Cyclic0007/wolfssl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add new user_settings.h templates for tls13, dtls13, pq, openssl_compat, baremetal, rsa_only, pkcs7, ca

Browse Source
This commit is contained in:
David Garske
2026-01-28 10:52:31 -08:00
parent 3946ba8de3
commit c2a987595f
14 changed files with 1862 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.github/workflows/os-check.yml vendored
View File

@@ -111,15 +111,24 @@ jobs:
matrix:
os: [ ubuntu-24.04, macos-latest ]
user-settings: [
# Add new user_settings.h here
# Add new user_settings.h here (alphabetical order)
'examples/configs/user_settings_ca.h',
'examples/configs/user_settings_dtls13.h',
'examples/configs/user_settings_EBSnet.h',
'examples/configs/user_settings_eccnonblock.h',
'examples/configs/user_settings_min_ecc.h',
'examples/configs/user_settings_openssl_compat.h',
'examples/configs/user_settings_pkcs7.h',
'examples/configs/user_settings_rsa_only.h',
'examples/configs/user_settings_template.h',
'examples/configs/user_settings_tls12.h',
'examples/configs/user_settings_tls13.h',
'examples/configs/user_settings_wolfboot_keytools.h',
'examples/configs/user_settings_wolfssh.h',
'examples/configs/user_settings_wolftpm.h',
# Not included (require special setup):
# - user_settings_pq.h: Requires --enable-experimental
# - user_settings_baremetal.h: Requires static memory, custom platform
]
name: make user_setting.h (testwolfcrypt only)
if: github.repository_owner == 'wolfssl'

8
examples/configs/README.md
View File

@@ -16,6 +16,14 @@ Example wolfSSL configuration file templates for use when autoconf is not availa
* `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl).
* `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack.
* `user_settings_tls12.h`: Example for TLS v1.2 client only, ECC only, AES-GCM only, SHA2-256 only.
* `user_settings_tls13.h`: TLS 1.3 only configuration (no TLS 1.2). Modern cipher suites with X25519/X448 key exchange.
* `user_settings_dtls13.h`: DTLS 1.3 for IoT and embedded. Includes connection ID support and smaller MTU options.
* `user_settings_pq.h`: Post-quantum TLS with ML-KEM (Kyber) key exchange and ML-DSA (Dilithium) certificates.
* `user_settings_openssl_compat.h`: OpenSSL compatibility layer for drop-in replacement. Enables OPENSSL_ALL and related APIs.
* `user_settings_baremetal.h`: Bare metal configuration. No filesystem, static memory only, minimal footprint.
* `user_settings_rsa_only.h`: RSA-only configuration (no ECC). For legacy systems requiring RSA cipher suites.
* `user_settings_pkcs7.h`: PKCS#7/CMS configuration for signing and encryption. S/MIME, firmware signing.
* `user_settings_ca.h`: Certificate Authority / PKI operations. Certificate generation, signing, CRL, OCSP.
* `user_settings_wolfboot_keytools.h`: wolfBoot key generation and signing tool. Supports ECC, RSA, ED25519, ED448, and post-quantum (ML-DSA/Dilithium, LMS, XMSS).
* `user_settings_wolfssh.h`: Minimum options for building wolfSSH. See comment at top for ./configure used to generate.
* `user_settings_wolftpm.h`: Minimum options for building wolfTPM. See comment at top for ./configure used to generate.

8
examples/configs/include.am
View File

@@ -4,16 +4,24 @@
EXTRA_DIST += examples/configs/README.md
EXTRA_DIST += examples/configs/user_settings_all.h
EXTRA_DIST += examples/configs/user_settings_arduino.h
EXTRA_DIST += examples/configs/user_settings_baremetal.h
EXTRA_DIST += examples/configs/user_settings_ca.h
EXTRA_DIST += examples/configs/user_settings_dtls13.h
EXTRA_DIST += examples/configs/user_settings_EBSnet.h
EXTRA_DIST += examples/configs/user_settings_eccnonblock.h
EXTRA_DIST += examples/configs/user_settings_espressif.h
EXTRA_DIST += examples/configs/user_settings_fipsv2.h
EXTRA_DIST += examples/configs/user_settings_fipsv5.h
EXTRA_DIST += examples/configs/user_settings_min_ecc.h
EXTRA_DIST += examples/configs/user_settings_openssl_compat.h
EXTRA_DIST += examples/configs/user_settings_pkcs7.h
EXTRA_DIST += examples/configs/user_settings_platformio.h
EXTRA_DIST += examples/configs/user_settings_pq.h
EXTRA_DIST += examples/configs/user_settings_rsa_only.h
EXTRA_DIST += examples/configs/user_settings_stm32.h
EXTRA_DIST += examples/configs/user_settings_template.h
EXTRA_DIST += examples/configs/user_settings_tls12.h
EXTRA_DIST += examples/configs/user_settings_tls13.h
EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h
EXTRA_DIST += examples/configs/user_settings_wolfssh.h
EXTRA_DIST += examples/configs/user_settings_wolftpm.h

