Optimize config-suite-b for low RAM usage
diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index 8560a7b..1c7c4b4 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -44,6 +44,7 @@
/*
* Save RAM at the expense of interoperability: do this only if you control
* both ends of the connection! (See coments in "polarssl/ssl.h".)
+ * The optimal size here depends on the typical size of records.
*/
#define SSL_MAX_CONTENT_LEN 512
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index bfd6048..8a98b9d 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@@ -1,6 +1,14 @@
/*
* Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
*
+ * Distinguishing features:
+ * - no RSA or classic DH, fully based on ECC
+ * - optimized for low RAM usage
+ *
+ * Possible improvements:
+ * - if 128-bit security is enough, disable secp384r1 and SHA-512
+ * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C
+ *
* See README.txt for usage instructions.
*/
@@ -48,8 +56,34 @@
#define POLARSSL_CERTS_C
#define POLARSSL_PEM_PARSE_C
-/* For testing with compat.sh */
-#define POLARSSL_FS_IO
+/* Save RAM at the expense of ROM */
+#define POLARSSL_AES_ROM_TABLES
+
+/* Save RAM by adjusting to our exact needs */
+#define POLARSSL_MPI_MAX_SIZE 96
+#define POLARSSL_ECP_MAX_BITS 384
+
+/* Save RAM at the expense of speed, see ecp.h */
+#define POLARSSL_ECP_WINDOW_SIZE 2
+#define POLARSSL_ECP_FIXED_POINT_OPTIM 0
+
+/* Uncomment for a significant speed benefit at the expense of some ROM */
+//#define POLARSSL_ECP_NIST_OPTIM
+
+/*
+ * You should adjust this to the exact number of sources you're using: default
+ * is the "platform_entrpy_poll" source, but you may want to add other ones.
+ * Minimum is 2 for the entropy test suite.
+ */
+#define ENTROPY_MAX_SOURCES 2
+
+/*
+ * Save RAM at the expense of interoperability: do this only if you control
+ * both ends of the connection! (See coments in "polarssl/ssl.h".)
+ * The minimum size here depends on the certificate chain used as well as the
+ * typical size of records.
+ */
+#define SSL_MAX_CONTENT_LEN 1024
#include "check_config.h"
diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index fddfe65..9b09e34 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -16,7 +16,7 @@
'config-mini-tls1_1.h'
=> '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'',
'config-suite-b.h'
- => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM'",
+ => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM' -p PolarSSL",
'config-picocoin.h'
=> 0,
'config-ccm-psk-tls1_2.h'