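/***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * SPDX-License-Identifier: curl
 *
 ***************************************************************************/
/*
By default wolfSSL has a very conservative configuration that can result in
connections to servers failing due to certificate or algorithm problems.
To remedy this issue for libcurl I've generated this options file that
build-wolfssl will copy to the wolfSSL include directories and will result in
maximum compatibility.

Several of the options below (TLS 1.0, the static RSA/DH cipher suites,
DES-ECB) trade security margin for compatibility with older servers; the
per-option comments in the generated section say which ones and why.

These are the configure options that were used to build wolfSSL v5.1.1 in
mingw and generate the options in this file:

C_EXTRA_FLAGS="\
  -Wno-attributes \
  -Wno-unused-but-set-variable \
  -DFP_MAX_BITS=16384 \
  -DHAVE_SECRET_CALLBACK \
  -DTFM_TIMING_RESISTANT \
  -DUSE_WOLF_STRTOK \
  -DWOLFSSL_DES_ECB \
  -DWOLFSSL_STATIC_DH \
  -DWOLFSSL_STATIC_RSA \
  " \
./configure --prefix=/usr/local \
  --disable-jobserver \
  --enable-aesgcm \
  --enable-alpn \
  --enable-altcertchains \
  --enable-certgen \
  --enable-des3 \
  --enable-dh \
  --enable-dsa \
  --enable-ecc \
  --enable-eccshamir \
  --enable-fastmath \
  --enable-opensslextra \
  --enable-ripemd \
  --enable-sessioncerts \
  --enable-sha512 \
  --enable-sni \
  --enable-tlsv10 \
  --enable-supportedcurves \
  --enable-tls13 \
  --enable-testcert \
  > config.out 2>&1

Two generated options HAVE_THREAD_LS and _POSIX_THREADS were removed since they
are inapplicable for our Visual Studio build. Currently thread local storage is
only used by the Fixed Point cache ECC which we're not enabling. However even
if we later may decide to enable the cache it will fall back on mutexes when
thread local storage is not available. wolfSSL is using __declspec(thread) to
create the thread local storage and that could be a problem for LoadLibrary.

configure also emits some option pairs more than once (TFM_TIMING_RESISTANT,
HAVE_TLS_EXTENSIONS, HAVE_SUPPORTED_CURVES). Those repeats have been collapsed
to a single #undef/#define each; the resulting set of defined macros is the
same, and the repeats are harmless if the file is ever regenerated.

Regarding the options that were added via C_EXTRA_FLAGS:

FP_MAX_BITS=16384
https://www.yassl.com/forums/topic423-cacertorgs-ca-cert-verify-failed-but-withdisablefastmath-it-works.html
"Since root.crt uses a 4096-bit RSA key, you'll need to increase the fastmath
buffer size. You can do this using the define:
FP_MAX_BITS and setting it to 8192."

HAVE_SECRET_CALLBACK
Build wolfSSL with wolfSSL_set_tls13_secret_cb which allows saving TLS 1.3
secrets to SSLKEYLOGFILE.

TFM_TIMING_RESISTANT
https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-2-building-wolfssl.html
From section 2.4.5 Increasing Performance, USE_FAST_MATH:
"Because the stack memory usage can be larger when using fastmath, we recommend
defining TFM_TIMING_RESISTANT as well when using this option."

USE_WOLF_STRTOK
Build wolfSSL to always use its internal strtok instead of C runtime strtok.

WOLFSSL_DES_ECB
Build wolfSSL with wolfSSL_DES_ecb_encrypt which is needed by libcurl for NTLM.

WOLFSSL_STATIC_DH: Allow TLS_ECDH_ ciphers
WOLFSSL_STATIC_RSA: Allow TLS_RSA_ ciphers
https://github.com/wolfSSL/wolfssl/blob/v3.6.6/README.md#note-1
Static key cipher suites are deprecated and disabled by default since v3.6.6.
*/

/* wolfssl options.h
 * generated from configure options
 *
 * Copyright (C) 2006-2022 wolfSSL Inc.
 *
 * This file is part of wolfSSL. (formerly known as CyaSSL)
 *
 */

#ifndef WOLFSSL_OPTIONS_H
#define WOLFSSL_OPTIONS_H


#ifdef __cplusplus
extern "C" {
#endif

/* ---- options passed in via C_EXTRA_FLAGS (rationale in the comment above) */

/* fastmath integer buffer size, raised so 4096-bit RSA keys can be verified */
#undef FP_MAX_BITS
#define FP_MAX_BITS 16384

/* wolfSSL_set_tls13_secret_cb: lets TLS 1.3 secrets be written to
   SSLKEYLOGFILE. This is build-time support only; secrets are exported only
   when the application installs the callback (presumably only when
   SSLKEYLOGFILE is set). Anything written there allows the session to be
   decrypted, so treat that file like key material. */
#undef HAVE_SECRET_CALLBACK
#define HAVE_SECRET_CALLBACK

/* constant-time fastmath; wolfSSL recommends this together with USE_FAST_MATH */
#undef TFM_TIMING_RESISTANT
#define TFM_TIMING_RESISTANT

/* always use wolfSSL's own strtok rather than the C runtime one */
#undef USE_WOLF_STRTOK
#define USE_WOLF_STRTOK

/* wolfSSL_DES_ecb_encrypt, needed by libcurl for NTLM */
#undef WOLFSSL_DES_ECB
#define WOLFSSL_DES_ECB

/* static-key TLS_ECDH_ / TLS_RSA_ suites. These do not provide forward
   secrecy and are deprecated (off by default since wolfSSL v3.6.6); enabled
   here purely for compatibility with servers that offer nothing else. */
#undef WOLFSSL_STATIC_DH
#define WOLFSSL_STATIC_DH

#undef WOLFSSL_STATIC_RSA
#define WOLFSSL_STATIC_RSA

/* ---- options generated by configure ----------------------------------- */

/* side-channel countermeasures on the ECC and RSA private-key paths */
#undef ECC_TIMING_RESISTANT
#define ECC_TIMING_RESISTANT

#undef WC_RSA_BLINDING
#define WC_RSA_BLINDING

#undef WOLFSSL_USE_ALIGN
#define WOLFSSL_USE_ALIGN

/* --enable-ripemd, --enable-sha512 */
#undef WOLFSSL_RIPEMD
#define WOLFSSL_RIPEMD

#undef WOLFSSL_SHA512
#define WOLFSSL_SHA512

#undef WOLFSSL_SHA384
#define WOLFSSL_SHA384

/* --enable-sessioncerts */
#undef SESSION_CERTS
#define SESSION_CERTS

#undef HAVE_HKDF
#define HAVE_HKDF

/* --enable-ecc, --enable-eccshamir */
#undef HAVE_ECC
#define HAVE_ECC

#undef TFM_ECC256
#define TFM_ECC256

#undef ECC_SHAMIR
#define ECC_SHAMIR

/* --enable-tlsv10: TLS 1.0 may be negotiated. This is a compatibility
   concession; peers that support TLS 1.2/1.3 should still end up there. */
#undef WOLFSSL_ALLOW_TLSV10
#define WOLFSSL_ALLOW_TLSV10

#undef WC_RSA_PSS
#define WC_RSA_PSS

/* legacy stream ciphers stay disabled */
#undef NO_HC128
#define NO_HC128

#undef NO_RABBIT
#define NO_RABBIT

/* ChaCha20-Poly1305 AEAD suites */
#undef HAVE_POLY1305
#define HAVE_POLY1305

#undef HAVE_ONE_TIME_AUTH
#define HAVE_ONE_TIME_AUTH

#undef HAVE_CHACHA
#define HAVE_CHACHA

/* Hash_DRBG random number generator */
#undef HAVE_HASHDRBG
#define HAVE_HASHDRBG

/* TLS extensions: --enable-sni, --enable-alpn, --enable-supportedcurves.
   configure emits HAVE_TLS_EXTENSIONS and HAVE_SUPPORTED_CURVES once per
   feature; they are defined once here. */
#undef HAVE_TLS_EXTENSIONS
#define HAVE_TLS_EXTENSIONS

#undef HAVE_SNI
#define HAVE_SNI

#undef HAVE_ALPN
#define HAVE_ALPN

#undef HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES

#undef HAVE_FFDHE_2048
#define HAVE_FFDHE_2048

/* --enable-tls13 */
#undef WOLFSSL_TLS13
#define WOLFSSL_TLS13

/* extended master secret (RFC 7627) */
#undef HAVE_EXTENDED_MASTER
#define HAVE_EXTENDED_MASTER

/* --enable-altcertchains */
#undef WOLFSSL_ALT_CERT_CHAINS
#define WOLFSSL_ALT_CERT_CHAINS

/* --enable-testcert */
#undef WOLFSSL_TEST_CERT
#define WOLFSSL_TEST_CERT

#undef NO_RC4
#define NO_RC4

/* encrypt-then-MAC (RFC 7366) for the CBC suites */
#undef HAVE_ENCRYPT_THEN_MAC
#define HAVE_ENCRYPT_THEN_MAC

#undef NO_PSK
#define NO_PSK

#undef NO_MD4
#define NO_MD4

#undef WOLFSSL_ENCRYPTED_KEYS
#define WOLFSSL_ENCRYPTED_KEYS

/* --enable-fastmath; pairs with FP_MAX_BITS and TFM_TIMING_RESISTANT above */
#undef USE_FAST_MATH
#define USE_FAST_MATH

#undef WC_NO_ASYNC_THREADING
#define WC_NO_ASYNC_THREADING

#undef HAVE_DH_DEFAULT_PARAMS
#define HAVE_DH_DEFAULT_PARAMS

/* --enable-certgen */
#undef WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_GEN

/* --enable-opensslextra: the OpenSSL compatibility API */
#undef OPENSSL_EXTRA
#define OPENSSL_EXTRA

/* verify-callback behaviour; NOTE(review): names suggest the callback runs
   for every certificate in the chain, not just on failure - confirm against
   the wolfSSL docs before relying on it */
#undef WOLFSSL_ALWAYS_VERIFY_CB
#define WOLFSSL_ALWAYS_VERIFY_CB

#undef WOLFSSL_VERIFY_CB_ALL_CERTS
#define WOLFSSL_VERIFY_CB_ALL_CERTS

#undef WOLFSSL_EXTRA_ALERTS
#define WOLFSSL_EXTRA_ALERTS

#undef HAVE_EXT_CACHE
#define HAVE_EXT_CACHE

#undef WOLFSSL_FORCE_CACHE_ON_TICKET
#define WOLFSSL_FORCE_CACHE_ON_TICKET

#undef WOLFSSL_AKID_NAME
#define WOLFSSL_AKID_NAME

#undef HAVE_CTS
#define HAVE_CTS

/* --enable-aesgcm */
#undef GCM_TABLE_4BIT
#define GCM_TABLE_4BIT

#undef HAVE_AESGCM
#define HAVE_AESGCM

#undef HAVE_WC_INTROSPECTION
#define HAVE_WC_INTROSPECTION


#ifdef __cplusplus
} /* end of extern "C" */
#endif


#endif /* WOLFSSL_OPTIONS_H */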