• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /**
2  * \file config-suite-b.h
3  *
4  * \brief Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0
9  *
10  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
11  *  not use this file except in compliance with the License.
12  *  You may obtain a copy of the License at
13  *
14  *  http://www.apache.org/licenses/LICENSE-2.0
15  *
16  *  Unless required by applicable law or agreed to in writing, software
17  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  *  See the License for the specific language governing permissions and
20  *  limitations under the License.
21  */
22 /*
23  * Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
24  *
25  * Distinguishing features:
26  * - no RSA or classic DH, fully based on ECC
27  * - optimized for low RAM usage
28  *
29  * Possible improvements:
30  * - if 128-bit security is enough, disable secp384r1 and SHA-512
31  * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C
32  *
33  * See README.txt for usage instructions.
34  */
35 
36 /* System support */
37 #define MBEDTLS_HAVE_ASM
38 #define MBEDTLS_HAVE_TIME
39 
40 /* mbed TLS feature support */
41 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
42 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
43 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
44 #define MBEDTLS_SSL_PROTO_TLS1_2
45 
46 /* mbed TLS modules */
47 #define MBEDTLS_AES_C
48 #define MBEDTLS_ASN1_PARSE_C
49 #define MBEDTLS_ASN1_WRITE_C
50 #define MBEDTLS_BIGNUM_C
51 #define MBEDTLS_CIPHER_C
52 #define MBEDTLS_CTR_DRBG_C
53 #define MBEDTLS_ECDH_C
54 #define MBEDTLS_ECDSA_C
55 #define MBEDTLS_ECP_C
56 #define MBEDTLS_ENTROPY_C
57 #define MBEDTLS_GCM_C
58 #define MBEDTLS_MD_C
59 #define MBEDTLS_NET_C
60 #define MBEDTLS_OID_C
61 #define MBEDTLS_PK_C
62 #define MBEDTLS_PK_PARSE_C
63 /* The library does not currently support enabling SHA-224 without SHA-256.
64  * A future version of the library will have this option disabled
65  * by default. */
66 #define MBEDTLS_SHA224_C
67 #define MBEDTLS_SHA256_C
68 #define MBEDTLS_SHA384_C
69 #define MBEDTLS_SHA512_C
70 #define MBEDTLS_SSL_CLI_C
71 #define MBEDTLS_SSL_SRV_C
72 #define MBEDTLS_SSL_TLS_C
73 #define MBEDTLS_X509_CRT_PARSE_C
74 #define MBEDTLS_X509_USE_C
75 
76 /* For test certificates */
77 #define MBEDTLS_BASE64_C
78 #define MBEDTLS_PEM_PARSE_C
79 
80 /* Save RAM at the expense of ROM */
81 #define MBEDTLS_AES_ROM_TABLES
82 
83 /* Save RAM by adjusting to our exact needs */
84 #define MBEDTLS_MPI_MAX_SIZE    48 // 384-bit EC curve = 48 bytes
85 
86 /* Save RAM at the expense of speed, see ecp.h */
87 #define MBEDTLS_ECP_WINDOW_SIZE        2
88 #define MBEDTLS_ECP_FIXED_POINT_OPTIM  0
89 
90 /* Significant speed benefit at the expense of some ROM */
91 #define MBEDTLS_ECP_NIST_OPTIM
92 
93 /*
94  * You should adjust this to the exact number of sources you're using: default
95  * is the "mbedtls_platform_entropy_poll" source, but you may want to add other ones.
96  * Minimum is 2 for the entropy test suite.
97  */
98 #define MBEDTLS_ENTROPY_MAX_SOURCES 2
99 
100 /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
101 #define MBEDTLS_SSL_CIPHERSUITES                        \
102     MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,    \
103     MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
104 
105 /*
106  * Save RAM at the expense of interoperability: do this only if you control
107  * both ends of the connection!  (See coments in "mbedtls/ssl.h".)
108  * The minimum size here depends on the certificate chain used as well as the
109  * typical size of records.
110  */
111 #define MBEDTLS_SSL_IN_CONTENT_LEN             1024
112 #define MBEDTLS_SSL_OUT_CONTENT_LEN             1024
113