Reworked sections of user_settings.h

Enabling all wolfcrypt settings for PKCS11 build.
wolfSSL · Sep 12, 2023 · de067b6 · de067b6
1 parent 4b57004
commit de067b6
Show file tree

Hide file tree

Showing 2 changed files with 101 additions and 110 deletions.
diff --git a/include/user_settings.h b/include/user_settings.h
@@ -51,9 +51,11 @@ extern int tolower(int c);
 
 #if defined(WOLFBOOT_TPM_KEYSTORE) || defined(WOLFBOOT_TPM_SEAL)
 #   define WOLFBOOT_TPM_PARMENC /* used in this file to gate features */
-#   if defined(SIGN_ECC256) || defined(SIGN_ECC384) || defined(SIGN_ECC521)
-#       define HAVE_ECC_KEY_EXPORT
-#   endif
+#endif
+
+#ifdef WOLFCRYPT_SECURE_MODE
+    int hal_trng_get_entropy(unsigned char *out, unsigned len);
+    #define CUSTOM_RAND_GENERATE_SEED hal_trng_get_entropy
 #endif
 
 /* ED25519 and SHA512 */
@@ -64,7 +66,6 @@ extern int tolower(int c);
 #   define NO_ED25519_EXPORT
 #   define WOLFSSL_SHA512
 #   define USE_SLOW_SHA512
-#   define NO_RSA
 #endif
 
 /* ED448 */
@@ -74,15 +75,15 @@ extern int tolower(int c);
 #   define ED448_SMALL
 #   define NO_ED448_SIGN
 #   define NO_ED448_EXPORT
-#   define NO_RSA
 #   define WOLFSSL_SHA3
 #   define WOLFSSL_SHAKE256
 #endif
 
-/* ECC and SHA256 */
-#if defined(WOLFBOOT_SIGN_ECC256) ||\
-    defined(WOLFBOOT_SIGN_ECC384) ||\
-    defined(WOLFBOOT_SIGN_ECC521)
+/* ECC */
+#if defined(WOLFBOOT_SIGN_ECC256) || \
+    defined(WOLFBOOT_SIGN_ECC384) || \
+    defined(WOLFBOOT_SIGN_ECC521) || \
+    defined(WOLFCRYPT_SECURE_MODE)
 
 #   define HAVE_ECC
 #   define ECC_TIMING_RESISTANT
@@ -96,136 +97,122 @@ extern int tolower(int c);
 #      define FREESCALE_LTC_TFM
 #   endif
 
-/* SP MATH */
-#   if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL)
+
+/* Some ECC options are disabled to reduce size */
+#   if !defined(WOLFCRYPT_SECURE_MODE)
+#       ifndef WOLFBOOT_TPM
+#          define NO_ECC_SIGN
+#          define NO_ECC_EXPORT
+#          define NO_ECC_KEY_EXPORT
+#       else
+#           define HAVE_ECC_KEY_EXPORT
+#       endif
+#   else
+#       define HAVE_ECC_SIGN
+#       define HAVE_ECC_CDH
 #       define WOLFSSL_SP
 #       define WOLFSSL_SP_MATH
 #       define WOLFSSL_SP_SMALL
+#       define SP_WORD_SIZE 32
 #       define WOLFSSL_HAVE_SP_ECC
+#       define WOLFSSL_KEY_GEN
+#       define HAVE_ECC_KEY_EXPORT
 #   endif
 