231
examples/configs/user_settings_baremetal.h Normal file
View File

@@ -0,0 +1,231 @@
/* user_settings_baremetal.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* Bare metal configuration for systems without an OS.
* No filesystem, no malloc (static memory), minimal footprint.
* Suitable for deeply embedded systems and bootloaders.
*
* Build and test:
* cp ./examples/configs/user_settings_baremetal.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform - Bare Metal */
/* ------------------------------------------------- */
#define SINGLE_THREADED
#define NO_FILESYSTEM
#define NO_WRITEV
#define WOLFSSL_NO_SOCK
#define WOLFSSL_IGNORE_FILE_WARN
#define WOLFSSL_GENERAL_ALIGNMENT 4
#define SIZEOF_LONG_LONG 8
/* TLS transport requires setting IO callbacks */
#define WOLFSSL_USER_IO
/* ------------------------------------------------- */
/* Memory */
/* ------------------------------------------------- */
#if 1 /* stack memory */
#elif 1 /* small stack */
/* Small stack - allocate large variables from static pool */
#define WOLFSSL_SMALL_STACK
#else /* static memory */
#define WOLFSSL_STATIC_MEMORY
#define WOLFSSL_NO_MALLOC
#define WOLFSSL_SP_NO_MALLOC
#define WOLFSSL_MALLOC_CHECK
#define NO_WOLFSSL_MEMORY
#endif
/* ------------------------------------------------- */
/* Math - Single Precision (smallest) */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH
#define WOLFSSL_SP_SMALL
#define TFM_TIMING_RESISTANT
/* ------------------------------------------------- */
/* TLS (optional - disable for crypto-only) */
/* ------------------------------------------------- */
#if 0 /* TLS support */
#define WOLFSSL_TLS13
#define WOLFSSL_NO_TLS12
#define NO_OLD_TLS
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF
#else
#define WOLFCRYPT_ONLY
#endif
/* ------------------------------------------------- */
/* ECC (smallest asymmetric option) */
/* ------------------------------------------------- */
#if 1 /* ECC support */
#define HAVE_ECC
#define WOLFSSL_HAVE_SP_ECC
#define ECC_USER_CURVES /* P-256 only */
#undef NO_ECC256
#define ECC_TIMING_RESISTANT
/* Disable for smaller size */
#if 0 /* ECC Shamir (faster, more code) */
#define ECC_SHAMIR
#endif
#endif
/* ECC Feature Reduction */
#if 0 /* Verify only (no signing/keygen) */
#define NO_ECC_SIGN
#define NO_ECC_DHE
#define NO_ECC_KEY_EXPORT
#endif
/* ------------------------------------------------- */
/* RSA (disable for smallest size) */
/* ------------------------------------------------- */
#if 0 /* RSA support */
#undef NO_RSA
#define WOLFSSL_HAVE_SP_RSA
#define WC_RSA_BLINDING
#define RSA_LOW_MEM
#if 0 /* Verify only */
#define WOLFSSL_RSA_PUBLIC_ONLY
#define WOLFSSL_RSA_VERIFY_INLINE
#define NO_CHECK_PRIVATE_KEY
#endif
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
#if 1 /* AES */
#define HAVE_AESGCM
#define GCM_SMALL
#define WOLFSSL_AES_SMALL_TABLES
#define WOLFSSL_AES_NO_UNROLL
#define NO_AES_192
#define NO_AES_256
#if 0 /* AES-CBC */
#undef NO_AES_CBC
#else
#define NO_AES_CBC
#endif
#else
#define NO_AES
#endif
#if 0 /* ChaCha20-Poly1305 */
#define HAVE_CHACHA
#define HAVE_POLY1305
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 only (required) */
#define USE_SLOW_SHA256
#if 0 /* SHA-1 (legacy) */
#undef NO_SHA
#else
#define NO_SHA
#endif
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#if 1 /* Hash-based DRBG */
#define HAVE_HASHDRBG
#else
/* Use hardware RNG directly */
#define WC_NO_HASHDRBG
extern int my_rng_gen_block(unsigned char* output, unsigned int sz);
#define CUSTOM_RAND_GENERATE_BLOCK my_rng_gen_block
#endif
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#if 0 /* Disable certificates for smallest size */
#define NO_ASN
#define NO_CERTS
#define NO_CODING
#endif
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DH
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_PSK
#define NO_PWDBASED
#define NO_PKCS8
#define NO_PKCS12
/* ------------------------------------------------- */
/* Disabled Features */
/* ------------------------------------------------- */
#define NO_SIG_WRAPPER
#define NO_SESSION_CACHE
#define NO_ERROR_STRINGS
#define NO_OLD_RNGNAME
#define NO_WOLFSSL_DIR
#define BENCH_EMBEDDED
/* ------------------------------------------------- */
/* Custom Time (bare metal has no RTC typically) */
/* ------------------------------------------------- */
#if 1 /* Custom time function */
#define NO_ASN_TIME
/* Or provide custom time:
* #define USER_TIME
* extern unsigned long my_time(unsigned long* timer);
* #define XTIME my_time
*/
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

