZE];
-
- ret = mbedtls_hkdf_extract(md, salt, salt_len, ikm, ikm_len, prk);
-
- if (ret == 0)
- {
- ret = mbedtls_hkdf_expand(md, prk, mbedtls_md_get_size(md), info, info_len, okm, okm_len);
- }
-
- mbedtls_platform_zeroize(prk, sizeof(prk));
-
- return (ret);
-}
-
-int mbedtls_hkdf_extract(const mbedtls_md_info_t * md, const unsigned char * salt, size_t salt_len, const unsigned char * ikm,
- size_t ikm_len, unsigned char * prk)
-{
- unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
-
- if (salt == NULL)
- {
- size_t hash_len;
-
- if (salt_len != 0)
- {
- return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
- }
-
- hash_len = mbedtls_md_get_size(md);
-
- if (hash_len == 0)
- {
- return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
- }
-
- salt = null_salt;
- salt_len = hash_len;
- }
-
- return (mbedtls_md_hmac(md, salt, salt_len, ikm, ikm_len, prk));
-}
-
-int mbedtls_hkdf_expand(const mbedtls_md_info_t * md, const unsigned char * prk, size_t prk_len, const unsigned char * info,
- size_t info_len, unsigned char * okm, size_t okm_len)
-{
- size_t hash_len;
- size_t where = 0;
- size_t n;
- size_t t_len = 0;
- size_t i;
- int ret = 0;
- mbedtls_md_context_t ctx;
- unsigned char t[MBEDTLS_MD_MAX_SIZE];
-
- if (okm == NULL)
- {
- return (MBEDTLS_ERR_HKDF_BAD_INPUT_DATA);
- }
-
- hash_len = mbedtls_md_get_size(md);
-
- if (prk_len < hash_len || hash_len == 0)
- {
- return (MBEDTLS_ERR_HKDF_BAD_INPUT_DATA);
- }
-
- if (info == NULL)
- {
- info = (const unsigned char *) "";
- info_len = 0;
- }
-
- n = okm_len / hash_len;
-
- if ((okm_len % hash_len) != 0)
- {
- n++;
- }
-
- /*
- * Per RFC 5869 Section 2.3, okm_len must not exceed
- * 255 times the hash length
- */
- if (n > 255)
- {
- return (MBEDTLS_ERR_HKDF_BAD_INPUT_DATA);
- }
-
- mbedtls_md_init(&ctx);
-
- if ((ret = mbedtls_md_setup(&ctx, md, 1)) != 0)
- {
- goto exit;
- }
-
- /*
- * Compute T = T(1) | T(2) | T(3) | ... | T(N)
- * Where T(N) is defined in RFC 5869 Section 2.3
- */
- for (i = 1; i <= n; i++)
- {
- size_t num_to_copy;
- unsigned char c = i & 0xff;
-
- ret = mbedtls_md_hmac_starts(&ctx, prk, prk_len);
- if (ret != 0)
- {
- goto exit;
- }
-
- ret = mbedtls_md_hmac_update(&ctx, t, t_len);
- if (ret != 0)
- {
- goto exit;
- }
-
- ret = mbedtls_md_hmac_update(&ctx, info, info_len);
- if (ret != 0)
- {
- goto exit;
- }
-
- /* The constant concatenated to the end of each T(n) is a single octet.
- * */
- ret = mbedtls_md_hmac_update(&ctx, &c, 1);
- if (ret != 0)
- {
- goto exit;
- }
-
- ret = mbedtls_md_hmac_finish(&ctx, t);
- if (ret != 0)
- {
- goto exit;
- }
-
- num_to_copy = i != n ? hash_len : okm_len - where;
- memcpy(okm + where, t, num_to_copy);
- where += hash_len;
- t_len = hash_len;
- }
-
-exit:
- mbedtls_md_free(&ctx);
- mbedtls_platform_zeroize(t, sizeof(t));
-
- return (ret);
-}
-
-#endif /* MBEDTLS_HKDF_C */
diff --git a/config/esp32/components/esp32_mbedtls/mbedtls/esp_config.h b/config/esp32/components/esp32_mbedtls/mbedtls/esp_config.h
deleted file mode 100644
index aca884c..0000000
--- a/config/esp32/components/esp32_mbedtls/mbedtls/esp_config.h
+++ /dev/null
@@ -1,2345 +0,0 @@
-/**
- *
- * Copyright (c) 2020 Project CHIP Authors
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-/**
- *
- * \brief Default mbedTLS configuration options for esp-idf
- *
- * This set of compile-time options may be used to enable
- * or disable features selectively, and reduce the global
- * memory footprint.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
- */
-
-#ifndef ESP_CONFIG_H
-#define ESP_CONFIG_H
-
-#include "esp_idf_version.h"
-#include "sdkconfig.h"
-// For ESP32H2, we use idf v5.0. Its "mbedtls/config.h" was replaced by "mbedtls/build_info.h"
-#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 0, 0)
-#include "mbedtls/build_info.h"
-#else
-#include "mbedtls/config.h"
-#endif
-/**
- * \name SECTION: System support
- *
- * This section sets system specific settings.
- * \{
- */
-
-/**
- * \def MBEDTLS_HAVE_TIME
- *
- * System has time.h and time().
- * The time does not need to be correct, only time differences are used,
- * by contrast with MBEDTLS_HAVE_TIME_DATE
- *
- * Comment if your system does not support time functions
- */
-#ifdef CONFIG_MBEDTLS_HAVE_TIME
-#define MBEDTLS_HAVE_TIME
-#else
-#undef MBEDTLS_HAVE_TIME
-#endif
-
-/**
- * \def MBEDTLS_HAVE_TIME_DATE
- *
- * System has time.h and time(), gmtime() and the clock is correct.
- * The time needs to be correct (not necesarily very accurate, but at least
- * the date should be correct). This is used to verify the validity period of
- * X.509 certificates.
- *
- * Comment if your system does not have a correct clock.
- */
-#ifdef CONFIG_MBEDTLS_HAVE_TIME_DATE
-#define MBEDTLS_HAVE_TIME_DATE
-#else
-#undef MBEDTLS_HAVE_TIME_DATE
-#endif
-
-/**
- * \def MBEDTLS_PLATFORM_MEMORY
- *
- * Enable the memory allocation layer.
- *
- * By default mbed TLS uses the system-provided calloc() and free().
- * This allows different allocators (self-implemented or provided) to be
- * provided to the platform abstraction layer.
- *
- * Enabling MBEDTLS_PLATFORM_MEMORY without the
- * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
- * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
- * free() function pointer at runtime.
- *
- * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
- * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
- * alternate function at compile time.
- *
- * Requires: MBEDTLS_PLATFORM_C
- *
- * Enable this layer to allow use of alternative memory allocators.
- */
-#define MBEDTLS_PLATFORM_MEMORY
-
-/** Override calloc(), free() except for case where memory allocation scheme is not set to custom */
-#ifndef CONFIG_MBEDTLS_CUSTOM_MEM_ALLOC
-#include "esp_mem.h"
-#define MBEDTLS_PLATFORM_STD_CALLOC esp_mbedtls_mem_calloc
-#define MBEDTLS_PLATFORM_STD_FREE esp_mbedtls_mem_free
-#endif
-
-/* \} name SECTION: System support */
-
-/**
- * \name SECTION: mbed TLS feature support
- *
- * This section sets support for features that are or are not needed
- * within the modules that are enabled.
- * \{
- */
-
-/* The following units have ESP32 hardware support,
- uncommenting each _ALT macro will use the
- hardware-accelerated implementation. */
-#ifdef CONFIG_MBEDTLS_HARDWARE_AES
-#define MBEDTLS_AES_ALT
-#else
-#undef MBEDTLS_AES_ALT
-#endif
-
-/* MBEDTLS_SHAxx_ALT to enable hardware SHA support
- with software fallback.
-*/
-#ifdef CONFIG_MBEDTLS_HARDWARE_SHA
-#define MBEDTLS_SHA1_ALT
-#define MBEDTLS_SHA256_ALT
-#define MBEDTLS_SHA512_ALT
-#else
-#undef MBEDTLS_SHA1_ALT
-#undef MBEDTLS_SHA256_ALT
-#undef MBEDTLS_SHA512_ALT
-#endif
-
-/* The following MPI (bignum) functions have ESP32 hardware support,
- Uncommenting these macros will use the hardware-accelerated
- implementations.
-*/
-#ifdef CONFIG_MBEDTLS_HARDWARE_MPI
-#define MBEDTLS_MPI_EXP_MOD_ALT
-#define MBEDTLS_MPI_MUL_MPI_ALT
-#else
-#undef MBEDTLS_MPI_EXP_MOD_ALT
-#undef MBEDTLS_MPI_MUL_MPI_ALT
-#endif
-
-/**
- * \def MBEDTLS_ENTROPY_HARDWARE_ALT
- *
- * Uncomment this macro to let mbed TLS use your own implementation of a
- * hardware entropy collector.
- *
- * Your function must be called \c mbedtls_hardware_poll(), have the same
- * prototype as declared in entropy_poll.h, and accept NULL as first argument.
- *
- * Uncomment to use your own hardware entropy collector.
- */
-#define MBEDTLS_ENTROPY_HARDWARE_ALT
-
-/**
- * \def MBEDTLS_AES_ROM_TABLES
- *
- * Store the AES tables in ROM.
- *
- * Uncomment this macro to store the AES tables in ROM.
- */
-#define MBEDTLS_AES_ROM_TABLES
-
-/**
- * \def MBEDTLS_CIPHER_MODE_CBC
- *
- * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
- */
-#define MBEDTLS_CIPHER_MODE_CBC
-
-/**
- * \def MBEDTLS_CIPHER_MODE_CFB
- *
- * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
- */
-#define MBEDTLS_CIPHER_MODE_CFB
-
-/**
- * \def MBEDTLS_CIPHER_MODE_CTR
- *
- * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
- */
-#define MBEDTLS_CIPHER_MODE_CTR
-
-/**
- * \def MBEDTLS_CIPHER_MODE_OFB
- *
- * Enable Output Feedback mode (OFB) for symmetric ciphers.
- */
-#define MBEDTLS_CIPHER_MODE_OFB
-
-/**
- * \def MBEDTLS_CIPHER_MODE_XTS
- *
- * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
- */
-#define MBEDTLS_CIPHER_MODE_XTS
-
-/**
- * \def MBEDTLS_CIPHER_PADDING_PKCS7
- *
- * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
- * specific padding modes in the cipher layer with cipher modes that support
- * padding (e.g. CBC)
- *
- * If you disable all padding modes, only full blocks can be used with CBC.
- *
- * Enable padding modes in the cipher layer.
- */
-#define MBEDTLS_CIPHER_PADDING_PKCS7
-#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
-#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
-#define MBEDTLS_CIPHER_PADDING_ZEROS
-
-/**
- * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES & MBEDTLS_ARC4_C
- *
- * MBEDTLS_ARC4_C
- * Enable the ARCFOUR stream cipher.
- *
- * This module enables/disables the following ciphersuites
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
- * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
- * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
- * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
- * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
- * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
- * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
- *
- * MBEDTLS_REMOVE_ARC4_CIPHERSUITES
- * This flag removes the ciphersuites based on RC4 from the default list as
- * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
- * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
- * explicitly.
- *
- * Uncomment this macro to remove RC4 ciphersuites by default.
- */
-#ifdef CONFIG_MBEDTLS_RC4_ENABLED
-#define MBEDTLS_ARC4_C
-#undef MBEDTLS_REMOVE_ARC4_CIPHERSUITES
-#elif defined CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT
-#define MBEDTLS_ARC4_C
-#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
-#else
-#undef MBEDTLS_ARC4_C
-#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
-#endif
-
-/**
- * \def MBEDTLS_ECP_RESTARTABLE
- *
- * Enable "non-blocking" ECC operations that can return early and be resumed.
- *
- * This allows various functions to pause by returning
- * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module,
- * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in
- * order to further progress and eventually complete their operation. This is
- * controlled through mbedtls_ecp_set_max_ops() which limits the maximum
- * number of ECC operations a function may perform before pausing; see
- * mbedtls_ecp_set_max_ops() for more information.
- *
- * This is useful in non-threaded environments if you want to avoid blocking
- * for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
- *
- * Uncomment this macro to enable restartable ECC computations.
- *
- * \note This option only works with the default software implementation of
- * elliptic curve functionality. It is incompatible with
- * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT and MBEDTLS_ECDSA_XXX_ALT.
- */
-#ifdef CONFIG_MBEDTLS_ECP_RESTARTABLE
-#define MBEDTLS_ECP_RESTARTABLE
-#endif
-
-/**
- * \def MBEDTLS_CMAC_C
- *
- * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
- * ciphers.
- *
- * Module: library/cmac.c
- *
- * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
- *
- */
-#ifdef CONFIG_MBEDTLS_CMAC_C
-#define MBEDTLS_CMAC_C
-#endif
-
-/**
- * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
- *
- * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
- * module. By default all supported curves are enabled.
- *
- * Comment macros to disable the curve and functions for it
- */
-#ifdef CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_SECP192R1_ENABLED
-#endif
-#ifdef CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_SECP224R1_ENABLED
-#endif
-#ifdef CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#endif
-#ifdef CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_SECP384R1_ENABLED
-#endif
-#ifdef CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED
-#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_SECP521R1_ENABLED
-#endif
-#ifdef CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED
-#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_SECP192K1_ENABLED
-#endif
-#ifdef CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED
-#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_SECP224K1_ENABLED
-#endif
-#ifdef CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED
-#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_SECP256K1_ENABLED
-#endif
-#ifdef CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED
-#define MBEDTLS_ECP_DP_BP256R1_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_BP256R1_ENABLED
-#endif
-#ifdef CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED
-#define MBEDTLS_ECP_DP_BP384R1_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_BP384R1_ENABLED
-#endif
-#ifdef CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED
-#define MBEDTLS_ECP_DP_BP512R1_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_BP512R1_ENABLED
-#endif
-#ifdef CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED
-#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
-#else
-#undef MBEDTLS_ECP_DP_CURVE25519_ENABLED
-#endif
-
-#ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
-#undef MBEDTLS_ECP_DP_CURVE448_ENABLED
-#endif
-
-/**
- * \def MBEDTLS_ECP_NIST_OPTIM
- *
- * Enable specific 'modulo p' routines for each NIST prime.
- * Depending on the prime and architecture, makes operations 4 to 8 times
- * faster on the corresponding curve.
- *
- * Comment this macro to disable NIST curves optimisation.
- */
-#ifdef CONFIG_MBEDTLS_ECP_NIST_OPTIM
-#define MBEDTLS_ECP_NIST_OPTIM
-#else
-#undef MBEDTLS_ECP_NIST_OPTIM
-#endif
-
-/**
- * \def MBEDTLS_ECDSA_DETERMINISTIC
- *
- * Enable deterministic ECDSA (RFC 6979).
- * Standard ECDSA is "fragile" in the sense that lack of entropy when signing
- * may result in a compromise of the long-term signing key. This is avoided by
- * the deterministic variant.
- *
- * Requires: MBEDTLS_HMAC_DRBG_C
- *
- * Comment this macro to disable deterministic ECDSA.
- */
-#define MBEDTLS_ECDSA_DETERMINISTIC
-
-/**
- * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
- *
- * Enable the PSK based ciphersuite modes in SSL / TLS.
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
- */
-#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_PSK
-#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-#else
-#undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-#endif
-
-/**
- * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
- *
- * Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_DHM_C
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
- */
-#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK
-#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
-#else
-#undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
-#endif
-
-/**
- * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
- *
- * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_ECDH_C
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
- */
-#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-#else
-#undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-#endif
-
-/**
- * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
- *
- * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
- * MBEDTLS_X509_CRT_PARSE_C
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
- */
-#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK
-#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-#else
-#undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-#endif
-
-/**
- * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
- *
- * Enable the RSA-only based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
- * MBEDTLS_X509_CRT_PARSE_C
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
- * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
- */
-#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA
-#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-#else
-#undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-#endif
-
-/**
- * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
- *
- * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
- * MBEDTLS_X509_CRT_PARSE_C
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- */
-#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA
-#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
-#else
-#undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
-#endif
-
-/**
- * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
- *
- * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
- * MBEDTLS_X509_CRT_PARSE_C
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
- */
-#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
-#else
-#undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
-#endif
-
-/**
- * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
- *
- * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- */
-#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-#else
-#undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-#endif
-
-/**
- * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
- *
- * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
- */
-#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
-#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
-#else
-#undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
-#endif
-
-/**
- * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
- *
- * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
- *
- * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
- *
- * This enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
- * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
- */
-#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA
-#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-#else
-#undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-#endif
-
-/**
- * \def MBEDTLS_PK_PARSE_EC_EXTENDED
- *
- * Enhance support for reading EC keys using variants of SEC1 not allowed by
- * RFC 5915 and RFC 5480.
- *
- * Currently this means parsing the SpecifiedECDomain choice of EC
- * parameters (only known groups are supported, not arbitrary domains, to
- * avoid validation issues).
- *
- * Disable if you only need to support RFC 5915 + 5480 key formats.
- */
-#define MBEDTLS_PK_PARSE_EC_EXTENDED
-
-/**
- * \def MBEDTLS_ERROR_STRERROR_DUMMY
- *
- * Enable a dummy error function to make use of mbedtls_strerror() in
- * third party libraries easier when MBEDTLS_ERROR_C is disabled
- * (no effect when MBEDTLS_ERROR_C is enabled).
- *
- * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
- * not using mbedtls_strerror() or error_strerror() in your application.
- *
- * Disable if you run into name conflicts and want to really remove the
- * mbedtls_strerror()
- */
-#define MBEDTLS_ERROR_STRERROR_DUMMY
-
-/**
- * \def MBEDTLS_GENPRIME
- *
- * Enable the prime-number generation code.
- *
- * Requires: MBEDTLS_BIGNUM_C
- */
-#define MBEDTLS_GENPRIME
-
-/**
- * \def MBEDTLS_FS_IO
- *
- * Enable functions that use the filesystem.
- */
-#define MBEDTLS_FS_IO
-
-/**
- * \def MBEDTLS_NO_PLATFORM_ENTROPY
- *
- * Do not use built-in platform entropy functions.
- * This is useful if your platform does not support
- * standards like the /dev/urandom or Windows CryptoAPI.
- *
- * Uncomment this macro to disable the built-in platform entropy functions.
- */
-#define MBEDTLS_NO_PLATFORM_ENTROPY
-
-/**
- * \def MBEDTLS_PK_RSA_ALT_SUPPORT
- *
- * Support external private RSA keys (eg from a HSM) in the PK layer.
- *
- * Comment this macro to disable support for external private RSA keys.
- */
-#define MBEDTLS_PK_RSA_ALT_SUPPORT
-
-/**
- * \def MBEDTLS_PKCS1_V15
- *
- * Enable support for PKCS#1 v1.5 encoding.
- *
- * Requires: MBEDTLS_RSA_C
- *
- * This enables support for PKCS#1 v1.5 operations.
- */
-#define MBEDTLS_PKCS1_V15
-
-/**
- * \def MBEDTLS_PKCS1_V21
- *
- * Enable support for PKCS#1 v2.1 encoding.
- *
- * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C
- *
- * This enables support for RSAES-OAEP and RSASSA-PSS operations.
- */
-#define MBEDTLS_PKCS1_V21
-
-/**
- * \def MBEDTLS_SELF_TEST
- *
- * Enable the checkup functions (*_self_test).
- */
-#define MBEDTLS_SELF_TEST
-
-/**
- * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
- *
- * Enable sending of alert messages in case of encountered errors as per RFC.
- * If you choose not to send the alert messages, mbed TLS can still communicate
- * with other servers, only debugging of failures is harder.
- *
- * The advantage of not sending alert messages, is that no information is given
- * about reasons for failures thus preventing adversaries of gaining intel.
- *
- * Enable sending of all alert messages
- */
-#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
-
-/** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
- *
- * Enable support for Encrypt-then-MAC, RFC 7366.
- *
- * This allows peers that both support it to use a more robust protection for
- * ciphersuites using CBC, providing deep resistance against timing attacks
- * on the padding or underlying cipher.
- *
- * This only affects CBC ciphersuites, and is useless if none is defined.
- *
- * Requires: MBEDTLS_SSL_PROTO_TLS1 or
- * MBEDTLS_SSL_PROTO_TLS1_1 or
- * MBEDTLS_SSL_PROTO_TLS1_2
- *
- * Comment this macro to disable support for Encrypt-then-MAC
- */
-#ifdef CONFIG_MBEDTLS_TLS_ENABLED
-#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
-#else
-#undef MBEDTLS_SSL_ENCRYPT_THEN_MAC
-#endif
-
-/** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
- *
- * Enable support for Extended Master Secret, aka Session Hash
- * (draft-ietf-tls-session-hash-02).
- *
- * This was introduced as "the proper fix" to the Triple Handshake familiy of
- * attacks, but it is recommended to always use it (even if you disable
- * renegotiation), since it actually fixes a more fundamental issue in the
- * original SSL/TLS design, and has implications beyond Triple Handshake.
- *
- * Requires: MBEDTLS_SSL_PROTO_TLS1 or
- * MBEDTLS_SSL_PROTO_TLS1_1 or
- * MBEDTLS_SSL_PROTO_TLS1_2
- *
- * Comment this macro to disable support for Extended Master Secret.
- */
-#ifdef CONFIG_MBEDTLS_TLS_ENABLED
-#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
-#else
-#undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET
-#endif
-
-/**
- * \def MBEDTLS_SSL_FALLBACK_SCSV
- *
- * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
- *
- * For servers, it is recommended to always enable this, unless you support
- * only one version of TLS, or know for sure that none of your clients
- * implements a fallback strategy.
- *
- * For clients, you only need this if you're using a fallback strategy, which
- * is not recommended in the first place, unless you absolutely need it to
- * interoperate with buggy (version-intolerant) servers.
- *
- * Comment this macro to disable support for FALLBACK_SCSV
- */
-#define MBEDTLS_SSL_FALLBACK_SCSV
-
-/**
- * \def MBEDTLS_SSL_PROTO_TLS1
- *
- * Enable support for TLS 1.0.
- *
- * Requires: MBEDTLS_MD5_C
- * MBEDTLS_SHA1_C
- *
- * Comment this macro to disable support for TLS 1.0
- */
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1
-#define MBEDTLS_SSL_PROTO_TLS1
-#else
-#undef MBEDTLS_SSL_PROTO_TLS1
-#endif
-
-/**
- * \def MBEDTLS_SSL_PROTO_SSL3
- *
- * Enable support for SSL 3.0.
- *
- * Requires: MBEDTLS_MD5_C
- * MBEDTLS_SHA1_C
- *
- * Comment this macro to disable support for SSL 3.0
- */
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_SSL3
-#define MBEDTLS_SSL_PROTO_SSL3
-#else
-#undef MBEDTLS_SSL_PROTO_SSL3
-#endif
-
-/**
- * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
- *
- * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
- *
- * This is a countermeasure to the BEAST attack, which also minimizes the risk
- * of interoperability issues compared to sending 0-length records.
- *
- * Comment this macro to disable 1/n-1 record splitting.
- */
-#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
-#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
-#else
-#undef MBEDTLS_SSL_CBC_RECORD_SPLITTING
-#endif
-
-/**
- * \def MBEDTLS_SSL_RENEGOTIATION
- *
- * Disable support for TLS renegotiation.
- *
- * The two main uses of renegotiation are (1) refresh keys on long-lived
- * connections and (2) client authentication after the initial handshake.
- * If you don't need renegotiation, it's probably better to disable it, since
- * it has been associated with security issues in the past and is easy to
- * misuse/misunderstand.
- *
- * Comment this to disable support for renegotiation.
- */
-#ifdef CONFIG_MBEDTLS_SSL_RENEGOTIATION
-#define MBEDTLS_SSL_RENEGOTIATION
-#else
-#undef MBEDTLS_SSL_RENEGOTIATION
-#endif
-
-/**
- * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
- *
- * Enable support for RFC 6066 max_fragment_length extension in SSL.
- *
- * Comment this macro to disable support for the max_fragment_length extension
- */
-#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-
-/**
- * \def MBEDTLS_SSL_PROTO_TLS1_1
- *
- * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
- *
- * Requires: MBEDTLS_MD5_C
- * MBEDTLS_SHA1_C
- *
- * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
- */
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_1
-#define MBEDTLS_SSL_PROTO_TLS1_1
-#endif
-
-/**
- * \def MBEDTLS_SSL_PROTO_TLS1_2
- *
- * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
- *
- * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
- * (Depends on ciphersuites)
- *
- * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
- */
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_2
-#define MBEDTLS_SSL_PROTO_TLS1_2
-#else
-#undef MBEDTLS_SSL_PROTO_TLS1_2
-#endif
-
-/**
- * \def MBEDTLS_SSL_PROTO_DTLS
- *
- * Enable support for DTLS (all available versions).
- *
- * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0,
- * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
- *
- * Requires: MBEDTLS_SSL_PROTO_TLS1_1
- * or MBEDTLS_SSL_PROTO_TLS1_2
- *
- * Comment this macro to disable support for DTLS
- */
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
-#define MBEDTLS_SSL_PROTO_DTLS
-#else
-#undef MBEDTLS_SSL_PROTO_DTLS
-#endif
-
-/**
- * \def MBEDTLS_SSL_ALPN
- *
- * Enable support for RFC 7301 Application Layer Protocol Negotiation.
- *
- * Comment this macro to disable support for ALPN.
- */
-#ifdef CONFIG_MBEDTLS_SSL_ALPN
-#define MBEDTLS_SSL_ALPN
-#else
-#undef MBEDTLS_SSL_ALPN
-#endif
-
-/**
- * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
- *
- * Enable support for the anti-replay mechanism in DTLS.
- *
- * Requires: MBEDTLS_SSL_TLS_C
- * MBEDTLS_SSL_PROTO_DTLS
- *
- * \warning Disabling this is often a security risk!
- * See mbedtls_ssl_conf_dtls_anti_replay() for details.
- *
- * Comment this to disable anti-replay in DTLS.
- */
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
-#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
-#else
-#undef MBEDTLS_SSL_DTLS_ANTI_REPLAY
-#endif
-
-/**
- * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
- *
- * Enable support for HelloVerifyRequest on DTLS servers.
- *
- * This feature is highly recommended to prevent DTLS servers being used as
- * amplifiers in DoS attacks against other hosts. It should always be enabled
- * unless you know for sure amplification cannot be a problem in the
- * environment in which your server operates.
- *
- * \warning Disabling this can ba a security risk! (see above)
- *
- * Requires: MBEDTLS_SSL_PROTO_DTLS
- *
- * Comment this to disable support for HelloVerifyRequest.
- */
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
-#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
-#else
-#undef MBEDTLS_SSL_DTLS_HELLO_VERIFY
-#endif
-
-/**
- * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
- *
- * Enable server-side support for clients that reconnect from the same port.
- *
- * Some clients unexpectedly close the connection and try to reconnect using the
- * same source port. This needs special support from the server to handle the
- * new connection securely, as described in section 4.2.8 of RFC 6347. This
- * flag enables that support.
- *
- * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
- *
- * Comment this to disable support for clients reusing the source port.
- */
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
-#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
-#else
-#undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
-#endif
-
-/**
- * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
- *
- * Enable support for a limit of records with bad MAC.
- *
- * See mbedtls_ssl_conf_dtls_badmac_limit().
- *
- * Requires: MBEDTLS_SSL_PROTO_DTLS
- */
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
-#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
-#else
-#undef MBEDTLS_SSL_DTLS_BADMAC_LIMIT
-#endif
-
-/**
- * \def MBEDTLS_SSL_SESSION_TICKETS
- *
- * Enable support for RFC 5077 session tickets in SSL.
- * Client-side, provides full support for session tickets (maintainance of a
- * session store remains the responsibility of the application, though).
- * Server-side, you also need to provide callbacks for writing and parsing
- * tickets, including authenticated encryption and key management. Example
- * callbacks are provided by MBEDTLS_SSL_TICKET_C.
- *
- * Comment this macro to disable support for SSL session tickets
- */
-#ifdef CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
-#define MBEDTLS_SSL_SESSION_TICKETS
-#else
-#undef MBEDTLS_SSL_SESSION_TICKETS
-#endif
-
-/**
- * \def MBEDTLS_SSL_EXPORT_KEYS
- *
- * Enable support for exporting key block and master secret.
- * This is required for certain users of TLS, e.g. EAP-TLS.
- *
- * Comment this macro to disable support for key export
- */
-#define MBEDTLS_SSL_EXPORT_KEYS
-
-/**
- * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
- *
- * Enable support for RFC 6066 server name indication (SNI) in SSL.
- *
- * Requires: MBEDTLS_X509_CRT_PARSE_C
- *
- * Comment this macro to disable support for server name indication in SSL
- */
-#define MBEDTLS_SSL_SERVER_NAME_INDICATION
-
-/**
- * \def MBEDTLS_SSL_TRUNCATED_HMAC
- *
- * Enable support for RFC 6066 truncated HMAC in SSL.
- *
- * Comment this macro to disable support for truncated HMAC in SSL
- */
-#define MBEDTLS_SSL_TRUNCATED_HMAC
-
-/**
- * \def MBEDTLS_VERSION_FEATURES
- *
- * Allow run-time checking of compile-time enabled features. Thus allowing users
- * to check at run-time if the library is for instance compiled with threading
- * support via mbedtls_version_check_feature().
- *
- * Requires: MBEDTLS_VERSION_C
- *
- * Comment this to disable run-time checking and save ROM space
- */
-#define MBEDTLS_VERSION_FEATURES
-
-/**
- * \def MBEDTLS_X509_CHECK_KEY_USAGE
- *
- * Enable verification of the keyUsage extension (CA and leaf certificates).
- *
- * Disabling this avoids problems with mis-issued and/or misused
- * (intermediate) CA and leaf certificates.
- *
- * \warning Depending on your PKI use, disabling this can be a security risk!
- *
- * Comment to skip keyUsage checking for both CA and leaf certificates.
- */
-#define MBEDTLS_X509_CHECK_KEY_USAGE
-
-/**
- * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
- *
- * Enable verification of the extendedKeyUsage extension (leaf certificates).
- *
- * Disabling this avoids problems with mis-issued and/or misused certificates.
- *
- * \warning Depending on your PKI use, disabling this can be a security risk!
- *
- * Comment to skip extendedKeyUsage checking for certificates.
- */
-#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
-
-/**
- * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
- *
- * Enable parsing and verification of X.509 certificates, CRLs and CSRS
- * signed with RSASSA-PSS (aka PKCS#1 v2.1).
- *
- * Comment this macro to disallow using RSASSA-PSS in certificates.
- */
-#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
-
-/* \} name SECTION: mbed TLS feature support */
-
-/**
- * \name SECTION: mbed TLS modules
- *
- * This section enables or disables entire modules in mbed TLS
- * \{
- */
-
-/**
- * \def MBEDTLS_AESNI_C
- *
- * Enable AES-NI support on x86-64.
- *
- * Module: library/aesni.c
- * Caller: library/aes.c
- *
- * Requires: MBEDTLS_HAVE_ASM
- *
- * This modules adds support for the AES-NI instructions on x86-64
- */
-#define MBEDTLS_AESNI_C
-
-/**
- * \def MBEDTLS_AES_C
- *
- * Enable the AES block cipher.
- *
- * Module: library/aes.c
- * Caller: library/ssl_tls.c
- * library/pem.c
- * library/ctr_drbg.c
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
- * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
- * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
- * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
- * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
- * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
- * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
- *
- * PEM_PARSE uses AES for decrypting encrypted keys.
- */
-#ifdef CONFIG_MBEDTLS_AES_C
-#define MBEDTLS_AES_C
-#else
-#undef MBEDTLS_AES_C
-#endif
-
-/**
- * \def MBEDTLS_ASN1_PARSE_C
- *
- * Enable the generic ASN1 parser.
- *
- * Module: library/asn1.c
- * Caller: library/x509.c
- * library/dhm.c
- * library/pkcs12.c
- * library/pkcs5.c
- * library/pkparse.c
- */
-#define MBEDTLS_ASN1_PARSE_C
-
-/**
- * \def MBEDTLS_ASN1_WRITE_C
- *
- * Enable the generic ASN1 writer.
- *
- * Module: library/asn1write.c
- * Caller: library/ecdsa.c
- * library/pkwrite.c
- * library/x509_create.c
- * library/x509write_crt.c
- * library/mbedtls_x509write_csr.c
- */
-#define MBEDTLS_ASN1_WRITE_C
-
-/**
- * \def MBEDTLS_BASE64_C
- *
- * Enable the Base64 module.
- *
- * Module: library/base64.c
- * Caller: library/pem.c
- *
- * This module is required for PEM support (required by X.509).
- */
-#define MBEDTLS_BASE64_C
-
-/**
- * \def MBEDTLS_BIGNUM_C
- *
- * Enable the multi-precision integer library.
- *
- * Module: library/bignum.c
- * Caller: library/dhm.c
- * library/ecp.c
- * library/ecdsa.c
- * library/rsa.c
- * library/ssl_tls.c
- *
- * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
- */
-#define MBEDTLS_BIGNUM_C
-
-/**
- * \def MBEDTLS_BLOWFISH_C
- *
- * Enable the Blowfish block cipher.
- *
- * Module: library/blowfish.c
- */
-#ifdef CONFIG_MBEDTLS_BLOWFISH_C
-#define MBEDTLS_BLOWFISH_C
-#else
-#undef MBEDTLS_BLOWFISH_C
-#endif
-
-/**
- * \def MBEDTLS_CAMELLIA_C
- *
- * Enable the Camellia block cipher.
- *
- * Module: library/camellia.c
- * Caller: library/ssl_tls.c
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
- * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
- */
-#ifdef CONFIG_MBEDTLS_CAMELLIA_C
-#define MBEDTLS_CAMELLIA_C
-#else
-#undef MBEDTLS_CAMELLIA_C
-#endif
-
-/**
- * \def MBEDTLS_CCM_C
- *
- * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
- *
- * Module: library/ccm.c
- *
- * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
- *
- * This module enables the AES-CCM ciphersuites, if other requisites are
- * enabled as well.
- */
-#ifdef CONFIG_MBEDTLS_CCM_C
-#define MBEDTLS_CCM_C
-#else
-#undef MBEDTLS_CCM_C
-#endif
-
-/**
- * \def MBEDTLS_CERTS_C
- *
- * Enable the test certificates.
- *
- * Module: library/certs.c
- * Caller:
- *
- * This module is used for testing (ssl_client/server).
- */
-#define MBEDTLS_CERTS_C
-
-/**
- * \def MBEDTLS_CHACHA20_C
- *
- * Disable the ChaCha20 stream cipher.
- *
- * Module: library/chacha20.c
- */
-#ifdef MBEDTLS_CHACHA20_C
-#undef MBEDTLS_CHACHA20_C
-#endif
-
-/**
- * \def MBEDTLS_CHACHAPOLY_C
- *
- * Disable the ChaCha20-Poly1305 AEAD algorithm.
- *
- * Module: library/chachapoly.c
- *
- * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
- */
-#ifdef MBEDTLS_CHACHAPOLY_C
-#undef MBEDTLS_CHACHAPOLY_C
-#endif
-
-/**
- * \def MBEDTLS_CIPHER_C
- *
- * Enable the generic cipher layer.
- *
- * Module: library/cipher.c
- * Caller: library/ssl_tls.c
- *
- * Uncomment to enable generic cipher wrappers.
- */
-#define MBEDTLS_CIPHER_C
-
-/**
- * \def MBEDTLS_CTR_DRBG_C
- *
- * Enable the CTR_DRBG AES-256-based random generator.
- *
- * Module: library/ctr_drbg.c
- * Caller:
- *
- * Requires: MBEDTLS_AES_C
- *
- * This module provides the CTR_DRBG AES-256 random number generator.
- */
-#define MBEDTLS_CTR_DRBG_C
-
-/**
- * \def MBEDTLS_DEBUG_C
- *
- * Enable the debug functions.
- *
- * Module: library/debug.c
- * Caller: library/ssl_cli.c
- * library/ssl_srv.c
- * library/ssl_tls.c
- *
- * This module provides debugging functions.
- */
-#if CONFIG_MBEDTLS_DEBUG
-#define MBEDTLS_DEBUG_C
-#else
-#undef MBEDTLS_DEBUG_C
-#endif
-
-/**
- * \def MBEDTLS_DES_C
- *
- * Enable the DES block cipher.
- *
- * Module: library/des.c
- * Caller: library/pem.c
- * library/ssl_tls.c
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- * MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
- * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
- *
- * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
- */
-#ifdef CONFIG_MBEDTLS_DES_C
-#define MBEDTLS_DES_C
-#else
-#undef MBEDTLS_DES_C
-#endif
-
-/**
- * \def MBEDTLS_DHM_C
- *
- * Enable the Diffie-Hellman-Merkle module.
- *
- * Module: library/dhm.c
- * Caller: library/ssl_cli.c
- * library/ssl_srv.c
- *
- * This module is used by the following key exchanges:
- * DHE-RSA, DHE-PSK
- */
-#define MBEDTLS_DHM_C
-
-/**
- * \def MBEDTLS_ECDH_C
- *
- * Enable the elliptic curve Diffie-Hellman library.
- *
- * Module: library/ecdh.c
- * Caller: library/ssl_cli.c
- * library/ssl_srv.c
- *
- * This module is used by the following key exchanges:
- * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
- *
- * Requires: MBEDTLS_ECP_C
- */
-#ifdef CONFIG_MBEDTLS_ECDH_C
-#define MBEDTLS_ECDH_C
-#else
-#undef MBEDTLS_ECDH_C
-#endif
-
-/**
- * \def MBEDTLS_ECDSA_C
- *
- * Enable the elliptic curve DSA library.
- *
- * Module: library/ecdsa.c
- * Caller:
- *
- * This module is used by the following key exchanges:
- * ECDHE-ECDSA
- *
- * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
- */
-#ifdef CONFIG_MBEDTLS_ECDSA_C
-#define MBEDTLS_ECDSA_C
-#else
-#undef MBEDTLS_ECDSA_C
-#endif
-
-/**
- * \def MBEDTLS_ECJPAKE_C
- *
- * Enable the elliptic curve J-PAKE library.
- *
- * \warning This is currently experimental. EC J-PAKE support is based on the
- * Thread v1.0.0 specification; incompatible changes to the specification
- * might still happen. For this reason, this is disabled by default.
- *
- * Module: library/ecjpake.c
- * Caller:
- *
- * This module is used by the following key exchanges:
- * ECJPAKE
- *
- * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
- */
-//#define MBEDTLS_ECJPAKE_C
-
-/**
- * \def MBEDTLS_ECP_C
- *
- * Enable the elliptic curve over GF(p) library.
- *
- * Module: library/ecp.c
- * Caller: library/ecdh.c
- * library/ecdsa.c
- * library/ecjpake.c
- *
- * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
- */
-#ifdef CONFIG_MBEDTLS_ECP_C
-#define MBEDTLS_ECP_C
-#else
-#undef MBEDTLS_ECP_C
-#endif
-
-/**
- * \def MBEDTLS_ENTROPY_C
- *
- * Enable the platform-specific entropy code.
- *
- * Module: library/entropy.c
- * Caller:
- *
- * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
- *
- * This module provides a generic entropy pool
- */
-#define MBEDTLS_ENTROPY_C
-
-/**
- * \def MBEDTLS_ERROR_C
- *
- * Enable error code to error string conversion.
- *
- * Module: library/error.c
- * Caller:
- *
- * This module enables mbedtls_strerror().
- */
-#define MBEDTLS_ERROR_C
-
-/**
- * \def MBEDTLS_GCM_C
- *
- * Enable the Galois/Counter Mode (GCM) for AES.
- *
- * Module: library/gcm.c
- *
- * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
- *
- * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
- * requisites are enabled as well.
- */
-#ifdef CONFIG_MBEDTLS_GCM_C
-#define MBEDTLS_GCM_C
-#else
-#undef MBEDTLS_GCM_C
-#endif
-
-/**
- * \def MBEDTLS_HKDF_C
- *
- * Enable the HKDF algorithm (RFC 5869).
- *
- * Module: library/hkdf.c
- * Caller:
- *
- * Requires: MBEDTLS_MD_C
- *
- * This module adds support for the Hashed Message Authentication Code
- * (HMAC)-based key derivation function (HKDF).
- */
-#ifndef MBEDTLS_HKDF_C
-#define MBEDTLS_HKDF_C
-#endif
-
-/**
- * \def MBEDTLS_HMAC_DRBG_C
- *
- * Enable the HMAC_DRBG random generator.
- *
- * Module: library/hmac_drbg.c
- * Caller:
- *
- * Requires: MBEDTLS_MD_C
- *
- * Uncomment to enable the HMAC_DRBG random number geerator.
- */
-#define MBEDTLS_HMAC_DRBG_C
-
-/**
- * \def MBEDTLS_MD_C
- *
- * Enable the generic message digest layer.
- *
- * Module: library/mbedtls_md.c
- * Caller:
- *
- * Uncomment to enable generic message digest wrappers.
- */
-#define MBEDTLS_MD_C
-
-/**
- * \def MBEDTLS_MD5_C
- *
- * Enable the MD5 hash algorithm.
- *
- * Module: library/mbedtls_md5.c
- * Caller: library/mbedtls_md.c
- * library/pem.c
- * library/ssl_tls.c
- *
- * This module is required for SSL/TLS and X.509.
- * PEM_PARSE uses MD5 for decrypting encrypted keys.
- */
-#define MBEDTLS_MD5_C
-
-/**
- * \def MBEDTLS_NET_C
- *
- * Enable the TCP/IP networking routines.
- *
- * Module: library/net.c
- *
- * This module provides TCP/IP networking routines.
- */
-#ifdef MBEDTLS_NET_C
-#undef MBEDTLS_NET_C
-#endif
-
-/**
- * \def MBEDTLS_OID_C
- *
- * Enable the OID database.
- *
- * Module: library/oid.c
- * Caller: library/asn1write.c
- * library/pkcs5.c
- * library/pkparse.c
- * library/pkwrite.c
- * library/rsa.c
- * library/x509.c
- * library/x509_create.c
- * library/mbedtls_x509_crl.c
- * library/mbedtls_x509_crt.c
- * library/mbedtls_x509_csr.c
- * library/x509write_crt.c
- * library/mbedtls_x509write_csr.c
- *
- * This modules translates between OIDs and internal values.
- */
-#define MBEDTLS_OID_C
-
-/**
- * \def MBEDTLS_PADLOCK_C
- *
- * Enable VIA Padlock support on x86.
- *
- * Module: library/padlock.c
- * Caller: library/aes.c
- *
- * Requires: MBEDTLS_HAVE_ASM
- *
- * This modules adds support for the VIA PadLock on x86.
- */
-#define MBEDTLS_PADLOCK_C
-
-/**
- * \def MBEDTLS_PEM_PARSE_C
- *
- * Enable PEM decoding / parsing.
- *
- * Module: library/pem.c
- * Caller: library/dhm.c
- * library/pkparse.c
- * library/mbedtls_x509_crl.c
- * library/mbedtls_x509_crt.c
- * library/mbedtls_x509_csr.c
- *
- * Requires: MBEDTLS_BASE64_C
- *
- * This modules adds support for decoding / parsing PEM files.
- */
-#ifdef CONFIG_MBEDTLS_PEM_PARSE_C
-#define MBEDTLS_PEM_PARSE_C
-#else
-#undef MBEDTLS_PEM_PARSE_C
-#endif
-
-/**
- * \def MBEDTLS_PEM_WRITE_C
- *
- * Enable PEM encoding / writing.
- *
- * Module: library/pem.c
- * Caller: library/pkwrite.c
- * library/x509write_crt.c
- * library/mbedtls_x509write_csr.c
- *
- * Requires: MBEDTLS_BASE64_C
- *
- * This modules adds support for encoding / writing PEM files.
- */
-#ifdef CONFIG_MBEDTLS_PEM_WRITE_C
-#define MBEDTLS_PEM_WRITE_C
-#else
-#undef MBEDTLS_PEM_WRITE_C
-#endif
-
-/**
- * \def MBEDTLS_PK_C
- *
- * Enable the generic public (asymetric) key layer.
- *
- * Module: library/pk.c
- * Caller: library/ssl_tls.c
- * library/ssl_cli.c
- * library/ssl_srv.c
- *
- * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
- *
- * Uncomment to enable generic public key wrappers.
- */
-#define MBEDTLS_PK_C
-
-/**
- * \def MBEDTLS_PK_PARSE_C
- *
- * Enable the generic public (asymetric) key parser.
- *
- * Module: library/pkparse.c
- * Caller: library/mbedtls_x509_crt.c
- * library/mbedtls_x509_csr.c
- *
- * Requires: MBEDTLS_PK_C
- *
- * Uncomment to enable generic public key parse functions.
- */
-#define MBEDTLS_PK_PARSE_C
-
-/**
- * \def MBEDTLS_PK_WRITE_C
- *
- * Enable the generic public (asymetric) key writer.
- *
- * Module: library/pkwrite.c
- * Caller: library/x509write.c
- *
- * Requires: MBEDTLS_PK_C
- *
- * Uncomment to enable generic public key write functions.
- */
-#define MBEDTLS_PK_WRITE_C
-
-/**
- * \def MBEDTLS_PKCS5_C
- *
- * Enable PKCS#5 functions.
- *
- * Module: library/pkcs5.c
- *
- * Requires: MBEDTLS_MD_C
- *
- * This module adds support for the PKCS#5 functions.
- */
-#define MBEDTLS_PKCS5_C
-
-/**
- * \def MBEDTLS_PKCS12_C
- *
- * Enable PKCS#12 PBE functions.
- * Adds algorithms for parsing PKCS#8 encrypted private keys
- *
- * Module: library/pkcs12.c
- * Caller: library/pkparse.c
- *
- * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C
- * Can use: MBEDTLS_ARC4_C
- *
- * This module enables PKCS#12 functions.
- */
-#define MBEDTLS_PKCS12_C
-
-/**
- * \def MBEDTLS_PLATFORM_C
- *
- * Enable the platform abstraction layer that allows you to re-assign
- * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
- *
- * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
- * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
- * above to be specified at runtime or compile time respectively.
- *
- * \note This abstraction layer must be enabled on Windows (including MSYS2)
- * as other module rely on it for a fixed snprintf implementation.
- *
- * Module: library/platform.c
- * Caller: Most other .c files
- *
- * This module enables abstraction of common (libc) functions.
- */
-#define MBEDTLS_PLATFORM_C
-
-/**
- * \def MBEDTLS_POLY1305_C
- *
- * Disable the Poly1305 MAC algorithm.
- *
- * Module: library/poly1305.c
- * Caller: library/chachapoly.c
- */
-#ifdef MBEDTLS_POLY1305_C
-#undef MBEDTLS_POLY1305_C
-#endif
-
-/**
- * \def MBEDTLS_RIPEMD160_C
- *
- * Enable the RIPEMD-160 hash algorithm.
- *
- * Module: library/mbedtls_ripemd160.c
- * Caller: library/mbedtls_md.c
- *
- */
-#ifdef CONFIG_MBEDTLS_RIPEMD160_C
-#define MBEDTLS_RIPEMD160_C
-#else
-#undef MBEDTLS_RIPEMD160_C
-#endif
-
-/**
- * \def MBEDTLS_RSA_C
- *
- * Enable the RSA public-key cryptosystem.
- *
- * Module: library/rsa.c
- * Caller: library/ssl_cli.c
- * library/ssl_srv.c
- * library/ssl_tls.c
- * library/x509.c
- *
- * This module is used by the following key exchanges:
- * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
- *
- * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
- */
-#define MBEDTLS_RSA_C
-
-/**
- * \def MBEDTLS_SHA1_C
- *
- * Enable the SHA1 cryptographic hash algorithm.
- *
- * Module: library/mbedtls_sha1.c
- * Caller: library/mbedtls_md.c
- * library/ssl_cli.c
- * library/ssl_srv.c
- * library/ssl_tls.c
- * library/x509write_crt.c
- *
- * This module is required for SSL/TLS and SHA1-signed certificates.
- */
-#define MBEDTLS_SHA1_C
-
-/**
- * \def MBEDTLS_SHA256_C
- *
- * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
- *
- * Module: library/mbedtls_sha256.c
- * Caller: library/entropy.c
- * library/mbedtls_md.c
- * library/ssl_cli.c
- * library/ssl_srv.c
- * library/ssl_tls.c
- *
- * This module adds support for SHA-224 and SHA-256.
- * This module is required for the SSL/TLS 1.2 PRF function.
- */
-#define MBEDTLS_SHA256_C
-
-/**
- * \def MBEDTLS_SHA512_C
- *
- * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
- *
- * Module: library/mbedtls_sha512.c
- * Caller: library/entropy.c
- * library/mbedtls_md.c
- * library/ssl_cli.c
- * library/ssl_srv.c
- *
- * This module adds support for SHA-384 and SHA-512.
- */
-#define MBEDTLS_SHA512_C
-
-/**
- * \def MBEDTLS_SSL_CACHE_C
- *
- * Enable simple SSL cache implementation.
- *
- * Module: library/ssl_cache.c
- * Caller:
- *
- * Requires: MBEDTLS_SSL_CACHE_C
- */
-#define MBEDTLS_SSL_CACHE_C
-
-/**
- * \def MBEDTLS_SSL_COOKIE_C
- *
- * Enable basic implementation of DTLS cookies for hello verification.
- *
- * Module: library/ssl_cookie.c
- * Caller:
- */
-#define MBEDTLS_SSL_COOKIE_C
-
-/**
- * \def MBEDTLS_SSL_TICKET_C
- *
- * Enable an implementation of TLS server-side callbacks for session tickets.
- *
- * Module: library/ssl_ticket.c
- * Caller:
- *
- * Requires: MBEDTLS_CIPHER_C
- */
-#ifdef CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS
-#define MBEDTLS_SSL_TICKET_C
-#else
-#undef MBEDTLS_SSL_TICKET_C
-#endif
-
-/**
- * \def MBEDTLS_SSL_CLI_C
- *
- * Enable the SSL/TLS client code.
- *
- * Module: library/ssl_cli.c
- * Caller:
- *
- * Requires: MBEDTLS_SSL_TLS_C
- *
- * This module is required for SSL/TLS client support.
- */
-#ifdef CONFIG_MBEDTLS_TLS_CLIENT
-#define MBEDTLS_SSL_CLI_C
-#else
-#undef MBEDTLS_SSL_CLI_C
-#endif
-
-/**
- * \def MBEDTLS_SSL_SRV_C
- *
- * Enable the SSL/TLS server code.
- *
- * Module: library/ssl_srv.c
- * Caller:
- *
- * Requires: MBEDTLS_SSL_TLS_C
- *
- * This module is required for SSL/TLS server support.
- */
-#ifdef CONFIG_MBEDTLS_TLS_SERVER
-#define MBEDTLS_SSL_SRV_C
-#else
-#undef MBEDTLS_SSL_SRV_C
-#endif
-
-/**
- * \def MBEDTLS_SSL_TLS_C
- *
- * Enable the generic SSL/TLS code.
- *
- * Module: library/ssl_tls.c
- * Caller: library/ssl_cli.c
- * library/ssl_srv.c
- *
- * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
- * and at least one of the MBEDTLS_SSL_PROTO_XXX defines
- *
- * This module is required for SSL/TLS.
- */
-#ifdef CONFIG_MBEDTLS_TLS_ENABLED
-#define MBEDTLS_SSL_TLS_C
-#else
-#undef MBEDTLS_SSL_TLS_C
-#endif
-
-/**
- * \def MBEDTLS_TIMING_C
- *
- * Enable the semi-portable timing interface.
- *
- * \note The provided implementation only works on POSIX/Unix (including Linux,
- * BSD and OS X) and Windows. On other platforms, you can either disable that
- * module and provide your own implementations of the callbacks needed by
- * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
- * your own implementation of the whole module by setting
- * \c MBEDTLS_TIMING_ALT in the current file.
- *
- * \note See also our Knowledge Base article about porting to a new
- * environment:
- * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
- *
- * Module: library/timing.c
- * Caller: library/havege.c
- *
- * This module is used by the HAVEGE random number generator.
- */
-#ifdef MBEDTLS_TIMING_C
-#undef MBEDTLS_TIMING_C
-#endif
-
-/**
- * \def MBEDTLS_VERSION_C
- *
- * Enable run-time version information.
- *
- * Module: library/version.c
- *
- * This module provides run-time version information.
- */
-#define MBEDTLS_VERSION_C
-
-/**
- * \def MBEDTLS_X509_USE_C
- *
- * Enable X.509 core for using certificates.
- *
- * Module: library/x509.c
- * Caller: library/mbedtls_x509_crl.c
- * library/mbedtls_x509_crt.c
- * library/mbedtls_x509_csr.c
- *
- * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
- * MBEDTLS_PK_PARSE_C
- *
- * This module is required for the X.509 parsing modules.
- */
-#define MBEDTLS_X509_USE_C
-
-/**
- * \def MBEDTLS_X509_CRT_PARSE_C
- *
- * Enable X.509 certificate parsing.
- *
- * Module: library/mbedtls_x509_crt.c
- * Caller: library/ssl_cli.c
- * library/ssl_srv.c
- * library/ssl_tls.c
- *
- * Requires: MBEDTLS_X509_USE_C
- *
- * This module is required for X.509 certificate parsing.
- */
-#define MBEDTLS_X509_CRT_PARSE_C
-
-/**
- * \def MBEDTLS_X509_CRL_PARSE_C
- *
- * Enable X.509 CRL parsing.
- *
- * Module: library/mbedtls_x509_crl.c
- * Caller: library/mbedtls_x509_crt.c
- *
- * Requires: MBEDTLS_X509_USE_C
- *
- * This module is required for X.509 CRL parsing.
- */
-#ifdef CONFIG_MBEDTLS_X509_CRL_PARSE_C
-#define MBEDTLS_X509_CRL_PARSE_C
-#else
-#undef MBEDTLS_X509_CRL_PARSE_C
-#endif
-
-/**
- * \def MBEDTLS_X509_CSR_PARSE_C
- *
- * Enable X.509 Certificate Signing Request (CSR) parsing.
- *
- * Module: library/mbedtls_x509_csr.c
- * Caller: library/x509_crt_write.c
- *
- * Requires: MBEDTLS_X509_USE_C
- *
- * This module is used for reading X.509 certificate request.
- */
-#ifdef CONFIG_MBEDTLS_X509_CSR_PARSE_C
-#define MBEDTLS_X509_CSR_PARSE_C
-#else
-#undef MBEDTLS_X509_CSR_PARSE_C
-#endif
-
-/**
- * \def MBEDTLS_X509_CREATE_C
- *
- * Enable X.509 core for creating certificates.
- *
- * Module: library/x509_create.c
- *
- * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
- *
- * This module is the basis for creating X.509 certificates and CSRs.
- */
-#define MBEDTLS_X509_CREATE_C
-
-/**
- * \def MBEDTLS_X509_CRT_WRITE_C
- *
- * Enable creating X.509 certificates.
- *
- * Module: library/x509_crt_write.c
- *
- * Requires: MBEDTLS_X509_CREATE_C
- *
- * This module is required for X.509 certificate creation.
- */
-#define MBEDTLS_X509_CRT_WRITE_C
-
-/**
- * \def MBEDTLS_X509_CSR_WRITE_C
- *
- * Enable creating X.509 Certificate Signing Requests (CSR).
- *
- * Module: library/x509_csr_write.c
- *
- * Requires: MBEDTLS_X509_CREATE_C
- *
- * This module is required for X.509 certificate request writing.
- */
-#define MBEDTLS_X509_CSR_WRITE_C
-
-/**
- * \def MBEDTLS_XTEA_C
- *
- * Enable the XTEA block cipher.
- *
- * Module: library/xtea.c
- * Caller:
- */
-#ifdef CONFIG_MBEDTLS_XTEA_C
-#define MBEDTLS_XTEA_C
-#else
-#undef MBEDTLS_XTEA_C
-#endif
-
-/* \} name SECTION: mbed TLS modules */
-
-/**
- * \name SECTION: Module configuration options
- *
- * This section allows for the setting of module specific sizes and
- * configuration options. The default values are already present in the
- * relevant header files and should suffice for the regular use cases.
- *
- * Our advice is to enable options and change their values here
- * only if you have a good reason and know the consequences.
- *
- * Please check the respective header file for documentation on these
- * parameters (to prevent duplicate documentation).
- * \{
- */
-
-/* SSL options */
-#ifndef CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN
-
-#define MBEDTLS_SSL_MAX_CONTENT_LEN \
- CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O \
- buffers */
-
-#else
-
-/** \def MBEDTLS_SSL_IN_CONTENT_LEN
- *
- * Maximum incoming fragment length in bytes.
- *
- * Uncomment to set the size of the inward TLS buffer independently of the
- * outward buffer.
- */
-#define MBEDTLS_SSL_IN_CONTENT_LEN CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN
-
-/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
- *
- * Maximum outgoing fragment length in bytes.
- *
- * Uncomment to set the size of the outward TLS buffer independently of the
- * inward buffer.
- *
- * It is possible to save RAM by setting a smaller outward buffer, while keeping
- * the default inward 16384 byte buffer to conform to the TLS specification.
- *
- * The minimum required outward buffer size is determined by the handshake
- * protocol's usage. Handshaking will fail if the outward buffer is too small.
- * The specific size requirement depends on the configured ciphers and any
- * certificate data which is sent during the handshake.
- *
- * For absolute minimum RAM usage, it's best to enable
- * MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This
- * reduces both incoming and outgoing buffer sizes. However this is only
- * guaranteed if the other end of the connection also supports the TLS
- * max_fragment_len extension. Otherwise the connection may fail.
- */
-#define MBEDTLS_SSL_OUT_CONTENT_LEN CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN
-
-#endif /* !CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN */
-
-/**
- * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
- * signature and ciphersuite selection. Without this build-time option, SHA-1
- * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
- * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
- * default. At the time of writing, there is no practical attack on the use
- * of SHA-1 in handshake signatures, hence this option is turned on by default
- * for compatibility with existing peers.
- */
-#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
-
-/* \} name SECTION: Module configuration options */
-
-#if defined(TARGET_LIKE_MBED)
-#include "mbedtls/target_config.h"
-#endif
-
-/*
- * Allow user to override any previous default.
- *
- * Use two macro names for that, as:
- * - with yotta the prefix YOTTA_CFG_ is forced
- * - without yotta is looks weird to have a YOTTA prefix.
- */
-#if defined(YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE)
-#include YOTTA_CFG_MBEDTLS_USER_CONFIG_FILE
-#elif defined(MBEDTLS_USER_CONFIG_FILE)
-#include MBEDTLS_USER_CONFIG_FILE
-#endif
-
-#include "mbedtls/check_config.h"
-
-#endif /* ESP_CONFIG_H */
diff --git a/examples/all-clusters-app/esp32/sdkconfig.defaults b/examples/all-clusters-app/esp32/sdkconfig.defaults
index 42d30f4..d824c99 100644
--- a/examples/all-clusters-app/esp32/sdkconfig.defaults
+++ b/examples/all-clusters-app/esp32/sdkconfig.defaults
@@ -60,6 +60,9 @@
# Disable softap support by default
CONFIG_ESP_WIFI_SOFTAP_SUPPORT=n
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
+
# This example uses the older version of RMT driver to work with both
# idf-v4.4.3 and idf-v5.0, so supressing the warnings by setting below option
CONFIG_RMT_SUPPRESS_DEPRECATE_WARN=y
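Review bot: The added `CONFIG_MBEDTLS_HKDF_C=y` makes HKDF availability depend on each application's defaults file, and nothing visible in this diff enforces it for projects that are not copied from these examples. Now that the crypto feature set comes from the IDF mbedtls Kconfig instead of a project-owned header, an application with an existing sdkconfig or its own defaults file may be configured without HKDF and, presumably, fail only at compile or link time with an unrelated-looking error. I would enforce the requirement once in the chip component, for example `if(NOT CONFIG_MBEDTLS_HKDF_C)` / `message(FATAL_ERROR "chip component requires CONFIG_MBEDTLS_HKDF_C=y")` / `endif()` in config/esp32/components/chip/CMakeLists.txt, or a Kconfig `select MBEDTLS_HKDF_C` on the component's option. The same line is repeated in every other sdkconfig*.defaults hunk of this commit, so the note applies to all of them.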
diff --git a/examples/all-clusters-app/esp32/sdkconfig_c3devkit.defaults b/examples/all-clusters-app/esp32/sdkconfig_c3devkit.defaults
index 737935b..24d4fe7 100644
--- a/examples/all-clusters-app/esp32/sdkconfig_c3devkit.defaults
+++ b/examples/all-clusters-app/esp32/sdkconfig_c3devkit.defaults
@@ -47,3 +47,6 @@
# Serial Flasher config
CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y
CONFIG_ESPTOOLPY_FLASHSIZE="4MB"
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/all-clusters-app/esp32/sdkconfig_m5stack.defaults b/examples/all-clusters-app/esp32/sdkconfig_m5stack.defaults
index 6b3de5e..d8d54e5 100644
--- a/examples/all-clusters-app/esp32/sdkconfig_m5stack.defaults
+++ b/examples/all-clusters-app/esp32/sdkconfig_m5stack.defaults
@@ -63,4 +63,7 @@
#enable it may cause GPIO ISR triggers continuously
CONFIG_BTDM_CTRL_MODEM_SLEEP=n
CONFIG_BTDM_CTRL_MODEM_SLEEP_MODE_ORIG=n
-CONFIG_BTDM_CTRL_LPCLK_SEL_MAIN_XTAL=n
\ No newline at end of file
+CONFIG_BTDM_CTRL_LPCLK_SEL_MAIN_XTAL=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/all-clusters-app/esp32/sdkconfig_m5stack_rpc.defaults b/examples/all-clusters-app/esp32/sdkconfig_m5stack_rpc.defaults
index 5ffdd66..35fd87e 100644
--- a/examples/all-clusters-app/esp32/sdkconfig_m5stack_rpc.defaults
+++ b/examples/all-clusters-app/esp32/sdkconfig_m5stack_rpc.defaults
@@ -67,4 +67,7 @@
#enable it may cause GPIO ISR triggers continuously
CONFIG_BTDM_CTRL_MODEM_SLEEP=n
CONFIG_BTDM_CTRL_MODEM_SLEEP_MODE_ORIG=n
-CONFIG_BTDM_CTRL_LPCLK_SEL_MAIN_XTAL=n
\ No newline at end of file
+CONFIG_BTDM_CTRL_LPCLK_SEL_MAIN_XTAL=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/all-clusters-minimal-app/esp32/sdkconfig.defaults b/examples/all-clusters-minimal-app/esp32/sdkconfig.defaults
index 42d30f4..dcceac3 100644
--- a/examples/all-clusters-minimal-app/esp32/sdkconfig.defaults
+++ b/examples/all-clusters-minimal-app/esp32/sdkconfig.defaults
@@ -63,3 +63,6 @@
# This example uses the older version of RMT driver to work with both
# idf-v4.4.3 and idf-v5.0, so supressing the warnings by setting below option
CONFIG_RMT_SUPPRESS_DEPRECATE_WARN=y
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/all-clusters-minimal-app/esp32/sdkconfig_c3devkit.defaults b/examples/all-clusters-minimal-app/esp32/sdkconfig_c3devkit.defaults
index 737935b..24d4fe7 100644
--- a/examples/all-clusters-minimal-app/esp32/sdkconfig_c3devkit.defaults
+++ b/examples/all-clusters-minimal-app/esp32/sdkconfig_c3devkit.defaults
@@ -47,3 +47,6 @@
# Serial Flasher config
CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y
CONFIG_ESPTOOLPY_FLASHSIZE="4MB"
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/all-clusters-minimal-app/esp32/sdkconfig_m5stack.defaults b/examples/all-clusters-minimal-app/esp32/sdkconfig_m5stack.defaults
index 6b3de5e..d8d54e5 100644
--- a/examples/all-clusters-minimal-app/esp32/sdkconfig_m5stack.defaults
+++ b/examples/all-clusters-minimal-app/esp32/sdkconfig_m5stack.defaults
@@ -63,4 +63,7 @@
#enable it may cause GPIO ISR triggers continuously
CONFIG_BTDM_CTRL_MODEM_SLEEP=n
CONFIG_BTDM_CTRL_MODEM_SLEEP_MODE_ORIG=n
-CONFIG_BTDM_CTRL_LPCLK_SEL_MAIN_XTAL=n
\ No newline at end of file
+CONFIG_BTDM_CTRL_LPCLK_SEL_MAIN_XTAL=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/all-clusters-minimal-app/esp32/sdkconfig_m5stack_rpc.defaults b/examples/all-clusters-minimal-app/esp32/sdkconfig_m5stack_rpc.defaults
index 5ffdd66..35fd87e 100644
--- a/examples/all-clusters-minimal-app/esp32/sdkconfig_m5stack_rpc.defaults
+++ b/examples/all-clusters-minimal-app/esp32/sdkconfig_m5stack_rpc.defaults
@@ -67,4 +67,7 @@
#enable it may cause GPIO ISR triggers continuously
CONFIG_BTDM_CTRL_MODEM_SLEEP=n
CONFIG_BTDM_CTRL_MODEM_SLEEP_MODE_ORIG=n
-CONFIG_BTDM_CTRL_LPCLK_SEL_MAIN_XTAL=n
\ No newline at end of file
+CONFIG_BTDM_CTRL_LPCLK_SEL_MAIN_XTAL=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/bridge-app/esp32/sdkconfig.defaults b/examples/bridge-app/esp32/sdkconfig.defaults
index 611f452..bc364e1 100644
--- a/examples/bridge-app/esp32/sdkconfig.defaults
+++ b/examples/bridge-app/esp32/sdkconfig.defaults
@@ -45,3 +45,6 @@
# Disable softap support by default
CONFIG_ESP_WIFI_SOFTAP_SUPPORT=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/chef/esp32/main/CMakeLists.txt b/examples/chef/esp32/main/CMakeLists.txt
index e1940af..5a48e62 100644
--- a/examples/chef/esp32/main/CMakeLists.txt
+++ b/examples/chef/esp32/main/CMakeLists.txt
@@ -107,7 +107,7 @@
idf_component_register(PRIV_INCLUDE_DIRS
"${CHIP_SHELL_DIR}/shell_common/include"
"${PRIV_INCLUDE_DIRS_LIST}"
- PRIV_REQUIRES chip nvs_flash bt console esp32_mbedtls QRCode tft screen-framework spidriver
+ PRIV_REQUIRES chip nvs_flash bt console mbedtls QRCode tft screen-framework spidriver
SRC_DIRS ${SRC_DIRS_LIST})
include("${CHIP_ROOT}/build/chip/esp32/esp32_codegen.cmake")
diff --git a/examples/chef/esp32/sdkconfig.defaults b/examples/chef/esp32/sdkconfig.defaults
index a4365b4..ca2cd09 100644
--- a/examples/chef/esp32/sdkconfig.defaults
+++ b/examples/chef/esp32/sdkconfig.defaults
@@ -56,3 +56,6 @@
# Disable softap support by default
CONFIG_ESP_WIFI_SOFTAP_SUPPORT=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/chef/esp32/sdkconfig_rpc.defaults b/examples/chef/esp32/sdkconfig_rpc.defaults
index 97220a6..caac021 100644
--- a/examples/chef/esp32/sdkconfig_rpc.defaults
+++ b/examples/chef/esp32/sdkconfig_rpc.defaults
@@ -55,3 +55,6 @@
# Serial Flasher config
CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y
CONFIG_ESPTOOLPY_FLASHSIZE="4MB"
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/light-switch-app/esp32/sdkconfig.defaults b/examples/light-switch-app/esp32/sdkconfig.defaults
index 822b1da..e392501 100644
--- a/examples/light-switch-app/esp32/sdkconfig.defaults
+++ b/examples/light-switch-app/esp32/sdkconfig.defaults
@@ -52,3 +52,6 @@
# Disable softap support by default
CONFIG_ESP_WIFI_SOFTAP_SUPPORT=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/lighting-app/esp32/sdkconfig.defaults b/examples/lighting-app/esp32/sdkconfig.defaults
index 32b11db..59c0af6 100644
--- a/examples/lighting-app/esp32/sdkconfig.defaults
+++ b/examples/lighting-app/esp32/sdkconfig.defaults
@@ -55,3 +55,6 @@
# This example uses the older version of RMT driver to work with both
# idf-v4.4.3 and idf-v5.0, so suppressing the warnings by setting below option
CONFIG_RMT_SUPPRESS_DEPRECATE_WARN=y
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/lighting-app/esp32/sdkconfig.optimize.defaults b/examples/lighting-app/esp32/sdkconfig.optimize.defaults
index 97a291d..78b876c 100644
--- a/examples/lighting-app/esp32/sdkconfig.optimize.defaults
+++ b/examples/lighting-app/esp32/sdkconfig.optimize.defaults
@@ -91,3 +91,5 @@
CONFIG_TCPIP_RECVMBOX_SIZE=16
CONFIG_TCP_SYNMAXRTX=6
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/lighting-app/esp32/sdkconfig_m5stack.defaults b/examples/lighting-app/esp32/sdkconfig_m5stack.defaults
index 3f70ee3..95d805a 100644
--- a/examples/lighting-app/esp32/sdkconfig_m5stack.defaults
+++ b/examples/lighting-app/esp32/sdkconfig_m5stack.defaults
@@ -62,3 +62,6 @@
# This example uses the older version of RMT driver to work with both
# idf-v4.4.3 and idf-v5.0, so supressing the warnings by setting below option
CONFIG_RMT_SUPPRESS_DEPRECATE_WARN=y
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/lock-app/esp32/sdkconfig.defaults b/examples/lock-app/esp32/sdkconfig.defaults
index f74cbb1..29b4204 100644
--- a/examples/lock-app/esp32/sdkconfig.defaults
+++ b/examples/lock-app/esp32/sdkconfig.defaults
@@ -49,3 +49,6 @@
# Disable softap support by default
CONFIG_ESP_WIFI_SOFTAP_SUPPORT=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/ota-provider-app/esp32/sdkconfig.defaults b/examples/ota-provider-app/esp32/sdkconfig.defaults
index 74c5ea5..9c1ccf0 100644
--- a/examples/ota-provider-app/esp32/sdkconfig.defaults
+++ b/examples/ota-provider-app/esp32/sdkconfig.defaults
@@ -64,3 +64,6 @@
# Disable softap support by default
CONFIG_ESP_WIFI_SOFTAP_SUPPORT=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/ota-requestor-app/esp32/sdkconfig.defaults b/examples/ota-requestor-app/esp32/sdkconfig.defaults
index e25893a..b994220 100644
--- a/examples/ota-requestor-app/esp32/sdkconfig.defaults
+++ b/examples/ota-requestor-app/esp32/sdkconfig.defaults
@@ -65,3 +65,6 @@
# Disable softap support by default
CONFIG_ESP_WIFI_SOFTAP_SUPPORT=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/ota-requestor-app/esp32/sdkconfig_m5stack.defaults b/examples/ota-requestor-app/esp32/sdkconfig_m5stack.defaults
index e251fb9..6e55e05 100644
--- a/examples/ota-requestor-app/esp32/sdkconfig_m5stack.defaults
+++ b/examples/ota-requestor-app/esp32/sdkconfig_m5stack.defaults
@@ -63,3 +63,6 @@
# Enable OTA Requestor
CONFIG_ENABLE_OTA_REQUESTOR=y
CONFIG_DEVICE_SOFTWARE_VERSION_NUMBER=2
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/ota-requestor-app/esp32/sdkconfig_m5stack_rpc.defaults b/examples/ota-requestor-app/esp32/sdkconfig_m5stack_rpc.defaults
index 3f39345..8d425ec 100644
--- a/examples/ota-requestor-app/esp32/sdkconfig_m5stack_rpc.defaults
+++ b/examples/ota-requestor-app/esp32/sdkconfig_m5stack_rpc.defaults
@@ -70,3 +70,6 @@
CONFIG_EXAMPLE_UART_RXD=3
CONFIG_EXAMPLE_UART_TXD=1
CONFIG_ENABLE_PW_RPC=y
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/ota-requestor-app/esp32/sdkconfig_rpc.defaults b/examples/ota-requestor-app/esp32/sdkconfig_rpc.defaults
index 350613d..8e3f95f 100644
--- a/examples/ota-requestor-app/esp32/sdkconfig_rpc.defaults
+++ b/examples/ota-requestor-app/esp32/sdkconfig_rpc.defaults
@@ -62,4 +62,7 @@
CONFIG_EXAMPLE_UART_BAUD_RATE=115200
CONFIG_EXAMPLE_UART_RXD=3
CONFIG_EXAMPLE_UART_TXD=1
-CONFIG_ENABLE_PW_RPC=y
\ No newline at end of file
+CONFIG_ENABLE_PW_RPC=y
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/persistent-storage/esp32/sdkconfig.defaults b/examples/persistent-storage/esp32/sdkconfig.defaults
index 9fb2f9e..f9a4c4b 100644
--- a/examples/persistent-storage/esp32/sdkconfig.defaults
+++ b/examples/persistent-storage/esp32/sdkconfig.defaults
@@ -29,3 +29,6 @@
# Vendor and product id
CONFIG_DEVICE_VENDOR_ID=0xFFF1
CONFIG_DEVICE_PRODUCT_ID=0x8009
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/pigweed-app/esp32/sdkconfig.defaults b/examples/pigweed-app/esp32/sdkconfig.defaults
index 6ad8460..3421646 100644
--- a/examples/pigweed-app/esp32/sdkconfig.defaults
+++ b/examples/pigweed-app/esp32/sdkconfig.defaults
@@ -40,3 +40,6 @@
# Vendor and product id
CONFIG_DEVICE_VENDOR_ID=0xFFF1
CONFIG_DEVICE_PRODUCT_ID=0x800B
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/shell/esp32/main/CMakeLists.txt b/examples/shell/esp32/main/CMakeLists.txt
index a55f95c..8fac151 100644
--- a/examples/shell/esp32/main/CMakeLists.txt
+++ b/examples/shell/esp32/main/CMakeLists.txt
@@ -23,4 +23,4 @@
"${CHIP_SHELL_DIR}/shell_common/globals.cpp"
PRIV_INCLUDE_DIRS
"${CHIP_SHELL_DIR}/shell_common/include"
- PRIV_REQUIRES chip nvs_flash bt console esp32_mbedtls)
+ PRIV_REQUIRES chip nvs_flash bt console)
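Review bot: The new `PRIV_REQUIRES chip nvs_flash bt console` drops the mbedtls requirement entirely, while the examples/chef/esp32/main/CMakeLists.txt hunk of the same commit replaces `esp32_mbedtls` with `mbedtls`. If any source in this component includes mbedtls headers directly (not visible here), it now relies on the include path leaking through `chip`, which can break when that component's requirements change. The two files should follow one rule: either keep it explicit here with `PRIV_REQUIRES chip nvs_flash bt console mbedtls`, or drop `mbedtls` from the chef list too if neither component uses it directly. The `idf_component_register` call starts outside this hunk.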
diff --git a/examples/temperature-measurement-app/esp32/sdkconfig.defaults b/examples/temperature-measurement-app/esp32/sdkconfig.defaults
index 4aea5a3..33c86a9 100644
--- a/examples/temperature-measurement-app/esp32/sdkconfig.defaults
+++ b/examples/temperature-measurement-app/esp32/sdkconfig.defaults
@@ -90,3 +90,6 @@
# Disable softap support by default
CONFIG_ESP_WIFI_SOFTAP_SUPPORT=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/temperature-measurement-app/esp32/sdkconfig.optimize.defaults b/examples/temperature-measurement-app/esp32/sdkconfig.optimize.defaults
index 86335c2..ec8e29e 100644
--- a/examples/temperature-measurement-app/esp32/sdkconfig.optimize.defaults
+++ b/examples/temperature-measurement-app/esp32/sdkconfig.optimize.defaults
@@ -76,3 +76,6 @@
CONFIG_NIMBLE_MAX_CONNECTIONS=1
CONFIG_TCPIP_RECVMBOX_SIZE=16
CONFIG_TCP_SYNMAXRTX=6
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/examples/temperature-measurement-app/esp32/sdkconfig_rpc.defaults b/examples/temperature-measurement-app/esp32/sdkconfig_rpc.defaults
index f1e074d..936e8ee 100644
--- a/examples/temperature-measurement-app/esp32/sdkconfig_rpc.defaults
+++ b/examples/temperature-measurement-app/esp32/sdkconfig_rpc.defaults
@@ -90,4 +90,7 @@
CONFIG_EXAMPLE_UART_BAUD_RATE=115200
CONFIG_EXAMPLE_UART_RXD=3
CONFIG_EXAMPLE_UART_TXD=1
-CONFIG_ENABLE_PW_RPC=y
\ No newline at end of file
+CONFIG_ENABLE_PW_RPC=y
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/src/test_driver/esp32/sdkconfig.defaults b/src/test_driver/esp32/sdkconfig.defaults
index 78f0bdd..77ae47c 100644
--- a/src/test_driver/esp32/sdkconfig.defaults
+++ b/src/test_driver/esp32/sdkconfig.defaults
@@ -31,3 +31,6 @@
#enable BT
CONFIG_BT_ENABLED=y
+
+#enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y
diff --git a/src/test_driver/esp32/sdkconfig_qemu.defaults b/src/test_driver/esp32/sdkconfig_qemu.defaults
index 31a9916..6278876 100644
--- a/src/test_driver/esp32/sdkconfig_qemu.defaults
+++ b/src/test_driver/esp32/sdkconfig_qemu.defaults
@@ -49,3 +49,6 @@
# Crypto tests generally take long enough for the watchdog to trigger
# otherwise.
CONFIG_ESP_TASK_WDT=n
+
+# Enable HKDF in mbedtls
+CONFIG_MBEDTLS_HKDF_C=y