From 8b14bf2951a27a5781f52156b3b78a63eda131d0 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 9 Jun 2021 12:40:40 -0700 Subject: [PATCH 1/3] Additional user_settings.h examples. --- examples/configs/README.md | 2 + examples/configs/user_settings_fipsv2.h | 116 +++++ examples/configs/user_settings_template.h | 525 ++++++++++++++++++++++ 3 files changed, 643 insertions(+) create mode 100644 examples/configs/user_settings_fipsv2.h create mode 100644 examples/configs/user_settings_template.h diff --git a/examples/configs/README.md b/examples/configs/README.md index b7ad705c3..f34a21b74 100644 --- a/examples/configs/README.md +++ b/examples/configs/README.md @@ -4,9 +4,11 @@ Example wolfSSL configuration file templates for use when autoconf is not availa ## Files +* `user_settings_template.h`: Template that allows modular algorithm and feature selection using `#if 0` logic. * `user_settings_all.h`: This is wolfSSL with all features enabled. Equivalent to `./configure --enable-all`. * `user_settings_min_ecc.h`: This is ECC and SHA-256 only. For ECC verify only add `BUILD_VERIFY_ONLY`. * `user_settings_wolfboot_keytools.h`: This from wolfBoot tools/keytools and is ECC, RSA, ED25519 and ChaCha20. +* `user_settings_fipsv2.h`: The FIPS v2 (3389) 140-2 certificate build options. ## Usage diff --git a/examples/configs/user_settings_fipsv2.h b/examples/configs/user_settings_fipsv2.h new file mode 100644 index 000000000..eac8ffd7a --- /dev/null +++ b/examples/configs/user_settings_fipsv2.h @@ -0,0 +1,116 @@ +/* user_settings_fipsv2.h + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* should be renamed to user_settings.h for customer use + * generated from configure options: + * ./fips-check.sh linuxv2 keep + * XXX-fips-test\wolfssl\options.h + * + * Cleaned up by David Garske + */ + + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* FIPS Version 3 (3389 Certificate) */ +#define HAVE_FIPS +#define HAVE_FIPS_VERSION 2 + +#define HAVE_HASHDRBG /* NIST Certified DRBG - SHA256 based */ +#define HAVE_THREAD_LS + +/* Math */ +#define USE_FAST_MATH + +/* Timing Resistance */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* TLS Features */ +#define WOLFSSL_TLS13 +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_EXTENDED_MASTER +#define HAVE_ENCRYPT_THEN_MAC + +/* DH */ +#undef NO_DH +#define HAVE_FFDHE_2048 +#define HAVE_FFDHE_Q +#define WOLFSSL_VALIDATE_ECC_IMPORT +#define WOLFSSL_VALIDATE_FFC_IMPORT +#define HAVE_DH_DEFAULT_PARAMS + +/* ECC */ +#define HAVE_ECC +#define TFM_ECC256 +#define ECC_SHAMIR +#define HAVE_ECC_CDH + +/* RSA */ +#undef NO_RSA +#define WC_RSA_PSS +#define WOLFSSL_KEY_GEN +#define WC_RSA_NO_PADDING + +/* AES */ +#define WOLFSSL_AES_DIRECT +#define HAVE_AES_ECB +#define HAVE_AESGCM +#define GCM_TABLE_4BIT +#define HAVE_AESCCM +#define WOLFSSL_AES_COUNTER + +/* Hashing */ +#undef NO_SHA +#undef NO_SHA256 +#define WOLFSSL_SHA224 +#define WOLFSSL_SHA384 +#define WOLFSSL_SHA512 +#define WOLFSSL_SHA3 +#define HAVE_HKDF + +/* Other */ +#define WOLFSSL_CMAC +#define WOLFSSL_BASE64_ENCODE + +/* Disabled Algorithms */ +#define NO_DSA +#define NO_HC128 +#define NO_MD4 +#define NO_PSK +#define NO_PWDBASED +#define NO_RABBIT +#define NO_RC4 +#define WOLFSSL_NO_SHAKE256 + + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_OPTIONS_H */ diff --git