210
examples/configs/user_settings_ca.h Normal file
View File

@@ -0,0 +1,210 @@
/* user_settings_ca.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* Certificate Authority (CA) / PKI configuration.
* For certificate generation, signing, CRL, OCSP, and CertificateManager.
* No TLS - certificate operations only.
*
* Build and test:
* cp ./examples/configs/user_settings_ca.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#define NO_TLS /* Enables CertificateManager without TLS */
#if 0 /* Single threaded */
#define SINGLE_THREADED
#endif
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
#define SP_INT_BITS 4096
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* Certificate Generation */
/* ------------------------------------------------- */
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#define WOLFSSL_MULTI_ATTRIB
#define WOLFSSL_ALT_NAMES
#define WOLFSSL_CUSTOM_OID
#define HAVE_OID_ENCODING
/* Additional certificate features */
#define WOLFSSL_CERT_NAME_ALL
#define WOLFSSL_HAVE_ISSUER_NAMES
#define WOLFSSL_AKID_NAME
#define WOLFSSL_SUBJ_DIR_ATTR
#define WOLFSSL_SUBJ_INFO_ACC
/* ------------------------------------------------- */
/* ASN.1 */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#define WOLFSSL_PEM_TO_DER
#define WOLFSSL_DER_TO_PEM
#define WOLFSSL_DER_LOAD
#define ASN_BER_TO_DER
/* ------------------------------------------------- */
/* CRL (Certificate Revocation List) */
/* ------------------------------------------------- */
#define HAVE_CRL
#if 0 /* CRL file monitoring */
#define HAVE_CRL_MONITOR
#endif
#define HAVE_CRL_IO
#define HAVE_IO_TIMEOUT
/* ------------------------------------------------- */
/* OCSP (Online Certificate Status Protocol) */
/* ------------------------------------------------- */
#define HAVE_OCSP
#define HAVE_CERTIFICATE_STATUS_REQUEST
#define HAVE_CERTIFICATE_STATUS_REQUEST_V2
#define HAVE_TLS_EXTENSIONS
/* ------------------------------------------------- */
/* ECC */
/* ------------------------------------------------- */
#if 1 /* ECC support */
#define HAVE_ECC
#define ECC_USER_CURVES
#undef NO_ECC256
#define HAVE_ECC384
#define HAVE_ECC521
#define ECC_SHAMIR
#define HAVE_COMP_KEY
#define WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT
#endif
/* ------------------------------------------------- */
/* Ed25519 / Ed448 */
/* ------------------------------------------------- */
#if 1 /* Ed25519 certificates */
#define HAVE_ED25519
#define HAVE_CURVE25519
#endif
#if 1 /* Ed448 certificates */
#define HAVE_ED448
#define HAVE_CURVE448
#define WOLFSSL_SHAKE256
#endif
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#if 1 /* RSA support */
#undef NO_RSA
#define WOLFSSL_KEY_GEN
#define WC_RSA_PSS
#define WC_RSA_NO_PADDING
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* Post-Quantum Certificates */
/* ------------------------------------------------- */
#if 0 /* ML-DSA / Dilithium certificates */
#define WOLFSSL_EXPERIMENTAL_SETTINGS
#define HAVE_DILITHIUM
#define WOLFSSL_WC_DILITHIUM
#define WOLFSSL_SHAKE128
#define WOLFSSL_SHAKE256
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 required */
#define WOLFSSL_SHA224
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#define WOLFSSL_SHA3
#if 1 /* SHA-1 (for legacy certificate compatibility) */
#undef NO_SHA
#else
#define NO_SHA
#endif
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* Encoding */
/* ------------------------------------------------- */
#define WOLFSSL_BASE64_ENCODE
#define WOLFSSL_BASE16
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DH
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_DES3
#define NO_PSK
#define NO_PWDBASED
#define NO_OLD_TLS
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 0 /* Disable error strings */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

211
examples/configs/user_settings_dtls13.h Normal file
View File

@@ -0,0 +1,211 @@
/* user_settings_dtls13.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* DTLS 1.3 for IoT and UDP applications.
* Suitable for constrained devices with unreliable networks.
*
* Build and test:
* cp ./examples/configs/user_settings_dtls13.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#if 1 /* Single threaded (typical for IoT) */
#define SINGLE_THREADED
#endif
#if 0 /* Disable filesystem */
#define NO_FILESYSTEM
#endif
#define WOLFSSL_USER_IO
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
#if 1 /* Small code size for IoT */
#define WOLFSSL_SP_SMALL
#endif
/* ------------------------------------------------- */
/* DTLS 1.3 */
/* ------------------------------------------------- */
#define WOLFSSL_DTLS
#define WOLFSSL_DTLS13
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF
#define WC_RSA_PSS
/* Disable older versions */
#define WOLFSSL_NO_TLS12
#define NO_OLD_TLS
/* DTLS-specific features */
#if 1 /* HelloRetryRequest cookie (DoS protection) */
#define WOLFSSL_SEND_HRR_COOKIE
#endif
#if 0 /* Connection ID (NAT traversal) - requires TLS 1.2 code paths */
#define WOLFSSL_DTLS_CID
#endif
#if 0 /* Fragmented ClientHello */
#define WOLFSSL_DTLS_CH_FRAG
#endif
/* Client/Server */
#if 0 /* Client only */
#define NO_WOLFSSL_SERVER
#endif
#if 0 /* Server only */
#define NO_WOLFSSL_CLIENT
#endif
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* ECC (preferred for IoT) */
/* ------------------------------------------------- */
#define HAVE_ECC
#define ECC_USER_CURVES
#undef NO_ECC256
#if 0 /* P-384 */
#define HAVE_ECC384
#endif
#define ECC_SHAMIR
/* ------------------------------------------------- */
/* Curve25519 / Ed25519 */
/* ------------------------------------------------- */
#if 1 /* X25519 key exchange (efficient for IoT) */
#define HAVE_CURVE25519
#define CURVE25519_SMALL
#endif
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#if 0 /* RSA support (larger, disable for constrained devices) */
#undef NO_RSA
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* DH */
/* ------------------------------------------------- */
#define NO_DH
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
/* AES-GCM */
#define HAVE_AESGCM
#if 1 /* Small GCM tables for IoT */
#define GCM_SMALL
#else
#define GCM_TABLE_4BIT
#endif
#if 1 /* ChaCha20-Poly1305 (efficient in software) */
#define HAVE_CHACHA
#define HAVE_POLY1305
#define HAVE_ONE_TIME_AUTH
#endif
#if 1 /* AES-CCM (common in IoT) */
#define HAVE_AESCCM
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 required */
#if 1 /* Smaller/slower SHA */
#define USE_SLOW_SHA256
#endif
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_SHA
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_PSK
#define NO_PWDBASED
/* ------------------------------------------------- */
/* Memory Optimization */
/* ------------------------------------------------- */
#if 1 /* Small stack for embedded */
#define WOLFSSL_SMALL_STACK
#endif
#if 0 /* Static memory (no malloc) */
#define WOLFSSL_STATIC_MEMORY
#define WOLFSSL_NO_MALLOC
#endif
#define NO_SESSION_CACHE
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 1 /* Disable error strings to save flash */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

