mbedtls/configs/config-suite-b.h

/**
 * \file config-suite-b.h
 *
 * \brief Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
 */
/*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */
/*
 * Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
 *
 * Distinguishing features:
 * - no RSA or classic DH, fully based on ECC
 * - optimized for low RAM usage
 *
 * Possible improvements:
 * - if 128-bit security is enough, disable secp384r1 and SHA-512
 * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C
 *
 * See README.txt for usage instructions.
 */

/* Mbed TLS feature support */
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_SSL_PROTO_TLS1_2

/* Mbed TLS modules */
#define MBEDTLS_NET_C
#define MBEDTLS_SSL_CLI_C
#define MBEDTLS_SSL_SRV_C
#define MBEDTLS_SSL_TLS_C
#define MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_X509_USE_C

/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
#define MBEDTLS_SSL_CIPHERSUITES                        \
    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,    \
    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

/*
 * Save RAM at the expense of interoperability: do this only if you control
 * both ends of the connection!  (See comments in "mbedtls/ssl.h".)
 * The minimum size here depends on the certificate chain used as well as the
 * typical size of records.
 */
#define MBEDTLS_SSL_IN_CONTENT_LEN             1024
#define MBEDTLS_SSL_OUT_CONTENT_LEN             1024

/* Error messages and TLS debugging traces
 * (huge code size increase, needed for tests/ssl-opt.sh) */
//#define MBEDTLS_DEBUG_C
//#define MBEDTLS_ERROR_C
Update Doxygen file blocks to remove copyright and license information 2018-01-05 15:33:17 +00:00			`/**`
			`* \file config-suite-b.h`
Make sure all .h files have license information Even if they don't need it: this simplifies future audits. 2015-08-06 08:59:26 +00:00			`*`
Update Doxygen file blocks to remove copyright and license information 2018-01-05 15:33:17 +00:00			`* \brief Minimal configuration for TLS NSA Suite B Profile (RFC 6460)`
			`*/`
			`/*`
Update copyright notices to use Linux Foundation guidance As a result, the copyright of contributors other than Arm is now acknowledged, and the years of publishing are no longer tracked in the source files. Also remove the now-redundant lines declaring that the files are part of MbedTLS. This commit was generated using the following script: # ======================== #!/bin/sh # Find files find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print \| xargs sed -bi ' # Replace copyright attribution line s/Copyright.Arm./Copyright The Mbed TLS Contributors/I # Remove redundant declaration and the preceding line $!N /This file is part of Mbed TLS/Id P D ' # ======================== Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com> 2020-08-07 11:07:28 +00:00			`* Copyright The Mbed TLS Contributors`
update headers Signed-off-by: Dave Rodgman <dave.rodgman@arm.com> 2023-11-02 19:47:20 +00:00			`* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later`
Make sure all .h files have license information Even if they don't need it: this simplifies future audits. 2015-08-06 08:59:26 +00:00			`*/`
Add custom configurations with activation script 2013-09-20 13:11:44 +00:00			`/*`
			`* Minimal configuration for TLS NSA Suite B Profile (RFC 6460)`
			`*`
Optimize config-suite-b for low RAM usage 2014-06-24 15:30:05 +00:00			`* Distinguishing features:`
			`* - no RSA or classic DH, fully based on ECC`
			`* - optimized for low RAM usage`
			`*`
			`* Possible improvements:`
			`* - if 128-bit security is enough, disable secp384r1 and SHA-512`
			`* - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C`
			`*`
Adapt script and instructions for alt config.h 2014-04-30 09:53:50 +00:00			`* See README.txt for usage instructions.`
Add custom configurations with activation script 2013-09-20 13:11:44 +00:00			`*/`

