diff --git a/.github/workflows/pq-all.yml b/.github/workflows/pq-all.yml index 5674a54e75..70fc7dda96 100644 --- a/.github/workflows/pq-all.yml +++ b/.github/workflows/pq-all.yml @@ -18,7 +18,7 @@ jobs: matrix: config: [ # Add new configs here - '--enable-intelasm --enable-sp-asm --enable-mlkem=yes,kyber,ml-kem CPPFLAGS=-DWOLFSSL_ML_KEM_USE_OLD_IDS' + '--enable-intelasm --enable-sp-asm --enable-mlkem=yes,kyber,ml-kem CPPFLAGS="-DWOLFSSL_ML_KEM_USE_OLD_IDS"', '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"', '--enable-smallstack --enable-smallstackcache --enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"', '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" CC=c++' diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index c1b4cf403f..93007391ae 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -96,6 +96,7 @@ CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_MP_MUL CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD +CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING CONFIG_FREERTOS_HZ CONFIG_FREERTOS_UNICORE CONFIG_IDF_TARGET @@ -286,6 +287,7 @@ IOTSAFE_NO_GETDATA IOTSAFE_SIG_8BIT_LENGTH KCAPI_USE_XMALLOC K_SERIES +LIBWOLFSSL_CMAKE_OUTPUT LIBWOLFSSL_VERSION_GIT_BRANCH LIBWOLFSSL_VERSION_GIT_HASH LIBWOLFSSL_VERSION_GIT_HASH_DATE @@ -415,6 +417,7 @@ NO_WOLFSSL_SHA256_INTERLEAVE NO_WOLFSSL_SHA512_INTERLEAVE NO_WOLFSSL_SKIP_TRAILING_PAD NO_WOLFSSL_SMALL_STACK_STATIC +NO_WOLFSSL_USE_ASM_CERT NO_WOLFSSL_XILINX_TAG_MALLOC NRF52 NRF52_SERIES @@ -456,6 +459,7 @@ SHOW_CERTS SHOW_GEN SHOW_SIZES SHOW_SSID_AND_PASSWORD +SHOW_WOLFSSL_BUNDLE_ERROR SIM_SCGC3_RNGA_MASK SIM_SCGC5_PORTC_MASK SIM_SCGC5_PORTD_MASK @@ -518,6 +522,8 @@ TI_DUMMY_BUILD TLS13_RSA_PSS_SIGN_CB_NO_PREHASH TSIP_RSAES_1024 TSIP_RSAES_2048 +TSIP_RSASSA_1024 +TSIP_RSASSA_2048 UNICODE USER_CA_CB USER_CUSTOM_SNIFFX diff --git a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/CMakeLists.txt index cc7ef0d474..b4a2b74c11 100644 --- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/CMakeLists.txt @@ -19,23 +19,62 @@ # # cmake for wolfssl Espressif projects # -# Version 5.7.2 Espressif ESP-IDF integration +# Version 5.8.0 Espressif ESP-IDF + PlatformIO integration (2) # # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html # message(STATUS "Begin wolfssl ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") cmake_minimum_required(VERSION 3.16) +# The scope of this CMAKE_C_FLAGS is just this component: +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") + +set(CMAKE_CURRENT_SOURCE_DIR ".") + +# Optionally set your source to wolfSSL in your project CMakeLists.txt like this: +# set(WOLFSSL_ROOT "c:/workspace/my_wolfssl" ) + +if ( "${WOLFSSL_ROOT}" STREQUAL "") + set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" ) +endif() + set(VERBOSE_COMPONENT_MESSAGES 1) # Optional requires include: # set(THIS_ESP_TLS "esp-tls") set(THIS_ESP_TLS "") +# LIBWOLFSSL_CMAKE_OUTPUT can be printed at runtime +set(LIBWOLFSSL_CMAKE_OUTPUT "") + + +if(CMAKE_BUILD_EARLY_EXPANSION) + message(STATUS "Skipping libwolfssl_output.h update during CMAKE_BUILD_EARLY_EXPANSION") +else() + # Initialize a new libwolfssl_output.h in the cmake build directory. + if( EXISTS "${CMAKE_BINARY_DIR}/libwolfssl_output.h") + # The next WRITE replaces a file. + # This is here to remove any ambiguity on file removal & generation. + file(REMOVE "${CMAKE_BINARY_DIR}/libwolfssl_output.h") + endif() + + file(WRITE "${CMAKE_BINARY_DIR}/libwolfssl_output.h" + "/* libwolfssl_output.h generated by wolfssl component */\n" + "#ifndef _LIBWOLFSSL_OUTPUT_H_\n" + "\n" + "#define _LIBWOLFSSL_OUTPUT_H_\n\n") +endif() + +# Append messages with: +# LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n"message" "0") +# See function: APPEND_LIBWOLFSSL_CMAKE_OUTPUT + # function: IS_ESP_IDF_COMPONENT # output: RESULT = 1 (true) if this component is located in the ESP-IDF components # otherwise 0 (false) -function( IS_ESP_IDF_COMPONENT RESULT ) +function( IS_ESP_IDF_COMPONENT + RESULT) # NOTE: Component location is based on the location of the CMakeList.txt # and *not* the location of the wolfSSL source code. (which may be anywhere) @@ -55,6 +94,96 @@ function( IS_ESP_IDF_COMPONENT RESULT ) endif() endfunction() +# +# LIBWOLFSSL_SAVE_INFO(VAR_OUTPUT THIS_VAR VAR_RESULT) +# +# Save the THIS_VAR as a string in a macro called VAR_OUTPUT +# +# VAR_OUTPUT: the name of the macro to define +# THIS_VAR: the OUTPUT_VARIABLE result from a execute_process() +# VAR_RESULT: the RESULT_VARIABLE from a execute_process(); "0" if successful. +# +function ( LIBWOLFSSL_SAVE_INFO VAR_OUTPUT THIS_VAR VAR_RESULT ) + # is the RESULT_VARIABLE output value 0? If so, IS_VALID_VALUE is true. + string(COMPARE EQUAL "${VAR_RESULT}" "0" IS_VALID_VALUE) + + # if we had a successful operation, save the THIS_VAR in VAR_OUTPUT + if(${IS_VALID_VALUE}) + + if(0) + # Optional debug + message(STATUS "Looking for LF in ${THIS_VAR}") + endif() + + # Check if the text to print in THIS_VAR is multi-line + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + list(LENGTH LINES LINE_COUNT) + + # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def + if(LINE_COUNT GREATER 1) + message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") + add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") + + # Split into lines + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + foreach(LINE IN LISTS LINES) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") + endforeach() + + # Final empty line to close the macro + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") + + message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") + target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") + else() + message(STATUS "No HAS_LIBWOLFSSL_OUTPUT_HEADER") + # We should not have any, but just to be sure: + # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE + string(REPLACE "\n" "" VAR_VALUE "${THIS_VAR}") + + # we'll could percolate the value to the parent for possible later use + # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) + + # but we're only using it here in this function + set(${VAR_OUTPUT} ${VAR_VALUE}) + + # we'll print what we found to the console + message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + + # the interesting part is defining the VAR_OUTPUT name a value to use in the app + add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") + + endif() + else() + # if we get here, check the execute_process command and parameters. + message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") + set(${VAR_OUTPUT} "Unknown") + endif() + + +endfunction() # LIBWOLFSSL_SAVE_INFO + +# +# APPEND_LIBWOLFSSL_CMAKE_OUTPUT(THIS_MESSAGE OUTPUT_VALUE) +# +# Append the text in THIS_MESSAGE to LIBWOLFSSL_CMAKE_OUTPUT. +# String is available at runtime in app +# + +function( APPEND_LIBWOLFSSL_CMAKE_OUTPUT + THIS_MESSAGE ) + # Normally, we'd simply print a message: + message(STATUS "${THIS_MESSAGE}") + + # But here we'll pass the entire LIBWOLFSSL_CMAKE_OUTPUT as a string definition to the app + set(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n${THIS_MESSAGE}" PARENT_SCOPE) + + # We don't call LIBWOLFSSL_SAVE_INFO here as it would add duplicate definitions + # See single instance at the end of this file. +endfunction() + # Determine if this cmake file is located in the ESP-IDF component directory or not, # and if so, if it is being ignored (allowing the use of a local project one, instead). IS_ESP_IDF_COMPONENT( IS_WOLSSL_ESP_IDF_COMPONENT ) @@ -77,20 +206,6 @@ else() message(STATUS "Cleaned wolfssl path: ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") endif() -# The scope of this CMAKE_C_FLAGS is just this component: -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") - -set(CMAKE_CURRENT_SOURCE_DIR ".") -# set(COMPONENT_REQUIRES lwip) # we typically don't need lwip directly in wolfssl component - -# Optionally set your source to wolfSSL in your project CMakeLists.txt like this: -# set(WOLFSSL_ROOT "c:/test/my_wolfssl" ) - -if ( "${WOLFSSL_ROOT}" STREQUAL "") - set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" ) -endif() - if( "$ENV{IDF_PATH}" STREQUAL "" ) message(FATAL_ERROR "IDF_PATH Environment variable not set!") else() @@ -185,7 +300,9 @@ endif() # Check environment variable name EVARPARAM as [name] # If defined, and has a value of EVARVALUE as [value], # then assign a compiler definition "-D[name]=[value]" -function(ENVIRONMENT_VAR_TO_MACRO EVARPARAM EVARVALUE) +function( ENVIRONMENT_VAR_TO_MACRO + EVARPARAM # Environment variable parameter name + EVARVALUE) # Environment variable value # If the EVARPARAM environment variable name is set to EVARVALUE, # set the compiler flag definition to enable CSV output. if ( "$ENV{${EVARPARAM}}" STREQUAL "${EVARVALUE}") @@ -217,7 +334,8 @@ endfunction() # function: IS_WOLFSSL_SOURCE # parameter: DIRECTORY_PARAMETER - the directory to test # output: RESULT = contains contents of DIRECTORY_PARAMETER for wolfssl directory, otherwise blank. -function( IS_WOLFSSL_SOURCE DIRECTORY_PARAMETER +function( IS_WOLFSSL_SOURCE + DIRECTORY_PARAMETER RESULT ) if (EXISTS "${DIRECTORY_PARAMETER}/wolfcrypt/src") set(${RESULT} "${DIRECTORY_PARAMETER}" PARENT_SCOPE) @@ -233,7 +351,8 @@ endfunction() # Example usage: # FIND_WOLFSSL_DIRECTORY(WOLFSSL_ROOT) # ********************************************************************************************* -function(FIND_WOLFSSL_DIRECTORY OUTPUT_FOUND_WOLFSSL_DIRECTORY) +function( FIND_WOLFSSL_DIRECTORY + OUTPUT_FOUND_WOLFSSL_DIRECTORY) message(STATUS "Starting FIND_WOLFSSL_DIRECTORY: ${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}") if ( "${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}" STREQUAL "" ) @@ -673,9 +792,9 @@ else() # depending on the environment, we may need to swap backslashes with forward slashes string(REPLACE "\\" "/" RTOS_IDF_PATH "$ENV{IDF_PATH}/components/freertos/FreeRTOS-Kernel/include/freertos") - if(WOLFSSL_ROOT) - string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT}) - endif() + if(WOLFSSL_ROOT) + string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT}) + endif() if(IS_DIRECTORY "${RTOS_IDF_PATH}") message(STATUS "Found current RTOS path: ${RTOS_IDF_PATH}") @@ -789,16 +908,35 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE AND NOT CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") ) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("wolfSSL Certificate Bundles Enabled") + if (CMAKE_BUILD_EARLY_EXPANSION) - message(ERROR "Bundle Cert initialization must occur during CMAKE_BUILD_EARLY_EXPANSION") + message(FATAL_ERROR "Bundle Cert initialization must occur during CMAKE_BUILD_EARLY_EXPANSION") endif() # reminder: we need a value for wolfSSL root first! if( "${WOLFSSL_ROOT}" STREQUAL "" ) - message(ERROR "Certificate bundles need a value for WOLFSSL_ROOT") + message(FATAL_ERROR "Certificate bundles need a value for WOLFSSL_ROOT") endif() + + # Cert bundle in wolfSSL source unless otherwise specified later set(WOLFSSL_ESP_CRT_BUNDLE_DIR ${WOLFSSL_ROOT}/wolfcrypt/src/port/Espressif/esp_crt_bundle) message(STATUS "WOLFSSL_ESP_CRT_BUNDLE_DIR=${WOLFSSL_ESP_CRT_BUNDLE_DIR}") - if(EXISTS "${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + + if(DEFINED ENV{PLATFORMIO_PROJECT_DIR}) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Detected PlatformIO") + set(IS_PLATFORMIO 1) + else() + # Some environments may not have environment variable, so double check if we are in .pio + if("${CMAKE_BINARY_DIR}" MATCHES "/\\.pio/") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Detected PlatformIO via CMAKE_BINARY_DIR") + set(IS_PLATFORMIO 1) + else() + set(IS_PLATFORMIO 0) + endif() + endif() + + if(EXISTS "${WOLFSSL_ESP_CRT_BUNDLE_DIR}" OR IS_PLATFORMIO) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Special processing for wolfSSL Certificate Bundles") set(bundle_name "x509_crt_bundle_wolfssl") # For now the certs are in the same directory @@ -824,9 +962,9 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE get_filename_component(custom_bundle_path ${CONFIG_WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH} ABSOLUTE BASE_DIR "${project_dir}") list(APPEND crt_paths ${custom_bundle_path}) - message(STATUS "Using a custom wolfSSL bundle path: ${custom_bundle_path}") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Using a custom wolfSSL bundle path: ${custom_bundle_path}") else() - message(STATUS "Not using a custom wolfSSL bundle path.") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Not using a custom wolfSSL bundle path") endif() list(APPEND args --input ${crt_paths} -q) @@ -843,25 +981,107 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE message(STATUS "args ${args}") message(STATUS "cert_bundle ${cert_bundle}") - # Generate bundle according to config - # File is generated at build time, not cmake load - add_custom_command(OUTPUT ${crt_bundle} - COMMAND ${GENERATE_CERT_BUNDLEPY} ARGS ${args} - DEPENDS ${custom_bundle_path} - VERBATIM) + if (IS_PLATFORMIO) + # PlatformIO cannot generate a Certificate Bundle at build time + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("PlatformIO is using a predefined bundle rather than generating one") - if(EXISTS "${crt_bundle}") - message(STATUS "Bundle file exists from prior build: ${crt_bundle}") + if ( "${WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}" STREQUAL "" OR "$(WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE)" STREQUAL "" OR "$(WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE)" STREQUAL "n") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Alternate Certificate Bundle Path and Name not enabled, assuming [project]/certs/x509_crt_bundle_wolfssl") + # Reminder this CMakeLists.txt should be in [project]/components/wolfssl, so ./certs is two directories up + set(crt_bundle_option "../../certs/x509_crt_bundle_wolfssl") + else() + string(SUBSTRING "${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}" 0 2 CERT_PATH_FIRST_TWO) + if(CERT_PATH_FIRST_TWO STREQUAL "./" OR CERT_PATH_FIRST_TWO STREQUAL ".\\") + set(IS_CERT_BUNDLE_RELATIVE_PATH 1) + message(STATUS "Alternate Cert Path is relative to project.") + else() + set(IS_CERT_BUNDLE_RELATIVE_PATH 0) + message(STATUS "Alternate Cert Path is not relative to project.") + endif() + + # The cert bundle is not a standard cert, so we con't add to the crt_paths. + # Still, we may have an alternate location, particulatly needed for PlatformIO: + if(IS_CERT_BUNDLE_RELATIVE_PATH) + message(STATUS "CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME = ${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + message(STATUS "Relative alternate_bundle_path: ${alternate_bundle_path}") + + SET(crt_bundle_option "${CMAKE_SOURCE_DIR}/${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + else() + message(STATUS "alternate_bundle_path: ${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + message(STATUS "Not using an alternate wolfSSL bundle file.") + SET(crt_bundle_option "${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + endif() + endif() + + # Clean the path, removing any extra "./" etc. + # Number of spaces in message strings is to align path value outputs + message(STATUS "This crt_bundle_option value: ${crt_bundle_option}") + if(${CMAKE_VERSION} VERSION_LESS "3.19") + message("WARNING: CMake version is ${CMAKE_VERSION} ? file(REAL_PATH ...) is not supported. Falling back to manual path normalization.") + # optional fallback logic here + get_filename_component(crt_bundle_file_component "${crt_bundle_option}" ABSOLUTE) + message(STATUS "Interim crt_bundle_file_component: ${crt_bundle_file_component}") + file(TO_CMAKE_PATH "${crt_bundle_file_component}" crt_bundle) + message(STATUS "TO_CMAKE_PATH crt_bundle result: ${crt_bundle}") + # set(crt_bundle "C:/workspace/pio_wolfssl-upstream-test-wolfssl_cert_bundle/esp32-c6/certs/x509_crt_bundle_wolfssl") + else() + file(REAL_PATH "${crt_bundle_option}" crt_bundle) + endif() + + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Certificate Bundle: ${crt_bundle}") + message(STATUS "This cleaned crt_bundle value: ${crt_bundle}") + message(STATUS "=============================================================================================================") + message(STATUS "=============================================================================================================") + message(STATUS "Reminder: platformio.ini will need this value set for board_build.embed_files =") + message(STATUS "${crt_bundle}") + message(STATUS "=============================================================================================================") + message(STATUS "=============================================================================================================") + + # e.g. SET(crt_bundle "C:/workspace/pio_wolfssl/esp32-c6/certs/x509_crt_bundle_wolfssl") + # + + # Normally x509_crt_bundle_wolfssl built by python script called from cmake. + # See https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/port/Espressif/esp_crt_bundle/gen_crt_bundle.py + # Reminder ESP-IDF scripts are NOT called from CMake for PlatformIO builds. + # + # The easiest way to generate the default file is to build with ESP-IDF and copy the files to [project]/main + # + # for example: + # build\VisualGDB\Debug\x509_crt_bundle_wolfssl.s + # build\VisualGDB\Debug\esp-idf\wolfssl\x509_crt_bundle_wolfssl + # + message(STATUS "Confirming cert bundle exists...") + if(EXISTS "${crt_bundle}") + # Number of spaces is to align path value outputs + message(STATUS "Bundle file found for PlatformIO: ${crt_bundle}") + else() + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("ERROR: Failed to find bundle file found for PlatformIO: ${crt_bundle}") + message(STATUS "Check for entry in platformio.ini: board_build.embed_files = certs/x509_crt_bundle_wolfssl ") + message(FATAL_ERROR "WOLFSSL_CERTIFICATE_BUNDLE is enabled for PlatformIO, but predefined file not found: ${crt_bundle}") + endif() else() - message(STATUS "Bundle file expected during next build: ${crt_bundle}") + # APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Generate bundle: ${GENERATE_CERT_BUNDLEPY} ${args}") + # Not PlatformIO + # Generate bundle according to config + # File is generated at build time, not cmake load + add_custom_command(OUTPUT ${crt_bundle} + COMMAND ${GENERATE_CERT_BUNDLEPY} ARGS ${args} + DEPENDS ${custom_bundle_path} + VERBATIM) + + if(EXISTS "${crt_bundle}") + message(STATUS "Bundle file exists from prior build: ${crt_bundle}") + else() + message(STATUS "Bundle file expected during next build: ${crt_bundle}") + endif() + + # Reminder the file is generated at build time, not cmake load time. + message(STATUS "wolfSSL Cert Bundle File to be created at build time in: ${crt_bundle}") endif() - # Reminder the file is generated at build time, not cmake load time. - message(STATUS "wolfSSL Cert Bundle File to be created at build time in: ${crt_bundle}") + add_custom_target(custom_wolfssl_bundle DEPENDS ${crt_bundle}) - add_custom_target(custom_wolfssl_bundle DEPENDS ${cert_bundle}) - - # the wolfSSL crtificate bundle is baked into wolfSSL + # the wolfSSL certificate bundle is baked into wolfSSL add_dependencies(${COMPONENT_LIB} custom_wolfssl_bundle) # COMPONENT_LIB may vary: __idf_wolfssl, __idf_esp_wolfssl, etc @@ -871,7 +1091,12 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE APPEND PROPERTY ADDITIONAL_CLEAN_FILES "${crt_bundle}") else() - message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but directory not found: ${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + if(IS_PLATFORMIO) + message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but cannot be generated in PlatformmIO") + else() + message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but directory not found: ${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + endif() + message(FATAL_ERROR "not detected") endif() endif() @@ -930,42 +1155,6 @@ endif() # end multiple component check -# -# LIBWOLFSSL_SAVE_INFO(VAR_OUPUT THIS_VAR VAR_RESULT) -# -# Save the THIS_VAR as a string in a macro called VAR_OUPUT -# -# VAR_OUPUT: the name of the macro to define -# THIS_VAR: the OUTPUT_VARIABLE result from a execute_process() -# VAR_RESULT: the RESULT_VARIABLE from a execute_process(); "0" if successful. -# -function ( LIBWOLFSSL_SAVE_INFO VAR_OUPUT THIS_VAR VAR_RESULT ) - # is the RESULT_VARIABLE output value 0? If so, IS_VALID_VALUE is true. - string(COMPARE EQUAL "${VAR_RESULT}" "0" IS_VALID_VALUE) - - # if we had a successful operation, save the THIS_VAR in VAR_OUPUT - if(${IS_VALID_VALUE}) - # strip newline chars in THIS_VAR parameter and save in VAR_VALUE - string(REPLACE "\n" "" VAR_VALUE ${THIS_VAR}) - - # we'll could percolate the value to the parent for possible later use - # set(${VAR_OUPUT} ${VAR_VALUE} PARENT_SCOPE) - - # but we're only using it here in this function - set(${VAR_OUPUT} ${VAR_VALUE}) - - # we'll print what we found to the console - message(STATUS "Found ${VAR_OUPUT}=${VAR_VALUE}") - - # the interesting part is defining the VAR_OUPUT name a value to use in the app - add_compile_definitions(${VAR_OUPUT}=\"${VAR_VALUE}\") - else() - # if we get here, check the execute_process command and parameters. - message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") - set(${VAR_OUPUT} "Unknown") - endif() -endfunction() # LIBWOLFSSL_SAVE_INFO - execute_process( COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree" OUTPUT_VARIABLE IS_GIT_REPO @@ -1049,6 +1238,14 @@ else() message(STATUS "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!") endif() +# A single instance of potentially multiple cmake messages to send to app: +message(STATUS "LIBWOLFSSL_CMAKE_OUTPUT: ${LIBWOLFSSL_CMAKE_OUTPUT}") +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}" "0") + +file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" + "\n" + "#endif\n" ) + message(STATUS "************************************************************************************************") message(STATUS "wolfSSL component config complete!") message(STATUS "************************************************************************************************") diff --git a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig index 9a7fcaa075..ee8dc7f1a2 100644 --- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig +++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig @@ -274,10 +274,28 @@ menu "wolfSSL" bool "Do not use the default certificate bundle" endchoice + config WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE + depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + default n + bool "Use alternate certificate bundle" + help + Typically only used for PlatformIO which cannot generate a certificate bundle at build time. + Enable this option to specify a fixed wolfSSL certificate file path and file name. + + config WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME + depends on WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + string "Default certificate bundle alternate path and name" + default "./certs/x509_crt_bundle_wolfssl" + help + Name of the default certificate bundle directory. Typically used only with PlatformIO. + Reminder PlatformIO cannot generate a bundle from cmake python script call. Relative + paths are with respect to root of this project. + config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL default n bool "Add custom certificates to the default bundle" + config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH depends on WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL string "Custom certificate bundle path" @@ -430,6 +448,12 @@ menu "wolfSSL" help Enable debugging messages for wolfSSL. See user_settings.h for additional debug options. + config ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING + bool "Suppress build-time warnings for main stack size" + default n + help + Useful only when wolfSSL is running in main task. See FreeRTOS stack size for custom tasks. + config ESP_WOLFSSL_TEST_LOOP bool "Run test apps in a loop until failure" default y diff --git a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h index 488182ed6f..80f89fffe0 100644 --- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h +++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h @@ -853,13 +853,18 @@ #ifndef NO_RSA #define ESP32_USE_RSA_PRIMITIVE - #if defined(CONFIG_IDF_TARGET_ESP32) - #ifdef CONFIG_ESP_MAIN_TASK_STACK_SIZE + #ifdef CONFIG_ESP_MAIN_TASK_STACK_SIZE + /* See idf.py menuconfig for stack warning settings */ + #if !defined(CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING) #if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500 - #warning "RSA may be difficult with less than 10KB Stack "/ + #warning "RSA may be difficult with less than 10KB Stack" #endif + #else + /* Implement your own stack warning here */ #endif + #endif + #if defined(CONFIG_IDF_TARGET_ESP32) /* NOTE HW unreliable for small values! */ /* threshold for performance adjustment for HW primitive use */ /* X bits of G^X mod P greater than */ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/CMakeLists.txt index cc7ef0d474..b4a2b74c11 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/CMakeLists.txt @@ -19,23 +19,62 @@ # # cmake for wolfssl Espressif projects # -# Version 5.7.2 Espressif ESP-IDF integration +# Version 5.8.0 Espressif ESP-IDF + PlatformIO integration (2) # # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html # message(STATUS "Begin wolfssl ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") cmake_minimum_required(VERSION 3.16) +# The scope of this CMAKE_C_FLAGS is just this component: +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") + +set(CMAKE_CURRENT_SOURCE_DIR ".") + +# Optionally set your source to wolfSSL in your project CMakeLists.txt like this: +# set(WOLFSSL_ROOT "c:/workspace/my_wolfssl" ) + +if ( "${WOLFSSL_ROOT}" STREQUAL "") + set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" ) +endif() + set(VERBOSE_COMPONENT_MESSAGES 1) # Optional requires include: # set(THIS_ESP_TLS "esp-tls") set(THIS_ESP_TLS "") +# LIBWOLFSSL_CMAKE_OUTPUT can be printed at runtime +set(LIBWOLFSSL_CMAKE_OUTPUT "") + + +if(CMAKE_BUILD_EARLY_EXPANSION) + message(STATUS "Skipping libwolfssl_output.h update during CMAKE_BUILD_EARLY_EXPANSION") +else() + # Initialize a new libwolfssl_output.h in the cmake build directory. + if( EXISTS "${CMAKE_BINARY_DIR}/libwolfssl_output.h") + # The next WRITE replaces a file. + # This is here to remove any ambiguity on file removal & generation. + file(REMOVE "${CMAKE_BINARY_DIR}/libwolfssl_output.h") + endif() + + file(WRITE "${CMAKE_BINARY_DIR}/libwolfssl_output.h" + "/* libwolfssl_output.h generated by wolfssl component */\n" + "#ifndef _LIBWOLFSSL_OUTPUT_H_\n" + "\n" + "#define _LIBWOLFSSL_OUTPUT_H_\n\n") +endif() + +# Append messages with: +# LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n"message" "0") +# See function: APPEND_LIBWOLFSSL_CMAKE_OUTPUT + # function: IS_ESP_IDF_COMPONENT # output: RESULT = 1 (true) if this component is located in the ESP-IDF components # otherwise 0 (false) -function( IS_ESP_IDF_COMPONENT RESULT ) +function( IS_ESP_IDF_COMPONENT + RESULT) # NOTE: Component location is based on the location of the CMakeList.txt # and *not* the location of the wolfSSL source code. (which may be anywhere) @@ -55,6 +94,96 @@ function( IS_ESP_IDF_COMPONENT RESULT ) endif() endfunction() +# +# LIBWOLFSSL_SAVE_INFO(VAR_OUTPUT THIS_VAR VAR_RESULT) +# +# Save the THIS_VAR as a string in a macro called VAR_OUTPUT +# +# VAR_OUTPUT: the name of the macro to define +# THIS_VAR: the OUTPUT_VARIABLE result from a execute_process() +# VAR_RESULT: the RESULT_VARIABLE from a execute_process(); "0" if successful. +# +function ( LIBWOLFSSL_SAVE_INFO VAR_OUTPUT THIS_VAR VAR_RESULT ) + # is the RESULT_VARIABLE output value 0? If so, IS_VALID_VALUE is true. + string(COMPARE EQUAL "${VAR_RESULT}" "0" IS_VALID_VALUE) + + # if we had a successful operation, save the THIS_VAR in VAR_OUTPUT + if(${IS_VALID_VALUE}) + + if(0) + # Optional debug + message(STATUS "Looking for LF in ${THIS_VAR}") + endif() + + # Check if the text to print in THIS_VAR is multi-line + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + list(LENGTH LINES LINE_COUNT) + + # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def + if(LINE_COUNT GREATER 1) + message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") + add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") + + # Split into lines + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + foreach(LINE IN LISTS LINES) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") + endforeach() + + # Final empty line to close the macro + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") + + message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") + target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") + else() + message(STATUS "No HAS_LIBWOLFSSL_OUTPUT_HEADER") + # We should not have any, but just to be sure: + # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE + string(REPLACE "\n" "" VAR_VALUE "${THIS_VAR}") + + # we'll could percolate the value to the parent for possible later use + # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) + + # but we're only using it here in this function + set(${VAR_OUTPUT} ${VAR_VALUE}) + + # we'll print what we found to the console + message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + + # the interesting part is defining the VAR_OUTPUT name a value to use in the app + add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") + + endif() + else() + # if we get here, check the execute_process command and parameters. + message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") + set(${VAR_OUTPUT} "Unknown") + endif() + + +endfunction() # LIBWOLFSSL_SAVE_INFO + +# +# APPEND_LIBWOLFSSL_CMAKE_OUTPUT(THIS_MESSAGE OUTPUT_VALUE) +# +# Append the text in THIS_MESSAGE to LIBWOLFSSL_CMAKE_OUTPUT. +# String is available at runtime in app +# + +function( APPEND_LIBWOLFSSL_CMAKE_OUTPUT + THIS_MESSAGE ) + # Normally, we'd simply print a message: + message(STATUS "${THIS_MESSAGE}") + + # But here we'll pass the entire LIBWOLFSSL_CMAKE_OUTPUT as a string definition to the app + set(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n${THIS_MESSAGE}" PARENT_SCOPE) + + # We don't call LIBWOLFSSL_SAVE_INFO here as it would add duplicate definitions + # See single instance at the end of this file. +endfunction() + # Determine if this cmake file is located in the ESP-IDF component directory or not, # and if so, if it is being ignored (allowing the use of a local project one, instead). IS_ESP_IDF_COMPONENT( IS_WOLSSL_ESP_IDF_COMPONENT ) @@ -77,20 +206,6 @@ else() message(STATUS "Cleaned wolfssl path: ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") endif() -# The scope of this CMAKE_C_FLAGS is just this component: -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") - -set(CMAKE_CURRENT_SOURCE_DIR ".") -# set(COMPONENT_REQUIRES lwip) # we typically don't need lwip directly in wolfssl component - -# Optionally set your source to wolfSSL in your project CMakeLists.txt like this: -# set(WOLFSSL_ROOT "c:/test/my_wolfssl" ) - -if ( "${WOLFSSL_ROOT}" STREQUAL "") - set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" ) -endif() - if( "$ENV{IDF_PATH}" STREQUAL "" ) message(FATAL_ERROR "IDF_PATH Environment variable not set!") else() @@ -185,7 +300,9 @@ endif() # Check environment variable name EVARPARAM as [name] # If defined, and has a value of EVARVALUE as [value], # then assign a compiler definition "-D[name]=[value]" -function(ENVIRONMENT_VAR_TO_MACRO EVARPARAM EVARVALUE) +function( ENVIRONMENT_VAR_TO_MACRO + EVARPARAM # Environment variable parameter name + EVARVALUE) # Environment variable value # If the EVARPARAM environment variable name is set to EVARVALUE, # set the compiler flag definition to enable CSV output. if ( "$ENV{${EVARPARAM}}" STREQUAL "${EVARVALUE}") @@ -217,7 +334,8 @@ endfunction() # function: IS_WOLFSSL_SOURCE # parameter: DIRECTORY_PARAMETER - the directory to test # output: RESULT = contains contents of DIRECTORY_PARAMETER for wolfssl directory, otherwise blank. -function( IS_WOLFSSL_SOURCE DIRECTORY_PARAMETER +function( IS_WOLFSSL_SOURCE + DIRECTORY_PARAMETER RESULT ) if (EXISTS "${DIRECTORY_PARAMETER}/wolfcrypt/src") set(${RESULT} "${DIRECTORY_PARAMETER}" PARENT_SCOPE) @@ -233,7 +351,8 @@ endfunction() # Example usage: # FIND_WOLFSSL_DIRECTORY(WOLFSSL_ROOT) # ********************************************************************************************* -function(FIND_WOLFSSL_DIRECTORY OUTPUT_FOUND_WOLFSSL_DIRECTORY) +function( FIND_WOLFSSL_DIRECTORY + OUTPUT_FOUND_WOLFSSL_DIRECTORY) message(STATUS "Starting FIND_WOLFSSL_DIRECTORY: ${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}") if ( "${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}" STREQUAL "" ) @@ -673,9 +792,9 @@ else() # depending on the environment, we may need to swap backslashes with forward slashes string(REPLACE "\\" "/" RTOS_IDF_PATH "$ENV{IDF_PATH}/components/freertos/FreeRTOS-Kernel/include/freertos") - if(WOLFSSL_ROOT) - string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT}) - endif() + if(WOLFSSL_ROOT) + string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT}) + endif() if(IS_DIRECTORY "${RTOS_IDF_PATH}") message(STATUS "Found current RTOS path: ${RTOS_IDF_PATH}") @@ -789,16 +908,35 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE AND NOT CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") ) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("wolfSSL Certificate Bundles Enabled") + if (CMAKE_BUILD_EARLY_EXPANSION) - message(ERROR "Bundle Cert initialization must occur during CMAKE_BUILD_EARLY_EXPANSION") + message(FATAL_ERROR "Bundle Cert initialization must occur during CMAKE_BUILD_EARLY_EXPANSION") endif() # reminder: we need a value for wolfSSL root first! if( "${WOLFSSL_ROOT}" STREQUAL "" ) - message(ERROR "Certificate bundles need a value for WOLFSSL_ROOT") + message(FATAL_ERROR "Certificate bundles need a value for WOLFSSL_ROOT") endif() + + # Cert bundle in wolfSSL source unless otherwise specified later set(WOLFSSL_ESP_CRT_BUNDLE_DIR ${WOLFSSL_ROOT}/wolfcrypt/src/port/Espressif/esp_crt_bundle) message(STATUS "WOLFSSL_ESP_CRT_BUNDLE_DIR=${WOLFSSL_ESP_CRT_BUNDLE_DIR}") - if(EXISTS "${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + + if(DEFINED ENV{PLATFORMIO_PROJECT_DIR}) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Detected PlatformIO") + set(IS_PLATFORMIO 1) + else() + # Some environments may not have environment variable, so double check if we are in .pio + if("${CMAKE_BINARY_DIR}" MATCHES "/\\.pio/") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Detected PlatformIO via CMAKE_BINARY_DIR") + set(IS_PLATFORMIO 1) + else() + set(IS_PLATFORMIO 0) + endif() + endif() + + if(EXISTS "${WOLFSSL_ESP_CRT_BUNDLE_DIR}" OR IS_PLATFORMIO) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Special processing for wolfSSL Certificate Bundles") set(bundle_name "x509_crt_bundle_wolfssl") # For now the certs are in the same directory @@ -824,9 +962,9 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE get_filename_component(custom_bundle_path ${CONFIG_WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH} ABSOLUTE BASE_DIR "${project_dir}") list(APPEND crt_paths ${custom_bundle_path}) - message(STATUS "Using a custom wolfSSL bundle path: ${custom_bundle_path}") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Using a custom wolfSSL bundle path: ${custom_bundle_path}") else() - message(STATUS "Not using a custom wolfSSL bundle path.") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Not using a custom wolfSSL bundle path") endif() list(APPEND args --input ${crt_paths} -q) @@ -843,25 +981,107 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE message(STATUS "args ${args}") message(STATUS "cert_bundle ${cert_bundle}") - # Generate bundle according to config - # File is generated at build time, not cmake load - add_custom_command(OUTPUT ${crt_bundle} - COMMAND ${GENERATE_CERT_BUNDLEPY} ARGS ${args} - DEPENDS ${custom_bundle_path} - VERBATIM) + if (IS_PLATFORMIO) + # PlatformIO cannot generate a Certificate Bundle at build time + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("PlatformIO is using a predefined bundle rather than generating one") - if(EXISTS "${crt_bundle}") - message(STATUS "Bundle file exists from prior build: ${crt_bundle}") + if ( "${WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}" STREQUAL "" OR "$(WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE)" STREQUAL "" OR "$(WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE)" STREQUAL "n") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Alternate Certificate Bundle Path and Name not enabled, assuming [project]/certs/x509_crt_bundle_wolfssl") + # Reminder this CMakeLists.txt should be in [project]/components/wolfssl, so ./certs is two directories up + set(crt_bundle_option "../../certs/x509_crt_bundle_wolfssl") + else() + string(SUBSTRING "${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}" 0 2 CERT_PATH_FIRST_TWO) + if(CERT_PATH_FIRST_TWO STREQUAL "./" OR CERT_PATH_FIRST_TWO STREQUAL ".\\") + set(IS_CERT_BUNDLE_RELATIVE_PATH 1) + message(STATUS "Alternate Cert Path is relative to project.") + else() + set(IS_CERT_BUNDLE_RELATIVE_PATH 0) + message(STATUS "Alternate Cert Path is not relative to project.") + endif() + + # The cert bundle is not a standard cert, so we con't add to the crt_paths. + # Still, we may have an alternate location, particulatly needed for PlatformIO: + if(IS_CERT_BUNDLE_RELATIVE_PATH) + message(STATUS "CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME = ${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + message(STATUS "Relative alternate_bundle_path: ${alternate_bundle_path}") + + SET(crt_bundle_option "${CMAKE_SOURCE_DIR}/${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + else() + message(STATUS "alternate_bundle_path: ${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + message(STATUS "Not using an alternate wolfSSL bundle file.") + SET(crt_bundle_option "${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + endif() + endif() + + # Clean the path, removing any extra "./" etc. + # Number of spaces in message strings is to align path value outputs + message(STATUS "This crt_bundle_option value: ${crt_bundle_option}") + if(${CMAKE_VERSION} VERSION_LESS "3.19") + message("WARNING: CMake version is ${CMAKE_VERSION} ? file(REAL_PATH ...) is not supported. Falling back to manual path normalization.") + # optional fallback logic here + get_filename_component(crt_bundle_file_component "${crt_bundle_option}" ABSOLUTE) + message(STATUS "Interim crt_bundle_file_component: ${crt_bundle_file_component}") + file(TO_CMAKE_PATH "${crt_bundle_file_component}" crt_bundle) + message(STATUS "TO_CMAKE_PATH crt_bundle result: ${crt_bundle}") + # set(crt_bundle "C:/workspace/pio_wolfssl-upstream-test-wolfssl_cert_bundle/esp32-c6/certs/x509_crt_bundle_wolfssl") + else() + file(REAL_PATH "${crt_bundle_option}" crt_bundle) + endif() + + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Certificate Bundle: ${crt_bundle}") + message(STATUS "This cleaned crt_bundle value: ${crt_bundle}") + message(STATUS "=============================================================================================================") + message(STATUS "=============================================================================================================") + message(STATUS "Reminder: platformio.ini will need this value set for board_build.embed_files =") + message(STATUS "${crt_bundle}") + message(STATUS "=============================================================================================================") + message(STATUS "=============================================================================================================") + + # e.g. SET(crt_bundle "C:/workspace/pio_wolfssl/esp32-c6/certs/x509_crt_bundle_wolfssl") + # + + # Normally x509_crt_bundle_wolfssl built by python script called from cmake. + # See https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/port/Espressif/esp_crt_bundle/gen_crt_bundle.py + # Reminder ESP-IDF scripts are NOT called from CMake for PlatformIO builds. + # + # The easiest way to generate the default file is to build with ESP-IDF and copy the files to [project]/main + # + # for example: + # build\VisualGDB\Debug\x509_crt_bundle_wolfssl.s + # build\VisualGDB\Debug\esp-idf\wolfssl\x509_crt_bundle_wolfssl + # + message(STATUS "Confirming cert bundle exists...") + if(EXISTS "${crt_bundle}") + # Number of spaces is to align path value outputs + message(STATUS "Bundle file found for PlatformIO: ${crt_bundle}") + else() + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("ERROR: Failed to find bundle file found for PlatformIO: ${crt_bundle}") + message(STATUS "Check for entry in platformio.ini: board_build.embed_files = certs/x509_crt_bundle_wolfssl ") + message(FATAL_ERROR "WOLFSSL_CERTIFICATE_BUNDLE is enabled for PlatformIO, but predefined file not found: ${crt_bundle}") + endif() else() - message(STATUS "Bundle file expected during next build: ${crt_bundle}") + # APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Generate bundle: ${GENERATE_CERT_BUNDLEPY} ${args}") + # Not PlatformIO + # Generate bundle according to config + # File is generated at build time, not cmake load + add_custom_command(OUTPUT ${crt_bundle} + COMMAND ${GENERATE_CERT_BUNDLEPY} ARGS ${args} + DEPENDS ${custom_bundle_path} + VERBATIM) + + if(EXISTS "${crt_bundle}") + message(STATUS "Bundle file exists from prior build: ${crt_bundle}") + else() + message(STATUS "Bundle file expected during next build: ${crt_bundle}") + endif() + + # Reminder the file is generated at build time, not cmake load time. + message(STATUS "wolfSSL Cert Bundle File to be created at build time in: ${crt_bundle}") endif() - # Reminder the file is generated at build time, not cmake load time. - message(STATUS "wolfSSL Cert Bundle File to be created at build time in: ${crt_bundle}") + add_custom_target(custom_wolfssl_bundle DEPENDS ${crt_bundle}) - add_custom_target(custom_wolfssl_bundle DEPENDS ${cert_bundle}) - - # the wolfSSL crtificate bundle is baked into wolfSSL + # the wolfSSL certificate bundle is baked into wolfSSL add_dependencies(${COMPONENT_LIB} custom_wolfssl_bundle) # COMPONENT_LIB may vary: __idf_wolfssl, __idf_esp_wolfssl, etc @@ -871,7 +1091,12 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE APPEND PROPERTY ADDITIONAL_CLEAN_FILES "${crt_bundle}") else() - message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but directory not found: ${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + if(IS_PLATFORMIO) + message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but cannot be generated in PlatformmIO") + else() + message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but directory not found: ${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + endif() + message(FATAL_ERROR "not detected") endif() endif() @@ -930,42 +1155,6 @@ endif() # end multiple component check -# -# LIBWOLFSSL_SAVE_INFO(VAR_OUPUT THIS_VAR VAR_RESULT) -# -# Save the THIS_VAR as a string in a macro called VAR_OUPUT -# -# VAR_OUPUT: the name of the macro to define -# THIS_VAR: the OUTPUT_VARIABLE result from a execute_process() -# VAR_RESULT: the RESULT_VARIABLE from a execute_process(); "0" if successful. -# -function ( LIBWOLFSSL_SAVE_INFO VAR_OUPUT THIS_VAR VAR_RESULT ) - # is the RESULT_VARIABLE output value 0? If so, IS_VALID_VALUE is true. - string(COMPARE EQUAL "${VAR_RESULT}" "0" IS_VALID_VALUE) - - # if we had a successful operation, save the THIS_VAR in VAR_OUPUT - if(${IS_VALID_VALUE}) - # strip newline chars in THIS_VAR