Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / e38eb0b7be41a5977515d1e10b208a0aaad020fd^! / .
commite38eb0b7be41a5977515d1e10b208a0aaad020fd[log] [tgz]
authorManuel Pégourié-Gonnard <mpg@elzevir.fr>Tue Jun 24 17:30:05 2014 +0200
committerManuel Pégourié-Gonnard <mpg@elzevir.fr>Tue Jun 24 17:30:05 2014 +0200
tree429fdf8fb213fb361f259c694c7c42ec40e41dd7
parentf87cad9397f4fd77edccab5e5ecd3b0ba77c6f55 [diff]
Optimize config-suite-b for low RAM usage

diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index 8560a7b..1c7c4b4 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h

@@ -44,6 +44,7 @@
 /*
  * Save RAM at the expense of interoperability: do this only if you control
  * both ends of the connection!  (See coments in "polarssl/ssl.h".)
+ * The optimal size here depends on the typical size of records.
  */
 #define SSL_MAX_CONTENT_LEN             512
 

diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index bfd6048..8a98b9d 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h

@@ -1,6 +1,14 @@
 /*
  * Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
  *
+ * Distinguishing features:
+ * - no RSA or classic DH, fully based on ECC
+ * - optimized for low RAM usage
+ *
+ * Possible improvements:
+ * - if 128-bit security is enough, disable secp384r1 and SHA-512
+ * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C
+ *
  * See README.txt for usage instructions.
  */
 
@@ -48,8 +56,34 @@
 #define POLARSSL_CERTS_C
 #define POLARSSL_PEM_PARSE_C
 
-/* For testing with compat.sh */
-#define POLARSSL_FS_IO
+/* Save RAM at the expense of ROM */
+#define POLARSSL_AES_ROM_TABLES
+
+/* Save RAM by adjusting to our exact needs */
+#define POLARSSL_MPI_MAX_SIZE    96
+#define POLARSSL_ECP_MAX_BITS   384
+
+/* Save RAM at the expense of speed, see ecp.h */
+#define POLARSSL_ECP_WINDOW_SIZE        2
+#define POLARSSL_ECP_FIXED_POINT_OPTIM  0
+
+/* Uncomment for a significant speed benefit at the expense of some ROM */
+//#define POLARSSL_ECP_NIST_OPTIM
+
+/*
+ * You should adjust this to the exact number of sources you're using: default
+ * is the "platform_entrpy_poll" source, but you may want to add other ones.
+ * Minimum is 2 for the entropy test suite.
+ */
+#define ENTROPY_MAX_SOURCES 2
+
+/*
+ * Save RAM at the expense of interoperability: do this only if you control
+ * both ends of the connection!  (See coments in "polarssl/ssl.h".)
+ * The minimum size here depends on the certificate chain used as well as the
+ * typical size of records.
+ */
+#define SSL_MAX_CONTENT_LEN             1024
 
 #include "check_config.h"
 

diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index fddfe65..9b09e34 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl

@@ -16,7 +16,7 @@
     'config-mini-tls1_1.h'
         => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'',
     'config-suite-b.h'
-        => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM'",
+        => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM' -p PolarSSL",
     'config-picocoin.h'
         => 0,
     'config-ccm-psk-tls1_2.h'