274
examples/configs/user_settings_openssl_compat.h Normal file
View File

@@ -0,0 +1,274 @@
/* user_settings_openssl_compat.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* OpenSSL compatibility layer for drop-in replacement.
* Provides OpenSSL API compatibility for applications migrating from OpenSSL.
*
* Build and test:
* cp ./examples/configs/user_settings_openssl_compat.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* OpenSSL Compatibility */
/* ------------------------------------------------- */
#define OPENSSL_EXTRA
#if 1 /* Full OpenSSL API compatibility */
#define OPENSSL_ALL
#endif
/* OpenSSL-compatible names and behavior */
#define WOLFSSL_VERBOSE_ERRORS
#define ERROR_QUEUE_PER_THREAD
#define WOLFSSL_ERROR_CODE_OPENSSL
#define HAVE_WOLFSSL_SSL_H
#define OPENSSL_COMPATIBLE_DEFAULTS
/* Avoid old name conflicts */
#define NO_OLD_RNGNAME
#define NO_OLD_WC_NAMES
#define NO_OLD_SSL_NAMES
#define NO_OLD_SHA_NAMES
#define NO_OLD_MD5_NAME
/* Extra data support (SSL_CTX_set_ex_data, etc.) */
#define HAVE_EX_DATA
/* ------------------------------------------------- */
/* Application Compatibility */
/* ------------------------------------------------- */
#if 0 /* nginx */
#define WOLFSSL_NGINX
#endif
#if 0 /* HAProxy */
#define WOLFSSL_HAPROXY
#endif
#if 0 /* Apache httpd */
#define HAVE_LIGHTY
#endif
#if 0 /* stunnel */
#define HAVE_STUNNEL
#endif
#if 0 /* OpenVPN */
#define WOLFSSL_OPENVPN
#endif
#if 0 /* Qt */
#define WOLFSSL_QT
#endif
#if 0 /* cURL */
#define WOLFSSL_LIBCURL
#endif
#if 0 /* OpenSSH */
#define WOLFSSL_OPENSSH
#endif
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
/* ------------------------------------------------- */
/* TLS Versions */
/* ------------------------------------------------- */
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_EXTENDED_MASTER
#define HAVE_ENCRYPT_THEN_MAC
#define HAVE_HKDF
#define WC_RSA_PSS
#if 1 /* TLS 1.2 (for compatibility) */
#undef WOLFSSL_NO_TLS12
#endif
#if 0 /* Allow older TLS (not recommended) */
#undef NO_OLD_TLS
#else
#define NO_OLD_TLS
#endif
/* TLS Extensions */
#define HAVE_SESSION_TICKET
#define HAVE_SNI
#define HAVE_ALPN
#define HAVE_MAX_FRAGMENT
#define HAVE_TRUNCATED_HMAC
#define HAVE_SECURE_RENEGOTIATION
#define HAVE_SERVER_RENEGOTIATION_INFO
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* ECC */
/* ------------------------------------------------- */
#define HAVE_ECC
#define TFM_ECC256
#define ECC_SHAMIR
#define HAVE_ECC_CDH
#define HAVE_COMP_KEY
/* ------------------------------------------------- */
/* Curve25519 / Ed25519 */
/* ------------------------------------------------- */
#define HAVE_CURVE25519
#define HAVE_ED25519
/* ------------------------------------------------- */
/* Curve448 / Ed448 */
/* ------------------------------------------------- */
#if 1 /* Ed448/X448 */
#define HAVE_CURVE448
#define HAVE_ED448
#endif
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#undef NO_RSA
#define WC_RSA_NO_PADDING
#define WOLFSSL_KEY_GEN
/* ------------------------------------------------- */
/* DH */
/* ------------------------------------------------- */
#undef NO_DH
#define HAVE_FFDHE_2048
#define HAVE_FFDHE_3072
#define HAVE_FFDHE_4096
#define HAVE_DH_DEFAULT_PARAMS
#define WOLFSSL_DH_EXTRA
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
#define WOLFSSL_AESGCM_STREAM
#define HAVE_AESCCM
#define WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_DIRECT
#define WOLFSSL_AES_OFB
#define WOLFSSL_AES_CFB
#define HAVE_AES_ECB
#define HAVE_AES_KEYWRAP
#define HAVE_AES_DECRYPT
#define HAVE_CHACHA
#define HAVE_POLY1305
#define HAVE_ONE_TIME_AUTH
#define HAVE_XCHACHA
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
#define WOLFSSL_SHA224
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#define WOLFSSL_SHA3
#define WOLFSSL_SHAKE256
#define HAVE_BLAKE2
#define HAVE_BLAKE2B
#define HAVE_BLAKE2S
/* ------------------------------------------------- */
/* Additional Features */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
#define WOLFSSL_CMAC
#define WOLFSSL_DES_ECB
#define HAVE_CTS
#define HAVE_HKDF
#define HAVE_X963_KDF
#define HAVE_KEYING_MATERIAL
#define WOLFSSL_HAVE_PRF
/* ------------------------------------------------- */
/* Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#define WOLFSSL_MULTI_ATTRIB
#define WOLFSSL_DER_LOAD
#define WOLFSSL_PEM_TO_DER
#define WOLFSSL_DER_TO_PEM
#define WOLFSSL_ALT_NAMES
#define HAVE_CRL
#define HAVE_OCSP
#define HAVE_CERTIFICATE_STATUS_REQUEST
#define HAVE_CERTIFICATE_STATUS_REQUEST_V2
/* ------------------------------------------------- */
/* Encoding */
/* ------------------------------------------------- */
#define WOLFSSL_BASE16
#define WOLFSSL_BASE64_ENCODE
/* ------------------------------------------------- */
/* Session Cache */
/* ------------------------------------------------- */
#define HAVE_EXT_CACHE
#define SESSION_CERTS
#define PERSIST_SESSION_CACHE
#define PERSIST_CERT_CACHE
/* ------------------------------------------------- */
/* PKCS */
/* ------------------------------------------------- */
#define HAVE_PKCS8
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_PSK
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

