mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-27 07:54:18 +01:00
ba8b1eb5d9
A positive option looks better, but comes with the following compatibility issue: people using a custom config.h that is not based on the default config.h and need TLS support would need to manually change their config in order to still get TLS. Work around that by making the public option negative. Internally the positive option is used, though. In the future (when preparing the next major version), we might want to switch back to a positive option as this would be more consistent with other options we have.
118 lines
3.5 KiB
C
118 lines
3.5 KiB
C
/**
|
|
* \file config-suite-b.h
|
|
*
|
|
* \brief Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
|
|
*/
|
|
/*
|
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
* not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*
|
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
|
*/
|
|
/*
|
|
* Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
|
|
*
|
|
* Distinguishing features:
|
|
* - no RSA or classic DH, fully based on ECC
|
|
* - optimized for low RAM usage
|
|
*
|
|
* Possible improvements:
|
|
* - if 128-bit security is enough, disable secp384r1 and SHA-512
|
|
* - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C
|
|
*
|
|
* See README.txt for usage instructions.
|
|
*/
|
|
|
|
#ifndef MBEDTLS_CONFIG_H
|
|
#define MBEDTLS_CONFIG_H
|
|
|
|
/* System support */
|
|
#define MBEDTLS_HAVE_ASM
|
|
#define MBEDTLS_HAVE_TIME
|
|
|
|
/* mbed TLS feature support */
|
|
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
|
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
|
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
|
#define MBEDTLS_SSL_PROTO_TLS1_2
|
|
|
|
/* mbed TLS modules */
|
|
#define MBEDTLS_AES_C
|
|
#define MBEDTLS_ASN1_PARSE_C
|
|
#define MBEDTLS_ASN1_WRITE_C
|
|
#define MBEDTLS_BIGNUM_C
|
|
#define MBEDTLS_CIPHER_C
|
|
#define MBEDTLS_CTR_DRBG_C
|
|
#define MBEDTLS_ECDH_C
|
|
#define MBEDTLS_ECDSA_C
|
|
#define MBEDTLS_ECP_C
|
|
#define MBEDTLS_ENTROPY_C
|
|
#define MBEDTLS_GCM_C
|
|
#define MBEDTLS_MD_C
|
|
#define MBEDTLS_NET_C
|
|
#define MBEDTLS_OID_C
|
|
#define MBEDTLS_PK_C
|
|
#define MBEDTLS_PK_PARSE_C
|
|
#define MBEDTLS_SHA256_C
|
|
#define MBEDTLS_SHA512_C
|
|
#define MBEDTLS_SSL_CLI_C
|
|
#define MBEDTLS_SSL_SRV_C
|
|
#define MBEDTLS_SSL_TLS_C
|
|
#define MBEDTLS_X509_CRT_PARSE_C
|
|
#define MBEDTLS_X509_USE_C
|
|
|
|
/* For test certificates */
|
|
#define MBEDTLS_BASE64_C
|
|
#define MBEDTLS_CERTS_C
|
|
#define MBEDTLS_PEM_PARSE_C
|
|
|
|
/* Save RAM at the expense of ROM */
|
|
#define MBEDTLS_AES_ROM_TABLES
|
|
|
|
/* Save RAM by adjusting to our exact needs */
|
|
#define MBEDTLS_ECP_MAX_BITS 384
|
|
#define MBEDTLS_MPI_MAX_SIZE 48 // 384 bits is 48 bytes
|
|
|
|
/* Save RAM at the expense of speed, see ecp.h */
|
|
#define MBEDTLS_ECP_WINDOW_SIZE 2
|
|
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0
|
|
|
|
/* Significant speed benefit at the expense of some ROM */
|
|
#define MBEDTLS_ECP_NIST_OPTIM
|
|
|
|
/*
|
|
* You should adjust this to the exact number of sources you're using: default
|
|
* is the "mbedtls_platform_entropy_poll" source, but you may want to add other ones.
|
|
* Minimum is 2 for the entropy test suite.
|
|
*/
|
|
#define MBEDTLS_ENTROPY_MAX_SOURCES 2
|
|
|
|
/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
|
|
#define MBEDTLS_SSL_CIPHERSUITES \
|
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, \
|
|
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
|
|
|
/*
|
|
* Save RAM at the expense of interoperability: do this only if you control
|
|
* both ends of the connection! (See coments in "mbedtls/ssl.h".)
|
|
* The minimum size here depends on the certificate chain used as well as the
|
|
* typical size of records.
|
|
*/
|
|
#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
|
|
|
|
#include "mbedtls/check_config.h"
|
|
|
|
#endif /* MBEDTLS_CONFIG_H */
|