-
-/* ECC options disabled to reduce size */
-#if !defined(WOLFCRYPT_SECURE_MODE)
-#   define HAVE_ECC
-#   if !defined(WOLFBOOT_TPM_PARMENC)
-#       define NO_ECC_SIGN
-#       define NO_ECC_EXPORT
-#       define NO_ECC_KEY_EXPORT
+    /* SP MATH */
+#   if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL)
+#       define WOLFSSL_SP
+#       define WOLFSSL_SP_MATH
+#       define WOLFSSL_SP_SMALL
+#       define WOLFSSL_HAVE_SP_ECC
 #   endif
-#else
-#   define HAVE_ECC_SIGN
-#   define HAVE_ECC_CDH
-#   define WOLFSSL_SP
-#   define WOLFSSL_SP_MATH
-#   define WOLFSSL_SP_SMALL
-#   define SP_WORD_SIZE 32
-#   define WOLFSSL_HAVE_SP_ECC
-#   define WOLFSSL_SP_MATH_ALL
-#  define WOLFSSL_KEY_GEN
-#  define HAVE_ECC_KEY_EXPORT
-
-int hal_trng_get_entropy(unsigned char *out, unsigned len);
-#   define CUSTOM_RAND_GENERATE_SEED hal_trng_get_entropy
-#endif
+
 
 /* Curve */
-#ifdef WOLFBOOT_SIGN_ECC256
-#   define HAVE_ECC256
-#   define FP_MAX_BITS (256 + 32)
-#elif defined(WOLFBOOT_SIGN_ECC384)
-#   define HAVE_ECC384
-#   define FP_MAX_BITS (384 * 2)
-#   if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL)
-#       define WOLFSSL_SP_384
-#       define WOLFSSL_SP_NO_256
-#   endif
-#   if !defined(WOLFBOOT_TPM_PARMENC)
-#       define NO_ECC256
-#   endif
-#elif defined(WOLFBOOT_SIGN_ECC521)
-#   define HAVE_ECC521
-#   define FP_MAX_BITS (528 * 2)
-#   if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL)
-#       define WOLFSSL_SP_521
-#       define WOLFSSL_SP_NO_256
-#   endif
-#   if !defined(WOLFBOOT_TPM_PARMENC)
-#       define NO_ECC256
+#   ifdef WOLFBOOT_SIGN_ECC256
+#       define HAVE_ECC256
+#       define FP_MAX_BITS (256 + 32)
+#   elif defined(WOLFBOOT_SIGN_ECC384)
+#       define HAVE_ECC384
+#       define FP_MAX_BITS (384 * 2)
+#       if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL)
+#           define WOLFSSL_SP_384
+#           define WOLFSSL_SP_NO_256
+#       endif
+#       if !defined(WOLFBOOT_TPM_PARMENC)
+#           define NO_ECC256
+#       endif
+#   elif defined(WOLFBOOT_SIGN_ECC521)
+#       define HAVE_ECC521
+#       define FP_MAX_BITS (528 * 2)
+#       if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL)
+#           define WOLFSSL_SP_521
+#           define WOLFSSL_SP_NO_256
+#       endif
+#       if !defined(WOLFBOOT_TPM_PARMENC)
+#           define NO_ECC256
+#       endif
 #   endif
-#endif
-#   define NO_RSA
 #endif /* WOLFBOOT_SIGN_ECC521 || WOLFBOOT_SIGN_ECC384 || WOLFBOOT_SIGN_ECC256 */
 
-#ifdef WOLFBOOT_SIGN_RSA2048
+
+#if defined(WOLFBOOT_SIGN_RSA2048) || \
+    defined(WOLFBOOT_SIGN_RSA3072) || \
+    defined(WOLFBOOT_SIGN_RSA4096) || \
+    defined(WOLFCRYPT_SECURE_MODE)
+
+#   define WC_RSA_BLINDING 
+#   define WC_RSA_DIRECT
 #   define RSA_LOW_MEM
-#   ifndef WOLFBOOT_TPM
+#   define WC_ASN_HASH_SHA256
+
+#   if !defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE)
 #       define WOLFSSL_RSA_VERIFY_INLINE
 #       define WOLFSSL_RSA_VERIFY_ONLY
-#   endif
-#   if !defined(WOLFBOOT_TPM_PARMENC)
 #       define WC_NO_RSA_OAEP
 #   endif
-#   define FP_MAX_BITS (2048 * 2)
-    /* sp math */
 #   if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL)
 #       define WOLFSSL_HAVE_SP_RSA
 #       define WOLFSSL_SP
 #       define WOLFSSL_SP_SMALL
 #       define WOLFSSL_SP_MATH
+#   endif
+
+
+#   ifdef WOLFBOOT_SIGN_RSA2048
+#       define FP_MAX_BITS (2048 * 2)
 #       define WOLFSSL_SP_NO_3072
 #       define WOLFSSL_SP_NO_4096
+#       define WC_ASN_HASH_SHA256
 #   endif
-#   define WC_ASN_HASH_SHA256
-#endif
 
