From 737fa536361a114d30f0fef4a0d9837e3f4c58f6 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 12 Mar 2024 12:00:01 -0700 Subject: [PATCH 1/5] Improve Zephyr support. Cleanup user_settings.h mess. Add FIPS support. --- zephyr/CMakeLists.txt | 64 +-- zephyr/Kconfig | 8 +- zephyr/include.am | 2 - zephyr/nrf5340dk_nrf5340_user_settings.h | 133 ----- .../boards/nrf5340dk_nrf5340_cpuapp.conf | 2 +- .../boards/nrf5340dk_nrf5340_cpuapp_ns.conf | 2 +- .../boards/nrf5340dk_nrf5340_cpuapp.conf | 2 +- .../boards/nrf5340dk_nrf5340_cpuapp_ns.conf | 2 +- .../samples/wolfssl_tls_sock/src/tls_sock.c | 17 + .../boards/nrf5340dk_nrf5340_cpuapp.conf | 2 +- .../boards/nrf5340dk_nrf5340_cpuapp_ns.conf | 2 +- zephyr/samples/wolfssl_tls_thread/prj.conf | 2 +- .../wolfssl_tls_thread/src/tls_threaded.c | 17 + zephyr/user_settings-tls-generic.h | 153 ------ zephyr/user_settings.h | 460 ++++++++++++++---- zephyr/wolfssl/options.h | 1 + 16 files changed, 445 insertions(+), 424 deletions(-) delete mode 100644 zephyr/nrf5340dk_nrf5340_user_settings.h delete mode 100644 zephyr/user_settings-tls-generic.h diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt index ec6dcba2c..b1c2b0159 100644 --- a/zephyr/CMakeLists.txt +++ b/zephyr/CMakeLists.txt @@ -1,20 +1,22 @@ if(CONFIG_WOLFSSL) zephyr_interface_library_named(wolfSSL) - + if(CONFIG_WOLFSSL_BUILTIN) - target_compile_definitions(wolfSSL INTERFACE - WOLFSSL_SETTINGS_FILE="${CONFIG_WOLFSSL_SETTINGS_FILE}" - ) - + if(CONFIG_WOLFSSL_SETTINGS_FILE) + target_compile_definitions(wolfSSL INTERFACE + WOLFSSL_SETTINGS_FILE="${CONFIG_WOLFSSL_SETTINGS_FILE}" + ) + endif() + zephyr_include_directories( ${ZEPHYR_CURRENT_MODULE_DIR} ${ZEPHYR_CURRENT_MODULE_DIR}/wolfssl ${ZEPHYR_CURRENT_MODULE_DIR}/zephyr ) - + zephyr_library() zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/zephyr/zephyr_init.c) - + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/crl.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/dtls13.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/internal.c) @@ -25,8 +27,29 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/tls.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/tls13.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/wolfio.c) - + + # FIPS Boundary + if(CONFIG_WOLFCRYPT_FIPS) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wolfcrypt_first.c) + endif() + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/hmac.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/random.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/kdf.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/rsa.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ecc.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/aes.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha256.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha512.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha3.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/dh.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/cmac.c) + if(CONFIG_WOLFCRYPT_FIPS) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fips.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fips_test.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wolfcrypt_last.c) + endif() + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/arc4.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/asm.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/asn.c) @@ -36,7 +59,6 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/camellia.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/chacha.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/chacha20_poly1305.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/cmac.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/coding.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/compress.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/cpuid.c) @@ -44,10 +66,8 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/curve25519.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/curve448.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/des3.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/dh.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/dilithium.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/dsa.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ecc.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ecc_fp.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/eccsi.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ed25519.c) @@ -58,15 +78,11 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fe_448.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fe_low_mem.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fe_operations.c) - #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fips.c) - #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/fips_test.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ge_448.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ge_low_mem.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ge_operations.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/hash.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/hmac.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/integer.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/kdf.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/logging.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/md2.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/md4.c) @@ -77,15 +93,9 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/pkcs7.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/poly1305.