Add inline documentation for missing macros and fix spelling errors

David Garske
2026-03-16 17:03:10 -07:00
parent b5c532703a
commit 4c75a866d9
25 changed files with 1019 additions and 213 deletions
-6
@@ -270,7 +270,6 @@ HAVE_COLDFIRE_SEC
HAVE_CRL_UPDATE_CB
HAVE_CSHARP
HAVE_CURL
HAVE_CURVE22519
HAVE_DANE
HAVE_ECC239
HAVE_ECC320
@@ -278,7 +277,6 @@ HAVE_ECC512
HAVE_ECC_CDH_CAST
HAVE_ECC_SM2
HAVE_ESP_CLK
HAVE_FACON
HAVE_FIPS_VERSION_PORT
HAVE_FUZZER
HAVE_INTEL_MULX
@@ -690,7 +688,6 @@ WOLFSSL_ALT_NAMES_NO_REV
WOLFSSL_ARMASM_NEON_NO_TABLE_LOOKUP
WOLFSSL_ARM_ARCH_NEON_64BIT
WOLFSSL_ASCON_UNROLL
WOLFSSL_ASNC_CRYPT
WOLFSSL_ASN_EXTRA
WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
WOLFSSL_ASN_TEMPLATE_TYPE_CHECK
@@ -808,7 +805,6 @@ WOLFSSL_NONBLOCK_OCSP
WOLFSSL_NOSHA3_384
WOLFSSL_NOT_WINDOWS_API
WOLFSSL_NO_BIO_ADDR_IN
WOLFSSL_NO_CLIENT
WOLFSSL_NO_CLIENT_CERT_ERROR
WOLFSSL_NO_COPY_CERT
WOLFSSL_NO_COPY_KEY
@@ -889,13 +885,11 @@ WOLFSSL_SE050_NO_TRNG
WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
WOLFSSL_SERVER_EXAMPLE
WOLFSSL_SETTINGS_FILE
WOLFSSL_SH224
WOLFSSL_SHA256_ALT_CH_MAJ
WOLFSSL_SHA512_HASHTYPE
WOLFSSL_SHUTDOWNONCE
WOLFSSL_SILABS_TRNG
WOLFSSL_SLHDSA_FULL_HASH
WOLFSSL_SM4_EBC
WOLFSSL_SNIFFER_NO_RECOVERY
WOLFSSL_SP_ARM32_UDIV
WOLFSSL_SP_FAST_NCT_EXPTMOD
+125 -64
@@ -22,72 +22,133 @@
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
/*
* WOLFSSL_SMALL_CERT_VERIFY:
* Verify the certificate signature without using DecodedCert. Doubles up
* on some code but allows smaller peak heap memory usage.
* Cannot be used with WOLFSSL_NONBLOCK_OCSP.
* WOLFSSL_ALT_CERT_CHAINS:
* Allows CA's to be presented by peer, but not part of a valid chain.
* Default wolfSSL behavior is to require validation of all presented peer
* certificates. This also allows loading intermediate CA's as trusted
* and ignoring no signer failures for CA's up the chain to root.
* WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT:
* Enable resending the previous DTLS handshake flight only on a network
* read timeout. By default we resend in two more cases, when we receive:
* - an out of order last msg of the peer's flight
* - a duplicate of the first msg from the peer's flight
* internal.c Build Options:
*
* See also: tls.c for TLS extension/protocol options, tls13.c for TLS 1.3,
* ssl.c for SSL API layer, wc_port.c for platform/memory.
*
* Connection & Buffers:
* LARGE_STATIC_BUFFERS: Use large static I/O buffers default: on
* WOLFSSL_DISABLE_EARLY_SANITY_CHECKS:
* Disable early sanity checks on TLS messages default: off
* WOLFSSL_NO_DTLS_SIZE_CHECK: Disable DTLS record size validation default: off
*
* Cipher Suite Selection:
* NO_CHAPOL_AEAD: Disable ChaCha20-Poly1305 AEAD suites default: off
* WOLFSSL_OLDTLS_AEAD_CIPHERSUITES:
* Enable AEAD cipher suites for pre-TLS 1.2 default: off
* WOLFSSL_OLDTLS_SHA2_CIPHERSUITES:
* Enable SHA-2 cipher suites for pre-TLS 1.2 default: off
* WOLFSSL_NO_STRICT_CIPHER_SUITE:
* Relax strict cipher suite validation default: off
* NO_RESUME_SUITE_CHECK: Skip cipher suite check on resume default: off
* NO_FORCE_SCR_SAME_SUITE: Allow different suite in renegotiation default: off
* CIPHER_NONCE: Per-record cipher nonce for AEAD default: off
*
* Certificate Validation:
* WOLFSSL_SMALL_CERT_VERIFY: Verify cert sig without DecodedCert default: off
* WOLFSSL_ALT_CERT_CHAINS: Allow non-validated intermediate CAs default: off
* NO_CHECK_PRIVATE_KEY: Skip key/cert matching validation default: off
* WOLFSSL_VERIFY_CB_ALL_CERTS:
* Call verify callback for all chain certs default: off
* WOLFSSL_ALWAYS_VERIFY_CB: Always invoke verify callback default: off
* WOLFSSL_ALLOW_NO_CN_IN_SAN: Allow certs with SAN but no CN default: off
* WOLFSSL_TRUST_PEER_CERT: Direct trust of specific peer certs default: off
* WOLFSSL_LOCAL_X509_STORE: Per-context X509 store default: off
* WOLFSSL_APPLE_NATIVE_CERT_VALIDATION:
* Use Apple native cert validation on macOS/iOS default: off
* WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION:
* Testing mode for Apple cert validation default: off
* HAVE_DANE: DNS-based cert validation (DNSSEC) default: off
* HAVE_FALLBACK_SCSV: TLS Fallback SCSV anti-downgrade default: off
* WOLFSSL_ACERT: Attribute certificate support default: off
* WOLFSSL_DEBUG_CERTS: Debug logging for cert processing default: off
* WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY:
* Verify hostname using SAN only (not CN) default: off
*
* Handshake Behavior:
* OLD_HELLO_ALLOWED: Allow SSLv2-format ClientHello default: off
* WOLFSSL_ALTERNATIVE_DOWNGRADE:
* Alternative protocol downgrade detection default: off
* WOLFSSL_OLD_TIMINGPADVERIFY:
* Old timing-based CBC padding verification default: off
* WOLFSSL_ECDSA_MATCH_HASH: Match ECDSA hash to curve preference default: off
* WOLFSSL_STRONGEST_HASH_SIG: Prefer strongest hash in signatures default: off
* USE_ECDSA_KEYSZ_HASH_ALGO: Select ECDSA hash by key size default: off
* WOLFSSL_ALLOW_TLS_SHA1: Allow SHA-1 cipher suites/signatures default: off
* WOLFSSL_EXTRA_ALERTS: Send additional TLS alert messages default: off
* WOLFSSL_NO_ETM_ALERT: No alert on Encrypt-Then-MAC failure default: off
*
* Secure Renegotiation & PSK:
* WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT:
* Enable secure renegotiation by default default: off
* WOLFSSL_PSK_IDENTITY_ALERT: Alert on PSK identity lookup failure default: off
*
* Session Tickets:
* WOLFSSL_NO_DEF_TICKET_ENC_CB:
* No default ticket encryption callback.
* Server only.
* Application must set its own callback to use session tickets.
* WOLFSSL_TICKET_ENC_CHACHA20_POLY1305
* Use ChaCha20-Poly1305 to encrypt/decrypt session tickets in default
* callback. Default algorithm if none defined and algorithms compiled in.
* Server only.
* WOLFSSL_TICKET_ENC_AES128_GCM
* Use AES128-GCM to encrypt/decrypt session tickets in default callback.
* Server only. Default algorithm if ChaCha20/Poly1305 not compiled in.
* WOLFSSL_TICKET_ENC_AES256_GCM
* Use AES256-GCM to encrypt/decrypt session tickets in default callback.
* Server only.
* WOLFSSL_TICKET_DECRYPT_NO_CREATE
* Default callback will not request creation of new ticket on successful
* decryption.
* Server only.
* WOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE
* Once a normal TLS 1.3 handshake is complete, a session ticket message
* may be received by a client. To support detecting this, peek will
* return WOLFSSL_ERROR_WANT_READ.
* This define turns off this behaviour.
* WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
* Verify hostname/ip address using alternate name (SAN) only and do not
* use the common name. Forces use of the alternate name, so certificates
* missing SAN will be rejected during the handshake
* WOLFSSL_CHECK_SIG_FAULTS
* Verifies the ECC signature after signing in case of faults in the
* calculation of the signature. Useful when signature fault injection is a
* possible attack.
* WOLFSSL_TLS13_IGNORE_AEAD_LIMITS
* Ignore the AEAD limits for messages specified in the RFC. After
* reaching the limit, we initiate a key update. We enforce the AEAD limits
* by default.
* https://www.rfc-editor.org/rfc/rfc8446#section-5.5
* https://www.rfc-editor.org/rfc/rfc9147.html#name-aead-limits
* WOLFSSL_HARDEN_TLS
* Implement the recommendations specified in RFC9325. This macro needs to
* be defined to the desired number of bits of security. The currently
* implemented values are 112 and 128 bits. The following macros disable
* certain checks.
* - WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC
* - WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS
* - WOLFSSL_HARDEN_TLS_NO_SCR_CHECK
* - WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK
* - WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES
* WOLFSSL_NO_INIT_CTX_KEY
* Allows SSL objects to be created from a CTX without a loaded key/cert
* pair
* No default ticket encryption callback default: off
* WOLFSSL_TICKET_ENC_CHACHA20_POLY1305:
* ChaCha20-Poly1305 for ticket encryption default: auto
* WOLFSSL_TICKET_ENC_AES128_GCM:
* AES128-GCM for ticket encryption default: auto
* WOLFSSL_TICKET_ENC_AES256_GCM:
* AES256-GCM for ticket encryption default: off
* WOLFSSL_TICKET_DECRYPT_NO_CREATE:
* No new ticket on successful decryption default: off
* WOLFSSL_TICKET_ENC_CBC_HMAC:
* CBC+HMAC for ticket encryption (non-AEAD) default: off
* WOLFSSL_NO_TICKET_EXPIRE: Disable ticket expiration checking default: off
*
* TLS 1.3 Internals:
* WOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC:
* Ignore plaintext alerts when encrypted expected default: off
* WOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE:
* Disable peek returning WANT_READ for tickets default: off
* WOLFSSL_TLS13_IGNORE_AEAD_LIMITS:
* Ignore AEAD message limits from RFC 8446 default: off
* WOLFSSL_DTLS13_SEND_MOREACK_DEFAULT:
* Send more ACKs by default in DTLS 1.3 default: off
*
* DTLS:
* WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT:
* Resend previous flight only on timeout default: off
* WOLFSSL_DTLS_DISALLOW_FUTURE:
* Reject DTLS records with future epoch default: off
* WOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS:
* When defined, allows DTLS records to span across multiple datagrams.
* Allow DTLS records to span datagrams default: off
* WOLFSSL_DEBUG_DTLS: Debug logging for DTLS operations default: off
*
* Session Export:
* WOLFSSL_SESSION_EXPORT: Enable session export/import default: off
* WOLFSSL_SESSION_EXPORT_DEBUG:
* Debug logging for session export/import default: off
* WOLFSSL_SESSION_EXPORT_NOPEER:
* Export sessions without peer cert info default: off
*
* Compatibility Layers:
* WOLFSSL_MYSQL_COMPATIBLE: MySQL protocol compatibility default: off
* WOLFSSL_OPENVPN: OpenVPN compatibility behaviors default: off
*
* Async & Non-blocking:
* WOLFSSL_ASYNC_CRYPT_SW: Software async crypto simulation default: off
* WC_X25519_NONBLOCK: Non-blocking X25519 operations default: off
* HAVE_WOLF_EVENT: Event-driven async processing default: off
*
* Hardware/Platform TLS:
* WOLFSSL_MAXQ10XX_TLS: Maxim MAXQ10xx secure element default: off
* WOLFSSL_IOTSAFE: IoTSAFE (GSMA) applet support default: off
* WOLFSSL_QNX_CAAM: QNX CAAM crypto module support default: off
* HAVE_DH_DEFAULT_PARAMS: Include default DH parameters default: off
* HAVE_EXT_CACHE: External session cache callbacks default: off
*
* Hardening:
* WOLFSSL_HARDEN_TLS: Implement RFC 9325 recommendations default: off
* WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC: Allow truncated HMAC
* WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS: Allow old TLS versions
* WOLFSSL_HARDEN_TLS_NO_SCR_CHECK: No SCR check
* WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK: No public key check
* WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES: Allow all suites
* WOLFSSL_NO_INIT_CTX_KEY: Allow SSL objects without loaded keys default: off
*/
#ifndef WOLFCRYPT_ONLY
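Review bot: The condensed `WOLFSSL_HARDEN_TLS` entry in the Hardening group no longer says that the macro has to be defined to a security strength, which the earlier wording on this page did ("needs to be defined to the desired number of bits of security", implemented values 112 and 128), and the five sub-macros are no longer described as disabling checks. With `default: off` next to it, the entry now reads like a plain on/off switch. I would keep the one-line format but restore the value, e.g. `WOLFSSL_HARDEN_TLS: RFC 9325 hardening; define to 112 or 128 (bits of security)`, and put `The following macros disable individual hardening checks:` above the sub-macros. The same rewrite appears to drop the note that `WOLFSSL_SMALL_CERT_VERIFY` cannot be used with `WOLFSSL_NONBLOCK_OCSP`, and the statement that the AEAD limits are enforced by default together with its two RFC links; those constraints are worth carrying over.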
+116 -21
@@ -153,26 +153,121 @@
#endif /* !WOLFCRYPT_ONLY || OPENSSL_EXTRA */
/*
* ssl.c Build Options:
*
* See also: tls.c for TLS extension/protocol options, tls13.c for TLS 1.3,
* internal.c for handshake internals, wc_port.c for platform/memory.
*
* OpenSSL Compatibility:
* OPENSSL_EXTRA: Enable OpenSSL compatibility API default: off
* OPENSSL_ALL: Enable all OpenSSL compat APIs default: off
* OPENSSL_EXTRA_X509_SMALL: Minimal OpenSSL X509 compat APIs default: off
* OPENSSL_EXTRA_NO_ASN1: OpenSSL extra without ASN1 objects default: off
* OPENSSL_COMPATIBLE_DEFAULTS:
* Enable default behaviour that is compatible with OpenSSL. For example
* SSL_CTX by default doesn't verify the loaded certs. Enabling this
* should make porting to new projects easier.
* WOLFSSL_CHECK_ALERT_ON_ERR:
* Check for alerts during the handshake in the event of an error.
* NO_SESSION_CACHE_REF:
* wolfSSL_get_session on a client will return a reference to the internal
* ClientCache by default for backwards compatibility. This define will
* make wolfSSL_get_session return a reference to ssl->session. The returned
* pointer will be freed with the related WOLFSSL object.
* SESSION_CACHE_DYNAMIC_MEM:
* Dynamically allocate sessions for the session cache from the heap, as
* opposed to the default which allocates from the stack. Allocates
* memory only when a session is added to the cache, frees memory after the
* session is no longer being used. Recommended for memory-constrained
* systems.
* WOLFSSL_SYS_CA_CERTS
* Enables ability to load system CA certs from the OS via
* wolfSSL_CTX_load_system_CA_certs.
* Default behavior compatible with OpenSSL default: off
* NO_WOLFSSL_STUB: Disable stubs for unimplemented funcs default: off
* WOLFSSL_DEBUG_OPENSSL: Debug logging for OpenSSL compat layer default: off
* WOLFSSL_HAVE_ERROR_QUEUE: OpenSSL-compatible error queue default: off
* WOLFSSL_ERROR_CODE_OPENSSL: Use OpenSSL-compatible error codes default: off
* WOLFSSL_CIPHER_INTERNALNAME:
* Use wolfSSL internal cipher suite names default: off
* NO_CIPHER_SUITE_ALIASES: Disable cipher suite name aliases default: off
* WOLFSSL_SET_CIPHER_BYTES: Set cipher suites by raw byte values default: off
* WOLFSSL_OLD_SET_CURVES_LIST:
* Old-style curve list parsing for compat default: off
* WOLFSSL_NO_OPENSSL_RAND_CB: Disable OpenSSL RAND callback compat default: off
* NO_ERROR_STRINGS: Disable human-readable error strings default: off
* WOLFSSL_PUBLIC_ASN: Make ASN parsing functions public default: off
*
* Extra Data / BIO:
* HAVE_EX_DATA: Enable ex_data on SSL/CTX/X509 objects default: off
* HAVE_EX_DATA_CLEANUP_HOOKS: Cleanup callbacks for ex_data default: off
* HAVE_EX_DATA_CRYPTO: ex_data support for wolfCrypt objects default: off
* MAX_EX_DATA: Max ex_data entries per object default: 5
* NO_BIO: Disable BIO abstraction layer default: off
*
* Session & Cache:
* NO_SESSION_CACHE: Disable server session cache default: off
* NO_SESSION_CACHE_REF: wolfSSL_get_session returns ssl->session
* reference instead of ClientCache ref default: off
* SESSION_CACHE_DYNAMIC_MEM: Dynamically allocate session cache default: off
* NO_CLIENT_CACHE: Disable client-side session cache default: off
* SESSION_CERTS: Store full cert chain in session default: off
* WOLFSSL_SESSION_ID_CTX: Session ID context for cache sharing default: off
*
* I/O & Transport:
* USE_WOLFSSL_IO: Use built-in I/O callbacks default: on
* WOLFSSL_USER_IO: Application provides custom I/O default: off
* WOLFSSL_NO_SOCK: Build without socket support default: off
* NO_WRITEV: Disable writev() scatter/gather I/O default: off
* WOLFSSL_DTLS_MTU: Enable DTLS MTU management APIs default: off
* WOLFSSL_DTLS_DROP_STATS: Track DTLS packet drop statistics default: off
* WOLFSSL_MULTICAST: Enable DTLS multicast support default: off
*
* Callbacks & Features:
* WOLFSSL_CHECK_ALERT_ON_ERR: Check alerts on handshake error default: off
* ATOMIC_USER: User-defined record layer callbacks default: off
* HAVE_WRITE_DUP: Separate threads for SSL read/write default: off
* WOLFSSL_CALLBACKS: Handshake monitoring callbacks default: off
* NO_HANDSHAKE_DONE_CB: Disable handshake completion callback default: off
* WOLFSSL_SHUTDOWNONCE: Send close_notify only once default: off
* WOLFSSL_COPY_CERT: Copy certificate buffer (own copy) default: off
* WOLFSSL_COPY_KEY: Copy private key buffer (own copy) default: off
* WOLF_PRIVATE_KEY_ID: Reference private keys by ID default: off
* WOLFSSL_REFCNT_ERROR_RETURN:
* Return errors on ref counting failures default: off
* WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST:
* Allow runtime max fragment size adjustment default: off
* WOLFSSL_ALLOW_NO_SUITES: Allow SSL objects with no cipher suites default: off
*
* Certificates & Keys:
* KEEP_PEER_CERT: Keep peer cert after handshake default: off
* KEEP_OUR_CERT: Keep our cert after handshake default: off
* WOLFSSL_STATIC_RSA: Enable static RSA key exchange default: off
* WOLFSSL_HAVE_CERT_SERVICE: Certificate service callbacks default: off
* WOLFSSL_SYS_CA_CERTS: Load system CA certs from OS default: off
*
* Application Compatibility:
* HAVE_CURL: APIs for libcurl compatibility default: off
* HAVE_LIGHTY: APIs for lighttpd compatibility default: off
* HAVE_MEMCACHED: APIs for memcached compatibility default: off
* WOLFSSL_APACHE_HTTPD: APIs for Apache httpd compatibility default: off
* WOLFSSL_NGINX: APIs for nginx compatibility default: off
* WOLFSSL_HAPROXY: APIs for HAProxy compatibility default: off
* WOLFSSL_ASIO: APIs for Boost.Asio compatibility default: off
* WOLFSSL_PYTHON: APIs for Python module compatibility default: off
* WOLFSSL_QT: APIs for Qt framework compatibility default: off
* WOLFSSL_JNI: APIs for Java JNI/JSSE compatibility default: off
*
* Protocol Features:
* WOLFSSL_HAVE_WOLFSCEP: Enable wolfSCEP protocol support default: off
* WOLFCRYPT_HAVE_SRP: Enable SRP protocol support default: off
* HAVE_LIBZ: Enable zlib TLS compression default: off
* WOLFSSL_EXTRA: Extra SSL session info APIs default: off
* WOLFSSL_WPAS_SMALL: Minimal wpa_supplicant/hostapd APIs default: off
* HAVE_FUZZER: Fuzzing callback support default: off
*
* Memory & Threading:
* WOLFSSL_STATIC_MEMORY_LEAN: Lean static memory allocation default: off
* WOLFSSL_THREADED_CRYPT: Multi-threaded crypto operations default: off
* WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS:
* Thread-safe cleanup via atomics default: off
* WOLFSSL_ATOMIC_INITIALIZER: Static init for atomic variables default: off
* WOLFSSL_DEBUG_MEMORY: Log malloc/free with file/line info default: off
* WOLFSSL_NO_REALLOC: Disable realloc, use malloc+copy+free default: off
* WOLFSSL_HEAP_TEST: Heap-related testing utilities default: off
*
* Debugging & Build:
* SHOW_SIZES: Display struct sizes at init default: off
* WOLFSSL_DEBUG_TRACE_ERROR_CODES:
* Trace error code origins for debugging default: off
* HAVE_ATEXIT: Register wolfSSL_Cleanup via atexit default: off
* WOLFSSL_SYS_CRYPTO_POLICY: Honor system crypto policy settings default: off
*
* Hardware TLS:
* WOLFSSL_RENESAS_TSIP_TLS: Renesas TSIP hardware crypto for TLS default: off
* WOLFSSL_RENESAS_FSPSM_TLS: Renesas FSP Security Module for TLS default: off
* WOLFSSL_EGD_NBLOCK: Non-blocking EGD entropy support default: off
*/
#define WOLFSSL_SSL_MISC_INCLUDED
@@ -8526,12 +8621,12 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
if (ssl == NULL)
return 0;
#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_CLIENT)
#if defined(WOLFSSL_DTLS13) && !defined(NO_WOLFSSL_CLIENT)
if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls
&& IsAtLeastTLSv1_3(ssl->version)) {
return ssl->options.serverState == SERVER_FINISHED_ACKED;
}
#endif /* WOLFSSL_DTLS13 && !WOLFSSL_NO_CLIENT */
#endif /* WOLFSSL_DTLS13 && !NO_WOLFSSL_CLIENT */
/* Can't use ssl->options.connectState and ssl->options.acceptState
* because they differ in meaning for TLS <=1.2 and 1.3 */
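Review bot: The new one-line entry for `OPENSSL_COMPATIBLE_DEFAULTS` ("Default behavior compatible with OpenSSL") drops the example the previous text gave, that with this option SSL_CTX by default doesn't verify the loaded certs. That example is the part a person auditing a build configuration needs, so it should survive the reformat, e.g. `OPENSSL_COMPATIBLE_DEFAULTS: OpenSSL-style defaults (SSL_CTX does not verify loaded certs)`. In the same table `WOLFSSL_STATIC_RSA` and `HAVE_LIBZ` are listed as ordinary feature switches; a short marker on entries that relax the default security posture would make the table more useful for review.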
+97
@@ -19,6 +19,103 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*
* TLS Build Options:
* (See tls13.c for TLS 1.3-specific options)
*
* Protocol Control:
* NO_OLD_TLS: Disable TLS 1.0 and 1.1 default: off
* WOLFSSL_ALLOW_TLSV10: Allow TLS 1.0 connections default: off
* WOLFSSL_NO_TLS12: Disable TLS 1.2 default: off
* NO_TLS: Disable TLS entirely (SSL only) default: off
* WOLFSSL_DTLS: Enable DTLS support default: off
* WOLFSSL_DTLS13: Enable DTLS 1.3 support default: off
* WOLFSSL_DTLS_CID: Enable DTLS Connection ID default: off
* WOLFSSL_AEAD_ONLY: Only allow AEAD cipher suites default: off
* NO_WOLFSSL_CLIENT: Disable TLS client functionality default: off
* NO_WOLFSSL_SERVER: Disable TLS server functionality default: off
* WOLFSSL_EITHER_SIDE: Allow same context for client/server default: off
* HAVE_TLS_EXTENSIONS: Enable TLS extension support default: on
* HAVE_SNI: Server Name Indication extension default: off
* WOLFSSL_ALWAYS_KEEP_SNI: Keep SNI after handshake default: off
* HAVE_MAX_FRAGMENT: Max Fragment Length extension default: off
* HAVE_TRUNCATED_HMAC: Truncated HMAC extension default: off
* HAVE_SUPPORTED_CURVES: Supported Curves extension default: on
* HAVE_EXTENDED_MASTER: Extended Master Secret (RFC 7627) default: on
* HAVE_ENCRYPT_THEN_MAC: Encrypt-Then-MAC extension default: on
* HAVE_ALPN: Application-Layer Protocol Negotiation default: off
* HAVE_CERTIFICATE_STATUS_REQUEST: OCSP stapling default: off
* HAVE_CERTIFICATE_STATUS_REQUEST_V2: OCSP stapling v2 default: off
* HAVE_SECURE_RENEGOTIATION: Secure renegotiation support default: off
* HAVE_SERVER_RENEGOTIATION_INFO: Server renegotiation info default: off
* HAVE_SESSION_TICKET: Session ticket support default: off
* HAVE_TRUSTED_CA: Trusted CA Indication extension default: off
* HAVE_RPK: Raw Public Key support (RFC 7250) default: off
* HAVE_ECH: Encrypted Client Hello support default: off
* WOLFSSL_NO_SIGALG: Disable signature algorithms ext default: off
* WOLFSSL_NO_CA_NAMES: Disable CA Names in CertificateReq default: off
* WOLFSSL_NO_SERVER_GROUPS_EXT: Don't send server groups ext default: off
* NO_TLSX_PSKKEM_PLAIN_ANNOUNCE: Disable plain PSK announce default: off
* WOLFSSL_OLD_UNSUPPORTED_EXTENSION: Old unsupported ext handling default: off
* WOLFSSL_ALLOW_SERVER_SC_EXT: Allow server supported curves ext default: off
*
* Pre-Shared Keys:
* NO_PSK: Disable PSK cipher suites default: off
*
* Key Exchange:
* HAVE_FFDHE: Enable Finite Field DH ephemeral default: off
* HAVE_FFDHE_2048: Enable FFDHE 2048-bit group default: off
* HAVE_FFDHE_3072: Enable FFDHE 3072-bit group default: off
* HAVE_FFDHE_4096: Enable FFDHE 4096-bit group default: off
* HAVE_FFDHE_6144: Enable FFDHE 6144-bit group default: off
* HAVE_FFDHE_8192: Enable FFDHE 8192-bit group default: off
* HAVE_PUBLIC_FFDHE: Use public FFDHE parameters only default: off
* WOLFSSL_OLD_PRIME_CHECK: Use old DH prime checking method default: off
* WOLFSSL_STATIC_DH: Enable static DH cipher suites default: off
* WOLFSSL_STATIC_EPHEMERAL: Enable static ephemeral key loading default: off
*
* Post-Quantum:
* WOLFSSL_HAVE_MLKEM: Enable ML-KEM (Kyber) support default: off
* WOLFSSL_WC_MLKEM: Use wolfCrypt ML-KEM implementation default: off
* WOLFSSL_MLKEM_KYBER: Use Kyber round 3 parameters default: off
* WOLFSSL_KYBER512: Enable Kyber/ML-KEM-512 default: off
* WOLFSSL_KYBER768: Enable Kyber/ML-KEM-768 default: off
* WOLFSSL_KYBER1024: Enable Kyber/ML-KEM-1024 default: off
* WOLFSSL_NO_ML_KEM: Disable all ML-KEM support default: off
* WOLFSSL_NO_ML_KEM_512: Disable ML-KEM-512 default: off
* WOLFSSL_NO_ML_KEM_768: Disable ML-KEM-768 default: off
* WOLFSSL_NO_ML_KEM_1024: Disable ML-KEM-1024 default: off
* WOLFSSL_ML_KEM_USE_OLD_IDS: Use old IANA IDs for ML-KEM default: off
* WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ: Store ML-KEM object in ext default: off
* WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY: Store ML-KEM priv key default: off
* WOLFSSL_MLKEM_CACHE_A: Cache ML-KEM A matrix default: off
* WOLFSSL_MLKEM_NO_MAKE_KEY: Disable ML-KEM key generation default: off
* WOLFSSL_MLKEM_NO_ENCAPSULATE: Disable ML-KEM encapsulation default: off
* WOLFSSL_MLKEM_NO_DECAPSULATE: Disable ML-KEM decapsulation default: off
* HAVE_LIBOQS: Use liboqs for PQ algorithms default: off
*
* Curves:
* HAVE_SECRET_CALLBACK: Enable TLS secret callback default: off
* HAVE_PK_CALLBACKS: Enable public key callbacks default: off
* HAVE_FUZZER: Enable fuzzing callback support default: off
*
* Features:
* WOLFSSL_SNIFFER: Enable TLS packet sniffing support default: off
* WOLFSSL_SNIFFER_KEYLOGFILE: Sniffer keylog file support default: off
* WOLFSSL_SSLKEYLOGFILE: Enable SSL key log file output default: off
* WOLFSSL_SRTP: Enable SRTP extension support default: off
* WOLFSSL_DUAL_ALG_CERTS: Enable dual algorithm certificates default: off
* WOLFSSL_HAVE_PRF: Enable TLS PRF function access default: off
* WOLFSSL_DEBUG_TLS: Debug TLS protocol messages default: off
* WOLFSSL_32BIT_MILLI_TIME: 32-bit millisecond time function default: off
* WOLFSSL_REQUIRE_TCA: Require Trusted CA extension default: off
* WOLFSSL_DH_EXTRA: Extra DH key info in SSL object default: off
* WOLFSSL_CURVE25519_BLINDING: Curve25519 blinding in TLS default: off
* HAVE_NULL_CIPHER: Allow NULL cipher suites default: off
* HAVE_WEBSERVER: Enable web server features default: off
* NO_CERTS: Disable certificate processing default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#ifndef WOLFCRYPT_ONLY
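Review bot: The `Curves:` group lists `HAVE_SECRET_CALLBACK`, `HAVE_PK_CALLBACKS` and `HAVE_FUZZER`, none of which selects a curve, so the heading looks like a leftover; `Callbacks:` would match the entries. Under `Features:`, `WOLFSSL_SSLKEYLOGFILE` and `HAVE_NULL_CIPHER` are described like any other feature although, by their own descriptions, one enables key log file output and the other allows NULL cipher suites. I would add a caveat to each, e.g. `WOLFSSL_SSLKEYLOGFILE: Write TLS secrets to a key log file (debug builds only)`. `HAVE_FUZZER` is also documented in the ssl.c table on this page, so one entry could simply point to the other.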
+57 -67
@@ -22,71 +22,61 @@
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
/*
* BUILD_GCM
* Enables AES-GCM ciphersuites.
* HAVE_AESCCM
* Enables AES-CCM ciphersuites.
* HAVE_SESSION_TICKET
* Enables session tickets - required for TLS 1.3 resumption.
* NO_PSK
* Do not enable Pre-Shared Keys.
* HAVE_KEYING_MATERIAL
* Enables exporting keying material based on section 7.5 of RFC 8446.
* WOLFSSL_ASYNC_CRYPT
* Enables the use of asynchronous cryptographic operations.
* This is available for ciphers and certificates.
* HAVE_CHACHA && HAVE_POLY1305
* Enables use of CHACHA20-POLY1305 ciphersuites.
* WOLFSSL_DEBUG_TLS
* Writes out details of TLS 1.3 protocol including handshake message buffers
* and key generation input and output.
* WOLFSSL_EARLY_DATA
* Allow 0-RTT Handshake using Early Data extensions and handshake message
* WOLFSSL_EARLY_DATA_GROUP
* Group EarlyData message with ClientHello when sending
* WOLFSSL_NO_SERVER_GROUPS_EXT
* Do not send the server's groups in an extension when the server's top
* preference is not in client's list.
* WOLFSSL_POST_HANDSHAKE_AUTH
* Allow TLS v1.3 code to perform post-handshake authentication of the
* client.
* WOLFSSL_SEND_HRR_COOKIE
* Send a cookie in hello_retry_request message to enable stateless tracking
* of ClientHello replies.
* WOLFSSL_TLS13
* Enable TLS 1.3 protocol implementation.
* WOLFSSL_TLS13_MIDDLEBOX_COMPAT
* Enable middlebox compatibility in the TLS 1.3 handshake.
* This includes sending ChangeCipherSpec before encrypted messages and
* including a session id.
* WOLFSSL_TLS13_SHA512
* Allow generation of SHA-512 digests in handshake - no ciphersuite
* requires SHA-512 at this time.
* WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
* Allow a NewSessionTicket message to be sent by server before Client's
* Finished message.
* See TLS v1.3 specification, Section 4.6.1, Paragraph 4 (Note).
* WOLFSSL_PSK_ONE_ID
* When only one PSK ID is used and only one call to the PSK callback can
* be made per connect.
* You cannot use wc_psk_client_cs_callback type callback on client.
* WOLFSSL_PRIORITIZE_PSK
* During a handshake, prioritize PSK order instead of ciphersuite order.
* WOLFSSL_CHECK_ALERT_ON_ERR
* Check for alerts during the handshake in the event of an error.
* WOLFSSL_NO_CLIENT_CERT_ERROR
* Requires client to set a client certificate
* WOLFSSL_PSK_MULTI_ID_PER_CS
* When multiple PSK identities are available for the same cipher suite.
* Sets the first byte of the client identity to the count of identities
* that have been seen so far for the cipher suite.
* WOLFSSL_CHECK_SIG_FAULTS
* Verifies the ECC signature after signing in case of faults in the
* calculation of the signature. Useful when signature fault injection is a
* possible attack.
* WOLFSSL_32BIT_MILLI_TIME
* Function TimeNowInMilliseconds() returns an unsigned 32-bit value.
* Default behavior is to return a signed 64-bit value.
* TLS 1.3-Specific Build Options:
* (See tls.c for generic TLS options: extensions, curves, callbacks, etc.)
*
* Protocol:
* WOLFSSL_TLS13: Enable TLS 1.3 protocol default: on
* WOLFSSL_TLS13_DRAFT: Enable TLS 1.3 draft version support default: off
* WOLFSSL_QUIC: Enable QUIC protocol support (TLS 1.3) default: off
* WOLFSSL_DTLS13_NO_HRR_ON_RESUME: Skip HRR on DTLS 1.3 resume default: off
* WOLFSSL_DTLS_CH_FRAG: Enable DTLS 1.3 ClientHello frag default: off
*
* Handshake:
* WOLFSSL_TLS13_MIDDLEBOX_COMPAT: Enable middlebox compatibility default: on
* Sends ChangeCipherSpec and includes session id
* WOLFSSL_SEND_HRR_COOKIE: Send cookie in HelloRetryRequest default: off
* for stateless ClientHello tracking
* WOLFSSL_EARLY_DATA: Allow 0-RTT early data default: off
* WOLFSSL_EARLY_DATA_GROUP: Group early data with ClientHello default: off
* WOLFSSL_POST_HANDSHAKE_AUTH: Post-handshake client auth default: off
* WOLFSSL_TLS13_TICKET_BEFORE_FINISHED: Send NewSessionTicket default: off
* before client Finished message
* WOLFSSL_NO_CLIENT_AUTH: Disable TLS 1.3 client authentication default: off
* WOLFSSL_NO_CLIENT_CERT_ERROR: Require client certificate default: off
* WOLFSSL_CERT_SETUP_CB: Certificate setup callback default: off
* WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION: Allow bad legacy version default: off
*
* Security:
* WOLFSSL_BLIND_PRIVATE_KEY: Blind private key during signing default: off
* WOLFSSL_CHECK_SIG_FAULTS: Verify signature after ECC signing default: off
* to detect fault injection attacks
* WOLFSSL_CIPHER_TEXT_CHECK: Verify ciphertext integrity default: off
*
* TLS 1.3 PSK:
* WOLFSSL_PSK_ONE_ID: Single PSK identity per connect default: off
* WOLFSSL_PSK_MULTI_ID_PER_CS: Multiple PSK IDs per cipher suite default: off
* WOLFSSL_PRIORITIZE_PSK: Prioritize PSK over ciphersuite order default: off
* WOLFSSL_PSK_ID_PROTECTION: Enable PSK identity protection default: off
*
* TLS 1.3 Session Tickets:
* WOLFSSL_TICKET_HAVE_ID: Session tickets include ID default: off
* WOLFSSL_TICKET_NONCE_MALLOC: Dynamically allocate ticket nonce default: off
*
* TLS 1.3 Key Exchange:
* HAVE_KEYING_MATERIAL: Export keying material (RFC 8446 7.5) default: off
* WOLFSSL_HAVE_TLS_UNIQUE: Enable tls-unique channel binding default: off
*
* TLS 1.3 Hash/Signature:
* WOLFSSL_TLS13_SHA512: Allow SHA-512 in TLS 1.3 handshake default: off
* (no ciphersuite requires it currently)
* WOLFSSL_ERROR_CODE_OPENSSL: Use OpenSSL-compatible error codes default: off
* WOLFSSL_SSLKEYLOGFILE_OUTPUT: Set key log output file path default: off
* WOLFSSL_RW_THREADED: Enable read/write threading support default: off
* WOLFSSL_ASYNC_IO: Enable async I/O operations default: off
* WOLFSSL_NONBLOCK_OCSP: Non-blocking OCSP processing default: off
* WOLFSSL_TLS_OCSP_MULTI: Multiple OCSP responses default: off
* WOLFSSL_WOLFSENTRY_HOOKS: wolfSentry integration hooks default: off
*/
#if !defined(NO_TLS) && defined(WOLFSSL_TLS13)
@@ -5037,7 +5027,7 @@ int SendTls13ClientHello(WOLFSSL* ssl)
return ret;
}
#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_CLIENT)
#if defined(WOLFSSL_DTLS13) && !defined(NO_WOLFSSL_CLIENT)
static int Dtls13ClientDoDowngrade(WOLFSSL* ssl)
{
int ret;
@@ -5061,7 +5051,7 @@ static int Dtls13ClientDoDowngrade(WOLFSSL* ssl)
w64GetLow32(ssl->dtls13EncryptEpoch->nextSeqNumber);
return ret;
}
#endif /* WOLFSSL_DTLS13 && !WOLFSSL_NO_CLIENT*/
#endif /* WOLFSSL_DTLS13 && !NO_WOLFSSL_CLIENT*/
#if defined(HAVE_ECH)
/* Calculate ECH acceptance and verify the server accepted ECH.
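Review bot: Replacing `WOLFSSL_NO_CLIENT` with `NO_WOLFSSL_CLIENT` in the guard around `Dtls13ClientDoDowngrade` changes what gets compiled, not only the spelling. The same commit removes `WOLFSSL_NO_CLIENT` from the list of known macros, which suggests the old condition never excluded anything, whereas the new one drops this static function from builds without a client. The callers are outside these hunks, so it should be confirmed that every call site sits under the same `!defined(NO_WOLFSSL_CLIENT)` condition and that a `WOLFSSL_DTLS13` plus `NO_WOLFSSL_CLIENT` configuration is actually built and tested. The same substitution is made in the ssl.c hunk at `@@ -8526,12 +8621,12 @@`, and since the commit title mentions only documentation and spelling, I would call the guard change out in the description.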
+1 -1
@@ -466,7 +466,7 @@ static void show_appinfo(void)
#ifdef HAVE_CURVE448
"x448 "
#endif
#ifdef HAVE_CURVE22519
#ifdef HAVE_CURVE25519
"x22519 "
#endif
#ifdef WOLFSSL_STATIC_RSA
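Review bot: The string under the corrected guard still reads `"x22519 "`, so the typo this commit fixes in the macro name survives in what show_appinfo prints. With the guard now spelled `HAVE_CURVE25519`, this line presumably starts being emitted for the first time, which makes the misspelling visible to anyone reading the feature list; it should become `"x25519 "`. show_appinfo's body starts and ends outside the hunk.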
+1 -1
@@ -37,7 +37,7 @@
#if defined(WOLFSSL_STATIC_MEMORY)
#include <wolfssl/wolfcrypt/memory.h>
#endif
#ifdef WOLFSSL_ASNC_CRYPT
#ifdef WOLFSSL_ASYNC_CRYPT
#include <wolfssl/wolfcrypt/async.h>
#endif
#ifdef HAVE_ECC
+81
@@ -29,6 +29,87 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
*/
/*
* AES Build Options:
*
* Core:
* NO_AES: Disable AES support entirely default: off
* WOLFSSL_AES_128: Enable AES-128 key size default: on
* WOLFSSL_AES_192: Enable AES-192 key size default: on
* WOLFSSL_AES_256: Enable AES-256 key size default: on
* AES_MAX_KEY_SIZE: Maximum AES key size in bits default: 256
*
* Cipher Modes:
* HAVE_AES_CBC: Enable AES-CBC mode default: on
* HAVE_AES_ECB: Enable AES-ECB mode default: off
* HAVE_AES_DECRYPT: Enable AES decryption default: on
* WOLFSSL_AES_COUNTER: Enable AES-CTR mode default: off
* WOLFSSL_AES_CFB: Enable AES-CFB mode default: off
* WOLFSSL_NO_AES_CFB_1_8: Disable AES-CFB-1 and AES-CFB-8 default: off
* WOLFSSL_AES_OFB: Enable AES-OFB mode default: off
* WOLFSSL_AES_DIRECT: Enable direct AES encrypt/decrypt API default: off
* WOLFSSL_AES_XTS: Enable AES-XTS mode default: off
* WOLFSSL_AES_CTS: Enable AES-CTS (ciphertext stealing) default: off
* WOLFSSL_AES_SIV: Enable AES-SIV (synthetic IV) mode default: off
* WOLFSSL_AES_EAX: Enable AES-EAX AEAD mode default: off
* WOLFSSL_CMAC: Enable AES-CMAC (RFC 4493) default: off
* HAVE_AESCCM: Enable AES-CCM mode default: off
* HAVE_AES_KEYWRAP: Enable AES key wrap (RFC 3394) default: off
* WOLFSSL_AES_CBC_LENGTH_CHECKS: Validate CBC input length default: off
*
* AES-GCM:
* HAVE_AESGCM: Enable AES-GCM mode default: off
* HAVE_AESGCM_DECRYPT: Enable AES-GCM decryption default: on
* (when HAVE_AESGCM is enabled)
* WOLFSSL_AESGCM_STREAM: Enable streaming AES-GCM API default: off
* WC_AES_GCM_DEC_AUTH_EARLY: Authenticate tag before decryption default: off
* GCM_SMALL: Small GCM table, saves memory default: off
* GCM_TABLE: Full 4-bit GCM lookup table, faster default: off
* GCM_TABLE_4BIT: Explicit 4-bit GCM table mode default: off
* GCM_WORD32: Use 32-bit word GCM implementation default: off
* GCM_GMULT_LEN: GCM GMULT length optimization default: off
*
* AES-XTS Stream:
* WOLFSSL_AESXTS_STREAM: Enable streaming AES-XTS API default: off
* WC_AESXTS_STREAM_NO_REQUEST_ACCOUNTING:
* Disable XTS stream request accounting default: off
* WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS:
* Support both encrypt and decrypt keys default: off
* simultaneously in XTS context
*
* Performance / Side-Channel:
* WOLFSSL_AESNI: Enable Intel AES-NI instructions default: off
* WOLFSSL_AESNI_BY4: AES-NI 4-block parallel processing default: off
* WOLFSSL_AESNI_BY6: AES-NI 6-block parallel processing default: off
* USE_INTEL_SPEEDUP: Intel AVX/AVX2 for AES acceleration default: off
* WOLFSSL_AES_SMALL_TABLES: Use smaller AES S-box tables default: off
* WOLFSSL_AES_NO_UNROLL: Disable AES round loop unrolling default: off
* WOLFSSL_AES_TOUCH_LINES: Touch all cache lines for default: off
* side-channel resistance
* WC_AES_BITSLICED: Use bitsliced AES implementation default: off
* AES_GCM_GMULT_NCT: GCM GMULT non-constant-time default: off
* NO_WOLFSSL_ALLOC_ALIGN: Disable aligned memory allocation default: off
*
* Hardware Acceleration (AES-specific):
* WC_ASYNC_ENABLE_AES: Enable async AES operations default: off
* WOLFSSL_CRYPTOCELL_AES: CryptoCell AES acceleration default: off
* WOLFSSL_DEVCRYPTO_AES: /dev/crypto AES acceleration default: off
* WOLFSSL_DEVCRYPTO_CBC: /dev/crypto AES-CBC acceleration default: off
* WOLFSSL_KCAPI_AES: Linux kernel crypto API for AES default: off
* WOLFSSL_NO_KCAPI_AES_CBC: Disable KCAPI AES-CBC default: off
* WOLFSSL_NRF51_AES: nRF51 hardware AES default: off
* WOLFSSL_PSA_NO_AES: Disable PSA AES default: off
* WOLFSSL_SCE_NO_AES: Disable Renesas SCE AES default: off
* NO_IMX6_CAAM_AES: Disable i.MX6 CAAM AES default: off
* WOLFSSL_AFALG_XILINX_AES: AF_ALG Xilinx AES acceleration default: off
* NO_WOLFSSL_ESP32_CRYPT_AES: Disable ESP32 AES acceleration default: off
* STM32_CRYPTO_AES_ONLY: STM32 AES-only crypto mode default: off
*
* Debug:
* WC_DEBUG_CIPHER_LIFECYCLE: Debug cipher init/free lifecycle default: off
* WOLFSSL_HW_METRICS: Track hardware acceleration usage default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#if !defined(NO_AES)
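Review bot: In the "Performance / Side-Channel" group, `AES_GCM_GMULT_NCT` is described only as "GCM GMULT non-constant-time", with nothing telling a reader that it gives up timing resistance, while `WOLFSSL_AES_TOUCH_LINES` in the same group is there to add side-channel resistance. I would mark the weakening entry the way the ECC block in this commit marks `WC_NO_CACHE_RESISTANT`, e.g. `* AES_GCM_GMULT_NCT: Non-constant-time GCM GMULT; not recommended where timing side channels matter`. Separately, `GCM_TABLE` and `GCM_TABLE_4BIT` are both described as 4-bit tables, which leaves them indistinguishable; the table sizes should be checked against the implementation before this lands.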
+102 -2
@@ -107,6 +107,106 @@ ASN Options:
* WOLFSSL_ALLOW_AKID_SKID_MATCH: By default cert issuer is found using hash
* of cert subject hash with signers subject hash. This option allows fallback
* to using AKID and SKID matching.
*
* Certificate Generation/Parsing:
* WOLFSSL_CERT_REQ: Enable certificate request (CSR) support
* WOLFSSL_CERT_EXT: Enable certificate extension support
* WOLFSSL_CERT_PIV: Enable PIV certificate support
* WOLFSSL_CERT_GEN_CACHE: Cache DER for cert generation
* WOLFSSL_CERT_SIGN_CB: Enable certificate signing callback
* WOLFSSL_CERT_NAME_ALL: Store all certificate name components
* WOLFSSL_MULTI_ATTRIB: Enable multi-valued RDN attributes
* WOLFSSL_DER_TO_PEM: Enable DER to PEM conversion
* WOLFSSL_PEM_TO_DER: Enable PEM to DER conversion
* WOLFSSL_PUB_PEM_TO_DER: Enable public key PEM to DER conversion
* WOLFSSL_KEY_TO_DER: Enable key to DER encoding
* WOLFSSL_ENCRYPTED_KEYS: Enable encrypted private key support (PKCS#8)
* ASN_BER_TO_DER: Enable BER to DER conversion
* WOLFSSL_DUP_CERTPOL: Allow duplicate certificate policies
* WOLFSSL_NAMES_STATIC: Use static allocation for name strings
* WOLFSSL_SIGNER_DER_CERT: Store signer DER cert in cert manager
*
* Certificate Validation:
* NO_VERIFY_OID: Skip OID verification
* NO_CHECK_PRIVATE_KEY: Skip private key pair check
* NO_SKID: Disable Subject Key Identifier
* NO_STRICT_ECDSA_LEN: Allow non-strict ECDSA signature length
* NO_WOLFSSL_CM_VERIFY: Disable cert manager verify callback
* NO_WOLFSSL_SKIP_TRAILING_PAD: Don't skip trailing padding
* ALLOW_SELFSIGNED_INVALID_CERTSIGN: Allow self-signed certs
* without keyCertSign in keyUsage
* ALLOW_V1_EXTENSIONS: Allow extensions in v1 certificates
* USE_WOLF_VALIDDATE: Use wolfSSL date validation
* WC_ASN_RUNTIME_DATE_CHECK_CONTROL: Runtime control of date checking
* WOLFSSL_AFTER_DATE_CLOCK_SKEW: Clock skew tolerance for after-date
* WOLFSSL_BEFORE_DATE_CLOCK_SKEW: Clock skew tolerance for before-date
* WOLFSSL_TRUST_PEER_CERT: Enable trusted peer certificate support
*
* Extensions:
* WOLFSSL_ALT_NAMES: Enable Subject Alternative Names
* WOLFSSL_ALT_NAMES_NO_REV: Alt names without reverse order
* WOLFSSL_IP_ALT_NAME: Enable IP address in SAN
* WOLFSSL_RID_ALT_NAME: Enable Registered ID in SAN
* WOLFSSL_SEP: Enable SubjectEntryPoint extension
* WOLFSSL_EKU_OID: Enable Extended Key Usage OID support
* WOLFSSL_ACERT: Enable attribute certificate support
* IGNORE_KEY_EXTENSIONS: Ignore key usage extensions
* IGNORE_NETSCAPE_CERT_TYPE: Ignore Netscape cert type extension
* WOLFSSL_ALLOW_CRIT_AIA: Allow critical Authority Info Access
* WOLFSSL_ALLOW_CRIT_AKID: Allow critical Auth Key Identifier
* WOLFSSL_ALLOW_CRIT_SKID: Allow critical Subject Key Identifier
* WC_ASN_UNKNOWN_EXT_CB: Callback for unknown extensions
*
* ASN.1 Parsing:
* WOLFSSL_ASN_ALL: Enable all ASN.1 features
* WOLFSSL_ASN_CA_ISSUER: Enable CA Issuer in AIA parsing
* WOLFSSL_ASN_PRINT: Enable ASN.1 structure printing
* WOLFSSL_ASN_INT_LEAD_0_ANY: Allow any leading zero in ASN integers
* WOLFSSL_ASN_PARSE_KEYUSAGE: Parse key usage extension
* WOLFSSL_ASN_TIME_STRING: Enable ASN time to string conversion
* ASN_TEMPLATE_SKIP_ISCA_CHECK: Skip isCA check in ASN template
*
* OID:
* HAVE_OID_ENCODING: Enable OID encoding support
* HAVE_OID_DECODING: Enable OID decoding support
* WOLFSSL_OLD_OID_SUM: Use old OID sum calculation
*
* CRL:
* HAVE_CRL: Enable Certificate Revocation Lists
* CRL_STATIC_REVOKED_LIST: Use static list for revoked certs
*
* OCSP:
* HAVE_OCSP: Enable OCSP support
* HAVE_OCSP_RESPONDER: Enable OCSP responder support
* WOLFSSL_OCSP_PARSE_STATUS: Parse OCSP response status
*
* PKCS:
* HAVE_PKCS8: Enable PKCS#8 support
* HAVE_PKCS12: Enable PKCS#12 support
*
* Algorithms (ASN encoding/decoding):
* HAVE_DILITHIUM: Enable Dilithium ASN support
* WOLFSSL_DILITHIUM_NO_ASN1: Disable Dilithium ASN.1 encoding
* WOLFSSL_DILITHIUM_FIPS204_DRAFT: FIPS 204 draft Dilithium
* WOLFSSL_DILITHIUM_NO_SIGN: Disable Dilithium signing
* WOLFSSL_DILITHIUM_NO_VERIFY: Disable Dilithium verify
* HAVE_FALCON: Enable Falcon ASN support
* HAVE_SPHINCS: Enable SPHINCS+ ASN support
*
* Key Import/Export:
* WC_ENABLE_ASYM_KEY_IMPORT: Enable asymmetric key import
* WC_ENABLE_ASYM_KEY_EXPORT: Enable asymmetric key export
*
* Compatibility:
* WOLFSSL_APACHE_HTTPD: Apache HTTPD compatibility
* WOLFSSL_X509_NAME_AVAILABLE: Enable X509_NAME API
* WOLFSSL_HAVE_ISSUER_NAMES: Store issuer name components
* WOLFSSL_ASN_KEY_SIZE_ENUM: Use enum for AES key size in ASN
* WOLFSSL_SM3: Enable SM3 hash ASN support
* HAVE_SMIME: Enable S/MIME support
* HAVE_LIBZ: Enable zlib compression for certs
* WC_RC2: Enable RC2 for PKCS#12
* WOLFSSL_MD2: Enable MD2 hash (legacy)
*/
#ifndef NO_RSA
@@ -4389,7 +4489,7 @@ static word32 SetBitString16Bit(word16 val, byte* output)
/* Falcon Level 5: 1 3 9999 3 9 */
static const byte sigFalcon_Level5Oid[] = {43, 206, 15, 3, 9};
#endif /* HAVE_FACON */
#endif /* HAVE_FALCON */
#ifdef HAVE_DILITHIUM
#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT
/* Dilithium Level 2: 1.3.6.1.4.1.2.267.12.4.4 */
@@ -17954,7 +18054,7 @@ static WC_INLINE int IsSigAlgoECC(word32 algoOID)
#ifdef HAVE_CURVE448
|| (algoOID == X448k)
#endif
#ifdef HAVE_FACON
#ifdef HAVE_FALCON
|| (algoOID == FALCON_LEVEL1k)
|| (algoOID == FALCON_LEVEL5k)
#endif
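Review bot: The `HAVE_FACON` to `HAVE_FALCON` guard fix in IsSigAlgoECC is a functional change rather than a spelling one: the `FALCON_LEVEL1k` and `FALCON_LEVEL5k` comparisons could never be compiled under the misspelled name and now take part in the result for `HAVE_FALCON` builds. The same applies to the `NO_WOLFSSL_CLIENT` guard around Dtls13ClientDoDowngrade, the `WOLFSSL_ASYNC_CRYPT` include guard and the `WOLFSSL_SM4_ECB` entry in wolfSSL_EVP_get_cipherbyname elsewhere in this commit. Since this function classifies signature algorithm OIDs, I would call the change out in the commit description and cover it with a test in a `HAVE_FALCON` build, for example one that verifies a Falcon-signed certificate. IsSigAlgoECC starts and ends outside the hunk.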
+28 -10
@@ -22,18 +22,36 @@
/* This framework provides a central place for crypto hardware integration
using the devId scheme. If not supported return `CRYPTOCB_UNAVAILABLE`. */
/* Some common, optional build settings:
* these can also be set in wolfssl/options.h or user_settings.h
* -------------------------------------------------------------
* enable the find device callback functions
* WOLF_CRYPTO_CB_FIND
/*
Crypto Callback Build Options:
* WOLF_CRYPTO_CB: Master enable for crypto callback default: off
* framework. Required for all options below.
* WOLF_CRYPTO_CB_FIND: Enable find device callback functions default: off
* Allows lookup of registered crypto devices.
* WOLF_CRYPTO_CB_CMD: Enable command callbacks invoked during default: off
* register and unregister of crypto devices.
* WOLF_CRYPTO_CB_COPY: Enable copy callback for algorithm default: off
* structures (hash, cipher state copying).
* WOLF_CRYPTO_CB_FREE: Enable free callback for algorithm default: off
* structures (cleanup of crypto objects).
* WOLF_CRYPTO_CB_AES_SETKEY: Enable callback for AES key setup default: off
* WOLF_CRYPTO_CB_RSA_PAD: Enable callback for RSA padding default: off
* operations (custom padding handling).
* DEBUG_CRYPTOCB: Enable debug InfoString functions default: off
*
* enable the command callback functions to invoke the callback during
* register and unregister
* WOLF_CRYPTO_CB_CMD
* Device ID options:
* WC_USE_DEVID: Specify a default device ID to use default: off
* when no hardware device is detected.
* WC_NO_DEFAULT_DEVID: Disable automatic default device ID default: off
* selection. Requires explicit devId passing.
* WOLFSSL_CAAM_DEVID: Device ID constant (value 7) for NXP default: off
* CAAM hardware crypto.
*
* enable debug InfoString functions
* DEBUG_CRYPTOCB
* Algorithm-specific callback options:
* NO_SHA2_CRYPTO_CB: Disable crypto callbacks for SHA-384 default: off
* and SHA-512 operations.
* WOLF_CRYPTO_CB_ONLY_ECC: Use only callbacks for ECC default: off
* WOLF_CRYPTO_CB_ONLY_RSA: Use only callbacks for RSA default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
+11
@@ -25,6 +25,17 @@
* Reworked for curve448 by Sean Parkinson.
*/
/*
* Curve448 Build Options:
*
* HAVE_CURVE448: Enable Curve448 support default: off
* HAVE_CURVE448_SHARED_SECRET: Enable Curve448 shared secret default: on
* (when HAVE_CURVE448 is enabled)
* HAVE_CURVE448_KEY_EXPORT: Enable Curve448 key export default: on
* HAVE_CURVE448_KEY_IMPORT: Enable Curve448 key import default: on
* WOLFSSL_ECDHX_SHARED_NOT_ZERO: Check ECDH shared secret != 0 default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#ifdef HAVE_CURVE448
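Review bot: The `WOLFSSL_ECDHX_SHARED_NOT_ZERO` entry says only "Check ECDH shared secret != 0" and does not say why the check exists or what the caller sees when it trips. RFC 7748 section 6 ties the all-zero output to a peer public value of small order, and a reader deciding whether to leave the option off needs that context. Suggested wording, assuming the check makes the shared-secret call return an error: `* WOLFSSL_ECDHX_SHARED_NOT_ZERO: Fail when the shared secret is all zero (RFC 7748 sec. 6, small-order peer key)  default: off`.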
+11
@@ -19,6 +19,17 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*
* DES3 Build Options:
*
* NO_DES3: Disable 3DES support entirely default: off
* WOLFSSL_DES_ECB: Enable DES-ECB mode default: off
*
* Hardware Acceleration (DES3-specific):
* WC_ASYNC_ENABLE_3DES: Enable async 3DES operations default: off
* FREESCALE_LTC_DES: Freescale LTC DES acceleration default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#ifndef NO_DES3
+59
@@ -100,6 +100,65 @@ Possible ECC enable options:
* WOLFSSL_CHECK_VER_FAULTS
* Sanity check on verification steps in case of faults.
* default: off
* ECC_TIMING_RESISTANT: Enables constant-time ECC operations default: on
* to prevent timing side-channel attacks.
* Auto-enabled for FIPS and some embedded builds.
* WC_NO_CACHE_RESISTANT: Disables cache-resistant operations default: off
* (conditional swaps) in ECC scalar multiply to
* reduce overhead. Not recommended for secure use.
* ALT_ECC_SIZE: Uses alternate smaller fixed-size arrays default: off
* for ECC points instead of full mp_int arrays,
* reducing memory. Requires USE_FAST_MATH.
* WOLFSSL_ECC_NO_SMALL_STACK: Disables WOLFSSL_SMALL_STACK default: off
* optimizations for ECC, using stack instead of heap.
* HAVE_ECC_CHECK_PUBKEY_ORDER: Validates ECC public key order default: on
* during import. Auto-enabled unless
* NO_ECC_CHECK_PUBKEY_ORDER is defined.
* NO_ECC_CHECK_PUBKEY_ORDER: Disables public key order check default: off
* during ECC key import. Not recommended.
* HAVE_ECC_MAKE_PUB: Enables computing public key from default: on
* private key via wc_ecc_make_pub.
* HAVE_ECC_VERIFY_HELPER: Enables ECC verify helper functions default: on
* Auto-enabled unless using hardware accelerators.
* WOLFSSL_PUBLIC_ECC_ADD_DBL: Makes ecc_projective_add_point default: off
* and ecc_projective_dbl_point public APIs.
* SQRTMOD_USE_MOD_EXP: Computes square root mod prime using default: off
* modular exponentiation instead of Jacobi method
* for compressed key decompression.
*
* ECIES options:
* WOLFSSL_ECIES_OLD: Uses original wolfSSL ECIES format default: off
* (public key not in shared secret material).
* WOLFSSL_ECIES_ISO18033: Uses ISO 18033 ECIES standard default: off
* (includes public key in shared secret).
* WOLFSSL_ECIES_GEN_IV: Generates random IV for ECIES default: off
* encryption instead of deriving from KDF.
*
* Fixed Point Cache options (requires FP_ECC):
* FP_ENTRIES: Number of FP cache entries default: 15
* FP_LUT: FP lookup table bit size (2-12). Larger default: 8
* values use more memory but faster verify.
* FP_ECC_CONTROL: Auto-selects cached FP ECC verify with default: on
* SP when WOLFSSL_HAVE_SP_ECC is available.
*
* SP Math ECC options:
* WOLFSSL_HAVE_SP_ECC: Enables SP math optimizations for ECC default: on
* Provides significant performance improvement.
* WOLFSSL_SP_NO_256: Disables SP P-256 support default: off
* WOLFSSL_SP_384: Enables SP P-384 support default: off
* WOLFSSL_SP_521: Enables SP P-521 support default: off
* WOLFSSL_SP_1024: Enables SP 1024-bit support for SAKKE default: off
* WOLFSSL_SP_SM2: Enables SP SM2 curve support default: off
* Auto-enabled with WOLFSSL_SM2.
*
* Hardware/Offload options:
* WOLFSSL_KCAPI_ECC: Offload ECC to Linux Kernel Crypto API default: off
* WC_ASYNC_ENABLE_ECC: Enables async ECC with crypto callbacks default: off
* Requires WOLFSSL_ASYNC_CRYPT.
* WC_ASYNC_ENABLE_ECC_KEYGEN: Enables async ECC key gen default: off
* PLUTON_CRYPTO_ECC: Uses ARM Pluton TEE for ECC operations default: off
* WOLFSSL_CAAM_BLACK_KEY_SM: Uses NXP CAAM secure memory for default: off
* encrypted black key storage.
*/
/*
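Review bot: The `default:` column does not say what it is a default of, and for hardening options that matters: `ECC_TIMING_RESISTANT` is listed as `default: on` while its own description says it is "Auto-enabled for FIPS and some embedded builds", which implies other builds have to define it. If `on` means the configure-script default rather than the state of an undefined macro, someone building from a hand-written settings file could read this as protection they do not have. The same question applies to `WC_RSA_BLINDING` and `HAVE_HASHDRBG` in the RSA and RNG blocks. A one-line legend at the top of each block would settle it, for example `* "default" is the ./configure default; user_settings.h builds must define the macro explicitly`, adjusted to whatever is actually true. The comment being extended starts above the hunk.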
+1 -1
@@ -5483,7 +5483,7 @@ const WOLFSSL_EVP_CIPHER *wolfSSL_EVP_get_cipherbyname(const char *name)
{EVP_ARIA_256_GCM, "aria-256-gcm"},
{EVP_ARIA_256_GCM, "id-aria256-GCM"},
#endif
#ifdef WOLFSSL_SM4_EBC
#ifdef WOLFSSL_SM4_ECB
{EVP_SM4_ECB, "sm4-ecb"},
#endif
#ifdef WOLFSSL_SM4_CBC
+15
@@ -20,6 +20,21 @@
*/
/*
* HMAC Build Options:
*
* NO_HMAC: Disable HMAC support entirely default: off
* HAVE_HKDF: Enable HKDF (RFC 5869) key derivation default: off
* WOLFSSL_HMAC_COPY_HASH: Copy hash state instead of re-init default: off
* for HMAC operations (performance)
* STM32_HMAC: STM32 hardware HMAC acceleration default: off
*
* Hardware Acceleration (HMAC-specific):
* WC_ASYNC_ENABLE_HMAC: Enable async HMAC operations default: off
* WOLFSSL_DEVCRYPTO_HMAC: /dev/crypto HMAC acceleration default: off
* WOLFSSL_KCAPI_HMAC: Linux kernel crypto API for HMAC default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#ifndef NO_HMAC
+11
@@ -19,6 +19,17 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*
* MD5 Build Options:
*
* NO_MD5: Disable MD5 support entirely default: off
* HAVE_MD5_CUST_API: Enable custom MD5 API default: off
* STM32_NOMD5: Disable STM32 hardware MD5 default: off
*
* Hardware Acceleration (MD5-specific):
* WC_ASYNC_ENABLE_MD5: Enable async MD5 operations default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#if !defined(NO_MD5)
+19
@@ -19,6 +19,25 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*
* PKCS#7 Build Options:
*
* Core:
* HAVE_PKCS7: Enable PKCS#7 support default: off
* NO_PKCS7_STREAM: Disable PKCS#7 streaming mode default: off
* NO_PKCS7_ENCRYPTED_DATA: Disable PKCS#7 EncryptedData type default: off
* NO_PKCS7_COMPRESSED_DATA: Disable PKCS#7 CompressedData type default: off
* WC_PKCS7_STREAM_DEBUG: Enable PKCS#7 stream debug output default: off
* WOLFSSL_PKCS7_MAX_DECOMPRESSION: Max decompression size default: off
*
* Callbacks:
* HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK: Custom RSA raw sign callback default: off
* HAVE_PKCS7_ECC_RAW_SIGN_CALLBACK: Custom ECC raw sign callback default: off
*
* Key Derivation:
* HAVE_X963_KDF: Enable ANSI X9.63 KDF default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#ifdef HAVE_PKCS7
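Review bot: `WOLFSSL_PKCS7_MAX_DECOMPRESSION` is documented as "Max decompression size" with `default: off`, which does not say what unit the value is in or what limit applies when the macro is undefined. For a bound on decompressed output that is the part a reader needs, because "off" can be read as "no limit". I would state the unit and the fallback in the entry, e.g. `* WOLFSSL_PKCS7_MAX_DECOMPRESSION: Upper bound on decompressed output, in <unit>; <limit used when undefined>`, filling both in from the code.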
+8
@@ -38,6 +38,14 @@ and Daniel J. Bernstein
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
/*
* Poly1305 Build Options:
*
* HAVE_POLY1305: Enable Poly1305 authenticator default: off
* POLY130564: Use 64-bit Poly1305 implementation default: auto
* USE_INTEL_POLY1305_SPEEDUP: Intel AVX/AVX2 Poly1305 accel default: off
*/
#ifdef HAVE_POLY1305
#include <wolfssl/wolfcrypt/poly1305.h>
#include <wolfssl/wolfcrypt/cpuid.h>
+74 -16
@@ -26,22 +26,80 @@ This library contains implementation for the random number generator.
*/
/* Possible defines:
* ENTROPY_NUM_UPDATE default: 18
* Number of updates to perform. A hash is created and memory accessed
* based on the hash values in each update of a sample.
* More updates will result in better entropy quality but longer sample
* times.
* ENTROPY_NUM_UPDATES_BITS default: 5
* Number of bits needed to represent ENTROPY_NUM_UPDATE.
* = upper(log2(ENTROPY_NUM_UPDATE))
* ENTROPY_NUM_WORDS_BITS default: 14
* State has 2^ENTROPY_NUMN_WORDS_BITS entries. Range: 8-30
* The value should be based on the cache sizes.
* Use a value that is at least as large as the L1 cache if possible.
* The higher the value, the more likely there will be cache misses and
* better the entropy quality.
* A larger value will use more static memory.
/*
* Random Number Generator Build Options:
*
* Core RNG:
* WC_NO_RNG: Disable RNG support entirely default: off
* HAVE_HASHDRBG: Enable Hash-based DRBG (SP 800-90A) default: on
* WC_RNG_BLOCKING: Make RNG operations blocking default: off
* WC_VERBOSE_RNG: Enable verbose RNG debug output default: off
* WC_RNG_SEED_CB: Use custom seed callback function default: off
* WC_RNG_BANK_SUPPORT: Enable RNG bank (pre-generated) default: off
* random data support
* WOLFSSL_RNG_USE_FULL_SEED: Use full-length seed for DRBG default: off
* WOLFSSL_GENSEED_FORTEST: Use deterministic seed for testing default: off
* WARNING: not for production use
* WOLFSSL_KEEP_RNG_SEED_FD_OPEN: Keep /dev/random fd open default: off
* between seed operations
*
* Custom RNG Sources:
* CUSTOM_RAND_GENERATE: Custom random word generator func default: off
* CUSTOM_RAND_GENERATE_BLOCK: Custom block random generator default: off
* CUSTOM_RAND_GENERATE_SEED: Custom seed generator function default: off
* CUSTOM_RAND_GENERATE_SEED_OS: Custom OS-level seed generator default: off
*
* Entropy Sources:
* HAVE_ENTROPY_MEMUSE: Enable memory-use based entropy default: off
* source for DRBG seeding
* ENTROPY_MEMUSE_FORCE_FAILURE: Force entropy failure (testing) default: off
* HAVE_GETRANDOM: Use Linux getrandom() syscall default: auto
* WOLFSSL_GETRANDOM: Use getrandom() for seed source default: auto
* FORCE_FAILURE_GETRANDOM: Force getrandom failure (testing) default: off
* NO_DEV_RANDOM: Don't use /dev/random for seeding default: off
* NO_DEV_URANDOM: Don't use /dev/urandom for seeding default: off
* HAVE_INTEL_RDRAND: Use Intel RDRAND instruction default: off
* HAVE_INTEL_RDSEED: Use Intel RDSEED instruction default: off
* HAVE_AMD_RDSEED: Use AMD RDSEED instruction default: off
* IDIRECT_DEV_RANDOM: iDirect custom /dev/random path default: off
* WIN_REUSE_CRYPT_HANDLE: Reuse Windows CryptContext handle default: off
*
* Entropy Tuning (for HAVE_ENTROPY_MEMUSE):
* ENTROPY_NUM_UPDATE: Number of updates per sample default: 18
* More updates = better entropy but slower
* ENTROPY_NUM_UPDATES_BITS: Bits to represent ENTROPY_NUM_UPDATE default: 5
* = upper(log2(ENTROPY_NUM_UPDATE))
* ENTROPY_NUM_WORDS_BITS: State size as 2^N entries default: 14
* Range: 8-30. Base on cache sizes.
* Larger = more cache misses = better entropy
* but more static memory usage.
*
* DRBG Health Tests:
* WC_RNG_SEED_APT_CUTOFF: Adaptive proportion test cutoff default: auto
* WC_RNG_SEED_APT_WINDOW: Adaptive proportion test window size default: auto
* WC_RNG_SEED_RCT_CUTOFF: Repetition count test cutoff default: auto
*
* Hardware RNG:
* STM32_RNG: STM32 hardware RNG default: off
* STM32_NUTTX_RNG: STM32 RNG via NuttX default: off
* WOLFSSL_STM32F427_RNG: STM32F427 hardware RNG default: off
* WOLFSSL_STM32_RNG_NOLIB: STM32 RNG without HAL library default: off
* WOLFSSL_PIC32MZ_RNG: PIC32MZ hardware RNG default: off
* FREESCALE_RNGA: Freescale RNGA default: off
* FREESCALE_K70_RNGA: Freescale K70 RNGA default: off
* FREESCALE_RNGB: Freescale RNGB default: off
* FREESCALE_KSDK_2_0_RNGA: Freescale KSDK 2.0 RNGA default: off
* FREESCALE_KSDK_2_0_TRNG: Freescale KSDK 2.0 TRNG default: off
* MAX3266X_RNG: MAX3266X hardware RNG default: off
* QAT_ENABLE_RNG: Intel QAT hardware RNG default: off
* WOLFSSL_ATECC_RNG: ATECC508/608 hardware RNG default: off
* WOLFSSL_SILABS_TRNG: Silicon Labs TRNG default: off
* WOLFSSL_SCE_NO_TRNG: Disable Renesas SCE TRNG default: off
* WOLFSSL_SCE_TRNG_HANDLE: Renesas SCE TRNG handle default: off
* WOLFSSL_SE050_NO_TRNG: Disable SE050 TRNG default: off
* WOLFSSL_PSA_NO_RNG: Disable PSA RNG default: off
* HAVE_IOTSAFE_HWRNG: IoT-Safe hardware RNG default: off
* WOLFSSL_XILINX_CRYPT_VERSAL: Xilinx Versal crypto RNG default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
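Review bot: The "Custom RNG Sources" entries (`CUSTOM_RAND_GENERATE`, `CUSTOM_RAND_GENERATE_BLOCK`, `CUSTOM_RAND_GENERATE_SEED`, `CUSTOM_RAND_GENERATE_SEED_OS`) do not say which of them feed the Hash-DRBG as a seed and which replace its output. That distinction decides whether the DRBG and the health tests listed further down still stand between the custom function and the caller, so it belongs in the comment. I would add a clause per entry such as `seed input to HAVE_HASHDRBG` or `replaces DRBG output; caller is responsible for output quality`, after confirming each against the code. The rewritten "Entropy Tuning" text also drops the earlier advice to make `ENTROPY_NUM_WORDS_BITS` at least as large as the L1 cache, which was the actionable part.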
+56 -23
@@ -66,29 +66,62 @@ RSA keys can be used to encrypt, decrypt, sign and verify data.
#endif
/*
Possible RSA enable options:
* NO_RSA: Overall control of RSA default: on
* (not defined)
* WC_RSA_BLINDING: Uses Blinding w/ Private Ops default: on
Note: slower by ~20%
* WOLFSSL_KEY_GEN: Allows Private Key Generation default: off
* RSA_LOW_MEM: NON CRT Private Operations, less memory default: off
* WC_NO_RSA_OAEP: Disables RSA OAEP padding default: on
* (not defined)
* WC_RSA_NONBLOCK: Enables support for RSA non-blocking default: off
* WC_RSA_NONBLOCK_TIME: Enables support for time based blocking default: off
* time calculation.
* WC_RSA_NO_FERMAT_CHECK:Don't check for small difference in default: off
* p and q (Fermat's factorization is (not defined)
* possible when small difference).
*/
/*
RSA Key Size Configuration:
* FP_MAX_BITS: With USE_FAST_MATH only default: 4096
If USE_FAST_MATH then use this to override default.
Value is key size * 2. Example: RSA 3072 = 6144
*/
* RSA Build Options:
*
* Core:
* NO_RSA: Disable RSA support entirely default: off
* WOLFSSL_RSA_PUBLIC_ONLY: Only include RSA public key operations default: off
* WOLFSSL_RSA_VERIFY_ONLY: Only include RSA verify operation default: off
* WOLFSSL_RSA_VERIFY_INLINE: RSA verify inline (no output copy) default: off
* WC_RSA_DIRECT: Enable direct RSA encrypt/decrypt API default: off
* WC_RSA_NO_PADDING: Enable no-padding RSA mode default: off
* WOLFSSL_RSA_KEY_CHECK: Enable RSA key pair consistency check default: off
* WOLFSSL_RSA_CHECK_D_ON_DECRYPT: Validate private exponent d default: off
* before each decrypt operation
* WOLFSSL_RSA_DECRYPT_TO_0_LEN: Allow RSA decrypt result of 0 default: off
* length (empty plaintext)
* NO_RSA_BOUNDS_CHECK: Disable RSA bounds checking on input default: off
* SHOW_GEN: Show key generation progress dots default: off
*
* Padding:
* WC_RSA_PSS: Enable RSA-PSS signature support default: off
* WC_NO_RSA_OAEP: Disable RSA OAEP padding default: off
* WOLFSSL_PSS_LONG_SALT: Allow PSS salt longer than hash length default: off
* WOLFSSL_PSS_SALT_LEN_DISCOVER: Auto-discover PSS salt length default: off
* during verification
*
* Performance:
* WC_RSA_BLINDING: Use blinding with private key ops default: on
* Note: ~20% slower, protects against
* timing side-channels
* RSA_LOW_MEM: Non-CRT private ops, less memory default: off
* WC_RSA_NONBLOCK: Non-blocking RSA operations default: off
* WC_RSA_NONBLOCK_TIME: Time-based non-blocking RSA default: off
* WOLFSSL_MP_INVMOD_CONSTANT_TIME: Constant-time modular inverse default: off
* WC_RSA_NO_FERMAT_CHECK: Skip Fermat factorization check on default: off
* key generation (p and q closeness)
*
* Key Generation:
* WOLFSSL_KEY_GEN: Enable RSA private key generation default: off
* FP_MAX_BITS: Max key bits with USE_FAST_MATH default: 4096
* Value is key size * 2 (e.g. RSA 3072 = 6144)
*
* SP Math:
* WOLFSSL_HAVE_SP_RSA: Use SP math for RSA operations default: off
* WOLFSSL_SP_MATH: Use SP math only (no multi-precision) default: off
* WOLFSSL_SP_MATH_ALL: SP math for all key sizes default: off
* WOLFSSL_SP_NO_2048: Disable SP RSA 2048-bit support default: off
* WOLFSSL_SP_NO_3072: Disable SP RSA 3072-bit support default: off
* WOLFSSL_SP_4096: Enable SP RSA 4096-bit support default: off
* WOLFSSL_SP_ASM: Use SP assembly optimizations default: off
*
* Hardware Acceleration (RSA-specific):
* WC_ASYNC_ENABLE_RSA: Enable async RSA operations default: off
* WOLFSSL_KCAPI_RSA: Linux kernel crypto API for RSA default: off
* WOLFSSL_AFALG_XILINX_RSA: AF_ALG Xilinx RSA acceleration default: off
* WOLFSSL_SE050_NO_RSA: Disable SE050 RSA default: off
* WOLFSSL_XILINX_CRYPT: Xilinx crypto RSA acceleration default: off
*/
#include <wolfssl/wolfcrypt/random.h>
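Review bot: The rewritten `WC_RSA_NO_FERMAT_CHECK` entry loses the reason the check exists. The earlier text in this comment explained that Fermat's factorization is possible when p and q differ by a small amount; the new entry ("Skip Fermat factorization check on key generation (p and q closeness)") sits under "Performance" and reads like a tuning knob. I would keep the rationale and move the entry to "Key Generation", e.g. `* WC_RSA_NO_FERMAT_CHECK: Skip the check that p and q are not close; close primes allow Fermat factorization`. `NO_RSA_BOUNDS_CHECK` and `WC_RSA_NO_PADDING` would benefit from the same kind of one-clause warning.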
+20
@@ -19,6 +19,26 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*
* SHA-1 Build Options:
*
* Core:
* NO_SHA: Disable SHA-1 support entirely default: off
* USE_SLOW_SHA: Disable SHA-1 loop unrolling default: off
* WC_HASH_DATA_ALIGNMENT: Required data alignment for hashing default: off
*
* Hardware Acceleration (SHA-1-specific):
* WC_ASYNC_ENABLE_SHA: Enable async SHA-1 operations default: off
* WOLFSSL_PIC32MZ_HASH: PIC32MZ hardware SHA default: off
* WOLFSSL_PSA_NO_HASH: Disable PSA hash default: off
* WOLFSSL_TI_HASH: TI hardware hash default: off
* WOLFSSL_RENESAS_RX64_HASH: Renesas RX64 hardware hash default: off
* FREESCALE_LTC_SHA: Freescale LTC SHA acceleration default: off
* FREESCALE_MMCAU_SHA: Freescale MMCAU SHA acceleration default: off
* STM32_HASH: STM32 hardware hash default: off
* PSOC6_HASH_SHA1: PSoC6 hardware SHA-1 default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#ifdef DEBUG_WOLFSSL_VERBOSE
+19
@@ -19,6 +19,25 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*
* SHA-3 Build Options:
*
* Core:
* WOLFSSL_SHA3: Enable SHA-3 support default: off
* WOLFSSL_SHA3_SMALL: Use smaller SHA-3 implementation default: off
* WOLFSSL_SHAKE128: Enable SHAKE128 XOF default: off
* WOLFSSL_SHAKE256: Enable SHAKE256 XOF default: off
* SHA3_BY_SPEC: Use specification Keccak-f order default: off
* WC_SHA3_NO_ASM: Disable SHA-3 assembly optimizations default: off
* WC_SHA3_FAULT_HARDEN: Harden SHA-3 against fault attacks default: off
*
* Hardware Acceleration (SHA-3-specific):
* WC_ASYNC_ENABLE_SHA3: Enable async SHA-3 operations default: off
* WOLFSSL_ARMASM_CRYPTO_SHA3: ARM crypto SHA-3 instructions default: off
* STM32_HASH_SHA3: STM32 hardware SHA-3 default: off
* PSOC6_HASH_SHA3: PSoC6 hardware SHA-3 default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#ifdef WC_SHA3_NO_ASM
+35
@@ -19,6 +19,41 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*
* SHA-512/384 Build Options:
*
* Core:
* WOLFSSL_SHA512: Enable SHA-512 support default: off
* WOLFSSL_SHA384: Enable SHA-384 support default: off
* WOLFSSL_NOSHA512_224: Disable SHA-512/224 variant default: off
* WOLFSSL_NOSHA512_256: Disable SHA-512/256 variant default: off
*
* Performance:
* USE_SLOW_SHA512: Disable SHA-512 loop unrolling default: off
* USE_SLOW_SHA2: Disable SHA-2 loop unrolling default: off
* WOLFSSL_HASH_FLAGS: Enable hash flags for state tracking default: off
* WOLFSSL_HASH_KEEP: Keep hash input data for reuse default: off
* WOLFSSL_SMALL_STACK_CACHE: Cache hash state on small stack default: off
* WC_NO_INTERNAL_FUNCTION_POINTERS: Disable internal func ptrs default: off
*
* Hardware Acceleration (SHA-512-specific):
* WC_ASYNC_ENABLE_SHA512: Enable async SHA-512 operations default: off
* WC_ASYNC_ENABLE_SHA384: Enable async SHA-384 operations default: off
* WOLFSSL_KCAPI_HASH: Linux kernel crypto API for hashing default: off
* WOLFSSL_SE050_HASH: SE050 hardware hashing default: off
* WOLFSSL_SILABS_SHA384: Silicon Labs SHA-384 acceleration default: off
* WOLFSSL_SILABS_SHA512: Silicon Labs SHA-512 acceleration default: off
* NO_IMX6_CAAM_HASH: Disable i.MX6 CAAM hash default: off
* NO_WOLFSSL_ESP32_CRYPT_HASH: Disable ESP32 hash acceleration default: off
* WOLFSSL_ARMASM_CRYPTO_SHA512: ARM crypto SHA-512 instructions default: off
* STM32_HASH_SHA384: STM32 hardware SHA-384 default: off
* STM32_HASH_SHA512: STM32 hardware SHA-512 default: off
* WOLFSSL_SHA512_HASHTYPE: SHA-512 hash type for hw dispatch default: off
* MAX3266X_SHA: MAX3266X hardware SHA default: off
* PSOC6_HASH_SHA2: PSoC6 hardware SHA-2 default: off
* WOLFSSL_RENESAS_RSIP: Renesas RSIP SHA acceleration default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#if (defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)) && \
+71
@@ -19,6 +19,77 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/*
wolfCrypt Porting Build Options:
Threading/Mutex options:
* SINGLE_THREADED: No-op mutex/threading implementations default: off
* WOLFSSL_PTHREADS: Use pthread-based mutex/threading default: off
* (auto-detected on most POSIX systems)
* WOLFSSL_MUTEX_INITIALIZER: Use static mutex initialization default: off
* WC_MUTEX_OPS_INLINE: Use inlined mutex operations default: off
* WOLFSSL_USER_MUTEX: User-provided mutex implementation default: off
* WOLFSSL_COND: Enable condition variable support default: off
* WOLFSSL_USE_RWLOCK: Enable reader-writer lock support default: off
* WOLFSSL_THREAD_NO_JOIN: Create threads without join default: off
* WOLFSSL_ALGO_HW_MUTEX: Per-algorithm hardware mutex locks default: off
* Controls AES, hash, PK, and RNG mutexes.
* WOLFSSL_CRYPT_HW_MUTEX: Cryptography hardware mutex default: off
* Master control for all HW mutex init.
* NO_AES_MUTEX: Disable AES hardware mutex default: off
* NO_HASH_MUTEX: Disable hash hardware mutex default: off
* NO_PK_MUTEX: Disable public-key hardware mutex default: off
* NO_RNG_MUTEX: Disable RNG hardware mutex default: off
*
* Memory options:
* USE_WOLFSSL_MEMORY: Enable custom memory allocation hooks default: on
* WOLFSSL_STATIC_MEMORY: Use static memory pools instead of default: off
* dynamic allocation.
* WOLFSSL_TRACK_MEMORY: Enable memory allocation tracking default: off
* WOLFSSL_TRACK_MEMORY_VERBOSE: Verbose memory tracking output default: off
* WOLFSSL_FORCE_MALLOC_FAIL_TEST: Force malloc failures for default: off
* testing error handling paths.
* WOLFSSL_MEM_FAIL_COUNT: Count malloc failures for testing default: off
* WOLFSSL_CHECK_MEM_ZERO: Verify sensitive memory is zeroed default: off
* on free. Debug tool for key material.
*
* Filesystem options:
* NO_FILESYSTEM: Disable all filesystem operations default: off
* NO_WOLFSSL_DIR: Disable directory listing/iteration default: off
*
* Time options:
* WOLFSSL_GMTIME: Provide custom gmtime implementation default: off
* HAVE_TIME_T_TYPE: Platform provides time_t default: auto
* TIME_OVERRIDES: Application provides custom time funcs default: off
* USER_TICKS: Application provides tick counter default: off
* USE_WOLF_TM: Use wolfSSL struct tm definition default: off
*
* String function options:
* STRING_USER: User provides all string functions default: off
* USE_WOLF_STRTOK: Use wolfSSL strtok implementation default: off
* USE_WOLF_STRSEP: Use wolfSSL strsep implementation default: off
* USE_WOLF_STRLCPY: Use wolfSSL strlcpy implementation default: off
* USE_WOLF_STRLCAT: Use wolfSSL strlcat implementation default: off
* USE_WOLF_STRCASECMP: Use wolfSSL strcasecmp implementation default: off
* USE_WOLF_STRNCASECMP:Use wolfSSL strncasecmp implementation default: off
* USE_WOLF_STRDUP: Use wolfSSL strdup implementation default: off
*
* Atomic operation options:
* WOLFSSL_ATOMIC_OPS: Enable atomic operations for thread default: off
* safety without full mutexes.
* WOLFSSL_USER_DEFINED_ATOMICS: User-provided atomic impl default: off
* WOLFSSL_HAVE_ATOMIC_H: Has C11 atomic.h header default: off
*
* General options:
* WOLFCRYPT_ONLY: Exclude TLS/SSL, wolfCrypt only build default: off
* WOLFSSL_LEANPSK: Lean PSK build, minimal features default: off
* WOLF_C89: C89 compatibility mode default: off
* WOLFSSL_SMALL_STACK: Reduce stack usage by allocating from default: off
* heap instead. Slower but needed for
* constrained environments.
* DEBUG_WOLFSSL_VERBOSE: Enable verbose debug logging default: off
*/
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
#ifdef __APPLE__
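Review bot: The threading entries list `SINGLE_THREADED` and the `NO_AES_MUTEX` / `NO_HASH_MUTEX` / `NO_PK_MUTEX` / `NO_RNG_MUTEX` switches without stating when it is safe to remove the locks. Going by the descriptions here, they turn locking into no-ops or drop the per-algorithm hardware locks, so a build that sets them while still calling the library from several threads would race on shared state. The comment should say so, e.g. `SINGLE_THREADED: No-op mutex/threading implementations; only valid when the library is used from a single thread`. In the same block, `WOLFSSL_HAVE_ATOMIC_H` is described as "C11 atomic.h header", but the C11 atomics header is `<stdatomic.h>`. The test-only switches (`WOLFSSL_FORCE_MALLOC_FAIL_TEST`, `WOLFSSL_MEM_FAIL_COUNT`) could also be marked as not for production builds, much as `WOLFSSL_CHECK_MEM_ZERO` is already labelled a debug tool.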
@@ -91,7 +91,7 @@ typedef struct FSPSM_RSA_CTX {
} FSPSM_RSA_CTX;
#if (!defined(NO_SHA) || !defined(NO_SHA256) || defined(WOLFSSL_SH224) || \
#if (!defined(NO_SHA) || !defined(NO_SHA256) || defined(WOLFSSL_SHA224) || \
defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512)) && \
!defined(NO_WOLFSSL_RENESAS_FSPSM_HASH)