| 1 | /*
|
|---|
| 2 | * Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
|
|---|
| 3 | *
|
|---|
| 4 | * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
|---|
| 5 | * SPDX-License-Identifier: Apache-2.0
|
|---|
| 6 | *
|
|---|
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|---|
| 8 | * not use this file except in compliance with the License.
|
|---|
| 9 | * You may obtain a copy of the License at
|
|---|
| 10 | *
|
|---|
| 11 | * http://www.apache.org/licenses/LICENSE-2.0
|
|---|
| 12 | *
|
|---|
| 13 | * Unless required by applicable law or agreed to in writing, software
|
|---|
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|---|
| 15 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|---|
| 16 | * See the License for the specific language governing permissions and
|
|---|
| 17 | * limitations under the License.
|
|---|
| 18 | *
|
|---|
| 19 | * This file is part of mbed TLS (https://tls.mbed.org)
|
|---|
| 20 | */
|
|---|
| 21 | /*
|
|---|
| 22 | * Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
|
|---|
| 23 | *
|
|---|
| 24 | * Distinguishing features:
|
|---|
| 25 | * - no RSA or classic DH, fully based on ECC
|
|---|
| 26 | * - optimized for low RAM usage
|
|---|
| 27 | *
|
|---|
| 28 | * Possible improvements:
|
|---|
| 29 | * - if 128-bit security is enough, disable secp384r1 and SHA-512
|
|---|
| 30 | * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C
|
|---|
| 31 | *
|
|---|
| 32 | * See README.txt for usage instructions.
|
|---|
| 33 | */
|
|---|
| 34 |
|
|---|
| 35 | #ifndef MBEDTLS_CONFIG_H
|
|---|
| 36 | #define MBEDTLS_CONFIG_H
|
|---|
| 37 |
|
|---|
| 38 | /* System support */
|
|---|
| 39 | #define MBEDTLS_HAVE_ASM
|
|---|
| 40 | #define MBEDTLS_HAVE_TIME
|
|---|
| 41 |
|
|---|
| 42 | /* mbed TLS feature support */
|
|---|
| 43 | #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
|---|
| 44 | #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
|---|
| 45 | #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
|---|
| 46 | #define MBEDTLS_SSL_PROTO_TLS1_2
|
|---|
| 47 |
|
|---|
| 48 | /* mbed TLS modules */
|
|---|
| 49 | #define MBEDTLS_AES_C
|
|---|
| 50 | #define MBEDTLS_ASN1_PARSE_C
|
|---|
| 51 | #define MBEDTLS_ASN1_WRITE_C
|
|---|
| 52 | #define MBEDTLS_BIGNUM_C
|
|---|
| 53 | #define MBEDTLS_CIPHER_C
|
|---|
| 54 | #define MBEDTLS_CTR_DRBG_C
|
|---|
| 55 | #define MBEDTLS_ECDH_C
|
|---|
| 56 | #define MBEDTLS_ECDSA_C
|
|---|
| 57 | #define MBEDTLS_ECP_C
|
|---|
| 58 | #define MBEDTLS_ENTROPY_C
|
|---|
| 59 | #define MBEDTLS_GCM_C
|
|---|
| 60 | #define MBEDTLS_MD_C
|
|---|
| 61 | #define MBEDTLS_NET_C
|
|---|
| 62 | #define MBEDTLS_OID_C
|
|---|
| 63 | #define MBEDTLS_PK_C
|
|---|
| 64 | #define MBEDTLS_PK_PARSE_C
|
|---|
| 65 | #define MBEDTLS_SHA256_C
|
|---|
| 66 | #define MBEDTLS_SHA512_C
|
|---|
| 67 | #define MBEDTLS_SSL_CLI_C
|
|---|
| 68 | #define MBEDTLS_SSL_SRV_C
|
|---|
| 69 | #define MBEDTLS_SSL_TLS_C
|
|---|
| 70 | #define MBEDTLS_X509_CRT_PARSE_C
|
|---|
| 71 | #define MBEDTLS_X509_USE_C
|
|---|
| 72 |
|
|---|
| 73 | /* For test certificates */
|
|---|
| 74 | #define MBEDTLS_BASE64_C
|
|---|
| 75 | #define MBEDTLS_CERTS_C
|
|---|
| 76 | #define MBEDTLS_PEM_PARSE_C
|
|---|
| 77 |
|
|---|
| 78 | /* Save RAM at the expense of ROM */
|
|---|
| 79 | #define MBEDTLS_AES_ROM_TABLES
|
|---|
| 80 |
|
|---|
| 81 | /* Save RAM by adjusting to our exact needs */
|
|---|
| 82 | #define MBEDTLS_ECP_MAX_BITS 384
|
|---|
| 83 | #define MBEDTLS_MPI_MAX_SIZE 48 // 384 bits is 48 bytes
|
|---|
| 84 |
|
|---|
| 85 | /* Save RAM at the expense of speed, see ecp.h */
|
|---|
| 86 | #define MBEDTLS_ECP_WINDOW_SIZE 2
|
|---|
| 87 | #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0
|
|---|
| 88 |
|
|---|
| 89 | /* Significant speed benefit at the expense of some ROM */
|
|---|
| 90 | #define MBEDTLS_ECP_NIST_OPTIM
|
|---|
| 91 |
|
|---|
| 92 | /*
|
|---|
| 93 | * You should adjust this to the exact number of sources you're using: default
|
|---|
| 94 | * is the "mbedtls_platform_entropy_poll" source, but you may want to add other ones.
|
|---|
| 95 | * Minimum is 2 for the entropy test suite.
|
|---|
| 96 | */
|
|---|
| 97 | #define MBEDTLS_ENTROPY_MAX_SOURCES 2
|
|---|
| 98 |
|
|---|
| 99 | /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
|
|---|
| 100 | #define MBEDTLS_SSL_CIPHERSUITES \
|
|---|
| 101 | MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \
|
|---|
| 102 | MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
|---|
| 103 |
|
|---|
| 104 | /*
|
|---|
| 105 | * Save RAM at the expense of interoperability: do this only if you control
|
|---|
| 106 | * both ends of the connection! (See coments in "mbedtls/ssl.h".)
|
|---|
| 107 | * The minimum size here depends on the certificate chain used as well as the
|
|---|
| 108 | * typical size of records.
|
|---|
| 109 | */
|
|---|
| 110 | #define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
|
|---|
| 111 |
|
|---|
| 112 | #include "mbedtls/check_config.h"
|
|---|
| 113 |
|
|---|
| 114 | #endif /* MBEDTLS_CONFIG_H */
|
|---|
