Fix up for building without ./configure to warn if hardening options are not enabled. Currently ./configure defaults to --enable-harden, but if building sources directly and using settings.h or user_settings.h the hardening defines will not be set by default. If a user wants to use without hardening they can suppress the warning by defining WC_NO_HARDEN.

IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h

@@ -120,6 +120,11 @@ extern "C" {
     /* half as much memory but twice as slow */
     #undef  RSA_LOW_MEM
     //#define RSA_LOW_MEM
+
+    /* Enables blinding mode, to prevent timing attacks */
+    #undef  WC_RSA_BLINDING
+    #define WC_RSA_BLINDING
+
 #else
     #define NO_RSA
 #endif

configure.ac

@@ -408,6 +408,8 @@ AC_ARG_ENABLE([harden],
 if test "$ENABLED_HARDEN" = "yes"
 then
     AM_CFLAGS="$AM_CFLAGS -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT -DWC_RSA_BLINDING"
+else
+    AM_CFLAGS="$AM_CFLAGS -DWC_NO_HARDEN"
 fi
 
 

wolfssl/wolfcrypt/settings.h

@@ -1596,6 +1596,21 @@ extern void uITRON4_free(void *p) ;
     #define ED25519_SMALL
 #endif
 
+
+/* warning for not using harden build options (default with ./configure) */
+#ifndef WC_NO_HARDEN
+    #if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \
+        (defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \
+        (!defined(NO_RSA) && !defined(WC_RSA_BLINDING))
+
+        #ifndef _MSC_VER
+            #warning "For timing resistance / side-channel attack prevention consider using harden options"
+        #else
+            #pragma message("Warning: For timing resistance / side-channel attack prevention consider using harden options")
+        #endif
+    #endif
+#endif
+
 #ifdef __cplusplus
     }   /* extern "C" */
 #endif