xref: /curl/projects/wolfssl_options.h (revision 99ba50d9)
1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9  *
10  * This software is licensed as described in the file COPYING, which
11  * you should have received as part of this distribution. The terms
12  * are also available at https://curl.se/docs/copyright.html.
13  *
14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15  * copies of the Software, and permit persons to whom the Software is
16  * furnished to do so, under the terms of the COPYING file.
17  *
18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19  * KIND, either express or implied.
20  *
21  * SPDX-License-Identifier: curl
22  *
23  ***************************************************************************/
24 /*
25 By default wolfSSL has a very conservative configuration that can result in
26 connections to servers failing due to certificate or algorithm problems.
27 To remedy this issue for libcurl I've generated this options file that
28 build-wolfssl will copy to the wolfSSL include directories and will result in
29 maximum compatibility.
30 
31 These are the configure options that were used to build wolfSSL v5.1.1 in
32 MinGW and generate the options in this file:
33 
34 C_EXTRA_FLAGS="\
35   -Wno-attributes \
36   -Wno-unused-but-set-variable \
37   -DFP_MAX_BITS=16384 \
38   -DHAVE_SECRET_CALLBACK \
39   -DTFM_TIMING_RESISTANT \
40   -DUSE_WOLF_STRTOK \
41   -DWOLFSSL_DES_ECB \
42   -DWOLFSSL_STATIC_DH \
43   -DWOLFSSL_STATIC_RSA \
44   " \
45 ./configure --prefix=/usr/local \
46   --disable-jobserver \
47   --enable-aesgcm \
48   --enable-alpn \
49   --enable-altcertchains \
50   --enable-certgen \
51   --enable-des3 \
52   --enable-dh \
53   --enable-dsa \
54   --enable-ecc \
55   --enable-eccshamir \
56   --enable-fastmath \
57   --enable-opensslextra \
58   --enable-ripemd \
59   --enable-sessioncerts \
60   --enable-sha512 \
61   --enable-sni \
62   --enable-tlsv10 \
63   --enable-supportedcurves \
64   --enable-tls13 \
65   --enable-testcert \
66   > config.out 2>&1
67 
68 Two generated options HAVE_THREAD_LS and _POSIX_THREADS were removed since they
69 are inapplicable for our Visual Studio build. Currently thread local storage is
70 only used by the Fixed Point cache ECC which we're not enabling. However even
71 if we later may decide to enable the cache it will fallback on mutexes when
72 thread local storage is not available. wolfSSL is using __declspec(thread) to
73 create the thread local storage and that could be a problem for LoadLibrary.
74 
75 Regarding the options that were added via C_EXTRA_FLAGS:
76 
77 FP_MAX_BITS=16384
78 https://www.wolfssl.com/documentation/manuals/wolfssl/chapter02.html
79 "Since root.crt uses a 4096-bit RSA key, you'll need to increase the fastmath
80 buffer size.  You can do this using the define:
81 FP_MAX_BITS and setting it to 8192."
82 
83 HAVE_SECRET_CALLBACK
84 Build wolfSSL with wolfSSL_set_tls13_secret_cb which allows saving TLS 1.3
85 secrets to SSLKEYLOGFILE.
86 
87 TFM_TIMING_RESISTANT
88 https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-2-building-wolfssl.html
89 From section 2.4.5 Increasing Performance, USE_FAST_MATH:
90 "Because the stack memory usage can be larger when using fastmath, we recommend
91 defining TFM_TIMING_RESISTANT as well when using this option."
92 
93 USE_WOLF_STRTOK
94 Build wolfSSL to always use its internal strtok instead of C runtime strtok.
95 
96 WOLFSSL_DES_ECB
97 Build wolfSSL with wolfSSL_DES_ecb_encrypt which is needed by libcurl for NTLM.
98 
99 WOLFSSL_STATIC_DH:    Allow TLS_ECDH_ ciphers
100 WOLFSSL_STATIC_RSA:   Allow TLS_RSA_ ciphers
101 https://github.com/wolfSSL/wolfssl/blob/v3.6.6/README.md#note-1
102 Static key cipher suites are deprecated and disabled by default since v3.6.6.
103 */
104 
105 /* wolfssl options.h
106  * generated from configure options
107  *
108  * Copyright (C) 2006-2022 wolfSSL Inc.
