Merge pull request wolfSSL#9719 from dgarske/usersettings_expand

Improve user_settings.h examples and add validation rules

Author: JacobBarthelmeh

.github/workflows/os-check.yml

@@ -122,13 +122,24 @@ jobs:
       matrix:
         os: [ ubuntu-24.04, macos-latest ]
         user-settings: [
-          # Add new user_settings.h here
+          # Add new user_settings.h here (alphabetical order)
+          'examples/configs/user_settings_ca.h',
+          'examples/configs/user_settings_dtls13.h',
+          'examples/configs/user_settings_EBSnet.h',
           'examples/configs/user_settings_eccnonblock.h',
           'examples/configs/user_settings_min_ecc.h',
+          'examples/configs/user_settings_openssl_compat.h',
+          'examples/configs/user_settings_pkcs7.h',
+          'examples/configs/user_settings_rsa_only.h',
+          'examples/configs/user_settings_template.h',
+          'examples/configs/user_settings_tls12.h',
+          'examples/configs/user_settings_tls13.h',
           'examples/configs/user_settings_wolfboot_keytools.h',
-          'examples/configs/user_settings_wolftpm.h',
           'examples/configs/user_settings_wolfssh.h',
-          'examples/configs/user_settings_tls12.h',
+          'examples/configs/user_settings_wolftpm.h',
+          # Not included (require special setup):
+          # - user_settings_pq.h: Requires --enable-experimental
+          # - user_settings_baremetal.h: Requires static memory, custom platform
         ]
     name: make user_setting.h (testwolfcrypt only)
     if: github.repository_owner == 'wolfssl'

.wolfssl_known_macro_extras

@@ -695,7 +695,6 @@ WOLFSSL_BIGINT_TYPES
 WOLFSSL_BIO_NO_FLOW_STATS
 WOLFSSL_BLAKE2B_INIT_EACH_FIELD
 WOLFSSL_BLAKE2S_INIT_EACH_FIELD
-WOLFSSL_BLIND_PRIVATE_KEY
 WOLFSSL_BYTESWAP32_ASM
 WOLFSSL_CAAM_BLACK_KEY_AESCCM
 WOLFSSL_CAAM_BLACK_KEY_SM
@@ -708,18 +707,15 @@ WOLFSSL_CLIENT_EXAMPLE
 WOLFSSL_CONTIKI
 WOLFSSL_CRL_ALLOW_MISSING_CDP
 WOLFSSL_DILITHIUM_ASSIGN_KEY
-WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM
 WOLFSSL_DILITHIUM_NO_ASN1
 WOLFSSL_DILITHIUM_NO_CHECK_KEY
-WOLFSSL_DILITHIUM_NO_LARGE_CODE
 WOLFSSL_DILITHIUM_NO_MAKE
 WOLFSSL_DILITHIUM_REVERSE_HASH_OID
 WOLFSSL_DILITHIUM_SIGN_CHECK_W0
 WOLFSSL_DILITHIUM_SIGN_CHECK_Y
 WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC
 WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A
 WOLFSSL_DILITHIUM_SMALL_MEM_POLY64
-WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM
 WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
 WOLFSSL_DTLS_DISALLOW_FUTURE
 WOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS
@@ -785,10 +781,7 @@ WOLFSSL_MAKE_SYSTEM_NAME_LINUX
 WOLFSSL_MAKE_SYSTEM_NAME_WSL
 WOLFSSL_MDK5
 WOLFSSL_MEM_FAIL_COUNT
-WOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM
 WOLFSSL_MLKEM_INVNTT_UNROLL
-WOLFSSL_MLKEM_MAKEKEY_SMALL_MEM
-WOLFSSL_MLKEM_NO_LARGE_CODE
 WOLFSSL_MLKEM_NO_MALLOC
 WOLFSSL_MLKEM_NTT_UNROLL
 WOLFSSL_MONT_RED_CT

examples/configs/README.md

@@ -4,17 +4,27 @@ Example wolfSSL configuration file templates for use when autoconf is not availa
 