215
examples/configs/user_settings_pkcs7.h Normal file
View File

@@ -0,0 +1,215 @@
/* user_settings_pkcs7.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* PKCS#7 / CMS configuration for signing and encryption.
* Suitable for S/MIME, firmware signing, secure messaging.
* No TLS - cryptographic operations only.
*
* Build and test:
* cp ./examples/configs/user_settings_pkcs7.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#define WOLFCRYPT_ONLY
#if 0 /* Single threaded */
#define SINGLE_THREADED
#endif
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
#if 0 /* Small code size */
#define WOLFSSL_SP_SMALL
#endif
/* ------------------------------------------------- */
/* PKCS#7 / CMS */
/* ------------------------------------------------- */
#define HAVE_PKCS7
/* PKCS#7 Content Types */
#if 1 /* Signed Data */
/* Default enabled with HAVE_PKCS7 */
#endif
#if 1 /* Enveloped Data (encryption) */
/* Default enabled with HAVE_PKCS7 */
#endif
#if 0 /* Compressed Data (requires libz) */
#define HAVE_LIBZ
#endif
#if 1 /* Authenticated Enveloped Data (AES-GCM) */
/* Requires HAVE_AESGCM */
#endif
/* PKCS#7 Features */
#define HAVE_X963_KDF
#define HAVE_HKDF
/* ------------------------------------------------- */
/* S/MIME */
/* ------------------------------------------------- */
#if 1 /* S/MIME support */
#define HAVE_SMIME
#endif
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* ECC */
/* ------------------------------------------------- */
#if 1 /* ECC support */
#define HAVE_ECC
#define ECC_USER_CURVES
#undef NO_ECC256
#if 1 /* P-384 */
#define HAVE_ECC384
#endif
#if 0 /* P-521 */
#define HAVE_ECC521
#endif
#define ECC_SHAMIR
#define HAVE_ECC_ENCRYPT /* ECIES for PKCS#7 */
#endif
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#if 1 /* RSA support */
#undef NO_RSA
#define WOLFSSL_KEY_GEN
#define WC_RSA_NO_PADDING
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
/* AES (required for PKCS#7) */
#define HAVE_AES_CBC
#define HAVE_AES_DECRYPT
#define HAVE_AES_KEYWRAP
#define WOLFSSL_AES_DIRECT
#if 1 /* AES-GCM (AuthEnvelopedData) */
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
#endif
#if 1 /* AES-CCM */
#define HAVE_AESCCM
#endif
#if 0 /* 3DES (legacy, not recommended) */
#undef NO_DES3
#else
#define NO_DES3
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 required */
#if 1 /* SHA-1 (for legacy compatibility) */
#undef NO_SHA
#else
#define NO_SHA
#endif
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#if 1 /* SHA-3 */
#define WOLFSSL_SHA3
#endif
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
/* Certificate generation for signing */
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#define WOLFSSL_MULTI_ATTRIB
/* Certificate parsing */
#define WOLFSSL_PEM_TO_DER
#define WOLFSSL_DER_TO_PEM
#define WOLFSSL_DER_LOAD
/* ------------------------------------------------- */
/* Encoding */
/* ------------------------------------------------- */
#define WOLFSSL_BASE64_ENCODE
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DH
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_PSK
#define NO_PWDBASED
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 0 /* Disable error strings */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

