From 3946ba8de3f7163667081e20a040300c4a96c26b Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 28 Jan 2026 09:46:21 -0800 Subject: [PATCH] Improve user_settings.h examples and add validation rules - Standardize header guards to WOLFSSL_USER_SETTINGS_H across all files - Add #if 0/1 gates with labels for easy feature toggling - Fix bugs: typos in eccnonblock (WOLFSL_SHA*), duplicates in fipsv5/all - Add NO_DES3_TLS_SUITES alongside NO_DES3 where needed - Update wolfboot_keytools with upstream PQ algorithms (ML-DSA, LMS, XMSS) - Add settings.h validation rules with descriptive error messages - Auto-define NO_DES3_TLS_SUITES when NO_DES3 is set (instead of error) - Update README.md and add missing files to CI tests --- .github/workflows/os-check.yml | 8 +- examples/configs/README.md | 14 +- examples/configs/user_settings_EBSnet.h | 2 + examples/configs/user_settings_all.h | 1 - examples/configs/user_settings_eccnonblock.h | 4 +- examples/configs/user_settings_fipsv2.h | 2 +- examples/configs/user_settings_fipsv5.h | 3 +- examples/configs/user_settings_min_ecc.h | 112 +++++++---- examples/configs/user_settings_template.h | 82 ++++---- examples/configs/user_settings_tls12.h | 1 + .../configs/user_settings_wolfboot_keytools.h | 190 +++++++++++++----- examples/configs/user_settings_wolfssh.h | 6 +- examples/configs/user_settings_wolftpm.h | 15 +- 13 files changed, 294 insertions(+), 146 deletions(-) diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml index 02ff88e32..13fc39c56 100644 --- a/.github/workflows/os-check.yml +++ b/.github/workflows/os-check.yml @@ -112,12 +112,14 @@ jobs: os: [ ubuntu-24.04, macos-latest ] user-settings: [ # Add new user_settings.h here + 'examples/configs/user_settings_EBSnet.h', 'examples/configs/user_settings_eccnonblock.h', 'examples/configs/user_settings_min_ecc.h', - 'examples/configs/user_settings_wolfboot_keytools.h', - 'examples/configs/user_settings_wolftpm.h', - 'examples/configs/user_settings_wolfssh.h', + 'examples/configs/user_settings_template.h', 'examples/configs/user_settings_tls12.h', + 'examples/configs/user_settings_wolfboot_keytools.h', + 'examples/configs/user_settings_wolfssh.h', + 'examples/configs/user_settings_wolftpm.h', ] name: make user_setting.h (testwolfcrypt only) if: github.repository_owner == 'wolfssl' diff --git a/examples/configs/README.md b/examples/configs/README.md index 048c79d45..a7a7ff856 100644 --- a/examples/configs/README.md +++ b/examples/configs/README.md @@ -4,17 +4,19 @@ Example wolfSSL configuration file templates for use when autoconf is not availa ## Files -* `user_settings_template.h`: Template that allows modular algorithm and feature selection using `#if 0` logic. +* `user_settings_template.h`: Template that allows modular algorithm and feature selection using `#if 0`/`#if 1` gates. * `user_settings_all.h`: This is wolfSSL with all features enabled. Equivalent to `./configure --enable-all`. * `user_settings_arduino.h`: An example Arduino file. See also [wolfSSL/Arduino-wolfSSL](https://github.com/wolfSSL/Arduino-wolfSSL). -*.