diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml index 02ff88e32b..d1100d3cd1 100644 --- a/.github/workflows/os-check.yml +++ b/.github/workflows/os-check.yml @@ -111,13 +111,24 @@ jobs: matrix: os: [ ubuntu-24.04, macos-latest ] user-settings: [ - # Add new user_settings.h here + # Add new user_settings.h here (alphabetical order) + 'examples/configs/user_settings_ca.h', + 'examples/configs/user_settings_dtls13.h', + 'examples/configs/user_settings_EBSnet.h', 'examples/configs/user_settings_eccnonblock.h', 'examples/configs/user_settings_min_ecc.h', + 'examples/configs/user_settings_openssl_compat.h', + 'examples/configs/user_settings_pkcs7.h', + 'examples/configs/user_settings_rsa_only.h', + 'examples/configs/user_settings_template.h', + 'examples/configs/user_settings_tls12.h', + 'examples/configs/user_settings_tls13.h', 'examples/configs/user_settings_wolfboot_keytools.h', - 'examples/configs/user_settings_wolftpm.h', 'examples/configs/user_settings_wolfssh.h', - 'examples/configs/user_settings_tls12.h', + 'examples/configs/user_settings_wolftpm.h', + # Not included (require special setup): + # - user_settings_pq.h: Requires --enable-experimental + # - user_settings_baremetal.h: Requires static memory, custom platform ] name: make user_setting.h (testwolfcrypt only) if: github.repository_owner == 'wolfssl' diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 0a681bd403..246ded2a45 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -695,7 +695,6 @@ WOLFSSL_BIGINT_TYPES WOLFSSL_BIO_NO_FLOW_STATS WOLFSSL_BLAKE2B_INIT_EACH_FIELD WOLFSSL_BLAKE2S_INIT_EACH_FIELD -WOLFSSL_BLIND_PRIVATE_KEY WOLFSSL_BYTESWAP32_ASM WOLFSSL_CAAM_BLACK_KEY_AESCCM WOLFSSL_CAAM_BLACK_KEY_SM @@ -708,10 +707,8 @@ WOLFSSL_CLIENT_EXAMPLE WOLFSSL_CONTIKI WOLFSSL_CRL_ALLOW_MISSING_CDP WOLFSSL_DILITHIUM_ASSIGN_KEY -WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM WOLFSSL_DILITHIUM_NO_ASN1 WOLFSSL_DILITHIUM_NO_CHECK_KEY -WOLFSSL_DILITHIUM_NO_LARGE_CODE WOLFSSL_DILITHIUM_NO_MAKE WOLFSSL_DILITHIUM_REVERSE_HASH_OID WOLFSSL_DILITHIUM_SIGN_CHECK_W0 @@ -719,7 +716,6 @@ WOLFSSL_DILITHIUM_SIGN_CHECK_Y WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 -WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM WOLFSSL_DISABLE_EARLY_SANITY_CHECKS WOLFSSL_DTLS_DISALLOW_FUTURE WOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS @@ -785,10 +781,7 @@ WOLFSSL_MAKE_SYSTEM_NAME_LINUX WOLFSSL_MAKE_SYSTEM_NAME_WSL WOLFSSL_MDK5 WOLFSSL_MEM_FAIL_COUNT -WOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM WOLFSSL_MLKEM_INVNTT_UNROLL -WOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -WOLFSSL_MLKEM_NO_LARGE_CODE WOLFSSL_MLKEM_NO_MALLOC WOLFSSL_MLKEM_NTT_UNROLL WOLFSSL_MONT_RED_CT diff --git a/examples/configs/README.md b/examples/configs/README.md index 048c79d456..e1749bdeed 100644 --- a/examples/configs/README.md +++ b/examples/configs/README.md @@ -4,17 +4,27 @@ Example wolfSSL configuration file templates for use when autoconf is not availa ## Files -* `user_settings_template.h`: Template that allows modular algorithm and feature selection using `#if 0` logic. +* `user_settings_template.h`: Template that allows modular algorithm and feature selection using `#if 0`/`#if 1` gates. * `user_settings_all.h`: This is wolfSSL with all features enabled. Equivalent to `./configure --enable-all`. * `user_settings_arduino.h`: An example Arduino file. See also [wolfSSL/Arduino-wolfSSL](https://github.com/wolfSSL/Arduino-wolfSSL). -*.`user_settings_EBSnet.h`: Example configuration file for use with EBSnet ports. +* `user_settings_EBSnet.h`: Example configuration file for use with EBSnet ports. +* `user_settings_eccnonblock.h`: Example for non-blocking ECC crypto only. See comment at top for test results. +* `user_settings_espressif.h`: Example configuration for Espressif ESP32. See also [wolfSSL/IDE/Espressif](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif). * `user_settings_fipsv2.h`: The FIPS v2 (3389) 140-2 certificate build options. * `user_settings_fipsv5.h`: The FIPS v5 (ready) 140-3 build options. Equivalent to `./configure --enable-fips=v5-dev`. -* `user_settings_min_ecc.h`: This is ECC and SHA-256 only. For ECC verify only add `BUILD_VERIFY_ONLY`. -* `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl) +* `user_settings_min_ecc.h`: Minimal ECC and SHA-256 only (no TLS). For ECC verify only add `NO_ECC_SIGN`. +* `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl). * `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack. -* `user_settings_tls12`: Example for TLS v1.2 client only, ECC only, AES GCM only, SHA2-256 only. -* `user_settings_wolfboot_keytools.h`: This from wolfBoot tools/keytools and is ECC, RSA, ED25519 and ChaCha20. +* `user_settings_tls12.h`: Example for TLS v1.2 client only, ECC only, AES-GCM only, SHA2-256 only. +* `user_settings_tls13.h`: TLS 1.3 only configuration (no TLS 1.2). Modern cipher suites with X25519/X448 key exchange. +* `user_settings_dtls13.h`: DTLS 1.3 for IoT and embedded. Includes connection ID support and smaller MTU options. +* `user_settings_pq.h`: Post-quantum TLS with ML-KEM (Kyber) key exchange and ML-DSA (Dilithium) certificates. +* `user_settings_openssl_compat.h`: OpenSSL compatibility layer for drop-in replacement. Enables OPENSSL_ALL and related APIs. +* `user_settings_baremetal.h`: Bare metal configuration. No filesystem, static memory only, minimal footprint. +* `user_settings_rsa_only.h`: RSA-only configuration (no ECC). For legacy systems requiring RSA cipher suites. +* `user_settings_pkcs7.h`: PKCS#7/CMS configuration for signing and encryption. S/MIME, firmware signing. +* `user_settings_ca.h`: Certificate Authority / PKI operations. Certificate generation, signing, CRL, OCSP. +* `user_settings_wolfboot_keytools.h`: wolfBoot key generation and signing tool. Supports ECC, RSA, ED25519, ED448, and post-quantum (ML-DSA/Dilithium, LMS, XMSS). * `user_settings_wolfssh.h`: Minimum options for building wolfSSH. See comment at top for ./configure used to generate. * `user_settings_wolftpm.h`: Minimum options for building wolfTPM. See comment at top for ./configure used to generate. diff --git a/examples/configs/include.am b/examples/configs/include.am index ab2453412a..2266215bc1 100644 --- a/examples/configs/include.am +++ b/examples/configs/include.am @@ -4,16 +4,24 @@ EXTRA_DIST += examples/configs/README.md EXTRA_DIST += examples/configs/user_settings_all.h EXTRA_DIST += examples/configs/user_settings_arduino.h +EXTRA_DIST += examples/configs/user_settings_baremetal.h +EXTRA_DIST += examples/configs/user_settings_ca.h +EXTRA_DIST += examples/configs/user_settings_dtls13.h EXTRA_DIST += examples/configs/user_settings_EBSnet.h EXTRA_DIST += examples/configs/user_settings_eccnonblock.h EXTRA_DIST += examples/configs/user_settings_espressif.h EXTRA_DIST += examples/configs/user_settings_fipsv2.h EXTRA_DIST += examples/configs/user_settings_fipsv5.h EXTRA_DIST += examples/configs/user_settings_min_ecc.h +EXTRA_DIST += examples/configs/user_settings_openssl_compat.h +EXTRA_DIST += examples/configs/user_settings_pkcs7.h EXTRA_DIST += examples/configs/user_settings_platformio.h +EXTRA_DIST += examples/configs/user_settings_pq.h +EXTRA_DIST += examples/configs/user_settings_rsa_only.h EXTRA_DIST += examples/configs/user_settings_stm32.h EXTRA_DIST += examples/configs/user_settings_template.h EXTRA_DIST += examples/configs/user_settings_tls12.h +EXTRA_DIST += examples/configs/user_settings_tls13.h EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h EXTRA_DIST += examples/configs/user_settings_wolfssh.h EXTRA_DIST += examples/configs/user_settings_wolftpm.h diff --git a/examples/configs/user_settings_EBSnet.h b/examples/configs/user_settings_EBSnet.h index 6ede239274..70f465f51b 100644 --- a/examples/configs/user_settings_EBSnet.h +++ b/examples/configs/user_settings_EBSnet.h @@ -47,6 +47,8 @@ extern "C" { #define NO_MD4 #define NO_MD5 #define NO_DES3 +#define NO_DES3_TLS_SUITES +#define NO_OLD_TLS #ifdef __cplusplus } diff --git a/examples/configs/user_settings_all.h b/examples/configs/user_settings_all.h index 8940e83f24..d3a3a710dc 100644 --- a/examples/configs/user_settings_all.h +++ b/examples/configs/user_settings_all.h @@ -210,7 +210,6 @@ extern "C" { #define WOLFSSL_SHAKE256 #define WOLFSSL_SHA3 #define WOLFSSL_HASH_FLAGS /* enable hash flag API's */ -#define WOLFSSL_SHAKE256 /* Additional Algorithms */ #define HAVE_HASHDRBG diff --git a/examples/configs/user_settings_baremetal.h b/examples/configs/user_settings_baremetal.h new file mode 100644 index 0000000000..6b3eee79c1 --- /dev/null +++ b/examples/configs/user_settings_baremetal.h @@ -0,0 +1,231 @@ +/* user_settings_baremetal.