wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-02-04 03:55:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9719 from dgarske/usersettings_expand

Browse Source 
Improve user_settings.h examples and add validation rules
This commit is contained in:
JacobBarthelmeh
2026-01-29 15:35:12 -07:00
committed by GitHub
parent a6316114bd 7077a7bdd8
commit 9ca379f3bb
26 changed files with 2155 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
.github/workflows/os-check.yml vendored
View File

@@ -122,13 +122,24 @@ jobs:
matrix:
os: [ ubuntu-24.04, macos-latest ]
user-settings: [
# Add new user_settings.h here
# Add new user_settings.h here (alphabetical order)
'examples/configs/user_settings_ca.h',
'examples/configs/user_settings_dtls13.h',
'examples/configs/user_settings_EBSnet.h',
'examples/configs/user_settings_eccnonblock.h',
'examples/configs/user_settings_min_ecc.h',
'examples/configs/user_settings_wolfboot_keytools.h',
'examples/configs/user_settings_wolftpm.h',
'examples/configs/user_settings_wolfssh.h',
'examples/configs/user_settings_openssl_compat.h',
'examples/configs/user_settings_pkcs7.h',
'examples/configs/user_settings_rsa_only.h',
'examples/configs/user_settings_template.h',
'examples/configs/user_settings_tls12.h',
'examples/configs/user_settings_tls13.h',
'examples/configs/user_settings_wolfboot_keytools.h',
'examples/configs/user_settings_wolfssh.h',
'examples/configs/user_settings_wolftpm.h',
# Not included (require special setup):
# - user_settings_pq.h: Requires --enable-experimental
# - user_settings_baremetal.h: Requires static memory, custom platform
]
name: make user_setting.h (testwolfcrypt only)
if: github.repository_owner == 'wolfssl'

7
.wolfssl_known_macro_extras
View File

@@ -695,7 +695,6 @@ WOLFSSL_BIGINT_TYPES
WOLFSSL_BIO_NO_FLOW_STATS
WOLFSSL_BLAKE2B_INIT_EACH_FIELD
WOLFSSL_BLAKE2S_INIT_EACH_FIELD
WOLFSSL_BLIND_PRIVATE_KEY
WOLFSSL_BYTESWAP32_ASM
WOLFSSL_CAAM_BLACK_KEY_AESCCM
WOLFSSL_CAAM_BLACK_KEY_SM
@@ -708,10 +707,8 @@ WOLFSSL_CLIENT_EXAMPLE
WOLFSSL_CONTIKI
WOLFSSL_CRL_ALLOW_MISSING_CDP
WOLFSSL_DILITHIUM_ASSIGN_KEY
WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM
WOLFSSL_DILITHIUM_NO_ASN1
WOLFSSL_DILITHIUM_NO_CHECK_KEY
WOLFSSL_DILITHIUM_NO_LARGE_CODE
WOLFSSL_DILITHIUM_NO_MAKE
WOLFSSL_DILITHIUM_REVERSE_HASH_OID
WOLFSSL_DILITHIUM_SIGN_CHECK_W0
@@ -719,7 +716,6 @@ WOLFSSL_DILITHIUM_SIGN_CHECK_Y
WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC
WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A
WOLFSSL_DILITHIUM_SMALL_MEM_POLY64
WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM
WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
WOLFSSL_DTLS_DISALLOW_FUTURE
WOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS
@@ -785,10 +781,7 @@ WOLFSSL_MAKE_SYSTEM_NAME_LINUX
WOLFSSL_MAKE_SYSTEM_NAME_WSL
WOLFSSL_MDK5
WOLFSSL_MEM_FAIL_COUNT
WOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM
WOLFSSL_MLKEM_INVNTT_UNROLL
WOLFSSL_MLKEM_MAKEKEY_SMALL_MEM
WOLFSSL_MLKEM_NO_LARGE_CODE
WOLFSSL_MLKEM_NO_MALLOC
WOLFSSL_MLKEM_NTT_UNROLL
WOLFSSL_MONT_RED_CT

22
examples/configs/README.md
View File

@@ -4,17 +4,27 @@ Example wolfSSL configuration file templates for use when autoconf is not availa
## Files
* `user_settings_template.h`: Template that allows modular algorithm and feature selection using `#if 0` logic.
* `user_settings_template.h`: Template that allows modular algorithm and feature selection using `#if 0`/`#if 1` gates.
* `user_settings_all.h`: This is wolfSSL with all features enabled. Equivalent to `./configure --enable-all`.
* `user_settings_arduino.h`: An example Arduino file. See also [wolfSSL/Arduino-wolfSSL](https://github.com/wolfSSL/Arduino-wolfSSL).
*.`user_settings_EBSnet.h`: Example configuration file for use with EBSnet ports.
* `user_settings_EBSnet.h`: Example configuration file for use with EBSnet ports.
* `user_settings_eccnonblock.h`: Example for non-blocking ECC crypto only. See comment at top for test results.
* `user_settings_espressif.h`: Example configuration for Espressif ESP32. See also [wolfSSL/IDE/Espressif](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif).
* `user_settings_fipsv2.h`: The FIPS v2 (3389) 140-2 certificate build options.
* `user_settings_fipsv5.h`: The FIPS v5 (ready) 140-3 build options. Equivalent to `./configure --enable-fips=v5-dev`.
* `user_settings_min_ecc.h`: This is ECC and SHA-256 only. For ECC verify only add `BUILD_VERIFY_ONLY`.
* `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl)
* `user_settings_min_ecc.h`: Minimal ECC and SHA-256 only (no TLS). For ECC verify only add `NO_ECC_SIGN`.
* `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl).
* `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack.
* `user_settings_tls12`: Example for TLS v1.2 client only, ECC only, AES GCM only, SHA2-256 only.
* `user_settings_wolfboot_keytools.h`: This from wolfBoot tools/keytools and is ECC, RSA, ED25519 and ChaCha20.
* `user_settings_tls12.h`: Example for TLS v1.2 client only, ECC only, AES-GCM only, SHA2-256 only.
* `user_settings_tls13.h`: TLS 1.3 only configuration (no TLS 1.2). Modern cipher suites with X25519/X448 key exchange.
* `user_settings_dtls13.h`: DTLS 1.3 for IoT and embedded. Includes connection ID support and smaller MTU options.
* `user_settings_pq.h`: Post-quantum TLS with ML-KEM (Kyber) key exchange and ML-DSA (Dilithium) certificates.
* `user_settings_openssl_compat.h`: OpenSSL compatibility layer for drop-in replacement. Enables OPENSSL_ALL and related APIs.
* `user_settings_baremetal.h`: Bare metal configuration. No filesystem, static memory only, minimal footprint.
* `user_settings_rsa_only.h`: RSA-only configuration (no ECC). For legacy systems requiring RSA cipher suites.
* `user_settings_pkcs7.h`: PKCS#7/CMS configuration for signing and encryption. S/MIME, firmware signing.
* `user_settings_ca.h`: Certificate Authority / PKI operations. Certificate generation, signing, CRL, OCSP.
* `user_settings_wolfboot_keytools.h`: wolfBoot key generation and signing tool. Supports ECC, RSA, ED25519, ED448, and post-quantum (ML-DSA/Dilithium, LMS, XMSS).
* `user_settings_wolfssh.h`: Minimum options for building wolfSSH. See comment at top for ./configure used to generate.
* `user_settings_wolftpm.h`: Minimum options for building wolfTPM. See comment at top for ./configure used to generate.

