1 /** 2 * \file config-suite-b.h 3 * 4 * \brief Minimal configuration for TLS NSA Suite B Profile (RFC 6460) 5 */ 6 /* 7 * Copyright The Mbed TLS Contributors 8 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 9 * 10 * This file is provided under the Apache License 2.0, or the 11 * GNU General Public License v2.0 or later. 12 * 13 * ********** 14 * Apache License 2.0: 15 * 16 * Licensed under the Apache License, Version 2.0 (the "License"); you may 17 * not use this file except in compliance with the License. 18 * You may obtain a copy of the License at 19 * 20 * http://www.apache.org/licenses/LICENSE-2.0 21 * 22 * Unless required by applicable law or agreed to in writing, software 23 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 24 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 25 * See the License for the specific language governing permissions and 26 * limitations under the License. 27 * 28 * ********** 29 * 30 * ********** 31 * GNU General Public License v2.0 or later: 32 * 33 * This program is free software; you can redistribute it and/or modify 34 * it under the terms of the GNU General Public License as published by 35 * the Free Software Foundation; either version 2 of the License, or 36 * (at your option) any later version. 37 * 38 * This program is distributed in the hope that it will be useful, 39 * but WITHOUT ANY WARRANTY; without even the implied warranty of 40 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 41 * GNU General Public License for more details. 42 * 43 * You should have received a copy of the GNU General Public License along 44 * with this program; if not, write to the Free Software Foundation, Inc., 45 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 46 * 47 * ********** 48 */ 49 /* 50 * Minimal configuration for TLS NSA Suite B Profile (RFC 6460) 51 * 52 * Distinguishing features: 53 * - no RSA or classic DH, fully based on ECC 54 * - optimized for low RAM usage 55 * 56 * Possible improvements: 57 * - if 128-bit security is enough, disable secp384r1 and SHA-512 58 * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C 59 * 60 * See README.txt for usage instructions. 61 */ 62 63 #ifndef MBEDTLS_CONFIG_H 64 #define MBEDTLS_CONFIG_H 65 66 /* System support */ 67 #define MBEDTLS_HAVE_ASM 68 #define MBEDTLS_HAVE_TIME 69 70 /* mbed TLS feature support */ 71 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED 72 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED 73 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 74 #define MBEDTLS_SSL_PROTO_TLS1_2 75 76 /* mbed TLS modules */ 77 #define MBEDTLS_AES_C 78 #define MBEDTLS_ASN1_PARSE_C 79 #define MBEDTLS_ASN1_WRITE_C 80 #define MBEDTLS_BIGNUM_C 81 #define MBEDTLS_CIPHER_C 82 #define MBEDTLS_CTR_DRBG_C 83 #define MBEDTLS_ECDH_C 84 #define MBEDTLS_ECDSA_C 85 #define MBEDTLS_ECP_C 86 #define MBEDTLS_ENTROPY_C 87 #define MBEDTLS_GCM_C 88 #define MBEDTLS_MD_C 89 #define MBEDTLS_NET_C 90 #define MBEDTLS_OID_C 91 #define MBEDTLS_PK_C 92 #define MBEDTLS_PK_PARSE_C 93 #define MBEDTLS_SHA256_C 94 #define MBEDTLS_SHA512_C 95 #define MBEDTLS_SSL_CLI_C 96 #define MBEDTLS_SSL_SRV_C 97 #define MBEDTLS_SSL_TLS_C 98 #define MBEDTLS_X509_CRT_PARSE_C 99 #define MBEDTLS_X509_USE_C 100 101 /* For test certificates */ 102 #define MBEDTLS_BASE64_C 103 #define MBEDTLS_CERTS_C 104 #define MBEDTLS_PEM_PARSE_C 105 106 /* Save RAM at the expense of ROM */ 107 #define MBEDTLS_AES_ROM_TABLES 108 109 /* Save RAM by adjusting to our exact needs */ 110 #define MBEDTLS_ECP_MAX_BITS 384 111 #define MBEDTLS_MPI_MAX_SIZE 48 // 384 bits is 48 bytes 112 113 /* Save RAM at the expense of speed, see ecp.h */ 114 #define MBEDTLS_ECP_WINDOW_SIZE 2 115 #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 116 117 /* Significant speed benefit at the expense of some ROM */ 118 #define MBEDTLS_ECP_NIST_OPTIM 119 120 /* 121 * You should adjust this to the exact number of sources you're using: default 122 * is the "mbedtls_platform_entropy_poll" source, but you may want to add other ones. 123 * Minimum is 2 for the entropy test suite. 124 */ 125 #define MBEDTLS_ENTROPY_MAX_SOURCES 2 126 127 /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */ 128 #define MBEDTLS_SSL_CIPHERSUITES \ 129 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \ 130 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 131 132 /* 133 * Save RAM at the expense of interoperability: do this only if you control 134 * both ends of the connection! (See coments in "mbedtls/ssl.h".) 135 * The minimum size here depends on the certificate chain used as well as the 136 * typical size of records. 137 */ 138 #define MBEDTLS_SSL_MAX_CONTENT_LEN 1024 139 140 #include "mbedtls/check_config.h" 141 142 #endif /* MBEDTLS_CONFIG_H */ 143