`user_settings_EBSnet.h`: Example configuration file for use with EBSnet ports. +* `user_settings_EBSnet.h`: Example configuration file for use with EBSnet ports. +* `user_settings_eccnonblock.h`: Example for non-blocking ECC crypto only. See comment at top for test results. +* `user_settings_espressif.h`: Example configuration for Espressif ESP32. See also [wolfSSL/IDE/Espressif](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif). * `user_settings_fipsv2.h`: The FIPS v2 (3389) 140-2 certificate build options. * `user_settings_fipsv5.h`: The FIPS v5 (ready) 140-3 build options. Equivalent to `./configure --enable-fips=v5-dev`. -* `user_settings_min_ecc.h`: This is ECC and SHA-256 only. For ECC verify only add `BUILD_VERIFY_ONLY`. -* `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl) +* `user_settings_min_ecc.h`: Minimal ECC and SHA-256 only (no TLS). For ECC verify only add `NO_ECC_SIGN`. +* `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl). * `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack. -* `user_settings_tls12`: Example for TLS v1.2 client only, ECC only, AES GCM only, SHA2-256 only. -* `user_settings_wolfboot_keytools.h`: This from wolfBoot tools/keytools and is ECC, RSA, ED25519 and ChaCha20. +* `user_settings_tls12.h`: Example for TLS v1.2 client only, ECC only, AES-GCM only, SHA2-256 only. +* `user_settings_wolfboot_keytools.h`: wolfBoot key generation and signing tool. Supports ECC, RSA, ED25519, ED448, and post-quantum (ML-DSA/Dilithium, LMS, XMSS). * `user_settings_wolfssh.h`: Minimum options for building wolfSSH. See comment at top for ./configure used to generate. * `user_settings_wolftpm.h`: Minimum options for building wolfTPM. See comment at top for ./configure used to generate. diff --git a/examples/configs/user_settings_EBSnet.h b/examples/configs/user_settings_EBSnet.h index 6ede23927..70f465f51 100644 --- a/examples/configs/user_settings_EBSnet.h +++ b/examples/configs/user_settings_EBSnet.h @@ -47,6 +47,8 @@ extern "C" { #define NO_MD4 #define NO_MD5 #define NO_DES3 +#define NO_DES3_TLS_SUITES +#define NO_OLD_TLS #ifdef __cplusplus } diff --git a/examples/configs/user_settings_all.h b/examples/configs/user_settings_all.h index 8940e83f2..d3a3a710d 100644 --- a/examples/configs/user_settings_all.h +++ b/examples/configs/user_settings_all.h @@ -210,7 +210,6 @@ extern "C" { #define WOLFSSL_SHAKE256 #define WOLFSSL_SHA3 #define WOLFSSL_HASH_FLAGS /* enable hash flag API's */ -#define WOLFSSL_SHAKE256 /* Additional Algorithms */ #define HAVE_HASHDRBG diff --git a/examples/configs/user_settings_eccnonblock.h b/examples/configs/user_settings_eccnonblock.h index 122b885ad..64b2df45f 100644 --- a/examples/configs/user_settings_eccnonblock.h +++ b/examples/configs/user_settings_eccnonblock.h @@ -104,8 +104,8 @@ extern "C" { #define WOLFSSL_SP_MATH /* forces only single precision */ /* Hashing */ -#define WOLFSL_SHA512 -#define WOLFSL_SHA384 +#define WOLFSSL_SHA512 +#define WOLFSSL_SHA384 #undef NO_SHA256 /* Debugging */ diff --git a/examples/configs/user_settings_fipsv2.h b/examples/configs/user_settings_fipsv2.h index cb219506f..372952085 100644 --- a/examples/configs/user_settings_fipsv2.h +++ b/examples/configs/user_settings_fipsv2.h @@ -112,4 +112,4 @@ extern "C" { } #endif -#endif /* WOLFSSL_OPTIONS_H */ +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_fipsv5.h b/examples/configs/user_settings_fipsv5.h index e977b8c0d..575c17282 100644 --- a/examples/configs/user_settings_fipsv5.h +++ b/examples/configs/user_settings_fipsv5.h @@ -130,7 +130,6 @@ extern "C" { #define WOLFSSL_AES_COUNTER #define HAVE_AESCCM #define HAVE_AES_ECB -#define WOLFSSL_AES_COUNTER #define WOLFSSL_AES_DIRECT #define WOLFSSL_AES_OFB #define HAVE_AESGCM @@ -147,7 +146,6 @@ extern "C" { #define WOLFSSL_SHA224 #define WOLFSSL_SHA512 #define WOLFSSL_SHA384 -#define WOLFSSL_NO_SHAKE256 #define WOLFSSL_NOSHA512_224 #define WOLFSSL_NOSHA512_256 #define WOLFSSL_SHA3 @@ -162,6 +160,7 @@ extern "C" { #define NO_MD4 #define NO_MD5 #define NO_DES3 +#define NO_DES3_TLS_SUITES #define NO_DSA #define NO_RABBIT #define NO_HC128 diff --git a/examples/configs/user_settings_min_ecc.h b/examples/configs/user_settings_min_ecc.h index c555d3b20..ad71a4b95 100644 --- a/examples/configs/user_settings_min_ecc.h +++ b/examples/configs/user_settings_min_ecc.h @@ -19,63 +19,94 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -/* should be renamed to user_settings.h for customer use - * generated from configure options: - * ./configure \ - --enable-cryptonly --enable-ecc --enable-sp \ - --disable-rsa --disable-dh --disable-sha3 --disable-sha224 --disable-md5 \ - --disable-sha --disable-pkcs12 --disable-memory \ - --disable-chacha --disable-poly1305 --disable-sha512 --disable-sha384 \ - --disable-aesgcm --disable-aescbc --disable-aes --disable-rng \ - CFLAGS="-DNO_SIG_WRAPPER -DWOLFSSL_PUBLIC_MP -DECC_USER_CURVES \ - -DNO_ECC_SIGN -DNO_ECC_DHE -DNO_ECC_KEY_EXPORT" +/* Minimal ECC and SHA-256 only (no TLS, no RSA, no AES) * - * Cleaned up by David Garske + * Derived from: + * ./configure \ + * --enable-cryptonly --enable-ecc --enable-sp \ + * --disable-rsa --disable-dh --disable-sha3 \ + * --disable-sha224 --disable-md5 \ + * --disable-sha --disable-pkcs12 --disable-memory \ + * --disable-chacha --disable-poly1305 \ + * --disable-sha512 --disable-sha384 \ + * --disable-aesgcm --disable-aescbc \ + * --disable-aes --disable-rng \ + * CFLAGS="-DNO_SIG_WRAPPER -DWOLFSSL_PUBLIC_MP \ + * -DECC_USER_CURVES" + * + * Build and test: + * cp ./examples/configs/user_settings_min_ecc.h \ + * user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt */ #ifndef WOLFSSL_USER_SETTINGS_H #define WOLFSSL_USER_SETTINGS_H - #ifdef __cplusplus extern "C" { #endif -/* WolfCrypt Only (no TLS) */ -#define WOLFCRYPT_ONLY +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ +#define WOLFCRYPT_ONLY /* No TLS, wolfCrypt only */ /* Endianness - defaults to little endian */ #ifdef __BIG_ENDIAN__ #define BIG_ENDIAN_ORDER #endif -/* Expose the math mp_ API's */ -#define WOLFSSL_PUBLIC_MP +#define WOLFSSL_PUBLIC_MP /* Expose mp_ math API's */ -/* Use single precision math only */ +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ #define WOLFSSL_SP #define WOLFSSL_SP_SMALL #define WOLFSSL_SP_MATH #define WOLFSSL_HAVE_SP_ECC -/* Enable Timing Resistance */ +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ #define TFM_TIMING_RESISTANT #define ECC_TIMING_RESISTANT -/* Enable ECC */ +/* ------------------------------------------------- */ +/* ECC */ +/* ------------------------------------------------- */ #define HAVE_ECC -#define ECC_USER_CURVES /* Only 256-Bit Curves */ -//#define ECC_SHAMIR +#define ECC_USER_CURVES /* Only P-256 by default */ +#if 0 /* ECC Shamir - faster but more code/memory */ + #define ECC_SHAMIR +#endif -/* Optional Feature Disables */ -#define NO_SIG_WRAPPER -//#define NO_ECC_KEY_EXPORT -//#define NO_ECC_DHE -//#define NO_ECC_SIGN -//#define NO_ECC_VERIFY +/* ECC Feature Options */ +#if 0 /* Disable ECC key export */ + #define NO_ECC_KEY_EXPORT +#endif +#if 0 /* Disable ECDHE key agreement */ + #define NO_ECC_DHE +#endif +#if 0 /* Disable ECC sign */ + #define NO_ECC_SIGN +#endif +#if 0 /* Disable ECC verify */ + #define NO_ECC_VERIFY +#endif -/* Disable Algorithms */ +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +/* SHA-256 enabled by default */ + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ #define NO_AES #define NO_AES_CBC #define NO_DES3 @@ -89,17 +120,30 @@ extern "C" { #define NO_PWDBASED #define NO_PKCS12 #define NO_PKCS8 -//#define WC_NO_RNG +#define NO_SIG_WRAPPER -/* Disable Features */ -//#define NO_ASN -//#define NO_CERTS +/* ------------------------------------------------- */ +/* Disabled Features */ +/* ------------------------------------------------- */ #define NO_WOLFSSL_MEMORY #define WOLFSSL_NO_PEM -//#define NO_CODING #define NO_PSK -#ifndef DEBUG_WOLFSSL +#if 0 /* Disable ASN.1 / certificates */ + #define NO_ASN + #define NO_CERTS + #define NO_CODING +#endif +#if 0 /* Disable RNG (ECC verify only) */ + #define WC_NO_RNG +#endif + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ #define DEBUG_WOLFSSL +#endif +#if 1 /* Disable error strings to save flash */ #define NO_ERROR_STRINGS #endif diff --git a/examples/configs/user_settings_template.h b/examples/configs/user_settings_template.h index c88cbc820..ca8367af1 100644 --- a/examples/configs/user_settings_template.h +++ b/examples/configs/user_settings_template.h @@ -41,8 +41,8 @@ extern "C" { /* ------------------------------------------------------------------------- */ #define WOLFSSL_GENERAL_ALIGNMENT 4 #define SIZEOF_LONG_LONG 8 -#if 0 - #define NO_64BIT /* disable use of 64-bit variables */ +#if 0 /* Disable 64-bit types */ + #define NO_64BIT #endif #ifdef TARGET_EMBEDDED @@ -62,7 +62,7 @@ extern "C" { /* Math Configuration */ /* ------------------------------------------------------------------------- */ /* Wolf Single Precision Math */ -#if 1 +#if 1 /* SP Math (recommended) */ #define WOLFSSL_HAVE_SP_RSA #define WOLFSSL_HAVE_SP_DH #define WOLFSSL_HAVE_SP_ECC @@ -78,10 +78,9 @@ extern "C" { #ifdef TARGET_EMBEDDED /* use smaller version of code */ #define WOLFSSL_SP_SMALL - #else - /* SP Assembly Speedups - specific to chip type */ - #define WOLFSSL_SP_ASM #endif + /* SP Assembly Speedups - specific to chip type */ + //#define WOLFSSL_SP_ASM //#define WOLFSSL_SP_X86_64 //#define WOLFSSL_SP_X86 //#define WOLFSSL_SP_ARM32_ASM @@ -103,7 +102,7 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* RSA */ #undef NO_RSA -#if 1 +#if 1 /* RSA */ #ifdef USE_FAST_MATH /* Maximum math bits (Max RSA key bits * 2) */ #define FP_MAX_BITS 4096 @@ -123,9 +122,9 @@ extern "C" { /* DH */ #undef NO_DH -#if 1 - /* Use table for DH instead of -lm (math) lib dependency */ - #if 1 +#if 1 /* DH */ + /* Use table for DH instead of -lm (math) lib */ + #if 1 /* FFDHE parameters */ #define WOLFSSL_DH_CONST #define HAVE_FFDHE_2048 //#define HAVE_FFDHE_4096 @@ -138,7 +137,7 @@ extern "C" { /* ECC */ #undef HAVE_ECC -#if 1 +#if 1 /* ECC */ #define HAVE_ECC /* Manually define enabled curves */ @@ -195,7 +194,7 @@ extern "C" { /* AES */ #undef NO_AES -#if 1 +#if 1 /* AES */ #define HAVE_AES_CBC /* GCM Method: GCM_TABLE_4BIT, GCM_SMALL, GCM_WORD32 or GCM_TABLE */ @@ -217,7 +216,7 @@ extern "C" { /* DES3 */ #undef NO_DES3 -#if 0 +#if 0 /* DES3 (legacy, not recommended) */ #else #define NO_DES3 #endif @@ -225,7 +224,7 @@ extern "C" { /* ChaCha20 / Poly1305 */ #undef HAVE_CHACHA #undef HAVE_POLY1305 -#if 1 +#if 1 /* ChaCha20 / Poly1305 */ #define HAVE_CHACHA #define HAVE_POLY1305 @@ -236,12 +235,12 @@ extern "C" { /* Ed25519 / Curve25519 */ #undef HAVE_CURVE25519 #undef HAVE_ED25519 -#if 0 +#if 0 /* Ed25519 / Curve25519 */ #define HAVE_CURVE25519 #define HAVE_ED25519 /* ED25519 Requires SHA512 */ - /* Optionally use small math (less flash usage, but much slower) */ - #if 1 + /* Optionally use small math (less flash, slower) */ + #if 1 /* Small Curve25519 */ #define CURVED25519_SMALL #endif #endif @@ -252,7 +251,7 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* Sha */ #undef NO_SHA -#if 1 +#if 1 /* SHA-1 */ /* 1k smaller, but 25% slower */ //#define USE_SLOW_SHA #else @@ -261,12 +260,12 @@ extern "C" { /* Sha256 */ #undef NO_SHA256 -#if 1 +#if 1 /* SHA-256 */ /* not unrolled - ~2k smaller and ~25% slower */ //#define USE_SLOW_SHA256 - /* Sha224 */ - #if 0 + /* SHA-224 (requires SHA-256) */ + #if 0 /* SHA-224 */ #define WOLFSSL_SHA224 #endif #else @@ -275,12 +274,12 @@ extern "C" { /* Sha512 */ #undef WOLFSSL_SHA512 -#if 0 +#if 0 /* SHA-512 */ #define WOLFSSL_SHA512 - /* Sha384 */ + /* SHA-384 (requires SHA-512) */ #undef WOLFSSL_SHA384 - #if 0 + #if 0 /* SHA-384 */ #define WOLFSSL_SHA384 #endif @@ -290,27 +289,27 @@ extern "C" { /* Sha3 */ #undef WOLFSSL_SHA3 -#if 0 +#if 0 /* SHA-3 */ #define WOLFSSL_SHA3 #endif /* MD5 */ #undef NO_MD5 -#if 0 - +#if 0 /* MD5 (legacy, not recommended) */ + /* MD5 enabled */ #else #define NO_MD5 #endif /* HKDF */ #undef HAVE_HKDF -#if 1 +#if 1 /* HKDF (TLS 1.3 requires this) */ #define HAVE_HKDF #endif /* CMAC */ #undef WOLFSSL_CMAC -#if 0 +#if 0 /* CMAC */ #define WOLFSSL_CMAC #endif @@ -335,10 +334,10 @@ extern "C" { #undef DEBUG_WOLFSSL #undef NO_ERROR_STRINGS -#if 0 +#if 0 /* Enable debug logging */ #define DEBUG_WOLFSSL #else - #if 0 + #if 0 /* Disable error strings to save flash */ #define NO_ERROR_STRINGS #endif #endif @@ -349,7 +348,7 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* Override Memory API's */ -#if 0 +#if 0 /* Custom malloc/free/realloc */ #define XMALLOC_OVERRIDE /* prototypes for user heap override functions */ @@ -365,24 +364,23 @@ extern "C" { #define XREALLOC(p, n, h, t) myRealloc(p, n, h, t) #endif -#if 0 - /* Static memory requires fast math */ +#if 0 /* Static