8
examples/configs/include.am
View File

@@ -4,16 +4,24 @@
EXTRA_DIST += examples/configs/README.md
EXTRA_DIST += examples/configs/user_settings_all.h
EXTRA_DIST += examples/configs/user_settings_arduino.h
EXTRA_DIST += examples/configs/user_settings_baremetal.h
EXTRA_DIST += examples/configs/user_settings_ca.h
EXTRA_DIST += examples/configs/user_settings_dtls13.h
EXTRA_DIST += examples/configs/user_settings_EBSnet.h
EXTRA_DIST += examples/configs/user_settings_eccnonblock.h
EXTRA_DIST += examples/configs/user_settings_espressif.h
EXTRA_DIST += examples/configs/user_settings_fipsv2.h
EXTRA_DIST += examples/configs/user_settings_fipsv5.h
EXTRA_DIST += examples/configs/user_settings_min_ecc.h
EXTRA_DIST += examples/configs/user_settings_openssl_compat.h
EXTRA_DIST += examples/configs/user_settings_pkcs7.h
EXTRA_DIST += examples/configs/user_settings_platformio.h
EXTRA_DIST += examples/configs/user_settings_pq.h
EXTRA_DIST += examples/configs/user_settings_rsa_only.h
EXTRA_DIST += examples/configs/user_settings_stm32.h
EXTRA_DIST += examples/configs/user_settings_template.h
EXTRA_DIST += examples/configs/user_settings_tls12.h
EXTRA_DIST += examples/configs/user_settings_tls13.h
EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h
EXTRA_DIST += examples/configs/user_settings_wolfssh.h
EXTRA_DIST += examples/configs/user_settings_wolftpm.h

2
examples/configs/user_settings_EBSnet.h
View File

@@ -47,6 +47,8 @@ extern "C" {
#define NO_MD4
#define NO_MD5
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_OLD_TLS
#ifdef __cplusplus
}

1
examples/configs/user_settings_all.h
View File

@@ -210,7 +210,6 @@ extern "C" {
#define WOLFSSL_SHAKE256
#define WOLFSSL_SHA3
#define WOLFSSL_HASH_FLAGS /* enable hash flag API's */
#define WOLFSSL_SHAKE256
/* Additional Algorithms */
#define HAVE_HASHDRBG

231
examples/configs/user_settings_baremetal.h Normal file
View File

@@ -0,0 +1,231 @@
/* user_settings_baremetal.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* Bare metal configuration for systems without an OS.
* No filesystem, no malloc, static memory, minimal footprint.
* Suitable for deeply embedded systems and bootloaders.
*
* Build and test:
* cp ./examples/configs/user_settings_baremetal.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform - Bare Metal */
/* ------------------------------------------------- */
#define SINGLE_THREADED
#define NO_FILESYSTEM
#define NO_WRITEV
#define WOLFSSL_NO_SOCK
#define WOLFSSL_IGNORE_FILE_WARN
#define WOLFSSL_GENERAL_ALIGNMENT 4
#define SIZEOF_LONG_LONG 8
/* TLS transport requires setting IO callbacks */
#define WOLFSSL_USER_IO
/* ------------------------------------------------- */
/* Memory */
/* ------------------------------------------------- */
#if 1 /* stack memory */
#elif 1 /* small stack */
/* Small stack - allocate large variables from static pool */
#define WOLFSSL_SMALL_STACK
#else /* static memory */
#define WOLFSSL_STATIC_MEMORY
#define WOLFSSL_NO_MALLOC
#define WOLFSSL_SP_NO_MALLOC
#define WOLFSSL_MALLOC_CHECK
#define NO_WOLFSSL_MEMORY
#endif
/* ------------------------------------------------- */
/* Math - Single Precision (smallest) */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH
#define WOLFSSL_SP_SMALL
#define TFM_TIMING_RESISTANT
/* ------------------------------------------------- */
/* TLS (optional - disable for crypto-only) */
/* ------------------------------------------------- */
#if 0 /* TLS support */
#define WOLFSSL_TLS13
#define WOLFSSL_NO_TLS12
#define NO_OLD_TLS
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF
#else
#define WOLFCRYPT_ONLY
#endif
/* ------------------------------------------------- */
/* ECC (smallest asymmetric option) */
/* ------------------------------------------------- */
#if 1 /* ECC support */
#define HAVE_ECC
#define WOLFSSL_HAVE_SP_ECC
#define ECC_USER_CURVES /* P-256 only */
#undef NO_ECC256
#define ECC_TIMING_RESISTANT
/* Disable for smaller size */
#if 0 /* ECC Shamir (faster, more code) */
#define ECC_SHAMIR
#endif
#endif
/* ECC Feature Reduction */
#if 0 /* Verify only (no signing/keygen) */
#define NO_ECC_SIGN
#define NO_ECC_DHE
#define NO_ECC_KEY_EXPORT
#endif
/* ------------------------------------------------- */
/* RSA (disable for smallest size) */
/* ------------------------------------------------- */
#if 0 /* RSA support */
#undef NO_RSA
#define WOLFSSL_HAVE_SP_RSA
#define WC_RSA_BLINDING
#define RSA_LOW_MEM
#if 0 /* Verify only */
#define WOLFSSL_RSA_PUBLIC_ONLY
#define WOLFSSL_RSA_VERIFY_INLINE
#define NO_CHECK_PRIVATE_KEY
#endif
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
#if 1 /* AES */
#define HAVE_AESGCM
#define GCM_SMALL
#define WOLFSSL_AES_SMALL_TABLES
#define WOLFSSL_AES_NO_UNROLL
#define NO_AES_192
#define NO_AES_256
#if 0 /* AES-CBC */
#undef NO_AES_CBC
#else
#define NO_AES_CBC
#endif
#else
#define NO_AES
#endif
#if 0 /* ChaCha20-Poly1305 */
#define HAVE_CHACHA
#define HAVE_POLY1305
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 only (required) */
#define USE_SLOW_SHA256
#if 0 /* SHA-1 (legacy) */
#undef NO_SHA
#else
#define NO_SHA
#endif
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#if 1 /* Hash-based DRBG */
#define HAVE_HASHDRBG
#else
/* Use hardware RNG directly */
#define WC_NO_HASHDRBG
extern int my_rng_gen_block(unsigned char* output, unsigned int sz);
#define CUSTOM_RAND_GENERATE_BLOCK my_rng_gen_block
#endif
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#if 0 /* Disable certificates for smallest size */
#define NO_ASN
#define NO_CERTS
#define NO_CODING
#endif
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DH
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_PSK
#define NO_PWDBASED
#define NO_PKCS8
#define NO_PKCS12
/* ------------------------------------------------- */
/* Disabled Features */
/* ------------------------------------------------- */
#define NO_SIG_WRAPPER
#define NO_SESSION_CACHE
#define NO_ERROR_STRINGS
#define NO_OLD_RNGNAME
#define NO_WOLFSSL_DIR
#define BENCH_EMBEDDED
/* ------------------------------------------------- */
/* Custom Time (bare metal has no RTC typically) */
/* ------------------------------------------------- */
#if 1 /* Custom time function */
#define NO_ASN_TIME
/* Or provide custom time:
* #define USER_TIME
* extern unsigned long my_time(unsigned long* timer);
* #define XTIME my_time
*/
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

210
examples/configs/user_settings_ca.h Normal file
View File

@@ -0,0 +1,210 @@
/* user_settings_ca.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* Certificate Authority (CA) / PKI configuration.
* For certificate generation, signing, CRL, OCSP, and CertificateManager.
* No TLS - certificate operations only.
*
* Build and test:
* cp ./examples/configs/user_settings_ca.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#define NO_TLS /* Enables CertificateManager without TLS */
#if 0 /* Single threaded */
#define SINGLE_THREADED
#endif
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
#define SP_INT_BITS 4096
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* Certificate Generation */
/* ------------------------------------------------- */
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#define WOLFSSL_MULTI_ATTRIB
#define WOLFSSL_ALT_NAMES
#define WOLFSSL_CUSTOM_OID
#define HAVE_OID_ENCODING
/* Additional certificate features */
#define WOLFSSL_CERT_NAME_ALL
#define WOLFSSL_HAVE_ISSUER_NAMES
#define WOLFSSL_AKID_NAME
#define WOLFSSL_SUBJ_DIR_ATTR
#define WOLFSSL_SUBJ_INFO_ACC
/* ------------------------------------------------- */
/* ASN.1 */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#define WOLFSSL_PEM_TO_DER
#define WOLFSSL_DER_TO_PEM
#define WOLFSSL_DER_LOAD
#define ASN_BER_TO_DER
/* ------------------------------------------------- */
/* CRL (Certificate Revocation List) */
/* ------------------------------------------------- */
#define HAVE_CRL
#if 0 /* CRL file monitoring */
#define HAVE_CRL_MONITOR
#endif
#define HAVE_CRL_IO
#define HAVE_IO_TIMEOUT
/* ------------------------------------------------- */
/* OCSP (Online Certificate Status Protocol) */
/* ------------------------------------------------- */
#define HAVE_OCSP
#define HAVE_CERTIFICATE_STATUS_REQUEST
#define HAVE_CERTIFICATE_STATUS_REQUEST_V2
#define HAVE_TLS_EXTENSIONS
/* ------------------------------------------------- */
/* ECC */
/* ------------------------------------------------- */
#if 1 /* ECC support */
#define HAVE_ECC
#define ECC_USER_CURVES
#undef NO_ECC256
#define HAVE_ECC384
#define HAVE_ECC521
#define ECC_SHAMIR
#define HAVE_COMP_KEY
#define WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT
#endif
/* ------------------------------------------------- */
/* Ed25519 / Ed448 */
/* ------------------------------------------------- */
#if 1 /* Ed25519 certificates */
#define HAVE_ED25519
#define HAVE_CURVE25519
#endif
#if 1 /* Ed448 certificates */
#define HAVE_ED448
#define HAVE_CURVE448
#define WOLFSSL_SHAKE256
#endif
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#if 1 /* RSA support */
#undef NO_RSA
#define WOLFSSL_KEY_GEN
#define WC_RSA_PSS
#define WC_RSA_NO_PADDING
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* Post-Quantum Certificates */
/* ------------------------------------------------- */
#if 0 /* ML-DSA / Dilithium certificates */
#define WOLFSSL_EXPERIMENTAL_SETTINGS
#define HAVE_DILITHIUM
#define WOLFSSL_WC_DILITHIUM
#define WOLFSSL_SHAKE128
#define WOLFSSL_SHAKE256
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 required */
#define WOLFSSL_SHA224
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#define WOLFSSL_SHA3
#if 1 /* SHA-1 (for legacy certificate compatibility) */
#undef NO_SHA
#else
#define NO_SHA
#endif
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* Encoding */
/* ------------------------------------------------- */
#define WOLFSSL_BASE64_ENCODE
#define WOLFSSL_BASE16
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DH
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_DES3
#define NO_PSK
#define NO_PWDBASED
#define NO_OLD_TLS
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 0 /* Disable error strings */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

