wolfSSL
diff --git a/‎.github/workflows/os-check.yml‎
Lines changed: 10 additions & 1 deletion b/‎.github/workflows/os-check.yml‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎examples/configs/README.md‎
Lines changed: 8 additions & 0 deletions b/‎examples/configs/README.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎examples/configs/include.am‎
Lines changed: 8 additions & 0 deletions b/‎examples/configs/include.am‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎examples/configs/user_settings_baremetal.h‎
Lines changed: 231 additions & 0 deletions b/‎examples/configs/user_settings_baremetal.h‎
Lines changed: 231 additions & 0 deletions
@@ -111,15 +111,24 @@ jobs:
       matrix:
         os: [ ubuntu-24.04, macos-latest ]
         user-settings: [
-          # Add new user_settings.h here
+          # Add new user_settings.h here (alphabetical order)
+          'examples/configs/user_settings_ca.h',
+          'examples/configs/user_settings_dtls13.h',
           'examples/configs/user_settings_EBSnet.h',
           'examples/configs/user_settings_eccnonblock.h',
           'examples/configs/user_settings_min_ecc.h',
+          'examples/configs/user_settings_openssl_compat.h',
+          'examples/configs/user_settings_pkcs7.h',
+          'examples/configs/user_settings_rsa_only.h',
           'examples/configs/user_settings_template.h',
           'examples/configs/user_settings_tls12.h',
+          'examples/configs/user_settings_tls13.h',
           'examples/configs/user_settings_wolfboot_keytools.h',
           'examples/configs/user_settings_wolfssh.h',
           'examples/configs/user_settings_wolftpm.h',
+          # Not included (require special setup):
+          # - user_settings_pq.h: Requires --enable-experimental
+          # - user_settings_baremetal.h: Requires static memory, custom platform
         ]
     name: make user_setting.h (testwolfcrypt only)
     if: github.repository_owner == 'wolfssl'
 
@@ -16,6 +16,14 @@ Example wolfSSL configuration file templates for use when autoconf is not availa
 * `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl).
 * `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack.
 * `user_settings_tls12.h`: Example for TLS v1.2 client only, ECC only, AES-GCM only, SHA2-256 only.
+* `user_settings_tls13.h`: TLS 1.3 only configuration (no TLS 1.2). Modern cipher suites with X25519/X448 key exchange.
+* `user_settings_dtls13.h`: DTLS 1.3 for IoT and embedded. Includes connection ID support and smaller MTU options.
+* `user_settings_pq.h`: Post-quantum TLS with ML-KEM (Kyber) key exchange and ML-DSA (Dilithium) certificates.
+* `user_settings_openssl_compat.h`: OpenSSL compatibility layer for drop-in replacement. Enables OPENSSL_ALL and related APIs.
+* `user_settings_baremetal.h`: Bare metal configuration. No filesystem, static memory only, minimal footprint.
+* `user_settings_rsa_only.h`: RSA-only configuration (no ECC). For legacy systems requiring RSA cipher suites.
+* `user_settings_pkcs7.h`: PKCS#7/CMS configuration for signing and encryption. S/MIME, firmware signing.
+* `user_settings_ca.h`: Certificate Authority / PKI operations. Certificate generation, signing, CRL, OCSP.
 * `user_settings_wolfboot_keytools.h`: wolfBoot key generation and signing tool. Supports ECC, RSA, ED25519, ED448, and post-quantum (ML-DSA/Dilithium, LMS, XMSS).
 * `user_settings_wolfssh.h`: Minimum options for building wolfSSH. See comment at top for ./configure used to generate.
 * `user_settings_wolftpm.h`: Minimum options for building wolfTPM. See comment at top for ./configure used to generate.