232
examples/configs/user_settings_pq.h Normal file
View File

@@ -0,0 +1,232 @@
/* user_settings_pq.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* Post-Quantum TLS 1.3 with ML-KEM (Kyber) and ML-DSA (Dilithium).
* Provides quantum-resistant key exchange and signatures.
* Based on NIST FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) standards.
*
* Build and test:
* cp ./examples/configs/user_settings_pq.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
/* ------------------------------------------------- */
/* TLS 1.3 (required for PQ) */
/* ------------------------------------------------- */
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF
#define WC_RSA_PSS
/* Disable older TLS versions */
#define WOLFSSL_NO_TLS12
#define NO_OLD_TLS
#if 1 /* Session tickets */
#define HAVE_SESSION_TICKET
#endif
#if 1 /* Server Name Indication */
#define HAVE_SNI
#endif
/* ------------------------------------------------- */
/* Experimental Settings (required for PQ) */
/* ------------------------------------------------- */
#define WOLFSSL_EXPERIMENTAL_SETTINGS
/* ------------------------------------------------- */
/* ML-KEM / Kyber (Key Encapsulation) */
/* ------------------------------------------------- */
#if 1 /* ML-KEM (FIPS 203) */
#define WOLFSSL_HAVE_KYBER
#define WOLFSSL_WC_KYBER
#define WOLFSSL_KYBER512 /* Level 1: 128-bit security */
#define WOLFSSL_KYBER768 /* Level 3: 192-bit security */
#define WOLFSSL_KYBER1024 /* Level 5: 256-bit security */
#endif
/* ------------------------------------------------- */
/* ML-DSA / Dilithium (Signatures) */
/* ------------------------------------------------- */
#if 1 /* ML-DSA (FIPS 204) */
#define HAVE_DILITHIUM
#define WOLFSSL_WC_DILITHIUM
#define DILITHIUM_LEVEL2 /* Level 2: ~128-bit security */
#define DILITHIUM_LEVEL3 /* Level 3: ~192-bit security */
#define DILITHIUM_LEVEL5 /* Level 5: ~256-bit security */
/* Uses FIPS 204 final standard by default */
#if 0 /* FIPS 204 Draft version */
#define WOLFSSL_DILITHIUM_FIPS204_DRAFT
#endif
#define WOLFSSL_SHAKE128
#define WOLFSSL_SHAKE256
#endif
/* ------------------------------------------------- */
/* LMS (Stateful Hash-Based Signatures) */
/* ------------------------------------------------- */
#if 0 /* LMS signatures */
#define WOLFSSL_HAVE_LMS
#define WOLFSSL_WC_LMS
#ifndef LMS_LEVELS
#define LMS_LEVELS 2
#endif
#ifndef LMS_HEIGHT
#define LMS_HEIGHT 10
#endif
#ifndef LMS_WINTERNITZ
#define LMS_WINTERNITZ 8
#endif
#endif
/* ------------------------------------------------- */
/* XMSS (Stateful Hash-Based Signatures) */
/* ------------------------------------------------- */
#if 0 /* XMSS signatures */
#define WOLFSSL_HAVE_XMSS
#define WOLFSSL_WC_XMSS
#ifndef WOLFSSL_XMSS_MAX_HEIGHT
#define WOLFSSL_XMSS_MAX_HEIGHT 20
#endif
#endif
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* Classical ECC (hybrid with PQ) */
/* ------------------------------------------------- */
#if 1 /* ECC for hybrid key exchange */
#define HAVE_ECC
#define ECC_USER_CURVES
#undef NO_ECC256
#define HAVE_ECC384
#define ECC_SHAMIR
#endif
/* ------------------------------------------------- */
/* Curve25519 (hybrid with PQ) */
/* ------------------------------------------------- */
#if 1 /* X25519 for hybrid key exchange */
#define HAVE_CURVE25519
#endif
/* ------------------------------------------------- */
/* RSA (for legacy compatibility) */
/* ------------------------------------------------- */
#if 1 /* RSA support */
#undef NO_RSA
#define WOLFSSL_KEY_GEN
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* DH */
/* ------------------------------------------------- */
#define NO_DH
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
#if 1 /* ChaCha20-Poly1305 */
#define HAVE_CHACHA
#define HAVE_POLY1305
#define HAVE_ONE_TIME_AUTH
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#define WOLFSSL_SHA3
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#if 1 /* Certificate generation with PQ algorithms */
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#endif
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_PSK
#define NO_PWDBASED
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 0 /* Disable error strings */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