211
examples/configs/user_settings_dtls13.h Normal file
View File

@@ -0,0 +1,211 @@
/* user_settings_dtls13.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* DTLS 1.3 for IoT and UDP applications.
* Suitable for constrained devices with unreliable networks.
*
* Build and test:
* cp ./examples/configs/user_settings_dtls13.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#if 1 /* Single threaded (typical for IoT) */
#define SINGLE_THREADED
#endif
#if 0 /* Disable filesystem */
#define NO_FILESYSTEM
#endif
#define WOLFSSL_USER_IO
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
#if 1 /* Small code size for IoT */
#define WOLFSSL_SP_SMALL
#endif
/* ------------------------------------------------- */
/* DTLS 1.3 */
/* ------------------------------------------------- */
#define WOLFSSL_DTLS
#define WOLFSSL_DTLS13
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF
#define WC_RSA_PSS
/* Disable older versions */
#define WOLFSSL_NO_TLS12
#define NO_OLD_TLS
/* DTLS-specific features */
#if 1 /* HelloRetryRequest cookie (DoS protection) */
#define WOLFSSL_SEND_HRR_COOKIE
#endif
#if 0 /* Connection ID (NAT traversal) - requires TLS 1.2 code paths */
#define WOLFSSL_DTLS_CID
#endif
#if 0 /* Fragmented ClientHello */
#define WOLFSSL_DTLS_CH_FRAG
#endif
/* Client/Server */
#if 0 /* Client only */
#define NO_WOLFSSL_SERVER
#endif
#if 0 /* Server only */
#define NO_WOLFSSL_CLIENT
#endif
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* ECC (preferred for IoT) */
/* ------------------------------------------------- */
#define HAVE_ECC
#define ECC_USER_CURVES
#undef NO_ECC256
#if 0 /* P-384 */
#define HAVE_ECC384
#endif
#define ECC_SHAMIR
/* ------------------------------------------------- */
/* Curve25519 / Ed25519 */
/* ------------------------------------------------- */
#if 1 /* X25519 key exchange (efficient for IoT) */
#define HAVE_CURVE25519
#define CURVE25519_SMALL
#endif
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#if 0 /* RSA support (larger, disable for constrained devices) */
#undef NO_RSA
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* DH */
/* ------------------------------------------------- */
#define NO_DH
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
/* AES-GCM */
#define HAVE_AESGCM
#if 1 /* Small GCM tables for IoT */
#define GCM_SMALL
#else
#define GCM_TABLE_4BIT
#endif
#if 1 /* ChaCha20-Poly1305 (efficient in software) */
#define HAVE_CHACHA
#define HAVE_POLY1305
#define HAVE_ONE_TIME_AUTH
#endif
#if 1 /* AES-CCM (common in IoT) */
#define HAVE_AESCCM
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 required */
#if 1 /* Smaller/slower SHA */
#define USE_SLOW_SHA256
#endif
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_SHA
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_PSK
#define NO_PWDBASED
/* ------------------------------------------------- */
/* Memory Optimization */
/* ------------------------------------------------- */
#if 1 /* Small stack for embedded */
#define WOLFSSL_SMALL_STACK
#endif
#if 0 /* Static memory (no malloc) */
#define WOLFSSL_STATIC_MEMORY
#define WOLFSSL_NO_MALLOC
#endif
#define NO_SESSION_CACHE
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 1 /* Disable error strings to save flash */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

4
examples/configs/user_settings_eccnonblock.h
View File

@@ -104,8 +104,8 @@ extern "C" {
#define WOLFSSL_SP_MATH /* forces only single precision */
/* Hashing */
#define WOLFSL_SHA512
#define WOLFSL_SHA384
#define WOLFSSL_SHA512
#define WOLFSSL_SHA384
#undef NO_SHA256
/* Debugging */

2
examples/configs/user_settings_fipsv2.h
View File

@@ -112,4 +112,4 @@ extern "C" {
}
#endif
#endif /* WOLFSSL_OPTIONS_H */
#endif /* WOLFSSL_USER_SETTINGS_H */

3
examples/configs/user_settings_fipsv5.h
View File

@@ -130,7 +130,6 @@ extern "C" {
#define WOLFSSL_AES_COUNTER
#define HAVE_AESCCM
#define HAVE_AES_ECB
#define WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_DIRECT
#define WOLFSSL_AES_OFB
#define HAVE_AESGCM
@@ -147,7 +146,6 @@ extern "C" {
#define WOLFSSL_SHA224
#define WOLFSSL_SHA512
#define WOLFSSL_SHA384
#define WOLFSSL_NO_SHAKE256
#define WOLFSSL_NOSHA512_224
#define WOLFSSL_NOSHA512_256
#define WOLFSSL_SHA3
@@ -162,6 +160,7 @@ extern "C" {
#define NO_MD4
#define NO_MD5
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_DSA
#define NO_RABBIT
#define NO_HC128

