From 126dcb98933e86247feb57004b073925f53f20e2 Mon Sep 17 00:00:00 2001 
From: gojimmypi Date: Wed, 24 Sep 2025 21:00:26 -0700 Subject: [PATCH] Update Espressif Examples --- .wolfssl_known_macro_extras | 39 + .../ESP-IDF/examples/template/CMakeLists.txt | 55 +- .../ESP-IDF/examples/template/Makefile | 153 +++- .../components/wolfssl/CMakeLists.txt | 197 +++-- .../template/components/wolfssl/Kconfig | 408 +++++++-- .../wolfssl/include/user_settings.h | 813 +++++++++++++++--- .../components/wolfssl/ld/region_peek.ld | 9 + .../examples/template/main/CMakeLists.txt | 6 +- .../ESP-IDF/examples/template/main/main.c | 141 ++- .../examples/template/sdkconfig.defaults | 59 +- .../template/sdkconfig.defaults.esp32c2 | 37 + .../template/sdkconfig.defaults.esp8266 | 41 + .../examples/wolfssl_benchmark/CMakeLists.txt | 55 +- .../examples/wolfssl_benchmark/Makefile | 153 +++- .../examples/wolfssl_benchmark/README.md | 8 +- .../components/wolfssl/CMakeLists.txt | 197 +++-- .../components/wolfssl/Kconfig | 408 +++++++-- .../wolfssl/include/user_settings.h | 809 ++++++++++++++--- .../components/wolfssl/ld/region_peek.ld | 9 + .../wolfssl_benchmark/main/CMakeLists.txt | 6 +- .../wolfssl_benchmark/main/Kconfig.projbuild | 2 +- .../examples/wolfssl_benchmark/main/main.c | 56 +- .../wolfssl_benchmark/sdkconfig.defaults | 33 +- .../sdkconfig.defaults.esp32c2 | 37 + .../sdkconfig.defaults.esp8266 | 39 + .../examples/wolfssl_client/CMakeLists.txt | 55 +- .../ESP-IDF/examples/wolfssl_client/Makefile | 34 +- .../components/wolfssl/CMakeLists.txt | 197 +++-- .../wolfssl_client/components/wolfssl/Kconfig | 408 +++++++-- .../wolfssl/include/user_settings.h | 813 +++++++++++++++--- .../components/wolfssl/ld/region_peek.ld | 9 + .../wolfssl_client/main/CMakeLists.txt | 8 +- .../examples/wolfssl_client/main/client-tls.c | 323 +++++-- .../wolfssl_client/main/include/client-tls.h | 18 - .../wolfssl_client/main/include/time_helper.h | 55 -- .../main/include/wifi_connect.h | 139 --- .../examples/wolfssl_client/main/main.c | 182 +++- .../wolfssl_client/main/time_helper.c | 
400 --------- .../wolfssl_client/main/wifi_connect.c | 404 --------- .../wolfssl_client/sdkconfig.defaults | 57 +- .../wolfssl_client/sdkconfig.defaults.esp32c2 | 30 + .../wolfssl_client/sdkconfig.defaults.esp8266 | 41 + .../wolfssl_client_ESP8266.vgdbproj | 11 +- .../examples/wolfssl_server/CMakeLists.txt | 55 +- .../ESP-IDF/examples/wolfssl_server/Makefile | 185 +++- .../components/wolfssl/CMakeLists.txt | 197 +++-- .../wolfssl_server/components/wolfssl/Kconfig | 408 +++++++-- .../wolfssl/include/user_settings.h | 813 +++++++++++++++--- .../components/wolfssl/ld/region_peek.ld | 9 + .../wolfssl_server/main/CMakeLists.txt | 8 +- .../wolfssl_server/main/include/server-tls.h | 5 +- .../wolfssl_server/main/include/time_helper.h | 56 -- .../main/include/wifi_connect.h | 145 ---- .../examples/wolfssl_server/main/main.c | 224 +++-- .../examples/wolfssl_server/main/server-tls.c | 538 ++++++++---- .../wolfssl_server/main/time_helper.c | 381 -------- .../wolfssl_server/main/wifi_connect.c | 403 --------- .../wolfssl_server/sdkconfig.defaults | 57 +- .../wolfssl_server/sdkconfig.defaults.esp32c2 | 30 + .../wolfssl_server/sdkconfig.defaults.esp8266 | 41 + .../wolfssl_server_ESP8266.vgdbproj | 11 +- .../examples/wolfssl_test/CMakeLists.txt | 55 +- .../ESP-IDF/examples/wolfssl_test/Makefile | 153 +++- .../components/wolfssl/CMakeLists.txt | 197 +++-- .../wolfssl_test/components/wolfssl/Kconfig | 408 +++++++-- .../wolfssl/include/user_settings.h | 809 ++++++++++++++--- .../components/wolfssl/ld/region_peek.ld | 9 + .../examples/wolfssl_test/main/CMakeLists.txt | 6 +- .../ESP-IDF/examples/wolfssl_test/main/main.c | 19 +- .../examples/wolfssl_test/sdkconfig.defaults | 29 + .../wolfssl_test/sdkconfig.defaults.esp32c2 | 37 + .../wolfssl_test/sdkconfig.defaults.esp32c6 | 2 +- .../wolfssl_test/sdkconfig.defaults.esp8266 | 39 + .../wolfssl_test_ESP8266.vgdbproj | 4 +- IDE/Espressif/include.am | 16 +- wolfssl/wolfcrypt/hash.h | 1 + 76 files changed, 8463 insertions(+), 3841 
deletions(-)
 create mode 100644 IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/ld/region_peek.ld
 create mode 100644 IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults.esp32c2
 create mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/ld/region_peek.ld
 create mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults.esp32c2
 create mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/ld/region_peek.ld
 delete mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/time_helper.h
 delete mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/wifi_connect.h
 delete mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/time_helper.c
 delete mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/wifi_connect.c
 create mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/ld/region_peek.ld
 delete mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/time_helper.h
 delete mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/wifi_connect.h
 delete mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/time_helper.c
 delete mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/wifi_connect.c
 create mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/ld/region_peek.ld
 create mode 100644 IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp32c2
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index 11c6b5d4b2..61bf45acdf 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -89,12 +89,17 @@ CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_160
 CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240
 CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_80
 CONFIG_ESP_ENABLE_WOLFSSH
+CONFIG_ESP_LATEST_MITIGATIONS
 CONFIG_ESP_MAIN_TASK_STACK_SIZE
 CONFIG_ESP_TLS_USING_WOLFSSL
 CONFIG_ESP_WIFI_PASSWORD
 CONFIG_ESP_WIFI_SSID
+CONFIG_ESP_WOLFSSL_BIG_SESSION_CACHE
 CONFIG_ESP_WOLFSSL_ENABLE_KYBER
 CONFIG_ESP_WOLFSSL_ENABLE_WOLFSSH
+CONFIG_ESP_WOLFSSL_MEDIUM_SESSION_CACHE
+CONFIG_ESP_WOLFSSL_MICRO_SESSION_CACHE
+CONFIG_ESP_WOLFSSL_MULTI_THREAD
 CONFIG_ESP_WOLFSSL_NO_ESP32_CRYPT
 CONFIG_ESP_WOLFSSL_NO_HW_AES
 CONFIG_ESP_WOLFSSL_NO_HW_HASH
@@ -103,6 +108,18 @@ CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD
 CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_MP_MUL
 CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD
 CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING
+CONFIG_ESP_WOLFSSL_RSA_LOW_MEM
+CONFIG_ESP_WOLFSSL_SHA224
+CONFIG_ESP_WOLFSSL_SHA384
+CONFIG_ESP_WOLFSSL_SMALL_SESSION_CACHE
+CONFIG_ESP_WOLFSSL_SP_MATH
+CONFIG_ESP_WOLFSSL_STATIC_MEMORY
+CONFIG_ESP_WOLFSSL_TCP_REUSE
+CONFIG_ESP_WOLFSSL_TITAN_SESSION_CACHE
+CONFIG_ESP_WOLFSSL_USE_ECC
+CONFIG_ESP_WOLFSSL_USE_FAST_MATH
+CONFIG_ESP_WOLFSSL_USE_INTEGER_HEAP_MATH
+CONFIG_ESP_WOLFSSL_USE_RSA
 CONFIG_FREERTOS_HZ
 CONFIG_FREERTOS_UNICORE
 CONFIG_IDF_TARGET
@@ -111,8 +128,12 @@ CONFIG_IDF_TARGET_ARCH_XTENSA
 CONFIG_IDF_TARGET_ESP32
 CONFIG_IDF_TARGET_ESP32C2
 CONFIG_IDF_TARGET_ESP32C3
+CONFIG_IDF_TARGET_ESP32C5
 CONFIG_IDF_TARGET_ESP32C6
+CONFIG_IDF_TARGET_ESP32C61
 CONFIG_IDF_TARGET_ESP32H2
+CONFIG_IDF_TARGET_ESP32H21
+CONFIG_IDF_TARGET_ESP32H4
 CONFIG_IDF_TARGET_ESP32P4
 CONFIG_IDF_TARGET_ESP32S2
 CONFIG_IDF_TARGET_ESP32S3
@@ -145,6 +166,7 @@ CONFIG_WOLFCRYPT_ARMASM
 CONFIG_WOLFCRYPT_FIPS
 CONFIG_WOLFCRYPT_INTELASM
 CONFIG_WOLFSSL
+CONFIG_WOLFSSL_ALLOW_TLS12
 CONFIG_WOLFSSL_ALLOW_TLS13
 CONFIG_WOLFSSL_ALPN
 CONFIG_WOLFSSL_ALT_CERT_CHAINS
@@ -164,7 +186,9 @@ CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFMQTT_AWS_IOT_MQTT
 CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFMQTT_TEMPLATE
 CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
 CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE
+CONFIG_WOLFSSL_EXAMPLE_VERBOSITY
 CONFIG_WOLFSSL_HKDF
+CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13
 CONFIG_WOLFSSL_MAX_FRAGMENT_LEN
 CONFIG_WOLFSSL_NO_ASN_STRICT
 CONFIG_WOLFSSL_PSK
@@ -174,6 +198,11 @@ CONFIG_WOLFSSL_TARGET_PORT
 CONFIG_WOLFSSL_TLS13_ENABLED
 CONFIG_WOLFSSL_TLS_VERSION_1_2
 CONFIG_WOLFSSL_TLS_VERSION_1_3
+CONFIG_WOLFSSL_USE_CERT_BUFFERS_1024
+CONFIG_WOLFSSL_USE_CERT_BUFFERS_2048
+CONFIG_WOLFSSL_USE_CERT_BUFFERS_256
+CONFIG_WOLFSSL_USE_CERT_BUFFERS_NONE
+CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM
 CONFIG_WOLFTPM
 CONFIG_WOLFTPM_EXAMPLE_NAME_ESPRESSIF
 CONFIG_X86
@@ -212,11 +241,17 @@ ENABLE_SECURE_SOCKETS_LOGS
 ESP32
 ESP8266
 ESP_ENABLE_WOLFSSH
+ESP_ERR_NVS_NEW_VERSION_FOUND
+ESP_ERR_NVS_NO_FREE_PAGES
 ESP_IDF_VERSION
 ESP_IDF_VERSION_MAJOR
 ESP_IDF_VERSION_MINOR
 ESP_PLATFORM
+ESP_SDK_UTIL_LIB_VERSION
 ESP_TASK_MAIN_STACK
+ESP_WOLFSSL_DISABLE_DH
+ESP_WOLFSSL_DISABLE_ECC
+ESP_WOLFSSL_USE_SM
 ETHERNET_AVAILABLE
 ETHERNET_H
 EV_TRIGGER
@@ -277,11 +312,13 @@ HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK
 HAVE_POCO_LIB
 HAVE_RTP_SYS
 HAVE_SECURE_GETENV
+HAVE_STACK_HEAP_INFO
 HAVE_STACK_SIZE_VERBOSE_LOG
 HAVE_THREADX
 HAVE_TM_TYPE
 HAVE_VALIDATE_DATE
 HAVE_VA_COPY
+HAVE_WOLFCRYPT_WARMUP
 HAVE_X448
 HONOR_MATH_USED_LENGTH
 HSM_KEY_TYPE_HMAC_224
@@ -453,6 +490,7 @@ PEER_INFO
 PKA_ECC_SCALAR_MUL_IN_B_COEFF
 PLATFORMIO
 PLUTON_CRYPTO_ECC
+POSIX_LINUX
 PRINT_SESSION_STATS
 PTHREAD_STACK_MIN
 QAT_ENABLE_HASH
@@ -1080,6 +1118,7 @@ byte
 configTICK_RATE_HZ
 fallthrough
 noinline
+sizeof_server_ecc_cert
 ssize_t
 sun
 versal
diff --git a/IDE/Espressif/ESP-IDF/examples/template/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/template/CMakeLists.txt
index feacf8c429..84c9c510e8 100644
--- a/IDE/Espressif/ESP-IDF/examples/template/CMakeLists.txt
+++ b/IDE/Espressif/ESP-IDF/examples/template/CMakeLists.txt
@@ -1,11 +1,35 @@ # wolfSSL Espressif Example Project CMakeLists.txt -# v1.3 +# v5.8.2.001 # # The following lines of boilerplate have to be in your project's # CMakeLists in this exact order for cmake to work correctly message(STATUS "Begin project ${CMAKE_PROJECT_NAME}") cmake_minimum_required(VERSION 3.16) +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") + +# Optionally set flag for using a private include. See wolfcrypt/port/Espressif/esp-sdk-lib.h +if( "$ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}" STREQUAL "1" ) + message(STATUS "Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variable") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") +else() + message(STATUS "CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.") +endif() + +# Different ESP-IDF versions have different lock files. +# Not starting fresh has unintuitive results. +# So force a fresh dependencies.lock by deleting the current one: +file(REMOVE "./dependencies.lock") + +# Force custom partition table regardless of IDE presets +set(PARTITION_TABLE_CUSTOM ON CACHE BOOL "" FORCE) +set(PARTITION_TABLE_FILENAME "${CMAKE_SOURCE_DIR}/partitions_singleapp_large.csv" CACHE STRING "" FORCE) + +if("${IDF_TARGET}" STREQUAL "linux") + set(COMPONENTS main) +endif() # For the main project using ESP-IDF version 6 or greater. # Numerous "dangerous relocation: call8: call target out of range: memcpy" errors encountered @@ -34,6 +58,7 @@ endif() # # Optional WOLFSSL_CMAKE_SYSTEM_NAME detection to find # USE_MY_PRIVATE_CONFIG path for my_private_config.h +# See: wolfcrypt/port/Espressif/esp-sdk-lib.h # # Expected path varies: # 
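Review bot: `file(REMOVE "./dependencies.lock")` in the first hunk runs on every configure, so whatever managed-component versions the lock file had pinned are re-resolved each time; the build is no longer reproducible and silently picks up newer component releases, which is a supply-chain concern rather than just an inconvenience. The comment gives the motivation (lock files differ between ESP-IDF versions), so rather than deleting unconditionally, gate the removal on an explicit opt-in (an environment variable in the style of `CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG` just above, name to be chosen) and emit `message(WARNING "Removing dependencies.lock; managed component versions will be re-resolved")` when it fires. A relative path in `file(REMOVE)` is resolved against the current source directory, so `"${CMAKE_SOURCE_DIR}/dependencies.lock"` states the intent explicitly. `set(PARTITION_TABLE_FILENAME ... FORCE)` presumably expects `partitions_singleapp_large.csv` to exist in every project that copies this template; an `if(NOT EXISTS ...)` check with a clear message would make that failure easier to diagnose.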
@@ -41,6 +66,8 @@ endif() # Linux: ~/workspace # Windows: C:\workspace # + + if(WIN32) # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WINDOWS") @@ -49,9 +76,6 @@ endif() if(CMAKE_HOST_UNIX) message(STATUS "Detected UNIX") endif() -if(APPLE) - message(STATUS "Detected APPLE") -endif() if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop") # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL") @@ -63,7 +87,7 @@ if(CMAKE_HOST_UNIX AND (NOT APPLE) AND (NOT WIN32)) message(STATUS "Detected Linux") endif() if(APPLE) - # Windows-specific configuration here + # Apple-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_APPLE") message(STATUS "Detected Apple") endif() 
@@ -157,6 +181,27 @@ endif() include($ENV{IDF_PATH}/tools/cmake/project.cmake) +message(STATUS "Checking Project CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}") +# Optionally force syntax highlighting fix in Visual Studio 2022 for ESP-IDF v6 +# See https://sysprogs.com/w/forums/topic/espressif-esp-idf-v6-0-intellisense-error-invalid-value-gnu2b-in-stdgnu2b/ +# To resolve, enter the text in VisualGDB Project Properties - Intellisense Settings Tab, "Additional flags for C files": +# -std=gnu17 +# And set here: +if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" ) + set(PREFERRED_DIALECT "gnu17") + if(DEFINED IDF_VERSION_MAJOR AND IDF_VERSION_MAJOR GREATER_EQUAL 6) + message(STATUS "-- Found CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX, replacing -std=gnu2b with -std=${PREFERRED_DIALECT}") + if(CMAKE_C_COMPILER_ID MATCHES "Clang") + string(REPLACE "-std=gnu2b" "-std=${PREFERRED_DIALECT}" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + endif() + else() + message(STATUS "-- Visual Studio Intellisense Fix not needed for this ESP-IDF version=${IDF_VERSION_MAJOR}") + endif() +else() + message(STATUS "-- Not replacing -std=gnu2b with -std=${PREFERRED_DIALECT} for Viosual Studio Intellisense fix") + message(STATUS "-- To enable, define environment variable: CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=1") +endif() + # Once the project is loaded, next check for ESP-IDF version 6 or greater. # Numerous "dangerous relocation: call8: call target out of range: memcpy" errors encountered # So we'll allow long calls with the `-mlongcalls` compiler option for all components. diff --git a/IDE/Espressif/ESP-IDF/examples/template/Makefile b/IDE/Espressif/ESP-IDF/examples/template/Makefile index e2b2e18e18..ee6c41beb5 100644 --- a/IDE/Espressif/ESP-IDF/examples/template/Makefile +++ b/IDE/Espressif/ESP-IDF/examples/template/Makefile 
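Review bot: `${PREFERRED_DIALECT}` is only set inside the `if(... STREQUAL "1")` branch, so the `else()` message prints `-std=` with an empty dialect; move `set(PREFERRED_DIALECT "gnu17")` above the `if(` so both branches name the flag, and fix the typo `Viosual Studio` in that message. The same pattern is duplicated in the component CMakeLists hunk `@@ -896,6 +927,25 @@` with the same unset-variable problem; there the generator expression renders as `$<$:-std=${PREFERRED_DIALECT}>`, which, unless that is an extraction artifact, is missing its condition and should read `$<$<COMPILE_LANGUAGE:C>:-std=${PREFERRED_DIALECT}>`. This project-level copy only rewrites the flag when `CMAKE_C_COMPILER_ID` matches Clang; a one-line comment stating that GCC builds are intentionally left untouched would save the next reader the question.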
@@ -1,7 +1,36 @@ +# ESP8266 Project Makefile for wolfssl_client # -# This is a project Makefile. It is assumed the directory this Makefile resides in is a -# project subdirectory. +# Copyright (C) 2006-2025 wolfSSL Inc. # +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA +# + +PROJECT_NAME := wolfssl_template +$(info ************* wolfssl_template *************) + +# ------------- BEGIN COMMON SECTION ------------- + +ifeq ($(strip $(IDF_PATH)),) + $(error IDF_PATH is not set. Please export it before running make) +endif + +# Default compiler flags +CFLAGS ?= +CXXFLAGS ?= CFLAGS += -DWOLFSSL_USER_SETTINGS 
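Review bot: The new header comment reads `# ESP8266 Project Makefile for wolfssl_client`, but this is the template example and the same hunk sets `PROJECT_NAME := wolfssl_template`, so the comment is a copy-paste leftover; change it to `# ESP8266 Project Makefile for wolfssl_template`. The `$(error IDF_PATH is not set ...)` guard is a useful addition; the `$(info ************* wolfssl_template *************)` banner would be the natural place to also print `$(IDF_PATH)` so a wrong export is visible in the build log.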
@@ -9,6 +38,124 @@ CFLAGS += -DWOLFSSL_USER_SETTINGS # There's an espressif NO_WATCHDOG; we don't use it, as it is reset by sdkconfig. CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 -PROJECT_NAME := wolfssl_template +# Check if CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG is set to 1 in environment +ifeq ($(CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG),1) + $(info Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variablev for Makefile) + CFLAGS += -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1 + CXXFLAGS += -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1 +else + $(info CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.) +endif + +# +# This is a project Makefile. +# It is assumed the directory this Makefile resides in is a +# project subdirectory containing an entire project. +# +# Optional private config headers. Define environment variables +# to include various default header files that are typically +# not in a git path, and thus excluded from being checked in. +# +# Environment Variable Name | Header file name included +# ---------------------------------- | --------------------------------------- +# MY_PRIVATE_CONFIG (files detected / selected in header) +# USE_MY_PRIVATE_WSL_CONFIG /mnt/c/workspace/my_private_config.h +# USE_MY_PRIVATE_MAC_CONFIG ~/Documents/my_private_config.h +# USE_MY_PRIVATE_LINUX_CONFIG ~/workspace/my_private_config.h +# USE_MY_PRIVATE_WINDOWS_CONFIG /workspace/my_private_config.h +# +# + +# Optionally include component source when print path (needs work to then properly build) +# +# include components/wolfssl/component.mk + +MY_PRIVATE_CONFIG ?= n +USE_MY_PRIVATE_WSL_CONFIG ?= n +USE_MY_PRIVATE_MAC_CONFIG ?= n +USE_MY_PRIVATE_LINUX_CONFIG ?= n +USE_MY_PRIVATE_WINDOWS_CONFIG ?= n + +# Calling shell causes unintuitive error in Windows: +# OS := $(shell uname -s) +# +# But OS, or MY_PRIVATE_CONFIG should already be defined: + +ifeq ($(MY_PRIVATE_CONFIG),y) + CFLAGS += -DMY_PRIVATE_CONFIG + $(info Enabled MY_PRIVATE_CONFIG") +endif + +# Check 
for Windows environment variable: USE_MY_PRIVATE_WINDOWS_CONFIG +ifeq ($(USE_MY_PRIVATE_WINDOWS_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := /workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_WINDOWS_CONFIG + $(info Using private config file for: Windows) + endif +endif + +# Check for WSL environment variable: USE_MY_PRIVATE_WSL_CONFIG +ifeq ($(USE_MY_PRIVATE_WSL_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := /mnt/c/workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_WSL_CONFIG + $(info Using private config file for: WSL) + endif +endif + +# Check for Linux environment variable: USE_MY_PRIVATE_LINUX_CONFIG +ifeq ($(USE_MY_PRIVATE_LINUX_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := ~/workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_LINUX_CONFIG + $(info Using private config file for: Linux) + endif +endif + +# Check for Mac environment variable: USE_MY_PRIVATE_MAC_CONFIG +ifeq ($(USE_MY_PRIVATE_MAC_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. 
+ MY_CONFIG_FILE := ~/Documents/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_MAC_CONFIG + $(info Using private config file for: Mac) + endif +endif + +ifneq ($(OS),MY_PRIVATE_CONFIG) + CFLAGS += -DMY_PRIVATE_CONFIG="$(MY_PRIVATE_CONFIG)" +else + ifeq ($(OS),Linux) + CFLAGS += -DOS_LINUX + endif + ifeq ($(OS),Windows_NT) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_WINDOWS + endif + ifeq ($(OS),Darwin) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_APPLE + endif + ifneq (,$(findstring MINGW,$(OS))) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_MINGW + endif + ifneq (,$(findstring CYGWIN,$(OS))) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_CYGWIN + endif +endif + +# if there isn't the directory, please disable the line below. +EXTRA_COMPONENT_DIRS = $(IDF_PATH)/examples/common_components/protocol_examples_common +# The Standard Espressif IDF include: include $(IDF_PATH)/make/project.mk diff --git a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/CMakeLists.txt index a266a9c1c2..a131f06973 100644 --- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/CMakeLists.txt @@ -19,7 +19,7 @@ # # cmake for wolfssl Espressif projects # -# Version 5.8.0 Espressif ESP-IDF + PlatformIO integration (2) +# Version 5.8.2 Espressif ESP-IDF + PlatformIO integration (1) # # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html # 
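Review bot: `ifneq ($(OS),MY_PRIVATE_CONFIG)` compares the host OS name against the literal text `MY_PRIVATE_CONFIG`, which is never equal, so the first branch always runs and adds `-DMY_PRIVATE_CONFIG="$(MY_PRIVATE_CONFIG)"` (the value `n` by default) while the `WOLFSSL_MAKE_SYSTEM_NAME_*` detection in the `else` is unreachable; any `#ifdef MY_PRIVATE_CONFIG` in the headers would then see the macro defined even when the feature is off. The earlier `ifeq ($(MY_PRIVATE_CONFIG),y)` block already defines `MY_PRIVATE_CONFIG`, so presumably the OS-name blocks were meant to run unconditionally; dropping the `ifneq`/`else`/matching `endif` and keeping the `ifeq ($(OS),...)` and `findstring` blocks at top level would do that. Two smaller slips in the same hunk: `$(info Enabled MY_PRIVATE_CONFIG")` has a stray closing quote, and `environment variablev` is a typo. The Windows comment in the table says `/workspace/my_private_config.h` while the corresponding `MY_CONFIG_FILE` a few lines later uses the same path, so those agree, but a note that the four hard-coded paths must match the header file (as the inline comments say) belongs in the table header as well.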
@@ -27,9 +27,18 @@ message(STATUS "Begin wolfssl ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") cmake_minimum_required(VERSION 3.16) # The scope of this CMAKE_C_FLAGS is just this component: -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") +message(STATUS "Peek CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG = $ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}") +if( "$ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}" STREQUAL "1" ) + message(STATUS "Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variable") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") +else() + message(STATUS "CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.") +endif() + set(CMAKE_CURRENT_SOURCE_DIR ".") # Optionally set your source to wolfSSL in your project CMakeLists.txt like this: @@ -48,6 +57,7 @@ set(THIS_ESP_TLS "") # LIBWOLFSSL_CMAKE_OUTPUT can be printed at runtime set(LIBWOLFSSL_CMAKE_OUTPUT "") +set(git_cmd "git") if(CMAKE_BUILD_EARLY_EXPANSION) message(STATUS "Skipping libwolfssl_output.h update during CMAKE_BUILD_EARLY_EXPANSION") @@ -66,6 +76,19 @@ else() "#define _LIBWOLFSSL_OUTPUT_H_\n\n") endif() +# CMakeLists.txt (project or component) +# Known RISC-V families in ESP-IDF: esp32c2, esp32c3, esp32c6, esp32h2, esp32p4 +set(_riscv_targets esp32c2 esp32c3 esp32c6 esp32h2 esp32p4) + +list(FIND _riscv_targets "${IDF_TARGET}" _idx) +if(_idx GREATER -1) + set(IS_RISCV TRUE) +else() + set(IS_RISCV FALSE) +endif() + +message(STATUS "IDF target: ${IDF_TARGET} (RISC-V: ${IS_RISCV})") + # Append messages with: # LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n"message" "0") # See function: APPEND_LIBWOLFSSL_CMAKE_OUTPUT 
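Review bot: `set(_riscv_targets esp32c2 esp32c3 esp32c6 esp32h2 esp32p4)` leaves `IS_RISCV` FALSE for esp32c5, esp32c61, esp32h21 and esp32h4, even though this same commit adds their `CONFIG_IDF_TARGET_*` macros to `.wolfssl_known_macro_extras`; all four are RISC-V parts, so the list and the "Known RISC-V families" comment above it should read `set(_riscv_targets esp32c2 esp32c3 esp32c5 esp32c6 esp32c61 esp32h2 esp32h21 esp32h4 esp32p4)`. Nothing in the visible hunks consumes `IS_RISCV` yet, so the impact of the omission depends on later uses not shown here. Separately, `set(git_cmd "git")` is added here while the unchanged `set (git_cmd "git")` inside the `if(... IS_GIT_REPO STREQUAL "true")` block in the later `@@ -1154,50 +1203,72 @@` hunk remains; if the new early assignment is what makes the `rev-parse --is-inside-work-tree` call work, a comment saying so would explain why it moved, and the inner one can go.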
@@ -73,8 +96,7 @@ endif() # function: IS_ESP_IDF_COMPONENT # output: RESULT = 1 (true) if this component is located in the ESP-IDF components # otherwise 0 (false) -function( IS_ESP_IDF_COMPONENT - RESULT) +function( IS_ESP_IDF_COMPONENT RESULT ) # NOTE: Component location is based on the location of the CMakeList.txt # and *not* the location of the wolfSSL source code. (which may be anywhere) 
@@ -110,60 +132,60 @@ function ( LIBWOLFSSL_SAVE_INFO VAR_OUTPUT THIS_VAR VAR_RESULT ) # if we had a successful operation, save the THIS_VAR in VAR_OUTPUT if(${IS_VALID_VALUE}) - if(0) - # Optional debug - message(STATUS "Looking for LF in ${THIS_VAR}") - endif() + if(0) + # Optional debug + message(STATUS "Looking for LF in ${THIS_VAR}") + endif() - # Check if the text to print in THIS_VAR is multi-line - string(REPLACE "\n" ";" LINES "${THIS_VAR}") - list(LENGTH LINES LINE_COUNT) - - # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def - if(LINE_COUNT GREATER 1) - message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") - add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") - - # Split into lines - string(REPLACE "\n" ";" LINES "${THIS_VAR}") - foreach(LINE IN LISTS LINES) - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") - endforeach() + # Check if the text to print in THIS_VAR is multi-line + string(REPLACE "\r" "" THIS_VAR "${THIS_VAR}") + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + list(LENGTH LINES LINE_COUNT) - # Final empty line to close the macro - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") + # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def + if(LINE_COUNT GREATER 1) + message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") + add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") - message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") - target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") - else() - message(STATUS "No 
HAS_LIBWOLFSSL_OUTPUT_HEADER") - # We should not have any, but just to be sure: - # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE - string(REPLACE "\n" "" VAR_VALUE "${THIS_VAR}") + # Split into lines + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + foreach(LINE IN LISTS LINES) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") + endforeach() + + # Final empty line to close the macro + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") - # we'll could percolate the value to the parent for possible later use - # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) + message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") + target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") + else() # 1 or zero lines in THIS_VAR + message(STATUS "Result line count=${LINE_COUNT}; Not setting HAS_LIBWOLFSSL_OUTPUT_HEADER") + # We should not have any, but just to be sure: + # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE + string(REPLACE "\n" "" THIS_VAR "${THIS_VAR}") + string(REPLACE "\r" "" VAR_VALUE "${THIS_VAR}") - # but we're only using it here in this function - set(${VAR_OUTPUT} ${VAR_VALUE}) + # we could percolate the value to the parent for possible later use + # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) - # we'll print what we found to the console - message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + # but we're only using it here in this function + set(${VAR_OUTPUT} ${VAR_VALUE}) - # the interesting part is defining the VAR_OUTPUT name a value to use in the app - add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") + # we'll print what we found to the console + message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + + # the interesting part is defining the VAR_OUTPUT name a value to use in the app + add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") endif() - else() + else() # !IS_VALID_VALUE # if we get here, check the execute_process command and parameters. 
- message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") + message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT=${VAR_RESULT} for THIS_VAR=${THIS_VAR}") set(${VAR_OUTPUT} "Unknown") - endif() - - -endfunction() # LIBWOLFSSL_SAVE_INFO + endif() # IS_VALID_VALUE +endfunction()# LIBWOLFSSL_SAVE_INFO # # APPEND_LIBWOLFSSL_CMAKE_OUTPUT(THIS_MESSAGE OUTPUT_VALUE) @@ -558,7 +580,7 @@ if(CMAKE_BUILD_EARLY_EXPANSION) "${THIS_INCLUDE_TIMER}" "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark ) - + # Do not set compile options during early expansion else() # not CMAKE_BUILD_EARLY_EXPANSION message(STATUS "************************************************************************************************") @@ -596,6 +618,15 @@ else() if(WOLFSSL_ROOT) message(STATUS "Confirmed wolfssl directory at: ${WOLFSSL_ROOT}") + # Once WOLFSSL_ROOT has been determined, see if there's a Espressif.cmake file to include + + set(WOLFSSL_ROOT_ESPRESSIF_CMAKE "${WOLFSSL_ROOT}/cmake/modules/Espressif.cmake") + if( EXISTS "${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + message(STATUS "Found WOLFSSL_ROOT_ESPRESSIF_CMAKE: ${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + include("${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + else() + message(STATUS "Not found WOLFSSL_ROOT_ESPRESSIF_CMAKE: ${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + endif() else() # Try to allow a more intuitive error that the source code was not found in cmake: set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_WARNING_SOURCE_NOT_FOUND") 
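Review bot: In the re-indented single-line branch, `add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\")` and, in the multi-line branch, `file(APPEND ... "\"${LINE}\\n\" \\\n")` still emit the value without escaping, so a `"` or `\` in what the caller passed produces a malformed macro and a hard-to-read compile error. The callers in the later `@@ -1154,50 +1203,72 @@` hunk feed this function raw git output such as `git config --get remote.origin.url`, which can carry a `user:token@` userinfo part that would then, per the comment there, be compiled into the image for ShowExtendedSystemInfo() as LIBWOLFSSL_VERSION_GIT_ORIGIN; escaping here and stripping any userinfo at that call site would close both. Escaping is two lines before the `add_compile_definitions`: `string(REPLACE "\\" "\\\\" VAR_VALUE "${VAR_VALUE}")` and `string(REPLACE "\"" "\\\"" VAR_VALUE "${VAR_VALUE}")`, with the same applied to `LINE` inside the `foreach`. The function's signature `function ( LIBWOLFSSL_SAVE_INFO VAR_OUTPUT THIS_VAR VAR_RESULT )` and the `IS_VALID_VALUE` check lie above this hunk; stylistically, `endfunction()# LIBWOLFSSL_SAVE_INFO` wants a space before the comment.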
@@ -896,6 +927,25 @@ else() "${THIS_INCLUDE_TIMER}" "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark ) + + message(STATUS "Checking wolfSSL Component CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}") + # Optionally force syntax highlighting fix in Visual Studio 2022 for ESP-IDF v6 + # See https://sysprogs.com/w/forums/topic/espressif-esp-idf-v6-0-intellisense-error-invalid-value-gnu2b-in-stdgnu2b/ + # To resolve, enter the text in VisualGDB Project Properties - Intellisense Settings Tab, Additional flags for C files: + # -std=gnu17 + # And set here: + if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" ) + set(PREFERRED_DIALECT "gnu17") + if(DEFINED IDF_VERSION_MAJOR AND IDF_VERSION_MAJOR GREATER_EQUAL 6) + message(STATUS "-- Setting -std=${PREFERRED_DIALECT} with target_compile_options $<$:-std=${PREFERRED_DIALECT}>") + target_compile_options(${COMPONENT_LIB} PRIVATE $<$:-std=${PREFERRED_DIALECT}>) + else() + message(STATUS "-- Visual Studio Intellisense Fix not needed for this ESP-IDF version=${IDF_VERSION_MAJOR}") + endif() + else() + message(STATUS "-- Not setting -std=${PREFERRED_DIALECT} with target_compile_options for Visual Studio Intellisense Fix") + message(STATUS "-- To enable, define environment variable: CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=1") + endif() else() # Register the component simply to allow CMake to complete, but there's no wolfSSL source. # Expect many other errors, but the project should at least be loadable and UI can edit Kconfig settings. @@ -906,8 +956,7 @@ else() # function(WOLFSSL_INIT_CERT_BUNDLE) if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE AND NOT CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE - AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") - ) + AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") ) APPEND_LIBWOLFSSL_CMAKE_OUTPUT("wolfSSL Certificate Bundles Enabled") if (CMAKE_BUILD_EARLY_EXPANSION) 
@@ -1154,50 +1203,72 @@ if( EXISTS "${WOLFSSL_PROJECT_DIR}" AND EXISTS "$ENV{IDF_PATH}/components/wolfss endif() # end multiple component check - +message(STATUS "Checking for github with git_cmd='${git_cmd}' ...") execute_process( COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree" OUTPUT_VARIABLE IS_GIT_REPO OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET ) +message(STATUS "Checking for github result IS_GIT_REPO='${IS_GIT_REPO}'") # create some programmatic #define values that will be used by ShowExtendedSystemInfo(). # see wolfcrypt\src\port\Espressif\esp32_utl.c +message(STATUS "Checking for macro definitions:") if(NOT CMAKE_BUILD_EARLY_EXPANSION AND WOLFSSL_ROOT AND (IS_GIT_REPO STREQUAL "true")) set (git_cmd "git") message(STATUS "Adding macro definitions:") + # LIBWOLFSSL_VERSION_GIT_TAG: git config describe --tags --abbrev=0 + execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "describe" "--tags" "--abbrev=0" + OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") + LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_TAG "${TMP_OUT}" "${TMP_RES}") + # LIBWOLFSSL_VERSION_GIT_ORIGIN: git config --get remote.origin.url execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "config" "--get" "remote.origin.url" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_ORIGIN "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_BRANCH: git rev-parse --abbrev-ref HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--abbrev-ref" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_BRANCH "${TMP_OUT}" "${TMP_RES}") # 
LIBWOLFSSL_VERSION_GIT_HASH: git rev-parse HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_SHORT_HASH: git rev-parse --short HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--short" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_SHORT_HASH "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_HASH_DATE git show --no-patch --no-notes --pretty=\'\%cd\' execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "show" "--no-patch" "--no-notes" "--pretty=\'\%cd\'" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH_DATE "${TMP_OUT}" "${TMP_RES}") - LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT "${WOLFSSL_ROOT}" "${TMP_RES}") - +else() + message(STATUS "CMAKE_BUILD_EARLY_EXPANSION=${CMAKE_BUILD_EARLY_EXPANSION}; WOLFSSL_ROOT=${WOLFSSL_ROOT}; IS_GIT_REPO=${IS_GIT_REPO};") endif() +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT "${WOLFSSL_ROOT}" "0") +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_IDF_PATH "${THIS_IDF_PATH}" "0") + # Ensure flag "-DWOLFSSL_ESPIDF" is already in CMAKE_C_FLAGS if not yet found from project string(FIND "${CMAKE_C_FLAGS}" "-DWOLFSSL_ESPIDF" FLAG_ALRREADY_FOUND_WOLFSSL_ESPIDF) 
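Review bot: The values saved via `LIBWOLFSSL_SAVE_INFO` in this hunk are compiled into the firmware through the generated header (see the `libwolfssl_output.h` writes below), and two of them can leak build-host information: `remote.origin.url` may carry embedded credentials (`https://user:token@host/...`), and the new unconditional `LIBWOLFSSL_VERSION_WOLFSSL_ROOT`/`LIBWOLFSSL_VERSION_IDF_PATH` lines embed absolute paths, typically including the developer's user name. Before saving the origin, strip any userinfo, e.g. `string(REGEX REPLACE "://[^@/]+@" "://" TMP_OUT "${TMP_OUT}")`, and consider storing only the last path component of the two directories, with a comment noting the values are printed by ShowExtendedSystemInfo() on the device. Separately, `set (git_cmd "git")` is executed after `${git_cmd}` has already been used for the `rev-parse --is-inside-work-tree` call above it; unless git_cmd is set earlier outside this hunk, that first call runs with an empty command. The enclosing `if(... IS_GIT_REPO STREQUAL "true")` block starts on the previous page line.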
@@ -1246,6 +1317,26 @@ file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h"
 "\n"
 "#endif\n"
 )
+# Memory peek helper
+set(LINKER_REGION_PEEK "${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld")
+if( CMAKE_BUILD_EARLY_EXPANSION AND EXISTS "${LINKER_REGION_PEEK}")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK")
+
+ message(STATUS "Found linker region peek helper file: ${LINKER_REGION_PEEK}")
+ if (COMMAND target_linker_scripts)
+ message(STATUS "target_linker_scripts(${COMPONENT_LIB} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld)")
+ target_linker_scripts(${COMPONENT_LIB} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld)
+ else()
+ # Fallback if target_linker_scripts isn't available
+ message(STATUS "target_linker_scripts not available, using target_link_options")
+ target_link_options(${COMPONENT_LIB} INTERFACE -T${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld)
+ set_property(TARGET ${COMPONENT_LIB} APPEND PROPERTY LINK_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld)
+ endif()
+else()
+ message(STATUS "Found linker region peek helper NOT FOUND: ${LINKER_REGION_PEEK}")
+endif()
+
 message(STATUS "************************************************************************************************")
 message(STATUS "wolfSSL component config complete!")
 message(STATUS "************************************************************************************************")
diff --git a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig
index 22e4a0767d..e8524a8092 100644
--- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig
+++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig
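Review bot: The `set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK")` line in the memory-peek block is duplicated, so the define lands on the command line twice; drop the second copy. The branch condition `CMAKE_BUILD_EARLY_EXPANSION AND EXISTS ...` then calls `target_linker_scripts`/`target_link_options` on `${COMPONENT_LIB}` during early expansion, which the earlier hunk in this same file explicitly avoids ("Do not set compile options during early expansion"); unless the component target is guaranteed to exist at that point, the condition looks inverted and `NOT CMAKE_BUILD_EARLY_EXPANSION` was probably intended. As written, the `else()` also fires on the normal (non-early) pass even when the file exists, so the build log reports the contradictory "Found linker region peek helper NOT FOUND" for a file that is present; `message(STATUS "Linker region peek helper not found: ${LINKER_REGION_PEEK}")` plus a separate early-expansion branch would make the log truthful. A one-line comment on what `region_peek.ld` exposes and why a custom linker script is being injected into every example would also help reviewers assess it.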
@@ -19,8 +19,11 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA # -# Kconfig File Version 5.7.2.001 for esp-idf integration +# Kconfig File Version 5.8.2.001 for esp-idf integration +# See the VSCode extension: nRF Kconfig by Nordic Semiconductor: +# https://marketplace.visualstudio.com/items?itemName=nordic-semiconductor.nrf-kconfig +# # Kconfig Format Rules # # See: @@ -48,106 +51,242 @@ # python -m kconfcheck # # --------------------------------------------------------------------------------------------------------------------- +# See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL +# --------------------------------------------------------------------------------------------------------------------- +# +# Note linking to ESP-IDF component: +# +# 
From: esp-idf\[version]\components\esp-tls\Kconfig +# +# menu "ESP-TLS" +# choice ESP_TLS_LIBRARY_CHOOSE +# bool "wolfSSL (License info in wolfSSL directory README)" +# select TLS_STACK_WOLFSSL +# +# Selecting TLS_STACK_WOLFSSL in ESP-TLS will be linked to this Kconfig via the +# invisible local keyword by the same name in this Kconfig, below. +# +# See setting here, just above this item: menu "wolfSSL ESP-TLS" +# +# --------------------------------------------------------------------------------------------------------------------- # Begin main wolfSSL configuration menu # --------------------------------------------------------------------------------------------------------------------- # See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL -menu "wolfSSL" +menu "wolfSSL Embedded Cryptography, SSL/TLS; FIPS 140-3" + # Warning: help token not supported here << + config ESP_WOLFSSL_WOLFCRYPT_ONLY + bool "Use wolfcrypt only" + default n + help + Enable this option to use cryptographic libraries but disable things like TLS communication. Normally not set. Enables WOLFCRYPT_ONLY + # ----------------------------------------------------------------------------------------------------------------- - menu "Hardening" - config ESP_WOLFSSL_WC_NO_HARDEN - bool "Disable wolfSSL hardening" - default n + menu "wolfSSL Algorithm Settings" + config ESP_WOLFSSL_USE_ECC + bool "Enable ECC (Elliptic Curve Cryptography) in wolfSSL" + default y help - Sets WC_NO_HARDEN + Enables ECC algorithm - config ESP_WOLFSSL_TFM_TIMING_RESISTANT - bool "Enable TFM Timing Resistant Code" - default n + config ESP_WOLFSSL_USE_RSA + bool "Enable RSA (Rivest-Shamir-Adlemanl) in wolfSSL" + default y help - Sets TFM_TIMING_RESISTANT. 
+ Enables RSA algorithm - endmenu # Hardening + config ESP_WOLFSSL_USE_SM + bool "Enable SM (Shang Mi) in wolfSSL" + default n + help + Enabled SM Cipher Suite: Macros WOLFSSL_SM2, WOLFSSL_SM3, WOLFSSL_SM4 - config ESP_WOLFSSL_ENABLE_BENCHMARK - bool "Enable wolfSSL Benchmark Library" - default n - help - Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK. + config ESP_WOLFSSL_DISABLE_ECC + bool "Disable ECC in wolfSSL" + default n + help + Enabled by default, ECC is required if you want ECDHE key exchange (and/or ECDSA). + Select this option to disable ECC. + config ESP_WOLFSSL_DISABLE_DH + bool "Disable DH in wolfSSL" + default n + help + Enabled by default, DH is required if you want DHE/FFDHE groups. + Select this option to disable DH. - menu "Benchmark Debug" - config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING - bool "Enable benchmark timing debug" - depends on ESP_WOLFSSL_ENABLE_BENCHMARK + config ESP_WOLFSSL_SHA224 + bool "Enable SHA-224" default n help - Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc). + Enables SHA224 algorithm by defining macro: WOLFSSL_SHA224 - config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG - bool "Enable benchmark timer debug" - depends on ESP_WOLFSSL_ENABLE_BENCHMARK + config ESP_WOLFSSL_SHA384 + bool "Enable SHA-384" default n help - Turn on timer debugging (used when CPU cycles not available) + Enables SHA384 algorithm by defining macro: WOLFSSL_SHA384 - endmenu # Benchmark Debug + choice + prompt "Select math library to use" - # ----------------------------------------------------------------------------------------------------------------- - # wolfCrypt Test - # ----------------------------------------------------------------------------------------------------------------- - config ESP_WOLFSSL_ENABLE_TEST - bool "Enable wolfCrypt Test Library" - default n - help - Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST. 
+ config ESP_WOLFSSL_USE_FAST_MATH + bool "Use Fast Math (default)" + + config ESP_WOLFSSL_SP_MATH + bool "Use SP Math" + + config ESP_WOLFSSL_SP_MATH_ALL + bool "Use SP Math All" - menu "wolfCrypt tests" - config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS - bool "Enable wolfCrypt Test Options" - depends on ESP_WOLFSSL_ENABLE_TEST + config ESP_WOLFSSL_USE_INTEGER_HEAP_MATH + bool "Use Integer Heap Math" + + config ESP_WOLFSSL_SP_RISCV32 + bool "Use SP Match for RISC-V Devices" + endchoice + + menu "Hardening" + config ESP_WOLFSSL_WC_NO_HARDEN + bool "Disable wolfSSL hardening" + default n + help + Sets WC_NO_HARDEN + + config ESP_WOLFSSL_TFM_TIMING_RESISTANT + bool "Enable TFM Timing Resistant Code" + default n + help + Sets TFM_TIMING_RESISTANT. + + endmenu # Hardening + endmenu # wolfSSL Algorithm Settings + + menu "wolfSSL Application Specific Tuning" + config ESP_WOLFSSL_MULTI_THREAD + bool "Set wolfSSL SINGLE_THREAD mode" default n help - Enables HAVE_WOLFCRYPT_TEST_OPTIONS + Enable to use semaphores for multi-task applications. Requires a small about of additional long term RAM. + When not selected, defines wolfSSL SINGLE_THREADED macro. The ESP32 ESP-IDF uses FreeRTOS regardless of this setting. - config TEST_ESPIDF_ALL_WOLFSSL - bool "Enable all features to use in tests" - depends on ESP_WOLFSSL_ENABLE_TEST + config ESP_WOLFSSL_STATIC_MEMORY + bool "Set wolfSSL Static Memory mode" default n help - Enables TEST_ESPIDF_ALL_WOLFSSL - - endmenu # wolfCrypt tests + Enable to use experimental static memory, no malloc. May be problematic on devices with low RAM. + When disabled, sets WOLFSSL_SMALL_STACK. The DEBUG_WOLFSSL_MALLOC is also enabled by default to + show malloc failures which may occur on low RAM devices. 
- # ----------------------------------------------------------------------------------------------------------------- - # Apple HomeKit Options - # ----------------------------------------------------------------------------------------------------------------- - menu "Apple HomeKit" - config WOLFSSL_APPLE_HOMEKIT - bool "Enable Apple HomeKit options" + config ESP_WOLFSSL_RSA_LOW_MEM + bool "RSA Low Memory Mode" default n help - Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit. - endmenu # Apple HomeKit - # ----------------------------------------------------------------------------------------------------------------- + When enabled, use have as much memory, but RSA is twice as slow. - config ESP_WOLFSSL_DISABLE_MY_ECC - bool "Disable ECC in my project" - default "n" - help - ECC is enabled by default. Select this option to disable. + # ----------------------------------------------------------------------------------------------------------------- + # Apple HomeKit Options + # ----------------------------------------------------------------------------------------------------------------- + menu "Apple HomeKit" + config WOLFSSL_APPLE_HOMEKIT + bool "Enable Apple HomeKit options" + default n + help + Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit. + endmenu # Apple HomeKit + + # ----------------------------------------------------------------------------------------------------------------- + # wolfCrypt Benchmark + # ----------------------------------------------------------------------------------------------------------------- + menu "wolfCrypt Benchmark" + config ESP_WOLFSSL_ENABLE_BENCHMARK + bool "Enable wolfSSL Benchmark Library" + default n + help + Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK. 
- config ESP_WOLFSSL_ENABLE_MY_USE_RSA - bool "Enable RSA in my project" - default "n" - help - RSA is disabled by default. Select this option to enable. + config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING + bool "Enable benchmark timing debug" + depends on ESP_WOLFSSL_ENABLE_BENCHMARK + default n + help + Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc). + + config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG + bool "Enable benchmark timer debug" + depends on ESP_WOLFSSL_ENABLE_BENCHMARK + default n + help + Turn on timer debugging (used when CPU cycles not available) + endmenu # wolfCrypt Benchmark + + # ----------------------------------------------------------------------------------------------------------------- + # wolfCrypt Test + # ----------------------------------------------------------------------------------------------------------------- + menu "wolfCrypt Test" + config ESP_WOLFSSL_ENABLE_TEST + bool "Enable wolfCrypt Test Library" + default n + help + Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST. + + config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS + bool "Enable wolfCrypt Test Options" + depends on ESP_WOLFSSL_ENABLE_TEST + default n + help + Enables HAVE_WOLFCRYPT_TEST_OPTIONS + + config TEST_ESPIDF_ALL_WOLFSSL + bool "Enable all features to use in tests" + depends on ESP_WOLFSSL_ENABLE_TEST + default n + help + Enables TEST_ESPIDF_ALL_WOLFSSL + endmenu # wolfCrypt tests + + # ----------------------------------------------------------------------------------------------------------------- + # TLS Client/Server + # ----------------------------------------------------------------------------------------------------------------- + menu "TLS Client/Server" + choice WOLFSSL_USE_TLS_CERT_EXAMPLE + prompt "Use example certificates (see user_settings.h)" + default WOLFSSL_USE_CERT_BUFFERS_2048 + help + Select which bundled example certificate set to compile in. 
+ + config WOLFSSL_USE_CERT_BUFFERS_2048 + bool "Use 2048 bit RSA cert buffers example (default)" + help + Uses example cert buffers ca_cert_der_2048, client_cert_der_2048 etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_1024 + bool "Use 1024 bit RSA cert buffers" + help + Uses example cert buffers ca_cert_der_1024, client_cert_der_1024, etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_256 + bool "Use 256 bit ECC cert buffers" + help + Uses example cert buffers ca_ecc_cert_der_256, cliecc_cert_der_256, etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_SM + bool "Use SM (Shang Mi) cert buffers" + help + Use the SM (Shang Mi) Cipher Examples + Include header: wolfssl/certs_test_sm.h + + config WOLFSSL_USE_CERT_BUFFERS_NONE + bool "Do not use the default wolfSSL certificate examples" + help + Define your own macro values for the examples. + endchoice + endmenu # TLS Client/Server + endmenu # Application Specific - config ESP_WOLFSSL_BENCHMARK - bool "Enable wolfSSL Benchmark" - default n - help - Enables user settings relevant to benchmark code config ESP_TLS_USING_WOLFSSL_SPECIFIED bool "Use the specified wolfssl for ESP-TLS" @@ -170,7 +309,7 @@ menu "wolfSSL" disabling TFM fast math provides faster wolfSSL software algorithms in an even smaller flash memory footprint. - menu "Protocol Config" + menu "wolfSSL Protocol Config" config WOLFSSL_HAVE_ALPN bool "Enable ALPN (Application Layer Protocol Negotiation) in wolfSSL" default y 
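Review bot: The prompt for the new `ESP_WOLFSSL_MULTI_THREAD` option reads `"Set wolfSSL SINGLE_THREAD mode"` while its help and the template user_settings.h in this patch make "y" mean multi-thread (semaphores) and "n" mean SINGLE_THREADED, so the menu label says the opposite of what selecting it does; `bool "Enable wolfSSL multi-thread mode (semaphores)"` matches the behaviour. The hunk also introduces both `ESP_WOLFSSL_USE_ECC` (default y) and `ESP_WOLFSSL_DISABLE_ECC` (default n) in the same menu, and it is not stated which wins when a user sets both; one option, or a `depends on` between them, avoids a contradictory sdkconfig. Typos in prompts and help: "Rivest-Shamir-Adlemanl", "Use SP Match for RISC-V Devices", and "use have as much memory" (should be "half"), and the closing comment `endmenu # wolfCrypt tests` no longer matches its `menu "wolfCrypt Test"`.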
@@ -182,9 +321,16 @@ menu "wolfSSL" Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2. When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted. + config WOLFSSL_LOW_MEMORY_DISABLE_TLS13 + bool "Disable TLS 1.3 on known low-memory devices" + default n + help + Overrides other settings allowing TLS 1.3. Typically used for ESP8266 and ESP32C2 + devices with known memory limitations. + config WOLFSSL_ALLOW_TLS12 bool "Allow TLS 1.2" - default n + default y help Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2. When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted. 
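Review bot: `WOLFSSL_ALLOW_TLS12` flips from `default n` to `default y`, so every example now accepts a TLS 1.2 fallback unless the user opts out, but the help text is unchanged and does not say this is now the default or why. A sentence such as "Enabled by default so that devices that disable TLS 1.3 (see WOLFSSL_LOW_MEMORY_DISABLE_TLS13) can still connect; set to n to require TLS 1.3." would let users make the trade-off deliberately. The new `WOLFSSL_LOW_MEMORY_DISABLE_TLS13` help says it "overrides other settings" but does not name the macro it results in, which the other entries in this menu do.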
@@ -209,13 +355,63 @@ menu "wolfSSL" help Sets HAVE_OCSP + choice + prompt "Select session cache size" + default ESP_WOLFSSL_NO_SESSION_CACHE + + config ESP_WOLFSSL_NO_SESSION_CACHE + bool "No session cache is used" + help + No memory is reserved for session cache. + + config ESP_WOLFSSL_MICRO_SESSION_CACHE + bool "Micro Session Cache" + help + Uses less than 1K. Stored only 1 session for cache. + SessionCache takes about 400 bytes, ClientCache takes 576 bytes. + + config ESP_WOLFSSL_SMALL_SESSION_CACHE + bool "Small Session Cache" + help + Allows storing 6 sessions. + SessionCache takes about 2K, ClientCache takes about 3K bytes. + + config ESP_WOLFSSL_MEDIUM_SESSION_CACHE + bool "Medium Session Cache" + help + Allows for over 1,000 sessions. Consider using external memory. + + config ESP_WOLFSSL_BIG_SESSION_CACHE + bool "Big Session Cache" + help + Allows for over 20,000 sessions. Unrealistic for most ESP32 devices. + + config ESP_WOLFSSL_TITAN_SESSION_CACHE + bool "Tital Session Cache" + help + Allows for over 2 million sessions. Unrealistic for most ESP32 devices. + endchoice + + config ESP_WOLFSSL_TCP_REUSE + int "TCP Reuse" + default 0 + help + Set to 1 to allow socket reuse. + endmenu # Protocol Config # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- config TLS_STACK_WOLFSSL # Invisible option that locks TLS_STACK_WOLFSSL to ESP_TLS_USING_WOLFSSL - bool + # + # See setting in: esp-idf\[version]\components\esp-tls\Kconfig: + # + # config ESP_TLS_USING_WOLFSSL + # bool "wolfSSL (License info in wolfSSL directory README)" + # select TLS_STACK_WOLFSSL + # + bool # No prompt, invisible here. Set in ESP-TLS component default n select FREERTOS_ENABLE_BACKWARD_COMPATIBILITY help 
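Review bot: `ESP_WOLFSSL_TCP_REUSE` is declared `int "TCP Reuse"` with help "Set to 1 to allow socket reuse", i.e. it is really a boolean; `bool "Allow TCP socket reuse (SO_REUSEADDR)"` with `default n` prevents values other than 0/1 from being entered. In the session-cache choice, "Tital Session Cache" should be "Titan Session Cache". Per the template user_settings.h in this same patch, choosing `ESP_WOLFSSL_NO_SESSION_CACHE` (the default) also defines WOLFSSL_NO_TICKET, so the help for that entry should say session tickets are disabled as well, since that affects resumption behaviour users may expect.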
@@ -223,6 +419,7 @@ menu "wolfSSL" Enabled when wolfSSL is selected in ESP_TLS_LIBRARY_CHOOSE. menu "wolfSSL ESP-TLS" + # Enabled only when Component config - ESP-TLS - Choose SSL/TLS Library for ESP-TLS has wolfSSL selected: depends on ESP_TLS_USING_WOLFSSL menu "Certificate Bundle" @@ -255,8 +452,8 @@ menu "wolfSSL" depends on ESP_TLS_USING_WOLFSSL help Although not recommended, there may be certificates in the bundle that are missing - a serial number. This option allows the missing value without having to fully - disable strict ASN checking with WOLFSSL_NO_ASN_STRICT. + a serial number. This option allows the missing value (a zero) without having to fully + disable strict ASN checking with WOLFSSL_NO_ASN_STRICT. Note this is disallowed by RFC 5280 choice WOLFSSL_DEFAULT_CERTIFICATE_BUNDLE bool "Default certificate bundle options" @@ -323,6 +520,19 @@ menu "wolfSSL" default 200 depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + config ESP_WOLFSSL_DEBUG_CERT_BUNDLE + bool "Enable certificate bundle debug" + depends on WOLFSSL_CERTIFICATE_BUNDLE + default n + help + View debug messages for cert bundle processing. + + config ESP_WOLFSSL_OPENSSL_EXTRA + bool "Enable wolfSSL OpenSSL Extra support" + default n + help + Enable OpenSSL support: old SHA functions only available with OpenSSLL (not recommended) + endmenu endmenu # wolfSSL ESP-TLS # ----------------------------------------------------------------------------------------------------------------- @@ -429,7 +639,7 @@ menu "wolfSSL" bool "Enable ML-KEM (Kyber Post Quantum)" default n help - bool "Enable wolfSSL ML-KEM" + Enable wolfSSL ML-KEM config WOLFSSL_ENABLE_KYBER bool "Enable Kyber (Round 3)" 
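Review bot: In the `@@ -323,6 +520,19 @@` hunk, `ESP_WOLFSSL_OPENSSL_EXTRA` is added before the `endmenu` that closes the "Certificate Bundle" menu, so an option unrelated to bundles is only reachable under Certificate Bundle and only when ESP-TLS uses wolfSSL; moving it above the outer `menu "wolfSSL ESP-TLS"` or into the algorithm settings menu would make it discoverable. Its help should name the macro it sets and fix the typo: `Sets OPENSSL_EXTRA. Old SHA functions are only available with OPENSSL_EXTRA (not recommended).` — hedged, since the user_settings.h mapping for this option is not in the visible hunks.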
@@ -442,11 +652,23 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- menu "wolfSSL Debug Options" + config ESP_WOLFSSL_DEBUG_CERTS + bool "Enable wolfSSL Certificate Debugging" + default n + help + Enable debugging messages for wolfSSL certificate processing. See user_settings.h for additional debug options. + config ESP_WOLFSSL_DEBUG_WOLFSSL bool "Enable wolfSSL Debugging" default n help - Enable debugging messages for wolfSSL. See user_settings.h for additional debug options. + Enable debugging messages for wolfSSL. Includes wolfSSL Certificate Debugging (WOLFSSL_DEBUG_CERTS) See user_settings.h for additional debug options. + + config WOLFSSL_EXAMPLE_VERBOSITY + bool "Enable example verbosity" + default n + help + This is only intended to be used with examples. Excessive verbosity may have undesired effects on timing-critical code. config ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING bool "Suppress build-time warnings for main stack size" @@ -454,6 +676,12 @@ menu "wolfSSL" help Useful only when wolfSSL is running in main task. See FreeRTOS stack size for custom tasks. + config ESP_NO_DEFAULT_TASK_MONITOR + bool "Disable automatic enable of task monitoring." + default n + help + Unless disabled, ESP_MONITOR_HW_TASK_LOCK is automatically enabled in esp32-crypt.h + config ESP_WOLFSSL_TEST_LOOP bool "Run test apps in a loop until failure" default y 
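Review bot: The updated help for `ESP_WOLFSSL_DEBUG_WOLFSSL` claims it "Includes wolfSSL Certificate Debugging (WOLFSSL_DEBUG_CERTS)", but the template user_settings.h in this patch defines WOLFSSL_DEBUG_CERTS only from the separate `CONFIG_ESP_WOLFSSL_DEBUG_CERTS`, so unless wolfSSL's own settings imply one from the other the two help texts describe different behaviour from what is configured. Either drop that clause or add `select ESP_WOLFSSL_DEBUG_CERTS` to make it true. Both entries should also state that certificate debugging prints certificate contents to the console, which is the reason to keep `default n` in anything beyond examples; a period is missing before "See user_settings.h".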
@@ -465,6 +693,26 @@ menu "wolfSSL" default n help Enables experimental settings for wolfSSL. See documentation. + + config ESP_LATEST_MITIGATIONS + bool "Enable mitigation for latest ESP-IDF" + default y + help + Address any issues in latest (unreleased) ESP-IDF. Currently v6. + Known problems include SHA HW acceleration on RISC-V devices failing. + Enable this option to disable SHA HW on only ESP32-C2, C3, C6. + Only implemented in user_settings.h + + config WOLFSSL_USE_MY_PRIVATE_CONFIG + bool "Use a private include file for config" + default n + help + Sets WOLFSSL_USE_MY_PRIVATE_CONFIG for platform-specific default + config file outside of GitHub repository. + Handy for things like WiFi SSID and Passwords that are typically + not saved on GitHub. + Can also set CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG environment variable to 1 + endmenu # wolfSSL Debug Options # ----------------------------------------------------------------------------------------------------------------- @@ -482,7 +730,7 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- - menu "Component Config" + menu "wolfSSL Component Config" config IGNORE_ESP_IDF_WOLFSSL_COMPONENT bool "Ignore the ESP-IDF component of wolfSSL (if present)" default n @@ -500,7 +748,7 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- - menu "Utility Config" + menu "wolfSSL Utility Config" config USE_WOLFSSL_ESP_SDK_TIME bool "Enable wolfSSL time helper functions" default n 
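Review bot: `ESP_LATEST_MITIGATIONS` defaults to y and its help says it disables SHA HW "on only ESP32-C2, C3, C6", but the user_settings.h hunk in this patch defines WOLFSSL_RISCV_SHA_HW_MITIGATION for any ESP_IDF_VERSION_MAJOR >= 6 without a target check, so one of the two should be corrected (or the target gating named, if it lives elsewhere). Neither this option nor `WOLFSSL_USE_MY_PRIVATE_CONFIG` is a debug option, yet both sit inside `menu "wolfSSL Debug Options"`. The private-config help should say where the file is expected and that it must be excluded from version control, since its stated purpose is holding WiFi credentials: `The file path is resolved in user_settings.h; keep it out of the repository (e.g. .gitignore).`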
@@ -523,12 +771,14 @@ menu "wolfSSH" config ESP_ENABLE_WOLFSSH bool "Enable wolfSSH options" default n + # See wolfssl settings.h help Enables WOLFSSH_TERM, WOLFSSL_KEY_GEN, WOLFSSL_PTHREADS, WOLFSSH_TEST_SERVER, WOLFSSH_TEST_THREADING config ESP_WOLFSSL_DEBUG_WOLFSSH bool "Enable wolfSSH debugging" default n + # See wolfssl settings.h help Enable wolfSSH debugging macro. See user_settings.h diff --git a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h index 9c14dc9dfc..cd232962ba 100644 --- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h +++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h @@ -18,8 +18,28 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ + #define WOLFSSL_ESPIDF_COMPONENT_VERSION 0x01 +/* This user_settings.h is for Espressif ESP-IDF + * + * Standardized wolfSSL Espressif ESP32 + ESP8266 user_settings.h V5.8.2-1 + * + * Do not include any wolfssl headers here. + * + * Note to maintainers: + * + * When editing this file ensure all examples match. + * The template example is the reference. + * Consider Kconfig. Managed Components do not allow editing of user_settings.h + */ +#undef WOLFSSL_ESPIDF +#define WOLFSSL_ESPIDF + +#define NO_FILESYSTEM +#define NO_OLD_TLS +#define WOLFSSL_ASN_TEMPLATE + /* Examples such as test and benchmark are known to cause watchdog timeouts. * Note this is often set in project Makefile: * CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 */ 
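Review bot: In the user_settings.h `@@ -18,8 +18,28 @@` hunk, `NO_FILESYSTEM`, `NO_OLD_TLS` and `WOLFSSL_ASN_TEMPLATE` are added unconditionally and, per the following hunk's context, before `#include "sdkconfig.h"`, so they are baseline settings that Kconfig cannot influence; a comment should make that intentional: `/* Baseline settings for all Espressif examples; not Kconfig-controlled. NO_OLD_TLS disables SSLv3/TLS 1.0/1.1. */`. The moved `#undef WOLFSSL_ESPIDF` / `#define WOLFSSL_ESPIDF` pair also precedes the sdkconfig include now, which is fine but worth a line since the CMake side injects the same define via -DWOLFSSL_ESPIDF.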
@@ -28,15 +48,17 @@ /* The Espressif project config file. See also sdkconfig.defaults */ #include "sdkconfig.h" -/* This user_settings.h is for Espressif ESP-IDF - * - * Standardized wolfSSL Espressif ESP32 + ESP8266 user_settings.h V5.8.2-1 certs - * - * Do not include any wolfssl headers here. - * - * When editing this file: - * ensure all examples match. The template example is the reference. - */ +/* Some mitigations are ESP-IDF version-specific. */ +#include "esp_idf_version.h" + +/* Optional mitigations for latest (unreleased) ESP-IDF v6 */ +#if defined(CONFIG_ESP_LATEST_MITIGATIONS) && CONFIG_ESP_LATEST_MITIGATIONS + #if defined(ESP_IDF_VERSION_MAJOR) && (ESP_IDF_VERSION_MAJOR >= 6) + /* There's a known issue with SHA HW accerlator on RISC-V chips in V6 + * Fixed in https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_RISCV_SHA_HW_MITIGATION 1 + #endif +#endif /* Naming convention: (see also esp32-crypt.h for the reference source). * 
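Review bot: The new mitigation block defines `WOLFSSL_RISCV_SHA_HW_MITIGATION` for every target whenever `ESP_IDF_VERSION_MAJOR >= 6`, while the Kconfig help added in this patch says the SHA HW workaround applies only to ESP32-C2/C3/C6; if the target restriction is applied elsewhere (esp32-crypt.h, presumably), the comment here should say so, otherwise add a `CONFIG_IDF_TARGET_*` check. The `#include "esp_idf_version.h"` is unconditional even though this file also states it targets the ESP8266; if that SDK lacks the header, the include needs a guard. Typo in the comment: "accerlator" → "accelerator".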
@@ -81,17 +103,48 @@ ** CONFIG_IDF_TARGET_ESP32C6 */ -#undef WOLFSSL_ESPIDF -#define WOLFSSL_ESPIDF - /* Test various user_settings between applications by selecting example apps * in `idf.py menuconfig` for Example wolfSSL Configuration settings: */ /* Turn on messages that are useful to see only in examples. */ -#define WOLFSSL_EXAMPLE_VERBOSITY +#if defined(CONFIG_WOLFSSL_EXAMPLE_VERBOSITY) && \ + CONFIG_WOLFSSL_EXAMPLE_VERBOSITY + #undef WOLFSSL_EXAMPLE_VERBOSITY + #define WOLFSSL_EXAMPLE_VERBOSITY +#endif + +#if defined(CONFIG_WOLFSSL_ALT_CERT_CHAINS) && \ + CONFIG_WOLFSSL_ALT_CERT_CHAINS + #undef WOLFSSL_ALT_CERT_CHAINS + #define WOLFSSL_ALT_CERT_CHAINS +#endif + +#if defined(CONFIG_ESP_WOLFSSL_DEBUG_WOLFSSL) && \ + CONFIG_ESP_WOLFSSL_DEBUG_WOLFSSL + #define DEBUG_WOLFSSL +#endif + +#if defined(CONFIG_ESP_WOLFSSL_DEBUG_CERTS) && \ + CONFIG_ESP_WOLFSSL_DEBUG_CERTS + #define WOLFSSL_DEBUG_CERTS +#endif + +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP8266) + /* WOLFSSL_LOW_MEMORY detected at runtime for low memory warning */ + #define WOLFSSL_LOW_MEMORY +#endif /* Paths can be long, ensure the entire value printed during debug */ -#define WOLFSSL_MAX_ERROR_SZ 500 +#ifdef WOLFSSL_LOW_MEMORY + /* If too small, the error_test() will fail. */ + #define WOLFSSL_MAX_ERROR_SZ 65 + #define WOLFSSL_MSG_EX_BUF_SZ 65 +#else + #define WOLFSSL_MAX_ERROR_SZ 500 + #define WOLFSSL_MSG_EX_BUF_SZ 500 +#endif /* wolfSSL Examples: set macros used in example applications. * 
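Review bot: The new `#define DEBUG_WOLFSSL` and `#define WOLFSSL_DEBUG_CERTS` blocks omit the `#undef` guard that the adjacent `WOLFSSL_EXAMPLE_VERBOSITY` and `WOLFSSL_ALT_CERT_CHAINS` blocks use, so a definition arriving from CFLAGS produces a redefinition warning instead of being silently reasserted; making the four blocks uniform is a small style fix. The comment `/* WOLFSSL_LOW_MEMORY detected at runtime for low memory warning */` is misleading, since the detection is a compile-time target check; `/* Compile-time low-memory targets; enables the low-memory warning and smaller buffers below */` describes what the code does.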
@@ -116,12 +169,28 @@ /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */ /* #define USE_WOLFSSL_ESP_SDK_WIFI */ #define WOLFSSL_BENCHMARK_FIXED_UNITS_KB + #define BENCH_EMBEDDED #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT) /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_client */ - #define USE_WOLFSSL_ESP_SDK_WIFI + #if defined(CONFIG_IDF_TARGET_ESP32H2) + /* There's no WiFi on the ESP32 H2, use idf.menuconfig to enable */ + #else + /* This example will always use the wolfSSL WiFi helper */ + #define USE_WOLFSSL_ESP_SDK_WIFI + #endif + #define USE_WOLFSSL_ESP_SDK_TIME + #define NO_WOLFSSL_SERVER #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_SERVER) /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_server */ - #define USE_WOLFSSL_ESP_SDK_WIFI + #define NO_WOLFSSL_CLIENT + #if defined(CONFIG_IDF_TARGET_ESP32H2) + /* There's no WiFi on the ESP32 H2, use idf.menuconfig to enable */ + #else + /* This example will always use the wolfSSL WiFi helper */ + #define USE_WOLFSSL_ESP_SDK_WIFI + #endif + /* Even without WiFi, the wolfSSL helper has some static time settings */ + #define USE_WOLFSSL_ESP_SDK_TIME /* wolfSSH Examples */ #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE) @@ -214,6 +283,7 @@ /* See Kconfig / menuconfig ESP_WOLFSSL_ENABLE_MLKEM */ #ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM /* Kyber typically needs a minimum 10K stack */ + #define WOLFSSL_MLKEM_KYBER #define WOLFSSL_HAVE_MLKEM #define WOLFSSL_WC_MLKEM #define WOLFSSL_SHAKE128 @@ -250,6 +320,7 @@ #ifdef NO_AES #warning "Found NO_AES, wolfSSL AES Cannot be enabled. Check config." #else + #define HAVE_AESGCM #define WOLFSSL_AES #define WOLFSSL_AES_COUNTER 
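Review bot: In the `@@ -116,12 +169,28 @@` hunk, both `#if defined(CONFIG_IDF_TARGET_ESP32H2)` blocks have an empty true branch holding only a comment, which is harder to read than the direct form `#if !defined(CONFIG_IDF_TARGET_ESP32H2) /* no WiFi on ESP32-H2 */`. The added `NO_WOLFSSL_SERVER` for the client example and `NO_WOLFSSL_CLIENT` for the server example are a good footprint reduction and deserve a one-line comment saying they drop the unused half of the TLS state machine from the build.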
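Review bot: In the `@@ -214,6 +283,7 @@` hunk, `#define WOLFSSL_MLKEM_KYBER` is added under `CONFIG_ESP_WOLFSSL_ENABLE_MLKEM`, and if that macro does what its name indicates it also compiles in the pre-standard Kyber (Round 3) variant whenever ML-KEM is enabled, even though the Kconfig in this patch keeps a separate `WOLFSSL_ENABLE_KYBER` option for exactly that choice. Gating it on that option instead, `#ifdef CONFIG_WOLFSSL_ENABLE_KYBER` … `#define WOLFSSL_MLKEM_KYBER`, keeps the standardized algorithm set as the default and leaves the draft one opt-in. A comment naming the distinction (ML-KEM FIPS 203 vs. Kyber Round 3) would prevent the two from being conflated again.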
@@ -356,24 +427,103 @@ #endif /* See below for chipset detection from sdkconfig.h */ -/* when you want to use SINGLE THREAD. Note Default ESP-IDF is FreeRTOS */ -#define SINGLE_THREADED +/* See Kconfig: Check if Multi Thread selected in idf.py menuconfig + * Single Thread avoids RAM-consuming semaphores. + * Note Default ESP-IDF is FreeRTOS rergardless of this setting */ +#if defined(CONFIG_ESP_WOLFSSL_MULTI_THREAD) && \ + CONFIG_ESP_WOLFSSL_MULTI_THREAD + /* Unless SINGLE_THREADED defined, wolfssl assumes multi-thread. */ + /* #undef SINGLE_THREADED */ +#else + #define SINGLE_THREADED +#endif /* Small session cache saves a lot of RAM for ClientCache and SessionCache. * Memory requirement is about 5KB, otherwise 20K is needed when not specified. * If extra small footprint is needed, try MICRO_SESSION_CACHE (< 1K) * When really desperate or no TLS used, try NO_SESSION_CACHE. */ -#define NO_SESSION_CACHE +#if defined(CONFIG_ESP_WOLFSSL_TITAN_SESSION_CACHE) + /* Consider RAM requirements. Unrealistic for most ESP32 devices */ + #define TITAN_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_BIG_SESSION_CACHE) + /* Consider RAM requirements. Unrealistic for most ESP32 devices */ + #define BIG_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_MEDIUM_SESSION_CACHE) + /* Consider RAM requirements. 
*/ + #define MEDIUM_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_SMALL_SESSION_CACHE) + #define SMALL_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_MICRO_SESSION_CACHE) + #define MICRO_SESSION_CACHE +#else + #define NO_SESSION_CACHE + #define WOLFSSL_NO_TICKET +#endif + +#ifndef NO_SESSION_CACHE + #define HAVE_SESSION_TICKET +#endif + +/* See Kconfig: Check if Static Memory selected in idf.py menuconfig */ +#if defined(CONFIG_ESP_WOLFSSL_STATIC_MEMORY) && \ + CONFIG_ESP_WOLFSSL_STATIC_MEMORY + #define WOLFSSL_STATIC_MEMORY +#endif + +#if defined(WOLFSSL_STATIC_MEMORY) + #define WOLFSSL_STATIC_MEMORY + #define WOLFSSL_STATIC_MEMORY_LEAN + #define WOLFSSL_NO_MALLOC + #ifdef WOLFSSL_SMALL_STACK + #error "Cannot use WOLFSSL_SMALL_STACK with WOLFSSL_NO_MALLOC" + #endif + #if 1 + /* trap malloc failure */ + #define WOLFSSL_MALLOC_CHECK + #endif + #define HAVE_MAX_FRAGMENT + #define HAVE_TLS_EXTENSIONS -/* Small Stack uses more heap. */ -#define WOLFSSL_SMALL_STACK + #define WOLFSSL_CUSTOM_CURVES + #define HAVE_ECC_KOBLITZ + #define HAVE_ECC256 + #define NO_ECC192 + #define NO_ECC224 + #define NO_ECC384 + #define NO_ECC521 -/* Full debugging turned off, but show malloc failure detail */ -/* #define DEBUG_WOLFSSL */ -#define DEBUG_WOLFSSL_MALLOC + #ifdef HAVE_ED25519 + #undef HAVE_ED25519 + #endif + #ifdef WOLFSSL_SHA512 + #undef WOLFSSL_SHA512 + #endif + + /* multiple of 16 & 32 */ + #define WOLFMEM_IO_SZ 2048 + + #if (1) + #define USE_FAST_MATH + #else + #define SP_MATH + #define FP_ECC + #endif +#else + /* Not using static memory */ + + /* Small Stack uses more heap. */ + #define WOLFSSL_SMALL_STACK + + /* Full debugging turned off, but show malloc failure detail */ + /* #define DEBUG_WOLFSSL */ + #define DEBUG_WOLFSSL_MALLOC +#endif /* RSA_LOW_MEM: Half as much memory but twice as slow. 
*/ -#define RSA_LOW_MEM +#if defined(CONFIG_ESP_WOLFSSL_RSA_LOW_MEM) && \ + CONFIG_ESP_WOLFSSL_RSA_LOW_MEM + #define RSA_LOW_MEM +#endif /* optionally turn off SHA512/224 SHA512/256 */ /* #define WOLFSSL_NOSHA512_224 */ @@ -386,16 +536,43 @@ /* #define NO_SHA */ /* #define NO_OLD_TLS */ -#define BENCH_EMBEDDED +/* Very low memory device notice: + * TLS 1.2 typically enabled + * TLS 1.3 typically disabled + * + * See runtime warning for limited-resource devices. + * + * Typical error codes at client, talking to low-memory server: + * -125 MEMORY_E out of memory error + * -308 SOCKET_ERROR_E error state on socket + * -313 FATAL_ERROR recvd alert fatal error + */ + +#if defined(CONFIG_WOLFSSL_ALLOW_TLS12) && CONFIG_WOLFSSL_ALLOW_TLS12 + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) + /* low-memory devices with TLS 1.2 enabled */ + #endif + + /* TLS 1.2 uses extensions by default */ + #define HAVE_TLS_EXTENSIONS + +#else + /* Unless explicitly enabled, only TLS 1.3 is configured */ + #define WOLFSSL_NO_TLS12 +#endif + /* TLS 1.3 */ -#ifdef CONFIG_WOLFSSL_ALLOW_TLS13 +#if (defined(CONFIG_WOLFSSL_ALLOW_TLS13) && CONFIG_WOLFSSL_ALLOW_TLS13) && \ + !defined(CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13) #define WOLFSSL_TLS13 #define HAVE_TLS_EXTENSIONS #define HAVE_HKDF - /* May be required */ + /* AEAD May be required */ #ifndef HAVE_AEAD + /* Syntax highlighting detection only */ #endif /* Required for ECC */ 
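Review bot: Inside the `WOLFSSL_STATIC_MEMORY` branch the `#undef HAVE_ED25519` and `#undef WOLFSSL_SHA512` run before the unconditional `#define WOLFSSL_SHA512` and `#define HAVE_ED25519` that the later -427 and -458 hunks still emit for non-C2/8266 targets, so on those targets the undefs are a no-op and the static-memory build gets the algorithms it was trying to drop. Either move the undefs after those defines or guard the later defines with `#ifndef WOLFSSL_STATIC_MEMORY`. Separately, `SINGLE_THREADED` is now the default whenever `CONFIG_ESP_WOLFSSL_MULTI_THREAD` is unset, which removes wolfSSL's internal locking; a comment next to it such as `/* SINGLE_THREADED: every WOLFSSL_CTX/WOLFSSL and the session cache must be used from one task only */` would make the trade-off explicit. The `#if defined(WOLFSSL_STATIC_MEMORY)` block also re-defines `WOLFSSL_STATIC_MEMORY` inside itself, and `rergardless` in the threading comment is a typo.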
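Review bot: When `CONFIG_WOLFSSL_ALLOW_TLS12` is off and `CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13` is set, this hunk defines `WOLFSSL_NO_TLS12` and skips `WOLFSSL_TLS13`, producing a build with no TLS version at all and no diagnostic. A sanity check after the TLS 1.3 block would catch it: `#if defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_TLS13) && !defined(WOLFCRYPT_ONLY)` / `#error "No TLS protocol version enabled"` / `#endif`. The `#if defined(CONFIG_IDF_TARGET_ESP32C2) || defined(CONFIG_IDF_TARGET_ESP8684)` block in the TLS 1.2 branch is empty apart from a comment and can go. The TLS 1.3 block continues past the hunk.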
@@ -416,8 +593,32 @@ #endif #endif +/* Settings common to both TLS 1.2 and TLS 1.3 */ +#if (defined(CONFIG_WOLFSSL_ALLOW_TLS12) && CONFIG_WOLFSSL_ALLOW_TLS12) || \ + (defined(CONFIG_WOLFSSL_ALLOW_TLS13) && CONFIG_WOLFSSL_ALLOW_TLS13) + + /* ECC can optionally be disabled, but is normally enabled */ + #if defined(ESP_WOLFSSL_DISABLE_ECC) && \ + ESP_WOLFSSL_DISABLE_ECC + #undef HAVE_ECC + #else + #define HAVE_ECC + #endif + + /* DH can optionally be disabled, but is normally enabled */ + #if defined(ESP_WOLFSSL_DISABLE_DH) && \ + ESP_WOLFSSL_DISABLE_DH + #undef HAVE_DH + #else + #define HAVE_DH + #endif + +#endif + + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ - defined(CONFIG_IDF_TARGET_ESP8684) + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP8266) /* Optionally set smaller size here */ #ifdef HAVE_FFDHE_4096 /* this size may be problematic on the C2 */ @@ -427,26 +628,25 @@ #define HAVE_FFDHE_4096 #endif -#define NO_FILESYSTEM - -#define NO_OLD_TLS - -#define HAVE_AESGCM - /* Optional RIPEMD: RACE Integrity Primitives Evaluation Message Digest */ /* #define WOLFSSL_RIPEMD */ /* when you want to use SHA224 */ -#define WOLFSSL_SHA224 +#if defined(CONFIG_ESP_WOLFSSL_SHA224) && \ + CONFIG_ESP_WOLFSSL_SHA224 + #define WOLFSSL_SHA224 +#endif /* when you want to use SHA384 */ -#define WOLFSSL_SHA384 +#if defined(CONFIG_ESP_WOLFSSL_SHA384) && \ + CONFIG_ESP_WOLFSSL_SHA384 + #define WOLFSSL_SHA384 +#endif /* Some features not enabled for ESP8266: */ #if defined(CONFIG_IDF_TARGET_ESP8266) || \ defined(CONFIG_IDF_TARGET_ESP32C2) /* Some known low-memory devices have features not enabled by default. */ - /* TODO determine low memory configuration for ECC. */ #else /* when you want to use SHA512 */ #define WOLFSSL_SHA512 
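Review bot: The ECC/DH disable checks test `ESP_WOLFSSL_DISABLE_ECC` and `ESP_WOLFSSL_DISABLE_DH` without the `CONFIG_` prefix that every other menuconfig-derived symbol in this file carries, so if these are meant to come from Kconfig they can never fire and ECC/DH are always enabled. If that is the intent, use `#if defined(CONFIG_ESP_WOLFSSL_DISABLE_ECC) && CONFIG_ESP_WOLFSSL_DISABLE_ECC`; if they are deliberately CMake-only switches, a comment saying so will stop the next reader from "fixing" them.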
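Review bot: This hunk drops the unconditional `#define NO_OLD_TLS`, and the only other occurrence visible in the file is the commented-out one in the -386 hunk, so unless it was moved somewhere outside these hunks the TLS 1.0/1.1 code paths are compiled back in. `HAVE_AESGCM`, removed in the same hunk, was re-homed under `#ifndef NO_AES` in the -250 hunk, but I see no new home for `NO_OLD_TLS`; restoring `#define NO_OLD_TLS` next to the `WOLFSSL_NO_TLS12` logic keeps the floor at TLS 1.2. The same question applies to the removed `NO_FILESYSTEM`, which the ESP-IDF build relied on to skip the file-based certificate loaders.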
@@ -458,23 +658,17 @@ #define HAVE_ED25519 #endif -#if defined(CONFIG_IDF_TARGET_ESP8266) || defined(CONFIG_IDF_TARGET_ESP32C2) - #define MY_USE_ECC 0 - #define MY_USE_RSA 1 -#else - #define MY_USE_ECC 1 - #define MY_USE_RSA 0 -#endif - -/* We can use either or both ECC and RSA, but must use at least one. */ -#if MY_USE_ECC || MY_USE_RSA - #if MY_USE_ECC +/* We can use either or both ECC and RSA, but must use at least one for TLS */ +#if (defined(CONFIG_ESP_WOLFSSL_USE_ECC) && CONFIG_ESP_WOLFSSL_USE_ECC) || \ + (defined(CONFIG_ESP_WOLFSSL_USE_RSA) && CONFIG_ESP_WOLFSSL_USE_RSA) + /* Some ECC checks */ + #if CONFIG_ESP_WOLFSSL_USE_ECC /* ---- ECDSA / ECC ---- */ #define HAVE_ECC + /* #define HAVE_CURVE25519 #define HAVE_ED25519 #define WOLFSSL_SHA512 - /* #define HAVE_ECC384 #define CURVE25519_SMALL */ @@ -485,17 +679,27 @@ #define WOLFSSH_NO_ECDSA #endif - #if MY_USE_RSA + #if CONFIG_ESP_WOLFSSL_USE_RSA /* ---- RSA ----- */ /* #define RSA_LOW_MEM */ /* DH disabled by default, needed if ECDSA/ECC also turned off */ #define HAVE_DH + #define HAVE_RSA #else + #undef HAVE_RSA + #define NO_RSA + /* Also disable RSA if wolfSSH used */ #define WOLFSSH_NO_RSA #endif #else - #error "Either RSA or ECC must be enabled" + #if defined(CONFIG_ESP_WOLFSSL_ENABLE_MLKEM) + /* See above for PQ-only config */ + #elif defined(WOLFCRYPT_ONLY) + /* Communications such as (D)TLS not compiled in */ + #else + #warning "PQ, RSA, and ECC are disabled. Consider WOLFCRYPT_ONLY" + #endif #endif /* Optional OpenSSL compatibility */ 
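Review bot: `#if CONFIG_ESP_WOLFSSL_USE_ECC` evaluates an undefined macro when only RSA is selected, which is legal but trips `-Wundef` and is inconsistent with the `defined(X) && X` form used two lines above; `#if defined(CONFIG_ESP_WOLFSSL_USE_ECC) && CONFIG_ESP_WOLFSSL_USE_ECC` matches the rest of the file. Note also that moving the `/*` up now comments out `HAVE_CURVE25519`, `HAVE_ED25519` and `WOLFSSL_SHA512` in the ECC branch, so X25519 is no longer enabled from here; if that is intentional, say so in the comment rather than leaving the defines looking accidentally disabled.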
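Review bot: Replacing `#error "Either RSA or ECC must be enabled"` with a silent pass-through when `CONFIG_ESP_WOLFSSL_ENABLE_MLKEM` is set lets a TLS build through with no signature algorithm: ML-KEM is a key-encapsulation mechanism only, so without RSA or ECC (and no PQ signature scheme is enabled anywhere visible in these hunks) certificate authentication is impossible and only PSK-style suites could complete. Unless PSK is what the PQ-only configuration targets, keep the `#error` for the `!WOLFCRYPT_ONLY` case, or at minimum change the comment to `/* ML-KEM is key exchange only; no certificate authentication possible without RSA/ECC */`. `#define HAVE_RSA` is also not a macro wolfSSL consults (RSA is on unless `NO_RSA` is set), so it is harmless but misleading. The `#if CONFIG_ESP_WOLFSSL_USE_RSA` line has the same undefined-macro issue as the ECC check in the previous hunk.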
@@ -552,21 +756,37 @@ #define HASH_SIZE_LIMIT /* USE_FAST_MATH is default */ -#define USE_FAST_MATH - -/***** Use SP_MATH *****/ -/* #undef USE_FAST_MATH */ -/* #define SP_MATH */ -/* #define WOLFSSL_SP_MATH_ALL */ -/* #define WOLFSSL_SP_RISCV32 */ +#if defined(CONFIG_ESP_WOLFSSL_USE_FAST_MATH) && \ + ESP_WOLFSSL_USE_FAST_MATH + /***** Use Fast Math *****/ + #define USE_FAST_MATH + #undef WOLFSSL_SP_MATH + #undef WOLFSSL_SP_MATH_ALL + #define USE_INTEGER_HEAP_MATH +#elif defined(CONFIG_ESP_WOLFSSL_SP_MATH) && \ + CONFIG_ESP_WOLFSSL_SP_MATH + /***** Use SP_MATH *****/ + #undef USE_FAST_MATH + #undef USE_INTEGER_HEAP_MATH + #define WOLFSSL_SP_MATH + #define WOLFSSL_SP_MATH_ALL +#elif defined(CONFIG_ESP_WOLFSSL_USE_INTEGER_HEAP_MATH) && \ + CONFIG_ESP_WOLFSSL_USE_INTEGER_HEAP_MATH + /***** Use Integer Heap Math *****/ + #undef USE_FAST_MATH + #undef WOLFSSL_SP_MATH + #undef WOLFSSL_SP_MATH_ALL + #define USE_INTEGER_HEAP_MATH +#else + #define USE_FAST_MATH +#endif /***** Use Integer Heap Math *****/ /* #undef USE_FAST_MATH */ /* #define USE_INTEGER_HEAP_MATH */ /* Just syntax highlighting to check math libraries: */ -#if defined(SP_MATH) || \ - defined(USE_INTEGER_HEAP_MATH) || \ +#if defined(WOLFSSL_SP_MATH) || \ defined(USE_INTEGER_HEAP_MATH) || \ defined(USE_FAST_MATH) || \ defined(WOLFSSL_SP_MATH_ALL) || \ @@ -577,10 +797,6 @@ #define HAVE_VERSION_EXTENDED_INFO /* #define HAVE_WC_INTROSPECTION */ -#ifndef NO_SESSION_CACHE - #define HAVE_SESSION_TICKET -#endif - /* #define HAVE_HASHDRBG */ #if 0 @@ -604,8 +820,6 @@ #endif -#define WOLFSSL_ASN_TEMPLATE - /* #undef WOLFSSL_KEY_GEN #undef WOLFSSL_CERT_REQ 
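Review bot: The fast-math branch tests `defined(CONFIG_ESP_WOLFSSL_USE_FAST_MATH) && ESP_WOLFSSL_USE_FAST_MATH`, mixing the prefixed and unprefixed names, so with the Kconfig symbol set the second operand is an undefined macro (0) and the branch is skipped; the chain then falls to the final `#else`, which defines `USE_FAST_MATH` but without the `#undef WOLFSSL_SP_MATH*` cleanup. Use `CONFIG_ESP_WOLFSSL_USE_FAST_MATH` on both sides. The same branch also defines both `USE_FAST_MATH` and `USE_INTEGER_HEAP_MATH`, which select different big-integer backends, so one of them should go. Whichever backend wins, the side-channel hardening macros wolfSSL recommends alongside it (`TFM_TIMING_RESISTANT`, `ECC_TIMING_RESISTANT`, `WC_RSA_BLINDING`) are not visible in these hunks; if they are not set elsewhere in the file they belong here.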
@@ -623,11 +837,13 @@ */ /* optional SM4 Ciphers. See https://github.com/wolfSSL/wolfsm */ -/* -#define WOLFSSL_SM2 -#define WOLFSSL_SM3 -#define WOLFSSL_SM4 -*/ + +#if defined(ESP_WOLFSSL_USE_SM) && \ + ESP_WOLFSSL_USE_SM + #define WOLFSSL_SM2 + #define WOLFSSL_SM3 + #define WOLFSSL_SM4 +#endif #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) /* SM settings, possible cipher suites: @@ -669,9 +885,16 @@ #undef HAVE_AESGCM #define HAVE_AESGCM -#endif + + /* ByteReverseWords is known to need alignment */ + #undef WOLFSSL_USE_ALIGN + #define WOLFSSL_USE_ALIGN +#endif /* SM or regular certs */ /* Chipset detection from sdkconfig.h + * See idf.py --list-targets + * or ESP-IDF ./components/esp_hw_support/include/esp_chip_info.h + * Set target example: idf.py set-target esp32s3 * Default is HW enabled unless turned off. * Uncomment lines to force SW instead of HW acceleration */ #if defined(CONFIG_IDF_TARGET_ESP32) || defined(WOLFSSL_ESPWROOM32SE) @@ -692,7 +915,7 @@ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 /* no SHA224 HW on ESP32 */ #undef ESP_RSA_MULM_BITS - #define ESP_RSA_MULM_BITS 16 /* TODO add compile-time warning */ + #define ESP_RSA_MULM_BITS 16 /***** END CONFIG_IDF_TARGET_ESP32 *****/ #elif defined(CONFIG_IDF_TARGET_ESP32S2) 
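Review bot: The `WOLFSSL_USE_ALIGN` define (and the `HAVE_AESGCM` re-enable) added here live inside `#if defined(WOLFSSL_SM2) || ...` at roughly new line 885, but the -1016 hunk later in this file only defines `WOLFSSL_SM2/SM3/SM4` from `CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM` at roughly line 1347, after this block has been evaluated; selecting SM through the cert-buffer menu alone therefore misses these settings, which is exactly what the `#ifndef WOLFSSL_USE_ALIGN #warning` in that later hunk would then report. Move the cert-buffer-driven SM defines up next to the `ESP_WOLFSSL_USE_SM` check in the -623 hunk (which, incidentally, also lacks the `CONFIG_` prefix used elsewhere) so both paths pass through this block.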
@@ -736,8 +959,16 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */ /* These are defined automatically in esp32-crypt.h, here for clarity */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C2 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C2 */ + /* no SHA384 HW on C2 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C2 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif /* There's no AES or RSA/Math accelerator on the ESP32-C2 * Auto defined with NO_WOLFSSL_ESP32_CRYPT_RSA_PRI, for clarity: */ @@ -756,8 +987,16 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */ /* These are defined automatically in esp32-crypt.h, here for clarity: */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */ + /* no SHA384 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ 
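Review bot: The new `WOLFSSL_RISCV_SHA_HW_MITIGATION` blocks in the ESP32-C2 section and this ESP32-C3 section define `WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE`, while the ESP32-C6 section in the next hunk spells it `WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE`; anything keyed on the correctly spelled name will see the C2/C3 mitigation as inactive. Use `#define WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE` in all three. The comments copied into the C3 section still read `no SHA384 HW on C6` / `no SHA512 HW on C6`.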
@@ -766,16 +1005,34 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ /***** END CONFIG_IDF_TARGET_ESP32C3 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32C5) + #define WOLFSSL_ESP32 + + /* There's no Hardware Acceleration available on ESP32-C5 */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32C5 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32C6) #define WOLFSSL_ESP32 /* wolfSSL HW Acceleration supported on ESP32-C6. Uncomment to disable: */ - /* #define NO_ESP32_CRYPT */ - /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* These are defined automatically in esp32-crypt.h, here for clarity: */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */ + /* no SHA384 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif + /* #define NO_ESP32_CRYPT */ + /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */ 
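Review bot: The new ESP32-C5 section says `There's no Hardware Acceleration available on ESP32-C5`, but as far as I recall the C5 does ship SHA/AES/RSA accelerators; what is true is that wolfSSL has no driver for them yet. The ESP32-H2 section right below uses the accurate wording, so mirror it: `/* wolfSSL Hardware Acceleration not yet implemented on ESP32-C5 */`, which avoids someone later "confirming" a false hardware claim.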
@@ -783,7 +1040,34 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ /***** END CONFIG_IDF_TARGET_ESP32C6 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32C61) + #define WOLFSSL_ESP32 + /* wolfSSL HW Acceleration not yet supported on ESP32-C61. */ + + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + + /* TODO latest WIP ESP-IDF v6 needs esp_sha_set_mode, disable for now: */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH + + /* These are defined automatically in esp32-crypt.h, here for clarity: */ + /* no SHA384 HW on C61 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C61 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + + /* HW temporarily disabled on the ESP32-C61 pending additional development. + * See also settings.h that should also be disabling these after v5.8.0 */ + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD + /***** END CONFIG_IDF_TARGET_ESP32C61 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32H2) + /* Reminder: There's no wifi on ESP32-H2 */ + #define WOLFSSL_ESP32 /* wolfSSL Hardware Acceleration not yet implemented */ #define NO_ESP32_CRYPT 
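Review bot: `NO_WOLFSSL_ESP32_CRYPT_HASH` is defined twice in the new ESP32-C61 section, once under "not yet supported" and again under the ESP-IDF v6 `esp_sha_set_mode` TODO, so one define should go and the two reasons be merged into a single comment. Identical redefinition is silent, which is why this is easy to miss and easy to leave stale when the TODO is resolved.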
@@ -792,6 +1076,24 @@ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI /***** END CONFIG_IDF_TARGET_ESP32H2 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32H21) + #define WOLFSSL_ESP32 + /* wolfSSL Hardware Acceleration not yet implemented */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32H21 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP32H4) + #define WOLFSSL_ESP32 + /* wolfSSL Hardware Acceleration not yet implemented */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32H4 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32P4) #define WOLFSSL_ESP32 /* wolfSSL Hardware Acceleration not yet implemented */ @@ -818,16 +1120,25 @@ /***** END CONFIG_IDF_TARGET_ESP266 *****/ #elif defined(CONFIG_IDF_TARGET_ESP8684) - /* There's no Hardware Acceleration available on ESP8684 */ + /* There's no Hardware Acceleration available on ESP8684 + * Note that it usually presents as ESP32C2 */ #define NO_ESP32_CRYPT #define NO_WOLFSSL_ESP32_CRYPT_HASH #define NO_WOLFSSL_ESP32_CRYPT_AES #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI /***** END CONFIG_IDF_TARGET_ESP8684 *****/ +#elif defined(POSIX_LINUX) + /* There's no Hardware Acceleration available on POSIX/Linux simulator */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_POSIX_LINUX *****/ + #else /* Anything else encountered, disable HW acceleration */ - #warning "Unexpected CONFIG_IDF_TARGET_NN value" + #warning "Unexpected CONFIG_IDF_TARGET_NN value, disabling all HW crypto" #define NO_ESP32_CRYPT #define NO_WOLFSSL_ESP32_CRYPT_HASH #define NO_WOLFSSL_ESP32_CRYPT_AES 
@@ -845,7 +1156,7 @@ /* See idf.py menuconfig for stack warning settings */ #if !defined(CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING) #if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500 - #warning "RSA may be difficult with less than 10KB Stack" + /* RSA may be difficult with less than 10KB Stack */ #endif #else /* Implement your own stack warning here */ @@ -856,11 +1167,17 @@ /* NOTE HW unreliable for small values! */ /* threshold for performance adjustment for HW primitive use */ /* X bits of G^X mod P greater than */ - #undef ESP_RSA_EXPT_XBITS + #if defined(ESP_RSA_EXPT_XBITS) && (ESP_RSA_EXPT_XBITS < 32) + #warning "Adjusting ESP_RSA_EXPT_XBITS to 32" + #undef ESP_RSA_EXPT_XBITS + #endif #define ESP_RSA_EXPT_XBITS 32 /* X and Y of X * Y mod P greater than */ - #undef ESP_RSA_MULM_BITS + #if defined(ESP_RSA_MULM_BITS) && (ESP_RSA_MULM_BITS < 16) + #warning "Adjusting ESP_RSA_MULM_BITS to 16" + #undef ESP_RSA_MULM_BITS + #endif #define ESP_RSA_MULM_BITS 16 #endif #endif 
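Review bot: Turning the `#warning "RSA may be difficult with less than 10KB Stack"` into a comment leaves the surrounding `#if !defined(CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING)` / `#if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500` with nothing to do, so the menuconfig option that suppresses the warning is now a no-op and an undersized main task stack goes unreported at build time. Either keep the `#warning` (or demote it to `#pragma message`) or remove the dead guard along with it.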
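Review bot: After the new conditional `#undef`, `#define ESP_RSA_EXPT_XBITS 32` is still unconditional, so a caller who set `ESP_RSA_EXPT_XBITS` to, say, 64 is not undef'd and the redefinition to 32 produces a macro-redefinition warning (an error under -Werror) while silently clobbering the larger value, the opposite of what "Adjusting ... to 32" implies. Wrap it as `#ifndef ESP_RSA_EXPT_XBITS` / `#define ESP_RSA_EXPT_XBITS 32` / `#endif`, and likewise for `ESP_RSA_MULM_BITS 16`. The `HW unreliable for small values!` note is the reason for a floor, so a larger user value should survive.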
@@ -1016,87 +1333,317 @@ Turn on timer debugging (used when CPU cycles not available) * https://github.com/wolfSSL/wolfssl/pull/6825 * https://github.com/wolfSSL/wolfsm * - * Uncomment these 3 macros to enable the SM Ciphers and use the macros below. + * Check to see if idf.py menuconfig selected example certs, otheruse use 2048: */ - -/* -#define WOLFSSL_SM2 -#define WOLFSSL_SM3 -#define WOLFSSL_SM4 -*/ +#if defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_2048) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_2048 + #define USE_CERT_BUFFERS_2048 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_1024) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_1024 + #define USE_CERT_BUFFERS_1024 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_256) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_256 + #define USE_CERT_BUFFERS_256 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM + #define WOLFSSL_SM2 + #define WOLFSSL_SM3 + #define WOLFSSL_SM4 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_NONE) + /* See user_settings.h for referenbce on defining your own cert */ +#else + #define USE_CERT_BUFFERS_2048 +#endif /* Conditional macros used in wolfSSL TLS client and server examples */ #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) - #include - #define CTX_CA_CERT root_sm2 - #define CTX_CA_CERT_SIZE sizeof_root_sm2 - #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_PEM - #define CTX_SERVER_CERT server_sm2 - #define CTX_SERVER_CERT_SIZE sizeof_server_sm2 - #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM - #define CTX_SERVER_KEY server_sm2_priv - #define CTX_SERVER_KEY_SIZE sizeof_server_sm2_priv - #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_PEM + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (SM)" - #undef WOLFSSL_BASE16 - #define WOLFSSL_BASE16 -#else - #if defined(USE_CERT_BUFFERS_2048) - #ifdef USE_CERT_BUFFERS_1024 - #error "USE_CERT_BUFFERS_1024 is already defined. 
Pick one." - #endif + #ifndef HAVE_TLS_EXTENSIONS + #error "SM Ciphers require HAVE_TLS_EXTENSIONS" + #endif + #ifndef HAVE_HKDF + #error "SM Ciphers require HAVE_HKDF" + #endif + #ifndef HAVE_ECC + #error "SM Ciphers require HAVE_ECC" + #endif + #ifndef WOLFSSL_USE_ALIGN + #warning "Define WOLFSSL_USE_ALIGN to avoid LoadStoreAlignment panic" + #endif + + #ifdef WOLFSSL_ALT_CERT_CHAINS + /* When on, wolfSSL will accept the peer if the leaf sent matches + * the one loaded, even without a CA in the path */ + #endif + + /* ./examples/client/client -h 192.168.1.107 -v 3 \ + * -l ECDHE-ECDSA-SM4-CBC-SM3 + * -c ./certs/sm2/client-sm2.pem + * -k ./certs/sm2/client-sm2-priv.pem + * -A ./certs/sm2/ca-sm2.pem -C + */ + + /* Certificate file `-c`; client command default: certs/server-cert.pem + * wolfSSL_CTX_use_certificate_chain_buffer_format + * + * Note that the PEM file of server_sm2 contains both leaf and CA + * The DER file contains only the server cert. */ + + /* Server */ + #ifndef NO_WOLFSSL_SERVER + #define CTX_SERVER_CERT server_sm2 + #define CTX_SERVER_CERT_NAME "server_sm2" + #define CTX_SERVER_CERT_SIZE sizeof_server_sm2 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM + + /* Key file `-k`; client command default: ./certs/server-key.pem + * wolfSSL_CTX_use_certificate_buffer */ + #define CTX_SERVER_KEY server_sm2_priv_der + #define CTX_SERVER_KEY_NAME "server_sm2_priv_der" + #define CTX_SERVER_KEY_SIZE sizeof_server_sm2_priv_der + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Client */ + #ifndef NO_WOLFSSL_CLIENT + #define CTX_CA_CERT root_sm2_der + #define CTX_CA_CERT_NAME "root_sm2_der" + #define CTX_CA_CERT_SIZE sizeof_root_sm2_der + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_CLIENT_KEY client_sm2_priv_der + #define CTX_CLIENT_KEY_NAME "client_sm2_priv_der" + #define CTX_CLIENT_KEY_SIZE sizeof_client_sm2_priv_der + #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Client Cert. 
+ * This is also the optional peer verify certificate at server */ + #define CTX_CLIENT_CERT client_sm2_der + #define CTX_CLIENT_CERT_NAME "client_sm2_der" + #define CTX_CLIENT_CERT_SIZE sizeof_client_sm2_der + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END SM */ - /* Be sure to include in app, not here, when using example certs: */ - /* #include */ +#elif defined(USE_CERT_BUFFERS_2048) + /* + * To connect to ESP32 server with a client from commandline: + * + * The client uses 2048 certs by default, so no certs needed on commandline: + * + * TLS 1.2 + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 + * + * TLS 1.3 + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 4 + */ + + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_2048)" + + #ifdef USE_CERT_BUFFERS_1024 + #error "USE_CERT_BUFFERS_1024 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_256 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." 
+ #endif + #if defined(NO_RSA) + #error "RSA is needed to use CERT_BUFFERS_2048 example" + #endif + /* Client */ + #ifndef NO_WOLFSSL_CLIENT #define CTX_CA_CERT ca_cert_der_2048 #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_2048 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_SERVER_CERT server_cert_der_2048 - #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048 - #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_SERVER_KEY server_key_der_2048 - #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_2048 - #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 - - #define CTX_CLIENT_CERT client_cert_der_2048 - #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048 - #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #define CTX_CLIENT_KEY client_key_der_2048 #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_2048 #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif - #elif defined(USE_CERT_BUFFERS_1024) - #ifdef USE_CERT_BUFFERS_2048 - #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." 
+ /* Server */ + #ifndef NO_WOLFSSL_SERVER + #if (0) + /* No PEM certs available at this time */ + #define CTX_SERVER_CERT server_cert_2048 + #define CTX_SERVER_CERT_NAME "server_cert_2048" + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_2048 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM + + #define CTX_SERVER_KEY server_key_2048 + #define CTX_SERVER_KEY_NAME "server_key_2048" + #define CTX_SERVER_KEY_SIZE sizeof_server_key_2048 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_PEM + #else + #define CTX_SERVER_CERT server_cert_der_2048 + #define CTX_SERVER_CERT_NAME "server_cert_der_2048" + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_SERVER_KEY server_key_der_2048 + #define CTX_SERVER_KEY_NAME "server_key_der_2048" + #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_2048 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 #endif + #endif /* server */ + + /* -A Client peer verify at the server + * defaults: ./examples/client/client -v 3 -h 192.168.1.107 */ + #define CTX_CLIENT_CERT client_cert_der_2048 + #define CTX_CLIENT_CERT_NAME "client_cert_der_2048" + #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END USE_CERT_BUFFERS_2048 */ - /* Be sure to include in app, not here, when using example certs: */ - /* #include */ +#elif defined(USE_CERT_BUFFERS_1024) + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_1024)" + /* + * To connect to ESP32 server with a client from commandline: + * + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d \ + -A ./certs/1024/ca-cert.pem \ + -c ./certs/1024/client-cert.pem \ + -k ./certs/1024/client-key.pem -C + */ + #ifdef USE_CERT_BUFFERS_2048 + #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_256 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." 
+ #endif + + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + /* Client */ + #ifndef NO_WOLFSSL_CLIENT #define CTX_CA_CERT ca_cert_der_1024 + #define CTX_CA_CERT_NAME "ca_cert_der_1024" #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_1024 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_CLIENT_CERT client_cert_der_1024 - #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024 - #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #define CTX_CLIENT_KEY client_key_der_1024 #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_1024 #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + /* Server */ + #ifndef NO_WOLFSSL_SERVER #define CTX_SERVER_CERT server_cert_der_1024 + #define CTX_SERVER_CERT_NAME "server_cert_der_1024" #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_1024 #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + #define CTX_SERVER_KEY server_key_der_1024 + #define CTX_SERVER_KEY_NAME "server_key_der_1024" #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_1024 #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Optional shared client peer verify for wolfSSL_CTX_set_verify() */ + #define CTX_CLIENT_CERT client_cert_der_1024 + #define CTX_CLIENT_CERT_NAME "client_cert_der_1024" + #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END USE_CERT_BUFFERS_1024 */ + +#elif defined(USE_CERT_BUFFERS_256) + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_256)" + #ifndef HAVE_ECC + #error "USE_CERT_BUFFERS_256 requires HAVE_ECC" + #endif + + #if (0) /* Optional SECP256K1 */ + #define HAVE_ECC_SECP256K1 + #define HAVE_ECC_KOBLITZ + #define WOLFSSL_CUSTOM_CURVES + #endif + /* + * To connect to this ESP32 server with a client from commandline: + * + * TLS 1.3, disable peer cert: + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 
4 -d + * + * TLS 1.2, disable peer cert: + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d + * + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 \ + -A ./certs/ecc/ca-secp256k1-cert.pem \ + -c ./certs/ecc/client-secp256k1-cert.pem \ + -k ./certs/ecc/secp256k1-key.pem + + ./examples/client/client -h 192.168.1.107 -p 11111 -v 4 \ + -A ./certs/ca-ecc-cert.pem \ + -c ./certs/client-ecc-cert.pem \ + -k ./certs/ecc-client-key.pem + */ + #ifdef USE_CERT_BUFFERS_2048 + #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_1024 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." + #endif + + #ifndef NO_WOLFSSL_CLIENT + #define CTX_CA_CERT ca_ecc_cert_der_256 + #define CTX_CA_CERT_SIZE sizeof_ca_ecc_cert_der_256 + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_CLIENT_KEY ecc_clikey_der_256 + #define CTX_CLIENT_KEY_SIZE sizeof_ecc_clikey_der_256 + #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Server */ + #ifndef NO_WOLFSSL_SERVER + /* wolfSSL_CTX_use_certificate_chain_buffer_format */ + #if (0) + /* serv_ecc_der_256 leaf only */ + #define CTX_SERVER_CERT serv_ecc_der_256 + #define CTX_SERVER_CERT_NAME "serv_ecc_der_256" + #define CTX_SERVER_CERT_SIZE sizeof_serv_ecc_der_256 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #else - /* Optionally define custom cert arrays, sizes, and types here */ + /* new leaf + ca, needs https://github.com/wolfSSL/wolfssl/pull/9231 */ + #define CTX_SERVER_CERT server_ecc_cert + #define CTX_SERVER_CERT_NAME "server_ecc_cert" + #define CTX_SERVER_CERT_SIZE sizeof_server_ecc_cert + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM #endif -#endif /* Conditional key and cert constant names */ + /* wolfSSL_CTX_use_PrivateKey_buffer */ + #define CTX_SERVER_KEY ecc_key_der_256 + #define CTX_SERVER_KEY_NAME "ecc_key_der_256" + #define CTX_SERVER_KEY_SIZE sizeof_ecc_key_der_256 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + + /* 
wolfSSL_CTX_load_verify_buffer */ + #define CTX_CLIENT_CERT cliecc_cert_der_256 + #define CTX_CLIENT_CERT_NAME "cliecc_cert_der_256" + #define CTX_CLIENT_CERT_SIZE sizeof_cliecc_cert_der_256 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #endif /* Server */ + /* END USE_CERT_BUFFERS_256 */ + +#endif /* USE_CERT_BUFFERS_[n] */ + +/* +./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d \ + -A ./certs/ca-ecc-cert.pem \ + -c ./certs/ecc/client-ecc-cert.pem \ + -k ./certs/ecc/ecc-key.pem +*/ /****************************************************************************** ** Sanity Checks ******************************************************************************/ diff --git a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/ld/region_peek.ld b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/ld/region_peek.ld new file mode 100644 index 0000000000..e8ca4b3ae4 --- /dev/null +++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/ld/region_peek.ld @@ -0,0 +1,9 @@ +/* ORIGIN()/LENGTH() always see the SoC memory regions: */ +INCLUDE memory.ld + +/* Region boundary symbols derived from memory.ld */ +PROVIDE(__dram0_start = ORIGIN(dram0_0_seg)); +PROVIDE(__dram0_end = ORIGIN(dram0_0_seg) + LENGTH(dram0_0_seg)); + +PROVIDE(__drom0_start = ORIGIN(drom0_0_seg)); +PROVIDE(__drom0_end = ORIGIN(drom0_0_seg) + LENGTH(drom0_0_seg)); diff --git a/IDE/Espressif/ESP-IDF/examples/template/main/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/template/main/CMakeLists.txt index 6a3deddc47..6d10c36a49 100644 --- a/IDE/Espressif/ESP-IDF/examples/template/main/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/template/main/CMakeLists.txt 
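Review bot: The default `#else #define USE_CERT_BUFFERS_2048` path loads wolfSSL's published test certificates and private keys (`server_key_der_2048`, `client_key_der_2048`, and the SM/1024/256 equivalents), so a device built from this template without touching menuconfig presents a key anyone can clone; the hunk says where to include the header but never says these are test-only. Add a caveat at that default, `/* wolfSSL test certs: the private keys are public in the wolfSSL repo, never ship these */`, and note that the 1024-bit RSA set is also below current minimum key-size guidance. Two smaller issues: the `#ifdef USE_CERT_BUFFERS_1024` check in the 256 section reports `USE_CERT_BUFFERS_256 is already defined` (should name 1024), and the `WOLFSSL_ALT_CERT_CHAINS` comment describes accepting a leaf that matches the loaded one, whereas the option as I understand it lets a chain verify once it reaches any trusted intermediate without the root, which is worth rewording so readers know what they are relaxing. Typos: `otheruse`, `referenbce`.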
@@ -4,7 +4,8 @@ # wolfssl template # message(STATUS "Begin wolfSSL main CMakeLists.txt") -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") if (idf_target STREQUAL "esp8266" OR IDF_TARGET STREQUAL "esp8266" OR IDF_VERSION_MAJOR VERSION_LESS "5.0") # `driver` component not available for ESP8266 @@ -21,9 +22,6 @@ endif() if(CMAKE_HOST_UNIX) message(STATUS "Detected UNIX") endif() -if(APPLE) - message(STATUS "Detected APPLE") -endif() if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop") # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL") diff --git a/IDE/Espressif/ESP-IDF/examples/template/main/main.c b/IDE/Espressif/ESP-IDF/examples/template/main/main.c index 6423c073f9..9288f061ad 100644 --- a/IDE/Espressif/ESP-IDF/examples/template/main/main.c +++ b/IDE/Espressif/ESP-IDF/examples/template/main/main.c 
@@ -19,19 +19,38 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -/* Espressif */ +/* + * Attention maintainers: + * + * This code is mostly mirrored between client and server examples. + * + * Please apply any updates to both. + */ +#include "sdkconfig.h" +#include "main.h" + +/* ESP specific */ #include +#include /* wolfSSL */ -/* Always include wolfcrypt/settings.h before any other wolfSSL file. */ -/* Reminder: settings.h pulls in user_settings.h; don't include it here. */ -#ifdef WOLFSSL_USER_SETTINGS +/* The wolfSSL user_settings.h is automatically included by settings.h file. + * Never explicitly include wolfSSL user_settings.h in any source file. + * The settings.h should also be listed above wolfssl library include files. */ +#if defined(WOLFSSL_USER_SETTINGS) #include - #ifndef WOLFSSL_ESPIDF - #warning "Problem with wolfSSL user_settings." - #warning "Check components/wolfssl/include" + #if defined(WOLFSSL_ESPIDF) + #include + #include + + #include + #include + #else + #error "Problem with wolfSSL user_settings. " \ + "Check components/wolfssl/include " \ + "and confirm WOLFSSL_USER_SETTINGS is defined, " \ + "typically in the component CMakeLists.txt" #endif - #include #else /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include */ /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */ 
@@ -39,16 +58,116 @@ CFLAGS +=-DWOLFSSL_USER_SETTINGS" #endif +/* Hardware; include after other libraries, + * particularly after freeRTOS from settings.h */ +#include -/* project */ +#define THIS_MONITOR_UART_RX_BUFFER_SIZE 200 + +#ifdef CONFIG_ESP8266_XTAL_FREQ_26 + /* 26MHz crystal: 74880 bps */ + #define THIS_MONITOR_UART_BAUD_DATE 74880 +#else + /* 40MHz crystal: 115200 bps */ + #define THIS_MONITOR_UART_BAUD_DATE 115200 +#endif + +/* This project */ #include "main.h" +/* +** The wolfssl component can be installed in either: +** +** - the ESP-IDF component directory +** +** ** OR ** +** +** - the local project component directory +** +** it is not recommended to install in both. +** +*/ static const char* const TAG = "My Project"; +/* entry point */ void app_main(void) { -#ifdef WOLFSSL_ESPIDF_VERBOSE_EXIT_MESSAGE - int ret = 0; + uart_config_t uart_config = { + .baud_rate = THIS_MONITOR_UART_BAUD_DATE, + .data_bits = UART_DATA_8_BITS, + .parity = UART_PARITY_DISABLE, + .stop_bits = UART_STOP_BITS_1, + }; + int stack_start = 0; + int heap_start = 0; + int heap_current = 0; + + esp_err_t ret = 0; + + stack_start = esp_sdk_stack_pointer(); + + /* uart_set_pin(UART_NUM_0, TX_PIN, RX_PIN, + * UART_PIN_NO_CHANGE, UART_PIN_NO_CHANGE); */ + + /* Some targets may need to have UART speed set, such as ESP8266 */ + ESP_LOGI(TAG, "UART init"); + uart_param_config(UART_NUM_0, &uart_config); + uart_driver_install(UART_NUM_0, + THIS_MONITOR_UART_RX_BUFFER_SIZE, 0, 0, NULL, 0); + + ESP_LOGI(TAG, "--------------- wolfSSL Template Example ---------------"); + ESP_LOGI(TAG, "--------------------------------------------------------"); + ESP_LOGI(TAG, "--------------------------------------------------------"); + ESP_LOGI(TAG, "---------------------- BEGIN MAIN ----------------------"); + ESP_LOGI(TAG, "--------------------------------------------------------"); + ESP_LOGI(TAG, "--------------------------------------------------------"); + ESP_LOGI(TAG, "Stack Start: 0x%x", 
stack_start); +#ifdef HAVE_WOLFCRYPT_WARMUP + /* Unless disabled, we'll try to allocate known, long-term heap items early + * in an attempt to avoid later allocations that may cause fragmentation. */ + ESP_ERROR_CHECK(esp_sdk_wolfssl_warmup()); +#endif +#ifdef DEBUG_WOLFSSL + /* Turn debugging on and off as needed: */ + wolfSSL_Debugging_ON(); + wolfSSL_Debugging_OFF(); +#endif +#ifdef WOLFSSL_ESP_NO_WATCHDOG + ESP_LOGW(TAG, "Found WOLFSSL_ESP_NO_WATCHDOG, disabling..."); + esp_DisableWatchdog(); +#endif + +#ifdef ESP_TASK_MAIN_STACK + ESP_LOGI(TAG, "ESP_TASK_MAIN_STACK: %d", ESP_TASK_MAIN_STACK); +#endif +#ifdef TASK_EXTRA_STACK_SIZE + ESP_LOGI(TAG, "TASK_EXTRA_STACK_SIZE: %d", TASK_EXTRA_STACK_SIZE); +#endif + +#ifdef INCLUDE_uxTaskGetStackHighWaterMark + ESP_LOGI(TAG, "CONFIG_ESP_MAIN_TASK_STACK_SIZE = %d bytes (%d words)", + CONFIG_ESP_MAIN_TASK_STACK_SIZE, + (int)(CONFIG_ESP_MAIN_TASK_STACK_SIZE / sizeof(void*))); + + /* Returns the high water mark of the stack associated with xTask. That is, + * the minimum free stack space there has been (in bytes not words, unlike + * vanilla FreeRTOS) since the task started. The smaller the returned + * number the closer the task has come to overflowing its stack. + * see Espressif esp32/api-reference/system/freertos_idf.html + */ + stack_start = uxTaskGetStackHighWaterMark(NULL); + ESP_LOGI(TAG, "Stack Start HWM: %d bytes", stack_start); +#endif + +#if defined(HAVE_VERSION_EXTENDED_INFO) + esp_ShowExtendedSystemInfo(); +#endif + + /* all platforms: stack high water mark check */ + ESP_LOGI(TAG, "Stack HWM: %d\n", uxTaskGetStackHighWaterMark(NULL)); + +#if defined (WOLFSSL_USE_TIME_HELPER) + set_time(); #endif #if !defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TEMPLATE) diff --git a/IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults b/IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults index 2a93afe056..a5e5008676 100644 --- a/IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults 
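Review bot: The UART setup in app_main discards the esp_err_t returned by `uart_param_config` and `uart_driver_install`, even though `ret` is declared for that purpose and `ESP_ERROR_CHECK` is used two statements later for the warmup; a failed driver install silently leaves the console unconfigured and the rest of the example indistinguishable from a hang. Suggest `ESP_ERROR_CHECK(uart_param_config(UART_NUM_0, &uart_config));` and `ESP_ERROR_CHECK(uart_driver_install(UART_NUM_0, THIS_MONITOR_UART_RX_BUFFER_SIZE, 0, 0, NULL, 0));`. The `WOLFSSL_ESP_NO_WATCHDOG` branch calls `esp_DisableWatchdog()` with only a log warning, and the benchmark Makefile in this same patch adds `-DWOLFSSL_ESP_NO_WATCHDOG=1` unconditionally, so the comment should state explicitly that this is for benchmarking/debug builds and must not be carried into a production image. `heap_start` and `heap_current` are unused in the visible part of the function, `wolfSSL_Debugging_ON()` followed immediately by `wolfSSL_Debugging_OFF()` is a no-op that the "as needed" comment does not explain, and `THIS_MONITOR_UART_BAUD_DATE` reads like a typo for `_BAUD_RATE`. app_main continues past the end of the hunk.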
+++ b/IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults @@ -1,18 +1,48 @@ +# sdkconfig.defaults + +# Copyright (C) 2006-2025 wolfSSL Inc. +# +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + # Set the known example app config to template example (see user_settings.h) CONFIG_WOLFSSL_EXAMPLE_NAME_TEMPLATE=y +# ------------- BEGIN COMMON SECTION ------------- + # CONFIG_EXAMPLE_WIFI_SSID="myssid" # CONFIG_EXAMPLE_WIFI_PASSWORD="mypassword" +CONFIG_EXAMPLE_CONNECT_IPV6=n +CONFIG_LWIP_IPV6=n + +# Colorization disabled by default in IDF V6+ +CONFIG_LOG_COLORS=y + # Some wolfSSL helpers CONFIG_USE_WOLFSSL_ESP_SDK_TIME=y +CONFIG_LWIP_SNTP_MAX_SERVERS=3 # sdkconfig.defaults for ESP8266 + ESP32 # See separate sdkconfig.defaults.esp8266 +# Note that during the build process, settings from sdkconfig.defaults will not override those already in sdkconfig. +CONFIG_BENCH_ARGV="-lng 0" # FreeRTOS ticks at 1ms interval CONFIG_FREERTOS_UNICORE=y CONFIG_FREERTOS_HZ=1000 -CONFIG_ESP32_DEFAULT_CPU_FREQ_240=y # # Default main stack size. See user_settings.h 
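Review bot: `CONFIG_BENCH_ARGV="-lng 0"` is added to the template project's defaults, but the diffstat shows `BENCH_ARGV` being maintained in `wolfssl_benchmark/main/Kconfig.projbuild`; if the template's Kconfig does not declare that symbol, Kconfig drops it silently and the line is dead. Either remove it here or add a comment such as `# Only used when the benchmark Kconfig.projbuild is present`. The new note "settings from sdkconfig.defaults will not override those already in sdkconfig" is a useful caveat but sits under the "for ESP8266 + ESP32" heading; it applies to every target and reads better next to the file header.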
@@ -44,28 +74,12 @@ CONFIG_ESP_TASK_WDT_EN=n CONFIG_ESP_SYSTEM_PANIC_PRINT_HALT=y CONFIG_ESP_INT_WDT=n -# ESP8266 Watchdog: -CONFIG_TASK_WDT=n -CONFIG_TASK_WDT_PANIC=n - -# ESP8266 WDT -# CONFIG_ESP_PANIC_PRINT_REBOOT is not set -CONFIG_ESP_PANIC_PRINT_REBOOT=n -CONFIG_ESP_PANIC_PRINT_HALT=y - # CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS is not set CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS=n -# ESP8266 Memory -CONFIG_FREERTOS_GLOBAL_DATA_LINK_IRAM=y -CONFIG_HEAP_DISABLE_IRAM=y - # Performance # CONFIG_COMPILER_OPTIMIZATION_PERF=y -# Set max CPU frequency (falls back as needed for lower maximum) -CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y - # Enable wolfSSL TLS in esp-tls # CONFIG_ESP_TLS_USING_WOLFSSL=y # CONFIG_TLS_STACK_WOLFSSL=y @@ -86,16 +100,9 @@ CONFIG_USE_WOLFSSL_ESP_SDK_TIME=n # CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS is not set CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS=n -# ESP8266 Memory -CONFIG_FREERTOS_GLOBAL_DATA_LINK_IRAM=y -CONFIG_HEAP_DISABLE_IRAM=y - # Performance # CONFIG_COMPILER_OPTIMIZATION_PERF=y -# Set max COU frequency (falls back as needed for lower maximum) -CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y - # FreeRTOS ticks at 1ms interval CONFIG_FREERTOS_UNICORE=y CONFIG_FREERTOS_HZ=1000 @@ -147,10 +154,6 @@ CONFIG_COMPILER_STACK_CHECK=y # CONFIG_COMPILER_DUMP_RTL_FILES is not set # end of Compiler options -# We don't know that the min is actually v2, -# but this is the earliest tested. -CONFIG_ESP32C3_REV_MIN_2=y - # # Partition Table # diff --git a/IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults.esp32c2 b/IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults.esp32c2 new file mode 100644 index 0000000000..dba65f98d0 --- /dev/null +++ b/IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults.esp32c2 
@@ -0,0 +1,37 @@
+# sdkconfig.defaults.esp32c2
+
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+
+# File Version 5.8.2.001 for esp-idf integration
+
+#
+# Main XTAL Config
+#
+CONFIG_XTAL_FREQ_26=y
+# CONFIG_XTAL_FREQ_40 is not set
+CONFIG_XTAL_FREQ=26
+# end of Main XTAL Config
+
+# Limited memory
+CONFIG_ESP_MAIN_MAIN_TASK_STACK_SIZE=10500
+CONFIG_MAIN_MAIN_TASK_STACK_SIZE=10500
+CONFIG_WOLFSSL_ALLOW_TLS12=y
+# CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13=y
+
+
diff --git a/IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults.esp8266 b/IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults.esp8266
index 77299dfe4a..4bf90cd3f1 100644
--- a/IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults.esp8266
+++ b/IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults.esp8266
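Review bot: `CONFIG_ESP_MAIN_MAIN_TASK_STACK_SIZE` and `CONFIG_MAIN_MAIN_TASK_STACK_SIZE` do not match the symbol names the esp8266 defaults in this same patch use (`CONFIG_ESP_MAIN_TASK_STACK_SIZE` / `CONFIG_MAIN_TASK_STACK_SIZE`); Kconfig silently ignores unknown symbols in sdkconfig.defaults, so the ESP32-C2 would most likely run app_main on the stock main-task stack and the "Limited memory" sizing is lost, which on a TLS handshake means a stack overflow rather than a clean failure. Suggest `CONFIG_ESP_MAIN_TASK_STACK_SIZE=10500` and `CONFIG_MAIN_TASK_STACK_SIZE=10500`. `CONFIG_WOLFSSL_ALLOW_TLS12=y` would also benefit from the one-line rationale the esp8266 file carries, e.g. `# TLS 1.2 + 1.3 needs about 10K of main-task stack`, so readers know it is a memory trade-off and not a protocol preference.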
@@ -1,3 +1,44 @@ +# sdkconfig.defaults.esp8266 + +# Copyright (C) 2006-2025 wolfSSL Inc. +# +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + +# File Version 5.8.2.001 for esp-idf integration + +# Limited memory +# TLS 1.2 only needs about 6000 bytes +# TLS 1.2 + 1.3 needs about 10K +CONFIG_ESP_MAIN_TASK_STACK_SIZE=10240 +CONFIG_MAIN_TASK_STACK_SIZE=10240 +CONFIG_WOLFSSL_ALLOW_TLS12=y + +# TLS 1.3 can be disabled on very low memory devices +# CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13=y + +# CONFIG_TCPIP_TASK_STACK_SIZE=3072 +# CONFIG_ESP_SYSTEM_EVENT_TASK_STACK_SIZE=2304 +# CONFIG_FREERTOS_IDLE_TASK_STACKSIZE=1536 +# CONFIG_FREERTOS_ISR_STACKSIZE=1536 +# CONFIG_TCP_SND_BUF_DEFAULT=5760 + +# wolfSSL sets UART to 115200 instead of 74880 default +CONFIG_CONSOLE_UART_BAUDRATE=115200 + # ESP8266 WDT # CONFIG_ESP_PANIC_PRINT_REBOOT is not set CONFIG_ESP_PANIC_PRINT_REBOOT=n diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/CMakeLists.txt index dcbd07ec52..8dfa7baaa5 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/CMakeLists.txt 
@@ -1,11 +1,35 @@ # wolfSSL Espressif Example Project CMakeLists.txt -# v1.3 +# v5.8.2.001 # # The following lines of boilerplate have to be in your project's # CMakeLists in this exact order for cmake to work correctly message(STATUS "Begin project ${CMAKE_PROJECT_NAME}") cmake_minimum_required(VERSION 3.16) +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") + +# Optionally set flag for using a private include. See wolfcrypt/port/Espressif/esp-sdk-lib.h +if( "$ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}" STREQUAL "1" ) + message(STATUS "Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variable") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") +else() + message(STATUS "CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.") +endif() + +# Different ESP-IDF versions have different lock files. +# Not starting fresh has unintuitive results. +# So force a fresh dependencies.lock by deleting the current one: +file(REMOVE "./dependencies.lock") + +# Force custom partition table regardless of IDE presets +set(PARTITION_TABLE_CUSTOM ON CACHE BOOL "" FORCE) +set(PARTITION_TABLE_FILENAME "${CMAKE_SOURCE_DIR}/partitions_singleapp_large.csv" CACHE STRING "" FORCE) + +if("${IDF_TARGET}" STREQUAL "linux") + set(COMPONENTS main) +endif() # For the main project using ESP-IDF version 6 or greater. # Numerous "dangerous relocation: call8: call target out of range: memcpy" errors encountered @@ -34,6 +58,7 @@ endif() # # Optional WOLFSSL_CMAKE_SYSTEM_NAME detection to find # USE_MY_PRIVATE_CONFIG path for my_private_config.h +# See: wolfcrypt/port/Espressif/esp-sdk-lib.h # # Expected path varies: # 
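Review bot: `file(REMOVE "./dependencies.lock")` at configure time discards the component-manager lockfile on every run, so managed component versions are re-resolved from the registry instead of being pinned; that removes the reproducibility and supply-chain guarantee the lockfile exists for, and the relative path resolves against CMake's working directory rather than the project. If the intent is only to cope with lock-format differences between ESP-IDF versions, gate it behind an explicit opt-in and use an absolute path, e.g. `if(WOLFSSL_RESET_DEPENDENCIES_LOCK)` / `file(REMOVE "${CMAKE_SOURCE_DIR}/dependencies.lock")` / `endif()`, and say in the comment that the pinned versions are being thrown away. Forcing `PARTITION_TABLE_CUSTOM` and `PARTITION_TABLE_FILENAME` with `CACHE ... FORCE` silently overrides whatever a user set in menuconfig; a comment stating that menuconfig cannot change the partition table for this project would save debugging time.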
@@ -41,6 +66,8 @@ endif() # Linux: ~/workspace # Windows: C:\workspace # + + if(WIN32) # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WINDOWS") @@ -49,9 +76,6 @@ endif() if(CMAKE_HOST_UNIX) message(STATUS "Detected UNIX") endif() -if(APPLE) - message(STATUS "Detected APPLE") -endif() if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop") # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL") @@ -63,7 +87,7 @@ if(CMAKE_HOST_UNIX AND (NOT APPLE) AND (NOT WIN32)) message(STATUS "Detected Linux") endif() if(APPLE) - # Windows-specific configuration here + # Apple-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_APPLE") message(STATUS "Detected Apple") endif() 
@@ -157,6 +181,27 @@ endif() include($ENV{IDF_PATH}/tools/cmake/project.cmake) +message(STATUS "Checking Project CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}") +# Optionally force syntax highlighting fix in Visual Studio 2022 for ESP-IDF v6 +# See https://sysprogs.com/w/forums/topic/espressif-esp-idf-v6-0-intellisense-error-invalid-value-gnu2b-in-stdgnu2b/ +# To resolve, enter the text in VisualGDB Project Properties - Intellisense Settings Tab, "Additional flags for C files": +# -std=gnu17 +# And set here: +if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" ) + set(PREFERRED_DIALECT "gnu17") + if(DEFINED IDF_VERSION_MAJOR AND IDF_VERSION_MAJOR GREATER_EQUAL 6) + message(STATUS "-- Found CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX, replacing -std=gnu2b with -std=${PREFERRED_DIALECT}") + if(CMAKE_C_COMPILER_ID MATCHES "Clang") + string(REPLACE "-std=gnu2b" "-std=${PREFERRED_DIALECT}" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + endif() + else() + message(STATUS "-- Visual Studio Intellisense Fix not needed for this ESP-IDF version=${IDF_VERSION_MAJOR}") + endif() +else() + message(STATUS "-- Not replacing -std=gnu2b with -std=${PREFERRED_DIALECT} for Viosual Studio Intellisense fix") + message(STATUS "-- To enable, define environment variable: CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=1") +endif() + # Once the project is loaded, next check for ESP-IDF version 6 or greater. # Numerous "dangerous relocation: call8: call target out of range: memcpy" errors encountered # So we'll allow long calls with the `-mlongcalls` compiler option for all components. diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/Makefile b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/Makefile index 5bdaf7fa95..dc01819f73 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/Makefile +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/Makefile 
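Review bot: In the else branch the status message expands `${PREFERRED_DIALECT}`, which is only assigned inside the if branch, so it prints `-std=` with an empty dialect; move `set(PREFERRED_DIALECT "gnu17")` above the `if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" )` so both messages are accurate, and fix `Viosual`. The `string(REPLACE "-std=gnu2b" ...)` only runs when `CMAKE_C_COMPILER_ID` matches Clang; if that is deliberate because the fix targets the IDE's IntelliSense compiler rather than the firmware toolchain, the comment should say so, since as written a reader expects the real build flags to change.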
@@ -1,7 +1,36 @@ +# ESP8266 Project Makefile for wolfssl_client # -# This is a project Makefile. It is assumed the directory this Makefile resides in is a -# project subdirectory. +# Copyright (C) 2006-2025 wolfSSL Inc. # +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA +# + +PROJECT_NAME := wolfssl_benchmark +$(info ************* wolfssl_benchmark *************) + +# ------------- BEGIN COMMON SECTION ------------- + +ifeq ($(strip $(IDF_PATH)),) + $(error IDF_PATH is not set. Please export it before running make) +endif + +# Default compiler flags +CFLAGS ?= +CXXFLAGS ?= CFLAGS += -DWOLFSSL_USER_SETTINGS 
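Review bot: The new header comment reads `# ESP8266 Project Makefile for wolfssl_client` while `PROJECT_NAME := wolfssl_benchmark` a few lines later identifies this as the benchmark project; change it to `# ESP8266 Project Makefile for wolfssl_benchmark` so the "apply updates to both" mirroring of these files does not propagate the wrong name. The `$(error IDF_PATH is not set ...)` guard is a good addition; the "BEGIN COMMON SECTION" marker suggests this block is shared across examples, so a matching `# ------------- END COMMON SECTION -------------` would make the mirrored region unambiguous.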
@@ -9,6 +38,124 @@ CFLAGS += -DWOLFSSL_USER_SETTINGS # There's an espressif NO_WATCHDOG; we don't use it, as it is reset by sdkconfig. CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 -PROJECT_NAME := wolfssl_benchmark +# Check if CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG is set to 1 in environment +ifeq ($(CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG),1) + $(info Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variablev for Makefile) + CFLAGS += -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1 + CXXFLAGS += -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1 +else + $(info CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.) +endif + +# +# This is a project Makefile. +# It is assumed the directory this Makefile resides in is a +# project subdirectory containing an entire project. +# +# Optional private config headers. Define environment variables +# to include various default header files that are typically +# not in a git path, and thus excluded from being checked in. +# +# Environment Variable Name | Header file name included +# ---------------------------------- | --------------------------------------- +# MY_PRIVATE_CONFIG (files detected / selected in header) +# USE_MY_PRIVATE_WSL_CONFIG /mnt/c/workspace/my_private_config.h +# USE_MY_PRIVATE_MAC_CONFIG ~/Documents/my_private_config.h +# USE_MY_PRIVATE_LINUX_CONFIG ~/workspace/my_private_config.h +# USE_MY_PRIVATE_WINDOWS_CONFIG /workspace/my_private_config.h +# +# + +# Optionally include component source when print path (needs work to then properly build) +# +# include components/wolfssl/component.mk + +MY_PRIVATE_CONFIG ?= n +USE_MY_PRIVATE_WSL_CONFIG ?= n +USE_MY_PRIVATE_MAC_CONFIG ?= n +USE_MY_PRIVATE_LINUX_CONFIG ?= n +USE_MY_PRIVATE_WINDOWS_CONFIG ?= n + +# Calling shell causes unintuitive error in Windows: +# OS := $(shell uname -s) +# +# But OS, or MY_PRIVATE_CONFIG should already be defined: + +ifeq ($(MY_PRIVATE_CONFIG),y) + CFLAGS += -DMY_PRIVATE_CONFIG + $(info Enabled MY_PRIVATE_CONFIG") +endif + +# Check 
for Windows environment variable: USE_MY_PRIVATE_WINDOWS_CONFIG +ifeq ($(USE_MY_PRIVATE_WINDOWS_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := /workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_WINDOWS_CONFIG + $(info Using private config file for: Windows) + endif +endif + +# Check for WSL environment variable: USE_MY_PRIVATE_WSL_CONFIG +ifeq ($(USE_MY_PRIVATE_WSL_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := /mnt/c/workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_WSL_CONFIG + $(info Using private config file for: WSL) + endif +endif + +# Check for Linux environment variable: USE_MY_PRIVATE_LINUX_CONFIG +ifeq ($(USE_MY_PRIVATE_LINUX_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := ~/workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_LINUX_CONFIG + $(info Using private config file for: Linux) + endif +endif + +# Check for Mac environment variable: USE_MY_PRIVATE_MAC_CONFIG +ifeq ($(USE_MY_PRIVATE_MAC_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. 
+ MY_CONFIG_FILE := ~/Documents/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_MAC_CONFIG + $(info Using private config file for: Mac) + endif +endif + +ifneq ($(OS),MY_PRIVATE_CONFIG) + CFLAGS += -DMY_PRIVATE_CONFIG="$(MY_PRIVATE_CONFIG)" +else + ifeq ($(OS),Linux) + CFLAGS += -DOS_LINUX + endif + ifeq ($(OS),Windows_NT) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_WINDOWS + endif + ifeq ($(OS),Darwin) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_APPLE + endif + ifneq (,$(findstring MINGW,$(OS))) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_MINGW + endif + ifneq (,$(findstring CYGWIN,$(OS))) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_CYGWIN + endif +endif + +# if there isn't the directory, please disable the line below. +EXTRA_COMPONENT_DIRS = $(IDF_PATH)/examples/common_components/protocol_examples_common +# The Standard Espressif IDF include: include $(IDF_PATH)/make/project.mk diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/README.md b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/README.md index e760db5f99..3a304b33ca 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/README.md +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/README.md @@ -113,16 +113,18 @@ WRK_IDF_PATH=/mnt/c/SysGCC/esp32-12.4/esp-idf/v5.1 WRK_IDF_PATH=/mnt/c/SysGCC/esp32-12.4/esp-idf/v5.2.1 # The most recent version: -# ESP-IDF v5.2 uses toolchain v13.2 -WRK_IDF_PATH=/mnt/c/SysGCC/esp32/esp-idf/v5.2 - +# ESP-IDF v6 from GitHub +WRK_IDF_PATH=/mnt/c/SysGCC/esp32-master/esp-idf/master +pushd $WRK_IDF_PATH . $WRK_IDF_PATH/export.sh +popd # Set target SoC idf.py set-target esp32c3 # Optionally erase +idf.py -p /dev/ttyS20 -b 115200 erase-flash # Build and flash idf.py build flash -p /dev/ttyS20 -b 115200 monitor 
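Review bot: `ifneq ($(OS),MY_PRIVATE_CONFIG)` compares the OS name against a literal string and is therefore always true, so `-DMY_PRIVATE_CONFIG="$(MY_PRIVATE_CONFIG)"` is added on every build (with the default value `n`, which any `#ifdef MY_PRIVATE_CONFIG` in the headers would still treat as enabled; worth confirming against esp-sdk-lib.h) and the OS-specific branch that defines `WOLFSSL_MAKE_SYSTEM_NAME_*` is dead code. Drop the `ifneq ($(OS),MY_PRIVATE_CONFIG)` / `CFLAGS += -DMY_PRIVATE_CONFIG="$(MY_PRIVATE_CONFIG)"` / `else` wrapper and let the OS checks run unconditionally, since `MY_PRIVATE_CONFIG` is already handled by the `ifeq ($(MY_PRIVATE_CONFIG),y)` block above. That block also has a stray quote in `$(info Enabled MY_PRIVATE_CONFIG")`, and `environment variablev` is a typo.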
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/CMakeLists.txt index a266a9c1c2..a131f06973 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/CMakeLists.txt @@ -19,7 +19,7 @@ # # cmake for wolfssl Espressif projects # -# Version 5.8.0 Espressif ESP-IDF + PlatformIO integration (2) +# Version 5.8.2 Espressif ESP-IDF + PlatformIO integration (1) # # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html # @@ -27,9 +27,18 @@ message(STATUS "Begin wolfssl ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") cmake_minimum_required(VERSION 3.16) # The scope of this CMAKE_C_FLAGS is just this component: -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") +message(STATUS "Peek CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG = $ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}") +if( "$ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}" STREQUAL "1" ) + message(STATUS "Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variable") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") +else() + message(STATUS "CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.") +endif() + set(CMAKE_CURRENT_SOURCE_DIR ".") # Optionally set your source to wolfSSL in your project CMakeLists.txt like this: @@ -48,6 +57,7 @@ set(THIS_ESP_TLS "") # LIBWOLFSSL_CMAKE_OUTPUT can be printed at runtime set(LIBWOLFSSL_CMAKE_OUTPUT "") +set(git_cmd "git") if(CMAKE_BUILD_EARLY_EXPANSION) message(STATUS "Skipping libwolfssl_output.h update during CMAKE_BUILD_EARLY_EXPANSION") 
@@ -66,6 +76,19 @@ else() "#define _LIBWOLFSSL_OUTPUT_H_\n\n") endif() +# CMakeLists.txt (project or component) +# Known RISC-V families in ESP-IDF: esp32c2, esp32c3, esp32c6, esp32h2, esp32p4 +set(_riscv_targets esp32c2 esp32c3 esp32c6 esp32h2 esp32p4) + +list(FIND _riscv_targets "${IDF_TARGET}" _idx) +if(_idx GREATER -1) + set(IS_RISCV TRUE) +else() + set(IS_RISCV FALSE) +endif() + +message(STATUS "IDF target: ${IDF_TARGET} (RISC-V: ${IS_RISCV})") + # Append messages with: # LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n"message" "0") # See function: APPEND_LIBWOLFSSL_CMAKE_OUTPUT @@ -73,8 +96,7 @@ endif() # function: IS_ESP_IDF_COMPONENT # output: RESULT = 1 (true) if this component is located in the ESP-IDF components # otherwise 0 (false) -function( IS_ESP_IDF_COMPONENT - RESULT) +function( IS_ESP_IDF_COMPONENT RESULT ) # NOTE: Component location is based on the location of the CMakeList.txt # and *not* the location of the wolfSSL source code. (which may be anywhere) 
@@ -110,60 +132,60 @@ function ( LIBWOLFSSL_SAVE_INFO VAR_OUTPUT THIS_VAR VAR_RESULT ) # if we had a successful operation, save the THIS_VAR in VAR_OUTPUT if(${IS_VALID_VALUE}) - if(0) - # Optional debug - message(STATUS "Looking for LF in ${THIS_VAR}") - endif() + if(0) + # Optional debug + message(STATUS "Looking for LF in ${THIS_VAR}") + endif() - # Check if the text to print in THIS_VAR is multi-line - string(REPLACE "\n" ";" LINES "${THIS_VAR}") - list(LENGTH LINES LINE_COUNT) - - # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def - if(LINE_COUNT GREATER 1) - message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") - add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") - - # Split into lines - string(REPLACE "\n" ";" LINES "${THIS_VAR}") - foreach(LINE IN LISTS LINES) - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") - endforeach() + # Check if the text to print in THIS_VAR is multi-line + string(REPLACE "\r" "" THIS_VAR "${THIS_VAR}") + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + list(LENGTH LINES LINE_COUNT) - # Final empty line to close the macro - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") + # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def + if(LINE_COUNT GREATER 1) + message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") + add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") - message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") - target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") - else() - message(STATUS "No 
HAS_LIBWOLFSSL_OUTPUT_HEADER") - # We should not have any, but just to be sure: - # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE - string(REPLACE "\n" "" VAR_VALUE "${THIS_VAR}") + # Split into lines + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + foreach(LINE IN LISTS LINES) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") + endforeach() + + # Final empty line to close the macro + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") - # we'll could percolate the value to the parent for possible later use - # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) + message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") + target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") + else() # 1 or zero lines in THIS_VAR + message(STATUS "Result line count=${LINE_COUNT}; Not setting HAS_LIBWOLFSSL_OUTPUT_HEADER") + # We should not have any, but just to be sure: + # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE + string(REPLACE "\n" "" THIS_VAR "${THIS_VAR}") + string(REPLACE "\r" "" VAR_VALUE "${THIS_VAR}") - # but we're only using it here in this function - set(${VAR_OUTPUT} ${VAR_VALUE}) + # we could percolate the value to the parent for possible later use + # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) - # we'll print what we found to the console - message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + # but we're only using it here in this function + set(${VAR_OUTPUT} ${VAR_VALUE}) - # the interesting part is defining the VAR_OUTPUT name a value to use in the app - add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") + # we'll print what we found to the console + message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + + # the interesting part is defining the VAR_OUTPUT name a value to use in the app + add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") endif() - else() + else() # !IS_VALID_VALUE # if we get here, check the execute_process command and parameters. 
- message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") + message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT=${VAR_RESULT} for THIS_VAR=${THIS_VAR}") set(${VAR_OUTPUT} "Unknown") - endif() - - -endfunction() # LIBWOLFSSL_SAVE_INFO + endif() # IS_VALID_VALUE +endfunction()# LIBWOLFSSL_SAVE_INFO # # APPEND_LIBWOLFSSL_CMAKE_OUTPUT(THIS_MESSAGE OUTPUT_VALUE) @@ -558,7 +580,7 @@ if(CMAKE_BUILD_EARLY_EXPANSION) "${THIS_INCLUDE_TIMER}" "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark ) - + # Do not set compile options during early expansion else() # not CMAKE_BUILD_EARLY_EXPANSION message(STATUS "************************************************************************************************") @@ -596,6 +618,15 @@ else() if(WOLFSSL_ROOT) message(STATUS "Confirmed wolfssl directory at: ${WOLFSSL_ROOT}") + # Once WOLFSSL_ROOT has been determined, see if there's a Espressif.cmake file to include + + set(WOLFSSL_ROOT_ESPRESSIF_CMAKE "${WOLFSSL_ROOT}/cmake/modules/Espressif.cmake") + if( EXISTS "${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + message(STATUS "Found WOLFSSL_ROOT_ESPRESSIF_CMAKE: ${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + include("${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + else() + message(STATUS "Not found WOLFSSL_ROOT_ESPRESSIF_CMAKE: ${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + endif() else() # Try to allow a more intuitive error that the source code was not found in cmake: set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_WARNING_SOURCE_NOT_FOUND") 
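Review bot: `add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\")` in the single-line branch, and the `file(APPEND ... "\"${LINE}\\n\" \\\n")` loop in the multi-line branch, embed git-derived text with only CR/LF stripped; a branch name, tag or remote URL containing `"` or `\` ends the C string literal early or breaks the compile line, so escape both before emitting, e.g. `string(REPLACE "\\" "\\\\" VAR_VALUE "${VAR_VALUE}")` followed by `string(REPLACE "\"" "\\\"" VAR_VALUE "${VAR_VALUE}")`. Separately, this function is fed `remote.origin.url` further down in this file; an origin of the form `https://user:token@host/...` would be compiled into the firmware image and printed by ShowExtendedSystemInfo, so I would strip any `userinfo@` portion before saving it and add a comment that every value passed here ends up in the binary. The else-branch message names `HAS_LIBWOLFSSL_OUTPUT_HEADER`, but the macro actually defined above is `HAVE_LIBWOLFSSL_OUTPUT_HEADER`.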
@@ -896,6 +927,25 @@ else() "${THIS_INCLUDE_TIMER}" "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark ) + + message(STATUS "Checking wolfSSL Component CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}") + # Optionally force syntax highlighting fix in Visual Studio 2022 for ESP-IDF v6 + # See https://sysprogs.com/w/forums/topic/espressif-esp-idf-v6-0-intellisense-error-invalid-value-gnu2b-in-stdgnu2b/ + # To resolve, enter the text in VisualGDB Project Properties - Intellisense Settings Tab, Additional flags for C files: + # -std=gnu17 + # And set here: + if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" ) + set(PREFERRED_DIALECT "gnu17") + if(DEFINED IDF_VERSION_MAJOR AND IDF_VERSION_MAJOR GREATER_EQUAL 6) + message(STATUS "-- Setting -std=${PREFERRED_DIALECT} with target_compile_options $<$:-std=${PREFERRED_DIALECT}>") + target_compile_options(${COMPONENT_LIB} PRIVATE $<$:-std=${PREFERRED_DIALECT}>) + else() + message(STATUS "-- Visual Studio Intellisense Fix not needed for this ESP-IDF version=${IDF_VERSION_MAJOR}") + endif() + else() + message(STATUS "-- Not setting -std=${PREFERRED_DIALECT} with target_compile_options for Visual Studio Intellisense Fix") + message(STATUS "-- To enable, define environment variable: CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=1") + endif() else() # Register the component simply to allow CMake to complete, but there's no wolfSSL source. # Expect many other errors, but the project should at least be loadable and UI can edit Kconfig settings. @@ -906,8 +956,7 @@ else() # function(WOLFSSL_INIT_CERT_BUNDLE) if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE AND NOT CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE - AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") - ) + AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") ) APPEND_LIBWOLFSSL_CMAKE_OUTPUT("wolfSSL Certificate Bundles Enabled") if (CMAKE_BUILD_EARLY_EXPANSION) 
@@ -1154,50 +1203,72 @@ if( EXISTS "${WOLFSSL_PROJECT_DIR}" AND EXISTS "$ENV{IDF_PATH}/components/wolfss endif() # end multiple component check - +message(STATUS "Checking for github with git_cmd='${git_cmd}' ...") execute_process( COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree" OUTPUT_VARIABLE IS_GIT_REPO OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET ) +message(STATUS "Checking for github result IS_GIT_REPO='${IS_GIT_REPO}'") # create some programmatic #define values that will be used by ShowExtendedSystemInfo(). # see wolfcrypt\src\port\Espressif\esp32_utl.c +message(STATUS "Checking for macro definitions:") if(NOT CMAKE_BUILD_EARLY_EXPANSION AND WOLFSSL_ROOT AND (IS_GIT_REPO STREQUAL "true")) set (git_cmd "git") message(STATUS "Adding macro definitions:") + # LIBWOLFSSL_VERSION_GIT_TAG: git config describe --tags --abbrev=0 + execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "describe" "--tags" "--abbrev=0" + OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") + LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_TAG "${TMP_OUT}" "${TMP_RES}") + # LIBWOLFSSL_VERSION_GIT_ORIGIN: git config --get remote.origin.url execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "config" "--get" "remote.origin.url" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_ORIGIN "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_BRANCH: git rev-parse --abbrev-ref HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--abbrev-ref" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_BRANCH "${TMP_OUT}" "${TMP_RES}") # 
LIBWOLFSSL_VERSION_GIT_HASH: git rev-parse HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_SHORT_HASH: git rev-parse --short HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--short" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_SHORT_HASH "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_HASH_DATE git show --no-patch --no-notes --pretty=\'\%cd\' execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "show" "--no-patch" "--no-notes" "--pretty=\'\%cd\'" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH_DATE "${TMP_OUT}" "${TMP_RES}") - LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT "${WOLFSSL_ROOT}" "${TMP_RES}") - +else() + message(STATUS "CMAKE_BUILD_EARLY_EXPANSION=${CMAKE_BUILD_EARLY_EXPANSION}; WOLFSSL_ROOT=${WOLFSSL_ROOT}; IS_GIT_REPO=${IS_GIT_REPO};") endif() +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT "${WOLFSSL_ROOT}" "0") +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_IDF_PATH "${THIS_IDF_PATH}" "0") + # Ensure flag "-DWOLFSSL_ESPIDF" is already in CMAKE_C_FLAGS if not yet found from project string(FIND "${CMAKE_C_FLAGS}" "-DWOLFSSL_ESPIDF" FLAG_ALRREADY_FOUND_WOLFSSL_ESPIDF) 
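Review bot: The output of `git config --get remote.origin.url` is saved verbatim as `LIBWOLFSSL_VERSION_GIT_ORIGIN`, which the comment says feeds `ShowExtendedSystemInfo()`, so a clone made with an embedded token (`https://user:TOKEN@host/...`) would ship that credential inside the firmware image and its serial output. Stripping the userinfo component before saving it is one line placed ahead of the `LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_ORIGIN …)` call: `string(REGEX REPLACE "://[^/@]*@" "://" TMP_OUT "${TMP_OUT}")`. The two new unconditional entries `LIBWOLFSSL_VERSION_WOLFSSL_ROOT` and `LIBWOLFSSL_VERSION_IDF_PATH` likewise bake absolute host paths (typically containing a user name) into the same header; that is a deliberate trade-off, but worth a comment so integrators know the generated header discloses build-host layout. Separately, the `git show --no-patch --no-notes --pretty=…` call is the only one in this block without `ERROR_QUIET`, so it is presumably an oversight rather than intent.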
@@ -1246,6 +1317,26 @@ file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n" "#endif\n" ) +# Memory peek helper +set(LINKER_REGION_PEEK "${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld") +if( CMAKE_BUILD_EARLY_EXPANSION AND EXISTS "${LINKER_REGION_PEEK}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK") + + message(STATUS "Found linker region peek helper file: ${LINKER_REGION_PEEK}") + if (COMMAND target_linker_scripts) + message(STATUS "target_linker_scripts(${COMPONENT_LIB} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld)") + target_linker_scripts(${COMPONENT_LIB} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld) + else() + # Fallback if target_linker_scripts isn't available + message(STATUS "target_linker_scripts not available, using target_link_options") + target_link_options(${COMPONENT_LIB} INTERFACE -T${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld) + set_property(TARGET ${COMPONENT_LIB} APPEND PROPERTY LINK_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld) + endif() +else() + message(STATUS "Found linker region peek helper NOT FOUND: ${LINKER_REGION_PEEK}") +endif() + message(STATUS "************************************************************************************************") message(STATUS "wolfSSL component config complete!") message(STATUS "************************************************************************************************") diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig index 22e4a0767d..e8524a8092 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/Kconfig 
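Review bot: The new linker-script block is guarded by `if( CMAKE_BUILD_EARLY_EXPANSION AND EXISTS "${LINKER_REGION_PEEK}")` yet calls `target_linker_scripts(${COMPONENT_LIB} …)` / `target_link_options(${COMPONENT_LIB} …)`; the hunk near the top of this file states compile options are deliberately not set during early expansion, and in ESP-IDF the component library target is ordinarily not created until the normal pass, so I would expect this condition to be `NOT CMAKE_BUILD_EARLY_EXPANSION` or the calls to fail silently — please confirm which pass this is meant for. The line `set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK")` is duplicated and appends the define twice. The `else()` message reads `"Found linker region peek helper NOT FOUND: …"`; `"Linker region peek helper not found: ${LINKER_REGION_PEEK}"` says what is meant.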
@@ -19,8 +19,11 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA # -# Kconfig File Version 5.7.2.001 for esp-idf integration +# Kconfig File Version 5.8.2.001 for esp-idf integration +# See the VSCode extension: nRF Kconfig by Nordic Semiconductor: +# https://marketplace.visualstudio.com/items?itemName=nordic-semiconductor.nrf-kconfig +# # Kconfig Format Rules # # See: @@ -48,106 +51,242 @@ # python -m kconfcheck # # --------------------------------------------------------------------------------------------------------------------- +# See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL +# --------------------------------------------------------------------------------------------------------------------- +# +# Note linking to ESP-IDF component: +# +# 
From: esp-idf\[version]\components\esp-tls\Kconfig +# +# menu "ESP-TLS" +# choice ESP_TLS_LIBRARY_CHOOSE +# bool "wolfSSL (License info in wolfSSL directory README)" +# select TLS_STACK_WOLFSSL +# +# Selecting TLS_STACK_WOLFSSL in ESP-TLS will be linked to this Kconfig via the +# invisible local keyword by the same name in this Kconfig, below. +# +# See setting here, just above this item: menu "wolfSSL ESP-TLS" +# +# --------------------------------------------------------------------------------------------------------------------- # Begin main wolfSSL configuration menu # --------------------------------------------------------------------------------------------------------------------- # See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL -menu "wolfSSL" +menu "wolfSSL Embedded Cryptography, SSL/TLS; FIPS 140-3" + # Warning: help token not supported here << + config ESP_WOLFSSL_WOLFCRYPT_ONLY + bool "Use wolfcrypt only" + default n + help + Enable this option to use cryptographic libraries but disable things like TLS communication. Normally not set. Enables WOLFCRYPT_ONLY + # ----------------------------------------------------------------------------------------------------------------- - menu "Hardening" - config ESP_WOLFSSL_WC_NO_HARDEN - bool "Disable wolfSSL hardening" - default n + menu "wolfSSL Algorithm Settings" + config ESP_WOLFSSL_USE_ECC + bool "Enable ECC (Elliptic Curve Cryptography) in wolfSSL" + default y help - Sets WC_NO_HARDEN + Enables ECC algorithm - config ESP_WOLFSSL_TFM_TIMING_RESISTANT - bool "Enable TFM Timing Resistant Code" - default n + config ESP_WOLFSSL_USE_RSA + bool "Enable RSA (Rivest-Shamir-Adlemanl) in wolfSSL" + default y help - Sets TFM_TIMING_RESISTANT. 
+ Enables RSA algorithm - endmenu # Hardening + config ESP_WOLFSSL_USE_SM + bool "Enable SM (Shang Mi) in wolfSSL" + default n + help + Enabled SM Cipher Suite: Macros WOLFSSL_SM2, WOLFSSL_SM3, WOLFSSL_SM4 - config ESP_WOLFSSL_ENABLE_BENCHMARK - bool "Enable wolfSSL Benchmark Library" - default n - help - Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK. + config ESP_WOLFSSL_DISABLE_ECC + bool "Disable ECC in wolfSSL" + default n + help + Enabled by default, ECC is required if you want ECDHE key exchange (and/or ECDSA). + Select this option to disable ECC. + config ESP_WOLFSSL_DISABLE_DH + bool "Disable DH in wolfSSL" + default n + help + Enabled by default, DH is required if you want DHE/FFDHE groups. + Select this option to disable DH. - menu "Benchmark Debug" - config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING - bool "Enable benchmark timing debug" - depends on ESP_WOLFSSL_ENABLE_BENCHMARK + config ESP_WOLFSSL_SHA224 + bool "Enable SHA-224" default n help - Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc). + Enables SHA224 algorithm by defining macro: WOLFSSL_SHA224 - config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG - bool "Enable benchmark timer debug" - depends on ESP_WOLFSSL_ENABLE_BENCHMARK + config ESP_WOLFSSL_SHA384 + bool "Enable SHA-384" default n help - Turn on timer debugging (used when CPU cycles not available) + Enables SHA384 algorithm by defining macro: WOLFSSL_SHA384 - endmenu # Benchmark Debug + choice + prompt "Select math library to use" - # ----------------------------------------------------------------------------------------------------------------- - # wolfCrypt Test - # ----------------------------------------------------------------------------------------------------------------- - config ESP_WOLFSSL_ENABLE_TEST - bool "Enable wolfCrypt Test Library" - default n - help - Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST. 
+ config ESP_WOLFSSL_USE_FAST_MATH + bool "Use Fast Math (default)" + + config ESP_WOLFSSL_SP_MATH + bool "Use SP Math" + + config ESP_WOLFSSL_SP_MATH_ALL + bool "Use SP Math All" - menu "wolfCrypt tests" - config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS - bool "Enable wolfCrypt Test Options" - depends on ESP_WOLFSSL_ENABLE_TEST + config ESP_WOLFSSL_USE_INTEGER_HEAP_MATH + bool "Use Integer Heap Math" + + config ESP_WOLFSSL_SP_RISCV32 + bool "Use SP Match for RISC-V Devices" + endchoice + + menu "Hardening" + config ESP_WOLFSSL_WC_NO_HARDEN + bool "Disable wolfSSL hardening" + default n + help + Sets WC_NO_HARDEN + + config ESP_WOLFSSL_TFM_TIMING_RESISTANT + bool "Enable TFM Timing Resistant Code" + default n + help + Sets TFM_TIMING_RESISTANT. + + endmenu # Hardening + endmenu # wolfSSL Algorithm Settings + + menu "wolfSSL Application Specific Tuning" + config ESP_WOLFSSL_MULTI_THREAD + bool "Set wolfSSL SINGLE_THREAD mode" default n help - Enables HAVE_WOLFCRYPT_TEST_OPTIONS + Enable to use semaphores for multi-task applications. Requires a small about of additional long term RAM. + When not selected, defines wolfSSL SINGLE_THREADED macro. The ESP32 ESP-IDF uses FreeRTOS regardless of this setting. - config TEST_ESPIDF_ALL_WOLFSSL - bool "Enable all features to use in tests" - depends on ESP_WOLFSSL_ENABLE_TEST + config ESP_WOLFSSL_STATIC_MEMORY + bool "Set wolfSSL Static Memory mode" default n help - Enables TEST_ESPIDF_ALL_WOLFSSL - - endmenu # wolfCrypt tests + Enable to use experimental static memory, no malloc. May be problematic on devices with low RAM. + When disabled, sets WOLFSSL_SMALL_STACK. The DEBUG_WOLFSSL_MALLOC is also enabled by default to + show malloc failures which may occur on low RAM devices. 
- # ----------------------------------------------------------------------------------------------------------------- - # Apple HomeKit Options - # ----------------------------------------------------------------------------------------------------------------- - menu "Apple HomeKit" - config WOLFSSL_APPLE_HOMEKIT - bool "Enable Apple HomeKit options" + config ESP_WOLFSSL_RSA_LOW_MEM + bool "RSA Low Memory Mode" default n help - Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit. - endmenu # Apple HomeKit - # ----------------------------------------------------------------------------------------------------------------- + When enabled, use have as much memory, but RSA is twice as slow. - config ESP_WOLFSSL_DISABLE_MY_ECC - bool "Disable ECC in my project" - default "n" - help - ECC is enabled by default. Select this option to disable. + # ----------------------------------------------------------------------------------------------------------------- + # Apple HomeKit Options + # ----------------------------------------------------------------------------------------------------------------- + menu "Apple HomeKit" + config WOLFSSL_APPLE_HOMEKIT + bool "Enable Apple HomeKit options" + default n + help + Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit. + endmenu # Apple HomeKit + + # ----------------------------------------------------------------------------------------------------------------- + # wolfCrypt Benchmark + # ----------------------------------------------------------------------------------------------------------------- + menu "wolfCrypt Benchmark" + config ESP_WOLFSSL_ENABLE_BENCHMARK + bool "Enable wolfSSL Benchmark Library" + default n + help + Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK. 
- config ESP_WOLFSSL_ENABLE_MY_USE_RSA - bool "Enable RSA in my project" - default "n" - help - RSA is disabled by default. Select this option to enable. + config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING + bool "Enable benchmark timing debug" + depends on ESP_WOLFSSL_ENABLE_BENCHMARK + default n + help + Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc). + + config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG + bool "Enable benchmark timer debug" + depends on ESP_WOLFSSL_ENABLE_BENCHMARK + default n + help + Turn on timer debugging (used when CPU cycles not available) + endmenu # wolfCrypt Benchmark + + # ----------------------------------------------------------------------------------------------------------------- + # wolfCrypt Test + # ----------------------------------------------------------------------------------------------------------------- + menu "wolfCrypt Test" + config ESP_WOLFSSL_ENABLE_TEST + bool "Enable wolfCrypt Test Library" + default n + help + Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST. + + config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS + bool "Enable wolfCrypt Test Options" + depends on ESP_WOLFSSL_ENABLE_TEST + default n + help + Enables HAVE_WOLFCRYPT_TEST_OPTIONS + + config TEST_ESPIDF_ALL_WOLFSSL + bool "Enable all features to use in tests" + depends on ESP_WOLFSSL_ENABLE_TEST + default n + help + Enables TEST_ESPIDF_ALL_WOLFSSL + endmenu # wolfCrypt tests + + # ----------------------------------------------------------------------------------------------------------------- + # TLS Client/Server + # ----------------------------------------------------------------------------------------------------------------- + menu "TLS Client/Server" + choice WOLFSSL_USE_TLS_CERT_EXAMPLE + prompt "Use example certificates (see user_settings.h)" + default WOLFSSL_USE_CERT_BUFFERS_2048 + help + Select which bundled example certificate set to compile in. 
+ + config WOLFSSL_USE_CERT_BUFFERS_2048 + bool "Use 2048 bit RSA cert buffers example (default)" + help + Uses example cert buffers ca_cert_der_2048, client_cert_der_2048 etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_1024 + bool "Use 1024 bit RSA cert buffers" + help + Uses example cert buffers ca_cert_der_1024, client_cert_der_1024, etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_256 + bool "Use 256 bit ECC cert buffers" + help + Uses example cert buffers ca_ecc_cert_der_256, cliecc_cert_der_256, etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_SM + bool "Use SM (Shang Mi) cert buffers" + help + Use the SM (Shang Mi) Cipher Examples + Include header: wolfssl/certs_test_sm.h + + config WOLFSSL_USE_CERT_BUFFERS_NONE + bool "Do not use the default wolfSSL certificate examples" + help + Define your own macro values for the examples. + endchoice + endmenu # TLS Client/Server + endmenu # Application Specific - config ESP_WOLFSSL_BENCHMARK - bool "Enable wolfSSL Benchmark" - default n - help - Enables user settings relevant to benchmark code config ESP_TLS_USING_WOLFSSL_SPECIFIED bool "Use the specified wolfssl for ESP-TLS" @@ -170,7 +309,7 @@ menu "wolfSSL" disabling TFM fast math provides faster wolfSSL software algorithms in an even smaller flash memory footprint. - menu "Protocol Config" + menu "wolfSSL Protocol Config" config WOLFSSL_HAVE_ALPN bool "Enable ALPN (Application Layer Protocol Negotiation) in wolfSSL" default y 
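Review bot: The prompt for `ESP_WOLFSSL_MULTI_THREAD` reads `"Set wolfSSL SINGLE_THREAD mode"` while its help says enabling it adds semaphores for multi-task use, and the user_settings.h hunk in this patch defines `SINGLE_THREADED` only when the symbol is off; a user who wants mutex-protected wolfSSL objects across FreeRTOS tasks can easily leave this unset and run without locking, which is a data-race rather than a cosmetic problem. I would change the prompt to `bool "Enable wolfSSL multi-thread support (mutexes)"` and say in the help that leaving it off defines SINGLE_THREADED. `ESP_WOLFSSL_USE_ECC` (default y) and `ESP_WOLFSSL_DISABLE_ECC` (default n) are independent symbols with no `depends on`, so both can be set at once; one should depend on or be derived from the other. The help for `WOLFSSL_USE_CERT_BUFFERS_1024` should also state that these are 1024-bit RSA test keys below current minimum strength and are for examples only. Minor: "Adlemanl", "Enabled SM Cipher Suite", and "use have as much memory" are typos.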
@@ -182,9 +321,16 @@ menu "wolfSSL" Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2. When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted. + config WOLFSSL_LOW_MEMORY_DISABLE_TLS13 + bool "Disable TLS 1.3 on known low-memory devices" + default n + help + Overrides other settings allowing TLS 1.3. Typically used for ESP8266 and ESP32C2 + devices with known memory limitations. + config WOLFSSL_ALLOW_TLS12 bool "Allow TLS 1.2" - default n + default y help Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2. When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted. 
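Review bot: `WOLFSSL_LOW_MEMORY_DISABLE_TLS13` is described as overriding every other setting that allows TLS 1.3, but it has no `select` or `depends on` relation to `WOLFSSL_ALLOW_TLS12`, so a configuration with TLS 1.3 forced off and TLS 1.2 not allowed leaves no negotiable protocol version unless something in user_settings.h outside this hunk catches it. Adding `select WOLFSSL_ALLOW_TLS12` under the new option, plus a help sentence saying it downgrades the device to TLS 1.2 only, makes the consequence explicit. Flipping `WOLFSSL_ALLOW_TLS12` to `default y` widens the accepted protocol set for every example by default; that is reasonable for compatibility, but the help should say so rather than repeating the TLS 1.3 option's wording about fallback.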
@@ -209,13 +355,63 @@ menu "wolfSSL" help Sets HAVE_OCSP + choice + prompt "Select session cache size" + default ESP_WOLFSSL_NO_SESSION_CACHE + + config ESP_WOLFSSL_NO_SESSION_CACHE + bool "No session cache is used" + help + No memory is reserved for session cache. + + config ESP_WOLFSSL_MICRO_SESSION_CACHE + bool "Micro Session Cache" + help + Uses less than 1K. Stored only 1 session for cache. + SessionCache takes about 400 bytes, ClientCache takes 576 bytes. + + config ESP_WOLFSSL_SMALL_SESSION_CACHE + bool "Small Session Cache" + help + Allows storing 6 sessions. + SessionCache takes about 2K, ClientCache takes about 3K bytes. + + config ESP_WOLFSSL_MEDIUM_SESSION_CACHE + bool "Medium Session Cache" + help + Allows for over 1,000 sessions. Consider using external memory. + + config ESP_WOLFSSL_BIG_SESSION_CACHE + bool "Big Session Cache" + help + Allows for over 20,000 sessions. Unrealistic for most ESP32 devices. + + config ESP_WOLFSSL_TITAN_SESSION_CACHE + bool "Tital Session Cache" + help + Allows for over 2 million sessions. Unrealistic for most ESP32 devices. + endchoice + + config ESP_WOLFSSL_TCP_REUSE + int "TCP Reuse" + default 0 + help + Set to 1 to allow socket reuse. + endmenu # Protocol Config # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- config TLS_STACK_WOLFSSL # Invisible option that locks TLS_STACK_WOLFSSL to ESP_TLS_USING_WOLFSSL - bool + # + # See setting in: esp-idf\[version]\components\esp-tls\Kconfig: + # + # config ESP_TLS_USING_WOLFSSL + # bool "wolfSSL (License info in wolfSSL directory README)" + # select TLS_STACK_WOLFSSL + # + bool # No prompt, invisible here. Set in ESP-TLS component default n select FREERTOS_ENABLE_BACKWARD_COMPATIBILITY help 
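Review bot: `ESP_WOLFSSL_TCP_REUSE` is declared `int "TCP Reuse"` with help "Set to 1 to allow socket reuse", which lets any integer through; if only 0 and 1 are meaningful it should be `bool "Allow TCP socket reuse (SO_REUSEADDR)"`, or at least carry `range 0 1`. The session-cache help text gives RAM figures but not that session resumption (and tickets, if enabled elsewhere) is what the cache buys, which is the trade-off a user picking "No session cache" is making; one sentence there would help. Minor: "Tital Session Cache" should be "Titan Session Cache".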
@@ -223,6 +419,7 @@ menu "wolfSSL" Enabled when wolfSSL is selected in ESP_TLS_LIBRARY_CHOOSE. menu "wolfSSL ESP-TLS" + # Enabled only when Component config - ESP-TLS - Choose SSL/TLS Library for ESP-TLS has wolfSSL selected: depends on ESP_TLS_USING_WOLFSSL menu "Certificate Bundle" @@ -255,8 +452,8 @@ menu "wolfSSL" depends on ESP_TLS_USING_WOLFSSL help Although not recommended, there may be certificates in the bundle that are missing - a serial number. This option allows the missing value without having to fully - disable strict ASN checking with WOLFSSL_NO_ASN_STRICT. + a serial number. This option allows the missing value (a zero) without having to fully + disable strict ASN checking with WOLFSSL_NO_ASN_STRICT. Note this is disallowed by RFC 5280 choice WOLFSSL_DEFAULT_CERTIFICATE_BUNDLE bool "Default certificate bundle options" @@ -323,6 +520,19 @@ menu "wolfSSL" default 200 depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + config ESP_WOLFSSL_DEBUG_CERT_BUNDLE + bool "Enable certificate bundle debug" + depends on WOLFSSL_CERTIFICATE_BUNDLE + default n + help + View debug messages for cert bundle processing. + + config ESP_WOLFSSL_OPENSSL_EXTRA + bool "Enable wolfSSL OpenSSL Extra support" + default n + help + Enable OpenSSL support: old SHA functions only available with OpenSSLL (not recommended) + endmenu endmenu # wolfSSL ESP-TLS # ----------------------------------------------------------------------------------------------------------------- @@ -429,7 +639,7 @@ menu "wolfSSL" bool "Enable ML-KEM (Kyber Post Quantum)" default n help - bool "Enable wolfSSL ML-KEM" + Enable wolfSSL ML-KEM config WOLFSSL_ENABLE_KYBER bool "Enable Kyber (Round 3)" 
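Review bot: `ESP_WOLFSSL_OPENSSL_EXTRA` is added inside the "Certificate Bundle" submenu, next to `ESP_WOLFSSL_DEBUG_CERT_BUNDLE`, but it has nothing to do with bundles and does not depend on `WOLFSSL_CERTIFICATE_BUNDLE`; it belongs at the algorithm or application-tuning level so that it is visible when bundles are off. Its help also understates the effect: OPENSSL_EXTRA compiles in a large compatibility API surface and more code, not just "old SHA functions", so I would write `Enable the OpenSSL compatibility API (OPENSSL_EXTRA). Adds code size; only needed for legacy OpenSSL-style calls (not recommended).` Minor: "OpenSSLL" is a typo.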
@@ -442,11 +652,23 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- menu "wolfSSL Debug Options" + config ESP_WOLFSSL_DEBUG_CERTS + bool "Enable wolfSSL Certificate Debugging" + default n + help + Enable debugging messages for wolfSSL certificate processing. See user_settings.h for additional debug options. + config ESP_WOLFSSL_DEBUG_WOLFSSL bool "Enable wolfSSL Debugging" default n help - Enable debugging messages for wolfSSL. See user_settings.h for additional debug options. + Enable debugging messages for wolfSSL. Includes wolfSSL Certificate Debugging (WOLFSSL_DEBUG_CERTS) See user_settings.h for additional debug options. + + config WOLFSSL_EXAMPLE_VERBOSITY + bool "Enable example verbosity" + default n + help + This is only intended to be used with examples. Excessive verbosity may have undesired effects on timing-critical code. config ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING bool "Suppress build-time warnings for main stack size" @@ -454,6 +676,12 @@ menu "wolfSSL" help Useful only when wolfSSL is running in main task. See FreeRTOS stack size for custom tasks. + config ESP_NO_DEFAULT_TASK_MONITOR + bool "Disable automatic enable of task monitoring." + default n + help + Unless disabled, ESP_MONITOR_HW_TASK_LOCK is automatically enabled in esp32-crypt.h + config ESP_WOLFSSL_TEST_LOOP bool "Run test apps in a loop until failure" default y 
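Review bot: The help for `ESP_WOLFSSL_DEBUG_WOLFSSL` now says it "Includes wolfSSL Certificate Debugging (WOLFSSL_DEBUG_CERTS)", but in the user_settings.h hunk of this same patch `DEBUG_WOLFSSL` and `WOLFSSL_DEBUG_CERTS` are each defined from their own CONFIG_ symbol with no dependency between them, so either the help is ahead of the code or the coupling happens in a wolfSSL header outside this view — please make them agree. Both debug options emit handshake and certificate details on the console; a sentence such as `Not for production builds: verbose output exposes handshake and certificate details on the serial port.` in each help would be a useful caveat. `WOLFSSL_EXAMPLE_VERBOSITY` has the same production caveat and already hints at it via the timing remark.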
@@ -465,6 +693,26 @@ menu "wolfSSL" default n help Enables experimental settings for wolfSSL. See documentation. + + config ESP_LATEST_MITIGATIONS + bool "Enable mitigation for latest ESP-IDF" + default y + help + Address any issues in latest (unreleased) ESP-IDF. Currently v6. + Known problems include SHA HW acceleration on RISC-V devices failing. + Enable this option to disable SHA HW on only ESP32-C2, C3, C6. + Only implemented in user_settings.h + + config WOLFSSL_USE_MY_PRIVATE_CONFIG + bool "Use a private include file for config" + default n + help + Sets WOLFSSL_USE_MY_PRIVATE_CONFIG for platform-specific default + config file outside of GitHub repository. + Handy for things like WiFi SSID and Passwords that are typically + not saved on GitHub. + Can also set CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG environment variable to 1 + endmenu # wolfSSL Debug Options # ----------------------------------------------------------------------------------------------------------------- @@ -482,7 +730,7 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- - menu "Component Config" + menu "wolfSSL Component Config" config IGNORE_ESP_IDF_WOLFSSL_COMPONENT bool "Ignore the ESP-IDF component of wolfSSL (if present)" default n @@ -500,7 +748,7 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- - menu "Utility Config" + menu "wolfSSL Utility Config" config USE_WOLFSSL_ESP_SDK_TIME bool "Enable wolfSSL time helper functions" default n 
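Review bot: `ESP_LATEST_MITIGATIONS` defaults to `y` and its help says it disables SHA hardware "on only ESP32-C2, C3, C6", but the matching user_settings.h hunk in this patch gates `WOLFSSL_RISCV_SHA_HW_MITIGATION` solely on `ESP_IDF_VERSION_MAJOR >= 6` with no chip check visible, so the help and the code should be reconciled (and a default-on option that changes crypto backends is odd under "wolfSSL Debug Options"). `WOLFSSL_USE_MY_PRIVATE_CONFIG` is motivated by keeping WiFi credentials out of the repository, yet the help does not say where the private file is looked up or that it must be excluded from version control; one sentence naming the expected path and a `.gitignore` reminder would close that gap.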
@@ -523,12 +771,14 @@ menu "wolfSSH" config ESP_ENABLE_WOLFSSH bool "Enable wolfSSH options" default n + # See wolfssl settings.h help Enables WOLFSSH_TERM, WOLFSSL_KEY_GEN, WOLFSSL_PTHREADS, WOLFSSH_TEST_SERVER, WOLFSSH_TEST_THREADING config ESP_WOLFSSL_DEBUG_WOLFSSH bool "Enable wolfSSH debugging" default n + # See wolfssl settings.h help Enable wolfSSH debugging macro. See user_settings.h diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h index 9c14dc9dfc..577e555bd8 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h @@ -18,8 +18,28 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ + #define WOLFSSL_ESPIDF_COMPONENT_VERSION 0x01 +/* This user_settings.h is for Espressif ESP-IDF + * + * Standardized wolfSSL Espressif ESP32 + ESP8266 user_settings.h V5.8.2-1 + * + * Do not include any wolfssl headers here. + * + * Note to maintainers: + * + * When editing this file ensure all examples match. + * The template example is the reference. + * Consider Kconfig. Managed Components do not allow editing of user_settings.h + */ +#undef WOLFSSL_ESPIDF +#define WOLFSSL_ESPIDF + +#define NO_FILESYSTEM +#define NO_OLD_TLS +#define WOLFSSL_ASN_TEMPLATE + /* Examples such as test and benchmark are known to cause watchdog timeouts. * Note this is often set in project Makefile: * CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 */ 
@@ -28,15 +48,17 @@ /* The Espressif project config file. See also sdkconfig.defaults */ #include "sdkconfig.h" -/* This user_settings.h is for Espressif ESP-IDF - * - * Standardized wolfSSL Espressif ESP32 + ESP8266 user_settings.h V5.8.2-1 certs - * - * Do not include any wolfssl headers here. - * - * When editing this file: - * ensure all examples match. The template example is the reference. - */ +/* Some mitigations are ESP-IDF version-specific. */ +#include "esp_idf_version.h" + +/* Optional mitigations for latest (unreleased) ESP-IDF v6 */ +#if defined(CONFIG_ESP_LATEST_MITIGATIONS) && CONFIG_ESP_LATEST_MITIGATIONS + #if defined(ESP_IDF_VERSION_MAJOR) && (ESP_IDF_VERSION_MAJOR >= 6) + /* There's a known issue with SHA HW accerlator on RISC-V chips in V6 + * Fixed in https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_RISCV_SHA_HW_MITIGATION 1 + #endif +#endif /* Naming convention: (see also esp32-crypt.h for the reference source). * 
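Review bot: `#include "esp_idf_version.h"` is now unconditional in a header whose comment says it serves both ESP32 and ESP8266; if the ESP8266 RTOS SDK does not ship that header (I cannot confirm from here), the include should be wrapped in the same `CONFIG_IDF_TARGET_ESP8266` guard the rest of this file uses, or the mitigation block should test `defined(ESP_IDF_VERSION_MAJOR)` via `__has_include`. The comment could also record what the mitigation does in practice, e.g. `/* Falls back to software SHA on RISC-V parts under IDF v6 */`, since `WOLFSSL_RISCV_SHA_HW_MITIGATION 1` alone does not tell a reader that a hardware accelerator is being bypassed. Minor: "accerlator" is a typo.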
@@ -81,17 +103,48 @@ ** CONFIG_IDF_TARGET_ESP32C6 */ -#undef WOLFSSL_ESPIDF -#define WOLFSSL_ESPIDF - /* Test various user_settings between applications by selecting example apps * in `idf.py menuconfig` for Example wolfSSL Configuration settings: */ /* Turn on messages that are useful to see only in examples. */ -#define WOLFSSL_EXAMPLE_VERBOSITY +#if defined(CONFIG_WOLFSSL_EXAMPLE_VERBOSITY) && \ + CONFIG_WOLFSSL_EXAMPLE_VERBOSITY + #undef WOLFSSL_EXAMPLE_VERBOSITY + #define WOLFSSL_EXAMPLE_VERBOSITY +#endif + +#if defined(CONFIG_WOLFSSL_ALT_CERT_CHAINS) && \ + CONFIG_WOLFSSL_ALT_CERT_CHAINS + #undef WOLFSSL_ALT_CERT_CHAINS + #define WOLFSSL_ALT_CERT_CHAINS +#endif + +#if defined(CONFIG_ESP_WOLFSSL_DEBUG_WOLFSSL) && \ + CONFIG_ESP_WOLFSSL_DEBUG_WOLFSSL + #define DEBUG_WOLFSSL +#endif + +#if defined(CONFIG_ESP_WOLFSSL_DEBUG_CERTS) && \ + CONFIG_ESP_WOLFSSL_DEBUG_CERTS + #define WOLFSSL_DEBUG_CERTS +#endif + +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP8266) + /* WOLFSSL_LOW_MEMORY detected at runtime for low memory warning */ + #define WOLFSSL_LOW_MEMORY +#endif /* Paths can be long, ensure the entire value printed during debug */ -#define WOLFSSL_MAX_ERROR_SZ 500 +#ifdef WOLFSSL_LOW_MEMORY + /* If too small, the error_test() will fail. */ + #define WOLFSSL_MAX_ERROR_SZ 65 + #define WOLFSSL_MSG_EX_BUF_SZ 65 +#else + #define WOLFSSL_MAX_ERROR_SZ 500 + #define WOLFSSL_MSG_EX_BUF_SZ 500 +#endif /* wolfSSL Examples: set macros used in example applications. * 
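Review bot: `WOLFSSL_ALT_CERT_CHAINS` is turned on from `CONFIG_WOLFSSL_ALT_CERT_CHAINS` with no comment, yet in wolfSSL this option relaxes chain building so a peer chain is accepted when any certificate in it is a trusted CA rather than requiring the path to end at a root in the store; that is a deliberate verification weakening and deserves a why-comment here, e.g. `/* Accepts chains that terminate at a trusted intermediate; weaker than full-root validation. */` (confirm against the wolfSSL docs for the pinned version). The new `WOLFSSL_LOW_MEMORY` branch sets `WOLFSSL_MAX_ERROR_SZ 65`, which truncates error strings the examples print; the comment should say that, so a truncated message is not mistaken for a different failure. No Kconfig symbol `WOLFSSL_ALT_CERT_CHAINS` appears in the Kconfig hunks of this patch, so it may be defined elsewhere or be dead configuration.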
@@ -116,12 +169,28 @@ /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */ /* #define USE_WOLFSSL_ESP_SDK_WIFI */ #define WOLFSSL_BENCHMARK_FIXED_UNITS_KB + #define BENCH_EMBEDDED #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT) /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_client */ - #define USE_WOLFSSL_ESP_SDK_WIFI + #if defined(CONFIG_IDF_TARGET_ESP32H2) + /* There's no WiFi on the ESP32 H2, use idf.menuconfig to enable */ + #else + /* This example will always use the wolfSSL WiFi helper */ + #define USE_WOLFSSL_ESP_SDK_WIFI + #endif + #define USE_WOLFSSL_ESP_SDK_TIME + #define NO_WOLFSSL_SERVER #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_SERVER) /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_server */ - #define USE_WOLFSSL_ESP_SDK_WIFI + #define NO_WOLFSSL_CLIENT + #if defined(CONFIG_IDF_TARGET_ESP32H2) + /* There's no WiFi on the ESP32 H2, use idf.menuconfig to enable */ + #else + /* This example will always use the wolfSSL WiFi helper */ + #define USE_WOLFSSL_ESP_SDK_WIFI + #endif + /* Even without WiFi, the wolfSSL helper has some static time settings */ + #define USE_WOLFSSL_ESP_SDK_TIME /* wolfSSH Examples */ #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE) @@ -214,6 +283,7 @@ /* See Kconfig / menuconfig ESP_WOLFSSL_ENABLE_MLKEM */ #ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM /* Kyber typically needs a minimum 10K stack */ + #define WOLFSSL_MLKEM_KYBER #define WOLFSSL_HAVE_MLKEM #define WOLFSSL_WC_MLKEM #define WOLFSSL_SHAKE128 @@ -250,6 +320,7 @@ #ifdef NO_AES #warning "Found NO_AES, wolfSSL AES Cannot be enabled. Check config." #else + #define HAVE_AESGCM #define WOLFSSL_AES #define WOLFSSL_AES_COUNTER 
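Review bot: `WOLFSSL_MLKEM_KYBER` is now defined whenever `CONFIG_ESP_WOLFSSL_ENABLE_MLKEM` is set; if it has its usual wolfSSL meaning of also compiling the pre-standard Kyber round-3 variant, this silently extends the FIPS 203 ML-KEM option to a draft algorithm that the Kconfig in this same patch exposes as a separate `WOLFSSL_ENABLE_KYBER` choice. Gating it on that symbol keeps the two options independent: `#ifdef CONFIG_WOLFSSL_ENABLE_KYBER` / `#define WOLFSSL_MLKEM_KYBER` / `#endif`. In the client and server branches the `#if defined(CONFIG_IDF_TARGET_ESP32H2)` with an empty then-body is better expressed as `#if !defined(CONFIG_IDF_TARGET_ESP32H2)` with the comment kept. The enclosing `#if`/`#elif` example-selection chain starts before and ends after this hunk.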
@@ -356,24 +427,103 @@ #endif /* See below for chipset detection from sdkconfig.h */ -/* when you want to use SINGLE THREAD. Note Default ESP-IDF is FreeRTOS */ -#define SINGLE_THREADED +/* See Kconfig: Check if Multi Thread selected in idf.py menuconfig + * Single Thread avoids RAM-consuming semaphores. + * Note Default ESP-IDF is FreeRTOS rergardless of this setting */ +#if defined(CONFIG_ESP_WOLFSSL_MULTI_THREAD) && \ + CONFIG_ESP_WOLFSSL_MULTI_THREAD + /* Unless SINGLE_THREADED defined, wolfssl assumes multi-thread. */ + /* #undef SINGLE_THREADED */ +#else + #define SINGLE_THREADED +#endif /* Small session cache saves a lot of RAM for ClientCache and SessionCache. * Memory requirement is about 5KB, otherwise 20K is needed when not specified. * If extra small footprint is needed, try MICRO_SESSION_CACHE (< 1K) * When really desperate or no TLS used, try NO_SESSION_CACHE. */ -#define NO_SESSION_CACHE +#if defined(CONFIG_ESP_WOLFSSL_TITAN_SESSION_CACHE) + /* Consider RAM requirements. Unrealistic for most ESP32 devices */ + #define TITAN_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_BIG_SESSION_CACHE) + /* Consider RAM requirements. Unrealistic for most ESP32 devices */ + #define BIG_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_MEDIUM_SESSION_CACHE) + /* Consider RAM requirements. 
*/ + #define MEDIUM_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_SMALL_SESSION_CACHE) + #define SMALL_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_MICRO_SESSION_CACHE) + #define MICRO_SESSION_CACHE +#else + #define NO_SESSION_CACHE + #define WOLFSSL_NO_TICKET +#endif + +#ifndef NO_SESSION_CACHE + #define HAVE_SESSION_TICKET +#endif + +/* See Kconfig: Check if Static Memory selected in idf.py menuconfig */ +#if defined(CONFIG_ESP_WOLFSSL_STATIC_MEMORY) && \ + CONFIG_ESP_WOLFSSL_STATIC_MEMORY + #define WOLFSSL_STATIC_MEMORY +#endif + +#if defined(WOLFSSL_STATIC_MEMORY) + #define WOLFSSL_STATIC_MEMORY + #define WOLFSSL_STATIC_MEMORY_LEAN + #define WOLFSSL_NO_MALLOC + #ifdef WOLFSSL_SMALL_STACK + #error "Cannot use WOLFSSL_SMALL_STACK with WOLFSSL_NO_MALLOC" + #endif + #if 1 + /* trap malloc failure */ + #define WOLFSSL_MALLOC_CHECK + #endif + #define HAVE_MAX_FRAGMENT + #define HAVE_TLS_EXTENSIONS -/* Small Stack uses more heap. */ -#define WOLFSSL_SMALL_STACK + #define WOLFSSL_CUSTOM_CURVES + #define HAVE_ECC_KOBLITZ + #define HAVE_ECC256 + #define NO_ECC192 + #define NO_ECC224 + #define NO_ECC384 + #define NO_ECC521 -/* Full debugging turned off, but show malloc failure detail */ -/* #define DEBUG_WOLFSSL */ -#define DEBUG_WOLFSSL_MALLOC + #ifdef HAVE_ED25519 + #undef HAVE_ED25519 + #endif + #ifdef WOLFSSL_SHA512 + #undef WOLFSSL_SHA512 + #endif + + /* multiple of 16 & 32 */ + #define WOLFMEM_IO_SZ 2048 + + #if (1) + #define USE_FAST_MATH + #else + #define SP_MATH + #define FP_ECC + #endif +#else + /* Not using static memory */ + + /* Small Stack uses more heap. */ + #define WOLFSSL_SMALL_STACK + + /* Full debugging turned off, but show malloc failure detail */ + /* #define DEBUG_WOLFSSL */ + #define DEBUG_WOLFSSL_MALLOC +#endif /* RSA_LOW_MEM: Half as much memory but twice as slow. 
*/ -#define RSA_LOW_MEM +#if defined(CONFIG_ESP_WOLFSSL_RSA_LOW_MEM) && \ + CONFIG_ESP_WOLFSSL_RSA_LOW_MEM + #define RSA_LOW_MEM +#endif /* optionally turn off SHA512/224 SHA512/256 */ /* #define WOLFSSL_NOSHA512_224 */ @@ -386,16 +536,43 @@ /* #define NO_SHA */ /* #define NO_OLD_TLS */ -#define BENCH_EMBEDDED +/* Very low memory device notice: + * TLS 1.2 typically enabled + * TLS 1.3 typically disabled + * + * See runtime warning for limited-resource devices. + * + * Typical error codes at client, talking to low-memory server: + * -125 MEMORY_E out of memory error + * -308 SOCKET_ERROR_E error state on socket + * -313 FATAL_ERROR recvd alert fatal error + */ + +#if defined(CONFIG_WOLFSSL_ALLOW_TLS12) && CONFIG_WOLFSSL_ALLOW_TLS12 + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) + /* low-memory devices with TLS 1.2 enabled */ + #endif + + /* TLS 1.2 uses extensions by default */ + #define HAVE_TLS_EXTENSIONS + +#else + /* Unless explicitly enabled, only TLS 1.3 is configured */ + #define WOLFSSL_NO_TLS12 +#endif + /* TLS 1.3 */ -#ifdef CONFIG_WOLFSSL_ALLOW_TLS13 +#if (defined(CONFIG_WOLFSSL_ALLOW_TLS13) && CONFIG_WOLFSSL_ALLOW_TLS13) && \ + !defined(CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13) #define WOLFSSL_TLS13 #define HAVE_TLS_EXTENSIONS #define HAVE_HKDF - /* May be required */ + /* AEAD May be required */ #ifndef HAVE_AEAD + /* Syntax highlighting detection only */ #endif /* Required for ECC */ 
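Review bot: Inside `#if defined(WOLFSSL_STATIC_MEMORY)` the line `#define WOLFSSL_STATIC_MEMORY` is a no-op, and the `#if 1` / `#if (1)` guards leave `SP_MATH`/`FP_ECC` as unselectable dead branches while `WOLFSSL_MALLOC_CHECK` is always on; either drop the constant guards or tie them to a Kconfig symbol so the intent is visible. The block also silently `#undef`s `HAVE_ED25519` and `WOLFSSL_SHA512` when static memory is chosen, which deserves a comment saying why (memory budget, presumably), since other sections of this file may enable them. Typo in the header comment: `rergardless` → `regardless`.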
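Review bot: With `CONFIG_WOLFSSL_ALLOW_TLS12` off and `CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13` set, this hunk defines `WOLFSSL_NO_TLS12` and skips `WOLFSSL_TLS13`, leaving no TLS version configured and no diagnostic; unless the Sanity Checks section at the end of the file already covers it, add `#if defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_TLS13) && !defined(WOLFCRYPT_ONLY)` / `#error "No TLS version enabled: allow TLS 1.2 or TLS 1.3 in menuconfig"` / `#endif` after the TLS 1.3 block. The `#if defined(CONFIG_IDF_TARGET_ESP32C2) || defined(CONFIG_IDF_TARGET_ESP8684)` body inside the TLS 1.2 branch is empty apart from a comment and can go. The TLS 1.3 block's closing lines continue outside the hunk.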
@@ -416,8 +593,32 @@
 #endif
 #endif
+/* Settings common to both TLS 1.2 and TLS 1.3 */
+#if (defined(CONFIG_WOLFSSL_ALLOW_TLS12) && CONFIG_WOLFSSL_ALLOW_TLS12) || \
+ (defined(CONFIG_WOLFSSL_ALLOW_TLS13) && CONFIG_WOLFSSL_ALLOW_TLS13)
+
+ /* ECC can optionally be disabled, but is normally enabled */
+ #if defined(ESP_WOLFSSL_DISABLE_ECC) && \
+ ESP_WOLFSSL_DISABLE_ECC
+ #undef HAVE_ECC
+ #else
+ #define HAVE_ECC
+ #endif
+
+ /* DH can optionally be disabled, but is normally enabled */
+ #if defined(ESP_WOLFSSL_DISABLE_DH) && \
+ ESP_WOLFSSL_DISABLE_DH
+ #undef HAVE_DH
+ #else
+ #define HAVE_DH
+ #endif
+
+#endif
+
+
 #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
- defined(CONFIG_IDF_TARGET_ESP8684)
+ defined(CONFIG_IDF_TARGET_ESP8684) || \
+ defined(CONFIG_IDF_TARGET_ESP8266)
 /* Optionally set smaller size here */
 #ifdef HAVE_FFDHE_4096
 /* this size may be problematic on the C2 */
@@ -427,26 +628,25 @@
 #define HAVE_FFDHE_4096
 #endif
-#define NO_FILESYSTEM
-
-#define NO_OLD_TLS
-
-#define HAVE_AESGCM
-
 /* Optional RIPEMD: RACE Integrity Primitives Evaluation Message Digest */
 /* #define WOLFSSL_RIPEMD */
 /* when you want to use SHA224 */
-#define WOLFSSL_SHA224
+#if defined(CONFIG_ESP_WOLFSSL_SHA224) && \
+ CONFIG_ESP_WOLFSSL_SHA224
+ #define WOLFSSL_SHA224
+#endif
 /* when you want to use SHA384 */
-#define WOLFSSL_SHA384
+#if defined(CONFIG_ESP_WOLFSSL_SHA384) && \
+ CONFIG_ESP_WOLFSSL_SHA384
+ #define WOLFSSL_SHA384
+#endif
 /* Some features not enabled for ESP8266: */
 #if defined(CONFIG_IDF_TARGET_ESP8266) || \
 defined(CONFIG_IDF_TARGET_ESP32C2)
 /* Some known low-memory devices have features not enabled by default. */
- /* TODO determine low memory configuration for ECC. */
 #else
 /* when you want to use SHA512 */
 #define WOLFSSL_SHA512
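Review bot: `ESP_WOLFSSL_DISABLE_ECC` and `ESP_WOLFSSL_DISABLE_DH` lack the `CONFIG_` prefix that every other menuconfig-derived symbol in this file carries, so if they are meant to be Kconfig options the disable path can never be taken from menuconfig and `HAVE_ECC`/`HAVE_DH` are always defined; use `CONFIG_ESP_WOLFSSL_DISABLE_ECC` / `CONFIG_ESP_WOLFSSL_DISABLE_DH`, or add a comment that these are compiler-flag overrides by design. The same mismatch appears in `defined(CONFIG_ESP_WOLFSSL_USE_FAST_MATH) && ESP_WOLFSSL_USE_FAST_MATH` (hunk @@ -552) and in `ESP_WOLFSSL_USE_SM` (hunk @@ -623).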
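Review bot: Dropping `#define NO_OLD_TLS` at the same time a Kconfig switch can enable TLS 1.2 means whether TLS 1.0/1.1 get compiled in now depends on the library's own defaults rather than on this file, and nothing in the diff says that is intended; keep `#define NO_OLD_TLS` explicitly (a protocol-version floor is worth stating even if redundant) or add a comment explaining why it was removed. `NO_FILESYSTEM` is removed the same way; if the examples still build without a filesystem, a comment on where that is now set would help the next reader.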
@@ -458,23 +658,17 @@
 #define HAVE_ED25519
 #endif
-#if defined(CONFIG_IDF_TARGET_ESP8266) || defined(CONFIG_IDF_TARGET_ESP32C2)
- #define MY_USE_ECC 0
- #define MY_USE_RSA 1
-#else
- #define MY_USE_ECC 1
- #define MY_USE_RSA 0
-#endif
-
-/* We can use either or both ECC and RSA, but must use at least one. */
-#if MY_USE_ECC || MY_USE_RSA
- #if MY_USE_ECC
+/* We can use either or both ECC and RSA, but must use at least one for TLS */
+#if (defined(CONFIG_ESP_WOLFSSL_USE_ECC) && CONFIG_ESP_WOLFSSL_USE_ECC) || \
+ (defined(CONFIG_ESP_WOLFSSL_USE_RSA) && CONFIG_ESP_WOLFSSL_USE_RSA)
+ /* Some ECC checks */
+ #if CONFIG_ESP_WOLFSSL_USE_ECC
 /* ---- ECDSA / ECC ---- */
 #define HAVE_ECC
+ /*
 #define HAVE_CURVE25519
 #define HAVE_ED25519
 #define WOLFSSL_SHA512
- /*
 #define HAVE_ECC384
 #define CURVE25519_SMALL
 */
@@ -485,17 +679,27 @@
 #define WOLFSSH_NO_ECDSA
 #endif
- #if MY_USE_RSA
+ #if CONFIG_ESP_WOLFSSL_USE_RSA
 /* ---- RSA ----- */
 /* #define RSA_LOW_MEM */
 /* DH disabled by default, needed if ECDSA/ECC also turned off */
 #define HAVE_DH
+ #define HAVE_RSA
 #else
+ #undef HAVE_RSA
+ #define NO_RSA
+ /* Also disable RSA if wolfSSH used */
 #define WOLFSSH_NO_RSA
 #endif
 #else
- #error "Either RSA or ECC must be enabled"
+ #if defined(CONFIG_ESP_WOLFSSL_ENABLE_MLKEM)
+ /* See above for PQ-only config */
+ #elif defined(WOLFCRYPT_ONLY)
+ /* Communications such as (D)TLS not compiled in */
+ #else
+ #warning "PQ, RSA, and ECC are disabled. Consider WOLFCRYPT_ONLY"
+ #endif
 #endif
 /* Optional OpenSSL compatibility */
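Review bot: Moving the `/*` up in the ECC branch now comments out `HAVE_CURVE25519`, `HAVE_ED25519` and `WOLFSSL_SHA512`, which were active before, so selecting ECC in menuconfig no longer enables those algorithms; if that is deliberate, say so in the comment (`/* Curve25519/Ed25519 left off by default to save flash; uncomment to enable */`), otherwise restore the three lines. The inner `#if CONFIG_ESP_WOLFSSL_USE_ECC` tests the bare symbol while the outer condition uses `defined(...) && ...`; make the two consistent so an undefined symbol does not rely on the preprocessor's silent zero.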
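Review bot: Replacing `#error "Either RSA or ECC must be enabled"` with a `#warning` lets a TLS build through with no certificate signature algorithm at all; ML-KEM is key establishment only, so the `CONFIG_ESP_WOLFSSL_ENABLE_MLKEM` branch does not give the client or server a way to authenticate a peer by certificate. Keep the hard error unless `WOLFCRYPT_ONLY` is defined (or a PSK-only configuration is explicitly selected), e.g. `#elif !defined(WOLFCRYPT_ONLY)` / `#error "RSA or ECC is required for certificate authentication; define WOLFCRYPT_ONLY for crypto-only builds"`. The `#define HAVE_DH` in the RSA branch now duplicates the TLS-common DH selection added earlier in this diff; one of them can go.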
@@ -552,21 +756,37 @@
 #define HASH_SIZE_LIMIT
 /* USE_FAST_MATH is default */
-#define USE_FAST_MATH
-
-/***** Use SP_MATH *****/
-/* #undef USE_FAST_MATH */
-/* #define SP_MATH */
-/* #define WOLFSSL_SP_MATH_ALL */
-/* #define WOLFSSL_SP_RISCV32 */
+#if defined(CONFIG_ESP_WOLFSSL_USE_FAST_MATH) && \
+ ESP_WOLFSSL_USE_FAST_MATH
+ /***** Use Fast Math *****/
+ #define USE_FAST_MATH
+ #undef WOLFSSL_SP_MATH
+ #undef WOLFSSL_SP_MATH_ALL
+ #define USE_INTEGER_HEAP_MATH
+#elif defined(CONFIG_ESP_WOLFSSL_SP_MATH) && \
+ CONFIG_ESP_WOLFSSL_SP_MATH
+ /***** Use SP_MATH *****/
+ #undef USE_FAST_MATH
+ #undef USE_INTEGER_HEAP_MATH
+ #define WOLFSSL_SP_MATH
+ #define WOLFSSL_SP_MATH_ALL
+#elif defined(CONFIG_ESP_WOLFSSL_USE_INTEGER_HEAP_MATH) && \
+ CONFIG_ESP_WOLFSSL_USE_INTEGER_HEAP_MATH
+ /***** Use Integer Heap Math *****/
+ #undef USE_FAST_MATH
+ #undef WOLFSSL_SP_MATH
+ #undef WOLFSSL_SP_MATH_ALL
+ #define USE_INTEGER_HEAP_MATH
+#else
+ #define USE_FAST_MATH
+#endif
 /***** Use Integer Heap Math *****/
 /* #undef USE_FAST_MATH */
 /* #define USE_INTEGER_HEAP_MATH */
 /* Just syntax highlighting to check math libraries: */
-#if defined(SP_MATH) || \
- defined(USE_INTEGER_HEAP_MATH) || \
+#if defined(WOLFSSL_SP_MATH) || \
 defined(USE_INTEGER_HEAP_MATH) || \
 defined(USE_FAST_MATH) || \
 defined(WOLFSSL_SP_MATH_ALL) || \
@@ -577,10 +797,6 @@
 #define HAVE_VERSION_EXTENDED_INFO
 /* #define HAVE_WC_INTROSPECTION */
-#ifndef NO_SESSION_CACHE
- #define HAVE_SESSION_TICKET
-#endif
-
 /* #define HAVE_HASHDRBG */
 #if 0
@@ -604,8 +820,6 @@
 #endif
-#define WOLFSSL_ASN_TEMPLATE
-
 /* #undef WOLFSSL_KEY_GEN
 #undef WOLFSSL_CERT_REQ
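Review bot: The first branch of the math selection defines both `USE_FAST_MATH` and `USE_INTEGER_HEAP_MATH`, while the third branch treats the two as mutually exclusive (`#undef USE_FAST_MATH` before defining the heap-math symbol) and the `#else` fallback defines only `USE_FAST_MATH`; the two "fast math" paths therefore disagree with each other. Drop `#define USE_INTEGER_HEAP_MATH` from the Fast Math branch, or add a comment explaining why both are wanted there. The now-stale `/***** Use Integer Heap Math *****/` commented block just below the new `#endif` duplicates the third branch and could be removed.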
@@ -623,11 +837,13 @@
 */
 /* optional SM4 Ciphers. See https://github.com/wolfSSL/wolfsm */
-/*
-#define WOLFSSL_SM2
-#define WOLFSSL_SM3
-#define WOLFSSL_SM4
-*/
+
+#if defined(ESP_WOLFSSL_USE_SM) && \
+ ESP_WOLFSSL_USE_SM
+ #define WOLFSSL_SM2
+ #define WOLFSSL_SM3
+ #define WOLFSSL_SM4
+#endif
 #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4)
 /* SM settings, possible cipher suites:
@@ -669,9 +885,16 @@
 #undef HAVE_AESGCM
 #define HAVE_AESGCM
-#endif
+
+ /* ByteReverseWords is known to need alignment */
+ #undef WOLFSSL_USE_ALIGN
+ #define WOLFSSL_USE_ALIGN
+#endif /* SM or regular certs */
 /* Chipset detection from sdkconfig.h
+ * See idf.py --list-targets
+ * or ESP-IDF ./components/esp_hw_support/include/esp_chip_info.h
+ * Set target example: idf.py set-target esp32s3
 * Default is HW enabled unless turned off.
 * Uncomment lines to force SW instead of HW acceleration */
 #if defined(CONFIG_IDF_TARGET_ESP32) || defined(WOLFSSL_ESPWROOM32SE)
@@ -692,7 +915,7 @@
 #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 /* no SHA224 HW on ESP32 */
 #undef ESP_RSA_MULM_BITS
- #define ESP_RSA_MULM_BITS 16 /* TODO add compile-time warning */
+ #define ESP_RSA_MULM_BITS 16
 /***** END CONFIG_IDF_TARGET_ESP32 *****/
 #elif defined(CONFIG_IDF_TARGET_ESP32S2)
@@ -736,8 +959,16 @@
 /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */
 /* These are defined automatically in esp32-crypt.h, here for clarity */
- #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C2 */
- #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C2 */
+ /* no SHA384 HW on C2 */
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384
+ /* no SHA512 HW on C2 */
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512
+
+#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION)
+ /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */
+ #define WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH
+#endif
 /* There's no AES or RSA/Math accelerator on the ESP32-C2
 * Auto defined with NO_WOLFSSL_ESP32_CRYPT_RSA_PRI, for clarity: */
@@ -756,8 +987,16 @@
 /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */
 /* These are defined automatically in esp32-crypt.h, here for clarity: */
- #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */
- #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */
+ /* no SHA384 HW on C6 */
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384
+ /* no SHA512 HW on C6 */
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512
+
+#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION)
+ /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */
+ #define WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH
+#endif
 /* #define NO_WOLFSSL_ESP32_CRYPT_AES */
 /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */
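Review bot: The mitigation flag is spelled `WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE` in the ESP32-C2 and ESP32-C3 blocks but `WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE` in the ESP32-C6 block (hunk @@ -766), so any code that checks one spelling silently misses the other targets; use `WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE` in all three. The `#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION)` lines also sit at column 0 inside an indented `#elif` chip section, which reads as if they closed the section; indent them with the surrounding defines.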
@@ -766,16 +1005,34 @@
 /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
 /***** END CONFIG_IDF_TARGET_ESP32C3 *****/
+#elif defined(CONFIG_IDF_TARGET_ESP32C5)
+ #define WOLFSSL_ESP32
+
+ /* There's no Hardware Acceleration available on ESP32-C5 */
+ #define NO_ESP32_CRYPT
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH
+ #define NO_WOLFSSL_ESP32_CRYPT_AES
+ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+ /***** END CONFIG_IDF_TARGET_ESP32C5 *****/
+
 #elif defined(CONFIG_IDF_TARGET_ESP32C6)
 #define WOLFSSL_ESP32
 /* wolfSSL HW Acceleration supported on ESP32-C6. Uncomment to disable: */
- /* #define NO_ESP32_CRYPT */
- /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */
 /* These are defined automatically in esp32-crypt.h, here for clarity: */
- #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */
- #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */
+ /* no SHA384 HW on C6 */
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384
+ /* no SHA512 HW on C6 */
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512
+
+#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION)
+ /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */
+ #define WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH
+#endif
+ /* #define NO_ESP32_CRYPT */
+ /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */
 /* #define NO_WOLFSSL_ESP32_CRYPT_AES */
 /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */
 /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */
@@ -783,7 +1040,34 @@
 /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
 /***** END CONFIG_IDF_TARGET_ESP32C6 *****/
+#elif defined(CONFIG_IDF_TARGET_ESP32C61)
+ #define WOLFSSL_ESP32
+ /* wolfSSL HW Acceleration not yet supported on ESP32-C61. */
+
+ #define NO_ESP32_CRYPT
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH
+
+ /* TODO latest WIP ESP-IDF v6 needs esp_sha_set_mode, disable for now: */
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH
+
+ /* These are defined automatically in esp32-crypt.h, here for clarity: */
+ /* no SHA384 HW on C61 */
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384
+ /* no SHA512 HW on C61 */
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512
+
+ /* HW temporarily disabled on the ESP32-C61 pending additional development.
+ * See also settings.h that should also be disabling these after v5.8.0 */
+ #define NO_WOLFSSL_ESP32_CRYPT_AES
+ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL
+ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD
+ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD
+ /***** END CONFIG_IDF_TARGET_ESP32C61 *****/
+
 #elif defined(CONFIG_IDF_TARGET_ESP32H2)
+ /* Reminder: There's no wifi on ESP32-H2 */
+ #define WOLFSSL_ESP32
 /* wolfSSL Hardware Acceleration not yet implemented */
 #define NO_ESP32_CRYPT
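Review bot: `#define NO_WOLFSSL_ESP32_CRYPT_HASH` appears twice in the new ESP32-C61 block, once directly after `NO_ESP32_CRYPT` and again under the `TODO latest WIP ESP-IDF v6 needs esp_sha_set_mode` comment; keep the commented one and drop the first so the reason stays next to the define. A short note that `NO_ESP32_CRYPT` alone already disables every accelerator on this target, and that the per-primitive defines are kept only for readability, would make the block easier to maintain when HW support lands.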
@@ -792,6 +1076,24 @@
 #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
 /***** END CONFIG_IDF_TARGET_ESP32H2 *****/
+#elif defined(CONFIG_IDF_TARGET_ESP32H21)
+ #define WOLFSSL_ESP32
+ /* wolfSSL Hardware Acceleration not yet implemented */
+ #define NO_ESP32_CRYPT
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH
+ #define NO_WOLFSSL_ESP32_CRYPT_AES
+ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+ /***** END CONFIG_IDF_TARGET_ESP32H21 *****/
+
+#elif defined(CONFIG_IDF_TARGET_ESP32H4)
+ #define WOLFSSL_ESP32
+ /* wolfSSL Hardware Acceleration not yet implemented */
+ #define NO_ESP32_CRYPT
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH
+ #define NO_WOLFSSL_ESP32_CRYPT_AES
+ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+ /***** END CONFIG_IDF_TARGET_ESP32H4 *****/
+
 #elif defined(CONFIG_IDF_TARGET_ESP32P4)
 #define WOLFSSL_ESP32
 /* wolfSSL Hardware Acceleration not yet implemented */
@@ -818,16 +1120,25 @@
 /***** END CONFIG_IDF_TARGET_ESP266 *****/
 #elif defined(CONFIG_IDF_TARGET_ESP8684)
- /* There's no Hardware Acceleration available on ESP8684 */
+ /* There's no Hardware Acceleration available on ESP8684
+ * Note that it usually presents as ESP32C2 */
 #define NO_ESP32_CRYPT
 #define NO_WOLFSSL_ESP32_CRYPT_HASH
 #define NO_WOLFSSL_ESP32_CRYPT_AES
 #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
 /***** END CONFIG_IDF_TARGET_ESP8684 *****/
+#elif defined(POSIX_LINUX)
+ /* There's no Hardware Acceleration available on POSIX/Linux simulator */
+ #define NO_ESP32_CRYPT
+ #define NO_WOLFSSL_ESP32_CRYPT_HASH
+ #define NO_WOLFSSL_ESP32_CRYPT_AES
+ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+ /***** END CONFIG_IDF_TARGET_POSIX_LINUX *****/
+
 #else
 /* Anything else encountered, disable HW acceleration */
- #warning "Unexpected CONFIG_IDF_TARGET_NN value"
+ #warning "Unexpected CONFIG_IDF_TARGET_NN value, disabling all HW crypto"
 #define NO_ESP32_CRYPT
 #define NO_WOLFSSL_ESP32_CRYPT_HASH
 #define NO_WOLFSSL_ESP32_CRYPT_AES
@@ -845,7 +1156,7 @@
 /* See idf.py menuconfig for stack warning settings */
 #if !defined(CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING)
 #if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500
- #warning "RSA may be difficult with less than 10KB Stack"
+ /* RSA may be difficult with less than 10KB Stack */
 #endif
 #else
 /* Implement your own stack warning here */
@@ -856,11 +1167,17 @@
 /* NOTE HW unreliable for small values! */
 /* threshold for performance adjustment for HW primitive use */
 /* X bits of G^X mod P greater than */
- #undef ESP_RSA_EXPT_XBITS
+ #if defined(ESP_RSA_EXPT_XBITS) && (ESP_RSA_EXPT_XBITS < 32)
+ #warning "Adjusting ESP_RSA_EXPT_XBITS to 32"
+ #undef ESP_RSA_EXPT_XBITS
+ #endif
 #define ESP_RSA_EXPT_XBITS 32
 /* X and Y of X * Y mod P greater than */
- #undef ESP_RSA_MULM_BITS
+ #if defined(ESP_RSA_MULM_BITS) && (ESP_RSA_MULM_BITS < 16)
+ #warning "Adjusting ESP_RSA_MULM_BITS to 16"
+ #undef ESP_RSA_MULM_BITS
+ #endif
 #define ESP_RSA_MULM_BITS 16
 #endif
 #endif
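Review bot: Turning `#warning "RSA may be difficult with less than 10KB Stack"` into a comment leaves `#if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500` with an empty body, so the `CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING` option now has nothing to suppress; either keep the warning (an undersized main task stack is a real runtime failure mode on these targets) or remove the empty conditional together with the Kconfig option.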
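Review bot: The new guard only `#undef`s `ESP_RSA_EXPT_XBITS` when it is below 32, but the unconditional `#define ESP_RSA_EXPT_XBITS 32` that follows still runs when a caller set a larger value, producing a macro-redefinition diagnostic and silently lowering their threshold; the same applies to `ESP_RSA_MULM_BITS`. Wrap the defaults so the clamp stays but a larger user value survives: `#ifndef ESP_RSA_EXPT_XBITS` / `#define ESP_RSA_EXPT_XBITS 32` / `#endif`, and likewise `#ifndef ESP_RSA_MULM_BITS` around `#define ESP_RSA_MULM_BITS 16`. The enclosing `#if` blocks close at the end of the hunk, so no other lines need to move.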
@@ -1016,87 +1333,313 @@ Turn on timer debugging (used when CPU cycles not available) * https://github.com/wolfSSL/wolfssl/pull/6825 * https://github.com/wolfSSL/wolfsm * - * Uncomment these 3 macros to enable the SM Ciphers and use the macros below. + * Check to see if idf.py menuconfig selected example certs, otheruse use 2048: */ - -/* -#define WOLFSSL_SM2 -#define WOLFSSL_SM3 -#define WOLFSSL_SM4 -*/ +#if defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_2048) + #define USE_CERT_BUFFERS_2048 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_1024) + #define USE_CERT_BUFFERS_1024 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_256) + #define USE_CERT_BUFFERS_256 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM) + #define WOLFSSL_SM2 + #define WOLFSSL_SM3 + #define WOLFSSL_SM4 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_NONE) + /* See user_settings.h for referenbce on defining your own cert */ +#else + #define USE_CERT_BUFFERS_2048 +#endif /* Conditional macros used in wolfSSL TLS client and server examples */ #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) - #include - #define CTX_CA_CERT root_sm2 - #define CTX_CA_CERT_SIZE sizeof_root_sm2 - #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_PEM - #define CTX_SERVER_CERT server_sm2 - #define CTX_SERVER_CERT_SIZE sizeof_server_sm2 - #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM - #define CTX_SERVER_KEY server_sm2_priv - #define CTX_SERVER_KEY_SIZE sizeof_server_sm2_priv - #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_PEM + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (SM)" - #undef WOLFSSL_BASE16 - #define WOLFSSL_BASE16 -#else - #if defined(USE_CERT_BUFFERS_2048) - #ifdef USE_CERT_BUFFERS_1024 - #error "USE_CERT_BUFFERS_1024 is already defined. Pick one." 
- #endif + #ifndef HAVE_TLS_EXTENSIONS + #error "SM Ciphers require HAVE_TLS_EXTENSIONS" + #endif + #ifndef HAVE_HKDF + #error "SM Ciphers require HAVE_HKDF" + #endif + #ifndef HAVE_ECC + #error "SM Ciphers require HAVE_ECC" + #endif + #ifndef WOLFSSL_USE_ALIGN + #warning "Define WOLFSSL_USE_ALIGN to avoid LoadStoreAlignment panic" + #endif + + #ifdef WOLFSSL_ALT_CERT_CHAINS + /* When on, wolfSSL will accept the peer if the leaf sent matches + * the one loaded, even without a CA in the path */ + #endif + + /* ./examples/client/client -h 192.168.1.107 -v 3 \ + * -l ECDHE-ECDSA-SM4-CBC-SM3 + * -c ./certs/sm2/client-sm2.pem + * -k ./certs/sm2/client-sm2-priv.pem + * -A ./certs/sm2/ca-sm2.pem -C + */ + + /* Certificate file `-c`; client command default: certs/server-cert.pem + * wolfSSL_CTX_use_certificate_chain_buffer_format + * + * Note that the PEM file of server_sm2 contains both leaf and CA + * The DER file contains only the server cert. */ + + /* Server */ + #ifndef NO_WOLFSSL_SERVER + #define CTX_SERVER_CERT server_sm2 + #define CTX_SERVER_CERT_NAME "server_sm2" + #define CTX_SERVER_CERT_SIZE sizeof_server_sm2 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM + + /* Key file `-k`; client command default: ./certs/server-key.pem + * wolfSSL_CTX_use_certificate_buffer */ + #define CTX_SERVER_KEY server_sm2_priv_der + #define CTX_SERVER_KEY_NAME "server_sm2_priv_der" + #define CTX_SERVER_KEY_SIZE sizeof_server_sm2_priv_der + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Client */ + #ifndef NO_WOLFSSL_CLIENT + #define CTX_CA_CERT root_sm2_der + #define CTX_CA_CERT_NAME "root_sm2_der" + #define CTX_CA_CERT_SIZE sizeof_root_sm2_der + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_CLIENT_KEY client_sm2_priv_der + #define CTX_CLIENT_KEY_NAME "client_sm2_priv_der" + #define CTX_CLIENT_KEY_SIZE sizeof_client_sm2_priv_der + #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Client Cert. 
+ * This is also the optional peer verify certificate at server */ + #define CTX_CLIENT_CERT client_sm2_der + #define CTX_CLIENT_CERT_NAME "client_sm2_der" + #define CTX_CLIENT_CERT_SIZE sizeof_client_sm2_der + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END SM */ - /* Be sure to include in app, not here, when using example certs: */ - /* #include */ +#elif defined(USE_CERT_BUFFERS_2048) + /* + * To connect to ESP32 server with a client from commandline: + * + * The client uses 2048 certs by default, so no certs needed on commandline: + * + * TLS 1.2 + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 + * + * TLS 1.3 + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 4 + */ + + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_2048)" + + #ifdef USE_CERT_BUFFERS_1024 + #error "USE_CERT_BUFFERS_1024 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_256 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." 
+ #endif + #if defined(NO_RSA) + #error "RSA is needed to use CERT_BUFFERS_2048 example" + #endif + /* Client */ + #ifndef NO_WOLFSSL_CLIENT #define CTX_CA_CERT ca_cert_der_2048 #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_2048 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_SERVER_CERT server_cert_der_2048 - #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048 - #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_SERVER_KEY server_key_der_2048 - #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_2048 - #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 - - #define CTX_CLIENT_CERT client_cert_der_2048 - #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048 - #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #define CTX_CLIENT_KEY client_key_der_2048 #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_2048 #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif - #elif defined(USE_CERT_BUFFERS_1024) - #ifdef USE_CERT_BUFFERS_2048 - #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." 
+ /* Server */ + #ifndef NO_WOLFSSL_SERVER + #if (0) + /* No PEM certs available at this time */ + #define CTX_SERVER_CERT server_cert_2048 + #define CTX_SERVER_CERT_NAME "server_cert_2048" + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_2048 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM + + #define CTX_SERVER_KEY server_key_2048 + #define CTX_SERVER_KEY_NAME "server_key_2048" + #define CTX_SERVER_KEY_SIZE sizeof_server_key_2048 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_PEM + #else + #define CTX_SERVER_CERT server_cert_der_2048 + #define CTX_SERVER_CERT_NAME "server_cert_der_2048" + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_SERVER_KEY server_key_der_2048 + #define CTX_SERVER_KEY_NAME "server_key_der_2048" + #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_2048 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 #endif + #endif /* server */ + + /* -A Client peer verify at the server + * defaults: ./examples/client/client -v 3 -h 192.168.1.107 */ + #define CTX_CLIENT_CERT client_cert_der_2048 + #define CTX_CLIENT_CERT_NAME "client_cert_der_2048" + #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END USE_CERT_BUFFERS_2048 */ - /* Be sure to include in app, not here, when using example certs: */ - /* #include */ +#elif defined(USE_CERT_BUFFERS_1024) + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_1024)" + /* + * To connect to ESP32 server with a client from commandline: + * + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d \ + -A ./certs/1024/ca-cert.pem \ + -c ./certs/1024/client-cert.pem \ + -k ./certs/1024/client-key.pem -C + */ + #ifdef USE_CERT_BUFFERS_2048 + #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_256 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." 
+ #endif + + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + /* Client */ + #ifndef NO_WOLFSSL_CLIENT #define CTX_CA_CERT ca_cert_der_1024 + #define CTX_CA_CERT_NAME "ca_cert_der_1024" #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_1024 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_CLIENT_CERT client_cert_der_1024 - #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024 - #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #define CTX_CLIENT_KEY client_key_der_1024 #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_1024 #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + /* Server */ + #ifndef NO_WOLFSSL_SERVER #define CTX_SERVER_CERT server_cert_der_1024 + #define CTX_SERVER_CERT_NAME "server_cert_der_1024" #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_1024 #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + #define CTX_SERVER_KEY server_key_der_1024 + #define CTX_SERVER_KEY_NAME "server_key_der_1024" #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_1024 #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Optional shared client peer verify for wolfSSL_CTX_set_verify() */ + #define CTX_CLIENT_CERT client_cert_der_1024 + #define CTX_CLIENT_CERT_NAME "client_cert_der_1024" + #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END USE_CERT_BUFFERS_1024 */ + +#elif defined(USE_CERT_BUFFERS_256) + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_256)" + #ifndef HAVE_ECC + #error "USE_CERT_BUFFERS_256 requires HAVE_ECC" + #endif + + #if (0) /* Optional SECP256K1 */ + #define HAVE_ECC_SECP256K1 + #define HAVE_ECC_KOBLITZ + #define WOLFSSL_CUSTOM_CURVES + #endif + /* + * To connect to this ESP32 server with a client from commandline: + * + * TLS 1.3, disable peer cert: + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 
4 -d + * + * TLS 1.2, disable peer cert: + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d + * + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 \ + -A ./certs/ecc/ca-secp256k1-cert.pem \ + -c ./certs/ecc/client-secp256k1-cert.pem \ + -k ./certs/ecc/secp256k1-key.pem + + ./examples/client/client -h 192.168.1.107 -p 11111 -v 4 \ + -A ./certs/ca-ecc-cert.pem \ + -c ./certs/client-ecc-cert.pem \ + -k ./certs/ecc-client-key.pem + */ + #ifdef USE_CERT_BUFFERS_2048 + #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_1024 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." + #endif + + #ifndef NO_WOLFSSL_CLIENT + #define CTX_CA_CERT ca_ecc_cert_der_256 + #define CTX_CA_CERT_SIZE sizeof_ca_ecc_cert_der_256 + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_CLIENT_KEY ecc_clikey_der_256 + #define CTX_CLIENT_KEY_SIZE sizeof_ecc_clikey_der_256 + #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Server */ + #ifndef NO_WOLFSSL_SERVER + /* wolfSSL_CTX_use_certificate_chain_buffer_format */ + #if (0) + /* serv_ecc_der_256 leaf only */ + #define CTX_SERVER_CERT serv_ecc_der_256 + #define CTX_SERVER_CERT_NAME "serv_ecc_der_256" + #define CTX_SERVER_CERT_SIZE sizeof_serv_ecc_der_256 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #else - /* Optionally define custom cert arrays, sizes, and types here */ + /* new leaf + ca, needs https://github.com/wolfSSL/wolfssl/pull/9231 */ + #define CTX_SERVER_CERT server_ecc_cert + #define CTX_SERVER_CERT_NAME "server_ecc_cert" + #define CTX_SERVER_CERT_SIZE sizeof_server_ecc_cert + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM #endif -#endif /* Conditional key and cert constant names */ + /* wolfSSL_CTX_use_PrivateKey_buffer */ + #define CTX_SERVER_KEY ecc_key_der_256 + #define CTX_SERVER_KEY_NAME "ecc_key_der_256" + #define CTX_SERVER_KEY_SIZE sizeof_ecc_key_der_256 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + + /* 
wolfSSL_CTX_load_verify_buffer */ + #define CTX_CLIENT_CERT cliecc_cert_der_256 + #define CTX_CLIENT_CERT_NAME "cliecc_cert_der_256" + #define CTX_CLIENT_CERT_SIZE sizeof_cliecc_cert_der_256 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #endif /* Server */ + /* END USE_CERT_BUFFERS_256 */ + +#endif /* USE_CERT_BUFFERS_[n] */ + +/* +./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d \ + -A ./certs/ca-ecc-cert.pem \ + -c ./certs/ecc/client-ecc-cert.pem \ + -k ./certs/ecc/ecc-key.pem +*/ /****************************************************************************** ** Sanity Checks ******************************************************************************/ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/ld/region_peek.ld b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/ld/region_peek.ld new file mode 100644 index 0000000000..e8ca4b3ae4 --- /dev/null +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/ld/region_peek.ld @@ -0,0 +1,9 @@ +/* ORIGIN()/LENGTH() always see the SoC memory regions: */ +INCLUDE memory.ld + +/* Region boundary symbols derived from memory.ld */ +PROVIDE(__dram0_start = ORIGIN(dram0_0_seg)); +PROVIDE(__dram0_end = ORIGIN(dram0_0_seg) + LENGTH(dram0_0_seg)); + +PROVIDE(__drom0_start = ORIGIN(drom0_0_seg)); +PROVIDE(__drom0_end = ORIGIN(drom0_0_seg) + LENGTH(drom0_0_seg)); diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/CMakeLists.txt index 5166065a31..714770174a 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/CMakeLists.txt 
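Review bot: In the `USE_CERT_BUFFERS_256` section the check `#ifdef USE_CERT_BUFFERS_1024` reports the wrong symbol: `#error "USE_CERT_BUFFERS_256 is already defined. Pick one."` should read `#error "USE_CERT_BUFFERS_1024 is already defined. Pick one."`. The `USE_CERT_BUFFERS_1024` section also lacks the `#if defined(NO_RSA)` / `#error` guard that the 2048 section has, and since 1024-bit RSA is below current minimum key sizes its header should state these are test-only certificates, e.g. `/* Test certs only: RSA-1024 is not suitable for production use */`. The `#ifdef WOLFSSL_ALT_CERT_CHAINS` block in the SM section is an empty conditional holding only a comment; fold that text into a plain comment. Typos: `otheruse` → `otherwise`, `referenbce` → `reference`.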
@@ -4,7 +4,8 @@
 # wolfssl benchmark test
 #
 message(STATUS "Begin wolfSSL main CMakeLists.txt")
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS")
 if (idf_target STREQUAL "esp8266" OR IDF_TARGET STREQUAL "esp8266" OR IDF_VERSION_MAJOR VERSION_LESS "5.0")
 # `driver` component not available for ESP8266
@@ -21,9 +22,6 @@ endif()
 if(CMAKE_HOST_UNIX)
 message(STATUS "Detected UNIX")
 endif()
-if(APPLE)
- message(STATUS "Detected APPLE")
-endif()
 if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop")
 # Windows-specific configuration here
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL")
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/Kconfig.projbuild b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/Kconfig.projbuild
index cb935d1afe..1f71792c20 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/Kconfig.projbuild
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/Kconfig.projbuild
@@ -21,7 +21,7 @@
 # Kconfig File Version 5.7.2.001 for wolfssl_template
-menu "Example Configuration"
+menu "Example wolfSSL Configuration"
 choice WOLFSSL_EXAMPLE_CHOOSE
 prompt "Choose Example (See wolfssl/include/user_settings.h)"
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/main.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/main.c
index a99320ab59..c1782c2955 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/main.c
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/main.c
@@ -24,8 +24,8 @@ #include /* wolfSSL */ -/* The wolfSSL user_settings.h file is automatically included by the settings.h - * file and should never be explicitly included in any other source files. +/* The wolfSSL user_settings.h is automatically included by settings.h file. + * Never explicitly include wolfSSL user_settings.h in any source file. * The settings.h should also be listed above wolfssl library include files. */ #if defined(WOLFSSL_USER_SETTINGS) #include @@ -152,6 +152,12 @@ void my_atmel_free(int slotId) #endif /* CUSTOM_SLOT_ALLOCATION */ #endif /* WOLFSSL_ESPWROOM32SE && HAVE_PK_CALLBACK && WOLFSSL_ATECC508A */ +/* check BENCH_ARGV in sdkconfig to determine need to set WOLFSSL_BENCH_ARGV */ +#ifdef CONFIG_BENCH_ARGV + #define WOLFSSL_BENCH_ARGV CONFIG_BENCH_ARGV + #define WOLFSSL_BENCH_ARGV_MAX_ARGUMENTS 22 /* arbitrary number max args */ +#endif + /* the following are needed by benchmark.c with args */ #ifdef WOLFSSL_BENCH_ARGV char* __argv[WOLFSSL_BENCH_ARGV_MAX_ARGUMENTS]; @@ -227,7 +233,9 @@ void app_main(void) .stop_bits = UART_STOP_BITS_1, }; int stack_start = 0; - word32 loops = 0; + int heap_start = 0; + int heap_current = 0; + int loops = 0; esp_err_t ret = 0; stack_start = esp_sdk_stack_pointer(); 
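Review bot: In the `@@ -152,6 +152,12 @@` hunk, `WOLFSSL_BENCH_ARGV_MAX_ARGUMENTS` is hard-coded to 22 inside the `#ifdef CONFIG_BENCH_ARGV` block while `CONFIG_BENCH_ARGV` is a free-form sdkconfig string; whatever tokenizes that string into `__argv[]` (not in this hunk) must stop at this bound, otherwise a long argument list overruns the array. Wrapping both definitions in `#ifndef` guards would also avoid a redefinition clash if user_settings.h already supplies them: `#ifndef WOLFSSL_BENCH_ARGV_MAX_ARGUMENTS` / `#define WOLFSSL_BENCH_ARGV_MAX_ARGUMENTS 22 /* bound for __argv[] */` / `#endif`. The third hunk narrows `loops` from `word32` to `int`; its uses are outside the hunk, so confirm no unsigned comparison or wrap-around behaviour depended on the old type.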
@@ -247,19 +255,55 @@ void app_main(void) ESP_LOGI(TAG, "---------------------- BEGIN MAIN ----------------------"); ESP_LOGI(TAG, "--------------------------------------------------------"); ESP_LOGI(TAG, "--------------------------------------------------------"); + ESP_LOGI(TAG, "app_main CONFIG_BENCH_ARGV = %s", WOLFSSL_BENCH_ARGV); ESP_LOGI(TAG, "Stack Start: 0x%x", stack_start); - +#ifdef HAVE_WOLFCRYPT_WARMUP + /* Unless disabled, we'll try to allocate known, long-term heap items early + * in an attempt to avoid later allocations that may cause fragmentation. */ + ESP_ERROR_CHECK(esp_sdk_wolfssl_warmup()); +#endif +#ifdef DEBUG_WOLFSSL + /* Turn debugging on and off as needed: */ + wolfSSL_Debugging_ON(); + wolfSSL_Debugging_OFF(); +#endif #ifdef WOLFSSL_ESP_NO_WATCHDOG ESP_LOGW(TAG, "Found WOLFSSL_ESP_NO_WATCHDOG, disabling..."); esp_DisableWatchdog(); #endif -#if defined(HAVE_VERSION_EXTENDED_INFO) && defined(WOLFSSL_HAS_METRICS) +#ifdef ESP_TASK_MAIN_STACK + ESP_LOGI(TAG, "ESP_TASK_MAIN_STACK: %d", ESP_TASK_MAIN_STACK); +#endif +#ifdef TASK_EXTRA_STACK_SIZE + ESP_LOGI(TAG, "TASK_EXTRA_STACK_SIZE: %d", TASK_EXTRA_STACK_SIZE); +#endif + +#ifdef INCLUDE_uxTaskGetStackHighWaterMark + ESP_LOGI(TAG, "CONFIG_ESP_MAIN_TASK_STACK_SIZE = %d bytes (%d words)", + CONFIG_ESP_MAIN_TASK_STACK_SIZE, + (int)(CONFIG_ESP_MAIN_TASK_STACK_SIZE / sizeof(void*))); + + /* Returns the high water mark of the stack associated with xTask. That is, + * the minimum free stack space there has been (in bytes not words, unlike + * vanilla FreeRTOS) since the task started. The smaller the returned + * number the closer the task has come to overflowing its stack. 
+ * see Espressif esp32/api-reference/system/freertos_idf.html + */ + stack_start = uxTaskGetStackHighWaterMark(NULL); + ESP_LOGI(TAG, "Stack Start HWM: %d bytes", stack_start); +#endif + +#if defined(HAVE_VERSION_EXTENDED_INFO) esp_ShowExtendedSystemInfo(); #endif /* all platforms: stack high water mark check */ - ESP_LOGI(TAG, "app_main CONFIG_BENCH_ARGV = %s", WOLFSSL_BENCH_ARGV); + ESP_LOGI(TAG, "Stack HWM: %d\n", uxTaskGetStackHighWaterMark(NULL)); + +#if defined (WOLFSSL_USE_TIME_HELPER) + set_time(); +#endif /* when using atecc608a on esp32-wroom-32se */ #if defined(WOLFSSL_ESPWROOM32SE) && defined(HAVE_PK_CALLBACKS) \ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults index bc63cebf8b..5d88acee2e 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults 
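Review bot: The new `ESP_LOGI(TAG, "Stack HWM: %d\n", uxTaskGetStackHighWaterMark(NULL));` after the `all platforms` comment calls the function unconditionally, while the block a few lines above only calls it under `#ifdef INCLUDE_uxTaskGetStackHighWaterMark`; a build without that FreeRTOS option fails on the second call, so wrap it in the same guard or drop the guard on the first. Assigning the high-water mark into `stack_start` also discards the stack pointer captured at the top of `app_main` and mislabels the log line; a separate local such as `int stack_hwm = uxTaskGetStackHighWaterMark(NULL);` keeps both values. The `wolfSSL_Debugging_ON(); wolfSSL_Debugging_OFF();` pair is a no-op as written; if it is meant as a template, a comment such as `/* keep exactly one of these two calls */` would stop readers assuming debug output is enabled. `app_main` starts and ends outside this hunk.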
@@ -1,11 +1,40 @@ +# sdkconfig.defaults + +# Copyright (C) 2006-2025 wolfSSL Inc. +# +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + # Set the known example app config to template example (see user_settings.h) CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK=y +# ------------- BEGIN COMMON SECTION ------------- + # CONFIG_EXAMPLE_WIFI_SSID="myssid" # CONFIG_EXAMPLE_WIFI_PASSWORD="mypassword" +CONFIG_EXAMPLE_CONNECT_IPV6=n +CONFIG_LWIP_IPV6=n + +# Colorization disabled by default in IDF V6+ +CONFIG_LOG_COLORS=y + # Some wolfSSL helpers CONFIG_USE_WOLFSSL_ESP_SDK_TIME=y +CONFIG_LWIP_SNTP_MAX_SERVERS=3 # sdkconfig.defaults for ESP8266 + ESP32 # See separate sdkconfig.defaults.esp8266 @@ -149,10 +178,6 @@ CONFIG_COMPILER_STACK_CHECK=y # CONFIG_COMPILER_DUMP_RTL_FILES is not set # end of Compiler options -# We don't know that the min is actually v2, -# but this is the earliest tested. -CONFIG_ESP32C3_REV_MIN_2=y - # # Partition Table # diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults.esp32c2 b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults.esp32c2 new file mode 100644 index 0000000000..dba65f98d0 --- /dev/null +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults.esp32c2 
@@ -0,0 +1,37 @@ +# sdkconfig.defaults.esp32c2 + +# Copyright (C) 2006-2025 wolfSSL Inc. +# +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + +# File Version 5.8.2.001 for esp-idf integration + +# +# Main XTAL Config +# +CONFIG_XTAL_FREQ_26=y +# CONFIG_XTAL_FREQ_40 is not set +CONFIG_XTAL_FREQ=26 +# end of Main XTAL Config + +# Limited memory +CONFIG_ESP_MAIN_MAIN_TASK_STACK_SIZE=10500 +CONFIG_MAIN_MAIN_TASK_STACK_SIZE=10500 +CONFIG_WOLFSSL_ALLOW_TLS12=y +# CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13=y + + diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults.esp8266 b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults.esp8266 index 77299dfe4a..63c491ec8e 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults.esp8266 +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults.esp8266 
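Review bot: `CONFIG_ESP_MAIN_MAIN_TASK_STACK_SIZE=10500` and `CONFIG_MAIN_MAIN_TASK_STACK_SIZE=10500` in the `Limited memory` section look like typos for the names the esp8266 defaults in this same commit use, `CONFIG_ESP_MAIN_TASK_STACK_SIZE` and `CONFIG_MAIN_TASK_STACK_SIZE`; an unknown symbol in sdkconfig.defaults is typically dropped with only a warning, so the ESP32-C2 would keep the stock main-task stack and the intended sizing would never apply. Suggest `CONFIG_ESP_MAIN_TASK_STACK_SIZE=10500` and `CONFIG_MAIN_TASK_STACK_SIZE=10500`. Since the file also sets `CONFIG_WOLFSSL_ALLOW_TLS12=y`, a one-line comment stating why TLS 1.2 is re-enabled on this target (memory) would let readers judge the protocol downgrade.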
@@ -1,3 +1,42 @@ +# sdkconfig.defaults.esp328266 + +# Copyright (C) 2006-2025 wolfSSL Inc. +# +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + +# File Version 5.8.2.001 for esp-idf integration + +# Limited memory +CONFIG_ESP_MAIN_TASK_STACK_SIZE=7500 +CONFIG_MAIN_TASK_STACK_SIZE=7500 +CONFIG_WOLFSSL_ALLOW_TLS12=y + +# TLS 1.3 can be disabled on very low memory devices +# CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13=y + +# CONFIG_TCPIP_TASK_STACK_SIZE=3072 +# CONFIG_ESP_SYSTEM_EVENT_TASK_STACK_SIZE=2304 +# CONFIG_FREERTOS_IDLE_TASK_STACKSIZE=1536 +# CONFIG_FREERTOS_ISR_STACKSIZE=1536 +# CONFIG_TCP_SND_BUF_DEFAULT=5760 + +# wolfSSL sets UART to 115200 instead of 74880 default +CONFIG_CONSOLE_UART_BAUDRATE=115200 + # ESP8266 WDT # CONFIG_ESP_PANIC_PRINT_REBOOT is not set CONFIG_ESP_PANIC_PRINT_REBOOT=n diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/CMakeLists.txt index caa597d16e..c0c4b2c824 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/CMakeLists.txt 
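Review bot: The new header comment names the file `sdkconfig.defaults.esp328266` but the file is `sdkconfig.defaults.esp8266`; suggest `# sdkconfig.defaults.esp8266`. The commented-out `CONFIG_TCPIP_TASK_STACK_SIZE` / `CONFIG_FREERTOS_*_STACKSIZE` lines carry no explanation of when they should be enabled or whether the values were validated; a short note stating that would keep later readers from enabling them blind.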
@@ -1,11 +1,35 @@ # wolfSSL Espressif Example Project CMakeLists.txt -# v1.3 +# v5.8.2.001 # # The following lines of boilerplate have to be in your project's # CMakeLists in this exact order for cmake to work correctly message(STATUS "Begin project ${CMAKE_PROJECT_NAME}") cmake_minimum_required(VERSION 3.16) +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") + +# Optionally set flag for using a private include. See wolfcrypt/port/Espressif/esp-sdk-lib.h +if( "$ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}" STREQUAL "1" ) + message(STATUS "Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variable") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") +else() + message(STATUS "CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.") +endif() + +# Different ESP-IDF versions have different lock files. +# Not starting fresh has unintuitive results. +# So force a fresh dependencies.lock by deleting the current one: +file(REMOVE "./dependencies.lock") + +# Force custom partition table regardless of IDE presets +set(PARTITION_TABLE_CUSTOM ON CACHE BOOL "" FORCE) +set(PARTITION_TABLE_FILENAME "${CMAKE_SOURCE_DIR}/partitions_singleapp_large.csv" CACHE STRING "" FORCE) + +if("${IDF_TARGET}" STREQUAL "linux") + set(COMPONENTS main) +endif() # For the main project using ESP-IDF version 6 or greater. # Numerous "dangerous relocation: call8: call target out of range: memcpy" errors encountered @@ -34,6 +58,7 @@ endif() # # Optional WOLFSSL_CMAKE_SYSTEM_NAME detection to find # USE_MY_PRIVATE_CONFIG path for my_private_config.h +# See: wolfcrypt/port/Espressif/esp-sdk-lib.h # # Expected path varies: # 
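Review bot: `file(REMOVE "./dependencies.lock")` deletes the IDF component-manager lockfile on every configure, so any pinned managed-component versions are discarded and re-resolved from the registry each build; that removes the reproducibility and pinning the lockfile exists for, and does so via a relative path that depends on CMake's working directory rather than the project directory. If the lock only gets in the way when switching ESP-IDF versions, prefer removing it in that case (or documenting `rm dependencies.lock` in the README) rather than unconditionally, and anchor the path if the line stays: `file(REMOVE "${CMAKE_SOURCE_DIR}/dependencies.lock")`. The forced `PARTITION_TABLE_FILENAME` is set without checking that `partitions_singleapp_large.csv` exists next to this CMakeLists; an `if(NOT EXISTS "${PARTITION_TABLE_FILENAME}") message(FATAL_ERROR ...)` would fail early with a clear message.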
@@ -41,6 +66,8 @@ endif() # Linux: ~/workspace # Windows: C:\workspace # + + if(WIN32) # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WINDOWS") @@ -49,9 +76,6 @@ endif() if(CMAKE_HOST_UNIX) message(STATUS "Detected UNIX") endif() -if(APPLE) - message(STATUS "Detected APPLE") -endif() if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop") # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL") @@ -63,7 +87,7 @@ if(CMAKE_HOST_UNIX AND (NOT APPLE) AND (NOT WIN32)) message(STATUS "Detected Linux") endif() if(APPLE) - # Windows-specific configuration here + # Apple-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_APPLE") message(STATUS "Detected Apple") endif() 
@@ -157,6 +181,27 @@ endif() include($ENV{IDF_PATH}/tools/cmake/project.cmake) +message(STATUS "Checking Project CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}") +# Optionally force syntax highlighting fix in Visual Studio 2022 for ESP-IDF v6 +# See https://sysprogs.com/w/forums/topic/espressif-esp-idf-v6-0-intellisense-error-invalid-value-gnu2b-in-stdgnu2b/ +# To resolve, enter the text in VisualGDB Project Properties - Intellisense Settings Tab, "Additional flags for C files": +# -std=gnu17 +# And set here: +if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" ) + set(PREFERRED_DIALECT "gnu17") + if(DEFINED IDF_VERSION_MAJOR AND IDF_VERSION_MAJOR GREATER_EQUAL 6) + message(STATUS "-- Found CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX, replacing -std=gnu2b with -std=${PREFERRED_DIALECT}") + if(CMAKE_C_COMPILER_ID MATCHES "Clang") + string(REPLACE "-std=gnu2b" "-std=${PREFERRED_DIALECT}" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + endif() + else() + message(STATUS "-- Visual Studio Intellisense Fix not needed for this ESP-IDF version=${IDF_VERSION_MAJOR}") + endif() +else() + message(STATUS "-- Not replacing -std=gnu2b with -std=${PREFERRED_DIALECT} for Viosual Studio Intellisense fix") + message(STATUS "-- To enable, define environment variable: CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=1") +endif() + # Once the project is loaded, next check for ESP-IDF version 6 or greater. # Numerous "dangerous relocation: call8: call target out of range: memcpy" errors encountered # So we'll allow long calls with the `-mlongcalls` compiler option for all components. diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/Makefile b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/Makefile index f333758101..b0641c2340 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/Makefile +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/Makefile 
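Review bot: In the `else()` branch the message expands `${PREFERRED_DIALECT}`, but that variable is only set inside the `if`, so the text prints `-std=` with nothing after it; move `set(PREFERRED_DIALECT "gnu17")` above the `if`. The same message misspells `Visual` as `Viosual`. Because the fix is driven by `$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}` read at configure time, a comment such as `# Changing this environment variable requires a reconfigure; CMake does not track it` would save confusion.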
@@ -19,6 +19,34 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA # +PROJECT_NAME := wolfssl_client +$(info ************* wolfssl_client *************) + +# ------------- BEGIN COMMON SECTION ------------- + +ifeq ($(strip $(IDF_PATH)),) + $(error IDF_PATH is not set. Please export it before running make) +endif + +# Default compiler flags +CFLAGS ?= +CXXFLAGS ?= + +CFLAGS += -DWOLFSSL_USER_SETTINGS + +# Some of the tests are CPU intenstive, so we'll force the watchdog timer off. +# There's an espressif NO_WATCHDOG; we don't use it, as it is reset by sdkconfig. +CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 + +# Check if CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG is set to 1 in environment +ifeq ($(CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG),1) + $(info Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variablev for Makefile) + CFLAGS += -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1 + CXXFLAGS += -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1 +else + $(info CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.) +endif + # # This is a project Makefile. # It is assumed the directory this Makefile resides in is a @@ -37,7 +65,6 @@ # USE_MY_PRIVATE_WINDOWS_CONFIG /workspace/my_private_config.h # # -PROJECT_NAME := wolfssl_client # Optionally include component source when print path (needs work to then properly build) # @@ -53,7 +80,6 @@ USE_MY_PRIVATE_WINDOWS_CONFIG ?= n # OS := $(shell uname -s) # # But OS, or MY_PRIVATE_CONFIG should already be defined: -$(info ************* wolfssl_client *************) ifeq ($(MY_PRIVATE_CONFIG),y) CFLAGS += -DMY_PRIVATE_CONFIG @@ -128,12 +154,8 @@ else endif endif -# It is essential that the build process sees the WOLFSSL_USER_SETTINGS -CFLAGS += -DWOLFSSL_USER_SETTINGS - # if directory not available, please disable the line below. EXTRA_COMPONENT_DIRS = $(IDF_PATH)/examples/common_components/protocol_examples_common # The Standard Espressif IDF include: include $(IDF_PATH)/make/project.mk - 
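Review bot: `CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1` is now forced for every build of the wolfssl_client example, and its justification (`Some of the tests are CPU intenstive`) reads as copied from the benchmark project; the TLS client is not a CPU-bound test, and unconditionally disabling the task watchdog removes the recovery path for a hung network or TLS task. Make it opt-in, e.g. wrap the line in `ifeq ($(WOLFSSL_ESP_NO_WATCHDOG),1)` / `endif`, or explain in the comment why the client needs it. `CFLAGS += -DWOLFSSL_USER_SETTINGS` is added without the matching `CXXFLAGS += -DWOLFSSL_USER_SETTINGS`, unlike the private-config block just below which sets both, so a C++ unit including wolfSSL headers would build against different settings. `intenstive` and `variablev` are typos in the new text.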
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/CMakeLists.txt index a266a9c1c2..23fb4ffbb9 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/CMakeLists.txt @@ -19,7 +19,7 @@ # # cmake for wolfssl Espressif projects # -# Version 5.8.0 Espressif ESP-IDF + PlatformIO integration (2) +# Version 5.8.2 Espressif ESP-IDF + PlatformIO integration (1) # # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html # @@ -27,9 +27,18 @@ message(STATUS "Begin wolfssl ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") cmake_minimum_required(VERSION 3.16) # The scope of this CMAKE_C_FLAGS is just this component: -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") +message(STATUS "Peek CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG = $ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}") +if( "$ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}" STREQUAL "1" ) + message(STATUS "Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variable") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") +else() + message(STATUS "CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.") +endif() + set(CMAKE_CURRENT_SOURCE_DIR ".") # Optionally set your source to wolfSSL in your project CMakeLists.txt like this: @@ -48,6 +57,7 @@ set(THIS_ESP_TLS "") # LIBWOLFSSL_CMAKE_OUTPUT can be printed at runtime set(LIBWOLFSSL_CMAKE_OUTPUT "") +set(git_cmd "git") if(CMAKE_BUILD_EARLY_EXPANSION) message(STATUS "Skipping libwolfssl_output.h update during CMAKE_BUILD_EARLY_EXPANSION") 
@@ -66,6 +76,19 @@ else() "#define _LIBWOLFSSL_OUTPUT_H_\n\n") endif() +# CMakeLists.txt (project or component) +# Known RISC-V families in ESP-IDF: esp32c2, esp32c3, esp32c6, esp32h2, esp32p4 +set(_riscv_targets esp32c2 esp32c3 esp32c6 esp32h2 esp32p4) + +list(FIND _riscv_targets "${IDF_TARGET}" _idx) +if(_idx GREATER -1) + set(IS_RISCV TRUE) +else() + set(IS_RISCV FALSE) +endif() + +message(STATUS "IDF target: ${IDF_TARGET} (RISC-V: ${IS_RISCV})") + # Append messages with: # LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n"message" "0") # See function: APPEND_LIBWOLFSSL_CMAKE_OUTPUT @@ -73,8 +96,7 @@ endif() # function: IS_ESP_IDF_COMPONENT # output: RESULT = 1 (true) if this component is located in the ESP-IDF components # otherwise 0 (false) -function( IS_ESP_IDF_COMPONENT - RESULT) +function( IS_ESP_IDF_COMPONENT RESULT ) # NOTE: Component location is based on the location of the CMakeList.txt # and *not* the location of the wolfSSL source code. (which may be anywhere) 
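Review bot: `_riscv_targets` is a hard-coded list (`esp32c2 esp32c3 esp32c6 esp32h2 esp32p4`), so any RISC-V target added to ESP-IDF after this list was written is silently classified as `IS_RISCV FALSE`. If the supported IDF versions expose it, `if(CONFIG_IDF_TARGET_ARCH_RISCV)` derives the answer from the toolchain configuration instead of a list that has to be maintained by hand; otherwise a comment naming the IDF version the list was checked against would help. `IS_RISCV` is not used within this hunk, so I could not confirm what depends on it.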
@@ -110,60 +132,60 @@ function ( LIBWOLFSSL_SAVE_INFO VAR_OUTPUT THIS_VAR VAR_RESULT ) # if we had a successful operation, save the THIS_VAR in VAR_OUTPUT if(${IS_VALID_VALUE}) - if(0) - # Optional debug - message(STATUS "Looking for LF in ${THIS_VAR}") - endif() + if(0) + # Optional debug + message(STATUS "Looking for LF in ${THIS_VAR}") + endif() - # Check if the text to print in THIS_VAR is multi-line - string(REPLACE "\n" ";" LINES "${THIS_VAR}") - list(LENGTH LINES LINE_COUNT) - - # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def - if(LINE_COUNT GREATER 1) - message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") - add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") - - # Split into lines - string(REPLACE "\n" ";" LINES "${THIS_VAR}") - foreach(LINE IN LISTS LINES) - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") - endforeach() + # Check if the text to print in THIS_VAR is multi-line + string(REPLACE "\r" "" THIS_VAR "${THIS_VAR}") + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + list(LENGTH LINES LINE_COUNT) - # Final empty line to close the macro - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") + # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def + if(LINE_COUNT GREATER 1) + message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") + add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") - message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") - target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") - else() - message(STATUS "No 
HAS_LIBWOLFSSL_OUTPUT_HEADER") - # We should not have any, but just to be sure: - # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE - string(REPLACE "\n" "" VAR_VALUE "${THIS_VAR}") + # Split into lines + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + foreach(LINE IN LISTS LINES) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") + endforeach() + + # Final empty line to close the macro + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") - # we'll could percolate the value to the parent for possible later use - # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) + message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") + target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") + else() # 1 or zero lines in THIS_VAR + message(STATUS "Result line count=${LINE_COUNT}; Not setting HAS_LIBWOLFSSL_OUTPUT_HEADER") + # We should not have any, but just to be sure: + # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE + string(REPLACE "\n" "" THIS_VAR "${THIS_VAR}") + string(REPLACE "\r" "" VAR_VALUE "${THIS_VAR}") - # but we're only using it here in this function - set(${VAR_OUTPUT} ${VAR_VALUE}) + # we could percolate the value to the parent for possible later use + # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) - # we'll print what we found to the console - message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + # but we're only using it here in this function + set(${VAR_OUTPUT} ${VAR_VALUE}) - # the interesting part is defining the VAR_OUTPUT name a value to use in the app - add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") + # we'll print what we found to the console + message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + + # the interesting part is defining the VAR_OUTPUT name a value to use in the app + add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") endif() - else() + else() # !IS_VALID_VALUE # if we get here, check the execute_process command and parameters. 
- message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") + message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT=${VAR_RESULT} for THIS_VAR=${THIS_VAR}") set(${VAR_OUTPUT} "Unknown") - endif() - - -endfunction() # LIBWOLFSSL_SAVE_INFO + endif() # IS_VALID_VALUE +endfunction()# LIBWOLFSSL_SAVE_INFO # # APPEND_LIBWOLFSSL_CMAKE_OUTPUT(THIS_MESSAGE OUTPUT_VALUE) @@ -558,7 +580,7 @@ if(CMAKE_BUILD_EARLY_EXPANSION) "${THIS_INCLUDE_TIMER}" "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark ) - + # Do not set compile options during early expansion else() # not CMAKE_BUILD_EARLY_EXPANSION message(STATUS "************************************************************************************************") @@ -596,6 +618,15 @@ else() if(WOLFSSL_ROOT) message(STATUS "Confirmed wolfssl directory at: ${WOLFSSL_ROOT}") + # Once WOLFSSL_ROOT has been determined, see if there's a Espressif.cmake file to include + + set(WOLFSSL_ROOT_ESPRESSIF_CMAKE "${WOLFSSL_ROOT}/cmake/modules/Espressif.cmake") + if( EXISTS "${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + message(STATUS "Found WOLFSSL_ROOT_ESPRESSIF_CMAKE: ${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + include("${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + else() + message(STATUS "Not found WOLFSSL_ROOT_ESPRESSIF_CMAKE: ${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + endif() else() # Try to allow a more intuitive error that the source code was not found in cmake: set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_WARNING_SOURCE_NOT_FOUND") 
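Review bot: `LIBWOLFSSL_SAVE_INFO` still embeds `THIS_VAR` into C string literals without escaping, both in the generated `libwolfssl_output.h` (`\"${LINE}\\n\" \\\n`) and in `add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\")`; the values come from `git` output such as the origin URL, branch and tag names, so a `"` or `\` in any of them breaks the header or the compile definition, and the new `\r` stripping does not address that. Escape at the top of the `IS_VALID_VALUE` branch: `string(REPLACE "\\" "\\\\" THIS_VAR "${THIS_VAR}")` followed by `string(REPLACE "\"" "\\\"" THIS_VAR "${THIS_VAR}")`. In the multi-line branch `LINES` is split twice (once for the count, once for the loop); the first result can be reused. The function's opening lines are outside this hunk.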
@@ -896,6 +927,25 @@ else() "${THIS_INCLUDE_TIMER}" "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark ) + + message(STATUS "Checking wolfSSL Component CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}") + # Optionally force syntax highlighting fix in Visual Studio 2022 for ESP-IDF v6 + # See https://sysprogs.com/w/forums/topic/espressif-esp-idf-v6-0-intellisense-error-invalid-value-gnu2b-in-stdgnu2b/ + # To resolve, enter the text in VisualGDB Project Properties - Intellisense Settings Tab, "Additional flags for C files": + # -std=gnu17 + # And set here: + if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" ) + set(PREFERRED_DIALECT "gnu17") + if(DEFINED IDF_VERSION_MAJOR AND IDF_VERSION_MAJOR GREATER_EQUAL 6) + message(STATUS "-- Setting -std=${PREFERRED_DIALECT} with target_compile_options $<$:-std=${PREFERRED_DIALECT}>") + target_compile_options(${COMPONENT_LIB} PRIVATE $<$:-std=${PREFERRED_DIALECT}>) + else() + message(STATUS "-- Visual Studio Intellisense Fix not needed for this ESP-IDF version=${IDF_VERSION_MAJOR}") + endif() + else() + message(STATUS "-- Not setting -std=${PREFERRED_DIALECT} with target_compile_options for Visual Studio Intellisense Fix") + message(STATUS "-- To enable, define environment variable: CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=1") + endif() else() # Register the component simply to allow CMake to complete, but there's no wolfSSL source. # Expect many other errors, but the project should at least be loadable and UI can edit Kconfig settings. @@ -906,8 +956,7 @@ else() # function(WOLFSSL_INIT_CERT_BUNDLE) if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE AND NOT CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE - AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") - ) + AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") ) APPEND_LIBWOLFSSL_CMAKE_OUTPUT("wolfSSL Certificate Bundles Enabled") if (CMAKE_BUILD_EARLY_EXPANSION) 
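Review bot: The generator expression in `target_compile_options(${COMPONENT_LIB} PRIVATE $<$:-std=${PREFERRED_DIALECT}>)` is not valid as shown, since `$<$:...>` has an empty condition; the intended form is presumably `$<$<COMPILE_LANGUAGE:C>:-std=${PREFERRED_DIALECT}>`, which confines the dialect to C sources. If the `<COMPILE_LANGUAGE:C>` part was lost when this diff was rendered, disregard that point. As in the project CMakeLists, `${PREFERRED_DIALECT}` is referenced in the `else()` message before it is ever set, so that message prints an empty dialect; and the project file only rewrites `-std=gnu2b` for Clang while this component applies the option regardless of compiler, so the two mechanisms should be reconciled.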
@@ -1154,50 +1203,72 @@ if( EXISTS "${WOLFSSL_PROJECT_DIR}" AND EXISTS "$ENV{IDF_PATH}/components/wolfss endif() # end multiple component check - +message(STATUS "Checking for github with git_cmd='${git_cmd}' ...") execute_process( COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree" OUTPUT_VARIABLE IS_GIT_REPO OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET ) +message(STATUS "Checking for github result IS_GIT_REPO='${IS_GIT_REPO}'") # create some programmatic #define values that will be used by ShowExtendedSystemInfo(). # see wolfcrypt\src\port\Espressif\esp32_utl.c +message(STATUS "Checking for macro definitions:") if(NOT CMAKE_BUILD_EARLY_EXPANSION AND WOLFSSL_ROOT AND (IS_GIT_REPO STREQUAL "true")) set (git_cmd "git") message(STATUS "Adding macro definitions:") + # LIBWOLFSSL_VERSION_GIT_TAG: git config describe --tags --abbrev=0 + execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "describe" "--tags" "--abbrev=0" + OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") + LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_TAG "${TMP_OUT}" "${TMP_RES}") + # LIBWOLFSSL_VERSION_GIT_ORIGIN: git config --get remote.origin.url execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "config" "--get" "remote.origin.url" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_ORIGIN "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_BRANCH: git rev-parse --abbrev-ref HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--abbrev-ref" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_BRANCH "${TMP_OUT}" "${TMP_RES}") # 
LIBWOLFSSL_VERSION_GIT_HASH: git rev-parse HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_SHORT_HASH: git rev-parse --short HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--short" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_SHORT_HASH "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_HASH_DATE git show --no-patch --no-notes --pretty=\'\%cd\' execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "show" "--no-patch" "--no-notes" "--pretty=\'\%cd\'" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH_DATE "${TMP_OUT}" "${TMP_RES}") - LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT "${WOLFSSL_ROOT}" "${TMP_RES}") - +else() + message(STATUS "CMAKE_BUILD_EARLY_EXPANSION=${CMAKE_BUILD_EARLY_EXPANSION}; WOLFSSL_ROOT=${WOLFSSL_ROOT}; IS_GIT_REPO=${IS_GIT_REPO};") endif() +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT "${WOLFSSL_ROOT}" "0") +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_IDF_PATH "${THIS_IDF_PATH}" "0") + # Ensure flag "-DWOLFSSL_ESPIDF" is already in CMAKE_C_FLAGS if not yet found from project string(FIND "${CMAKE_C_FLAGS}" "-DWOLFSSL_ESPIDF" FLAG_ALRREADY_FOUND_WOLFSSL_ESPIDF) 
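Review bot: `LIBWOLFSSL_VERSION_WOLFSSL_ROOT` and the new `LIBWOLFSSL_VERSION_IDF_PATH` are now emitted unconditionally as compile definitions, alongside `LIBWOLFSSL_VERSION_GIT_ORIGIN` from `remote.origin.url`; these become string literals in the firmware image, so a shipped binary carries the developer's local filesystem paths (often including a user name) and the git remote URL, which may name a private repository or, if someone cloned with a token in the URL, embed a credential. Suggest gating these behind an opt-in diagnostic option, or at minimum adding a comment such as `# NOTE: these paths and the origin URL are compiled into the image; disable for release builds` so the exposure is a deliberate choice. Separately, the `IS_GIT_REPO` probe runs `git rev-parse --is-inside-work-tree` in CMake's current directory while the version commands run with `WORKING_DIRECTORY ${WOLFSSL_ROOT}`; when those differ the guard answers the wrong question.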
@@ -1246,6 +1317,26 @@ file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n" "#endif\n" ) +# Memory peek helper +set(LINKER_REGION_PEEK "${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld") +if( CMAKE_BUILD_EARLY_EXPANSION AND EXISTS "${LINKER_REGION_PEEK}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK") + + message(STATUS "Found linker region peek helper file: ${LINKER_REGION_PEEK}") + if (COMMAND target_linker_scripts) + message(STATUS "target_linker_scripts(${COMPONENT_LIB} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld)") + target_linker_scripts(${COMPONENT_LIB} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld) + else() + # Fallback if target_linker_scripts isn't available + message(STATUS "target_linker_scripts not available, using target_link_options") + target_link_options(${COMPONENT_LIB} INTERFACE -T${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld) + set_property(TARGET ${COMPONENT_LIB} APPEND PROPERTY LINK_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld) + endif() +else() + message(STATUS "Found linker region peek helper NOT FOUND: ${LINKER_REGION_PEEK}") +endif() + message(STATUS "************************************************************************************************") message(STATUS "wolfSSL component config complete!") message(STATUS "************************************************************************************************") diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig index 22e4a0767d..e8524a8092 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kconfig 
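Review bot: The `Memory peek helper` block appends `-DWOLFSSL_HAVE_LINKER_REGION_PEEK` to `CMAKE_C_FLAGS` twice in a row; the second line was presumably meant to be `set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK")`. The block also only runs when `CMAKE_BUILD_EARLY_EXPANSION` is true yet calls `target_linker_scripts(${COMPONENT_LIB} ...)`, and `COMPONENT_LIB` is normally only available after `idf_component_register` in the non-early pass, so this looks like it should read `if(NOT CMAKE_BUILD_EARLY_EXPANSION AND EXISTS "${LINKER_REGION_PEEK}")`; please confirm against the configure log. The `else()` message `Found linker region peek helper NOT FOUND` also fires whenever the condition fails for the expansion-phase reason rather than a missing file, so its wording misleads.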
@@ -19,8 +19,11 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA # -# Kconfig File Version 5.7.2.001 for esp-idf integration +# Kconfig File Version 5.8.2.001 for esp-idf integration +# See the VSCode extension: nRF Kconfig by Nordic Semiconductor: +# https://marketplace.visualstudio.com/items?itemName=nordic-semiconductor.nrf-kconfig +# # Kconfig Format Rules # # See: @@ -48,106 +51,242 @@ # python -m kconfcheck # # --------------------------------------------------------------------------------------------------------------------- +# See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL +# --------------------------------------------------------------------------------------------------------------------- +# +# Note linking to ESP-IDF component: +# +# 
From: esp-idf\[version]\components\esp-tls\Kconfig +# +# menu "ESP-TLS" +# choice ESP_TLS_LIBRARY_CHOOSE +# bool "wolfSSL (License info in wolfSSL directory README)" +# select TLS_STACK_WOLFSSL +# +# Selecting TLS_STACK_WOLFSSL in ESP-TLS will be linked to this Kconfig via the +# invisible local keyword by the same name in this Kconfig, below. +# +# See setting here, just above this item: menu "wolfSSL ESP-TLS" +# +# --------------------------------------------------------------------------------------------------------------------- # Begin main wolfSSL configuration menu # --------------------------------------------------------------------------------------------------------------------- # See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL -menu "wolfSSL" +menu "wolfSSL Embedded Cryptography, SSL/TLS; FIPS 140-3" + # Warning: help token not supported here << + config ESP_WOLFSSL_WOLFCRYPT_ONLY + bool "Use wolfcrypt only" + default n + help + Enable this option to use cryptographic libraries but disable things like TLS communication. Normally not set. Enables WOLFCRYPT_ONLY + # ----------------------------------------------------------------------------------------------------------------- - menu "Hardening" - config ESP_WOLFSSL_WC_NO_HARDEN - bool "Disable wolfSSL hardening" - default n + menu "wolfSSL Algorithm Settings" + config ESP_WOLFSSL_USE_ECC + bool "Enable ECC (Elliptic Curve Cryptography) in wolfSSL" + default y help - Sets WC_NO_HARDEN + Enables ECC algorithm - config ESP_WOLFSSL_TFM_TIMING_RESISTANT - bool "Enable TFM Timing Resistant Code" - default n + config ESP_WOLFSSL_USE_RSA + bool "Enable RSA (Rivest-Shamir-Adlemanl) in wolfSSL" + default y help - Sets TFM_TIMING_RESISTANT. 
+ Enables RSA algorithm - endmenu # Hardening + config ESP_WOLFSSL_USE_SM + bool "Enable SM (Shang Mi) in wolfSSL" + default n + help + Enabled SM Cipher Suite: Macros WOLFSSL_SM2, WOLFSSL_SM3, WOLFSSL_SM4 - config ESP_WOLFSSL_ENABLE_BENCHMARK - bool "Enable wolfSSL Benchmark Library" - default n - help - Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK. + config ESP_WOLFSSL_DISABLE_ECC + bool "Disable ECC in wolfSSL" + default n + help + Enabled by default, ECC is required if you want ECDHE key exchange (and/or ECDSA). + Select this option to disable ECC. + config ESP_WOLFSSL_DISABLE_DH + bool "Disable DH in wolfSSL" + default n + help + Enabled by default, DH is required if you want DHE/FFDHE groups. + Select this option to disable DH. - menu "Benchmark Debug" - config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING - bool "Enable benchmark timing debug" - depends on ESP_WOLFSSL_ENABLE_BENCHMARK + config ESP_WOLFSSL_SHA224 + bool "Enable SHA-224" default n help - Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc). + Enables SHA224 algorithm by defining macro: WOLFSSL_SHA224 - config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG - bool "Enable benchmark timer debug" - depends on ESP_WOLFSSL_ENABLE_BENCHMARK + config ESP_WOLFSSL_SHA384 + bool "Enable SHA-384" default n help - Turn on timer debugging (used when CPU cycles not available) + Enables SHA384 algorithm by defining macro: WOLFSSL_SHA384 - endmenu # Benchmark Debug + choice + prompt "Select math library to use" - # ----------------------------------------------------------------------------------------------------------------- - # wolfCrypt Test - # ----------------------------------------------------------------------------------------------------------------- - config ESP_WOLFSSL_ENABLE_TEST - bool "Enable wolfCrypt Test Library" - default n - help - Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST. 
+ config ESP_WOLFSSL_USE_FAST_MATH + bool "Use Fast Math (default)" + + config ESP_WOLFSSL_SP_MATH + bool "Use SP Math" + + config ESP_WOLFSSL_SP_MATH_ALL + bool "Use SP Math All" - menu "wolfCrypt tests" - config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS - bool "Enable wolfCrypt Test Options" - depends on ESP_WOLFSSL_ENABLE_TEST + config ESP_WOLFSSL_USE_INTEGER_HEAP_MATH + bool "Use Integer Heap Math" + + config ESP_WOLFSSL_SP_RISCV32 + bool "Use SP Match for RISC-V Devices" + endchoice + + menu "Hardening" + config ESP_WOLFSSL_WC_NO_HARDEN + bool "Disable wolfSSL hardening" + default n + help + Sets WC_NO_HARDEN + + config ESP_WOLFSSL_TFM_TIMING_RESISTANT + bool "Enable TFM Timing Resistant Code" + default n + help + Sets TFM_TIMING_RESISTANT. + + endmenu # Hardening + endmenu # wolfSSL Algorithm Settings + + menu "wolfSSL Application Specific Tuning" + config ESP_WOLFSSL_MULTI_THREAD + bool "Set wolfSSL SINGLE_THREAD mode" default n help - Enables HAVE_WOLFCRYPT_TEST_OPTIONS + Enable to use semaphores for multi-task applications. Requires a small about of additional long term RAM. + When not selected, defines wolfSSL SINGLE_THREADED macro. The ESP32 ESP-IDF uses FreeRTOS regardless of this setting. - config TEST_ESPIDF_ALL_WOLFSSL - bool "Enable all features to use in tests" - depends on ESP_WOLFSSL_ENABLE_TEST + config ESP_WOLFSSL_STATIC_MEMORY + bool "Set wolfSSL Static Memory mode" default n help - Enables TEST_ESPIDF_ALL_WOLFSSL - - endmenu # wolfCrypt tests + Enable to use experimental static memory, no malloc. May be problematic on devices with low RAM. + When disabled, sets WOLFSSL_SMALL_STACK. The DEBUG_WOLFSSL_MALLOC is also enabled by default to + show malloc failures which may occur on low RAM devices. 
- # ----------------------------------------------------------------------------------------------------------------- - # Apple HomeKit Options - # ----------------------------------------------------------------------------------------------------------------- - menu "Apple HomeKit" - config WOLFSSL_APPLE_HOMEKIT - bool "Enable Apple HomeKit options" + config ESP_WOLFSSL_RSA_LOW_MEM + bool "RSA Low Memory Mode" default n help - Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit. - endmenu # Apple HomeKit - # ----------------------------------------------------------------------------------------------------------------- + When enabled, use have as much memory, but RSA is twice as slow. - config ESP_WOLFSSL_DISABLE_MY_ECC - bool "Disable ECC in my project" - default "n" - help - ECC is enabled by default. Select this option to disable. + # ----------------------------------------------------------------------------------------------------------------- + # Apple HomeKit Options + # ----------------------------------------------------------------------------------------------------------------- + menu "Apple HomeKit" + config WOLFSSL_APPLE_HOMEKIT + bool "Enable Apple HomeKit options" + default n + help + Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit. + endmenu # Apple HomeKit + + # ----------------------------------------------------------------------------------------------------------------- + # wolfCrypt Benchmark + # ----------------------------------------------------------------------------------------------------------------- + menu "wolfCrypt Benchmark" + config ESP_WOLFSSL_ENABLE_BENCHMARK + bool "Enable wolfSSL Benchmark Library" + default n + help + Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK. 
- config ESP_WOLFSSL_ENABLE_MY_USE_RSA - bool "Enable RSA in my project" - default "n" - help - RSA is disabled by default. Select this option to enable. + config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING + bool "Enable benchmark timing debug" + depends on ESP_WOLFSSL_ENABLE_BENCHMARK + default n + help + Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc). + + config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG + bool "Enable benchmark timer debug" + depends on ESP_WOLFSSL_ENABLE_BENCHMARK + default n + help + Turn on timer debugging (used when CPU cycles not available) + endmenu # wolfCrypt Benchmark + + # ----------------------------------------------------------------------------------------------------------------- + # wolfCrypt Test + # ----------------------------------------------------------------------------------------------------------------- + menu "wolfCrypt Test" + config ESP_WOLFSSL_ENABLE_TEST + bool "Enable wolfCrypt Test Library" + default n + help + Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST. + + config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS + bool "Enable wolfCrypt Test Options" + depends on ESP_WOLFSSL_ENABLE_TEST + default n + help + Enables HAVE_WOLFCRYPT_TEST_OPTIONS + + config TEST_ESPIDF_ALL_WOLFSSL + bool "Enable all features to use in tests" + depends on ESP_WOLFSSL_ENABLE_TEST + default n + help + Enables TEST_ESPIDF_ALL_WOLFSSL + endmenu # wolfCrypt tests + + # ----------------------------------------------------------------------------------------------------------------- + # TLS Client/Server + # ----------------------------------------------------------------------------------------------------------------- + menu "TLS Client/Server" + choice WOLFSSL_USE_TLS_CERT_EXAMPLE + prompt "Use example certificates (see user_settings.h)" + default WOLFSSL_USE_CERT_BUFFERS_2048 + help + Select which bundled example certificate set to compile in. 
+ + config WOLFSSL_USE_CERT_BUFFERS_2048 + bool "Use 2048 bit RSA cert buffers example (default)" + help + Uses example cert buffers ca_cert_der_2048, client_cert_der_2048 etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_1024 + bool "Use 1024 bit RSA cert buffers" + help + Uses example cert buffers ca_cert_der_1024, client_cert_der_1024, etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_256 + bool "Use 256 bit ECC cert buffers" + help + Uses example cert buffers ca_ecc_cert_der_256, cliecc_cert_der_256, etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_SM + bool "Use SM (Shang Mi) cert buffers" + help + Use the SM (Shang Mi) Cipher Examples + Include header: wolfssl/certs_test_sm.h + + config WOLFSSL_USE_CERT_BUFFERS_NONE + bool "Do not use the default wolfSSL certificate examples" + help + Define your own macro values for the examples. + endchoice + endmenu # TLS Client/Server + endmenu # Application Specific - config ESP_WOLFSSL_BENCHMARK - bool "Enable wolfSSL Benchmark" - default n - help - Enables user settings relevant to benchmark code config ESP_TLS_USING_WOLFSSL_SPECIFIED bool "Use the specified wolfssl for ESP-TLS" @@ -170,7 +309,7 @@ menu "wolfSSL" disabling TFM fast math provides faster wolfSSL software algorithms in an even smaller flash memory footprint. - menu "Protocol Config" + menu "wolfSSL Protocol Config" config WOLFSSL_HAVE_ALPN bool "Enable ALPN (Application Layer Protocol Negotiation) in wolfSSL" default y 
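Review bot: `config ESP_WOLFSSL_MULTI_THREAD` carries the prompt `bool "Set wolfSSL SINGLE_THREAD mode"` while its help says enabling it turns on semaphores for multi-task use, so the menu label states the opposite of what the symbol does; `bool "Enable wolfSSL multi-thread mode (clears SINGLE_THREADED)"` would match the help. ECC is now controlled by two independent symbols, `ESP_WOLFSSL_USE_ECC` (default y) and `ESP_WOLFSSL_DISABLE_ECC` (default n), with nothing tying them together, so a user can select both and get a contradictory sdkconfig; dropping the `DISABLE_*` pair in favour of the `USE_*` defaults, or adding a `depends on` between them, removes the ambiguity. The prompts also carry typos worth fixing before release: `Rivest-Shamir-Adlemanl`, `Use SP Match for RISC-V Devices`, `small about of additional`, and `use have as much memory`.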
@@ -182,9 +321,16 @@ menu "wolfSSL" Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2. When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted. + config WOLFSSL_LOW_MEMORY_DISABLE_TLS13 + bool "Disable TLS 1.3 on known low-memory devices" + default n + help + Overrides other settings allowing TLS 1.3. Typically used for ESP8266 and ESP32C2 + devices with known memory limitations. + config WOLFSSL_ALLOW_TLS12 bool "Allow TLS 1.2" - default n + default y help Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2. When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted. 
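Review bot: `default y` for `WOLFSSL_ALLOW_TLS12` turns the TLS 1.2 fallback from opt-in into opt-out for every example, but the help text is unchanged and does not say why the default moved or that a TLS 1.3-only build must now set it to n explicitly; a sentence in the help recording the reason (the low-memory targets, if that is it) would preserve the intent. `WOLFSSL_LOW_MEMORY_DISABLE_TLS13` has no `depends on` and can be selected on any target, which leaves a build with neither protocol when `WOLFSSL_ALLOW_TLS12` is also n, so a `depends on WOLFSSL_ALLOW_TLS12` guard (or a build-time check in user_settings.h) is worth considering.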
@@ -209,13 +355,63 @@ menu "wolfSSL" help Sets HAVE_OCSP + choice + prompt "Select session cache size" + default ESP_WOLFSSL_NO_SESSION_CACHE + + config ESP_WOLFSSL_NO_SESSION_CACHE + bool "No session cache is used" + help + No memory is reserved for session cache. + + config ESP_WOLFSSL_MICRO_SESSION_CACHE + bool "Micro Session Cache" + help + Uses less than 1K. Stored only 1 session for cache. + SessionCache takes about 400 bytes, ClientCache takes 576 bytes. + + config ESP_WOLFSSL_SMALL_SESSION_CACHE + bool "Small Session Cache" + help + Allows storing 6 sessions. + SessionCache takes about 2K, ClientCache takes about 3K bytes. + + config ESP_WOLFSSL_MEDIUM_SESSION_CACHE + bool "Medium Session Cache" + help + Allows for over 1,000 sessions. Consider using external memory. + + config ESP_WOLFSSL_BIG_SESSION_CACHE + bool "Big Session Cache" + help + Allows for over 20,000 sessions. Unrealistic for most ESP32 devices. + + config ESP_WOLFSSL_TITAN_SESSION_CACHE + bool "Tital Session Cache" + help + Allows for over 2 million sessions. Unrealistic for most ESP32 devices. + endchoice + + config ESP_WOLFSSL_TCP_REUSE + int "TCP Reuse" + default 0 + help + Set to 1 to allow socket reuse. + endmenu # Protocol Config # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- config TLS_STACK_WOLFSSL # Invisible option that locks TLS_STACK_WOLFSSL to ESP_TLS_USING_WOLFSSL - bool + # + # See setting in: esp-idf\[version]\components\esp-tls\Kconfig: + # + # config ESP_TLS_USING_WOLFSSL + # bool "wolfSSL (License info in wolfSSL directory README)" + # select TLS_STACK_WOLFSSL + # + bool # No prompt, invisible here. Set in ESP-TLS component default n select FREERTOS_ENABLE_BACKWARD_COMPATIBILITY help 
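Review bot: `config ESP_WOLFSSL_TCP_REUSE` is declared `int` with help `Set to 1 to allow socket reuse.`, which accepts any integer and leaves the meaning of values other than 0 and 1 undefined; `bool "Allow TCP socket reuse"` (or at least `range 0 1`) expresses the intent. The prompt `bool "Tital Session Cache"` has a typo for Titan. The help for `ESP_WOLFSSL_MICRO_SESSION_CACHE` reads `Stored only 1 session for cache.`; `Stores only 1 session.` is clearer.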
@@ -223,6 +419,7 @@ menu "wolfSSL" Enabled when wolfSSL is selected in ESP_TLS_LIBRARY_CHOOSE. menu "wolfSSL ESP-TLS" + # Enabled only when Component config - ESP-TLS - Choose SSL/TLS Library for ESP-TLS has wolfSSL selected: depends on ESP_TLS_USING_WOLFSSL menu "Certificate Bundle" @@ -255,8 +452,8 @@ menu "wolfSSL" depends on ESP_TLS_USING_WOLFSSL help Although not recommended, there may be certificates in the bundle that are missing - a serial number. This option allows the missing value without having to fully - disable strict ASN checking with WOLFSSL_NO_ASN_STRICT. + a serial number. This option allows the missing value (a zero) without having to fully + disable strict ASN checking with WOLFSSL_NO_ASN_STRICT. Note this is disallowed by RFC 5280 choice WOLFSSL_DEFAULT_CERTIFICATE_BUNDLE bool "Default certificate bundle options" @@ -323,6 +520,19 @@ menu "wolfSSL" default 200 depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + config ESP_WOLFSSL_DEBUG_CERT_BUNDLE + bool "Enable certificate bundle debug" + depends on WOLFSSL_CERTIFICATE_BUNDLE + default n + help + View debug messages for cert bundle processing. + + config ESP_WOLFSSL_OPENSSL_EXTRA + bool "Enable wolfSSL OpenSSL Extra support" + default n + help + Enable OpenSSL support: old SHA functions only available with OpenSSLL (not recommended) + endmenu endmenu # wolfSSL ESP-TLS # ----------------------------------------------------------------------------------------------------------------- @@ -429,7 +639,7 @@ menu "wolfSSL" bool "Enable ML-KEM (Kyber Post Quantum)" default n help - bool "Enable wolfSSL ML-KEM" + Enable wolfSSL ML-KEM config WOLFSSL_ENABLE_KYBER bool "Enable Kyber (Round 3)" 
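Review bot: `config ESP_WOLFSSL_OPENSSL_EXTRA` in the hunk at `@@ -323,6 +520,19 @@` appears to be added inside the `Certificate Bundle` submenu of `wolfSSL ESP-TLS` (the two `endmenu` lines that follow close both), where it inherits that menu's `depends on ESP_TLS_USING_WOLFSSL` and is hidden unless ESP-TLS uses wolfSSL; if the OpenSSL compatibility layer is a general option it belongs with the other top-level wolfSSL settings. Its help `Enable OpenSSL support: old SHA functions only available with OpenSSLL (not recommended)` also has a typo and should name the macro it sets so the reader can match it to user_settings.h.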
@@ -442,11 +652,23 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- menu "wolfSSL Debug Options" + config ESP_WOLFSSL_DEBUG_CERTS + bool "Enable wolfSSL Certificate Debugging" + default n + help + Enable debugging messages for wolfSSL certificate processing. See user_settings.h for additional debug options. + config ESP_WOLFSSL_DEBUG_WOLFSSL bool "Enable wolfSSL Debugging" default n help - Enable debugging messages for wolfSSL. See user_settings.h for additional debug options. + Enable debugging messages for wolfSSL. Includes wolfSSL Certificate Debugging (WOLFSSL_DEBUG_CERTS) See user_settings.h for additional debug options. + + config WOLFSSL_EXAMPLE_VERBOSITY + bool "Enable example verbosity" + default n + help + This is only intended to be used with examples. Excessive verbosity may have undesired effects on timing-critical code. config ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING bool "Suppress build-time warnings for main stack size" @@ -454,6 +676,12 @@ menu "wolfSSL" help Useful only when wolfSSL is running in main task. See FreeRTOS stack size for custom tasks. + config ESP_NO_DEFAULT_TASK_MONITOR + bool "Disable automatic enable of task monitoring." + default n + help + Unless disabled, ESP_MONITOR_HW_TASK_LOCK is automatically enabled in esp32-crypt.h + config ESP_WOLFSSL_TEST_LOOP bool "Run test apps in a loop until failure" default y 
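Review bot: The help for `ESP_WOLFSSL_DEBUG_WOLFSSL` now states it `Includes wolfSSL Certificate Debugging (WOLFSSL_DEBUG_CERTS)`, but the new `ESP_WOLFSSL_DEBUG_CERTS` symbol is an independent option with no `select` or `depends on`, and the user_settings.h hunk at `@@ -81,17 +103,48 @@` defines `WOLFSSL_DEBUG_CERTS` only from `CONFIG_ESP_WOLFSSL_DEBUG_CERTS`; unless wolfSSL's own headers derive one from the other, the two statements disagree. Either add `select ESP_WOLFSSL_DEBUG_CERTS` under `ESP_WOLFSSL_DEBUG_WOLFSSL` or drop the `Includes …` clause.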
@@ -465,6 +693,26 @@ menu "wolfSSL" default n help Enables experimental settings for wolfSSL. See documentation. + + config ESP_LATEST_MITIGATIONS + bool "Enable mitigation for latest ESP-IDF" + default y + help + Address any issues in latest (unreleased) ESP-IDF. Currently v6. + Known problems include SHA HW acceleration on RISC-V devices failing. + Enable this option to disable SHA HW on only ESP32-C2, C3, C6. + Only implemented in user_settings.h + + config WOLFSSL_USE_MY_PRIVATE_CONFIG + bool "Use a private include file for config" + default n + help + Sets WOLFSSL_USE_MY_PRIVATE_CONFIG for platform-specific default + config file outside of GitHub repository. + Handy for things like WiFi SSID and Passwords that are typically + not saved on GitHub. + Can also set CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG environment variable to 1 + endmenu # wolfSSL Debug Options # ----------------------------------------------------------------------------------------------------------------- @@ -482,7 +730,7 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- - menu "Component Config" + menu "wolfSSL Component Config" config IGNORE_ESP_IDF_WOLFSSL_COMPONENT bool "Ignore the ESP-IDF component of wolfSSL (if present)" default n @@ -500,7 +748,7 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- - menu "Utility Config" + menu "wolfSSL Utility Config" config USE_WOLFSSL_ESP_SDK_TIME bool "Enable wolfSSL time helper functions" default n 
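Review bot: The help for `ESP_LATEST_MITIGATIONS` says `Enable this option to disable SHA HW on only ESP32-C2, C3, C6`, but the implementation in the user_settings.h hunk at `@@ -28,15 +48,17 @@` defines `WOLFSSL_RISCV_SHA_HW_MITIGATION 1` for every target once `ESP_IDF_VERSION_MAJOR >= 6`, with no `CONFIG_IDF_TARGET_*` check; unless the consumer of that macro filters by chip itself, the help overstates the scope, so either gate the define on the RISC-V targets or reword the help. `WOLFSSL_USE_MY_PRIVATE_CONFIG` is placed under `menu "wolfSSL Debug Options"` although its purpose is keeping credentials such as WiFi passwords out of the repository; a location near the other application settings would make it easier to find, and the help should state where the private file is looked up.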
@@ -523,12 +771,14 @@ menu "wolfSSH" config ESP_ENABLE_WOLFSSH bool "Enable wolfSSH options" default n + # See wolfssl settings.h help Enables WOLFSSH_TERM, WOLFSSL_KEY_GEN, WOLFSSL_PTHREADS, WOLFSSH_TEST_SERVER, WOLFSSH_TEST_THREADING config ESP_WOLFSSL_DEBUG_WOLFSSH bool "Enable wolfSSH debugging" default n + # See wolfssl settings.h help Enable wolfSSH debugging macro. See user_settings.h diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h index 9c14dc9dfc..cd232962ba 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h @@ -18,8 +18,28 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ + #define WOLFSSL_ESPIDF_COMPONENT_VERSION 0x01 +/* This user_settings.h is for Espressif ESP-IDF + * + * Standardized wolfSSL Espressif ESP32 + ESP8266 user_settings.h V5.8.2-1 + * + * Do not include any wolfssl headers here. + * + * Note to maintainers: + * + * When editing this file ensure all examples match. + * The template example is the reference. + * Consider Kconfig. Managed Components do not allow editing of user_settings.h + */ +#undef WOLFSSL_ESPIDF +#define WOLFSSL_ESPIDF + +#define NO_FILESYSTEM +#define NO_OLD_TLS +#define WOLFSSL_ASN_TEMPLATE + /* Examples such as test and benchmark are known to cause watchdog timeouts. * Note this is often set in project Makefile: * CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 */ 
@@ -28,15 +48,17 @@ /* The Espressif project config file. See also sdkconfig.defaults */ #include "sdkconfig.h" -/* This user_settings.h is for Espressif ESP-IDF - * - * Standardized wolfSSL Espressif ESP32 + ESP8266 user_settings.h V5.8.2-1 certs - * - * Do not include any wolfssl headers here. - * - * When editing this file: - * ensure all examples match. The template example is the reference. - */ +/* Some mitigations are ESP-IDF version-specific. */ +#include "esp_idf_version.h" + +/* Optional mitigations for latest (unreleased) ESP-IDF v6 */ +#if defined(CONFIG_ESP_LATEST_MITIGATIONS) && CONFIG_ESP_LATEST_MITIGATIONS + #if defined(ESP_IDF_VERSION_MAJOR) && (ESP_IDF_VERSION_MAJOR >= 6) + /* There's a known issue with SHA HW accerlator on RISC-V chips in V6 + * Fixed in https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_RISCV_SHA_HW_MITIGATION 1 + #endif +#endif /* Naming convention: (see also esp32-crypt.h for the reference source). * 
@@ -81,17 +103,48 @@ ** CONFIG_IDF_TARGET_ESP32C6 */ -#undef WOLFSSL_ESPIDF -#define WOLFSSL_ESPIDF - /* Test various user_settings between applications by selecting example apps * in `idf.py menuconfig` for Example wolfSSL Configuration settings: */ /* Turn on messages that are useful to see only in examples. */ -#define WOLFSSL_EXAMPLE_VERBOSITY +#if defined(CONFIG_WOLFSSL_EXAMPLE_VERBOSITY) && \ + CONFIG_WOLFSSL_EXAMPLE_VERBOSITY + #undef WOLFSSL_EXAMPLE_VERBOSITY + #define WOLFSSL_EXAMPLE_VERBOSITY +#endif + +#if defined(CONFIG_WOLFSSL_ALT_CERT_CHAINS) && \ + CONFIG_WOLFSSL_ALT_CERT_CHAINS + #undef WOLFSSL_ALT_CERT_CHAINS + #define WOLFSSL_ALT_CERT_CHAINS +#endif + +#if defined(CONFIG_ESP_WOLFSSL_DEBUG_WOLFSSL) && \ + CONFIG_ESP_WOLFSSL_DEBUG_WOLFSSL + #define DEBUG_WOLFSSL +#endif + +#if defined(CONFIG_ESP_WOLFSSL_DEBUG_CERTS) && \ + CONFIG_ESP_WOLFSSL_DEBUG_CERTS + #define WOLFSSL_DEBUG_CERTS +#endif + +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP8266) + /* WOLFSSL_LOW_MEMORY detected at runtime for low memory warning */ + #define WOLFSSL_LOW_MEMORY +#endif /* Paths can be long, ensure the entire value printed during debug */ -#define WOLFSSL_MAX_ERROR_SZ 500 +#ifdef WOLFSSL_LOW_MEMORY + /* If too small, the error_test() will fail. */ + #define WOLFSSL_MAX_ERROR_SZ 65 + #define WOLFSSL_MSG_EX_BUF_SZ 65 +#else + #define WOLFSSL_MAX_ERROR_SZ 500 + #define WOLFSSL_MSG_EX_BUF_SZ 500 +#endif /* wolfSSL Examples: set macros used in example applications. * 
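Review bot: The comment `/* WOLFSSL_LOW_MEMORY detected at runtime for low memory warning */` describes a compile-time `#define` chosen from `CONFIG_IDF_TARGET_*`, so "at runtime" is misleading; `/* Known low-memory targets: define WOLFSSL_LOW_MEMORY so runtime code can warn about limited resources */` says what the block does. The three new `#if defined(CONFIG_…) && CONFIG_…` blocks for `DEBUG_WOLFSSL` and `WOLFSSL_DEBUG_CERTS` omit the `#undef` that the sibling `WOLFSSL_EXAMPLE_VERBOSITY` and `WOLFSSL_ALT_CERT_CHAINS` blocks use; harmless for identical redefinitions, but the inconsistency invites a future value-bearing redefinition warning.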
@@ -116,12 +169,28 @@ /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */ /* #define USE_WOLFSSL_ESP_SDK_WIFI */ #define WOLFSSL_BENCHMARK_FIXED_UNITS_KB + #define BENCH_EMBEDDED #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT) /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_client */ - #define USE_WOLFSSL_ESP_SDK_WIFI + #if defined(CONFIG_IDF_TARGET_ESP32H2) + /* There's no WiFi on the ESP32 H2, use idf.menuconfig to enable */ + #else + /* This example will always use the wolfSSL WiFi helper */ + #define USE_WOLFSSL_ESP_SDK_WIFI + #endif + #define USE_WOLFSSL_ESP_SDK_TIME + #define NO_WOLFSSL_SERVER #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_SERVER) /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_server */ - #define USE_WOLFSSL_ESP_SDK_WIFI + #define NO_WOLFSSL_CLIENT + #if defined(CONFIG_IDF_TARGET_ESP32H2) + /* There's no WiFi on the ESP32 H2, use idf.menuconfig to enable */ + #else + /* This example will always use the wolfSSL WiFi helper */ + #define USE_WOLFSSL_ESP_SDK_WIFI + #endif + /* Even without WiFi, the wolfSSL helper has some static time settings */ + #define USE_WOLFSSL_ESP_SDK_TIME /* wolfSSH Examples */ #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE) @@ -214,6 +283,7 @@ /* See Kconfig / menuconfig ESP_WOLFSSL_ENABLE_MLKEM */ #ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM /* Kyber typically needs a minimum 10K stack */ + #define WOLFSSL_MLKEM_KYBER #define WOLFSSL_HAVE_MLKEM #define WOLFSSL_WC_MLKEM #define WOLFSSL_SHAKE128 @@ -250,6 +320,7 @@ #ifdef NO_AES #warning "Found NO_AES, wolfSSL AES Cannot be enabled. Check config." #else + #define HAVE_AESGCM #define WOLFSSL_AES #define WOLFSSL_AES_COUNTER 
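Review bot: `#define WOLFSSL_MLKEM_KYBER` in the hunk at `@@ -214,6 +283,7 @@` is added unconditionally inside `#ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM`, so every ML-KEM build also compiles the pre-standard Kyber round-3 variant, even though the Kconfig hunk at `@@ -429,7 +639,7 @@` exposes a separate `WOLFSSL_ENABLE_KYBER` option for exactly that; if the draft algorithm is meant to be opt-in, gate it as `#ifdef CONFIG_WOLFSSL_ENABLE_KYBER` (verify the symbol name as it lands in sdkconfig.h) and leave the standardized ML-KEM path alone by default. The enclosing `#ifdef` block starts and ends outside this hunk.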
@@ -356,24 +427,103 @@ #endif /* See below for chipset detection from sdkconfig.h */ -/* when you want to use SINGLE THREAD. Note Default ESP-IDF is FreeRTOS */ -#define SINGLE_THREADED +/* See Kconfig: Check if Multi Thread selected in idf.py menuconfig + * Single Thread avoids RAM-consuming semaphores. + * Note Default ESP-IDF is FreeRTOS rergardless of this setting */ +#if defined(CONFIG_ESP_WOLFSSL_MULTI_THREAD) && \ + CONFIG_ESP_WOLFSSL_MULTI_THREAD + /* Unless SINGLE_THREADED defined, wolfssl assumes multi-thread. */ + /* #undef SINGLE_THREADED */ +#else + #define SINGLE_THREADED +#endif /* Small session cache saves a lot of RAM for ClientCache and SessionCache. * Memory requirement is about 5KB, otherwise 20K is needed when not specified. * If extra small footprint is needed, try MICRO_SESSION_CACHE (< 1K) * When really desperate or no TLS used, try NO_SESSION_CACHE. */ -#define NO_SESSION_CACHE +#if defined(CONFIG_ESP_WOLFSSL_TITAN_SESSION_CACHE) + /* Consider RAM requirements. Unrealistic for most ESP32 devices */ + #define TITAN_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_BIG_SESSION_CACHE) + /* Consider RAM requirements. Unrealistic for most ESP32 devices */ + #define BIG_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_MEDIUM_SESSION_CACHE) + /* Consider RAM requirements. 
*/ + #define MEDIUM_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_SMALL_SESSION_CACHE) + #define SMALL_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_MICRO_SESSION_CACHE) + #define MICRO_SESSION_CACHE +#else + #define NO_SESSION_CACHE + #define WOLFSSL_NO_TICKET +#endif + +#ifndef NO_SESSION_CACHE + #define HAVE_SESSION_TICKET +#endif + +/* See Kconfig: Check if Static Memory selected in idf.py menuconfig */ +#if defined(CONFIG_ESP_WOLFSSL_STATIC_MEMORY) && \ + CONFIG_ESP_WOLFSSL_STATIC_MEMORY + #define WOLFSSL_STATIC_MEMORY +#endif + +#if defined(WOLFSSL_STATIC_MEMORY) + #define WOLFSSL_STATIC_MEMORY + #define WOLFSSL_STATIC_MEMORY_LEAN + #define WOLFSSL_NO_MALLOC + #ifdef WOLFSSL_SMALL_STACK + #error "Cannot use WOLFSSL_SMALL_STACK with WOLFSSL_NO_MALLOC" + #endif + #if 1 + /* trap malloc failure */ + #define WOLFSSL_MALLOC_CHECK + #endif + #define HAVE_MAX_FRAGMENT + #define HAVE_TLS_EXTENSIONS -/* Small Stack uses more heap. */ -#define WOLFSSL_SMALL_STACK + #define WOLFSSL_CUSTOM_CURVES + #define HAVE_ECC_KOBLITZ + #define HAVE_ECC256 + #define NO_ECC192 + #define NO_ECC224 + #define NO_ECC384 + #define NO_ECC521 -/* Full debugging turned off, but show malloc failure detail */ -/* #define DEBUG_WOLFSSL */ -#define DEBUG_WOLFSSL_MALLOC + #ifdef HAVE_ED25519 + #undef HAVE_ED25519 + #endif + #ifdef WOLFSSL_SHA512 + #undef WOLFSSL_SHA512 + #endif + + /* multiple of 16 & 32 */ + #define WOLFMEM_IO_SZ 2048 + + #if (1) + #define USE_FAST_MATH + #else + #define SP_MATH + #define FP_ECC + #endif +#else + /* Not using static memory */ + + /* Small Stack uses more heap. */ + #define WOLFSSL_SMALL_STACK + + /* Full debugging turned off, but show malloc failure detail */ + /* #define DEBUG_WOLFSSL */ + #define DEBUG_WOLFSSL_MALLOC +#endif /* RSA_LOW_MEM: Half as much memory but twice as slow. 
*/ -#define RSA_LOW_MEM +#if defined(CONFIG_ESP_WOLFSSL_RSA_LOW_MEM) && \ + CONFIG_ESP_WOLFSSL_RSA_LOW_MEM + #define RSA_LOW_MEM +#endif /* optionally turn off SHA512/224 SHA512/256 */ /* #define WOLFSSL_NOSHA512_224 */ @@ -386,16 +536,43 @@ /* #define NO_SHA */ /* #define NO_OLD_TLS */ -#define BENCH_EMBEDDED +/* Very low memory device notice: + * TLS 1.2 typically enabled + * TLS 1.3 typically disabled + * + * See runtime warning for limited-resource devices. + * + * Typical error codes at client, talking to low-memory server: + * -125 MEMORY_E out of memory error + * -308 SOCKET_ERROR_E error state on socket + * -313 FATAL_ERROR recvd alert fatal error + */ + +#if defined(CONFIG_WOLFSSL_ALLOW_TLS12) && CONFIG_WOLFSSL_ALLOW_TLS12 + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) + /* low-memory devices with TLS 1.2 enabled */ + #endif + + /* TLS 1.2 uses extensions by default */ + #define HAVE_TLS_EXTENSIONS + +#else + /* Unless explicitly enabled, only TLS 1.3 is configured */ + #define WOLFSSL_NO_TLS12 +#endif + /* TLS 1.3 */ -#ifdef CONFIG_WOLFSSL_ALLOW_TLS13 +#if (defined(CONFIG_WOLFSSL_ALLOW_TLS13) && CONFIG_WOLFSSL_ALLOW_TLS13) && \ + !defined(CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13) #define WOLFSSL_TLS13 #define HAVE_TLS_EXTENSIONS #define HAVE_HKDF - /* May be required */ + /* AEAD May be required */ #ifndef HAVE_AEAD + /* Syntax highlighting detection only */ #endif /* Required for ECC */ 
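Review bot: Leaving `ESP_WOLFSSL_MULTI_THREAD` at its Kconfig default of n now makes `SINGLE_THREADED` the default for every example, which turns wolfSSL's internal mutexes into no-ops at the same time this hunk enables a session cache and session tickets; when `TLS_STACK_WOLFSSL` is selected for ESP-TLS, several FreeRTOS tasks (HTTP client, MQTT) may drive TLS concurrently and then share that cache without locking. Consider defaulting multi-thread on when ESP-TLS uses wolfSSL, or at least adding `#warning "SINGLE_THREADED with a session cache: ensure only one task uses wolfSSL"` in the `#else` branch. In the static-memory block `#define WOLFSSL_STATIC_MEMORY` is redefined inside `#if defined(WOLFSSL_STATIC_MEMORY)`, and the `#if 1` / `#if (1)` switches around `WOLFSSL_MALLOC_CHECK` and `USE_FAST_MATH` look like leftover debugging toggles; replacing them with a comment naming the chosen option keeps the file readable.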
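Review bot: With `CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13` set and `CONFIG_WOLFSSL_ALLOW_TLS12` unset, the hunk at `@@ -386,16 +536,43 @@` defines `WOLFSSL_NO_TLS12` and skips `WOLFSSL_TLS13`, leaving no protocol version compiled in and no diagnostic; a check after the TLS 1.3 block, `#if defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_TLS13)` / `#error "No TLS version enabled; check WOLFSSL_ALLOW_TLS12 / WOLFSSL_ALLOW_TLS13"` / `#endif`, catches that configuration at build time. The block `#if defined(CONFIG_IDF_TARGET_ESP32C2) || defined(CONFIG_IDF_TARGET_ESP8684) /* low-memory devices with TLS 1.2 enabled */ #endif` is empty, as is the `#ifndef HAVE_AEAD` block whose only content is `/* Syntax highlighting detection only */`; either fill them or drop them, since an empty conditional reads like lost code. The TLS 1.3 `#if` block continues past the end of the hunk.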
@@ -416,8 +593,32 @@ #endif #endif +/* Settings common to both TLS 1.2 and TLS 1.3 */ +#if (defined(CONFIG_WOLFSSL_ALLOW_TLS12) && CONFIG_WOLFSSL_ALLOW_TLS12) || \ + (defined(CONFIG_WOLFSSL_ALLOW_TLS13) && CONFIG_WOLFSSL_ALLOW_TLS13) + + /* ECC can optionally be disabled, but is normally enabled */ + #if defined(ESP_WOLFSSL_DISABLE_ECC) && \ + ESP_WOLFSSL_DISABLE_ECC + #undef HAVE_ECC + #else + #define HAVE_ECC + #endif + + /* DH can optionally be disabled, but is normally enabled */ + #if defined(ESP_WOLFSSL_DISABLE_DH) && \ + ESP_WOLFSSL_DISABLE_DH + #undef HAVE_DH + #else + #define HAVE_DH + #endif + +#endif + + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ - defined(CONFIG_IDF_TARGET_ESP8684) + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP8266) /* Optionally set smaller size here */ #ifdef HAVE_FFDHE_4096 /* this size may be problematic on the C2 */ @@ -427,26 +628,25 @@ #define HAVE_FFDHE_4096 #endif -#define NO_FILESYSTEM - -#define NO_OLD_TLS - -#define HAVE_AESGCM - /* Optional RIPEMD: RACE Integrity Primitives Evaluation Message Digest */ /* #define WOLFSSL_RIPEMD */ /* when you want to use SHA224 */ -#define WOLFSSL_SHA224 +#if defined(CONFIG_ESP_WOLFSSL_SHA224) && \ + CONFIG_ESP_WOLFSSL_SHA224 + #define WOLFSSL_SHA224 +#endif /* when you want to use SHA384 */ -#define WOLFSSL_SHA384 +#if defined(CONFIG_ESP_WOLFSSL_SHA384) && \ + CONFIG_ESP_WOLFSSL_SHA384 + #define WOLFSSL_SHA384 +#endif /* Some features not enabled for ESP8266: */ #if defined(CONFIG_IDF_TARGET_ESP8266) || \ defined(CONFIG_IDF_TARGET_ESP32C2) /* Some known low-memory devices have features not enabled by default. */ - /* TODO determine low memory configuration for ECC. */ #else /* when you want to use SHA512 */ #define WOLFSSL_SHA512 
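Review bot: `#if defined(ESP_WOLFSSL_DISABLE_ECC) && ESP_WOLFSSL_DISABLE_ECC` and the matching `ESP_WOLFSSL_DISABLE_DH` test check the bare Kconfig symbol names, but sdkconfig.h emits them as `CONFIG_ESP_WOLFSSL_DISABLE_ECC` / `CONFIG_ESP_WOLFSSL_DISABLE_DH`, so the disable options can never take effect and `HAVE_ECC` / `HAVE_DH` are always defined here; the same missing `CONFIG_` prefix appears in the hunks at `@@ -552,21 +756,37 @@` (`ESP_WOLFSSL_USE_FAST_MATH`) and `@@ -623,11 +837,13 @@` (`ESP_WOLFSSL_USE_SM`). The fix is the prefix in each test, e.g. `#if defined(CONFIG_ESP_WOLFSSL_DISABLE_ECC) && CONFIG_ESP_WOLFSSL_DISABLE_ECC`. Note also that the `#undef HAVE_ECC` here runs before the later ECC block at `@@ -458,23 +658,17 @@`, which defines `HAVE_ECC` again from `CONFIG_ESP_WOLFSSL_USE_ECC`, so even with the prefix fixed the disable is overridden while `USE_ECC` stays at its default y.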
@@ -458,23 +658,17 @@ #define HAVE_ED25519 #endif -#if defined(CONFIG_IDF_TARGET_ESP8266) || defined(CONFIG_IDF_TARGET_ESP32C2) - #define MY_USE_ECC 0 - #define MY_USE_RSA 1 -#else - #define MY_USE_ECC 1 - #define MY_USE_RSA 0 -#endif - -/* We can use either or both ECC and RSA, but must use at least one. */ -#if MY_USE_ECC || MY_USE_RSA - #if MY_USE_ECC +/* We can use either or both ECC and RSA, but must use at least one for TLS */ +#if (defined(CONFIG_ESP_WOLFSSL_USE_ECC) && CONFIG_ESP_WOLFSSL_USE_ECC) || \ + (defined(CONFIG_ESP_WOLFSSL_USE_RSA) && CONFIG_ESP_WOLFSSL_USE_RSA) + /* Some ECC checks */ + #if CONFIG_ESP_WOLFSSL_USE_ECC /* ---- ECDSA / ECC ---- */ #define HAVE_ECC + /* #define HAVE_CURVE25519 #define HAVE_ED25519 #define WOLFSSL_SHA512 - /* #define HAVE_ECC384 #define CURVE25519_SMALL */ @@ -485,17 +679,27 @@ #define WOLFSSH_NO_ECDSA #endif - #if MY_USE_RSA + #if CONFIG_ESP_WOLFSSL_USE_RSA /* ---- RSA ----- */ /* #define RSA_LOW_MEM */ /* DH disabled by default, needed if ECDSA/ECC also turned off */ #define HAVE_DH + #define HAVE_RSA #else + #undef HAVE_RSA + #define NO_RSA + /* Also disable RSA if wolfSSH used */ #define WOLFSSH_NO_RSA #endif #else - #error "Either RSA or ECC must be enabled" + #if defined(CONFIG_ESP_WOLFSSL_ENABLE_MLKEM) + /* See above for PQ-only config */ + #elif defined(WOLFCRYPT_ONLY) + /* Communications such as (D)TLS not compiled in */ + #else + #warning "PQ, RSA, and ECC are disabled. Consider WOLFCRYPT_ONLY" + #endif #endif /* Optional OpenSSL compatibility */ 
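Review bot: Moving the `/*` from before `#define HAVE_ECC384` up to before `#define HAVE_CURVE25519` comments out `HAVE_CURVE25519`, `HAVE_ED25519` and `WOLFSSL_SHA512` in the ECC path, so X25519 key exchange and Ed25519 are no longer enabled from this block in builds that previously had ECC on; unless the chip-specific block above (which defines `WOLFSSL_SHA512` / `HAVE_ED25519` for non-low-memory targets) is meant to be the sole source, either restore the comment start or add `/* Curve25519/Ed25519 intentionally left to the per-target block above */` so the change is visibly deliberate. The `#if CONFIG_ESP_WOLFSSL_USE_ECC` inside the guard evaluates an undefined symbol as 0 when only RSA is selected, which is valid but trips `-Wundef`; `#if defined(CONFIG_ESP_WOLFSSL_USE_ECC) && CONFIG_ESP_WOLFSSL_USE_ECC` matches the outer test. The ECC block continues past the hunk's end.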
@@ -552,21 +756,37 @@ #define HASH_SIZE_LIMIT /* USE_FAST_MATH is default */ -#define USE_FAST_MATH - -/***** Use SP_MATH *****/ -/* #undef USE_FAST_MATH */ -/* #define SP_MATH */ -/* #define WOLFSSL_SP_MATH_ALL */ -/* #define WOLFSSL_SP_RISCV32 */ +#if defined(CONFIG_ESP_WOLFSSL_USE_FAST_MATH) && \ + ESP_WOLFSSL_USE_FAST_MATH + /***** Use Fast Math *****/ + #define USE_FAST_MATH + #undef WOLFSSL_SP_MATH + #undef WOLFSSL_SP_MATH_ALL + #define USE_INTEGER_HEAP_MATH +#elif defined(CONFIG_ESP_WOLFSSL_SP_MATH) && \ + CONFIG_ESP_WOLFSSL_SP_MATH + /***** Use SP_MATH *****/ + #undef USE_FAST_MATH + #undef USE_INTEGER_HEAP_MATH + #define WOLFSSL_SP_MATH + #define WOLFSSL_SP_MATH_ALL +#elif defined(CONFIG_ESP_WOLFSSL_USE_INTEGER_HEAP_MATH) && \ + CONFIG_ESP_WOLFSSL_USE_INTEGER_HEAP_MATH + /***** Use Integer Heap Math *****/ + #undef USE_FAST_MATH + #undef WOLFSSL_SP_MATH + #undef WOLFSSL_SP_MATH_ALL + #define USE_INTEGER_HEAP_MATH +#else + #define USE_FAST_MATH +#endif /***** Use Integer Heap Math *****/ /* #undef USE_FAST_MATH */ /* #define USE_INTEGER_HEAP_MATH */ /* Just syntax highlighting to check math libraries: */ -#if defined(SP_MATH) || \ - defined(USE_INTEGER_HEAP_MATH) || \ +#if defined(WOLFSSL_SP_MATH) || \ defined(USE_INTEGER_HEAP_MATH) || \ defined(USE_FAST_MATH) || \ defined(WOLFSSL_SP_MATH_ALL) || \ @@ -577,10 +797,6 @@ #define HAVE_VERSION_EXTENDED_INFO /* #define HAVE_WC_INTROSPECTION */ -#ifndef NO_SESSION_CACHE - #define HAVE_SESSION_TICKET -#endif - /* #define HAVE_HASHDRBG */ #if 0 @@ -604,8 +820,6 @@ #endif -#define WOLFSSL_ASN_TEMPLATE - /* #undef WOLFSSL_KEY_GEN #undef WOLFSSL_CERT_REQ 
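Review bot: The Fast-Math branch of the new math-backend selection is both unreachable and contradictory: the condition tests `defined(CONFIG_ESP_WOLFSSL_USE_FAST_MATH)` but then evaluates `ESP_WOLFSSL_USE_FAST_MATH` (no `CONFIG_` prefix, presumably undefined and hence 0), and the body defines `USE_FAST_MATH` and `USE_INTEGER_HEAP_MATH` together even though they are alternative integer backends (the heap-math branch below explicitly `#undef`s `USE_FAST_MATH`). Suggested: `#if defined(CONFIG_ESP_WOLFSSL_USE_FAST_MATH) && CONFIG_ESP_WOLFSSL_USE_FAST_MATH` with `#undef USE_INTEGER_HEAP_MATH` in place of the `#define`. Today a menuconfig Fast-Math choice silently falls through to the `#else` default, which also happens to be `USE_FAST_MATH`, so the defect is masked until someone changes the default.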
@@ -623,11 +837,13 @@ */ /* optional SM4 Ciphers. See https://github.com/wolfSSL/wolfsm */ -/* -#define WOLFSSL_SM2 -#define WOLFSSL_SM3 -#define WOLFSSL_SM4 -*/ + +#if defined(ESP_WOLFSSL_USE_SM) && \ + ESP_WOLFSSL_USE_SM + #define WOLFSSL_SM2 + #define WOLFSSL_SM3 + #define WOLFSSL_SM4 +#endif #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) /* SM settings, possible cipher suites: @@ -669,9 +885,16 @@ #undef HAVE_AESGCM #define HAVE_AESGCM -#endif + + /* ByteReverseWords is known to need alignment */ + #undef WOLFSSL_USE_ALIGN + #define WOLFSSL_USE_ALIGN +#endif /* SM or regular certs */ /* Chipset detection from sdkconfig.h + * See idf.py --list-targets + * or ESP-IDF ./components/esp_hw_support/include/esp_chip_info.h + * Set target example: idf.py set-target esp32s3 * Default is HW enabled unless turned off. * Uncomment lines to force SW instead of HW acceleration */ #if defined(CONFIG_IDF_TARGET_ESP32) || defined(WOLFSSL_ESPWROOM32SE) @@ -692,7 +915,7 @@ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 /* no SHA224 HW on ESP32 */ #undef ESP_RSA_MULM_BITS - #define ESP_RSA_MULM_BITS 16 /* TODO add compile-time warning */ + #define ESP_RSA_MULM_BITS 16 /***** END CONFIG_IDF_TARGET_ESP32 *****/ #elif defined(CONFIG_IDF_TARGET_ESP32S2) 
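Review bot: The SM cipher enable in the first hunk keys on `ESP_WOLFSSL_USE_SM`, once more without the `CONFIG_` prefix used by the other menuconfig toggles, so it is unclear whether this is a Kconfig option or a manual define; either the `CONFIG_ESP_WOLFSSL_USE_SM` spelling or a comment (`/* manual define, not in Kconfig */`) would settle it. Keep in mind that the `#if defined(WOLFSSL_SM2) || ...` settings block in the second hunk (forcing `HAVE_AESGCM` and `WOLFSSL_USE_ALIGN`) is evaluated here, so any later definition of `WOLFSSL_SM2/3/4` further down the file will not get those settings.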
@@ -736,8 +959,16 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */ /* These are defined automatically in esp32-crypt.h, here for clarity */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C2 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C2 */ + /* no SHA384 HW on C2 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C2 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif /* There's no AES or RSA/Math accelerator on the ESP32-C2 * Auto defined with NO_WOLFSSL_ESP32_CRYPT_RSA_PRI, for clarity: */ @@ -756,8 +987,16 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */ /* These are defined automatically in esp32-crypt.h, here for clarity: */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */ + /* no SHA384 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ 
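Review bot: The mitigation flag is spelled `WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE` in both the ESP32-C2 and ESP32-C3 blocks of this hunk, while the ESP32-C6 block in the next hunk defines `WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE`; whichever spelling the library checks, two of the three targets will not match it. Use one name everywhere, `#define WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE`. The C3 block also carries copy-pasted comments `/* no SHA384 HW on C6 */` and `/* no SHA512 HW on C6 */` that should say C3, and the `#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION)` blocks sit at column 0 inside otherwise indented target sections.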
@@ -766,16 +1005,34 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ /***** END CONFIG_IDF_TARGET_ESP32C3 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32C5) + #define WOLFSSL_ESP32 + + /* There's no Hardware Acceleration available on ESP32-C5 */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32C5 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32C6) #define WOLFSSL_ESP32 /* wolfSSL HW Acceleration supported on ESP32-C6. Uncomment to disable: */ - /* #define NO_ESP32_CRYPT */ - /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* These are defined automatically in esp32-crypt.h, here for clarity: */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */ + /* no SHA384 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif + /* #define NO_ESP32_CRYPT */ + /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */ 
@@ -783,7 +1040,34 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ /***** END CONFIG_IDF_TARGET_ESP32C6 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32C61) + #define WOLFSSL_ESP32 + /* wolfSSL HW Acceleration not yet supported on ESP32-C61. */ + + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + + /* TODO latest WIP ESP-IDF v6 needs esp_sha_set_mode, disable for now: */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH + + /* These are defined automatically in esp32-crypt.h, here for clarity: */ + /* no SHA384 HW on C61 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C61 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + + /* HW temporarily disabled on the ESP32-C61 pending additional development. + * See also settings.h that should also be disabling these after v5.8.0 */ + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD + /***** END CONFIG_IDF_TARGET_ESP32C61 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32H2) + /* Reminder: There's no wifi on ESP32-H2 */ + #define WOLFSSL_ESP32 /* wolfSSL Hardware Acceleration not yet implemented */ #define NO_ESP32_CRYPT 
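Review bot: `#define NO_WOLFSSL_ESP32_CRYPT_HASH` appears twice in the new ESP32-C61 section, once under "HW Acceleration not yet supported" and again under the `esp_sha_set_mode` TODO; identical redefinition is legal, but one of them should go, keeping the TODO comment next to the remaining define. The comment "See also settings.h that should also be disabling these after v5.8.0" asserts behaviour of another file that a reader cannot check here; naming the macro or PR that does it would make the claim verifiable.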
@@ -792,6 +1076,24 @@ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI /***** END CONFIG_IDF_TARGET_ESP32H2 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32H21) + #define WOLFSSL_ESP32 + /* wolfSSL Hardware Acceleration not yet implemented */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32H21 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP32H4) + #define WOLFSSL_ESP32 + /* wolfSSL Hardware Acceleration not yet implemented */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32H4 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32P4) #define WOLFSSL_ESP32 /* wolfSSL Hardware Acceleration not yet implemented */ @@ -818,16 +1120,25 @@ /***** END CONFIG_IDF_TARGET_ESP266 *****/ #elif defined(CONFIG_IDF_TARGET_ESP8684) - /* There's no Hardware Acceleration available on ESP8684 */ + /* There's no Hardware Acceleration available on ESP8684 + * Note that it usually presents as ESP32C2 */ #define NO_ESP32_CRYPT #define NO_WOLFSSL_ESP32_CRYPT_HASH #define NO_WOLFSSL_ESP32_CRYPT_AES #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI /***** END CONFIG_IDF_TARGET_ESP8684 *****/ +#elif defined(POSIX_LINUX) + /* There's no Hardware Acceleration available on POSIX/Linux simulator */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_POSIX_LINUX *****/ + #else /* Anything else encountered, disable HW acceleration */ - #warning "Unexpected CONFIG_IDF_TARGET_NN value" + #warning "Unexpected CONFIG_IDF_TARGET_NN value, disabling all HW crypto" #define NO_ESP32_CRYPT #define NO_WOLFSSL_ESP32_CRYPT_HASH #define NO_WOLFSSL_ESP32_CRYPT_AES 
@@ -845,7 +1156,7 @@ /* See idf.py menuconfig for stack warning settings */ #if !defined(CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING) #if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500 - #warning "RSA may be difficult with less than 10KB Stack" + /* RSA may be difficult with less than 10KB Stack */ #endif #else /* Implement your own stack warning here */ @@ -856,11 +1167,17 @@ /* NOTE HW unreliable for small values! */ /* threshold for performance adjustment for HW primitive use */ /* X bits of G^X mod P greater than */ - #undef ESP_RSA_EXPT_XBITS + #if defined(ESP_RSA_EXPT_XBITS) && (ESP_RSA_EXPT_XBITS < 32) + #warning "Adjusting ESP_RSA_EXPT_XBITS to 32" + #undef ESP_RSA_EXPT_XBITS + #endif #define ESP_RSA_EXPT_XBITS 32 /* X and Y of X * Y mod P greater than */ - #undef ESP_RSA_MULM_BITS + #if defined(ESP_RSA_MULM_BITS) && (ESP_RSA_MULM_BITS < 16) + #warning "Adjusting ESP_RSA_MULM_BITS to 16" + #undef ESP_RSA_MULM_BITS + #endif #define ESP_RSA_MULM_BITS 16 #endif #endif 
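Review bot: In the second hunk the `ESP_RSA_EXPT_XBITS` / `ESP_RSA_MULM_BITS` guards only `#undef` when the existing value is below the floor, yet the following `#define ESP_RSA_EXPT_XBITS 32` (and `... MULM_BITS 16`) is unconditional, so a user-supplied larger value (say 64) becomes a redefinition with a different token sequence, which compilers diagnose. Either wrap each define in `#ifndef ESP_RSA_EXPT_XBITS`, or `#undef` unconditionally as the old code did and emit the `#warning` only when the previous value was below the floor; since the comment above says HW is unreliable for small operands, the floor is a correctness matter, not just tuning. The first hunk turns the stack-size `#warning` into a plain comment, which leaves the `CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING` guard around it doing nothing; either keep the warning or remove the guard.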
@@ -1016,87 +1333,317 @@ Turn on timer debugging (used when CPU cycles not available) * https://github.com/wolfSSL/wolfssl/pull/6825 * https://github.com/wolfSSL/wolfsm * - * Uncomment these 3 macros to enable the SM Ciphers and use the macros below. + * Check to see if idf.py menuconfig selected example certs, otheruse use 2048: */ - -/* -#define WOLFSSL_SM2 -#define WOLFSSL_SM3 -#define WOLFSSL_SM4 -*/ +#if defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_2048) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_2048 + #define USE_CERT_BUFFERS_2048 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_1024) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_1024 + #define USE_CERT_BUFFERS_1024 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_256) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_256 + #define USE_CERT_BUFFERS_256 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM + #define WOLFSSL_SM2 + #define WOLFSSL_SM3 + #define WOLFSSL_SM4 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_NONE) + /* See user_settings.h for referenbce on defining your own cert */ +#else + #define USE_CERT_BUFFERS_2048 +#endif /* Conditional macros used in wolfSSL TLS client and server examples */ #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) - #include - #define CTX_CA_CERT root_sm2 - #define CTX_CA_CERT_SIZE sizeof_root_sm2 - #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_PEM - #define CTX_SERVER_CERT server_sm2 - #define CTX_SERVER_CERT_SIZE sizeof_server_sm2 - #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM - #define CTX_SERVER_KEY server_sm2_priv - #define CTX_SERVER_KEY_SIZE sizeof_server_sm2_priv - #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_PEM + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (SM)" - #undef WOLFSSL_BASE16 - #define WOLFSSL_BASE16 -#else - #if defined(USE_CERT_BUFFERS_2048) - #ifdef USE_CERT_BUFFERS_1024 - #error "USE_CERT_BUFFERS_1024 is already defined. 
Pick one." - #endif + #ifndef HAVE_TLS_EXTENSIONS + #error "SM Ciphers require HAVE_TLS_EXTENSIONS" + #endif + #ifndef HAVE_HKDF + #error "SM Ciphers require HAVE_HKDF" + #endif + #ifndef HAVE_ECC + #error "SM Ciphers require HAVE_ECC" + #endif + #ifndef WOLFSSL_USE_ALIGN + #warning "Define WOLFSSL_USE_ALIGN to avoid LoadStoreAlignment panic" + #endif + + #ifdef WOLFSSL_ALT_CERT_CHAINS + /* When on, wolfSSL will accept the peer if the leaf sent matches + * the one loaded, even without a CA in the path */ + #endif + + /* ./examples/client/client -h 192.168.1.107 -v 3 \ + * -l ECDHE-ECDSA-SM4-CBC-SM3 + * -c ./certs/sm2/client-sm2.pem + * -k ./certs/sm2/client-sm2-priv.pem + * -A ./certs/sm2/ca-sm2.pem -C + */ + + /* Certificate file `-c`; client command default: certs/server-cert.pem + * wolfSSL_CTX_use_certificate_chain_buffer_format + * + * Note that the PEM file of server_sm2 contains both leaf and CA + * The DER file contains only the server cert. */ + + /* Server */ + #ifndef NO_WOLFSSL_SERVER + #define CTX_SERVER_CERT server_sm2 + #define CTX_SERVER_CERT_NAME "server_sm2" + #define CTX_SERVER_CERT_SIZE sizeof_server_sm2 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM + + /* Key file `-k`; client command default: ./certs/server-key.pem + * wolfSSL_CTX_use_certificate_buffer */ + #define CTX_SERVER_KEY server_sm2_priv_der + #define CTX_SERVER_KEY_NAME "server_sm2_priv_der" + #define CTX_SERVER_KEY_SIZE sizeof_server_sm2_priv_der + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Client */ + #ifndef NO_WOLFSSL_CLIENT + #define CTX_CA_CERT root_sm2_der + #define CTX_CA_CERT_NAME "root_sm2_der" + #define CTX_CA_CERT_SIZE sizeof_root_sm2_der + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_CLIENT_KEY client_sm2_priv_der + #define CTX_CLIENT_KEY_NAME "client_sm2_priv_der" + #define CTX_CLIENT_KEY_SIZE sizeof_client_sm2_priv_der + #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Client Cert. 
+ * This is also the optional peer verify certificate at server */ + #define CTX_CLIENT_CERT client_sm2_der + #define CTX_CLIENT_CERT_NAME "client_sm2_der" + #define CTX_CLIENT_CERT_SIZE sizeof_client_sm2_der + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END SM */ - /* Be sure to include in app, not here, when using example certs: */ - /* #include */ +#elif defined(USE_CERT_BUFFERS_2048) + /* + * To connect to ESP32 server with a client from commandline: + * + * The client uses 2048 certs by default, so no certs needed on commandline: + * + * TLS 1.2 + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 + * + * TLS 1.3 + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 4 + */ + + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_2048)" + + #ifdef USE_CERT_BUFFERS_1024 + #error "USE_CERT_BUFFERS_1024 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_256 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." 
+ #endif + #if defined(NO_RSA) + #error "RSA is needed to use CERT_BUFFERS_2048 example" + #endif + /* Client */ + #ifndef NO_WOLFSSL_CLIENT #define CTX_CA_CERT ca_cert_der_2048 #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_2048 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_SERVER_CERT server_cert_der_2048 - #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048 - #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_SERVER_KEY server_key_der_2048 - #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_2048 - #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 - - #define CTX_CLIENT_CERT client_cert_der_2048 - #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048 - #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #define CTX_CLIENT_KEY client_key_der_2048 #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_2048 #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif - #elif defined(USE_CERT_BUFFERS_1024) - #ifdef USE_CERT_BUFFERS_2048 - #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." 
+ /* Server */ + #ifndef NO_WOLFSSL_SERVER + #if (0) + /* No PEM certs available at this time */ + #define CTX_SERVER_CERT server_cert_2048 + #define CTX_SERVER_CERT_NAME "server_cert_2048" + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_2048 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM + + #define CTX_SERVER_KEY server_key_2048 + #define CTX_SERVER_KEY_NAME "server_key_2048" + #define CTX_SERVER_KEY_SIZE sizeof_server_key_2048 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_PEM + #else + #define CTX_SERVER_CERT server_cert_der_2048 + #define CTX_SERVER_CERT_NAME "server_cert_der_2048" + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_SERVER_KEY server_key_der_2048 + #define CTX_SERVER_KEY_NAME "server_key_der_2048" + #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_2048 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 #endif + #endif /* server */ + + /* -A Client peer verify at the server + * defaults: ./examples/client/client -v 3 -h 192.168.1.107 */ + #define CTX_CLIENT_CERT client_cert_der_2048 + #define CTX_CLIENT_CERT_NAME "client_cert_der_2048" + #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END USE_CERT_BUFFERS_2048 */ - /* Be sure to include in app, not here, when using example certs: */ - /* #include */ +#elif defined(USE_CERT_BUFFERS_1024) + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_1024)" + /* + * To connect to ESP32 server with a client from commandline: + * + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d \ + -A ./certs/1024/ca-cert.pem \ + -c ./certs/1024/client-cert.pem \ + -k ./certs/1024/client-key.pem -C + */ + #ifdef USE_CERT_BUFFERS_2048 + #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_256 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." 
+ #endif + + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + /* Client */ + #ifndef NO_WOLFSSL_CLIENT #define CTX_CA_CERT ca_cert_der_1024 + #define CTX_CA_CERT_NAME "ca_cert_der_1024" #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_1024 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_CLIENT_CERT client_cert_der_1024 - #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024 - #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #define CTX_CLIENT_KEY client_key_der_1024 #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_1024 #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + /* Server */ + #ifndef NO_WOLFSSL_SERVER #define CTX_SERVER_CERT server_cert_der_1024 + #define CTX_SERVER_CERT_NAME "server_cert_der_1024" #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_1024 #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + #define CTX_SERVER_KEY server_key_der_1024 + #define CTX_SERVER_KEY_NAME "server_key_der_1024" #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_1024 #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Optional shared client peer verify for wolfSSL_CTX_set_verify() */ + #define CTX_CLIENT_CERT client_cert_der_1024 + #define CTX_CLIENT_CERT_NAME "client_cert_der_1024" + #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END USE_CERT_BUFFERS_1024 */ + +#elif defined(USE_CERT_BUFFERS_256) + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_256)" + #ifndef HAVE_ECC + #error "USE_CERT_BUFFERS_256 requires HAVE_ECC" + #endif + + #if (0) /* Optional SECP256K1 */ + #define HAVE_ECC_SECP256K1 + #define HAVE_ECC_KOBLITZ + #define WOLFSSL_CUSTOM_CURVES + #endif + /* + * To connect to this ESP32 server with a client from commandline: + * + * TLS 1.3, disable peer cert: + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 
4 -d + * + * TLS 1.2, disable peer cert: + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d + * + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 \ + -A ./certs/ecc/ca-secp256k1-cert.pem \ + -c ./certs/ecc/client-secp256k1-cert.pem \ + -k ./certs/ecc/secp256k1-key.pem + + ./examples/client/client -h 192.168.1.107 -p 11111 -v 4 \ + -A ./certs/ca-ecc-cert.pem \ + -c ./certs/client-ecc-cert.pem \ + -k ./certs/ecc-client-key.pem + */ + #ifdef USE_CERT_BUFFERS_2048 + #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_1024 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." + #endif + + #ifndef NO_WOLFSSL_CLIENT + #define CTX_CA_CERT ca_ecc_cert_der_256 + #define CTX_CA_CERT_SIZE sizeof_ca_ecc_cert_der_256 + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_CLIENT_KEY ecc_clikey_der_256 + #define CTX_CLIENT_KEY_SIZE sizeof_ecc_clikey_der_256 + #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Server */ + #ifndef NO_WOLFSSL_SERVER + /* wolfSSL_CTX_use_certificate_chain_buffer_format */ + #if (0) + /* serv_ecc_der_256 leaf only */ + #define CTX_SERVER_CERT serv_ecc_der_256 + #define CTX_SERVER_CERT_NAME "serv_ecc_der_256" + #define CTX_SERVER_CERT_SIZE sizeof_serv_ecc_der_256 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #else - /* Optionally define custom cert arrays, sizes, and types here */ + /* new leaf + ca, needs https://github.com/wolfSSL/wolfssl/pull/9231 */ + #define CTX_SERVER_CERT server_ecc_cert + #define CTX_SERVER_CERT_NAME "server_ecc_cert" + #define CTX_SERVER_CERT_SIZE sizeof_server_ecc_cert + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM #endif -#endif /* Conditional key and cert constant names */ + /* wolfSSL_CTX_use_PrivateKey_buffer */ + #define CTX_SERVER_KEY ecc_key_der_256 + #define CTX_SERVER_KEY_NAME "ecc_key_der_256" + #define CTX_SERVER_KEY_SIZE sizeof_ecc_key_der_256 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + + /* 
wolfSSL_CTX_load_verify_buffer */ + #define CTX_CLIENT_CERT cliecc_cert_der_256 + #define CTX_CLIENT_CERT_NAME "cliecc_cert_der_256" + #define CTX_CLIENT_CERT_SIZE sizeof_cliecc_cert_der_256 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #endif /* Server */ + /* END USE_CERT_BUFFERS_256 */ + +#endif /* USE_CERT_BUFFERS_[n] */ + +/* +./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d \ + -A ./certs/ca-ecc-cert.pem \ + -c ./certs/ecc/client-ecc-cert.pem \ + -k ./certs/ecc/ecc-key.pem +*/ /****************************************************************************** ** Sanity Checks ******************************************************************************/ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/ld/region_peek.ld b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/ld/region_peek.ld new file mode 100644 index 0000000000..e8ca4b3ae4 --- /dev/null +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/ld/region_peek.ld @@ -0,0 +1,9 @@ +/* ORIGIN()/LENGTH() always see the SoC memory regions: */ +INCLUDE memory.ld + +/* Region boundary symbols derived from memory.ld */ +PROVIDE(__dram0_start = ORIGIN(dram0_0_seg)); +PROVIDE(__dram0_end = ORIGIN(dram0_0_seg) + LENGTH(dram0_0_seg)); + +PROVIDE(__drom0_start = ORIGIN(drom0_0_seg)); +PROVIDE(__drom0_end = ORIGIN(drom0_0_seg) + LENGTH(drom0_0_seg)); diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/CMakeLists.txt index 80a89c25a7..48492edbc6 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/CMakeLists.txt 
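Review bot: Selecting `CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM` defines `WOLFSSL_SM2/SM3/SM4` at this point in the file, but the SM settings block (`#if defined(WOLFSSL_SM2) || ...`, which forces `HAVE_AESGCM` and `WOLFSSL_USE_ALIGN`) was already evaluated several hundred lines earlier, so an SM build driven only by the cert choice misses those settings and the `#warning "Define WOLFSSL_USE_ALIGN ..."` added in this hunk will fire. Enable the SM ciphers in the earlier block (or move this cert selection ahead of it) instead of piggybacking on the cert choice. Within this hunk the 1024-vs-256 guard in the `USE_CERT_BUFFERS_256` branch reports the wrong macro (`#ifdef USE_CERT_BUFFERS_1024` followed by `#error "USE_CERT_BUFFERS_256 is already defined. Pick one."`). The `CTX_CERT_SET_NAME "wolfSSL Test Certs ..."` sets are wolfSSL's publicly published test keys and the `#else` default compiles the 2048 set into the firmware unasked, so a comment there (`/* Published wolfSSL test keys — never ship these */`) is worth adding. Minor typos in the new comments: "otheruse" → "otherwise", "referenbce" → "reference".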
@@ -4,7 +4,8 @@ # wolfssl client test # message(STATUS "Begin wolfSSL main CMakeLists.txt") -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") if (idf_target STREQUAL "esp8266" OR IDF_TARGET STREQUAL "esp8266" OR IDF_VERSION_MAJOR VERSION_LESS "5.0") # `driver` component not available for ESP8266 @@ -21,9 +22,6 @@ endif() if(CMAKE_HOST_UNIX) message(STATUS "Detected UNIX") endif() -if(APPLE) - message(STATUS "Detected APPLE") -endif() if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop") # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL") @@ -62,8 +60,6 @@ endif() ## register_component() idf_component_register(SRCS main.c - wifi_connect.c - time_helper.c client-tls.c INCLUDE_DIRS "." "./include" diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c index f51d041d6d..d06e35cef8 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c @@ -21,6 +21,9 @@ #include "client-tls.h" +/* Optional peer verify, see wolfSSL_CTX_set_verify() */ +#define MY_PEER_VERIFY 1 + /* Espressif FreeRTOS */ #ifndef SINGLE_THREADED #include 
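Review bot: The last hunk removes `time_helper.c` and `wifi_connect.c` from `idf_component_register(SRCS ...)`, and the diffstat shows their headers deleted from `main/include`, so this component no longer sets the system clock itself. Certificate validity (notBefore/notAfter) checking depends on a sane wall-clock time before the handshake; if time sync moved to a shared component, a comment at the `SRCS` line naming it (`# time/wifi helpers now provided by the shared wolfssl component`) lets a reader confirm the clock is still set, and if it did not move, the date checks silently become meaningless or fail. The new `CMAKE_CXX_FLAGS` line is fine, but the duplicated `-DWOLFSSL_USER_SETTINGS` would be simpler as a single `add_compile_definitions(WOLFSSL_USER_SETTINGS)` if the project's ESP-IDF minimum supports it (hedged — not visible here).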
@@ -34,20 +37,50 @@ /* socket includes */ #include #include +#include /* For TCP options */ +#include /* wolfSSL */ -#include -/* This project not yet using the library */ -#undef USE_WOLFSSL_ESP_SDK_WIFI -#include - +/* Always include wolfcrypt/settings.h before any other wolfSSL file. */ +/* Reminder: settings.h pulls in user_settings.h; don't include it here. */ +#ifdef WOLFSSL_USER_SETTINGS + #include + #ifndef WOLFSSL_ESPIDF + #warning "Problem with wolfSSL user_settings." + #warning "Check components/wolfssl/include" + #endif + #include + #include +#else + /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include */ + /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */ + #error "Missing WOLFSSL_USER_SETTINGS in CMakeLists or Makefile:\ + CFLAGS +=-DWOLFSSL_USER_SETTINGS" +#endif #if defined(WOLFSSL_WC_MLKEM) #include #include #endif -#if defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024) + +/* The default user_settings.h includes macros that reference sample certs: */ +#if defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024) || \ + defined(USE_CERT_BUFFERS_256) #include #endif +#if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) + #include +#endif +/* Some older versions don't have cert name strings, so set to blanks: */ +#ifndef CTX_CLIENT_CERT_NAME + #define CTX_CLIENT_CERT_NAME "" +#endif +#ifndef CTX_SERVER_KEY_NAME + #define CTX_SERVER_KEY_NAME "" +#endif +#ifndef CTX_SERVER_CERT_NAME + #define CTX_SERVER_CERT_NAME "" +#endif + #ifdef WOLFSSL_TRACK_MEMORY #include #endif 
@@ -61,24 +94,33 @@ #define DEFAULT_MAX_DHKEY_BITS 2048 #endif -/* Project */ -#include "wifi_connect.h" -#include "time_helper.h" - -/* working TLS 1.2 VS client app commandline param: +/* + * Optionally define explicit ciphers, for example these TLS 1.3 options. * - * -h 192.168.1.128 -v 3 -l ECDHE-ECDSA-SM4-CBC-SM3 -c ./certs/sm2/client-sm2.pem -k ./certs/sm2/client-sm2-priv.pem -A ./certs/sm2/root-sm2.pem -C + * TLS13-AES128-GCM-SHA256 + * TLS13-AES256-GCM-SHA384 + * TLS13-AES128-CCM-SHA256 + * TLS13-AES128-CCM-8-SHA256 + * TLS13-AES128-CCM8-SHA256 * - * working Linux, non-working VS c app + * examples: + * #define WOLFSSL_ESP32_CIPHER_SUITE "TLS13-AES128-GCM-SHA256:PSK-AES128-GCM-SHA256" + * #define WOLFSSL_ESP32_CIPHER_SUITE "TLS13-AES128-CCM-8-SHA256" * - * -h 192.168.1.128 -v 4 -l TLS13-SM4-CCM-SM3 -c ./certs/sm2/client-sm2.pem -k ./certs/sm2/client-sm2-priv.pem -A ./certs/sm2/root-sm2.pem -C + * TLS 1.2 VS client app commandline param: * - **/ + * -h 192.168.1.128 -v 3 -l ECDHE-ECDSA-SM4-CBC-SM3 + -c ./certs/sm2/client-sm2.pem + -k ./certs/sm2/client-sm2-priv.pem + -A ./certs/sm2/root-sm2.pem -C + + * -h 192.168.1.128 -v 4 -l TLS13-SM4-CCM-SM3 + -c ./certs/sm2/client-sm2.pem + -k ./certs/sm2/client-sm2-priv.pem + -A ./certs/sm2/root-sm2.pem -C + */ #define TAG "client-tls" -#if defined(DEBUG_WOLFSSL) -int stack_start = -1; - int ShowCiphers(WOLFSSL* ssl) { #define CLIENT_TLS_MAX_CIPHER_LENGTH 4096 @@ -109,7 +151,13 @@ int ShowCiphers(WOLFSSL* ssl) return ret; } -#endif +static void halt_for_reboot(const char* s) +{ + ESP_LOGE(TAG, "Halt. %s", s); + while (1) { + vTaskDelay(60000); + } +} #if defined(WOLFSSL_ESPWROOM32SE) && defined(HAVE_PK_CALLBACKS) \ && defined(WOLFSSL_ATECC508A) 
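Review bot: `halt_for_reboot()` in the second hunk does not reboot: it logs once and then spins in `while (1) { vTaskDelay(60000); }`, leaving the device permanently wedged after any socket/CTX failure with nothing to recover it. On a fielded device a failed TLS setup should end in `esp_restart()` (or `abort()`, so the panic path produces a core dump) after a bounded delay; if the intent really is to halt for debugging, name it `halt_for_debug()` so callers are not misled. The first hunk also drops the `#if defined(DEBUG_WOLFSSL)` guard around `ShowCiphers()`, so it is now always compiled; if it is not referenced from another file it should become `static`.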
@@ -176,12 +224,6 @@ void my_atmel_free(int slotId) /* client task */ WOLFSSL_ESP_TASK tls_smp_client_task(void* args) { -#if defined(SINGLE_THREADED) - int ret = ESP_OK; - #define TLS_SMP_CLIENT_TASK_RET ret -#else - #define TLS_SMP_CLIENT_TASK_RET -#endif char buff[256]; const char sndMsg[] = "GET /index.html HTTP/1.0\r\n\r\n"; const char* ch = TLS_SMP_TARGET_HOST; /* see wifi_connect.h */ @@ -192,8 +234,13 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args) int ret_i; /* interim return values */ int err; /* interim return values */ int sockfd; - int doPeerCheck; int sendGet; +#if defined(SINGLE_THREADED) + #define TLS_SMP_CLIENT_TASK_RET ret + int ret = ESP_OK; +#else + #define TLS_SMP_CLIENT_TASK_RET +#endif #ifdef DEBUG_WOLFSSL int this_heap = 0; #endif 
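Review bot: The second hunk removes the `doPeerCheck` local that was the runtime switch for peer verification; its compile-time replacement `MY_PEER_VERIFY` (defined as 1 near the top of this file) only matters if the rest of the task — outside this hunk — still calls `wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL)` and loads `CTX_CA_CERT`, and an example client that silently stops verifying is exactly what gets copied. Also `ret` is now declared only under `SINGLE_THREADED`, so any use of `ret` in the multithreaded build later in the task will not compile; the unconditionally declared `ret_i` should be used for wolfSSL return codes. `tls_smp_client_task` continues outside the hunk.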
@@ -209,24 +256,43 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args) WOLFSSL_ENTER(TLS_SMP_CLIENT_TASK_NAME); - doPeerCheck = 1; sendGet = 0; #ifdef DEBUG_WOLFSSL - WOLFSSL_MSG("Debug ON"); + wolfSSL_Debugging_OFF(); ShowCiphers(NULL); #endif + +#if defined(SINGLE_THREADED) + /* No startup delay */ +#else + /* Brief delay to allow the main task to be deleted and free memory. */ + vTaskDelay(100); +#endif + /* Initialize wolfSSL */ - wolfSSL_Init(); + ESP_LOGI(TAG, "Start wolfSSL_Init()"); + ret_i = wolfSSL_Init(); + if (ret_i != WOLFSSL_SUCCESS) { + ESP_LOGE(TAG, "Failed to initialize wolfSSL"); + } /* Create a socket that uses an Internet IPv4 address, * Sets the socket to be stream based (TCP), * 0 means choose the default protocol. */ - if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { - ESP_LOGE(TAG, "ERROR: failed to create the socket\n"); + WOLFSSL_MSG( "start socket())"); + if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == -1) { + halt_for_reboot("ERROR: failed to create the socket"); } - ESP_LOGI(TAG, "get target IP address"); + /* Optionally set TCP Socket Reuse. */ +#if defined(CONFIG_ESP_WOLFSSL_TCP_REUSE) && (CONFIG_ESP_WOLFSSL_TCP_REUSE > 0) + setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &tcp_reuse, sizeof(tcp_reuse)); +#ifdef SO_REUSEPORT /* not always available on lwIP */ + setsockopt(sockfd, SOL_SOCKET, SO_REUSEPORT, &tcp_reuse, sizeof(tcp_reuse)); +#endif /* SO_REUSEPORT */ +#endif /* optional TCP reuse */ + ESP_LOGI(TAG, "Get target IP address: %s", TLS_SMP_TARGET_HOST); hp = gethostbyname(TLS_SMP_TARGET_HOST); if (!hp) { 
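Review bot: A failed `wolfSSL_Init()` is only logged and the task goes on to create the socket and the CTX, whereas the socket failure a few lines later halts; make the two consistent with `if (ret_i != WOLFSSL_SUCCESS) { halt_for_reboot("ERROR: failed to initialize wolfSSL"); }`. The `setsockopt()` calls under `CONFIG_ESP_WOLFSSL_TCP_REUSE` ignore their return values and use `tcp_reuse`, which is not declared anywhere in this hunk (presumably a file-scope variable — worth confirming). Also `wolfSSL_Debugging_OFF()` under `#ifdef DEBUG_WOLFSSL` replaces the old "Debug ON" message; if switching debugging off in the debug build is intentional, a comment saying why would help, and the message `"start socket())"` has an unbalanced parenthesis.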
@@ -238,16 +304,61 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args) } /* Create and initialize WOLFSSL_CTX */ - ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); /* SSL 3.0 - TLS 1.3. */ - /* options: */ - /* ctx = wolfSSL_CTX_new(wolfSSLv1_2_client_method()); only TLS 1.2 */ - /* ctx = wolfSSL_CTX_new(wolfSSLv1_3_client_method()); only TLS 1.3 */ - /* wolfSSL_CTX_NoTicketTLSv12(); */ - /* wolfSSL_NoTicketTLSv12(); */ + WOLFSSL_MSG("Create and initialize WOLFSSL_CTX"); +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_LOW_MEMORY) + ESP_LOGW(TAG, "Warning: TLS 1.3 enabled on low-memory device."); +#endif +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_NO_TLS12) + ESP_LOGW(TAG, "Creating TLS 1.3 (only) client context..."); + ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()); +#elif defined(WOLFSSL_TLS13) + ESP_LOGI(TAG, "Creating TLS (1.2 or 1.3) client context..."); + ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); +#else + ESP_LOGW(TAG, "Creating TLS 1.2 (only) client context..."); + ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()); +#endif /* TLS 1.2 or TLS 1.3 */ if (ctx == NULL) { - ESP_LOGE(TAG, "ERROR: failed to create WOLFSSL_CTX\n"); + halt_for_reboot("ERROR: failed to create wolfSSL ctx"); } + +#if defined(USE_CERT_BUFFERS_1024) + /* The x1024 test certs are in current user_settings.h, but not default. + * Smaller certs are typically used with smaller RAM devices.(ESP8266) + * Example client will need explicit params: + * ./examples/client/client -h 192.168.1.48 -p 11111 -v 3 \ + * -A ./certs/1024/ca-cert.pem \ + * -c ./certs/1024/client-cert.pem \ + * -k ./certs/1024/client-key.pem -d + */ + ESP_LOGW(TAG, "Example certificates USE_CERT_BUFFERS_1024 (not default)"); +#endif +#if defined(USE_CERT_BUFFERS_2048) + /* Anything other than this x2048 default is a warning or error. 
+ * + * Example TLS 1.2 client with default build does not need explicit cert: + * ./examples/client/client -h 192.168.1.47 -p 11111 -v 3 + * + * Example TLS 1.3 client: + * ./examples/client/client -h 192.168.1.47 -p 11111 -v 4 + */ + ESP_LOGI(TAG, "Example certificates USE_CERT_BUFFERS_2048"); +#endif +#if defined(USE_CERT_BUFFERS_3072) + /* The x3072 test certs are not in current user_settings.h */ + ESP_LOGE(TAG, "Example certificates USE_CERT_BUFFERS_3072 (not default)"); +#endif +#if defined(USE_CERT_BUFFERS_4096) + /* The x4096 test certs are not in current user_settings.h */ + ESP_LOGE(TAG, "Example certificates USE_CERT_BUFFERS_4096 (not default)"); +#endif + +#if (0) + /* Optionally disable CRL checks */ + wolfSSL_CTX_DisableCRL(ctx); +#endif + #if defined(WOLFSSL_ESP32_CIPHER_SUITE) ESP_LOGI(TAG, "Start SM2\n"); @@ -280,6 +391,7 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args) #endif */ + /* Optional set explicit ciphers ret = wolfSSL_CTX_set_cipher_list(ctx, WOLFSSL_ESP32_CIPHER_SUITE); if (ret == WOLFSSL_SUCCESS) { ESP_LOGI(TAG, "Set cipher list: %s\n", WOLFSSL_ESP32_CIPHER_SUITE); @@ -288,6 +400,7 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args) ESP_LOGE(TAG, "ERROR: failed to set cipher list: %s\n", WOLFSSL_ESP32_CIPHER_SUITE); } + */ #endif #ifdef DEBUG_WOLFSSL 
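Review bot: The `#if (0)` around wolfSSL_CTX_DisableCRL(ctx) is dead code that no build can reach; if disabling CRL checks is meant to be a supported knob it should hang off a named macro (e.g. `#if defined(EXAMPLE_DISABLE_CRL) /* placeholder name */`) with a comment on the security consequence, otherwise the three lines should be dropped. The USE_CERT_BUFFERS_3072 and USE_CERT_BUFFERS_4096 branches report "not default" at ESP_LOGE level but then continue as if nothing were wrong; if those sets really are absent from user_settings.h an `#error` would fail earlier and more clearly than a runtime log. tls_smp_client_task continues outside the hunk.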
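Review bot: The WOLFSSL_ESP32_CIPHER_SUITE block is wrapped in a `/* Optional set explicit ciphers ... */` comment instead of being removed, and the next hunk re-adds the same wolfSSL_CTX_set_cipher_list() code after the stack-watermark log; the commented copy is now dead text with a second place to forget when the real block changes, so it should simply be deleted. If the enclosing `#if defined(WOLFSSL_ESP32_CIPHER_SUITE)` starts outside these hunks (it is not visible here), check that commenting out the body does not leave an empty preprocessor block behind.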
@@ -297,6 +410,25 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args) - uxTaskGetStackHighWaterMark(NULL)); #endif +/* +TLS13-AES128-GCM-SHA256 +TLS13-AES256-GCM-SHA384 +TLS13-AES128-CCM-SHA256 +TLS13-AES128-CCM-8-SHA256 +TLS13-AES128-CCM8-SHA256 +*/ + +#if defined(WOLFSSL_ESP32_CIPHER_SUITE) + ret = wolfSSL_CTX_set_cipher_list(ctx, WOLFSSL_ESP32_CIPHER_SUITE); + if (ret == WOLFSSL_SUCCESS) { + ESP_LOGI(TAG, "Set cipher list: %s\n", WOLFSSL_ESP32_CIPHER_SUITE); + } + else { + ESP_LOGE(TAG, "ERROR: failed to set cipher list: %s\n", + WOLFSSL_ESP32_CIPHER_SUITE); + } +#endif /* WOLFSSL_ESP32_CIPHER_SUITE */ + /* see user_settings PROJECT_DH for HAVE_DH and HAVE_FFDHE_2048 */ #ifndef NO_DH ret_i = wolfSSL_CTX_SetMinDhKey_Sz(ctx, (word16)minDhKeyBits); 
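Review bot: The re-added cipher-list block assigns and tests `ret`, but in this file's first hunk `int ret = ESP_OK;` is declared only under `#if defined(SINGLE_THREADED)`, so a multi-threaded build with WOLFSSL_ESP32_CIPHER_SUITE defined would not compile unless `ret` is declared somewhere outside the visible hunks (the same use existed in the old copy, so this may be pre-existing). The neighbouring DH call already uses `ret_i` for the same purpose; `ret_i = wolfSSL_CTX_set_cipher_list(ctx, WOLFSSL_ESP32_CIPHER_SUITE);` and `if (ret_i == WOLFSSL_SUCCESS) {` remove the dependency. The bare list of TLS13 suite names in the block comment above has no sentence saying what it is for; a one-line note such as `/* Examples of values accepted for WOLFSSL_ESP32_CIPHER_SUITE: */` would make it self-explanatory.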
@@ -305,52 +437,80 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args) } #endif - /* no peer check */ - if (doPeerCheck == 0) { - ESP_LOGW(TAG, "doPeerCheck == 0; WOLFSSL_VERIFY_NONE"); - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, 0); + /* Identify certificates used, typically in wolfssl/certs_test[_sm].h */ +#ifdef CTX_CERT_SET_NAME + ESP_LOGI(TAG, "Certificates in use: %s", CTX_CERT_SET_NAME); +#else + ESP_LOGW(TAG, "Unknown Certificates in use!"); +#endif +/* Some older versions don't have cert name strings, so set to blanks: */ +#ifndef CTX_CA_CERT_NAME + #define CTX_CA_CERT_NAME "" +#endif +#ifndef CTX_CLIENT_CERT_NAME + #define CTX_CLIENT_CERT_NAME "" +#endif +#ifndef CTX_CLIENT_KEY_NAME + #define CTX_CLIENT_KEY_NAME "" +#endif + + /* Load client certificates into WOLFSSL_CTX */ + ESP_LOGI(TAG, "Loading CA cert %s", CTX_CA_CERT_NAME); + ret_i = wolfSSL_CTX_load_verify_buffer(ctx, + CTX_CA_CERT, + CTX_CA_CERT_SIZE, + CTX_CA_CERT_TYPE); + if (ret_i != WOLFSSL_SUCCESS) { + ESP_LOGE(TAG, "ERROR: failed to load CA cert %d, " + "please check the file.\n", ret_i) ; + wolfSSL_CTX_free(ctx); + ctx = NULL; + halt_for_reboot("ERROR: failed wolfSSL_CTX_load_verify_buffer"); } - else { - ESP_LOGI(TAG, "doPeerCheck != 0"); - WOLFSSL_MSG("Loading... our cert"); - /* load our certificate */ - ret_i = wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, - CTX_CLIENT_CERT, - CTX_CLIENT_CERT_SIZE, - CTX_CLIENT_CERT_TYPE); - if (ret_i != WOLFSSL_SUCCESS) { - ESP_LOGE(TAG, "ERROR: failed to load our cert chain %d, " - "please check the file.", ret_i); - } - /* Load client certificates into WOLFSSL_CTX */ - WOLFSSL_MSG("Loading... 
CA cert"); - ret_i = wolfSSL_CTX_load_verify_buffer(ctx, - CTX_CA_CERT, - CTX_CA_CERT_SIZE, - CTX_CA_CERT_TYPE); - if (ret_i != WOLFSSL_SUCCESS) { - ESP_LOGE(TAG, "ERROR: failed to load CA cert %d, " - "please check the file.\n", ret_i) ; - } +#if defined(MY_PEER_VERIFY) && MY_PEER_VERIFY + ESP_LOGI(TAG, "Set verify: verify peer, fail if no peer..."); + wolfSSL_CTX_set_verify(ctx, + (WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT | + WOLFSSL_VERIFY_PEER), + NULL); +#else + ESP_LOGI(TAG, "CTX SSL_VERIFY_NONE"); + wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); +#endif - WOLFSSL_MSG("Loading... our key"); - ret_i = wolfSSL_CTX_use_PrivateKey_buffer(ctx, - CTX_CLIENT_KEY, - CTX_CLIENT_KEY_SIZE, - CTX_CLIENT_KEY_TYPE); - if (ret_i != WOLFSSL_SUCCESS) { - ESP_LOGE(TAG, "ERROR: failed to load key %d, " - "please check the file.\n", ret_i) ; - } + WOLFSSL_MSG("Loading... our cert"); + /* load our certificate */ + ESP_LOGI(TAG, "Load our client cert %s", CTX_CLIENT_CERT_NAME); + ret_i = wolfSSL_CTX_use_certificate_buffer(ctx, + CTX_CLIENT_CERT, + CTX_CLIENT_CERT_SIZE, + CTX_CLIENT_CERT_TYPE); + if (ret_i != WOLFSSL_SUCCESS) { + ESP_LOGE(TAG, "ERROR: failed to load our cert chain %d, " + "please check the file.", ret_i); + wolfSSL_CTX_free(ctx); + ctx = NULL; + halt_for_reboot("ERROR: failed wolfSSL_CTX_use_certificate_buffer"); + } - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, 0); + + ESP_LOGI(TAG, "Load Client Key %s", CTX_CLIENT_KEY_NAME); + ret_i = wolfSSL_CTX_use_PrivateKey_buffer(ctx, + CTX_CLIENT_KEY, + CTX_CLIENT_KEY_SIZE, + CTX_CLIENT_KEY_TYPE); + if (ret_i != WOLFSSL_SUCCESS) { + ESP_LOGE(TAG, "ERROR: failed to load key %d, " + "please check the file.\n", ret_i) ; + wolfSSL_CTX_free(ctx); + ctx = NULL; + halt_for_reboot("ERROR: failed wolfSSL_CTX_use_PrivateKey_buffer"); } - /* Initialize the server address struct with zeros */ - memset(&servAddr, 0, sizeof(servAddr)); - /* Fill in the server address */ + /* Setup server port and address */ + memset(&servAddr, 0, 
sizeof(servAddr)); servAddr.sin_family = AF_INET; /* using IPv4 */ servAddr.sin_port = htons(TLS_SMP_DEFAULT_PORT); /* on DEFAULT_PORT */ @@ -381,7 +541,7 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args) } #if defined(WOLFSSL_EXPERIMENTAL_SETTINGS) - ESP_LOGW(TAG, "WOLFSSL_EXPERIMENTAL_SETTINGS is enabled"); + ESP_LOGW(TAG, "WOLFSSL_EXPERIMENTAL_SETTINGS is enabled"); #endif WOLFSSL_MSG("Create a WOLFSSL object"); @@ -503,10 +663,7 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args) ShowCiphers(ssl); #endif ESP_LOGI(TAG, "Connect success! Sending message..."); - /* Get a message for the server from stdin */ - WOLFSSL_MSG("Message for server: "); memset(buff, 0, sizeof(buff)); - if (sendGet) { len = XSTRLEN(sndMsg); strncpy(buff, sndMsg, len); @@ -602,6 +759,8 @@ WOLFSSL_ESP_TASK tls_smp_client_init(void* args) #else xTaskHandle _handle; #endif + ESP_LOGI(TAG, "Creating task: tls_smp_client_init. Stack size = %d", + TLS_SMP_CLIENT_TASK_BYTES); /* See Espressif api-reference/system/freertos_idf.html#functions */ if (TLS_SMP_CLIENT_TASK_BYTES < (6 * 1024)) { /* Observed approximately 6KB limit for the RTOS task stack size. diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/client-tls.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/client-tls.h index b39e887825..a9da4cc20b 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/client-tls.h +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/client-tls.h 
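Review bot: The default verification mode is now SSL_VERIFY_NONE: unless MY_PEER_VERIFY is defined and non-zero the `#else` branch disables server-certificate checking, whereas the removed code always ended with `wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, 0);`, so a build without that macro silently accepts any server even though a CA certificate was just loaded with halt-on-failure. Verifying should be the default and opting out explicit, e.g. `#if defined(MY_PEER_VERIFY) && !MY_PEER_VERIFY` guarding the no-verify branch, with that branch logged via ESP_LOGW rather than ESP_LOGI. The two branches also mix `SSL_VERIFY_NONE` with the `WOLFSSL_VERIFY_*` names; the wolfSSL-prefixed constant keeps the file consistent. tls_smp_client_task continues outside the hunk.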
@@ -21,24 +21,6 @@ #ifndef _CLIENT_TLS_H_ #define _CLIENT_TLS_H_ -/* This example uses wolfssl test certificates */ -#if 1 - /* See wolfssl/certs_test.h */ - #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ - defined(CONFIG_IDF_TARGET_ESP8684) || \ - defined(CONFIG_IDF_TARGET_ESP8266) - /* Use smaller certs for low-memory devices */ - #define USE_CERT_BUFFERS_1024 - #else - #define USE_CERT_BUFFERS_2048 - #endif - - /* always include smallest testing 32 byte RSA/ECC keys */ - #define USE_CERT_BUFFERS_256 -#else - /* define your own certificate macros; see user_settings.h */ -#endif - #include #include diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/time_helper.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/time_helper.h deleted file mode 100644 index 789656bee4..0000000000 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/time_helper.h +++ /dev/null 
@@ -1,55 +0,0 @@ -/* time_helper.h - * - * Copyright (C) 2006-2025 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -/* common Espressif time_helper v5.6.3.001 */ - -#ifndef _TIME_HELPER_H_ -#define _TIME_HELPER_H_ - -/* ESP-IDF uses a 64-bit signed integer to represent time_t starting from - * release v5.0 See Espressif api-reference/system/system_time - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/* a function to show the current data and time */ -int esp_show_current_datetime(void); - -/* worst case, if GitHub time not available, used fixed time */ -int set_fixed_default_time(void); - -/* set time from string (e.g. GitHub commit time) */ -int set_time_from_string(const char* time_buffer); - -/* set time from NTP servers, - * also initially calls set_fixed_default_time or set_time_from_string */ -int set_time(void); - -/* wait NTP_RETRY_COUNT seconds before giving up on NTP time */ -int set_time_wait_for_ntp(void); - -#ifdef __cplusplus -} /* extern "C" */ -#endif - -#endif /* #ifndef _TIME_HELPER_H_ */ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/wifi_connect.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/wifi_connect.h deleted file mode 100644 index 6ea003f061..0000000000 
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/wifi_connect.h
+++ /dev/null
@@ -1,139 +0,0 @@ -/* wifi_connect.h - * - * Copyright (C) 2006-2025 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ -#ifndef _WIFI_CONNECT_H_ -#define _WIFI_CONNECT_H_ - -/* ESP lwip */ -#define EXAMPLE_ESP_MAXIMUM_RETRY CONFIG_ESP_MAXIMUM_RETRY - -#define TLS_SMP_WIFI_SSID CONFIG_WIFI_SSID -#define TLS_SMP_WIFI_PASS CONFIG_WIFI_PASSWORD - -#define USE_WIFI_EXAMPLE -#ifdef USE_WIFI_EXAMPLE - #include "esp_netif.h" - #include "protocol_examples_common.h" /* see project CMakeLists.txt */ -#endif - -/** - ****************************************************************************** - ****************************************************************************** - ** USER APPLICATION SETTINGS BEGIN - ****************************************************************************** - ****************************************************************************** - **/ - -/* when using a private config with plain text passwords, - * file my_private_config.h should be excluded from git updates */ -/* #define USE_MY_PRIVATE_CONFIG */ - -/* Note that IntelliSense may not work properly in the next section for the - * Espressif SDK 3.4 on the ESP8266. Macros should still be defined. - * See the project-level Makefile. 
Example found in: - * https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/template - * - * The USE_MY_PRIVATE_[OS]_CONFIG is typically an environment variable that - * triggers the make (not cmake) to add compiler defines. - */ -#if defined(USE_MY_PRIVATE_WINDOWS_CONFIG) - #include "/workspace/my_private_config.h" -#elif defined(USE_MY_PRIVATE_WSL_CONFIG) - #include "/mnt/c/workspace/my_private_config.h" -#elif defined(USE_MY_PRIVATE_LINUX_CONFIG) - #include "~/workspace/my_private_config.h" -#elif defined(USE_MY_PRIVATE_MAC_CONFIG) - #include "~/Documents/my_private_config.h" -#elif defined(USE_MY_PRIVATE_CONFIG) - /* This section works best with cmake & non-environment variable setting */ - #if defined(WOLFSSL_CMAKE_SYSTEM_NAME_WINDOWS) - #define WOLFSSL_CMAKE - #include "/workspace/my_private_config.h" - #elif defined(WOLFSSL_MAKE_SYSTEM_NAME_WINDOWS) - #define WOLFSSL_MAKE - #include "/workspace/my_private_config.h" - #elif defined(WOLFSSL_CMAKE_SYSTEM_NAME_WSL) - #define WOLFSSL_CMAKE - #include "/mnt/c/workspace/my_private_config.h" - #elif defined(WOLFSSL_MAKE_SYSTEM_NAME_WSL) - #define WOLFSSL_MAKE - #include "/mnt/c/workspace/my_private_config.h" - #elif defined(WOLFSSL_CMAKE_SYSTEM_NAME_LINUX) - #define WOLFSSL_CMAKE - #include "~/workspace/my_private_config.h" - #elif defined(WOLFSSL_MAKE_SYSTEM_NAME_LINUX) - #define WOLFSSL_MAKE - #include "~/workspace/my_private_config.h" - #elif defined(WOLFSSL_CMAKE_SYSTEM_NAME_APPLE) - #include "~/Documents/my_private_config.h" - #elif defined(WOLFSSL_MAKE_SYSTEM_NAME_APPLE) - #define WOLFSSL_MAKE - #include "~/Documents/my_private_config.h" - #elif defined(OS_WINDOWS) - #include "/workspace/my_private_config.h" - #else - /* Edit as needed for your private config: */ - #warning "default private config using /workspace/my_private_config.h" - #include "/workspace/my_private_config.h" - #endif -#else - - /* - ** The examples use WiFi configuration that you can set via project - ** 
configuration menu - ** - ** If you'd rather not, just change the below entries to strings with - ** the config you want - ie #define EXAMPLE_WIFI_SSID "mywifissid" - */ - #if defined(CONFIG_ESP_WIFI_SSID) - /* tyically from ESP32 with ESP-IDF v4 to v5 */ - #define EXAMPLE_ESP_WIFI_SSID CONFIG_ESP_WIFI_SSID - #elif defined(CONFIG_EXAMPLE_WIFI_SSID) - /* typically from ESP8266 rtos-sdk/v3.4 */ - #define EXAMPLE_ESP_WIFI_SSID CONFIG_EXAMPLE_WIFI_SSID - #else - /* See new esp-sdk-lib.h helpers: */ - #ifndef EXAMPLE_ESP_WIFI_SSID - #define EXAMPLE_ESP_WIFI_SSID "MYSSID_WIFI_CONNECT" - #endif - #endif - - #if defined(CONFIG_ESP_WIFI_PASSWORD) - /* tyically from ESP32 with ESP-IDF v4 or v5 */ - #define EXAMPLE_ESP_WIFI_PASS CONFIG_ESP_WIFI_PASSWORD - #elif defined(CONFIG_EXAMPLE_WIFI_SSID) - /* typically from ESP8266 rtos-sdk/v3.4 */ - #define EXAMPLE_ESP_WIFI_PASS CONFIG_EXAMPLE_WIFI_PASSWORD - #else - /* See new esp-sdk-lib.h helpers: */ - #ifndef EXAMPLE_ESP_WIFI_PASS - #define EXAMPLE_ESP_WIFI_PASS "MYPASSWORD_WIFI_CONNECT" - #endif - #endif -#endif - -/* ESP lwip */ -#define EXAMPLE_ESP_MAXIMUM_RETRY CONFIG_ESP_MAXIMUM_RETRY - -int wifi_init_sta(void); - -int wifi_show_ip(void); - -#endif /* _WIFI_CONNECT_H_ */ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/main.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/main.c index 0cdccbd860..416bca7b4f 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/main.c +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/main.c 
@@ -18,26 +18,38 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ + +/* + * Attention maintainers: + * + * This code is mostly mirrored between client and server examples. + * + * Please apply any updates to both. + */ #include "sdkconfig.h" #include "main.h" /* ESP specific */ -#include #include #include +#include /* wolfSSL */ -/* Always include wolfcrypt/settings.h before any other wolfSSL file. */ -/* Reminder: settings.h pulls in user_settings.h; don't include it here. */ -#ifdef WOLFSSL_USER_SETTINGS +/* The wolfSSL user_settings.h is automatically included by settings.h file. + * Never explicitly include wolfSSL user_settings.h in any source file. + * The settings.h should also be listed above wolfssl library include files. */ +#if defined(WOLFSSL_USER_SETTINGS) #include #ifndef WOLFSSL_ESPIDF #warning "Problem with wolfSSL user_settings." #warning "Check components/wolfssl/include" #endif - /* This project not yet using the library */ - #undef USE_WOLFSSL_ESP_SDK_WIFI #include + #include + #if defined(CONFIG_WOLFSSL_CERTIFICATE_BUNDLE) && \ + CONFIG_WOLFSSL_CERTIFICATE_BUNDLE + #include + #endif #else /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include */ /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */ 
@@ -45,16 +57,35 @@ CFLAGS +=-DWOLFSSL_USER_SETTINGS" #endif -/* this project */ +/* Hardware; include after other libraries, + * particularly after freeRTOS from settings.h */ +#include + +#define THIS_MONITOR_UART_RX_BUFFER_SIZE 200 + +#ifdef CONFIG_ESP8266_XTAL_FREQ_26 + /* 26MHz crystal: 74880 bps */ + #define THIS_MONITOR_UART_BAUD_DATE 74880 +#else + /* 40MHz crystal: 115200 bps */ + #define THIS_MONITOR_UART_BAUD_DATE 115200 +#endif + +/* This project */ +#include "main.h" + #include "client-tls.h" -#include "time_helper.h" #ifdef CONFIG_IDF_TARGET_ESP32H2 - /* There's no WiFi on ESP32-H2. + /* There's no WiFi on ESP32-H2, no esp_eth.h in protocol_examples_common.h * For wired ethernet, see: * https://github.com/wolfSSL/wolfssl-examples/tree/master/ESP32/TLS13-ENC28J60-client */ #else - #include "wifi_connect.h" + /* See CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT that defines + * USE_WOLFSSL_ESP_SDK_WIFI */ + #include "protocol_examples_common.h" /* example connect */ + #include + /* * Note ModBus TCP cannot be disabled on ESP8266 tos-sdk/v3.4 * See https://github.com/espressif/esp-modbus/issues/2 
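Review bot: `#include "main.h"` is added under the new "This project" banner although the file already includes `main.h` right after `sdkconfig.h` in the previous hunk; one of the two should go (an include guard makes the duplicate harmless, but it is still noise). The new macro name `THIS_MONITOR_UART_BAUD_DATE` reads as a typo for the value it holds; `THIS_MONITOR_UART_BAUD_RATE` would match the `.baud_rate` field it is assigned to in the app_main hunk, which is the only other place it is used in this diff.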
@@ -133,22 +164,51 @@ void my_atmel_free(int slotId) /* Entry for FreeRTOS */ void app_main(void) { + uart_config_t uart_config = { + .baud_rate = THIS_MONITOR_UART_BAUD_DATE, + .data_bits = UART_DATA_8_BITS, + .parity = UART_PARITY_DISABLE, + .stop_bits = UART_STOP_BITS_1, + }; + esp_err_t ret = 0; #if !defined(SINGLE_THREADED) && INCLUDE_uxTaskGetStackHighWaterMark int stack_start = 0; #endif #if !defined(SINGLE_THREADED) int this_heap = 0; #endif - esp_err_t ret = 0; +#ifdef DEBUG_WOLFSSL + /* Turn debugging on or off: */ + /* wolfSSL_Debugging_ON(); */ + /* wolfSSL_Debugging_OFF(); */ +#endif +#if !defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT) + ESP_LOGW(TAG, "Warning: Example wolfSSL misconfigured? Check menuconfig."); +#endif + /* uart_set_pin(UART_NUM_0, TX_PIN, RX_PIN, + * UART_PIN_NO_CHANGE, UART_PIN_NO_CHANGE); */ + + /* Some targets may need to have UART speed set, such as ESP8266 */ + ESP_LOGI(TAG, "UART init"); + uart_param_config(UART_NUM_0, &uart_config); + uart_driver_install(UART_NUM_0, + THIS_MONITOR_UART_RX_BUFFER_SIZE, 0, 0, NULL, 0); ESP_LOGI(TAG, "---------------- wolfSSL TLS Client Example ------------"); ESP_LOGI(TAG, "--------------------------------------------------------"); ESP_LOGI(TAG, "--------------------------------------------------------"); ESP_LOGI(TAG, "---------------------- BEGIN MAIN ----------------------"); ESP_LOGI(TAG, "--------------------------------------------------------"); ESP_LOGI(TAG, "--------------------------------------------------------"); -#if !defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT) - ESP_LOGW(TAG, "Warning: Example wolfSSL misconfigured? 
Check menuconfig."); +#ifdef WOLFSSL_ESP_NO_WATCHDOG + ESP_LOGW(TAG, "Found WOLFSSL_ESP_NO_WATCHDOG, disabling..."); + esp_DisableWatchdog(); #endif +#if defined(HAVE_VERSION_EXTENDED_INFO) + esp_ShowExtendedSystemInfo(); +#else + ESP_LOGW(TAG, "HAVE_VERSION_EXTENDED_INFO not defined"); +#endif + #if defined(ESP_SDK_MEM_LIB_VERSION) && defined(DEBUG_WOLFSSL) sdk_init_meminfo(); #endif @@ -186,29 +246,33 @@ void app_main(void) #endif /* INCLUDE_uxTaskGetStackHighWaterMark */ #endif /* SINGLE_THREADED */ -#ifdef HAVE_VERSION_EXTENDED_INFO - esp_ShowExtendedSystemInfo(); -#endif -#ifdef DEBUG_WOLFSSL - wolfSSL_Debugging_OFF(); -#endif #ifdef CONFIG_IDF_TARGET_ESP32H2 ESP_LOGE(TAG, "No WiFi on the ESP32-H2 and ethernet not yet supported"); while (1) { vTaskDelay(60000); } #endif - /* Set time for cert validation. - * Some lwIP APIs, including SNTP functions, are not thread safe. */ - ret = set_time(); /* need to setup NTP before WiFi */ + + ESP_LOGI(TAG, "nvs flash init.."); + ret = nvs_flash_init(); /* Optionally erase flash */ - /* ESP_ERROR_CHECK(nvs_flash_erase()); */ +#if defined(ESP_ERR_NVS_NO_FREE_PAGES) && defined(ESP_ERR_NVS_NEW_VERSION_FOUND) + if (ret == ESP_ERR_NVS_NO_FREE_PAGES || ret == ESP_ERR_NVS_NEW_VERSION_FOUND) { + ESP_LOGI(TAG, "nvs flash erase.."); + ESP_ERROR_CHECK(nvs_flash_erase()); + ESP_LOGI(TAG, "nvs flash erase.."); + ret = nvs_flash_init(); + } + else { + ESP_LOGW(TAG, "nvs flash NOT erased"); + } +#else + #warning "nvs flash not initialized" +#endif #ifdef FOUND_PROTOCOL_EXAMPLES_DIR ESP_LOGI(TAG, "FOUND_PROTOCOL_EXAMPLES_DIR active, using example code."); - ESP_ERROR_CHECK(nvs_flash_init()); - #if defined(CONFIG_IDF_TARGET_ESP32H2) ESP_LOGE(TAG, "There's no WiFi on ESP32-H2."); #else 
@@ -222,9 +286,46 @@ void app_main(void) #define CONFIG_EXAMPLE_WIFI_SSID "myssid" ESP_LOGW(TAG, "WARNING: CONFIG_EXAMPLE_WIFI_SSID not defined."); #endif - ESP_ERROR_CHECK(esp_netif_init()); - ESP_ERROR_CHECK(esp_event_loop_create_default()); - ESP_ERROR_CHECK(example_connect()); + #ifdef DEBUG_WOLFSSL + /* Anytime we are debugging, can also debug WiFi: */ + /* esp_log_level_set("wifi", ESP_LOG_VERBOSE); */ + /* esp_log_level_set("wpa", ESP_LOG_VERBOSE); */ + #endif + #if defined(USE_WOLFSSL_ESP_SDK_WIFI) + #if defined(ESP_SDK_WIFI_LIB_VERSION) && \ + (ESP_SDK_WIFI_LIB_VERSION > 1) + esp_sdk_wifi_lib_init(); + ret = esp_sdk_wifi_init_sta(); + #else + ESP_LOGE(TAG, "A newer version of wolfSSL is needed"); + ret = ESP_FAIL; + #endif + + if (ret == ESP_OK) { + ESP_LOGI(TAG, "WiFi connect success!"); + } + else { + ESP_LOGI(TAG, "ERROR: WiFi connect failed!"); + while (1) { + vTaskDelay(10000 / portTICK_PERIOD_MS); + } + } + esp_sdk_wifi_show_ip(); + #else + ESP_LOGI(TAG, "esp netif init..."); + ESP_ERROR_CHECK(esp_netif_init()); + ESP_LOGI(TAG, "esp event loop create default..."); + ESP_ERROR_CHECK(esp_event_loop_create_default()); + #if defined(CONFIG_IDF_TARGET_ESP32H2) + ESP_LOGI(TAG, "There's no WiFi on the ESP32-H2"); + while (1) { + vTaskDelay(pdMS_TO_TICKS(1000)); + } + #else + ESP_LOGI(TAG, "example connect..."); + ESP_ERROR_CHECK(example_connect()); + #endif + #endif #endif #else ESP_ERROR_CHECK(nvs_flash_init()); 
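Review bot: A failed WiFi connection is logged at ESP_LOGI level before the task spins forever; it should be `ESP_LOGE(TAG, "ERROR: WiFi connect failed!");` so the condition is visible at the default log level and in log filters. esp_sdk_wifi_lib_init() on the line above is called without looking at any result; if it can report an error, it should feed the same `ret` check as esp_sdk_wifi_init_sta(). app_main continues outside the hunk.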
@@ -255,25 +356,34 @@ void app_main(void) #else /* Initialize WiFi */ ESP_LOGI(TAG, "ESP_WIFI_MODE_STA"); - ret = wifi_init_sta(); + ret = esp_sdk_wifi_init_sta(); while (ret != 0) { ESP_LOGI(TAG, "Waiting..."); vTaskDelay(60000 / portTICK_PERIOD_MS); ESP_LOGI(TAG, "Trying WiFi again..."); - ret = wifi_init_sta(); + ret = esp_sdk_wifi_init_sta(); } #endif /* else not CONFIG_IDF_TARGET_ESP32H2 */ #endif /* else FOUND_PROTOCOL_EXAMPLES_DIR not found */ + /* Set time for cert validation. + * Some lwIP APIs, including SNTP functions, are not thread safe. */ + ret = set_time(); /* need to setup NTP before WiFi */ + /* Once we are connected to the network, start & wait for NTP time */ ret = set_time_wait_for_ntp(); - if (ret < -1) { - /* a value of -1 means there was no NTP server, so no need to wait */ - ESP_LOGI(TAG, "Waiting 10 more seconds for NTP to complete." ); - vTaskDelay(10000 / portTICK_PERIOD_MS); /* brute-force solution */ - esp_show_current_datetime(); - } + switch (ret) { + case ESP_OK: + break; + case ESP_ERR_TIMEOUT: + ESP_LOGI(TAG, "Waiting 10 more seconds for NTP to complete." ); + vTaskDelay(10000 / portTICK_PERIOD_MS); /* brute-force solution */ + esp_show_current_datetime(); + break; + default: + ESP_LOGE(TAG, "set_time_wait_for_ntp error %d", ret); + } /* switch ret values */ #if defined(SINGLE_THREADED) /* just call the task */ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/time_helper.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/time_helper.c deleted file mode 100644 index 5b5d76252e..0000000000 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/time_helper.c +++ /dev/null 
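Review bot: `ret = set_time();` now runs after the WiFi/network block but keeps the comment `/* need to setup NTP before WiFi */`, and its return value is overwritten by the next statement without being examined; either drop the stale comment or restore the ordering it describes, and at least log a non-zero result. The switch assumes set_time_wait_for_ntp() returns ESP_OK or ESP_ERR_TIMEOUT, whereas the removed check tested `ret < -1`; the time_helper.c that implemented the old contract is deleted in this commit and its replacement is not visible here, so please confirm the new implementation really returns esp_err_t codes. The `default:` case has no `break;`, which is legal as the last label but worth adding for consistency with the other cases. app_main continues outside the hunk.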
@@ -1,400 +0,0 @@ -/* time_helper.c - * - * Copyright (C) 2006-2025 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -/* common Espressif time_helper */ -#include "time_helper.h" - - -#include "sdkconfig.h" -/* wolfSSL */ -/* Always include wolfcrypt/settings.h before any other wolfSSL file. */ -/* Reminder: settings.h pulls in user_settings.h; don't include it here. */ -#ifdef WOLFSSL_USER_SETTINGS - #include - #ifndef WOLFSSL_ESPIDF - #warning "Problem with wolfSSL user_settings." 
- #warning "Check components/wolfssl/include" - #endif - /* This project not yet using the library */ - #undef USE_WOLFSSL_ESP_SDK_WIFI - #include -#else - /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include */ - /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */ - #error "Missing WOLFSSL_USER_SETTINGS in CMakeLists or Makefile:\ - CFLAGS +=-DWOLFSSL_USER_SETTINGS" -#endif - -#include -#include - -#if defined(ESP_IDF_VERSION_MAJOR) && defined(ESP_IDF_VERSION_MINOR) - #if (ESP_IDF_VERSION_MAJOR == 5) && (ESP_IDF_VERSION_MINOR >= 1) - #define HAS_ESP_NETIF_SNTP 1 - #include - #include - #else - #include - #include - #endif -#else - /* TODO Consider non ESP-IDF environments */ -#endif - -/* ESP-IDF uses a 64-bit signed integer to represent time_t starting from - * release v5.0. See: Espressif api-reference/system/system_time - */ - -/* see https://www.gnu.org/software/libc/manual/html_node/TZ-Variable.html */ -#ifndef TIME_ZONE - /* - * PST represents Pacific Standard Time. - * +8 specifies the offset from UTC (Coordinated Universal Time), indicating - * that Pacific Time is UTC-8 during standard time. - * PDT represents Pacific Daylight Time. - * M3.2.0 indicates that Daylight Saving Time (DST) starts on the - * second (2) Sunday (0) of March (3). - * M11.1.0 indicates that DST ends on the first (1) Sunday (0) of November (11) - */ - #define TIME_ZONE "PST+8PDT,M3.2.0,M11.1.0" -#endif /* not defined: TIME_ZONE, so we are setting our own */ - -#define NTP_RETRY_COUNT 10 - -/* NELEMS(x) number of elements - * To determine the number of elements in the array, we can divide the total - * size of the array by the size of the array element. 
- * See https://stackoverflow.com/questions/37538/how-do-i-determine-the-size-of-my-array-in-c - **/ -#define NELEMS(x) ( (int)(sizeof(x) / sizeof((x)[0])) ) - -/* See also CONFIG_LWIP_SNTP_MAX_SERVERS in sdkconfig */ -#define NTP_SERVER_LIST ( (char*[]) { \ - "pool.ntp.org", \ - "time.nist.gov", \ - "utcnist.colorado.edu" \ - } \ - ) -/* #define NTP_SERVER_COUNT using NELEMS: - * - * (int)(sizeof(NTP_SERVER_LIST) / sizeof(NTP_SERVER_LIST[0])) - */ -#define NTP_SERVER_COUNT NELEMS(NTP_SERVER_LIST) - -#ifndef CONFIG_LWIP_SNTP_MAX_SERVERS - /* We should find max value in sdkconfig, if not set it to our count:*/ - #define CONFIG_LWIP_SNTP_MAX_SERVERS NTP_SERVER_COUNT -#endif - -char* ntpServerList[NTP_SERVER_COUNT] = NTP_SERVER_LIST; - -const static char* TAG = "time_helper"; - -/* our NTP server list is global info */ -extern char* ntpServerList[NTP_SERVER_COUNT]; - -/* Show the current date and time */ -int esp_show_current_datetime(void) -{ - time_t now; - char strftime_buf[64]; - struct tm timeinfo; - - time(&now); - setenv("TZ", TIME_ZONE, 1); - tzset(); - - localtime_r(&now, &timeinfo); - strftime(strftime_buf, sizeof(strftime_buf), "%c", &timeinfo); - ESP_LOGI(TAG, "The current date/time is: %s", strftime_buf); - return ESP_OK; -} - -/* the worst-case scenario is a hard-coded date/time */ -int set_fixed_default_time(void) -{ - /* ideally, we'd like to set time from network, - * but let's set a default time, just in case */ - struct tm timeinfo = { - .tm_year = 2024 - 1900, - .tm_mon = 3, - .tm_mday = 01, - .tm_hour = 13, - .tm_min = 01, - .tm_sec = 05 - }; - struct timeval now; - time_t interim_time; - int ret = -1; - - /* set interim static time */ - interim_time = mktime(&timeinfo); - - ESP_LOGI(TAG, "Adjusting time from fixed value"); - now = (struct timeval){ .tv_sec = interim_time }; - ret = settimeofday(&now, NULL); - ESP_LOGI(TAG, "settimeofday result = %d", ret); - return ret; -} - -/* probably_valid_time_string(s) - * - * some sanity checks on time 
string before calling sscanf() - * - * returns 0 == ESP_OK == Success if str is likely a valid time. - * -1 == ESP_FAIL otherwise - */ -int probably_valid_time_string(const char* str) -{ - int ret = ESP_OK; - size_t length = 0; - size_t spaces = 0; - size_t colons = 0; - - while (str[length] != '\0') { - if (str[length] == ' ') { - spaces++; - } - if (str[length] == ':') { - colons++; - } - length++; - } - - if ((length > 32) || (spaces < 4) || (spaces > 5) || (colons > 2)) { - ret = ESP_FAIL; - ESP_LOGE(TAG, "ERROR, failed time sanity check: %s", str); - } - return ret; -} - -/* set_time_from_string(s) - * - * returns 0 = success if able to set the time from the provided string - * error for any other value, typically -1 */ -int set_time_from_string(const char* time_buffer) -{ - /* expecting github default formatting: 'Thu Aug 31 12:41:45 2023 -0700' */ - char offset[28]; /* large arrays, just in case there's still bad data */ - char day_str[28]; - char month_str[28]; - const char *format = "%3s %3s %d %d:%d:%d %d %s"; - struct tm this_timeinfo; - struct timeval now; - time_t interim_time; - int day, year, hour, minute, second; - int quote_offset = 0; - int ret = 0; - - /* perform some basic sanity checks */ - ret = probably_valid_time_string(time_buffer); - if (ret == ESP_OK) { - /* we are expecting the string to be encapsulated in single quotes */ - if (*time_buffer == 0x27) { - quote_offset = 1; - } - - ret = sscanf(time_buffer + quote_offset, - format, - day_str, month_str, - &day, &hour, &minute, &second, &year, &offset); - - if (ret == 8) { - /* we found a match for all components */ - - const char *months[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun", - "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" - }; - - for (int i = 0; i < 12; i++) { - if (strcmp(month_str, months[i]) == 0) { - this_timeinfo.tm_mon = i; - break; - } - } - - this_timeinfo.tm_mday = day; - this_timeinfo.tm_hour = hour; - this_timeinfo.tm_min = minute; - this_timeinfo.tm_sec = second; - 
this_timeinfo.tm_year = year - 1900; /* Years since 1900 */ - - interim_time = mktime(&this_timeinfo); - now = (struct timeval){ .tv_sec = interim_time }; - ret = settimeofday(&now, NULL); - ESP_LOGI(TAG, "Time updated to %s", time_buffer); - } - else { - ESP_LOGE(TAG, "Failed to convert \"%s\" to a tm date.", - time_buffer); - ESP_LOGI(TAG, "Trying fixed date that was hard-coded...."); - set_fixed_default_time(); - ret = ESP_FAIL; - } - } - - return ret; -} - -/* set time; returns 0 if succecssfully configured with NTP */ -int set_time(void) -{ -#ifndef NTP_SERVER_COUNT - ESP_LOGW(TAG, "Warning: no sntp server names defined. " - "Setting to empty list"); - #define NTP_SERVER_COUNT 0 - #warning "NTP not properly configured" -#endif /* not defined: NTP_SERVER_COUNT */ - -#ifdef HAS_ESP_NETIF_SNTP - #if CONFIG_LWIP_SNTP_MAX_SERVERS > 1 - esp_sntp_config_t config = ESP_NETIF_SNTP_DEFAULT_CONFIG_MULTIPLE( - NTP_SERVER_COUNT, - ESP_SNTP_SERVER_LIST(ntpServerList[0]) - ); - #else - esp_sntp_config_t config = ESP_NETIF_SNTP_DEFAULT_CONFIG(ntpServerList[0]); - #endif /* CONFIG_LWIP_SNTP_MAX_SERVERS > 1 */ -#endif /* HAS_ESP_NETIF_SNTP */ - - int ret = 0; - int i = 0; /* counter for time servers */ - - ESP_LOGI(TAG, "Setting the time. 
Startup time:"); - esp_show_current_datetime(); - -#ifdef LIBWOLFSSL_VERSION_GIT_HASH_DATE - /* initially set a default approximate time from recent git commit */ - ESP_LOGI(TAG, "Found git hash date, attempting to set system date: %s", - LIBWOLFSSL_VERSION_GIT_HASH_DATE); - set_time_from_string(LIBWOLFSSL_VERSION_GIT_HASH_DATE"\0"); - esp_show_current_datetime(); - - ret = -4; -#else - /* otherwise set a fixed time that was hard coded */ - set_fixed_default_time(); - esp_show_current_datetime(); - ret = -3; -#endif - -#ifdef CONFIG_SNTP_TIME_SYNC_METHOD_SMOOTH - config.smooth_sync = true; -#endif - - if (NTP_SERVER_COUNT) { - /* next, let's setup NTP time servers - * - * see Espressif api-reference/system/system_time - * - * WARNING: do not set operating mode while SNTP client is running! - */ - /* TODO Consider esp_sntp_setoperatingmode(SNTP_OPMODE_POLL); */ - sntp_setoperatingmode(SNTP_OPMODE_POLL); - if (NTP_SERVER_COUNT > CONFIG_LWIP_SNTP_MAX_SERVERS) { - ESP_LOGW(TAG, "WARNING: %d NTP Servers defined, but " - "CONFIG_LWIP_SNTP_MAX_SERVERS = %d", - NTP_SERVER_COUNT,CONFIG_LWIP_SNTP_MAX_SERVERS); - } - ESP_LOGI(TAG, "sntp_setservername:"); - for (i = 0; i < CONFIG_LWIP_SNTP_MAX_SERVERS; i++) { - const char* thisServer = ntpServerList[i]; - if (strncmp(thisServer, "\x00", 1) == 0) { - /* just in case we run out of NTP servers */ - break; - } - ESP_LOGI(TAG, "%s", thisServer); - sntp_setservername(i, thisServer); - ret = ESP_OK; - } - #ifdef HAS_ESP_NETIF_SNTP - ret = esp_netif_sntp_init(&config); - #else - ESP_LOGW(TAG,"Warning: Consider upgrading ESP-IDF to take advantage " - "of updated SNTP libraries"); - #endif - if (ret == ESP_OK) { - ESP_LOGV(TAG, "Successfully called esp_netif_sntp_init"); - } - else { - ESP_LOGE(TAG, "ERROR: esp_netif_sntp_init return = %d", ret); - } - - sntp_init(); - switch (ret) { - case ESP_ERR_INVALID_STATE: - break; - default: - break; - } - ESP_LOGI(TAG, "sntp_init done."); - } - else { - ESP_LOGW(TAG, "No sntp time servers 
found."); - ret = -1; - } - - esp_show_current_datetime(); - ESP_LOGI(TAG, "time helper existing with result = %d", ret); - return ret; -} - -/* wait for NTP to actually set the time */ -int set_time_wait_for_ntp(void) -{ - int ret = 0; -#ifdef HAS_ESP_NETIF_SNTP - int ntp_retry = 0; - const int ntp_retry_count = NTP_RETRY_COUNT; - - ret = esp_netif_sntp_start(); - - ret = esp_netif_sntp_sync_wait(500 / portTICK_PERIOD_MS); -#else - ESP_LOGW(TAG, "HAS_ESP_NETIF_SNTP not defined"); -#endif /* HAS_ESP_NETIF_SNTP */ - esp_show_current_datetime(); - -#ifdef HAS_ESP_NETIF_SNTP - while (ret == ESP_ERR_TIMEOUT && (ntp_retry++ < ntp_retry_count)) { - ret = esp_netif_sntp_sync_wait(1000 / portTICK_PERIOD_MS); - ESP_LOGI(TAG, "Waiting for NTP to sync time... (%d/%d)", - ntp_retry, - ntp_retry_count); - esp_show_current_datetime(); - } -#endif /* HAS_ESP_NETIF_SNTP */ - -#ifdef TIME_ZONE - setenv("TZ", TIME_ZONE, 1); - tzset(); -#endif - - if (ret == ESP_OK) { - ESP_LOGI(TAG, "Successfully set time via NTP servers."); - } - else { - ESP_LOGW(TAG, "Warning: Failed to set time with NTP: " - "result = 0x%0x: %s", - ret, esp_err_to_name(ret)); - } - return ret; -} diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/wifi_connect.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/wifi_connect.c deleted file mode 100644 index 98cb919e94..0000000000 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/wifi_connect.c +++ /dev/null 
@@ -1,404 +0,0 @@ -/* wifi_connect.c - * - * Copyright (C) 2006-2025 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ -#include "wifi_connect.h" - -/* FreeRTOS */ -#include -#include -#include - -/* Espressif */ -#include -#include -#include - -/* wolfSSL */ -/* Always include wolfcrypt/settings.h before any other wolfSSL file. */ -/* Reminder: settings.h pulls in user_settings.h; don't include it here. */ -#ifdef WOLFSSL_USER_SETTINGS - #include - #ifndef WOLFSSL_ESPIDF - #warning "Problem with wolfSSL user_settings." 
- #warning "Check components/wolfssl/include" - #endif - /* This project not yet using the library */ - #undef USE_WOLFSSL_ESP_SDK_WIFI - #include -#else - /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include */ - /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */ - #error "Missing WOLFSSL_USER_SETTINGS in CMakeLists or Makefile:\ - CFLAGS +=-DWOLFSSL_USER_SETTINGS" -#endif - -/* When there's too little heap, WiFi quietly refuses to connect */ -#define WIFI_LOW_HEAP_WARNING 21132 - -#if defined(CONFIG_IDF_TARGET_ESP8266) -#elif ESP_IDF_VERSION_MAJOR >= 5 - /* example path set in cmake file */ -#elif ESP_IDF_VERSION_MAJOR >= 4 - #include "protocol_examples_common.h" -#else - const static int CONNECTED_BIT = BIT0; - static EventGroupHandle_t wifi_event_group; -#endif - -#if defined(CONFIG_IDF_TARGET_ESP8266) - -#elif defined(ESP_IDF_VERSION_MAJOR) && defined(ESP_IDF_VERSION_MINOR) - #if ESP_IDF_VERSION_MAJOR >= 4 - /* likely using examples, see wifi_connect.h */ - #else - /* TODO - still supporting pre V4 ? */ - const static int CONNECTED_BIT = BIT0; - static EventGroupHandle_t wifi_event_group; - #endif - #if (ESP_IDF_VERSION_MAJOR == 5) - #define HAS_WPA3_FEATURES - #else - #undef HAS_WPA3_FEATURES - #endif -#else - /* TODO Consider pre IDF v5? 
*/ -#endif - -/* breadcrumb prefix for logging */ -const static char *TAG = "wifi_connect"; - -#if defined(CONFIG_IDF_TARGET_ESP8266) -#ifndef CONFIG_ESP_MAX_STA_CONN - #define CONFIG_ESP_MAX_STA_CONN 4 -#endif -#define EXAMPLE_MAX_STA_CONN CONFIG_ESP_MAX_STA_CONN - -#define WIFI_CONNECTED_BIT BIT0 -#define WIFI_FAIL_BIT BIT1 -#ifndef CONFIG_ESP_MAXIMUM_RETRY - #define CONFIG_ESP_MAXIMUM_RETRY 5 -#endif -/* FreeRTOS event group to signal when we are connected*/ -static EventGroupHandle_t s_wifi_event_group; -static int s_retry_num = 0; - -#define EXAMPLE_ESP_MAXIMUM_RETRY CONFIG_ESP_MAXIMUM_RETRY -static void event_handler(void* arg, esp_event_base_t event_base, - int32_t event_id, void* event_data) -{ - if (event_base == WIFI_EVENT && event_id == WIFI_EVENT_STA_START) { - esp_wifi_connect(); - } else if (event_base == WIFI_EVENT && event_id == WIFI_EVENT_STA_DISCONNECTED) { - if (s_retry_num < EXAMPLE_ESP_MAXIMUM_RETRY) { - esp_wifi_connect(); - s_retry_num++; - ESP_LOGI(TAG, "retry to connect to the AP"); - } else { - xEventGroupSetBits(s_wifi_event_group, WIFI_FAIL_BIT); - } - ESP_LOGI(TAG,"connect to the AP fail"); - } else if (event_base == IP_EVENT && event_id == IP_EVENT_STA_GOT_IP) { - ip_event_got_ip_t* event = (ip_event_got_ip_t*) event_data; - ESP_LOGI(TAG, "got ip:%s", - ip4addr_ntoa(&event->ip_info.ip)); - s_retry_num = 0; - xEventGroupSetBits(s_wifi_event_group, WIFI_CONNECTED_BIT); - } -} - -int wifi_init_sta(void) -{ - word32 this_heap; - - s_wifi_event_group = xEventGroupCreate(); - - tcpip_adapter_init(); - - ESP_ERROR_CHECK(esp_event_loop_create_default()); - - wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT(); - ESP_ERROR_CHECK(esp_wifi_init(&cfg)); - - ESP_ERROR_CHECK(esp_event_handler_register(WIFI_EVENT, ESP_EVENT_ANY_ID, &event_handler, NULL)); - ESP_ERROR_CHECK(esp_event_handler_register(IP_EVENT, IP_EVENT_STA_GOT_IP, &event_handler, NULL)); - - wifi_config_t wifi_config = { - .sta = { - .ssid = EXAMPLE_ESP_WIFI_SSID, - .password = 
EXAMPLE_ESP_WIFI_PASS - }, - }; - - /* Setting a password implies station will connect to all security modes including WEP/WPA. - * However these modes are deprecated and not advisable to be used. In case your Access point - * doesn't support WPA2, these mode can be enabled by commenting below line */ - - if (strlen((char *)wifi_config.sta.password)) { - wifi_config.sta.threshold.authmode = WIFI_AUTH_WPA2_PSK; - } - - ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) ); - ESP_ERROR_CHECK(esp_wifi_set_config(ESP_IF_WIFI_STA, &wifi_config) ); - ESP_ERROR_CHECK(esp_wifi_start() ); - - ESP_LOGI(TAG, "wifi_init_sta finished. Connecting..."); - this_heap = esp_get_free_heap_size(); - ESP_LOGI(TAG, "this heap = %d", this_heap); - if (this_heap < WIFI_LOW_HEAP_WARNING) { - ESP_LOGW(TAG, "Warning: WiFi low heap: %d", WIFI_LOW_HEAP_WARNING); - } - /* Waiting until either the connection is established (WIFI_CONNECTED_BIT) or connection failed for the maximum - * number of re-tries (WIFI_FAIL_BIT). The bits are set by event_handler() (see above) */ - EventBits_t bits = xEventGroupWaitBits(s_wifi_event_group, - WIFI_CONNECTED_BIT | WIFI_FAIL_BIT, - pdFALSE, - pdFALSE, - portMAX_DELAY); - - ESP_LOGI(TAG, "xEventGroupWaitBits finished."); - /* xEventGroupWaitBits() returns the bits before the call returned, hence we can test which event actually - * happened. 
*/ - if (bits & WIFI_CONNECTED_BIT) { - ESP_LOGI(TAG, "connected to ap SSID:%s", - EXAMPLE_ESP_WIFI_SSID); - } else if (bits & WIFI_FAIL_BIT) { - ESP_LOGI(TAG, "Failed to connect to SSID:%s, password:%s", - EXAMPLE_ESP_WIFI_SSID, EXAMPLE_ESP_WIFI_PASS); - } else { - ESP_LOGE(TAG, "UNEXPECTED EVENT"); - } - - ESP_ERROR_CHECK(esp_event_handler_unregister(IP_EVENT, IP_EVENT_STA_GOT_IP, &event_handler)); - ESP_ERROR_CHECK(esp_event_handler_unregister(WIFI_EVENT, ESP_EVENT_ANY_ID, &event_handler)); - vEventGroupDelete(s_wifi_event_group); - return ESP_OK; -} - -#elif ESP_IDF_VERSION_MAJOR < 4 -/* event handler for wifi events */ -static esp_err_t wifi_event_handler(void *ctx, system_event_t *event) -{ - switch (event->event_id) - { - case SYSTEM_EVENT_STA_START: - esp_wifi_connect(); - break; - case SYSTEM_EVENT_STA_GOT_IP: - #if ESP_IDF_VERSION_MAJOR >= 4 - ESP_LOGI(TAG, "got ip:" IPSTR "\n", - IP2STR(&event->event_info.got_ip.ip_info.ip)); - #else - ESP_LOGI(TAG, "got ip:%s", - ip4addr_ntoa(&event->event_info.got_ip.ip_info.ip)); - #endif - /* see Espressif api-reference/system/freertos_idf */ - xEventGroupSetBits(wifi_event_group, CONNECTED_BIT); - break; - case SYSTEM_EVENT_STA_DISCONNECTED: - esp_wifi_connect(); - xEventGroupClearBits(wifi_event_group, CONNECTED_BIT); - break; - default: - break; - } - return ESP_OK; -} -#else - -#ifdef CONFIG_ESP_MAXIMUM_RETRY - #define EXAMPLE_ESP_MAXIMUM_RETRY CONFIG_ESP_MAXIMUM_RETRY -#else - #define CONFIG_ESP_MAXIMUM_RETRY 5 -#endif - -#if CONFIG_ESP_WIFI_AUTH_OPEN -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_OPEN -#elif CONFIG_ESP_WIFI_AUTH_WEP -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WEP -#elif CONFIG_ESP_WIFI_AUTH_WPA_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WPA_PSK -#elif CONFIG_ESP_WIFI_AUTH_WPA2_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WPA2_PSK -#elif CONFIG_ESP_WIFI_AUTH_WPA_WPA2_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WPA_WPA2_PSK -#elif 
CONFIG_ESP_WIFI_AUTH_WPA3_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WPA3_PSK -#elif CONFIG_ESP_WIFI_AUTH_WPA2_WPA3_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WPA2_WPA3_PSK -#elif CONFIG_ESP_WIFI_AUTH_WAPI_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WAPI_PSK -#endif - -#ifndef ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD - #define CONFIG_ESP_WIFI_AUTH_WPA2_PSK 1 - #define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD CONFIG_ESP_WIFI_AUTH_WPA2_PSK -#endif - -/* FreeRTOS event group to signal when we are connected*/ -static EventGroupHandle_t s_wifi_event_group; - -/* The event group allows multiple bits for each event, but we only care about two events: - * - we are connected to the AP with an IP - * - we failed to connect after the maximum amount of retries */ -#define WIFI_CONNECTED_BIT BIT0 -#define WIFI_FAIL_BIT BIT1 - - -static int s_retry_num = 0; -ip_event_got_ip_t* event; - - -static void event_handler(void* arg, - esp_event_base_t event_base, - int32_t event_id, - void* event_data) -{ - if (event_base == WIFI_EVENT && event_id == WIFI_EVENT_STA_START) { - esp_wifi_connect(); - } - else if (event_base == WIFI_EVENT && - event_id == WIFI_EVENT_STA_DISCONNECTED) { - if (s_retry_num < EXAMPLE_ESP_MAXIMUM_RETRY) { - esp_wifi_connect(); - s_retry_num++; - ESP_LOGI(TAG, "retry to connect to the AP"); - } - else { - xEventGroupSetBits(s_wifi_event_group, WIFI_FAIL_BIT); - } - ESP_LOGI(TAG, "connect to the AP fail"); - } - else if (event_base == IP_EVENT && event_id == IP_EVENT_STA_GOT_IP) { - event = (ip_event_got_ip_t*) event_data; - wifi_show_ip(); - s_retry_num = 0; - xEventGroupSetBits(s_wifi_event_group, WIFI_CONNECTED_BIT); - } -} - -int wifi_init_sta(void) -{ - int ret = ESP_OK; - - s_wifi_event_group = xEventGroupCreate(); - - ESP_ERROR_CHECK(esp_netif_init()); - - ESP_ERROR_CHECK(esp_event_loop_create_default()); - esp_netif_create_default_wifi_sta(); - - wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT(); - 
ESP_ERROR_CHECK(esp_wifi_init(&cfg)); - - esp_event_handler_instance_t instance_any_id; - esp_event_handler_instance_t instance_got_ip; - ESP_ERROR_CHECK(esp_event_handler_instance_register(WIFI_EVENT, - ESP_EVENT_ANY_ID, - &event_handler, - NULL, - &instance_any_id)); - ESP_ERROR_CHECK(esp_event_handler_instance_register(IP_EVENT, - IP_EVENT_STA_GOT_IP, - &event_handler, - NULL, - &instance_got_ip)); - - wifi_config_t wifi_config = { - .sta = { - .ssid = EXAMPLE_ESP_WIFI_SSID, - .password = EXAMPLE_ESP_WIFI_PASS, - /* Authmode threshold resets to WPA2 as default if password matches - * WPA2 standards (password len => 8). If you want to connect the - * device to deprecated WEP/WPA networks, Please set the threshold - * value WIFI_AUTH_WEP/WIFI_AUTH_WPA_PSK and set the password with - * length and format matching to WIFI_AUTH_WEP/WIFI_AUTH_WPA_PSK - * standards. */ - .threshold.authmode = ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD, - #ifdef HAS_WPA3_FEATURES - .sae_pwe_h2e = WPA3_SAE_PWE_BOTH, - #endif - }, - }; - ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) ); - ESP_ERROR_CHECK(esp_wifi_set_config(WIFI_IF_STA, &wifi_config) ); - -#ifdef CONFIG_EXAMPLE_WIFI_SSID - if (XSTRCMP(CONFIG_EXAMPLE_WIFI_SSID, "myssid") == 0) { - ESP_LOGW(TAG, "WARNING: CONFIG_EXAMPLE_WIFI_SSID is \"myssid\"."); - ESP_LOGW(TAG, " Do you have a WiFi AP called \"myssid\", "); - ESP_LOGW(TAG, " or did you forget the ESP-IDF configuration?"); - } -#else - ESP_LOGW(TAG, "WARNING: CONFIG_EXAMPLE_WIFI_SSID not defined."); -#endif - - ESP_ERROR_CHECK(esp_wifi_start() ); - - ESP_LOGI(TAG, "wifi_init_sta finished."); - - /* Waiting until either the connection is established (WIFI_CONNECTED_BIT) - * or connection failed for the maximum number of re-tries (WIFI_FAIL_BIT). 
- * The bits are set by event_handler() (see above) */ - EventBits_t bits = xEventGroupWaitBits(s_wifi_event_group, - WIFI_CONNECTED_BIT | WIFI_FAIL_BIT, - pdFALSE, - pdFALSE, - portMAX_DELAY); - - /* xEventGroupWaitBits() returns the bits before the call returned, - * hence we can test which event actually happened. */ -#if defined(SHOW_SSID_AND_PASSWORD) - ESP_LOGW(TAG, "Undefine SHOW_SSID_AND_PASSWORD to not show SSID/password"); - if (bits & WIFI_CONNECTED_BIT) { - ESP_LOGI(TAG, "connected to ap SSID:%s password:%s", - EXAMPLE_ESP_WIFI_SSID, - EXAMPLE_ESP_WIFI_PASS); - } - else if (bits & WIFI_FAIL_BIT) { - ESP_LOGI(TAG, "Failed to connect to SSID:%s, password:%s", - EXAMPLE_ESP_WIFI_SSID, - EXAMPLE_ESP_WIFI_PASS); - } - else { - ESP_LOGE(TAG, "UNEXPECTED EVENT"); - } -#else - if (bits & WIFI_CONNECTED_BIT) { - ESP_LOGI(TAG, "Connected to AP"); - } - else if (bits & WIFI_FAIL_BIT) { - ESP_LOGI(TAG, "Failed to connect to AP"); - ret = -1; - } - else { - ESP_LOGE(TAG, "AP UNEXPECTED EVENT"); - ret = -2; - } -#endif - return ret; -} - -int wifi_show_ip(void) -{ - /* TODO Causes panic: ESP_LOGI(TAG, "got ip:" IPSTR, - * IP2STR(&event->ip_info.ip)); */ - return ESP_OK; -} -#endif diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults index d2b0b890eb..b479e65be3 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults 
@@ -1,18 +1,46 @@ +# sdkconfig.defaults + +# Copyright (C) 2006-2025 wolfSSL Inc. +# +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + # Set the known example app config to TLS Client (see user_settings.h) CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT=y +# ------------- BEGIN COMMON SECTION ------------- + # CONFIG_EXAMPLE_WIFI_SSID="myssid" # CONFIG_EXAMPLE_WIFI_PASSWORD="mypassword" +CONFIG_EXAMPLE_CONNECT_IPV6=n +CONFIG_LWIP_IPV6=n + +# Colorization disabled by default in IDF V6+ +CONFIG_LOG_COLORS=y + # Some wolfSSL helpers CONFIG_USE_WOLFSSL_ESP_SDK_TIME=y +CONFIG_LWIP_SNTP_MAX_SERVERS=3 # sdkconfig.defaults for ESP8266 + ESP32 # See separate sdkconfig.defaults.esp8266 # FreeRTOS ticks at 1ms interval CONFIG_FREERTOS_UNICORE=y CONFIG_FREERTOS_HZ=1000 -CONFIG_ESP32_DEFAULT_CPU_FREQ_240=y # # Default main stack size. See user_settings.h 
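Review bot: This file ends up assigning the same symbols more than once: `CONFIG_FREERTOS_UNICORE=y` and `CONFIG_FREERTOS_HZ=1000` are context here and appear again as context in the `@@ -86,16 +98,9 @@` hunk, and that hunk's header names `CONFIG_USE_WOLFSSL_ESP_SDK_TIME=n` while this hunk keeps `CONFIG_USE_WOLFSSL_ESP_SDK_TIME=y` directly above the new `CONFIG_LWIP_SNTP_MAX_SERVERS=3`. With repeated assignments the effective value is whichever one the Kconfig loader applies last (as far as I know the later line wins, with at most a warning), so a reader of the new common block cannot tell from it whether the SDK time helpers are actually enabled. Since the commit introduces `# ------------- BEGIN COMMON SECTION -------------`, the duplicated settings further down belong in that block exactly once, with a line such as `# Shared settings live here once; do not repeat them below, later assignments silently override these`.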
@@ -44,28 +72,12 @@ CONFIG_ESP_TASK_WDT_EN=n CONFIG_ESP_SYSTEM_PANIC_PRINT_HALT=y CONFIG_ESP_INT_WDT=n -# ESP8266 Watchdog: -CONFIG_TASK_WDT=n -CONFIG_TASK_WDT_PANIC=n - -# ESP8266 WDT -# CONFIG_ESP_PANIC_PRINT_REBOOT is not set -CONFIG_ESP_PANIC_PRINT_REBOOT=n -CONFIG_ESP_PANIC_PRINT_HALT=y - # CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS is not set CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS=n -# ESP8266 Memory -CONFIG_FREERTOS_GLOBAL_DATA_LINK_IRAM=y -CONFIG_HEAP_DISABLE_IRAM=y - # Performance # CONFIG_COMPILER_OPTIMIZATION_PERF=y -# Set max CPU frequency (falls back as needed for lower maximum) -CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y - # Enable wolfSSL TLS in esp-tls # CONFIG_ESP_TLS_USING_WOLFSSL=y # CONFIG_TLS_STACK_WOLFSSL=y @@ -86,16 +98,9 @@ CONFIG_USE_WOLFSSL_ESP_SDK_TIME=n # CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS is not set CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS=n -# ESP8266 Memory -CONFIG_FREERTOS_GLOBAL_DATA_LINK_IRAM=y -CONFIG_HEAP_DISABLE_IRAM=y - # Performance # CONFIG_COMPILER_OPTIMIZATION_PERF=y -# Set max COU frequency (falls back as needed for lower maximum) -CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y - # FreeRTOS ticks at 1ms interval CONFIG_FREERTOS_UNICORE=y CONFIG_FREERTOS_HZ=1000 @@ -147,10 +152,6 @@ CONFIG_COMPILER_STACK_CHECK=y # CONFIG_COMPILER_DUMP_RTL_FILES is not set # end of Compiler options -# We don't know that the min is actually v2, -# but this is the earliest tested. -CONFIG_ESP32C3_REV_MIN_2=y - # # Partition Table # diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults.esp32c2 b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults.esp32c2 index a24d9302e6..dba65f98d0 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults.esp32c2 +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults.esp32c2 
@@ -1,3 +1,25 @@
+# sdkconfig.defaults.esp32c2
+
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+
+# File Version 5.8.2.001 for esp-idf integration
+
 #
 # Main XTAL Config
 #
@@ -5,3 +27,11 @@ CONFIG_XTAL_FREQ_26=y
 # CONFIG_XTAL_FREQ_40 is not set
 CONFIG_XTAL_FREQ=26
 # end of Main XTAL Config
+
+# Limited memory
+CONFIG_ESP_MAIN_MAIN_TASK_STACK_SIZE=10500
+CONFIG_MAIN_MAIN_TASK_STACK_SIZE=10500
+CONFIG_WOLFSSL_ALLOW_TLS12=y
+# CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13=y
+
+
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults.esp8266 b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults.esp8266
index 77299dfe4a..4bf90cd3f1 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults.esp8266
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults.esp8266
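Review bot: The two new stack-size keys in the `@@ -5,3 +27,11 @@` hunk look misspelled: `CONFIG_ESP_MAIN_MAIN_TASK_STACK_SIZE=10500` and `CONFIG_MAIN_MAIN_TASK_STACK_SIZE=10500` repeat `MAIN_`, whereas the esp8266 defaults in the next file use `CONFIG_ESP_MAIN_TASK_STACK_SIZE` and `CONFIG_MAIN_TASK_STACK_SIZE`. An unknown symbol in sdkconfig.defaults is normally dropped rather than rejected, so the ESP32-C2 build would keep the default main-task stack and the "Limited memory" block would have no effect, which on a constrained target tends to surface only as a stack overflow during the TLS handshake. Change them to `CONFIG_ESP_MAIN_TASK_STACK_SIZE=10500` and `CONFIG_MAIN_TASK_STACK_SIZE=10500`, and state in the comment which configuration the 10500 was sized for, as the esp8266 file does with its 6000/10K remark.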
@@ -1,3 +1,44 @@
+# sdkconfig.defaults.esp8266
+
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+
+# File Version 5.8.2.001 for esp-idf integration
+
+# Limited memory
+# TLS 1.2 only needs about 6000 bytes
+# TLS 1.2 + 1.3 needs about 10K
+CONFIG_ESP_MAIN_TASK_STACK_SIZE=10240
+CONFIG_MAIN_TASK_STACK_SIZE=10240
+CONFIG_WOLFSSL_ALLOW_TLS12=y
+
+# TLS 1.3 can be disabled on very low memory devices
+# CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13=y
+
+# CONFIG_TCPIP_TASK_STACK_SIZE=3072
+# CONFIG_ESP_SYSTEM_EVENT_TASK_STACK_SIZE=2304
+# CONFIG_FREERTOS_IDLE_TASK_STACKSIZE=1536
+# CONFIG_FREERTOS_ISR_STACKSIZE=1536
+# CONFIG_TCP_SND_BUF_DEFAULT=5760
+
+# wolfSSL sets UART to 115200 instead of 74880 default
+CONFIG_CONSOLE_UART_BAUDRATE=115200
+
 # ESP8266 WDT
 # CONFIG_ESP_PANIC_PRINT_REBOOT is not set
 CONFIG_ESP_PANIC_PRINT_REBOOT=n
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/wolfssl_client_ESP8266.vgdbproj b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/wolfssl_client_ESP8266.vgdbproj
index 7074a28a9c..74fd36980c 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/wolfssl_client_ESP8266.vgdbproj
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/wolfssl_client_ESP8266.vgdbproj
@@ -53,7 +53,7 @@ - COM80 + COM65 74880 8
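Review bot: The console rate set here, `CONFIG_CONSOLE_UART_BAUDRATE=115200`, does not appear to match the IDE project changed in the next hunk, where the `COM80` to `COM65` edit sits next to a `74880` value that looks like the VisualGDB serial-terminal baud rate. If that reading is right, the terminal will show garbage for this build until it is also moved to 115200, and the COM port itself is a machine-specific setting that would be better kept out of the committed project file. A pointer next to the config line, `# The IDE serial terminal (.vgdbproj) must use the same 115200 rate`, would at least tell the reader where the second setting lives.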
@@ -234,10 +234,12 @@ false true 0 + 0 false 0 true false + true openocd @@ -287,6 +289,13 @@ 0 false + + + false + false + false + + true \ No newline at end of file diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/CMakeLists.txt index 477b3be8b0..54ca017a5e 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/CMakeLists.txt 
@@ -1,11 +1,35 @@ # wolfSSL Espressif Example Project CMakeLists.txt -# v1.3 +# v5.8.2.001 # # The following lines of boilerplate have to be in your project's # CMakeLists in this exact order for cmake to work correctly message(STATUS "Begin project ${CMAKE_PROJECT_NAME}") cmake_minimum_required(VERSION 3.16) +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") + +# Optionally set flag for using a private include. See wolfcrypt/port/Espressif/esp-sdk-lib.h +if( "$ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}" STREQUAL "1" ) + message(STATUS "Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variable") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") +else() + message(STATUS "CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.") +endif() + +# Different ESP-IDF versions have different lock files. +# Not starting fresh has unintuitive results. +# So force a fresh dependencies.lock by deleting the current one: +file(REMOVE "./dependencies.lock") + +# Force custom partition table regardless of IDE presets +set(PARTITION_TABLE_CUSTOM ON CACHE BOOL "" FORCE) +set(PARTITION_TABLE_FILENAME "${CMAKE_SOURCE_DIR}/partitions_singleapp_large.csv" CACHE STRING "" FORCE) + +if("${IDF_TARGET}" STREQUAL "linux") + set(COMPONENTS main) +endif() # For the main project using ESP-IDF version 6 or greater. # Numerous "dangerous relocation: call8: call target out of range: memcpy" errors encountered @@ -34,6 +58,7 @@ endif() # # Optional WOLFSSL_CMAKE_SYSTEM_NAME detection to find # USE_MY_PRIVATE_CONFIG path for my_private_config.h +# See: wolfcrypt/port/Espressif/esp-sdk-lib.h # # Expected path varies: # 
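Review bot: `file(REMOVE "./dependencies.lock")` uses a relative path, which CMake resolves against the working directory of the configure step rather than the project directory, so it can delete nothing, or the wrong file, when the build is driven from elsewhere. Unconditionally deleting the component-manager lockfile on every configure also means each build re-resolves managed component versions from the registry, so two builds of the same commit can end up with different component versions; that is exactly the pinning the lockfile provides, and removing it deserves an opt-in rather than a default. Suggested shape (variable name illustrative): `if(DEFINED ENV{WOLFSSL_RESET_DEPENDENCIES_LOCK})` / `file(REMOVE "${CMAKE_SOURCE_DIR}/dependencies.lock")` / `endif()`, with the existing comment extended to say that removal disables version pinning until the next resolve.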
@@ -41,6 +66,8 @@ endif() # Linux: ~/workspace # Windows: C:\workspace # + + if(WIN32) # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WINDOWS") @@ -49,9 +76,6 @@ endif() if(CMAKE_HOST_UNIX) message(STATUS "Detected UNIX") endif() -if(APPLE) - message(STATUS "Detected APPLE") -endif() if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop") # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL") @@ -63,7 +87,7 @@ if(CMAKE_HOST_UNIX AND (NOT APPLE) AND (NOT WIN32)) message(STATUS "Detected Linux") endif() if(APPLE) - # Windows-specific configuration here + # Apple-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_APPLE") message(STATUS "Detected Apple") endif() 
@@ -157,6 +181,27 @@ endif() include($ENV{IDF_PATH}/tools/cmake/project.cmake) +message(STATUS "Checking Project CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}") +# Optionally force syntax highlighting fix in Visual Studio 2022 for ESP-IDF v6 +# See https://sysprogs.com/w/forums/topic/espressif-esp-idf-v6-0-intellisense-error-invalid-value-gnu2b-in-stdgnu2b/ +# To resolve, enter the text in VisualGDB Project Properties - Intellisense Settings Tab, "Additional flags for C files": +# -std=gnu17 +# And set here: +if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" ) + set(PREFERRED_DIALECT "gnu17") + if(DEFINED IDF_VERSION_MAJOR AND IDF_VERSION_MAJOR GREATER_EQUAL 6) + message(STATUS "-- Found CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX, replacing -std=gnu2b with -std=${PREFERRED_DIALECT}") + if(CMAKE_C_COMPILER_ID MATCHES "Clang") + string(REPLACE "-std=gnu2b" "-std=${PREFERRED_DIALECT}" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + endif() + else() + message(STATUS "-- Visual Studio Intellisense Fix not needed for this ESP-IDF version=${IDF_VERSION_MAJOR}") + endif() +else() + message(STATUS "-- Not replacing -std=gnu2b with -std=${PREFERRED_DIALECT} for Viosual Studio Intellisense fix") + message(STATUS "-- To enable, define environment variable: CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=1") +endif() + # Once the project is loaded, next check for ESP-IDF version 6 or greater. # Numerous "dangerous relocation: call8: call target out of range: memcpy" errors encountered # So we'll allow long calls with the `-mlongcalls` compiler option for all components. diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/Makefile b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/Makefile index e3bb4037f5..14d3124cdc 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/Makefile +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/Makefile 
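Review bot: `PREFERRED_DIALECT` is only assigned inside the `if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" )` branch, yet the `else()` branch prints `-std=${PREFERRED_DIALECT}`, so the default-path message comes out as `Not replacing -std=gnu2b with -std= for ...` with an empty dialect, and the same message misspells "Visual" as "Viosual". Move `set(PREFERRED_DIALECT "gnu17")` above the `if(` so both branches see it, and fix the spelling. The `string(REPLACE ...)` itself runs only when `CMAKE_C_COMPILER_ID MATCHES "Clang"`, which the surrounding comment does not mention; a line such as `# The -std replacement is deliberately limited to Clang; GCC flags are left untouched` would make that visible intent explicit.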
@@ -1,14 +1,193 @@ +# ESP8266 Project Makefile for wolfssl_client # -# This is a project Makefile. It is assumed the directory this Makefile resides in is a -# project subdirectory. +# Copyright (C) 2006-2025 wolfSSL Inc. # +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA +# + +PROJECT_NAME := wolfssl_server + +$(info ************* wolfssl_server main project *************) + +# ------------- BEGIN COMMON SECTION ------------- +ifeq ($(strip $(WOLFSSL_ROOT)),) + $(info Initial WOLFSSL_ROOT is blank, component will search parent directories) +else + $(info Found WOLFSSL_ROOT = $(WOLFSSL_ROOT)) + $(info Checking if WOLFSSL_ROOT is anywhere in current path parent) + WOLFSSL_ROOT_ABS := $(abspath $(WOLFSSL_ROOT)) + CURDIR_ABS := $(abspath $(CURDIR)) + + # Ensure trailing slashes stripped once, then re-add exactly one + ROOT_NOSLASH := $(patsubst %/,%,$(WOLFSSL_ROOT_ABS)) + CUR_NOSLASH := $(patsubst %/,%,$(CURDIR_ABS)) + THIS_ROOT := $(ROOT_NOSLASH)/ + THIS_CDIR := $(CUR_NOSLASH)/ -PROJECT_NAME := tls_server + $(info THIS_ROOT = $(THIS_ROOT)) + $(info THIS_CDIR = $(THIS_CDIR)) + + ifeq ($(wildcard $(WOLFSSL_ROOT_ABS)),) + $(error Directory does NOT exist: $(WOLFSSL_ROOT_ABS)) + else + $(info Confirmed directory exists: $(WOLFSSL_ROOT_ABS)) + endif + + ifneq (,$(filter 
$(THIS_ROOT)%,$(THIS_CDIR))) + $(info WOLFSSL_ROOT ($(WOLFSSL_ROOT_ABS)) is in the parent tree of $(CURDIR_ABS)) + else + $(warning WOLFSSL_ROOT ($(WOLFSSL_ROOT_ABS)) is NOT in the parent tree of $(CURDIR_ABS)) + endif +endif + +ifeq ($(strip $(IDF_PATH)),) + $(error IDF_PATH is not set. Please export it before running make) +endif + +# Default compiler flags +CFLAGS ?= +CXXFLAGS ?= CFLAGS += -DWOLFSSL_USER_SETTINGS +# Some of the tests are CPU intenstive, so we'll force the watchdog timer off. +# There's an espressif NO_WATCHDOG; we don't use it, as it is reset by sdkconfig. +CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 + +# Check if CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG is set to 1 in environment +ifeq ($(CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG),1) + $(info Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variable for Makefile) + CFLAGS += -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1 + CXXFLAGS += -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1 +else + $(info CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.) +endif + +# +# This is a project Makefile. +# It is assumed the directory this Makefile resides in is a +# project subdirectory containing an entire project. +# +# Optional private config headers. Define environment variables +# to include various default header files that are typically +# not in a git path, and thus excluded from being checked in. 
+# +# Environment Variable Name | Header file name included +# ---------------------------------- | --------------------------------------- +# MY_PRIVATE_CONFIG (files detected / selected in header) +# USE_MY_PRIVATE_WSL_CONFIG /mnt/c/workspace/my_private_config.h +# USE_MY_PRIVATE_MAC_CONFIG ~/Documents/my_private_config.h +# USE_MY_PRIVATE_LINUX_CONFIG ~/workspace/my_private_config.h +# USE_MY_PRIVATE_WINDOWS_CONFIG /workspace/my_private_config.h +# +# + +# Optionally include component source when print path (needs work to then properly build) +# +# include components/wolfssl/component.mk + +MY_PRIVATE_CONFIG ?= n +USE_MY_PRIVATE_WSL_CONFIG ?= n +USE_MY_PRIVATE_MAC_CONFIG ?= n +USE_MY_PRIVATE_LINUX_CONFIG ?= n +USE_MY_PRIVATE_WINDOWS_CONFIG ?= n + +# Calling shell causes unintuitive error in Windows: +# OS := $(shell uname -s) +# +# But OS, or MY_PRIVATE_CONFIG should already be defined: + +ifeq ($(MY_PRIVATE_CONFIG),y) + CFLAGS += -DMY_PRIVATE_CONFIG + $(info Enabled MY_PRIVATE_CONFIG) +endif + +# Check for Windows environment variable: USE_MY_PRIVATE_WINDOWS_CONFIG +ifeq ($(USE_MY_PRIVATE_WINDOWS_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := /workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_WINDOWS_CONFIG + $(info Using private config file for: Windows) + endif +endif + +# Check for WSL environment variable: USE_MY_PRIVATE_WSL_CONFIG +ifeq ($(USE_MY_PRIVATE_WSL_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. 
+ MY_CONFIG_FILE := /mnt/c/workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_WSL_CONFIG + $(info Using private config file for: WSL) + endif +endif + +# Check for Linux environment variable: USE_MY_PRIVATE_LINUX_CONFIG +ifeq ($(USE_MY_PRIVATE_LINUX_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := $(HOME)/workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_LINUX_CONFIG + $(info Using private config file for: Linux) + endif +endif + +# Check for Mac environment variable: USE_MY_PRIVATE_MAC_CONFIG +ifeq ($(USE_MY_PRIVATE_MAC_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := $(HOME)/Documents/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_MAC_CONFIG + $(info Using private config file for: Mac) + endif +endif + +ifneq ($(OS),MY_PRIVATE_CONFIG) + CFLAGS += -DMY_PRIVATE_CONFIG="$(MY_PRIVATE_CONFIG)" +else + ifeq ($(OS),Linux) + CFLAGS += -DOS_LINUX + endif + ifeq ($(OS),Windows_NT) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_WINDOWS + endif + ifeq ($(OS),Darwin) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_APPLE + endif + ifneq (,$(findstring MINGW,$(OS))) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_MINGW + endif + ifneq (,$(findstring CYGWIN,$(OS))) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_CYGWIN + endif +endif + # if there isn't the directory, please disable the line below. EXTRA_COMPONENT_DIRS = $(IDF_PATH)/examples/common_components/protocol_examples_common +# The Standard Espressif IDF include: include $(IDF_PATH)/make/project.mk +$(info ************* end wolfssl_server main project *************) 
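Review bot: `ifneq ($(OS),MY_PRIVATE_CONFIG)` compares the OS name with the literal string `MY_PRIVATE_CONFIG`, which is never equal, so the `else` branch holding the Linux/Windows_NT/Darwin/MINGW/CYGWIN detection is unreachable and `-DMY_PRIVATE_CONFIG="$(MY_PRIVATE_CONFIG)"` is always appended — with the default `n` that makes an `#ifdef MY_PRIVATE_CONFIG` test true, and with `y` it conflicts with the earlier `CFLAGS += -DMY_PRIVATE_CONFIG`. Presumably the test was meant to be on `$(MY_PRIVATE_CONFIG)`, and the OS detection should not sit in its `else` at all. The header comment says `ESP8266 Project Makefile for wolfssl_client` while `PROJECT_NAME := wolfssl_server`, and "intenstive" is a typo. `-DWOLFSSL_ESP_NO_WATCHDOG=1` is applied unconditionally although the comment justifies it for CPU-intensive tests; consider tying it to the benchmark/test configuration so a stalled TLS session in a deployed server build still trips the task watchdog.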
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/CMakeLists.txt index a266a9c1c2..23fb4ffbb9 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/CMakeLists.txt @@ -19,7 +19,7 @@ # # cmake for wolfssl Espressif projects # -# Version 5.8.0 Espressif ESP-IDF + PlatformIO integration (2) +# Version 5.8.2 Espressif ESP-IDF + PlatformIO integration (1) # # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html # @@ -27,9 +27,18 @@ message(STATUS "Begin wolfssl ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") cmake_minimum_required(VERSION 3.16) # The scope of this CMAKE_C_FLAGS is just this component: -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") +message(STATUS "Peek CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG = $ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}") +if( "$ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}" STREQUAL "1" ) + message(STATUS "Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variable") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") +else() + message(STATUS "CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.") +endif() + set(CMAKE_CURRENT_SOURCE_DIR ".") # Optionally set your source to wolfSSL in your project CMakeLists.txt like this: @@ -48,6 +57,7 @@ set(THIS_ESP_TLS "") # LIBWOLFSSL_CMAKE_OUTPUT can be printed at runtime set(LIBWOLFSSL_CMAKE_OUTPUT "") +set(git_cmd "git") if(CMAKE_BUILD_EARLY_EXPANSION) message(STATUS "Skipping libwolfssl_output.h update during CMAKE_BUILD_EARLY_EXPANSION") 
@@ -66,6 +76,19 @@ else() "#define _LIBWOLFSSL_OUTPUT_H_\n\n") endif() +# CMakeLists.txt (project or component) +# Known RISC-V families in ESP-IDF: esp32c2, esp32c3, esp32c6, esp32h2, esp32p4 +set(_riscv_targets esp32c2 esp32c3 esp32c6 esp32h2 esp32p4) + +list(FIND _riscv_targets "${IDF_TARGET}" _idx) +if(_idx GREATER -1) + set(IS_RISCV TRUE) +else() + set(IS_RISCV FALSE) +endif() + +message(STATUS "IDF target: ${IDF_TARGET} (RISC-V: ${IS_RISCV})") + # Append messages with: # LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n"message" "0") # See function: APPEND_LIBWOLFSSL_CMAKE_OUTPUT @@ -73,8 +96,7 @@ endif() # function: IS_ESP_IDF_COMPONENT # output: RESULT = 1 (true) if this component is located in the ESP-IDF components # otherwise 0 (false) -function( IS_ESP_IDF_COMPONENT - RESULT) +function( IS_ESP_IDF_COMPONENT RESULT ) # NOTE: Component location is based on the location of the CMakeList.txt # and *not* the location of the wolfSSL source code. (which may be anywhere) 
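Review bot: `_riscv_targets` is a hard-coded list, so any RISC-V target not listed silently gets `IS_RISCV FALSE` with no diagnostic. ESP-IDF exposes the architecture via `CONFIG_IDF_TARGET_ARCH_RISCV`; if that symbol is available in the IDF versions this component supports, `if(CONFIG_IDF_TARGET_ARCH_RISCV)` would replace the list and its maintenance. The stray comment `# CMakeLists.txt (project or component)` above the list describes nothing; replace it with what `IS_RISCV` is used for, which is not visible in this hunk.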
@@ -110,60 +132,60 @@ function ( LIBWOLFSSL_SAVE_INFO VAR_OUTPUT THIS_VAR VAR_RESULT ) # if we had a successful operation, save the THIS_VAR in VAR_OUTPUT if(${IS_VALID_VALUE}) - if(0) - # Optional debug - message(STATUS "Looking for LF in ${THIS_VAR}") - endif() + if(0) + # Optional debug + message(STATUS "Looking for LF in ${THIS_VAR}") + endif() - # Check if the text to print in THIS_VAR is multi-line - string(REPLACE "\n" ";" LINES "${THIS_VAR}") - list(LENGTH LINES LINE_COUNT) - - # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def - if(LINE_COUNT GREATER 1) - message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") - add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") - - # Split into lines - string(REPLACE "\n" ";" LINES "${THIS_VAR}") - foreach(LINE IN LISTS LINES) - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") - endforeach() + # Check if the text to print in THIS_VAR is multi-line + string(REPLACE "\r" "" THIS_VAR "${THIS_VAR}") + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + list(LENGTH LINES LINE_COUNT) - # Final empty line to close the macro - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") + # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def + if(LINE_COUNT GREATER 1) + message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") + add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") - message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") - target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") - else() - message(STATUS "No 
HAS_LIBWOLFSSL_OUTPUT_HEADER") - # We should not have any, but just to be sure: - # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE - string(REPLACE "\n" "" VAR_VALUE "${THIS_VAR}") + # Split into lines + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + foreach(LINE IN LISTS LINES) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") + endforeach() + + # Final empty line to close the macro + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") - # we'll could percolate the value to the parent for possible later use - # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) + message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") + target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") + else() # 1 or zero lines in THIS_VAR + message(STATUS "Result line count=${LINE_COUNT}; Not setting HAS_LIBWOLFSSL_OUTPUT_HEADER") + # We should not have any, but just to be sure: + # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE + string(REPLACE "\n" "" THIS_VAR "${THIS_VAR}") + string(REPLACE "\r" "" VAR_VALUE "${THIS_VAR}") - # but we're only using it here in this function - set(${VAR_OUTPUT} ${VAR_VALUE}) + # we could percolate the value to the parent for possible later use + # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) - # we'll print what we found to the console - message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + # but we're only using it here in this function + set(${VAR_OUTPUT} ${VAR_VALUE}) - # the interesting part is defining the VAR_OUTPUT name a value to use in the app - add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") + # we'll print what we found to the console + message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + + # the interesting part is defining the VAR_OUTPUT name a value to use in the app + add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") endif() - else() + else() # !IS_VALID_VALUE # if we get here, check the execute_process command and parameters. 
- message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") + message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT=${VAR_RESULT} for THIS_VAR=${THIS_VAR}") set(${VAR_OUTPUT} "Unknown") - endif() - - -endfunction() # LIBWOLFSSL_SAVE_INFO + endif() # IS_VALID_VALUE +endfunction()# LIBWOLFSSL_SAVE_INFO # # APPEND_LIBWOLFSSL_CMAKE_OUTPUT(THIS_MESSAGE OUTPUT_VALUE) @@ -558,7 +580,7 @@ if(CMAKE_BUILD_EARLY_EXPANSION) "${THIS_INCLUDE_TIMER}" "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark ) - + # Do not set compile options during early expansion else() # not CMAKE_BUILD_EARLY_EXPANSION message(STATUS "************************************************************************************************") @@ -596,6 +618,15 @@ else() if(WOLFSSL_ROOT) message(STATUS "Confirmed wolfssl directory at: ${WOLFSSL_ROOT}") + # Once WOLFSSL_ROOT has been determined, see if there's a Espressif.cmake file to include + + set(WOLFSSL_ROOT_ESPRESSIF_CMAKE "${WOLFSSL_ROOT}/cmake/modules/Espressif.cmake") + if( EXISTS "${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + message(STATUS "Found WOLFSSL_ROOT_ESPRESSIF_CMAKE: ${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + include("${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + else() + message(STATUS "Not found WOLFSSL_ROOT_ESPRESSIF_CMAKE: ${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + endif() else() # Try to allow a more intuitive error that the source code was not found in cmake: set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_WARNING_SOURCE_NOT_FOUND") 
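Review bot: The new `\r` stripping in `LIBWOLFSSL_SAVE_INFO` does not address that `VAR_VALUE` is pasted unescaped into `add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\")` and each `LINE` into the generated `"${LINE}\\n"` header line, so a value containing `"` or `\` (callers pass git remote URLs, branch and tag names) is likely to produce an unterminated string literal and a build break. Escape before use, e.g. `string(REPLACE "\\" "\\\\" VAR_VALUE "${VAR_VALUE}")` followed by `string(REPLACE "\"" "\\\"" VAR_VALUE "${VAR_VALUE}")`, and the same for `LINE`. A `;` in `THIS_VAR` also splits the `foreach(LINE IN LISTS LINES)` loop, so the multi-line path has the same fragility. Most of the hunk is re-indentation; the `if(0)` debug block survives it and could be dropped.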
@@ -896,6 +927,25 @@ else() "${THIS_INCLUDE_TIMER}" "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark ) + + message(STATUS "Checking wolfSSL Component CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}") + # Optionally force syntax highlighting fix in Visual Studio 2022 for ESP-IDF v6 + # See https://sysprogs.com/w/forums/topic/espressif-esp-idf-v6-0-intellisense-error-invalid-value-gnu2b-in-stdgnu2b/ + # To resolve, enter the text in VisualGDB Project Properties - Intellisense Settings Tab, "Additional flags for C files": + # -std=gnu17 + # And set here: + if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" ) + set(PREFERRED_DIALECT "gnu17") + if(DEFINED IDF_VERSION_MAJOR AND IDF_VERSION_MAJOR GREATER_EQUAL 6) + message(STATUS "-- Setting -std=${PREFERRED_DIALECT} with target_compile_options $<$:-std=${PREFERRED_DIALECT}>") + target_compile_options(${COMPONENT_LIB} PRIVATE $<$:-std=${PREFERRED_DIALECT}>) + else() + message(STATUS "-- Visual Studio Intellisense Fix not needed for this ESP-IDF version=${IDF_VERSION_MAJOR}") + endif() + else() + message(STATUS "-- Not setting -std=${PREFERRED_DIALECT} with target_compile_options for Visual Studio Intellisense Fix") + message(STATUS "-- To enable, define environment variable: CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=1") + endif() else() # Register the component simply to allow CMake to complete, but there's no wolfSSL source. # Expect many other errors, but the project should at least be loadable and UI can edit Kconfig settings. @@ -906,8 +956,7 @@ else() # function(WOLFSSL_INIT_CERT_BUNDLE) if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE AND NOT CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE - AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") - ) + AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") ) APPEND_LIBWOLFSSL_CMAKE_OUTPUT("wolfSSL Certificate Bundles Enabled") if (CMAKE_BUILD_EARLY_EXPANSION) 
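Review bot: The generator expression in `target_compile_options(${COMPONENT_LIB} PRIVATE $<$:-std=${PREFERRED_DIALECT}>)` reads `$<$:...>` as shown, which is not a valid CMake generator expression; if this is a rendering artifact of something like `$<$<COMPILE_LANGUAGE:C>:-std=gnu17>` it is fine, otherwise CMake will fail at generate time. This hunk shares the unset-`PREFERRED_DIALECT` `else()` message with the project CMakeLists hunk at `@@ -157,6 +181,27 @@`. Unlike that hunk there is no `CMAKE_C_COMPILER_ID MATCHES "Clang"` guard here, so with the environment variable set `-std=gnu17` is applied to the real component build; the comment should state whether that is intended.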
@@ -1154,50 +1203,72 @@ if( EXISTS "${WOLFSSL_PROJECT_DIR}" AND EXISTS "$ENV{IDF_PATH}/components/wolfss endif() # end multiple component check - +message(STATUS "Checking for github with git_cmd='${git_cmd}' ...") execute_process( COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree" OUTPUT_VARIABLE IS_GIT_REPO OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET ) +message(STATUS "Checking for github result IS_GIT_REPO='${IS_GIT_REPO}'") # create some programmatic #define values that will be used by ShowExtendedSystemInfo(). # see wolfcrypt\src\port\Espressif\esp32_utl.c +message(STATUS "Checking for macro definitions:") if(NOT CMAKE_BUILD_EARLY_EXPANSION AND WOLFSSL_ROOT AND (IS_GIT_REPO STREQUAL "true")) set (git_cmd "git") message(STATUS "Adding macro definitions:") + # LIBWOLFSSL_VERSION_GIT_TAG: git config describe --tags --abbrev=0 + execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "describe" "--tags" "--abbrev=0" + OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") + LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_TAG "${TMP_OUT}" "${TMP_RES}") + # LIBWOLFSSL_VERSION_GIT_ORIGIN: git config --get remote.origin.url execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "config" "--get" "remote.origin.url" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_ORIGIN "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_BRANCH: git rev-parse --abbrev-ref HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--abbrev-ref" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_BRANCH "${TMP_OUT}" "${TMP_RES}") # 
LIBWOLFSSL_VERSION_GIT_HASH: git rev-parse HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_SHORT_HASH: git rev-parse --short HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--short" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_SHORT_HASH "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_HASH_DATE git show --no-patch --no-notes --pretty=\'\%cd\' execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "show" "--no-patch" "--no-notes" "--pretty=\'\%cd\'" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH_DATE "${TMP_OUT}" "${TMP_RES}") - LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT "${WOLFSSL_ROOT}" "${TMP_RES}") - +else() + message(STATUS "CMAKE_BUILD_EARLY_EXPANSION=${CMAKE_BUILD_EARLY_EXPANSION}; WOLFSSL_ROOT=${WOLFSSL_ROOT}; IS_GIT_REPO=${IS_GIT_REPO};") endif() +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT "${WOLFSSL_ROOT}" "0") +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_IDF_PATH "${THIS_IDF_PATH}" "0") + # Ensure flag "-DWOLFSSL_ESPIDF" is already in CMAKE_C_FLAGS if not yet found from project string(FIND "${CMAKE_C_FLAGS}" "-DWOLFSSL_ESPIDF" FLAG_ALRREADY_FOUND_WOLFSSL_ESPIDF) 
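Review bot: `set (git_cmd "git")` inside the `if(NOT CMAKE_BUILD_EARLY_EXPANSION ...)` block duplicates the top-level `set(git_cmd "git")` this commit adds earlier in the file and can go. The pair of `string(REPLACE ...)` lines is now repeated after each of six `execute_process` calls, and `LIBWOLFSSL_SAVE_INFO` already strips `\r`/`\n` in this commit, so the per-call copies add nothing. `LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_IDF_PATH "${THIS_IDF_PATH}" "0")` uses `THIS_IDF_PATH`, which is not set in this hunk; if it is unset the macro is defined as an empty string rather than `Unknown`. These macros embed absolute host paths and the remote URL into the firmware image as strings, which is useful for diagnostics but deserves a comment so release builds can opt out.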
@@ -1246,6 +1317,26 @@ file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n" "#endif\n" ) +# Memory peek helper +set(LINKER_REGION_PEEK "${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld") +if( CMAKE_BUILD_EARLY_EXPANSION AND EXISTS "${LINKER_REGION_PEEK}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK") + + message(STATUS "Found linker region peek helper file: ${LINKER_REGION_PEEK}") + if (COMMAND target_linker_scripts) + message(STATUS "target_linker_scripts(${COMPONENT_LIB} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld)") + target_linker_scripts(${COMPONENT_LIB} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld) + else() + # Fallback if target_linker_scripts isn't available + message(STATUS "target_linker_scripts not available, using target_link_options") + target_link_options(${COMPONENT_LIB} INTERFACE -T${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld) + set_property(TARGET ${COMPONENT_LIB} APPEND PROPERTY LINK_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld) + endif() +else() + message(STATUS "Found linker region peek helper NOT FOUND: ${LINKER_REGION_PEEK}") +endif() + message(STATUS "************************************************************************************************") message(STATUS "wolfSSL component config complete!") message(STATUS "************************************************************************************************") diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig index 22e4a0767d..e8524a8092 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kconfig 
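Review bot: `set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK")` appears twice in a row; the second was presumably meant to be `CMAKE_CXX_FLAGS`, matching the C/CXX flag pairs elsewhere in this file. Because the block is gated on `CMAKE_BUILD_EARLY_EXPANSION AND EXISTS`, the `else()` message `Found linker region peek helper NOT FOUND` also fires on the normal pass when the file does exist, which is misleading; split the two conditions or reword. Calling `target_linker_scripts`/`target_link_options` on `${COMPONENT_LIB}` during early expansion looks suspect, since the component target is normally not yet registered at that point — worth confirming against the ESP-IDF build-system docs.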
@@ -19,8 +19,11 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA # -# Kconfig File Version 5.7.2.001 for esp-idf integration +# Kconfig File Version 5.8.2.001 for esp-idf integration +# See the VSCode extension: nRF Kconfig by Nordic Semiconductor: +# https://marketplace.visualstudio.com/items?itemName=nordic-semiconductor.nrf-kconfig +# # Kconfig Format Rules # # See: @@ -48,106 +51,242 @@ # python -m kconfcheck # # --------------------------------------------------------------------------------------------------------------------- +# See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL +# --------------------------------------------------------------------------------------------------------------------- +# +# Note linking to ESP-IDF component: +# +# 
From: esp-idf\[version]\components\esp-tls\Kconfig +# +# menu "ESP-TLS" +# choice ESP_TLS_LIBRARY_CHOOSE +# bool "wolfSSL (License info in wolfSSL directory README)" +# select TLS_STACK_WOLFSSL +# +# Selecting TLS_STACK_WOLFSSL in ESP-TLS will be linked to this Kconfig via the +# invisible local keyword by the same name in this Kconfig, below. +# +# See setting here, just above this item: menu "wolfSSL ESP-TLS" +# +# --------------------------------------------------------------------------------------------------------------------- # Begin main wolfSSL configuration menu # --------------------------------------------------------------------------------------------------------------------- # See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL -menu "wolfSSL" +menu "wolfSSL Embedded Cryptography, SSL/TLS; FIPS 140-3" + # Warning: help token not supported here << + config ESP_WOLFSSL_WOLFCRYPT_ONLY + bool "Use wolfcrypt only" + default n + help + Enable this option to use cryptographic libraries but disable things like TLS communication. Normally not set. Enables WOLFCRYPT_ONLY + # ----------------------------------------------------------------------------------------------------------------- - menu "Hardening" - config ESP_WOLFSSL_WC_NO_HARDEN - bool "Disable wolfSSL hardening" - default n + menu "wolfSSL Algorithm Settings" + config ESP_WOLFSSL_USE_ECC + bool "Enable ECC (Elliptic Curve Cryptography) in wolfSSL" + default y help - Sets WC_NO_HARDEN + Enables ECC algorithm - config ESP_WOLFSSL_TFM_TIMING_RESISTANT - bool "Enable TFM Timing Resistant Code" - default n + config ESP_WOLFSSL_USE_RSA + bool "Enable RSA (Rivest-Shamir-Adlemanl) in wolfSSL" + default y help - Sets TFM_TIMING_RESISTANT. 
+ Enables RSA algorithm - endmenu # Hardening + config ESP_WOLFSSL_USE_SM + bool "Enable SM (Shang Mi) in wolfSSL" + default n + help + Enabled SM Cipher Suite: Macros WOLFSSL_SM2, WOLFSSL_SM3, WOLFSSL_SM4 - config ESP_WOLFSSL_ENABLE_BENCHMARK - bool "Enable wolfSSL Benchmark Library" - default n - help - Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK. + config ESP_WOLFSSL_DISABLE_ECC + bool "Disable ECC in wolfSSL" + default n + help + Enabled by default, ECC is required if you want ECDHE key exchange (and/or ECDSA). + Select this option to disable ECC. + config ESP_WOLFSSL_DISABLE_DH + bool "Disable DH in wolfSSL" + default n + help + Enabled by default, DH is required if you want DHE/FFDHE groups. + Select this option to disable DH. - menu "Benchmark Debug" - config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING - bool "Enable benchmark timing debug" - depends on ESP_WOLFSSL_ENABLE_BENCHMARK + config ESP_WOLFSSL_SHA224 + bool "Enable SHA-224" default n help - Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc). + Enables SHA224 algorithm by defining macro: WOLFSSL_SHA224 - config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG - bool "Enable benchmark timer debug" - depends on ESP_WOLFSSL_ENABLE_BENCHMARK + config ESP_WOLFSSL_SHA384 + bool "Enable SHA-384" default n help - Turn on timer debugging (used when CPU cycles not available) + Enables SHA384 algorithm by defining macro: WOLFSSL_SHA384 - endmenu # Benchmark Debug + choice + prompt "Select math library to use" - # ----------------------------------------------------------------------------------------------------------------- - # wolfCrypt Test - # ----------------------------------------------------------------------------------------------------------------- - config ESP_WOLFSSL_ENABLE_TEST - bool "Enable wolfCrypt Test Library" - default n - help - Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST. 
+ config ESP_WOLFSSL_USE_FAST_MATH + bool "Use Fast Math (default)" + + config ESP_WOLFSSL_SP_MATH + bool "Use SP Math" + + config ESP_WOLFSSL_SP_MATH_ALL + bool "Use SP Math All" - menu "wolfCrypt tests" - config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS - bool "Enable wolfCrypt Test Options" - depends on ESP_WOLFSSL_ENABLE_TEST + config ESP_WOLFSSL_USE_INTEGER_HEAP_MATH + bool "Use Integer Heap Math" + + config ESP_WOLFSSL_SP_RISCV32 + bool "Use SP Match for RISC-V Devices" + endchoice + + menu "Hardening" + config ESP_WOLFSSL_WC_NO_HARDEN + bool "Disable wolfSSL hardening" + default n + help + Sets WC_NO_HARDEN + + config ESP_WOLFSSL_TFM_TIMING_RESISTANT + bool "Enable TFM Timing Resistant Code" + default n + help + Sets TFM_TIMING_RESISTANT. + + endmenu # Hardening + endmenu # wolfSSL Algorithm Settings + + menu "wolfSSL Application Specific Tuning" + config ESP_WOLFSSL_MULTI_THREAD + bool "Set wolfSSL SINGLE_THREAD mode" default n help - Enables HAVE_WOLFCRYPT_TEST_OPTIONS + Enable to use semaphores for multi-task applications. Requires a small about of additional long term RAM. + When not selected, defines wolfSSL SINGLE_THREADED macro. The ESP32 ESP-IDF uses FreeRTOS regardless of this setting. - config TEST_ESPIDF_ALL_WOLFSSL - bool "Enable all features to use in tests" - depends on ESP_WOLFSSL_ENABLE_TEST + config ESP_WOLFSSL_STATIC_MEMORY + bool "Set wolfSSL Static Memory mode" default n help - Enables TEST_ESPIDF_ALL_WOLFSSL - - endmenu # wolfCrypt tests + Enable to use experimental static memory, no malloc. May be problematic on devices with low RAM. + When disabled, sets WOLFSSL_SMALL_STACK. The DEBUG_WOLFSSL_MALLOC is also enabled by default to + show malloc failures which may occur on low RAM devices. 
- # ----------------------------------------------------------------------------------------------------------------- - # Apple HomeKit Options - # ----------------------------------------------------------------------------------------------------------------- - menu "Apple HomeKit" - config WOLFSSL_APPLE_HOMEKIT - bool "Enable Apple HomeKit options" + config ESP_WOLFSSL_RSA_LOW_MEM + bool "RSA Low Memory Mode" default n help - Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit. - endmenu # Apple HomeKit - # ----------------------------------------------------------------------------------------------------------------- + When enabled, use have as much memory, but RSA is twice as slow. - config ESP_WOLFSSL_DISABLE_MY_ECC - bool "Disable ECC in my project" - default "n" - help - ECC is enabled by default. Select this option to disable. + # ----------------------------------------------------------------------------------------------------------------- + # Apple HomeKit Options + # ----------------------------------------------------------------------------------------------------------------- + menu "Apple HomeKit" + config WOLFSSL_APPLE_HOMEKIT + bool "Enable Apple HomeKit options" + default n + help + Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit. + endmenu # Apple HomeKit + + # ----------------------------------------------------------------------------------------------------------------- + # wolfCrypt Benchmark + # ----------------------------------------------------------------------------------------------------------------- + menu "wolfCrypt Benchmark" + config ESP_WOLFSSL_ENABLE_BENCHMARK + bool "Enable wolfSSL Benchmark Library" + default n + help + Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK. 
- config ESP_WOLFSSL_ENABLE_MY_USE_RSA - bool "Enable RSA in my project" - default "n" - help - RSA is disabled by default. Select this option to enable. + config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING + bool "Enable benchmark timing debug" + depends on ESP_WOLFSSL_ENABLE_BENCHMARK + default n + help + Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc). + + config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG + bool "Enable benchmark timer debug" + depends on ESP_WOLFSSL_ENABLE_BENCHMARK + default n + help + Turn on timer debugging (used when CPU cycles not available) + endmenu # wolfCrypt Benchmark + + # ----------------------------------------------------------------------------------------------------------------- + # wolfCrypt Test + # ----------------------------------------------------------------------------------------------------------------- + menu "wolfCrypt Test" + config ESP_WOLFSSL_ENABLE_TEST + bool "Enable wolfCrypt Test Library" + default n + help + Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST. + + config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS + bool "Enable wolfCrypt Test Options" + depends on ESP_WOLFSSL_ENABLE_TEST + default n + help + Enables HAVE_WOLFCRYPT_TEST_OPTIONS + + config TEST_ESPIDF_ALL_WOLFSSL + bool "Enable all features to use in tests" + depends on ESP_WOLFSSL_ENABLE_TEST + default n + help + Enables TEST_ESPIDF_ALL_WOLFSSL + endmenu # wolfCrypt tests + + # ----------------------------------------------------------------------------------------------------------------- + # TLS Client/Server + # ----------------------------------------------------------------------------------------------------------------- + menu "TLS Client/Server" + choice WOLFSSL_USE_TLS_CERT_EXAMPLE + prompt "Use example certificates (see user_settings.h)" + default WOLFSSL_USE_CERT_BUFFERS_2048 + help + Select which bundled example certificate set to compile in. 
+ + config WOLFSSL_USE_CERT_BUFFERS_2048 + bool "Use 2048 bit RSA cert buffers example (default)" + help + Uses example cert buffers ca_cert_der_2048, client_cert_der_2048 etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_1024 + bool "Use 1024 bit RSA cert buffers" + help + Uses example cert buffers ca_cert_der_1024, client_cert_der_1024, etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_256 + bool "Use 256 bit ECC cert buffers" + help + Uses example cert buffers ca_ecc_cert_der_256, cliecc_cert_der_256, etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_SM + bool "Use SM (Shang Mi) cert buffers" + help + Use the SM (Shang Mi) Cipher Examples + Include header: wolfssl/certs_test_sm.h + + config WOLFSSL_USE_CERT_BUFFERS_NONE + bool "Do not use the default wolfSSL certificate examples" + help + Define your own macro values for the examples. + endchoice + endmenu # TLS Client/Server + endmenu # Application Specific - config ESP_WOLFSSL_BENCHMARK - bool "Enable wolfSSL Benchmark" - default n - help - Enables user settings relevant to benchmark code config ESP_TLS_USING_WOLFSSL_SPECIFIED bool "Use the specified wolfssl for ESP-TLS" @@ -170,7 +309,7 @@ menu "wolfSSL" disabling TFM fast math provides faster wolfSSL software algorithms in an even smaller flash memory footprint. - menu "Protocol Config" + menu "wolfSSL Protocol Config" config WOLFSSL_HAVE_ALPN bool "Enable ALPN (Application Layer Protocol Negotiation) in wolfSSL" default y 
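Review bot: `ESP_WOLFSSL_USE_ECC` (default y) and `ESP_WOLFSSL_DISABLE_ECC` (default n) control the same feature from opposite directions, so both can be set at once and neither help text says which wins; `ESP_WOLFSSL_DISABLE_DH` has the same shape with no matching enable. The prompt for `ESP_WOLFSSL_MULTI_THREAD` reads `Set wolfSSL SINGLE_THREAD mode` while its help says enabling it turns on semaphores for multi-task use, so the prompt is inverted relative to the symbol. In the Hardening submenu `ESP_WOLFSSL_TFM_TIMING_RESISTANT` defaults to n; if user_settings.h still defines the timing-resistant and blinding macros unless WC_NO_HARDEN is set, the help should say so, otherwise a reader of this menu will assume timing resistance is opt-in. Typos: `Adlemanl`, `Use SP Match`, and `use have as much memory` (half).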
@@ -182,9 +321,16 @@ menu "wolfSSL" Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2. When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted. + config WOLFSSL_LOW_MEMORY_DISABLE_TLS13 + bool "Disable TLS 1.3 on known low-memory devices" + default n + help + Overrides other settings allowing TLS 1.3. Typically used for ESP8266 and ESP32C2 + devices with known memory limitations. + config WOLFSSL_ALLOW_TLS12 bool "Allow TLS 1.2" - default n + default y help Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2. When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted. 
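Review bot: The default for `WOLFSSL_ALLOW_TLS12` flips from `n` to `y`, which re-enables TLS 1.2 fallback on every build that does not override it, yet the help text still reads as if fallback were opt-in; it should state that fallback is now on by default and that a TLS 1.3-only build must clear this option. `WOLFSSL_LOW_MEMORY_DISABLE_TLS13` carries no `depends on`, so a configuration with it set and `WOLFSSL_ALLOW_TLS12` cleared leaves no protocol version enabled, which Kconfig cannot catch; consider `depends on WOLFSSL_ALLOW_TLS12` or a sentence in its help saying TLS 1.2 must then remain enabled. The help line `Overrides other settings allowing TLS 1.3.` could name the setting it overrides, `Overrides WOLFSSL_ALLOW_TLS13 on known low-memory devices (ESP8266, ESP32-C2).`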
@@ -209,13 +355,63 @@ menu "wolfSSL" help Sets HAVE_OCSP + choice + prompt "Select session cache size" + default ESP_WOLFSSL_NO_SESSION_CACHE + + config ESP_WOLFSSL_NO_SESSION_CACHE + bool "No session cache is used" + help + No memory is reserved for session cache. + + config ESP_WOLFSSL_MICRO_SESSION_CACHE + bool "Micro Session Cache" + help + Uses less than 1K. Stored only 1 session for cache. + SessionCache takes about 400 bytes, ClientCache takes 576 bytes. + + config ESP_WOLFSSL_SMALL_SESSION_CACHE + bool "Small Session Cache" + help + Allows storing 6 sessions. + SessionCache takes about 2K, ClientCache takes about 3K bytes. + + config ESP_WOLFSSL_MEDIUM_SESSION_CACHE + bool "Medium Session Cache" + help + Allows for over 1,000 sessions. Consider using external memory. + + config ESP_WOLFSSL_BIG_SESSION_CACHE + bool "Big Session Cache" + help + Allows for over 20,000 sessions. Unrealistic for most ESP32 devices. + + config ESP_WOLFSSL_TITAN_SESSION_CACHE + bool "Tital Session Cache" + help + Allows for over 2 million sessions. Unrealistic for most ESP32 devices. + endchoice + + config ESP_WOLFSSL_TCP_REUSE + int "TCP Reuse" + default 0 + help + Set to 1 to allow socket reuse. + endmenu # Protocol Config # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- config TLS_STACK_WOLFSSL # Invisible option that locks TLS_STACK_WOLFSSL to ESP_TLS_USING_WOLFSSL - bool + # + # See setting in: esp-idf\[version]\components\esp-tls\Kconfig: + # + # config ESP_TLS_USING_WOLFSSL + # bool "wolfSSL (License info in wolfSSL directory README)" + # select TLS_STACK_WOLFSSL + # + bool # No prompt, invisible here. Set in ESP-TLS component default n select FREERTOS_ENABLE_BACKWARD_COMPATIBILITY help 
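Review bot: `ESP_WOLFSSL_TCP_REUSE` is declared `int` while its help only describes the values 0 and 1; either declare it `bool` or add `range 0 1` so sdkconfig cannot carry an out-of-range value into user_settings.h. The prompt of `ESP_WOLFSSL_TITAN_SESSION_CACHE` reads `"Tital Session Cache"` and should be `"Titan Session Cache"`. The micro-cache help `Stored only 1 session for cache.` reads better as `Stores only 1 session.`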
@@ -223,6 +419,7 @@ menu "wolfSSL" Enabled when wolfSSL is selected in ESP_TLS_LIBRARY_CHOOSE. menu "wolfSSL ESP-TLS" + # Enabled only when Component config - ESP-TLS - Choose SSL/TLS Library for ESP-TLS has wolfSSL selected: depends on ESP_TLS_USING_WOLFSSL menu "Certificate Bundle" @@ -255,8 +452,8 @@ menu "wolfSSL" depends on ESP_TLS_USING_WOLFSSL help Although not recommended, there may be certificates in the bundle that are missing - a serial number. This option allows the missing value without having to fully - disable strict ASN checking with WOLFSSL_NO_ASN_STRICT. + a serial number. This option allows the missing value (a zero) without having to fully + disable strict ASN checking with WOLFSSL_NO_ASN_STRICT. Note this is disallowed by RFC 5280 choice WOLFSSL_DEFAULT_CERTIFICATE_BUNDLE bool "Default certificate bundle options" @@ -323,6 +520,19 @@ menu "wolfSSL" default 200 depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + config ESP_WOLFSSL_DEBUG_CERT_BUNDLE + bool "Enable certificate bundle debug" + depends on WOLFSSL_CERTIFICATE_BUNDLE + default n + help + View debug messages for cert bundle processing. + + config ESP_WOLFSSL_OPENSSL_EXTRA + bool "Enable wolfSSL OpenSSL Extra support" + default n + help + Enable OpenSSL support: old SHA functions only available with OpenSSLL (not recommended) + endmenu endmenu # wolfSSL ESP-TLS # ----------------------------------------------------------------------------------------------------------------- @@ -429,7 +639,7 @@ menu "wolfSSL" bool "Enable ML-KEM (Kyber Post Quantum)" default n help - bool "Enable wolfSSL ML-KEM" + Enable wolfSSL ML-KEM config WOLFSSL_ENABLE_KYBER bool "Enable Kyber (Round 3)" 
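Review bot: The added sentence `Note this is disallowed by RFC 5280` has no terminating period and does not say what accepting a zero serial means for the reader deciding whether to enable the option, namely that it relaxes certificate validation for the bundle. Suggested wording: `A zero serial number is disallowed by RFC 5280; enabling this accepts such bundle certificates anyway.`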
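Review bot: `ESP_WOLFSSL_OPENSSL_EXTRA` is added inside the "Certificate Bundle" submenu of "wolfSSL ESP-TLS", which `depends on ESP_TLS_USING_WOLFSSL`, so the OpenSSL-compatibility switch is only reachable when ESP-TLS uses wolfSSL, although nothing in the option itself ties it to ESP-TLS; placing it with the other general options (for example in the "wolfSSL Protocol Config" menu) would match how the rest of this Kconfig is organised. The help text has a typo, `OpenSSLL`; suggested line: `Enable the OpenSSL compatibility API; the old SHA functions are only available with it (not recommended).`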
@@ -442,11 +652,23 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- menu "wolfSSL Debug Options" + config ESP_WOLFSSL_DEBUG_CERTS + bool "Enable wolfSSL Certificate Debugging" + default n + help + Enable debugging messages for wolfSSL certificate processing. See user_settings.h for additional debug options. + config ESP_WOLFSSL_DEBUG_WOLFSSL bool "Enable wolfSSL Debugging" default n help - Enable debugging messages for wolfSSL. See user_settings.h for additional debug options. + Enable debugging messages for wolfSSL. Includes wolfSSL Certificate Debugging (WOLFSSL_DEBUG_CERTS) See user_settings.h for additional debug options. + + config WOLFSSL_EXAMPLE_VERBOSITY + bool "Enable example verbosity" + default n + help + This is only intended to be used with examples. Excessive verbosity may have undesired effects on timing-critical code. config ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING bool "Suppress build-time warnings for main stack size" @@ -454,6 +676,12 @@ menu "wolfSSL" help Useful only when wolfSSL is running in main task. See FreeRTOS stack size for custom tasks. + config ESP_NO_DEFAULT_TASK_MONITOR + bool "Disable automatic enable of task monitoring." + default n + help + Unless disabled, ESP_MONITOR_HW_TASK_LOCK is automatically enabled in esp32-crypt.h + config ESP_WOLFSSL_TEST_LOOP bool "Run test apps in a loop until failure" default y 
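Review bot: The reworded help for `ESP_WOLFSSL_DEBUG_WOLFSSL` states it `Includes wolfSSL Certificate Debugging (WOLFSSL_DEBUG_CERTS)`, but the user_settings.h change in this same commit defines `DEBUG_WOLFSSL` and `WOLFSSL_DEBUG_CERTS` from two independent Kconfig symbols, so any inclusion would have to come from wolfSSL internals rather than from this configuration; either add `select ESP_WOLFSSL_DEBUG_CERTS` here or drop the claim. The same sentence is also missing a period before `See user_settings.h`.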
@@ -465,6 +693,26 @@ menu "wolfSSL" default n help Enables experimental settings for wolfSSL. See documentation. + + config ESP_LATEST_MITIGATIONS + bool "Enable mitigation for latest ESP-IDF" + default y + help + Address any issues in latest (unreleased) ESP-IDF. Currently v6. + Known problems include SHA HW acceleration on RISC-V devices failing. + Enable this option to disable SHA HW on only ESP32-C2, C3, C6. + Only implemented in user_settings.h + + config WOLFSSL_USE_MY_PRIVATE_CONFIG + bool "Use a private include file for config" + default n + help + Sets WOLFSSL_USE_MY_PRIVATE_CONFIG for platform-specific default + config file outside of GitHub repository. + Handy for things like WiFi SSID and Passwords that are typically + not saved on GitHub. + Can also set CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG environment variable to 1 + endmenu # wolfSSL Debug Options # ----------------------------------------------------------------------------------------------------------------- @@ -482,7 +730,7 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- - menu "Component Config" + menu "wolfSSL Component Config" config IGNORE_ESP_IDF_WOLFSSL_COMPONENT bool "Ignore the ESP-IDF component of wolfSSL (if present)" default n @@ -500,7 +748,7 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- - menu "Utility Config" + menu "wolfSSL Utility Config" config USE_WOLFSSL_ESP_SDK_TIME bool "Enable wolfSSL time helper functions" default n 
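Review bot: `ESP_LATEST_MITIGATIONS` and `WOLFSSL_USE_MY_PRIVATE_CONFIG` are added under the "wolfSSL Debug Options" menu although neither is a debug setting; both would sit more naturally under the "wolfSSL Component Config" menu renamed later in this commit. The help for `WOLFSSL_USE_MY_PRIVATE_CONFIG` presents it as a place for WiFi SSIDs and passwords that are not saved on GitHub, which a reader may take as keeping them secret; it should say that this only keeps them out of version control, since whatever the private header defines is still compiled into the firmware image. Suggested help addition: `Values from the private config are still compiled into the firmware image; this only keeps them out of version control.`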
@@ -523,12 +771,14 @@ menu "wolfSSH" config ESP_ENABLE_WOLFSSH bool "Enable wolfSSH options" default n + # See wolfssl settings.h help Enables WOLFSSH_TERM, WOLFSSL_KEY_GEN, WOLFSSL_PTHREADS, WOLFSSH_TEST_SERVER, WOLFSSH_TEST_THREADING config ESP_WOLFSSL_DEBUG_WOLFSSH bool "Enable wolfSSH debugging" default n + # See wolfssl settings.h help Enable wolfSSH debugging macro. See user_settings.h diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h index 9c14dc9dfc..cd232962ba 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h @@ -18,8 +18,28 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ + #define WOLFSSL_ESPIDF_COMPONENT_VERSION 0x01 +/* This user_settings.h is for Espressif ESP-IDF + * + * Standardized wolfSSL Espressif ESP32 + ESP8266 user_settings.h V5.8.2-1 + * + * Do not include any wolfssl headers here. + * + * Note to maintainers: + * + * When editing this file ensure all examples match. + * The template example is the reference. + * Consider Kconfig. Managed Components do not allow editing of user_settings.h + */ +#undef WOLFSSL_ESPIDF +#define WOLFSSL_ESPIDF + +#define NO_FILESYSTEM +#define NO_OLD_TLS +#define WOLFSSL_ASN_TEMPLATE + /* Examples such as test and benchmark are known to cause watchdog timeouts. * Note this is often set in project Makefile: * CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 */ 
@@ -28,15 +48,17 @@ /* The Espressif project config file. See also sdkconfig.defaults */ #include "sdkconfig.h" -/* This user_settings.h is for Espressif ESP-IDF - * - * Standardized wolfSSL Espressif ESP32 + ESP8266 user_settings.h V5.8.2-1 certs - * - * Do not include any wolfssl headers here. - * - * When editing this file: - * ensure all examples match. The template example is the reference. - */ +/* Some mitigations are ESP-IDF version-specific. */ +#include "esp_idf_version.h" + +/* Optional mitigations for latest (unreleased) ESP-IDF v6 */ +#if defined(CONFIG_ESP_LATEST_MITIGATIONS) && CONFIG_ESP_LATEST_MITIGATIONS + #if defined(ESP_IDF_VERSION_MAJOR) && (ESP_IDF_VERSION_MAJOR >= 6) + /* There's a known issue with SHA HW accerlator on RISC-V chips in V6 + * Fixed in https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_RISCV_SHA_HW_MITIGATION 1 + #endif +#endif /* Naming convention: (see also esp32-crypt.h for the reference source). * 
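Review bot: `esp_idf_version.h` is now included unconditionally, while a later hunk in this same file adds a `POSIX_LINUX` simulator branch to the target detection; if that simulator build does not provide the ESP-IDF headers, the include fails before any target check runs (the existing unconditional `sdkconfig.h` include suggests it may already be provided, so this is hedged). Wrapping the include and the mitigation block in `#if !defined(POSIX_LINUX)` would keep the two consistent. Typo in the new comment: `accerlator` should be `accelerator`.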
@@ -81,17 +103,48 @@ ** CONFIG_IDF_TARGET_ESP32C6 */ -#undef WOLFSSL_ESPIDF -#define WOLFSSL_ESPIDF - /* Test various user_settings between applications by selecting example apps * in `idf.py menuconfig` for Example wolfSSL Configuration settings: */ /* Turn on messages that are useful to see only in examples. */ -#define WOLFSSL_EXAMPLE_VERBOSITY +#if defined(CONFIG_WOLFSSL_EXAMPLE_VERBOSITY) && \ + CONFIG_WOLFSSL_EXAMPLE_VERBOSITY + #undef WOLFSSL_EXAMPLE_VERBOSITY + #define WOLFSSL_EXAMPLE_VERBOSITY +#endif + +#if defined(CONFIG_WOLFSSL_ALT_CERT_CHAINS) && \ + CONFIG_WOLFSSL_ALT_CERT_CHAINS + #undef WOLFSSL_ALT_CERT_CHAINS + #define WOLFSSL_ALT_CERT_CHAINS +#endif + +#if defined(CONFIG_ESP_WOLFSSL_DEBUG_WOLFSSL) && \ + CONFIG_ESP_WOLFSSL_DEBUG_WOLFSSL + #define DEBUG_WOLFSSL +#endif + +#if defined(CONFIG_ESP_WOLFSSL_DEBUG_CERTS) && \ + CONFIG_ESP_WOLFSSL_DEBUG_CERTS + #define WOLFSSL_DEBUG_CERTS +#endif + +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP8266) + /* WOLFSSL_LOW_MEMORY detected at runtime for low memory warning */ + #define WOLFSSL_LOW_MEMORY +#endif /* Paths can be long, ensure the entire value printed during debug */ -#define WOLFSSL_MAX_ERROR_SZ 500 +#ifdef WOLFSSL_LOW_MEMORY + /* If too small, the error_test() will fail. */ + #define WOLFSSL_MAX_ERROR_SZ 65 + #define WOLFSSL_MSG_EX_BUF_SZ 65 +#else + #define WOLFSSL_MAX_ERROR_SZ 500 + #define WOLFSSL_MSG_EX_BUF_SZ 500 +#endif /* wolfSSL Examples: set macros used in example applications. * 
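Review bot: The comment `WOLFSSL_LOW_MEMORY detected at runtime for low memory warning` sits on a compile-time target check; the macro is defined here during preprocessing and, per the comment, consumed by a runtime warning, so `/* Define WOLFSSL_LOW_MEMORY on known low-memory targets; consumed by the runtime low-memory warning */` says what actually happens. Once this macro exists, the target lists repeated later in this file (the `HAVE_FFDHE_4096` guard that gains `CONFIG_IDF_TARGET_ESP8266` in hunk `@@ -416`) could test `WOLFSSL_LOW_MEMORY` instead of re-enumerating C2/8684/8266, so the lists cannot drift. The `DEBUG_WOLFSSL` and `WOLFSSL_DEBUG_CERTS` blocks also omit the `#undef` the two blocks above them use; harmless for empty macros, but inconsistent.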
@@ -116,12 +169,28 @@ /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */ /* #define USE_WOLFSSL_ESP_SDK_WIFI */ #define WOLFSSL_BENCHMARK_FIXED_UNITS_KB + #define BENCH_EMBEDDED #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT) /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_client */ - #define USE_WOLFSSL_ESP_SDK_WIFI + #if defined(CONFIG_IDF_TARGET_ESP32H2) + /* There's no WiFi on the ESP32 H2, use idf.menuconfig to enable */ + #else + /* This example will always use the wolfSSL WiFi helper */ + #define USE_WOLFSSL_ESP_SDK_WIFI + #endif + #define USE_WOLFSSL_ESP_SDK_TIME + #define NO_WOLFSSL_SERVER #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_SERVER) /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_server */ - #define USE_WOLFSSL_ESP_SDK_WIFI + #define NO_WOLFSSL_CLIENT + #if defined(CONFIG_IDF_TARGET_ESP32H2) + /* There's no WiFi on the ESP32 H2, use idf.menuconfig to enable */ + #else + /* This example will always use the wolfSSL WiFi helper */ + #define USE_WOLFSSL_ESP_SDK_WIFI + #endif + /* Even without WiFi, the wolfSSL helper has some static time settings */ + #define USE_WOLFSSL_ESP_SDK_TIME /* wolfSSH Examples */ #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE) @@ -214,6 +283,7 @@ /* See Kconfig / menuconfig ESP_WOLFSSL_ENABLE_MLKEM */ #ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM /* Kyber typically needs a minimum 10K stack */ + #define WOLFSSL_MLKEM_KYBER #define WOLFSSL_HAVE_MLKEM #define WOLFSSL_WC_MLKEM #define WOLFSSL_SHAKE128 @@ -250,6 +320,7 @@ #ifdef NO_AES #warning "Found NO_AES, wolfSSL AES Cannot be enabled. Check config." #else + #define HAVE_AESGCM #define WOLFSSL_AES #define WOLFSSL_AES_COUNTER 
@@ -356,24 +427,103 @@ #endif /* See below for chipset detection from sdkconfig.h */ -/* when you want to use SINGLE THREAD. Note Default ESP-IDF is FreeRTOS */ -#define SINGLE_THREADED +/* See Kconfig: Check if Multi Thread selected in idf.py menuconfig + * Single Thread avoids RAM-consuming semaphores. + * Note Default ESP-IDF is FreeRTOS rergardless of this setting */ +#if defined(CONFIG_ESP_WOLFSSL_MULTI_THREAD) && \ + CONFIG_ESP_WOLFSSL_MULTI_THREAD + /* Unless SINGLE_THREADED defined, wolfssl assumes multi-thread. */ + /* #undef SINGLE_THREADED */ +#else + #define SINGLE_THREADED +#endif /* Small session cache saves a lot of RAM for ClientCache and SessionCache. * Memory requirement is about 5KB, otherwise 20K is needed when not specified. * If extra small footprint is needed, try MICRO_SESSION_CACHE (< 1K) * When really desperate or no TLS used, try NO_SESSION_CACHE. */ -#define NO_SESSION_CACHE +#if defined(CONFIG_ESP_WOLFSSL_TITAN_SESSION_CACHE) + /* Consider RAM requirements. Unrealistic for most ESP32 devices */ + #define TITAN_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_BIG_SESSION_CACHE) + /* Consider RAM requirements. Unrealistic for most ESP32 devices */ + #define BIG_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_MEDIUM_SESSION_CACHE) + /* Consider RAM requirements. 
*/ + #define MEDIUM_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_SMALL_SESSION_CACHE) + #define SMALL_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_MICRO_SESSION_CACHE) + #define MICRO_SESSION_CACHE +#else + #define NO_SESSION_CACHE + #define WOLFSSL_NO_TICKET +#endif + +#ifndef NO_SESSION_CACHE + #define HAVE_SESSION_TICKET +#endif + +/* See Kconfig: Check if Static Memory selected in idf.py menuconfig */ +#if defined(CONFIG_ESP_WOLFSSL_STATIC_MEMORY) && \ + CONFIG_ESP_WOLFSSL_STATIC_MEMORY + #define WOLFSSL_STATIC_MEMORY +#endif + +#if defined(WOLFSSL_STATIC_MEMORY) + #define WOLFSSL_STATIC_MEMORY + #define WOLFSSL_STATIC_MEMORY_LEAN + #define WOLFSSL_NO_MALLOC + #ifdef WOLFSSL_SMALL_STACK + #error "Cannot use WOLFSSL_SMALL_STACK with WOLFSSL_NO_MALLOC" + #endif + #if 1 + /* trap malloc failure */ + #define WOLFSSL_MALLOC_CHECK + #endif + #define HAVE_MAX_FRAGMENT + #define HAVE_TLS_EXTENSIONS -/* Small Stack uses more heap. */ -#define WOLFSSL_SMALL_STACK + #define WOLFSSL_CUSTOM_CURVES + #define HAVE_ECC_KOBLITZ + #define HAVE_ECC256 + #define NO_ECC192 + #define NO_ECC224 + #define NO_ECC384 + #define NO_ECC521 -/* Full debugging turned off, but show malloc failure detail */ -/* #define DEBUG_WOLFSSL */ -#define DEBUG_WOLFSSL_MALLOC + #ifdef HAVE_ED25519 + #undef HAVE_ED25519 + #endif + #ifdef WOLFSSL_SHA512 + #undef WOLFSSL_SHA512 + #endif + + /* multiple of 16 & 32 */ + #define WOLFMEM_IO_SZ 2048 + + #if (1) + #define USE_FAST_MATH + #else + #define SP_MATH + #define FP_ECC + #endif +#else + /* Not using static memory */ + + /* Small Stack uses more heap. */ + #define WOLFSSL_SMALL_STACK + + /* Full debugging turned off, but show malloc failure detail */ + /* #define DEBUG_WOLFSSL */ + #define DEBUG_WOLFSSL_MALLOC +#endif /* RSA_LOW_MEM: Half as much memory but twice as slow. 
*/ -#define RSA_LOW_MEM +#if defined(CONFIG_ESP_WOLFSSL_RSA_LOW_MEM) && \ + CONFIG_ESP_WOLFSSL_RSA_LOW_MEM + #define RSA_LOW_MEM +#endif /* optionally turn off SHA512/224 SHA512/256 */ /* #define WOLFSSL_NOSHA512_224 */ @@ -386,16 +536,43 @@ /* #define NO_SHA */ /* #define NO_OLD_TLS */ -#define BENCH_EMBEDDED +/* Very low memory device notice: + * TLS 1.2 typically enabled + * TLS 1.3 typically disabled + * + * See runtime warning for limited-resource devices. + * + * Typical error codes at client, talking to low-memory server: + * -125 MEMORY_E out of memory error + * -308 SOCKET_ERROR_E error state on socket + * -313 FATAL_ERROR recvd alert fatal error + */ + +#if defined(CONFIG_WOLFSSL_ALLOW_TLS12) && CONFIG_WOLFSSL_ALLOW_TLS12 + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) + /* low-memory devices with TLS 1.2 enabled */ + #endif + + /* TLS 1.2 uses extensions by default */ + #define HAVE_TLS_EXTENSIONS + +#else + /* Unless explicitly enabled, only TLS 1.3 is configured */ + #define WOLFSSL_NO_TLS12 +#endif + /* TLS 1.3 */ -#ifdef CONFIG_WOLFSSL_ALLOW_TLS13 +#if (defined(CONFIG_WOLFSSL_ALLOW_TLS13) && CONFIG_WOLFSSL_ALLOW_TLS13) && \ + !defined(CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13) #define WOLFSSL_TLS13 #define HAVE_TLS_EXTENSIONS #define HAVE_HKDF - /* May be required */ + /* AEAD May be required */ #ifndef HAVE_AEAD + /* Syntax highlighting detection only */ #endif /* Required for ECC */ 
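Review bot: The static-memory branch `#undef`s `HAVE_ED25519` and `WOLFSSL_SHA512`, but later in this file (`#define WOLFSSL_SHA512` in the non-low-memory branch of hunk `@@ -427` and the `#define HAVE_ED25519` context in hunk `@@ -458`) both are defined again unconditionally, so the undefs appear to have no lasting effect unless those later blocks are guarded by something not visible here; gating them on `!defined(WOLFSSL_STATIC_MEMORY)` or moving the undefs after them would make the intent hold. `#define WOLFSSL_STATIC_MEMORY` inside `#if defined(WOLFSSL_STATIC_MEMORY)` is a no-op, and the `#if 1` / `#if (1)` toggles leave dead `#else` code; the `USE_FAST_MATH` chosen here may also disagree with the Kconfig-driven math selection in hunk `@@ -552`. Typo in the new comment: `rergardless`.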
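Review bot: When `CONFIG_WOLFSSL_ALLOW_TLS12` is off and TLS 1.3 is either off or suppressed by `CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13`, this block defines `WOLFSSL_NO_TLS12` and nothing else, leaving no TLS version enabled with no diagnostic; add after the TLS 1.3 block `#if defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_TLS13)` / `#warning "No TLS version enabled; check WOLFSSL_ALLOW_TLS12 / WOLFSSL_ALLOW_TLS13"` / `#endif`. The inner `#if defined(CONFIG_IDF_TARGET_ESP32C2) || defined(CONFIG_IDF_TARGET_ESP8684)` contains only a comment and compiles to nothing; drop it or give it content. The `#ifndef HAVE_AEAD` block marked `Syntax highlighting detection only` is likewise empty.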
@@ -416,8 +593,32 @@ #endif #endif +/* Settings common to both TLS 1.2 and TLS 1.3 */ +#if (defined(CONFIG_WOLFSSL_ALLOW_TLS12) && CONFIG_WOLFSSL_ALLOW_TLS12) || \ + (defined(CONFIG_WOLFSSL_ALLOW_TLS13) && CONFIG_WOLFSSL_ALLOW_TLS13) + + /* ECC can optionally be disabled, but is normally enabled */ + #if defined(ESP_WOLFSSL_DISABLE_ECC) && \ + ESP_WOLFSSL_DISABLE_ECC + #undef HAVE_ECC + #else + #define HAVE_ECC + #endif + + /* DH can optionally be disabled, but is normally enabled */ + #if defined(ESP_WOLFSSL_DISABLE_DH) && \ + ESP_WOLFSSL_DISABLE_DH + #undef HAVE_DH + #else + #define HAVE_DH + #endif + +#endif + + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ - defined(CONFIG_IDF_TARGET_ESP8684) + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP8266) /* Optionally set smaller size here */ #ifdef HAVE_FFDHE_4096 /* this size may be problematic on the C2 */ @@ -427,26 +628,25 @@ #define HAVE_FFDHE_4096 #endif -#define NO_FILESYSTEM - -#define NO_OLD_TLS - -#define HAVE_AESGCM - /* Optional RIPEMD: RACE Integrity Primitives Evaluation Message Digest */ /* #define WOLFSSL_RIPEMD */ /* when you want to use SHA224 */ -#define WOLFSSL_SHA224 +#if defined(CONFIG_ESP_WOLFSSL_SHA224) && \ + CONFIG_ESP_WOLFSSL_SHA224 + #define WOLFSSL_SHA224 +#endif /* when you want to use SHA384 */ -#define WOLFSSL_SHA384 +#if defined(CONFIG_ESP_WOLFSSL_SHA384) && \ + CONFIG_ESP_WOLFSSL_SHA384 + #define WOLFSSL_SHA384 +#endif /* Some features not enabled for ESP8266: */ #if defined(CONFIG_IDF_TARGET_ESP8266) || \ defined(CONFIG_IDF_TARGET_ESP32C2) /* Some known low-memory devices have features not enabled by default. */ - /* TODO determine low memory configuration for ECC. */ #else /* when you want to use SHA512 */ #define WOLFSSL_SHA512 
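Review bot: `ESP_WOLFSSL_DISABLE_ECC` and `ESP_WOLFSSL_DISABLE_DH` are tested without the `CONFIG_` prefix that every other Kconfig-derived symbol in this file carries, so if these come from Kconfig the conditions can never be true and `HAVE_ECC`/`HAVE_DH` are always defined (the symbols themselves are not visible in this diff, so this is hedged). The same missing prefix appears as `ESP_WOLFSSL_USE_FAST_MATH` in hunk `@@ -552`, where it silently defeats the Fast Math selection, and as `ESP_WOLFSSL_USE_SM` in hunk `@@ -623`. The `HAVE_FFDHE_4096` guard gains `CONFIG_IDF_TARGET_ESP8266`, duplicating the list used to define `WOLFSSL_LOW_MEMORY` earlier in this file; `#ifdef WOLFSSL_LOW_MEMORY` would keep them in step.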
@@ -458,23 +658,17 @@ #define HAVE_ED25519 #endif -#if defined(CONFIG_IDF_TARGET_ESP8266) || defined(CONFIG_IDF_TARGET_ESP32C2) - #define MY_USE_ECC 0 - #define MY_USE_RSA 1 -#else - #define MY_USE_ECC 1 - #define MY_USE_RSA 0 -#endif - -/* We can use either or both ECC and RSA, but must use at least one. */ -#if MY_USE_ECC || MY_USE_RSA - #if MY_USE_ECC +/* We can use either or both ECC and RSA, but must use at least one for TLS */ +#if (defined(CONFIG_ESP_WOLFSSL_USE_ECC) && CONFIG_ESP_WOLFSSL_USE_ECC) || \ + (defined(CONFIG_ESP_WOLFSSL_USE_RSA) && CONFIG_ESP_WOLFSSL_USE_RSA) + /* Some ECC checks */ + #if CONFIG_ESP_WOLFSSL_USE_ECC /* ---- ECDSA / ECC ---- */ #define HAVE_ECC + /* #define HAVE_CURVE25519 #define HAVE_ED25519 #define WOLFSSL_SHA512 - /* #define HAVE_ECC384 #define CURVE25519_SMALL */ @@ -485,17 +679,27 @@ #define WOLFSSH_NO_ECDSA #endif - #if MY_USE_RSA + #if CONFIG_ESP_WOLFSSL_USE_RSA /* ---- RSA ----- */ /* #define RSA_LOW_MEM */ /* DH disabled by default, needed if ECDSA/ECC also turned off */ #define HAVE_DH + #define HAVE_RSA #else + #undef HAVE_RSA + #define NO_RSA + /* Also disable RSA if wolfSSH used */ #define WOLFSSH_NO_RSA #endif #else - #error "Either RSA or ECC must be enabled" + #if defined(CONFIG_ESP_WOLFSSL_ENABLE_MLKEM) + /* See above for PQ-only config */ + #elif defined(WOLFCRYPT_ONLY) + /* Communications such as (D)TLS not compiled in */ + #else + #warning "PQ, RSA, and ECC are disabled. Consider WOLFCRYPT_ONLY" + #endif #endif /* Optional OpenSSL compatibility */ 
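Review bot: `#if CONFIG_ESP_WOLFSSL_USE_ECC` here and `#if CONFIG_ESP_WOLFSSL_USE_RSA` in hunk `@@ -485` use the symbols bare; when only one of the two is enabled the other is undefined and silently evaluates to 0 (and trips `-Wundef`), so `#if defined(CONFIG_ESP_WOLFSSL_USE_ECC) && CONFIG_ESP_WOLFSSL_USE_ECC` would match the outer condition. In hunk `@@ -485` the RSA branch adds `#define HAVE_RSA` and the `#else` branch `#undef HAVE_RSA` / `#define NO_RSA`; `NO_RSA` is the wolfSSL switch, and I am not aware of a consumer of `HAVE_RSA`, so either document what reads it or drop it. `#define HAVE_DH` in the RSA branch repeats the common-settings block in hunk `@@ -416`.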
@@ -552,21 +756,37 @@ #define HASH_SIZE_LIMIT /* USE_FAST_MATH is default */ -#define USE_FAST_MATH - -/***** Use SP_MATH *****/ -/* #undef USE_FAST_MATH */ -/* #define SP_MATH */ -/* #define WOLFSSL_SP_MATH_ALL */ -/* #define WOLFSSL_SP_RISCV32 */ +#if defined(CONFIG_ESP_WOLFSSL_USE_FAST_MATH) && \ + ESP_WOLFSSL_USE_FAST_MATH + /***** Use Fast Math *****/ + #define USE_FAST_MATH + #undef WOLFSSL_SP_MATH + #undef WOLFSSL_SP_MATH_ALL + #define USE_INTEGER_HEAP_MATH +#elif defined(CONFIG_ESP_WOLFSSL_SP_MATH) && \ + CONFIG_ESP_WOLFSSL_SP_MATH + /***** Use SP_MATH *****/ + #undef USE_FAST_MATH + #undef USE_INTEGER_HEAP_MATH + #define WOLFSSL_SP_MATH + #define WOLFSSL_SP_MATH_ALL +#elif defined(CONFIG_ESP_WOLFSSL_USE_INTEGER_HEAP_MATH) && \ + CONFIG_ESP_WOLFSSL_USE_INTEGER_HEAP_MATH + /***** Use Integer Heap Math *****/ + #undef USE_FAST_MATH + #undef WOLFSSL_SP_MATH + #undef WOLFSSL_SP_MATH_ALL + #define USE_INTEGER_HEAP_MATH +#else + #define USE_FAST_MATH +#endif /***** Use Integer Heap Math *****/ /* #undef USE_FAST_MATH */ /* #define USE_INTEGER_HEAP_MATH */ /* Just syntax highlighting to check math libraries: */ -#if defined(SP_MATH) || \ - defined(USE_INTEGER_HEAP_MATH) || \ +#if defined(WOLFSSL_SP_MATH) || \ defined(USE_INTEGER_HEAP_MATH) || \ defined(USE_FAST_MATH) || \ defined(WOLFSSL_SP_MATH_ALL) || \ @@ -577,10 +797,6 @@ #define HAVE_VERSION_EXTENDED_INFO /* #define HAVE_WC_INTROSPECTION */ -#ifndef NO_SESSION_CACHE - #define HAVE_SESSION_TICKET -#endif - /* #define HAVE_HASHDRBG */ #if 0 @@ -604,8 +820,6 @@ #endif -#define WOLFSSL_ASN_TEMPLATE - /* #undef WOLFSSL_KEY_GEN #undef WOLFSSL_CERT_REQ 
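Review bot: The Fast Math branch defines both `USE_FAST_MATH` and `USE_INTEGER_HEAP_MATH`, while the dedicated Integer Heap Math branch below treats the two as alternatives (`#undef USE_FAST_MATH` before defining `USE_INTEGER_HEAP_MATH`); if both are meant to coexist the comment should say so, otherwise remove the extra define. Because the first condition's second operand is written without its `CONFIG_` prefix, a Fast Math selection falls through to the final `#else`, which defines `USE_FAST_MATH` without the accompanying `#undef`s, so a stale `WOLFSSL_SP_MATH` from elsewhere would survive; the `#else` should perform the same undefs as the explicit branch.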
@@ -623,11 +837,13 @@ */ /* optional SM4 Ciphers. See https://github.com/wolfSSL/wolfsm */ -/* -#define WOLFSSL_SM2 -#define WOLFSSL_SM3 -#define WOLFSSL_SM4 -*/ + +#if defined(ESP_WOLFSSL_USE_SM) && \ + ESP_WOLFSSL_USE_SM + #define WOLFSSL_SM2 + #define WOLFSSL_SM3 + #define WOLFSSL_SM4 +#endif #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) /* SM settings, possible cipher suites: @@ -669,9 +885,16 @@ #undef HAVE_AESGCM #define HAVE_AESGCM -#endif + + /* ByteReverseWords is known to need alignment */ + #undef WOLFSSL_USE_ALIGN + #define WOLFSSL_USE_ALIGN +#endif /* SM or regular certs */ /* Chipset detection from sdkconfig.h + * See idf.py --list-targets + * or ESP-IDF ./components/esp_hw_support/include/esp_chip_info.h + * Set target example: idf.py set-target esp32s3 * Default is HW enabled unless turned off. * Uncomment lines to force SW instead of HW acceleration */ #if defined(CONFIG_IDF_TARGET_ESP32) || defined(WOLFSSL_ESPWROOM32SE) @@ -692,7 +915,7 @@ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 /* no SHA224 HW on ESP32 */ #undef ESP_RSA_MULM_BITS - #define ESP_RSA_MULM_BITS 16 /* TODO add compile-time warning */ + #define ESP_RSA_MULM_BITS 16 /***** END CONFIG_IDF_TARGET_ESP32 *****/ #elif defined(CONFIG_IDF_TARGET_ESP32S2) 
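Review bot: The SM cipher settings block that follows this `#if` (`#if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4)`, new line ~848) is evaluated before the certificate selection added in hunk `@@ -1016` (new line ~1333), where `CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM` defines `WOLFSSL_SM2/3/4`; when SM is enabled only through that Kconfig choice, the cipher-suite, `HAVE_AESGCM` and `WOLFSSL_USE_ALIGN` settings have already been skipped and the later `#warning "Define WOLFSSL_USE_ALIGN ..."` check fires. Either also test `CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM` in this `#if`, `#if (defined(ESP_WOLFSSL_USE_SM) && ESP_WOLFSSL_USE_SM) || defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM)`, or move the certificate selection above this block. That later hunk is cut off at the end of this diff chunk.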
@@ -736,8 +959,16 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */ /* These are defined automatically in esp32-crypt.h, here for clarity */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C2 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C2 */ + /* no SHA384 HW on C2 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C2 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif /* There's no AES or RSA/Math accelerator on the ESP32-C2 * Auto defined with NO_WOLFSSL_ESP32_CRYPT_RSA_PRI, for clarity: */ @@ -756,8 +987,16 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */ /* These are defined automatically in esp32-crypt.h, here for clarity: */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */ + /* no SHA384 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ 
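Review bot: The mitigation macro is spelled `WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE` in the ESP32-C2 block here and in the ESP32-C3 hunk `@@ -756`, but `WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE` in the ESP32-C6 hunk `@@ -766`, so anything that checks the macro sees it on C6 only; use the one spelling `WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE` in all three. The `#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION)` block is written at column 0 inside an otherwise indented target section in each of the three hunks; indenting it like its neighbours makes the nesting visible.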
@@ -766,16 +1005,34 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ /***** END CONFIG_IDF_TARGET_ESP32C3 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32C5) + #define WOLFSSL_ESP32 + + /* There's no Hardware Acceleration available on ESP32-C5 */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32C5 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32C6) #define WOLFSSL_ESP32 /* wolfSSL HW Acceleration supported on ESP32-C6. Uncomment to disable: */ - /* #define NO_ESP32_CRYPT */ - /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* These are defined automatically in esp32-crypt.h, here for clarity: */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */ + /* no SHA384 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif + /* #define NO_ESP32_CRYPT */ + /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */ 
@@ -783,7 +1040,34 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ /***** END CONFIG_IDF_TARGET_ESP32C6 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32C61) + #define WOLFSSL_ESP32 + /* wolfSSL HW Acceleration not yet supported on ESP32-C61. */ + + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + + /* TODO latest WIP ESP-IDF v6 needs esp_sha_set_mode, disable for now: */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH + + /* These are defined automatically in esp32-crypt.h, here for clarity: */ + /* no SHA384 HW on C61 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C61 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + + /* HW temporarily disabled on the ESP32-C61 pending additional development. + * See also settings.h that should also be disabling these after v5.8.0 */ + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD + /***** END CONFIG_IDF_TARGET_ESP32C61 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32H2) + /* Reminder: There's no wifi on ESP32-H2 */ + #define WOLFSSL_ESP32 /* wolfSSL Hardware Acceleration not yet implemented */ #define NO_ESP32_CRYPT 
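Review bot: `NO_WOLFSSL_ESP32_CRYPT_HASH` is defined twice in the new ESP32-C61 block, once under the "not yet supported" comment and again under the `TODO ... esp_sha_set_mode` comment; the second is a benign redefinition but reads as if two different settings were intended. Keep one `#define` and merge the two comments, e.g. `/* HW hash disabled: not yet supported on C61, and ESP-IDF v6 WIP needs esp_sha_set_mode */`.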
@@ -792,6 +1076,24 @@ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI /***** END CONFIG_IDF_TARGET_ESP32H2 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32H21) + #define WOLFSSL_ESP32 + /* wolfSSL Hardware Acceleration not yet implemented */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32H21 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP32H4) + #define WOLFSSL_ESP32 + /* wolfSSL Hardware Acceleration not yet implemented */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32H4 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32P4) #define WOLFSSL_ESP32 /* wolfSSL Hardware Acceleration not yet implemented */ @@ -818,16 +1120,25 @@ /***** END CONFIG_IDF_TARGET_ESP266 *****/ #elif defined(CONFIG_IDF_TARGET_ESP8684) - /* There's no Hardware Acceleration available on ESP8684 */ + /* There's no Hardware Acceleration available on ESP8684 + * Note that it usually presents as ESP32C2 */ #define NO_ESP32_CRYPT #define NO_WOLFSSL_ESP32_CRYPT_HASH #define NO_WOLFSSL_ESP32_CRYPT_AES #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI /***** END CONFIG_IDF_TARGET_ESP8684 *****/ +#elif defined(POSIX_LINUX) + /* There's no Hardware Acceleration available on POSIX/Linux simulator */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_POSIX_LINUX *****/ + #else /* Anything else encountered, disable HW acceleration */ - #warning "Unexpected CONFIG_IDF_TARGET_NN value" + #warning "Unexpected CONFIG_IDF_TARGET_NN value, disabling all HW crypto" #define NO_ESP32_CRYPT #define NO_WOLFSSL_ESP32_CRYPT_HASH #define NO_WOLFSSL_ESP32_CRYPT_AES 
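Review bot: The closing comment of the new simulator branch in hunk `@@ -818` reads `END CONFIG_IDF_TARGET_POSIX_LINUX`, but the branch tests a bare `POSIX_LINUX`, not an IDF target symbol; `/***** END POSIX_LINUX *****/` avoids suggesting a Kconfig target that does not exist. Since `POSIX_LINUX` is the only non-`CONFIG_` selector in this chain, a one-line comment saying where it is expected to come from (presumably a build flag) would help the next reader.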
@@ -845,7 +1156,7 @@ /* See idf.py menuconfig for stack warning settings */ #if !defined(CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING) #if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500 - #warning "RSA may be difficult with less than 10KB Stack" + /* RSA may be difficult with less than 10KB Stack */ #endif #else /* Implement your own stack warning here */ @@ -856,11 +1167,17 @@ /* NOTE HW unreliable for small values! */ /* threshold for performance adjustment for HW primitive use */ /* X bits of G^X mod P greater than */ - #undef ESP_RSA_EXPT_XBITS + #if defined(ESP_RSA_EXPT_XBITS) && (ESP_RSA_EXPT_XBITS < 32) + #warning "Adjusting ESP_RSA_EXPT_XBITS to 32" + #undef ESP_RSA_EXPT_XBITS + #endif #define ESP_RSA_EXPT_XBITS 32 /* X and Y of X * Y mod P greater than */ - #undef ESP_RSA_MULM_BITS + #if defined(ESP_RSA_MULM_BITS) && (ESP_RSA_MULM_BITS < 16) + #warning "Adjusting ESP_RSA_MULM_BITS to 16" + #undef ESP_RSA_MULM_BITS + #endif #define ESP_RSA_MULM_BITS 16 #endif #endif 
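Review bot: Replacing `#warning "RSA may be difficult with less than 10KB Stack"` with a comment leaves the `#if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500` branch empty, so the check no longer produces anything and the Kconfig option `ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING` that suppresses it now guards a no-op. If the warning was too noisy, downgrade it to `#pragma message("RSA may be difficult with less than 10KB Stack")` or say in the comment why it was silenced; otherwise remove the dead check and the Kconfig option together.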
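Review bot: `#define ESP_RSA_EXPT_XBITS 32` still follows unconditionally, so when the caller pre-defines `ESP_RSA_EXPT_XBITS` to 32 or more the macro is redefined without an `#undef`; GCC warns on a redefinition with a different replacement list (an error under `-Werror`), and the same applies to `ESP_RSA_MULM_BITS`. Wrap each define as `#ifndef ESP_RSA_EXPT_XBITS` / `#define ESP_RSA_EXPT_XBITS 32` / `#endif` so a larger user value is kept, which is what the `< 32` adjustment just above implies. The enclosing `#if` blocks start before this hunk.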
@@ -1016,87 +1333,317 @@ Turn on timer debugging (used when CPU cycles not available) * https://github.com/wolfSSL/wolfssl/pull/6825 * https://github.com/wolfSSL/wolfsm * - * Uncomment these 3 macros to enable the SM Ciphers and use the macros below. + * Check to see if idf.py menuconfig selected example certs, otheruse use 2048: */ - -/* -#define WOLFSSL_SM2 -#define WOLFSSL_SM3 -#define WOLFSSL_SM4 -*/ +#if defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_2048) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_2048 + #define USE_CERT_BUFFERS_2048 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_1024) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_1024 + #define USE_CERT_BUFFERS_1024 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_256) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_256 + #define USE_CERT_BUFFERS_256 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM) && \ + CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM + #define WOLFSSL_SM2 + #define WOLFSSL_SM3 + #define WOLFSSL_SM4 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_NONE) + /* See user_settings.h for referenbce on defining your own cert */ +#else + #define USE_CERT_BUFFERS_2048 +#endif /* Conditional macros used in wolfSSL TLS client and server examples */ #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) - #include - #define CTX_CA_CERT root_sm2 - #define CTX_CA_CERT_SIZE sizeof_root_sm2 - #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_PEM - #define CTX_SERVER_CERT server_sm2 - #define CTX_SERVER_CERT_SIZE sizeof_server_sm2 - #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM - #define CTX_SERVER_KEY server_sm2_priv - #define CTX_SERVER_KEY_SIZE sizeof_server_sm2_priv - #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_PEM + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (SM)" - #undef WOLFSSL_BASE16 - #define WOLFSSL_BASE16 -#else - #if defined(USE_CERT_BUFFERS_2048) - #ifdef USE_CERT_BUFFERS_1024 - #error "USE_CERT_BUFFERS_1024 is already defined. 
Pick one." - #endif + #ifndef HAVE_TLS_EXTENSIONS + #error "SM Ciphers require HAVE_TLS_EXTENSIONS" + #endif + #ifndef HAVE_HKDF + #error "SM Ciphers require HAVE_HKDF" + #endif + #ifndef HAVE_ECC + #error "SM Ciphers require HAVE_ECC" + #endif + #ifndef WOLFSSL_USE_ALIGN + #warning "Define WOLFSSL_USE_ALIGN to avoid LoadStoreAlignment panic" + #endif + + #ifdef WOLFSSL_ALT_CERT_CHAINS + /* When on, wolfSSL will accept the peer if the leaf sent matches + * the one loaded, even without a CA in the path */ + #endif + + /* ./examples/client/client -h 192.168.1.107 -v 3 \ + * -l ECDHE-ECDSA-SM4-CBC-SM3 + * -c ./certs/sm2/client-sm2.pem + * -k ./certs/sm2/client-sm2-priv.pem + * -A ./certs/sm2/ca-sm2.pem -C + */ + + /* Certificate file `-c`; client command default: certs/server-cert.pem + * wolfSSL_CTX_use_certificate_chain_buffer_format + * + * Note that the PEM file of server_sm2 contains both leaf and CA + * The DER file contains only the server cert. */ + + /* Server */ + #ifndef NO_WOLFSSL_SERVER + #define CTX_SERVER_CERT server_sm2 + #define CTX_SERVER_CERT_NAME "server_sm2" + #define CTX_SERVER_CERT_SIZE sizeof_server_sm2 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM + + /* Key file `-k`; client command default: ./certs/server-key.pem + * wolfSSL_CTX_use_certificate_buffer */ + #define CTX_SERVER_KEY server_sm2_priv_der + #define CTX_SERVER_KEY_NAME "server_sm2_priv_der" + #define CTX_SERVER_KEY_SIZE sizeof_server_sm2_priv_der + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Client */ + #ifndef NO_WOLFSSL_CLIENT + #define CTX_CA_CERT root_sm2_der + #define CTX_CA_CERT_NAME "root_sm2_der" + #define CTX_CA_CERT_SIZE sizeof_root_sm2_der + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_CLIENT_KEY client_sm2_priv_der + #define CTX_CLIENT_KEY_NAME "client_sm2_priv_der" + #define CTX_CLIENT_KEY_SIZE sizeof_client_sm2_priv_der + #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Client Cert. 
+ * This is also the optional peer verify certificate at server */ + #define CTX_CLIENT_CERT client_sm2_der + #define CTX_CLIENT_CERT_NAME "client_sm2_der" + #define CTX_CLIENT_CERT_SIZE sizeof_client_sm2_der + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END SM */ - /* Be sure to include in app, not here, when using example certs: */ - /* #include */ +#elif defined(USE_CERT_BUFFERS_2048) + /* + * To connect to ESP32 server with a client from commandline: + * + * The client uses 2048 certs by default, so no certs needed on commandline: + * + * TLS 1.2 + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 + * + * TLS 1.3 + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 4 + */ + + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_2048)" + + #ifdef USE_CERT_BUFFERS_1024 + #error "USE_CERT_BUFFERS_1024 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_256 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." 
+ #endif + #if defined(NO_RSA) + #error "RSA is needed to use CERT_BUFFERS_2048 example" + #endif + /* Client */ + #ifndef NO_WOLFSSL_CLIENT #define CTX_CA_CERT ca_cert_der_2048 #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_2048 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_SERVER_CERT server_cert_der_2048 - #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048 - #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_SERVER_KEY server_key_der_2048 - #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_2048 - #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 - - #define CTX_CLIENT_CERT client_cert_der_2048 - #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048 - #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #define CTX_CLIENT_KEY client_key_der_2048 #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_2048 #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif - #elif defined(USE_CERT_BUFFERS_1024) - #ifdef USE_CERT_BUFFERS_2048 - #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." 
+ /* Server */ + #ifndef NO_WOLFSSL_SERVER + #if (0) + /* No PEM certs available at this time */ + #define CTX_SERVER_CERT server_cert_2048 + #define CTX_SERVER_CERT_NAME "server_cert_2048" + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_2048 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM + + #define CTX_SERVER_KEY server_key_2048 + #define CTX_SERVER_KEY_NAME "server_key_2048" + #define CTX_SERVER_KEY_SIZE sizeof_server_key_2048 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_PEM + #else + #define CTX_SERVER_CERT server_cert_der_2048 + #define CTX_SERVER_CERT_NAME "server_cert_der_2048" + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_SERVER_KEY server_key_der_2048 + #define CTX_SERVER_KEY_NAME "server_key_der_2048" + #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_2048 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 #endif + #endif /* server */ + + /* -A Client peer verify at the server + * defaults: ./examples/client/client -v 3 -h 192.168.1.107 */ + #define CTX_CLIENT_CERT client_cert_der_2048 + #define CTX_CLIENT_CERT_NAME "client_cert_der_2048" + #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END USE_CERT_BUFFERS_2048 */ - /* Be sure to include in app, not here, when using example certs: */ - /* #include */ +#elif defined(USE_CERT_BUFFERS_1024) + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_1024)" + /* + * To connect to ESP32 server with a client from commandline: + * + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d \ + -A ./certs/1024/ca-cert.pem \ + -c ./certs/1024/client-cert.pem \ + -k ./certs/1024/client-key.pem -C + */ + #ifdef USE_CERT_BUFFERS_2048 + #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_256 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." 
+ #endif + + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + /* Client */ + #ifndef NO_WOLFSSL_CLIENT #define CTX_CA_CERT ca_cert_der_1024 + #define CTX_CA_CERT_NAME "ca_cert_der_1024" #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_1024 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_CLIENT_CERT client_cert_der_1024 - #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024 - #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #define CTX_CLIENT_KEY client_key_der_1024 #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_1024 #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + /* Server */ + #ifndef NO_WOLFSSL_SERVER #define CTX_SERVER_CERT server_cert_der_1024 + #define CTX_SERVER_CERT_NAME "server_cert_der_1024" #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_1024 #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + #define CTX_SERVER_KEY server_key_der_1024 + #define CTX_SERVER_KEY_NAME "server_key_der_1024" #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_1024 #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Optional shared client peer verify for wolfSSL_CTX_set_verify() */ + #define CTX_CLIENT_CERT client_cert_der_1024 + #define CTX_CLIENT_CERT_NAME "client_cert_der_1024" + #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END USE_CERT_BUFFERS_1024 */ + +#elif defined(USE_CERT_BUFFERS_256) + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_256)" + #ifndef HAVE_ECC + #error "USE_CERT_BUFFERS_256 requires HAVE_ECC" + #endif + + #if (0) /* Optional SECP256K1 */ + #define HAVE_ECC_SECP256K1 + #define HAVE_ECC_KOBLITZ + #define WOLFSSL_CUSTOM_CURVES + #endif + /* + * To connect to this ESP32 server with a client from commandline: + * + * TLS 1.3, disable peer cert: + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 
4 -d + * + * TLS 1.2, disable peer cert: + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d + * + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 \ + -A ./certs/ecc/ca-secp256k1-cert.pem \ + -c ./certs/ecc/client-secp256k1-cert.pem \ + -k ./certs/ecc/secp256k1-key.pem + + ./examples/client/client -h 192.168.1.107 -p 11111 -v 4 \ + -A ./certs/ca-ecc-cert.pem \ + -c ./certs/client-ecc-cert.pem \ + -k ./certs/ecc-client-key.pem + */ + #ifdef USE_CERT_BUFFERS_2048 + #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_1024 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." + #endif + + #ifndef NO_WOLFSSL_CLIENT + #define CTX_CA_CERT ca_ecc_cert_der_256 + #define CTX_CA_CERT_SIZE sizeof_ca_ecc_cert_der_256 + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_CLIENT_KEY ecc_clikey_der_256 + #define CTX_CLIENT_KEY_SIZE sizeof_ecc_clikey_der_256 + #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Server */ + #ifndef NO_WOLFSSL_SERVER + /* wolfSSL_CTX_use_certificate_chain_buffer_format */ + #if (0) + /* serv_ecc_der_256 leaf only */ + #define CTX_SERVER_CERT serv_ecc_der_256 + #define CTX_SERVER_CERT_NAME "serv_ecc_der_256" + #define CTX_SERVER_CERT_SIZE sizeof_serv_ecc_der_256 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #else - /* Optionally define custom cert arrays, sizes, and types here */ + /* new leaf + ca, needs https://github.com/wolfSSL/wolfssl/pull/9231 */ + #define CTX_SERVER_CERT server_ecc_cert + #define CTX_SERVER_CERT_NAME "server_ecc_cert" + #define CTX_SERVER_CERT_SIZE sizeof_server_ecc_cert + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM #endif -#endif /* Conditional key and cert constant names */ + /* wolfSSL_CTX_use_PrivateKey_buffer */ + #define CTX_SERVER_KEY ecc_key_der_256 + #define CTX_SERVER_KEY_NAME "ecc_key_der_256" + #define CTX_SERVER_KEY_SIZE sizeof_ecc_key_der_256 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + + /* 
wolfSSL_CTX_load_verify_buffer */ + #define CTX_CLIENT_CERT cliecc_cert_der_256 + #define CTX_CLIENT_CERT_NAME "cliecc_cert_der_256" + #define CTX_CLIENT_CERT_SIZE sizeof_cliecc_cert_der_256 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #endif /* Server */ + /* END USE_CERT_BUFFERS_256 */ + +#endif /* USE_CERT_BUFFERS_[n] */ + +/* +./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d \ + -A ./certs/ca-ecc-cert.pem \ + -c ./certs/ecc/client-ecc-cert.pem \ + -k ./certs/ecc/ecc-key.pem +*/ /****************************************************************************** ** Sanity Checks ******************************************************************************/ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/ld/region_peek.ld b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/ld/region_peek.ld new file mode 100644 index 0000000000..e8ca4b3ae4 --- /dev/null +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/ld/region_peek.ld @@ -0,0 +1,9 @@ +/* ORIGIN()/LENGTH() always see the SoC memory regions: */ +INCLUDE memory.ld + +/* Region boundary symbols derived from memory.ld */ +PROVIDE(__dram0_start = ORIGIN(dram0_0_seg)); +PROVIDE(__dram0_end = ORIGIN(dram0_0_seg) + LENGTH(dram0_0_seg)); + +PROVIDE(__drom0_start = ORIGIN(drom0_0_seg)); +PROVIDE(__drom0_end = ORIGIN(drom0_0_seg) + LENGTH(drom0_0_seg)); diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/CMakeLists.txt index 4f5613953a..39da251aff 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/CMakeLists.txt 
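Review bot: In the `USE_CERT_BUFFERS_256` branch the check `#ifdef USE_CERT_BUFFERS_1024` reports the wrong macro, `#error "USE_CERT_BUFFERS_256 is already defined. Pick one."`; it should read `#error "USE_CERT_BUFFERS_1024 is already defined. Pick one."` so the diagnostic names the conflicting selection. The `#else` fallback at the top of the hunk defines `USE_CERT_BUFFERS_2048` without checking whether the application already chose a set — server-tls.h in this same commit defines `USE_CERT_BUFFERS_1024` for low-memory targets and server-tls.c includes that header before settings.h — so, if that ordering holds, the "already defined. Pick one." error fires for a choice the user never made; guarding the fallback with `#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_256)` avoids it. Two comment typos in the selection block, "otheruse use 2048" and "referenbce", should be "otherwise use 2048" and "reference". A comment at the fallback noting that it selects the published wolfSSL test certificates and keys, meant for examples only, would help readers who adopt this file as a template for their own project.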
@@ -4,7 +4,8 @@ # wolfssl server test # message(STATUS "Begin wolfSSL main CMakeLists.txt") -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") if (idf_target STREQUAL "esp8266" OR IDF_TARGET STREQUAL "esp8266" OR IDF_VERSION_MAJOR VERSION_LESS "5.0") # `driver` component not available for ESP8266 @@ -21,9 +22,6 @@ endif() if(CMAKE_HOST_UNIX) message(STATUS "Detected UNIX") endif() -if(APPLE) - message(STATUS "Detected APPLE") -endif() if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop") # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL") @@ -62,8 +60,6 @@ endif() ## register_component() idf_component_register(SRCS main.c - wifi_connect.c - time_helper.c server-tls.c INCLUDE_DIRS "." "./include" diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/server-tls.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/server-tls.h index a1d12ad2cf..11517404e9 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/server-tls.h +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/server-tls.h @@ -30,11 +30,8 @@ /* Use smaller certs for low-memory devices */ #define USE_CERT_BUFFERS_1024 #else - #define USE_CERT_BUFFERS_2048 + // #define USE_CERT_BUFFERS_2048 #endif - - /* always include smallest testing 32 byte RSA/ECC keys */ - #define USE_CERT_BUFFERS_256 #else /* define your own certificate macros; see user_settings.h */ #endif diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/time_helper.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/time_helper.h deleted file mode 100644 index 3345258d0a..0000000000 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/time_helper.h +++ /dev/null 
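Review bot: The `#else` branch in server-tls.h now holds only the commented-out `// #define USE_CERT_BUFFERS_2048`, so a reader cannot tell that the 2048 set is meant to come from the menuconfig-driven fallback in user_settings.h; replace the dead line with `/* No selection here: user_settings.h picks the cert set (menuconfig, default 2048) */`. The enclosing `#if` starts outside the hunk. Dropping the previously unconditional `USE_CERT_BUFFERS_256` define changes which buffers the example compiles in and deserves a line in the commit description.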
@@ -1,56 +0,0 @@
-/* time_helper.h
- *
- * Copyright (C) 2006-2025 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
-
-/* common Espressif time_helper v5.6.3.001 */
-
-#ifndef _TIME_HELPER_H_
-#define _TIME_HELPER_H_
-
-/* ESP-IDF uses a 64-bit signed integer to represent time_t starting from
- * release v5.0 See: Espressif api-reference/system/system_time
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* a function to show the current data and time */
-int esp_show_current_datetime(void);
-
-/* worst case, if GitHub time not available, used fixed time */
-int set_fixed_default_time(void);
-
-/* set time from string (e.g. GitHub commit time) */
-/* When not using the new esp-sdk-lib.h helpers: */
-/* int set_time_from_string(char* time_buffer); */
-
-/* set time from NTP servers,
- * also initially calls set_fixed_default_time or set_time_from_string */
-int set_time(void);
-
-/* wait NTP_RETRY_COUNT seconds before giving up on NTP time */
-int set_time_wait_for_ntp(void);
-
-#ifdef __cplusplus
-} /* extern "C" */
-#endif
-
-#endif /* #ifndef _TIME_HELPER_H */
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/wifi_connect.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/wifi_connect.h deleted file mode 100644 index 8dfe31d141..0000000000 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/wifi_connect.h +++ /dev/null 
@@ -1,145 +0,0 @@ -/* wifi_connect.h - * - * Copyright (C) 2006-2025 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ -#ifndef _WIFI_CONNECT_H_ -#define _WIFI_CONNECT_H_ - -/* ESP lwip */ -#define EXAMPLE_ESP_MAXIMUM_RETRY CONFIG_ESP_MAXIMUM_RETRY - -#define TLS_SMP_SERVER_TASK_NAME "tls_sever_example" -#define TLS_SMP_SERVER_TASK_BYTES 22240 -#define TLS_SMP_SERVER_TASK_PRIORITY 8 - -/* Optionally use ESP-IDF config settings -#define TLS_SMP_WIFI_SSID CONFIG_WIFI_SSID -#define TLS_SMP_WIFI_PASS CONFIG_WIFI_PASSWORD -*/ - -#define USE_WIFI_EXAMPLE -#ifdef USE_WIFI_EXAMPLE - #include "esp_netif.h" - #include "protocol_examples_common.h" /* see project CMakeLists.txt */ -#endif - -/** - ****************************************************************************** - ****************************************************************************** - ** USER APPLICATION SETTINGS BEGIN - ****************************************************************************** - ****************************************************************************** - **/ - -/* when using a private config with plain text passwords, - * file my_private_config.h should be excluded from git updates */ -/* #define USE_MY_PRIVATE_CONFIG */ - -/* Note that IntelliSense may not work 
properly in the next section for the - * Espressif SDK 3.4 on the ESP8266. Macros should still be defined. - * See the project-level Makefile. Example found in: - * https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/template - * - * The USE_MY_PRIVATE_[OS]_CONFIG is typically an environment variable that - * triggers the make (not cmake) to add compiler defines. - */ -#if defined(USE_MY_PRIVATE_WINDOWS_CONFIG) - #include "/workspace/my_private_config.h" -#elif defined(USE_MY_PRIVATE_WSL_CONFIG) - #include "/mnt/c/workspace/my_private_config.h" -#elif defined(USE_MY_PRIVATE_LINUX_CONFIG) - #include "~/workspace/my_private_config.h" -#elif defined(USE_MY_PRIVATE_MAC_CONFIG) - #include "~/Documents/my_private_config.h" -#elif defined(USE_MY_PRIVATE_CONFIG) - /* This section works best with cmake & non-environment variable setting */ - #if defined(WOLFSSL_CMAKE_SYSTEM_NAME_WINDOWS) - #define WOLFSSL_CMAKE - #include "/workspace/my_private_config.h" - #elif defined(WOLFSSL_MAKE_SYSTEM_NAME_WINDOWS) - #define WOLFSSL_MAKE - #include "/workspace/my_private_config.h" - #elif defined(WOLFSSL_CMAKE_SYSTEM_NAME_WSL) - #define WOLFSSL_CMAKE - #include "/mnt/c/workspace/my_private_config.h" - #elif defined(WOLFSSL_MAKE_SYSTEM_NAME_WSL) - #define WOLFSSL_MAKE - #include "/mnt/c/workspace/my_private_config.h" - #elif defined(WOLFSSL_CMAKE_SYSTEM_NAME_LINUX) - #define WOLFSSL_CMAKE - #include "~/workspace/my_private_config.h" - #elif defined(WOLFSSL_MAKE_SYSTEM_NAME_LINUX) - #define WOLFSSL_MAKE - #include "~/workspace/my_private_config.h" - #elif defined(WOLFSSL_CMAKE_SYSTEM_NAME_APPLE) - #include "~/Documents/my_private_config.h" - #elif defined(WOLFSSL_MAKE_SYSTEM_NAME_APPLE) - #define WOLFSSL_MAKE - #include "~/Documents/my_private_config.h" - #elif defined(OS_WINDOWS) - #include "/workspace/my_private_config.h" - #else - /* Edit as needed for your private config: */ - #warning "default private config using /workspace/my_private_config.h" - #include 
"/workspace/my_private_config.h" - #endif -#else - - /* - ** The examples use WiFi configuration that you can set via project - ** configuration menu - ** - ** If you'd rather not, just change the below entries to strings with - ** the config you want - ie #define EXAMPLE_WIFI_SSID "mywifissid" - */ - #if defined(CONFIG_ESP_WIFI_SSID) - /* typically from ESP32 with ESP-IDF v4 to v5 */ - #define EXAMPLE_ESP_WIFI_SSID CONFIG_ESP_WIFI_SSID - #elif defined(CONFIG_EXAMPLE_WIFI_SSID) - /* typically from ESP8266 rtos-sdk/v3.4 */ - #define EXAMPLE_ESP_WIFI_SSID CONFIG_EXAMPLE_WIFI_SSID - #else - /* See new esp-sdk-lib.h helpers: */ - #ifndef EXAMPLE_ESP_WIFI_SSID - #define EXAMPLE_ESP_WIFI_SSID "MYSSID_WIFI_CONNECT" - #endif - #endif - - #if defined(CONFIG_ESP_WIFI_PASSWORD) - /* tyically from ESP32 with ESP-IDF v4 or v5 */ - #define EXAMPLE_ESP_WIFI_PASS CONFIG_ESP_WIFI_PASSWORD - #elif defined(CONFIG_EXAMPLE_WIFI_SSID) - /* typically from ESP8266 rtos-sdk/v3.4 */ - #define EXAMPLE_ESP_WIFI_PASS CONFIG_EXAMPLE_WIFI_PASSWORD - #else - /* See new esp-sdk-lib.h helpers: */ - #ifndef EXAMPLE_ESP_WIFI_PASS - #define EXAMPLE_ESP_WIFI_PASS "MYPASSWORD_WIFI_CONNECT" - #endif - #endif -#endif - -/* ESP lwip */ -#define EXAMPLE_ESP_MAXIMUM_RETRY CONFIG_ESP_MAXIMUM_RETRY - -int wifi_init_sta(void); - -int wifi_show_ip(void); - -#endif /* _WIFI_CONNECT_H_ */ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/main.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/main.c index 65e4376b95..f7aebb5d3e 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/main.c +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/main.c 
@@ -18,24 +18,39 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ + +/* + * Attention maintainers: + * + * This code is mostly mirrored between client and server examples. + * + * Please apply any updates to both. + */ #include "sdkconfig.h" #include "main.h" /* ESP specific */ -#include #include #include +#include /* wolfSSL */ -/* Always include wolfcrypt/settings.h before any other wolfSSL file. */ -/* Reminder: settings.h pulls in user_settings.h; don't include it here. */ -#ifdef WOLFSSL_USER_SETTINGS +/* The wolfSSL user_settings.h is automatically included by settings.h file. + * Never explicitly include wolfSSL user_settings.h in any source file. + * The settings.h should also be listed above wolfssl library include files. */ +#if defined(WOLFSSL_USER_SETTINGS) #include #ifndef WOLFSSL_ESPIDF #warning "Problem with wolfSSL user_settings." #warning "Check components/wolfssl/include" #endif + #include #include + #include + #if defined(CONFIG_WOLFSSL_CERTIFICATE_BUNDLE) && \ + CONFIG_WOLFSSL_CERTIFICATE_BUNDLE + #include + #endif #else /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include */ /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */ 
@@ -43,16 +58,34 @@ CFLAGS +=-DWOLFSSL_USER_SETTINGS" #endif -/* this project */ +/* Hardware; include after other libraries, + * particularly after freeRTOS from settings.h */ +#include + +#define THIS_MONITOR_UART_RX_BUFFER_SIZE 200 + +#ifdef CONFIG_ESP8266_XTAL_FREQ_26 + /* 26MHz crystal: 74880 bps */ + #define THIS_MONITOR_UART_BAUD_DATE 74880 +#else + /* 40MHz crystal: 115200 bps */ + #define THIS_MONITOR_UART_BAUD_DATE 115200 +#endif + +/* This project */ +#include "main.h" #include "server-tls.h" -#include "time_helper.h" #ifdef CONFIG_IDF_TARGET_ESP32H2 - /* There's no WiFi on ESP32-H2. + /* There's no WiFi on ESP32-H2, no esp_eth.h in protocol_examples_common.h * For wired ethernet, see: * https://github.com/wolfSSL/wolfssl-examples/tree/master/ESP32/TLS13-ENC28J60-client */ #else - #include "wifi_connect.h" + /* See CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT that defines + * USE_WOLFSSL_ESP_SDK_WIFI */ + #include "protocol_examples_common.h" /* example connect */ + #include + /* * Note ModBus TCP cannot be disabled on ESP8266 tos-sdk/v3.4 * See https://github.com/espressif/esp-modbus/issues/2 
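Review bot: `+#include "main.h"` under the new "This project" comment duplicates the `#include "main.h"` that already follows `sdkconfig.h` at the top of the file (visible as context in the previous hunk); include guards make it harmless, but one of the two should go. The new macro `THIS_MONITOR_UART_BAUD_DATE` reads as a typo for `THIS_MONITOR_UART_BAUD_RATE`; it is consumed by the `uart_config` initializer in the following hunk, so rename both uses together. A short comment on `THIS_MONITOR_UART_RX_BUFFER_SIZE 200` saying which call it sizes (the RX buffer passed to `uart_driver_install` below) would make the constant self-explaining.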
@@ -131,22 +164,60 @@ void my_atmel_free(int slotId) /* Entry for FreeRTOS */ void app_main(void) { + uart_config_t uart_config = { + .baud_rate = THIS_MONITOR_UART_BAUD_DATE, + .data_bits = UART_DATA_8_BITS, + .parity = UART_PARITY_DISABLE, + .stop_bits = UART_STOP_BITS_1, + }; esp_err_t ret = 0; -#ifndef SINGLE_THREADED +#if !defined(SINGLE_THREADED) && INCLUDE_uxTaskGetStackHighWaterMark + int stack_start = 0; +#endif +#if !defined(SINGLE_THREADED) int this_heap = 0; - #ifdef INCLUDE_uxTaskGetStackHighWaterMark - int stack_start = 0; - #endif #endif +#ifdef DEBUG_WOLFSSL + /* Turn debugging on or off: */ + /* wolfSSL_Debugging_ON(); */ + /* wolfSSL_Debugging_OFF(); */ +#endif + +#if !defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_SERVER) + ESP_LOGW(TAG, "Warning: Example wolfSSL misconfigured? Check menuconfig."); +#endif + /* uart_set_pin(UART_NUM_0, TX_PIN, RX_PIN, + * UART_PIN_NO_CHANGE, UART_PIN_NO_CHANGE); */ + + /* Some targets may need to have UART speed set, such as ESP8266 */ + ESP_LOGI(TAG, "UART init"); + uart_param_config(UART_NUM_0, &uart_config); + uart_driver_install(UART_NUM_0, + THIS_MONITOR_UART_RX_BUFFER_SIZE, 0, 0, NULL, 0); + /* Startup delay only for pretty align of startup config: I (nnnn) items */ + vTaskDelay(500 / portTICK_PERIOD_MS); + ESP_LOGI(TAG, "---------------- wolfSSL TLS Server Example ------------"); ESP_LOGI(TAG, "--------------------------------------------------------"); ESP_LOGI(TAG, "--------------------------------------------------------"); ESP_LOGI(TAG, "---------------------- BEGIN MAIN ----------------------"); ESP_LOGI(TAG, "--------------------------------------------------------"); ESP_LOGI(TAG, "--------------------------------------------------------"); -#if !defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_SERVER) - ESP_LOGW(TAG, "Warning: Example wolfSSL misconfigured? 
Check menuconfig."); +#ifdef HAVE_WOLFCRYPT_WARMUP + /* Unless disabled, we'll try to allocate known, long-term heap early + * in an attempt to minimize later fragmentation */ + ESP_ERROR_CHECK(esp_sdk_wolfssl_warmup()); #endif +#ifdef WOLFSSL_ESP_NO_WATCHDOG + ESP_LOGW(TAG, "Found WOLFSSL_ESP_NO_WATCHDOG, disabling..."); + esp_DisableWatchdog(); +#endif +#if defined(HAVE_VERSION_EXTENDED_INFO) + esp_ShowExtendedSystemInfo(); +#else + ESP_LOGW(TAG, "HAVE_VERSION_EXTENDED_INFO not defined"); +#endif + #if defined(ESP_SDK_MEM_LIB_VERSION) && defined(DEBUG_WOLFSSL) sdk_init_meminfo(); #endif @@ -184,29 +255,33 @@ void app_main(void) #endif /* INCLUDE_uxTaskGetStackHighWaterMark */ #endif /* SINGLE_THREADED */ -#ifdef HAVE_VERSION_EXTENDED_INFO - esp_ShowExtendedSystemInfo(); -#endif -#ifdef DEBUG_WOLFSSL - wolfSSL_Debugging_OFF(); -#endif #ifdef CONFIG_IDF_TARGET_ESP32H2 ESP_LOGE(TAG, "No WiFi on the ESP32-H2 and ethernet not yet supported"); while (1) { vTaskDelay(60000); } #endif - /* Set time for cert validation. - * Some lwIP APIs, including SNTP functions, are not thread safe. */ - ret = set_time(); /* need to setup NTP before WiFi */ + + ESP_LOGI(TAG, "nvs flash init.."); + ret = nvs_flash_init(); /* Optionally erase flash */ - /* ESP_ERROR_CHECK(nvs_flash_erase()); */ +#if defined(ESP_ERR_NVS_NO_FREE_PAGES) && defined(ESP_ERR_NVS_NEW_VERSION_FOUND) + if (ret == ESP_ERR_NVS_NO_FREE_PAGES || ret == ESP_ERR_NVS_NEW_VERSION_FOUND) { + ESP_LOGI(TAG, "nvs flash erase.."); + ESP_ERROR_CHECK(nvs_flash_erase()); + ESP_LOGI(TAG, "nvs flash erase.."); + ret = nvs_flash_init(); + } + else { + ESP_LOGW(TAG, "nvs flash NOT erased"); + } +#else + ESP_LOGW(TAG, "nvs flash not initialized"); +#endif #ifdef FOUND_PROTOCOL_EXAMPLES_DIR ESP_LOGI(TAG, "FOUND_PROTOCOL_EXAMPLES_DIR active, using example code."); - ESP_ERROR_CHECK(nvs_flash_init()); - #if defined(CONFIG_IDF_TARGET_ESP32H2) ESP_LOGE(TAG, "There's no WiFi on ESP32-H2."); #else 
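Review bot: `uart_param_config(UART_NUM_0, &uart_config);` and `uart_driver_install(UART_NUM_0, THIS_MONITOR_UART_RX_BUFFER_SIZE, 0, 0, NULL, 0);` discard their `esp_err_t` results while the rest of app_main wraps driver calls in `ESP_ERROR_CHECK()`; wrap these two the same way, e.g. `ESP_ERROR_CHECK(uart_param_config(UART_NUM_0, &uart_config));`, so a failed UART setup is reported instead of silently producing a garbled console. The `esp_DisableWatchdog()` call under `WOLFSSL_ESP_NO_WATCHDOG` already logs a warning; a comment stating that the macro is a debugging convenience and is not expected in a deployed build would make that intent explicit. app_main continues beyond the hunk.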
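Review bot: The NVS init result is no longer checked: the old `ESP_ERROR_CHECK(nvs_flash_init())` is removed, and after the erase-and-retry block the `ret` from the second `nvs_flash_init()` is ignored, so any failure other than the two recoverable codes is merely logged before WiFi setup proceeds; add `ESP_ERROR_CHECK(ret);` after the `#endif`. The `else` branch logs `nvs flash NOT erased` as a warning on the normal `ESP_OK` path, which will alarm users on every clean boot; make it `else if (ret != ESP_OK)`. The second `ESP_LOGI(TAG, "nvs flash erase..")` before the re-init should read `"nvs flash init.."`. app_main continues beyond the hunk.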
@@ -220,13 +295,47 @@ void app_main(void) #define CONFIG_EXAMPLE_WIFI_SSID "myssid" ESP_LOGW(TAG, "WARNING: CONFIG_EXAMPLE_WIFI_SSID not defined."); #endif - ESP_ERROR_CHECK(esp_netif_init()); - ESP_ERROR_CHECK(esp_event_loop_create_default()); - ESP_ERROR_CHECK(example_connect()); + #ifdef DEBUG_WOLFSSL + /* Anytime we are debugging, also debug WiFi */ + esp_log_level_set("wifi", ESP_LOG_VERBOSE); + esp_log_level_set("wpa", ESP_LOG_VERBOSE); + #endif + #if defined(USE_WOLFSSL_ESP_SDK_WIFI) + #if defined(ESP_SDK_WIFI_LIB_VERSION) && \ + (ESP_SDK_WIFI_LIB_VERSION > 1) + esp_sdk_wifi_lib_init(); + ret = esp_sdk_wifi_init_sta(); + #else + ESP_LOGE(TAG, "A newer version of wolfSSL is needed"); + ret = ESP_FAIL; + #endif + if (ret == ESP_OK) { + ESP_LOGI(TAG, "WiFi connect success!"); + } + else { + ESP_LOGI(TAG, "ERROR: WiFi connect failed!"); + while (1) { + vTaskDelay(10000 / portTICK_PERIOD_MS); + } + } + esp_sdk_wifi_show_ip(); + #else + ESP_LOGI(TAG, "esp netif init..."); + ESP_ERROR_CHECK(esp_netif_init()); + ESP_LOGI(TAG, "esp event loop create default..."); + ESP_ERROR_CHECK(esp_event_loop_create_default()); + #if defined(CONFIG_IDF_TARGET_ESP32H2) + ESP_LOGI(TAG, "There's no WiFi on the ESP32-H2"); + while (1) { + vTaskDelay(pdMS_TO_TICKS(1000)); + } + #else + ESP_LOGI(TAG, "example connect..."); + ESP_ERROR_CHECK(example_connect()); + #endif + #endif #endif #else - ESP_ERROR_CHECK(nvs_flash_init()); - /* Initialize NVS */ ret = nvs_flash_init(); #if defined(CONFIG_IDF_TARGET_ESP8266) 
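Review bot: The WiFi failure path logs at info level, `ESP_LOGI(TAG, "ERROR: WiFi connect failed!");`, and then spins forever; use `ESP_LOGE` so the failure is still visible when the default log level is raised, and the return value of `esp_sdk_wifi_lib_init()` on the line above is discarded, which is worth checking or marking as deliberate with `(void)`. The `DEBUG_WOLFSSL` block raises the `wifi` and `wpa` components to `ESP_LOG_VERBOSE`; a comment that this is for development builds only would help, since those components presumably log connection details at that level. app_main continues beyond the hunk.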
@@ -253,25 +362,34 @@ void app_main(void) #else /* Initialize WiFi */ ESP_LOGI(TAG, "ESP_WIFI_MODE_STA"); - ret = wifi_init_sta(); - while (ret != 0) { + ret = esp_sdk_wifi_init_sta(); + while (ret != ESP_OK) { ESP_LOGI(TAG, "Waiting..."); vTaskDelay(60000 / portTICK_PERIOD_MS); ESP_LOGI(TAG, "Trying WiFi again..."); - ret = wifi_init_sta(); + ret = esp_sdk_wifi_init_sta(); } #endif /* else not CONFIG_IDF_TARGET_ESP32H2 */ #endif /* else FOUND_PROTOCOL_EXAMPLES_DIR not found */ + /* Set time for cert validation. + * Some lwIP APIs, including SNTP functions, are not thread safe. */ + ret = set_time(); /* need to setup NTP before WiFi */ + /* Once we are connected to the network, start & wait for NTP time */ ret = set_time_wait_for_ntp(); - if (ret < -1) { - /* a value of -1 means there was no NTP server, so no need to wait */ - ESP_LOGI(TAG, "Waiting 10 more seconds for NTP to complete." ); - vTaskDelay(10000 / portTICK_PERIOD_MS); /* brute-force solution */ - esp_show_current_datetime(); - } + switch (ret) { + case ESP_OK: + break; + case ESP_ERR_TIMEOUT: + ESP_LOGI(TAG, "Waiting 10 more seconds for NTP to complete." ); + vTaskDelay(10000 / portTICK_PERIOD_MS); /* brute-force solution */ + esp_show_current_datetime(); + break; + default: + ESP_LOGE(TAG, "set_time_wait_for_ntp error %d", ret); + } /* switch ret values */ #if defined(SINGLE_THREADED) /* just call the task */ 
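Review bot: The comment `/* need to setup NTP before WiFi */` on the re-added `ret = set_time();` no longer matches the code, which now runs after the WiFi/network init above it, and that `ret` is overwritten by `set_time_wait_for_ntp()` on the next statement without being inspected, so a failed initial time setup is never reported. Check or at least log it, e.g. `if (ret != ESP_OK) { ESP_LOGW(TAG, "set_time returned %d", ret); }` (assuming it returns an esp_err_t like `set_time_wait_for_ntp`), and reword the comment to `/* set initial fallback time, then wait for NTP once networked */`. In the new `switch`, the `default:` case only logs and execution continues into the TLS server start with whatever fallback time `set_time()` installed, which is presumably the clock certificate date validation will then use; a comment saying that this is accepted for the example would clarify the intent. app_main continues beyond the hunk.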
@@ -286,33 +404,29 @@ void app_main(void) CONFIG_ESP_MAIN_TASK_STACK_SIZE - (uxTaskGetStackHighWaterMark(NULL)) ); - ESP_LOGI(TAG, "Starting TLS Server task...\n"); + ESP_LOGI(TAG, "Starting TLS Server task..."); ESP_LOGI(TAG, "main tls_smp_client_init heap @ %p = %d", &this_heap, this_heap); + tls_smp_server_init(args); /* NULL will use the DEFAULT_PORT value */ +#endif +#ifdef INCLUDE_uxTaskGetStackHighWaterMark + ESP_LOGI(TAG, "Stack HWM: %d", uxTaskGetStackHighWaterMark(NULL)); - tls_smp_server_init(args); /* NULL will use the DEFAULT_PORT value */ + ESP_LOGI(TAG, "Stack used: %d", CONFIG_ESP_MAIN_TASK_STACK_SIZE + - (uxTaskGetStackHighWaterMark(NULL) )); #endif /* Done */ #ifdef SINGLE_THREADED ESP_LOGV(TAG, "\n\nDone!\n\n"); - while (1); -#else - ESP_LOGV(TAG, "\n\nvTaskDelete...\n\n"); - vTaskDelete(NULL); - /* done */ while (1) { - ESP_LOGV(TAG, "\n\nLoop...\n\n"); - #ifdef INCLUDE_uxTaskGetStackHighWaterMark - ESP_LOGI(TAG, "Stack HWM: %d", uxTaskGetStackHighWaterMark(NULL)); - - ESP_LOGI(TAG, "Stack used: %d", CONFIG_ESP_MAIN_TASK_STACK_SIZE - - (uxTaskGetStackHighWaterMark(NULL) )); - #endif vTaskDelay(60000); - } /* done while */ + } +#else + ESP_LOGI(TAG, "vTaskDelete main()"); + vTaskDelete(NULL); #endif /* else not SINGLE_THREADED */ } /* app_main */ diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c index 8f7eb62c8c..4083a8d08c 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c @@ -21,6 +21,8 @@ #include "server-tls.h" +#define MY_PEER_VERIFY 1 + /* Espressif FreeRTOS */ #ifndef SINGLE_THREADED #include 
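Review bot: `ESP_LOGI(TAG, "Stack HWM: %d", uxTaskGetStackHighWaterMark(NULL));` prints the FreeRTOS `UBaseType_t` (unsigned) return value with `%d`, and the `Stack used` line below it has the same mismatch; casting to `unsigned` and using `%u` keeps `-Wformat` quiet and avoids misreporting large values. In the `SINGLE_THREADED` idle loop `vTaskDelay(60000)` passes raw ticks where the rest of app_main uses `... / portTICK_PERIOD_MS` or `pdMS_TO_TICKS()`, so the actual sleep depends on the tick rate; `vTaskDelay(pdMS_TO_TICKS(60000))` would make it explicit. The `main tls_smp_client_init heap` message in the preceding context line still says client in the server example and is worth correcting while this block is being touched.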
@@ -28,16 +30,15 @@ #include #endif +/* Espressif */ +#include + /* socket includes */ #include #include #include /* For TCP options */ #include -#ifndef TCP_RTO_MIN - #define TCP_RTO_MIN 1500 -#endif - /* wolfSSL */ /* Always include wolfcrypt/settings.h before any other wolfSSL file. */ /* Reminder: settings.h pulls in user_settings.h; don't include it here. */ @@ -48,6 +49,7 @@ #warning "Check components/wolfssl/include" #endif #include + #include #else /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include */ /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */ @@ -58,9 +60,26 @@ #include #include #endif -#if defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024) + +/* The default user_settings.h includes macros that reference sample certs: */ +#if defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024) || \ + defined(USE_CERT_BUFFERS_256) #include #endif +#if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) + #include +#endif +/* Some older versions don't have cert name strings, so set to blanks: */ +#ifndef CTX_CLIENT_CERT_NAME + #define CTX_CLIENT_CERT_NAME "" +#endif +#ifndef CTX_SERVER_KEY_NAME + #define CTX_SERVER_KEY_NAME "" +#endif +#ifndef CTX_SERVER_CERT_NAME + #define CTX_SERVER_CERT_NAME "" +#endif + #ifdef WOLFSSL_TRACK_MEMORY #include #endif 
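Review bot: The `#ifndef CTX_CLIENT_CERT_NAME` / `CTX_SERVER_KEY_NAME` / `CTX_SERVER_CERT_NAME` fallbacks define the names to `""`, so with an older wolfSSL the later `Loading server certificate %s` and `Load verify cert %s` log lines print nothing and give no hint that the name macros are missing; a `#warning "certificate name strings not available in this wolfSSL version"` inside the same guards, or a non-empty placeholder such as `"(unnamed)"`, would keep the log readable. The comment `/* Some older versions don't have cert name strings, so set to blanks: */` could also say which version introduced them, if known, since that decides whether the fallback is ever hit.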
@@ -74,9 +93,52 @@ #define DEFAULT_MAX_DHKEY_BITS 2048 #endif -/* Project */ -#include "wifi_connect.h" -#include "time_helper.h" +/* Optional experimental static memory to consider. See docs. */ +#if defined(WOLFSSL_STATIC_MEMORY) + #include + #define MAX_CONNS 1 + #define MAX_CONCURRENT_HANDSHAKES 1 + /* multiple of 16 & 32 */ + /* #define WOLFMEM_IO_SZ 2048 */ + + + /* 2 fixed + 2 spare */ + #define IO_BLOCKS_PER_CONN 4 + #if defined(WOLFSSL_LOW_MEMORY) + /* handshake, certs, math temps */ + #define GEN_POOL_SZ (72 * 1024) + /* if using MFL=512 -> ~2x ~660B; round up */ + #define IO_POOL_SZ (WOLFMEM_IO_SZ * IO_BLOCKS_PER_CONN * MAX_CONNS) + /* #define IO_POOL_SZ ((2 * WOLFMEM_IO_SZ * MAX_CONNS) * 4) */ + #else + /* handshake, certs, math temps */ + #define GEN_POOL_SZ (60 * 1024) + /* if using MFL=512 -> ~2x ~660B; round up */ + #define IO_POOL_SZ (2 * 720) + #endif + #if (GEN_POOL_SZ % 32) != 0 + #error "GEN_POOL_SZ must be 32-byte aligned with WOLFMEM_IO_POOL_FIXED" + #endif + #if (WOLFMEM_IO_SZ % 32) != 0 + #error "WOLFMEM_IO_SZ must be 32-byte aligned with WOLFMEM_IO_POOL_FIXED" + #endif + static __attribute__((aligned(32))) uint8_t genPool[GEN_POOL_SZ]; + static __attribute__((aligned(32))) uint8_t ioPool [IO_POOL_SZ]; +#endif + +/* + * Optionally define explicit ciphers, for example these TLS 1.3 options. + * + * TLS13-AES128-GCM-SHA256 + * TLS13-AES256-GCM-SHA384 + * TLS13-AES128-CCM-SHA256 + * TLS13-AES128-CCM-8-SHA256 + * TLS13-AES128-CCM8-SHA256 + * + * examples: + * #define WOLFSSL_ESP32_CIPHER_SUITE "TLS13-AES128-GCM-SHA256:PSK-AES128-GCM-SHA256" + * #define WOLFSSL_ESP32_CIPHER_SUITE "TLS13-AES128-CCM-8-SHA256" + */ static const char* const TAG = "server-tls"; 
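Review bot: `#if (WOLFMEM_IO_SZ % 32) != 0` silently passes when `WOLFMEM_IO_SZ` is not defined, because an undefined identifier evaluates to 0 inside `#if`, and in the `WOLFSSL_LOW_MEMORY` branch `IO_POOL_SZ` would then also be 0, producing a zero-length `ioPool`; add `#ifndef WOLFMEM_IO_SZ` / `#error "WOLFMEM_IO_SZ must be defined"` before the alignment checks, especially since the local `/* #define WOLFMEM_IO_SZ 2048 */` is commented out. `IO_POOL_SZ` itself is never checked for 32-byte alignment although `ioPool` is declared `aligned(32)` and later loaded with `WOLFMEM_IO_POOL_FIXED`; a matching `#if (IO_POOL_SZ % 32) != 0` check would close that gap. `MAX_CONCURRENT_HANDSHAKES` is defined here but not referenced anywhere in this diff.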
@@ -90,7 +152,7 @@ int ShowCiphers(WOLFSSL* ssl) int ret = 0; if (ssl == NULL) { - ESP_LOGI(TAG, "WOLFSSL* ssl is NULL, so no cipher in use"); + ESP_LOGI(TAG, "WOLFSSL* ssl is NULL, so no cipher in use yet."); ret = wolfSSL_get_ciphers(ciphers, (int)sizeof(ciphers)); if (ret == WOLFSSL_SUCCESS) { for (int i = 0; i < CLIENT_TLS_MAX_CIPHER_LENGTH; i++) { @@ -105,6 +167,7 @@ int ShowCiphers(WOLFSSL* ssl) } } else { + ESP_LOGI(TAG, "checking %p", ssl); cipher_used = wolfSSL_get_cipher_name(ssl); ESP_LOGI(TAG, "WOLFSSL* ssl using %s", cipher_used); } @@ -112,6 +175,14 @@ int ShowCiphers(WOLFSSL* ssl) return ret; } +static void halt_for_reboot(const char* s) +{ + ESP_LOGE(TAG, "Halt. %s", s); + while (1) { + vTaskDelay(60000); + } +} + /* FreeRTOS */ /* server task */ WOLFSSL_ESP_TASK tls_smp_server_task(void *args) 
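Review bot: `halt_for_reboot()` never returns — it spins in `while (1) { vTaskDelay(60000); }` — but is not declared `noreturn`, so callers such as `if (ctx == NULL) { halt_for_reboot(...); }` later in the file are compiled as if execution continued and the compiler cannot flag dead code or use of an invalid `ctx` after it; declare it as `static __attribute__((noreturn)) void halt_for_reboot(const char* s)`. The name also promises a reboot the body does not perform; either call `esp_restart()` after logging, or rename it (for example `halt_forever`) so the behaviour is not misread when triaging a stuck device. `vTaskDelay(60000)` is in raw ticks here, unlike the `/ portTICK_PERIOD_MS` delays used in the rest of the file.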
@@ -131,151 +202,282 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args) int shutdown = 0; int ret; int ret_i; /* interim return values */ + int reset_heap = 0; socklen_t size = sizeof(clientAddr); size_t len; -#if 0 - /* optionally set TCP RTO. See also below. */ - int rto_min = 200; /* Minimum TCP RTO in milliseconds */ -#endif + size_t success_ct = 0; /* number of client connect successes */ + size_t failure_ct = 0; /* number of client connect failures */ + /* declare wolfSSL objects */ - WOLFSSL_CTX* ctx; - WOLFSSL* ssl; + WOLFSSL_CTX* ctx; + WOLFSSL* ssl; +#if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_NO_MALLOC) + size_t this_heap = 0; +#endif + +#if defined(CONFIG_ESP_WOLFSSL_TCP_REUSE) && (CONFIG_ESP_WOLFSSL_TCP_REUSE > 0) + /* optionally set TCP reuse. See also below. */ + int tcp_reuse = 1; +#endif WOLFSSL_ENTER("tls_smp_server_task"); #ifdef DEBUG_WOLFSSL + /* Turn debugging off as needed: */ + wolfSSL_Debugging_OFF(); wolfSSL_Debugging_ON(); ShowCiphers(NULL); #endif +#if defined(SINGLE_THREADED) + /* No startup delay */ +#else + /* Brief delay to allow the main task to be deleted and free memory. */ + vTaskDelay(100); +#endif + /* Initialize wolfSSL */ - WOLFSSL_MSG("Start wolfSSL_Init()"); - wolfSSL_Init(); + ESP_LOGI(TAG, "Start wolfSSL_Init()"); + ret_i = wolfSSL_Init(); + if (ret_i != WOLFSSL_SUCCESS) { + ESP_LOGE(TAG, "Failed to initialize wolfSSL"); + } - /* Create a socket that uses an internet IPv4 address, + /* Create a socket that uses an Internet IPv4 address, * Sets the socket to be stream based (TCP), * 0 means choose the default protocol. 
*/ WOLFSSL_MSG( "start socket())"); - if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { - ESP_LOGE(TAG, "ERROR: failed to create the socket"); + if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == -1) { + halt_for_reboot("ERROR: failed to create the socket"); } - /* Optionally set TCP RTO - setsockopt(sockfd, IPPROTO_TCP, TCP_RTO_MIN, &rto_min, sizeof(rto_min)); */ + /* Optionally set TCP Socket Reuse. */ +#if defined(CONFIG_ESP_WOLFSSL_TCP_REUSE) && (CONFIG_ESP_WOLFSSL_TCP_REUSE > 0) + setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &tcp_reuse, sizeof(tcp_reuse)); +#ifdef SO_REUSEPORT /* not always available on lwIP */ + setsockopt(sockfd, SOL_SOCKET, SO_REUSEPORT, &tcp_reuse, sizeof(tcp_reuse)); +#endif /* SO_REUSEPORT */ +#endif /* optional TCP reuse */ /* Create and initialize WOLFSSL_CTX */ WOLFSSL_MSG("Create and initialize WOLFSSL_CTX"); -#if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_LOW_MEMORY) + ESP_LOGW(TAG, "Warning: TLS 1.3 enabled on low-memory device."); +#endif +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_NO_TLS12) + ESP_LOGW(TAG, "Creating TLS 1.3 (only) server context..."); + ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()); +#elif defined(WOLFSSL_TLS13) + ESP_LOGI(TAG, "Creating TLS (1.2 or 1.3) server context..."); ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); - /* ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()); for only TLS 1.3 */ +#else + ESP_LOGW(TAG, "Creating TLS 1.2 (only) server context..."); + ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method()); +#endif /* TLS 1.2 or TLS 1.3 */ if (ctx == NULL) { - ESP_LOGE(TAG, "ERROR: failed to create WOLFSSL_CTX"); + halt_for_reboot("ERROR: failed to create wolfSSL ctx"); } -#else - if ((ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())) == NULL) { - ESP_LOGE(TAG, "ERROR: failed to create WOLFSSL_CTX"); + + + // TODO Begin fix or remove + /* There's some temporary, non-working static memory */ + +#ifndef 
NO_WOLFSSL_CLIENT + ret = wolfSSL_CTX_UseMaxFragment(ctx, WOLFSSL_MFL_2_9); + if (ret == WOLFSSL_SUCCESS) { + WOLFSSL_MSG("wolfSSL_CTX_UseMaxFragment success"); + } + else { + halt_for_reboot("ERROR: failed wolfSSL_CTX_UseMaxFragment"); } #endif -#if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) - ESP_LOGI(TAG, "Start SM3\n"); +#if 0 + WOLFSSL_MSG("memory success, create gen pool"); + ret = wolfSSL_CTX_load_static_memory(&ctx, + wolfTLSv1_2_server_method_ex, + genPool, GEN_POOL_SZ, + WOLFMEM_GENERAL, /* general pool */ + MAX_CONNS); + if (ret != WOLFSSL_SUCCESS) { + ESP_LOGE(TAG, "ERROR: failed to create static memory WOLFSSL_CTX"); + } + else { + WOLFSSL_MSG("wolfSSL_CTX_load_static_memory success"); + } +#endif - /* Optional set explicit ciphers - ret = wolfSSL_CTX_set_cipher_list(ctx, WOLFSSL_ESP32_CIPHER_SUITE); - if (ret == SSL_SUCCESS) { - ESP_LOGI(TAG, "Set cipher list: "WOLFSSL_ESP32_CIPHER_SUITE"\n"); +#if defined(WOLFSSL_STATIC_MEMORY) + WOLFSSL_HEAP_HINT* heap = NULL; + ret = wc_LoadStaticMemory(&heap, genPool, sizeof(genPool), + WOLFMEM_GENERAL, MAX_CONNS); + if (ret == 0) { + WOLFSSL_MSG("wc_LoadStaticMemory success"); + /* default heap for any NULL-heap calls */ + wolfSSL_SetGlobalHeapHint(heap); } else { - ESP_LOGE(TAG, "ERROR: failed to set cipher list: "WOLFSSL_ESP32_CIPHER_SUITE"\n"); + ESP_LOGE(TAG, "ERROR: failed to create static memory heap"); } - */ - ShowCiphers(NULL); - ESP_LOGI(TAG, "Stack used: %d\n", CONFIG_ESP_MAIN_TASK_STACK_SIZE - - uxTaskGetStackHighWaterMark(NULL)); - WOLFSSL_MSG("Loading certificate..."); - /* -c Load server certificates into WOLFSSL_CTX */ - ret = wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, - CTX_SERVER_CERT, - CTX_SERVER_CERT_SIZE, - CTX_SERVER_CERT_TYPE - ); - -/* optional wolfSSL_CTX_use_certificate_buffer - ret = wolfSSL_CTX_use_certificate_buffer(ctx, - server_sm2, - sizeof_server_sm2, - WOLFSSL_FILETYPE_PEM); -*/ - if (ret == SSL_SUCCESS) { - ESP_LOGI(TAG, "Loaded 
server_sm2\n"); + const WOLFSSL_METHOD* method = wolfTLSv1_2_server_method_ex(heap); + ctx = wolfSSL_CTX_new_ex((WOLFSSL_METHOD*)method, heap); + if (ctx == NULL) { + halt_for_reboot("ERROR: failed to create ctx on static heap"); + } + + ret = wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-AES128-GCM-SHA256"); + if (ret == WOLFSSL_SUCCESS) { + WOLFSSL_MSG("wolfSSL_CTX_set_cipher_list success"); } else { - ESP_LOGE(TAG, "ERROR: failed to load cert\n"); + halt_for_reboot("ERROR: failed wolfSSL_CTX_set_cipher_list"); } - ESP_LOGI(TAG, "Stack used: %d\n", CONFIG_ESP_MAIN_TASK_STACK_SIZE - - uxTaskGetStackHighWaterMark(NULL)); -#ifndef NO_DH - #define DEFAULT_MIN_DHKEY_BITS 1024 - #define DEFAULT_MAX_DHKEY_BITS 2048 - int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS; - ret = wolfSSL_CTX_SetMinDhKey_Sz(ctx, (word16)minDhKeyBits); + ret = wolfSSL_CTX_load_static_memory(&ctx, NULL, + ioPool, IO_POOL_SZ, + WOLFMEM_IO_POOL_FIXED | WOLFMEM_TRACK_STATS, + MAX_CONNS); + if (ret == WOLFSSL_SUCCESS) { + WOLFSSL_MSG("wolfSSL_CTX_load_static_memory IO Pool success"); + } + else { + halt_for_reboot("ERROR: failed to create static memory heap"); + } + /* + #define WOLFMEM_GENERAL 0x01 + #define WOLFMEM_IO_POOL 0x02 + #define WOLFMEM_IO_POOL_FIXED 0x04 + #define WOLFMEM_TRACK_STATS 0x08 + **/ +#else + +#endif /* ctx via heap or WOLFSSL_STATIC_MEMORY */ + +#if defined(USE_CERT_BUFFERS_1024) + /* The x1024 test certs are in current user_settings.h, but not default. + * Smaller certs are typically used with smaller RAM devices.(ESP8266) + * Example client will need explicit params: + * ./examples/client/client -h 192.168.1.48 -p 11111 -v 3 \ + * -A ./certs/1024/ca-cert.pem \ + * -c ./certs/1024/client-cert.pem \ + * -k ./certs/1024/client-key.pem -d + */ + ESP_LOGW(TAG, "Example certificates USE_CERT_BUFFERS_1024 (not default)"); +#endif +#if defined(USE_CERT_BUFFERS_2048) + /* Anything other than this x2048 default is a warning or error. 
+ * + * Example TLS 1.2 client with default build does not need explicit cert: + * ./examples/client/client -h 192.168.1.47 -p 11111 -v 3 + * + * Example TLS 1.3 client: + * ./examples/client/client -h 192.168.1.47 -p 11111 -v 4 + */ + ESP_LOGI(TAG, "Example certificates USE_CERT_BUFFERS_2048"); +#endif +#if defined(USE_CERT_BUFFERS_3072) + /* The x3072 test certs are not in current user_settings.h */ + ESP_LOGE(TAG, "Example certificates USE_CERT_BUFFERS_3072 (not default)"); #endif -#ifndef NO_RSA - #define DEFAULT_MIN_RSAKEY_BITS 1024 - short minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS; - ret = wolfSSL_CTX_SetMinRsaKey_Sz(ctx, minRsaKeyBits); +#if defined(USE_CERT_BUFFERS_4096) + /* The x3072 test certs are not in current user_settings.h */ + ESP_LOGE(TAG, "Example certificates USE_CERT_BUFFERS_4096 (not default)"); #endif - WOLFSSL_MSG("Loading key info..."); - /* -k Load server key into WOLFSSL_CTX */ +#if (0) + /* Optionally disable CRL checks */ + wolfSSL_CTX_DisableCRL(ctx); +#endif + +#if (0) + #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) + #ifndef NO_DH + #define DEFAULT_MIN_DHKEY_BITS 1024 + #define DEFAULT_MAX_DHKEY_BITS 2048 + int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS; + ret = wolfSSL_CTX_SetMinDhKey_Sz(ctx, (word16)minDhKeyBits); + #endif + #ifndef NO_RSA + #define DEFAULT_MIN_RSAKEY_BITS 1024 + short minRsaKeyBits = DEFAULT_MIN_RSAKEY_BITS; + ret = wolfSSL_CTX_SetMinRsaKey_Sz(ctx, minRsaKeyBits); + #endif + #endif +#endif + +#if (0) + wolfSSL_CTX_SetMinVersion(ctx, WOLFSSL_TLSV1_3); + wolfSSL_CTX_set_cipher_list(ctx, "TLS13-SM4-GCM-SM3"); +#endif + + /* Identify certificates used, typically in wolfssl/certs_test[_sm].h */ + ESP_LOGI(TAG, "Loading server certificate %s", CTX_SERVER_CERT_NAME); + /* Load server certificates into WOLFSSL_CTX, to send to client */ + ret = wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, + CTX_SERVER_CERT, + CTX_SERVER_CERT_SIZE, + CTX_SERVER_CERT_TYPE); + if (ret != SSL_SUCCESS) { + /* Always 
clean up when errors encountered */ + wolfSSL_CTX_free(ctx); + ctx = NULL; + halt_for_reboot("ERROR: failed to load cert"); + } + + ESP_LOGI(TAG, "Loading server key %s", CTX_SERVER_KEY_NAME); + /* Load server key into WOLFSSL_CTX */ ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, CTX_SERVER_KEY, CTX_SERVER_KEY_SIZE, CTX_SERVER_KEY_TYPE); - - if (ret == SSL_SUCCESS) { - ESP_LOGI(TAG, "Loaded PrivateKey_buffer server_sm2_priv\n"); - } - else { - ESP_LOGE(TAG, "ERROR: failed to load " - "PrivateKey_buffer server_sm2_priv\n"); + if (ret != SSL_SUCCESS) { + /* Always clean up when errors encountered */ + wolfSSL_CTX_free(ctx); + ctx = NULL; + halt_for_reboot("ERROR: failed to load privatekey"); } - ESP_LOGI(TAG, "Stack used: %d\n", CONFIG_ESP_MAIN_TASK_STACK_SIZE - - uxTaskGetStackHighWaterMark(NULL)); - /* -A load authority */ + +#if defined(MY_PEER_VERIFY) && MY_PEER_VERIFY + #if defined(USE_CERT_BUFFERS_256) && !defined(sizeof_server_ecc_cert) + /* Currently there are only DER format ECC examples in certs_test.h so + * only a leaf cert is available. 
+ * + * Use a PEM for leaf + CA + * or disable peer verification */ + #error "Peer verify not available for ECC USE_CERT_BUFFERS_256" + #endif + + ESP_LOGI(TAG, "Set verify: verify peer, fail if no peer..."); + + wolfSSL_CTX_set_verify(ctx, + (WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT | + WOLFSSL_VERIFY_PEER), + NULL); + /* -A */ + ESP_LOGI(TAG, "Load verify cert %s", CTX_CLIENT_CERT_NAME); ret = wolfSSL_CTX_load_verify_buffer(ctx, - client_sm2, - sizeof_client_sm2, - WOLFSSL_FILETYPE_PEM); - if (ret == SSL_SUCCESS) { - ESP_LOGI(TAG, "Success: load verify buffer\n"); - } - else { - ESP_LOGE(TAG, "ERROR: failed to load verify buffer\n"); + CTX_CLIENT_CERT, + CTX_CLIENT_CERT_SIZE, + CTX_CLIENT_CERT_TYPE); + if (ret != SSL_SUCCESS) { + wolfSSL_CTX_free(ctx); + ctx = NULL; + halt_for_reboot("ERROR: failed to load wolfSSL_CTX_load_verify_buffer"); } - ESP_LOGI(TAG, "Finish SM2\n"); #else - WOLFSSL_MSG("Loading certificate..."); - /* Load server certificates into WOLFSSL_CTX */ + ESP_LOGI(TAG, "CTX SSL_VERIFY_NONE"); + wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); +#endif - if ((ret = wolfSSL_CTX_use_certificate_buffer(ctx, server_cert_der_2048, - sizeof_server_cert_der_2048, - WOLFSSL_FILETYPE_ASN1)) != SSL_SUCCESS) { - ESP_LOGE(TAG, "ERROR: failed to load cert"); - } - WOLFSSL_MSG("Loading key info..."); - /* Load server key into WOLFSSL_CTX */ - if((ret=wolfSSL_CTX_use_PrivateKey_buffer(ctx, - server_key_der_2048, sizeof_server_key_der_2048, - WOLFSSL_FILETYPE_ASN1)) != SSL_SUCCESS) { - ESP_LOGE(TAG, "ERROR: failed to load privatekey"); - } +/* TODO cleanup: + * ./examples/client/client -h 192.168.1.107 -v 3 -l ECDHE-ECDSA-SM4-CBC-SM3 -c ./certs/sm2/client-sm2.pem -k ./certs/sm2/client-sm2-priv.pem -A ./certs/sm2/ca-sm2.pem -C + ./examples/client/client -v 3 -l ECDHE-ECDSA-SM4-CBC-SM3 -h 192.168.1.107 -c ./certs/sm2/client-sm2.pem -k ./certs/sm2/client-sm2-priv.pem -A ./certs/sm2/root-sm2.pem -C -#endif +./examples/client/client -v 4 -l "$CIPHER" -h 192.168.1.107 -c 
./certs/sm2/client-sm2.pem -k ./certs/sm2/client-sm2-priv.pem -A ./certs/sm2/root-sm2.pem -C + **/ /* TODO when using ECDSA,it loads the provisioned certificate and present it. TODO when using ECDSA,it uses the generated key instead of loading key */ @@ -289,12 +491,14 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args) /* Bind the server socket to our port */ if (bind(sockfd, (struct sockaddr*)&servAddr, sizeof(servAddr)) == -1) { - ESP_LOGE(TAG, "ERROR: failed to bind"); + halt_for_reboot("ERROR: failed to bind"); } /* Listen for a new connection, allow 5 pending connections */ if (listen(sockfd, 5) == -1) { - ESP_LOGE(TAG, "ERROR: failed to listen"); + ESP_LOGE(TAG, "ERROR: failed to listen on port %d", + TLS_SMP_DEFAULT_PORT); + halt_for_reboot("sockd == -1"); } #if defined(WOLFSSL_ESPWROOM32SE) && defined(HAVE_PK_CALLBACKS) \ 
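Review bot: Under `WOLFSSL_STATIC_MEMORY` the context created by `wolfSSL_CTX_new()` a few lines earlier is overwritten by `ctx = wolfSSL_CTX_new_ex((WOLFSSL_METHOD*)method, heap);` without being released, so the first context leaks on every task start; add `wolfSSL_CTX_free(ctx); ctx = NULL;` before the static-heap creation, or fold the method selection into a single path (the `// TODO Begin fix or remove` marker suggests this block is still in flux). The `wolfSSL_Init()` failure branch only logs `Failed to initialize wolfSSL` and then continues to create the socket and context, unlike every other failure in this hunk which calls `halt_for_reboot()`; the same treatment there would be consistent. `MY_PEER_VERIFY` is defined unconditionally at the top of the file, so the `#if defined(MY_PEER_VERIFY) && MY_PEER_VERIFY` branch cannot be switched from user_settings.h or Kconfig; an `#ifndef MY_PEER_VERIFY` guard around that define would allow it. The `USE_CERT_BUFFERS_4096` comment still says `x3072` (copy-paste). tls_smp_server_task continues past this hunk.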
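Review bot: `halt_for_reboot("sockd == -1");` in the `listen()` failure branch names the wrong call (and misspells `sockfd`), so the halt log points away from the real fault; `halt_for_reboot("ERROR: failed to listen");` matches the `bind()` branch above and the `ESP_LOGE` line it follows. tls_smp_server_task continues on both sides of this hunk.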
@@ -310,14 +514,34 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args) ESP_LOGI(TAG, "Initial stack used: %d\n", TLS_SMP_SERVER_TASK_BYTES - uxTaskGetStackHighWaterMark(NULL) ); #endif - ESP_LOGI(TAG, "accept clients..."); + + ESP_LOGI(TAG, "----------------------------------------------------------"); + ESP_LOGI(TAG, "Begin connection loop..."); + ESP_LOGI(TAG, "----------------------------------------------------------"); /* Continue to accept clients until shutdown is issued */ while (!shutdown) { - WOLFSSL_MSG("Waiting for a connection..."); -#if ESP_IDF_VERSION_MAJOR >=4 - /* TODO: IP Address is problematic in RTOS SDK 3.4 */ - wifi_show_ip(); +#ifdef HAVE_STACK_HEAP_INFO + ret_i = esp_sdk_stack_heap_info(reset_heap); + if (ret_i != ESP_OK) { + ESP_LOGE(TAG, "ERROR: stack and heap check"); + } +#endif +#if defined(ESP_SDK_UTIL_LIB_VERSION) && \ + (ESP_SDK_UTIL_LIB_VERSION > 1) + esp_sdk_device_show_info(); #endif +#ifdef USE_WOLFSSL_ESP_SDK_WIFI + esp_sdk_wifi_show_ip(); +#endif +#ifdef CTX_CERT_SET_NAME + ESP_LOGI(TAG, "Certificate set in use:"); + ESP_LOGI(TAG, "-- %s", CTX_CERT_SET_NAME); +#else + /* Check user_settings.h and wolfssl version. */ + ESP_LOGW(TAG, "Unknown Certificates in use!"); +#endif + ESP_LOGI(TAG, "Waiting for a connection on port %d ...", + TLS_SMP_DEFAULT_PORT); /* Accept client socket connections */ if ((connd = accept(sockfd, (struct sockaddr*)&clientAddr, &size)) == -1) { @@ -328,12 +552,11 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args) #endif /* Create a WOLFSSL object */ if ((ssl = wolfSSL_new(ctx)) == NULL) { - ESP_LOGE(TAG, "ERROR: failed to create WOLFSSL object"); + halt_for_reboot("ERROR: failed to create (WOLFSSL*) ssl object"); } else { -#ifdef DEBUG_WOLFSSL +#if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_NO_MALLOC) ESP_LOGI(TAG, "\nCreated WOLFSSL object:"); - ShowCiphers(ssl); this_heap = esp_get_free_heap_size(); ESP_LOGI(TAG, "tls_smp_client_task heap @ %p = %d", &this_heap, this_heap); 
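Review bot: `halt_for_reboot("ERROR: failed to create (WOLFSSL*) ssl object");` on a `wolfSSL_new()` failure permanently stops the accept loop while `connd` is still open, so a single transient heap shortfall on a small device takes the server down until reset; closing the accepted socket and continuing (`close(connd); failure_ct++; continue;`) would let it recover and keep the counters meaningful. If halting is the intended policy for the example, a comment should say so, since `wolfSSL_accept` errors a few lines later are handled non-fatally. The enclosing `while (!shutdown)` loop continues past this hunk.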
@@ -364,6 +587,14 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args) ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is not enabled, not using PQ."); #endif } + +#if defined(MY_PEER_VERIFY) && MY_PEER_VERIFY + /* SSL verify peer enabled by default */ +#else + wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); + ESP_LOGI(TAG, "ssl SSL_VERIFY_NONE"); +#endif + /* show what cipher connected for this WOLFSSL* object */ ShowCiphers(ssl); 
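Review bot: The `#else` branch's `wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);` repeats on the `WOLFSSL` object what `wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0)` already set on the context it was created from; if, as I read wolfSSL, a new `WOLFSSL` inherits the context's verify mode, the call is redundant and the `ssl SSL_VERIFY_NONE` log line is its only effect. The two sites also mix the legacy `SSL_VERIFY_NONE` spelling with the `WOLFSSL_VERIFY_PEER` / `WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT` names used on the verifying path; `WOLFSSL_VERIFY_NONE` in both keeps the example on one naming scheme. tls_smp_server_task continues outside this hunk.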
@@ -373,46 +604,54 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args) /* Establish TLS connection */ ret = wolfSSL_accept(ssl); if (ret == SSL_SUCCESS) { - ShowCiphers(ssl); - const char* curve = wolfSSL_get_curve_name(ssl); - ESP_LOGI(TAG, "Server negotiated key share group: %s", curve); + ESP_LOGI(TAG, "Client connected successfully"); + + /* Read the client data into our buff array */ + memset(buff, 0, sizeof(buff)); + if (wolfSSL_read(ssl, buff, sizeof(buff)-1) == -1) { + ESP_LOGE(TAG, "ERROR: failed to read"); + } + + ESP_LOGI(TAG, "Client sends: %s", buff); + + /* Check for server shutdown command */ + if (strncmp(buff, "shutdown", 8) == 0) { + ESP_LOGI(TAG, "Shutdown command issued!"); + shutdown = 1; + } + /* Write our reply into buff */ + memset(buff, 0, sizeof(buff)); + memcpy(buff, msg, sizeof(msg)); + len = strnlen(buff, sizeof(buff)); + /* Reply back to the client */ + if (wolfSSL_write(ssl, buff, len) == len) { + success_ct++; + } + else { + ESP_LOGE(TAG, "ERROR: failed to write"); + failure_ct++; + } } else { ESP_LOGE(TAG, "wolfSSL_accept error %d", wolfSSL_get_error(ssl, ret)); } - ESP_LOGI(TAG, "Client connected successfully"); - - /* Read the client data into our buff array */ - memset(buff, 0, sizeof(buff)); - if (wolfSSL_read(ssl, buff, sizeof(buff)-1) == -1) { - ESP_LOGE(TAG, "ERROR: failed to read"); - } - - ESP_LOGI(TAG, "Client sends: %s", buff); - /* Check for server shutdown command */ - if (strncmp(buff, "shutdown", 8) == 0) { - ESP_LOGI(TAG, "Shutdown command issued!"); - shutdown = 1; - } - /* Write our reply into buff */ - memset(buff, 0, sizeof(buff)); - memcpy(buff, msg, sizeof(msg)); - len = strnlen(buff, sizeof(buff)); - /* Reply back to the client */ - if (wolfSSL_write(ssl, buff, len) != len) { - ESP_LOGE(TAG, "ERROR: failed to write"); - } - ESP_LOGI(TAG, "Done! Cleanup..."); + ESP_LOGI(TAG, "Done! Cleanup... 
"); /* Cleanup after this connection */ + ESP_LOGI(TAG, "wolfSSL_free..."); wolfSSL_free(ssl); /* Free the wolfSSL object */ + ESP_LOGI(TAG, "close connection..."); close(connd); /* Close the connection to the client */ #ifdef WOLFSSL_EXAMPLE_VERBOSITY ESP_LOGI(TAG, "Stack used: %d\n", TLS_SMP_SERVER_TASK_BYTES - uxTaskGetStackHighWaterMark(NULL)); #endif - } /* !shutdown */ + ESP_LOGI(TAG, "End connection loop: %d successes, %d failures", + success_ct, failure_ct); + } /* -------------------------- !shutdown loop -------------------- */ + + ESP_LOGI(TAG, "Done! Cleanup and delete this task."); /* Cleanup and return */ wolfSSL_free(ssl); /* Free the wolfSSL object */ wolfSSL_CTX_free(ctx); /* Free the wolfSSL context object */ @@ -427,25 +666,33 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args) #if defined(SINGLE_THREADED) /* we don't initialize a thread */ #else + +// TODO: these should always be available +#define TLS_SMP_SERVER_TASK_BYTES (16 * 1024) +#define TLS_SMP_SERVER_TASK_NAME "task" +#define TLS_SMP_SERVER_TASK_PRIORITY 5 + /* create task */ WOLFSSL_ESP_TASK tls_smp_server_init(void* args) { + int thisPort = 0; + int ret_i = 0; /* interim return result */ #if defined(SINGLE_THREADED) #define TLS_SMP_CLIENT_TASK_RET ret #else #define TLS_SMP_CLIENT_TASK_RET #endif - int thisPort = 0; - int ret_i = 0; /* interim return result */ - if (thisPort == 0) { - thisPort = TLS_SMP_DEFAULT_PORT; - } #if ESP_IDF_VERSION_MAJOR >= 4 TaskHandle_t _handle; #else xTaskHandle _handle; #endif + + if (thisPort == 0) { + thisPort = TLS_SMP_DEFAULT_PORT; + } + /* Note that despite vanilla FreeRTOS using WORDS for a parameter, * Espressif uses BYTES for the task stack size here. */ ESP_LOGI(TAG, "Creating tls_smp_server_task with stack size = %d", @@ -465,4 +712,3 @@ WOLFSSL_ESP_TASK tls_smp_server_init(void* args) return TLS_SMP_CLIENT_TASK_RET; } #endif - 
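Review bot: `ESP_LOGI(TAG, "End connection loop: %d successes, %d failures", success_ct, failure_ct);` passes two `size_t` counters to `%d`; use `%zu` (or cast to `unsigned` with `%u`) so the format matches and `-Wformat` stays clean. In the success branch a failed `wolfSSL_read()` only logs and then falls through to the `shutdown` comparison, the reply write and `success_ct++`, so a connection whose request was never received is still counted as a success; moving the reply into the read's `else` branch, or `failure_ct++;` with an early skip, would keep the counters honest. The `wolfSSL_accept` error path likewise logs without touching `failure_ct`. Checking `wolfSSL_read()` for `<= 0` rather than `== -1` would also cover the peer closing the connection, which wolfSSL reports as 0 if I recall correctly. The loop body continues past this hunk.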
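Review bot: The three new unconditional `#define TLS_SMP_SERVER_TASK_BYTES (16 * 1024)`, `TLS_SMP_SERVER_TASK_NAME` and `TLS_SMP_SERVER_TASK_PRIORITY` lines will trigger redefinition diagnostics if `server-tls.h` or a Kconfig-derived header already provides them, and otherwise silently override any project-configured stack size; wrap each in `#ifndef`, which is what the `// TODO: these should always be available` comment itself implies they are meant to be. `TLS_SMP_SERVER_TASK_BYTES` is also used by the `Initial stack used` logging earlier in the file, so the fallback should agree with whatever the header default is. tls_smp_server_init's body continues past this hunk.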
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/time_helper.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/time_helper.c deleted file mode 100644 index 20779ffac5..0000000000 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/time_helper.c +++ /dev/null 
@@ -1,381 +0,0 @@ -/* time_helper.c - * - * Copyright (C) 2006-2025 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -/* See https://tf.nist.gov/tf-cgi/servers.cgi */ - -/* common Espressif time_helper v5.6.6.001 */ -#include "sdkconfig.h" -#include "time_helper.h" - -#include -#include - -#if defined(ESP_IDF_VERSION_MAJOR) && defined(ESP_IDF_VERSION_MINOR) - #if (ESP_IDF_VERSION_MAJOR == 5) && (ESP_IDF_VERSION_MINOR >= 1) - #define HAS_ESP_NETIF_SNTP 1 - #include - #include - #else - #include - #include - #endif -#else - /* TODO Consider non ESP-IDF environments */ -#endif - -/* ESP-IDF uses a 64-bit signed integer to represent time_t starting from - * release v5.0. See: Espressif api-reference/system/system_time */ - -/* see https://www.gnu.org/software/libc/manual/html_node/TZ-Variable.html */ -#ifndef TIME_ZONE - /* - * PST represents Pacific Standard Time. - * +8 specifies the offset from UTC (Coordinated Universal Time), indicating - * that Pacific Time is UTC-8 during standard time. - * PDT represents Pacific Daylight Time. - * M3.2.0 indicates that Daylight Saving Time (DST) starts on the - * second (2) Sunday (0) of March (3). 
- * M11.1.0 indicates that DST ends on the first (1) Sunday (0) of November (11) - */ - #define TIME_ZONE "PST+8PDT,M3.2.0,M11.1.0" -#endif /* not defined: TIME_ZONE, so we are setting our own */ - -#define NTP_RETRY_COUNT 10 - -/* NELEMS(x) number of elements - * To determine the number of elements in the array, we can divide the total - * size of the array by the size of the array element. - * See https://stackoverflow.com/questions/37538/how-do-i-determine-the-size-of-my-array-in-c - **/ -#define NELEMS(x) ( (int)(sizeof(x) / sizeof((x)[0])) ) - -/* See also CONFIG_LWIP_SNTP_MAX_SERVERS in sdkconfig */ -#define NTP_SERVER_LIST ( (char*[]) { \ - "pool.ntp.org", \ - "time.nist.gov", \ - "utcnist.colorado.edu" \ - } \ - ) -/* #define NTP_SERVER_COUNT using NELEMS: - * - * (int)(sizeof(NTP_SERVER_LIST) / sizeof(NTP_SERVER_LIST[0])) - */ -#define NTP_SERVER_COUNT NELEMS(NTP_SERVER_LIST) - -#ifndef CONFIG_LWIP_SNTP_MAX_SERVERS - /* We should find max value in sdkconfig, if not set it to our count:*/ - #define CONFIG_LWIP_SNTP_MAX_SERVERS NTP_SERVER_COUNT -#endif - -char* ntpServerList[NTP_SERVER_COUNT] = NTP_SERVER_LIST; - -const static char* TAG = "time_helper"; - -/* our NTP server list is global info */ -extern char* ntpServerList[NTP_SERVER_COUNT]; - -/* Show the current date and time */ -int esp_show_current_datetime(void) -{ - time_t now; - char strftime_buf[64]; - struct tm timeinfo; - - time(&now); - setenv("TZ", TIME_ZONE, 1); - tzset(); - - localtime_r(&now, &timeinfo); - strftime(strftime_buf, sizeof(strftime_buf), "%c", &timeinfo); - ESP_LOGI(TAG, "The current date/time is: %s", strftime_buf); - return ESP_OK; -} - -/* the worst-case scenario is a hard-coded date/time */ -int set_fixed_default_time(void) -{ - /* ideally, we'd like to set time from network, - * but let's set a default time, just in case */ - struct tm timeinfo = { - .tm_year = 2024 - 1900, - .tm_mon = 10, - .tm_mday = 11, - .tm_hour = 13, - .tm_min = 01, - .tm_sec = 05 - }; - struct timeval 
now; - time_t interim_time; - int ret = -1; - - /* set interim static time */ - interim_time = mktime(&timeinfo); - - ESP_LOGI(TAG, "Adjusting time from fixed value"); - now = (struct timeval){ .tv_sec = interim_time }; - ret = settimeofday(&now, NULL); - ESP_LOGI(TAG, "settimeofday result = %d", ret); - return ret; -} - -/* probably_valid_time_string(s) - * - * some sanity checks on time string before calling sscanf() - * - * returns 0 == ESP_OK == Success if str is likely a valid time. - * -1 == ESP_FAIL otherwise - */ -int probably_valid_time_string(const char* str) -{ - int ret = ESP_OK; - size_t length = 0; - size_t spaces = 0; - size_t colons = 0; - - while (str[length] != '\0') { - if (str[length] == ' ') { - spaces++; - } - if (str[length] == ':') { - colons++; - } - length++; - } - - if ((length > 32) || (spaces < 4) || (spaces > 5) || (colons > 2)) { - ret = ESP_FAIL; - ESP_LOGE(TAG, "ERROR, failed time sanity check: %s", str); - } - return ret; -} - -/* set_time_from_string(s) - * - * returns 0 = success if able to set the time from the provided string - * error for any other value, typically -1 */ -int set_time_from_string(const char* time_buffer) -{ - /* expecting github default formatting: 'Thu Aug 31 12:41:45 2023 -0700' */ - char offset[28]; /* large arrays, just in case there's still bad data */ - char day_str[28]; - char month_str[28]; - const char *format = "%3s %3s %d %d:%d:%d %d %s"; - struct tm this_timeinfo; - struct timeval now; - time_t interim_time; - int day, year, hour, minute, second; - int quote_offset = 0; - int ret = 0; - - /* perform some basic sanity checks */ - ret = probably_valid_time_string(time_buffer); - if (ret == ESP_OK) { - /* we are expecting the string to be encapsulated in single quotes */ - if (*time_buffer == 0x27) { - quote_offset = 1; - } - - ret = sscanf(time_buffer + quote_offset, - format, - day_str, month_str, - &day, &hour, &minute, &second, &year, &offset); - - if (ret == 8) { - /* we found a match for all 
components */ - - const char *months[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun", - "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" - }; - - for (int i = 0; i < 12; i++) { - if (strcmp(month_str, months[i]) == 0) { - this_timeinfo.tm_mon = i; - break; - } - } - - this_timeinfo.tm_mday = day; - this_timeinfo.tm_hour = hour; - this_timeinfo.tm_min = minute; - this_timeinfo.tm_sec = second; - this_timeinfo.tm_year = year - 1900; /* Years since 1900 */ - - interim_time = mktime(&this_timeinfo); - now = (struct timeval){ .tv_sec = interim_time }; - ret = settimeofday(&now, NULL); - ESP_LOGI(TAG, "Time updated to %s", time_buffer); - } - else { - ESP_LOGE(TAG, "Failed to convert \"%s\" to a tm date.", - time_buffer); - ESP_LOGI(TAG, "Trying fixed date that was hard-coded...."); - set_fixed_default_time(); - ret = ESP_FAIL; - } - } - - return ret; -} - -/* set time; returns 0 if succecssfully configured with NTP */ -int set_time(void) -{ -#ifndef NTP_SERVER_COUNT - ESP_LOGW(TAG, "Warning: no sntp server names defined. " - "Setting to empty list"); - #define NTP_SERVER_COUNT 0 - #warning "NTP not properly configured" -#endif /* not defined: NTP_SERVER_COUNT */ - -#ifdef HAS_ESP_NETIF_SNTP - #if CONFIG_LWIP_SNTP_MAX_SERVERS > 1 - esp_sntp_config_t config = ESP_NETIF_SNTP_DEFAULT_CONFIG_MULTIPLE( - NTP_SERVER_COUNT, - ESP_SNTP_SERVER_LIST(ntpServerList[0]) - ); - #else - esp_sntp_config_t config = ESP_NETIF_SNTP_DEFAULT_CONFIG(ntpServerList[0]); - #endif /* CONFIG_LWIP_SNTP_MAX_SERVERS > 1 */ -#endif /* HAS_ESP_NETIF_SNTP */ - - int ret = 0; - int i = 0; /* counter for time servers */ - - ESP_LOGI(TAG, "Setting the time. 
Startup time:"); - esp_show_current_datetime(); - -#ifdef LIBWOLFSSL_VERSION_GIT_HASH_DATE - /* initially set a default approximate time from recent git commit */ - ESP_LOGI(TAG, "Found git hash date, attempting to set system date: %s", - LIBWOLFSSL_VERSION_GIT_HASH_DATE); - set_time_from_string(LIBWOLFSSL_VERSION_GIT_HASH_DATE"\0"); - esp_show_current_datetime(); - - ret = -4; -#else - /* otherwise set a fixed time that was hard coded */ - set_fixed_default_time(); - esp_show_current_datetime(); - ret = -3; -#endif - -#ifdef CONFIG_SNTP_TIME_SYNC_METHOD_SMOOTH - config.smooth_sync = true; -#endif - - if (NTP_SERVER_COUNT) { - /* next, let's setup NTP time servers - * - * see Espressifapi-reference/system/system_time.html#sntp-time-synchronization - * - * WARNING: do not set operating mode while SNTP client is running! - */ - /* TODO Consider esp_sntp_setoperatingmode(SNTP_OPMODE_POLL); */ - sntp_setoperatingmode(SNTP_OPMODE_POLL); - if (NTP_SERVER_COUNT > CONFIG_LWIP_SNTP_MAX_SERVERS) { - ESP_LOGW(TAG, "WARNING: %d NTP Servers defined, but " - "CONFIG_LWIP_SNTP_MAX_SERVERS = %d", - NTP_SERVER_COUNT,CONFIG_LWIP_SNTP_MAX_SERVERS); - } - ESP_LOGI(TAG, "sntp_setservername:"); - for (i = 0; i < CONFIG_LWIP_SNTP_MAX_SERVERS; i++) { - const char* thisServer = ntpServerList[i]; - if (strncmp(thisServer, "\x00", 1) == 0) { - /* just in case we run out of NTP servers */ - break; - } - ESP_LOGI(TAG, "%s", thisServer); - sntp_setservername(i, thisServer); - ret = ESP_OK; - } - #ifdef HAS_ESP_NETIF_SNTP - ret = esp_netif_sntp_init(&config); - #else - ESP_LOGW(TAG,"Warning: Consider upgrading ESP-IDF to take advantage " - "of updated SNTP libraries"); - #endif - if (ret == ESP_OK) { - ESP_LOGV(TAG, "Successfully called esp_netif_sntp_init"); - } - else { - ESP_LOGE(TAG, "ERROR: esp_netif_sntp_init return = %d", ret); - } - - sntp_init(); - switch (ret) { - case ESP_ERR_INVALID_STATE: - break; - default: - break; - } - ESP_LOGI(TAG, "sntp_init done."); - } - else { - 
ESP_LOGW(TAG, "No sntp time servers found."); - ret = -1; - } - - esp_show_current_datetime(); - ESP_LOGI(TAG, "time helper existing with result = %d", ret); - return ret; -} - -/* wait for NTP to actually set the time */ -int set_time_wait_for_ntp(void) -{ - int ret = 0; -#ifdef HAS_ESP_NETIF_SNTP - int ntp_retry = 0; - const int ntp_retry_count = NTP_RETRY_COUNT; - - ret = esp_netif_sntp_start(); - - ret = esp_netif_sntp_sync_wait(500 / portTICK_PERIOD_MS); -#else - ESP_LOGW(TAG, "HAS_ESP_NETIF_SNTP not defined"); -#endif /* HAS_ESP_NETIF_SNTP */ - esp_show_current_datetime(); - -#ifdef HAS_ESP_NETIF_SNTP - while (ret == ESP_ERR_TIMEOUT && (ntp_retry++ < ntp_retry_count)) { - ret = esp_netif_sntp_sync_wait(1000 / portTICK_PERIOD_MS); - ESP_LOGI(TAG, "Waiting for NTP to sync time... (%d/%d)", - ntp_retry, - ntp_retry_count); - esp_show_current_datetime(); - } -#endif /* HAS_ESP_NETIF_SNTP */ - -#ifdef TIME_ZONE - setenv("TZ", TIME_ZONE, 1); - tzset(); -#endif - - if (ret == ESP_OK) { - ESP_LOGI(TAG, "Successfully set time via NTP servers."); - } - else { - ESP_LOGW(TAG, "Warning: Failed to set time with NTP: " - "result = 0x%0x: %s", - ret, esp_err_to_name(ret)); - } - return ret; -} diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/wifi_connect.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/wifi_connect.c deleted file mode 100644 index 80311dc579..0000000000 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/wifi_connect.c +++ /dev/null 
@@ -1,403 +0,0 @@ -/* wifi_connect.c - * - * Copyright (C) 2006-2025 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ -#include "wifi_connect.h" - -/* FreeRTOS */ -#include -#include -#include - -/* Espressif */ -#include -#include -#include - -/* wolfSSL */ -/* Always include wolfcrypt/settings.h before any other wolfSSL file. */ -/* Reminder: settings.h pulls in user_settings.h; don't include it here. */ -#ifdef WOLFSSL_USER_SETTINGS - #include - #ifndef WOLFSSL_ESPIDF - #warning "Problem with wolfSSL user_settings." 
- #warning "Check components/wolfssl/include" - #endif - #include - #include -#else - /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include */ - /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */ - #error "Missing WOLFSSL_USER_SETTINGS in CMakeLists or Makefile:\ - CFLAGS +=-DWOLFSSL_USER_SETTINGS" -#endif - -/* When there's too little heap, WiFi quietly refuses to connect */ -#define WIFI_LOW_HEAP_WARNING 21132 - -#if defined(CONFIG_IDF_TARGET_ESP8266) -#elif ESP_IDF_VERSION_MAJOR >= 5 - /* example path set in cmake file */ -#elif ESP_IDF_VERSION_MAJOR >= 4 - #include "protocol_examples_common.h" -#else - const static int CONNECTED_BIT = BIT0; - static EventGroupHandle_t wifi_event_group; -#endif - -#if defined(CONFIG_IDF_TARGET_ESP8266) - -#elif defined(ESP_IDF_VERSION_MAJOR) && defined(ESP_IDF_VERSION_MINOR) - #if ESP_IDF_VERSION_MAJOR >= 4 - /* likely using examples, see wifi_connect.h */ - #else - /* TODO - still supporting pre V4 ? */ - const static int CONNECTED_BIT = BIT0; - static EventGroupHandle_t wifi_event_group; - #endif - #if (ESP_IDF_VERSION_MAJOR == 5) - #define HAS_WPA3_FEATURES - #else - #undef HAS_WPA3_FEATURES - #endif -#else - /* TODO Consider pre IDF v5? 
*/ -#endif - -/* breadcrumb prefix for logging */ -const static char *TAG = "wifi_connect"; - -#if defined(CONFIG_IDF_TARGET_ESP8266) -#ifndef CONFIG_ESP_MAX_STA_CONN - #define CONFIG_ESP_MAX_STA_CONN 4 -#endif -#define EXAMPLE_MAX_STA_CONN CONFIG_ESP_MAX_STA_CONN - -#define WIFI_CONNECTED_BIT BIT0 -#define WIFI_FAIL_BIT BIT1 -#ifndef CONFIG_ESP_MAXIMUM_RETRY - #define CONFIG_ESP_MAXIMUM_RETRY 5 -#endif -/* FreeRTOS event group to signal when we are connected*/ -static EventGroupHandle_t s_wifi_event_group; -static int s_retry_num = 0; - -#define EXAMPLE_ESP_MAXIMUM_RETRY CONFIG_ESP_MAXIMUM_RETRY -static void event_handler(void* arg, esp_event_base_t event_base, - int32_t event_id, void* event_data) -{ - if (event_base == WIFI_EVENT && event_id == WIFI_EVENT_STA_START) { - esp_wifi_connect(); - } else if (event_base == WIFI_EVENT && event_id == WIFI_EVENT_STA_DISCONNECTED) { - if (s_retry_num < EXAMPLE_ESP_MAXIMUM_RETRY) { - esp_wifi_connect(); - s_retry_num++; - ESP_LOGI(TAG, "retry to connect to the AP"); - } else { - xEventGroupSetBits(s_wifi_event_group, WIFI_FAIL_BIT); - } - ESP_LOGI(TAG,"connect to the AP fail"); - } else if (event_base == IP_EVENT && event_id == IP_EVENT_STA_GOT_IP) { - ip_event_got_ip_t* event = (ip_event_got_ip_t*) event_data; - ESP_LOGI(TAG, "got ip:%s", - ip4addr_ntoa(&event->ip_info.ip)); - s_retry_num = 0; - xEventGroupSetBits(s_wifi_event_group, WIFI_CONNECTED_BIT); - } -} - -int wifi_init_sta(void) -{ - word32 this_heap; - - s_wifi_event_group = xEventGroupCreate(); - - tcpip_adapter_init(); - - ESP_ERROR_CHECK(esp_event_loop_create_default()); - - wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT(); - ESP_ERROR_CHECK(esp_wifi_init(&cfg)); - - ESP_ERROR_CHECK(esp_event_handler_register(WIFI_EVENT, ESP_EVENT_ANY_ID, &event_handler, NULL)); - ESP_ERROR_CHECK(esp_event_handler_register(IP_EVENT, IP_EVENT_STA_GOT_IP, &event_handler, NULL)); - - wifi_config_t wifi_config = { - .sta = { - .ssid = EXAMPLE_ESP_WIFI_SSID, - .password = 
EXAMPLE_ESP_WIFI_PASS - }, - }; - - /* Setting a password implies station will connect to all security modes including WEP/WPA. - * However these modes are deprecated and not advisable to be used. In case your Access point - * doesn't support WPA2, these mode can be enabled by commenting below line */ - - if (strlen((char *)wifi_config.sta.password)) { - wifi_config.sta.threshold.authmode = WIFI_AUTH_WPA2_PSK; - } - - ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) ); - ESP_ERROR_CHECK(esp_wifi_set_config(ESP_IF_WIFI_STA, &wifi_config) ); - ESP_ERROR_CHECK(esp_wifi_start() ); - - ESP_LOGI(TAG, "wifi_init_sta finished. Connecting..."); - this_heap = esp_get_free_heap_size(); - ESP_LOGI(TAG, "this heap = %d", this_heap); - if (this_heap < WIFI_LOW_HEAP_WARNING) { - ESP_LOGW(TAG, "Warning: WiFi low heap: %d", WIFI_LOW_HEAP_WARNING); - } - /* Waiting until either the connection is established (WIFI_CONNECTED_BIT) or connection failed for the maximum - * number of re-tries (WIFI_FAIL_BIT). The bits are set by event_handler() (see above) */ - EventBits_t bits = xEventGroupWaitBits(s_wifi_event_group, - WIFI_CONNECTED_BIT | WIFI_FAIL_BIT, - pdFALSE, - pdFALSE, - portMAX_DELAY); - - ESP_LOGI(TAG, "xEventGroupWaitBits finished."); - /* xEventGroupWaitBits() returns the bits before the call returned, hence we can test which event actually - * happened. 
*/ - if (bits & WIFI_CONNECTED_BIT) { - ESP_LOGI(TAG, "connected to ap SSID:%s", - EXAMPLE_ESP_WIFI_SSID); - } else if (bits & WIFI_FAIL_BIT) { - ESP_LOGI(TAG, "Failed to connect to SSID:%s, password:%s", - EXAMPLE_ESP_WIFI_SSID, EXAMPLE_ESP_WIFI_PASS); - } else { - ESP_LOGE(TAG, "UNEXPECTED EVENT"); - } - - ESP_ERROR_CHECK(esp_event_handler_unregister(IP_EVENT, IP_EVENT_STA_GOT_IP, &event_handler)); - ESP_ERROR_CHECK(esp_event_handler_unregister(WIFI_EVENT, ESP_EVENT_ANY_ID, &event_handler)); - vEventGroupDelete(s_wifi_event_group); - return ESP_OK; -} - -#elif ESP_IDF_VERSION_MAJOR < 4 -/* event handler for wifi events */ -static esp_err_t wifi_event_handler(void *ctx, system_event_t *event) -{ - switch (event->event_id) - { - case SYSTEM_EVENT_STA_START: - esp_wifi_connect(); - break; - case SYSTEM_EVENT_STA_GOT_IP: - #if ESP_IDF_VERSION_MAJOR >= 4 - ESP_LOGI(TAG, "got ip:" IPSTR "\n", - IP2STR(&event->event_info.got_ip.ip_info.ip)); - #else - ESP_LOGI(TAG, "got ip:%s", - ip4addr_ntoa(&event->event_info.got_ip.ip_info.ip)); - #endif - /* see Espressif api-reference/system/freertos_idf.html */ - xEventGroupSetBits(wifi_event_group, CONNECTED_BIT); - break; - case SYSTEM_EVENT_STA_DISCONNECTED: - esp_wifi_connect(); - xEventGroupClearBits(wifi_event_group, CONNECTED_BIT); - break; - default: - break; - } - return ESP_OK; -} -#else - -#ifdef CONFIG_ESP_MAXIMUM_RETRY - #define EXAMPLE_ESP_MAXIMUM_RETRY CONFIG_ESP_MAXIMUM_RETRY -#else - #define CONFIG_ESP_MAXIMUM_RETRY 5 -#endif - -#if CONFIG_ESP_WIFI_AUTH_OPEN -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_OPEN -#elif CONFIG_ESP_WIFI_AUTH_WEP -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WEP -#elif CONFIG_ESP_WIFI_AUTH_WPA_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WPA_PSK -#elif CONFIG_ESP_WIFI_AUTH_WPA2_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WPA2_PSK -#elif CONFIG_ESP_WIFI_AUTH_WPA_WPA2_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WPA_WPA2_PSK -#elif 
CONFIG_ESP_WIFI_AUTH_WPA3_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WPA3_PSK -#elif CONFIG_ESP_WIFI_AUTH_WPA2_WPA3_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WPA2_WPA3_PSK -#elif CONFIG_ESP_WIFI_AUTH_WAPI_PSK -#define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD WIFI_AUTH_WAPI_PSK -#endif - -#ifndef ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD - #define CONFIG_ESP_WIFI_AUTH_WPA2_PSK 1 - #define ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD CONFIG_ESP_WIFI_AUTH_WPA2_PSK -#endif - -/* FreeRTOS event group to signal when we are connected*/ -static EventGroupHandle_t s_wifi_event_group; - -/* The event group allows multiple bits for each event, but we only care about two events: - * - we are connected to the AP with an IP - * - we failed to connect after the maximum amount of retries */ -#define WIFI_CONNECTED_BIT BIT0 -#define WIFI_FAIL_BIT BIT1 - - -static int s_retry_num = 0; -ip_event_got_ip_t* event; - - -static void event_handler(void* arg, - esp_event_base_t event_base, - int32_t event_id, - void* event_data) -{ - if (event_base == WIFI_EVENT && event_id == WIFI_EVENT_STA_START) { - esp_wifi_connect(); - } - else if (event_base == WIFI_EVENT && - event_id == WIFI_EVENT_STA_DISCONNECTED) { - if (s_retry_num < EXAMPLE_ESP_MAXIMUM_RETRY) { - esp_wifi_connect(); - s_retry_num++; - ESP_LOGI(TAG, "retry to connect to the AP"); - } - else { - xEventGroupSetBits(s_wifi_event_group, WIFI_FAIL_BIT); - } - ESP_LOGI(TAG, "connect to the AP fail"); - } - else if (event_base == IP_EVENT && event_id == IP_EVENT_STA_GOT_IP) { - event = (ip_event_got_ip_t*) event_data; - wifi_show_ip(); - s_retry_num = 0; - xEventGroupSetBits(s_wifi_event_group, WIFI_CONNECTED_BIT); - } -} - -int wifi_init_sta(void) -{ - int ret = ESP_OK; - - s_wifi_event_group = xEventGroupCreate(); - - ESP_ERROR_CHECK(esp_netif_init()); - - ESP_ERROR_CHECK(esp_event_loop_create_default()); - esp_netif_create_default_wifi_sta(); - - wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT(); - 
ESP_ERROR_CHECK(esp_wifi_init(&cfg)); - - esp_event_handler_instance_t instance_any_id; - esp_event_handler_instance_t instance_got_ip; - ESP_ERROR_CHECK(esp_event_handler_instance_register(WIFI_EVENT, - ESP_EVENT_ANY_ID, - &event_handler, - NULL, - &instance_any_id)); - ESP_ERROR_CHECK(esp_event_handler_instance_register(IP_EVENT, - IP_EVENT_STA_GOT_IP, - &event_handler, - NULL, - &instance_got_ip)); - - wifi_config_t wifi_config = { - .sta = { - .ssid = EXAMPLE_ESP_WIFI_SSID, - .password = EXAMPLE_ESP_WIFI_PASS, - /* Authmode threshold resets to WPA2 as default if password matches - * WPA2 standards (password len => 8). If you want to connect the - * device to deprecated WEP/WPA networks, Please set the threshold - * value WIFI_AUTH_WEP/WIFI_AUTH_WPA_PSK and set the password with - * length and format matching to WIFI_AUTH_WEP/WIFI_AUTH_WPA_PSK - * standards. */ - .threshold.authmode = ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD, - #ifdef HAS_WPA3_FEATURES - .sae_pwe_h2e = WPA3_SAE_PWE_BOTH, - #endif - }, - }; - ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) ); - ESP_ERROR_CHECK(esp_wifi_set_config(WIFI_IF_STA, &wifi_config) ); - -#ifdef CONFIG_EXAMPLE_WIFI_SSID - if (XSTRCMP(CONFIG_EXAMPLE_WIFI_SSID, "myssid") == 0) { - ESP_LOGW(TAG, "WARNING: CONFIG_EXAMPLE_WIFI_SSID is \"myssid\"."); - ESP_LOGW(TAG, " Do you have a WiFi AP called \"myssid\", "); - ESP_LOGW(TAG, " or did you forget the ESP-IDF configuration?"); - } -#else - ESP_LOGW(TAG, "WARNING: CONFIG_EXAMPLE_WIFI_SSID not defined."); -#endif - - ESP_ERROR_CHECK(esp_wifi_start() ); - - ESP_LOGI(TAG, "wifi_init_sta finished."); - - /* Waiting until either the connection is established (WIFI_CONNECTED_BIT) - * or connection failed for the maximum number of re-tries (WIFI_FAIL_BIT). 
- * The bits are set by event_handler() (see above) */ - EventBits_t bits = xEventGroupWaitBits(s_wifi_event_group, - WIFI_CONNECTED_BIT | WIFI_FAIL_BIT, - pdFALSE, - pdFALSE, - portMAX_DELAY); - - /* xEventGroupWaitBits() returns the bits before the call returned, - * hence we can test which event actually happened. */ -#if defined(SHOW_SSID_AND_PASSWORD) - ESP_LOGW(TAG, "Undefine SHOW_SSID_AND_PASSWORD to not show SSID/password"); - if (bits & WIFI_CONNECTED_BIT) { - ESP_LOGI(TAG, "connected to ap SSID:%s password:%s", - EXAMPLE_ESP_WIFI_SSID, - EXAMPLE_ESP_WIFI_PASS); - } - else if (bits & WIFI_FAIL_BIT) { - ESP_LOGI(TAG, "Failed to connect to SSID:%s, password:%s", - EXAMPLE_ESP_WIFI_SSID, - EXAMPLE_ESP_WIFI_PASS); - } - else { - ESP_LOGE(TAG, "UNEXPECTED EVENT"); - } -#else - if (bits & WIFI_CONNECTED_BIT) { - ESP_LOGI(TAG, "Connected to AP"); - } - else if (bits & WIFI_FAIL_BIT) { - ESP_LOGI(TAG, "Failed to connect to AP"); - ret = -1; - } - else { - ESP_LOGE(TAG, "AP UNEXPECTED EVENT"); - ret = -2; - } -#endif - return ret; -} - -int wifi_show_ip(void) -{ - /* TODO Causes panic: ESP_LOGI(TAG, "got ip:" IPSTR, - * IP2STR(&event->ip_info.ip)); */ - return ESP_OK; -} -#endif diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults index ca33fd17bd..4ad38b7b19 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults 
@@ -1,18 +1,46 @@ +# sdkconfig.defaults + +# Copyright (C) 2006-2025 wolfSSL Inc. +# +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + # Set the known example app config to TLS Server (see user_settings.h) CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_SERVER=y +# ------------- BEGIN COMMON SECTION ------------- + # CONFIG_EXAMPLE_WIFI_SSID="myssid" # CONFIG_EXAMPLE_WIFI_PASSWORD="mypassword" +CONFIG_EXAMPLE_CONNECT_IPV6=n +CONFIG_LWIP_IPV6=n + +# Colorization disabled by default in IDF V6+ +CONFIG_LOG_COLORS=y + # Some wolfSSL helpers CONFIG_USE_WOLFSSL_ESP_SDK_TIME=y +CONFIG_LWIP_SNTP_MAX_SERVERS=3 # sdkconfig.defaults for ESP8266 + ESP32 # See separate sdkconfig.defaults.esp8266 # FreeRTOS ticks at 1ms interval CONFIG_FREERTOS_UNICORE=y CONFIG_FREERTOS_HZ=1000 -CONFIG_ESP32_DEFAULT_CPU_FREQ_240=y # # Default main stack size. See user_settings.h 
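Review bot: The new `CONFIG_EXAMPLE_CONNECT_IPV6=n` / `CONFIG_LWIP_IPV6=n` pair in the common section is the only addition without a rationale comment, whereas `CONFIG_LOG_COLORS=y` and `CONFIG_LWIP_SNTP_MAX_SERVERS=3` each get one; disabling IPv6 in the network stack is a behavioural choice for the server example that a reader will want explained. A one-line note such as `# IPv6 disabled for this example; set both to y to enable IPv6 in lwIP and the connect helper` would do (the reason is not visible here and should be filled in by the author). The `# ------------- BEGIN COMMON SECTION -------------` marker has no matching END marker in this hunk, so it is unclear where the block shared with the other examples stops; the same marker appears in the wolfssl_test Makefile hunk further down.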
@@ -44,28 +72,12 @@ CONFIG_ESP_TASK_WDT_EN=n CONFIG_ESP_SYSTEM_PANIC_PRINT_HALT=y CONFIG_ESP_INT_WDT=n -# ESP8266 Watchdog: -CONFIG_TASK_WDT=n -CONFIG_TASK_WDT_PANIC=n - -# ESP8266 WDT -# CONFIG_ESP_PANIC_PRINT_REBOOT is not set -CONFIG_ESP_PANIC_PRINT_REBOOT=n -CONFIG_ESP_PANIC_PRINT_HALT=y - # CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS is not set CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS=n -# ESP8266 Memory -CONFIG_FREERTOS_GLOBAL_DATA_LINK_IRAM=y -CONFIG_HEAP_DISABLE_IRAM=y - # Performance # CONFIG_COMPILER_OPTIMIZATION_PERF=y -# Set max CPU frequency (falls back as needed for lower maximum) -CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y - # Enable wolfSSL TLS in esp-tls # CONFIG_ESP_TLS_USING_WOLFSSL=y # CONFIG_TLS_STACK_WOLFSSL=y @@ -86,16 +98,9 @@ CONFIG_USE_WOLFSSL_ESP_SDK_TIME=n # CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS is not set CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS=n -# ESP8266 Memory -CONFIG_FREERTOS_GLOBAL_DATA_LINK_IRAM=y -CONFIG_HEAP_DISABLE_IRAM=y - # Performance # CONFIG_COMPILER_OPTIMIZATION_PERF=y -# Set max COU frequency (falls back as needed for lower maximum) -CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y - # FreeRTOS ticks at 1ms interval CONFIG_FREERTOS_UNICORE=y CONFIG_FREERTOS_HZ=1000 @@ -147,10 +152,6 @@ CONFIG_COMPILER_STACK_CHECK=y # CONFIG_COMPILER_DUMP_RTL_FILES is not set # end of Compiler options -# We don't know that the min is actually v2, -# but this is the earliest tested. -CONFIG_ESP32C3_REV_MIN_2=y - # # Partition Table # diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults.esp32c2 b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults.esp32c2 index a24d9302e6..dba65f98d0 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults.esp32c2 +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults.esp32c2 
@@ -1,3 +1,25 @@ +# sdkconfig.defaults.esp32c2 + +# Copyright (C) 2006-2025 wolfSSL Inc. +# +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + +# File Version 5.8.2.001 for esp-idf integration + # # Main XTAL Config # @@ -5,3 +27,11 @@ CONFIG_XTAL_FREQ_26=y # CONFIG_XTAL_FREQ_40 is not set CONFIG_XTAL_FREQ=26 # end of Main XTAL Config + +# Limited memory +CONFIG_ESP_MAIN_MAIN_TASK_STACK_SIZE=10500 +CONFIG_MAIN_MAIN_TASK_STACK_SIZE=10500 +CONFIG_WOLFSSL_ALLOW_TLS12=y +# CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13=y + + diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults.esp8266 b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults.esp8266 index 77299dfe4a..4bf90cd3f1 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults.esp8266 +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/sdkconfig.defaults.esp8266 
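Review bot: The stack-size symbols added under `# Limited memory` are misspelled: `CONFIG_ESP_MAIN_MAIN_TASK_STACK_SIZE=10500` and `CONFIG_MAIN_MAIN_TASK_STACK_SIZE=10500` have a doubled `MAIN`, while the sibling sdkconfig.defaults.esp8266 hunk in this same commit uses `CONFIG_ESP_MAIN_TASK_STACK_SIZE` and `CONFIG_MAIN_TASK_STACK_SIZE`. As far as I know the ESP-IDF config generator ignores unknown symbols in a defaults file rather than rejecting them, so on the ESP32-C2 — the target this file exists to constrain — the intended 10500-byte main stack would silently not apply. The fix is the two lines `CONFIG_ESP_MAIN_TASK_STACK_SIZE=10500` and `CONFIG_MAIN_TASK_STACK_SIZE=10500`. The two trailing blank lines added at the end of the file can also be dropped.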
@@ -1,3 +1,44 @@ +# sdkconfig.defaults.esp8266 + +# Copyright (C) 2006-2025 wolfSSL Inc. +# +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + +# File Version 5.8.2.001 for esp-idf integration + +# Limited memory +# TLS 1.2 only needs about 6000 bytes +# TLS 1.2 + 1.3 needs about 10K +CONFIG_ESP_MAIN_TASK_STACK_SIZE=10240 +CONFIG_MAIN_TASK_STACK_SIZE=10240 +CONFIG_WOLFSSL_ALLOW_TLS12=y + +# TLS 1.3 can be disabled on very low memory devices +# CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13=y + +# CONFIG_TCPIP_TASK_STACK_SIZE=3072 +# CONFIG_ESP_SYSTEM_EVENT_TASK_STACK_SIZE=2304 +# CONFIG_FREERTOS_IDLE_TASK_STACKSIZE=1536 +# CONFIG_FREERTOS_ISR_STACKSIZE=1536 +# CONFIG_TCP_SND_BUF_DEFAULT=5760 + +# wolfSSL sets UART to 115200 instead of 74880 default +CONFIG_CONSOLE_UART_BAUDRATE=115200 + # ESP8266 WDT # CONFIG_ESP_PANIC_PRINT_REBOOT is not set CONFIG_ESP_PANIC_PRINT_REBOOT=n diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/wolfssl_server_ESP8266.vgdbproj b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/wolfssl_server_ESP8266.vgdbproj index 6181d50c7c..74fd36980c 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/wolfssl_server_ESP8266.vgdbproj +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/wolfssl_server_ESP8266.vgdbproj @@ -53,7 +53,7 @@ - COM70 + COM65 74880 8 
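Review bot: `CONFIG_WOLFSSL_ALLOW_TLS12=y` is added between two memory comments but nothing says what it changes; the neighbouring figures ("TLS 1.2 only needs about 6000 bytes", "TLS 1.2 + 1.3 needs about 10K") describe stack usage, and the symbol name suggests it widens the set of accepted protocol versions rather than reducing memory. A one-line comment such as `# Permit TLS 1.2 handshakes on this memory-constrained target in addition to the default; see components/wolfssl/Kconfig` would make the trade-off explicit for anyone copying this file. The actual default and the semantics of the symbol live in the Kconfig, which is not in this hunk, so please confirm the wording against it.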
@@ -234,10 +234,12 @@ false true 0 + 0 false 0 true false + true openocd @@ -287,6 +289,13 @@ 0 false + + + false + false + false + + true \ No newline at end of file diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/CMakeLists.txt index ac32187d88..f80605a3ab 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/CMakeLists.txt 
@@ -1,11 +1,35 @@ # wolfSSL Espressif Example Project CMakeLists.txt -# v1.3 +# v5.8.2.001 # # The following lines of boilerplate have to be in your project's # CMakeLists in this exact order for cmake to work correctly message(STATUS "Begin project ${CMAKE_PROJECT_NAME}") cmake_minimum_required(VERSION 3.16) +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") + +# Optionally set flag for using a private include. See wolfcrypt/port/Espressif/esp-sdk-lib.h +if( "$ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}" STREQUAL "1" ) + message(STATUS "Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variable") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") +else() + message(STATUS "CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.") +endif() + +# Different ESP-IDF versions have different lock files. +# Not starting fresh has unintuitive results. +# So force a fresh dependencies.lock by deleting the current one: +file(REMOVE "./dependencies.lock") + +# Force custom partition table regardless of IDE presets +set(PARTITION_TABLE_CUSTOM ON CACHE BOOL "" FORCE) +set(PARTITION_TABLE_FILENAME "${CMAKE_SOURCE_DIR}/partitions_singleapp_large.csv" CACHE STRING "" FORCE) + +if("${IDF_TARGET}" STREQUAL "linux") + set(COMPONENTS main) +endif() # For the main project using ESP-IDF version 6 or greater. # Numerous "dangerous relocation: call8: call target out of range: memcpy" errors encountered @@ -34,6 +58,7 @@ endif() # # Optional WOLFSSL_CMAKE_SYSTEM_NAME detection to find # USE_MY_PRIVATE_CONFIG path for my_private_config.h +# See: wolfcrypt/port/Espressif/esp-sdk-lib.h # # Expected path varies: # 
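Review bot: `file(REMOVE "./dependencies.lock")` runs unconditionally on every configure, so the component manager's lock file never survives between builds and any managed component versions are re-resolved each time; the comment gives the motivation (lock files differ between ESP-IDF versions), but the cost is that the build loses exactly the version pinning a lock file exists to provide, which matters for reproducible and reviewable builds. Consider gating the removal behind an explicit opt-in, e.g. `if(DEFINED ENV{<FRESH_LOCK_OPT_IN>})` around the `file(REMOVE ...)`, anchoring the path as `"${CMAKE_SOURCE_DIR}/dependencies.lock"` so it does not depend on the working directory, and stating the pinning trade-off in the comment. Whether this example actually pulls managed components is not visible in the hunk, so the severity depends on that.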
@@ -41,6 +66,8 @@ endif() # Linux: ~/workspace # Windows: C:\workspace # + + if(WIN32) # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WINDOWS") @@ -49,9 +76,6 @@ endif() if(CMAKE_HOST_UNIX) message(STATUS "Detected UNIX") endif() -if(APPLE) - message(STATUS "Detected APPLE") -endif() if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop") # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL") @@ -63,7 +87,7 @@ if(CMAKE_HOST_UNIX AND (NOT APPLE) AND (NOT WIN32)) message(STATUS "Detected Linux") endif() if(APPLE) - # Windows-specific configuration here + # Apple-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_APPLE") message(STATUS "Detected Apple") endif() 
@@ -157,6 +181,27 @@ endif() include($ENV{IDF_PATH}/tools/cmake/project.cmake) +message(STATUS "Checking Project CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}") +# Optionally force syntax highlighting fix in Visual Studio 2022 for ESP-IDF v6 +# See https://sysprogs.com/w/forums/topic/espressif-esp-idf-v6-0-intellisense-error-invalid-value-gnu2b-in-stdgnu2b/ +# To resolve, enter the text in VisualGDB Project Properties - Intellisense Settings Tab, "Additional flags for C files": +# -std=gnu17 +# And set here: +if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" ) + set(PREFERRED_DIALECT "gnu17") + if(DEFINED IDF_VERSION_MAJOR AND IDF_VERSION_MAJOR GREATER_EQUAL 6) + message(STATUS "-- Found CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX, replacing -std=gnu2b with -std=${PREFERRED_DIALECT}") + if(CMAKE_C_COMPILER_ID MATCHES "Clang") + string(REPLACE "-std=gnu2b" "-std=${PREFERRED_DIALECT}" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + endif() + else() + message(STATUS "-- Visual Studio Intellisense Fix not needed for this ESP-IDF version=${IDF_VERSION_MAJOR}") + endif() +else() + message(STATUS "-- Not replacing -std=gnu2b with -std=${PREFERRED_DIALECT} for Viosual Studio Intellisense fix") + message(STATUS "-- To enable, define environment variable: CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=1") +endif() + # Once the project is loaded, next check for ESP-IDF version 6 or greater. # Numerous "dangerous relocation: call8: call target out of range: memcpy" errors encountered # So we'll allow long calls with the `-mlongcalls` compiler option for all components. diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/Makefile b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/Makefile index 0763d5ae63..6f17c05898 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/Makefile +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/Makefile 
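Review bot: `PREFERRED_DIALECT` is only set inside the `if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" )` branch, yet the `else()` branch prints `-std=${PREFERRED_DIALECT}`, so in the default case the status message reads "replacing -std=gnu2b with -std=" with an empty dialect. Move `set(PREFERRED_DIALECT "gnu17")` above the `if(` so both messages are accurate, and fix the typo "Viosual Studio" in the else-branch message. Whether `IDF_VERSION_MAJOR` is defined at this point after `include(project.cmake)` is not visible here; the `if(DEFINED ...)` guard handles the undefined case, but then the "not needed for this ESP-IDF version=" message prints an empty version, which may be worth a clearer wording.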
@@ -1,7 +1,36 @@ +# ESP8266 Project Makefile for wolfssl_client # -# This is a project Makefile. It is assumed the directory this Makefile resides in is a -# project subdirectory. +# Copyright (C) 2006-2025 wolfSSL Inc. # +# This file is part of wolfSSL. +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA +# + +PROJECT_NAME := wolfssl_test +$(info ************* wolfssl_test *************) + +# ------------- BEGIN COMMON SECTION ------------- + +ifeq ($(strip $(IDF_PATH)),) + $(error IDF_PATH is not set. Please export it before running make) +endif + +# Default compiler flags +CFLAGS ?= +CXXFLAGS ?= CFLAGS += -DWOLFSSL_USER_SETTINGS 
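Review bot: The new header line `# ESP8266 Project Makefile for wolfssl_client` contradicts the `PROJECT_NAME := wolfssl_test` and the `$(info ************* wolfssl_test *************)` a few lines below; it looks copied from the client example. Change it to `# ESP8266 Project Makefile for wolfssl_test`. The `# ------------- BEGIN COMMON SECTION -------------` marker has no matching END marker anywhere in the visible hunks, so it is unclear which lines are meant to be kept identical across the example Makefiles.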
@@ -9,6 +38,124 @@ CFLAGS += -DWOLFSSL_USER_SETTINGS # There's an espressif NO_WATCHDOG; we don't use it, as it is reset by sdkconfig. CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 -PROJECT_NAME := wolfssl_test +# Check if CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG is set to 1 in environment +ifeq ($(CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG),1) + $(info Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variablev for Makefile) + CFLAGS += -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1 + CXXFLAGS += -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1 +else + $(info CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.) +endif + +# +# This is a project Makefile. +# It is assumed the directory this Makefile resides in is a +# project subdirectory containing an entire project. +# +# Optional private config headers. Define environment variables +# to include various default header files that are typically +# not in a git path, and thus excluded from being checked in. +# +# Environment Variable Name | Header file name included +# ---------------------------------- | --------------------------------------- +# MY_PRIVATE_CONFIG (files detected / selected in header) +# USE_MY_PRIVATE_WSL_CONFIG /mnt/c/workspace/my_private_config.h +# USE_MY_PRIVATE_MAC_CONFIG ~/Documents/my_private_config.h +# USE_MY_PRIVATE_LINUX_CONFIG ~/workspace/my_private_config.h +# USE_MY_PRIVATE_WINDOWS_CONFIG /workspace/my_private_config.h +# +# + +# Optionally include component source when print path (needs work to then properly build) +# +# include components/wolfssl/component.mk + +MY_PRIVATE_CONFIG ?= n +USE_MY_PRIVATE_WSL_CONFIG ?= n +USE_MY_PRIVATE_MAC_CONFIG ?= n +USE_MY_PRIVATE_LINUX_CONFIG ?= n +USE_MY_PRIVATE_WINDOWS_CONFIG ?= n + +# Calling shell causes unintuitive error in Windows: +# OS := $(shell uname -s) +# +# But OS, or MY_PRIVATE_CONFIG should already be defined: + +ifeq ($(MY_PRIVATE_CONFIG),y) + CFLAGS += -DMY_PRIVATE_CONFIG + $(info Enabled MY_PRIVATE_CONFIG") +endif + +# Check for 
Windows environment variable: USE_MY_PRIVATE_WINDOWS_CONFIG +ifeq ($(USE_MY_PRIVATE_WINDOWS_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := /workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_WINDOWS_CONFIG + $(info Using private config file for: Windows) + endif +endif + +# Check for WSL environment variable: USE_MY_PRIVATE_WSL_CONFIG +ifeq ($(USE_MY_PRIVATE_WSL_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := /mnt/c/workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_WSL_CONFIG + $(info Using private config file for: WSL) + endif +endif + +# Check for Linux environment variable: USE_MY_PRIVATE_LINUX_CONFIG +ifeq ($(USE_MY_PRIVATE_LINUX_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. + MY_CONFIG_FILE := ~/workspace/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_LINUX_CONFIG + $(info Using private config file for: Linux) + endif +endif + +# Check for Mac environment variable: USE_MY_PRIVATE_MAC_CONFIG +ifeq ($(USE_MY_PRIVATE_MAC_CONFIG),y) + # This hard coded MY_CONFIG_FILE value must match that in the header file. 
+ MY_CONFIG_FILE := ~/Documents/my_private_config.h + ifeq ($(wildcard $(MY_CONFIG_FILE)),) + $(info File does not exist: $(MY_CONFIG_FILE)) + else + CFLAGS += -DUSE_MY_PRIVATE_MAC_CONFIG + $(info Using private config file for: Mac) + endif +endif + +ifneq ($(OS),MY_PRIVATE_CONFIG) + CFLAGS += -DMY_PRIVATE_CONFIG="$(MY_PRIVATE_CONFIG)" +else + ifeq ($(OS),Linux) + CFLAGS += -DOS_LINUX + endif + ifeq ($(OS),Windows_NT) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_WINDOWS + endif + ifeq ($(OS),Darwin) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_APPLE + endif + ifneq (,$(findstring MINGW,$(OS))) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_MINGW + endif + ifneq (,$(findstring CYGWIN,$(OS))) + CFLAGS += -DWOLFSSL_MAKE_SYSTEM_NAME_CYGWIN + endif +endif + +# if there isn't the directory, please disable the line below. +EXTRA_COMPONENT_DIRS = $(IDF_PATH)/examples/common_components/protocol_examples_common +# The Standard Espressif IDF include: include $(IDF_PATH)/make/project.mk diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/CMakeLists.txt index a266a9c1c2..a131f06973 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/CMakeLists.txt +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/CMakeLists.txt @@ -19,7 +19,7 @@ # # cmake for wolfssl Espressif projects # -# Version 5.8.0 Espressif ESP-IDF + PlatformIO integration (2) +# Version 5.8.2 Espressif ESP-IDF + PlatformIO integration (1) # # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html # 
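Review bot: `ifneq ($(OS),MY_PRIVATE_CONFIG)` compares the `OS` variable with the literal string `MY_PRIVATE_CONFIG`, which can never match, so the `else` branch holding the Linux/Windows_NT/Darwin/MINGW/CYGWIN detection is unreachable and `CFLAGS += -DMY_PRIVATE_CONFIG="$(MY_PRIVATE_CONFIG)"` is always emitted — even when `MY_PRIVATE_CONFIG` is its default `n`, and alongside the bare `-DMY_PRIVATE_CONFIG` already added earlier when it is `y`, giving two conflicting definitions of the same macro. The intended logic is presumably "if the private config is not requested, detect the host OS", i.e. `ifneq ($(MY_PRIVATE_CONFIG),y)` guarding only the OS checks, with the string-valued define removed. Two smaller issues in the same hunk: `$(info Enabled MY_PRIVATE_CONFIG")` has a stray closing quote, and "environment variablev" is a typo. This hunk also sets `EXTRA_COMPONENT_DIRS` unconditionally although the comment above it says to disable the line when the directory is missing; an `ifneq ($(wildcard $(IDF_PATH)/examples/common_components/protocol_examples_common),)` guard would match the pattern used for the private config files.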
@@ -27,9 +27,18 @@ message(STATUS "Begin wolfssl ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}") cmake_minimum_required(VERSION 3.16) # The scope of this CMAKE_C_FLAGS is just this component: -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") +message(STATUS "Peek CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG = $ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}") +if( "$ENV{CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG}" STREQUAL "1" ) + message(STATUS "Setting CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG from environment variable") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1") +else() + message(STATUS "CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG not set, not using private config.") +endif() + set(CMAKE_CURRENT_SOURCE_DIR ".") # Optionally set your source to wolfSSL in your project CMakeLists.txt like this: @@ -48,6 +57,7 @@ set(THIS_ESP_TLS "") # LIBWOLFSSL_CMAKE_OUTPUT can be printed at runtime set(LIBWOLFSSL_CMAKE_OUTPUT "") +set(git_cmd "git") if(CMAKE_BUILD_EARLY_EXPANSION) message(STATUS "Skipping libwolfssl_output.h update during CMAKE_BUILD_EARLY_EXPANSION") @@ -66,6 +76,19 @@ else() "#define _LIBWOLFSSL_OUTPUT_H_\n\n") endif() +# CMakeLists.txt (project or component) +# Known RISC-V families in ESP-IDF: esp32c2, esp32c3, esp32c6, esp32h2, esp32p4 +set(_riscv_targets esp32c2 esp32c3 esp32c6 esp32h2 esp32p4) + +list(FIND _riscv_targets "${IDF_TARGET}" _idx) +if(_idx GREATER -1) + set(IS_RISCV TRUE) +else() + set(IS_RISCV FALSE) +endif() + +message(STATUS "IDF target: ${IDF_TARGET} (RISC-V: ${IS_RISCV})") + # Append messages with: # LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_CMAKE_OUTPUT "${LIBWOLFSSL_CMAKE_OUTPUT}\n"message" "0") # See function: APPEND_LIBWOLFSSL_CMAKE_OUTPUT 
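Review bot: The `-DCONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG=1` is appended to this component's CMAKE_C_FLAGS, which the context line directly above says is scoped to this component only, so any other component that also includes user_settings.h (presumably the application's main) compiles with the macro undefined and sees a different configuration than libwolfssl. It is also read from `$ENV{}` at configure time, so changing the variable later does not re-run configuration and the previous value silently persists until a clean reconfigure. The Kconfig option of the same name elsewhere in this patch reaches every component through sdkconfig.h; either prefer that path or extend the status message with `"(component scope only; re-run configure after changing the variable)"` so the limitation is visible in the build log.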
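Review bot: The hard-coded `_riscv_targets` list classifies any RISC-V chip not listed (for example esp32c5 or esp32c61, if the ESP-IDF in use supports them) as non-RISC-V, and the comment calling the list "known" does not say what the fallback means for an unknown target. Deriving the answer from the toolchain or sdkconfig instead, e.g. `if(CONFIG_IDF_TARGET_ARCH_RISCV)` where that symbol is available, or `if(CMAKE_SYSTEM_PROCESSOR MATCHES "riscv")`, avoids the list going stale with each new chip. Where IS_RISCV is consumed is outside this hunk.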
@@ -73,8 +96,7 @@ endif()
 # function: IS_ESP_IDF_COMPONENT
 # output: RESULT = 1 (true) if this component is located in the ESP-IDF components
 # otherwise 0 (false)
-function( IS_ESP_IDF_COMPONENT
- RESULT)
+function( IS_ESP_IDF_COMPONENT RESULT )
 # NOTE: Component location is based on the location of the CMakeList.txt
 # and *not* the location of the wolfSSL source code. (which may be anywhere)
@@ -110,60 +132,60 @@ function ( LIBWOLFSSL_SAVE_INFO VAR_OUTPUT THIS_VAR VAR_RESULT ) # if we had a successful operation, save the THIS_VAR in VAR_OUTPUT if(${IS_VALID_VALUE}) - if(0) - # Optional debug - message(STATUS "Looking for LF in ${THIS_VAR}") - endif() + if(0) + # Optional debug + message(STATUS "Looking for LF in ${THIS_VAR}") + endif() - # Check if the text to print in THIS_VAR is multi-line - string(REPLACE "\n" ";" LINES "${THIS_VAR}") - list(LENGTH LINES LINE_COUNT) - - # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def - if(LINE_COUNT GREATER 1) - message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") - add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") - - # Split into lines - string(REPLACE "\n" ";" LINES "${THIS_VAR}") - foreach(LINE IN LISTS LINES) - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") - endforeach() + # Check if the text to print in THIS_VAR is multi-line + string(REPLACE "\r" "" THIS_VAR "${THIS_VAR}") + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + list(LENGTH LINES LINE_COUNT) - # Final empty line to close the macro - file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") + # Save var to "libwolfssl_output.h" header if multi-line, otherwise a simple compile def + if(LINE_COUNT GREATER 1) + message(STATUS "Setting HAVE_LIBWOLFSSL_OUTPUT_HEADER=1 for ${VAR_OUTPUT}") + add_compile_definitions(HAVE_LIBWOLFSSL_OUTPUT_HEADER=1) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#undef ${VAR_OUTPUT}\n") + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "#define ${VAR_OUTPUT} \\\n") - message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") - target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") - else() - message(STATUS "No 
HAS_LIBWOLFSSL_OUTPUT_HEADER") - # We should not have any, but just to be sure: - # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE - string(REPLACE "\n" "" VAR_VALUE "${THIS_VAR}") + # Split into lines + string(REPLACE "\n" ";" LINES "${THIS_VAR}") + foreach(LINE IN LISTS LINES) + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\"${LINE}\\n\" \\\n") + endforeach() + + # Final empty line to close the macro + file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n") - # we'll could percolate the value to the parent for possible later use - # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) + message(STATUS "COMPONENT_LIB=${COMPONENT_LIB}") + target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_BINARY_DIR}") + else() # 1 or zero lines in THIS_VAR + message(STATUS "Result line count=${LINE_COUNT}; Not setting HAS_LIBWOLFSSL_OUTPUT_HEADER") + # We should not have any, but just to be sure: + # Strip newline chars in THIS_VAR parameter and save in VAR_VALUE + string(REPLACE "\n" "" THIS_VAR "${THIS_VAR}") + string(REPLACE "\r" "" VAR_VALUE "${THIS_VAR}") - # but we're only using it here in this function - set(${VAR_OUTPUT} ${VAR_VALUE}) + # we could percolate the value to the parent for possible later use + # set(${VAR_OUTPUT} ${VAR_VALUE} PARENT_SCOPE) - # we'll print what we found to the console - message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + # but we're only using it here in this function + set(${VAR_OUTPUT} ${VAR_VALUE}) - # the interesting part is defining the VAR_OUTPUT name a value to use in the app - add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") + # we'll print what we found to the console + message(STATUS "Found ${VAR_OUTPUT}=${VAR_VALUE}") + + # the interesting part is defining the VAR_OUTPUT name a value to use in the app + add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\") endif() - else() + else() # !IS_VALID_VALUE # if we get here, check the execute_process command and parameters. 
- message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT") + message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT=${VAR_RESULT} for THIS_VAR=${THIS_VAR}") set(${VAR_OUTPUT} "Unknown") - endif() - - -endfunction() # LIBWOLFSSL_SAVE_INFO + endif() # IS_VALID_VALUE +endfunction()# LIBWOLFSSL_SAVE_INFO # # APPEND_LIBWOLFSSL_CMAKE_OUTPUT(THIS_MESSAGE OUTPUT_VALUE) @@ -558,7 +580,7 @@ if(CMAKE_BUILD_EARLY_EXPANSION) "${THIS_INCLUDE_TIMER}" "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark ) - + # Do not set compile options during early expansion else() # not CMAKE_BUILD_EARLY_EXPANSION message(STATUS "************************************************************************************************") @@ -596,6 +618,15 @@ else() if(WOLFSSL_ROOT) message(STATUS "Confirmed wolfssl directory at: ${WOLFSSL_ROOT}") + # Once WOLFSSL_ROOT has been determined, see if there's a Espressif.cmake file to include + + set(WOLFSSL_ROOT_ESPRESSIF_CMAKE "${WOLFSSL_ROOT}/cmake/modules/Espressif.cmake") + if( EXISTS "${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + message(STATUS "Found WOLFSSL_ROOT_ESPRESSIF_CMAKE: ${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + include("${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + else() + message(STATUS "Not found WOLFSSL_ROOT_ESPRESSIF_CMAKE: ${WOLFSSL_ROOT_ESPRESSIF_CMAKE}") + endif() else() # Try to allow a more intuitive error that the source code was not found in cmake: set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_WARNING_SOURCE_NOT_FOUND") 
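Review bot: The re-indented `add_compile_definitions(${VAR_OUTPUT}=\"${VAR_VALUE}\")` and the `"\"${LINE}\\n\" \\\n"` written into libwolfssl_output.h still interpolate the captured text unescaped, so a value containing a double quote or backslash (the remote origin URL and tag/branch names passed in at the -1154 hunk are free-form text) produces a malformed -D macro or an unterminated string literal in the generated header rather than a clean failure. Escaping before use, `string(REPLACE "\\" "\\\\" VAR_VALUE "${VAR_VALUE}")` followed by `string(REPLACE "\"" "\\\"" VAR_VALUE "${VAR_VALUE}")` (and the same on each LINE in the multi-line branch), keeps both outputs well-formed. The \r stripping added here covers CRLF but not these characters. The function's opening lines are outside the hunk.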
@@ -896,6 +927,25 @@ else() "${THIS_INCLUDE_TIMER}" "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark ) + + message(STATUS "Checking wolfSSL Component CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}") + # Optionally force syntax highlighting fix in Visual Studio 2022 for ESP-IDF v6 + # See https://sysprogs.com/w/forums/topic/espressif-esp-idf-v6-0-intellisense-error-invalid-value-gnu2b-in-stdgnu2b/ + # To resolve, enter the text in VisualGDB Project Properties - Intellisense Settings Tab, Additional flags for C files: + # -std=gnu17 + # And set here: + if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" ) + set(PREFERRED_DIALECT "gnu17") + if(DEFINED IDF_VERSION_MAJOR AND IDF_VERSION_MAJOR GREATER_EQUAL 6) + message(STATUS "-- Setting -std=${PREFERRED_DIALECT} with target_compile_options $<$:-std=${PREFERRED_DIALECT}>") + target_compile_options(${COMPONENT_LIB} PRIVATE $<$:-std=${PREFERRED_DIALECT}>) + else() + message(STATUS "-- Visual Studio Intellisense Fix not needed for this ESP-IDF version=${IDF_VERSION_MAJOR}") + endif() + else() + message(STATUS "-- Not setting -std=${PREFERRED_DIALECT} with target_compile_options for Visual Studio Intellisense Fix") + message(STATUS "-- To enable, define environment variable: CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX=1") + endif() else() # Register the component simply to allow CMake to complete, but there's no wolfSSL source. # Expect many other errors, but the project should at least be loadable and UI can edit Kconfig settings. @@ -906,8 +956,7 @@ else() # function(WOLFSSL_INIT_CERT_BUNDLE) if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE AND NOT CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE - AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") - ) + AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") ) APPEND_LIBWOLFSSL_CMAKE_OUTPUT("wolfSSL Certificate Bundles Enabled") if (CMAKE_BUILD_EARLY_EXPANSION) 
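Review bot: `PREFERRED_DIALECT` is only assigned inside the `if` branch, so the two `message(STATUS ...)` calls in the `else()` branch expand `${PREFERRED_DIALECT}` to nothing and print `-std=` with no dialect; moving `set(PREFERRED_DIALECT "gnu17")` above the `if( "$ENV{CONFIG_WOLFSSL_FORCE_V6_INTELLISENSE_FIX}" STREQUAL "1" )` line fixes both messages. The generator expression `$<$:-std=${PREFERRED_DIALECT}>` as shown is missing its condition (presumably `$<$<COMPILE_LANGUAGE:C>:-std=${PREFERRED_DIALECT}>`); if that is the literal file content rather than a rendering artifact, CMake will reject it, so it is worth confirming. The comment should also say that `-std=gnu17` is applied to the real compile of this component, not only to the IDE's IntelliSense, since `target_compile_options` affects the build.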
@@ -1154,50 +1203,72 @@ if( EXISTS "${WOLFSSL_PROJECT_DIR}" AND EXISTS "$ENV{IDF_PATH}/components/wolfss endif() # end multiple component check - +message(STATUS "Checking for github with git_cmd='${git_cmd}' ...") execute_process( COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree" OUTPUT_VARIABLE IS_GIT_REPO OUTPUT_STRIP_TRAILING_WHITESPACE ERROR_QUIET ) +message(STATUS "Checking for github result IS_GIT_REPO='${IS_GIT_REPO}'") # create some programmatic #define values that will be used by ShowExtendedSystemInfo(). # see wolfcrypt\src\port\Espressif\esp32_utl.c +message(STATUS "Checking for macro definitions:") if(NOT CMAKE_BUILD_EARLY_EXPANSION AND WOLFSSL_ROOT AND (IS_GIT_REPO STREQUAL "true")) set (git_cmd "git") message(STATUS "Adding macro definitions:") + # LIBWOLFSSL_VERSION_GIT_TAG: git config describe --tags --abbrev=0 + execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "describe" "--tags" "--abbrev=0" + OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") + LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_TAG "${TMP_OUT}" "${TMP_RES}") + # LIBWOLFSSL_VERSION_GIT_ORIGIN: git config --get remote.origin.url execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "config" "--get" "remote.origin.url" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_ORIGIN "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_BRANCH: git rev-parse --abbrev-ref HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--abbrev-ref" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_BRANCH "${TMP_OUT}" "${TMP_RES}") # 
LIBWOLFSSL_VERSION_GIT_HASH: git rev-parse HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_SHORT_HASH: git rev-parse --short HEAD execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--short" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_SHORT_HASH "${TMP_OUT}" "${TMP_RES}") # LIBWOLFSSL_VERSION_GIT_HASH_DATE git show --no-patch --no-notes --pretty=\'\%cd\' execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "show" "--no-patch" "--no-notes" "--pretty=\'\%cd\'" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ) + string(REPLACE "\r" "" TMP_OUT "${TMP_OUT}") + string(REPLACE "\n" "" TMP_OUT "${TMP_OUT}") LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH_DATE "${TMP_OUT}" "${TMP_RES}") - LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT "${WOLFSSL_ROOT}" "${TMP_RES}") - +else() + message(STATUS "CMAKE_BUILD_EARLY_EXPANSION=${CMAKE_BUILD_EARLY_EXPANSION}; WOLFSSL_ROOT=${WOLFSSL_ROOT}; IS_GIT_REPO=${IS_GIT_REPO};") endif() +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT "${WOLFSSL_ROOT}" "0") +LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_IDF_PATH "${THIS_IDF_PATH}" "0") + # Ensure flag "-DWOLFSSL_ESPIDF" is already in CMAKE_C_FLAGS if not yet found from project string(FIND "${CMAKE_C_FLAGS}" "-DWOLFSSL_ESPIDF" FLAG_ALRREADY_FOUND_WOLFSSL_ESPIDF) 
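Review bot: `remote.origin.url` is compiled into the firmware as LIBWOLFSSL_VERSION_GIT_ORIGIN, and a clone made with embedded credentials (`https://user:token@host/...`) ships that token in every image built from it; strip the userinfo right after the new CR/LF stripping with `string(REGEX REPLACE "://[^/@]*@" "://" TMP_OUT "${TMP_OUT}")`. The moved `LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT ...)` and the new `LIBWOLFSSL_VERSION_IDF_PATH` are now unconditional, so developer workstation paths are embedded even in non-git builds and possibly during early expansion (the previous code kept them inside the `NOT CMAKE_BUILD_EARLY_EXPANSION` guard); a comment that these strings are readable from the binary would help. The inner `set (git_cmd "git")` is now redundant with the top-level `set(git_cmd "git")` added earlier in this patch.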
@@ -1246,6 +1317,26 @@ file(APPEND "${CMAKE_BINARY_DIR}/libwolfssl_output.h" "\n"
 "#endif\n"
 )
+# Memory peek helper
+set(LINKER_REGION_PEEK "${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld")
+if( CMAKE_BUILD_EARLY_EXPANSION AND EXISTS "${LINKER_REGION_PEEK}")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK")
+
+ message(STATUS "Found linker region peek helper file: ${LINKER_REGION_PEEK}")
+ if (COMMAND target_linker_scripts)
+ message(STATUS "target_linker_scripts(${COMPONENT_LIB} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld)")
+ target_linker_scripts(${COMPONENT_LIB} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld)
+ else()
+ # Fallback if target_linker_scripts isn't available
+ message(STATUS "target_linker_scripts not available, using target_link_options")
+ target_link_options(${COMPONENT_LIB} INTERFACE -T${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld)
+ set_property(TARGET ${COMPONENT_LIB} APPEND PROPERTY LINK_DEPENDS ${CMAKE_CURRENT_LIST_DIR}/ld/region_peek.ld)
+ endif()
+else()
+ message(STATUS "Found linker region peek helper NOT FOUND: ${LINKER_REGION_PEEK}")
+endif()
+
 message(STATUS "************************************************************************************************")
 message(STATUS "wolfSSL component config complete!")
 message(STATUS "************************************************************************************************")
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig
index 22e4a0767d..e8524a8092 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kconfig
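Review bot: The two consecutive `set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK")` lines append the same define to the C flags twice; the second was presumably meant to be `set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_HAVE_LINKER_REGION_PEEK")`, mirroring how WOLFSSL_USER_SETTINGS is handled earlier in this file. The `else()` message "Found linker region peek helper NOT FOUND" is self-contradictory and also fires when the file exists but CMAKE_BUILD_EARLY_EXPANSION is false, since the whole block is gated on `CMAKE_BUILD_EARLY_EXPANSION AND EXISTS`; a comment should say why the early-expansion phase was chosen, and it is worth confirming that `${COMPONENT_LIB}` is already a defined target at that point, otherwise `target_linker_scripts`/`target_link_options` will error. Suggested message: `"Linker region peek helper not applied (early expansion=${CMAKE_BUILD_EARLY_EXPANSION}, file=${LINKER_REGION_PEEK})"`.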
@@ -19,8 +19,11 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA # -# Kconfig File Version 5.7.2.001 for esp-idf integration +# Kconfig File Version 5.8.2.001 for esp-idf integration +# See the VSCode extension: nRF Kconfig by Nordic Semiconductor: +# https://marketplace.visualstudio.com/items?itemName=nordic-semiconductor.nrf-kconfig +# # Kconfig Format Rules # # See: @@ -48,106 +51,242 @@ # python -m kconfcheck # # --------------------------------------------------------------------------------------------------------------------- +# See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL +# --------------------------------------------------------------------------------------------------------------------- +# +# Note linking to ESP-IDF component: +# +# 
From: esp-idf\[version]\components\esp-tls\Kconfig +# +# menu "ESP-TLS" +# choice ESP_TLS_LIBRARY_CHOOSE +# bool "wolfSSL (License info in wolfSSL directory README)" +# select TLS_STACK_WOLFSSL +# +# Selecting TLS_STACK_WOLFSSL in ESP-TLS will be linked to this Kconfig via the +# invisible local keyword by the same name in this Kconfig, below. +# +# See setting here, just above this item: menu "wolfSSL ESP-TLS" +# +# --------------------------------------------------------------------------------------------------------------------- # Begin main wolfSSL configuration menu # --------------------------------------------------------------------------------------------------------------------- # See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL -menu "wolfSSL" +menu "wolfSSL Embedded Cryptography, SSL/TLS; FIPS 140-3" + # Warning: help token not supported here << + config ESP_WOLFSSL_WOLFCRYPT_ONLY + bool "Use wolfcrypt only" + default n + help + Enable this option to use cryptographic libraries but disable things like TLS communication. Normally not set. Enables WOLFCRYPT_ONLY + # ----------------------------------------------------------------------------------------------------------------- - menu "Hardening" - config ESP_WOLFSSL_WC_NO_HARDEN - bool "Disable wolfSSL hardening" - default n + menu "wolfSSL Algorithm Settings" + config ESP_WOLFSSL_USE_ECC + bool "Enable ECC (Elliptic Curve Cryptography) in wolfSSL" + default y help - Sets WC_NO_HARDEN + Enables ECC algorithm - config ESP_WOLFSSL_TFM_TIMING_RESISTANT - bool "Enable TFM Timing Resistant Code" - default n + config ESP_WOLFSSL_USE_RSA + bool "Enable RSA (Rivest-Shamir-Adlemanl) in wolfSSL" + default y help - Sets TFM_TIMING_RESISTANT. 
+ Enables RSA algorithm - endmenu # Hardening + config ESP_WOLFSSL_USE_SM + bool "Enable SM (Shang Mi) in wolfSSL" + default n + help + Enabled SM Cipher Suite: Macros WOLFSSL_SM2, WOLFSSL_SM3, WOLFSSL_SM4 - config ESP_WOLFSSL_ENABLE_BENCHMARK - bool "Enable wolfSSL Benchmark Library" - default n - help - Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK. + config ESP_WOLFSSL_DISABLE_ECC + bool "Disable ECC in wolfSSL" + default n + help + Enabled by default, ECC is required if you want ECDHE key exchange (and/or ECDSA). + Select this option to disable ECC. + config ESP_WOLFSSL_DISABLE_DH + bool "Disable DH in wolfSSL" + default n + help + Enabled by default, DH is required if you want DHE/FFDHE groups. + Select this option to disable DH. - menu "Benchmark Debug" - config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING - bool "Enable benchmark timing debug" - depends on ESP_WOLFSSL_ENABLE_BENCHMARK + config ESP_WOLFSSL_SHA224 + bool "Enable SHA-224" default n help - Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc). + Enables SHA224 algorithm by defining macro: WOLFSSL_SHA224 - config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG - bool "Enable benchmark timer debug" - depends on ESP_WOLFSSL_ENABLE_BENCHMARK + config ESP_WOLFSSL_SHA384 + bool "Enable SHA-384" default n help - Turn on timer debugging (used when CPU cycles not available) + Enables SHA384 algorithm by defining macro: WOLFSSL_SHA384 - endmenu # Benchmark Debug + choice + prompt "Select math library to use" - # ----------------------------------------------------------------------------------------------------------------- - # wolfCrypt Test - # ----------------------------------------------------------------------------------------------------------------- - config ESP_WOLFSSL_ENABLE_TEST - bool "Enable wolfCrypt Test Library" - default n - help - Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST. 
+ config ESP_WOLFSSL_USE_FAST_MATH + bool "Use Fast Math (default)" + + config ESP_WOLFSSL_SP_MATH + bool "Use SP Math" + + config ESP_WOLFSSL_SP_MATH_ALL + bool "Use SP Math All" - menu "wolfCrypt tests" - config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS - bool "Enable wolfCrypt Test Options" - depends on ESP_WOLFSSL_ENABLE_TEST + config ESP_WOLFSSL_USE_INTEGER_HEAP_MATH + bool "Use Integer Heap Math" + + config ESP_WOLFSSL_SP_RISCV32 + bool "Use SP Match for RISC-V Devices" + endchoice + + menu "Hardening" + config ESP_WOLFSSL_WC_NO_HARDEN + bool "Disable wolfSSL hardening" + default n + help + Sets WC_NO_HARDEN + + config ESP_WOLFSSL_TFM_TIMING_RESISTANT + bool "Enable TFM Timing Resistant Code" + default n + help + Sets TFM_TIMING_RESISTANT. + + endmenu # Hardening + endmenu # wolfSSL Algorithm Settings + + menu "wolfSSL Application Specific Tuning" + config ESP_WOLFSSL_MULTI_THREAD + bool "Set wolfSSL SINGLE_THREAD mode" default n help - Enables HAVE_WOLFCRYPT_TEST_OPTIONS + Enable to use semaphores for multi-task applications. Requires a small about of additional long term RAM. + When not selected, defines wolfSSL SINGLE_THREADED macro. The ESP32 ESP-IDF uses FreeRTOS regardless of this setting. - config TEST_ESPIDF_ALL_WOLFSSL - bool "Enable all features to use in tests" - depends on ESP_WOLFSSL_ENABLE_TEST + config ESP_WOLFSSL_STATIC_MEMORY + bool "Set wolfSSL Static Memory mode" default n help - Enables TEST_ESPIDF_ALL_WOLFSSL - - endmenu # wolfCrypt tests + Enable to use experimental static memory, no malloc. May be problematic on devices with low RAM. + When disabled, sets WOLFSSL_SMALL_STACK. The DEBUG_WOLFSSL_MALLOC is also enabled by default to + show malloc failures which may occur on low RAM devices. 
- # ----------------------------------------------------------------------------------------------------------------- - # Apple HomeKit Options - # ----------------------------------------------------------------------------------------------------------------- - menu "Apple HomeKit" - config WOLFSSL_APPLE_HOMEKIT - bool "Enable Apple HomeKit options" + config ESP_WOLFSSL_RSA_LOW_MEM + bool "RSA Low Memory Mode" default n help - Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit. - endmenu # Apple HomeKit - # ----------------------------------------------------------------------------------------------------------------- + When enabled, use have as much memory, but RSA is twice as slow. - config ESP_WOLFSSL_DISABLE_MY_ECC - bool "Disable ECC in my project" - default "n" - help - ECC is enabled by default. Select this option to disable. + # ----------------------------------------------------------------------------------------------------------------- + # Apple HomeKit Options + # ----------------------------------------------------------------------------------------------------------------- + menu "Apple HomeKit" + config WOLFSSL_APPLE_HOMEKIT + bool "Enable Apple HomeKit options" + default n + help + Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit. + endmenu # Apple HomeKit + + # ----------------------------------------------------------------------------------------------------------------- + # wolfCrypt Benchmark + # ----------------------------------------------------------------------------------------------------------------- + menu "wolfCrypt Benchmark" + config ESP_WOLFSSL_ENABLE_BENCHMARK + bool "Enable wolfSSL Benchmark Library" + default n + help + Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK. 
- config ESP_WOLFSSL_ENABLE_MY_USE_RSA - bool "Enable RSA in my project" - default "n" - help - RSA is disabled by default. Select this option to enable. + config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING + bool "Enable benchmark timing debug" + depends on ESP_WOLFSSL_ENABLE_BENCHMARK + default n + help + Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc). + + config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG + bool "Enable benchmark timer debug" + depends on ESP_WOLFSSL_ENABLE_BENCHMARK + default n + help + Turn on timer debugging (used when CPU cycles not available) + endmenu # wolfCrypt Benchmark + + # ----------------------------------------------------------------------------------------------------------------- + # wolfCrypt Test + # ----------------------------------------------------------------------------------------------------------------- + menu "wolfCrypt Test" + config ESP_WOLFSSL_ENABLE_TEST + bool "Enable wolfCrypt Test Library" + default n + help + Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST. + + config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS + bool "Enable wolfCrypt Test Options" + depends on ESP_WOLFSSL_ENABLE_TEST + default n + help + Enables HAVE_WOLFCRYPT_TEST_OPTIONS + + config TEST_ESPIDF_ALL_WOLFSSL + bool "Enable all features to use in tests" + depends on ESP_WOLFSSL_ENABLE_TEST + default n + help + Enables TEST_ESPIDF_ALL_WOLFSSL + endmenu # wolfCrypt tests + + # ----------------------------------------------------------------------------------------------------------------- + # TLS Client/Server + # ----------------------------------------------------------------------------------------------------------------- + menu "TLS Client/Server" + choice WOLFSSL_USE_TLS_CERT_EXAMPLE + prompt "Use example certificates (see user_settings.h)" + default WOLFSSL_USE_CERT_BUFFERS_2048 + help + Select which bundled example certificate set to compile in. 
+ + config WOLFSSL_USE_CERT_BUFFERS_2048 + bool "Use 2048 bit RSA cert buffers example (default)" + help + Uses example cert buffers ca_cert_der_2048, client_cert_der_2048 etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_1024 + bool "Use 1024 bit RSA cert buffers" + help + Uses example cert buffers ca_cert_der_1024, client_cert_der_1024, etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_256 + bool "Use 256 bit ECC cert buffers" + help + Uses example cert buffers ca_ecc_cert_der_256, cliecc_cert_der_256, etc. + Include header: wolfssl/certs_test.h + + config WOLFSSL_USE_CERT_BUFFERS_SM + bool "Use SM (Shang Mi) cert buffers" + help + Use the SM (Shang Mi) Cipher Examples + Include header: wolfssl/certs_test_sm.h + + config WOLFSSL_USE_CERT_BUFFERS_NONE + bool "Do not use the default wolfSSL certificate examples" + help + Define your own macro values for the examples. + endchoice + endmenu # TLS Client/Server + endmenu # Application Specific - config ESP_WOLFSSL_BENCHMARK - bool "Enable wolfSSL Benchmark" - default n - help - Enables user settings relevant to benchmark code config ESP_TLS_USING_WOLFSSL_SPECIFIED bool "Use the specified wolfssl for ESP-TLS" @@ -170,7 +309,7 @@ menu "wolfSSL" disabling TFM fast math provides faster wolfSSL software algorithms in an even smaller flash memory footprint. - menu "Protocol Config" + menu "wolfSSL Protocol Config" config WOLFSSL_HAVE_ALPN bool "Enable ALPN (Application Layer Protocol Negotiation) in wolfSSL" default y 
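Review bot: The re-added Hardening submenu keeps `ESP_WOLFSSL_TFM_TIMING_RESISTANT` at `default n`, so a menuconfig user gets no timing-resistant TFM unless user_settings.h forces TFM_TIMING_RESISTANT regardless of Kconfig (not visible here); either make it `default y` or state in the help that the macro is forced elsewhere and this item only matters for explicit opt-out. The `ESP_WOLFSSL_MULTI_THREAD` prompt reads "Set wolfSSL SINGLE_THREAD mode" although enabling it selects multi-threading, which invites the opposite choice; `bool "Enable multi-threaded wolfSSL (clears SINGLE_THREADED)"` matches the help text. `ESP_WOLFSSL_USE_ECC` (default y) and `ESP_WOLFSSL_DISABLE_ECC` can both be set with no `depends on` between them, so the help should say which one wins. Typos in the new prompts: "Adlemanl", "Use SP Match", "use have as much memory" (half), "small about of" (amount).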
@@ -182,9 +321,16 @@ menu "wolfSSL" Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2. When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted. + config WOLFSSL_LOW_MEMORY_DISABLE_TLS13 + bool "Disable TLS 1.3 on known low-memory devices" + default n + help + Overrides other settings allowing TLS 1.3. Typically used for ESP8266 and ESP32C2 + devices with known memory limitations. + config WOLFSSL_ALLOW_TLS12 bool "Allow TLS 1.2" - default n + default y help Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2. When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted. 
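Review bot: `WOLFSSL_LOW_MEMORY_DISABLE_TLS13` says it overrides other settings, but nothing stops it from being selected together with `WOLFSSL_ALLOW_TLS12=n`, which leaves no protocol version enabled and fails only at connect time; adding `select WOLFSSL_ALLOW_TLS12` (or `depends on WOLFSSL_ALLOW_TLS12`) makes the combination impossible in menuconfig. Flipping `WOLFSSL_ALLOW_TLS12` to `default y` enlarges the protocol set every example negotiates by default, yet the help still describes TLS 1.2 only as a fallback; it should say that TLS 1.2 is now enabled by default and that TLS 1.3-only deployments must turn it off explicitly.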
@@ -209,13 +355,63 @@ menu "wolfSSL" help Sets HAVE_OCSP + choice + prompt "Select session cache size" + default ESP_WOLFSSL_NO_SESSION_CACHE + + config ESP_WOLFSSL_NO_SESSION_CACHE + bool "No session cache is used" + help + No memory is reserved for session cache. + + config ESP_WOLFSSL_MICRO_SESSION_CACHE + bool "Micro Session Cache" + help + Uses less than 1K. Stored only 1 session for cache. + SessionCache takes about 400 bytes, ClientCache takes 576 bytes. + + config ESP_WOLFSSL_SMALL_SESSION_CACHE + bool "Small Session Cache" + help + Allows storing 6 sessions. + SessionCache takes about 2K, ClientCache takes about 3K bytes. + + config ESP_WOLFSSL_MEDIUM_SESSION_CACHE + bool "Medium Session Cache" + help + Allows for over 1,000 sessions. Consider using external memory. + + config ESP_WOLFSSL_BIG_SESSION_CACHE + bool "Big Session Cache" + help + Allows for over 20,000 sessions. Unrealistic for most ESP32 devices. + + config ESP_WOLFSSL_TITAN_SESSION_CACHE + bool "Tital Session Cache" + help + Allows for over 2 million sessions. Unrealistic for most ESP32 devices. + endchoice + + config ESP_WOLFSSL_TCP_REUSE + int "TCP Reuse" + default 0 + help + Set to 1 to allow socket reuse. + endmenu # Protocol Config # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- config TLS_STACK_WOLFSSL # Invisible option that locks TLS_STACK_WOLFSSL to ESP_TLS_USING_WOLFSSL - bool + # + # See setting in: esp-idf\[version]\components\esp-tls\Kconfig: + # + # config ESP_TLS_USING_WOLFSSL + # bool "wolfSSL (License info in wolfSSL directory README)" + # select TLS_STACK_WOLFSSL + # + bool # No prompt, invisible here. Set in ESP-TLS component default n select FREERTOS_ENABLE_BACKWARD_COMPATIBILITY help 
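Review bot: `ESP_WOLFSSL_TCP_REUSE` is declared `int` with `default 0` and help "Set to 1", so menuconfig accepts any integer and there is no `range 0 1`; a `bool "Allow TCP socket reuse"` with `default n` expresses the intent and avoids a stray value reaching the code that reads it (outside this hunk). In the session-cache choice, `bool "Tital Session Cache"` should be `bool "Titan Session Cache"` and "Stored only 1 session" should read "Stores only 1 session"; the help could also state that the cache is RAM resident on the device so the sizing notes apply to internal SRAM unless external memory is configured, as the Medium entry already hints.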
@@ -223,6 +419,7 @@ menu "wolfSSL" Enabled when wolfSSL is selected in ESP_TLS_LIBRARY_CHOOSE. menu "wolfSSL ESP-TLS" + # Enabled only when Component config - ESP-TLS - Choose SSL/TLS Library for ESP-TLS has wolfSSL selected: depends on ESP_TLS_USING_WOLFSSL menu "Certificate Bundle" @@ -255,8 +452,8 @@ menu "wolfSSL" depends on ESP_TLS_USING_WOLFSSL help Although not recommended, there may be certificates in the bundle that are missing - a serial number. This option allows the missing value without having to fully - disable strict ASN checking with WOLFSSL_NO_ASN_STRICT. + a serial number. This option allows the missing value (a zero) without having to fully + disable strict ASN checking with WOLFSSL_NO_ASN_STRICT. Note this is disallowed by RFC 5280 choice WOLFSSL_DEFAULT_CERTIFICATE_BUNDLE bool "Default certificate bundle options" @@ -323,6 +520,19 @@ menu "wolfSSL" default 200 depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL + config ESP_WOLFSSL_DEBUG_CERT_BUNDLE + bool "Enable certificate bundle debug" + depends on WOLFSSL_CERTIFICATE_BUNDLE + default n + help + View debug messages for cert bundle processing. + + config ESP_WOLFSSL_OPENSSL_EXTRA + bool "Enable wolfSSL OpenSSL Extra support" + default n + help + Enable OpenSSL support: old SHA functions only available with OpenSSLL (not recommended) + endmenu endmenu # wolfSSL ESP-TLS # ----------------------------------------------------------------------------------------------------------------- @@ -429,7 +639,7 @@ menu "wolfSSL" bool "Enable ML-KEM (Kyber Post Quantum)" default n help - bool "Enable wolfSSL ML-KEM" + Enable wolfSSL ML-KEM config WOLFSSL_ENABLE_KYBER bool "Enable Kyber (Round 3)" 
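Review bot: `ESP_WOLFSSL_OPENSSL_EXTRA` is a library-wide compatibility option but is declared inside the "Certificate Bundle" submenu, which sits under the "wolfSSL ESP-TLS" menu that `depends on ESP_TLS_USING_WOLFSSL` (visible in the -223 hunk), so the option is hidden in menuconfig unless ESP-TLS is switched to wolfSSL. Moving it beside the other general options, or adding an explicit `depends on`, would make its availability match its help text. The help has a typo, "OpenSSLL" → "OpenSSL", and should name the macro it enables the way neighbouring entries do (presumably OPENSSL_EXTRA), since the "(not recommended)" warning is the only hint that it widens the API surface.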
@@ -442,11 +652,23 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- menu "wolfSSL Debug Options" + config ESP_WOLFSSL_DEBUG_CERTS + bool "Enable wolfSSL Certificate Debugging" + default n + help + Enable debugging messages for wolfSSL certificate processing. See user_settings.h for additional debug options. + config ESP_WOLFSSL_DEBUG_WOLFSSL bool "Enable wolfSSL Debugging" default n help - Enable debugging messages for wolfSSL. See user_settings.h for additional debug options. + Enable debugging messages for wolfSSL. Includes wolfSSL Certificate Debugging (WOLFSSL_DEBUG_CERTS) See user_settings.h for additional debug options. + + config WOLFSSL_EXAMPLE_VERBOSITY + bool "Enable example verbosity" + default n + help + This is only intended to be used with examples. Excessive verbosity may have undesired effects on timing-critical code. config ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING bool "Suppress build-time warnings for main stack size" @@ -454,6 +676,12 @@ menu "wolfSSL" help Useful only when wolfSSL is running in main task. See FreeRTOS stack size for custom tasks. + config ESP_NO_DEFAULT_TASK_MONITOR + bool "Disable automatic enable of task monitoring." + default n + help + Unless disabled, ESP_MONITOR_HW_TASK_LOCK is automatically enabled in esp32-crypt.h + config ESP_WOLFSSL_TEST_LOOP bool "Run test apps in a loop until failure" default y 
@@ -465,6 +693,26 @@ menu "wolfSSL" default n help Enables experimental settings for wolfSSL. See documentation. + + config ESP_LATEST_MITIGATIONS + bool "Enable mitigation for latest ESP-IDF" + default y + help + Address any issues in latest (unreleased) ESP-IDF. Currently v6. + Known problems include SHA HW acceleration on RISC-V devices failing. + Enable this option to disable SHA HW on only ESP32-C2, C3, C6. + Only implemented in user_settings.h + + config WOLFSSL_USE_MY_PRIVATE_CONFIG + bool "Use a private include file for config" + default n + help + Sets WOLFSSL_USE_MY_PRIVATE_CONFIG for platform-specific default + config file outside of GitHub repository. + Handy for things like WiFi SSID and Passwords that are typically + not saved on GitHub. + Can also set CONFIG_WOLFSSL_USE_MY_PRIVATE_CONFIG environment variable to 1 + endmenu # wolfSSL Debug Options # ----------------------------------------------------------------------------------------------------------------- @@ -482,7 +730,7 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- - menu "Component Config" + menu "wolfSSL Component Config" config IGNORE_ESP_IDF_WOLFSSL_COMPONENT bool "Ignore the ESP-IDF component of wolfSSL (if present)" default n @@ -500,7 +748,7 @@ menu "wolfSSL" # ----------------------------------------------------------------------------------------------------------------- # ----------------------------------------------------------------------------------------------------------------- - menu "Utility Config" + menu "wolfSSL Utility Config" config USE_WOLFSSL_ESP_SDK_TIME bool "Enable wolfSSL time helper functions" default n 
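Review bot: The help for `ESP_LATEST_MITIGATIONS` (first hunk, `-465`) says enabling it disables SHA HW on the ESP32-C2, C3 and C6, but the user_settings.h hunk `-28` in this patch only activates the mitigation when `ESP_IDF_VERSION_MAJOR` is 6 or greater, so on every released ESP-IDF the option (default `y`) does nothing. Users reading the menu will otherwise expect a behavior change they never see. Suggested addition to the help: `Only takes effect when building against ESP-IDF v6 or later; no effect on v5.x and earlier.`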
@@ -523,12 +771,14 @@ menu "wolfSSH" config ESP_ENABLE_WOLFSSH bool "Enable wolfSSH options" default n + # See wolfssl settings.h help Enables WOLFSSH_TERM, WOLFSSL_KEY_GEN, WOLFSSL_PTHREADS, WOLFSSH_TEST_SERVER, WOLFSSH_TEST_THREADING config ESP_WOLFSSL_DEBUG_WOLFSSH bool "Enable wolfSSH debugging" default n + # See wolfssl settings.h help Enable wolfSSH debugging macro. See user_settings.h diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h index 9c14dc9dfc..577e555bd8 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h @@ -18,8 +18,28 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ + #define WOLFSSL_ESPIDF_COMPONENT_VERSION 0x01 +/* This user_settings.h is for Espressif ESP-IDF + * + * Standardized wolfSSL Espressif ESP32 + ESP8266 user_settings.h V5.8.2-1 + * + * Do not include any wolfssl headers here. + * + * Note to maintainers: + * + * When editing this file ensure all examples match. + * The template example is the reference. + * Consider Kconfig. Managed Components do not allow editing of user_settings.h + */ +#undef WOLFSSL_ESPIDF +#define WOLFSSL_ESPIDF + +#define NO_FILESYSTEM +#define NO_OLD_TLS +#define WOLFSSL_ASN_TEMPLATE + /* Examples such as test and benchmark are known to cause watchdog timeouts. * Note this is often set in project Makefile: * CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 */ 
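Review bot: `NO_OLD_TLS` is now defined unconditionally near the top of user_settings.h (the `-18` hunk), yet a `/* #define NO_OLD_TLS */` placeholder still appears further down the file (visible as context in the `-386` hunk), which will mislead anyone who later tries to toggle it there. Either drop that stale comment or annotate it, e.g. `/* NO_OLD_TLS is set unconditionally at the top of this file */`. The "Note to maintainers" block is a good addition; it could also state that the `CONFIG_*` macros used throughout come from `sdkconfig.h`, which is only included after this point.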
@@ -28,15 +48,17 @@ /* The Espressif project config file. See also sdkconfig.defaults */ #include "sdkconfig.h" -/* This user_settings.h is for Espressif ESP-IDF - * - * Standardized wolfSSL Espressif ESP32 + ESP8266 user_settings.h V5.8.2-1 certs - * - * Do not include any wolfssl headers here. - * - * When editing this file: - * ensure all examples match. The template example is the reference. - */ +/* Some mitigations are ESP-IDF version-specific. */ +#include "esp_idf_version.h" + +/* Optional mitigations for latest (unreleased) ESP-IDF v6 */ +#if defined(CONFIG_ESP_LATEST_MITIGATIONS) && CONFIG_ESP_LATEST_MITIGATIONS + #if defined(ESP_IDF_VERSION_MAJOR) && (ESP_IDF_VERSION_MAJOR >= 6) + /* There's a known issue with SHA HW accerlator on RISC-V chips in V6 + * Fixed in https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_RISCV_SHA_HW_MITIGATION 1 + #endif +#endif /* Naming convention: (see also esp32-crypt.h for the reference source). * 
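Review bot: The gate `ESP_IDF_VERSION_MAJOR >= 6` enables `WOLFSSL_RISCV_SHA_HW_MITIGATION` for every v6.x build, including future releases that already contain the fix the comment points to (wolfSSL PR 9225), while the comment describes it as a mitigation for an "unreleased" version. Without an upper bound or a removal note, the SHA hardware will stay disabled on RISC-V targets long after it is safe to use. Suggested comment on the `#define`: `/* TODO: remove or bound to the affected v6 pre-release once the fix from wolfSSL PR 9225 is in the tree; currently applies to all v6.x builds */`. Also "accerlator" should be "accelerator".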
@@ -81,17 +103,48 @@ ** CONFIG_IDF_TARGET_ESP32C6 */ -#undef WOLFSSL_ESPIDF -#define WOLFSSL_ESPIDF - /* Test various user_settings between applications by selecting example apps * in `idf.py menuconfig` for Example wolfSSL Configuration settings: */ /* Turn on messages that are useful to see only in examples. */ -#define WOLFSSL_EXAMPLE_VERBOSITY +#if defined(CONFIG_WOLFSSL_EXAMPLE_VERBOSITY) && \ + CONFIG_WOLFSSL_EXAMPLE_VERBOSITY + #undef WOLFSSL_EXAMPLE_VERBOSITY + #define WOLFSSL_EXAMPLE_VERBOSITY +#endif + +#if defined(CONFIG_WOLFSSL_ALT_CERT_CHAINS) && \ + CONFIG_WOLFSSL_ALT_CERT_CHAINS + #undef WOLFSSL_ALT_CERT_CHAINS + #define WOLFSSL_ALT_CERT_CHAINS +#endif + +#if defined(CONFIG_ESP_WOLFSSL_DEBUG_WOLFSSL) && \ + CONFIG_ESP_WOLFSSL_DEBUG_WOLFSSL + #define DEBUG_WOLFSSL +#endif + +#if defined(CONFIG_ESP_WOLFSSL_DEBUG_CERTS) && \ + CONFIG_ESP_WOLFSSL_DEBUG_CERTS + #define WOLFSSL_DEBUG_CERTS +#endif + +#if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP8266) + /* WOLFSSL_LOW_MEMORY detected at runtime for low memory warning */ + #define WOLFSSL_LOW_MEMORY +#endif /* Paths can be long, ensure the entire value printed during debug */ -#define WOLFSSL_MAX_ERROR_SZ 500 +#ifdef WOLFSSL_LOW_MEMORY + /* If too small, the error_test() will fail. */ + #define WOLFSSL_MAX_ERROR_SZ 65 + #define WOLFSSL_MSG_EX_BUF_SZ 65 +#else + #define WOLFSSL_MAX_ERROR_SZ 500 + #define WOLFSSL_MSG_EX_BUF_SZ 500 +#endif /* wolfSSL Examples: set macros used in example applications. * 
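Review bot: The new `DEBUG_WOLFSSL` and `WOLFSSL_DEBUG_CERTS` blocks define their macro without the `#undef` guard that the `WOLFSSL_EXAMPLE_VERBOSITY` and `WOLFSSL_ALT_CERT_CHAINS` blocks immediately above use, so the four Kconfig-to-macro blocks are inconsistent and the two debug ones will emit a redefinition diagnostic if the macro is also passed on the command line. The comment `/* WOLFSSL_LOW_MEMORY detected at runtime for low memory warning */` is also misleading: the macro is a compile-time target selection, and presumably only the warning that reads it happens at runtime. Suggested wording: `/* Compile-time low-memory profile for these targets; checked at runtime to print the limited-resource warning */`.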
@@ -116,12 +169,28 @@ /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */ /* #define USE_WOLFSSL_ESP_SDK_WIFI */ #define WOLFSSL_BENCHMARK_FIXED_UNITS_KB + #define BENCH_EMBEDDED #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT) /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_client */ - #define USE_WOLFSSL_ESP_SDK_WIFI + #if defined(CONFIG_IDF_TARGET_ESP32H2) + /* There's no WiFi on the ESP32 H2, use idf.menuconfig to enable */ + #else + /* This example will always use the wolfSSL WiFi helper */ + #define USE_WOLFSSL_ESP_SDK_WIFI + #endif + #define USE_WOLFSSL_ESP_SDK_TIME + #define NO_WOLFSSL_SERVER #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_SERVER) /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_server */ - #define USE_WOLFSSL_ESP_SDK_WIFI + #define NO_WOLFSSL_CLIENT + #if defined(CONFIG_IDF_TARGET_ESP32H2) + /* There's no WiFi on the ESP32 H2, use idf.menuconfig to enable */ + #else + /* This example will always use the wolfSSL WiFi helper */ + #define USE_WOLFSSL_ESP_SDK_WIFI + #endif + /* Even without WiFi, the wolfSSL helper has some static time settings */ + #define USE_WOLFSSL_ESP_SDK_TIME /* wolfSSH Examples */ #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE) @@ -214,6 +283,7 @@ /* See Kconfig / menuconfig ESP_WOLFSSL_ENABLE_MLKEM */ #ifdef CONFIG_ESP_WOLFSSL_ENABLE_MLKEM /* Kyber typically needs a minimum 10K stack */ + #define WOLFSSL_MLKEM_KYBER #define WOLFSSL_HAVE_MLKEM #define WOLFSSL_WC_MLKEM #define WOLFSSL_SHAKE128 @@ -250,6 +320,7 @@ #ifdef NO_AES #warning "Found NO_AES, wolfSSL AES Cannot be enabled. Check config." #else + #define HAVE_AESGCM #define WOLFSSL_AES #define WOLFSSL_AES_COUNTER 
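Review bot: In the first hunk (`-116`) the ESP32-H2 handling is an empty `#if defined(CONFIG_IDF_TARGET_ESP32H2)` branch that exists only to carry a comment, duplicated in both the TLS client and TLS server cases. Writing it positively, `#if !defined(CONFIG_IDF_TARGET_ESP32H2) /* no WiFi on the ESP32-H2 */` followed by `#define USE_WOLFSSL_ESP_SDK_WIFI` and `#endif`, removes the empty branch and makes the intent readable at a glance. Defining `NO_WOLFSSL_SERVER` in the client example and `NO_WOLFSSL_CLIENT` in the server example is a welcome reduction of compiled-in TLS code; a short comment saying that is why they are set would help the next reader keep them.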
@@ -356,24 +427,103 @@ #endif /* See below for chipset detection from sdkconfig.h */ -/* when you want to use SINGLE THREAD. Note Default ESP-IDF is FreeRTOS */ -#define SINGLE_THREADED +/* See Kconfig: Check if Multi Thread selected in idf.py menuconfig + * Single Thread avoids RAM-consuming semaphores. + * Note Default ESP-IDF is FreeRTOS rergardless of this setting */ +#if defined(CONFIG_ESP_WOLFSSL_MULTI_THREAD) && \ + CONFIG_ESP_WOLFSSL_MULTI_THREAD + /* Unless SINGLE_THREADED defined, wolfssl assumes multi-thread. */ + /* #undef SINGLE_THREADED */ +#else + #define SINGLE_THREADED +#endif /* Small session cache saves a lot of RAM for ClientCache and SessionCache. * Memory requirement is about 5KB, otherwise 20K is needed when not specified. * If extra small footprint is needed, try MICRO_SESSION_CACHE (< 1K) * When really desperate or no TLS used, try NO_SESSION_CACHE. */ -#define NO_SESSION_CACHE +#if defined(CONFIG_ESP_WOLFSSL_TITAN_SESSION_CACHE) + /* Consider RAM requirements. Unrealistic for most ESP32 devices */ + #define TITAN_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_BIG_SESSION_CACHE) + /* Consider RAM requirements. Unrealistic for most ESP32 devices */ + #define BIG_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_MEDIUM_SESSION_CACHE) + /* Consider RAM requirements. 
*/ + #define MEDIUM_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_SMALL_SESSION_CACHE) + #define SMALL_SESSION_CACHE +#elif defined(CONFIG_ESP_WOLFSSL_MICRO_SESSION_CACHE) + #define MICRO_SESSION_CACHE +#else + #define NO_SESSION_CACHE + #define WOLFSSL_NO_TICKET +#endif + +#ifndef NO_SESSION_CACHE + #define HAVE_SESSION_TICKET +#endif + +/* See Kconfig: Check if Static Memory selected in idf.py menuconfig */ +#if defined(CONFIG_ESP_WOLFSSL_STATIC_MEMORY) && \ + CONFIG_ESP_WOLFSSL_STATIC_MEMORY + #define WOLFSSL_STATIC_MEMORY +#endif + +#if defined(WOLFSSL_STATIC_MEMORY) + #define WOLFSSL_STATIC_MEMORY + #define WOLFSSL_STATIC_MEMORY_LEAN + #define WOLFSSL_NO_MALLOC + #ifdef WOLFSSL_SMALL_STACK + #error "Cannot use WOLFSSL_SMALL_STACK with WOLFSSL_NO_MALLOC" + #endif + #if 1 + /* trap malloc failure */ + #define WOLFSSL_MALLOC_CHECK + #endif + #define HAVE_MAX_FRAGMENT + #define HAVE_TLS_EXTENSIONS -/* Small Stack uses more heap. */ -#define WOLFSSL_SMALL_STACK + #define WOLFSSL_CUSTOM_CURVES + #define HAVE_ECC_KOBLITZ + #define HAVE_ECC256 + #define NO_ECC192 + #define NO_ECC224 + #define NO_ECC384 + #define NO_ECC521 -/* Full debugging turned off, but show malloc failure detail */ -/* #define DEBUG_WOLFSSL */ -#define DEBUG_WOLFSSL_MALLOC + #ifdef HAVE_ED25519 + #undef HAVE_ED25519 + #endif + #ifdef WOLFSSL_SHA512 + #undef WOLFSSL_SHA512 + #endif + + /* multiple of 16 & 32 */ + #define WOLFMEM_IO_SZ 2048 + + #if (1) + #define USE_FAST_MATH + #else + #define SP_MATH + #define FP_ECC + #endif +#else + /* Not using static memory */ + + /* Small Stack uses more heap. */ + #define WOLFSSL_SMALL_STACK + + /* Full debugging turned off, but show malloc failure detail */ + /* #define DEBUG_WOLFSSL */ + #define DEBUG_WOLFSSL_MALLOC +#endif /* RSA_LOW_MEM: Half as much memory but twice as slow. 
*/ -#define RSA_LOW_MEM +#if defined(CONFIG_ESP_WOLFSSL_RSA_LOW_MEM) && \ + CONFIG_ESP_WOLFSSL_RSA_LOW_MEM + #define RSA_LOW_MEM +#endif /* optionally turn off SHA512/224 SHA512/256 */ /* #define WOLFSSL_NOSHA512_224 */ @@ -386,16 +536,43 @@ /* #define NO_SHA */ /* #define NO_OLD_TLS */ -#define BENCH_EMBEDDED +/* Very low memory device notice: + * TLS 1.2 typically enabled + * TLS 1.3 typically disabled + * + * See runtime warning for limited-resource devices. + * + * Typical error codes at client, talking to low-memory server: + * -125 MEMORY_E out of memory error + * -308 SOCKET_ERROR_E error state on socket + * -313 FATAL_ERROR recvd alert fatal error + */ + +#if defined(CONFIG_WOLFSSL_ALLOW_TLS12) && CONFIG_WOLFSSL_ALLOW_TLS12 + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ + defined(CONFIG_IDF_TARGET_ESP8684) + /* low-memory devices with TLS 1.2 enabled */ + #endif + + /* TLS 1.2 uses extensions by default */ + #define HAVE_TLS_EXTENSIONS + +#else + /* Unless explicitly enabled, only TLS 1.3 is configured */ + #define WOLFSSL_NO_TLS12 +#endif + /* TLS 1.3 */ -#ifdef CONFIG_WOLFSSL_ALLOW_TLS13 +#if (defined(CONFIG_WOLFSSL_ALLOW_TLS13) && CONFIG_WOLFSSL_ALLOW_TLS13) && \ + !defined(CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13) #define WOLFSSL_TLS13 #define HAVE_TLS_EXTENSIONS #define HAVE_HKDF - /* May be required */ + /* AEAD May be required */ #ifndef HAVE_AEAD + /* Syntax highlighting detection only */ #endif /* Required for ECC */ 
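Review bot: The static-memory branch of the `-356` hunk does `#undef HAVE_ED25519` and `#undef WOLFSSL_SHA512`, but both macros appear to be defined again later in the file for non-low-memory targets (`#define WOLFSSL_SHA512` is visible as context in the `-427` hunk and `#define HAVE_ED25519` at the top of the `-458` hunk), so the undefs here look ineffective on those targets. Either move this block after those definitions or guard them with `#ifndef WOLFSSL_STATIC_MEMORY`. In the same branch `#define WOLFSSL_STATIC_MEMORY` inside `#if defined(WOLFSSL_STATIC_MEMORY)` is a no-op, and the `#if 1` / `#if (1)` toggles should carry a comment saying what the alternative is for, or be removed. "rergardless" in the thread comment should be "regardless".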
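Review bot: In the `-386` hunk there is no diagnostic for the case where neither TLS version ends up configured: with `CONFIG_WOLFSSL_ALLOW_TLS12` off, the `#else` defines `WOLFSSL_NO_TLS12`, and if `CONFIG_WOLFSSL_ALLOW_TLS13` is also off (or `CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13` is set) the TLS 1.3 block is skipped too, leaving a build that compiles but can never complete a handshake. A compile-time warning after the TLS 1.3 block would surface this misconfiguration: `#if defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_TLS13) && !defined(WOLFCRYPT_ONLY)` / `#warning "No TLS version enabled; only wolfCrypt is usable"` / `#endif`. The inner `#if defined(CONFIG_IDF_TARGET_ESP32C2) || defined(CONFIG_IDF_TARGET_ESP8684)` block in the TLS 1.2 branch is empty and should either get its low-memory settings or be removed. The TLS 1.3 block continues past the end of the hunk.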
@@ -416,8 +593,32 @@ #endif #endif +/* Settings common to both TLS 1.2 and TLS 1.3 */ +#if (defined(CONFIG_WOLFSSL_ALLOW_TLS12) && CONFIG_WOLFSSL_ALLOW_TLS12) || \ + (defined(CONFIG_WOLFSSL_ALLOW_TLS13) && CONFIG_WOLFSSL_ALLOW_TLS13) + + /* ECC can optionally be disabled, but is normally enabled */ + #if defined(ESP_WOLFSSL_DISABLE_ECC) && \ + ESP_WOLFSSL_DISABLE_ECC + #undef HAVE_ECC + #else + #define HAVE_ECC + #endif + + /* DH can optionally be disabled, but is normally enabled */ + #if defined(ESP_WOLFSSL_DISABLE_DH) && \ + ESP_WOLFSSL_DISABLE_DH + #undef HAVE_DH + #else + #define HAVE_DH + #endif + +#endif + + #if defined(CONFIG_IDF_TARGET_ESP32C2) || \ - defined(CONFIG_IDF_TARGET_ESP8684) + defined(CONFIG_IDF_TARGET_ESP8684) || \ + defined(CONFIG_IDF_TARGET_ESP8266) /* Optionally set smaller size here */ #ifdef HAVE_FFDHE_4096 /* this size may be problematic on the C2 */ @@ -427,26 +628,25 @@ #define HAVE_FFDHE_4096 #endif -#define NO_FILESYSTEM - -#define NO_OLD_TLS - -#define HAVE_AESGCM - /* Optional RIPEMD: RACE Integrity Primitives Evaluation Message Digest */ /* #define WOLFSSL_RIPEMD */ /* when you want to use SHA224 */ -#define WOLFSSL_SHA224 +#if defined(CONFIG_ESP_WOLFSSL_SHA224) && \ + CONFIG_ESP_WOLFSSL_SHA224 + #define WOLFSSL_SHA224 +#endif /* when you want to use SHA384 */ -#define WOLFSSL_SHA384 +#if defined(CONFIG_ESP_WOLFSSL_SHA384) && \ + CONFIG_ESP_WOLFSSL_SHA384 + #define WOLFSSL_SHA384 +#endif /* Some features not enabled for ESP8266: */ #if defined(CONFIG_IDF_TARGET_ESP8266) || \ defined(CONFIG_IDF_TARGET_ESP32C2) /* Some known low-memory devices have features not enabled by default. */ - /* TODO determine low memory configuration for ECC. */ #else /* when you want to use SHA512 */ #define WOLFSSL_SHA512 
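Review bot: The new common block in the `-416` hunk tests `ESP_WOLFSSL_DISABLE_ECC` and `ESP_WOLFSSL_DISABLE_DH` without the `CONFIG_` prefix that every other Kconfig-derived macro in this condition carries (`CONFIG_WOLFSSL_ALLOW_TLS12`, `CONFIG_WOLFSSL_ALLOW_TLS13`), so if these are meant to be menuconfig options they can never be reached from Kconfig, and if they are meant as compiler-flag overrides a comment should say so. This block also unconditionally defines `HAVE_ECC` and `HAVE_DH` whenever any TLS version is allowed, and it runs before the `CONFIG_ESP_WOLFSSL_USE_ECC` / `CONFIG_ESP_WOLFSSL_USE_RSA` selection in the `-458` hunk; unless that later block undefines `HAVE_ECC` in its ECC-off branch (not visible here), an RSA-only selection in menuconfig would still compile ECC in. A one-line comment stating which of the two mechanisms wins would prevent the next maintainer from guessing.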
@@ -458,23 +658,17 @@ #define HAVE_ED25519 #endif -#if defined(CONFIG_IDF_TARGET_ESP8266) || defined(CONFIG_IDF_TARGET_ESP32C2) - #define MY_USE_ECC 0 - #define MY_USE_RSA 1 -#else - #define MY_USE_ECC 1 - #define MY_USE_RSA 0 -#endif - -/* We can use either or both ECC and RSA, but must use at least one. */ -#if MY_USE_ECC || MY_USE_RSA - #if MY_USE_ECC +/* We can use either or both ECC and RSA, but must use at least one for TLS */ +#if (defined(CONFIG_ESP_WOLFSSL_USE_ECC) && CONFIG_ESP_WOLFSSL_USE_ECC) || \ + (defined(CONFIG_ESP_WOLFSSL_USE_RSA) && CONFIG_ESP_WOLFSSL_USE_RSA) + /* Some ECC checks */ + #if CONFIG_ESP_WOLFSSL_USE_ECC /* ---- ECDSA / ECC ---- */ #define HAVE_ECC + /* #define HAVE_CURVE25519 #define HAVE_ED25519 #define WOLFSSL_SHA512 - /* #define HAVE_ECC384 #define CURVE25519_SMALL */ @@ -485,17 +679,27 @@ #define WOLFSSH_NO_ECDSA #endif - #if MY_USE_RSA + #if CONFIG_ESP_WOLFSSL_USE_RSA /* ---- RSA ----- */ /* #define RSA_LOW_MEM */ /* DH disabled by default, needed if ECDSA/ECC also turned off */ #define HAVE_DH + #define HAVE_RSA #else + #undef HAVE_RSA + #define NO_RSA + /* Also disable RSA if wolfSSH used */ #define WOLFSSH_NO_RSA #endif #else - #error "Either RSA or ECC must be enabled" + #if defined(CONFIG_ESP_WOLFSSL_ENABLE_MLKEM) + /* See above for PQ-only config */ + #elif defined(WOLFCRYPT_ONLY) + /* Communications such as (D)TLS not compiled in */ + #else + #warning "PQ, RSA, and ECC are disabled. Consider WOLFCRYPT_ONLY" + #endif #endif /* Optional OpenSSL compatibility */ 
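Review bot: `#if CONFIG_ESP_WOLFSSL_USE_ECC` in the `-458` hunk (and `#if CONFIG_ESP_WOLFSSL_USE_RSA` in the `-485` hunk) evaluates an identifier that is undefined whenever only the other option is selected; the preprocessor treats it as 0, so the logic works, but it differs from the `defined(...) && ...` form used in the enclosing `#if` and fires `-Wundef` on every such build. Use the same guarded form: `#if defined(CONFIG_ESP_WOLFSSL_USE_ECC) && CONFIG_ESP_WOLFSSL_USE_ECC`. The change that moves the `/*` so that `HAVE_CURVE25519`, `HAVE_ED25519` and `WOLFSSL_SHA512` become commented out under ECC is easy to miss in review; a comment such as `/* Curve25519/Ed25519 left disabled here to save flash; enable per target below */` would record the intent (hedged, since the reason is not stated in the hunk).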
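Review bot: The new `#if defined(CONFIG_ESP_WOLFSSL_ENABLE_MLKEM) /* See above for PQ-only config */` branch in the `-485` hunk stays silent when both RSA and ECC are disabled, but ML-KEM only provides key exchange; TLS peer authentication still needs a certificate signature algorithm or a pre-shared key. Unless the PQ block referenced by "See above" also enables a post-quantum signature scheme, such a build has no way to verify or present a certificate, which is exactly the configuration a `#warning` should call out, as the `WOLFCRYPT_ONLY` sibling branch already does for its case. Suggested: `#warning "ML-KEM enabled without RSA or ECC: no certificate signature algorithm, TLS peer authentication needs PSK or a signature scheme"`. The outer `#if` of this chain starts outside the hunk.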
@@ -552,21 +756,37 @@ #define HASH_SIZE_LIMIT /* USE_FAST_MATH is default */ -#define USE_FAST_MATH - -/***** Use SP_MATH *****/ -/* #undef USE_FAST_MATH */ -/* #define SP_MATH */ -/* #define WOLFSSL_SP_MATH_ALL */ -/* #define WOLFSSL_SP_RISCV32 */ +#if defined(CONFIG_ESP_WOLFSSL_USE_FAST_MATH) && \ + ESP_WOLFSSL_USE_FAST_MATH + /***** Use Fast Math *****/ + #define USE_FAST_MATH + #undef WOLFSSL_SP_MATH + #undef WOLFSSL_SP_MATH_ALL + #define USE_INTEGER_HEAP_MATH +#elif defined(CONFIG_ESP_WOLFSSL_SP_MATH) && \ + CONFIG_ESP_WOLFSSL_SP_MATH + /***** Use SP_MATH *****/ + #undef USE_FAST_MATH + #undef USE_INTEGER_HEAP_MATH + #define WOLFSSL_SP_MATH + #define WOLFSSL_SP_MATH_ALL +#elif defined(CONFIG_ESP_WOLFSSL_USE_INTEGER_HEAP_MATH) && \ + CONFIG_ESP_WOLFSSL_USE_INTEGER_HEAP_MATH + /***** Use Integer Heap Math *****/ + #undef USE_FAST_MATH + #undef WOLFSSL_SP_MATH + #undef WOLFSSL_SP_MATH_ALL + #define USE_INTEGER_HEAP_MATH +#else + #define USE_FAST_MATH +#endif /***** Use Integer Heap Math *****/ /* #undef USE_FAST_MATH */ /* #define USE_INTEGER_HEAP_MATH */ /* Just syntax highlighting to check math libraries: */ -#if defined(SP_MATH) || \ - defined(USE_INTEGER_HEAP_MATH) || \ +#if defined(WOLFSSL_SP_MATH) || \ defined(USE_INTEGER_HEAP_MATH) || \ defined(USE_FAST_MATH) || \ defined(WOLFSSL_SP_MATH_ALL) || \ @@ -577,10 +797,6 @@ #define HAVE_VERSION_EXTENDED_INFO /* #define HAVE_WC_INTROSPECTION */ -#ifndef NO_SESSION_CACHE - #define HAVE_SESSION_TICKET -#endif - /* #define HAVE_HASHDRBG */ #if 0 @@ -604,8 +820,6 @@ #endif -#define WOLFSSL_ASN_TEMPLATE - /* #undef WOLFSSL_KEY_GEN #undef WOLFSSL_CERT_REQ 
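Review bot: The Fast Math branch in the `-552` hunk tests `defined(CONFIG_ESP_WOLFSSL_USE_FAST_MATH) && ESP_WOLFSSL_USE_FAST_MATH`, and the second operand lacks the `CONFIG_` prefix the SP_MATH and integer-heap branches use, so unless `ESP_WOLFSSL_USE_FAST_MATH` is defined by something else it evaluates to 0 and the branch is dead; the build still lands on `USE_FAST_MATH` via the final `#else`, but the branch's `#undef WOLFSSL_SP_MATH` / `#undef WOLFSSL_SP_MATH_ALL` never run. The same branch also defines `USE_INTEGER_HEAP_MATH`, which looks copied from the integer-heap branch and would select two math backends at once if the branch ever became live. Change the condition to `CONFIG_ESP_WOLFSSL_USE_FAST_MATH` and delete `#define USE_INTEGER_HEAP_MATH` from that branch. The commented `/***** Use Integer Heap Math *****/` block that follows is now redundant with the `#elif` above it and could go.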
@@ -623,11 +837,13 @@ */ /* optional SM4 Ciphers. See https://github.com/wolfSSL/wolfsm */ -/* -#define WOLFSSL_SM2 -#define WOLFSSL_SM3 -#define WOLFSSL_SM4 -*/ + +#if defined(ESP_WOLFSSL_USE_SM) && \ + ESP_WOLFSSL_USE_SM + #define WOLFSSL_SM2 + #define WOLFSSL_SM3 + #define WOLFSSL_SM4 +#endif #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) /* SM settings, possible cipher suites: @@ -669,9 +885,16 @@ #undef HAVE_AESGCM #define HAVE_AESGCM -#endif + + /* ByteReverseWords is known to need alignment */ + #undef WOLFSSL_USE_ALIGN + #define WOLFSSL_USE_ALIGN +#endif /* SM or regular certs */ /* Chipset detection from sdkconfig.h + * See idf.py --list-targets + * or ESP-IDF ./components/esp_hw_support/include/esp_chip_info.h + * Set target example: idf.py set-target esp32s3 * Default is HW enabled unless turned off. * Uncomment lines to force SW instead of HW acceleration */ #if defined(CONFIG_IDF_TARGET_ESP32) || defined(WOLFSSL_ESPWROOM32SE) @@ -692,7 +915,7 @@ #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA224 /* no SHA224 HW on ESP32 */ #undef ESP_RSA_MULM_BITS - #define ESP_RSA_MULM_BITS 16 /* TODO add compile-time warning */ + #define ESP_RSA_MULM_BITS 16 /***** END CONFIG_IDF_TARGET_ESP32 *****/ #elif defined(CONFIG_IDF_TARGET_ESP32S2) 
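Review bot: The SM ciphers in the `-623` hunk are enabled from `ESP_WOLFSSL_USE_SM`, again without the `CONFIG_` prefix used by `CONFIG_ESP_WOLFSSL_SHA224` and the other Kconfig-derived switches, so it is unclear whether menuconfig can reach it. A second path, `CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM` in the `-1016` hunk later in this patch, also defines `WOLFSSL_SM2/3/4`, but that happens after the `#if defined(WOLFSSL_SM2) || ...` block in the `-669` hunk has already run; a build that enables SM only through the cert-buffer choice will therefore miss the `WOLFSSL_USE_ALIGN` definition added here and hit the `#warning "Define WOLFSSL_USE_ALIGN to avoid LoadStoreAlignment panic"` in that later hunk. Consider selecting SM in one place, or moving the alignment define next to the cert-buffer selection, with a comment such as `/* SM may also be selected via CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM below; keep the alignment setting in sync */`.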
@@ -736,8 +959,16 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */ /* These are defined automatically in esp32-crypt.h, here for clarity */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C2 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C2 */ + /* no SHA384 HW on C2 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C2 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif /* There's no AES or RSA/Math accelerator on the ESP32-C2 * Auto defined with NO_WOLFSSL_ESP32_CRYPT_RSA_PRI, for clarity: */ @@ -756,8 +987,16 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* to disable all SHA HW */ /* These are defined automatically in esp32-crypt.h, here for clarity: */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */ + /* no SHA384 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ 
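Review bot: The C2 (`-736`) and C3 (`-756`) hunks define `WOLFSSL_IDF_PRERELEASE_MIGIATION_ACTIVE`, while the C6 hunk (`-766`) spells it `WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE`; any code that tests the correctly spelled name will see the mitigation as inactive on the C2 and C3. The three copies of the `#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION)` block are identical, sit at column 0 inside indented target sections, and would be easier to keep consistent as a single block after the target chain, guarded by the three `CONFIG_IDF_TARGET_*` macros. The C3 section's comments also say "no SHA384 HW on C6" / "no SHA512 HW on C6", which look copied from the C6 section; they should say C3.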
@@ -766,16 +1005,34 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ /***** END CONFIG_IDF_TARGET_ESP32C3 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32C5) + #define WOLFSSL_ESP32 + + /* There's no Hardware Acceleration available on ESP32-C5 */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32C5 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32C6) #define WOLFSSL_ESP32 /* wolfSSL HW Acceleration supported on ESP32-C6. Uncomment to disable: */ - /* #define NO_ESP32_CRYPT */ - /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* These are defined automatically in esp32-crypt.h, here for clarity: */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 /* no SHA384 HW on C6 */ - #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 /* no SHA512 HW on C6 */ + /* no SHA384 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C6 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + +#if defined(WOLFSSL_RISCV_SHA_HW_MITIGATION) + /* TODO not needed after https://github.com/wolfSSL/wolfssl/pull/9225 */ + #define WOLFSSL_IDF_PRERELEASE_MITIGATION_ACTIVE + #define NO_WOLFSSL_ESP32_CRYPT_HASH +#endif + /* #define NO_ESP32_CRYPT */ + /* #define NO_WOLFSSL_ESP32_CRYPT_HASH */ /* #define NO_WOLFSSL_ESP32_CRYPT_AES */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI */ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */ 
@@ -783,7 +1040,34 @@ /* #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */ /***** END CONFIG_IDF_TARGET_ESP32C6 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32C61) + #define WOLFSSL_ESP32 + /* wolfSSL HW Acceleration not yet supported on ESP32-C61. */ + + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + + /* TODO latest WIP ESP-IDF v6 needs esp_sha_set_mode, disable for now: */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH + + /* These are defined automatically in esp32-crypt.h, here for clarity: */ + /* no SHA384 HW on C61 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA384 + /* no SHA512 HW on C61 */ + #define NO_WOLFSSL_ESP32_CRYPT_HASH_SHA512 + + /* HW temporarily disabled on the ESP32-C61 pending additional development. + * See also settings.h that should also be disabling these after v5.8.0 */ + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD + /***** END CONFIG_IDF_TARGET_ESP32C61 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32H2) + /* Reminder: There's no wifi on ESP32-H2 */ + #define WOLFSSL_ESP32 /* wolfSSL Hardware Acceleration not yet implemented */ #define NO_ESP32_CRYPT 
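Review bot: The new ESP32-C61 section defines `NO_WOLFSSL_ESP32_CRYPT_HASH` twice, once under "HW Acceleration not yet supported" and again under the "needs esp_sha_set_mode" TODO; the repeat is harmless but reads as if two different things were being disabled. Keep one `#define` and merge the two reasons into its comment, e.g. `/* No SHA HW on C61 yet; also WIP ESP-IDF v6 needs esp_sha_set_mode */`. Disabling every accelerator when support is unverified is the right default for a crypto target.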
@@ -792,6 +1076,24 @@ #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI /***** END CONFIG_IDF_TARGET_ESP32H2 *****/ +#elif defined(CONFIG_IDF_TARGET_ESP32H21) + #define WOLFSSL_ESP32 + /* wolfSSL Hardware Acceleration not yet implemented */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32H21 *****/ + +#elif defined(CONFIG_IDF_TARGET_ESP32H4) + #define WOLFSSL_ESP32 + /* wolfSSL Hardware Acceleration not yet implemented */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_ESP32H4 *****/ + #elif defined(CONFIG_IDF_TARGET_ESP32P4) #define WOLFSSL_ESP32 /* wolfSSL Hardware Acceleration not yet implemented */ @@ -818,16 +1120,25 @@ /***** END CONFIG_IDF_TARGET_ESP266 *****/ #elif defined(CONFIG_IDF_TARGET_ESP8684) - /* There's no Hardware Acceleration available on ESP8684 */ + /* There's no Hardware Acceleration available on ESP8684 + * Note that it usually presents as ESP32C2 */ #define NO_ESP32_CRYPT #define NO_WOLFSSL_ESP32_CRYPT_HASH #define NO_WOLFSSL_ESP32_CRYPT_AES #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI /***** END CONFIG_IDF_TARGET_ESP8684 *****/ +#elif defined(POSIX_LINUX) + /* There's no Hardware Acceleration available on POSIX/Linux simulator */ + #define NO_ESP32_CRYPT + #define NO_WOLFSSL_ESP32_CRYPT_HASH + #define NO_WOLFSSL_ESP32_CRYPT_AES + #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI + /***** END CONFIG_IDF_TARGET_POSIX_LINUX *****/ + #else /* Anything else encountered, disable HW acceleration */ - #warning "Unexpected CONFIG_IDF_TARGET_NN value" + #warning "Unexpected CONFIG_IDF_TARGET_NN value, disabling all HW crypto" #define NO_ESP32_CRYPT #define NO_WOLFSSL_ESP32_CRYPT_HASH #define NO_WOLFSSL_ESP32_CRYPT_AES 
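Review bot: In the `-818` hunk the new branch is `#elif defined(POSIX_LINUX)` but its closing comment reads `/***** END CONFIG_IDF_TARGET_POSIX_LINUX *****/`, a name that does not exist in the condition; the mismatch will confuse anyone grepping the target chain. Use `/***** END POSIX_LINUX *****/`. The expanded fallback `#warning "Unexpected CONFIG_IDF_TARGET_NN value, disabling all HW crypto"` is a good fail-safe, since an unknown target silently using the wrong accelerator path would be far worse.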
@@ -845,7 +1156,7 @@ /* See idf.py menuconfig for stack warning settings */ #if !defined(CONFIG_ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING) #if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500 - #warning "RSA may be difficult with less than 10KB Stack" + /* RSA may be difficult with less than 10KB Stack */ #endif #else /* Implement your own stack warning here */ @@ -856,11 +1167,17 @@ /* NOTE HW unreliable for small values! */ /* threshold for performance adjustment for HW primitive use */ /* X bits of G^X mod P greater than */ - #undef ESP_RSA_EXPT_XBITS + #if defined(ESP_RSA_EXPT_XBITS) && (ESP_RSA_EXPT_XBITS < 32) + #warning "Adjusting ESP_RSA_EXPT_XBITS to 32" + #undef ESP_RSA_EXPT_XBITS + #endif #define ESP_RSA_EXPT_XBITS 32 /* X and Y of X * Y mod P greater than */ - #undef ESP_RSA_MULM_BITS + #if defined(ESP_RSA_MULM_BITS) && (ESP_RSA_MULM_BITS < 16) + #warning "Adjusting ESP_RSA_MULM_BITS to 16" + #undef ESP_RSA_MULM_BITS + #endif #define ESP_RSA_MULM_BITS 16 #endif #endif 
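Review bot: In the `-845` hunk the `#warning "RSA may be difficult with less than 10KB Stack"` was turned into a plain comment, which leaves the `#if CONFIG_ESP_MAIN_TASK_STACK_SIZE < 10500` body empty and makes the Kconfig option `ESP_WOLFSSL_NO_STACK_SIZE_BUILD_WARNING` ("Suppress build-time warnings for main stack size", visible in the `-442` Kconfig hunk) suppress nothing. A too-small main task stack under RSA shows up as a runtime stack overflow, so the build-time hint had value; if it was too noisy, restore it as `#warning` but keep the option meaningful, or drop the option and its help so users do not believe a check exists. The `#if` chain here begins and ends outside the hunk.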
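Review bot: In the `-856` hunk the `#undef ESP_RSA_EXPT_XBITS` is now conditional on the value being below 32, but the following `#define ESP_RSA_EXPT_XBITS 32` is still unconditional, so a project that already sets a value above 32 gets a macro-redefinition diagnostic and has its larger threshold silently replaced by 32; the same applies to `ESP_RSA_MULM_BITS`. Since the comment just above says the HW is unreliable for small values, the intent is presumably to raise too-small values only, which means the define needs its own guard: `#ifndef ESP_RSA_EXPT_XBITS` / `#define ESP_RSA_EXPT_XBITS 32` / `#endif`, and likewise for `ESP_RSA_MULM_BITS 16`. The enclosing `#if` blocks closed by the trailing `#endif #endif` start outside the hunk.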
@@ -1016,87 +1333,313 @@ Turn on timer debugging (used when CPU cycles not available) * https://github.com/wolfSSL/wolfssl/pull/6825 * https://github.com/wolfSSL/wolfsm * - * Uncomment these 3 macros to enable the SM Ciphers and use the macros below. + * Check to see if idf.py menuconfig selected example certs, otheruse use 2048: */ - -/* -#define WOLFSSL_SM2 -#define WOLFSSL_SM3 -#define WOLFSSL_SM4 -*/ +#if defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_2048) + #define USE_CERT_BUFFERS_2048 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_1024) + #define USE_CERT_BUFFERS_1024 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_256) + #define USE_CERT_BUFFERS_256 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_SM) + #define WOLFSSL_SM2 + #define WOLFSSL_SM3 + #define WOLFSSL_SM4 +#elif defined(CONFIG_WOLFSSL_USE_CERT_BUFFERS_NONE) + /* See user_settings.h for referenbce on defining your own cert */ +#else + #define USE_CERT_BUFFERS_2048 +#endif /* Conditional macros used in wolfSSL TLS client and server examples */ #if defined(WOLFSSL_SM2) || defined(WOLFSSL_SM3) || defined(WOLFSSL_SM4) - #include - #define CTX_CA_CERT root_sm2 - #define CTX_CA_CERT_SIZE sizeof_root_sm2 - #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_PEM - #define CTX_SERVER_CERT server_sm2 - #define CTX_SERVER_CERT_SIZE sizeof_server_sm2 - #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM - #define CTX_SERVER_KEY server_sm2_priv - #define CTX_SERVER_KEY_SIZE sizeof_server_sm2_priv - #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_PEM + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (SM)" - #undef WOLFSSL_BASE16 - #define WOLFSSL_BASE16 -#else - #if defined(USE_CERT_BUFFERS_2048) - #ifdef USE_CERT_BUFFERS_1024 - #error "USE_CERT_BUFFERS_1024 is already defined. Pick one." 
- #endif + #ifndef HAVE_TLS_EXTENSIONS + #error "SM Ciphers require HAVE_TLS_EXTENSIONS" + #endif + #ifndef HAVE_HKDF + #error "SM Ciphers require HAVE_HKDF" + #endif + #ifndef HAVE_ECC + #error "SM Ciphers require HAVE_ECC" + #endif + #ifndef WOLFSSL_USE_ALIGN + #warning "Define WOLFSSL_USE_ALIGN to avoid LoadStoreAlignment panic" + #endif + + #ifdef WOLFSSL_ALT_CERT_CHAINS + /* When on, wolfSSL will accept the peer if the leaf sent matches + * the one loaded, even without a CA in the path */ + #endif + + /* ./examples/client/client -h 192.168.1.107 -v 3 \ + * -l ECDHE-ECDSA-SM4-CBC-SM3 + * -c ./certs/sm2/client-sm2.pem + * -k ./certs/sm2/client-sm2-priv.pem + * -A ./certs/sm2/ca-sm2.pem -C + */ + + /* Certificate file `-c`; client command default: certs/server-cert.pem + * wolfSSL_CTX_use_certificate_chain_buffer_format + * + * Note that the PEM file of server_sm2 contains both leaf and CA + * The DER file contains only the server cert. */ + + /* Server */ + #ifndef NO_WOLFSSL_SERVER + #define CTX_SERVER_CERT server_sm2 + #define CTX_SERVER_CERT_NAME "server_sm2" + #define CTX_SERVER_CERT_SIZE sizeof_server_sm2 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM + + /* Key file `-k`; client command default: ./certs/server-key.pem + * wolfSSL_CTX_use_certificate_buffer */ + #define CTX_SERVER_KEY server_sm2_priv_der + #define CTX_SERVER_KEY_NAME "server_sm2_priv_der" + #define CTX_SERVER_KEY_SIZE sizeof_server_sm2_priv_der + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Client */ + #ifndef NO_WOLFSSL_CLIENT + #define CTX_CA_CERT root_sm2_der + #define CTX_CA_CERT_NAME "root_sm2_der" + #define CTX_CA_CERT_SIZE sizeof_root_sm2_der + #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_CLIENT_KEY client_sm2_priv_der + #define CTX_CLIENT_KEY_NAME "client_sm2_priv_der" + #define CTX_CLIENT_KEY_SIZE sizeof_client_sm2_priv_der + #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif + + /* Client Cert. 
+ * This is also the optional peer verify certificate at server */ + #define CTX_CLIENT_CERT client_sm2_der + #define CTX_CLIENT_CERT_NAME "client_sm2_der" + #define CTX_CLIENT_CERT_SIZE sizeof_client_sm2_der + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END SM */ - /* Be sure to include in app, not here, when using example certs: */ - /* #include */ +#elif defined(USE_CERT_BUFFERS_2048) + /* + * To connect to ESP32 server with a client from commandline: + * + * The client uses 2048 certs by default, so no certs needed on commandline: + * + * TLS 1.2 + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 + * + * TLS 1.3 + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 4 + */ + + /* Be sure to include in app, not here, when using example certs: */ + /* #include */ + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_2048)" + + #ifdef USE_CERT_BUFFERS_1024 + #error "USE_CERT_BUFFERS_1024 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_256 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." 
+ #endif + #if defined(NO_RSA) + #error "RSA is needed to use CERT_BUFFERS_2048 example" + #endif + /* Client */ + #ifndef NO_WOLFSSL_CLIENT #define CTX_CA_CERT ca_cert_der_2048 #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_2048 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_SERVER_CERT server_cert_der_2048 - #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048 - #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 - #define CTX_SERVER_KEY server_key_der_2048 - #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_2048 - #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 - - #define CTX_CLIENT_CERT client_cert_der_2048 - #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048 - #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 #define CTX_CLIENT_KEY client_key_der_2048 #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_2048 #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1 + #endif - #elif defined(USE_CERT_BUFFERS_1024) - #ifdef USE_CERT_BUFFERS_2048 - #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." 
+ /* Server */ + #ifndef NO_WOLFSSL_SERVER + #if (0) + /* No PEM certs available at this time */ + #define CTX_SERVER_CERT server_cert_2048 + #define CTX_SERVER_CERT_NAME "server_cert_2048" + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_2048 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM + + #define CTX_SERVER_KEY server_key_2048 + #define CTX_SERVER_KEY_NAME "server_key_2048" + #define CTX_SERVER_KEY_SIZE sizeof_server_key_2048 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_PEM + #else + #define CTX_SERVER_CERT server_cert_der_2048 + #define CTX_SERVER_CERT_NAME "server_cert_der_2048" + #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_2048 + #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + #define CTX_SERVER_KEY server_key_der_2048 + #define CTX_SERVER_KEY_NAME "server_key_der_2048" + #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_2048 + #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1 #endif + #endif /* server */ + + /* -A Client peer verify at the server + * defaults: ./examples/client/client -v 3 -h 192.168.1.107 */ + #define CTX_CLIENT_CERT client_cert_der_2048 + #define CTX_CLIENT_CERT_NAME "client_cert_der_2048" + #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_2048 + #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1 + + /* END USE_CERT_BUFFERS_2048 */ - /* Be sure to include in app, not here, when using example certs: */ - /* #include */ +#elif defined(USE_CERT_BUFFERS_1024) + #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_1024)" + /* + * To connect to ESP32 server with a client from commandline: + * + * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d \ + -A ./certs/1024/ca-cert.pem \ + -c ./certs/1024/client-cert.pem \ + -k ./certs/1024/client-key.pem -C + */ + #ifdef USE_CERT_BUFFERS_2048 + #error "USE_CERT_BUFFERS_2048 is already defined. Pick one." + #endif + #ifdef USE_CERT_BUFFERS_256 + #error "USE_CERT_BUFFERS_256 is already defined. Pick one." 
+ #endif
+
+ /* Be sure to include in app, not here, when using example certs: */
+ /* #include */
+ /* Client */
+ #ifndef NO_WOLFSSL_CLIENT
 #define CTX_CA_CERT ca_cert_der_1024
+ #define CTX_CA_CERT_NAME "ca_cert_der_1024"
 #define CTX_CA_CERT_SIZE sizeof_ca_cert_der_1024
 #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1
- #define CTX_CLIENT_CERT client_cert_der_1024
- #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024
- #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1
 #define CTX_CLIENT_KEY client_key_der_1024
 #define CTX_CLIENT_KEY_SIZE sizeof_client_key_der_1024
 #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1
+ #endif
+ /* Server */
+ #ifndef NO_WOLFSSL_SERVER
 #define CTX_SERVER_CERT server_cert_der_1024
+ #define CTX_SERVER_CERT_NAME "server_cert_der_1024"
 #define CTX_SERVER_CERT_SIZE sizeof_server_cert_der_1024
 #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1
+ #define CTX_SERVER_KEY server_key_der_1024 + #define CTX_SERVER_KEY_NAME "server_key_der_1024"
 #define CTX_SERVER_KEY_SIZE sizeof_server_key_der_1024
 #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1
+ #endif
+
+ /* Optional shared client peer verify for wolfSSL_CTX_set_verify() */
+ #define CTX_CLIENT_CERT client_cert_der_1024
+ #define CTX_CLIENT_CERT_NAME "client_cert_der_1024"
+ #define CTX_CLIENT_CERT_SIZE sizeof_client_cert_der_1024
+ #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1
+
+ /* END USE_CERT_BUFFERS_1024 */
+
+#elif defined(USE_CERT_BUFFERS_256)
+ /* Be sure to include in app, not here, when using example certs: */
+ /* #include */
+ #define CTX_CERT_SET_NAME "wolfSSL Test Certs (USE_CERT_BUFFERS_256)"
+ #ifndef HAVE_ECC
+ #error "USE_CERT_BUFFERS_256 requires HAVE_ECC"
+ #endif
+
+ #if (0) /* Optional SECP256K1 */
+ #define HAVE_ECC_SECP256K1
+ #define HAVE_ECC_KOBLITZ
+ #define WOLFSSL_CUSTOM_CURVES
+ #endif
+ /*
+ * To connect to this ESP32 server with a client from commandline:
+ *
+ * TLS 1.3, disable peer cert:
+ * ./examples/client/client -h 192.168.1.107 -p 11111 -v 
4 -d
+ *
+ * TLS 1.2, disable peer cert:
+ * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d
+ *
+ * ./examples/client/client -h 192.168.1.107 -p 11111 -v 3 \
+ -A ./certs/ecc/ca-secp256k1-cert.pem \
+ -c ./certs/ecc/client-secp256k1-cert.pem \
+ -k ./certs/ecc/secp256k1-key.pem
+
+ ./examples/client/client -h 192.168.1.107 -p 11111 -v 4 \
+ -A ./certs/ca-ecc-cert.pem \
+ -c ./certs/client-ecc-cert.pem \
+ -k ./certs/ecc-client-key.pem
+ */
+ #ifdef USE_CERT_BUFFERS_2048
+ #error "USE_CERT_BUFFERS_2048 is already defined. Pick one."
+ #endif
+ #ifdef USE_CERT_BUFFERS_1024
+ #error "USE_CERT_BUFFERS_256 is already defined. Pick one."
+ #endif
+
+ #ifndef NO_WOLFSSL_CLIENT
+ #define CTX_CA_CERT ca_ecc_cert_der_256
+ #define CTX_CA_CERT_SIZE sizeof_ca_ecc_cert_der_256
+ #define CTX_CA_CERT_TYPE WOLFSSL_FILETYPE_ASN1
+
+ #define CTX_CLIENT_KEY ecc_clikey_der_256
+ #define CTX_CLIENT_KEY_SIZE sizeof_ecc_clikey_der_256
+ #define CTX_CLIENT_KEY_TYPE WOLFSSL_FILETYPE_ASN1
+ #endif
+
+ /* Server */
+ #ifndef NO_WOLFSSL_SERVER
+ /* wolfSSL_CTX_use_certificate_chain_buffer_format */
+ #if (0)
+ /* serv_ecc_der_256 leaf only */
+ #define CTX_SERVER_CERT serv_ecc_der_256
+ #define CTX_SERVER_CERT_NAME "serv_ecc_der_256"
+ #define CTX_SERVER_CERT_SIZE sizeof_serv_ecc_der_256
+ #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_ASN1
 #else
- /* Optionally define custom cert arrays, sizes, and types here */
+ /* new leaf + ca, needs https://github.com/wolfSSL/wolfssl/pull/9231 */
+ #define CTX_SERVER_CERT server_ecc_cert
+ #define CTX_SERVER_CERT_NAME "server_ecc_cert"
+ #define CTX_SERVER_CERT_SIZE sizeof_server_ecc_cert
+ #define CTX_SERVER_CERT_TYPE WOLFSSL_FILETYPE_PEM
 #endif
-#endif /* Conditional key and cert constant names */
+ /* wolfSSL_CTX_use_PrivateKey_buffer */
+ #define CTX_SERVER_KEY ecc_key_der_256
+ #define CTX_SERVER_KEY_NAME "ecc_key_der_256"
+ #define CTX_SERVER_KEY_SIZE sizeof_ecc_key_der_256
+ #define CTX_SERVER_KEY_TYPE WOLFSSL_FILETYPE_ASN1
+
+ /* 
wolfSSL_CTX_load_verify_buffer */
+ #define CTX_CLIENT_CERT cliecc_cert_der_256
+ #define CTX_CLIENT_CERT_NAME "cliecc_cert_der_256"
+ #define CTX_CLIENT_CERT_SIZE sizeof_cliecc_cert_der_256
+ #define CTX_CLIENT_CERT_TYPE WOLFSSL_FILETYPE_ASN1
+
+ #endif /* Server */
+ /* END USE_CERT_BUFFERS_256 */
+
+#endif /* USE_CERT_BUFFERS_[n] */
+
+/*
+./examples/client/client -h 192.168.1.107 -p 11111 -v 3 -d \
+ -A ./certs/ca-ecc-cert.pem \
+ -c ./certs/ecc/client-ecc-cert.pem \
+ -k ./certs/ecc/ecc-key.pem
+*/
 /******************************************************************************
 ** Sanity Checks
 ******************************************************************************/
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/ld/region_peek.ld b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/ld/region_peek.ld
new file mode 100644
index 0000000000..e8ca4b3ae4
--- /dev/null
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/ld/region_peek.ld
@@ -0,0 +1,9 @@
+/* ORIGIN()/LENGTH() always see the SoC memory regions: */
+INCLUDE memory.ld
+
+/* Region boundary symbols derived from memory.ld */
+PROVIDE(__dram0_start = ORIGIN(dram0_0_seg));
+PROVIDE(__dram0_end = ORIGIN(dram0_0_seg) + LENGTH(dram0_0_seg));
+
+PROVIDE(__drom0_start = ORIGIN(drom0_0_seg));
+PROVIDE(__drom0_end = ORIGIN(drom0_0_seg) + LENGTH(drom0_0_seg));
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/CMakeLists.txt b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/CMakeLists.txt
index 2998d8ee59..95d47b2a3e 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/CMakeLists.txt
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/CMakeLists.txt
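Review bot: region_peek.ld carries no header comment saying what it is for or which build step consumes it, while every other file this commit adds opens with the wolfSSL license block; a reader landing on `PROVIDE(__dram0_start = ORIGIN(dram0_0_seg));` has to guess who reads `__dram0_start`. Suggest the same license header followed by a purpose line such as `/* region_peek.ld: export DRAM/DROM region bounds from memory.ld as linker symbols for the example's run-time memory reporting */`, adjusting the last clause to whatever the wolfssl component CMakeLists (also changed in this commit) actually wires it to. The region names `dram0_0_seg`/`drom0_0_seg` come from the IDF memory.ld the script includes, so a note on which targets define them would spare the next port a link error.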
@@ -4,7 +4,8 @@ # wolfssl crypt test # message(STATUS "Begin wolfSSL main CMakeLists.txt") -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS") +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS") if (idf_target STREQUAL "esp8266" OR IDF_TARGET STREQUAL "esp8266" OR IDF_VERSION_MAJOR VERSION_LESS "5.0") # `driver` component not available for ESP8266 @@ -21,9 +22,6 @@ endif() if(CMAKE_HOST_UNIX) message(STATUS "Detected UNIX") endif() -if(APPLE) - message(STATUS "Detected APPLE") -endif() if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop") # Windows-specific configuration here set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL") diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/main.c b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/main.c index 407506ab74..9d4c9fc1a0 100644 --- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/main.c +++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/main.c @@ -20,17 +20,19 @@ */ /* ESP-IDF */ -#include #include "sdkconfig.h" +#include /* wolfSSL */ -/* Always include wolfcrypt/settings.h before any other wolfSSL file. */ -/* Reminder: settings.h pulls in user_settings.h; don't include it here. */ +/* The wolfSSL user_settings.h is automatically included by settings.h file. + * Never explicitly include wolfSSL user_settings.h in any source file. + * The settings.h should also be listed above wolfssl library include files. */ #if defined(WOLFSSL_USER_SETTINGS) #include #if defined(WOLFSSL_ESPIDF) #include #include + #include #include #include #include 
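Review bot: The added `set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS")` duplicates the C line directly above it, so the define now lives in two strings that must be kept in step by hand, and any assembly sources in the project would still not see it. Replacing both `set(...)` lines with one `add_definitions(-DWOLFSSL_USER_SETTINGS)` applies the define to every language the project enables and has been in CMake since long before any version ESP-IDF supports. If the split is deliberate (for instance to keep the C flags string intact for an IDF version that inspects it), a one-line comment saying so would stop the next reader from collapsing them.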
@@ -187,7 +189,16 @@ void app_main(void)
 ESP_LOGI(TAG, "--------------------------------------------------------");
 ESP_LOGI(TAG, "--------------------------------------------------------");
 ESP_LOGI(TAG, "Stack Start: 0x%x", stack_start);
-
+#ifdef HAVE_WOLFCRYPT_WARMUP
+ /* Unless disabled, we'll try to allocate known, long-term heap items early
+ * in an attempt to avoid later allocations that may cause fragmentation. */
+ ESP_ERROR_CHECK(esp_sdk_wolfssl_warmup());
+#endif
+#ifdef DEBUG_WOLFSSL
+ /* Turn debugging on and off as needed: */
+ wolfSSL_Debugging_ON();
+ wolfSSL_Debugging_OFF();
+#endif
 #ifdef WOLFSSL_ESP_NO_WATCHDOG
 ESP_LOGW(TAG, "Found WOLFSSL_ESP_NO_WATCHDOG, disabling...");
 esp_DisableWatchdog();
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults
index 50773fdc1d..08ba8866c5 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults
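Review bot: `ESP_ERROR_CHECK(esp_sdk_wolfssl_warmup())` in the new HAVE_WOLFCRYPT_WARMUP block aborts the whole test application on any non-ESP_OK result, although the comment above it frames the warmup as a best-effort attempt to pre-allocate long-lived heap items; if the helper can report a recoverable condition such as an allocation failure, `if (esp_sdk_wolfssl_warmup() != ESP_OK) { ESP_LOGW(TAG, "wolfSSL warmup failed, continuing"); }` keeps the test running and still surfaces the problem. The DEBUG_WOLFSSL block calls `wolfSSL_Debugging_ON()` and then `wolfSSL_Debugging_OFF()` on the very next line, so with DEBUG_WOLFSSL defined the test still runs without wolfSSL debug output; if the pair is meant as a template, the comment should say which call to remove, otherwise drop the OFF call. app_main continues outside the hunk on both sides.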
@@ -1,11 +1,40 @@
+# sdkconfig.defaults
+
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+
 # Set the known example app config to template example (see user_settings.h)
 CONFIG_WOLFSSL_EXAMPLE_NAME_TEST=y
+# ------------- BEGIN COMMON SECTION -------------
+
 # CONFIG_EXAMPLE_WIFI_SSID="myssid"
 # CONFIG_EXAMPLE_WIFI_PASSWORD="mypassword"
+CONFIG_EXAMPLE_CONNECT_IPV6=n
+CONFIG_LWIP_IPV6=n
+
+# Colorization disabled by default in IDF V6+
+CONFIG_LOG_COLORS=y
+
 # Some wolfSSL helpers
 CONFIG_USE_WOLFSSL_ESP_SDK_TIME=y
+CONFIG_LWIP_SNTP_MAX_SERVERS=3
 # sdkconfig.defaults for ESP8266 + ESP32
 # See separate sdkconfig.defaults.esp8266
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp32c2 b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp32c2
new file mode 100644
index 0000000000..dba65f98d0
--- /dev/null
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp32c2
@@ -0,0 +1,37 @@
+# sdkconfig.defaults.esp32c2
+
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+
+# File Version 5.8.2.001 for esp-idf integration
+
+#
+# Main XTAL Config
+#
+CONFIG_XTAL_FREQ_26=y
+# CONFIG_XTAL_FREQ_40 is not set
+CONFIG_XTAL_FREQ=26
+# end of Main XTAL Config
+
+# Limited memory
+CONFIG_ESP_MAIN_MAIN_TASK_STACK_SIZE=10500
+CONFIG_MAIN_MAIN_TASK_STACK_SIZE=10500
+CONFIG_WOLFSSL_ALLOW_TLS12=y
+# CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13=y
+
+
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp32c6 b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp32c6
index a252c51ba8..9d61e301da 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp32c6
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp32c6
@@ -1,4 +1,4 @@
 # Note that during the build process, settings from sdkconfig.defaults will not override those already in sdkconfig.
 # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html#custom-sdkconfig-defaults
-CONFIG_ESP_MAIN_TASK_STACK_SIZE=25500
+CONFIG_ESP_MAIN_TASK_STACK_SIZE=28672
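Review bot: The two stack-size keys in the new sdkconfig.defaults.esp32c2 are misspelled: `CONFIG_ESP_MAIN_MAIN_TASK_STACK_SIZE=10500` and `CONFIG_MAIN_MAIN_TASK_STACK_SIZE=10500` repeat MAIN, whereas the esp32c6 and esp8266 defaults in this same commit use `CONFIG_ESP_MAIN_TASK_STACK_SIZE` and `CONFIG_MAIN_TASK_STACK_SIZE`. A key that matches no Kconfig symbol is not applied (at most a warning is printed), so the ESP32-C2 main task keeps the stock, smaller stack and the "Limited memory" tuning this file exists for is silently lost. Change them to `CONFIG_ESP_MAIN_TASK_STACK_SIZE=10500` and `CONFIG_MAIN_TASK_STACK_SIZE=10500`; the template and wolfssl_benchmark copies of this file listed in the diffstat are the same length and likely carry the same lines.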
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp8266 b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp8266
index 77299dfe4a..63c491ec8e 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp8266
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp8266
@@ -1,3 +1,42 @@
+# sdkconfig.defaults.esp328266
+
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+
+# File Version 5.8.2.001 for esp-idf integration
+
+# Limited memory
+CONFIG_ESP_MAIN_TASK_STACK_SIZE=7500
+CONFIG_MAIN_TASK_STACK_SIZE=7500
+CONFIG_WOLFSSL_ALLOW_TLS12=y
+
+# TLS 1.3 can be disabled on very low memory devices
+# CONFIG_WOLFSSL_LOW_MEMORY_DISABLE_TLS13=y
+
+# CONFIG_TCPIP_TASK_STACK_SIZE=3072
+# CONFIG_ESP_SYSTEM_EVENT_TASK_STACK_SIZE=2304
+# CONFIG_FREERTOS_IDLE_TASK_STACKSIZE=1536
+# CONFIG_FREERTOS_ISR_STACKSIZE=1536
+# CONFIG_TCP_SND_BUF_DEFAULT=5760
+
+# wolfSSL sets UART to 115200 instead of 74880 default
+CONFIG_CONSOLE_UART_BAUDRATE=115200
+
 # ESP8266 WDT
 # CONFIG_ESP_PANIC_PRINT_REBOOT is not set
 CONFIG_ESP_PANIC_PRINT_REBOOT=n
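Review bot: The first line of the new header reads `# sdkconfig.defaults.esp328266` but the file is sdkconfig.defaults.esp8266; the other headers added in this commit name their file correctly, so change it to `# sdkconfig.defaults.esp8266`. The pair `CONFIG_ESP_MAIN_TASK_STACK_SIZE=7500` / `CONFIG_MAIN_TASK_STACK_SIZE=7500` looks like the newer and older spelling of the same symbol kept so that both IDF generations pick it up; a one-line comment saying so would keep the next reader from deleting one of them as a duplicate.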
diff --git a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/wolfssl_test_ESP8266.vgdbproj b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/wolfssl_test_ESP8266.vgdbproj
index 6181d50c7c..43e3b19e4e 100644
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/wolfssl_test_ESP8266.vgdbproj
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/wolfssl_test_ESP8266.vgdbproj
@@ -53,7 +53,7 @@ - COM70 + COM65 74880 8
@@ -234,10 +234,12 @@ false true 0 + 0 false 0 true false + true openocd
diff --git a/IDE/Espressif/include.am b/IDE/Espressif/include.am
index 3d356b7671..2b4e66b1e7 100644
--- a/IDE/Espressif/include.am
+++ b/IDE/Espressif/include.am
@@ -30,6 +30,7 @@ EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/README.md
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h
+EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/ld/region_peek.ld
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/Makefile
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/main/main.c
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/main/Kconfig.projbuild
@@ -40,6 +41,7 @@ EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/main/include/main.h
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/partitions_singleapp_large.csv
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/README.md
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults
+EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults.esp32c2
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/sdkconfig.defaults.esp8266
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/template/VisualGDB
@@ -56,6 +58,7 @@ EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/README.md
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h
+EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/ld/region_peek.ld
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/CMakeLists.txt
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/component.mk
@@ -67,6 +70,7 @@ EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/Makefile
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/partitions_singleapp_large.csv
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/README.md
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults
+EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults.esp32c2
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults.esp8266
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/VisualGDB
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/VisualGDB/wolfssl_benchmark_IDF_v4.4_ESP32.sln
@@ -89,6 +93,7 @@ EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/Kc
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/README.md
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h
+EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/ld/region_peek.ld
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults.esp32c2
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/sdkconfig.defaults.esp8266
@@ -99,12 +104,8 @@ EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/component.mk
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/Kconfig.projbuild
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/main.c
-EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/time_helper.c
-EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/wifi_connect.c
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/client-tls.h
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/main.h
-EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/time_helper.h
-EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/wifi_connect.h
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/Makefile
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/partitions_singleapp_large.csv
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_client/README.md
@@ -127,6 +128,7 @@ EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/Kc
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/README.md
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h
+EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/ld/region_peek.ld
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/CMakeLists.txt
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/component.mk
@@ -134,12 +136,8 @@ EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/Kconfig.projbuild
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/main.c
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c
-EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/time_helper.c
-EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/wifi_connect.c
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/main.h
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/server-tls.h
-EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/time_helper.h
-EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/wifi_connect.h
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/Makefile
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/partitions_singleapp_large.csv
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_server/README.md
@@ -167,6 +165,7 @@ EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/Kcon
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/README.md
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h
+EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/ld/region_peek.ld
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/main
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/CMakeLists.txt
@@ -179,6 +178,7 @@ EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/Makefile
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/partitions_singleapp_large.csv
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/README.md
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults
+EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp32c2
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults.esp8266
 EXTRA_DIST+= IDE/Espressif/ESP-IDF/examples/wolfssl_test/VisualGDB
diff --git a/wolfssl/wolfcrypt/hash.h b/wolfssl/wolfcrypt/hash.h
index 99bcea00a0..5209b570dd 100644
--- a/wolfssl/wolfcrypt/hash.h
+++ b/wolfssl/wolfcrypt/hash.h
@@ -104,6 +104,7 @@ typedef union {
 wc_Sha3 sha3;
 #endif
 #ifdef WOLFSSL_SM3
+ /* See install.sh in wolfssl/wolfsm repo */
 wc_Sm3 sm3;
 #endif
 WOLF_AGG_DUMMY_MEMBER;