diff --git a/IDE/ARDUINO/README.md b/IDE/ARDUINO/README.md index f7d9788b6f..4c4e10da42 100644 --- a/IDE/ARDUINO/README.md +++ b/IDE/ARDUINO/README.md @@ -2,10 +2,11 @@ ##### Reformatting wolfSSL as a compatible Arduino Library This is a shell script that will re-organize the wolfSSL library to be -compatible with Arduino projects. The Arduino IDE requires a library's source -files to be in the library's root directory with a header file in the name of -the library. This script moves all src/ files to the `IDE/ARDUINO/wolfSSL` -directory and creates a stub header file called `wolfssl.h`. +compatible with Arduino projects that use Arduino IDE 1.5.0 or newer. +The Arduino IDE requires a library's source files to be in the library's root +directory with a header file in the name of the library. This script moves all +src/ files to the `IDE/ARDUINO/wolfSSL/src` directory and creates a stub header +file called `wolfssl.h` inside that directory. Step 1: To configure wolfSSL with Arduino, enter the following from within the wolfssl/IDE/ARDUINO directory: @@ -15,7 +16,7 @@ wolfssl/IDE/ARDUINO directory: Step 2: Copy the directory wolfSSL that was just created to: `~/Documents/Arduino/libraries/` directory so the Arduino IDE can find it. -Step 3: Edit `/wolfSSL/user_settings.h` +Step 3: Edit `/wolfSSL/src/user_settings.h` If building for Intel Galileo platform add: `#define INTEL_GALILEO`. Add any other custom settings, for a good start see the examples in wolfssl root "/examples/configs/user_settings_*.h" diff --git a/IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino b/IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino index b50e9f126e..61362ae98c 100644 --- a/IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino +++ b/IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino @@ -19,10 +19,18 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +/* + This was original tested with Intel Galileo acting as the Client, with a +laptop acting as a server using the server example provided in examples/server. +Legacy Ardunio v1.86 was used to compile and program the Galileo +*/ +#define USE_CERT_BUFFERS_2048 #include #include #include +#include + const char host[] = "192.168.1.148"; /* server to connect to */ const int port = 11111; /* port on server to connect to */ @@ -37,123 +45,132 @@ WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; void setup() { - WOLFSSL_METHOD* method; - - Serial.begin(9600); - - method = wolfTLSv1_2_client_method(); - if (method == NULL) { - Serial.println("unable to get method"); + WOLFSSL_METHOD* method; + /* Initialize Return Code */ + int rc; + Serial.begin(9600); + /* Delay need to ensure connection to server */ + delay(4000); + + method = wolfTLSv1_2_client_method(); + if (method == NULL) { + Serial.println("unable to get method"); return; - } - ctx = wolfSSL_CTX_new(method); - if (ctx == NULL) { - Serial.println("unable to get ctx"); + } + ctx = wolfSSL_CTX_new(method); + if (ctx == NULL) { + Serial.println("unable to get ctx"); + return; + } + /* initialize wolfSSL using callback functions */ + wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); + rc = wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_der_2048,\ + sizeof_ca_cert_der_2048,\ + WOLFSSL_FILETYPE_ASN1); + Serial.print("\n\n Return code of load_verify is:"); + Serial.println(rc); + Serial.println(""); + rc = wolfSSL_CTX_use_certificate_buffer(ctx, client_cert_der_2048,\ + sizeof_client_cert_der_2048,\ + WOLFSSL_FILETYPE_ASN1); + Serial.print("\n\n Return code of use_certificate_buffer is:"); + Serial.println(rc); + Serial.println(""); + rc = wolfSSL_CTX_use_PrivateKey_buffer(ctx, client_key_der_2048,\ + sizeof_client_key_der_2048,\ + WOLFSSL_FILETYPE_ASN1); + Serial.print("\n\n Return code of use_PrivateKey_buffer is:"); + Serial.println(rc); + Serial.println(""); + wolfSSL_SetIOSend(ctx, EthernetSend); + wolfSSL_SetIORecv(ctx, EthernetReceive); return; - } - /* initialize wolfSSL using callback functions */ - wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); - wolfSSL_SetIOSend(ctx, EthernetSend); - wolfSSL_SetIORecv(ctx, EthernetReceive); - - return; } int EthernetSend(WOLFSSL* ssl, char* msg, int sz, void* ctx) { - int sent = 0; - - sent = client.write((byte*)msg, sz); - - return sent; + int sent = 0; + sent = client.write((byte*)msg, sz); + return sent; } int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx) { - int ret = 0; - - while (client.available() > 0 && ret < sz) { - reply[ret++] = client.read(); - } - - return ret; + int ret = 0; + while (client.available() > 0 && ret < sz) { + reply[ret++] = client.read(); + } + return ret; } void loop() { - int err = 0; - int input = 0; - int total_input = 0; - char msg[32] = "hello wolfssl!"; - int msgSz = (int)strlen(msg); - char errBuf[80]; - char reply[80]; - const char* cipherName; - - if (reconnect) { - reconnect--; - - if (client.connect(host, port)) { - - Serial.print("Connected to "); - Serial.println(host); - - ssl = wolfSSL_new(ctx); - if (ssl == NULL) { - Serial.println("Unable to allocate SSL object"); - return; - } - - err = wolfSSL_connect(ssl); - if (err != WOLFSSL_SUCCESS) { - err = wolfSSL_get_error(ssl, 0); - wolfSSL_ERR_error_string(err, errBuf); - Serial.print("TLS Connect Error: "); - Serial.println(errBuf); - } - - Serial.print("SSL version is "); - Serial.println(wolfSSL_get_version(ssl)); - - cipherName = wolfSSL_get_cipher(ssl); - Serial.print("SSL cipher suite is "); - Serial.println(cipherName); - - if ((wolfSSL_write(ssl, msg, msgSz)) == msgSz) { - - Serial.print("Server response: "); - /* wait for data */ - while (!client.available()) {} - /* read data */ - while (wolfSSL_pending(ssl)) { - input = wolfSSL_read(ssl, reply, sizeof(reply) - 1); - total_input += input; - if (input < 0) { - err = wolfSSL_get_error(ssl, 0); - wolfSSL_ERR_error_string(err, errBuf); - Serial.print("TLS Read Error: "); - Serial.println(errBuf); - break; - } else if (input > 0) { - reply[input] = '\0'; - Serial.print(reply); - } else { - Serial.println(); - } - } - } else { - err = wolfSSL_get_error(ssl, 0); - wolfSSL_ERR_error_string(err, errBuf); - Serial.print("TLS Write Error: "); - Serial.println(errBuf); - } - - wolfSSL_shutdown(ssl); - wolfSSL_free(ssl); - - client.stop(); - Serial.println("Connection complete."); - reconnect = 0; - } else { - Serial.println("Trying to reconnect..."); + int err = 0; + int input = 0; + int total_input = 0; + char msg[32] = "hello wolfssl!"; + int msgSz = (int)strlen(msg); + char errBuf[80]; + char reply[80]; + const char* cipherName; + if (reconnect) { + reconnect--; + if (client.connect(host, port)) { + Serial.print("Connected to "); + Serial.println(host); + ssl = wolfSSL_new(ctx); + if (ssl == NULL) { + Serial.println("Unable to allocate SSL object"); + return; + } + err = wolfSSL_connect(ssl); + if (err != WOLFSSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + wolfSSL_ERR_error_string(err, errBuf); + Serial.print("TLS Connect Error: "); + Serial.println(errBuf); + } + Serial.print("SSL version is "); + Serial.println(wolfSSL_get_version(ssl)); + cipherName = wolfSSL_get_cipher(ssl); + Serial.print("SSL cipher suite is "); + Serial.println(cipherName); + if ((wolfSSL_write(ssl, msg, msgSz)) == msgSz) { + Serial.print("Server response: "); + /* wait for data */ + while (!client.available()) {} + /* read data */ + while (wolfSSL_pending(ssl)) { + input = wolfSSL_read(ssl, reply, sizeof(reply) - 1); + total_input += input; + if (input < 0) { + err = wolfSSL_get_error(ssl, 0); + wolfSSL_ERR_error_string(err, errBuf); + Serial.print("TLS Read Error: "); + Serial.println(errBuf); + break; + } + else if (input > 0) { + reply[input] = '\0'; + Serial.print(reply); + } + else { + Serial.println(); + } + } + } + else { + err = wolfSSL_get_error(ssl, 0); + wolfSSL_ERR_error_string(err, errBuf); + Serial.print("TLS Write Error: "); + Serial.println(errBuf); + } + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); + client.stop(); + Serial.println("Connection complete."); + reconnect = 0; + } + else { + Serial.println("Trying to reconnect..."); + } } - } - delay(1000); + delay(1000); } diff --git a/IDE/ARDUINO/wolfssl-arduino.sh b/IDE/ARDUINO/wolfssl-arduino.sh index e1267a8625..107f99b1c8 100755 --- a/IDE/ARDUINO/wolfssl-arduino.sh +++ b/IDE/ARDUINO/wolfssl-arduino.sh @@ -4,86 +4,141 @@ # an Arduino project # run as bash ./wolfssl-arduino.sh -DIR=${PWD##*/} +ROOT_DIR="/wolfSSL" +ROOT_SRC_DIR="${ROOT_DIR}/src" +WOLFSSL_SRC="${ROOT_SRC_DIR}/src" +WOLFSSL_HEADERS="${ROOT_SRC_DIR}/wolfssl" +WOLFCRYPT_ROOT="${ROOT_SRC_DIR}/wolfcrypt" +WOLFCRYPT_SRC="${WOLFCRYPT_ROOT}/src" +WOLFCRYPT_HEADERS="${WOLFSSL_HEADERS}/wolfcrypt" +OPENSSL_DIR="${WOLFSSL_HEADERS}/openssl" +WOLFSSL_VERSION="5.6.4" -space(){ - echo "" >> "$1" -} +# TOP indicates the file directory comes from the top level of the wolfssl repo +TOP_DIR="../.." +WOLFSSL_SRC_TOP="${TOP_DIR}/src" +WOLFSSL_HEADERS_TOP="${TOP_DIR}/wolfssl" +WOLFCRYPT_ROOT_TOP="${TOP_DIR}/wolfcrypt" +WOLFCRYPT_SRC_TOP="${WOLFCRYPT_ROOT_TOP}/src" +WOLFCRYPT_HEADERS_TOP="${WOLFSSL_HEADERS_TOP}/wolfcrypt" +OPENSSL_DIR_TOP="${WOLFSSL_HEADERS_TOP}/openssl" -if [ "$DIR" = "ARDUINO" ]; then - if [ ! -d "wolfSSL" ]; then - mkdir wolfSSL - fi - cp ../../src/*.c ./wolfSSL - cp ../../wolfcrypt/src/*.c ./wolfSSL +# TODO: Parse version number +WOLFSSL_VERSION=$(grep -i "LIBWOLFSSL_VERSION_STRING" ${TOP_DIR}/wolfssl/version.h | cut -d '"' -f 2) + - if [ ! -d "wolfSSL/wolfssl" ]; then - mkdir wolfSSL/wolfssl +DIR=${PWD##*/} + +if [ "$DIR" = "ARDUINO" ]; then + if [ ! -d ".${ROOT_DIR}" ]; then + mkdir .${ROOT_DIR} fi - cp ../../wolfssl/*.h ./wolfSSL/wolfssl - if [ ! -d "wolfSSL/wolfssl/wolfcrypt" ]; then - mkdir wolfSSL/wolfssl/wolfcrypt + if [ ! -d ".${ROOT_SRC_DIR}" ]; then + mkdir .${ROOT_SRC_DIR} fi - cp ../../wolfssl/wolfcrypt/*.h ./wolfSSL/wolfssl/wolfcrypt - # support misc.c as include in wolfcrypt/src - if [ ! -d "./wolfSSL/wolfcrypt" ]; then - mkdir ./wolfSSL/wolfcrypt + if [ ! -d ".${WOLFSSL_HEADERS}" ]; then + mkdir .${WOLFSSL_HEADERS} fi - if [ ! -d "./wolfSSL/wolfcrypt/src" ]; then - mkdir ./wolfSSL/wolfcrypt/src + + cp ${WOLFSSL_HEADERS_TOP}/*.h .${WOLFSSL_HEADERS} + if [ ! -d ".${WOLFCRYPT_HEADERS}" ]; then + mkdir .${WOLFCRYPT_HEADERS} fi - cp ../../wolfcrypt/src/misc.c ./wolfSSL/wolfcrypt/src - cp ../../wolfcrypt/src/asm.c ./wolfSSL/wolfcrypt/src + cp ${WOLFCRYPT_HEADERS_TOP}/*.h .${WOLFCRYPT_HEADERS} + # Add in source files to wolfcrypt/src + if [ ! -d ".${WOLFCRYPT_ROOT}" ]; then + mkdir .${WOLFCRYPT_ROOT} + fi + if [ ! -d ".${WOLFCRYPT_SRC}" ]; then + mkdir .${WOLFCRYPT_SRC} + fi + cp ${WOLFCRYPT_SRC_TOP}/*.c .${WOLFCRYPT_SRC} + + # Add in source files to top level src folders + if [ ! -d ".${WOLFSSL_SRC}" ]; then + mkdir .${WOLFSSL_SRC} + fi + cp ${WOLFSSL_SRC_TOP}/*.c .${WOLFSSL_SRC} # put bio and evp as includes - mv ./wolfSSL/bio.c ./wolfSSL/wolfssl - mv ./wolfSSL/evp.c ./wolfSSL/wolfssl + cp .${WOLFSSL_SRC}/bio.c .${WOLFSSL_HEADERS} + cp .