112
examples/configs/user_settings_min_ecc.h
View File

@@ -19,63 +19,94 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* should be renamed to user_settings.h for customer use
* generated from configure options:
* ./configure \
--enable-cryptonly --enable-ecc --enable-sp \
--disable-rsa --disable-dh --disable-sha3 --disable-sha224 --disable-md5 \
--disable-sha --disable-pkcs12 --disable-memory \
--disable-chacha --disable-poly1305 --disable-sha512 --disable-sha384 \
--disable-aesgcm --disable-aescbc --disable-aes --disable-rng \
CFLAGS="-DNO_SIG_WRAPPER -DWOLFSSL_PUBLIC_MP -DECC_USER_CURVES \
-DNO_ECC_SIGN -DNO_ECC_DHE -DNO_ECC_KEY_EXPORT"
/* Minimal ECC and SHA-256 only (no TLS, no RSA, no AES)
*
* Cleaned up by David Garske
* Derived from:
* ./configure \
* --enable-cryptonly --enable-ecc --enable-sp \
* --disable-rsa --disable-dh --disable-sha3 \
* --disable-sha224 --disable-md5 \
* --disable-sha --disable-pkcs12 --disable-memory \
* --disable-chacha --disable-poly1305 \
* --disable-sha512 --disable-sha384 \
* --disable-aesgcm --disable-aescbc \
* --disable-aes --disable-rng \
* CFLAGS="-DNO_SIG_WRAPPER -DWOLFSSL_PUBLIC_MP \
* -DECC_USER_CURVES"
*
* Build and test:
* cp ./examples/configs/user_settings_min_ecc.h \
* user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* WolfCrypt Only (no TLS) */
#define WOLFCRYPT_ONLY
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#define WOLFCRYPT_ONLY /* No TLS, wolfCrypt only */
/* Endianness - defaults to little endian */
#ifdef __BIG_ENDIAN__
#define BIG_ENDIAN_ORDER
#endif
/* Expose the math mp_ API's */
#define WOLFSSL_PUBLIC_MP
#define WOLFSSL_PUBLIC_MP /* Expose mp_ math API's */
/* Use single precision math only */
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP
#define WOLFSSL_SP_SMALL
#define WOLFSSL_SP_MATH
#define WOLFSSL_HAVE_SP_ECC
/* Enable Timing Resistance */
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
/* Enable ECC */
/* ------------------------------------------------- */
/* ECC */
/* ------------------------------------------------- */
#define HAVE_ECC
#define ECC_USER_CURVES /* Only 256-Bit Curves */
//#define ECC_SHAMIR
#define ECC_USER_CURVES /* Only P-256 by default */
#if 0 /* ECC Shamir - faster but more code/memory */
#define ECC_SHAMIR
#endif
/* Optional Feature Disables */
#define NO_SIG_WRAPPER
//#define NO_ECC_KEY_EXPORT
//#define NO_ECC_DHE
//#define NO_ECC_SIGN
//#define NO_ECC_VERIFY
/* ECC Feature Options */
#if 0 /* Disable ECC key export */
#define NO_ECC_KEY_EXPORT
#endif
#if 0 /* Disable ECDHE key agreement */
#define NO_ECC_DHE
#endif
#if 0 /* Disable ECC sign */
#define NO_ECC_SIGN
#endif
#if 0 /* Disable ECC verify */
#define NO_ECC_VERIFY
#endif
/* Disable Algorithms */
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 enabled by default */
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_AES
#define NO_AES_CBC
#define NO_DES3
@@ -89,17 +120,30 @@ extern "C" {
#define NO_PWDBASED
#define NO_PKCS12
#define NO_PKCS8
//#define WC_NO_RNG
#define NO_SIG_WRAPPER
/* Disable Features */
//#define NO_ASN
//#define NO_CERTS
/* ------------------------------------------------- */
/* Disabled Features */
/* ------------------------------------------------- */
#define NO_WOLFSSL_MEMORY
#define WOLFSSL_NO_PEM
//#define NO_CODING
#define NO_PSK
#ifndef DEBUG_WOLFSSL
#if 0 /* Disable ASN.1 / certificates */
#define NO_ASN
#define NO_CERTS
#define NO_CODING
#endif
#if 0 /* Disable RNG (ECC verify only) */
#define WC_NO_RNG
#endif
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 1 /* Disable error strings to save flash */
#define NO_ERROR_STRINGS
#endif

274
examples/configs/user_settings_openssl_compat.h Normal file
View File

@@ -0,0 +1,274 @@
/* user_settings_openssl_compat.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* OpenSSL compatibility layer for drop-in replacement.
* Provides OpenSSL API compatibility for applications migrating from OpenSSL.
*
* Build and test:
* cp ./examples/configs/user_settings_openssl_compat.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* OpenSSL Compatibility */
/* ------------------------------------------------- */
#define OPENSSL_EXTRA
#if 1 /* Full OpenSSL API compatibility */
#define OPENSSL_ALL
#endif
/* OpenSSL-compatible names and behavior */
#define WOLFSSL_VERBOSE_ERRORS
#define ERROR_QUEUE_PER_THREAD
#define WOLFSSL_ERROR_CODE_OPENSSL
#define HAVE_WOLFSSL_SSL_H
#define OPENSSL_COMPATIBLE_DEFAULTS
/* Avoid old name conflicts */
#define NO_OLD_RNGNAME
#define NO_OLD_WC_NAMES
#define NO_OLD_SSL_NAMES
#define NO_OLD_SHA_NAMES
#define NO_OLD_MD5_NAME
/* Extra data support (SSL_CTX_set_ex_data, etc.) */
#define HAVE_EX_DATA
/* ------------------------------------------------- */
/* Application Compatibility */
/* ------------------------------------------------- */
#if 0 /* nginx */
#define WOLFSSL_NGINX
#endif
#if 0 /* HAProxy */
#define WOLFSSL_HAPROXY
#endif
#if 0 /* Apache httpd */
#define HAVE_LIGHTY
#endif
#if 0 /* stunnel */
#define HAVE_STUNNEL
#endif
#if 0 /* OpenVPN */
#define WOLFSSL_OPENVPN
#endif
#if 0 /* Qt */
#define WOLFSSL_QT
#endif
#if 0 /* cURL */
#define WOLFSSL_LIBCURL
#endif
#if 0 /* OpenSSH */
#define WOLFSSL_OPENSSH
#endif
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
/* ------------------------------------------------- */
/* TLS Versions */
/* ------------------------------------------------- */
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_EXTENDED_MASTER
#define HAVE_ENCRYPT_THEN_MAC
#define HAVE_HKDF
#define WC_RSA_PSS
#if 1 /* TLS 1.2 (for compatibility) */
#undef WOLFSSL_NO_TLS12
#endif
#if 0 /* Allow older TLS (not recommended) */
#undef NO_OLD_TLS
#else
#define NO_OLD_TLS
#endif
/* TLS Extensions */
#define HAVE_SESSION_TICKET
#define HAVE_SNI
#define HAVE_ALPN
#define HAVE_MAX_FRAGMENT
#define HAVE_TRUNCATED_HMAC
#define HAVE_SECURE_RENEGOTIATION
#define HAVE_SERVER_RENEGOTIATION_INFO
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* ECC */
/* ------------------------------------------------- */
#define HAVE_ECC
#define TFM_ECC256
#define ECC_SHAMIR
#define HAVE_ECC_CDH
#define HAVE_COMP_KEY
/* ------------------------------------------------- */
/* Curve25519 / Ed25519 */
/* ------------------------------------------------- */
#define HAVE_CURVE25519
#define HAVE_ED25519
/* ------------------------------------------------- */
/* Curve448 / Ed448 */
/* ------------------------------------------------- */
#if 1 /* Ed448/X448 */
#define HAVE_CURVE448
#define HAVE_ED448
#endif
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#undef NO_RSA
#define WC_RSA_NO_PADDING
#define WOLFSSL_KEY_GEN
/* ------------------------------------------------- */
/* DH */
/* ------------------------------------------------- */
#undef NO_DH
#define HAVE_FFDHE_2048
#define HAVE_FFDHE_3072
#define HAVE_FFDHE_4096
#define HAVE_DH_DEFAULT_PARAMS
#define WOLFSSL_DH_EXTRA
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
#define WOLFSSL_AESGCM_STREAM
#define HAVE_AESCCM
#define WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_DIRECT
#define WOLFSSL_AES_OFB
#define WOLFSSL_AES_CFB
#define HAVE_AES_ECB
#define HAVE_AES_KEYWRAP
#define HAVE_AES_DECRYPT
#define HAVE_CHACHA
#define HAVE_POLY1305
#define HAVE_ONE_TIME_AUTH
#define HAVE_XCHACHA
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
#define WOLFSSL_SHA224
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#define WOLFSSL_SHA3
#define WOLFSSL_SHAKE256
#define HAVE_BLAKE2
#define HAVE_BLAKE2B
#define HAVE_BLAKE2S
/* ------------------------------------------------- */
/* Additional Features */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
#define WOLFSSL_CMAC
#define WOLFSSL_DES_ECB
#define HAVE_CTS
#define HAVE_HKDF
#define HAVE_X963_KDF
#define HAVE_KEYING_MATERIAL
#define WOLFSSL_HAVE_PRF
/* ------------------------------------------------- */
/* Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#define WOLFSSL_MULTI_ATTRIB
#define WOLFSSL_DER_LOAD
#define WOLFSSL_PEM_TO_DER
#define WOLFSSL_DER_TO_PEM
#define WOLFSSL_ALT_NAMES
#define HAVE_CRL
#define HAVE_OCSP
#define HAVE_CERTIFICATE_STATUS_REQUEST
#define HAVE_CERTIFICATE_STATUS_REQUEST_V2
/* ------------------------------------------------- */
/* Encoding */
/* ------------------------------------------------- */
#define WOLFSSL_BASE16
#define WOLFSSL_BASE64_ENCODE
/* ------------------------------------------------- */
/* Session Cache */
/* ------------------------------------------------- */
#define HAVE_EXT_CACHE
#define SESSION_CERTS
#define PERSIST_SESSION_CACHE
#define PERSIST_CERT_CACHE
/* ------------------------------------------------- */
/* PKCS */
/* ------------------------------------------------- */
#define HAVE_PKCS8
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_PSK
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