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* Bare metal configuration for systems without an OS. + * No filesystem, no malloc, static memory, minimal footprint. + * Suitable for deeply embedded systems and bootloaders. + * + * Build and test: + * cp ./examples/configs/user_settings_baremetal.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* Platform - Bare Metal */ +/* ------------------------------------------------- */ +#define SINGLE_THREADED +#define NO_FILESYSTEM +#define NO_WRITEV +#define WOLFSSL_NO_SOCK +#define WOLFSSL_IGNORE_FILE_WARN +#define WOLFSSL_GENERAL_ALIGNMENT 4 +#define SIZEOF_LONG_LONG 8 + +/* TLS transport requires setting IO callbacks */ +#define WOLFSSL_USER_IO + +/* ------------------------------------------------- */ +/* Memory */ +/* ------------------------------------------------- */ +#if 1 /* stack memory */ + +#elif 1 /* small stack */ + /* Small stack - allocate large variables from static pool */ + #define WOLFSSL_SMALL_STACK +#else /* static memory */ + #define WOLFSSL_STATIC_MEMORY + #define WOLFSSL_NO_MALLOC + #define WOLFSSL_SP_NO_MALLOC + #define WOLFSSL_MALLOC_CHECK + #define NO_WOLFSSL_MEMORY +#endif + +/* ------------------------------------------------- */ +/* Math - Single Precision (smallest) */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH +#define WOLFSSL_SP_SMALL +#define TFM_TIMING_RESISTANT + +/* ------------------------------------------------- */ +/* TLS (optional - disable for crypto-only) */ +/* ------------------------------------------------- */ +#if 0 /* TLS support */ + #define WOLFSSL_TLS13 + #define WOLFSSL_NO_TLS12 + #define NO_OLD_TLS + #define HAVE_TLS_EXTENSIONS + #define HAVE_SUPPORTED_CURVES + #define HAVE_HKDF +#else + #define WOLFCRYPT_ONLY +#endif + +/* ------------------------------------------------- */ +/* ECC (smallest asymmetric option) */ +/* ------------------------------------------------- */ +#if 1 /* ECC support */ + #define HAVE_ECC + #define WOLFSSL_HAVE_SP_ECC + + #define ECC_USER_CURVES /* P-256 only */ + #undef NO_ECC256 + #define ECC_TIMING_RESISTANT + /* Disable for smaller size */ + #if 0 /* ECC Shamir (faster, more code) */ + #define ECC_SHAMIR + #endif +#endif + +/* ECC Feature Reduction */ +#if 0 /* Verify only (no signing/keygen) */ + #define NO_ECC_SIGN + #define NO_ECC_DHE + #define NO_ECC_KEY_EXPORT +#endif + +/* ------------------------------------------------- */ +/* RSA (disable for smallest size) */ +/* ------------------------------------------------- */ +#if 0 /* RSA support */ + #undef NO_RSA + #define WOLFSSL_HAVE_SP_RSA + #define WC_RSA_BLINDING + #define RSA_LOW_MEM + #if 0 /* Verify only */ + #define WOLFSSL_RSA_PUBLIC_ONLY + #define WOLFSSL_RSA_VERIFY_INLINE + #define NO_CHECK_PRIVATE_KEY + #endif +#else + #define NO_RSA +#endif + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +#if 1 /* AES */ + #define HAVE_AESGCM + #define GCM_SMALL + #define WOLFSSL_AES_SMALL_TABLES + #define WOLFSSL_AES_NO_UNROLL + #define NO_AES_192 + #define NO_AES_256 + #if 0 /* AES-CBC */ + #undef NO_AES_CBC + #else + #define NO_AES_CBC + #endif +#else + #define NO_AES +#endif + +#if 0 /* ChaCha20-Poly1305 */ + #define HAVE_CHACHA + #define HAVE_POLY1305 +#endif + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +/* SHA-256 only (required) */ +#define USE_SLOW_SHA256 + +#if 0 /* SHA-1 (legacy) */ + #undef NO_SHA +#else + #define NO_SHA +#endif + +/* ------------------------------------------------- */ +/* RNG */ +/* ------------------------------------------------- */ +#if 1 /* Hash-based DRBG */ + #define HAVE_HASHDRBG +#else + /* Use hardware RNG directly */ + #define WC_NO_HASHDRBG + extern int my_rng_gen_block(unsigned char* output, unsigned int sz); + #define CUSTOM_RAND_GENERATE_BLOCK my_rng_gen_block +#endif + +/* ------------------------------------------------- */ +/* ASN / Certificates */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE + +#if 0 /* Disable certificates for smallest size */ + #define NO_ASN + #define NO_CERTS + #define NO_CODING +#endif + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DH +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_MD5 +#define NO_DES3 +#define NO_DES3_TLS_SUITES +#define NO_PSK +#define NO_PWDBASED +#define NO_PKCS8 +#define NO_PKCS12 + +/* ------------------------------------------------- */ +/* Disabled Features */ +/* ------------------------------------------------- */ +#define NO_SIG_WRAPPER +#define NO_SESSION_CACHE +#define NO_ERROR_STRINGS +#define NO_OLD_RNGNAME +#define NO_WOLFSSL_DIR +#define BENCH_EMBEDDED + +/* ------------------------------------------------- */ +/* Custom Time (bare metal has no RTC typically) */ +/* ------------------------------------------------- */ +#if 1 /* Custom time function */ + #define NO_ASN_TIME + /* Or provide custom time: + * #define USER_TIME + * extern unsigned long my_time(unsigned long* timer); + * #define XTIME my_time + */ +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_ca.h b/examples/configs/user_settings_ca.h new file mode 100644 index 0000000000..a04f880cf6 --- /dev/null +++ b/examples/configs/user_settings_ca.h @@ -0,0 +1,210 @@ +/* user_settings_ca.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* Certificate Authority (CA) / PKI configuration. + * For certificate generation, signing, CRL, OCSP, and CertificateManager. + * No TLS - certificate operations only. + * + * Build and test: + * cp ./examples/configs/user_settings_ca.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ +#define NO_TLS /* Enables CertificateManager without TLS */ +#if 0 /* Single threaded */ + #define SINGLE_THREADED +#endif +#define WOLFSSL_IGNORE_FILE_WARN + +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH_ALL +#define SP_INT_BITS 4096 + +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* ------------------------------------------------- */ +/* Certificate Generation */ +/* ------------------------------------------------- */ +#define WOLFSSL_CERT_GEN +#define WOLFSSL_CERT_REQ +#define WOLFSSL_CERT_EXT +#define WOLFSSL_MULTI_ATTRIB +#define WOLFSSL_ALT_NAMES +#define WOLFSSL_CUSTOM_OID +#define HAVE_OID_ENCODING + +/* Additional certificate features */ +#define WOLFSSL_CERT_NAME_ALL +#define WOLFSSL_HAVE_ISSUER_NAMES +#define WOLFSSL_AKID_NAME +#define WOLFSSL_SUBJ_DIR_ATTR +#define WOLFSSL_SUBJ_INFO_ACC + +/* ------------------------------------------------- */ +/* ASN.1 */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE +#define WOLFSSL_PEM_TO_DER +#define WOLFSSL_DER_TO_PEM +#define WOLFSSL_DER_LOAD +#define ASN_BER_TO_DER + +/* ------------------------------------------------- */ +/* CRL (Certificate Revocation List) */ +/* ------------------------------------------------- */ +#define HAVE_CRL +#if 0 /* CRL file monitoring */ + #define HAVE_CRL_MONITOR +#endif +#define HAVE_CRL_IO +#define HAVE_IO_TIMEOUT + +/* ------------------------------------------------- */ +/* OCSP (Online Certificate Status Protocol) */ +/* ------------------------------------------------- */ +#define HAVE_OCSP +#define HAVE_CERTIFICATE_STATUS_REQUEST +#define HAVE_CERTIFICATE_STATUS_REQUEST_V2 +#define HAVE_TLS_EXTENSIONS + +/* ------------------------------------------------- */ +/* ECC */ +/* ------------------------------------------------- */ +#if 1 /* ECC support */ + #define HAVE_ECC + #define ECC_USER_CURVES + #undef NO_ECC256 + #define HAVE_ECC384 + #define HAVE_ECC521 + #define ECC_SHAMIR + #define HAVE_COMP_KEY + #define WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT +#endif + +/* ------------------------------------------------- */ +/* Ed25519 / Ed448 */ +/* ------------------------------------------------- */ +#if 1 /* Ed25519 certificates */ + #define HAVE_ED25519 + #define HAVE_CURVE25519 +#endif +#if 1 /* Ed448 certificates */ + #define HAVE_ED448 + #define HAVE_CURVE448 + #define WOLFSSL_SHAKE256 +#endif + +/* ------------------------------------------------- */ +/* RSA */ +/* ------------------------------------------------- */ +#if 1 /* RSA support */ + #undef NO_RSA + #define WOLFSSL_KEY_GEN + #define WC_RSA_PSS + #define WC_RSA_NO_PADDING +#else + #define NO_RSA +#endif + +/* ------------------------------------------------- */ +/* Post-Quantum Certificates */ +/* ------------------------------------------------- */ +#if 0 /* ML-DSA / Dilithium certificates */ + #define WOLFSSL_EXPERIMENTAL_SETTINGS + #define HAVE_DILITHIUM + #define WOLFSSL_WC_DILITHIUM + #define WOLFSSL_SHAKE128 + #define WOLFSSL_SHAKE256 +#endif + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +/* SHA-256 required */ +#define WOLFSSL_SHA224 +#define WOLFSSL_SHA384 +#define WOLFSSL_SHA512 +#define WOLFSSL_SHA3 + +#if 1 /* SHA-1 (for legacy certificate compatibility) */ + #undef NO_SHA +#else + #define NO_SHA +#endif + +/* ------------------------------------------------- */ +/* RNG */ +/* ------------------------------------------------- */ +#define HAVE_HASHDRBG + +/* ------------------------------------------------- */ +/* Encoding */ +/* ------------------------------------------------- */ +#define WOLFSSL_BASE64_ENCODE +#define WOLFSSL_BASE16 + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DH +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_MD5 +#define NO_DES3 +#define NO_PSK +#define NO_PWDBASED +#define NO_OLD_TLS + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ + #define DEBUG_WOLFSSL +#endif +#if 0 /* Disable error strings */ + #define NO_ERROR_STRINGS +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_dtls13.h b/examples/configs/user_settings_dtls13.h new file mode 100644 index 0000000000..52df154d3a --- /dev/null +++ b/examples/configs/user_settings_dtls13.h @@ -0,0 +1,211 @@ +/* user_settings_dtls13.