parameter and save in VAR_VALUE - string(REPLACE "\n" "" VAR_VALUE ${THIS_VAR}) - - # we'll could percolate the value to the parent for possible later use - # set(${VAR_OUPUT} ${VAR_VALUE} PARENT_SCOPE) - - # but we're only using it here in this function - set(${VAR_OUPUT} ${VAR_VALUE}) - - # we'll print what we found to the console - message(STATUS "Found ${VAR_OUPUT}=${VAR_VALUE}") - - # the interesting part is defining the VAR_OUPUT name a value to use in the app - add_compile_definitions(${VAR_OUPUT}=\"${VAR_VALUE}\") - else() - # if we get here, check the execute_process command and parameters. - message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") - set(${VAR_OUPUT} "Unknown") - endif() -endfunction() # LIBWOLFSSL_SAVE_INFO - execute_process( COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree" OUTPUT_VARIABLE IS_GIT_REPO @@ -1049,6 +1238,14 @@ else() message(STATUS "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!") endif() +# A single instance of potentially multiple cmake messages to send to app: +message(STATUS "LIBWOLFSSL_CMAKE_OUTPUT: ${LIBWOLFSSL_CMAKE_OUTPUT}") +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}" "0") + +file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" + "\n" + "#endif\n" ) + message(STATUS "************************************************************************************************") message(STATUS "wolfSSL component config complete!") message(STATUS "************************************************************************************************") diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig index 9a7fcaa075..ee8dc7f1a2 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig @@ -274,10 +274,28 @@ menu "wolfSSL" bool "Do not use the default certificate bundle" endchoice + config WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE + depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + default n + bool "Use alternate certificate bundle" + help + Typically only used for PlatformIO which cannot generate a certificate bundle at build time. + Enable this option to specify a fixed wolfSSL certificate file path and file name. + + config WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME + depends on WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + string "Default certificate bundle alternate path and name" + default "./certs/x509_crt_bundle_wolfssl" + help + Name of the default certificate bundle directory. Typically used only with PlatformIO. + Reminder PlatformIO cannot generate a bundle from cmake python script call. Relative + paths are with respect to root of this project. + config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL default n bool "Add custom certificates to the default bundle" + config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH depends on WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL string "Custom certificate bundle path" @@ -430,6 +448,12 @@ menu "wolfSSL" help Enable debugging messages for wolfSSL. See user_settings.h for additional debug options. + config ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING + bool "Suppress build-time warnings for main stack size" + default n + help + Useful only when wolfSSL is running in main task. See FreeRTOS stack size for custom tasks. + config ESP_WOLFSSL_TEST_LOOP bool "Run test apps in a loop until failure" default y diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h index 488182ed6f..80f89fffe0 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h @@ -853,13 +853,18 @@ #ifndef NO_RSA #define ESP32_USE_RSA_PRIMITIVE - #if defined(CONFIG_IDF_TARGET_ESP32) - #ifdef CONFIG_ESP_MAIN_TASK_STACK_SIZE + #ifdef CONFIG_ESP_MAIN_TASK_STACK_SIZE + /* See idf.py menuconfig for stack warning settings */ + #if !defined(CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING) #if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500 - #warning "RSA may be difficult with less than 10KB Stack "/ + #warning "RSA may be difficult with less than 10KB Stack" #endif + #else + /* Implement your own stack warning here */ #endif + #endif + #if defined(CONFIG_IDF_TARGET_ESP32) /* NOTE HW unreliable for small values! */ /* threshold for performance adjustment for HW primitive use */ /* X bits of G^X mod P greater than */ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/CMakeLists.txt index cc7ef0d474..b4a2b74c11 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/CMakeLists.txt @@ -19,23 +19,62 @@ # # cmake for wolfssl Espressif projects # -# Version 5.7.2 Espressif ESP-IDF integration +# Version 5.8.0 Espressif ESP-IDF + PlatformIO integration (2) # # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html # message(STATUS "Begin wolfssl ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") cmake_minimum_required(VERSION 3.16) +# The scope of this CMAKE_C_FLAGS is just this component: +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") + +set(CMAKE_CURRENT_SOURCE_DIR ".") + +# Optionally set your source to wolfSSL in your project CMakeLists.txt like this: +# set(WOLFSSL_ROOT "c:/workspace/my_wolfssl" ) + +if ( "${WOLFSSL_ROOT}" STREQUAL "") + set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" ) +endif() + set(VERBOSE_COMPONENT_MESSAGES 1) # Optional requires include: # set(THIS_ESP_TLS "esp-tls") set(THIS_ESP_TLS "") +# LIBWOLFSSL_CMAKE_OUTPUT can be printed at runtime +set(LIBWOLFSSL_CMAKE_OUTPUT "") + + +if(CMAKE_BUILD_EARLY_EXPANSION) + message(STATUS "Skipping libwolfssl_output.h update during CMAKE_BUILD_EARLY_EXPANSION") +else() + # Initialize a new libwolfssl_output.h in the cmake build directory. + if( EXISTS "${CMAKE_BINARY_DIR}/libwolfssl_output.h") + # The next WRITE replaces a file. + # This is here to remove any ambiguity on file removal & generation. + file(REMOVE "${CMAKE_BINARY_DIR}/libwolfssl_output.h") + endif() + + file(WRITE "${CMAKE_BINARY_DIR}/libwolfssl_output.h" + "/* libwolfssl_output.h generated by wolfssl component */\n" + "#ifndef _LIBWOLFSSL_OUTPUT_H_\n" + "\n" + "#define _LIBWOLFSSL_OUTPUT_H_\n\n") +endif() + +# Append messages with: +# LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n"message" "0") +# See function: APPEND_LIBWOLFSSL_CMAKE_OUTPUT + # function: IS_ESP_IDF_COMPONENT # output: RESULT = 1 (true) if this component is located in the ESP-IDF components # otherwise 0 (false) -function( IS_ESP_IDF_COMPONENT RESULT ) +function( IS_ESP_IDF_COMPONENT + RESULT) # NOTE: Component location is based on the location of the CMakeList.txt # and *not* the location of the wolfSSL source code. (which may be anywhere) @@ -55,6 +94,96 @@ function( IS_ESP_IDF_COMPONENT RESULT ) endif() endfunction() +# +# LIBWOLFSSL_SAVE_INFO(VAR_OUTPUT THIS_VAR VAR_RESULT) +# +# Save the THIS_VAR as a string in a macro called VAR_OUTPUT +# +# VAR_OUTPUT: the name of the macro to define +# THIS_VAR: the OUTPUT_VARIABLE result from a execute_process() +# VAR_RESULT: the RESULT_VARIABLE from a execute_process(); "0" if successful. +# +function ( LIBWOLFSSL_SAVE_INFO VAR_OUTPUT THIS_VAR VAR_RESULT ) + # is the RESULT_VARIABLE output value 0? If so, IS_VALID_VALUE is true. + string(COMPARE EQUAL "${VAR_RESULT}" "0" IS_VALID_VALUE) + + # if we had a successful operation, save the THIS_VAR in VAR_OUTPUT + if(${IS_VALID_VALUE}) + + if(0) + # Optional debug + message(STATUS "Looking for LF in ${THIS_VAR}") + endif() + + # Check if the text to print in THIS_VAR is multi-line + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + list(LENGTH LINES LINE_COUNT) + + # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def + if(LINE_COUNT GREATER 1) + message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") + add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") + + # Split into lines + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + foreach(LINE IN LISTS LINES) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") + endforeach() + + # Final empty line to close the macro + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") + + message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") + target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") + else() + message(STATUS "No HAS_LIBWOLFSSL_OUTPUT_HEADER") + # We should not have any, but just to be sure: + # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE + string(REPLACE "\n" "" VAR_VALUE "${THIS_VAR}") + + # we'll could percolate the value to the parent for possible later use + # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) + + # but we're only using it here in this function + set(${VAR_OUTPUT} ${VAR_VALUE}) + + # we'll print what we found to the console + message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + + # the interesting part is defining the VAR_OUTPUT name a value to use in the app + add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") + + endif() + else() + # if we get here, check the execute_process command and parameters. + message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") + set(${VAR_OUTPUT} "Unknown") + endif() + + +endfunction() # LIBWOLFSSL_SAVE_INFO + +# +# APPEND_LIBWOLFSSL_CMAKE_OUTPUT(THIS_MESSAGE OUTPUT_VALUE) +# +# Append the text in THIS_MESSAGE to LIBWOLFSSL_CMAKE_OUTPUT. +# String is available at runtime in app +# + +function( APPEND_LIBWOLFSSL_CMAKE_OUTPUT + THIS_MESSAGE ) + # Normally, we'd simply print a message: + message(STATUS "${THIS_MESSAGE}") + + # But here we'll pass the entire LIBWOLFSSL_CMAKE_OUTPUT as a string definition to the app + set(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n${THIS_MESSAGE}" PARENT_SCOPE) + + # We don't call LIBWOLFSSL_SAVE_INFO here as it would add duplicate definitions + # See single instance at the end of this file. +endfunction() + # Determine if this cmake file is located in the ESP-IDF component directory or not, # and if so, if it is being ignored (allowing the use of a local project one, instead). IS_ESP_IDF_COMPONENT( IS_WOLSSL_ESP_IDF_COMPONENT ) @@ -77,20 +206,6 @@ else() message(STATUS "Cleaned wolfssl path: ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") endif() -# The scope of this CMAKE_C_FLAGS is just this component: -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") - -set(CMAKE_CURRENT_SOURCE_DIR ".") -# set(COMPONENT_REQUIRES lwip) # we typically don't need lwip directly in wolfssl component - -# Optionally set your source to wolfSSL in your project CMakeLists.txt like this: -# set(WOLFSSL_ROOT "c:/test/my_wolfssl" ) - -if ( "${WOLFSSL_ROOT}" STREQUAL "") - set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" ) -endif() - if( "$ENV{IDF_PATH}" STREQUAL "" ) message(FATAL_ERROR "IDF_PATH Environment variable not set!") else() @@ -185,7 +300,9 @@ endif() # Check environment variable name EVARPARAM as [name] # If defined, and has a value of EVARVALUE as [value], # then assign a compiler definition "-D[name]=[value]" -function(ENVIRONMENT_VAR_TO_MACRO EVARPARAM EVARVALUE) +function( ENVIRONMENT_VAR_TO_MACRO + EVARPARAM # Environment variable parameter name + EVARVALUE) # Environment variable value # If the EVARPARAM environment variable name is set to EVARVALUE, # set the compiler flag definition to enable CSV output. if ( "$ENV{${EVARPARAM}}" STREQUAL "${EVARVALUE}") @@ -217,7 +334,8 @@ endfunction() # function: IS_WOLFSSL_SOURCE # parameter: DIRECTORY_PARAMETER - the directory to test # output: RESULT = contains contents of DIRECTORY_PARAMETER for wolfssl directory, otherwise blank. -function( IS_WOLFSSL_SOURCE DIRECTORY_PARAMETER +function( IS_WOLFSSL_SOURCE + DIRECTORY_PARAMETER RESULT ) if (EXISTS "${DIRECTORY_PARAMETER}/wolfcrypt/src") set(${RESULT} "${DIRECTORY_PARAMETER}" PARENT_SCOPE) @@ -233,7 +351,8 @@ endfunction() # Example usage: # FIND_WOLFSSL_DIRECTORY(WOLFSSL_ROOT) # ********************************************************************************************* -function(FIND_WOLFSSL_DIRECTORY OUTPUT_FOUND_WOLFSSL_DIRECTORY) +function( FIND_WOLFSSL_DIRECTORY + OUTPUT_FOUND_WOLFSSL_DIRECTORY) message(STATUS "Starting FIND_WOLFSSL_DIRECTORY: ${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}") if ( "${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}" STREQUAL "" ) @@ -673,9 +792,9 @@ else() # depending on the environment, we may need to swap backslashes with forward slashes string(REPLACE "\\" "/" RTOS_IDF_PATH "$ENV{IDF_PATH}/components/freertos/FreeRTOS-Kernel/include/freertos") - if(WOLFSSL_ROOT) - string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT}) - endif() + if(WOLFSSL_ROOT) + string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT}) + endif() if(IS_DIRECTORY "${RTOS_IDF_PATH}") message(STATUS "Found current RTOS path: ${RTOS_IDF_PATH}") @@ -789,16 +908,35 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE AND NOT CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") ) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("wolfSSL Certificate Bundles Enabled") + if (CMAKE_BUILD_EARLY_EXPANSION) - message(ERROR "Bundle Cert initialization must occur during CMAKE_BUILD_EARLY_EXPANSION") + message(FATAL_ERROR "Bundle Cert initialization must occur during CMAKE_BUILD_EARLY_EXPANSION") endif() # reminder: we need a value for wolfSSL root first! if( "${WOLFSSL_ROOT}" STREQUAL "" ) - message(ERROR "Certificate bundles need a value for WOLFSSL_ROOT") + message(FATAL_ERROR "Certificate bundles need a value for WOLFSSL_ROOT") endif() + + # Cert bundle in wolfSSL source unless otherwise specified later set(WOLFSSL_ESP_CRT_BUNDLE_DIR ${WOLFSSL_ROOT}/wolfcrypt/src/port/Espressif/esp_crt_bundle) message(STATUS "WOLFSSL_ESP_CRT_BUNDLE_DIR=${WOLFSSL_ESP_CRT_BUNDLE_DIR}") - if(EXISTS "${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + + if(DEFINED ENV{PLATFORMIO_PROJECT_DIR}) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Detected PlatformIO") + set(IS_PLATFORMIO 1) + else() + # Some environments may not have environment variable, so double check if we are in .pio + if("${CMAKE_BINARY_DIR}" MATCHES "/\\.pio/") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Detected PlatformIO via CMAKE_BINARY_DIR") + set(IS_PLATFORMIO 1) + else() + set(IS_PLATFORMIO 0) + endif() + endif() + + if(EXISTS "${WOLFSSL_ESP_CRT_BUNDLE_DIR}" OR IS_PLATFORMIO) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Special processing for wolfSSL Certificate Bundles") set(bundle_name "x509_crt_bundle_wolfssl") # For now the certs are in the same directory @@ -824,9 +962,9 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE get_filename_component(custom_bundle_path ${CONFIG_WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH} ABSOLUTE BASE_DIR "${project_dir}") list(APPEND crt_paths ${custom_bundle_path}) - message(STATUS "Using a custom wolfSSL bundle path: ${custom_bundle_path}") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Using a custom wolfSSL bundle path: ${custom_bundle_path}") else() - message(STATUS "Not using a custom wolfSSL bundle path.") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Not using a custom wolfSSL bundle path") endif() list(APPEND args --input ${crt_paths} -q) @@ -843,25 +981,107 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE message(STATUS "args ${args}") message(STATUS "cert_bundle ${cert_bundle}") - # Generate bundle according to config - # File is generated at build time, not cmake load - add_custom_command(OUTPUT ${crt_bundle} - COMMAND ${GENERATE_CERT_BUNDLEPY} ARGS ${args} - DEPENDS ${custom_bundle_path} - VERBATIM) + if (IS_PLATFORMIO) + # PlatformIO cannot generate a Certificate Bundle at build time + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("PlatformIO is using a predefined bundle rather than generating one") - if(EXISTS "${crt_bundle}") - message(STATUS "Bundle file exists from prior build: ${crt_bundle}") + if ( "${WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}" STREQUAL "" OR "$(WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE)" STREQUAL "" OR "$(WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE)" STREQUAL "n") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Alternate Certificate Bundle Path and Name not enabled, assuming [project]/certs/x509_crt_bundle_wolfssl") + # Reminder this CMakeLists.txt should be in [project]/components/wolfssl, so ./certs is two directories up + set(crt_bundle_option "../../certs/x509_crt_bundle_wolfssl") + else() + string(SUBSTRING "${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}" 0 2 CERT_PATH_FIRST_TWO) + if(CERT_PATH_FIRST_TWO STREQUAL "./" OR CERT_PATH_FIRST_TWO STREQUAL ".\\") + set(IS_CERT_BUNDLE_RELATIVE_PATH 1) + message(STATUS "Alternate Cert Path is relative to project.") + else() + set(IS_CERT_BUNDLE_RELATIVE_PATH 0) + message(STATUS "Alternate Cert Path is not relative to project.") + endif() + + # The cert bundle is not a standard cert, so we con't add to the crt_paths. + # Still, we may have an alternate location, particulatly needed for PlatformIO: + if(IS_CERT_BUNDLE_RELATIVE_PATH) + message(STATUS "CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME = ${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + message(STATUS "Relative alternate_bundle_path: ${alternate_bundle_path}") + + SET(crt_bundle_option "${CMAKE_SOURCE_DIR}/${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + else() + message(STATUS "alternate_bundle_path: ${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + message(STATUS "Not using an alternate wolfSSL bundle file.") + SET(crt_bundle_option "${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + endif() + endif() + + # Clean the path, removing any extra "./" etc. + # Number of spaces in message strings is to align path value outputs + message(STATUS "This crt_bundle_option value: ${crt_bundle_option}") + if(${CMAKE_VERSION} VERSION_LESS "3.19") + message("WARNING: CMake version is ${CMAKE_VERSION} ? file(REAL_PATH ...) is not supported. Falling back to manual path normalization.") + # optional fallback logic here + get_filename_component(crt_bundle_file_component "${crt_bundle_option}" ABSOLUTE) + message(STATUS "Interim crt_bundle_file_component: ${crt_bundle_file_component}") + file(TO_CMAKE_PATH "${crt_bundle_file_component}" crt_bundle) + message(STATUS "TO_CMAKE_PATH crt_bundle result: ${crt_bundle}") + # set(crt_bundle "C:/workspace/pio_wolfssl-upstream-test-wolfssl_cert_bundle/esp32-c6/certs/x509_crt_bundle_wolfssl") + else() + file(REAL_PATH "${crt_bundle_option}" crt_bundle) + endif() + + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Certificate Bundle: ${crt_bundle}") + message(STATUS "This cleaned crt_bundle value: ${crt_bundle}") + message(STATUS "=============================================================================================================") + message(STATUS "=============================================================================================================") + message(STATUS "Reminder: platformio.ini will need this value set for board_build.embed_files =") + message(STATUS "${crt_bundle}") + message(STATUS "=============================================================================================================") + message(STATUS "=============================================================================================================") + + # e.g. SET(crt_bundle "C:/workspace/pio_wolfssl/esp32-c6/certs/x509_crt_bundle_wolfssl") + # + + # Normally x509_crt_bundle_wolfssl built by python script called from cmake. + # See https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/port/Espressif/esp_crt_bundle/gen_crt_bundle.py + # Reminder ESP-IDF scripts are NOT called from CMake for PlatformIO builds. + # + # The easiest way to generate the default file is to build with ESP-IDF and copy the files to [project]/main + # + # for example: + # build\VisualGDB\Debug\x509_crt_bundle_wolfssl.s + # build\VisualGDB\Debug\esp-idf\wolfssl\x509_crt_bundle_wolfssl + # + message(STATUS "Confirming cert bundle exists...") + if(EXISTS "${crt_bundle}") + # Number of spaces is to align path value outputs + message(STATUS "Bundle file found for PlatformIO: ${crt_bundle}") + else() + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("ERROR: Failed to find bundle file found for PlatformIO: ${crt_bundle}") + message(STATUS "Check for entry in platformio.ini: board_build.embed_files = certs/x509_crt_bundle_wolfssl ") + message(FATAL_ERROR "WOLFSSL_CERTIFICATE_BUNDLE is enabled for PlatformIO, but predefined file not found: ${crt_bundle}") + endif() else() - message(STATUS "Bundle file expected during next build: ${crt_bundle}") + # APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Generate bundle: ${GENERATE_CERT_BUNDLEPY} ${args}") + # Not PlatformIO + # Generate bundle according to config + # File is generated at build time, not cmake load + add_custom_command(OUTPUT ${crt_bundle} + COMMAND ${GENERATE_CERT_BUNDLEPY} ARGS ${args} + DEPENDS ${custom_bundle_path} + VERBATIM) + + if(EXISTS "${crt_bundle}") + message(STATUS "Bundle file exists from prior build: ${crt_bundle}") + else() + message(STATUS "Bundle file expected during next build: ${crt_bundle}") + endif() + + # Reminder the file is generated at build time, not cmake load time. + message(STATUS "wolfSSL Cert Bundle File to be created at build time in: ${crt_bundle}") endif() - # Reminder the file is generated at build time, not cmake load time. - message(STATUS "wolfSSL Cert Bundle File to be created at build time in: ${crt_bundle}") + add_custom_target(custom_wolfssl_bundle DEPENDS ${crt_bundle}) - add_custom_target(custom_wolfssl_bundle DEPENDS ${cert_bundle}) - - # the wolfSSL crtificate bundle is baked into wolfSSL + # the wolfSSL certificate bundle is baked into wolfSSL add_dependencies(${COMPONENT_LIB} custom_wolfssl_bundle) # COMPONENT_LIB may vary: __idf_wolfssl, __idf_esp_wolfssl, etc @@ -871,7 +1091,12 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE APPEND PROPERTY ADDITIONAL_CLEAN_FILES "${crt_bundle}") else() - message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but