 
@@ -4,16 +4,24 @@
 EXTRA_DIST += examples/configs/README.md
 EXTRA_DIST += examples/configs/user_settings_all.h
 EXTRA_DIST += examples/configs/user_settings_arduino.h
+EXTRA_DIST += examples/configs/user_settings_baremetal.h
+EXTRA_DIST += examples/configs/user_settings_ca.h
+EXTRA_DIST += examples/configs/user_settings_dtls13.h
 EXTRA_DIST += examples/configs/user_settings_EBSnet.h
 EXTRA_DIST += examples/configs/user_settings_eccnonblock.h
 EXTRA_DIST += examples/configs/user_settings_espressif.h
 EXTRA_DIST += examples/configs/user_settings_fipsv2.h
 EXTRA_DIST += examples/configs/user_settings_fipsv5.h
 EXTRA_DIST += examples/configs/user_settings_min_ecc.h
+EXTRA_DIST += examples/configs/user_settings_openssl_compat.h
+EXTRA_DIST += examples/configs/user_settings_pkcs7.h
 EXTRA_DIST += examples/configs/user_settings_platformio.h
+EXTRA_DIST += examples/configs/user_settings_pq.h
+EXTRA_DIST += examples/configs/user_settings_rsa_only.h
 EXTRA_DIST += examples/configs/user_settings_stm32.h
 EXTRA_DIST += examples/configs/user_settings_template.h
 EXTRA_DIST += examples/configs/user_settings_tls12.h
+EXTRA_DIST += examples/configs/user_settings_tls13.h
 EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h
 EXTRA_DIST += examples/configs/user_settings_wolfssh.h
 EXTRA_DIST += examples/configs/user_settings_wolftpm.h
@@ -0,0 +1,231 @@
+/* user_settings_baremetal.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Bare metal configuration for systems without an OS.
+ * No filesystem, no malloc (static memory), minimal footprint.
+ * Suitable for deeply embedded systems and bootloaders.
+ *
+ * Build and test:
+ * cp ./examples/configs/user_settings_baremetal.h user_settings.h
+ * ./configure --enable-usersettings --disable-examples
+ * make
+ * ./wolfcrypt/test/testwolfcrypt
+ */
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* ------------------------------------------------- */
+/* Platform - Bare Metal */
+/* ------------------------------------------------- */
+#define SINGLE_THREADED
+#define NO_FILESYSTEM
+#define NO_WRITEV
+#define WOLFSSL_NO_SOCK
+#define WOLFSSL_IGNORE_FILE_WARN
+#define WOLFSSL_GENERAL_ALIGNMENT 4
+#define SIZEOF_LONG_LONG 8
+
+/* TLS transport requires setting IO callbacks */
+#define WOLFSSL_USER_IO
+
+/* ------------------------------------------------- */
+/* Memory */
+/* ------------------------------------------------- */
+#if 1 /* stack memory */
+
+#elif 1 /* small stack */
+    /* Small stack - allocate large variables from static pool */
+    #define WOLFSSL_SMALL_STACK
+#else /* static memory */
+    #define WOLFSSL_STATIC_MEMORY
+    #define WOLFSSL_NO_MALLOC
+    #define WOLFSSL_SP_NO_MALLOC
+    #define WOLFSSL_MALLOC_CHECK
+    #define NO_WOLFSSL_MEMORY
+#endif
+
+/* ------------------------------------------------- */
+/* Math - Single Precision (smallest) */
+/* ------------------------------------------------- */
+#define WOLFSSL_SP_MATH
+#define WOLFSSL_SP_SMALL
+#define TFM_TIMING_RESISTANT
+
+/* ------------------------------------------------- */
+/* TLS (optional - disable for crypto-only) */
+/* ------------------------------------------------- */
+#if 0 /* TLS support */
+    #define WOLFSSL_TLS13
+    #define WOLFSSL_NO_TLS12
+    #define NO_OLD_TLS
+    #define HAVE_TLS_EXTENSIONS
+    #define HAVE_SUPPORTED_CURVES
+    #define HAVE_HKDF
+#else
+    #define WOLFCRYPT_ONLY
+#endif
+
+/* ------------------------------------------------- */
+/* ECC (smallest asymmetric option) */
+/* ------------------------------------------------- */