 ## Files
 
-* `user_settings_template.h`: Template that allows modular algorithm and feature selection using `#if 0` logic.
+* `user_settings_template.h`: Template that allows modular algorithm and feature selection using `#if 0`/`#if 1` gates.
 * `user_settings_all.h`: This is wolfSSL with all features enabled. Equivalent to `./configure --enable-all`.
 * `user_settings_arduino.h`: An example Arduino file. See also [wolfSSL/Arduino-wolfSSL](https://github.com/wolfSSL/Arduino-wolfSSL).
-*.`user_settings_EBSnet.h`: Example configuration file for use with EBSnet ports.
+* `user_settings_EBSnet.h`: Example configuration file for use with EBSnet ports.
+* `user_settings_eccnonblock.h`: Example for non-blocking ECC crypto only. See comment at top for test results.
+* `user_settings_espressif.h`: Example configuration for Espressif ESP32. See also [wolfSSL/IDE/Espressif](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif).
 * `user_settings_fipsv2.h`: The FIPS v2 (3389) 140-2 certificate build options.
 * `user_settings_fipsv5.h`: The FIPS v5 (ready) 140-3 build options. Equivalent to `./configure --enable-fips=v5-dev`.
-* `user_settings_min_ecc.h`: This is ECC and SHA-256 only. For ECC verify only add `BUILD_VERIFY_ONLY`.
-* `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl)
+* `user_settings_min_ecc.h`: Minimal ECC and SHA-256 only (no TLS). For ECC verify only add `NO_ECC_SIGN`.
+* `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl).
 * `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack.
-* `user_settings_tls12`: Example for TLS v1.2 client only, ECC only, AES GCM only, SHA2-256 only.
-* `user_settings_wolfboot_keytools.h`: This from wolfBoot tools/keytools and is ECC, RSA, ED25519 and ChaCha20.
+* `user_settings_tls12.h`: Example for TLS v1.2 client only, ECC only, AES-GCM only, SHA2-256 only.
+* `user_settings_tls13.h`: TLS 1.3 only configuration (no TLS 1.2). Modern cipher suites with X25519/X448 key exchange.
+* `user_settings_dtls13.h`: DTLS 1.3 for IoT and embedded. Includes connection ID support and smaller MTU options.
+* `user_settings_pq.h`: Post-quantum TLS with ML-KEM (Kyber) key exchange and ML-DSA (Dilithium) certificates.
+* `user_settings_openssl_compat.h`: OpenSSL compatibility layer for drop-in replacement. Enables OPENSSL_ALL and related APIs.
+* `user_settings_baremetal.h`: Bare metal configuration. No filesystem, static memory only, minimal footprint.
+* `user_settings_rsa_only.h`: RSA-only configuration (no ECC). For legacy systems requiring RSA cipher suites.
+* `user_settings_pkcs7.h`: PKCS#7/CMS configuration for signing and encryption. S/MIME, firmware signing.
+* `user_settings_ca.h`: Certificate Authority / PKI operations. Certificate generation, signing, CRL, OCSP.
+* `user_settings_wolfboot_keytools.h`: wolfBoot key generation and signing tool. Supports ECC, RSA, ED25519, ED448, and post-quantum (ML-DSA/Dilithium, LMS, XMSS).
 * `user_settings_wolfssh.h`: Minimum options for building wolfSSH. See comment at top for ./configure used to generate.
 * `user_settings_wolftpm.h`: Minimum options for building wolfTPM. See comment at top for ./configure used to generate.
 

examples/configs/include.am

@@ -4,16 +4,24 @@
 EXTRA_DIST += examples/configs/README.md
 EXTRA_DIST += examples/configs/user_settings_all.h
 EXTRA_DIST += examples/configs/user_settings_arduino.h
+EXTRA_DIST += examples/configs/user_settings_baremetal.h
+EXTRA_DIST += examples/configs/user_settings_ca.h
+EXTRA_DIST += examples/configs/user_settings_dtls13.h
 EXTRA_DIST += examples/configs/user_settings_EBSnet.h
 EXTRA_DIST += examples/configs/user_settings_eccnonblock.h
 EXTRA_DIST += examples/configs/user_settings_espressif.h
 EXTRA_DIST += examples/configs/user_settings_fipsv2.h
 EXTRA_DIST += examples/configs/user_settings_fipsv5.h
 EXTRA_DIST += examples/configs/user_settings_min_ecc.h
+EXTRA_DIST += examples/configs/user_settings_openssl_compat.h
+EXTRA_DIST += examples/configs/user_settings_pkcs7.h
 EXTRA_DIST += examples/configs/user_settings_platformio.h
+EXTRA_DIST += examples/configs/user_settings_pq.h
+EXTRA_DIST += examples/configs/user_settings_rsa_only.h
 EXTRA_DIST += examples/configs/user_settings_stm32.h
 EXTRA_DIST += examples/configs/user_settings_template.h
 EXTRA_DIST += examples/configs/user_settings_tls12.h
+EXTRA_DIST += examples/configs/user_settings_tls13.h
 EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h
 EXTRA_DIST += examples/configs/user_settings_wolfssh.h
 EXTRA_DIST += examples/configs/user_settings_wolftpm.h