directory not found: ${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + if(IS_PLATFORMIO) + message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but cannot be generated in PlatformmIO") + else() + message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but directory not found: ${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + endif() + message(FATAL_ERROR "not detected") endif() endif() @@ -930,42 +1155,6 @@ endif() # end multiple component check -# -# LIBWOLFSSL_SAVE_INFO(VAR_OUPUT THIS_VAR VAR_RESULT) -# -# Save the THIS_VAR as a string in a macro called VAR_OUPUT -# -# VAR_OUPUT: the name of the macro to define -# THIS_VAR: the OUTPUT_VARIABLE result from a execute_process() -# VAR_RESULT: the RESULT_VARIABLE from a execute_process(); "0" if successful. -# -function ( LIBWOLFSSL_SAVE_INFO VAR_OUPUT THIS_VAR VAR_RESULT ) - # is the RESULT_VARIABLE output value 0? If so, IS_VALID_VALUE is true. - string(COMPARE EQUAL "${VAR_RESULT}" "0" IS_VALID_VALUE) - - # if we had a successful operation, save the THIS_VAR in VAR_OUPUT - if(${IS_VALID_VALUE}) - # strip newline chars in THIS_VAR parameter and save in VAR_VALUE - string(REPLACE "\n" "" VAR_VALUE ${THIS_VAR}) - - # we'll could percolate the value to the parent for possible later use - # set(${VAR_OUPUT} ${VAR_VALUE} PARENT_SCOPE) - - # but we're only using it here in this function - set(${VAR_OUPUT} ${VAR_VALUE}) - - # we'll print what we found to the console - message(STATUS "Found ${VAR_OUPUT}=${VAR_VALUE}") - - # the interesting part is defining the VAR_OUPUT name a value to use in the app - add_compile_definitions(${VAR_OUPUT}=\"${VAR_VALUE}\") - else() - # if we get here, check the execute_process command and parameters. - message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") - set(${VAR_OUPUT} "Unknown") - endif() -endfunction() # LIBWOLFSSL_SAVE_INFO - execute_process( COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree" OUTPUT_VARIABLE IS_GIT_REPO @@ -1049,6 +1238,14 @@ else() message(STATUS "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!") endif() +# A single instance of potentially multiple cmake messages to send to app: +message(STATUS "LIBWOLFSSL_CMAKE_OUTPUT: ${LIBWOLFSSL_CMAKE_OUTPUT}") +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}" "0") + +file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" + "\n" + "#endif\n" ) + message(STATUS "************************************************************************************************") message(STATUS "wolfSSL component config complete!") message(STATUS "************************************************************************************************") diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig index 9a7fcaa075..ee8dc7f1a2 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig @@ -274,10 +274,28 @@ menu "wolfSSL" bool "Do not use the default certificate bundle" endchoice + config WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE + depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + default n + bool "Use alternate certificate bundle" + help + Typically only used for PlatformIO which cannot generate a certificate bundle at build time. + Enable this option to specify a fixed wolfSSL certificate file path and file name. + + config WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME + depends on WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + string "Default certificate bundle alternate path and name" + default "./certs/x509_crt_bundle_wolfssl" + help + Name of the default certificate bundle directory. Typically used only with PlatformIO. + Reminder PlatformIO cannot generate a bundle from cmake python script call. Relative + paths are with respect to root of this project. + config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL default n bool "Add custom certificates to the default bundle" + config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH depends on WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL string "Custom certificate bundle path" @@ -430,6 +448,12 @@ menu "wolfSSL" help Enable debugging messages for wolfSSL. See user_settings.h for additional debug options. + config ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING + bool "Suppress build-time warnings for main stack size" + default n + help + Useful only when wolfSSL is running in main task. See FreeRTOS stack size for custom tasks. + config ESP_WOLFSSL_TEST_LOOP bool "Run test apps in a loop until failure" default y diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h index 488182ed6f..80f89fffe0 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h @@ -853,13 +853,18 @@ #ifndef NO_RSA #define ESP32_USE_RSA_PRIMITIVE - #if defined(CONFIG_IDF_TARGET_ESP32) - #ifdef CONFIG_ESP_MAIN_TASK_STACK_SIZE + #ifdef CONFIG_ESP_MAIN_TASK_STACK_SIZE + /* See idf.py menuconfig for stack warning settings */ + #if !defined(CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING) #if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500 - #warning "RSA may be difficult with less than 10KB Stack "/ + #warning "RSA may be difficult with less than 10KB Stack" #endif + #else + /* Implement your own stack warning here */ #endif + #endif + #if defined(CONFIG_IDF_TARGET_ESP32) /* NOTE HW unreliable for small values! */ /* threshold for performance adjustment for HW primitive use */ /* X bits of G^X mod P greater than */ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/CMakeLists.txt index cc7ef0d474..b4a2b74c11 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/CMakeLists.txt @@ -19,23 +19,62 @@ # # cmake for wolfssl Espressif projects # -# Version 5.7.2 Espressif ESP-IDF integration +# Version 5.8.0 Espressif ESP-IDF + PlatformIO integration (2) # # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html # message(STATUS "Begin wolfssl ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") cmake_minimum_required(VERSION 3.16) +# The scope of this CMAKE_C_FLAGS is just this component: +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") + +set(CMAKE_CURRENT_SOURCE_DIR ".") + +# Optionally set your source to wolfSSL in your project CMakeLists.txt like this: +# set(WOLFSSL_ROOT "c:/workspace/my_wolfssl" ) + +if ( "${WOLFSSL_ROOT}" STREQUAL "") + set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" ) +endif() + set(VERBOSE_COMPONENT_MESSAGES 1) # Optional requires include: # set(THIS_ESP_TLS "esp-tls") set(THIS_ESP_TLS "") +# LIBWOLFSSL_CMAKE_OUTPUT can be printed at runtime +set(LIBWOLFSSL_CMAKE_OUTPUT "") + + +if(CMAKE_BUILD_EARLY_EXPANSION) + message(STATUS "Skipping libwolfssl_output.h update during CMAKE_BUILD_EARLY_EXPANSION") +else() + # Initialize a new libwolfssl_output.h in the cmake build directory. + if( EXISTS "${CMAKE_BINARY_DIR}/libwolfssl_output.h") + # The next WRITE replaces a file. + # This is here to remove any ambiguity on file removal & generation. + file(REMOVE "${CMAKE_BINARY_DIR}/libwolfssl_output.h") + endif() + + file(WRITE "${CMAKE_BINARY_DIR}/libwolfssl_output.h" + "/* libwolfssl_output.h generated by wolfssl component */\n" + "#ifndef _LIBWOLFSSL_OUTPUT_H_\n" + "\n" + "#define _LIBWOLFSSL_OUTPUT_H_\n\n") +endif() + +# Append messages with: +# LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n"message" "0") +# See function: APPEND_LIBWOLFSSL_CMAKE_OUTPUT + # function: IS_ESP_IDF_COMPONENT # output: RESULT = 1 (true) if this component is located in the ESP-IDF components # otherwise 0 (false) -function( IS_ESP_IDF_COMPONENT RESULT ) +function( IS_ESP_IDF_COMPONENT + RESULT) # NOTE: Component location is based on the location of the CMakeList.txt # and *not* the location of the wolfSSL source code. (which may be anywhere) @@ -55,6 +94,96 @@ function( IS_ESP_IDF_COMPONENT RESULT ) endif() endfunction() +# +# LIBWOLFSSL_SAVE_INFO(VAR_OUTPUT THIS_VAR VAR_RESULT) +# +# Save the THIS_VAR as a string in a macro called VAR_OUTPUT +# +# VAR_OUTPUT: the name of the macro to define +# THIS_VAR: the OUTPUT_VARIABLE result from a execute_process() +# VAR_RESULT: the RESULT_VARIABLE from a execute_process(); "0" if successful. +# +function ( LIBWOLFSSL_SAVE_INFO VAR_OUTPUT THIS_VAR VAR_RESULT ) + # is the RESULT_VARIABLE output value 0? If so, IS_VALID_VALUE is true. + string(COMPARE EQUAL "${VAR_RESULT}" "0" IS_VALID_VALUE) + + # if we had a successful operation, save the THIS_VAR in VAR_OUTPUT + if(${IS_VALID_VALUE}) + + if(0) + # Optional debug + message(STATUS "Looking for LF in ${THIS_VAR}") + endif() + + # Check if the text to print in THIS_VAR is multi-line + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + list(LENGTH LINES LINE_COUNT) + + # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def + if(LINE_COUNT GREATER 1) + message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") + add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") + + # Split into lines + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + foreach(LINE IN LISTS LINES) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") + endforeach() + + # Final empty line to close the macro + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") + + message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") + target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") + else() + message(STATUS "No HAS_LIBWOLFSSL_OUTPUT_HEADER") + # We should not have any, but just to be sure: + # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE + string(REPLACE "\n" "" VAR_VALUE "${THIS_VAR}") + + # we'll could percolate the value to the parent for possible later use + # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) + + # but we're only using it here in this function + set(${VAR_OUTPUT} ${VAR_VALUE}) + + # we'll print what we found to the console + message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + + # the interesting part is defining the VAR_OUTPUT name a value to use in the app + add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") + + endif() + else() + # if we get here, check the execute_process command and parameters. + message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") + set(${VAR_OUTPUT} "Unknown") + endif() + + +endfunction() # LIBWOLFSSL_SAVE_INFO + +# +# APPEND_LIBWOLFSSL_CMAKE_OUTPUT(THIS_MESSAGE OUTPUT_VALUE) +# +# Append the text in THIS_MESSAGE to LIBWOLFSSL_CMAKE_OUTPUT. +# String is available at runtime in app +# + +function( APPEND_LIBWOLFSSL_CMAKE_OUTPUT + THIS_MESSAGE ) + # Normally, we'd simply print a message: + message(STATUS "${THIS_MESSAGE}") + + # But here we'll pass the entire LIBWOLFSSL_CMAKE_OUTPUT as a string definition to the app + set(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n${THIS_MESSAGE}" PARENT_SCOPE) + + # We don't call LIBWOLFSSL_SAVE_INFO here as it would add duplicate definitions + # See single instance at the end of this file. +endfunction() + # Determine if this cmake file is located in the ESP-IDF component directory or not, # and if so, if it is being ignored (allowing the use of a local project one, instead). IS_ESP_IDF_COMPONENT( IS_WOLSSL_ESP_IDF_COMPONENT ) @@ -77,20 +206,6 @@ else() message(STATUS "Cleaned wolfssl path: ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") endif() -# The scope of this CMAKE_C_FLAGS is just this component: -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") - -set(CMAKE_CURRENT_SOURCE_DIR ".") -# set(COMPONENT_REQUIRES lwip) # we typically don't need lwip directly in wolfssl component - -# Optionally set your source to wolfSSL in your project CMakeLists.txt like this: -# set(WOLFSSL_ROOT "c:/test/my_wolfssl" ) - -if ( "${WOLFSSL_ROOT}" STREQUAL "") - set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" ) -endif() - if( "$ENV{IDF_PATH}" STREQUAL "" ) message(FATAL_ERROR "IDF_PATH Environment variable not set!") else() @@ -185,7 +300,9 @@ endif() # Check environment variable name EVARPARAM as [name] # If defined, and has a value of EVARVALUE as [value], # then assign a compiler definition "-D[name]=[value]" -function(ENVIRONMENT_VAR_TO_MACRO EVARPARAM EVARVALUE) +function( ENVIRONMENT_VAR_TO_MACRO + EVARPARAM # Environment variable parameter name + EVARVALUE) # Environment variable value # If the EVARPARAM environment variable name is set to EVARVALUE, # set the compiler flag definition to enable CSV output. if ( "$ENV{${EVARPARAM}}" STREQUAL "${EVARVALUE}") @@ -217,7 +334,8 @@ endfunction() # function: IS_WOLFSSL_SOURCE # parameter: DIRECTORY_PARAMETER - the directory to test # output: RESULT = contains contents of DIRECTORY_PARAMETER for wolfssl directory, otherwise blank. -function( IS_WOLFSSL_SOURCE DIRECTORY_PARAMETER +function( IS_WOLFSSL_SOURCE + DIRECTORY_PARAMETER RESULT ) if (EXISTS "${DIRECTORY_PARAMETER}/wolfcrypt/src") set(${RESULT} "${DIRECTORY_PARAMETER}" PARENT_SCOPE) @@ -233,7 +351,8 @@ endfunction() # Example usage: # FIND_WOLFSSL_DIRECTORY(WOLFSSL_ROOT) # ********************************************************************************************* -function(FIND_WOLFSSL_DIRECTORY OUTPUT_FOUND_WOLFSSL_DIRECTORY) +function( FIND_WOLFSSL_DIRECTORY + OUTPUT_FOUND_WOLFSSL_DIRECTORY) message(STATUS "Starting FIND_WOLFSSL_DIRECTORY: ${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}") if ( "${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}" STREQUAL "" ) @@ -673,9 +792,9 @@ else() # depending on the environment, we may need to swap backslashes with forward slashes string(REPLACE "\\" "/" RTOS_IDF_PATH "$ENV{IDF_PATH}/components/freertos/FreeRTOS-Kernel/include/freertos") - if(WOLFSSL_ROOT) - string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT}) - endif() + if(WOLFSSL_ROOT) + string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT}) + endif() if(IS_DIRECTORY "${RTOS_IDF_PATH}") message(STATUS "Found current RTOS path: ${RTOS_IDF_PATH}") @@ -789,16 +908,35 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE AND NOT CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") ) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("wolfSSL Certificate Bundles Enabled") + if (CMAKE_BUILD_EARLY_EXPANSION) - message(ERROR "Bundle Cert initialization must occur during CMAKE_BUILD_EARLY_EXPANSION") + message(FATAL_ERROR "Bundle Cert initialization must occur during CMAKE_BUILD_EARLY_EXPANSION") endif() # reminder: we need a value for wolfSSL root first! if( "${WOLFSSL_ROOT}" STREQUAL "" ) - message(ERROR "Certificate bundles need a value for WOLFSSL_ROOT") + message(FATAL_ERROR "Certificate bundles need a value for WOLFSSL_ROOT") endif() + + # Cert bundle in wolfSSL source unless otherwise specified later set(WOLFSSL_ESP_CRT_BUNDLE_DIR ${WOLFSSL_ROOT}/wolfcrypt/src/port/Espressif/esp_crt_bundle) message(STATUS "WOLFSSL_ESP_CRT_BUNDLE_DIR=${WOLFSSL_ESP_CRT_BUNDLE_DIR}") - if(EXISTS "${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + + if(DEFINED ENV{PLATFORMIO_PROJECT_DIR}) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Detected PlatformIO") + set(IS_PLATFORMIO 1) + else() + # Some environments may not have environment variable, so double check if we are in .pio + if("${CMAKE_BINARY_DIR}" MATCHES "/\\.pio/") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Detected PlatformIO via CMAKE_BINARY_DIR") + set(IS_PLATFORMIO 1) + else() + set(IS_PLATFORMIO 0) + endif() + endif() + + if(EXISTS "${WOLFSSL_ESP_CRT_BUNDLE_DIR}" OR IS_PLATFORMIO) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Special processing for wolfSSL Certificate Bundles") set(bundle_name "x509_crt_bundle_wolfssl") # For now the certs are in the same directory @@ -824,9 +962,9 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE get_filename_component(custom_bundle_path ${CONFIG_WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH} ABSOLUTE BASE_DIR "${project_dir}") list(APPEND crt_paths ${custom_bundle_path}) - message(STATUS "Using a custom wolfSSL bundle path: ${custom_bundle_path}") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Using a custom wolfSSL bundle path: ${custom_bundle_path}") else() - message(STATUS "Not using a custom wolfSSL bundle path.") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Not using a custom wolfSSL bundle path") endif() list(APPEND args --input ${crt_paths} -q) @@ -843,25 +981,107 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE message(STATUS "args ${args}") message(STATUS "cert_bundle ${cert_bundle}") - # Generate bundle according to config - # File is generated at build time, not cmake load - add_custom_command(OUTPUT ${crt_bundle} - COMMAND ${GENERATE_CERT_BUNDLEPY} ARGS ${args} - DEPENDS ${custom_bundle_path} - VERBATIM) + if (IS_PLATFORMIO) + # PlatformIO cannot generate a Certificate Bundle at build time + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("PlatformIO is using a predefined bundle rather than generating one") - if(EXISTS "${crt_bundle}") - message(STATUS "Bundle file exists from prior build: ${crt_bundle}") + if ( "${WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}" STREQUAL "" OR "$(WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE)" STREQUAL "" OR "$(WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE)" STREQUAL "n") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Alternate Certificate Bundle Path and Name not enabled, assuming [project]/certs/x509_crt_bundle_wolfssl") + # Reminder this CMakeLists.txt should be in [project]/components/wolfssl, so ./certs is two directories up + set(crt_bundle_option "../../certs/x509_crt_bundle_wolfssl") + else() + string(SUBSTRING "${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}" 0 2 CERT_PATH_FIRST_TWO) + if(CERT_PATH_FIRST_TWO STREQUAL "./" OR CERT_PATH_FIRST_TWO STREQUAL ".\\") + set(IS_CERT_BUNDLE_RELATIVE_PATH 1) + message(STATUS "Alternate Cert Path is relative to project.") + else() + set(IS_CERT_BUNDLE_RELATIVE_PATH 0) + message(STATUS "Alternate Cert Path is not relative to project.") + endif() + + # The cert bundle is not a standard cert, so we con't add to the crt_paths. + # Still, we may have an alternate location, particulatly needed for PlatformIO: + if(IS_CERT_BUNDLE_RELATIVE_PATH) + message(STATUS "CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME = ${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + message(STATUS "Relative alternate_bundle_path: ${alternate_bundle_path}") + + SET(crt_bundle_option "${CMAKE_SOURCE_DIR}/${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + else() + message(STATUS "alternate_bundle_path: ${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + message(STATUS "Not using an alternate wolfSSL bundle file.") + SET(crt_bundle_option "${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + endif() + endif() + + # Clean the path, removing any extra "./" etc. + # Number of spaces in message strings is to align path value outputs + message(STATUS "This crt_bundle_option value: ${crt_bundle_option}") + if(${CMAKE_VERSION} VERSION_LESS "3.19") + message("WARNING: CMake version is ${CMAKE_VERSION} ? file(REAL_PATH ...) is not supported. Falling back to manual path normalization.") + # optional fallback logic here + get_filename_component(crt_bundle_file_component "${crt_bundle_option}" ABSOLUTE) + message(STATUS "Interim crt_bundle_file_component: ${crt_bundle_file_component}") + file(TO_CMAKE_PATH "${crt_bundle_file_component}" crt_bundle) + message(STATUS "TO_CMAKE_PATH crt_bundle result: ${crt_bundle}") + # set(crt_bundle "C:/workspace/pio_wolfssl-upstream-test-wolfssl_cert_bundle/esp32-c6/certs/x509_crt_bundle_wolfssl") + else() + file(REAL_PATH "${crt_bundle_option}" crt_bundle) + endif() + + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Certificate Bundle: ${crt_bundle}") + message(STATUS "This cleaned crt_bundle value: ${crt_bundle}") + message(STATUS "=============================================================================================================") + message(STATUS "=============================================================================================================") + message(STATUS "Reminder: platformio.ini will need this value set for board_build.embed_files =") + message(STATUS "${crt_bundle}") + message(STATUS "=============================================================================================================") + message(STATUS "=============================================================================================================") + + # e.g. SET(crt_bundle "C:/workspace/pio_wolfssl/esp32-c6/certs/x509_crt_bundle_wolfssl") + # + + # Normally x509_crt_bundle_wolfssl built by python script called from cmake. + # See https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/port/Espressif/esp_crt_bundle/gen_crt_bundle.py + # Reminder ESP-IDF scripts are NOT called from CMake for PlatformIO builds. + # + # The easiest way to generate the default file is to build with ESP-IDF and copy the files to [project]/main + # + # for example: + # build\VisualGDB\Debug\x509_crt_bundle_wolfssl.s + # build\VisualGDB\Debug\esp-idf\wolfssl\x509_crt_bundle_wolfssl + # + message(STATUS "Confirming cert bundle exists...") + if(EXISTS "${crt_bundle}") + # Number of spaces is to align path value outputs + message(STATUS "Bundle file found for PlatformIO: ${crt_bundle}") + else() + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("ERROR: Failed to find bundle file found for PlatformIO: ${crt_bundle}") + message(STATUS "Check for entry in platformio.ini: board_build.embed_files = certs/x509_crt_bundle_wolfssl ") + message(FATAL_ERROR "WOLFSSL_CERTIFICATE_BUNDLE is enabled for PlatformIO, but predefined file not found: ${crt_bundle}") + endif() else() - message(STATUS "Bundle file expected during next build: ${crt_bundle}") + # APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Generate bundle: ${GENERATE_CERT_BUNDLEPY} ${args}") + # Not PlatformIO + # Generate bundle according to config + # File is generated at build time, not cmake load + add_custom_command(OUTPUT ${crt_bundle} + COMMAND ${GENERATE_CERT_BUNDLEPY} ARGS ${args} + DEPENDS ${custom_bundle_path} + VERBATIM) + + if(EXISTS "${crt_bundle}") + message(STATUS "Bundle file exists from prior build: ${crt_bundle}") + else() + message(STATUS "Bundle file expected during next build: ${crt_bundle}") + endif() + + # Reminder the file is generated at build time, not cmake load time. + message(STATUS "wolfSSL Cert Bundle File to be created at build time in: ${crt_bundle}") endif() - # Reminder the file is generated at build time, not cmake load time. - message(STATUS "wolfSSL Cert Bundle File to be created at build time in: ${crt_bundle}") + add_custom_target(custom_wolfssl_bundle DEPENDS ${crt_bundle}) - add_custom_target(custom_wolfssl_bundle DEPENDS ${cert_bundle}) - - # the wolfSSL crtificate bundle is baked into wolfSSL + # the wolfSSL certificate bundle is baked into wolfSSL add_dependencies(${COMPONENT_LIB} custom_wolfssl_bundle) # COMPONENT_LIB may vary: __idf_wolfssl, __idf_esp_wolfssl, etc @@ -871,7 +1091,12 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE APPEND PROPERTY ADDITIONAL_CLEAN_FILES "${crt_bundle}") else() - message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but directory not found: ${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + if(IS_PLATFORMIO) + message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but cannot be generated in PlatformmIO") + else() + message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but directory not found: ${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + endif() + message(FATAL_ERROR "not detected") endif() endif() @@ -930,42 +1155,6 @@ endif() # end multiple component check -# -# LIBWOLFSSL_SAVE_INFO(VAR_OUPUT THIS_VAR VAR_RESULT) -# -# Save the THIS_VAR as a string in a macro called VAR_OUPUT -# -# VAR_OUPUT: the name of the macro to define -# THIS_VAR: the OUTPUT_VARIABLE result from a execute_process() -# VAR_RESULT: the RESULT_VARIABLE from a execute_process(); "0" if successful. -# -function ( LIBWOLFSSL_SAVE_INFO VAR_OUPUT THIS_VAR VAR_RESULT ) - # is the RESULT_VARIABLE output value 0? If so, IS_VALID_VALUE is true. - string(COMPARE EQUAL "${VAR_RESULT}" "0" IS_VALID_VALUE) - - # if we had a successful operation, save the THIS_VAR in VAR_OUPUT - if(${IS_VALID_VALUE}) - # strip newline chars in THIS_VAR parameter and save in VAR_VALUE - string(REPLACE "\n" "" VAR_VALUE ${THIS_VAR}) - - # we'll could percolate the value to the parent for possible later use - # set(${VAR_OUPUT} ${VAR_VALUE} PARENT_SCOPE) - - # but we're only using it here in this function - set(${VAR_OUPUT} ${VAR_VALUE}) - - # we'll print what we found to the console - message(STATUS "Found ${VAR_OUPUT}=${VAR_VALUE}") - - # the interesting part is defining the VAR_OUPUT name a value to use in the app - add_compile_definitions(${VAR_OUPUT}=\"${VAR_VALUE}\") - else() - # if we get here, check the execute_process command and parameters. - message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") - set(${VAR_OUPUT} "Unknown") - endif() -endfunction() # LIBWOLFSSL_SAVE_INFO - execute_process( COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree" OUTPUT_VARIABLE IS_GIT_REPO @@ -1049,6 +1238,14 @@ else() message(STATUS "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!") endif() +# A single instance of potentially multiple cmake messages to send to app: +message(STATUS "LIBWOLFSSL_CMAKE_OUTPUT: ${LIBWOLFSSL_CMAKE_OUTPUT}") +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}" "0") + +file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" + "\n" + "#endif\n" ) + message(STATUS "************************************************************************************************") message(STATUS "wolfSSL component config complete!") message(STATUS "************************************************************************************************") diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig index 9a7fcaa075..ee8dc7f1a2 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig @@ -274,10 +274,28 @@ menu "wolfSSL" bool "Do not use the default certificate bundle" endchoice + config WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE + depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + default n + bool "Use alternate certificate bundle" + help + Typically only used for PlatformIO which cannot generate a certificate bundle at build time. + Enable this option to specify a fixed wolfSSL certificate file path and file name. + + config WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME + depends on WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + string "Default certificate bundle alternate path and name" + default "./certs/x509_crt_bundle_wolfssl" + help + Name of the default certificate bundle directory. Typically used only with PlatformIO. + Reminder PlatformIO cannot generate a bundle from cmake python script call. Relative + paths are with respect to root of this project. + config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL default n bool "Add custom certificates to the default bundle" + config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH depends on WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL string "Custom certificate bundle path" @@ -430,6 +448,12 @@ menu "wolfSSL" help Enable debugging messages for wolfSSL. See user_settings.h for additional debug options. + config ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING + bool "Suppress build-time warnings for main stack size" + default n + help + Useful only when wolfSSL is running in main task. See FreeRTOS stack size for custom tasks. + config ESP_WOLFSSL_TEST_LOOP bool "Run test apps in a loop until failure" default y diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h index 488182ed6f..80f89fffe0 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h @@ -853,13 +853,18 @@ #ifndef NO_RSA #define ESP32_USE_RSA_PRIMITIVE - #if defined(CONFIG_IDF_TARGET_ESP32) - #ifdef CONFIG_ESP_MAIN_TASK_STACK_SIZE + #ifdef CONFIG_ESP_MAIN_TASK_STACK_SIZE + /* See idf.py menuconfig for stack warning settings */ + #if !defined(CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING) #if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500 - #warning "RSA may be difficult with less than 10KB Stack "/ + #warning "RSA may be difficult with less than 10KB Stack" #endif + #else + /* Implement your own stack warning here */ #endif + #endif + #if defined(CONFIG_IDF_TARGET_ESP32) /* NOTE HW unreliable for small values! */ /* threshold for performance adjustment for HW primitive use */ /* X bits of G^X mod P greater than */ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/CMakeLists.txt index cc7ef0d474..b4a2b74c11 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/CMakeLists.txt @@ -19,23 +19,62 @@ # # cmake for wolfssl Espressif projects # -# Version 5.7.2 Espressif ESP-IDF integration +# Version 5.8.0 Espressif ESP-IDF + PlatformIO integration (2) # # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html # message(STATUS "Begin wolfssl ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") cmake_minimum_required(VERSION 3.16) +# The scope of this CMAKE_C_FLAGS is just this component: +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") + +set(CMAKE_CURRENT_SOURCE_DIR ".") + +# Optionally set your source to wolfSSL in your project CMakeLists.txt like this: +# set(WOLFSSL_ROOT "c:/workspace/my_wolfssl" ) + +if ( "${WOLFSSL_ROOT}" STREQUAL "") + set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" ) +endif() + set(VERBOSE_COMPONENT_MESSAGES 1) # Optional requires include: # set(THIS_ESP_TLS "esp-tls") set(THIS_ESP_TLS "") +# LIBWOLFSSL_CMAKE_OUTPUT can be printed at runtime +set(LIBWOLFSSL_CMAKE_OUTPUT "") + + +if(CMAKE_BUILD_EARLY_EXPANSION) + message(STATUS "Skipping libwolfssl_output.h update during CMAKE_BUILD_EARLY_EXPANSION") +else() + # Initialize a new libwolfssl_output.h in the cmake build directory. + if( EXISTS "${CMAKE_BINARY_DIR}/libwolfssl_output.h") + # The next WRITE replaces a file. + # This is here to remove any ambiguity on file removal & generation. + file(REMOVE "${CMAKE_BINARY_DIR}/libwolfssl_output.h") + endif() + + file(WRITE "${CMAKE_BINARY_DIR}/libwolfssl_output.h" + "/* libwolfssl_output.h generated by wolfssl component */\n" + "#ifndef _LIBWOLFSSL_OUTPUT_H_\n" + "\n" + "#define _LIBWOLFSSL_OUTPUT_H_\n\n") +endif() + +# Append messages with: +# LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n"message" "0") +# See function: APPEND_LIBWOLFSSL_CMAKE_OUTPUT + # function: IS_ESP_IDF_COMPONENT # output: RESULT = 1 (true) if this component is located in the ESP-IDF components # otherwise 0 (false) -function( IS_ESP_IDF_COMPONENT RESULT ) +function( IS_ESP_IDF_COMPONENT + RESULT) # NOTE: Component location is based on the location of the CMakeList.txt # and *not* the location of the wolfSSL source code. (which may be anywhere) @@ -55,6 +94,96 @@ function( IS_ESP_IDF_COMPONENT RESULT ) endif() endfunction() +# +# LIBWOLFSSL_SAVE_INFO(VAR_OUTPUT THIS_VAR VAR_RESULT) +# +# Save the THIS_VAR as a string in a macro called VAR_OUTPUT +# +# VAR_OUTPUT: the name of the macro to define +# THIS_VAR: the OUTPUT_VARIABLE result from a execute_process() +# VAR_RESULT: the RESULT_VARIABLE from a execute_process(); "0" if successful. +# +function ( LIBWOLFSSL_SAVE_INFO VAR_OUTPUT THIS_VAR VAR_RESULT ) + # is the RESULT_VARIABLE output value 0? If so, IS_VALID_VALUE is true. + string(COMPARE EQUAL "${VAR_RESULT}" "0" IS_VALID_VALUE) + + # if we had a successful operation, save the THIS_VAR in VAR_OUTPUT + if(${IS_VALID_VALUE}) + + if(0) + # Optional debug + message(STATUS "Looking for LF in ${THIS_VAR}") + endif() + + # Check if the text to print in THIS_VAR is multi-line + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + list(LENGTH LINES LINE_COUNT) + + # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def + if(LINE_COUNT GREATER 1) + message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") + add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") + + # Split into lines + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + foreach(LINE IN LISTS LINES) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") + endforeach() + + # Final empty line to close the macro + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") + + message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") + target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") + else() + message(STATUS "No HAS_LIBWOLFSSL_OUTPUT_HEADER") + # We should not have any, but just to be sure: + # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE + string(REPLACE "\n" "" VAR_VALUE "${THIS_VAR}") + + # we'll could percolate the value to the parent for possible later use + # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) + + # but we're only using it here in this function + set(${VAR_OUTPUT} ${VAR_VALUE}) + + # we'll print what we found to the console + message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + + # the interesting part is defining the VAR_OUTPUT name a value to use in the app + add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") + + endif() + else() + # if we get here, check the execute_process command and parameters. + message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") + set(${VAR_OUTPUT} "Unknown") + endif() + + +endfunction() # LIBWOLFSSL_SAVE_INFO + +# +# APPEND_LIBWOLFSSL_CMAKE_OUTPUT(THIS_MESSAGE OUTPUT_VALUE) +# +# Append the text in THIS_MESSAGE to LIBWOLFSSL_CMAKE_OUTPUT. +# String is available at runtime in app +# + +function( APPEND_LIBWOLFSSL_CMAKE_OUTPUT + THIS_MESSAGE ) + # Normally, we'd simply print a message: + message(STATUS "${THIS_MESSAGE}") + + # But here we'll pass the entire LIBWOLFSSL_CMAKE_OUTPUT as a string definition to the app + set(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n${THIS_MESSAGE}" PARENT_SCOPE) + + # We don't call LIBWOLFSSL_SAVE_INFO here as it would add duplicate definitions + # See single instance at the end of this file. +endfunction() + # Determine if this cmake file is located in the ESP-IDF component directory or not, # and if so, if it is being ignored (allowing the use of a local project one, instead). IS_ESP_IDF_COMPONENT( IS_WOLSSL_ESP_IDF_COMPONENT ) @@ -77,20 +206,6 @@ else() message(STATUS "Cleaned wolfssl path: ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") endif() -# The scope of this CMAKE_C_FLAGS is just this component: -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") - -set(CMAKE_CURRENT_SOURCE_DIR ".") -# set(COMPONENT_REQUIRES lwip) # we typically don't need lwip directly in wolfssl component - -# Optionally set your source to wolfSSL in your project CMakeLists.txt like this: -# set(WOLFSSL_ROOT "c:/test/my_wolfssl" ) - -if ( "${WOLFSSL_ROOT}" STREQUAL "") - set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" ) -endif() - if( "$ENV{IDF_PATH}" STREQUAL "" ) message(FATAL_ERROR "IDF_PATH Environment variable not set!") else() @@ -185,7 +300,9 @@ endif() # Check environment variable name EVARPARAM as [name] # If defined, and has a value of EVARVALUE as [value], # then assign a compiler definition "-D[name]=[value]" -function(ENVIRONMENT_VAR_TO_MACRO EVARPARAM EVARVALUE) +function( ENVIRONMENT_VAR_TO_MACRO + EVARPARAM # Environment variable parameter name + EVARVALUE) # Environment variable value # If the EVARPARAM environment variable name is set to EVARVALUE, # set the compiler flag definition to enable CSV output. if ( "$ENV{${EVARPARAM}}" STREQUAL "${EVARVALUE}") @@ -217,7 +334,8 @@ endfunction() # function: IS_WOLFSSL_SOURCE # parameter: DIRECTORY_PARAMETER - the directory to test # output: RESULT = contains contents of DIRECTORY_PARAMETER for wolfssl directory, otherwise blank. -function( IS_WOLFSSL_SOURCE DIRECTORY_PARAMETER +function( IS_WOLFSSL_SOURCE + DIRECTORY_PARAMETER RESULT ) if (EXISTS "${DIRECTORY_PARAMETER}/wolfcrypt/src") set(${RESULT} "${DIRECTORY_PARAMETER}" PARENT_SCOPE) @@ -233,7 +351,8 @@ endfunction() # Example usage: # FIND_WOLFSSL_DIRECTORY(WOLFSSL_ROOT) # ********************************************************************************************* -function(FIND_WOLFSSL_DIRECTORY OUTPUT_FOUND_WOLFSSL_DIRECTORY) +function( FIND_WOLFSSL_DIRECTORY + OUTPUT_FOUND_WOLFSSL_DIRECTORY) message(STATUS "Starting FIND_WOLFSSL_DIRECTORY: ${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}") if ( "${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}" STREQUAL "" ) @@ -673,9 +792,9 @@ else() # depending on the environment, we may need to swap backslashes with forward slashes string(REPLACE "\\" "/" RTOS_IDF_PATH "$ENV{IDF_PATH}/components/freertos/FreeRTOS-Kernel/include/freertos") - if(WOLFSSL_ROOT) - string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT}) - endif() + if(WOLFSSL_ROOT) + string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT}) + endif() if(IS_DIRECTORY "${RTOS_IDF_PATH}") message(STATUS "Found current RTOS path: ${RTOS_IDF_PATH}") @@ -789,16 +908,35 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE AND NOT CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") ) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("wolfSSL Certificate Bundles Enabled") + if (CMAKE_BUILD_EARLY_EXPANSION) - message(ERROR "Bundle Cert initialization must occur during CMAKE_BUILD_EARLY_EXPANSION") + message(FATAL_ERROR "Bundle Cert initialization must occur during CMAKE_BUILD_EARLY_EXPANSION") endif() # reminder: we need a value for wolfSSL root first! if( "${WOLFSSL_ROOT}" STREQUAL "" ) - message(ERROR "Certificate bundles need a value for WOLFSSL_ROOT") + message(FATAL_ERROR "Certificate bundles need a value for WOLFSSL_ROOT") endif() + + # Cert bundle in wolfSSL source unless otherwise specified later set(WOLFSSL_ESP_CRT_BUNDLE_DIR ${WOLFSSL_ROOT}/wolfcrypt/src/port/Espressif/esp_crt_bundle) message(STATUS "WOLFSSL_ESP_CRT_BUNDLE_DIR=${WOLFSSL_ESP_CRT_BUNDLE_DIR}") - if(EXISTS "${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + + if(DEFINED ENV{PLATFORMIO_PROJECT_DIR}) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Detected PlatformIO") + set(IS_PLATFORMIO 1) + else() + # Some environments may not have environment variable, so double check if we are in .pio + if("${CMAKE_BINARY_DIR}" MATCHES "/\\.pio/") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Detected PlatformIO via CMAKE_BINARY_DIR") + set(IS_PLATFORMIO 1) + else() + set(IS_PLATFORMIO 0) + endif() + endif() + + if(EXISTS "${WOLFSSL_ESP_CRT_BUNDLE_DIR}" OR IS_PLATFORMIO) + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Special processing for wolfSSL Certificate Bundles") set(bundle_name "x509_crt_bundle_wolfssl") # For now the certs are in the same directory @@ -824,9 +962,9 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE get_filename_component(custom_bundle_path ${CONFIG_WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH} ABSOLUTE BASE_DIR "${project_dir}") list(APPEND crt_paths ${custom_bundle_path}) - message(STATUS "Using a custom wolfSSL bundle path: ${custom_bundle_path}") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Using a custom wolfSSL bundle path: ${custom_bundle_path}") else() - message(STATUS "Not using a custom wolfSSL bundle path.") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Not using a custom wolfSSL bundle path") endif() list(APPEND args --input ${crt_paths} -q) @@ -843,25 +981,107 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE message(STATUS "args ${args}") message(STATUS "cert_bundle ${cert_bundle}") - # Generate bundle according to config - # File is generated at build time, not cmake load - add_custom_command(OUTPUT ${crt_bundle} - COMMAND ${GENERATE_CERT_BUNDLEPY} ARGS ${args} - DEPENDS ${custom_bundle_path} - VERBATIM) + if (IS_PLATFORMIO) + # PlatformIO cannot generate a Certificate Bundle at build time + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("PlatformIO is using a predefined bundle rather than generating one") - if(EXISTS "${crt_bundle}") - message(STATUS "Bundle file exists from prior build: ${crt_bundle}") + if ( "${WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}" STREQUAL "" OR "$(WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE)" STREQUAL "" OR "$(WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE)" STREQUAL "n") + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Alternate Certificate Bundle Path and Name not enabled, assuming [project]/certs/x509_crt_bundle_wolfssl") + # Reminder this CMakeLists.txt should be in [project]/components/wolfssl, so ./certs is two directories up + set(crt_bundle_option "../../certs/x509_crt_bundle_wolfssl") + else() + string(SUBSTRING "${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}" 0 2 CERT_PATH_FIRST_TWO) + if(CERT_PATH_FIRST_TWO STREQUAL "./" OR CERT_PATH_FIRST_TWO STREQUAL ".