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/pwdbased.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/random.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ripemd.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/rsa.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sakke.c) #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/selftest.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha256.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha3.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha512.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/signature.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/siphash.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sp_arm32.c) @@ -104,8 +114,6 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wc_encrypt.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wc_pkcs11.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wc_port.c) - #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wolfcrypt_first.c) - #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wolfcrypt_last.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wolfevent.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wolfmath.c) @@ -115,7 +123,7 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/psa/psa_hash.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/psa/psa_pkcbs.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/st/stm32.c) - + zephyr_library_link_libraries(wolfSSL) target_compile_definitions(wolfSSL INTERFACE WOLFSSL_ZEPHYR) @@ -125,14 +133,14 @@ if(CONFIG_WOLFSSL) endif() else() assert(CONFIG_WOLFSSL_LIBRARY "wolfSSL was enabled, but neither BUILTIN or LIBRARY was selected.") - + # NB: CONFIG_WOLFSSL_LIBRARY is not regression tested and is # therefore susceptible to bit rot - + target_include_directories(wolfSSL INTERFACE ${CONFIG_WOLFSSL_INSTALL_PATH} ) - + zephyr_link_libraries( wolfssl_external -L${CONFIG_WOLFSSL_INSTALL_PATH} @@ -142,7 +150,7 @@ if(CONFIG_WOLFSSL) # wolfssl to link with gcc we need to ensure it is placed # after wolfssl_external on the linkers command line. endif() - + target_link_libraries(wolfSSL INTERFACE zephyr_interface) endif() diff --git a/zephyr/Kconfig b/zephyr/Kconfig index 6d58cc02e..75b20ad47 100644 --- a/zephyr/Kconfig +++ b/zephyr/Kconfig @@ -53,7 +53,6 @@ endchoice config WOLFSSL_SETTINGS_FILE string "wolfSSL settings file" depends on WOLFSSL_BUILTIN - default "user_settings-tls-generic.h" help Use a specific wolfSSL settings file. The default config file file can be tweaked with Kconfig. The default settings is @@ -64,6 +63,13 @@ config WOLFSSL_SETTINGS_FILE rsource "Kconfig.tls-generic" +config WOLFCRYPT_FIPS + bool "wolfCrypt FIPS support" + depends on WOLFSSL_BUILTIN + help + Enables FIPS support in wolfCrypt. Requires the wolfSSL FIPS ready + download that includes fips.c/fips_test.c. + config WOLFSSL_DEBUG bool "wolfSSL debug activation" depends on WOLFSSL_BUILTIN diff --git a/zephyr/include.am b/zephyr/include.am index 83b69368d..ef67bcc10 100644 --- a/zephyr/include.am +++ b/zephyr/include.am @@ -8,9 +8,7 @@ EXTRA_DIST+= zephyr/Kconfig.tls-generic EXTRA_DIST+= zephyr/zephyr_init.c EXTRA_DIST+= zephyr/module.yml EXTRA_DIST+= zephyr/wolfssl/options.h -EXTRA_DIST+= zephyr/nrf5340dk_nrf5340_user_settings.h EXTRA_DIST+= zephyr/user_settings.h -EXTRA_DIST+= zephyr/user_settings-tls-generic.h EXTRA_DIST+= zephyr/README.md EXTRA_DIST+= zephyr/samples/wolfssl_benchmark/ EXTRA_DIST+= zephyr/samples/wolfssl_benchmark/CMakeLists.txt diff --git a/zephyr/nrf5340dk_nrf5340_user_settings.h b/zephyr/nrf5340dk_nrf5340_user_settings.h deleted file mode 100644 index a10b54bd2..000000000 --- a/zephyr/nrf5340dk_nrf5340_user_settings.h +++ /dev/null @@ -1,133 +0,0 @@ -/* nrf5340dk_nrf5340_user_settings.h - * - * Copyright (C) 2006-2023 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -#ifndef WOLFSSL_OPTIONS_H -#define WOLFSSL_OPTIONS_H - - -#ifdef __cplusplus -extern "C" { -#endif - -/* Platform */ -#undef WOLFSSL_ZEPHYR -#define WOLFSSL_ZEPHYR - -#define WOLFSSL_GENERAL_ALIGNMENT 4 -#define SIZEOF_LONG_LONG 8 - -/* Enable PSA Crypto API for CryptoCell 312 crypto use */ -#define WOLFSSL_HAVE_PSA -#define WOLFSSL_PSA_GLOBAL_LOCK - -/* Enable SP Math */ -#define WOLFSSL_SP_MATH -#define WOLFSSL_SP_MATH_ALL -#define WOLFSSL_HAVE_SP_RSA -#define WOLFSSL_HAVE_SP_DH -#define WOLFSSL_HAVE_SP_ECC - -/* Enable SP Math assembly support for ARM32 */ -#define SP_WORD_SIZE 32 -#define WOLFSSL_SP_ASM -#define WOLFSSL_SP_ARM32 -#define WOLFSSL_SP_ARM32_ASM - -/* Crypto */ -#define WC_RSA_BLINDING -#define WC_RSA_PSS -#define WOLFSSL_DH_CONST -#define HAVE_FFDHE_2048 - -#define HAVE_ECC -#define ECC_USER_CURVES -/* #define HAVE_ECC192 */ -/* #define HAVE_ECC224 */ -#undef NO_ECC256 -/* #define HAVE_ECC384 */ -/* #define HAVE_ECC521 */ -#define ECC_SHAMIR -#define ECC_TIMING_RESISTANT - -#define WOLFSSL_AES_DIRECT -#define HAVE_AES_ECB -#define HAVE_AES_CBC -#define HAVE_AESCCM -#define HAVE_AESGCM -#define GCM_TABLE_4BIT - -/* AES-CTR is not working correctly with Nordic PSA Crypto API */ -/* #define WOLFSSL_AES_COUNTER */ - -#define HAVE_CHACHA -#define HAVE_POLY1305 -#define HAVE_ONE_TIME_AUTH - -/* Nordic Security PSA Crypto CryptoCell integration does not support SHA-1 */ -#define NO_SHA -#define WOLFSSL_SHA224 -#define WOLFSSL_SHA384 -#define WOLFSSL_SHA512 -#define WOLFSSL_SHA3 - -#define HAVE_HKDF -#define WOLFSSL_CMAC - -/* Benchmark / Test */ -#define BENCH_EMBEDDED -#define USE_CERT_BUFFERS_256 -#define USE_CERT_BUFFERS_2048 -#define NO_FILESYSTEM - -/* RNG */ -#define HAVE_HASHDRBG - -/* Features */ -#define WOLFSSL_TLS13 -#define WOLFSSL_OLD_PRIME_CHECK -#define HAVE_TLS_EXTENSIONS -#define HAVE_SUPPORTED_CURVES -#define HAVE_EXTENDED_MASTER -#define WOLFSSL_BASE64_ENCODE -#define WC_NO_ASYNC_THREADING - -/* Disable features that require SHA-1 (see note above) */ -#define NO_OLD_TLS -#define NO_DSA - -/* Disable other features (re-enable if needed) */ -#define NO_RC4 -#define NO_PSK -#define NO_MD4 -#define NO_PWDBASED -#define NO_DES3 - -#if defined(CONFIG_WOLFSSL_DEBUG) -#undef DEBUG_WOLFSSL -#define DEBUG_WOLFSSL -#endif - -#ifdef __cplusplus -} -#endif - -#endif /* WOLFSSL_OPTIONS_H */ - diff --git a/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp.conf b/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp.conf index b651b7b88..98d8bc496 100644 --- a/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp.conf +++ b/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp.conf @@ -1,5 +1,5 @@ # Set user_settings.h file to be used for native wolfSSL build settings -CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" +#CONFIG_WOLFSSL_SETTINGS_FILE="user_settings_custom.h" ##### PSA and CC3XX ##### # Enable Nordic Security Module diff --git a/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp_ns.conf index a0e205215..aa3bbe18a 100644 --- a/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp_ns.conf +++ b/zephyr/samples/wolfssl_benchmark/boards/nrf5340dk_nrf5340_cpuapp_ns.conf @@ -2,7 +2,7 @@ CONFIG_BUILD_WITH_TFM=y CONFIG_TFM_PROFILE_TYPE_NOT_SET=y # Set user_settings.h file to be used for native wolfSSL build settings -CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" +#CONFIG_WOLFSSL_SETTINGS_FILE="user_settings_custom.h" ##### PSA and CC3XX ##### # Enable Nordic Security Module diff --git a/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp.conf b/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp.conf index b651b7b88..98d8bc496 100644 --- a/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp.conf +++ b/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp.conf @@ -1,5 +1,5 @@ # Set user_settings.h file to be used for native wolfSSL build settings -CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" +#CONFIG_WOLFSSL_SETTINGS_FILE="user_settings_custom.h" ##### PSA and CC3XX ##### # Enable Nordic Security Module diff --git a/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp_ns.conf index a0e205215..aa3bbe18a 100644 --- a/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp_ns.conf +++ b/zephyr/samples/wolfssl_test/boards/nrf5340dk_nrf5340_cpuapp_ns.conf @@ -2,7 +2,7 @@ CONFIG_BUILD_WITH_TFM=y CONFIG_TFM_PROFILE_TYPE_NOT_SET=y # Set user_settings.h file to be used for native wolfSSL build settings -CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" +#CONFIG_WOLFSSL_SETTINGS_FILE="user_settings_custom.h" ##### PSA and CC3XX ##### # Enable Nordic Security Module diff --git a/zephyr/samples/wolfssl_tls_sock/src/tls_sock.c b/zephyr/samples/wolfssl_tls_sock/src/tls_sock.c index 7be365321..b93055443 100644 --- a/zephyr/samples/wolfssl_tls_sock/src/tls_sock.c +++ b/zephyr/samples/wolfssl_tls_sock/src/tls_sock.c @@ -62,6 +62,20 @@ static const char msgHTTPIndex[] = "\n" "\n"; +#ifdef HAVE_FIPS +static void myFipsCb(int ok, int err, const char* hash) +{ + printf("in my Fips callback, ok = %d, err = %d\n", ok, err); + printf("message = %s\n", wc_GetErrorString(err)); + printf("hash = %s\n", hash); + + if (err == IN_CORE_FIPS_E) { + printf("In core integrity hash check failure, copy above hash\n"); + printf("into verifyCore[] in fips_test.c and rebuild\n"); + } +} +#endif + /* DO NOT use this in production. You should implement a way * to get the current date. */ static int verifyIgnoreDateError(int preverify, WOLFSSL_X509_STORE_CTX* store) @@ -485,6 +499,9 @@ int main() { THREAD_TYPE serverThread; +#ifdef HAVE_FIPS + wolfCrypt_SetCb_fips(myFipsCb); +#endif wolfSSL_Init(); #ifdef DEBUG_WOLFSSL wolfSSL_Debugging_ON(); diff --git a/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp.conf b/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp.conf index b651b7b88..98d8bc496 100644 --- a/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp.conf +++ b/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp.conf @@ -1,5 +1,5 @@ # Set user_settings.h file to be used for native wolfSSL build settings -CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" +#CONFIG_WOLFSSL_SETTINGS_FILE="user_settings_custom.h" ##### PSA and CC3XX ##### # Enable Nordic Security Module diff --git a/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp_ns.conf index a0e205215..aa3bbe18a 100644 --- a/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp_ns.conf +++ b/zephyr/samples/wolfssl_tls_thread/boards/nrf5340dk_nrf5340_cpuapp_ns.conf @@ -2,7 +2,7 @@ CONFIG_BUILD_WITH_TFM=y CONFIG_TFM_PROFILE_TYPE_NOT_SET=y # Set user_settings.h file to be used for native wolfSSL build settings -CONFIG_WOLFSSL_SETTINGS_FILE="nrf5340dk_nrf5340_user_settings.h" +#CONFIG_WOLFSSL_SETTINGS_FILE="user_settings_custom.h" ##### PSA and CC3XX ##### # Enable Nordic Security Module diff --git a/zephyr/samples/wolfssl_tls_thread/prj.conf b/zephyr/samples/wolfssl_tls_thread/prj.conf index 4a1e290a6..fc0e01595 100644 --- a/zephyr/samples/wolfssl_tls_thread/prj.conf +++ b/zephyr/samples/wolfssl_tls_thread/prj.conf @@ -35,7 +35,7 @@ CONFIG_LOG_MODE_IMMEDIATE=y CONFIG_WOLFSSL=y CONFIG_WOLFSSL_BUILTIN=y -CONFIG_WOLFSSL_TLS_VERSION_1_2=y +CONFIG_WOLFSSL_TLS_VERSION_1_3=y CONFIG_WOLFSSL_KEY_EXCHANGE_ALL_ENABLED=y