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* DTLS 1.3 for IoT and UDP applications. + * Suitable for constrained devices with unreliable networks. + * + * Build and test: + * cp ./examples/configs/user_settings_dtls13.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ +#if 1 /* Single threaded (typical for IoT) */ + #define SINGLE_THREADED +#endif +#if 0 /* Disable filesystem */ + #define NO_FILESYSTEM +#endif +#define WOLFSSL_USER_IO +#define WOLFSSL_IGNORE_FILE_WARN + +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH_ALL +#if 1 /* Small code size for IoT */ + #define WOLFSSL_SP_SMALL +#endif + +/* ------------------------------------------------- */ +/* DTLS 1.3 */ +/* ------------------------------------------------- */ +#define WOLFSSL_DTLS +#define WOLFSSL_DTLS13 +#define WOLFSSL_TLS13 +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_HKDF +#define WC_RSA_PSS + +/* Disable older versions */ +#define WOLFSSL_NO_TLS12 +#define NO_OLD_TLS + +/* DTLS-specific features */ +#if 1 /* HelloRetryRequest cookie (DoS protection) */ + #define WOLFSSL_SEND_HRR_COOKIE +#endif +#if 0 /* Connection ID (NAT traversal) - requires TLS 1.2 code paths */ + #define WOLFSSL_DTLS_CID +#endif +#if 0 /* Fragmented ClientHello */ + #define WOLFSSL_DTLS_CH_FRAG +#endif + +/* Client/Server */ +#if 0 /* Client only */ + #define NO_WOLFSSL_SERVER +#endif +#if 0 /* Server only */ + #define NO_WOLFSSL_CLIENT +#endif + +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* ------------------------------------------------- */ +/* ECC (preferred for IoT) */ +/* ------------------------------------------------- */ +#define HAVE_ECC +#define ECC_USER_CURVES +#undef NO_ECC256 +#if 0 /* P-384 */ + #define HAVE_ECC384 +#endif +#define ECC_SHAMIR + +/* ------------------------------------------------- */ +/* Curve25519 / Ed25519 */ +/* ------------------------------------------------- */ +#if 1 /* X25519 key exchange (efficient for IoT) */ + #define HAVE_CURVE25519 + #define CURVE25519_SMALL +#endif + +/* ------------------------------------------------- */ +/* RSA */ +/* ------------------------------------------------- */ +#if 0 /* RSA support (larger, disable for constrained devices) */ + #undef NO_RSA +#else + #define NO_RSA +#endif + +/* ------------------------------------------------- */ +/* DH */ +/* ------------------------------------------------- */ +#define NO_DH + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +/* AES-GCM */ +#define HAVE_AESGCM +#if 1 /* Small GCM tables for IoT */ + #define GCM_SMALL +#else + #define GCM_TABLE_4BIT +#endif + +#if 1 /* ChaCha20-Poly1305 (efficient in software) */ + #define HAVE_CHACHA + #define HAVE_POLY1305 + #define HAVE_ONE_TIME_AUTH +#endif + +#if 1 /* AES-CCM (common in IoT) */ + #define HAVE_AESCCM +#endif + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +/* SHA-256 required */ +#if 1 /* Smaller/slower SHA */ + #define USE_SLOW_SHA256 +#endif + +/* ------------------------------------------------- */ +/* RNG */ +/* ------------------------------------------------- */ +#define HAVE_HASHDRBG + +/* ------------------------------------------------- */ +/* ASN / Certificates */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_MD5 +#define NO_SHA +#define NO_DES3 +#define NO_DES3_TLS_SUITES +#define NO_PSK +#define NO_PWDBASED + +/* ------------------------------------------------- */ +/* Memory Optimization */ +/* ------------------------------------------------- */ +#if 1 /* Small stack for embedded */ + #define WOLFSSL_SMALL_STACK +#endif +#if 0 /* Static memory (no malloc) */ + #define WOLFSSL_STATIC_MEMORY + #define WOLFSSL_NO_MALLOC +#endif +#define NO_SESSION_CACHE + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ + #define DEBUG_WOLFSSL +#endif +#if 1 /* Disable error strings to save flash */ + #define NO_ERROR_STRINGS +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_eccnonblock.h b/examples/configs/user_settings_eccnonblock.h index 122b885ad3..64b2df45f1 100644 --- a/examples/configs/user_settings_eccnonblock.h +++ b/examples/configs/user_settings_eccnonblock.h @@ -104,8 +104,8 @@ extern "C" { #define WOLFSSL_SP_MATH /* forces only single precision */ /* Hashing */ -#define WOLFSL_SHA512 -#define WOLFSL_SHA384 +#define WOLFSSL_SHA512 +#define WOLFSSL_SHA384 #undef NO_SHA256 /* Debugging */ diff --git a/examples/configs/user_settings_fipsv2.h b/examples/configs/user_settings_fipsv2.h index cb219506fb..372952085f 100644 --- a/examples/configs/user_settings_fipsv2.h +++ b/examples/configs/user_settings_fipsv2.h @@ -112,4 +112,4 @@ extern "C" { } #endif -#endif /* WOLFSSL_OPTIONS_H */ +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_fipsv5.h b/examples/configs/user_settings_fipsv5.h index e977b8c0dc..575c172821 100644 --- a/examples/configs/user_settings_fipsv5.h +++ b/examples/configs/user_settings_fipsv5.h @@ -130,7 +130,6 @@ extern "C" { #define WOLFSSL_AES_COUNTER #define HAVE_AESCCM #define HAVE_AES_ECB -#define WOLFSSL_AES_COUNTER #define WOLFSSL_AES_DIRECT #define WOLFSSL_AES_OFB #define HAVE_AESGCM @@ -147,7 +146,6 @@ extern "C" { #define WOLFSSL_SHA224 #define WOLFSSL_SHA512 #define WOLFSSL_SHA384 -#define WOLFSSL_NO_SHAKE256 #define WOLFSSL_NOSHA512_224 #define WOLFSSL_NOSHA512_256 #define WOLFSSL_SHA3 @@ -162,6 +160,7 @@ extern "C" { #define NO_MD4 #define NO_MD5 #define NO_DES3 +#define NO_DES3_TLS_SUITES #define NO_DSA #define NO_RABBIT #define NO_HC128 diff --git a/examples/configs/user_settings_min_ecc.h b/examples/configs/user_settings_min_ecc.h index c555d3b202..ad71a4b95e 100644 --- a/examples/configs/user_settings_min_ecc.h +++ b/examples/configs/user_settings_min_ecc.h @@ -19,63 +19,94 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -/* should be renamed to user_settings.h for customer use - * generated from configure options: +/* Minimal ECC and SHA-256 only (no TLS, no RSA, no AES) + * + * Derived from: * ./configure \ - --enable-cryptonly --enable-ecc --enable-sp \ - --disable-rsa --disable-dh --disable-sha3 --disable-sha224 --disable-md5 \ - --disable-sha --disable-pkcs12 --disable-memory \ - --disable-chacha --disable-poly1305 --disable-sha512 --disable-sha384 \ - --disable-aesgcm --disable-aescbc --disable-aes --disable-rng \ - CFLAGS="-DNO_SIG_WRAPPER -DWOLFSSL_PUBLIC_MP -DECC_USER_CURVES \ - -DNO_ECC_SIGN -DNO_ECC_DHE -DNO_ECC_KEY_EXPORT" + * --enable-cryptonly --enable-ecc --enable-sp \ + * --disable-rsa --disable-dh --disable-sha3 \ + * --disable-sha224 --disable-md5 \ + * --disable-sha --disable-pkcs12 --disable-memory \ + * --disable-chacha --disable-poly1305 \ + * --disable-sha512 --disable-sha384 \ + * --disable-aesgcm --disable-aescbc \ + * --disable-aes --disable-rng \ + * CFLAGS="-DNO_SIG_WRAPPER -DWOLFSSL_PUBLIC_MP \ + * -DECC_USER_CURVES" * - * Cleaned up by David Garske + * Build and test: + * cp ./examples/configs/user_settings_min_ecc.h \ + * user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt */ #ifndef WOLFSSL_USER_SETTINGS_H #define WOLFSSL_USER_SETTINGS_H - #ifdef __cplusplus extern "C" { #endif -/* WolfCrypt Only (no TLS) */ -#define WOLFCRYPT_ONLY +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ +#define WOLFCRYPT_ONLY /* No TLS, wolfCrypt only */ /* Endianness - defaults to little endian */ #ifdef __BIG_ENDIAN__ #define BIG_ENDIAN_ORDER #endif -/* Expose the math mp_ API's */ -#define