diff --git a/examples/configs/README.md b/examples/configs/README.md index ddde95d69..dadfa45ec 100644 --- a/examples/configs/README.md +++ b/examples/configs/README.md @@ -9,6 +9,7 @@ Example wolfSSL configuration file templates for use when autoconf is not availa * `user_settings_min_ecc.h`: This is ECC and SHA-256 only. For ECC verify only add `BUILD_VERIFY_ONLY`. * `user_settings_wolfboot_keytools.h`: This from wolfBoot tools/keytools and is ECC, RSA, ED25519 and ChaCha20. * `user_settings_fipsv2.h`: The FIPS v2 (3389) 140-2 certificate build options. +* `user_settings_fipsv5.h`: The FIPS v5 (ready) 140-3 build options. Equivalent to `./configure --enable-fips=v5-dev`. * `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack. ## Usage diff --git a/examples/configs/include.am b/examples/configs/include.am index 9568c9536..a74fe24ef 100644 --- a/examples/configs/include.am +++ b/examples/configs/include.am @@ -7,4 +7,5 @@ EXTRA_DIST += examples/configs/user_settings_min_ecc.h EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h EXTRA_DIST += examples/configs/user_settings_template.h EXTRA_DIST += examples/configs/user_settings_fipsv2.h +EXTRA_DIST += examples/configs/user_settings_fipsv5.h EXTRA_DIST += examples/configs/user_settings_stm32.h diff --git a/examples/configs/user_settings_fipsv5.h b/examples/configs/user_settings_fipsv5.h new file mode 100644 index 000000000..8cf0b5302 --- /dev/null +++ b/examples/configs/user_settings_fipsv5.h @@ -0,0 +1,145 @@ +/* user_settings_fipsv5.h + * + * Copyright (C) 2006-2022 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/* should be renamed to user_settings.h for customer use + * generated from configure options: + * ./fips-check.sh linuxv5-dev keep + * XXX-fips-test\wolfssl\options.h + * ./configure --enable-fips=v5-dev + * + * Cleaned up by David Garske + */ + + +#ifndef WOLFSSL_USER_SETTINGS_H +#define WOLFSSL_USER_SETTINGS_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* FIPS Version 5.3 */ +#define HAVE_FIPS +#define HAVE_FIPS_VERSION 5 +#define HAVE_FIPS_VERSION_MINOR 3 + +#define HAVE_HASHDRBG /* NIST Certified DRBG - SHA256 based */ +#define HAVE_THREAD_LS + +/* Math */ +#define USE_FAST_MATH +#define FP_MAX_BITS 16384 +#define SP_INT_BITS 8192 + +/* Timing Resistance */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* FIPS Features */ +#define WC_RNG_SEED_CB +#define WOLFSSL_VALIDATE_ECC_IMPORT +#define WOLFSSL_VALIDATE_ECC_KEYGEN +#define WOLFSSL_VALIDATE_FFC_IMPORT + +/* TLS Features */ +#define WOLFSSL_TLS13 +#define WOLFSSL_BASE64_ENCODE +#define WOLFSSL_USE_ALIGN +#define WOLFSSL_PUBLIC_MP +#define HAVE_ENCRYPT_THEN_MAC +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_EXTENDED_MASTER +//#define HAVE_SERVER_RENEGOTIATION_INFO + +#undef WOLFSSL_WOLFSSH +#define WOLFSSL_WOLFSSH + +/* DH */ +#undef NO_DH +#define HAVE_FFDHE_Q +#define HAVE_FFDHE_2048 +#define HAVE_FFDHE_3072 +#define HAVE_FFDHE_4096 +#define HAVE_FFDHE_6144 +#define HAVE_FFDHE_8192 +#define HAVE_DH_DEFAULT_PARAMS +#define HAVE_PUBLIC_FFDHE + +/* ECC */ +#define HAVE_ECC +#define TFM_ECC256 +#define ECC_SHAMIR +#define HAVE_ECC_CDH +#define ECC_USER_CURVES +#define HAVE_ECC192 +#define HAVE_ECC224 +#define HAVE_ECC256 +#define HAVE_ECC384 +#define HAVE_ECC521 +#define WOLFSSL_ECDSA_SET_K + +/* RSA */ +#undef NO_RSA +#define WC_RSA_PSS +#define WOLFSSL_KEY_GEN +#define WC_RSA_NO_PADDING + +/* AES */ +#define WOLFSSL_AES_COUNTER +#define HAVE_AESCCM +#define HAVE_AES_ECB +#define WOLFSSL_AES_COUNTER +#define WOLFSSL_AES_DIRECT +#define WOLFSSL_AES_OFB +#define HAVE_AESGCM +#define GCM_TABLE_4BIT +#define WOLFSSL_CMAC + +/* Hashing */ +#undef NO_SHA +#undef NO_SHA256 +#define WOLFSSL_SHA224 +#define WOLFSSL_SHA512 +#define WOLFSSL_SHA384 +#define WOLFSSL_NO_SHAKE256 +#define WOLFSSL_NOSHA512_224 +#define WOLFSSL_NOSHA512_256 +#define WOLFSSL_SHA3 +#define HAVE_HKDF + +/* Disabled Algorithms */ +#define NO_OLD_TLS +#define NO_RC4 +#define NO_MD4 +#define NO_MD5 +#define NO_DES3 +#define NO_PSK +#define NO_DSA +#define NO_PWDBASED +#define WOLFSSL_NO_SHAKE256 + +#ifdef __cplusplus +} +#endif + +#endif /* WOLFSSL_USER_SETTINGS_H */