a/examples/configs/user_settings_template.h b/examples/configs/user_settings_template.h new file mode 100644 index 000000000..f2ede9a50 --- /dev/null +++ b/examples/configs/user_settings_template.h @@ -0,0 +1,525 @@ +/* user_settings_template.h + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* Example wolfSSL user settings with #if 0/1 gates to enable/disable algorithms and features. + * This file is included with wolfssl/wolfcrypt/settings.h when WOLFSSL_USER_SETTINGS is defined. + * Based on IDE/GCC-ARM/Headers/user_settings.h + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* If TARGET_EMBEDDED is defined then small target settings are used */ +#if !((defined(__MACH__) || defined(__FreeBSD__) || defined(__linux__))) + #define TARGET_EMBEDDED +#endif + +/* ------------------------------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------------------------------- */ +#define WOLFSSL_GENERAL_ALIGNMENT 4 +#define SIZEOF_LONG_LONG 8 +#if 0 + #define NO_64BIT /* disable use of 64-bit variables */ +#endif + +#ifdef TARGET_EMBEDDED + /* disable mutex locking */ + #define SINGLE_THREADED + + /* reduce stack use. For variables over 100 bytes allocate from heap */ + #define WOLFSSL_SMALL_STACK + + /* disable the built-in socket support and use the IO callbacks. Set with wolfSSL_CTX_SetIORecv/wolfSSL_CTX_SetIOSend */ + #define WOLFSSL_USER_IO +#endif + +/* ------------------------------------------------------------------------- */ +/* Math Configuration */ +/* ------------------------------------------------------------------------- */ +#undef USE_FAST_MATH +#if 1 + #define USE_FAST_MATH + #define TFM_TIMING_RESISTANT +#endif + +/* Wolf Single Precision Math */ +#undef WOLFSSL_SP +#if 1 + #define WOLFSSL_HAVE_SP_RSA + #define WOLFSSL_HAVE_SP_DH + #define WOLFSSL_HAVE_SP_ECC + #define WOLFSSL_SP_SMALL /* use smaller version of code */ + //#define WOLFSSL_SP_CACHE_RESISTANT + #define WOLFSSL_SP_MATH /* only SP math - eliminates integer.c/tfm.c(fast math) code */ + #define WOLFSSL_SP_MATH_ALL /* use SP math for all key sizes and curves */ + + /* SP Assembly Speedups - specific to chip type */ + //#define WOLFSSL_SP_X86_64 + //#define WOLFSSL_SP_X86 + //#define WOLFSSL_SP_ARM32_ASM + //#define WOLFSSL_SP_ARM64_ASM + //#define WOLFSSL_SP_ARM_THUMB_ASM + //#define WOLFSSL_SP_ARM_CORTEX_M_ASM +#endif + +/* ------------------------------------------------------------------------- */ +/* Crypto */ +/* ------------------------------------------------------------------------- */ +/* RSA */ +#undef NO_RSA +#if 1 + #ifdef USE_FAST_MATH + /* Maximum math bits (Max RSA key bits * 2) */ + #define FP_MAX_BITS 4096 + #endif + + /* half as much memory but twice as slow */ + //#define RSA_LOW_MEM + + /* Enables blinding mode, to prevent timing attacks */ + #define WC_RSA_BLINDING + + /* RSA PSS Support */ + #define WC_RSA_PSS +#else + #define NO_RSA +#endif + +/* ECC */ +#undef HAVE_ECC +#if 1 + #define HAVE_ECC + + /* Manually define enabled curves */ + #define ECC_USER_CURVES + + #ifdef ECC_USER_CURVES + /* Manual Curve Selection */ + //#define HAVE_ECC192 + //#define HAVE_ECC224 + #undef NO_ECC256 + //#define HAVE_ECC384 + //#define HAVE_ECC521 + #endif + + /* Fixed point cache (speeds repeated operations against same private key) */ + //#define FP_ECC + #ifdef FP_ECC + /* Bits / Entries */ + #undef