238
examples/configs/user_settings_rsa_only.h Normal file
View File

@@ -0,0 +1,238 @@
/* user_settings_rsa_only.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* RSA-only configuration (no ECC).
* For legacy systems that require RSA-only cipher suites.
* Supports TLS 1.2 and 1.3 with RSA certificates.
*
* Build and test:
* cp ./examples/configs/user_settings_rsa_only.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#if 0 /* Single threaded */
#define SINGLE_THREADED
#endif
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
#define WOLFSSL_HAVE_SP_RSA
#define WOLFSSL_SP_4096
#if 0 /* Small code size */
#define WOLFSSL_SP_SMALL
#endif
/* ------------------------------------------------- */
/* TLS */
/* ------------------------------------------------- */
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_EXTENDED_MASTER
#define HAVE_ENCRYPT_THEN_MAC
#define HAVE_HKDF
#define WC_RSA_PSS
/* TLS 1.2 for legacy compatibility */
#if 1 /* Enable TLS 1.2 */
#undef WOLFSSL_NO_TLS12
#else
#define WOLFSSL_NO_TLS12
#endif
#define NO_OLD_TLS
/* TLS Extensions */
#if 1 /* Session tickets */
#define HAVE_SESSION_TICKET
#endif
#if 1 /* Server Name Indication */
#define HAVE_SNI
#endif
#if 1 /* Secure renegotiation */
#define HAVE_SECURE_RENEGOTIATION
#define HAVE_SERVER_RENEGOTIATION_INFO
#endif
/* Client/Server */
#if 0 /* Client only */
#define NO_WOLFSSL_SERVER
#endif
#if 0 /* Server only */
#define NO_WOLFSSL_CLIENT
#endif
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#undef NO_RSA
/* RSA key sizes */
#if 1 /* 2048-bit (minimum recommended) */
/* Always enabled */
#endif
#if 1 /* 3072-bit */
/* Enabled via WOLFSSL_SP_MATH_ALL */
#endif
#if 1 /* 4096-bit */
#define WOLFSSL_SP_4096
#endif
/* RSA features */
#define WOLFSSL_KEY_GEN
#define WC_RSA_NO_PADDING
#if 0 /* RSA-PSS only (no PKCS#1 v1.5) */
#define WC_RSA_PSS_ONLY
#endif
#if 0 /* Low memory RSA */
#define RSA_LOW_MEM
#endif
/* ------------------------------------------------- */
/* DH (for TLS 1.2 key exchange) */
/* ------------------------------------------------- */
#if 1 /* DH key exchange */
#undef NO_DH
#define HAVE_FFDHE_2048
#define HAVE_FFDHE_3072
#define HAVE_FFDHE_4096
#define HAVE_DH_DEFAULT_PARAMS
#define WOLFSSL_HAVE_SP_DH
#else
#define NO_DH
#endif
/* ------------------------------------------------- */
/* ECC - Disabled */
/* ------------------------------------------------- */
#define NO_ECC
/* Note: TLS 1.3 typically requires ECDHE, but can work with
* FFDHE (DH) key exchange with RSA certificates */
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
/* AES-GCM (required for TLS 1.3) */
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
/* AES-CBC (for TLS 1.2) */
#define HAVE_AES_CBC
#define HAVE_AES_DECRYPT
#if 1 /* ChaCha20-Poly1305 */
#define HAVE_CHACHA
#define HAVE_POLY1305
#define HAVE_ONE_TIME_AUTH
#endif
#if 0 /* AES-CCM */
#define HAVE_AESCCM
#endif
#if 0 /* Additional AES modes */
#define WOLFSSL_AES_COUNTER
#define WOLFSSL_AES_DIRECT
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 required */
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#if 1 /* SHA-1 (for TLS 1.2 compatibility) */
#undef NO_SHA
#else
#define NO_SHA
#endif
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#if 1 /* Certificate generation */
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#endif
#if 1 /* CRL/OCSP */
#define HAVE_CRL
#define HAVE_OCSP
#endif
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_PSK
#define NO_PWDBASED
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 0 /* Disable error strings to save flash */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

