Fix and expand tinytls13 footprint profile across CI configs
Make every --enable-tinytls13 spelling build and pass locally, and grow the CI matrix to cover them. These are fixes found while testing the configs the CI workflow had not actually exercised. - internal.h, internal.c, ssl_load.c: include ML-DSA and Falcon in the pkCurveOID member and producer guards so the PSK plus ML-DSA build compiles. - tls13.c: gate the DoTls13CertificateVerify definition on NO_CERTS to match its call site. - settings.h: let the AES-256 adder survive the floor, default the user_settings path to the SHA-256 floor, make WOLFSSL_NO_MALLOC opt-in so the test suite still runs, and keep ML-DSA ASN.1 for the cert profile. - configure.ac: drive ENABLED_ASM and emit WOLFSSL_NO_ASM for the small C floor, restrict SP math to P-256, strip ML-DSA ASN.1 only on the PSK floor, and print a notice for the reduced security cert verify. - examples: guard the cert loading paths for NO_CERTS and treat NO_CERTS as PSK mode in echoserver and echoclient. - Add examples/configs/tinytls13_smoke.c, an in memory TLS 1.3 handshake test that drives PSK, ECDSA, ML-DSA-65 and RSA-PSS chain verify, plus forced cipher suites, for builds with no example or unit test harness. - certs: add ECDSA leaves signed by the ML-DSA-65 and RSA-PSS CAs so the cert profiles drive a real PQC and PSS chain verify in CI. - .github/workflows/tinytls13.yml: cover every profile and adder, run the smoke handshake on the build verified configs, and least privilege the workflow token.
@@ -15,6 +15,9 @@ concurrency:
|
||||
cancel-in-progress: true
|
||||
# END OF COMMON SECTION
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
# Build + make check every --enable-tinytls13 spelling on one runner via
|
||||
# .github/scripts/parallel-make-check.py (see psk.yml for the pattern).
|
||||
@@ -46,14 +49,25 @@ jobs:
|
||||
# Every tiny TLS 1.3 profile/adder spelling, so each is proven to build
|
||||
# and pass make check (which runs the TLS handshake test suite) out of
|
||||
# the box. Server is enabled where a config needs the server-side tests.
|
||||
- name: Build and make check all tinytls13 configs
|
||||
# The psk-p256 and cert-rsaverify configs strip to combinations
|
||||
# (ECDHE-only ECC without certs, RSA verify only) that the OpenSSL-compat
|
||||
# API unit suite (coupled to examples via BUILD_TESTS) does not gate for.
|
||||
# Rather than carry test-harness edits for those, they build static with
|
||||
# --disable-examples, skip make check ("check": false), and instead run
|
||||
# wolfcrypt/test/testwolfcrypt plus examples/configs/tinytls13_smoke.c
|
||||
# (a self-contained in-memory TLS 1.3 handshake) for real crypto and
|
||||
# handshake verification.
|
||||
- name: Build and test all tinytls13 configs
|
||||
run: |
|
||||
cat > "$RUNNER_TEMP/tinytls13-configs.json" <<'EOF'
|
||||
[
|
||||
{"name": "tinytls13-psk-x25519", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=psk,server", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-psk-p256", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=psk,p256,server", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-psk-p256", "minutes": 1, "check": false,
|
||||
"configure": ["--enable-tinytls13=psk,p256,server", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
|
||||
"run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
|
||||
["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
|
||||
["./tinytls13_smoke"]]},
|
||||
{"name": "tinytls13-psk-staticmem", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=psk,server,staticmem", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-psk-mldsa", "minutes": 1,
|
||||
@@ -66,10 +80,56 @@ jobs:
|
||||
"configure": ["--enable-tinytls13=cert,server,sha384", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-cert-mutualauth", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=cert,mutualauth,server", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-cert-rsaverify", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=cert,server,rsaverify", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-cert-rsaverify", "minutes": 1, "check": false,
|
||||
"configure": ["--enable-tinytls13=cert,server,rsaverify", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
|
||||
"run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
|
||||
["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
|
||||
["./tinytls13_smoke"]]},
|
||||
{"name": "tinytls13-cert-mldsa", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=cert,server,mldsa", "--disable-mlkem"]}
|
||||
"configure": ["--enable-tinytls13=cert,server,mldsa", "--enable-static", "--disable-mlkem"],
|
||||
"run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
|
||||
["./tinytls13_smoke"]]},
|
||||
{"name": "tinytls13-psk-client-only", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=psk", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-cert-client-only", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=cert", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-psk-asm", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=psk,server,asm", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-cert-asm", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=cert,server,asm", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-cert-chacha", "minutes": 1, "check": false,
|
||||
"configure": ["--enable-tinytls13=cert,server", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
|
||||
"cflags": "-DHAVE_CHACHA -DHAVE_POLY1305",
|
||||
"run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
|
||||
["./tinytls13_smoke", "TLS13-CHACHA20-POLY1305-SHA256"]]},
|
||||
{"name": "tinytls13-cert-aes256", "minutes": 1, "check": false,
|
||||
"configure": ["--enable-tinytls13=cert,server,sha384", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
|
||||
"cflags": "-DWOLFSSL_AES_256",
|
||||
"run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
|
||||
["./tinytls13_smoke", "TLS13-AES256-GCM-SHA384"]]},
|
||||
{"name": "tinytls13-psk-mlkem", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=psk,server", "--enable-static"],
|
||||
"run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
|
||||
["./tinytls13_smoke", "-", "mlkem"]]},
|
||||
{"name": "tinytls13-cert-staticmem", "minutes": 1, "check": false,
|
||||
"configure": ["--enable-tinytls13=cert,server,staticmem", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
|
||||
"run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
|
||||
["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
|
||||
["./tinytls13_smoke"]]},
|
||||
{"name": "tinytls13-nomalloc", "minutes": 1, "check": false,
|
||||
"configure": ["--enable-tinytls13=psk,server,staticmem", "--enable-static", "--disable-shared", "--disable-examples", "--disable-crypttests", "--disable-mlkem"],
|
||||
"cflags": "-DWOLFSSL_NO_MALLOC"},
|
||||
{"name": "tinytls13-combo-cert-mutualauth-sha384", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=cert,mutualauth,server,sha384", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-combo-cert-mldsa-sha384", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13=cert,server,mldsa,sha384", "--enable-static", "--disable-mlkem"],
|
||||
"run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
|
||||
["./tinytls13_smoke"]]},
|
||||
{"name": "tinytls13-bare", "minutes": 1,
|
||||
"configure": ["--enable-tinytls13", "--disable-mlkem"]},
|
||||
{"name": "tinytls13-usersettings", "minutes": 1, "check": false,
|
||||
"user_settings": "examples/configs/user_settings_tinytls13.h",
|
||||
"configure": ["--enable-usersettings", "--enable-static", "--disable-shared", "--disable-examples", "--disable-crypttests"]}
|
||||
]
|
||||
EOF
|
||||
.github/scripts/parallel-make-check.py \
|
||||
|
||||
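Review bot: The `tinytls13-nomalloc` and `tinytls13-usersettings` entries set `"check": false` and carry no `"run"` list, so as far as this section shows they are compiled but never executed, while the step comment says the `"check": false` configs run testwolfcrypt and the smoke handshake instead. The zero-heap build is where an allocation-path mistake matters most, so a green job should not be read as runtime coverage for it. I would state that in the step comment, e.g. `# tinytls13-nomalloc and tinytls13-usersettings are build-only (no make check, no "run").` How parallel-make-check.py treats an entry without `"run"` is not visible here, so confirm against the script.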
@@ -0,0 +1,79 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIOXDCCAVmgAwIBAgIUHkXMjMS80gZRjcfzBuyuhnlS9yEwCwYJYIZIAWUDBAMS
|
||||
MFoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
|
||||
bWFuMRAwDgYDVQQKDAd3b2xmU1NMMRUwEwYDVQQDDAxUZXN0IG1sZHNhNjUwHhcN
|
||||
MjYwNjIyMTgyNjQwWhcNMzYwNjE5MTgyNjQwWjAUMRIwEAYDVQQDDAlsb2NhbGhv
|
||||
c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7M6xMJ1BKxkqlBMM83p8223It
|
||||
zpTqK/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo0Iw
|
||||
QDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwHwYDVR0jBBgwFoAU0X7s
|
||||
9Um6d4uq1MDByuLMZZkKhxIwCwYJYIZIAWUDBAMSA4IM7gA9PW9GacDhmkuLlT+C
|
||||
a7WbLvUQDQh1o7x2+gkqNN9aYFnWM3FgafeDHJGfJOmGk7RWNh7RHCnT6MmUJFXL
|
||||
qlnC6Q0p7rQpIE/RmkfGcuLRvZyZkLhhgHMKQRhStjzzUYVUW74JKNhc7mp7nD2i
|
||||
xCGeO77hy2VP65AoioniSyg71x83eqnEvUAjjtaWYwc3SoDEoSYSf0E6emIjYvvh
|
||||
KMUXlnLxah5X3mw6ZQXp1FspKY8VY1UkXakz/rSamEd4gmv7/cow6eObAQilHrRX
|
||||
OSiVL4E/uv6qfCjTlWBvpjCDGQP6PTJKYGX3RgzVDptXtlFgRw5QCzBVRQdrUdxR
|
||||
nZjbbtQUn7bXyKEEQtDQ32aMqlvOkdrHpDg6Nto0MTdUv0YDfA+iM4KEKItoCvNm
|
||||
fyO9AMQj7+BrK8hgXSAooACq2cDdELpE0PqUAdVboLFcCOu69D2cZjM8G5IhEqZG
|
||||
aeCTchyGD6dOtpGP7uRdYj+b+4rF1gWUNLxvkwBM7DdeSGV//00zIfiVOpZNs8BG
|
||||
0TAe5mVIgE4WEnp9Z0n/zesh5HLhW6d8V8rpqAikcZMOBslzEcpZS4KZIID1A5It
|
||||
NnNGd5u69LyE3vbjjNpif0/75ns/P+z73iO2FJQ8PnRSlPwwhd8BEpSl6lrk5/ZY
|
||||
L7XjyROaFZz3Iwt/mvtZrYcFaUHcMmZY/y3SKfsuyueld38XP87vRmpDk98VsUgL
|
||||
dBr9+QgqZLKscADMQq3f6W66ziVQY5/gzTbRt/xSCf3hazi9/TTLqQvaUpckAdqD
|
||||
HHr4/mTQ/zXxmXNAXwan4OKQBqy26zgIjMbATincEwDSWvFNJwDcHyYt0Pg/+tqK
|
||||
fXAbkvaSF0BO64nW/EGtxHa2b8EkG9n9ivvYyzVLc8D6OF+wBuxTegF8tYTavKCP
|
||||
UzW11/fEh+xEnIgMQ2EzK6ElxiggvJvH/AH3GAJR4C34u+IjKHm7915hCti1C6yv
|
||||
6NmIfvwWRHMC+2XdyLe9mmVcw8uNsAV1OpbgyNGIP+nghBhunZ23Kk8jv/LjADkA
|
||||
5SCOZZuM8/PEMAA98kN4CcUcSyGh1+ZcG6ArtCWIeUzlECEZ8jq0TRoj/M+pJZ8J
|
||||
Ll50p+wGB+maJeiFD05gKmtfAlKqgHH+TxqnTr8q+pVOlEnCMrEL6tNqWTkRwQ16
|
||||
t0EHstwfOjGuu+JA/1ENlfLDTHKYcmVFQv64MPHFGWknS5arj7A2Z63sxln1eCHH
|
||||
zzgN/eY+G5zjyYvSesCWc5MDz1JpHu8QUfO93PEVxovH/KBWcpPWI+9tNkfwPgZM
|
||||
dlJMalwyhvsPz45XMbpqP4UcIQlzLztk6J7KMfSYvbAUCR4aDo5HqLflHuM6MiS6
|
||||
saigxzmXNjomMOCM10HyHmfUSpVB5CLa9xG4ImGAFSz5eP2XTmxXQquGxf1dQlON
|
||||
6hfT9JW2KTNmhyjSbAmddRCXHCpUpa23GxJtw5zWelotzOYD3fN8OsSsv3Za3Exa
|
||||
zI6NzQ3qwZoz/7rpOAxENcZ6zA7qDs36ieqKVviaEO4Pb0ReudyE1WHoTlcUNbYK
|
||||
VnnFSnw8wewKxVbVCa2ic1F/x7wiDBh0BqC4biHTtJcC6iUPjKvO5JNITokuFeC9
|
||||
lTfRJg4Q2LWTEgfLh0wEMBhsUxRzA9MghDxfzA5BZa70//pm9pGCy6FDdVStbIxe
|
||||
FgGaVqHLtV47XHT2P8cHn6UszRGET4odF1S3J/Lqe9rk9p2JJECt6WhLRHUryie2
|
||||
hB+SfG00xmfP4eGyJEndd6ElqQ7grinVWikv9bq0MqVH3uvb8ZMLdK98gF7yZMyx
|
||||
xFXIOogdu0fn5qm43yrizuCLRiw1DXroS2X131ggTLJpObqauYx+gvReqma8fPX/
|
||||
LImlDAfgrUEGAMka3DaULRGWNNF5z5PyaIGyOokIWGvvN20ArM4J7DMzBQMzUZdz
|
||||
IgugrVwxzGlAW3By14S3talrdywbpdbrH/wMi7j6H/VHqyw3bx4cLydQlbjxb1d3
|
||||
B3wm2NgOKYIfvsqw9mHOh16XInqamwCys9LhoRiqR5DwFGyEElWuFZJq9uKQvoyo
|
||||
Vx1P++TDoGP6f4ycmF1kkZaKNDK7Awj+ugmGMVu95Ij74x533kfNgvUDK7ChcJfX
|
||||
1a3VwmBGvB51AZWzaDqqa7d6OWQkoE0NE3gPnDgbNo+vZ6+ElMSK2P9G53kBA50H
|
||||
UbU+T/++QF6m69d02hq7yyiSgaXpVeLtAGEHTswmx3HWzxEE1o3PIsa322xizUsJ
|
||||
JHmHdIpFVDvaYz4A7Per42qRfXahHAqzp0UrqERQQROuzfJAWltp35LBbJIr2BXk
|
||||
l1JYDvjP5plOJgeDGvl1lY+cblsuV1OzSCuXAi//ziFXTpvhrQ0r5zE96NwNl6Fm
|
||||
L09mVZfd0Ic+sBaB9Mw6fN9QpSGHj2P/F9+UePU981qv93PqZv2ZGKrbbRMQg9Hh
|
||||
DsXNddZZduhR91xS6gVXN2IMsRKTRh/zD06oVOZxq9ZCO+NtCYYtMwzgi1By4Wx6
|
||||
R+UBg/t/rqXuui4cFEwUgS2R66VGXKzenhq5fQl1xYJPTRn0fMZBa77QLs90D1Bw
|
||||
qIY0BggeSxJ0u1hR3D2opXq1bjJ/mkjki6xwzVVI/cnWB3BwKdzmVcQJesDzhCkc
|
||||
+kghJygggyyk2T6qYc/nIGf+2fe1vu8DuL969SVcW3WOzOgzzCEVCiGdD/3wMWL8
|
||||
2CLXUS6XBOTzEiahVB2u4ljuTe3pymRP8G3JLNNBvlpGAYxml/BbaKwJKJloO7Xy
|
||||
M1JZ7tno/yTCsvtY2OIMmlfkgaPQhOVwSSlXEZeHxGZZ9pe0QLYsKdBQCfoAFXpq
|
||||
YXdXtzaC3virEUKLkAp4vUGez6bMMjw1LfL8Lp6eW3szPmFrwzU3fMCGQPq7Clsw
|
||||
E2ZzrgM6Tdt4YsXp0ZLmaNbGtTi0WuQikSor4QZjr1zH2jWFs9kVW9T+1iKkKGUC
|
||||
AVwV+PbVtQsyp0gCA9mGFDdrZBH+U8KVn9wGF6I8+UwToWPnDNTYM2jVRpl8DWui
|
||||
xSBq1TxArIZD7T2xX2988zevcYDKs4w1AHj+27j6kmGZW2NGDVvdmHj/xxRuw9WV
|
||||
4tZAlLzavkGEo6/ngGJkdmPW1OAyGhKhpvGqjABMM1HfppvFNHxfyXQfLVroEog3
|
||||
/q+U1RsEs5mfHfWc1wNdL0FBYqTvgkarxUwKZzm48yeGVdO5GE4bTXgCxHLGi3Av
|
||||
aIzMEYJ5qNBIOhp629i2AV14CgPhQjaTZq+OkI3Gr7gKkTDZrJiU/THEUZs08KpJ
|
||||
8FUnWTzkZ0fZoMx8jnx2QXGmii/79S1PnzGzvxN5f8rM5xG/br9g3qEpJ23Yi9PH
|
||||
QqCtm7GVeKEcx1WLd7gZ4UMu4MpXhOmrDKG6du245KVq20AdzEckVWOq5ObGmBV7
|
||||
IYrhrfjojculsXuYse/+q3+vzlSevsz9f/N42pEITGGeAkaUdL6aQrxqjsLW7gNY
|
||||
82H9BbpCqw2UEGX44+sAMViszTrpy34Px16+svZfzdbhsUJdCpoi49Yuf7IdH4iY
|
||||
DJMVN9TNrTEUOZCB6trzbK8I0NDWYOvEBVHl5D0qB1LDqdN9Sc0Fj1dVgaC2Ihx9
|
||||
6c3+9m43zJTIstS+YTQbyZ67ADFnCxY8/eRN0ZDRymWnlTnR7r+ceNvzprUaF3XN
|
||||
ihpVNN3fGsWaejbCWND8YHDj+F5hLTXJLZ5sqzk/CU0doHbkhnai8WHUFdKYVZRl
|
||||
6PDML7snxqobWGv690ECgixrqQkdBtiEKIAOGk0wwJfDIyzyhB1lFRT8bafOnKCX
|
||||
DiHFSfDjVIg0rLANtivOXUCXctv07JoL+jCqpC0WOHe5ch5BNRDnruXhErbu4ZJw
|
||||
xZxrafS7+79U0MQAum2SSTCYnJE96VzNUzDdZg9z1ZKEVjhp9eAEfzQdZf0JwmQs
|
||||
gZvaPyOdJ+i1bndol4NOstjx3QHsiPimvkInYlPwaaRvaUDwmucIRAIWAk0X3ZkU
|
||||
X6iC7zLeLPiGUNpsI2FJHVD5eG1bivhsWFLRvHC6pHfCMSfCcw8wLTsbx0rwrQaA
|
||||
YntZeGqc45E7f+Ef6d+6Yg80O73F9iZBHrCwVg4E4wMxzDw91xoKtbMdOoWIRTn4
|
||||
BGR9+HjGK8tH7lpj5vP2EAoNFW+m25vu6tvCebUdZyWuGgnFQc7WyvLiCiNoCo5K
|
||||
DJb+XcYkOSb0YGt1HCcZCkZ0jjUN9qH1YQfCAoOI98/YhUiL4z9FAVfdM3OhUopT
|
||||
MZGUffqI1C+OZeSvGE4GZDdIUxznJ6JURSxS93X/BUyD89U1I86Jn5wAkRH4sjKO
|
||||
lipqwbk8EY1UkfszCSFkQJTXjDxciY7CDBpYaXHG5fJCYpPX2NoEUFR+hKy0uCxM
|
||||
bYCvvMX5/h8xU1Rof5WptbzH6wAAAAAAAAAFDRMbJDA=
|
||||
-----END CERTIFICATE-----
|
||||
@@ -31,6 +31,7 @@ EXTRA_DIST += \
|
||||
certs/mldsa/mldsa65-key.pem \
|
||||
certs/mldsa/mldsa65-cert.pem \
|
||||
certs/mldsa/mldsa65-cert.der \
|
||||
certs/mldsa/ecc-leaf-mldsa65.pem \
|
||||
certs/mldsa/mldsa87-key.pem \
|
||||
certs/mldsa/mldsa87-cert.pem \
|
||||
certs/mldsa/mldsa87-cert.der \
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDNDCCAeigAwIBAgIUJdePE8BDNOOIsd+cyrHxNRYrF/0wQQYJKoZIhvcNAQEK
|
||||
MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
|
||||
AKIDAgEgMIGyMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE
|
||||
BwwHQm96ZW1hbjEXMBUGA1UECgwOd29sZlNTTF9SU0FQU1MxEjAQBgNVBAsMCUNB
|
||||
LVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB
|
||||
FhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0y
|
||||
NjA2MjIxODI2NDBaFw0zNjA2MTkxODI2NDBaMBQxEjAQBgNVBAMMCWxvY2FsaG9z
|
||||
dDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLszrEwnUErGSqUEwzzenzbbci3O
|
||||
lOor+ssgCTksFuhhAumvTdMCk5oxW5eSIX/wzxjakRECNIboIFgzC4A0idijQjBA
|
||||
MB0GA1UdDgQWBBRdXSbvrH42+Zt2FStKJQIj77KJMDAfBgNVHSMEGDAWgBSeDODT
|
||||
37ZL8xljXMpsk4aiFFORMTBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUA
|
||||
oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggEBAElprEznMP8A
|
||||
0b5c12vOMkAWT1jxpXGwDeVNkgZS+RfC82OI7UMN7kzlpjGaHts/JMUIvCTmIyNA
|
||||
I47x6JteFsnJklrk40Q4Om1ANOI1Zw8Jf/pX9mqwU4uOkto1PzTP7t0EICBr0UG4
|
||||
JV97K/+9GT2HJccS6UEh6hG2BySYHAFnG7SoBgXm6a2tGTR/Cfz9ZUY8+Cy87F3k
|
||||
3q9sCB3oqP+REOAM7FN/0Va2eY24nHZkno7sGsl2kDTx3vacBjHkx6u/KaaahB5K
|
||||
Snb3aGwrksRALpjRHOnz5wYCEtOkLOde0v1sktaVtroVRNXW2pS6iCXPpNApRJyv
|
||||
MFCkuGEo+gc=
|
||||
-----END CERTIFICATE-----
|
||||
@@ -3,6 +3,7 @@
|
||||
#
|
||||
|
||||
EXTRA_DIST += \
|
||||
certs/rsapss/ecc-leaf-rsapss.pem \
|
||||
certs/rsapss/ca-rsapss.der \
|
||||
certs/rsapss/ca-rsapss.pem \
|
||||
certs/rsapss/ca-rsapss-key.der \
|
||||
|
||||
+33
-5
@@ -940,13 +940,14 @@ if test "x$enable_tinytls13" != "x" && test "x$enable_tinytls13" != "xno"
|
||||
then
|
||||
tinytls13_cert=no
|
||||
tinytls13_p256=no
|
||||
tinytls13_asm=no
|
||||
for v in `echo $enable_tinytls13 | tr ',' ' '`
|
||||
do
|
||||
case $v in
|
||||
cert|mutualauth) tinytls13_cert=yes ;;
|
||||
p256) tinytls13_p256=yes ;;
|
||||
rsaverify) enable_rsa=yes ;;
|
||||
asm) enable_asm=yes ;;
|
||||
asm) tinytls13_asm=yes ;;
|
||||
mldsa) enable_mldsa=yes ;;
|
||||
sha384) enable_sha384=yes; enable_sha512=yes ;;
|
||||
esac
|
||||
@@ -957,6 +958,18 @@ then
|
||||
test "x$enable_sha384" = "x" && enable_sha384=no
|
||||
test "x$enable_sha512" = "x" && enable_sha512=no
|
||||
|
||||
# Small-C floor by default: no platform assembly unless the asm adder is
|
||||
# selected. ENABLED_ASM (resolved above) is the variable the downstream
|
||||
# assembly decisions read; emit the no-asm defines here too, since the
|
||||
# WOLFSSL_NO_ASM emission earlier ran before this block.
|
||||
if test "$tinytls13_asm" = "yes"
|
||||
then
|
||||
ENABLED_ASM=yes
|
||||
else
|
||||
ENABLED_ASM=no
|
||||
AM_CFLAGS="$AM_CFLAGS -DTFM_NO_ASM -DWOLFSSL_NO_ASM"
|
||||
fi
|
||||
|
||||
# TLS 1.3 only, no legacy TLS / renegotiation / extras.
|
||||
enable_tls13=yes
|
||||
enable_oldtls=no
|
||||
@@ -970,7 +983,9 @@ then
|
||||
if test "$tinytls13_cert" = "yes"
|
||||
then
|
||||
enable_ecc=yes
|
||||
enable_sp=yes
|
||||
# P-256 only SP math to match the documented footprint; bare "yes"
|
||||
# would also pull in P-384/P-521 on 64-bit hosts.
|
||||
enable_sp="yes,256"
|
||||
test "x$enable_asn" = "x" && enable_asn=template
|
||||
test "x$enable_rsa" = "x" && enable_rsa=no
|
||||
else
|
||||
@@ -979,7 +994,7 @@ then
|
||||
if test "$tinytls13_p256" = "yes"
|
||||
then
|
||||
enable_ecc=yes
|
||||
enable_sp=yes
|
||||
enable_sp="yes,256"
|
||||
else
|
||||
test "x$enable_ecc" = "x" && enable_ecc=no
|
||||
enable_curve25519=yes
|
||||
@@ -2903,7 +2918,9 @@ AC_ARG_ENABLE([tinytls13],
|
||||
[AS_HELP_STRING([--enable-tinytls13@<:@=LIST@:>@],
|
||||
[Enable tiny TLS 1.3 footprint build. LIST is comma-separated from:
|
||||
psk cert server mutualauth staticmem asm p256 sha384 mldsa rsaverify
|
||||
(default: disabled; bare flag = psk)])],
|
||||
(default: disabled; bare flag = psk). NOTE: the cert profile is a
|
||||
reduced-security verify (no name constraints, relaxed ASN, no CRL)
|
||||
meant for a known or pinned CA, not public-internet PKI.])],
|
||||
[ ENABLED_TINYTLS13=$enableval ],
|
||||
[ ENABLED_TINYTLS13=no ]
|
||||
)
|
||||
@@ -2918,6 +2935,7 @@ then
|
||||
# Feature switches were aligned early (MATH LIBRARY SELECTION section);
|
||||
# here we only emit the umbrella + adder macros (settings.h does the rest).
|
||||
tinytls13_base=psk
|
||||
tinytls13_mldsa=no
|
||||
for v in `echo $ENABLED_TINYTLS13 | tr ',' ' '`
|
||||
do
|
||||
case $v in
|
||||
@@ -2931,15 +2949,25 @@ then
|
||||
p256) AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DECC_USER_CURVES" ;;
|
||||
rsaverify) AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TINY_TLS13_RSA_VERIFY" ;;
|
||||
sha384) AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA384" ;;
|
||||
mldsa) AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLDSA -DWOLFSSL_DILITHIUM_VERIFY_ONLY -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_ASN1 -DWOLFSSL_NO_ML_DSA_44 -DWOLFSSL_NO_ML_DSA_87" ;;
|
||||
mldsa) tinytls13_mldsa=yes
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLDSA -DWOLFSSL_DILITHIUM_VERIFY_ONLY -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_NO_ML_DSA_44 -DWOLFSSL_NO_ML_DSA_87" ;;
|
||||
no) ;;
|
||||
*) AC_MSG_ERROR([Invalid --enable-tinytls13 value: $v. Valid: psk cert server mutualauth staticmem asm p256 sha384 mldsa rsaverify.]) ;;
|
||||
esac
|
||||
done
|
||||
|
||||
# ML-DSA on the PSK floor never parses a certificate, so drop the ASN.1/
|
||||
# X.509 surface for footprint. The cert profile needs it to decode and
|
||||
# verify ML-DSA certificates, so keep ASN.1 there.
|
||||
if test "$tinytls13_mldsa" = "yes" && test "$tinytls13_base" != "cert"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_ASN1"
|
||||
fi
|
||||
|
||||
if test "$tinytls13_base" = "cert"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TINY_TLS13_CERT"
|
||||
AC_MSG_NOTICE([tiny TLS 1.3 cert profile is a reduced-security verify: no name constraints, relaxed ASN, no CRL. For a known or pinned CA, not public-internet PKI.])
|
||||
else
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TINY_TLS13"
|
||||
fi
|
||||
|
||||
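Review bot: The reduced-security caveat for the cert profile is emitted with `AC_MSG_NOTICE` in the last hunk, where it scrolls past with the rest of configure's output and is easy to miss in a CI log. Because it describes a certificate verify with no name constraints, relaxed ASN parsing and no CRL, I would keep the message text and switch the macro to `AC_MSG_WARN([...])` so it stands out. If the file prints a configuration summary at the end (outside these hunks), repeating the caveat there would help whoever reads the build log later.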
@@ -18,6 +18,7 @@ Example wolfSSL configuration file templates for use when autoconf is not availa
|
||||
* `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack.
|
||||
* `user_settings_tls12.h`: Example for TLS v1.2 client only, ECC only, AES-GCM only, SHA2-256 only.
|
||||
* `user_settings_tls13.h`: TLS 1.3 only configuration (no TLS 1.2). Modern cipher suites with X25519/X448 key exchange.
|
||||
* `user_settings_tinytls13.h`: Smallest TLS 1.3 only footprint profile. PSK + ECDHE floor (no X.509) with opt-in adders: `cert` (minimal X.509 verify), `server`, `mutualauth`, `staticmem`, `asm`, `p256`, `sha384`, `mldsa`, `rsaverify`. Pairs with `--enable-tinytls13`. See `tinytls13_smoke.c` for the self-contained handshake check used by `--disable-examples` builds.
|
||||
* `user_settings_dtls13.h`: DTLS 1.3 for IoT and embedded. Includes connection ID support and smaller MTU options.
|
||||
* `user_settings_pq.h`: Post-quantum TLS with ML-KEM (Kyber) key exchange and ML-DSA (Dilithium) certificates.
|
||||
* `user_settings_openssl_compat.h`: OpenSSL compatibility layer for drop-in replacement. Enables OPENSSL_ALL and related APIs.
|
||||
|
||||
@@ -24,6 +24,7 @@ EXTRA_DIST += examples/configs/user_settings_template.h
|
||||
EXTRA_DIST += examples/configs/user_settings_tls12.h
|
||||
EXTRA_DIST += examples/configs/user_settings_tls13.h
|
||||
EXTRA_DIST += examples/configs/user_settings_tinytls13.h
|
||||
EXTRA_DIST += examples/configs/tinytls13_smoke.c
|
||||
EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h
|
||||
EXTRA_DIST += examples/configs/user_settings_wolfssh.h
|
||||
EXTRA_DIST += examples/configs/user_settings_wolftpm.h
|
||||
|
||||
@@ -0,0 +1,243 @@
|
||||
/* tinytls13_smoke.c
|
||||
*
|
||||
* Copyright (C) 2006-2026 wolfSSL Inc.
|
||||
*
|
||||
* This file is part of wolfSSL.
|
||||
*
|
||||
* wolfSSL is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation; either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* wolfSSL is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
||||
*/
|
||||
|
||||
/* Self-contained TLS 1.3 handshake smoke test for the tiny TLS 1.3 profile.
|
||||
*
|
||||
* Single process, no sockets, no threads (SINGLE_THREADED safe): the client
|
||||
* and server WOLFSSL objects are wired together through two in-memory byte
|
||||
* queues, and the handshake is driven to completion in one loop. It exercises
|
||||
* the real TLS 1.3 handshake state machine for builds where the example/unit
|
||||
* test harness is not available, e.g. --enable-tinytls13=psk,p256
|
||||
* --disable-examples.
|
||||
*
|
||||
* On the PSK floor it runs a PSK + ECDHE handshake. On the cert profile
|
||||
* (WOLFSSL_TINY_TLS13_CERT) it runs a certificate handshake: the server
|
||||
* presents an ECDSA P-256 certificate and the client validates it, driving
|
||||
* the Certificate / CertificateVerify path. Cert files default to ../certs
|
||||
* (the layout used by parallel-make-check.py builds); pass a directory as
|
||||
* argv[1] to override.
|
||||
*
|
||||
* Build against a static tiny build and run:
|
||||
* cc -I<build> -I<src> tinytls13_smoke.c <build>/src/.libs/libwolfssl.a -lm \
|
||||
* -o tinytls13_smoke && ./tinytls13_smoke
|
||||
*/
|
||||
|
||||
#include <wolfssl/options.h>
|
||||
#include <wolfssl/ssl.h>
|
||||
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#define MEM_BUF_SZ 32768
|
||||
|
||||
typedef struct membuf {
|
||||
unsigned char data[MEM_BUF_SZ];
|
||||
int len;
|
||||
} membuf;
|
||||
|
||||
/* recv: drain from the queue this endpoint reads from */
|
||||
static int mem_recv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
|
||||
{
|
||||
membuf* mb = (membuf*)ctx;
|
||||
int n;
|
||||
|
||||
(void)ssl;
|
||||
if (mb->len == 0)
|
||||
return WOLFSSL_CBIO_ERR_WANT_READ;
|
||||
n = (sz < mb->len) ? sz : mb->len;
|
||||
XMEMCPY(buf, mb->data, (size_t)n);
|
||||
XMEMMOVE(mb->data, mb->data + n, (size_t)(mb->len - n));
|
||||
mb->len -= n;
|
||||
return n;
|
||||
}
|
||||
|
||||
/* send: append to the queue the peer reads from */
|
||||
static int mem_send(WOLFSSL* ssl, char* buf, int sz, void* ctx)
|
||||
{
|
||||
membuf* mb = (membuf*)ctx;
|
||||
|
||||
(void)ssl;
|
||||
if (sz < 0 || mb->len > MEM_BUF_SZ - sz)
|
||||
return WOLFSSL_CBIO_ERR_WANT_WRITE;
|
||||
XMEMCPY(mb->data + mb->len, buf, (size_t)sz);
|
||||
mb->len += sz;
|
||||
return sz;
|
||||
}
|
||||
|
||||
#ifndef WOLFSSL_TINY_TLS13_CERT
|
||||
static const unsigned char psk_key[16] = {
|
||||
0x1a, 0x2b, 0x3c, 0x4d, 0x5e, 0x6f, 0x70, 0x81,
|
||||
0x92, 0xa3, 0xb4, 0xc5, 0xd6, 0xe7, 0xf8, 0x09
|
||||
};
|
||||
static const char psk_identity[] = "tinytls13-client";
|
||||
|
||||
static unsigned int psk_client_cb(WOLFSSL* ssl, const char* hint,
|
||||
char* identity, unsigned int id_max, unsigned char* key,
|
||||
unsigned int key_max)
|
||||
{
|
||||
(void)ssl;
|
||||
(void)hint;
|
||||
if (id_max < sizeof(psk_identity) || key_max < sizeof(psk_key))
|
||||
return 0;
|
||||
XMEMCPY(identity, psk_identity, sizeof(psk_identity));
|
||||
XMEMCPY(key, psk_key, sizeof(psk_key));
|
||||
return (unsigned int)sizeof(psk_key);
|
||||
}
|
||||
|
||||
static unsigned int psk_server_cb(WOLFSSL* ssl, const char* identity,
|
||||
unsigned char* key, unsigned int key_max)
|
||||
{
|
||||
(void)ssl;
|
||||
(void)identity;
|
||||
if (key_max < sizeof(psk_key))
|
||||
return 0;
|
||||
XMEMCPY(key, psk_key, sizeof(psk_key));
|
||||
return (unsigned int)sizeof(psk_key);
|
||||
}
|
||||
#endif /* !WOLFSSL_TINY_TLS13_CERT */
|
||||
|
||||
int main(int argc, char** argv)
|
||||
{
|
||||
WOLFSSL_CTX* cctx = NULL;
|
||||
WOLFSSL_CTX* sctx = NULL;
|
||||
WOLFSSL* c = NULL;
|
||||
WOLFSSL* s = NULL;
|
||||
membuf c2s; /* client writes, server reads */
|
||||
membuf s2c; /* server writes, client reads */
|
||||
int i, cdone = 0, sdone = 0, ret = 1;
|
||||
int cret = WOLFSSL_FATAL_ERROR, sret = WOLFSSL_FATAL_ERROR;
|
||||
const char* cipher = (argc > 1) ? argv[1] : "-";
|
||||
const char* group = (argc > 2) ? argv[2] : "-";
|
||||
int mlkemGroup[1];
|
||||
#ifdef WOLFSSL_TINY_TLS13_CERT
|
||||
const char* certDir = (argc > 3) ? argv[3] : "../certs";
|
||||
char sCert[300];
|
||||
char sKey[300];
|
||||
char cCa[300];
|
||||
#endif
|
||||
|
||||
XMEMSET(&c2s, 0, sizeof(c2s));
|
||||
XMEMSET(&s2c, 0, sizeof(s2c));
|
||||
|
||||
wolfSSL_Init();
|
||||
|
||||
cctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
|
||||
sctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method());
|
||||
if (cctx == NULL || sctx == NULL) {
|
||||
printf("smoke: CTX_new failed\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* Force a specific suite when asked, so an adder config proves its cipher
|
||||
* negotiates: a single-suite list means a completed handshake used it. */
|
||||
if (cipher[0] != '\0' && cipher[0] != '-') {
|
||||
wolfSSL_CTX_set_cipher_list(cctx, cipher);
|
||||
wolfSSL_CTX_set_cipher_list(sctx, cipher);
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_TINY_TLS13_CERT
|
||||
/* Server presents a P-256 ECDSA leaf; the client validates it against the
|
||||
* CA. The leaf is signed by the CA whose algorithm this profile verifies,
|
||||
* so a completed handshake drives that verify path (ECDSA, ML-DSA-65, or
|
||||
* RSA-PSS). */
|
||||
#if defined(WOLFSSL_HAVE_MLDSA)
|
||||
XSNPRINTF(sCert, sizeof(sCert), "%s/mldsa/ecc-leaf-mldsa65.pem", certDir);
|
||||
XSNPRINTF(cCa, sizeof(cCa), "%s/mldsa/mldsa65-cert.pem", certDir);
|
||||
#elif defined(WOLFSSL_TINY_TLS13_RSA_VERIFY)
|
||||
XSNPRINTF(sCert, sizeof(sCert), "%s/rsapss/ecc-leaf-rsapss.pem", certDir);
|
||||
XSNPRINTF(cCa, sizeof(cCa), "%s/rsapss/ca-rsapss.pem", certDir);
|
||||
#else
|
||||
XSNPRINTF(sCert, sizeof(sCert), "%s/server-ecc.pem", certDir);
|
||||
XSNPRINTF(cCa, sizeof(cCa), "%s/ca-ecc-cert.pem", certDir);
|
||||
#endif
|
||||
XSNPRINTF(sKey, sizeof(sKey), "%s/ecc-key.pem", certDir);
|
||||
if (wolfSSL_CTX_use_certificate_file(sctx, sCert, WOLFSSL_FILETYPE_PEM)
|
||||
!= WOLFSSL_SUCCESS ||
|
||||
wolfSSL_CTX_use_PrivateKey_file(sctx, sKey, WOLFSSL_FILETYPE_PEM)
|
||||
!= WOLFSSL_SUCCESS ||
|
||||
wolfSSL_CTX_load_verify_locations(cctx, cCa, NULL)
|
||||
!= WOLFSSL_SUCCESS) {
|
||||
printf("smoke: cert load failed (certDir=%s)\n", certDir);
|
||||
goto done;
|
||||
}
|
||||
#else
|
||||
wolfSSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
|
||||
wolfSSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
|
||||
#endif
|
||||
|
||||
wolfSSL_CTX_SetIORecv(cctx, mem_recv);
|
||||
wolfSSL_CTX_SetIOSend(cctx, mem_send);
|
||||
wolfSSL_CTX_SetIORecv(sctx, mem_recv);
|
||||
wolfSSL_CTX_SetIOSend(sctx, mem_send);
|
||||
|
||||
c = wolfSSL_new(cctx);
|
||||
s = wolfSSL_new(sctx);
|
||||
if (c == NULL || s == NULL) {
|
||||
printf("smoke: SSL_new failed\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
/* Restrict to the ML-KEM hybrid key share when asked, so a completed
|
||||
* handshake proves the hybrid KEX was negotiated. */
|
||||
if (XSTRCMP(group, "mlkem") == 0) {
|
||||
mlkemGroup[0] = WOLFSSL_X25519MLKEM768;
|
||||
wolfSSL_set_groups(c, mlkemGroup, 1);
|
||||
wolfSSL_set_groups(s, mlkemGroup, 1);
|
||||
}
|
||||
|
||||
/* client reads s2c, writes c2s; server reads c2s, writes s2c */
|
||||
wolfSSL_SetIOReadCtx(c, &s2c);
|
||||
wolfSSL_SetIOWriteCtx(c, &c2s);
|
||||
wolfSSL_SetIOReadCtx(s, &c2s);
|
||||
wolfSSL_SetIOWriteCtx(s, &s2c);
|
||||
|
||||
for (i = 0; i < 50 && !(cdone && sdone); i++) {
|
||||
if (!cdone) {
|
||||
cret = wolfSSL_connect(c);
|
||||
if (cret == WOLFSSL_SUCCESS)
|
||||
cdone = 1;
|
||||
}
|
||||
if (!sdone) {
|
||||
sret = wolfSSL_accept(s);
|
||||
if (sret == WOLFSSL_SUCCESS)
|
||||
sdone = 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (cdone && sdone &&
|
||||
XSTRCMP(wolfSSL_get_version(c), "TLSv1.3") == 0) {
|
||||
printf("tinytls13 handshake OK: %s %s\n",
|
||||
wolfSSL_get_version(c), wolfSSL_get_cipher(c));
|
||||
ret = 0;
|
||||
}
|
||||
else {
|
||||
printf("tinytls13 handshake FAILED (client err %d, server err %d)\n",
|
||||
wolfSSL_get_error(c, cret), wolfSSL_get_error(s, sret));
|
||||
}
|
||||
|
||||
done:
|
||||
wolfSSL_free(c);
|
||||
wolfSSL_free(s);
|
||||
wolfSSL_CTX_free(cctx);
|
||||
wolfSSL_CTX_free(sctx);
|
||||
wolfSSL_Cleanup();
|
||||
return ret;
|
||||
}
|
||||
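Review bot: The return values of `wolfSSL_CTX_set_cipher_list()` and `wolfSSL_set_groups()` in `main` are ignored, so a build that does not support the requested suite or the ML-KEM hybrid group can, as far as this file shows, keep its defaults, complete the handshake and still print OK. That defeats the stated purpose of the cipher and `mlkem` arguments, which is to prove that a specific suite or key share was negotiated; the final check compares only the protocol version. Both calls should fail the test when they do not return `WOLFSSL_SUCCESS`. Separately, the header comment says the cert directory is passed as argv[1], but the code reads it from argv[3] (argv[1] is the cipher, argv[2] the group), so the comment should be corrected to match.

```c
    if (cipher[0] != '\0' && cipher[0] != '-') {
        if (wolfSSL_CTX_set_cipher_list(cctx, cipher) != WOLFSSL_SUCCESS ||
            wolfSSL_CTX_set_cipher_list(sctx, cipher) != WOLFSSL_SUCCESS) {
            printf("smoke: set_cipher_list failed (%s)\n", cipher);
            goto done;
        }
    }

    /* … unchanged: cert / PSK setup, IO callbacks, wolfSSL_new … */

    if (XSTRCMP(group, "mlkem") == 0) {
        mlkemGroup[0] = WOLFSSL_X25519MLKEM768;
        if (wolfSSL_set_groups(c, mlkemGroup, 1) != WOLFSSL_SUCCESS ||
            wolfSSL_set_groups(s, mlkemGroup, 1) != WOLFSSL_SUCCESS) {
            printf("smoke: set_groups failed (%s)\n", group);
            goto done;
        }
    }
```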
@@ -47,7 +47,9 @@ extern "C" {
|
||||
#if 1 /* Profile A: PSK + ECDHE floor, no X.509 (smallest) */
|
||||
#define WOLFSSL_TINY_TLS13
|
||||
#endif
|
||||
#if 0 /* Profile B: + minimal X.509 cert verify (ECDSA P-256). Implies core. */
|
||||
#if 0 /* Profile B: + minimal X.509 cert verify (ECDSA P-256). Implies core.
|
||||
* Reduced-security verify: no name constraints, relaxed ASN, no CRL.
|
||||
* For a known or pinned CA, not general public-internet PKI. */
|
||||
#define WOLFSSL_TINY_TLS13_CERT
|
||||
#endif
|
||||
|
||||
@@ -63,10 +65,16 @@ extern "C" {
|
||||
#endif
|
||||
|
||||
/* ===== MEMORY MODEL ===================================================== */
|
||||
#if 0 /* zero-heap: static memory pool, no system malloc (deterministic RAM).
|
||||
* App provides the pool via wolfSSL_CTX_load_static_memory(). */
|
||||
#if 0 /* static memory pool for TLS allocations (deterministic RAM, no
|
||||
* fragmentation). App provides the pool via
|
||||
* wolfSSL_CTX_load_static_memory(). Keeps the malloc fallback. */
|
||||
#define WOLFSSL_TINY_TLS13_STATIC_MEM
|
||||
#endif
|
||||
#if 0 /* true zero-heap: forbid all system malloc. Opt-in because it removes
|
||||
* the allocator the standard test suite relies on. Pair with the
|
||||
* static memory pool above. */
|
||||
#define WOLFSSL_NO_MALLOC
|
||||
#endif
|
||||
|
||||
/* ===== SPEED ============================================================ */
|
||||
#if 0 /* tiny+fast: assembly crypto instead of small-C (size up, speed up) */
|
||||
@@ -95,11 +103,17 @@ extern "C" {
|
||||
#endif
|
||||
|
||||
/* ===== PQC ADDERS (valid on either profile; SHA-3/SHAKE pulled in auto) = */
|
||||
#if 0 /* ML-DSA-65 verify-only */
|
||||
#if 0 /* ML-DSA-65 verify-only. Use with the cert profile (Profile B) for TLS
|
||||
* auth: the PSK floor has no certificate to verify, so on Profile A
|
||||
* this only confirms the umbrella builds. */
|
||||
#define WOLFSSL_HAVE_MLDSA
|
||||
#define WOLFSSL_DILITHIUM_VERIFY_ONLY
|
||||
#define WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM
|
||||
#define WOLFSSL_DILITHIUM_NO_ASN1
|
||||
#ifndef WOLFSSL_TINY_TLS13_CERT
|
||||
/* PSK floor never parses a cert; the cert profile needs ML-DSA ASN.1
|
||||
* to decode and verify ML-DSA certificates, so keep it there. */
|
||||
#define WOLFSSL_DILITHIUM_NO_ASN1
|
||||
#endif
|
||||
#define WOLFSSL_NO_ML_DSA_44
|
||||
#define WOLFSSL_NO_ML_DSA_87
|
||||
#endif
|
||||
|
||||
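Review bot: In the MEMORY MODEL hunk, the new `WOLFSSL_NO_MALLOC` toggle tells the user to pair it with the static pool, but nothing stops a build that turns it on while `WOLFSSL_TINY_TLS13_STATIC_MEM` is still `#if 0`. Going by the comment's own wording, that combination leaves the TLS code without an allocator unless the application supplies its own hooks, and it would show up as runtime allocation failures rather than at build time. A compile-time guard placed right after the two toggles would catch it: `#if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_TINY_TLS13_STATIC_MEM)` / `#error "WOLFSSL_NO_MALLOC needs WOLFSSL_TINY_TLS13_STATIC_MEM"` / `#endif`.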
@@ -121,8 +121,8 @@ void echoclient_test(void* args)
|
||||
#ifdef WOLFSSL_LEANPSK
|
||||
doPSK = 1;
|
||||
#endif
|
||||
#if defined(NO_RSA) && !defined(HAVE_ECC) && !defined(HAVE_ED25519) && \
|
||||
!defined(HAVE_ED448)
|
||||
#if defined(NO_CERTS) || (defined(NO_RSA) && !defined(HAVE_ECC) && \
|
||||
!defined(HAVE_ED25519) && !defined(HAVE_ED448))
|
||||
doPSK = 1;
|
||||
#endif
|
||||
(void)doPSK;
|
||||
@@ -146,7 +146,7 @@ void echoclient_test(void* args)
|
||||
#endif
|
||||
ctx = SSL_CTX_new(method);
|
||||
|
||||
#ifndef NO_FILESYSTEM
|
||||
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
|
||||
#ifndef NO_RSA
|
||||
if (SSL_CTX_load_verify_locations(ctx, caCertFile, 0) != WOLFSSL_SUCCESS)
|
||||
err_sys("can't load ca file, Please run from wolfSSL home dir");
|
||||
|
||||
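Review bot: The condition that forces `doPSK = 1` in the first hunk now exists in two differently shaped copies and neither says why `NO_CERTS` implies PSK. Here it is `NO_CERTS || (no signature algorithm)` with `WOLFSSL_LEANPSK` handled in a separate block just above, while echoserver_test folds all three terms into one `#if` in a different order. A one-line comment above the `#if`, `/* NO_CERTS: no certificate auth is compiled in, so PSK is the only way to authenticate */`, would make the intent explicit, and using the same operand order in both examples would make later edits easier to keep in sync. The body of echoclient_test continues outside both hunks.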
@@ -123,8 +123,9 @@ THREAD_RETURN WOLFSSL_THREAD echoserver_test(void* args)
|
||||
|
||||
((func_args*)args)->return_code = -1; /* error state */
|
||||
|
||||
#if (defined(NO_RSA) && !defined(HAVE_ECC) && !defined(HAVE_ED25519) && \
|
||||
!defined(HAVE_ED448)) || defined(WOLFSSL_LEANPSK)
|
||||
#if defined(NO_CERTS) || defined(WOLFSSL_LEANPSK) || \
|
||||
(defined(NO_RSA) && !defined(HAVE_ECC) && !defined(HAVE_ED25519) && \
|
||||
!defined(HAVE_ED448))
|
||||
doPSK = 1;
|
||||
#else
|
||||
doPSK = 0;
|
||||
@@ -178,7 +179,7 @@ THREAD_RETURN WOLFSSL_THREAD echoserver_test(void* args)
|
||||
|
||||
#ifndef NO_FILESYSTEM
|
||||
if (doPSK == 0) {
|
||||
#if defined(HAVE_ECC) && !defined(WOLFSSL_SNIFFER)
|
||||
#if defined(HAVE_ECC) && !defined(NO_CERTS) && !defined(WOLFSSL_SNIFFER)
|
||||
/* ecc */
|
||||
if (wolfSSL_CTX_use_certificate_file(ctx, eccCertFile, CERT_FILETYPE)
|
||||
!= WOLFSSL_SUCCESS)
|
||||
@@ -189,7 +190,7 @@ THREAD_RETURN WOLFSSL_THREAD echoserver_test(void* args)
|
||||
!= WOLFSSL_SUCCESS)
|
||||
err_sys("can't load server key file, "
|
||||
"Please run from wolfSSL home dir");
|
||||
#elif defined(HAVE_ED25519) && !defined(WOLFSSL_SNIFFER)
|
||||
#elif defined(HAVE_ED25519) && !defined(NO_CERTS) && !defined(WOLFSSL_SNIFFER)
|
||||
/* ed25519 */
|
||||
if (wolfSSL_CTX_use_certificate_chain_file(ctx, edCertFile)
|
||||
!= WOLFSSL_SUCCESS)
|
||||
@@ -200,7 +201,7 @@ THREAD_RETURN WOLFSSL_THREAD echoserver_test(void* args)
|
||||
!= WOLFSSL_SUCCESS)
|
||||
err_sys("can't load server key file, "
|
||||
"Please run from wolfSSL home dir");
|
||||
#elif defined(HAVE_ED448) && !defined(WOLFSSL_SNIFFER)
|
||||
#elif defined(HAVE_ED448) && !defined(NO_CERTS) && !defined(WOLFSSL_SNIFFER)
|
||||
/* ed448 */
|
||||
if (wolfSSL_CTX_use_certificate_chain_file(ctx, ed448CertFile)
|
||||
!= WOLFSSL_SUCCESS)
|
||||
|
||||
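Review bot: Adding `!defined(NO_CERTS)` to each of the three certificate branches (`HAVE_ECC`, `HAVE_ED25519`, `HAVE_ED448`) repeats one condition three times, and any further branch of this `#if`/`#elif` chain that lies outside the hunks has to be kept consistent by hand. The first hunk already sets `doPSK = 1` under `NO_CERTS`, so the `if (doPSK == 0)` block is presumably dead in that build. A single `#ifndef NO_CERTS` around the whole block would state the rule once, provided nothing else inside the block has to survive a `NO_CERTS` build, which cannot be seen from here. The chain's remaining branches and the end of the block are outside the hunks.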
+2
-1
@@ -7177,7 +7177,8 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
|
||||
ssl->eccTempKeySz = ctx->eccTempKeySz;
|
||||
ssl->ecdhCurveOID = ctx->ecdhCurveOID;
|
||||
#endif
|
||||
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
|
||||
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
|
||||
defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA)
|
||||
ssl->pkCurveOID = ctx->pkCurveOID;
|
||||
#endif
|
||||
|
||||
|
||||
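Review bot: The guard around `pkCurveOID` is now a five-macro list that has to be kept identical by hand in at least four places touched by this commit: this copy in SetSSL_CTX, the setter in ProcessBufferCertSetHave (ssl_load.c), and the member declarations in struct WOLFSSL_CTX and struct WOLFSSL (internal.h). The lists already differ, since the struct WOLFSSL guard also contains `HAVE_CURVE448`, and a missing entry in one copy is exactly the compile failure this commit fixes. Defining one feature macro next to the member declaration, for example `#define HAVE_PK_CURVE_OID` (placeholder name) under the full list, and testing only that macro at each use site would remove the drift.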
+2
-1
@@ -1590,7 +1590,8 @@ static void ProcessBufferCertSetHave(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
|
||||
|
||||
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
|
||||
defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA) || !defined(NO_RSA)
|
||||
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
|
||||
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
|
||||
defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA)
|
||||
/* Set the private key curve OID. */
|
||||
if (ssl != NULL) {
|
||||
ssl->pkCurveOID = cert->pkCurveOID;
|
||||
|
||||
+3
-2
@@ -10802,8 +10802,9 @@ static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
}
|
||||
#endif
|
||||
|
||||
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
|
||||
defined(HAVE_ED448)
|
||||
#if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
|
||||
defined(HAVE_ED448) || defined(HAVE_FALCON) || \
|
||||
defined(WOLFSSL_HAVE_MLDSA)) && !defined(NO_CERTS)
|
||||
|
||||
typedef struct Dcv13Args {
|
||||
byte* output; /* not allocated */
|
||||
|
||||
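Review bot: The widened `#if` that now guards Dcv13Args carries no comment explaining the new `!defined(NO_CERTS)` term, and its matching `#endif` is outside this hunk. A short comment above it, `/* CertificateVerify is only handled when certificate auth is compiled in */`, would document the intent. Because the handler disappears entirely in PSK-only builds, it is also worth confirming at the call site, which is not visible here, that a CertificateVerify message sent by a peer is rejected as unexpected in that configuration, ideally with a negative case in the smoke test.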
+4
-2
@@ -4152,7 +4152,8 @@ struct WOLFSSL_CTX {
|
||||
#ifdef HAVE_ECC
|
||||
word16 eccTempKeySz; /* in octets 20 - 66 */
|
||||
#endif
|
||||
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
|
||||
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
|
||||
defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA)
|
||||
word32 pkCurveOID; /* curve Ecc_Sum */
|
||||
#endif
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
@@ -6267,7 +6268,8 @@ struct WOLFSSL {
|
||||
byte peerEccDsaKeyPresent;
|
||||
#endif
|
||||
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || \
|
||||
defined(HAVE_CURVE448) || defined(HAVE_ED448)
|
||||
defined(HAVE_CURVE448) || defined(HAVE_ED448) || \
|
||||
defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA)
|
||||
word32 pkCurveOID; /* curve Ecc_Sum */
|
||||
#endif
|
||||
#ifdef HAVE_ED25519
|
||||
|
||||
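Review bot: The member comment `/* curve Ecc_Sum */` is left unchanged in both struct hunks although the guard now also admits Falcon and ML-DSA builds, which have no ECC curve. The ssl_load.c hunk shows the field being set from `cert->pkCurveOID` under the same widened guard, but what value it carries for those key types is not visible on this page. I would update both comments to something like `word32 pkCurveOID; /* key curve OID (Ecc_Sum); also set for Falcon/ML-DSA keys */` once the exact meaning for the PQC case has been confirmed.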
@@ -1979,10 +1979,16 @@
|
||||
#define HAVE_AESGCM
|
||||
#undef WOLFSSL_AES_128
|
||||
#define WOLFSSL_AES_128
|
||||
#undef NO_AES_192
|
||||
#define NO_AES_192
|
||||
#undef NO_AES_256
|
||||
#define NO_AES_256
|
||||
/* Floor is AES-128 only, but let a user adder (WOLFSSL_AES_192 /
|
||||
* WOLFSSL_AES_256) opt back in; user_settings.h is processed before this. */
|
||||
#ifndef WOLFSSL_AES_192
|
||||
#undef NO_AES_192
|
||||
#define NO_AES_192
|
||||
#endif
|
||||
#ifndef WOLFSSL_AES_256
|
||||
#undef NO_AES_256
|
||||
#define NO_AES_256
|
||||
#endif
|
||||
#undef GCM_SMALL
|
||||
#define GCM_SMALL
|
||||
/* Small AES tables at the size-first headline; fast AES with the asm toggle. */
|
||||
@@ -1996,6 +2002,13 @@
|
||||
#define WOLFSSL_NOSHA512_224
|
||||
#undef WOLFSSL_NOSHA512_256
|
||||
#define WOLFSSL_NOSHA512_256
|
||||
/* Floor is SHA-256. SHA-384/512 share the large SHA-512 core; keep them out
|
||||
* unless asked (the sha384 adder defines WOLFSSL_SHA384). This matches the
|
||||
* configure path so both build methods give the same SHA-256 floor. */
|
||||
#if !defined(WOLFSSL_SHA384) && !defined(WOLFSSL_SHA512)
|
||||
#undef NO_SHA512
|
||||
#define NO_SHA512
|
||||
#endif
|
||||
|
||||
/* Strip legacy / unused algorithms. */
|
||||
#undef NO_DSA
|
||||
@@ -2031,14 +2044,15 @@
|
||||
#define NO_WOLFSSL_SERVER
|
||||
#endif
|
||||
|
||||
/* Optional zero-heap: serve all memory from a caller-provided static pool,
|
||||
* with no system malloc at all (deterministic RAM, no fragmentation).
|
||||
* Requires wolfSSL_CTX_load_static_memory() at runtime. */
|
||||
/* Optional static memory: serve TLS allocations from a caller-provided
|
||||
* static pool (deterministic RAM, no fragmentation). Requires
|
||||
* wolfSSL_CTX_load_static_memory() at runtime. For a true zero-heap build
|
||||
* (no system malloc at all), also define WOLFSSL_NO_MALLOC in your
|
||||
* user_settings; that is left opt-in because it removes the allocator the
|
||||
* standard test suite relies on. */
|
||||
#ifdef WOLFSSL_TINY_TLS13_STATIC_MEM
|
||||
#undef WOLFSSL_STATIC_MEMORY
|
||||
#define WOLFSSL_STATIC_MEMORY
|
||||
#undef WOLFSSL_NO_MALLOC
|
||||
#define WOLFSSL_NO_MALLOC
|
||||
#endif
|
||||
|
||||
/* Profile A: no X.509 at all (the cert variant keeps ASN/certs). */
|
||||
|
||||
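Review bot: In the last hunk, `WOLFSSL_TINY_TLS13_STATIC_MEM` no longer defines `WOLFSSL_NO_MALLOC`, so a build that already set only that macro silently changes from zero-heap to static pool plus system malloc. The rewritten comment still promises "deterministic RAM, no fragmentation" without qualification; with the system allocator available again, that presumably holds only while the pool covers every allocation. I would qualify the wording, e.g. `* static pool (RAM use is deterministic only together with WOLFSSL_NO_MALLOC). Requires`, and call out the behaviour change for existing users in the release notes.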