WOLFSSL_PUBLIC_MP +#define WOLFSSL_PUBLIC_MP /* Expose mp_ math API's */ -/* Use single precision math only */ +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ #define WOLFSSL_SP #define WOLFSSL_SP_SMALL #define WOLFSSL_SP_MATH #define WOLFSSL_HAVE_SP_ECC -/* Enable Timing Resistance */ +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ #define TFM_TIMING_RESISTANT #define ECC_TIMING_RESISTANT -/* Enable ECC */ +/* ------------------------------------------------- */ +/* ECC */ +/* ------------------------------------------------- */ #define HAVE_ECC -#define ECC_USER_CURVES /* Only 256-Bit Curves */ -//#define ECC_SHAMIR +#define ECC_USER_CURVES /* Only P-256 by default */ +#if 0 /* ECC Shamir - faster but more code/memory */ + #define ECC_SHAMIR +#endif -/* Optional Feature Disables */ -#define NO_SIG_WRAPPER -//#define NO_ECC_KEY_EXPORT -//#define NO_ECC_DHE -//#define NO_ECC_SIGN -//#define NO_ECC_VERIFY +/* ECC Feature Options */ +#if 0 /* Disable ECC key export */ + #define NO_ECC_KEY_EXPORT +#endif +#if 0 /* Disable ECDHE key agreement */ + #define NO_ECC_DHE +#endif +#if 0 /* Disable ECC sign */ + #define NO_ECC_SIGN +#endif +#if 0 /* Disable ECC verify */ + #define NO_ECC_VERIFY +#endif + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +/* SHA-256 enabled by default */ -/* Disable Algorithms */ +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ #define NO_AES #define NO_AES_CBC #define NO_DES3 @@ -89,17 +120,30 @@ extern "C" { #define NO_PWDBASED #define NO_PKCS12 #define NO_PKCS8 -//#define WC_NO_RNG +#define NO_SIG_WRAPPER -/* Disable Features */ -//#define NO_ASN -//#define NO_CERTS +/* ------------------------------------------------- */ +/* Disabled Features */ +/* ------------------------------------------------- */ #define NO_WOLFSSL_MEMORY #define WOLFSSL_NO_PEM -//#define NO_CODING #define NO_PSK -#ifndef DEBUG_WOLFSSL +#if 0 /* Disable ASN.1 / certificates */ + #define NO_ASN + #define NO_CERTS + #define NO_CODING +#endif +#if 0 /* Disable RNG (ECC verify only) */ + #define WC_NO_RNG +#endif + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ #define DEBUG_WOLFSSL +#endif +#if 1 /* Disable error strings to save flash */ #define NO_ERROR_STRINGS #endif diff --git a/examples/configs/user_settings_openssl_compat.h b/examples/configs/user_settings_openssl_compat.h new file mode 100644 index 0000000000..415f5addd4 --- /dev/null +++ b/examples/configs/user_settings_openssl_compat.h @@ -0,0 +1,274 @@ +/* user_settings_openssl_compat.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* OpenSSL compatibility layer for drop-in replacement. + * Provides OpenSSL API compatibility for applications migrating from OpenSSL. + * + * Build and test: + * cp ./examples/configs/user_settings_openssl_compat.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* OpenSSL Compatibility */ +/* ------------------------------------------------- */ +#define OPENSSL_EXTRA +#if 1 /* Full OpenSSL API compatibility */ + #define OPENSSL_ALL +#endif + +/* OpenSSL-compatible names and behavior */ +#define WOLFSSL_VERBOSE_ERRORS +#define ERROR_QUEUE_PER_THREAD +#define WOLFSSL_ERROR_CODE_OPENSSL +#define HAVE_WOLFSSL_SSL_H +#define OPENSSL_COMPATIBLE_DEFAULTS + +/* Avoid old name conflicts */ +#define NO_OLD_RNGNAME +#define NO_OLD_WC_NAMES +#define NO_OLD_SSL_NAMES +#define NO_OLD_SHA_NAMES +#define NO_OLD_MD5_NAME + +/* Extra data support (SSL_CTX_set_ex_data, etc.) */ +#define HAVE_EX_DATA + +/* ------------------------------------------------- */ +/* Application Compatibility */ +/* ------------------------------------------------- */ +#if 0 /* nginx */ + #define WOLFSSL_NGINX +#endif +#if 0 /* HAProxy */ + #define WOLFSSL_HAPROXY +#endif +#if 0 /* Apache httpd */ + #define HAVE_LIGHTY +#endif +#if 0 /* stunnel */ + #define HAVE_STUNNEL +#endif +#if 0 /* OpenVPN */ + #define WOLFSSL_OPENVPN +#endif +#if 0 /* Qt */ + #define WOLFSSL_QT +#endif +#if 0 /* cURL */ + #define WOLFSSL_LIBCURL +#endif +#if 0 /* OpenSSH */ + #define WOLFSSL_OPENSSH +#endif + +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH_ALL + +/* ------------------------------------------------- */ +/* TLS Versions */ +/* ------------------------------------------------- */ +#define WOLFSSL_TLS13 +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_EXTENDED_MASTER +#define HAVE_ENCRYPT_THEN_MAC +#define HAVE_HKDF +#define WC_RSA_PSS + +#if 1 /* TLS 1.2 (for compatibility) */ + #undef WOLFSSL_NO_TLS12 +#endif +#if 0 /* Allow older TLS (not recommended) */ + #undef NO_OLD_TLS +#else + #define NO_OLD_TLS +#endif + +/* TLS Extensions */ +#define HAVE_SESSION_TICKET +#define HAVE_SNI +#define HAVE_ALPN +#define HAVE_MAX_FRAGMENT +#define HAVE_TRUNCATED_HMAC +#define HAVE_SECURE_RENEGOTIATION +#define HAVE_SERVER_RENEGOTIATION_INFO + +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* ------------------------------------------------- */ +/* ECC */ +/* ------------------------------------------------- */ +#define HAVE_ECC +#define TFM_ECC256 +#define ECC_SHAMIR +#define HAVE_ECC_CDH +#define HAVE_COMP_KEY + +/* ------------------------------------------------- */ +/* Curve25519 / Ed25519 */ +/* ------------------------------------------------- */ +#define HAVE_CURVE25519 +#define HAVE_ED25519 + +/* ------------------------------------------------- */ +/* Curve448 / Ed448 */ +/* ------------------------------------------------- */ +#if 1 /* Ed448/X448 */ + #define HAVE_CURVE448 + #define HAVE_ED448 +#endif + +/* ------------------------------------------------- */ +/* RSA */ +/* ------------------------------------------------- */ +#undef NO_RSA +#define WC_RSA_NO_PADDING +#define WOLFSSL_KEY_GEN + +/* ------------------------------------------------- */ +/* DH */ +/* ------------------------------------------------- */ +#undef NO_DH +#define HAVE_FFDHE_2048 +#define HAVE_FFDHE_3072 +#define HAVE_FFDHE_4096 +#define HAVE_DH_DEFAULT_PARAMS +#define WOLFSSL_DH_EXTRA + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +#define HAVE_AESGCM +#define GCM_TABLE_4BIT +#define WOLFSSL_AESGCM_STREAM +#define HAVE_AESCCM +#define WOLFSSL_AES_COUNTER +#define WOLFSSL_AES_DIRECT +#define WOLFSSL_AES_OFB +#define WOLFSSL_AES_CFB +#define HAVE_AES_ECB +#define HAVE_AES_KEYWRAP +#define HAVE_AES_DECRYPT + +#define HAVE_CHACHA +#define HAVE_POLY1305 +#define HAVE_ONE_TIME_AUTH +#define HAVE_XCHACHA + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +#define WOLFSSL_SHA224 +#define WOLFSSL_SHA384 +#define WOLFSSL_SHA512 +#define WOLFSSL_SHA3 +#define WOLFSSL_SHAKE256 + +#define HAVE_BLAKE2 +#define HAVE_BLAKE2B +#define HAVE_BLAKE2S + +/* ------------------------------------------------- */ +/* Additional Features */ +/* ------------------------------------------------- */ +#define HAVE_HASHDRBG +#define WOLFSSL_CMAC +#define WOLFSSL_DES_ECB +#define HAVE_CTS +#define HAVE_HKDF +#define HAVE_X963_KDF +#define HAVE_KEYING_MATERIAL +#define WOLFSSL_HAVE_PRF + +/* ------------------------------------------------- */ +/* Certificates */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE +#define WOLFSSL_CERT_GEN +#define WOLFSSL_CERT_REQ +#define WOLFSSL_CERT_EXT +#define WOLFSSL_MULTI_ATTRIB +#define WOLFSSL_DER_LOAD +#define WOLFSSL_PEM_TO_DER +#define WOLFSSL_DER_TO_PEM +#define WOLFSSL_ALT_NAMES + +#define HAVE_CRL +#define HAVE_OCSP +#define HAVE_CERTIFICATE_STATUS_REQUEST +#define HAVE_CERTIFICATE_STATUS_REQUEST_V2 + +/* ------------------------------------------------- */ +/* Encoding */ +/* ------------------------------------------------- */ +#define WOLFSSL_BASE16 +#define WOLFSSL_BASE64_ENCODE + +/* ------------------------------------------------- */ +/* Session Cache */ +/* ------------------------------------------------- */ +#define HAVE_EXT_CACHE +#define SESSION_CERTS +#define PERSIST_SESSION_CACHE +#define PERSIST_CERT_CACHE + +/* ------------------------------------------------- */ +/* PKCS */ +/* ------------------------------------------------- */ +#define HAVE_PKCS8 + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_PSK + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ + #define DEBUG_WOLFSSL +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_pkcs7.h b/examples/configs/user_settings_pkcs7.h new file mode 100644 index 0000000000..1d93f215d6 --- /dev/null +++ b/examples/configs/user_settings_pkcs7.h @@ -0,0 +1,215 @@ +/* user_settings_pkcs7.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* PKCS#7 / CMS configuration for signing and encryption. + * Suitable for S/MIME, firmware signing, secure messaging. + * No TLS - cryptographic operations only. + * + * Build and test: + * cp ./examples/configs/user_settings_pkcs7.