214
examples/configs/user_settings_tls13.h Normal file
View File

@@ -0,0 +1,214 @@
/* user_settings_tls13.h
*
* Copyright (C) 2006-2025 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
/* TLS 1.3 only (no TLS 1.2 or older) with modern algorithms.
* Supports both client and server.
*
* Build and test:
* cp ./examples/configs/user_settings_tls13.h user_settings.h
* ./configure --enable-usersettings --disable-examples
* make
* ./wolfcrypt/test/testwolfcrypt
*/
#ifndef WOLFSSL_USER_SETTINGS_H
#define WOLFSSL_USER_SETTINGS_H
#ifdef __cplusplus
extern "C" {
#endif
/* ------------------------------------------------- */
/* Platform */
/* ------------------------------------------------- */
#if 0 /* Single threaded */
#define SINGLE_THREADED
#endif
#if 0 /* Disable filesystem */
#define NO_FILESYSTEM
#endif
#define WOLFSSL_IGNORE_FILE_WARN
/* ------------------------------------------------- */
/* Math */
/* ------------------------------------------------- */
#define WOLFSSL_SP_MATH_ALL
#if 0 /* Small code size */
#define WOLFSSL_SP_SMALL
#endif
/* ------------------------------------------------- */
/* TLS 1.3 */
/* ------------------------------------------------- */
#define WOLFSSL_TLS13
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES
#define HAVE_HKDF
#define WC_RSA_PSS
/* Disable older TLS versions */
#define WOLFSSL_NO_TLS12
#define NO_OLD_TLS
/* TLS 1.3 Extensions */
#if 1 /* Session tickets */
#define HAVE_SESSION_TICKET
#endif
#if 0 /* Early data (0-RTT) */
#define WOLFSSL_EARLY_DATA
#endif
#if 0 /* Post-handshake authentication */
#define WOLFSSL_POST_HANDSHAKE_AUTH
#endif
#if 1 /* Server Name Indication */
#define HAVE_SNI
#endif
/* Client/Server */
#if 0 /* Client only */
#define NO_WOLFSSL_SERVER
#endif
#if 0 /* Server only */
#define NO_WOLFSSL_CLIENT
#endif
/* ------------------------------------------------- */
/* Timing Resistance */
/* ------------------------------------------------- */
#define TFM_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT
#define WC_RSA_BLINDING
/* ------------------------------------------------- */
/* ECC */
/* ------------------------------------------------- */
#if 1 /* ECC support */
#define HAVE_ECC
#define ECC_USER_CURVES
#undef NO_ECC256
#if 1 /* P-384 */
#define HAVE_ECC384
#endif
#if 0 /* P-521 */
#define HAVE_ECC521
#endif
#define ECC_SHAMIR
#endif
/* ------------------------------------------------- */
/* Curve25519 / Ed25519 */
/* ------------------------------------------------- */
#if 1 /* X25519 key exchange */
#define HAVE_CURVE25519
#endif
#if 0 /* Ed25519 signatures */
#define HAVE_ED25519
#endif
/* ------------------------------------------------- */
/* RSA */
/* ------------------------------------------------- */
#if 1 /* RSA support */
#undef NO_RSA
#define WOLFSSL_KEY_GEN
#else
#define NO_RSA
#endif
/* ------------------------------------------------- */
/* DH */
/* ------------------------------------------------- */
#if 0 /* DH key exchange (FFDHE) */
#undef NO_DH
#define HAVE_FFDHE_2048
#define HAVE_FFDHE_3072
#define HAVE_DH_DEFAULT_PARAMS
#else
#define NO_DH
#endif
/* ------------------------------------------------- */
/* Symmetric Ciphers */
/* ------------------------------------------------- */
/* AES-GCM (required for TLS 1.3) */
#define HAVE_AESGCM
#define GCM_TABLE_4BIT
#if 1 /* ChaCha20-Poly1305 */
#define HAVE_CHACHA
#define HAVE_POLY1305
#define HAVE_ONE_TIME_AUTH
#endif
#if 0 /* AES-CCM */
#define HAVE_AESCCM
#endif
/* ------------------------------------------------- */
/* Hashing */
/* ------------------------------------------------- */
/* SHA-256 required */
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
/* ------------------------------------------------- */
/* RNG */
/* ------------------------------------------------- */
#define HAVE_HASHDRBG
/* ------------------------------------------------- */
/* ASN / Certificates */
/* ------------------------------------------------- */
#define WOLFSSL_ASN_TEMPLATE
#if 0 /* Certificate generation */
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_REQ
#define WOLFSSL_CERT_EXT
#endif
/* ------------------------------------------------- */
/* Disabled Algorithms */
/* ------------------------------------------------- */
#define NO_DSA
#define NO_RC4
#define NO_MD4
#define NO_MD5
#define NO_DES3
#define NO_DES3_TLS_SUITES
#define NO_PSK
#define NO_PWDBASED
/* ------------------------------------------------- */
/* Debugging */
/* ------------------------------------------------- */
#if 0 /* Enable debug logging */
#define DEBUG_WOLFSSL
#endif
#if 0 /* Disable error strings to save flash */
#define NO_ERROR_STRINGS
#endif
#ifdef __cplusplus
}
#endif
#endif /* WOLFSSL_USER_SETTINGS_H */

11
src/internal.c
View File

@@ -15063,7 +15063,7 @@ PRAGMA_GCC_DIAG_POP
return ret;
#endif
}
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(NO_TLS)
if (verify != NO_VERIFY && TLSX_CSR2_IsMulti(ssl->extensions)) {
extraSigners = TLSX_CSR2_GetPendingSigners(ssl->extensions);
}
@@ -15840,6 +15840,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* If we are processing OCSP staples then always
* initialize the corresponding request. */
int ocspRet = 0;
#ifndef NO_TLS
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
addToPendingCAs = 0;
if (ssl->options.side == WOLFSSL_CLIENT_END &&
@@ -15864,6 +15865,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
else
#endif
#endif /* NO_TLS */
if (ret == 0 && SSL_CM(ssl)->ocspEnabled &&
SSL_CM(ssl)->ocspCheckAll) {
WOLFSSL_MSG("Doing Non Leaf OCSP check");
@@ -16365,6 +16367,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("Checking if ocsp needed");
if (ssl->options.side == WOLFSSL_CLIENT_END) {
#ifndef NO_TLS
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
if (ssl->status_request) {
args->fatal = (TLSX_CSR_InitRequest_ex(
@@ -16397,6 +16400,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("\tHave status request v2");
}
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
#endif /* !NO_TLS */
}
#ifdef HAVE_OCSP
@@ -17217,8 +17221,8 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
return BUFFER_ERROR;
switch (status_type) {
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
#ifndef NO_TLS
#if (defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_TLS)) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
/* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */
@@ -17332,6 +17336,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
break;
#endif
#endif /* !NO_TLS */
default:
ret = BUFFER_ERROR;

2
src/ocsp.c
View File

@@ -373,7 +373,7 @@ int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz,
#endif
InitOcspResponse(ocspResponse, newSingle, newStatus, response,
(word32)responseSz, ocsp->cm->heap);
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(NO_TLS)
if (ocspRequest != NULL && ocspRequest->ssl != NULL &&
TLSX_CSR2_IsMulti(((WOLFSSL*)ocspRequest->ssl)->extensions)) {
ocspResponse->pendingCAs = TLSX_CSR2_GetPendingSigners(((WOLFSSL*)ocspRequest->ssl)->extensions);

3
wolfssl/internal.h
View File

@@ -3198,8 +3198,9 @@ WOLFSSL_LOCAL int TLSX_Append(TLSX** list, TLSX_Type type,
|| defined(HAVE_SECURE_RENEGOTIATION) \
|| defined(HAVE_SERVER_RENEGOTIATION_INFO)
#ifndef NO_TLS
#error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined.
#endif
#endif /* HAVE_TLS_EXTENSIONS */
/** Server Name Indication - RFC 6066 (session 3) */