215
examples/configs/user_settings_pkcs7.h Normal file
View File

@@ -0,0 +1,215 @@
/* user_settings_pkcs7.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* PKCS#7 / CMS configuration for signing and encryption.
* Suitable for S/MIME, firmware signing, secure messaging.
* No TLS - cryptographic operations only.
*
* Build and test:
* cp ./examples/configs/user_settings_pkcs7.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#define WOLFCRYPT_ONLY
#if 0 /* Single threaded */
#define SINGLE_THREADED
#endif
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
#if 0 /* Small code size */
#define WOLFSSL_SP_SMALL
#endif
/* ------------------------------------------------- */
/* PKCS#7 / CMS */
/* ------------------------------------------------- */
#define HAVE_PKCS7
/* PKCS#7 Content Types */
#if 1 /* Signed Data */
/* Default enabled with HAVE_PKCS7 */
#endif
#if 1 /* Enveloped Data (encryption) */
/* Default enabled with HAVE_PKCS7 */
#endif
#if 0 /* Compressed Data (requires libz) */
#define HAVE_LIBZ
#endif
#if 1 /* Authenticated Enveloped Data (AES-GCM) */
/* Requires HAVE_AESGCM */
#endif
/* PKCS#7 Features */
#define HAVE_X963_KDF
#define HAVE_HKDF
/* ------------------------------------------------- */
/* S/MIME */
/* ------------------------------------------------- */
#if 1 /* S/MIME support */
#define HAVE_SMIME
#endif
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* ECC */
/* ------------------------------------------------- */
#if 1 /* ECC support */
#define HAVE_ECC
#define ECC_USER_CURVES
#undef NO_ECC256
#if 1 /* P-384 */
#define HAVE_ECC384
#endif
#if 0 /* P-521 */
#define HAVE_ECC521
#endif
#define ECC_SHAMIR
#define HAVE_ECC_ENCRYPT /* ECIES for PKCS#7 */
#endif
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#if 1 /* RSA support */
#undef NO_RSA
#define WOLFSSL_KEY_GEN
#define WC_RSA_NO_PADDING
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
/* AES (required for PKCS#7) */
#define HAVE_AES_CBC
#define HAVE_AES_DECRYPT
#define HAVE_AES_KEYWRAP
#define WOLFSSL_AES_DIRECT
#if 1 /* AES-GCM (AuthEnvelopedData) */
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
#endif
#if 1 /* AES-CCM */
#define HAVE_AESCCM
#endif
#if 0 /* 3DES (legacy, not recommended) */
#undef NO_DES3
#else
#define NO_DES3
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 required */
#if 1 /* SHA-1 (for legacy compatibility) */
#undef NO_SHA
#else
#define NO_SHA
#endif
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#if 1 /* SHA-3 */
#define WOLFSSL_SHA3
#endif
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
/* Certificate generation for signing */
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#define WOLFSSL_MULTI_ATTRIB
/* Certificate parsing */
#define WOLFSSL_PEM_TO_DER
#define WOLFSSL_DER_TO_PEM
#define WOLFSSL_DER_LOAD
/* ------------------------------------------------- */
/* Encoding */
/* ------------------------------------------------- */
#define WOLFSSL_BASE64_ENCODE
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DH
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_PSK
#define NO_PWDBASED
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 0 /* Disable error strings */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

232
examples/configs/user_settings_pq.h Normal file
View File

@@ -0,0 +1,232 @@
/* user_settings_pq.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* Post-Quantum TLS 1.3 with ML-KEM (Kyber) and ML-DSA (Dilithium).
* Provides quantum-resistant key exchange and signatures.
* Based on NIST FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) standards.
*
* Build and test:
* cp ./examples/configs/user_settings_pq.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
/* ------------------------------------------------- */
/* TLS 1.3 (required for PQ) */
/* ------------------------------------------------- */
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF
#define WC_RSA_PSS
/* Disable older TLS versions */
#define WOLFSSL_NO_TLS12
#define NO_OLD_TLS
#if 1 /* Session tickets */
#define HAVE_SESSION_TICKET
#endif
#if 1 /* Server Name Indication */
#define HAVE_SNI
#endif
/* ------------------------------------------------- */
/* Experimental Settings (required for PQ) */
/* ------------------------------------------------- */
#define WOLFSSL_EXPERIMENTAL_SETTINGS
/* ------------------------------------------------- */
/* ML-KEM / Kyber (Key Encapsulation) */
/* ------------------------------------------------- */
#if 1 /* ML-KEM (FIPS 203) */
#define WOLFSSL_HAVE_KYBER
#define WOLFSSL_WC_KYBER
#define WOLFSSL_KYBER512 /* Level 1: 128-bit security */
#define WOLFSSL_KYBER768 /* Level 3: 192-bit security */
#define WOLFSSL_KYBER1024 /* Level 5: 256-bit security */
#endif
/* ------------------------------------------------- */
/* ML-DSA / Dilithium (Signatures) */
/* ------------------------------------------------- */
#if 1 /* ML-DSA (FIPS 204) */
#define HAVE_DILITHIUM
#define WOLFSSL_WC_DILITHIUM
#define DILITHIUM_LEVEL2 /* Level 2: ~128-bit security */
#define DILITHIUM_LEVEL3 /* Level 3: ~192-bit security */
#define DILITHIUM_LEVEL5 /* Level 5: ~256-bit security */
/* Uses FIPS 204 final standard by default */
#if 0 /* FIPS 204 Draft version */
#define WOLFSSL_DILITHIUM_FIPS204_DRAFT
#endif
#define WOLFSSL_SHAKE128
#define WOLFSSL_SHAKE256
#endif
/* ------------------------------------------------- */
/* LMS (Stateful Hash-Based Signatures) */
/* ------------------------------------------------- */
#if 0 /* LMS signatures */
#define WOLFSSL_HAVE_LMS
#define WOLFSSL_WC_LMS
#ifndef LMS_LEVELS
#define LMS_LEVELS 2
#endif
#ifndef LMS_HEIGHT
#define LMS_HEIGHT 10
#endif
#ifndef LMS_WINTERNITZ
#define LMS_WINTERNITZ 8
#endif
#endif
/* ------------------------------------------------- */
/* XMSS (Stateful Hash-Based Signatures) */
/* ------------------------------------------------- */
#if 0 /* XMSS signatures */
#define WOLFSSL_HAVE_XMSS
#define WOLFSSL_WC_XMSS
#ifndef WOLFSSL_XMSS_MAX_HEIGHT
#define WOLFSSL_XMSS_MAX_HEIGHT 20
#endif
#endif
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* Classical ECC (hybrid with PQ) */
/* ------------------------------------------------- */
#if 1 /* ECC for hybrid key exchange */
#define HAVE_ECC
#define ECC_USER_CURVES
#undef NO_ECC256
#define HAVE_ECC384
#define ECC_SHAMIR
#endif
/* ------------------------------------------------- */
/* Curve25519 (hybrid with PQ) */
/* ------------------------------------------------- */
#if 1 /* X25519 for hybrid key exchange */
#define HAVE_CURVE25519
#endif
/* ------------------------------------------------- */
/* RSA (for legacy compatibility) */
/* ------------------------------------------------- */
#if 1 /* RSA support */
#undef NO_RSA
#define WOLFSSL_KEY_GEN
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* DH */
/* ------------------------------------------------- */
#define NO_DH
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
#if 1 /* ChaCha20-Poly1305 */
#define HAVE_CHACHA
#define HAVE_POLY1305
#define HAVE_ONE_TIME_AUTH
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#define WOLFSSL_SHA3
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#if 1 /* Certificate generation with PQ algorithms */
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#endif
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_PSK
#define NO_PWDBASED
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 0 /* Disable error strings */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