\\") + set(IS_CERT_BUNDLE_RELATIVE_PATH 1) + message(STATUS "Alternate Cert Path is relative to project.") + else() + set(IS_CERT_BUNDLE_RELATIVE_PATH 0) + message(STATUS "Alternate Cert Path is not relative to project.") + endif() + + # The cert bundle is not a standard cert, so we con't add to the crt_paths. + # Still, we may have an alternate location, particulatly needed for PlatformIO: + if(IS_CERT_BUNDLE_RELATIVE_PATH) + message(STATUS "CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME = ${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + message(STATUS "Relative alternate_bundle_path: ${alternate_bundle_path}") + + SET(crt_bundle_option "${CMAKE_SOURCE_DIR}/${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + else() + message(STATUS "alternate_bundle_path: ${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + message(STATUS "Not using an alternate wolfSSL bundle file.") + SET(crt_bundle_option "${CONFIG_WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME}") + endif() + endif() + + # Clean the path, removing any extra "./" etc. + # Number of spaces in message strings is to align path value outputs + message(STATUS "This crt_bundle_option value: ${crt_bundle_option}") + if(${CMAKE_VERSION} VERSION_LESS "3.19") + message("WARNING: CMake version is ${CMAKE_VERSION} ? file(REAL_PATH ...) is not supported. Falling back to manual path normalization.") + # optional fallback logic here + get_filename_component(crt_bundle_file_component "${crt_bundle_option}" ABSOLUTE) + message(STATUS "Interim crt_bundle_file_component: ${crt_bundle_file_component}") + file(TO_CMAKE_PATH "${crt_bundle_file_component}" crt_bundle) + message(STATUS "TO_CMAKE_PATH crt_bundle result: ${crt_bundle}") + # set(crt_bundle "C:/workspace/pio_wolfssl-upstream-test-wolfssl_cert_bundle/esp32-c6/certs/x509_crt_bundle_wolfssl") + else() + file(REAL_PATH "${crt_bundle_option}" crt_bundle) + endif() + + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Certificate Bundle: ${crt_bundle}") + message(STATUS "This cleaned crt_bundle value: ${crt_bundle}") + message(STATUS "=============================================================================================================") + message(STATUS "=============================================================================================================") + message(STATUS "Reminder: platformio.ini will need this value set for board_build.embed_files =") + message(STATUS "${crt_bundle}") + message(STATUS "=============================================================================================================") + message(STATUS "=============================================================================================================") + + # e.g. SET(crt_bundle "C:/workspace/pio_wolfssl/esp32-c6/certs/x509_crt_bundle_wolfssl") + # + + # Normally x509_crt_bundle_wolfssl built by python script called from cmake. + # See https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/port/Espressif/esp_crt_bundle/gen_crt_bundle.py + # Reminder ESP-IDF scripts are NOT called from CMake for PlatformIO builds. + # + # The easiest way to generate the default file is to build with ESP-IDF and copy the files to [project]/main + # + # for example: + # build\VisualGDB\Debug\x509_crt_bundle_wolfssl.s + # build\VisualGDB\Debug\esp-idf\wolfssl\x509_crt_bundle_wolfssl + # + message(STATUS "Confirming cert bundle exists...") + if(EXISTS "${crt_bundle}") + # Number of spaces is to align path value outputs + message(STATUS "Bundle file found for PlatformIO: ${crt_bundle}") + else() + APPEND_LIBWOLFSSL_CMAKE_OUTPUT("ERROR: Failed to find bundle file found for PlatformIO: ${crt_bundle}") + message(STATUS "Check for entry in platformio.ini: board_build.embed_files = certs/x509_crt_bundle_wolfssl ") + message(FATAL_ERROR "WOLFSSL_CERTIFICATE_BUNDLE is enabled for PlatformIO, but predefined file not found: ${crt_bundle}") + endif() else() - message(STATUS "Bundle file expected during next build: ${crt_bundle}") + # APPEND_LIBWOLFSSL_CMAKE_OUTPUT("Generate bundle: ${GENERATE_CERT_BUNDLEPY} ${args}") + # Not PlatformIO + # Generate bundle according to config + # File is generated at build time, not cmake load + add_custom_command(OUTPUT ${crt_bundle} + COMMAND ${GENERATE_CERT_BUNDLEPY} ARGS ${args} + DEPENDS ${custom_bundle_path} + VERBATIM) + + if(EXISTS "${crt_bundle}") + message(STATUS "Bundle file exists from prior build: ${crt_bundle}") + else() + message(STATUS "Bundle file expected during next build: ${crt_bundle}") + endif() + + # Reminder the file is generated at build time, not cmake load time. + message(STATUS "wolfSSL Cert Bundle File to be created at build time in: ${crt_bundle}") endif() - # Reminder the file is generated at build time, not cmake load time. - message(STATUS "wolfSSL Cert Bundle File to be created at build time in: ${crt_bundle}") + add_custom_target(custom_wolfssl_bundle DEPENDS ${crt_bundle}) - add_custom_target(custom_wolfssl_bundle DEPENDS ${cert_bundle}) - - # the wolfSSL crtificate bundle is baked into wolfSSL + # the wolfSSL certificate bundle is baked into wolfSSL add_dependencies(${COMPONENT_LIB} custom_wolfssl_bundle) # COMPONENT_LIB may vary: __idf_wolfssl, __idf_esp_wolfssl, etc @@ -871,7 +1091,12 @@ if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE APPEND PROPERTY ADDITIONAL_CLEAN_FILES "${crt_bundle}") else() - message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but directory not found: ${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + if(IS_PLATFORMIO) + message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but cannot be generated in PlatformmIO") + else() + message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but directory not found: ${WOLFSSL_ESP_CRT_BUNDLE_DIR}") + endif() + message(FATAL_ERROR "not detected") endif() endif() @@ -930,42 +1155,6 @@ endif() # end multiple component check -# -# LIBWOLFSSL_SAVE_INFO(VAR_OUPUT THIS_VAR VAR_RESULT) -# -# Save the THIS_VAR as a string in a macro called VAR_OUPUT -# -# VAR_OUPUT: the name of the macro to define -# THIS_VAR: the OUTPUT_VARIABLE result from a execute_process() -# VAR_RESULT: the RESULT_VARIABLE from a execute_process(); "0" if successful. -# -function ( LIBWOLFSSL_SAVE_INFO VAR_OUPUT THIS_VAR VAR_RESULT ) - # is the RESULT_VARIABLE output value 0? If so, IS_VALID_VALUE is true. - string(COMPARE EQUAL "${VAR_RESULT}" "0" IS_VALID_VALUE) - - # if we had a successful operation, save the THIS_VAR in VAR_OUPUT - if(${IS_VALID_VALUE}) - # strip newline chars in THIS_VAR parameter and save in VAR_VALUE - string(REPLACE "\n" "" VAR_VALUE ${THIS_VAR}) - - # we'll could percolate the value to the parent for possible later use - # set(${VAR_OUPUT} ${VAR_VALUE} PARENT_SCOPE) - - # but we're only using it here in this function - set(${VAR_OUPUT} ${VAR_VALUE}) - - # we'll print what we found to the console - message(STATUS "Found ${VAR_OUPUT}=${VAR_VALUE}") - - # the interesting part is defining the VAR_OUPUT name a value to use in the app - add_compile_definitions(${VAR_OUPUT}=\"${VAR_VALUE}\") - else() - # if we get here, check the execute_process command and parameters. - message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") - set(${VAR_OUPUT} "Unknown") - endif() -endfunction() # LIBWOLFSSL_SAVE_INFO - execute_process( COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree" OUTPUT_VARIABLE IS_GIT_REPO @@ -1049,6 +1238,14 @@ else() message(STATUS "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!") endif() +# A single instance of potentially multiple cmake messages to send to app: +message(STATUS "LIBWOLFSSL_CMAKE_OUTPUT: ${LIBWOLFSSL_CMAKE_OUTPUT}") +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}" "0") + +file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" + "\n" + "#endif\n" ) + message(STATUS "************************************************************************************************") message(STATUS "wolfSSL component config complete!") message(STATUS "************************************************************************************************") diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig index 9a7fcaa075..ee8dc7f1a2 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig @@ -274,10 +274,28 @@ menu "wolfSSL" bool "Do not use the default certificate bundle" endchoice + config WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE + depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + default n + bool "Use alternate certificate bundle" + help + Typically only used for PlatformIO which cannot generate a certificate bundle at build time. + Enable this option to specify a fixed wolfSSL certificate file path and file name. + + config WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE_PATH_AND_NAME + depends on WOLFSSL_ALTERNATE_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + string "Default certificate bundle alternate path and name" + default "./certs/x509_crt_bundle_wolfssl" + help + Name of the default certificate bundle directory. Typically used only with PlatformIO. + Reminder PlatformIO cannot generate a bundle from cmake python script call. Relative + paths are with respect to root of this project. + config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL default n bool "Add custom certificates to the default bundle" + config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH depends on WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL string "Custom certificate bundle path" @@ -430,6 +448,12 @@ menu "wolfSSL" help Enable debugging messages for wolfSSL. See user_settings.h for additional debug options. + config ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING + bool "Suppress build-time warnings for main stack size" + default n + help + Useful only when wolfSSL is running in main task. See FreeRTOS stack size for custom tasks. + config ESP_WOLFSSL_TEST_LOOP bool "Run test apps in a loop until failure" default y diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h index 488182ed6f..80f89fffe0 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h @@ -853,13 +853,18 @@ #ifndef NO_RSA #define ESP32_USE_RSA_PRIMITIVE - #if defined(CONFIG_IDF_TARGET_ESP32) - #ifdef CONFIG_ESP_MAIN_TASK_STACK_SIZE + #ifdef CONFIG_ESP_MAIN_TASK_STACK_SIZE + /* See idf.py menuconfig for stack warning settings */ + #if !defined(CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING) #if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500 - #warning "RSA may be difficult with less than 10KB Stack "/ + #warning "RSA may be difficult with less than 10KB Stack" #endif + #else + /* Implement your own stack warning here */ #endif + #endif + #if defined(CONFIG_IDF_TARGET_ESP32) /* NOTE HW unreliable for small values! */ /* threshold for performance adjustment for HW primitive use */ /* X bits of G^X mod P greater than */ diff --git a/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/test/src/client/simple_tls_tsip_client.c b/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/test/src/client/simple_tls_tsip_client.c index aa11768ad5..5dfb51c338 100644 --- a/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/test/src/client/simple_tls_tsip_client.c +++ b/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/test/src/client/simple_tls_tsip_client.c @@ -244,7 +244,7 @@ void wolfSSL_TLS_client( ) ret = tsip_use_PrivateKey_buffer_TLS(ssl, (const char*)g_key_block_data.encrypted_user_ecc256_private_key, sizeof(g_key_block_data.encrypted_user_ecc256_private_key), - TSIP_ECCP256); + TSIP_KEY_TYPE_ECDSAP256); if (ret != 0) { printf("ERROR tsip_use_PrivateKey_buffer_TLS\n"); } @@ -254,7 +254,7 @@ void wolfSSL_TLS_client( ) ret = tsip_use_PublicKey_buffer_TLS(ssl, (const char*)g_key_block_data.encrypted_user_ecc256_public_key, sizeof(g_key_block_data.encrypted_user_ecc256_public_key), - TSIP_ECCP256); + TSIP_KEY_TYPE_ECDSAP256); if (ret != 0) { printf("ERROR tsip_use_PublicKey_buffer_TLS\n"); } @@ -289,7 +289,7 @@ void wolfSSL_TLS_client( ) ret = tsip_use_PrivateKey_buffer_TLS(ssl, (const char*)g_key_block_data.encrypted_user_rsa2048_private_key, sizeof(g_key_block_data.encrypted_user_rsa2048_private_key), - TSIP_RSA2048); + TSIP_KEY_TYPE_RSA2048); if (ret != 0) { printf("ERROR tsip_use_PrivateKey_buffer_TLS :%d\n", ret); } @@ -298,7 +298,7 @@ void wolfSSL_TLS_client( ) ret = tsip_use_PublicKey_buffer_TLS(ssl, (const char*)g_key_block_data.encrypted_user_rsa2048_public_key, sizeof(g_key_block_data.encrypted_user_rsa2048_public_key), - TSIP_RSA2048); + TSIP_KEY_TYPE_RSA2048); if (ret != 0) { printf("ERROR tsip_use_PublicKey_buffer_TLS: %d\n", ret); } diff --git a/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/key_data.c b/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/key_data.c index 0566cdcd8b..7230c1ef6f 100644 --- a/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/key_data.c +++ b/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/key_data.c @@ -186,95 +186,95 @@ const uint32_t encrypted_user_key_type = const unsigned char ca_ecc_cert_der_sig[] = { - 0x80, 0x1C, 0x3A, 0xC0, 0x74, 0xC8, 0xF8, 0xB7, 0x23, 0xB0, - 0x4D, 0xEC, 0x5A, 0xA3, 0x28, 0xD9, 0x27, 0x93, 0xD2, 0xEF, - 0x48, 0xBD, 0x29, 0x99, 0x65, 0x7F, 0xCB, 0x60, 0xD3, 0xB7, - 0xFF, 0x4D, 0xC4, 0x2D, 0x07, 0x53, 0xD3, 0xF9, 0xB6, 0xE7, - 0x56, 0x25, 0x5D, 0x3E, 0x9C, 0x31, 0x1D, 0x8D, 0xA3, 0x29, - 0xA0, 0x9C, 0xFB, 0xEC, 0x91, 0xF5, 0x58, 0x14, 0x11, 0xFD, - 0x43, 0xFB, 0xA5, 0xAC, 0x70, 0xAE, 0x68, 0x89, 0x03, 0x32, - 0x82, 0x53, 0xB9, 0xE3, 0x40, 0xD4, 0x50, 0xC5, 0xB4, 0xB2, - 0x1F, 0xF6, 0x24, 0x10, 0xFE, 0x76, 0xA2, 0x1C, 0xAE, 0x01, - 0x79, 0xBF, 0xF7, 0x5A, 0x5C, 0xA9, 0x9B, 0x80, 0x02, 0x7D, - 0x24, 0x94, 0xCE, 0xFE, 0x41, 0x85, 0x1A, 0x63, 0x50, 0xD4, - 0xDE, 0xBD, 0xB4, 0x26, 0xA4, 0x13, 0xE3, 0x94, 0x0C, 0xBB, - 0xBE, 0x27, 0x0F, 0xDE, 0xF2, 0x2A, 0x0D, 0xD5, 0x79, 0x4B, - 0x7A, 0xD6, 0x3C, 0x3B, 0xED, 0x4D, 0xAB, 0xB6, 0xBD, 0x53, - 0x57, 0x9B, 0xA1, 0x69, 0x26, 0xD3, 0xDF, 0x47, 0x64, 0x4F, - 0xD5, 0xC9, 0x11, 0x35, 0xB6, 0x17, 0x6C, 0x48, 0x6E, 0xBE, - 0xCB, 0x0C, 0x63, 0x8C, 0x31, 0x45, 0x8B, 0x7F, 0x93, 0x02, - 0x7C, 0xC6, 0xD3, 0x14, 0x2F, 0x5B, 0x41, 0x72, 0x4F, 0x48, - 0xE6, 0xCC, 0x89, 0x4E, 0x31, 0x98, 0xBA, 0xBA, 0xE0, 0xAA, - 0x04, 0x68, 0xF2, 0x07, 0xF5, 0x0B, 0x1F, 0xC2, 0x21, 0x28, - 0x38, 0x44, 0xAF, 0x2C, 0x7C, 0x1B, 0x69, 0x12, 0xCC, 0x3B, - 0xF7, 0xE8, 0xC2, 0x56, 0x00, 0x10, 0x14, 0x05, 0x6F, 0x29, - 0x80, 0x7C, 0x1E, 0xB2, 0x37, 0x2C, 0xBF, 0x09, 0x77, 0xC9, - 0x1D, 0xB1, 0x13, 0x7A, 0xDC, 0x87, 0x7D, 0xF1, 0x2E, 0xBC, - 0xFC, 0x2B, 0x3D, 0x4A, 0x55, 0xD5, 0x85, 0x0C, 0xF1, 0x1D, - 0xFE, 0x80, 0x73, 0xD9, 0xB4, 0x84 + 0x58, 0x3F, 0x3C, 0x27, 0x4A, 0xC0, 0xA8, 0x35, 0x31, 0xAA, + 0xB6, 0x49, 0x4C, 0x69, 0x48, 0xF6, 0x63, 0xA5, 0x2E, 0x8C, + 0xA4, 0x1E, 0xAF, 0x18, 0x14, 0x11, 0x6A, 0xF7, 0x25, 0xF2, + 0xE1, 0x82, 0x6E, 0xAA, 0x3C, 0xE2, 0x75, 0x6E, 0x81, 0x59, + 0x2E, 0xF1, 0xED, 0xDD, 0xD1, 0x1C, 0xA3, 0xE7, 0xEC, 0x89, + 0xD3, 0x19, 0x1A, 0x59, 0xEB, 0xBA, 0x1D, 0x65, 0xFD, 0x53, + 0x4A, 0x90, 0x6F, 0xA1, 0x06, 0xB3, 0x08, 0xE4, 0x00, 0xF4, + 0x91, 0x45, 0xD8, 0xC9, 0xD8, 0x30, 0x8A, 0x94, 0x9B, 0x48, + 0x60, 0x68, 0xD1, 0x09, 0x84, 0xAE, 0x51, 0xD8, 0xD8, 0x67, + 0x58, 0x58, 0x9B, 0x57, 0x9E, 0x09, 0x9D, 0x1B, 0x3B, 0x22, + 0x67, 0x6A, 0x50, 0x91, 0xF2, 0x60, 0x5E, 0x78, 0x86, 0xF9, + 0x2F, 0xF4, 0xB4, 0xAE, 0x6A, 0xF6, 0x0D, 0xAB, 0x8B, 0xF6, + 0x60, 0x47, 0x8D, 0xD4, 0xEC, 0xE6, 0x9E, 0x57, 0x6C, 0xCC, + 0x4F, 0xF5, 0xCD, 0x20, 0xD7, 0x15, 0x70, 0x50, 0x53, 0x96, + 0x84, 0x6B, 0x9A, 0x07, 0x90, 0x41, 0x14, 0x08, 0x62, 0x87, + 0xF5, 0x20, 0x0E, 0x82, 0xE2, 0x12, 0x5C, 0x1E, 0x72, 0x73, + 0xB8, 0x18, 0x90, 0xCF, 0x98, 0x14, 0xC3, 0xE6, 0xED, 0x89, + 0xA3, 0x7C, 0x67, 0x50, 0x01, 0xCC, 0x48, 0xD2, 0x6A, 0x9C, + 0x9E, 0x4D, 0x44, 0x49, 0x82, 0x5F, 0xC1, 0x2E, 0x18, 0xBE, + 0x23, 0x53, 0xCD, 0x09, 0x85, 0x16, 0x9D, 0x5F, 0x99, 0x78, + 0xA1, 0x78, 0x51, 0xC9, 0x5A, 0x3E, 0x04, 0xBE, 0xE2, 0xF5, + 0x74, 0x7E, 0x6F, 0x89, 0xD9, 0x05, 0x29, 0xC1, 0x5B, 0x57, + 0x3D, 0xE3, 0x5E, 0xB8, 0x4B, 0x93, 0x7D, 0x68, 0x78, 0xF9, + 0x88, 0x1B, 0x8E, 0x78, 0x04, 0x00, 0x54, 0x20, 0x3F, 0x0C, + 0x99, 0x11, 0x1D, 0x90, 0x2C, 0x10, 0x4C, 0xCE, 0xA3, 0x17, + 0xA7, 0xF8, 0xB4, 0xC6, 0xF8, 0x12 }; const int sizeof_ca_ecc_cert_sig = sizeof(ca_ecc_cert_der_sig); /* ./ca-cert.der.sign, */ const unsigned char ca_cert_der_sig[] = { - 0x77, 0x62, 0x9D, 0x3D, 0x7A, 0x60, 0xF7, 0x9C, 0x7C, 0x1C, - 0xC8, 0x9D, 0x09, 0x2D, 0x98, 0xBE, 0x39, 0x25, 0x4E, 0x05, - 0xED, 0xF1, 0x93, 0xB1, 0x4B, 0x1B, 0x29, 0x2D, 0x8F, 0x3A, - 0xCA, 0x3A, 0x8F, 0x3F, 0x77, 0x61, 0xF1, 0x97, 0x05, 0x69, - 0xDC, 0x4A, 0x92, 0x52, 0x29, 0xC8, 0x26, 0x38, 0x53, 0x7A, - 0x41, 0x7C, 0x73, 0xCA, 0xA7, 0x6B, 0xD7, 0x19, 0xC4, 0x99, - 0x64, 0xCD, 0x27, 0xC9, 0x85, 0x19, 0x53, 0xD2, 0x93, 0xC5, - 0x7A, 0xE5, 0xDC, 0x88, 0xA0, 0xFB, 0xB3, 0xEB, 0x8B, 0x01, - 0xD6, 0x80, 0x9C, 0x93, 0x9D, 0x44, 0x5A, 0x17, 0x4B, 0x87, - 0x8B, 0xD1, 0x08, 0xBA, 0x82, 0x87, 0xA7, 0x69, 0x06, 0x70, - 0x67, 0x68, 0xE3, 0xD1, 0x6C, 0x05, 0x85, 0x97, 0x84, 0x6B, - 0xBF, 0xC2, 0x91, 0xBC, 0xA5, 0x32, 0x37, 0x99, 0x5C, 0xC7, - 0xE9, 0x8C, 0x4F, 0xBD, 0xFD, 0x66, 0x98, 0x38, 0xD8, 0x31, - 0x4E, 0x97, 0x57, 0x66, 0x0C, 0x1F, 0x43, 0x81, 0xC5, 0x0F, - 0xA2, 0x5A, 0xF2, 0xF6, 0x68, 0x9D, 0x97, 0xA9, 0x39, 0x42, - 0xFD, 0xCB, 0xCB, 0x29, 0x56, 0xA0, 0x49, 0x8D, 0x79, 0x40, - 0x66, 0x60, 0xC1, 0xB1, 0x99, 0xD7, 0x32, 0x06, 0x80, 0x64, - 0x43, 0x7F, 0x2B, 0x5A, 0xF7, 0xD9, 0x54, 0xF6, 0x3E, 0x2C, - 0x92, 0x6F, 0xEE, 0xCA, 0x59, 0x53, 0xC1, 0xCA, 0x3C, 0xDB, - 0xA3, 0x20, 0xF9, 0x8D, 0xEF, 0xFD, 0x8B, 0x08, 0xCE, 0x25, - 0x58, 0x16, 0x00, 0x93, 0xB6, 0xF6, 0xF8, 0x7D, 0x1C, 0x35, - 0xD2, 0x8E, 0xAE, 0x51, 0x1F, 0x08, 0x99, 0xBA, 0x63, 0x4B, - 0x05, 0x93, 0x61, 0x64, 0x40, 0x85, 0x71, 0x69, 0xBB, 0xF2, - 0xC4, 0xAE, 0x9E, 0xFB, 0x5C, 0xD1, 0x3F, 0x5F, 0x0D, 0x85, - 0xAA, 0x73, 0x23, 0x16, 0xE7, 0x13, 0x60, 0x5D, 0xF4, 0x88, - 0x34, 0xB1, 0xD2, 0xC9, 0x6B, 0xD4 + 0x55, 0x93, 0xCF, 0x28, 0xF7, 0x38, 0x1E, 0xF1, 0x29, 0x5A, + 0xDE, 0x41, 0xCD, 0x83, 0x00, 0x06, 0x79, 0xB3, 0x12, 0x56, + 0xBD, 0x04, 0xCB, 0x97, 0xCC, 0xD2, 0x39, 0x3C, 0x36, 0x94, + 0x8D, 0x66, 0xB0, 0x41, 0xF4, 0xBD, 0x82, 0x8F, 0x03, 0x24, + 0x25, 0x65, 0xA1, 0x85, 0x87, 0xCE, 0x58, 0x0A, 0x45, 0xC6, + 0xB6, 0x38, 0x27, 0x44, 0x2A, 0x7A, 0x9B, 0xA2, 0x71, 0x67, + 0x92, 0xDA, 0xFD, 0x71, 0x88, 0x52, 0xF2, 0xFE, 0x61, 0x33, + 0xCB, 0x7F, 0xB4, 0x47, 0x3D, 0x60, 0xC6, 0x3A, 0x48, 0x44, + 0x6F, 0xA2, 0x16, 0x07, 0xA2, 0x94, 0x50, 0x99, 0x09, 0x7B, + 0x43, 0x04, 0xAD, 0xCA, 0x9C, 0x34, 0xD4, 0x72, 0x4B, 0x79, + 0x31, 0xE1, 0xC5, 0x6C, 0xA7, 0xB4, 0xD8, 0xED, 0x80, 0x79, + 0xBB, 0x69, 0xA0, 0xA6, 0x7A, 0x63, 0x99, 0x02, 0xF7, 0x64, + 0xF0, 0x6D, 0xBB, 0xC5, 0xDA, 0x55, 0x0D, 0x43, 0x7C, 0x30, + 0x74, 0x21, 0x05, 0x35, 0x63, 0xAD, 0x32, 0x76, 0x11, 0xA5, + 0x75, 0xF3, 0x83, 0xEE, 0x05, 0xFB, 0x91, 0x18, 0x5E, 0xCC, + 0x71, 0x49, 0x26, 0x0D, 0xE2, 0xE3, 0xB3, 0xAD, 0xFF, 0x65, + 0xA9, 0x9B, 0xF0, 0x81, 0xE1, 0x5D, 0xC3, 0x4C, 0x82, 0x83, + 0x33, 0xDA, 0xF6, 0x29, 0xC7, 0xC2, 0xA0, 0x23, 0x5D, 0xB1, + 0xCE, 0x82, 0x94, 0x49, 0xC5, 0xC0, 0xE5, 0xED, 0x3B, 0xF6, + 0x79, 0x21, 0x3B, 0xFC, 0x6D, 0xB5, 0x2A, 0xF6, 0x6D, 0xD9, + 0x4C, 0x3E, 0xBF, 0x2E, 0x13, 0xA2, 0x75, 0x93, 0x5A, 0xB4, + 0x2B, 0xF5, 0x74, 0xEF, 0xAE, 0x48, 0xFE, 0x06, 0x2D, 0x3F, + 0xA3, 0xFE, 0x1A, 0xC9, 0x45, 0x1D, 0x15, 0xC8, 0xEF, 0x95, + 0xE2, 0x6F, 0x7D, 0x1E, 0x96, 0xCD, 0x4D, 0xC5, 0x5F, 0xEB, + 0x57, 0x85, 0x54, 0xE4, 0x7F, 0xE0, 0x0F, 0xAD, 0xC3, 0xEE, + 0xBF, 0xFB, 0x43, 0xA6, 0xAB, 0x92 }; const int sizeof_ca_cert_sig = sizeof(ca_cert_der_sig); /* ./client-cert.der.sign, */ const unsigned char client_cert_der_sign[] = { - 0x21, 0x2A, 0x81, 0xFF, 0xC2, 0x4C, 0x98, 0xFF, 0xB8, 0x99, - 0xFC, 0x14, 0x07, 0xBA, 0xBD, 0x7F, 0x58, 0x0F, 0x23, 0x49, - 0x6B, 0xFA, 0x47, 0xAC, 0xF5, 0xCF, 0x7A, 0x76, 0x89, 0x07, - 0x22, 0x2F, 0x2A, 0xC5, 0x9F, 0x6D, 0x37, 0xFC, 0x7E, 0x51, - 0x55, 0x29, 0xDA, 0xF9, 0x7E, 0x30, 0x25, 0x3F, 0x38, 0xE3, - 0x5B, 0xD8, 0xD1, 0xC4, 0xE1, 0x05, 0x14, 0x5D, 0x3A, 0x8C, - 0xFC, 0x42, 0x7D, 0x38, 0x21, 0x5B, 0x0B, 0xC8, 0x6E, 0x80, - 0x35, 0xA7, 0x0B, 0xAB, 0x9E, 0x8B, 0x7F, 0x04, 0xE5, 0x43, - 0x2E, 0xFF, 0x11, 0x67, 0x04, 0xF4, 0x52, 0x52, 0xEF, 0x6C, - 0xC6, 0x30, 0x63, 0xE0, 0xAE, 0xCB, 0xD0, 0xBC, 0x7F, 0xB7, - 0x98, 0xD4, 0x08, 0x76, 0x49, 0xFF, 0x0E, 0xAF, 0x2B, 0x3B, - 0xA0, 0xFD, 0x25, 0xD5, 0x42, 0x02, 0x0A, 0xAA, 0xC0, 0x0C, - 0x5C, 0x62, 0x04, 0xD0, 0x4A, 0xE7, 0xEA, 0x26, 0x72, 0xE1, - 0x35, 0x8D, 0x47, 0x5A, 0xE6, 0x9A, 0xD5, 0x5C, 0x31, 0x79, - 0x7A, 0xEE, 0x59, 0xAD, 0x1B, 0x04, 0x2C, 0xFF, 0x74, 0x9D, - 0xA5, 0x90, 0x21, 0xCE, 0xC2, 0x04, 0x41, 0x98, 0x14, 0x27, - 0xF8, 0x35, 0xB9, 0xF5, 0x73, 0x1D, 0xAE, 0x2F, 0x8F, 0x44, - 0x79, 0xCA, 0xE7, 0x38, 0xDD, 0x15, 0x11, 0xDB, 0xA5, 0x6D, - 0xE6, 0x7F, 0x4E, 0x73, 0xE6, 0x2E, 0x98, 0xF3, 0xDD, 0x5A, - 0x34, 0x24, 0x6B, 0xAF, 0x28, 0xDC, 0x3A, 0x10, 0x0D, 0x54, - 0x86, 0x11, 0x52, 0x0F, 0x88, 0x65, 0x03, 0xE5, 0x1C, 0x04, - 0x45, 0x6B, 0x25, 0x3E, 0x8D, 0x5B, 0xD7, 0x2E, 0x33, 0x06, - 0xAA, 0x23, 0xFE, 0x1B, 0x7B, 0xE8, 0xB9, 0xA7, 0x80, 0x3F, - 0x08, 0x89, 0x6A, 0x22, 0x3F, 0xE0, 0xB8, 0xF3, 0xA4, 0x0A, - 0xC6, 0xA5, 0x51, 0xC4, 0x1A, 0x38, 0xE3, 0xD2, 0x8A, 0x1C, - 0xF1, 0xAE, 0x89, 0xFB, 0xCE, 0x9E + 0x1C, 0x3F, 0xB6, 0x72, 0x01, 0x8E, 0xAA, 0x73, 0xCC, 0xAD, + 0xA9, 0x43, 0x26, 0x1C, 0x7E, 0x3B, 0x2B, 0xE2, 0x82, 0x6D, + 0xA4, 0x89, 0xC6, 0x7A, 0x11, 0x7A, 0x41, 0xC1, 0xF6, 0x23, + 0x14, 0xD2, 0x6F, 0x3A, 0x2F, 0xD4, 0x2C, 0xA5, 0x18, 0x31, + 0x0D, 0xFB, 0x84, 0xBE, 0xF8, 0x12, 0x48, 0x41, 0x28, 0xD9, + 0xDB, 0xF9, 0x0A, 0xCF, 0x93, 0xDB, 0xC6, 0x65, 0x89, 0xDE, + 0x1D, 0x22, 0xE1, 0x0D, 0x25, 0x39, 0xD9, 0x56, 0xE2, 0xB7, + 0xE5, 0xAB, 0x6C, 0x44, 0xF8, 0xC5, 0x3B, 0x3D, 0xC6, 0x97, + 0x89, 0xAE, 0x97, 0x38, 0x03, 0x8C, 0x31, 0x36, 0x03, 0xBC, + 0xC2, 0x05, 0x28, 0x35, 0x14, 0xA8, 0xFC, 0x2B, 0x8F, 0xE0, + 0x8C, 0x85, 0xC2, 0x90, 0x5E, 0x0E, 0x75, 0xBC, 0xA0, 0xAD, + 0x24, 0x0F, 0xA3, 0x3A, 0x16, 0xB3, 0x46, 0x20, 0x9D, 0xAE, + 0x5E, 0xBF, 0x6E, 0xC1, 0x10, 0x45, 0x82, 0x8C, 0xE5, 0x6D, + 0x1A, 0xEE, 0xF9, 0x28, 0xD7, 0xC8, 0xE4, 0xA5, 0xC1, 0xD7, + 0xDD, 0x03, 0x37, 0x48, 0x87, 0x96, 0x0F, 0x17, 0x35, 0xDE, + 0xB8, 0xFB, 0x38, 0xDB, 0x64, 0x6C, 0xCB, 0xE9, 0xE0, 0x2F, + 0x17, 0xC9, 0x1B, 0xA0, 0xCB, 0xCB, 0xA9, 0xC3, 0x8F, 0x7B, + 0x4F, 0x25, 0xD8, 0xBA, 0x34, 0x6E, 0xD0, 0x60, 0x17, 0xE0, + 0x0C, 0x48, 0xBF, 0xAF, 0xC2, 0xE1, 0x0E, 0x5B, 0x56, 0x90, + 0x33, 0x13, 0x8F, 0xDA, 0x4D, 0x8D, 0xF5, 0xAF, 0x1D, 0x7A, + 0xA5, 0x2B, 0xD8, 0xBD, 0x81, 0x5A, 0xBB, 0x70, 0x8F, 0xB5, + 0xC9, 0xA5, 0xF3, 0x23, 0xA1, 0x58, 0x3D, 0xCF, 0x7D, 0x2B, + 0xFA, 0xBD, 0xF7, 0x58, 0x22, 0xF2, 0x1F, 0xC7, 0x98, 0xED, + 0x5D, 0x4F, 0x42, 0xA7, 0xC0, 0x41, 0xAC, 0xA5, 0x0B, 0x75, + 0xE6, 0xAB, 0x44, 0x42, 0x0B, 0xBC, 0x99, 0x99, 0x65, 0x21, + 0x9F, 0x53, 0xEF, 0x9A, 0x53, 0xCF }; const int sizeof_client_cert_der_sign = sizeof(client_cert_der_sign); diff --git a/examples/configs/user_settings_platformio.h b/examples/configs/user_settings_platformio.h index 4fd753bcef..f1ee655b25 100644 --- a/examples/configs/user_settings_platformio.h +++ b/examples/configs/user_settings_platformio.h @@ -18,8 +18,16 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#define WOLFSSL_ESPIDF_COMPONENT_VERSION 0x01 /* This is a sample PlatformIO user_settings.h for wolfSSL +/* Examples such as test and benchmark are known to cause watchdog timeouts. + * Note this is often set in project Makefile: + * CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 */ +#define WOLFSSL_ESP_NO_WATCHDOG 1 + +/* The Espressif project config file. See also sdkconfig.defaults */ +#include "sdkconfig.h" * * Do not include any wolfssl headers here * @@ -47,10 +55,9 @@ /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */ /* #define USE_WOLFSSL_ESP_SDK_WIFI */ -/* Experimental Kyber */ +/* Optional MLKEM (Kyber Post Quantum) */ #if 0 /* Kyber typically needs a minimum 10K stack */ - #define WOLFSSL_EXPERIMENTAL_SETTINGS #define WOLFSSL_HAVE_MLKEM #define WOLFSSL_WC_MLKEM #define WOLFSSL_SHA3 @@ -566,18 +573,33 @@ /* Debug options: See wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h for details on debug options +optionally increase error message size for very long paths. +#define WOLFSSL_MAX_ERROR_SZ 500 + +Turn wolfSSL debugging on/off: + wolfSSL_Debugging_ON(); + wolfSSL_Debugging_OFF(); + #define ESP_VERIFY_MEMBLOCK #define DEBUG_WOLFSSL #define DEBUG_WOLFSSL_VERBOSE #define DEBUG_WOLFSSL_SHA_MUTEX +#define WOLFSSL_DEBUG_IGNORE_ASN_TIME +#define WOLFSSL_DEBUG_CERT_BUNDLE +#define WOLFSSL_DEBUG_CERT_BUNDLE_NAME #define WOLFSSL_ESP32_CRYPT_DEBUG #define WOLFSSL_ESP32_CRYPT_HASH_SHA224_DEBUG #define NO_RECOVER_SOFTWARE_CALC #define WOLFSSL_TEST_STRAY 1 #define USE_ESP_DPORT_ACCESS_READ_BUFFER #define WOLFSSL_ESP32_HW_LOCK_DEBUG +#define WOLFSSL_DEBUG_MUTEX #define WOLFSSL_DEBUG_ESP_RSA_MULM_BITS +#define WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS +#define WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS #define ESP_DISABLE_HW_TASK_LOCK +#define ESP_MONITOR_HW_TASK_LOCK +#define USE_ESP_DPORT_ACCESS_READ_BUFFER See wolfcrypt/benchmark/benchmark.c