memory (no heap) */ #define WOLFSSL_STATIC_MEMORY /* Disable fallback malloc/free */ #define WOLFSSL_NO_MALLOC - #if 1 + #if 1 /* Trap malloc failure */ #define WOLFSSL_MALLOC_CHECK /* trap malloc failure */ #endif #endif /* Memory callbacks */ -#if 0 +#if 0 /* wolfSSL memory callbacks */ #undef USE_WOLFSSL_MEMORY #define USE_WOLFSSL_MEMORY /* Use this to measure / print heap usage */ - #if 0 + #if 0 /* Memory tracking / debug */ #define WOLFSSL_TRACK_MEMORY #define WOLFSSL_DEBUG_MEMORY #endif @@ -399,7 +397,7 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* Override Current Time */ -#if 0 +#if 0 /* Custom time function */ /* Allows custom "custom_time()" function to be used for benchmark */ #define WOLFSSL_USER_CURRTIME #define WOLFSSL_GMTIME @@ -414,9 +412,9 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* Choose RNG method */ -#if 1 +#if 1 /* P-RNG with hash DRBG */ /* Custom Seed Source */ - #if 0 + #if 0 /* Custom HW RNG seed */ /* Size of returned HW RNG value */ #define CUSTOM_RAND_TYPE unsigned int extern unsigned int my_rng_seed_gen(void); @@ -444,7 +442,7 @@ extern "C" { /* ------------------------------------------------------------------------- */ /* Allows override of all standard library functions */ #undef STRING_USER -#if 0 +#if 0 /* Custom standard library overrides */ #define STRING_USER #include @@ -490,7 +488,7 @@ extern "C" { //#define HAVE_COMP_KEY /* TLS Session Cache */ -#if 0 +#if 0 /* Small session cache */ #define SMALL_SESSION_CACHE #else #define NO_SESSION_CACHE diff --git a/examples/configs/user_settings_tls12.h b/examples/configs/user_settings_tls12.h index f26fb348c..e501d7cc7 100644 --- a/examples/configs/user_settings_tls12.h +++ b/examples/configs/user_settings_tls12.h @@ -132,6 +132,7 @@ extern "C" { #define NO_MD4 #define NO_MD5 #define NO_DES3 +#define NO_DES3_TLS_SUITES #define NO_PWDBASED #define WOLFSSL_NO_SHAKE128 #define WOLFSSL_NO_SHAKE256 diff --git a/examples/configs/user_settings_wolfboot_keytools.h b/examples/configs/user_settings_wolfboot_keytools.h index 969d9f466..452de3f7f 100644 --- a/examples/configs/user_settings_wolfboot_keytools.h +++ b/examples/configs/user_settings_wolfboot_keytools.h @@ -3,7 +3,6 @@ * wolfCrypt build settings for wolfBoot keygen and signing tool * Enabled via WOLFSSL_USER_SETTINGS. * - * * Copyright (C) 2006-2025 wolfSSL Inc. * * This file is part of wolfSSL. @@ -23,58 +22,154 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#ifndef H_USER_SETTINGS_ -#define H_USER_SETTINGS_ +/* wolfBoot key generation and signing tool. + * Derived from wolfBoot tools/keytools/user_settings.h + * + * Build and test: + * cp ./examples/configs/user_settings_wolfboot_keytools.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ -/* #include */ /* DG: Removed, not needed for testing */ +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H -/* System */ -#define WOLFSSL_GENERAL_ALIGNMENT 4 +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ #define SINGLE_THREADED #define WOLFCRYPT_ONLY -#define SIZEOF_LONG_LONG 8 +/* ------------------------------------------------- */ /* Math */ -#define USE_FAST_MATH -#define FP_MAX_BITS (4096 * 