CONFIG_WOLFSSL_CIPHER_ALL_ENABLED=y CONFIG_WOLFSSL_MAC_ALL_ENABLED=y diff --git a/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c b/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c index 490e3362e..cd7aad901 100644 --- a/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c +++ b/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c @@ -89,6 +89,20 @@ static const char msgHTTPIndex[] = "\n" "\n"; +#ifdef HAVE_FIPS +static void myFipsCb(int ok, int err, const char* hash) +{ + printf("in my Fips callback, ok = %d, err = %d\n", ok, err); + printf("message = %s\n", wc_GetErrorString(err)); + printf("hash = %s\n", hash); + + if (err == IN_CORE_FIPS_E) { + printf("In core integrity hash check failure, copy above hash\n"); + printf("into verifyCore[] in fips_test.c and rebuild\n"); + } +} +#endif + /* wolfSSL client wants to read data from the server. */ static int recv_client(WOLFSSL* ssl, char* buff, int sz, void* ctx) { @@ -575,6 +589,9 @@ int main() utctime.tv_nsec = 0; clock_settime(CLOCK_REALTIME, &utctime); +#ifdef HAVE_FIPS + wolfCrypt_SetCb_fips(myFipsCb); +#endif wolfSSL_Init(); #ifdef DEBUG_WOLFSSL wolfSSL_Debugging_ON(); diff --git a/zephyr/user_settings-tls-generic.h b/zephyr/user_settings-tls-generic.h deleted file mode 100644 index 32a28bbc2..000000000 --- a/zephyr/user_settings-tls-generic.h +++ /dev/null @@ -1,153 +0,0 @@ -/* user_settings-tls-generic.h - * generated from configure options - * - * Copyright (C) 2006-2023 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -#ifndef WOLFSSL_OPTIONS_H -#define WOLFSSL_OPTIONS_H - - -#ifdef __cplusplus -extern "C" { -#endif - -#if 0 -#undef SINGLE_THREADED -#define SINGLE_THREADED -#endif - -#undef TFM_TIMING_RESISTANT -#define TFM_TIMING_RESISTANT - -#undef ECC_TIMING_RESISTANT -#define ECC_TIMING_RESISTANT - -#undef WC_RSA_BLINDING -#define WC_RSA_BLINDING - -#undef HAVE_AESGCM -#define HAVE_AESGCM - -#undef WOLFSSL_SHA512 -#define WOLFSSL_SHA512 - -#undef WOLFSSL_SHA384 -#define WOLFSSL_SHA384 - -#undef NO_DSA -#define NO_DSA - -#undef HAVE_ECC -#define HAVE_ECC - -#undef TFM_ECC256 -#define TFM_ECC256 - -#undef WOLFSSL_BASE64_ENCODE -#define WOLFSSL_BASE64_ENCODE - -#undef NO_RC4 -#define NO_RC4 - -#undef WOLFSSL_SHA224 -#define WOLFSSL_SHA224 - -#undef WOLFSSL_SHA3 -#define WOLFSSL_SHA3 - -#undef HAVE_POLY1305 -#define HAVE_POLY1305 - -#undef HAVE_ONE_TIME_AUTH -#define HAVE_ONE_TIME_AUTH - -#undef HAVE_CHACHA -#define HAVE_CHACHA - -#undef HAVE_HASHDRBG -#define HAVE_HASHDRBG - -#undef NO_FILESYSTEM -#define NO_FILESYSTEM - -#undef HAVE_TLS_EXTENSIONS -#define HAVE_TLS_EXTENSIONS - -#undef HAVE_SUPPORTED_CURVES -#define HAVE_SUPPORTED_CURVES - -#undef HAVE_EXTENDED_MASTER -#define HAVE_EXTENDED_MASTER - -#undef NO_PSK -#define NO_PSK - -#undef NO_MD4 -#define NO_MD4 - -#undef NO_PWDBASED -#define NO_PWDBASED - -#undef USE_FAST_MATH -#define USE_FAST_MATH - -#undef WOLFSSL_NO_ASM -#define WOLFSSL_NO_ASM - -#undef WOLFSSL_X86_BUILD -#define WOLFSSL_X86_BUILD - -#undef WC_NO_ASYNC_THREADING -#define WC_NO_ASYNC_THREADING - -#undef NO_DES3 -#define NO_DES3 - -#undef WOLFSSL_STATIC_MEMORY -#define WOLFSSL_STATIC_MEMORY - -#undef WOLFSSL_TLS13 -#define WOLFSSL_TLS13 - -#undef HAVE_HKDF -#define HAVE_HKDF - -#undef WC_RSA_PSS -#define WC_RSA_PSS - -#undef HAVE_FFDHE_2048 -#define HAVE_FFDHE_2048 - -#if 0 -#undef WOLFSSL_HAVE_SP_RSA -#define WOLFSSL_HAVE_SP_RSA -#undef WOLFSSL_HAVE_SP_DH -#define WOLFSSL_HAVE_SP_DH -#undef WOLFSSL_HAVE_SP_ECC -#define WOLFSSL_HAVE_SP_ECC -#endif - -#ifdef __cplusplus -} -#endif - - -#endif /* WOLFSSL_OPTIONS_H */ - diff --git a/zephyr/user_settings.h b/zephyr/user_settings.h index ba0ba9b2e..de3073d04 100644 --- a/zephyr/user_settings.h +++ b/zephyr/user_settings.h @@ -1,6 +1,6 @@ /* user_settings.h * - * Copyright (C) 2006-2023 wolfSSL Inc. + * Copyright (C) 2006-2024 wolfSSL Inc. * * This file is part of wolfSSL. * @@ -23,119 +23,379 @@ #define USER_SETTINGS_H #ifdef CONFIG_WOLFSSL -#ifdef CONFIG_WOLFSSL_SETTINGS_FILE - -#include CONFIG_WOLFSSL_SETTINGS_FILE +/* If a custom user_settings file is provided use it instead */ +#ifdef WOLFSSL_SETTINGS_FILE +#include WOLFSSL_SETTINGS_FILE #else #ifdef __cplusplus extern "C" { #endif -#if 0 -#undef SINGLE_THREADED -#define SINGLE_THREADED -#endif -#undef TFM_TIMING_RESISTANT -#define TFM_TIMING_RESISTANT +/* ------------------------------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------------------------------- */ +#define WOLFSSL_GENERAL_ALIGNMENT 4 /* platform requires 32-bit alignment on uint32_t */ +#define SIZEOF_LONG_LONG 8 /* long long is 8 bytes / 64-bit */ +//#define WOLFSSL_NO_ASM /* optionally disable inline assembly support */ +#define WOLFSSL_IGNORE_FILE_WARN /* ignore file includes not required */ +//#define WOLFSSL_SMALL_STACK /* option to reduce stack size, offload to heap */ +#define BENCH_EMBEDDED /* use smaller buffers in benchmark / tests */ -#undef ECC_TIMING_RESISTANT -#define ECC_TIMING_RESISTANT +/* Network stack */ +/* Default is POSIX sockets */ +//#define WOLFSSL_USER_IO /* Use the SetIO callbacks, not the internal wolfio.c socket code */ +//#define WOLFSSL_LWIP +//#define WOLFSSL_LWIP_NATIVE +//#define FREERTOS_TCP -#undef WC_RSA_BLINDING -#define WC_RSA_BLINDING - -#undef HAVE_AESGCM -#define HAVE_AESGCM - -#undef WOLFSSL_SHA512 -#define WOLFSSL_SHA512 - -#undef WOLFSSL_SHA384 -#define WOLFSSL_SHA384 - -#undef NO_DSA -#define NO_DSA - -#undef HAVE_ECC -#define HAVE_ECC - -#undef TFM_ECC256 -#define TFM_ECC256 - -#undef WOLFSSL_BASE64_ENCODE -#define WOLFSSL_BASE64_ENCODE - -#undef