FP_ENTRIES + #define FP_ENTRIES 2 + #undef FP_LUT + #define FP_LUT 4 + #endif + + /* Optional ECC calculation method */ + /* Note: doubles heap usage, but slightly faster */ + #define ECC_SHAMIR + + /* Reduces heap usage, but slower */ + #define ECC_TIMING_RESISTANT + + /* Compressed ECC Key Support */ + //#define HAVE_COMP_KEY + + /* Use alternate ECC size for ECC math */ + #ifdef USE_FAST_MATH + /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */ + #ifdef NO_RSA + /* Custom fastmath size if not using RSA */ + #undef FP_MAX_BITS + #define FP_MAX_BITS (256 * 2) + #else + #define ALT_ECC_SIZE + + /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overriden */ + //#define FP_MAX_BITS_ECC (256 * 2) + #endif + + /* Speedups specific to curve */ + #ifndef NO_ECC256 + #define TFM_ECC256 + #endif + #endif +#endif + +/* DH */ +#undef NO_DH +#if 1 + /* Use table for DH instead of -lm (math) lib dependency */ + #if 1 + #define WOLFSSL_DH_CONST + #define HAVE_FFDHE_2048 + //#define HAVE_FFDHE_4096 + //#define HAVE_FFDHE_6144 + //#define HAVE_FFDHE_8192 + #endif +#else + #define NO_DH +#endif + + +/* AES */ +#undef NO_AES +#if 1 + #define HAVE_AES_CBC + + /* GCM Method: GCM_TABLE_4BIT, GCM_SMALL, GCM_WORD32 or GCM_TABLE */ + #define HAVE_AESGCM + #ifdef TARGET_EMBEDDED + #define GCM_SMALL + #endif + + //#define WOLFSSL_AES_DIRECT + //#define HAVE_AES_ECB + //#define WOLFSSL_AES_COUNTER + //#define HAVE_AESCCM +#else + #define NO_AES +#endif + + +/* DES3 */ +#undef NO_DES3 +#if 0 +#else + #define NO_DES3 +#endif + +/* ChaCha20 / Poly1305 */ +#undef HAVE_CHACHA +#undef HAVE_POLY1305 +#if 1 + #define HAVE_CHACHA + #define HAVE_POLY1305 + + /* Needed for Poly1305 */ + #define HAVE_ONE_TIME_AUTH +#endif + +/* Ed25519 / Curve25519 */ +#undef HAVE_CURVE25519 +#undef HAVE_ED25519 +#if 0 + #define HAVE_CURVE25519 + #define HAVE_ED25519 /* ED25519 Requires SHA512 */ + + /* Optionally use small math (less flash usage, but much slower) */ + #if 1 + #define CURVED25519_SMALL + #endif +#endif + + +/* ------------------------------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------------------------------- */ +/* Sha */ +#undef NO_SHA +#if 1 + /* 1k smaller, but 25% slower */ + //#define USE_SLOW_SHA +#else + #define NO_SHA +#endif + +/* Sha256 */ +#undef NO_SHA256 +#if 1 + /* not unrolled - ~2k smaller and ~25% slower */ + //#define USE_SLOW_SHA256 + + /* Sha224 */ + #if 0 + #define WOLFSSL_SHA224 + #endif +#else + #define NO_SHA256 +#endif + +/* Sha512 */ +#undef WOLFSSL_SHA512 +#if 0 + #define WOLFSSL_SHA512 + + /* Sha384 */ + #undef WOLFSSL_SHA384 + #if 0 + #define WOLFSSL_SHA384 + #endif + + /* over twice as small, but 50% slower */ + //#define USE_SLOW_SHA512 +#endif + +/* Sha3 */ +#undef WOLFSSL_SHA3 +#if 0 + #define WOLFSSL_SHA3 +#endif + +/* MD5 */ +#undef NO_MD5 +#if 0 + +#else + #define NO_MD5 +#endif + +/* HKDF */ +#undef HAVE_HKDF +#if 1 + #define HAVE_HKDF +#endif + +/* CMAC */ +#undef WOLFSSL_CMAC +#if 0 + #define WOLFSSL_CMAC +#endif + + +/* ------------------------------------------------------------------------- */ +/* Benchmark / Test */ +/* ------------------------------------------------------------------------- */ +#ifdef TARGET_EMBEDDED + /* Use reduced benchmark / test sizes */ + #define BENCH_EMBEDDED +#endif + +/* Use test buffers from array (not filesystem) */ +#ifndef NO_FILESYSTEM +#define USE_CERT_BUFFERS_256 +#define USE_CERT_BUFFERS_2048 +#endif + +/* ------------------------------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------------------------------- */ + +#undef DEBUG_WOLFSSL +#undef NO_ERROR_STRINGS +#if 0 + #define DEBUG_WOLFSSL +#else + #if 0 + #define NO_ERROR_STRINGS + #endif +#endif + + +/* ------------------------------------------------------------------------- */ +/* Memory */ +/* ------------------------------------------------------------------------- */ + +/* Override Memory API's */ +#if 0 + #define XMALLOC_OVERRIDE + + /* prototypes for user heap override functions */ + /* Note: Realloc only required for normal math */ + #include /* for size_t */ + extern void *myMalloc(size_t n, void* heap, int type); + extern void myFree(void *p, void* heap, int type); + extern void *myRealloc(void *p, size_t n, void* heap, int type); + + #define XMALLOC(n, h, t) myMalloc(n, h, t) + #define XFREE(p, h, t) myFree(p, h, t) + #define XREALLOC(p, n, h, t) myRealloc(p, n, h, t) +#endif + +#if 0 + /* Static memory requires fast math */ + #define WOLFSSL_STATIC_MEMORY + + /* Disable fallback malloc/free */ + #define WOLFSSL_NO_MALLOC + #if 1 + #define WOLFSSL_MALLOC_CHECK /* trap malloc failure */ + #endif +#endif + +/* Memory callbacks */ +#if 0 + #undef USE_WOLFSSL_MEMORY + #define USE_WOLFSSL_MEMORY + + /* Use this to measure / print heap usage */ + #if 0 + #define WOLFSSL_TRACK_MEMORY + #define WOLFSSL_DEBUG_MEMORY + #endif +#else + #ifndef WOLFSSL_STATIC_MEMORY + #define NO_WOLFSSL_MEMORY + /* Otherwise we will use stdlib malloc, free and realloc */ + #endif +#endif + + +/* ------------------------------------------------------------------------- */ +/* Port */ +/* ------------------------------------------------------------------------- */ + +/* Override Current Time */ +#if 0 + /* Allows custom "custom_time()" function to be used for benchmark */ + #define WOLFSSL_USER_CURRTIME + #define WOLFSSL_GMTIME + #define USER_TICKS + extern unsigned long my_time(unsigned long* timer); + #define XTIME my_time +#endif + + +/* ------------------------------------------------------------------------- */ +/* RNG */ +/* ------------------------------------------------------------------------- */ + +/* Choose RNG method */ +#if 1 + /* Custom Seed Source */ + #if 0 + /* Size of returned HW RNG value */ + #define CUSTOM_RAND_TYPE unsigned int + extern unsigned int my_rng_seed_gen(void); + #undef CUSTOM_RAND_GENERATE + #define CUSTOM_RAND_GENERATE my_rng_seed_gen + #endif + + /* Use built-in P-RNG (SHA256 based) with HW RNG */ + /* P-RNG + HW RNG (P-RNG is ~8K) */ + #undef HAVE_HASHDRBG + #define HAVE_HASHDRBG +#else + #undef WC_NO_HASHDRBG + #define WC_NO_HASHDRBG + + /* Bypass P-RNG and use only HW RNG */ + extern int my_rng_gen_block(unsigned char* output, unsigned int sz); + #undef CUSTOM_RAND_GENERATE_BLOCK + #define CUSTOM_RAND_GENERATE_BLOCK my_rng_gen_block +#endif + + +/* ------------------------------------------------------------------------- */ +/* Custom Standard Lib */ +/* ------------------------------------------------------------------------- */ +/* Allows override of all standard library functions */ +#undef STRING_USER +#if 0 + #define STRING_USER + + #include + + #define USE_WOLF_STRSEP + #define