Improve user_settings.h examples and add validation rules

  - Standardize header guards to WOLFSSL_USER_SETTINGS_H across all files
  - Add #if 0/1 gates with labels for easy feature toggling
  - Fix bugs: typos in eccnonblock (WOLFSL_SHA*), duplicates in fipsv5/all
  - Add NO_DES3_TLS_SUITES alongside NO_DES3 where needed
  - Update wolfboot_keytools with upstream PQ algorithms (ML-DSA, LMS, XMSS)
  - Add settings.h validation rules with descriptive error messages
  - Auto-define NO_DES3_TLS_SUITES when NO_DES3 is set (instead of error)
  - Update README.md and add missing files to CI tests

Author: dgarske

.github/workflows/os-check.yml

@@ -112,12 +112,14 @@ jobs:
         os: [ ubuntu-24.04, macos-latest ]
         user-settings: [
           # Add new user_settings.h here
+          'examples/configs/user_settings_EBSnet.h',
           'examples/configs/user_settings_eccnonblock.h',
           'examples/configs/user_settings_min_ecc.h',
+          'examples/configs/user_settings_template.h',
+          'examples/configs/user_settings_tls12.h',
           'examples/configs/user_settings_wolfboot_keytools.h',
-          'examples/configs/user_settings_wolftpm.h',
           'examples/configs/user_settings_wolfssh.h',
-          'examples/configs/user_settings_tls12.h',
+          'examples/configs/user_settings_wolftpm.h',
         ]
     name: make user_setting.h (testwolfcrypt only)
     if: github.repository_owner == 'wolfssl'

examples/configs/README.md

@@ -4,17 +4,19 @@ Example wolfSSL configuration file templates for use when autoconf is not availa
 
 ## Files
 
-* `user_settings_template.h`: Template that allows modular algorithm and feature selection using `#if 0` logic.
+* `user_settings_template.h`: Template that allows modular algorithm and feature selection using `#if 0`/`#if 1` gates.
 * `user_settings_all.h`: This is wolfSSL with all features enabled. Equivalent to `./configure --enable-all`.
 * `user_settings_arduino.h`: An example Arduino file. See also [wolfSSL/Arduino-wolfSSL](https://github.com/wolfSSL/Arduino-wolfSSL).
-*.`user_settings_EBSnet.h`: Example configuration file for use with EBSnet ports.
+* `user_settings_EBSnet.h`: Example configuration file for use with EBSnet ports.
+* `user_settings_eccnonblock.h`: Example for non-blocking ECC crypto only. See comment at top for test results.
+* `user_settings_espressif.h`: Example configuration for Espressif ESP32. See also [wolfSSL/IDE/Espressif](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif).
 * `user_settings_fipsv2.h`: The FIPS v2 (3389) 140-2 certificate build options.
 * `user_settings_fipsv5.h`: The FIPS v5 (ready) 140-3 build options. Equivalent to `./configure --enable-fips=v5-dev`.
-* `user_settings_min_ecc.h`: This is ECC and SHA-256 only. For ECC verify only add `BUILD_VERIFY_ONLY`.
-* `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl)
+* `user_settings_min_ecc.h`: Minimal ECC and SHA-256 only (no TLS). For ECC verify only add `NO_ECC_SIGN`.
+* `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl).
 * `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack.
-* `user_settings_tls12`: Example for TLS v1.2 client only, ECC only, AES GCM only, SHA2-256 only.
-* `user_settings_wolfboot_keytools.h`: This from wolfBoot tools/keytools and is ECC, RSA, ED25519 and ChaCha20.
+* `user_settings_tls12.h`: Example for TLS v1.2 client only, ECC only, AES-GCM only, SHA2-256 only.
+* `user_settings_wolfboot_keytools.h`: wolfBoot key generation and signing tool. Supports ECC, RSA, ED25519, ED448, and post-quantum (ML-DSA/Dilithium, LMS, XMSS).
 * `user_settings_wolfssh.h`: Minimum options for building wolfSSH. See comment at top for ./configure used to generate.
 * `user_settings_wolftpm.h`: Minimum options for building wolfTPM. See comment at top for ./configure used to generate.
 