${WOLFCRYPT_SRC}/evp.c .${WOLFSSL_HEADERS} # make a copy of evp.c and bio.c for ssl.c to include inline - cp ./wolfSSL/wolfssl/evp.c ./wolfSSL/wolfcrypt/src/evp.c - cp ./wolfSSL/wolfssl/bio.c ./wolfSSL/wolfcrypt/src/bio.c + cp .${WOLFSSL_HEADERS}/evp.c .${WOLFCRYPT_SRC}/evp.c + cp .${WOLFSSL_HEADERS}/bio.c .${WOLFCRYPT_SRC}/bio.c # copy openssl compatibility headers to their appropriate location - if [ ! -d "./wolfSSL/wolfssl/openssl" ]; then - mkdir ./wolfSSL/wolfssl/openssl + if [ ! -d ".${OPENSSL_DIR}" ]; then + mkdir .${OPENSSL_DIR} fi - cp ../../wolfssl/openssl/* ./wolfSSL/wolfssl/openssl - - echo "/* Generated wolfSSL header file for Arduino */" > ./wolfSSL/wolfssl.h - echo "#include " >> ./wolfSSL/wolfssl.h - echo "#include " >> ./wolfSSL/wolfssl.h - echo "#include " >> ./wolfSSL/wolfssl.h - - if [ ! -f "./wolfSSL/user_settings.h" ]; then - echo "/* Generated wolfSSL user_settings.h file for Arduino */" > ./wolfSSL/user_settings.h - echo "#ifndef ARDUINO_USER_SETTINGS_H" >> ./wolfSSL/user_settings.h - echo "#define ARDUINO_USER_SETTINGS_H" >> ./wolfSSL/user_settings.h - space ./wolfSSL/user_settings.h - echo "/* Platform */" >> ./wolfSSL/user_settings.h - echo "#define WOLFSSL_ARDUINO" >> ./wolfSSL/user_settings.h - space ./wolfSSL/user_settings.h - echo "/* Math library (remove this to use normal math)*/" >> ./wolfSSL/user_settings.h - echo "#define USE_FAST_MATH" >> ./wolfSSL/user_settings.h - echo "#define TFM_NO_ASM" >> ./wolfSSL/user_settings.h - space ./wolfSSL/user_settings.h - echo "/* RNG DEFAULT !!FOR TESTING ONLY!! */" >> ./wolfSSL/user_settings.h - echo "/* comment out the error below to get started w/ bad entropy source" >> ./wolfSSL/user_settings.h - echo " * This will need fixed before distribution but is OK to test with */" >> ./wolfSSL/user_settings.h - echo "#error \"needs solved, see: https://www.wolfssl.com/docs/porting-guide/\"" >> ./wolfSSL/user_settings.h - echo "#define WOLFSSL_GENSEED_FORTEST" >> ./wolfSSL/user_settings.h - space ./wolfSSL/user_settings.h - echo "#endif /* ARDUINO_USER_SETTINGS_H */" >> ./wolfSSL/user_settings.h + cp ${OPENSSL_DIR_TOP}/* .${OPENSSL_DIR} + + + cat > .${ROOT_SRC_DIR}/wolfssl.h < +#include +#include +EOF + + +# Creates user_settings file if one does not exist + if [ ! -f ".${ROOT_SRC_DIR}/user_settings.h" ]; then + cat > .${ROOT_SRC_DIR}/user_settings.h < ./wolfSSL/wolfssl/wolfcrypt/settings.h - echo "#ifndef WOLFSSL_USER_SETTINGS" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h - echo " #define WOLFSSL_USER_SETTINGS" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h - echo "#endif /* WOLFSSL_USER_SETTINGS */" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h - echo " /* wolfSSL Generated ARDUINO settings: END */" >> ./wolfSSL/wolfssl/wolfcrypt/settings.h - cat ./wolfSSL/wolfssl/wolfcrypt/settings.h.bak >> ./wolfSSL/wolfssl/wolfcrypt/settings.h + cp .${WOLFCRYPT_HEADERS}/settings.h .${WOLFCRYPT_HEADERS}/settings.h.bak + cat > .${WOLFCRYPT_HEADERS}/settings.h <> .${WOLFCRYPT_HEADERS}/settings.h + + #Creating library.properties file based off of: + #https://arduino.github.io/arduino-cli/0.35/library-specification/#libraryproperties-file-format + + cat > .${ROOT_DIR}/library.properties < +sentence=A lightweight SSL/TLS library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments. +paragraph=Manual: https://www.wolfssl.com/documentation/manuals/wolfssl/index.html. +category=Communication +url=https://www.wolfssl.com/ +architectures=* + +EOF else echo "ERROR: You must be in the IDE/ARDUINO directory to run this script" diff --git a/IDE/apple-universal/build-wolfssl-framework.sh b/IDE/apple-universal/build-wolfssl-framework.sh index 14b3db3286..a3ff12a6cc 100755 --- a/IDE/apple-universal/build-wolfssl-framework.sh +++ b/IDE/apple-universal/build-wolfssl-framework.sh @@ -20,7 +20,6 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - set -euo pipefail WOLFSSL_DIR=$(pwd)/../../ @@ -28,12 +27,9 @@ OUTDIR=$(pwd)/artifacts LIPODIR=${OUTDIR}/lib SDK_OUTPUT_DIR=${OUTDIR}/xcframework - CFLAGS_COMMON="" -# Optional configure flags passed in by user through -c argument -CONF_OPTS_EXTRA="" # Base configure flags -CONF_OPTS_COMMON="--disable-shared --enable-static" +CONF_OPTS="--disable-shared --enable-static" helpFunction() { @@ -47,7 +43,7 @@ helpFunction() while getopts ":c:" opt; do case $opt in c) - CONF_OPTS_EXTRA="$OPTARG" + CONF_OPTS+=" $OPTARG" ;; \?) echo "Invalid option: -$OPTARG" >&2; helpFunction @@ -55,279 +51,60 @@ while getopts ":c:" opt; do esac done -# Amalgamate extra CLI options with base options -CONF_OPTS="${CONF_OPTS_COMMON} ${CONF_OPTS_EXTRA}" - rm -rf $OUTDIR mkdir -p $LIPODIR mkdir -p $SDK_OUTPUT_DIR - -buildIOSSim() -{ - set -x - pushd . - cd $WOLFSSL_DIR - - ARCH=$1 - HOST="${ARCH}-apple-darwin" - SDK_ROOT=$(xcrun --sdk iphonesimulator --show-sdk-path) - - ./configure -prefix=${OUTDIR}/wolfssl-ios-simulator-${ARCH} ${CONF_OPTS} --host=${HOST} \ - CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}" - make -j - make install - - popd - set +x -} - -buildIOS() -{ +build() { # set -x pushd . cd $WOLFSSL_DIR - ARCH=$1 + ARCH=$1 HOST="${ARCH}-apple-darwin" - SDK_ROOT=$(xcrun --sdk iphoneos --show-sdk-path) + TYPE=$2 + SDK_ROOT=$(xcrun --sdk ${TYPE} --show-sdk-path) - ./configure -prefix=${OUTDIR}/wolfssl-ios-${ARCH} ${CONF_OPTS} --host=${HOST} \ + ./configure -prefix=${OUTDIR}/wolfssl-${TYPE}-${ARCH} ${CONF_OPTS} --host=${HOST} \ CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}" - make -j + make -j src/libwolfssl.la make install popd set +x } -buildMacOS() -{ - set -x - pushd . - cd $WOLFSSL_DIR +XCFRAMEWORKS= +for type in iphonesimulator macosx appletvsimulator watchsimulator ; do + build arm64 ${type} + build x86_64 ${type} - ARCH=$1 - HOST="${ARCH}-apple-darwin" - SDK_ROOT=$(xcrun --sdk macosx --show-sdk-path) + # Create universal binaries from architecture-specific static libraries + lipo \ + "$OUTDIR/wolfssl-${type}-x86_64/lib/libwolfssl.a" \ + "$OUTDIR/wolfssl-${type}-arm64/lib/libwolfssl.a" \ + -create -output $LIPODIR/libwolfssl-${type}.a - ./configure -prefix=${OUTDIR}/wolfssl-macos-${ARCH} ${CONF_OPTS} --host=${HOST} \ - CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}" - make -j - make install - - popd - set +x -} - -buildWatchOS() -{ - set -x - pushd . - cd $WOLFSSL_DIR - - ARCH=$1 - HOST="${ARCH}-apple-darwin" - SDK_ROOT=$(xcrun --sdk watchos --show-sdk-path) - - ./configure -prefix=${OUTDIR}/wolfssl-watchos-${ARCH} ${CONF_OPTS} --host=${HOST} \ - CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}" - make -j - make install - - popd - set +x -} - -buildWatchOSSim() -{ - set -x - pushd . - cd $WOLFSSL_DIR - - ARCH=$1 - HOST="${ARCH}-apple-darwin" - SDK_ROOT=$(xcrun --sdk watchsimulator --show-sdk-path) - - ./configure -prefix=${OUTDIR}/wolfssl-watchos-simulator-${ARCH} ${CONF_OPTS} --host=${HOST} \ - CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}" - make -j - make install - - popd - set +x -} - -buildTVOS() -{ - set -x - pushd . - cd $WOLFSSL_DIR - - ARCH=arm64 - HOST="${ARCH}-apple-darwin" - SDK_ROOT=$(xcrun --sdk appletvos --show-sdk-path) - - ./configure -prefix=${OUTDIR}/wolfssl-tvos-${ARCH} ${CONF_OPTS} --host=${HOST} \ - CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}" - make -j - make install - - popd - set +x -} - -buildTVOSSim() -{ - set -x - pushd . - cd $WOLFSSL_DIR - - ARCH=$1 - HOST="${ARCH}-apple-darwin" - SDK_ROOT=$(xcrun --sdk appletvsimulator --show-sdk-path) - - ./configure -prefix=${OUTDIR}/wolfssl-tvos-simulator-${ARCH} ${CONF_OPTS} --host=${HOST} \ - CFLAGS="${CFLAGS_COMMON} -arch ${ARCH} -isysroot ${SDK_ROOT}" - make -j - make install - - popd - set +x -} - -buildCatalyst() -{ - echo "TBD" -} - -############################################################################################################################################ -# IOS Simulator ############################################################################################################################ -############################################################################################################################################ -buildIOSSim arm64 -buildIOSSim x86_64 - -# Create universal binaries from architecture-specific static libraries -lipo \ - "$OUTDIR/wolfssl-ios-simulator-x86_64/lib/libwolfssl.a" \ - "$OUTDIR/wolfssl-ios-simulator-arm64/lib/libwolfssl.a" \ - -create -output $LIPODIR/libwolfssl-ios-simulator.a - -echo "Checking libraries" -xcrun -sdk iphonesimulator lipo -info $LIPODIR/libwolfssl-ios-simulator.a - -############################################################################################################################################ -# IOS ###################################################################################################################################### -############################################################################################################################################ -buildIOS arm64 - -# Create universal binaries from architecture-specific static libraries -lipo \ - "$OUTDIR/wolfssl-ios-arm64/lib/libwolfssl.a" \ - -create -output $LIPODIR/libwolfssl-ios.a - -echo "Checking libraries" -xcrun -sdk iphoneos lipo -info $LIPODIR/libwolfssl-ios.a - - -############################################################################################################################################ -# MacOS #################################################################################################################################### -############################################################################################################################################ -buildMacOS arm64 -buildMacOS x86_64 - -# Create universal binaries from architecture-specific static libraries -lipo \ - "$OUTDIR/wolfssl-macos-x86_64/lib/libwolfssl.a" \ - "$OUTDIR/wolfssl-macos-arm64/lib/libwolfssl.a" \ - -create -output $LIPODIR/libwolfssl-macos.a - -echo "Checking libraries" -xcrun -sdk macosx lipo -info $LIPODIR/libwolfssl-macos.a - - -############################################################################################################################################ -# tvOS Simulator ########################################################################################################################### -############################################################################################################################################ -buildTVOSSim arm64 -buildTVOSSim x86_64 - -# Create universal binaries from architecture-specific static libraries -lipo \ - "$OUTDIR/wolfssl-tvos-simulator-x86_64/lib/libwolfssl.a" \ - "$OUTDIR/wolfssl-tvos-simulator-arm64/lib/libwolfssl.a" \ - -create -output $LIPODIR/libwolfssl-tvos-simulator.a - -echo "Checking libraries" -xcrun -sdk appletvsimulator lipo -info $LIPODIR/libwolfssl-tvos-simulator.a - - -############################################################################################################################################ -# tvOS ##################################################################################################################################### -############################################################################################################################################ -buildTVOS arm64 - -# Create universal binaries from architecture-specific static libraries -lipo \ - "$OUTDIR/wolfssl-tvos-arm64/lib/libwolfssl.a" \ - -create -output $LIPODIR/libwolfssl-tvos.a - -echo "Checking libraries" -xcrun -sdk appletvos lipo -info $LIPODIR/libwolfssl-tvos.a - - -############################################################################################################################################ -# watchOS Simulator ######################################################################################################################## -############################################################################################################################################ -buildWatchOSSim arm64 -buildWatchOSSim x86_64 - -# Create universal binaries from architecture-specific static libraries -lipo \ - "$OUTDIR/wolfssl-watchos-simulator-arm64/lib/libwolfssl.a" \ - "$OUTDIR/wolfssl-watchos-simulator-x86_64/lib/libwolfssl.a" \ - -create -output $LIPODIR/libwolfssl-watchos-simulator.a - -echo "Checking libraries" -xcrun -sdk watchsimulator lipo -info $LIPODIR/libwolfssl-watchos-simulator.a - - -############################################################################################################################################ -# watchOS ################################################################################################################################## -############################################################################################################################################ -buildWatchOS arm64 - -# Create universal binaries from architecture-specific static libraries -lipo \ - "$OUTDIR/wolfssl-watchos-arm64/lib/libwolfssl.a" \ - -create -output $LIPODIR/libwolfssl-watchos.a - -echo "Checking libraries" -xcrun -sdk watchos lipo -info $LIPODIR/libwolfssl-watchos.a + echo "Checking libraries" + xcrun -sdk ${type} lipo -info $LIPODIR/libwolfssl-${type}.a + XCFRAMEWORKS+=" -library ${LIPODIR}/libwolfssl-${type}.a -headers ${OUTDIR}/wolfssl-${type}-arm64/include" +done +for type in iphoneos appletvos ; do + build arm64 ${type} -############################################################################################################################################ -# Catalyst ################################################################################################################################# -############################################################################################################################################ + # Create universal binaries from architecture-specific static libraries + lipo \ + "$OUTDIR/wolfssl-${type}-arm64/lib/libwolfssl.a" \ + -create -output $LIPODIR/libwolfssl-${type}.a + echo "Checking libraries" + xcrun -sdk ${type} lipo -info $LIPODIR/libwolfssl-${type}.a + XCFRAMEWORKS+=" -library ${LIPODIR}/libwolfssl-${type}.a -headers ${OUTDIR}/wolfssl-${type}-arm64/include" +done ############################################################################################################################################ # ********** BUILD FRAMEWORK ############################################################################################################################################ -xcodebuild -create-xcframework \ - -library ${LIPODIR}/libwolfssl-ios-simulator.a \ - -headers ${OUTDIR}/wolfssl-ios-simulator-arm64/include \ - -library ${LIPODIR}/libwolfssl-ios.a \ - -headers ${OUTDIR}/wolfssl-ios-arm64/include \ - -library ${LIPODIR}/libwolfssl-macos.a \ - -headers ${OUTDIR}/wolfssl-macos-arm64/include \ - -library ${LIPODIR}/libwolfssl-tvos.a \ - -headers ${OUTDIR}/wolfssl-tvos-arm64/include \ - -library ${LIPODIR}/libwolfssl-tvos-simulator.a \ - -headers ${OUTDIR}/wolfssl-tvos-simulator-arm64/include \ - -library ${LIPODIR}/libwolfssl-watchos.a \ - -headers ${OUTDIR}/wolfssl-watchos-arm64/include \ - -library ${LIPODIR}/libwolfssl-watchos-simulator.a \ - -headers ${OUTDIR}/wolfssl-watchos-simulator-arm64/include \ - -output ${SDK_OUTPUT_DIR}/libwolfssl.xcframework +xcodebuild -create-xcframework ${XCFRAMEWORKS} -output ${SDK_OUTPUT_DIR}/libwolfssl.xcframework diff --git a/doc/dox_comments/header_files/ssl.h b/doc/dox_comments/header_files/ssl.h index 6fe45a084c..5965f11d3a 100644 --- a/doc/dox_comments/header_files/ssl.h +++ b/doc/dox_comments/header_files/ssl.h @@ -14854,3 +14854,111 @@ available size need to be provided in bufferSz. */ int wolfSSL_dtls_cid_get_tx(WOLFSSL* ssl, unsigned char* buffer, unsigned int bufferSz); + +/*! + \ingroup TLS + + \brief This function returns the raw list of ciphersuites and signature + algorithms offered by the client. The lists are only stored and returned + inside a callback setup with wolfSSL_CTX_set_cert_cb(). This is useful to + be able to dynamically load certificates and keys based on the available + ciphersuites and signature algorithms. + + \param [in] ssl The WOLFSSL object to extract the lists from. + \param [out] optional suites Raw and unfiltered list of client ciphersuites + \param [out] optional suiteSz Size of suites in bytes + \param [out] optional hashSigAlgo Raw and unfiltered list of client + signature algorithms + \param [out] optional hashSigAlgoSz Size of hashSigAlgo in bytes + \return WOLFSSL_SUCCESS when suites available + \return WOLFSSL_FAILURE when suites not available + + _Example_ + \code + int certCB(WOLFSSL* ssl, void* arg) + { + const byte* suites = NULL; + word16 suiteSz = 0; + const byte* hashSigAlgo = NULL; + word16 hashSigAlgoSz = 0; + + wolfSSL_get_client_suites_sigalgs(ssl, &suites, &suiteSz, &hashSigAlgo, + &hashSigAlgoSz); + + // Choose certificate to load based on ciphersuites and sigalgs + } + + WOLFSSL* ctx; + ctx = wolfSSL_CTX_new(wolfTLSv1_3_method_ex(NULL)); + wolfSSL_CTX_set_cert_cb(ctx, certCB, NULL); + \endcode + + \sa wolfSSL_get_ciphersuite_info + \sa wolfSSL_get_sigalg_info +*/ +int wolfSSL_get_client_suites_sigalgs(const WOLFSSL* ssl, + const byte** suites, word16* suiteSz, + const byte** hashSigAlgo, word16* hashSigAlgoSz); + +/*! + \ingroup TLS + + \brief This returns information about the ciphersuite directly from the + raw ciphersuite bytes. + + \param [in] first First byte of the ciphersuite + \param [in] second Second byte of the ciphersuite + + \return WOLFSSL_CIPHERSUITE_INFO A struct containing information about the + type of authentication used in the ciphersuite. + + _Example_ + \code + WOLFSSL_CIPHERSUITE_INFO info = + wolfSSL_get_ciphersuite_info(suites[0], suites[1]); + if (info.rsaAuth) + haveRSA = 1; + else if (info.eccAuth) + haveECC = 1; + \endcode + + \sa wolfSSL_get_client_suites_sigalgs + \sa wolfSSL_get_sigalg_info +*/ +WOLFSSL_CIPHERSUITE_INFO wolfSSL_get_ciphersuite_info(byte first, + byte second); + +/*! + \ingroup TLS + + \brief This returns information about the hash and signature algorithm + directly from the raw ciphersuite bytes. + + \param [in] first First byte of the hash and signature algorithm + \param [in] second Second byte of the hash and signature algorithm + \param [out] hashAlgo The enum wc_HashType of the MAC algorithm + \param [out] sigAlgo The enum Key_Sum of the authentication algorithm + + \return 0 when info was correctly set + \return BAD_FUNC_ARG when either input paramters are NULL or the bytes + are not a recognized sigalg suite + + _Example_ + \code + enum wc_HashType hashAlgo; + enum Key_Sum sigAlgo; + + wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1], + &hashAlgo, &sigAlgo); + + if (sigAlgo == RSAk || sigAlgo == RSAPSSk) + haveRSA = 1; + else if (sigAlgo == ECDSAk) + haveECC = 1; + \endcode + + \sa wolfSSL_get_client_suites_sigalgs + \sa wolfSSL_get_ciphersuite_info +*/ +int wolfSSL_get_sigalg_info(byte first, byte second, + int* hashAlgo, int* sigAlgo); diff --git a/src/internal.c b/src/internal.c index 89761cc87e..dfd04595dc 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4236,7 +4236,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, * hashalgo The hash algorithm. * hsType The signature type. */ -static WC_INLINE void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType) +void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType) { *hsType = invalid_sa_algo; switch (input[0]) { @@ -4324,7 +4324,7 @@ static WC_INLINE void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsTy #if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ defined(HAVE_CURVE448) || (!defined(NO_RSA) && defined(WC_RSA_PSS)) -static enum wc_HashType HashAlgoToType(int hashAlgo) +enum wc_HashType HashAlgoToType(int hashAlgo) { switch (hashAlgo) { #ifdef WOLFSSL_SHA512 @@ -11224,23 +11224,11 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) #endif /* WOLFSSL_NO_TLS12 */ #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT) -/* cipher requirements */ -enum { - REQUIRES_RSA, - REQUIRES_DHE, - REQUIRES_ECC, - REQUIRES_ECC_STATIC, - REQUIRES_PSK, - REQUIRES_RSA_SIG, - REQUIRES_AEAD -}; - - /* Does this cipher suite (first, second) have the requirement an ephemeral key exchange will still require the key for signing the key exchange so ECDHE_RSA requires an rsa key thus rsa_kea */ -static int CipherRequires(byte first, byte second, int requirement) +int CipherRequires(byte first, byte second, int requirement) { (void)requirement; @@ -35435,6 +35423,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif #ifdef OPENSSL_EXTRA + ssl->clSuites = clSuites; /* Give user last chance to provide a cert for cipher selection */ if (ret == 0 && ssl->ctx->certSetupCb != NULL) ret = CertSetupCbWrapper(ssl); @@ -35458,7 +35447,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif out: - +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) + ssl->clSuites = NULL; +#endif #ifdef WOLFSSL_SMALL_STACK if (clSuites != NULL) XFREE(clSuites, ssl->heap, DYNAMIC_TYPE_SUITES); diff --git a/src/ssl.c b/src/ssl.c index d926ef3b08..e49ce92b21 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16303,6 +16303,163 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ctx->certSetupCbArg = arg; } + int wolfSSL_get_client_suites_sigalgs(const WOLFSSL* ssl, + const byte** suites, word16* suiteSz, + const byte** hashSigAlgo, word16* hashSigAlgoSz) + { + WOLFSSL_ENTER("wolfSSL_get_client_suites_sigalgs"); + + if (suites != NULL) + *suites = NULL; + if (suiteSz != NULL) + *suiteSz = 0; + if (hashSigAlgo != NULL) + *hashSigAlgo = NULL; + if (hashSigAlgoSz != NULL) + *hashSigAlgoSz = 0; + + if (ssl != NULL && ssl->clSuites != NULL) { + if (suites != NULL && suiteSz != NULL) { + *suites = ssl->clSuites->suites; + *suiteSz = ssl->clSuites->suiteSz; + } + if (hashSigAlgo != NULL && hashSigAlgoSz != NULL) { + *hashSigAlgo = ssl->clSuites->hashSigAlgo; + *hashSigAlgoSz = ssl->clSuites->hashSigAlgoSz; + } + return