1 /**
2  * \file config-suite-b.h
3  *
4  * \brief Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9  */
10 /*
11  * Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
12  *
13  * Distinguishing features:
14  * - no RSA or classic DH, fully based on ECC
15  * - optimized for low RAM usage
16  *
17  * Possible improvements:
18  * - if 128-bit security is enough, disable secp384r1 and SHA-512
19  * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C
20  *
21  * See README.txt for usage instructions.
22  */
23 
24 /* System support */
25 #define MBEDTLS_HAVE_ASM
26 #define MBEDTLS_HAVE_TIME
27 
28 /* Mbed TLS feature support */
29 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
30 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
31 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
32 #define MBEDTLS_SSL_PROTO_TLS1_2
33 
34 /* Mbed TLS modules */
35 #define MBEDTLS_AES_C
36 #define MBEDTLS_ASN1_PARSE_C
37 #define MBEDTLS_ASN1_WRITE_C
38 #define MBEDTLS_BIGNUM_C
39 #define MBEDTLS_CIPHER_C
40 #define MBEDTLS_CTR_DRBG_C
41 #define MBEDTLS_ECDH_C
42 #define MBEDTLS_ECDSA_C
43 #define MBEDTLS_ECP_C
44 #define MBEDTLS_ENTROPY_C
45 #define MBEDTLS_GCM_C
46 #define MBEDTLS_MD_C
47 #define MBEDTLS_NET_C
48 #define MBEDTLS_OID_C
49 #define MBEDTLS_PK_C
50 #define MBEDTLS_PK_PARSE_C
51 #define MBEDTLS_SHA256_C
52 #define MBEDTLS_SHA384_C
53 #define MBEDTLS_SHA512_C
54 #define MBEDTLS_SSL_CLI_C
55 #define MBEDTLS_SSL_SRV_C
56 #define MBEDTLS_SSL_TLS_C
57 #define MBEDTLS_X509_CRT_PARSE_C
58 #define MBEDTLS_X509_USE_C
59 
60 /* For test certificates */
61 #define MBEDTLS_BASE64_C
62 #define MBEDTLS_PEM_PARSE_C
63 
64 /* Save RAM at the expense of ROM */
65 #define MBEDTLS_AES_ROM_TABLES
66 
67 /* Save RAM by adjusting to our exact needs */
68 #define MBEDTLS_MPI_MAX_SIZE    48 // 384-bit EC curve = 48 bytes
69 
70 /* Save RAM at the expense of speed, see ecp.h */
71 #define MBEDTLS_ECP_WINDOW_SIZE        2
72 #define MBEDTLS_ECP_FIXED_POINT_OPTIM  0
73 
74 /* Significant speed benefit at the expense of some ROM */
75 #define MBEDTLS_ECP_NIST_OPTIM
76 
77 /*
78  * You should adjust this to the exact number of sources you're using: default
79  * is the "mbedtls_platform_entropy_poll" source, but you may want to add other ones.
80  * Minimum is 2 for the entropy test suite.
81  */
82 #define MBEDTLS_ENTROPY_MAX_SOURCES 2
83 
84 /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
85 #define MBEDTLS_SSL_CIPHERSUITES                        \
86     MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,    \
87     MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
88 
89 /*
90  * Save RAM at the expense of interoperability: do this only if you control
91  * both ends of the connection!  (See comments in "mbedtls/ssl.h".)
92  * The minimum size here depends on the certificate chain used as well as the
93  * typical size of records.
94  */
95 #define MBEDTLS_SSL_IN_CONTENT_LEN             1024
96 #define MBEDTLS_SSL_OUT_CONTENT_LEN             1024
97 
98 /* These defines are present so that the config modifying scripts can enable
99  * them during tests/scripts/test-ref-configs.pl */
100 //#define MBEDTLS_USE_PSA_CRYPTO
101 //#define MBEDTLS_PSA_CRYPTO_C
102 
103 /* Error messages and TLS debugging traces
104  * (huge code size increase, needed for tests/ssl-opt.sh) */
105 //#define MBEDTLS_DEBUG_C
106 //#define MBEDTLS_ERROR_C
107