238
examples/configs/user_settings_rsa_only.h Normal file
View File

@@ -0,0 +1,238 @@
/* user_settings_rsa_only.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* RSA-only configuration (no ECC).
* For legacy systems that require RSA-only cipher suites.
* Supports TLS 1.2 and 1.3 with RSA certificates.
*
* Build and test:
* cp ./examples/configs/user_settings_rsa_only.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#if 0 /* Single threaded */
#define SINGLE_THREADED
#endif
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_SP_4096
#if 0 /* Small code size */
#define WOLFSSL_SP_SMALL
#endif
/* ------------------------------------------------- */
/* TLS */
/* ------------------------------------------------- */
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_EXTENDED_MASTER
#define HAVE_ENCRYPT_THEN_MAC
#define HAVE_HKDF
#define WC_RSA_PSS
/* TLS 1.2 for legacy compatibility */
#if 1 /* Enable TLS 1.2 */
#undef WOLFSSL_NO_TLS12
#else
#define WOLFSSL_NO_TLS12
#endif
#define NO_OLD_TLS
/* TLS Extensions */
#if 1 /* Session tickets */
#define HAVE_SESSION_TICKET
#endif
#if 1 /* Server Name Indication */
#define HAVE_SNI
#endif
#if 1 /* Secure renegotiation */
#define HAVE_SECURE_RENEGOTIATION
#define HAVE_SERVER_RENEGOTIATION_INFO
#endif
/* Client/Server */
#if 0 /* Client only */
#define NO_WOLFSSL_SERVER
#endif
#if 0 /* Server only */
#define NO_WOLFSSL_CLIENT
#endif
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#undef NO_RSA
/* RSA key sizes */
#if 1 /* 2048-bit (minimum recommended) */
/* Always enabled */
#endif
#if 1 /* 3072-bit */
/* Enabled via WOLFSSL_SP_MATH_ALL */
#endif
#if 1 /* 4096-bit */
#define WOLFSSL_SP_4096
#endif
/* RSA features */
#define WOLFSSL_KEY_GEN
#define WC_RSA_NO_PADDING
#if 0 /* RSA-PSS only (no PKCS#1 v1.5) */
#define WC_RSA_PSS_ONLY
#endif
#if 0 /* Low memory RSA */
#define RSA_LOW_MEM
#endif
/* ------------------------------------------------- */
/* DH (for TLS 1.2 key exchange) */
/* ------------------------------------------------- */
#if 1 /* DH key exchange */
#undef NO_DH
#define HAVE_FFDHE_2048
#define HAVE_FFDHE_3072
#define HAVE_FFDHE_4096
#define HAVE_DH_DEFAULT_PARAMS
#define WOLFSSL_HAVE_SP_DH
#else
#define NO_DH
#endif
/* ------------------------------------------------- */
/* ECC - Disabled */
/* ------------------------------------------------- */
#define NO_ECC
/* Note: TLS 1.3 typically requires ECDHE, but can work with
* FFDHE (DH) key exchange with RSA certificates */
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
/* AES-GCM (required for TLS 1.3) */
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
/* AES-CBC (for TLS 1.2) */
#define HAVE_AES_CBC
#define HAVE_AES_DECRYPT
#if 1 /* ChaCha20-Poly1305 */
#define HAVE_CHACHA
#define HAVE_POLY1305
#define HAVE_ONE_TIME_AUTH
#endif
#if 0 /* AES-CCM */
#define HAVE_AESCCM
#endif
#if 0 /* Additional AES modes */
#define WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_DIRECT
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 required */
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#if 1 /* SHA-1 (for TLS 1.2 compatibility) */
#undef NO_SHA
#else
#define NO_SHA
#endif
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#if 1 /* Certificate generation */
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#endif
#if 1 /* CRL/OCSP */
#define HAVE_CRL
#define HAVE_OCSP
#endif
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_PSK
#define NO_PWDBASED
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 0 /* Disable error strings to save flash */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

82
examples/configs/user_settings_template.h
View File

@@ -41,8 +41,8 @@ extern "C" {
/* ------------------------------------------------------------------------- */
#define WOLFSSL_GENERAL_ALIGNMENT 4
#define SIZEOF_LONG_LONG 8
#if 0
#define NO_64BIT /* disable use of 64-bit variables */
#if 0 /* Disable 64-bit types */
#define NO_64BIT
#endif
#ifdef TARGET_EMBEDDED
@@ -62,7 +62,7 @@ extern "C" {
/* Math Configuration */
/* ------------------------------------------------------------------------- */
/* Wolf Single Precision Math */
#if 1
#if 1 /* SP Math (recommended) */
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_HAVE_SP_DH
#define WOLFSSL_HAVE_SP_ECC
@@ -78,10 +78,9 @@ extern "C" {
#ifdef TARGET_EMBEDDED
/* use smaller version of code */
#define WOLFSSL_SP_SMALL
#else
/* SP Assembly Speedups - specific to chip type */
#define WOLFSSL_SP_ASM
#endif
/* SP Assembly Speedups - specific to chip type */
//#define WOLFSSL_SP_ASM
//#define WOLFSSL_SP_X86_64
//#define WOLFSSL_SP_X86
//#define WOLFSSL_SP_ARM32_ASM
@@ -103,7 +102,7 @@ extern "C" {
/* ------------------------------------------------------------------------- */
/* RSA */
#undef NO_RSA
#if 1
#if 1 /* RSA */
#ifdef USE_FAST_MATH
/* Maximum math bits (Max RSA key bits * 2) */
#define FP_MAX_BITS 4096
@@ -123,9 +122,9 @@ extern "C" {
/* DH */
#undef NO_DH
#if 1
/* Use table for DH instead of -lm (math) lib dependency */
#if 1
#if 1 /* DH */
/* Use table for DH instead of -lm (math) lib */
#if 1 /* FFDHE parameters */
#define WOLFSSL_DH_CONST
#define HAVE_FFDHE_2048
//#define HAVE_FFDHE_4096
@@ -138,7 +137,7 @@ extern "C" {
/* ECC */
#undef HAVE_ECC
#if 1
#if 1 /* ECC */
#define HAVE_ECC
/* Manually define enabled curves */
@@ -195,7 +194,7 @@ extern "C" {
/* AES */
#undef NO_AES
#if 1
#if 1 /* AES */
#define HAVE_AES_CBC
/* GCM Method: GCM_TABLE_4BIT, GCM_SMALL, GCM_WORD32 or GCM_TABLE */
@@ -217,7 +216,7 @@ extern "C" {
/* DES3 */
#undef NO_DES3
#if 0
#if 0 /* DES3 (legacy, not recommended) */
#else
#define NO_DES3
#endif
@@ -225,7 +224,7 @@ extern "C" {
/* ChaCha20 / Poly1305 */
#undef HAVE_CHACHA
#undef HAVE_POLY1305
#if 1
#if 1 /* ChaCha20 / Poly1305 */
#define HAVE_CHACHA
#define HAVE_POLY1305
@@ -236,12 +235,12 @@ extern "C" {
/* Ed25519 / Curve25519 */
#undef HAVE_CURVE25519
#undef HAVE_ED25519
#if 0
#if 0 /* Ed25519 / Curve25519 */
#define HAVE_CURVE25519
#define HAVE_ED25519 /* ED25519 Requires SHA512 */
/* Optionally use small math (less flash usage, but much slower) */
#if 1
/* Optionally use small math (less flash, slower) */
#if 1 /* Small Curve25519 */
#define CURVED25519_SMALL
#endif
#endif
@@ -252,7 +251,7 @@ extern "C" {
/* ------------------------------------------------------------------------- */
/* Sha */
#undef NO_SHA
#if 1
#if 1 /* SHA-1 */
/* 1k smaller, but 25% slower */
//#define USE_SLOW_SHA
#else
@@ -261,12 +260,12 @@ extern "C" {
/* Sha256 */
#undef NO_SHA256
#if 1
#if 1 /* SHA-256 */
/* not unrolled - ~2k smaller and ~25% slower */
//#define USE_SLOW_SHA256
/* Sha224 */
#if 0
/* SHA-224 (requires SHA-256) */
#if 0 /* SHA-224 */
#define WOLFSSL_SHA224
#endif
#else
@@ -275,12 +274,12 @@ extern "C" {
/* Sha512 */
#undef WOLFSSL_SHA512
#if 0
#if 0 /* SHA-512 */
#define WOLFSSL_SHA512
/* Sha384 */
/* SHA-384 (requires SHA-512) */
#undef WOLFSSL_SHA384
#if 0
#if 0 /* SHA-384 */
#define WOLFSSL_SHA384
#endif
@@ -290,27 +289,27 @@ extern "C" {
/* Sha3 */
#undef WOLFSSL_SHA3
#if 0
#if 0 /* SHA-3 */
#define WOLFSSL_SHA3
#endif
/* MD5 */
#undef NO_MD5
#if 0
#if 0 /* MD5 (legacy, not recommended) */
/* MD5 enabled */
#else
#define NO_MD5
#endif
/* HKDF */
#undef HAVE_HKDF
#if 1
#if 1 /* HKDF (TLS 1.3 requires this) */
#define HAVE_HKDF
#endif
/* CMAC */
#undef WOLFSSL_CMAC
#if 0
#if 0 /* CMAC */
#define WOLFSSL_CMAC
#endif
@@ -335,10 +334,10 @@ extern "C" {
#undef DEBUG_WOLFSSL
#undef NO_ERROR_STRINGS
#if 0
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#else
#if 0
#if 0 /* Disable error strings to save flash */
#define NO_ERROR_STRINGS
#endif
#endif
@@ -349,7 +348,7 @@ extern "C" {
/* ------------------------------------------------------------------------- */
/* Override Memory API's */
#if 0
#if 0 /* Custom malloc/free/realloc */
#define XMALLOC_OVERRIDE
/* prototypes for user heap override functions */
@@ -365,24 +364,23 @@ extern "C" {
#define XREALLOC(p, n, h, t) myRealloc(p, n, h, t)
#endif
#if 0
/* Static memory requires fast math */
#if 0 /* Static memory (no heap) */
#define WOLFSSL_STATIC_MEMORY
/* Disable fallback malloc/free */
#define WOLFSSL_NO_MALLOC
#if 1
#if 1 /* Trap malloc failure */
#define WOLFSSL_MALLOC_CHECK /* trap malloc failure */
#endif
#endif
/* Memory callbacks */
#if 0
#if 0 /* wolfSSL memory callbacks */
#undef USE_WOLFSSL_MEMORY
#define USE_WOLFSSL_MEMORY
/* Use this to measure / print heap usage */
#if 0
#if 0 /* Memory tracking / debug */
#define WOLFSSL_TRACK_MEMORY
#define WOLFSSL_DEBUG_MEMORY
#endif
@@ -399,7 +397,7 @@ extern "C" {
/* ------------------------------------------------------------------------- */
/* Override Current Time */
#if 0
#if 0 /* Custom time function */
/* Allows custom "custom_time()" function to be used for benchmark */
#define WOLFSSL_USER_CURRTIME
#define WOLFSSL_GMTIME
@@ -414,9 +412,9 @@ extern "C" {
/* ------------------------------------------------------------------------- */
/* Choose RNG method */
#if 1
#if 1 /* P-RNG with hash DRBG */
/* Custom Seed Source */
#if 0
#if 0 /* Custom HW RNG seed */
/* Size of returned HW RNG value */
#define CUSTOM_RAND_TYPE unsigned int
extern unsigned int my_rng_seed_gen(void);
@@ -444,7 +442,7 @@ extern "C" {
/* ------------------------------------------------------------------------- */
/* Allows override of all standard library functions */
#undef STRING_USER
#if 0
#if 0 /* Custom standard library overrides */
#define STRING_USER
#include <string.h>
@@ -490,7 +488,7 @@ extern "C" {
//#define HAVE_COMP_KEY
/* TLS Session Cache */
#if 0
#if 0 /* Small session cache */
#define SMALL_SESSION_CACHE
#else
#define NO_SESSION_CACHE