XSTRSEP(s1,d) wc_strsep((s1),(d)) + + #define USE_WOLF_STRTOK + #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr)) + + #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n)) + + #define XMEMCPY(d,s,l) memcpy((d),(s),(l)) + #define XMEMSET(b,c,l) memset((b),(c),(l)) + #define XMEMCMP(s1,s2,n) memcmp((s1),(s2),(n)) + #define XMEMMOVE(d,s,l) memmove((d),(s),(l)) + + #define XSTRLEN(s1) strlen((s1)) + #define XSTRNCPY(s1,s2,n) strncpy((s1),(s2),(n)) + #define XSTRSTR(s1,s2) strstr((s1),(s2)) + + #define XSTRNCMP(s1,s2,n) strncmp((s1),(s2),(n)) + #define XSTRNCAT(s1,s2,n) strncat((s1),(s2),(n)) + #define XSTRNCASECMP(s1,s2,n) strncasecmp((s1),(s2),(n)) + + #define XSNPRINTF snprintf +#endif + + + +/* ------------------------------------------------------------------------- */ +/* Enable Features */ +/* ------------------------------------------------------------------------- */ + +#define WOLFSSL_TLS13 +#define WOLFSSL_OLD_PRIME_CHECK /* Use faster DH prime checking */ +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define WOLFSSL_BASE64_ENCODE + +//#define WOLFSSL_KEY_GEN /* For RSA Key gen only */ +//#define KEEP_PEER_CERT +//#define HAVE_COMP_KEY + +/* TLS Session Cache */ +#if 0 + #define SMALL_SESSION_CACHE +#else + #define NO_SESSION_CACHE +#endif + + +/* ------------------------------------------------------------------------- */ +/* Disable Features */ +/* ------------------------------------------------------------------------- */ +//#define NO_WOLFSSL_SERVER +//#define NO_WOLFSSL_CLIENT +//#define NO_CRYPT_TEST +//#define NO_CRYPT_BENCHMARK +//#define WOLFCRYPT_ONLY + +/* In-lining of misc.c functions */ +/* If defined, must include wolfcrypt/src/misc.c in build */ +/* Slower, but about 1k smaller */ +//#define NO_INLINE + +#ifdef TARGET_EMBEDDED + #define NO_FILESYSTEM + #define NO_WRITEV + #define NO_MAIN_DRIVER + #define NO_DEV_RANDOM +#endif + +#define NO_OLD_TLS +#define NO_PSK + +#define NO_DSA +#define NO_RC4 +#define NO_HC128 +#define NO_RABBIT +#define NO_MD4 +#define NO_PWDBASED +//#define NO_CODING +//#define NO_ASN_TIME +//#define NO_CERTS +//#define NO_SIG_WRAPPER + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ From ffb9a8b440fe596b740fc38fb74c9e12498b69d8 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 10 Jun 2021 08:33:16 -0700 Subject: [PATCH 2/3] Improve the user_settings_template to incude Windows. Added STM32 configuration example. --- IDE/STM32Cube/README.md | 13 +++- IDE/STM32Cube/include.am | 1 - examples/configs/README.md | 1 + examples/configs/include.am | 3 + .../configs/user_settings_stm32.h | 5 -- examples/configs/user_settings_template.h | 66 ++++++++++++------- 6 files changed, 56 insertions(+), 33 deletions(-) rename IDE/STM32Cube/wolfSSL_conf.h => examples/configs/user_settings_stm32.h (99%) diff --git a/IDE/STM32Cube/README.md b/IDE/STM32Cube/README.md index 1109d5f45..9e6267deb 100644 --- a/IDE/STM32Cube/README.md +++ b/IDE/STM32Cube/README.md @@ -14,9 +14,18 @@ These examples use the Cube HAL for STM32. ## Configuration -The settings for the wolfSSL CubeMX pack are in the generated `wolfSSL.I-CUBE-wolfSSL_conf.h` file. An example of this is located in `IDE/STM32Cube/wolfSSL_conf.h` (renamed to avoid possible conflicts with generated file). +The settings for the wolfSSL CubeMX pack are in the generated `wolfSSL.I-CUBE-wolfSSL_conf.h` file. An