for debug and other settings: @@ -594,7 +616,7 @@ Turn on timer debugging (used when CPU cycles not available) #define WOLFSSL_HW_METRICS #define ALT_ECC_SIZE -/* for test.c: */ +/* for test.c */ /* #define HASH_SIZE_LIMIT */ /* Optionally turn off HW math checks */ @@ -641,6 +663,12 @@ Turn on timer debugging (used when CPU cycles not available) * There are various certificate examples in this header file: * https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/certs_test.h * + * To use the sample certificates in code (not recommended for production!): + * + * #if defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024) + * #include + * #endif + * * To use the sets of macros below, define *one* of these: * * USE_CERT_BUFFERS_1024 - ECC 1024 bit encoded ASN1 @@ -655,10 +683,10 @@ Turn on timer debugging (used when CPU cycles not available) * CTX_CA_CERT_SIZE, * CTX_CA_CERT_TYPE); * - * See www.wolfssl.com/documentation/manuals/wolfssl/group__CertsKeys.html#function-wolfssl_ctx_load_verify_buffer + * See https://www.wolfssl.com/documentation/manuals/wolfssl/group__CertsKeys.html#function-wolfssl_ctx_load_verify_buffer * * In this case the CTX_CA_CERT will be defined as `ca_cert_der_2048` as - * defined here: github.com/wolfSSL/wolfssl/blob/master/wolfssl/certs_test.h + * defined here: https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/certs_test.h * * The CTX_CA_CERT_SIZE and CTX_CA_CERT_TYPE are similarly used to reference * array size and cert type respectively. @@ -670,7 +698,7 @@ Turn on timer debugging (used when CPU cycles not available) * CTX_CLIENT_KEY_SIZE, * CTX_CLIENT_KEY_TYPE); * - * see www.wolfssl.com/documentation/manuals/wolfssl/group__CertsKeys.html#function-wolfssl_ctx_use_privatekey_buffer + * see https://www.wolfssl.com/documentation/manuals/wolfssl/group__CertsKeys.html#function-wolfssl_ctx_use_privatekey_buffer * * Similarly, the other macros are for server certificates and keys: * `CTX_SERVER_CERT` and `CTX_SERVER_KEY` are available. @@ -680,17 +708,17 @@ Turn on timer debugging (used when CPU cycles not available) * are the known wolfSSL encoding type integers (e.g. WOLFSSL_FILETYPE_PEM). * * See `SSL_FILETYPE_[name]` in - * github.com/wolfSSL/wolfssl/blob/master/wolfssl/ssl.h + * https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/ssl.h * * See Abstract Syntax Notation One (ASN.1) in: - * github.com/wolfSSL/wolfssl/blob/master/wolfssl/wolfcrypt/asn.h + * https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/wolfcrypt/asn.h * * Optional SM4 Ciphers: * * Although the SM ciphers are shown here, the `certs_test_sm.h` may not yet * be available. See: - * github.com/wolfSSL/wolfssl/pull/6825 - * github.com/wolfSSL/wolfsm + * https://github.com/wolfSSL/wolfssl/pull/6825 + * https://github.com/wolfSSL/wolfsm * * Uncomment these 3 macros to enable the SM Ciphers and use the macros below. */ @@ -703,6 +731,7 @@ Turn on timer debugging (used when CPU cycles not available) /* Conditional macros used in wolfSSL TLS client and server examples */ #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) + #include #define CTX_CA_CERT root_sm2 #define CTX_CA_CERT_SIZE sizeof_root_sm2 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_PEM @@ -720,7 +749,11 @@ Turn on timer debugging (used when CPU cycles not available) #ifdef USE_CERT_BUFFERS_1024 #error "USE_CERT_BUFFERS_1024 is already defined. Pick one." #endif + + /* Be sure to include in app when using example certs: */ #include + + #define USE_CERT_BUFFERS_256 #define CTX_CA_CERT ca_cert_der_2048 #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_2048 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 @@ -743,6 +776,11 @@ Turn on timer debugging (used when CPU cycles not available) #ifdef USE_CERT_BUFFERS_2048 #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." #endif + + /* Be sure to include in app when using example certs: */ + #include + + #define USE_CERT_BUFFERS_256 #define CTX_CA_CERT ca_cert_der_1024 #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_1024 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 @@ -788,3 +826,11 @@ Turn on timer debugging (used when CPU cycles not available) #else #warning "CONFIG_ESP_MAIN_TASK_STACK_SIZE not defined!" #endif +/* See settings.h for some of the possible hardening options: + * + * #define NO_ESPIDF_DEFAULT + * #define WC_NO_CACHE_RESISTANT + * #define WC_AES_BITSLICED + * #define HAVE_AES_ECB + * #define HAVE_AES_DIRECT + */ diff --git a/src/dtls13.c b/src/dtls13.c index 5a9b6dca22..375c00af09 100644 --- a/src/dtls13.c +++ b/src/dtls13.c @@ -2618,19 +2618,16 @@ static int Dtls13RtxIsTrackedByRn(const Dtls13RtxRecord* r, w64wrapper epoch, static int Dtls13KeyUpdateAckReceived(WOLFSSL* ssl) { int ret; - w64Increment(&ssl->dtls13Epoch); - - /* Epoch wrapped up */ - if (w64IsZero(ssl->dtls13Epoch)) - return BAD_STATE_E; ret = DeriveTls13Keys(ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1); if (ret != 0) return ret; - ret = Dtls13NewEpoch(ssl, ssl->dtls13Epoch, ENCRYPT_SIDE_ONLY); - if (ret != 0) - return ret; + w64Increment(&ssl->dtls13Epoch); + + /* Epoch wrapped up */ + if (w64IsZero(ssl->dtls13Epoch)) + return BAD_STATE_E; return Dtls13SetEpochKeys(ssl, ssl->dtls13Epoch, ENCRYPT_SIDE_ONLY); } diff --git a/src/keys.c b/src/keys.c index 84781126bf..ff20b96581 100644 --- a/src/keys.c +++ b/src/keys.c @@ -3557,6 +3557,9 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side) #if defined(WOLFSSL_RENESAS_FSPSM_TLS) FSPSM_ST* cbInfo = (FSPSM_ST*)ctx; cbInfo->side = side; + #elif defined(WOLFSSL_RENESAS_TSIP_TLS) + TsipUserCtx* cbInfo = (TsipUserCtx*)ctx; + cbInfo->key_side = side; #endif ret = ssl->ctx->EncryptKeysCb(ssl, ctx); } diff --git a/src/ssl.c b/src/ssl.c index 1607c4f85e..bb1d1176c0 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6155,6 +6155,12 @@ int wolfSSL_Init(void) WOLFSSL_ENTER("wolfSSL_Init"); +#if defined(LIBWOLFSSL_CMAKE_OUTPUT) + WOLFSSL_MSG(LIBWOLFSSL_CMAKE_OUTPUT); +#else + WOLFSSL_MSG("No extra wolfSSL cmake messages found"); +#endif + #ifndef WOLFSSL_MUTEX_INITIALIZER if (inits_count_mutex_valid == 0) { #if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS diff --git a/src/tls.c b/src/tls.c index 78972a1bd6..1593f28d8d 100644 --- a/src/tls.c +++ b/src/tls.c @@ -16149,7 +16149,7 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, /* RFC 8446 4.2.4 states trusted_ca_keys is not used in TLS 1.3. */ if (IsAtLeastTLSv1_3(ssl->version)) { - return EXT_NOT_ALLOWED; + break; } else #endif diff --git a/src/tls13.c b/src/tls13.c index 3a9dae2631..135f784070 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -1623,9 +1623,42 @@ int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store) goto end; if (ssl->options.dtls) { + w64wrapper epochNumber; ret = Dtls13DeriveSnKeys(ssl, provision); if (ret != 0) - return ret; + goto end; + + switch (secret) { + case early_data_key: + epochNumber = w64From32(0, DTLS13_EPOCH_EARLYDATA); + break; + case handshake_key: + epochNumber = w64From32(0, DTLS13_EPOCH_HANDSHAKE); + break; + case traffic_key: + case no_key: + epochNumber = w64From32(0, DTLS13_EPOCH_TRAFFIC0); + break; + case update_traffic_key: + if (side == ENCRYPT_SIDE_ONLY) { + epochNumber = ssl->dtls13Epoch; + } + else if (side == DECRYPT_SIDE_ONLY) { + epochNumber = ssl->dtls13PeerEpoch; + } + else { + ret = BAD_STATE_E; + goto end; + } + w64Increment(&epochNumber); + break; + default: + ret = BAD_STATE_E; + goto end; + } + ret = Dtls13NewEpoch(ssl, epochNumber, side); + if (ret != 0) + goto end; } #endif /* WOLFSSL_DTLS13 */ @@ -4083,15 +4116,6 @@ static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx) if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) return ret; -#ifdef WOLFSSL_DTLS13 - if (ssl->options.dtls) { - ret = Dtls13NewEpoch( - ssl, w64From32(0x0, DTLS13_EPOCH_EARLYDATA), ENCRYPT_SIDE_ONLY); - if (ret != 0) - return ret; - } -#endif /* WOLFSSL_DTLS13 */ - } #endif @@ -5118,6 +5142,7 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* Force client hello version 1.2 to work for static RSA. */ ssl->chVersion.minor = TLSv1_2_MINOR; ssl->version.minor = TLSv1_2_MINOR; + ssl->options.tls1_3 = 0; #ifdef WOLFSSL_DTLS13 if (ssl->options.dtls) { @@ -5218,6 +5243,7 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (ssl->options.dtls) { ssl->chVersion.minor = DTLSv1_2_MINOR; ssl->version.minor = DTLSv1_2_MINOR; + ssl->options.tls1_3 = 0; ret = Dtls13ClientDoDowngrade(ssl); if (ret != 0) return ret; @@ -5231,6 +5257,7 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, return VERSION_ERROR; } #ifndef WOLFSSL_NO_TLS12 + ssl->options.tls1_3 = 0; return DoServerHello(ssl, input, inOutIdx, helloSz); #else SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version); @@ -6296,17 +6323,6 @@ static int CheckPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz, return ret; ssl->keys.encryptionOn = 1; - -#ifdef WOLFSSL_DTLS13 - if (ssl->options.dtls) { - ret = Dtls13NewEpoch(ssl, - w64From32(0x0, DTLS13_EPOCH_EARLYDATA), - DECRYPT_SIDE_ONLY); - if (ret != 0) - return ret; - } -#endif /* WOLFSSL_DTLS13 */ - ssl->earlyData = process_early_data; } else @@ -7604,11 +7620,6 @@ static int SendTls13EncryptedExtensions(WOLFSSL* ssl) w64wrapper epochHandshake = w64From32(0, DTLS13_EPOCH_HANDSHAKE); ssl->dtls13Epoch = epochHandshake; - ret = Dtls13NewEpoch( - ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE); - if (ret != 0) - return ret; - ret = Dtls13SetEpochKeys( ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE); if (ret != 0) @@ -11194,11 +11205,6 @@ static int SendTls13Finished(WOLFSSL* ssl) ssl->dtls13Epoch = epochTraffic0; ssl->dtls13PeerEpoch = epochTraffic0; - ret = Dtls13NewEpoch( - ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE); - if (ret != 0) - return ret; - ret = Dtls13SetEpochKeys( ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE); if (ret != 0) @@ -11236,11 +11242,6 @@ static int SendTls13Finished(WOLFSSL* ssl) ssl->dtls13Epoch = epochTraffic0; ssl->dtls13PeerEpoch = epochTraffic0; - ret = Dtls13NewEpoch( - ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE); - if (ret != 0) - return ret; - ret = Dtls13SetEpochKeys( ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE); if (ret != 0) @@ -11440,10 +11441,6 @@ static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (ssl->options.dtls) { w64Increment(&ssl->dtls13PeerEpoch); - ret = Dtls13NewEpoch(ssl, ssl->dtls13PeerEpoch, DECRYPT_SIDE_ONLY); - if (ret != 0) - return ret; - ret = Dtls13SetEpochKeys(ssl, ssl->dtls13PeerEpoch, DECRYPT_SIDE_ONLY); if (ret != 0) return ret; @@ -12859,11 +12856,6 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, ssl->dtls13Epoch = epochHandshake; ssl->dtls13PeerEpoch = epochHandshake; - ret = Dtls13NewEpoch( - ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE); - if (ret != 0) - return ret; - ret = Dtls13SetEpochKeys( ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE); if (ret != 0) diff --git a/tests/api.c b/tests/api.c index adc826ed75..26667ce1cb 100644 --- a/tests/api.c +++ b/tests/api.c @@ -51,6 +51,12 @@ #endif #include + +#ifdef __linux__ +#include +#include +#endif + #include /* compatibility layer */ #include @@ -19069,6 +19075,14 @@ static int test_wc_PKCS12_create_once(int keyEncType, int certEncType) static int test_wc_PKCS12_create(void) { EXPECT_DECLS; + + EXPECT_TEST(test_wc_PKCS12_create_once(-1, -1)); +#if !defined(NO_RC4) && !defined(NO_SHA) + EXPECT_TEST(test_wc_PKCS12_create_once(PBE_SHA1_RC4_128, PBE_SHA1_RC4_128)); +#endif +#if !defined(NO_DES3) && !defined(NO_SHA) + EXPECT_TEST(test_wc_PKCS12_create_once(PBE_SHA1_DES, PBE_SHA1_DES)); +#endif #if !defined(NO_DES3) && !defined(NO_SHA) EXPECT_TEST(test_wc_PKCS12_create_once(PBE_SHA1_DES3, PBE_SHA1_DES3)); #endif @@ -32741,6 +32755,59 @@ static int test_wolfSSL_check_domain(void) } #endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + !defined(WOLFSSL_SYS_CA_CERTS) +static const char* dn = NULL; +static int test_wolfSSL_check_domain_basic_client_ctx(WOLFSSL_CTX* ctx) +{ + EXPECT_DECLS; + + ExpectIntEQ(wolfSSL_CTX_load_system_CA_certs(ctx), WOLFSSL_SUCCESS); + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); + + return EXPECT_RESULT(); +} +static int test_wolfSSL_check_domain_basic_client_ssl(WOLFSSL* ssl) +{ + EXPECT_DECLS; + + ExpectIntEQ(wolfSSL_check_domain_name(ssl, dn), WOLFSSL_SUCCESS); + + return EXPECT_RESULT(); +} +static int test_wolfSSL_check_domain_basic(void) +{ + EXPECT_DECLS; + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; + + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); + + func_cb_client.ctx_ready = &test_wolfSSL_check_domain_basic_client_ctx; + + dn = "invalid.com"; + func_cb_client.ssl_ready = &test_wolfSSL_check_domain_basic_client_ssl; + + /* Expect to fail */ + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), -1001); + + dn = "example.com"; + + /* Expect to succeed */ + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); + + return EXPECT_RESULT(); +} +#else +static int test_wolfSSL_check_domain_basic(void) +{ + EXPECT_DECLS; + return EXPECT_RESULT(); +} +#endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */ static int test_wolfSSL_X509_get_X509_PUBKEY(void) { @@ -33142,6 +33209,59 @@ static int test_wolfSSL_RAND(void) } +static int test_wolfSSL_RAND_poll(void) +{ + EXPECT_DECLS; + +#if defined(OPENSSL_EXTRA) && defined(__linux__) + byte seed[16] = {0}; + byte randbuf[8] = {0}; + int pipefds[2] = {0}; + pid_t pid = 0; + + XMEMSET(seed, 0, sizeof(seed)); + + /* No global methods set. */ + ExpectIntEQ(RAND_seed(seed, sizeof(seed)), 1); + + ExpectIntEQ(pipe(pipefds), 0); + pid = fork(); + ExpectIntGE(pid, 0); + if (pid == 0) + { + ssize_t n_written = 0; + + /* Child process. */ + close(pipefds[0]); + RAND_poll(); + RAND_bytes(randbuf, sizeof(randbuf)); + n_written = write(pipefds[1], randbuf, sizeof(randbuf)); + close(pipefds[1]); + exit(n_written == sizeof(randbuf) ? 0 : 1); + } + else + { + /* Parent process. */ + word64 childrand64 = 0; + int waitstatus = 0; + + close(pipefds[1]); + ExpectIntEQ(RAND_poll(), 1); + ExpectIntEQ(RAND_bytes(randbuf, sizeof(randbuf)), 1); + ExpectIntEQ(read(pipefds[0], &childrand64, sizeof(childrand64)), sizeof(childrand64)); + ExpectBufNE(randbuf, &childrand64, sizeof(randbuf)); + close(pipefds[0]); + waitpid(pid, &waitstatus, 0); + } + RAND_cleanup(); + + ExpectIntEQ(RAND_egd(NULL), -1); +#endif + + return EXPECT_RESULT(); +} + + static int test_wolfSSL_PKCS8_Compat(void) { EXPECT_DECLS; @@ -67671,6 +67791,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_RAND_set_rand_method), TEST_DECL(test_wolfSSL_RAND_bytes), TEST_DECL(test_wolfSSL_RAND), + TEST_DECL(test_wolfSSL_RAND_poll), /* BN compatibility API */ TEST_DECL(test_wolfSSL_BN_CTX), @@ -67742,6 +67863,7 @@ TEST_CASE testCases[] = { #endif TEST_DECL(test_wolfSSL_check_domain), + TEST_DECL(test_wolfSSL_check_domain_basic), TEST_DECL(test_wolfSSL_cert_cb), TEST_DECL(test_wolfSSL_cert_cb_dyn_ciphers), TEST_DECL(test_wolfSSL_ciphersuite_auth), @@ -68274,6 +68396,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_inject), TEST_DECL(test_wolfSSL_dtls_cid_parse), TEST_DECL(test_dtls13_epochs), + TEST_DECL(test_dtls_rtx_across_epoch_change), TEST_DECL(test_dtls13_ack_order), TEST_DECL(test_dtls_version_checking), TEST_DECL(test_ocsp_status_callback), diff --git a/tests/api/test_dtls.c b/tests/api/test_dtls.c index d5d5896493..d6a106b391 100644 --- a/tests/api/test_dtls.c +++ b/tests/api/test_dtls.c @@ -1313,3 +1313,73 @@ int test_records_span_network_boundaries(void) } #endif /* defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \ !defined(WOLFSSL_NO_TLS12) */ + +int test_dtls_rtx_across_epoch_change(void) +{ + EXPECT_DECLS; +#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS) + WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL; + WOLFSSL *ssl_c = NULL, *ssl_s = NULL; + struct test_memio_ctx test_ctx; + + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + + /* Setup DTLS contexts */ + ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, + wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method), + 0); + + /* CH0 */ + wolfSSL_SetLoggingPrefix("client:"); + ExpectIntEQ(wolfSSL_connect(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), SSL_ERROR_WANT_READ); + + /* HRR */ + wolfSSL_SetLoggingPrefix("server:"); + ExpectIntEQ(wolfSSL_accept(ssl_s), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), SSL_ERROR_WANT_READ); + + /* CH1 */ + wolfSSL_SetLoggingPrefix("client:"); + ExpectIntEQ(wolfSSL_connect(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), SSL_ERROR_WANT_READ); + + /* SH ... FINISHED */ + wolfSSL_SetLoggingPrefix("server:"); + ExpectIntEQ(wolfSSL_accept(ssl_s), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), SSL_ERROR_WANT_READ); + + /* we should have now SH ... FINISHED messages in the buffer*/ + ExpectIntGE(test_ctx.c_msg_count, 2); + + /* drop everything but the SH */ + while (test_ctx.c_msg_count > 1 && EXPECT_SUCCESS()) { + ExpectIntEQ(test_memio_drop_message(&test_ctx, 1, test_ctx.c_msg_count - 1), 0); + } + + /* Read the SH */ + wolfSSL_SetLoggingPrefix("client:"); + ExpectIntEQ(wolfSSL_connect(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), SSL_ERROR_WANT_READ); + + /* trigger client timeout */ + ExpectIntEQ(wolfSSL_dtls_got_timeout(ssl_c), WOLFSSL_SUCCESS); + /* this should have triggered a rtx */ + ExpectIntGT(test_ctx.s_msg_count, 0); + + /* finish the handshake */ + ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); + + /* Test communication works correctly */ + ExpectIntEQ(test_dtls_communication(ssl_s, ssl_c), TEST_SUCCESS); + + /* Cleanup */ + wolfSSL_free(ssl_c); + wolfSSL_CTX_free(ctx_c); + wolfSSL_free(ssl_s); + wolfSSL_CTX_free(ctx_s); +#endif /* defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(WOLFSSL_DTLS13) */ + return EXPECT_RESULT(); +} diff --git a/tests/api/test_dtls.h b/tests/api/test_dtls.h index 7896a95104..18ace27b6e 100644 --- a/tests/api/test_dtls.h +++ b/tests/api/test_dtls.h @@ -36,4 +36,5 @@ int test_dtls13_longer_length(void); int test_dtls13_short_read(void); int test_records_span_network_boundaries(void); int test_dtls_record_cross_boundaries(void); +int test_dtls_rtx_across_epoch_change(void); #endif /* TESTS_API_DTLS_H */ diff --git a/tests/api/test_mldsa.c b/tests/api/test_mldsa.c index 34b9181b57..c86703f883 100644 --- a/tests/api/test_mldsa.c +++ b/tests/api/test_mldsa.c @@ -16665,6 +16665,7 @@ int test_mldsa_pkcs8(void) defined(HAVE_DILITHIUM) && !defined(NO_TLS) && \ (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) && \ + !defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ !defined(WOLFSSL_DILITHIUM_NO_ASN1) WOLFSSL_CTX* ctx = NULL; @@ -16685,9 +16686,15 @@ int test_mldsa_pkcs8(void) int oidSum; int keySz; } test_variant[] = { +#ifndef WOLFSSL_NO_ML_DSA_44 {WC_ML_DSA_44, ML_DSA_LEVEL2k, ML_DSA_LEVEL2_PRV_KEY_SIZE}, +#endif +#ifndef WOLFSSL_NO_ML_DSA_65 {WC_ML_DSA_65, ML_DSA_LEVEL3k, ML_DSA_LEVEL3_PRV_KEY_SIZE}, +#endif +#ifndef WOLFSSL_NO_ML_DSA_87 {WC_ML_DSA_87, ML_DSA_LEVEL5k, ML_DSA_LEVEL5_PRV_KEY_SIZE} +#endif }; (void) pemSz; diff --git a/tests/test-tls13-down.conf b/tests/test-tls13-down.conf index 90f0c4bb43..3b388a0266 100644 --- a/tests/test-tls13-down.conf +++ b/tests/test-tls13-down.conf @@ -51,7 +51,7 @@ -v 3 -H exitWithRet -# server TLSv1.2 +# server TLSv1.2 -v 3 -l ECDHE-RSA-AES256-GCM-SHA384 -H exitWithRet @@ -60,7 +60,7 @@ -v 4 -H exitWithRet -# server TLSv1.2 +# server TLSv1.2 -v 3 -l ECDHE-RSA-AES256-GCM-SHA384 -H exitWithRet @@ -119,3 +119,10 @@ -7 3 -s -l ECDHE-PSK-AES128-GCM-SHA256 + +# server TLSv1.3 +-v 4 + +# client downgrade with trusted ca +-v d +-5 diff --git a/wolfcrypt/src/include.am b/wolfcrypt/src/include.am index 04058c3e80..7d44a36634 100644 --- a/wolfcrypt/src/include.am +++ b/wolfcrypt/src/include.am @@ -132,6 +132,7 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \ wolfcrypt/src/port/Espressif/esp_crt_bundle/cacrt_deprecated.pem \ wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c \ wolfcrypt/src/port/Espressif/esp_crt_bundle/gen_crt_bundle.py \ + wolfcrypt/src/port/Espressif/esp_crt_bundle/pio_install_cryptography.py \ wolfcrypt/src/port/Espressif/esp_crt_bundle/cacrt_local.pem \ wolfcrypt/src/port/Espressif/README.md \ wolfcrypt/src/port/arm/cryptoCell.c \ diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c index e4e908ae26..3116fe5bf3 100644 --- a/wolfcrypt/src/pkcs12.c +++ b/wolfcrypt/src/pkcs12.c @@ -1760,6 +1760,51 @@ exit_pk12par: } +/* Helper function to get parameters for key and cert encryptions */ +static int wc_PKCS12_get_enc_params(int inAlgo, int* vPKCS, int* outAlgo, + int* blkOid, int* hmacOid) +{ + int ret = 0; + + if (inAlgo == PBE_SHA1_RC4_128) { + *vPKCS = 1; /* PKCS#12 */ + *outAlgo = PBE_SHA1_RC4_128; + *blkOid = 0; /* Unused */ + *hmacOid = 0; /* Use SHA1 as default */ + } + else if (inAlgo == PBE_SHA1_DES) { + *vPKCS = PKCS5; + *outAlgo = PBES1_SHA1_DES; + *blkOid = 0; /* Unused */ + *hmacOid = 0; /* Use SHA1 as default */ + } + else if (inAlgo == PBE_SHA1_DES3) { + *vPKCS = 1; /* PKCS#12 */ + *outAlgo = PBE_SHA1_DES3; + *blkOid = 0; /* Unused */ + *hmacOid = 0; /* Use SHA1 as default */ + } + else if (inAlgo == PBE_AES256_CBC) { + *vPKCS = PKCS5; + *outAlgo = PBES2; + *blkOid = AES256CBCb; + *hmacOid = HMAC_SHA256_OID; + } + else if (inAlgo == PBE_AES128_CBC) { + *vPKCS = PKCS5; + *outAlgo = PBES2; + *blkOid = AES128CBCb; + *hmacOid = HMAC_SHA256_OID; + } + else { + WOLFSSL_MSG("Unsupported algorithm for PKCS12 encryption"); + ret = ALGO_ID_E; + } + + return ret; +} + + /* Helper function to shroud keys. * * pkcs12 structure to use with shrouding key @@ -1781,15 +1826,15 @@ static int wc_PKCS12_shroud_key(WC_PKCS12* pkcs12, WC_RNG* rng, { void* heap; word32 tmpIdx = 0; - int vPKCS = 1; /* PKCS#12 default set to 1 */ word32 sz; word32 totalSz = 0; int ret; byte* pkcs8Key = NULL; - /* The blkOid and hmacOid are only valid for PKCS#5v2 (PBES2) */ + int