-#ifdef WOLFBOOT_SIGN_RSA3072
-#   define RSA_LOW_MEM
-#   define WOLFSSL_RSA_VERIFY_INLINE
-#   define WOLFSSL_RSA_VERIFY_ONLY
-#   define WC_NO_RSA_OAEP
-#   define FP_MAX_BITS (3072 * 2)
-    /* sp math */
-#   if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL)
-#       define WOLFSSL_HAVE_SP_RSA
-#       define WOLFSSL_SP
-#       define WOLFSSL_SP_SMALL
-#       define WOLFSSL_SP_MATH
+#   ifdef WOLFBOOT_SIGN_RSA3072
+#       define FP_MAX_BITS (3072 * 2)
 #       define WOLFSSL_SP_NO_2048
 #       define WOLFSSL_SP_NO_4096
 #   endif
-#   define WC_ASN_HASH_SHA256
-#endif
 
-#ifdef WOLFBOOT_SIGN_RSA4096
-#   define RSA_LOW_MEM
-#   define WOLFSSL_RSA_VERIFY_INLINE
-#   define WOLFSSL_RSA_VERIFY_ONLY
-#   define WC_NO_RSA_OAEP
-#   define FP_MAX_BITS (4096 * 2)
-    /* sp math */
-#   if !defined(USE_FAST_MATH) && !defined(WOLFSSL_SP_MATH_ALL)
-#       define WOLFSSL_HAVE_SP_RSA
-#       define WOLFSSL_SP
-#       define WOLFSSL_SP_SMALL
-#       define WOLFSSL_SP_MATH
-#       define WOLFSSL_SP_4096
+#   ifdef WOLFBOOT_SIGN_RSA4096
+#       define FP_MAX_BITS (4096 * 2)
 #       define WOLFSSL_SP_NO_2048
 #       define WOLFSSL_SP_NO_3072
 #   endif
-#   define WC_ASN_HASH_SHA256
-#endif
+#else
+#   define NO_RSA
+#endif /* RSA */
 
 #ifdef WOLFBOOT_HASH_SHA3_384
 #   define WOLFSSL_SHA3
-#   if defined(NO_RSA) && !defined(WOLFBOOT_TPM_PARMENC)
+#   if defined(NO_RSA) && !defined(WOLFBOOT_TPM_PARMENC) && \
+    !defined(WOLFCRYPT_SECURE_MODE)
 #       define NO_SHA256
 #   endif
 #endif
 
 #ifdef WOLFBOOT_HASH_SHA384
 #   define WOLFSSL_SHA384
-#   if defined(NO_RSA) && !defined(WOLFBOOT_TPM_PARMENC)
+#   if defined(NO_RSA) && !defined(WOLFBOOT_TPM_PARMENC) && \
+    !defined(WOLFCRYPT_SECURE_MODE)
 #       define NO_SHA256
 #   endif
 #endif
@@ -270,8 +257,6 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
 # 	define HAVE_SCRYPT
 # 	define HAVE_AESGCM
 	typedef unsigned long time_t;
-#else
-#   define NO_HMAC
 #endif
 
 #ifndef HAVE_PWDBASED
@@ -300,7 +285,6 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
         /* Configure RNG seed */
         #define CUSTOM_RAND_GENERATE_SEED(buf, sz) ({(void)buf; (void)sz; 0;}) /* stub, not used */
         #define WC_RNG_SEED_CB
-        #define HAVE_HASHDRBG
     #endif
 