1
examples/configs/user_settings_tls12.h
View File

@@ -132,6 +132,7 @@ extern "C" {
#define NO_MD4
#define NO_MD5
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_PWDBASED
#define WOLFSSL_NO_SHAKE128
#define WOLFSSL_NO_SHAKE256

214
examples/configs/user_settings_tls13.h Normal file
View File

@@ -0,0 +1,214 @@
/* user_settings_tls13.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* TLS 1.3 only (no TLS 1.2 or older) with modern algorithms.
* Supports both client and server.
*
* Build and test:
* cp ./examples/configs/user_settings_tls13.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#if 0 /* Single threaded */
#define SINGLE_THREADED
#endif
#if 0 /* Disable filesystem */
#define NO_FILESYSTEM
#endif
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
#if 0 /* Small code size */
#define WOLFSSL_SP_SMALL
#endif
/* ------------------------------------------------- */
/* TLS 1.3 */
/* ------------------------------------------------- */
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF
#define WC_RSA_PSS
/* Disable older TLS versions */
#define WOLFSSL_NO_TLS12
#define NO_OLD_TLS
/* TLS 1.3 Extensions */
#if 1 /* Session tickets */
#define HAVE_SESSION_TICKET
#endif
#if 0 /* Early data (0-RTT) */
#define WOLFSSL_EARLY_DATA
#endif
#if 0 /* Post-handshake authentication */
#define WOLFSSL_POST_HANDSHAKE_AUTH
#endif
#if 1 /* Server Name Indication */
#define HAVE_SNI
#endif
/* Client/Server */
#if 0 /* Client only */
#define NO_WOLFSSL_SERVER
#endif
#if 0 /* Server only */
#define NO_WOLFSSL_CLIENT
#endif
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* ECC */
/* ------------------------------------------------- */
#if 1 /* ECC support */
#define HAVE_ECC
#define ECC_USER_CURVES
#undef NO_ECC256
#if 1 /* P-384 */
#define HAVE_ECC384
#endif
#if 0 /* P-521 */
#define HAVE_ECC521
#endif
#define ECC_SHAMIR
#endif
/* ------------------------------------------------- */
/* Curve25519 / Ed25519 */
/* ------------------------------------------------- */
#if 1 /* X25519 key exchange */
#define HAVE_CURVE25519
#endif
#if 0 /* Ed25519 signatures */
#define HAVE_ED25519
#endif
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#if 1 /* RSA support */
#undef NO_RSA
#define WOLFSSL_KEY_GEN
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* DH */
/* ------------------------------------------------- */
#if 0 /* DH key exchange (FFDHE) */
#undef NO_DH
#define HAVE_FFDHE_2048
#define HAVE_FFDHE_3072
#define HAVE_DH_DEFAULT_PARAMS
#else
#define NO_DH
#endif
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
/* AES-GCM (required for TLS 1.3) */
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
#if 1 /* ChaCha20-Poly1305 */
#define HAVE_CHACHA
#define HAVE_POLY1305
#define HAVE_ONE_TIME_AUTH
#endif
#if 0 /* AES-CCM */
#define HAVE_AESCCM
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 required */
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#if 0 /* Certificate generation */
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#endif
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_PSK
#define NO_PWDBASED
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 0 /* Disable error strings to save flash */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