vPKCS = -1; + int outAlgo = -1; int blkOid = 0; - int hmacOid = 0; /* If 0, use the default HMAC algorithm */ + int hmacOid = 0; if (outSz == NULL || pkcs12 == NULL || rng == NULL || key == NULL || pass == NULL) { @@ -1826,25 +1871,13 @@ static int wc_PKCS12_shroud_key(WC_PKCS12* pkcs12, WC_RNG* rng, else { WOLFSSL_MSG("creating PKCS12 Shrouded Key Bag"); - /* Need to handle PKCS#5v1/v2 (=non-PKCS#12v1) encryptions */ - if (vAlgo == PBE_SHA1_DES) { - vPKCS = PKCS5; - vAlgo = 10; - } - else if (vAlgo == PBE_AES256_CBC) { - vPKCS = PKCS5; - vAlgo = PBES2; - blkOid = AES256CBCb; - hmacOid = HMAC_SHA256_OID; - } - else if (vAlgo == PBE_AES128_CBC) { - vPKCS = PKCS5; - vAlgo = PBES2; - blkOid = AES128CBCb; - hmacOid = HMAC_SHA256_OID; + if ((ret = wc_PKCS12_get_enc_params(vAlgo, &vPKCS, &outAlgo, &blkOid, + &hmacOid)) < 0) { + return ret; } + ret = TraditionalEnc_ex(key, keySz, pkcs8Key, &sz, pass, passSz, - vPKCS, vAlgo, blkOid, NULL, 0, itt, hmacOid, rng, heap); + vPKCS, outAlgo, blkOid, NULL, 0, itt, hmacOid, rng, heap); } if (ret == WC_NO_ERR_TRACE(LENGTH_ONLY_E)) { *outSz = sz + MAX_LENGTH_SZ + 1; @@ -2084,7 +2117,6 @@ static int wc_PKCS12_encrypt_content(WC_PKCS12* pkcs12, WC_RNG* rng, const char* pass, int passSz, int iter, int type) { void* heap; - int vPKCS = 1; /* PKCS#12 is always set to 1 */ int ret; byte* tmp; word32 idx = 0; @@ -2092,6 +2124,9 @@ static int wc_PKCS12_encrypt_content(WC_PKCS12* pkcs12, WC_RNG* rng, word32 length = 0; word32 tmpSz; word32 encSz; + + int vPKCS = -1; + int outAlgo = -1; int blkOid = 0; int hmacOid = 0; @@ -2111,23 +2146,14 @@ static int wc_PKCS12_encrypt_content(WC_PKCS12* pkcs12, WC_RNG* rng, if (type == WC_PKCS12_ENCRYPTED_DATA) { word32 outerSz = 0; - /* Need to handle PKCS#5v1/v2 (=non-PKCS#12v1) encryptions */ - if (vAlgo == PBE_AES256_CBC) { - vPKCS = PKCS5; - vAlgo = PBES2; - blkOid = AES256CBCb; - hmacOid = HMAC_SHA256_OID; - } - else if (vAlgo == PBE_AES128_CBC) { - vPKCS = PKCS5; - vAlgo = PBES2; - blkOid = AES128CBCb; - hmacOid = HMAC_SHA256_OID; + if ((ret = wc_PKCS12_get_enc_params(vAlgo, &vPKCS, &outAlgo, &blkOid, + &hmacOid)) < 0) { + return ret; } encSz = contentSz; if ((ret = EncryptContent(NULL, contentSz, NULL, &encSz, - pass, passSz, vPKCS, vAlgo, blkOid, NULL, 0, iter, hmacOid, + pass, passSz, vPKCS, outAlgo, blkOid, NULL, 0, iter, hmacOid, rng, heap)) < 0) { if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) { return ret; @@ -2180,7 +2206,7 @@ static int wc_PKCS12_encrypt_content(WC_PKCS12* pkcs12, WC_RNG* rng, } if ((ret = EncryptContent(content, contentSz, tmp, &encSz, - pass, passSz, vPKCS, vAlgo, blkOid, NULL, 0, iter, hmacOid, + pass, passSz, vPKCS, outAlgo, blkOid, NULL, 0, iter, hmacOid, rng, heap)) < 0) { XFREE(tmp, heap, DYNAMIC_TYPE_TMP_BUFFER); return ret; diff --git a/wolfcrypt/src/port/Espressif/esp32_util.c b/wolfcrypt/src/port/Espressif/esp32_util.c index 90b3cdcc85..b8b387c02d 100644 --- a/wolfcrypt/src/port/Espressif/esp32_util.c +++ b/wolfcrypt/src/port/Espressif/esp32_util.c @@ -31,6 +31,11 @@ #include "sdkconfig.h" /* programmatically generated from sdkconfig */ #include +#if HAVE_LIBWOLFSSL_OUTPUT_HEADER + /* see wolfssl component CMakeLists.txt that may have generated this: */ + #include "libwolfssl_output.h" +#endif + /* Espressif */ #include #include @@ -647,6 +652,16 @@ int ShowExtendedSystemInfo(void) LIBWOLFSSL_VERSION_HEX); #endif +#if defined(LIBWOLFSSL_CMAKE_OUTPUT) + /* For some environments such as PlatformIO that may hide CMake output, + * we can have important messages propagated to the app: */ + ESP_LOGI(TAG, "----------------------------------------------------------"); + ESP_LOGI(TAG, "LIBWOLFSSL_CMAKE_OUTPUT:%s", LIBWOLFSSL_CMAKE_OUTPUT); + ESP_LOGI(TAG, "----------------------------------------------------------"); +#else + ESP_LOGW(TAG, "LIBWOLFSSL_CMAKE_OUTPUT: No cmake messages detected"); +#endif + /* some interesting settings are target specific (ESP32, -C3, -S3, etc */ #if defined(CONFIG_IDF_TARGET_ESP32) /* ESP_RSA_MULM_BITS should be set to at least 16 for ESP32 */ diff --git a/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c b/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c index 6e7b625c47..8a836b6642 100644 --- a/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c +++ b/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c @@ -31,6 +31,13 @@ /* Reminder: settings.h pulls in user_settings.h */ /* Do not explicitly include user_settings.h here. */ #include +#include +#include + +#ifndef SHOW_WOLFSSL_BUNDLE_ERROR + #define SHOW_WOLFSSL_BUNDLE_ERROR(X) ESP_LOGV(TAG, \ + "SHOW_WOLFSSL_BUNDLE_ERROR not enabled, details suppressed."); +#endif /* Espressif */ #include @@ -91,6 +98,8 @@ esp_err_t esp_crt_bundle_attach(void *conf) /* Bundle debug may come from user_settings.h and/or sdkconfig.h */ #if defined(CONFIG_WOLFSSL_DEBUG_CERT_BUNDLE) || \ defined( WOLFSSL_DEBUG_CERT_BUNDLE) + /* someplace to store result of wc_ErrorString(err, string) */ + char last_esp_crt_bundle_error[WOLFSSL_MAX_ERROR_SZ]; /* We'll only locally check this one: */ #undef WOLFSSL_DEBUG_CERT_BUNDLE #define WOLFSSL_DEBUG_CERT_BUNDLE @@ -173,12 +182,16 @@ esp_err_t esp_crt_bundle_attach(void *conf) /* A "Certificate Bundle" is this array of [size] + [x509 CA List] * certs that the client trusts: */ -extern const uint8_t x509_crt_imported_bundle_wolfssl_bin_start[] - asm("_binary_x509_crt_bundle_wolfssl_start"); - -extern const uint8_t x509_crt_imported_bundle_wolfssl_bin_end[] - asm("_binary_x509_crt_bundle_wolfssl_end"); +#if !defined(NO_WOLFSSL_USE_ASM_CERT) + extern const uint8_t x509_crt_imported_bundle_wolfssl_bin_start[] + asm("_binary_x509_crt_bundle_wolfssl_start"); + extern const uint8_t x509_crt_imported_bundle_wolfssl_bin_end[] + asm("_binary_x509_crt_bundle_wolfssl_end"); +#else + extern const unsigned char _binary_x509_crt_bundle_wolfssl_start[]; + extern const unsigned char _binary_x509_crt_bundle_wolfssl_end[]; +#endif /* This crt_bundle_t type must match other providers in esp-tls from ESP-IDF. * TODO: Move to common header in ESP-IDF. (requires ESP-IDF modification). * For now, it is here: */ @@ -453,7 +466,8 @@ static CB_INLINE int cert_manager_load(int preverify, } } else { - ESP_LOGE(TAG, "Failed to load CA"); + ESP_LOGE(TAG, "Failed to load CA, ret = %d", ret); + SHOW_WOLFSSL_BUNDLE_ERROR(ret); } /* We don't free the issue and subject, as they are @@ -861,6 +875,7 @@ static CB_INLINE int wolfssl_ssl_conf_verify_cb_no_signer(int preverify, if (ret == WOLFSSL_FAILURE) { ESP_LOGW(TAG, "Warning: found a matching cert, but not added " "to the Certificate Manager. error: %d", ret); + SHOW_WOLFSSL_BUNDLE_ERROR(ret); } else { ESP_LOGCBI(TAG, "New CA added to the Certificate Manager."); @@ -1338,15 +1353,15 @@ static esp_err_t wolfssl_esp_crt_bundle_init(const uint8_t *x509_bundle, /* If all is ok, proceed with initialization of Certificate Bundle */ if (ret == ESP_OK) { - /* This is the maximum region that is allowed to access */ - ESP_LOGV(TAG, "Bundle Start 0x%x", (intptr_t)x509_bundle); - ESP_LOGV(TAG, "Bundle Size %d", bundle_size); bundle_end = x509_bundle + bundle_size; - ESP_LOGV(TAG, "Bundle End 0x%x", (intptr_t)bundle_end); + /* This is the maximum region that is allowed to access */ + ESP_LOGCBI(TAG, "Bundle Start 0x%x", (intptr_t)x509_bundle); + ESP_LOGCBI(TAG, "Bundle End 0x%x", (intptr_t)bundle_end); + ESP_LOGCBI(TAG, "Bundle Size %u bytes", bundle_size); cur_crt = x509_bundle + BUNDLE_HEADER_OFFSET; for (i = 0; i < num_certs; i++) { - ESP_LOGV(TAG, "Init Cert %d", i); + ESP_LOGCBI(TAG, "Init Cert %d", i); if (cur_crt + CRT_HEADER_OFFSET > bundle_end) { ESP_LOGE(TAG, "Invalid certificate bundle current offset"); _esp_crt_bundle_is_valid = ESP_FAIL; @@ -1357,24 +1372,46 @@ static esp_err_t wolfssl_esp_crt_bundle_init(const uint8_t *x509_bundle, crts[i] = cur_crt; #ifndef IS_WOLFSSL_CERT_BUNDLE_FORMAT + ESP_LOGE("err", "Error: not IS_WOLFSSL_CERT_BUNDLE_FORMAT"); /* For reference only */ size_t name_len = cur_crt[0] << 8 | cur_crt[1]; size_t key_len = cur_crt[2] << 8 | cur_crt[3]; cur_crt = cur_crt + CRT_HEADER_OFFSET + name_len + key_len; #else cert_len = cur_crt[0] << 8 | cur_crt[1]; - #if defined(CONFIG_WOLFSSL_ASN_ALLOW_0_SERIAL) || \ + ESP_LOGCBI(TAG, "- This certificate at 0x%x, length: %u", + (intptr_t)cur_crt, cert_len); + + /* TODO: optional gate out serial check for performance. */ + /* Useful only for custom cert bundle, known to have no zeros. */ + if (wolfssl_is_zero_serial_number(cur_crt + CRT_HEADER_OFFSET, + cert_len) > 0) { + #if defined(CONFIG_WOLFSSL_ASN_ALLOW_0_SERIAL) || \ defined( WOLFSSL_ASN_ALLOW_0_SERIAL) || \ defined(CONFIG_WOLFSSL_NO_ASN_STRICT) || \ defined( WOLFSSL_NO_ASN_STRICT) - if (wolfssl_is_zero_serial_number(cur_crt + CRT_HEADER_OFFSET, - cert_len) > 0) { ESP_LOGW(TAG, "Warning: found zero value for serial number in " "certificate #%d", i); - ESP_LOGW(TAG, "Enable WOLFSSL_NO_ASN_STRICT to allow zero in " - "serial number."); - } - #endif + #if defined(CONFIG_WOLFSSL_ASN_ALLOW_0_SERIAL) + ESP_LOGCBW(TAG, "Allowing zero serial in certificate config."); + #elif defined( WOLFSSL_ASN_ALLOW_0_SERIAL) + ESP_LOGCBW(TAG, "Allowing zero serial in certificate setting."); + #elif defined(CONFIG_WOLFSSL_NO_ASN_STRICT) + ESP_LOGCBW(TAG, "Allowing zero serial, no ASN Strict config."); + #elif defined( WOLFSSL_NO_ASN_STRICT) + ESP_LOGCBW(TAG, "Allowing zero serial, no ASN Strict setting."); + #else + /* Unless explicitly allowed, wolfSSL will reject zero serial */ + ESP_LOGW(TAG, "Certificate has zero serial number!"); + #endif /* zero serial check message, why allowed per setting */ + #else + /* we don't allow zero serial, expect wolfssl error later */ + ESP_LOGE(TAG, "ERROR: Strict ASN and found zero value for " + "serial number in certificate #%d", i); + #endif /* zero serial check */ + } /* wolfssl_is_zero_serial_number */ + + /* look at next cert */ cur_crt = cur_crt + (CRT_HEADER_OFFSET + cert_len); #endif } /* for certs 0 to num_certs - 1 in the order found */ @@ -1427,25 +1464,52 @@ static esp_err_t wolfssl_esp_crt_bundle_init(const uint8_t *x509_bundle, esp_err_t esp_crt_bundle_attach(void *conf) { esp_err_t ret = ESP_OK; + size_t bundle_size = 0; ESP_LOGCBI(TAG, "Enter esp_crt_bundle_attach"); /* If no bundle has been set by the user, * then use the bundle embedded in the binary */ +#ifdef PLATFORMIO + ESP_LOGCBW(TAG, "Found PLATFORMIO, beware of alternate cert bundles."); +#endif if (s_crt_bundle.crts == NULL) { ESP_LOGCBI(TAG, "No bundle set by user; using the embedded binary."); ESP_LOGCBI(TAG, "x509_crt_imported_bundle_wolfssl_bin_start 0x%x", (intptr_t)x509_crt_imported_bundle_wolfssl_bin_start); - ESP_LOGCBI(TAG, "x509_crt_imported_bundle_wolfssl_bin_end 0x%x", + ESP_LOGCBI(TAG, "x509_crt_imported_bundle_wolfssl_bin_end 0x%x", (intptr_t)x509_crt_imported_bundle_wolfssl_bin_end); - ret = wolfssl_esp_crt_bundle_init( - x509_crt_imported_bundle_wolfssl_bin_start, - (x509_crt_imported_bundle_wolfssl_bin_end - - x509_crt_imported_bundle_wolfssl_bin_start)); + if ((intptr_t)x509_crt_imported_bundle_wolfssl_bin_end < + (intptr_t)x509_crt_imported_bundle_wolfssl_bin_start) { + ESP_LOGE(TAG, "Imported bundle end less than starting address"); + ret = ESP_FAIL; + } + else { + bundle_size = (x509_crt_imported_bundle_wolfssl_bin_end + - x509_crt_imported_bundle_wolfssl_bin_start); + if (bundle_size == 0) { + ESP_LOGE(TAG, "Imported bundle size is zero. Empty?"); + ret = ESP_FAIL; + } + else { + ESP_LOGCBI(TAG, "Importing x509 wolfSSL bundle, %u bytes", + bundle_size); + ret = wolfssl_esp_crt_bundle_init( + x509_crt_imported_bundle_wolfssl_bin_start, + bundle_size); + } + } } else { ESP_LOGCBI(TAG, "Cert bundle set by user at 0x%x.", (intptr_t)s_crt_bundle.crts); } + if (((uintptr_t)x509_crt_imported_bundle_wolfssl_bin_start % 4) == 0) { + ESP_LOGCBI(TAG, "Confirmed alignment x509_crt_imported_bundle_wolfssl"); + } + else { + ESP_LOGCBI(TAG, "Not aligned: x509_crt_imported_bundle_wolfssl"); + } + if (ret == ESP_OK) { if (conf) { wolfssl_ssl_config *ssl_conf = (wolfssl_ssl_config *)conf; diff --git a/wolfcrypt/src/port/Espressif/esp_crt_bundle/pio_install_cryptography.py b/wolfcrypt/src/port/Espressif/esp_crt_bundle/pio_install_cryptography.py new file mode 100644 index 0000000000..18571403ea --- /dev/null +++ b/wolfcrypt/src/port/Espressif/esp_crt_bundle/pio_install_cryptography.py @@ -0,0 +1,37 @@ +#!/usr/bin/env python +# +# pio_install_cryptography.py +# +# Copyright (C) 2006-2024 wolfSSL Inc. +# +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA +# +# Import("env") +import subprocess +import sys + +# Function to install a package +def install(package): + subprocess.check_call([sys.executable, "-m", "pip", "install", package]) + +try: + # Check if cryptography is installed + import cryptography +except ImportError: + # If not installed, install it + print("cryptography package not found. Installing...") + install("cryptography") diff --git a/wolfcrypt/src/port/Renesas/renesas_common.c b/wolfcrypt/src/port/Renesas/renesas_common.c index dd900feeb5..eacdca52d9 100644 --- a/wolfcrypt/src/port/Renesas/renesas_common.c +++ b/wolfcrypt/src/port/Renesas/renesas_common.c @@ -254,7 +254,8 @@ static int Renesas_cmn_CryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx) if (ret == 0) { TsipUserCtx* tsipCtx = (TsipUserCtx*)ctx; RsaKey* key = info->pk.rsakg.key; - #if defined(TSIP_RSAES_1024) && TSIP_RSAES_1024 == 1 + #if (defined(TSIP_RSAES_1024) && TSIP_RSAES_1024 == 1) || \ + (defined(TSIP_RSASSA_1024) && TSIP_RSASSA_1024 == 1) if (info->pk.rsakg.size == 1024) { /* export generated public key to the RsaKey structure */ ret = wc_RsaPublicKeyDecodeRaw( @@ -266,7 +267,8 @@ static int Renesas_cmn_CryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx) ); } #endif - #if defined(TSIP_RSAES_2048) && TSIP_RSAES_2048 == 1 + #if (defined(TSIP_RSAES_2048) && TSIP_RSAES_2048 == 1) || \ + (defined(TSIP_RSASSA_2048) && TSIP_RSASSA_2048 == 1) if (info->pk.rsakg.size == 2048) { /* export generated public key to the RsaKey structure */ ret = wc_RsaPublicKeyDecodeRaw( @@ -824,11 +826,13 @@ static int Renesas_cmn_EncryptKeys(WOLFSSL* ssl, void* ctx) TsipUserCtx* cbInfo = (TsipUserCtx*)ctx; if (cbInfo->session_key_set == 1) { + switch(cbInfo->key_side) { #elif defined(WOLFSSL_RENESAS_FSPSM_TLS) FSPSM_ST* cbInfo = (FSPSM_ST*)ctx; if (cbInfo->keyflgs_tls.bits.session_key_set == 1) { switch(cbInfo->side) { + #endif case 1:/* ENCRYPT_SIDE_ONLY */ ssl->encrypt.setup = 1; break; @@ -841,7 +845,7 @@ static int Renesas_cmn_EncryptKeys(WOLFSSL* ssl, void* ctx) break; default:break; } - #endif + ret = 0; wolfSSL_CTX_SetTlsFinishedCb(ssl->ctx, Renesas_cmn_TlsFinished); wolfSSL_SetTlsFinishedCtx(ssl, cbInfo); diff --git a/wolfcrypt/src/port/Renesas/renesas_tsip_rsa.c b/wolfcrypt/src/port/Renesas/renesas_tsip_rsa.c index 33bf4df8c6..46433bee00 100644 --- a/wolfcrypt/src/port/Renesas/renesas_tsip_rsa.c +++ b/wolfcrypt/src/port/Renesas/renesas_tsip_rsa.c @@ -372,7 +372,7 @@ int wc_tsip_RsaVerifyPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc) if ((ret = tsip_hw_lock()) == 0) { switch (tuc->wrappedKeyType) { -#if defined(TSIP_RSAES_1024) && TSIP_RSAES_1024 == 1 +#if defined(TSIP_RSASSA_1024) && TSIP_RSASSA_1024 == 1 case TSIP_KEY_TYPE_RSA1024: err = R_TSIP_RsassaPkcs1024SignatureVerification(&sigData, &hashData, @@ -390,7 +390,7 @@ int wc_tsip_RsaVerifyPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc) } break; #endif -#if defined(TSIP_RSAES_2048) && TSIP_RSAES_2048 == 1 +#if defined(TSIP_RSASSA_2048) && TSIP_RSASSA_2048 == 1 case TSIP_KEY_TYPE_RSA2048: err = R_TSIP_RsassaPkcs2048SignatureVerification(&sigData, &hashData, diff --git a/wolfcrypt/src/port/Renesas/renesas_tsip_util.c b/wolfcrypt/src/port/Renesas/renesas_tsip_util.c index 9af6b7b1b2..54fd8f8b9b 100644 --- a/wolfcrypt/src/port/Renesas/renesas_tsip_util.c +++ b/wolfcrypt/src/port/Renesas/renesas_tsip_util.c @@ -2425,7 +2425,8 @@ int tsip_ImportPublicKey(TsipUserCtx* tuc, int keyType) switch (keyType) { #if !defined(NO_RSA) - #if defined(TSIP_RSAES_2048) && TSIP_RSAES_2048 == 1 + #if ((defined(TSIP_RSAES_2048) && TSIP_RSAES_2048 == 1) || \ + (defined(TSIP_RSASSA_2048) && TSIP_RSASSA_2048 == 1)) case TSIP_KEY_TYPE_RSA2048: #if defined(WOLFSSL_RENESAS_TSIP_TLS) tuc->ClientRsa2048PubKey_set = 0; @@ -3231,15 +3232,13 @@ int wc_tsip_generateSessionKey( if (enc) { enc->aes->ctx.keySize = ssl->specs.key_size; enc->aes->ctx.setup = 1; - /* ready for use */ - enc->setup = 1; + /* ready-for-use flag will be set when SetKeySide() is called */ } /* set up key size and marked ready */ if (dec) { dec->aes->ctx.keySize = ssl->specs.key_size; dec->aes->ctx.setup = 1; - /* ready for use */ - dec->setup = 1; + /* ready-for-use flag will be set when SetKeySide() is called */ } if (ctx->tsip_cipher == @@ -3706,7 +3705,7 @@ int tsip_SignRsaPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc) } switch (tuc->wrappedKeyType) { -#if defined(TSIP_RSAES_1024) && TSIP_RSAES_1024 == 1 +#if defined(TSIP_RSASSA_1024) && TSIP_RSASSA_1024 == 1 case TSIP_KEY_TYPE_RSA1024: if (tuc->keyflgs_crypt.bits.rsapri1024_key_set != 1) { WOLFSSL_MSG("tsip rsa private key 1024 not set"); @@ -3714,7 +3713,7 @@ int tsip_SignRsaPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc) } break; #endif -#if defined(TSIP_RSAES_2048) && TSIP_RSAES_2048 == 1 +#if defined(TSIP_RSASSA_2048) && TSIP_RSASSA_2048 == 1 case TSIP_KEY_TYPE_RSA2048: if (tuc->keyflgs_crypt.bits.rsapri2048_key_set != 1) { WOLFSSL_MSG("tsip rsa private key 2048 not set"); @@ -3731,9 +3730,11 @@ int tsip_SignRsaPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc) if (ret == 0) { #ifdef WOLFSSL_RENESAS_TSIP_TLS + /* since TSIP driver adds ASN.1 input data uses raw digest */ hashData.pdata = (uint8_t*)ssl->buffers.digest.buffer; - hashData.data_type = 1; - sigData.pdata = (uint8_t*)info->pk.rsa.in; + hashData.data_length= ssl->buffers.digest.length; + hashData.data_type = 1; /* hashed data */ + sigData.pdata = (uint8_t*)info->pk.rsa.out; sigData.data_length = 0; /* signature size will be returned here */ #else hashData.pdata = (uint8_t*)info->pk.rsa.in; @@ -3744,7 +3745,8 @@ int tsip_SignRsaPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc) #endif if ((ret = tsip_hw_lock()) == 0) { switch (tuc->wrappedKeyType) { -#if defined(TSIP_RSAES_1024) && TSIP_RSAES_1024 == 1 +#if (defined(TSIP_RSASSA_1024) && TSIP_RSASSA_1024 == 1) && \ + defined(WOLFSSL_RENESAS_TSIP_CRYPTONLY) case TSIP_KEY_TYPE_RSA1024: err = R_TSIP_RsassaPkcs1024SignatureGenerate( &hashData, &sigData, @@ -3757,7 +3759,7 @@ int tsip_SignRsaPkcs(wc_CryptoInfo* info, TsipUserCtx* tuc) } break; #endif -#if defined(TSIP_RSAES_2048) && TSIP_RSAES_2048 == 1 +#if defined(TSIP_RSASSA_2048) && TSIP_RSASSA_2048 == 1 case TSIP_KEY_TYPE_RSA2048: err = R_TSIP_RsassaPkcs2048SignatureGenerate( &hashData, &sigData, @@ -3849,15 +3851,18 @@ int tsip_VerifyRsaPkcsCb( if (ret == 0) { sigData.pdata = (uint8_t*)sig; + sigData.data_length = sigSz; + /* Since TSITP driver handles ASN.1 internally, + * the expected data is raw hash. + */ hashData.pdata = (uint8_t*)ssl->buffers.digest.buffer; hashData.data_type = 1; /* hash value */ if ((ret = tsip_hw_lock()) == 0) { switch (tuc->wrappedKeyType) { -#if defined(TSIP_RSAES_2048) && TSIP_RSAES_2048 == 1 +#if defined(TSIP_RSASSA_2048) && TSIP_RSASSA_2048 == 1 case TSIP_KEY_TYPE_RSA2048: - sigData.data_length = 256; err = R_TSIP_RsassaPkcs2048SignatureVerification( &sigData, &hashData, &tuc->Rsa2048PublicKeyIdx, diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 5c74cf0d19..6b6f4e3618 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -46814,8 +46814,10 @@ static wc_test_ret_t dilithium_param_test(int param, WC_RNG* rng) byte* sig = NULL; #else dilithium_key key[1]; +#ifndef WOLFSSL_DILITHIUM_NO_SIGN byte sig[DILITHIUM_MAX_SIG_SIZE]; #endif +#endif #ifndef WOLFSSL_DILITHIUM_NO_SIGN word32 sigLen; byte msg[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; diff --git a/wolfssl/wolfcrypt/port/Espressif/esp_crt_bundle.h b/wolfssl/wolfcrypt/port/Espressif/esp_crt_bundle.h index cc8f48f230..3b089f3fa7 100644 --- a/wolfssl/wolfcrypt/port/Espressif/esp_crt_bundle.h +++ b/wolfssl/wolfcrypt/port/Espressif/esp_crt_bundle.h @@ -90,6 +90,16 @@ extern "C" { #define WOLFSSL_X509_VERIFY_CALLBACK (void *, WOLFSSL_X509 *, int, uint32_t *) #include +#if defined(CONFIG_WOLFSSL_DEBUG_CERT_BUNDLE) || \ + defined( WOLFSSL_DEBUG_CERT_BUNDLE) + /* Default WOLFSSL_MAX_ERROR_SZ assigned in settings.h or user_settings.h */ + extern char last_esp_crt_bundle_error[WOLFSSL_MAX_ERROR_SZ]; + #define SHOW_WOLFSSL_BUNDLE_ERROR(THIS_ERR) \ + { \ + wc_ErrorString(THIS_ERR, last_esp_crt_bundle_error); \ + ESP_LOGE(TAG,"%s", last_esp_crt_bundle_error); \ + } +#endif typedef struct wolfssl_ssl_config wolfssl_ssl_config; struct wolfssl_ssl_config diff --git a/wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h b/wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h index 04f3294718..a2924b86da 100644 --- a/wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h +++ b/wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h @@ -164,7 +164,8 @@ typedef struct TsipUserCtx { #ifdef WOLFSSL_RENESAS_TSIP_TLS /* 0:working as a TLS client, 1: as a server */ byte side; - + /* ENCRYPT_SIDE_ONLY:1 DECRYPT_SIDE_ONLY:2 ENCRYPT AND DECRYPT:3 */ + byte key_side; /* public key index for verification of RootCA cert */ uint32_t user_key_id; diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 2b20781182..ff5cbe7950 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -455,6 +455,10 @@ #endif #endif +/* Important build-time configuration messages may be saved. + * Enable DEBUG_WOLFSSL and see wolfSSL_Init() for display. */ +#define LIBWOLFSSL_CMAKE_OUTPUT "" + /* --------------------------------------------------------------------------- * Dual Algorithm Certificate Required Features. * ---------------------------------------------------------------------------