109  *
110  * This file is part of wolfSSL. (formerly known as CyaSSL)
111  *
112  */
113 
114 #ifndef WOLFSSL_OPTIONS_H
115 #define WOLFSSL_OPTIONS_H
116 
117 
118 #ifdef __cplusplus
119 extern "C" {
120 #endif
121 
122 #undef  FP_MAX_BITS
123 #define FP_MAX_BITS 16384
124 
125 #undef  HAVE_SECRET_CALLBACK
126 #define HAVE_SECRET_CALLBACK
127 
128 #undef  TFM_TIMING_RESISTANT
129 #define TFM_TIMING_RESISTANT
130 
131 #undef  USE_WOLF_STRTOK
132 #define USE_WOLF_STRTOK
133 
134 #undef  WOLFSSL_DES_ECB
135 #define WOLFSSL_DES_ECB
136 
137 #undef  WOLFSSL_STATIC_DH
138 #define WOLFSSL_STATIC_DH
139 
140 #undef  WOLFSSL_STATIC_RSA
141 #define WOLFSSL_STATIC_RSA
142 
143 #undef  TFM_TIMING_RESISTANT
144 #define TFM_TIMING_RESISTANT
145 
146 #undef  ECC_TIMING_RESISTANT
147 #define ECC_TIMING_RESISTANT
148 
149 #undef  WC_RSA_BLINDING
150 #define WC_RSA_BLINDING
151 
152 #undef  WOLFSSL_USE_ALIGN
153 #define WOLFSSL_USE_ALIGN
154 
155 #undef  WOLFSSL_RIPEMD
156 #define WOLFSSL_RIPEMD
157 
158 #undef  WOLFSSL_SHA512
159 #define WOLFSSL_SHA512
160 
161 #undef  WOLFSSL_SHA384
162 #define WOLFSSL_SHA384
163 
164 #undef  SESSION_CERTS
165 #define SESSION_CERTS
166 
167 #undef  HAVE_HKDF
168 #define HAVE_HKDF
169 
170 #undef  HAVE_ECC
171 #define HAVE_ECC
172 
173 #undef  TFM_ECC256
174 #define TFM_ECC256
175 
176 #undef  ECC_SHAMIR
177 #define ECC_SHAMIR
178 
179 #undef  WOLFSSL_ALLOW_TLSV10
180 #define WOLFSSL_ALLOW_TLSV10
181 
182 #undef  WC_RSA_PSS
183 #define WC_RSA_PSS
184 
185 #undef  NO_HC128
186 #define NO_HC128
187 
188 #undef  NO_RABBIT
189 #define NO_RABBIT
190 
191 #undef  HAVE_POLY1305
192 #define HAVE_POLY1305
193 
194 #undef  HAVE_ONE_TIME_AUTH
195 #define HAVE_ONE_TIME_AUTH
196 
197 #undef  HAVE_CHACHA
198 #define HAVE_CHACHA
199 
200 #undef  HAVE_HASHDRBG
201 #define HAVE_HASHDRBG
202 
203 #undef  HAVE_TLS_EXTENSIONS
204 #define HAVE_TLS_EXTENSIONS
205 
206 #undef  HAVE_SNI
207 #define HAVE_SNI
208 
209 #undef  HAVE_TLS_EXTENSIONS
210 #define HAVE_TLS_EXTENSIONS
211 
212 #undef  HAVE_ALPN
213 #define HAVE_ALPN
214 
215 #undef  HAVE_TLS_EXTENSIONS
216 #define HAVE_TLS_EXTENSIONS
217 
218 #undef  HAVE_SUPPORTED_CURVES
219 #define HAVE_SUPPORTED_CURVES
220 
221 #undef  HAVE_FFDHE_2048
222 #define HAVE_FFDHE_2048
223 
224 #undef  HAVE_SUPPORTED_CURVES
225 #define HAVE_SUPPORTED_CURVES
226 
227 #undef  WOLFSSL_TLS13
228 #define WOLFSSL_TLS13
229 
230 #undef  HAVE_TLS_EXTENSIONS
231 #define HAVE_TLS_EXTENSIONS
232 
233 #undef  HAVE_EXTENDED_MASTER
234 #define HAVE_EXTENDED_MASTER
235 
236 #undef  WOLFSSL_ALT_CERT_CHAINS
237 #define WOLFSSL_ALT_CERT_CHAINS
238 
239 #undef  WOLFSSL_TEST_CERT
240 #define WOLFSSL_TEST_CERT
241 
242 #undef  NO_RC4
243 #define NO_RC4
244 
245 #undef  HAVE_ENCRYPT_THEN_MAC
246 #define HAVE_ENCRYPT_THEN_MAC
247 
248 #undef  NO_PSK
249 #define NO_PSK
250 
251 #undef  NO_MD4
252 #define NO_MD4
253 
254 #undef  WOLFSSL_ENCRYPTED_KEYS
255 #define WOLFSSL_ENCRYPTED_KEYS
256 
257 #undef  USE_FAST_MATH
258 #define USE_FAST_MATH
259 
260 #undef  WC_NO_ASYNC_THREADING
261 #define WC_NO_ASYNC_THREADING
262 
263 #undef  HAVE_DH_DEFAULT_PARAMS
264 #define HAVE_DH_DEFAULT_PARAMS
265 
266 #undef  WOLFSSL_CERT_GEN
267 #define WOLFSSL_CERT_GEN
268 
269 #undef  OPENSSL_EXTRA
270 #define OPENSSL_EXTRA
271 
272 #undef  WOLFSSL_ALWAYS_VERIFY_CB
273 #define WOLFSSL_ALWAYS_VERIFY_CB
274 
275 #undef  WOLFSSL_VERIFY_CB_ALL_CERTS
276 #define WOLFSSL_VERIFY_CB_ALL_CERTS
277 
278 #undef  WOLFSSL_EXTRA_ALERTS
279 #define WOLFSSL_EXTRA_ALERTS
280 
281 #undef  HAVE_EXT_CACHE
282 #define HAVE_EXT_CACHE
283 
284 #undef  WOLFSSL_FORCE_CACHE_ON_TICKET
285 #define WOLFSSL_FORCE_CACHE_ON_TICKET
286 
287 #undef  WOLFSSL_AKID_NAME
288 #define WOLFSSL_AKID_NAME
289 
290 #undef  HAVE_CTS
291 #define HAVE_CTS
292 
293 #undef  GCM_TABLE_4BIT
294 #define GCM_TABLE_4BIT
295 
296 #undef  HAVE_AESGCM
297 #define HAVE_AESGCM
298 
299 #undef  HAVE_WC_INTROSPECTION
300 #define HAVE_WC_INTROSPECTION
301 
302 
303 #ifdef __cplusplus
304 } /* end of extern "C" */
305 #endif
306 
307 
308 #endif /* WOLFSSL_OPTIONS_H */
309