example of a generated file can be found at `examples/configs/user_settings_stm32.h`. + +The template used for generation is `IDE/STM32Cube/default_conf.ftl`, which is stored in the pack here: `STM32Cube/Repository/Packs/wolfSSL/wolfSSL/[Version]/CubeMX/templates/default_conf.ftl`. + +If the default settings for the Cube GUI are insufficient you can customize the build using one of these methods to prevent the changes from being overwritten when generating the code: + +* Copy the `wolfSSL.I-CUBE-wolfSSL_conf.h` to `Core/Inc` and rename to `user_settings.h`. Then add the preprocessor macro `WOLFSSL_USER_SETTINGS` to your project. This will use the `user_settings.h` instead of the generated configuration. + +OR + +* Edit the source template file used for Cube pack generation here: `STM32Cube/Repository/Packs/wolfSSL/wolfSSL/[Version]/CubeMX/templates/default_conf.ftl`. -The template used for generation is `IDE/STM32Cube/default_conf.ftl` which can be updated at `STM32Cube/Repository/Packs/wolfSSL/wolfSSL/[Version]/CubeMX/templates/default_conf.ftl`. The section for "Hardware platform" may need to be adjusted depending on your processor and board: diff --git a/IDE/STM32Cube/include.am b/IDE/STM32Cube/include.am index 9cf2e6427..f0d0a4394 100644 --- a/IDE/STM32Cube/include.am +++ b/IDE/STM32Cube/include.am @@ -5,7 +5,6 @@ EXTRA_DIST+= IDE/STM32Cube/README.md EXTRA_DIST+= IDE/STM32Cube/main.c EXTRA_DIST+= IDE/STM32Cube/wolfssl_example.c -EXTRA_DIST+= IDE/STM32Cube/wolfSSL_conf.h EXTRA_DIST+= IDE/STM32Cube/wolfssl_example.h EXTRA_DIST+= IDE/STM32Cube/STM32_Benchmarks.md EXTRA_DIST+= IDE/STM32Cube/default_conf.ftl diff --git a/examples/configs/README.md b/examples/configs/README.md index f34a21b74..ddde95d69 100644 --- a/examples/configs/README.md +++ b/examples/configs/README.md @@ -9,6 +9,7 @@ Example wolfSSL configuration file templates for use when autoconf is not availa * `user_settings_min_ecc.h`: This is ECC and SHA-256 only. For ECC verify only add `BUILD_VERIFY_ONLY`. * `user_settings_wolfboot_keytools.h`: This from wolfBoot tools/keytools and is ECC, RSA, ED25519 and ChaCha20. * `user_settings_fipsv2.h`: The FIPS v2 (3389) 140-2 certificate build options. +* `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack. ## Usage diff --git a/examples/configs/include.am b/examples/configs/include.am index 1096eee79..9568c9536 100644 --- a/examples/configs/include.am +++ b/examples/configs/include.am @@ -5,3 +5,6 @@ EXTRA_DIST += examples/configs/README.md EXTRA_DIST += examples/configs/user_settings_all.h EXTRA_DIST += examples/configs/user_settings_min_ecc.h EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h +EXTRA_DIST += examples/configs/user_settings_template.h +EXTRA_DIST += examples/configs/user_settings_fipsv2.h +EXTRA_DIST += examples/configs/user_settings_stm32.h diff --git a/IDE/STM32Cube/wolfSSL_conf.h b/examples/configs/user_settings_stm32.h similarity index 99% rename from IDE/STM32Cube/wolfSSL_conf.h rename to examples/configs/user_settings_stm32.h index 9dc4311a2..84b1f089c 100644 --- a/IDE/STM32Cube/wolfSSL_conf.h +++ b/examples/configs/user_settings_stm32.h @@ -29,11 +29,6 @@ #ifndef __WOLFSSL_I_CUBE_WOLFSSL_CONF_H__ #define __WOLFSSL_I_CUBE_WOLFSSL_CONF_H__ -/** - MiddleWare name : wolfSSL.I-CUBE-wolfSSL.4.6.0 - MiddleWare fileName : ./wolfSSL.I-CUBE-wolfSSL_conf.h - MiddleWare version : -*/ /*---------- WOLF_CONF_DEBUG -----------*/ #define WOLF_CONF_DEBUG 0 diff --git a/examples/configs/user_settings_template.h b/examples/configs/user_settings_template.h index f2ede9a50..30b1a7736 100644 --- a/examples/configs/user_settings_template.h +++ b/examples/configs/user_settings_template.h @@ -32,7 +32,7 @@ extern "C" { #endif /* If TARGET_EMBEDDED is defined then small target settings are used */ -#if !