NO_RC4 -#define NO_RC4 - -#undef WOLFSSL_SHA224 -#define WOLFSSL_SHA224 - -#undef WOLFSSL_SHA3 -#define WOLFSSL_SHA3 - -#undef HAVE_POLY1305 -#define HAVE_POLY1305 - -#undef HAVE_ONE_TIME_AUTH -#define HAVE_ONE_TIME_AUTH - -#undef HAVE_CHACHA -#define HAVE_CHACHA - -#undef HAVE_HASHDRBG -#define HAVE_HASHDRBG - -#undef NO_FILESYSTEM +/* RTOS */ +/* Default is POSIX mutex and pthreads*/ +//#define SINGLE_THREADED +//#define FREERTOS #define NO_FILESYSTEM +#define NO_WRITEV -#undef HAVE_TLS_EXTENSIONS -#define HAVE_TLS_EXTENSIONS - -#undef HAVE_SUPPORTED_CURVES -#define HAVE_SUPPORTED_CURVES - -#undef HAVE_EXTENDED_MASTER -#define HAVE_EXTENDED_MASTER - -#undef NO_PSK -#define NO_PSK - -#undef NO_MD4 -#define NO_MD4 - -#undef NO_PWDBASED -#define NO_PWDBASED - -#undef USE_FAST_MATH -#define USE_FAST_MATH - -#undef WOLFSSL_NO_ASM -#define WOLFSSL_NO_ASM - -#undef WOLFSSL_X86_BUILD -#define WOLFSSL_X86_BUILD - -#undef WC_NO_ASYNC_THREADING -#define WC_NO_ASYNC_THREADING - -#undef NO_DES3 -#define NO_DES3 - -#undef WOLFSSL_STATIC_MEMORY -#define WOLFSSL_STATIC_MEMORY - +/* ------------------------------------------------------------------------- */ +/* Hardware */ +/* ------------------------------------------------------------------------- */ +/* CryptoCell support */ #if 0 -#undef WOLFSSL_HAVE_SP_RSA -#define WOLFSSL_HAVE_SP_RSA -#undef WOLFSSL_HAVE_SP_DH -#define WOLFSSL_HAVE_SP_DH -#undef WOLFSSL_HAVE_SP_ECC -#define WOLFSSL_HAVE_SP_ECC + //#define WOLFSSL_CRYPTOCELL + //#define WOLFSSL_CRYPTOCELL_AES #endif +/* PSA support */ +#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_C + #define WOLFSSL_HAVE_PSA + #define WOLFSSL_PSA_GLOBAL_LOCK +#endif + +/* ------------------------------------------------------------------------- */ +/* FIPS */ +/* ------------------------------------------------------------------------- */ +#ifdef CONFIG_WOLFCRYPT_FIPS + /* FIPS Ready */ + #define HAVE_FIPS_VERSION 5 + #define HAVE_FIPS_VERSION_MINOR 3 +#endif + + +/* ------------------------------------------------------------------------- */ +/* TLS */ +/* ------------------------------------------------------------------------- */ +/* TLS v1.2 (on by default) */ +#ifdef CONFIG_WOLFSSL_TLS_VERSION_1_2 + #undef WOLFSSL_NO_TLS12 +#else + #define WOLFSSL_NO_TLS12 +#endif +//#define NO_WOLFSSL_SERVER /* Optionally disable TLS server code */ +//#define NO_WOLFSSL_CLIENT /* Optionally disable TLS client code */ + +/* TLS v1.3 */ +#if defined(CONFIG_WOLFSSL_TLS_VERSION_1_3) || defined(CONFIG_WOLFSSL_TLS13_ENABLED) + #define WOLFSSL_TLS13 +#endif + +/* Disable older TLS version prior to 1.2 */ +#define NO_OLD_TLS + +/* Enable default TLS extensions */ +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_EXTENDED_MASTER +#define HAVE_ENCRYPT_THEN_MAC +#define HAVE_SERVER_RENEGOTIATION_INFO +#define HAVE_SNI /* optional Server Name Indicator (SNI) */ + +/* ASN */ +#define WOLFSSL_ASN_TEMPLATE /* use newer ASN template asn.c code (default) */ +#if 0 /* optional space reductions */ + #define WOLFSSL_NO_ASN_STRICT + #define IGNORE_NAME_CONSTRAINTS +#endif + +/* Session Cache */ +#if 1 + #define SMALL_SESSION_CACHE + #ifdef WOLFSSL_TLS13 + #define HAVE_SESSION_TICKET /* session tickets required for resumption in TLS v1.3 */ + #endif +#else + #define NO_SESSION_CACHE /* disable session resumption */ +#endif + +/* PSK */ +#define NO_PSK /* disable pre-shared-key support */ + + +/* ------------------------------------------------------------------------- */ +/* Algorithms */ +/* ------------------------------------------------------------------------- */ +/* RNG */ +#if 0 + /* Example for disabling DRBG and using TRNG directly */ + extern int cc310_random_generate(unsigned char* output, unsigned int size); + #define CUSTOM_RAND_GENERATE_BLOCK cc310_random_generate + #define WC_NO_HASHDRBG +#endif +#ifndef WC_NO_HASHDRBG + #define HAVE_HASHDRBG /* Use DRBG SHA2-256 and seed */ +#endif + +/* ECC */ +#if 1 + #define HAVE_ECC + #define ECC_USER_CURVES /* Enable only ECC curves specific */ + #undef NO_ECC256 /* Enable SECP256R1 only (on by default) */ + #define ECC_TIMING_RESISTANT /* Enable Timing Resistance */ + + //#define ECC_SHAMIR /* Optional ECC calculation speed improvement if not using SP implementation */ + //#define WOLFSSL_CUSTOM_CURVES /* enable other curves (not just prime) */ + //#define HAVE_ECC_SECPR2 + //#define HAVE_ECC_SECPR3 + //#define HAVE_ECC_BRAINPOOL + //#define HAVE_ECC_KOBLITZ + //#define HAVE_ECC_CDH /* Co-factor */ + //#define HAVE_COMP_KEY /* Compressed key support */ + //#define FP_ECC /* Fixed point caching - speed repeated operations against same key */ + //#define HAVE_ECC_ENCRYPT + //#define WOLFCRYPT_HAVE_ECCSI + //#define WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT +#endif + +#define WOLFSSL_OLD_PRIME_CHECK /* Use faster DH prime checking */ + +/* RSA */ +#if 1 + #undef NO_RSA + #define WC_RSA_BLINDING + //#define WC_RSA_NO_PADDING + + #if 0 + #define WOLFSSL_KEY_GEN /* For RSA Key gen only */ + #endif + #if defined(WOLFSSL_TLS13) || defined(CONFIG_WOLFSSL_RSA_PSS) + /* TLS v1.3 requires RSA PSS padding */ + #define WC_RSA_PSS + //#define WOLFSSL_PSS_LONG_SALT + #endif +#else + #define NO_RSA +#endif + +/* DH */ +#if 0 + #undef NO_DH /* on by default */ + #define WOLFSSL_DH_CONST /* don't rely on pow/log */ + #define HAVE_FFDHE_2048 + #define HAVE_FFDHE_3072 + #define HAVE_DH_DEFAULT_PARAMS + //#define WOLFSSL_DH_EXTRA /* Enable additional DH key import/export */ +#else + #define NO_DH +#endif + +/* ChaCha20 / Poly1305 */ +#if 1 + #define HAVE_CHACHA + #define HAVE_POLY1305 + + /* Needed for Poly1305 */ + #define HAVE_ONE_TIME_AUTH +#endif + +/* Ed25519 / Curve25519 */ +#if 0 + #define HAVE_CURVE25519 + #define HAVE_ED25519 /* ED25519 Requires SHA512 */ + + /* Optionally use small math (less flash usage, but much slower) */ + //#define CURVED25519_SMALL +#endif + +/* SHA-1 */ +#if 0 + #undef NO_SHA /* on by default */ + //#define USE_SLOW_SHA /* 1k smaller, but 25% slower */ +#else + #define NO_SHA +#endif + +/* SHA2-256 */ +#if 1 + #undef NO_SHA256 /* on by default */ + //#define USE_SLOW_SHA256 /* ~2k smaller and about 25% slower */ + #define WOLFSSL_SHA224 +#else + #define NO_SHA256 +#endif + +/* SHA2-384/512 */ +#if 1 + #define WOLFSSL_SHA384 + #define WOLFSSL_SHA512 + //#define USE_SLOW_SHA512 /* Over twice as small, but 50% slower */ +#endif + +/* SHA-3 */ +#if 1 + #define WOLFSSL_SHA3 +#endif + +/* AES */ +#define HAVE_AES_ECB +/* AES-CBC */ +#if 1 + #define HAVE_AES_CBC +#else + #define NO_AES_CBC +#endif +/* AES-GCM */ +#if 1 + #define HAVE_AESGCM + #define GCM_SMALL /* GCM Method: GCM_TABLE_4BIT, GCM_SMALL, GCM_WORD32 or GCM_TABLE */ + //#define WOLFSSL_AESGCM_STREAM +#endif +//#define HAVE_AES_DECRYPT +//#define WOLFSSL_AES_COUNTER +//#define WOLFSSL_AES_CFB +//#define WOLFSSL_AES_OFB +//#define HAVE_AESCCM +//#define WOLFSSL_AES_XTS + +//#define NO_AES_128 +//#define NO_AES_192 +//#define NO_AES_256 +//#define WOLFSSL_AES_SMALL_TABLES +//#define WOLFSSL_AES_NO_UNROLL + + +/* HKDF */ +#if defined(WOLFSSL_TLS13) || defined(CONFIG_WOLFSSL_HKDF) + #define HAVE_HKDF +#endif + +/* CMAC - Zephyr nRF BTLE needs CMAC */ +#if 1 + #define WOLFSSL_AES_DIRECT + #define WOLFSSL_CMAC +#endif + + +/* Optional Features */ +#define WOLFSSL_BASE64_ENCODE /* Enable Base64 encoding */ +//#define WC_NO_CACHE_RESISTANT /* systems with cache should enable this for AES, ECC, RSA and DH */ +//#define WOLFSSL_CERT_GEN +//#define WOLFSSL_CERT_REQ +//#define WOLFSSL_CERT_EXT +//#define NO_PWDBASED + + +/* Disable Algorithms */ +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_MD5 +#define NO_DES3 +#define WOLFSSL_NO_SHAKE128 +#define WOLFSSL_NO_SHAKE256 + + + +/* ------------------------------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------------------------------- */ +/* Math Options */ +/* Multi-precision - generic math for all keys sizes and curves */ +#if 1 + #define WOLFSSL_SP_MATH /* no multi-precision math, only single */ +#elif 1 + /* wolf mp math (sp_int.c) */ + #define WOLFSSL_SP_MATH_ALL /* use SP math for all key sizes and curves */ + //#define WOLFSSL_SP_NO_MALLOC + + /* use smaller version of code */ + #define WOLFSSL_SP_SMALL + + /* Define the maximum math bits used */ + #if !defined(NO_RSA) || !defined(NO_DH) + #define SP_INT_BITS 2048 + #elif defined(HAVE_ECC) + #define SP_INT_BITS 256 + #endif + +#elif 1 + /* Fast Math (tfm.c) (stack based and timing resistant) */ + #define USE_FAST_MATH + #define TFM_TIMING_RESISTANT + + /* Define the maximum math bits used (2 * max) */ + #if !defined(NO_RSA) || !defined(NO_DH) + #define FP_MAX_BITS (2*2048) + #ifdef HAVE_ECC + #define ALT_ECC_SIZE /* use heap allocation for ECC point */ + #endif + #elif defined(HAVE_ECC) + #define FP_MAX_BITS (2*256) + #endif + #ifdef HAVE_ECC + //#define TFM_ECC256 /* optional speedup for ECC-256 bit */ + #endif +#else + /* Normal (integer.c) (heap based, not timing resistant) - not recommended */ + #define USE_INTEGER_HEAP_MATH +#endif + +/* Single Precision (optional) */ +/* Math written for specific curves and key sizes */ +#if 1 + #ifdef HAVE_ECC + #define WOLFSSL_HAVE_SP_ECC + //#define WOLFSSL_SP_NO_256 + //#define WOLFSSL_SP_384 + //#define WOLFSSL_SP_521 + #endif + #ifndef NO_RSA + #define WOLFSSL_HAVE_SP_RSA + //#define WOLFSSL_SP_NO_2048 + //#define WOLFSSL_SP_NO_3072 + //#define WOLFSSL_SP_4096 + #endif + #ifndef NO_DH + #define WOLFSSL_HAVE_SP_DH + #endif + + #define WOLFSSL_SP_SMALL /* use smaller version of code */ + //#define WOLFSSL_SP_NO_MALLOC /* disable heap in wolf/SP math */ + //#define SP_DIV_WORD_USE_DIV /* no div64 */ + + #if 0 + /* optional speedup with inline assembly */ + //#define WOLFSSL_SP_ARM_CORTEX_M_ASM /* Cortex-M3+ */ + //#define WOLFSSL_SP_ARM_THUMB_ASM /* Cortex-M0+ thumb */ + //#define WOLFSSL_SP_ARM32_ASM /* Cortex-R */ + //#define WOLFSSL_SP_ARM64_ASM /* Cortex-A */ + //#define WOLFSSL_SP_USE_UDIV + #endif +#endif + + +/* ------------------------------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------------------------------- */ +#undef DEBUG_WOLFSSL +#undef NO_ERROR_STRINGS +#ifdef CONFIG_WOLFSSL_DEBUG + #define DEBUG_WOLFSSL +#else + #if 1 + #define NO_ERROR_STRINGS + #endif +#endif + #ifdef __cplusplus } diff --git a/zephyr/wolfssl/options.h b/zephyr/wolfssl/options.h index e69de29bb..5c637481b 100644 --- a/zephyr/wolfssl/options.h +++ b/zephyr/wolfssl/options.h @@ -0,0 +1 @@ +/* default blank options to appease code that may require it */ From 85c22abe4e78516e5e665324d0f474bb0be3c328 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 15 Mar 2024 14:01:59 -0700 Subject: [PATCH 2/5] Fix for Zephyr `TimeNowInMilliseconds`. Resolves issue with TLS v1.3 server and session tickets time (uptime in sim < 1000 ms was being made 0). --- src/internal.c | 7 ++++++- src/tls13.c | 8 ++++++-- wolfcrypt/benchmark/benchmark.c | 6 +++--- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/src/internal.c b/src/internal.c index d889f3370..6848b47b9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -9768,7 +9768,12 @@ ProtocolVersion MakeDTLSv1_3(void) word32 LowResTimer(void) { - return