From b7aa18ec6dd66a983a695e0753cf7c62366da28b Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 3 Jun 2024 15:34:17 -0700 Subject: [PATCH] Merge pull request #7591 from dgarske/wolfssh_template Template for wolfSSH minimal build using user_settings.h --- .github/workflows/os-check.yml | 1 + examples/configs/README.md | 1 + examples/configs/include.am | 1 + examples/configs/user_settings_wolfssh.h | 214 +++++++++++++++++++++++ 4 files changed, 217 insertions(+) create mode 100644 examples/configs/user_settings_wolfssh.h diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml index 4787363100..68557a31ab 100644 --- a/.github/workflows/os-check.yml +++ b/.github/workflows/os-check.yml @@ -76,6 +76,7 @@ jobs: 'examples/configs/user_settings_min_ecc.h', 'examples/configs/user_settings_wolfboot_keytools.h', 'examples/configs/user_settings_wolftpm.h', + 'examples/configs/user_settings_wolfssh.h', 'examples/configs/user_settings_tls12.h', ] name: make user_setting.h (testwolfcrypt only) diff --git a/examples/configs/README.md b/examples/configs/README.md index 596cd5db02..048c79d456 100644 --- a/examples/configs/README.md +++ b/examples/configs/README.md @@ -15,6 +15,7 @@ Example wolfSSL configuration file templates for use when autoconf is not availa * `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack. * `user_settings_tls12`: Example for TLS v1.2 client only, ECC only, AES GCM only, SHA2-256 only. * `user_settings_wolfboot_keytools.h`: This from wolfBoot tools/keytools and is ECC, RSA, ED25519 and ChaCha20. +* `user_settings_wolfssh.h`: Minimum options for building wolfSSH. See comment at top for ./configure used to generate. * `user_settings_wolftpm.h`: Minimum options for building wolfTPM. See comment at top for ./configure used to generate. ## Usage diff --git a/examples/configs/include.am b/examples/configs/include.am index dd52d97e91..0319d21d86 100644 --- a/examples/configs/include.am +++ b/examples/configs/include.am @@ -13,4 +13,5 @@ EXTRA_DIST += examples/configs/user_settings_stm32.h EXTRA_DIST += examples/configs/user_settings_template.h EXTRA_DIST += examples/configs/user_settings_tls12.h EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h +EXTRA_DIST += examples/configs/user_settings_wolfssh.h EXTRA_DIST += examples/configs/user_settings_wolftpm.h diff --git a/examples/configs/user_settings_wolfssh.h b/examples/configs/user_settings_wolfssh.h new file mode 100644 index 0000000000..45821a729b --- /dev/null +++ b/examples/configs/user_settings_wolfssh.h @@ -0,0 +1,214 @@ +/* user_settings_wolfssh.h + * + * Copyright (C) 2006-2024 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + + +/* To use the rename file to user_settings.h and define WOLFSSL_USER_SETTINGS */ + +/* Started from the following configure and hand tuned, organized and commented: +./configure --enable-wolfssh --enable-sp=small --enable-sp-math \ +--disable-sp-asm --disable-asm --disable-sys-ca-certs --enable-aesgcm=small \ +--enable-cryptonly --disable-sha3 --disable-chacha --disable-poly1305 \ +--disable-md5 --disable-error-queue-per-thread --disable-pkcs12 \ +--disable-errorstrings --disable-sni --disable-sha224 +make +*/ + +/* Tested using: +cp ./examples/configs/user_settings_wolfssh.h user_settings.h +cp ./examples/configs/user_settings_wolfssh.h ../wolfSSH/user_settings.h + +wolfSSL: +./configure --enable-usersettings --disable-examples CFLAGS="-Os" +make +sudo