examples/configs/user_settings_EBSnet.h

@@ -47,6 +47,8 @@ extern "C" {
 #define NO_MD4
 #define NO_MD5
 #define NO_DES3
+#define NO_DES3_TLS_SUITES
+#define NO_OLD_TLS
 
 #ifdef __cplusplus
 }

examples/configs/user_settings_all.h

@@ -210,7 +210,6 @@ extern "C" {
 #define WOLFSSL_SHAKE256
 #define WOLFSSL_SHA3
 #define WOLFSSL_HASH_FLAGS /* enable hash flag API's */
-#define WOLFSSL_SHAKE256
 
 /* Additional Algorithms */
 #define HAVE_HASHDRBG

examples/configs/user_settings_eccnonblock.h

@@ -104,8 +104,8 @@ extern "C" {
 #define WOLFSSL_SP_MATH /* forces only single precision */
 
 /* Hashing */
-#define WOLFSL_SHA512
-#define WOLFSL_SHA384
+#define WOLFSSL_SHA512
+#define WOLFSSL_SHA384
 #undef NO_SHA256
 
 /* Debugging */

examples/configs/user_settings_fipsv2.h

@@ -112,4 +112,4 @@ extern "C" {
 }
 #endif
 
-#endif /* WOLFSSL_OPTIONS_H */
+#endif /* WOLFSSL_USER_SETTINGS_H */

examples/configs/user_settings_fipsv5.h

@@ -130,7 +130,6 @@ extern "C" {
 #define WOLFSSL_AES_COUNTER
 #define HAVE_AESCCM
 #define HAVE_AES_ECB
-#define WOLFSSL_AES_COUNTER
 #define WOLFSSL_AES_DIRECT
 #define WOLFSSL_AES_OFB
 #define HAVE_AESGCM
@@ -147,7 +146,6 @@ extern "C" {
 #define WOLFSSL_SHA224
 #define WOLFSSL_SHA512
 #define WOLFSSL_SHA384
-#define WOLFSSL_NO_SHAKE256
 #define WOLFSSL_NOSHA512_224
 #define WOLFSSL_NOSHA512_256
 #define WOLFSSL_SHA3
@@ -162,6 +160,7 @@ extern "C" {
 #define NO_MD4
 #define NO_MD5
 #define NO_DES3
+#define NO_DES3_TLS_SUITES
 #define NO_DSA
 #define NO_RABBIT
 #define NO_HC128

examples/configs/user_settings_min_ecc.h

@@ -19,63 +19,94 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-/* should be renamed to user_settings.h for customer use
- * generated from configure options:
+/* Minimal ECC and SHA-256 only (no TLS, no RSA, no AES)
+ *
+ * Derived from:
  * ./configure \
-    --enable-cryptonly --enable-ecc --enable-sp \
-    --disable-rsa --disable-dh --disable-sha3 --disable-sha224 --disable-md5 \
-    --disable-sha --disable-pkcs12 --disable-memory \
-    --disable-chacha --disable-poly1305 --disable-sha512 --disable-sha384 \
-    --disable-aesgcm --disable-aescbc --disable-aes --disable-rng \
-    CFLAGS="-DNO_SIG_WRAPPER -DWOLFSSL_PUBLIC_MP -DECC_USER_CURVES \
-        -DNO_ECC_SIGN -DNO_ECC_DHE -DNO_ECC_KEY_EXPORT"
+ *   --enable-cryptonly --enable-ecc --enable-sp \
+ *   --disable-rsa --disable-dh --disable-sha3 \
+ *   --disable-sha224 --disable-md5 \
+ *   --disable-sha --disable-pkcs12 --disable-memory \
+ *   --disable-chacha --disable-poly1305 \
+ *   --disable-sha512 --disable-sha384 \
+ *   --disable-aesgcm --disable-aescbc \
+ *   --disable-aes --disable-rng \
+ *   CFLAGS="-DNO_SIG_WRAPPER -DWOLFSSL_PUBLIC_MP \
+ *       -DECC_USER_CURVES"
  *
- * Cleaned up by David Garske
+ * Build and test:
+ * cp ./examples/configs/user_settings_min_ecc.h \
+ *     user_settings.h
+ * ./configure --enable-usersettings --disable-examples
+ * make
+ * ./wolfcrypt/test/testwolfcrypt
  */
 
