diff --git a/examples/configs/README.md b/examples/configs/README.md
index ddde95d69..dadfa45ec 100644
--- a/examples/configs/README.md
+++ b/examples/configs/README.md
@@ -9,6 +9,7 @@ Example wolfSSL configuration file templates for use when autoconf is not availa
 * `user_settings_min_ecc.h`: This is ECC and SHA-256 only. For ECC verify only add `BUILD_VERIFY_ONLY`.
 * `user_settings_wolfboot_keytools.h`: This from wolfBoot tools/keytools and is ECC, RSA, ED25519 and ChaCha20.
 * `user_settings_fipsv2.h`: The FIPS v2 (3389) 140-2 certificate build options.
+* `user_settings_fipsv5.h`: The FIPS v5 (ready) 140-3 build options. Equivalent to `./configure --enable-fips=v5-dev`.
 * `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack.
 ## Usage
diff --git a/examples/configs/include.am b/examples/configs/include.am
index 9568c9536..a74fe24ef 100644
--- a/examples/configs/include.am
+++ b/examples/configs/include.am
@@ -7,4 +7,5 @@ EXTRA_DIST += examples/configs/user_settings_min_ecc.h
 EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h
 EXTRA_DIST += examples/configs/user_settings_template.h
 EXTRA_DIST += examples/configs/user_settings_fipsv2.h
+EXTRA_DIST += examples/configs/user_settings_fipsv5.h
 EXTRA_DIST += examples/configs/user_settings_stm32.h
diff --git a/examples/configs/user_settings_fipsv2.h b/examples/configs/user_settings_fipsv2.h
index ed8aa6db9..9526890a1 100644
--- a/examples/configs/user_settings_fipsv2.h
+++ b/examples/configs/user_settings_fipsv2.h
@@ -105,7 +105,8 @@ extern "C" {
 #define NO_PWDBASED
 #define NO_RC4
 #define WOLFSSL_NO_SHAKE256
-
+#define NO_RABBIT
+#define NO_HC128
 #ifdef __cplusplus
 }
diff --git a/examples/configs/user_settings_fipsv5.h b/examples/configs/user_settings_fipsv5.h
new file mode 100644
index 000000000..441b5a847
--- /dev/null
+++ b/examples/configs/user_settings_fipsv5.h
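Review bot: The two defines added to user_settings_fipsv2.h, `NO_RABBIT` and `NO_HC128`, carry no explanation, and the neighbouring entries in the hunk (`NO_PWDBASED`, `NO_RC4`) are equally bare, so a reader cannot tell whether they are excluded to keep the FIPS boundary clean or merely to shrink the build. Rabbit and HC-128 are eSTREAM ciphers with no NIST approval, so presumably the former; a comment such as `#define NO_RABBIT /* non-approved stream cipher: keep out of the FIPS v2 build */` on the first of the pair would record that. The same two options are listed again in the new user_settings_fipsv5.h in this commit, so matching wording in both files avoids the two templates drifting apart.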
@@ -0,0 +1,181 @@
+/* user_settings_fipsv5.h
+ *
+ * Copyright (C) 2006-2022 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* should be renamed to user_settings.h for customer use
+ * generated from configure options:
+ * ./fips-check.sh linuxv5-dev keep
+ * XXX-fips-test\wolfssl\options.h
+ * ./configure --enable-fips=v5-dev
+ *
+ * Cleaned up by David Garske
+ */
+
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* FIPS Version 5.3 */
+#define HAVE_FIPS
+#define HAVE_FIPS_VERSION 5
+#define HAVE_FIPS_VERSION_MINOR 3
+
+#define HAVE_HASHDRBG /* NIST Certified DRBG - SHA256 based */
+#define HAVE_THREAD_LS
+
+/* Math */
+#define USE_FAST_MATH
+#define FP_MAX_BITS 16384
+#define SP_INT_BITS 8192
+#define WOLFSSL_PUBLIC_MP /* expose the mp_ math API's */
+
+/* Timing Resistance */
+#define TFM_TIMING_RESISTANT
+#define ECC_TIMING_RESISTANT
+#define WC_RSA_BLINDING
+
+/* FIPS Features */
+#define WC_RNG_SEED_CB
+#define WOLFSSL_VALIDATE_ECC_IMPORT
+#define WOLFSSL_VALIDATE_ECC_KEYGEN
+#define WOLFSSL_VALIDATE_FFC_IMPORT
+
+/* TLS Features */
+#define WOLFSSL_TLS13
+#define HAVE_TLS_EXTENSIONS
+#define HAVE_ENCRYPT_THEN_MAC
+#define HAVE_SUPPORTED_CURVES
+#define HAVE_EXTENDED_MASTER
+#define HAVE_ONE_TIME_AUTH /* TLS extension used with Poly1305 */
+
+/* TLS Resumption */
+#define HAVE_SECURE_RENEGOTIATION
+#define HAVE_SERVER_RENEGOTIATION_INFO
+#define HAVE_SESSION_TICKET
+
+/* Other Features */
+#define WOLFSSL_USE_ALIGN
+#define WOLFSSL_BASE64_ENCODE
+#if 0 /* optionally enable CRL (Certificate Revocation List) */
+ #define HAVE_CRL
+#endif
+#define HAVE_EXT_CACHE
+#define WOLFSSL_VERIFY_CB_ALL_CERTS
+#define WOLFSSL_ALWAYS_VERIFY_CB
+#define WOLFSSL_DH_EXTRA /* DHE ASN.1 key import/export support */
+
+#ifndef WOLFSSL_WOLFSSH /* ifndef check required due to configure already generating flag */
+#define WOLFSSL_WOLFSSH
+#endif
+
+/* Compatibility Layer */
+#define OPENSSL_EXTRA
+#if 0 /* if full suite of compatibility API's are needed */
+ #define OPENSSL_ALL
+#endif
+
+/* DH */
+#undef NO_DH
+#define HAVE_FFDHE_Q
+#define HAVE_FFDHE_2048
+#define HAVE_FFDHE_3072
+#define HAVE_FFDHE_4096
+#define HAVE_FFDHE_6144
+#define HAVE_FFDHE_8192
+#define HAVE_DH_DEFAULT_PARAMS
+#define HAVE_PUBLIC_FFDHE
+
+/* ECC */
+#define HAVE_ECC
+#define TFM_ECC256
+#define ECC_SHAMIR
+#define HAVE_ECC_CDH
+#define ECC_USER_CURVES
+#define HAVE_ECC192
+#define HAVE_ECC224
+#define HAVE_ECC256
+#define HAVE_ECC384
+#define HAVE_ECC521
+#define WOLFSSL_ECDSA_SET_K
+
+/* RSA */
+#undef NO_RSA
+#define WC_RSA_PSS
+#define WOLFSSL_KEY_GEN
+#define WC_RSA_NO_PADDING
+
+/* AES */
+#undef NO_AES
+#define WOLFSSL_AES_COUNTER
+#define HAVE_AESCCM
+#define HAVE_AES_ECB
+#define WOLFSSL_AES_COUNTER
+#define WOLFSSL_AES_DIRECT
+#define WOLFSSL_AES_OFB
+#define HAVE_AESGCM
+#define GCM_TABLE_4BIT
+#define WOLFSSL_CMAC
+
+/* ChaCha/Poly */
+#define HAVE_CHACHA
+#define HAVE_POLY1305
+
+/* Hashing */
+#undef NO_SHA
+#undef NO_SHA256
+#define WOLFSSL_SHA224
+#define WOLFSSL_SHA512
+#define WOLFSSL_SHA384
+#define WOLFSSL_NO_SHAKE256
+#define WOLFSSL_NOSHA512_224
+#define WOLFSSL_NOSHA512_256
+#define WOLFSSL_SHA3
+#define HAVE_HKDF
+
+/* Disabled Features */
+#define NO_OLD_TLS
+#define NO_PSK
+
+/* Disabled Algorithms */
+#define NO_RC4
+#define NO_MD4
+#define NO_MD5
+#define NO_DES3
+#define NO_DSA
+#define NO_RABBIT
+#define NO_HC128
+#define WOLFSSL_NO_SHAKE256
+
+/* Debugging */
+#if 0
+ #define DEBUG_WOLFSSL
+#else
+ /* #define NO_ERROR_STRINGS */
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFSSL_USER_SETTINGS_H */
diff --git a/examples/sctp/sctp-client-dtls.c b/examples/sctp/sctp-client-dtls.c
index 8022e50ed..8db65a185 100644
--- a/examples/sctp/sctp-client-dtls.c
+++ b/examples/sctp/sctp-client-dtls.c
@@ -49,8 +49,10 @@ static int err_sys(const char* msg)
 }
 #endif /* WOLFSSL_SCTP && WOLFSSL_DTLS */
-int main()
+int main(int argc, char **argv)
 {
+ (void)argc;
+ (void)argv;
 #if defined(WOLFSSL_SCTP) && defined(WOLFSSL_DTLS)
 int sd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
diff --git a/examples/sctp/sctp-client.c b/examples/sctp/sctp-client.c
index 9a55cd210..fe365e3a0 100644
--- a/examples/sctp/sctp-client.c
+++ b/examples/sctp/sctp-client.c
@@ -38,8 +38,10 @@
 #include
 #endif /* WOLFSSL_SCTP */
-int main()
+int main(int argc, char **argv)
 {
+ (void)argc;
+ (void)argv;
 #ifdef WOLFSSL_SCTP
 int sd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
diff --git a/examples/sctp/sctp-server-dtls.c b/examples/sctp/sctp-server-dtls.c
index 5d14ca872..24b0ad9e9 100644
--- a/examples/sctp/sctp-server-dtls.c
+++ b/examples/sctp/sctp-server-dtls.c
@@ -49,8 +49,10 @@ static int err_sys(const char* msg)
 }
 #endif /* WOLFSSL_SCTP && WOLFSSL_DTLS */
-int main()
+int main(int argc, char **argv)
 {
+ (void)argc;
+ (void)argv;
 #if defined(WOLFSSL_SCTP) && defined(WOLFSSL_DTLS)
 int sd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
diff --git a/examples/sctp/sctp-server.c b/examples/sctp/sctp-server.c
index 75034caaf..a829c40aa 100644
--- a/examples/sctp/sctp-server.c
+++ b/examples/sctp/sctp-server.c
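Review bot: `WOLFSSL_AES_COUNTER` is defined twice inside the AES section and `WOLFSSL_NO_SHAKE256` appears under both "Hashing" and "Disabled Algorithms" in the new user_settings_fipsv5.h; identical redefinitions are legal C, but they read as leftovers from the generated options.h the header comment says this was cleaned from, so drop the second copy of each. `WC_RSA_NO_PADDING`, `HAVE_AES_ECB` and `WOLFSSL_AES_DIRECT` expose raw primitives (unpadded RSA, single-block/ECB AES) in what the header comment describes as a template customers rename to user_settings.h, and a one-line caveat such as `#define WC_RSA_NO_PADDING /* raw RSA: callers must apply PKCS#1 v1.5 or PSS padding themselves */` would keep application code from reaching for them directly. The `#if 0` around `HAVE_CRL` leaves revocation checking off by default, which deserves the same kind of warning next to the `/* optionally enable CRL ... */` comment rather than the neutral "optionally". `HAVE_ECC192` enables P-192, whose ~96-bit strength is below the 112-bit floor NIST applies to current key generation and signing; confirm it is meant to be on in a 140-3 template, and if it stays, say why in a comment.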
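Review bot: The two added lines `(void)argc;` and `(void)argv;` exist only to silence the unused-parameter warning that the new `int main(int argc, char **argv)` signature introduces, since nothing in the visible part of main reads them; if the motivation was the strict-prototypes warning on the old `int main()`, the prototype form `int main(void)` removes that warning without the two casts, unless some build of the examples actually passes arguments in. The same pattern is repeated in sctp-client.c, sctp-server-dtls.c and sctp-server.c in this commit and the same simplification applies to each. main's body continues past the end of the hunk.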
@@ -36,8 +36,10 @@
 #include
 #endif /* WOLFSSL_SCTP */
-int main()
+int main(int argc, char **argv)
 {
+ (void)argc;
+ (void)argv;
 #ifdef WOLFSSL_SCTP
 int sd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
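Review bot: `int main(int argc, char **argv)` followed immediately by `(void)argc;` and `(void)argv;` is the long way round when the arguments are never read in the visible body; `int main(void)` is the prototype form and needs neither cast, unless a build of the sctp examples is expected to pass arguments to main. Whether `sd` is checked after the `socket()` call on the last context line is not visible here, as main's body continues outside the hunk.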