     #ifdef WOLFTPM_MMIO
@@ -329,9 +313,8 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
     #define WC_NO_HASHDRBG
     #define NO_AES_CBC
 #else
-    #ifndef HAVE_HASHDRBG
-        #define HAVE_HASHDRBG
-    #endif
+    #define HAVE_HASHDRBG
+    #define WOLFSSL_AES_CFB
 #endif
 
 
@@ -340,7 +323,7 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
     #define NO_AES
 #endif
 
-#if !defined(WOLFBOOT_TPM_PARMENC) && !defined(WOLFCRYPT_SECURE_MODE)
+#if !defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE)
     #define NO_HMAC
     #define WC_NO_RNG
     #define WC_NO_HASHDRBG
@@ -350,12 +333,12 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
 #endif
 
 #define NO_CMAC
+#define NO_DH
 #define NO_CODING
 #define WOLFSSL_NO_PEM
 #define NO_ASN_TIME
 #define NO_RC4
 #define NO_SHA
-#define NO_DH
 #define NO_DSA
 #define NO_MD4
 #define NO_RABBIT
@@ -396,7 +379,7 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
 #       define WOLFSSL_SP_NO_MALLOC
 #       define WOLFSSL_SP_NO_DYN_STACK
 #   endif
-#   if !defined(ARCH_SIM) && !defined(SECURE_PKCS11)
+#   if !defined(ARCH_SIM) && !defined(WOLFCRYPT_SECURE_MODE)
 #       define WOLFSSL_NO_MALLOC
 #   endif
 #else
@@ -415,7 +398,7 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
     #define XPRINTF uart_printf
 #endif
 
-#ifdef SECURE_PKCS11
+#ifdef WOLFCRYPT_SECURE_MODE
 typedef unsigned long time_t;
 #endif
 

diff --git a/options.mk b/options.mk
@@ -187,6 +187,9 @@ ifeq ($(SIGN),ED448)
     endif
   endif
 
+ifeq ($(SECURE_PKCS11),1)
+endif
+
 
   ifneq ($(HASH),SHA3)
     WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/sha3.o
@@ -380,9 +383,6 @@ ifeq ($(SIGN),LMS)
 endif
 
 
-ifeq ($(USE_GCC_HEADLESS),1)
-  CFLAGS+="-Wstack-usage=$(STACK_USAGE)"
-endif
 
 ifeq ($(RAM_CODE),1)
   CFLAGS+= -D"RAM_CODE"
@@ -544,12 +544,15 @@ ifeq ($(SECURE_PKCS11),1)
   OBJS+=src/pkcs11_store.o
   OBJS+=src/pkcs11_callable.o
   WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/aes.o
+  WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/rsa.o
   WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/pwdbased.o
   WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/hmac.o
+  WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/dh.o
   WOLFCRYPT_OBJS+=./lib/wolfPKCS11/src/crypto.o \
 		./lib/wolfPKCS11/src/internal.o \
 		./lib/wolfPKCS11/src/slot.o \
 		./lib/wolfPKCS11/src/wolfpkcs11.o
+  STACK_USAGE=12596
 endif
 
 OBJS+=$(PUBLIC_KEY_OBJS)
@@ -589,6 +592,7 @@ ifeq ($(WOLFTPM),1)
   WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/aes.o
   WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/hmac.o
   WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/random.o
+  WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/asn.o
   ifeq ($(DEBUG),1)
     CFLAGS+=-DWOLFBOOT_DEBUG_TPM=1
   endif
@@ -677,6 +681,10 @@ endif
 
 CFLAGS+=$(CFLAGS_EXTRA)
 
+ifeq ($(USE_GCC_HEADLESS),1)
+  CFLAGS+="-Wstack-usage=$(STACK_USAGE)"
+endif
+
 ifeq ($(SIGN_ALG),)
   SIGN_ALG=$(SIGN)
 endif