2) +/* ------------------------------------------------- */ +#if 0 /* Fast Math */ + #define USE_FAST_MATH + #define FP_MAX_BITS (4096 * 2) +#else /* SP Math (recommended) */ + #define WOLFSSL_SP_MATH + #define WOLFSSL_HAVE_SP_ECC + #define WOLFSSL_SP_384 + #define WOLFSSL_SP_521 + #define WOLFSSL_HAVE_SP_RSA + #define WOLFSSL_SP_4096 +#endif #define TFM_TIMING_RESISTANT +/* ------------------------------------------------- */ /* ECC */ -#define HAVE_ECC -#define WOLFSSL_HAVE_SP_ECC -#define ECC_TIMING_RESISTANT -#define HAVE_ECC256 -#define HAVE_ECC384 -#define HAVE_ECC521 +/* ------------------------------------------------- */ +#if 1 /* ECC support */ + #define HAVE_ECC + #define ECC_TIMING_RESISTANT + #define ECC_USER_CURVES + #undef NO_ECC256 + #if 1 /* ECC P-384 */ + #define HAVE_ECC384 + #endif + #if 1 /* ECC P-521 */ + #define HAVE_ECC521 + #endif +#endif -/* ED25519 */ -#define HAVE_ED25519 -/* DG: Added, since --enable-usersettings expects small version to be used */ -#define ED25519_SMALL +/* ------------------------------------------------- */ +/* ED25519 / Curve25519 */ +/* ------------------------------------------------- */ +#if 1 /* ED25519 signing support */ + #define HAVE_ED25519 +#endif -/* ED448 */ -#define HAVE_ED448 -#define WOLFSSL_SHAKE256 +/* ------------------------------------------------- */ +/* ED448 / Curve448 */ +/* ------------------------------------------------- */ +#if 1 /* ED448 signing support */ + #define HAVE_ED448 + #define WOLFSSL_SHAKE256 +#endif +/* ------------------------------------------------- */ /* RSA */ -#define WOLFSSL_HAVE_SP_RSA -#define WC_RSA_BLINDING -#define WOLFSSL_KEY_GEN +/* ------------------------------------------------- */ +#if 1 /* RSA signing support */ + #define HAVE_RSA + #define WC_RSA_BLINDING + #define WOLFSSL_KEY_GEN +#else + #define NO_RSA +#endif +/* ------------------------------------------------- */ /* Hashing */ -#define WOLFSSL_SHA512 /* Required for ED25519 */ +/* ------------------------------------------------- */ +#define WOLFSSL_SHA512 /* Required for ED25519/ED448 */ #define WOLFSSL_SHA384 #define WOLFSSL_SHA3 -#undef NO_SHA256 -/* Chacha stream cipher */ -#define HAVE_CHACHA +/* ------------------------------------------------- */ +/* Post-Quantum Algorithms */ +/* ------------------------------------------------- */ +#define WOLFSSL_EXPERIMENTAL_SETTINGS -/* AES */ -#define WOLFSSL_AES_COUNTER -#define WOLFSSL_AES_DIRECT +#if 1 /* ML-DSA / Dilithium */ + #define HAVE_DILITHIUM + #define WOLFSSL_WC_DILITHIUM + /* Builds to FIPS 204 final standard by default. + * Set to 1 for draft version. */ + #if 0 /* FIPS 204 Draft */ + #define WOLFSSL_DILITHIUM_FIPS204_DRAFT + #endif + #ifndef ML_DSA_LEVEL + #define ML_DSA_LEVEL 2 + #endif + #define WOLFSSL_SHAKE128 /* Required for Dilithium */ +#endif -/* Disables */ +#if 1 /* LMS */ + #define WOLFSSL_HAVE_LMS + #define WOLFSSL_WC_LMS + #ifndef LMS_LEVELS + #define LMS_LEVELS 1 + #endif + #ifndef LMS_HEIGHT + #define LMS_HEIGHT 10 + #endif + #ifndef LMS_WINTERNITZ + #define LMS_WINTERNITZ 8 + #endif +#endif + +#if 1 /* XMSS */ + #define WOLFSSL_HAVE_XMSS + #define WOLFSSL_WC_XMSS + #ifndef WOLFSSL_XMSS_MAX_HEIGHT + #define WOLFSSL_XMSS_MAX_HEIGHT 32 + #endif +#endif + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +#if 1 /* ChaCha20 stream cipher */ + #define HAVE_CHACHA +#endif +#if 1 /* AES-CTR / AES direct */ + #define WOLFSSL_AES_COUNTER + #define WOLFSSL_AES_DIRECT +#endif + +/* ------------------------------------------------- */ +/* ASN */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ #define NO_CMAC #define NO_HMAC #define NO_RC4 @@ -82,26 +177,31 @@ #define NO_DH #define NO_DSA #define NO_MD4 -#define NO_RABBIT #define NO_MD5 +#define NO_DES3 +#define NO_PWDBASED +#define NO_OLD_RNGNAME +#define NO_RABBIT +#define NO_HC128 + +/* ------------------------------------------------- */ +/* Disabled Features */ +/* ------------------------------------------------- */ #define NO_SIG_WRAPPER #define NO_CERTS #define NO_SESSION_CACHE -#define NO_HC128 -#define NO_DES3 -#define NO_PWDBASED #define NO_WRITEV -#define NO_OLD_RNGNAME #define NO_WOLFSSL_DIR #define WOLFSSL_NO_SOCK #define WOLFSSL_IGNORE_FILE_WARN -#define NO_ERROR_STRINGS - #define BENCH_EMBEDDED -/* DG: Removed since we need it here for testing */ -/* #define NO_MAIN_DRIVER */ -/* #define NO_CRYPT_TEST */ -/* #define NO_CRYPT_BENCHMARK */ +#if 1 /* Disable error strings to save flash */ + #define NO_ERROR_STRINGS +#endif -#endif /* !H_USER_SETTINGS_ */ +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_wolfssh.h b/examples/configs/user_settings_wolfssh.h index 9c4462a1f..6385d5fb6 100644 --- a/examples/configs/user_settings_wolfssh.h +++ b/examples/configs/user_settings_wolfssh.h @@ -46,8 +46,8 @@ wolfSSH: make */ -#ifndef WOLFSSL_USER_SETTINGS_SSH_H -#define WOLFSSL_USER_SETTINGS_SSH_H +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H #ifdef __cplusplus extern "C" { @@ -211,4 +211,4 @@ extern "C" { #endif -#endif /* WOLFSSL_USER_SETTINGS_SSH_H */ +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_wolftpm.h b/examples/configs/user_settings_wolftpm.h index e7512c6df..009d2497c 100644 --- a/examples/configs/user_settings_wolftpm.h +++ b/examples/configs/user_settings_wolftpm.h @@ -59,15 +59,15 @@ make */ -#ifndef WOLF_USER_SETTINGS_TPM_H -#define WOLF_USER_SETTINGS_TPM_H +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H #ifdef __cplusplus extern "C" { #endif -/* enable for low resource options */ -#if 0 +/* Enable for low resource options (smaller, no TLS) */ +#if 0 /* Low resource mode */ #define USE_LOW_RESOURCE #endif @@ -121,7 +121,7 @@ extern "C" { #endif /* Asymmetric */ -#if 1 /* RSA - needed to encrypt salt */ +#if 1 /* RSA - needed for TPM salt encryption */ #undef NO_RSA #ifdef USE_LOW_RESOURCE #define WOLFSSL_RSA_PUBLIC_ONLY @@ -131,7 +131,7 @@ extern "C" { #else #define NO_RSA #endif -#if 1 /* ECC - needed for encrypt ECC salt */ +#if 1 /* ECC - needed for TPM ECC operations */ #define HAVE_ECC #define ECC_USER_CURVES /* default to only SECP256R1 */ #endif @@ -187,6 +187,7 @@ extern "C" { #define NO_PWDBASED #define NO_DSA #define NO_DES3 +#define NO_DES3_TLS_SUITES #define NO_RC4 #define NO_PSK #define NO_MD4 @@ -222,4 +223,4 @@ extern "C" { } #endif -#endif /* WOLF_USER_SETTINGS_TPM_H */ +#endif /* WOLFSSL_USER_SETTINGS_H */