| Gilles Peskine | 168f17c | 2022-02-25 19:28:00 +0100 | [diff] [blame] | 1 | /** |
| 2 | * \file config-ccm-psk-dtls1_2.h |
| 3 | * |
| 4 | * \brief Small configuration for DTLS 1.2 with PSK and AES-CCM ciphersuites |
| 5 | */ |
| 6 | /* |
| 7 | * Copyright The Mbed TLS Contributors |
| Dave Rodgman | 16799db | 2023-11-02 19:47:20 +0000 | [diff] [blame] | 8 | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
| Gilles Peskine | 168f17c | 2022-02-25 19:28:00 +0100 | [diff] [blame] | 9 | */ |
| 10 | /* |
| 11 | * Minimal configuration for DTLS 1.2 with PSK and AES-CCM ciphersuites |
| 12 | * |
| 13 | * Distinguishing features: |
| Gilles Peskine | d725bf7 | 2022-04-05 21:52:14 +0200 | [diff] [blame] | 14 | * - Optimized for small code size, low bandwidth (on an unreliable transport), |
| Gilles Peskine | 168f17c | 2022-02-25 19:28:00 +0100 | [diff] [blame] | 15 | * and low RAM usage. |
| 16 | * - No asymmetric cryptography (no certificates, no Diffie-Hellman key |
| 17 | * exchange). |
| 18 | * - Fully modern and secure (provided the pre-shared keys are generated and |
| 19 | * stored securely). |
| 20 | * - Very low record overhead with CCM-8. |
| 21 | * - Includes several optional DTLS features typically used in IoT. |
| 22 | * |
| 23 | * See README.txt for usage instructions. |
| 24 | */ |
| 25 | |
| Gilles Peskine | 168f17c | 2022-02-25 19:28:00 +0100 | [diff] [blame] | 26 | /* Mbed TLS modules */ |
| Gilles Peskine | 168f17c | 2022-02-25 19:28:00 +0100 | [diff] [blame] | 27 | #define MBEDTLS_NET_C |
| Gilles Peskine | 168f17c | 2022-02-25 19:28:00 +0100 | [diff] [blame] | 28 | #define MBEDTLS_SSL_CLI_C |
| 29 | #define MBEDTLS_SSL_COOKIE_C |
| 30 | #define MBEDTLS_SSL_SRV_C |
| 31 | #define MBEDTLS_SSL_TLS_C |
| 32 | #define MBEDTLS_TIMING_C |
| 33 | |
| 34 | /* TLS protocol feature support */ |
| 35 | #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED |
| 36 | #define MBEDTLS_SSL_PROTO_TLS1_2 |
| 37 | #define MBEDTLS_SSL_PROTO_DTLS |
| 38 | #define MBEDTLS_SSL_DTLS_ANTI_REPLAY |
| 39 | #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE |
| 40 | #define MBEDTLS_SSL_DTLS_CONNECTION_ID |
| 41 | #define MBEDTLS_SSL_DTLS_HELLO_VERIFY |
| 42 | #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH |
| 43 | |
| 44 | /* |
| 45 | * Use only CCM_8 ciphersuites, and |
| 46 | * save ROM and a few bytes of RAM by specifying our own ciphersuite list |
| 47 | */ |
| 48 | #define MBEDTLS_SSL_CIPHERSUITES \ |
| Gilles Peskine | 449bd83 | 2023-01-11 14:50:10 +0100 | [diff] [blame] | 49 | MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8, \ |
| 50 | MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8 |
| Gilles Peskine | 168f17c | 2022-02-25 19:28:00 +0100 | [diff] [blame] | 51 | |
| 52 | /* |
| 53 | * Save RAM at the expense of interoperability: do this only if you control |
| 54 | * both ends of the connection! (See comments in "mbedtls/ssl.h".) |
| 55 | * The optimal size here depends on the typical size of records. |
| 56 | */ |
| 57 | #define MBEDTLS_SSL_IN_CONTENT_LEN 256 |
| 58 | #define MBEDTLS_SSL_OUT_CONTENT_LEN 256 |
| 59 | |
| Gilles Peskine | 168f17c | 2022-02-25 19:28:00 +0100 | [diff] [blame] | 60 | /* Save some RAM by adjusting to your exact needs */ |
| 61 | #define MBEDTLS_PSK_MAX_LEN 16 /* 128-bits keys are generally enough */ |
| 62 | |
| Gilles Peskine | c6d197b | 2022-02-25 21:00:16 +0100 | [diff] [blame] | 63 | /* Error messages and TLS debugging traces |
| 64 | * (huge code size increase, needed for tests/ssl-opt.sh) */ |
| 65 | //#define MBEDTLS_DEBUG_C |
| 66 | //#define MBEDTLS_ERROR_C |