make install + +wolfSSH: +./configure --enable-scp --disable-shared --disable-term \ + CFLAGS="-DWOLFSSL_USER_SETTINGS -Os" +make +*/ + +#ifndef WOLFSSL_USER_SETTINGS_SSH_H +#define WOLFSSL_USER_SETTINGS_SSH_H + +#ifdef __cplusplus +extern "C" { +#endif + +/* #define USE_LOW_RESOURCE */ + +/* Platform */ +#ifdef USE_LOW_RESOURCE + /* Threading and filesystem required for wolfSSH tests \ + * Can be set for wolfSSH library only use */ + #define SINGLE_THREADED + #define NO_FILESYSTEM + #define BENCH_EMBEDDED +#endif + +/* Features */ +#define WOLFSSL_WOLFSSH +#if 1 + #define WOLFCRYPT_ONLY /* no TLS */ +#endif +#define HAVE_HASHDRBG +#define WOLFSSL_ASN_TEMPLATE +#define WOLFSSL_PUBLIC_MP +#ifndef USE_LOW_RESOURCE + #define WOLFSSL_BASE64_ENCODE +#endif + +#ifndef WOLFCRYPT_ONLY + #define HAVE_TLS_EXTENSIONS + #define HAVE_SUPPORTED_CURVES + #define HAVE_ENCRYPT_THEN_MAC +#endif + +/* Timing Resistance */ +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +/* Asymmetric */ +#if 1 /* RSA - PKCS1v1.5 */ + #undef NO_RSA + #define WC_NO_RSA_OAEP /* SSH does not use OAEP */ + + #ifdef USE_LOW_RESOURCE + #define RSA_LOW_MEM + #endif +#else + #define NO_RSA +#endif + +#if 1 /* DH */ + /* RFC 4253 requires "DH w/SHA-1" + * RFC 9142 requires "diffie-hellman-group14-sha256" + */ + #undef NO_DH + #ifndef WOLFCRYPT_ONLY + #define HAVE_DH_DEFAULT_PARAMS + #define HAVE_FFDHE_2048 + #endif +#else + #define NO_DH +#endif +#if 1 /* ECC */ + #define HAVE_ECC + #ifndef USE_LOW_RESOURCE /* optional ECC SHAMIR speedup */ + #define ECC_SHAMIR + #endif + #define ECC_USER_CURVES + #ifndef USE_LOW_RESOURCE + #define HAVE_ECC384 + #define HAVE_ECC521 + #endif +#endif + +/* Symmetric AES CBC/GCM */ +#undef NO_AES_CBC +#if 1 /* GCM */ + #define HAVE_AESGCM + #define GCM_SMALL +#endif +#ifdef USE_LOW_RESOURCE + #define WOLFSSL_AES_SMALL_TABLES +#endif + +/* Hashing SHA-1/SHA2-256 */ +#undef NO_SHA +#undef NO_SHA256 +#ifdef USE_LOW_RESOURCE + #define USE_SLOW_SHA + #define USE_SLOW_SHA256 +#endif +#if 0 + #define WOLFSSL_SHA384 + #define WOLFSSL_SHA512 + #ifdef USE_LOW_RESOURCE + #define USE_SLOW_SHA512 + #endif +#endif + + +/* Math */ +/* Multi Precision (MP): Enable support for uncommon key sizes / curves */ +#if 0 + #define WOLFSSL_SP_MATH_ALL +#endif + +/* Single Precision (SP) Math */ +#define WOLFSSL_SP_MATH +#define WOLFSSL_SP_SMALL + +#if !defined(NO_RSA) || !defined(NO_DH) + #undef WOLFSSL_SP_NO_2048 /* 2048-bit */ + #ifdef USE_LOW_RESOURCE + #define WOLFSSL_SP_NO_3072 /* 3072-bit */ + #else + #undef WOLFSSL_SP_NO_3072 /* 3072-bit */ + #define WOLFSSL_SP_4096 /* 4096-bit */ + #endif + + #ifndef NO_RSA + #define WOLFSSL_HAVE_SP_RSA + #endif + #ifndef NO_DH + #define WOLFSSL_HAVE_SP_DH + #endif +#endif +#ifdef HAVE_ECC + #define WOLFSSL_HAVE_SP_ECC + + #undef WOLFSSL_SP_NO_256 /* 256-bit */ + #ifdef HAVE_ECC384 + #define WOLFSSL_SP_384 /* 384-bit */ + #endif + #ifdef HAVE_ECC521 + #define WOLFSSL_SP_521 /* 521-bit */ + #endif +#endif + +/* Disable Algorithms */ +#define NO_DSA +#define NO_DES3 +#define NO_MD4 +#define NO_MD5 +#define NO_RC4 +#define NO_PSK +#define NO_PKCS12 +#define NO_PWDBASED +#define WOLFSSL_NO_SHAKE128 +#define WOLFSSL_NO_SHAKE256 + +/* Disable Features */ +#define NO_ERROR_STRINGS +#define WC_NO_ASYNC_THREADING +#define NO_DES3_TLS_SUITES +#define NO_OLD_TLS +#define WOLFSSL_NO_TLS12 + +#ifdef __cplusplus +} +#endif + + +#endif /* WOLFSSL_USER_SETTINGS_SSH_H */