WOLFSSL_SUCCESS; + } + return WOLFSSL_FAILURE; + } + WOLFSSL_CIPHERSUITE_INFO wolfSSL_get_ciphersuite_info(byte first, + byte second) + { + WOLFSSL_CIPHERSUITE_INFO info; + info.rsaAuth = (byte)(CipherRequires(first, second, REQUIRES_RSA) || + CipherRequires(first, second, REQUIRES_RSA_SIG)); + info.eccAuth = (byte)(CipherRequires(first, second, REQUIRES_ECC) || + /* Static ECC ciphers may require RSA for authentication */ + (CipherRequires(first, second, REQUIRES_ECC_STATIC) && + !CipherRequires(first, second, REQUIRES_RSA_SIG))); + info.eccStatic = + (byte)CipherRequires(first, second, REQUIRES_ECC_STATIC); + info.psk = (byte)CipherRequires(first, second, REQUIRES_PSK); + return info; + } + + /** + * @param first First byte of the hash and signature algorithm + * @param second Second byte of the hash and signature algorithm + * @param hashAlgo The enum wc_HashType of the MAC algorithm + * @param sigAlgo The enum Key_Sum of the authentication algorithm + */ + int wolfSSL_get_sigalg_info(byte first, byte second, + int* hashAlgo, int* sigAlgo) + { + byte input[2]; + byte hashType; + byte sigType; + + if (hashAlgo == NULL || sigAlgo == NULL) + return BAD_FUNC_ARG; + + input[0] = first; + input[1] = second; + DecodeSigAlg(input, &hashType, &sigType); + + /* cast so that compiler reminds us of unimplemented values */ + switch ((enum SignatureAlgorithm)sigType) { + case anonymous_sa_algo: + *sigAlgo = (enum Key_Sum)0; + break; + case rsa_sa_algo: + *sigAlgo = RSAk; + break; + case dsa_sa_algo: + *sigAlgo = DSAk; + break; + case ecc_dsa_sa_algo: + *sigAlgo = ECDSAk; + break; + case rsa_pss_sa_algo: + *sigAlgo = RSAPSSk; + break; + case ed25519_sa_algo: + *sigAlgo = ED25519k; + break; + case rsa_pss_pss_algo: + *sigAlgo = RSAPSSk; + break; + case ed448_sa_algo: + *sigAlgo = ED448k; + break; + case falcon_level1_sa_algo: + *sigAlgo = FALCON_LEVEL1k; + break; + case falcon_level5_sa_algo: + *sigAlgo = FALCON_LEVEL5k; + break; + case dilithium_level2_sa_algo: + *sigAlgo = DILITHIUM_LEVEL2k; + break; + case dilithium_level3_sa_algo: + *sigAlgo = DILITHIUM_LEVEL3k; + break; + case dilithium_level5_sa_algo: + *sigAlgo = DILITHIUM_LEVEL5k; + break; + case sm2_sa_algo: + *sigAlgo = SM2k; + break; + case invalid_sa_algo: + default: + *hashAlgo = WC_HASH_TYPE_NONE; + *sigAlgo = 0; + return BAD_FUNC_ARG; + } + + /* cast so that compiler reminds us of unimplemented values */ + switch((enum wc_MACAlgorithm)hashType) { + case no_mac: + case rmd_mac: /* Don't have a RIPEMD type in wc_HashType */ + *hashAlgo = WC_HASH_TYPE_NONE; + break; + case md5_mac: + *hashAlgo = WC_HASH_TYPE_MD5; + break; + case sha_mac: + *hashAlgo = WC_HASH_TYPE_SHA; + break; + case sha224_mac: + *hashAlgo = WC_HASH_TYPE_SHA224; + break; + case sha256_mac: + *hashAlgo = WC_HASH_TYPE_SHA256; + break; + case sha384_mac: + *hashAlgo = WC_HASH_TYPE_SHA384; + break; + case sha512_mac: + *hashAlgo = WC_HASH_TYPE_SHA512; + break; + case blake2b_mac: + *hashAlgo = WC_HASH_TYPE_BLAKE2B; + break; + case sm3_mac: +#ifdef WOLFSSL_SM3 + *hashAlgo = WC_HASH_TYPE_SM3; +#else + *hashAlgo = WC_HASH_TYPE_NONE; +#endif + break; + default: + *hashAlgo = WC_HASH_TYPE_NONE; + *sigAlgo = 0; + return BAD_FUNC_ARG; + } + return 0; + } + /** * Internal wrapper for calling certSetupCb * @param ssl The SSL/TLS Object diff --git a/src/tls13.c b/src/tls13.c index 16a9e7b314..0329b5d553 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -5617,6 +5617,11 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input, if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo); #endif +#ifdef OPENSSL_EXTRA + if ((ret = CertSetupCbWrapper(ssl)) != 0) + return ret; +#endif + if (OPAQUE8_LEN > size) return BUFFER_ERROR; @@ -6594,6 +6599,9 @@ static void FreeDch13Args(WOLFSSL* ssl, void* pArgs) XFREE(args->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES); args->clSuites = NULL; } +#ifdef OPENSSL_EXTRA + ssl->clSuites = NULL; +#endif } int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, @@ -6978,6 +6986,11 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, case TLS_ASYNC_DO: { +#ifdef OPENSSL_EXTRA + ssl->clSuites = args->clSuites; + if ((ret = CertSetupCbWrapper(ssl)) != 0) + goto exit_dch; +#endif #ifndef NO_CERTS if (!args->usingPSK) { if ((ret = MatchSuite(ssl, args->clSuites)) < 0) { @@ -8244,11 +8257,6 @@ static int SendTls13Certificate(WOLFSSL* ssl) listSz = 0; } else { -#ifdef OPENSSL_EXTRA - if ((ret = CertSetupCbWrapper(ssl)) != 0) - return ret; -#endif - if (!ssl->buffers.certificate) { WOLFSSL_MSG("Send Cert missing certificate buffer"); return BUFFER_ERROR; diff --git a/tests/api.c b/tests/api.c index 7793eb2920..38673e45b2 100644 --- a/tests/api.c +++ b/tests/api.c @@ -370,7 +370,7 @@ defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN)) || \ defined(WOLFSSL_TEST_STATIC_BUILD) || defined(WOLFSSL_DTLS) || \ defined(HAVE_ECH) || defined(HAVE_EX_DATA) || !defined(NO_SESSION_CACHE) \ - || !defined(WOLFSSL_NO_TLS12) + || !defined(WOLFSSL_NO_TLS12) || defined(WOLFSSL_TLS13) /* for testing SSL_get_peer_cert_chain, or SESSION_TICKET_HINT_DEFAULT, * for setting authKeyIdSrc in WOLFSSL_X509, or testing DTLS sequence * number tracking */ @@ -5824,8 +5824,12 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx) #ifdef WOLFSSL_ENCRYPTED_KEYS wolfSSL_CTX_set_default_passwd_cb(ctx->c_ctx, PasswordCallBack); #endif - ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx, caCertFile, 0), - WOLFSSL_SUCCESS); + if (ctx->c_cb.caPemFile != NULL) + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx, + ctx->c_cb.caPemFile, 0), WOLFSSL_SUCCESS); + else + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->c_ctx, + caCertFile, 0), WOLFSSL_SUCCESS); #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) if (!c_sharedCtx) #endif @@ -5889,8 +5893,12 @@ static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx) wolfSSL_SetIOSend(ctx->s_ctx, test_ssl_memio_write_cb); wolfSSL_CTX_set_verify(ctx->s_ctx, WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); - ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx, cliCertFile, 0), - WOLFSSL_SUCCESS); + if (ctx->s_cb.caPemFile != NULL) + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx, + ctx->s_cb.caPemFile, 0), WOLFSSL_SUCCESS); + else + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx->s_ctx, + cliCertFile, 0), WOLFSSL_SUCCESS); #ifdef WOLFSSL_ENCRYPTED_KEYS wolfSSL_CTX_set_default_passwd_cb(ctx->s_ctx, PasswordCallBack); #endif @@ -44748,85 +44756,354 @@ static int test_wolfSSL_BIO_reset(void) /* test that the callback arg is correct */ static int certCbArg = 0; -static int clientCertCb(WOLFSSL* ssl, void* arg) +static int certCb(WOLFSSL* ssl, void* arg) { if (ssl == NULL || arg != &certCbArg) return 0; - if (wolfSSL_use_certificate_file(ssl, cliCertFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; - if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; + if (wolfSSL_is_server(ssl)) { + if (wolfSSL_use_certificate_file(ssl, svrCertFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; + } + else { + if (wolfSSL_use_certificate_file(ssl, cliCertFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, cliKeyFile, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) + return 0; + } return 1; } -static int clientCertSetupCb(WOLFSSL_CTX* ctx) +static int certSetupCb(WOLFSSL_CTX* ctx) { - SSL_CTX_set_cert_cb(ctx, clientCertCb, &certCbArg); + SSL_CTX_set_cert_cb(ctx, certCb, &certCbArg); return TEST_SUCCESS; } /** - * This is only done because test_client_nofail has no way to stop - * certificate and key loading + * This is only done because test_wolfSSL_client_server_nofail_memio has no way + * to stop certificate and key loading */ -static int clientCertClearCb(WOLFSSL* ssl) +static int certClearCb(WOLFSSL* ssl) { /* Clear the loaded certs to force the callbacks to set them up */ SSL_certs_clear(ssl); return TEST_SUCCESS; } -static int serverCertCb(WOLFSSL* ssl, void* arg) +#endif + +static int test_wolfSSL_cert_cb(void) { - if (ssl == NULL || arg != &certCbArg) - return 0; - if (wolfSSL_use_certificate_file(ssl, svrCertFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; - if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) - return 0; - return 1; + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; + + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); + + func_cb_client.ctx_ready = certSetupCb; + func_cb_client.ssl_ready = certClearCb; + func_cb_server.ctx_ready = certSetupCb; + func_cb_server.ssl_ready = certClearCb; + + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); +#endif + return EXPECT_RESULT(); } -static int serverCertSetupCb(WOLFSSL_CTX* ctx) +#if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + +static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_cipher = NULL; +static const char* test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs = NULL; +static int test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready(WOLFSSL_CTX* ctx) { - SSL_CTX_set_cert_cb(ctx, serverCertCb, &certCbArg); - return TEST_SUCCESS; + EXPECT_DECLS; + ExpectIntEQ(wolfSSL_CTX_set_cipher_list(ctx, + test_wolfSSL_cert_cb_dyn_ciphers_client_cipher), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(ctx, + test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs), WOLFSSL_SUCCESS); + return EXPECT_RESULT(); } -/** - * This is only done because test_server_nofail has no way to stop - * certificate and key loading - */ -static int serverCertClearCb(WOLFSSL* ssl) +static int test_wolfSSL_cert_cb_dyn_ciphers_certCB(WOLFSSL* ssl, void* arg) { - /* Clear the loaded certs to force the callbacks to set them up */ - SSL_certs_clear(ssl); + const byte* suites = NULL; + word16 suiteSz = 0; + const byte* hashSigAlgo = NULL; + word16 hashSigAlgoSz = 0; + word16 idx = 0; + int haveRSA = 0; + int haveECC = 0; + + (void)arg; + + if (wolfSSL_get_client_suites_sigalgs(ssl, &suites, &suiteSz, &hashSigAlgo, + &hashSigAlgoSz) != WOLFSSL_SUCCESS) + return 0; + if (suites == NULL || suiteSz == 0 || hashSigAlgo == NULL || + hashSigAlgoSz == 0) + return 0; + + for (idx = 0; idx < suiteSz; idx += 2) { + WOLFSSL_CIPHERSUITE_INFO info = + wolfSSL_get_ciphersuite_info(suites[idx], suites[idx+1]); + + if (info.rsaAuth) + haveRSA = 1; + else if (info.eccAuth) + haveECC = 1; + } + + if (hashSigAlgoSz > 0) { + /* sigalgs extension takes precedence over ciphersuites */ + haveRSA = 0; + haveECC = 0; + } + for (idx = 0; idx < hashSigAlgoSz; idx += 2) { + int hashAlgo; + int sigAlgo; + + if (wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], hashSigAlgo[idx+1], + &hashAlgo, &sigAlgo) != 0) + return 0; + + if (sigAlgo == RSAk || sigAlgo == RSAPSSk) + haveRSA = 1; + else if (sigAlgo == ECDSAk) + haveECC = 1; + } + + if (haveRSA) { + if (wolfSSL_use_certificate_file(ssl, svrCertFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, svrKeyFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; + } + else if (haveECC) { + if (wolfSSL_use_certificate_file(ssl, eccCertFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; + if (wolfSSL_use_PrivateKey_file(ssl, eccKeyFile, WOLFSSL_FILETYPE_PEM) + != WOLFSSL_SUCCESS) + return 0; + } + + return 1; +} + +static int test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready(WOLFSSL_CTX* ctx) +{ + SSL_CTX_set_cert_cb(ctx, test_wolfSSL_cert_cb_dyn_ciphers_certCB, NULL); + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL); return TEST_SUCCESS; } #endif -static int test_wolfSSL_cert_cb(void) +/* Testing dynamic ciphers offered by client */ +static int test_wolfSSL_cert_cb_dyn_ciphers(void) { EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) test_ssl_cbf func_cb_client; test_ssl_cbf func_cb_server; + struct { + method_provider client_meth; + const char* client_ciphers; + const char* client_sigalgs; + const char* client_ca; + method_provider server_meth; + } test_params[] = { +#if !defined(NO_SHA256) && defined(HAVE_AESGCM) +#ifdef WOLFSSL_TLS13 +#if !defined(NO_RSA) && defined(WC_RSA_PSS) + {wolfTLSv1_3_client_method, + "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256", + "RSA-PSS+SHA256", caCertFile, wolfTLSv1_3_server_method}, +#endif +#ifdef HAVE_ECC + {wolfTLSv1_3_client_method, + "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256", + "ECDSA+SHA256", caEccCertFile, wolfTLSv1_3_server_method}, +#endif +#endif +#ifndef WOLFSSL_NO_TLS12 +#if !defined(NO_RSA) && defined(WC_RSA_PSS) && !defined(NO_DH) + {wolfTLSv1_2_client_method, + "DHE-RSA-AES128-GCM-SHA256", + "RSA-PSS+SHA256", caCertFile, wolfTLSv1_2_server_method}, +#endif +#ifdef HAVE_ECC + {wolfTLSv1_2_client_method, + "ECDHE-ECDSA-AES128-GCM-SHA256", + "ECDSA+SHA256", caEccCertFile, wolfTLSv1_2_server_method}, +#endif +#endif +#endif + }; + size_t i; - XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); - XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); + for (i = 0; i < sizeof(test_params)/sizeof(*test_params); i++) { + printf("\tTesting %s ciphers with %s sigalgs\n", + test_params[i].client_ciphers, test_params[i].client_sigalgs); - func_cb_client.ctx_ready = clientCertSetupCb; - func_cb_client.ssl_ready = clientCertClearCb; - func_cb_server.ctx_ready = serverCertSetupCb; - func_cb_server.ssl_ready = serverCertClearCb; + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); + + test_wolfSSL_cert_cb_dyn_ciphers_client_cipher = + test_params[i].client_ciphers; + test_wolfSSL_cert_cb_dyn_ciphers_client_sigalgs = + test_params[i].client_sigalgs; + func_cb_client.method = test_params[i].client_meth; + func_cb_client.caPemFile = test_params[i].client_ca; + func_cb_client.ctx_ready = + test_wolfSSL_cert_cb_dyn_ciphers_client_ctx_ready; + + func_cb_server.ctx_ready = + test_wolfSSL_cert_cb_dyn_ciphers_server_ctx_ready; + func_cb_server.ssl_ready = certClearCb; /* Reuse from previous test */ + func_cb_server.method = test_params[i].server_meth; + + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_SUCCESS); + } +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_ciphersuite_auth(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) + WOLFSSL_CIPHERSUITE_INFO info; + + (void)info; + +#ifndef WOLFSSL_NO_TLS12 +#ifdef HAVE_CHACHA + info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256); + ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); + + info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 1); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); + + info = wolfSSL_get_ciphersuite_info(CHACHA_BYTE, + TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 1); +#endif +#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448) +#ifndef NO_RSA + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); + + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 1); + ExpectIntEQ(info.psk, 0); + + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 1); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 1); + ExpectIntEQ(info.psk, 0); +#endif + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 1); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); + + info = wolfSSL_get_ciphersuite_info(ECC_BYTE, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 1); + ExpectIntEQ(info.eccStatic, 1); + ExpectIntEQ(info.psk, 0); + + info = wolfSSL_get_ciphersuite_info(ECDHE_PSK_BYTE, + TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 1); +#endif +#endif + +#ifdef WOLFSSL_TLS13 + info = wolfSSL_get_ciphersuite_info(TLS13_BYTE, + TLS_AES_128_GCM_SHA256); + ExpectIntEQ(info.rsaAuth, 0); + ExpectIntEQ(info.eccAuth, 0); + ExpectIntEQ(info.eccStatic, 0); + ExpectIntEQ(info.psk, 0); +#endif + +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_sigalg_info(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) + byte hashSigAlgo[WOLFSSL_MAX_SIGALGO]; + word16 len = 0; + word16 idx = 0; + int allSigAlgs = SIG_ECDSA | SIG_RSA | SIG_SM2 | SIG_FALCON | SIG_DILITHIUM; + + InitSuitesHashSigAlgo_ex2(hashSigAlgo, allSigAlgs, 1, 0xFFFFFFFF, &len); + for (idx = 0; idx < len; idx += 2) { + int hashAlgo; + int sigAlgo; + + ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], + hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0); + + ExpectIntNE(hashAlgo, 0); + ExpectIntNE(sigAlgo, 0); + } + + InitSuitesHashSigAlgo_ex2(hashSigAlgo, allSigAlgs | SIG_ANON, 1, + 0xFFFFFFFF, &len); + for (idx = 0; idx < len; idx += 2) { + int hashAlgo; + int sigAlgo; + + ExpectIntEQ(wolfSSL_get_sigalg_info(hashSigAlgo[idx+0], + hashSigAlgo[idx+1], &hashAlgo, &sigAlgo), 0); + + ExpectIntNE(hashAlgo, 0); + } - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, - &func_cb_server, NULL), TEST_SUCCESS); #endif return EXPECT_RESULT(); } @@ -69051,6 +69328,9 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_check_domain), #endif TEST_DECL(test_wolfSSL_cert_cb), + TEST_DECL(test_wolfSSL_cert_cb_dyn_ciphers), + TEST_DECL(test_wolfSSL_ciphersuite_auth), + TEST_DECL(test_wolfSSL_sigalg_info), /* Can't memory test as tcp_connect aborts. */ TEST_DECL(test_wolfSSL_SESSION), TEST_DECL(test_wolfSSL_SESSION_expire_downgrade), diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index e110afcb7d..ab7d3e582e 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -340,7 +340,7 @@ #elif defined(CONFIG_IDF_TARGET_ESP32H2) #else - + /* Other platform */ #endif #include #endif /* WOLFSSL_ESPIDF */ diff --git a/wolfcrypt/src/port/Espressif/esp32_mp.c b/wolfcrypt/src/port/Espressif/esp32_mp.c index 1b699dfddf..20fb4ee9ee 100644 --- a/wolfcrypt/src/port/Espressif/esp32_mp.c +++ b/wolfcrypt/src/port/Espressif/esp32_mp.c @@ -90,7 +90,7 @@ #endif #ifndef ESP_RSA_EXPT_YBITS - #define ESP_RSA_EXPT_YBITS 8 + #define ESP_RSA_EXPT_YBITS 8 #endif #define ESP_TIMEOUT(cnt) (cnt >= ESP_RSA_TIMEOUT_CNT) @@ -140,12 +140,14 @@ static portMUX_TYPE wc_rsa_reg_lock = portMUX_INITIALIZER_UNLOCKED; /* usage metrics can be turned on independently of debugging */ #ifdef WOLFSSL_HW_METRICS - static unsigned long esp_mp_max_used = 0; + static unsigned long esp_mp_max_used = 0; static unsigned long esp_mp_mulmod_small_x_ct = 0; static unsigned long esp_mp_mulmod_small_y_ct = 0; -#ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL + static unsigned long esp_mp_max_timeout = 0; + + #ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL static unsigned long esp_mp_mul_usage_ct = 0; static unsigned long esp_mp_mul_error_ct = 0; #endif /* !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */ @@ -236,6 +238,13 @@ static int esp_mp_hw_wait_clean(void) /* no HW timeout if we don't know the platform. assumes no HW */ #endif + #if defined(WOLFSSL_HW_METRICS) + { + esp_mp_max_timeout = (timeout > esp_mp_max_timeout) ? timeout : + esp_mp_max_timeout; + } + #endif + if (ESP_TIMEOUT(timeout)) { ESP_LOGE(TAG, "esp_mp_hw_wait_clean waiting HW ready timed out."); ret = WC_HW_WAIT_E; /* hardware is busy, MP_HW_BUSY; */ @@ -1016,7 +1025,7 @@ int esp_mp_montgomery_init(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, } if ((X == NULL) || (Y == NULL) || (M == NULL) ) { /* if a bad operand passed, we cannot use HW */ - ESP_LOGE(TAG, "ERROR: Bad montgomery operand, falling back to SW"); + ESP_LOGE(TAG, "ERROR: Bad Montgomery operand, falling back to SW"); return MP_HW_FALLBACK; } XMEMSET(mph, 0, sizeof(struct esp_mp_helper)); @@ -1298,7 +1307,7 @@ int esp_mp_mul(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* Z) resultWords_sz = bits2words(Xs + Ys); /* sanity check */ - if((hwWords_sz << 5) > ESP_HW_MULTI_RSAMAX_BITS) { + if ( (hwWords_sz << 5) > ESP_HW_MULTI_RSAMAX_BITS) { ESP_LOGW(TAG, "exceeds max bit length(2048) (a)"); ret = MP_HW_FALLBACK; /* Error: value is not able to be used. */ } @@ -3060,6 +3069,8 @@ int esp_hw_show_mp_metrics(void) #endif /* EXPTMOD not disabled !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ ESP_LOGI(TAG, "Max N->used: esp_mp_max_used = %lu", esp_mp_max_used); + ESP_LOGI(TAG, "Max timeout: esp_mp_max_timeout = %lu", esp_mp_max_timeout); + #else /* no HW math, no HW math metrics */ ret = ESP_OK; diff --git a/wolfcrypt/src/port/Espressif/esp32_sha.c b/wolfcrypt/src/port/Espressif/esp32_sha.c index 12607d3e79..30ba0e7bba 100644 --- a/wolfcrypt/src/port/Espressif/esp32_sha.c +++ b/wolfcrypt/src/port/Espressif/esp32_sha.c @@ -50,7 +50,10 @@ #if defined(WOLFSSL_ESP32_CRYPT) && \ !defined(NO_WOLFSSL_ESP32_CRYPT_HASH) -#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) #include #include @@ -72,13 +75,16 @@ #include #endif -#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) +static const char* TAG = "wolf_hw_sha"; + +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) /* keep track of the currently active SHA hash object for interleaving */ const static word32 ** _active_digest_address = 0; #endif -static const char* TAG = "wolf_hw_sha"; - #ifdef NO_SHA #define WC_SHA_DIGEST_SIZE 20 #endif @@ -158,11 +164,16 @@ static const char* TAG = "wolf_hw_sha"; /* ** The wolfCrypt functions for LITTLE_ENDIAN_ORDER typically ** reverse the byte order. Except when the hardware doesn't expect it. +** +** Returns 0 (FALSE) or 1 (TRUE); see wolfSSL types.h */ int esp_sha_need_byte_reversal(WC_ESP32SHA* ctx) { - int ret = 1; /* assume we'll need reversal, look for exceptions */ -#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) + int ret = TRUE; /* assume we'll need reversal, look for exceptions */ +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) if (ctx == NULL) { ESP_LOGE(TAG, " ctx is null"); /* return true for bad params */ @@ -175,10 +186,10 @@ int esp_sha_need_byte_reversal(WC_ESP32SHA* ctx) #endif if (ctx->mode == ESP32_SHA_HW) { ESP_LOGV(TAG, " No reversal, ESP32_SHA_HW"); - ret = 0; + ret = FALSE; } else { - ret = 1; + ret = TRUE; ESP_LOGV(TAG, " Need byte reversal, %d", ctx->mode); /* return true for SW; only HW C3 skips reversal at this time. */ #ifdef WOLFSSL_HW_METRICS @@ -276,7 +287,10 @@ int esp_sha_init(WC_ESP32SHA* ctx, enum wc_HashType hash_type) ESP_LOGW(TAG, "Unexpected hash_type in esp_sha_init"); break; } -#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) +#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) switch (hash_type) { /* check each wolfSSL hash type WC_[n] */ #ifndef NO_SHA case WC_HASH_TYPE_SHA: @@ -312,7 +326,9 @@ int esp_sha_init(WC_ESP32SHA* ctx, enum wc_HashType hash_type) /* other chipsets will be implemented here */ ESP_LOGW(TAG, "SW Fallback; CONFIG_IDF_TARGET = %s", CONFIG_IDF_TARGET); ctx->mode = ESP32_SHA_SW; -#endif /* CONFIG_IDF_TARGET_ESP32 || x_ESP32S2 || x_ESP32S3 */ +#endif /* CONFIG_IDF_TARGET_ESP32 || + * CONFIG_IDF_TARGET_ESP32S2 || + * CONFIG_IDF_TARGET_ESP32S3 */ return ret; } @@ -541,9 +557,12 @@ int esp_sha_ctx_copy(struct wc_Sha* src, struct wc_Sha* dst) } if (dst->ctx.mode == ESP32_SHA_SW) { - #if defined(CONFIG_IDF_TARGET_ESP32C3) || \ + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ defined(CONFIG_IDF_TARGET_ESP32C6) - /* Reverse digest for C3 when HW enabled but fallback to SW. */ + /* Reverse digest for C2/C3/C6 RISC-V platform + * only when HW enabled but fallback to SW. */ ByteReverseWords(dst->digest, dst->digest, WC_SHA_DIGEST_SIZE); #ifdef WOLFSSL_HW_METRICS esp_sha_reverse_words_ct++; @@ -613,7 +632,7 @@ int esp_sha256_ctx_copy(struct wc_Sha256* src, struct wc_Sha256* dst) ESP_LOGI(TAG, "esp_sha256_ctx_copy esp_sha512_digest_process"); } #endif - ret = esp_sha256_digest_process(dst, 0); + ret = esp_sha256_digest_process(dst, 0); /* TODO Use FALSE*/ if (ret == 0) { /* provide init hint to possibly SW revert */ @@ -624,7 +643,9 @@ int esp_sha256_ctx_copy(struct wc_Sha256* src, struct wc_Sha256* dst) } if (dst->ctx.mode == ESP32_SHA_SW) { - #if defined(CONFIG_IDF_TARGET_ESP32C3) || \ + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ defined(CONFIG_IDF_TARGET_ESP32C6) { /* Reverse digest byte order for C3 fallback to SW. */ @@ -665,9 +686,16 @@ int esp_sha256_ctx_copy(struct wc_Sha256* src, struct wc_Sha256* dst) int esp_sha384_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst) { int ret = 0; -#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) - ESP_LOGW(TAG, "Warning: esp_sha384_ctx_copy() called for ESP32-C3!"); - ESP_LOGW(TAG, "There's no SHA384 HW for the ESP32-C3"); +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) + { + /* We should ever be calling the HW sHA384 copy for this target. */ + ESP_LOGW(TAG, "Warning: esp_sha384_ctx_copy() called for %s!", + CONFIG_IDF_TARGET); + ESP_LOGW(TAG, "There's no SHA384 HW for this CONFIG_IDF_TARGET"); + } #else if (src->ctx.mode == ESP32_SHA_HW) { /* Get a copy of the HW digest, but don't process it. */ @@ -723,8 +751,16 @@ int esp_sha384_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst) */ int esp_sha512_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst) { - int ret = 0; -#if !defined(CONFIG_IDF_TARGET_ESP32C3) && !defined(CONFIG_IDF_TARGET_ESP32C6) + int ret = ESP_OK; /* Assume success (zero) */ + +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) + /* there's no SHA512 HW on the RISC-V SoC so there's nothing to do. */ +#elif defined(CONFIG_IDF_TARGET_ESP32) || \ + defined(CONFIG_IDF_TARGET_ESP32S2) || \ + defined(CONFIG_IDF_TARGET_ESP32S3) if (src->ctx.mode == ESP32_SHA_HW) { /* Get a copy of the HW digest, but don't process it. */ ESP_LOGI(TAG, "esp_sha512_ctx_copy esp_sha512_digest_process"); @@ -752,7 +788,9 @@ int esp_sha512_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst) /* reminder this happened in XMEMCOPY, above: dst->ctx = src->ctx; ** No special HW init needed when not in active HW mode. ** but we need to set our initializer breadcrumb: */ - #if !defined(CONFIG_IDF_TARGET_ESP32C3) && \ + /* TODO: instead of what is NOT supported, gate on what IS known to be supported */ + #if !defined(CONFIG_IDF_TARGET_ESP32C2) && \ + !defined(CONFIG_IDF_TARGET_ESP32C3) && \ !defined(CONFIG_IDF_TARGET_ESP32C6) dst->ctx.initializer = &dst->ctx; /*breadcrumb is this ctx address */ #endif @@ -764,6 +802,7 @@ int esp_sha512_ctx_copy(struct wc_Sha512* src, struct wc_Sha512* dst) #endif } #endif + return ret; } /* esp_sha512_ctx_copy */ #endif @@ -821,7 +860,7 @@ static word32 wc_esp_sha_digest_size(WC_ESP_SHA_TYPE type) break; } #else - /* Xtnsa */ + /* Xtensa */ switch (type) { #ifndef NO_SHA case SHA1: /* typically 20 bytes */ @@ -871,7 +910,10 @@ static int wc_esp_wait_until_idle(void) int ret = 0; /* assume success */ int loop_ct = 10000; -#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) /* ESP32-C3 and ESP32-C6 RISC-V */ while ((sha_ll_busy() == true) && (loop_ct > 0)) { loop_ct--; @@ -925,16 +967,20 @@ int esp_unroll_sha_module_enable(WC_ESP32SHA* ctx) return BAD_FUNC_ARG; } -#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) - /* RISC-V Architecture */ +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) + /************* RISC-V Architecture *************/ (void)max_unroll_count; (void)_active_digest_address; ets_sha_disable(); + /* We don't check for unroll as done below, for Xtensa*/ #else - /* Xtensa Architecture */ + /************* Xtensa Architecture *************/ - /* unwind prior calls to THIS ctx. decrement ref_counts[periph] */ - /* only when ref_counts[periph] == 0 does something actually happen */ + /* unwind prior calls to THIS ctx. decrement ref_counts[periph] + ** only when ref_counts[periph] == 0 does something actually happen. */ /* once the value we read is a 0 in the DPORT_PERI_CLK_EN_REG bit * then we have fully unrolled the enables via ref_counts[periph]==0 */ @@ -1243,8 +1289,8 @@ int esp_sha_try_hw_lock(WC_ESP32SHA* ctx) #ifdef WOLFSSL_DEBUG_MUTEX if (esp_sha_call_count() == 8 && WOLFSSL_TEST_STRAY) { - /* once we've locked 10 times here, - * we'll force a fallback to SW until other thread unlocks */ + /* Once we've locked 10 times here, + * we'll force a fallback to SW until other thread unlocks. */ taskENTER_CRITICAL(&sha_crit_sect); { (void)stray_ctx; @@ -1329,10 +1375,15 @@ int esp_sha_try_hw_lock(WC_ESP32SHA* ctx) } #endif /* not defined(SINGLE_THREADED) */ -#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) + { ESP_LOGV(TAG, "ets_sha_enable for RISC-V"); ets_sha_enable(); ctx->mode = ESP32_SHA_HW; + } #else if (ret == 0) { ctx->lockDepth++; /* depth for THIS ctx (there could be others!) */ @@ -1361,14 +1412,15 @@ int esp_sha_try_hw_lock(WC_ESP32SHA* ctx) */ int esp_sha_hw_unlock(WC_ESP32SHA* ctx) { - int ret; + int ret = ESP_OK; /* assume success (zero) */ #ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG ESP_LOGV(TAG, "enter esp_sha_hw_unlock"); #endif - ret = 0; -#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) - /* ESP32-C3 and ESP32-C6 RISC-V */ +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) ets_sha_disable(); /* disable also resets active, ongoing hash */ ESP_LOGV(TAG, "ets_sha_disable in esp_sha_hw_unlock()"); #else @@ -1431,9 +1483,10 @@ int esp_sha_hw_unlock(WC_ESP32SHA* ctx) ESP_LOGE(TAG, "ERROR unlock lockDepth not zero"); ret = ESP_FAIL; } -#ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG + #ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG ESP_LOGI(TAG, "leave esp_sha_hw_unlock, %x", (int)ctx->initializer); -#endif + #endif + return ret; } /* esp_sha_hw_unlock */ @@ -1442,8 +1495,13 @@ int esp_sha_hw_unlock(WC_ESP32SHA* ctx) * Assumes register already loaded. * Returns a negative value error code upon failure. */ -#if !defined(CONFIG_IDF_TARGET_ESP32C3) && !defined(CONFIG_IDF_TARGET_ESP32C6) -/* the ESP32-C3 HAL has built-in process start, everything else uses: */ +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) + /* ESP32-C3 HAL has built-in process start, nothing to declare here. */ +#else + /* Everything else uses esp_sha_start_process() */ static int esp_sha_start_process(WC_ESP32SHA* sha) { int ret = 0; @@ -1457,7 +1515,10 @@ static int esp_sha_start_process(WC_ESP32SHA* sha) ESP_LOGV(TAG, " enter esp_sha_start_process"); -#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) ESP_LOGV(TAG, "SHA1 SHA_START_REG"); if (sha->isfirstblock) { sha_ll_start_block(SHA2_256); @@ -1477,7 +1538,9 @@ static int esp_sha_start_process(WC_ESP32SHA* sha) ESP_LOGV(TAG, " continue block #%d", this_block_num); #endif } /* not first block */ - /***** END CONFIG_IDF_TARGET_ESP32C3 or CONFIG_IDF_TARGET_ESP32C6 *****/ + /***** END CONFIG_IDF_TARGET_ESP32C2 aka ESP8684 or + * CONFIG_IDF_TARGET_ESP32C3 or + * CONFIG_IDF_TARGET_ESP32C6 *****/ #elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3) /* Translate from Wolf SHA type to hardware algorithm. */ @@ -1667,8 +1730,13 @@ static int wc_esp_process_block(WC_ESP32SHA* ctx, /* see ctx->sha_type */ ret = esp_sha_start_process(ctx); /***** END CONFIG_IDF_TARGET_ESP32 */ -#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) - /* SHA_M_1_REG is not a macro: +#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) + /************* RISC-V Architecture ************* + * + * SHA_M_1_REG is not a macro: * DPORT_REG_WRITE(SHA_M_1_REG + (i*sizeof(word32)), *(data + i)); * * but we have this HAL: sha_ll_fill_text_block @@ -1710,7 +1778,10 @@ static int wc_esp_process_block(WC_ESP32SHA* ctx, /* see ctx->sha_type */ ctx->isfirstblock); ctx->isfirstblock = 0; /* once we hash a block, * we're no longer at the first */ - /***** END CONFIG_IDF_TARGET_ESP32C3 or CONFIG_IDF_TARGET_ESP32C6 */ + /***** END CONFIG_IDF_TARGET_ESP32C2 or + * CONFIG_IDF_TARGET_ESP8684 or + * CONFIG_IDF_TARGET_ESP32C3 or + * CONFIG_IDF_TARGET_ESP32C6 */ #elif defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3) MessageSource = (word32*)data; @@ -1785,7 +1856,9 @@ int wc_esp_digest_state(WC_ESP32SHA* ctx, byte* hash) /* sanity check */ #if defined(CONFIG_IDF_TARGET_ESP32) if (ctx->sha_type == SHA_INVALID) { -#elif defined(CONFIG_IDF_TARGET_ESP32C3) || \ +#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ defined(CONFIG_IDF_TARGET_ESP32S2) || \ defined(CONFIG_IDF_TARGET_ESP32S3) || \ defined(CONFIG_IDF_TARGET_ESP32C6) @@ -1805,6 +1878,7 @@ int wc_esp_digest_state(WC_ESP32SHA* ctx, byte* hash) ESP_LOGE(TAG, "unexpected error. sha_type is invalid."); return ESP_FAIL; } + #if defined(CONFIG_IDF_TARGET_ESP32S2) || defined(CONFIG_IDF_TARGET_ESP32S3) if (ctx->isfirstblock == true) { /* no hardware use yet. Nothing to do yet */ @@ -1837,20 +1911,34 @@ int wc_esp_digest_state(WC_ESP32SHA* ctx, byte* hash) } /* not (ctx->sha_type == SHA2_512) */ /* end if CONFIG_IDF_TARGET_ESP32S3 */ -#elif defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) - sha_ll_read_digest(ctx->sha_type, - (void *)hash, - wc_esp_sha_digest_size(ctx->sha_type) / sizeof(word32)); +#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) + wc_esp_wait_until_idle(); + sha_ll_read_digest( + ctx->sha_type, + (void *)hash, + wc_esp_sha_digest_size(ctx->sha_type) / sizeof(word32) + ); +#elif defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) + wc_esp_wait_until_idle(); + sha_ll_read_digest( + ctx->sha_type, + (void *)hash, + wc_esp_sha_digest_size(ctx->sha_type) / sizeof(word32) + ); #else /* not CONFIG_IDF_TARGET_ESP32S3 */ /* wait until idle */ wc_esp_wait_until_idle(); /* each sha_type register is at a different location */ -#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) - +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) #elif