examples/configs/user_settings_EBSnet.h

@@ -47,6 +47,8 @@ extern "C" {
 #define NO_MD4
 #define NO_MD5
 #define NO_DES3
+#define NO_DES3_TLS_SUITES
+#define NO_OLD_TLS
 
 #ifdef __cplusplus
 }

examples/configs/user_settings_all.h

@@ -210,7 +210,6 @@ extern "C" {
 #define WOLFSSL_SHAKE256
 #define WOLFSSL_SHA3
 #define WOLFSSL_HASH_FLAGS /* enable hash flag API's */
-#define WOLFSSL_SHAKE256
 
 /* Additional Algorithms */
 #define HAVE_HASHDRBG

examples/configs/user_settings_baremetal.h

@@ -0,0 +1,231 @@
+/* user_settings_baremetal.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Bare metal configuration for systems without an OS.
+ * No filesystem, no malloc, static memory, minimal footprint.
+ * Suitable for deeply embedded systems and bootloaders.
+ *
+ * Build and test:
+ * cp ./examples/configs/user_settings_baremetal.h user_settings.h
+ * ./configure --enable-usersettings --disable-examples
+ * make
+ * ./wolfcrypt/test/testwolfcrypt
+ */
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* ------------------------------------------------- */
+/* Platform - Bare Metal */
+/* ------------------------------------------------- */
+#define SINGLE_THREADED
+#define NO_FILESYSTEM
+#define NO_WRITEV
+#define WOLFSSL_NO_SOCK
+#define WOLFSSL_IGNORE_FILE_WARN
+#define WOLFSSL_GENERAL_ALIGNMENT 4
+#define SIZEOF_LONG_LONG 8
+
+/* TLS transport requires setting IO callbacks */
+#define WOLFSSL_USER_IO
+
+/* ------------------------------------------------- */
+/* Memory */
+/* ------------------------------------------------- */
+#if 1 /* stack memory */
+
+#elif 1 /* small stack */
+    /* Small stack - allocate large variables from static pool */
+    #define WOLFSSL_SMALL_STACK
+#else /* static memory */
+    #define WOLFSSL_STATIC_MEMORY
+    #define WOLFSSL_NO_MALLOC
+    #define WOLFSSL_SP_NO_MALLOC
+    #define WOLFSSL_MALLOC_CHECK
+    #define NO_WOLFSSL_MEMORY
+#endif
+
+/* ------------------------------------------------- */
+/* Math - Single Precision (smallest) */
+/* ------------------------------------------------- */
+#define WOLFSSL_SP_MATH
+#define WOLFSSL_SP_SMALL
+#define TFM_TIMING_RESISTANT
+
+/* ------------------------------------------------- */
+/* TLS (optional - disable for crypto-only) */
+/* ------------------------------------------------- */
+#if 0 /* TLS support */
+    #define WOLFSSL_TLS13
+    #define WOLFSSL_NO_TLS12
+    #define NO_OLD_TLS
+    #define HAVE_TLS_EXTENSIONS
+    #define HAVE_SUPPORTED_CURVES
+    #define HAVE_HKDF
+#else
+    #define WOLFCRYPT_ONLY
+#endif
+
+/* ------------------------------------------------- */
+/* ECC (smallest asymmetric option) */
+/* ------------------------------------------------- */
+#if 1 /* ECC support */
+    #define HAVE_ECC
+    #define WOLFSSL_HAVE_SP_ECC
+
+    #define ECC_USER_CURVES    /* P-256 only */
+    #undef  NO_ECC256
+    #define ECC_TIMING_RESISTANT
+    /* Disable for smaller size */
+    #if 0 /* ECC Shamir (faster, more code) */
+        #define ECC_SHAMIR
+    #endif
+#endif
+
+/* ECC Feature Reduction */
+#if 0 /* Verify only (no signing/keygen) */