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ +#define WOLFCRYPT_ONLY +#if 0 /* Single threaded */ + #define SINGLE_THREADED +#endif +#define WOLFSSL_IGNORE_FILE_WARN + +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH_ALL +#if 0 /* Small code size */ + #define WOLFSSL_SP_SMALL +#endif + +/* ------------------------------------------------- */ +/* PKCS#7 / CMS */ +/* ------------------------------------------------- */ +#define HAVE_PKCS7 + +/* PKCS#7 Content Types */ +#if 1 /* Signed Data */ + /* Default enabled with HAVE_PKCS7 */ +#endif +#if 1 /* Enveloped Data (encryption) */ + /* Default enabled with HAVE_PKCS7 */ +#endif +#if 0 /* Compressed Data (requires libz) */ + #define HAVE_LIBZ +#endif +#if 1 /* Authenticated Enveloped Data (AES-GCM) */ + /* Requires HAVE_AESGCM */ +#endif + +/* PKCS#7 Features */ +#define HAVE_X963_KDF +#define HAVE_HKDF + +/* ------------------------------------------------- */ +/* S/MIME */ +/* ------------------------------------------------- */ +#if 1 /* S/MIME support */ + #define HAVE_SMIME +#endif + +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* ------------------------------------------------- */ +/* ECC */ +/* ------------------------------------------------- */ +#if 1 /* ECC support */ + #define HAVE_ECC + #define ECC_USER_CURVES + #undef NO_ECC256 + #if 1 /* P-384 */ + #define HAVE_ECC384 + #endif + #if 0 /* P-521 */ + #define HAVE_ECC521 + #endif + #define ECC_SHAMIR + #define HAVE_ECC_ENCRYPT /* ECIES for PKCS#7 */ +#endif + +/* ------------------------------------------------- */ +/* RSA */ +/* ------------------------------------------------- */ +#if 1 /* RSA support */ + #undef NO_RSA + #define WOLFSSL_KEY_GEN + #define WC_RSA_NO_PADDING +#else + #define NO_RSA +#endif + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +/* AES (required for PKCS#7) */ +#define HAVE_AES_CBC +#define HAVE_AES_DECRYPT +#define HAVE_AES_KEYWRAP +#define WOLFSSL_AES_DIRECT + +#if 1 /* AES-GCM (AuthEnvelopedData) */ + #define HAVE_AESGCM + #define GCM_TABLE_4BIT +#endif + +#if 1 /* AES-CCM */ + #define HAVE_AESCCM +#endif + +#if 0 /* 3DES (legacy, not recommended) */ + #undef NO_DES3 +#else + #define NO_DES3 +#endif + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +/* SHA-256 required */ + +#if 1 /* SHA-1 (for legacy compatibility) */ + #undef NO_SHA +#else + #define NO_SHA +#endif + +#define WOLFSSL_SHA384 +#define WOLFSSL_SHA512 + +#if 1 /* SHA-3 */ + #define WOLFSSL_SHA3 +#endif + +/* ------------------------------------------------- */ +/* RNG */ +/* ------------------------------------------------- */ +#define HAVE_HASHDRBG + +/* ------------------------------------------------- */ +/* ASN / Certificates */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE + +/* Certificate generation for signing */ +#define WOLFSSL_CERT_GEN +#define WOLFSSL_CERT_REQ +#define WOLFSSL_CERT_EXT +#define WOLFSSL_MULTI_ATTRIB + +/* Certificate parsing */ +#define WOLFSSL_PEM_TO_DER +#define WOLFSSL_DER_TO_PEM +#define WOLFSSL_DER_LOAD + +/* ------------------------------------------------- */ +/* Encoding */ +/* ------------------------------------------------- */ +#define WOLFSSL_BASE64_ENCODE + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DH +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_MD5 +#define NO_PSK +#define NO_PWDBASED + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ + #define DEBUG_WOLFSSL +#endif +#if 0 /* Disable error strings */ + #define NO_ERROR_STRINGS +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_pq.h b/examples/configs/user_settings_pq.h new file mode 100644 index 0000000000..87768603d0 --- /dev/null +++ b/examples/configs/user_settings_pq.h @@ -0,0 +1,232 @@ +/* user_settings_pq.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* Post-Quantum TLS 1.3 with ML-KEM (Kyber) and ML-DSA (Dilithium). + * Provides quantum-resistant key exchange and signatures. + * Based on NIST FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) standards. + * + * Build and test: + * cp ./examples/configs/user_settings_pq.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ +#define WOLFSSL_IGNORE_FILE_WARN + +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH_ALL + +/* ------------------------------------------------- */ +/* TLS 1.3 (required for PQ) */ +/* ------------------------------------------------- */ +#define WOLFSSL_TLS13 +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_HKDF +#define WC_RSA_PSS + +/* Disable older TLS versions */ +#define WOLFSSL_NO_TLS12 +#define NO_OLD_TLS + +#if 1 /* Session tickets */ + #define HAVE_SESSION_TICKET +#endif +#if 1 /* Server Name Indication */ + #define HAVE_SNI +#endif + +/* ------------------------------------------------- */ +/* Experimental Settings (required for PQ) */ +/* ------------------------------------------------- */ +#define WOLFSSL_EXPERIMENTAL_SETTINGS + +/* ------------------------------------------------- */ +/* ML-KEM / Kyber (Key Encapsulation) */ +/* ------------------------------------------------- */ +#if 1 /* ML-KEM (FIPS 203) */ + #define WOLFSSL_HAVE_KYBER + #define WOLFSSL_WC_KYBER + #define WOLFSSL_KYBER512 /* Level 1: 128-bit security */ + #define WOLFSSL_KYBER768 /* Level 3: 192-bit security */ + #define WOLFSSL_KYBER1024 /* Level 5: 256-bit security */ +#endif + +/* ------------------------------------------------- */ +/* ML-DSA / Dilithium (Signatures) */ +/* ------------------------------------------------- */ +#if 1 /* ML-DSA (FIPS 204) */ + #define HAVE_DILITHIUM + #define WOLFSSL_WC_DILITHIUM + #define DILITHIUM_LEVEL2 /* Level 2: ~128-bit security */ + #define DILITHIUM_LEVEL3 /* Level 3: ~192-bit security */ + #define DILITHIUM_LEVEL5 /* Level 5: ~256-bit security */ + /* Uses FIPS 204 final standard by default */ + #if 0 /* FIPS 204 Draft version */ + #define WOLFSSL_DILITHIUM_FIPS204_DRAFT + #endif + #define WOLFSSL_SHAKE128 + #define WOLFSSL_SHAKE256 +#endif + +/* ------------------------------------------------- */ +/* LMS (Stateful Hash-Based Signatures) */ +/* ------------------------------------------------- */ +#if 0 /* LMS signatures */ + #define WOLFSSL_HAVE_LMS + #define WOLFSSL_WC_LMS + #ifndef LMS_LEVELS + #define LMS_LEVELS 2 + #endif + #ifndef LMS_HEIGHT + #define LMS_HEIGHT 10 + #endif + #ifndef LMS_WINTERNITZ + #define LMS_WINTERNITZ 8 + #endif +#endif + +/* ------------------------------------------------- */ +/* XMSS (Stateful Hash-Based Signatures) */ +/* ------------------------------------------------- */ +#if 0 /* XMSS signatures */ + #define WOLFSSL_HAVE_XMSS + #define WOLFSSL_WC_XMSS + #ifndef WOLFSSL_XMSS_MAX_HEIGHT + #define WOLFSSL_XMSS_MAX_HEIGHT 20 + #endif +#endif + +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* ------------------------------------------------- */ +/* Classical ECC (hybrid with PQ) */ +/* ------------------------------------------------- */ +#if 1 /* ECC for hybrid key exchange */ + #define HAVE_ECC + #define ECC_USER_CURVES + #undef NO_ECC256 + #define HAVE_ECC384 + #define ECC_SHAMIR +#endif + +/* ------------------------------------------------- */ +/* Curve25519 (hybrid with PQ) */ +/* ------------------------------------------------- */ +#if 1 /* X25519 for hybrid key exchange */ + #define HAVE_CURVE25519 +#endif + +/* ------------------------------------------------- */ +/* RSA (for legacy compatibility) */ +/* ------------------------------------------------- */ +#if 1 /* RSA support */ + #undef NO_RSA + #define WOLFSSL_KEY_GEN +#else + #define NO_RSA +#endif + +/* ------------------------------------------------- */ +/* DH */ +/* ------------------------------------------------- */ +#define NO_DH + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +#define HAVE_AESGCM +#define GCM_TABLE_4BIT + +#if 1 /* ChaCha20-Poly1305 */ + #define HAVE_CHACHA + #define HAVE_POLY1305 + #define HAVE_ONE_TIME_AUTH +#endif + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +#define WOLFSSL_SHA384 +#define WOLFSSL_SHA512 +#define WOLFSSL_SHA3 + +/* ------------------------------------------------- */ +/* RNG */ +/* ------------------------------------------------- */ +#define HAVE_HASHDRBG + +/* ------------------------------------------------- */ +/* ASN / Certificates */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE + +#if 1 /* Certificate generation with PQ algorithms */ + #define WOLFSSL_CERT_GEN + #define WOLFSSL_CERT_REQ + #define WOLFSSL_CERT_EXT +#endif + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_MD5 +#define NO_DES3 +#define NO_DES3_TLS_SUITES +#define NO_PSK +#define NO_PWDBASED + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ + #define DEBUG_WOLFSSL +#endif +#if 0 /* Disable error strings */ + #define NO_ERROR_STRINGS +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_rsa_only.h b/examples/configs/user_settings_rsa_only.h new file mode 100644 index 0000000000..d58dab7a0a --- /dev/null +++ b/examples/configs/user_settings_rsa_only.h @@ -0,0 +1,238 @@ +/* user_settings_rsa_only.