1*62c56f98SSadaf Ebrahimi /** 2*62c56f98SSadaf Ebrahimi * \file config-ccm-psk-dtls1_2.h 3*62c56f98SSadaf Ebrahimi * 4*62c56f98SSadaf Ebrahimi * \brief Small configuration for DTLS 1.2 with PSK and AES-CCM ciphersuites 5*62c56f98SSadaf Ebrahimi */ 6*62c56f98SSadaf Ebrahimi /* 7*62c56f98SSadaf Ebrahimi * Copyright The Mbed TLS Contributors 8*62c56f98SSadaf Ebrahimi * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 9*62c56f98SSadaf Ebrahimi */ 10*62c56f98SSadaf Ebrahimi /* 11*62c56f98SSadaf Ebrahimi * Minimal configuration for DTLS 1.2 with PSK and AES-CCM ciphersuites 12*62c56f98SSadaf Ebrahimi * 13*62c56f98SSadaf Ebrahimi * Distinguishing features: 14*62c56f98SSadaf Ebrahimi * - Optimized for small code size, low bandwidth (on an unreliable transport), 15*62c56f98SSadaf Ebrahimi * and low RAM usage. 16*62c56f98SSadaf Ebrahimi * - No asymmetric cryptography (no certificates, no Diffie-Hellman key 17*62c56f98SSadaf Ebrahimi * exchange). 18*62c56f98SSadaf Ebrahimi * - Fully modern and secure (provided the pre-shared keys are generated and 19*62c56f98SSadaf Ebrahimi * stored securely). 20*62c56f98SSadaf Ebrahimi * - Very low record overhead with CCM-8. 21*62c56f98SSadaf Ebrahimi * - Includes several optional DTLS features typically used in IoT. 22*62c56f98SSadaf Ebrahimi * 23*62c56f98SSadaf Ebrahimi * See README.txt for usage instructions. 24*62c56f98SSadaf Ebrahimi */ 25*62c56f98SSadaf Ebrahimi 26*62c56f98SSadaf Ebrahimi /* System support */ 27*62c56f98SSadaf Ebrahimi //#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */ 28*62c56f98SSadaf Ebrahimi /* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */ 29*62c56f98SSadaf Ebrahimi 30*62c56f98SSadaf Ebrahimi /* Mbed TLS modules */ 31*62c56f98SSadaf Ebrahimi #define MBEDTLS_AES_C 32*62c56f98SSadaf Ebrahimi #define MBEDTLS_CCM_C 33*62c56f98SSadaf Ebrahimi #define MBEDTLS_CIPHER_C 34*62c56f98SSadaf Ebrahimi #define MBEDTLS_CTR_DRBG_C 35*62c56f98SSadaf Ebrahimi #define MBEDTLS_ENTROPY_C 36*62c56f98SSadaf Ebrahimi #define MBEDTLS_MD_C 37*62c56f98SSadaf Ebrahimi #define MBEDTLS_NET_C 38*62c56f98SSadaf Ebrahimi #define MBEDTLS_SHA256_C 39*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_CLI_C 40*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_COOKIE_C 41*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_SRV_C 42*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_TLS_C 43*62c56f98SSadaf Ebrahimi #define MBEDTLS_TIMING_C 44*62c56f98SSadaf Ebrahimi 45*62c56f98SSadaf Ebrahimi /* TLS protocol feature support */ 46*62c56f98SSadaf Ebrahimi #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED 47*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_PROTO_TLS1_2 48*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_PROTO_DTLS 49*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_DTLS_ANTI_REPLAY 50*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE 51*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_DTLS_CONNECTION_ID 52*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_DTLS_HELLO_VERIFY 53*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH 54*62c56f98SSadaf Ebrahimi 55*62c56f98SSadaf Ebrahimi /* 56*62c56f98SSadaf Ebrahimi * Use only CCM_8 ciphersuites, and 57*62c56f98SSadaf Ebrahimi * save ROM and a few bytes of RAM by specifying our own ciphersuite list 58*62c56f98SSadaf Ebrahimi */ 59*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_CIPHERSUITES \ 60*62c56f98SSadaf Ebrahimi MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8, \ 61*62c56f98SSadaf Ebrahimi MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8 62*62c56f98SSadaf Ebrahimi 63*62c56f98SSadaf Ebrahimi /* 64*62c56f98SSadaf Ebrahimi * Save RAM at the expense of interoperability: do this only if you control 65*62c56f98SSadaf Ebrahimi * both ends of the connection! (See comments in "mbedtls/ssl.h".) 66*62c56f98SSadaf Ebrahimi * The optimal size here depends on the typical size of records. 67*62c56f98SSadaf Ebrahimi */ 68*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_IN_CONTENT_LEN 256 69*62c56f98SSadaf Ebrahimi #define MBEDTLS_SSL_OUT_CONTENT_LEN 256 70*62c56f98SSadaf Ebrahimi 71*62c56f98SSadaf Ebrahimi /* Save RAM at the expense of ROM */ 72*62c56f98SSadaf Ebrahimi #define MBEDTLS_AES_ROM_TABLES 73*62c56f98SSadaf Ebrahimi 74*62c56f98SSadaf Ebrahimi /* Save some RAM by adjusting to your exact needs */ 75*62c56f98SSadaf Ebrahimi #define MBEDTLS_PSK_MAX_LEN 16 /* 128-bits keys are generally enough */ 76*62c56f98SSadaf Ebrahimi 77*62c56f98SSadaf Ebrahimi /* 78*62c56f98SSadaf Ebrahimi * You should adjust this to the exact number of sources you're using: default 79*62c56f98SSadaf Ebrahimi * is the "platform_entropy_poll" source, but you may want to add other ones 80*62c56f98SSadaf Ebrahimi * Minimum is 2 for the entropy test suite. 81*62c56f98SSadaf Ebrahimi */ 82*62c56f98SSadaf Ebrahimi #define MBEDTLS_ENTROPY_MAX_SOURCES 2 83*62c56f98SSadaf Ebrahimi 84*62c56f98SSadaf Ebrahimi /* These defines are present so that the config modifying scripts can enable 85*62c56f98SSadaf Ebrahimi * them during tests/scripts/test-ref-configs.pl */ 86*62c56f98SSadaf Ebrahimi //#define MBEDTLS_USE_PSA_CRYPTO 87*62c56f98SSadaf Ebrahimi //#define MBEDTLS_PSA_CRYPTO_C 88*62c56f98SSadaf Ebrahimi 89*62c56f98SSadaf Ebrahimi /* Error messages and TLS debugging traces 90*62c56f98SSadaf Ebrahimi * (huge code size increase, needed for tests/ssl-opt.sh) */ 91*62c56f98SSadaf Ebrahimi //#define MBEDTLS_DEBUG_C 92*62c56f98SSadaf Ebrahimi //#define MBEDTLS_ERROR_C 93