defined(CONFIG_IDF_TARGET_ESP32S2) - + /* nothing here for S2 */ #else switch (ctx->sha_type) { case SHA1: @@ -2051,7 +2139,13 @@ int esp_sha512_block(struct wc_Sha512* sha, const word32* data, byte isfinal) int ret = 0; /* assume success */ ESP_LOGV(TAG, "enter esp_sha512_block"); /* start register offset */ -#if !defined(CONFIG_IDF_TARGET_ESP32C3) && !defined(CONFIG_IDF_TARGET_ESP32C6) + +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) + /* No SHA-512 HW on RISC-V SoC, so nothing to do. */ +#else /* note that in SW mode, wolfSSL uses 64 bit words */ if (sha->ctx.mode == ESP32_SHA_SW) { ByteReverseWords64(sha->buffer, @@ -2107,8 +2201,14 @@ int esp_sha512_digest_process(struct wc_Sha512* sha, byte blockproc) { int ret = 0; ESP_LOGV(TAG, "enter esp_sha512_digest_process"); -#if defined(CONFIG_IDF_TARGET_ESP32C3) || defined(CONFIG_IDF_TARGET_ESP32C6) - ESP_LOGW(TAG, "Warning: no SHA512 HW to digest on ESP32-C3"); +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) + { + ESP_LOGW(TAG, "Warning: no SHA512 HW to digest on %s", + CONFIG_IDF_TARGET); + } #else if (blockproc) { word32* data = (word32*)sha->buffer; @@ -2171,6 +2271,6 @@ int esp_hw_show_sha_metrics(void) return ret; } -#endif /* WOLFSSL_HW_METRICS */ +#endif /* WOLFSSL_ESP32_CRYPT and WOLFSSL_HW_METRICS */ -#endif /* WOLFSSL_ESPIDF */ +#endif /* WOLFSSL_ESPIDF (exclude entire contents for non-Espressif projects */ diff --git a/wolfcrypt/src/port/Espressif/esp32_util.c b/wolfcrypt/src/port/Espressif/esp32_util.c index 28ade6ff99..162b38fdf4 100644 --- a/wolfcrypt/src/port/Espressif/esp32_util.c +++ b/wolfcrypt/src/port/Espressif/esp32_util.c @@ -201,7 +201,11 @@ static int ShowExtendedSystemInfo_platform_espressif(void) WOLFSSL_VERSION_PRINTF("Xthal_have_ccount = %u", Xthal_have_ccount); #elif CONFIG_IDF_TARGET_ESP32C6 - /* not supported at this time */ + /* TODO find Xthal for C6 */ +#elif CONFIG_IDF_TARGET_ESP32C2 + /* TODO find Xthal for C6 */ +#elif defined(CONFIG_IDF_TARGET_ESP8684) + /* TODO find Xthal for C6 */ #elif CONFIG_IDF_TARGET_ESP32C3 /* not supported at this time */ #elif CONFIG_IDF_TARGET_ESP32S3 @@ -228,6 +232,9 @@ static int ShowExtendedSystemInfo_platform_espressif(void) WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-S2."); #elif defined(CONFIG_IDF_TARGET_ESP32S3) WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-S3."); + #elif defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) + WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-C2."); #elif defined(CONFIG_IDF_TARGET_ESP32C3) WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-C3."); #elif defined(CONFIG_IDF_TARGET_ESP32C6) @@ -235,7 +242,7 @@ static int ShowExtendedSystemInfo_platform_espressif(void) #elif defined(CONFIG_IDF_TARGET_ESP32H2) WOLFSSL_VERSION_PRINTF("ESP32_CRYPT is enabled for ESP32-H2."); #else - /* this should have been detected & disabled in user_settins.h */ + /* This should have been detected & disabled in user_settins.h */ #error "ESP32_CRYPT not yet supported on this IDF TARGET" #endif @@ -246,12 +253,12 @@ static int ShowExtendedSystemInfo_platform_espressif(void) #endif #if defined(NO_WOLFSSL_ESP32_CRYPT_AES) - WOLFSSL_VERSION_PRINTF("NO_WOLFSSL_ESP32_CRYPT_AES is defined!" + WOLFSSL_VERSION_PRINTF("NO_WOLFSSL_ESP32_CRYPT_AES is defined! " "(disabled HW AES)."); #endif #if defined(NO_WOLFSSL_ESP32_CRYPT_RSA_PRI) - WOLFSSL_VERSION_PRINTF("NO_WOLFSSL_ESP32_CRYPT_RSA_PRI defined!" + WOLFSSL_VERSION_PRINTF("NO_WOLFSSL_ESP32_CRYPT_RSA_PRI defined! " "(disabled HW RSA)"); #endif #endif @@ -376,7 +383,7 @@ int esp_current_boot_count(void) } /* See macro helpers above; not_defined is macro name when *not* defined */ -static int esp_ShowMacroStatus(char* s, char* not_defined) +static int show_macro(char* s, char* not_defined) { char hd1[] = "Macro Name Defined Not Defined"; char hd2[] = "------------------------- --------- -------------"; @@ -397,9 +404,11 @@ static int esp_ShowMacroStatus(char* s, char* not_defined) /* Depending on if defined, put an "x" in the appropriate column */ if (not_defined == NULL || not_defined[0] == '\0') { msg[ESP_SMS_ENA_POS] = 'X'; + msg[ESP_SMS_ENA_POS+1] = 0; /* end of line to eliminate space pad */ } else { msg[ESP_SMS_DIS_POS] = 'X'; + msg[ESP_SMS_DIS_POS+1] = 0; /* end of line to eliminate space pad */ } /* do we need a header? */ @@ -415,35 +424,78 @@ static int esp_ShowMacroStatus(char* s, char* not_defined) } /* Show some interesting settings */ -int esp_ShowHardwareAcclerationSettings(void) +int ShowExtendedSystemInfo_config(void) { esp_ShowMacroStatus_need_header = 1; - esp_ShowMacroStatus("HW_MATH_ENABLED", STR_IFNDEF(HW_MATH_ENABLED)); - esp_ShowMacroStatus("RSA_LOW_MEM", STR_IFNDEF(RSA_LOW_MEM)); - esp_ShowMacroStatus("WOLFSSL_SHA224", STR_IFNDEF(WOLFSSL_SHA224)); - esp_ShowMacroStatus("WOLFSSL_SHA384", STR_IFNDEF(WOLFSSL_SHA384)); - esp_ShowMacroStatus("WOLFSSL_SHA512", STR_IFNDEF(WOLFSSL_SHA512)); - esp_ShowMacroStatus("WOLFSSL_SHA3", STR_IFNDEF(WOLFSSL_SHA3)); - esp_ShowMacroStatus("HAVE_ED25519", STR_IFNDEF(HAVE_ED25519)); - esp_ShowMacroStatus("USE_FAST_MATH", STR_IFNDEF(USE_FAST_MATH)); - esp_ShowMacroStatus("WOLFSSL_SP_MATH_ALL", STR_IFNDEF(WOLFSSL_SP_MATH_ALL)); - esp_ShowMacroStatus("WOLFSSL_SP_RISCV32", STR_IFNDEF(WOLFSSL_SP_RISCV32)); - esp_ShowMacroStatus("SP_MATH", STR_IFNDEF(SP_MATH)); - esp_ShowMacroStatus("WOLFSSL_HW_METRICS", STR_IFNDEF(WOLFSSL_HW_METRICS)); - - #ifdef USE_FAST_MATH - ESP_LOGI(TAG, "USE_FAST_MATH"); - #endif /* USE_FAST_MATH */ - - #ifdef WOLFSSL_SP_MATH_ALL - #ifdef WOLFSSL_SP_RISCV32 - ESP_LOGI(TAG, "WOLFSSL_SP_MATH_ALL + WOLFSSL_SP_RISCV32"); - #else - ESP_LOGI(TAG, "WOLFSSL_SP_MATH_ALL"); - #endif - #endif /* WOLFSSL_SP_MATH_ALL */ + + show_macro("NO_ESPIDF_DEFAULT", STR_IFNDEF(NO_ESPIDF_DEFAULT)); + + show_macro("HW_MATH_ENABLED", STR_IFNDEF(HW_MATH_ENABLED)); + + /* Features */ + show_macro("WOLFSSL_SHA224", STR_IFNDEF(WOLFSSL_SHA224)); + show_macro("WOLFSSL_SHA384", STR_IFNDEF(WOLFSSL_SHA384)); + show_macro("WOLFSSL_SHA512", STR_IFNDEF(WOLFSSL_SHA512)); + show_macro("WOLFSSL_SHA3", STR_IFNDEF(WOLFSSL_SHA3)); + show_macro("HAVE_ED25519", STR_IFNDEF(HAVE_ED25519)); + show_macro("HAVE_AES_ECB", STR_IFNDEF(HAVE_AES_ECB)); + show_macro("HAVE_AES_DIRECT", STR_IFNDEF(HAVE_AES_DIRECT)); + + /* Math Library Selection */ + show_macro("USE_FAST_MATH", STR_IFNDEF(USE_FAST_MATH)); + show_macro("WOLFSSL_SP_MATH_ALL", STR_IFNDEF(WOLFSSL_SP_MATH_ALL)); +#ifdef WOLFSSL_SP_RISCV32 + show_macro("WOLFSSL_SP_RISCV32", STR_IFNDEF(WOLFSSL_SP_RISCV32)); +#endif + show_macro("SP_MATH", STR_IFNDEF(SP_MATH)); + + /* Diagnostics */ + show_macro("WOLFSSL_HW_METRICS", STR_IFNDEF(WOLFSSL_HW_METRICS)); + + /* Optimizations */ + show_macro("RSA_LOW_MEM", STR_IFNDEF(RSA_LOW_MEM)); + + /* Security Hardening */ + show_macro("WC_NO_HARDEN", STR_IFNDEF(WC_NO_HARDEN)); + show_macro("TFM_TIMING_RESISTANT", STR_IFNDEF(TFM_TIMING_RESISTANT)); + show_macro("ECC_TIMING_RESISTANT", STR_IFNDEF(ECC_TIMING_RESISTANT)); + + /* WC_NO_CACHE_RESISTANT is only important if another process can be + * run on the device. With embedded it is less likely to be exploitable. + * Timing attacks are usually by probe. So typically turn this on: */ + show_macro("WC_NO_CACHE_RESISTANT", STR_IFNDEF(WC_NO_CACHE_RESISTANT)); + + /* Side channel bit slicing */ + show_macro("WC_AES_BITSLICED", STR_IFNDEF(WC_AES_BITSLICED)); + + /* Unrolling will normally improve performance, + * so make sure WOLFSSL_AES_NO_UNROLL isn't defined unless you want it. */ + show_macro("WOLFSSL_AES_NO_UNROLL", STR_IFNDEF(WOLFSSL_AES_NO_UNROLL)); + show_macro("TFM_TIMING_RESISTANT", STR_IFNDEF(TFM_TIMING_RESISTANT)); + show_macro("ECC_TIMING_RESISTANT", STR_IFNDEF(ECC_TIMING_RESISTANT)); + show_macro("WC_RSA_BLINDING", STR_IFNDEF(WC_RSA_BLINDING)); + show_macro("NO_WRITEV", STR_IFNDEF(NO_WRITEV)); + + /* Environment */ + show_macro("FREERTOS", STR_IFNDEF(FREERTOS)); + show_macro("NO_WOLFSSL_DIR", STR_IFNDEF(NO_WOLFSSL_DIR)); + show_macro("WOLFSSL_NO_CURRDIR", STR_IFNDEF(WOLFSSL_NO_CURRDIR)); + show_macro("WOLFSSL_LWIP", STR_IFNDEF(WOLFSSL_LWIP)); ESP_LOGI(TAG, ""); +#if defined(CONFIG_COMPILER_OPTIMIZATION_DEFAULT) + ESP_LOGI(TAG, "Compiler Optimization: Default"); +#elif defined(CONFIG_COMPILER_OPTIMIZATION_SIZE) + ESP_LOGI(TAG, "Compiler Optimization: Size"); +#elif defined(CONFIG_COMPILER_OPTIMIZATION_PERF) + ESP_LOGI(TAG, "Compiler Optimization: Performance"); +#elif defined(CONFIG_COMPILER_OPTIMIZATION_NONE) + ESP_LOGI(TAG, "Compiler Optimization: None"); +#else + ESP_LOGI(TAG, "Compiler Optimization: Unknown"); +#endif + ESP_LOGI(TAG, ""); + return ESP_OK; } /* @@ -536,7 +588,7 @@ int ShowExtendedSystemInfo(void) ESP_LOGW(TAG, "Warning: ESP_RSA_MULM_BITS not defined for ESP32"); #endif -#elif defined(CONFIG_IDF_TARGET_ESP32C2) +#elif defined(CONFIG_IDF_TARGET_ESP32C2) || defined(CONFIG_IDF_TARGET_ESP8684) ESP_LOGI(TAG, "CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ = %u MHz", CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ ); @@ -578,7 +630,7 @@ int ShowExtendedSystemInfo(void) #endif ESP_LOGI(TAG, ""); - esp_ShowHardwareAcclerationSettings(); + ShowExtendedSystemInfo_config(); ShowExtendedSystemInfo_git(); ShowExtendedSystemInfo_platform(); ShowExtendedSystemInfo_thread(); @@ -732,18 +784,19 @@ int esp_hw_show_metrics(void) #if defined(WOLFSSL_ESP32_CRYPT) esp_hw_show_sha_metrics(); #else - ESP_LOGI(TAG, "WOLFSSL_ESP32_CRYPT"); + ESP_LOGI(TAG, "WOLFSSL_ESP32_CRYPT not defined, " + "HW SHA hash not enabled"); #endif #if defined(WOLFSSL_ESP32_CRYPT_RSA_PRI) esp_hw_show_mp_metrics(); #else - ESP_LOGI(TAG, "WOLFSSL_ESP32_CRYPT_RSA_PRI not defined," + ESP_LOGI(TAG, "WOLFSSL_ESP32_CRYPT_RSA_PRI not defined, " "HW math not enabled"); #endif #if defined(NO_WOLFSSL_ESP32_CRYPT_AES) - ESP_LOGI(TAG, "NO_WOLFSSL_ESP32_CRYPT_AES is defined," + ESP_LOGI(TAG, "NO_WOLFSSL_ESP32_CRYPT_AES is defined, " "HW AES not enabled"); #else esp_hw_show_aes_metrics(); diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c index 6e3d2fe8bf..373c9e85c4 100644 --- a/wolfcrypt/src/tfm.c +++ b/wolfcrypt/src/tfm.c @@ -4051,12 +4051,16 @@ int fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c) /* zero the int */ fp_zero (a); + if (c < 0) { + return FP_VAL; + } + if (c == 0) { return FP_OKAY; } /* if input b excess max, then truncate */ - if (c > 0 && (word32)c > maxC) { + if ((word32)c > maxC) { int excess = (c - maxC); c -= excess; b += excess; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 534dedc43e..6b802e3568 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -16930,7 +16930,7 @@ static wc_test_ret_t rsa_decode_test(RsaKey* keyPub) goto done; } ret = wc_RsaPublicKeyDecodeRaw(n, (word32)-1, e, sizeof(e), keyPub); -#if !defined(WOLFSSL_SP_MATH) & !defined(WOLFSSL_SP_MATH_ALL) +#if defined(USE_INTEGER_HEAP_MATH) if (ret != 0) #else if (ret != ASN_GETINT_E) @@ -16944,11 +16944,12 @@ static wc_test_ret_t rsa_decode_test(RsaKey* keyPub) if (ret != 0) return WC_TEST_RET_ENC_EC(ret); ret = wc_RsaPublicKeyDecodeRaw(n, sizeof(n), e, (word32)-1, keyPub); -#if !defined(WOLFSSL_SP_MATH) & !defined(WOLFSSL_SP_MATH_ALL) - if (ret != 0) { +#if defined(USE_INTEGER_HEAP_MATH) + if (ret != 0) #else - if (ret != ASN_GETINT_E) { + if (ret != ASN_GETINT_E) #endif + { ret = WC_TEST_RET_ENC_EC(ret); goto done; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 27b1486f64..8480fbed1b 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2352,7 +2352,8 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex(byte* hashSigAlgo, int haveECDSAsig, int haveRSAsig, int haveFalconSig, int haveDilithiumSig, int haveAnon, int tls1_2, int keySz, word16* len); -WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have, +/* use wolfSSL_API visibility to be able to test in tests/api.c */ +WOLFSSL_API void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have, int tls1_2, int keySz, word16* len); WOLFSSL_LOCAL int AllocateCtxSuites(WOLFSSL_CTX* ctx); @@ -5389,6 +5390,9 @@ struct WOLFSSL { * re-using the context's object. When WOLFSSL * object needs separate instance of suites use * AllocateSuites(). */ +#ifdef OPENSSL_EXTRA + const Suites* clSuites; +#endif #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) WOLF_STACK_OF(WOLFSSL_CIPHER)* suitesStack; /* stack of available cipher * suites */ @@ -6011,6 +6015,16 @@ enum ProvisionSide { PROVISION_CLIENT_SERVER = 3 }; +/* cipher requirements */ +enum { + REQUIRES_RSA, + REQUIRES_DHE, + REQUIRES_ECC, + REQUIRES_ECC_STATIC, + REQUIRES_PSK, + REQUIRES_RSA_SIG, + REQUIRES_AEAD +}; static const byte kTlsClientStr[SIZEOF_SENDER+1] = { 0x43, 0x4C, 0x4E, 0x54, 0x00 }; /* CLNT */ static const byte kTlsServerStr[SIZEOF_SENDER+1] = { 0x53, 0x52, 0x56, 0x52, 0x00 }; /* SRVR */ @@ -6102,6 +6116,7 @@ WOLFSSL_LOCAL void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree); WOLFSSL_LOCAL void ShrinkOutputBuffer(WOLFSSL* ssl); WOLFSSL_LOCAL byte* GetOutputBuffer(WOLFSSL* ssl); +WOLFSSL_LOCAL int CipherRequires(byte first, byte second, int requirement); WOLFSSL_LOCAL int VerifyClientSuite(word16 havePSK, byte cipherSuite0, byte cipherSuite); @@ -6311,6 +6326,10 @@ WOLFSSL_LOCAL word32 LowResTimer(void); WOLFSSL_LOCAL int FindSuiteSSL(const WOLFSSL* ssl, byte* suite); +WOLFSSL_LOCAL void DecodeSigAlg(const byte* input, byte* hashAlgo, + byte* hsType); +WOLFSSL_LOCAL enum wc_HashType HashAlgoToType(int hashAlgo); + #ifndef NO_CERTS WOLFSSL_LOCAL void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag, void* heap); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index d709836589..c78d6b6f70 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2121,6 +2121,19 @@ WOLFSSL_API void wolfSSL_CTX_set_client_cert_cb(WOLFSSL_CTX *ctx, client_cert_cb typedef int (*CertSetupCallback)(WOLFSSL* ssl, void*); WOLFSSL_API void wolfSSL_CTX_set_cert_cb(WOLFSSL_CTX* ctx, CertSetupCallback cb, void *arg); +WOLFSSL_API int wolfSSL_get_client_suites_sigalgs(const WOLFSSL* ssl, + const byte** suites, word16* suiteSz, + const byte** hashSigAlgo, word16* hashSigAlgoSz); +typedef struct WOLFSSL_CIPHERSUITE_INFO { + byte rsaAuth:1; + byte eccAuth:1; + byte eccStatic:1; + byte psk:1; +} WOLFSSL_CIPHERSUITE_INFO; +WOLFSSL_API WOLFSSL_CIPHERSUITE_INFO wolfSSL_get_ciphersuite_info(byte first, + byte second); +WOLFSSL_API int wolfSSL_get_sigalg_info(byte first, + byte second, int* hashAlgo, int* sigAlgo); WOLFSSL_LOCAL int CertSetupCbWrapper(WOLFSSL* ssl); WOLFSSL_API void* wolfSSL_X509_STORE_CTX_get_ex_data( diff --git a/wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h b/wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h index b459d9b2b2..f8d88ef8c3 100644 --- a/wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h +++ b/wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h @@ -22,9 +22,17 @@ #define __ESP32_CRYPT_H__ +/* WOLFSSL_USER_SETTINGS must be defined, typically in the CMakeLists.txt: + * + * set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") */ #include /* references user_settings.h */ #if defined(WOLFSSL_ESPIDF) /* Entire file is only for Espressif EDP-IDF */ + +#ifndef WOLFSSL_USER_SETTINGS + #error "WOLFSSL_USER_SETTINGS must be defined for Espressif targts" +#endif + #include "sdkconfig.h" /* ensure ESP-IDF settings are available everywhere */ /* wolfSSL */ @@ -72,6 +80,12 @@ enum { ** ** Primary Settings: ** +** WC_NO_HARDEN +** Disables some timing resistance / side-channel attack prevention. +** +** NO_ESPIDF_DEFAULT +** When defined, disables some default definitions. See wolfcrypt/settings.h +** ** NO_ESP32_CRYPT ** When defined, disables all hardware acceleration on the ESP32 ** @@ -143,11 +157,15 @@ enum { ** WOLFSSL_HW_METRICS ** Enables metric counters for calls to HW, success, fall back, oddities. ** +** WOLFSSL_HAS_METRICS +** Indicates that we actually have metrics to show. Useful for old wolfSSL +** libraries tested with newer examples, or when all HW turned off. +** ** DEBUG_WOLFSSL ** Turns on development testing. Validates HW accelerated results to software ** - Automatically turns on WOLFSSL_HW_METRICS ** -** WOLFSSL_DEBUG_MUTEX +** DEBUG_WOLFSSL_SHA_MUTEX ** Turns on diagnostic messages for SHA mutex. Note that given verbosity, ** there may be TLS timing issues encountered. Use with caution. ** @@ -203,10 +221,12 @@ enum { ** ** CONFIG_IDF_TARGET_[SoC] ** CONFIG_IDF_TARGET_ESP32 -** CONFIG_IDF_TARGET_ESP32S2 -** CONFIG_IDF_TARGET_ESP32S3 +** CONFIG_IDF_TARGET_ESP32C2 ** CONFIG_IDF_TARGET_ESP32C3 ** CONFIG_IDF_TARGET_ESP32C6 +** CONFIG_IDF_TARGET_ESP32S2 +** CONFIG_IDF_TARGET_ESP32S3 +** CONFIG_IDF_TARGET_ESP32H2 ** ]******************************************************************************* ** Informative settings. Not meant to be edited: @@ -254,6 +274,60 @@ enum { #define ESP_PROHIBIT_SMALL_X FALSE /***** END CONFIG_IDF_TARGET_ESP32 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) + /* ESP8684 is essentially ESP32-C2 chip + flash embedded together in a + * single QFN 4x4 mm package. Out of released documentation, Technical + * Reference Manual as well as ESP-IDF Programming Guide is applicable + * to both ESP32-C2 and ESP8684. + * + * Note there is not currently an expected CONFIG_IDF_TARGET_ESP8684. + * The ESP8684 is detected with CONFIG_IDF_TARGET_ESP32C2. + * The macro is included for clarity, and possible future rename. */ + + /* #define NO_ESP32_CRYPT */ + /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ + #define NO_WOLFSSL_ESP32_CRYPT_AES /* No AES HW */ + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI /* No RSA HW*/ + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL /* No RSA, so no mp_mul */ + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD /* No RSA, so no mp_mulmod */ + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD /* No RSA, no mp_exptmod */ + + #include + #include + + #if ESP_IDF_VERSION_MAJOR < 5 + #include + #endif + + #if defined(ESP_IDF_VERSION_MAJOR) && ESP_IDF_VERSION_MAJOR >= 5 + #include + #else + #include + #endif + + #if ESP_IDF_VERSION_MAJOR >= 4 + /* #include */ + #else + #include + #endif + +/* If for some reason there's a desire to disable specific HW on the C2: */ +/* #undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA */ +/* #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA there is SHA HW on C2 */ +/* #undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 */ +/* #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 there is SHA224 HW on C2 */ +/* #undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA256 */ +/* #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA256 there is SHA256 HW on C2 */ + + /* Code will fall back to SW with warning if these are removed: + * Note there is no SHA384/SHA512 HW on ESP32-C3 */ + #undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + #undef NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + /***** END CONFIG_IDF_TARGET_ESP32C2 aka CONFIG_IDF_TARGET_ESP8684 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32C3) #include #include @@ -499,7 +573,8 @@ extern "C" #if defined(CONFIG_IDF_TARGET_ESP32) #include "esp32/rom/sha.h" #define WC_ESP_SHA_TYPE enum SHA_TYPE - #elif defined(CONFIG_IDF_TARGET_ESP32C2) + #elif defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) #include "esp32c2/rom/sha.h" #define WC_ESP_SHA_TYPE SHA_TYPE #elif defined(CONFIG_IDF_TARGET_ESP32C3) @@ -686,6 +761,8 @@ extern "C" ******************************************************************************* */ #ifdef WOLFSSL_HW_METRICS + #define WOLFSSL_HAS_METRICS + /* Allow sha256 code to keep track of SW fallback during active HW */ WOLFSSL_LOCAL int esp_sw_sha256_count_add(); @@ -780,6 +857,6 @@ extern "C" } #endif -#endif /* WOLFSSL_ESPIDF */ +#endif /* WOLFSSL_ESPIDF (entire contents excluded when not Espressif ESP-IDF) */ #endif /* __ESP32_CRYPT_H__ */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index a3536e596f..37bbcdb3c5 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -378,16 +378,19 @@ #endif #if defined(WOLFSSL_ESPIDF) - #define FREERTOS - #define WOLFSSL_LWIP - #define NO_WRITEV #define SIZEOF_LONG_LONG 8 - #define NO_WOLFSSL_DIR - #define WOLFSSL_NO_CURRDIR + #ifndef NO_ESPIDF_DEFAULT + #define FREERTOS + #define WOLFSSL_LWIP + #define NO_WRITEV + #define NO_WOLFSSL_DIR + #define WOLFSSL_NO_CURRDIR - #define TFM_TIMING_RESISTANT - #define ECC_TIMING_RESISTANT - #define WC_RSA_BLINDING + #define TFM_TIMING_RESISTANT + #define ECC_TIMING_RESISTANT + #define WC_RSA_BLINDING + #define WC_NO_CACHE_RESISTANT + #endif /* !WOLFSSL_ESPIDF_NO_DEFAULT */ #if defined(WOLFSSL_ESPWROOM32) /* WOLFSSL_ESPWROOM32 is a legacy macro gate. @@ -396,6 +399,32 @@ #define WOLFSSL_ESP32 #endif +#if defined(NO_ESP32WROOM32_CRYPT) + #undef NO_ESP32WROOM32_CRYPT + #define NO_ESP32_CRYPT + #error "Please use NO_ESP32_CRYPT not NO_ESP32WROOM32_CRYPT" +#endif + +#if defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH) + #undef NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #error "Please use NO_WOLFSSL_ESP32_CRYPT_HASH not NO_ESP32WROOM32_CRYPT" +#endif + +#if defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES) + #undef NO_WOLFSSL_ESP32WROOM32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_AES + #error "Please use NO_WOLFSSL_ESP32_CRYPT_AES" \ + " not " "NO_WOLFSSL_ESP32WROOM32_CRYPT_AES" +#endif + +#if defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI) + #undef NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + #error "Please use NO_WOLFSSL_ESP32_CRYPT_RSA_PRI" \ + " not " "NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI" +#endif + #if defined(WOLFSSL_ESP32) || defined(WOLFSSL_ESPWROOM32SE) #ifndef NO_ESP32_CRYPT #define WOLFSSL_ESP32_CRYPT @@ -407,9 +436,9 @@ #endif #if defined(WOLFSSL_SP_RISCV32) - #if defined(CONFIG_IDF_TARGET_ESP32C2) \ - || defined(CONFIG_IDF_TARGET_ESP32C3) \ - || defined(CONFIG_IDF_TARGET_ESP32C6) + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP32C3) || \ + defined(CONFIG_IDF_TARGET_ESP32C6) /* ok, only the known C2, C3, C6 chips allowed */ #else #error "WOLFSSL_SP_RISCV32 can only be used on RISC-V architecture"