k_uptime_get() / 1000; + int64_t t; + #if defined(CONFIG_ARCH_POSIX) + k_cpu_idle(); + #endif + t = k_uptime_get(); /* returns current uptime in milliseconds */ + return (word32)(t / 1000); } #elif defined(WOLFSSL_LINUXKM) diff --git a/src/tls13.c b/src/tls13.c index 512d16e9c..713d3edff 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -1910,10 +1910,12 @@ end: #elif defined(WOLFSSL_ZEPHYR) word32 TimeNowInMilliseconds(void) { + int64_t t; #if defined(CONFIG_ARCH_POSIX) k_cpu_idle(); #endif - return (word32)k_uptime_get() / 1000; + t = k_uptime_get(); /* returns current uptime in milliseconds */ + return (word32)t; } #else @@ -2201,10 +2203,12 @@ end: #elif defined(WOLFSSL_ZEPHYR) sword64 TimeNowInMilliseconds(void) { + int64_t t; #if defined(CONFIG_ARCH_POSIX) k_cpu_idle(); #endif - return (sword64)k_uptime_get() / 1000; + t = k_uptime_get(); /* returns current uptime in milliseconds */ + return (sword64)t; } #else diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 2f51aeffc..1367be546 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -12998,13 +12998,13 @@ void bench_sphincsKeySign(byte level, byte optim) double current_time(int reset) { + int64_t t; (void)reset; - #if defined(CONFIG_ARCH_POSIX) k_cpu_idle(); #endif - - return (double)k_uptime_get() / 1000; + t = k_uptime_get(); /* returns current uptime in milliseconds */ + return (double)(t / 1000); } #elif defined(WOLFSSL_NETBURNER) From 03e306a98f3a2a72674527f472d6cdc96366148e Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 15 Mar 2024 14:48:32 -0700 Subject: [PATCH 3/5] Add include for project for cases when a custom user_settings.h file is used. Tested support with PSA. --- zephyr/CMakeLists.txt | 4 ++++ zephyr/user_settings.h | 12 +++++------- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt index b1c2b0159..376cbce6e 100644 --- a/zephyr/CMakeLists.txt +++ b/zephyr/CMakeLists.txt @@ -6,6 +6,10 @@ if(CONFIG_WOLFSSL) target_compile_definitions(wolfSSL INTERFACE WOLFSSL_SETTINGS_FILE="${CONFIG_WOLFSSL_SETTINGS_FILE}" ) + zephyr_include_directories( + ${APPLICATION_CONFIG_DIR} + ${APPLICATION_CONFIG_DIR}/src + ) endif() zephyr_include_directories( diff --git a/zephyr/user_settings.h b/zephyr/user_settings.h index de3073d04..8b597144a 100644 --- a/zephyr/user_settings.h +++ b/zephyr/user_settings.h @@ -69,7 +69,10 @@ extern "C" { /* PSA support */ #ifdef CONFIG_MBEDTLS_PSA_CRYPTO_C #define WOLFSSL_HAVE_PSA - #define WOLFSSL_PSA_GLOBAL_LOCK + #ifndef SINGLE_THREADED + #define WOLFSSL_PSA_GLOBAL_LOCK + #endif + #define WC_NO_HASHDRBG /* use PSA RNG directly via wc_psa_get_random */ #endif /* ------------------------------------------------------------------------- */ @@ -135,12 +138,6 @@ extern "C" { /* Algorithms */ /* ------------------------------------------------------------------------- */ /* RNG */ -#if 0 - /* Example for disabling DRBG and using TRNG directly */ - extern int cc310_random_generate(unsigned char* output, unsigned int size); - #define CUSTOM_RAND_GENERATE_BLOCK cc310_random_generate - #define WC_NO_HASHDRBG -#endif #ifndef WC_NO_HASHDRBG #define HAVE_HASHDRBG /* Use DRBG SHA2-256 and seed */ #endif @@ -173,6 +170,7 @@ extern "C" { #undef NO_RSA #define WC_RSA_BLINDING //#define WC_RSA_NO_PADDING + //#define RSA_LOW_MEM #if 0 #define WOLFSSL_KEY_GEN /* For RSA Key gen only */ From face8b6e43425d24f02b0260cdfa344c888b496c Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 18 Mar 2024 13:40:10 -0700 Subject: [PATCH 4/5] Experimental support for Intel and ARM ASM with Zephyr. Related to issue #7116. --- zephyr/CMakeLists.txt | 31 ++++++++++++++++++++++ zephyr/Kconfig | 13 +++++++++ zephyr/samples/wolfssl_benchmark/prj.conf | 4 +++ zephyr/samples/wolfssl_test/prj.conf | 2 +- zephyr/samples/wolfssl_tls_thread/prj.conf | 1 + zephyr/user_settings.h | 27 +++++++++++++++++++ 6 files changed, 77 insertions(+), 1 deletion(-) diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt index 376cbce6e..acc3c8543 100644 --- a/zephyr/CMakeLists.txt +++ b/zephyr/CMakeLists.txt @@ -128,6 +128,37 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/psa/psa_pkcbs.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/st/stm32.c) + if(CONFIG_WOLFCRYPT_ARMASM) + # tested with board: "qemu_kvm_arm64" + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-aes.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-32-aes-asm_c.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-sha256.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-32-sha256-asm_c.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-sha512.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-sha512-asm_c.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-sha3-asm_c.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-poly1305.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-chacha.