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* RSA-only configuration (no ECC). + * For legacy systems that require RSA-only cipher suites. + * Supports TLS 1.2 and 1.3 with RSA certificates. + * + * Build and test: + * cp ./examples/configs/user_settings_rsa_only.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ +#if 0 /* Single threaded */ + #define SINGLE_THREADED +#endif +#define WOLFSSL_IGNORE_FILE_WARN + +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH_ALL +#define WOLFSSL_HAVE_SP_RSA +#define WOLFSSL_SP_4096 + +#if 0 /* Small code size */ + #define WOLFSSL_SP_SMALL +#endif + +/* ------------------------------------------------- */ +/* TLS */ +/* ------------------------------------------------- */ +#define WOLFSSL_TLS13 +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_EXTENDED_MASTER +#define HAVE_ENCRYPT_THEN_MAC +#define HAVE_HKDF +#define WC_RSA_PSS + +/* TLS 1.2 for legacy compatibility */ +#if 1 /* Enable TLS 1.2 */ + #undef WOLFSSL_NO_TLS12 +#else + #define WOLFSSL_NO_TLS12 +#endif +#define NO_OLD_TLS + +/* TLS Extensions */ +#if 1 /* Session tickets */ + #define HAVE_SESSION_TICKET +#endif +#if 1 /* Server Name Indication */ + #define HAVE_SNI +#endif +#if 1 /* Secure renegotiation */ + #define HAVE_SECURE_RENEGOTIATION + #define HAVE_SERVER_RENEGOTIATION_INFO +#endif + +/* Client/Server */ +#if 0 /* Client only */ + #define NO_WOLFSSL_SERVER +#endif +#if 0 /* Server only */ + #define NO_WOLFSSL_CLIENT +#endif + +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ +#define TFM_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* ------------------------------------------------- */ +/* RSA */ +/* ------------------------------------------------- */ +#undef NO_RSA + +/* RSA key sizes */ +#if 1 /* 2048-bit (minimum recommended) */ + /* Always enabled */ +#endif +#if 1 /* 3072-bit */ + /* Enabled via WOLFSSL_SP_MATH_ALL */ +#endif +#if 1 /* 4096-bit */ + #define WOLFSSL_SP_4096 +#endif + +/* RSA features */ +#define WOLFSSL_KEY_GEN +#define WC_RSA_NO_PADDING + +#if 0 /* RSA-PSS only (no PKCS#1 v1.5) */ + #define WC_RSA_PSS_ONLY +#endif + +#if 0 /* Low memory RSA */ + #define RSA_LOW_MEM +#endif + +/* ------------------------------------------------- */ +/* DH (for TLS 1.2 key exchange) */ +/* ------------------------------------------------- */ +#if 1 /* DH key exchange */ + #undef NO_DH + #define HAVE_FFDHE_2048 + #define HAVE_FFDHE_3072 + #define HAVE_FFDHE_4096 + #define HAVE_DH_DEFAULT_PARAMS + #define WOLFSSL_HAVE_SP_DH +#else + #define NO_DH +#endif + +/* ------------------------------------------------- */ +/* ECC - Disabled */ +/* ------------------------------------------------- */ +#define NO_ECC +/* Note: TLS 1.3 typically requires ECDHE, but can work with + * FFDHE (DH) key exchange with RSA certificates */ + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +/* AES-GCM (required for TLS 1.3) */ +#define HAVE_AESGCM +#define GCM_TABLE_4BIT + +/* AES-CBC (for TLS 1.2) */ +#define HAVE_AES_CBC +#define HAVE_AES_DECRYPT + +#if 1 /* ChaCha20-Poly1305 */ + #define HAVE_CHACHA + #define HAVE_POLY1305 + #define HAVE_ONE_TIME_AUTH +#endif + +#if 0 /* AES-CCM */ + #define HAVE_AESCCM +#endif + +#if 0 /* Additional AES modes */ + #define WOLFSSL_AES_COUNTER + #define WOLFSSL_AES_DIRECT +#endif + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +/* SHA-256 required */ +#define WOLFSSL_SHA384 +#define WOLFSSL_SHA512 + +#if 1 /* SHA-1 (for TLS 1.2 compatibility) */ + #undef NO_SHA +#else + #define NO_SHA +#endif + +/* ------------------------------------------------- */ +/* RNG */ +/* ------------------------------------------------- */ +#define HAVE_HASHDRBG + +/* ------------------------------------------------- */ +/* ASN / Certificates */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE + +#if 1 /* Certificate generation */ + #define WOLFSSL_CERT_GEN + #define WOLFSSL_CERT_REQ + #define WOLFSSL_CERT_EXT +#endif + +#if 1 /* CRL/OCSP */ + #define HAVE_CRL + #define HAVE_OCSP +#endif + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_DES3 +#define NO_DES3_TLS_SUITES +#define NO_PSK +#define NO_PWDBASED + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ + #define DEBUG_WOLFSSL +#endif +#if 0 /* Disable error strings to save flash */ + #define NO_ERROR_STRINGS +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_template.h b/examples/configs/user_settings_template.h index c88cbc8203..ca8367af1d 100644 --- a/examples/configs/user_settings_template.h +++ b/examples/configs/user_settings_template.h @@ -41,8 +41,8 @@ extern "C" { /* ------------------------------------------------------------------------- */ #define WOLFSSL_GENERAL_ALIGNMENT 4 #define SIZEOF_LONG_LONG 8 -#if 0 - #define NO_64BIT /* disable use of 64-bit variables */ +#if 0 /* Disable 64-bit types */ + #define NO_64BIT #endif #ifdef TARGET_EMBEDDED @@ -62,7 +62,7 @@ extern "C" { /* Math Configuration */ /* ------------------------------------------------------------------------- */ /* Wolf Single Precision Math */ -#if 1 +#if 1 /* SP Math (recommended) */ #define WOLFSSL_HAVE_SP_RSA #define WOLFSSL_HAVE_SP_DH #define WOLFSSL_HAVE_SP_ECC @@ -78,10 +78,9 @@ extern "C" { #ifdef TARGET_EMBEDDED /* use smaller version of code */ #define WOLFSSL_SP_SMALL - #else - /* SP Assembly Speedups - specific to chip type */ - #define WOLFSSL_SP_ASM #endif + /* SP Assembly Speedups - specific to chip type */ + //#define WOLFSSL_SP_ASM //#define WOLFSSL_SP_X86_64 //#define WOLFSSL_SP_X86 //#define WOLFSSL_SP_ARM32_ASM @@ -103,7 +102,7 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* RSA */ #undef NO_RSA -#if 1 +#if 1 /* RSA */ #ifdef USE_FAST_MATH /* Maximum math bits (Max RSA key bits * 2) */ #define FP_MAX_BITS 4096 @@ -123,9 +122,9 @@ extern "C" { /* DH */ #undef NO_DH -#if 1 - /* Use table for DH instead of -lm (math) lib dependency */ - #if 1 +#if 1 /* DH */ + /* Use table for DH instead of -lm (math) lib */ + #if 1 /* FFDHE parameters */ #define WOLFSSL_DH_CONST #define HAVE_FFDHE_2048 //#define HAVE_FFDHE_4096 @@ -138,7 +137,7 @@ extern "C" { /* ECC */ #undef HAVE_ECC -#if 1 +#if 1 /* ECC */ #define HAVE_ECC /* Manually define enabled curves */ @@ -195,7 +194,7 @@ extern "C" { /* AES */ #undef NO_AES -#if 1 +#if 1 /* AES */ #define HAVE_AES_CBC /* GCM Method: GCM_TABLE_4BIT, GCM_SMALL, GCM_WORD32 or GCM_TABLE */ @@ -217,7 +216,7 @@ extern "C" { /* DES3 */ #undef NO_DES3 -#if 0 +#if 0 /* DES3 (legacy, not recommended) */ #else #define NO_DES3 #endif @@ -225,7 +224,7 @@ extern "C" { /* ChaCha20 / Poly1305 */ #undef HAVE_CHACHA #undef HAVE_POLY1305 -#if 1 +#if 1 /* ChaCha20 / Poly1305 */ #define HAVE_CHACHA #define HAVE_POLY1305 @@ -236,12 +235,12 @@ extern "C" { /* Ed25519 / Curve25519 */ #undef HAVE_CURVE25519 #undef HAVE_ED25519 -#if 0 +#if 0 /* Ed25519 / Curve25519 */ #define HAVE_CURVE25519 #define HAVE_ED25519 /* ED25519 Requires SHA512 */ - /* Optionally use small math (less flash usage, but much slower) */ - #if 1 + /* Optionally use small math (less flash, slower) */ + #if 1 /* Small Curve25519 */ #define CURVED25519_SMALL #endif #endif @@ -252,7 +251,7 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* Sha */ #undef NO_SHA -#if 1 +#if 1 /* SHA-1 */ /* 1k smaller, but 25% slower */ //#define USE_SLOW_SHA #else @@ -261,12 +260,12 @@ extern "C" { /* Sha256 */ #undef NO_SHA256 -#if 1 +#if 1 /* SHA-256 */ /* not unrolled - ~2k smaller and ~25% slower */ //#define USE_SLOW_SHA256 - /* Sha224 */ - #if 0 + /* SHA-224 (requires SHA-256) */ + #if 0 /* SHA-224 */ #define WOLFSSL_SHA224 #endif #else @@ -275,12 +274,12 @@ extern "C" { /* Sha512 */ #undef WOLFSSL_SHA512 -#if 0 +#if 0 /* SHA-512 */ #define WOLFSSL_SHA512 - /* Sha384 */ + /* SHA-384 (requires SHA-512) */ #undef WOLFSSL_SHA384 - #if 0 + #if 0 /* SHA-384 */ #define WOLFSSL_SHA384 #endif @@ -290,27 +289,27 @@ extern "C" { /* Sha3 */ #undef WOLFSSL_SHA3 -#if 0 +#if 0 /* SHA-3 */ #define WOLFSSL_SHA3 #endif /* MD5 */ #undef NO_MD5 -#if 0 - +#if 0 /* MD5 (legacy, not recommended) */ + /* MD5 enabled */ #else #define NO_MD5 #endif /* HKDF */ #undef HAVE_HKDF -#if 1 +#if 1 /* HKDF (TLS 1.3 requires