 
 #ifndef WOLFSSL_USER_SETTINGS_H
 #define WOLFSSL_USER_SETTINGS_H
 
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-/* WolfCrypt Only (no TLS) */
-#define WOLFCRYPT_ONLY
+/* ------------------------------------------------- */
+/* Platform */
+/* ------------------------------------------------- */
+#define WOLFCRYPT_ONLY /* No TLS, wolfCrypt only */
 
 /* Endianness - defaults to little endian */
 #ifdef __BIG_ENDIAN__
     #define BIG_ENDIAN_ORDER
 #endif
 
-/* Expose the math mp_ API's */
-#define WOLFSSL_PUBLIC_MP
+#define WOLFSSL_PUBLIC_MP /* Expose mp_ math API's */
 
-/* Use single precision math only */
+/* ------------------------------------------------- */
+/* Math */
+/* ------------------------------------------------- */
 #define WOLFSSL_SP
 #define WOLFSSL_SP_SMALL
 #define WOLFSSL_SP_MATH
 #define WOLFSSL_HAVE_SP_ECC
 
-/* Enable Timing Resistance */
+/* ------------------------------------------------- */
+/* Timing Resistance */
+/* ------------------------------------------------- */
 #define TFM_TIMING_RESISTANT
 #define ECC_TIMING_RESISTANT
 
-/* Enable ECC */
+/* ------------------------------------------------- */
+/* ECC */
+/* ------------------------------------------------- */
 #define HAVE_ECC
-#define ECC_USER_CURVES /* Only 256-Bit Curves */
-//#define ECC_SHAMIR
+#define ECC_USER_CURVES /* Only P-256 by default */
+#if 0 /* ECC Shamir - faster but more code/memory */
+    #define ECC_SHAMIR
+#endif
 
-/* Optional Feature Disables */
-#define NO_SIG_WRAPPER
-//#define NO_ECC_KEY_EXPORT
-//#define NO_ECC_DHE
-//#define NO_ECC_SIGN
-//#define NO_ECC_VERIFY
+/* ECC Feature Options */
+#if 0 /* Disable ECC key export */
+    #define NO_ECC_KEY_EXPORT
+#endif
+#if 0 /* Disable ECDHE key agreement */
+    #define NO_ECC_DHE
+#endif
+#if 0 /* Disable ECC sign */
+    #define NO_ECC_SIGN
+#endif
+#if 0 /* Disable ECC verify */
+    #define NO_ECC_VERIFY
+#endif
+
+/* ------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------- */
+/* SHA-256 enabled by default */
 
-/* Disable Algorithms */
+/* ------------------------------------------------- */
+/* Disabled Algorithms */
+/* ------------------------------------------------- */
 #define NO_AES
 #define NO_AES_CBC
 #define NO_DES3
@@ -89,17 +120,30 @@ extern "C" {
 #define NO_PWDBASED
 #define NO_PKCS12
 #define NO_PKCS8
-//#define WC_NO_RNG
+#define NO_SIG_WRAPPER
 
-/* Disable Features */
-//#define NO_ASN
-//#define NO_CERTS
+/* ------------------------------------------------- */
+/* Disabled Features */
+/* ------------------------------------------------- */
 #define NO_WOLFSSL_MEMORY
 #define WOLFSSL_NO_PEM
-//#define NO_CODING
 #define NO_PSK
-#ifndef DEBUG_WOLFSSL
+#if 0 /* Disable ASN.1 / certificates */
+    #define NO_ASN
+    #define NO_CERTS
+    #define NO_CODING
+#endif
+#if 0 /* Disable RNG (ECC verify only) */
+    #define WC_NO_RNG
+#endif
+
+/* ------------------------------------------------- */
+/* Debugging */
+/* ------------------------------------------------- */
+#if 0 /* Enable debug logging */
     #define DEBUG_WOLFSSL
+#endif
+#if 1 /* Disable error strings to save flash */
     #define NO_ERROR_STRINGS
 #endif