Update spelling "mbed TLS" to "Mbed TLS" The official spelling of the trade mark changed from all-lowercase "mbed" to normal proper noun capitalization "Mbed" a few years ago. We've been using the new spelling in new text but still have the old spelling in a lot of text. This commit updates most occurrences of "mbed TLS": ``` sed -i -e 's/mbed TLS/Mbed TLS/g' $(git ls-files ':!ChangeLog' ':!tests/data_files/*' ':!tests/suites/.data' ':!programs/x509/' ':!configs/tfm') ``` Justification for the omissions: * `ChangeLog`: historical text. * `test/data_files/*`, `tests/suites/.data`, `programs/x509/`: many occurrences are significant names in certificates and such. Changing the spelling would invalidate many signatures and tests. `configs/tfm*`: this is an imported file. We'll follow the upstream updates. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2023-08-03 15:45:20 +00:00			`/* Mbed TLS feature support */`
The Great Renaming A simple execution of tmp/invoke-rename.pl 2015-04-08 10:49:31 +00:00			`#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED`
			`#define MBEDTLS_SSL_PROTO_TLS1_2`
Add custom configurations with activation script 2013-09-20 13:11:44 +00:00
Update spelling "mbed TLS" to "Mbed TLS" The official spelling of the trade mark changed from all-lowercase "mbed" to normal proper noun capitalization "Mbed" a few years ago. We've been using the new spelling in new text but still have the old spelling in a lot of text. This commit updates most occurrences of "mbed TLS": ``` sed -i -e 's/mbed TLS/Mbed TLS/g' $(git ls-files ':!ChangeLog' ':!tests/data_files/*' ':!tests/suites/.data' ':!programs/x509/' ':!configs/tfm') ``` Justification for the omissions: * `ChangeLog`: historical text. * `test/data_files/*`, `tests/suites/.data`, `programs/x509/`: many occurrences are significant names in certificates and such. Changing the spelling would invalidate many signatures and tests. `configs/tfm*`: this is an imported file. We'll follow the upstream updates. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2023-08-03 15:45:20 +00:00			`/* Mbed TLS modules */`
The Great Renaming A simple execution of tmp/invoke-rename.pl 2015-04-08 10:49:31 +00:00			`#define MBEDTLS_NET_C`
			`#define MBEDTLS_SSL_CLI_C`
			`#define MBEDTLS_SSL_SRV_C`
			`#define MBEDTLS_SSL_TLS_C`
			`#define MBEDTLS_X509_CRT_PARSE_C`
			`#define MBEDTLS_X509_USE_C`
Add custom configurations with activation script 2013-09-20 13:11:44 +00:00
Use SSL_CIPHERSUITES in example configs 2014-06-30 17:22:44 +00:00			`/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */`
The Great Renaming A simple execution of tmp/invoke-rename.pl 2015-04-08 10:49:31 +00:00			`#define MBEDTLS_SSL_CIPHERSUITES \`
			`MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \`
			`MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
Use SSL_CIPHERSUITES in example configs 2014-06-30 17:22:44 +00:00
Optimize config-suite-b for low RAM usage 2014-06-24 15:30:05 +00:00			`/*`
			`* Save RAM at the expense of interoperability: do this only if you control`
Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell. Signed-off-by: Shaun Case <warmsocks@gmail.com> Signed-off-by: Dave Rodgman <dave.rodgman@arm.com> 2021-12-21 05:14:10 +00:00			`* both ends of the connection! (See comments in "mbedtls/ssl.h".)`
Optimize config-suite-b for low RAM usage 2014-06-24 15:30:05 +00:00			`* The minimum size here depends on the certificate chain used as well as the`
			`* typical size of records.`
			`*/`
Remove MBEDTLS_SSL_MAX_CONTENT_LEN option Signed-off-by: David Horstmann <david.horstmann@arm.com> 2021-05-04 17:36:56 +00:00			`#define MBEDTLS_SSL_IN_CONTENT_LEN 1024`
			`#define MBEDTLS_SSL_OUT_CONTENT_LEN 1024`
Restructure test-ref-configs to test with USE_PSA_CRYPTO turned on Run some of the test configs twice, enabling MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_PSA_CRYPTO_C in one of the runs. Add relevant comments in these configs. Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com> 2022-01-17 14:32:02 +00:00
ssl-opt needs debug messages Many test cases in ssl-opt.sh need error messages (MBEDTLS_ERROR_C) or SSL traces (MBEDTLS_DEBUG_C). Some sample configurations don't include these options. When running ssl-opt.sh on those configurations, enable the required options. They must be listed in the config*.h file, commented out. Run ssl-opt in the following configurations with debug options: ccm-psk-tls1_2, ccm-psk-dtls1_2, suite-b. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2022-02-25 20:00:16 +00:00			`/* Error messages and TLS debugging traces`
			`* (huge code size increase, needed for tests/ssl-opt.sh) */`
			`//#define MBEDTLS_DEBUG_C`
			`//#define MBEDTLS_ERROR_C`