+#if 1 /* ECC support */
+    #define HAVE_ECC
+    #define WOLFSSL_HAVE_SP_ECC
+
+    #define ECC_USER_CURVES    /* P-256 only */
+    #undef  NO_ECC256
+    #define ECC_TIMING_RESISTANT
+    /* Disable for smaller size */
+    #if 0 /* ECC Shamir (faster, more code) */
+        #define ECC_SHAMIR
+    #endif
+#endif
+
+/* ECC Feature Reduction */
+#if 0 /* Verify only (no signing/keygen) */
+    #define NO_ECC_SIGN
+    #define NO_ECC_DHE
+    #define NO_ECC_KEY_EXPORT
+#endif
+
+/* ------------------------------------------------- */
+/* RSA (disable for smallest size) */
+/* ------------------------------------------------- */
+#if 0 /* RSA support */
+    #undef NO_RSA
+    #define WOLFSSL_HAVE_SP_RSA
+    #define WC_RSA_BLINDING
+    #define RSA_LOW_MEM
+    #if 0 /* Verify only */
+        #define WOLFSSL_RSA_PUBLIC_ONLY
+        #define WOLFSSL_RSA_VERIFY_INLINE
+        #define NO_CHECK_PRIVATE_KEY
+    #endif
+#else
+    #define NO_RSA
+#endif
+
+/* ------------------------------------------------- */
+/* Symmetric Ciphers */
+/* ------------------------------------------------- */
+#if 1 /* AES */
+    #define HAVE_AESGCM
+    #define GCM_SMALL
+    #define WOLFSSL_AES_SMALL_TABLES
+    #define WOLFSSL_AES_NO_UNROLL
+    #define NO_AES_192
+    #define NO_AES_256
+    #if 0 /* AES-CBC */
+        #undef NO_AES_CBC
+    #else
+        #define NO_AES_CBC
+    #endif
+#else
+    #define NO_AES
+#endif
+
+#if 0 /* ChaCha20-Poly1305 */
+    #define HAVE_CHACHA
+    #define HAVE_POLY1305
+#endif
+
+/* ------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------- */
+/* SHA-256 only (required) */
+#define USE_SLOW_SHA256
+
+#if 0 /* SHA-1 (legacy) */
+    #undef NO_SHA
+#else
+    #define NO_SHA
+#endif
+
+/* ------------------------------------------------- */
+/* RNG */
+/* ------------------------------------------------- */
+#if 1 /* Hash-based DRBG */
+    #define HAVE_HASHDRBG
+#else
+    /* Use hardware RNG directly */
+    #define WC_NO_HASHDRBG
+    extern int my_rng_gen_block(unsigned char* output, unsigned int sz);
+    #define CUSTOM_RAND_GENERATE_BLOCK my_rng_gen_block
+#endif
+
+/* ------------------------------------------------- */
+/* ASN / Certificates */
+/* ------------------------------------------------- */
+#define WOLFSSL_ASN_TEMPLATE
+
+#if 0 /* Disable certificates for smallest size */
+    #define NO_ASN
+    #define NO_CERTS
+    #define NO_CODING
+#endif
+
+/* ------------------------------------------------- */
+/* Disabled Algorithms */
+/* ------------------------------------------------- */
+#define NO_DH
+#define NO_DSA
+#define NO_RC4
+#define NO_MD4
+#define NO_MD5
+#define NO_DES3
+#define NO_DES3_TLS_SUITES
+#define NO_PSK
+#define NO_PWDBASED
+#define NO_PKCS8
+#define NO_PKCS12
+
+/* ------------------------------------------------- */
+/* Disabled Features */
+/* ------------------------------------------------- */
+#define NO_SIG_WRAPPER
+#define NO_SESSION_CACHE
+#define NO_ERROR_STRINGS
+#define NO_OLD_RNGNAME
+#define NO_WOLFSSL_DIR
+#define BENCH_EMBEDDED
+
+/* ------------------------------------------------- */
+/* Custom Time (bare metal has no RTC typically) */
+/* ------------------------------------------------- */
+#if 1 /* Custom time function */
+    #define NO_ASN_TIME
+    /* Or provide custom time:
+     * #define USER_TIME
+     * extern unsigned long my_time(unsigned long* timer);
+     * #define XTIME my_time
+     */
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFSSL_USER_SETTINGS_H */