diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml index 13fc39c56..d1100d3cd 100644 --- a/.github/workflows/os-check.yml +++ b/.github/workflows/os-check.yml @@ -111,15 +111,24 @@ jobs: matrix: os: [ ubuntu-24.04, macos-latest ] user-settings: [ - # Add new user_settings.h here + # Add new user_settings.h here (alphabetical order) + 'examples/configs/user_settings_ca.h', + 'examples/configs/user_settings_dtls13.h', 'examples/configs/user_settings_EBSnet.h', 'examples/configs/user_settings_eccnonblock.h', 'examples/configs/user_settings_min_ecc.h', + 'examples/configs/user_settings_openssl_compat.h', + 'examples/configs/user_settings_pkcs7.h', + 'examples/configs/user_settings_rsa_only.h', 'examples/configs/user_settings_template.h', 'examples/configs/user_settings_tls12.h', + 'examples/configs/user_settings_tls13.h', 'examples/configs/user_settings_wolfboot_keytools.h', 'examples/configs/user_settings_wolfssh.h', 'examples/configs/user_settings_wolftpm.h', + # Not included (require special setup): + # - user_settings_pq.h: Requires --enable-experimental + # - user_settings_baremetal.h: Requires static memory, custom platform ] name: make user_setting.h (testwolfcrypt only) if: github.repository_owner == 'wolfssl' diff --git a/examples/configs/README.md b/examples/configs/README.md index a7a7ff856..e1749bdee 100644 --- a/examples/configs/README.md +++ b/examples/configs/README.md 
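Review bot: The two configs listed under `# Not included (require special setup)` are added to the README and to `EXTRA_DIST` by this same commit, yet no matrix entry builds them, so they can drift from the library without CI noticing. The exclusion reason for `user_settings_baremetal.h` ("Requires static memory, custom platform") also disagrees with that file's own header, which advertises a plain `./configure --enable-usersettings --disable-examples` build followed by `testwolfcrypt`, and whose default memory branch does not define `WOLFSSL_STATIC_MEMORY`. One of the two should be corrected. A separate compile-only entry would help: one that passes `--enable-experimental` for the pq file, and one that only runs `make` for the baremetal file. The job's steps are outside this hunk, so how easily an extra configure flag fits into the existing matrix is not visible here.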
@@ -16,6 +16,14 @@ Example wolfSSL configuration file templates for use when autoconf is not availa * `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl). * `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack. * `user_settings_tls12.h`: Example for TLS v1.2 client only, ECC only, AES-GCM only, SHA2-256 only. +* `user_settings_tls13.h`: TLS 1.3 only configuration (no TLS 1.2). Modern cipher suites with X25519/X448 key exchange. +* `user_settings_dtls13.h`: DTLS 1.3 for IoT and embedded. Includes connection ID support and smaller MTU options. +* `user_settings_pq.h`: Post-quantum TLS with ML-KEM (Kyber) key exchange and ML-DSA (Dilithium) certificates. +* `user_settings_openssl_compat.h`: OpenSSL compatibility layer for drop-in replacement. Enables OPENSSL_ALL and related APIs. +* `user_settings_baremetal.h`: Bare metal configuration. No filesystem, static memory only, minimal footprint. +* `user_settings_rsa_only.h`: RSA-only configuration (no ECC). For legacy systems requiring RSA cipher suites. +* `user_settings_pkcs7.h`: PKCS#7/CMS configuration for signing and encryption. S/MIME, firmware signing. +* `user_settings_ca.h`: Certificate Authority / PKI operations. Certificate generation, signing, CRL, OCSP. * `user_settings_wolfboot_keytools.h`: wolfBoot key generation and signing tool. Supports ECC, RSA, ED25519, ED448, and post-quantum (ML-DSA/Dilithium, LMS, XMSS). * `user_settings_wolfssh.h`: Minimum options for building wolfSSH. See comment at top for ./configure used to generate. * `user_settings_wolftpm.h`: Minimum options for building wolfTPM. See comment at top for ./configure used to generate. diff --git a/examples/configs/include.am b/examples/configs/include.am index ab2453412..2266215bc 100644 --- a/examples/configs/include.am +++ b/examples/configs/include.am 
@@ -4,16 +4,24 @@ EXTRA_DIST += examples/configs/README.md EXTRA_DIST += examples/configs/user_settings_all.h EXTRA_DIST += examples/configs/user_settings_arduino.h +EXTRA_DIST += examples/configs/user_settings_baremetal.h +EXTRA_DIST += examples/configs/user_settings_ca.h +EXTRA_DIST += examples/configs/user_settings_dtls13.h EXTRA_DIST += examples/configs/user_settings_EBSnet.h EXTRA_DIST += examples/configs/user_settings_eccnonblock.h EXTRA_DIST += examples/configs/user_settings_espressif.h EXTRA_DIST += examples/configs/user_settings_fipsv2.h EXTRA_DIST += examples/configs/user_settings_fipsv5.h EXTRA_DIST += examples/configs/user_settings_min_ecc.h +EXTRA_DIST += examples/configs/user_settings_openssl_compat.h +EXTRA_DIST += examples/configs/user_settings_pkcs7.h EXTRA_DIST += examples/configs/user_settings_platformio.h +EXTRA_DIST += examples/configs/user_settings_pq.h +EXTRA_DIST += examples/configs/user_settings_rsa_only.h EXTRA_DIST += examples/configs/user_settings_stm32.h EXTRA_DIST += examples/configs/user_settings_template.h EXTRA_DIST += examples/configs/user_settings_tls12.h +EXTRA_DIST += examples/configs/user_settings_tls13.h EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h EXTRA_DIST += examples/configs/user_settings_wolfssh.h EXTRA_DIST += examples/configs/user_settings_wolftpm.h diff --git a/examples/configs/user_settings_baremetal.h b/examples/configs/user_settings_baremetal.h new file mode 100644 index 000000000..1e789b362 --- /dev/null +++ b/examples/configs/user_settings_baremetal.h 
@@ -0,0 +1,231 @@ +/* user_settings_baremetal.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* Bare metal configuration for systems without an OS. + * No filesystem, no malloc (static memory), minimal footprint. + * Suitable for deeply embedded systems and bootloaders. 
+ * + * Build and test: + * cp ./examples/configs/user_settings_baremetal.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* Platform - Bare Metal */ +/* ------------------------------------------------- */ +#define SINGLE_THREADED +#define NO_FILESYSTEM +#define NO_WRITEV +#define WOLFSSL_NO_SOCK +#define WOLFSSL_IGNORE_FILE_WARN +#define WOLFSSL_GENERAL_ALIGNMENT 4 +#define SIZEOF_LONG_LONG 8 + +/* TLS transport requires setting IO callbacks */ +#define WOLFSSL_USER_IO + +/* ------------------------------------------------- */ +/* Memory */ +/* ------------------------------------------------- */ +#if 1 /* stack memory */ + +#elif 1 /* small stack */ + /* Small stack - allocate large variables from static pool */ + #define WOLFSSL_SMALL_STACK +#else /* static memory */ + #define WOLFSSL_STATIC_MEMORY + #define WOLFSSL_NO_MALLOC + #define WOLFSSL_SP_NO_MALLOC + #define WOLFSSL_MALLOC_CHECK + #define NO_WOLFSSL_MEMORY +#endif + +/* ------------------------------------------------- */ +/* Math - Single Precision (smallest) */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH +#define WOLFSSL_SP_SMALL +#define TFM_TIMING_RESISTANT + +/* ------------------------------------------------- */ +/* TLS (optional - disable for crypto-only) */ +/* ------------------------------------------------- */ +#if 0 /* TLS support */ + #define WOLFSSL_TLS13 + #define WOLFSSL_NO_TLS12 + #define NO_OLD_TLS + #define HAVE_TLS_EXTENSIONS + #define HAVE_SUPPORTED_CURVES + #define HAVE_HKDF +#else + #define WOLFCRYPT_ONLY +#endif + +/* ------------------------------------------------- */ +/* ECC (smallest asymmetric option) */ +/* ------------------------------------------------- */ +#if 1 /* ECC support */ + 
#define HAVE_ECC + #define WOLFSSL_HAVE_SP_ECC + + #define ECC_USER_CURVES /* P-256 only */ + #undef NO_ECC256 + #define ECC_TIMING_RESISTANT + /* Disable for smaller size */ + #if 0 /* ECC Shamir (faster, more code) */ + #define ECC_SHAMIR + #endif +#endif + +/* ECC Feature Reduction */ +#if 0 /* Verify only (no signing/keygen) */ + #define NO_ECC_SIGN + #define NO_ECC_DHE + #define NO_ECC_KEY_EXPORT +#endif + +/* ------------------------------------------------- */ +/* RSA (disable for smallest size) */ +/* ------------------------------------------------- */ +#if 0 /* RSA support */ + #undef NO_RSA + #define WOLFSSL_HAVE_SP_RSA + #define WC_RSA_BLINDING + #define RSA_LOW_MEM + #if 0 /* Verify only */ + #define WOLFSSL_RSA_PUBLIC_ONLY + #define WOLFSSL_RSA_VERIFY_INLINE + #define NO_CHECK_PRIVATE_KEY + #endif +#else + #define NO_RSA +#endif + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +#if 1 /* AES */ + #define HAVE_AESGCM + #define GCM_SMALL + #define WOLFSSL_AES_SMALL_TABLES + #define WOLFSSL_AES_NO_UNROLL + #define NO_AES_192 + #define NO_AES_256 + #if 0 /* AES-CBC */ + #undef NO_AES_CBC + #else + #define NO_AES_CBC + #endif +#else + #define NO_AES +#endif + +#if 0 /* ChaCha20-Poly1305 */ + #define HAVE_CHACHA + #define HAVE_POLY1305 +#endif + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +/* SHA-256 only (required) */ +#define USE_SLOW_SHA256 + +#if 0 /* SHA-1 (legacy) */ + #undef NO_SHA +#else + #define NO_SHA +#endif + +/* ------------------------------------------------- */ +/* RNG */ +/* ------------------------------------------------- */ +#if 1 /* Hash-based DRBG */ + #define HAVE_HASHDRBG +#else + /* Use hardware RNG directly */ + #define WC_NO_HASHDRBG + extern int my_rng_gen_block(unsigned char* output, unsigned int sz); + #define CUSTOM_RAND_GENERATE_BLOCK my_rng_gen_block 
+#endif + +/* ------------------------------------------------- */ +/* ASN / Certificates */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE + +#if 0 /* Disable certificates for smallest size */ + #define NO_ASN + #define NO_CERTS + #define NO_CODING +#endif + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DH +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_MD5 +#define NO_DES3 +#define NO_DES3_TLS_SUITES +#define NO_PSK +#define NO_PWDBASED +#define NO_PKCS8 +#define NO_PKCS12 + +/* ------------------------------------------------- */ +/* Disabled Features */ +/* ------------------------------------------------- */ +#define NO_SIG_WRAPPER +#define NO_SESSION_CACHE +#define NO_ERROR_STRINGS +#define NO_OLD_RNGNAME +#define NO_WOLFSSL_DIR +#define BENCH_EMBEDDED + +/* ------------------------------------------------- */ +/* Custom Time (bare metal has no RTC typically) */ +/* ------------------------------------------------- */ +#if 1 /* Custom time function */ + #define NO_ASN_TIME + /* Or provide custom time: + * #define USER_TIME + * extern unsigned long my_time(unsigned long* timer); + * #define XTIME my_time + */ +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_ca.h b/examples/configs/user_settings_ca.h new file mode 100644 index 000000000..a04f880cf --- /dev/null +++ b/examples/configs/user_settings_ca.h 
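Review bot: The `#if 1 /* Custom time function */` block at the end of this file does not install a time function. It defines `NO_ASN_TIME`, which compiles out certificate validity-date checking, so code that verifies certificates with this template will not reject expired or not-yet-valid ones, and the label hides that trade-off. I would relabel it, e.g. `#if 1 /* No RTC: certificate date checks are DISABLED (NO_ASN_TIME) */`, and present the `USER_TIME`/`XTIME` alternative as the preferred choice whenever a clock exists. The Memory block has a similar mismatch: the file header promises "no malloc (static memory)", but the active `#if 1 /* stack memory */` branch is empty, so `WOLFSSL_STATIC_MEMORY` and `WOLFSSL_NO_MALLOC` are never defined in the default build. The `HAVE_HASHDRBG` default could also carry a comment that a bare-metal target must supply its own seed source, since nothing in this file provides one.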
@@ -0,0 +1,210 @@ +/* user_settings_ca.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* Certificate Authority (CA) / PKI configuration. + * For certificate generation, signing, CRL, OCSP, and CertificateManager. + * No TLS - certificate operations only. 
+ * + * Build and test: + * cp ./examples/configs/user_settings_ca.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ +#define NO_TLS /* Enables CertificateManager without TLS */ +#if 0 /* Single threaded */ + #define SINGLE_THREADED +#endif +#define WOLFSSL_IGNORE_FILE_WARN + +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH_ALL +#define SP_INT_BITS 4096 + +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* ------------------------------------------------- */ +/* Certificate Generation */ +/* ------------------------------------------------- */ +#define WOLFSSL_CERT_GEN +#define WOLFSSL_CERT_REQ +#define WOLFSSL_CERT_EXT +#define WOLFSSL_MULTI_ATTRIB +#define WOLFSSL_ALT_NAMES +#define WOLFSSL_CUSTOM_OID +#define HAVE_OID_ENCODING + +/* Additional certificate features */ +#define WOLFSSL_CERT_NAME_ALL +#define WOLFSSL_HAVE_ISSUER_NAMES +#define WOLFSSL_AKID_NAME +#define WOLFSSL_SUBJ_DIR_ATTR +#define WOLFSSL_SUBJ_INFO_ACC + +/* ------------------------------------------------- */ +/* ASN.1 */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE +#define WOLFSSL_PEM_TO_DER +#define WOLFSSL_DER_TO_PEM +#define WOLFSSL_DER_LOAD +#define ASN_BER_TO_DER + +/* ------------------------------------------------- */ +/* CRL (Certificate Revocation List) */ +/* ------------------------------------------------- */ +#define HAVE_CRL +#if 0 /* CRL file 
monitoring */ + #define HAVE_CRL_MONITOR +#endif +#define HAVE_CRL_IO +#define HAVE_IO_TIMEOUT + +/* ------------------------------------------------- */ +/* OCSP (Online Certificate Status Protocol) */ +/* ------------------------------------------------- */ +#define HAVE_OCSP +#define HAVE_CERTIFICATE_STATUS_REQUEST +#define HAVE_CERTIFICATE_STATUS_REQUEST_V2 +#define HAVE_TLS_EXTENSIONS + +/* ------------------------------------------------- */ +/* ECC */ +/* ------------------------------------------------- */ +#if 1 /* ECC support */ + #define HAVE_ECC + #define ECC_USER_CURVES + #undef NO_ECC256 + #define HAVE_ECC384 + #define HAVE_ECC521 + #define ECC_SHAMIR + #define HAVE_COMP_KEY + #define WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT +#endif + +/* ------------------------------------------------- */ +/* Ed25519 / Ed448 */ +/* ------------------------------------------------- */ +#if 1 /* Ed25519 certificates */ + #define HAVE_ED25519 + #define HAVE_CURVE25519 +#endif +#if 1 /* Ed448 certificates */ + #define HAVE_ED448 + #define HAVE_CURVE448 + #define WOLFSSL_SHAKE256 +#endif + +/* ------------------------------------------------- */ +/* RSA */ +/* ------------------------------------------------- */ +#if 1 /* RSA support */ + #undef NO_RSA + #define WOLFSSL_KEY_GEN + #define WC_RSA_PSS + #define WC_RSA_NO_PADDING +#else + #define NO_RSA +#endif + +/* ------------------------------------------------- */ +/* Post-Quantum Certificates */ +/* ------------------------------------------------- */ +#if 0 /* ML-DSA / Dilithium certificates */ + #define WOLFSSL_EXPERIMENTAL_SETTINGS + #define HAVE_DILITHIUM + #define WOLFSSL_WC_DILITHIUM + #define WOLFSSL_SHAKE128 + #define WOLFSSL_SHAKE256 +#endif + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +/* SHA-256 required */ +#define WOLFSSL_SHA224 +#define WOLFSSL_SHA384 +#define WOLFSSL_SHA512 +#define WOLFSSL_SHA3 + +#if 1 /* SHA-1 (for 
legacy certificate compatibility) */ + #undef NO_SHA +#else + #define NO_SHA +#endif + +/* ------------------------------------------------- */ +/* RNG */ +/* ------------------------------------------------- */ +#define HAVE_HASHDRBG + +/* ------------------------------------------------- */ +/* Encoding */ +/* ------------------------------------------------- */ +#define WOLFSSL_BASE64_ENCODE +#define WOLFSSL_BASE16 + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DH +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_MD5 +#define NO_DES3 +#define NO_PSK +#define NO_PWDBASED +#define NO_OLD_TLS + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ + #define DEBUG_WOLFSSL +#endif +#if 0 /* Disable error strings */ + #define NO_ERROR_STRINGS +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_dtls13.h b/examples/configs/user_settings_dtls13.h new file mode 100644 index 000000000..52df154d3 --- /dev/null +++ b/examples/configs/user_settings_dtls13.h 
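Review bot: The Hashing section leaves SHA-1 enabled by default (`#if 1 /* SHA-1 (for legacy certificate compatibility) */` followed by `#undef NO_SHA`). In a profile whose stated purpose is certificate generation and signing, this makes SHA-1 available for issuance as well as for parsing old chains. I would either flip the default to `#if 0` or reword the label to `/* SHA-1: only for verifying legacy chains, never select it when signing */`. In the RSA block, `WC_RSA_NO_PADDING` exposes raw, unpadded RSA operations that a CA workflow does not obviously need; consider moving it behind its own `#if 0` toggle with a comment saying when it is required. Separately, `HAVE_CERTIFICATE_STATUS_REQUEST`, `HAVE_CERTIFICATE_STATUS_REQUEST_V2` and `HAVE_TLS_EXTENSIONS` sit next to `NO_TLS`; a short comment on whether they have any effect without TLS would help readers.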
@@ -0,0 +1,211 @@ +/* user_settings_dtls13.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* DTLS 1.3 for IoT and UDP applications. + * Suitable for constrained devices with unreliable networks. + * + * Build and test: + * cp ./examples/configs/user_settings_dtls13.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* Platform */ +/* ------------------------------------------------- */ +#if 1 /* Single threaded (typical for IoT) */ + #define SINGLE_THREADED +#endif +#if 0 /* Disable filesystem */ + #define NO_FILESYSTEM +#endif +#define WOLFSSL_USER_IO +#define WOLFSSL_IGNORE_FILE_WARN + +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH_ALL +#if 1 /* Small code size for IoT */ + #define WOLFSSL_SP_SMALL +#endif + +/* ------------------------------------------------- */ +/* DTLS 1.3 */ +/* ------------------------------------------------- */ +#define WOLFSSL_DTLS +#define 
WOLFSSL_DTLS13 +#define WOLFSSL_TLS13 +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_HKDF +#define WC_RSA_PSS + +/* Disable older versions */ +#define WOLFSSL_NO_TLS12 +#define NO_OLD_TLS + +/* DTLS-specific features */ +#if 1 /* HelloRetryRequest cookie (DoS protection) */ + #define WOLFSSL_SEND_HRR_COOKIE +#endif +#if 0 /* Connection ID (NAT traversal) - requires TLS 1.2 code paths */ + #define WOLFSSL_DTLS_CID +#endif +#if 0 /* Fragmented ClientHello */ + #define WOLFSSL_DTLS_CH_FRAG +#endif + +/* Client/Server */ +#if 0 /* Client only */ + #define NO_WOLFSSL_SERVER +#endif +#if 0 /* Server only */ + #define NO_WOLFSSL_CLIENT +#endif + +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* ------------------------------------------------- */ +/* ECC (preferred for IoT) */ +/* ------------------------------------------------- */ +#define HAVE_ECC +#define ECC_USER_CURVES +#undef NO_ECC256 +#if 0 /* P-384 */ + #define HAVE_ECC384 +#endif +#define ECC_SHAMIR + +/* ------------------------------------------------- */ +/* Curve25519 / Ed25519 */ +/* ------------------------------------------------- */ +#if 1 /* X25519 key exchange (efficient for IoT) */ + #define HAVE_CURVE25519 + #define CURVE25519_SMALL +#endif + +/* ------------------------------------------------- */ +/* RSA */ +/* ------------------------------------------------- */ +#if 0 /* RSA support (larger, disable for constrained devices) */ + #undef NO_RSA +#else + #define NO_RSA +#endif + +/* ------------------------------------------------- */ +/* DH */ +/* ------------------------------------------------- */ +#define NO_DH + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +/* AES-GCM */ +#define HAVE_AESGCM +#if 1 
/* Small GCM tables for IoT */ + #define GCM_SMALL +#else + #define GCM_TABLE_4BIT +#endif + +#if 1 /* ChaCha20-Poly1305 (efficient in software) */ + #define HAVE_CHACHA + #define HAVE_POLY1305 + #define HAVE_ONE_TIME_AUTH +#endif + +#if 1 /* AES-CCM (common in IoT) */ + #define HAVE_AESCCM +#endif + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +/* SHA-256 required */ +#if 1 /* Smaller/slower SHA */ + #define USE_SLOW_SHA256 +#endif + +/* ------------------------------------------------- */ +/* RNG */ +/* ------------------------------------------------- */ +#define HAVE_HASHDRBG + +/* ------------------------------------------------- */ +/* ASN / Certificates */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_MD5 +#define NO_SHA +#define NO_DES3 +#define NO_DES3_TLS_SUITES +#define NO_PSK +#define NO_PWDBASED + +/* ------------------------------------------------- */ +/* Memory Optimization */ +/* ------------------------------------------------- */ +#if 1 /* Small stack for embedded */ + #define WOLFSSL_SMALL_STACK +#endif +#if 0 /* Static memory (no malloc) */ + #define WOLFSSL_STATIC_MEMORY + #define WOLFSSL_NO_MALLOC +#endif +#define NO_SESSION_CACHE + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ + #define DEBUG_WOLFSSL +#endif +#if 1 /* Disable error strings to save flash */ + #define NO_ERROR_STRINGS +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ 
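Review bot: The Connection ID block is disabled (`#if 0 /* Connection ID (NAT traversal) - requires TLS 1.2 code paths */`), but the README entry added in this same commit describes this file as "Includes connection ID support". Because `WOLFSSL_NO_TLS12` is defined a few lines above, flipping that toggle alone presumably does not give a working build either. Either reword the README line, or extend the comment to name exactly what must also change, e.g. `#if 0 /* Connection ID: off by default; enabling it conflicts with WOLFSSL_NO_TLS12 above */`. Also, `WC_RSA_PSS` is defined unconditionally in the DTLS 1.3 section while the RSA block defaults to `NO_RSA`; moving it into the `#if 0 /* RSA support */` branch keeps the two consistent.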
diff --git a/examples/configs/user_settings_openssl_compat.h b/examples/configs/user_settings_openssl_compat.h new file mode 100644 index 000000000..415f5addd --- /dev/null +++ b/examples/configs/user_settings_openssl_compat.h 
@@ -0,0 +1,274 @@ +/* user_settings_openssl_compat.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* OpenSSL compatibility layer for drop-in replacement. + * Provides OpenSSL API compatibility for applications migrating from OpenSSL. + * + * Build and test: + * cp ./examples/configs/user_settings_openssl_compat.h user_settings.h + * ./configure --enable-usersettings --disable-examples + * make + * ./wolfcrypt/test/testwolfcrypt + */ + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* ------------------------------------------------- */ +/* OpenSSL Compatibility */ +/* ------------------------------------------------- */ +#define OPENSSL_EXTRA +#if 1 /* Full OpenSSL API compatibility */ + #define OPENSSL_ALL +#endif + +/* OpenSSL-compatible names and behavior */ +#define WOLFSSL_VERBOSE_ERRORS +#define ERROR_QUEUE_PER_THREAD +#define WOLFSSL_ERROR_CODE_OPENSSL +#define HAVE_WOLFSSL_SSL_H +#define OPENSSL_COMPATIBLE_DEFAULTS + +/* Avoid old name conflicts */ +#define NO_OLD_RNGNAME +#define NO_OLD_WC_NAMES +#define NO_OLD_SSL_NAMES +#define NO_OLD_SHA_NAMES +#define NO_OLD_MD5_NAME + +/* Extra data support (SSL_CTX_set_ex_data, etc.) 
*/ +#define HAVE_EX_DATA + +/* ------------------------------------------------- */ +/* Application Compatibility */ +/* ------------------------------------------------- */ +#if 0 /* nginx */ + #define WOLFSSL_NGINX +#endif +#if 0 /* HAProxy */ + #define WOLFSSL_HAPROXY +#endif +#if 0 /* Apache httpd */ + #define HAVE_LIGHTY +#endif +#if 0 /* stunnel */ + #define HAVE_STUNNEL +#endif +#if 0 /* OpenVPN */ + #define WOLFSSL_OPENVPN +#endif +#if 0 /* Qt */ + #define WOLFSSL_QT +#endif +#if 0 /* cURL */ + #define WOLFSSL_LIBCURL +#endif +#if 0 /* OpenSSH */ + #define WOLFSSL_OPENSSH +#endif + +/* ------------------------------------------------- */ +/* Math */ +/* ------------------------------------------------- */ +#define WOLFSSL_SP_MATH_ALL + +/* ------------------------------------------------- */ +/* TLS Versions */ +/* ------------------------------------------------- */ +#define WOLFSSL_TLS13 +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_EXTENDED_MASTER +#define HAVE_ENCRYPT_THEN_MAC +#define HAVE_HKDF +#define WC_RSA_PSS + +#if 1 /* TLS 1.2 (for compatibility) */ + #undef WOLFSSL_NO_TLS12 +#endif +#if 0 /* Allow older TLS (not recommended) */ + #undef NO_OLD_TLS +#else + #define NO_OLD_TLS +#endif + +/* TLS Extensions */ +#define HAVE_SESSION_TICKET +#define HAVE_SNI +#define HAVE_ALPN +#define HAVE_MAX_FRAGMENT +#define HAVE_TRUNCATED_HMAC +#define HAVE_SECURE_RENEGOTIATION +#define HAVE_SERVER_RENEGOTIATION_INFO + +/* ------------------------------------------------- */ +/* Timing Resistance */ +/* ------------------------------------------------- */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* ------------------------------------------------- */ +/* ECC */ +/* ------------------------------------------------- */ +#define HAVE_ECC +#define TFM_ECC256 +#define ECC_SHAMIR +#define HAVE_ECC_CDH +#define HAVE_COMP_KEY + +/* ------------------------------------------------- */ +/* 
Curve25519 / Ed25519 */ +/* ------------------------------------------------- */ +#define HAVE_CURVE25519 +#define HAVE_ED25519 + +/* ------------------------------------------------- */ +/* Curve448 / Ed448 */ +/* ------------------------------------------------- */ +#if 1 /* Ed448/X448 */ + #define HAVE_CURVE448 + #define HAVE_ED448 +#endif + +/* ------------------------------------------------- */ +/* RSA */ +/* ------------------------------------------------- */ +#undef NO_RSA +#define WC_RSA_NO_PADDING +#define WOLFSSL_KEY_GEN + +/* ------------------------------------------------- */ +/* DH */ +/* ------------------------------------------------- */ +#undef NO_DH +#define HAVE_FFDHE_2048 +#define HAVE_FFDHE_3072 +#define HAVE_FFDHE_4096 +#define HAVE_DH_DEFAULT_PARAMS +#define WOLFSSL_DH_EXTRA + +/* ------------------------------------------------- */ +/* Symmetric Ciphers */ +/* ------------------------------------------------- */ +#define HAVE_AESGCM +#define GCM_TABLE_4BIT +#define WOLFSSL_AESGCM_STREAM +#define HAVE_AESCCM +#define WOLFSSL_AES_COUNTER +#define WOLFSSL_AES_DIRECT +#define WOLFSSL_AES_OFB +#define WOLFSSL_AES_CFB +#define HAVE_AES_ECB +#define HAVE_AES_KEYWRAP +#define HAVE_AES_DECRYPT + +#define HAVE_CHACHA +#define HAVE_POLY1305 +#define HAVE_ONE_TIME_AUTH +#define HAVE_XCHACHA + +/* ------------------------------------------------- */ +/* Hashing */ +/* ------------------------------------------------- */ +#define WOLFSSL_SHA224 +#define WOLFSSL_SHA384 +#define WOLFSSL_SHA512 +#define WOLFSSL_SHA3 +#define WOLFSSL_SHAKE256 + +#define HAVE_BLAKE2 +#define HAVE_BLAKE2B +#define HAVE_BLAKE2S + +/* ------------------------------------------------- */ +/* Additional Features */ +/* ------------------------------------------------- */ +#define HAVE_HASHDRBG +#define WOLFSSL_CMAC +#define WOLFSSL_DES_ECB +#define HAVE_CTS +#define HAVE_HKDF +#define HAVE_X963_KDF +#define HAVE_KEYING_MATERIAL +#define WOLFSSL_HAVE_PRF + +/* 
------------------------------------------------- */ +/* Certificates */ +/* ------------------------------------------------- */ +#define WOLFSSL_ASN_TEMPLATE +#define WOLFSSL_CERT_GEN +#define WOLFSSL_CERT_REQ +#define WOLFSSL_CERT_EXT +#define WOLFSSL_MULTI_ATTRIB +#define WOLFSSL_DER_LOAD +#define WOLFSSL_PEM_TO_DER +#define WOLFSSL_DER_TO_PEM +#define WOLFSSL_ALT_NAMES + +#define HAVE_CRL +#define HAVE_OCSP +#define HAVE_CERTIFICATE_STATUS_REQUEST +#define HAVE_CERTIFICATE_STATUS_REQUEST_V2 + +/* ------------------------------------------------- */ +/* Encoding */ +/* ------------------------------------------------- */ +#define WOLFSSL_BASE16 +#define WOLFSSL_BASE64_ENCODE + +/* ------------------------------------------------- */ +/* Session Cache */ +/* ------------------------------------------------- */ +#define HAVE_EXT_CACHE +#define SESSION_CERTS +#define PERSIST_SESSION_CACHE +#define PERSIST_CERT_CACHE + +/* ------------------------------------------------- */ +/* PKCS */ +/* ------------------------------------------------- */ +#define HAVE_PKCS8 + +/* ------------------------------------------------- */ +/* Disabled Algorithms */ +/* ------------------------------------------------- */ +#define NO_DSA +#define NO_RC4 +#define NO_MD4 +#define NO_PSK + +/* ------------------------------------------------- */ +/* Debugging */ +/* ------------------------------------------------- */ +#if 0 /* Enable debug logging */ + #define DEBUG_WOLFSSL +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */ diff --git a/examples/configs/user_settings_pkcs7.h b/examples/configs/user_settings_pkcs7.h new file mode 100644 index 000000000..1d93f215d --- /dev/null +++ b/examples/configs/user_settings_pkcs7.h 
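Review bot: In the Application Compatibility section, the toggle labelled `/* Apache httpd */` defines `HAVE_LIGHTY`, which is the lighttpd compatibility switch; Apache httpd uses `WOLFSSL_APACHE_HTTPD`. Either relabel the block `/* lighttpd */` or change the define, otherwise someone enabling it for Apache gets the wrong API set. In the TLS Extensions list, `HAVE_TRUNCATED_HMAC` and `HAVE_SECURE_RENEGOTIATION` are enabled unconditionally. Both widen the protocol surface for every user of this template, so I would put them behind `#if 0` toggles like the application switches, with a comment such as `/* only if the migrated application requires it */`. `HAVE_HKDF` is defined twice (TLS Versions and Additional Features), and `TFM_ECC256` has no obvious role next to `WOLFSSL_SP_MATH_ALL`; dropping the duplicates would keep the template easier to audit.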
@@ -0,0 +1,215 @@
+/* user_settings_pkcs7.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* PKCS#7 / CMS configuration for signing and encryption.
+ * Suitable for S/MIME, firmware signing, secure messaging.
+ * No TLS - cryptographic operations only.
+ *
+ * Build and test:
+ * cp ./examples/configs/user_settings_pkcs7.h user_settings.h
+ * ./configure --enable-usersettings --disable-examples
+ * make
+ * ./wolfcrypt/test/testwolfcrypt
+ */
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* ------------------------------------------------- */
+/* Platform */
+/* ------------------------------------------------- */
+#define WOLFCRYPT_ONLY
+#if 0 /* Single threaded */
+ #define SINGLE_THREADED
+#endif
+#define WOLFSSL_IGNORE_FILE_WARN
+
+/* ------------------------------------------------- */
+/* Math */
+/* ------------------------------------------------- */
+#define WOLFSSL_SP_MATH_ALL
+#if 0 /* Small code size */
+ #define WOLFSSL_SP_SMALL
+#endif
+
+/* ------------------------------------------------- */
+/* PKCS#7 / CMS */
+/* ------------------------------------------------- */
+#define HAVE_PKCS7
+
+/* PKCS#7 Content Types */
+#if 1 /* Signed Data */
+ /* Default enabled with HAVE_PKCS7 */
+#endif
+#if 1 /* Enveloped Data (encryption) */
+ /* Default enabled with HAVE_PKCS7 */
+#endif
+#if 0 /* Compressed Data (requires libz) */
+ #define HAVE_LIBZ
+#endif
+#if 1 /* Authenticated Enveloped Data (AES-GCM) */
+ /* Requires HAVE_AESGCM */
+#endif
+
+/* PKCS#7 Features */
+#define HAVE_X963_KDF
+#define HAVE_HKDF
+
+/* ------------------------------------------------- */
+/* S/MIME */
+/* ------------------------------------------------- */
+#if 1 /* S/MIME support */
+ #define HAVE_SMIME
+#endif
+
+/* ------------------------------------------------- */
+/* Timing Resistance */
+/* ------------------------------------------------- */
+#define TFM_TIMING_RESISTANT
+#define ECC_TIMING_RESISTANT
+#define WC_RSA_BLINDING
+
+/* ------------------------------------------------- */
+/* ECC */
+/* ------------------------------------------------- */
+#if 1 /* ECC support */
+ #define HAVE_ECC
+ #define ECC_USER_CURVES
+ #undef NO_ECC256
+ #if 1 /* P-384 */
+ #define HAVE_ECC384
+ #endif
+ #if 0 /* P-521 */
+ #define HAVE_ECC521
+ #endif
+ #define ECC_SHAMIR
+ #define HAVE_ECC_ENCRYPT /* ECIES for PKCS#7 */
+#endif
+
+/* ------------------------------------------------- */
+/* RSA */
+/* ------------------------------------------------- */
+#if 1 /* RSA support */
+ #undef NO_RSA
+ #define WOLFSSL_KEY_GEN
+ #define WC_RSA_NO_PADDING
+#else
+ #define NO_RSA
+#endif
+
+/* ------------------------------------------------- */
+/* Symmetric Ciphers */
+/* ------------------------------------------------- */
+/* AES (required for PKCS#7) */
+#define HAVE_AES_CBC
+#define HAVE_AES_DECRYPT
+#define HAVE_AES_KEYWRAP
+#define WOLFSSL_AES_DIRECT
+
+#if 1 /* AES-GCM (AuthEnvelopedData) */
+ #define HAVE_AESGCM
+ #define GCM_TABLE_4BIT
+#endif
+
+#if 1 /* AES-CCM */
+ #define HAVE_AESCCM
+#endif
+
+#if 0 /* 3DES (legacy, not recommended) */
+ #undef NO_DES3
+#else
+ #define NO_DES3
+#endif
+
+/* ------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------- */
+/* SHA-256 required */
+
+#if 1 /* SHA-1 (for legacy compatibility) */
+ #undef NO_SHA
+#else
+ #define NO_SHA
+#endif
+
+#define WOLFSSL_SHA384
+#define WOLFSSL_SHA512
+
+#if 1 /* SHA-3 */
+ #define WOLFSSL_SHA3
+#endif
+
+/* ------------------------------------------------- */
+/* RNG */
+/* ------------------------------------------------- */
+#define HAVE_HASHDRBG
+
+/* ------------------------------------------------- */
+/* ASN / Certificates */
+/* ------------------------------------------------- */
+#define WOLFSSL_ASN_TEMPLATE
+
+/* Certificate generation for signing */
+#define WOLFSSL_CERT_GEN
+#define WOLFSSL_CERT_REQ
+#define WOLFSSL_CERT_EXT
+#define WOLFSSL_MULTI_ATTRIB
+
+/* Certificate parsing */
+#define WOLFSSL_PEM_TO_DER
+#define WOLFSSL_DER_TO_PEM
+#define WOLFSSL_DER_LOAD
+
+/* ------------------------------------------------- */
+/* Encoding */
+/* ------------------------------------------------- */
+#define WOLFSSL_BASE64_ENCODE
+
+/* ------------------------------------------------- */
+/* Disabled Algorithms */
+/* ------------------------------------------------- */
+#define NO_DH
+#define NO_DSA
+#define NO_RC4
+#define NO_MD4
+#define NO_MD5
+#define NO_PSK
+#define NO_PWDBASED
+
+/* ------------------------------------------------- */
+/* Debugging */
+/* ------------------------------------------------- */
+#if 0 /* Enable debug logging */
+ #define DEBUG_WOLFSSL
+#endif
+#if 0 /* Disable error strings */
+ #define NO_ERROR_STRINGS
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFSSL_USER_SETTINGS_H */
diff --git a/examples/configs/user_settings_pq.h b/examples/configs/user_settings_pq.h
new file mode 100644
index 000000000..87768603d
--- /dev/null
+++ b/examples/configs/user_settings_pq.h
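Review bot: `#define WC_RSA_NO_PADDING` in the RSA block is on by default, which as far as I know compiles raw (unpadded) RSA into a configuration described as being for S/MIME and firmware signing; nothing else visible in this file needs it. I would move it behind its own opt-in, `#if 0 /* Raw RSA without padding (only for callers that apply their own padding) */` followed by the define and `#endif`, so a copied config does not expose the primitive by accident. The same define is unconditional in user_settings_rsa_only.h in this commit. Separately, the three `#if 1` content-type blocks contain only comments, so flipping them to `#if 0` changes nothing; a plain comment listing the content types would be less misleading.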
@@ -0,0 +1,232 @@
+/* user_settings_pq.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Post-Quantum TLS 1.3 with ML-KEM (Kyber) and ML-DSA (Dilithium).
+ * Provides quantum-resistant key exchange and signatures.
+ * Based on NIST FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) standards.
+ *
+ * Build and test:
+ * cp ./examples/configs/user_settings_pq.h user_settings.h
+ * ./configure --enable-usersettings --disable-examples
+ * make
+ * ./wolfcrypt/test/testwolfcrypt
+ */
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* ------------------------------------------------- */
+/* Platform */
+/* ------------------------------------------------- */
+#define WOLFSSL_IGNORE_FILE_WARN
+
+/* ------------------------------------------------- */
+/* Math */
+/* ------------------------------------------------- */
+#define WOLFSSL_SP_MATH_ALL
+
+/* ------------------------------------------------- */
+/* TLS 1.3 (required for PQ) */
+/* ------------------------------------------------- */
+#define WOLFSSL_TLS13
+#define HAVE_TLS_EXTENSIONS
+#define HAVE_SUPPORTED_CURVES
+#define HAVE_HKDF
+#define WC_RSA_PSS
+
+/* Disable older TLS versions */
+#define WOLFSSL_NO_TLS12
+#define NO_OLD_TLS
+
+#if 1 /* Session tickets */
+ #define HAVE_SESSION_TICKET
+#endif
+#if 1 /* Server Name Indication */
+ #define HAVE_SNI
+#endif
+
+/* ------------------------------------------------- */
+/* Experimental Settings (required for PQ) */
+/* ------------------------------------------------- */
+#define WOLFSSL_EXPERIMENTAL_SETTINGS
+
+/* ------------------------------------------------- */
+/* ML-KEM / Kyber (Key Encapsulation) */
+/* ------------------------------------------------- */
+#if 1 /* ML-KEM (FIPS 203) */
+ #define WOLFSSL_HAVE_KYBER
+ #define WOLFSSL_WC_KYBER
+ #define WOLFSSL_KYBER512 /* Level 1: 128-bit security */
+ #define WOLFSSL_KYBER768 /* Level 3: 192-bit security */
+ #define WOLFSSL_KYBER1024 /* Level 5: 256-bit security */
+#endif
+
+/* ------------------------------------------------- */
+/* ML-DSA / Dilithium (Signatures) */
+/* ------------------------------------------------- */
+#if 1 /* ML-DSA (FIPS 204) */
+ #define HAVE_DILITHIUM
+ #define WOLFSSL_WC_DILITHIUM
+ #define DILITHIUM_LEVEL2 /* Level 2: ~128-bit security */
+ #define DILITHIUM_LEVEL3 /* Level 3: ~192-bit security */
+ #define DILITHIUM_LEVEL5 /* Level 5: ~256-bit security */
+ /* Uses FIPS 204 final standard by default */
+ #if 0 /* FIPS 204 Draft version */
+ #define WOLFSSL_DILITHIUM_FIPS204_DRAFT
+ #endif
+ #define WOLFSSL_SHAKE128
+ #define WOLFSSL_SHAKE256
+#endif
+
+/* ------------------------------------------------- */
+/* LMS (Stateful Hash-Based Signatures) */
+/* ------------------------------------------------- */
+#if 0 /* LMS signatures */
+ #define WOLFSSL_HAVE_LMS
+ #define WOLFSSL_WC_LMS
+ #ifndef LMS_LEVELS
+ #define LMS_LEVELS 2
+ #endif
+ #ifndef LMS_HEIGHT
+ #define LMS_HEIGHT 10
+ #endif
+ #ifndef LMS_WINTERNITZ
+ #define LMS_WINTERNITZ 8
+ #endif
+#endif
+
+/* ------------------------------------------------- */
+/* XMSS (Stateful Hash-Based Signatures) */
+/* ------------------------------------------------- */
+#if 0 /* XMSS signatures */
+ #define WOLFSSL_HAVE_XMSS
+ #define WOLFSSL_WC_XMSS
+ #ifndef WOLFSSL_XMSS_MAX_HEIGHT
+ #define WOLFSSL_XMSS_MAX_HEIGHT 20
+ #endif
+#endif
+
+/* ------------------------------------------------- */
+/* Timing Resistance */
+/* ------------------------------------------------- */
+#define TFM_TIMING_RESISTANT
+#define ECC_TIMING_RESISTANT
+#define WC_RSA_BLINDING
+
+/* ------------------------------------------------- */
+/* Classical ECC (hybrid with PQ) */
+/* ------------------------------------------------- */
+#if 1 /* ECC for hybrid key exchange */
+ #define HAVE_ECC
+ #define ECC_USER_CURVES
+ #undef NO_ECC256
+ #define HAVE_ECC384
+ #define ECC_SHAMIR
+#endif
+
+/* ------------------------------------------------- */
+/* Curve25519 (hybrid with PQ) */
+/* ------------------------------------------------- */
+#if 1 /* X25519 for hybrid key exchange */
+ #define HAVE_CURVE25519
+#endif
+
+/* ------------------------------------------------- */
+/* RSA (for legacy compatibility) */
+/* ------------------------------------------------- */
+#if 1 /* RSA support */
+ #undef NO_RSA
+ #define WOLFSSL_KEY_GEN
+#else
+ #define NO_RSA
+#endif
+
+/* ------------------------------------------------- */
+/* DH */
+/* ------------------------------------------------- */
+#define NO_DH
+
+/* ------------------------------------------------- */
+/* Symmetric Ciphers */
+/* ------------------------------------------------- */
+#define HAVE_AESGCM
+#define GCM_TABLE_4BIT
+
+#if 1 /* ChaCha20-Poly1305 */
+ #define HAVE_CHACHA
+ #define HAVE_POLY1305
+ #define HAVE_ONE_TIME_AUTH
+#endif
+
+/* ------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------- */
+#define WOLFSSL_SHA384
+#define WOLFSSL_SHA512
+#define WOLFSSL_SHA3
+
+/* ------------------------------------------------- */
+/* RNG */
+/* ------------------------------------------------- */
+#define HAVE_HASHDRBG
+
+/* ------------------------------------------------- */
+/* ASN / Certificates */
+/* ------------------------------------------------- */
+#define WOLFSSL_ASN_TEMPLATE
+
+#if 1 /* Certificate generation with PQ algorithms */
+ #define WOLFSSL_CERT_GEN
+ #define WOLFSSL_CERT_REQ
+ #define WOLFSSL_CERT_EXT
+#endif
+
+/* ------------------------------------------------- */
+/* Disabled Algorithms */
+/* ------------------------------------------------- */
+#define NO_DSA
+#define NO_RC4
+#define NO_MD4
+#define NO_MD5
+#define NO_DES3
+#define NO_DES3_TLS_SUITES
+#define NO_PSK
+#define NO_PWDBASED
+
+/* ------------------------------------------------- */
+/* Debugging */
+/* ------------------------------------------------- */
+#if 0 /* Enable debug logging */
+ #define DEBUG_WOLFSSL
+#endif
+#if 0 /* Disable error strings */
+ #define NO_ERROR_STRINGS
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFSSL_USER_SETTINGS_H */
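Review bot: The build instructions in the header comment use `./configure --enable-usersettings --disable-examples`, but the workflow change in this same commit leaves this file out of CI with the remark that it requires `--enable-experimental`; one of the two is wrong, and if the flag is needed the comment line should read `./configure --enable-usersettings --enable-experimental --disable-examples`. The header also promises quantum-resistant key exchange and signatures while RSA, P-256/P-384 and X25519 are all enabled, so presumably a peer can still negotiate a purely classical handshake unless the application restricts groups and signature algorithms at run time. A sentence saying so in the header comment would keep the file from being read as a PQ-only configuration.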
diff --git a/examples/configs/user_settings_rsa_only.h b/examples/configs/user_settings_rsa_only.h
new file mode 100644
index 000000000..d58dab7a0
--- /dev/null
+++ b/examples/configs/user_settings_rsa_only.h
@@ -0,0 +1,238 @@
+/* user_settings_rsa_only.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* RSA-only configuration (no ECC).
+ * For legacy systems that require RSA-only cipher suites.
+ * Supports TLS 1.2 and 1.3 with RSA certificates.
+ *
+ * Build and test:
+ * cp ./examples/configs/user_settings_rsa_only.h user_settings.h
+ * ./configure --enable-usersettings --disable-examples
+ * make
+ * ./wolfcrypt/test/testwolfcrypt
+ */
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* ------------------------------------------------- */
+/* Platform */
+/* ------------------------------------------------- */
+#if 0 /* Single threaded */
+ #define SINGLE_THREADED
+#endif
+#define WOLFSSL_IGNORE_FILE_WARN
+
+/* ------------------------------------------------- */
+/* Math */
+/* ------------------------------------------------- */
+#define WOLFSSL_SP_MATH_ALL
+#define WOLFSSL_HAVE_SP_RSA
+#define WOLFSSL_SP_4096
+
+#if 0 /* Small code size */
+ #define WOLFSSL_SP_SMALL
+#endif
+
+/* ------------------------------------------------- */
+/* TLS */
+/* ------------------------------------------------- */
+#define WOLFSSL_TLS13
+#define HAVE_TLS_EXTENSIONS
+#define HAVE_SUPPORTED_CURVES
+#define HAVE_EXTENDED_MASTER
+#define HAVE_ENCRYPT_THEN_MAC
+#define HAVE_HKDF
+#define WC_RSA_PSS
+
+/* TLS 1.2 for legacy compatibility */
+#if 1 /* Enable TLS 1.2 */
+ #undef WOLFSSL_NO_TLS12
+#else
+ #define WOLFSSL_NO_TLS12
+#endif
+#define NO_OLD_TLS
+
+/* TLS Extensions */
+#if 1 /* Session tickets */
+ #define HAVE_SESSION_TICKET
+#endif
+#if 1 /* Server Name Indication */
+ #define HAVE_SNI
+#endif
+#if 1 /* Secure renegotiation */
+ #define HAVE_SECURE_RENEGOTIATION
+ #define HAVE_SERVER_RENEGOTIATION_INFO
+#endif
+
+/* Client/Server */
+#if 0 /* Client only */
+ #define NO_WOLFSSL_SERVER
+#endif
+#if 0 /* Server only */
+ #define NO_WOLFSSL_CLIENT
+#endif
+
+/* ------------------------------------------------- */
+/* Timing Resistance */
+/* ------------------------------------------------- */
+#define TFM_TIMING_RESISTANT
+#define WC_RSA_BLINDING
+
+/* ------------------------------------------------- */
+/* RSA */
+/* ------------------------------------------------- */
+#undef NO_RSA
+
+/* RSA key sizes */
+#if 1 /* 2048-bit (minimum recommended) */
+ /* Always enabled */
+#endif
+#if 1 /* 3072-bit */
+ /* Enabled via WOLFSSL_SP_MATH_ALL */
+#endif
+#if 1 /* 4096-bit */
+ #define WOLFSSL_SP_4096
+#endif
+
+/* RSA features */
+#define WOLFSSL_KEY_GEN
+#define WC_RSA_NO_PADDING
+
+#if 0 /* RSA-PSS only (no PKCS#1 v1.5) */
+ #define WC_RSA_PSS_ONLY
+#endif
+
+#if 0 /* Low memory RSA */
+ #define RSA_LOW_MEM
+#endif
+
+/* ------------------------------------------------- */
+/* DH (for TLS 1.2 key exchange) */
+/* ------------------------------------------------- */
+#if 1 /* DH key exchange */
+ #undef NO_DH
+ #define HAVE_FFDHE_2048
+ #define HAVE_FFDHE_3072
+ #define HAVE_FFDHE_4096
+ #define HAVE_DH_DEFAULT_PARAMS
+ #define WOLFSSL_HAVE_SP_DH
+#else
+ #define NO_DH
+#endif
+
+/* ------------------------------------------------- */
+/* ECC - Disabled */
+/* ------------------------------------------------- */
+#define NO_ECC
+/* Note: TLS 1.3 typically requires ECDHE, but can work with
+ * FFDHE (DH) key exchange with RSA certificates */
+
+/* ------------------------------------------------- */
+/* Symmetric Ciphers */
+/* ------------------------------------------------- */
+/* AES-GCM (required for TLS 1.3) */
+#define HAVE_AESGCM
+#define GCM_TABLE_4BIT
+
+/* AES-CBC (for TLS 1.2) */
+#define HAVE_AES_CBC
+#define HAVE_AES_DECRYPT
+
+#if 1 /* ChaCha20-Poly1305 */
+ #define HAVE_CHACHA
+ #define HAVE_POLY1305
+ #define HAVE_ONE_TIME_AUTH
+#endif
+
+#if 0 /* AES-CCM */
+ #define HAVE_AESCCM
+#endif
+
+#if 0 /* Additional AES modes */
+ #define WOLFSSL_AES_COUNTER
+ #define WOLFSSL_AES_DIRECT
+#endif
+
+/* ------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------- */
+/* SHA-256 required */
+#define WOLFSSL_SHA384
+#define WOLFSSL_SHA512
+
+#if 1 /* SHA-1 (for TLS 1.2 compatibility) */
+ #undef NO_SHA
+#else
+ #define NO_SHA
+#endif
+
+/* ------------------------------------------------- */
+/* RNG */
+/* ------------------------------------------------- */
+#define HAVE_HASHDRBG
+
+/* ------------------------------------------------- */
+/* ASN / Certificates */
+/* ------------------------------------------------- */
+#define WOLFSSL_ASN_TEMPLATE
+
+#if 1 /* Certificate generation */
+ #define WOLFSSL_CERT_GEN
+ #define WOLFSSL_CERT_REQ
+ #define WOLFSSL_CERT_EXT
+#endif
+
+#if 1 /* CRL/OCSP */
+ #define HAVE_CRL
+ #define HAVE_OCSP
+#endif
+
+/* ------------------------------------------------- */
+/* Disabled Algorithms */
+/* ------------------------------------------------- */
+#define NO_DSA
+#define NO_RC4
+#define NO_MD4
+#define NO_DES3
+#define NO_DES3_TLS_SUITES
+#define NO_PSK
+#define NO_PWDBASED
+
+/* ------------------------------------------------- */
+/* Debugging */
+/* ------------------------------------------------- */
+#if 0 /* Enable debug logging */
+ #define DEBUG_WOLFSSL
+#endif
+#if 0 /* Disable error strings to save flash */
+ #define NO_ERROR_STRINGS
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFSSL_USER_SETTINGS_H */
diff --git a/examples/configs/user_settings_tls13.h b/examples/configs/user_settings_tls13.h
new file mode 100644
index 000000000..874da0ec8
--- /dev/null
+++ b/examples/configs/user_settings_tls13.h
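Review bot: The DH toggle's `#else` branch (`#define NO_DH`) yields a configuration with no ephemeral key exchange for TLS 1.3: `NO_ECC` is unconditional, no Curve25519 is enabled and `NO_PSK` is set, so FFDHE is the only key share this file can offer, as the note under `NO_ECC` itself says. The section title "DH (for TLS 1.2 key exchange)" hides that dependency; I would retitle it and make the dead branch fail loudly, `#else` followed by `#error "RSA-only config: NO_ECC leaves FFDHE as the only TLS 1.3 key exchange"`. `WOLFSSL_SP_4096` is also defined twice, in the Math section and inside `#if 1 /* 4096-bit */`, so switching that toggle off does not remove it. The key-size blocks for 2048 and 3072 bits contain only comments and have the same no-op problem.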
@@ -0,0 +1,214 @@
+/* user_settings_tls13.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* TLS 1.3 only (no TLS 1.2 or older) with modern algorithms.
+ * Supports both client and server.
+ *
+ * Build and test:
+ * cp ./examples/configs/user_settings_tls13.h user_settings.h
+ * ./configure --enable-usersettings --disable-examples
+ * make
+ * ./wolfcrypt/test/testwolfcrypt
+ */
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* ------------------------------------------------- */
+/* Platform */
+/* ------------------------------------------------- */
+#if 0 /* Single threaded */
+ #define SINGLE_THREADED
+#endif
+#if 0 /* Disable filesystem */
+ #define NO_FILESYSTEM
+#endif
+#define WOLFSSL_IGNORE_FILE_WARN
+
+/* ------------------------------------------------- */
+/* Math */
+/* ------------------------------------------------- */
+#define WOLFSSL_SP_MATH_ALL
+#if 0 /* Small code size */
+ #define WOLFSSL_SP_SMALL
+#endif
+
+/* ------------------------------------------------- */
+/* TLS 1.3 */
+/* ------------------------------------------------- */
+#define WOLFSSL_TLS13
+#define HAVE_TLS_EXTENSIONS
+#define HAVE_SUPPORTED_CURVES
+#define HAVE_HKDF
+#define WC_RSA_PSS
+
+/* Disable older TLS versions */
+#define WOLFSSL_NO_TLS12
+#define NO_OLD_TLS
+
+/* TLS 1.3 Extensions */
+#if 1 /* Session tickets */
+ #define HAVE_SESSION_TICKET
+#endif
+#if 0 /* Early data (0-RTT) */
+ #define WOLFSSL_EARLY_DATA
+#endif
+#if 0 /* Post-handshake authentication */
+ #define WOLFSSL_POST_HANDSHAKE_AUTH
+#endif
+#if 1 /* Server Name Indication */
+ #define HAVE_SNI
+#endif
+
+/* Client/Server */
+#if 0 /* Client only */
+ #define NO_WOLFSSL_SERVER
+#endif
+#if 0 /* Server only */
+ #define NO_WOLFSSL_CLIENT
+#endif
+
+/* ------------------------------------------------- */
+/* Timing Resistance */
+/* ------------------------------------------------- */
+#define TFM_TIMING_RESISTANT
+#define ECC_TIMING_RESISTANT
+#define WC_RSA_BLINDING
+
+/* ------------------------------------------------- */
+/* ECC */
+/* ------------------------------------------------- */
+#if 1 /* ECC support */
+ #define HAVE_ECC
+ #define ECC_USER_CURVES
+ #undef NO_ECC256
+ #if 1 /* P-384 */
+ #define HAVE_ECC384
+ #endif
+ #if 0 /* P-521 */
+ #define HAVE_ECC521
+ #endif
+ #define ECC_SHAMIR
+#endif
+
+/* ------------------------------------------------- */
+/* Curve25519 / Ed25519 */
+/* ------------------------------------------------- */
+#if 1 /* X25519 key exchange */
+ #define HAVE_CURVE25519
+#endif
+#if 0 /* Ed25519 signatures */
+ #define HAVE_ED25519
+#endif
+
+/* ------------------------------------------------- */
+/* RSA */
+/* ------------------------------------------------- */
+#if 1 /* RSA support */
+ #undef NO_RSA
+ #define WOLFSSL_KEY_GEN
+#else
+ #define NO_RSA
+#endif
+
+/* ------------------------------------------------- */
+/* DH */
+/* ------------------------------------------------- */
+#if 0 /* DH key exchange (FFDHE) */
+ #undef NO_DH
+ #define HAVE_FFDHE_2048
+ #define HAVE_FFDHE_3072
+ #define HAVE_DH_DEFAULT_PARAMS
+#else
+ #define NO_DH
+#endif
+
+/* ------------------------------------------------- */
+/* Symmetric Ciphers */
+/* ------------------------------------------------- */
+/* AES-GCM (required for TLS 1.3) */
+#define HAVE_AESGCM
+#define GCM_TABLE_4BIT
+
+#if 1 /* ChaCha20-Poly1305 */
+ #define HAVE_CHACHA
+ #define HAVE_POLY1305
+ #define HAVE_ONE_TIME_AUTH
+#endif
+
+#if 0 /* AES-CCM */
+ #define HAVE_AESCCM
+#endif
+
+/* ------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------- */
+/* SHA-256 required */
+#define WOLFSSL_SHA384
+#define WOLFSSL_SHA512
+
+/* ------------------------------------------------- */
+/* RNG */
+/* ------------------------------------------------- */
+#define HAVE_HASHDRBG
+
+/* ------------------------------------------------- */
+/* ASN / Certificates */
+/* ------------------------------------------------- */
+#define WOLFSSL_ASN_TEMPLATE
+
+#if 0 /* Certificate generation */
+ #define WOLFSSL_CERT_GEN
+ #define WOLFSSL_CERT_REQ
+ #define WOLFSSL_CERT_EXT
+#endif
+
+/* ------------------------------------------------- */
+/* Disabled Algorithms */
+/* ------------------------------------------------- */
+#define NO_DSA
+#define NO_RC4
+#define NO_MD4
+#define NO_MD5
+#define NO_DES3
+#define NO_DES3_TLS_SUITES
+#define NO_PSK
+#define NO_PWDBASED
+
+/* ------------------------------------------------- */
+/* Debugging */
+/* ------------------------------------------------- */
+#if 0 /* Enable debug logging */
+ #define DEBUG_WOLFSSL
+#endif
+#if 0 /* Disable error strings to save flash */
+ #define NO_ERROR_STRINGS
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFSSL_USER_SETTINGS_H */
diff --git a/src/internal.c b/src/internal.c
index 45d892479..b8689b8ee 100644
--- a/src/internal.c
+++ b/src/internal.c
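Review bot: The README entry added in this commit advertises "X25519/X448 key exchange" for this file, but only `HAVE_CURVE25519` is defined in the Curve25519 section; either add an opt-in block, `#if 0 /* X448 key exchange */` with `#define HAVE_CURVE448`, or drop X448 from the README line. On the 0-RTT toggle I would extend the comment to `#if 0 /* Early data (0-RTT): replayable, use only for idempotent requests */`, because TLS 1.3 early data has no replay protection from the protocol itself and the toggle currently gives no hint of that. `WOLFSSL_KEY_GEN` inside the RSA block also looks unnecessary for a TLS-only profile whose certificate generation is switched off, though that is a footprint rather than a correctness point.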
@@ -15063,7 +15063,7 @@ PRAGMA_GCC_DIAG_POP return ret; #endif } -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(NO_TLS) if (verify != NO_VERIFY && TLSX_CSR2_IsMulti(ssl->extensions)) { extraSigners = TLSX_CSR2_GetPendingSigners(ssl->extensions); } @@ -15840,6 +15840,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* If we are processing OCSP staples then always * initialize the corresponding request. */ int ocspRet = 0; + #ifndef NO_TLS #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 addToPendingCAs = 0; if (ssl->options.side == WOLFSSL_CLIENT_END && @@ -15864,6 +15865,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else #endif + #endif /* NO_TLS */ if (ret == 0 && SSL_CM(ssl)->ocspEnabled && SSL_CM(ssl)->ocspCheckAll) { WOLFSSL_MSG("Doing Non Leaf OCSP check"); @@ -16365,6 +16367,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_MSG("Checking if ocsp needed"); if (ssl->options.side == WOLFSSL_CLIENT_END) { + #ifndef NO_TLS #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->status_request) { args->fatal = (TLSX_CSR_InitRequest_ex( @@ -16397,6 +16400,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_MSG("\tHave status request v2"); } #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ + #endif /* !NO_TLS */ } #ifdef HAVE_OCSP @@ -17217,8 +17221,8 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, return BUFFER_ERROR; switch (status_type) { - - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + #ifndef NO_TLS + #if (defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_TLS)) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) /* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */ @@ -17332,6 +17336,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, break; #endif + #endif /* !NO_TLS */ default: ret = BUFFER_ERROR; 
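Review bot: `!defined(NO_TLS)` is now repeated beside the certificate-status macros at every call site in this file (the `TLSX_CSR2_IsMulti` check in this first hunk, two places in ProcessPeerCerts, and DoCertificateStatus) and again in CheckOcspResponse in src/ocsp.c, so each future `TLSX_CSR*` call has to remember the same guard. If the intent is that status request cannot exist without TLS, normalising once in the settings header would be less error-prone: under `#ifdef NO_TLS`, `#undef HAVE_CERTIFICATE_STATUS_REQUEST` and `#undef HAVE_CERTIFICATE_STATUS_REQUEST_V2`. That assumes nothing else in a NO_TLS build relies on those macros, which cannot be confirmed from these hunks. The functions touched start and end outside the hunks shown.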
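Review bot: In the DoCertificateStatus hunk the new outer `#ifndef NO_TLS` already encloses the whole case block, so the `&& !defined(NO_TLS)` added to the inner condition can never be false there and only makes the expression asymmetric, with `HAVE_CERTIFICATE_STATUS_REQUEST` qualified and `HAVE_CERTIFICATE_STATUS_REQUEST_V2` not. I would keep the inner line as it was, `#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \`, and rely on the outer guard. The closing comments are also inconsistent: `#endif /* NO_TLS */` in the first ProcessPeerCerts hunk against `#endif /* !NO_TLS */` in the other two. With NO_TLS defined the switch is left with only `default:`, so every status message returns `BUFFER_ERROR`; a short comment stating that this is intended would help. The switch body continues outside the hunk.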
diff --git a/src/ocsp.c b/src/ocsp.c index 77cce2b1a..40c255f37 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -373,7 +373,7 @@ int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz, #endif InitOcspResponse(ocspResponse, newSingle, newStatus, response, (word32)responseSz, ocsp->cm->heap); -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(NO_TLS) if (ocspRequest != NULL && ocspRequest->ssl != NULL && TLSX_CSR2_IsMulti(((WOLFSSL*)ocspRequest->ssl)->extensions)) { ocspResponse->pendingCAs = TLSX_CSR2_GetPendingSigners(((WOLFSSL*)ocspRequest->ssl)->extensions); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 00fd901e8..7f84428ab 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3198,8 +3198,9 @@ WOLFSSL_LOCAL int TLSX_Append(TLSX** list, TLSX_Type type, || defined(HAVE_SECURE_RENEGOTIATION) \ || defined(HAVE_SERVER_RENEGOTIATION_INFO) +#ifndef NO_TLS #error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined. - +#endif #endif /* HAVE_TLS_EXTENSIONS */ /** Server Name Indication - RFC 6066 (session 3) */
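Review bot: In the wolfssl/internal.h hunk the added `#endif` closing `#ifndef NO_TLS` sits directly above `#endif /* HAVE_TLS_EXTENSIONS */` with no label, and the blank line that used to separate the `#error` from it is removed, so the two closers are easy to misread; `#endif /* !NO_TLS */` would match the comments used in src/internal.c. This guard also differs from the others in the commit in that it suppresses a configuration diagnostic rather than code: a NO_TLS build that defines extension macros without `HAVE_TLS_EXTENSIONS` now compiles silently. A one-line comment above `#ifndef NO_TLS` saying that this is deliberate for wolfCrypt-only builds would document the intent. The enclosing conditional starts outside the hunk.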