this) */ #define HAVE_HKDF #endif /* CMAC */ #undef WOLFSSL_CMAC -#if 0 +#if 0 /* CMAC */ #define WOLFSSL_CMAC #endif @@ -335,10 +334,10 @@ extern "C" { #undef DEBUG_WOLFSSL #undef NO_ERROR_STRINGS -#if 0 +#if 0 /* Enable debug logging */ #define DEBUG_WOLFSSL #else - #if 0 + #if 0 /* Disable error strings to save flash */ #define NO_ERROR_STRINGS #endif #endif @@ -349,7 +348,7 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* Override Memory API's */ -#if 0 +#if 0 /* Custom malloc/free/realloc */ #define XMALLOC_OVERRIDE /* prototypes for user heap override functions */ @@ -365,24 +364,23 @@ extern "C" { #define XREALLOC(p, n, h, t) myRealloc(p, n, h, t) #endif -#if 0 - /* Static memory requires fast math */ +#if 0 /* Static memory (no heap) */ #define WOLFSSL_STATIC_MEMORY /* Disable fallback malloc/free */ #define WOLFSSL_NO_MALLOC - #if 1 + #if 1 /* Trap malloc failure */ #define WOLFSSL_MALLOC_CHECK /* trap malloc failure */ #endif #endif /* Memory callbacks */ -#if 0 +#if 0 /* wolfSSL memory callbacks */ #undef USE_WOLFSSL_MEMORY #define USE_WOLFSSL_MEMORY /* Use this to measure / print heap usage */ - #if 0 + #if 0 /* Memory tracking / debug */ #define WOLFSSL_TRACK_MEMORY #define WOLFSSL_DEBUG_MEMORY #endif @@ -399,7 +397,7 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* Override Current Time */ -#if 0 +#if 0 /* Custom time function */ /* Allows custom "custom_time()" function to be used for benchmark */ #define WOLFSSL_USER_CURRTIME #define WOLFSSL_GMTIME @@ -414,9 +412,9 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* Choose RNG method */ -#if 1 +#if 1 /* P-RNG with hash DRBG */ /* Custom Seed Source */ - #if 0 + #if 0 /* Custom HW RNG seed */ /* Size of returned HW RNG value */ #define CUSTOM_RAND_TYPE unsigned int extern unsigned int my_rng_seed_gen(void); @@ -444,7 +442,7 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* Allows override of all standard library functions */ #undef STRING_USER -#if 0 +#if 0 /* Custom standard library overrides */ #define STRING_USER #include @@ -490,7 +488,7 @@ extern "C" { //#define HAVE_COMP_KEY /* TLS Session Cache */ -#if 0 +#if 0 /* Small session cache */ #define SMALL_SESSION_CACHE #else #define NO_SESSION_CACHE diff --git a/examples/configs/user_settings_tls12.h b/examples/configs/user_settings_tls12.h index f26fb348c7..e501d7cc71 100644 --- a/examples/configs/user_settings_tls12.h +++ b/examples/configs/user_settings_tls12.h @@ -132,6 +132,7 @@ extern "C" { #define NO_MD4 #define NO_MD5 #define NO_DES3 +#define NO_DES3_TLS_SUITES #define NO_PWDBASED #define WOLFSSL_NO_SHAKE128 #define WOLFSSL_NO_SHAKE256 diff --git a/examples/configs/user_settings_tls13.h b/examples/configs/user_settings_tls13.h new file mode 100644 index 0000000000..874da0ec88 --- /dev/null +++ b/examples/configs/user_settings_tls13.h @@ -0,0 +1,214 @@ +/* user_settings_tls13.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* TLS 1.3 only (no TLS 1.2 or older) with modern algorithms. + * Supports both client and server. + * + * Build and test: + * cp ./examples/configs/user_settings_tls13.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ +#if 0 /* Single threaded */ + #define SINGLE_THREADED +#endif +#if 0 /* Disable filesystem */ + #define NO_FILESYSTEM +#endif +#define WOLFSSL_IGNORE_FILE_WARN + +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH_ALL +#if 0 /* Small code size */ + #define WOLFSSL_SP_SMALL +#endif + +/* ------------------------------------------------- */ +/* TLS 1.3 */ +/* ------------------------------------------------- */ +#define WOLFSSL_TLS13 +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_HKDF +#define WC_RSA_PSS + +/* Disable older TLS versions */ +#define WOLFSSL_NO_TLS12 +#define NO_OLD_TLS + +/* TLS 1.3 Extensions */ +#if 1 /* Session tickets */ + #define HAVE_SESSION_TICKET +#endif +#if 0 /* Early data (0-RTT) */ + #define WOLFSSL_EARLY_DATA +#endif +#if 0 /* Post-handshake authentication */ + #define WOLFSSL_POST_HANDSHAKE_AUTH +#endif +#if 1 /* Server Name Indication */ + #define HAVE_SNI +#endif + +/* Client/Server */ +#if 0 /* Client only */ + #define NO_WOLFSSL_SERVER +#endif +#if 0 /* Server only */ + #define NO_WOLFSSL_CLIENT +#endif + +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* ------------------------------------------------- */ +/* ECC */ +/* ------------------------------------------------- */ +#if 1 /* ECC support */ + #define HAVE_ECC + #define ECC_USER_CURVES + #undef NO_ECC256 + #if 1 /* P-384 */ + #define HAVE_ECC384 + #endif + #if 0 /* P-521 */ + #define HAVE_ECC521 + #endif + #define ECC_SHAMIR +#endif + +/* ------------------------------------------------- */ +/* Curve25519 / Ed25519 */ +/* ------------------------------------------------- */ +#if 1 /* X25519 key exchange */ + #define HAVE_CURVE25519 +#endif +#if 0 /* Ed25519 signatures */ + #define HAVE_ED25519 +#endif + +/* ------------------------------------------------- */ +/* RSA */ +/* ------------------------------------------------- */ +#if 1 /* RSA support */ + #undef NO_RSA + #define WOLFSSL_KEY_GEN +#else + #define NO_RSA +#endif + +/* ------------------------------------------------- */ +/* DH */ +/* ------------------------------------------------- */ +#if 0 /* DH key exchange (FFDHE) */ + #undef NO_DH + #define HAVE_FFDHE_2048 + #define HAVE_FFDHE_3072 + #define HAVE_DH_DEFAULT_PARAMS +#else + #define NO_DH +#endif + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +/* AES-GCM (required for TLS 1.3) */ +#define HAVE_AESGCM +#define GCM_TABLE_4BIT + +#if 1 /* ChaCha20-Poly1305 */ + #define HAVE_CHACHA + #define HAVE_POLY1305 + #define HAVE_ONE_TIME_AUTH +#endif + +#if 0 /* AES-CCM */ + #define HAVE_AESCCM +#endif + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +/* SHA-256 required */ +#define WOLFSSL_SHA384 +#define WOLFSSL_SHA512 + +/* ------------------------------------------------- */ +/* RNG */ +/* ------------------------------------------------- */ +#define HAVE_HASHDRBG + +/* ------------------------------------------------- */ +/* ASN / Certificates */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE + +#if 0 /* Certificate generation */ + #define WOLFSSL_CERT_GEN + #define WOLFSSL_CERT_REQ + #define WOLFSSL_CERT_EXT +#endif + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_MD5 +#define NO_DES3 +#define NO_DES3_TLS_SUITES +#define NO_PSK +#define NO_PWDBASED + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ + #define DEBUG_WOLFSSL +#endif +#if 0 /* Disable error strings to save flash */ + #define NO_ERROR_STRINGS +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_wolfboot_keytools.h b/examples/configs/user_settings_wolfboot_keytools.h index 969d9f466c..452de3f7ff 100644 --- a/examples/configs/user_settings_wolfboot_keytools.h +++ b/examples/configs/user_settings_wolfboot_keytools.h @@ -3,7 +3,6 @@ * wolfCrypt build settings for wolfBoot keygen and signing tool * Enabled via WOLFSSL_USER_SETTINGS. * - * * Copyright (C) 2006-2025 wolfSSL Inc. * * This file is part of wolfSSL. @@ -23,58 +22,154 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#ifndef H_USER_SETTINGS_ -#define H_USER_SETTINGS_ +/* wolfBoot key generation and signing tool. + * Derived from wolfBoot tools/keytools/user_settings.h + * + * Build and test: + * cp ./examples/configs/user_settings_wolfboot_keytools.