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-curve25519_c.c) + + set(MCPU_FLAGS "-mcpu=cortex-a53+crypto -mstrict-align") + #set(MCPU_FLAGS "-mcpu=generic+crypto -mstrict-align") + endif() + + if(CONFIG_WOLFCRYPT_INTELASM) + # tested with board: "qemu_x86_64" + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha256_asm.S) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha512_asm.S) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/sha3_asm.S) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/chacha_asm.S) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/poly1305_asm.S) + + # issues with aesni + #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/aes_asm.S) + #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/aes_gcm_x86_asm.S) + #set(MCPU_FLAGS "-march=native -maes -msse4 -mpclmul ") + endif() + zephyr_library_link_libraries(wolfSSL) target_compile_definitions(wolfSSL INTERFACE WOLFSSL_ZEPHYR) diff --git a/zephyr/Kconfig b/zephyr/Kconfig index 75b20ad47..5c6fa73ef 100644 --- a/zephyr/Kconfig +++ b/zephyr/Kconfig @@ -70,6 +70,19 @@ config WOLFCRYPT_FIPS Enables FIPS support in wolfCrypt. Requires the wolfSSL FIPS ready download that includes fips.c/fips_test.c. +config WOLFCRYPT_ARMASM + bool "wolfCrypt ARM Assembly support" + depends on WOLFSSL_BUILTIN + help + wolfCrypt ARM (ARMv8/ARMv7) assembly support for AES, SHA-2, SHA-3, + ChaCha20/Poly1305 and Curve25519 + +config WOLFCRYPT_INTELASM + bool "wolfCrypt Intel Assembly support" + depends on WOLFSSL_BUILTIN + help + wolfCrypt Intel Aassembly support (AVX/AVX2/AESNI) + config WOLFSSL_DEBUG bool "wolfSSL debug activation" depends on WOLFSSL_BUILTIN diff --git a/zephyr/samples/wolfssl_benchmark/prj.conf b/zephyr/samples/wolfssl_benchmark/prj.conf index b7e4eee43..41ccf7f94 100644 --- a/zephyr/samples/wolfssl_benchmark/prj.conf +++ b/zephyr/samples/wolfssl_benchmark/prj.conf @@ -26,6 +26,10 @@ CONFIG_LOG_BUFFER_SIZE=15360 #CONFIG_WOLFSSL_DEBUG=y # Entropy +CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_ENTROPY_GENERATOR=y CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y +# Optional ARM or Intel Assembly +#CONFIG_WOLFCRYPT_ARMASM=y +#CONFIG_WOLFCRYPT_INTELASM=y diff --git a/zephyr/samples/wolfssl_test/prj.conf b/zephyr/samples/wolfssl_test/prj.conf index a989213b4..6c8a5ca43 100644 --- a/zephyr/samples/wolfssl_test/prj.conf +++ b/zephyr/samples/wolfssl_test/prj.conf @@ -24,6 +24,6 @@ CONFIG_LOG_BUFFER_SIZE=15360 #CONFIG_WOLFSSL_DEBUG=y # Entropy +CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_ENTROPY_GENERATOR=y CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y - diff --git a/zephyr/samples/wolfssl_tls_thread/prj.conf b/zephyr/samples/wolfssl_tls_thread/prj.conf index fc0e01595..95ebedcbb 100644 --- a/zephyr/samples/wolfssl_tls_thread/prj.conf +++ b/zephyr/samples/wolfssl_tls_thread/prj.conf @@ -1,6 +1,7 @@ # Kernel options CONFIG_MAIN_STACK_SIZE=16384 CONFIG_ENTROPY_GENERATOR=y +CONFIG_TEST_RANDOM_GENERATOR=y CONFIG_INIT_STACKS=y CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE=65536 diff --git a/zephyr/user_settings.h b/zephyr/user_settings.h index 8b597144a..32bae9c8b 100644 --- a/zephyr/user_settings.h +++ b/zephyr/user_settings.h @@ -380,6 +380,33 @@ extern "C" { #endif #endif +/* ------------------------------------------------------------------------- */ +/* Assembly Speedups for Symmetric Algorithms */ +/* ------------------------------------------------------------------------- */ + +#ifdef CONFIG_WOLFCRYPT_ARMASM + #define WOLFSSL_ARMASM + #define WOLFSSL_NO_HASH_RAW + #define WOLFSSL_ARMASM_INLINE /* use inline .c versions */ + #define WOLFSSL_ARMASM_NO_HW_CRYPTO /* enable if processor does not support aes/sha instructions */ + #define WOLFSSL_ARMASM_NO_NEON + + /* Default is ARMv8 */ + + #if 0 /* ARMv7 */ + #define WOLFSSL_ARM_ARCH 7 + #endif +#endif + +#ifdef CONFIG_WOLFCRYPT_INTELASM + #define USE_INTEL_SPEEDUP + #define WOLFSSL_X86_64_BUILD /* 64-bit */ + //#define WOLFSSL_X86_BUILD /* 32-bit */ + + /* Issues with building AESNI "_mm_aesimc_si128" always_inline */ + //#define WOLFSSL_AESNI +#endif + /* ------------------------------------------------------------------------- */ /* Debugging */ From b8bebd6196167b8e4aa89c4c7a53e6861d4e8416 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 20 Mar 2024 13:14:05 -0700 Subject: [PATCH 5/5] Fixes for ARM/Intel ASM support. --- zephyr/CMakeLists.txt | 12 ++++++------ zephyr/user_settings.h | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt index acc3c8543..0b2680557 100644 --- a/zephyr/CMakeLists.txt +++ b/zephyr/CMakeLists.txt @@ -141,8 +141,8 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-chacha.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/port/arm/armv8-curve25519_c.c) - set(MCPU_FLAGS "-mcpu=cortex-a53+crypto -mstrict-align") - #set(MCPU_FLAGS "-mcpu=generic+crypto -mstrict-align") + # Note: The cmake/gcc-m-cpu.cmake make need updated to add "+crypto -mstrict-align" + set(TOOLCHAIN_C_FLAGS "-mcpu=cortex-a53+crypto -mstrict-align") endif() if(CONFIG_WOLFCRYPT_INTELASM) @@ -153,10 +153,10 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/chacha_asm.S) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/poly1305_asm.S) - # issues with aesni - #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/aes_asm.S) - #zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/aes_gcm_x86_asm.S) - #set(MCPU_FLAGS "-march=native -maes -msse4 -mpclmul ") + # AESNI + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/aes_asm.S) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/aes_gcm_x86_asm.S) + set(TOOLCHAIN_C_FLAGS "-march=native -maes -msse4 -mpclmul ") endif() zephyr_library_link_libraries(wolfSSL) diff --git a/zephyr/user_settings.h b/zephyr/user_settings.h index 32bae9c8b..8c8f2e303 100644 --- a/zephyr/user_settings.h +++ b/zephyr/user_settings.h @@ -388,13 +388,13 @@ extern "C" { #define WOLFSSL_ARMASM #define WOLFSSL_NO_HASH_RAW #define WOLFSSL_ARMASM_INLINE /* use inline .c versions */ - #define WOLFSSL_ARMASM_NO_HW_CRYPTO /* enable if processor does not support aes/sha instructions */ #define WOLFSSL_ARMASM_NO_NEON /* Default is ARMv8 */ #if 0 /* ARMv7 */ #define WOLFSSL_ARM_ARCH 7 + #define WOLFSSL_ARMASM_NO_HW_CRYPTO /* enable if processor does not support aes/sha instructions */ #endif #endif