((defined(__MACH__) || defined(__FreeBSD__) || defined(__linux__))) +#if !(defined(__MACH__) || defined(__FreeBSD__) || defined(__linux__) || defined(_WIN32)) #define TARGET_EMBEDDED #endif @@ -52,7 +52,9 @@ extern "C" { /* reduce stack use. For variables over 100 bytes allocate from heap */ #define WOLFSSL_SMALL_STACK - /* disable the built-in socket support and use the IO callbacks. Set with wolfSSL_CTX_SetIORecv/wolfSSL_CTX_SetIOSend */ + /* disable the built-in socket support and use the IO callbacks. + * Set with wolfSSL_CTX_SetIORecv/wolfSSL_CTX_SetIOSend + */ #define WOLFSSL_USER_IO #endif @@ -61,8 +63,11 @@ extern "C" { /* ------------------------------------------------------------------------- */ #undef USE_FAST_MATH #if 1 + /* fast math (tfmc.) (stack based and timing resistant) */ #define USE_FAST_MATH #define TFM_TIMING_RESISTANT +#else + /* normal heap based integer.c (not timing resistant) */ #endif /* Wolf Single Precision Math */ @@ -71,12 +76,23 @@ extern "C" { #define WOLFSSL_HAVE_SP_RSA #define WOLFSSL_HAVE_SP_DH #define WOLFSSL_HAVE_SP_ECC - #define WOLFSSL_SP_SMALL /* use smaller version of code */ + //#define WOLFSSL_SP_4096 /* Enable RSA/RH 4096-bit support */ + //#define WOLFSSL_SP_384 /* Enable ECC 384-bit SECP384R1 support */ + //#define WOLFSSL_SP_CACHE_RESISTANT - #define WOLFSSL_SP_MATH /* only SP math - eliminates integer.c/tfm.c(fast math) code */ + #define WOLFSSL_SP_MATH /* only SP math - disables integer.c/tfm.c */ #define WOLFSSL_SP_MATH_ALL /* use SP math for all key sizes and curves */ - /* SP Assembly Speedups - specific to chip type */ + //#define WOLFSSL_SP_NO_MALLOC + //#define WOLFSSL_SP_DIV_32 /* do not use 64-bit divides */ + + #ifdef TARGET_EMBEDDED + /* use smaller version of code */ + #define WOLFSSL_SP_SMALL + #else + /* SP Assembly Speedups - specific to chip type */ + #define WOLFSSL_SP_ASM + #endif //#define WOLFSSL_SP_X86_64 //#define WOLFSSL_SP_X86 //#define WOLFSSL_SP_ARM32_ASM @@ -108,6 +124,21 @@ extern "C" { #define NO_RSA #endif +/* DH */ +#undef NO_DH +#if 1 + /* Use table for DH instead of -lm (math) lib dependency */ + #if 1 + #define WOLFSSL_DH_CONST + #define HAVE_FFDHE_2048 + //#define HAVE_FFDHE_4096 + //#define HAVE_FFDHE_6144 + //#define HAVE_FFDHE_8192 + #endif +#else + #define NO_DH +#endif + /* ECC */ #undef HAVE_ECC #if 1 @@ -129,9 +160,7 @@ extern "C" { //#define FP_ECC #ifdef FP_ECC /* Bits / Entries */ - #undef FP_ENTRIES #define FP_ENTRIES 2 - #undef FP_LUT #define FP_LUT 4 #endif @@ -148,11 +177,11 @@ extern "C" { /* Use alternate ECC size for ECC math */ #ifdef USE_FAST_MATH /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */ - #ifdef NO_RSA - /* Custom fastmath size if not using RSA */ - #undef FP_MAX_BITS + #if defined(NO_RSA) && defined(NO_DH) + /* Custom fastmath size if not using RSA/DH */ #define FP_MAX_BITS (256 * 2) #else + /* use heap allocation for ECC points */ #define ALT_ECC_SIZE /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overriden */ @@ -166,21 +195,6 @@ extern "C" { #endif #endif -/* DH */ -#undef NO_DH -#if 1 - /* Use table for DH instead of -lm (math) lib dependency */ - #if 1 - #define WOLFSSL_DH_CONST - #define HAVE_FFDHE_2048 - //#define HAVE_FFDHE_4096 - //#define HAVE_FFDHE_6144 - //#define HAVE_FFDHE_8192 - #endif -#else - #define NO_DH -#endif - /* AES */ #undef NO_AES @@ -191,6 +205,8 @@ extern "C" { #define HAVE_AESGCM #ifdef TARGET_EMBEDDED #define GCM_SMALL + #else + #define GCM_TABLE_4BIT #endif //#define WOLFSSL_AES_DIRECT From 9181c949ae587004c2a9fa994a5b578f6ebf567a Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 17 Jun 2021 08:37:00 -0700 Subject: [PATCH 3/3] Added static ciphers and sniffer. Fixed spelling. --- examples/configs/user_settings_all.h | 20 +++++++++++++++++--- examples/configs/user_settings_min_ecc.h | 2 +- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/examples/configs/user_settings_all.h b/examples/configs/user_settings_all.h index 589a28eca..fbd09338c 100644 --- a/examples/configs/user_settings_all.h +++ b/examples/configs/user_settings_all.h @@ -35,7 +35,7 @@ extern "C" { #endif /* Features */ -#define WOLFSSL_PUBLIC_MP /* Make math API's pbulic */ +#define WOLFSSL_PUBLIC_MP /* Make math API's public */ #define KEEP_PEER_CERT /* Retain peer's certificate */ #define KEEP_OUR_CERT /* Keep our certificate */ #define WOLFSSL_ALWAYS_VERIFY_CB /* Always call verify callback (configured via wolfSSL_CTX_set_verify API) */ @@ -60,6 +60,7 @@ extern "C" { #define ASN_BER_TO_DER /* BER to DER support */ #define WOLFSSL_SIGNER_DER_CERT //#define HAVE_THREAD_LS /* DG Commented: Thread local storage - may not be portable */ +//#define WOLFSSL_AEAD_ONLY /* automatically set if TLS v1.3 only, but can be enabled for TLS v1.2 manually */ /* TLS Features */ #define WOLFSSL_DTLS @@ -109,7 +110,7 @@ extern "C" { #define FP_MAX_BITS 8192 //#define HAVE___UINT128_T 1 /* DG commented: May not be portable */ -/* Timing Resistence */ +/* Timing Resistance */ #define TFM_TIMING_RESISTANT #define ECC_TIMING_RESISTANT #define WC_RSA_BLINDING @@ -127,7 +128,7 @@ extern "C" { #define HAVE_ECC_SECPR3 #define HAVE_ECC_BRAINPOOL #define HAVE_ECC_KOBLITZ -#define HAVE_ECC_CDH /* Cofactor */ +#define HAVE_ECC_CDH /* Co-factor */ #define HAVE_COMP_KEY /* Compressed key support */ #define FP_ECC /* Fixed point caching - speed repeated operations against same key */ #define HAVE_ECC_ENCRYPT @@ -210,6 +211,19 @@ extern "C" { #define BOOST_ASIO_USE_WOLFSSL #endif +/* TLS static cipher support - off by default */ +#if 0 + #define WOLFSSL_STATIC_RSA + #define WOLFSSL_STATIC_DH + #define WOLFSSL_STATIC_PSK +#endif + +/* TLS sniffer support - off by default */ +#if 0 + #define WOLFSSL_STATIC_EPHEMERAL + #define WOLFSSL_SNIFFER +#endif + #ifdef __cplusplus } diff --git a/examples/configs/user_settings_min_ecc.h b/examples/configs/user_settings_min_ecc.h index c23e34f1b..6a705f365 100644 --- a/examples/configs/user_settings_min_ecc.h +++ b/examples/configs/user_settings_min_ecc.h @@ -59,7 +59,7 @@ extern "C" { #define WOLFSSL_SP_MATH #define WOLFSSL_HAVE_SP_ECC -/* Enable Timing Resistanace */ +/* Enable Timing Resistance */ #define TFM_TIMING_RESISTANT #define ECC_TIMING_RESISTANT