190
examples/configs/user_settings_wolfboot_keytools.h
View File

@@ -3,7 +3,6 @@
* wolfCrypt build settings for wolfBoot keygen and signing tool
* Enabled via WOLFSSL_USER_SETTINGS.
*
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
@@ -23,58 +22,154 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifndef H_USER_SETTINGS_
#define H_USER_SETTINGS_
/* wolfBoot key generation and signing tool.
* Derived from wolfBoot tools/keytools/user_settings.h
*
* Build and test:
* cp ./examples/configs/user_settings_wolfboot_keytools.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
/* #include <stdint.h> */ /* DG: Removed, not needed for testing */
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
/* System */
#define WOLFSSL_GENERAL_ALIGNMENT 4
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#define SINGLE_THREADED
#define WOLFCRYPT_ONLY
#define SIZEOF_LONG_LONG 8
/* ------------------------------------------------- */
/* Math */
#define USE_FAST_MATH
#define FP_MAX_BITS (4096 * 2)
/* ------------------------------------------------- */
#if 0 /* Fast Math */
#define USE_FAST_MATH
#define FP_MAX_BITS (4096 * 2)
#else /* SP Math (recommended) */
#define WOLFSSL_SP_MATH
#define WOLFSSL_HAVE_SP_ECC
#define WOLFSSL_SP_384
#define WOLFSSL_SP_521
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_SP_4096
#endif
#define TFM_TIMING_RESISTANT
/* ------------------------------------------------- */
/* ECC */
#define HAVE_ECC
#define WOLFSSL_HAVE_SP_ECC
#define ECC_TIMING_RESISTANT
#define HAVE_ECC256
#define HAVE_ECC384
#define HAVE_ECC521
/* ------------------------------------------------- */
#if 1 /* ECC support */
#define HAVE_ECC
#define ECC_TIMING_RESISTANT
#define ECC_USER_CURVES
#undef NO_ECC256
#if 1 /* ECC P-384 */
#define HAVE_ECC384
#endif
#if 1 /* ECC P-521 */
#define HAVE_ECC521
#endif
#endif
/* ED25519 */
#define HAVE_ED25519
/* DG: Added, since --enable-usersettings expects small version to be used */
#define ED25519_SMALL
/* ------------------------------------------------- */
/* ED25519 / Curve25519 */
/* ------------------------------------------------- */
#if 1 /* ED25519 signing support */
#define HAVE_ED25519
#endif
/* ED448 */
#define HAVE_ED448
#define WOLFSSL_SHAKE256
/* ------------------------------------------------- */
/* ED448 / Curve448 */
/* ------------------------------------------------- */
#if 1 /* ED448 signing support */
#define HAVE_ED448
#define WOLFSSL_SHAKE256
#endif
/* ------------------------------------------------- */
/* RSA */
#define WOLFSSL_HAVE_SP_RSA
#define WC_RSA_BLINDING
#define WOLFSSL_KEY_GEN
/* ------------------------------------------------- */
#if 1 /* RSA signing support */
#define HAVE_RSA
#define WC_RSA_BLINDING
#define WOLFSSL_KEY_GEN
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* Hashing */
#define WOLFSSL_SHA512 /* Required for ED25519 */
/* ------------------------------------------------- */
#define WOLFSSL_SHA512 /* Required for ED25519/ED448 */
#define WOLFSSL_SHA384
#define WOLFSSL_SHA3
#undef NO_SHA256
/* Chacha stream cipher */
#define HAVE_CHACHA
/* ------------------------------------------------- */
/* Post-Quantum Algorithms */
/* ------------------------------------------------- */
#define WOLFSSL_EXPERIMENTAL_SETTINGS
/* AES */
#define WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_DIRECT
#if 1 /* ML-DSA / Dilithium */
#define HAVE_DILITHIUM
#define WOLFSSL_WC_DILITHIUM
/* Builds to FIPS 204 final standard by default.
* Set to 1 for draft version. */
#if 0 /* FIPS 204 Draft */
#define WOLFSSL_DILITHIUM_FIPS204_DRAFT
#endif
#ifndef ML_DSA_LEVEL
#define ML_DSA_LEVEL 2
#endif
#define WOLFSSL_SHAKE128 /* Required for Dilithium */
#endif
/* Disables */
#if 1 /* LMS */
#define WOLFSSL_HAVE_LMS
#define WOLFSSL_WC_LMS
#ifndef LMS_LEVELS
#define LMS_LEVELS 1
#endif
#ifndef LMS_HEIGHT
#define LMS_HEIGHT 10
#endif
#ifndef LMS_WINTERNITZ
#define LMS_WINTERNITZ 8
#endif
#endif
#if 1 /* XMSS */
#define WOLFSSL_HAVE_XMSS
#define WOLFSSL_WC_XMSS
#ifndef WOLFSSL_XMSS_MAX_HEIGHT
#define WOLFSSL_XMSS_MAX_HEIGHT 32
#endif
#endif
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
#if 1 /* ChaCha20 stream cipher */
#define HAVE_CHACHA
#endif
#if 1 /* AES-CTR / AES direct */
#define WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_DIRECT
#endif
/* ------------------------------------------------- */
/* ASN */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_CMAC
#define NO_HMAC
#define NO_RC4
@@ -82,26 +177,31 @@
#define NO_DH
#define NO_DSA
#define NO_MD4
#define NO_RABBIT
#define NO_MD5
#define NO_DES3
#define NO_PWDBASED
#define NO_OLD_RNGNAME
#define NO_RABBIT
#define NO_HC128
/* ------------------------------------------------- */
/* Disabled Features */
/* ------------------------------------------------- */
#define NO_SIG_WRAPPER
#define NO_CERTS
#define NO_SESSION_CACHE
#define NO_HC128
#define NO_DES3
#define NO_PWDBASED
#define NO_WRITEV
#define NO_OLD_RNGNAME
#define NO_WOLFSSL_DIR
#define WOLFSSL_NO_SOCK
#define WOLFSSL_IGNORE_FILE_WARN
#define NO_ERROR_STRINGS
#define BENCH_EMBEDDED
/* DG: Removed since we need it here for testing */
/* #define NO_MAIN_DRIVER */
/* #define NO_CRYPT_TEST */
/* #define NO_CRYPT_BENCHMARK */
#if 1 /* Disable error strings to save flash */
#define NO_ERROR_STRINGS
#endif
#endif /* !H_USER_SETTINGS_ */
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

6
examples/configs/user_settings_wolfssh.h
View File

@@ -46,8 +46,8 @@ wolfSSH:
make
*/
#ifndef WOLFSSL_USER_SETTINGS_SSH_H
#define WOLFSSL_USER_SETTINGS_SSH_H
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
@@ -211,4 +211,4 @@ extern "C" {
#endif
#endif /* WOLFSSL_USER_SETTINGS_SSH_H */
#endif /* WOLFSSL_USER_SETTINGS_H */

14
examples/configs/user_settings_wolftpm.h
View File

@@ -59,15 +59,15 @@ make
*/
#ifndef WOLF_USER_SETTINGS_TPM_H
#define WOLF_USER_SETTINGS_TPM_H
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* enable for low resource options */
#if 0
/* Enable for low resource options (smaller, no TLS) */
#if 0 /* Low resource mode */
#define USE_LOW_RESOURCE
#endif
@@ -121,7 +121,7 @@ extern "C" {
#endif
/* Asymmetric */
#if 1 /* RSA - needed to encrypt salt */
#if 1 /* RSA - needed for TPM salt encryption */
#undef NO_RSA
#ifdef USE_LOW_RESOURCE
#define WOLFSSL_RSA_PUBLIC_ONLY
@@ -131,7 +131,7 @@ extern "C" {
#else
#define NO_RSA
#endif
#if 1 /* ECC - needed for encrypt ECC salt */
#if 1 /* ECC - needed for TPM ECC operations */
#define HAVE_ECC
#define ECC_USER_CURVES /* default to only SECP256R1 */
#endif
@@ -223,4 +223,4 @@ extern "C" {
}
#endif
#endif /* WOLF_USER_SETTINGS_TPM_H */
#endif /* WOLFSSL_USER_SETTINGS_H */

11
src/internal.c
View File

@@ -15160,7 +15160,7 @@ PRAGMA_GCC_DIAG_POP
return ret;
#endif
}
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(NO_TLS)
if (verify != NO_VERIFY && TLSX_CSR2_IsMulti(ssl->extensions)) {
extraSigners = TLSX_CSR2_GetPendingSigners(ssl->extensions);
}
@@ -15937,6 +15937,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* If we are processing OCSP staples then always
* initialize the corresponding request. */
int ocspRet = 0;
#ifndef NO_TLS
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
addToPendingCAs = 0;
if (ssl->options.side == WOLFSSL_CLIENT_END &&
@@ -15961,6 +15962,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
else
#endif
#endif /* NO_TLS */
if (ret == 0 && SSL_CM(ssl)->ocspEnabled &&
SSL_CM(ssl)->ocspCheckAll) {
WOLFSSL_MSG("Doing Non Leaf OCSP check");
@@ -16462,6 +16464,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("Checking if ocsp needed");
if (ssl->options.side == WOLFSSL_CLIENT_END) {
#ifndef NO_TLS
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
if (ssl->status_request) {
args->fatal = (TLSX_CSR_InitRequest_ex(
@@ -16494,6 +16497,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("\tHave status request v2");
}
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
#endif /* !NO_TLS */
}
#ifdef HAVE_OCSP
@@ -17314,8 +17318,8 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
return BUFFER_ERROR;
switch (status_type) {
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
#ifndef NO_TLS
#if (defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_TLS)) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
/* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */
@@ -17431,6 +17435,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
break;
#endif
#endif /* !NO_TLS */
default:
ret = BUFFER_ERROR;

2
src/ocsp.c
View File

@@ -373,7 +373,7 @@ int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz,
#endif
InitOcspResponse(ocspResponse, newSingle, newStatus, response,
(word32)responseSz, ocsp->cm->heap);
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(NO_TLS)
if (ocspRequest != NULL && ocspRequest->ssl != NULL &&
TLSX_CSR2_IsMulti(((WOLFSSL*)ocspRequest->ssl)->extensions)) {
ocspResponse->pendingCAs = TLSX_CSR2_GetPendingSigners(((WOLFSSL*)ocspRequest->ssl)->extensions);

3
wolfssl/internal.h
View File

@@ -3198,8 +3198,9 @@ WOLFSSL_LOCAL int TLSX_Append(TLSX** list, TLSX_Type type,
|| defined(HAVE_SECURE_RENEGOTIATION) \
|| defined(HAVE_SERVER_RENEGOTIATION_INFO)
#ifndef NO_TLS
#error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined.
#endif
#endif /* HAVE_TLS_EXTENSIONS */
/** Server Name Indication - RFC 6066 (session 3) */