From e38eb0b7be41a5977515d1e10b208a0aaad020fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 24 Jun 2014 17:30:05 +0200 Subject: [PATCH] Optimize config-suite-b for low RAM usage --- configs/config-ccm-psk-tls1_2.h | 1 + configs/config-suite-b.h | 38 +++++++++++++++++++++++++++++-- tests/scripts/test-ref-configs.pl | 2 +- 3 files changed, 38 insertions(+), 3 deletions(-) diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index 8560a7b56..1c7c4b44c 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -44,6 +44,7 @@ /* * Save RAM at the expense of interoperability: do this only if you control * both ends of the connection! (See coments in "polarssl/ssl.h".) + * The optimal size here depends on the typical size of records. */ #define SSL_MAX_CONTENT_LEN 512 diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index bfd604807..8a98b9de1 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h @@ -1,6 +1,14 @@ /* * Minimal configuration for TLS NSA Suite B Profile (RFC 6460) * + * Distinguishing features: + * - no RSA or classic DH, fully based on ECC + * - optimized for low RAM usage + * + * Possible improvements: + * - if 128-bit security is enough, disable secp384r1 and SHA-512 + * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C + * * See README.txt for usage instructions. */ @@ -48,8 +56,34 @@ #define POLARSSL_CERTS_C #define POLARSSL_PEM_PARSE_C -/* For testing with compat.sh */ -#define POLARSSL_FS_IO +/* Save RAM at the expense of ROM */ +#define POLARSSL_AES_ROM_TABLES + +/* Save RAM by adjusting to our exact needs */ +#define POLARSSL_MPI_MAX_SIZE 96 +#define POLARSSL_ECP_MAX_BITS 384 + +/* Save RAM at the expense of speed, see ecp.h */ +#define POLARSSL_ECP_WINDOW_SIZE 2 +#define POLARSSL_ECP_FIXED_POINT_OPTIM 0 + +/* Uncomment for a significant speed benefit at the expense of some ROM */ +//#define POLARSSL_ECP_NIST_OPTIM + +/* + * You should adjust this to the exact number of sources you're using: default + * is the "platform_entrpy_poll" source, but you may want to add other ones. + * Minimum is 2 for the entropy test suite. + */ +#define ENTROPY_MAX_SOURCES 2 + +/* + * Save RAM at the expense of interoperability: do this only if you control + * both ends of the connection! (See coments in "polarssl/ssl.h".) + * The minimum size here depends on the certificate chain used as well as the + * typical size of records. + */ +#define SSL_MAX_CONTENT_LEN 1024 #include "check_config.h" diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index fddfe65ea..9b09e3464 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -16,7 +16,7 @@ my %configs = ( 'config-mini-tls1_1.h' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', 'config-suite-b.h' - => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM'", + => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM' -p PolarSSL", 'config-picocoin.h' => 0, 'config-ccm-psk-tls1_2.h'