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H -/* #include */ /* DG: Removed, not needed for testing */ +#ifdef __cplusplus +extern "C" { +#endif -/* System */ -#define WOLFSSL_GENERAL_ALIGNMENT 4 +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ #define SINGLE_THREADED #define WOLFCRYPT_ONLY -#define SIZEOF_LONG_LONG 8 +/* ------------------------------------------------- */ /* Math */ -#define USE_FAST_MATH -#define FP_MAX_BITS (4096 * 2) +/* ------------------------------------------------- */ +#if 0 /* Fast Math */ + #define USE_FAST_MATH + #define FP_MAX_BITS (4096 * 2) +#else /* SP Math (recommended) */ + #define WOLFSSL_SP_MATH + #define WOLFSSL_HAVE_SP_ECC + #define WOLFSSL_SP_384 + #define WOLFSSL_SP_521 + #define WOLFSSL_HAVE_SP_RSA + #define WOLFSSL_SP_4096 +#endif #define TFM_TIMING_RESISTANT +/* ------------------------------------------------- */ /* ECC */ -#define HAVE_ECC -#define WOLFSSL_HAVE_SP_ECC -#define ECC_TIMING_RESISTANT -#define HAVE_ECC256 -#define HAVE_ECC384 -#define HAVE_ECC521 - -/* ED25519 */ -#define HAVE_ED25519 -/* DG: Added, since --enable-usersettings expects small version to be used */ -#define ED25519_SMALL - -/* ED448 */ -#define HAVE_ED448 -#define WOLFSSL_SHAKE256 +/* ------------------------------------------------- */ +#if 1 /* ECC support */ + #define HAVE_ECC + #define ECC_TIMING_RESISTANT + #define ECC_USER_CURVES + #undef NO_ECC256 + #if 1 /* ECC P-384 */ + #define HAVE_ECC384 + #endif + #if 1 /* ECC P-521 */ + #define HAVE_ECC521 + #endif +#endif + +/* ------------------------------------------------- */ +/* ED25519 / Curve25519 */ +/* ------------------------------------------------- */ +#if 1 /* ED25519 signing support */ + #define HAVE_ED25519 +#endif + +/* ------------------------------------------------- */ +/* ED448 / Curve448 */ +/* ------------------------------------------------- */ +#if 1 /* ED448 signing support */ + #define HAVE_ED448 + #define WOLFSSL_SHAKE256 +#endif +/* ------------------------------------------------- */ /* RSA */ -#define WOLFSSL_HAVE_SP_RSA -#define WC_RSA_BLINDING -#define WOLFSSL_KEY_GEN +/* ------------------------------------------------- */ +#if 1 /* RSA signing support */ + #define HAVE_RSA + #define WC_RSA_BLINDING + #define WOLFSSL_KEY_GEN +#else + #define NO_RSA +#endif +/* ------------------------------------------------- */ /* Hashing */ -#define WOLFSSL_SHA512 /* Required for ED25519 */ +/* ------------------------------------------------- */ +#define WOLFSSL_SHA512 /* Required for ED25519/ED448 */ #define WOLFSSL_SHA384 #define WOLFSSL_SHA3 -#undef NO_SHA256 -/* Chacha stream cipher */ -#define HAVE_CHACHA +/* ------------------------------------------------- */ +/* Post-Quantum Algorithms */ +/* ------------------------------------------------- */ +#define WOLFSSL_EXPERIMENTAL_SETTINGS -/* AES */ -#define WOLFSSL_AES_COUNTER -#define WOLFSSL_AES_DIRECT +#if 1 /* ML-DSA / Dilithium */ + #define HAVE_DILITHIUM + #define WOLFSSL_WC_DILITHIUM + /* Builds to FIPS 204 final standard by default. + * Set to 1 for draft version. */ + #if 0 /* FIPS 204 Draft */ + #define WOLFSSL_DILITHIUM_FIPS204_DRAFT + #endif + #ifndef ML_DSA_LEVEL + #define ML_DSA_LEVEL 2 + #endif + #define WOLFSSL_SHAKE128 /* Required for Dilithium */ +#endif -/* Disables */ +#if 1 /* LMS */ + #define WOLFSSL_HAVE_LMS + #define WOLFSSL_WC_LMS + #ifndef LMS_LEVELS + #define LMS_LEVELS 1 + #endif + #ifndef LMS_HEIGHT + #define LMS_HEIGHT 10 + #endif + #ifndef LMS_WINTERNITZ + #define LMS_WINTERNITZ 8 + #endif +#endif + +#if 1 /* XMSS */ + #define WOLFSSL_HAVE_XMSS + #define WOLFSSL_WC_XMSS + #ifndef WOLFSSL_XMSS_MAX_HEIGHT + #define WOLFSSL_XMSS_MAX_HEIGHT 32 + #endif +#endif + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +#if 1 /* ChaCha20 stream cipher */ + #define HAVE_CHACHA +#endif +#if 1 /* AES-CTR / AES direct */ + #define WOLFSSL_AES_COUNTER + #define WOLFSSL_AES_DIRECT +#endif + +/* ------------------------------------------------- */ +/* ASN */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ #define NO_CMAC #define NO_HMAC #define NO_RC4 @@ -82,26 +177,31 @@ #define NO_DH #define NO_DSA #define NO_MD4 -#define NO_RABBIT #define NO_MD5 +#define NO_DES3 +#define NO_PWDBASED +#define NO_OLD_RNGNAME +#define NO_RABBIT +#define NO_HC128 + +/* ------------------------------------------------- */ +/* Disabled Features */ +/* ------------------------------------------------- */ #define NO_SIG_WRAPPER #define NO_CERTS #define NO_SESSION_CACHE -#define NO_HC128 -#define NO_DES3 -#define NO_PWDBASED #define NO_WRITEV -#define NO_OLD_RNGNAME #define NO_WOLFSSL_DIR #define WOLFSSL_NO_SOCK #define WOLFSSL_IGNORE_FILE_WARN -#define NO_ERROR_STRINGS - #define BENCH_EMBEDDED -/* DG: Removed since we need it here for testing */ -/* #define NO_MAIN_DRIVER */ -/* #define NO_CRYPT_TEST */ -/* #define NO_CRYPT_BENCHMARK */ +#if 1 /* Disable error strings to save flash */ + #define NO_ERROR_STRINGS +#endif + +#ifdef __cplusplus +} +#endif -#endif /* !H_USER_SETTINGS_ */ +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_wolfssh.h b/examples/configs/user_settings_wolfssh.h index 9c4462a1f3..6385d5fb65 100644 --- a/examples/configs/user_settings_wolfssh.h +++ b/examples/configs/user_settings_wolfssh.h @@ -46,8 +46,8 @@ sudo make install make */ -#ifndef WOLFSSL_USER_SETTINGS_SSH_H -#define WOLFSSL_USER_SETTINGS_SSH_H +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H #ifdef __cplusplus extern "C" { @@ -211,4 +211,4 @@ extern "C" { #endif -#endif /* WOLFSSL_USER_SETTINGS_SSH_H */ +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_wolftpm.h b/examples/configs/user_settings_wolftpm.h index e7512c6df9..009d2497c8 100644 --- a/examples/configs/user_settings_wolftpm.h +++ b/examples/configs/user_settings_wolftpm.h @@ -59,15 +59,15 @@ make */ -#ifndef WOLF_USER_SETTINGS_TPM_H -#define WOLF_USER_SETTINGS_TPM_H +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H #ifdef __cplusplus extern "C" { #endif -/* enable for low resource options */ -#if 0 +/* Enable for low resource options (smaller, no TLS) */ +#if 0 /* Low resource mode */ #define USE_LOW_RESOURCE #endif @@ -121,7 +121,7 @@ extern "C" { #endif /* Asymmetric */ -#if 1 /* RSA - needed to encrypt salt */ +#if 1 /* RSA - needed for TPM salt encryption */ #undef NO_RSA #ifdef USE_LOW_RESOURCE #define WOLFSSL_RSA_PUBLIC_ONLY @@ -131,7 +131,7 @@ extern "C" { #else #define NO_RSA #endif -#if 1 /* ECC - needed for encrypt ECC salt */ +#if 1 /* ECC - needed for TPM ECC operations */ #define HAVE_ECC #define ECC_USER_CURVES /* default to only SECP256R1 */ #endif @@ -187,6 +187,7 @@ extern "C" { #define NO_PWDBASED #define NO_DSA #define NO_DES3 +#define NO_DES3_TLS_SUITES #define NO_RC4 #define NO_PSK #define NO_MD4 @@ -222,4 +223,4 @@ extern "C" { } #endif -#endif /* WOLF_USER_SETTINGS_TPM_H */ +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/src/internal.c b/src/internal.c index 45d8924791..b8689b8eea 100644 --- a/src/internal.c +++ b/src/internal.c @@ -15063,7 +15063,7 @@ PRAGMA_GCC_DIAG_POP return ret; #endif } -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(NO_TLS) if (verify != NO_VERIFY && TLSX_CSR2_IsMulti(ssl->extensions)) { extraSigners = TLSX_CSR2_GetPendingSigners(ssl->extensions); } @@ -15840,6 +15840,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* If we are processing OCSP staples then always * initialize the corresponding request. */ int ocspRet = 0; + #ifndef NO_TLS #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 addToPendingCAs = 0; if (ssl->options.side == WOLFSSL_CLIENT_END && @@ -15864,6 +15865,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else #endif + #endif /* NO_TLS */ if (ret == 0 && SSL_CM(ssl)->ocspEnabled && SSL_CM(ssl)->ocspCheckAll) { WOLFSSL_MSG("Doing Non Leaf OCSP check"); @@ -16365,6 +16367,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_MSG("Checking if ocsp needed"); if (ssl->options.side == WOLFSSL_CLIENT_END) { + #ifndef NO_TLS #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->status_request) { args->fatal = (TLSX_CSR_InitRequest_ex( @@ -16397,6 +16400,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_MSG("\tHave status request v2"); } #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ + #endif /* !NO_TLS */ } #ifdef HAVE_OCSP @@ -17217,8 +17221,8 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, return BUFFER_ERROR; switch (status_type) { - - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + #ifndef NO_TLS + #if (defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_TLS)) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) /* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */ @@ -17332,6 +17336,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, break; #endif + #endif /* !NO_TLS */ default: ret = BUFFER_ERROR; diff --git a/src/ocsp.c b/src/ocsp.c index 77cce2b1a7..40c255f37d 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -373,7 +373,7 @@ int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz, #endif InitOcspResponse(ocspResponse, newSingle, newStatus, response, (word32)responseSz, ocsp->cm->heap); -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(NO_TLS) if (ocspRequest != NULL && ocspRequest->ssl != NULL && TLSX_CSR2_IsMulti(((WOLFSSL*)ocspRequest->ssl)->extensions)) { ocspResponse->pendingCAs = TLSX_CSR2_GetPendingSigners(((WOLFSSL*)ocspRequest->ssl)->extensions); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 00fd901e83..7f84428ab5 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3198,8 +3198,9 @@ WOLFSSL_LOCAL int TLSX_Append(TLSX** list, TLSX_Type type, || defined(HAVE_SECURE_RENEGOTIATION) \ || defined(HAVE_SERVER_RENEGOTIATION_INFO) +#ifndef NO_TLS #error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined. - +#endif #endif /* HAVE_TLS_EXTENSIONS */ /** Server Name Indication - RFC 6066 (session 3) */