+    #define NO_ECC_SIGN
+    #define NO_ECC_DHE
+    #define NO_ECC_KEY_EXPORT
+#endif
+
+/* ------------------------------------------------- */
+/* RSA (disable for smallest size) */
+/* ------------------------------------------------- */
+#if 0 /* RSA support */
+    #undef NO_RSA
+    #define WOLFSSL_HAVE_SP_RSA
+    #define WC_RSA_BLINDING
+    #define RSA_LOW_MEM
+    #if 0 /* Verify only */
+        #define WOLFSSL_RSA_PUBLIC_ONLY
+        #define WOLFSSL_RSA_VERIFY_INLINE
+        #define NO_CHECK_PRIVATE_KEY
+    #endif
+#else
+    #define NO_RSA
+#endif
+
+/* ------------------------------------------------- */
+/* Symmetric Ciphers */
+/* ------------------------------------------------- */
+#if 1 /* AES */
+    #define HAVE_AESGCM
+    #define GCM_SMALL
+    #define WOLFSSL_AES_SMALL_TABLES
+    #define WOLFSSL_AES_NO_UNROLL
+    #define NO_AES_192
+    #define NO_AES_256
+    #if 0 /* AES-CBC */
+        #undef NO_AES_CBC
+    #else
+        #define NO_AES_CBC
+    #endif
+#else
+    #define NO_AES
+#endif
+
+#if 0 /* ChaCha20-Poly1305 */
+    #define HAVE_CHACHA
+    #define HAVE_POLY1305
+#endif
+
+/* ------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------- */
+/* SHA-256 only (required) */
+#define USE_SLOW_SHA256
+
+#if 0 /* SHA-1 (legacy) */
+    #undef NO_SHA
+#else
+    #define NO_SHA
+#endif
+
+/* ------------------------------------------------- */
+/* RNG */
+/* ------------------------------------------------- */
+#if 1 /* Hash-based DRBG */
+    #define HAVE_HASHDRBG
+#else
+    /* Use hardware RNG directly */
+    #define WC_NO_HASHDRBG
+    extern int my_rng_gen_block(unsigned char* output, unsigned int sz);
+    #define CUSTOM_RAND_GENERATE_BLOCK my_rng_gen_block
+#endif
+
+/* ------------------------------------------------- */
+/* ASN / Certificates */
+/* ------------------------------------------------- */
+#define WOLFSSL_ASN_TEMPLATE
+
+#if 0 /* Disable certificates for smallest size */
+    #define NO_ASN
+    #define NO_CERTS
+    #define NO_CODING
+#endif
+
+/* ------------------------------------------------- */
+/* Disabled Algorithms */
+/* ------------------------------------------------- */
+#define NO_DH
+#define NO_DSA
+#define NO_RC4
+#define NO_MD4
+#define NO_MD5
+#define NO_DES3
+#define NO_DES3_TLS_SUITES
+#define NO_PSK
+#define NO_PWDBASED
+#define NO_PKCS8
+#define NO_PKCS12
+
+/* ------------------------------------------------- */
+/* Disabled Features */
+/* ------------------------------------------------- */
+#define NO_SIG_WRAPPER
+#define NO_SESSION_CACHE
+#define NO_ERROR_STRINGS
+#define NO_OLD_RNGNAME
+#define NO_WOLFSSL_DIR
+#define BENCH_EMBEDDED
+
+/* ------------------------------------------------- */
+/* Custom Time (bare metal has no RTC typically) */
+/* ------------------------------------------------- */
+#if 1 /* Custom time function */
+    #define NO_ASN_TIME
+    /* Or provide custom time:
+     * #define USER_TIME
+     * extern unsigned long my_time(unsigned long* timer);
+     * #define XTIME my_time
+     */
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFSSL_USER_SETTINGS_H */